- Linux-stable-mirror - lists.linaro.org

Patch "dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Vignesh R <vigneshr(a)ti.com> Date: Tue, 19 Dec 2017 12:51:16 +0200 Subject: dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 From: Vignesh R <vigneshr(a)ti.com> [ Upstream commit d087f15786021a9605b20f4c678312510be4cac1 ] Register layout of a typical TPCC_EVT_MUX_M_N register is such that the lowest numbered event is at the lowest byte address and highest numbered event at highest byte address. But TPCC_EVT_MUX_60_63 register layout is different, in that the lowest numbered event is at the highest address and highest numbered event is at the lowest address. Therefore, modify ti_am335x_xbar_write() to handle TPCC_EVT_MUX_60_63 register accordingly. Signed-off-by: Vignesh R <vigneshr(a)ti.com> Signed-off-by: Peter Ujfalusi <peter.ujfalusi(a)ti.com> Signed-off-by: Vinod Koul <vinod.koul(a)intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/dma/ti-dma-crossbar.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- a/drivers/dma/ti-dma-crossbar.c +++ b/drivers/dma/ti-dma-crossbar.c @@ -54,7 +54,15 @@ struct ti_am335x_xbar_map { static inline void ti_am335x_xbar_write(void __iomem *iomem, int event, u8 val) { - writeb_relaxed(val, iomem + event); + /* + * TPCC_EVT_MUX_60_63 register layout is different than the + * rest, in the sense, that event 63 is mapped to lowest byte + * and event 60 is mapped to highest, handle it separately. + */ + if (event >= 60 && event <= 63) + writeb_relaxed(val, iomem + (63 - event % 4)); + else + writeb_relaxed(val, iomem + event); } static void ti_am335x_xbar_free(struct device *dev, void *route_data) Patches currently in stable-queue which might be from vigneshr(a)ti.com are queue-4.15/dmaengine-ti-dma-crossbar-fix-event-mapping-for-tpcc_evt_mux_60_63.patch

7 years, 5 months

1
0
0 0

Patch "/dev/mem: Add bounce buffer for copy-out" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled /dev/mem: Add bounce buffer for copy-out to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: dev-mem-add-bounce-buffer-for-copy-out.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Kees Cook <keescook(a)chromium.org> Date: Fri, 1 Dec 2017 13:19:39 -0800 Subject: /dev/mem: Add bounce buffer for copy-out From: Kees Cook <keescook(a)chromium.org> [ Upstream commit 22ec1a2aea73b9dfe340dff7945bd85af4cc6280 ] As done for /proc/kcore in commit df04abfd181a ("fs/proc/kcore.c: Add bounce buffer for ktext data") this adds a bounce buffer when reading memory via /dev/mem. This is needed to allow kernel text memory to be read out when built with CONFIG_HARDENED_USERCOPY (which refuses to read out kernel text) and without CONFIG_STRICT_DEVMEM (which would have refused to read any RAM contents at all). Since this build configuration isn't common (most systems with CONFIG_HARDENED_USERCOPY also have CONFIG_STRICT_DEVMEM), this also tries to inform Kconfig about the recommended settings. This patch is modified from Brad Spengler/PaX Team's changes to /dev/mem code in the last public patch of grsecurity/PaX based on my understanding of the code. Changes or omissions from the original code are mine and don't reflect the original grsecurity/PaX code. Reported-by: Michael Holzheu <holzheu(a)linux.vnet.ibm.com> Fixes: f5509cc18daa ("mm: Hardened usercopy") Signed-off-by: Kees Cook <keescook(a)chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/char/mem.c | 27 ++++++++++++++++++++++----- security/Kconfig | 1 + 2 files changed, 23 insertions(+), 5 deletions(-) --- a/drivers/char/mem.c +++ b/drivers/char/mem.c @@ -107,6 +107,8 @@ static ssize_t read_mem(struct file *fil phys_addr_t p = *ppos; ssize_t read, sz; void *ptr; + char *bounce; + int err; if (p != *ppos) return 0; @@ -129,15 +131,22 @@ static ssize_t read_mem(struct file *fil } #endif + bounce = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (!bounce) + return -ENOMEM; + while (count > 0) { unsigned long remaining; int allowed; sz = size_inside_page(p, count); + err = -EPERM; allowed = page_is_allowed(p >> PAGE_SHIFT); if (!allowed) - return -EPERM; + goto failed; + + err = -EFAULT; if (allowed == 2) { /* Show zeros for restricted memory. */ remaining = clear_user(buf, sz); @@ -149,24 +158,32 @@ static ssize_t read_mem(struct file *fil */ ptr = xlate_dev_mem_ptr(p); if (!ptr) - return -EFAULT; - - remaining = copy_to_user(buf, ptr, sz); + goto failed; + err = probe_kernel_read(bounce, ptr, sz); unxlate_dev_mem_ptr(p, ptr); + if (err) + goto failed; + + remaining = copy_to_user(buf, bounce, sz); } if (remaining) - return -EFAULT; + goto failed; buf += sz; p += sz; count -= sz; read += sz; } + kfree(bounce); *ppos += read; return read; + +failed: + kfree(bounce); + return err; } static ssize_t write_mem(struct file *file, const char __user *buf, --- a/security/Kconfig +++ b/security/Kconfig @@ -154,6 +154,7 @@ config HARDENED_USERCOPY bool "Harden memory copies between kernel and userspace" depends on HAVE_HARDENED_USERCOPY_ALLOCATOR select BUG + imply STRICT_DEVMEM help This option checks for obviously wrong memory regions when copying memory to/from the kernel (via copy_to_user() and Patches currently in stable-queue which might be from keescook(a)chromium.org are queue-4.15/dev-mem-add-bounce-buffer-for-copy-out.patch

7 years, 5 months

1
0
0 0

Patch "crypto: artpec6 - set correct iv size for gcm(aes)" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled crypto: artpec6 - set correct iv size for gcm(aes) to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: crypto-artpec6-set-correct-iv-size-for-gcm-aes.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Lars Persson <lars.persson(a)axis.com> Date: Tue, 12 Dec 2017 12:40:22 +0100 Subject: crypto: artpec6 - set correct iv size for gcm(aes) From: Lars Persson <lars.persson(a)axis.com> [ Upstream commit 6d6e71feb183aa588c849e20e7baa47cb162928a ] The IV size should not include the 32 bit counter. Because we had the IV size set as 16 the transform only worked when the IV input was zero padded. Fixes: a21eb94fc4d3 ("crypto: axis - add ARTPEC-6/7 crypto accelerator driver") Signed-off-by: Lars Persson <larper(a)axis.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/crypto/axis/artpec6_crypto.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/drivers/crypto/axis/artpec6_crypto.c +++ b/drivers/crypto/axis/artpec6_crypto.c @@ -22,6 +22,7 @@ #include <linux/slab.h> #include <crypto/aes.h> +#include <crypto/gcm.h> #include <crypto/internal/aead.h> #include <crypto/internal/hash.h> #include <crypto/internal/skcipher.h> @@ -1934,7 +1935,7 @@ static int artpec6_crypto_prepare_aead(s memcpy(req_ctx->hw_ctx.J0, areq->iv, crypto_aead_ivsize(cipher)); // The HW omits the initial increment of the counter field. - crypto_inc(req_ctx->hw_ctx.J0+12, 4); + memcpy(req_ctx->hw_ctx.J0 + GCM_AES_IV_SIZE, "\x00\x00\x00\x01", 4); ret = artpec6_crypto_setup_out_descr(common, &req_ctx->hw_ctx, sizeof(struct artpec6_crypto_aead_hw_ctx), false, false); @@ -2956,7 +2957,7 @@ static struct aead_alg aead_algos[] = { .setkey = artpec6_crypto_aead_set_key, .encrypt = artpec6_crypto_aead_encrypt, .decrypt = artpec6_crypto_aead_decrypt, - .ivsize = AES_BLOCK_SIZE, + .ivsize = GCM_AES_IV_SIZE, .maxauthsize = AES_BLOCK_SIZE, .base = { Patches currently in stable-queue which might be from lars.persson(a)axis.com are queue-4.15/crypto-artpec6-set-correct-iv-size-for-gcm-aes.patch

7 years, 5 months

1
0
0 0

Patch "cros_ec: fix nul-termination for firmware build info" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled cros_ec: fix nul-termination for firmware build info to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: cros_ec-fix-nul-termination-for-firmware-build-info.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Arnd Bergmann <arnd(a)arndb.de> Date: Mon, 4 Dec 2017 15:49:48 +0100 Subject: cros_ec: fix nul-termination for firmware build info From: Arnd Bergmann <arnd(a)arndb.de> [ Upstream commit 50a0d71a5d20e1d3eff1d974fdc8559ad6d74892 ] As gcc-8 reports, we zero out the wrong byte: drivers/platform/chrome/cros_ec_sysfs.c: In function 'show_ec_version': drivers/platform/chrome/cros_ec_sysfs.c:190:12: error: array subscript 4294967295 is above array bounds of 'uint8_t[]' [-Werror=array-bounds] This changes the code back to what it did before changing to a zero-length array structure. Fixes: a841178445bb ("mfd: cros_ec: Use a zero-length array for command data") Signed-off-by: Arnd Bergmann <arnd(a)arndb.de> Signed-off-by: Benson Leung <bleung(a)chromium.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/platform/chrome/cros_ec_sysfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/platform/chrome/cros_ec_sysfs.c +++ b/drivers/platform/chrome/cros_ec_sysfs.c @@ -187,7 +187,7 @@ static ssize_t show_ec_version(struct de count += scnprintf(buf + count, PAGE_SIZE - count, "Build info: EC error %d\n", msg->result); else { - msg->data[sizeof(msg->data) - 1] = '\0'; + msg->data[EC_HOST_PARAM_SIZE - 1] = '\0'; count += scnprintf(buf + count, PAGE_SIZE - count, "Build info: %s\n", msg->data); } Patches currently in stable-queue which might be from arnd(a)arndb.de are queue-4.15/drm-tilcdc-ensure-nonatomic-iowrite64-is-not-used.patch queue-4.15/cros_ec-fix-nul-termination-for-firmware-build-info.patch

7 years, 5 months

1
0
0 0

Patch "cpufreq: longhaul: Revert transition_delay_us to 200 ms" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled cpufreq: longhaul: Revert transition_delay_us to 200 ms to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: cpufreq-longhaul-revert-transition_delay_us-to-200-ms.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Viresh Kumar <viresh.kumar(a)linaro.org> Date: Thu, 7 Dec 2017 15:15:19 +0530 Subject: cpufreq: longhaul: Revert transition_delay_us to 200 ms From: Viresh Kumar <viresh.kumar(a)linaro.org> [ Upstream commit 1d0d064307cbfd8546841f6e9d94d02c55e45e1e ] The commit e948bc8fbee0 ("cpufreq: Cap the default transition delay value to 10 ms") caused a regression on EPIA-M min-ITX computer where shutdown or reboot hangs occasionally with a print message like: longhaul: Warning: Timeout while waiting for idle PCI bus cpufreq: __target_index: Failed to change cpu frequency: -16 This probably happens because the cpufreq governor tries to change the frequency of the CPU faster than allowed by the hardware. Before the above commit, the default transition delay was set to 200 ms for a transition_latency of 200000 ns. Lets revert back to that transition delay value to fix it. Note that several other transition delay values were tested like 20 ms and 30 ms and none of them have resolved system hang issue completely. Fixes: e948bc8fbee0 (cpufreq: Cap the default transition delay value to 10 ms) Reported-by: Meelis Roos <mroos(a)linux.ee> Suggested-by: Rafael J. Wysocki <rjw(a)rjwysocki.net> Signed-off-by: Viresh Kumar <viresh.kumar(a)linaro.org> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/cpufreq/longhaul.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/cpufreq/longhaul.c +++ b/drivers/cpufreq/longhaul.c @@ -894,7 +894,7 @@ static int longhaul_cpu_init(struct cpuf if ((longhaul_version != TYPE_LONGHAUL_V1) && (scale_voltage != 0)) longhaul_setup_voltagescaling(); - policy->cpuinfo.transition_latency = 200000; /* nsec */ + policy->transition_delay_us = 200000; /* usec */ return cpufreq_table_validate_and_show(policy, longhaul_table); } Patches currently in stable-queue which might be from viresh.kumar(a)linaro.org are queue-4.15/cpufreq-longhaul-revert-transition_delay_us-to-200-ms.patch

7 years, 5 months

1
0
0 0

Patch "coresight: Fix disabling of CoreSight TPIU" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled coresight: Fix disabling of CoreSight TPIU to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: coresight-fix-disabling-of-coresight-tpiu.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Robert Walker <robert.walker(a)arm.com> Date: Mon, 18 Dec 2017 11:05:44 -0700 Subject: coresight: Fix disabling of CoreSight TPIU From: Robert Walker <robert.walker(a)arm.com> [ Upstream commit 11595db8e17faaa05fadc25746c870e31276962f ] The CoreSight TPIU should be disabled when tracing to other sinks to allow them to operate at full bandwidth. This patch fixes tpiu_disable_hw() to correctly disable the TPIU by configuring the TPIU to stop on flush, initiating a manual flush, waiting for the flush to complete and then waits for the TPIU to indicate it has stopped. Signed-off-by: Robert Walker <robert.walker(a)arm.com> Tested-by: Mike Leach <mike.leach(a)linaro.org> Signed-off-by: Mathieu Poirier <mathieu.poirier(a)linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/hwtracing/coresight/coresight-tpiu.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/drivers/hwtracing/coresight/coresight-tpiu.c +++ b/drivers/hwtracing/coresight/coresight-tpiu.c @@ -46,8 +46,11 @@ #define TPIU_ITATBCTR0 0xef8 /** register definition **/ +/* FFSR - 0x300 */ +#define FFSR_FT_STOPPED BIT(1) /* FFCR - 0x304 */ #define FFCR_FON_MAN BIT(6) +#define FFCR_STOP_FI BIT(12) /** * @base: memory mapped base address for this component. @@ -85,10 +88,14 @@ static void tpiu_disable_hw(struct tpiu_ { CS_UNLOCK(drvdata->base); - /* Clear formatter controle reg. */ - writel_relaxed(0x0, drvdata->base + TPIU_FFCR); + /* Clear formatter and stop on flush */ + writel_relaxed(FFCR_STOP_FI, drvdata->base + TPIU_FFCR); /* Generate manual flush */ - writel_relaxed(FFCR_FON_MAN, drvdata->base + TPIU_FFCR); + writel_relaxed(FFCR_STOP_FI | FFCR_FON_MAN, drvdata->base + TPIU_FFCR); + /* Wait for flush to complete */ + coresight_timeout(drvdata->base, TPIU_FFCR, FFCR_FON_MAN, 0); + /* Wait for formatter to stop */ + coresight_timeout(drvdata->base, TPIU_FFSR, FFSR_FT_STOPPED, 1); CS_LOCK(drvdata->base); } Patches currently in stable-queue which might be from robert.walker(a)arm.com are queue-4.15/coresight-fix-disabling-of-coresight-tpiu.patch

7 years, 5 months

1
0
0 0

Patch "clk: use round rate to bail out early in set_rate" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: use round rate to bail out early in set_rate to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-use-round-rate-to-bail-out-early-in-set_rate.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Jerome Brunet <jbrunet(a)baylibre.com> Date: Fri, 1 Dec 2017 22:51:55 +0100 Subject: clk: use round rate to bail out early in set_rate From: Jerome Brunet <jbrunet(a)baylibre.com> [ Upstream commit ca5e089a32c5ffba6c5101fdabdd6dea18041c34 ] The current implementation of clk_core_set_rate_nolock() bails out early if the requested rate is exactly the same as the one set. It should bail out if the request would not result in a rate a change. This is important when the rate is not exactly what is requested, which is fairly common with PLLs. Ex: provider able to give any rate with steps of 100Hz - 1st consumer request 48000Hz and gets it. - 2nd consumer request 48010Hz as well. If we were to perform the usual mechanism, we would get 48000Hz as well. The clock would not change so there is no point performing any checks to make sure the clock can change, we know it won't. This is important to prepare the addition of the clock protection mechanism Acked-by: Linus Walleij <linus.walleij(a)linaro.org> Tested-by: Quentin Schulz <quentin.schulz(a)free-electrons.com> Tested-by: Maxime Ripard <maxime.ripard(a)free-electrons.com> Acked-by: Michael Turquette <mturquette(a)baylibre.com> Signed-off-by: Jerome Brunet <jbrunet(a)baylibre.com> Signed-off-by: Michael Turquette <mturquette(a)baylibre.com> Link: lkml.kernel.org/r/20171201215200.23523-6-jbrunet@baylibre.com Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/clk.c | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) --- a/drivers/clk/clk.c +++ b/drivers/clk/clk.c @@ -1642,16 +1642,37 @@ static void clk_change_rate(struct clk_c clk_pm_runtime_put(core); } +static unsigned long clk_core_req_round_rate_nolock(struct clk_core *core, + unsigned long req_rate) +{ + int ret; + struct clk_rate_request req; + + lockdep_assert_held(&prepare_lock); + + if (!core) + return 0; + + clk_core_get_boundaries(core, &req.min_rate, &req.max_rate); + req.rate = req_rate; + + ret = clk_core_round_rate_nolock(core, &req); + + return ret ? 0 : req.rate; +} + static int clk_core_set_rate_nolock(struct clk_core *core, unsigned long req_rate) { struct clk_core *top, *fail_clk; - unsigned long rate = req_rate; + unsigned long rate; int ret = 0; if (!core) return 0; + rate = clk_core_req_round_rate_nolock(core, req_rate); + /* bail early if nothing to do */ if (rate == clk_core_get_rate_nolock(core)) return 0; @@ -1660,7 +1681,7 @@ static int clk_core_set_rate_nolock(stru return -EBUSY; /* calculate new rates and get the topmost changed clock */ - top = clk_calc_new_rates(core, rate); + top = clk_calc_new_rates(core, req_rate); if (!top) return -EINVAL; Patches currently in stable-queue which might be from jbrunet(a)baylibre.com are queue-4.15/clk-check-ops-pointer-on-clock-register.patch queue-4.15/net-phy-meson-gxl-check-phy_write-return-value.patch queue-4.15/clk-use-round-rate-to-bail-out-early-in-set_rate.patch

7 years, 5 months

1
0
0 0

Patch "clk: si5351: Rename internal plls to avoid name collisions" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: si5351: Rename internal plls to avoid name collisions to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Sergej Sawazki <sergej(a)taudac.com> Date: Tue, 25 Jul 2017 23:21:02 +0200 Subject: clk: si5351: Rename internal plls to avoid name collisions From: Sergej Sawazki <sergej(a)taudac.com> [ Upstream commit cdba9a4fb0b53703959ac861e415816cb61aded4 ] This drivers probe fails due to a clock name collision if a clock named 'plla' or 'pllb' is already registered when registering this drivers internal plls. Fix it by renaming internal plls to avoid name collisions. Cc: Sebastian Hesselbarth <sebastian.hesselbarth(a)gmail.com> Cc: Rabeeh Khoury <rabeeh(a)solid-run.com> Signed-off-by: Sergej Sawazki <sergej(a)taudac.com> Signed-off-by: Stephen Boyd <sboyd(a)codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/clk-si5351.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/clk/clk-si5351.c +++ b/drivers/clk/clk-si5351.c @@ -72,7 +72,7 @@ static const char * const si5351_input_n "xtal", "clkin" }; static const char * const si5351_pll_names[] = { - "plla", "pllb", "vxco" + "si5351_plla", "si5351_pllb", "si5351_vxco" }; static const char * const si5351_msynth_names[] = { "ms0", "ms1", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7" Patches currently in stable-queue which might be from sergej(a)taudac.com are queue-4.15/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch

7 years, 5 months

1
0
0 0

Patch "clk: Don't touch hardware when reparenting during registration" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: Don't touch hardware when reparenting during registration to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-don-t-touch-hardware-when-reparenting-during-registration.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Stephen Boyd <sboyd(a)codeaurora.org> Date: Thu, 2 Nov 2017 00:36:09 -0700 Subject: clk: Don't touch hardware when reparenting during registration From: Stephen Boyd <sboyd(a)codeaurora.org> [ Upstream commit f8f8f1d04494d3a6546bee3f0618c4dba31d7b72 ] The orphan clocks reparent operation shouldn't touch the hardware if clocks are enabled, otherwise it may get a chance to disable a newly registered critical clock which triggers the warning below. Assuming we have two clocks: A and B, B is the parent of A. Clock A has flag: CLK_OPS_PARENT_ENABLE Clock B has flag: CLK_IS_CRITICAL Step 1: Clock A is registered, then it becomes orphan. Step 2: Clock B is registered. Before clock B reach the critical clock enable operation, orphan A will find the newly registered parent B and do reparent operation, then parent B will be finally disabled in __clk_set_parent_after() due to CLK_OPS_PARENT_ENABLE flag as there's still no users of B which will then trigger the following warning. WARNING: CPU: 0 PID: 0 at drivers/clk/clk.c:597 clk_core_disable+0xb4/0xe0 Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-00056-gdff1f66-dirty #1373 Hardware name: Generic DT based system Backtrace: [<c010c4bc>] (dump_backtrace) from [<c010c764>] (show_stack+0x18/0x1c) r6:600000d3 r5:00000000 r4:c0e26358 r3:00000000 [<c010c74c>] (show_stack) from [<c040599c>] (dump_stack+0xb4/0xe8) [<c04058e8>] (dump_stack) from [<c0125c94>] (__warn+0xd8/0x104) r10:c0c21cd0 r9:c048aa78 r8:00000255 r7:00000009 r6:c0c1cd90 r5:00000000 r4:00000000 r3:c0e01d34 [<c0125bbc>] (__warn) from [<c0125d74>] (warn_slowpath_null+0x28/0x30) r9:00000000 r8:ef00bf80 r7:c165ac4c r6:ef00bf80 r5:ef00bf80 r4:ef00bf80 [<c0125d4c>] (warn_slowpath_null) from [<c048aa78>] (clk_core_disable+0xb4/0xe0) [<c048a9c4>] (clk_core_disable) from [<c048be88>] (clk_core_disable_lock+0x20/0x2c) r4:000000d3 r3:c0e0af00 [<c048be68>] (clk_core_disable_lock) from [<c048c224>] (clk_core_disable_unprepare+0x14/0x28) r5:00000000 r4:ef00bf80 [<c048c210>] (clk_core_disable_unprepare) from [<c048c270>] (__clk_set_parent_after+0x38/0x54) r4:ef00bd80 r3:000010a0 [<c048c238>] (__clk_set_parent_after) from [<c048daa8>] (clk_register+0x4d0/0x648) r6:ef00d500 r5:ef00bf80 r4:ef00bd80 r3:ef00bfd4 [<c048d5d8>] (clk_register) from [<c048dc30>] (clk_hw_register+0x10/0x1c) r9:00000000 r8:00000003 r7:00000000 r6:00000824 r5:00000001 r4:ef00d500 [<c048dc20>] (clk_hw_register) from [<c048e698>] (_register_divider+0xcc/0x120) [<c048e5cc>] (_register_divider) from [<c048e730>] (clk_register_divider+0x44/0x54) r10:00000004 r9:00000003 r8:00000001 r7:00000000 r6:00000003 r5:00000001 r4:f0810030 [<c048e6ec>] (clk_register_divider) from [<c0d3ff58>] (imx7ulp_clocks_init+0x558/0xe98) r7:c0e296f8 r6:c165c808 r5:00000000 r4:c165c808 [<c0d3fa00>] (imx7ulp_clocks_init) from [<c0d24db0>] (of_clk_init+0x118/0x1e0) r10:00000001 r9:c0e01f68 r8:00000000 r7:c0e01f60 r6:ef7f8974 r5:ef0035c0 r4:00000006 [<c0d24c98>] (of_clk_init) from [<c0d04a50>] (time_init+0x2c/0x38) r10:efffed40 r9:c0d61a48 r8:c0e78000 r7:c0e07900 r6:ffffffff r5:c0e78000 r4:00000000 [<c0d04a24>] (time_init) from [<c0d00b8c>] (start_kernel+0x218/0x394) [<c0d00974>] (start_kernel) from [<6000807c>] (0x6000807c) r10:00000000 r9:410fc075 r8:6000406a r7:c0e0c930 r6:c0d61a44 r5:c0e07918 r4:c0e78294 We know that the clk isn't enabled with any sort of prepare_count here so we don't need to enable anything to prevent a race. And we're holding the prepare mutex so set_rate/set_parent can't race here either. Based on an earlier patch by Dong Aisheng. Fixes: fc8726a2c021 ("clk: core: support clocks which requires parents enable (part 2)") Cc: Michael Turquette <mturquette(a)baylibre.com> Cc: Shawn Guo <shawnguo(a)kernel.org> Reported-by: Dong Aisheng <aisheng.dong(a)nxp.com> Signed-off-by: Stephen Boyd <sboyd(a)codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/clk.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/drivers/clk/clk.c +++ b/drivers/clk/clk.c @@ -2597,14 +2597,17 @@ static int __clk_core_init(struct clk_co */ hlist_for_each_entry_safe(orphan, tmp2, &clk_orphan_list, child_node) { struct clk_core *parent = __clk_init_parent(orphan); + unsigned long flags; /* * we could call __clk_set_parent, but that would result in a * redundant call to the .set_rate op, if it exists */ if (parent) { - __clk_set_parent_before(orphan, parent); - __clk_set_parent_after(orphan, parent, NULL); + /* update the clk tree topology */ + flags = clk_enable_lock(); + clk_reparent(orphan, parent); + clk_enable_unlock(flags); __clk_recalc_accuracies(orphan); __clk_recalc_rates(orphan, 0); } Patches currently in stable-queue which might be from sboyd(a)codeaurora.org are queue-4.15/clk-at91-pmc-wait-for-clocks-when-resuming.patch queue-4.15/clk-si5351-rename-internal-plls-to-avoid-name-collisions.patch queue-4.15/clk-don-t-touch-hardware-when-reparenting-during-registration.patch queue-4.15/clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch

7 years, 5 months

1
0
0 0

Patch "clk: check ops pointer on clock register" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: check ops pointer on clock register to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-check-ops-pointer-on-clock-register.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Jerome Brunet <jbrunet(a)baylibre.com> Date: Tue, 19 Dec 2017 09:33:29 +0100 Subject: clk: check ops pointer on clock register From: Jerome Brunet <jbrunet(a)baylibre.com> [ Upstream commit 29fd2a34ef8d863e48183bd473ba57c8d7839e25 ] Nothing really prevents a provider from (trying to) register a clock without providing the clock ops structure. We do check the individual fields before using them, but not the structure pointer itself. This may have the usual nasty consequences when the pointer is dereferenced, most likely when checking one the field during the initialization. This is fixed by returning an error on clock register if the ops pointer is NULL. Signed-off-by: Jerome Brunet <jbrunet(a)baylibre.com> Signed-off-by: Michael Turquette <mturquette(a)baylibre.com> Link: lkml.kernel.org/r/20171219083329.24746-1-jbrunet@baylibre.com Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/clk.c | 7 +++++++ 1 file changed, 7 insertions(+) --- a/drivers/clk/clk.c +++ b/drivers/clk/clk.c @@ -2684,7 +2684,13 @@ struct clk *clk_register(struct device * ret = -ENOMEM; goto fail_name; } + + if (WARN_ON(!hw->init->ops)) { + ret = -EINVAL; + goto fail_ops; + } core->ops = hw->init->ops; + if (dev && pm_runtime_enabled(dev)) core->dev = dev; if (dev && dev->driver) @@ -2746,6 +2752,7 @@ fail_parent_names_copy: kfree_const(core->parent_names[i]); kfree(core->parent_names); fail_parent_names: +fail_ops: kfree_const(core->name); fail_name: kfree(core); Patches currently in stable-queue which might be from jbrunet(a)baylibre.com are queue-4.15/clk-check-ops-pointer-on-clock-register.patch queue-4.15/net-phy-meson-gxl-check-phy_write-return-value.patch queue-4.15/clk-use-round-rate-to-bail-out-early-in-set_rate.patch

7 years, 5 months

1
0
0 0

[GIT PULL] commits for Linux 4.15

by Sasha Levin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Greg, Pleae pull commits for Linux 4.15 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit cb4a115a42867def71fdcbf0d7b714f268ff37fd: Linux 4.15.7 (2018-02-28 10:21:39 +0100) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.15-19032018 for you to fetch changes up to 8ac2e9f63b965cc7e89b6a048ff4b86db67d7959: dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 (2018-03-19 11:26:35 -0400) - ---------------------------------------------------------------- for-greg-4.15-19032018 - ---------------------------------------------------------------- Alexandre Belloni (1): rtc: ac100: Fix multiple race conditions Alexey Kodanev (1): ip6_vti: adjust vti mtu according to mtu of lower device Anton Vasilyev (1): RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS Arnd Bergmann (1): cros_ec: fix nul-termination for firmware build info Artemy Kovalyov (1): IB/umem: Fix use of npages/nmap fields Balaji Pothunoori (1): ath10k: handling qos at STA side based on AP WMM enable/disable Benjamin Coddington (1): nfsd4: permit layoutget of executable-only files Bharat Potnuri (1): iser-target: avoid reinitializing rdma contexts for isert commands Bjorn Helgaas (2): PCI/ASPM: Calculate LTR_L1.2_THRESHOLD from device characteristics vgacon: Set VGA struct resource types BjÃ¸rn Mork (1): qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect Brian Norris (1): pinctrl: rockchip: enable clock when reading pin direction register Christophe JAILLET (1): media: bt8xx: Fix err 'bt878_probe()' Corey Minyard (1): ipmi_si: Fix error handling of platform device Daniel Drake (1): mmc: avoid removing non-removable hosts during suspend Erez Shitrit (1): IB/ipoib: Avoid memory leak if the SA returns a different DGID Florian Fainelli (1): pinctrl: Really force states during suspend/resume Gary R Hook (1): hwrng: core - Clean up RNG list when last hwrng is unregistered Geert Uytterhoeven (3): RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() spi: sh-msiof: Avoid writing to registers from spi_master.setup() PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures Guenter Roeck (2): watchdog: Fix potential kref imbalance when opening watchdog watchdog: Fix kref imbalance seen if handle_boot_enabled=0 Gustavo A. R. Silva (1): media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt H. Nikolaus Schaller (1): omapdrm: panel: fix compatible vendor string for td028ttec1 Haishuang Yan (2): ip_gre: fix error path when erspan_rcv failed ip_gre: fix potential memory leak in erspan_rcv Haiyang Zhang (2): hv_netvsc: Fix the receive buffer size limit hv_netvsc: Fix the TX/RX buffer default sizes James Smart (2): scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled scsi: lpfc: Fix issues connecting with nvme initiator Jerome Brunet (3): net: phy: meson-gxl: check phy_write return value clk: check ops pointer on clock register clk: use round rate to bail out early in set_rate Jerry Snitselaar (1): iommu/vt-d: clean up pr_irq if request_threaded_irq fails Joel Stanley (1): ARM: dts: aspeed-evb: Add unit name to memory node Johan Hovold (1): soc: qcom: smsm: fix child-node lookup Jonathan NeuschÃ¤fer (1): dt-bindings: display: panel: Fix compatible string for Toshiba LT089AC29000 Kedareswara rao Appana (1): dmaengine: zynqmp_dma: Fix race condition in the probe Kees Cook (1): /dev/mem: Add bounce buffer for copy-out Kishon Vijay Abraham I (1): PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit Lars Persson (1): crypto: artpec6 - set correct iv size for gcm(aes) Lars-Peter Clausen (1): clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() Liu, Changcheng (1): mmc: block: fix logical error to avoid memory leak Logan Gunthorpe (1): drm/tilcdc: ensure nonatomic iowrite64 is not used Loic Poulain (2): Bluetooth: hci_qca: Avoid setup failure on missing rampatch Bluetooth: btqcomsmd: Fix skb double free corruption Mauro Carvalho Chehab (1): media: davinci: fix a debug printk Neal Cardwell (1): tcp: allow TLP in ECN CWR NeilBrown (1): dm: ensure bio submission follows a depth-first tree walk Nicolas Iooss (1): rtlwifi: always initialize variables given to RT_TRACE() Niklas Cassel (1): PCI: endpoint: Fix find_first_zero_bit() usage Parav Pandit (1): RDMA/cma: Use correct size when writing netlink stats Peter Ujfalusi (1): drm/omap: DMM: Check for DMM readiness after successful transaction commit Pixel Ding (1): drm/amdgpu: use polling mem to set SDMA3 wptr for VF Prakash Kamliya (1): drm/msm: fix leak in failed get_pages Richard Leitner (1): net: fec: add phy_reset_after_clk_enable() support Robert Walker (1): coresight: Fix disabling of CoreSight TPIU Romain Izard (1): clk: at91: pmc: Wait for clocks when resuming Roman Gushchin (1): libbpf: prefer global symbols as bpf program name source Ron Economos (1): media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart Russell King (2): sfp: fix EEPROM reading in the case of non-SFF8472 SFPs sfp: fix non-detection of PHY Sahara (1): pty: cancel pty slave port buf's work in tty_release Sebastian Andrzej Siewior (1): tty: goldfish: Enable 'earlycon' only if built-in Sergej Sawazki (1): clk: si5351: Rename internal plls to avoid name collisions Shawn Nematbakhsh (1): platform/chrome: Use proper protocol transfer function Shuah Khan (1): media: s5p-mfc: Fix lock contention - request_firmware() once Stefan Potyra (1): serial: 8250_dw: Disable clock on error Stephen Boyd (1): clk: Don't touch hardware when reparenting during registration Tsang-Shian Lin (1): rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. Vignesh R (1): dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 Viresh Kumar (1): cpufreq: longhaul: Revert transition_delay_us to 200 ms Yonghong Song (1): bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog Yuval Shaia (1): IB/ipoib: Warn when one port fails to initialize Zhoujie Wu (1): mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable .../display/panel/toshiba,lt089ac29000.txt | 2 +- .../{toppoly,td028ttec1.txt => tpo,td028ttec1.txt} | 4 +- arch/alpha/kernel/console.c | 1 + arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +- drivers/bluetooth/btqcomsmd.c | 3 +- drivers/bluetooth/hci_qca.c | 3 + drivers/char/hw_random/core.c | 4 ++ drivers/char/ipmi/ipmi_si_intf.c | 9 ++- drivers/char/mem.c | 27 ++++++-- drivers/clk/at91/pmc.c | 24 +++++--- drivers/clk/clk-axi-clkgen.c | 29 +++++++-- drivers/clk/clk-si5351.c | 2 +- drivers/clk/clk.c | 39 ++++++++++-- drivers/cpufreq/longhaul.c | 2 +- drivers/crypto/axis/artpec6_crypto.c | 5 +- drivers/dma/ti-dma-crossbar.c | 10 ++- drivers/dma/xilinx/zynqmp_dma.c | 3 +- drivers/gpu/drm/amd/amdgpu/amdgpu_ring.h | 1 + drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 27 +++++--- drivers/gpu/drm/msm/msm_gem.c | 14 +++-- .../drm/omapdrm/displays/panel-tpo-td028ttec1.c | 3 + drivers/gpu/drm/omapdrm/omap_dmm_tiler.c | 5 ++ drivers/gpu/drm/tilcdc/tilcdc_regs.h | 2 +- drivers/hwtracing/coresight/coresight-tpiu.c | 13 +++- drivers/infiniband/core/cma.c | 2 +- drivers/infiniband/core/iwpm_util.c | 1 + drivers/infiniband/core/umem.c | 2 +- drivers/infiniband/hw/ocrdma/ocrdma_stats.c | 2 +- drivers/infiniband/ulp/ipoib/ipoib_main.c | 23 ++++++- drivers/infiniband/ulp/isert/ib_isert.c | 7 +++ drivers/infiniband/ulp/isert/ib_isert.h | 1 + drivers/iommu/intel-svm.c | 9 ++- drivers/md/dm.c | 33 +++++++--- drivers/media/dvb-frontends/si2168.c | 3 + drivers/media/pci/bt8xx/bt878.c | 3 +- drivers/media/platform/davinci/vpif_capture.c | 4 +- drivers/media/platform/s5p-mfc/s5p_mfc.c | 6 ++ drivers/media/platform/s5p-mfc/s5p_mfc_common.h | 3 + drivers/media/platform/s5p-mfc/s5p_mfc_ctrl.c | 5 ++ .../media/platform/sti/c8sectpfe/c8sectpfe-core.c | 4 +- drivers/mmc/core/block.c | 1 + drivers/mmc/core/core.c | 8 +++ drivers/mmc/host/sdhci-xenon.c | 7 +++ drivers/net/ethernet/freescale/fec_main.c | 20 ++++++ drivers/net/hyperv/hyperv_net.h | 19 +++++- drivers/net/hyperv/netvsc.c | 5 ++ drivers/net/hyperv/netvsc_drv.c | 4 -- drivers/net/phy/meson-gxl.c | 50 +++++++++++---- drivers/net/phy/sfp.c | 15 +++-- drivers/net/usb/qmi_wwan.c | 4 +- drivers/net/wireless/ath/ath10k/mac.c | 2 +- drivers/net/wireless/realtek/rtlwifi/base.c | 2 +- drivers/net/wireless/realtek/rtlwifi/pci.c | 7 +++ drivers/pci/dwc/pcie-designware-ep.c | 12 +--- drivers/pci/dwc/pcie-designware.h | 1 + drivers/pci/endpoint/pci-ep-cfs.c | 5 +- drivers/pci/host/pcie-rcar.c | 5 +- drivers/pci/pcie/aspm.c | 71 ++++++++++++++-------- drivers/pinctrl/core.c | 24 +++++--- drivers/pinctrl/pinctrl-rockchip.c | 8 +++ drivers/platform/chrome/cros_ec_proto.c | 8 ++- drivers/platform/chrome/cros_ec_sysfs.c | 2 +- drivers/rtc/rtc-ac100.c | 19 +++--- drivers/scsi/lpfc/lpfc_ct.c | 1 + drivers/scsi/lpfc/lpfc_els.c | 30 ++++++--- drivers/scsi/lpfc/lpfc_nportdisc.c | 34 +++++------ drivers/soc/qcom/smsm.c | 6 +- drivers/spi/spi-sh-msiof.c | 35 +++++++---- drivers/tty/Kconfig | 6 +- drivers/tty/goldfish.c | 2 + drivers/tty/serial/8250/8250_dw.c | 3 +- drivers/tty/tty_io.c | 2 + drivers/video/console/vgacon.c | 34 ++++++++--- .../omap2/omapfb/displays/panel-tpo-td028ttec1.c | 3 + drivers/watchdog/watchdog_dev.c | 17 +++--- fs/nfsd/nfs4proc.c | 6 +- include/uapi/linux/bpf.h | 3 +- kernel/bpf/cgroup.c | 15 ++++- net/ipv4/ip_gre.c | 6 +- net/ipv4/tcp_output.c | 9 +-- net/ipv6/ip6_vti.c | 20 ++++++ security/Kconfig | 1 + tools/lib/bpf/libbpf.c | 2 + 83 files changed, 644 insertions(+), 232 deletions(-) rename Documentation/devicetree/bindings/display/panel/{toppoly,td028ttec1.txt => tpo,td028ttec1.txt} (84%) -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJar9lsAAoJEN6mb/eXdyzcEt0P/iAPf2GsvzVvL79kScYHuUIf DS51y1rw/yRcH6zUyuFJYxhCz5HUsYLfR5L4mJNQ98LkQgiISU4ncKnMc8wlleNn 2wKDTsmpUsswcTducxYQnfwyMKBM6tnCp/ue7losXjjDOb19MhxNd6o2ts2TaiV3 yDsaG1OXK0jpZPdxu/N4b+7wrDOsqSSMwWItbxkOPj2ax+jakVxASMFNxfP4Smjo x0pOZpmzUiG/B7FxkfTHkD8O2BL1zv+0dQcMISosZusf1nopEeeECIqhI6DfIeFu Lp65ZuZxOpIcEyQu1vuJ8B3QVa0kZ8jDnBXAAUNI2BjPGOlj5AM2QJXTysa/xcnF K1pk3PXsK+iPISnxWXBjxvPJKZ1uu6KstMzKaD4VRA8kbJ1UdPv4MvrKPTRuC9lx JW7CyIixfwrSJXfHMFmMh75BM+NpGENwntC8j3xPPeLBsmfibdzyYxbprduOrYKT uxFHkn0/E2eyGjCMw+ftvoV+lULnDB9Z4i/B66WpbCIa8HFj1jVqLA93ZXzEuJEz hlfJ4yDt245nt1o4s6OQNC+dDsFKRcVJVw2Nr+cHO3imOI5xgNcgz5vGEEexx1J8 hdESXmKt4X9D8LNStJ1kR0qkxhJ1PiecSjmNsfiGX0nVsZjX1jCqK3mwrw3RxMHj sOtjfOq9Bgk6qGsysPcH =vB4i -----END PGP SIGNATURE-----

7 years, 5 months

2
1
0 0

Patch "clk: axi-clkgen: Correctly handle nocount bit in recalc_rate()" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Lars-Peter Clausen <lars(a)metafoo.de> Date: Tue, 5 Sep 2017 11:32:40 +0200 Subject: clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() From: Lars-Peter Clausen <lars(a)metafoo.de> [ Upstream commit 063578dc5f407f67d149133818efabe457daafda ] If the nocount bit is set the divider is bypassed and the settings for the divider count should be ignored and a divider value of 1 should be assumed. Handle this correctly in the driver recalc_rate() callback. While the driver sets up the part so that the read back dividers values yield the correct result the power-on reset settings of the part might not reflect this and hence calling e.g. clk_get_rate() without prior calls to clk_set_rate() will yield the wrong result. Signed-off-by: Lars-Peter Clausen <lars(a)metafoo.de> Signed-off-by: Stephen Boyd <sboyd(a)codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/clk-axi-clkgen.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) --- a/drivers/clk/clk-axi-clkgen.c +++ b/drivers/clk/clk-axi-clkgen.c @@ -40,6 +40,10 @@ #define MMCM_REG_FILTER1 0x4e #define MMCM_REG_FILTER2 0x4f +#define MMCM_CLKOUT_NOCOUNT BIT(6) + +#define MMCM_CLK_DIV_NOCOUNT BIT(12) + struct axi_clkgen { void __iomem *base; struct clk_hw clk_hw; @@ -315,12 +319,27 @@ static unsigned long axi_clkgen_recalc_r unsigned int reg; unsigned long long tmp; - axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, &reg); - dout = (reg & 0x3f) + ((reg >> 6) & 0x3f); + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_2, &reg); + if (reg & MMCM_CLKOUT_NOCOUNT) { + dout = 1; + } else { + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLKOUT0_1, &reg); + dout = (reg & 0x3f) + ((reg >> 6) & 0x3f); + } + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_DIV, &reg); - d = (reg & 0x3f) + ((reg >> 6) & 0x3f); - axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, &reg); - m = (reg & 0x3f) + ((reg >> 6) & 0x3f); + if (reg & MMCM_CLK_DIV_NOCOUNT) + d = 1; + else + d = (reg & 0x3f) + ((reg >> 6) & 0x3f); + + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB2, &reg); + if (reg & MMCM_CLKOUT_NOCOUNT) { + m = 1; + } else { + axi_clkgen_mmcm_read(axi_clkgen, MMCM_REG_CLK_FB1, &reg); + m = (reg & 0x3f) + ((reg >> 6) & 0x3f); + } if (d == 0 || dout == 0) return 0; Patches currently in stable-queue which might be from lars(a)metafoo.de are queue-4.15/clk-axi-clkgen-correctly-handle-nocount-bit-in-recalc_rate.patch

7 years, 5 months

1
0
0 0

Patch "clk: at91: pmc: Wait for clocks when resuming" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled clk: at91: pmc: Wait for clocks when resuming to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: clk-at91-pmc-wait-for-clocks-when-resuming.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Romain Izard <romain.izard.pro(a)gmail.com> Date: Mon, 11 Dec 2017 17:55:33 +0100 Subject: clk: at91: pmc: Wait for clocks when resuming From: Romain Izard <romain.izard.pro(a)gmail.com> [ Upstream commit 960e1c4d93be86d3b118fe22d4edc69e401b28b5 ] Wait for the syncronization of all clocks when resuming, not only the UPLL clock. Do not use regmap_read_poll_timeout, as it will call BUG() when interrupts are masked, which is the case in here. Signed-off-by: Romain Izard <romain.izard.pro(a)gmail.com> Acked-by: Ludovic Desroches <ludovic.desroches(a)microchip.com> Acked-by: Nicolas Ferre <nicolas.ferre(a)microchip.com> Acked-by: Alexandre Belloni <alexandre.belloni(a)free-electrons.com> Signed-off-by: Stephen Boyd <sboyd(a)codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/clk/at91/pmc.c | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) --- a/drivers/clk/at91/pmc.c +++ b/drivers/clk/at91/pmc.c @@ -107,10 +107,20 @@ static int pmc_suspend(void) return 0; } +static bool pmc_ready(unsigned int mask) +{ + unsigned int status; + + regmap_read(pmcreg, AT91_PMC_SR, &status); + + return ((status & mask) == mask) ? 1 : 0; +} + static void pmc_resume(void) { - int i, ret = 0; + int i; u32 tmp; + u32 mask = AT91_PMC_MCKRDY | AT91_PMC_LOCKA; regmap_read(pmcreg, AT91_PMC_MCKR, &tmp); if (pmc_cache.mckr != tmp) @@ -134,13 +144,11 @@ static void pmc_resume(void) AT91_PMC_PCR_CMD); } - if (pmc_cache.uckr & AT91_PMC_UPLLEN) { - ret = regmap_read_poll_timeout(pmcreg, AT91_PMC_SR, tmp, - !(tmp & AT91_PMC_LOCKU), - 10, 5000); - if (ret) - pr_crit("USB PLL didn't lock when resuming\n"); - } + if (pmc_cache.uckr & AT91_PMC_UPLLEN) + mask |= AT91_PMC_LOCKU; + + while (!pmc_ready(mask)) + cpu_relax(); } static struct syscore_ops pmc_syscore_ops = { Patches currently in stable-queue which might be from romain.izard.pro(a)gmail.com are queue-4.15/clk-at91-pmc-wait-for-clocks-when-resuming.patch

7 years, 5 months

1
0
0 0

Patch "bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: bpf-cgroup-fix-a-verification-error-for-a-cgroup_device-type-prog.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Yonghong Song <yhs(a)fb.com> Date: Mon, 18 Dec 2017 10:13:44 -0800 Subject: bpf/cgroup: fix a verification error for a CGROUP_DEVICE type prog From: Yonghong Song <yhs(a)fb.com> [ Upstream commit 06ef0ccb5a36e1feba9b413ff59a04ecc4407c1c ] The tools/testing/selftests/bpf test program test_dev_cgroup fails with the following error when compiled with llvm 6.0. (I did not try with earlier versions.) libbpf: load bpf program failed: Permission denied libbpf: -- BEGIN DUMP LOG --- libbpf: 0: (61) r2 = *(u32 *)(r1 +4) 1: (b7) r0 = 0 2: (55) if r2 != 0x1 goto pc+8 R0=inv0 R1=ctx(id=0,off=0,imm=0) R2=inv1 R10=fp0 3: (69) r2 = *(u16 *)(r1 +0) invalid bpf_context access off=0 size=2 ... The culprit is the following statement in dev_cgroup.c: short type = ctx->access_type & 0xFFFF; This code is typical as the ctx->access_type is assigned as below in kernel/bpf/cgroup.c: struct bpf_cgroup_dev_ctx ctx = { .access_type = (access << 16) | dev_type, .major = major, .minor = minor, }; The compiler converts it to u16 access while the verifier cgroup_dev_is_valid_access rejects any non u32 access. This patch permits the field access_type to be accessible with type u16 and u8 as well. Signed-off-by: Yonghong Song <yhs(a)fb.com> Tested-by: Roman Gushchin <guro(a)fb.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- include/uapi/linux/bpf.h | 3 ++- kernel/bpf/cgroup.c | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 3 deletions(-) --- a/include/uapi/linux/bpf.h +++ b/include/uapi/linux/bpf.h @@ -995,7 +995,8 @@ struct bpf_perf_event_value { #define BPF_DEVCG_DEV_CHAR (1ULL << 1) struct bpf_cgroup_dev_ctx { - __u32 access_type; /* (access << 16) | type */ + /* access_type encoded as (BPF_DEVCG_ACC_* << 16) | BPF_DEVCG_DEV_* */ + __u32 access_type; __u32 major; __u32 minor; }; --- a/kernel/bpf/cgroup.c +++ b/kernel/bpf/cgroup.c @@ -568,6 +568,8 @@ static bool cgroup_dev_is_valid_access(i enum bpf_access_type type, struct bpf_insn_access_aux *info) { + const int size_default = sizeof(__u32); + if (type == BPF_WRITE) return false; @@ -576,8 +578,17 @@ static bool cgroup_dev_is_valid_access(i /* The verifier guarantees that size > 0. */ if (off % size != 0) return false; - if (size != sizeof(__u32)) - return false; + + switch (off) { + case bpf_ctx_range(struct bpf_cgroup_dev_ctx, access_type): + bpf_ctx_record_field_size(info, size_default); + if (!bpf_ctx_narrow_access_ok(off, size, size_default)) + return false; + break; + default: + if (size != size_default) + return false; + } return true; } Patches currently in stable-queue which might be from yhs(a)fb.com are queue-4.15/bpf-cgroup-fix-a-verification-error-for-a-cgroup_device-type-prog.patch

7 years, 5 months

1
0
0 0

Patch "Bluetooth: hci_qca: Avoid setup failure on missing rampatch" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Bluetooth: hci_qca: Avoid setup failure on missing rampatch to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Loic Poulain <loic.poulain(a)linaro.org> Date: Mon, 6 Nov 2017 12:16:56 +0100 Subject: Bluetooth: hci_qca: Avoid setup failure on missing rampatch From: Loic Poulain <loic.poulain(a)linaro.org> [ Upstream commit ba8f3597900291a93604643017fff66a14546015 ] Assuming that the original code idea was to enable in-band sleeping only if the setup_rome method returns succes and run in 'standard' mode otherwise, we should not return setup_rome return value which makes qca_setup fail if no rampatch/nvm file found. This fixes BT issue on the dragonboard-820C p4 which includes the following QCA controller: hci0: Product:0x00000008 hci0: Patch :0x00000111 hci0: ROM :0x00000302 hci0: SOC :0x00000044 Since there is no rampatch for this controller revision, just make it work as is. Signed-off-by: Loic Poulain <loic.poulain(a)linaro.org> Signed-off-by: Marcel Holtmann <marcel(a)holtmann.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/bluetooth/hci_qca.c | 3 +++ 1 file changed, 3 insertions(+) --- a/drivers/bluetooth/hci_qca.c +++ b/drivers/bluetooth/hci_qca.c @@ -932,6 +932,9 @@ static int qca_setup(struct hci_uart *hu if (!ret) { set_bit(STATE_IN_BAND_SLEEP_ENABLED, &qca->flags); qca_debugfs_init(hdev); + } else if (ret == -ENOENT) { + /* No patch/nvm-config found, run with original fw/config */ + ret = 0; } /* Setup bdaddr */ Patches currently in stable-queue which might be from loic.poulain(a)linaro.org are queue-4.15/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch queue-4.15/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch

7 years, 5 months

1
0
0 0

Patch "Bluetooth: btqcomsmd: Fix skb double free corruption" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled Bluetooth: btqcomsmd: Fix skb double free corruption to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Loic Poulain <loic.poulain(a)linaro.org> Date: Wed, 22 Nov 2017 15:03:17 +0100 Subject: Bluetooth: btqcomsmd: Fix skb double free corruption From: Loic Poulain <loic.poulain(a)linaro.org> [ Upstream commit 67b8fbead4685b36d290a0ef91c6ddffc4920ec9 ] In case of hci send frame failure, skb is still owned by the caller (hci_core) and then should not be freed. This fixes crash on dragonboard-410c when sending SCO packet. skb is freed by both btqcomsmd and hci_core. Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver") Signed-off-by: Loic Poulain <loic.poulain(a)linaro.org> Signed-off-by: Marcel Holtmann <marcel(a)holtmann.org> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/bluetooth/btqcomsmd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/drivers/bluetooth/btqcomsmd.c +++ b/drivers/bluetooth/btqcomsmd.c @@ -88,7 +88,8 @@ static int btqcomsmd_send(struct hci_dev break; } - kfree_skb(skb); + if (!ret) + kfree_skb(skb); return ret; } Patches currently in stable-queue which might be from loic.poulain(a)linaro.org are queue-4.15/bluetooth-btqcomsmd-fix-skb-double-free-corruption.patch queue-4.15/bluetooth-hci_qca-avoid-setup-failure-on-missing-rampatch.patch

7 years, 5 months

1
0
0 0

Patch "ath10k: handling qos at STA side based on AP WMM enable/disable" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ath10k: handling qos at STA side based on AP WMM enable/disable to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:39 CET 2018 From: Balaji Pothunoori <bpothuno(a)qti.qualcomm.com> Date: Thu, 7 Dec 2017 16:58:04 +0200 Subject: ath10k: handling qos at STA side based on AP WMM enable/disable From: Balaji Pothunoori <bpothuno(a)qti.qualcomm.com> [ Upstream commit 07ffb4497360ae8789f05555fec8171ee952304d ] Data packets are not sent by STA in case of STA joined to non QOS AP (WMM disabled AP). This is happening because of STA is sending data packets to firmware from host with qos enabled along with non qos queue value(TID = 16). Due to qos enabled, firmware is discarding the packet. This patch fixes this issue by updating the qos based on station WME capability field if WMM is disabled in AP. This patch is required by 10.4 family chipsets like QCA4019/QCA9888/QCA9884/QCA99X0. Firmware Versoin : 10.4-3.5.1-00018. For 10.2.4 family chipsets QCA988X/QCA9887 and QCA6174 this patch has no effect. Signed-off-by: Balaji Pothunoori <bpothuno(a)qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo(a)qca.qualcomm.com> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/net/wireless/ath/ath10k/mac.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/net/wireless/ath/ath10k/mac.c +++ b/drivers/net/wireless/ath/ath10k/mac.c @@ -2563,7 +2563,7 @@ static void ath10k_peer_assoc_h_qos(stru } break; case WMI_VDEV_TYPE_STA: - if (vif->bss_conf.qos) + if (sta->wme) arg->peer_flags |= arvif->ar->wmi.peer_flags->qos; break; case WMI_VDEV_TYPE_IBSS: Patches currently in stable-queue which might be from bpothuno(a)qti.qualcomm.com are queue-4.15/ath10k-handling-qos-at-sta-side-based-on-ap-wmm-enable-disable.patch

7 years, 5 months

1
0
0 0

Patch "ARM: dts: aspeed-evb: Add unit name to memory node" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled ARM: dts: aspeed-evb: Add unit name to memory node to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Thu Mar 22 14:03:40 CET 2018 From: Joel Stanley <joel(a)jms.id.au> Date: Mon, 18 Dec 2017 23:27:03 +1030 Subject: ARM: dts: aspeed-evb: Add unit name to memory node From: Joel Stanley <joel(a)jms.id.au> [ Upstream commit e40ed274489a5f516da120186578eb379b452ac6 ] Fixes a warning when building with W=1. All of the ASPEED device trees build without warnings now. Signed-off-by: Joel Stanley <joel(a)jms.id.au> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/arm/boot/dts/aspeed-ast2500-evb.dts +++ b/arch/arm/boot/dts/aspeed-ast2500-evb.dts @@ -16,7 +16,7 @@ bootargs = "console=ttyS4,115200 earlyprintk"; }; - memory { + memory@80000000 { reg = <0x80000000 0x20000000>; }; }; Patches currently in stable-queue which might be from joel(a)jms.id.au are queue-4.15/arm-dts-aspeed-evb-add-unit-name-to-memory-node.patch

7 years, 5 months

1
0
0 0

Linux 3.18.101

by Greg KH

I'm announcing the release of the 3.18.101 kernel. All users of the 3.18 kernel series must upgrade. The updated 3.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.18.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/am335x-pepper.dts | 2 arch/arm/boot/dts/moxart-uc7112lx.dts | 2 arch/arm/boot/dts/moxart.dtsi | 17 ++++--- arch/arm/boot/dts/omap3-n900.dts | 4 - arch/arm/boot/dts/r8a7790.dtsi | 7 ++- arch/arm/boot/dts/r8a7791.dtsi | 7 ++- arch/mips/net/bpf_jit.c | 16 +++++-- arch/powerpc/mm/fault.c | 2 arch/x86/kernel/kprobes/core.c | 6 ++ arch/x86/kernel/kprobes/opt.c | 3 + block/blk-throttle.c | 11 ++++ drivers/gpu/drm/drm_irq.c | 14 +++++- drivers/gpu/drm/radeon/radeon_display.c | 6 ++ drivers/hid/hid-elo.c | 6 ++ drivers/hid/hid-input.c | 20 ++++++--- drivers/input/touchscreen/tsc2007.c | 8 +++ drivers/iommu/iova.c | 2 drivers/media/i2c/soc_camera/ov6650.c | 2 drivers/media/usb/cpia2/cpia2_v4l.c | 4 - drivers/mtd/nand/nand_base.c | 9 +++- drivers/net/ethernet/apm/xgene/xgene_enet_hw.c | 1 drivers/net/ethernet/apm/xgene/xgene_enet_hw.h | 1 drivers/net/ethernet/faraday/ftgmac100.c | 1 drivers/net/ethernet/intel/fm10k/fm10k_ethtool.c | 2 drivers/net/veth.c | 3 + drivers/net/wireless/ath/ath10k/debug.c | 9 ++++ drivers/net/wireless/ath/wil6210/main.c | 20 +++++++-- drivers/of/device.c | 2 drivers/pci/pci-driver.c | 2 drivers/scsi/ipr.c | 16 +++++-- drivers/scsi/scsi_devinfo.c | 2 drivers/scsi/sg.c | 36 +++++++++------- drivers/spi/spi-omap2-mcspi.c | 9 ++-- drivers/spi/spi-sun6i.c | 2 drivers/usb/gadget/udc/dummy_hcd.c | 20 +++------ drivers/video/fbdev/amba-clcd.c | 4 - fs/aio.c | 42 +++++++++++++------ fs/dcache.c | 11 +++- fs/reiserfs/journal.c | 2 fs/reiserfs/reiserfs.h | 1 fs/reiserfs/super.c | 21 ++++++--- include/linux/pagemap.h | 4 - include/linux/platform_data/isl9305.h | 2 include/net/tcp.h | 8 ++- kernel/printk/braille.c | 15 +++--- kernel/printk/braille.h | 13 ++++- kernel/sched/core.c | 3 - kernel/time/sched_clock.c | 5 ++ net/batman-adv/bridge_loop_avoidance.c | 20 +++++++-- net/mac80211/iface.c | 2 net/sched/act_csum.c | 12 +++++ net/xfrm/xfrm_policy.c | 2 net/xfrm/xfrm_state.c | 7 +++ security/apparmor/lsm.c | 2 security/integrity/ima/ima_appraise.c | 3 - security/selinux/hooks.c | 8 +++ sound/core/oss/pcm_oss.c | 10 ++-- sound/core/seq/seq_clientmgr.c | 4 - sound/core/seq/seq_prioq.c | 28 ++++++------ sound/core/seq/seq_prioq.h | 6 -- sound/core/seq/seq_queue.c | 28 ++++-------- sound/soc/nuc900/nuc900-ac97.c | 4 - tools/perf/util/event.c | 4 - tools/perf/util/ordered-events.c | 3 - tools/perf/util/session.c | 17 ++++++- tools/testing/selftests/rcutorture/bin/configinit.sh | 2 tools/usb/usbip/src/usbipd.c | 2 68 files changed, 389 insertions(+), 182 deletions(-) Akinobu Mita (1): spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer Al Viro (1): lock_parent() needs to recheck if dentry got __dentry_kill'ed under it Alexander Potapenko (1): selinux: check for address length in selinux_socket_bind() Andreas Pape (1): batman-adv: handle race condition for claims between gateways Andrew F. Davis (2): ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin ARM: dts: omap3-n900: Fix the audio CODEC's reset pin Andrew Lunn (1): net/faraday: Add missing include of of.h Anton Blanchard (1): powerpc: Avoid taking a data miss on every userspace instruction miss Brian King (1): scsi: ipr: Fix missed EH wakeup Chris Wilson (1): drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off) Christopher James Halse Rogers (1): drm/radeon: Fail fb creation from imported dma-bufs. Dan Carpenter (2): media: cpia2: Fix a couple off by one bugs ASoC: nuc900: Fix a loop timeout test David Carrillo-Cisneros (2): perf inject: Copy events when reordering events in pipe mode perf session: Don't rely on evlist in pipe mode David Daney (1): MIPS: BPF: Quit clobbering callee saved registers in JIT code. David Engraf (1): timers, sched_clock: Update timeout for clock wrap Davide Caratti (1): sched: act_csum: don't mangle TCP and UDP GSO packets Dedy Lansky (1): wil6210: fix memory access violation in wil_memcpy_from/toio_32 Gao Feng (1): tcp: sysctl: Fix a race to avoid unexpected 0 window from space Geert Uytterhoeven (2): ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks ARM: dts: r8a7791: Correct parent of SSI[0-9] clocks Greg Kroah-Hartman (1): Linux 3.18.101 H. Nikolaus Schaller (1): Input: tsc2007 - check for presence and power down tsc2007 during probe Hannes Reinecke (1): scsi: sg: close race condition in sg_remove_sfp_usercontext() Jan Kara (1): reiserfs: Make cancel_old_flush() reliable Janusz Krzysztofik (1): media: i2c/soc_camera: fix ov6650 sensor getting wrong clock Jiri Kosina (1): HID: elo: clear BTN_LEFT mapping Johannes Thumshirn (4): scsi: sg: check for valid direction before starting the request scsi: sg: fix SG_DXFER_FROM_DEV transfers scsi: sg: fix static checker warning in sg_is_valid_dxfer scsi: sg: only check for dxfer_len greater than 256M John Johansen (1): apparmor: Make path_max parameter readonly Julien BOIBESSOT (1): tools/usbip: fixes build with musl libc toolchain Kirill A. Shutemov (1): mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative() Liam Beguin (1): video: ARM CLCD: fix dma allocation size Linus Walleij (1): ARM: dts: Adjust moxart IRQ controller and flags Lorenzo Colitti (1): net: xfrm: allow clearing socket xfrm policies. Luca Coelho (1): mac80211: remove BUG() when interface type is invalid Masami Hiramatsu (2): kprobes/x86: Fix kprobe-booster not to boost far call instructions kprobes/x86: Set kprobes pages read-only Mimi Zohar (1): ima: relax requiring a file signature for new files with zero length Miquel Raynal (1): mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() Mohammed Shafi Shajakhan (1): ath10k: disallow DFS simulation if DFS channel is not enabled Nate Watterson (1): iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range Paul E. McKenney (1): sched: Stop resched_cpu() from sending IPIs to offline CPUs Phil Turnbull (1): fm10k: correctly check if interface is removed Prarit Bhargava (1): PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown() Quan Nguyen (1): drivers: net: xgene: Fix hardware checksum setting Rob Herring (1): of: fix of_device_get_modalias returned length when truncating buffers Samuel Thibault (1): braille-console: Fix value returned by _braille_console_setup SeongJae Park (1): rcutorture/configinit: Fix build directory error message Shaohua Li (1): blk-throttle: make sure expire time isn't too big Stephane Eranian (1): perf tools: Make perf_event__synthesize_mmap_events() scale Stephen Hemminger (1): veth: set peer GSO values Takashi Iwai (3): ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats() ALSA: seq: Fix possible UAF in snd_seq_check_queue() ALSA: seq: Clear client entry before deleting else at closing Tejun Heo (2): fs/aio: Add explicit RCU grace period when freeing kioctx fs/aio: Use RCU accessors for kioctx_table->table[] Tobias Jordan (1): spi: sun6i: disable/unprepare clocks on remove Tomasz Kramkowski (1): HID: clamp input to logical range if no null state Valtteri Heikkilä (1): HID: reject input outside logical range only if null state is set Vincent Stehlé (1): regulator: isl9305: fix array size Xose Vazquez Perez (1): scsi: devinfo: apply to HP XP the same flags as Hitachi VSP Yuyang Du (1): usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control()

7 years, 5 months

2
2
0 0

Patch "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ashmem: Fix possible deadlock in ashmem_ioctl to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 740a5759bf222332fbb5eda42f89aa25ba38f9b2 Mon Sep 17 00:00:00 2001 From: Yisheng Xie <xieyisheng1(a)huawei.com> Date: Wed, 28 Feb 2018 14:59:22 +0800 Subject: staging: android: ashmem: Fix possible deadlock in ashmem_ioctl From: Yisheng Xie <xieyisheng1(a)huawei.com> commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream. ashmem_mutex may create a chain of dependencies like: CPU0 CPU1 mmap syscall ioctl syscall -> mmap_sem (acquired) -> ashmem_ioctl -> ashmem_mmap -> ashmem_mutex (acquired) -> ashmem_mutex (try to acquire) -> copy_from_user -> mmap_sem (try to acquire) There is a lock odering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by move copy_from_user out of ashmem_mutex. [1] https://www.spinics.net/lists/kernel/msg2733200.html Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) Reported-by: syzbot+d7a918a7a8e1c952bc36(a)syzkaller.appspotmail.com Signed-off-by: Yisheng Xie <xieyisheng1(a)huawei.com> Cc: "Joel Fernandes (Google)" <joel.opensrc(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ashmem.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -718,16 +718,14 @@ static int ashmem_pin_unpin(struct ashme size_t pgstart, pgend; int ret = -EINVAL; + if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) + return -EFAULT; + mutex_lock(&ashmem_mutex); if (unlikely(!asma->file)) goto out_unlock; - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { - ret = -EFAULT; - goto out_unlock; - } - /* per custom, you can pass zero for len to mean "everything onward" */ if (!pin.len) pin.len = PAGE_ALIGN(asma->size) - pin.offset; Patches currently in stable-queue which might be from xieyisheng1(a)huawei.com are queue-4.9/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch

7 years, 5 months

1
0
0 0

[PATCH 4.9 v2 0/2] Clear LED_BLINK_SW flag in led_blink_set()

by Jacek Anaszewski

The fix for brightness setting when setting delay_off=0 introduces a regression and has truncated commit message. Revert that patch and apply the one-line change required to fix the original issue in the way appropriate for the 4.9 code base. Changes from v1: - added Reported-by and Signed-off-by tags Thanks, Jacek Anaszewski Jacek Anaszewski (2): Revert "led: core: Fix brightness setting when setting delay_off=0" led: core: Clear LED_BLINK_SW flag in led_blink_set() drivers/leds/led-core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) -- 2.1.4

7 years, 5 months

3
5
0 0

Patch "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ashmem: Fix possible deadlock in ashmem_ioctl to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 740a5759bf222332fbb5eda42f89aa25ba38f9b2 Mon Sep 17 00:00:00 2001 From: Yisheng Xie <xieyisheng1(a)huawei.com> Date: Wed, 28 Feb 2018 14:59:22 +0800 Subject: staging: android: ashmem: Fix possible deadlock in ashmem_ioctl From: Yisheng Xie <xieyisheng1(a)huawei.com> commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream. ashmem_mutex may create a chain of dependencies like: CPU0 CPU1 mmap syscall ioctl syscall -> mmap_sem (acquired) -> ashmem_ioctl -> ashmem_mmap -> ashmem_mutex (acquired) -> ashmem_mutex (try to acquire) -> copy_from_user -> mmap_sem (try to acquire) There is a lock odering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by move copy_from_user out of ashmem_mutex. [1] https://www.spinics.net/lists/kernel/msg2733200.html Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) Reported-by: syzbot+d7a918a7a8e1c952bc36(a)syzkaller.appspotmail.com Signed-off-by: Yisheng Xie <xieyisheng1(a)huawei.com> Cc: "Joel Fernandes (Google)" <joel.opensrc(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ashmem.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -703,16 +703,14 @@ static int ashmem_pin_unpin(struct ashme size_t pgstart, pgend; int ret = -EINVAL; + if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) + return -EFAULT; + mutex_lock(&ashmem_mutex); if (unlikely(!asma->file)) goto out_unlock; - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { - ret = -EFAULT; - goto out_unlock; - } - /* per custom, you can pass zero for len to mean "everything onward" */ if (!pin.len) pin.len = PAGE_ALIGN(asma->size) - pin.offset; Patches currently in stable-queue which might be from xieyisheng1(a)huawei.com are queue-4.4/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch

7 years, 5 months

1
0
0 0

Patch "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" has been added to the 4.15-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ashmem: Fix possible deadlock in ashmem_ioctl to the 4.15-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch and it can be found in the queue-4.15 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 740a5759bf222332fbb5eda42f89aa25ba38f9b2 Mon Sep 17 00:00:00 2001 From: Yisheng Xie <xieyisheng1(a)huawei.com> Date: Wed, 28 Feb 2018 14:59:22 +0800 Subject: staging: android: ashmem: Fix possible deadlock in ashmem_ioctl From: Yisheng Xie <xieyisheng1(a)huawei.com> commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream. ashmem_mutex may create a chain of dependencies like: CPU0 CPU1 mmap syscall ioctl syscall -> mmap_sem (acquired) -> ashmem_ioctl -> ashmem_mmap -> ashmem_mutex (acquired) -> ashmem_mutex (try to acquire) -> copy_from_user -> mmap_sem (try to acquire) There is a lock odering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by move copy_from_user out of ashmem_mutex. [1] https://www.spinics.net/lists/kernel/msg2733200.html Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) Reported-by: syzbot+d7a918a7a8e1c952bc36(a)syzkaller.appspotmail.com Signed-off-by: Yisheng Xie <xieyisheng1(a)huawei.com> Cc: "Joel Fernandes (Google)" <joel.opensrc(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ashmem.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -709,16 +709,14 @@ static int ashmem_pin_unpin(struct ashme size_t pgstart, pgend; int ret = -EINVAL; + if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) + return -EFAULT; + mutex_lock(&ashmem_mutex); if (unlikely(!asma->file)) goto out_unlock; - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { - ret = -EFAULT; - goto out_unlock; - } - /* per custom, you can pass zero for len to mean "everything onward" */ if (!pin.len) pin.len = PAGE_ALIGN(asma->size) - pin.offset; Patches currently in stable-queue which might be from xieyisheng1(a)huawei.com are queue-4.15/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch

7 years, 5 months

1
0
0 0

Patch "staging: android: ashmem: Fix possible deadlock in ashmem_ioctl" has been added to the 4.14-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ashmem: Fix possible deadlock in ashmem_ioctl to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From 740a5759bf222332fbb5eda42f89aa25ba38f9b2 Mon Sep 17 00:00:00 2001 From: Yisheng Xie <xieyisheng1(a)huawei.com> Date: Wed, 28 Feb 2018 14:59:22 +0800 Subject: staging: android: ashmem: Fix possible deadlock in ashmem_ioctl From: Yisheng Xie <xieyisheng1(a)huawei.com> commit 740a5759bf222332fbb5eda42f89aa25ba38f9b2 upstream. ashmem_mutex may create a chain of dependencies like: CPU0 CPU1 mmap syscall ioctl syscall -> mmap_sem (acquired) -> ashmem_ioctl -> ashmem_mmap -> ashmem_mutex (acquired) -> ashmem_mutex (try to acquire) -> copy_from_user -> mmap_sem (try to acquire) There is a lock odering problem between mmap_sem and ashmem_mutex causing a lockdep splat[1] during a syzcaller test. This patch fixes the problem by move copy_from_user out of ashmem_mutex. [1] https://www.spinics.net/lists/kernel/msg2733200.html Fixes: ce8a3a9e76d0 (staging: android: ashmem: Fix a race condition in pin ioctls) Reported-by: syzbot+d7a918a7a8e1c952bc36(a)syzkaller.appspotmail.com Signed-off-by: Yisheng Xie <xieyisheng1(a)huawei.com> Cc: "Joel Fernandes (Google)" <joel.opensrc(a)gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ashmem.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -709,16 +709,14 @@ static int ashmem_pin_unpin(struct ashme size_t pgstart, pgend; int ret = -EINVAL; + if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) + return -EFAULT; + mutex_lock(&ashmem_mutex); if (unlikely(!asma->file)) goto out_unlock; - if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { - ret = -EFAULT; - goto out_unlock; - } - /* per custom, you can pass zero for len to mean "everything onward" */ if (!pin.len) pin.len = PAGE_ALIGN(asma->size) - pin.offset; Patches currently in stable-queue which might be from xieyisheng1(a)huawei.com are queue-4.14/staging-android-ashmem-fix-possible-deadlock-in-ashmem_ioctl.patch

7 years, 5 months

1
0
0 0

FAILED: patch "[PATCH] bpf: fix bpf_prog_array_copy_to_user() issues" failed to apply to 4.15-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.15-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 0911287ce32b14fbc8aab0083151d9b54254091c Mon Sep 17 00:00:00 2001 From: Alexei Starovoitov <ast(a)kernel.org> Date: Fri, 2 Feb 2018 15:14:05 -0800 Subject: [PATCH] bpf: fix bpf_prog_array_copy_to_user() issues 1. move copy_to_user out of rcu section to fix the following issue: ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section! stack backtrace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592 rcu_preempt_sleep_check include/linux/rcupdate.h:301 [inline] ___might_sleep+0x385/0x470 kernel/sched/core.c:6079 __might_sleep+0x95/0x190 kernel/sched/core.c:6067 __might_fault+0xab/0x1d0 mm/memory.c:4532 _copy_to_user+0x2c/0xc0 lib/usercopy.c:25 copy_to_user include/linux/uaccess.h:155 [inline] bpf_prog_array_copy_to_user+0x217/0x4d0 kernel/bpf/core.c:1587 bpf_prog_array_copy_info+0x17b/0x1c0 kernel/bpf/core.c:1685 perf_event_query_prog_array+0x196/0x280 kernel/trace/bpf_trace.c:877 _perf_ioctl kernel/events/core.c:4737 [inline] perf_ioctl+0x3e1/0x1480 kernel/events/core.c:4757 2. move *prog under rcu, since it's not ok to dereference it afterwards 3. in a rare case of prog array being swapped between bpf_prog_array_length() and bpf_prog_array_copy_to_user() calls make sure to copy zeros to user space, so the user doesn't walk over uninited prog_ids while kernel reported uattr->query.prog_cnt > 0 Reported-by: syzbot+7dbcd2d3b85f9b608b23(a)syzkaller.appspotmail.com Fixes: 468e2f64d220 ("bpf: introduce BPF_PROG_QUERY command") Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 5f35f93dcab2..29ca9208dcfa 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -1576,25 +1576,41 @@ int bpf_prog_array_copy_to_user(struct bpf_prog_array __rcu *progs, __u32 __user *prog_ids, u32 cnt) { struct bpf_prog **prog; - u32 i = 0, id; - + unsigned long err = 0; + u32 i = 0, *ids; + bool nospc; + + /* users of this function are doing: + * cnt = bpf_prog_array_length(); + * if (cnt > 0) + * bpf_prog_array_copy_to_user(..., cnt); + * so below kcalloc doesn't need extra cnt > 0 check, but + * bpf_prog_array_length() releases rcu lock and + * prog array could have been swapped with empty or larger array, + * so always copy 'cnt' prog_ids to the user. + * In a rare race the user will see zero prog_ids + */ + ids = kcalloc(cnt, sizeof(u32), GFP_USER); + if (!ids) + return -ENOMEM; rcu_read_lock(); prog = rcu_dereference(progs)->progs; for (; *prog; prog++) { if (*prog == &dummy_bpf_prog.prog) continue; - id = (*prog)->aux->id; - if (copy_to_user(prog_ids + i, &id, sizeof(id))) { - rcu_read_unlock(); - return -EFAULT; - } + ids[i] = (*prog)->aux->id; if (++i == cnt) { prog++; break; } } + nospc = !!(*prog); rcu_read_unlock(); - if (*prog) + err = copy_to_user(prog_ids, ids, cnt * sizeof(u32)); + kfree(ids); + if (err) + return -EFAULT; + if (nospc) return -ENOSPC; return 0; }

7 years, 5 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror