April 2019 - Linux-stable-mirror

[PATCH 4.20, 5.0] mt76x02u: use usb_bulk_msg to upload firmware

by Stanislaw Gruszka

commit 5de4db8fcb6d6fc7d9064c22841211790c0ab81b upstream. We don't need to send firmware data asynchronously, much simpler is just use synchronous usb_bulk_msg(). [ stable note: this patch was originally developed as cleanup, but it remove incorrect usage of page_frag_alloc(): alloc more than PAGE_SIZE and create not ARCH_DMA_MINALIGN dma buffers needed at least for performance reason. Was tested on 5.0 and 4.20, see https://bugzilla.kernel.org/show_bug.cgi?id=202673 and https://bugzilla.kernel.org/show_bug.cgi?id=202241 ] Tested-by: Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com> Signed-off-by: Felix Fietkau <nbd(a)nbd.name> Signed-off-by: Stanislaw Gruszka <sgruszka(a)redhat.com> --- drivers/net/wireless/mediatek/mt76/mt76.h | 13 ++++++ .../net/wireless/mediatek/mt76/mt76x02_usb_mcu.c | 52 +++++++--------------- drivers/net/wireless/mediatek/mt76/usb.c | 1 - 3 files changed, 29 insertions(+), 37 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h index 5cd508a68609..6d29ba4046c3 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76.h +++ b/drivers/net/wireless/mediatek/mt76/mt76.h @@ -713,6 +713,19 @@ static inline bool mt76u_check_sg(struct mt76_dev *dev) udev->speed == USB_SPEED_WIRELESS)); } +static inline int +mt76u_bulk_msg(struct mt76_dev *dev, void *data, int len, int timeout) +{ + struct usb_interface *intf = to_usb_interface(dev->dev); + struct usb_device *udev = interface_to_usbdev(intf); + struct mt76_usb *usb = &dev->usb; + unsigned int pipe; + int sent; + + pipe = usb_sndbulkpipe(udev, usb->out_ep[MT_EP_OUT_INBAND_CMD]); + return usb_bulk_msg(udev, pipe, data, len, &sent, timeout); +} + int mt76u_vendor_request(struct mt76_dev *dev, u8 req, u8 req_type, u16 val, u16 offset, void *buf, size_t len); diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c index 6db789f90269..2ca393e267af 100644 --- a/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt76x02_usb_mcu.c @@ -121,18 +121,14 @@ static int __mt76x02u_mcu_send_msg(struct mt76_dev *dev, struct sk_buff *skb, int cmd, bool wait_resp) { - struct usb_interface *intf = to_usb_interface(dev->dev); - struct usb_device *udev = interface_to_usbdev(intf); struct mt76_usb *usb = &dev->usb; - unsigned int pipe; - int ret, sent; + int ret; u8 seq = 0; u32 info; if (test_bit(MT76_REMOVED, &dev->state)) return 0; - pipe = usb_sndbulkpipe(udev, usb->out_ep[MT_EP_OUT_INBAND_CMD]); if (wait_resp) { seq = ++usb->mcu.msg_seq & 0xf; if (!seq) @@ -146,7 +142,7 @@ __mt76x02u_mcu_send_msg(struct mt76_dev *dev, struct sk_buff *skb, if (ret) return ret; - ret = usb_bulk_msg(udev, pipe, skb->data, skb->len, &sent, 500); + ret = mt76u_bulk_msg(dev, skb->data, skb->len, 500); if (ret) return ret; @@ -268,14 +264,12 @@ void mt76x02u_mcu_fw_reset(struct mt76x02_dev *dev) EXPORT_SYMBOL_GPL(mt76x02u_mcu_fw_reset); static int -__mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, struct mt76u_buf *buf, +__mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, u8 *data, const void *fw_data, int len, u32 dst_addr) { - u8 *data = sg_virt(&buf->urb->sg[0]); - DECLARE_COMPLETION_ONSTACK(cmpl); __le32 info; u32 val; - int err; + int err, data_len; info = cpu_to_le32(FIELD_PREP(MT_MCU_MSG_PORT, CPU_TX_PORT) | FIELD_PREP(MT_MCU_MSG_LEN, len) | @@ -291,25 +285,12 @@ __mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, struct mt76u_buf *buf, mt76u_single_wr(&dev->mt76, MT_VEND_WRITE_FCE, MT_FCE_DMA_LEN, len << 16); - buf->len = MT_CMD_HDR_LEN + len + sizeof(info); - err = mt76u_submit_buf(&dev->mt76, USB_DIR_OUT, - MT_EP_OUT_INBAND_CMD, - buf, GFP_KERNEL, - mt76u_mcu_complete_urb, &cmpl); - if (err < 0) - return err; - - if (!wait_for_completion_timeout(&cmpl, - msecs_to_jiffies(1000))) { - dev_err(dev->mt76.dev, "firmware upload timed out\n"); - usb_kill_urb(buf->urb); - return -ETIMEDOUT; - } + data_len = MT_CMD_HDR_LEN + len + sizeof(info); - if (mt76u_urb_error(buf->urb)) { - dev_err(dev->mt76.dev, "firmware upload failed: %d\n", - buf->urb->status); - return buf->urb->status; + err = mt76u_bulk_msg(&dev->mt76, data, data_len, 1000); + if (err) { + dev_err(dev->mt76.dev, "firmware upload failed: %d\n", err); + return err; } val = mt76_rr(dev, MT_TX_CPU_FROM_FCE_CPU_DESC_IDX); @@ -322,17 +303,16 @@ __mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, struct mt76u_buf *buf, int mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, const void *data, int data_len, u32 max_payload, u32 offset) { - int err, len, pos = 0, max_len = max_payload - 8; - struct mt76u_buf buf; + int len, err = 0, pos = 0, max_len = max_payload - 8; + u8 *buf; - err = mt76u_buf_alloc(&dev->mt76, &buf, 1, max_payload, max_payload, - GFP_KERNEL); - if (err < 0) - return err; + buf = kmalloc(max_payload, GFP_KERNEL); + if (!buf) + return -ENOMEM; while (data_len > 0) { len = min_t(int, data_len, max_len); - err = __mt76x02u_mcu_fw_send_data(dev, &buf, data + pos, + err = __mt76x02u_mcu_fw_send_data(dev, buf, data + pos, len, offset + pos); if (err < 0) break; @@ -341,7 +321,7 @@ int mt76x02u_mcu_fw_send_data(struct mt76x02_dev *dev, const void *data, pos += len; usleep_range(5000, 10000); } - mt76u_buf_free(&buf); + kfree(buf); return err; } diff --git a/drivers/net/wireless/mediatek/mt76/usb.c b/drivers/net/wireless/mediatek/mt76/usb.c index b061263453d4..09923cedd039 100644 --- a/drivers/net/wireless/mediatek/mt76/usb.c +++ b/drivers/net/wireless/mediatek/mt76/usb.c @@ -326,7 +326,6 @@ int mt76u_buf_alloc(struct mt76_dev *dev, struct mt76u_buf *buf, return mt76u_fill_rx_sg(dev, buf, nsgs, len, sglen); } -EXPORT_SYMBOL_GPL(mt76u_buf_alloc); void mt76u_buf_free(struct mt76u_buf *buf) { -- 2.7.5

5 years, 1 month

2
1
0 0

[PATCH stable 4.19, 4.20, 5.0] bpf: do not restore dst_reg when cur_state is freed

by Daniel Borkmann

From: Xu Yu <xuyu(a)linux.alibaba.com> [ upstream commit 0803278b0b4d8eeb2b461fb698785df65a725d9e ] Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug. Call trace: dump_stack+0xbf/0x12e print_address_description+0x6a/0x280 kasan_report+0x237/0x360 sanitize_ptr_alu+0x85a/0x8d0 adjust_ptr_min_max_vals+0x8f2/0x1ca0 adjust_reg_min_max_vals+0x8ed/0x22e0 do_check+0x1ca6/0x5d00 bpf_check+0x9ca/0x2570 bpf_prog_load+0xc91/0x1030 __se_sys_bpf+0x61e/0x1f00 do_syscall_64+0xc8/0x550 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fault injection trace: kfree+0xea/0x290 free_func_state+0x4a/0x60 free_verifier_state+0x61/0xe0 push_stack+0x216/0x2f0 <- inject failslab sanitize_ptr_alu+0x2b1/0x8d0 adjust_ptr_min_max_vals+0x8f2/0x1ca0 adjust_reg_min_max_vals+0x8ed/0x22e0 do_check+0x1ca6/0x5d00 bpf_check+0x9ca/0x2570 bpf_prog_load+0xc91/0x1030 __se_sys_bpf+0x61e/0x1f00 do_syscall_64+0xc8/0x550 entry_SYSCALL_64_after_hwframe+0x49/0xbe When kzalloc() fails in push_stack(), free_verifier_state() will free current verifier state. As push_stack() returns, dst_reg was restored if ptr_is_dst_reg is false. However, as member of the cur_state, dst_reg is also freed, and error occurs when dereferencing dst_reg. Simply fix it by testing ret of push_stack() before restoring dst_reg. Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") Signed-off-by: Xu Yu <xuyu(a)linux.alibaba.com> Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> --- kernel/bpf/verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index bcb42aa..acc2305 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2815,7 +2815,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, *dst_reg = *ptr_reg; } ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); - if (!ptr_is_dst_reg) + if (!ptr_is_dst_reg && ret) *dst_reg = tmp; return !ret ? -EFAULT : 0; } -- 2.9.5

5 years, 1 month

2
1
0 0

[PATCH 4.9 00/30] 4.9.166-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.166 release. There are 30 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Mar 28 04:25:51 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.166-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.166-rc1 Arnd Bergmann <arnd(a)arndb.de> ath10k: avoid possible string overflow Baolin Wang <baolin.wang(a)linaro.org> power: supply: charger-manager: Fix incorrect return value Enric Balletbo i Serra <enric.balletbo(a)collabora.com> pwm-backlight: Enable/disable the PWM before/after LCD enable toggle. Baolin Wang <baolin.wang(a)linaro.org> rtc: Fix overflow when converting time64_t to rtc_time kehuanlin <chgokhl(a)gmail.com> scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1 Andrey Konovalov <andreyknvl(a)google.com> USB: core: only clean up what we allocated Peter Zijlstra <peterz(a)infradead.org> lib/int_sqrt: optimize small argument Lanqing Liu <lanqing.liu(a)spreadtrum.com> serial: sprd: clear timeout interrupt only rather than all interrupts Qiao Zhou <qiaozhou(a)asrmicro.com> arm64: traps: disable irq in die() Al Viro <viro(a)ZenIV.linux.org.uk> Hang/soft lockup in d_invalidate with simultaneous calls Wei Qiao <wei.qiao(a)spreadtrum.com> serial: sprd: adjust TIMEOUT to a big value Eric Dumazet <edumazet(a)google.com> tcp/dccp: drop SYN packets if accept queue is full Hui Wang <hui.wang(a)canonical.com> ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec Takashi Iwai <tiwai(a)suse.de> ALSA: hda - Record the current power state before suspend/resume calls Waiman Long <longman(a)redhat.com> locking/lockdep: Add debug_locks check in __lock_downgrade() Myungho Jung <mhjungk(a)gmail.com> Bluetooth: Fix decrementing reference count twice in releasing socket Hans Verkuil <hverkuil(a)xs4all.nl> media: v4l2-ctrls.c/uvc: zero v4l2_event zhangyi (F) <yi.zhang(a)huawei.com> ext4: brelse all indirect buffer in ext4_ind_remove_space() Lukas Czerner <lczerner(a)redhat.com> ext4: fix data corruption caused by unaligned direct AIO Jiufei Xue <jiufei.xue(a)linux.alibaba.com> ext4: fix NULL pointer dereference while journal is aborted Josh Poimboeuf <jpoimboe(a)redhat.com> objtool: Move objtool_file struct off the stack Chen Jie <chenjie6(a)huawei.com> futex: Ensure that futex address is aligned in handle_futex_death() Archer Yan <ayan(a)wavecomp.com> MIPS: Fix kernel crash for R6 in jump label branch function Yasha Cherikovsky <yasha.che3(a)gmail.com> MIPS: Ensure ELF appended dtb is relocated Yifeng Li <tomli(a)tomli.me> mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction. Jan Kara <jack(a)suse.cz> udf: Fix crash on IO error during truncate Ilya Dryomov <idryomov(a)gmail.com> libceph: wait for latest osdmap in ceph_monc_blacklist_add() Stanislaw Gruszka <sgruszka(a)redhat.com> iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE Thomas Zimmermann <tzimmermann(a)suse.de> drm/vmwgfx: Don't double-free the mode stored in par->set_mode Arnd Bergmann <arnd(a)arndb.de> mmc: pxamci: fix enum type confusion ------------- Diffstat: Makefile | 4 +-- arch/arm64/kernel/traps.c | 8 +++-- arch/mips/include/asm/jump_label.h | 8 ++--- arch/mips/kernel/vmlinux.lds.S | 12 ++++--- arch/mips/loongson64/lemote-2f/irq.c | 2 +- drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 ++----- drivers/iommu/amd_iommu.c | 7 ++++- drivers/media/usb/uvc/uvc_ctrl.c | 2 +- drivers/media/v4l2-core/v4l2-ctrls.c | 2 +- drivers/mmc/host/pxamci.c | 2 +- drivers/net/wireless/ath/ath10k/wmi.c | 2 +- drivers/power/supply/charger-manager.c | 3 +- drivers/rtc/rtc-lib.c | 6 ++-- drivers/scsi/ufs/ufshcd.c | 14 +++++---- drivers/tty/serial/sprd_serial.c | 6 ++-- drivers/usb/core/config.c | 9 ++++-- drivers/video/backlight/pwm_bl.c | 9 +++--- fs/dcache.c | 10 +++--- fs/ext4/ext4_jbd2.h | 2 +- fs/ext4/file.c | 2 +- fs/ext4/indirect.c | 12 ++++--- fs/udf/truncate.c | 3 ++ include/linux/ceph/libceph.h | 2 ++ include/net/inet_connection_sock.h | 5 --- kernel/futex.c | 4 +++ kernel/locking/lockdep.c | 3 ++ lib/int_sqrt.c | 3 ++ net/bluetooth/hci_sock.c | 3 +- net/ceph/ceph_common.c | 18 ++++++++++- net/ceph/mon_client.c | 9 ++++++ net/dccp/ipv4.c | 8 +---- net/dccp/ipv6.c | 2 +- net/ipv4/tcp_input.c | 8 +---- sound/pci/hda/hda_codec.c | 57 ++++++++++++++++++++++++++++++++-- tools/objtool/check.c | 3 +- 35 files changed, 175 insertions(+), 87 deletions(-)

5 years, 1 month

7
37
0 0

FAILED: patch "[PATCH] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001 From: Kohji Okuno <okuno.kohji(a)jp.panasonic.com> Date: Tue, 26 Feb 2019 11:34:13 +0900 Subject: [PATCH] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time In the current cpuidle implementation for i.MX6q, the CPU that sets 'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of "WAIT", if the other CPU wakes up and enters IDLE state of "WFI" istead of "WAIT", this CPU can not wake up at expired time. Because, in the case of "WFI", the CPU must be waked up by the local timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer is stopped, when all CPUs execute "wfi" instruction. As a result, the local timer interrupt is not fired. In this situation, this CPU will wake up by IRQ different from local timer. (e.g. broacast timer) So, this fix changes CPU to return to 'WAIT_CLOCKED'. Signed-off-by: Kohji Okuno <okuno.kohji(a)jp.panasonic.com> Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle") Cc: <stable(a)vger.kernel.org> Signed-off-by: Shawn Guo <shawnguo(a)kernel.org> diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c index bfeb25aaf9a2..326e870d7123 100644 --- a/arch/arm/mach-imx/cpuidle-imx6q.c +++ b/arch/arm/mach-imx/cpuidle-imx6q.c @@ -16,30 +16,23 @@ #include "cpuidle.h" #include "hardware.h" -static atomic_t master = ATOMIC_INIT(0); -static DEFINE_SPINLOCK(master_lock); +static int num_idle_cpus = 0; +static DEFINE_SPINLOCK(cpuidle_lock); static int imx6q_enter_wait(struct cpuidle_device *dev, struct cpuidle_driver *drv, int index) { - if (atomic_inc_return(&master) == num_online_cpus()) { - /* - * With this lock, we prevent other cpu to exit and enter - * this function again and become the master. - */ - if (!spin_trylock(&master_lock)) - goto idle; + spin_lock(&cpuidle_lock); + if (++num_idle_cpus == num_online_cpus()) imx6_set_lpm(WAIT_UNCLOCKED); - cpu_do_idle(); - imx6_set_lpm(WAIT_CLOCKED); - spin_unlock(&master_lock); - goto done; - } + spin_unlock(&cpuidle_lock); -idle: cpu_do_idle(); -done: - atomic_dec(&master); + + spin_lock(&cpuidle_lock); + if (num_idle_cpus-- == num_online_cpus()) + imx6_set_lpm(WAIT_CLOCKED); + spin_unlock(&cpuidle_lock); return index; }

5 years, 1 month

3
2
0 0

Re: [PATCH 1/3] xhci: Fix port resume done detection for SS ports with LPM enabled

by Mathias Nyman

On 27.3.2019 16.00, Sasha Levin wrote: > Hi, > > [This is an automated email] > > This commit has been processed because it contains a -stable tag. > The stable tag indicates that it's relevant for the following trees: all > > The bot has tested the following trees: v5.0.4, v4.19.31, v4.14.108, v4.9.165, v4.4.177, v3.18.137. > > v5.0.4: Build OK! > v4.19.31: Build OK! > v4.14.108: Build OK! > v4.9.165: Failed to apply! Possible dependencies: > 76a0f32b28d4 ("xhci: rename temp and temp1 variables") > > v4.4.177: Failed to apply! Possible dependencies: > 76a0f32b28d4 ("xhci: rename temp and temp1 variables") > > v3.18.137: Failed to apply! Possible dependencies: > 2338b9e47fba ("xhci: define the new default speed ID for SuperSpeedPlus used by xhci hw") > 41485a90d573 ("xhci: optimize xhci bus resume time") > 76a0f32b28d4 ("xhci: rename temp and temp1 variables") > b50107bb83d0 ("xhci: check xhci hardware for USB 3.1 support") > cd33a32157e4 ("usb: xhci: cleanup xhci_hcd allocation") > > > How should we proceed with this patch? Backported versions for 4.9, 4.4 and 3.18 sent to stable Thanks Mathias

5 years, 1 month

2
1
0 0

[PATCH] USB: gadget: f_hid: fix deadlock in f_hidg_write()

by Radoslav Gerganov

commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream. In f_hidg_write() the write_spinlock is acquired before calling usb_ep_queue() which causes a deadlock when dummy_hcd is being used. This is because dummy_queue() callbacks into f_hidg_req_complete() which tries to acquire the same spinlock. This is (part of) the backtrace when the deadlock occurs: 0xffffffffc06b1410 in f_hidg_req_complete 0xffffffffc06a590a in usb_gadget_giveback_request 0xffffffffc06cfff2 in dummy_queue 0xffffffffc06a4b96 in usb_ep_queue 0xffffffffc06b1eb6 in f_hidg_write 0xffffffff8127730b in __vfs_write 0xffffffff812774d1 in vfs_write 0xffffffff81277725 in SYSC_write Fix this by releasing the write_spinlock before calling usb_ep_queue() Reviewed-by: James Bottomley <James.Bottomley(a)HansenPartnership.com> Tested-by: James Bottomley <James.Bottomley(a)HansenPartnership.com> Cc: stable(a)vger.kernel.org Fixes: 749494b6bdbb ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()") Signed-off-by: Radoslav Gerganov <rgerganov(a)vmware.com> Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com> --- drivers/usb/gadget/function/f_hid.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c index 5815120..8e83649 100644 --- a/drivers/usb/gadget/function/f_hid.c +++ b/drivers/usb/gadget/function/f_hid.c @@ -340,20 +340,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer, req->complete = f_hidg_req_complete; req->context = hidg; + spin_unlock_irqrestore(&hidg->write_spinlock, flags); + status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC); if (status < 0) { ERROR(hidg->func.config->cdev, "usb_ep_queue error on int endpoint %zd\n", status); - goto release_write_pending_unlocked; + goto release_write_pending; } else { status = count; } - spin_unlock_irqrestore(&hidg->write_spinlock, flags); return status; release_write_pending: spin_lock_irqsave(&hidg->write_spinlock, flags); -release_write_pending_unlocked: hidg->write_pending = 0; spin_unlock_irqrestore(&hidg->write_spinlock, flags); -- 1.9.1

5 years, 1 month

2
2
0 0

[PATCH] arm64: compat: Reduce address limit

by Vincenzo Frascino

Currently, compat tasks running on arm64 can allocate memory up to TASK_SIZE_32 (UL(0x100000000)). This means that mmap() allocations, if we treat them as returning an array, are not compliant with the sections 6.5.8 of the C standard (C99) which states that: "If the expression P points to an element of an array object and the expression Q points to the last element of the same array object, the pointer expression Q+1 compares greater than P". Redefine TASK_SIZE_32 to address the issue. Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Will Deacon <will.deacon(a)arm.com> Cc: Jann Horn <jannh(a)google.com> Reported-by: Jann Horn <jannh(a)google.com> Signed-off-by: Vincenzo Frascino <vincenzo.frascino(a)arm.com> --- arch/arm64/include/asm/processor.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h index 5d9ce62bdebd..f8235f7df29b 100644 --- a/arch/arm64/include/asm/processor.h +++ b/arch/arm64/include/asm/processor.h @@ -57,7 +57,11 @@ #define TASK_SIZE_64 (UL(1) << vabits_user) #ifdef CONFIG_COMPAT +#ifdef CONFIG_ARM64_64K_PAGES #define TASK_SIZE_32 UL(0x100000000) +#else +#define TASK_SIZE_32 (UL(0x100000000) - PAGE_SIZE) +#endif /* CONFIG_ARM64_64K_PAGES */ #define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \ TASK_SIZE_32 : TASK_SIZE_64) #define TASK_SIZE_OF(tsk) (test_tsk_thread_flag(tsk, TIF_32BIT) ? \ -- 2.21.0

5 years, 1 month

2
2
0 0

[PATCH backport to 4.4 and 4.9] xhci: Fix port resume done detection for SS ports with LPM enabled

by Mathias Nyman

commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream backport to 4.4 and 4.9 stable A suspended SS port in U3 link state will go to U0 when resumed, but can almost immediately after that enter U1 or U2 link power save states before host controller driver reads the port status. Host controller driver only checks for U0 state, and might miss the finished resume, leaving flags unclear and skip notifying usb code of the wake. Add U1 and U2 to the possible link states when checking for finished port resume. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 9 ++++++--- drivers/usb/host/xhci.h | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index f4e34a7..879d822 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1645,10 +1645,13 @@ static void handle_port_status(struct xhci_hcd *xhci, } } - if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 && - DEV_SUPERSPEED_ANY(temp)) { + if ((temp & PORT_PLC) && + DEV_SUPERSPEED_ANY(temp) && + ((temp & PORT_PLS_MASK) == XDEV_U0 || + (temp & PORT_PLS_MASK) == XDEV_U1 || + (temp & PORT_PLS_MASK) == XDEV_U2)) { xhci_dbg(xhci, "resume SS port %d finished\n", port_id); - /* We've just brought the device into U0 through either the + /* We've just brought the device into U0/1/2 through either the * Resume state after a device remote wakeup, or through the * U3Exit state after a host-initiated resume. If it's a device * initiated remote wake, don't pass up the link state change, diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index e679fec..de4771c 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -311,6 +311,7 @@ struct xhci_op_regs { */ #define PORT_PLS_MASK (0xf << 5) #define XDEV_U0 (0x0 << 5) +#define XDEV_U1 (0x1 << 5) #define XDEV_U2 (0x2 << 5) #define XDEV_U3 (0x3 << 5) #define XDEV_INACTIVE (0x6 << 5) -- 2.7.4

5 years, 1 month

1
0
0 0

[PATCH backport to 3.18] xhci: Fix port resume done detection for SS ports with LPM enabled

by Mathias Nyman

commit 6cbcf596934c8e16d6288c7cc62dfb7ad8eadf15 upstream. backport to 3.18 stable. A suspended SS port in U3 link state will go to U0 when resumed, but can almost immediately after that enter U1 or U2 link power save states before host controller driver reads the port status. Host controller driver only checks for U0 state, and might miss the finished resume, leaving flags unclear and skip notifying usb code of the wake. Add U1 and U2 to the possible link states when checking for finished port resume. Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-ring.c | 9 ++++++--- drivers/usb/host/xhci.h | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-ring.c b/drivers/usb/host/xhci-ring.c index 1b70797..54e4af8 100644 --- a/drivers/usb/host/xhci-ring.c +++ b/drivers/usb/host/xhci-ring.c @@ -1599,10 +1599,13 @@ static void handle_port_status(struct xhci_hcd *xhci, } } - if ((temp & PORT_PLC) && (temp & PORT_PLS_MASK) == XDEV_U0 && - DEV_SUPERSPEED(temp)) { + if ((temp & PORT_PLC) && + DEV_SUPERSPEED(temp) && + ((temp & PORT_PLS_MASK) == XDEV_U0 || + (temp & PORT_PLS_MASK) == XDEV_U1 || + (temp & PORT_PLS_MASK) == XDEV_U2)) { xhci_dbg(xhci, "resume SS port %d finished\n", port_id); - /* We've just brought the device into U0 through either the + /* We've just brought the device into U0/1/2 through either the * Resume state after a device remote wakeup, or through the * U3Exit state after a host-initiated resume. If it's a device * initiated remote wake, don't pass up the link state change, diff --git a/drivers/usb/host/xhci.h b/drivers/usb/host/xhci.h index 2ea272a..190d8ed 100644 --- a/drivers/usb/host/xhci.h +++ b/drivers/usb/host/xhci.h @@ -283,6 +283,7 @@ struct xhci_op_regs { */ #define PORT_PLS_MASK (0xf << 5) #define XDEV_U0 (0x0 << 5) +#define XDEV_U1 (0x1 << 5) #define XDEV_U2 (0x2 << 5) #define XDEV_U3 (0x3 << 5) #define XDEV_RESUME (0xf << 5) -- 2.7.4

5 years, 1 month

1
0
0 0

FAILED: patch "[PATCH] scsi: zfcp: fix rport unblock if deleted SCSI devices on" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From fe67888fc007a76b81e37da23ce5bd8fb95890b0 Mon Sep 17 00:00:00 2001 From: Steffen Maier <maier(a)linux.ibm.com> Date: Tue, 26 Mar 2019 14:36:58 +0100 Subject: [PATCH] scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host An already deleted SCSI device can exist on the Scsi_Host and remain there because something still holds a reference. A new SCSI device with the same H:C:T:L and FCP device, target port WWPN, and FCP LUN can be created. When we try to unblock an rport, we still find the deleted SCSI device and return early because the zfcp_scsi_dev of that SCSI device is not ZFCP_STATUS_COMMON_UNBLOCKED. Hence we miss to unblock the rport, even if the new proper SCSI device would be in good state. Therefore, skip deleted SCSI devices when iterating the sdevs of the shost. [cf. __scsi_device_lookup{_by_target}() or scsi_device_get()] The following abbreviated trace sequence can indicate such problem: Area : REC Tag : ersfs_3 LUN : 0x4045400300000000 WWPN : 0x50050763031bd327 LUN status : 0x40000000 not ZFCP_STATUS_COMMON_UNBLOCKED Ready count : n not incremented yet Running count : 0x00000000 ERP want : 0x01 ERP need : 0xc1 ZFCP_ERP_ACTION_NONE Area : REC Tag : ersfs_3 LUN : 0x4045400300000000 WWPN : 0x50050763031bd327 LUN status : 0x41000000 Ready count : n+1 Running count : 0x00000000 ERP want : 0x01 ERP need : 0x01 ... Area : REC Level : 4 only with increased trace level Tag : ertru_l LUN : 0x4045400300000000 WWPN : 0x50050763031bd327 LUN status : 0x40000000 Request ID : 0x0000000000000000 ERP status : 0x01800000 ERP step : 0x1000 ERP action : 0x01 ERP count : 0x00 NOT followed by a trace record with tag "scpaddy" for WWPN 0x50050763031bd327. Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Fixes: 6f2ce1c6af37 ("scsi: zfcp: fix rport unblock race with LUN recovery") Cc: <stable(a)vger.kernel.org> #2.6.32+ Reviewed-by: Jens Remus <jremus(a)linux.ibm.com> Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> Signed-off-by: Martin K. Petersen <martin.petersen(a)oracle.com> diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index 744a64680d5b..c0b2348d7ce6 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -1341,6 +1341,9 @@ static void zfcp_erp_try_rport_unblock(struct zfcp_port *port) struct zfcp_scsi_dev *zsdev = sdev_to_zfcp(sdev); int lun_status; + if (sdev->sdev_state == SDEV_DEL || + sdev->sdev_state == SDEV_CANCEL) + continue; if (zsdev->port != port) continue; /* LUN under port of interest */

5 years, 1 month

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror April 2019