March 2018 - Linux-stable-mirror

Re: [PATCH 3.18 00/24] 3.18.98-stable review

by Greg Kroah-Hartman

On Fri, Mar 02, 2018 at 05:41:28PM +0000, Harsh Shandilya wrote: > On Fri 2 Mar, 2018, 2:25 PM Greg Kroah-Hartman, <gregkh(a)linuxfoundation.org> > wrote: > > > This is the start of the stable review cycle for the 3.18.98 release. > > There are 24 patches in this series, all will be posted as a response > > to this one. If anyone has any issues with these being applied, please > > let me know. > > > > Responses should be made by Sun Mar 4 08:42:22 UTC 2018. > > Anything received after that time might be too late. > > > > The whole patch series can be found in one patch at: > > > > https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.98-rc… > > or in the git tree and branch at: > > git:// > > git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git > > linux-3.18.y > > and the diffstat can be found below. > > > > Builds and boots on the OnePlus 3T, no merge issues with CAF's msm-3.18 > tree. Great, thanks for testing and letting me know. greg k-h > >

6 years, 2 months

1
0
0 0

[PATCH] spi: Fix scatterlist elements size in spi_map_buf

by Maxime Chevallier

When SPI transfers can be offloaded using DMA, the SPI core need to build a scatterlist to make sure that the buffer to be transferred is dma-able. This patch fixes the scatterlist entry size computation in the case where the maximum acceptable scatterlist entry supported by the DMA controller is less than PAGE_SIZE, when the buffer is vmalloced. For each entry, the actual size is given by the minimum between the desc_len (which is the max buffer size supported by the DMA controller) and the remaining buffer length until we cross a page boundary. Fixes: 65598c13fd66 ("spi: Fix per-page mapping of unaligned vmalloc-ed buffer") Signed-off-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> --- drivers/spi/spi.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c index b33a727a0158..4153f959f28c 100644 --- a/drivers/spi/spi.c +++ b/drivers/spi/spi.c @@ -779,8 +779,14 @@ static int spi_map_buf(struct spi_controller *ctlr, struct device *dev, for (i = 0; i < sgs; i++) { if (vmalloced_buf || kmap_buf) { - min = min_t(size_t, - len, desc_len - offset_in_page(buf)); + /* + * Next scatterlist entry size is the minimum between + * the desc_len and the remaining buffer length that + * fits in a page. + */ + min = min_t(size_t, desc_len, + min_t(size_t, len, + PAGE_SIZE - offset_in_page(buf))); if (vmalloced_buf) vm_page = vmalloc_to_page(buf); else -- 2.11.0

6 years, 2 months

3
2
0 0

Re: [PATCH 1/2] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling

by Juergen Gross

On 02/03/18 15:58, Simon Gaiser wrote: > Juergen Gross: >> On 20/02/18 05:56, Simon Gaiser wrote: >>> Juergen Gross: >>>> On 07/02/18 23:22, Simon Gaiser wrote: >>>>> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple >>>>> concurrent xenstore accesses") made a subtle change to the semantic of >>>>> xenbus_dev_request_and_reply() and xenbus_transaction_end(). >>>>> >>>>> Before on an error response to XS_TRANSACTION_END >>>>> xenbus_dev_request_and_reply() would not decrement the active >>>>> transaction counter. But xenbus_transaction_end() has always counted the >>>>> transaction as finished regardless of the response. >>>> >>>> Which is correct now. Xenstore will free all transaction related >>>> data regardless of the response. A once failed transaction can't >>>> be repaired, it has to be repeated completely. >>> >>> So if xenstore frees the transaction why should we keep it in the list >>> with pending transaction in xenbus_dev_frontend? That's exactly what >>> this patch fixes by always removing it from the list, not only on a >>> successful response (See below for the EINVAL case). >> >> Aah, sorry, I seem to have misread my own coding. :-( >> >> Yes, you are right. Sorry for not seeing it before. >> >>> >>> [...] >>>>> But xenbus_dev_frontend tries to end a transaction on closing of the >>>>> device if the XS_TRANSACTION_END failed before. Trying to close the >>>>> transaction twice corrupts the reference count. So fix this by also >>>>> considering a transaction closed if we have sent XS_TRANSACTION_END once >>>>> regardless of the return code. >>>> >>>> A transaction in the list of transactions should not considered to be >>>> finished. Either it is not on the list or it is still pending. >>> >>> With "considering a transaction closed" I mean "take the code path which >>> removes the transaction from the list with pending transactions". >>> >>> From the follow-up mail: >>>>>> The new behavior is that xenbus_dev_request_and_reply() and >>>>>> xenbus_transaction_end() will always count the transaction as finished >>>>>> regardless the response code (handled in xs_request_exit()). >>>>> >>>>> ENOENT should not decrement the transaction counter, while all >>>>> other responses to XS_TRANSACTION_END should still do so. >>>> >>>> Sorry, I stand corrected: the ENOENT case should never happen, as this >>>> case is tested in xenbus_write_transaction(). It doesn't hurt to test >>>> for ENOENT, though. >>>> >>>> What should be handled is EINVAL: this would happen if a user specified >>>> a string different from "T" and "F". >>> >>> Ok, I will handle those cases in xs_request_exit(). Although I don't >>> like that this depends on the internals of xenstore (At least to me it's >>> not obvious why it should only return ENOENT or EINVAL in this case). >>> >>> In the xenbus_write_transaction() case checking the string before >>> sending the transaction (like the transaction itself is verified) would >>> avoid this problem. >> >> Right. I'd prefer this solution. >> >> Remains the only problem you tried to tackle with your second patch: a >> kernel driver going crazy and ending transactions it never started (or >> ending them multiple times). The EINVAL case can't happen here, but >> ENOENT can. Either ENOENT has to be handled in xs_request_exit() or you >> need to keep track of the transactions like in the user interface and >> refuse ending an unknown transaction. Or you trust the kernel users. >> Trying to fix the usage counter seems to be the wrong approach IMO. > > The point of the second patch was to detect such bugs. This would have > saved quite some time to find this bug. I added the "fix" of the counter > I just because it was trivial after having the if there. > > Adding tracking seems to be a quite complex solution for a _potential_ > problem. I agree. > So I would go with checking ENOENT in xs_request_exit(). Should this be > WARN_ON_ONCE()? Since this normally should not happen I would say yes. Yes, having a WARN_ON_ONCE here will help. > Should I keep the reference counter sanity check? And if yes, with the > "fix" to the counter? I'd drop it. This really should not happen and blowing up kernel size with checks of impossible situations isn't the way to go. In case you really want to do something here you can add something like ASSERT(xs_state_users) before decrementing the counter. Juergen

6 years, 2 months

1
0
0 0

Re: [PATCH 1/2] xen: xenbus_dev_frontend: Fix XS_TRANSACTION_END handling

by Juergen Gross

On 20/02/18 05:56, Simon Gaiser wrote: > Juergen Gross: >> On 07/02/18 23:22, Simon Gaiser wrote: >>> Commit fd8aa9095a95 ("xen: optimize xenbus driver for multiple >>> concurrent xenstore accesses") made a subtle change to the semantic of >>> xenbus_dev_request_and_reply() and xenbus_transaction_end(). >>> >>> Before on an error response to XS_TRANSACTION_END >>> xenbus_dev_request_and_reply() would not decrement the active >>> transaction counter. But xenbus_transaction_end() has always counted the >>> transaction as finished regardless of the response. >> >> Which is correct now. Xenstore will free all transaction related >> data regardless of the response. A once failed transaction can't >> be repaired, it has to be repeated completely. > > So if xenstore frees the transaction why should we keep it in the list > with pending transaction in xenbus_dev_frontend? That's exactly what > this patch fixes by always removing it from the list, not only on a > successful response (See below for the EINVAL case). Aah, sorry, I seem to have misread my own coding. :-( Yes, you are right. Sorry for not seeing it before. > > [...] >>> But xenbus_dev_frontend tries to end a transaction on closing of the >>> device if the XS_TRANSACTION_END failed before. Trying to close the >>> transaction twice corrupts the reference count. So fix this by also >>> considering a transaction closed if we have sent XS_TRANSACTION_END once >>> regardless of the return code. >> >> A transaction in the list of transactions should not considered to be >> finished. Either it is not on the list or it is still pending. > > With "considering a transaction closed" I mean "take the code path which > removes the transaction from the list with pending transactions". > > From the follow-up mail: >>>> The new behavior is that xenbus_dev_request_and_reply() and >>>> xenbus_transaction_end() will always count the transaction as finished >>>> regardless the response code (handled in xs_request_exit()). >>> >>> ENOENT should not decrement the transaction counter, while all >>> other responses to XS_TRANSACTION_END should still do so. >> >> Sorry, I stand corrected: the ENOENT case should never happen, as this >> case is tested in xenbus_write_transaction(). It doesn't hurt to test >> for ENOENT, though. >> >> What should be handled is EINVAL: this would happen if a user specified >> a string different from "T" and "F". > > Ok, I will handle those cases in xs_request_exit(). Although I don't > like that this depends on the internals of xenstore (At least to me it's > not obvious why it should only return ENOENT or EINVAL in this case). > > In the xenbus_write_transaction() case checking the string before > sending the transaction (like the transaction itself is verified) would > avoid this problem. Right. I'd prefer this solution. Remains the only problem you tried to tackle with your second patch: a kernel driver going crazy and ending transactions it never started (or ending them multiple times). The EINVAL case can't happen here, but ENOENT can. Either ENOENT has to be handled in xs_request_exit() or you need to keep track of the transactions like in the user interface and refuse ending an unknown transaction. Or you trust the kernel users. Trying to fix the usage counter seems to be the wrong approach IMO. Juergen

6 years, 2 months

1
0
0 0

Re: [PATCH] i2c: s3c2410: Properly handle interrupts of number 0

by Russell King - ARM Linux

On Fri, Mar 02, 2018 at 01:46:47PM +0100, Wolfram Sang wrote: > > So, maybe some words why I accepted this patch. > > On Fri, Mar 02, 2018 at 11:19:31AM +0000, Russell King - ARM Linux wrote: > > Note that there have been patches proposed to make platform_get_irq() > > return an error rather than returning a value of zero, so changing > > the driver in this way is not a good idea. > > I'd much agree to such an approach, yet I didn't see it coming along so > far for years(?) now. It needs platform maintainers to be motivated to fix it, and one way to provide that motivation is for subsystem maintainers to say no to patches like this. If patches like this get accepted, then the "problem" gets solved, and there is very little motivation to fix the platform itself. If you look back at the history of this, the times when platforms have been fixed is when they have a problem exactly like this, and they're told to fix their platforms IRQ numbering instead of the patch to "fix" the driver being accepted. Why fix the interrupt numbering if patches to "fix" drivers get accepted? -- RMK's Patch system: http://www.armlinux.org.uk/developer/patches/ FTTC broadband for 0.8mile line in suburbia: sync at 8.8Mbps down 630kbps up According to speedtest.net: 8.21Mbps down 510kbps up

6 years, 2 months

1
0
0 0

[PATCH] i2c: s3c2410: Properly handle interrupts of number 0

by Krzysztof Kozlowski

Interrupt number 0 (returned by platform_get_irq()) might be a valid IRQ so do not treat it as an error. If interrupt 0 was configured, the driver would exit the probe early, before finishing initialization, but with 0-exit status. Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com> Cc: stable(a)vger.kernel.org Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.") Signed-off-by: Krzysztof Kozlowski <krzk(a)kernel.org> --- drivers/i2c/busses/i2c-s3c2410.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c index 5d97510ee48b..783a93404f47 100644 --- a/drivers/i2c/busses/i2c-s3c2410.c +++ b/drivers/i2c/busses/i2c-s3c2410.c @@ -1178,7 +1178,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev) */ if (!(i2c->quirks & QUIRK_POLL)) { i2c->irq = ret = platform_get_irq(pdev, 0); - if (ret <= 0) { + if (ret < 0) { dev_err(&pdev->dev, "cannot find IRQ\n"); clk_unprepare(i2c->clk); return ret; -- 2.7.4

6 years, 2 months

3
5
0 0

[PATCH 1/1] usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()

by Xinyong

When I debug a kernel crash issue in funcitonfs, found ffs_data.ref overflowed, While functionfs is unmounting, ffs_data is put twice. Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to refcount_t") can avoid refcount overflow, but that is risk some situations. So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed. The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device. KASAN enabled configuration reports use-after-free errro. BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0 Read of size 4 by task umount/4650 ==================================================== BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected ----------------------------------------------------------------------------- INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566 alloc_debug_processing+0x1ac/0x1e8 ___slab_alloc.constprop.63+0x640/0x648 __slab_alloc.isra.57.constprop.62+0x24/0x34 kmem_cache_alloc_trace+0x1a8/0x2bc ffs_fs_mount+0x194/0x844 mount_fs+0x6c/0x1d0 vfs_kern_mount+0x50/0x1b4 do_mount+0x258/0x1034 INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650 free_debug_processing+0x22c/0x434 __slab_free+0x2d8/0x3a0 kfree+0x254/0x264 ffs_data_put+0x25c/0x320 ffs_data_closed+0x124/0x15c ffs_fs_kill_sb+0xb8/0x110 deactivate_locked_super+0x6c/0x98 deactivate_super+0xb0/0xbc INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null) ...... Call trace: [<ffffff900808cf5c>] dump_backtrace+0x0/0x250 [<ffffff900808d3a0>] show_stack+0x14/0x1c [<ffffff90084a8c04>] dump_stack+0xa0/0xc8 [<ffffff900826c2b4>] print_trailer+0x158/0x260 [<ffffff900826d9d8>] object_err+0x3c/0x40 [<ffffff90082745f0>] kasan_report_error+0x2a8/0x754 [<ffffff9008274f84>] kasan_report+0x5c/0x60 [<ffffff9008273208>] __asan_load4+0x70/0x88 [<ffffff90084cd81c>] refcount_dec_and_test+0x14/0xe0 [<ffffff9008d98f9c>] ffs_data_put+0x80/0x320 [<ffffff9008d9d904>] ffs_fs_kill_sb+0xc8/0x110 [<ffffff90082852a0>] deactivate_locked_super+0x6c/0x98 [<ffffff900828537c>] deactivate_super+0xb0/0xbc [<ffffff90082af0c0>] cleanup_mnt+0x64/0xec [<ffffff90082af1b0>] __cleanup_mnt+0x10/0x18 [<ffffff90080d9e68>] task_work_run+0xcc/0x124 [<ffffff900808c8c0>] do_notify_resume+0x60/0x70 [<ffffff90080866e4>] work_pending+0x10/0x14 Cc: stable(a)vger.kernel.org Signed-off-by: Xinyong <xinyong.fang(a)linux.alibaba.com> --- drivers/usb/gadget/function/f_fs.c | 1 - 1 file changed, 1 deletion(-) diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c index c2592d8..d2428a9 100644 --- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1538,7 +1538,6 @@ static int ffs_fs_parse_opts(struct ffs_sb_fill_data *data, char *opts) if (sb->s_fs_info) { ffs_release_dev(sb->s_fs_info); ffs_data_closed(sb->s_fs_info); - ffs_data_put(sb->s_fs_info); } } -- 1.7.9.5

6 years, 2 months

1
0
0 0

Re: [PATCH] i2c: s3c2410: Properly handle interrupts of number 0

by Dan Carpenter

On Fri, Mar 02, 2018 at 11:29:26AM +0100, Wolfram Sang wrote: > On Thu, Mar 01, 2018 at 09:34:44PM +0100, Krzysztof Kozlowski wrote: > > Interrupt number 0 (returned by platform_get_irq()) might be a valid IRQ > > so do not treat it as an error. If interrupt 0 was configured, the driver > > would exit the probe early, before finishing initialization, but with > > 0-exit status. > > > > Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com> > > Cc: stable(a)vger.kernel.org > > Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.") > > Please configure git to use 14 digits here. Wait, when did we decide that 12 wasn't enough? I just did a `git log | grep Fixes | tee baz | head -n 200` and only on my git tree tehre were only 2 which used exactly 14 digits. The standard is 12. regards, dan carpenter

6 years, 2 months

1
1
0 0

[PATCH 2/2] PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L

by Hans de Goede

The Highpoint RocketRAID 644L uses a Marvel 88SE9235 controller, as with other Marvel controllers this needs a function 1 DMA alias quirk. Note the RocketRAID 642L uses the same Marvel 88SE9235 controller and already is listed with a function 1 DMA alias quirk. Cc: stable(a)vger.kernel.org BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1534106 Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/pci/quirks.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 8b14bd326d4a..46d47bd6ca1f 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -3908,6 +3908,8 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9230, quirk_dma_func1_alias); DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0642, quirk_dma_func1_alias); +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_TTI, 0x0645, + quirk_dma_func1_alias); /* https://bugs.gentoo.org/show_bug.cgi?id=497630 */ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB388_ESD, -- 2.14.3

6 years, 2 months

1
0
0 0

[PATCH 1/2] ahci: Add PCI-id for the Highpoint Rocketraid 644L card

by Hans de Goede

Like the Highpoint Rocketraid 642L and cards using a Marvel 88SE9235 controller in general, this RAID card also supports AHCI mode and short of a custom driver, this is the only way to make it work under Linux. Note that even though the card is called to 644L, it has a product-id of 0x0645. Cc: stable(a)vger.kernel.org BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1534106 Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- drivers/ata/ahci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c index 355a95a83a34..1ff17799769d 100644 --- a/drivers/ata/ahci.c +++ b/drivers/ata/ahci.c @@ -550,7 +550,9 @@ static const struct pci_device_id ahci_pci_tbl[] = { .driver_data = board_ahci_yes_fbs }, { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), .driver_data = board_ahci_yes_fbs }, - { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), + { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0642), /* highpoint rocketraid 642L */ + .driver_data = board_ahci_yes_fbs }, + { PCI_DEVICE(PCI_VENDOR_ID_TTI, 0x0645), /* highpoint rocketraid 644L */ .driver_data = board_ahci_yes_fbs }, /* Promise */ -- 2.14.3

6 years, 2 months

1
0
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror March 2018