This is the start of the stable review cycle for the 4.9.81 release.
There are 92 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sun Feb 11 13:39:04 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.81-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.9.81-rc1
Borislav Petkov <bp(a)suse.de>
x86/microcode: Do the family check first
Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
drm: rcar-du: Fix race condition when disabling planes at CRTC stop
Laurent Pinchart <laurent.pinchart+renesas(a)ideasonboard.com>
drm: rcar-du: Use the VBK interrupt for vblank events
Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com>
ASoC: rsnd: avoid duplicate free_irq()
Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com>
ASoC: rsnd: don't call free_irq() on Parent SSI
Julian Scheel <julian(a)jusst.de>
ASoC: simple-card: Fix misleading error message
Robert Baronescu <robert.baronescu(a)nxp.com>
crypto: tcrypt - fix S/G table for test_aead_speed()
KarimAllah Ahmed <karahmed(a)amazon.de>
KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
KarimAllah Ahmed <karahmed(a)amazon.de>
KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL
KarimAllah Ahmed <karahmed(a)amazon.de>
KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES
Ashok Raj <ashok.raj(a)intel.com>
KVM/x86: Add IBPB support
Paolo Bonzini <pbonzini(a)redhat.com>
KVM: VMX: make MSR bitmaps per-VCPU
Paolo Bonzini <pbonzini(a)redhat.com>
KVM: VMX: introduce alloc_loaded_vmcs
Jim Mattson <jmattson(a)google.com>
KVM: nVMX: Eliminate vmcs02 pool
David Matlack <dmatlack(a)google.com>
KVM: nVMX: mark vmcs12 pages dirty on L2 exit
David Hildenbrand <david(a)redhat.com>
KVM: nVMX: vmx_complete_nested_posted_interrupt() can't fail
David Hildenbrand <david(a)redhat.com>
KVM: nVMX: kmap() can't fail
Darren Kenny <darren.kenny(a)oracle.com>
x86/speculation: Fix typo IBRS_ATT, which should be IBRS_ALL
Arnd Bergmann <arnd(a)arndb.de>
x86/pti: Mark constant arrays as __initconst
KarimAllah Ahmed <karahmed(a)amazon.de>
x86/spectre: Simplify spectre_v2 command line parsing
David Woodhouse <dwmw(a)amazon.co.uk>
x86/retpoline: Avoid retpolines for built-in __init functions
Dan Williams <dan.j.williams(a)intel.com>
x86/kvm: Update spectre-v1 mitigation
Josh Poimboeuf <jpoimboe(a)redhat.com>
x86/paravirt: Remove 'noreplace-paravirt' cmdline option
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
Colin Ian King <colin.king(a)canonical.com>
x86/spectre: Fix spelling mistake: "vunerable"-> "vulnerable"
Dan Williams <dan.j.williams(a)intel.com>
x86/spectre: Report get_user mitigation for spectre_v1
Dan Williams <dan.j.williams(a)intel.com>
nl80211: Sanitize array index in parse_txq_params
Dan Williams <dan.j.williams(a)intel.com>
vfs, fdtable: Prevent bounds-check bypass via speculative execution
Dan Williams <dan.j.williams(a)intel.com>
x86/syscall: Sanitize syscall table de-references under speculation
Dan Williams <dan.j.williams(a)intel.com>
x86/get_user: Use pointer masking to limit speculation
Dan Williams <dan.j.williams(a)intel.com>
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
Dan Williams <dan.j.williams(a)intel.com>
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
Dan Williams <dan.j.williams(a)intel.com>
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
Dan Williams <dan.j.williams(a)intel.com>
x86: Introduce barrier_nospec
Dan Williams <dan.j.williams(a)intel.com>
x86: Implement array_index_mask_nospec
Dan Williams <dan.j.williams(a)intel.com>
array_index_nospec: Sanitize speculative array de-references
Mark Rutland <mark.rutland(a)arm.com>
Documentation: Document array_index_nospec
Andy Lutomirski <luto(a)kernel.org>
x86/asm: Move 'status' from thread_struct to thread_info
Andy Lutomirski <luto(a)kernel.org>
x86/entry/64: Push extra regs right away
Andy Lutomirski <luto(a)kernel.org>
x86/entry/64: Remove the SYSCALL64 fast path
Dou Liyang <douly.fnst(a)cn.fujitsu.com>
x86/spectre: Check CONFIG_RETPOLINE in command line parser
Borislav Petkov <bp(a)alien8.de>
x86/retpoline: Simplify vmexit_fill_RSB()
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpufeatures: Clean up Spectre v2 related CPUID flags
Thomas Gleixner <tglx(a)linutronix.de>
x86/cpu/bugs: Make retpoline module warning conditional
Borislav Petkov <bp(a)suse.de>
x86/bugs: Drop one "mitigation" from dmesg
Borislav Petkov <bp(a)suse.de>
x86/nospec: Fix header guards names
Borislav Petkov <bp(a)suse.de>
x86/alternative: Print unadorned pointers
David Woodhouse <dwmw(a)amazon.co.uk>
x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes
David Woodhouse <dwmw(a)amazon.co.uk>
x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown
David Woodhouse <dwmw(a)amazon.co.uk>
x86/msr: Add definitions for new speculation control MSRs
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpufeatures: Add AMD feature bits for Speculation Control
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpufeatures: Add Intel feature bits for Speculation Control
David Woodhouse <dwmw(a)amazon.co.uk>
x86/cpufeatures: Add CPUID_7_EDX CPUID leaf
Andi Kleen <ak(a)linux.intel.com>
module/retpoline: Warn about missing retpoline in module
Peter Zijlstra <peterz(a)infradead.org>
KVM: VMX: Make indirect call speculation safe
Peter Zijlstra <peterz(a)infradead.org>
KVM: x86: Make indirect calls in emulator speculation safe
Waiman Long <longman(a)redhat.com>
x86/retpoline: Remove the esp/rsp thunk
Eric Biggers <ebiggers(a)google.com>
KEYS: encrypted: fix buffer overread in valid_master_desc()
Takashi Iwai <tiwai(a)suse.de>
b43: Add missing MODULE_FIRMWARE()
Jesse Chan <jc(a)linux.com>
media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
Borislav Petkov <bp(a)suse.de>
x86/microcode/AMD: Do not load when running on a hypervisor
Josh Poimboeuf <jpoimboe(a)redhat.com>
x86/asm: Fix inline asm call constraints for GCC 4.4
Eric Dumazet <edumazet(a)google.com>
soreuseport: fix mem leak in reuseport_add_sock()
Martin KaFai Lau <kafai(a)fb.com>
ipv6: Fix SO_REUSEPORT UDP socket with implicit sk_ipv6only
Paolo Abeni <pabeni(a)redhat.com>
cls_u32: add missing RCU annotation.
Neal Cardwell <ncardwell(a)google.com>
tcp_bbr: fix pacing_gain to always be unity when using lt_bw
Jason Wang <jasowang(a)redhat.com>
vhost_net: stop device during reset owner
Li RongQing <lirongqing(a)baidu.com>
tcp: release sk_frag.page in tcp_disconnect
Chunhao Lin <hau(a)realtek.com>
r8169: fix RTL8168EP take too long to complete driver initialization.
Kristian Evensen <kristian.evensen(a)gmail.com>
qmi_wwan: Add support for Quectel EP06
Junxiao Bi <junxiao.bi(a)oracle.com>
qlcnic: fix deadlock bug
Eric Dumazet <edumazet(a)google.com>
net: igmp: add a missing rcu locking section
Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com>
ip6mr: fix stale iterator
Sebastian Andrzej Siewior <bigeasy(a)linutronix.de>
serial: core: mark port as initialized after successful IRQ change
Hugh Dickins <hughd(a)google.com>
kaiser: allocate pgd with order 0 when pti=off
Dave Hansen <dave.hansen(a)linux.intel.com>
x86/pti: Make unpoison of pgd for trusted boot work for real
Hugh Dickins <hughd(a)google.com>
kaiser: fix intel_bts perf crashes
Jesse Chan <jc(a)linux.com>
ASoC: pcm512x: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
Jesse Chan <jc(a)linux.com>
pinctrl: pxa: pxa2xx: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
Jesse Chan <jc(a)linux.com>
auxdisplay: img-ascii-lcd: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE
Michael Ellerman <mpe(a)ellerman.id.au>
powerpc/64s: Allow control of RFI flush via debugfs
Michael Ellerman <mpe(a)ellerman.id.au>
powerpc/64s: Wire up cpu_show_meltdown()
Oliver O'Halloran <oohall(a)gmail.com>
powerpc/powernv: Check device-tree for RFI flush settings
Michael Neuling <mikey(a)neuling.org>
powerpc/pseries: Query hypervisor for RFI flush settings
Michael Ellerman <mpe(a)ellerman.id.au>
powerpc/64s: Support disabling RFI flush with no_rfi_flush and nopti
Michael Ellerman <mpe(a)ellerman.id.au>
powerpc/64s: Add support for RFI flush of L1-D cache
Nicholas Piggin <npiggin(a)gmail.com>
powerpc/64s: Convert slb_miss_common to use RFI_TO_USER/KERNEL
Nicholas Piggin <npiggin(a)gmail.com>
powerpc/64: Convert the syscall exit path to use RFI_TO_USER/KERNEL
Nicholas Piggin <npiggin(a)gmail.com>
powerpc/64: Convert fast_exception_return to use RFI_TO_USER/KERNEL
Nicholas Piggin <npiggin(a)gmail.com>
powerpc/64: Add macros for annotating the destination of rfid/hrfid
Michael Neuling <mikey(a)neuling.org>
powerpc/pseries: Add H_GET_CPU_CHARACTERISTICS flags & wrapper
-------------
Diffstat:
Documentation/kernel-parameters.txt | 2 -
Documentation/speculation.txt | 90 +++
Makefile | 4 +-
arch/powerpc/Kconfig | 1 +
arch/powerpc/include/asm/exception-64e.h | 6 +
arch/powerpc/include/asm/exception-64s.h | 53 ++
arch/powerpc/include/asm/feature-fixups.h | 15 +
arch/powerpc/include/asm/hvcall.h | 17 +
arch/powerpc/include/asm/paca.h | 10 +
arch/powerpc/include/asm/plpar_wrappers.h | 14 +
arch/powerpc/include/asm/setup.h | 13 +
arch/powerpc/kernel/asm-offsets.c | 4 +
arch/powerpc/kernel/entry_64.S | 30 +-
arch/powerpc/kernel/exceptions-64s.S | 108 ++-
arch/powerpc/kernel/setup_64.c | 139 ++++
arch/powerpc/kernel/vmlinux.lds.S | 9 +
arch/powerpc/lib/feature-fixups.c | 42 ++
arch/powerpc/platforms/powernv/setup.c | 50 ++
arch/powerpc/platforms/pseries/setup.c | 35 +
arch/x86/entry/common.c | 9 +-
arch/x86/entry/entry_32.S | 3 +-
arch/x86/entry/entry_64.S | 134 +---
arch/x86/entry/syscall_64.c | 7 +-
arch/x86/events/intel/bts.c | 44 +-
arch/x86/include/asm/asm-prototypes.h | 4 +-
arch/x86/include/asm/asm.h | 4 +-
arch/x86/include/asm/barrier.h | 28 +
arch/x86/include/asm/cpufeature.h | 7 +-
arch/x86/include/asm/cpufeatures.h | 22 +-
arch/x86/include/asm/disabled-features.h | 3 +-
arch/x86/include/asm/intel-family.h | 7 +-
arch/x86/include/asm/msr-index.h | 12 +
arch/x86/include/asm/msr.h | 3 +-
arch/x86/include/asm/nospec-branch.h | 91 +--
arch/x86/include/asm/pgalloc.h | 11 -
arch/x86/include/asm/pgtable.h | 6 +
arch/x86/include/asm/processor.h | 2 -
arch/x86/include/asm/required-features.h | 3 +-
arch/x86/include/asm/syscall.h | 6 +-
arch/x86/include/asm/thread_info.h | 3 +-
arch/x86/include/asm/uaccess.h | 15 +-
arch/x86/include/asm/uaccess_32.h | 12 +-
arch/x86/include/asm/uaccess_64.h | 12 +-
arch/x86/kernel/alternative.c | 28 +-
arch/x86/kernel/cpu/bugs.c | 128 +++-
arch/x86/kernel/cpu/common.c | 70 +-
arch/x86/kernel/cpu/intel.c | 66 ++
arch/x86/kernel/cpu/microcode/core.c | 47 +-
arch/x86/kernel/cpu/scattered.c | 2 -
arch/x86/kernel/process_64.c | 4 +-
arch/x86/kernel/ptrace.c | 2 +-
arch/x86/kernel/signal.c | 2 +-
arch/x86/kernel/tboot.c | 10 +
arch/x86/kvm/cpuid.c | 21 +-
arch/x86/kvm/cpuid.h | 31 +
arch/x86/kvm/emulate.c | 10 +-
arch/x86/kvm/svm.c | 116 ++++
arch/x86/kvm/vmx.c | 763 +++++++++++----------
arch/x86/kvm/x86.c | 1 +
arch/x86/lib/Makefile | 1 +
arch/x86/lib/getuser.S | 10 +
arch/x86/lib/retpoline.S | 57 +-
arch/x86/lib/usercopy_32.c | 8 +-
crypto/tcrypt.c | 6 +-
drivers/auxdisplay/img-ascii-lcd.c | 4 +
drivers/gpu/drm/rcar-du/rcar_du_crtc.c | 55 +-
drivers/gpu/drm/rcar-du/rcar_du_crtc.h | 8 +
drivers/media/platform/soc_camera/soc_scale_crop.c | 4 +
.../net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 18 +-
drivers/net/ethernet/realtek/r8169.c | 4 +-
drivers/net/usb/qmi_wwan.c | 1 +
drivers/net/wireless/broadcom/b43/main.c | 10 +
drivers/pinctrl/pxa/pinctrl-pxa2xx.c | 4 +
drivers/tty/serial/serial_core.c | 2 +
drivers/vhost/net.c | 1 +
include/linux/fdtable.h | 5 +-
include/linux/init.h | 9 +-
include/linux/module.h | 9 +
include/linux/nospec.h | 72 ++
kernel/module.c | 11 +
net/core/sock_reuseport.c | 35 +-
net/ipv4/igmp.c | 4 +
net/ipv4/tcp.c | 6 +
net/ipv4/tcp_bbr.c | 6 +-
net/ipv6/af_inet6.c | 11 +-
net/ipv6/ip6mr.c | 1 +
net/sched/cls_u32.c | 12 +-
net/wireless/nl80211.c | 9 +-
scripts/mod/modpost.c | 9 +
security/keys/encrypted-keys/encrypted.c | 31 +-
sound/soc/codecs/pcm512x-spi.c | 4 +
sound/soc/generic/simple-card.c | 8 +-
sound/soc/sh/rcar/ssi.c | 5 +
93 files changed, 2034 insertions(+), 797 deletions(-)
commit 05e89fb576f580ac95e7a5d00bdb34830b09671a upstream.
It is no longer possible to build BT_HCIUART into the kernel
when SERIAL_DEV_BUS is a loadable module, even if none of the
SERIAL_DEV_BUS based implementations are selected:
drivers/bluetooth/hci_ldisc.o: In function `hci_uart_set_flow_control':
hci_ldisc.c:(.text+0xb40): undefined reference to `serdev_device_set_flow_control'
hci_ldisc.c:(.text+0xb5c): undefined reference to `serdev_device_set_tiocm'
This adds a dependency to avoid the broken configuration.
Fixes: 7841d554809b ("Bluetooth: hci_uart_set_flow_control: Fix NULL deref when using serdev")
Signed-off-by: Arnd Bergmann <arnd(a)arndb.de>
Signed-off-by: Marcel Holtmann <marcel(a)holtmann.org>
Cc: stable(a)vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd(a)arndb.de>
---
drivers/bluetooth/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/bluetooth/Kconfig b/drivers/bluetooth/Kconfig
index 98a60db8e5d1..b33c8d6eb8c7 100644
--- a/drivers/bluetooth/Kconfig
+++ b/drivers/bluetooth/Kconfig
@@ -66,6 +66,7 @@ config BT_HCIBTSDIO
config BT_HCIUART
tristate "HCI UART driver"
+ depends on SERIAL_DEV_BUS || !SERIAL_DEV_BUS
depends on TTY
help
Bluetooth HCI UART driver.
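Review bot: the added "depends on SERIAL_DEV_BUS || !SERIAL_DEV_BUS" under config BT_HCIUART reads as a tautology and is likely to be deleted as dead logic by a later cleanup. In tristate terms it caps BT_HCIUART at m when SERIAL_DEV_BUS=m, which is the whole point of the fix, so a one-line Kconfig comment above it saying so would be worth adding.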
@@ -80,7 +81,6 @@ config BT_HCIUART
config BT_HCIUART_SERDEV
bool
depends on SERIAL_DEV_BUS && BT_HCIUART
- depends on SERIAL_DEV_BUS=y || SERIAL_DEV_BUS=BT_HCIUART
default y
config BT_HCIUART_H4
--
2.9.0
Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in
some configurations:
drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type
On the other architectures, we are fine, but here we should have an additional
dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol.
Cc: stable(a)vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd(a)arndb.de>
---
drivers/staging/fsl-mc/bus/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/fsl-mc/bus/Kconfig b/drivers/staging/fsl-mc/bus/Kconfig
index 504c987447f2..eee1c1b277fa 100644
--- a/drivers/staging/fsl-mc/bus/Kconfig
+++ b/drivers/staging/fsl-mc/bus/Kconfig
@@ -8,7 +8,7 @@
config FSL_MC_BUS
bool "QorIQ DPAA2 fsl-mc bus driver"
- depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86 || PPC)))
+ depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86_LOCAL_APIC || PPC)))
select GENERIC_MSI_IRQ_DOMAIN
help
Driver to enable the bus infrastructure for the QorIQ DPAA2
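Review bot: the "depends on" line now lists X86_LOCAL_APIC among the COMPILE_TEST alternatives where every other entry is an architecture symbol, and nothing next to it says why. A short comment that "select GENERIC_MSI_IRQ_DOMAIN" does not build on x86 without the local APIC would keep it from being simplified back to X86. The changelog also has no Fixes: tag to tell the stable maintainers which releases need it.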
--
2.9.0
From: Fabio Estevam <fabio.estevam(a)nxp.com>
Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in
SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume
sequence:
# aplay /media/a2002011001-e02.wav
Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little
Endian, Rate 44100 Hz, Stereo
aplay: pcm_write:2051: write error: Input/output error
The problem is caused by the fact that the aforementioned commit
dropped the cache handling, so re-introduce the register map
resync to fix the problem.
Cc: <stable(a)vger.kernel.org>
Suggested-by: Mark Brown <broonie(a)kernel.org>
Signed-off-by: Fabio Estevam <fabio.estevam(a)nxp.com>
---
Changes since v2:
- Rebased against Linus' tree
sound/soc/codecs/sgtl5000.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/sound/soc/codecs/sgtl5000.c b/sound/soc/codecs/sgtl5000.c
index e1ab553..7ff5cb7 100644
--- a/sound/soc/codecs/sgtl5000.c
+++ b/sound/soc/codecs/sgtl5000.c
@@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct snd_pcm_substream *substream,
static int sgtl5000_set_bias_level(struct snd_soc_codec *codec,
enum snd_soc_bias_level level)
{
+ struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec);
+ int ret;
+
switch (level) {
case SND_SOC_BIAS_ON:
case SND_SOC_BIAS_PREPARE:
case SND_SOC_BIAS_STANDBY:
+ regcache_cache_only(sgtl->regmap, false);
+ ret = regcache_sync(sgtl->regmap);
+ if (ret) {
+ regcache_cache_only(sgtl->regmap, true);
+ return ret;
+ }
+
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP,
SGTL5000_REFTOP_POWERUP);
break;
case SND_SOC_BIAS_OFF:
+ regcache_cache_only(sgtl->regmap, true);
snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER,
SGTL5000_REFTOP_POWERUP, 0);
break;
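Review bot: in the SND_SOC_BIAS_OFF case, regcache_cache_only(sgtl->regmap, true) is switched on before the snd_soc_update_bits() call that clears SGTL5000_REFTOP_POWERUP, so if the codec's register I/O goes through this regmap the write stays in the cache and the reference is not powered down in hardware. If that is intended, say so in a comment; otherwise do the update first and enable cache-only afterwards.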
--
2.7.4
This is a note to let you know that I've just added the patch titled
binder: replace "%p" with "%pK"
to my char-misc git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-linus branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.
If you have any questions about this process, please let me know.
From 8ca86f1639ec5890d400fff9211aca22d0a392eb Mon Sep 17 00:00:00 2001
From: Todd Kjos <tkjos(a)android.com>
Date: Wed, 7 Feb 2018 13:57:37 -0800
Subject: binder: replace "%p" with "%pK"
The format specifier "%p" can leak kernel addresses. Use
"%pK" instead. There were 4 remaining cases in binder.c.
Signed-off-by: Todd Kjos <tkjos(a)google.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/android/binder.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index 31322e9a235d..a85f9033b57e 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -2199,7 +2199,7 @@ static void binder_transaction_buffer_release(struct binder_proc *proc,
int debug_id = buffer->debug_id;
binder_debug(BINDER_DEBUG_TRANSACTION,
- "%d buffer release %d, size %zd-%zd, failed at %p\n",
+ "%d buffer release %d, size %zd-%zd, failed at %pK\n",
proc->pid, buffer->debug_id,
buffer->data_size, buffer->offsets_size, failed_at);
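Review bot: for the binder_debug() string in binder_transaction_buffer_release(), "%pK" only restricts the value when the kptr_restrict sysctl is non-zero, and the permission check is made when the string is formatted, against the task doing the logging rather than whoever reads the log later. If failed_at is only needed to see how far the release got, printing it as an offset relative to the buffer would avoid emitting an address at all.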
@@ -3711,7 +3711,7 @@ static int binder_thread_write(struct binder_proc *proc,
}
}
binder_debug(BINDER_DEBUG_DEAD_BINDER,
- "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n",
+ "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n",
proc->pid, thread->pid, (u64)cookie,
death);
if (death == NULL) {
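Review bot: in the BC_DEAD_BINDER_DONE message the very next statement tests death == NULL, so the pointer is logged only to show whether a match was found. Printing that as found/not found (the cookie is already in the message) would remove the address from the log instead of relying on "%pK".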
@@ -5042,7 +5042,7 @@ static void print_binder_transaction_ilocked(struct seq_file *m,
spin_lock(&t->lock);
to_proc = t->to_proc;
seq_printf(m,
- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d",
+ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d",
prefix, t->debug_id, t,
t->from ? t->from->proc->pid : 0,
t->from ? t->from->pid : 0,
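Review bot: in print_binder_transaction_ilocked() the seq_printf() line already identifies the transaction by t->debug_id, so the address of t is redundant for a reader of this file. "%pK" is the appropriate specifier for seq_file output, since its check runs at read() time against the reader, but dropping the pointer would be simpler if nothing parses it.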
@@ -5066,7 +5066,7 @@ static void print_binder_transaction_ilocked(struct seq_file *m,
}
if (buffer->target_node)
seq_printf(m, " node %d", buffer->target_node->debug_id);
- seq_printf(m, " size %zd:%zd data %p\n",
+ seq_printf(m, " size %zd:%zd data %pK\n",
buffer->data_size, buffer->offsets_size,
buffer->data);
}
--
2.16.1
This is a note to let you know that I've just added the patch titled
ANDROID: binder: synchronize_rcu() when using POLLFREE.
to my char-misc git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-linus branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.
If you have any questions about this process, please let me know.
From 5eeb2ca02a2f6084fc57ae5c244a38baab07033a Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco(a)android.com>
Date: Fri, 16 Feb 2018 09:47:15 +0100
Subject: ANDROID: binder: synchronize_rcu() when using POLLFREE.
To prevent races with ep_remove_waitqueue() removing the
waitqueue at the same time.
Reported-by: syzbot+a2a3c4909716e271487e(a)syzkaller.appspotmail.com
Signed-off-by: Martijn Coenen <maco(a)android.com>
Cc: stable <stable(a)vger.kernel.org> # 4.14+
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/android/binder.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index a85f9033b57e..764b63a5aade 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -4382,6 +4382,15 @@ static int binder_thread_release(struct binder_proc *proc,
binder_inner_proc_unlock(thread->proc);
+ /*
+ * This is needed to avoid races between wake_up_poll() above and
+ * and ep_remove_waitqueue() called for other reasons (eg the epoll file
+ * descriptor being closed); ep_remove_waitqueue() holds an RCU read
+ * lock, so we can be sure it's done after calling synchronize_rcu().
+ */
+ if (thread->looper & BINDER_LOOPER_STATE_POLL)
+ synchronize_rcu();
+
if (send_reply)
binder_send_failed_reply(send_reply, BR_DEAD_REPLY);
binder_release_work(proc, &thread->todo);
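Review bot: thread->looper is tested for BINDER_LOOPER_STATE_POLL after binder_inner_proc_unlock(thread->proc), so the flag is read without the inner lock; either sample it into a local while the lock is still held or state in the comment why it cannot change at this point. The comment also has a doubled "and" across its first two lines, and synchronize_rcu() can block for a full grace period on every release of a polling thread, which deserves a sentence in the changelog.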
--
2.16.1
This is a note to let you know that I've just added the patch titled
ANDROID: binder: remove WARN() for redundant txn error
to my char-misc git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git
in the char-misc-linus branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.
If you have any questions about this process, please let me know.
From e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b Mon Sep 17 00:00:00 2001
From: Todd Kjos <tkjos(a)android.com>
Date: Wed, 7 Feb 2018 12:38:47 -0800
Subject: ANDROID: binder: remove WARN() for redundant txn error
binder_send_failed_reply() is called when a synchronous
transaction fails. It reports an error to the thread that
is waiting for the completion. Given that the transaction
is synchronous, there should never be more than 1 error
response to that thread -- this was being asserted with
a WARN().
However, when exercising the driver with syzbot tests, cases
were observed where multiple "synchronous" requests were
sent without waiting for responses, so it is possible that
multiple errors would be reported to the thread. This testing
was conducted with panic_on_warn set which forced the crash.
This is easily reproduced by sending back-to-back
"synchronous" transactions without checking for any
response (eg, set read_size to 0):
bwr.write_buffer = (uintptr_t)&bc1;
bwr.write_size = sizeof(bc1);
bwr.read_buffer = (uintptr_t)&br;
bwr.read_size = 0;
ioctl(fd, BINDER_WRITE_READ, &bwr);
sleep(1);
bwr2.write_buffer = (uintptr_t)&bc2;
bwr2.write_size = sizeof(bc2);
bwr2.read_buffer = (uintptr_t)&br;
bwr2.read_size = 0;
ioctl(fd, BINDER_WRITE_READ, &bwr2);
sleep(1);
The first transaction is sent to the servicemanager and the reply
fails because no VMA is set up by this client. After
binder_send_failed_reply() is called, the BINDER_WORK_RETURN_ERROR
is sitting on the thread's todo list since the read_size was 0 and
the client is not waiting for a response.
The 2nd transaction is sent and the BINDER_WORK_RETURN_ERROR has not
been consumed, so the thread's reply_error.cmd is still set (normally
cleared when the BINDER_WORK_RETURN_ERROR is handled). Therefore
when the servicemanager attempts to reply to the 2nd failed
transaction, the error is already set and it triggers this warning.
This is a user error since it is not waiting for the synchronous
transaction to complete. If it ever does check, it will see an
error.
Changed the WARN() to a pr_warn().
Signed-off-by: Todd Kjos <tkjos(a)android.com>
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Cc: stable <stable(a)vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/android/binder.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/drivers/android/binder.c b/drivers/android/binder.c
index ad5e662e3e14..31322e9a235d 100644
--- a/drivers/android/binder.c
+++ b/drivers/android/binder.c
@@ -1991,8 +1991,14 @@ static void binder_send_failed_reply(struct binder_transaction *t,
&target_thread->reply_error.work);
wake_up_interruptible(&target_thread->wait);
} else {
- WARN(1, "Unexpected reply error: %u\n",
- target_thread->reply_error.cmd);
+ /*
+ * Cannot get here for normal operation, but
+ * we can if multiple synchronous transactions
+ * are sent without blocking for responses.
+ * Just ignore the 2nd error in this case.
+ */
+ pr_warn("Unexpected reply error: %u\n",
+ target_thread->reply_error.cmd);
}
binder_inner_proc_unlock(target_thread->proc);
binder_thread_dec_tmpref(target_thread);
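Review bot: the replacement pr_warn() in the else branch of binder_send_failed_reply() is reachable on demand from userspace, as the changelog's back-to-back BINDER_WRITE_READ sequence shows, so any binder client can fill the kernel log with it. Use pr_warn_ratelimited(), or demote the message to the driver's debug logging.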
--
2.16.1
This is a note to let you know that I've just added the patch titled
usb: dwc3: core: Fix ULPI PHYs and prevent phy_get/ulpi_init during
to my usb git tree which can be found at
git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git
in the usb-linus branch.
The patch will show up in the next release of the linux-next tree
(usually sometime within the next 24 hours during the week.)
The patch will hopefully also be merged in Linus's tree for the
next -rc kernel release.
If you have any questions about this process, please let me know.
From 98112041bcca164676367e261c8c1073ef70cb51 Mon Sep 17 00:00:00 2001
From: Roger Quadros <rogerq(a)ti.com>
Date: Mon, 12 Feb 2018 15:30:08 +0200
Subject: usb: dwc3: core: Fix ULPI PHYs and prevent phy_get/ulpi_init during
suspend/resume
In order for ULPI PHYs to work, dwc3_phy_setup() and dwc3_ulpi_init()
must be done before dwc3_core_get_phy().
commit 541768b08a40 ("usb: dwc3: core: Call dwc3_core_get_phy() before initializing phys")
broke this.
The other issue is that dwc3_core_get_phy() and dwc3_ulpi_init() should
be called only once during the life cycle of the driver. However,
as dwc3_core_init() is called during system suspend/resume it will
result in multiple calls to dwc3_core_get_phy() and dwc3_ulpi_init()
which is wrong.
Fix this by moving dwc3_ulpi_init() out of dwc3_phy_setup()
into dwc3_core_ulpi_init(). Use a flag 'ulpi_ready' to ensure that
dwc3_core_ulpi_init() is called only once from dwc3_core_init().
Use another flag 'phys_ready' to call dwc3_core_get_phy() only once from
dwc3_core_init().
Fixes: 541768b08a40 ("usb: dwc3: core: Call dwc3_core_get_phy() before initializing phys")
Fixes: f54edb539c11 ("usb: dwc3: core: initialize ULPI before trying to get the PHY")
Cc: linux-stable <stable(a)vger.kernel.org> # >= v4.13
Signed-off-by: Roger Quadros <rogerq(a)ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com>
---
drivers/usb/dwc3/core.c | 47 ++++++++++++++++++++++++++++++++++++-----------
drivers/usb/dwc3/core.h | 5 +++++
2 files changed, 41 insertions(+), 11 deletions(-)
diff --git a/drivers/usb/dwc3/core.c b/drivers/usb/dwc3/core.c
index 59511f2cd3ac..f1d838a4acd6 100644
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -486,6 +486,22 @@ static void dwc3_cache_hwparams(struct dwc3 *dwc)
parms->hwparams8 = dwc3_readl(dwc->regs, DWC3_GHWPARAMS8);
}
+static int dwc3_core_ulpi_init(struct dwc3 *dwc)
+{
+ int intf;
+ int ret = 0;
+
+ intf = DWC3_GHWPARAMS3_HSPHY_IFC(dwc->hwparams.hwparams3);
+
+ if (intf == DWC3_GHWPARAMS3_HSPHY_IFC_ULPI ||
+ (intf == DWC3_GHWPARAMS3_HSPHY_IFC_UTMI_ULPI &&
+ dwc->hsphy_interface &&
+ !strncmp(dwc->hsphy_interface, "ulpi", 4)))
+ ret = dwc3_ulpi_init(dwc);
+
+ return ret;
+}
+
/**
* dwc3_phy_setup - Configure USB PHY Interface of DWC3 Core
* @dwc: Pointer to our controller context structure
@@ -497,7 +513,6 @@ static void dwc3_cache_hwparams(struct dwc3 *dwc)
static int dwc3_phy_setup(struct dwc3 *dwc)
{
u32 reg;
- int ret;
reg = dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0));
@@ -568,9 +583,6 @@ static int dwc3_phy_setup(struct dwc3 *dwc)
}
/* FALLTHROUGH */
case DWC3_GHWPARAMS3_HSPHY_IFC_ULPI:
- ret = dwc3_ulpi_init(dwc);
- if (ret)
- return ret;
/* FALLTHROUGH */
default:
break;
@@ -727,6 +739,7 @@ static void dwc3_core_setup_global_control(struct dwc3 *dwc)
}
static int dwc3_core_get_phy(struct dwc3 *dwc);
+static int dwc3_core_ulpi_init(struct dwc3 *dwc);
/**
* dwc3_core_init - Low-level initialization of DWC3 Core
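Review bot: the forward declaration "static int dwc3_core_ulpi_init(struct dwc3 *dwc);" added next to the dwc3_core_get_phy() prototype is unnecessary, since the first hunk of this patch defines the function near line 489, well before dwc3_core_init(). Drop it.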
@@ -758,17 +771,27 @@ static int dwc3_core_init(struct dwc3 *dwc)
dwc->maximum_speed = USB_SPEED_HIGH;
}
- ret = dwc3_core_get_phy(dwc);
+ ret = dwc3_phy_setup(dwc);
if (ret)
goto err0;
- ret = dwc3_core_soft_reset(dwc);
- if (ret)
- goto err0;
+ if (!dwc->ulpi_ready) {
+ ret = dwc3_core_ulpi_init(dwc);
+ if (ret)
+ goto err0;
+ dwc->ulpi_ready = true;
+ }
- ret = dwc3_phy_setup(dwc);
+ if (!dwc->phys_ready) {
+ ret = dwc3_core_get_phy(dwc);
+ if (ret)
+ goto err0a;
+ dwc->phys_ready = true;
+ }
+
+ ret = dwc3_core_soft_reset(dwc);
if (ret)
- goto err0;
+ goto err0a;
dwc3_core_setup_global_control(dwc);
dwc3_core_num_eps(dwc);
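Review bot: ulpi_ready and phys_ready are set to true in dwc3_core_init() but never cleared on the failure paths. "goto err0a" after a failed dwc3_core_get_phy() or dwc3_core_soft_reset() ends in dwc3_ulpi_exit() (the err0a label added further down) while ulpi_ready stays true, so a later dwc3_core_init() call, such as the one on resume, skips dwc3_core_ulpi_init() with the ULPI interface already torn down. Reset the flag where dwc3_ulpi_exit() is called, or do not tear ULPI down on paths that can be retried.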
@@ -841,6 +864,9 @@ static int dwc3_core_init(struct dwc3 *dwc)
phy_exit(dwc->usb2_generic_phy);
phy_exit(dwc->usb3_generic_phy);
+err0a:
+ dwc3_ulpi_exit(dwc);
+
err0:
return ret;
}
@@ -1235,7 +1261,6 @@ static int dwc3_probe(struct platform_device *pdev)
err3:
dwc3_free_event_buffers(dwc);
- dwc3_ulpi_exit(dwc);
err2:
pm_runtime_allow(&pdev->dev);
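Review bot: removing dwc3_ulpi_exit() from the err3 path of dwc3_probe() means a probe failure that happens after dwc3_core_init() has returned successfully no longer releases ULPI here, because the new err0a label is only reached from inside dwc3_core_init(). Please confirm that another call on this unwind path (not visible in the hunk) covers it, or keep the call.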
diff --git a/drivers/usb/dwc3/core.h b/drivers/usb/dwc3/core.h
index 185b9603fd98..860d2bc184d1 100644
--- a/drivers/usb/dwc3/core.h
+++ b/drivers/usb/dwc3/core.h
@@ -797,7 +797,9 @@ struct dwc3_scratchpad_array {
* @usb3_phy: pointer to USB3 PHY
* @usb2_generic_phy: pointer to USB2 PHY
* @usb3_generic_phy: pointer to USB3 PHY
+ * @phys_ready: flag to indicate that PHYs are ready
* @ulpi: pointer to ulpi interface
+ * @ulpi_ready: flag to indicate that ULPI is initialized
* @u2sel: parameter from Set SEL request.
* @u2pel: parameter from Set SEL request.
* @u1sel: parameter from Set SEL request.
@@ -895,7 +897,10 @@ struct dwc3 {
struct phy *usb2_generic_phy;
struct phy *usb3_generic_phy;
+ bool phys_ready;
+
struct ulpi *ulpi;
+ bool ulpi_ready;
void __iomem *regs;
size_t regs_size;
--
2.16.1