When we get an interrupt for a channel program, it is not
necessarily the final interrupt; for example, the issuing
guest may request an intermediate interrupt by specifying
the program-controlled-interrupt flag on a ccw.
We must not switch the state to idle if the interrupt is not
yet final; even more importantly, we must not free the translated
channel program if the interrupt is not yet final, or the host
can crash during cp rewind.
Fixes: e5f84dbaea59 ("vfio: ccw: return I/O results asynchronously")
Cc: stable(a)vger.kernel.org # v4.12+
Reviewed-by: Eric Farman <farman(a)linux.ibm.com>
Signed-off-by: Cornelia Huck <cohuck(a)redhat.com>
(cherry picked from commit 50b7f1b7236bab08ebbbecf90521e84b068d7a17)
---
drivers/s390/cio/vfio_ccw_drv.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/s390/cio/vfio_ccw_drv.c b/drivers/s390/cio/vfio_ccw_drv.c
index ae7a49ade414..d22759eb6640 100644
--- a/drivers/s390/cio/vfio_ccw_drv.c
+++ b/drivers/s390/cio/vfio_ccw_drv.c
@@ -70,20 +70,24 @@ static void vfio_ccw_sch_io_todo(struct work_struct *work)
{
struct vfio_ccw_private *private;
struct irb *irb;
+ bool is_final;
private = container_of(work, struct vfio_ccw_private, io_work);
irb = &private->irb;
+ is_final = !(scsw_actl(&irb->scsw) &
+ (SCSW_ACTL_DEVACT | SCSW_ACTL_SCHACT));
if (scsw_is_solicited(&irb->scsw)) {
cp_update_scsw(&private->cp, &irb->scsw);
- cp_free(&private->cp);
+ if (is_final)
+ cp_free(&private->cp);
}
memcpy(private->io_region.irb_area, irb, sizeof(*irb));
if (private->io_trigger)
eventfd_signal(private->io_trigger, 1);
- if (private->mdev)
+ if (private->mdev && is_final)
private->state = VFIO_CCW_STATE_IDLE;
}
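Review bot: The `is_final` assignment near the top of vfio_ccw_sch_io_todo() has no comment saying why clear `SCSW_ACTL_DEVACT` and `SCSW_ACTL_SCHACT` bits mean the interrupt is final, yet it now guards both `cp_free()` and the switch to `VFIO_CCW_STATE_IDLE`. A short comment above the assignment would help, given that the commit message says a wrong decision here can crash the host during cp rewind. It would also be worth stating in the code that the `memcpy()` into `io_region.irb_area` and the `eventfd_signal()` call still run for intermediate interrupts, so a reader can see that this is intended.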
--
2.17.2
Having a cyclic DMA, a residue 0 is not an indication of a completed
DMA. In case of cyclic DMA make sure that dma_set_residue() is called
and with this a residue of 0 is forwarded correctly to the caller.
Fixes: 3544d2878817 ("dmaengine: rcar-dmac: use result of updated get_residue in tx_status")
Signed-off-by: Dirk Behme <dirk.behme(a)de.bosch.com>
Signed-off-by: Achim Dahlhoff <Achim.Dahlhoff(a)de.bosch.com>
Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx(a)renesas.com>
Cc: <stable(a)vger.kernel.org> # v4.8+
---
Note: Patch done against mainline v5.0
Changes in v2: None
drivers/dma/sh/rcar-dmac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/dma/sh/rcar-dmac.c b/drivers/dma/sh/rcar-dmac.c
index 2b4f25698169..2ea59229d7f5 100644
--- a/drivers/dma/sh/rcar-dmac.c
+++ b/drivers/dma/sh/rcar-dmac.c
@@ -1378,7 +1378,7 @@ static enum dma_status rcar_dmac_tx_status(struct dma_chan *chan,
spin_unlock_irqrestore(&rchan->lock, flags);
/* if there's no residue, the cookie is complete */
- if (!residue)
+ if (!residue && !rchan->desc.running->cyclic)
return DMA_COMPLETE;
dma_set_residue(txstate, residue);
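Review bot: `rchan->desc.running->cyclic` in the new condition is read after `spin_unlock_irqrestore(&rchan->lock, flags)` on the context line just above it, so `desc.running` is dereferenced without the channel lock, and nothing in the visible lines shows that it is non-NULL or unchanged at that point. Consider sampling the cyclic flag into a local bool before the unlock and testing that local instead. The comment "if there's no residue, the cookie is complete" no longer describes the cyclic case and should be updated with the condition.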
--
2.20.0
This is the start of the stable review cycle for the 4.9.166 release.
There are 30 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu Mar 28 04:25:51 UTC 2019.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.166-rc…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 4.9.166-rc1
Arnd Bergmann <arnd(a)arndb.de>
ath10k: avoid possible string overflow
Baolin Wang <baolin.wang(a)linaro.org>
power: supply: charger-manager: Fix incorrect return value
Enric Balletbo i Serra <enric.balletbo(a)collabora.com>
pwm-backlight: Enable/disable the PWM before/after LCD enable toggle.
Baolin Wang <baolin.wang(a)linaro.org>
rtc: Fix overflow when converting time64_t to rtc_time
kehuanlin <chgokhl(a)gmail.com>
scsi: ufs: fix wrong command type of UTRD for UFSHCI v2.1
Andrey Konovalov <andreyknvl(a)google.com>
USB: core: only clean up what we allocated
Peter Zijlstra <peterz(a)infradead.org>
lib/int_sqrt: optimize small argument
Lanqing Liu <lanqing.liu(a)spreadtrum.com>
serial: sprd: clear timeout interrupt only rather than all interrupts
Qiao Zhou <qiaozhou(a)asrmicro.com>
arm64: traps: disable irq in die()
Al Viro <viro(a)ZenIV.linux.org.uk>
Hang/soft lockup in d_invalidate with simultaneous calls
Wei Qiao <wei.qiao(a)spreadtrum.com>
serial: sprd: adjust TIMEOUT to a big value
Eric Dumazet <edumazet(a)google.com>
tcp/dccp: drop SYN packets if accept queue is full
Hui Wang <hui.wang(a)canonical.com>
ALSA: hda - Enforces runtime_resume after S3 and S4 for each codec
Takashi Iwai <tiwai(a)suse.de>
ALSA: hda - Record the current power state before suspend/resume calls
Waiman Long <longman(a)redhat.com>
locking/lockdep: Add debug_locks check in __lock_downgrade()
Myungho Jung <mhjungk(a)gmail.com>
Bluetooth: Fix decrementing reference count twice in releasing socket
Hans Verkuil <hverkuil(a)xs4all.nl>
media: v4l2-ctrls.c/uvc: zero v4l2_event
zhangyi (F) <yi.zhang(a)huawei.com>
ext4: brelse all indirect buffer in ext4_ind_remove_space()
Lukas Czerner <lczerner(a)redhat.com>
ext4: fix data corruption caused by unaligned direct AIO
Jiufei Xue <jiufei.xue(a)linux.alibaba.com>
ext4: fix NULL pointer dereference while journal is aborted
Josh Poimboeuf <jpoimboe(a)redhat.com>
objtool: Move objtool_file struct off the stack
Chen Jie <chenjie6(a)huawei.com>
futex: Ensure that futex address is aligned in handle_futex_death()
Archer Yan <ayan(a)wavecomp.com>
MIPS: Fix kernel crash for R6 in jump label branch function
Yasha Cherikovsky <yasha.che3(a)gmail.com>
MIPS: Ensure ELF appended dtb is relocated
Yifeng Li <tomli(a)tomli.me>
mips: loongson64: lemote-2f: Add IRQF_NO_SUSPEND to "cascade" irqaction.
Jan Kara <jack(a)suse.cz>
udf: Fix crash on IO error during truncate
Ilya Dryomov <idryomov(a)gmail.com>
libceph: wait for latest osdmap in ceph_monc_blacklist_add()
Stanislaw Gruszka <sgruszka(a)redhat.com>
iommu/amd: fix sg->dma_address for sg->offset bigger than PAGE_SIZE
Thomas Zimmermann <tzimmermann(a)suse.de>
drm/vmwgfx: Don't double-free the mode stored in par->set_mode
Arnd Bergmann <arnd(a)arndb.de>
mmc: pxamci: fix enum type confusion
-------------
Diffstat:
Makefile | 4 +--
arch/arm64/kernel/traps.c | 8 +++--
arch/mips/include/asm/jump_label.h | 8 ++---
arch/mips/kernel/vmlinux.lds.S | 12 ++++---
arch/mips/loongson64/lemote-2f/irq.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_fb.c | 12 ++-----
drivers/iommu/amd_iommu.c | 7 ++++-
drivers/media/usb/uvc/uvc_ctrl.c | 2 +-
drivers/media/v4l2-core/v4l2-ctrls.c | 2 +-
drivers/mmc/host/pxamci.c | 2 +-
drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
drivers/power/supply/charger-manager.c | 3 +-
drivers/rtc/rtc-lib.c | 6 ++--
drivers/scsi/ufs/ufshcd.c | 14 +++++----
drivers/tty/serial/sprd_serial.c | 6 ++--
drivers/usb/core/config.c | 9 ++++--
drivers/video/backlight/pwm_bl.c | 9 +++---
fs/dcache.c | 10 +++---
fs/ext4/ext4_jbd2.h | 2 +-
fs/ext4/file.c | 2 +-
fs/ext4/indirect.c | 12 ++++---
fs/udf/truncate.c | 3 ++
include/linux/ceph/libceph.h | 2 ++
include/net/inet_connection_sock.h | 5 ---
kernel/futex.c | 4 +++
kernel/locking/lockdep.c | 3 ++
lib/int_sqrt.c | 3 ++
net/bluetooth/hci_sock.c | 3 +-
net/ceph/ceph_common.c | 18 ++++++++++-
net/ceph/mon_client.c | 9 ++++++
net/dccp/ipv4.c | 8 +----
net/dccp/ipv6.c | 2 +-
net/ipv4/tcp_input.c | 8 +----
sound/pci/hda/hda_codec.c | 57 ++++++++++++++++++++++++++++++++--
tools/objtool/check.c | 3 +-
35 files changed, 175 insertions(+), 87 deletions(-)
The patch below does not apply to the 3.18-stable tree.
If someone wants it applied there, or to any other stable or longterm
tree, then please email the backport, including the original git commit
id to <stable(a)vger.kernel.org>.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
>From 91740fc8242b4f260cfa4d4536d8551804777fae Mon Sep 17 00:00:00 2001
From: Kohji Okuno <okuno.kohji(a)jp.panasonic.com>
Date: Tue, 26 Feb 2019 11:34:13 +0900
Subject: [PATCH] ARM: imx6q: cpuidle: fix bug that CPU might not wake up at
expected time
In the current cpuidle implementation for i.MX6q, the CPU that sets
'WAIT_UNCLOCKED' and the CPU that returns to 'WAIT_CLOCKED' are always
the same. While the CPU that sets 'WAIT_UNCLOCKED' is in IDLE state of
"WAIT", if the other CPU wakes up and enters IDLE state of "WFI"
instead of "WAIT", this CPU can not wake up at expired time.
Because, in the case of "WFI", the CPU must be waked up by the local
timer interrupt. But, while 'WAIT_UNCLOCKED' is set, the local timer
is stopped, when all CPUs execute "wfi" instruction. As a result, the
local timer interrupt is not fired.
In this situation, this CPU will wake up by IRQ different from local
timer. (e.g. broadcast timer)
So, this fix changes CPU to return to 'WAIT_CLOCKED'.
Signed-off-by: Kohji Okuno <okuno.kohji(a)jp.panasonic.com>
Fixes: e5f9dec8ff5f ("ARM: imx6q: support WAIT mode using cpuidle")
Cc: <stable(a)vger.kernel.org>
Signed-off-by: Shawn Guo <shawnguo(a)kernel.org>
diff --git a/arch/arm/mach-imx/cpuidle-imx6q.c b/arch/arm/mach-imx/cpuidle-imx6q.c
index bfeb25aaf9a2..326e870d7123 100644
--- a/arch/arm/mach-imx/cpuidle-imx6q.c
+++ b/arch/arm/mach-imx/cpuidle-imx6q.c
@@ -16,30 +16,23 @@
#include "cpuidle.h"
#include "hardware.h"
-static atomic_t master = ATOMIC_INIT(0);
-static DEFINE_SPINLOCK(master_lock);
+static int num_idle_cpus = 0;
+static DEFINE_SPINLOCK(cpuidle_lock);
static int imx6q_enter_wait(struct cpuidle_device *dev,
struct cpuidle_driver *drv, int index)
{
- if (atomic_inc_return(&master) == num_online_cpus()) {
- /*
- * With this lock, we prevent other cpu to exit and enter
- * this function again and become the master.
- */
- if (!spin_trylock(&master_lock))
- goto idle;
+ spin_lock(&cpuidle_lock);
+ if (++num_idle_cpus == num_online_cpus())
imx6_set_lpm(WAIT_UNCLOCKED);
- cpu_do_idle();
- imx6_set_lpm(WAIT_CLOCKED);
- spin_unlock(&master_lock);
- goto done;
- }
+ spin_unlock(&cpuidle_lock);
-idle:
cpu_do_idle();
-done:
- atomic_dec(&master);
+
+ spin_lock(&cpuidle_lock);
+ if (num_idle_cpus-- == num_online_cpus())
+ imx6_set_lpm(WAIT_CLOCKED);
+ spin_unlock(&cpuidle_lock);
return index;
}
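Review bot: In the exit path, `if (num_idle_cpus-- == num_online_cpus())` compares against a freshly read `num_online_cpus()`, which need not be the value seen on entry when `WAIT_UNCLOCKED` was set. If the online count changes while CPUs are idle, the return to `WAIT_CLOCKED` can be skipped or taken at the wrong count. Recording under `cpuidle_lock` that `WAIT_UNCLOCKED` was set and testing that record on exit would avoid depending on the count, or a comment should say why the count cannot change here. The removed comment explaining the old locking has no replacement, so a line on what `cpuidle_lock` protects would help, and the `= 0` initialiser on `static int num_idle_cpus` is redundant.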
On 27.3.2019 16.00, Sasha Levin wrote:
> Hi,
>
> [This is an automated email]
>
> This commit has been processed because it contains a -stable tag.
> The stable tag indicates that it's relevant for the following trees: all
>
> The bot has tested the following trees: v5.0.4, v4.19.31, v4.14.108, v4.9.165, v4.4.177, v3.18.137.
>
> v5.0.4: Build OK!
> v4.19.31: Build OK!
> v4.14.108: Build OK!
> v4.9.165: Failed to apply! Possible dependencies:
> 76a0f32b28d4 ("xhci: rename temp and temp1 variables")
>
> v4.4.177: Failed to apply! Possible dependencies:
> 76a0f32b28d4 ("xhci: rename temp and temp1 variables")
>
> v3.18.137: Failed to apply! Possible dependencies:
> 2338b9e47fba ("xhci: define the new default speed ID for SuperSpeedPlus used by xhci hw")
> 41485a90d573 ("xhci: optimize xhci bus resume time")
> 76a0f32b28d4 ("xhci: rename temp and temp1 variables")
> b50107bb83d0 ("xhci: check xhci hardware for USB 3.1 support")
> cd33a32157e4 ("usb: xhci: cleanup xhci_hcd allocation")
>
>
> How should we proceed with this patch?
Backported versions for 4.9, 4.4 and 3.18 sent to stable
Thanks
Mathias
commit 072684e8c58d17e853f8e8b9f6d9ce2e58d2b036 upstream.
In f_hidg_write() the write_spinlock is acquired before calling
usb_ep_queue() which causes a deadlock when dummy_hcd is being used.
This is because dummy_queue() callbacks into f_hidg_req_complete() which
tries to acquire the same spinlock. This is (part of) the backtrace when
the deadlock occurs:
0xffffffffc06b1410 in f_hidg_req_complete
0xffffffffc06a590a in usb_gadget_giveback_request
0xffffffffc06cfff2 in dummy_queue
0xffffffffc06a4b96 in usb_ep_queue
0xffffffffc06b1eb6 in f_hidg_write
0xffffffff8127730b in __vfs_write
0xffffffff812774d1 in vfs_write
0xffffffff81277725 in SYSC_write
Fix this by releasing the write_spinlock before calling usb_ep_queue()
Reviewed-by: James Bottomley <James.Bottomley(a)HansenPartnership.com>
Tested-by: James Bottomley <James.Bottomley(a)HansenPartnership.com>
Cc: stable(a)vger.kernel.org
Fixes: 749494b6bdbb ("usb: gadget: f_hid: fix: Move IN request allocation to set_alt()")
Signed-off-by: Radoslav Gerganov <rgerganov(a)vmware.com>
Signed-off-by: Felipe Balbi <felipe.balbi(a)linux.intel.com>
---
drivers/usb/gadget/function/f_hid.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index 5815120..8e83649 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -340,20 +340,20 @@ static ssize_t f_hidg_write(struct file *file, const char __user *buffer,
req->complete = f_hidg_req_complete;
req->context = hidg;
+ spin_unlock_irqrestore(&hidg->write_spinlock, flags);
+
status = usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC);
if (status < 0) {
ERROR(hidg->func.config->cdev,
"usb_ep_queue error on int endpoint %zd\n", status);
- goto release_write_pending_unlocked;
+ goto release_write_pending;
} else {
status = count;
}
- spin_unlock_irqrestore(&hidg->write_spinlock, flags);
return status;
release_write_pending:
spin_lock_irqsave(&hidg->write_spinlock, flags);
-release_write_pending_unlocked:
hidg->write_pending = 0;
spin_unlock_irqrestore(&hidg->write_spinlock, flags);
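Review bot: With `spin_unlock_irqrestore()` moved above `usb_ep_queue(hidg->in_ep, hidg->req, GFP_ATOMIC)`, `hidg->req` and `hidg->in_ep` are now read outside `write_spinlock`, while the context lines just above still set `req->complete` and `req->context` under it. If any other path can replace or free `hidg->req` while holding that lock, take a local copy of the request pointer before unlocking and queue the copy; otherwise add a comment at the unlock saying why the unlocked read is safe. The error path now relies on `release_write_pending` retaking the lock before clearing `write_pending`, which matches the new lock state at the `goto`.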
--
1.9.1
Currently, compat tasks running on arm64 can allocate memory up to
TASK_SIZE_32 (UL(0x100000000)).
This means that mmap() allocations, if we treat them as returning an
array, are not compliant with section 6.5.8 of the C standard
(C99) which states that: "If the expression P points to an element of
an array object and the expression Q points to the last element of the
same array object, the pointer expression Q+1 compares greater than P".
Redefine TASK_SIZE_32 to address the issue.
Cc: Catalin Marinas <catalin.marinas(a)arm.com>
Cc: Will Deacon <will.deacon(a)arm.com>
Cc: Jann Horn <jannh(a)google.com>
Reported-by: Jann Horn <jannh(a)google.com>
Signed-off-by: Vincenzo Frascino <vincenzo.frascino(a)arm.com>
---
arch/arm64/include/asm/processor.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/arch/arm64/include/asm/processor.h b/arch/arm64/include/asm/processor.h
index 5d9ce62bdebd..f8235f7df29b 100644
--- a/arch/arm64/include/asm/processor.h
+++ b/arch/arm64/include/asm/processor.h
@@ -57,7 +57,11 @@
#define TASK_SIZE_64 (UL(1) << vabits_user)
#ifdef CONFIG_COMPAT
+#ifdef CONFIG_ARM64_64K_PAGES
#define TASK_SIZE_32 UL(0x100000000)
+#else
+#define TASK_SIZE_32 (UL(0x100000000) - PAGE_SIZE)
+#endif /* CONFIG_ARM64_64K_PAGES */
#define TASK_SIZE (test_thread_flag(TIF_32BIT) ? \
TASK_SIZE_32 : TASK_SIZE_64)
#define TASK_SIZE_OF(tsk) (test_tsk_thread_flag(tsk, TIF_32BIT) ? \
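Review bot: The `CONFIG_ARM64_64K_PAGES` branch keeps `TASK_SIZE_32` at `UL(0x100000000)` with no comment, and the commit message does not say why the 64K-page configuration is exempt from the one-past-the-end pointer comparison problem it describes. Please add a comment above the `#ifdef CONFIG_ARM64_64K_PAGES` block that explains both values, including why `PAGE_SIZE` is subtracted only in the `#else` case, so the reasoning does not live only in the mail thread.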
--
2.21.0