This is the start of the stable review cycle for the 3.16.81 release. There are 63 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Fri Jan 10 20:00:00 UTC 2020. Anything received after that time might be too late.
All the patches have also been committed to the linux-3.16.y-rc branch of https://git.kernel.org/pub/scm/linux/kernel/git/bwh/linux-stable-rc.git . A shortlog and diffstat can be found below.
Ben.
-------------
Adrian Bunk (1): mwifiex: Fix NL80211_TX_POWER_LIMITED [65a576e27309120e0621f54d5c81eb9128bd56be]
Amitkumar Karwar (1): mwifiex: don't follow AP if country code received from EEPROM [947d315257f9b25b0e24f5706f8184b3b00774d4]
Andreas Ziegler (1): tracing/uprobes: Fix output for multiple string arguments [0722069a5374b904ec1a67f91249f90e1cfae259]
Ard Biesheuvel (1): arm64/kernel: fix incorrect EL0 check in inv_entry macro [b660950c60a7278f9d8deb7c32a162031207c758]
Arnd Bergmann (1): ARM: 8458/1: bL_switcher: add GIC dependency [6c044fecdf78be3fda159a5036bb33700cdd5e59]
Baolin Wang (1): usb: gadget: Add the gserial port checking in gs_start_tx() [511a36d2f357724312bb3776d2f6eed3890928b2]
Ben Hutchings (3): Revert "sched/fair: Fix bandwidth timer clock drift condition" [not upstream; upstream fix is unsuitable for stable] ext4: Introduce ext4_clamp_want_extra_isize() [7bc04c5c2cc467c5b40f2b03ba08da174a0d5fa7] net: qlogic: Fix error paths in ql_alloc_large_buffers() [cad46039e4c99812db067c8ac22a864960e7acc4]
Bhadram Varka (1): stmmac: copy unicast mac address to MAC registers [a830405ee452ddc4101c3c9334e6fedd42c6b357]
Chaotian Jing (1): mmc: mmc: fix switch timeout issue caused by jiffies precision [987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1]
Christoffer Dall (1): video: fbdev: Set pixclock = 0 in goldfishfb [ace6033ec5c356615eaa3582fb1946e9eaff6662]
Christoph Hellwig (1): suspend: simplify block I/O handling [343df3c79c62b644ce6ff5dff96c9e0be1ecb242]
Chuanxiao Dong (1): mmc: debugfs: Add a restriction to mmc debugfs clock setting [e5905ff1281f0a0f5c9863c430ac1ed5faaf5707]
Colin Cross (1): mmc: block: Allow more than 8 partitions per card [382c55f88ffeb218c446bf0c46d0fc25d2795fe2]
Dmitry Vyukov (1): locking/x86: Remove the unused atomic_inc_short() methd [31b35f6b4d5285a311e10753f4eb17304326b211]
Dong Aisheng (1): mmc: core: fix using wrong io voltage if mmc_select_hs200 fails [e51534c806609c806d81bfb034f02737461f855c]
Eric Biggers (2): arm64: support keyctl() system call in 32-bit mode [5c2a625937ba49bc691089370638223d310cda9a] crypto: cts - fix crash on short inputs [not upstream; issue was fixed by large refactoring]
Eric Dumazet (2): net: diag: support v4mapped sockets in inet_diag_find_one_icsk() [7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf] tcp/dccp: drop SYN packets if accept queue is full [5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071]
Ezequiel Garcia (1): arm64: kconfig: drop CONFIG_RTC_LIB dependency [99a507771fa57238dc7ffe674ae06090333d02c9]
Ganapathi Bhat (1): mwifiex: fix possible heap overflow in mwifiex_process_country_ie() [3d94a4a8373bf5f45cf5f939e88b8354dbf2311b]
Greg Hackmann (1): staging: goldfish: audio: fix compiliation on arm [4532150762ceb0d6fd765ebcb3ba6966fbb8faab]
Ilya Dryomov (1): libceph: handle an empty authorize reply [0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068]
James Morse (3): PM / Hibernate: Call flush_icache_range() on pages restored in-place [f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e] arm64: kernel: Include _AC definition in page.h [812264550dcba6cdbe84bfac2f27e7d23b5b8733] arm64: mm: Add trace_irqflags annotations to do_debug_exception() [6afedcd23cfd7ac56c011069e4a8db37b46e4623]
Jason Yan (1): scsi: libsas: stop discovering if oob mode is disconnected [f70267f379b5e5e11bdc5d72a56bf17e5feed01f]
Jeffrey Hugo (1): dmaengine: qcom: bam_dma: Fix resource leak [7667819385457b4aeb5fac94f67f52ab52cc10d5]
Johannes Berg (1): cfg80211: size various nl80211 messages correctly [4ef8c1c93f848e360754f10eb2e7134c872b6597]
Konstantin Khlebnikov (1): mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON [e4c5800a3991f0c6a766983535dfc10d51802cf6]
Laura Abbott (1): staging: ashmem: Avoid deadlock with mmap/shrink [18e77054de741ef3ed2a2489bc9bf82a318b2d5e]
Linus Torvalds (2): Make filldir[64]() verify the directory entry filename is valid [8a23eb804ca4f2be909e372cf5a9e7b30ae476cd] filldir[64]: remove WARN_ON_ONCE() for bad directory entries [b9959c7a347d6adbb558fba7e36e9fef3cba3b07]
Lorenzo Pieralisi (1): ARM: 8510/1: rework ARM_CPU_SUSPEND dependencies [1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1]
Mark Rutland (1): asm-generic: Fix local variable shadow in __set_fixmap_offset [3694bd76781b76c4f8d2ecd85018feeb1609f0e5]
Mathias Nyman (2): xhci: Fix port resume done detection for SS ports with LPM enabled [6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15] xhci: fix USB3 device initiated resume race with roothub autosuspend [057d476fff778f1d3b9f861fdb5437ea1a3cfc99]
Navid Emamdoost (1): net: qlogic: Fix memory leak in ql_alloc_large_buffers [1acb8f2a7a9f10543868ddd737e37424d5c36cf4]
Peter Chen (1): usb: gadget: composite: fix dereference after null check coverify warning [c526c62d565ea5a5bba9433f28756079734f430d]
Peter Zijlstra (2): locking,x86: Kill atomic_or_long() [f6b4ecee0eb7bfa66ae8d5652105ed4da53209a3] x86/atomic: Fix smp_mb__{before,after}_atomic() [69d927bba39517d0980462efc051875b7f4db185]
Philip Oberstaller (1): usb: gadget: serial: fix re-ordering of tx data [3e9d3d2efc677b501b12512cab5adb4f32a0673a]
Qiao Zhou (1): arm64: traps: disable irq in die() [6f44a0bacb79a03972c83759711832b382b1b8ac]
Rajmal Menariya (1): staging: ion: Set minimum carveout heap allocation order to PAGE_SHIFT [1328d8efef17d5e16bd6e9cfe59130a833674534]
Ravindra Lokhande (1): ALSA: compress: add support for 32bit calls in a 64bit kernel [c10368897e104c008c610915a218f0fe5fa4ec96]
Roderick Colenbrander (2): HID: sony: Support DS4 dongle [de66a1a04c25f2560a8dca7a95e2a150b0d5e17e] HID: sony: Update device ids [cf1015d65d7c8a5504a4c03afb60fb86bff0f032]
Roger Quadros (1): usb: dwc3: gadget: Fix suspend/resume during device mode [9772b47a4c2916d645c551228b6085ea24acbe5d]
Rom Lemarchand (1): staging: ashmem: Add missing include [90a2f171383b5ae43b33ab4d9d566b9765622ac7]
Russell King (1): mmc: core: shut up "voltage-ranges unspecified" pr_info() [10a16a01d8f72e80f4780e40cf3122f4caffa411]
Theodore Ts'o (1): ext4: add more paranoia checking in ext4_expand_extra_isize handling [4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a]
Will Deacon (2): arm64: debug: Don't propagate UNKNOWN FAR into si_code for debug signals [b9a4b9d084d978f80eb9210727c81804588b42ff] arm64: debug: Ensure debug handlers check triggering exception level [6bd288569b50bc89fa5513031086746968f585cb]
Winter Wang (1): usb: gadget: configfs: add mutex lock before unregister gadget [cee51c33f52ebf673a088a428ac0fecc33ab77fa]
Wolfram Sang (2): kbuild: setlocalversion: print error to STDERR [78283edf2c01c38eb840a3de5ffd18fe2992ab64] mmc: sanitize 'bus width' in debug output [ed9feec72fc1fa194ebfdb79e14561b35decce63]
Xerox Lin (1): usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG [207707d8fd48ebc977fb2b2794004a020e1ee08e]
Xiaolong Huang (1): can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices [da2311a6385c3b499da2ed5d9be59ce331fa93e9]
Yoshihiro Shimoda (1): usb: renesas_usbhs: gadget: fix unused-but-set-variable warning [b7d44c36a6f6d956e1539e0dd42f98b26e5a4684]
YueHaibing (1): media: cpia2: Fix use-after-free in cpia2_exit [dea37a97265588da604c6ba80160a287b72c7bfd]
Yury Norov (1): arm64: fix COMPAT_SHMLBA definition for large pages [b9b7aebb42d1b1392f3111de61136bb6cf3aae3f]
Makefile | 4 +- arch/arm/Kconfig | 6 +- arch/arm64/Kconfig | 5 +- arch/arm64/include/asm/page.h | 2 + arch/arm64/include/asm/shmparam.h | 2 +- arch/arm64/kernel/entry.S | 2 +- arch/arm64/kernel/kgdb.c | 15 +- arch/arm64/kernel/traps.c | 8 +- arch/arm64/mm/fault.c | 36 +++-- arch/tile/lib/atomic_asm_32.S | 3 +- arch/x86/include/asm/atomic.h | 36 +---- arch/x86/include/asm/atomic64_64.h | 8 +- arch/x86/include/asm/barrier.h | 4 +- crypto/cts.c | 8 +- drivers/dma/qcom_bam_dma.c | 14 ++ drivers/hid/hid-core.c | 3 + drivers/hid/hid-ids.h | 2 + drivers/hid/hid-sony.c | 6 + drivers/media/usb/cpia2/cpia2_v4l.c | 3 +- drivers/mmc/card/block.c | 7 +- drivers/mmc/core/core.c | 10 +- drivers/mmc/core/debugfs.c | 2 +- drivers/mmc/core/mmc.c | 13 +- drivers/mmc/core/mmc_ops.c | 2 +- drivers/net/can/usb/kvaser_usb.c | 6 +- drivers/net/ethernet/qlogic/qla3xxx.c | 9 +- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 16 +- drivers/net/wireless/mwifiex/cfg80211.c | 17 ++- drivers/net/wireless/mwifiex/ioctl.h | 1 + drivers/net/wireless/mwifiex/sta_ioctl.c | 23 ++- drivers/scsi/libsas/sas_discover.c | 11 +- drivers/staging/android/ashmem.c | 4 +- drivers/staging/android/ion/ion_carveout_heap.c | 2 +- drivers/staging/android/uapi/ashmem.h | 1 + drivers/staging/goldfish/goldfish_audio.c | 1 + drivers/usb/dwc3/gadget.c | 6 + drivers/usb/gadget/composite.c | 2 + drivers/usb/gadget/configfs.c | 2 + drivers/usb/gadget/rndis.c | 6 + drivers/usb/gadget/u_serial.c | 12 +- drivers/usb/host/xhci-hub.c | 8 + drivers/usb/host/xhci-ring.c | 15 +- drivers/usb/host/xhci.h | 2 + drivers/usb/renesas_usbhs/mod_gadget.c | 5 +- drivers/video/fbdev/goldfishfb.c | 2 +- fs/ext4/inode.c | 15 ++ fs/ext4/super.c | 59 +++++--- fs/readdir.c | 40 +++++ include/asm-generic/fixmap.h | 12 +- include/linux/swap.h | 1 - include/net/inet_connection_sock.h | 5 - kernel/power/Makefile | 3 +- kernel/power/block_io.c | 103 ------------- kernel/power/power.h | 9 -- kernel/power/swap.c | 177 +++++++++++++++++----- kernel/sched/fair.c | 14 +- kernel/sched/sched.h | 2 - kernel/trace/trace_uprobe.c | 9 +- mm/page_io.c | 2 +- mm/rmap.c | 2 +- net/ceph/messenger.c | 12 +- net/dccp/ipv4.c | 8 +- net/dccp/ipv6.c | 2 +- net/ipv4/inet_diag.c | 18 ++- net/ipv4/tcp_ipv4.c | 7 +- net/ipv6/tcp_ipv6.c | 2 +- net/wireless/nl80211.c | 16 +- scripts/setlocalversion | 2 +- sound/core/compress_offload.c | 13 ++ 69 files changed, 533 insertions(+), 352 deletions(-)
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Navid Emamdoost navid.emamdoost@gmail.com
commit 1acb8f2a7a9f10543868ddd737e37424d5c36cf4 upstream.
In ql_alloc_large_buffers, a new skb is allocated via netdev_alloc_skb. This skb should be released if pci_dma_mapping_error fails.
Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() in ql_release_to_lrg_buf_free_list(), ql_populate_free_queue(), ql_alloc_large_buffers(), and ql3xxx_send()") Signed-off-by: Navid Emamdoost navid.emamdoost@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/ethernet/qlogic/qla3xxx.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/qlogic/qla3xxx.c +++ b/drivers/net/ethernet/qlogic/qla3xxx.c @@ -2789,6 +2789,7 @@ static int ql_alloc_large_buffers(struct netdev_err(qdev->ndev, "PCI mapping failed with error: %d\n", err); + dev_kfree_skb_irq(skb); ql_free_large_buffers(qdev); return -ENOMEM; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
commit cad46039e4c99812db067c8ac22a864960e7acc4 upstream.
ql_alloc_large_buffers() has the usual RX buffer allocation loop where it allocates skbs and maps them for DMA. It also treats failure as a fatal error.
There are (at least) three bugs in the error paths:
1. ql_free_large_buffers() assumes that the lrg_buf[] entry for the first buffer that couldn't be allocated will have .skb == NULL. But the qla_buf[] array is not zero-initialised.
2. ql_free_large_buffers() DMA-unmaps all skbs in lrg_buf[]. This is incorrect for the last allocated skb, if DMA mapping failed.
3. Commit 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers") added a direct call to dev_kfree_skb_any() after the skb is recorded in lrg_buf[], so ql_free_large_buffers() will double-free it.
The bugs are somewhat inter-twined, so fix them all at once:
* Clear each entry in qla_buf[] before attempting to allocate an skb for it. This goes half-way to fixing bug 1. * Set the .skb field only after the skb is DMA-mapped. This fixes the rest.
Fixes: 1357bfcf7106 ("qla3xxx: Dynamically size the rx buffer queue ...") Fixes: 0f8ab89e825f ("qla3xxx: Check return code from pci_map_single() ...") Fixes: 1acb8f2a7a9f ("net: qlogic: Fix memory leak in ql_alloc_large_buffers") Signed-off-by: Ben Hutchings ben@decadent.org.uk Signed-off-by: David S. Miller davem@davemloft.net --- drivers/net/ethernet/qlogic/qla3xxx.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/net/ethernet/qlogic/qla3xxx.c +++ b/drivers/net/ethernet/qlogic/qla3xxx.c @@ -2758,6 +2758,9 @@ static int ql_alloc_large_buffers(struct int err;
for (i = 0; i < qdev->num_large_buffers; i++) { + lrg_buf_cb = &qdev->lrg_buf[i]; + memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); + skb = netdev_alloc_skb(qdev->ndev, qdev->lrg_buffer_len); if (unlikely(!skb)) { @@ -2768,11 +2771,7 @@ static int ql_alloc_large_buffers(struct ql_free_large_buffers(qdev); return -ENOMEM; } else { - - lrg_buf_cb = &qdev->lrg_buf[i]; - memset(lrg_buf_cb, 0, sizeof(struct ql_rcv_buf_cb)); lrg_buf_cb->index = i; - lrg_buf_cb->skb = skb; /* * We save some space to copy the ethhdr from first * buffer @@ -2794,6 +2793,7 @@ static int ql_alloc_large_buffers(struct return -ENOMEM; }
+ lrg_buf_cb->skb = skb; dma_unmap_addr_set(lrg_buf_cb, mapaddr, map); dma_unmap_len_set(lrg_buf_cb, maplen, qdev->lrg_buffer_len -
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Roderick Colenbrander roderick.colenbrander@sony.com
commit cf1015d65d7c8a5504a4c03afb60fb86bff0f032 upstream.
Support additional DS4 model.
Signed-off-by: Roderick Colenbrander roderick.colenbrander@sony.com Reviewed-by: Benjamin Tissoires benjamin.tissoires@redhat.com Signed-off-by: Jiri Kosina jkosina@suse.cz [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hid-core.c | 2 ++ drivers/hid/hid-ids.h | 1 + drivers/hid/hid-sony.c | 4 ++++ 3 files changed, 7 insertions(+)
--- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1932,6 +1932,8 @@ static const struct hid_device_id hid_ha { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS3_CONTROLLER) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) }, { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) }, + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) }, { HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) }, --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -876,6 +876,7 @@ #define USB_DEVICE_ID_SONY_PS3_BDREMOTE 0x0306 #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER 0x05c4 +#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2 0x09cc #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER 0x042f #define USB_DEVICE_ID_SONY_BUZZ_CONTROLLER 0x0002 #define USB_DEVICE_ID_SONY_WIRELESS_BUZZ_CONTROLLER 0x1000 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -1998,6 +1998,10 @@ static const struct hid_device_id sony_d .driver_data = DUALSHOCK4_CONTROLLER_USB }, { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER), .driver_data = DUALSHOCK4_CONTROLLER_BT }, + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2), + .driver_data = DUALSHOCK4_CONTROLLER_USB }, + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2), + .driver_data = DUALSHOCK4_CONTROLLER_BT }, { } }; MODULE_DEVICE_TABLE(hid, sony_devices);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Roderick Colenbrander roderick.colenbrander@sony.com
commit de66a1a04c25f2560a8dca7a95e2a150b0d5e17e upstream.
Add support for USB based DS4 dongle device, which allows connecting a DS4 through Bluetooth, but hides Bluetooth from the host system.
Signed-off-by: Roderick Colenbrander roderick.colenbrander@sony.com Signed-off-by: Jiri Kosina jkosina@suse.cz [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/hid/hid-core.c | 1 + drivers/hid/hid-ids.h | 1 + drivers/hid/hid-sony.c | 2 ++ 3 files changed, 4 insertions(+)
--- a/drivers/hid/hid-core.c +++ b/drivers/hid/hid-core.c @@ -1934,6 +1934,7 @@ static const struct hid_device_id hid_ha { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) }, { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2) }, + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE) }, { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_VAIO_VGP_MOUSE) }, { HID_USB_DEVICE(USB_VENDOR_ID_STEELSERIES, USB_DEVICE_ID_STEELSERIES_SRWS1) }, --- a/drivers/hid/hid-ids.h +++ b/drivers/hid/hid-ids.h @@ -877,6 +877,7 @@ #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER 0x05c4 #define USB_DEVICE_ID_SONY_PS4_CONTROLLER_2 0x09cc +#define USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE 0x0ba0 #define USB_DEVICE_ID_SONY_NAVIGATION_CONTROLLER 0x042f #define USB_DEVICE_ID_SONY_BUZZ_CONTROLLER 0x0002 #define USB_DEVICE_ID_SONY_WIRELESS_BUZZ_CONTROLLER 0x1000 --- a/drivers/hid/hid-sony.c +++ b/drivers/hid/hid-sony.c @@ -2002,6 +2002,8 @@ static const struct hid_device_id sony_d .driver_data = DUALSHOCK4_CONTROLLER_USB }, { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_2), .driver_data = DUALSHOCK4_CONTROLLER_BT }, + { HID_USB_DEVICE(USB_VENDOR_ID_SONY, USB_DEVICE_ID_SONY_PS4_CONTROLLER_DONGLE), + .driver_data = DUALSHOCK4_CONTROLLER_USB }, { } }; MODULE_DEVICE_TABLE(hid, sony_devices);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
In the CTS template, when the input length is <= one block cipher block (e.g. <= 16 bytes for AES) pass the correct length to the underlying CBC transform rather than one block. This matches the upstream behavior and makes the encryption/decryption operation correctly return -EINVAL when 1 <= nbytes < bsize or succeed when nbytes == 0, rather than crashing.
This was fixed upstream incidentally by a large refactoring, commit 0605c41cc53c ("crypto: cts - Convert to skcipher"). But syzkaller easily trips over this when running on older kernels, as it's easily reachable via AF_ALG. Therefore, this patch makes the minimal fix for older kernels.
Cc: linux-crypto@vger.kernel.org Fixes: 76cb9521795a ("[CRYPTO] cts: Add CTS mode required for Kerberos AES support") Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- crypto/cts.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/crypto/cts.c +++ b/crypto/cts.c @@ -137,8 +137,8 @@ static int crypto_cts_encrypt(struct blk lcldesc.info = desc->info; lcldesc.flags = desc->flags;
- if (tot_blocks == 1) { - err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, bsize); + if (tot_blocks <= 1) { + err = crypto_blkcipher_encrypt_iv(&lcldesc, dst, src, nbytes); } else if (nbytes <= bsize * 2) { err = cts_cbc_encrypt(ctx, desc, dst, src, 0, nbytes); } else { @@ -232,8 +232,8 @@ static int crypto_cts_decrypt(struct blk lcldesc.info = desc->info; lcldesc.flags = desc->flags;
- if (tot_blocks == 1) { - err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, bsize); + if (tot_blocks <= 1) { + err = crypto_blkcipher_decrypt_iv(&lcldesc, dst, src, nbytes); } else if (nbytes <= bsize * 2) { err = cts_cbc_decrypt(ctx, desc, dst, src, 0, nbytes); } else {
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Andreas Ziegler andreas.ziegler@fau.de
commit 0722069a5374b904ec1a67f91249f90e1cfae259 upstream.
When printing multiple uprobe arguments as strings the output for the earlier arguments would also include all later string arguments.
This is best explained in an example:
Consider adding a uprobe to a function receiving two strings as parameters which is at offset 0xa0 in strlib.so and we want to print both parameters when the uprobe is hit (on x86_64):
$ echo 'p:func /lib/strlib.so:0xa0 +0(%di):string +0(%si):string' > \ /sys/kernel/debug/tracing/uprobe_events
When the function is called as func("foo", "bar") and we hit the probe, the trace file shows a line like the following:
[...] func: (0x7f7e683706a0) arg1="foobar" arg2="bar"
Note the extra "bar" printed as part of arg1. This behaviour stacks up for additional string arguments.
The strings are stored in a dynamically growing part of the uprobe buffer by fetch_store_string() after copying them from userspace via strncpy_from_user(). The return value of strncpy_from_user() is then directly used as the required size for the string. However, this does not take the terminating null byte into account as the documentation for strncpy_from_user() cleary states that it "[...] returns the length of the string (not including the trailing NUL)" even though the null byte will be copied to the destination.
Therefore, subsequent calls to fetch_store_string() will overwrite the terminating null byte of the most recently fetched string with the first character of the current string, leading to the "accumulation" of strings in earlier arguments in the output.
Fix this by incrementing the return value of strncpy_from_user() by one if we did not hit the maximum buffer size.
Link: http://lkml.kernel.org/r/20190116141629.5752-1-andreas.ziegler@fau.de
Cc: Ingo Molnar mingo@redhat.com Fixes: 5baaa59ef09e ("tracing/probes: Implement 'memory' fetch method for uprobes") Acked-by: Masami Hiramatsu mhiramat@kernel.org Signed-off-by: Andreas Ziegler andreas.ziegler@fau.de Signed-off-by: Steven Rostedt (VMware) rostedt@goodmis.org Signed-off-by: Masami Hiramatsu mhiramat@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/trace/trace_uprobe.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
--- a/kernel/trace/trace_uprobe.c +++ b/kernel/trace/trace_uprobe.c @@ -151,7 +151,14 @@ static void FETCH_FUNC_NAME(memory, stri
ret = strncpy_from_user(dst, src, maxlen); if (ret == maxlen) - dst[--ret] = '\0'; + dst[ret - 1] = '\0'; + else if (ret >= 0) + /* + * Include the terminating null byte. In this case it + * was copied by strncpy_from_user but not accounted + * for in ret. + */ + ret++;
if (ret < 0) { /* Failed to fetch string */ ((u8 *)get_rloc_data(dest))[0] = '\0';
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ilya Dryomov idryomov@gmail.com
commit 0fd3fd0a9bb0b02b6435bb7070e9f7b82a23f068 upstream.
The authorize reply can be empty, for example when the ticket used to build the authorizer is too old and TAG_BADAUTHORIZER is returned from the service. Calling ->verify_authorizer_reply() results in an attempt to decrypt and validate (somewhat) random data in au->buf (most likely the signature block from calc_signature()), which fails and ends up in con_fault_finish() with !con->auth_retry. The ticket isn't invalidated and the connection is retried again and again until a new ticket is obtained from the monitor:
libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply libceph: osd2 192.168.122.1:6809 bad authorize reply
Let TAG_BADAUTHORIZER handler kick in and increment con->auth_retry.
Fixes: 5c056fdc5b47 ("libceph: verify authorize reply on connect") Link: https://tracker.ceph.com/issues/20164 Signed-off-by: Ilya Dryomov idryomov@gmail.com Reviewed-by: Sage Weil sage@redhat.com [idryomov@gmail.com: backport to 4.4: extra arg, no CEPHX_V2] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/ceph/messenger.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -1984,15 +1984,19 @@ static int process_connect(struct ceph_c dout("process_connect on %p tag %d\n", con, (int)con->in_tag);
if (con->auth_reply_buf) { + int len = le32_to_cpu(con->in_reply.authorizer_len); + /* * Any connection that defines ->get_authorizer() * should also define ->verify_authorizer_reply(). * See get_connect_authorizer(). */ - ret = con->ops->verify_authorizer_reply(con, 0); - if (ret < 0) { - con->error_msg = "bad authorize reply"; - return ret; + if (len) { + ret = con->ops->verify_authorizer_reply(con, 0); + if (ret < 0) { + con->error_msg = "bad authorize reply"; + return ret; + } } }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ravindra Lokhande rlokhande@nvidia.com
commit c10368897e104c008c610915a218f0fe5fa4ec96 upstream.
Compress offload does not support ioctl calls from a 32bit userspace in a 64 bit kernel. This patch adds support for ioctls from a 32bit userspace in a 64bit kernel
Signed-off-by: Ravindra Lokhande rlokhande@nvidia.com Acked-by: Vinod Koul vinod.koul@intel.com Signed-off-by: Takashi Iwai tiwai@suse.de Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- sound/core/compress_offload.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
--- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -38,6 +38,7 @@ #include <linux/uio.h> #include <linux/uaccess.h> #include <linux/module.h> +#include <linux/compat.h> #include <sound/core.h> #include <sound/initval.h> #include <sound/compress_params.h> @@ -864,6 +865,15 @@ static long snd_compr_ioctl(struct file return retval; }
+/* support of 32bit userspace on 64bit platforms */ +#ifdef CONFIG_COMPAT +static long snd_compr_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) +{ + return snd_compr_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); +} +#endif + static const struct file_operations snd_compr_file_ops = { .owner = THIS_MODULE, .open = snd_compr_open, @@ -871,6 +881,9 @@ static const struct file_operations snd_ .write = snd_compr_write, .read = snd_compr_read, .unlocked_ioctl = snd_compr_ioctl, +#ifdef CONFIG_COMPAT + .compat_ioctl = snd_compr_ioctl_compat, +#endif .mmap = snd_compr_mmap, .poll = snd_compr_poll, };
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chuanxiao Dong chuanxiao.dong@intel.com
commit e5905ff1281f0a0f5c9863c430ac1ed5faaf5707 upstream.
Clock frequency values written to an mmc host should not be less than the minimum clock frequency which the mmc host supports.
Signed-off-by: Yuan Juntao juntaox.yuan@intel.com Signed-off-by: Pawel Wodkowski pawelx.wodkowski@intel.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mmc/core/debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/core/debugfs.c +++ b/drivers/mmc/core/debugfs.c @@ -195,7 +195,7 @@ static int mmc_clock_opt_set(void *data, struct mmc_host *host = data;
/* We need this check due to input value is u64 */ - if (val > host->f_max) + if (val != 0 && (val > host->f_max || val < host->f_min)) return -EINVAL;
mmc_claim_host(host);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang wsa+renesas@sang-engineering.com
commit ed9feec72fc1fa194ebfdb79e14561b35decce63 upstream.
The bus width is sometimes the actual bus width, and sometimes indices to different arrays encoding the bus width. In my debugging case "2" could mean 8-bit as well as 4-bit, which was extremly confusing. Let's use the human-readable actual bus width in all places.
Signed-off-by: Wolfram Sang wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mmc/core/core.c | 2 +- drivers/mmc/core/mmc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -973,7 +973,7 @@ static inline void mmc_set_ios(struct mm "width %u timing %u\n", mmc_hostname(host), ios->clock, ios->bus_mode, ios->power_mode, ios->chip_select, ios->vdd, - ios->bus_width, ios->timing); + 1 << ios->bus_width, ios->timing);
if (ios->clock > 0) mmc_set_ungated(host); --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -935,7 +935,7 @@ static int mmc_select_bus_width(struct m break; } else { pr_warn("%s: switch to bus width %d failed\n", - mmc_hostname(host), ext_csd_bits[idx]); + mmc_hostname(host), 1 << bus_width); } }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Russell King rmk+kernel@arm.linux.org.uk
commit 10a16a01d8f72e80f4780e40cf3122f4caffa411 upstream.
Each time a driver such as sdhci-esdhc-imx is probed, we get a info printk complaining that the DT voltage-ranges property has not been specified.
However, the DT binding specifically says that the voltage-ranges property is optional. That means we should not be complaining that DT hasn't specified this property: by indicating that it's optional, it is valid not to have the property in DT.
Silence the warning if the property is missing.
Signed-off-by: Russell King rmk+kernel@arm.linux.org.uk Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mmc/core/core.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -1181,8 +1181,12 @@ int mmc_of_parse_voltage(struct device_n
voltage_ranges = of_get_property(np, "voltage-ranges", &num_ranges); num_ranges = num_ranges / sizeof(*voltage_ranges) / 2; - if (!voltage_ranges || !num_ranges) { - pr_info("%s: voltage-ranges unspecified\n", np->full_name); + if (!voltage_ranges) { + pr_debug("%s: voltage-ranges unspecified\n", np->full_name); + return -EINVAL; + } + if (!num_ranges) { + pr_err("%s: voltage-ranges empty\n", np->full_name); return -EINVAL; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Roger Quadros rogerq@ti.com
commit 9772b47a4c2916d645c551228b6085ea24acbe5d upstream.
Gadget controller might not be always active during system suspend/resume as gadget driver might not have yet been loaded or might have been unloaded prior to system suspend.
Check if we're active and only then perform necessary actions during suspend/resume.
Signed-off-by: Roger Quadros rogerq@ti.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/dwc3/gadget.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -2955,6 +2955,9 @@ void dwc3_gadget_complete(struct dwc3 *d
int dwc3_gadget_suspend(struct dwc3 *dwc) { + if (!dwc->gadget_driver) + return 0; + __dwc3_gadget_ep_disable(dwc->eps[0]); __dwc3_gadget_ep_disable(dwc->eps[1]);
@@ -2968,6 +2971,9 @@ int dwc3_gadget_resume(struct dwc3 *dwc) struct dwc3_ep *dep; int ret;
+ if (!dwc->gadget_driver) + return 0; + /* Start with SuperSpeed Default */ dwc3_gadget_ep0_desc.wMaxPacketSize = cpu_to_le16(512);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Morse james.morse@arm.com
commit 6afedcd23cfd7ac56c011069e4a8db37b46e4623 upstream.
With CONFIG_PROVE_LOCKING, CONFIG_DEBUG_LOCKDEP and CONFIG_TRACE_IRQFLAGS enabled, lockdep will compare current->hardirqs_enabled with the flags from local_irq_save().
When a debug exception occurs, interrupts are disabled in entry.S, but lockdep isn't told, resulting in: DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled) ------------[ cut here ]------------ WARNING: at ../kernel/locking/lockdep.c:3523 Modules linked in: CPU: 3 PID: 1752 Comm: perf Not tainted 4.5.0-rc4+ #2204 Hardware name: ARM Juno development board (r1) (DT) task: ffffffc974868000 ti: ffffffc975f40000 task.ti: ffffffc975f40000 PC is at check_flags.part.35+0x17c/0x184 LR is at check_flags.part.35+0x17c/0x184 pc : [<ffffff80080fc93c>] lr : [<ffffff80080fc93c>] pstate: 600003c5 [...] ---[ end trace 74631f9305ef5020 ]--- Call trace: [<ffffff80080fc93c>] check_flags.part.35+0x17c/0x184 [<ffffff80080ffe30>] lock_acquire+0xa8/0xc4 [<ffffff8008093038>] breakpoint_handler+0x118/0x288 [<ffffff8008082434>] do_debug_exception+0x3c/0xa8 [<ffffff80080854b4>] el1_dbg+0x18/0x6c [<ffffff80081e82f4>] do_filp_open+0x64/0xdc [<ffffff80081d6e60>] do_sys_open+0x140/0x204 [<ffffff80081d6f58>] SyS_openat+0x10/0x18 [<ffffff8008085d30>] el0_svc_naked+0x24/0x28 possible reason: unannotated irqs-off. irq event stamp: 65857 hardirqs last enabled at (65857): [<ffffff80081fb1c0>] lookup_mnt+0xf4/0x1b4 hardirqs last disabled at (65856): [<ffffff80081fb188>] lookup_mnt+0xbc/0x1b4 softirqs last enabled at (65790): [<ffffff80080bdca4>] __do_softirq+0x1f8/0x290 softirqs last disabled at (65757): [<ffffff80080be038>] irq_exit+0x9c/0xd0
This patch adds the annotations to do_debug_exception(), while trying not to call trace_hardirqs_off() if el1_dbg() interrupted a task that already had irqs disabled.
Signed-off-by: James Morse james.morse@arm.com Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/mm/fault.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-)
--- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -518,18 +518,31 @@ asmlinkage int __exception do_debug_exce { const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); struct siginfo info; + int rv;
- if (!inf->fn(addr, esr, regs)) - return 1; + /* + * Tell lockdep we disabled irqs in entry.S. Do nothing if they were + * already disabled to preserve the last enabled/disabled addresses. + */ + if (interrupts_enabled(regs)) + trace_hardirqs_off();
- pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", - inf->name, esr, addr); + if (!inf->fn(addr, esr, regs)) { + rv = 1; + } else { + pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", + inf->name, esr, addr);
- info.si_signo = inf->sig; - info.si_errno = 0; - info.si_code = inf->code; - info.si_addr = (void __user *)addr; - arm64_notify_die("", regs, &info, 0); + info.si_signo = inf->sig; + info.si_errno = 0; + info.si_code = inf->code; + info.si_addr = (void __user *)addr; + arm64_notify_die("", regs, &info, 0); + rv = 0; + }
- return 0; + if (interrupts_enabled(regs)) + trace_hardirqs_on(); + + return rv; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dong Aisheng aisheng.dong@nxp.com
commit e51534c806609c806d81bfb034f02737461f855c upstream.
Currently MMC core will keep going if HS200/HS timing switch failed with -EBADMSG error by the assumption that the old timing is still valid.
However, for mmc_select_hs200 case, the signal voltage may have already been switched. If the timing switch failed, we should fall back to the old voltage in case the card is continue run with legacy timing.
If fall back signal voltage failed, we explicitly report an EIO error to force retry during the next power cycle.
Signed-off-by: Dong Aisheng aisheng.dong@nxp.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: - Delete now-unused err label - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -1079,8 +1079,10 @@ static int mmc_select_hs400(struct mmc_c static int mmc_select_hs200(struct mmc_card *card) { struct mmc_host *host = card->host; + unsigned int old_signal_voltage; int err = -EINVAL;
+ old_signal_voltage = host->ios.signal_voltage; if (card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS200_1_2V) err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_120);
@@ -1089,7 +1091,7 @@ static int mmc_select_hs200(struct mmc_c
/* If fails try again during next card power cycle */ if (err) - goto err; + return err;
/* * Set the bus width(4 or 8) with host's support and @@ -1104,7 +1106,12 @@ static int mmc_select_hs200(struct mmc_c if (!err) mmc_set_timing(host, MMC_TIMING_MMC_HS200); } -err: + + if (err) { + /* fall back to the old signal voltage, if fails report error */ + if (__mmc_set_signal_voltage(host, old_signal_voltage)) + err = -EIO; + } return err; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Khlebnikov khlebnikov@yandex-team.ru
commit e4c5800a3991f0c6a766983535dfc10d51802cf6 upstream.
This check effectively catches anon vma hierarchy inconsistence and some vma corruptions. It was effective for catching corner cases in anon vma reusing logic. For now this code seems stable so check could be hidden under CONFIG_DEBUG_VM and replaced with WARN because it's not so fatal.
Signed-off-by: Konstantin Khlebnikov khlebnikov@yandex-team.ru Suggested-by: Vasily Averin vvs@virtuozzo.com Acked-by: Vlastimil Babka vbabka@suse.cz Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- mm/rmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/rmap.c +++ b/mm/rmap.c @@ -403,7 +403,7 @@ void unlink_anon_vmas(struct vm_area_str list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { struct anon_vma *anon_vma = avc->anon_vma;
- BUG_ON(anon_vma->degree); + VM_WARN_ON(anon_vma->degree); put_anon_vma(anon_vma);
list_del(&avc->same_vma);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang wsa@the-dreams.de
commit 78283edf2c01c38eb840a3de5ffd18fe2992ab64 upstream.
I tried to use 'make O=...' from an unclean source tree. This triggered the error path of setlocalversion. But by printing to STDOUT, it created a broken localversion which then caused another (unrelated) error:
"4.7.0-rc2Error: kernelrelease not valid - run make prepare to update it" exceeds 64 characters
After printing to STDERR, the true build error gets displayed later:
/home/wsa/Kernel/linux is not clean, please run 'make mrproper' in the '/home/wsa/Kernel/linux' directory.
Signed-off-by: Wolfram Sang wsa@the-dreams.de Signed-off-by: Michal Marek mmarek@suse.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- scripts/setlocalversion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/scripts/setlocalversion +++ b/scripts/setlocalversion @@ -143,7 +143,7 @@ fi if test -e include/config/auto.conf; then . include/config/auto.conf else - echo "Error: kernelrelease not valid - run 'make prepare' to update it" + echo "Error: kernelrelease not valid - run 'make prepare' to update it" >&2 exit 1 fi
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Chen peter.chen@nxp.com
commit c526c62d565ea5a5bba9433f28756079734f430d upstream.
cdev->config is checked for null pointer at above code, so cdev->config might be null, fix it by adding null pointer check.
Signed-off-by: Peter Chen peter.chen@nxp.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/composite.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1729,6 +1729,8 @@ unknown: break;
case USB_RECIP_ENDPOINT: + if (!cdev->config) + break; endp = ((w_index & 0x80) >> 3) | (w_index & 0x0f); list_for_each_entry(f, &cdev->config->functions, list) { if (test_bit(endp, f->endpoints))
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Philip Oberstaller Philip.Oberstaller@septentrio.com
commit 3e9d3d2efc677b501b12512cab5adb4f32a0673a upstream.
When a single thread is sending out data over the gadget serial port, gs_start_tx() will be called both from the sender context and from the write completion. Since the port lock is released before the packet is queued, the order in which the URBs are submitted is not guaranteed. E.g.
sending thread completion (interrupt)
gs_write() LOCK gs_write_complete() LOCK (wait) gs_start_tx() req1 = list_entry(pool->next) UNLOCK LOCK (acquired) gs_start_tx() req2 = list_entry(pool->next) UNLOCK usb_ep_queue(req2) usb_ep_queue(req1)
I.e., req2 is submitted before req1 but it contains the data that comes after req1.
To reproduce, use SMP with sending thread and completion pinned to different CPUs, or use PREEMPT_RT, and add the following delay just before the call to usb_ep_queue():
if (port->write_started > 0 && !list_empty(pool)) udelay(1000);
To work around this problem, make sure that only one thread is running through the gs_start_tx() loop with an extra flag write_busy. Since gs_start_tx() is always called with the port lock held, no further synchronisation is needed. The original caller will continue through the loop when the request was successfully submitted.
Signed-off-by: Philip Oberstaller Philip.Oberstaller@septentrio.com Signed-off-by: Arnout Vandecappelle (Essensium/Mind) arnout@mind.be Signed-off-by: Felipe Balbi balbi@ti.com [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/u_serial.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/u_serial.c +++ b/drivers/usb/gadget/u_serial.c @@ -116,6 +116,7 @@ struct gs_port { int write_allocated; struct gs_buf port_write_buf; wait_queue_head_t drain_wait; /* wait while writes drain */ + bool write_busy;
/* REVISIT this state ... */ struct usb_cdc_line_coding port_line_coding; /* 8-N-1 etc */ @@ -366,7 +367,7 @@ __acquires(&port->port_lock) int status = 0; bool do_tty_wake = false;
- while (!list_empty(pool)) { + while (!port->write_busy && !list_empty(pool)) { struct usb_request *req; int len;
@@ -396,9 +397,11 @@ __acquires(&port->port_lock) * NOTE that we may keep sending data for a while after * the TTY closed (dev->ioport->port_tty is NULL). */ + port->write_busy = true; spin_unlock(&port->port_lock); status = usb_ep_queue(in, req, GFP_ATOMIC); spin_lock(&port->port_lock); + port->write_busy = false;
if (status) { pr_debug("%s: %s %s err %d\n",
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Baolin Wang baolin.wang@linaro.org
commit 511a36d2f357724312bb3776d2f6eed3890928b2 upstream.
When usb gadget is set gadget serial function, it will be crash in below situation.
It will clean the 'port->port_usb' pointer in gserial_disconnect() function when usb link is inactive, but it will release lock for disabling the endpoints in this function. Druing the lock release period, it maybe complete one request to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb' pointer had been set NULL, thus it will be crash in gs_start_tx() function.
This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function to avoid this situation.
Signed-off-by: Baolin Wang baolin.wang@linaro.org Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/u_serial.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/usb/gadget/u_serial.c +++ b/drivers/usb/gadget/u_serial.c @@ -363,10 +363,15 @@ __acquires(&port->port_lock) */ { struct list_head *pool = &port->write_pool; - struct usb_ep *in = port->port_usb->in; + struct usb_ep *in; int status = 0; bool do_tty_wake = false;
+ if (!port->port_usb) + return status; + + in = port->port_usb->in; + while (!port->write_busy && !list_empty(pool)) { struct usb_request *req; int len;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071 upstream.
Per listen(fd, backlog) rules, there is really no point accepting a SYN, sending a SYNACK, and dropping the following ACK packet if accept queue is full, because application is not draining accept queue fast enough.
This behavior is fooling TCP clients that believe they established a flow, while there is nothing at server side. They might then send about 10 MSS (if using IW10) that will be dropped anyway while server is under stress.
Signed-off-by: Eric Dumazet edumazet@google.com Acked-by: Neal Cardwell ncardwell@google.com Acked-by: Yuchung Cheng ycheng@google.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: Apply TCP changes in both tcp_ipv4.c and tcp_ipv6.c] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -287,11 +287,6 @@ static inline int inet_csk_reqsk_queue_l return reqsk_queue_len(&inet_csk(sk)->icsk_accept_queue); }
-static inline int inet_csk_reqsk_queue_young(const struct sock *sk) -{ - return reqsk_queue_len_young(&inet_csk(sk)->icsk_accept_queue); -} - static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) { return reqsk_queue_is_full(&inet_csk(sk)->icsk_accept_queue); --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -621,13 +621,7 @@ int dccp_v4_conn_request(struct sock *sk if (inet_csk_reqsk_queue_is_full(sk)) goto drop;
- /* - * Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop;
req = inet_reqsk_alloc(&dccp_request_sock_ops); --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -391,7 +391,7 @@ static int dccp_v6_conn_request(struct s if (inet_csk_reqsk_queue_is_full(sk)) goto drop;
- if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop;
req = inet6_reqsk_alloc(&dccp6_request_sock_ops); --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1292,12 +1292,7 @@ int tcp_v4_conn_request(struct sock *sk, goto drop; }
- /* Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) { + if (sk_acceptq_is_full(sk)) { NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); goto drop; } --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1009,7 +1009,7 @@ static int tcp_v6_conn_request(struct so goto drop; }
- if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) { + if (sk_acceptq_is_full(sk)) { NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); goto drop; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Qiao Zhou qiaozhou@asrmicro.com
commit 6f44a0bacb79a03972c83759711832b382b1b8ac upstream.
In current die(), the irq is disabled for __die() handle, not including the possible panic() handling. Since the log in __die() can take several hundreds ms, new irq might come and interrupt current die().
If the process calling die() holds some critical resource, and some other process scheduled later also needs it, then it would deadlock. The first panic will not be executed.
So here disable irq for the whole flow of die().
Signed-off-by: Qiao Zhou qiaozhou@asrmicro.com Signed-off-by: Will Deacon will.deacon@arm.com Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/kernel/traps.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
--- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -178,10 +178,12 @@ void die(const char *str, struct pt_regs { struct thread_info *thread = current_thread_info(); int ret; + unsigned long flags; + + raw_spin_lock_irqsave(&die_lock, flags);
oops_enter();
- raw_spin_lock_irq(&die_lock); console_verbose(); bust_spinlocks(1); ret = __die(str, err, thread, regs); @@ -191,13 +193,15 @@ void die(const char *str, struct pt_regs
bust_spinlocks(0); add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); - raw_spin_unlock_irq(&die_lock); oops_exit();
if (in_interrupt()) panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); + + raw_spin_unlock_irqrestore(&die_lock, flags); + if (ret != NOTIFY_STOP) do_exit(SIGSEGV); }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com
commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684 upstream.
The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") causes the unused-but-set-variable warning. But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c doesn't clear the ep->enabled flag. So, this driver should not return non-zero value, if the pipe is zero because this means the pipe is already disabled. Otherwise, the ep->enabled flag is never cleared when the usbhsg_ep_disable() is called by the renesas_usbhs driver first.
Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()") Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/renesas_usbhs/mod_gadget.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
--- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -611,14 +611,11 @@ static int usbhsg_ep_disable(struct usb_ struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep); struct usbhs_pipe *pipe; unsigned long flags; - int ret = 0;
spin_lock_irqsave(&uep->lock, flags); pipe = usbhsg_uep_to_pipe(uep); - if (!pipe) { - ret = -EINVAL; + if (!pipe) goto out; - }
usbhsg_pipe_disable(uep); usbhs_pipe_free(pipe);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman mathias.nyman@linux.intel.com
commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream.
A suspended SS port in U3 link state will go to U0 when resumed, but can almost immediately after that enter U1 or U2 link power save states before host controller driver reads the port status.
Host controller driver only checks for U0 state, and might miss the finished resume, leaving flags unclear and skip notifying usb code of the wake.
Add U1 and U2 to the possible link states when checking for finished port resume.
Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [Mathias Nyman: backport to 3.18 stable.] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/host/xhci-ring.c | 9 ++++++--- drivers/usb/host/xhci.h | 1 + 2 files changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1645,10 +1645,13 @@ static void handle_port_status(struct xh } }
- if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 && - DEV_SUPERSPEED(temp)) { + if ((temp & PORT_PLC) && + DEV_SUPERSPEED(temp) && + ((temp & PORT_PLS_MASK) == XDEV_U0 || + (temp & PORT_PLS_MASK) == XDEV_U1 || + (temp & PORT_PLS_MASK) == XDEV_U2)) { xhci_dbg(xhci, "resume SS port %d finished\n", port_id); - /* We've just brought the device into U0 through either the + /* We've just brought the device into U0/1/2 through either the * Resume state after a device remote wakeup, or through the * U3Exit state after a host-initiated resume. If it's a device * initiated remote wake, don't pass up the link state change, --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -283,6 +283,7 @@ struct xhci_op_regs { */ #define PORT_PLS_MASK (0xf << 5) #define XDEV_U0 (0x0 << 5) +#define XDEV_U1 (0x1 << 5) #define XDEV_U2 (0x2 << 5) #define XDEV_U3 (0x3 << 5) #define XDEV_INACTIVE (0x6 << 5)
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Colin Cross ccross@android.com
commit 382c55f88ffeb218c446bf0c46d0fc25d2795fe2 upstream.
It is quite common for Android devices to utilize more then 8 partitions on internal eMMC storage.
The vanilla kernel can support this via CONFIG_MMC_BLOCK_MINORS, however that solution caps the system to 256 minors total, which limits the number of mmc cards the system can support.
This patch, which has been carried for quite awhile in the AOSP common tree, provides an alternative solution that doesn't seem to limit the total card count. So I wanted to submit it for consideration upstream.
This patch sets the GENHD_FL_EXT_DEVT flag, which will allocate minor number in major 259 for partitions past disk->minors.
It also removes the use of disk_devt to determine devidx from md->disk. md->disk->first_minor is always initialized from devidx and can always be used to recover it.
Cc: Ulf Hansson ulf.hansson@linaro.org Cc: Adrian Hunter adrian.hunter@intel.com Cc: Ben Hutchings ben@decadent.org.uk Cc: Chuanxiao Dong chuanxiao.dong@intel.com Cc: Shawn Lin shawn.lin@rock-chips.com Cc: Austin S Hemmelgarn ahferroin7@gmail.com Cc: Arnd Bergmann arnd@arndb.de Cc: Android Kernel Team kernel-team@android.com Cc: linux-mmc@vger.kernel.org Signed-off-by: Colin Cross ccross@android.com [jstultz: Added context to commit message] Signed-off-by: John Stultz john.stultz@linaro.org Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mmc/card/block.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/mmc/card/block.c +++ b/drivers/mmc/card/block.c @@ -168,11 +168,7 @@ static struct mmc_blk_data *mmc_blk_get(
static inline int mmc_get_devidx(struct gendisk *disk) { - int devmaj = MAJOR(disk_devt(disk)); - int devidx = MINOR(disk_devt(disk)) / perdev_minors; - - if (!devmaj) - devidx = disk->first_minor / perdev_minors; + int devidx = disk->first_minor / perdev_minors; return devidx; }
@@ -2169,6 +2165,7 @@ static struct mmc_blk_data *mmc_blk_allo md->disk->queue = md->queue.queue; md->disk->driverfs_dev = parent; set_disk_ro(md->disk, md->read_only || default_ro); + md->disk->flags = GENHD_FL_EXT_DEVT; if (area_type & MMC_BLK_DATA_AREA_RPMB) md->disk->flags |= GENHD_FL_NO_PART_SCAN;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Yury Norov ynorov@caviumnetworks.com
commit b9b7aebb42d1b1392f3111de61136bb6cf3aae3f upstream.
ARM glibc uses (4 * __getpagesize()) for SHMLBA, which is correct for 4KB pages and works fine for 64KB pages, but the kernel uses a hardcoded 16KB that is too small for 64KB page based kernels. This changes the definition to what user space sees when using 64KB pages.
Acked-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Yury Norov ynorov@caviumnetworks.com Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/include/asm/shmparam.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/include/asm/shmparam.h +++ b/arch/arm64/include/asm/shmparam.h @@ -21,7 +21,7 @@ * alignment value. Since we don't have aliasing D-caches, the rest of * the time we can safely use PAGE_SIZE. */ -#define COMPAT_SHMLBA 0x4000 +#define COMPAT_SHMLBA (4 * PAGE_SIZE)
#include <asm-generic/shmparam.h>
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann arnd@arndb.de
commit 6c044fecdf78be3fda159a5036bb33700cdd5e59 upstream.
It is not possible to build the bL_switcher code if the GIC driver is disabled, because it relies on calling into some gic specific interfaces, and that would result in this build error:
arch/arm/common/built-in.o: In function `bL_switch_to': :(.text+0x1230): undefined reference to `gic_get_sgir_physaddr' :(.text+0x1244): undefined reference to `gic_send_sgi' :(.text+0x1268): undefined reference to `gic_migrate_target' arch/arm/common/built-in.o: In function `bL_switcher_enable.part.4': :(.text.unlikely+0x2f8): undefined reference to `gic_get_cpu_id'
This adds a Kconfig dependency to ensure we only build the big-little switcher if the GIC driver is present as well.
Almost all ARMv7 platforms come with a GIC anyway, but it is possible to build a kernel that disables all platforms.
Signed-off-by: Arnd Bergmann arnd@arndb.de Acked-by: Nicolas Pitre nico@linaro.org Signed-off-by: Russell King rmk+kernel@arm.linux.org.uk Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -1485,7 +1485,7 @@ config BIG_LITTLE
config BL_SWITCHER bool "big.LITTLE switcher support" - depends on BIG_LITTLE && MCPM && HOTPLUG_CPU + depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC select ARM_CPU_SUSPEND select CPU_PM help
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit 7c1306723ee916ea9f1fa7d9e4c7a6d029ca7aaf upstream.
Lorenzo reported that we could not properly find v4mapped sockets in inet_diag_find_one_icsk(). This patch fixes the issue.
Reported-by: Lorenzo Colitti lorenzo@google.com Signed-off-by: Eric Dumazet edumazet@google.com Acked-by: Lorenzo Colitti lorenzo@google.com Signed-off-by: David S. Miller davem@davemloft.net Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/net/ipv4/inet_diag.c +++ b/net/ipv4/inet_diag.c @@ -318,12 +318,18 @@ int inet_diag_dump_one_icsk(struct inet_ } #if IS_ENABLED(CONFIG_IPV6) else if (req->sdiag_family == AF_INET6) { - sk = inet6_lookup(net, hashinfo, - (struct in6_addr *)req->id.idiag_dst, - req->id.idiag_dport, - (struct in6_addr *)req->id.idiag_src, - req->id.idiag_sport, - req->id.idiag_if); + if (ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_dst) && + ipv6_addr_v4mapped((struct in6_addr *)req->id.idiag_src)) + sk = inet_lookup(net, hashinfo, req->id.idiag_dst[3], + req->id.idiag_dport, req->id.idiag_src[3], + req->id.idiag_sport, req->id.idiag_if); + else + sk = inet6_lookup(net, hashinfo, + (struct in6_addr *)req->id.idiag_dst, + req->id.idiag_dport, + (struct in6_addr *)req->id.idiag_src, + req->id.idiag_sport, + req->id.idiag_if); } #endif else {
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland mark.rutland@arm.com
commit 3694bd76781b76c4f8d2ecd85018feeb1609f0e5 upstream.
Currently __set_fixmap_offset is a macro function which has a local variable called 'addr'. If a caller passes a 'phys' parameter which is derived from a variable also called 'addr', the local variable will shadow this, and the compiler will complain about the use of an uninitialized variable. To avoid the issue with namespace clashes, 'addr' is prefixed with a liberal sprinkling of underscores.
Turning __set_fixmap_offset into a static inline breaks the build for several architectures. Fixing this properly requires updates to a number of architectures to make them agree on the prototype of __set_fixmap (it could be done as a subsequent patch series).
Signed-off-by: Mark Rutland mark.rutland@arm.com Cc: Arnd Bergmann arnd@arndb.de [catalin.marinas@arm.com: squashed the original function patch and macro fixup] Signed-off-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/asm-generic/fixmap.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
--- a/include/asm-generic/fixmap.h +++ b/include/asm-generic/fixmap.h @@ -67,12 +67,12 @@ static inline unsigned long virt_to_fix( #endif
/* Return a pointer with offset calculated */ -#define __set_fixmap_offset(idx, phys, flags) \ -({ \ - unsigned long addr; \ - __set_fixmap(idx, phys, flags); \ - addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \ - addr; \ +#define __set_fixmap_offset(idx, phys, flags) \ +({ \ + unsigned long ________addr; \ + __set_fixmap(idx, phys, flags); \ + ________addr = fix_to_virt(idx) + ((phys) & (PAGE_SIZE - 1)); \ + ________addr; \ })
#define set_fixmap_offset(idx, phys) \
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Laura Abbott lauraa@codeaurora.org
commit 18e77054de741ef3ed2a2489bc9bf82a318b2d5e upstream.
Both ashmem_mmap and ashmem_shrink take the ashmem_lock. It may be possible for ashmem_mmap to invoke ashmem_shrink:
-000|mutex_lock(lock = 0x0) -001|ashmem_shrink(?, sc = 0x0) <--- try to take ashmem_mutex again -002|shrink_slab(shrink = 0xDA5F1CC0, nr_pages_scanned = 0, lru_pages -002|= -002|124) -003|try_to_free_pages(zonelist = 0x0, ?, ?, ?) -004|__alloc_pages_nodemask(gfp_mask = 21200, order = 1, zonelist = -004|0xC11D0940, -005|new_slab(s = 0xE4841E80, ?, node = -1) -006|__slab_alloc.isra.43.constprop.50(s = 0xE4841E80, gfpflags = -006|2148925462, ad -007|kmem_cache_alloc(s = 0xE4841E80, gfpflags = 208) -008|shmem_alloc_inode(?) -009|alloc_inode(sb = 0xE480E800) -010|new_inode_pseudo(?) -011|new_inode(?) -012|shmem_get_inode(sb = 0xE480E800, dir = 0x0, ?, dev = 0, flags = -012|187) -013|shmem_file_setup(?, ?, flags = 187) -014|ashmem_mmap(?, vma = 0xC5D64210) <---- Acquire ashmem_mutex -015|mmap_region(file = 0xDF8E2C00, addr = 1772974080, len = 233472, -015|flags = 57, -016|sys_mmap_pgoff(addr = 0, len = 230400, prot = 3, flags = 1, fd = -016|157, pgoff -017|ret_fast_syscall(asm) -->|exception -018|NUR:0x40097508(asm) ---|end of frame
Avoid this deadlock by using mutex_trylock in ashmem_shrink; if the mutex is already held, do not attempt to shrink.
Cc: Greg KH gregkh@linuxfoundation.org Cc: Android Kernel Team kernel-team@android.com Reported-by: Matt Wagantall mattw@codeaurora.org Reported-by: Syed Rameez Mustafa rameezmustafa@codeaurora.org Reported-by: Osvaldo Banuelos osvaldob@codeaurora.org Reported-by: Subbaraman Narayanamurthy subbaram@codeaurora.org Signed-off-by: Laura Abbott lauraa@codeaurora.org [jstultz: Minor commit message tweaks] Signed-off-by: John Stultz john.stultz@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/android/ashmem.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -434,7 +434,9 @@ ashmem_shrink_scan(struct shrinker *shri if (!(sc->gfp_mask & __GFP_FS)) return SHRINK_STOP;
- mutex_lock(&ashmem_mutex); + if (!mutex_trylock(&ashmem_mutex)) + return -1; + list_for_each_entry_safe(range, next, &ashmem_lru_list, lru) { loff_t start = range->pgstart * PAGE_SIZE; loff_t end = (range->pgend + 1) * PAGE_SIZE;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rom Lemarchand romlem@android.com
commit 90a2f171383b5ae43b33ab4d9d566b9765622ac7 upstream.
Include <linux/types.h> into ashmem.h to ensure referenced types are defined
Cc: Android Kernel Team kernel-team@android.com Cc: Greg KH gregkh@linuxfoundation.org Signed-off-by: Rom Lemarchand romlem@android.com [jstultz: Minor commit message tweaks] Signed-off-by: John Stultz john.stultz@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/android/uapi/ashmem.h | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/staging/android/uapi/ashmem.h +++ b/drivers/staging/android/uapi/ashmem.h @@ -13,6 +13,7 @@ #define _UAPI_LINUX_ASHMEM_H
#include <linux/ioctl.h> +#include <linux/types.h>
#define ASHMEM_NAME_LEN 256
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Rajmal Menariya rajmal.menariya@spreadtrum.com
commit 1328d8efef17d5e16bd6e9cfe59130a833674534 upstream.
In carveout heap, change minimum allocation order from 12 to PAGE_SHIFT. After this change each bit in bitmap (genalloc - General purpose special memory pool) represents one page size memory.
Cc: sprd-ind-kernel-group@googlegroups.com Cc: sanjeev.yadav@spreadtrum.com Cc: Colin Cross ccross@android.com Cc: Android Kernel Team kernel-team@android.com Cc: Greg KH gregkh@linuxfoundation.org Cc: Sumit Semwal sumit.semwal@linaro.org Signed-off-by: Rajmal Menariya rajmal.menariya@spreadtrum.com [jstultz: Reworked commit message] Signed-off-by: John Stultz john.stultz@linaro.org Acked-by: Laura Abbott labbott@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/android/ion/ion_carveout_heap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/android/ion/ion_carveout_heap.c +++ b/drivers/staging/android/ion/ion_carveout_heap.c @@ -168,7 +168,7 @@ struct ion_heap *ion_carveout_heap_creat if (!carveout_heap) return ERR_PTR(-ENOMEM);
- carveout_heap->pool = gen_pool_create(12, -1); + carveout_heap->pool = gen_pool_create(PAGE_SHIFT, -1); if (!carveout_heap->pool) { kfree(carveout_heap); return ERR_PTR(-ENOMEM);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Greg Hackmann ghackmann@google.com
commit 4532150762ceb0d6fd765ebcb3ba6966fbb8faab upstream.
We do actually need slab.h, by luck we get it on other platforms but not always on ARM. Include it properly.
Signed-off-by: Greg Hackmann ghackmann@google.com Signed-off-by: Jin Qian jinqian@android.com Signed-off-by: Alan alan@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/staging/goldfish/goldfish_audio.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/staging/goldfish/goldfish_audio.c +++ b/drivers/staging/goldfish/goldfish_audio.c @@ -26,6 +26,7 @@ #include <linux/sched.h> #include <linux/dma-mapping.h> #include <linux/uaccess.h> +#include <linux/slab.h> #include <linux/goldfish.h>
MODULE_AUTHOR("Google, Inc.");
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Lorenzo Pieralisi lorenzo.pieralisi@arm.com
commit 1b9bdf5c1661873a10e193b8cbb803a87fe5c4a1 upstream.
The code enabled by the ARM_CPU_SUSPEND config option is used by kernel subsystems for purposes that go beyond system suspend so its config entry should be augmented to take more default options into account and avoid forcing its selection to prevent dependencies override.
To achieve this goal, this patch reworks the ARM_CPU_SUSPEND config entry and updates its default config value (by adding the BL_SWITCHER option to it) and its dependencies (ARCH_SUSPEND_POSSIBLE), so that the symbol is still selected by default by the subsystems requiring it and at the same time enforcing the dependencies correctly.
Signed-off-by: Lorenzo Pieralisi lorenzo.pieralisi@arm.com Cc: Nicolas Pitre nico@fluxnic.net Signed-off-by: Russell King rmk+kernel@arm.linux.org.uk Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm/Kconfig | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/arm/Kconfig +++ b/arch/arm/Kconfig @@ -1486,7 +1486,6 @@ config BIG_LITTLE config BL_SWITCHER bool "big.LITTLE switcher support" depends on BIG_LITTLE && MCPM && HOTPLUG_CPU && ARM_GIC - select ARM_CPU_SUSPEND select CPU_PM help The big.LITTLE "switcher" provides the core functionality to @@ -2201,7 +2200,8 @@ config ARCH_SUSPEND_POSSIBLE def_bool y
config ARM_CPU_SUSPEND - def_bool PM_SLEEP + def_bool PM_SLEEP || BL_SWITCHER + depends on ARCH_SUSPEND_POSSIBLE
config ARCH_HIBERNATION_POSSIBLE bool
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel ard.biesheuvel@linaro.org
commit b660950c60a7278f9d8deb7c32a162031207c758 upstream.
The implementation of macro inv_entry refers to its 'el' argument without the required leading backslash, which results in an undefined symbol 'el' to be passed into the kernel_entry macro rather than the index of the exception level as intended.
This undefined symbol strangely enough does not result in build failures, although it is visible in vmlinux:
$ nm -n vmlinux |head U el 0000000000000000 A _kernel_flags_le_hi32 0000000000000000 A _kernel_offset_le_hi32 0000000000000000 A _kernel_size_le_hi32 000000000000000a A _kernel_flags_le_lo32 .....
However, it does result in incorrect code being generated for invalid exceptions taken from EL0, since the argument check in kernel_entry assumes EL1 if its argument does not equal '0'.
Signed-off-by: Ard Biesheuvel ard.biesheuvel@linaro.org Signed-off-by: Catalin Marinas catalin.marinas@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/kernel/entry.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/arm64/kernel/entry.S +++ b/arch/arm64/kernel/entry.S @@ -187,7 +187,7 @@ END(vectors) * Invalid mode handlers */ .macro inv_entry, el, reason, regsize = 64 - kernel_entry el, \regsize + kernel_entry \el, \regsize mov x0, sp mov x1, #\reason mrs x2, esr_el1
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Morse james.morse@arm.com
commit 812264550dcba6cdbe84bfac2f27e7d23b5b8733 upstream.
page.h uses '_AC' in the definition of PAGE_SIZE, but doesn't include linux/const.h where this is defined. This produces build warnings when only asm/page.h is included by asm code.
Signed-off-by: James Morse james.morse@arm.com Acked-by: Mark Rutland mark.rutland@arm.com Acked-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/include/asm/page.h | 2 ++ 1 file changed, 2 insertions(+)
--- a/arch/arm64/include/asm/page.h +++ b/arch/arm64/include/asm/page.h @@ -19,6 +19,8 @@ #ifndef __ASM_PAGE_H #define __ASM_PAGE_H
+#include <linux/const.h> + /* PAGE_SHIFT determines the page size */ #ifdef CONFIG_ARM64_64K_PAGES #define PAGE_SHIFT 16
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig hch@lst.de
commit 343df3c79c62b644ce6ff5dff96c9e0be1ecb242 upstream.
Stop abusing struct page functionality and the swap end_io handler, and instead add a modified version of the blk-lib.c bio_batch helpers.
Also move the block I/O code into swap.c as they are directly tied into each other.
Signed-off-by: Christoph Hellwig hch@lst.de Tested-by: Pavel Machek pavel@ucw.cz Tested-by: Ming Lin mlin@kernel.org Acked-by: Pavel Machek pavel@ucw.cz Acked-by: Rafael J. Wysocki rjw@rjwysocki.net Signed-off-by: Jens Axboe axboe@fb.com [bwh: Backported to 3.16 as dependency of commit f6cf0545ec69 "PM / Hibernate: Call flush_icache_range() on pages restored in-place": - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/swap.h | 1 - kernel/power/Makefile | 3 +- kernel/power/block_io.c | 103 -------------------------- kernel/power/power.h | 9 --- kernel/power/swap.c | 159 ++++++++++++++++++++++++++++++---------- mm/page_io.c | 2 +- 6 files changed, 122 insertions(+), 155 deletions(-) delete mode 100644 kernel/power/block_io.c
--- a/include/linux/swap.h +++ b/include/linux/swap.h @@ -395,7 +395,6 @@ extern void end_swap_bio_write(struct bi extern int __swap_writepage(struct page *page, struct writeback_control *wbc, void (*end_write_func)(struct bio *, int)); extern int swap_set_page_dirty(struct page *page); -extern void end_swap_bio_read(struct bio *bio, int err);
int add_swap_extent(struct swap_info_struct *sis, unsigned long start_page, unsigned long nr_pages, sector_t start_block); --- a/kernel/power/Makefile +++ b/kernel/power/Makefile @@ -7,8 +7,7 @@ obj-$(CONFIG_VT_CONSOLE_SLEEP) += consol obj-$(CONFIG_FREEZER) += process.o obj-$(CONFIG_SUSPEND) += suspend.o obj-$(CONFIG_PM_TEST_SUSPEND) += suspend_test.o -obj-$(CONFIG_HIBERNATION) += hibernate.o snapshot.o swap.o user.o \ - block_io.o +obj-$(CONFIG_HIBERNATION) += hibernate.o snapshot.o swap.o user.o obj-$(CONFIG_PM_AUTOSLEEP) += autosleep.o obj-$(CONFIG_PM_WAKELOCKS) += wakelock.o
--- a/kernel/power/block_io.c +++ /dev/null @@ -1,103 +0,0 @@ -/* - * This file provides functions for block I/O operations on swap/file. - * - * Copyright (C) 1998,2001-2005 Pavel Machek pavel@ucw.cz - * Copyright (C) 2006 Rafael J. Wysocki rjw@sisk.pl - * - * This file is released under the GPLv2. - */ - -#include <linux/bio.h> -#include <linux/kernel.h> -#include <linux/pagemap.h> -#include <linux/swap.h> - -#include "power.h" - -/** - * submit - submit BIO request. - * @rw: READ or WRITE. - * @off physical offset of page. - * @page: page we're reading or writing. - * @bio_chain: list of pending biod (for async reading) - * - * Straight from the textbook - allocate and initialize the bio. - * If we're reading, make sure the page is marked as dirty. - * Then submit it and, if @bio_chain == NULL, wait. - */ -static int submit(int rw, struct block_device *bdev, sector_t sector, - struct page *page, struct bio **bio_chain) -{ - const int bio_rw = rw | REQ_SYNC; - struct bio *bio; - - bio = bio_alloc(__GFP_WAIT | __GFP_HIGH, 1); - bio->bi_iter.bi_sector = sector; - bio->bi_bdev = bdev; - bio->bi_end_io = end_swap_bio_read; - - if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) { - printk(KERN_ERR "PM: Adding page to bio failed at %llu\n", - (unsigned long long)sector); - bio_put(bio); - return -EFAULT; - } - - lock_page(page); - bio_get(bio); - - if (bio_chain == NULL) { - submit_bio(bio_rw, bio); - wait_on_page_locked(page); - if (rw == READ) - bio_set_pages_dirty(bio); - bio_put(bio); - } else { - if (rw == READ) - get_page(page); /* These pages are freed later */ - bio->bi_private = *bio_chain; - *bio_chain = bio; - submit_bio(bio_rw, bio); - } - return 0; -} - -int hib_bio_read_page(pgoff_t page_off, void *addr, struct bio **bio_chain) -{ - return submit(READ, hib_resume_bdev, page_off * (PAGE_SIZE >> 9), - virt_to_page(addr), bio_chain); -} - -int hib_bio_write_page(pgoff_t page_off, void *addr, struct bio **bio_chain) -{ - return submit(WRITE, hib_resume_bdev, page_off * (PAGE_SIZE >> 9), - virt_to_page(addr), bio_chain); -} - -int hib_wait_on_bio_chain(struct bio **bio_chain) -{ - struct bio *bio; - struct bio *next_bio; - int ret = 0; - - if (bio_chain == NULL) - return 0; - - bio = *bio_chain; - if (bio == NULL) - return 0; - while (bio) { - struct page *page; - - next_bio = bio->bi_private; - page = bio->bi_io_vec[0].bv_page; - wait_on_page_locked(page); - if (!PageUptodate(page) || PageError(page)) - ret = -EIO; - put_page(page); - bio_put(bio); - bio = next_bio; - } - *bio_chain = NULL; - return ret; -} --- a/kernel/power/power.h +++ b/kernel/power/power.h @@ -163,15 +163,6 @@ extern void swsusp_close(fmode_t); extern int swsusp_unmark(void); #endif
-/* kernel/power/block_io.c */ -extern struct block_device *hib_resume_bdev; - -extern int hib_bio_read_page(pgoff_t page_off, void *addr, - struct bio **bio_chain); -extern int hib_bio_write_page(pgoff_t page_off, void *addr, - struct bio **bio_chain); -extern int hib_wait_on_bio_chain(struct bio **bio_chain); - struct timeval; /* kernel/power/swsusp.c */ extern void swsusp_show_speed(struct timeval *, struct timeval *, --- a/kernel/power/swap.c +++ b/kernel/power/swap.c @@ -211,7 +211,84 @@ int swsusp_swap_in_use(void) */
static unsigned short root_swap = 0xffff; -struct block_device *hib_resume_bdev; +static struct block_device *hib_resume_bdev; + +struct hib_bio_batch { + atomic_t count; + wait_queue_head_t wait; + int error; +}; + +static void hib_init_batch(struct hib_bio_batch *hb) +{ + atomic_set(&hb->count, 0); + init_waitqueue_head(&hb->wait); + hb->error = 0; +} + +static void hib_end_io(struct bio *bio, int error) +{ + struct hib_bio_batch *hb = bio->bi_private; + const int uptodate = test_bit(BIO_UPTODATE, &bio->bi_flags); + struct page *page = bio->bi_io_vec[0].bv_page; + + if (!uptodate || error) { + printk(KERN_ALERT "Read-error on swap-device (%u:%u:%Lu)\n", + imajor(bio->bi_bdev->bd_inode), + iminor(bio->bi_bdev->bd_inode), + (unsigned long long)bio->bi_iter.bi_sector); + + if (!error) + error = -EIO; + } + + if (bio_data_dir(bio) == WRITE) + put_page(page); + + if (error && !hb->error) + hb->error = error; + if (atomic_dec_and_test(&hb->count)) + wake_up(&hb->wait); + + bio_put(bio); +} + +static int hib_submit_io(int rw, pgoff_t page_off, void *addr, + struct hib_bio_batch *hb) +{ + struct page *page = virt_to_page(addr); + struct bio *bio; + int error = 0; + + bio = bio_alloc(__GFP_WAIT | __GFP_HIGH, 1); + bio->bi_iter.bi_sector = page_off * (PAGE_SIZE >> 9); + bio->bi_bdev = hib_resume_bdev; + + if (bio_add_page(bio, page, PAGE_SIZE, 0) < PAGE_SIZE) { + printk(KERN_ERR "PM: Adding page to bio failed at %llu\n", + (unsigned long long)bio->bi_iter.bi_sector); + bio_put(bio); + return -EFAULT; + } + + if (hb) { + bio->bi_end_io = hib_end_io; + bio->bi_private = hb; + atomic_inc(&hb->count); + submit_bio(rw, bio); + } else { + error = submit_bio_wait(rw, bio); + bio_put(bio); + } + + return error; +} + +static int hib_wait_io(struct hib_bio_batch *hb) +{ + wait_event(hb->wait, atomic_read(&hb->count) == 0); + return hb->error; +}
/* * Saving part @@ -221,7 +298,7 @@ static int mark_swapfiles(struct swap_ma { int error;
- hib_bio_read_page(swsusp_resume_block, swsusp_header, NULL); + hib_submit_io(READ_SYNC, swsusp_resume_block, swsusp_header, NULL); if (!memcmp("SWAP-SPACE",swsusp_header->sig, 10) || !memcmp("SWAPSPACE2",swsusp_header->sig, 10)) { memcpy(swsusp_header->orig_sig,swsusp_header->sig, 10); @@ -230,7 +307,7 @@ static int mark_swapfiles(struct swap_ma swsusp_header->flags = flags; if (flags & SF_CRC32_MODE) swsusp_header->crc32 = handle->crc32; - error = hib_bio_write_page(swsusp_resume_block, + error = hib_submit_io(WRITE_SYNC, swsusp_resume_block, swsusp_header, NULL); } else { printk(KERN_ERR "PM: Swap header not found!\n"); @@ -270,10 +347,10 @@ static int swsusp_swap_check(void) * write_page - Write one page to given swap location. * @buf: Address we're writing. * @offset: Offset of the swap page we're writing to. - * @bio_chain: Link the next write BIO here + * @hb: bio completion batch */
-static int write_page(void *buf, sector_t offset, struct bio **bio_chain) +static int write_page(void *buf, sector_t offset, struct hib_bio_batch *hb) { void *src; int ret; @@ -281,13 +358,13 @@ static int write_page(void *buf, sector_ if (!offset) return -ENOSPC;
- if (bio_chain) { + if (hb) { src = (void *)__get_free_page(__GFP_WAIT | __GFP_NOWARN | __GFP_NORETRY); if (src) { copy_page(src, buf); } else { - ret = hib_wait_on_bio_chain(bio_chain); /* Free pages */ + ret = hib_wait_io(hb); /* Free pages */ if (ret) return ret; src = (void *)__get_free_page(__GFP_WAIT | @@ -297,14 +374,14 @@ static int write_page(void *buf, sector_ copy_page(src, buf); } else { WARN_ON_ONCE(1); - bio_chain = NULL; /* Go synchronous */ + hb = NULL; /* Go synchronous */ src = buf; } } } else { src = buf; } - return hib_bio_write_page(offset, src, bio_chain); + return hib_submit_io(WRITE_SYNC, offset, src, hb); }
static void release_swap_writer(struct swap_map_handle *handle) @@ -347,7 +424,7 @@ err_close: }
static int swap_write_page(struct swap_map_handle *handle, void *buf, - struct bio **bio_chain) + struct hib_bio_batch *hb) { int error = 0; sector_t offset; @@ -355,7 +432,7 @@ static int swap_write_page(struct swap_m if (!handle->cur) return -EINVAL; offset = alloc_swapdev_block(root_swap); - error = write_page(buf, offset, bio_chain); + error = write_page(buf, offset, hb); if (error) return error; handle->cur->entries[handle->k++] = offset; @@ -364,15 +441,15 @@ static int swap_write_page(struct swap_m if (!offset) return -ENOSPC; handle->cur->next_swap = offset; - error = write_page(handle->cur, handle->cur_swap, bio_chain); + error = write_page(handle->cur, handle->cur_swap, hb); if (error) goto out; clear_page(handle->cur); handle->cur_swap = offset; handle->k = 0;
- if (bio_chain && low_free_pages() <= handle->reqd_free_pages) { - error = hib_wait_on_bio_chain(bio_chain); + if (hb && low_free_pages() <= handle->reqd_free_pages) { + error = hib_wait_io(hb); if (error) goto out; /* @@ -444,23 +521,24 @@ static int save_image(struct swap_map_ha int ret; int nr_pages; int err2; - struct bio *bio; + struct hib_bio_batch hb; struct timeval start; struct timeval stop;
+ hib_init_batch(&hb); + printk(KERN_INFO "PM: Saving image data pages (%u pages)...\n", nr_to_write); m = nr_to_write / 10; if (!m) m = 1; nr_pages = 0; - bio = NULL; do_gettimeofday(&start); while (1) { ret = snapshot_read_next(snapshot); if (ret <= 0) break; - ret = swap_write_page(handle, data_of(*snapshot), &bio); + ret = swap_write_page(handle, data_of(*snapshot), &hb); if (ret) break; if (!(nr_pages % m)) @@ -468,7 +546,7 @@ static int save_image(struct swap_map_ha nr_pages / m * 10); nr_pages++; } - err2 = hib_wait_on_bio_chain(&bio); + err2 = hib_wait_io(&hb); do_gettimeofday(&stop); if (!ret) ret = err2; @@ -579,7 +657,7 @@ static int save_image_lzo(struct swap_ma int ret = 0; int nr_pages; int err2; - struct bio *bio; + struct hib_bio_batch hb; struct timeval start; struct timeval stop; size_t off; @@ -588,6 +666,8 @@ static int save_image_lzo(struct swap_ma struct cmp_data *data = NULL; struct crc_data *crc = NULL;
+ hib_init_batch(&hb); + /* * We'll limit the number of threads for compression to limit memory * footprint. @@ -673,7 +753,6 @@ static int save_image_lzo(struct swap_ma if (!m) m = 1; nr_pages = 0; - bio = NULL; do_gettimeofday(&start); for (;;) { for (thr = 0; thr < nr_threads; thr++) { @@ -747,7 +826,7 @@ static int save_image_lzo(struct swap_ma off += PAGE_SIZE) { memcpy(page, data[thr].cmp + off, PAGE_SIZE);
- ret = swap_write_page(handle, page, &bio); + ret = swap_write_page(handle, page, &hb); if (ret) goto out_finish; } @@ -758,7 +837,7 @@ static int save_image_lzo(struct swap_ma }
out_finish: - err2 = hib_wait_on_bio_chain(&bio); + err2 = hib_wait_io(&hb); do_gettimeofday(&stop); if (!ret) ret = err2; @@ -905,7 +984,7 @@ static int get_swap_reader(struct swap_m return -ENOMEM; }
- error = hib_bio_read_page(offset, tmp->map, NULL); + error = hib_submit_io(READ_SYNC, offset, tmp->map, NULL); if (error) { release_swap_reader(handle); return error; @@ -918,7 +997,7 @@ static int get_swap_reader(struct swap_m }
static int swap_read_page(struct swap_map_handle *handle, void *buf, - struct bio **bio_chain) + struct hib_bio_batch *hb) { sector_t offset; int error; @@ -929,7 +1008,7 @@ static int swap_read_page(struct swap_ma offset = handle->cur->entries[handle->k]; if (!offset) return -EFAULT; - error = hib_bio_read_page(offset, buf, bio_chain); + error = hib_submit_io(READ_SYNC, offset, buf, hb); if (error) return error; if (++handle->k >= MAP_PAGE_ENTRIES) { @@ -967,27 +1046,28 @@ static int load_image(struct swap_map_ha int ret = 0; struct timeval start; struct timeval stop; - struct bio *bio; + struct hib_bio_batch hb; int err2; unsigned nr_pages;
+ hib_init_batch(&hb); + printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n", nr_to_read); m = nr_to_read / 10; if (!m) m = 1; nr_pages = 0; - bio = NULL; do_gettimeofday(&start); for ( ; ; ) { ret = snapshot_write_next(snapshot); if (ret <= 0) break; - ret = swap_read_page(handle, data_of(*snapshot), &bio); + ret = swap_read_page(handle, data_of(*snapshot), &hb); if (ret) break; if (snapshot->sync_read) - ret = hib_wait_on_bio_chain(&bio); + ret = hib_wait_io(&hb); if (ret) break; if (!(nr_pages % m)) @@ -995,7 +1075,7 @@ static int load_image(struct swap_map_ha nr_pages / m * 10); nr_pages++; } - err2 = hib_wait_on_bio_chain(&bio); + err2 = hib_wait_io(&hb); do_gettimeofday(&stop); if (!ret) ret = err2; @@ -1066,7 +1146,7 @@ static int load_image_lzo(struct swap_ma unsigned int m; int ret = 0; int eof = 0; - struct bio *bio; + struct hib_bio_batch hb; struct timeval start; struct timeval stop; unsigned nr_pages; @@ -1079,6 +1159,8 @@ static int load_image_lzo(struct swap_ma struct dec_data *data = NULL; struct crc_data *crc = NULL;
+ hib_init_batch(&hb); + /* * We'll limit the number of threads for decompression to limit memory * footprint. @@ -1189,7 +1271,6 @@ static int load_image_lzo(struct swap_ma if (!m) m = 1; nr_pages = 0; - bio = NULL; do_gettimeofday(&start);
ret = snapshot_write_next(snapshot); @@ -1198,7 +1279,7 @@ static int load_image_lzo(struct swap_ma
for(;;) { for (i = 0; !eof && i < want; i++) { - ret = swap_read_page(handle, page[ring], &bio); + ret = swap_read_page(handle, page[ring], &hb); if (ret) { /* * On real read error, finish. On end of data, @@ -1225,7 +1306,7 @@ static int load_image_lzo(struct swap_ma if (!asked) break;
- ret = hib_wait_on_bio_chain(&bio); + ret = hib_wait_io(&hb); if (ret) goto out_finish; have += asked; @@ -1280,7 +1361,7 @@ static int load_image_lzo(struct swap_ma * Wait for more data while we are decompressing. */ if (have < LZO_CMP_PAGES && asked) { - ret = hib_wait_on_bio_chain(&bio); + ret = hib_wait_io(&hb); if (ret) goto out_finish; have += asked; @@ -1429,7 +1510,7 @@ int swsusp_check(void) if (!IS_ERR(hib_resume_bdev)) { set_blocksize(hib_resume_bdev, PAGE_SIZE); clear_page(swsusp_header); - error = hib_bio_read_page(swsusp_resume_block, + error = hib_submit_io(READ_SYNC, swsusp_resume_block, swsusp_header, NULL); if (error) goto put; @@ -1437,7 +1518,7 @@ int swsusp_check(void) if (!memcmp(HIBERNATE_SIG, swsusp_header->sig, 10)) { memcpy(swsusp_header->sig, swsusp_header->orig_sig, 10); /* Reset swap signature now */ - error = hib_bio_write_page(swsusp_resume_block, + error = hib_submit_io(WRITE_SYNC, swsusp_resume_block, swsusp_header, NULL); } else { error = -EINVAL; @@ -1481,10 +1562,10 @@ int swsusp_unmark(void) { int error;
- hib_bio_read_page(swsusp_resume_block, swsusp_header, NULL); + hib_submit_io(READ_SYNC, swsusp_resume_block, swsusp_header, NULL); if (!memcmp(HIBERNATE_SIG,swsusp_header->sig, 10)) { memcpy(swsusp_header->sig,swsusp_header->orig_sig, 10); - error = hib_bio_write_page(swsusp_resume_block, + error = hib_submit_io(WRITE_SYNC, swsusp_resume_block, swsusp_header, NULL); } else { printk(KERN_ERR "PM: Cannot find swsusp signature!\n"); --- a/mm/page_io.c +++ b/mm/page_io.c @@ -69,7 +69,7 @@ void end_swap_bio_write(struct bio *bio, bio_put(bio); }
-void end_swap_bio_read(struct bio *bio, int err) +static void end_swap_bio_read(struct bio *bio, int err) { const int uptodate = test_bit(BIO_UPTODATE, &bio->bi_flags); struct page *page = bio->bi_io_vec[0].bv_page;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: James Morse james.morse@arm.com
commit f6cf0545ec697ddc278b7457b7d0c0d86a2ea88e upstream.
Some architectures require code written to memory as if it were data to be 'cleaned' from any data caches before the processor can fetch them as new instructions.
During resume from hibernate, the snapshot code copies some pages directly, meaning these architectures do not get a chance to perform their cache maintenance. Modify the read and decompress code to call flush_icache_range() on all pages that are restored, so that the restored in-place pages are guaranteed to be executable on these architectures.
Signed-off-by: James Morse james.morse@arm.com Acked-by: Pavel Machek pavel@ucw.cz Acked-by: Rafael J. Wysocki rjw@rjwysocki.net Acked-by: Catalin Marinas catalin.marinas@arm.com [will: make clean_pages_on_* static and remove initialisers] Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- kernel/power/swap.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
--- a/kernel/power/swap.c +++ b/kernel/power/swap.c @@ -36,6 +36,14 @@ #define HIBERNATE_SIG "S1SUSPEND"
/* + * When reading an {un,}compressed image, we may restore pages in place, + * in which case some architectures need these pages cleaning before they + * can be executed. We don't know which pages these may be, so clean the lot. + */ +static bool clean_pages_on_read; +static bool clean_pages_on_decompress; + +/* * The swap map is a data structure used for keeping track of each page * written to a swap partition. It consists of many swap_map_page * structures that contain each an array of MAP_PAGE_ENTRIES swap entries. @@ -244,6 +252,9 @@ static void hib_end_io(struct bio *bio,
if (bio_data_dir(bio) == WRITE) put_page(page); + else if (clean_pages_on_read) + flush_icache_range((unsigned long)page_address(page), + (unsigned long)page_address(page) + PAGE_SIZE);
if (error && !hb->error) hb->error = error; @@ -1052,6 +1063,7 @@ static int load_image(struct swap_map_ha
hib_init_batch(&hb);
+ clean_pages_on_read = true; printk(KERN_INFO "PM: Loading image data pages (%u pages)...\n", nr_to_read); m = nr_to_read / 10; @@ -1127,6 +1139,10 @@ static int lzo_decompress_threadfn(void d->unc_len = LZO_UNC_SIZE; d->ret = lzo1x_decompress_safe(d->cmp + LZO_HEADER, d->cmp_len, d->unc, &d->unc_len); + if (clean_pages_on_decompress) + flush_icache_range((unsigned long)d->unc, + (unsigned long)d->unc + d->unc_len); + atomic_set(&d->stop, 1); wake_up(&d->done); } @@ -1192,6 +1208,8 @@ static int load_image_lzo(struct swap_ma } memset(crc, 0, offsetof(struct crc_data, go));
+ clean_pages_on_decompress = true; + /* * Start the decompression threads. */
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Winter Wang wente.wang@nxp.com
commit cee51c33f52ebf673a088a428ac0fecc33ab77fa upstream.
There may be a race condition if f_fs calls unregister_gadget_item in ffs_closed() when unregister_gadget is called by UDC store at the same time. this leads to a kernel NULL pointer dereference:
[ 310.644928] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 310.645053] init: Service 'adbd' is being killed... [ 310.658938] pgd = c9528000 [ 310.662515] [00000004] *pgd=19451831, *pte=00000000, *ppte=00000000 [ 310.669702] Internal error: Oops: 817 [#1] PREEMPT SMP ARM [ 310.675211] Modules linked in: [ 310.678294] CPU: 0 PID: 1537 Comm: ->transport Not tainted 4.1.15-03725-g793404c #2 [ 310.685958] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 310.692493] task: c8e24200 ti: c945e000 task.ti: c945e000 [ 310.697911] PC is at usb_gadget_unregister_driver+0xb4/0xd0 [ 310.703502] LR is at __mutex_lock_slowpath+0x10c/0x16c [ 310.708648] pc : [<c075efc0>] lr : [<c0bfb0bc>] psr: 600f0113 <snip..> [ 311.565585] [<c075efc0>] (usb_gadget_unregister_driver) from [<c075e2b8>] (unregister_gadget_item+0x1c/0x34) [ 311.575426] [<c075e2b8>] (unregister_gadget_item) from [<c076fcc8>] (ffs_closed+0x8c/0x9c) [ 311.583702] [<c076fcc8>] (ffs_closed) from [<c07736b8>] (ffs_data_reset+0xc/0xa0) [ 311.591194] [<c07736b8>] (ffs_data_reset) from [<c07738ac>] (ffs_data_closed+0x90/0xd0) [ 311.599208] [<c07738ac>] (ffs_data_closed) from [<c07738f8>] (ffs_ep0_release+0xc/0x14) [ 311.607224] [<c07738f8>] (ffs_ep0_release) from [<c023e030>] (__fput+0x80/0x1d0) [ 311.614635] [<c023e030>] (__fput) from [<c014e688>] (task_work_run+0xb0/0xe8) [ 311.621788] [<c014e688>] (task_work_run) from [<c010afdc>] (do_work_pending+0x7c/0xa4) [ 311.629718] [<c010afdc>] (do_work_pending) from [<c010770c>] (work_pending+0xc/0x20)
for functions using functionFS, i.e. android adbd will close /dev/usb-ffs/adb/ep0 when usb IO thread fails, but switch adb from on to off also triggers write "none" > UDC. These 2 operations both call unregister_gadget, which will lead to the panic above.
add a mutex before calling unregister_gadget for api used in f_fs.
Signed-off-by: Winter Wang wente.wang@nxp.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/configfs.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/usb/gadget/configfs.c +++ b/drivers/usb/gadget/configfs.c @@ -1551,7 +1551,9 @@ void unregister_gadget_item(struct confi { struct gadget_info *gi = to_gadget_info(item);
+ mutex_lock(&gi->lock); unregister_gadget(gi); + mutex_unlock(&gi->lock); } EXPORT_SYMBOL_GPL(unregister_gadget_item);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xerox Lin xerox_lin@htc.com
commit 207707d8fd48ebc977fb2b2794004a020e1ee08e upstream.
When rndis data transfer is in progress, some Windows7 Host PC is not sending the GET_ENCAPSULATED_RESPONSE command for receiving the response for the previous SEND_ENCAPSULATED_COMMAND processed.
The rndis function driver appends each response for the SEND_ENCAPSULATED_COMMAND in a queue. As the above process got corrupted, the Host sends a REMOTE_NDIS_RESET_MSG command to do a soft-reset. As the rndis response queue is not freed, the previous response is sent as a part of this REMOTE_NDIS_RESET_MSG's reset response and the Host block any more Rndis transfers.
Hence free the rndis response queue as a part of this soft-reset so that the correct response for REMOTE_NDIS_RESET_MSG is sent properly during the response command.
Signed-off-by: Rajkumar Raghupathy raghup@codeaurora.org Signed-off-by: Xerox Lin xerox_lin@htc.com [AmitP: Cherry-picked this patch and folded other relevant fixes from Android common kernel android-4.4] Signed-off-by: Amit Pundir amit.pundir@linaro.org Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: - Pass configNr instead of params as first argument to rndis_{get_next,free}_response() - Adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/gadget/rndis.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/usb/gadget/rndis.c +++ b/drivers/usb/gadget/rndis.c @@ -686,6 +686,12 @@ static int rndis_reset_response(int conf rndis_reset_cmplt_type *resp; rndis_resp_t *r; struct rndis_params *params = rndis_per_dev_params + configNr; + u8 *xbuf; + u32 length; + + /* drain the response queue */ + while ((xbuf = rndis_get_next_response(configNr, &length))) + rndis_free_response(configNr, xbuf);
r = rndis_add_response(configNr, sizeof(rndis_reset_cmplt_type)); if (!r)
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Christoffer Dall christoffer.dall@linaro.org
commit ace6033ec5c356615eaa3582fb1946e9eaff6662 upstream.
User space Android code identifies pixclock == 0 as a sign for emulation and will set the frame rate to 60 fps when reading this value, which is the desired outcome.
Signed-off-by: Christoffer Dall christoffer.dall@linaro.org Signed-off-by: Peter Maydell peter.maydell@linaro.org Signed-off-by: Roman Kiryanov rkir@google.com Signed-off-by: Bartlomiej Zolnierkiewicz b.zolnierkie@samsung.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/video/fbdev/goldfishfb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/goldfishfb.c +++ b/drivers/video/fbdev/goldfishfb.c @@ -234,7 +234,7 @@ static int goldfish_fb_probe(struct plat fb->fb.var.activate = FB_ACTIVATE_NOW; fb->fb.var.height = readl(fb->reg_base + FB_GET_PHYS_HEIGHT); fb->fb.var.width = readl(fb->reg_base + FB_GET_PHYS_WIDTH); - fb->fb.var.pixclock = 10000; + fb->fb.var.pixclock = 0;
fb->fb.var.red.offset = 11; fb->fb.var.red.length = 5;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ezequiel Garcia ezequiel@vanguardiasur.com.ar
commit 99a507771fa57238dc7ffe674ae06090333d02c9 upstream.
The rtc-lib dependency is not required, and seems it was just copy-pasted from ARM's Kconfig. If platform requires rtc-lib, they should select it individually.
Reviewed-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Ezequiel Garcia ezequiel@vanguardiasur.com.ar Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/Kconfig | 1 - 1 file changed, 1 deletion(-)
--- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -60,7 +60,6 @@ config ARM64 select PERF_USE_VMALLOC select POWER_RESET select POWER_SUPPLY - select RTC_LIB select SPARSE_IRQ select SYSCTL_EXCEPTION_TRACE help
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Chaotian Jing chaotian.jing@mediatek.com
commit 987aa5f8059613bf85cbb6f64ffbd34f5cb7a9d1 upstream.
with CONFIG_HZ=100, the precision of jiffies is 10ms, and the generic_cmd6_time of some card is also 10ms. then, may be current time is only 5ms, but already timed out caused by jiffies precision.
Signed-off-by: Chaotian Jing chaotian.jing@mediatek.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/mmc/core/mmc_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/core/mmc_ops.c +++ b/drivers/mmc/core/mmc_ops.c @@ -470,7 +470,7 @@ int __mmc_switch(struct mmc_card *card, timeout_ms = MMC_OPS_TIMEOUT_MS;
/* Must check status to be sure of no errors. */ - timeout = jiffies + msecs_to_jiffies(timeout_ms); + timeout = jiffies + msecs_to_jiffies(timeout_ms) + 1; do { if (send_status) { err = __mmc_send_status(card, &status, ignore_crc);
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg johannes.berg@intel.com
commit 4ef8c1c93f848e360754f10eb2e7134c872b6597 upstream.
Ilan reported that sometimes nl80211 messages weren't working if the frames being transported got very large, which was really a problem for userspace-to-kernel messages, but prompted me to look at the code.
Upon review, I found various places where variable-length data is transported in an nl80211 message but the message isn't allocated taking that into account. This shouldn't cause any problems since the frames aren't really that long, apart in one place where two (possibly very long frames) might not fit.
Fix all the places (that I found) that get variable length data from the driver and put it into a message to take the length of the variable data into account. The 100 there is just a safe constant for the remaining message overhead (it's usually around 50 for most messages.)
Signed-off-by: Johannes Berg johannes.berg@intel.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- net/wireless/nl80211.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-)
--- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -10463,7 +10463,7 @@ static void nl80211_send_mlme_event(stru struct sk_buff *msg; void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return;
@@ -10602,7 +10602,7 @@ void nl80211_send_connect_result(struct struct sk_buff *msg; void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return;
@@ -10642,7 +10642,7 @@ void nl80211_send_roamed(struct cfg80211 struct sk_buff *msg; void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + req_ie_len + resp_ie_len, gfp); if (!msg) return;
@@ -10680,7 +10680,7 @@ void nl80211_send_disconnected(struct cf struct sk_buff *msg; void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ie_len, GFP_KERNEL); if (!msg) return;
@@ -10757,7 +10757,7 @@ void cfg80211_notify_new_peer_candidate(
trace_cfg80211_notify_new_peer_candidate(dev, addr);
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + ie_len, gfp); if (!msg) return;
@@ -11133,7 +11133,7 @@ int nl80211_send_mgmt(struct cfg80211_re struct sk_buff *msg; void *hdr;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return -ENOMEM;
@@ -11176,7 +11176,7 @@ void cfg80211_mgmt_tx_status(struct wire
trace_cfg80211_mgmt_tx_status(wdev, cookie, ack);
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp); + msg = nlmsg_new(100 + len, gfp); if (!msg) return;
@@ -11886,7 +11886,7 @@ void cfg80211_ft_event(struct net_device if (!ft_event->target_ap) return;
- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + msg = nlmsg_new(100 + ft_event->ric_ies_len, GFP_KERNEL); if (!msg) return;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 5c2a625937ba49bc691089370638223d310cda9a upstream.
As is the case for a number of other architectures that have a 32-bit compat mode, enable KEYS_COMPAT if both COMPAT and KEYS are enabled. This allows AArch32 programs to use the keyctl() system call when running on an AArch64 kernel.
Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Will Deacon will.deacon@arm.com Cc: Arnd Bergmann arnd@arndb.de Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/Kconfig | 4 ++++ 1 file changed, 4 insertions(+)
--- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -352,6 +352,10 @@ config SYSVIPC_COMPAT def_bool y depends on COMPAT && SYSVIPC
+config KEYS_COMPAT + def_bool y + depends on COMPAT && KEYS + endmenu
menu "Power management options"
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Bhadram Varka vbhadram@nvidia.com
commit a830405ee452ddc4101c3c9334e6fedd42c6b357 upstream.
Currently stmmac driver not copying the valid ethernet MAC address to MAC registers. This patch takes care of updating the MAC register with MAC address.
Signed-off-by: Bhadram Varka vbhadram@nvidia.com Signed-off-by: David S. Miller davem@davemloft.net Cc: Arnd Bergmann arnd@arndb.de [bwh: Backported to 3.16: - Pass priv->ioaddr as first argument to set_umac_addr operation - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- .../net/ethernet/stmicro/stmmac/stmmac_main.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c +++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c @@ -2388,6 +2388,20 @@ static int stmmac_ioctl(struct net_devic return ret; }
+static int stmmac_set_mac_address(struct net_device *ndev, void *addr) +{ + struct stmmac_priv *priv = netdev_priv(ndev); + int ret = 0; + + ret = eth_mac_addr(ndev, addr); + if (ret) + return ret; + + priv->hw->mac->set_umac_addr(priv->ioaddr, ndev->dev_addr, 0); + + return ret; +} + #ifdef CONFIG_STMMAC_DEBUG_FS static struct dentry *stmmac_fs_dir; static struct dentry *stmmac_rings_status; @@ -2587,7 +2601,7 @@ static const struct net_device_ops stmma #ifdef CONFIG_NET_POLL_CONTROLLER .ndo_poll_controller = stmmac_poll_controller, #endif - .ndo_set_mac_address = eth_mac_addr, + .ndo_set_mac_address = stmmac_set_mac_address, };
/**
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon will.deacon@arm.com
commit b9a4b9d084d978f80eb9210727c81804588b42ff upstream.
FAR_EL1 is UNKNOWN for all debug exceptions other than those caused by taking a hardware watchpoint. Unfortunately, if a debug handler returns a non-zero value, then we will propagate the UNKNOWN FAR value to userspace via the si_addr field of the SIGTRAP siginfo_t.
Instead, let's set si_addr to take on the PC of the faulting instruction, which we have available in the current pt_regs.
Reviewed-by: Mark Rutland mark.rutland@arm.com Signed-off-by: Will Deacon will.deacon@arm.com Signed-off-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/mm/fault.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-)
--- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -512,11 +512,12 @@ void __init hook_debug_fault_code(int nr debug_fault_info[nr].name = name; }
-asmlinkage int __exception do_debug_exception(unsigned long addr, +asmlinkage int __exception do_debug_exception(unsigned long addr_if_watchpoint, unsigned int esr, struct pt_regs *regs) { const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); + unsigned long pc = instruction_pointer(regs); struct siginfo info; int rv;
@@ -527,16 +528,16 @@ asmlinkage int __exception do_debug_exce if (interrupts_enabled(regs)) trace_hardirqs_off();
- if (!inf->fn(addr, esr, regs)) { + if (!inf->fn(addr_if_watchpoint, esr, regs)) { rv = 1; } else { pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", - inf->name, esr, addr); + inf->name, esr, pc);
info.si_signo = inf->sig; info.si_errno = 0; info.si_code = inf->code; - info.si_addr = (void __user *)addr; + info.si_addr = (void __user *)pc; arm64_notify_die("", regs, &info, 0); rv = 0; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Will Deacon will.deacon@arm.com
commit 6bd288569b50bc89fa5513031086746968f585cb upstream.
Debug exception handlers may be called for exceptions generated both by user and kernel code. In many cases, this is checked explicitly, but in other cases things either happen to work by happy accident or they go slightly wrong. For example, executing 'brk #4' from userspace will enter the kprobes code and be ignored, but the instruction will be retried forever in userspace instead of delivering a SIGTRAP.
Fix this issue in the most stable-friendly fashion by simply adding explicit checks of the triggering exception level to all of our debug exception handlers.
Reviewed-by: Mark Rutland mark.rutland@arm.com Signed-off-by: Will Deacon will.deacon@arm.com Signed-off-by: Catalin Marinas catalin.marinas@arm.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/arm64/kernel/kgdb.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/kernel/kgdb.c b/arch/arm64/kernel/kgdb.c index bcac81e600b9..f72743dc070d 100644 --- a/arch/arm64/kernel/kgdb.c +++ b/arch/arm64/kernel/kgdb.c @@ -215,22 +215,31 @@ int kgdb_arch_handle_exception(int exception_vector, int signo,
static int kgdb_brk_fn(struct pt_regs *regs, unsigned int esr) { + if (user_mode(regs)) + return DBG_HOOK_ERROR; + kgdb_handle_exception(1, SIGTRAP, 0, regs); - return 0; + return DBG_HOOK_HANDLED; }
static int kgdb_compiled_brk_fn(struct pt_regs *regs, unsigned int esr) { + if (user_mode(regs)) + return DBG_HOOK_ERROR; + compiled_break = 1; kgdb_handle_exception(1, SIGTRAP, 0, regs);
- return 0; + return DBG_HOOK_HANDLED; }
static int kgdb_step_brk_fn(struct pt_regs *regs, unsigned int esr) { + if (user_mode(regs)) + return DBG_HOOK_ERROR; + kgdb_handle_exception(1, SIGTRAP, 0, regs); - return 0; + return DBG_HOOK_HANDLED; }
static struct break_hook kgdb_brkpt_hook = {
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra peterz@infradead.org
commit 69d927bba39517d0980462efc051875b7f4db185 upstream.
Recent probing at the Linux Kernel Memory Model uncovered a 'surprise'. Strongly ordered architectures where the atomic RmW primitive implies full memory ordering and smp_mb__{before,after}_atomic() are a simple barrier() (such as x86) fail for:
*x = 1; atomic_inc(u); smp_mb__after_atomic(); r0 = *y;
Because, while the atomic_inc() implies memory order, it (surprisingly) does not provide a compiler barrier. This then allows the compiler to re-order like so:
atomic_inc(u); *x = 1; smp_mb__after_atomic(); r0 = *y;
Which the CPU is then allowed to re-order (under TSO rules) like:
atomic_inc(u); r0 = *y; *x = 1;
And this very much was not intended. Therefore strengthen the atomic RmW ops to include a compiler barrier.
NOTE: atomic_{or,and,xor} and the bitops already had the compiler barrier.
Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Jari Ruusu jari.ruusu@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/atomic.h | 8 ++++---- arch/x86/include/asm/atomic64_64.h | 8 ++++---- arch/x86/include/asm/barrier.h | 4 ++-- 3 files changed, 10 insertions(+), 10 deletions(-)
--- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h @@ -49,7 +49,7 @@ static inline void atomic_add(int i, ato { asm volatile(LOCK_PREFIX "addl %1,%0" : "+m" (v->counter) - : "ir" (i)); + : "ir" (i) : "memory"); }
/** @@ -63,7 +63,7 @@ static inline void atomic_sub(int i, ato { asm volatile(LOCK_PREFIX "subl %1,%0" : "+m" (v->counter) - : "ir" (i)); + : "ir" (i) : "memory"); }
/** @@ -89,7 +89,7 @@ static inline int atomic_sub_and_test(in static inline void atomic_inc(atomic_t *v) { asm volatile(LOCK_PREFIX "incl %0" - : "+m" (v->counter)); + : "+m" (v->counter) :: "memory"); }
/** @@ -101,7 +101,7 @@ static inline void atomic_inc(atomic_t * static inline void atomic_dec(atomic_t *v) { asm volatile(LOCK_PREFIX "decl %0" - : "+m" (v->counter)); + : "+m" (v->counter) :: "memory"); }
/** --- a/arch/x86/include/asm/atomic64_64.h +++ b/arch/x86/include/asm/atomic64_64.h @@ -44,7 +44,7 @@ static inline void atomic64_add(long i, { asm volatile(LOCK_PREFIX "addq %1,%0" : "=m" (v->counter) - : "er" (i), "m" (v->counter)); + : "er" (i), "m" (v->counter) : "memory"); }
/** @@ -58,7 +58,7 @@ static inline void atomic64_sub(long i, { asm volatile(LOCK_PREFIX "subq %1,%0" : "=m" (v->counter) - : "er" (i), "m" (v->counter)); + : "er" (i), "m" (v->counter) : "memory"); }
/** @@ -85,7 +85,7 @@ static inline void atomic64_inc(atomic64 { asm volatile(LOCK_PREFIX "incq %0" : "=m" (v->counter) - : "m" (v->counter)); + : "m" (v->counter) : "memory"); }
/** @@ -98,7 +98,7 @@ static inline void atomic64_dec(atomic64 { asm volatile(LOCK_PREFIX "decq %0" : "=m" (v->counter) - : "m" (v->counter)); + : "m" (v->counter) : "memory"); }
/** --- a/arch/x86/include/asm/barrier.h +++ b/arch/x86/include/asm/barrier.h @@ -167,8 +167,8 @@ do { \ #endif
/* Atomic operations are already serializing on x86 */ -#define smp_mb__before_atomic() barrier() -#define smp_mb__after_atomic() barrier() +#define smp_mb__before_atomic() do { } while (0) +#define smp_mb__after_atomic() do { } while (0)
/* * Stop RDTSC speculation. This is needed when you need to use RDTSC
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra peterz@infradead.org
commit f6b4ecee0eb7bfa66ae8d5652105ed4da53209a3 upstream.
There are no users, kill it.
Signed-off-by: Peter Zijlstra peterz@infradead.org Cc: Jesse Brandeburg jesse.brandeburg@intel.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Paul E. McKenney paulmck@linux.vnet.ibm.com Link: http://lkml.kernel.org/r/20140508135851.768177189@infradead.org Signed-off-by: Ingo Molnar mingo@kernel.org [bwh: Backported to 3.16 because this function is broken after "x86/atomic: Fix smp_mb__{before,after}_atomic()"] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/x86/include/asm/atomic.h | 15 --------------- 1 file changed, 15 deletions(-)
--- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h @@ -218,21 +218,6 @@ static inline short int atomic_inc_short return *v; }
-#ifdef CONFIG_X86_64 -/** - * atomic_or_long - OR of two long integers - * @v1: pointer to type unsigned long - * @v2: pointer to type unsigned long - * - * Atomically ORs @v1 and @v2 - * Returns the result of the OR - */ -static inline void atomic_or_long(unsigned long *v1, unsigned long v2) -{ - asm(LOCK_PREFIX "orq %1, %0" : "+m" (*v1) : "r" (v2)); -} -#endif - /* These are x86-specific, used by some header files */ #define atomic_clear_mask(mask, addr) \ asm volatile(LOCK_PREFIX "andl %0,%1" \
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Vyukov dvyukov@google.com
commit 31b35f6b4d5285a311e10753f4eb17304326b211 upstream.
It is completely unused and implemented only on x86. Remove it.
Suggested-by: Mark Rutland mark.rutland@arm.com Signed-off-by: Dmitry Vyukov dvyukov@google.com Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Cc: Andrew Morton akpm@linux-foundation.org Cc: Andrey Ryabinin aryabinin@virtuozzo.com Cc: H. Peter Anvin hpa@zytor.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Link: http://lkml.kernel.org/r/20170526172900.91058-1-dvyukov@google.com Signed-off-by: Ingo Molnar mingo@kernel.org [bwh: Backported to 3.16 because this function is broken after "x86/atomic: Fix smp_mb__{before,after}_atomic()": - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- arch/tile/lib/atomic_asm_32.S | 3 +-- arch/x86/include/asm/atomic.h | 13 ------------- 2 files changed, 1 insertion(+), 15 deletions(-)
--- a/arch/tile/lib/atomic_asm_32.S +++ b/arch/tile/lib/atomic_asm_32.S @@ -24,8 +24,7 @@ * has an opportunity to return -EFAULT to the user if needed. * The 64-bit routines just return a "long long" with the value, * since they are only used from kernel space and don't expect to fault. - * Support for 16-bit ops is included in the framework but we don't provide - * any (x86_64 has an atomic_inc_short(), so we might want to some day). + * Support for 16-bit ops is included in the framework but we don't provide any. * * Note that the caller is advised to issue a suitable L1 or L2 * prefetch on the address being manipulated to avoid extra stalls. --- a/arch/x86/include/asm/atomic.h +++ b/arch/x86/include/asm/atomic.h @@ -205,19 +205,6 @@ static inline int __atomic_add_unless(at return c; }
-/** - * atomic_inc_short - increment of a short integer - * @v: pointer to type int - * - * Atomically adds 1 to @v - * Returns the new value of @u - */ -static inline short int atomic_inc_short(short int *v) -{ - asm(LOCK_PREFIX "addw $1, %0" : "+m" (*v)); - return *v; -} - /* These are x86-specific, used by some header files */ #define atomic_clear_mask(mask, addr) \ asm volatile(LOCK_PREFIX "andl %0,%1" \
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jeffrey Hugo jeffrey.l.hugo@gmail.com
commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream.
bam_dma_terminate_all() will leak resources if any of the transactions are committed to the hardware (present in the desc fifo), and not complete. Since bam_dma_terminate_all() does not cause the hardware to be updated, the hardware will still operate on any previously committed transactions. This can cause memory corruption if the memory for the transaction has been reassigned, and will cause a sync issue between the BAM and its client(s).
Fix this by properly updating the hardware in bam_dma_terminate_all().
Fixes: e7c0fe2a5c84 ("dmaengine: add Qualcomm BAM dma driver") Signed-off-by: Jeffrey Hugo jeffrey.l.hugo@gmail.com Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.com Signed-off-by: Vinod Koul vkoul@kernel.org [Jeffrey Hugo: Backported to 4.4 which is lacking 6b4faeac05bc ("dmaengine: qcom-bam: Process multiple pending descriptors")] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/dma/qcom_bam_dma.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
--- a/drivers/dma/qcom_bam_dma.c +++ b/drivers/dma/qcom_bam_dma.c @@ -539,7 +539,21 @@ static void bam_dma_terminate_all(struct
/* remove all transactions, including active transaction */ spin_lock_irqsave(&bchan->vc.lock, flag); + /* + * If we have transactions queued, then some might be committed to the + * hardware in the desc fifo. The only way to reset the desc fifo is + * to do a hardware reset (either by pipe or the entire block). + * bam_chan_init_hw() will trigger a pipe reset, and also reinit the + * pipe. If the pipe is left disabled (default state after pipe reset) + * and is accessed by a connected hardware engine, a fatal error in + * the BAM will occur. There is a small window where this could happen + * with bam_chan_init_hw(), but it is assumed that the caller has + * stopped activity on any attached hardware engine. Make sure to do + * this first so that the BAM hardware doesn't cause memory corruption + * by accessing freed resources. + */ if (bchan->curr_txd) { + bam_chan_init_hw(bchan, bchan->curr_txd->dir); list_add(&bchan->curr_txd->vd.node, &bchan->vc.desc_issued); bchan->curr_txd = NULL; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Bunk bunk@kernel.org
commit 65a576e27309120e0621f54d5c81eb9128bd56be upstream.
NL80211_TX_POWER_LIMITED was treated as NL80211_TX_POWER_AUTOMATIC, which is the opposite of what should happen and can cause nasty regulatory problems.
if/else converted to a switch without default to make gcc warn on unhandled enum values.
Signed-off-by: Adrian Bunk bunk@kernel.org Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filenames] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/mwifiex/cfg80211.c | 13 +++++++++++-- drivers/net/wireless/mwifiex/ioctl.h | 1 + drivers/net/wireless/mwifiex/sta_ioctl.c | 11 +++++++---- 3 files changed, 19 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c @@ -343,11 +343,20 @@ mwifiex_cfg80211_set_tx_power(struct wip struct mwifiex_power_cfg power_cfg; int dbm = MBM_TO_DBM(mbm);
- if (type == NL80211_TX_POWER_FIXED) { + switch (type) { + case NL80211_TX_POWER_FIXED: power_cfg.is_power_auto = 0; + power_cfg.is_power_fixed = 1; power_cfg.power_level = dbm; - } else { + break; + case NL80211_TX_POWER_LIMITED: + power_cfg.is_power_auto = 0; + power_cfg.is_power_fixed = 0; + power_cfg.power_level = dbm; + break; + case NL80211_TX_POWER_AUTOMATIC: power_cfg.is_power_auto = 1; + break; }
priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY); --- a/drivers/net/wireless/mwifiex/ioctl.h +++ b/drivers/net/wireless/mwifiex/ioctl.h @@ -245,6 +245,7 @@ struct mwifiex_ds_encrypt_key {
struct mwifiex_power_cfg { u32 is_power_auto; + u32 is_power_fixed; u32 power_level; };
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -659,6 +659,9 @@ int mwifiex_set_tx_power(struct mwifiex_ txp_cfg = (struct host_cmd_ds_txpwr_cfg *) buf; txp_cfg->action = cpu_to_le16(HostCmd_ACT_GEN_SET); if (!power_cfg->is_power_auto) { + u16 dbm_min = power_cfg->is_power_fixed ? + dbm : priv->min_tx_power_level; + txp_cfg->mode = cpu_to_le32(1); pg_tlv = (struct mwifiex_types_power_group *) (buf + sizeof(struct host_cmd_ds_txpwr_cfg)); @@ -673,7 +676,7 @@ int mwifiex_set_tx_power(struct mwifiex_ pg->last_rate_code = 0x03; pg->modulation_class = MOD_CLASS_HR_DSSS; pg->power_step = 0; - pg->power_min = (s8) dbm; + pg->power_min = (s8) dbm_min; pg->power_max = (s8) dbm; pg++; /* Power group for modulation class OFDM */ @@ -681,7 +684,7 @@ int mwifiex_set_tx_power(struct mwifiex_ pg->last_rate_code = 0x07; pg->modulation_class = MOD_CLASS_OFDM; pg->power_step = 0; - pg->power_min = (s8) dbm; + pg->power_min = (s8) dbm_min; pg->power_max = (s8) dbm; pg++; /* Power group for modulation class HTBW20 */ @@ -689,7 +692,7 @@ int mwifiex_set_tx_power(struct mwifiex_ pg->last_rate_code = 0x20; pg->modulation_class = MOD_CLASS_HT; pg->power_step = 0; - pg->power_min = (s8) dbm; + pg->power_min = (s8) dbm_min; pg->power_max = (s8) dbm; pg->ht_bandwidth = HT_BW_20; pg++; @@ -698,7 +701,7 @@ int mwifiex_set_tx_power(struct mwifiex_ pg->last_rate_code = 0x20; pg->modulation_class = MOD_CLASS_HT; pg->power_step = 0; - pg->power_min = (s8) dbm; + pg->power_min = (s8) dbm_min; pg->power_max = (s8) dbm; pg->ht_bandwidth = HT_BW_40; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Mathias Nyman mathias.nyman@linux.intel.com
commit 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 upstream.
A race in xhci USB3 remote wake handling may force device back to suspend after it initiated resume siganaling, causing a missed resume event or warm reset of device.
When a USB3 link completes resume signaling and goes to enabled (UO) state a interrupt is issued and the interrupt handler will clear the bus_state->port_remote_wakeup resume flag, allowing bus suspend.
If the USB3 roothub thread just finished reading port status before the interrupt, finding ports still in suspended (U3) state, but hasn't yet started suspending the hub, then the xhci interrupt handler will clear the flag that prevented roothub suspend and allow bus to suspend, forcing all port links back to suspended (U3) state.
Example case: usb_runtime_suspend() # because all ports still show suspended U3 usb_suspend_both() hub_suspend(); # successful as hub->wakeup_bits not set yet ==> INTERRUPT xhci_irq() handle_port_status() clear bus_state->port_remote_wakeup usb_wakeup_notification() sets hub->wakeup_bits; kick_hub_wq() <== END INTERRUPT hcd_bus_suspend() xhci_bus_suspend() # success as port_remote_wakeup bits cleared
Fix this by increasing roothub usage count during port resume to prevent roothub autosuspend, and by making sure bus_state->port_remote_wakeup flag is only cleared after resume completion is visible, i.e. after xhci roothub returned U0 or other non-U3 link state link on a get port status request.
Issue rootcaused by Chiasheng Lee
Cc: Lee, Hou-hsun hou-hsun.lee@intel.com Reported-by: Lee, Chiasheng chiasheng.lee@intel.com Signed-off-by: Mathias Nyman mathias.nyman@linux.intel.com Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@linux.intel.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org [Mathias Nyman: Backport for 4.9 and 4.4 stable kernels] [bwh: Backported to 3.16: USB 3.0 SS is the highest speed we handle] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/usb/host/xhci-hub.c | 8 ++++++++ drivers/usb/host/xhci-ring.c | 6 +----- drivers/usb/host/xhci.h | 1 + 3 files changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/usb/host/xhci-hub.c +++ b/drivers/usb/host/xhci-hub.c @@ -612,6 +612,14 @@ static u32 xhci_get_port_status(struct u status |= USB_PORT_STAT_C_BH_RESET << 16; if ((raw_port_status & PORT_CEC)) status |= USB_PORT_STAT_C_CONFIG_ERROR << 16; + + /* USB3 remote wake resume signaling completed */ + if (bus_state->port_remote_wakeup & (1 << wIndex) && + (raw_port_status & PORT_PLS_MASK) != XDEV_RESUME && + (raw_port_status & PORT_PLS_MASK) != XDEV_RECOVERY) { + bus_state->port_remote_wakeup &= ~(1 << wIndex); + usb_hcd_end_port_resume(&hcd->self, wIndex); + } }
if (hcd->speed != HCD_USB3) { --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1605,9 +1605,6 @@ static void handle_port_status(struct xh usb_hcd_resume_root_hub(hcd); }
- if (hcd->speed == HCD_USB3 && (temp & PORT_PLS_MASK) == XDEV_INACTIVE) - bus_state->port_remote_wakeup &= ~(1 << faked_port_index); - if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_RESUME) { xhci_dbg(xhci, "port resume event for port %d\n", port_id);
@@ -1626,6 +1623,7 @@ static void handle_port_status(struct xh bus_state->port_remote_wakeup |= 1 << faked_port_index; xhci_test_and_clear_bit(xhci, port_array, faked_port_index, PORT_PLC); + usb_hcd_start_port_resume(&hcd->self, faked_port_index); xhci_set_link_state(xhci, port_array, faked_port_index, XDEV_U0); /* Need to wait until the next link state change @@ -1663,8 +1661,6 @@ static void handle_port_status(struct xh if (slot_id && xhci->devs[slot_id]) xhci_ring_device(xhci, slot_id); if (bus_state->port_remote_wakeup & (1 << faked_port_index)) { - bus_state->port_remote_wakeup &= - ~(1 << faked_port_index); xhci_test_and_clear_bit(xhci, port_array, faked_port_index, PORT_PLC); usb_wakeup_notification(hcd->self.root_hub, --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -288,6 +288,7 @@ struct xhci_op_regs { #define XDEV_U3 (0x3 << 5) #define XDEV_INACTIVE (0x6 << 5) #define XDEV_POLLING (0x7 << 5) +#define XDEV_RECOVERY (0x8 << 5) #define XDEV_COMP_MODE (0xa << 5) #define XDEV_RESUME (0xf << 5) /* true: port has power (see HCC_PPC) */
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds torvalds@linux-foundation.org
commit 8a23eb804ca4f2be909e372cf5a9e7b30ae476cd upstream.
This has been discussed several times, and now filesystem people are talking about doing it individually at the filesystem layer, so head that off at the pass and just do it in getdents{64}().
This is partially based on a patch by Jann Horn, but checks for NUL bytes as well, and somewhat simplified.
There's also commentary about how it might be better if invalid names due to filesystem corruption don't cause an immediate failure, but only an error at the end of the readdir(), so that people can still see the filenames that are ok.
There's also been discussion about just how much POSIX strictly speaking requires this since it's about filesystem corruption. It's really more "protect user space from bad behavior" as pointed out by Jann. But since Eric Biederman looked up the POSIX wording, here it is for context:
"From readdir:
The readdir() function shall return a pointer to a structure representing the directory entry at the current position in the directory stream specified by the argument dirp, and position the directory stream at the next entry. It shall return a null pointer upon reaching the end of the directory stream. The structure dirent defined in the <dirent.h> header describes a directory entry.
From definitions:
3.129 Directory Entry (or Link)
An object that associates a filename with a file. Several directory entries can associate names with the same file.
...
3.169 Filename
A name consisting of 1 to {NAME_MAX} bytes used to name a file. The characters composing the name may be selected from the set of all character values excluding the slash character and the null byte. The filenames dot and dot-dot have special meaning. A filename is sometimes referred to as a 'pathname component'."
Note that I didn't bother adding the checks to any legacy interfaces that nobody uses.
Also note that if this ends up being noticeable as a performance regression, we can fix that to do a much more optimized model that checks for both NUL and '/' at the same time one word at a time.
We haven't really tended to optimize 'memchr()', and it only checks for one pattern at a time anyway, and we really _should_ check for NUL too (but see the comment about "soft errors" in the code about why it currently only checks for '/')
See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name lookup code looks for pathname terminating characters in parallel.
Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/ Cc: Alexander Viro viro@zeniv.linux.org.uk Cc: Jann Horn jannh@google.com Cc: Eric W. Biederman ebiederm@xmission.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Cc: Siddharth Chandrasekaran csiddharth@vmware.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/readdir.c | 40 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+)
--- a/fs/readdir.c +++ b/fs/readdir.c @@ -51,6 +51,40 @@ out: EXPORT_SYMBOL(iterate_dir);
/* + * POSIX says that a dirent name cannot contain NULL or a '/'. + * + * It's not 100% clear what we should really do in this case. + * The filesystem is clearly corrupted, but returning a hard + * error means that you now don't see any of the other names + * either, so that isn't a perfect alternative. + * + * And if you return an error, what error do you use? Several + * filesystems seem to have decided on EUCLEAN being the error + * code for EFSCORRUPTED, and that may be the error to use. Or + * just EIO, which is perhaps more obvious to users. + * + * In order to see the other file names in the directory, the + * caller might want to make this a "soft" error: skip the + * entry, and return the error at the end instead. + * + * Note that this should likely do a "memchr(name, 0, len)" + * check too, since that would be filesystem corruption as + * well. However, that case can't actually confuse user space, + * which has to do a strlen() on the name anyway to find the + * filename length, and the above "soft error" worry means + * that it's probably better left alone until we have that + * issue clarified. + */ +static int verify_dirent_name(const char *name, int len) +{ + if (WARN_ON_ONCE(!len)) + return -EIO; + if (WARN_ON_ONCE(memchr(name, '/', len))) + return -EIO; + return 0; +} + +/* * Traditional linux readdir() handling.. * * "count=1" is a special case, meaning that the buffer is one @@ -157,6 +191,9 @@ static int filldir(void * __buf, const c int reclen = ALIGN(offsetof(struct linux_dirent, d_name) + namlen + 2, sizeof(long));
+ buf->error = verify_dirent_name(name, namlen); + if (unlikely(buf->error)) + return buf->error; buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL; @@ -240,6 +277,9 @@ static int filldir64(void * __buf, const int reclen = ALIGN(offsetof(struct linux_dirent64, d_name) + namlen + 1, sizeof(u64));
+ buf->error = verify_dirent_name(name, namlen); + if (unlikely(buf->error)) + return buf->error; buf->error = -EINVAL; /* only used if we fail.. */ if (reclen > buf->count) return -EINVAL;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Linus Torvalds torvalds@linux-foundation.org
commit b9959c7a347d6adbb558fba7e36e9fef3cba3b07 upstream.
This was always meant to be a temporary thing, just for testing and to see if it actually ever triggered.
The only thing that reported it was syzbot doing disk image fuzzing, and then that warning is expected. So let's just remove it before -rc4, because the extra sanity testing should probably go to -stable, but we don't want the warning to do so.
Reported-by: syzbot+3031f712c7ad5dd4d926@syzkaller.appspotmail.com Fixes: 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid") Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Cc: Siddharth Chandrasekaran csiddharth@vmware.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- fs/readdir.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/readdir.c +++ b/fs/readdir.c @@ -77,9 +77,9 @@ EXPORT_SYMBOL(iterate_dir); */ static int verify_dirent_name(const char *name, int len) { - if (WARN_ON_ONCE(!len)) + if (!len) return -EIO; - if (WARN_ON_ONCE(memchr(name, '/', len))) + if (memchr(name, '/', len)) return -EIO; return 0; }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
Based on commit 7bc04c5c2cc4 "ext4: fix use-after-free race with debug_want_extra_isize". We don't have that bug but this will make it easier to backport commit 4ea99936a163 "ext4: add more paranoia checking in ext4_expand_extra_isize handling".
Cc: Barret Rhoden brho@google.com Cc: Theodore Ts'o tytso@mit.edu Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3423,6 +3423,36 @@ int ext4_calculate_overhead(struct super return 0; }
+static void ext4_clamp_want_extra_isize(struct super_block *sb) +{ + struct ext4_sb_info *sbi = EXT4_SB(sb); + struct ext4_super_block *es = sbi->s_es; + + /* determine the minimum size of new large inodes, if present */ + if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { + sbi->s_want_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE; + if (EXT4_HAS_RO_COMPAT_FEATURE(sb, + EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) { + if (sbi->s_want_extra_isize < + le16_to_cpu(es->s_want_extra_isize)) + sbi->s_want_extra_isize = + le16_to_cpu(es->s_want_extra_isize); + if (sbi->s_want_extra_isize < + le16_to_cpu(es->s_min_extra_isize)) + sbi->s_want_extra_isize = + le16_to_cpu(es->s_min_extra_isize); + } + } + /* Check if enough inode space is available */ + if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > + sbi->s_inode_size) { + sbi->s_want_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE; + ext4_msg(sb, KERN_INFO, + "required extra inode space not available"); + } +}
static ext4_fsblk_t ext4_calculate_resv_clusters(struct super_block *sb) { @@ -4245,30 +4275,7 @@ no_journal: if (ext4_setup_super(sb, es, sb->s_flags & MS_RDONLY)) sb->s_flags |= MS_RDONLY;
- /* determine the minimum size of new large inodes, if present */ - if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { - sbi->s_want_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; - if (EXT4_HAS_RO_COMPAT_FEATURE(sb, - EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) { - if (sbi->s_want_extra_isize < - le16_to_cpu(es->s_want_extra_isize)) - sbi->s_want_extra_isize = - le16_to_cpu(es->s_want_extra_isize); - if (sbi->s_want_extra_isize < - le16_to_cpu(es->s_min_extra_isize)) - sbi->s_want_extra_isize = - le16_to_cpu(es->s_min_extra_isize); - } - } - /* Check if enough inode space is available */ - if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > - sbi->s_inode_size) { - sbi->s_want_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; - ext4_msg(sb, KERN_INFO, "required extra inode space not" - "available"); - } + ext4_clamp_want_extra_isize(sb);
err = ext4_reserve_clusters(sbi, ext4_calculate_resv_clusters(sb)); if (err) {
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Theodore Ts'o tytso@mit.edu
commit 4ea99936a1630f51fc3a2d61a58ec4a1c4b7d55a upstream.
It's possible to specify a non-zero s_want_extra_isize via debugging option, and this can cause bad things(tm) to happen when using a file system with an inode size of 128 bytes.
Add better checking when the file system is mounted, as well as when we are actually doing the trying to do the inode expansion.
Link: https://lore.kernel.org/r/20191110121510.GH23325@mit.edu Reported-by: syzbot+f8d6f8386ceacdbfff57@syzkaller.appspotmail.com Reported-by: syzbot+33d7ea72e47de3bdf4e1@syzkaller.appspotmail.com Reported-by: syzbot+44b6763edfc17144296f@syzkaller.appspotmail.com Signed-off-by: Theodore Ts'o tytso@mit.edu [bwh: Backported to 3.16: - Use EIO instead of EFSCORRUPTED - Adjust context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -5094,10 +5094,25 @@ static int ext4_expand_extra_isize(struc { struct ext4_inode *raw_inode; struct ext4_xattr_ibody_header *header; + unsigned int inode_size = EXT4_INODE_SIZE(inode->i_sb); + struct ext4_inode_info *ei = EXT4_I(inode);
if (EXT4_I(inode)->i_extra_isize >= new_extra_isize) return 0;
+ /* this was checked at iget time, but double check for good measure */ + if ((EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > inode_size) || + (ei->i_extra_isize & 3)) { + EXT4_ERROR_INODE(inode, "bad extra_isize %u (inode size %u)", + ei->i_extra_isize, + EXT4_INODE_SIZE(inode->i_sb)); + return -EIO; + } + if ((new_extra_isize < ei->i_extra_isize) || + (new_extra_isize < 4) || + (new_extra_isize > inode_size - EXT4_GOOD_OLD_INODE_SIZE)) + return -EINVAL; /* Should never happen */ + raw_inode = ext4_raw_inode(&iloc);
header = IHDR(inode, raw_inode); --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -3427,11 +3427,15 @@ static void ext4_clamp_want_extra_isize( { struct ext4_sb_info *sbi = EXT4_SB(sb); struct ext4_super_block *es = sbi->s_es; + unsigned def_extra_isize = sizeof(struct ext4_inode) - + EXT4_GOOD_OLD_INODE_SIZE;
- /* determine the minimum size of new large inodes, if present */ - if (sbi->s_inode_size > EXT4_GOOD_OLD_INODE_SIZE) { - sbi->s_want_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; + if (sbi->s_inode_size == EXT4_GOOD_OLD_INODE_SIZE) { + sbi->s_want_extra_isize = 0; + return; + } + if (sbi->s_want_extra_isize < 4) { + sbi->s_want_extra_isize = def_extra_isize; if (EXT4_HAS_RO_COMPAT_FEATURE(sb, EXT4_FEATURE_RO_COMPAT_EXTRA_ISIZE)) { if (sbi->s_want_extra_isize < @@ -3445,10 +3449,10 @@ static void ext4_clamp_want_extra_isize( } } /* Check if enough inode space is available */ - if (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > - sbi->s_inode_size) { - sbi->s_want_extra_isize = sizeof(struct ext4_inode) - - EXT4_GOOD_OLD_INODE_SIZE; + if ((sbi->s_want_extra_isize > sbi->s_inode_size) || + (EXT4_GOOD_OLD_INODE_SIZE + sbi->s_want_extra_isize > + sbi->s_inode_size)) { + sbi->s_want_extra_isize = def_extra_isize; ext4_msg(sb, KERN_INFO, "required extra inode space not available"); }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings ben@decadent.org.uk
This reverts commit eb29ee5a3873134917a760bf9c416da0a089a0be, which was commit 512ac999d2755d2b7109e996a76b6fb8b888631d upstream. This introduced a regression and doesn't seem to have been suitable for older stable branches. (It has been fixed differently upstream.)
Signed-off-by: Ben Hutchings ben@decadent.org.uk --- --- a/kernel/sched/fair.c +++ b/kernel/sched/fair.c @@ -3163,7 +3163,6 @@ void __refill_cfs_bandwidth_runtime(stru now = sched_clock_cpu(smp_processor_id()); cfs_b->runtime = cfs_b->quota; cfs_b->runtime_expires = now + ktime_to_ns(cfs_b->period); - cfs_b->expires_seq++; }
static inline struct cfs_bandwidth *tg_cfs_bandwidth(struct task_group *tg) @@ -3186,7 +3185,6 @@ static int assign_cfs_rq_runtime(struct struct task_group *tg = cfs_rq->tg; struct cfs_bandwidth *cfs_b = tg_cfs_bandwidth(tg); u64 amount = 0, min_amount, expires; - int expires_seq;
/* note: this is a positive sum as runtime_remaining <= 0 */ min_amount = sched_cfs_bandwidth_slice() - cfs_rq->runtime_remaining; @@ -3212,7 +3210,6 @@ static int assign_cfs_rq_runtime(struct cfs_b->idle = 0; } } - expires_seq = cfs_b->expires_seq; expires = cfs_b->runtime_expires; raw_spin_unlock(&cfs_b->lock);
@@ -3222,10 +3219,8 @@ static int assign_cfs_rq_runtime(struct * spread between our sched_clock and the one on which runtime was * issued. */ - if (cfs_rq->expires_seq != expires_seq) { - cfs_rq->expires_seq = expires_seq; + if ((s64)(expires - cfs_rq->runtime_expires) > 0) cfs_rq->runtime_expires = expires; - }
return cfs_rq->runtime_remaining > 0; } @@ -3251,9 +3246,12 @@ static void expire_cfs_rq_runtime(struct * has not truly expired. * * Fortunately we can check determine whether this the case by checking - * whether the global deadline(cfs_b->expires_seq) has advanced. + * whether the global deadline has advanced. It is valid to compare + * cfs_b->runtime_expires without any locks since we only care about + * exact equality, so a partial write will still work. */ - if (cfs_rq->expires_seq == cfs_b->expires_seq) { + + if (cfs_rq->runtime_expires != cfs_b->runtime_expires) { /* extend local deadline, drift is bounded above by 2 ticks */ cfs_rq->runtime_expires += TICK_NSEC; } else { --- a/kernel/sched/sched.h +++ b/kernel/sched/sched.h @@ -187,7 +187,6 @@ struct cfs_bandwidth { u64 quota, runtime; s64 hierarchal_quota; u64 runtime_expires; - int expires_seq;
int idle, timer_active; struct hrtimer period_timer, slack_timer; @@ -377,7 +376,6 @@ struct cfs_rq {
#ifdef CONFIG_CFS_BANDWIDTH int runtime_enabled; - int expires_seq; u64 runtime_expires; s64 runtime_remaining;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolong Huang butterflyhuangxx@gmail.com
commit da2311a6385c3b499da2ed5d9be59ce331fa93e9 upstream.
Uninitialized Kernel memory can leak to USB devices.
Fix this by using kzalloc() instead of kmalloc().
Signed-off-by: Xiaolong Huang butterflyhuangxx@gmail.com Fixes: 7259124eac7d ("can: kvaser_usb: Split driver into kvaser_usb_core.c and kvaser_usb_leaf.c") Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de [bwh: Backported to 3.16: adjust filename, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/can/usb/kvaser_usb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/net/can/usb/kvaser_usb.c +++ b/drivers/net/can/usb/kvaser_usb.c @@ -586,7 +586,7 @@ static int kvaser_usb_simple_msg_async(s return -ENOMEM; }
- buf = kmalloc(sizeof(struct kvaser_msg), GFP_ATOMIC); + buf = kzalloc(sizeof(struct kvaser_msg), GFP_ATOMIC); if (!buf) { usb_free_urb(urb); return -ENOMEM; @@ -1109,7 +1109,7 @@ static int kvaser_usb_set_opt_mode(const struct kvaser_msg *msg; int rc;
- msg = kmalloc(sizeof(*msg), GFP_KERNEL); + msg = kzalloc(sizeof(*msg), GFP_KERNEL); if (!msg) return -ENOMEM;
@@ -1240,7 +1240,7 @@ static int kvaser_usb_flush_queue(struct struct kvaser_msg *msg; int rc;
- msg = kmalloc(sizeof(*msg), GFP_KERNEL); + msg = kzalloc(sizeof(*msg), GFP_KERNEL); if (!msg) return -ENOMEM;
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: YueHaibing yuehaibing@huawei.com
commit dea37a97265588da604c6ba80160a287b72c7bfd upstream.
Syzkaller report this:
BUG: KASAN: use-after-free in sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 Read of size 8 at addr ffff8881f59a6b70 by task syz-executor.0/8363
CPU: 0 PID: 8363 Comm: syz-executor.0 Not tainted 5.0.0-rc8+ #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xfa/0x1ce lib/dump_stack.c:113 print_address_description+0x65/0x270 mm/kasan/report.c:187 kasan_report+0x149/0x18d mm/kasan/report.c:317 sysfs_remove_file_ns+0x5f/0x70 fs/sysfs/file.c:468 sysfs_remove_file include/linux/sysfs.h:519 [inline] driver_remove_file+0x40/0x50 drivers/base/driver.c:122 usb_remove_newid_files drivers/usb/core/driver.c:212 [inline] usb_deregister+0x12a/0x3b0 drivers/usb/core/driver.c:1005 cpia2_exit+0xa/0x16 [cpia2] __do_sys_delete_module kernel/module.c:1018 [inline] __se_sys_delete_module kernel/module.c:961 [inline] __x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x462e99 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f86f3754c58 EFLAGS: 00000246 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000300 RBP: 0000000000000002 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f86f37556bc R13: 00000000004bcca9 R14: 00000000006f6b48 R15: 00000000ffffffff
Allocated by task 8363: set_track mm/kasan/common.c:85 [inline] __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:495 kmalloc include/linux/slab.h:545 [inline] kzalloc include/linux/slab.h:740 [inline] bus_add_driver+0xc0/0x610 drivers/base/bus.c:651 driver_register+0x1bb/0x3f0 drivers/base/driver.c:170 usb_register_driver+0x267/0x520 drivers/usb/core/driver.c:965 0xffffffffc1b4817c do_one_initcall+0xfa/0x5ca init/main.c:887 do_init_module+0x204/0x5f6 kernel/module.c:3460 load_module+0x66b2/0x8570 kernel/module.c:3808 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 8363: set_track mm/kasan/common.c:85 [inline] __kasan_slab_free+0x130/0x180 mm/kasan/common.c:457 slab_free_hook mm/slub.c:1430 [inline] slab_free_freelist_hook mm/slub.c:1457 [inline] slab_free mm/slub.c:3005 [inline] kfree+0xe1/0x270 mm/slub.c:3957 kobject_cleanup lib/kobject.c:662 [inline] kobject_release lib/kobject.c:691 [inline] kref_put include/linux/kref.h:67 [inline] kobject_put+0x146/0x240 lib/kobject.c:708 bus_remove_driver+0x10e/0x220 drivers/base/bus.c:732 driver_unregister+0x6c/0xa0 drivers/base/driver.c:197 usb_register_driver+0x341/0x520 drivers/usb/core/driver.c:980 0xffffffffc1b4817c do_one_initcall+0xfa/0x5ca init/main.c:887 do_init_module+0x204/0x5f6 kernel/module.c:3460 load_module+0x66b2/0x8570 kernel/module.c:3808 __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902 do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8881f59a6b40 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 48 bytes inside of 256-byte region [ffff8881f59a6b40, ffff8881f59a6c40) The buggy address belongs to the page: page:ffffea0007d66980 count:1 mapcount:0 mapping:ffff8881f6c02e00 index:0x0 flags: 0x2fffc0000000200(slab) raw: 02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6c02e00 raw: 0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected
Memory state around the buggy address: ffff8881f59a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8881f59a6a80: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
ffff8881f59a6b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^ ffff8881f59a6b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8881f59a6c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
cpia2_init does not check return value of cpia2_init, if it failed in usb_register_driver, there is already cleanup using driver_unregister. No need call cpia2_usb_cleanup on module exit.
Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: YueHaibing yuehaibing@huawei.com Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab+samsung@kernel.org Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/media/usb/cpia2/cpia2_v4l.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/media/usb/cpia2/cpia2_v4l.c +++ b/drivers/media/usb/cpia2/cpia2_v4l.c @@ -1249,8 +1249,7 @@ static int __init cpia2_init(void) LOG("%s v%s\n", ABOUT, CPIA_VERSION); check_parameters(); - cpia2_usb_init(); - return 0; + return cpia2_usb_init(); }
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Amitkumar Karwar akarwar@marvell.com
commit 947d315257f9b25b0e24f5706f8184b3b00774d4 upstream.
If device has already received country information from EEPROM, we won't parse AP's country IE and download it to firmware. We will also set regulatory flags to disable beacon hints and ignore country IE.
Signed-off-by: Amitkumar Karwar akarwar@marvell.com Signed-off-by: Cathy Luo cluo@marvell.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: adjust filenames, context] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/mwifiex/cfg80211.c | 4 ++++ drivers/net/wireless/mwifiex/sta_ioctl.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/mwifiex/cfg80211.c +++ b/drivers/net/wireless/mwifiex/cfg80211.c @@ -2917,6 +2917,10 @@ int mwifiex_register_cfg80211(struct mwi wiphy->cipher_suites = mwifiex_cipher_suites; wiphy->n_cipher_suites = ARRAY_SIZE(mwifiex_cipher_suites);
+ if (adapter->region_code) + wiphy->regulatory_flags |= REGULATORY_DISABLE_BEACON_HINTS | + REGULATORY_COUNTRY_IE_IGNORE; + memcpy(wiphy->perm_addr, priv->curr_addr, ETH_ALEN); wiphy->signal_type = CFG80211_SIGNAL_TYPE_MBM; wiphy->flags |= WIPHY_FLAG_HAVE_AP_SME | --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -266,7 +266,8 @@ int mwifiex_bss_start(struct mwifiex_pri priv->scan_block = false;
if (bss) { - mwifiex_process_country_ie(priv, bss); + if (adapter->region_code == 0x00) + mwifiex_process_country_ie(priv, bss);
/* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Ganapathi Bhat gbhat@marvell.com
commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
mwifiex_process_country_ie() function parse elements of bss descriptor in beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper limit check for country_ie_len before calling memcpy. The destination buffer domain_info->triplet is an array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote attacker can build a fake AP with the same ssid as real AP, and send malicous beacon packet with long WLAN_EID_COUNTRY elemen (country_ie_len > 83). Attacker can force STA connect to fake AP on a different channel. When the victim STA connects to fake AP, will trigger the heap buffer overflow. Fix this by checking for length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen huangwenabc@gmail.com Signed-off-by: Ganapathi Bhat gbhat@marvell.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16: - Use wiphy_dbg() instead of mwifiex_dbg() - Adjust filename] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/net/wireless/mwifiex/sta_ioctl.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st "11D: skip setting domain info in FW\n"); return 0; } + + if (country_ie_len > + (IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) { + wiphy_dbg(priv->wdev->wiphy, + "11D: country_ie_len overflow!, deauth AP\n"); + return -EINVAL; + } + memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2]; @@ -266,8 +274,9 @@ int mwifiex_bss_start(struct mwifiex_pri priv->scan_block = false;
if (bss) { - if (adapter->region_code == 0x00) - mwifiex_process_country_ie(priv, bss); + if (adapter->region_code == 0x00 && + mwifiex_process_country_ie(priv, bss)) + return -EINVAL;
/* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
Hi Ben,
On Wed, Jan 08, 2020 at 07:44:00PM +0000, Ben Hutchings wrote:
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
From: Ganapathi Bhat gbhat@marvell.com
commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
mwifiex_process_country_ie() function parse elements of bss descriptor in beacon packet. When processing WLAN_EID_COUNTRY element, there is no upper limit check for country_ie_len before calling memcpy. The destination buffer domain_info->triplet is an array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote attacker can build a fake AP with the same ssid as real AP, and send malicous beacon packet with long WLAN_EID_COUNTRY elemen (country_ie_len > 83). Attacker can force STA connect to fake AP on a different channel. When the victim STA connects to fake AP, will trigger the heap buffer overflow. Fix this by checking for length and if found invalid, don not connect to the AP.
This fix addresses CVE-2019-14895.
Reported-by: huangwen huangwenabc@gmail.com Signed-off-by: Ganapathi Bhat gbhat@marvell.com Signed-off-by: Kalle Valo kvalo@codeaurora.org [bwh: Backported to 3.16:
- Use wiphy_dbg() instead of mwifiex_dbg()
- Adjust filename]
Signed-off-by: Ben Hutchings ben@decadent.org.uk
drivers/net/wireless/mwifiex/sta_ioctl.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -223,6 +223,14 @@ static int mwifiex_process_country_ie(st "11D: skip setting domain info in FW\n"); return 0; }
- if (country_ie_len >
(IEEE80211_COUNTRY_STRING_LEN + MWIFIEX_MAX_TRIPLET_802_11D)) {
wiphy_dbg(priv->wdev->wiphy,
"11D: country_ie_len overflow!, deauth AP\n");
return -EINVAL;
- }
- memcpy(priv->adapter->country_code, &country_ie[2], 2);
domain_info->country_code[0] = country_ie[2]; @@ -266,8 +274,9 @@ int mwifiex_bss_start(struct mwifiex_pri priv->scan_block = false; if (bss) {
if (adapter->region_code == 0x00)
mwifiex_process_country_ie(priv, bss);
if (adapter->region_code == 0x00 &&
mwifiex_process_country_ie(priv, bss))
return -EINVAL;
/* Allocate and fill new bss descriptor */ bss_desc = kzalloc(sizeof(struct mwifiex_bssdescriptor),
Brian Norris noted that this commit has unbalanced locking and submitted a followup as per:
https://lkml.kernel.org/linux-wireless/20200106224212.189763-1-briannorris@c... https://patchwork.kernel.org/patch/11320227/
Regards, Salvatore
On Thu, 2020-01-09 at 13:12 +0100, Salvatore Bonaccorso wrote:
Hi Ben,
On Wed, Jan 08, 2020 at 07:44:00PM +0000, Ben Hutchings wrote:
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
From: Ganapathi Bhat gbhat@marvell.com
commit 3d94a4a8373bf5f45cf5f939e88b8354dbf2311b upstream.
[...]
Brian Norris noted that this commit has unbalanced locking and submitted a followup as per:
https://lkml.kernel.org/linux-wireless/20200106224212.189763-1-briannorris@c... https://patchwork.kernel.org/patch/11320227/
Right, but is the new behaviour (possible wrong preemption count) actually worse than the old behaviour (possible heap buffer overflow)?
I think we are better off applying this now and adding that fix once it's upstream.
Ben.
3.16.81-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Jason Yan yanaijie@huawei.com
commit f70267f379b5e5e11bdc5d72a56bf17e5feed01f upstream.
The discovering of sas port is driven by workqueue in libsas. When libsas is processing port events or phy events in workqueue, new events may rise up and change the state of some structures such as asd_sas_phy. This may cause some problems such as follows:
==>thread 1 ==>thread 2
==>phy up ==>phy_up_v3_hw() ==>oob_mode = SATA_OOB_MODE; ==>phy down quickly ==>hisi_sas_phy_down() ==>sas_ha->notify_phy_event() ==>sas_phy_disconnected() ==>oob_mode = OOB_NOT_CONNECTED ==>workqueue wakeup ==>sas_form_port() ==>sas_discover_domain() ==>sas_get_port_device() ==>oob_mode is OOB_NOT_CONNECTED and device is wrongly taken as expander
This at last lead to the panic when libsas trying to issue a command to discover the device.
[183047.614035] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000058 [183047.622896] Mem abort info: [183047.625762] ESR = 0x96000004 [183047.628893] Exception class = DABT (current EL), IL = 32 bits [183047.634888] SET = 0, FnV = 0 [183047.638015] EA = 0, S1PTW = 0 [183047.641232] Data abort info: [183047.644189] ISV = 0, ISS = 0x00000004 [183047.648100] CM = 0, WnR = 0 [183047.651145] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000b7df67be [183047.657834] [0000000000000058] pgd=0000000000000000 [183047.662789] Internal error: Oops: 96000004 [#1] SMP [183047.667740] Process kworker/u16:2 (pid: 31291, stack limit = 0x00000000417c4974) [183047.675208] CPU: 0 PID: 3291 Comm: kworker/u16:2 Tainted: G W OE 4.19.36-vhulk1907.1.0.h410.eulerosv2r8.aarch64 #1 [183047.687015] Hardware name: N/A N/A/Kunpeng Desktop Board D920S10, BIOS 0.15 10/22/2019 [183047.695007] Workqueue: 0000:74:02.0_disco_q sas_discover_domain [183047.700999] pstate: 20c00009 (nzCv daif +PAN +UAO) [183047.705864] pc : prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] [183047.711510] lr : prep_ata_v3_hw+0xb0/0x230 [hisi_sas_v3_hw] [183047.717153] sp : ffff00000f28ba60 [183047.720541] x29: ffff00000f28ba60 x28: ffff8026852d7228 [183047.725925] x27: ffff8027dba3e0a8 x26: ffff8027c05fc200 [183047.731310] x25: 0000000000000000 x24: ffff8026bafa8dc0 [183047.736695] x23: ffff8027c05fc218 x22: ffff8026852d7228 [183047.742079] x21: ffff80007c2f2940 x20: ffff8027c05fc200 [183047.747464] x19: 0000000000f80800 x18: 0000000000000010 [183047.752848] x17: 0000000000000000 x16: 0000000000000000 [183047.758232] x15: ffff000089a5a4ff x14: 0000000000000005 [183047.763617] x13: ffff000009a5a50e x12: ffff8026bafa1e20 [183047.769001] x11: ffff0000087453b8 x10: ffff00000f28b870 [183047.774385] x9 : 0000000000000000 x8 : ffff80007e58f9b0 [183047.779770] x7 : 0000000000000000 x6 : 000000000000003f [183047.785154] x5 : 0000000000000040 x4 : ffffffffffffffe0 [183047.790538] x3 : 00000000000000f8 x2 : 0000000002000007 [183047.795922] x1 : 0000000000000008 x0 : 0000000000000000 [183047.801307] Call trace: [183047.803827] prep_ata_v3_hw+0xf8/0x230 [hisi_sas_v3_hw] [183047.809127] hisi_sas_task_prep+0x750/0x888 [hisi_sas_main] [183047.814773] hisi_sas_task_exec.isra.7+0x88/0x1f0 [hisi_sas_main] [183047.820939] hisi_sas_queue_command+0x28/0x38 [hisi_sas_main] [183047.826757] smp_execute_task_sg+0xec/0x218 [183047.831013] smp_execute_task+0x74/0xa0 [183047.834921] sas_discover_expander.part.7+0x9c/0x5f8 [183047.839959] sas_discover_root_expander+0x90/0x160 [183047.844822] sas_discover_domain+0x1b8/0x1e8 [183047.849164] process_one_work+0x1b4/0x3f8 [183047.853246] worker_thread+0x54/0x470 [183047.856981] kthread+0x134/0x138 [183047.860283] ret_from_fork+0x10/0x18 [183047.863931] Code: f9407a80 528000e2 39409281 72a04002 (b9405800) [183047.870097] kernel fault(0x1) notification starting on CPU 0 [183047.875828] kernel fault(0x1) notification finished on CPU 0 [183047.881559] Modules linked in: unibsp(OE) hns3(OE) hclge(OE) hnae3(OE) mem_drv(OE) hisi_sas_v3_hw(OE) hisi_sas_main(OE) [183047.892418] ---[ end trace 4cc26083fc11b783 ]--- [183047.897107] Kernel panic - not syncing: Fatal exception [183047.902403] kernel fault(0x5) notification starting on CPU 0 [183047.908134] kernel fault(0x5) notification finished on CPU 0 [183047.913865] SMP: stopping secondary CPUs [183047.917861] Kernel Offset: disabled [183047.921422] CPU features: 0x2,a2a00a38 [183047.925243] Memory Limit: none [183047.928372] kernel reboot(0x2) notification starting on CPU 0 [183047.934190] kernel reboot(0x2) notification finished on CPU 0 [183047.940008] ---[ end Kernel panic - not syncing: Fatal exception ]---
Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") Link: https://lore.kernel.org/r/20191206011118.46909-1-yanaijie@huawei.com Reported-by: Gao Chuan gaochuan4@huawei.com Reviewed-by: John Garry john.garry@huawei.com Signed-off-by: Jason Yan yanaijie@huawei.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Ben Hutchings ben@decadent.org.uk --- drivers/scsi/libsas/sas_discover.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-)
--- a/drivers/scsi/libsas/sas_discover.c +++ b/drivers/scsi/libsas/sas_discover.c @@ -97,12 +97,21 @@ static int sas_get_port_device(struct as else dev->dev_type = SAS_SATA_DEV; dev->tproto = SAS_PROTOCOL_SATA; - } else { + } else if (port->oob_mode == SAS_OOB_MODE) { struct sas_identify_frame *id = (struct sas_identify_frame *) dev->frame_rcvd; dev->dev_type = id->dev_type; dev->iproto = id->initiator_bits; dev->tproto = id->target_bits; + } else { + /* If the oob mode is OOB_NOT_CONNECTED, the port is + * disconnected due to race with PHY down. We cannot + * continue to discover this port + */ + sas_put_device(dev); + pr_warn("Port %016llx is disconnected when discovering\n", + SAS_ADDR(port->attached_sas_addr)); + return -ENODEV; }
sas_init_dev(dev);
On Wed, Jan 08, 2020 at 07:42:58PM +0000, Ben Hutchings wrote:
This is the start of the stable review cycle for the 3.16.81 release. There are 63 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Fri Jan 10 20:00:00 UTC 2020. Anything received after that time might be too late.
Build results: total: 136 pass: 136 fail: 0 Qemu test results: total: 227 pass: 227 fail: 0
Guenter
On Wed, 2020-01-08 at 14:52 -0800, Guenter Roeck wrote:
On Wed, Jan 08, 2020 at 07:42:58PM +0000, Ben Hutchings wrote:
This is the start of the stable review cycle for the 3.16.81 release. There are 63 patches in this series, which will be posted as responses to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Fri Jan 10 20:00:00 UTC 2020. Anything received after that time might be too late.
Build results: total: 136 pass: 136 fail: 0 Qemu test results: total: 227 pass: 227 fail: 0
Great, thanks for checking,
Ben.
linux-stable-mirror@lists.linaro.org