This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 4.19.135-rc1
Mark O'Donovan shiftee@posteo.net ath9k: Fix regression with Atheros 9271
Qiujun Huang hqjagain@gmail.com ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
Mikulas Patocka mpatocka@redhat.com dm integrity: fix integrity recalculation that is improperly skipped
Geert Uytterhoeven geert@linux-m68k.org ASoC: qcom: Drop HAS_DMA dependency to fix link failure
Hans de Goede hdegoede@redhat.com ASoC: rt5670: Add new gpio1_is_ext_spk_en quirk and enable it on the Lenovo Miix 2 10
Joerg Roedel jroedel@suse.de x86, vmlinux.lds: Page-align end of ..page_aligned sections
John David Anglin dave.anglin@bell.net parisc: Add atomic64_set_release() define to avoid CPU soft lockups
Qiu Wenbo qiuwenbo@phytium.com.cn drm/amd/powerplay: fix a crash when overclocking Vega M
Paweł Gronowski me@woland.xyz drm/amdgpu: Fix NULL dereference in dpm sysfs handlers
Michael J. Ruhl michael.j.ruhl@intel.com io-mapping: indicate mapping failure
Muchun Song songmuchun@bytedance.com mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
Hugh Dickins hughd@google.com mm/memcg: fix refcount error while moving and swapping
Fangrui Song maskray@google.com Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp vt: Reject zero-sized screen buffer size.
Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
Serge Semin Sergey.Semin@baikalelectronics.ru serial: 8250_mtk: Fix high-speed baud rates clamping
Yang Yingliang yangyingliang@huawei.com serial: 8250: fix null-ptr-deref in serial8250_start_tx()
Ian Abbott abbotti@mev.co.uk staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
Ian Abbott abbotti@mev.co.uk staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
Ian Abbott abbotti@mev.co.uk staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
Ian Abbott abbotti@mev.co.uk staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
Rustam Kovhaev rkovhaev@gmail.com staging: wlan-ng: properly check endpoint types
Steve French stfrench@microsoft.com Revert "cifs: Fix the target file was deleted when rename failed."
Forest Crossman cyrozap@gmail.com usb: xhci: Fix ASM2142/ASM3142 DMA addressing
Chunfeng Yun chunfeng.yun@mediatek.com usb: xhci-mtk: fix the failure of bandwidth allocation
Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp binder: Don't use mmput() from shrinker function.
Palmer Dabbelt palmerdabbelt@google.com RISC-V: Upgrade smp_mb__after_spinlock() to iorw,iorw
Arnd Bergmann arnd@arndb.de x86: math-emu: Fix up 'cmp' insn for clang ias
Will Deacon will@kernel.org arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
Cristian Marussi cristian.marussi@arm.com hwmon: (scmi) Fix potential buffer overflow in scmi_hwmon_probe()
Chu Lin linchuyuan@google.com hwmon: (adm1275) Make sure we are reading enough data for different chips
Evgeny Novikov novikov@ispras.ru usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
Derek Basehore dbasehore@chromium.org Input: elan_i2c - only increment wakeup count on touch
Ilya Katsnelson me@0upti.me Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
Leonid Ravich Leonid.Ravich@emc.com dmaengine: ioat setting ioat timeout as module parameter
Evgeny Novikov novikov@ispras.ru hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
Marc Kleine-Budde mkl@pengutronix.de regmap: dev_get_regmap_match(): fix string comparison
leilk.liu leilk.liu@mediatek.com spi: mediatek: use correct SPI_CFG2_REG MACRO
Merlijn Wajer merlijn@wizzup.org Input: add `SW_MACHINE_COVER`
Dinghao Liu dinghao.liu@zju.edu.cn dmaengine: tegra210-adma: Fix runtime PM imbalance on error
Hans de Goede hdegoede@redhat.com HID: apple: Disable Fn-key key-re-mapping on clone keyboards
Rodrigo Rivas Costa rodrigorivascosta@gmail.com HID: steam: fixes race in handling device list.
Caiyuan Xie caiyuan.xie@cn.alps.com HID: alps: support devices with report id 2
Federico Ricchiuto fed.ricchiuto@gmail.com HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
Stefano Garzarella sgarzare@redhat.com scripts/gdb: fix lx-symbols 'gdb.error' while loading modules
Pi-Hsun Shih pihsun@chromium.org scripts/decode_stacktrace: strip basepath from all paths
Matthew Howell matthew.howell@sealevel.com serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
Cong Wang xiyou.wangcong@gmail.com bonding: check return value of register_netdevice() in bond_newlink()
Wolfram Sang wsa+renesas@sang-engineering.com i2c: rcar: always clear ICSAR to avoid side effects
Wang Hai wanghai38@huawei.com net: ethernet: ave: Fix error returns in ave_init
guodeqing geffrey.guo@huawei.com ipvs: fix the connection sync failed in some cases
Alexander Lobakin alobakin@marvell.com qed: suppress "don't support RoCE & iWARP" flooding on HW init
Liu Jian liujian56@huawei.com mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
Taehee Yoo ap420073@gmail.com bonding: check error value of register_netdevice() immediately
Wang Hai wanghai38@huawei.com net: smc91x: Fix possible memory leak in smc_drv_probe()
Chen-Yu Tsai wens@csie.org drm: sun4i: hdmi: Fix inverted HPD result
Liu Jian liujian56@huawei.com ieee802154: fix one possible memleak in adf7242_probe
Sergey Organov sorganov@gmail.com net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual configuration
George Kennedy george.kennedy@oracle.com ax88172a: fix ax88172a_unbind() failures
Christophe JAILLET christophe.jaillet@wanadoo.fr hippi: Fix a size used in a 'pci_free_consistent()' in an error handling path
Matthew Gerlach matthew.gerlach@linux.intel.com fpga: dfl: fix bug in port reset handshake
Vasundhara Volam vasundhara-v.volam@broadcom.com bnxt_en: Fix race when modifying pause settings.
Robbie Ko robbieko@synology.com btrfs: fix page leaks after failure to lock page for delalloc
Boris Burkov boris@bur.io btrfs: fix mount failure caused by race with umount
Filipe Manana fdmanana@suse.com btrfs: fix double free on ulist after backref resolution failure
Hans de Goede hdegoede@redhat.com ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
Takashi Iwai tiwai@suse.de ALSA: info: Drop WARN_ON() from buffer NULL sanity check
Oleg Nesterov oleg@redhat.com uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix GDB regression
Yang Yingliang yangyingliang@huawei.com IB/umem: fix reference count leak in ib_umem_odp_get()
Jon Maloy jon.maloy@ericsson.com tipc: clean up skb list lock handling on send path
Vladimir Oltean olteanv@gmail.com spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
Olga Kornievskaia kolga@netapp.com SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO compeletion")
Thomas Gleixner tglx@linutronix.de irqdomain/treewide: Keep firmware node unconditionally allocated
Miklos Szeredi mszeredi@redhat.com fuse: fix weird page warning
Gavin Shan gshan@redhat.com drivers/firmware/psci: Fix memory leakage in alloc_init_cpu_groups()
Ben Skeggs bskeggs@redhat.com drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
Tom Rix trix@redhat.com net: sky2: initialize return of gm_phy_read
Xie He xie.he.0141@gmail.com drivers/net/wan/lapbether: Fixed the value of hard_header_len
Max Filippov jcmvbkbc@gmail.com xtensa: update *pos in cpuinfo_op.next
Max Filippov jcmvbkbc@gmail.com xtensa: fix __sync_fetch_and_{and,or}_4 declarations
Tom Rix trix@redhat.com scsi: scsi_transport_spi: Fix function pointer check
Markus Theil markus.theil@tu-ilmenau.de mac80211: allow rx of mesh eapol frames with default rx key
Jacky Hu hengqing.hu@gmail.com pinctrl: amd: fix npins for uart0 in kerncz_groups
Navid Emamdoost navid.emamdoost@gmail.com gpio: arizona: put pm_runtime in case of failure
Navid Emamdoost navid.emamdoost@gmail.com gpio: arizona: handle pm_runtime_get_sync failure case
Douglas Anderson dianders@chromium.org soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner
-------------
Diffstat:
Makefile | 6 +- arch/arm64/kernel/debug-monitors.c | 4 +- arch/parisc/include/asm/atomic.h | 2 + arch/riscv/include/asm/barrier.h | 10 ++- arch/x86/kernel/apic/io_apic.c | 10 +-- arch/x86/kernel/apic/msi.c | 18 ++++-- arch/x86/kernel/apic/vector.c | 1 - arch/x86/kernel/vmlinux.lds.S | 1 + arch/x86/math-emu/wm_sqrt.S | 2 +- arch/x86/platform/uv/uv_irq.c | 3 +- arch/xtensa/kernel/setup.c | 3 +- arch/xtensa/kernel/xtensa_ksyms.c | 4 +- drivers/android/binder_alloc.c | 2 +- drivers/base/regmap/regmap.c | 2 +- drivers/dma/ioat/dma.c | 12 ++++ drivers/dma/ioat/dma.h | 2 - drivers/dma/tegra210-adma.c | 5 +- drivers/firmware/psci_checker.c | 5 +- drivers/fpga/dfl-afu-main.c | 3 +- drivers/gpio/gpio-arizona.c | 7 ++- drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +-- .../gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 10 +-- drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c | 4 +- drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c | 4 +- drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c | 2 +- drivers/hid/hid-alps.c | 2 + drivers/hid/hid-apple.c | 18 ++++++ drivers/hid/hid-steam.c | 6 +- drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 +++ drivers/hwmon/aspeed-pwm-tacho.c | 2 + drivers/hwmon/pmbus/adm1275.c | 10 ++- drivers/hwmon/scmi-hwmon.c | 2 +- drivers/i2c/busses/i2c-rcar.c | 3 + drivers/infiniband/core/umem_odp.c | 3 +- drivers/input/mouse/elan_i2c_core.c | 7 ++- drivers/input/mouse/synaptics.c | 1 + drivers/iommu/amd_iommu.c | 5 +- drivers/iommu/intel_irq_remapping.c | 2 +- drivers/md/dm-integrity.c | 4 +- drivers/md/dm.c | 17 ++++++ drivers/net/bonding/bond_main.c | 10 ++- drivers/net/bonding/bond_netlink.c | 3 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 5 +- drivers/net/ethernet/marvell/sky2.c | 2 +- drivers/net/ethernet/mellanox/mlxsw/core.c | 3 +- drivers/net/ethernet/qlogic/qed/qed_cxt.c | 4 +- drivers/net/ethernet/smsc/smc91x.c | 4 +- drivers/net/ethernet/socionext/sni_ave.c | 2 +- drivers/net/hippi/rrunner.c | 2 +- drivers/net/ieee802154/adf7242.c | 4 +- drivers/net/phy/dp83640.c | 4 ++ drivers/net/usb/ax88172a.c | 1 + drivers/net/wan/lapbether.c | 9 ++- drivers/net/wireless/ath/ath9k/hif_usb.c | 52 ++++++++++++---- drivers/net/wireless/ath/ath9k/hif_usb.h | 5 ++ drivers/pci/controller/vmd.c | 5 +- drivers/pinctrl/pinctrl-amd.h | 2 +- drivers/scsi/scsi_transport_spi.c | 2 +- drivers/soc/qcom/rpmh.c | 8 +-- drivers/spi/spi-fsl-dspi.c | 4 +- drivers/spi/spi-mt65xx.c | 15 ++--- drivers/staging/comedi/drivers/addi_apci_1032.c | 20 ++++-- drivers/staging/comedi/drivers/addi_apci_1500.c | 24 ++++++-- drivers/staging/comedi/drivers/addi_apci_1564.c | 20 ++++-- drivers/staging/comedi/drivers/ni_6527.c | 2 +- drivers/staging/wlan-ng/prism2usb.c | 16 ++++- drivers/tty/serial/8250/8250_core.c | 2 +- drivers/tty/serial/8250/8250_exar.c | 12 +++- drivers/tty/serial/8250/8250_mtk.c | 18 ++++++ drivers/tty/vt/vt.c | 29 +++++---- drivers/usb/gadget/udc/gr_udc.c | 7 ++- drivers/usb/host/xhci-mtk-sch.c | 4 ++ drivers/usb/host/xhci-pci.c | 3 + drivers/video/fbdev/core/bitblit.c | 4 +- drivers/video/fbdev/core/fbcon_ccw.c | 4 +- drivers/video/fbdev/core/fbcon_cw.c | 4 +- drivers/video/fbdev/core/fbcon_ud.c | 4 +- fs/btrfs/backref.c | 1 + fs/btrfs/extent_io.c | 3 +- fs/btrfs/volumes.c | 8 +++ fs/cifs/inode.c | 10 +-- fs/fuse/dev.c | 3 +- fs/nfs/direct.c | 13 ++-- fs/nfs/file.c | 1 - include/asm-generic/vmlinux.lds.h | 5 +- include/linux/device-mapper.h | 1 + include/linux/io-mapping.h | 5 +- include/linux/mod_devicetable.h | 2 +- include/sound/rt5670.h | 1 + include/uapi/linux/input-event-codes.h | 3 +- kernel/events/uprobes.c | 2 +- mm/memcontrol.c | 4 +- mm/slab_common.c | 35 ++++++++--- net/mac80211/rx.c | 26 ++++++++ net/netfilter/ipvs/ip_vs_sync.c | 12 ++-- net/tipc/bcast.c | 8 +-- net/tipc/group.c | 4 +- net/tipc/link.c | 12 ++-- net/tipc/node.c | 7 ++- net/tipc/socket.c | 12 ++-- scripts/decode_stacktrace.sh | 4 +- scripts/gdb/linux/symbols.py | 2 +- sound/core/info.c | 4 +- sound/soc/codecs/rt5670.c | 71 +++++++++++++++++----- sound/soc/codecs/rt5670.h | 2 +- sound/soc/qcom/Kconfig | 2 +- 106 files changed, 578 insertions(+), 225 deletions(-)
From: Douglas Anderson dianders@chromium.org
commit 35bb4b22f606c0cc8eedf567313adc18161b1af4 upstream.
Adding an item into the cache should never be able to make the cache cleaner. Use "|=" rather than "=" to update the dirty flag.
Reviewed-by: Matthias Kaehlcke mka@chromium.org Reviewed-by: Maulik Shah mkshah@codeaurora.org Thanks, Maulik Reviewed-by: Bjorn Andersson bjorn.andersson@linaro.org Fixes: bb7000677a1b ("soc: qcom: rpmh: Update dirty flag only when data changes") Reported-by: Stephen Boyd swboyd@chromium.org Signed-off-by: Douglas Anderson dianders@chromium.org Link: https://lore.kernel.org/r/20200417141531.1.Ia4b74158497213eabad7c3d474c50bfc... Signed-off-by: Bjorn Andersson bjorn.andersson@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/soc/qcom/rpmh.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/soc/qcom/rpmh.c +++ b/drivers/soc/qcom/rpmh.c @@ -150,10 +150,10 @@ existing: break; }
- ctrlr->dirty = (req->sleep_val != old_sleep_val || - req->wake_val != old_wake_val) && - req->sleep_val != UINT_MAX && - req->wake_val != UINT_MAX; + ctrlr->dirty |= (req->sleep_val != old_sleep_val || + req->wake_val != old_wake_val) && + req->sleep_val != UINT_MAX && + req->wake_val != UINT_MAX;
unlock: spin_unlock_irqrestore(&ctrlr->cache_lock, flags);
From: Navid Emamdoost navid.emamdoost@gmail.com
[ Upstream commit e6f390a834b56583e6fc0949822644ce92fbb107 ]
Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count. Call pm_runtime_put if pm_runtime_get_sync fails.
Signed-off-by: Navid Emamdoost navid.emamdoost@gmail.com Acked-by: Charles Keepax ckeepax@opensource.cirrus.com Link: https://lore.kernel.org/r/20200605025207.65719-1-navid.emamdoost@gmail.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpio/gpio-arizona.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/gpio/gpio-arizona.c b/drivers/gpio/gpio-arizona.c index ba51ea15f3794..485aa45fc5d53 100644 --- a/drivers/gpio/gpio-arizona.c +++ b/drivers/gpio/gpio-arizona.c @@ -111,6 +111,7 @@ static int arizona_gpio_direction_out(struct gpio_chip *chip, ret = pm_runtime_get_sync(chip->parent); if (ret < 0) { dev_err(chip->parent, "Failed to resume: %d\n", ret); + pm_runtime_put(chip->parent); return ret; } }
From: Navid Emamdoost navid.emamdoost@gmail.com
[ Upstream commit 861254d826499944cb4d9b5a15f5a794a6b99a69 ]
Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count if pm_runtime_put is not called in error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails.
Signed-off-by: Navid Emamdoost navid.emamdoost@gmail.com Acked-by: Charles Keepax ckeepax@opensource.cirrus.com Link: https://lore.kernel.org/r/20200605030052.78235-1-navid.emamdoost@gmail.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpio/gpio-arizona.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/gpio/gpio-arizona.c b/drivers/gpio/gpio-arizona.c index 485aa45fc5d53..c6cf270035b56 100644 --- a/drivers/gpio/gpio-arizona.c +++ b/drivers/gpio/gpio-arizona.c @@ -69,6 +69,7 @@ static int arizona_gpio_get(struct gpio_chip *chip, unsigned offset) ret = pm_runtime_get_sync(chip->parent); if (ret < 0) { dev_err(chip->parent, "Failed to resume: %d\n", ret); + pm_runtime_put_autosuspend(chip->parent); return ret; }
@@ -77,12 +78,15 @@ static int arizona_gpio_get(struct gpio_chip *chip, unsigned offset) if (ret < 0) { dev_err(chip->parent, "Failed to drop cache: %d\n", ret); + pm_runtime_put_autosuspend(chip->parent); return ret; }
ret = regmap_read(arizona->regmap, reg, &val); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_autosuspend(chip->parent); return ret; + }
pm_runtime_mark_last_busy(chip->parent); pm_runtime_put_autosuspend(chip->parent);
From: Jacky Hu hengqing.hu@gmail.com
[ Upstream commit 69339d083dfb7786b0e0b3fc19eaddcf11fabdfb ]
uart0_pins is defined as: static const unsigned uart0_pins[] = {135, 136, 137, 138, 139};
which npins is wronly specified as 9 later { .name = "uart0", .pins = uart0_pins, .npins = 9, },
npins should be 5 instead of 9 according to the definition.
Signed-off-by: Jacky Hu hengqing.hu@gmail.com Link: https://lore.kernel.org/r/20200616015024.287683-1-hengqing.hu@gmail.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/pinctrl/pinctrl-amd.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/pinctrl/pinctrl-amd.h b/drivers/pinctrl/pinctrl-amd.h index 22af7edfdb38e..91da7527f0020 100644 --- a/drivers/pinctrl/pinctrl-amd.h +++ b/drivers/pinctrl/pinctrl-amd.h @@ -256,7 +256,7 @@ static const struct amd_pingroup kerncz_groups[] = { { .name = "uart0", .pins = uart0_pins, - .npins = 9, + .npins = 5, }, { .name = "uart1",
From: Markus Theil markus.theil@tu-ilmenau.de
[ Upstream commit 0b467b63870d9c05c81456aa9bfee894ab2db3b6 ]
Without this patch, eapol frames cannot be received in mesh mode, when 802.1X should be used. Initially only a MGTK is defined, which is found and set as rx->key, when there are no other keys set. ieee80211_drop_unencrypted would then drop these eapol frames, as they are data frames without encryption and there exists some rx->key.
Fix this by differentiating between mesh eapol frames and other data frames with existing rx->key. Allow mesh mesh eapol frames only if they are for our vif address.
With this patch in-place, ieee80211_rx_h_mesh_fwding continues after the ieee80211_drop_unencrypted check and notices, that these eapol frames have to be delivered locally, as they should.
Signed-off-by: Markus Theil markus.theil@tu-ilmenau.de Link: https://lore.kernel.org/r/20200625104214.50319-1-markus.theil@tu-ilmenau.de [small code cleanups] Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/rx.c | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index c17e148e06e71..5e56719f999c4 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -2230,6 +2230,7 @@ static int ieee80211_802_1x_port_control(struct ieee80211_rx_data *rx)
static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) { + struct ieee80211_hdr *hdr = (void *)rx->skb->data; struct sk_buff *skb = rx->skb; struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
@@ -2240,6 +2241,31 @@ static int ieee80211_drop_unencrypted(struct ieee80211_rx_data *rx, __le16 fc) if (status->flag & RX_FLAG_DECRYPTED) return 0;
+ /* check mesh EAPOL frames first */ + if (unlikely(rx->sta && ieee80211_vif_is_mesh(&rx->sdata->vif) && + ieee80211_is_data(fc))) { + struct ieee80211s_hdr *mesh_hdr; + u16 hdr_len = ieee80211_hdrlen(fc); + u16 ethertype_offset; + __be16 ethertype; + + if (!ether_addr_equal(hdr->addr1, rx->sdata->vif.addr)) + goto drop_check; + + /* make sure fixed part of mesh header is there, also checks skb len */ + if (!pskb_may_pull(rx->skb, hdr_len + 6)) + goto drop_check; + + mesh_hdr = (struct ieee80211s_hdr *)(skb->data + hdr_len); + ethertype_offset = hdr_len + ieee80211_get_mesh_hdrlen(mesh_hdr) + + sizeof(rfc1042_header); + + if (skb_copy_bits(rx->skb, ethertype_offset, ðertype, 2) == 0 && + ethertype == rx->sdata->control_port_protocol) + return 0; + } + +drop_check: /* Drop unencrypted frames if key is set. */ if (unlikely(!ieee80211_has_protected(fc) && !ieee80211_is_any_nullfunc(fc) &&
From: Tom Rix trix@redhat.com
[ Upstream commit 5aee52c44d9170591df65fafa1cd408acc1225ce ]
clang static analysis flags several null function pointer problems.
drivers/scsi/scsi_transport_spi.c:374:1: warning: Called function pointer is null (null dereference) [core.CallAndMessage] spi_transport_max_attr(offset, "%d\n"); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reviewing the store_spi_store_max macro
if (i->f->set_##field) return -EINVAL;
should be
if (!i->f->set_##field) return -EINVAL;
Link: https://lore.kernel.org/r/20200627133242.21618-1-trix@redhat.com Reviewed-by: James Bottomley jejb@linux.ibm.com Signed-off-by: Tom Rix trix@redhat.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/scsi/scsi_transport_spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c index 40b85b752b794..69213842e63e0 100644 --- a/drivers/scsi/scsi_transport_spi.c +++ b/drivers/scsi/scsi_transport_spi.c @@ -352,7 +352,7 @@ store_spi_transport_##field(struct device *dev, \ struct spi_transport_attrs *tp \ = (struct spi_transport_attrs *)&starget->starget_data; \ \ - if (i->f->set_##field) \ + if (!i->f->set_##field) \ return -EINVAL; \ val = simple_strtoul(buf, NULL, 0); \ if (val > tp->max_##field) \
From: Max Filippov jcmvbkbc@gmail.com
[ Upstream commit 73f9941306d5ce030f3ffc7db425c7b2a798cf8e ]
Building xtensa kernel with gcc-10 produces the following warnings: arch/xtensa/kernel/xtensa_ksyms.c:90:15: warning: conflicting types for built-in function ‘__sync_fetch_and_and_4’; expected ‘unsigned int(volatile void *, unsigned int)’ [-Wbuiltin-declaration-mismatch] arch/xtensa/kernel/xtensa_ksyms.c:96:15: warning: conflicting types for built-in function ‘__sync_fetch_and_or_4’; expected ‘unsigned int(volatile void *, unsigned int)’ [-Wbuiltin-declaration-mismatch]
Fix declarations of these functions to avoid the warning.
Signed-off-by: Max Filippov jcmvbkbc@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/xtensa/kernel/xtensa_ksyms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/xtensa/kernel/xtensa_ksyms.c b/arch/xtensa/kernel/xtensa_ksyms.c index 4092555828b13..24cf6972eacea 100644 --- a/arch/xtensa/kernel/xtensa_ksyms.c +++ b/arch/xtensa/kernel/xtensa_ksyms.c @@ -87,13 +87,13 @@ void __xtensa_libgcc_window_spill(void) } EXPORT_SYMBOL(__xtensa_libgcc_window_spill);
-unsigned long __sync_fetch_and_and_4(unsigned long *p, unsigned long v) +unsigned int __sync_fetch_and_and_4(volatile void *p, unsigned int v) { BUG(); } EXPORT_SYMBOL(__sync_fetch_and_and_4);
-unsigned long __sync_fetch_and_or_4(unsigned long *p, unsigned long v) +unsigned int __sync_fetch_and_or_4(volatile void *p, unsigned int v) { BUG(); }
From: Max Filippov jcmvbkbc@gmail.com
[ Upstream commit 0d5ab144429e8bd80889b856a44d56ab4a5cd59b ]
Increment *pos in the cpuinfo_op.next to fix the following warning triggered by cat /proc/cpuinfo:
seq_file: buggy .next function c_next did not update position index
Signed-off-by: Max Filippov jcmvbkbc@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/xtensa/kernel/setup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/xtensa/kernel/setup.c b/arch/xtensa/kernel/setup.c index 15580e4fc766a..6a0167ac803c6 100644 --- a/arch/xtensa/kernel/setup.c +++ b/arch/xtensa/kernel/setup.c @@ -720,7 +720,8 @@ c_start(struct seq_file *f, loff_t *pos) static void * c_next(struct seq_file *f, void *v, loff_t *pos) { - return NULL; + ++*pos; + return c_start(f, pos); }
static void
From: Xie He xie.he.0141@gmail.com
[ Upstream commit 9dc829a135fb5927f1519de11286e2bbb79f5b66 ]
When this driver transmits data, first this driver will remove a pseudo header of 1 byte, then the lapb module will prepend the LAPB header of 2 or 3 bytes, then this driver will prepend a length field of 2 bytes, then the underlying Ethernet device will prepend its own header.
So, the header length required should be: -1 + 3 + 2 + "the header length needed by the underlying device".
This patch fixes kernel panic when this driver is used with AF_PACKET SOCK_DGRAM sockets.
Signed-off-by: Xie He xie.he.0141@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wan/lapbether.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c index 0e3f8ed84660e..ac34257e9f203 100644 --- a/drivers/net/wan/lapbether.c +++ b/drivers/net/wan/lapbether.c @@ -308,7 +308,6 @@ static void lapbeth_setup(struct net_device *dev) dev->netdev_ops = &lapbeth_netdev_ops; dev->needs_free_netdev = true; dev->type = ARPHRD_X25; - dev->hard_header_len = 3; dev->mtu = 1000; dev->addr_len = 0; } @@ -329,6 +328,14 @@ static int lapbeth_new_device(struct net_device *dev) if (!ndev) goto out;
+ /* When transmitting data: + * first this driver removes a pseudo header of 1 byte, + * then the lapb module prepends an LAPB header of at most 3 bytes, + * then this driver prepends a length field of 2 bytes, + * then the underlying Ethernet device prepends its own header. + */ + ndev->hard_header_len = -1 + 3 + 2 + dev->hard_header_len; + lapbeth = netdev_priv(ndev); lapbeth->axdev = ndev;
From: Tom Rix trix@redhat.com
[ Upstream commit 28b18e4eb515af7c6661c3995c6e3c34412c2874 ]
clang static analysis flags this garbage return
drivers/net/ethernet/marvell/sky2.c:208:2: warning: Undefined or garbage value returned to caller [core.uninitialized.UndefReturn] return v; ^~~~~~~~
static inline u16 gm_phy_read( ... { u16 v; __gm_phy_read(hw, port, reg, &v); return v; }
__gm_phy_read can return without setting v.
So handle similar to skge.c's gm_phy_read, initialize v.
Signed-off-by: Tom Rix trix@redhat.com Reviewed-by: Andrew Lunn andrew@lunn.ch Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/marvell/sky2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/sky2.c b/drivers/net/ethernet/marvell/sky2.c index d013f30019b69..2452d8ba40730 100644 --- a/drivers/net/ethernet/marvell/sky2.c +++ b/drivers/net/ethernet/marvell/sky2.c @@ -215,7 +215,7 @@ io_error:
static inline u16 gm_phy_read(struct sky2_hw *hw, unsigned port, u16 reg) { - u16 v; + u16 v = 0; __gm_phy_read(hw, port, reg, &v); return v; }
From: Ben Skeggs bskeggs@redhat.com
[ Upstream commit 0156e76d388310a490aeb0f2fbb5b284ded3aecc ]
Tegra TRM says worst-case reply time is 1216us, and this should fix some spurious timeouts that have been popping up.
Signed-off-by: Ben Skeggs bskeggs@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c | 4 ++-- drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c index c8ab1b5741a3e..db7769cb33eba 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxg94.c @@ -118,10 +118,10 @@ g94_i2c_aux_xfer(struct nvkm_i2c_aux *obj, bool retry, if (retries) udelay(400);
- /* transaction request, wait up to 1ms for it to complete */ + /* transaction request, wait up to 2ms for it to complete */ nvkm_wr32(device, 0x00e4e4 + base, 0x00010000 | ctrl);
- timeout = 1000; + timeout = 2000; do { ctrl = nvkm_rd32(device, 0x00e4e4 + base); udelay(1); diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c index 7ef60895f43a7..edb6148cbca04 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/i2c/auxgm200.c @@ -118,10 +118,10 @@ gm200_i2c_aux_xfer(struct nvkm_i2c_aux *obj, bool retry, if (retries) udelay(400);
- /* transaction request, wait up to 1ms for it to complete */ + /* transaction request, wait up to 2ms for it to complete */ nvkm_wr32(device, 0x00d954 + base, 0x00010000 | ctrl);
- timeout = 1000; + timeout = 2000; do { ctrl = nvkm_rd32(device, 0x00d954 + base); udelay(1);
From: Gavin Shan gshan@redhat.com
[ Upstream commit c377e67c6271954969384f9be1b1b71de13eba30 ]
The CPU mask (@tmp) should be released on failing to allocate @cpu_groups or any of its elements. Otherwise, it leads to memory leakage because the CPU mask variable is dynamically allocated when CONFIG_CPUMASK_OFFSTACK is enabled.
Signed-off-by: Gavin Shan gshan@redhat.com Reviewed-by: Sudeep Holla sudeep.holla@arm.com Link: https://lore.kernel.org/r/20200630075227.199624-1-gshan@redhat.com Signed-off-by: Will Deacon will@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/firmware/psci_checker.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/firmware/psci_checker.c b/drivers/firmware/psci_checker.c index cbd53cb1b2d47..9f1a913933d53 100644 --- a/drivers/firmware/psci_checker.c +++ b/drivers/firmware/psci_checker.c @@ -164,8 +164,10 @@ static int alloc_init_cpu_groups(cpumask_var_t **pcpu_groups)
cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups), GFP_KERNEL); - if (!cpu_groups) + if (!cpu_groups) { + free_cpumask_var(tmp); return -ENOMEM; + }
cpumask_copy(tmp, cpu_online_mask);
@@ -174,6 +176,7 @@ static int alloc_init_cpu_groups(cpumask_var_t **pcpu_groups) topology_core_cpumask(cpumask_any(tmp));
if (!alloc_cpumask_var(&cpu_groups[num_groups], GFP_KERNEL)) { + free_cpumask_var(tmp); free_cpu_groups(num_groups, &cpu_groups); return -ENOMEM; }
From: Miklos Szeredi mszeredi@redhat.com
commit a5005c3cda6eeb6b95645e6cc32f58dafeffc976 upstream.
When PageWaiters was added, updating this check was missed.
Reported-by: Nikolaus Rath Nikolaus@rath.org Reported-by: Hugh Dickins hughd@google.com Fixes: 62906027091f ("mm: add PageWaiters indicating tasks are waiting for a page bit") Signed-off-by: Miklos Szeredi mszeredi@redhat.com Signed-off-by: André Almeida andrealmeid@collabora.com Signed-off-by: Sasha Levin sashal@kernel.org --- fs/fuse/dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 6d39143cfa094..01e6ea11822bf 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -838,7 +838,8 @@ static int fuse_check_page(struct page *page) 1 << PG_uptodate | 1 << PG_lru | 1 << PG_active | - 1 << PG_reclaim))) { + 1 << PG_reclaim | + 1 << PG_waiters))) { printk(KERN_WARNING "fuse: trying to steal weird page\n"); printk(KERN_WARNING " page=%p index=%li flags=%08lx, count=%i, mapcount=%i, mapping=%p\n", page, page->index, page->flags, page_count(page), page_mapcount(page), page->mapping); return 1;
From: Thomas Gleixner tglx@linutronix.de
[ Upstream commit e3beca48a45b5e0e6e6a4e0124276b8248dcc9bb ]
Quite some non OF/ACPI users of irqdomains allocate firmware nodes of type IRQCHIP_FWNODE_NAMED or IRQCHIP_FWNODE_NAMED_ID and free them right after creating the irqdomain. The only purpose of these FW nodes is to convey name information. When this was introduced the core code did not store the pointer to the node in the irqdomain. A recent change stored the firmware node pointer in irqdomain for other reasons and missed to notice that the usage sites which do the alloc_fwnode/create_domain/free_fwnode sequence are broken by this. Storing a dangling pointer is dangerous itself, but in case that the domain is destroyed later on this leads to a double free.
Remove the freeing of the firmware node after creating the irqdomain from all affected call sites to cure this.
Fixes: 711419e504eb ("irqdomain: Add the missing assignment of domain->fwnode for named fwnode") Reported-by: Andy Shevchenko andriy.shevchenko@linux.intel.com Signed-off-by: Thomas Gleixner tglx@linutronix.de Acked-by: Bjorn Helgaas bhelgaas@google.com Acked-by: Marc Zyngier maz@kernel.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/873661qakd.fsf@nanos.tec.linutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/x86/kernel/apic/io_apic.c | 10 +++++----- arch/x86/kernel/apic/msi.c | 18 ++++++++++++------ arch/x86/kernel/apic/vector.c | 1 - arch/x86/platform/uv/uv_irq.c | 3 ++- drivers/iommu/amd_iommu.c | 5 +++-- drivers/iommu/intel_irq_remapping.c | 2 +- drivers/pci/controller/vmd.c | 5 +++-- 7 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c index fa3b85b222e31..08e2f3a5f1242 100644 --- a/arch/x86/kernel/apic/io_apic.c +++ b/arch/x86/kernel/apic/io_apic.c @@ -2323,12 +2323,12 @@ static int mp_irqdomain_create(int ioapic) ip->irqdomain = irq_domain_create_linear(fn, hwirqs, cfg->ops, (void *)(long)ioapic);
- /* Release fw handle if it was allocated above */ - if (!cfg->dev) - irq_domain_free_fwnode(fn); - - if (!ip->irqdomain) + if (!ip->irqdomain) { + /* Release fw handle if it was allocated above */ + if (!cfg->dev) + irq_domain_free_fwnode(fn); return -ENOMEM; + }
ip->irqdomain->parent = parent;
diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c index 1f5df339e48ff..fb26c956c4421 100644 --- a/arch/x86/kernel/apic/msi.c +++ b/arch/x86/kernel/apic/msi.c @@ -265,12 +265,13 @@ void __init arch_init_msi_domain(struct irq_domain *parent) msi_default_domain = pci_msi_create_irq_domain(fn, &pci_msi_domain_info, parent); - irq_domain_free_fwnode(fn); } - if (!msi_default_domain) + if (!msi_default_domain) { + irq_domain_free_fwnode(fn); pr_warn("failed to initialize irqdomain for MSI/MSI-x.\n"); - else + } else { msi_default_domain->flags |= IRQ_DOMAIN_MSI_NOMASK_QUIRK; + } }
#ifdef CONFIG_IRQ_REMAP @@ -303,7 +304,8 @@ struct irq_domain *arch_create_remap_msi_irq_domain(struct irq_domain *parent, if (!fn) return NULL; d = pci_msi_create_irq_domain(fn, &pci_msi_ir_domain_info, parent); - irq_domain_free_fwnode(fn); + if (!d) + irq_domain_free_fwnode(fn); return d; } #endif @@ -366,7 +368,8 @@ static struct irq_domain *dmar_get_irq_domain(void) if (fn) { dmar_domain = msi_create_irq_domain(fn, &dmar_msi_domain_info, x86_vector_domain); - irq_domain_free_fwnode(fn); + if (!dmar_domain) + irq_domain_free_fwnode(fn); } out: mutex_unlock(&dmar_lock); @@ -491,7 +494,10 @@ struct irq_domain *hpet_create_irq_domain(int hpet_id) }
d = msi_create_irq_domain(fn, domain_info, parent); - irq_domain_free_fwnode(fn); + if (!d) { + irq_domain_free_fwnode(fn); + kfree(domain_info); + } return d; }
diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c index e41be2c25da81..99c28c02b7a54 100644 --- a/arch/x86/kernel/apic/vector.c +++ b/arch/x86/kernel/apic/vector.c @@ -703,7 +703,6 @@ int __init arch_early_irq_init(void) x86_vector_domain = irq_domain_create_tree(fn, &x86_vector_domain_ops, NULL); BUG_ON(x86_vector_domain == NULL); - irq_domain_free_fwnode(fn); irq_set_default_host(x86_vector_domain);
arch_init_msi_domain(x86_vector_domain); diff --git a/arch/x86/platform/uv/uv_irq.c b/arch/x86/platform/uv/uv_irq.c index fc13cbbb2dce2..abb6075397f05 100644 --- a/arch/x86/platform/uv/uv_irq.c +++ b/arch/x86/platform/uv/uv_irq.c @@ -167,9 +167,10 @@ static struct irq_domain *uv_get_irq_domain(void) goto out;
uv_domain = irq_domain_create_tree(fn, &uv_domain_ops, NULL); - irq_domain_free_fwnode(fn); if (uv_domain) uv_domain->parent = x86_vector_domain; + else + irq_domain_free_fwnode(fn); out: mutex_unlock(&uv_lock);
diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c index 0783f44e9afe5..d0cbe910ee9db 100644 --- a/drivers/iommu/amd_iommu.c +++ b/drivers/iommu/amd_iommu.c @@ -4508,9 +4508,10 @@ int amd_iommu_create_irq_domain(struct amd_iommu *iommu) if (!fn) return -ENOMEM; iommu->ir_domain = irq_domain_create_tree(fn, &amd_ir_domain_ops, iommu); - irq_domain_free_fwnode(fn); - if (!iommu->ir_domain) + if (!iommu->ir_domain) { + irq_domain_free_fwnode(fn); return -ENOMEM; + }
iommu->ir_domain->parent = arch_get_ir_parent_domain(); iommu->msi_domain = arch_create_remap_msi_irq_domain(iommu->ir_domain, diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c index 967450bd421a1..852e2841395b4 100644 --- a/drivers/iommu/intel_irq_remapping.c +++ b/drivers/iommu/intel_irq_remapping.c @@ -536,8 +536,8 @@ static int intel_setup_irq_remapping(struct intel_iommu *iommu) 0, INTR_REMAP_TABLE_ENTRIES, fn, &intel_ir_domain_ops, iommu); - irq_domain_free_fwnode(fn); if (!iommu->ir_domain) { + irq_domain_free_fwnode(fn); pr_err("IR%d: failed to allocate irqdomain\n", iommu->seq_id); goto out_free_bitmap; } diff --git a/drivers/pci/controller/vmd.c b/drivers/pci/controller/vmd.c index c3ac7f094a394..ad39b404f10a4 100644 --- a/drivers/pci/controller/vmd.c +++ b/drivers/pci/controller/vmd.c @@ -704,9 +704,10 @@ static int vmd_enable_domain(struct vmd_dev *vmd, unsigned long features)
vmd->irq_domain = pci_msi_create_irq_domain(fn, &vmd_msi_domain_info, x86_vector_domain); - irq_domain_free_fwnode(fn); - if (!vmd->irq_domain) + if (!vmd->irq_domain) { + irq_domain_free_fwnode(fn); return -ENODEV; + }
pci_add_resource(&resources, &vmd->resources[0]); pci_add_resource_offset(&resources, &vmd->resources[1], offset[0]);
From: Olga Kornievskaia kolga@netapp.com
commit 65caafd0d2145d1dd02072c4ced540624daeab40 upstream.
Reverting commit d03727b248d0 "NFSv4 fix CLOSE not waiting for direct IO compeletion". This patch made it so that fput() by calling inode_dio_done() in nfs_file_release() would wait uninterruptably for any outstanding directIO to the file (but that wait on IO should be killable).
The problem the patch was also trying to address was REMOVE returning ERR_ACCESS because the file is still opened, is supposed to be resolved by server returning ERR_FILE_OPEN and not ERR_ACCESS.
Signed-off-by: Olga Kornievskaia kolga@netapp.com Signed-off-by: Anna Schumaker Anna.Schumaker@Netapp.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/nfs/direct.c | 13 ++++--------- fs/nfs/file.c | 1 - 2 files changed, 4 insertions(+), 10 deletions(-)
--- a/fs/nfs/direct.c +++ b/fs/nfs/direct.c @@ -396,6 +396,8 @@ static void nfs_direct_complete(struct n { struct inode *inode = dreq->inode;
+ inode_dio_end(inode); + if (dreq->iocb) { long res = (long) dreq->error; if (dreq->count != 0) { @@ -407,10 +409,7 @@ static void nfs_direct_complete(struct n
complete(&dreq->completion);
- igrab(inode); nfs_direct_req_release(dreq); - inode_dio_end(inode); - iput(inode); }
static void nfs_direct_read_completion(struct nfs_pgio_header *hdr) @@ -540,10 +539,8 @@ static ssize_t nfs_direct_read_schedule_ * generic layer handle the completion. */ if (requested_bytes == 0) { - igrab(inode); - nfs_direct_req_release(dreq); inode_dio_end(inode); - iput(inode); + nfs_direct_req_release(dreq); return result < 0 ? result : -EIO; }
@@ -960,10 +957,8 @@ static ssize_t nfs_direct_write_schedule * generic layer handle the completion. */ if (requested_bytes == 0) { - igrab(inode); - nfs_direct_req_release(dreq); inode_dio_end(inode); - iput(inode); + nfs_direct_req_release(dreq); return result < 0 ? result : -EIO; }
--- a/fs/nfs/file.c +++ b/fs/nfs/file.c @@ -82,7 +82,6 @@ nfs_file_release(struct inode *inode, st dprintk("NFS: release(%pD2)\n", filp);
nfs_inc_stats(inode, NFSIOS_VFSRELEASE); - inode_dio_wait(inode); nfs_file_clear_open_context(filp); return 0; }
From: Vladimir Oltean olteanv@gmail.com
commit d41f36a6464a85c06ad920703d878e4491d2c023 upstream.
The DSPI interrupt can be shared between two controllers at least on the LX2160A. In that case, the driver for one controller might misbehave and consume the other's interrupt. Fix this by actually checking if any of the bits in the status register have been asserted.
Fixes: 13aed2392741 ("spi: spi-fsl-dspi: use IRQF_SHARED mode to request IRQ") Signed-off-by: Vladimir Oltean olteanv@gmail.com Link: https://lore.kernel.org/r/20190822212450.21420-2-olteanv@gmail.com Signed-off-by: Mark Brown broonie@kernel.org Cc: stable@vger.kernel.org Cc: Guenter Roeck linux@roeck-us.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/spi/spi-fsl-dspi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-dspi.c +++ b/drivers/spi/spi-fsl-dspi.c @@ -878,9 +878,11 @@ static irqreturn_t dspi_interrupt(int ir trans_mode); } } + + return IRQ_HANDLED; }
- return IRQ_HANDLED; + return IRQ_NONE; }
static const struct of_device_id fsl_dspi_dt_ids[] = {
From: Jon Maloy jon.maloy@ericsson.com
commit e654f9f53b45fde3fcc8051830b212c7a8f36148 upstream.
The policy for handling the skb list locks on the send and receive paths is simple.
- On the send path we never need to grab the lock on the 'xmitq' list when the destination is an exernal node.
- On the receive path we always need to grab the lock on the 'inputq' list, irrespective of source node.
However, when transmitting node local messages those will eventually end up on the receive path of a local socket, meaning that the argument 'xmitq' in tipc_node_xmit() will become the 'ínputq' argument in the function tipc_sk_rcv(). This has been handled by always initializing the spinlock of the 'xmitq' list at message creation, just in case it may end up on the receive path later, and despite knowing that the lock in most cases never will be used.
This approach is inaccurate and confusing, and has also concealed the fact that the stated 'no lock grabbing' policy for the send path is violated in some cases.
We now clean up this by never initializing the lock at message creation, instead doing this at the moment we find that the message actually will enter the receive path. At the same time we fix the four locations where we incorrectly access the spinlock on the send/error path.
This patch also reverts commit d12cffe9329f ("tipc: ensure head->lock is initialised") which has now become redundant.
CC: Eric Dumazet edumazet@google.com Reported-by: Chris Packham chris.packham@alliedtelesis.co.nz Acked-by: Ying Xue ying.xue@windriver.com Signed-off-by: Jon Maloy jon.maloy@ericsson.com Reviewed-by: Xin Long lucien.xin@gmail.com Signed-off-by: David S. Miller davem@davemloft.net [acj: backport v4.19 -stable - adjust context - skipped the hunk modifying non-existent function tipc_mcast_send_sync - additional comment ] Signed-off-by: Aviraj CJ acj@cisco.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/tipc/bcast.c | 8 ++++---- net/tipc/group.c | 4 ++-- net/tipc/link.c | 12 ++++++------ net/tipc/node.c | 7 ++++--- net/tipc/socket.c | 12 ++++++------ 5 files changed, 22 insertions(+), 21 deletions(-)
--- a/net/tipc/bcast.c +++ b/net/tipc/bcast.c @@ -181,7 +181,7 @@ static void tipc_bcbase_xmit(struct net }
/* We have to transmit across all bearers */ - skb_queue_head_init(&_xmitq); + __skb_queue_head_init(&_xmitq); for (bearer_id = 0; bearer_id < MAX_BEARERS; bearer_id++) { if (!bb->dests[bearer_id]) continue; @@ -237,7 +237,7 @@ static int tipc_bcast_xmit(struct net *n struct sk_buff_head xmitq; int rc = 0;
- skb_queue_head_init(&xmitq); + __skb_queue_head_init(&xmitq); tipc_bcast_lock(net); if (tipc_link_bc_peers(l)) rc = tipc_link_xmit(l, pkts, &xmitq); @@ -267,7 +267,7 @@ static int tipc_rcast_xmit(struct net *n u32 dnode, selector;
selector = msg_link_selector(buf_msg(skb_peek(pkts))); - skb_queue_head_init(&_pkts); + __skb_queue_head_init(&_pkts);
list_for_each_entry_safe(dst, tmp, &dests->list, list) { dnode = dst->node; @@ -299,7 +299,7 @@ int tipc_mcast_xmit(struct net *net, str int rc = 0;
skb_queue_head_init(&inputq); - skb_queue_head_init(&localq); + __skb_queue_head_init(&localq);
/* Clone packets before they are consumed by next call */ if (dests->local && !tipc_msg_reassemble(pkts, &localq)) { --- a/net/tipc/group.c +++ b/net/tipc/group.c @@ -199,7 +199,7 @@ void tipc_group_join(struct net *net, st struct tipc_member *m, *tmp; struct sk_buff_head xmitq;
- skb_queue_head_init(&xmitq); + __skb_queue_head_init(&xmitq); rbtree_postorder_for_each_entry_safe(m, tmp, tree, tree_node) { tipc_group_proto_xmit(grp, m, GRP_JOIN_MSG, &xmitq); tipc_group_update_member(m, 0); @@ -435,7 +435,7 @@ bool tipc_group_cong(struct tipc_group * return true; if (state == MBR_PENDING && adv == ADV_IDLE) return true; - skb_queue_head_init(&xmitq); + __skb_queue_head_init(&xmitq); tipc_group_proto_xmit(grp, m, GRP_ADV_MSG, &xmitq); tipc_node_distr_xmit(grp->net, &xmitq); return true; --- a/net/tipc/link.c +++ b/net/tipc/link.c @@ -928,7 +928,7 @@ int tipc_link_xmit(struct tipc_link *l, int rc = 0;
if (unlikely(msg_size(hdr) > mtu)) { - skb_queue_purge(list); + __skb_queue_purge(list); return -EMSGSIZE; }
@@ -957,7 +957,7 @@ int tipc_link_xmit(struct tipc_link *l, if (likely(skb_queue_len(transmq) < maxwin)) { _skb = skb_clone(skb, GFP_ATOMIC); if (!_skb) { - skb_queue_purge(list); + __skb_queue_purge(list); return -ENOBUFS; } __skb_dequeue(list); @@ -1429,7 +1429,7 @@ void tipc_link_create_dummy_tnl_msg(stru struct sk_buff *skb; u32 dnode = l->addr;
- skb_queue_head_init(&tnlq); + __skb_queue_head_init(&tnlq); skb = tipc_msg_create(TUNNEL_PROTOCOL, FAILOVER_MSG, INT_H_SIZE, BASIC_H_SIZE, dnode, onode, 0, 0, 0); @@ -1465,8 +1465,8 @@ void tipc_link_tnl_prepare(struct tipc_l if (!tnl) return;
- skb_queue_head_init(&tnlq); - skb_queue_head_init(&tmpxq); + __skb_queue_head_init(&tnlq); + __skb_queue_head_init(&tmpxq);
/* At least one packet required for safe algorithm => add dummy */ skb = tipc_msg_create(TIPC_LOW_IMPORTANCE, TIPC_DIRECT_MSG, @@ -1476,7 +1476,7 @@ void tipc_link_tnl_prepare(struct tipc_l pr_warn("%sunable to create tunnel packet\n", link_co_err); return; } - skb_queue_tail(&tnlq, skb); + __skb_queue_tail(&tnlq, skb); tipc_link_xmit(l, &tnlq, &tmpxq); __skb_queue_purge(&tmpxq);
--- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -1368,13 +1368,14 @@ int tipc_node_xmit(struct net *net, stru int rc;
if (in_own_node(net, dnode)) { + spin_lock_init(&list->lock); tipc_sk_rcv(net, list); return 0; }
n = tipc_node_find(net, dnode); if (unlikely(!n)) { - skb_queue_purge(list); + __skb_queue_purge(list); return -EHOSTUNREACH; }
@@ -1383,7 +1384,7 @@ int tipc_node_xmit(struct net *net, stru if (unlikely(bearer_id == INVALID_BEARER_ID)) { tipc_node_read_unlock(n); tipc_node_put(n); - skb_queue_purge(list); + __skb_queue_purge(list); return -EHOSTUNREACH; }
@@ -1415,7 +1416,7 @@ int tipc_node_xmit_skb(struct net *net, { struct sk_buff_head head;
- skb_queue_head_init(&head); + __skb_queue_head_init(&head); __skb_queue_tail(&head, skb); tipc_node_xmit(net, &head, dnode, selector); return 0; --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -800,7 +800,7 @@ static int tipc_sendmcast(struct socket msg_set_nameupper(hdr, seq->upper);
/* Build message as chain of buffers */ - skb_queue_head_init(&pkts); + __skb_queue_head_init(&pkts); rc = tipc_msg_build(hdr, msg, 0, dlen, mtu, &pkts);
/* Send message if build was successful */ @@ -841,7 +841,7 @@ static int tipc_send_group_msg(struct ne msg_set_grp_bc_seqno(hdr, bc_snd_nxt);
/* Build message as chain of buffers */ - skb_queue_head_init(&pkts); + __skb_queue_head_init(&pkts); mtu = tipc_node_get_mtu(net, dnode, tsk->portid); rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); if (unlikely(rc != dlen)) @@ -1046,7 +1046,7 @@ static int tipc_send_group_bcast(struct msg_set_grp_bc_ack_req(hdr, ack);
/* Build message as chain of buffers */ - skb_queue_head_init(&pkts); + __skb_queue_head_init(&pkts); rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); if (unlikely(rc != dlen)) return rc; @@ -1372,7 +1372,7 @@ static int __tipc_sendmsg(struct socket if (unlikely(rc)) return rc;
- skb_queue_head_init(&pkts); + __skb_queue_head_init(&pkts); mtu = tipc_node_get_mtu(net, dnode, tsk->portid); rc = tipc_msg_build(hdr, m, 0, dlen, mtu, &pkts); if (unlikely(rc != dlen)) @@ -1427,7 +1427,7 @@ static int __tipc_sendstream(struct sock int send, sent = 0; int rc = 0;
- skb_queue_head_init(&pkts); + __skb_queue_head_init(&pkts);
if (unlikely(dlen > INT_MAX)) return -EMSGSIZE; @@ -1782,7 +1782,7 @@ static int tipc_recvmsg(struct socket *s
/* Send group flow control advertisement when applicable */ if (tsk->group && msg_in_group(hdr) && !grp_evt) { - skb_queue_head_init(&xmitq); + __skb_queue_head_init(&xmitq); tipc_group_update_rcv_win(tsk->group, tsk_blocks(hlen + dlen), msg_orignode(hdr), msg_origport(hdr), &xmitq);
From: Yang Yingliang yangyingliang@huawei.com
Add missing mmput() on error path to avoid ref-count leak.
This problem is introduced by 79bb5b7ee177 ("RDMA/umem: Fix missing mmap_sem in get umem ODP call") and resolved by f27a0d50a4bc ("RDMA/umem: Use umem->owning_mm inside ODP"). So, it's only needed in stable-4.14 and stable-4.19.
Fixes: 79bb5b7ee177 ("RDMA/umem: Fix missing mmap_sem in get umem ODP call") Signed-off-by: Yang Yingliang yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/infiniband/core/umem_odp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/core/umem_odp.c +++ b/drivers/infiniband/core/umem_odp.c @@ -356,7 +356,8 @@ int ib_umem_odp_get(struct ib_ucontext * vma = find_vma(mm, ib_umem_start(umem)); if (!vma || !is_vm_hugetlb_page(vma)) { up_read(&mm->mmap_sem); - return -EINVAL; + ret_val = -EINVAL; + goto out_mm; } h = hstate_vma(vma); umem->page_shift = huge_page_shift(h);
From: Oleg Nesterov oleg@redhat.com
commit fe5ed7ab99c656bd2f5b79b49df0e9ebf2cead8a upstream.
If a tracee is uprobed and it hits int3 inserted by debugger, handle_swbp() does send_sig(SIGTRAP, current, 0) which means si_code == SI_USER. This used to work when this code was written, but then GDB started to validate si_code and now it simply can't use breakpoints if the tracee has an active uprobe:
# cat test.c void unused_func(void) { } int main(void) { return 0; }
# gcc -g test.c -o test # perf probe -x ./test -a unused_func # perf record -e probe_test:unused_func gdb ./test -ex run GNU gdb (GDB) 10.0.50.20200714-git ... Program received signal SIGTRAP, Trace/breakpoint trap. 0x00007ffff7ddf909 in dl_main () from /lib64/ld-linux-x86-64.so.2 (gdb)
The tracee hits the internal breakpoint inserted by GDB to monitor shared library events but GDB misinterprets this SIGTRAP and reports a signal.
Change handle_swbp() to use force_sig(SIGTRAP), this matches do_int3_user() and fixes the problem.
This is the minimal fix for -stable, arch/x86/kernel/uprobes.c is equally wrong; it should use send_sigtrap(TRAP_TRACE) instead of send_sig(SIGTRAP), but this doesn't confuse GDB and needs another x86-specific patch.
Reported-by: Aaron Merey amerey@redhat.com Signed-off-by: Oleg Nesterov oleg@redhat.com Signed-off-by: Ingo Molnar mingo@kernel.org Reviewed-by: Srikar Dronamraju srikar@linux.vnet.ibm.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200723154420.GA32043@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- kernel/events/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/events/uprobes.c +++ b/kernel/events/uprobes.c @@ -1897,7 +1897,7 @@ static void handle_swbp(struct pt_regs * if (!uprobe) { if (is_swbp > 0) { /* No matching uprobe; signal SIGTRAP. */ - send_sig(SIGTRAP, current, 0); + force_sig(SIGTRAP, current); } else { /* * Either we raced with uprobe_unregister() or we can't
From: Takashi Iwai tiwai@suse.de
commit 60379ba08532eca861e933b389526a4dc89e0c42 upstream.
snd_info_get_line() has a sanity check of NULL buffer -- both buffer itself being NULL and buffer->buffer being NULL. Basically both checks are valid and necessary, but the problem is that it's with snd_BUG_ON() macro that triggers WARN_ON(). The latter condition (NULL buffer->buffer) can be met arbitrarily by user since the buffer is allocated at the first write, so it means that user can trigger WARN_ON() at will.
This patch addresses it by simply moving buffer->buffer NULL check out of snd_BUG_ON() so that spurious WARNING is no longer triggered.
Reported-by: syzbot+e42d0746c3c3699b6061@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200717084023.5928-1-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/core/info.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/sound/core/info.c +++ b/sound/core/info.c @@ -634,7 +634,9 @@ int snd_info_get_line(struct snd_info_bu { int c = -1;
- if (snd_BUG_ON(!buffer || !buffer->buffer)) + if (snd_BUG_ON(!buffer)) + return 1; + if (!buffer->buffer) return 1; if (len <= 0 || buffer->stop || buffer->error) return 1;
From: Hans de Goede hdegoede@redhat.com
commit 5cacc6f5764e94fa753b2c1f5f7f1f3f74286e82 upstream.
The RT5670_PWR_ANLG1 register has 3 bits to select the LDO voltage, so the correct mask is 0x7 not 0x3.
Because of this wrong mask we were programming the ldo bits to a setting of binary 001 (0x05 & 0x03) instead of binary 101 when moving to SND_SOC_BIAS_PREPARE.
According to the datasheet 001 is a reserved value, so no idea what it did, since the driver was working fine before I guess we got lucky and it does something which is ok.
Fixes: 5e8351de740d ("ASoC: add RT5670 CODEC driver") Signed-off-by: Hans de Goede hdegoede@redhat.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200628155231.71089-3-hdegoede@redhat.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/soc/codecs/rt5670.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/rt5670.h +++ b/sound/soc/codecs/rt5670.h @@ -760,7 +760,7 @@ #define RT5670_PWR_VREF2_BIT 4 #define RT5670_PWR_FV2 (0x1 << 3) #define RT5670_PWR_FV2_BIT 3 -#define RT5670_LDO_SEL_MASK (0x3) +#define RT5670_LDO_SEL_MASK (0x7) #define RT5670_LDO_SEL_SFT 0
/* Power Management for Analog 2 (0x64) */
From: Filipe Manana fdmanana@suse.com
commit 580c079b5766ac706f56eec5c79aee4bf929fef6 upstream.
At btrfs_find_all_roots_safe() we allocate a ulist and set the **roots argument to point to it. However if later we fail due to an error returned by find_parent_nodes(), we free that ulist but leave a dangling pointer in the **roots argument. Upon receiving the error, a caller of this function can attempt to free the same ulist again, resulting in an invalid memory access.
One such scenario is during qgroup accounting:
btrfs_qgroup_account_extents()
--> calls btrfs_find_all_roots() passes &new_roots (a stack allocated pointer) to btrfs_find_all_roots()
--> btrfs_find_all_roots() just calls btrfs_find_all_roots_safe() passing &new_roots to it
--> allocates ulist and assigns its address to **roots (which points to new_roots from btrfs_qgroup_account_extents())
--> find_parent_nodes() returns an error, so we free the ulist and leave **roots pointing to it after returning
--> btrfs_qgroup_account_extents() sees btrfs_find_all_roots() returned an error and jumps to the label 'cleanup', which just tries to free again the same ulist
Stack trace example:
------------[ cut here ]------------ BTRFS: tree first key check failed WARNING: CPU: 1 PID: 1763215 at fs/btrfs/disk-io.c:422 btrfs_verify_level_key+0xe0/0x180 [btrfs] Modules linked in: dm_snapshot dm_thin_pool (...) CPU: 1 PID: 1763215 Comm: fsstress Tainted: G W 5.8.0-rc3-btrfs-next-64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:btrfs_verify_level_key+0xe0/0x180 [btrfs] Code: 28 5b 5d (...) RSP: 0018:ffffb89b473779a0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff90397759bf08 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000000027 RDI: 00000000ffffffff RBP: ffff9039a419c000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: ffffb89b43301000 R12: 000000000000005e R13: ffffb89b47377a2e R14: ffffb89b473779af R15: 0000000000000000 FS: 00007fc47e1e1000(0000) GS:ffff9039ac200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc47e1df000 CR3: 00000003d9e4e001 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: read_block_for_search+0xf6/0x350 [btrfs] btrfs_next_old_leaf+0x242/0x650 [btrfs] resolve_indirect_refs+0x7cf/0x9e0 [btrfs] find_parent_nodes+0x4ea/0x12c0 [btrfs] btrfs_find_all_roots_safe+0xbf/0x130 [btrfs] btrfs_qgroup_account_extents+0x9d/0x390 [btrfs] btrfs_commit_transaction+0x4f7/0xb20 [btrfs] btrfs_sync_file+0x3d4/0x4d0 [btrfs] do_fsync+0x38/0x70 __x64_sys_fdatasync+0x13/0x20 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc47e2d72e3 Code: Bad RIP value. RSP: 002b:00007fffa32098c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004b RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc47e2d72e3 RDX: 00007fffa3209830 RSI: 00007fffa3209830 RDI: 0000000000000003 RBP: 000000000000072e R08: 0000000000000001 R09: 0000000000000003 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000003e8 R13: 0000000051eb851f R14: 00007fffa3209970 R15: 00005607c4ac8b50 irq event stamp: 0 hardirqs last enabled at (0): [<0000000000000000>] 0x0 hardirqs last disabled at (0): [<ffffffffb8eb5e85>] copy_process+0x755/0x1eb0 softirqs last enabled at (0): [<ffffffffb8eb5e85>] copy_process+0x755/0x1eb0 softirqs last disabled at (0): [<0000000000000000>] 0x0 ---[ end trace 8639237550317b48 ]--- BTRFS error (device sdc): tree first key mismatch detected, bytenr=62324736 parent_transid=94 key expected=(262,108,1351680) has=(259,108,1921024) general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC PTI CPU: 2 PID: 1763215 Comm: fsstress Tainted: G W 5.8.0-rc3-btrfs-next-64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:ulist_release+0x14/0x60 [btrfs] Code: c7 07 00 (...) RSP: 0018:ffffb89b47377d60 EFLAGS: 00010282 RAX: 6b6b6b6b6b6b6b6b RBX: ffff903959b56b90 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000270024 RDI: ffff9036e2adc840 RBP: ffff9036e2adc848 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9036e2adc840 R13: 0000000000000015 R14: ffff9039a419ccf8 R15: ffff90395d605840 FS: 00007fc47e1e1000(0000) GS:ffff9039ac600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8c1c0a51c8 CR3: 00000003d9e4e004 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ulist_free+0x13/0x20 [btrfs] btrfs_qgroup_account_extents+0xf3/0x390 [btrfs] btrfs_commit_transaction+0x4f7/0xb20 [btrfs] btrfs_sync_file+0x3d4/0x4d0 [btrfs] do_fsync+0x38/0x70 __x64_sys_fdatasync+0x13/0x20 do_syscall_64+0x5c/0xe0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fc47e2d72e3 Code: Bad RIP value. RSP: 002b:00007fffa32098c8 EFLAGS: 00000246 ORIG_RAX: 000000000000004b RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc47e2d72e3 RDX: 00007fffa3209830 RSI: 00007fffa3209830 RDI: 0000000000000003 RBP: 000000000000072e R08: 0000000000000001 R09: 0000000000000003 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000000003e8 R13: 0000000051eb851f R14: 00007fffa3209970 R15: 00005607c4ac8b50 Modules linked in: dm_snapshot dm_thin_pool (...) ---[ end trace 8639237550317b49 ]--- RIP: 0010:ulist_release+0x14/0x60 [btrfs] Code: c7 07 00 (...) RSP: 0018:ffffb89b47377d60 EFLAGS: 00010282 RAX: 6b6b6b6b6b6b6b6b RBX: ffff903959b56b90 RCX: 0000000000000000 RDX: 0000000000000001 RSI: 0000000000270024 RDI: ffff9036e2adc840 RBP: ffff9036e2adc848 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff9036e2adc840 R13: 0000000000000015 R14: ffff9039a419ccf8 R15: ffff90395d605840 FS: 00007fc47e1e1000(0000) GS:ffff9039ad200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6a776f7d40 CR3: 00000003d9e4e002 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fix this by making btrfs_find_all_roots_safe() set *roots to NULL after it frees the ulist.
Fixes: 8da6d5815c592b ("Btrfs: added btrfs_find_all_roots()") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Josef Bacik josef@toxicpanda.com Signed-off-by: Filipe Manana fdmanana@suse.com Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/btrfs/backref.c | 1 + 1 file changed, 1 insertion(+)
--- a/fs/btrfs/backref.c +++ b/fs/btrfs/backref.c @@ -1419,6 +1419,7 @@ static int btrfs_find_all_roots_safe(str if (ret < 0 && ret != -ENOENT) { ulist_free(tmp); ulist_free(*roots); + *roots = NULL; return ret; } node = ulist_next(tmp, &uiter);
From: Boris Burkov boris@bur.io
commit 48cfa61b58a1fee0bc49eef04f8ccf31493b7cdd upstream.
It is possible to cause a btrfs mount to fail by racing it with a slow umount. The crux of the sequence is generic_shutdown_super not yet calling sop->put_super before btrfs_mount_root calls btrfs_open_devices. If that occurs, btrfs_open_devices will decide the opened counter is non-zero, increment it, and skip resetting fs_devices->total_rw_bytes to 0. From here, mount will call sget which will result in grab_super trying to take the super block umount semaphore. That semaphore will be held by the slow umount, so mount will block. Before up-ing the semaphore, umount will delete the super block, resulting in mount's sget reliably allocating a new one, which causes the mount path to dutifully fill it out, and increment total_rw_bytes a second time, which causes the mount to fail, as we see double the expected bytes.
Here is the sequence laid out in greater detail:
CPU0 CPU1 down_write sb->s_umount btrfs_kill_super kill_anon_super(sb) generic_shutdown_super(sb); shrink_dcache_for_umount(sb); sync_filesystem(sb); evict_inodes(sb); // SLOW
btrfs_mount_root btrfs_scan_one_device fs_devices = device->fs_devices fs_info->fs_devices = fs_devices // fs_devices-opened makes this a no-op btrfs_open_devices(fs_devices, mode, fs_type) s = sget(fs_type, test, set, flags, fs_info); find sb in s_instances grab_super(sb); down_write(&s->s_umount); // blocks
sop->put_super(sb) // sb->fs_devices->opened == 2; no-op spin_lock(&sb_lock); hlist_del_init(&sb->s_instances); spin_unlock(&sb_lock); up_write(&sb->s_umount); return 0; retry lookup don't find sb in s_instances (deleted by CPU0) s = alloc_super return s; btrfs_fill_super(s, fs_devices, data) open_ctree // fs_devices total_rw_bytes improperly set! btrfs_read_chunk_tree read_one_dev // increment total_rw_bytes again!! super_total_bytes < fs_devices->total_rw_bytes // ERROR!!!
To fix this, we clear total_rw_bytes from within btrfs_read_chunk_tree before the calls to read_one_dev, while holding the sb umount semaphore and the uuid mutex.
To reproduce, it is sufficient to dirty a decent number of inodes, then quickly umount and mount.
for i in $(seq 0 500) do dd if=/dev/zero of="/mnt/foo/$i" bs=1M count=1 done umount /mnt/foo& mount /mnt/foo
does the trick for me.
CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Boris Burkov boris@bur.io Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/btrfs/volumes.c | 8 ++++++++ 1 file changed, 8 insertions(+)
--- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c @@ -6935,6 +6935,14 @@ int btrfs_read_chunk_tree(struct btrfs_f mutex_lock(&fs_info->chunk_mutex);
/* + * It is possible for mount and umount to race in such a way that + * we execute this code path, but open_fs_devices failed to clear + * total_rw_bytes. We certainly want it cleared before reading the + * device items, so clear it here. + */ + fs_info->fs_devices->total_rw_bytes = 0; + + /* * Read all device items, and then all the chunk items. All * device items are found before any chunk item (their object id * is smaller than the lowest possible object id for a chunk
From: Robbie Ko robbieko@synology.com
commit 5909ca110b29aa16b23b52b8de8d3bb1035fd738 upstream.
When locking pages for delalloc, we check if it's dirty and mapping still matches. If it does not match, we need to return -EAGAIN and release all pages. Only the current page was put though, iterate over all the remaining pages too.
CC: stable@vger.kernel.org # 4.14+ Reviewed-by: Filipe Manana fdmanana@suse.com Reviewed-by: Nikolay Borisov nborisov@suse.com Signed-off-by: Robbie Ko robbieko@synology.com Reviewed-by: David Sterba dsterba@suse.com Signed-off-by: David Sterba dsterba@suse.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/btrfs/extent_io.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -1707,7 +1707,8 @@ static int __process_pages_contig(struct if (!PageDirty(pages[i]) || pages[i]->mapping != mapping) { unlock_page(pages[i]); - put_page(pages[i]); + for (; i < ret; i++) + put_page(pages[i]); err = -EAGAIN; goto out; }
From: Vasundhara Volam vasundhara-v.volam@broadcom.com
[ Upstream commit 163e9ef63641a02de4c95cd921577265c52e1ce2 ]
The driver was modified to not rely on rtnl lock to protect link settings about 2 years ago. The pause setting was missed when making that change. Fix it by acquiring link_lock mutex before calling bnxt_hwrm_set_pause().
Fixes: e2dc9b6e38fa ("bnxt_en: Don't use rtnl lock to protect link change logic in workqueue.") Signed-off-by: Vasundhara Volam vasundhara-v.volam@broadcom.com Reviewed-by: Edwin Peer edwin.peer@broadcom.com Signed-off-by: Michael Chan michael.chan@broadcom.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c index 047024717d654..63730e449e088 100644 --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c @@ -1392,8 +1392,11 @@ static int bnxt_set_pauseparam(struct net_device *dev, if (epause->tx_pause) link_info->req_flow_ctrl |= BNXT_LINK_PAUSE_TX;
- if (netif_running(dev)) + if (netif_running(dev)) { + mutex_lock(&bp->link_lock); rc = bnxt_hwrm_set_pause(bp); + mutex_unlock(&bp->link_lock); + } return rc; }
From: Matthew Gerlach matthew.gerlach@linux.intel.com
[ Upstream commit 8614afd689df59d9ce019439389be20bd788a897 ]
When putting the port in reset, driver must wait for the soft reset acknowledgment bit instead of the soft reset bit.
Fixes: 47c1b19c160f (fpga: dfl: afu: add port ops support) Signed-off-by: Matthew Gerlach matthew.gerlach@linux.intel.com Signed-off-by: Xu Yilun yilun.xu@intel.com Acked-by: Wu Hao hao.wu@intel.com Reviewed-by: Tom Rix trix@redhat.com Signed-off-by: Moritz Fischer mdf@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/fpga/dfl-afu-main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/fpga/dfl-afu-main.c b/drivers/fpga/dfl-afu-main.c index 02baa6a227c0c..fc048f9a99b19 100644 --- a/drivers/fpga/dfl-afu-main.c +++ b/drivers/fpga/dfl-afu-main.c @@ -79,7 +79,8 @@ static int port_disable(struct platform_device *pdev) * on this port and minimum soft reset pulse width has elapsed. * Driver polls port_soft_reset_ack to determine if reset done by HW. */ - if (readq_poll_timeout(base + PORT_HDR_CTRL, v, v & PORT_CTRL_SFTRST, + if (readq_poll_timeout(base + PORT_HDR_CTRL, v, + v & PORT_CTRL_SFTRST_ACK, RST_POLL_INVL, RST_POLL_TIMEOUT)) { dev_err(&pdev->dev, "timeout, fail to reset device\n"); return -ETIMEDOUT;
From: Christophe JAILLET christophe.jaillet@wanadoo.fr
[ Upstream commit 3195c4706b00106aa82c73acd28340fa8fc2bfc1 ]
The size used when calling 'pci_alloc_consistent()' and 'pci_free_consistent()' should match.
Fix it and have it consistent with the corresponding call in 'rr_close()'.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Christophe JAILLET christophe.jaillet@wanadoo.fr Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/hippi/rrunner.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c index 029206e4da3b3..2a8c33abb363a 100644 --- a/drivers/net/hippi/rrunner.c +++ b/drivers/net/hippi/rrunner.c @@ -1248,7 +1248,7 @@ static int rr_open(struct net_device *dev) rrpriv->info = NULL; } if (rrpriv->rx_ctrl) { - pci_free_consistent(pdev, sizeof(struct ring_ctrl), + pci_free_consistent(pdev, 256 * sizeof(struct ring_ctrl), rrpriv->rx_ctrl, rrpriv->rx_ctrl_dma); rrpriv->rx_ctrl = NULL; }
From: George Kennedy george.kennedy@oracle.com
[ Upstream commit c28d9a285668c799eeae2f7f93e929a6028a4d6d ]
If ax88172a_unbind() fails, make sure that the return code is less than zero so that cleanup is done properly and avoid UAF.
Fixes: a9a51bd727d1 ("ax88172a: fix information leak on short answers") Signed-off-by: George Kennedy george.kennedy@oracle.com Reported-by: syzbot+4cd84f527bf4a10fc9c1@syzkaller.appspotmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/usb/ax88172a.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c index 914cac55a7ae7..909755ef71ac3 100644 --- a/drivers/net/usb/ax88172a.c +++ b/drivers/net/usb/ax88172a.c @@ -210,6 +210,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf) ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0); if (ret < ETH_ALEN) { netdev_err(dev->net, "Failed to read MAC address: %d\n", ret); + ret = -EIO; goto free; } memcpy(dev->net->dev_addr, buf, ETH_ALEN);
From: Sergey Organov sorganov@gmail.com
[ Upstream commit 473309fb8372365ad211f425bca760af800e10a7 ]
From Documentation/networking/timestamping.txt:
A driver which supports hardware time stamping shall update the struct with the actual, possibly more permissive configuration.
Do update the struct passed when we upscale the requested time stamping mode.
Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.") Signed-off-by: Sergey Organov sorganov@gmail.com Acked-by: Richard Cochran richardcochran@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/phy/dp83640.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c index 4fed778331573..dd0a658c843d6 100644 --- a/drivers/net/phy/dp83640.c +++ b/drivers/net/phy/dp83640.c @@ -1343,6 +1343,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr) dp83640->hwts_rx_en = 1; dp83640->layer = PTP_CLASS_L4; dp83640->version = PTP_CLASS_V1; + cfg.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT; break; case HWTSTAMP_FILTER_PTP_V2_L4_EVENT: case HWTSTAMP_FILTER_PTP_V2_L4_SYNC: @@ -1350,6 +1351,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr) dp83640->hwts_rx_en = 1; dp83640->layer = PTP_CLASS_L4; dp83640->version = PTP_CLASS_V2; + cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_L4_EVENT; break; case HWTSTAMP_FILTER_PTP_V2_L2_EVENT: case HWTSTAMP_FILTER_PTP_V2_L2_SYNC: @@ -1357,6 +1359,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr) dp83640->hwts_rx_en = 1; dp83640->layer = PTP_CLASS_L2; dp83640->version = PTP_CLASS_V2; + cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_L2_EVENT; break; case HWTSTAMP_FILTER_PTP_V2_EVENT: case HWTSTAMP_FILTER_PTP_V2_SYNC: @@ -1364,6 +1367,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr) dp83640->hwts_rx_en = 1; dp83640->layer = PTP_CLASS_L4 | PTP_CLASS_L2; dp83640->version = PTP_CLASS_V2; + cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT; break; default: return -ERANGE;
From: Liu Jian liujian56@huawei.com
[ Upstream commit 66673f96f0f968b991dc38be06102246919c663c ]
When probe fail, we should destroy the workqueue.
Fixes: 2795e8c25161 ("net: ieee802154: fix a potential NULL pointer dereference") Signed-off-by: Liu Jian liujian56@huawei.com Acked-by: Michael Hennerich michael.hennerich@analog.com Link: https://lore.kernel.org/r/20200717090121.2143-1-liujian56@huawei.com Signed-off-by: Stefan Schmidt stefan@datenfreihafen.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ieee802154/adf7242.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ieee802154/adf7242.c b/drivers/net/ieee802154/adf7242.c index cd6b95e673a58..71be8524cca87 100644 --- a/drivers/net/ieee802154/adf7242.c +++ b/drivers/net/ieee802154/adf7242.c @@ -1270,7 +1270,7 @@ static int adf7242_probe(struct spi_device *spi) WQ_MEM_RECLAIM); if (unlikely(!lp->wqueue)) { ret = -ENOMEM; - goto err_hw_init; + goto err_alloc_wq; }
ret = adf7242_hw_init(lp); @@ -1302,6 +1302,8 @@ static int adf7242_probe(struct spi_device *spi) return ret;
err_hw_init: + destroy_workqueue(lp->wqueue); +err_alloc_wq: mutex_destroy(&lp->bmux); ieee802154_free_hw(lp->hw);
From: Chen-Yu Tsai wens@csie.org
[ Upstream commit baa1841eb797eadce6c907bdaed7cd6f01815404 ]
When the extra HPD polling in sun4i_hdmi was removed, the result of HPD was accidentally inverted.
Fix this by inverting the check.
Fixes: bda8eaa6dee7 ("drm: sun4i: hdmi: Remove extra HPD polling") Signed-off-by: Chen-Yu Tsai wens@csie.org Tested-by: Mans Rullgard mans@mansr.com Signed-off-by: Maxime Ripard maxime@cerno.tech Link: https://patchwork.freedesktop.org/patch/msgid/20200711011030.21997-1-wens@ke... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c b/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c index 7e7fa8cef2ade..8ba19a8ca40f1 100644 --- a/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c +++ b/drivers/gpu/drm/sun4i/sun4i_hdmi_enc.c @@ -243,7 +243,7 @@ sun4i_hdmi_connector_detect(struct drm_connector *connector, bool force) unsigned long reg;
reg = readl(hdmi->base + SUN4I_HDMI_HPD_REG); - if (reg & SUN4I_HDMI_HPD_HIGH) { + if (!(reg & SUN4I_HDMI_HPD_HIGH)) { cec_phys_addr_invalidate(hdmi->cec_adap); return connector_status_disconnected; }
From: Wang Hai wanghai38@huawei.com
[ Upstream commit bca9749b1aa23d964d3ab930938af66dbf887f15 ]
If try_toggle_control_gpio() failed in smc_drv_probe(), free_netdev(ndev) should be called to free the ndev created earlier. Otherwise, a memleak will occur.
Fixes: 7d2911c43815 ("net: smc91x: Fix gpios for device tree based booting") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/smsc/smc91x.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c index 8d6cff8bd1622..0f870ed5a9c8c 100644 --- a/drivers/net/ethernet/smsc/smc91x.c +++ b/drivers/net/ethernet/smsc/smc91x.c @@ -2287,7 +2287,7 @@ static int smc_drv_probe(struct platform_device *pdev) ret = try_toggle_control_gpio(&pdev->dev, &lp->power_gpio, "power", 0, 0, 100); if (ret) - return ret; + goto out_free_netdev;
/* * Optional reset GPIO configured? Minimum 100 ns reset needed @@ -2296,7 +2296,7 @@ static int smc_drv_probe(struct platform_device *pdev) ret = try_toggle_control_gpio(&pdev->dev, &lp->reset_gpio, "reset", 0, 0, 100); if (ret) - return ret; + goto out_free_netdev;
/* * Need to wait for optional EEPROM to load, max 750 us according
From: Taehee Yoo ap420073@gmail.com
[ Upstream commit 544f287b84959203367cd29e16e772717612fab4 ]
If register_netdevice() is failed, net_device should not be used because variables are uninitialized or freed. So, the routine should be stopped immediately. But, bond_create() doesn't check return value of register_netdevice() immediately. That will result in a panic because of using uninitialized or freed memory.
Test commands: modprobe netdev-notifier-error-inject echo -22 > /sys/kernel/debug/notifier-error-inject/netdev/\ actions/NETDEV_REGISTER/error modprobe bonding max_bonds=3
Splat looks like: [ 375.028492][ T193] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b6b: 0000 [#1] SMP DEBUG_PAGEALLOC PTI [ 375.033207][ T193] CPU: 2 PID: 193 Comm: kworker/2:2 Not tainted 5.8.0-rc4+ #645 [ 375.036068][ T193] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 375.039673][ T193] Workqueue: events linkwatch_event [ 375.041557][ T193] RIP: 0010:dev_activate+0x4a/0x340 [ 375.043381][ T193] Code: 40 a8 04 0f 85 db 00 00 00 8b 83 08 04 00 00 85 c0 0f 84 0d 01 00 00 31 d2 89 d0 48 8d 04 40 48 c1 e0 07 48 03 83 00 04 00 00 <48> 8b 48 10 f6 41 10 01 75 08 f0 80 a1 a0 01 00 00 fd 48 89 48 08 [ 375.050267][ T193] RSP: 0018:ffff9f8facfcfdd8 EFLAGS: 00010202 [ 375.052410][ T193] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9f8fae6ea000 RCX: 0000000000000006 [ 375.055178][ T193] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9f8fae6ea000 [ 375.057762][ T193] RBP: ffff9f8fae6ea000 R08: 0000000000000000 R09: 0000000000000000 [ 375.059810][ T193] R10: 0000000000000001 R11: 0000000000000000 R12: ffff9f8facfcfe08 [ 375.061892][ T193] R13: ffffffff883587e0 R14: 0000000000000000 R15: ffff9f8fae6ea580 [ 375.063931][ T193] FS: 0000000000000000(0000) GS:ffff9f8fbae00000(0000) knlGS:0000000000000000 [ 375.066239][ T193] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 375.067841][ T193] CR2: 00007f2f542167a0 CR3: 000000012cee6002 CR4: 00000000003606e0 [ 375.069657][ T193] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 375.071471][ T193] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 375.073269][ T193] Call Trace: [ 375.074005][ T193] linkwatch_do_dev+0x4d/0x50 [ 375.075052][ T193] __linkwatch_run_queue+0x10b/0x200 [ 375.076244][ T193] linkwatch_event+0x21/0x30 [ 375.077274][ T193] process_one_work+0x252/0x600 [ 375.078379][ T193] ? process_one_work+0x600/0x600 [ 375.079518][ T193] worker_thread+0x3c/0x380 [ 375.080534][ T193] ? process_one_work+0x600/0x600 [ 375.081668][ T193] kthread+0x139/0x150 [ 375.082567][ T193] ? kthread_park+0x90/0x90 [ 375.083567][ T193] ret_from_fork+0x22/0x30
Fixes: e826eafa65c6 ("bonding: Call netif_carrier_off after register_netdevice") Signed-off-by: Taehee Yoo ap420073@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/bonding/bond_main.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c index f57b86f1373d4..11429df743067 100644 --- a/drivers/net/bonding/bond_main.c +++ b/drivers/net/bonding/bond_main.c @@ -4817,15 +4817,19 @@ int bond_create(struct net *net, const char *name) bond_dev->rtnl_link_ops = &bond_link_ops;
res = register_netdevice(bond_dev); + if (res < 0) { + free_netdev(bond_dev); + rtnl_unlock(); + + return res; + }
netif_carrier_off(bond_dev);
bond_work_init_all(bond);
rtnl_unlock(); - if (res < 0) - free_netdev(bond_dev); - return res; + return 0; }
static int __net_init bond_net_init(struct net *net)
From: Liu Jian liujian56@huawei.com
[ Upstream commit 5dbaeb87f2b309936be0aeae00cbc9e7f20ab296 ]
When mlxsw_core_trap_register fails in mlxsw_emad_init, destroy_workqueue() shouled be called to destroy mlxsw_core->emad_wq.
Fixes: d965465b60ba ("mlxsw: core: Fix possible deadlock") Signed-off-by: Liu Jian liujian56@huawei.com Reviewed-by: Ido Schimmel idosch@mellanox.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/mellanox/mlxsw/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlxsw/core.c b/drivers/net/ethernet/mellanox/mlxsw/core.c index 2e6df5804b356..e180ec4f1a248 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/core.c +++ b/drivers/net/ethernet/mellanox/mlxsw/core.c @@ -587,7 +587,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core) err = mlxsw_core_trap_register(mlxsw_core, &mlxsw_emad_rx_listener, mlxsw_core); if (err) - return err; + goto err_trap_register;
err = mlxsw_core->driver->basic_trap_groups_set(mlxsw_core); if (err) @@ -599,6 +599,7 @@ static int mlxsw_emad_init(struct mlxsw_core *mlxsw_core) err_emad_trap_set: mlxsw_core_trap_unregister(mlxsw_core, &mlxsw_emad_rx_listener, mlxsw_core); +err_trap_register: destroy_workqueue(mlxsw_core->emad_wq); return err; }
From: Alexander Lobakin alobakin@marvell.com
[ Upstream commit 1ea999039fe7c7953da2fbb7ca7c3ef00064d328 ]
Change the verbosity of the "don't support RoCE & iWARP simultaneously" warning to debug level to stop flooding on driver/hardware initialization:
[ 4.783230] qede 01:00.00: Storm FW 8.37.7.0, Management FW 8.52.9.0 [MBI 15.10.6] [eth0] [ 4.810020] [qed_rdma_set_pf_params:2076()]Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only [ 4.861186] qede 01:00.01: Storm FW 8.37.7.0, Management FW 8.52.9.0 [MBI 15.10.6] [eth1] [ 4.893311] [qed_rdma_set_pf_params:2076()]Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only [ 5.181713] qede a1:00.00: Storm FW 8.37.7.0, Management FW 8.52.9.0 [MBI 15.10.6] [eth2] [ 5.224740] [qed_rdma_set_pf_params:2076()]Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only [ 5.276449] qede a1:00.01: Storm FW 8.37.7.0, Management FW 8.52.9.0 [MBI 15.10.6] [eth3] [ 5.318671] [qed_rdma_set_pf_params:2076()]Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only [ 5.369548] qede a1:00.02: Storm FW 8.37.7.0, Management FW 8.52.9.0 [MBI 15.10.6] [eth4] [ 5.411645] [qed_rdma_set_pf_params:2076()]Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only
Fixes: e0a8f9de16fc ("qed: Add iWARP enablement support") Signed-off-by: Alexander Lobakin alobakin@marvell.com Signed-off-by: Igor Russkikh irusskikh@marvell.com Signed-off-by: Michal Kalderon michal.kalderon@marvell.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/qlogic/qed/qed_cxt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/qlogic/qed/qed_cxt.c b/drivers/net/ethernet/qlogic/qed/qed_cxt.c index f3d7c38f539a8..734462f8d881c 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c +++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c @@ -2074,8 +2074,8 @@ static void qed_rdma_set_pf_params(struct qed_hwfn *p_hwfn, num_srqs = min_t(u32, QED_RDMA_MAX_SRQS, p_params->num_srqs);
if (p_hwfn->mcp_info->func_info.protocol == QED_PCI_ETH_RDMA) { - DP_NOTICE(p_hwfn, - "Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only\n"); + DP_VERBOSE(p_hwfn, QED_MSG_SP, + "Current day drivers don't support RoCE & iWARP simultaneously on the same PF. Default to RoCE-only\n"); p_hwfn->hw_info.personality = QED_PCI_ETH_ROCE; }
From: guodeqing geffrey.guo@huawei.com
[ Upstream commit 8210e344ccb798c672ab237b1a4f241bda08909b ]
The sync_thread_backup only checks sk_receive_queue is empty or not, there is a situation which cannot sync the connection entries when sk_receive_queue is empty and sk_rmem_alloc is larger than sk_rcvbuf, the sync packets are dropped in __udp_enqueue_schedule_skb, this is because the packets in reader_queue is not read, so the rmem is not reclaimed.
Here I add the check of whether the reader_queue of the udp sock is empty or not to solve this problem.
Fixes: 2276f58ac589 ("udp: use a separate rx queue for packet reception") Reported-by: zhouxudong zhouxudong8@huawei.com Signed-off-by: guodeqing geffrey.guo@huawei.com Acked-by: Julian Anastasov ja@ssi.bg Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/netfilter/ipvs/ip_vs_sync.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c index 5acd99f83166b..f6af13c16cf57 100644 --- a/net/netfilter/ipvs/ip_vs_sync.c +++ b/net/netfilter/ipvs/ip_vs_sync.c @@ -1717,6 +1717,8 @@ static int sync_thread_backup(void *data) { struct ip_vs_sync_thread_data *tinfo = data; struct netns_ipvs *ipvs = tinfo->ipvs; + struct sock *sk = tinfo->sock->sk; + struct udp_sock *up = udp_sk(sk); int len;
pr_info("sync thread started: state = BACKUP, mcast_ifn = %s, " @@ -1724,12 +1726,14 @@ static int sync_thread_backup(void *data) ipvs->bcfg.mcast_ifn, ipvs->bcfg.syncid, tinfo->id);
while (!kthread_should_stop()) { - wait_event_interruptible(*sk_sleep(tinfo->sock->sk), - !skb_queue_empty(&tinfo->sock->sk->sk_receive_queue) - || kthread_should_stop()); + wait_event_interruptible(*sk_sleep(sk), + !skb_queue_empty_lockless(&sk->sk_receive_queue) || + !skb_queue_empty_lockless(&up->reader_queue) || + kthread_should_stop());
/* do we have data now? */ - while (!skb_queue_empty(&(tinfo->sock->sk->sk_receive_queue))) { + while (!skb_queue_empty_lockless(&sk->sk_receive_queue) || + !skb_queue_empty_lockless(&up->reader_queue)) { len = ip_vs_receive(tinfo->sock, tinfo->buf, ipvs->bcfg.sync_maxlen); if (len <= 0) {
From: Wang Hai wanghai38@huawei.com
[ Upstream commit 1264d7fa3a64d8bea7aebb77253f917947ffda25 ]
When regmap_update_bits failed in ave_init(), calls of the functions reset_control_assert() and clk_disable_unprepare() were missed. Add goto out_reset_assert to do this.
Fixes: 57878f2f4697 ("net: ethernet: ave: add support for phy-mode setting of system controller") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Wang Hai wanghai38@huawei.com Reviewed-by: Kunihiko Hayashi hayashi.kunihiko@socionext.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/ethernet/socionext/sni_ave.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/socionext/sni_ave.c b/drivers/net/ethernet/socionext/sni_ave.c index c309accc6797e..01cde5f27eade 100644 --- a/drivers/net/ethernet/socionext/sni_ave.c +++ b/drivers/net/ethernet/socionext/sni_ave.c @@ -1196,7 +1196,7 @@ static int ave_init(struct net_device *ndev) ret = regmap_update_bits(priv->regmap, SG_ETPINMODE, priv->pinmode_mask, priv->pinmode_val); if (ret) - return ret; + goto out_reset_assert;
ave_global_reset(ndev);
From: Wolfram Sang wsa+renesas@sang-engineering.com
[ Upstream commit eb01597158ffb1853a7a7fc2c57d4c844640f75e ]
On R-Car Gen2, we get a timeout when reading from the address set in ICSAR, even though the slave interface is disabled. Clearing it fixes this situation. Note that Gen3 is not affected.
To reproduce: bind and undbind an I2C slave on some bus, run 'i2cdetect' on that bus.
Fixes: de20d1857dd6 ("i2c: rcar: add slave support") Signed-off-by: Wolfram Sang wsa+renesas@sang-engineering.com Signed-off-by: Wolfram Sang wsa@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/i2c/busses/i2c-rcar.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c index 2c29f901d3090..6e49e438ef5a5 100644 --- a/drivers/i2c/busses/i2c-rcar.c +++ b/drivers/i2c/busses/i2c-rcar.c @@ -863,6 +863,7 @@ static int rcar_unreg_slave(struct i2c_client *slave) /* disable irqs and ensure none is running before clearing ptr */ rcar_i2c_write(priv, ICSIER, 0); rcar_i2c_write(priv, ICSCR, 0); + rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */
synchronize_irq(priv->irq); priv->slave = NULL; @@ -966,6 +967,8 @@ static int rcar_i2c_probe(struct platform_device *pdev) if (ret < 0) goto out_pm_put;
+ rcar_i2c_write(priv, ICSAR, 0); /* Gen2: must be 0 if not using slave */ + if (priv->devtype == I2C_RCAR_GEN3) { priv->rstc = devm_reset_control_get_exclusive(&pdev->dev, NULL); if (!IS_ERR(priv->rstc)) {
From: Cong Wang xiyou.wangcong@gmail.com
[ Upstream commit c75d1d5248c0c97996051809ad0e9f154ba5d76e ]
Very similar to commit 544f287b8495 ("bonding: check error value of register_netdevice() immediately"), we should immediately check the return value of register_netdevice() before doing anything else.
Fixes: 005db31d5f5f ("bonding: set carrier off for devices created through netlink") Reported-and-tested-by: syzbot+bbc3a11c4da63c1b74d6@syzkaller.appspotmail.com Cc: Beniamino Galvani bgalvani@redhat.com Cc: Taehee Yoo ap420073@gmail.com Cc: Jay Vosburgh j.vosburgh@gmail.com Signed-off-by: Cong Wang xiyou.wangcong@gmail.com Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/bonding/bond_netlink.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c index 6b9ad86732188..fbcd8a752ee70 100644 --- a/drivers/net/bonding/bond_netlink.c +++ b/drivers/net/bonding/bond_netlink.c @@ -451,11 +451,10 @@ static int bond_newlink(struct net *src_net, struct net_device *bond_dev, return err;
err = register_netdevice(bond_dev); - - netif_carrier_off(bond_dev); if (!err) { struct bonding *bond = netdev_priv(bond_dev);
+ netif_carrier_off(bond_dev); bond_work_init_all(bond); }
From: Matthew Howell matthew.howell@sealevel.com
[ Upstream commit 5fdbe136ae19ab751daaa4d08d9a42f3e30d17f9 ]
Sealevel XR17V35X based devices are inoperable on kernel versions 4.11 and above due to a change in the GPIO preconfiguration introduced in commit 7dea8165f1d. This patch fixes this by preconfiguring the GPIO on Sealevel cards to the value (0x00) used prior to commit 7dea8165f1d
With GPIOs preconfigured as per commit 7dea8165f1d all ports on Sealevel XR17V35X based devices become stuck in high impedance mode, regardless of dip-switch or software configuration. This causes the device to become effectively unusable. This patch (in various forms) has been distributed to our customers and no issues related to it have been reported.
Fixes: 7dea8165f1d6 ("serial: exar: Preconfigure xr17v35x MPIOs as output") Signed-off-by: Matthew Howell matthew.howell@sealevel.com Link: https://lore.kernel.org/r/alpine.DEB.2.21.2007221605270.13247@tstest-Virtual... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/tty/serial/8250/8250_exar.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c index 8707357764375..d39162e71f59d 100644 --- a/drivers/tty/serial/8250/8250_exar.c +++ b/drivers/tty/serial/8250/8250_exar.c @@ -227,7 +227,17 @@ static void setup_gpio(struct pci_dev *pcidev, u8 __iomem *p) * devices will export them as GPIOs, so we pre-configure them safely * as inputs. */ - u8 dir = pcidev->vendor == PCI_VENDOR_ID_EXAR ? 0xff : 0x00; + + u8 dir = 0x00; + + if ((pcidev->vendor == PCI_VENDOR_ID_EXAR) && + (pcidev->subsystem_vendor != PCI_VENDOR_ID_SEALEVEL)) { + // Configure GPIO as inputs for Commtech adapters + dir = 0xff; + } else { + // Configure GPIO as outputs for SeaLevel adapters + dir = 0x00; + }
writeb(0x00, p + UART_EXAR_MPIOINT_7_0); writeb(0x00, p + UART_EXAR_MPIOLVL_7_0);
From: Pi-Hsun Shih pihsun@chromium.org
[ Upstream commit d178770d8d21489abf5bafefcbb6d5243b482e9a ]
Currently the basepath is removed only from the beginning of the string. When the symbol is inlined and there's multiple line outputs of addr2line, only the first line would have basepath removed.
Change to remove the basepath prefix from all lines.
Fixes: 31013836a71e ("scripts/decode_stacktrace: match basepath using shell prefix operator, not regex") Co-developed-by: Shik Chen shik@chromium.org Signed-off-by: Pi-Hsun Shih pihsun@chromium.org Signed-off-by: Shik Chen shik@chromium.org Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Stephen Boyd swboyd@chromium.org Cc: Sasha Levin sashal@kernel.org Cc: Nicolas Boichat drinkcat@chromium.org Cc: Jiri Slaby jslaby@suse.cz Link: http://lkml.kernel.org/r/20200720082709.252805-1-pihsun@chromium.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- scripts/decode_stacktrace.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh index 5aa75a0a1cede..946735bd5a252 100755 --- a/scripts/decode_stacktrace.sh +++ b/scripts/decode_stacktrace.sh @@ -77,8 +77,8 @@ parse_symbol() { return fi
- # Strip out the base of the path - code=${code#$basepath/} + # Strip out the base of the path on each line + code=$(while read -r line; do echo "${line#$basepath/}"; done <<< "$code")
# In the case of inlines, move everything to same line code=${code//$'\n'/' '}
From: Stefano Garzarella sgarzare@redhat.com
[ Upstream commit 7359608a271ce81803de148befefd309baf88c76 ]
Commit ed66f991bb19 ("module: Refactor section attr into bin attribute") removed the 'name' field from 'struct module_sect_attr' triggering the following error when invoking lx-symbols:
(gdb) lx-symbols loading vmlinux scanning for modules in linux/build loading @0xffffffffc014f000: linux/build/drivers/net/tun.ko Python Exception <class 'gdb.error'> There is no member named name.: Error occurred in Python: There is no member named name.
This patch fixes the issue taking the module name from the 'struct attribute'.
Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute") Signed-off-by: Stefano Garzarella sgarzare@redhat.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Jan Kiszka jan.kiszka@siemens.com Reviewed-by: Kieran Bingham kbingham@kernel.org Link: http://lkml.kernel.org/r/20200722102239.313231-1-sgarzare@redhat.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- scripts/gdb/linux/symbols.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/gdb/linux/symbols.py b/scripts/gdb/linux/symbols.py index 4644f1a83b578..aa4f87e3ddb12 100644 --- a/scripts/gdb/linux/symbols.py +++ b/scripts/gdb/linux/symbols.py @@ -96,7 +96,7 @@ lx-symbols command.""" return "" attrs = sect_attrs['attrs'] section_name_to_address = { - attrs[n]['name'].string(): attrs[n]['address'] + attrs[n]['battr']['attr']['name'].string(): attrs[n]['address'] for n in range(int(sect_attrs['nsections']))} args = [] for section_name in [".data", ".data..read_mostly", ".rodata", ".bss",
Hi Greg, Sasha,
On 27/07/2020 15:04, Greg Kroah-Hartman wrote:
From: Stefano Garzarella sgarzare@redhat.com
[ Upstream commit 7359608a271ce81803de148befefd309baf88c76 ]
Commit ed66f991bb19 ("module: Refactor section attr into bin attribute") removed the 'name' field from 'struct module_sect_attr' triggering the following error when invoking lx-symbols:
Has ed66f991bb19 ("module: Refactor section attr into bin attribute") been backported to 4.19? It doesn't /sound/ like something that would require backporting unless something else depended up on it, but if it hasn't been ... then *this* patch shouldn't be either...
Same for 5.4, and 5.7 that's just come in.
This patch will 'apply' cleanly, and not hit any compilation errors, as it only changes python code... so my reason to highlight is in case some automated system picked it up based on those assumptions.
If ed66f991bb19 has also been backported, then I'm sorry for the noise ;-)
-- Kieran
(gdb) lx-symbols loading vmlinux scanning for modules in linux/build loading @0xffffffffc014f000: linux/build/drivers/net/tun.ko Python Exception <class 'gdb.error'> There is no member named name.: Error occurred in Python: There is no member named name.
This patch fixes the issue taking the module name from the 'struct attribute'.
Fixes: ed66f991bb19 ("module: Refactor section attr into bin attribute") Signed-off-by: Stefano Garzarella sgarzare@redhat.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Jan Kiszka jan.kiszka@siemens.com Reviewed-by: Kieran Bingham kbingham@kernel.org Link: http://lkml.kernel.org/r/20200722102239.313231-1-sgarzare@redhat.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org
scripts/gdb/linux/symbols.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/gdb/linux/symbols.py b/scripts/gdb/linux/symbols.py index 4644f1a83b578..aa4f87e3ddb12 100644 --- a/scripts/gdb/linux/symbols.py +++ b/scripts/gdb/linux/symbols.py @@ -96,7 +96,7 @@ lx-symbols command.""" return "" attrs = sect_attrs['attrs'] section_name_to_address = {
attrs[n]['name'].string(): attrs[n]['address']
attrs[n]['battr']['attr']['name'].string(): attrs[n]['address'] for n in range(int(sect_attrs['nsections']))} args = [] for section_name in [".data", ".data..read_mostly", ".rodata", ".bss",
On Mon, Jul 27, 2020 at 03:26:42PM +0100, Kieran Bingham wrote:
Hi Greg, Sasha,
On 27/07/2020 15:04, Greg Kroah-Hartman wrote:
From: Stefano Garzarella sgarzare@redhat.com
[ Upstream commit 7359608a271ce81803de148befefd309baf88c76 ]
Commit ed66f991bb19 ("module: Refactor section attr into bin attribute") removed the 'name' field from 'struct module_sect_attr' triggering the following error when invoking lx-symbols:
Has ed66f991bb19 ("module: Refactor section attr into bin attribute") been backported to 4.19? It doesn't /sound/ like something that would require backporting unless something else depended up on it, but if it hasn't been ... then *this* patch shouldn't be either...
Same for 5.4, and 5.7 that's just come in.
This patch will 'apply' cleanly, and not hit any compilation errors, as it only changes python code... so my reason to highlight is in case some automated system picked it up based on those assumptions.
If ed66f991bb19 has also been backported, then I'm sorry for the noise ;-)
I had the same doubt, but I just saw that ed66f991bb19 was backported to the stable branches (4.19, 5.4 and 5.7), so I think this backport is correct.
Thanks, Stefano
Hi Stefano,
On 27/07/2020 15:37, Stefano Garzarella wrote:
On Mon, Jul 27, 2020 at 03:26:42PM +0100, Kieran Bingham wrote:
Hi Greg, Sasha,
On 27/07/2020 15:04, Greg Kroah-Hartman wrote:
From: Stefano Garzarella sgarzare@redhat.com
[ Upstream commit 7359608a271ce81803de148befefd309baf88c76 ]
Commit ed66f991bb19 ("module: Refactor section attr into bin attribute") removed the 'name' field from 'struct module_sect_attr' triggering the following error when invoking lx-symbols:
Has ed66f991bb19 ("module: Refactor section attr into bin attribute") been backported to 4.19? It doesn't /sound/ like something that would require backporting unless something else depended up on it, but if it hasn't been ... then *this* patch shouldn't be either...
Same for 5.4, and 5.7 that's just come in.
This patch will 'apply' cleanly, and not hit any compilation errors, as it only changes python code... so my reason to highlight is in case some automated system picked it up based on those assumptions.
If ed66f991bb19 has also been backported, then I'm sorry for the noise ;-)
I had the same doubt, but I just saw that ed66f991bb19 was backported to the stable branches (4.19, 5.4 and 5.7), so I think this backport is> correct.
Perfect, thanks for confirming.
-- Kieran
On Mon, Jul 27, 2020 at 03:26:42PM +0100, Kieran Bingham wrote:
Hi Greg, Sasha,
On 27/07/2020 15:04, Greg Kroah-Hartman wrote:
From: Stefano Garzarella sgarzare@redhat.com
[ Upstream commit 7359608a271ce81803de148befefd309baf88c76 ]
Commit ed66f991bb19 ("module: Refactor section attr into bin attribute") removed the 'name' field from 'struct module_sect_attr' triggering the following error when invoking lx-symbols:
Has ed66f991bb19 ("module: Refactor section attr into bin attribute") been backported to 4.19? It doesn't /sound/ like something that would require backporting unless something else depended up on it, but if it hasn't been ... then *this* patch shouldn't be either...
It was released in 4.19.133, 5.4.52, and 5.7.9.
Same for 5.4, and 5.7 that's just come in.
This patch will 'apply' cleanly, and not hit any compilation errors, as it only changes python code... so my reason to highlight is in case some automated system picked it up based on those assumptions.
If ed66f991bb19 has also been backported, then I'm sorry for the noise ;-)
It was, but thanks for the review!
greg k-h
From: Federico Ricchiuto fed.ricchiuto@gmail.com
[ Upstream commit 43e666acb79f3d355dd89bf20f4d25d3b15da13e ]
The Mediacom FlexBook edge13 uses the SIPODEV SP1064 touchpad, which does not supply descriptors, so it has to be added to the override list.
Signed-off-by: Federico Ricchiuto fed.ricchiuto@gmail.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c index 681ac9bc68b3d..f98c1e1b1dbdc 100644 --- a/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c +++ b/drivers/hid/i2c-hid/i2c-hid-dmi-quirks.c @@ -373,6 +373,14 @@ static const struct dmi_system_id i2c_hid_dmi_desc_override_table[] = { }, .driver_data = (void *)&sipodev_desc }, + { + .ident = "Mediacom FlexBook edge 13", + .matches = { + DMI_EXACT_MATCH(DMI_SYS_VENDOR, "MEDIACOM"), + DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "FlexBook_edge13-M-FBE13"), + }, + .driver_data = (void *)&sipodev_desc + }, { .ident = "Odys Winbook 13", .matches = {
From: Caiyuan Xie caiyuan.xie@cn.alps.com
[ Upstream commit aa3c439c144f0a465ed1f28f11c772886fb02b35 ]
Add support for devices which that have reports with id == 2
Signed-off-by: Caiyuan Xie caiyuan.xie@cn.alps.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hid/hid-alps.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/hid/hid-alps.c b/drivers/hid/hid-alps.c index 3489f0af7409c..f4cf541d13e08 100644 --- a/drivers/hid/hid-alps.c +++ b/drivers/hid/hid-alps.c @@ -29,6 +29,7 @@
#define U1_MOUSE_REPORT_ID 0x01 /* Mouse data ReportID */ #define U1_ABSOLUTE_REPORT_ID 0x03 /* Absolute data ReportID */ +#define U1_ABSOLUTE_REPORT_ID_SECD 0x02 /* FW-PTP Absolute data ReportID */ #define U1_FEATURE_REPORT_ID 0x05 /* Feature ReportID */ #define U1_SP_ABSOLUTE_REPORT_ID 0x06 /* Feature ReportID */
@@ -372,6 +373,7 @@ static int u1_raw_event(struct alps_dev *hdata, u8 *data, int size) case U1_FEATURE_REPORT_ID: break; case U1_ABSOLUTE_REPORT_ID: + case U1_ABSOLUTE_REPORT_ID_SECD: for (i = 0; i < hdata->max_fingers; i++) { u8 *contact = &data[i * 5];
From: Rodrigo Rivas Costa rodrigorivascosta@gmail.com
[ Upstream commit 2d3f53a80e4eed078669853a178ed96d88f74143 ]
Using uhid and KASAN this driver crashed because it was getting several connection events where it only expected one. Then the device was added several times to the static device list and it got corrupted.
This patch checks if the device is already in the list before adding it.
Signed-off-by: Rodrigo Rivas Costa rodrigorivascosta@gmail.com Tested-by: Siarhei Vishniakou svv@google.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hid/hid-steam.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/hid/hid-steam.c b/drivers/hid/hid-steam.c index 6286204d4c560..a3b151b29bd71 100644 --- a/drivers/hid/hid-steam.c +++ b/drivers/hid/hid-steam.c @@ -526,7 +526,8 @@ static int steam_register(struct steam_device *steam) steam_battery_register(steam);
mutex_lock(&steam_devices_lock); - list_add(&steam->list, &steam_devices); + if (list_empty(&steam->list)) + list_add(&steam->list, &steam_devices); mutex_unlock(&steam_devices_lock); }
@@ -552,7 +553,7 @@ static void steam_unregister(struct steam_device *steam) hid_info(steam->hdev, "Steam Controller '%s' disconnected", steam->serial_no); mutex_lock(&steam_devices_lock); - list_del(&steam->list); + list_del_init(&steam->list); mutex_unlock(&steam_devices_lock); steam->serial_no[0] = 0; } @@ -738,6 +739,7 @@ static int steam_probe(struct hid_device *hdev, mutex_init(&steam->mutex); steam->quirks = id->driver_data; INIT_WORK(&steam->work_connect, steam_work_connect_cb); + INIT_LIST_HEAD(&steam->list);
steam->client_hdev = steam_create_client_hid(hdev); if (IS_ERR(steam->client_hdev)) {
From: Hans de Goede hdegoede@redhat.com
[ Upstream commit a5d81646fa294eed57786a9310b06ca48902adf8 ]
The Maxxter KB-BT-001 Bluetooth keyboard, which looks somewhat like the Apple Wireless Keyboard, is using the vendor and product IDs (05AC:0239) of the Apple Wireless Keyboard (2009 ANSI version) <sigh>.
But its F1 - F10 keys are marked as sending F1 - F10, not the special functions hid-apple.c maps them too; and since its descriptors do not contain the HID_UP_CUSTOM | 0x0003 usage apple-hid looks for for the Fn-key, apple_setup_input() never gets called, so F1 - F6 are mapped to key-codes which have not been set in the keybit array causing them to not send any events at all.
The lack of a usage code matching the Fn key in the clone is actually useful as this allows solving this problem in a generic way.
This commits adds a fn_found flag and it adds a input_configured callback which checks if this flag is set once all usages have been mapped. If it is not set, then assume this is a clone and clear the quirks bitmap so that the hid-apple code does not add any special handling to this keyboard.
This fixes F1 - F6 not sending anything at all and F7 - F12 sending the wrong codes on the Maxxter KB-BT-001 Bluetooth keyboard and on similar clones.
Cc: Joao Moreno mail@joaomoreno.com Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hid/hid-apple.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/drivers/hid/hid-apple.c b/drivers/hid/hid-apple.c index 8ab8f2350bbcd..b58ab769aa7b3 100644 --- a/drivers/hid/hid-apple.c +++ b/drivers/hid/hid-apple.c @@ -57,6 +57,7 @@ MODULE_PARM_DESC(swap_opt_cmd, "Swap the Option ("Alt") and Command ("Flag") struct apple_sc { unsigned long quirks; unsigned int fn_on; + unsigned int fn_found; DECLARE_BITMAP(pressed_numlock, KEY_CNT); };
@@ -342,12 +343,15 @@ static int apple_input_mapping(struct hid_device *hdev, struct hid_input *hi, struct hid_field *field, struct hid_usage *usage, unsigned long **bit, int *max) { + struct apple_sc *asc = hid_get_drvdata(hdev); + if (usage->hid == (HID_UP_CUSTOM | 0x0003) || usage->hid == (HID_UP_MSVENDOR | 0x0003) || usage->hid == (HID_UP_HPVENDOR2 | 0x0003)) { /* The fn key on Apple USB keyboards */ set_bit(EV_REP, hi->input->evbit); hid_map_usage_clear(hi, usage, bit, max, EV_KEY, KEY_FN); + asc->fn_found = true; apple_setup_input(hi->input); return 1; } @@ -374,6 +378,19 @@ static int apple_input_mapped(struct hid_device *hdev, struct hid_input *hi, return 0; }
+static int apple_input_configured(struct hid_device *hdev, + struct hid_input *hidinput) +{ + struct apple_sc *asc = hid_get_drvdata(hdev); + + if ((asc->quirks & APPLE_HAS_FN) && !asc->fn_found) { + hid_info(hdev, "Fn key not found (Apple Wireless Keyboard clone?), disabling Fn key handling\n"); + asc->quirks = 0; + } + + return 0; +} + static int apple_probe(struct hid_device *hdev, const struct hid_device_id *id) { @@ -588,6 +605,7 @@ static struct hid_driver apple_driver = { .event = apple_event, .input_mapping = apple_input_mapping, .input_mapped = apple_input_mapped, + .input_configured = apple_input_configured, }; module_hid_driver(apple_driver);
From: Dinghao Liu dinghao.liu@zju.edu.cn
[ Upstream commit 5b78fac4b1ba731cf4177fdbc1e3a4661521bcd0 ]
pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced.
Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn Reviewed-by: Jon Hunter jonathanh@nvidia.com Link: https://lore.kernel.org/r/20200624064626.19855-1-dinghao.liu@zju.edu.cn Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma/tegra210-adma.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/tegra210-adma.c b/drivers/dma/tegra210-adma.c index 045351f3549c1..86b45198fb962 100644 --- a/drivers/dma/tegra210-adma.c +++ b/drivers/dma/tegra210-adma.c @@ -583,6 +583,7 @@ static int tegra_adma_alloc_chan_resources(struct dma_chan *dc)
ret = pm_runtime_get_sync(tdc2dev(tdc)); if (ret < 0) { + pm_runtime_put_noidle(tdc2dev(tdc)); free_irq(tdc->irq, tdc); return ret; } @@ -764,8 +765,10 @@ static int tegra_adma_probe(struct platform_device *pdev) pm_runtime_enable(&pdev->dev);
ret = pm_runtime_get_sync(&pdev->dev); - if (ret < 0) + if (ret < 0) { + pm_runtime_put_noidle(&pdev->dev); goto rpm_disable; + }
ret = tegra_adma_init(tdma); if (ret)
From: Merlijn Wajer merlijn@wizzup.org
[ Upstream commit c463bb2a8f8d7d97aa414bf7714fc77e9d3b10df ]
This event code represents the state of a removable cover of a device. Value 0 means that the cover is open or removed, value 1 means that the cover is closed.
Reviewed-by: Sebastian Reichel sebastian.reichel@collabora.com Acked-by: Tony Lindgren tony@atomide.com Signed-off-by: Merlijn Wajer merlijn@wizzup.org Link: https://lore.kernel.org/r/20200612125402.18393-2-merlijn@wizzup.org Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- include/linux/mod_devicetable.h | 2 +- include/uapi/linux/input-event-codes.h | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h index 84e4e20352d9f..610cdf8082f2e 100644 --- a/include/linux/mod_devicetable.h +++ b/include/linux/mod_devicetable.h @@ -299,7 +299,7 @@ struct pcmcia_device_id { #define INPUT_DEVICE_ID_LED_MAX 0x0f #define INPUT_DEVICE_ID_SND_MAX 0x07 #define INPUT_DEVICE_ID_FF_MAX 0x7f -#define INPUT_DEVICE_ID_SW_MAX 0x0f +#define INPUT_DEVICE_ID_SW_MAX 0x10 #define INPUT_DEVICE_ID_PROP_MAX 0x1f
#define INPUT_DEVICE_ID_MATCH_BUS 1 diff --git a/include/uapi/linux/input-event-codes.h b/include/uapi/linux/input-event-codes.h index 61a5799b440b9..c3e84f7c8261a 100644 --- a/include/uapi/linux/input-event-codes.h +++ b/include/uapi/linux/input-event-codes.h @@ -795,7 +795,8 @@ #define SW_LINEIN_INSERT 0x0d /* set = inserted */ #define SW_MUTE_DEVICE 0x0e /* set = device disabled */ #define SW_PEN_INSERTED 0x0f /* set = pen inserted */ -#define SW_MAX 0x0f +#define SW_MACHINE_COVER 0x10 /* set = cover closed */ +#define SW_MAX 0x10 #define SW_CNT (SW_MAX+1)
/*
Hi!
[ Upstream commit c463bb2a8f8d7d97aa414bf7714fc77e9d3b10df ]
This event code represents the state of a removable cover of a device. Value 0 means that the cover is open or removed, value 1 means that the cover is closed.
This is only needed for N900 cover changes. I don't see them in stable, so I believe this should be dropped.
Best regards, Pavel
index 61a5799b440b9..c3e84f7c8261a 100644 --- a/include/uapi/linux/input-event-codes.h +++ b/include/uapi/linux/input-event-codes.h @@ -795,7 +795,8 @@ #define SW_LINEIN_INSERT 0x0d /* set = inserted */ #define SW_MUTE_DEVICE 0x0e /* set = device disabled */ #define SW_PEN_INSERTED 0x0f /* set = pen inserted */ -#define SW_MAX 0x0f +#define SW_MACHINE_COVER 0x10 /* set = cover closed */ +#define SW_MAX 0x10 #define SW_CNT (SW_MAX+1) /* -- 2.25.1
On Mon, Jul 27, 2020 at 11:26:23PM +0200, Pavel Machek wrote:
Hi!
[ Upstream commit c463bb2a8f8d7d97aa414bf7714fc77e9d3b10df ]
This event code represents the state of a removable cover of a device. Value 0 means that the cover is open or removed, value 1 means that the cover is closed.
This is only needed for N900 cover changes. I don't see them in stable, so I believe this should be dropped.
I guess there is no harm in adding the new switch definition to stable releases. It is now part of ABI and is set in stone.
Thanks.
From: leilk.liu leilk.liu@mediatek.com
[ Upstream commit 44b37eb79e16a56cb30ba55b2da452396b941e7a ]
this patch use correct SPI_CFG2_REG offset.
Signed-off-by: leilk.liu leilk.liu@mediatek.com Link: https://lore.kernel.org/r/20200701090020.7935-1-leilk.liu@mediatek.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/spi/spi-mt65xx.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/drivers/spi/spi-mt65xx.c b/drivers/spi/spi-mt65xx.c index 0c2867deb36fc..da28c52c9da19 100644 --- a/drivers/spi/spi-mt65xx.c +++ b/drivers/spi/spi-mt65xx.c @@ -41,7 +41,6 @@ #define SPI_CFG0_SCK_LOW_OFFSET 8 #define SPI_CFG0_CS_HOLD_OFFSET 16 #define SPI_CFG0_CS_SETUP_OFFSET 24 -#define SPI_ADJUST_CFG0_SCK_LOW_OFFSET 16 #define SPI_ADJUST_CFG0_CS_HOLD_OFFSET 0 #define SPI_ADJUST_CFG0_CS_SETUP_OFFSET 16
@@ -53,6 +52,8 @@ #define SPI_CFG1_CS_IDLE_MASK 0xff #define SPI_CFG1_PACKET_LOOP_MASK 0xff00 #define SPI_CFG1_PACKET_LENGTH_MASK 0x3ff0000 +#define SPI_CFG2_SCK_HIGH_OFFSET 0 +#define SPI_CFG2_SCK_LOW_OFFSET 16
#define SPI_CMD_ACT BIT(0) #define SPI_CMD_RESUME BIT(1) @@ -259,7 +260,7 @@ static void mtk_spi_set_cs(struct spi_device *spi, bool enable) static void mtk_spi_prepare_transfer(struct spi_master *master, struct spi_transfer *xfer) { - u32 spi_clk_hz, div, sck_time, cs_time, reg_val = 0; + u32 spi_clk_hz, div, sck_time, cs_time, reg_val; struct mtk_spi *mdata = spi_master_get_devdata(master);
spi_clk_hz = clk_get_rate(mdata->spi_clk); @@ -272,18 +273,18 @@ static void mtk_spi_prepare_transfer(struct spi_master *master, cs_time = sck_time * 2;
if (mdata->dev_comp->enhance_timing) { + reg_val = (((sck_time - 1) & 0xffff) + << SPI_CFG2_SCK_HIGH_OFFSET); reg_val |= (((sck_time - 1) & 0xffff) - << SPI_CFG0_SCK_HIGH_OFFSET); - reg_val |= (((sck_time - 1) & 0xffff) - << SPI_ADJUST_CFG0_SCK_LOW_OFFSET); + << SPI_CFG2_SCK_LOW_OFFSET); writel(reg_val, mdata->base + SPI_CFG2_REG); - reg_val |= (((cs_time - 1) & 0xffff) + reg_val = (((cs_time - 1) & 0xffff) << SPI_ADJUST_CFG0_CS_HOLD_OFFSET); reg_val |= (((cs_time - 1) & 0xffff) << SPI_ADJUST_CFG0_CS_SETUP_OFFSET); writel(reg_val, mdata->base + SPI_CFG0_REG); } else { - reg_val |= (((sck_time - 1) & 0xff) + reg_val = (((sck_time - 1) & 0xff) << SPI_CFG0_SCK_HIGH_OFFSET); reg_val |= (((sck_time - 1) & 0xff) << SPI_CFG0_SCK_LOW_OFFSET); reg_val |= (((cs_time - 1) & 0xff) << SPI_CFG0_CS_HOLD_OFFSET);
From: Marc Kleine-Budde mkl@pengutronix.de
[ Upstream commit e84861fec32dee8a2e62bbaa52cded6b05a2a456 ]
This function is used by dev_get_regmap() to retrieve a regmap for the specified device. If the device has more than one regmap, the name parameter can be used to specify one.
The code here uses a pointer comparison to check for equal strings. This however will probably always fail, as the regmap->name is allocated via kstrdup_const() from the regmap's config->name.
Fix this by using strcmp() instead.
Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Link: https://lore.kernel.org/r/20200703103315.267996-1-mkl@pengutronix.de Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/base/regmap/regmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c index c7d946b745efe..d26b485ccc7d0 100644 --- a/drivers/base/regmap/regmap.c +++ b/drivers/base/regmap/regmap.c @@ -1343,7 +1343,7 @@ static int dev_get_regmap_match(struct device *dev, void *res, void *data)
/* If the user didn't specify a name match any */ if (data) - return (*r)->name == data; + return !strcmp((*r)->name, data); else return 1; }
From: Evgeny Novikov novikov@ispras.ru
[ Upstream commit bc4071aafcf4d0535ee423b69167696d6c03207d ]
aspeed_create_fan() reads a pwm_port value using of_property_read_u32(). If pwm_port will be more than ARRAY_SIZE(pwm_port_params), there will be a buffer overflow in aspeed_create_pwm_port()->aspeed_set_pwm_port_enable(). The patch fixes the potential buffer overflow.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov novikov@ispras.ru Link: https://lore.kernel.org/r/20200703111518.9644-1-novikov@ispras.ru Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hwmon/aspeed-pwm-tacho.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/hwmon/aspeed-pwm-tacho.c b/drivers/hwmon/aspeed-pwm-tacho.c index 5e449eac788a1..a43fa730a513b 100644 --- a/drivers/hwmon/aspeed-pwm-tacho.c +++ b/drivers/hwmon/aspeed-pwm-tacho.c @@ -880,6 +880,8 @@ static int aspeed_create_fan(struct device *dev, ret = of_property_read_u32(child, "reg", &pwm_port); if (ret) return ret; + if (pwm_port >= ARRAY_SIZE(pwm_port_params)) + return -EINVAL; aspeed_create_pwm_port(priv, (u8)pwm_port);
ret = of_property_count_u8_elems(child, "cooling-levels");
From: Leonid Ravich Leonid.Ravich@emc.com
[ Upstream commit 87730ccbddcb48478b1b88e88b14e73424130764 ]
DMA transaction time to completion is a function of PCI bandwidth, transaction size and a queue depth. So hard coded value for timeouts might be wrong for some scenarios.
Signed-off-by: Leonid Ravich Leonid.Ravich@emc.com Reviewed-by: Dave Jiang dave.jiang@intel.com Link: https://lore.kernel.org/r/20200701184816.29138-1-leonid.ravich@dell.com Signed-off-by: Vinod Koul vkoul@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/dma/ioat/dma.c | 12 ++++++++++++ drivers/dma/ioat/dma.h | 2 -- 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c index b94cece58b984..890cadf3ec5d8 100644 --- a/drivers/dma/ioat/dma.c +++ b/drivers/dma/ioat/dma.c @@ -38,6 +38,18 @@
#include "../dmaengine.h"
+int completion_timeout = 200; +module_param(completion_timeout, int, 0644); +MODULE_PARM_DESC(completion_timeout, + "set ioat completion timeout [msec] (default 200 [msec])"); +int idle_timeout = 2000; +module_param(idle_timeout, int, 0644); +MODULE_PARM_DESC(idle_timeout, + "set ioat idel timeout [msec] (default 2000 [msec])"); + +#define IDLE_TIMEOUT msecs_to_jiffies(idle_timeout) +#define COMPLETION_TIMEOUT msecs_to_jiffies(completion_timeout) + static char *chanerr_str[] = { "DMA Transfer Source Address Error", "DMA Transfer Destination Address Error", diff --git a/drivers/dma/ioat/dma.h b/drivers/dma/ioat/dma.h index 1ab42ec2b7ff1..b061db2013324 100644 --- a/drivers/dma/ioat/dma.h +++ b/drivers/dma/ioat/dma.h @@ -111,8 +111,6 @@ struct ioatdma_chan { #define IOAT_RUN 5 #define IOAT_CHAN_ACTIVE 6 struct timer_list timer; - #define COMPLETION_TIMEOUT msecs_to_jiffies(100) - #define IDLE_TIMEOUT msecs_to_jiffies(2000) #define RESET_DELAY msecs_to_jiffies(100) struct ioatdma_device *ioat_dma; dma_addr_t completion_dma;
From: Ilya Katsnelson me@0upti.me
[ Upstream commit dcb00fc799dc03fd320e123e4c81b3278c763ea5 ]
Tested on my own laptop, touchpad feels slightly more responsive with this on, though it might just be placebo.
Signed-off-by: Ilya Katsnelson me@0upti.me Reviewed-by: Lyude Paul lyude@redhat.com Link: https://lore.kernel.org/r/20200703143457.132373-1-me@0upti.me Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/input/mouse/synaptics.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c index 671e018eb363a..c6d393114502d 100644 --- a/drivers/input/mouse/synaptics.c +++ b/drivers/input/mouse/synaptics.c @@ -182,6 +182,7 @@ static const char * const smbus_pnp_ids[] = { "LEN0093", /* T480 */ "LEN0096", /* X280 */ "LEN0097", /* X280 -> ALPS trackpoint */ + "LEN0099", /* X1 Extreme 1st */ "LEN009b", /* T580 */ "LEN200f", /* T450s */ "LEN2044", /* L470 */
From: Derek Basehore dbasehore@chromium.org
[ Upstream commit 966334dfc472bdfa67bed864842943b19755d192 ]
This moves the wakeup increment for elan devices to the touch report. This prevents the drivers from incorrectly reporting a wakeup when the resume callback resets then device, which causes an interrupt to occur.
Signed-off-by: Derek Basehore dbasehore@chromium.org Link: https://lore.kernel.org/r/20200706235046.1984283-1-dbasehore@chromium.org Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/input/mouse/elan_i2c_core.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c index ae012639ae1d5..82afaca2e1a67 100644 --- a/drivers/input/mouse/elan_i2c_core.c +++ b/drivers/input/mouse/elan_i2c_core.c @@ -917,6 +917,8 @@ static void elan_report_absolute(struct elan_tp_data *data, u8 *packet) u8 hover_info = packet[ETP_HOVER_INFO_OFFSET]; bool contact_valid, hover_event;
+ pm_wakeup_event(&data->client->dev, 0); + hover_event = hover_info & 0x40; for (i = 0; i < ETP_MAX_FINGERS; i++) { contact_valid = tp_info & (1U << (3 + i)); @@ -939,6 +941,8 @@ static void elan_report_trackpoint(struct elan_tp_data *data, u8 *report) u8 *packet = &report[ETP_REPORT_ID_OFFSET + 1]; int x, y;
+ pm_wakeup_event(&data->client->dev, 0); + if (!data->tp_input) { dev_warn_once(&data->client->dev, "received a trackpoint report while no trackpoint device has been created. Please report upstream.\n"); @@ -963,7 +967,6 @@ static void elan_report_trackpoint(struct elan_tp_data *data, u8 *report) static irqreturn_t elan_isr(int irq, void *dev_id) { struct elan_tp_data *data = dev_id; - struct device *dev = &data->client->dev; int error; u8 report[ETP_MAX_REPORT_LEN];
@@ -989,7 +992,7 @@ static irqreturn_t elan_isr(int irq, void *dev_id) elan_report_trackpoint(data, report); break; default: - dev_err(dev, "invalid report id data (%x)\n", + dev_err(&data->client->dev, "invalid report id data (%x)\n", report[ETP_REPORT_ID_OFFSET]); }
Hi!
From: Derek Basehore dbasehore@chromium.org
[ Upstream commit 966334dfc472bdfa67bed864842943b19755d192 ]
This moves the wakeup increment for elan devices to the touch report. This prevents the drivers from incorrectly reporting a wakeup when the resume callback resets then device, which causes an interrupt to occur.
Contrary to the changelog, this does not move anything... unlike mainline, it simply adds two pm_wakeup_events.
It may still be correct, but maybe someone wants to double-check?
Best regards, Pavel
diff --git a/drivers/input/mouse/elan_i2c_core.c b/drivers/input/mouse/elan_i2c_core.c index ae012639ae1d5..82afaca2e1a67 100644 --- a/drivers/input/mouse/elan_i2c_core.c +++ b/drivers/input/mouse/elan_i2c_core.c @@ -917,6 +917,8 @@ static void elan_report_absolute(struct elan_tp_data *data, u8 *packet) u8 hover_info = packet[ETP_HOVER_INFO_OFFSET]; bool contact_valid, hover_event;
- pm_wakeup_event(&data->client->dev, 0);
- hover_event = hover_info & 0x40; for (i = 0; i < ETP_MAX_FINGERS; i++) { contact_valid = tp_info & (1U << (3 + i));
@@ -939,6 +941,8 @@ static void elan_report_trackpoint(struct elan_tp_data *data, u8 *report) u8 *packet = &report[ETP_REPORT_ID_OFFSET + 1]; int x, y;
- pm_wakeup_event(&data->client->dev, 0);
- if (!data->tp_input) { dev_warn_once(&data->client->dev, "received a trackpoint report while no trackpoint device has been created. Please report upstream.\n");
@@ -963,7 +967,6 @@ static void elan_report_trackpoint(struct elan_tp_data *data, u8 *report) static irqreturn_t elan_isr(int irq, void *dev_id) { struct elan_tp_data *data = dev_id;
- struct device *dev = &data->client->dev; int error; u8 report[ETP_MAX_REPORT_LEN];
@@ -989,7 +992,7 @@ static irqreturn_t elan_isr(int irq, void *dev_id) elan_report_trackpoint(data, report); break; default:
dev_err(dev, "invalid report id data (%x)\n",
dev_err(&data->client->dev, "invalid report id data (%x)\n", report[ETP_REPORT_ID_OFFSET]);2.25.1
On Mon, Jul 27, 2020 at 11:29:33PM +0200, Pavel Machek wrote:
Hi!
From: Derek Basehore dbasehore@chromium.org
[ Upstream commit 966334dfc472bdfa67bed864842943b19755d192 ]
This moves the wakeup increment for elan devices to the touch report. This prevents the drivers from incorrectly reporting a wakeup when the resume callback resets then device, which causes an interrupt to occur.
Contrary to the changelog, this does not move anything... unlike mainline, it simply adds two pm_wakeup_events.
It may still be correct, but maybe someone wants to double-check?
Good catch, I believe the backport is busted.
Thanks.
On Mon, Jul 27, 2020 at 3:01 PM Dmitry Torokhov dmitry.torokhov@gmail.com wrote:
On Mon, Jul 27, 2020 at 11:29:33PM +0200, Pavel Machek wrote:
Hi!
From: Derek Basehore dbasehore@chromium.org
[ Upstream commit 966334dfc472bdfa67bed864842943b19755d192 ]
This moves the wakeup increment for elan devices to the touch report. This prevents the drivers from incorrectly reporting a wakeup when the resume callback resets then device, which causes an interrupt to occur.
Contrary to the changelog, this does not move anything... unlike mainline, it simply adds two pm_wakeup_events.
It may still be correct, but maybe someone wants to double-check?
Good catch, I believe the backport is busted.
I don't believe it will break anything, but the backport isn't needed in 4.19 since "Input: elan_i2c - increment wakeup count if wake source" wasn't merged into 4.19. It's probably best to drop the backport.
Thanks.
-- Dmitry
On Mon, Jul 27, 2020 at 03:18:06PM -0700, dbasehore . wrote:
On Mon, Jul 27, 2020 at 3:01 PM Dmitry Torokhov dmitry.torokhov@gmail.com wrote:
On Mon, Jul 27, 2020 at 11:29:33PM +0200, Pavel Machek wrote:
Hi!
From: Derek Basehore dbasehore@chromium.org
[ Upstream commit 966334dfc472bdfa67bed864842943b19755d192 ]
This moves the wakeup increment for elan devices to the touch report. This prevents the drivers from incorrectly reporting a wakeup when the resume callback resets then device, which causes an interrupt to occur.
Contrary to the changelog, this does not move anything... unlike mainline, it simply adds two pm_wakeup_events.
It may still be correct, but maybe someone wants to double-check?
Good catch, I believe the backport is busted.
I don't believe it will break anything, but the backport isn't needed in 4.19 since "Input: elan_i2c - increment wakeup count if wake source" wasn't merged into 4.19. It's probably best to drop the backport.
Hm, I wonder how this happened. It was just a cherry pick in this case :/
Either way, I've dropped it from 4.19, thanks!
From: Evgeny Novikov novikov@ispras.ru
[ Upstream commit c8f8529e2c4141afa2ebb487ad48e8a6ec3e8c99 ]
gr_ep_init() does not assign the allocated request anywhere if allocation of memory for the buffer fails. This is a memory leak fixed by the given patch.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov novikov@ispras.ru Signed-off-by: Felipe Balbi balbi@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/usb/gadget/udc/gr_udc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c index e50108f9a374e..e0b2fb33ed0d8 100644 --- a/drivers/usb/gadget/udc/gr_udc.c +++ b/drivers/usb/gadget/udc/gr_udc.c @@ -1980,9 +1980,12 @@ static int gr_ep_init(struct gr_udc *dev, int num, int is_in, u32 maxplimit)
if (num == 0) { _req = gr_alloc_request(&ep->ep, GFP_ATOMIC); + if (!_req) + return -ENOMEM; + buf = devm_kzalloc(dev->dev, PAGE_SIZE, GFP_DMA | GFP_ATOMIC); - if (!_req || !buf) { - /* possible _req freed by gr_probe via gr_remove */ + if (!buf) { + gr_free_request(&ep->ep, _req); return -ENOMEM; }
From: Chu Lin linchuyuan@google.com
[ Upstream commit 6d1d41c075a1a54ba03370e268171fec20e06563 ]
Issue: When PEC is enabled, binding adm1272 to the adm1275 would fail due to PEC error. See below: adm1275: probe of xxxx failed with error -74
Diagnosis: Per the datasheet of adm1272, adm1278, adm1293 and amd1294, PMON_CONFIG (0xd4) is 16bits wide. On the other hand, PMON_CONFIG (0xd4) for adm1275 is 8bits wide. The driver should not assume everything is 8bits wide and read only 8bits from it.
Solution: If it is adm1272, adm1278, adm1293 and adm1294, use i2c_read_word. Else, use i2c_read_byte
Testing: Binding adm1272 to the driver. The change is only tested on adm1272.
Signed-off-by: Chu Lin linchuyuan@google.com Link: https://lore.kernel.org/r/20200709040612.3977094-1-linchuyuan@google.com Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hwmon/pmbus/adm1275.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/hwmon/pmbus/adm1275.c b/drivers/hwmon/pmbus/adm1275.c index 13600fa79e7f3..a19cf9052fc6d 100644 --- a/drivers/hwmon/pmbus/adm1275.c +++ b/drivers/hwmon/pmbus/adm1275.c @@ -364,6 +364,7 @@ MODULE_DEVICE_TABLE(i2c, adm1275_id); static int adm1275_probe(struct i2c_client *client, const struct i2c_device_id *id) { + s32 (*config_read_fn)(const struct i2c_client *client, u8 reg); u8 block_buffer[I2C_SMBUS_BLOCK_MAX + 1]; int config, device_config; int ret; @@ -408,11 +409,16 @@ static int adm1275_probe(struct i2c_client *client, "Device mismatch: Configured %s, detected %s\n", id->name, mid->name);
- config = i2c_smbus_read_byte_data(client, ADM1275_PMON_CONFIG); + if (mid->driver_data == adm1272 || mid->driver_data == adm1278 || + mid->driver_data == adm1293 || mid->driver_data == adm1294) + config_read_fn = i2c_smbus_read_word_data; + else + config_read_fn = i2c_smbus_read_byte_data; + config = config_read_fn(client, ADM1275_PMON_CONFIG); if (config < 0) return config;
- device_config = i2c_smbus_read_byte_data(client, ADM1275_DEVICE_CONFIG); + device_config = config_read_fn(client, ADM1275_DEVICE_CONFIG); if (device_config < 0) return device_config;
From: Cristian Marussi cristian.marussi@arm.com
[ Upstream commit 3ce17cd2b94907f6d91b81b32848044b84c97606 ]
SMATCH detected a potential buffer overflow in the manipulation of hwmon_attributes array inside the scmi_hwmon_probe function:
drivers/hwmon/scmi-hwmon.c:226 scmi_hwmon_probe() error: buffer overflow 'hwmon_attributes' 6 <= 9
Fix it by statically declaring the size of the array as the maximum possible as defined by hwmon_max define.
Signed-off-by: Cristian Marussi cristian.marussi@arm.com Reviewed-by: Sudeep Holla sudeep.holla@arm.com Link: https://lore.kernel.org/r/20200715121338.GA18761@e119603-lin.cambridge.arm.c... Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/hwmon/scmi-hwmon.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/hwmon/scmi-hwmon.c b/drivers/hwmon/scmi-hwmon.c index 91976b6ca3000..91bfecdb3f5ba 100644 --- a/drivers/hwmon/scmi-hwmon.c +++ b/drivers/hwmon/scmi-hwmon.c @@ -99,7 +99,7 @@ static enum hwmon_sensor_types scmi_types[] = { [ENERGY] = hwmon_energy, };
-static u32 hwmon_attributes[] = { +static u32 hwmon_attributes[hwmon_max] = { [hwmon_chip] = HWMON_C_REGISTER_TZ, [hwmon_temp] = HWMON_T_INPUT | HWMON_T_LABEL, [hwmon_in] = HWMON_I_INPUT | HWMON_I_LABEL,
From: Will Deacon will@kernel.org
[ Upstream commit 5afc78551bf5d53279036e0bf63314e35631d79f ]
Rather than open-code test_tsk_thread_flag() at each callsite, simply replace the couple of offenders with calls to test_tsk_thread_flag() directly.
Signed-off-by: Will Deacon will@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm64/kernel/debug-monitors.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c index 93ee34dee9f22..501e835c65007 100644 --- a/arch/arm64/kernel/debug-monitors.c +++ b/arch/arm64/kernel/debug-monitors.c @@ -392,14 +392,14 @@ void user_rewind_single_step(struct task_struct *task) * If single step is active for this thread, then set SPSR.SS * to 1 to avoid returning to the active-pending state. */ - if (test_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP)) + if (test_tsk_thread_flag(task, TIF_SINGLESTEP)) set_regs_spsr_ss(task_pt_regs(task)); } NOKPROBE_SYMBOL(user_rewind_single_step);
void user_fastforward_single_step(struct task_struct *task) { - if (test_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP)) + if (test_tsk_thread_flag(task, TIF_SINGLESTEP)) clear_regs_spsr_ss(task_pt_regs(task)); }
From: Arnd Bergmann arnd@arndb.de
[ Upstream commit 81e96851ea32deb2c921c870eecabf335f598aeb ]
The clang integrated assembler requires the 'cmp' instruction to have a length prefix here:
arch/x86/math-emu/wm_sqrt.S:212:2: error: ambiguous instructions require an explicit suffix (could be 'cmpb', 'cmpw', or 'cmpl') cmp $0xffffffff,-24(%ebp) ^
Make this a 32-bit comparison, which it was clearly meant to be.
Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Reviewed-by: Nick Desaulniers ndesaulniers@google.com Link: https://lkml.kernel.org/r/20200527135352.1198078-1-arnd@arndb.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/x86/math-emu/wm_sqrt.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/math-emu/wm_sqrt.S b/arch/x86/math-emu/wm_sqrt.S index f031c0e193565..515cdee90df72 100644 --- a/arch/x86/math-emu/wm_sqrt.S +++ b/arch/x86/math-emu/wm_sqrt.S @@ -209,7 +209,7 @@ sqrt_stage_2_finish:
#ifdef PARANOID /* It should be possible to get here only if the arg is ffff....ffff */ - cmp $0xffffffff,FPU_fsqrt_arg_1 + cmpl $0xffffffff,FPU_fsqrt_arg_1 jnz sqrt_stage_2_error #endif /* PARANOID */
From: Palmer Dabbelt palmerdabbelt@google.com
[ Upstream commit 38b7c2a3ffb1fce8358ddc6006cfe5c038ff9963 ]
While digging through the recent mmiowb preemption issue it came up that we aren't actually preventing IO from crossing a scheduling boundary. While it's a bit ugly to overload smp_mb__after_spinlock() with this behavior, it's what PowerPC is doing so there's some precedent.
Signed-off-by: Palmer Dabbelt palmerdabbelt@google.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/riscv/include/asm/barrier.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/arch/riscv/include/asm/barrier.h b/arch/riscv/include/asm/barrier.h index d4628e4b3a5ea..f4c92c91aa047 100644 --- a/arch/riscv/include/asm/barrier.h +++ b/arch/riscv/include/asm/barrier.h @@ -69,8 +69,16 @@ do { \ * The AQ/RL pair provides a RCpc critical section, but there's not really any * way we can take advantage of that here because the ordering is only enforced * on that one lock. Thus, we're just doing a full fence. + * + * Since we allow writeX to be called from preemptive regions we need at least + * an "o" in the predecessor set to ensure device writes are visible before the + * task is marked as available for scheduling on a new hart. While I don't see + * any concrete reason we need a full IO fence, it seems safer to just upgrade + * this in order to avoid any IO crossing a scheduling boundary. In both + * instances the scheduler pairs this with an mb(), so nothing is necessary on + * the new hart. */ -#define smp_mb__after_spinlock() RISCV_FENCE(rw,rw) +#define smp_mb__after_spinlock() RISCV_FENCE(iorw,iorw)
#include <asm-generic/barrier.h>
From: Tetsuo Handa penguin-kernel@i-love.sakura.ne.jp
commit f867c771f98891841c217fa8459244ed0dd28921 upstream.
syzbot is reporting that mmput() from shrinker function has a risk of deadlock [1], for delayed_uprobe_add() from update_ref_ctr() calls kzalloc(GFP_KERNEL) with delayed_uprobe_lock held, and uprobe_clear_state() from __mmput() also holds delayed_uprobe_lock.
Commit a1b2289cef92ef0e ("android: binder: drop lru lock in isolate callback") replaced mmput() with mmput_async() in order to avoid sleeping with spinlock held. But this patch replaces mmput() with mmput_async() in order not to start __mmput() from shrinker context.
[1] https://syzkaller.appspot.com/bug?id=bc9e7303f537c41b2b0cc2dfcea3fc42964c2d4...
Reported-by: syzbot syzbot+1068f09c44d151250c33@syzkaller.appspotmail.com Reported-by: syzbot syzbot+e5344baa319c9a96edec@syzkaller.appspotmail.com Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Reviewed-by: Michal Hocko mhocko@suse.com Acked-by: Todd Kjos tkjos@google.com Acked-by: Christian Brauner christian.brauner@ubuntu.com Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/4ba9adb2-43f5-2de0-22de-f6075c1fab50@i-love.sakura... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/android/binder_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/android/binder_alloc.c +++ b/drivers/android/binder_alloc.c @@ -987,7 +987,7 @@ enum lru_status binder_alloc_free_page(s trace_binder_unmap_user_end(alloc, index); } up_read(&mm->mmap_sem); - mmput(mm); + mmput_async(mm);
trace_binder_unmap_kernel_start(alloc, index);
From: Chunfeng Yun chunfeng.yun@mediatek.com
commit 5ce1a24dd98c00a57a8fa13660648abf7e08e3ef upstream.
The wMaxPacketSize field of endpoint descriptor may be zero as default value in alternate interface, and they are not actually selected when start stream, so skip them when try to allocate bandwidth.
Cc: stable stable@vger.kernel.org Fixes: 0cbd4b34cda9 ("xhci: mediatek: support MTK xHCI host controller") Signed-off-by: Chunfeng Yun chunfeng.yun@mediatek.com Link: https://lore.kernel.org/r/1594360672-2076-1-git-send-email-chunfeng.yun@medi... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/host/xhci-mtk-sch.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/drivers/usb/host/xhci-mtk-sch.c +++ b/drivers/usb/host/xhci-mtk-sch.c @@ -275,6 +275,10 @@ static bool need_bw_sch(struct usb_host_ if (is_fs_or_ls(speed) && !has_tt) return false;
+ /* skip endpoint with zero maxpkt */ + if (usb_endpoint_maxp(&ep->desc) == 0) + return false; + return true; }
From: Forest Crossman cyrozap@gmail.com
commit dbb0897e805f2ab1b8bc358f6c3d878a376b8897 upstream.
The ASM2142/ASM3142 (same PCI IDs) does not support full 64-bit DMA addresses, which can cause silent memory corruption or IOMMU errors on platforms that use the upper bits. Add the XHCI_NO_64BIT_SUPPORT quirk to fix this issue.
Signed-off-by: Forest Crossman cyrozap@gmail.com Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200717112734.328432-1-cyrozap@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/host/xhci-pci.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/host/xhci-pci.c +++ b/drivers/usb/host/xhci-pci.c @@ -231,6 +231,9 @@ static void xhci_pci_quirks(struct devic if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && pdev->device == 0x1142) xhci->quirks |= XHCI_TRUST_TX_LENGTH; + if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && + pdev->device == 0x2142) + xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA && pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
From: Steve French stfrench@microsoft.com
commit 0e6705182d4e1b77248a93470d6d7b3013d59b30 upstream.
This reverts commit 9ffad9263b467efd8f8dc7ae1941a0a655a2bab2.
Upon additional testing with older servers, it was found that the original commit introduced a regression when using the old SMB1 dialect and rsyncing over an existing file.
The patch will need to be respun to address this, likely including a larger refactoring of the SMB1 and SMB3 rename code paths to make it less confusing and also to address some additional rename error cases that SMB3 may be able to workaround.
Signed-off-by: Steve French stfrench@microsoft.com Reported-by: Patrick Fernie patrick.fernie@gmail.com CC: Stable stable@vger.kernel.org Acked-by: Ronnie Sahlberg lsahlber@redhat.com Acked-by: Pavel Shilovsky pshilov@microsoft.com Acked-by: Zhang Xiaoxu zhangxiaoxu5@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/cifs/inode.c | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-)
--- a/fs/cifs/inode.c +++ b/fs/cifs/inode.c @@ -1783,7 +1783,6 @@ cifs_rename2(struct inode *source_dir, s FILE_UNIX_BASIC_INFO *info_buf_target; unsigned int xid; int rc, tmprc; - bool new_target = d_really_is_negative(target_dentry);
if (flags & ~RENAME_NOREPLACE) return -EINVAL; @@ -1860,13 +1859,8 @@ cifs_rename2(struct inode *source_dir, s */
unlink_target: - /* - * If the target dentry was created during the rename, try - * unlinking it if it's not negative - */ - if (new_target && - d_really_is_positive(target_dentry) && - (rc == -EACCES || rc == -EEXIST)) { + /* Try unlinking the target dentry if it's not negative */ + if (d_really_is_positive(target_dentry) && (rc == -EACCES || rc == -EEXIST)) { if (d_is_dir(target_dentry)) tmprc = cifs_rmdir(target_dir, target_dentry); else
From: Rustam Kovhaev rkovhaev@gmail.com
commit faaff9765664009c1c7c65551d32e9ed3b1dda8f upstream.
As syzkaller detected, wlan-ng driver does not do sanity check of endpoints in prism2sta_probe_usb(), add check for xfer direction and type
Reported-and-tested-by: syzbot+c2a1fa67c02faa0de723@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=c2a1fa67c02faa0de723 Signed-off-by: Rustam Kovhaev rkovhaev@gmail.com Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200722161052.999754-1-rkovhaev@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/wlan-ng/prism2usb.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-)
--- a/drivers/staging/wlan-ng/prism2usb.c +++ b/drivers/staging/wlan-ng/prism2usb.c @@ -61,11 +61,25 @@ static int prism2sta_probe_usb(struct us const struct usb_device_id *id) { struct usb_device *dev; - + const struct usb_endpoint_descriptor *epd; + const struct usb_host_interface *iface_desc = interface->cur_altsetting; struct wlandevice *wlandev = NULL; struct hfa384x *hw = NULL; int result = 0;
+ if (iface_desc->desc.bNumEndpoints != 2) { + result = -ENODEV; + goto failed; + } + + result = -EINVAL; + epd = &iface_desc->endpoint[1].desc; + if (!usb_endpoint_is_bulk_in(epd)) + goto failed; + epd = &iface_desc->endpoint[2].desc; + if (!usb_endpoint_is_bulk_out(epd)) + goto failed; + dev = interface_to_usbdev(interface); wlandev = create_wlan(); if (!wlandev) {
From: Ian Abbott abbotti@mev.co.uk
commit 0bd0db42a030b75c20028c7ba6e327b9cb554116 upstream.
The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this.
Fixes: 33cdce6293dcc ("staging: comedi: addi_apci_1032: conform to new INSN_CONFIG_DIGITAL_TRIG") Cc: stable@vger.kernel.org #3.8+ Signed-off-by: Ian Abbott abbotti@mev.co.uk Link: https://lore.kernel.org/r/20200717145257.112660-3-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/comedi/drivers/addi_apci_1032.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
--- a/drivers/staging/comedi/drivers/addi_apci_1032.c +++ b/drivers/staging/comedi/drivers/addi_apci_1032.c @@ -106,14 +106,22 @@ static int apci1032_cos_insn_config(stru unsigned int *data) { struct apci1032_private *devpriv = dev->private; - unsigned int shift, oldmask; + unsigned int shift, oldmask, himask, lomask;
switch (data[0]) { case INSN_CONFIG_DIGITAL_TRIG: if (data[1] != 0) return -EINVAL; shift = data[3]; - oldmask = (1U << shift) - 1; + if (shift < 32) { + oldmask = (1U << shift) - 1; + himask = data[4] << shift; + lomask = data[5] << shift; + } else { + oldmask = 0xffffffffu; + himask = 0; + lomask = 0; + } switch (data[2]) { case COMEDI_DIGITAL_TRIG_DISABLE: devpriv->ctrl = 0; @@ -136,8 +144,8 @@ static int apci1032_cos_insn_config(stru devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; case COMEDI_DIGITAL_TRIG_ENABLE_LEVELS: if (devpriv->ctrl != (APCI1032_CTRL_INT_ENA | @@ -154,8 +162,8 @@ static int apci1032_cos_insn_config(stru devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; default: return -EINVAL;
From: Ian Abbott abbotti@mev.co.uk
commit f07804ec77d77f8a9dcf570a24154e17747bc82f upstream.
`ni6527_intr_insn_config()` processes `INSN_CONFIG` comedi instructions for the "interrupt" subdevice. When `data[0]` is `INSN_CONFIG_DIGITAL_TRIG` it is configuring the digital trigger. When `data[2]` is `COMEDI_DIGITAL_TRIG_ENABLE_EDGES` it is configuring rising and falling edge detection for the digital trigger, using a base channel number (or shift amount) in `data[3]`, a rising edge bitmask in `data[4]` and falling edge bitmask in `data[5]`.
If the base channel number (shift amount) is greater than or equal to the number of channels (24) of the digital input subdevice, there are no changes to the rising and falling edges, so the mask of channels to be changed can be set to 0, otherwise the mask of channels to be changed, and the rising and falling edge bitmasks are shifted by the base channel number before calling `ni6527_set_edge_detection()` to change the appropriate registers. Unfortunately, the code is comparing the base channel (shift amount) to the interrupt subdevice's number of channels (1) instead of the digital input subdevice's number of channels (24). Fix it by comparing to 32 because all shift amounts for an `unsigned int` must be less than that and everything from bit 24 upwards is ignored by `ni6527_set_edge_detection()` anyway.
Fixes: 110f9e687c1a8 ("staging: comedi: ni_6527: support INSN_CONFIG_DIGITAL_TRIG") Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Ian Abbott abbotti@mev.co.uk Link: https://lore.kernel.org/r/20200717145257.112660-2-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/comedi/drivers/ni_6527.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/comedi/drivers/ni_6527.c +++ b/drivers/staging/comedi/drivers/ni_6527.c @@ -332,7 +332,7 @@ static int ni6527_intr_insn_config(struc case COMEDI_DIGITAL_TRIG_ENABLE_EDGES: /* check shift amount */ shift = data[3]; - if (shift >= s->n_chan) { + if (shift >= 32) { mask = 0; rising = 0; falling = 0;
From: Ian Abbott abbotti@mev.co.uk
commit fc846e9db67c7e808d77bf9e2ef3d49e3820ce5d upstream.
The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this, adjusting the checks for invalid channels so that enabled channel bits that would have been lost by shifting are also checked for validity. Only channels 0 to 15 are valid.
Fixes: a8c66b684efaf ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions") Cc: stable@vger.kernel.org #4.0+: ef75e14a6c93: staging: comedi: verify array index is correct before using it Cc: stable@vger.kernel.org #4.0+ Signed-off-by: Ian Abbott abbotti@mev.co.uk Link: https://lore.kernel.org/r/20200717145257.112660-5-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/comedi/drivers/addi_apci_1500.c | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-)
--- a/drivers/staging/comedi/drivers/addi_apci_1500.c +++ b/drivers/staging/comedi/drivers/addi_apci_1500.c @@ -452,13 +452,14 @@ static int apci1500_di_cfg_trig(struct c struct apci1500_private *devpriv = dev->private; unsigned int trig = data[1]; unsigned int shift = data[3]; - unsigned int hi_mask = data[4] << shift; - unsigned int lo_mask = data[5] << shift; - unsigned int chan_mask = hi_mask | lo_mask; - unsigned int old_mask = (1 << shift) - 1; + unsigned int hi_mask; + unsigned int lo_mask; + unsigned int chan_mask; + unsigned int old_mask; unsigned int pm; unsigned int pt; unsigned int pp; + unsigned int invalid_chan;
if (trig > 1) { dev_dbg(dev->class_dev, @@ -466,7 +467,20 @@ static int apci1500_di_cfg_trig(struct c return -EINVAL; }
- if (chan_mask > 0xffff) { + if (shift <= 16) { + hi_mask = data[4] << shift; + lo_mask = data[5] << shift; + old_mask = (1U << shift) - 1; + invalid_chan = (data[4] | data[5]) >> (16 - shift); + } else { + hi_mask = 0; + lo_mask = 0; + old_mask = 0xffff; + invalid_chan = data[4] | data[5]; + } + chan_mask = hi_mask | lo_mask; + + if (invalid_chan) { dev_dbg(dev->class_dev, "invalid digital trigger channel\n"); return -EINVAL; }
From: Ian Abbott abbotti@mev.co.uk
commit 926234f1b8434c4409aa4c53637aa3362ca07cea upstream.
The `INSN_CONFIG` comedi instruction with sub-instruction code `INSN_CONFIG_DIGITAL_TRIG` includes a base channel in `data[3]`. This is used as a right shift amount for other bitmask values without being checked. Shift amounts greater than or equal to 32 will result in undefined behavior. Add code to deal with this.
Fixes: 1e15687ea472 ("staging: comedi: addi_apci_1564: add Change-of-State interrupt subdevice and required functions") Cc: stable@vger.kernel.org #3.17+ Signed-off-by: Ian Abbott abbotti@mev.co.uk Link: https://lore.kernel.org/r/20200717145257.112660-4-abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/comedi/drivers/addi_apci_1564.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)
--- a/drivers/staging/comedi/drivers/addi_apci_1564.c +++ b/drivers/staging/comedi/drivers/addi_apci_1564.c @@ -331,14 +331,22 @@ static int apci1564_cos_insn_config(stru unsigned int *data) { struct apci1564_private *devpriv = dev->private; - unsigned int shift, oldmask; + unsigned int shift, oldmask, himask, lomask;
switch (data[0]) { case INSN_CONFIG_DIGITAL_TRIG: if (data[1] != 0) return -EINVAL; shift = data[3]; - oldmask = (1U << shift) - 1; + if (shift < 32) { + oldmask = (1U << shift) - 1; + himask = data[4] << shift; + lomask = data[5] << shift; + } else { + oldmask = 0xffffffffu; + himask = 0; + lomask = 0; + } switch (data[2]) { case COMEDI_DIGITAL_TRIG_DISABLE: devpriv->ctrl = 0; @@ -362,8 +370,8 @@ static int apci1564_cos_insn_config(stru devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; case COMEDI_DIGITAL_TRIG_ENABLE_LEVELS: if (devpriv->ctrl != (APCI1564_DI_IRQ_ENA | @@ -380,8 +388,8 @@ static int apci1564_cos_insn_config(stru devpriv->mode2 &= oldmask; } /* configure specified channels */ - devpriv->mode1 |= data[4] << shift; - devpriv->mode2 |= data[5] << shift; + devpriv->mode1 |= himask; + devpriv->mode2 |= lomask; break; default: return -EINVAL;
From: Yang Yingliang yangyingliang@huawei.com
commit f4c23a140d80ef5e6d3d1f8f57007649014b60fa upstream.
I got null-ptr-deref in serial8250_start_tx():
[ 78.114630] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 78.123778] Mem abort info: [ 78.126560] ESR = 0x86000007 [ 78.129603] EC = 0x21: IABT (current EL), IL = 32 bits [ 78.134891] SET = 0, FnV = 0 [ 78.137933] EA = 0, S1PTW = 0 [ 78.141064] user pgtable: 64k pages, 48-bit VAs, pgdp=00000027d41a8600 [ 78.147562] [0000000000000000] pgd=00000027893f0003, p4d=00000027893f0003, pud=00000027893f0003, pmd=00000027c9a20003, pte=0000000000000000 [ 78.160029] Internal error: Oops: 86000007 [#1] SMP [ 78.164886] Modules linked in: sunrpc vfat fat aes_ce_blk crypto_simd cryptd aes_ce_cipher crct10dif_ce ghash_ce sha2_ce sha256_arm64 sha1_ce ses enclosure sg sbsa_gwdt ipmi_ssif spi_dw_mmio sch_fq_codel vhost_net tun vhost vhost_iotlb tap ip_tables ext4 mbcache jbd2 ahci hisi_sas_v3_hw libahci hisi_sas_main libsas hns3 scsi_transport_sas hclge libata megaraid_sas ipmi_si hnae3 ipmi_devintf ipmi_msghandler br_netfilter bridge stp llc nvme nvme_core xt_sctp sctp libcrc32c dm_mod nbd [ 78.207383] CPU: 11 PID: 23258 Comm: null-ptr Not tainted 5.8.0-rc6+ #48 [ 78.214056] Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 CS V3.B210.01 03/12/2020 [ 78.222888] pstate: 80400089 (Nzcv daIf +PAN -UAO BTYPE=--) [ 78.228435] pc : 0x0 [ 78.230618] lr : serial8250_start_tx+0x160/0x260 [ 78.235215] sp : ffff800062eefb80 [ 78.238517] x29: ffff800062eefb80 x28: 0000000000000fff [ 78.243807] x27: ffff800062eefd80 x26: ffff202fd83b3000 [ 78.249098] x25: ffff800062eefd80 x24: ffff202fd83b3000 [ 78.254388] x23: ffff002fc5e50be8 x22: 0000000000000002 [ 78.259679] x21: 0000000000000001 x20: 0000000000000000 [ 78.264969] x19: ffffa688827eecc8 x18: 0000000000000000 [ 78.270259] x17: 0000000000000000 x16: 0000000000000000 [ 78.275550] x15: ffffa68881bc67a8 x14: 00000000000002e6 [ 78.280841] x13: ffffa68881bc67a8 x12: 000000000000c539 [ 78.286131] x11: d37a6f4de9bd37a7 x10: ffffa68881cccff0 [ 78.291421] x9 : ffffa68881bc6000 x8 : ffffa688819daa88 [ 78.296711] x7 : ffffa688822a0f20 x6 : ffffa688819e0000 [ 78.302002] x5 : ffff800062eef9d0 x4 : ffffa68881e707a8 [ 78.307292] x3 : 0000000000000000 x2 : 0000000000000002 [ 78.312582] x1 : 0000000000000001 x0 : ffffa688827eecc8 [ 78.317873] Call trace: [ 78.320312] 0x0 [ 78.322147] __uart_start.isra.9+0x64/0x78 [ 78.326229] uart_start+0xb8/0x1c8 [ 78.329620] uart_flush_chars+0x24/0x30 [ 78.333442] n_tty_receive_buf_common+0x7b0/0xc30 [ 78.338128] n_tty_receive_buf+0x44/0x2c8 [ 78.342122] tty_ioctl+0x348/0x11f8 [ 78.345599] ksys_ioctl+0xd8/0xf8 [ 78.348903] __arm64_sys_ioctl+0x2c/0xc8 [ 78.352812] el0_svc_common.constprop.2+0x88/0x1b0 [ 78.357583] do_el0_svc+0x44/0xd0 [ 78.360887] el0_sync_handler+0x14c/0x1d0 [ 78.364880] el0_sync+0x140/0x180 [ 78.368185] Code: bad PC value
SERIAL_PORT_DFNS is not defined on each arch, if it's not defined, serial8250_set_defaults() won't be called in serial8250_isa_init_ports(), so the p->serial_in pointer won't be initialized, and it leads a null-ptr-deref. Fix this problem by calling serial8250_set_defaults() after init uart port.
Signed-off-by: Yang Yingliang yangyingliang@huawei.com Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200721143852.4058352-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/8250/8250_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/tty/serial/8250/8250_core.c +++ b/drivers/tty/serial/8250/8250_core.c @@ -527,6 +527,7 @@ static void __init serial8250_isa_init_p */ up->mcr_mask = ~ALPHA_KLUDGE_MCR; up->mcr_force = ALPHA_KLUDGE_MCR; + serial8250_set_defaults(up); }
/* chain base port ops to support Remote Supervisor Adapter */ @@ -550,7 +551,6 @@ static void __init serial8250_isa_init_p port->membase = old_serial_port[i].iomem_base; port->iotype = old_serial_port[i].io_type; port->regshift = old_serial_port[i].iomem_reg_shift; - serial8250_set_defaults(up);
port->irqflags |= irqflag; if (serial8250_isa_config != NULL)
From: Serge Semin Sergey.Semin@baikalelectronics.ru
commit 551e553f0d4ab623e2a6f424ab5834f9c7b5229c upstream.
Commit 7b668c064ec3 ("serial: 8250: Fix max baud limit in generic 8250 port") fixed limits of a baud rate setting for a generic 8250 port. In other words since that commit the baud rate has been permitted to be within [uartclk / 16 / UART_DIV_MAX; uartclk / 16], which is absolutely normal for a standard 8250 UART port. But there are custom 8250 ports, which provide extended baud rate limits. In particular the Mediatek 8250 port can work with baud rates up to "uartclk" speed.
Normally that and any other peculiarity is supposed to be handled in a custom set_termios() callback implemented in the vendor-specific 8250-port glue-driver. Currently that is how it's done for the most of the vendor-specific 8250 ports, but for some reason for Mediatek a solution has been spread out to both the glue-driver and to the generic 8250-port code. Due to that a bug has been introduced, which permitted the extended baud rate limit for all even for standard 8250-ports. The bug has been fixed by the commit 7b668c064ec3 ("serial: 8250: Fix max baud limit in generic 8250 port") by narrowing the baud rates limit back down to the normal bounds. Unfortunately by doing so we also broke the Mediatek-specific extended bauds feature.
A fix of the problem described above is twofold. First since we can't get back the extended baud rate limits feature to the generic set_termios() function and that method supports only a standard baud rates range, the requested baud rate must be locally stored before calling it and then restored back to the new termios structure after the generic set_termios() finished its magic business. By doing so we still use the serial8250_do_set_termios() method to set the LCR/MCR/FCR/etc. registers, while the extended baud rate setting procedure will be performed later in the custom Mediatek-specific set_termios() callback. Second since a true baud rate is now fully calculated in the custom set_termios() method we need to locally update the port timeout by calling the uart_update_timeout() function. After the fixes described above are implemented in the 8250_mtk.c driver, the Mediatek 8250-port should get back to normally working with extended baud rates.
Link: https://lore.kernel.org/linux-serial/20200701211337.3027448-1-danielwinkler@...
Fixes: 7b668c064ec3 ("serial: 8250: Fix max baud limit in generic 8250 port") Reported-by: Daniel Winkler danielwinkler@google.com Signed-off-by: Serge Semin Sergey.Semin@baikalelectronics.ru Cc: stable stable@vger.kernel.org Tested-by: Claire Chang tientzu@chromium.org Link: https://lore.kernel.org/r/20200714124113.20918-1-Sergey.Semin@baikalelectron... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/8250/8250_mtk.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
--- a/drivers/tty/serial/8250/8250_mtk.c +++ b/drivers/tty/serial/8250/8250_mtk.c @@ -36,8 +36,21 @@ mtk8250_set_termios(struct uart_port *po unsigned long flags; unsigned int baud, quot;
+ /* + * Store the requested baud rate before calling the generic 8250 + * set_termios method. Standard 8250 port expects bauds to be + * no higher than (uartclk / 16) so the baud will be clamped if it + * gets out of that bound. Mediatek 8250 port supports speed + * higher than that, therefore we'll get original baud rate back + * after calling the generic set_termios method and recalculate + * the speed later in this method. + */ + baud = tty_termios_baud_rate(termios); + serial8250_do_set_termios(port, termios, old);
+ tty_termios_encode_baud_rate(termios, baud, baud); + /* * Mediatek UARTs use an extra highspeed register (UART_MTK_HIGHS) * @@ -76,6 +89,11 @@ mtk8250_set_termios(struct uart_port *po */ spin_lock_irqsave(&port->lock, flags);
+ /* + * Update the per-port timeout. + */ + uart_update_timeout(port, termios->c_cflag, baud); + /* set DLAB we have cval saved in up->lcr from the call to the core */ serial_port_out(port, UART_LCR, up->lcr | UART_LCR_DLAB); serial_dl_write(up, quot);
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
commit 033724d6864245a11f8e04c066002e6ad22b3fd0 upstream.
syzbot is reporting general protection fault in bitfill_aligned() [1] caused by integer underflow in bit_clear_margins(). The cause of this problem is when and how do_vc_resize() updates vc->vc_{cols,rows}.
If vc_do_resize() fails (e.g. kzalloc() fails) when var.xres or var.yres is going to shrink, vc->vc_{cols,rows} will not be updated. This allows bit_clear_margins() to see info->var.xres < (vc->vc_cols * cw) or info->var.yres < (vc->vc_rows * ch). Unexpectedly large rw or bh will try to overrun the __iomem region and causes general protection fault.
Also, vc_resize(vc, 0, 0) does not set vc->vc_{cols,rows} = 0 due to
new_cols = (cols ? cols : vc->vc_cols); new_rows = (lines ? lines : vc->vc_rows);
exception. Since cols and lines are calculated as
cols = FBCON_SWAP(ops->rotate, info->var.xres, info->var.yres); rows = FBCON_SWAP(ops->rotate, info->var.yres, info->var.xres); cols /= vc->vc_font.width; rows /= vc->vc_font.height; vc_resize(vc, cols, rows);
in fbcon_modechanged(), var.xres < vc->vc_font.width makes cols = 0 and var.yres < vc->vc_font.height makes rows = 0. This means that
const int fd = open("/dev/fb0", O_ACCMODE); struct fb_var_screeninfo var = { }; ioctl(fd, FBIOGET_VSCREENINFO, &var); var.xres = var.yres = 1; ioctl(fd, FBIOPUT_VSCREENINFO, &var);
easily reproduces integer underflow bug explained above.
Of course, callers of vc_resize() are not handling vc_do_resize() failure is bad. But we can't avoid vc_resize(vc, 0, 0) which returns 0. Therefore, as a band-aid workaround, this patch checks integer underflow in "struct fbcon_ops"->clear_margins call, assuming that vc->vc_cols * vc->vc_font.width and vc->vc_rows * vc->vc_font.heigh do not cause integer overflow.
[1] https://syzkaller.appspot.com/bug?id=a565882df74fa76f10d3a6fec4be31098dbb37c...
Reported-and-tested-by: syzbot syzbot+e5fd3e65515b48c02a30@syzkaller.appspotmail.com Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Acked-by: Daniel Vetter daniel.vetter@ffwll.ch Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200715015102.3814-1-penguin-kernel@I-love.SAKURA... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/video/fbdev/core/bitblit.c | 4 ++-- drivers/video/fbdev/core/fbcon_ccw.c | 4 ++-- drivers/video/fbdev/core/fbcon_cw.c | 4 ++-- drivers/video/fbdev/core/fbcon_ud.c | 4 ++-- 4 files changed, 8 insertions(+), 8 deletions(-)
--- a/drivers/video/fbdev/core/bitblit.c +++ b/drivers/video/fbdev/core/bitblit.c @@ -216,7 +216,7 @@ static void bit_clear_margins(struct vc_ region.color = color; region.rop = ROP_COPY;
- if (rw && !bottom_only) { + if ((int) rw > 0 && !bottom_only) { region.dx = info->var.xoffset + rs; region.dy = 0; region.width = rw; @@ -224,7 +224,7 @@ static void bit_clear_margins(struct vc_ info->fbops->fb_fillrect(info, ®ion); }
- if (bh) { + if ((int) bh > 0) { region.dx = info->var.xoffset; region.dy = info->var.yoffset + bs; region.width = rs; --- a/drivers/video/fbdev/core/fbcon_ccw.c +++ b/drivers/video/fbdev/core/fbcon_ccw.c @@ -201,7 +201,7 @@ static void ccw_clear_margins(struct vc_ region.color = color; region.rop = ROP_COPY;
- if (rw && !bottom_only) { + if ((int) rw > 0 && !bottom_only) { region.dx = 0; region.dy = info->var.yoffset; region.height = rw; @@ -209,7 +209,7 @@ static void ccw_clear_margins(struct vc_ info->fbops->fb_fillrect(info, ®ion); }
- if (bh) { + if ((int) bh > 0) { region.dx = info->var.xoffset + bs; region.dy = 0; region.height = info->var.yres_virtual; --- a/drivers/video/fbdev/core/fbcon_cw.c +++ b/drivers/video/fbdev/core/fbcon_cw.c @@ -184,7 +184,7 @@ static void cw_clear_margins(struct vc_d region.color = color; region.rop = ROP_COPY;
- if (rw && !bottom_only) { + if ((int) rw > 0 && !bottom_only) { region.dx = 0; region.dy = info->var.yoffset + rs; region.height = rw; @@ -192,7 +192,7 @@ static void cw_clear_margins(struct vc_d info->fbops->fb_fillrect(info, ®ion); }
- if (bh) { + if ((int) bh > 0) { region.dx = info->var.xoffset; region.dy = info->var.yoffset; region.height = info->var.yres; --- a/drivers/video/fbdev/core/fbcon_ud.c +++ b/drivers/video/fbdev/core/fbcon_ud.c @@ -231,7 +231,7 @@ static void ud_clear_margins(struct vc_d region.color = color; region.rop = ROP_COPY;
- if (rw && !bottom_only) { + if ((int) rw > 0 && !bottom_only) { region.dy = 0; region.dx = info->var.xoffset; region.width = rw; @@ -239,7 +239,7 @@ static void ud_clear_margins(struct vc_d info->fbops->fb_fillrect(info, ®ion); }
- if (bh) { + if ((int) bh > 0) { region.dy = info->var.yoffset; region.dx = info->var.xoffset; region.height = bh;
From: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp
commit ce684552a266cb1c7cc2f7e623f38567adec6653 upstream.
syzbot is reporting general protection fault in do_con_write() [1] caused by vc->vc_screenbuf == ZERO_SIZE_PTR caused by vc->vc_screenbuf_size == 0 caused by vc->vc_cols == vc->vc_rows == vc->vc_size_row == 0 caused by fb_set_var() from ioctl(FBIOPUT_VSCREENINFO) on /dev/fb0 , for gotoxy(vc, 0, 0) from reset_terminal() from vc_init() from vc_allocate() from con_install() from tty_init_dev() from tty_open() on such console causes vc->vc_pos == 0x10000000e due to ((unsigned long) ZERO_SIZE_PTR) + -1U * 0 + (-1U << 1).
I don't think that a console with 0 column or 0 row makes sense. And it seems that vc_do_resize() does not intend to allow resizing a console to 0 column or 0 row due to
new_cols = (cols ? cols : vc->vc_cols); new_rows = (lines ? lines : vc->vc_rows);
exception.
Theoretically, cols and rows can be any range as long as 0 < cols * rows * 2 <= KMALLOC_MAX_SIZE is satisfied (e.g. cols == 1048576 && rows == 2 is possible) because of
vc->vc_size_row = vc->vc_cols << 1; vc->vc_screenbuf_size = vc->vc_rows * vc->vc_size_row;
in visual_init() and kzalloc(vc->vc_screenbuf_size) in vc_allocate().
Since we can detect cols == 0 or rows == 0 via screenbuf_size = 0 in visual_init(), we can reject kzalloc(0). Then, vc_allocate() will return an error, and con_write() will not be called on a console with 0 column or 0 row.
We need to make sure that integer overflow in visual_init() won't happen. Since vc_do_resize() restricts cols <= 32767 and rows <= 32767, applying 1 <= cols <= 32767 and 1 <= rows <= 32767 restrictions to vc_allocate() will be practically fine.
This patch does not touch con_init(), for returning -EINVAL there does not help when we are not returning -ENOMEM.
[1] https://syzkaller.appspot.com/bug?extid=017265e8553724e514e8
Reported-and-tested-by: syzbot syzbot+017265e8553724e514e8@syzkaller.appspotmail.com Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Cc: stable stable@vger.kernel.org Link: https://lore.kernel.org/r/20200712111013.11881-1-penguin-kernel@I-love.SAKUR... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/vt/vt.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-)
--- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -1095,10 +1095,19 @@ static const struct tty_port_operations .destruct = vc_port_destruct, };
+/* + * Change # of rows and columns (0 means unchanged/the size of fg_console) + * [this is to be used together with some user program + * like resize that changes the hardware videomode] + */ +#define VC_MAXCOL (32767) +#define VC_MAXROW (32767) + int vc_allocate(unsigned int currcons) /* return 0 on success */ { struct vt_notifier_param param; struct vc_data *vc; + int err;
WARN_CONSOLE_UNLOCKED();
@@ -1128,6 +1137,11 @@ int vc_allocate(unsigned int currcons) / if (!*vc->vc_uni_pagedir_loc) con_set_default_unimap(vc);
+ err = -EINVAL; + if (vc->vc_cols > VC_MAXCOL || vc->vc_rows > VC_MAXROW || + vc->vc_screenbuf_size > KMALLOC_MAX_SIZE || !vc->vc_screenbuf_size) + goto err_free; + err = -ENOMEM; vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); if (!vc->vc_screenbuf) goto err_free; @@ -1146,7 +1160,7 @@ err_free: visual_deinit(vc); kfree(vc); vc_cons[currcons].d = NULL; - return -ENOMEM; + return err; }
static inline int resize_screen(struct vc_data *vc, int width, int height, @@ -1161,14 +1175,6 @@ static inline int resize_screen(struct v return err; }
-/* - * Change # of rows and columns (0 means unchanged/the size of fg_console) - * [this is to be used together with some user program - * like resize that changes the hardware videomode] - */ -#define VC_RESIZE_MAXCOL (32767) -#define VC_RESIZE_MAXROW (32767) - /** * vc_do_resize - resizing method for the tty * @tty: tty being resized @@ -1204,7 +1210,7 @@ static int vc_do_resize(struct tty_struc user = vc->vc_resize_user; vc->vc_resize_user = 0;
- if (cols > VC_RESIZE_MAXCOL || lines > VC_RESIZE_MAXROW) + if (cols > VC_MAXCOL || lines > VC_MAXROW) return -EINVAL;
new_cols = (cols ? cols : vc->vc_cols); @@ -1215,7 +1221,7 @@ static int vc_do_resize(struct tty_struc if (new_cols == vc->vc_cols && new_rows == vc->vc_rows) return 0;
- if (new_screen_size > KMALLOC_MAX_SIZE) + if (new_screen_size > KMALLOC_MAX_SIZE || !new_screen_size) return -EINVAL; newscreen = kzalloc(new_screen_size, GFP_USER); if (!newscreen) @@ -3371,6 +3377,7 @@ static int __init con_init(void) INIT_WORK(&vc_cons[currcons].SAK_work, vc_SAK); tty_port_init(&vc->port); visual_init(vc, currcons, 1); + /* Assuming vc->vc_{cols,rows,screenbuf_size} are sane here. */ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_NOWAIT); vc_init(vc, vc->vc_rows, vc->vc_cols, currcons || !vc->vc_sw->con_save_screen);
From: Fangrui Song maskray@google.com
commit ca9b31f6bb9c6aa9b4e5f0792f39a97bbffb8c51 upstream.
When CROSS_COMPILE is set (e.g. aarch64-linux-gnu-), if $(CROSS_COMPILE)elfedit is found at /usr/bin/aarch64-linux-gnu-elfedit, GCC_TOOLCHAIN_DIR will be set to /usr/bin/. --prefix= will be set to /usr/bin/ and Clang as of 11 will search for both $(prefix)aarch64-linux-gnu-$needle and $(prefix)$needle.
GCC searchs for $(prefix)aarch64-linux-gnu/$version/$needle, $(prefix)aarch64-linux-gnu/$needle and $(prefix)$needle. In practice, $(prefix)aarch64-linux-gnu/$needle rarely contains executables.
To better model how GCC's -B/--prefix takes in effect in practice, newer Clang (since https://github.com/llvm/llvm-project/commit/3452a0d8c17f7166f479706b293caf6a...) only searches for $(prefix)$needle. Currently it will find /usr/bin/as instead of /usr/bin/aarch64-linux-gnu-as.
Set --prefix= to $(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE)) (/usr/bin/aarch64-linux-gnu-) so that newer Clang can find the appropriate cross compiling GNU as (when -no-integrated-as is in effect).
Cc: stable@vger.kernel.org Reported-by: Nathan Chancellor natechancellor@gmail.com Signed-off-by: Fangrui Song maskray@google.com Reviewed-by: Nathan Chancellor natechancellor@gmail.com Tested-by: Nathan Chancellor natechancellor@gmail.com Tested-by: Nick Desaulniers ndesaulniers@google.com Link: https://github.com/ClangBuiltLinux/linux/issues/1099 Reviewed-by: Nick Desaulniers ndesaulniers@google.com Signed-off-by: Masahiro Yamada masahiroy@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Makefile +++ b/Makefile @@ -485,7 +485,7 @@ ifeq ($(cc-name),clang) ifneq ($(CROSS_COMPILE),) CLANG_FLAGS += --target=$(notdir $(CROSS_COMPILE:%-=%)) GCC_TOOLCHAIN_DIR := $(dir $(shell which $(CROSS_COMPILE)elfedit)) -CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR) +CLANG_FLAGS += --prefix=$(GCC_TOOLCHAIN_DIR)$(notdir $(CROSS_COMPILE)) GCC_TOOLCHAIN := $(realpath $(GCC_TOOLCHAIN_DIR)/..) endif ifneq ($(GCC_TOOLCHAIN),)
From: Hugh Dickins hughd@google.com
commit 8d22a9351035ef2ff12ef163a1091b8b8cf1e49c upstream.
It was hard to keep a test running, moving tasks between memcgs with move_charge_at_immigrate, while swapping: mem_cgroup_id_get_many()'s refcount is discovered to be 0 (supposedly impossible), so it is then forced to REFCOUNT_SATURATED, and after thousands of warnings in quick succession, the test is at last put out of misery by being OOM killed.
This is because of the way moved_swap accounting was saved up until the task move gets completed in __mem_cgroup_clear_mc(), deferred from when mem_cgroup_move_swap_account() actually exchanged old and new ids. Concurrent activity can free up swap quicker than the task is scanned, bringing id refcount down 0 (which should only be possible when offlining).
Just skip that optimization: do that part of the accounting immediately.
Fixes: 615d66c37c75 ("mm: memcontrol: fix memcg id ref counter on swap charge move") Signed-off-by: Hugh Dickins hughd@google.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Alex Shi alex.shi@linux.alibaba.com Cc: Johannes Weiner hannes@cmpxchg.org Cc: Alex Shi alex.shi@linux.alibaba.com Cc: Shakeel Butt shakeelb@google.com Cc: Michal Hocko mhocko@suse.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2007071431050.4726@eggly.anvils Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- mm/memcontrol.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/mm/memcontrol.c +++ b/mm/memcontrol.c @@ -5147,7 +5147,6 @@ static void __mem_cgroup_clear_mc(void) if (!mem_cgroup_is_root(mc.to)) page_counter_uncharge(&mc.to->memory, mc.moved_swap);
- mem_cgroup_id_get_many(mc.to, mc.moved_swap); css_put_many(&mc.to->css, mc.moved_swap);
mc.moved_swap = 0; @@ -5338,7 +5337,8 @@ put: /* get_mctgt_type() gets the page ent = target.ent; if (!mem_cgroup_move_swap_account(ent, mc.from, mc.to)) { mc.precharge--; - /* we fixup refcnts and charges later. */ + mem_cgroup_id_get_many(mc.to, 1); + /* we fixup other refcnts and charges later. */ mc.moved_swap++; } break;
From: Muchun Song songmuchun@bytedance.com
commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
If the kmem_cache refcount is greater than one, we should not mark the root kmem_cache as dying. If we mark the root kmem_cache dying incorrectly, the non-root kmem_cache can never be destroyed. It resulted in memory leak when memcg was destroyed. We can use the following steps to reproduce.
1) Use kmem_cache_create() to create a new kmem_cache named A. 2) Coincidentally, the kmem_cache A is an alias for kmem_cache B, so the refcount of B is just increased. 3) Use kmem_cache_destroy() to destroy the kmem_cache A, just decrease the B's refcount but mark the B as dying. 4) Create a new memory cgroup and alloc memory from the kmem_cache B. It leads to create a non-root kmem_cache for allocating memory. 5) When destroy the memory cgroup created in the step 4), the non-root kmem_cache can never be destroyed.
If we repeat steps 4) and 5), this will cause a lot of memory leak. So only when refcount reach zero, we mark the root kmem_cache as dying.
Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") Signed-off-by: Muchun Song songmuchun@bytedance.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Shakeel Butt shakeelb@google.com Acked-by: Roman Gushchin guro@fb.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Christoph Lameter cl@linux.com Cc: Pekka Enberg penberg@kernel.org Cc: David Rientjes rientjes@google.com Cc: Joonsoo Kim iamjoonsoo.kim@lge.com Cc: Shakeel Butt shakeelb@google.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-)
--- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache * if (s->refcount < 0) return 1;
+#ifdef CONFIG_MEMCG_KMEM + /* + * Skip the dying kmem_cache. + */ + if (s->memcg_params.dying) + return 1; +#endif + return 0; }
@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct return 0; }
-static void flush_memcg_workqueue(struct kmem_cache *s) +static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { mutex_lock(&slab_mutex); s->memcg_params.dying = true; mutex_unlock(&slab_mutex); +}
+static void flush_memcg_workqueue(struct kmem_cache *s) +{ /* * SLUB deactivates the kmem_caches through call_rcu_sched. Make * sure all registered rcu callbacks have been invoked. @@ -858,10 +869,6 @@ static inline int shutdown_memcg_caches( { return 0; } - -static inline void flush_memcg_workqueue(struct kmem_cache *s) -{ -} #endif /* CONFIG_MEMCG_KMEM */
void slab_kmem_cache_release(struct kmem_cache *s) @@ -879,8 +886,6 @@ void kmem_cache_destroy(struct kmem_cach if (unlikely(!s)) return;
- flush_memcg_workqueue(s); - get_online_cpus(); get_online_mems();
@@ -890,6 +895,22 @@ void kmem_cache_destroy(struct kmem_cach if (s->refcount) goto out_unlock;
+#ifdef CONFIG_MEMCG_KMEM + memcg_set_kmem_cache_dying(s); + + mutex_unlock(&slab_mutex); + + put_online_mems(); + put_online_cpus(); + + flush_memcg_workqueue(s); + + get_online_cpus(); + get_online_mems(); + + mutex_lock(&slab_mutex); +#endif + err = shutdown_memcg_caches(s); if (!err) err = shutdown_cache(s);
On Mon, Jul 27, 2020 at 10:12 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
From: Muchun Song songmuchun@bytedance.com
commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
If the kmem_cache refcount is greater than one, we should not mark the root kmem_cache as dying. If we mark the root kmem_cache dying incorrectly, the non-root kmem_cache can never be destroyed. It resulted in memory leak when memcg was destroyed. We can use the following steps to reproduce.
- Use kmem_cache_create() to create a new kmem_cache named A.
- Coincidentally, the kmem_cache A is an alias for kmem_cache B, so the refcount of B is just increased.
- Use kmem_cache_destroy() to destroy the kmem_cache A, just decrease the B's refcount but mark the B as dying.
- Create a new memory cgroup and alloc memory from the kmem_cache B. It leads to create a non-root kmem_cache for allocating memory.
- When destroy the memory cgroup created in the step 4), the non-root kmem_cache can never be destroyed.
If we repeat steps 4) and 5), this will cause a lot of memory leak. So only when refcount reach zero, we mark the root kmem_cache as dying.
Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") Signed-off-by: Muchun Song songmuchun@bytedance.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Shakeel Butt shakeelb@google.com Acked-by: Roman Gushchin guro@fb.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Christoph Lameter cl@linux.com Cc: Pekka Enberg penberg@kernel.org Cc: David Rientjes rientjes@google.com Cc: Joonsoo Kim iamjoonsoo.kim@lge.com Cc: Shakeel Butt shakeelb@google.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-)
--- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache * if (s->refcount < 0) return 1;
+#ifdef CONFIG_MEMCG_KMEM
/** Skip the dying kmem_cache.*/if (s->memcg_params.dying)return 1;+#endif
return 0;}
@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct return 0; }
-static void flush_memcg_workqueue(struct kmem_cache *s) +static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { mutex_lock(&slab_mutex); s->memcg_params.dying = true; mutex_unlock(&slab_mutex);
We should remove mutex_lock/unlock(&slab_mutex) here, because we already hold the slab_mutex from kmem_cache_destroy().
+}
+static void flush_memcg_workqueue(struct kmem_cache *s) +{ /* * SLUB deactivates the kmem_caches through call_rcu_sched. Make * sure all registered rcu callbacks have been invoked. @@ -858,10 +869,6 @@ static inline int shutdown_memcg_caches( { return 0; }
-static inline void flush_memcg_workqueue(struct kmem_cache *s) -{ -} #endif /* CONFIG_MEMCG_KMEM */
void slab_kmem_cache_release(struct kmem_cache *s) @@ -879,8 +886,6 @@ void kmem_cache_destroy(struct kmem_cach if (unlikely(!s)) return;
flush_memcg_workqueue(s);get_online_cpus(); get_online_mems();@@ -890,6 +895,22 @@ void kmem_cache_destroy(struct kmem_cach if (s->refcount) goto out_unlock;
+#ifdef CONFIG_MEMCG_KMEM
memcg_set_kmem_cache_dying(s);mutex_unlock(&slab_mutex);put_online_mems();put_online_cpus();flush_memcg_workqueue(s);get_online_cpus();get_online_mems();mutex_lock(&slab_mutex);+#endif
err = shutdown_memcg_caches(s); if (!err) err = shutdown_cache(s);
-- Yours, Muchun
On Tue, Jul 28, 2020 at 08:56:41PM +0800, Muchun Song wrote:
On Mon, Jul 27, 2020 at 10:12 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
From: Muchun Song songmuchun@bytedance.com
commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
If the kmem_cache refcount is greater than one, we should not mark the root kmem_cache as dying. If we mark the root kmem_cache dying incorrectly, the non-root kmem_cache can never be destroyed. It resulted in memory leak when memcg was destroyed. We can use the following steps to reproduce.
- Use kmem_cache_create() to create a new kmem_cache named A.
- Coincidentally, the kmem_cache A is an alias for kmem_cache B, so the refcount of B is just increased.
- Use kmem_cache_destroy() to destroy the kmem_cache A, just decrease the B's refcount but mark the B as dying.
- Create a new memory cgroup and alloc memory from the kmem_cache B. It leads to create a non-root kmem_cache for allocating memory.
- When destroy the memory cgroup created in the step 4), the non-root kmem_cache can never be destroyed.
If we repeat steps 4) and 5), this will cause a lot of memory leak. So only when refcount reach zero, we mark the root kmem_cache as dying.
Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") Signed-off-by: Muchun Song songmuchun@bytedance.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Shakeel Butt shakeelb@google.com Acked-by: Roman Gushchin guro@fb.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Christoph Lameter cl@linux.com Cc: Pekka Enberg penberg@kernel.org Cc: David Rientjes rientjes@google.com Cc: Joonsoo Kim iamjoonsoo.kim@lge.com Cc: Shakeel Butt shakeelb@google.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-)
--- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache * if (s->refcount < 0) return 1;
+#ifdef CONFIG_MEMCG_KMEM
/** Skip the dying kmem_cache.*/if (s->memcg_params.dying)return 1;+#endif
return 0;}
@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct return 0; }
-static void flush_memcg_workqueue(struct kmem_cache *s) +static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { mutex_lock(&slab_mutex); s->memcg_params.dying = true; mutex_unlock(&slab_mutex);
We should remove mutex_lock/unlock(&slab_mutex) here, because we already hold the slab_mutex from kmem_cache_destroy().
Good catch. I'll go make this change and push out a -rc2.
thanks,
greg k-h
On Tue, Jul 28, 2020 at 08:56:41PM +0800, Muchun Song wrote:
On Mon, Jul 27, 2020 at 10:12 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
From: Muchun Song songmuchun@bytedance.com
commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
If the kmem_cache refcount is greater than one, we should not mark the root kmem_cache as dying. If we mark the root kmem_cache dying incorrectly, the non-root kmem_cache can never be destroyed. It resulted in memory leak when memcg was destroyed. We can use the following steps to reproduce.
- Use kmem_cache_create() to create a new kmem_cache named A.
- Coincidentally, the kmem_cache A is an alias for kmem_cache B, so the refcount of B is just increased.
- Use kmem_cache_destroy() to destroy the kmem_cache A, just decrease the B's refcount but mark the B as dying.
- Create a new memory cgroup and alloc memory from the kmem_cache B. It leads to create a non-root kmem_cache for allocating memory.
- When destroy the memory cgroup created in the step 4), the non-root kmem_cache can never be destroyed.
If we repeat steps 4) and 5), this will cause a lot of memory leak. So only when refcount reach zero, we mark the root kmem_cache as dying.
Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") Signed-off-by: Muchun Song songmuchun@bytedance.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Shakeel Butt shakeelb@google.com Acked-by: Roman Gushchin guro@fb.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Christoph Lameter cl@linux.com Cc: Pekka Enberg penberg@kernel.org Cc: David Rientjes rientjes@google.com Cc: Joonsoo Kim iamjoonsoo.kim@lge.com Cc: Shakeel Butt shakeelb@google.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-)
--- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache * if (s->refcount < 0) return 1;
+#ifdef CONFIG_MEMCG_KMEM
/** Skip the dying kmem_cache.*/if (s->memcg_params.dying)return 1;+#endif
return 0;}
@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct return 0; }
-static void flush_memcg_workqueue(struct kmem_cache *s) +static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { mutex_lock(&slab_mutex); s->memcg_params.dying = true; mutex_unlock(&slab_mutex);
We should remove mutex_lock/unlock(&slab_mutex) here, because we already hold the slab_mutex from kmem_cache_destroy().
Good catch! I backported 63b02ef7dc4e ("mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock") instead of changing this patch.
On Tue, Jul 28, 2020 at 11:17:03AM -0400, Sasha Levin wrote:
On Tue, Jul 28, 2020 at 08:56:41PM +0800, Muchun Song wrote:
On Mon, Jul 27, 2020 at 10:12 PM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
From: Muchun Song songmuchun@bytedance.com
commit d38a2b7a9c939e6d7329ab92b96559ccebf7b135 upstream.
If the kmem_cache refcount is greater than one, we should not mark the root kmem_cache as dying. If we mark the root kmem_cache dying incorrectly, the non-root kmem_cache can never be destroyed. It resulted in memory leak when memcg was destroyed. We can use the following steps to reproduce.
- Use kmem_cache_create() to create a new kmem_cache named A.
- Coincidentally, the kmem_cache A is an alias for kmem_cache B, so the refcount of B is just increased.
- Use kmem_cache_destroy() to destroy the kmem_cache A, just decrease the B's refcount but mark the B as dying.
- Create a new memory cgroup and alloc memory from the kmem_cache B. It leads to create a non-root kmem_cache for allocating memory.
- When destroy the memory cgroup created in the step 4), the non-root kmem_cache can never be destroyed.
If we repeat steps 4) and 5), this will cause a lot of memory leak. So only when refcount reach zero, we mark the root kmem_cache as dying.
Fixes: 92ee383f6daa ("mm: fix race between kmem_cache destroy, create and deactivate") Signed-off-by: Muchun Song songmuchun@bytedance.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Shakeel Butt shakeelb@google.com Acked-by: Roman Gushchin guro@fb.com Cc: Vlastimil Babka vbabka@suse.cz Cc: Christoph Lameter cl@linux.com Cc: Pekka Enberg penberg@kernel.org Cc: David Rientjes rientjes@google.com Cc: Joonsoo Kim iamjoonsoo.kim@lge.com Cc: Shakeel Butt shakeelb@google.com Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200716165103.83462-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
mm/slab_common.c | 35 ++++++++++++++++++++++++++++------- 1 file changed, 28 insertions(+), 7 deletions(-)
--- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -310,6 +310,14 @@ int slab_unmergeable(struct kmem_cache * if (s->refcount < 0) return 1;
+#ifdef CONFIG_MEMCG_KMEM
/** Skip the dying kmem_cache.*/if (s->memcg_params.dying)return 1;+#endif
return 0;}
@@ -832,12 +840,15 @@ static int shutdown_memcg_caches(struct return 0; }
-static void flush_memcg_workqueue(struct kmem_cache *s) +static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { mutex_lock(&slab_mutex); s->memcg_params.dying = true; mutex_unlock(&slab_mutex);
We should remove mutex_lock/unlock(&slab_mutex) here, because we already hold the slab_mutex from kmem_cache_destroy().
Good catch! I backported 63b02ef7dc4e ("mm: memcg/slab: synchronize access to kmem_cache dying flag using a spinlock") instead of changing this patch.
Ah, much better, let me roll my change back and then push out -rc3 with this all fixed up like this.
thanks,
greg k-h
From: Michael J. Ruhl michael.j.ruhl@intel.com
commit e0b3e0b1a04367fc15c07f44e78361545b55357c upstream.
The !ATOMIC_IOMAP version of io_maping_init_wc will always return success, even when the ioremap fails.
Since the ATOMIC_IOMAP version returns NULL when the init fails, and callers check for a NULL return on error this is unexpected.
During a device probe, where the ioremap failed, a crash can look like this:
BUG: unable to handle page fault for address: 0000000000210000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 177 Comm: RIP: 0010:fill_page_dma [i915] gen8_ppgtt_create [i915] i915_ppgtt_create [i915] intel_gt_init [i915] i915_gem_init [i915] i915_driver_probe [i915] pci_device_probe really_probe driver_probe_device
The remap failure occurred much earlier in the probe. If it had been propagated, the driver would have exited with an error.
Return NULL on ioremap failure.
[akpm@linux-foundation.org: detect ioremap_wc() errors earlier]
Fixes: cafaf14a5d8f ("io-mapping: Always create a struct to hold metadata about the io-mapping") Signed-off-by: Michael J. Ruhl michael.j.ruhl@intel.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Reviewed-by: Andrew Morton akpm@linux-foundation.org Cc: Mike Rapoport rppt@linux.ibm.com Cc: Andy Shevchenko andriy.shevchenko@linux.intel.com Cc: Chris Wilson chris@chris-wilson.co.uk Cc: Daniel Vetter daniel@ffwll.ch Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20200721171936.81563-1-michael.j.ruhl@intel.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/io-mapping.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
--- a/include/linux/io-mapping.h +++ b/include/linux/io-mapping.h @@ -120,9 +120,12 @@ io_mapping_init_wc(struct io_mapping *io resource_size_t base, unsigned long size) { + iomap->iomem = ioremap_wc(base, size); + if (!iomap->iomem) + return NULL; + iomap->base = base; iomap->size = size; - iomap->iomem = ioremap_wc(base, size); #if defined(pgprot_noncached_wc) /* archs can't agree on a name ... */ iomap->prot = pgprot_noncached_wc(PAGE_KERNEL); #elif defined(pgprot_writecombine)
From: Paweł Gronowski me@woland.xyz
commit 38e0c89a19fd13f28d2b4721035160a3e66e270b upstream.
NULL dereference occurs when string that is not ended with space or newline is written to some dpm sysfs interface (for example pp_dpm_sclk). This happens because strsep replaces the tmp with NULL if the delimiter is not present in string, which is then dereferenced by tmp[0].
Reproduction example: sudo sh -c 'echo -n 1 > /sys/class/drm/card0/device/pp_dpm_sclk'
Signed-off-by: Paweł Gronowski me@woland.xyz Signed-off-by: Alex Deucher alexander.deucher@amd.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_pm.c @@ -529,8 +529,7 @@ static ssize_t amdgpu_set_pp_od_clk_volt
while (isspace(*++tmp_str));
- while (tmp_str[0]) { - sub_str = strsep(&tmp_str, delimiter); + while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); if (ret) return -EINVAL; @@ -630,8 +629,7 @@ static ssize_t amdgpu_read_mask(const ch memcpy(buf_cpy, buf, bytes); buf_cpy[bytes] = '\0'; tmp = buf_cpy; - while (tmp[0]) { - sub_str = strsep(&tmp, delimiter); + while ((sub_str = strsep(&tmp, delimiter)) != NULL) { if (strlen(sub_str)) { ret = kstrtol(sub_str, 0, &level); if (ret) @@ -882,8 +880,7 @@ static ssize_t amdgpu_set_pp_power_profi i++; memcpy(buf_cpy, buf, count-i); tmp_str = buf_cpy; - while (tmp_str[0]) { - sub_str = strsep(&tmp_str, delimiter); + while ((sub_str = strsep(&tmp_str, delimiter)) != NULL) { ret = kstrtol(sub_str, 0, ¶meter[parameter_size]); if (ret) { count = -EINVAL;
From: Qiu Wenbo qiuwenbo@phytium.com.cn
commit 88bb16ad998a0395fe4b346b7d3f621aaa0a2324 upstream.
Avoid kernel crash when vddci_control is SMU7_VOLTAGE_CONTROL_NONE and vddci_voltage_table is empty. It has been tested on Intel Hades Canyon (i7-8809G).
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=208489 Fixes: ac7822b0026f ("drm/amd/powerplay: add smumgr support for VEGAM (v2)") Reviewed-by: Evan Quan evan.quan@amd.com Signed-off-by: Qiu Wenbo qiuwenbo@phytium.com.cn Signed-off-by: Alex Deucher alexander.deucher@amd.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c +++ b/drivers/gpu/drm/amd/powerplay/smumgr/vegam_smumgr.c @@ -643,9 +643,6 @@ static int vegam_get_dependency_volt_by_
/* sclk is bigger than max sclk in the dependence table */ *voltage |= (dep_table->entries[i - 1].vddc * VOLTAGE_SCALE) << VDDC_SHIFT; - vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), - (dep_table->entries[i - 1].vddc - - (uint16_t)VDDC_VDDCI_DELTA));
if (SMU7_VOLTAGE_CONTROL_NONE == data->vddci_control) *voltage |= (data->vbios_boot_state.vddci_bootup_value * @@ -653,8 +650,13 @@ static int vegam_get_dependency_volt_by_ else if (dep_table->entries[i - 1].vddci) *voltage |= (dep_table->entries[i - 1].vddci * VOLTAGE_SCALE) << VDDC_SHIFT; - else + else { + vddci = phm_find_closest_vddci(&(data->vddci_voltage_table), + (dep_table->entries[i - 1].vddc - + (uint16_t)VDDC_VDDCI_DELTA)); + *voltage |= (vddci * VOLTAGE_SCALE) << VDDCI_SHIFT; + }
if (SMU7_VOLTAGE_CONTROL_NONE == data->mvdd_control) *mvdd = data->vbios_boot_state.mvdd_bootup_value * VOLTAGE_SCALE;
From: John David Anglin dave.anglin@bell.net
commit be6577af0cef934ccb036445314072e8cb9217b9 upstream.
Stalls are quite frequent with recent kernels. I enabled CONFIG_SOFTLOCKUP_DETECTOR and I caught the following stall:
watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [cc1:22803] CPU: 0 PID: 22803 Comm: cc1 Not tainted 5.6.17+ #3 Hardware name: 9000/800/rp3440 IAOQ[0]: d_alloc_parallel+0x384/0x688 IAOQ[1]: d_alloc_parallel+0x388/0x688 RP(r2): d_alloc_parallel+0x134/0x688 Backtrace: [<000000004036974c>] __lookup_slow+0xa4/0x200 [<0000000040369fc8>] walk_component+0x288/0x458 [<000000004036a9a0>] path_lookupat+0x88/0x198 [<000000004036e748>] filename_lookup+0xa0/0x168 [<000000004036e95c>] user_path_at_empty+0x64/0x80 [<000000004035d93c>] vfs_statx+0x104/0x158 [<000000004035dfcc>] __do_sys_lstat64+0x44/0x80 [<000000004035e5a0>] sys_lstat64+0x20/0x38 [<0000000040180054>] syscall_exit+0x0/0x14
The code was stuck in this loop in d_alloc_parallel:
4037d414: 0e 00 10 dc ldd 0(r16),ret0 4037d418: c7 fc 5f ed bb,< ret0,1f,4037d414 <d_alloc_parallel+0x384> 4037d41c: 08 00 02 40 nop
This is the inner loop of bit_spin_lock which is called by hlist_bl_unlock in d_alloc_parallel:
static inline void bit_spin_lock(int bitnum, unsigned long *addr) { /* * Assuming the lock is uncontended, this never enters * the body of the outer loop. If it is contended, then * within the inner loop a non-atomic test is used to * busywait with less bus contention for a good time to * attempt to acquire the lock bit. */ preempt_disable(); #if defined(CONFIG_SMP) || defined(CONFIG_DEBUG_SPINLOCK) while (unlikely(test_and_set_bit_lock(bitnum, addr))) { preempt_enable(); do { cpu_relax(); } while (test_bit(bitnum, addr)); preempt_disable(); } #endif __acquire(bitlock); }
After consideration, I realized that we must be losing bit unlocks. Then, I noticed that we missed defining atomic64_set_release(). Adding this define fixes the stalls in bit operations.
Signed-off-by: Dave Anglin dave.anglin@bell.net Cc: stable@vger.kernel.org Signed-off-by: Helge Deller deller@gmx.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/parisc/include/asm/atomic.h | 2 ++ 1 file changed, 2 insertions(+)
--- a/arch/parisc/include/asm/atomic.h +++ b/arch/parisc/include/asm/atomic.h @@ -212,6 +212,8 @@ atomic64_set(atomic64_t *v, s64 i) _atomic_spin_unlock_irqrestore(v, flags); }
+#define atomic64_set_release(v, i) atomic64_set((v), (i)) + static __inline__ s64 atomic64_read(const atomic64_t *v) {
From: Joerg Roedel jroedel@suse.de
commit de2b41be8fcccb2f5b6c480d35df590476344201 upstream.
On x86-32 the idt_table with 256 entries needs only 2048 bytes. It is page-aligned, but the end of the .bss..page_aligned section is not guaranteed to be page-aligned.
As a result, objects from other .bss sections may end up on the same 4k page as the idt_table, and will accidentially get mapped read-only during boot, causing unexpected page-faults when the kernel writes to them.
This could be worked around by making the objects in the page aligned sections page sized, but that's wrong.
Explicit sections which store only page aligned objects have an implicit guarantee that the object is alone in the page in which it is placed. That works for all objects except the last one. That's inconsistent.
Enforcing page sized objects for these sections would wreckage memory sanitizers, because the object becomes artificially larger than it should be and out of bound access becomes legit.
Align the end of the .bss..page_aligned and .data..page_aligned section on page-size so all objects places in these sections are guaranteed to have their own page.
[ tglx: Amended changelog ]
Signed-off-by: Joerg Roedel jroedel@suse.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Reviewed-by: Kees Cook keescook@chromium.org Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20200721093448.10417-1-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/vmlinux.lds.S | 1 + include/asm-generic/vmlinux.lds.h | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/vmlinux.lds.S +++ b/arch/x86/kernel/vmlinux.lds.S @@ -372,6 +372,7 @@ SECTIONS .bss : AT(ADDR(.bss) - LOAD_OFFSET) { __bss_start = .; *(.bss..page_aligned) + . = ALIGN(PAGE_SIZE); *(BSS_MAIN) BSS_DECRYPTED . = ALIGN(PAGE_SIZE); --- a/include/asm-generic/vmlinux.lds.h +++ b/include/asm-generic/vmlinux.lds.h @@ -279,7 +279,8 @@
#define PAGE_ALIGNED_DATA(page_align) \ . = ALIGN(page_align); \ - *(.data..page_aligned) + *(.data..page_aligned) \ + . = ALIGN(page_align);
#define READ_MOSTLY_DATA(align) \ . = ALIGN(align); \ @@ -650,7 +651,9 @@ . = ALIGN(bss_align); \ .bss : AT(ADDR(.bss) - LOAD_OFFSET) { \ BSS_FIRST_SECTIONS \ + . = ALIGN(PAGE_SIZE); \ *(.bss..page_aligned) \ + . = ALIGN(PAGE_SIZE); \ *(.dynbss) \ *(BSS_MAIN) \ *(COMMON) \
From: Hans de Goede hdegoede@redhat.com
commit 85ca6b17e2bb96b19caac3b02c003d670b66de96 upstream.
The Lenovo Miix 2 10 has a keyboard dock with extra speakers in the dock. Rather then the ACL5672's GPIO1 pin being used as IRQ to the CPU, it is actually used to enable the amplifier for these speakers (the IRQ to the CPU comes directly from the jack-detect switch).
Add a quirk for having an ext speaker-amplifier enable pin on GPIO1 and replace the Lenovo Miix 2 10's dmi_system_id table entry's wrong GPIO_DEV quirk (which needs to be renamed to GPIO1_IS_IRQ) with the new RT5670_GPIO1_IS_EXT_SPK_EN quirk, so that we enable the external speaker-amplifier as necessary.
Also update the ident field for the dmi_system_id table entry, the Miix models are not Thinkpads.
Fixes: 67e03ff3f32f ("ASoC: codecs: rt5670: add Thinkpad Tablet 10 quirk") Signed-off-by: Hans de Goede hdegoede@redhat.com BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1786723 Link: https://lore.kernel.org/r/20200628155231.71089-4-hdegoede@redhat.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/sound/rt5670.h | 1 sound/soc/codecs/rt5670.c | 71 ++++++++++++++++++++++++++++++++++++---------- 2 files changed, 57 insertions(+), 15 deletions(-)
--- a/include/sound/rt5670.h +++ b/include/sound/rt5670.h @@ -15,6 +15,7 @@ struct rt5670_platform_data { int jd_mode; bool in2_diff; bool dev_gpio; + bool gpio1_is_ext_spk_en;
bool dmic_en; unsigned int dmic1_data_pin; --- a/sound/soc/codecs/rt5670.c +++ b/sound/soc/codecs/rt5670.c @@ -34,18 +34,19 @@ #include "rt5670.h" #include "rt5670-dsp.h"
-#define RT5670_DEV_GPIO BIT(0) -#define RT5670_IN2_DIFF BIT(1) -#define RT5670_DMIC_EN BIT(2) -#define RT5670_DMIC1_IN2P BIT(3) -#define RT5670_DMIC1_GPIO6 BIT(4) -#define RT5670_DMIC1_GPIO7 BIT(5) -#define RT5670_DMIC2_INR BIT(6) -#define RT5670_DMIC2_GPIO8 BIT(7) -#define RT5670_DMIC3_GPIO5 BIT(8) -#define RT5670_JD_MODE1 BIT(9) -#define RT5670_JD_MODE2 BIT(10) -#define RT5670_JD_MODE3 BIT(11) +#define RT5670_DEV_GPIO BIT(0) +#define RT5670_IN2_DIFF BIT(1) +#define RT5670_DMIC_EN BIT(2) +#define RT5670_DMIC1_IN2P BIT(3) +#define RT5670_DMIC1_GPIO6 BIT(4) +#define RT5670_DMIC1_GPIO7 BIT(5) +#define RT5670_DMIC2_INR BIT(6) +#define RT5670_DMIC2_GPIO8 BIT(7) +#define RT5670_DMIC3_GPIO5 BIT(8) +#define RT5670_JD_MODE1 BIT(9) +#define RT5670_JD_MODE2 BIT(10) +#define RT5670_JD_MODE3 BIT(11) +#define RT5670_GPIO1_IS_EXT_SPK_EN BIT(12)
static unsigned long rt5670_quirk; static unsigned int quirk_override; @@ -1504,6 +1505,33 @@ static int rt5670_hp_event(struct snd_so return 0; }
+static int rt5670_spk_event(struct snd_soc_dapm_widget *w, + struct snd_kcontrol *kcontrol, int event) +{ + struct snd_soc_component *component = snd_soc_dapm_to_component(w->dapm); + struct rt5670_priv *rt5670 = snd_soc_component_get_drvdata(component); + + if (!rt5670->pdata.gpio1_is_ext_spk_en) + return 0; + + switch (event) { + case SND_SOC_DAPM_POST_PMU: + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, + RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_HI); + break; + + case SND_SOC_DAPM_PRE_PMD: + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, + RT5670_GP1_OUT_MASK, RT5670_GP1_OUT_LO); + break; + + default: + return 0; + } + + return 0; +} + static int rt5670_bst1_event(struct snd_soc_dapm_widget *w, struct snd_kcontrol *kcontrol, int event) { @@ -1917,7 +1945,9 @@ static const struct snd_soc_dapm_widget };
static const struct snd_soc_dapm_widget rt5672_specific_dapm_widgets[] = { - SND_SOC_DAPM_PGA("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0), + SND_SOC_DAPM_PGA_E("SPO Amp", SND_SOC_NOPM, 0, 0, NULL, 0, + rt5670_spk_event, SND_SOC_DAPM_PRE_PMD | + SND_SOC_DAPM_POST_PMU), SND_SOC_DAPM_OUTPUT("SPOLP"), SND_SOC_DAPM_OUTPUT("SPOLN"), SND_SOC_DAPM_OUTPUT("SPORP"), @@ -2901,14 +2931,14 @@ static const struct dmi_system_id dmi_pl }, { .callback = rt5670_quirk_cb, - .ident = "Lenovo Thinkpad Tablet 10", + .ident = "Lenovo Miix 2 10", .matches = { DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), DMI_MATCH(DMI_PRODUCT_VERSION, "Lenovo Miix 2 10"), }, .driver_data = (unsigned long *)(RT5670_DMIC_EN | RT5670_DMIC1_IN2P | - RT5670_DEV_GPIO | + RT5670_GPIO1_IS_EXT_SPK_EN | RT5670_JD_MODE2), }, { @@ -2956,6 +2986,10 @@ static int rt5670_i2c_probe(struct i2c_c rt5670->pdata.dev_gpio = true; dev_info(&i2c->dev, "quirk dev_gpio\n"); } + if (rt5670_quirk & RT5670_GPIO1_IS_EXT_SPK_EN) { + rt5670->pdata.gpio1_is_ext_spk_en = true; + dev_info(&i2c->dev, "quirk GPIO1 is external speaker enable\n"); + } if (rt5670_quirk & RT5670_IN2_DIFF) { rt5670->pdata.in2_diff = true; dev_info(&i2c->dev, "quirk IN2_DIFF\n"); @@ -3054,6 +3088,13 @@ static int rt5670_i2c_probe(struct i2c_c regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); } + + if (rt5670->pdata.gpio1_is_ext_spk_en) { + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL1, + RT5670_GP1_PIN_MASK, RT5670_GP1_PIN_GPIO1); + regmap_update_bits(rt5670->regmap, RT5670_GPIO_CTRL2, + RT5670_GP1_PF_MASK, RT5670_GP1_PF_OUT); + }
if (rt5670->pdata.jd_mode) { regmap_update_bits(rt5670->regmap, RT5670_GLB_CLK,
From: Geert Uytterhoeven geert@linux-m68k.org
commit b6aa06de7757667bac88997a8807b143b8436035 upstream.
When building on allyesconfig kernel for a NO_DMA=y platform (e.g. Sun-3), CONFIG_SND_SOC_QCOM_COMMON=y, but CONFIG_SND_SOC_QDSP6_AFE=n, leading to a link failure:
sound/soc/qcom/common.o: In function `qcom_snd_parse_of': common.c:(.text+0x2e2): undefined reference to `q6afe_is_rx_port'
While SND_SOC_QDSP6 depends on HAS_DMA, SND_SOC_MSM8996 and SND_SOC_SDM845 don't, so the following warning is seen:
WARNING: unmet direct dependencies detected for SND_SOC_QDSP6 Depends on [n]: SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && HAS_DMA [=n] Selected by [y]: - SND_SOC_MSM8996 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] - SND_SOC_SDM845 [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && QCOM_APR [=y] && CROS_EC [=y] && I2C [=y] && SOUNDWIRE [=y]
Until recently, this warning was harmless (from a compile-testing point-of-view), but the new user of q6afe_is_rx_port() turned this into a hard failure.
As the QDSP6 driver itself builds fine if NO_DMA=y, and it depends on QCOM_APR (which in turns depends on ARCH_QCOM || COMPILE_TEST), it is safe to increase compile testing coverage. Hence fix the link failure by dropping the HAS_DMA dependency of SND_SOC_QDSP6.
Fixes: a2120089251f1fe2 ("ASoC: qcom: common: set correct directions for dailinks") Fixes: 6b1687bf76ef84cb ("ASoC: qcom: add sdm845 sound card support") Fixes: a6f933f63f2ffdb2 ("ASoC: qcom: apq8096: Add db820c machine driver") Signed-off-by: Geert Uytterhoeven geert@linux-m68k.org Link: https://lore.kernel.org/r/20200629122443.21736-1-geert@linux-m68k.org Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/soc/qcom/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/qcom/Kconfig +++ b/sound/soc/qcom/Kconfig @@ -70,7 +70,7 @@ config SND_SOC_QDSP6_ASM_DAI
config SND_SOC_QDSP6 tristate "SoC ALSA audio driver for QDSP6" - depends on QCOM_APR && HAS_DMA + depends on QCOM_APR select SND_SOC_QDSP6_COMMON select SND_SOC_QDSP6_CORE select SND_SOC_QDSP6_AFE
From: Mikulas Patocka mpatocka@redhat.com
commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream.
Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended device during destroy") broke integrity recalculation.
The problem is dm_suspended() returns true not only during suspend, but also during resume. So this race condition could occur: 1. dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work) 2. integrity_recalc (&ic->recalc_work) preempts the current thread 3. integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret; 4. integrity_recalc exits and no recalculating is done.
To fix this race condition, add a function dm_post_suspending that is only true during the postsuspend phase and use it instead of dm_suspended().
Signed-off-by: Mikulas Patocka <mpatocka redhat com> Fixes: adc0daad366b ("dm: report suspended device during destroy") Cc: stable vger kernel org # v4.18+ Signed-off-by: Mike Snitzer snitzer@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/md/dm-integrity.c | 4 ++-- drivers/md/dm.c | 17 +++++++++++++++++ include/linux/device-mapper.h | 1 + 3 files changed, 20 insertions(+), 2 deletions(-)
--- a/drivers/md/dm-integrity.c +++ b/drivers/md/dm-integrity.c @@ -2068,7 +2068,7 @@ static void integrity_writer(struct work unsigned prev_free_sectors;
/* the following test is not needed, but it tests the replay code */ - if (unlikely(dm_suspended(ic->ti)) && !ic->meta_dev) + if (unlikely(dm_post_suspending(ic->ti)) && !ic->meta_dev) return;
spin_lock_irq(&ic->endio_wait.lock); @@ -2127,7 +2127,7 @@ static void integrity_recalc(struct work
next_chunk:
- if (unlikely(dm_suspended(ic->ti))) + if (unlikely(dm_post_suspending(ic->ti))) goto unlock_ret;
range.logical_sector = le64_to_cpu(ic->sb->recalc_sector); --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -141,6 +141,7 @@ EXPORT_SYMBOL_GPL(dm_bio_get_target_bio_ #define DMF_NOFLUSH_SUSPENDING 5 #define DMF_DEFERRED_REMOVE 6 #define DMF_SUSPENDED_INTERNALLY 7 +#define DMF_POST_SUSPENDING 8
#define DM_NUMA_NODE NUMA_NO_NODE static int dm_numa_node = DM_NUMA_NODE; @@ -2355,6 +2356,7 @@ static void __dm_destroy(struct mapped_d if (!dm_suspended_md(md)) { dm_table_presuspend_targets(map); set_bit(DMF_SUSPENDED, &md->flags); + set_bit(DMF_POST_SUSPENDING, &md->flags); dm_table_postsuspend_targets(map); } /* dm_put_live_table must be before msleep, otherwise deadlock is possible */ @@ -2680,7 +2682,9 @@ retry: if (r) goto out_unlock;
+ set_bit(DMF_POST_SUSPENDING, &md->flags); dm_table_postsuspend_targets(map); + clear_bit(DMF_POST_SUSPENDING, &md->flags);
out_unlock: mutex_unlock(&md->suspend_lock); @@ -2777,7 +2781,9 @@ static void __dm_internal_suspend(struct (void) __dm_suspend(md, map, suspend_flags, TASK_UNINTERRUPTIBLE, DMF_SUSPENDED_INTERNALLY);
+ set_bit(DMF_POST_SUSPENDING, &md->flags); dm_table_postsuspend_targets(map); + clear_bit(DMF_POST_SUSPENDING, &md->flags); }
static void __dm_internal_resume(struct mapped_device *md) @@ -2938,6 +2944,11 @@ int dm_suspended_md(struct mapped_device return test_bit(DMF_SUSPENDED, &md->flags); }
+static int dm_post_suspending_md(struct mapped_device *md) +{ + return test_bit(DMF_POST_SUSPENDING, &md->flags); +} + int dm_suspended_internally_md(struct mapped_device *md) { return test_bit(DMF_SUSPENDED_INTERNALLY, &md->flags); @@ -2954,6 +2965,12 @@ int dm_suspended(struct dm_target *ti) } EXPORT_SYMBOL_GPL(dm_suspended);
+int dm_post_suspending(struct dm_target *ti) +{ + return dm_post_suspending_md(dm_table_get_md(ti->table)); +} +EXPORT_SYMBOL_GPL(dm_post_suspending); + int dm_noflush_suspending(struct dm_target *ti) { return __noflush_suspending(dm_table_get_md(ti->table)); --- a/include/linux/device-mapper.h +++ b/include/linux/device-mapper.h @@ -419,6 +419,7 @@ const char *dm_device_name(struct mapped int dm_copy_name_and_uuid(struct mapped_device *md, char *name, char *uuid); struct gendisk *dm_disk(struct mapped_device *md); int dm_suspended(struct dm_target *ti); +int dm_post_suspending(struct dm_target *ti); int dm_noflush_suspending(struct dm_target *ti); void dm_accept_partial_bio(struct bio *bio, unsigned n_sectors); void dm_remap_zone_report(struct dm_target *ti, struct bio *bio,
Hi!
From: Mikulas Patocka mpatocka@redhat.com
commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream.
Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended device during destroy") broke integrity recalculation.
The problem is dm_suspended() returns true not only during suspend, but also during resume. So this race condition could occur:
- dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work)
- integrity_recalc (&ic->recalc_work) preempts the current thread
- integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret;
- integrity_recalc exits and no recalculating is done.
To fix this race condition, add a function dm_post_suspending that is only true during the postsuspend phase and use it instead of dm_suspended().
Signed-off-by: Mikulas Patocka <mpatocka redhat com>
Something is wrong with signoff here...
Best regards, Pavel
On Mon, Jul 27, 2020 at 10:56:35PM +0200, Pavel Machek wrote:
Hi!
From: Mikulas Patocka mpatocka@redhat.com
commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream.
Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended device during destroy") broke integrity recalculation.
The problem is dm_suspended() returns true not only during suspend, but also during resume. So this race condition could occur:
- dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work)
- integrity_recalc (&ic->recalc_work) preempts the current thread
- integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret;
- integrity_recalc exits and no recalculating is done.
To fix this race condition, add a function dm_post_suspending that is only true during the postsuspend phase and use it instead of dm_suspended().
Signed-off-by: Mikulas Patocka <mpatocka redhat com>
Something is wrong with signoff here...
Heh, and the same thing happened with the stable tag:
Cc: stable vger kernel org # v4.18+
But given that this is the way the upstream commit looks like we can't do much here.
On Mon, Jul 27 2020 at 7:31pm -0400, Sasha Levin sashal@kernel.org wrote:
On Mon, Jul 27, 2020 at 10:56:35PM +0200, Pavel Machek wrote:
Hi!
From: Mikulas Patocka mpatocka@redhat.com
commit 5df96f2b9f58a5d2dc1f30fe7de75e197f2c25f2 upstream.
Commit adc0daad366b62ca1bce3e2958a40b0b71a8b8b3 ("dm: report suspended device during destroy") broke integrity recalculation.
The problem is dm_suspended() returns true not only during suspend, but also during resume. So this race condition could occur:
- dm_integrity_resume calls queue_work(ic->recalc_wq, &ic->recalc_work)
- integrity_recalc (&ic->recalc_work) preempts the current thread
- integrity_recalc calls if (unlikely(dm_suspended(ic->ti))) goto unlock_ret;
- integrity_recalc exits and no recalculating is done.
To fix this race condition, add a function dm_post_suspending that is only true during the postsuspend phase and use it instead of dm_suspended().
Signed-off-by: Mikulas Patocka <mpatocka redhat com>
Something is wrong with signoff here...
Heh, and the same thing happened with the stable tag:
Cc: stable vger kernel org # v4.18+
But given that this is the way the upstream commit looks like we can't do much here.
Hmm, not sure what happened on the Signed-off-by and Cc for commit 5df96f2b9f. Sorry about this!
From: Qiujun Huang hqjagain@gmail.com
commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
In ath9k_hif_usb_rx_cb interface number is assumed to be 0. usb_ifnum_to_if(urb->dev, 0) But it isn't always true.
The case reported by syzbot: https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com usb 2-1: new high-speed USB device number 2 using dummy_hcd usb 2-1: config 1 has an invalid interface number: 2 but max is 0 usb 2-1: config 1 has no interface number 0 usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice= 1.08 usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 general protection fault, probably for non-canonical address 0xdffffc0000000015: 0000 [#1] SMP KASAN KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Call Trace __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404 expire_timers kernel/time/timer.c:1449 [inline] __run_timers kernel/time/timer.c:1773 [inline] __run_timers kernel/time/timer.c:1740 [inline] run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786 __do_softirq+0x21e/0x950 kernel/softirq.c:292 invoke_softirq kernel/softirq.c:373 [inline] irq_exit+0x178/0x1a0 kernel/softirq.c:413 exiting_irq arch/x86/include/asm/apic.h:546 [inline] smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com Signed-off-by: Qiujun Huang hqjagain@gmail.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com Cc: Viktor Jägersküpper viktor_jaegerskuepper@freenet.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/net/wireless/ath/ath9k/hif_usb.c | 48 +++++++++++++++++++++++-------- drivers/net/wireless/ath/ath9k/hif_usb.h | 5 +++ 2 files changed, 42 insertions(+), 11 deletions(-)
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -643,9 +643,9 @@ err:
static void ath9k_hif_usb_rx_cb(struct urb *urb) { - struct sk_buff *skb = (struct sk_buff *) urb->context; - struct hif_device_usb *hif_dev = - usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); + struct rx_buf *rx_buf = (struct rx_buf *)urb->context; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct sk_buff *skb = rx_buf->skb; int ret;
if (!skb) @@ -685,14 +685,15 @@ resubmit: return; free: kfree_skb(skb); + kfree(rx_buf); }
static void ath9k_hif_usb_reg_in_cb(struct urb *urb) { - struct sk_buff *skb = (struct sk_buff *) urb->context; + struct rx_buf *rx_buf = (struct rx_buf *)urb->context; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct sk_buff *skb = rx_buf->skb; struct sk_buff *nskb; - struct hif_device_usb *hif_dev = - usb_get_intfdata(usb_ifnum_to_if(urb->dev, 0)); int ret;
if (!skb) @@ -750,6 +751,7 @@ resubmit: return; free: kfree_skb(skb); + kfree(rx_buf); urb->context = NULL; }
@@ -795,7 +797,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(s init_usb_anchor(&hif_dev->mgmt_submitted);
for (i = 0; i < MAX_TX_URB_NUM; i++) { - tx_buf = kzalloc(sizeof(struct tx_buf), GFP_KERNEL); + tx_buf = kzalloc(sizeof(*tx_buf), GFP_KERNEL); if (!tx_buf) goto err;
@@ -832,8 +834,9 @@ static void ath9k_hif_usb_dealloc_rx_urb
static int ath9k_hif_usb_alloc_rx_urbs(struct hif_device_usb *hif_dev) { - struct urb *urb = NULL; + struct rx_buf *rx_buf = NULL; struct sk_buff *skb = NULL; + struct urb *urb = NULL; int i, ret;
init_usb_anchor(&hif_dev->rx_submitted); @@ -841,6 +844,12 @@ static int ath9k_hif_usb_alloc_rx_urbs(s
for (i = 0; i < MAX_RX_URB_NUM; i++) {
+ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); + if (!rx_buf) { + ret = -ENOMEM; + goto err_rxb; + } + /* Allocate URB */ urb = usb_alloc_urb(0, GFP_KERNEL); if (urb == NULL) { @@ -855,11 +864,14 @@ static int ath9k_hif_usb_alloc_rx_urbs(s goto err_skb; }
+ rx_buf->hif_dev = hif_dev; + rx_buf->skb = skb; + usb_fill_bulk_urb(urb, hif_dev->udev, usb_rcvbulkpipe(hif_dev->udev, USB_WLAN_RX_PIPE), skb->data, MAX_RX_BUF_SIZE, - ath9k_hif_usb_rx_cb, skb); + ath9k_hif_usb_rx_cb, rx_buf);
/* Anchor URB */ usb_anchor_urb(urb, &hif_dev->rx_submitted); @@ -885,6 +897,8 @@ err_submit: err_skb: usb_free_urb(urb); err_urb: + kfree(rx_buf); +err_rxb: ath9k_hif_usb_dealloc_rx_urbs(hif_dev); return ret; } @@ -896,14 +910,21 @@ static void ath9k_hif_usb_dealloc_reg_in
static int ath9k_hif_usb_alloc_reg_in_urbs(struct hif_device_usb *hif_dev) { - struct urb *urb = NULL; + struct rx_buf *rx_buf = NULL; struct sk_buff *skb = NULL; + struct urb *urb = NULL; int i, ret;
init_usb_anchor(&hif_dev->reg_in_submitted);
for (i = 0; i < MAX_REG_IN_URB_NUM; i++) {
+ rx_buf = kzalloc(sizeof(*rx_buf), GFP_KERNEL); + if (!rx_buf) { + ret = -ENOMEM; + goto err_rxb; + } + /* Allocate URB */ urb = usb_alloc_urb(0, GFP_KERNEL); if (urb == NULL) { @@ -918,11 +939,14 @@ static int ath9k_hif_usb_alloc_reg_in_ur goto err_skb; }
+ rx_buf->hif_dev = hif_dev; + rx_buf->skb = skb; + usb_fill_int_urb(urb, hif_dev->udev, usb_rcvintpipe(hif_dev->udev, USB_REG_IN_PIPE), skb->data, MAX_REG_IN_BUF_SIZE, - ath9k_hif_usb_reg_in_cb, skb, 1); + ath9k_hif_usb_reg_in_cb, rx_buf, 1);
/* Anchor URB */ usb_anchor_urb(urb, &hif_dev->reg_in_submitted); @@ -948,6 +972,8 @@ err_submit: err_skb: usb_free_urb(urb); err_urb: + kfree(rx_buf); +err_rxb: ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev); return ret; } --- a/drivers/net/wireless/ath/ath9k/hif_usb.h +++ b/drivers/net/wireless/ath/ath9k/hif_usb.h @@ -86,6 +86,11 @@ struct tx_buf { struct list_head list; };
+struct rx_buf { + struct sk_buff *skb; + struct hif_device_usb *hif_dev; +}; + #define HIF_USB_TX_STOP BIT(0) #define HIF_USB_TX_FLUSH BIT(1)
From: Mark O'Donovan shiftee@posteo.net
commit 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab upstream.
This fix allows ath9k_htc modules to connect to WLAN once again.
Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb") Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251 Signed-off-by: Mark O'Donovan shiftee@posteo.net Reported-by: Roman Mamedov rm@romanrm.net Tested-by: Viktor Jägersküpper viktor_jaegerskuepper@freenet.de Signed-off-by: Kalle Valo kvalo@codeaurora.org Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -733,11 +733,13 @@ static void ath9k_hif_usb_reg_in_cb(stru return; }
+ rx_buf->skb = nskb; + usb_fill_int_urb(urb, hif_dev->udev, usb_rcvintpipe(hif_dev->udev, USB_REG_IN_PIPE), nskb->data, MAX_REG_IN_BUF_SIZE, - ath9k_hif_usb_reg_in_cb, nskb, 1); + ath9k_hif_usb_reg_in_cb, rx_buf, 1); }
resubmit:
On Mon, 27 Jul 2020 16:03:34 +0200, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
thanks,
greg k-h
All tests passing for Tegra ...
Test results for stable-v4.19: 11 builds: 11 pass, 0 fail 22 boots: 22 pass, 0 fail 38 tests: 38 pass, 0 fail
Linux version: 4.19.135-rc1-ge61bf6def734 Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000, tegra194-p2972-0000, tegra20-ventana, tegra210-p2371-2180, tegra30-cardhu-a04
Thierry
On 7/27/20 8:03 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan skhan@linuxfoundation.org
thanks, -- Shuah
On Mon, 27 Jul 2020 at 19:40, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
thanks,
greg k-h
Pseudo-Shortlog of commits:
<trim>
Results from Linaro’s test farm. Regressions detected on x86_64.
Boot failures on x86_64 devices running 4.19.135-rc1 kernel.
Summary ------------------------------------------------------------------------
kernel: 4.19.135-rc1 git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git git branch: linux-4.19.y git commit: e11702667f84474535b156dbb194deffa0a6cdb4 git describe: v4.19.134-87-ge11702667f84 Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.134-8...
Muchun Song songmuchun@bytedance.com mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
[ 2.510884] ============================================ [ 2.510884] WARNING: possible recursive locking detected [ 2.510884] 4.19.135-rc1 #1 Not tainted [ 2.510884] -------------------------------------------- [ 2.510884] swapper/0/1 is trying to acquire lock: [ 2.510884] 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] [ 2.510884] but task is already holding lock: [ 2.510884] 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x45/0x2b0 [ 2.510884] [ 2.510884] other info that might help us debug this: [ 2.510884] Possible unsafe locking scenario: [ 2.510884] [ 2.510884] CPU0 [ 2.510884] ---- [ 2.510884] lock(slab_mutex); [ 2.510884] lock(slab_mutex); [ 2.510884] [ 2.510884] *** DEADLOCK *** [ 2.510884] [ 2.510884] May be due to missing lock nesting notation [ 2.510884] [ 2.510884] 3 locks held by swapper/0/1: [ 2.510884] #0: 000000008702dddc (cpu_hotplug_lock.rw_sem){++++}, at: kmem_cache_destroy+0x32/0x2b0 [ 2.510884] #1: 0000000050103e4d (mem_hotplug_lock.rw_sem){++++}, at: kmem_cache_destroy+0x37/0x2b0 [ 2.510884] #2: 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x45/0x2b0 [ 2.510884] [ 2.510884] stack backtrace: [ 2.510884] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.135-rc1 #1 [ 2.510884] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.0b 07/27/2017 [ 2.510884] Call Trace: [ 2.510884] dump_stack+0x7a/0xa5 [ 2.510884] __lock_acquire+0x6f1/0x1380 [ 2.510884] ? ret_from_fork+0x3a/0x50 [ 2.510884] lock_acquire+0x95/0x190 [ 2.510884] ? lock_acquire+0x95/0x190 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] __mutex_lock+0x83/0x990 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? kmem_cache_destroy+0x60/0x2b0 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] mutex_lock_nested+0x1b/0x20 [ 2.510884] ? get_online_mems+0x5f/0x90 [ 2.510884] ? mutex_lock_nested+0x1b/0x20 [ 2.510884] kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] intel_iommu_init+0x11c6/0x1326 [ 2.510884] ? kfree+0xc4/0x240 [ 2.510884] ? lockdep_hardirqs_on+0xef/0x180 [ 2.510884] ? kfree+0xc4/0x240 [ 2.510884] ? trace_hardirqs_on+0x4c/0x100 [ 2.510884] ? unpack_to_rootfs+0x272/0x29a [ 2.510884] ? e820__memblock_setup+0x64/0x64 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] pci_iommu_init+0x1a/0x44 [ 2.510884] ? e820__memblock_setup+0x64/0x64 [ 2.510884] ? pci_iommu_init+0x1a/0x44 [ 2.510884] do_one_initcall+0x61/0x2b4 [ 2.510884] ? set_debug_rodata+0xa/0x17 [ 2.510884] ? rcu_read_lock_sched_held+0x81/0x90 [ 2.510884] kernel_init_freeable+0x1d8/0x270 [ 2.510884] ? rest_init+0x190/0x190 [ 2.510884] kernel_init+0xe/0x110 [ 2.510884] ret_from_fork+0x3a/0x50
Full test log: https://pastebin.com/PWkk0YaF
Thanks for your test. I have reviewed the patch:
[PATCH 4.19 76/86] mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
There is a backport problem and I have pointed out the problem in that email.
On Tue, Jul 28, 2020 at 4:34 PM Naresh Kamboju naresh.kamboju@linaro.org wrote:
On Mon, 27 Jul 2020 at 19:40, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
thanks,
greg k-h
Pseudo-Shortlog of commits:
<trim>
Results from Linaro’s test farm. Regressions detected on x86_64.
Boot failures on x86_64 devices running 4.19.135-rc1 kernel.
Summary
kernel: 4.19.135-rc1 git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git git branch: linux-4.19.y git commit: e11702667f84474535b156dbb194deffa0a6cdb4 git describe: v4.19.134-87-ge11702667f84 Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.19-oe/build/v4.19.134-8...
Muchun Song songmuchun@bytedance.com mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
[ 2.510884] ============================================ [ 2.510884] WARNING: possible recursive locking detected [ 2.510884] 4.19.135-rc1 #1 Not tainted [ 2.510884] -------------------------------------------- [ 2.510884] swapper/0/1 is trying to acquire lock: [ 2.510884] 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] [ 2.510884] but task is already holding lock: [ 2.510884] 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x45/0x2b0 [ 2.510884] [ 2.510884] other info that might help us debug this: [ 2.510884] Possible unsafe locking scenario: [ 2.510884] [ 2.510884] CPU0 [ 2.510884] ---- [ 2.510884] lock(slab_mutex); [ 2.510884] lock(slab_mutex); [ 2.510884] [ 2.510884] *** DEADLOCK *** [ 2.510884] [ 2.510884] May be due to missing lock nesting notation [ 2.510884] [ 2.510884] 3 locks held by swapper/0/1: [ 2.510884] #0: 000000008702dddc (cpu_hotplug_lock.rw_sem){++++}, at: kmem_cache_destroy+0x32/0x2b0 [ 2.510884] #1: 0000000050103e4d (mem_hotplug_lock.rw_sem){++++}, at: kmem_cache_destroy+0x37/0x2b0 [ 2.510884] #2: 0000000088703397 (slab_mutex){+.+.}, at: kmem_cache_destroy+0x45/0x2b0 [ 2.510884] [ 2.510884] stack backtrace: [ 2.510884] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 4.19.135-rc1 #1 [ 2.510884] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.0b 07/27/2017 [ 2.510884] Call Trace: [ 2.510884] dump_stack+0x7a/0xa5 [ 2.510884] __lock_acquire+0x6f1/0x1380 [ 2.510884] ? ret_from_fork+0x3a/0x50 [ 2.510884] lock_acquire+0x95/0x190 [ 2.510884] ? lock_acquire+0x95/0x190 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] __mutex_lock+0x83/0x990 [ 2.510884] ? kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? kmem_cache_destroy+0x60/0x2b0 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] mutex_lock_nested+0x1b/0x20 [ 2.510884] ? get_online_mems+0x5f/0x90 [ 2.510884] ? mutex_lock_nested+0x1b/0x20 [ 2.510884] kmem_cache_destroy+0x9a/0x2b0 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] intel_iommu_init+0x11c6/0x1326 [ 2.510884] ? kfree+0xc4/0x240 [ 2.510884] ? lockdep_hardirqs_on+0xef/0x180 [ 2.510884] ? kfree+0xc4/0x240 [ 2.510884] ? trace_hardirqs_on+0x4c/0x100 [ 2.510884] ? unpack_to_rootfs+0x272/0x29a [ 2.510884] ? e820__memblock_setup+0x64/0x64 [ 2.510884] ? set_debug_rodata+0x17/0x17 [ 2.510884] pci_iommu_init+0x1a/0x44 [ 2.510884] ? e820__memblock_setup+0x64/0x64 [ 2.510884] ? pci_iommu_init+0x1a/0x44 [ 2.510884] do_one_initcall+0x61/0x2b4 [ 2.510884] ? set_debug_rodata+0xa/0x17 [ 2.510884] ? rcu_read_lock_sched_held+0x81/0x90 [ 2.510884] kernel_init_freeable+0x1d8/0x270 [ 2.510884] ? rest_init+0x190/0x190 [ 2.510884] kernel_init+0xe/0x110 [ 2.510884] ret_from_fork+0x3a/0x50
Full test log: https://pastebin.com/PWkk0YaF
-- Linaro LKFT https://lkft.linaro.org
-- Yours, Muchun
On Tue, 28 Jul 2020 at 18:33, Muchun Song songmuchun@bytedance.com wrote:
Thanks for your test. I have reviewed the patch:
[PATCH 4.19 76/86] mm: memcg/slab: fix memory leak at non-root kmem_cache destroy
There is a backport problem and I have pointed out the problem in that email.
Thanks for your suggestions on the other email thread. I have made changes as you said and boot test pass on x86 now.
diff --git a/mm/slab_common.c b/mm/slab_common.c index 9c5eb4b08fc3..65bc49f19504 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -842,9 +842,7 @@ static int shutdown_memcg_caches(struct kmem_cache *s)
static void memcg_set_kmem_cache_dying(struct kmem_cache *s) { - mutex_lock(&slab_mutex); s->memcg_params.dying = true; - mutex_unlock(&slab_mutex); }
static void flush_memcg_workqueue(struct kmem_cache *s)
- Naresh
On Mon 2020-07-27 16:03:34, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.19.135 release. There are 86 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 29 Jul 2020 13:48:51 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.135-rc... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below.
It passes tests on CIP test farm:
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4...
linux-stable-mirror@lists.linaro.org
-
dbasehore . -
Dmitry Torokhov -
Greg Kroah-Hartman -
Kieran Bingham -
Mike Snitzer -
Muchun Song -
Naresh Kamboju -
Pavel Machek -
Sasha Levin -
Shuah Khan -
Stefano Garzarella -
Thierry Reding