July 2020 - Linux-stable-mirror

[PATCH] arm64: don't preempt_disable in do_debug_exception

by Paul Gortmaker

In commit d8bb6718c4db ("arm64: Make debug exception handlers visible from RCU") debug_exception_enter and exit were added to deal with better tracking of RCU state - however, in addition to that, but not mentioned in the commit log, a preempt_disable/enable pair were also added. Based on the comment (being removed here) it would seem that the pair were not added to address a specific problem, but just as a proactive, preventative measure - as in "seemed like a good idea at the time". The problem is that do_debug_exception() eventually calls out to generic kernel code like do_force_sig_info() which takes non-raw locks and on -rt enabled kernels, results in things looking like the following, since on -rt kernels, it is noticed that preemption is still disabled. BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:975 in_atomic(): 1, irqs_disabled(): 0, pid: 35658, name: gdbtest Preemption disabled at: [<ffff000010081578>] do_debug_exception+0x38/0x1a4 Call trace: dump_backtrace+0x0/0x138 show_stack+0x24/0x30 dump_stack+0x94/0xbc ___might_sleep+0x13c/0x168 rt_spin_lock+0x40/0x80 do_force_sig_info+0x30/0xe0 force_sig_fault+0x64/0x90 arm64_force_sig_fault+0x50/0x80 send_user_sigtrap+0x50/0x80 brk_handler+0x98/0xc8 do_debug_exception+0x70/0x1a4 el0_dbg+0x18/0x20 The reproducer was basically an automated gdb test that set a breakpoint on a simple "hello world" program and then quit gdb once the breakpoint was hit - i.e. "(gdb) A debugging session is active. Quit anyway? " Fixes: d8bb6718c4db ("arm64: Make debug exception handlers visible from RCU") Cc: stable(a)vger.kernel.org Cc: Naresh Kamboju <naresh.kamboju(a)linaro.org> Cc: Paul E. McKenney <paulmck(a)linux.ibm.com> Cc: Masami Hiramatsu <mhiramat(a)kernel.org> Cc: Will Deacon <will(a)kernel.org> Signed-off-by: Paul Gortmaker <paul.gortmaker(a)windriver.com> --- arch/arm64/mm/fault.c | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c index 8afb238ff335..4d83ec991b33 100644 --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -788,13 +788,6 @@ void __init hook_debug_fault_code(int nr, debug_fault_info[nr].name = name; } -/* - * In debug exception context, we explicitly disable preemption despite - * having interrupts disabled. - * This serves two purposes: it makes it much less likely that we would - * accidentally schedule in exception context and it will force a warning - * if we somehow manage to schedule by accident. - */ static void debug_exception_enter(struct pt_regs *regs) { /* @@ -816,8 +809,6 @@ static void debug_exception_enter(struct pt_regs *regs) rcu_nmi_enter(); } - preempt_disable(); - /* This code is a bit fragile. Test it. */ RCU_LOCKDEP_WARN(!rcu_is_watching(), "exception_enter didn't work"); } @@ -825,8 +816,6 @@ NOKPROBE_SYMBOL(debug_exception_enter); static void debug_exception_exit(struct pt_regs *regs) { - preempt_enable_no_resched(); - if (!user_mode(regs)) rcu_nmi_exit(); -- 2.7.4

3 years, 11 months

4
6
0 0

[PATCH 5.4 000/203] 5.4.13-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 5.4.13 release. There are 203 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat, 18 Jan 2020 23:16:00 +0000. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.13-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 5.4.13-rc1 Kai Li <li.kai4(a)h3c.com> ocfs2: call journal flush to mark journal as empty after journal recovery when mount Nick Desaulniers <ndesaulniers(a)google.com> hexagon: work around compiler crash Nick Desaulniers <ndesaulniers(a)google.com> hexagon: parenthesize registers in asm predicates Ard Biesheuvel <ardb(a)kernel.org> kbuild/deb-pkg: annotate libelf-dev dependency as :native Sakari Ailus <sakari.ailus(a)linux.intel.com> media: intel-ipu3: Align struct ipu3_uapi_awb_fr_config_s to 32 bytes changzhu <Changfeng.Zhu(a)amd.com> drm/amdgpu: enable gfxoff for raven1 refresh Alexander.Barabash(a)dell.com <Alexander.Barabash(a)dell.com> ioat: ioat_alloc_ring() failure handling. Julian Wiedmann <jwi(a)linux.ibm.com> s390/qeth: lock the card while changing its hsuid John Stultz <john.stultz(a)linaro.org> dmaengine: k3dma: Avoid null pointer traversal David Howells <dhowells(a)redhat.com> rxrpc: Fix missing security check on incoming calls David Howells <dhowells(a)redhat.com> rxrpc: Don't take call->user_mutex in rxrpc_new_incoming_call() David Howells <dhowells(a)redhat.com> rxrpc: Unlock new call in rxrpc_new_incoming_call() rather than the caller Ben Dooks (Codethink) <ben.dooks(a)codethink.co.uk> drm/arm/mali: make malidp_mw_connector_helper_funcs static Jouni Hogander <jouni.hogander(a)unikie.com> MIPS: Prevent link failure with kcov instrumentation Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> tomoyo: Suppress RCU warning at list_for_each_entry_rcu(). Vincenzo Frascino <vincenzo.frascino(a)arm.com> mips: Fix gettimeofday() in the vdso library Vladimir Kondratiev <vladimir.kondratiev(a)intel.com> mips: cacheinfo: report shared CPU map Olof Johansson <olof(a)lixom.net> riscv: export flush_icache_all to modules Mathieu Desnoyers <mathieu.desnoyers(a)efficios.com> rseq/selftests: Turn off timeout setting Shuah Khan <skhan(a)linuxfoundation.org> selftests: firmware: Fix it to do root uid check and skip Israel Rukshin <israelr(a)mellanox.com> scsi: target/iblock: Fix protection error with blocks greater than 512B Varun Prakash <varun(a)chelsio.com> scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy() Johnson CH Chen (陳昭勳) <JohnsonCH.Chen(a)moxa.com> gpio: mpc8xxx: Add platform device to gpiochip->parent Matti Vaittinen <matti.vaittinen(a)fi.rohmeurope.com> rtc: bd70528: Add MODULE ALIAS to autoload module Chuhong Yuan <hslester96(a)gmail.com> rtc: brcmstb-waketimer: add missed clk_disable_unprepare Kars de Jong <jongk(a)linux-m68k.org> rtc: msm6242: Fix reading of 10-hour digit Olga Kornievskaia <olga.kornievskaia(a)gmail.com> NFSD fixing possible null pointer derefering in copy offload Chao Yu <chao(a)kernel.org> f2fs: fix potential overflow Victorien Molle <victorien.molle(a)wifirst.fr> sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO Luca Coelho <luciano.coelho(a)intel.com> iwlwifi: mvm: fix support for single antenna diversity Nathan Chancellor <natechancellor(a)gmail.com> rtlwifi: Remove unnecessary NULL check in rtl_regd_init Mordechay Goodstein <mordechay.goodstein(a)intel.com> iwlwifi: mvm: consider ieee80211 station max amsdu value Navid Emamdoost <navid.emamdoost(a)gmail.com> spi: lpspi: fix memory leak in fsl_lpspi_probe Geert Uytterhoeven <geert+renesas(a)glider.be> spi: rspi: Use platform_get_irq_byname_optional() for optional irqs Mans Rullgard <mans(a)mansr.com> spi: atmel: fix handling of cs_change set on non-last xfer Daniel Vetter <daniel.vetter(a)ffwll.ch> spi: pxa2xx: Set controller->max_transfer_size in dma mode Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> mtd: spi-nor: fix silent truncation in spi_nor_read_raw() Sergei Shtylyov <sergei.shtylyov(a)cogentembedded.com> mtd: spi-nor: fix silent truncation in spi_nor_read() Huanpeng Xin <huanpeng.xin(a)unisoc.com> spi: sprd: Fix the incorrect SPI register Zhihao Cheng <chengzhihao1(a)huawei.com> ubifs: do_kill_orphans: Fix a memory leak bug Ben Dooks (Codethink) <ben.dooks(a)codethink.co.uk> ubifs: Fixed missed le64_to_cpu() in journal Richard Weinberger <richard(a)nod.at> Revert "ubifs: Fix memory leak bug in alloc_ubifs_info() error path" Yong Wu <yong.wu(a)mediatek.com> memory: mtk-smi: Add PM suspend and resume ops Yong Wu <yong.wu(a)mediatek.com> iommu/mediatek: Add a new tlb_lock for tlb_flush Yong Wu <yong.wu(a)mediatek.com> iommu/mediatek: Correct the flush_iotlb_all callback Jonas Karlman <jonas(a)kwiboo.se> media: hantro: Set H264 FIELDPIC_FLAG_E flag correctly Navid Emamdoost <navid.emamdoost(a)gmail.com> media: aspeed-video: Fix memory leaks in aspeed_video_probe Jonas Karlman <jonas(a)kwiboo.se> media: hantro: Do not reorder H264 scaling list Jonas Karlman <jonas(a)kwiboo.se> media: cedrus: Use correct H264 8x8 scaling list Philipp Zabel <p.zabel(a)pengutronix.de> media: coda: fix deadlock between decoder picture run and start command Seung-Woo Kim <sw0312.kim(a)samsung.com> media: exynos4-is: Fix recursive locking in isp_video_release() Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()' Boris Brezillon <boris.brezillon(a)collabora.com> media: hantro: h264: Fix the frame_num wraparound case Niklas Söderlund <niklas.soderlund+renesas(a)ragnatech.se> media: rcar-vin: Fix incorrect return statement in rvin_try_format() Janusz Krzysztofik <jmkrzyszt(a)gmail.com> media: ov6650: Fix default format not applied on device probe Janusz Krzysztofik <jmkrzyszt(a)gmail.com> media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support Janusz Krzysztofik <jmkrzyszt(a)gmail.com> media: ov6650: Fix some format attributes not under control Janusz Krzysztofik <jmkrzyszt(a)gmail.com> media: ov6650: Fix incorrect use of JPEG colorspace Dietmar Eggemann <dietmar.eggemann(a)arm.com> ARM: 8943/1: Fix topology setup in case of CPU hotplug for CONFIG_SCHED_MC Peng Fan <peng.fan(a)nxp.com> tty: serial: pch_uart: correct usage of dma_unmap_sg Peng Fan <peng.fan(a)nxp.com> tty: serial: imx: use the sg count from dma_map_sg Thomas Bogendoerfer <tbogendoerfer(a)suse.de> MIPS: SGI-IP27: Fix crash, when CPUs are disabled via nr_cpus parameter Tiezhu Yang <yangtiezhu(a)loongson.cn> MIPS: Loongson: Fix return value of loongson_hwmon_init Thomas Bogendoerfer <tbogendoerfer(a)suse.de> MIPS: PCI: remember nasid changed by set interrupt affinity Oliver O'Halloran <oohall(a)gmail.com> powerpc/powernv: Disable native PCIe port management Bjorn Helgaas <bhelgaas(a)google.com> PCI/PTM: Remove spurious "d" from granularity message Hewenliang <hewenliang4(a)huawei.com> tools: PCI: Fix fd leakage Bjorn Helgaas <bhelgaas(a)google.com> PCI/PM: Clear PCIe PME Status even for legacy power management Rob Herring <robh(a)kernel.org> PCI: Fix missing bridge dma_ranges resource list cleanup Niklas Cassel <niklas.cassel(a)linaro.org> PCI: dwc: Fix find_next_bit() usage Remi Pommarel <repk(a)triplefau.lt> PCI: aardvark: Fix PCI_EXP_RTCTL register configuration Remi Pommarel <repk(a)triplefau.lt> PCI: aardvark: Use LTSSM state to build link training flag Arnd Bergmann <arnd(a)arndb.de> compat_ioctl: handle SIOCOUTQNSD Arnd Bergmann <arnd(a)arndb.de> af_unix: add compat_ioctl support Arnd Bergmann <arnd(a)arndb.de> gfs2: add compat_ioctl support Loic Poulain <loic.poulain(a)linaro.org> arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD Arnd Bergmann <arnd(a)arndb.de> scsi: sd: enable compat ioctls for sed-opal Xiaojie Yuan <xiaojie.yuan(a)amd.com> drm/amdgpu/discovery: reserve discovery data at the top of VRAM Christian König <christian.koenig(a)amd.com> drm/amdgpu: cleanup creating BOs at fixed location (v2) Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper." Mika Westerberg <mika.westerberg(a)linux.intel.com> PCI: pciehp: Do not disable interrupt twice on suspend Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> pinctrl: lewisburg: Update pin list according to v1.1v6 Geert Uytterhoeven <geert+renesas(a)glider.be> pinctrl: sh-pfc: Do not use platform_get_irq() to count interrupts Keiya Nobuta <nobuta.keiya(a)fujitsu.com> pinctrl: sh-pfc: Fix PINMUX_IPSR_PHYS() to set GPSR Colin Ian King <colin.king(a)canonical.com> pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call Navid Emamdoost <navid.emamdoost(a)gmail.com> affs: fix a memory leak in affs_remount Denis Efremov <efremov(a)linux.com> rsi: fix potential null dereference in rsi_probe() Leonard Crestez <leonard.crestez(a)nxp.com> clk: imx: pll14xx: Fix quick switch of S/K parameter Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> dmaengine: dw: platform: Mark 'hclk' clock optional Kishon Vijay Abraham I <kishon(a)ti.com> clk: Fix memory leak in clk_unregister() Marian Mihailescu <mihailescu2m(a)gmail.com> clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume Jerome Brunet <jbrunet(a)baylibre.com> clk: meson: axg-audio: fix regmap last register Alexander Usyskin <alexander.usyskin(a)intel.com> mei: fix modalias documentation Alexandru Ardelean <alexandru.ardelean(a)analog.com> iio: imu: adis16480: assign bias value only if operation succeeded Lorenzo Bianconi <lorenzo(a)kernel.org> iio: imu: st_lsm6dsx: fix gyro gain definitions for LSM9DS1 Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process() Scott Mayhew <smayhew(a)redhat.com> nfsd: v4 support requires CRYPTO_SHA256 Scott Mayhew <smayhew(a)redhat.com> nfsd: Fix cld_net->cn_tfm initialization Trond Myklebust <trond.myklebust(a)hammerspace.com> NFSv2: Fix a typo in encode_sattr() Eric Biggers <ebiggers(a)google.com> crypto: geode-aes - convert to skcipher API and make thread-safe Herbert Xu <herbert(a)gondor.apana.org.au> crypto: algif_skcipher - Use chunksize instead of blocksize Ard Biesheuvel <ardb(a)kernel.org> crypto: virtio - implement missing support for output IVs Yunfeng Ye <yeyunfeng(a)huawei.com> crypto: arm64/aes-neonbs - add return value of skcipher_walk_done() in __xts_crypt() Zhou Wang <wangzhou1(a)hisilicon.com> crypto: hisilicon - select NEED_SG_DMA_LENGTH in qm Kconfig Phani Kiran Hemadri <phemadri(a)marvell.com> crypto: cavium/nitrox - fix firmware assignment to AE cores Can Guo <cang(a)codeaurora.org> scsi: ufs: Give an unique ID to each ufs-bsg Diego Calleja <diegocg(a)gmail.com> dm: add dm-clone to the documentation index Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Fix oops in Receive handler after device removal Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Fix completion wait during device removal Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Fix create_qp crash on device unload Vadim Pasternak <vadimp(a)mellanox.com> Documentation/ABI: Add missed attribute for mlxreg-io sysfs interfaces Vadim Pasternak <vadimp(a)mellanox.com> Documentation/ABI: Fix documentation inconsistency for mlxreg-io sysfs interfaces Mike Rapoport <rppt(a)linux.ibm.com> asm-generic/nds32: don't redefine cacheflush primitives Hans de Goede <hdegoede(a)redhat.com> platform/x86: GPD pocket fan: Use default values when wrong modparams are given Jian-Hong Pan <jian-hong(a)endlessm.com> platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0 Liming Sun <lsun(a)mellanox.com> platform/mellanox: fix potential deadlock in the tmfifo driver Xiang Chen <chenxiang66(a)hisilicon.com> scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI James Bottomley <James.Bottomley(a)HansenPartnership.com> scsi: enclosure: Fix stale device oops with hot replug David Howells <dhowells(a)redhat.com> keys: Fix request_key() cache David Howells <dhowells(a)redhat.com> afs: Fix afs_lookup() to not clobber the version on a new dentry David Howells <dhowells(a)redhat.com> afs: Fix use-after-loss-of-ref Andrii Nakryiko <andriin(a)fb.com> libbpf: Fix Makefile' libbpf symbol mismatch diagnostic Stanislav Fomichev <sdf(a)google.com> bpf: Support pre-2.25-binutils objcopy for vmlinux BTF John Fastabend <john.fastabend(a)gmail.com> bpf: skmsg, fix potential psock NULL pointer dereference Daniel Borkmann <daniel(a)iogearbox.net> bpf: Make use of probe_user_write in probe write helper Daniel Borkmann <daniel(a)iogearbox.net> uaccess: Add non-pagefault user-space write function Bart Van Assche <bvanassche(a)acm.org> RDMA/srpt: Report the SCSI residual to the initiator Leon Romanovsky <leon(a)kernel.org> RDMA/mlx5: Return proper error value Jason Gunthorpe <jgg(a)ziepe.ca> rdma: Remove nes ABI header Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Bugfix for qpc/cqc timer configuration Lijun Ou <oulijun(a)huawei.com> RDMA/hns: Fix to support 64K page for srq Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Close window between waking RPC senders and posting Receives Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Fix MR list handling Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Connection becomes unstable after a reconnect Chuck Lever <chuck.lever(a)oracle.com> xprtrdma: Add unique trace points for posting Local Invalidate WRs Yangyang Li <liyangyang20(a)huawei.com> RDMA/hns: Release qp resources when failed to destroy qp Arnd Bergmann <arnd(a)arndb.de> RDMA/hns: Fix build error again Bart Van Assche <bvanassche(a)acm.org> RDMA/siw: Fix port number endianness in a debug message Mark Zhang <markz(a)mellanox.com> RDMA/counter: Prevent QP counter manual binding in auto mode Lang Cheng <chenglang(a)huawei.com> RDMA/hns: Modify return value of restrack functions Weihang Li <liweihang(a)hisilicon.com> RDMA/hns: remove a redundant le16_to_cpu Jason Gunthorpe <jgg(a)ziepe.ca> RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size() Nilkanth Ahirrao <anilkanth(a)jp.adit-jv.com> ASoC: rsnd: fix DALIGN register for SSIU Takashi Iwai <tiwai(a)suse.de> ASoC: core: Fix compile warning with CONFIG_DEBUG_FS=n Pierre-Louis Bossart <pierre-louis.bossart(a)linux.intel.com> ASoC: SOF: Intel: Broadwell: clarify mutual exclusion with legacy driver Shengjiu Wang <shengjiu.wang(a)nxp.com> ASoC: fsl_esai: Add spin lock to protect reset, stop and start Daniel Baluta <daniel.baluta(a)nxp.com> ASoC: simple_card_utils.h: Add missing include Tzung-Bi Shih <tzungbi(a)google.com> ASoC: dt-bindings: mt8183: add missing update Arnd Bergmann <arnd(a)arndb.de> netfilter: nft_meta: use 64-bit time arithmetic Pablo Neira Ayuso <pablo(a)netfilter.org> netfilter: nf_tables_offload: release flow_rule on error from commit path Goldwyn Rodrigues <rgoldwyn(a)suse.com> btrfs: simplify inode locking for RWF_NOWAIT Taehee Yoo <ap420073(a)gmail.com> hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename() Sami Tolvanen <samitolvanen(a)google.com> syscalls/x86: Fix function types in COND_SYSCALL Sami Tolvanen <samitolvanen(a)google.com> syscalls/x86: Use the correct function type for sys_ni_syscall Sami Tolvanen <samitolvanen(a)google.com> syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn Andy Lutomirski <luto(a)kernel.org> syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0 Ed Maste <emaste(a)freebsd.org> perf vendor events s390: Remove name from L1D_RO_EXCL_WRITES description David Howells <dhowells(a)redhat.com> afs: Fix missing cell comparison in afs_test_super() Florian Fainelli <f.fainelli(a)gmail.com> reset: brcmstb: Remove resource checks Florian Fainelli <f.fainelli(a)gmail.com> dt-bindings: reset: Fix brcmstb-reset example Marc Kleine-Budde <mkl(a)pengutronix.de> can: j1939: fix address claim code example Christian Lamparter <chunkeey(a)gmail.com> ath9k: use iowrite32 over __raw_writel Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> MAINTAINERS: Append missed file to the database Paul Menzel <pmenzel(a)molgen.mpg.de> scsi: smartpqi: Update attribute name to `driver_version` Nathan Chancellor <natechancellor(a)gmail.com> cifs: Adjust indentation in smb2_open_file Julian Wiedmann <jwi(a)linux.ibm.com> s390/qeth: fix initialization on old HW Alexandra Winter <wintera(a)linux.ibm.com> s390/qeth: vnicc Fix init to default Alexandra Winter <wintera(a)linux.ibm.com> s390/qeth: Fix vnicc_is_in_use if rx_bcast not set Alexandra Winter <wintera(a)linux.ibm.com> s390/qeth: fix false reporting of VNIC CHAR config failure Julian Wiedmann <jwi(a)linux.ibm.com> s390/qeth: fix qdio teardown after early init error Taehee Yoo <ap420073(a)gmail.com> hsr: reset network header when supervision frame is created Taehee Yoo <ap420073(a)gmail.com> hsr: rename debugfs file when interface name is changed Taehee Yoo <ap420073(a)gmail.com> hsr: add hsr root debugfs directory Thierry Reding <treding(a)nvidia.com> drm/tegra: Fix ordering of cleanup code Neil Armstrong <narmstrong(a)baylibre.com> PCI: amlogic: Fix probed clock names Arnd Bergmann <arnd(a)arndb.de> PM / devfreq: tegra: Add COMMON_CLK dependency Geert Uytterhoeven <geert+renesas(a)glider.be> gpio: Fix error message on out-of-range GPIO in lookup table Dan Carpenter <dan.carpenter(a)oracle.com> scsi: mpt3sas: Fix double free in attach error handling Ming Lei <ming.lei(a)redhat.com> fs: move guard_bio_eod() after bio_set_op_attrs Roman Gushchin <guro(a)fb.com> bpf: cgroup: prevent out-of-order release of cgroup bpf Jon Derrick <jonathan.derrick(a)intel.com> iommu: Remove device link to group on failure Jon Derrick <jonathan.derrick(a)intel.com> iommu/vt-d: Unlink device if failed to add to group Hangbin Liu <liuhangbin(a)gmail.com> selftests: loopback.sh: skip this test if the driver does not support Qianggui Song <qianggui.song(a)amlogic.com> pinctrl: meson: Fix wrong shift value when get drive-strength Swapna Manupati <swapna.manupati(a)xilinx.com> gpio: zynq: Fix for bug in zynq_gpio_restore_context API Peter Ujfalusi <peter.ujfalusi(a)ti.com> mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy Daniel Baluta <daniel.baluta(a)nxp.com> ASoC: SOF: imx8: Fix dsp_box offset wenxu <wenxu(a)ucloud.cn> netfilter: nft_flow_offload: fix underflow in flowtable reference counter Arnd Bergmann <arnd(a)arndb.de> pinctrl: lochnagar: select GPIOLIB Olivier Moysan <olivier.moysan(a)st.com> ASoC: stm32: spdifrx: fix input pin state management Olivier Moysan <olivier.moysan(a)st.com> ASoC: stm32: spdifrx: fix race condition in irq handler Olivier Moysan <olivier.moysan(a)st.com> ASoC: stm32: spdifrx: fix inconsistent lock state Daniel Baluta <daniel.baluta(a)nxp.com> ASoC: soc-core: Set dpcm_playback / dpcm_capture Colin Ian King <colin.king(a)canonical.com> ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev Stefan Wahren <wahrenst(a)gmx.net> i2c: bcm2835: Store pointer to bus clock Christophe Kerello <christophe.kerello(a)st.com> mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus Kaike Wan <kaike.wan(a)intel.com> IB/hfi1: Don't cancel unused work item Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Fix Send Work Entry state check while polling completions Selvin Xavier <selvin.xavier(a)broadcom.com> RDMA/bnxt_re: Avoid freeing MR resources if dereg fails Tony Lindgren <tony(a)atomide.com> phy: mapphone-mdm6600: Fix uninitialized status value regression Ran Bi <ran.bi(a)mediatek.com> rtc: mt6397: fix alarm register overwrite Jiri Kosina <jkosina(a)suse.cz> HID: hidraw, uhid: Always report EPOLLOUT ------------- Diffstat: Documentation/ABI/stable/sysfs-driver-mlxreg-io | 13 +- Documentation/ABI/testing/sysfs-bus-mei | 2 +- Documentation/admin-guide/device-mapper/index.rst | 1 + .../bindings/reset/brcm,brcmstb-reset.txt | 2 +- .../sound/mt8183-mt6358-ts3a227-max98357.txt | 4 +- Documentation/networking/j1939.rst | 2 +- Documentation/scsi/smartpqi.txt | 2 +- MAINTAINERS | 1 + Makefile | 4 +- arch/arm/kernel/smp.c | 4 + arch/arm/kernel/topology.c | 10 +- arch/arm64/boot/dts/qcom/apq8096-db820c.dtsi | 2 + arch/arm64/crypto/aes-neonbs-glue.c | 2 +- arch/hexagon/include/asm/atomic.h | 8 +- arch/hexagon/include/asm/bitops.h | 8 +- arch/hexagon/include/asm/cmpxchg.h | 2 +- arch/hexagon/include/asm/futex.h | 6 +- arch/hexagon/include/asm/spinlock.h | 20 +- arch/hexagon/kernel/stacktrace.c | 4 +- arch/hexagon/kernel/vm_entry.S | 2 +- arch/mips/boot/compressed/Makefile | 3 + arch/mips/include/asm/vdso/gettimeofday.h | 13 - arch/mips/kernel/cacheinfo.c | 27 +- arch/mips/pci/pci-xtalk-bridge.c | 5 +- arch/mips/sgi-ip27/ip27-irq.c | 4 + arch/mips/vdso/vgettimeofday.c | 20 + arch/nds32/include/asm/cacheflush.h | 11 +- arch/powerpc/platforms/powernv/pci.c | 17 + arch/riscv/mm/cacheflush.c | 1 + arch/x86/entry/syscall_32.c | 8 +- arch/x86/entry/syscall_64.c | 14 +- arch/x86/entry/syscalls/syscall_32.tbl | 8 +- arch/x86/ia32/ia32_signal.c | 5 +- arch/x86/include/asm/syscall_wrapper.h | 53 ++- block/bio.c | 12 +- crypto/algif_skcipher.c | 2 +- drivers/clk/clk.c | 1 + drivers/clk/imx/clk-pll14xx.c | 40 +- drivers/clk/meson/axg-audio.c | 2 +- drivers/clk/samsung/clk-exynos5420.c | 2 + drivers/crypto/cavium/nitrox/nitrox_main.c | 9 +- drivers/crypto/geode-aes.c | 440 +++++++-------------- drivers/crypto/geode-aes.h | 15 +- drivers/crypto/hisilicon/Kconfig | 1 + drivers/crypto/virtio/virtio_crypto_algs.c | 9 + drivers/devfreq/Kconfig | 1 + drivers/dma/dw/platform.c | 2 +- drivers/dma/ioat/dma.c | 3 +- drivers/dma/k3dma.c | 12 +- drivers/gpio/gpio-mpc8xxx.c | 1 + drivers/gpio/gpio-zynq.c | 8 +- drivers/gpio/gpiolib.c | 5 +- drivers/gpu/drm/amd/amdgpu/amdgpu.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.c | 4 +- drivers/gpu/drm/amd/amdgpu/amdgpu_discovery.h | 2 + drivers/gpu/drm/amd/amdgpu/amdgpu_object.c | 61 +++ drivers/gpu/drm/amd/amdgpu/amdgpu_object.h | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_ras.c | 85 +--- drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 99 ++--- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 15 +- drivers/gpu/drm/amd/include/discovery.h | 1 - drivers/gpu/drm/arm/malidp_mw.c | 2 +- drivers/gpu/drm/tegra/drm.c | 14 +- drivers/gpu/drm/virtio/virtgpu_ioctl.c | 28 +- drivers/hid/hidraw.c | 7 +- drivers/hid/uhid.c | 5 +- drivers/i2c/busses/i2c-bcm2835.c | 17 +- drivers/iio/imu/adis16480.c | 6 +- drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 7 +- drivers/infiniband/core/counters.c | 12 +- drivers/infiniband/hw/bnxt_re/ib_verbs.c | 4 +- drivers/infiniband/hw/bnxt_re/qplib_fp.c | 12 +- drivers/infiniband/hw/hfi1/iowait.c | 4 +- drivers/infiniband/hw/hns/Kconfig | 17 +- drivers/infiniband/hw/hns/Makefile | 8 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.c | 18 +- drivers/infiniband/hw/hns/hns_roce_hw_v2.h | 4 +- drivers/infiniband/hw/hns/hns_roce_qp.c | 10 +- drivers/infiniband/hw/hns/hns_roce_restrack.c | 2 +- drivers/infiniband/hw/mlx5/mr.c | 2 +- drivers/infiniband/sw/siw/siw_cm.c | 9 +- drivers/infiniband/ulp/srpt/ib_srpt.c | 24 ++ drivers/iommu/intel-iommu.c | 13 +- drivers/iommu/iommu.c | 1 + drivers/iommu/mtk_iommu.c | 25 +- drivers/iommu/mtk_iommu.h | 1 + drivers/media/i2c/ov6650.c | 79 ++-- drivers/media/platform/aspeed-video.c | 3 +- drivers/media/platform/cadence/cdns-csi2rx.c | 2 +- drivers/media/platform/coda/coda-common.c | 4 +- drivers/media/platform/exynos4-is/fimc-isp-video.c | 2 +- drivers/media/platform/rcar-vin/rcar-v4l2.c | 3 +- drivers/memory/mtk-smi.c | 4 + drivers/misc/enclosure.c | 3 +- drivers/mtd/nand/onenand/omap2.c | 3 +- drivers/mtd/nand/raw/stm32_fmc2_nand.c | 38 +- drivers/mtd/spi-nor/spi-nor.c | 4 +- .../net/wireless/ath/ath9k/ath9k_pci_owl_loader.c | 2 +- drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 20 +- drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 8 +- drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 7 +- drivers/net/wireless/realtek/rtlwifi/regd.c | 2 +- drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +- drivers/pci/controller/dwc/pci-meson.c | 6 +- drivers/pci/controller/dwc/pcie-designware-host.c | 11 +- drivers/pci/controller/pci-aardvark.c | 42 +- drivers/pci/hotplug/pciehp_core.c | 25 +- drivers/pci/pci-driver.c | 3 +- drivers/pci/pcie/ptm.c | 2 +- drivers/pci/probe.c | 1 + drivers/phy/motorola/phy-mapphone-mdm6600.c | 11 +- drivers/pinctrl/cirrus/Kconfig | 1 + drivers/pinctrl/intel/pinctrl-lewisburg.c | 171 ++++---- drivers/pinctrl/meson/pinctrl-meson.c | 1 + drivers/pinctrl/sh-pfc/core.c | 16 +- drivers/pinctrl/sh-pfc/sh_pfc.h | 4 +- drivers/pinctrl/ti/pinctrl-ti-iodelay.c | 2 +- drivers/platform/mellanox/mlxbf-tmfifo.c | 19 +- drivers/platform/mips/cpu_hwmon.c | 2 +- drivers/platform/x86/asus-wmi.c | 8 +- drivers/platform/x86/gpd-pocket-fan.c | 25 +- drivers/reset/reset-brcmstb.c | 6 - drivers/rtc/rtc-bd70528.c | 1 + drivers/rtc/rtc-brcmstb-waketimer.c | 1 + drivers/rtc/rtc-msm6242.c | 3 +- drivers/rtc/rtc-mt6397.c | 47 ++- drivers/s390/net/qeth_core_main.c | 29 +- drivers/s390/net/qeth_l2_main.c | 10 +- drivers/s390/net/qeth_l3_main.c | 2 +- drivers/s390/net/qeth_l3_sys.c | 40 +- drivers/scsi/cxgbi/libcxgbi.c | 3 +- drivers/scsi/mpt3sas/mpt3sas_base.c | 1 - drivers/scsi/sd.c | 18 +- drivers/scsi/ufs/ufs_bsg.c | 2 +- drivers/spi/spi-atmel.c | 10 +- drivers/spi/spi-fsl-lpspi.c | 2 +- drivers/spi/spi-pxa2xx.c | 7 + drivers/spi/spi-rspi.c | 8 +- drivers/spi/spi-sprd.c | 2 +- drivers/staging/media/hantro/hantro_g1_h264_dec.c | 2 +- drivers/staging/media/hantro/hantro_h264.c | 73 ++-- drivers/staging/media/ipu3/include/intel-ipu3.h | 2 +- drivers/staging/media/sunxi/cedrus/cedrus_h264.c | 4 +- drivers/target/target_core_iblock.c | 4 +- drivers/tty/serial/imx.c | 2 +- drivers/tty/serial/pch_uart.c | 5 +- fs/affs/super.c | 6 - fs/afs/dir.c | 18 +- fs/afs/super.c | 1 + fs/btrfs/file.c | 5 +- fs/buffer.c | 8 +- fs/cifs/smb2file.c | 2 +- fs/f2fs/data.c | 2 +- fs/f2fs/file.c | 2 +- fs/gfs2/file.c | 30 ++ fs/internal.h | 2 +- fs/mpage.c | 2 +- fs/nfs/nfs2xdr.c | 2 +- fs/nfs/nfs4proc.c | 38 +- fs/nfsd/Kconfig | 2 +- fs/nfsd/nfs4proc.c | 3 +- fs/nfsd/nfs4recover.c | 12 +- fs/ocfs2/journal.c | 8 + fs/ubifs/journal.c | 2 +- fs/ubifs/orphan.c | 17 +- fs/ubifs/super.c | 4 +- include/asm-generic/cacheflush.h | 33 +- include/crypto/internal/skcipher.h | 30 -- include/crypto/skcipher.h | 30 ++ include/linux/uaccess.h | 12 + include/sound/simple_card_utils.h | 1 + include/trace/events/afs.h | 12 +- include/trace/events/rpcrdma.h | 25 ++ include/uapi/rdma/nes-abi.h | 115 ------ kernel/bpf/cgroup.c | 11 +- kernel/cred.c | 4 +- kernel/trace/bpf_trace.c | 6 +- mm/maccess.c | 45 ++- net/core/skmsg.c | 13 +- net/hsr/hsr_debugfs.c | 36 +- net/hsr/hsr_device.c | 2 + net/hsr/hsr_main.c | 5 + net/hsr/hsr_main.h | 10 + net/hsr/hsr_netlink.c | 1 + net/netfilter/nf_tables_offload.c | 26 +- net/netfilter/nft_flow_offload.c | 3 - net/netfilter/nft_meta.c | 10 +- net/rxrpc/ar-internal.h | 10 +- net/rxrpc/call_accept.c | 60 +-- net/rxrpc/conn_event.c | 16 +- net/rxrpc/conn_service.c | 4 + net/rxrpc/input.c | 18 - net/rxrpc/rxkad.c | 5 +- net/rxrpc/security.c | 70 ++-- net/sched/sch_cake.c | 1 + net/socket.c | 1 + net/sunrpc/xprtrdma/frwr_ops.c | 4 +- net/sunrpc/xprtrdma/rpc_rdma.c | 1 + net/sunrpc/xprtrdma/transport.c | 3 + net/sunrpc/xprtrdma/verbs.c | 103 +++-- net/sunrpc/xprtrdma/xprt_rdma.h | 3 + net/unix/af_unix.c | 19 + scripts/link-vmlinux.sh | 7 +- scripts/package/mkdebian | 2 +- security/tomoyo/common.c | 9 +- security/tomoyo/domain.c | 15 +- security/tomoyo/group.c | 9 +- security/tomoyo/util.c | 6 +- sound/soc/fsl/fsl_esai.c | 12 + sound/soc/intel/Kconfig | 3 + sound/soc/sh/rcar/core.c | 20 +- sound/soc/soc-core.c | 2 + sound/soc/soc-pcm.c | 2 + sound/soc/sof/imx/imx8.c | 5 +- sound/soc/sof/intel/Kconfig | 10 +- sound/soc/stm/stm32_spdifrx.c | 40 +- tools/lib/bpf/Makefile | 2 +- tools/pci/pcitest.c | 1 + .../perf/pmu-events/arch/s390/cf_z14/extended.json | 2 +- tools/testing/selftests/firmware/fw_lib.sh | 6 + tools/testing/selftests/net/forwarding/loopback.sh | 8 + tools/testing/selftests/rseq/settings | 1 + 222 files changed, 1849 insertions(+), 1423 deletions(-)

4 years

8
215
0 0

[PATCH] ext4: Fix checksum errors with indexed dirs

by Jan Kara

DIR_INDEX has been introduced as a compat ext4 feature. That means that even kernels / tools that don't understand the feature may modify the filesystem. This works because for kernels not understanding indexed dir format, internal htree nodes appear just as empty directory entries. Index dir aware kernels then check the htree structure is still consistent before using the data. This all worked reasonably well until metadata checksums were introduced. The problem is that these effectively made DIR_INDEX only ro-compatible because internal htree nodes store checksums in a different place than normal directory blocks. Thus any modification ignorant to DIR_INDEX (or just clearing EXT4_INDEX_FL from the inode) will effectively cause checksum mismatch and trigger kernel errors. So we have to be more careful when dealing with indexed directories on filesystems with checksumming enabled. 1) We just disallow loading and directory inodes with EXT4_INDEX_FL when DIR_INDEX is not enabled. This is harsh but it should be very rare (it means someone disabled DIR_INDEX on existing filesystem and didn't run e2fsck), e2fsck can fix the problem, and we don't want to answer the difficult question: "Should we rather corrupt the directory more or should we ignore that DIR_INDEX feature is not set?" 2) When we find out htree structure is corrupted (but the filesystem and the directory should in support htrees), we continue just ignoring htree information for reading but we refuse to add new entries to the directory to avoid corrupting it more. CC: stable(a)vger.kernel.org Fixes: dbe89444042a ("ext4: Calculate and verify checksums for htree nodes") Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/dir.c | 14 ++++++++------ fs/ext4/ext4.h | 5 ++++- fs/ext4/inode.c | 13 +++++++++++++ fs/ext4/namei.c | 7 +++++++ 4 files changed, 32 insertions(+), 7 deletions(-) diff --git a/fs/ext4/dir.c b/fs/ext4/dir.c index 9f00fc0bf21d..cb9ea593b544 100644 --- a/fs/ext4/dir.c +++ b/fs/ext4/dir.c @@ -129,12 +129,14 @@ static int ext4_readdir(struct file *file, struct dir_context *ctx) if (err != ERR_BAD_DX_DIR) { return err; } - /* - * We don't set the inode dirty flag since it's not - * critical that it get flushed back to the disk. - */ - ext4_clear_inode_flag(file_inode(file), - EXT4_INODE_INDEX); + /* Can we just clear INDEX flag to ignore htree information? */ + if (!ext4_has_metadata_csum(sb)) { + /* + * We don't set the inode dirty flag since it's not + * critical that it gets flushed back to the disk. + */ + ext4_clear_inode_flag(inode, EXT4_INODE_INDEX); + } } if (ext4_has_inline_data(inode)) { diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index f8578caba40d..1fd6c1e2ce2a 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -2482,8 +2482,11 @@ void ext4_insert_dentry(struct inode *inode, struct ext4_filename *fname); static inline void ext4_update_dx_flag(struct inode *inode) { - if (!ext4_has_feature_dir_index(inode->i_sb)) + if (!ext4_has_feature_dir_index(inode->i_sb)) { + /* ext4_iget() should have caught this... */ + WARN_ON_ONCE(ext4_has_feature_metadata_csum(inode->i_sb)); ext4_clear_inode_flag(inode, EXT4_INODE_INDEX); + } } static const unsigned char ext4_filetype_table[] = { DT_UNKNOWN, DT_REG, DT_DIR, DT_CHR, DT_BLK, DT_FIFO, DT_SOCK, DT_LNK diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 629a25d999f0..d33135308c1b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4615,6 +4615,19 @@ struct inode *__ext4_iget(struct super_block *sb, unsigned long ino, ret = -EFSCORRUPTED; goto bad_inode; } + /* + * If dir_index is not enabled but there's dir with INDEX flag set, + * we'd normally treat htree data as empty space. But with metadata + * checksumming that corrupts checksums so forbid that. + */ + if (!ext4_has_feature_dir_index(sb) && ext4_has_metadata_csum(sb) && + ext4_test_inode_flag(inode, EXT4_INODE_INDEX)) { + ext4_error_inode(inode, function, line, 0, + "iget: Dir with htree data on filesystem " + "without dir_index feature."); + ret = -EFSCORRUPTED; + goto bad_inode; + } ei->i_disksize = inode->i_size; #ifdef CONFIG_QUOTA ei->i_reserved_quota = 0; diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 1cb42d940784..deb9f7a02976 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -2207,6 +2207,13 @@ static int ext4_add_entry(handle_t *handle, struct dentry *dentry, retval = ext4_dx_add_entry(handle, &fname, dir, inode); if (!retval || (retval != ERR_BAD_DX_DIR)) goto out; + /* Can we just ignore htree data? */ + if (ext4_has_metadata_csum(sb)) { + EXT4_ERROR_INODE(dir, + "Directory has corrupted htree index."); + retval = -EFSCORRUPTED; + goto out; + } ext4_clear_inode_flag(dir, EXT4_INODE_INDEX); dx_fallback++; ext4_mark_inode_dirty(handle, dir); -- 2.16.4

4 years

3
5
0 0

[PATCH] usb: mtu3: fix panic in mtu3_gadget_disconnect()

by Macpaul Lin

This patch fixes a possible issue when mtu3_gadget_stop() already assigned NULL to mtu->gadget_driver during mtu_gadget_disconnect(). Backtrace: [<ffffff9008161974>] notifier_call_chain+0xa4/0x128 [<ffffff9008161fd4>] __atomic_notifier_call_chain+0x84/0x138 [<ffffff9008162ec0>] notify_die+0xb0/0x120 [<ffffff900809e340>] die+0x1f8/0x5d0 [<ffffff90080d03b4>] __do_kernel_fault+0x19c/0x280 [<ffffff90080d04dc>] do_bad_area+0x44/0x140 [<ffffff90080d0f9c>] do_translation_fault+0x4c/0x90 [<ffffff9008080a78>] do_mem_abort+0xb8/0x258 [<ffffff90080849d0>] el1_da+0x24/0x3c [<ffffff9009bde01c>] mtu3_gadget_disconnect+0xac/0x128 [<ffffff9009bd576c>] mtu3_irq+0x34c/0xc18 [<ffffff90082ac03c>] __handle_irq_event_percpu+0x2ac/0xcd0 [<ffffff90082acae0>] handle_irq_event_percpu+0x80/0x138 [<ffffff90082acc44>] handle_irq_event+0xac/0x148 [<ffffff90082b71cc>] handle_fasteoi_irq+0x234/0x568 [<ffffff90082a8708>] generic_handle_irq+0x48/0x68 [<ffffff90082a96ac>] __handle_domain_irq+0x264/0x1740 [<ffffff90080819f4>] gic_handle_irq+0x14c/0x250 [<ffffff9008084cec>] el1_irq+0xec/0x194 [<ffffff90085b985c>] dma_pool_alloc+0x6e4/0xae0 [<ffffff9008d7f890>] cmdq_mbox_pool_alloc_impl+0xb0/0x238 [<ffffff9008d80904>] cmdq_pkt_alloc_buf+0x2dc/0x7c0 [<ffffff9008d80f60>] cmdq_pkt_add_cmd_buffer+0x178/0x270 [<ffffff9008d82320>] cmdq_pkt_perf_begin+0x108/0x148 [<ffffff9008d824d8>] cmdq_pkt_create+0x178/0x1f0 [<ffffff9008f96230>] mtk_crtc_config_default_path+0x328/0x7a0 [<ffffff90090246cc>] mtk_drm_idlemgr_kick+0xa6c/0x1460 [<ffffff9008f9bbb4>] mtk_drm_crtc_atomic_begin+0x1a4/0x1a68 [<ffffff9008e8df9c>] drm_atomic_helper_commit_planes+0x154/0x878 [<ffffff9008f2fb70>] mtk_atomic_complete.isra.16+0xe80/0x19c8 [<ffffff9008f30910>] mtk_atomic_commit+0x258/0x898 [<ffffff9008ef142c>] drm_atomic_commit+0xcc/0x108 [<ffffff9008ef7cf0>] drm_mode_atomic_ioctl+0x1c20/0x2580 [<ffffff9008ebc768>] drm_ioctl_kernel+0x118/0x1b0 [<ffffff9008ebcde8>] drm_ioctl+0x5c0/0x920 [<ffffff900863b030>] do_vfs_ioctl+0x188/0x1820 [<ffffff900863c754>] SyS_ioctl+0x8c/0xa0 Signed-off-by: Macpaul Lin <macpaul.lin(a)mediatek.com> Cc: stable(a)vger.kernel.org --- drivers/usb/mtu3/mtu3_gadget.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/drivers/usb/mtu3/mtu3_gadget.c b/drivers/usb/mtu3/mtu3_gadget.c index 68ea4395f871..f20fb83b3239 100644 --- a/drivers/usb/mtu3/mtu3_gadget.c +++ b/drivers/usb/mtu3/mtu3_gadget.c @@ -843,7 +843,12 @@ void mtu3_gadget_disconnect(struct mtu3 *mtu) dev_dbg(mtu->dev, "gadget DISCONNECT\n"); if (mtu->gadget_driver && mtu->gadget_driver->disconnect) { spin_unlock(&mtu->lock); - mtu->gadget_driver->disconnect(&mtu->g); + /* + * avoid kernel panic because mtu3_gadget_stop() assigned NULL + * to mtu->gadget_driver. + */ + if (mtu->gadget_driver && mtu->gadget_driver->disconnect) + mtu->gadget_driver->disconnect(&mtu->g); spin_lock(&mtu->lock); } -- 2.18.0

4 years

4
7
0 0

[PATCH] x86/mpx: fix recursive munmap() corruption

by Dave Hansen

This is a bit of a mess, to put it mildly. But, it's a bug that seems to have gone unticked up to now, probably because nobody uses MPX. The other alternative to this fix is to just deprecate MPX, even in -stable kernels. MPX has the arch_unmap() hook inside of munmap() because MPX uses bounds tables that protect other areas of memory. When memory is unmapped, there is also a need to unmap the MPX bounds tables. Barring this, unused bounds tables can eat 80% of the address space. But, the recursive do_munmap() that gets called vi arch_unmap() wreaks havoc with __do_munmap()'s state. It can result in freeing populated page tables, accessing bogus VMA state, double-freed VMAs and more. To fix this, call arch_unmap() before __do_unmap() has a chance to do anything meaningful. Also, remove the 'vma' argument and force the MPX code to do its own, independent VMA lookup. For the common success case this is functionally identical to what was there before. For the munmap() failure case, it's possible that some MPX tables will be zapped for memory that continues to be in use. But, this is an extraordinarily unlikely scenario and the harm would be that MPX provides no protection since the bounds table got reset (zeroed). I can't imagine anyone doing this: ptr = mmap(); // use ptr ret = munmap(ptr); if (ret) // oh, there was an error, I'll // keep using ptr. Because if you're doing munmap(), you are *done* with the memory. There's probably no good data in there _anyway_. This passes the original reproducer from Richard Biener as well as the existing mpx selftests/. ==== The long story: munmap() has a couple of pieces: 1. Find the affected VMA(s) 2. Split the start/end one(s) if neceesary 3. Pull the VMAs out of the rbtree 4. Actually zap the memory via unmap_region(), including freeing page tables (or queueing them to be freed). 5. Fixup some of the accounting (like fput()) and actually free the VMA itself. I decided to put the arch_unmap() call right afer #3. This was *just* before mmap_sem looked like it might get downgraded (it won't in this context), but it looked right. It wasn't. Richard Biener reported a test that shows this in dmesg: [1216548.787498] BUG: Bad rss-counter state mm:0000000017ce560b idx:1 val:551 [1216548.787500] BUG: non-zero pgtables_bytes on freeing mm: 24576 What triggered this was the recursive do_munmap() called via arch_unmap(). It was freeing page tables that has not been properly zapped. But, the problem was bigger than this. For one, arch_unmap() can free VMAs. But, the calling __do_munmap() has variables that *point* to VMAs and obviously can't handle them just getting freed while the pointer is still valid. I tried a couple of things here. First, I tried to fix the page table freeing problem in isolation, but I then found the VMA issue. I also tried having the MPX code return a flag if it modified the rbtree which would force __do_munmap() to re-walk to restart. That spiralled out of control in complexity pretty fast. Just moving arch_unmap() and accepting that the bonkers failure case might eat some bounds tables seems like the simplest viable fix. Reported-by: Richard Biener <rguenther(a)suse.de> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Andy Lutomirski <luto(a)amacapital.net> Cc: x86(a)kernel.org Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: linux-kernel(a)vger.kernel.org Cc: linux-mm(a)kvack.org Cc: stable(a)vger.kernel.org --- b/arch/x86/include/asm/mmu_context.h | 6 +++--- b/arch/x86/include/asm/mpx.h | 5 ++--- b/arch/x86/mm/mpx.c | 10 ++++++---- b/include/asm-generic/mm_hooks.h | 1 - b/mm/mmap.c | 15 ++++++++------- 5 files changed, 19 insertions(+), 18 deletions(-) diff -puN mm/mmap.c~mpx-rss-pass-no-vma mm/mmap.c --- a/mm/mmap.c~mpx-rss-pass-no-vma 2019-04-01 06:56:53.409411123 -0700 +++ b/mm/mmap.c 2019-04-01 06:56:53.423411123 -0700 @@ -2731,9 +2731,17 @@ int __do_munmap(struct mm_struct *mm, un return -EINVAL; len = PAGE_ALIGN(len); + end = start + len; if (len == 0) return -EINVAL; + /* + * arch_unmap() might do unmaps itself. It must be called + * and finish any rbtree manipulation before this code + * runs and also starts to manipulate the rbtree. + */ + arch_unmap(mm, start, end); + /* Find the first overlapping VMA */ vma = find_vma(mm, start); if (!vma) @@ -2742,7 +2750,6 @@ int __do_munmap(struct mm_struct *mm, un /* we have start < vma->vm_end */ /* if it doesn't overlap, we have nothing.. */ - end = start + len; if (vma->vm_start >= end) return 0; @@ -2812,12 +2819,6 @@ int __do_munmap(struct mm_struct *mm, un /* Detach vmas from rbtree */ detach_vmas_to_be_unmapped(mm, vma, prev, end); - /* - * mpx unmap needs to be called with mmap_sem held for write. - * It is safe to call it before unmap_region(). - */ - arch_unmap(mm, vma, start, end); - if (downgrade) downgrade_write(&mm->mmap_sem); diff -puN arch/x86/include/asm/mmu_context.h~mpx-rss-pass-no-vma arch/x86/include/asm/mmu_context.h --- a/arch/x86/include/asm/mmu_context.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.412411123 -0700 +++ b/arch/x86/include/asm/mmu_context.h 2019-04-01 06:56:53.423411123 -0700 @@ -277,8 +277,8 @@ static inline void arch_bprm_mm_init(str mpx_mm_init(mm); } -static inline void arch_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end) +static inline void arch_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end) { /* * mpx_notify_unmap() goes and reads a rarely-hot @@ -298,7 +298,7 @@ static inline void arch_unmap(struct mm_ * consistently wrong. */ if (unlikely(cpu_feature_enabled(X86_FEATURE_MPX))) - mpx_notify_unmap(mm, vma, start, end); + mpx_notify_unmap(mm, start, end); } /* diff -puN include/asm-generic/mm_hooks.h~mpx-rss-pass-no-vma include/asm-generic/mm_hooks.h --- a/include/asm-generic/mm_hooks.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.414411123 -0700 +++ b/include/asm-generic/mm_hooks.h 2019-04-01 06:56:53.423411123 -0700 @@ -18,7 +18,6 @@ static inline void arch_exit_mmap(struct } static inline void arch_unmap(struct mm_struct *mm, - struct vm_area_struct *vma, unsigned long start, unsigned long end) { } diff -puN arch/x86/mm/mpx.c~mpx-rss-pass-no-vma arch/x86/mm/mpx.c --- a/arch/x86/mm/mpx.c~mpx-rss-pass-no-vma 2019-04-01 06:56:53.416411123 -0700 +++ b/arch/x86/mm/mpx.c 2019-04-01 06:56:53.423411123 -0700 @@ -881,9 +881,10 @@ static int mpx_unmap_tables(struct mm_st * the virtual address region start...end have already been split if * necessary, and the 'vma' is the first vma in this range (start -> end). */ -void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end) +void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end) { + struct vm_area_struct *vma; int ret; /* @@ -902,11 +903,12 @@ void mpx_notify_unmap(struct mm_struct * * which should not occur normally. Being strict about it here * helps ensure that we do not have an exploitable stack overflow. */ - do { + vma = find_vma(mm, start); + while (vma && vma->vm_start < end) { if (vma->vm_flags & VM_MPX) return; vma = vma->vm_next; - } while (vma && vma->vm_start < end); + } ret = mpx_unmap_tables(mm, start, end); if (ret) diff -puN arch/x86/include/asm/mpx.h~mpx-rss-pass-no-vma arch/x86/include/asm/mpx.h --- a/arch/x86/include/asm/mpx.h~mpx-rss-pass-no-vma 2019-04-01 06:56:53.418411123 -0700 +++ b/arch/x86/include/asm/mpx.h 2019-04-01 06:56:53.424411123 -0700 @@ -78,8 +78,8 @@ static inline void mpx_mm_init(struct mm */ mm->context.bd_addr = MPX_INVALID_BOUNDS_DIR; } -void mpx_notify_unmap(struct mm_struct *mm, struct vm_area_struct *vma, - unsigned long start, unsigned long end); +void mpx_notify_unmap(struct mm_struct *mm, unsigned long start, + unsigned long end); unsigned long mpx_unmapped_area_check(unsigned long addr, unsigned long len, unsigned long flags); @@ -100,7 +100,6 @@ static inline void mpx_mm_init(struct mm { } static inline void mpx_notify_unmap(struct mm_struct *mm, - struct vm_area_struct *vma, unsigned long start, unsigned long end) { } _

4 years

7
13
0 0

[PATCH v2] pinctrl: cherryview: Ensure _REG(ACPI_ADR_SPACE_GPIO, 1) gets called

by Hans de Goede

On Cherry Trail devices there are 2 possible ACPI OpRegions for accessing GPIOs. The standard GeneralPurposeIo OpRegion and the Cherry Trail specific UserDefined 0x9X OpRegions. Having 2 different types of OpRegions leads to potential issues with checks for OpRegion availability, or in other words checks if _REG has been called for the OpRegion which the ACPI code wants to use. The ACPICA core does not call _REG on an ACPI node which does not define an OpRegion matching the type being registered; and the reference design DSDT, from which most Cherry Trail DSDTs are derived, does not define GeneralPurposeIo, nor UserDefined(0x93) OpRegions for the GPO2 (UID 3) device, because no pins were assigned ACPI controlled functions in the reference design. Together this leads to the perfect storm, at least on the Cherry Trail based Medion Akayo E1239T. This design does use a GPO2 pin from its ACPI code and has added the Cherry Trail specific UserDefined(0x93) opregion to its GPO2 ACPI node to access this pin. But it uses a has _REG been called availability check for the standard GeneralPurposeIo OpRegion. This clearly is a bug in the DSDT, but this does work under Windows. This issue leads to the intel_vbtn driver reporting the device always being in tablet-mode at boot, even if it is in laptop mode. Which in turn causes userspace to ignore touchpad events. So iow this issues causes the touchpad to not work at boot. Since the bug in the DSDT stems from the confusion of having 2 different OpRegion types for accessing GPIOs on Cherry Trail devices, I believe that this is best fixed inside the Cherryview pinctrl driver. This commit adds a workaround to the Cherryview pinctrl driver so that the DSDT's expectations of _REG always getting called for the GeneralPurposeIo OpRegion are met. Cc: stable(a)vger.kernel.org Signed-off-by: Hans de Goede <hdegoede(a)redhat.com> --- Changes in v2: - Drop unnecessary if (acpi_has_method(adev->handle, "_REG")) check - Fix Cherryview spelling in the commit message --- drivers/pinctrl/intel/pinctrl-cherryview.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c index 4c74fdde576d..4817aec114d6 100644 --- a/drivers/pinctrl/intel/pinctrl-cherryview.c +++ b/drivers/pinctrl/intel/pinctrl-cherryview.c @@ -1693,6 +1693,8 @@ static acpi_status chv_pinctrl_mmio_access_handler(u32 function, static int chv_pinctrl_probe(struct platform_device *pdev) { + struct acpi_object_list input; + union acpi_object params[2]; struct chv_pinctrl *pctrl; struct acpi_device *adev; acpi_status status; @@ -1755,6 +1757,22 @@ static int chv_pinctrl_probe(struct platform_device *pdev) if (ACPI_FAILURE(status)) dev_err(&pdev->dev, "failed to install ACPI addr space handler\n"); + /* + * Some DSDT-s use the chv_pinctrl_mmio_access_handler while checking + * for the regular GeneralPurposeIo OpRegion availability, mixed with + * the DSDT not defining a GeneralPurposeIo OpRegion at all. In this + * case the ACPICA code will not call _REG to signal availability of + * the GeneralPurposeIo OpRegion. Manually call _REG here so that + * the DSDT-s GeneralPurposeIo availability checks will succeed. + */ + params[0].type = ACPI_TYPE_INTEGER; + params[0].integer.value = ACPI_ADR_SPACE_GPIO; + params[1].type = ACPI_TYPE_INTEGER; + params[1].integer.value = 1; + input.count = 2; + input.pointer = params; + acpi_evaluate_object(adev->handle, "_REG", &input, NULL); + platform_set_drvdata(pdev, pctrl); return 0; -- 2.26.0

4 years, 1 month

4
11
0 0

Re: [PATCH] x86/memcpy: Introduce memcpy_mcsafe_fast

by Andy Lutomirski

--Andy > On Apr 18, 2020, at 12:42 PM, Linus Torvalds <torvalds(a)linux-foundation.org> wrote: > >>> On Fri, Apr 17, 2020 at 5:12 PM Dan Williams <dan.j.williams(a)intel.com> wrote: >>> >>> @@ -106,12 +108,10 @@ static __always_inline __must_check unsigned long >>> memcpy_mcsafe(void *dst, const void *src, size_t cnt) >>> { >>> #ifdef CONFIG_X86_MCE >>> - i(static_branch_unlikely(&mcsafe_key)) >>> - return __memcpy_mcsafe(dst, src, cnt); >>> - else >>> + if (static_branch_unlikely(&mcsafe_slow_key)) >>> + return memcpy_mcsafe_slow(dst, src, cnt); >>> #endif >>> - memcpy(dst, src, cnt); >>> - return 0; >>> + return memcpy_mcsafe_fast(dst, src, cnt); >>> } > > It strikes me that I see no advantages to making this an inline function at all. > > Even for the good case - where it turns into just a memcpy because MCE > is entirely disabled - it doesn't seem to matter. > > The only case that really helps is when the memcpy can be turned into > a single access. Which - and I checked - does exist, with people doing > > r = memcpy_mcsafe(&sb_seq_count, &sb(wc)->seq_count, sizeof(uint64_t)); > > to read a single 64-bit field which looks aligned to me. > > But that code is incredible garbage anyway, since even on a broken > machine, there's no actual reason to use the slow variant for that > whole access that I can tell. The macs-safe copy routines do not do > anything worthwhile for a single access. Maybe I’m missing something obvious, but what’s the alternative? The _mcsafe variants don’t just avoid the REP mess — they also tell the kernel that this particular access is recoverable via extable. With a regular memory access, the CPU may not explode, but do_machine_check() will, at very best, OOPS, and even that requires a certain degree of optimism. A panic is more likely.

4 years, 1 month

6
24
0 0

[PATCH 4.19 00/81] 4.19.80-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.19.80 release. There are 81 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri 18 Oct 2019 09:43:41 PM UTC. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.19.80-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.19.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.19.80-rc1 Mark-PK Tsai <mark-pk.tsai(a)mediatek.com> perf/hw_breakpoint: Fix arch_hw_breakpoint use-before-initialization Jon Derrick <jonathan.derrick(a)intel.com> PCI: vmd: Fix config addressing when using bus offsets Janakarajan Natarajan <Janakarajan.Natarajan(a)amd.com> x86/asm: Fix MWAITX C-state hint value Nuno Sá <nuno.sa(a)analog.com> hwmon: Fix HWMON_P_MIN_ALARM mask Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Get trace_array reference for available_tracers files Steven Rostedt (VMware) <rostedt(a)goodmis.org> ftrace: Get a reference counter for the trace_array on filter files Srivatsa S. Bhat (VMware) <srivatsa(a)csail.mit.edu> tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency Srivatsa S. Bhat (VMware) <srivatsa(a)csail.mit.edu> tracing/hwlat: Report total time spent in all NMIs during the sample Masayoshi Mizuma <m.mizuma(a)jp.fujitsu.com> arm64/sve: Fix wrong free for task->thread.sve_state Johan Hovold <johan(a)kernel.org> media: stkwebcam: fix runtime PM after driver unbind Al Viro <viro(a)zeniv.linux.org.uk> Fix the locking in dcache_readdir() and friends Jeremy Linton <jeremy.linton(a)arm.com> arm64: topology: Use PPTT to determine if PE is a thread Jeremy Linton <jeremy.linton(a)arm.com> ACPI/PPTT: Add support for ACPI 6.3 thread flag Erik Schmauss <erik.schmauss(a)intel.com> ACPICA: ACPI 6.3: PPTT add additional fields in Processor Structure Flags Jiaxun Yang <jiaxun.yang(a)flygoat.com> MIPS: elf_hwcap: Export userspace ASEs Paul Burton <paul.burton(a)mips.com> MIPS: Disable Loongson MMI instructions for kernel build Trond Myklebust <trondmy(a)gmail.com> NFS: Fix O_DIRECT accounting of number of bytes read/written Josef Bacik <josef(a)toxicpanda.com> btrfs: fix uninitialized ret in ref-verify Josef Bacik <josef(a)toxicpanda.com> btrfs: fix incorrect updating of log root tree Dave Wysochanski <dwysocha(a)redhat.com> cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic Fabrice Gasnier <fabrice.gasnier(a)st.com> iio: adc: stm32-adc: fix a race when using several adcs with dma and irq Fabrice Gasnier <fabrice.gasnier(a)st.com> iio: adc: stm32-adc: move registers definitions Bartosz Golaszewski <bgolaszewski(a)baylibre.com> gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source Brian Norris <briannorris(a)chromium.org> firmware: google: increment VPD key_len properly Dan Carpenter <dan.carpenter(a)oracle.com> mm/vmpressure.c: fix a signedness bug in vmpressure_register_event() Michal Hocko <mhocko(a)suse.com> kernel/sysctl.c: do not override max_threads provided by userspace Pavel Shilovsky <piastryyy(a)gmail.com> CIFS: Force reval dentry if LOOKUP_REVAL flag is set Pavel Shilovsky <piastryyy(a)gmail.com> CIFS: Force revalidate inode when dentry is stale Pavel Shilovsky <piastryyy(a)gmail.com> CIFS: Gracefully handle QueryInfo errors during open Harshad Shirwadkar <harshadshirwadkar(a)gmail.com> blk-wbt: fix performance regression in wbt scale_up/scale_down Steve MacLean <Steve.MacLean(a)microsoft.com> perf inject jit: Fix JIT_CODE_MOVE filename Ian Rogers <irogers(a)google.com> perf llvm: Don't access out-of-scope array Ard Biesheuvel <ard.biesheuvel(a)linaro.org> efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified David Frey <dpfrey(a)gmail.com> iio: light: opt3001: fix mutex unlock race Hans de Goede <hdegoede(a)redhat.com> iio: adc: axp288: Override TS pin bias current for some models Marco Felsch <m.felsch(a)pengutronix.de> iio: adc: ad799x: fix probe error handling Andreas Klinger <ak(a)it-klinger.de> iio: adc: hx711: fix bug in sampling of data Navid Emamdoost <navid.emamdoost(a)gmail.com> staging: vt6655: Fix memory leak in vt6655_probe Navid Emamdoost <navid.emamdoost(a)gmail.com> Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc Bruce Chen <bruce.chen(a)unisoc.com> gpio: eic: sprd: Fix the incorrect EIC offset when toggling Alexander Usyskin <alexander.usyskin(a)intel.com> mei: avoid FW version request on Ibex Peak and earlier Tomas Winkler <tomas.winkler(a)intel.com> mei: me: add comet point (lake) LP device ids Johan Hovold <johan(a)kernel.org> USB: legousbtower: fix use-after-free on release Johan Hovold <johan(a)kernel.org> USB: legousbtower: fix open after failed reset request Johan Hovold <johan(a)kernel.org> USB: legousbtower: fix potential NULL-deref on disconnect Johan Hovold <johan(a)kernel.org> USB: legousbtower: fix deadlock on disconnect Johan Hovold <johan(a)kernel.org> USB: legousbtower: fix slab info leak at probe Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior Yoshihiro Shimoda <yoshihiro.shimoda.uh(a)renesas.com> usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() Jacky.Cao(a)sony.com <Jacky.Cao(a)sony.com> USB: dummy-hcd: fix power budget for SuperSpeed mode Johan Hovold <johan(a)kernel.org> USB: microtek: fix info-leak at probe Johan Hovold <johan(a)kernel.org> USB: usblcd: fix I/O after disconnect Johan Hovold <johan(a)kernel.org> USB: serial: fix runtime PM after driver unbind Reinhard Speyerer <rspmn(a)arcor.de> USB: serial: option: add support for Cinterion CLS8 devices Daniele Palmas <dnlplm(a)gmail.com> USB: serial: option: add Telit FN980 compositions Beni Mahler <beni.mahler(a)gmx.net> USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 Johan Hovold <johan(a)kernel.org> USB: serial: keyspan: fix NULL-derefs on open() and write() Randy Dunlap <rdunlap(a)infradead.org> serial: uartlite: fix exit path null pointer Johan Hovold <johan(a)kernel.org> USB: ldusb: fix NULL-derefs on driver unbind Johan Hovold <johan(a)kernel.org> USB: chaoskey: fix use-after-free on release Johan Hovold <johan(a)kernel.org> USB: usblp: fix runtime PM after driver unbind Johan Hovold <johan(a)kernel.org> USB: iowarrior: fix use-after-free after driver unbind Johan Hovold <johan(a)kernel.org> USB: iowarrior: fix use-after-free on release Johan Hovold <johan(a)kernel.org> USB: iowarrior: fix use-after-free on disconnect Johan Hovold <johan(a)kernel.org> USB: adutux: fix use-after-free on release Johan Hovold <johan(a)kernel.org> USB: adutux: fix NULL-derefs on disconnect Johan Hovold <johan(a)kernel.org> USB: adutux: fix use-after-free on disconnect Kai-Heng Feng <kai.heng.feng(a)canonical.com> xhci: Increase STS_SAVE timeout in xhci_suspend() Bill Kuzeja <William.Kuzeja(a)stratus.com> xhci: Prevent deadlock when xhci adapter breaks during init Rick Tseng <rtseng(a)nvidia.com> usb: xhci: wait for CNR controller not ready bit in xhci resume Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts Jan Schmidt <jan(a)centricular.com> xhci: Check all endpoints for LPM timeout Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Prevent device initiated U1/U2 link pm if exit latency is too long Mathias Nyman <mathias.nyman(a)linux.intel.com> xhci: Fix false warning message about wrong bounce buffer write length Johan Hovold <johan(a)kernel.org> USB: usb-skeleton: fix NULL-deref on disconnect Johan Hovold <johan(a)kernel.org> USB: usb-skeleton: fix runtime PM after driver unbind Johan Hovold <johan(a)kernel.org> USB: yurex: fix NULL-derefs on disconnect Alan Stern <stern(a)rowland.harvard.edu> USB: yurex: Don't retry on unexpected errors Bastien Nocera <hadess(a)hadess.net> USB: rio500: Remove Rio 500 kernel driver Icenowy Zheng <icenowy(a)aosc.io> f2fs: use EINVAL for superblock with invalid magic Will Deacon <will(a)kernel.org> panic: ensure preemption is disabled during panic() ------------- Diffstat: Documentation/usb/rio.txt | 138 -------- MAINTAINERS | 7 - Makefile | 4 +- arch/arm/configs/badge4_defconfig | 1 - arch/arm/configs/corgi_defconfig | 1 - arch/arm/configs/pxa_defconfig | 1 - arch/arm/configs/s3c2410_defconfig | 1 - arch/arm/configs/spitz_defconfig | 1 - arch/arm64/kernel/process.c | 32 +- arch/arm64/kernel/topology.c | 19 +- arch/mips/configs/mtx1_defconfig | 1 - arch/mips/configs/rm200_defconfig | 1 - arch/mips/include/uapi/asm/hwcap.h | 11 + arch/mips/kernel/cpu-probe.c | 33 ++ arch/mips/loongson64/Platform | 4 + arch/mips/vdso/Makefile | 1 + arch/x86/include/asm/mwait.h | 2 +- arch/x86/lib/delay.c | 4 +- block/blk-rq-qos.c | 14 +- block/blk-rq-qos.h | 4 +- block/blk-wbt.c | 6 +- drivers/acpi/pptt.c | 52 +++ drivers/firmware/efi/efi.c | 3 + drivers/firmware/google/vpd_decode.c | 2 +- drivers/gpio/gpio-eic-sprd.c | 7 +- drivers/gpio/gpiolib.c | 27 +- drivers/iio/adc/ad799x.c | 4 +- drivers/iio/adc/axp288_adc.c | 32 ++ drivers/iio/adc/hx711.c | 10 +- drivers/iio/adc/stm32-adc-core.c | 70 ++-- drivers/iio/adc/stm32-adc-core.h | 137 ++++++++ drivers/iio/adc/stm32-adc.c | 109 ------ drivers/iio/light/opt3001.c | 6 +- drivers/media/usb/stkwebcam/stk-webcam.c | 3 +- drivers/misc/mei/bus-fixup.c | 14 +- drivers/misc/mei/hw-me-regs.h | 3 + drivers/misc/mei/hw-me.c | 21 +- drivers/misc/mei/hw-me.h | 8 +- drivers/misc/mei/mei_dev.h | 4 + drivers/misc/mei/pci-me.c | 13 +- drivers/pci/controller/vmd.c | 16 +- drivers/staging/fbtft/fbtft-core.c | 7 +- drivers/staging/vt6655/device_main.c | 4 +- drivers/tty/serial/uartlite.c | 3 +- drivers/usb/class/usblp.c | 8 +- drivers/usb/gadget/udc/dummy_hcd.c | 3 +- drivers/usb/host/xhci-ring.c | 4 +- drivers/usb/host/xhci.c | 70 +++- drivers/usb/image/microtek.c | 4 + drivers/usb/misc/Kconfig | 10 - drivers/usb/misc/Makefile | 1 - drivers/usb/misc/adutux.c | 24 +- drivers/usb/misc/chaoskey.c | 5 +- drivers/usb/misc/iowarrior.c | 16 +- drivers/usb/misc/ldusb.c | 24 +- drivers/usb/misc/legousbtower.c | 58 ++-- drivers/usb/misc/rio500.c | 561 ------------------------------- drivers/usb/misc/rio500_usb.h | 20 -- drivers/usb/misc/usblcd.c | 33 +- drivers/usb/misc/yurex.c | 18 +- drivers/usb/renesas_usbhs/common.h | 1 + drivers/usb/renesas_usbhs/fifo.c | 2 +- drivers/usb/renesas_usbhs/fifo.h | 1 + drivers/usb/renesas_usbhs/mod_gadget.c | 18 +- drivers/usb/renesas_usbhs/pipe.c | 15 + drivers/usb/renesas_usbhs/pipe.h | 1 + drivers/usb/serial/ftdi_sio.c | 3 + drivers/usb/serial/ftdi_sio_ids.h | 9 + drivers/usb/serial/keyspan.c | 4 +- drivers/usb/serial/option.c | 11 + drivers/usb/serial/usb-serial.c | 5 +- drivers/usb/usb-skeleton.c | 15 +- fs/btrfs/ref-verify.c | 2 +- fs/btrfs/tree-log.c | 36 +- fs/cifs/dir.c | 8 +- fs/cifs/file.c | 33 +- fs/cifs/inode.c | 4 + fs/f2fs/super.c | 36 +- fs/libfs.c | 134 ++++---- fs/nfs/direct.c | 78 +++-- include/acpi/actbl2.h | 7 +- include/linux/acpi.h | 5 + include/linux/hwmon.h | 2 +- kernel/events/hw_breakpoint.c | 4 +- kernel/fork.c | 4 +- kernel/panic.c | 1 + kernel/trace/ftrace.c | 27 +- kernel/trace/trace.c | 17 +- kernel/trace/trace_hwlat.c | 4 +- mm/vmpressure.c | 20 +- tools/perf/util/jitdump.c | 6 +- tools/perf/util/llvm-utils.c | 6 +- 92 files changed, 967 insertions(+), 1252 deletions(-)

4 years, 1 month

13
103
0 0

[PATCH] drm: avoid spurious EBUSY due to nonblocking atomic modesets

by Daniel Vetter

When doing an atomic modeset with ALLOW_MODESET drivers are allowed to pull in arbitrary other resources, including CRTCs (e.g. when reconfiguring global resources). But in nonblocking mode userspace has then no idea this happened, which can lead to spurious EBUSY calls, both: - when that other CRTC is currently busy doing a page_flip the ALLOW_MODESET commit can fail with an EBUSY - on the other CRTC a normal atomic flip can fail with EBUSY because of the additional commit inserted by the kernel without userspace's knowledge For blocking commits this isn't a problem, because everyone else will just block until all the CRTC are reconfigured. Only thing userspace can notice is the dropped frames without any reason for why frames got dropped. Consensus is that we need new uapi to handle this properly, but no one has any idea what exactly the new uapi should look like. As a stop-gap plug this problem by demoting nonblocking commits which might cause issues by including CRTCs not in the original request to blocking commits. v2: Add comments and a WARN_ON to enforce this only when allowed - we don't want to silently convert page flips into blocking plane updates just because the driver is buggy. References: https://lists.freedesktop.org/archives/dri-devel/2018-July/182281.html Bugzilla: https://gitlab.freedesktop.org/wayland/weston/issues/24#note_9568 Cc: Daniel Stone <daniel(a)fooishbar.org> Cc: Pekka Paalanen <pekka.paalanen(a)collabora.co.uk> Cc: stable(a)vger.kernel.org Signed-off-by: Daniel Vetter <daniel.vetter(a)intel.com> --- drivers/gpu/drm/drm_atomic.c | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/drivers/gpu/drm/drm_atomic.c b/drivers/gpu/drm/drm_atomic.c index d5cefb1cb2a2..058512f14772 100644 --- a/drivers/gpu/drm/drm_atomic.c +++ b/drivers/gpu/drm/drm_atomic.c @@ -2018,15 +2018,43 @@ EXPORT_SYMBOL(drm_atomic_commit); int drm_atomic_nonblocking_commit(struct drm_atomic_state *state) { struct drm_mode_config *config = &state->dev->mode_config; - int ret; + unsigned requested_crtc = 0; + unsigned affected_crtc = 0; + struct drm_crtc *crtc; + struct drm_crtc_state *crtc_state; + bool nonblocking = true; + int ret, i; + + /* + * For commits that allow modesets drivers can add other CRTCs to the + * atomic commit, e.g. when they need to reallocate global resources. + * + * But when userspace also requests a nonblocking commit then userspace + * cannot know that the commit affects other CRTCs, which can result in + * spurious EBUSY failures. Until we have better uapi plug this by + * demoting such commits to blocking mode. + */ + for_each_new_crtc_in_state(state, crtc, crtc_state, i) + requested_crtc |= drm_crtc_mask(crtc); ret = drm_atomic_check_only(state); if (ret) return ret; - DRM_DEBUG_ATOMIC("committing %p nonblocking\n", state); + for_each_new_crtc_in_state(state, crtc, crtc_state, i) + affected_crtc |= drm_crtc_mask(crtc); + + if (affected_crtc != requested_crtc) { + /* adding other CRTC is only allowed for modeset commits */ + WARN_ON(state->allow_modeset); + + DRM_DEBUG_ATOMIC("demoting %p to blocking mode to avoid EBUSY\n", state); + nonblocking = false; + } else { + DRM_DEBUG_ATOMIC("committing %p nonblocking\n", state); + } - return config->funcs->atomic_commit(state->dev, state, true); + return config->funcs->atomic_commit(state->dev, state, nonblocking); } EXPORT_SYMBOL(drm_atomic_nonblocking_commit); -- 2.18.0

4 years, 2 months

3
11
0 0

[PATCH] [Patch v2] usbtv: Fix refcounting mixup

by Oliver Neukum

The premature free in the error path is blocked by V4L refcounting, not USB refcounting. Thanks to Ben Hutchings for review. [v2] corrected attributions Signed-off-by: Oliver Neukum <oneukum(a)suse.com> Fixes: 50e704453553 ("media: usbtv: prevent double free in error case") CC: stable(a)vger.kernel.org Reported-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> --- drivers/media/usb/usbtv/usbtv-core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/media/usb/usbtv/usbtv-core.c b/drivers/media/usb/usbtv/usbtv-core.c index 5095c380b2c1..4a03c4d66314 100644 --- a/drivers/media/usb/usbtv/usbtv-core.c +++ b/drivers/media/usb/usbtv/usbtv-core.c @@ -113,7 +113,8 @@ static int usbtv_probe(struct usb_interface *intf, usbtv_audio_fail: /* we must not free at this point */ - usb_get_dev(usbtv->udev); + v4l2_device_get(&usbtv->v4l2_dev); + /* this will undo the v4l2_device_get() */ usbtv_video_free(usbtv); usbtv_video_fail: -- 2.13.6

4 years, 2 months

3
7
0 0

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror July 2020