- Linux-stable-mirror - lists.linaro.org

FAILED: patch "[PATCH] btrfs: Fix delalloc inodes invalidation during transaction" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From fe816d0f1d4c31c4c31d42ca78a87660565fc800 Mon Sep 17 00:00:00 2001 From: Nikolay Borisov <nborisov(a)suse.com> Date: Fri, 27 Apr 2018 12:21:53 +0300 Subject: [PATCH] btrfs: Fix delalloc inodes invalidation during transaction abort When a transaction is aborted btrfs_cleanup_transaction is called to cleanup all the various in-flight bits and pieces which migth be active. One of those is delalloc inodes - inodes which have dirty pages which haven't been persisted yet. Currently the process of freeing such delalloc inodes in exceptional circumstances such as transaction abort boiled down to calling btrfs_invalidate_inodes whose sole job is to invalidate the dentries for all inodes related to a root. This is in fact wrong and insufficient since such delalloc inodes will likely have pending pages or ordered-extents and will be linked to the sb->s_inode_list. This means that unmounting a btrfs instance with an aborted transaction could potentially lead inodes/their pages visible to the system long after their superblock has been freed. This in turn leads to a "use-after-free" situation once page shrink is triggered. This situation could be simulated by running generic/019 which would cause such inodes to be left hanging, followed by generic/176 which causes memory pressure and page eviction which lead to touching the freed super block instance. This situation is additionally detected by the unmount code of VFS with the following message: "VFS: Busy inodes after unmount of Self-destruct in 5 seconds. Have a nice day..." Additionally btrfs hits WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree)); in free_fs_root for the same reason. This patch aims to rectify the sitaution by doing the following: 1. Change btrfs_destroy_delalloc_inodes so that it calls invalidate_inode_pages2 for every inode on the delalloc list, this ensures that all the pages of the inode are released. This function boils down to calling btrfs_releasepage. During test I observed cases where inodes on the delalloc list were having an i_count of 0, so this necessitates using igrab to be sure we are working on a non-freed inode. 2. Since calling btrfs_releasepage might queue delayed iputs move the call out to btrfs_cleanup_transaction in btrfs_error_commit_super before calling run_delayed_iputs for the last time. This is necessary to ensure that delayed iputs are run. Note: this patch is tagged for 4.14 stable but the fix applies to older versions too but needs to be backported manually due to conflicts. CC: stable(a)vger.kernel.org # 4.14.x: 2b8773313494: btrfs: Split btrfs_del_delalloc_inode into 2 functions CC: stable(a)vger.kernel.org # 4.14.x Signed-off-by: Nikolay Borisov <nborisov(a)suse.com> Reviewed-by: David Sterba <dsterba(a)suse.com> [ add comment to igrab ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 60caa68c3618..c3504b4d281b 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -3818,6 +3818,7 @@ void close_ctree(struct btrfs_fs_info *fs_info) set_bit(BTRFS_FS_CLOSING_DONE, &fs_info->flags); btrfs_free_qgroup_config(fs_info); + ASSERT(list_empty(&fs_info->delalloc_roots)); if (percpu_counter_sum(&fs_info->delalloc_bytes)) { btrfs_info(fs_info, "at unmount delalloc count %lld", @@ -4125,15 +4126,15 @@ static int btrfs_check_super_valid(struct btrfs_fs_info *fs_info) static void btrfs_error_commit_super(struct btrfs_fs_info *fs_info) { + /* cleanup FS via transaction */ + btrfs_cleanup_transaction(fs_info); + mutex_lock(&fs_info->cleaner_mutex); btrfs_run_delayed_iputs(fs_info); mutex_unlock(&fs_info->cleaner_mutex); down_write(&fs_info->cleanup_work_sem); up_write(&fs_info->cleanup_work_sem); - - /* cleanup FS via transaction */ - btrfs_cleanup_transaction(fs_info); } static void btrfs_destroy_ordered_extents(struct btrfs_root *root) @@ -4258,19 +4259,23 @@ static void btrfs_destroy_delalloc_inodes(struct btrfs_root *root) list_splice_init(&root->delalloc_inodes, &splice); while (!list_empty(&splice)) { + struct inode *inode = NULL; btrfs_inode = list_first_entry(&splice, struct btrfs_inode, delalloc_inodes); - - list_del_init(&btrfs_inode->delalloc_inodes); - clear_bit(BTRFS_INODE_IN_DELALLOC_LIST, - &btrfs_inode->runtime_flags); + __btrfs_del_delalloc_inode(root, btrfs_inode); spin_unlock(&root->delalloc_lock); - btrfs_invalidate_inodes(btrfs_inode->root); - + /* + * Make sure we get a live inode and that it'll not disappear + * meanwhile. + */ + inode = igrab(&btrfs_inode->vfs_inode); + if (inode) { + invalidate_inode_pages2(inode->i_mapping); + iput(inode); + } spin_lock(&root->delalloc_lock); } - spin_unlock(&root->delalloc_lock); } @@ -4286,7 +4291,6 @@ static void btrfs_destroy_all_delalloc_inodes(struct btrfs_fs_info *fs_info) while (!list_empty(&splice)) { root = list_first_entry(&splice, struct btrfs_root, delalloc_root); - list_del_init(&root->delalloc_root); root = btrfs_grab_fs_root(root); BUG_ON(!root); spin_unlock(&fs_info->delalloc_root_lock);

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: send, fix invalid access to commit roots due to" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 Mon Sep 17 00:00:00 2001 From: Robbie Ko <robbieko(a)synology.com> Date: Mon, 14 May 2018 10:51:34 +0800 Subject: [PATCH] Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send. [REASON] The problem can happen if while we are doing a send one of the snapshots used (parent or send) is snapshotted, because snapshoting implies COWing the root of the source subvolume/snapshot. 1. When doing an incremental send, the send process will get the commit roots from the parent and send snapshots, and add references to them through extent_buffer_get(). 2. When a snapshot/subvolume is snapshotted, its root node is COWed (transaction.c:create_pending_snapshot()). 3. COWing releases the space used by the node immediately, through: __btrfs_cow_block() --btrfs_free_tree_block() ----btrfs_add_free_space(bytenr of node) 4. Because send doesn't hold a transaction open, it's possible that the transaction used to create the snapshot commits, switches the commit root and the old space used by the previous root node gets assigned to some other node allocation. Allocation of a new node will use the existing extent buffer found in memory, which we previously got a reference through extent_buffer_get(), and allow the extent buffer's content (pages) to be modified: btrfs_alloc_tree_block --btrfs_reserve_extent ----find_free_extent (get bytenr of old node) --btrfs_init_new_buffer (use bytenr of old node) ----btrfs_find_create_tree_block ------alloc_extent_buffer --------find_extent_buffer (get old node) 5. So send can access invalid memory content and have unpredictable behaviour. [FIX] So we fix the problem by copying the commit roots of the send and parent snapshots and use those copies. CallTrace looks like this: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1861! invalid opcode: 0000 [#1] SMP CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721 ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000 RIP: 0010:[<ffffffffa08dd0e8>] read_node_slot+0x108/0x110 [btrfs] RSP: 0018:ffff88041b723b68 EFLAGS: 00010246 RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000 RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66 R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890 R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001 FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000) CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880 ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50 ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400 Call Trace: [<ffffffffa08dd9d7>] ? tree_move_down.isra.33+0x27/0x50 [btrfs] [<ffffffffa08dde85>] ? tree_advance+0xb5/0xc0 [btrfs] [<ffffffffa08e83d4>] ? btrfs_compare_trees+0x2d4/0x760 [btrfs] [<ffffffffa0982050>] ? finish_inode_if_needed+0x870/0x870 [btrfs] [<ffffffffa09841ea>] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs] [<ffffffffa094bd3d>] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs] [<ffffffff81111133>] ? handle_pte_fault+0x373/0x990 [<ffffffff8153a096>] ? atomic_notifier_call_chain+0x16/0x20 [<ffffffff81063256>] ? set_task_cpu+0xb6/0x1d0 [<ffffffff811122c3>] ? handle_mm_fault+0x143/0x2a0 [<ffffffff81539cc0>] ? __do_page_fault+0x1d0/0x500 [<ffffffff81062f07>] ? check_preempt_curr+0x57/0x90 [<ffffffff8115075a>] ? do_vfs_ioctl+0x4aa/0x990 [<ffffffff81034f83>] ? do_fork+0x113/0x3b0 [<ffffffff812dd7d7>] ? trace_hardirqs_off_thunk+0x3a/0x6c [<ffffffff81150cc8>] ? SyS_ioctl+0x88/0xa0 [<ffffffff8153e422>] ? system_call_fastpath+0x16/0x1b ---[ end trace 29576629ee80b2e1 ]--- Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function") CC: stable(a)vger.kernel.org # 3.6+ Signed-off-by: Robbie Ko <robbieko(a)synology.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 3fd44835b386..63488f0b850f 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -5414,12 +5414,24 @@ int btrfs_compare_trees(struct btrfs_root *left_root, down_read(&fs_info->commit_root_sem); left_level = btrfs_header_level(left_root->commit_root); left_root_level = left_level; - left_path->nodes[left_level] = left_root->commit_root; + left_path->nodes[left_level] = + btrfs_clone_extent_buffer(left_root->commit_root); + if (!left_path->nodes[left_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(left_path->nodes[left_level]); right_level = btrfs_header_level(right_root->commit_root); right_root_level = right_level; - right_path->nodes[right_level] = right_root->commit_root; + right_path->nodes[right_level] = + btrfs_clone_extent_buffer(right_root->commit_root); + if (!right_path->nodes[right_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(right_path->nodes[right_level]); up_read(&fs_info->commit_root_sem);

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: send, fix invalid access to commit roots due to" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 Mon Sep 17 00:00:00 2001 From: Robbie Ko <robbieko(a)synology.com> Date: Mon, 14 May 2018 10:51:34 +0800 Subject: [PATCH] Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send. [REASON] The problem can happen if while we are doing a send one of the snapshots used (parent or send) is snapshotted, because snapshoting implies COWing the root of the source subvolume/snapshot. 1. When doing an incremental send, the send process will get the commit roots from the parent and send snapshots, and add references to them through extent_buffer_get(). 2. When a snapshot/subvolume is snapshotted, its root node is COWed (transaction.c:create_pending_snapshot()). 3. COWing releases the space used by the node immediately, through: __btrfs_cow_block() --btrfs_free_tree_block() ----btrfs_add_free_space(bytenr of node) 4. Because send doesn't hold a transaction open, it's possible that the transaction used to create the snapshot commits, switches the commit root and the old space used by the previous root node gets assigned to some other node allocation. Allocation of a new node will use the existing extent buffer found in memory, which we previously got a reference through extent_buffer_get(), and allow the extent buffer's content (pages) to be modified: btrfs_alloc_tree_block --btrfs_reserve_extent ----find_free_extent (get bytenr of old node) --btrfs_init_new_buffer (use bytenr of old node) ----btrfs_find_create_tree_block ------alloc_extent_buffer --------find_extent_buffer (get old node) 5. So send can access invalid memory content and have unpredictable behaviour. [FIX] So we fix the problem by copying the commit roots of the send and parent snapshots and use those copies. CallTrace looks like this: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1861! invalid opcode: 0000 [#1] SMP CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721 ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000 RIP: 0010:[<ffffffffa08dd0e8>] read_node_slot+0x108/0x110 [btrfs] RSP: 0018:ffff88041b723b68 EFLAGS: 00010246 RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000 RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66 R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890 R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001 FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000) CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880 ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50 ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400 Call Trace: [<ffffffffa08dd9d7>] ? tree_move_down.isra.33+0x27/0x50 [btrfs] [<ffffffffa08dde85>] ? tree_advance+0xb5/0xc0 [btrfs] [<ffffffffa08e83d4>] ? btrfs_compare_trees+0x2d4/0x760 [btrfs] [<ffffffffa0982050>] ? finish_inode_if_needed+0x870/0x870 [btrfs] [<ffffffffa09841ea>] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs] [<ffffffffa094bd3d>] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs] [<ffffffff81111133>] ? handle_pte_fault+0x373/0x990 [<ffffffff8153a096>] ? atomic_notifier_call_chain+0x16/0x20 [<ffffffff81063256>] ? set_task_cpu+0xb6/0x1d0 [<ffffffff811122c3>] ? handle_mm_fault+0x143/0x2a0 [<ffffffff81539cc0>] ? __do_page_fault+0x1d0/0x500 [<ffffffff81062f07>] ? check_preempt_curr+0x57/0x90 [<ffffffff8115075a>] ? do_vfs_ioctl+0x4aa/0x990 [<ffffffff81034f83>] ? do_fork+0x113/0x3b0 [<ffffffff812dd7d7>] ? trace_hardirqs_off_thunk+0x3a/0x6c [<ffffffff81150cc8>] ? SyS_ioctl+0x88/0xa0 [<ffffffff8153e422>] ? system_call_fastpath+0x16/0x1b ---[ end trace 29576629ee80b2e1 ]--- Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function") CC: stable(a)vger.kernel.org # 3.6+ Signed-off-by: Robbie Ko <robbieko(a)synology.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 3fd44835b386..63488f0b850f 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -5414,12 +5414,24 @@ int btrfs_compare_trees(struct btrfs_root *left_root, down_read(&fs_info->commit_root_sem); left_level = btrfs_header_level(left_root->commit_root); left_root_level = left_level; - left_path->nodes[left_level] = left_root->commit_root; + left_path->nodes[left_level] = + btrfs_clone_extent_buffer(left_root->commit_root); + if (!left_path->nodes[left_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(left_path->nodes[left_level]); right_level = btrfs_header_level(right_root->commit_root); right_root_level = right_level; - right_path->nodes[right_level] = right_root->commit_root; + right_path->nodes[right_level] = + btrfs_clone_extent_buffer(right_root->commit_root); + if (!right_path->nodes[right_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(right_path->nodes[right_level]); up_read(&fs_info->commit_root_sem);

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: send, fix invalid access to commit roots due to" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6f2f0b394b54e2b159ef969a0b5274e9bbf82ff2 Mon Sep 17 00:00:00 2001 From: Robbie Ko <robbieko(a)synology.com> Date: Mon, 14 May 2018 10:51:34 +0800 Subject: [PATCH] Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting [BUG] btrfs incremental send BUG happens when creating a snapshot of snapshot that is being used by send. [REASON] The problem can happen if while we are doing a send one of the snapshots used (parent or send) is snapshotted, because snapshoting implies COWing the root of the source subvolume/snapshot. 1. When doing an incremental send, the send process will get the commit roots from the parent and send snapshots, and add references to them through extent_buffer_get(). 2. When a snapshot/subvolume is snapshotted, its root node is COWed (transaction.c:create_pending_snapshot()). 3. COWing releases the space used by the node immediately, through: __btrfs_cow_block() --btrfs_free_tree_block() ----btrfs_add_free_space(bytenr of node) 4. Because send doesn't hold a transaction open, it's possible that the transaction used to create the snapshot commits, switches the commit root and the old space used by the previous root node gets assigned to some other node allocation. Allocation of a new node will use the existing extent buffer found in memory, which we previously got a reference through extent_buffer_get(), and allow the extent buffer's content (pages) to be modified: btrfs_alloc_tree_block --btrfs_reserve_extent ----find_free_extent (get bytenr of old node) --btrfs_init_new_buffer (use bytenr of old node) ----btrfs_find_create_tree_block ------alloc_extent_buffer --------find_extent_buffer (get old node) 5. So send can access invalid memory content and have unpredictable behaviour. [FIX] So we fix the problem by copying the commit roots of the send and parent snapshots and use those copies. CallTrace looks like this: ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.c:1861! invalid opcode: 0000 [#1] SMP CPU: 6 PID: 24235 Comm: btrfs Tainted: P O 3.10.105 #23721 ffff88046652d680 ti: ffff88041b720000 task.ti: ffff88041b720000 RIP: 0010:[<ffffffffa08dd0e8>] read_node_slot+0x108/0x110 [btrfs] RSP: 0018:ffff88041b723b68 EFLAGS: 00010246 RAX: ffff88043ca6b000 RBX: ffff88041b723c50 RCX: ffff880000000000 RDX: 000000000000004c RSI: ffff880314b133f8 RDI: ffff880458b24000 RBP: 0000000000000000 R08: 0000000000000001 R09: ffff88041b723c66 R10: 0000000000000001 R11: 0000000000001000 R12: ffff8803f3e48890 R13: ffff8803f3e48880 R14: ffff880466351800 R15: 0000000000000001 FS: 00007f8c321dc8c0(0000) GS:ffff88047fcc0000(0000) CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 R2: 00007efd1006d000 CR3: 0000000213a24000 CR4: 00000000003407e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Stack: ffff88041b723c50 ffff8803f3e48880 ffff8803f3e48890 ffff8803f3e48880 ffff880466351800 0000000000000001 ffffffffa08dd9d7 ffff88041b723c50 ffff8803f3e48880 ffff88041b723c66 ffffffffa08dde85 a9ff88042d2c4400 Call Trace: [<ffffffffa08dd9d7>] ? tree_move_down.isra.33+0x27/0x50 [btrfs] [<ffffffffa08dde85>] ? tree_advance+0xb5/0xc0 [btrfs] [<ffffffffa08e83d4>] ? btrfs_compare_trees+0x2d4/0x760 [btrfs] [<ffffffffa0982050>] ? finish_inode_if_needed+0x870/0x870 [btrfs] [<ffffffffa09841ea>] ? btrfs_ioctl_send+0xeda/0x1050 [btrfs] [<ffffffffa094bd3d>] ? btrfs_ioctl+0x1e3d/0x33f0 [btrfs] [<ffffffff81111133>] ? handle_pte_fault+0x373/0x990 [<ffffffff8153a096>] ? atomic_notifier_call_chain+0x16/0x20 [<ffffffff81063256>] ? set_task_cpu+0xb6/0x1d0 [<ffffffff811122c3>] ? handle_mm_fault+0x143/0x2a0 [<ffffffff81539cc0>] ? __do_page_fault+0x1d0/0x500 [<ffffffff81062f07>] ? check_preempt_curr+0x57/0x90 [<ffffffff8115075a>] ? do_vfs_ioctl+0x4aa/0x990 [<ffffffff81034f83>] ? do_fork+0x113/0x3b0 [<ffffffff812dd7d7>] ? trace_hardirqs_off_thunk+0x3a/0x6c [<ffffffff81150cc8>] ? SyS_ioctl+0x88/0xa0 [<ffffffff8153e422>] ? system_call_fastpath+0x16/0x1b ---[ end trace 29576629ee80b2e1 ]--- Fixes: 7069830a9e38 ("Btrfs: add btrfs_compare_trees function") CC: stable(a)vger.kernel.org # 3.6+ Signed-off-by: Robbie Ko <robbieko(a)synology.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 3fd44835b386..63488f0b850f 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -5414,12 +5414,24 @@ int btrfs_compare_trees(struct btrfs_root *left_root, down_read(&fs_info->commit_root_sem); left_level = btrfs_header_level(left_root->commit_root); left_root_level = left_level; - left_path->nodes[left_level] = left_root->commit_root; + left_path->nodes[left_level] = + btrfs_clone_extent_buffer(left_root->commit_root); + if (!left_path->nodes[left_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(left_path->nodes[left_level]); right_level = btrfs_header_level(right_root->commit_root); right_root_level = right_level; - right_path->nodes[right_level] = right_root->commit_root; + right_path->nodes[right_level] = + btrfs_clone_extent_buffer(right_root->commit_root); + if (!right_path->nodes[right_level]) { + up_read(&fs_info->commit_root_sem); + ret = -ENOMEM; + goto out; + } extent_buffer_get(right_path->nodes[right_level]); up_read(&fs_info->commit_root_sem);

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix reading stale metadata blocks after degraded raid1" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 02a3307aa9c20b4f6626255b028f07f6cfa16feb Mon Sep 17 00:00:00 2001 From: Liu Bo <bo.liu(a)linux.alibaba.com> Date: Wed, 16 May 2018 01:37:36 +0800 Subject: [PATCH] btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable(a)vger.kernel.org # 4.4+ Signed-off-by: Liu Bo <bo.liu(a)linux.alibaba.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 63488f0b850f..8c68961925b1 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2436,10 +2436,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, if (p->reada != READA_NONE) reada_for_search(fs_info, p, level, slot, key->objectid); - btrfs_release_path(p); - ret = -EAGAIN; - tmp = read_tree_block(fs_info, blocknr, 0, parent_level - 1, + tmp = read_tree_block(fs_info, blocknr, gen, parent_level - 1, &first_key); if (!IS_ERR(tmp)) { /* @@ -2454,6 +2452,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, } else { ret = PTR_ERR(tmp); } + + btrfs_release_path(p); return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix reading stale metadata blocks after degraded raid1" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 02a3307aa9c20b4f6626255b028f07f6cfa16feb Mon Sep 17 00:00:00 2001 From: Liu Bo <bo.liu(a)linux.alibaba.com> Date: Wed, 16 May 2018 01:37:36 +0800 Subject: [PATCH] btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable(a)vger.kernel.org # 4.4+ Signed-off-by: Liu Bo <bo.liu(a)linux.alibaba.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 63488f0b850f..8c68961925b1 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2436,10 +2436,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, if (p->reada != READA_NONE) reada_for_search(fs_info, p, level, slot, key->objectid); - btrfs_release_path(p); - ret = -EAGAIN; - tmp = read_tree_block(fs_info, blocknr, 0, parent_level - 1, + tmp = read_tree_block(fs_info, blocknr, gen, parent_level - 1, &first_key); if (!IS_ERR(tmp)) { /* @@ -2454,6 +2452,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, } else { ret = PTR_ERR(tmp); } + + btrfs_release_path(p); return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix reading stale metadata blocks after degraded raid1" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 02a3307aa9c20b4f6626255b028f07f6cfa16feb Mon Sep 17 00:00:00 2001 From: Liu Bo <bo.liu(a)linux.alibaba.com> Date: Wed, 16 May 2018 01:37:36 +0800 Subject: [PATCH] btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable(a)vger.kernel.org # 4.4+ Signed-off-by: Liu Bo <bo.liu(a)linux.alibaba.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 63488f0b850f..8c68961925b1 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2436,10 +2436,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, if (p->reada != READA_NONE) reada_for_search(fs_info, p, level, slot, key->objectid); - btrfs_release_path(p); - ret = -EAGAIN; - tmp = read_tree_block(fs_info, blocknr, 0, parent_level - 1, + tmp = read_tree_block(fs_info, blocknr, gen, parent_level - 1, &first_key); if (!IS_ERR(tmp)) { /* @@ -2454,6 +2452,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, } else { ret = PTR_ERR(tmp); } + + btrfs_release_path(p); return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix reading stale metadata blocks after degraded raid1" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 02a3307aa9c20b4f6626255b028f07f6cfa16feb Mon Sep 17 00:00:00 2001 From: Liu Bo <bo.liu(a)linux.alibaba.com> Date: Wed, 16 May 2018 01:37:36 +0800 Subject: [PATCH] btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable(a)vger.kernel.org # 4.4+ Signed-off-by: Liu Bo <bo.liu(a)linux.alibaba.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 63488f0b850f..8c68961925b1 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2436,10 +2436,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, if (p->reada != READA_NONE) reada_for_search(fs_info, p, level, slot, key->objectid); - btrfs_release_path(p); - ret = -EAGAIN; - tmp = read_tree_block(fs_info, blocknr, 0, parent_level - 1, + tmp = read_tree_block(fs_info, blocknr, gen, parent_level - 1, &first_key); if (!IS_ERR(tmp)) { /* @@ -2454,6 +2452,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, } else { ret = PTR_ERR(tmp); } + + btrfs_release_path(p); return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] btrfs: fix reading stale metadata blocks after degraded raid1" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 02a3307aa9c20b4f6626255b028f07f6cfa16feb Mon Sep 17 00:00:00 2001 From: Liu Bo <bo.liu(a)linux.alibaba.com> Date: Wed, 16 May 2018 01:37:36 +0800 Subject: [PATCH] btrfs: fix reading stale metadata blocks after degraded raid1 mounts If a btree block, aka. extent buffer, is not available in the extent buffer cache, it'll be read out from the disk instead, i.e. btrfs_search_slot() read_block_for_search() # hold parent and its lock, go to read child btrfs_release_path() read_tree_block() # read child Unfortunately, the parent lock got released before reading child, so commit 5bdd3536cbbe ("Btrfs: Fix block generation verification race") had used 0 as parent transid to read the child block. It forces read_tree_block() not to check if parent transid is different with the generation id of the child that it reads out from disk. A simple PoC is included in btrfs/124, 0. A two-disk raid1 btrfs, 1. Right after mkfs.btrfs, block A is allocated to be device tree's root. 2. Mount this filesystem and put it in use, after a while, device tree's root got COW but block A hasn't been allocated/overwritten yet. 3. Umount it and reload the btrfs module to remove both disks from the global @fs_devices list. 4. mount -odegraded dev1 and write some data, so now block A is allocated to be a leaf in checksum tree. Note that only dev1 has the latest metadata of this filesystem. 5. Umount it and mount it again normally (with both disks), since raid1 can pick up one disk by the writer task's pid, if btrfs_search_slot() needs to read block A, dev2 which does NOT have the latest metadata might be read for block A, then we got a stale block A. 6. As parent transid is not checked, block A is marked as uptodate and put into the extent buffer cache, so the future search won't bother to read disk again, which means it'll make changes on this stale one and make it dirty and flush it onto disk. To avoid the problem, parent transid needs to be passed to read_tree_block(). In order to get a valid parent transid, we need to hold the parent's lock until finishing reading child. This patch needs to be slightly adapted for stable kernels, the &first_key parameter added to read_tree_block() is from 4.16+ (581c1760415c4). The fix is to replace 0 by 'gen'. Fixes: 5bdd3536cbbe ("Btrfs: Fix block generation verification race") CC: stable(a)vger.kernel.org # 4.4+ Signed-off-by: Liu Bo <bo.liu(a)linux.alibaba.com> Reviewed-by: Filipe Manana <fdmanana(a)suse.com> Reviewed-by: Qu Wenruo <wqu(a)suse.com> [ update changelog ] Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c index 63488f0b850f..8c68961925b1 100644 --- a/fs/btrfs/ctree.c +++ b/fs/btrfs/ctree.c @@ -2436,10 +2436,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, if (p->reada != READA_NONE) reada_for_search(fs_info, p, level, slot, key->objectid); - btrfs_release_path(p); - ret = -EAGAIN; - tmp = read_tree_block(fs_info, blocknr, 0, parent_level - 1, + tmp = read_tree_block(fs_info, blocknr, gen, parent_level - 1, &first_key); if (!IS_ERR(tmp)) { /* @@ -2454,6 +2452,8 @@ read_block_for_search(struct btrfs_root *root, struct btrfs_path *p, } else { ret = PTR_ERR(tmp); } + + btrfs_release_path(p); return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: fix duplicate extents after fsync of file with" failed to apply to 3.18-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 3.18-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 31d11b83b96faaee4bb514d375a09489117c3e8d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 9 May 2018 16:01:46 +0100 Subject: [PATCH] Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index c1509547c762..8f23a94dab77 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4320,6 +4320,110 @@ static int log_one_extent(struct btrfs_trans_handle *trans, return ret; } +/* + * Log all prealloc extents beyond the inode's i_size to make sure we do not + * lose them after doing a fast fsync and replaying the log. We scan the + * subvolume's root instead of iterating the inode's extent map tree because + * otherwise we can log incorrect extent items based on extent map conversion. + * That can happen due to the fact that extent maps are merged when they + * are not in the extent map tree's list of modified extents. + */ +static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *path) +{ + struct btrfs_root *root = inode->root; + struct btrfs_key key; + const u64 i_size = i_size_read(&inode->vfs_inode); + const u64 ino = btrfs_ino(inode); + struct btrfs_path *dst_path = NULL; + u64 last_extent = (u64)-1; + int ins_nr = 0; + int start_slot; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) + return 0; + + key.objectid = ino; + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = i_size; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; + + while (true) { + struct extent_buffer *leaf = path->nodes[0]; + int slot = path->slots[0]; + + if (slot >= btrfs_header_nritems(leaf)) { + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, start_slot, + ins_nr, 1, 0); + if (ret < 0) + goto out; + ins_nr = 0; + } + ret = btrfs_next_leaf(root, path); + if (ret < 0) + goto out; + if (ret > 0) { + ret = 0; + break; + } + continue; + } + + btrfs_item_key_to_cpu(leaf, &key, slot); + if (key.objectid > ino) + break; + if (WARN_ON_ONCE(key.objectid < ino) || + key.type < BTRFS_EXTENT_DATA_KEY || + key.offset < i_size) { + path->slots[0]++; + continue; + } + if (last_extent == (u64)-1) { + last_extent = key.offset; + /* + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ + do { + ret = btrfs_truncate_inode_items(trans, + root->log_root, + &inode->vfs_inode, + i_size, + BTRFS_EXTENT_DATA_KEY); + } while (ret == -EAGAIN); + if (ret) + goto out; + } + if (ins_nr == 0) + start_slot = slot; + ins_nr++; + path->slots[0]++; + if (!dst_path) { + dst_path = btrfs_alloc_path(); + if (!dst_path) { + ret = -ENOMEM; + goto out; + } + } + } + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, + start_slot, ins_nr, 1, 0); + if (ret > 0) + ret = 0; + } +out: + btrfs_release_path(path); + btrfs_free_path(dst_path); + return ret; +} + static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_inode *inode, @@ -4362,6 +4466,11 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, if (em->generation <= test_gen) continue; + /* We log prealloc extents beyond eof later. */ + if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags) && + em->start >= i_size_read(&inode->vfs_inode)) + continue; + if (em->start < logged_start) logged_start = em->start; if ((em->start + em->len - 1) > logged_end) @@ -4374,31 +4483,6 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, num++; } - /* - * Add all prealloc extents beyond the inode's i_size to make sure we - * don't lose them after doing a fast fsync and replaying the log. - */ - if (inode->flags & BTRFS_INODE_PREALLOC) { - struct rb_node *node; - - for (node = rb_last(&tree->map); node; node = rb_prev(node)) { - em = rb_entry(node, struct extent_map, rb_node); - if (em->start < i_size_read(&inode->vfs_inode)) - break; - if (!list_empty(&em->list)) - continue; - /* Same as above loop. */ - if (++num > 32768) { - list_del_init(&tree->modified_extents); - ret = -EFBIG; - goto process; - } - refcount_inc(&em->refs); - set_bit(EXTENT_FLAG_LOGGING, &em->flags); - list_add_tail(&em->list, &extents); - } - } - list_sort(NULL, &extents, extent_cmp); btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); /* @@ -4443,6 +4527,9 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, up_write(&inode->dio_sem); btrfs_release_path(path); + if (!ret) + ret = btrfs_log_prealloc_extents(trans, inode, path); + return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: fix duplicate extents after fsync of file with" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 31d11b83b96faaee4bb514d375a09489117c3e8d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 9 May 2018 16:01:46 +0100 Subject: [PATCH] Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index c1509547c762..8f23a94dab77 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4320,6 +4320,110 @@ static int log_one_extent(struct btrfs_trans_handle *trans, return ret; } +/* + * Log all prealloc extents beyond the inode's i_size to make sure we do not + * lose them after doing a fast fsync and replaying the log. We scan the + * subvolume's root instead of iterating the inode's extent map tree because + * otherwise we can log incorrect extent items based on extent map conversion. + * That can happen due to the fact that extent maps are merged when they + * are not in the extent map tree's list of modified extents. + */ +static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *path) +{ + struct btrfs_root *root = inode->root; + struct btrfs_key key; + const u64 i_size = i_size_read(&inode->vfs_inode); + const u64 ino = btrfs_ino(inode); + struct btrfs_path *dst_path = NULL; + u64 last_extent = (u64)-1; + int ins_nr = 0; + int start_slot; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) + return 0; + + key.objectid = ino; + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = i_size; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; + + while (true) { + struct extent_buffer *leaf = path->nodes[0]; + int slot = path->slots[0]; + + if (slot >= btrfs_header_nritems(leaf)) { + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, start_slot, + ins_nr, 1, 0); + if (ret < 0) + goto out; + ins_nr = 0; + } + ret = btrfs_next_leaf(root, path); + if (ret < 0) + goto out; + if (ret > 0) { + ret = 0; + break; + } + continue; + } + + btrfs_item_key_to_cpu(leaf, &key, slot); + if (key.objectid > ino) + break; + if (WARN_ON_ONCE(key.objectid < ino) || + key.type < BTRFS_EXTENT_DATA_KEY || + key.offset < i_size) { + path->slots[0]++; + continue; + } + if (last_extent == (u64)-1) { + last_extent = key.offset; + /* + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ + do { + ret = btrfs_truncate_inode_items(trans, + root->log_root, + &inode->vfs_inode, + i_size, + BTRFS_EXTENT_DATA_KEY); + } while (ret == -EAGAIN); + if (ret) + goto out; + } + if (ins_nr == 0) + start_slot = slot; + ins_nr++; + path->slots[0]++; + if (!dst_path) { + dst_path = btrfs_alloc_path(); + if (!dst_path) { + ret = -ENOMEM; + goto out; + } + } + } + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, + start_slot, ins_nr, 1, 0); + if (ret > 0) + ret = 0; + } +out: + btrfs_release_path(path); + btrfs_free_path(dst_path); + return ret; +} + static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_inode *inode, @@ -4362,6 +4466,11 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, if (em->generation <= test_gen) continue; + /* We log prealloc extents beyond eof later. */ + if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags) && + em->start >= i_size_read(&inode->vfs_inode)) + continue; + if (em->start < logged_start) logged_start = em->start; if ((em->start + em->len - 1) > logged_end) @@ -4374,31 +4483,6 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, num++; } - /* - * Add all prealloc extents beyond the inode's i_size to make sure we - * don't lose them after doing a fast fsync and replaying the log. - */ - if (inode->flags & BTRFS_INODE_PREALLOC) { - struct rb_node *node; - - for (node = rb_last(&tree->map); node; node = rb_prev(node)) { - em = rb_entry(node, struct extent_map, rb_node); - if (em->start < i_size_read(&inode->vfs_inode)) - break; - if (!list_empty(&em->list)) - continue; - /* Same as above loop. */ - if (++num > 32768) { - list_del_init(&tree->modified_extents); - ret = -EFBIG; - goto process; - } - refcount_inc(&em->refs); - set_bit(EXTENT_FLAG_LOGGING, &em->flags); - list_add_tail(&em->list, &extents); - } - } - list_sort(NULL, &extents, extent_cmp); btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); /* @@ -4443,6 +4527,9 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, up_write(&inode->dio_sem); btrfs_release_path(path); + if (!ret) + ret = btrfs_log_prealloc_extents(trans, inode, path); + return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: fix duplicate extents after fsync of file with" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 31d11b83b96faaee4bb514d375a09489117c3e8d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 9 May 2018 16:01:46 +0100 Subject: [PATCH] Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index c1509547c762..8f23a94dab77 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4320,6 +4320,110 @@ static int log_one_extent(struct btrfs_trans_handle *trans, return ret; } +/* + * Log all prealloc extents beyond the inode's i_size to make sure we do not + * lose them after doing a fast fsync and replaying the log. We scan the + * subvolume's root instead of iterating the inode's extent map tree because + * otherwise we can log incorrect extent items based on extent map conversion. + * That can happen due to the fact that extent maps are merged when they + * are not in the extent map tree's list of modified extents. + */ +static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *path) +{ + struct btrfs_root *root = inode->root; + struct btrfs_key key; + const u64 i_size = i_size_read(&inode->vfs_inode); + const u64 ino = btrfs_ino(inode); + struct btrfs_path *dst_path = NULL; + u64 last_extent = (u64)-1; + int ins_nr = 0; + int start_slot; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) + return 0; + + key.objectid = ino; + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = i_size; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; + + while (true) { + struct extent_buffer *leaf = path->nodes[0]; + int slot = path->slots[0]; + + if (slot >= btrfs_header_nritems(leaf)) { + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, start_slot, + ins_nr, 1, 0); + if (ret < 0) + goto out; + ins_nr = 0; + } + ret = btrfs_next_leaf(root, path); + if (ret < 0) + goto out; + if (ret > 0) { + ret = 0; + break; + } + continue; + } + + btrfs_item_key_to_cpu(leaf, &key, slot); + if (key.objectid > ino) + break; + if (WARN_ON_ONCE(key.objectid < ino) || + key.type < BTRFS_EXTENT_DATA_KEY || + key.offset < i_size) { + path->slots[0]++; + continue; + } + if (last_extent == (u64)-1) { + last_extent = key.offset; + /* + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ + do { + ret = btrfs_truncate_inode_items(trans, + root->log_root, + &inode->vfs_inode, + i_size, + BTRFS_EXTENT_DATA_KEY); + } while (ret == -EAGAIN); + if (ret) + goto out; + } + if (ins_nr == 0) + start_slot = slot; + ins_nr++; + path->slots[0]++; + if (!dst_path) { + dst_path = btrfs_alloc_path(); + if (!dst_path) { + ret = -ENOMEM; + goto out; + } + } + } + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, + start_slot, ins_nr, 1, 0); + if (ret > 0) + ret = 0; + } +out: + btrfs_release_path(path); + btrfs_free_path(dst_path); + return ret; +} + static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_inode *inode, @@ -4362,6 +4466,11 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, if (em->generation <= test_gen) continue; + /* We log prealloc extents beyond eof later. */ + if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags) && + em->start >= i_size_read(&inode->vfs_inode)) + continue; + if (em->start < logged_start) logged_start = em->start; if ((em->start + em->len - 1) > logged_end) @@ -4374,31 +4483,6 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, num++; } - /* - * Add all prealloc extents beyond the inode's i_size to make sure we - * don't lose them after doing a fast fsync and replaying the log. - */ - if (inode->flags & BTRFS_INODE_PREALLOC) { - struct rb_node *node; - - for (node = rb_last(&tree->map); node; node = rb_prev(node)) { - em = rb_entry(node, struct extent_map, rb_node); - if (em->start < i_size_read(&inode->vfs_inode)) - break; - if (!list_empty(&em->list)) - continue; - /* Same as above loop. */ - if (++num > 32768) { - list_del_init(&tree->modified_extents); - ret = -EFBIG; - goto process; - } - refcount_inc(&em->refs); - set_bit(EXTENT_FLAG_LOGGING, &em->flags); - list_add_tail(&em->list, &extents); - } - } - list_sort(NULL, &extents, extent_cmp); btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); /* @@ -4443,6 +4527,9 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, up_write(&inode->dio_sem); btrfs_release_path(path); + if (!ret) + ret = btrfs_log_prealloc_extents(trans, inode, path); + return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: fix duplicate extents after fsync of file with" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 31d11b83b96faaee4bb514d375a09489117c3e8d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 9 May 2018 16:01:46 +0100 Subject: [PATCH] Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index c1509547c762..8f23a94dab77 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4320,6 +4320,110 @@ static int log_one_extent(struct btrfs_trans_handle *trans, return ret; } +/* + * Log all prealloc extents beyond the inode's i_size to make sure we do not + * lose them after doing a fast fsync and replaying the log. We scan the + * subvolume's root instead of iterating the inode's extent map tree because + * otherwise we can log incorrect extent items based on extent map conversion. + * That can happen due to the fact that extent maps are merged when they + * are not in the extent map tree's list of modified extents. + */ +static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *path) +{ + struct btrfs_root *root = inode->root; + struct btrfs_key key; + const u64 i_size = i_size_read(&inode->vfs_inode); + const u64 ino = btrfs_ino(inode); + struct btrfs_path *dst_path = NULL; + u64 last_extent = (u64)-1; + int ins_nr = 0; + int start_slot; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) + return 0; + + key.objectid = ino; + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = i_size; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; + + while (true) { + struct extent_buffer *leaf = path->nodes[0]; + int slot = path->slots[0]; + + if (slot >= btrfs_header_nritems(leaf)) { + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, start_slot, + ins_nr, 1, 0); + if (ret < 0) + goto out; + ins_nr = 0; + } + ret = btrfs_next_leaf(root, path); + if (ret < 0) + goto out; + if (ret > 0) { + ret = 0; + break; + } + continue; + } + + btrfs_item_key_to_cpu(leaf, &key, slot); + if (key.objectid > ino) + break; + if (WARN_ON_ONCE(key.objectid < ino) || + key.type < BTRFS_EXTENT_DATA_KEY || + key.offset < i_size) { + path->slots[0]++; + continue; + } + if (last_extent == (u64)-1) { + last_extent = key.offset; + /* + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ + do { + ret = btrfs_truncate_inode_items(trans, + root->log_root, + &inode->vfs_inode, + i_size, + BTRFS_EXTENT_DATA_KEY); + } while (ret == -EAGAIN); + if (ret) + goto out; + } + if (ins_nr == 0) + start_slot = slot; + ins_nr++; + path->slots[0]++; + if (!dst_path) { + dst_path = btrfs_alloc_path(); + if (!dst_path) { + ret = -ENOMEM; + goto out; + } + } + } + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, + start_slot, ins_nr, 1, 0); + if (ret > 0) + ret = 0; + } +out: + btrfs_release_path(path); + btrfs_free_path(dst_path); + return ret; +} + static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_inode *inode, @@ -4362,6 +4466,11 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, if (em->generation <= test_gen) continue; + /* We log prealloc extents beyond eof later. */ + if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags) && + em->start >= i_size_read(&inode->vfs_inode)) + continue; + if (em->start < logged_start) logged_start = em->start; if ((em->start + em->len - 1) > logged_end) @@ -4374,31 +4483,6 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, num++; } - /* - * Add all prealloc extents beyond the inode's i_size to make sure we - * don't lose them after doing a fast fsync and replaying the log. - */ - if (inode->flags & BTRFS_INODE_PREALLOC) { - struct rb_node *node; - - for (node = rb_last(&tree->map); node; node = rb_prev(node)) { - em = rb_entry(node, struct extent_map, rb_node); - if (em->start < i_size_read(&inode->vfs_inode)) - break; - if (!list_empty(&em->list)) - continue; - /* Same as above loop. */ - if (++num > 32768) { - list_del_init(&tree->modified_extents); - ret = -EFBIG; - goto process; - } - refcount_inc(&em->refs); - set_bit(EXTENT_FLAG_LOGGING, &em->flags); - list_add_tail(&em->list, &extents); - } - } - list_sort(NULL, &extents, extent_cmp); btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); /* @@ -4443,6 +4527,9 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, up_write(&inode->dio_sem); btrfs_release_path(path); + if (!ret) + ret = btrfs_log_prealloc_extents(trans, inode, path); + return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] Btrfs: fix duplicate extents after fsync of file with" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 31d11b83b96faaee4bb514d375a09489117c3e8d Mon Sep 17 00:00:00 2001 From: Filipe Manana <fdmanana(a)suse.com> Date: Wed, 9 May 2018 16:01:46 +0100 Subject: [PATCH] Btrfs: fix duplicate extents after fsync of file with prealloc extents In commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), on fsync, we started to always log all prealloc extents beyond an inode's i_size in order to avoid losing them after a power failure. However under some cases this can lead to the log replay code to create duplicate extent items, with different lengths, in the extent tree. That happens because, as of that commit, we can now log extent items based on extent maps that are not on the "modified" list of extent maps of the inode's extent map tree. Logging extent items based on extent maps is used during the fast fsync path to save time and for this to work reliably it requires that the extent maps are not merged with other adjacent extent maps - having the extent maps in the list of modified extents gives such guarantee. Consider the following example, captured during a long run of fsstress, which illustrates this problem. We have inode 271, in the filesystem tree (root 5), for which all of the following operations and discussion apply to. A buffered write starts at offset 312391 with a length of 933471 bytes (end offset at 1245862). At this point we have, for this inode, the following extent maps with the their field values: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 376832, block_start 1106399232, block_len 376832, orig_block_len 376832 em C, start 417792, orig_start 417792, len 782336, block_start 18446744073709551613, block_len 0, orig_block_len 0 em D, start 1200128, orig_start 1200128, len 835584, block_start 1106776064, block_len 835584, orig_block_len 835584 em E, start 2035712, orig_start 2035712, len 245760, block_start 1107611648, block_len 245760, orig_block_len 245760 Extent map A corresponds to a hole and extent maps D and E correspond to preallocated extents. Extent map D ends where extent map E begins (1106776064 + 835584 = 1107611648), but these extent maps were not merged because they are in the inode's list of modified extent maps. An fsync against this inode is made, which triggers the fast path (BTRFS_INODE_NEEDS_FULL_SYNC is not set). This fsync triggers writeback of the data previously written using buffered IO, and when the respective ordered extent finishes, btrfs_drop_extents() is called against the (aligned) range 311296..1249279. This causes a split of extent map D at btrfs_drop_extent_cache(), replacing extent map D with a new extent map D', also added to the list of modified extents, with the following values: em D', start 1249280, orig_start of 1200128, block_start 1106825216 (= 1106776064 + 1249280 - 1200128), orig_block_len 835584, block_len 786432 (835584 - (1249280 - 1200128)) Then, during the fast fsync, btrfs_log_changed_extents() is called and extent maps D' and E are removed from the list of modified extents. The flag EXTENT_FLAG_LOGGING is also set on them. After the extents are logged clear_em_logging() is called on each of them, and that makes extent map E to be merged with extent map D' (try_merge_map()), resulting in D' being deleted and E adjusted to: em E, start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 A direct IO write at offset 1847296 and length of 360448 bytes (end offset at 2207744) starts, and at that moment the following extent maps exist for our inode: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em E (prealloc), start 1249280, orig_start 1200128, len 1032192, block_start 1106825216, block_len 1032192, orig_block_len 245760 The dio write results in drop_extent_cache() being called twice. The first time for a range that starts at offset 1847296 and ends at offset 2035711 (length of 188416), which results in a double split of extent map E, replacing it with two new extent maps: em F, start 1249280, orig_start 1200128, block_start 1106825216, block_len 598016, orig_block_len 598016 em G, start 2035712, orig_start 1200128, block_start 1107611648, block_len 245760, orig_block_len 1032192 It also creates a new extent map that represents a part of the requested IO (through create_io_em()): em H, start 1847296, len 188416, block_start 1107423232, block_len 188416 The second call to drop_extent_cache() has a range with a start offset of 2035712 and end offset of 2207743 (length of 172032). This leads to replacing extent map G with a new extent map I with the following values: em I, start 2207744, orig_start 1200128, block_start 1107783680, block_len 73728, orig_block_len 1032192 It also creates a new extent map that represents the second part of the requested IO (through create_io_em()): em J, start 2035712, len 172032, block_start 1107611648, block_len 172032 The dio write set the inode's i_size to 2207744 bytes. After the dio write the inode has the following extent maps: em A, start 0, orig_start 0, len 40960, block_start 18446744073709551613, block_len 0, orig_block_len 0 em B, start 40960, orig_start 40960, len 270336, block_start 1106399232, block_len 270336, orig_block_len 376832 em C, start 311296, orig_start 311296, len 937984, block_start 1112842240, block_len 937984, orig_block_len 937984 em F, start 1249280, orig_start 1200128, len 598016, block_start 1106825216, block_len 598016, orig_block_len 598016 em H, start 1847296, orig_start 1200128, len 188416, block_start 1107423232, block_len 188416, orig_block_len 835584 em J, start 2035712, orig_start 2035712, len 172032, block_start 1107611648, block_len 172032, orig_block_len 245760 em I, start 2207744, orig_start 1200128, len 73728, block_start 1107783680, block_len 73728, orig_block_len 1032192 Now do some change to the file, like adding a xattr for example and then fsync it again. This triggers a fast fsync path, and as of commit 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay"), we use the extent map I to log a file extent item because it's a prealloc extent and it starts at an offset matching the inode's i_size. However when we log it, we create a file extent item with a value for the disk byte location that is wrong, as can be seen from the following output of "btrfs inspect-internal dump-tree": item 1 key (271 EXTENT_DATA 2207744) itemoff 3782 itemsize 53 generation 22 type 2 (prealloc) prealloc data disk byte 1106776064 nr 1032192 prealloc data offset 1007616 nr 73728 Here the disk byte value corresponds to calculation based on some fields from the extent map I: 1106776064 = block_start (1107783680) - 1007616 (extent_offset) extent_offset = 2207744 (start) - 1200128 (orig_start) = 1007616 The disk byte value of 1106776064 clashes with disk byte values of the file extent items at offsets 1249280 and 1847296 in the fs tree: item 6 key (271 EXTENT_DATA 1249280) itemoff 3568 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1106776064 nr 835584 prealloc data offset 49152 nr 598016 item 7 key (271 EXTENT_DATA 1847296) itemoff 3515 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1106776064 nr 835584 extent data offset 647168 nr 188416 ram 835584 extent compression 0 (none) item 8 key (271 EXTENT_DATA 2035712) itemoff 3462 itemsize 53 generation 20 type 1 (regular) extent data disk byte 1107611648 nr 245760 extent data offset 0 nr 172032 ram 245760 extent compression 0 (none) item 9 key (271 EXTENT_DATA 2207744) itemoff 3409 itemsize 53 generation 20 type 2 (prealloc) prealloc data disk byte 1107611648 nr 245760 prealloc data offset 172032 nr 73728 Instead of the disk byte value of 1106776064, the value of 1107611648 should have been logged. Also the data offset value should have been 172032 and not 1007616. After a log replay we end up getting two extent items in the extent tree with different lengths, one of 835584, which is correct and existed before the log replay, and another one of 1032192 which is wrong and is based on the logged file extent item: item 12 key (1106776064 EXTENT_ITEM 835584) itemoff 3406 itemsize 53 refs 2 gen 15 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 2 item 13 key (1106776064 EXTENT_ITEM 1032192) itemoff 3353 itemsize 53 refs 1 gen 22 flags DATA extent data backref root 5 objectid 271 offset 1200128 count 1 Obviously this leads to many problems and a filesystem check reports many errors: (...) checking extents Extent back ref already exists for 1106776064 parent 0 root 5 owner 271 offset 1200128 num_refs 1 extent item 1106776064 has multiple extent items ref mismatch on [1106776064 835584] extent item 2, found 3 Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 2 wanted 1 back 0x55b1d0ad7680 Backref 1106776064 root 5 owner 271 offset 1200128 num_refs 0 not found in extent tree Incorrect local backref count on 1106776064 root 5 owner 271 offset 1200128 found 1 wanted 0 back 0x55b1d0ad4e70 Backref bytes do not match extent backref, bytenr=1106776064, ref bytes=835584, backref bytes=1032192 backpointer mismatch on [1106776064 835584] checking free space cache block group 1103101952 has wrong amount of free space failed to load free space cache for block group 1103101952 checking fs roots (...) So fix this by logging the prealloc extents beyond the inode's i_size based on searches in the subvolume tree instead of the extent maps. Fixes: 471d557afed1 ("Btrfs: fix loss of prealloc extents past i_size after fsync log replay") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: Filipe Manana <fdmanana(a)suse.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c index c1509547c762..8f23a94dab77 100644 --- a/fs/btrfs/tree-log.c +++ b/fs/btrfs/tree-log.c @@ -4320,6 +4320,110 @@ static int log_one_extent(struct btrfs_trans_handle *trans, return ret; } +/* + * Log all prealloc extents beyond the inode's i_size to make sure we do not + * lose them after doing a fast fsync and replaying the log. We scan the + * subvolume's root instead of iterating the inode's extent map tree because + * otherwise we can log incorrect extent items based on extent map conversion. + * That can happen due to the fact that extent maps are merged when they + * are not in the extent map tree's list of modified extents. + */ +static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans, + struct btrfs_inode *inode, + struct btrfs_path *path) +{ + struct btrfs_root *root = inode->root; + struct btrfs_key key; + const u64 i_size = i_size_read(&inode->vfs_inode); + const u64 ino = btrfs_ino(inode); + struct btrfs_path *dst_path = NULL; + u64 last_extent = (u64)-1; + int ins_nr = 0; + int start_slot; + int ret; + + if (!(inode->flags & BTRFS_INODE_PREALLOC)) + return 0; + + key.objectid = ino; + key.type = BTRFS_EXTENT_DATA_KEY; + key.offset = i_size; + ret = btrfs_search_slot(NULL, root, &key, path, 0, 0); + if (ret < 0) + goto out; + + while (true) { + struct extent_buffer *leaf = path->nodes[0]; + int slot = path->slots[0]; + + if (slot >= btrfs_header_nritems(leaf)) { + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, + &last_extent, start_slot, + ins_nr, 1, 0); + if (ret < 0) + goto out; + ins_nr = 0; + } + ret = btrfs_next_leaf(root, path); + if (ret < 0) + goto out; + if (ret > 0) { + ret = 0; + break; + } + continue; + } + + btrfs_item_key_to_cpu(leaf, &key, slot); + if (key.objectid > ino) + break; + if (WARN_ON_ONCE(key.objectid < ino) || + key.type < BTRFS_EXTENT_DATA_KEY || + key.offset < i_size) { + path->slots[0]++; + continue; + } + if (last_extent == (u64)-1) { + last_extent = key.offset; + /* + * Avoid logging extent items logged in past fsync calls + * and leading to duplicate keys in the log tree. + */ + do { + ret = btrfs_truncate_inode_items(trans, + root->log_root, + &inode->vfs_inode, + i_size, + BTRFS_EXTENT_DATA_KEY); + } while (ret == -EAGAIN); + if (ret) + goto out; + } + if (ins_nr == 0) + start_slot = slot; + ins_nr++; + path->slots[0]++; + if (!dst_path) { + dst_path = btrfs_alloc_path(); + if (!dst_path) { + ret = -ENOMEM; + goto out; + } + } + } + if (ins_nr > 0) { + ret = copy_items(trans, inode, dst_path, path, &last_extent, + start_slot, ins_nr, 1, 0); + if (ret > 0) + ret = 0; + } +out: + btrfs_release_path(path); + btrfs_free_path(dst_path); + return ret; +} + static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, struct btrfs_root *root, struct btrfs_inode *inode, @@ -4362,6 +4466,11 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, if (em->generation <= test_gen) continue; + /* We log prealloc extents beyond eof later. */ + if (test_bit(EXTENT_FLAG_PREALLOC, &em->flags) && + em->start >= i_size_read(&inode->vfs_inode)) + continue; + if (em->start < logged_start) logged_start = em->start; if ((em->start + em->len - 1) > logged_end) @@ -4374,31 +4483,6 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, num++; } - /* - * Add all prealloc extents beyond the inode's i_size to make sure we - * don't lose them after doing a fast fsync and replaying the log. - */ - if (inode->flags & BTRFS_INODE_PREALLOC) { - struct rb_node *node; - - for (node = rb_last(&tree->map); node; node = rb_prev(node)) { - em = rb_entry(node, struct extent_map, rb_node); - if (em->start < i_size_read(&inode->vfs_inode)) - break; - if (!list_empty(&em->list)) - continue; - /* Same as above loop. */ - if (++num > 32768) { - list_del_init(&tree->modified_extents); - ret = -EFBIG; - goto process; - } - refcount_inc(&em->refs); - set_bit(EXTENT_FLAG_LOGGING, &em->flags); - list_add_tail(&em->list, &extents); - } - } - list_sort(NULL, &extents, extent_cmp); btrfs_get_logged_extents(inode, logged_list, logged_start, logged_end); /* @@ -4443,6 +4527,9 @@ static int btrfs_log_changed_extents(struct btrfs_trans_handle *trans, up_write(&inode->dio_sem); btrfs_release_path(path); + if (!ret) + ret = btrfs_log_prealloc_extents(trans, inode, path); + return ret; }

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/kernel: use expoline for indirect branches" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:41:30 +0200 Subject: [PATCH] s390/kernel: use expoline for indirect branches The assember code in arch/s390/kernel uses a few more indirect branches which need to be done with execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S index f6c56009e822..b65874b0b412 100644 --- a/arch/s390/kernel/base.S +++ b/arch/s390/kernel/base.S @@ -9,18 +9,22 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + ENTRY(s390_base_mcck_handler) basr %r13,0 0: lg %r15,__LC_PANIC_STACK # load panic stack aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_mcck_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: la %r1,4095 lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) lpswe __LC_MCK_OLD_PSW @@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_ext_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit lpswe __LC_EXT_OLD_PSW @@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_pgm_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 lmg %r0,%r15,__LC_SAVE_AREA_SYNC lpswe __LC_PGM_OLD_PSW 1: lpswe disabled_wait_psw-0b(%r13) @@ -117,7 +121,7 @@ ENTRY(diag308_reset) larl %r4,.Lcontinue_psw # Restore PSW flags lpswe 0(%r4) .Lcontinue: - br %r14 + BR_EX %r14 .align 16 .Lrestart_psw: .long 0x00080000,0x80000000 + .Lrestart_part2 diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S index 73cc3750f0d3..7f14adf512c6 100644 --- a/arch/s390/kernel/reipl.S +++ b/arch/s390/kernel/reipl.S @@ -7,8 +7,11 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + # # Issue "store status" for the current CPU to its prefix page # and call passed function afterwards @@ -67,9 +70,9 @@ ENTRY(store_status) st %r4,0(%r1) st %r5,4(%r1) stg %r2,8(%r1) - lgr %r1,%r2 + lgr %r9,%r2 lgr %r2,%r3 - br %r1 + BR_EX %r9 .section .bss .align 8 diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S index e99187149f17..a049a7b9d6e8 100644 --- a/arch/s390/kernel/swsusp.S +++ b/arch/s390/kernel/swsusp.S @@ -13,6 +13,7 @@ #include <asm/ptrace.h> #include <asm/thread_info.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> /* @@ -24,6 +25,8 @@ * (see below) in the resume process. * This function runs with disabled interrupts. */ + GEN_BR_THUNK %r14 + .section .text ENTRY(swsusp_arch_suspend) stmg %r6,%r15,__SF_GPRS(%r15) @@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend) spx 0x318(%r1) lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 /* * Restore saved memory image to correct place and restore register context. @@ -197,11 +200,10 @@ pgm_check_entry: larl %r15,init_thread_union ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER) larl %r2,.Lpanic_string - larl %r3,sclp_early_printk lghi %r1,0 sam31 sigp %r1,%r0,SIGP_SET_ARCHITECTURE - basr %r14,%r3 + brasl %r14,sclp_early_printk larl %r3,.Ldisabled_wait_31 lpsw 0(%r3) 4: @@ -267,7 +269,7 @@ restore_registers: /* Return 0 */ lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 .section .data..nosave,"aw",@progbits .align 8

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/kernel: use expoline for indirect branches" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:41:30 +0200 Subject: [PATCH] s390/kernel: use expoline for indirect branches The assember code in arch/s390/kernel uses a few more indirect branches which need to be done with execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S index f6c56009e822..b65874b0b412 100644 --- a/arch/s390/kernel/base.S +++ b/arch/s390/kernel/base.S @@ -9,18 +9,22 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + ENTRY(s390_base_mcck_handler) basr %r13,0 0: lg %r15,__LC_PANIC_STACK # load panic stack aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_mcck_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: la %r1,4095 lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) lpswe __LC_MCK_OLD_PSW @@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_ext_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit lpswe __LC_EXT_OLD_PSW @@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_pgm_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 lmg %r0,%r15,__LC_SAVE_AREA_SYNC lpswe __LC_PGM_OLD_PSW 1: lpswe disabled_wait_psw-0b(%r13) @@ -117,7 +121,7 @@ ENTRY(diag308_reset) larl %r4,.Lcontinue_psw # Restore PSW flags lpswe 0(%r4) .Lcontinue: - br %r14 + BR_EX %r14 .align 16 .Lrestart_psw: .long 0x00080000,0x80000000 + .Lrestart_part2 diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S index 73cc3750f0d3..7f14adf512c6 100644 --- a/arch/s390/kernel/reipl.S +++ b/arch/s390/kernel/reipl.S @@ -7,8 +7,11 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + # # Issue "store status" for the current CPU to its prefix page # and call passed function afterwards @@ -67,9 +70,9 @@ ENTRY(store_status) st %r4,0(%r1) st %r5,4(%r1) stg %r2,8(%r1) - lgr %r1,%r2 + lgr %r9,%r2 lgr %r2,%r3 - br %r1 + BR_EX %r9 .section .bss .align 8 diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S index e99187149f17..a049a7b9d6e8 100644 --- a/arch/s390/kernel/swsusp.S +++ b/arch/s390/kernel/swsusp.S @@ -13,6 +13,7 @@ #include <asm/ptrace.h> #include <asm/thread_info.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> /* @@ -24,6 +25,8 @@ * (see below) in the resume process. * This function runs with disabled interrupts. */ + GEN_BR_THUNK %r14 + .section .text ENTRY(swsusp_arch_suspend) stmg %r6,%r15,__SF_GPRS(%r15) @@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend) spx 0x318(%r1) lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 /* * Restore saved memory image to correct place and restore register context. @@ -197,11 +200,10 @@ pgm_check_entry: larl %r15,init_thread_union ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER) larl %r2,.Lpanic_string - larl %r3,sclp_early_printk lghi %r1,0 sam31 sigp %r1,%r0,SIGP_SET_ARCHITECTURE - basr %r14,%r3 + brasl %r14,sclp_early_printk larl %r3,.Ldisabled_wait_31 lpsw 0(%r3) 4: @@ -267,7 +269,7 @@ restore_registers: /* Return 0 */ lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 .section .data..nosave,"aw",@progbits .align 8

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/crc32-vx: use expoline for indirect branches" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/crc32-vx: use expoline for indirect branches The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the crc32_be_vgfm_16 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/crypto/crc32be-vx.S b/arch/s390/crypto/crc32be-vx.S index e8077f0971f8..2bf01ba44107 100644 --- a/arch/s390/crypto/crc32be-vx.S +++ b/arch/s390/crypto/crc32be-vx.S @@ -13,6 +13,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -67,6 +68,8 @@ .previous + GEN_BR_THUNK %r14 + .text /* * The CRC-32 function(s) use these calling conventions: @@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16) .Ldone: VLGVF %r2,%v2,3 - br %r14 + BR_EX %r14 .previous diff --git a/arch/s390/crypto/crc32le-vx.S b/arch/s390/crypto/crc32le-vx.S index d8c67a58c0c5..7d6f568bd3ad 100644 --- a/arch/s390/crypto/crc32le-vx.S +++ b/arch/s390/crypto/crc32le-vx.S @@ -14,6 +14,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -76,6 +77,7 @@ .previous + GEN_BR_THUNK %r14 .text @@ -264,6 +266,6 @@ crc32_le_vgfm_generic: .Ldone: VLGVF %r2,%v2,2 - br %r14 + BR_EX %r14 .previous

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/crc32-vx: use expoline for indirect branches" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/crc32-vx: use expoline for indirect branches The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the crc32_be_vgfm_16 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/crypto/crc32be-vx.S b/arch/s390/crypto/crc32be-vx.S index e8077f0971f8..2bf01ba44107 100644 --- a/arch/s390/crypto/crc32be-vx.S +++ b/arch/s390/crypto/crc32be-vx.S @@ -13,6 +13,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -67,6 +68,8 @@ .previous + GEN_BR_THUNK %r14 + .text /* * The CRC-32 function(s) use these calling conventions: @@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16) .Ldone: VLGVF %r2,%v2,3 - br %r14 + BR_EX %r14 .previous diff --git a/arch/s390/crypto/crc32le-vx.S b/arch/s390/crypto/crc32le-vx.S index d8c67a58c0c5..7d6f568bd3ad 100644 --- a/arch/s390/crypto/crc32le-vx.S +++ b/arch/s390/crypto/crc32le-vx.S @@ -14,6 +14,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -76,6 +77,7 @@ .previous + GEN_BR_THUNK %r14 .text @@ -264,6 +266,6 @@ crc32_le_vgfm_generic: .Ldone: VLGVF %r2,%v2,2 - br %r14 + BR_EX %r14 .previous

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/crc32-vx: use expoline for indirect branches" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/crc32-vx: use expoline for indirect branches The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the crc32_be_vgfm_16 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/crypto/crc32be-vx.S b/arch/s390/crypto/crc32be-vx.S index e8077f0971f8..2bf01ba44107 100644 --- a/arch/s390/crypto/crc32be-vx.S +++ b/arch/s390/crypto/crc32be-vx.S @@ -13,6 +13,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -67,6 +68,8 @@ .previous + GEN_BR_THUNK %r14 + .text /* * The CRC-32 function(s) use these calling conventions: @@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16) .Ldone: VLGVF %r2,%v2,3 - br %r14 + BR_EX %r14 .previous diff --git a/arch/s390/crypto/crc32le-vx.S b/arch/s390/crypto/crc32le-vx.S index d8c67a58c0c5..7d6f568bd3ad 100644 --- a/arch/s390/crypto/crc32le-vx.S +++ b/arch/s390/crypto/crc32le-vx.S @@ -14,6 +14,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -76,6 +77,7 @@ .previous + GEN_BR_THUNK %r14 .text @@ -264,6 +266,6 @@ crc32_le_vgfm_generic: .Ldone: VLGVF %r2,%v2,2 - br %r14 + BR_EX %r14 .previous

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/lib: use expoline for indirect branches" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/lib: use expoline for indirect branches The return from the memmove, memset, memcpy, __memset16, __memset32 and __memset64 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S index 495c9c4bacc7..2311f15be9cf 100644 --- a/arch/s390/lib/mem.S +++ b/arch/s390/lib/mem.S @@ -7,6 +7,9 @@ #include <linux/linkage.h> #include <asm/export.h> +#include <asm/nospec-insn.h> + + GEN_BR_THUNK %r14 /* * void *memmove(void *dest, const void *src, size_t n) @@ -33,14 +36,14 @@ ENTRY(memmove) .Lmemmove_forward_remainder: larl %r5,.Lmemmove_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemmove_reverse: ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) brctg %r4,.Lmemmove_reverse ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) - br %r14 + BR_EX %r14 .Lmemmove_mvc: mvc 0(1,%r1),0(%r3) EXPORT_SYMBOL(memmove) @@ -77,7 +80,7 @@ ENTRY(memset) .Lmemset_clear_remainder: larl %r3,.Lmemset_xc ex %r4,0(%r3) - br %r14 + BR_EX %r14 .Lmemset_fill: cghi %r4,1 lgr %r1,%r2 @@ -95,10 +98,10 @@ ENTRY(memset) stc %r3,0(%r1) larl %r5,.Lmemset_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemset_fill_exit: stc %r3,0(%r1) - br %r14 + BR_EX %r14 .Lmemset_xc: xc 0(1,%r1),0(%r1) .Lmemset_mvc: @@ -121,7 +124,7 @@ ENTRY(memcpy) .Lmemcpy_remainder: larl %r5,.Lmemcpy_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemcpy_loop: mvc 0(256,%r1),0(%r3) la %r1,256(%r1) @@ -159,10 +162,10 @@ ENTRY(__memset\bits) \insn %r3,0(%r1) larl %r5,.L__memset_mvc\bits ex %r4,0(%r5) - br %r14 + BR_EX %r14 .L__memset_exit\bits: \insn %r3,0(%r2) - br %r14 + BR_EX %r14 .L__memset_mvc\bits: mvc \bytes(1,%r1),0(%r1) .endm

7 years, 3 months

1
0
0 0

Linux 4.16.10

by Greg KH

I'm announcing the release of the 4.16.10 kernel. All users of the 4.16 kernel series must upgrade. The updated 4.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.16.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/infiniband/hw/mlx5/main.c | 2 drivers/net/bonding/bond_alb.c | 15 + drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/bcmsysport.c | 16 +- drivers/net/ethernet/broadcom/tg3.c | 9 - drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 8 - drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 8 - drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 20 +- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 + drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 23 +- drivers/net/ethernet/mellanox/mlxsw/core.c | 4 drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 12 - drivers/net/ethernet/netronome/nfp/flower/action.c | 10 + drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 5 drivers/net/ethernet/realtek/8139too.c | 2 drivers/net/ethernet/realtek/r8169.c | 3 drivers/net/ethernet/sun/niu.c | 5 drivers/net/ethernet/ti/cpsw.c | 2 drivers/net/hyperv/netvsc_drv.c | 3 drivers/net/hyperv/rndis_filter.c | 2 drivers/net/phy/sfp-bus.c | 2 drivers/net/usb/qmi_wwan.c | 12 + drivers/scsi/aacraid/commsup.c | 8 - fs/proc/base.c | 8 - include/linux/mlx5/driver.h | 12 - include/linux/mm.h | 1 include/net/bonding.h | 1 include/net/tls.h | 1 mm/gup.c | 3 net/bridge/br_if.c | 4 net/compat.c | 6 net/dccp/ccids/ccid2.c | 14 + net/dccp/timer.c | 2 net/ipv4/ping.c | 7 net/ipv4/route.c | 119 ++++++--------- net/ipv4/tcp.c | 5 net/ipv4/tcp_bbr.c | 4 net/ipv4/udp.c | 11 - net/ipv6/route.c | 7 net/ipv6/udp.c | 4 net/llc/af_llc.c | 3 net/nsh/nsh.c | 4 net/openvswitch/flow_netlink.c | 9 - net/rds/recv.c | 1 net/sched/act_skbmod.c | 5 net/sched/cls_api.c | 2 net/sched/sch_fq.c | 37 +++- net/sctp/associola.c | 30 +++ net/sctp/inqueue.c | 2 net/sctp/ipv6.c | 3 net/sctp/sm_statefuns.c | 88 +++++------ net/sctp/stream.c | 2 net/sctp/ulpevent.c | 1 net/smc/af_smc.c | 18 +- net/tipc/socket.c | 3 net/tls/tls_main.c | 8 + 60 files changed, 397 insertions(+), 244 deletions(-) Adi Nissim (1): net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Andre Tomt (1): net/tls: Fix connection stall on partial tls record Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Antoine Tenart (1): net: phy: sfp: fix the BR,min computation Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers Christophe JAILLET (2): net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' Dave Carroll (1): scsi: aacraid: Correct hba_send to include iu_type Dave Watson (1): net/tls: Don't recursively call push_record during tls_write_space callbacks Debabrata Banerjee (2): bonding: do not allow rlb updates to invalid mac bonding: send learning packets for vlans on slave Eric Dumazet (8): dccp: fix tasklet usage llc: better deal with too small mtu net_sched: fq: take care of throttled flows before reuse rds: do not leak kernel memory to user land ipv6: fix uninit-value in ip6_multipath_l3_keys() nsh: fix infinite loop tcp: restore autocorking tipc: fix one byte leak in tipc_sk_set_orig_addr() Florian Fainelli (1): net: systemport: Correclty disambiguate driver instances Greg Kroah-Hartman (1): Linux 4.16.10 Grygorii Strashko (1): net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Hangbin Liu (2): bridge: check iface upper dev when setting master via ioctl ipv4: reset fnhe_mtu_locked after cache route flushed Heiner Kallweit (1): r8169: fix powering up RTL8168h Huy Nguyen (1): net/mlx5e: DCBNL fix min inline header size for dscp Ido Schimmel (1): mlxsw: spectrum_switchdev: Do not remove mrouter port from MDB's ports list Ingo Molnar (1): 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() Israel Rukshin (1): net/mlx5: Fix mlx5_get_vector_affinity function Jianbo Liu (1): net/mlx5e: Allow offloading ipv4 header re-write for icmp Jiri Pirko (1): net: sched: fix error path in tcf_proto_create() when modules are not configured John Hurley (1): nfp: flower: set tunnel ttl value to net default Julian Anastasov (1): ipv4: fix fnhe usage by non-cached routes Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt Michael Chan (1): tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Mohammed Gamal (1): hv_netvsc: Fix net device attach on older Windows hosts Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range Neal Cardwell (1): tcp_bbr: fix to zero idle_restart only upon S/ACKed data Paolo Abeni (1): udp: fix SO_BINDTODEVICE Rob Taglang (1): net: ethernet: sun: niu set correct packet size in skb Roi Dayan (1): net/mlx5e: Err if asked to offload TC match on frag being first Roman Mashak (1): net sched actions: fix refcnt leak in skbmod Stefano Brivio (1): openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Stephen Hemminger (1): hv_netvsc: set master device Talat Batheesh (1): net/mlx5: Avoid cleaning flow steering table twice during error flow Tariq Toukan (1): net/mlx5e: TX, Use correct counter in dma_map error flow Ursula Braun (2): net/smc: restrict non-blocking connect finish net/smc: keep clcsock reference in smc_tcp_listen_work() Willy Tarreau (1): proc: do not access cmdline nor environ from file-backed areas Xin Long (6): sctp: delay the authentication for the duplicated cookie-echo chunk sctp: fix the issue that the cookie-ack with auth can't get processed sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg sctp: use the old asoc when making the cookie-ack chunk in dupcook_d sctp: clear the new asoc's stream outcnt in sctp_stream_update Yuchung Cheng (1): tcp: ignore Fast Open on repair mode

7 years, 3 months

1
1
0 0

Linux 4.14.42

by Greg KH

I'm announcing the release of the 4.14.42 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 drivers/net/bonding/bond_alb.c | 15 +- drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/tg3.c | 9 - drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 8 - drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 - drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 + drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 20 +-- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 23 ++-- drivers/net/ethernet/realtek/8139too.c | 2 drivers/net/ethernet/realtek/r8169.c | 3 drivers/net/ethernet/sun/niu.c | 5 drivers/net/ethernet/ti/cpsw.c | 2 drivers/net/hyperv/netvsc_drv.c | 3 drivers/net/usb/qmi_wwan.c | 12 ++ drivers/scsi/aacraid/commsup.c | 8 - fs/btrfs/extent-tree.c | 7 + fs/proc/base.c | 8 - include/linux/mm.h | 1 include/net/bonding.h | 1 include/net/tls.h | 1 mm/gup.c | 3 net/bridge/br_if.c | 4 net/compat.c | 6 - net/dccp/ccids/ccid2.c | 14 ++ net/dccp/timer.c | 2 net/ipv4/ping.c | 7 - net/ipv4/route.c | 118 +++++++++------------- net/ipv4/tcp.c | 3 net/ipv4/tcp_bbr.c | 4 net/ipv4/udp.c | 11 +- net/ipv6/route.c | 7 + net/ipv6/udp.c | 4 net/l2tp/l2tp_netlink.c | 2 net/llc/af_llc.c | 3 net/nsh/nsh.c | 2 net/openvswitch/flow_netlink.c | 9 - net/rds/recv.c | 1 net/sched/act_skbmod.c | 5 net/sched/cls_api.c | 2 net/sched/sch_fq.c | 37 ++++-- net/sctp/associola.c | 30 +++++ net/sctp/inqueue.c | 2 net/sctp/ipv6.c | 3 net/sctp/sm_statefuns.c | 88 ++++++++-------- net/sctp/ulpevent.c | 1 net/tls/tls_main.c | 8 + net/xfrm/xfrm_input.c | 2 net/xfrm/xfrm_state.c | 1 51 files changed, 348 insertions(+), 204 deletions(-) Adi Nissim (1): net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Andre Tomt (1): net/tls: Fix connection stall on partial tls record Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Antony Antony (1): xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers Christophe JAILLET (1): net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' Dave Carroll (1): scsi: aacraid: Correct hba_send to include iu_type Dave Watson (1): net/tls: Don't recursively call push_record during tls_write_space callbacks Debabrata Banerjee (2): bonding: do not allow rlb updates to invalid mac bonding: send learning packets for vlans on slave Eric Dumazet (6): dccp: fix tasklet usage llc: better deal with too small mtu net_sched: fq: take care of throttled flows before reuse rds: do not leak kernel memory to user land ipv6: fix uninit-value in ip6_multipath_l3_keys() nsh: fix infinite loop Greg Kroah-Hartman (1): Linux 4.14.42 Grygorii Strashko (1): net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Hangbin Liu (1): bridge: check iface upper dev when setting master via ioctl Heiner Kallweit (1): r8169: fix powering up RTL8168h Herbert Xu (1): xfrm: Use __skb_queue_tail in xfrm_trans_queue Ingo Molnar (1): 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() James Chapman (1): l2tp: revert "l2tp: fix missing print session offset info" Jianbo Liu (1): net/mlx5e: Allow offloading ipv4 header re-write for icmp Jiri Pirko (1): net: sched: fix error path in tcf_proto_create() when modules are not configured Julian Anastasov (1): ipv4: fix fnhe usage by non-cached routes Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt Michael Chan (1): tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range Neal Cardwell (1): tcp_bbr: fix to zero idle_restart only upon S/ACKed data Paolo Abeni (1): udp: fix SO_BINDTODEVICE Rob Taglang (1): net: ethernet: sun: niu set correct packet size in skb Roi Dayan (1): net/mlx5e: Err if asked to offload TC match on frag being first Roman Mashak (1): net sched actions: fix refcnt leak in skbmod Stefano Brivio (1): openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Stephen Hemminger (1): hv_netvsc: set master device Talat Batheesh (1): net/mlx5: Avoid cleaning flow steering table twice during error flow Tariq Toukan (1): net/mlx5e: TX, Use correct counter in dma_map error flow Willy Tarreau (1): proc: do not access cmdline nor environ from file-backed areas Xin Long (5): sctp: delay the authentication for the duplicated cookie-echo chunk sctp: fix the issue that the cookie-ack with auth can't get processed sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Yuchung Cheng (1): tcp: ignore Fast Open on repair mode ethanwu (1): btrfs: Take trans lock before access running trans in check_delayed_ref

7 years, 3 months

1
1
0 0

Linux 4.9.101

by Greg KH

I'm announcing the release of the 4.9.101 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/alpha/include/asm/futex.h | 26 +---- arch/arc/include/asm/futex.h | 40 +------- arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 arch/arm/include/asm/futex.h | 26 ----- arch/arm64/include/asm/futex.h | 27 ------ arch/frv/include/asm/futex.h | 3 arch/frv/kernel/futex.c | 27 ------ arch/hexagon/include/asm/futex.h | 38 -------- arch/ia64/include/asm/futex.h | 25 ----- arch/microblaze/include/asm/futex.h | 38 -------- arch/mips/include/asm/futex.h | 25 ----- arch/parisc/include/asm/futex.h | 26 ----- arch/powerpc/include/asm/futex.h | 26 +---- arch/s390/include/asm/futex.h | 23 +---- arch/sh/include/asm/futex.h | 26 ----- arch/sparc/include/asm/futex_64.h | 26 +---- arch/tile/include/asm/futex.h | 40 +------- arch/x86/include/asm/futex.h | 40 +------- arch/xtensa/include/asm/futex.h | 27 +----- drivers/net/bonding/bond_alb.c | 15 ++- drivers/net/bonding/bond_main.c | 2 drivers/net/ethernet/broadcom/tg3.c | 9 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 +++ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 + drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 ++ drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 21 ++-- drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 4 drivers/net/ethernet/realtek/8139too.c | 2 drivers/net/ethernet/realtek/r8169.c | 3 drivers/net/ethernet/sun/niu.c | 5 - drivers/net/ethernet/ti/cpsw.c | 2 drivers/net/usb/qmi_wwan.c | 12 ++ drivers/tty/serial/sccnxp.c | 13 ++ fs/lockd/svc.c | 2 fs/proc/base.c | 10 +- include/asm-generic/futex.h | 50 ++--------- include/linux/mm.h | 1 include/net/bonding.h | 1 kernel/exit.c | 4 kernel/futex.c | 39 ++++++++ mm/gup.c | 3 net/bridge/br_if.c | 4 net/compat.c | 6 - net/dccp/ccids/ccid2.c | 14 ++- net/dccp/timer.c | 2 net/ipv4/ping.c | 7 + net/ipv4/tcp.c | 2 net/ipv4/tcp_bbr.c | 4 net/ipv4/udp.c | 7 + net/l2tp/l2tp_netlink.c | 2 net/llc/af_llc.c | 3 net/openvswitch/flow_netlink.c | 9 -- net/sched/sch_fq.c | 37 +++++--- net/sctp/associola.c | 30 ++++++ net/sctp/inqueue.c | 2 net/sctp/ipv6.c | 3 net/sctp/sm_statefuns.c | 89 +++++++++++--------- net/sctp/ulpevent.c | 1 net/xfrm/xfrm_state.c | 1 60 files changed, 383 insertions(+), 584 deletions(-) Adi Nissim (1): net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Alexey Khoroshilov (1): serial: sccnxp: Fix error handling in sccnxp_probe() Andrey Ignatov (1): ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Antony Antony (1): xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Bjørn Mork (1): qmi_wwan: do not steal interfaces from class drivers Debabrata Banerjee (2): bonding: do not allow rlb updates to invalid mac bonding: send learning packets for vlans on slave Eric Dumazet (3): dccp: fix tasklet usage llc: better deal with too small mtu net_sched: fq: take care of throttled flows before reuse Greg Kroah-Hartman (2): Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Linux 4.9.101 Grygorii Strashko (1): net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Hangbin Liu (1): bridge: check iface upper dev when setting master via ioctl Heiner Kallweit (1): r8169: fix powering up RTL8168h Ingo Molnar (1): 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() Jakub Kicinski (1): nfp: TX time stamp packets before HW doorbell is rung James Chapman (1): l2tp: revert "l2tp: fix missing print session offset info" Jiri Slaby (2): futex: Remove duplicated code and fix undefined behaviour futex: futex_wake_op, fix sign_extend32 sign bits Lance Richardson (1): net: support compat 64-bit time in {s,g}etsockopt Michael Chan (1): tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Moshe Shemesh (1): net/mlx4_en: Verify coalescing parameters are in range Neal Cardwell (1): tcp_bbr: fix to zero idle_restart only upon S/ACKed data Rob Taglang (1): net: ethernet: sun: niu set correct packet size in skb Stefano Brivio (1): openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Talat Batheesh (1): net/mlx5: Avoid cleaning flow steering table twice during error flow Vasily Averin (1): lockd: lost rollback of set_grace_period() in lockd_down_net() Willy Tarreau (1): proc: do not access cmdline nor environ from file-backed areas Xin Long (5): sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg sctp: use the old asoc when making the cookie-ack chunk in dupcook_d sctp: fix the issue that the cookie-ack with auth can't get processed sctp: delay the authentication for the duplicated cookie-echo chunk Yuchung Cheng (1): tcp: ignore Fast Open on repair mode zhongjiang (1): kernel/exit.c: avoid undefined behaviour when calling wait4()

7 years, 3 months

1
1
0 0

FAILED: patch "[PATCH] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 1c1a2ee1b53b006754073eefc65d2b2cedb5264b Mon Sep 17 00:00:00 2001 From: Coly Li <colyli(a)suse.de> Date: Thu, 17 May 2018 23:33:26 +0800 Subject: [PATCH] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Changelog: v4: Add Acked-by from Kent Overstreet. v3: Use IS_ENABLED(CONFIG_DEBUG_FS) to replace #ifdef DEBUG_FS. v2: Remove a warning information v1: Initial version. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable(a)vger.kernel.org Signed-off-by: Coly Li <colyli(a)suse.de> Reported-by: Massimo B. <massimo.b(a)gmx.net> Reported-by: Kai Krakow <kai(a)kaishome.de> Tested-by: Kai Krakow <kai(a)kaishome.de> Acked-by: Kent Overstreet <kent.overstreet(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)kernel.dk> diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c index 4e63c6f6c04d..d030ce3025a6 100644 --- a/drivers/md/bcache/debug.c +++ b/drivers/md/bcache/debug.c @@ -250,7 +250,9 @@ void bch_debug_exit(void) int __init bch_debug_init(struct kobject *kobj) { - bcache_debug = debugfs_create_dir("bcache", NULL); + if (!IS_ENABLED(CONFIG_DEBUG_FS)) + return 0; + bcache_debug = debugfs_create_dir("bcache", NULL); return IS_ERR_OR_NULL(bcache_debug); }

7 years, 3 months

3
3
0 0

Re: FAILED: patch "[PATCH] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n" failed to apply to 4.16-stable tree

by Greg KH

On Sun, May 20, 2018 at 10:59:32AM +0200, Kai Krakow wrote: > Hey Greg! > > The v1 version applied for me but it shows a compiler warning. I didn't try > the newer version yet. > > I could prepare a back-ported version. Backported would be good. Also, the code really is wrong even with this change. No code path should ever do anything different if debugfs is enabled or not, or based on the return value of a debugfs call. No need to check anything here at all, the function should be: void __init bch_debug_init(void) { bcache_debug = debugfs_create_dir("bcache", NULL); } That's it, no checking, and all is fine and good. Any result of a debugfs call can always be fed back into another debugfs call with no harm or errors happening. thanks, greg k-h

7 years, 3 months

3
4
0 0

FAILED: patch "[PATCH] s390/ftrace: use expoline for indirect branches" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 23a4d7fd34856da8218c4cfc23dba7a6ec0a423a Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:35:26 +0200 Subject: [PATCH] s390/ftrace: use expoline for indirect branches The return from the ftrace_stub, _mcount, ftrace_caller and return_to_handler functions is done with "br %r14" and "br %r1". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. The ftrace_caller function is a special case as it returns to the start of a function and may only use %r0 and %r1. For a pre z10 machine the standard execute trampoline uses a LARL + EX to do this, but this requires *two* registers in the range %r1..%r15. To get around this the 'br %r1' located in the lowcore is used, then the EX instruction does not need an address register. But the lowcore trick may only be used for pre z14 machines, with noexec=on the mapping for the first page may not contain instructions. The solution for that is an ALTERNATIVE in the expoline THUNK generated by 'GEN_BR_THUNK %r1' to switch to EXRL, this relies on the fact that a machine that supports noexec=on has EXRL as well. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h index 440689cbcf51..7d7640e1cf90 100644 --- a/arch/s390/include/asm/nospec-insn.h +++ b/arch/s390/include/asm/nospec-insn.h @@ -2,12 +2,16 @@ #ifndef _ASM_S390_NOSPEC_ASM_H #define _ASM_S390_NOSPEC_ASM_H +#include <asm/alternative-asm.h> +#include <asm/asm-offsets.h> #include <asm/dwarf.h> #ifdef __ASSEMBLY__ #ifdef CONFIG_EXPOLINE +_LC_BR_R1 = __LC_BR_R1 + /* * The expoline macros are used to create thunks in the same format * as gcc generates them. The 'comdat' section flag makes sure that @@ -78,13 +82,21 @@ .endm .macro __THUNK_EX_BR reg,ruse + # Be very careful when adding instructions to this macro! + # The ALTERNATIVE replacement code has a .+10 which targets + # the "br \reg" after the code has been patched. #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES exrl 0,555f j . #else + .ifc \reg,%r1 + ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35 + j . + .else larl \ruse,555f ex 0,0(\ruse) j . + .endif #endif 555: br \reg .endm diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c index eb2a5c0443cd..11aea745a2a6 100644 --- a/arch/s390/kernel/asm-offsets.c +++ b/arch/s390/kernel/asm-offsets.c @@ -181,6 +181,7 @@ int main(void) OFFSET(__LC_MACHINE_FLAGS, lowcore, machine_flags); OFFSET(__LC_PREEMPT_COUNT, lowcore, preempt_count); OFFSET(__LC_GMAP, lowcore, gmap); + OFFSET(__LC_BR_R1, lowcore, br_r1_trampoline); /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */ OFFSET(__LC_DUMP_REIPL, lowcore, ipib); /* hardware defined lowcore locations 0x1000 - 0x18ff */ diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S index 82df7d80fab2..27110f3294ed 100644 --- a/arch/s390/kernel/mcount.S +++ b/arch/s390/kernel/mcount.S @@ -9,13 +9,17 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> #include <asm/ftrace.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/export.h> + GEN_BR_THUNK %r1 + GEN_BR_THUNK %r14 + .section .kprobes.text, "ax" ENTRY(ftrace_stub) - br %r14 + BR_EX %r14 #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE) #define STACK_PTREGS (STACK_FRAME_OVERHEAD) @@ -23,7 +27,7 @@ ENTRY(ftrace_stub) #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ENTRY(_mcount) - br %r14 + BR_EX %r14 EXPORT_SYMBOL(_mcount) @@ -53,7 +57,7 @@ ENTRY(ftrace_caller) #endif lgr %r3,%r14 la %r5,STACK_PTREGS(%r15) - basr %r14,%r1 + BASR_EX %r14,%r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER # The j instruction gets runtime patched to a nop instruction. # See ftrace_enable_ftrace_graph_caller. @@ -68,7 +72,7 @@ ftrace_graph_caller_end: #endif lg %r1,(STACK_PTREGS_PSW+8)(%r15) lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15) - br %r1 + BR_EX %r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER @@ -81,6 +85,6 @@ ENTRY(return_to_handler) aghi %r15,STACK_FRAME_OVERHEAD lgr %r14,%r2 lmg %r2,%r5,32(%r15) - br %r14 + BR_EX %r14 #endif

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/ftrace: use expoline for indirect branches" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 23a4d7fd34856da8218c4cfc23dba7a6ec0a423a Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:35:26 +0200 Subject: [PATCH] s390/ftrace: use expoline for indirect branches The return from the ftrace_stub, _mcount, ftrace_caller and return_to_handler functions is done with "br %r14" and "br %r1". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. The ftrace_caller function is a special case as it returns to the start of a function and may only use %r0 and %r1. For a pre z10 machine the standard execute trampoline uses a LARL + EX to do this, but this requires *two* registers in the range %r1..%r15. To get around this the 'br %r1' located in the lowcore is used, then the EX instruction does not need an address register. But the lowcore trick may only be used for pre z14 machines, with noexec=on the mapping for the first page may not contain instructions. The solution for that is an ALTERNATIVE in the expoline THUNK generated by 'GEN_BR_THUNK %r1' to switch to EXRL, this relies on the fact that a machine that supports noexec=on has EXRL as well. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h index 440689cbcf51..7d7640e1cf90 100644 --- a/arch/s390/include/asm/nospec-insn.h +++ b/arch/s390/include/asm/nospec-insn.h @@ -2,12 +2,16 @@ #ifndef _ASM_S390_NOSPEC_ASM_H #define _ASM_S390_NOSPEC_ASM_H +#include <asm/alternative-asm.h> +#include <asm/asm-offsets.h> #include <asm/dwarf.h> #ifdef __ASSEMBLY__ #ifdef CONFIG_EXPOLINE +_LC_BR_R1 = __LC_BR_R1 + /* * The expoline macros are used to create thunks in the same format * as gcc generates them. The 'comdat' section flag makes sure that @@ -78,13 +82,21 @@ .endm .macro __THUNK_EX_BR reg,ruse + # Be very careful when adding instructions to this macro! + # The ALTERNATIVE replacement code has a .+10 which targets + # the "br \reg" after the code has been patched. #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES exrl 0,555f j . #else + .ifc \reg,%r1 + ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35 + j . + .else larl \ruse,555f ex 0,0(\ruse) j . + .endif #endif 555: br \reg .endm diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c index eb2a5c0443cd..11aea745a2a6 100644 --- a/arch/s390/kernel/asm-offsets.c +++ b/arch/s390/kernel/asm-offsets.c @@ -181,6 +181,7 @@ int main(void) OFFSET(__LC_MACHINE_FLAGS, lowcore, machine_flags); OFFSET(__LC_PREEMPT_COUNT, lowcore, preempt_count); OFFSET(__LC_GMAP, lowcore, gmap); + OFFSET(__LC_BR_R1, lowcore, br_r1_trampoline); /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */ OFFSET(__LC_DUMP_REIPL, lowcore, ipib); /* hardware defined lowcore locations 0x1000 - 0x18ff */ diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S index 82df7d80fab2..27110f3294ed 100644 --- a/arch/s390/kernel/mcount.S +++ b/arch/s390/kernel/mcount.S @@ -9,13 +9,17 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> #include <asm/ftrace.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/export.h> + GEN_BR_THUNK %r1 + GEN_BR_THUNK %r14 + .section .kprobes.text, "ax" ENTRY(ftrace_stub) - br %r14 + BR_EX %r14 #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE) #define STACK_PTREGS (STACK_FRAME_OVERHEAD) @@ -23,7 +27,7 @@ ENTRY(ftrace_stub) #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ENTRY(_mcount) - br %r14 + BR_EX %r14 EXPORT_SYMBOL(_mcount) @@ -53,7 +57,7 @@ ENTRY(ftrace_caller) #endif lgr %r3,%r14 la %r5,STACK_PTREGS(%r15) - basr %r14,%r1 + BASR_EX %r14,%r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER # The j instruction gets runtime patched to a nop instruction. # See ftrace_enable_ftrace_graph_caller. @@ -68,7 +72,7 @@ ftrace_graph_caller_end: #endif lg %r1,(STACK_PTREGS_PSW+8)(%r15) lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15) - br %r1 + BR_EX %r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER @@ -81,6 +85,6 @@ ENTRY(return_to_handler) aghi %r15,STACK_FRAME_OVERHEAD lgr %r14,%r2 lmg %r2,%r5,32(%r15) - br %r14 + BR_EX %r14 #endif

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/ftrace: use expoline for indirect branches" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 23a4d7fd34856da8218c4cfc23dba7a6ec0a423a Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:35:26 +0200 Subject: [PATCH] s390/ftrace: use expoline for indirect branches The return from the ftrace_stub, _mcount, ftrace_caller and return_to_handler functions is done with "br %r14" and "br %r1". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. The ftrace_caller function is a special case as it returns to the start of a function and may only use %r0 and %r1. For a pre z10 machine the standard execute trampoline uses a LARL + EX to do this, but this requires *two* registers in the range %r1..%r15. To get around this the 'br %r1' located in the lowcore is used, then the EX instruction does not need an address register. But the lowcore trick may only be used for pre z14 machines, with noexec=on the mapping for the first page may not contain instructions. The solution for that is an ALTERNATIVE in the expoline THUNK generated by 'GEN_BR_THUNK %r1' to switch to EXRL, this relies on the fact that a machine that supports noexec=on has EXRL as well. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h index 440689cbcf51..7d7640e1cf90 100644 --- a/arch/s390/include/asm/nospec-insn.h +++ b/arch/s390/include/asm/nospec-insn.h @@ -2,12 +2,16 @@ #ifndef _ASM_S390_NOSPEC_ASM_H #define _ASM_S390_NOSPEC_ASM_H +#include <asm/alternative-asm.h> +#include <asm/asm-offsets.h> #include <asm/dwarf.h> #ifdef __ASSEMBLY__ #ifdef CONFIG_EXPOLINE +_LC_BR_R1 = __LC_BR_R1 + /* * The expoline macros are used to create thunks in the same format * as gcc generates them. The 'comdat' section flag makes sure that @@ -78,13 +82,21 @@ .endm .macro __THUNK_EX_BR reg,ruse + # Be very careful when adding instructions to this macro! + # The ALTERNATIVE replacement code has a .+10 which targets + # the "br \reg" after the code has been patched. #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES exrl 0,555f j . #else + .ifc \reg,%r1 + ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35 + j . + .else larl \ruse,555f ex 0,0(\ruse) j . + .endif #endif 555: br \reg .endm diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c index eb2a5c0443cd..11aea745a2a6 100644 --- a/arch/s390/kernel/asm-offsets.c +++ b/arch/s390/kernel/asm-offsets.c @@ -181,6 +181,7 @@ int main(void) OFFSET(__LC_MACHINE_FLAGS, lowcore, machine_flags); OFFSET(__LC_PREEMPT_COUNT, lowcore, preempt_count); OFFSET(__LC_GMAP, lowcore, gmap); + OFFSET(__LC_BR_R1, lowcore, br_r1_trampoline); /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */ OFFSET(__LC_DUMP_REIPL, lowcore, ipib); /* hardware defined lowcore locations 0x1000 - 0x18ff */ diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S index 82df7d80fab2..27110f3294ed 100644 --- a/arch/s390/kernel/mcount.S +++ b/arch/s390/kernel/mcount.S @@ -9,13 +9,17 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> #include <asm/ftrace.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/export.h> + GEN_BR_THUNK %r1 + GEN_BR_THUNK %r14 + .section .kprobes.text, "ax" ENTRY(ftrace_stub) - br %r14 + BR_EX %r14 #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE) #define STACK_PTREGS (STACK_FRAME_OVERHEAD) @@ -23,7 +27,7 @@ ENTRY(ftrace_stub) #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ENTRY(_mcount) - br %r14 + BR_EX %r14 EXPORT_SYMBOL(_mcount) @@ -53,7 +57,7 @@ ENTRY(ftrace_caller) #endif lgr %r3,%r14 la %r5,STACK_PTREGS(%r15) - basr %r14,%r1 + BASR_EX %r14,%r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER # The j instruction gets runtime patched to a nop instruction. # See ftrace_enable_ftrace_graph_caller. @@ -68,7 +72,7 @@ ftrace_graph_caller_end: #endif lg %r1,(STACK_PTREGS_PSW+8)(%r15) lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15) - br %r1 + BR_EX %r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER @@ -81,6 +85,6 @@ ENTRY(return_to_handler) aghi %r15,STACK_FRAME_OVERHEAD lgr %r14,%r2 lmg %r2,%r5,32(%r15) - br %r14 + BR_EX %r14 #endif

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/ftrace: use expoline for indirect branches" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 23a4d7fd34856da8218c4cfc23dba7a6ec0a423a Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:35:26 +0200 Subject: [PATCH] s390/ftrace: use expoline for indirect branches The return from the ftrace_stub, _mcount, ftrace_caller and return_to_handler functions is done with "br %r14" and "br %r1". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. The ftrace_caller function is a special case as it returns to the start of a function and may only use %r0 and %r1. For a pre z10 machine the standard execute trampoline uses a LARL + EX to do this, but this requires *two* registers in the range %r1..%r15. To get around this the 'br %r1' located in the lowcore is used, then the EX instruction does not need an address register. But the lowcore trick may only be used for pre z14 machines, with noexec=on the mapping for the first page may not contain instructions. The solution for that is an ALTERNATIVE in the expoline THUNK generated by 'GEN_BR_THUNK %r1' to switch to EXRL, this relies on the fact that a machine that supports noexec=on has EXRL as well. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h index 440689cbcf51..7d7640e1cf90 100644 --- a/arch/s390/include/asm/nospec-insn.h +++ b/arch/s390/include/asm/nospec-insn.h @@ -2,12 +2,16 @@ #ifndef _ASM_S390_NOSPEC_ASM_H #define _ASM_S390_NOSPEC_ASM_H +#include <asm/alternative-asm.h> +#include <asm/asm-offsets.h> #include <asm/dwarf.h> #ifdef __ASSEMBLY__ #ifdef CONFIG_EXPOLINE +_LC_BR_R1 = __LC_BR_R1 + /* * The expoline macros are used to create thunks in the same format * as gcc generates them. The 'comdat' section flag makes sure that @@ -78,13 +82,21 @@ .endm .macro __THUNK_EX_BR reg,ruse + # Be very careful when adding instructions to this macro! + # The ALTERNATIVE replacement code has a .+10 which targets + # the "br \reg" after the code has been patched. #ifdef CONFIG_HAVE_MARCH_Z10_FEATURES exrl 0,555f j . #else + .ifc \reg,%r1 + ALTERNATIVE "ex %r0,_LC_BR_R1", ".insn ril,0xc60000000000,0,.+10", 35 + j . + .else larl \ruse,555f ex 0,0(\ruse) j . + .endif #endif 555: br \reg .endm diff --git a/arch/s390/kernel/asm-offsets.c b/arch/s390/kernel/asm-offsets.c index eb2a5c0443cd..11aea745a2a6 100644 --- a/arch/s390/kernel/asm-offsets.c +++ b/arch/s390/kernel/asm-offsets.c @@ -181,6 +181,7 @@ int main(void) OFFSET(__LC_MACHINE_FLAGS, lowcore, machine_flags); OFFSET(__LC_PREEMPT_COUNT, lowcore, preempt_count); OFFSET(__LC_GMAP, lowcore, gmap); + OFFSET(__LC_BR_R1, lowcore, br_r1_trampoline); /* software defined ABI-relevant lowcore locations 0xe00 - 0xe20 */ OFFSET(__LC_DUMP_REIPL, lowcore, ipib); /* hardware defined lowcore locations 0x1000 - 0x18ff */ diff --git a/arch/s390/kernel/mcount.S b/arch/s390/kernel/mcount.S index 82df7d80fab2..27110f3294ed 100644 --- a/arch/s390/kernel/mcount.S +++ b/arch/s390/kernel/mcount.S @@ -9,13 +9,17 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> #include <asm/ftrace.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/export.h> + GEN_BR_THUNK %r1 + GEN_BR_THUNK %r14 + .section .kprobes.text, "ax" ENTRY(ftrace_stub) - br %r14 + BR_EX %r14 #define STACK_FRAME_SIZE (STACK_FRAME_OVERHEAD + __PT_SIZE) #define STACK_PTREGS (STACK_FRAME_OVERHEAD) @@ -23,7 +27,7 @@ ENTRY(ftrace_stub) #define STACK_PTREGS_PSW (STACK_PTREGS + __PT_PSW) ENTRY(_mcount) - br %r14 + BR_EX %r14 EXPORT_SYMBOL(_mcount) @@ -53,7 +57,7 @@ ENTRY(ftrace_caller) #endif lgr %r3,%r14 la %r5,STACK_PTREGS(%r15) - basr %r14,%r1 + BASR_EX %r14,%r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER # The j instruction gets runtime patched to a nop instruction. # See ftrace_enable_ftrace_graph_caller. @@ -68,7 +72,7 @@ ftrace_graph_caller_end: #endif lg %r1,(STACK_PTREGS_PSW+8)(%r15) lmg %r2,%r15,(STACK_PTREGS_GPRS+2*8)(%r15) - br %r1 + BR_EX %r1 #ifdef CONFIG_FUNCTION_GRAPH_TRACER @@ -81,6 +85,6 @@ ENTRY(return_to_handler) aghi %r15,STACK_FRAME_OVERHEAD lgr %r14,%r2 lmg %r2,%r5,32(%r15) - br %r14 + BR_EX %r14 #endif

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move spectre sysfs attribute code" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 4253b0e0627ee3461e64c2495c616f1c8f6b127b Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Tue, 24 Apr 2018 08:23:54 +0200 Subject: [PATCH] s390: move spectre sysfs attribute code The nospec-branch.c file is compiled without the gcc options to generate expoline thunks. The return branch of the sysfs show functions cpu_show_spectre_v1 and cpu_show_spectre_v2 is an indirect branch as well. These need to be compiled with expolines. Move the sysfs functions for spectre reporting to a separate file and loose an '.' for one of the messages. Cc: stable(a)vger.kernel.org # 4.16 Fixes: d424986f1d ("s390: add sysfs attributes for spectre") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile index 84ea6225efb4..f92dd8ed3884 100644 --- a/arch/s390/kernel/Makefile +++ b/arch/s390/kernel/Makefile @@ -65,6 +65,7 @@ obj-y += nospec-branch.o extra-y += head.o head64.o vmlinux.lds +obj-$(CONFIG_SYSFS) += nospec-sysfs.o CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) obj-$(CONFIG_MODULES) += module.o diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c index 46d49a11663f..834cf29f2599 100644 --- a/arch/s390/kernel/nospec-branch.c +++ b/arch/s390/kernel/nospec-branch.c @@ -1,7 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/module.h> #include <linux/device.h> -#include <linux/cpu.h> #include <asm/nospec-branch.h> static int __init nobp_setup_early(char *str) @@ -44,24 +43,6 @@ static int __init nospec_report(void) } arch_initcall(nospec_report); -#ifdef CONFIG_SYSFS -ssize_t cpu_show_spectre_v1(struct device *dev, - struct device_attribute *attr, char *buf) -{ - return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -} - -ssize_t cpu_show_spectre_v2(struct device *dev, - struct device_attribute *attr, char *buf) -{ - if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) - return sprintf(buf, "Mitigation: execute trampolines\n"); - if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) - return sprintf(buf, "Mitigation: limited branch prediction.\n"); - return sprintf(buf, "Vulnerable\n"); -} -#endif - #ifdef CONFIG_EXPOLINE int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c new file mode 100644 index 000000000000..8affad5f18cb --- /dev/null +++ b/arch/s390/kernel/nospec-sysfs.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <linux/device.h> +#include <linux/cpu.h> +#include <asm/facility.h> +#include <asm/nospec-branch.h> + +ssize_t cpu_show_spectre_v1(struct device *dev, + struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); +} + +ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf) +{ + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) + return sprintf(buf, "Mitigation: execute trampolines\n"); + if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) + return sprintf(buf, "Mitigation: limited branch prediction\n"); + return sprintf(buf, "Vulnerable\n"); +}

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move spectre sysfs attribute code" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 4253b0e0627ee3461e64c2495c616f1c8f6b127b Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Tue, 24 Apr 2018 08:23:54 +0200 Subject: [PATCH] s390: move spectre sysfs attribute code The nospec-branch.c file is compiled without the gcc options to generate expoline thunks. The return branch of the sysfs show functions cpu_show_spectre_v1 and cpu_show_spectre_v2 is an indirect branch as well. These need to be compiled with expolines. Move the sysfs functions for spectre reporting to a separate file and loose an '.' for one of the messages. Cc: stable(a)vger.kernel.org # 4.16 Fixes: d424986f1d ("s390: add sysfs attributes for spectre") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile index 84ea6225efb4..f92dd8ed3884 100644 --- a/arch/s390/kernel/Makefile +++ b/arch/s390/kernel/Makefile @@ -65,6 +65,7 @@ obj-y += nospec-branch.o extra-y += head.o head64.o vmlinux.lds +obj-$(CONFIG_SYSFS) += nospec-sysfs.o CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) obj-$(CONFIG_MODULES) += module.o diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c index 46d49a11663f..834cf29f2599 100644 --- a/arch/s390/kernel/nospec-branch.c +++ b/arch/s390/kernel/nospec-branch.c @@ -1,7 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/module.h> #include <linux/device.h> -#include <linux/cpu.h> #include <asm/nospec-branch.h> static int __init nobp_setup_early(char *str) @@ -44,24 +43,6 @@ static int __init nospec_report(void) } arch_initcall(nospec_report); -#ifdef CONFIG_SYSFS -ssize_t cpu_show_spectre_v1(struct device *dev, - struct device_attribute *attr, char *buf) -{ - return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -} - -ssize_t cpu_show_spectre_v2(struct device *dev, - struct device_attribute *attr, char *buf) -{ - if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) - return sprintf(buf, "Mitigation: execute trampolines\n"); - if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) - return sprintf(buf, "Mitigation: limited branch prediction.\n"); - return sprintf(buf, "Vulnerable\n"); -} -#endif - #ifdef CONFIG_EXPOLINE int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c new file mode 100644 index 000000000000..8affad5f18cb --- /dev/null +++ b/arch/s390/kernel/nospec-sysfs.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <linux/device.h> +#include <linux/cpu.h> +#include <asm/facility.h> +#include <asm/nospec-branch.h> + +ssize_t cpu_show_spectre_v1(struct device *dev, + struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); +} + +ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf) +{ + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) + return sprintf(buf, "Mitigation: execute trampolines\n"); + if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) + return sprintf(buf, "Mitigation: limited branch prediction\n"); + return sprintf(buf, "Vulnerable\n"); +}

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move spectre sysfs attribute code" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 4253b0e0627ee3461e64c2495c616f1c8f6b127b Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Tue, 24 Apr 2018 08:23:54 +0200 Subject: [PATCH] s390: move spectre sysfs attribute code The nospec-branch.c file is compiled without the gcc options to generate expoline thunks. The return branch of the sysfs show functions cpu_show_spectre_v1 and cpu_show_spectre_v2 is an indirect branch as well. These need to be compiled with expolines. Move the sysfs functions for spectre reporting to a separate file and loose an '.' for one of the messages. Cc: stable(a)vger.kernel.org # 4.16 Fixes: d424986f1d ("s390: add sysfs attributes for spectre") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile index 84ea6225efb4..f92dd8ed3884 100644 --- a/arch/s390/kernel/Makefile +++ b/arch/s390/kernel/Makefile @@ -65,6 +65,7 @@ obj-y += nospec-branch.o extra-y += head.o head64.o vmlinux.lds +obj-$(CONFIG_SYSFS) += nospec-sysfs.o CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) obj-$(CONFIG_MODULES) += module.o diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c index 46d49a11663f..834cf29f2599 100644 --- a/arch/s390/kernel/nospec-branch.c +++ b/arch/s390/kernel/nospec-branch.c @@ -1,7 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/module.h> #include <linux/device.h> -#include <linux/cpu.h> #include <asm/nospec-branch.h> static int __init nobp_setup_early(char *str) @@ -44,24 +43,6 @@ static int __init nospec_report(void) } arch_initcall(nospec_report); -#ifdef CONFIG_SYSFS -ssize_t cpu_show_spectre_v1(struct device *dev, - struct device_attribute *attr, char *buf) -{ - return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -} - -ssize_t cpu_show_spectre_v2(struct device *dev, - struct device_attribute *attr, char *buf) -{ - if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) - return sprintf(buf, "Mitigation: execute trampolines\n"); - if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) - return sprintf(buf, "Mitigation: limited branch prediction.\n"); - return sprintf(buf, "Vulnerable\n"); -} -#endif - #ifdef CONFIG_EXPOLINE int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c new file mode 100644 index 000000000000..8affad5f18cb --- /dev/null +++ b/arch/s390/kernel/nospec-sysfs.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <linux/device.h> +#include <linux/cpu.h> +#include <asm/facility.h> +#include <asm/nospec-branch.h> + +ssize_t cpu_show_spectre_v1(struct device *dev, + struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); +} + +ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf) +{ + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) + return sprintf(buf, "Mitigation: execute trampolines\n"); + if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) + return sprintf(buf, "Mitigation: limited branch prediction\n"); + return sprintf(buf, "Vulnerable\n"); +}

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move spectre sysfs attribute code" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 4253b0e0627ee3461e64c2495c616f1c8f6b127b Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Tue, 24 Apr 2018 08:23:54 +0200 Subject: [PATCH] s390: move spectre sysfs attribute code The nospec-branch.c file is compiled without the gcc options to generate expoline thunks. The return branch of the sysfs show functions cpu_show_spectre_v1 and cpu_show_spectre_v2 is an indirect branch as well. These need to be compiled with expolines. Move the sysfs functions for spectre reporting to a separate file and loose an '.' for one of the messages. Cc: stable(a)vger.kernel.org # 4.16 Fixes: d424986f1d ("s390: add sysfs attributes for spectre") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/Makefile b/arch/s390/kernel/Makefile index 84ea6225efb4..f92dd8ed3884 100644 --- a/arch/s390/kernel/Makefile +++ b/arch/s390/kernel/Makefile @@ -65,6 +65,7 @@ obj-y += nospec-branch.o extra-y += head.o head64.o vmlinux.lds +obj-$(CONFIG_SYSFS) += nospec-sysfs.o CFLAGS_REMOVE_nospec-branch.o += $(CC_FLAGS_EXPOLINE) obj-$(CONFIG_MODULES) += module.o diff --git a/arch/s390/kernel/nospec-branch.c b/arch/s390/kernel/nospec-branch.c index 46d49a11663f..834cf29f2599 100644 --- a/arch/s390/kernel/nospec-branch.c +++ b/arch/s390/kernel/nospec-branch.c @@ -1,7 +1,6 @@ // SPDX-License-Identifier: GPL-2.0 #include <linux/module.h> #include <linux/device.h> -#include <linux/cpu.h> #include <asm/nospec-branch.h> static int __init nobp_setup_early(char *str) @@ -44,24 +43,6 @@ static int __init nospec_report(void) } arch_initcall(nospec_report); -#ifdef CONFIG_SYSFS -ssize_t cpu_show_spectre_v1(struct device *dev, - struct device_attribute *attr, char *buf) -{ - return sprintf(buf, "Mitigation: __user pointer sanitization\n"); -} - -ssize_t cpu_show_spectre_v2(struct device *dev, - struct device_attribute *attr, char *buf) -{ - if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) - return sprintf(buf, "Mitigation: execute trampolines\n"); - if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) - return sprintf(buf, "Mitigation: limited branch prediction.\n"); - return sprintf(buf, "Vulnerable\n"); -} -#endif - #ifdef CONFIG_EXPOLINE int nospec_disable = IS_ENABLED(CONFIG_EXPOLINE_OFF); diff --git a/arch/s390/kernel/nospec-sysfs.c b/arch/s390/kernel/nospec-sysfs.c new file mode 100644 index 000000000000..8affad5f18cb --- /dev/null +++ b/arch/s390/kernel/nospec-sysfs.c @@ -0,0 +1,21 @@ +// SPDX-License-Identifier: GPL-2.0 +#include <linux/device.h> +#include <linux/cpu.h> +#include <asm/facility.h> +#include <asm/nospec-branch.h> + +ssize_t cpu_show_spectre_v1(struct device *dev, + struct device_attribute *attr, char *buf) +{ + return sprintf(buf, "Mitigation: __user pointer sanitization\n"); +} + +ssize_t cpu_show_spectre_v2(struct device *dev, + struct device_attribute *attr, char *buf) +{ + if (IS_ENABLED(CC_USING_EXPOLINE) && !nospec_disable) + return sprintf(buf, "Mitigation: execute trampolines\n"); + if (__test_facility(82, S390_lowcore.alt_stfle_fac_list)) + return sprintf(buf, "Mitigation: limited branch prediction\n"); + return sprintf(buf, "Vulnerable\n"); +}

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move expoline assembler macros to a header" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6dd85fbb87d1d6b87a3b1f02ca28d7b2abd2e7ba Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Fri, 20 Apr 2018 16:49:46 +0200 Subject: [PATCH] s390: move expoline assembler macros to a header To be able to use the expoline branches in different assembler files move the associated macros from entry.S to a new header nospec-insn.h. While we are at it make the macros a bit nicer to use. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h new file mode 100644 index 000000000000..440689cbcf51 --- /dev/null +++ b/arch/s390/include/asm/nospec-insn.h @@ -0,0 +1,127 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_S390_NOSPEC_ASM_H +#define _ASM_S390_NOSPEC_ASM_H + +#include <asm/dwarf.h> + +#ifdef __ASSEMBLY__ + +#ifdef CONFIG_EXPOLINE + +/* + * The expoline macros are used to create thunks in the same format + * as gcc generates them. The 'comdat' section flag makes sure that + * the various thunks are merged into a single copy. + */ + .macro __THUNK_PROLOG_NAME name + .pushsection .text.\name,"axG",@progbits,\name,comdat + .globl \name + .hidden \name + .type \name,@function +\name: + CFI_STARTPROC + .endm + + .macro __THUNK_EPILOG + CFI_ENDPROC + .popsection + .endm + + .macro __THUNK_PROLOG_BR r1,r2 + __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BR r1,r2 + jg __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BRASL r1,r2,r3 + brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2 + .endm + + .macro __DECODE_RR expand,reg,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \reg,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r2 + \expand \r1,\r2 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RR failed" + .endif + .endm + + .macro __DECODE_RRR expand,rsave,rtarget,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rsave,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rtarget,%r\r2 + .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r3 + \expand \r1,\r2,\r3 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RRR failed" + .endif + .endm + + .macro __THUNK_EX_BR reg,ruse +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES + exrl 0,555f + j . +#else + larl \ruse,555f + ex 0,0(\ruse) + j . +#endif +555: br \reg + .endm + + .macro GEN_BR_THUNK reg,ruse=%r1 + __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse + __THUNK_EX_BR \reg,\ruse + __THUNK_EPILOG + .endm + + .macro BR_EX reg,ruse=%r1 +557: __DECODE_RR __THUNK_BR,\reg,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 557b-. + .popsection + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 +559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 559b-. + .popsection + .endm + +#else + .macro GEN_BR_THUNK reg,ruse=%r1 + .endm + + .macro BR_EX reg,ruse=%r1 + br \reg + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 + basr \rsave,\rtarget + .endm +#endif + +#endif /* __ASSEMBLY__ */ + +#endif /* _ASM_S390_NOSPEC_ASM_H */ diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S index 3f22f139a041..f03402efab4b 100644 --- a/arch/s390/kernel/entry.S +++ b/arch/s390/kernel/entry.S @@ -28,6 +28,7 @@ #include <asm/setup.h> #include <asm/nmi.h> #include <asm/export.h> +#include <asm/nospec-insn.h> __PT_R0 = __PT_GPRS __PT_R1 = __PT_GPRS + 8 @@ -183,67 +184,9 @@ _LPP_OFFSET = __LC_LPP "jnz .+8; .long 0xb2e8d000", 82 .endm -#ifdef CONFIG_EXPOLINE - - .macro GEN_BR_THUNK name,reg,tmp - .section .text.\name,"axG",@progbits,\name,comdat - .globl \name - .hidden \name - .type \name,@function -\name: - CFI_STARTPROC -#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES - exrl 0,0f -#else - larl \tmp,0f - ex 0,0(\tmp) -#endif - j . -0: br \reg - CFI_ENDPROC - .endm - - GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 - - .macro BASR_R14_R9 -0: brasl %r14,__s390x_indirect_jump_r1use_r9 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R1USE_R14 -0: jg __s390x_indirect_jump_r1use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R11USE_R14 -0: jg __s390x_indirect_jump_r11use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - -#else /* CONFIG_EXPOLINE */ - - .macro BASR_R14_R9 - basr %r14,%r9 - .endm - - .macro BR_R1USE_R14 - br %r14 - .endm - - .macro BR_R11USE_R14 - br %r14 - .endm - -#endif /* CONFIG_EXPOLINE */ - + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + GEN_BR_THUNK %r14,%r11 .section .kprobes.text, "ax" .Ldummy: @@ -260,7 +203,7 @@ _LPP_OFFSET = __LC_LPP ENTRY(__bpon) .globl __bpon BPON - BR_R1USE_R14 + BR_EX %r14 /* * Scheduler resume function, called by switch_to @@ -284,7 +227,7 @@ ENTRY(__switch_to) mvc __LC_CURRENT_PID(4,%r0),0(%r3) # store pid of next lmg %r6,%r15,__SF_GPRS(%r15) # load gprs of next task ALTERNATIVE "", ".insn s,0xb2800000,_LPP_OFFSET", 40 - BR_R1USE_R14 + BR_EX %r14 .L__critical_start: @@ -351,7 +294,7 @@ sie_exit: xgr %r5,%r5 lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers lg %r2,__SF_SIE_REASON(%r15) # return exit reason code - BR_R1USE_R14 + BR_EX %r14 .Lsie_fault: lghi %r14,-EFAULT stg %r14,__SF_SIE_REASON(%r15) # set exit reason code @@ -410,7 +353,7 @@ ENTRY(system_call) lgf %r9,0(%r8,%r10) # get system call add. TSTMSK __TI_flags(%r12),_TIF_TRACE jnz .Lsysc_tracesys - BASR_R14_R9 # call sys_xxxx + BASR_EX %r14,%r9 # call sys_xxxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_return: @@ -595,7 +538,7 @@ ENTRY(system_call) lmg %r3,%r7,__PT_R3(%r11) stg %r7,STACK_FRAME_OVERHEAD(%r15) lg %r2,__PT_ORIG_GPR2(%r11) - BASR_R14_R9 # call sys_xxx + BASR_EX %r14,%r9 # call sys_xxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_tracenogo: TSTMSK __TI_flags(%r12),_TIF_TRACE @@ -619,7 +562,7 @@ ENTRY(ret_from_fork) lmg %r9,%r10,__PT_R9(%r11) # load gprs ENTRY(kernel_thread_starter) la %r2,0(%r10) - BASR_R14_R9 + BASR_EX %r14,%r9 j .Lsysc_tracenogo /* @@ -701,7 +644,7 @@ ENTRY(pgm_check_handler) je .Lpgm_return lgf %r9,0(%r10,%r1) # load address of handler routine lgr %r2,%r11 # pass pointer to pt_regs - BASR_R14_R9 # branch to interrupt-handler + BASR_EX %r14,%r9 # branch to interrupt-handler .Lpgm_return: LOCKDEP_SYS_EXIT tm __PT_PSW+1(%r11),0x01 # returning to user ? @@ -1019,7 +962,7 @@ ENTRY(psw_idle) stpt __TIMER_IDLE_ENTER(%r2) .Lpsw_idle_lpsw: lpswe __SF_EMPTY(%r15) - BR_R1USE_R14 + BR_EX %r14 .Lpsw_idle_end: /* @@ -1061,7 +1004,7 @@ ENTRY(save_fpu_regs) .Lsave_fpu_regs_done: oi __LC_CPU_FLAGS+7,_CIF_FPU .Lsave_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lsave_fpu_regs_end: EXPORT_SYMBOL(save_fpu_regs) @@ -1107,7 +1050,7 @@ load_fpu_regs: .Lload_fpu_regs_done: ni __LC_CPU_FLAGS+7,255-_CIF_FPU .Lload_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lload_fpu_regs_end: .L__critical_end: @@ -1322,7 +1265,7 @@ cleanup_critical: jl 0f clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end jl .Lcleanup_load_fpu_regs -0: BR_R11USE_R14 +0: BR_EX %r14 .align 8 .Lcleanup_table: @@ -1358,7 +1301,7 @@ cleanup_critical: ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE lctlg %c1,%c1,__LC_USER_ASCE # load primary asce larl %r9,sie_exit # skip forward to sie_exit - BR_R11USE_R14 + BR_EX %r14 #endif .Lcleanup_system_call: @@ -1412,7 +1355,7 @@ cleanup_critical: stg %r15,56(%r11) # r15 stack pointer # set new psw address and exit larl %r9,.Lsysc_do_svc - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_system_call_insn: .quad system_call .quad .Lsysc_stmg @@ -1424,7 +1367,7 @@ cleanup_critical: .Lcleanup_sysc_tif: larl %r9,.Lsysc_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore: # check if stpt has been executed @@ -1441,14 +1384,14 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore_insn: .quad .Lsysc_exit_timer .quad .Lsysc_done - 4 .Lcleanup_io_tif: larl %r9,.Lio_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore: # check if stpt has been executed @@ -1462,7 +1405,7 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore_insn: .quad .Lio_exit_timer .quad .Lio_done - 4 @@ -1515,17 +1458,17 @@ cleanup_critical: # prepare return psw nihh %r8,0xfcfd # clear irq & wait state bits lg %r9,48(%r11) # return from psw_idle - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_idle_insn: .quad .Lpsw_idle_lpsw .Lcleanup_save_fpu_regs: larl %r9,save_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_load_fpu_regs: larl %r9,load_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 /* * Integer constants

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move expoline assembler macros to a header" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6dd85fbb87d1d6b87a3b1f02ca28d7b2abd2e7ba Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Fri, 20 Apr 2018 16:49:46 +0200 Subject: [PATCH] s390: move expoline assembler macros to a header To be able to use the expoline branches in different assembler files move the associated macros from entry.S to a new header nospec-insn.h. While we are at it make the macros a bit nicer to use. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h new file mode 100644 index 000000000000..440689cbcf51 --- /dev/null +++ b/arch/s390/include/asm/nospec-insn.h @@ -0,0 +1,127 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_S390_NOSPEC_ASM_H +#define _ASM_S390_NOSPEC_ASM_H + +#include <asm/dwarf.h> + +#ifdef __ASSEMBLY__ + +#ifdef CONFIG_EXPOLINE + +/* + * The expoline macros are used to create thunks in the same format + * as gcc generates them. The 'comdat' section flag makes sure that + * the various thunks are merged into a single copy. + */ + .macro __THUNK_PROLOG_NAME name + .pushsection .text.\name,"axG",@progbits,\name,comdat + .globl \name + .hidden \name + .type \name,@function +\name: + CFI_STARTPROC + .endm + + .macro __THUNK_EPILOG + CFI_ENDPROC + .popsection + .endm + + .macro __THUNK_PROLOG_BR r1,r2 + __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BR r1,r2 + jg __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BRASL r1,r2,r3 + brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2 + .endm + + .macro __DECODE_RR expand,reg,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \reg,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r2 + \expand \r1,\r2 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RR failed" + .endif + .endm + + .macro __DECODE_RRR expand,rsave,rtarget,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rsave,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rtarget,%r\r2 + .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r3 + \expand \r1,\r2,\r3 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RRR failed" + .endif + .endm + + .macro __THUNK_EX_BR reg,ruse +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES + exrl 0,555f + j . +#else + larl \ruse,555f + ex 0,0(\ruse) + j . +#endif +555: br \reg + .endm + + .macro GEN_BR_THUNK reg,ruse=%r1 + __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse + __THUNK_EX_BR \reg,\ruse + __THUNK_EPILOG + .endm + + .macro BR_EX reg,ruse=%r1 +557: __DECODE_RR __THUNK_BR,\reg,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 557b-. + .popsection + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 +559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 559b-. + .popsection + .endm + +#else + .macro GEN_BR_THUNK reg,ruse=%r1 + .endm + + .macro BR_EX reg,ruse=%r1 + br \reg + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 + basr \rsave,\rtarget + .endm +#endif + +#endif /* __ASSEMBLY__ */ + +#endif /* _ASM_S390_NOSPEC_ASM_H */ diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S index 3f22f139a041..f03402efab4b 100644 --- a/arch/s390/kernel/entry.S +++ b/arch/s390/kernel/entry.S @@ -28,6 +28,7 @@ #include <asm/setup.h> #include <asm/nmi.h> #include <asm/export.h> +#include <asm/nospec-insn.h> __PT_R0 = __PT_GPRS __PT_R1 = __PT_GPRS + 8 @@ -183,67 +184,9 @@ _LPP_OFFSET = __LC_LPP "jnz .+8; .long 0xb2e8d000", 82 .endm -#ifdef CONFIG_EXPOLINE - - .macro GEN_BR_THUNK name,reg,tmp - .section .text.\name,"axG",@progbits,\name,comdat - .globl \name - .hidden \name - .type \name,@function -\name: - CFI_STARTPROC -#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES - exrl 0,0f -#else - larl \tmp,0f - ex 0,0(\tmp) -#endif - j . -0: br \reg - CFI_ENDPROC - .endm - - GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 - - .macro BASR_R14_R9 -0: brasl %r14,__s390x_indirect_jump_r1use_r9 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R1USE_R14 -0: jg __s390x_indirect_jump_r1use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R11USE_R14 -0: jg __s390x_indirect_jump_r11use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - -#else /* CONFIG_EXPOLINE */ - - .macro BASR_R14_R9 - basr %r14,%r9 - .endm - - .macro BR_R1USE_R14 - br %r14 - .endm - - .macro BR_R11USE_R14 - br %r14 - .endm - -#endif /* CONFIG_EXPOLINE */ - + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + GEN_BR_THUNK %r14,%r11 .section .kprobes.text, "ax" .Ldummy: @@ -260,7 +203,7 @@ _LPP_OFFSET = __LC_LPP ENTRY(__bpon) .globl __bpon BPON - BR_R1USE_R14 + BR_EX %r14 /* * Scheduler resume function, called by switch_to @@ -284,7 +227,7 @@ ENTRY(__switch_to) mvc __LC_CURRENT_PID(4,%r0),0(%r3) # store pid of next lmg %r6,%r15,__SF_GPRS(%r15) # load gprs of next task ALTERNATIVE "", ".insn s,0xb2800000,_LPP_OFFSET", 40 - BR_R1USE_R14 + BR_EX %r14 .L__critical_start: @@ -351,7 +294,7 @@ sie_exit: xgr %r5,%r5 lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers lg %r2,__SF_SIE_REASON(%r15) # return exit reason code - BR_R1USE_R14 + BR_EX %r14 .Lsie_fault: lghi %r14,-EFAULT stg %r14,__SF_SIE_REASON(%r15) # set exit reason code @@ -410,7 +353,7 @@ ENTRY(system_call) lgf %r9,0(%r8,%r10) # get system call add. TSTMSK __TI_flags(%r12),_TIF_TRACE jnz .Lsysc_tracesys - BASR_R14_R9 # call sys_xxxx + BASR_EX %r14,%r9 # call sys_xxxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_return: @@ -595,7 +538,7 @@ ENTRY(system_call) lmg %r3,%r7,__PT_R3(%r11) stg %r7,STACK_FRAME_OVERHEAD(%r15) lg %r2,__PT_ORIG_GPR2(%r11) - BASR_R14_R9 # call sys_xxx + BASR_EX %r14,%r9 # call sys_xxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_tracenogo: TSTMSK __TI_flags(%r12),_TIF_TRACE @@ -619,7 +562,7 @@ ENTRY(ret_from_fork) lmg %r9,%r10,__PT_R9(%r11) # load gprs ENTRY(kernel_thread_starter) la %r2,0(%r10) - BASR_R14_R9 + BASR_EX %r14,%r9 j .Lsysc_tracenogo /* @@ -701,7 +644,7 @@ ENTRY(pgm_check_handler) je .Lpgm_return lgf %r9,0(%r10,%r1) # load address of handler routine lgr %r2,%r11 # pass pointer to pt_regs - BASR_R14_R9 # branch to interrupt-handler + BASR_EX %r14,%r9 # branch to interrupt-handler .Lpgm_return: LOCKDEP_SYS_EXIT tm __PT_PSW+1(%r11),0x01 # returning to user ? @@ -1019,7 +962,7 @@ ENTRY(psw_idle) stpt __TIMER_IDLE_ENTER(%r2) .Lpsw_idle_lpsw: lpswe __SF_EMPTY(%r15) - BR_R1USE_R14 + BR_EX %r14 .Lpsw_idle_end: /* @@ -1061,7 +1004,7 @@ ENTRY(save_fpu_regs) .Lsave_fpu_regs_done: oi __LC_CPU_FLAGS+7,_CIF_FPU .Lsave_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lsave_fpu_regs_end: EXPORT_SYMBOL(save_fpu_regs) @@ -1107,7 +1050,7 @@ load_fpu_regs: .Lload_fpu_regs_done: ni __LC_CPU_FLAGS+7,255-_CIF_FPU .Lload_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lload_fpu_regs_end: .L__critical_end: @@ -1322,7 +1265,7 @@ cleanup_critical: jl 0f clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end jl .Lcleanup_load_fpu_regs -0: BR_R11USE_R14 +0: BR_EX %r14 .align 8 .Lcleanup_table: @@ -1358,7 +1301,7 @@ cleanup_critical: ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE lctlg %c1,%c1,__LC_USER_ASCE # load primary asce larl %r9,sie_exit # skip forward to sie_exit - BR_R11USE_R14 + BR_EX %r14 #endif .Lcleanup_system_call: @@ -1412,7 +1355,7 @@ cleanup_critical: stg %r15,56(%r11) # r15 stack pointer # set new psw address and exit larl %r9,.Lsysc_do_svc - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_system_call_insn: .quad system_call .quad .Lsysc_stmg @@ -1424,7 +1367,7 @@ cleanup_critical: .Lcleanup_sysc_tif: larl %r9,.Lsysc_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore: # check if stpt has been executed @@ -1441,14 +1384,14 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore_insn: .quad .Lsysc_exit_timer .quad .Lsysc_done - 4 .Lcleanup_io_tif: larl %r9,.Lio_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore: # check if stpt has been executed @@ -1462,7 +1405,7 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore_insn: .quad .Lio_exit_timer .quad .Lio_done - 4 @@ -1515,17 +1458,17 @@ cleanup_critical: # prepare return psw nihh %r8,0xfcfd # clear irq & wait state bits lg %r9,48(%r11) # return from psw_idle - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_idle_insn: .quad .Lpsw_idle_lpsw .Lcleanup_save_fpu_regs: larl %r9,save_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_load_fpu_regs: larl %r9,load_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 /* * Integer constants

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move expoline assembler macros to a header" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6dd85fbb87d1d6b87a3b1f02ca28d7b2abd2e7ba Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Fri, 20 Apr 2018 16:49:46 +0200 Subject: [PATCH] s390: move expoline assembler macros to a header To be able to use the expoline branches in different assembler files move the associated macros from entry.S to a new header nospec-insn.h. While we are at it make the macros a bit nicer to use. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h new file mode 100644 index 000000000000..440689cbcf51 --- /dev/null +++ b/arch/s390/include/asm/nospec-insn.h @@ -0,0 +1,127 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_S390_NOSPEC_ASM_H +#define _ASM_S390_NOSPEC_ASM_H + +#include <asm/dwarf.h> + +#ifdef __ASSEMBLY__ + +#ifdef CONFIG_EXPOLINE + +/* + * The expoline macros are used to create thunks in the same format + * as gcc generates them. The 'comdat' section flag makes sure that + * the various thunks are merged into a single copy. + */ + .macro __THUNK_PROLOG_NAME name + .pushsection .text.\name,"axG",@progbits,\name,comdat + .globl \name + .hidden \name + .type \name,@function +\name: + CFI_STARTPROC + .endm + + .macro __THUNK_EPILOG + CFI_ENDPROC + .popsection + .endm + + .macro __THUNK_PROLOG_BR r1,r2 + __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BR r1,r2 + jg __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BRASL r1,r2,r3 + brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2 + .endm + + .macro __DECODE_RR expand,reg,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \reg,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r2 + \expand \r1,\r2 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RR failed" + .endif + .endm + + .macro __DECODE_RRR expand,rsave,rtarget,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rsave,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rtarget,%r\r2 + .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r3 + \expand \r1,\r2,\r3 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RRR failed" + .endif + .endm + + .macro __THUNK_EX_BR reg,ruse +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES + exrl 0,555f + j . +#else + larl \ruse,555f + ex 0,0(\ruse) + j . +#endif +555: br \reg + .endm + + .macro GEN_BR_THUNK reg,ruse=%r1 + __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse + __THUNK_EX_BR \reg,\ruse + __THUNK_EPILOG + .endm + + .macro BR_EX reg,ruse=%r1 +557: __DECODE_RR __THUNK_BR,\reg,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 557b-. + .popsection + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 +559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 559b-. + .popsection + .endm + +#else + .macro GEN_BR_THUNK reg,ruse=%r1 + .endm + + .macro BR_EX reg,ruse=%r1 + br \reg + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 + basr \rsave,\rtarget + .endm +#endif + +#endif /* __ASSEMBLY__ */ + +#endif /* _ASM_S390_NOSPEC_ASM_H */ diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S index 3f22f139a041..f03402efab4b 100644 --- a/arch/s390/kernel/entry.S +++ b/arch/s390/kernel/entry.S @@ -28,6 +28,7 @@ #include <asm/setup.h> #include <asm/nmi.h> #include <asm/export.h> +#include <asm/nospec-insn.h> __PT_R0 = __PT_GPRS __PT_R1 = __PT_GPRS + 8 @@ -183,67 +184,9 @@ _LPP_OFFSET = __LC_LPP "jnz .+8; .long 0xb2e8d000", 82 .endm -#ifdef CONFIG_EXPOLINE - - .macro GEN_BR_THUNK name,reg,tmp - .section .text.\name,"axG",@progbits,\name,comdat - .globl \name - .hidden \name - .type \name,@function -\name: - CFI_STARTPROC -#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES - exrl 0,0f -#else - larl \tmp,0f - ex 0,0(\tmp) -#endif - j . -0: br \reg - CFI_ENDPROC - .endm - - GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 - - .macro BASR_R14_R9 -0: brasl %r14,__s390x_indirect_jump_r1use_r9 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R1USE_R14 -0: jg __s390x_indirect_jump_r1use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R11USE_R14 -0: jg __s390x_indirect_jump_r11use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - -#else /* CONFIG_EXPOLINE */ - - .macro BASR_R14_R9 - basr %r14,%r9 - .endm - - .macro BR_R1USE_R14 - br %r14 - .endm - - .macro BR_R11USE_R14 - br %r14 - .endm - -#endif /* CONFIG_EXPOLINE */ - + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + GEN_BR_THUNK %r14,%r11 .section .kprobes.text, "ax" .Ldummy: @@ -260,7 +203,7 @@ _LPP_OFFSET = __LC_LPP ENTRY(__bpon) .globl __bpon BPON - BR_R1USE_R14 + BR_EX %r14 /* * Scheduler resume function, called by switch_to @@ -284,7 +227,7 @@ ENTRY(__switch_to) mvc __LC_CURRENT_PID(4,%r0),0(%r3) # store pid of next lmg %r6,%r15,__SF_GPRS(%r15) # load gprs of next task ALTERNATIVE "", ".insn s,0xb2800000,_LPP_OFFSET", 40 - BR_R1USE_R14 + BR_EX %r14 .L__critical_start: @@ -351,7 +294,7 @@ sie_exit: xgr %r5,%r5 lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers lg %r2,__SF_SIE_REASON(%r15) # return exit reason code - BR_R1USE_R14 + BR_EX %r14 .Lsie_fault: lghi %r14,-EFAULT stg %r14,__SF_SIE_REASON(%r15) # set exit reason code @@ -410,7 +353,7 @@ ENTRY(system_call) lgf %r9,0(%r8,%r10) # get system call add. TSTMSK __TI_flags(%r12),_TIF_TRACE jnz .Lsysc_tracesys - BASR_R14_R9 # call sys_xxxx + BASR_EX %r14,%r9 # call sys_xxxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_return: @@ -595,7 +538,7 @@ ENTRY(system_call) lmg %r3,%r7,__PT_R3(%r11) stg %r7,STACK_FRAME_OVERHEAD(%r15) lg %r2,__PT_ORIG_GPR2(%r11) - BASR_R14_R9 # call sys_xxx + BASR_EX %r14,%r9 # call sys_xxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_tracenogo: TSTMSK __TI_flags(%r12),_TIF_TRACE @@ -619,7 +562,7 @@ ENTRY(ret_from_fork) lmg %r9,%r10,__PT_R9(%r11) # load gprs ENTRY(kernel_thread_starter) la %r2,0(%r10) - BASR_R14_R9 + BASR_EX %r14,%r9 j .Lsysc_tracenogo /* @@ -701,7 +644,7 @@ ENTRY(pgm_check_handler) je .Lpgm_return lgf %r9,0(%r10,%r1) # load address of handler routine lgr %r2,%r11 # pass pointer to pt_regs - BASR_R14_R9 # branch to interrupt-handler + BASR_EX %r14,%r9 # branch to interrupt-handler .Lpgm_return: LOCKDEP_SYS_EXIT tm __PT_PSW+1(%r11),0x01 # returning to user ? @@ -1019,7 +962,7 @@ ENTRY(psw_idle) stpt __TIMER_IDLE_ENTER(%r2) .Lpsw_idle_lpsw: lpswe __SF_EMPTY(%r15) - BR_R1USE_R14 + BR_EX %r14 .Lpsw_idle_end: /* @@ -1061,7 +1004,7 @@ ENTRY(save_fpu_regs) .Lsave_fpu_regs_done: oi __LC_CPU_FLAGS+7,_CIF_FPU .Lsave_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lsave_fpu_regs_end: EXPORT_SYMBOL(save_fpu_regs) @@ -1107,7 +1050,7 @@ load_fpu_regs: .Lload_fpu_regs_done: ni __LC_CPU_FLAGS+7,255-_CIF_FPU .Lload_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lload_fpu_regs_end: .L__critical_end: @@ -1322,7 +1265,7 @@ cleanup_critical: jl 0f clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end jl .Lcleanup_load_fpu_regs -0: BR_R11USE_R14 +0: BR_EX %r14 .align 8 .Lcleanup_table: @@ -1358,7 +1301,7 @@ cleanup_critical: ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE lctlg %c1,%c1,__LC_USER_ASCE # load primary asce larl %r9,sie_exit # skip forward to sie_exit - BR_R11USE_R14 + BR_EX %r14 #endif .Lcleanup_system_call: @@ -1412,7 +1355,7 @@ cleanup_critical: stg %r15,56(%r11) # r15 stack pointer # set new psw address and exit larl %r9,.Lsysc_do_svc - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_system_call_insn: .quad system_call .quad .Lsysc_stmg @@ -1424,7 +1367,7 @@ cleanup_critical: .Lcleanup_sysc_tif: larl %r9,.Lsysc_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore: # check if stpt has been executed @@ -1441,14 +1384,14 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore_insn: .quad .Lsysc_exit_timer .quad .Lsysc_done - 4 .Lcleanup_io_tif: larl %r9,.Lio_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore: # check if stpt has been executed @@ -1462,7 +1405,7 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore_insn: .quad .Lio_exit_timer .quad .Lio_done - 4 @@ -1515,17 +1458,17 @@ cleanup_critical: # prepare return psw nihh %r8,0xfcfd # clear irq & wait state bits lg %r9,48(%r11) # return from psw_idle - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_idle_insn: .quad .Lpsw_idle_lpsw .Lcleanup_save_fpu_regs: larl %r9,save_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_load_fpu_regs: larl %r9,load_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 /* * Integer constants

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390: move expoline assembler macros to a header" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 6dd85fbb87d1d6b87a3b1f02ca28d7b2abd2e7ba Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Fri, 20 Apr 2018 16:49:46 +0200 Subject: [PATCH] s390: move expoline assembler macros to a header To be able to use the expoline branches in different assembler files move the associated macros from entry.S to a new header nospec-insn.h. While we are at it make the macros a bit nicer to use. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/include/asm/nospec-insn.h b/arch/s390/include/asm/nospec-insn.h new file mode 100644 index 000000000000..440689cbcf51 --- /dev/null +++ b/arch/s390/include/asm/nospec-insn.h @@ -0,0 +1,127 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#ifndef _ASM_S390_NOSPEC_ASM_H +#define _ASM_S390_NOSPEC_ASM_H + +#include <asm/dwarf.h> + +#ifdef __ASSEMBLY__ + +#ifdef CONFIG_EXPOLINE + +/* + * The expoline macros are used to create thunks in the same format + * as gcc generates them. The 'comdat' section flag makes sure that + * the various thunks are merged into a single copy. + */ + .macro __THUNK_PROLOG_NAME name + .pushsection .text.\name,"axG",@progbits,\name,comdat + .globl \name + .hidden \name + .type \name,@function +\name: + CFI_STARTPROC + .endm + + .macro __THUNK_EPILOG + CFI_ENDPROC + .popsection + .endm + + .macro __THUNK_PROLOG_BR r1,r2 + __THUNK_PROLOG_NAME __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BR r1,r2 + jg __s390x_indirect_jump_r\r2\()use_r\r1 + .endm + + .macro __THUNK_BRASL r1,r2,r3 + brasl \r1,__s390x_indirect_jump_r\r3\()use_r\r2 + .endm + + .macro __DECODE_RR expand,reg,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \reg,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r2 + \expand \r1,\r2 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RR failed" + .endif + .endm + + .macro __DECODE_RRR expand,rsave,rtarget,ruse + .set __decode_fail,1 + .irp r1,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rsave,%r\r1 + .irp r2,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \rtarget,%r\r2 + .irp r3,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 + .ifc \ruse,%r\r3 + \expand \r1,\r2,\r3 + .set __decode_fail,0 + .endif + .endr + .endif + .endr + .endif + .endr + .if __decode_fail == 1 + .error "__DECODE_RRR failed" + .endif + .endm + + .macro __THUNK_EX_BR reg,ruse +#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES + exrl 0,555f + j . +#else + larl \ruse,555f + ex 0,0(\ruse) + j . +#endif +555: br \reg + .endm + + .macro GEN_BR_THUNK reg,ruse=%r1 + __DECODE_RR __THUNK_PROLOG_BR,\reg,\ruse + __THUNK_EX_BR \reg,\ruse + __THUNK_EPILOG + .endm + + .macro BR_EX reg,ruse=%r1 +557: __DECODE_RR __THUNK_BR,\reg,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 557b-. + .popsection + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 +559: __DECODE_RRR __THUNK_BRASL,\rsave,\rtarget,\ruse + .pushsection .s390_indirect_branches,"a",@progbits + .long 559b-. + .popsection + .endm + +#else + .macro GEN_BR_THUNK reg,ruse=%r1 + .endm + + .macro BR_EX reg,ruse=%r1 + br \reg + .endm + + .macro BASR_EX rsave,rtarget,ruse=%r1 + basr \rsave,\rtarget + .endm +#endif + +#endif /* __ASSEMBLY__ */ + +#endif /* _ASM_S390_NOSPEC_ASM_H */ diff --git a/arch/s390/kernel/entry.S b/arch/s390/kernel/entry.S index 3f22f139a041..f03402efab4b 100644 --- a/arch/s390/kernel/entry.S +++ b/arch/s390/kernel/entry.S @@ -28,6 +28,7 @@ #include <asm/setup.h> #include <asm/nmi.h> #include <asm/export.h> +#include <asm/nospec-insn.h> __PT_R0 = __PT_GPRS __PT_R1 = __PT_GPRS + 8 @@ -183,67 +184,9 @@ _LPP_OFFSET = __LC_LPP "jnz .+8; .long 0xb2e8d000", 82 .endm -#ifdef CONFIG_EXPOLINE - - .macro GEN_BR_THUNK name,reg,tmp - .section .text.\name,"axG",@progbits,\name,comdat - .globl \name - .hidden \name - .type \name,@function -\name: - CFI_STARTPROC -#ifdef CONFIG_HAVE_MARCH_Z10_FEATURES - exrl 0,0f -#else - larl \tmp,0f - ex 0,0(\tmp) -#endif - j . -0: br \reg - CFI_ENDPROC - .endm - - GEN_BR_THUNK __s390x_indirect_jump_r1use_r9,%r9,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r1use_r14,%r14,%r1 - GEN_BR_THUNK __s390x_indirect_jump_r11use_r14,%r14,%r11 - - .macro BASR_R14_R9 -0: brasl %r14,__s390x_indirect_jump_r1use_r9 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R1USE_R14 -0: jg __s390x_indirect_jump_r1use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - - .macro BR_R11USE_R14 -0: jg __s390x_indirect_jump_r11use_r14 - .pushsection .s390_indirect_branches,"a",@progbits - .long 0b-. - .popsection - .endm - -#else /* CONFIG_EXPOLINE */ - - .macro BASR_R14_R9 - basr %r14,%r9 - .endm - - .macro BR_R1USE_R14 - br %r14 - .endm - - .macro BR_R11USE_R14 - br %r14 - .endm - -#endif /* CONFIG_EXPOLINE */ - + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + GEN_BR_THUNK %r14,%r11 .section .kprobes.text, "ax" .Ldummy: @@ -260,7 +203,7 @@ _LPP_OFFSET = __LC_LPP ENTRY(__bpon) .globl __bpon BPON - BR_R1USE_R14 + BR_EX %r14 /* * Scheduler resume function, called by switch_to @@ -284,7 +227,7 @@ ENTRY(__switch_to) mvc __LC_CURRENT_PID(4,%r0),0(%r3) # store pid of next lmg %r6,%r15,__SF_GPRS(%r15) # load gprs of next task ALTERNATIVE "", ".insn s,0xb2800000,_LPP_OFFSET", 40 - BR_R1USE_R14 + BR_EX %r14 .L__critical_start: @@ -351,7 +294,7 @@ sie_exit: xgr %r5,%r5 lmg %r6,%r14,__SF_GPRS(%r15) # restore kernel registers lg %r2,__SF_SIE_REASON(%r15) # return exit reason code - BR_R1USE_R14 + BR_EX %r14 .Lsie_fault: lghi %r14,-EFAULT stg %r14,__SF_SIE_REASON(%r15) # set exit reason code @@ -410,7 +353,7 @@ ENTRY(system_call) lgf %r9,0(%r8,%r10) # get system call add. TSTMSK __TI_flags(%r12),_TIF_TRACE jnz .Lsysc_tracesys - BASR_R14_R9 # call sys_xxxx + BASR_EX %r14,%r9 # call sys_xxxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_return: @@ -595,7 +538,7 @@ ENTRY(system_call) lmg %r3,%r7,__PT_R3(%r11) stg %r7,STACK_FRAME_OVERHEAD(%r15) lg %r2,__PT_ORIG_GPR2(%r11) - BASR_R14_R9 # call sys_xxx + BASR_EX %r14,%r9 # call sys_xxx stg %r2,__PT_R2(%r11) # store return value .Lsysc_tracenogo: TSTMSK __TI_flags(%r12),_TIF_TRACE @@ -619,7 +562,7 @@ ENTRY(ret_from_fork) lmg %r9,%r10,__PT_R9(%r11) # load gprs ENTRY(kernel_thread_starter) la %r2,0(%r10) - BASR_R14_R9 + BASR_EX %r14,%r9 j .Lsysc_tracenogo /* @@ -701,7 +644,7 @@ ENTRY(pgm_check_handler) je .Lpgm_return lgf %r9,0(%r10,%r1) # load address of handler routine lgr %r2,%r11 # pass pointer to pt_regs - BASR_R14_R9 # branch to interrupt-handler + BASR_EX %r14,%r9 # branch to interrupt-handler .Lpgm_return: LOCKDEP_SYS_EXIT tm __PT_PSW+1(%r11),0x01 # returning to user ? @@ -1019,7 +962,7 @@ ENTRY(psw_idle) stpt __TIMER_IDLE_ENTER(%r2) .Lpsw_idle_lpsw: lpswe __SF_EMPTY(%r15) - BR_R1USE_R14 + BR_EX %r14 .Lpsw_idle_end: /* @@ -1061,7 +1004,7 @@ ENTRY(save_fpu_regs) .Lsave_fpu_regs_done: oi __LC_CPU_FLAGS+7,_CIF_FPU .Lsave_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lsave_fpu_regs_end: EXPORT_SYMBOL(save_fpu_regs) @@ -1107,7 +1050,7 @@ load_fpu_regs: .Lload_fpu_regs_done: ni __LC_CPU_FLAGS+7,255-_CIF_FPU .Lload_fpu_regs_exit: - BR_R1USE_R14 + BR_EX %r14 .Lload_fpu_regs_end: .L__critical_end: @@ -1322,7 +1265,7 @@ cleanup_critical: jl 0f clg %r9,BASED(.Lcleanup_table+104) # .Lload_fpu_regs_end jl .Lcleanup_load_fpu_regs -0: BR_R11USE_R14 +0: BR_EX %r14 .align 8 .Lcleanup_table: @@ -1358,7 +1301,7 @@ cleanup_critical: ni __SIE_PROG0C+3(%r9),0xfe # no longer in SIE lctlg %c1,%c1,__LC_USER_ASCE # load primary asce larl %r9,sie_exit # skip forward to sie_exit - BR_R11USE_R14 + BR_EX %r14 #endif .Lcleanup_system_call: @@ -1412,7 +1355,7 @@ cleanup_critical: stg %r15,56(%r11) # r15 stack pointer # set new psw address and exit larl %r9,.Lsysc_do_svc - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_system_call_insn: .quad system_call .quad .Lsysc_stmg @@ -1424,7 +1367,7 @@ cleanup_critical: .Lcleanup_sysc_tif: larl %r9,.Lsysc_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore: # check if stpt has been executed @@ -1441,14 +1384,14 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_sysc_restore_insn: .quad .Lsysc_exit_timer .quad .Lsysc_done - 4 .Lcleanup_io_tif: larl %r9,.Lio_tif - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore: # check if stpt has been executed @@ -1462,7 +1405,7 @@ cleanup_critical: mvc 0(64,%r11),__PT_R8(%r9) lmg %r0,%r7,__PT_R0(%r9) 1: lmg %r8,%r9,__LC_RETURN_PSW - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_io_restore_insn: .quad .Lio_exit_timer .quad .Lio_done - 4 @@ -1515,17 +1458,17 @@ cleanup_critical: # prepare return psw nihh %r8,0xfcfd # clear irq & wait state bits lg %r9,48(%r11) # return from psw_idle - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_idle_insn: .quad .Lpsw_idle_lpsw .Lcleanup_save_fpu_regs: larl %r9,save_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 .Lcleanup_load_fpu_regs: larl %r9,load_fpu_regs - BR_R11USE_R14 + BR_EX %r14,%r11 /* * Integer constants

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/kernel: use expoline for indirect branches" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:41:30 +0200 Subject: [PATCH] s390/kernel: use expoline for indirect branches The assember code in arch/s390/kernel uses a few more indirect branches which need to be done with execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S index f6c56009e822..b65874b0b412 100644 --- a/arch/s390/kernel/base.S +++ b/arch/s390/kernel/base.S @@ -9,18 +9,22 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + ENTRY(s390_base_mcck_handler) basr %r13,0 0: lg %r15,__LC_PANIC_STACK # load panic stack aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_mcck_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: la %r1,4095 lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) lpswe __LC_MCK_OLD_PSW @@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_ext_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit lpswe __LC_EXT_OLD_PSW @@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_pgm_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 lmg %r0,%r15,__LC_SAVE_AREA_SYNC lpswe __LC_PGM_OLD_PSW 1: lpswe disabled_wait_psw-0b(%r13) @@ -117,7 +121,7 @@ ENTRY(diag308_reset) larl %r4,.Lcontinue_psw # Restore PSW flags lpswe 0(%r4) .Lcontinue: - br %r14 + BR_EX %r14 .align 16 .Lrestart_psw: .long 0x00080000,0x80000000 + .Lrestart_part2 diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S index 73cc3750f0d3..7f14adf512c6 100644 --- a/arch/s390/kernel/reipl.S +++ b/arch/s390/kernel/reipl.S @@ -7,8 +7,11 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + # # Issue "store status" for the current CPU to its prefix page # and call passed function afterwards @@ -67,9 +70,9 @@ ENTRY(store_status) st %r4,0(%r1) st %r5,4(%r1) stg %r2,8(%r1) - lgr %r1,%r2 + lgr %r9,%r2 lgr %r2,%r3 - br %r1 + BR_EX %r9 .section .bss .align 8 diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S index e99187149f17..a049a7b9d6e8 100644 --- a/arch/s390/kernel/swsusp.S +++ b/arch/s390/kernel/swsusp.S @@ -13,6 +13,7 @@ #include <asm/ptrace.h> #include <asm/thread_info.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> /* @@ -24,6 +25,8 @@ * (see below) in the resume process. * This function runs with disabled interrupts. */ + GEN_BR_THUNK %r14 + .section .text ENTRY(swsusp_arch_suspend) stmg %r6,%r15,__SF_GPRS(%r15) @@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend) spx 0x318(%r1) lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 /* * Restore saved memory image to correct place and restore register context. @@ -197,11 +200,10 @@ pgm_check_entry: larl %r15,init_thread_union ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER) larl %r2,.Lpanic_string - larl %r3,sclp_early_printk lghi %r1,0 sam31 sigp %r1,%r0,SIGP_SET_ARCHITECTURE - basr %r14,%r3 + brasl %r14,sclp_early_printk larl %r3,.Ldisabled_wait_31 lpsw 0(%r3) 4: @@ -267,7 +269,7 @@ restore_registers: /* Return 0 */ lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 .section .data..nosave,"aw",@progbits .align 8

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/kernel: use expoline for indirect branches" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From c50c84c3ac4d5db683904bdb3257798b6ef980ae Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Wed, 25 Apr 2018 18:41:30 +0200 Subject: [PATCH] s390/kernel: use expoline for indirect branches The assember code in arch/s390/kernel uses a few more indirect branches which need to be done with execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/kernel/base.S b/arch/s390/kernel/base.S index f6c56009e822..b65874b0b412 100644 --- a/arch/s390/kernel/base.S +++ b/arch/s390/kernel/base.S @@ -9,18 +9,22 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/ptrace.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + GEN_BR_THUNK %r14 + ENTRY(s390_base_mcck_handler) basr %r13,0 0: lg %r15,__LC_PANIC_STACK # load panic stack aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_mcck_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: la %r1,4095 lmg %r0,%r15,__LC_GPREGS_SAVE_AREA-4095(%r1) lpswe __LC_MCK_OLD_PSW @@ -37,10 +41,10 @@ ENTRY(s390_base_ext_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_ext_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 1: lmg %r0,%r15,__LC_SAVE_AREA_ASYNC ni __LC_EXT_OLD_PSW+1,0xfd # clear wait state bit lpswe __LC_EXT_OLD_PSW @@ -57,10 +61,10 @@ ENTRY(s390_base_pgm_handler) basr %r13,0 0: aghi %r15,-STACK_FRAME_OVERHEAD larl %r1,s390_base_pgm_handler_fn - lg %r1,0(%r1) - ltgr %r1,%r1 + lg %r9,0(%r1) + ltgr %r9,%r9 jz 1f - basr %r14,%r1 + BASR_EX %r14,%r9 lmg %r0,%r15,__LC_SAVE_AREA_SYNC lpswe __LC_PGM_OLD_PSW 1: lpswe disabled_wait_psw-0b(%r13) @@ -117,7 +121,7 @@ ENTRY(diag308_reset) larl %r4,.Lcontinue_psw # Restore PSW flags lpswe 0(%r4) .Lcontinue: - br %r14 + BR_EX %r14 .align 16 .Lrestart_psw: .long 0x00080000,0x80000000 + .Lrestart_part2 diff --git a/arch/s390/kernel/reipl.S b/arch/s390/kernel/reipl.S index 73cc3750f0d3..7f14adf512c6 100644 --- a/arch/s390/kernel/reipl.S +++ b/arch/s390/kernel/reipl.S @@ -7,8 +7,11 @@ #include <linux/linkage.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> + GEN_BR_THUNK %r9 + # # Issue "store status" for the current CPU to its prefix page # and call passed function afterwards @@ -67,9 +70,9 @@ ENTRY(store_status) st %r4,0(%r1) st %r5,4(%r1) stg %r2,8(%r1) - lgr %r1,%r2 + lgr %r9,%r2 lgr %r2,%r3 - br %r1 + BR_EX %r9 .section .bss .align 8 diff --git a/arch/s390/kernel/swsusp.S b/arch/s390/kernel/swsusp.S index e99187149f17..a049a7b9d6e8 100644 --- a/arch/s390/kernel/swsusp.S +++ b/arch/s390/kernel/swsusp.S @@ -13,6 +13,7 @@ #include <asm/ptrace.h> #include <asm/thread_info.h> #include <asm/asm-offsets.h> +#include <asm/nospec-insn.h> #include <asm/sigp.h> /* @@ -24,6 +25,8 @@ * (see below) in the resume process. * This function runs with disabled interrupts. */ + GEN_BR_THUNK %r14 + .section .text ENTRY(swsusp_arch_suspend) stmg %r6,%r15,__SF_GPRS(%r15) @@ -103,7 +106,7 @@ ENTRY(swsusp_arch_suspend) spx 0x318(%r1) lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 /* * Restore saved memory image to correct place and restore register context. @@ -197,11 +200,10 @@ pgm_check_entry: larl %r15,init_thread_union ahi %r15,1<<(PAGE_SHIFT+THREAD_SIZE_ORDER) larl %r2,.Lpanic_string - larl %r3,sclp_early_printk lghi %r1,0 sam31 sigp %r1,%r0,SIGP_SET_ARCHITECTURE - basr %r14,%r3 + brasl %r14,sclp_early_printk larl %r3,.Ldisabled_wait_31 lpsw 0(%r3) 4: @@ -267,7 +269,7 @@ restore_registers: /* Return 0 */ lmg %r6,%r15,STACK_FRAME_OVERHEAD + __SF_GPRS(%r15) lghi %r2,0 - br %r14 + BR_EX %r14 .section .data..nosave,"aw",@progbits .align 8

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/crc32-vx: use expoline for indirect branches" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 467a3bf219cee12259182c5cb4821f88fd518a51 Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/crc32-vx: use expoline for indirect branches The return from the crc32_le_vgfm_16/crc32c_le_vgfm_16 and the crc32_be_vgfm_16 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/crypto/crc32be-vx.S b/arch/s390/crypto/crc32be-vx.S index e8077f0971f8..2bf01ba44107 100644 --- a/arch/s390/crypto/crc32be-vx.S +++ b/arch/s390/crypto/crc32be-vx.S @@ -13,6 +13,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -67,6 +68,8 @@ .previous + GEN_BR_THUNK %r14 + .text /* * The CRC-32 function(s) use these calling conventions: @@ -203,6 +206,6 @@ ENTRY(crc32_be_vgfm_16) .Ldone: VLGVF %r2,%v2,3 - br %r14 + BR_EX %r14 .previous diff --git a/arch/s390/crypto/crc32le-vx.S b/arch/s390/crypto/crc32le-vx.S index d8c67a58c0c5..7d6f568bd3ad 100644 --- a/arch/s390/crypto/crc32le-vx.S +++ b/arch/s390/crypto/crc32le-vx.S @@ -14,6 +14,7 @@ */ #include <linux/linkage.h> +#include <asm/nospec-insn.h> #include <asm/vx-insn.h> /* Vector register range containing CRC-32 constants */ @@ -76,6 +77,7 @@ .previous + GEN_BR_THUNK %r14 .text @@ -264,6 +266,6 @@ crc32_le_vgfm_generic: .Ldone: VLGVF %r2,%v2,2 - br %r14 + BR_EX %r14 .previous

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/lib: use expoline for indirect branches" failed to apply to 4.4-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/lib: use expoline for indirect branches The return from the memmove, memset, memcpy, __memset16, __memset32 and __memset64 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S index 495c9c4bacc7..2311f15be9cf 100644 --- a/arch/s390/lib/mem.S +++ b/arch/s390/lib/mem.S @@ -7,6 +7,9 @@ #include <linux/linkage.h> #include <asm/export.h> +#include <asm/nospec-insn.h> + + GEN_BR_THUNK %r14 /* * void *memmove(void *dest, const void *src, size_t n) @@ -33,14 +36,14 @@ ENTRY(memmove) .Lmemmove_forward_remainder: larl %r5,.Lmemmove_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemmove_reverse: ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) brctg %r4,.Lmemmove_reverse ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) - br %r14 + BR_EX %r14 .Lmemmove_mvc: mvc 0(1,%r1),0(%r3) EXPORT_SYMBOL(memmove) @@ -77,7 +80,7 @@ ENTRY(memset) .Lmemset_clear_remainder: larl %r3,.Lmemset_xc ex %r4,0(%r3) - br %r14 + BR_EX %r14 .Lmemset_fill: cghi %r4,1 lgr %r1,%r2 @@ -95,10 +98,10 @@ ENTRY(memset) stc %r3,0(%r1) larl %r5,.Lmemset_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemset_fill_exit: stc %r3,0(%r1) - br %r14 + BR_EX %r14 .Lmemset_xc: xc 0(1,%r1),0(%r1) .Lmemset_mvc: @@ -121,7 +124,7 @@ ENTRY(memcpy) .Lmemcpy_remainder: larl %r5,.Lmemcpy_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemcpy_loop: mvc 0(256,%r1),0(%r3) la %r1,256(%r1) @@ -159,10 +162,10 @@ ENTRY(__memset\bits) \insn %r3,0(%r1) larl %r5,.L__memset_mvc\bits ex %r4,0(%r5) - br %r14 + BR_EX %r14 .L__memset_exit\bits: \insn %r3,0(%r2) - br %r14 + BR_EX %r14 .L__memset_mvc\bits: mvc \bytes(1,%r1),0(%r1) .endm

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/lib: use expoline for indirect branches" failed to apply to 4.9-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.9-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/lib: use expoline for indirect branches The return from the memmove, memset, memcpy, __memset16, __memset32 and __memset64 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S index 495c9c4bacc7..2311f15be9cf 100644 --- a/arch/s390/lib/mem.S +++ b/arch/s390/lib/mem.S @@ -7,6 +7,9 @@ #include <linux/linkage.h> #include <asm/export.h> +#include <asm/nospec-insn.h> + + GEN_BR_THUNK %r14 /* * void *memmove(void *dest, const void *src, size_t n) @@ -33,14 +36,14 @@ ENTRY(memmove) .Lmemmove_forward_remainder: larl %r5,.Lmemmove_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemmove_reverse: ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) brctg %r4,.Lmemmove_reverse ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) - br %r14 + BR_EX %r14 .Lmemmove_mvc: mvc 0(1,%r1),0(%r3) EXPORT_SYMBOL(memmove) @@ -77,7 +80,7 @@ ENTRY(memset) .Lmemset_clear_remainder: larl %r3,.Lmemset_xc ex %r4,0(%r3) - br %r14 + BR_EX %r14 .Lmemset_fill: cghi %r4,1 lgr %r1,%r2 @@ -95,10 +98,10 @@ ENTRY(memset) stc %r3,0(%r1) larl %r5,.Lmemset_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemset_fill_exit: stc %r3,0(%r1) - br %r14 + BR_EX %r14 .Lmemset_xc: xc 0(1,%r1),0(%r1) .Lmemset_mvc: @@ -121,7 +124,7 @@ ENTRY(memcpy) .Lmemcpy_remainder: larl %r5,.Lmemcpy_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemcpy_loop: mvc 0(256,%r1),0(%r3) la %r1,256(%r1) @@ -159,10 +162,10 @@ ENTRY(__memset\bits) \insn %r3,0(%r1) larl %r5,.L__memset_mvc\bits ex %r4,0(%r5) - br %r14 + BR_EX %r14 .L__memset_exit\bits: \insn %r3,0(%r2) - br %r14 + BR_EX %r14 .L__memset_mvc\bits: mvc \bytes(1,%r1),0(%r1) .endm

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/lib: use expoline for indirect branches" failed to apply to 4.19-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.19-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/lib: use expoline for indirect branches The return from the memmove, memset, memcpy, __memset16, __memset32 and __memset64 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S index 495c9c4bacc7..2311f15be9cf 100644 --- a/arch/s390/lib/mem.S +++ b/arch/s390/lib/mem.S @@ -7,6 +7,9 @@ #include <linux/linkage.h> #include <asm/export.h> +#include <asm/nospec-insn.h> + + GEN_BR_THUNK %r14 /* * void *memmove(void *dest, const void *src, size_t n) @@ -33,14 +36,14 @@ ENTRY(memmove) .Lmemmove_forward_remainder: larl %r5,.Lmemmove_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemmove_reverse: ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) brctg %r4,.Lmemmove_reverse ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) - br %r14 + BR_EX %r14 .Lmemmove_mvc: mvc 0(1,%r1),0(%r3) EXPORT_SYMBOL(memmove) @@ -77,7 +80,7 @@ ENTRY(memset) .Lmemset_clear_remainder: larl %r3,.Lmemset_xc ex %r4,0(%r3) - br %r14 + BR_EX %r14 .Lmemset_fill: cghi %r4,1 lgr %r1,%r2 @@ -95,10 +98,10 @@ ENTRY(memset) stc %r3,0(%r1) larl %r5,.Lmemset_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemset_fill_exit: stc %r3,0(%r1) - br %r14 + BR_EX %r14 .Lmemset_xc: xc 0(1,%r1),0(%r1) .Lmemset_mvc: @@ -121,7 +124,7 @@ ENTRY(memcpy) .Lmemcpy_remainder: larl %r5,.Lmemcpy_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemcpy_loop: mvc 0(256,%r1),0(%r3) la %r1,256(%r1) @@ -159,10 +162,10 @@ ENTRY(__memset\bits) \insn %r3,0(%r1) larl %r5,.L__memset_mvc\bits ex %r4,0(%r5) - br %r14 + BR_EX %r14 .L__memset_exit\bits: \insn %r3,0(%r2) - br %r14 + BR_EX %r14 .L__memset_mvc\bits: mvc \bytes(1,%r1),0(%r1) .endm

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] s390/lib: use expoline for indirect branches" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 97489e0663fa700d6e7febddc43b58df98d7bcda Mon Sep 17 00:00:00 2001 From: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Date: Mon, 23 Apr 2018 14:31:36 +0200 Subject: [PATCH] s390/lib: use expoline for indirect branches The return from the memmove, memset, memcpy, __memset16, __memset32 and __memset64 functions are done with "br %r14". These are indirect branches as well and need to use execute trampolines for CONFIG_EXPOLINE=y. Cc: stable(a)vger.kernel.org # 4.16 Fixes: f19fbd5ed6 ("s390: introduce execute-trampolines for branches") Reviewed-by: Hendrik Brueckner <brueckner(a)linux.vnet.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky(a)de.ibm.com> diff --git a/arch/s390/lib/mem.S b/arch/s390/lib/mem.S index 495c9c4bacc7..2311f15be9cf 100644 --- a/arch/s390/lib/mem.S +++ b/arch/s390/lib/mem.S @@ -7,6 +7,9 @@ #include <linux/linkage.h> #include <asm/export.h> +#include <asm/nospec-insn.h> + + GEN_BR_THUNK %r14 /* * void *memmove(void *dest, const void *src, size_t n) @@ -33,14 +36,14 @@ ENTRY(memmove) .Lmemmove_forward_remainder: larl %r5,.Lmemmove_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemmove_reverse: ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) brctg %r4,.Lmemmove_reverse ic %r0,0(%r4,%r3) stc %r0,0(%r4,%r1) - br %r14 + BR_EX %r14 .Lmemmove_mvc: mvc 0(1,%r1),0(%r3) EXPORT_SYMBOL(memmove) @@ -77,7 +80,7 @@ ENTRY(memset) .Lmemset_clear_remainder: larl %r3,.Lmemset_xc ex %r4,0(%r3) - br %r14 + BR_EX %r14 .Lmemset_fill: cghi %r4,1 lgr %r1,%r2 @@ -95,10 +98,10 @@ ENTRY(memset) stc %r3,0(%r1) larl %r5,.Lmemset_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemset_fill_exit: stc %r3,0(%r1) - br %r14 + BR_EX %r14 .Lmemset_xc: xc 0(1,%r1),0(%r1) .Lmemset_mvc: @@ -121,7 +124,7 @@ ENTRY(memcpy) .Lmemcpy_remainder: larl %r5,.Lmemcpy_mvc ex %r4,0(%r5) - br %r14 + BR_EX %r14 .Lmemcpy_loop: mvc 0(256,%r1),0(%r3) la %r1,256(%r1) @@ -159,10 +162,10 @@ ENTRY(__memset\bits) \insn %r3,0(%r1) larl %r5,.L__memset_mvc\bits ex %r4,0(%r5) - br %r14 + BR_EX %r14 .L__memset_exit\bits: \insn %r3,0(%r2) - br %r14 + BR_EX %r14 .L__memset_mvc\bits: mvc \bytes(1,%r1),0(%r1) .endm

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 91ba9f28a3de97761c2b5fd5df5d88421268e507 Mon Sep 17 00:00:00 2001 From: Deepak Rawat <drawat(a)vmware.com> Date: Tue, 15 May 2018 15:39:09 +0200 Subject: [PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful SOU primary plane prepare_fb hook depends upon dmabuf_size to pin up BO (and not call a new vmw_dmabuf_init) when a new fb size is same as current fb. This was changed in a recent commit which is causing page_flip to fail on VM with low display memory and multi-mon failure when cycle monitors from secondary display. Cc: <stable(a)vger.kernel.org> # 4.14, 4.16 Fixes: 20fb5a635a0c ("drm/vmwgfx: Unpin the screen object backup buffer when not used") Signed-off-by: Deepak Rawat <drawat(a)vmware.com> Reviewed-by: Sinclair Yeh <syeh(a)vmware.com> Signed-off-by: Thomas Hellstrom <thellstrom(a)vmware.com> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c index 648f8127f65a..3d667e903beb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -482,6 +482,8 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, return ret; } + vps->dmabuf_size = size; + /* * TTM already thinks the buffer is pinned, but make sure the * pin_count is upped.

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is" failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 91ba9f28a3de97761c2b5fd5df5d88421268e507 Mon Sep 17 00:00:00 2001 From: Deepak Rawat <drawat(a)vmware.com> Date: Tue, 15 May 2018 15:39:09 +0200 Subject: [PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful SOU primary plane prepare_fb hook depends upon dmabuf_size to pin up BO (and not call a new vmw_dmabuf_init) when a new fb size is same as current fb. This was changed in a recent commit which is causing page_flip to fail on VM with low display memory and multi-mon failure when cycle monitors from secondary display. Cc: <stable(a)vger.kernel.org> # 4.14, 4.16 Fixes: 20fb5a635a0c ("drm/vmwgfx: Unpin the screen object backup buffer when not used") Signed-off-by: Deepak Rawat <drawat(a)vmware.com> Reviewed-by: Sinclair Yeh <syeh(a)vmware.com> Signed-off-by: Thomas Hellstrom <thellstrom(a)vmware.com> diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c index 648f8127f65a..3d667e903beb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -482,6 +482,8 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, return ret; } + vps->dmabuf_size = size; + /* * TTM already thinks the buffer is pinned, but make sure the * pin_count is upped.

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] ARM64: dts: marvell: armada-cp110: Add clocks for the xmdio" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From a057344806d035cb9ac991619fa07854e807562d Mon Sep 17 00:00:00 2001 From: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Date: Wed, 25 Apr 2018 13:07:31 +0200 Subject: [PATCH] ARM64: dts: marvell: armada-cp110: Add clocks for the xmdio node The Marvell XSMI controller needs 3 clocks to operate correctly : - The MG clock (clk 5) - The MG Core clock (clk 6) - The GOP clock (clk 18) This commit adds them, to avoid system hangs when using these interfaces. [gregory.clement: use the real first commit to fix and add the cc:stable flag] Fixes: f66b2aff46ea ("arm64: dts: marvell: add xmdio nodes for 7k/8k") Cc: <stable(a)vger.kernel.org> Signed-off-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> diff --git a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi index 48cad7919efa..ca22f9d100f5 100644 --- a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi +++ b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi @@ -141,6 +141,8 @@ #size-cells = <0>; compatible = "marvell,xmdio"; reg = <0x12a600 0x10>; + clocks = <&CP110_LABEL(clk) 1 5>, + <&CP110_LABEL(clk) 1 6>, <&CP110_LABEL(clk) 1 18>; status = "disabled"; };

7 years, 3 months

1
0
0 0

FAILED: patch "[PATCH] ARM64: dts: marvell: armada-cp110: Add mg_core_clk for" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From f43194c1447c9536efb0859c2f3f46f6bf2b9154 Mon Sep 17 00:00:00 2001 From: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Date: Wed, 25 Apr 2018 20:19:47 +0200 Subject: [PATCH] ARM64: dts: marvell: armada-cp110: Add mg_core_clk for ethernet node Marvell PPv2.2 controller present on CP-110 need the extra "mg_core_clk" clock to avoid system hangs when powering some network interfaces up. This issue appeared after a recent clock rework on Armada 7K/8K platforms. This commit adds the new clock and updates the documentation accordingly. [gregory.clement: use the real first commit to fix and add the cc:stable flag] Fixes: e3af9f7c6ece ("RM64: dts: marvell: armada-cp110: Fix clock resources for various node") Cc: <stable(a)vger.kernel.org> Signed-off-by: Maxime Chevallier <maxime.chevallier(a)bootlin.com> Signed-off-by: Gregory CLEMENT <gregory.clement(a)bootlin.com> diff --git a/Documentation/devicetree/bindings/net/marvell-pp2.txt b/Documentation/devicetree/bindings/net/marvell-pp2.txt index 1814fa13f6ab..fc019df0d863 100644 --- a/Documentation/devicetree/bindings/net/marvell-pp2.txt +++ b/Documentation/devicetree/bindings/net/marvell-pp2.txt @@ -21,9 +21,10 @@ Required properties: - main controller clock (for both armada-375-pp2 and armada-7k-pp2) - GOP clock (for both armada-375-pp2 and armada-7k-pp2) - MG clock (only for armada-7k-pp2) + - MG Core clock (only for armada-7k-pp2) - AXI clock (only for armada-7k-pp2) -- clock-names: names of used clocks, must be "pp_clk", "gop_clk", "mg_clk" - and "axi_clk" (the 2 latter only for armada-7k-pp2). +- clock-names: names of used clocks, must be "pp_clk", "gop_clk", "mg_clk", + "mg_core_clk" and "axi_clk" (the 3 latter only for armada-7k-pp2). The ethernet ports are represented by subnodes. At least one port is required. @@ -80,8 +81,8 @@ cpm_ethernet: ethernet@0 { compatible = "marvell,armada-7k-pp22"; reg = <0x0 0x100000>, <0x129000 0xb000>; clocks = <&cpm_syscon0 1 3>, <&cpm_syscon0 1 9>, - <&cpm_syscon0 1 5>, <&cpm_syscon0 1 18>; - clock-names = "pp_clk", "gop_clk", "gp_clk", "axi_clk"; + <&cpm_syscon0 1 5>, <&cpm_syscon0 1 6>, <&cpm_syscon0 1 18>; + clock-names = "pp_clk", "gop_clk", "mg_clk", "mg_core_clk", "axi_clk"; eth0: eth0 { interrupts = <ICU_GRP_NSR 39 IRQ_TYPE_LEVEL_HIGH>, diff --git a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi index ca22f9d100f5..ed2f1237ea1e 100644 --- a/arch/arm64/boot/dts/marvell/armada-cp110.dtsi +++ b/arch/arm64/boot/dts/marvell/armada-cp110.dtsi @@ -38,9 +38,10 @@ compatible = "marvell,armada-7k-pp22"; reg = <0x0 0x100000>, <0x129000 0xb000>; clocks = <&CP110_LABEL(clk) 1 3>, <&CP110_LABEL(clk) 1 9>, - <&CP110_LABEL(clk) 1 5>, <&CP110_LABEL(clk) 1 18>; + <&CP110_LABEL(clk) 1 5>, <&CP110_LABEL(clk) 1 6>, + <&CP110_LABEL(clk) 1 18>; clock-names = "pp_clk", "gop_clk", - "mg_clk", "axi_clk"; + "mg_clk", "mg_core_clk", "axi_clk"; marvell,system-controller = <&CP110_LABEL(syscon0)>; status = "disabled"; dma-coherent;

7 years, 3 months

1
0
0 0

Please apply dd83c161fbcc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") to v4.9.y and older

by Guenter Roeck

Hi Greg, please apply commit dd83c161fbc ("kernel/exit.c: avoid undefined behaviour when calling wait4()") to v4.9.y and older to fix CVE-2018-10087. Thanks, Guenter

7 years, 3 months

2
4
0 0

FAILED: patch "[PATCH] vsprintf: Replace memory barrier with static_key for" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 85f4f12d51397f1648e1f4350f77e24039b82d61 Mon Sep 17 00:00:00 2001 From: "Steven Rostedt (VMware)" <rostedt(a)goodmis.org> Date: Tue, 15 May 2018 22:24:52 -0400 Subject: [PATCH] vsprintf: Replace memory barrier with static_key for random_ptr_key update Reviewing Tobin's patches for getting pointers out early before entropy has been established, I noticed that there's a lone smp_mb() in the code. As with most lone memory barriers, this one appears to be incorrectly used. We currently basically have this: get_random_bytes(&ptr_key, sizeof(ptr_key)); /* * have_filled_random_ptr_key==true is dependent on get_random_bytes(). * ptr_to_id() needs to see have_filled_random_ptr_key==true * after get_random_bytes() returns. */ smp_mb(); WRITE_ONCE(have_filled_random_ptr_key, true); And later we have: if (unlikely(!have_filled_random_ptr_key)) return string(buf, end, "(ptrval)", spec); /* Missing memory barrier here. */ hashval = (unsigned long)siphash_1u64((u64)ptr, &ptr_key); As the CPU can perform speculative loads, we could have a situation with the following: CPU0 CPU1 ---- ---- load ptr_key = 0 store ptr_key = random smp_mb() store have_filled_random_ptr_key load have_filled_random_ptr_key = true BAD BAD BAD! (you're so bad!) Because nothing prevents CPU1 from loading ptr_key before loading have_filled_random_ptr_key. But this race is very unlikely, but we can't keep an incorrect smp_mb() in place. Instead, replace the have_filled_random_ptr_key with a static_branch not_filled_random_ptr_key, that is initialized to true and changed to false when we get enough entropy. If the update happens in early boot, the static_key is updated immediately, otherwise it will have to wait till entropy is filled and this happens in an interrupt handler which can't enable a static_key, as that requires a preemptible context. In that case, a work_queue is used to enable it, as entropy already took too long to establish in the first place waiting a little more shouldn't hurt anything. The benefit of using the static key is that the unlikely branch in vsprintf() now becomes a nop. Link: http://lkml.kernel.org/r/20180515100558.21df515e@gandalf.local.home Cc: stable(a)vger.kernel.org Fixes: ad67b74d2469d ("printk: hash addresses printed with %p") Acked-by: Linus Torvalds <torvalds(a)linux-foundation.org> Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 30c0cb8cc9bc..23920c5ff728 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -1669,19 +1669,22 @@ char *pointer_string(char *buf, char *end, const void *ptr, return number(buf, end, (unsigned long int)ptr, spec); } -static bool have_filled_random_ptr_key __read_mostly; +static DEFINE_STATIC_KEY_TRUE(not_filled_random_ptr_key); static siphash_key_t ptr_key __read_mostly; -static void fill_random_ptr_key(struct random_ready_callback *unused) +static void enable_ptr_key_workfn(struct work_struct *work) { get_random_bytes(&ptr_key, sizeof(ptr_key)); - /* - * have_filled_random_ptr_key==true is dependent on get_random_bytes(). - * ptr_to_id() needs to see have_filled_random_ptr_key==true - * after get_random_bytes() returns. - */ - smp_mb(); - WRITE_ONCE(have_filled_random_ptr_key, true); + /* Needs to run from preemptible context */ + static_branch_disable(&not_filled_random_ptr_key); +} + +static DECLARE_WORK(enable_ptr_key_work, enable_ptr_key_workfn); + +static void fill_random_ptr_key(struct random_ready_callback *unused) +{ + /* This may be in an interrupt handler. */ + queue_work(system_unbound_wq, &enable_ptr_key_work); } static struct random_ready_callback random_ready = { @@ -1695,7 +1698,8 @@ static int __init initialize_ptr_random(void) if (!ret) { return 0; } else if (ret == -EALREADY) { - fill_random_ptr_key(&random_ready); + /* This is in preemptible context */ + enable_ptr_key_workfn(&enable_ptr_key_work); return 0; } @@ -1709,7 +1713,7 @@ static char *ptr_to_id(char *buf, char *end, void *ptr, struct printf_spec spec) unsigned long hashval; const int default_width = 2 * sizeof(ptr); - if (unlikely(!have_filled_random_ptr_key)) { + if (static_branch_unlikely(&not_filled_random_ptr_key)) { spec.field_width = default_width; /* string length must be less than default_width */ return string(buf, end, "(ptrval)", spec);

7 years, 3 months

2
1
0 0

[PATCH 4.16 00/55] 4.16.10-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.16.10 release. There are 55 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun May 20 08:14:42 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.16.10-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.16.10-rc1 Willy Tarreau <w(a)1wt.eu> proc: do not access cmdline nor environ from file-backed areas Dave Carroll <david.carroll(a)microsemi.com> scsi: aacraid: Correct hba_send to include iu_type Ursula Braun <ubraun(a)linux.ibm.com> net/smc: keep clcsock reference in smc_tcp_listen_work() Antoine Tenart <antoine.tenart(a)bootlin.com> net: phy: sfp: fix the BR,min computation Israel Rukshin <israelr(a)mellanox.com> net/mlx5: Fix mlx5_get_vector_affinity function Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> mlxsw: core: Fix an error handling path in 'mlxsw_core_bus_device_register()' Hangbin Liu <liuhangbin(a)gmail.com> ipv4: reset fnhe_mtu_locked after cache route flushed Mohammed Gamal <mgamal(a)redhat.com> hv_netvsc: Fix net device attach on older Windows hosts Eric Dumazet <edumazet(a)google.com> tipc: fix one byte leak in tipc_sk_set_orig_addr() Eric Dumazet <edumazet(a)google.com> tcp: restore autocorking Xin Long <lucien.xin(a)gmail.com> sctp: clear the new asoc's stream outcnt in sctp_stream_update John Hurley <john.hurley(a)netronome.com> nfp: flower: set tunnel ttl value to net default Florian Fainelli <f.fainelli(a)gmail.com> net: systemport: Correclty disambiguate driver instances Huy Nguyen <huyn(a)mellanox.com> net/mlx5e: DCBNL fix min inline header size for dscp Ido Schimmel <idosch(a)mellanox.com> mlxsw: spectrum_switchdev: Do not remove mrouter port from MDB's ports list Paolo Abeni <pabeni(a)redhat.com> udp: fix SO_BINDTODEVICE Eric Dumazet <edumazet(a)google.com> nsh: fix infinite loop Jianbo Liu <jianbol(a)mellanox.com> net/mlx5e: Allow offloading ipv4 header re-write for icmp Eric Dumazet <edumazet(a)google.com> ipv6: fix uninit-value in ip6_multipath_l3_keys() Stephen Hemminger <stephen(a)networkplumber.org> hv_netvsc: set master device Talat Batheesh <talatb(a)mellanox.com> net/mlx5: Avoid cleaning flow steering table twice during error flow Tariq Toukan <tariqt(a)mellanox.com> net/mlx5e: TX, Use correct counter in dma_map error flow Jiri Pirko <jiri(a)mellanox.com> net: sched: fix error path in tcf_proto_create() when modules are not configured Debabrata Banerjee <dbanerje(a)akamai.com> bonding: send learning packets for vlans on slave Debabrata Banerjee <dbanerje(a)akamai.com> bonding: do not allow rlb updates to invalid mac Michael Chan <michael.chan(a)broadcom.com> tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Yuchung Cheng <ycheng(a)google.com> tcp: ignore Fast Open on repair mode Neal Cardwell <ncardwell(a)google.com> tcp_bbr: fix to zero idle_restart only upon S/ACKed data Xin Long <lucien.xin(a)gmail.com> sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Xin Long <lucien.xin(a)gmail.com> sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Xin Long <lucien.xin(a)gmail.com> sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Xin Long <lucien.xin(a)gmail.com> sctp: fix the issue that the cookie-ack with auth can't get processed Xin Long <lucien.xin(a)gmail.com> sctp: delay the authentication for the duplicated cookie-echo chunk Eric Dumazet <edumazet(a)google.com> rds: do not leak kernel memory to user land Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix powering up RTL8168h Bjørn Mork <bjorn(a)mork.no> qmi_wwan: do not steal interfaces from class drivers Stefano Brivio <sbrivio(a)redhat.com> openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Andre Tomt <andre(a)tomt.net> net/tls: Fix connection stall on partial tls record Dave Watson <davejwatson(a)fb.com> net/tls: Don't recursively call push_record during tls_write_space callbacks Lance Richardson <lance.richardson.net(a)gmail.com> net: support compat 64-bit time in {s,g}etsockopt Ursula Braun <ubraun(a)linux.ibm.com> net/smc: restrict non-blocking connect finish Eric Dumazet <edumazet(a)google.com> net_sched: fq: take care of throttled flows before reuse Roman Mashak <mrv(a)mojatatu.com> net sched actions: fix refcnt leak in skbmod Adi Nissim <adin(a)mellanox.com> net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Roi Dayan <roid(a)mellanox.com> net/mlx5e: Err if asked to offload TC match on frag being first Moshe Shemesh <moshe(a)mellanox.com> net/mlx4_en: Verify coalescing parameters are in range Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' Grygorii Strashko <grygorii.strashko(a)ti.com> net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Rob Taglang <rob(a)taglang.io> net: ethernet: sun: niu set correct packet size in skb Eric Dumazet <edumazet(a)google.com> llc: better deal with too small mtu Andrey Ignatov <rdna(a)fb.com> ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Julian Anastasov <ja(a)ssi.bg> ipv4: fix fnhe usage by non-cached routes Eric Dumazet <edumazet(a)google.com> dccp: fix tasklet usage Hangbin Liu <liuhangbin(a)gmail.com> bridge: check iface upper dev when setting master via ioctl Ingo Molnar <mingo(a)elte.hu> 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() ------------- Diffstat: Makefile | 4 +- drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/net/bonding/bond_alb.c | 15 +-- drivers/net/bonding/bond_main.c | 2 + drivers/net/ethernet/broadcom/bcmsysport.c | 16 ++- drivers/net/ethernet/broadcom/tg3.c | 9 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 +++ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 8 +- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 8 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 +- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 20 ++-- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 23 ++-- drivers/net/ethernet/mellanox/mlxsw/core.c | 4 +- .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 12 +-- drivers/net/ethernet/netronome/nfp/flower/action.c | 10 +- drivers/net/ethernet/netronome/nfp/flower/cmsg.h | 5 +- drivers/net/ethernet/realtek/8139too.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 3 + drivers/net/ethernet/sun/niu.c | 5 +- drivers/net/ethernet/ti/cpsw.c | 2 + drivers/net/hyperv/netvsc_drv.c | 3 +- drivers/net/hyperv/rndis_filter.c | 2 +- drivers/net/phy/sfp-bus.c | 2 +- drivers/net/usb/qmi_wwan.c | 12 +++ drivers/scsi/aacraid/commsup.c | 8 +- fs/proc/base.c | 8 +- include/linux/mlx5/driver.h | 12 +-- include/linux/mm.h | 1 + include/net/bonding.h | 1 + include/net/tls.h | 1 + mm/gup.c | 3 + net/bridge/br_if.c | 4 +- net/compat.c | 6 +- net/dccp/ccids/ccid2.c | 14 ++- net/dccp/timer.c | 2 +- net/ipv4/ping.c | 7 +- net/ipv4/route.c | 119 ++++++++++----------- net/ipv4/tcp.c | 5 +- net/ipv4/tcp_bbr.c | 4 +- net/ipv4/udp.c | 11 +- net/ipv6/route.c | 7 +- net/ipv6/udp.c | 4 +- net/llc/af_llc.c | 3 + net/nsh/nsh.c | 4 + net/openvswitch/flow_netlink.c | 9 +- net/rds/recv.c | 1 + net/sched/act_skbmod.c | 5 +- net/sched/cls_api.c | 2 +- net/sched/sch_fq.c | 37 ++++--- net/sctp/associola.c | 30 +++++- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 3 + net/sctp/sm_statefuns.c | 88 ++++++++------- net/sctp/stream.c | 2 + net/sctp/ulpevent.c | 1 - net/smc/af_smc.c | 18 ++-- net/tipc/socket.c | 3 +- net/tls/tls_main.c | 8 ++ 60 files changed, 398 insertions(+), 245 deletions(-)

7 years, 3 months

4
60
0 0

[PATCH] blk-mq: avoid to starve tag allocation after allocation process migrates

by Ming Lei

When the allocation process is scheduled back and the mapped hw queue is changed, do one extra wake up on orignal queue for compensating wake up miss, so other allocations on the orignal queue won't be starved. This patch fixes one request allocation hang issue, which can be triggered easily in case of very low nr_request. Cc: <stable(a)vger.kernel.org> Cc: Omar Sandoval <osandov(a)fb.com> Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- block/blk-mq-tag.c | 13 +++++++++++++ include/linux/sbitmap.h | 7 +++++++ lib/sbitmap.c | 6 ++++++ 3 files changed, 26 insertions(+) diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c index 336dde07b230..a965db489f98 100644 --- a/block/blk-mq-tag.c +++ b/block/blk-mq-tag.c @@ -134,6 +134,8 @@ unsigned int blk_mq_get_tag(struct blk_mq_alloc_data *data) ws = bt_wait_ptr(bt, data->hctx); drop_ctx = data->ctx == NULL; do { + struct sbitmap_queue *bt_orig; + /* * We're out of tags on this hardware queue, kick any * pending IO submits before going to sleep waiting for @@ -159,6 +161,7 @@ unsigned int blk_mq_get_tag(struct blk_mq_alloc_data *data) if (data->ctx) blk_mq_put_ctx(data->ctx); + bt_orig = bt; io_schedule(); data->ctx = blk_mq_get_ctx(data->q); @@ -170,6 +173,16 @@ unsigned int blk_mq_get_tag(struct blk_mq_alloc_data *data) bt = &tags->bitmap_tags; finish_wait(&ws->wait, &wait); + + /* + * If destination hw queue is changed, wake up original + * queue one extra time for compensating the wake up + * miss, so other allocations on original queue won't + * be starved. + */ + if (bt != bt_orig) + sbitmap_queue_wake(bt_orig); + ws = bt_wait_ptr(bt, data->hctx); } while (1); diff --git a/include/linux/sbitmap.h b/include/linux/sbitmap.h index 841585f6e5f2..b23f50355281 100644 --- a/include/linux/sbitmap.h +++ b/include/linux/sbitmap.h @@ -484,6 +484,13 @@ static inline struct sbq_wait_state *sbq_wait_ptr(struct sbitmap_queue *sbq, void sbitmap_queue_wake_all(struct sbitmap_queue *sbq); /** + * sbitmap_wake_up() - Do a regular wake up compensation if the queue + * allocated from is changed after scheduling back. + * @sbq: Bitmap queue to wake up. + */ +void sbitmap_queue_wake_up(struct sbitmap_queue *sbq); + +/** * sbitmap_queue_show() - Dump &struct sbitmap_queue information to a &struct * seq_file. * @sbq: Bitmap queue to show. diff --git a/lib/sbitmap.c b/lib/sbitmap.c index e6a9c06ec70c..c6ae4206bcb1 100644 --- a/lib/sbitmap.c +++ b/lib/sbitmap.c @@ -466,6 +466,12 @@ static void sbq_wake_up(struct sbitmap_queue *sbq) } } +void sbitmap_queue_wake_up(struct sbitmap_queue *sbq) +{ + sbq_wake_up(sbq); +} +EXPORT_SYMBOL_GPL(sbitmap_queue_wake_up); + void sbitmap_queue_clear(struct sbitmap_queue *sbq, unsigned int nr, unsigned int cpu) { -- 2.9.5

7 years, 3 months

1
0
0 0

[PATCH] x86/mm: Drop TS_COMPAT on 64-bit exec() syscall

by Dmitry Safonov

The x86 mmap() code selects the mmap base for an allocation depending on the bitness of the syscall. For 64bit sycalls it select mm->mmap_base and for 32bit mm->mmap_compat_base. exec() calls mmap() which in turn uses in_compat_syscall() to check whether the mapping is for a 32bit or a 64bit task. The decision is made on the following criteria: ia32 child->thread.status & TS_COMPAT x32 child->pt_regs.orig_ax & __X32_SYSCALL_BIT ia64 !ia32 && !x32 __set_personality_x32() was dropping TS_COMPAT flag, but set_personality_64bit() has kept compat syscall flag making in_compat_syscall() return true during the first exec() syscall. Which in result has user-visible effects, mentioned by Alexey: 1) It breaks ASAN $ gcc -fsanitize=address wrap.c -o wrap-asan $ ./wrap32 ./wrap-asan true ==1217==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING. ==1217==ASan shadow was supposed to be located in the [0x00007fff7000-0x10007fff7fff] range. ==1217==Process memory map follows: 0x000000400000-0x000000401000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x000000600000-0x000000601000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x000000601000-0x000000602000 /home/izbyshev/test/gcc/asan-exec-from-32bit/wrap-asan 0x0000f7dbd000-0x0000f7de2000 /lib64/ld-2.27.so 0x0000f7fe2000-0x0000f7fe3000 /lib64/ld-2.27.so 0x0000f7fe3000-0x0000f7fe4000 /lib64/ld-2.27.so 0x0000f7fe4000-0x0000f7fe5000 0x7fed9abff000-0x7fed9af54000 0x7fed9af54000-0x7fed9af6b000 /lib64/libgcc_s.so.1 [snip] 2) It doesn't seem to be great for security if an attacker always knows that ld.so is going to be mapped into the first 4GB in this case (the same thing happens for PIEs as well). The testcase: $ cat wrap.c int main(int argc, char *argv[]) { execvp(argv[1], &argv[1]); return 127; } $ gcc wrap.c -o wrap $ LD_SHOW_AUXV=1 ./wrap ./wrap true |& grep AT_BASE AT_BASE: 0x7f63b8309000 AT_BASE: 0x7faec143c000 AT_BASE: 0x7fbdb25fa000 $ gcc -m32 wrap.c -o wrap32 $ LD_SHOW_AUXV=1 ./wrap32 ./wrap true |& grep AT_BASE AT_BASE: 0xf7eff000 AT_BASE: 0xf7cee000 AT_BASE: 0x7f8b9774e000 Fixes: commit 1b028f784e8c ("x86/mm: Introduce mmap_compat_base() for 32-bit mmap()") commit ada26481dfe6 ("x86/mm: Make in_compat_syscall() work during exec") Cc: Borislav Petkov <bp(a)suse.de> Cc: Cyrill Gorcunov <gorcunov(a)openvz.org> Cc: Dmitry Safonov <0x7f454c46(a)gmail.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: <linux-mm(a)kvack.org> Cc: <x86(a)kernel.org> Cc: <stable(a)vger.kernel.org> # v4.12+ Reported-by: Alexey Izbyshev <izbyshev(a)ispras.ru> Bisected-by: Alexander Monakov <amonakov(a)ispras.ru> Investigated-by: Andy Lutomirski <luto(a)kernel.org> Signed-off-by: Dmitry Safonov <dima(a)arista.com> --- arch/x86/kernel/process_64.c | 1 + 1 file changed, 1 insertion(+) diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c index 4b100fe0f508..12bb445fb98d 100644 --- a/arch/x86/kernel/process_64.c +++ b/arch/x86/kernel/process_64.c @@ -542,6 +542,7 @@ void set_personality_64bit(void) clear_thread_flag(TIF_X32); /* Pretend that this comes from a 64bit execve */ task_pt_regs(current)->orig_ax = __NR_execve; + current_thread_info()->status &= ~TS_COMPAT; /* Ensure the corresponding mm is not marked. */ if (current->mm) -- 2.13.6

7 years, 4 months

4
10
0 0

[patch 09/10] mm: don't allow deferred pages with NEED_PER_CPU_KM

by akpm＠linux-foundation.org

From: Pavel Tatashin <pasha.tatashin(a)oracle.com> Subject: mm: don't allow deferred pages with NEED_PER_CPU_KM It is unsafe to do virtual to physical translations before mm_init() is called if struct page is needed in order to determine the memory section number (see SECTION_IN_PAGE_FLAGS). This is because only in mm_init() we initialize struct pages for all the allocated memory when deferred struct pages are used. My recent fix c9e97a1997 ("mm: initialize pages on demand during boot") exposed this problem, because it greatly reduced number of pages that are initialized before mm_init(), but the problem existed even before my fix, as Fengguang Wu found. Below is a more detailed explanation of the problem. We initialize struct pages in four places: 1. Early in boot a small set of struct pages is initialized to fill the first section, and lower zones. 2. During mm_init() we initialize "struct pages" for all the memory that is allocated, i.e reserved in memblock. 3. Using on-demand logic when pages are allocated after mm_init call (when memblock is finished) 4. After smp_init() when the rest free deferred pages are initialized. The problem occurs if we try to do va to phys translation of a memory between steps 1 and 2. Because we have not yet initialized struct pages for all the reserved pages, it is inherently unsafe to do va to phys if the translation itself requires access of "struct page" as in case of this combination: CONFIG_SPARSE && !CONFIG_SPARSE_VMEMMAP The following path exposes the problem: start_kernel() trap_init() setup_cpu_entry_areas() setup_cpu_entry_area(cpu) get_cpu_gdt_paddr(cpu) per_cpu_ptr_to_phys(addr) pcpu_addr_to_page(addr) virt_to_page(addr) pfn_to_page(__pa(addr) >> PAGE_SHIFT) We disable this path by not allowing NEED_PER_CPU_KM with deferred struct pages feature. The problems are discussed in these threads: http://lkml.kernel.org/r/20180418135300.inazvpxjxowogyge@wfg-t540p.sh.intel… http://lkml.kernel.org/r/20180419013128.iurzouiqxvcnpbvz@wfg-t540p.sh.intel… http://lkml.kernel.org/r/20180426202619.2768-1-pasha.tatashin@oracle.com Link: http://lkml.kernel.org/r/20180515175124.1770-1-pasha.tatashin@oracle.com Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set") Signed-off-by: Pavel Tatashin <pasha.tatashin(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Steven Sistare <steven.sistare(a)oracle.com> Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Fengguang Wu <fengguang.wu(a)intel.com> Cc: Dennis Zhou <dennisszhou(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff -puN mm/Kconfig~mm-dont-allow-deferred-pages-with-need_per_cpu_km mm/Kconfig --- a/mm/Kconfig~mm-dont-allow-deferred-pages-with-need_per_cpu_km +++ a/mm/Kconfig @@ -636,6 +636,7 @@ config DEFERRED_STRUCT_PAGE_INIT default n depends on NO_BOOTMEM depends on !FLATMEM + depends on !NEED_PER_CPU_KM help Ordinarily all struct pages are initialised during early boot in a single thread. On very large machines this can take a considerable _

7 years, 4 months

1
0
0 0

[patch 07/10] radix tree: fix multi-order iteration race

by akpm＠linux-foundation.org

From: Ross Zwisler <ross.zwisler(a)linux.intel.com> Subject: radix tree: fix multi-order iteration race Fix a race in the multi-order iteration code which causes the kernel to hit a GP fault. This was first seen with a production v4.15 based kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used order 9 PMD DAX entries. The race has to do with how we tear down multi-order sibling entries when we are removing an item from the tree. Remember for example that an order 2 entry looks like this: struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] where 'entry' is in some slot in the struct radix_tree_node, and the three slots following 'entry' contain sibling pointers which point back to 'entry.' When we delete 'entry' from the tree, we call : radix_tree_delete() radix_tree_delete_item() __radix_tree_delete() replace_slot() replace_slot() first removes the siblings in order from the first to the last, then at then replaces 'entry' with NULL. This means that for a brief period of time we end up with one or more of the siblings removed, so: struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] This causes an issue if you have a reader iterating over the slots in the tree via radix_tree_for_each_slot() while only under rcu_read_lock()/rcu_read_unlock() protection. This is a common case in mm/filemap.c. The issue is that when __radix_tree_next_slot() => skip_siblings() tries to skip over the sibling entries in the slots, it currently does so with an exact match on the slot directly preceding our current slot. Normally this works: V preceding slot struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] ^ current slot This lets you find the first sibling, and you skip them all in order. But in the case where one of the siblings is NULL, that slot is skipped and then our sibling detection is interrupted: V preceding slot struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] ^ current slot This means that the sibling pointers aren't recognized since they point all the way back to 'entry', so we think that they are normal internal radix tree pointers. This causes us to think we need to walk down to a struct radix_tree_node starting at the address of 'entry'. In a real running kernel this will crash the thread with a GP fault when you try and dereference the slots in your broken node starting at 'entry'. We fix this race by fixing the way that skip_siblings() detects sibling nodes. Instead of testing against the preceding slot we instead look for siblings via is_sibling_entry() which compares against the position of the struct radix_tree_node.slots[] array. This ensures that sibling entries are properly identified, even if they are no longer contiguous with the 'entry' they point to. Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators") Signed-off-by: Ross Zwisler <ross.zwisler(a)linux.intel.com> Reported-by: CR, Sapthagirish <sapthagirish.cr(a)intel.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Dave Chinner <david(a)fromorbit.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/radix-tree.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff -puN lib/radix-tree.c~radix-tree-fix-multi-order-iteration-race lib/radix-tree.c --- a/lib/radix-tree.c~radix-tree-fix-multi-order-iteration-race +++ a/lib/radix-tree.c @@ -1612,11 +1612,9 @@ static void set_iter_tags(struct radix_t static void __rcu **skip_siblings(struct radix_tree_node **nodep, void __rcu **slot, struct radix_tree_iter *iter) { - void *sib = node_to_entry(slot - 1); - while (iter->index < iter->next_index) { *nodep = rcu_dereference_raw(*slot); - if (*nodep && *nodep != sib) + if (*nodep && !is_sibling_entry(iter->node, *nodep)) return slot; slot++; iter->index = __radix_tree_iter_add(iter, 1); @@ -1631,7 +1629,7 @@ void __rcu **__radix_tree_next_slot(void struct radix_tree_iter *iter, unsigned flags) { unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK; - struct radix_tree_node *node = rcu_dereference_raw(*slot); + struct radix_tree_node *node; slot = skip_siblings(&node, slot, iter); _

7 years, 4 months

1
0
0 0

[patch 01/10] lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly

by akpm＠linux-foundation.org

From: Matthew Wilcox <mawilcox(a)microsoft.com> Subject: lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly I had neglected to increment the error counter when the tests failed, which made the tests noisy when they fail, but not actually return an error code. Link: http://lkml.kernel.org/r/20180509114328.9887-1-mpe@ellerman.id.au Fixes: 3cc78125a081 ("lib/test_bitmap.c: add optimisation tests") Signed-off-by: Matthew Wilcox <mawilcox(a)microsoft.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Reported-by: Michael Ellerman <mpe(a)ellerman.id.au> Tested-by: Michael Ellerman <mpe(a)ellerman.id.au> Reviewed-by: Kees Cook <keescook(a)chromium.org> Cc: Yury Norov <ynorov(a)caviumnetworks.com> Cc: Andy Shevchenko <andriy.shevchenko(a)linux.intel.com> Cc: Geert Uytterhoeven <geert(a)linux-m68k.org> Cc: <stable(a)vger.kernel.org> [4.13+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/test_bitmap.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff -puN lib/test_bitmap.c~lib-test_bitmapc-fix-bitmap-optimisation-tests-to-report-errors-correctly lib/test_bitmap.c --- a/lib/test_bitmap.c~lib-test_bitmapc-fix-bitmap-optimisation-tests-to-report-errors-correctly +++ a/lib/test_bitmap.c @@ -331,23 +331,32 @@ static void noinline __init test_mem_opt unsigned int start, nbits; for (start = 0; start < 1024; start += 8) { - memset(bmap1, 0x5a, sizeof(bmap1)); - memset(bmap2, 0x5a, sizeof(bmap2)); for (nbits = 0; nbits < 1024 - start; nbits += 8) { + memset(bmap1, 0x5a, sizeof(bmap1)); + memset(bmap2, 0x5a, sizeof(bmap2)); + bitmap_set(bmap1, start, nbits); __bitmap_set(bmap2, start, nbits); - if (!bitmap_equal(bmap1, bmap2, 1024)) + if (!bitmap_equal(bmap1, bmap2, 1024)) { printk("set not equal %d %d\n", start, nbits); - if (!__bitmap_equal(bmap1, bmap2, 1024)) + failed_tests++; + } + if (!__bitmap_equal(bmap1, bmap2, 1024)) { printk("set not __equal %d %d\n", start, nbits); + failed_tests++; + } bitmap_clear(bmap1, start, nbits); __bitmap_clear(bmap2, start, nbits); - if (!bitmap_equal(bmap1, bmap2, 1024)) + if (!bitmap_equal(bmap1, bmap2, 1024)) { printk("clear not equal %d %d\n", start, nbits); - if (!__bitmap_equal(bmap1, bmap2, 1024)) + failed_tests++; + } + if (!__bitmap_equal(bmap1, bmap2, 1024)) { printk("clear not __equal %d %d\n", start, nbits); + failed_tests++; + } } } } _

7 years, 4 months

1
0
0 0

[PATCH v11 01/10] media: v4l: vsp1: Release buffers for each video node

by Kieran Bingham

From: Kieran Bingham <kieran.bingham+renesas(a)ideasonboard.com> Commit 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path") introduced a helper to clean up buffers on error paths, but inadvertently changed the code such that only the output WPF buffers were cleaned, rather than the video node being operated on. Since then vsp1_video_cleanup_pipeline() has grown to perform both video node cleanup, as well as pipeline cleanup. Split the implementation into two distinct functions that perform the required work, so that each video node can release it's buffers correctly on streamoff. The pipe cleanup that was performed in the vsp1_video_stop_streaming() (releasing the pipe->dl) is moved to the function for clarity. Fixes: 372b2b0399fc ("media: v4l: vsp1: Release buffers in start_streaming error path") Cc: stable(a)vger.kernel.org # v4.13+ Signed-off-by: Kieran Bingham <kieran.bingham+renesas(a)ideasonboard.com> --- drivers/media/platform/vsp1/vsp1_video.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/drivers/media/platform/vsp1/vsp1_video.c b/drivers/media/platform/vsp1/vsp1_video.c index c8c12223a267..ba89dd176a13 100644 --- a/drivers/media/platform/vsp1/vsp1_video.c +++ b/drivers/media/platform/vsp1/vsp1_video.c @@ -842,9 +842,8 @@ static int vsp1_video_setup_pipeline(struct vsp1_pipeline *pipe) return 0; } -static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) +static void vsp1_video_release_buffers(struct vsp1_video *video) { - struct vsp1_video *video = pipe->output->video; struct vsp1_vb2_buffer *buffer; unsigned long flags; @@ -854,12 +853,18 @@ static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) vb2_buffer_done(&buffer->buf.vb2_buf, VB2_BUF_STATE_ERROR); INIT_LIST_HEAD(&video->irqqueue); spin_unlock_irqrestore(&video->irqlock, flags); +} + +static void vsp1_video_cleanup_pipeline(struct vsp1_pipeline *pipe) +{ + lockdep_assert_held(&pipe->lock); /* Release our partition table allocation */ - mutex_lock(&pipe->lock); kfree(pipe->part_table); pipe->part_table = NULL; - mutex_unlock(&pipe->lock); + + vsp1_dl_list_put(pipe->dl); + pipe->dl = NULL; } static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) @@ -874,8 +879,9 @@ static int vsp1_video_start_streaming(struct vb2_queue *vq, unsigned int count) if (pipe->stream_count == pipe->num_inputs) { ret = vsp1_video_setup_pipeline(pipe); if (ret < 0) { - mutex_unlock(&pipe->lock); + vsp1_video_release_buffers(video); vsp1_video_cleanup_pipeline(pipe); + mutex_unlock(&pipe->lock); return ret; } @@ -925,13 +931,12 @@ static void vsp1_video_stop_streaming(struct vb2_queue *vq) if (ret == -ETIMEDOUT) dev_err(video->vsp1->dev, "pipeline stop timeout\n"); - vsp1_dl_list_put(pipe->dl); - pipe->dl = NULL; + vsp1_video_cleanup_pipeline(pipe); } mutex_unlock(&pipe->lock); media_pipeline_stop(&video->video.entity); - vsp1_video_cleanup_pipeline(pipe); + vsp1_video_release_buffers(video); vsp1_video_pipeline_put(pipe); } -- git-series 0.9.1

7 years, 4 months

3
2
0 0

[PATCH 4.9 00/33] 4.9.101-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.101 release. There are 33 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun May 20 08:15:20 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.101-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.101-rc1 Willy Tarreau <w(a)1wt.eu> proc: do not access cmdline nor environ from file-backed areas Jakub Kicinski <jakub.kicinski(a)netronome.com> nfp: TX time stamp packets before HW doorbell is rung James Chapman <jchapman(a)katalix.com> l2tp: revert "l2tp: fix missing print session offset info" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: imx6qdl-wandboard: Fix audio channel swap" Vasily Averin <vvs(a)virtuozzo.com> lockd: lost rollback of set_grace_period() in lockd_down_net() Antony Antony <antony(a)phenome.org> xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) Jiri Slaby <jslaby(a)suse.cz> futex: Remove duplicated code and fix undefined behaviour Alexey Khoroshilov <khoroshilov(a)ispras.ru> serial: sccnxp: Fix error handling in sccnxp_probe() Xin Long <lucien.xin(a)gmail.com> sctp: delay the authentication for the duplicated cookie-echo chunk Xin Long <lucien.xin(a)gmail.com> sctp: fix the issue that the cookie-ack with auth can't get processed Yuchung Cheng <ycheng(a)google.com> tcp: ignore Fast Open on repair mode Debabrata Banerjee <dbanerje(a)akamai.com> bonding: send learning packets for vlans on slave Talat Batheesh <talatb(a)mellanox.com> net/mlx5: Avoid cleaning flow steering table twice during error flow Debabrata Banerjee <dbanerje(a)akamai.com> bonding: do not allow rlb updates to invalid mac Michael Chan <michael.chan(a)broadcom.com> tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Neal Cardwell <ncardwell(a)google.com> tcp_bbr: fix to zero idle_restart only upon S/ACKed data Xin Long <lucien.xin(a)gmail.com> sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Xin Long <lucien.xin(a)gmail.com> sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Xin Long <lucien.xin(a)gmail.com> sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix powering up RTL8168h Bjørn Mork <bjorn(a)mork.no> qmi_wwan: do not steal interfaces from class drivers Stefano Brivio <sbrivio(a)redhat.com> openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Lance Richardson <lance.richardson.net(a)gmail.com> net: support compat 64-bit time in {s,g}etsockopt Eric Dumazet <edumazet(a)google.com> net_sched: fq: take care of throttled flows before reuse Adi Nissim <adin(a)mellanox.com> net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Moshe Shemesh <moshe(a)mellanox.com> net/mlx4_en: Verify coalescing parameters are in range Grygorii Strashko <grygorii.strashko(a)ti.com> net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Rob Taglang <rob(a)taglang.io> net: ethernet: sun: niu set correct packet size in skb Eric Dumazet <edumazet(a)google.com> llc: better deal with too small mtu Andrey Ignatov <rdna(a)fb.com> ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Eric Dumazet <edumazet(a)google.com> dccp: fix tasklet usage Hangbin Liu <liuhangbin(a)gmail.com> bridge: check iface upper dev when setting master via ioctl Ingo Molnar <mingo(a)elte.hu> 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() ------------- Diffstat: Makefile | 4 +- arch/alpha/include/asm/futex.h | 26 ++----- arch/arc/include/asm/futex.h | 40 ++-------- arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 - arch/arm/include/asm/futex.h | 26 +------ arch/arm64/include/asm/futex.h | 27 +------ arch/frv/include/asm/futex.h | 3 +- arch/frv/kernel/futex.c | 27 +------ arch/hexagon/include/asm/futex.h | 38 +-------- arch/ia64/include/asm/futex.h | 25 +----- arch/microblaze/include/asm/futex.h | 38 +-------- arch/mips/include/asm/futex.h | 25 +----- arch/parisc/include/asm/futex.h | 26 +------ arch/powerpc/include/asm/futex.h | 26 ++----- arch/s390/include/asm/futex.h | 23 ++---- arch/sh/include/asm/futex.h | 26 +------ arch/sparc/include/asm/futex_64.h | 26 ++----- arch/tile/include/asm/futex.h | 40 ++-------- arch/x86/include/asm/futex.h | 40 ++-------- arch/xtensa/include/asm/futex.h | 27 ++----- drivers/net/bonding/bond_alb.c | 15 ++-- drivers/net/bonding/bond_main.c | 2 + drivers/net/ethernet/broadcom/tg3.c | 9 ++- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 ++++ drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 ++- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 21 +++-- .../net/ethernet/netronome/nfp/nfp_net_common.c | 4 +- drivers/net/ethernet/realtek/8139too.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 3 + drivers/net/ethernet/sun/niu.c | 5 +- drivers/net/ethernet/ti/cpsw.c | 2 + drivers/net/usb/qmi_wwan.c | 12 +++ drivers/tty/serial/sccnxp.c | 13 +++- fs/lockd/svc.c | 2 + fs/proc/base.c | 10 +-- include/asm-generic/futex.h | 50 +++--------- include/linux/mm.h | 1 + include/net/bonding.h | 1 + kernel/futex.c | 39 ++++++++++ mm/gup.c | 3 + net/bridge/br_if.c | 4 +- net/compat.c | 6 +- net/dccp/ccids/ccid2.c | 14 +++- net/dccp/timer.c | 2 +- net/ipv4/ping.c | 7 +- net/ipv4/tcp.c | 2 +- net/ipv4/tcp_bbr.c | 4 +- net/ipv4/udp.c | 7 +- net/l2tp/l2tp_netlink.c | 2 - net/llc/af_llc.c | 3 + net/openvswitch/flow_netlink.c | 9 +-- net/sched/sch_fq.c | 37 ++++++--- net/sctp/associola.c | 30 +++++++- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 3 + net/sctp/sm_statefuns.c | 89 ++++++++++++---------- net/sctp/ulpevent.c | 1 - net/xfrm/xfrm_state.c | 1 + 59 files changed, 380 insertions(+), 585 deletions(-)

7 years, 4 months

5
37
0 0

[PATCH 4.14 00/45] 4.14.42-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.42 release. There are 45 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun May 20 08:15:14 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.42-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.42-rc1 Willy Tarreau <w(a)1wt.eu> proc: do not access cmdline nor environ from file-backed areas James Chapman <jchapman(a)katalix.com> l2tp: revert "l2tp: fix missing print session offset info" Antony Antony <antony(a)phenome.org> xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM) ethanwu <ethanwu(a)synology.com> btrfs: Take trans lock before access running trans in check_delayed_ref Herbert Xu <herbert(a)gondor.apana.org.au> xfrm: Use __skb_queue_tail in xfrm_trans_queue Dave Carroll <david.carroll(a)microsemi.com> scsi: aacraid: Correct hba_send to include iu_type Paolo Abeni <pabeni(a)redhat.com> udp: fix SO_BINDTODEVICE Eric Dumazet <edumazet(a)google.com> nsh: fix infinite loop Jianbo Liu <jianbol(a)mellanox.com> net/mlx5e: Allow offloading ipv4 header re-write for icmp Eric Dumazet <edumazet(a)google.com> ipv6: fix uninit-value in ip6_multipath_l3_keys() Stephen Hemminger <stephen(a)networkplumber.org> hv_netvsc: set master device Talat Batheesh <talatb(a)mellanox.com> net/mlx5: Avoid cleaning flow steering table twice during error flow Tariq Toukan <tariqt(a)mellanox.com> net/mlx5e: TX, Use correct counter in dma_map error flow Jiri Pirko <jiri(a)mellanox.com> net: sched: fix error path in tcf_proto_create() when modules are not configured Debabrata Banerjee <dbanerje(a)akamai.com> bonding: send learning packets for vlans on slave Debabrata Banerjee <dbanerje(a)akamai.com> bonding: do not allow rlb updates to invalid mac Michael Chan <michael.chan(a)broadcom.com> tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent(). Yuchung Cheng <ycheng(a)google.com> tcp: ignore Fast Open on repair mode Neal Cardwell <ncardwell(a)google.com> tcp_bbr: fix to zero idle_restart only upon S/ACKed data Xin Long <lucien.xin(a)gmail.com> sctp: use the old asoc when making the cookie-ack chunk in dupcook_d Xin Long <lucien.xin(a)gmail.com> sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Xin Long <lucien.xin(a)gmail.com> sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr Xin Long <lucien.xin(a)gmail.com> sctp: fix the issue that the cookie-ack with auth can't get processed Xin Long <lucien.xin(a)gmail.com> sctp: delay the authentication for the duplicated cookie-echo chunk Eric Dumazet <edumazet(a)google.com> rds: do not leak kernel memory to user land Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix powering up RTL8168h Bjørn Mork <bjorn(a)mork.no> qmi_wwan: do not steal interfaces from class drivers Stefano Brivio <sbrivio(a)redhat.com> openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found Andre Tomt <andre(a)tomt.net> net/tls: Fix connection stall on partial tls record Dave Watson <davejwatson(a)fb.com> net/tls: Don't recursively call push_record during tls_write_space callbacks Lance Richardson <lance.richardson.net(a)gmail.com> net: support compat 64-bit time in {s,g}etsockopt Eric Dumazet <edumazet(a)google.com> net_sched: fq: take care of throttled flows before reuse Roman Mashak <mrv(a)mojatatu.com> net sched actions: fix refcnt leak in skbmod Adi Nissim <adin(a)mellanox.com> net/mlx5: E-Switch, Include VF RDMA stats in vport statistics Roi Dayan <roid(a)mellanox.com> net/mlx5e: Err if asked to offload TC match on frag being first Moshe Shemesh <moshe(a)mellanox.com> net/mlx4_en: Verify coalescing parameters are in range Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()' Grygorii Strashko <grygorii.strashko(a)ti.com> net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode Rob Taglang <rob(a)taglang.io> net: ethernet: sun: niu set correct packet size in skb Eric Dumazet <edumazet(a)google.com> llc: better deal with too small mtu Andrey Ignatov <rdna(a)fb.com> ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg Julian Anastasov <ja(a)ssi.bg> ipv4: fix fnhe usage by non-cached routes Eric Dumazet <edumazet(a)google.com> dccp: fix tasklet usage Hangbin Liu <liuhangbin(a)gmail.com> bridge: check iface upper dev when setting master via ioctl Ingo Molnar <mingo(a)elte.hu> 8139too: Use disable_irq_nosync() in rtl8139_poll_controller() ------------- Diffstat: Makefile | 4 +- drivers/net/bonding/bond_alb.c | 15 +-- drivers/net/bonding/bond_main.c | 2 + drivers/net/ethernet/broadcom/tg3.c | 9 +- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 16 +++ drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 8 +- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 7 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 7 +- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 20 ++-- drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 11 +- drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 23 +++-- drivers/net/ethernet/realtek/8139too.c | 2 +- drivers/net/ethernet/realtek/r8169.c | 3 + drivers/net/ethernet/sun/niu.c | 5 +- drivers/net/ethernet/ti/cpsw.c | 2 + drivers/net/hyperv/netvsc_drv.c | 3 +- drivers/net/usb/qmi_wwan.c | 12 +++ drivers/scsi/aacraid/commsup.c | 8 +- fs/btrfs/extent-tree.c | 7 ++ fs/proc/base.c | 8 +- include/linux/mm.h | 1 + include/net/bonding.h | 1 + include/net/tls.h | 1 + mm/gup.c | 3 + net/bridge/br_if.c | 4 +- net/compat.c | 6 +- net/dccp/ccids/ccid2.c | 14 ++- net/dccp/timer.c | 2 +- net/ipv4/ping.c | 7 +- net/ipv4/route.c | 118 ++++++++++------------ net/ipv4/tcp.c | 3 +- net/ipv4/tcp_bbr.c | 4 +- net/ipv4/udp.c | 11 +- net/ipv6/route.c | 7 +- net/ipv6/udp.c | 4 +- net/l2tp/l2tp_netlink.c | 2 - net/llc/af_llc.c | 3 + net/nsh/nsh.c | 2 + net/openvswitch/flow_netlink.c | 9 +- net/rds/recv.c | 1 + net/sched/act_skbmod.c | 5 +- net/sched/cls_api.c | 2 +- net/sched/sch_fq.c | 37 ++++--- net/sctp/associola.c | 30 +++++- net/sctp/inqueue.c | 2 +- net/sctp/ipv6.c | 3 + net/sctp/sm_statefuns.c | 88 ++++++++-------- net/sctp/ulpevent.c | 1 - net/tls/tls_main.c | 8 ++ net/xfrm/xfrm_input.c | 2 +- net/xfrm/xfrm_state.c | 1 + 51 files changed, 349 insertions(+), 205 deletions(-)

7 years, 4 months

4
47
0 0

[PATCH] drm/psr: Fix missed entry in PSR setup time table.

by Dhinakaran Pandiyan

Entry corresponding to 220 us setup time was missing. I am not aware of any specific bug this fixes, but this could potentially result in enabling PSR on a panel with a higher setup time requirement than supported by the hardware. I verified the value is present in eDP spec versions 1.3, 1.4 and 1.4a. Fixes: 6608804b3d7f ("drm/dp: Add drm_dp_psr_setup_time()") Cc: stable(a)vger.kernel.org Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Cc: Jose Roberto de Souza <jose.souza(a)intel.com> Signed-off-by: Dhinakaran Pandiyan <dhinakaran.pandiyan(a)intel.com> --- drivers/gpu/drm/drm_dp_helper.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/gpu/drm/drm_dp_helper.c b/drivers/gpu/drm/drm_dp_helper.c index 36c7609a4bd5..a7ba602a43a8 100644 --- a/drivers/gpu/drm/drm_dp_helper.c +++ b/drivers/gpu/drm/drm_dp_helper.c @@ -1159,6 +1159,7 @@ int drm_dp_psr_setup_time(const u8 psr_cap[EDP_PSR_RECEIVER_CAP_SIZE]) static const u16 psr_setup_time_us[] = { PSR_SETUP_TIME(330), PSR_SETUP_TIME(275), + PSR_SETUP_TIME(220), PSR_SETUP_TIME(165), PSR_SETUP_TIME(110), PSR_SETUP_TIME(55), -- 2.14.1

7 years, 4 months

3
3
0 0

[PATCH] scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()

by Alexander Potapenko

This shall help avoid copying uninitialized memory to the userspace when calling ioctl(fd, SG_IO) with an empty command. Reported-by: syzbot+7d26fc1eea198488deab(a)syzkaller.appspotmail.com Cc: stable(a)vger.kernel.org Signed-off-by: Alexander Potapenko <glider(a)google.com> Acked-by: Douglas Gilbert <dgilbert(a)interlog.com> Reviewed-by: Johannes Thumshirn <jthumshirn(a)suse.de> --- drivers/scsi/sg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c index c198b96368dd..5c40d809830f 100644 --- a/drivers/scsi/sg.c +++ b/drivers/scsi/sg.c @@ -1894,7 +1894,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size) num = (rem_sz > scatter_elem_sz_prev) ? scatter_elem_sz_prev : rem_sz; - schp->pages[k] = alloc_pages(gfp_mask, order); + schp->pages[k] = alloc_pages(gfp_mask | __GFP_ZERO, order); if (!schp->pages[k]) goto out; -- 2.17.0.441.gb46fe60e1d-goog

7 years, 4 months

3
2
0 0

[PATCH] PM/ runtime: fix resume from suspend on newer hp zbook/elitebook

by Thomas Martitz

In 08810a4119aaebf6318f209ec5dd9828e969cba4 setting dev->power.direct_complete was made conditional on pm_runtime_suspended(). The justification was: While at it, make the core check pm_runtime_suspended() when setting power.direct_complete so that it doesn't need to be checked by ->prepare callbacks. However, this breaks resuming from suspend on those newer HP laptops if the amdgpu driver is used (due to hybrid intel+radeon graphics). Given the justification for the change, undoing it seems best as it appears to have unintended side effects. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199693 References: https://bugs.freedesktop.org/show_bug.cgi?id=106447 Signed-off-by: Thomas Martitz <kugel(a)rockbox.org> Cc: Pavel Machek <pavel(a)ucw.cz> Cc: Len Brown <len.brown(a)intel.com> Cc: <linux-pm(a)vger.kernel.org> Cc: <stable(a)vger.kernel.org> [4.15+] Signed-off-by: Thomas Martitz <kugel(a)rockbox.org> --- drivers/base/power/main.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/base/power/main.c b/drivers/base/power/main.c index 02a497e7c785..b2fb0974f832 100644 --- a/drivers/base/power/main.c +++ b/drivers/base/power/main.c @@ -1960,8 +1960,7 @@ static int device_prepare(struct device *dev, pm_message_t state) */ spin_lock_irq(&dev->power.lock); dev->power.direct_complete = state.event == PM_EVENT_SUSPEND && - pm_runtime_suspended(dev) && ret > 0 && - !dev_pm_test_driver_flags(dev, DPM_FLAG_NEVER_SKIP); + ret > 0 && !dev_pm_test_driver_flags(dev, DPM_FLAG_NEVER_SKIP); spin_unlock_irq(&dev->power.lock); return 0; } -- 2.17.0

7 years, 4 months

2
3
0 0

reverting "l2tp: fix missing print session offset info"

by Guillaume Nault

Hi, Commit 820da5357572 ("l2tp: fix missing print session offset info") has been backported to several -stable trees (AFAICS 3.18, 4.4, 4.9, 4.14 and 4.15). This patch has been reverted upstream as the L2TP offset option was dropped. Therefore it doesn't make sense to start exporting this data in stable releases. Can you guys revert the corresponding commits from your trees, or queue up de3b58bc359a ("l2tp: revert "l2tp: fix missing print session offset info"")? If some of you have 820da5357572 queued up for other trees, then please drop it. Guillaume

7 years, 4 months

2
2
0 0

[PATCH] spi: spi-s3c64xx: Fix system resume support

by Marek Szyprowski

Since Linux v4.10 release (commit 1d9174fbc55e "PM / Runtime: Defer resuming of the device in pm_runtime_force_resume()"), pm_runtime_force_resume() function doesn't runtime resume device if it was not runtime active before system suspend. Thus, driver should not do any register access after pm_runtime_force_resume() without checking the runtime status of the device. To fix this issue, simply move s3c64xx_spi_hwinit() call to s3c64xx_spi_runtime_resume() to ensure that hardware is always properly initialized. This fixes Synchronous external abort issue on system suspend/resume cycle on newer Exynos SoCs. Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> CC: <stable(a)vger.kernel.org> # 4.10.x: 1c75862d8e5a spi: spi-s3c64xx: Remove unused s3c64xx_spi_hwinit() CC: <stable(a)vger.kernel.org> # 4.10.x Reviewed-by: Krzysztof Kozlowski <krzk(a)kernel.org> Acked-by: Andi Shyti <andi(a)etezian.org> --- Resend reason: added cc: stable, reviewed and acked tags --- drivers/spi/spi-s3c64xx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c index f55dc78957ad..7b7151ec14c8 100644 --- a/drivers/spi/spi-s3c64xx.c +++ b/drivers/spi/spi-s3c64xx.c @@ -1292,8 +1292,6 @@ static int s3c64xx_spi_resume(struct device *dev) if (ret < 0) return ret; - s3c64xx_spi_hwinit(sdd); - return spi_master_resume(master); } #endif /* CONFIG_PM_SLEEP */ @@ -1331,6 +1329,8 @@ static int s3c64xx_spi_runtime_resume(struct device *dev) if (ret != 0) goto err_disable_src_clk; + s3c64xx_spi_hwinit(sdd); + return 0; err_disable_src_clk: -- 2.17.0

7 years, 4 months

3
3
0 0

[PATCH ghak82] audit: Fix extended comparison of GID/EGID

by Ondrej Mosnacek

The audit_filter_rules() function in auditsc.c used the in_[e]group_p() functions to check GID/EGID match, but these functions use the current task's credentials, while the comparison should use the credentials of the task given to audit_filter_rules() as a parameter (tsk). Note that we can use group_search(cred->group_info, ...) as a replacement for both in_group_p and in_egroup_p as these functions only compare the parameter to cred->fsgid/egid and then call group_search. In fact, the usage of in_group_p was incorrect also because it compared to cred->fsgid and not cred->gid. GitHub issue: https://github.com/linux-audit/audit-kernel/issues/82 Fixes: 37eebe39c973 ("audit: improve GID/EGID comparation logic") Cc: stable(a)vger.kernel.org Signed-off-by: Ondrej Mosnacek <omosnace(a)redhat.com> --- kernel/auditsc.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index cbab0da86d15..ec38e4d97c23 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -490,20 +490,20 @@ static int audit_filter_rules(struct task_struct *tsk, result = audit_gid_comparator(cred->gid, f->op, f->gid); if (f->op == Audit_equal) { if (!result) - result = in_group_p(f->gid); + result = groups_search(cred->group_info, f->gid); } else if (f->op == Audit_not_equal) { if (result) - result = !in_group_p(f->gid); + result = !groups_search(cred->group_info, f->gid); } break; case AUDIT_EGID: result = audit_gid_comparator(cred->egid, f->op, f->gid); if (f->op == Audit_equal) { if (!result) - result = in_egroup_p(f->gid); + result = groups_search(cred->group_info, f->gid); } else if (f->op == Audit_not_equal) { if (result) - result = !in_egroup_p(f->gid); + result = !groups_search(cred->group_info, f->gid); } break; case AUDIT_SGID: -- 2.17.0

7 years, 4 months

2
2
0 0

[PATCH v2] mtd: rawnand: Do not check FAIL bit when executing a SET_FEATURES op

by Boris Brezillon

The ONFI spec clearly says that FAIL bit is only valid for PROGRAM, ERASE and READ-with-on-die-ECC operations, and should be ignored otherwise. It seems that checking it after sending a SET_FEATURES is a bad idea because a previous READ, PROGRAM or ERASE op may have failed, and depending on the implementation, the FAIL bit is not cleared until a new READ, PROGRAM or ERASE is started. This leads to ->set_features() returning -EIO while it actually worked, which can sometimes stop a batch of READ/PROGRAM ops. Note that we only fix the ->exec_op() path here, because some drivers are abusing the NAND_STATUS_FAIL flag in their ->waitfunc() implementation to propagate other kind of errors, like wait-ready-timeout or controller-related errors. Let's not try to fix those drivers since they worked fine so far. Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation") Cc: stable(a)vger.kernel.org Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> --- This patch is fixing a problem we had with on-die ECC on Micron NANDs [1]. On these chips, when you have an ECC failure, the FAIL bit is set and it's not cleared until the next READ operation, which led the following SET_FEATURES (used to re-enable on-die ECC) to fail with -EIO and stopped the batch of page reads started by UBIFS, which in turn led to unmountable FS. [1]http://patchwork.ozlabs.org/patch/907874/ Changes in v2: - Fix the subject prefix --- drivers/mtd/nand/raw/nand_base.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c index f28c3a555861..ee29f34562ab 100644 --- a/drivers/mtd/nand/raw/nand_base.c +++ b/drivers/mtd/nand/raw/nand_base.c @@ -2174,7 +2174,6 @@ static int nand_set_features_op(struct nand_chip *chip, u8 feature, struct mtd_info *mtd = nand_to_mtd(chip); const u8 *params = data; int i, ret; - u8 status; if (chip->exec_op) { const struct nand_sdr_timings *sdr = @@ -2188,26 +2187,18 @@ static int nand_set_features_op(struct nand_chip *chip, u8 feature, }; struct nand_operation op = NAND_OPERATION(instrs); - ret = nand_exec_op(chip, &op); - if (ret) - return ret; - - ret = nand_status_op(chip, &status); - if (ret) - return ret; - } else { - chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); - for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) - chip->write_byte(mtd, params[i]); + return nand_exec_op(chip, &op); + } - ret = chip->waitfunc(mtd, chip); - if (ret < 0) - return ret; + chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); + for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) + chip->write_byte(mtd, params[i]); - status = ret; - } + ret = chip->waitfunc(mtd, chip); + if (ret < 0) + return ret; - if (status & NAND_STATUS_FAIL) + if (ret & NAND_STATUS_FAIL) return -EIO; return 0; -- 2.14.1

7 years, 4 months

2
2
0 0

[PATCH] ALSA: timer: Fix pause event notification

by Ben Hutchings

Commit f65e0d299807 ("ALSA: timer: Call notifier in the same spinlock") combined the start/continue and stop/pause functions, and in doing so changed the event code for the pause case to SNDRV_TIMER_EVENT_CONTINUE. Change it back to SNDRV_TIMER_EVENT_PAUSE. Fixes: f65e0d299807 ("ALSA: timer: Call notifier in the same spinlock") Signed-off-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: stable(a)vger.kernel.org --- sound/core/timer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/core/timer.c b/sound/core/timer.c index dc87728c5b74..0ddcae495838 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -592,7 +592,7 @@ static int snd_timer_stop1(struct snd_timer_instance *timeri, bool stop) else timeri->flags |= SNDRV_TIMER_IFLG_PAUSED; snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : - SNDRV_TIMER_EVENT_CONTINUE); + SNDRV_TIMER_EVENT_PAUSE); unlock: spin_unlock_irqrestore(&timer->lock, flags); return result; @@ -614,7 +614,7 @@ static int snd_timer_stop_slave(struct snd_timer_instance *timeri, bool stop) list_del_init(&timeri->ack_list); list_del_init(&timeri->active_list); snd_timer_notify1(timeri, stop ? SNDRV_TIMER_EVENT_STOP : - SNDRV_TIMER_EVENT_CONTINUE); + SNDRV_TIMER_EVENT_PAUSE); spin_unlock(&timeri->timer->lock); } spin_unlock_irqrestore(&slave_active_lock, flags); -- 2.11.0

7 years, 4 months

2
1
0 0

[PATCH] cxl: Disable prefault_mode in Radix mode

by Vaibhav Jain

From: Vaibhav Jain <vaibhav(a)linux.ibm.com> On Power-8 the AFU attr prefault_mode tried to improve storage fault performance by prefaulting process segments. However Power-9 radix mode doesn't have Storage-Segments and prefaulting Pages is too fine grained. So this patch updates prefault_mode_store() to not allow any other value apart from CXL_PREFAULT_NONE when radix mode is enabled. Cc: <stable(a)vger.kernel.org> Fixes: f24be42aab37 ("cxl: Add psl9 specific code") Signed-off-by: Vaibhav Jain <vaibhav(a)linux.ibm.com> --- Documentation/ABI/testing/sysfs-class-cxl | 4 +++- drivers/misc/cxl/sysfs.c | 16 ++++++++++++---- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/Documentation/ABI/testing/sysfs-class-cxl b/Documentation/ABI/testing/sysfs-class-cxl index 640f65e79ef1..267920a1874b 100644 --- a/Documentation/ABI/testing/sysfs-class-cxl +++ b/Documentation/ABI/testing/sysfs-class-cxl @@ -69,7 +69,9 @@ Date: September 2014 Contact: linuxppc-dev(a)lists.ozlabs.org Description: read/write Set the mode for prefaulting in segments into the segment table - when performing the START_WORK ioctl. Possible values: + when performing the START_WORK ioctl. Only applicable when + running under hashed page table mmu. + Possible values: none: No prefaulting (default) work_element_descriptor: Treat the work element descriptor as an effective address and diff --git a/drivers/misc/cxl/sysfs.c b/drivers/misc/cxl/sysfs.c index 4b5a4c5d3c01..629e2e156412 100644 --- a/drivers/misc/cxl/sysfs.c +++ b/drivers/misc/cxl/sysfs.c @@ -353,12 +353,20 @@ static ssize_t prefault_mode_store(struct device *device, struct cxl_afu *afu = to_cxl_afu(device); enum prefault_modes mode = -1; - if (!strncmp(buf, "work_element_descriptor", 23)) - mode = CXL_PREFAULT_WED; - if (!strncmp(buf, "all", 3)) - mode = CXL_PREFAULT_ALL; if (!strncmp(buf, "none", 4)) mode = CXL_PREFAULT_NONE; + else { + if (!radix_enabled()) { + + /* only allowed when not in radix mode */ + if (!strncmp(buf, "work_element_descriptor", 23)) + mode = CXL_PREFAULT_WED; + if (!strncmp(buf, "all", 3)) + mode = CXL_PREFAULT_ALL; + } else { + dev_err(device, "Cannot prefault with radix enabled\n"); + } + } if (mode == -1) return -EINVAL; -- 2.17.0

7 years, 4 months

1
0
0 0

Backport of pipe.c patch to 4.4.y that fixes LTP fcntl35 test error

by Daniel Sangorrin

Oops sorry, I failed to write the subject. It should been something like the subject of this e-mail. > -----Original Message----- > From: stable-owner(a)vger.kernel.org [mailto:stable-owner@vger.kernel.org] On > Behalf Of Daniel Sangorrin > Sent: Friday, May 18, 2018 9:59 AM > To: stable(a)vger.kernel.org > Cc: mtk.manpages(a)gmail.com; viro(a)zeniv.linux.org.uk > Subject: > > Hello Greg, > > After running LTP with Fuego on the LTS kernel 4.4.y, there were > a few test cases failing that I thought needed some investigation. > > I reviewed the first one (fcntl35 and fcntl35_64) so far. According to the > comments on LTP's fcntl35.c file (by Xiao Yang <yangx.jy(a)cn.fujitsu.com>) > the bug tested by this test case was fixed by: > pipe: cap initial pipe capacity according to pipe-max-size > commit 086e774a57fba4695f14383c0818994c0b31da7c > Author: Michael Kerrisk (man-pages) <mtk.manpages(a)gmail.com> > Date: Tue Oct 11 13:53:43 2016 -0700 > > I backported that patch (see next e-mail), tested again and confirmed that > the patch fixed the bug (or at least the error message in LTP's test). > > Before: > fcntl35.c:98: FAIL: an unprivileged user init the capacity of a pipe to 65536 > unexpectedly, expected 4096 > After: > fcntl35.c:101: PASS: an unprivileged user init the capacity of a pipe to 4096 > successfully > > Thanks, > Daniel Sangorrin >

7 years, 4 months

2
1
0 0

None

by Daniel Sangorrin

Hello Greg, After running LTP with Fuego on the LTS kernel 4.4.y, there were a few test cases failing that I thought needed some investigation. I reviewed the first one (fcntl35 and fcntl35_64) so far. According to the comments on LTP's fcntl35.c file (by Xiao Yang <yangx.jy(a)cn.fujitsu.com>) the bug tested by this test case was fixed by: pipe: cap initial pipe capacity according to pipe-max-size commit 086e774a57fba4695f14383c0818994c0b31da7c Author: Michael Kerrisk (man-pages) <mtk.manpages(a)gmail.com> Date: Tue Oct 11 13:53:43 2016 -0700 I backported that patch (see next e-mail), tested again and confirmed that the patch fixed the bug (or at least the error message in LTP's test). Before: fcntl35.c:98: FAIL: an unprivileged user init the capacity of a pipe to 65536 unexpectedly, expected 4096 After: fcntl35.c:101: PASS: an unprivileged user init the capacity of a pipe to 4096 successfully Thanks, Daniel Sangorrin

7 years, 4 months

1
1
0 0

[PATCH 4.4 000/190] 4.4.128-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.128 release. There are 190 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Fri Apr 13 18:34:54 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.128-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.128-rc1 David Ahern <dsahern(a)gmail.com> vrf: Fix use after free and double free in vrf_finish_output Paolo Abeni <pabeni(a)redhat.com> ipv6: the entire IPv6 header chain must fit the first fragment Jeff Barnhill <0xeffeff(a)gmail.com> net/ipv6: Increment OUTxxx counters after netfilter hook Craig Dillabaugh <cdillaba(a)mojatatu.com> net sched actions: fix dumping which requires several messages to user space Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix setting driver_data after register_netdev Eric Dumazet <edumazet(a)google.com> vti6: better validate user provided tunnel names Eric Dumazet <edumazet(a)google.com> ip6_tunnel: better validate user provided tunnel names Eric Dumazet <edumazet(a)google.com> ip6_gre: better validate user provided tunnel names Eric Dumazet <edumazet(a)google.com> ipv6: sit: better validate user provided tunnel names Eric Dumazet <edumazet(a)google.com> ip_tunnel: better validate user provided tunnel names Eric Dumazet <edumazet(a)google.com> net: fool proof dev_valid_name() Xin Long <lucien.xin(a)gmail.com> bonding: process the err returned by dev_set_allmulti properly in bond_enslave Xin Long <lucien.xin(a)gmail.com> bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave Xin Long <lucien.xin(a)gmail.com> bonding: fix the err path for dev hwaddr sync in bond_enslave Hangbin Liu <liuhangbin(a)gmail.com> vlan: also check phy_driver ts_info for vlan's real device Jason Wang <jasowang(a)redhat.com> vhost: correctly remove wait queue during poll failure Kai-Heng Feng <kai.heng.feng(a)canonical.com> sky2: Increase D3 delay to sky2 stops working after suspend Eric Dumazet <edumazet(a)google.com> sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 Eric Dumazet <edumazet(a)google.com> sctp: do not leak kernel memory to user space Eric Dumazet <edumazet(a)google.com> pptp: remove a buggy dst release in pptp_connect() Davide Caratti <dcaratti(a)redhat.com> net/sched: fix NULL dereference in the error path of tcf_bpf_init() Alexander Potapenko <glider(a)google.com> netlink: make sure nladdr has correct size in netlink_connect() David Ahern <dsahern(a)gmail.com> net/ipv6: Fix route leaking between VRFs Eric Dumazet <edumazet(a)google.com> net: fix possible out-of-bound read in skb_network_protocol() Miguel Fadon Perlines <mfadon(a)teldat.com> arp: fix arp_filter on l3slave devices Arnd Bergmann <arnd(a)arndb.de> Kbuild: provide a __UNIQUE_ID for clang Mel Gorman <mgorman(a)suse.de> futex: Remove requirement for lock_page() in get_futex_key() Theodore Ts'o <tytso(a)mit.edu> random: use lockless method of accessing and updating f->reg_idx Nathan Chancellor <natechancellor(a)gmail.com> virtio_net: check return value of skb_to_sgvec in one more location Jason A. Donenfeld <Jason(a)zx2c4.com> virtio_net: check return value of skb_to_sgvec always Jason A. Donenfeld <Jason(a)zx2c4.com> rxrpc: check return value of skb_to_sgvec always Jason A. Donenfeld <Jason(a)zx2c4.com> ipsec: check return value of skb_to_sgvec always Jiri Olsa <jolsa(a)kernel.org> perf tools: Fix copyfile_offset update of output offset Arjun Vynipadath <arjun(a)chelsio.com> cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> EDAC, mv64x60: Fix an error handling path Tony Lindgren <tony(a)atomide.com> tty: n_gsm: Allow ADM response in addition to UA for control dlci Ming Lei <ming.lei(a)redhat.com> blk-mq: fix kernel oops in blk_mq_tag_idle() chenxiang <chenxiang66(a)hisilicon.com> scsi: libsas: initialize sas_phy status according to response of DISCOVER Jason Yan <yanaijie(a)huawei.com> scsi: libsas: fix error when getting phy events Jason Yan <yanaijie(a)huawei.com> scsi: libsas: fix memory leak in sas_smp_get_phy_events() Tang Junhui <tang.junhui(a)zte.com.cn> bcache: segregate flash only volume write streams Tang Junhui <tang.junhui(a)zte.com.cn> bcache: stop writeback thread after detaching Roopa Prabhu <roopa(a)cumulusnetworks.com> vxlan: dont migrate permanent fdb entries during learn Stefan Haberland <sth(a)linux.vnet.ibm.com> s390/dasd: fix hanging safe offline Bob Moore <robert.moore(a)intel.com> ACPICA: Disassembler: Abort on an invalid/unknown AML opcode Lv Zheng <lv.zheng(a)intel.com> ACPICA: Events: Add runtime stub support for event APIs Christophe Jaillet <christophe.jaillet(a)wanadoo.fr> cpuidle: dt: Add missing 'of_node_put()' Marcel Holtmann <marcel(a)holtmann.org> Bluetooth: Send HCI Set Event Mask Page 2 command only when needed Lorenzo Bianconi <lorenzo.bianconi83(a)gmail.com> iio: magnetometer: st_magn_spi: fix spi_device_id table Jag Raman <jag.raman(a)oracle.com> sparc64: ldc abort during vds iso boot Xin Long <lucien.xin(a)gmail.com> sctp: fix recursive locking warning in sctp_do_peeloff Mintz, Yuval <Yuval.Mintz(a)cavium.com> bnx2x: Allow vfs to disable txvlan offload Arnd Bergmann <arnd(a)arndb.de> xen: avoid type warning in xchg_xen_ulong Willem de Bruijn <willemb(a)google.com> skbuff: only inherit relevant tx_flags Namhyung Kim <namhyung(a)kernel.org> perf tests: Decompress kernel module before objdump Christian Lamparter <chunkeey(a)googlemail.com> net: emac: fix reset timeout with AR8035 phy James Wang <jnwang(a)suse.com> Fix loop device flush before configure v3 Marcin Nowakowski <marcin.nowakowski(a)imgtec.com> MIPS: kprobes: flush_insn_slot should flush only if probe initialised Marcin Nowakowski <marcin.nowakowski(a)imgtec.com> MIPS: mm: adjust PKMAP location Marcin Nowakowski <marcin.nowakowski(a)imgtec.com> MIPS: mm: fixed mappings: correct initialisation Peter Zijlstra <peterz(a)infradead.org> perf/core: Correct event creation with PERF_FORMAT_GROUP Chris Wilson <chris(a)chris-wilson.co.uk> e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails Leonard Crestez <leonard.crestez(a)nxp.com> ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull Russell King <rmk+kernel(a)armlinux.org.uk> net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support A Sun <as1033x(a)comcast.net> mceusb: sporadic RX truncation corruption fix Pan Bian <bianpan2016(a)163.com> cx25840: fix unchecked return values Jacob Keller <jacob.e.keller(a)intel.com> e1000e: fix race condition around skb_tstamp_tx() Robert Jarzmik <robert.jarzmik(a)free.fr> tags: honor COMPILED_SOURCE with apart output directory Milian Wolff <milian.wolff(a)kdab.com> perf report: Ensure the perf DSO mapping matches what libdw sees Namhyung Kim <namhyung(a)kernel.org> perf header: Set proper module name when build-id event found Ido Shamay <idos(a)mellanox.com> net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport Talat Batheesh <talatb(a)mellanox.com> net/mlx4: Fix the check in attaching steering rules Haishuang Yan <yanhaishuang(a)cmss.chinamobile.com> sit: reload iphdr in ipip6_rcv Jason A. Donenfeld <Jason(a)zx2c4.com> skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow Dmitry Monakhov <dmonakhov(a)openvz.org> bio-integrity: Do not allocate integrity context for bio w/o data Thomas Bogendoerfer <tsbogend(a)alpha.franken.de> Fix serial console on SNI RM400 machines Ganesh Goudar <ganeshgr(a)chelsio.com> cxgb4: fix incorrect cim_la output for T6 Tomi Valkeinen <tomi.valkeinen(a)ti.com> drm/omap: fix tiled buffer stride calculations Jia-Ju Bai <baijiaju1990(a)163.com> mISDN: Fix a sleep-in-atomic bug Jia-Ju Bai <baijiaju1990(a)163.com> qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M Jiri Olsa <jolsa(a)kernel.org> perf trace: Add mmap alias for s390 Michael Ellerman <mpe(a)ellerman.id.au> powerpc/spufs: Fix coredump of SPU contexts Bryan O'Donoghue <pure.logic(a)nexus-software.ie> clk: Fix __set_clk_rates error print-string Sudeep Holla <sudeep.holla(a)arm.com> clk: scpi: fix return type of __scpi_dvfs_round_rate Roman Pen <roman.penyaev(a)profitbricks.com> KVM: SVM: do not zero out segment attributes if segment is unusable or not present Gustavo A. R. Silva <garsilva(a)embeddedor.com> net: freescale: fix potential null pointer dereference NeilBrown <neilb(a)suse.com> SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() Vaibhav Jain <vaibhav(a)linux.vnet.ibm.com> rtc: interface: Validate alarm-time before handling rollover Vaibhav Jain <vaibhav(a)linux.vnet.ibm.com> rtc: opal: Handle disabled TPO in opal_get_tpo_time() Arjun Vynipadath <arjun(a)chelsio.com> cxgb4: FW upgrade fixes Arnd Bergmann <arnd(a)arndb.de> net/mlx5: avoid build warning for uniprocessor Will Deacon <will.deacon(a)arm.com> arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage Arvind Yadav <arvind.yadav.cs(a)gmail.com> dmaengine: imx-sdma: Handle return value of clk_prepare_enable Ivan Mikhaylov <ivan(a)de.ibm.com> powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE] Miklos Szeredi <mszeredi(a)redhat.com> ovl: filter trusted xattr for non-admin Firo Yang <firogm(a)gmail.com> hdlcdrv: Fix divide by zero in hdlcdrv_ioctl Colin Ian King <colin.king(a)canonical.com> wl1251: check return from call to wl1251_acx_arp_ip_filter Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' Linus Walleij <linus.walleij(a)linaro.org> gpio: label descriptors using the device name Pieter \"PoroCYon\" Sluys <pcy(a)national.shitposting.agency> vfb: fix video mode and line_length being set when loaded Chaitra P B <chaitra.basappa(a)broadcom.com> scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag. Rafael David Tinoco <rafael.tinoco(a)canonical.com> scsi: libiscsi: Allow sd_shutdown on bad transport Hans de Goede <hdegoede(a)redhat.com> ASoC: Intel: cht_bsw_rt5645: Analog Mic support Mauro Carvalho Chehab <mchehab(a)s-opensource.com> media: videobuf2-core: don't go out of the buffer range Maciej Purski <m.purski(a)samsung.com> hwmon: (ina2xx) Make calibration register value fixed Sowmini Varadhan <sowmini.varadhan(a)oracle.com> rds; Reset rs->rs_bound_addr in rds_add_bound() failure path Hangbin Liu <liuhangbin(a)gmail.com> l2tp: fix missing print session offset info Masami Hiramatsu <mhiramat(a)kernel.org> perf probe: Add warning message if there is unexpected event name Yi Zeng <yizeng(a)asrmicro.com> thermal: power_allocator: fix one race condition issue for thermal_instances list Rasmus Villemoes <rasmus.villemoes(a)prevas.dk> ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node linzhang <xiaolou4617(a)gmail.com> net: llc: add lock_sock in llc_ui_bind to avoid a race condition Jan H. Schönherr <jschoenh(a)amazon.de> KVM: nVMX: Fix handling of lmsw instruction Nithin Sujir <nsujir(a)tintri.com> bonding: Don't update slave->link until ready to commit KT Liao <kt.liao(a)emc.com.tw> Input: elan_i2c - clear INT before resetting controller Roman Kapl <roman.kapl(a)sysgo.com> net: move somaxconn init from sysctl code Eric Dumazet <edumazet(a)google.com> tcp: better validation of received ack sequences Eryu Guan <eguan(a)redhat.com> ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() Michael Schmitz <schmitzmic(a)gmail.com> fix race in drivers/char/random.c:get_reg() Maurizio Lombardi <mlombard(a)redhat.com> scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() Kuninori Morimoto <kuninori.morimoto.gx(a)renesas.com> ASoC: rsnd: SSI PIO adjust to 24bit mode Dan Carpenter <dan.carpenter(a)oracle.com> pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() Liping Zhang <zlpnobody(a)gmail.com> netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize Dan Carpenter <dan.carpenter(a)oracle.com> libceph: NULL deref on crush_decode() error path Lin Zhang <xiaolou4617(a)gmail.com> net: ieee802154: fix net_device reference release too early Jesper Dangaard Brouer <brouer(a)redhat.com> mlx5: fix bug reading rss_hash_type from CQE Dan Carpenter <dan.carpenter(a)oracle.com> block: fix an error code in add_partition() Stephen Smalley <sds(a)tycho.nsa.gov> selinux: do not check open permission on sockets Tariq Toukan <tariqt(a)mellanox.com> net/mlx5: Tolerate irq_set_affinity_hint() failures Vlastimil Babka <vbabka(a)suse.cz> sched/numa: Use down_read_trylock() for the mmap_sem Tin Huynh <tnhuynh(a)apm.com> leds: pca955x: Correct I2C Functionality Kees Cook <keescook(a)chromium.org> ray_cs: Avoid reading past end of buffer Suman Anna <s-anna(a)ti.com> ARM: davinci: da8xx: Create DSP device only when assigned memory Guoqing Jiang <gqjiang(a)suse.com> md-cluster: fix potential lock issue in add_new_disk Konstantin Khlebnikov <khlebnikov(a)yandex-team.ru> ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> iio: hi8435: cleanup reset gpio Nikita Yushchenko <nikita.yoush(a)cogentembedded.com> iio: hi8435: avoid garbage event at first enable Antony Antony <antony(a)phenome.org> xfrm: fix state migration copy replay sequence numbers Michael Ellerman <mpe(a)ellerman.id.au> selftests/powerpc: Fix TM resched DSCR test with some compilers Colin Ian King <colin.king(a)canonical.com> ath5k: fix memory leak on buf on failed eeprom read Michael Ellerman <mpe(a)ellerman.id.au> powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash Varun Prakash <varun(a)chelsio.com> scsi: csiostor: fix use after free in csio_hw_use_fwconfig() Geert Uytterhoeven <geert+renesas(a)glider.be> sh_eth: Use platform device for printing before register_netdev() Geert Uytterhoeven <geert+renesas(a)glider.be> serial: sh-sci: Fix race condition causing garbage during shutdown Vignesh R <vigneshr(a)ti.com> serial: 8250: omap: Disable DMA for console UART Alan Stern <stern(a)rowland.harvard.edu> USB: ene_usb6250: fix SCSI residue overwriting linzhang <xiaolou4617(a)gmail.com> net: x25: fix one potential use-after-free issue Alan Stern <stern(a)rowland.harvard.edu> USB: ene_usb6250: fix first command execution Jisheng Zhang <jszhang(a)marvell.com> usb: chipidea: properly handle host or gadget initialization failure Ihar Hrachyshka <ihrachys(a)redhat.com> arp: honour gratuitous ARP _replies_ Ihar Hrachyshka <ihrachys(a)redhat.com> neighbour: update neigh timestamps iff update is effective Thomas Petazzoni <thomas.petazzoni(a)free-electrons.com> ata: libahci: properly propagate return value of platform_get_irq() Colin Ian King <colin.king(a)canonical.com> btrfs: fix incorrect error return ret being passed to mapping_set_error Pan Bian <bianpan2016(a)163.com> usb: dwc3: keystone: check return value Anup Patel <anup.patel(a)broadcom.com> async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() Mahesh Bandewar <maheshb(a)google.com> ipv6: avoid dad-failures for addresses with NODAD Fabio Estevam <fabio.estevam(a)nxp.com> ARM: dts: imx6qdl-wandboard: Fix audio channel swap Peter Zijlstra <peterz(a)infradead.org> x86/tsc: Provide 'tsc=unstable' boot parameter Andrea della Porta <sfaragnaus(a)gmail.com> staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning Fabio Estevam <fabio.estevam(a)nxp.com> ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin Dan Carpenter <dan.carpenter(a)oracle.com> PowerCap: Fix an error code in powercap_register_zone() Doug Berger <opendmb(a)gmail.com> bus: brcmstb_gisb: correct support for 64-bit address output Doug Berger <opendmb(a)gmail.com> bus: brcmstb_gisb: Use register offsets with writes too Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> SMB2: Fix share type handling Neil Horman <nhorman(a)tuxdriver.com> vmxnet3: ensure that adapter is in proper state during force_close Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S PR: Check copy_to/from_user return values KT Liao <kt.liao(a)emc.com.tw> Input: elantech - force relative mode on a certain module Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: elan_i2c - check if device is there before really probing Colin Ian King <colin.king(a)canonical.com> netxen_nic: set rcode to the return status from the call to netxen_issue_cmd Stefan Wahren <stefan.wahren(a)i2se.com> net: qca_spi: Fix alignment issues in rx path Wen Xiong <wenxiong(a)linux.vnet.ibm.com> blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split op Rabin Vincent <rabinv(a)axis.com> CIFS: silence lockdep splat in cifs_relock_file() Trond Myklebust <trond.myklebust(a)primarydata.com> NFSv4.1: Work around a Linux server bug... Talat Batheesh <talatb(a)mellanox.com> net/mlx4_en: Avoid adding steering rules with invalid ring Heiko Carstens <heiko.carstens(a)de.ibm.com> s390: move _text symbol to address higher than zero Kirill Tkhai <ktkhai(a)virtuozzo.com> pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() Dan Carpenter <dan.carpenter(a)oracle.com> drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests J. Bruce Fields <bfields(a)redhat.com> lockd: fix lockd shutdown race Grygorii Strashko <grygorii.strashko(a)ti.com> net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control Jim Baxter <jim_baxter(a)mentor.com> net: cdc_ncm: Fix TX zero padding Dan Carpenter <dan.carpenter(a)oracle.com> ipmi_ssif: unlock on allocation failure Kees Cook <keescook(a)chromium.org> qlge: Avoid reading past end of buffer Kees Cook <keescook(a)chromium.org> bna: Avoid reading past end of buffer Luca Coelho <luciano.coelho(a)intel.com> mac80211: bail out from prep_connection() if a reconfig is ongoing Steffen Klassert <steffen.klassert(a)secunet.com> af_key: Fix slab-out-of-bounds in pfkey_compile_policy. Bart Van Assche <bart.vanassche(a)sandisk.com> IB/srpt: Fix abort handling Trond Myklebust <trond.myklebust(a)primarydata.com> NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION Josh Poimboeuf <jpoimboe(a)redhat.com> x86/asm: Don't use RBP as a temporary register in csum_partial_copy_generic() Pan Bian <bianpan2016(a)163.com> rtc: snvs: fix an incorrect check of return value Julia Cartwright <julia(a)ni.com> md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock Johannes Berg <johannes.berg(a)intel.com> cfg80211: make RATE_INFO_BW_20 the default ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx53-qsrb.dts | 2 +- arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 + arch/arm/boot/dts/ls1021a.dtsi | 2 +- arch/arm/include/asm/xen/events.h | 2 +- arch/arm/mach-davinci/devices-da8xx.c | 10 +++ arch/arm/mach-imx/cpu.c | 3 + arch/arm/mach-imx/mxc.h | 6 ++ arch/arm64/include/asm/futex.h | 8 +- arch/mips/include/asm/kprobes.h | 3 +- arch/mips/include/asm/pgtable-32.h | 7 +- arch/mips/mm/pgtable-32.c | 6 +- arch/powerpc/include/asm/page.h | 12 +++ arch/powerpc/kernel/time.c | 14 +++- arch/powerpc/kvm/book3s_pr_papr.c | 34 ++++++-- arch/powerpc/platforms/cell/spufs/coredump.c | 2 + arch/s390/kernel/vmlinux.lds.S | 8 +- arch/sparc/kernel/ldc.c | 7 +- arch/x86/kernel/tsc.c | 2 + arch/x86/kvm/svm.c | 24 +++--- arch/x86/kvm/vmx.c | 7 +- arch/x86/lib/csum-copy_64.S | 12 +-- block/bio-integrity.c | 3 + block/blk-mq.c | 7 +- block/partition-generic.c | 4 +- crypto/async_tx/async_pq.c | 5 +- drivers/acpi/acpica/evxfevnt.c | 18 ++++ drivers/acpi/acpica/psobject.c | 14 ++++ drivers/ata/libahci_platform.c | 5 +- drivers/block/loop.c | 3 + drivers/bus/brcmstb_gisb.c | 42 +++++----- drivers/char/ipmi/ipmi_ssif.c | 2 + drivers/char/random.c | 10 ++- drivers/clk/clk-conf.c | 2 +- drivers/clk/clk-scpi.c | 6 +- drivers/cpuidle/dt_idle_states.c | 4 +- drivers/dma/imx-sdma.c | 23 +++-- drivers/edac/mv64x60_edac.c | 2 +- drivers/gpio/gpiolib.c | 3 +- drivers/gpu/drm/omapdrm/omap_gem.c | 4 +- drivers/hwmon/ina2xx.c | 87 +++++++++++-------- drivers/iio/adc/hi8435.c | 27 ++++-- drivers/iio/magnetometer/st_magn_spi.c | 2 - drivers/infiniband/ulp/srpt/ib_srpt.c | 6 +- drivers/input/mouse/elan_i2c_core.c | 7 ++ drivers/input/mouse/elan_i2c_i2c.c | 9 +- drivers/input/mouse/elantech.c | 11 +++ drivers/isdn/mISDN/stack.c | 2 +- drivers/leds/leds-pca955x.c | 2 +- drivers/md/bcache/alloc.c | 19 +++-- drivers/md/bcache/super.c | 6 ++ drivers/md/md-cluster.c | 4 +- drivers/md/raid5.c | 17 ++-- drivers/media/i2c/cx25840/cx25840-core.c | 36 ++++---- drivers/media/rc/mceusb.c | 9 +- drivers/media/v4l2-core/videobuf2-core.c | 4 + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++- drivers/net/bonding/bond_main.c | 84 ++++++++++--------- drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 ++++- drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 +- drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 32 ++++++- drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 23 +++-- drivers/net/ethernet/freescale/fsl_pq_mdio.c | 9 +- drivers/net/ethernet/ibm/emac/core.c | 26 +++++- drivers/net/ethernet/intel/e1000e/netdev.c | 17 +++- drivers/net/ethernet/marvell/sky2.c | 2 +- drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 +++- drivers/net/ethernet/mellanox/mlx4/qp.c | 19 +++++ .../net/ethernet/mellanox/mlx4/resource_tracker.c | 16 ++-- drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 +--- .../net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 +- drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 2 +- drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 +- drivers/net/ethernet/qualcomm/qca_spi.c | 10 ++- drivers/net/ethernet/realtek/r8169.c | 4 +- drivers/net/ethernet/renesas/sh_eth.c | 2 +- drivers/net/ethernet/ti/cpsw.c | 16 ++++ drivers/net/hamradio/hdlcdrv.c | 2 + drivers/net/phy/phy.c | 6 ++ drivers/net/ppp/pptp.c | 1 - drivers/net/usb/cdc_ncm.c | 11 ++- drivers/net/virtio_net.c | 16 +++- drivers/net/vmxnet3/vmxnet3_drv.c | 5 ++ drivers/net/vrf.c | 8 +- drivers/net/vxlan.c | 2 +- drivers/net/wireless/ath/ath5k/debug.c | 5 +- drivers/net/wireless/ray_cs.c | 7 +- drivers/net/wireless/ti/wl1251/main.c | 3 +- drivers/powercap/powercap_sys.c | 1 + drivers/rtc/interface.c | 9 +- drivers/rtc/rtc-opal.c | 10 +++ drivers/rtc/rtc-snvs.c | 2 +- drivers/s390/block/dasd.c | 8 +- drivers/scsi/bnx2fc/bnx2fc.h | 1 + drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 10 ++- drivers/scsi/csiostor/csio_hw.c | 5 +- drivers/scsi/libiscsi.c | 24 +++++- drivers/scsi/libsas/sas_expander.c | 4 +- drivers/scsi/mpt3sas/mpt3sas_scsih.c | 28 ++++--- drivers/staging/wlan-ng/prism2mgmt.c | 2 +- drivers/thermal/power_allocator.c | 2 + drivers/tty/n_gsm.c | 17 +++- drivers/tty/serial/8250/8250_omap.c | 4 + drivers/tty/serial/sccnxp.c | 15 ++-- drivers/tty/serial/sh-sci.c | 16 +++- drivers/usb/chipidea/core.c | 29 +++++-- drivers/usb/dwc3/dwc3-keystone.c | 4 + drivers/usb/storage/ene_ub6250.c | 11 ++- drivers/vhost/vhost.c | 3 +- drivers/video/fbdev/vfb.c | 17 ++++ fs/btrfs/extent_io.c | 2 +- fs/cifs/file.c | 2 +- fs/cifs/smb2pdu.c | 14 ++-- fs/ext4/file.c | 2 +- fs/ext4/mballoc.c | 23 +++-- fs/lockd/svc.c | 6 +- fs/nfs/flexfilelayout/flexfilelayout.c | 1 + fs/nfs/nfs4proc.c | 13 ++- fs/nfs/nfs4state.c | 10 ++- fs/overlayfs/inode.c | 12 ++- include/linux/compiler-clang.h | 5 ++ include/linux/mlx4/qp.h | 1 + include/linux/mlx5/device.h | 10 ++- include/linux/skbuff.h | 8 +- include/net/cfg80211.h | 2 +- include/net/x25.h | 4 +- kernel/events/core.c | 15 ++-- kernel/futex.c | 98 ++++++++++++++++++++-- kernel/pid.c | 4 +- kernel/sched/fair.c | 3 +- net/8021q/vlan_dev.c | 6 +- net/bluetooth/hci_core.c | 17 +++- net/ceph/osdmap.c | 1 + net/core/dev.c | 4 +- net/core/neighbour.c | 14 +++- net/core/net_namespace.c | 19 +++++ net/core/skbuff.c | 75 +++++++++++------ net/core/sysctl_net_core.c | 2 - net/ieee802154/socket.c | 8 +- net/ipv4/ah4.c | 8 +- net/ipv4/arp.c | 18 +++- net/ipv4/esp4.c | 13 +-- net/ipv4/ip_tunnel.c | 11 +-- net/ipv4/tcp_input.c | 24 +++--- net/ipv6/addrconf.c | 5 +- net/ipv6/ah6.c | 8 +- net/ipv6/esp6.c | 12 ++- net/ipv6/ip6_gre.c | 8 +- net/ipv6/ip6_output.c | 19 +++-- net/ipv6/ip6_tunnel.c | 11 ++- net/ipv6/ip6_vti.c | 7 +- net/ipv6/route.c | 3 + net/ipv6/sit.c | 9 +- net/key/af_key.c | 2 +- net/l2tp/l2tp_netlink.c | 2 + net/llc/af_llc.c | 3 + net/mac80211/mlme.c | 4 + net/netfilter/nf_conntrack_netlink.c | 7 +- net/netlink/af_netlink.c | 3 + net/rds/bind.c | 1 + net/rxrpc/rxkad.c | 21 +++-- net/sched/act_api.c | 4 +- net/sched/act_bpf.c | 12 ++- net/sctp/ipv6.c | 4 +- net/sctp/socket.c | 17 ++-- net/sunrpc/xprtsock.c | 7 +- net/x25/af_x25.c | 24 ++++-- net/x25/sysctl_net_x25.c | 5 +- net/xfrm/xfrm_state.c | 2 + scripts/tags.sh | 1 + security/selinux/hooks.c | 10 ++- sound/soc/intel/atom/sst/sst_stream.c | 2 +- sound/soc/intel/boards/cht_bsw_rt5645.c | 7 ++ sound/soc/sh/rcar/ssi.c | 11 ++- tools/perf/builtin-trace.c | 4 + tools/perf/tests/code-reading.c | 20 ++++- tools/perf/util/header.c | 12 ++- tools/perf/util/probe-event.c | 8 ++ tools/perf/util/unwind-libdw.c | 8 ++ tools/perf/util/util.c | 2 +- .../testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 +- 181 files changed, 1416 insertions(+), 523 deletions(-)

7 years, 4 months

7
210
0 0

[PATCH] xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent

by Joe Jin

When run raidconfig from Dom0 we found that the Xen DMA heap is reduced, but Dom Heap is increased by the same size. Tracing raidconfig we found that the related ioctl() in megaraid_sas will call dma_alloc_coherent() to apply memory. If the memory allocated by Dom0 is not in the DMA area, it will exchange memory with Xen to meet the requiment. Later drivers call dma_free_coherent() to free the memory, on xen_swiotlb_free_coherent() the check condition (dev_addr + size - 1 <= dma_mask) is always false, it prevents calling xen_destroy_contiguous_region() to return the memory to the Xen DMA heap. This issue introduced by commit 6810df88dcfc2 "xen-swiotlb: When doing coherent alloc/dealloc check before swizzling the MFNs.". Signed-off-by: Joe Jin <joe.jin(a)oracle.com> Tested-by: John Sobecki <john.sobecki(a)oracle.com> Reviewed-by: Rzeszutek Wilk <konrad.wilk(a)oracle.com> Cc: stable(a)vger.kernel.org --- drivers/xen/swiotlb-xen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c index e1c60899fdbc..a6f9ba85dc4b 100644 --- a/drivers/xen/swiotlb-xen.c +++ b/drivers/xen/swiotlb-xen.c @@ -351,7 +351,7 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr, * physical address */ phys = xen_bus_to_phys(dev_addr); - if (((dev_addr + size - 1 > dma_mask)) || + if (((dev_addr + size - 1 <= dma_mask)) || range_straddles_page_boundary(phys, size)) xen_destroy_contiguous_region(phys, order); -- 2.14.3 (Apple Git-98)

7 years, 4 months

1
0
0 0

[PATCH UPSTREAM] xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent

by Joe Jin

When run raidconfig from Dom0 we found that the Xen DMA heap is reduced, but Dom Heap is increased by the same size. Tracing raidconfig we found that the related ioctl() in megaraid_sas will call dma_alloc_coherent() to apply memory. If the memory allocated by Dom0 is not in the DMA area, it will exchange memory with Xen to meet the requiment. Later drivers call dma_free_coherent() to free the memory, on xen_swiotlb_free_coherent() the check condition (dev_addr + size - 1 <= dma_mask) is always false, it prevents calling xen_destroy_contiguous_region() to return the memory to the Xen DMA heap. This issue introduced by commit 6810df88dcfc2 "xen-swiotlb: When doing coherent alloc/dealloc check before swizzling the MFNs.". Signed-off-by: Joe Jin <joe.jin(a)oracle.com> Tested-by: John Sobecki <john.sobecki(a)oracle.com> Reviewed-by: Rzeszutek Wilk <konrad.wilk(a)oracle.com> Cc: stable(a)vger.kernel.org --- drivers/xen/swiotlb-xen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/xen/swiotlb-xen.c b/drivers/xen/swiotlb-xen.c index e1c60899fdbc..a6f9ba85dc4b 100644 --- a/drivers/xen/swiotlb-xen.c +++ b/drivers/xen/swiotlb-xen.c @@ -351,7 +351,7 @@ xen_swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr, * physical address */ phys = xen_bus_to_phys(dev_addr); - if (((dev_addr + size - 1 > dma_mask)) || + if (((dev_addr + size - 1 <= dma_mask)) || range_straddles_page_boundary(phys, size)) xen_destroy_contiguous_region(phys, order); -- 2.14.3 (Apple Git-98)

7 years, 4 months

2
2
0 0

Build failure in v4.4.y.queue

by Guenter Roeck

v4.4.y: drivers/net/ethernet/ti/cpsw.c: In function 'cpsw_add_dual_emac_def_ale_entries': drivers/net/ethernet/ti/cpsw.c:1112:23: error: 'cpsw' undeclared Guenter

7 years, 4 months

2
1
0 0

Re: [PATCH 2/2] nbd: don't start req until after the dead connection logic

by Bart Van Assche

On Thu, 2017-10-19 at 16:21 -0400, Josef Bacik wrote: > + blk_mq_start_request(req); > if (unlikely(nsock->pending && nsock->pending != req)) { > blk_mq_requeue_request(req, true); > ret = 0; (replying to an e-mail from seven months ago) Hello Josef, Are you aware that the nbd driver is one of the very few block drivers that calls blk_mq_requeue_request() after a request has been started? I think that can lead to the block layer core to undesired behavior, e.g. that the timeout handler fires concurrently with a request being reinstered. Can you or a colleague have a look at this? I would like to add the following code to the block layer core and I think that the nbd driver would trigger this warning: void blk_mq_requeue_request(struct request *rq, bool kick_requeue_list) { + WARN_ON_ONCE(old_state != MQ_RQ_COMPLETE); + __blk_mq_requeue_request(rq); Thanks, Bart.

7 years, 4 months

2
2
0 0

[PATCH 07/25] zfcp: fix missing REC trigger trace on enqueue without ERP thread

by Steffen Maier

Example trace record formatted with zfcpdbf from s390-tools: Timestamp : ... Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 ZFCP_DBF_REC_TRIG Tag : ....... LUN : 0x... WWPN : 0x... D_ID : 0x... Adapter status : 0x... Port status : 0x... LUN status : 0x... Ready count : 0x... Running count : 0x... ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_... ERP need : 0xc0 ZFCP_ERP_ACTION_NONE Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_erp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index 20fe59300d0e..69dfb328dba4 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -315,8 +315,11 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, goto out; } - if (!adapter->erp_thread) - return -EIO; + if (!adapter->erp_thread) { + need = ZFCP_ERP_ACTION_NONE; /* marker for trace */ + retval = -EIO; + goto out; + } need = zfcp_erp_required_act(want, adapter, port, sdev); if (!need) -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 06/25] zfcp: fix missing REC trigger trace for all objects in ERP_FAILED

by Steffen Maier

That other commit introduced an inconsistency because it would trace on ERP_FAILED for all callers of port forced reopen triggers (not just terminate_rport_io), but it would not trace on ERP_FAILED for all callers of other ERP triggers such as adapter, port regular, LUN. Therefore, generalize that other commit. zfcp_erp_action_enqueue() already had two early outs which re-used the one zfcp_dbf_rec_trig() call. All ERP trigger functions finally run through zfcp_erp_action_enqueue(). So move the special handling for ZFCP_STATUS_COMMON_ERP_FAILED into zfcp_erp_action_enqueue() and add another early out with new trace marker for pseudo ERP need in this case. This removes all early returns from all ERP trigger functions so we always end up at zfcp_dbf_rec_trig(). Example trace record formatted with zfcpdbf from s390-tools: Timestamp : ... Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 ZFCP_DBF_REC_TRIG Tag : ....... LUN : 0x... WWPN : 0x... D_ID : 0x... Adapter status : 0x... Port status : 0x... LUN status : 0x... Ready count : 0x... Running count : 0x... ERP want : 0x0. ZFCP_ERP_ACTION_REOPEN_... ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_erp.c | 79 ++++++++++++++++++++++++++++---------------- 1 file changed, 51 insertions(+), 28 deletions(-) diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index 5c368cdfc455..20fe59300d0e 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -143,6 +143,49 @@ static void zfcp_erp_action_dismiss_adapter(struct zfcp_adapter *adapter) } } +static int zfcp_erp_handle_failed(int want, struct zfcp_adapter *adapter, + struct zfcp_port *port, + struct scsi_device *sdev) +{ + int need = want; + struct zfcp_scsi_dev *zsdev; + + switch (want) { + case ZFCP_ERP_ACTION_REOPEN_LUN: + zsdev = sdev_to_zfcp(sdev); + if (atomic_read(&zsdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED) + need = 0; + break; + case ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: + if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) + need = 0; + break; + case ZFCP_ERP_ACTION_REOPEN_PORT: + if (atomic_read(&port->status) & + ZFCP_STATUS_COMMON_ERP_FAILED) { + need = 0; + /* ensure propagation of failed status to new devices */ + zfcp_erp_set_port_status( + port, ZFCP_STATUS_COMMON_ERP_FAILED); + } + break; + case ZFCP_ERP_ACTION_REOPEN_ADAPTER: + if (atomic_read(&adapter->status) & + ZFCP_STATUS_COMMON_ERP_FAILED) { + need = 0; + /* ensure propagation of failed status to new devices */ + zfcp_erp_set_adapter_status( + adapter, ZFCP_STATUS_COMMON_ERP_FAILED); + } + break; + default: + need = 0; + break; + } + + return need; +} + static int zfcp_erp_required_act(int want, struct zfcp_adapter *adapter, struct zfcp_port *port, struct scsi_device *sdev) @@ -266,6 +309,12 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, int retval = 1, need; struct zfcp_erp_action *act; + need = zfcp_erp_handle_failed(want, adapter, port, sdev); + if (!need) { + need = ZFCP_ERP_ACTION_FAILED; /* marker for trace */ + goto out; + } + if (!adapter->erp_thread) return -EIO; @@ -314,12 +363,6 @@ static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, zfcp_erp_adapter_block(adapter, clear_mask); zfcp_scsi_schedule_rports_block(adapter); - /* ensure propagation of failed status to new devices */ - if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) { - zfcp_erp_set_adapter_status(adapter, - ZFCP_STATUS_COMMON_ERP_FAILED); - return -EIO; - } return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter, NULL, NULL, id, 0); } @@ -338,12 +381,8 @@ void zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, int clear, char *id) zfcp_scsi_schedule_rports_block(adapter); write_lock_irqsave(&adapter->erp_lock, flags); - if (atomic_read(&adapter->status) & ZFCP_STATUS_COMMON_ERP_FAILED) - zfcp_erp_set_adapter_status(adapter, - ZFCP_STATUS_COMMON_ERP_FAILED); - else - zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter, - NULL, NULL, id, 0); + zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_ADAPTER, adapter, + NULL, NULL, id, 0); write_unlock_irqrestore(&adapter->erp_lock, flags); } @@ -384,13 +423,6 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear, zfcp_erp_port_block(port, clear); zfcp_scsi_schedule_rport_block(port); - if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) { - zfcp_dbf_rec_trig(id, port->adapter, port, NULL, - ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, - ZFCP_ERP_ACTION_FAILED); - return; - } - zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, port->adapter, port, NULL, id, 0); } @@ -416,12 +448,6 @@ static int _zfcp_erp_port_reopen(struct zfcp_port *port, int clear, char *id) zfcp_erp_port_block(port, clear); zfcp_scsi_schedule_rport_block(port); - if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) { - /* ensure propagation of failed status to new devices */ - zfcp_erp_set_port_status(port, ZFCP_STATUS_COMMON_ERP_FAILED); - return -EIO; - } - return zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT, port->adapter, port, NULL, id, 0); } @@ -461,9 +487,6 @@ static void _zfcp_erp_lun_reopen(struct scsi_device *sdev, int clear, char *id, zfcp_erp_lun_block(sdev, clear); - if (atomic_read(&zfcp_sdev->status) & ZFCP_STATUS_COMMON_ERP_FAILED) - return; - zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_LUN, adapter, zfcp_sdev->port, sdev, id, act_status); } -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 05/25] zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED

by Steffen Maier

For problem determination we always want to see when we were invoked on the terminate_rport_io callback whether we perform something or not. Temporal event sequence of interest with a long fast_io_fail_tmo of 27 sec: loose remote port t workqueue [s] zfcp_q_<dev> IRQ zfcperp<dev> === ================== =================== ============================ 0 recv RSCN q p.test_link_work block rport start fast_io_fail_tmo send ADISC ELS 4 recv ADISC fail block zfcp_port port forced reopen send open port 12 recv open port fail q p.gid_pn_work zfcp_erp_wakeup (zfcp_erp_wait would return) GID_PN fail Before this point, we got a SCSI trace with tag "sctrpi1" on fast_io_fail, e.g. with the typical 5 sec setting. port.status |= ERP_FAILED If fast_io_fail_tmo triggers after this point, we missed a SCSI trace. workqueue fc_dl_<host> ================== 27 fc_timeout_fail_rport_io fc_terminate_rport_io zfcp_scsi_terminate_rport_io zfcp_erp_port_forced_reopen _zfcp_erp_port_forced_reopen if (port.status & ERP_FAILED) return; Therefore, write a trace before above early return. Example trace record formatted with zfcpdbf from s390-tools: Timestamp : ... Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 ZFCP_DBF_REC_TRIG Tag : sctrpi1 SCSI terminate rport I/O LUN : 0xffffffffffffffff none (invalid) WWPN : 0x<wwpn> D_ID : 0x<n_port_id> Adapter status : 0x... Port status : 0x... LUN status : 0x00000000 none (invalid) Ready count : 0x... Running count : 0x... ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED ERP need : 0xe0 ZFCP_ERP_ACTION_FAILED Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_erp.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index 3489b1bc9121..5c368cdfc455 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -42,9 +42,13 @@ enum zfcp_erp_steps { * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery. * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery. * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with - * either of the other enum values. + * either of the first four enum values. * Used to indicate that an ERP action could not be * set up despite a detected need for some recovery. + * @ZFCP_ERP_ACTION_FAILED: Eyecatcher pseudo flag to bitwise or-combine with + * either of the first four enum values. + * Used to indicate that ERP not needed because + * the object has ZFCP_STATUS_COMMON_ERP_FAILED. */ enum zfcp_erp_act_type { ZFCP_ERP_ACTION_REOPEN_LUN = 1, @@ -52,6 +56,7 @@ enum zfcp_erp_act_type { ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3, ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4, ZFCP_ERP_ACTION_NONE = 0xc0, + ZFCP_ERP_ACTION_FAILED = 0xe0, }; enum zfcp_erp_act_state { @@ -379,8 +384,12 @@ static void _zfcp_erp_port_forced_reopen(struct zfcp_port *port, int clear, zfcp_erp_port_block(port, clear); zfcp_scsi_schedule_rport_block(port); - if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) + if (atomic_read(&port->status) & ZFCP_STATUS_COMMON_ERP_FAILED) { + zfcp_dbf_rec_trig(id, port->adapter, port, NULL, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + ZFCP_ERP_ACTION_FAILED); return; + } zfcp_erp_action_enqueue(ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, port->adapter, port, NULL, id, 0); -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 04/25] zfcp: fix missing REC trigger trace on terminate_rport_io early return

by Steffen Maier

get_device() and its internally used kobject_get() only return NULL if they get passed NULL as argument. zfcp_get_port_by_wwpn() loops over adapter->port_list so the iteration variable port is always non-NULL. Struct device is embedded in struct zfcp_port so &port->dev is always non-NULL. This is the argument to get_device(). However, if we get an fc_rport in terminate_rport_io() for which we cannot find a match within zfcp_get_port_by_wwpn(), the latter can return NULL. v2.6.30 commit 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") introduced an early return without adding a trace record for this case. Even if we don't need recovery in this case, for debugging we should still see that our callback was invoked originally by scsi_transport_fc. Example trace record formatted with zfcpdbf from s390-tools: Timestamp : ... Area : REC Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : sctrpin SCSI terminate rport I/O, no zfcp port LUN : 0xffffffffffffffff none (invalid) WWPN : 0x<wwpn> WWPN D_ID : 0x<n_port_id> N_Port-ID Adapter status : 0x... Port status : 0xffffffff unknown (-1) LUN status : 0x00000000 none (invalid) Ready count : 0x... Running count : 0x... ERP want : 0x03 ZFCP_ERP_ACTION_REOPEN_PORT_FORCED ERP need : 0xc0 ZFCP_ERP_ACTION_NONE Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Fixes: 70932935b61e ("[SCSI] zfcp: Fix oops when port disappears") Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_erp.c | 20 ++++++++++++++++++++ drivers/s390/scsi/zfcp_ext.h | 3 +++ drivers/s390/scsi/zfcp_scsi.c | 5 +++++ 3 files changed, 28 insertions(+) diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index d9cd25b56cfa..3489b1bc9121 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -283,6 +283,26 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, return retval; } +void zfcp_erp_port_forced_no_port_dbf(char *id, struct zfcp_adapter *adapter, + u64 port_name, u32 port_id) +{ + unsigned long flags; + static /* don't waste stack */ struct zfcp_port tmpport; + + write_lock_irqsave(&adapter->erp_lock, flags); + /* Stand-in zfcp port with fields just good enough for + * zfcp_dbf_rec_trig() and zfcp_dbf_set_common(). + * Under lock because tmpport is static. + */ + atomic_set(&tmpport.status, -1); /* unknown */ + tmpport.wwpn = port_name; + tmpport.d_id = port_id; + zfcp_dbf_rec_trig(id, adapter, &tmpport, NULL, + ZFCP_ERP_ACTION_REOPEN_PORT_FORCED, + ZFCP_ERP_ACTION_NONE); + write_unlock_irqrestore(&adapter->erp_lock, flags); +} + static int _zfcp_erp_adapter_reopen(struct zfcp_adapter *adapter, int clear_mask, char *id) { diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h index e55f42ce1168..3299bd345076 100644 --- a/drivers/s390/scsi/zfcp_ext.h +++ b/drivers/s390/scsi/zfcp_ext.h @@ -55,6 +55,9 @@ extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter, /* zfcp_erp.c */ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32); extern void zfcp_erp_clear_adapter_status(struct zfcp_adapter *, u32); +extern void zfcp_erp_port_forced_no_port_dbf(char *id, + struct zfcp_adapter *adapter, + u64 port_name, u32 port_id); extern void zfcp_erp_adapter_reopen(struct zfcp_adapter *, int, char *); extern void zfcp_erp_adapter_shutdown(struct zfcp_adapter *, int, char *); extern void zfcp_erp_set_port_status(struct zfcp_port *, u32); diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c index 4fdb1665b0e6..478e7ef9ea2f 100644 --- a/drivers/s390/scsi/zfcp_scsi.c +++ b/drivers/s390/scsi/zfcp_scsi.c @@ -605,6 +605,11 @@ static void zfcp_scsi_terminate_rport_io(struct fc_rport *rport) if (port) { zfcp_erp_port_forced_reopen(port, 0, "sctrpi1"); put_device(&port->dev); + } else { + zfcp_erp_port_forced_no_port_dbf( + "sctrpin", adapter, + rport->port_name /* zfcp_scsi_rport_register */, + rport->port_id /* zfcp_scsi_rport_register */); } } -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 03/25] zfcp: fix misleading REC trigger trace where erp_action setup failed

by Steffen Maier

If a SCSI device is deleted during scsi_eh host reset, we cannot get a reference to the SCSI device anymore since scsi_device_get returns !=0 by design. Assuming the recovery of adapter and port(s) was successful, zfcp_erp_strategy_followup_success() attempts to trigger a LUN reset for the half-gone SCSI device. Unfortunately, it causes the following confusing trace record which states that zfcp will do a LUN recovery as "ERP need" is ZFCP_ERP_ACTION_REOPEN_LUN == 1 and equals "ERP want". Old example trace record formatted with zfcpdbf from s390-tools: Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded LUN : 0x<FCP_LUN> WWPN : 0x<WWPN> D_ID : 0x<N_Port-ID> Adapter status : 0x5400050b Port status : 0x54000001 LUN status : 0x40000000 ZFCP_STATUS_COMMON_RUNNING but not ZFCP_STATUS_COMMON_UNBLOCKED as it was closed on close part of adapter reopen ERP want : 0x01 ERP need : 0x01 misleading However, zfcp_erp_setup_act() returns NULL as it cannot get the reference. Hence, zfcp_erp_action_enqueue() takes an early goto out and _NO_ recovery actually happens. We always do want the recovery trigger trace record even if no erp_action could be enqueued as in this case. For other cases where we did not enqueue an erp_action, 'need' has always been zero to indicate this. In order to indicate above goto out, introduce an eyecatcher "flag" to mark the "ERP need" as 'not needed' but still keep the information which erp_action type, that zfcp_erp_required_act() had decided upon, is needed. 0xc_ is chosen to be visibly different from 0x0_ in "ERP want". New example trace record formatted with zfcpdbf from s390-tools: Tag: : ersfs_3 ERP, trigger, unit reopen, port reopen succeeded LUN : 0x<FCP_LUN> WWPN : 0x<WWPN> D_ID : 0x<N_Port-ID> Adapter status : 0x5400050b Port status : 0x54000001 LUN status : 0x40000000 ERP want : 0x01 ERP need : 0xc1 would need LUN ERP, but no action set up ^ Before v2.6.38 commit ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.") we could detect this case because the "erp_action" field in the trace was NULL. The rework removed erp_action as argument and field from the trace. This patch here is for tracing. A fix to allow LUN recovery in the case at hand is a topic for a separate patch. See also commit fdbd1c5e27da ("[SCSI] zfcp: Allow running unit/LUN shutdown without acquiring reference") for a similar case and background info. Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Fixes: ae0904f60fab ("[SCSI] zfcp: Redesign of the debug tracing for recovery actions.") Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_erp.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/s390/scsi/zfcp_erp.c b/drivers/s390/scsi/zfcp_erp.c index 1d91a32db08e..d9cd25b56cfa 100644 --- a/drivers/s390/scsi/zfcp_erp.c +++ b/drivers/s390/scsi/zfcp_erp.c @@ -35,11 +35,23 @@ enum zfcp_erp_steps { ZFCP_ERP_STEP_LUN_OPENING = 0x2000, }; +/** + * enum zfcp_erp_act_type - Type of ERP action object. + * @ZFCP_ERP_ACTION_REOPEN_LUN: LUN recovery. + * @ZFCP_ERP_ACTION_REOPEN_PORT: Port recovery. + * @ZFCP_ERP_ACTION_REOPEN_PORT_FORCED: Forced port recovery. + * @ZFCP_ERP_ACTION_REOPEN_ADAPTER: Adapter recovery. + * @ZFCP_ERP_ACTION_NONE: Eyecatcher pseudo flag to bitwise or-combine with + * either of the other enum values. + * Used to indicate that an ERP action could not be + * set up despite a detected need for some recovery. + */ enum zfcp_erp_act_type { ZFCP_ERP_ACTION_REOPEN_LUN = 1, ZFCP_ERP_ACTION_REOPEN_PORT = 2, ZFCP_ERP_ACTION_REOPEN_PORT_FORCED = 3, ZFCP_ERP_ACTION_REOPEN_ADAPTER = 4, + ZFCP_ERP_ACTION_NONE = 0xc0, }; enum zfcp_erp_act_state { @@ -257,8 +269,10 @@ static int zfcp_erp_action_enqueue(int want, struct zfcp_adapter *adapter, goto out; act = zfcp_erp_setup_act(need, act_status, adapter, port, sdev); - if (!act) + if (!act) { + need |= ZFCP_ERP_ACTION_NONE; /* marker for trace */ goto out; + } atomic_or(ZFCP_STATUS_ADAPTER_ERP_PENDING, &adapter->status); ++adapter->erp_total_count; list_add_tail(&act->list, &adapter->erp_ready_head); -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 02/25] zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF

by Steffen Maier

We already have a SCSI trace for the end of abort and scsi_eh TMF. Due to zfcp_erp_wait() and fc_block_scsi_eh() time can pass between the start of our eh callback and an actual send/recv of an abort / TMF request. In order to see the temporal sequence including any abort / TMF send retries, add a trace before the above two blocking functions. This supports problem determination with scsi_eh and parallel zfcp ERP. No need to explicitly trace the beginning of our eh callback, since we typically can send an abort / TMF and see its HBA response (in the worst case, it's a pseudo response on dismiss all of adapter recovery, e.g. due to an FSF request timeout [fsrth_1] of the abort / TMF). If we cannot send, we now get a trace record for the first "abrt_wt" or "[lt]r_wait" which denotes almost the beginning of the callback. No need to explicitly trace the wakeup after the above two blocking functions because the next retry loop causes another trace in any case and that is sufficient. Example trace records formatted with zfcpdbf from s390-tools: Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : abrt_wt abort, before zfcp_erp_wait() Request ID : 0x0000000000000000 none (invalid) SCSI ID : 0x<scsi_id> SCSI LUN : 0x<scsi_lun> SCSI LUN high : 0x<scsi_lun_high> SCSI result : 0x<scsi_result_of_cmd_to_be_aborted> SCSI retries : 0x<retries_of_cmd_to_be_aborted> SCSI allowed : 0x<allowed_retries_of_cmd_to_be_aborted> SCSI scribble : 0x<req_id_of_cmd_to_be_aborted> SCSI opcode : <CDB_of_cmd_to_be_aborted> FCP rsp inf cod: 0x.. none (invalid) FCP rsp IU : ... none (invalid) Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : lr_wait LUN reset, before zfcp_erp_wait() Request ID : 0x0000000000000000 none (invalid) SCSI ID : 0x<scsi_id> SCSI LUN : 0x<scsi_lun> SCSI LUN high : 0x<scsi_lun_high> SCSI result : 0x... unrelated SCSI retries : 0x.. unrelated SCSI allowed : 0x.. unrelated SCSI scribble : 0x... unrelated SCSI opcode : ... unrelated FCP rsp inf cod: 0x.. none (invalid) FCP rsp IU : ... none (invalid) Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Fixes: 63caf367e1c9 ("[SCSI] zfcp: Improve reliability of SCSI eh handlers in zfcp") Fixes: af4de36d911a ("[SCSI] zfcp: Block scsi_eh thread for rport state BLOCKED") Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_scsi.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c index a62357f5e8b4..4fdb1665b0e6 100644 --- a/drivers/s390/scsi/zfcp_scsi.c +++ b/drivers/s390/scsi/zfcp_scsi.c @@ -181,6 +181,7 @@ static int zfcp_scsi_eh_abort_handler(struct scsi_cmnd *scpnt) if (abrt_req) break; + zfcp_dbf_scsi_abort("abrt_wt", scpnt, NULL); zfcp_erp_wait(adapter); ret = fc_block_scsi_eh(scpnt); if (ret) { @@ -277,6 +278,7 @@ static int zfcp_task_mgmt_function(struct scsi_cmnd *scpnt, u8 tm_flags) if (fsf_req) break; + zfcp_dbf_scsi_devreset("wait", scpnt, tm_flags, NULL); zfcp_erp_wait(adapter); ret = fc_block_scsi_eh(scpnt); if (ret) { -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 01/25] zfcp: fix missing SCSI trace for result of eh_host_reset_handler

by Steffen Maier

For problem determination we need to see whether and why we were successful or not. This allows deduction of scsi_eh escalation. Example trace record formatted with zfcpdbf from s390-tools: Timestamp : ... Area : SCSI Subarea : 00 Level : 1 Exception : - CPU ID : .. Caller : 0x... Record ID : 1 Tag : schrh_r SCSI host reset handler result Request ID : 0x0000000000000000 none (invalid) SCSI ID : 0xffffffff none (invalid) SCSI LUN : 0xffffffff none (invalid) SCSI LUN high : 0xffffffff none (invalid) SCSI result : 0x00002002 field re-used for midlayer value: SUCCESS or in other cases: 0x2009 == FAST_IO_FAIL SCSI retries : 0xff none (invalid) SCSI allowed : 0xff none (invalid) SCSI scribble : 0xffffffffffffffff none (invalid) SCSI opcode : ffffffff ffffffff ffffffff ffffffff none (invalid) FCP rsp inf cod: 0xff none (invalid) FCP rsp IU : 00000000 00000000 00000000 00000000 none (invalid) 00000000 00000000 v2.6.35 commit a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh") introduced the first return with something other than the previously hardcoded single SUCCESS return path. Signed-off-by: Steffen Maier <maier(a)linux.ibm.com> Fixes: a1dbfddd02d2 ("[SCSI] zfcp: Pass return code from fc_block_scsi_eh to scsi eh") Cc: <stable(a)vger.kernel.org> #2.6.38+ Reviewed-by: Jens Remus <jremus(a)linux.ibm.com> Reviewed-by: Benjamin Block <bblock(a)linux.ibm.com> --- drivers/s390/scsi/zfcp_dbf.c | 40 ++++++++++++++++++++++++++++++++++++++++ drivers/s390/scsi/zfcp_ext.h | 2 ++ drivers/s390/scsi/zfcp_scsi.c | 11 ++++++----- 3 files changed, 48 insertions(+), 5 deletions(-) diff --git a/drivers/s390/scsi/zfcp_dbf.c b/drivers/s390/scsi/zfcp_dbf.c index a8b831000b2d..1e5ea5e4992b 100644 --- a/drivers/s390/scsi/zfcp_dbf.c +++ b/drivers/s390/scsi/zfcp_dbf.c @@ -643,6 +643,46 @@ void zfcp_dbf_scsi(char *tag, int level, struct scsi_cmnd *sc, spin_unlock_irqrestore(&dbf->scsi_lock, flags); } +/** + * zfcp_dbf_scsi_eh() - Trace event for special cases of scsi_eh callbacks. + * @tag: Identifier for event. + * @adapter: Pointer to zfcp adapter as context for this event. + * @scsi_id: SCSI ID/target to indicate scope of task management function (TMF). + * @ret: Return value of calling function. + * + * This SCSI trace variant does not depend on any of: + * scsi_cmnd, zfcp_fsf_req, scsi_device. + */ +void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter, + unsigned int scsi_id, int ret) +{ + struct zfcp_dbf *dbf = adapter->dbf; + struct zfcp_dbf_scsi *rec = &dbf->scsi_buf; + unsigned long flags; + static int const level = 1; + + if (unlikely(!debug_level_enabled(adapter->dbf->scsi, level))) + return; + + spin_lock_irqsave(&dbf->scsi_lock, flags); + memset(rec, 0, sizeof(*rec)); + + memcpy(rec->tag, tag, ZFCP_DBF_TAG_LEN); + rec->id = ZFCP_DBF_SCSI_CMND; + rec->scsi_result = ret; /* re-use field, int is 4 bytes and fits */ + rec->scsi_retries = ~0; + rec->scsi_allowed = ~0; + rec->fcp_rsp_info = ~0; + rec->scsi_id = scsi_id; + rec->scsi_lun = (u32)ZFCP_DBF_INVALID_LUN; + rec->scsi_lun_64_hi = (u32)(ZFCP_DBF_INVALID_LUN >> 32); + rec->host_scribble = ~0; + memset(rec->scsi_opcode, 0xff, ZFCP_DBF_SCSI_OPCODE); + + debug_event(dbf->scsi, level, rec, sizeof(*rec)); + spin_unlock_irqrestore(&dbf->scsi_lock, flags); +} + static debug_info_t *zfcp_dbf_reg(const char *name, int size, int rec_size) { struct debug_info *d; diff --git a/drivers/s390/scsi/zfcp_ext.h b/drivers/s390/scsi/zfcp_ext.h index bf8ea4df2bb8..e55f42ce1168 100644 --- a/drivers/s390/scsi/zfcp_ext.h +++ b/drivers/s390/scsi/zfcp_ext.h @@ -49,6 +49,8 @@ extern void zfcp_dbf_san_res(char *, struct zfcp_fsf_req *); extern void zfcp_dbf_san_in_els(char *, struct zfcp_fsf_req *); extern void zfcp_dbf_scsi(char *, int, struct scsi_cmnd *, struct zfcp_fsf_req *); +extern void zfcp_dbf_scsi_eh(char *tag, struct zfcp_adapter *adapter, + unsigned int scsi_id, int ret); /* zfcp_erp.c */ extern void zfcp_erp_set_adapter_status(struct zfcp_adapter *, u32); diff --git a/drivers/s390/scsi/zfcp_scsi.c b/drivers/s390/scsi/zfcp_scsi.c index 4d2ba5682493..a62357f5e8b4 100644 --- a/drivers/s390/scsi/zfcp_scsi.c +++ b/drivers/s390/scsi/zfcp_scsi.c @@ -323,15 +323,16 @@ static int zfcp_scsi_eh_host_reset_handler(struct scsi_cmnd *scpnt) { struct zfcp_scsi_dev *zfcp_sdev = sdev_to_zfcp(scpnt->device); struct zfcp_adapter *adapter = zfcp_sdev->port->adapter; - int ret; + int ret = SUCCESS, fc_ret; zfcp_erp_adapter_reopen(adapter, 0, "schrh_1"); zfcp_erp_wait(adapter); - ret = fc_block_scsi_eh(scpnt); - if (ret) - return ret; + fc_ret = fc_block_scsi_eh(scpnt); + if (fc_ret) + ret = fc_ret; - return SUCCESS; + zfcp_dbf_scsi_eh("schrh_r", adapter, ~0, ret); + return ret; } struct scsi_transport_template *zfcp_scsi_transport_template; -- 2.16.3

7 years, 4 months

1
0
0 0

FAILED: patch "net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode" failed to build on 4.4 tree

by Dan Rue

It seems that patch "net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode" fails to build in the upcoming 4.4 release candidate. CC drivers/net/ethernet/ti/cpsw.o ../drivers/net/ethernet/ti/cpsw.c: In function ‘cpsw_add_dual_emac_def_ale_entries’: ../drivers/net/ethernet/ti/cpsw.c:1112:23: error: ‘cpsw’ undeclared (first use in this function); did you mean ‘cpts’? cpsw_ale_control_set(cpsw->ale, slave_port, ^~~~ cpts ../drivers/net/ethernet/ti/cpsw.c:1112:23: note: each undeclared identifier is reported only once for each function it appears in Thanks, Dan -- Linaro LKFT https://lkft.linaro.org/

7 years, 4 months

2
1
0 0

Applied "spi: spi-s3c64xx: Fix system resume support" to the spi tree

by Mark Brown

The patch spi: spi-s3c64xx: Fix system resume support has been applied to the spi tree at https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi.git All being well this means that it will be integrated into the linux-next tree (usually sometime in the next 24 hours) and sent to Linus during the next merge window (or sooner if it is a bug fix), however if problems are discovered then the patch may be dropped or reverted. You may get further e-mails resulting from automated or manual testing and review of the tree, please engage with people reporting problems and send followup patches addressing any issues that are reported if needed. If any updates are required or you are submitting further changes they should be sent as incremental updates against current git, existing patches will not be replaced. Please add any relevant lists and maintainers to the CCs when replying to this mail. Thanks, Mark >From e935dba111621bd6a0c5d48e6511a4d9885103b4 Mon Sep 17 00:00:00 2001 From: Marek Szyprowski <m.szyprowski(a)samsung.com> Date: Wed, 16 May 2018 10:42:39 +0200 Subject: [PATCH] spi: spi-s3c64xx: Fix system resume support Since Linux v4.10 release (commit 1d9174fbc55e "PM / Runtime: Defer resuming of the device in pm_runtime_force_resume()"), pm_runtime_force_resume() function doesn't runtime resume device if it was not runtime active before system suspend. Thus, driver should not do any register access after pm_runtime_force_resume() without checking the runtime status of the device. To fix this issue, simply move s3c64xx_spi_hwinit() call to s3c64xx_spi_runtime_resume() to ensure that hardware is always properly initialized. This fixes Synchronous external abort issue on system suspend/resume cycle on newer Exynos SoCs. Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Reviewed-by: Krzysztof Kozlowski <krzk(a)kernel.org> Signed-off-by: Mark Brown <broonie(a)kernel.org> Cc: stable(a)vger.kernel.org --- drivers/spi/spi-s3c64xx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c index f55dc78957ad..7b7151ec14c8 100644 --- a/drivers/spi/spi-s3c64xx.c +++ b/drivers/spi/spi-s3c64xx.c @@ -1292,8 +1292,6 @@ static int s3c64xx_spi_resume(struct device *dev) if (ret < 0) return ret; - s3c64xx_spi_hwinit(sdd); - return spi_master_resume(master); } #endif /* CONFIG_PM_SLEEP */ @@ -1331,6 +1329,8 @@ static int s3c64xx_spi_runtime_resume(struct device *dev) if (ret != 0) goto err_disable_src_clk; + s3c64xx_spi_hwinit(sdd); + return 0; err_disable_src_clk: -- 2.17.0

7 years, 4 months

1
0
0 0

net: ieee802154: 6lowpan: fix frag reassembly

by Stefan Schmidt

Hello. Please apply f18fa5de5ba7f1d6650951502bb96a6e4715a948 (net: ieee802154: 6lowpan: fix frag reassembly) to the 4.16.x stable tree. Earlier trees are not needed as the problem was introduced in 4.16. Normally net/ patches would come through DaveM, but he asked me for this one to submit it directly when i sent him the pull request. First time stable request on my side here, let me know if I got something wrong. regards Stefan Schmidt

7 years, 4 months

4
5
0 0

[PATCH v3-UPADATE 2/3] ioremap: Update pgtable free interfaces with addr

by Toshi Kani

From: Chintan Pandya <cpandya(a)codeaurora.org> The following kernel panic was observed on ARM64 platform due to a stale TLB entry. 1. ioremap with 4K size, a valid pte page table is set. 2. iounmap it, its pte entry is set to 0. 3. ioremap the same address with 2M size, update its pmd entry with a new value. 4. CPU may hit an exception because the old pmd entry is still in TLB, which leads to a kernel panic. Commit b6bdb7517c3d ("mm/vmalloc: add interfaces to free unmapped page table") has addressed this panic by falling to pte mappings in the above case on ARM64. To support pmd mappings in all cases, TLB purge needs to be performed in this case on ARM64. Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page() so that TLB purge can be added later in seprate patches. [toshi(a)hpe.com: merge changes, rewrite patch description] Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Chintan Pandya <cpandya(a)codeaurora.org> Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Will Deacon <will.deacon(a)arm.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- v3-UPDATE - Rewrite patch description --- arch/arm64/mm/mmu.c | 4 ++-- arch/x86/mm/pgtable.c | 12 +++++++----- include/asm-generic/pgtable.h | 8 ++++---- lib/ioremap.c | 4 ++-- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 2dbb2c9f1ec1..da98828609a1 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -973,12 +973,12 @@ int pmd_clear_huge(pmd_t *pmdp) return 1; } -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return pud_none(*pud); } -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return pmd_none(*pmd); } diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 3f7180bc5f52..f60fdf411103 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -719,11 +719,12 @@ int pmd_clear_huge(pmd_t *pmd) /** * pud_free_pmd_page - Clear pud entry and free pmd page. * @pud: Pointer to a PUD. + * @addr: Virtual address associated with pud. * * Context: The pud range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { pmd_t *pmd; int i; @@ -734,7 +735,7 @@ int pud_free_pmd_page(pud_t *pud) pmd = (pmd_t *)pud_page_vaddr(*pud); for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i])) + if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) return 0; pud_clear(pud); @@ -746,11 +747,12 @@ int pud_free_pmd_page(pud_t *pud) /** * pmd_free_pte_page - Clear pmd entry and free pte page. * @pmd: Pointer to a PMD. + * @addr: Virtual address associated with pmd. * * Context: The pmd range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { pte_t *pte; @@ -766,7 +768,7 @@ int pmd_free_pte_page(pmd_t *pmd) #else /* !CONFIG_X86_64 */ -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return pud_none(*pud); } @@ -775,7 +777,7 @@ int pud_free_pmd_page(pud_t *pud) * Disable free page handling on x86-PAE. This assures that ioremap() * does not update sync'd pmd entries. See vmalloc_sync_one(). */ -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return pmd_none(*pmd); } diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h index f59639afaa39..b081794ba135 100644 --- a/include/asm-generic/pgtable.h +++ b/include/asm-generic/pgtable.h @@ -1019,8 +1019,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot); int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot); int pud_clear_huge(pud_t *pud); int pmd_clear_huge(pmd_t *pmd); -int pud_free_pmd_page(pud_t *pud); -int pmd_free_pte_page(pmd_t *pmd); +int pud_free_pmd_page(pud_t *pud, unsigned long addr); +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr); #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */ static inline int p4d_set_huge(p4d_t *p4d, phys_addr_t addr, pgprot_t prot) { @@ -1046,11 +1046,11 @@ static inline int pmd_clear_huge(pmd_t *pmd) { return 0; } -static inline int pud_free_pmd_page(pud_t *pud) +static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return 0; } -static inline int pmd_free_pte_page(pmd_t *pmd) +static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return 0; } diff --git a/lib/ioremap.c b/lib/ioremap.c index 54e5bbaa3200..517f5853ffed 100644 --- a/lib/ioremap.c +++ b/lib/ioremap.c @@ -92,7 +92,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, if (ioremap_pmd_enabled() && ((next - addr) == PMD_SIZE) && IS_ALIGNED(phys_addr + addr, PMD_SIZE) && - pmd_free_pte_page(pmd)) { + pmd_free_pte_page(pmd, addr)) { if (pmd_set_huge(pmd, phys_addr + addr, prot)) continue; } @@ -119,7 +119,7 @@ static inline int ioremap_pud_range(p4d_t *p4d, unsigned long addr, if (ioremap_pud_enabled() && ((next - addr) == PUD_SIZE) && IS_ALIGNED(phys_addr + addr, PUD_SIZE) && - pud_free_pmd_page(pud)) { + pud_free_pmd_page(pud, addr)) { if (pud_set_huge(pud, phys_addr + addr, prot)) continue; }

7 years, 4 months

1
0
0 0

[PATCH 1/1] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n

by Coly Li

Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Changelog: v4: Add Acked-by from Kent Overstreet. v3: Use IS_ENABLED(CONFIG_DEBUG_FS) to replace #ifdef DEBUG_FS. v2: Remove a warning information v1: Initial version. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable(a)vger.kernel.org Signed-off-by: Coly Li <colyli(a)suse.de> Reported-by: Massimo B. <massimo.b(a)gmx.net> Reported-by: Kai Krakow <kai(a)kaishome.de> Tested-by: Kai Krakow <kai(a)kaishome.de> Acked-by: Kent Overstreet <kent.overstreet(a)gmail.com> --- drivers/md/bcache/debug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c index 4e63c6f6c04d..d030ce3025a6 100644 --- a/drivers/md/bcache/debug.c +++ b/drivers/md/bcache/debug.c @@ -250,7 +250,9 @@ void bch_debug_exit(void) int __init bch_debug_init(struct kobject *kobj) { - bcache_debug = debugfs_create_dir("bcache", NULL); + if (!IS_ENABLED(CONFIG_DEBUG_FS)) + return 0; + bcache_debug = debugfs_create_dir("bcache", NULL); return IS_ERR_OR_NULL(bcache_debug); } -- 2.16.3

7 years, 4 months

2
1
0 0

[PATCH 5/7] ext4: pass -ESHUTDOWN code to jbd2 layer

by Theodore Ts'o

Previously the jbd2 layer assumed that a file system check would be required after a journal abort. In the case of the deliberate file system shutdown, this should not be necessary. Allow the jbd2 layer to distinguish between these two cases by using the ESHUTDOWN errno. Also add proper locking to __journal_abort_soft(). Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)vger.kernel.org --- fs/ext4/ioctl.c | 4 ++-- fs/jbd2/journal.c | 25 +++++++++++++++++++------ 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 16d3d1325f5b..9ac33a7cbd32 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -493,13 +493,13 @@ static int ext4_shutdown(struct super_block *sb, unsigned long arg) set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); if (sbi->s_journal && !is_journal_aborted(sbi->s_journal)) { (void) ext4_force_commit(sb); - jbd2_journal_abort(sbi->s_journal, 0); + jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN); } break; case EXT4_GOING_FLAGS_NOLOGFLUSH: set_bit(EXT4_FLAGS_SHUTDOWN, &sbi->s_ext4_flags); if (sbi->s_journal && !is_journal_aborted(sbi->s_journal)) - jbd2_journal_abort(sbi->s_journal, 0); + jbd2_journal_abort(sbi->s_journal, -ESHUTDOWN); break; default: return -EINVAL; diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c index 3fbf48ec2188..efa0c72a0b9f 100644 --- a/fs/jbd2/journal.c +++ b/fs/jbd2/journal.c @@ -1483,12 +1483,15 @@ static void jbd2_mark_journal_empty(journal_t *journal, int write_op) void jbd2_journal_update_sb_errno(journal_t *journal) { journal_superblock_t *sb = journal->j_superblock; + int errcode; read_lock(&journal->j_state_lock); - jbd_debug(1, "JBD2: updating superblock error (errno %d)\n", - journal->j_errno); - sb->s_errno = cpu_to_be32(journal->j_errno); + errcode = journal->j_errno; read_unlock(&journal->j_state_lock); + if (errcode == -ESHUTDOWN) + errcode = 0; + jbd_debug(1, "JBD2: updating superblock error (errno %d)\n", errcode); + sb->s_errno = cpu_to_be32(errcode); jbd2_write_superblock(journal, REQ_SYNC | REQ_FUA); } @@ -2105,12 +2108,22 @@ void __jbd2_journal_abort_hard(journal_t *journal) * but don't do any other IO. */ static void __journal_abort_soft (journal_t *journal, int errno) { - if (journal->j_flags & JBD2_ABORT) - return; + int old_errno; - if (!journal->j_errno) + write_lock(&journal->j_state_lock); + old_errno = journal->j_errno; + if (!journal->j_errno || errno == -ESHUTDOWN) journal->j_errno = errno; + if (journal->j_flags & JBD2_ABORT) { + write_unlock(&journal->j_state_lock); + if (!old_errno && old_errno != -ESHUTDOWN && + errno == -ESHUTDOWN) + jbd2_journal_update_sb_errno(journal); + return; + } + write_unlock(&journal->j_state_lock); + __jbd2_journal_abort_hard(journal); if (errno) { -- 2.16.1.72.g5be1f00a9a

7 years, 4 months

3
3
0 0

Re: [PATCH] powerpc/lib: Remove .balign inside string functions for PPC32

by Nicholas Piggin

On Thu, 17 May 2018 16:21:17 +0200 Christophe LEROY <christophe.leroy(a)c-s.fr> wrote: > Le 17/05/2018 à 15:46, Michael Ellerman a écrit : > > Nicholas Piggin <npiggin(a)gmail.com> writes: > > > >> On Thu, 17 May 2018 12:04:13 +0200 (CEST) > >> Christophe Leroy <christophe.leroy(a)c-s.fr> wrote: > >> > >>> commit 87a156fb18fe1 ("Align hot loops of some string functions") > >>> degraded the performance of string functions by adding useless > >>> nops > >>> > >>> A simple benchmark on an 8xx calling 100000x a memchr() that > >>> matches the first byte runs in 41668 TB ticks before this patch > >>> and in 35986 TB ticks after this patch. So this gives an > >>> improvement of approx 10% > >>> > >>> Another benchmark doing the same with a memchr() matching the 128th > >>> byte runs in 1011365 TB ticks before this patch and 1005682 TB ticks > >>> after this patch, so regardless on the number of loops, removing > >>> those useless nops improves the test by 5683 TB ticks. > >>> > >>> Fixes: 87a156fb18fe1 ("Align hot loops of some string functions") > >>> Signed-off-by: Christophe Leroy <christophe.leroy(a)c-s.fr> > >>> --- > >>> Was sent already as part of a serie optimising string functions. > >>> Resending on itself as it is independent of the other changes in the > >>> serie > >>> > >>> arch/powerpc/lib/string.S | 6 ++++++ > >>> 1 file changed, 6 insertions(+) > >>> > >>> diff --git a/arch/powerpc/lib/string.S b/arch/powerpc/lib/string.S > >>> index a787776822d8..a026d8fa8a99 100644 > >>> --- a/arch/powerpc/lib/string.S > >>> +++ b/arch/powerpc/lib/string.S > >>> @@ -23,7 +23,9 @@ _GLOBAL(strncpy) > >>> mtctr r5 > >>> addi r6,r3,-1 > >>> addi r4,r4,-1 > >>> +#ifdef CONFIG_PPC64 > >>> .balign 16 > >>> +#endif > >>> 1: lbzu r0,1(r4) > >>> cmpwi 0,r0,0 > >>> stbu r0,1(r6) > >> > >> The ifdefs are a bit ugly, but you can't argue with the numbers. These > >> alignments should be IFETCH_ALIGN_BYTES, which is intended to optimise > >> the ifetch performance when you have such a loop (although there is > >> always a tradeoff for a single iteration). > >> > >> Would it make sense to define that for 32-bit as well, and you could use > >> it here instead of the ifdefs? Small CPUs could just use 0. > > > > Can we do it with a macro in the header, eg. like: > > > > #ifdef CONFIG_PPC64 > > #define IFETCH_BALIGN .balign IFETCH_ALIGN_BYTES > > #endif > > > > ... > > > > addi r4,r4,-1 > > IFETCH_BALIGN > > 1: lbzu r0,1(r4) > > > > > > Why not just define IFETCH_ALIGN_SHIFT for PPC32 as well in asm/cache.h > ?, then replace the .balign 16 by .balign IFETCH_ALIGN_BYTES (or .align > IFETCH_ALIGN_SHIFT) ? Yeah that's what I was thinking. I would do that. Thanks, Nick

7 years, 4 months

1
0
0 0

[PATCH 2/2] powerpc/powernv: Fix NVRAM sleep in invalid context when crashing

by Nicholas Piggin

Similarly to opal_event_shutdown, opal_nvram_write can be called in the crash path with irqs disabled. Special case the delay to avoid sleeping in invalid context. Cc: stable(a)vger.kernel.org # v3.2 Fixes: 3b8070335f ("powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops") Signed-off-by: Nicholas Piggin <npiggin(a)gmail.com> --- arch/powerpc/platforms/powernv/opal-nvram.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/arch/powerpc/platforms/powernv/opal-nvram.c b/arch/powerpc/platforms/powernv/opal-nvram.c index 1bceb95f422d..5584247f5029 100644 --- a/arch/powerpc/platforms/powernv/opal-nvram.c +++ b/arch/powerpc/platforms/powernv/opal-nvram.c @@ -44,6 +44,10 @@ static ssize_t opal_nvram_read(char *buf, size_t count, loff_t *index) return count; } +/* + * This can be called in the panic path with interrupts off, so use + * mdelay in that case. + */ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) { s64 rc = OPAL_BUSY; @@ -58,10 +62,16 @@ static ssize_t opal_nvram_write(char *buf, size_t count, loff_t *index) while (rc == OPAL_BUSY || rc == OPAL_BUSY_EVENT) { rc = opal_write_nvram(__pa(buf), count, off); if (rc == OPAL_BUSY_EVENT) { - msleep(OPAL_BUSY_DELAY_MS); + if (in_interrupt() || irqs_disabled()) + mdelay(OPAL_BUSY_DELAY_MS); + else + msleep(OPAL_BUSY_DELAY_MS); opal_poll_events(NULL); } else if (rc == OPAL_BUSY) { - msleep(OPAL_BUSY_DELAY_MS); + if (in_interrupt() || irqs_disabled()) + mdelay(OPAL_BUSY_DELAY_MS); + else + msleep(OPAL_BUSY_DELAY_MS); } } -- 2.17.0

7 years, 4 months

2
1
0 0

[PATCH v3] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n

by Coly Li

Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable(a)vger.kernel.org Signed-off-by: Coly Li <colyli(a)suse.de> Reported-by: Massimo B. <massimo.b(a)gmx.net> Reported-by: Kai Krakow <kai(a)kaishome.de> Tested-by: Kai Krakow <kai(a)kaishome.de> Cc: Kent Overstreet <kent.overstreet(a)gmail.com> --- drivers/md/bcache/debug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c index 4e63c6f6c04d..d030ce3025a6 100644 --- a/drivers/md/bcache/debug.c +++ b/drivers/md/bcache/debug.c @@ -250,7 +250,9 @@ void bch_debug_exit(void) int __init bch_debug_init(struct kobject *kobj) { - bcache_debug = debugfs_create_dir("bcache", NULL); + if (!IS_ENABLED(CONFIG_DEBUG_FS)) + return 0; + bcache_debug = debugfs_create_dir("bcache", NULL); return IS_ERR_OR_NULL(bcache_debug); } -- 2.16.3

7 years, 4 months

2
1
0 0

[PATCH v2] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n

by Coly Li

Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable(a)vger.kernel.org Signed-off-by: Coly Li <colyli(a)suse.de> Reported-by: Massimo B. <massimo.b(a)gmx.net> Reported-by: Kai Krakow <kai(a)kaishome.de> Tested-by: Kai Krakow <kai(a)kaishome.de> Cc: Kent Overstreet <kent.overstreet(a)gmail.com> --- drivers/md/bcache/bcache.h | 5 +++++ drivers/md/bcache/debug.c | 8 ++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h index 3a0cfb237af9..5b3fe87f32ee 100644 --- a/drivers/md/bcache/bcache.h +++ b/drivers/md/bcache/bcache.h @@ -994,8 +994,13 @@ void bch_open_buckets_free(struct cache_set *); int bch_cache_allocator_start(struct cache *ca); +#ifdef CONFIG_DEBUG_FS void bch_debug_exit(void); int bch_debug_init(struct kobject *); +#else +static inline void bch_debug_exit(void) {}; +static inline int bch_debug_init(struct kobject *kobj) { return 0; }; +#endif void bch_request_exit(void); int bch_request_init(void); diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c index 4e63c6f6c04d..20e5e524e88e 100644 --- a/drivers/md/bcache/debug.c +++ b/drivers/md/bcache/debug.c @@ -17,8 +17,6 @@ #include <linux/random.h> #include <linux/seq_file.h> -struct dentry *bcache_debug; - #ifdef CONFIG_BCACHE_DEBUG #define for_each_written_bset(b, start, i) \ @@ -151,6 +149,8 @@ void bch_data_verify(struct cached_dev *dc, struct bio *bio) /* XXX: cache set refcounting */ +struct dentry *bcache_debug; + struct dump_iterator { char buf[PAGE_SIZE]; size_t bytes; @@ -240,8 +240,6 @@ void bch_debug_init_cache_set(struct cache_set *c) } } -#endif - void bch_debug_exit(void) { if (!IS_ERR_OR_NULL(bcache_debug)) @@ -254,3 +252,5 @@ int __init bch_debug_init(struct kobject *kobj) return IS_ERR_OR_NULL(bcache_debug); } + +#endif -- 2.16.3

7 years, 4 months

2
2
0 0

[PATCH v3 2/3] ioremap: Update pgtable free interfaces with addr

by Toshi Kani

From: Chintan Pandya <cpandya(a)codeaurora.org> This patch ("mm/vmalloc: Add interfaces to free unmapped page table") adds following 2 interfaces to free the page table in case we implement huge mapping. pud_free_pmd_page() and pmd_free_pte_page() Some architectures (like arm64) needs to do proper TLB maintanance after updating pagetable entry even in map. Why ? Read this, https://patchwork.kernel.org/patch/10134581/ Pass 'addr' in these interfaces so that proper TLB ops can be performed. [toshi(a)hpe.com: merge changes] Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Chintan Pandya <cpandya(a)codeaurora.org> Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: <stable(a)vger.kernel.org> --- arch/arm64/mm/mmu.c | 4 ++-- arch/x86/mm/pgtable.c | 12 +++++++----- include/asm-generic/pgtable.h | 8 ++++---- lib/ioremap.c | 4 ++-- 4 files changed, 15 insertions(+), 13 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 2dbb2c9f1ec1..da98828609a1 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -973,12 +973,12 @@ int pmd_clear_huge(pmd_t *pmdp) return 1; } -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return pud_none(*pud); } -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return pmd_none(*pmd); } diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 3f7180bc5f52..f60fdf411103 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -719,11 +719,12 @@ int pmd_clear_huge(pmd_t *pmd) /** * pud_free_pmd_page - Clear pud entry and free pmd page. * @pud: Pointer to a PUD. + * @addr: Virtual address associated with pud. * * Context: The pud range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { pmd_t *pmd; int i; @@ -734,7 +735,7 @@ int pud_free_pmd_page(pud_t *pud) pmd = (pmd_t *)pud_page_vaddr(*pud); for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i])) + if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) return 0; pud_clear(pud); @@ -746,11 +747,12 @@ int pud_free_pmd_page(pud_t *pud) /** * pmd_free_pte_page - Clear pmd entry and free pte page. * @pmd: Pointer to a PMD. + * @addr: Virtual address associated with pmd. * * Context: The pmd range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { pte_t *pte; @@ -766,7 +768,7 @@ int pmd_free_pte_page(pmd_t *pmd) #else /* !CONFIG_X86_64 */ -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return pud_none(*pud); } @@ -775,7 +777,7 @@ int pud_free_pmd_page(pud_t *pud) * Disable free page handling on x86-PAE. This assures that ioremap() * does not update sync'd pmd entries. See vmalloc_sync_one(). */ -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return pmd_none(*pmd); } diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h index f59639afaa39..b081794ba135 100644 --- a/include/asm-generic/pgtable.h +++ b/include/asm-generic/pgtable.h @@ -1019,8 +1019,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot); int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot); int pud_clear_huge(pud_t *pud); int pmd_clear_huge(pmd_t *pmd); -int pud_free_pmd_page(pud_t *pud); -int pmd_free_pte_page(pmd_t *pmd); +int pud_free_pmd_page(pud_t *pud, unsigned long addr); +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr); #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */ static inline int p4d_set_huge(p4d_t *p4d, phys_addr_t addr, pgprot_t prot) { @@ -1046,11 +1046,11 @@ static inline int pmd_clear_huge(pmd_t *pmd) { return 0; } -static inline int pud_free_pmd_page(pud_t *pud) +static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return 0; } -static inline int pmd_free_pte_page(pmd_t *pmd) +static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return 0; } diff --git a/lib/ioremap.c b/lib/ioremap.c index 54e5bbaa3200..517f5853ffed 100644 --- a/lib/ioremap.c +++ b/lib/ioremap.c @@ -92,7 +92,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, if (ioremap_pmd_enabled() && ((next - addr) == PMD_SIZE) && IS_ALIGNED(phys_addr + addr, PMD_SIZE) && - pmd_free_pte_page(pmd)) { + pmd_free_pte_page(pmd, addr)) { if (pmd_set_huge(pmd, phys_addr + addr, prot)) continue; } @@ -119,7 +119,7 @@ static inline int ioremap_pud_range(p4d_t *p4d, unsigned long addr, if (ioremap_pud_enabled() && ((next - addr) == PUD_SIZE) && IS_ALIGNED(phys_addr + addr, PUD_SIZE) && - pud_free_pmd_page(pud)) { + pud_free_pmd_page(pud, addr)) { if (pud_set_huge(pud, phys_addr + addr, prot)) continue; }

7 years, 4 months

3
2
0 0

FAILED: patch "[PATCH] btrfs: Take trans lock before access running trans in" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 998ac6d21cfd6efd58f5edf420bae8839dda9f2a Mon Sep 17 00:00:00 2001 From: ethanwu <ethanwu(a)synology.com> Date: Sun, 29 Apr 2018 15:59:42 +0800 Subject: [PATCH] btrfs: Take trans lock before access running trans in check_delayed_ref In preivous patch: Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist We avoid starting btrfs transaction and get this information from fs_info->running_transaction directly. When accessing running_transaction in check_delayed_ref, there's a chance that current transaction will be freed by commit transaction after the NULL pointer check of running_transaction is passed. After looking all the other places using fs_info->running_transaction, they are either protected by trans_lock or holding the transactions. Fix this by using trans_lock and increasing the use_count. Fixes: e4c3b2dcd144 ("Btrfs: kill trans in run_delalloc_nocow and btrfs_cross_ref_exist") CC: stable(a)vger.kernel.org # 4.14+ Signed-off-by: ethanwu <ethanwu(a)synology.com> Signed-off-by: David Sterba <dsterba(a)suse.com> diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index f99102063366..3871658b6ab1 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c @@ -3142,7 +3142,11 @@ static noinline int check_delayed_ref(struct btrfs_root *root, struct rb_node *node; int ret = 0; + spin_lock(&root->fs_info->trans_lock); cur_trans = root->fs_info->running_transaction; + if (cur_trans) + refcount_inc(&cur_trans->use_count); + spin_unlock(&root->fs_info->trans_lock); if (!cur_trans) return 0; @@ -3151,6 +3155,7 @@ static noinline int check_delayed_ref(struct btrfs_root *root, head = btrfs_find_delayed_ref_head(delayed_refs, bytenr); if (!head) { spin_unlock(&delayed_refs->lock); + btrfs_put_transaction(cur_trans); return 0; } @@ -3167,6 +3172,7 @@ static noinline int check_delayed_ref(struct btrfs_root *root, mutex_lock(&head->mutex); mutex_unlock(&head->mutex); btrfs_put_delayed_ref_head(head); + btrfs_put_transaction(cur_trans); return -EAGAIN; } spin_unlock(&delayed_refs->lock); @@ -3199,6 +3205,7 @@ static noinline int check_delayed_ref(struct btrfs_root *root, } spin_unlock(&head->lock); mutex_unlock(&head->mutex); + btrfs_put_transaction(cur_trans); return ret; }

7 years, 4 months

3
2
0 0

[PATCH 1/2][stable-4.4] arm64: introduce mov_q macro to move a constant into a 64-bit register

by Suzuki K Poulose

commit 30b5ba5cf333cc650e474eaf2cc1ae91bc7cf89f upstream Implement a macro mov_q that can be used to move an immediate constant into a 64-bit register, using between 2 and 4 movz/movk instructions (depending on the operand) Cc: stable(a)vger.kernel.org # v4.4 Acked-by: Catalin Marinas <catalin.marinas(a)arm.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Signed-off-by: Will Deacon <will.deacon(a)arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> --- Cherry picked for backport of "commit ece1397cbc89c51914fae1aec729539cfd8bd62b upstream" --- arch/arm64/include/asm/assembler.h | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h index 12eff92..83e2309 100644 --- a/arch/arm64/include/asm/assembler.h +++ b/arch/arm64/include/asm/assembler.h @@ -204,4 +204,24 @@ lr .req x30 // link register .size __pi_##x, . - x; \ ENDPROC(x) + /* + * mov_q - move an immediate constant into a 64-bit register using + * between 2 and 4 movz/movk instructions (depending on the + * magnitude and sign of the operand) + */ + .macro mov_q, reg, val + .if (((\val) >> 31) == 0 || ((\val) >> 31) == 0x1ffffffff) + movz \reg, :abs_g1_s:\val + .else + .if (((\val) >> 47) == 0 || ((\val) >> 47) == 0x1ffff) + movz \reg, :abs_g2_s:\val + .else + movz \reg, :abs_g3:\val + movk \reg, :abs_g2_nc:\val + .endif + movk \reg, :abs_g1_nc:\val + .endif + movk \reg, :abs_g0_nc:\val + .endm + #endif /* __ASM_ASSEMBLER_H */ -- 2.7.4

7 years, 4 months

2
2
0 0

[PATCH 4.4 00/72] 4.4.127-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.127 release. There are 72 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Apr 8 08:42:48 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.127-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.127-rc1 Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> net: cavium: liquidio: fix up "Avoid dma_unmap_single on uninitialized ndata" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "cpufreq: Fix governor module removal race" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()" Dan Williams <dan.j.williams(a)intel.com> nospec: Kill array_index_nospec_mask_check() Will Deacon <will.deacon(a)arm.com> nospec: Move array_index_nospec() parameter checking into separate macro Matthias Brugger <matthias.bgg(a)gmail.com> net: hns: Fix ethtool private flags Guoqing Jiang <gqjiang(a)suse.com> md/raid10: reset the 'first' at the end of loop Keerthy <j-keerthy(a)ti.com> ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Keerthy <j-keerthy(a)ti.com> ARM: dts: dra7: Add power hold and power controller properties to palmas Keerthy <j-keerthy(a)ti.com> Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Mike Frysinger <vapier(a)chromium.org> vt: change SGR 21 to follow the standards Ondrej Zary <linux(a)rainbow-software.org> Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Dennis Wassenberg <dennis.wassenberg(a)secunet.com> Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Frank Mori Hess <fmh6jj(a)gmail.com> staging: comedi: ni_mio_common: ack ai fifo error interrupts. Andy Lutomirski <luto(a)kernel.org> fs/proc: Stop trying to report thread stacks Eric Biggers <ebiggers(a)google.com> crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Herbert Xu <herbert(a)gondor.apana.org.au> crypto: ahash - Fix early termination in hash walk Alexander Gerasiov <gq(a)redlab-i.ru> parport_pc: Add support for WCH CH382L PCI-E single parallel port card. Oliver Neukum <oneukum(a)suse.com> media: usbtv: prevent double free in error case Colin Ian King <colin.king(a)canonical.com> mei: remove dev_err message on an unsupported ioctl Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add ELDAT Easywave RX09 id Clemens Werther <clemens.werther(a)gmail.com> USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Major Hayden <major(a)mhtx.net> USB: serial: ftdi_sio: add RT Systems VX-8 cable John Stultz <john.stultz(a)linaro.org> usb: dwc2: Improve gadget state disconnection handling Paolo Bonzini <pbonzini(a)redhat.com> scsi: virtio_scsi: always read VPD pages for multiqueue too Alexander Potapenko <glider(a)google.com> llist: clang: introduce member_address_is_nonnull() Szymon Janc <szymon.janc(a)codecoup.pl> Bluetooth: Fix missing encryption refresh on Security Request Florian Westphal <fw(a)strlen.de> netfilter: x_tables: add and use xt_check_proc_name Florian Westphal <fw(a)strlen.de> netfilter: bridge: ebt_among: add more missing match size checks Steffen Klassert <steffen.klassert(a)secunet.com> xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Hackmann <ghackmann(a)google.com> net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Roland Dreier <roland(a)purestorage.com> RDMA/ucma: Introduce safer rdma_addr_size() variants Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Don't allow join attempts for unsupported AF family Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check that device exists prior to accessing it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check that device is connected prior to access it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Ensure that CM_ID exists prior to access it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Fix use-after-free access in ucma_close Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check AF family prior resolving address Florian Westphal <fw(a)strlen.de> xfrm_user: uncoditionally validate esn replay attribute struct Nick Desaulniers <ndesaulniers(a)google.com> arm64: avoid overflow in VA_START and PAGE_OFFSET Matthias Kaehlcke <mka(a)chromium.org> selinux: Remove redundant check for unknown labeling behavior Matthias Kaehlcke <mka(a)chromium.org> netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Arnd Bergmann <arnd(a)arndb.de> tty: provide tty_name() even without CONFIG_TTY Richard Guy Briggs <rgb(a)redhat.com> audit: add tty field to LOGIN event Matthias Kaehlcke <mka(a)chromium.org> frv: declare jiffies to be located in the .data section Matthias Kaehlcke <mka(a)chromium.org> jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Mark Charlebois <charlebm(a)gmail.com> fs: compat: Remove warning from COMPATIBLE_IOCTL Matthias Kaehlcke <mka(a)chromium.org> selinux: Remove unnecessary check of array base in selinux_set_mapping() Matthias Kaehlcke <mka(a)chromium.org> cpumask: Add helper cpumask_available() Matthias Kaehlcke <mka(a)chromium.org> genirq: Use cpumask_available() for check of cpumask variable Nick Desaulniers <ndesaulniers(a)google.com> netfilter: nf_nat_h323: fix logical-not-parentheses warning Nick Desaulniers <nick.desaulniers(a)gmail.com> Input: mousedev - fix implicit conversion warning Matthias Kaehlcke <mka(a)chromium.org> dm ioctl: remove double parentheses Matthias Kaehlcke <mka(a)chromium.org> PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Kaixu Xia <xiakaixu(a)huawei.com> writeback: fix the wrong congested state variable definition Colin Ian King <colin.king(a)canonical.com> ACPI, PCI, irq: remove redundant check for null string pointer Masami Hiramatsu <mhiramat(a)kernel.org> kprobes/x86: Fix to set RWX bits correctly before releasing trampoline Krzysztof Opasiak <kopasiak90(a)gmail.com> usb: gadget: f_hid: fix: Prevent accessing released memory Felipe F. Tonello <eu(a)felipetonello.com> usb: gadget: align buffer size when allocating for OUT endpoint Felipe F. Tonello <eu(a)felipetonello.com> usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align Felipe F. Tonello <eu(a)felipetonello.com> usb: gadget: change len to size_t on alloc_ep_req() Felipe F. Tonello <eu(a)felipetonello.com> usb: gadget: define free_ep_req as universal function Richard Narron <comet.berkeley(a)gmail.com> partitions/msdos: Unable to mount UFS 44bsd partitions Linus Torvalds <torvalds(a)linux-foundation.org> perf/hwbp: Simplify the perf-hwbp code, fix documentation Dan Carpenter <dan.carpenter(a)oracle.com> ALSA: pcm: potential uninitialized return values Stefan Roese <sr(a)denx.de> ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Linus Walleij <linus.walleij(a)linaro.org> mtd: jedec_probe: Fix crash in jedec_read_mfr() ------------- Diffstat: .../devicetree/bindings/pinctrl/pinctrl-palmas.txt | 9 +++ Documentation/filesystems/proc.txt | 26 --------- Makefile | 4 +- arch/arm/boot/dts/am335x-pepper.dts | 2 +- arch/arm/boot/dts/am57xx-beagle-x15.dts | 1 + arch/arm/boot/dts/dra7-evm.dts | 2 + arch/arm/boot/dts/omap3-n900.dts | 4 +- arch/arm64/include/asm/memory.h | 6 +- arch/frv/include/asm/timex.h | 6 ++ arch/x86/crypto/cast5_avx_glue.c | 3 +- arch/x86/kernel/kprobes/core.c | 9 +++ block/partitions/msdos.c | 4 +- crypto/ahash.c | 7 ++- drivers/acpi/pci_irq.c | 3 - drivers/block/mtip32xx/mtip32xx.c | 36 ++++-------- drivers/cpufreq/cpufreq.c | 6 -- drivers/infiniband/core/addr.c | 16 ++++++ drivers/infiniband/core/ucma.c | 67 +++++++++++++++------- drivers/input/mousedev.c | 62 +++++++++++--------- drivers/input/serio/i8042-x86ia64io.h | 24 ++++++++ drivers/md/dm-ioctl.c | 4 +- drivers/md/raid10.c | 1 + drivers/media/usb/usbtv/usbtv-core.c | 2 + drivers/misc/mei/main.c | 1 - drivers/mtd/chips/jedec_probe.c | 2 + drivers/net/ethernet/cavium/liquidio/lio_main.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 +- drivers/parport/parport_pc.c | 4 ++ drivers/pci/pci-driver.c | 2 + drivers/pci/probe.c | 2 +- drivers/pci/setup-res.c | 2 +- drivers/scsi/virtio_scsi.c | 1 + drivers/spi/spi-davinci.c | 2 +- drivers/staging/comedi/drivers/ni_mio_common.c | 2 + drivers/tty/vt/vt.c | 6 +- drivers/usb/dwc2/hcd.c | 7 ++- drivers/usb/gadget/function/f_hid.c | 24 ++++++-- drivers/usb/gadget/function/f_midi.c | 6 -- drivers/usb/gadget/function/f_sourcesink.c | 6 -- drivers/usb/gadget/function/g_zero.h | 1 - drivers/usb/gadget/u_f.c | 6 +- drivers/usb/gadget/u_f.h | 26 ++++++++- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 9 +++ fs/compat_ioctl.c | 2 +- fs/proc/task_mmu.c | 29 ++++------ fs/proc/task_nommu.c | 28 ++++----- include/linux/audit.h | 24 ++++++++ include/linux/cpumask.h | 10 ++++ include/linux/jiffies.h | 13 ++--- include/linux/llist.h | 21 ++++++- include/linux/netfilter/x_tables.h | 2 + include/linux/nospec.h | 14 ----- include/linux/tty.h | 4 +- include/linux/usb/gadget.h | 17 +++++- include/rdma/ib_addr.h | 2 + include/uapi/linux/pci_regs.h | 2 +- kernel/audit.c | 18 ++---- kernel/auditsc.c | 8 ++- kernel/events/hw_breakpoint.c | 30 +++------- kernel/irq/manage.c | 2 +- kernel/kprobes.c | 2 +- mm/backing-dev.c | 4 +- net/bluetooth/smp.c | 8 ++- net/bridge/netfilter/ebt_among.c | 34 +++++++++++ net/ipv4/netfilter/nf_nat_h323.c | 57 +++++++++--------- net/ipv6/ip6_vti.c | 20 ------- net/netfilter/nf_conntrack_netlink.c | 7 +-- net/netfilter/x_tables.c | 30 ++++++++++ net/netfilter/xt_hashlimit.c | 5 +- net/netfilter/xt_recent.c | 6 +- net/xfrm/xfrm_ipcomp.c | 2 +- net/xfrm/xfrm_state.c | 5 ++ net/xfrm/xfrm_user.c | 21 +++---- security/selinux/hooks.c | 16 ------ security/selinux/ss/services.c | 2 +- sound/core/oss/pcm_oss.c | 4 +- sound/core/pcm_native.c | 2 +- 82 files changed, 522 insertions(+), 357 deletions(-)

7 years, 4 months

6
81
0 0

[PATCH 4.14] xfrm: Use __skb_queue_tail in xfrm_trans_queue

by Alistair Strachan

From: Herbert Xu <herbert(a)gondor.apana.org.au> commit d16b46e4fd8bc6063624605f25b8c0835bb1fbe3 upstream. From: Herbert Xu <herbert(a)gondor.apana.org.au> We do not need locking in xfrm_trans_queue because it is designed to use per-CPU buffers. However, the original code incorrectly used skb_queue_tail which takes the lock. This patch switches it to __skb_queue_tail instead. Fixes the following stack trace seen when testing ipsec: BUG: spinlock bad magic on CPU#1, xfrm_algorithm_/945 lock: 0xffff8fb3dfd1fe78, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 945 Comm: xfrm_algorithm_ Not tainted 4.14.40-00047-g99a610f9568b #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 Call Trace: dump_stack+0xa1/0xd0 ? spin_bug+0x99/0xb0 do_raw_spin_lock+0x5c/0x90 _raw_spin_lock_irqsave+0x33/0x60 skb_queue_tail+0x17/0x40 ? xfrm4_rcv+0x40/0x40 xfrm_trans_queue+0x5c/0xa0 ? nf_hook_slow+0x3d/0xb0 xfrm4_transport_finish+0x1a1/0x1d0 ? xfrm4_transport_finish+0x1d0/0x1d0 xfrm_input+0x7f4/0x920 xfrm4_esp_rcv+0x2e/0x60 ip_local_deliver_finish+0x140/0x210 ip_local_deliver+0xc7/0xf0 ? ip_local_deliver+0xf0/0xf0 ip_rcv+0x2f9/0x410 ? ip_rcv+0x410/0x410 __netif_receive_skb_core+0x927/0xa50 netif_receive_skb_internal+0xef/0x190 ? __skb_get_hash_symmetric+0xbc/0x110 netif_receive_skb+0x90/0xc0 tun_get_user+0xd30/0xfc0 tun_chr_write_iter+0x5a/0x80 __vfs_write+0x10c/0x150 vfs_write+0xdf/0x190 SyS_write+0x4c/0xb0 do_syscall_64+0x59/0x70 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Reported-and-tested-by: Artem Savkov <asavkov(a)redhat.com> Fixes: e095ecaec6d9 ("xfrm: Reinject transport-mode packets...") Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Cc: stable(a)vger.kernel.org Cc: kernel-team(a)android.com Signed-off-by: Alistair Strachan <astrachan(a)google.com> --- net/xfrm/xfrm_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 3f6f6f8c9fa5..5b2409746ae0 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -518,7 +518,7 @@ int xfrm_trans_queue(struct sk_buff *skb, return -ENOBUFS; XFRM_TRANS_SKB_CB(skb)->finish = finish; - skb_queue_tail(&trans->queue, skb); + __skb_queue_tail(&trans->queue, skb); tasklet_schedule(&trans->tasklet); return 0; } -- 2.17.0.441.gb46fe60e1d-goog

7 years, 4 months

2
1
0 0

[PATCH 4.4 00/97] 4.4.129-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.129 release. There are 97 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Tue Apr 24 13:52:47 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.129-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.129-rc1 Greg Thelen <gthelen(a)google.com> writeback: safer lock nesting Amir Goldstein <amir73il(a)gmail.com> fanotify: fix logic of events on child wangguang <wang.guang55(a)zte.com.cn> ext4: bugfix for mmaped pages in mpage_release_unused_pages() Matthew Wilcox <mawilcox(a)microsoft.com> mm/filemap.c: fix NULL pointer in page_cache_tree_insert() Michal Hocko <mhocko(a)suse.com> mm: allow GFP_{FS,IO} for page_cache_read page cache allocation Ian Kent <raven(a)themaw.net> autofs: mount point create should honour passed in mode Al Viro <viro(a)zeniv.linux.org.uk> Don't leak MNT_INTERNAL away from internal mounts Al Viro <viro(a)zeniv.linux.org.uk> rpc_pipefs: fix double-dput() Al Viro <viro(a)zeniv.linux.org.uk> hypfs_kill_super(): deal with failed allocations Al Viro <viro(a)zeniv.linux.org.uk> jffs2_kill_sb(): deal with failed allocations Michael Ellerman <mpe(a)ellerman.id.au> powerpc/lib: Fix off-by-one in alternate feature patching Michael Neuling <mikey(a)neuling.org> powerpc/eeh: Fix enabling bridge MMIO windows Matt Redfearn <matt.redfearn(a)mips.com> MIPS: memset.S: Fix clobber of v1 in last_fixup Matt Redfearn <matt.redfearn(a)mips.com> MIPS: memset.S: Fix return of __clear_user from Lpartial_fixup Matt Redfearn <matt.redfearn(a)mips.com> MIPS: memset.S: EVA & fault support for small_memset Matt Redfearn <matt.redfearn(a)mips.com> MIPS: uaccess: Add micromips clobbers to bzero invocation Rodrigo Rivas Costa <rodrigorivascosta(a)gmail.com> HID: hidraw: Fix crash on HIDIOCGFEATURE with a destroyed device David Wang <davidwang(a)zhaoxin.com> ALSA: hda - New VIA controller suppor no-snoop path Takashi Iwai <tiwai(a)suse.de> ALSA: rawmidi: Fix missing input substream checks in compat ioctls Fabián Inostroza <soulsonceonfire(a)gmail.com> ALSA: line6: Use correct endpoint type for midi output Theodore Ts'o <tytso(a)mit.edu> ext4: fix deadlock between inline_data and ext4_expand_extra_isize_ea() Jan Kara <jack(a)suse.cz> ext4: fix crashes in dioread_nolock mode Paul Parsons <lost.distance(a)yahoo.com> drm/radeon: Fix PCIe lane width calculation Theodore Ts'o <tytso(a)mit.edu> ext4: don't allow r/w mounts if metadata blocks overlap the superblock Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Virtualize Maximum Read Request Size Alex Williamson <alex.williamson(a)redhat.com> vfio/pci: Virtualize Maximum Payload Size Alex Williamson <alex.williamson(a)redhat.com> vfio-pci: Virtualize PCIe & AF FLR Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix endless loop for XRUN recovery in OSS emulation Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix mutex unbalance in OSS emulation ioctls Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Return -EBUSY for OSS ioctls changing busy streams Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Avoid potential races between OSS ioctls and read/write Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Use ERESTARTSYS instead of EINTR in OSS emulation Nicholas Mc Guire <hofrat(a)osadl.org> ALSA: oss: consolidate kmalloc/memset 0 call to kzalloc Igor Pylypiv <igor.pylypiv(a)gmail.com> watchdog: f71808e_wdt: Fix WD_EN register read Mikhail Lappo <mikhail.lappo(a)esrlabs.com> thermal: imx: Fix race condition in imx_thermal_probe() Boris Brezillon <boris.brezillon(a)bootlin.com> clk: bcm2835: De-assert/assert PLL reset signal when appropriate Richard Genoud <richard.genoud(a)gmail.com> clk: mvebu: armada-38x: add support for missing clocks Ralph Sennhauser <ralph.sennhauser(a)gmail.com> clk: mvebu: armada-38x: add support for 1866MHz variants Alex Smith <alex.smith(a)imgtec.com> mmc: jz4740: Fix race condition in IRQ mask update Lu Baolu <baolu.lu(a)linux.intel.com> iommu/vt-d: Fix a potential memory leak Krzysztof Mazur <krzysiek(a)podlesie.net> um: Use POSIX ucontext_t instead of struct ucontext Maxime Jayat <maxime.jayat(a)mobile-devices.fr> dmaengine: at_xdmac: fix rare residue corruption Bart Van Assche <bart.vanassche(a)wdc.com> IB/srp: Fix completion vector assignment algorithm Bart Van Assche <bart.vanassche(a)wdc.com> IB/srp: Fix srp_abort() Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Fix UAF at PCM release via PCM timer access Roland Dreier <roland(a)purestorage.com> RDMA/ucma: Don't allow setting RDMA_OPTION_IB_PATH without an RDMA device Theodore Ts'o <tytso(a)mit.edu> ext4: fail ext4_iget for root directory if unallocated Theodore Ts'o <tytso(a)mit.edu> ext4: add validity checks for bitmap block numbers Theodore Ts'o <tytso(a)mit.edu> ext4: don't update checksum of new initialized bitmaps Theodore Ts'o <tytso(a)mit.edu> jbd2: if the journal is aborted then don't allow update of the log tail Theodore Ts'o <tytso(a)mit.edu> random: use a tighter cap in credit_entropy_bits_safe() Mika Westerberg <mika.westerberg(a)linux.intel.com> thunderbolt: Resume control channel after hibernation image is created James Kelly <jamespeterkelly(a)gmail.com> ASoC: ssm2602: Replace reg_default_raw with reg_default Aaron Ma <aaron.ma(a)canonical.com> HID: core: Fix size as type u32 Aaron Ma <aaron.ma(a)canonical.com> HID: Fix hid_report_len usage Nicholas Piggin <npiggin(a)gmail.com> powerpc/powernv: Fix OPAL NVRAM driver OPAL_BUSY loops Nicholas Piggin <npiggin(a)gmail.com> powerpc/64: Fix smp_wmb barrier definition use use lwsync consistently Nicholas Piggin <npiggin(a)gmail.com> powerpc/powernv: Handle unknown OPAL errors in opal_nvram_write() Aaron Ma <aaron.ma(a)canonical.com> HID: i2c-hid: fix size check and type usage Thinh Nguyen <Thinh.Nguyen(a)synopsys.com> usb: dwc3: pci: Properly cleanup resource Zhengjun Xing <zhengjun.xing(a)linux.intel.com> USB:fix USB3 devices behind USB3 hubs not resuming at hibernate thaw Mika Westerberg <mika.westerberg(a)linux.intel.com> ACPI / hotplug / PCI: Check presence of slot itself in get_slot_status() Hans de Goede <hdegoede(a)redhat.com> ACPI / video: Add quirk to force acpi-video backlight on Samsung 670Z5E Dan Carpenter <dan.carpenter(a)oracle.com> regmap: Fix reversed bounds check in regmap_raw_write() Jason Andryuk <jandryuk(a)gmail.com> xen-netfront: Fix hang on device removal Santiago Esteban <Santiago.Esteban(a)microchip.com> ARM: dts: at91: sama5d4: fix pinctrl compatible string Nicolas Ferre <nicolas.ferre(a)microchip.com> ARM: dts: at91: at91sam9g25: fix mux-mask pinctrl property Heinrich Schuchardt <xypron.glpk(a)gmx.de> usb: musb: gadget: misplaced out of bounds check Vlastimil Babka <vbabka(a)suse.cz> mm, slab: reschedule cache_reap() on the same CPU Eric Biggers <ebiggers(a)google.com> ipc/shm: fix use-after-free of shm file via remap_file_pages() Takashi Iwai <tiwai(a)suse.de> resource: fix integer overflow at reallocation Andrew Morton <akpm(a)linux-foundation.org> fs/reiserfs/journal.c: add missing resierfs_warning() arg Richard Weinberger <richard(a)nod.at> ubi: Reject MLC NAND Romain Izard <romain.izard.pro(a)gmail.com> ubi: Fix error for write access Richard Weinberger <richard(a)nod.at> ubi: fastmap: Don't flush fastmap work on detach Richard Weinberger <richard(a)nod.at> ubifs: Check ubifs_wbuf_sync() return code Tejun Heo <tj(a)kernel.org> tty: make n_tty_read() always abort if hangup is in progress Ville Syrjälä <ville.syrjala(a)linux.intel.com> x86/hweight: Don't clobber %rdi Borislav Petkov <bp(a)suse.de> x86/hweight: Get rid of the special calling convention Phil Elwell <phil(a)raspberrypi.org> lan78xx: Correctly indicate invalid OTP Tejaswi Tanikella <tejaswit(a)codeaurora.org> slip: Check if rstate is initialized before uncompressing Bassem Boubaker <bassem.boubaker(a)actia.fr> cdc_ether: flag the Cinterion AHS8 modem by gemalto as WWAN Marek Szyprowski <m.szyprowski(a)samsung.com> hwmon: (ina2xx) Fix access to uninitialized mutex Sudhir Sreedharan <ssreedharan(a)mvista.com> rtl8187: Fix NULL pointer dereference in priv->conf_mutex Al Viro <viro(a)zeniv.linux.org.uk> getname_kernel() needs to make sure that ->name != ->iname in long case Vasily Gorbik <gor(a)linux.ibm.com> s390/ipl: ensure loadparm valid flag is set Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qdio: don't merge ERROR output buffers Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qdio: don't retry EQBS after CCQ 96 Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> block/loop: fix deadlock after loop_set_status Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "perf tests: Decompress kernel module before objdump" Arnd Bergmann <arnd(a)arndb.de> radeon: hide pointless #warning when compile testing Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix timestamp following overflow Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix error recovery from missing TIP packet Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix sync_switch Adrian Hunter <adrian.hunter(a)intel.com> perf intel-pt: Fix overlap detection to identify consecutive buffers correctly Helge Deller <deller(a)gmx.de> parisc: Fix out of array access in match_pci_device() Mauro Carvalho Chehab <mchehab(a)s-opensource.com> media: v4l2-compat-ioctl32: don't oops on overlay ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/at91sam9g25.dtsi | 2 +- arch/arm/boot/dts/sama5d4.dtsi | 2 +- arch/mips/include/asm/uaccess.h | 11 +- arch/mips/lib/memset.S | 11 +- arch/parisc/kernel/drivers.c | 4 + arch/powerpc/include/asm/barrier.h | 3 +- arch/powerpc/include/asm/synch.h | 4 - arch/powerpc/kernel/eeh_pe.c | 3 +- arch/powerpc/lib/feature-fixups.c | 2 +- arch/powerpc/platforms/powernv/opal-nvram.c | 11 +- arch/s390/hypfs/inode.c | 2 +- arch/s390/kernel/ipl.c | 1 + arch/um/os-Linux/signal.c | 2 +- arch/x86/Kconfig | 5 - arch/x86/include/asm/arch_hweight.h | 24 ++- arch/x86/kernel/i386_ksyms_32.c | 2 + arch/x86/kernel/x8664_ksyms_64.c | 3 + arch/x86/lib/Makefile | 2 +- arch/x86/lib/hweight.S | 79 +++++++++ arch/x86/um/stub_segv.c | 2 +- drivers/acpi/video_detect.c | 9 + drivers/base/regmap/regmap.c | 2 +- drivers/block/loop.c | 12 +- drivers/char/random.c | 2 +- drivers/clk/bcm/clk-bcm2835.c | 8 +- drivers/clk/mvebu/armada-38x.c | 15 +- drivers/dma/at_xdmac.c | 4 +- drivers/gpu/drm/radeon/radeon_object.c | 3 +- drivers/gpu/drm/radeon/si_dpm.c | 4 +- drivers/hid/hid-core.c | 10 +- drivers/hid/hid-input.c | 3 +- drivers/hid/hid-multitouch.c | 5 +- drivers/hid/hid-rmi.c | 4 +- drivers/hid/hidraw.c | 5 + drivers/hid/i2c-hid/i2c-hid.c | 13 +- drivers/hwmon/ina2xx.c | 3 +- drivers/infiniband/core/ucma.c | 3 + drivers/infiniband/ulp/srp/ib_srp.c | 18 +- drivers/iommu/intel-svm.c | 1 + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 4 +- drivers/mmc/host/jz4740_mmc.c | 2 +- drivers/mtd/ubi/block.c | 2 +- drivers/mtd/ubi/build.c | 11 ++ drivers/mtd/ubi/fastmap-wl.c | 1 - drivers/net/slip/slhc.c | 5 + drivers/net/usb/cdc_ether.c | 6 + drivers/net/usb/lan78xx.c | 3 +- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 2 +- drivers/net/xen-netfront.c | 7 +- drivers/pci/hotplug/acpiphp_glue.c | 23 ++- drivers/s390/cio/qdio_main.c | 42 ++--- drivers/thermal/imx_thermal.c | 6 +- drivers/thunderbolt/nhi.c | 1 + drivers/tty/n_tty.c | 6 + drivers/tty/tty_io.c | 9 + drivers/usb/core/generic.c | 9 +- drivers/usb/dwc3/dwc3-pci.c | 2 +- drivers/usb/musb/musb_gadget_ep0.c | 14 +- drivers/vfio/pci/vfio_pci_config.c | 107 +++++++++++- drivers/watchdog/f71808e_wdt.c | 2 +- fs/autofs4/root.c | 2 +- fs/ext4/balloc.c | 19 ++- fs/ext4/ialloc.c | 54 ++---- fs/ext4/inline.c | 66 ++++--- fs/ext4/inode.c | 48 +++--- fs/ext4/super.c | 6 + fs/ext4/xattr.c | 30 ++-- fs/ext4/xattr.h | 32 ++++ fs/fs-writeback.c | 7 +- fs/jbd2/journal.c | 5 +- fs/jffs2/super.c | 2 +- fs/namei.c | 3 +- fs/namespace.c | 3 +- fs/notify/fanotify/fanotify.c | 34 ++-- fs/reiserfs/journal.c | 2 +- fs/ubifs/super.c | 14 +- include/linux/backing-dev-defs.h | 5 + include/linux/backing-dev.h | 31 ++-- include/linux/hid.h | 6 +- include/linux/mm.h | 4 + include/linux/tty.h | 1 + include/net/slhc_vj.h | 1 + include/sound/pcm_oss.h | 1 + ipc/shm.c | 23 ++- kernel/resource.c | 3 +- lib/Makefile | 2 - lib/hweight.c | 4 + mm/filemap.c | 16 +- mm/memory.c | 17 ++ mm/page-writeback.c | 18 +- mm/slab.c | 3 +- net/sunrpc/rpc_pipe.c | 1 + sound/core/oss/pcm_oss.c | 189 ++++++++++++++++----- sound/core/pcm.c | 8 +- sound/core/rawmidi_compat.c | 18 +- sound/pci/hda/hda_intel.c | 3 +- sound/soc/codecs/ssm2602.c | 19 ++- sound/usb/line6/midi.c | 2 +- tools/perf/tests/code-reading.c | 20 +-- .../perf/util/intel-pt-decoder/intel-pt-decoder.c | 64 ++++--- .../perf/util/intel-pt-decoder/intel-pt-decoder.h | 2 +- tools/perf/util/intel-pt.c | 37 +++- 103 files changed, 943 insertions(+), 449 deletions(-)

7 years, 4 months

8
103
0 0

[PATCH] sched/rt: fix call to cpufreq_update_util

by Vincent Guittot

With commit 8f111bc357aa ("cpufreq/schedutil: Rewrite CPUFREQ_RT support") schedutil governor uses rq->rt.rt_nr_running to detect whether a RT task is currently running on the CPU and to set frequency to max if necessary. cpufreq_update_util() is called in enqueue/dequeue_top_rt_rq() but rq->rt.rt_nr_running as not been updated yet when dequeue_top_rt_rq() is called so schedutil still considers that a RT task is running when the last task is dequeued. The update of rq->rt.rt_nr_running happens later in dequeue_rt_stack() Fixes: 8f111bc357aa ('cpufreq/schedutil: Rewrite CPUFREQ_RT support') Cc: <stable(a)vger.kernel.org> # v4.16+ Signed-off-by: Vincent Guittot <vincent.guittot(a)linaro.org> --- kernel/sched/rt.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/kernel/sched/rt.c b/kernel/sched/rt.c index 7aef6b4..6e74d3d 100644 --- a/kernel/sched/rt.c +++ b/kernel/sched/rt.c @@ -1001,8 +1001,6 @@ dequeue_top_rt_rq(struct rt_rq *rt_rq) sub_nr_running(rq, rt_rq->rt_nr_running); rt_rq->rt_queued = 0; - /* Kick cpufreq (see the comment in kernel/sched/sched.h). */ - cpufreq_update_util(rq, 0); } static void @@ -1288,6 +1286,9 @@ static void dequeue_rt_stack(struct sched_rt_entity *rt_se, unsigned int flags) if (on_rt_rq(rt_se)) __dequeue_rt_entity(rt_se, flags); } + + /* Kick cpufreq (see the comment in kernel/sched/sched.h). */ + cpufreq_update_util(rq_of_rt_rq(rt_rq_of_se(back)), 0); } static void enqueue_rt_entity(struct sched_rt_entity *rt_se, unsigned int flags) -- 2.7.4

7 years, 4 months

2
2
0 0

[PATCH v3 1/3] x86/mm: disable ioremap free page handling on x86-PAE

by Toshi Kani

ioremap() supports pmd mappings on x86-PAE. However, kernel's pmd tables are not shared among processes on x86-PAE. Therefore, any update to sync'd pmd entries need re-syncing. Freeing a pte page also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one(). Disable free page handling on x86-PAE. pud_free_pmd_page() and pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present. This assures that ioremap() does not update sync'd pmd entries at the cost of falling back to pte mappings. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Reported-by: Joerg Roedel <joro(a)8bytes.org> Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- arch/x86/mm/pgtable.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index ffc8c13c50e4..3f7180bc5f52 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -715,6 +715,7 @@ int pmd_clear_huge(pmd_t *pmd) return 0; } +#ifdef CONFIG_X86_64 /** * pud_free_pmd_page - Clear pud entry and free pmd page. * @pud: Pointer to a PUD. @@ -762,4 +763,22 @@ int pmd_free_pte_page(pmd_t *pmd) return 1; } + +#else /* !CONFIG_X86_64 */ + +int pud_free_pmd_page(pud_t *pud) +{ + return pud_none(*pud); +} + +/* + * Disable free page handling on x86-PAE. This assures that ioremap() + * does not update sync'd pmd entries. See vmalloc_sync_one(). + */ +int pmd_free_pte_page(pmd_t *pmd) +{ + return pmd_none(*pmd); +} + +#endif /* CONFIG_X86_64 */ #endif /* CONFIG_HAVE_ARCH_HUGE_VMAP */

7 years, 4 months

1
0
0 0

[PATCH] media: gl861: fix probe of dvb_usb_gl861

by mika.batsman＠gmail.com

From: Mika Båtsman <mika.batsman(a)gmail.com> Probe of dvb_usb_gl861 was working at least with v4.4. Noticed the issue with v4.13 but according to similar issues the problem started with v4.9. [ 15.288065] transfer buffer not dma capable [ 15.288090] WARNING: CPU: 2 PID: 493 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x4e2/0x640 ...CUT... [ 15.288791] dvb_usb_gl861: probe of 3-7:1.0 failed with error -5 Tested with MSI Mega Sky 580 DVB-T Tuner [GL861] Cc: stable(a)vger.kernel.org Signed-off-by: Mika Båtsman <mika.batsman(a)gmail.com> --- drivers/media/usb/dvb-usb-v2/gl861.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c index b1b09c5..0a988e3 100644 --- a/drivers/media/usb/dvb-usb-v2/gl861.c +++ b/drivers/media/usb/dvb-usb-v2/gl861.c @@ -20,15 +20,22 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr, u16 value = addr << (8 + 1); int wo = (rbuf == NULL || rlen == 0); /* write-only */ u8 req, type; + int ret; + void *dmadata; if (wo) { req = GL861_REQ_I2C_WRITE; type = GL861_WRITE; + dmadata = kmemdup(wbuf, wlen, GFP_KERNEL); } else { /* rw */ req = GL861_REQ_I2C_READ; type = GL861_READ; + dmadata = kmalloc(rlen, GFP_KERNEL); } + if (!dmadata) + return -ENOMEM; + switch (wlen) { case 1: index = wbuf[0]; @@ -45,8 +52,14 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr, msleep(1); /* avoid I2C errors */ - return usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, - value, index, rbuf, rlen, 2000); + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, + value, index, dmadata, rlen, 2000); + + if (!wo) + memcpy(rbuf, dmadata, rlen); + + kfree(dmadata); + return ret; } /* I2C */ -- 2.7.4

7 years, 4 months

1
0
0 0

[PATCH] media: gl861: fix probe of dvb_usb_gl861

by mika.batsman＠gmail.com

From: Mika Båtsman <mika.batsman(a)gmail.com> Probe of dvb_usb_gl861 was working at least with v4.4. Noticed the issue with v4.13 but according to similar issues the problem started with v4.9. [ 15.288065] transfer buffer not dma capable [ 15.288090] WARNING: CPU: 2 PID: 493 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x4e2/0x640 ...CUT... [ 15.288791] dvb_usb_gl861: probe of 3-7:1.0 failed with error -5 Tested with MSI Mega Sky 580 DVB-T Tuner [GL861] Cc: stable(a)vger.kernel.org Signed-off-by: Mika Båtsman <mika.batsman(a)gmail.com> --- drivers/media/usb/dvb-usb-v2/gl861.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/drivers/media/usb/dvb-usb-v2/gl861.c b/drivers/media/usb/dvb-usb-v2/gl861.c index b1b09c5..0a988e3 100644 --- a/drivers/media/usb/dvb-usb-v2/gl861.c +++ b/drivers/media/usb/dvb-usb-v2/gl861.c @@ -20,15 +20,22 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr, u16 value = addr << (8 + 1); int wo = (rbuf == NULL || rlen == 0); /* write-only */ u8 req, type; + int ret; + void *dmadata; if (wo) { req = GL861_REQ_I2C_WRITE; type = GL861_WRITE; + dmadata = kmemdup(wbuf, wlen, GFP_KERNEL); } else { /* rw */ req = GL861_REQ_I2C_READ; type = GL861_READ; + dmadata = kmalloc(rlen, GFP_KERNEL); } + if (!dmadata) + return -ENOMEM; + switch (wlen) { case 1: index = wbuf[0]; @@ -45,8 +52,14 @@ static int gl861_i2c_msg(struct dvb_usb_device *d, u8 addr, msleep(1); /* avoid I2C errors */ - return usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, - value, index, rbuf, rlen, 2000); + ret = usb_control_msg(d->udev, usb_rcvctrlpipe(d->udev, 0), req, type, + value, index, dmadata, rlen, 2000); + + if (!wo) + memcpy(rbuf, dmadata, rlen); + + kfree(dmadata); + return ret; } /* I2C */ -- 2.7.4

7 years, 4 months

1
0
0 0

[PATCH] ubi: fastmap: Cancel work upon detach

by Richard Weinberger

Ben Hutchings pointed out that 29b7a6fa1ec0 ("ubi: fastmap: Don't flush fastmap work on detach") does not really fix the problem, it just reduces the risk to hit the race window where fastmap work races against free()'ing ubi->volumes[]. The correct approach is making sure that no more fastmap work is in progress before we free ubi data structures. So we cancel fastmap work right after the ubi background thread is stopped. By setting ubi->thread_enabled to zero we make sure that no further work tries to wake the thread. Fixes: 29b7a6fa1ec0 ("ubi: fastmap: Don't flush fastmap work on detach") Fixes: 74cdaf24004a ("UBI: Fastmap: Fix memory leaks while closing the WL sub-system") Cc: stable(a)vger.kernel.org Cc: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Cc: Martin Townsend <mtownsend1973(a)gmail.com> Signed-off-by: Richard Weinberger <richard(a)nod.at> --- drivers/mtd/ubi/build.c | 3 +++ drivers/mtd/ubi/wl.c | 4 +--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/ubi/build.c b/drivers/mtd/ubi/build.c index 6326a02e4568..0cf3356424cd 100644 --- a/drivers/mtd/ubi/build.c +++ b/drivers/mtd/ubi/build.c @@ -1100,6 +1100,9 @@ int ubi_detach_mtd_dev(int ubi_num, int anyway) if (ubi->bgt_thread) kthread_stop(ubi->bgt_thread); +#ifdef CONFIG_MTD_UBI_FASTMAP + cancel_work_sync(&ubi->fm_work); +#endif ubi_debugfs_exit_dev(ubi); uif_close(ubi); diff --git a/drivers/mtd/ubi/wl.c b/drivers/mtd/ubi/wl.c index 3cc302924899..6bbb968fe9da 100644 --- a/drivers/mtd/ubi/wl.c +++ b/drivers/mtd/ubi/wl.c @@ -1505,6 +1505,7 @@ int ubi_thread(void *u) } dbg_wl("background thread \"%s\" is killed", ubi->bgt_name); + ubi->thread_enabled = 0; return 0; } @@ -1514,9 +1515,6 @@ int ubi_thread(void *u) */ static void shutdown_work(struct ubi_device *ubi) { -#ifdef CONFIG_MTD_UBI_FASTMAP - flush_work(&ubi->fm_work); -#endif while (!list_empty(&ubi->works)) { struct ubi_work *wrk; -- 2.13.6

7 years, 4 months

1
0
0 0

[PATCH 4/7] nbd: use bd_set_size when updating disk size

by Josef Bacik

From: Josef Bacik <jbacik(a)fb.com> When we stopped relying on the bdev everywhere I broke updating the block device size on the fly, which ceph relies on. We can't just do set_capacity, we also have to do bd_set_size so things like parted will notice the device size change. Fixes: 29eaadc ("nbd: stop using the bdev everywhere") cc: stable(a)vger.kernel.org Signed-off-by: Josef Bacik <jbacik(a)fb.com> --- drivers/block/nbd.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index b709abf3cb79..64278f472efe 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -234,9 +234,18 @@ static void nbd_size_clear(struct nbd_device *nbd) static void nbd_size_update(struct nbd_device *nbd) { struct nbd_config *config = nbd->config; + struct block_device *bdev = bdget_disk(nbd->disk, 0); + blk_queue_logical_block_size(nbd->disk->queue, config->blksize); blk_queue_physical_block_size(nbd->disk->queue, config->blksize); set_capacity(nbd->disk, config->bytesize >> 9); + if (bdev) { + if (bdev->bd_disk) + bd_set_size(bdev, config->bytesize); + else + bdev->bd_invalidated = 1; + bdput(bdev); + } kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE); } @@ -1114,7 +1123,6 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b if (ret) return ret; - bd_set_size(bdev, config->bytesize); if (max_part) bdev->bd_invalidated = 1; mutex_unlock(&nbd->config_lock); -- 2.14.3

7 years, 4 months

1
0
0 0

[PATCH 3/7] nbd: update size when connected

by Josef Bacik

From: Josef Bacik <jbacik(a)fb.com> I messed up changing the size of an NBD device while it was connected by not actually updating the device or doing the uevent. Fix this by updating everything if we're connected and we change the size. cc: stable(a)vger.kernel.org Fixes: 639812a ("nbd: don't set the device size until we're connected") Signed-off-by: Josef Bacik <jbacik(a)fb.com> --- drivers/block/nbd.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 9710a0c338b0..b709abf3cb79 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -246,6 +246,8 @@ static void nbd_size_set(struct nbd_device *nbd, loff_t blocksize, struct nbd_config *config = nbd->config; config->blksize = blocksize; config->bytesize = blocksize * nr_blocks; + if (nbd->task_recv != NULL) + nbd_size_update(nbd); } static void nbd_complete_rq(struct request *req) -- 2.14.3

7 years, 4 months

1
0
0 0

[PATCH 2/7] nbd: fix nbd device deletion

by Josef Bacik

From: Josef Bacik <jbacik(a)fb.com> This fixes a use after free bug, we shouldn't be doing disk->queue right after we do del_gendisk(disk). Save the queue and do the cleanup after the del_gendisk. Fixes: c6a4759ea0c9 ("nbd: add device refcounting") cc: stable(a)vger.kernel.org Signed-off-by: Josef Bacik <jbacik(a)fb.com> --- drivers/block/nbd.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index afbc202ca6fd..9710a0c338b0 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -173,9 +173,12 @@ static const struct device_attribute pid_attr = { static void nbd_dev_remove(struct nbd_device *nbd) { struct gendisk *disk = nbd->disk; + struct request_queue *q; + if (disk) { + q = disk->queue; del_gendisk(disk); - blk_cleanup_queue(disk->queue); + blk_cleanup_queue(q); blk_mq_free_tag_set(&nbd->tag_set); disk->private_data = NULL; put_disk(disk); -- 2.14.3

7 years, 4 months

1
0
0 0

Linux 4.16.9

by Greg KH

I'm announcing the release of the 4.16.9 kernel. All users of the 4.16 kernel series must upgrade. The updated 4.16.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.16.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/arm/boot/dts/imx35.dtsi | 4 arch/arm/boot/dts/imx53.dtsi | 4 arch/x86/events/core.c | 8 + arch/x86/events/intel/cstate.c | 2 arch/x86/events/msr.c | 9 + crypto/af_alg.c | 8 - drivers/ata/libata-core.c | 3 drivers/atm/zatm.c | 3 drivers/bluetooth/btusb.c | 19 +++ drivers/clk/ti/clock.h | 9 + drivers/gpio/gpio-aspeed.c | 2 drivers/gpio/gpiolib.c | 7 - drivers/gpu/drm/drm_atomic.c | 8 + drivers/gpu/drm/i915/intel_cdclk.c | 41 +++++++- drivers/gpu/drm/i915/intel_dp.c | 20 ---- drivers/gpu/drm/i915/intel_lvds.c | 3 drivers/gpu/drm/nouveau/nouveau_bo.c | 1 drivers/gpu/drm/nouveau/nouveau_bo.h | 2 drivers/gpu/drm/nouveau/nouveau_ttm.c | 6 - drivers/gpu/drm/nouveau/nv50_display.c | 7 - drivers/gpu/drm/ttm/ttm_page_alloc.c | 11 +- drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 3 drivers/gpu/drm/vc4/vc4_plane.c | 2 drivers/i2c/i2c-dev.c | 2 drivers/md/dm-integrity.c | 2 drivers/mtd/nand/marvell_nand.c | 12 +- drivers/net/can/flexcan.c | 26 ++--- drivers/net/can/spi/hi311x.c | 11 +- drivers/net/can/usb/kvaser_usb.c | 2 drivers/nvme/host/core.c | 3 drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 12 ++ drivers/pci/pci.c | 37 +++++-- drivers/thermal/samsung/exynos_tmu.c | 14 ++ fs/ceph/file.c | 10 +- fs/cifs/cifsfs.c | 13 ++ fs/fs-writeback.c | 2 include/linux/bpf.h | 4 include/linux/oom.h | 2 include/linux/wait_bit.h | 17 +++ include/net/inet_timewait_sock.h | 1 include/net/nexthop.h | 2 kernel/bpf/core.c | 45 +++++---- kernel/compat.c | 1 kernel/events/callchain.c | 10 -- kernel/events/ring_buffer.c | 7 + kernel/sched/autogroup.c | 7 + kernel/sched/core.c | 7 + kernel/sched/cpufreq_schedutil.c | 3 kernel/trace/bpf_trace.c | 25 ++++- kernel/trace/trace_events_filter.c | 3 kernel/trace/trace_uprobe.c | 2 lib/swiotlb.c | 2 mm/backing-dev.c | 3 mm/memcontrol.c | 3 mm/mmap.c | 44 +++++--- mm/oom_kill.c | 81 ++++++++-------- mm/sparse.c | 2 mm/z3fold.c | 42 ++++++-- net/atm/lec.c | 9 + net/bridge/netfilter/ebtables.c | 11 +- net/core/dev_addr_lists.c | 4 net/core/skbuff.c | 1 net/dccp/ipv4.c | 1 net/dccp/ipv6.c | 1 net/ipv4/inet_timewait_sock.c | 1 net/ipv4/inetpeer.c | 1 net/ipv4/route.c | 11 +- net/ipv4/tcp.c | 2 net/kcm/kcmsock.c | 1 net/netfilter/ipvs/ip_vs_ctl.c | 8 - net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++--------------- net/netlink/af_netlink.c | 2 net/rds/tcp.c | 17 +-- net/rfkill/rfkill-gpio.c | 7 + 76 files changed, 557 insertions(+), 323 deletions(-) Alexander Popov (1): i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() Ben Skeggs (1): drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client Boris Brezillon (1): drm/vc4: Fix scaling of uni-planar formats Charles Machalow (1): nvme: Fix sync controller reset return Chris Packham (1): mtd: rawnand: marvell: pass ms delay to wait_op David Rientjes (1): mm, oom: fix concurrent munlock and oom reaper unmap, v3 Eric Dumazet (10): crypto: af_alg - fix possible uninit-value in alg_bind() netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() dccp: initialize ireq->ir_mark ipv4: fix uninit-value in ip_route_output_key_hash_rcu() soreuseport: initialise timewait reuseport field inetpeer: fix uninit-value in inet_getpeer tcp: fix TCP_REPAIR_QUEUE bound checking Florent Flament (1): drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Florian Westphal (1): netfilter: ebtables: don't attempt to allocate 0-sized compat array Govert Overgaauw (1): gpio: fix aspeed_gpio unmask irq Greg Kroah-Hartman (1): Linux 4.16.9 Gustavo A. R. Silva (2): net: atm: Fix potential Spectre v1 atm: zatm: Fix potential Spectre v1 Hans de Goede (4): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Ilya Dryomov (1): ceph: fix rsize/wsize capping in ceph_direct_read_write() Jan Kara (1): bdi: Fix oops in wb_workfn() Jann Horn (1): compat: fix 4-byte infoleak via uninitialized struct field Jean Delvare (1): swiotlb: silent unwanted warning "buffer is full" Jens Axboe (1): nvme: add quirk to force medium priority for SQ creation Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Jiri Olsa (1): perf: Remove superfluous allocation error check Johan Hovold (1): rfkill: gpio: fix memory leak in probe error path Julian Anastasov (1): ipvs: fix rtnl_lock lockups caused by start_sync_thread Kai Heng Feng (1): PCI / PM: Always check PME wakeup capability for runtime wakeup support Lukas Wunner (2): can: hi311x: Acquire SPI lock on ->do_get_berr_counter can: hi311x: Work around TX complete interrupt erratum Lyude Paul (1): drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Marek Szyprowski (2): thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: exynos: Propagate error value from tmu_read() Masami Hiramatsu (1): tracing/uprobe_event: Fix strncpy corner case Michal Hocko (1): memcg: fix per_node_info cleanup Michel Dänzer (1): drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages Mikulas Patocka (1): dm integrity: use kvfree for kvmalloc'd memory Miquel Raynal (1): mtd: rawnand: marvell: fix command xtype in BCH write hook Pavel Tatashin (1): mm: sections are not offlined during memory hotremove Peter Zijlstra (7): sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Rafael J. Wysocki (2): PCI / PM: Check device_may_wakeup() in pci_enable_wake() cpufreq: schedutil: Avoid using invalid next_freq Rodrigo Vivi (1): drm/i915: Adjust eDP's logical vco in a reliable place. Sowmini Varadhan (1): rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock Steve French (1): smb3: directory sync should not return an error Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string Tero Kristo (1): clk: ti: fix flag space conflict with clkctrl clocks Tetsuo Handa (2): bdi: wake up concurrent wb_shutdown() callers. bdi: Fix use after free bug in debugfs_remove() Timur Tabi (1): gpioib: do not free unrequested descriptors Tom Herbert (1): kcm: Call strp_stop before strp_done in kcm_attach Uwe Kleine-König (3): gpio: fix error path in lineevent_create can: flexcan: fix endianess detection arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan Ville Syrjälä (2): drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Vitaly Wool (1): z3fold: fix reclaim lock-ups Yonghong Song (1): bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog

7 years, 4 months

1
1
0 0

Linux 4.14.41

by Greg KH

I'm announcing the release of the 4.14.41 kernel. All users of the 4.14 kernel series must upgrade. The updated 4.14.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.14.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arm64/silicon-errata.txt | 1 Makefile | 2 arch/arm64/Kconfig | 14 ++ arch/arm64/include/asm/assembler.h | 40 ++++++++ arch/arm64/include/asm/cputype.h | 2 arch/arm64/mm/proc.S | 5 + arch/powerpc/kvm/book3s_64_mmu_radix.c | 72 +++++++++----- arch/powerpc/kvm/book3s_hv.c | 17 +-- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 + arch/x86/events/core.c | 8 + arch/x86/events/intel/cstate.c | 2 arch/x86/events/msr.c | 9 + arch/x86/kvm/lapic.c | 37 ++++--- crypto/af_alg.c | 8 - drivers/ata/libata-core.c | 3 drivers/atm/zatm.c | 3 drivers/bluetooth/btusb.c | 19 +++ drivers/gpio/gpio-aspeed.c | 2 drivers/gpio/gpiolib.c | 7 - drivers/gpu/drm/drm_atomic.c | 8 + drivers/gpu/drm/i915/intel_lvds.c | 3 drivers/gpu/drm/nouveau/nv50_display.c | 7 - drivers/gpu/drm/vc4/vc4_plane.c | 2 drivers/md/dm-integrity.c | 2 drivers/net/can/spi/hi311x.c | 11 +- drivers/net/can/usb/kvaser_usb.c | 2 drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 12 ++ drivers/pci/pci.c | 37 +++++-- drivers/thermal/samsung/exynos_tmu.c | 14 ++ fs/ceph/file.c | 10 +- fs/cifs/cifsfs.c | 13 ++ fs/fs-writeback.c | 2 include/linux/oom.h | 2 include/linux/wait_bit.h | 17 +++ include/net/inet_timewait_sock.h | 1 include/net/nexthop.h | 2 kernel/compat.c | 1 kernel/events/callchain.c | 10 -- kernel/events/ring_buffer.c | 7 + kernel/sched/autogroup.c | 7 + kernel/sched/cpufreq_schedutil.c | 3 kernel/trace/trace_events_filter.c | 3 kernel/trace/trace_uprobe.c | 2 mm/backing-dev.c | 2 mm/memcontrol.c | 3 mm/mmap.c | 44 +++++---- mm/oom_kill.c | 74 ++++++++------- mm/sparse.c | 2 mm/z3fold.c | 42 ++++++-- net/atm/lec.c | 9 + net/bridge/netfilter/ebtables.c | 11 +- net/core/dev_addr_lists.c | 4 net/core/skbuff.c | 1 net/dccp/ipv4.c | 1 net/dccp/ipv6.c | 1 net/ipv4/inet_timewait_sock.c | 1 net/ipv4/inetpeer.c | 1 net/ipv4/route.c | 11 +- net/ipv4/tcp.c | 2 net/kcm/kcmsock.c | 1 net/netfilter/ipvs/ip_vs_ctl.c | 8 - net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------- net/netlink/af_netlink.c | 2 net/rfkill/rfkill-gpio.c | 7 + 65 files changed, 542 insertions(+), 282 deletions(-) Anthoine Bourgeois (1): KVM: x86: remove APIC Timer periodic/oneshot spikes Boris Brezillon (1): drm/vc4: Fix scaling of uni-planar formats David Rientjes (1): mm, oom: fix concurrent munlock and oom reaper unmap, v3 Eric Dumazet (10): crypto: af_alg - fix possible uninit-value in alg_bind() netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() dccp: initialize ireq->ir_mark ipv4: fix uninit-value in ip_route_output_key_hash_rcu() soreuseport: initialise timewait reuseport field inetpeer: fix uninit-value in inet_getpeer tcp: fix TCP_REPAIR_QUEUE bound checking Florent Flament (1): drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Florian Westphal (1): netfilter: ebtables: don't attempt to allocate 0-sized compat array Govert Overgaauw (1): gpio: fix aspeed_gpio unmask irq Greg Kroah-Hartman (1): Linux 4.14.41 Gustavo A. R. Silva (2): net: atm: Fix potential Spectre v1 atm: zatm: Fix potential Spectre v1 Hans de Goede (4): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Ilya Dryomov (1): ceph: fix rsize/wsize capping in ceph_direct_read_write() Jan Kara (1): bdi: Fix oops in wb_workfn() Jann Horn (1): compat: fix 4-byte infoleak via uninitialized struct field Jens Axboe (1): nvme: add quirk to force medium priority for SQ creation Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Jiri Olsa (1): perf: Remove superfluous allocation error check Johan Hovold (1): rfkill: gpio: fix memory leak in probe error path Julian Anastasov (1): ipvs: fix rtnl_lock lockups caused by start_sync_thread Kai Heng Feng (1): PCI / PM: Always check PME wakeup capability for runtime wakeup support Laurent Vivier (1): KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN Lukas Wunner (2): can: hi311x: Acquire SPI lock on ->do_get_berr_counter can: hi311x: Work around TX complete interrupt erratum Lyude Paul (1): drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Marek Szyprowski (2): thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: exynos: Propagate error value from tmu_read() Masami Hiramatsu (1): tracing/uprobe_event: Fix strncpy corner case Michal Hocko (1): memcg: fix per_node_info cleanup Mikulas Patocka (1): dm integrity: use kvfree for kvmalloc'd memory Paul Mackerras (3): KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler Pavel Tatashin (1): mm: sections are not offlined during memory hotremove Peter Zijlstra (6): sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Rafael J. Wysocki (2): PCI / PM: Check device_may_wakeup() in pci_enable_wake() cpufreq: schedutil: Avoid using invalid next_freq Steve French (1): smb3: directory sync should not return an error Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string Suzuki K Poulose (1): arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Tetsuo Handa (1): bdi: wake up concurrent wb_shutdown() callers. Timur Tabi (1): gpioib: do not free unrequested descriptors Tom Herbert (1): kcm: Call strp_stop before strp_done in kcm_attach Uwe Kleine-König (1): gpio: fix error path in lineevent_create Ville Syrjälä (2): drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Vitaly Wool (1): z3fold: fix reclaim lock-ups

7 years, 4 months

1
1
0 0

Linux 4.9.100

by Greg KH

I'm announcing the release of the 4.9.100 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/arm64/silicon-errata.txt | 1 Makefile | 2 arch/arm64/Kconfig | 14 ++ arch/arm64/include/asm/assembler.h | 40 ++++++++ arch/arm64/include/asm/cputype.h | 5 + arch/arm64/mm/proc.S | 5 + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 + arch/x86/events/core.c | 8 + arch/x86/events/intel/cstate.c | 2 arch/x86/events/msr.c | 9 + crypto/af_alg.c | 8 - drivers/ata/libata-core.c | 3 drivers/atm/zatm.c | 3 drivers/bluetooth/btusb.c | 2 drivers/gpio/gpio-aspeed.c | 2 drivers/gpio/gpiolib.c | 7 - drivers/gpu/drm/i915/intel_lvds.c | 3 drivers/gpu/drm/vc4/vc4_plane.c | 2 drivers/infiniband/core/device.c | 3 drivers/net/can/usb/kvaser_usb.c | 2 drivers/thermal/samsung/exynos_tmu.c | 14 ++ fs/f2fs/data.c | 2 fs/fs-writeback.c | 2 include/net/inet_timewait_sock.h | 1 include/net/nexthop.h | 2 kernel/events/callchain.c | 10 -- kernel/events/ring_buffer.c | 7 + kernel/trace/trace_events_filter.c | 3 kernel/trace/trace_uprobe.c | 2 net/atm/lec.c | 9 + net/core/dev_addr_lists.c | 4 net/core/skbuff.c | 1 net/dccp/ipv4.c | 1 net/dccp/ipv6.c | 1 net/ipv4/inet_timewait_sock.c | 1 net/ipv4/tcp.c | 2 net/kcm/kcmsock.c | 1 net/netfilter/ipvs/ip_vs_ctl.c | 8 - net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------- net/netlink/af_netlink.c | 2 net/rfkill/rfkill-gpio.c | 7 + 41 files changed, 237 insertions(+), 127 deletions(-) Boris Brezillon (1): drm/vc4: Fix scaling of uni-planar formats Eric Dumazet (8): crypto: af_alg - fix possible uninit-value in alg_bind() netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() dccp: initialize ireq->ir_mark soreuseport: initialise timewait reuseport field tcp: fix TCP_REPAIR_QUEUE bound checking Florent Flament (1): drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Govert Overgaauw (1): gpio: fix aspeed_gpio unmask irq Greg Kroah-Hartman (1): Linux 4.9.100 Gustavo A. R. Silva (2): net: atm: Fix potential Spectre v1 atm: zatm: Fix potential Spectre v1 Hans de Goede (2): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Jan Kara (1): bdi: Fix oops in wb_workfn() Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Jiri Olsa (1): perf: Remove superfluous allocation error check Johan Hovold (1): rfkill: gpio: fix memory leak in probe error path Julian Anastasov (1): ipvs: fix rtnl_lock lockups caused by start_sync_thread Marek Szyprowski (2): thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: exynos: Propagate error value from tmu_read() Masami Hiramatsu (1): tracing/uprobe_event: Fix strncpy corner case Paul Mackerras (1): KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry Peter Zijlstra (5): perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Sagi Grimberg (1): IB/device: Convert ib-comp-wq to be CPU-bound Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string Suzuki K Poulose (1): arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Timur Tabi (1): gpioib: do not free unrequested descriptors Tom Herbert (1): kcm: Call strp_stop before strp_done in kcm_attach Uwe Kleine-König (1): gpio: fix error path in lineevent_create Wei Fang (1): f2fs: fix a dead loop in f2fs_fiemap()

7 years, 4 months

1
1
0 0

Linux 4.4.132

by Greg KH

I'm announcing the release of the 4.4.132 kernel. All users of the 4.4 kernel series must upgrade. The updated 4.4.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.4.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 arch/s390/kvm/kvm-s390.c | 4 arch/x86/kernel/cpu/perf_event.c | 8 arch/x86/kernel/cpu/perf_event_intel_cstate.c | 2 arch/x86/kernel/cpu/perf_event_msr.c | 9 crypto/af_alg.c | 8 drivers/ata/libata-core.c | 3 drivers/atm/zatm.c | 3 drivers/bluetooth/btusb.c | 2 drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 drivers/infiniband/core/ucma.c | 2 drivers/infiniband/hw/mlx5/qp.c | 22 - drivers/input/input-leds.c | 8 drivers/input/touchscreen/atmel_mxt_ts.c | 9 drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 78 +++ drivers/net/can/usb/kvaser_usb.c | 2 drivers/net/usb/qmi_wwan.c | 1 drivers/net/wireless/ath/ath10k/core.c | 8 drivers/net/wireless/ath/ath10k/core.h | 4 drivers/net/wireless/ath/ath10k/htt_rx.c | 100 ++++ drivers/net/wireless/ath/wcn36xx/txrx.c | 2 drivers/usb/core/config.c | 4 drivers/usb/musb/musb_host.c | 4 drivers/usb/serial/option.c | 448 +++++++--------------- drivers/usb/serial/visor.c | 69 +-- fs/f2fs/data.c | 2 fs/fs-writeback.c | 2 fs/xfs/xfs_file.c | 14 include/net/inet_timewait_sock.h | 1 include/net/mac80211.h | 14 include/net/nexthop.h | 2 kernel/bpf/arraymap.c | 2 kernel/bpf/hashtab.c | 9 kernel/bpf/syscall.c | 20 kernel/events/callchain.c | 10 kernel/events/core.c | 2 kernel/events/ring_buffer.c | 7 kernel/trace/trace_events_filter.c | 3 kernel/trace/trace_uprobe.c | 2 kernel/tracepoint.c | 4 mm/percpu.c | 1 net/atm/lec.c | 9 net/core/dev_addr_lists.c | 4 net/core/skbuff.c | 1 net/dccp/ipv4.c | 1 net/dccp/ipv6.c | 1 net/ipv4/inet_timewait_sock.c | 1 net/ipv4/tcp.c | 2 net/mac80211/util.c | 5 net/mac80211/wep.c | 3 net/mac80211/wpa.c | 45 +- net/netfilter/ipvs/ip_vs_ctl.c | 8 net/netfilter/ipvs/ip_vs_sync.c | 155 +++---- net/netlink/af_netlink.c | 2 net/rfkill/rfkill-gpio.c | 7 net/xfrm/xfrm_user.c | 2 sound/core/pcm_compat.c | 2 sound/core/seq/seq_virmidi.c | 4 sound/drivers/aloop.c | 29 + tools/testing/selftests/firmware/fw_filesystem.sh | 6 60 files changed, 655 insertions(+), 530 deletions(-) Alan Stern (1): USB: Accept bulk endpoints with 1024-byte maxpacket Alexander Yarygin (1): KVM: s390: Enable all facility bits that are known good for passthrough Ben Hutchings (1): test_firmware: fix setting old custom fw path back on exit, second try Bin Liu (1): usb: musb: host: fix potential NULL pointer dereference Danit Goldberg (1): IB/mlx5: Use unlimited rate when static rate is not supported Darrick J. Wong (1): xfs: prevent creating negative-sized file via INSERT_RANGE David Spinadel (1): mac80211: Add RX flag to indicate ICV stripped Dmitry Torokhov (1): Input: leds - fix out of bound access Eric Dumazet (8): crypto: af_alg - fix possible uninit-value in alg_bind() netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() dccp: initialize ireq->ir_mark soreuseport: initialise timewait reuseport field tcp: fix TCP_REPAIR_QUEUE bound checking Greg Kroah-Hartman (2): USB: serial: visor: handle potential invalid device configuration Linux 4.4.132 Gustavo A. R. Silva (2): net: atm: Fix potential Spectre v1 atm: zatm: Fix potential Spectre v1 Hans de Goede (2): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Jan Kara (1): bdi: Fix oops in wb_workfn() Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Jiri Olsa (1): perf: Remove superfluous allocation error check Johan Hovold (2): USB: serial: option: reimplement interface masking rfkill: gpio: fix memory leak in probe error path Julian Anastasov (1): ipvs: fix rtnl_lock lockups caused by start_sync_thread Kristian Evensen (1): USB: serial: option: Add support for Quectel EP06 Leon Romanovsky (1): RDMA/mlx5: Protect from shift operand overflow Markus Pargmann (1): gpmi-nand: Handle ECC Errors in erased pages Masami Hiramatsu (1): tracing/uprobe_event: Fix strncpy corner case Mathieu Desnoyers (1): tracepoint: Do not warn on ENOMEM Peter Zijlstra (5): perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Robert Rosengren (1): ALSA: aloop: Mark paused device as inactive Roland Dreier (1): RDMA/ucma: Allow resolving address w/o specifying source address SZ Lin (林上智) (2): NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 USB: serial: option: adding support for ublox R410M Sara Sharon (2): mac80211: allow not sending MIC up from driver for HW crypto mac80211: allow same PN for AMSDU sub-frames Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string Takashi Iwai (3): ALSA: pcm: Check PCM state at xfern compat ioctl ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() ALSA: aloop: Add missing cable lock to ctl API callbacks Tan Xiaojun (1): perf/core: Fix the perf_cpu_time_max_percent check Tejun Heo (1): percpu: include linux/sched.h for cond_resched() Teng Qin (1): bpf: map_get_next_key to return first key on NULL Thomas Hellstrom (1): drm/vmwgfx: Fix a buffer object leak Vasanthakumar Thiagarajan (2): ath10k: fix rfc1042 header retrieval in QCA4019 with eth decap mode ath10k: rebuild crypto header in rx data frames Vittorio Gambaletta (VittGam) (1): Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro Wei Fang (1): f2fs: fix a dead loop in f2fs_fiemap() Yi Zhao (1): xfrm_user: fix return value from xfrm_user_rcv_msg

7 years, 4 months

1
1
0 0

Linux 3.18.109

by Greg KH

I'm announcing the release of the 3.18.109 kernel. All users of the 3.18 kernel series must upgrade. The updated 3.18.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-3.18.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Makefile | 2 - drivers/ata/libata-core.c | 3 + drivers/infiniband/hw/mlx5/qp.c | 4 ++ drivers/net/can/usb/kvaser_usb.c | 2 - drivers/net/usb/qmi_wwan.c | 1 drivers/usb/musb/musb_host.c | 4 +- drivers/usb/serial/visor.c | 69 ++++++++++++++++++------------------- include/net/inet_timewait_sock.h | 1 include/net/nexthop.h | 2 - kernel/events/callchain.c | 10 +---- kernel/events/core.c | 2 - kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + mm/percpu.c | 1 net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 net/ipv4/inet_timewait_sock.c | 1 net/ipv4/tcp.c | 2 - net/netlink/af_netlink.c | 2 + net/rfkill/rfkill-gpio.c | 7 +++ sound/core/pcm_compat.c | 2 + sound/core/seq/seq_virmidi.c | 4 +- sound/drivers/aloop.c | 29 ++++++++++++--- tools/perf/util/session.c | 1 24 files changed, 101 insertions(+), 58 deletions(-) Bin Liu (1): usb: musb: host: fix potential NULL pointer dereference Eric Dumazet (6): netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() soreuseport: initialise timewait reuseport field tcp: fix TCP_REPAIR_QUEUE bound checking Greg Kroah-Hartman (2): USB: serial: visor: handle potential invalid device configuration Linux 3.18.109 Hans de Goede (1): libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Jimmy Assarsson (1): can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Jiri Olsa (1): perf: Remove superfluous allocation error check Johan Hovold (1): rfkill: gpio: fix memory leak in probe error path Leon Romanovsky (1): RDMA/mlx5: Protect from shift operand overflow Masami Hiramatsu (1): tracing/uprobe_event: Fix strncpy corner case Murilo Opsfelder Araujo (1): perf session: Fix undeclared 'oe' Robert Rosengren (1): ALSA: aloop: Mark paused device as inactive SZ Lin (林上智) (1): NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string Takashi Iwai (3): ALSA: pcm: Check PCM state at xfern compat ioctl ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() ALSA: aloop: Add missing cable lock to ctl API callbacks Tan Xiaojun (1): perf/core: Fix the perf_cpu_time_max_percent check Tejun Heo (1): percpu: include linux/sched.h for cond_resched()

7 years, 4 months

1
1
0 0

[PATCH] block: fix QEMU crash with scsi-hd and drive_del

by Greg Kurz

Removing a drive with drive_del while it is being used to run an I/O intensive workload can cause QEMU to crash. An AIO flush can yield at some point: blk_aio_flush_entry() blk_co_flush(blk) bdrv_co_flush(blk->root->bs) ... qemu_coroutine_yield() and let the HMP command to run, free blk->root and give control back to the AIO flush: hmp_drive_del() blk_remove_bs() bdrv_root_unref_child(blk->root) child_bs = blk->root->bs bdrv_detach_child(blk->root) bdrv_replace_child(blk->root, NULL) blk->root->bs = NULL g_free(blk->root) <============== blk->root becomes stale bdrv_unref(child_bs) bdrv_delete(child_bs) bdrv_close() bdrv_drained_begin() bdrv_do_drained_begin() bdrv_drain_recurse() aio_poll() ... qemu_coroutine_switch() and the AIO flush completion ends up dereferencing blk->root: blk_aio_complete() scsi_aio_complete() blk_get_aio_context(blk) bs = blk_bs(blk) ie, bs = blk->root ? blk->root->bs : NULL ^^^^^ stale The solution to this user-after-free situation is is to clear blk->root before calling bdrv_unref() in bdrv_detach_child(), and let blk_get_aio_context() fall back to the main loop context since the BDS has been removed. Signed-off-by: Greg Kurz <groug(a)kaod.org> --- The use-after-free condition is easy to reproduce with a stress-ng run in the guest: -device virtio-scsi-pci,id=scsi1 \ -drive file=/home/greg/images/scratch.qcow2,format=qcow2,if=none,id=drive1 \ -device scsi-hd,bus=scsi1.0,drive=drive1,id=scsi-hd1 # stress-ng --hdd 0 --aggressive and doing drive_del from the QEMU monitor while stress-ng is still running: (qemu) drive_del drive1 The crash is less easy to hit though, as it depends on the bs field of the stale blk->root to have a non-NULL value that eventually breaks something when it gets dereferenced. The following patch simulates that, and allows to validate the fix: --- a/block.c +++ b/block.c @@ -2127,6 +2127,8 @@ BdrvChild *bdrv_attach_child(BlockDriverState *parent_bs, static void bdrv_detach_child(BdrvChild *child) { + BlockDriverState *bs = child->bs; + if (child->next.le_prev) { QLIST_REMOVE(child, next); child->next.le_prev = NULL; @@ -2135,7 +2137,15 @@ static void bdrv_detach_child(BdrvChild *child) bdrv_replace_child(child, NULL); g_free(child->name); - g_free(child); + /* Poison the BdrvChild instead of freeing it, in order to break blk_bs() + * if the blk still has a pointer to this BdrvChild in blk->root. + */ + if (atomic_read(&bs->in_flight)) { + child->bs = (BlockDriverState *) -1; + fprintf(stderr, "\nPoisonned BdrvChild %p\n", child); + } else { + g_free(child); + } } void bdrv_root_unref_child(BdrvChild *child) --- block/block-backend.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/block/block-backend.c b/block/block-backend.c index 681b240b1268..ed9434e236b9 100644 --- a/block/block-backend.c +++ b/block/block-backend.c @@ -756,6 +756,7 @@ void blk_remove_bs(BlockBackend *blk) { ThrottleGroupMember *tgm = &blk->public.throttle_group_member; BlockDriverState *bs; + BdrvChild *root; notifier_list_notify(&blk->remove_bs_notifiers, blk); if (tgm->throttle_state) { @@ -768,8 +769,9 @@ void blk_remove_bs(BlockBackend *blk) blk_update_root_state(blk); - bdrv_root_unref_child(blk->root); + root = blk->root; blk->root = NULL; + bdrv_root_unref_child(root); } /*

7 years, 4 months

2
1
0 0

[PATCH v3 11/14] ftrace/selftest: Have the reset_trigger code be a bit more careful

by Steven Rostedt

From: "Steven Rostedt (VMware)" <rostedt(a)goodmis.org> The trigger code is picky in how it can be disabled as there may be dependencies between different events and synthetic events. Change the order on how triggers are reset. 1) Reset triggers of all synthetic events first 2) Remove triggers with actions attached to them 3) Remove all other triggers If this order isn't followed, then some triggers will not be reset, and an error may happen because a trigger is busy. Cc: stable(a)vger.kernel.org Fixes: cfa0963dc474f ("kselftests/ftrace : Add event trigger testcases") Acked-by: Masami Hiramatsu <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> --- .../testing/selftests/ftrace/test.d/functions | 21 ++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/tools/testing/selftests/ftrace/test.d/functions b/tools/testing/selftests/ftrace/test.d/functions index 2a4f16fc9819..8393b1c06027 100644 --- a/tools/testing/selftests/ftrace/test.d/functions +++ b/tools/testing/selftests/ftrace/test.d/functions @@ -15,14 +15,29 @@ reset_tracer() { # reset the current tracer echo nop > current_tracer } -reset_trigger() { # reset all current setting triggers - grep -v ^# events/*/*/trigger | +reset_trigger_file() { + # remove action triggers first + grep -H ':on[^:]*(' $@ | + while read line; do + cmd=`echo $line | cut -f2- -d: | cut -f1 -d" "` + file=`echo $line | cut -f1 -d:` + echo "!$cmd" >> $file + done + grep -Hv ^# $@ | while read line; do cmd=`echo $line | cut -f2- -d: | cut -f1 -d" "` - echo "!$cmd" > `echo $line | cut -f1 -d:` + file=`echo $line | cut -f1 -d:` + echo "!$cmd" > $file done } +reset_trigger() { # reset all current setting triggers + if [ -d events/synthetic ]; then + reset_trigger_file events/synthetic/*/trigger + fi + reset_trigger_file events/*/*/trigger +} + reset_events_filter() { # reset all current setting filters grep -v ^none events/*/*/filter | while read line; do -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH v2 1/3] x86/mm: disable ioremap free page handling on x86-PAE

by Toshi Kani

ioremap() supports pmd mappings on x86-PAE. However, kernel's pmd tables are not shared among processes on x86-PAE. Therefore, any update to sync'd pmd entries need re-syncing. Freeing a pte page also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one(). Disable free page handling on x86-PAE. pud_free_pmd_page() and pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present. This assures that ioremap() does not update sync'd pmd entries at the cost of falling back to pte mappings. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Reported-by: Joerg Roedel <joro(a)8bytes.org> Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- arch/x86/mm/pgtable.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index ffc8c13c50e4..08cdd7c13619 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -715,6 +715,7 @@ int pmd_clear_huge(pmd_t *pmd) return 0; } +#ifdef CONFIG_X86_64 /** * pud_free_pmd_page - Clear pud entry and free pmd page. * @pud: Pointer to a PUD. @@ -762,4 +763,22 @@ int pmd_free_pte_page(pmd_t *pmd) return 1; } + +#else /* !CONFIG_X86_64 */ + +int pud_free_pmd_page(pud_t *pud, unsigned long addr) +{ + return pud_none(*pud); +} + +/* + * Disable free page handling on x86-PAE. This assures that ioremap() + * does not update sync'd pmd entries. See vmalloc_sync_one(). + */ +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) +{ + return pmd_none(*pmd); +} + +#endif /* CONFIG_X86_64 */ #endif /* CONFIG_HAVE_ARCH_HUGE_VMAP */

7 years, 4 months

3
2
0 0

[PATCH] bcache: return 0 from bch_debug_init() if CONFIG_DEBUG_FS=n

by Coly Li

Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") returns the return value of debugfs_create_dir() to bcache_init(). When CONFIG_DEBUG_FS=n, bch_debug_init() always returns 1 and makes bcache_init() failedi. This patch makes bch_debug_init() always returns 0 if CONFIG_DEBUG_FS=n, so bcache can continue to work for the kernels which don't have debugfs enanbled. Fixes: Commit 539d39eb2708 ("bcache: fix wrong return value in bch_debug_init()") Cc: stable(a)vger.kernel.org Signed-off-by: Coly Li <colyli(a)suse.de> Reported-by: Massimo B. <massimo.b(a)gmx.net> Reported-by: Kai Krakow <kai(a)kaishome.de> Cc: Kent Overstreet <kent.overstreet(a)gmail.com> --- drivers/md/bcache/bcache.h | 5 +++++ drivers/md/bcache/debug.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.h index 3a0cfb237af9..5b3fe87f32ee 100644 --- a/drivers/md/bcache/bcache.h +++ b/drivers/md/bcache/bcache.h @@ -994,8 +994,13 @@ void bch_open_buckets_free(struct cache_set *); int bch_cache_allocator_start(struct cache *ca); +#ifdef CONFIG_DEBUG_FS void bch_debug_exit(void); int bch_debug_init(struct kobject *); +#else +static inline void bch_debug_exit(void) {}; +static inline int bch_debug_init(struct kobject *kobj) { return 0; }; +#endif void bch_request_exit(void); int bch_request_init(void); diff --git a/drivers/md/bcache/debug.c b/drivers/md/bcache/debug.c index 4e63c6f6c04d..34a0ed4ed70c 100644 --- a/drivers/md/bcache/debug.c +++ b/drivers/md/bcache/debug.c @@ -240,8 +240,6 @@ void bch_debug_init_cache_set(struct cache_set *c) } } -#endif - void bch_debug_exit(void) { if (!IS_ERR_OR_NULL(bcache_debug)) @@ -254,3 +252,5 @@ int __init bch_debug_init(struct kobject *kobj) return IS_ERR_OR_NULL(bcache_debug); } + +#endif -- 2.16.3

7 years, 4 months

1
0
0 0

[PATCH 0/3] x86/platform/UV: Update Memory Block Size Setting

by mike.travis＠hpe.com

Update support for the UV kernel to accommodate Intel BIOS changes in NVDIMM alignment, which caused UV BIOS to align the memory boundaries on different blocks than the previous UV standard of 2GB. --

7 years, 4 months

4
10
0 0

[PATCH v3 1/4] ovl: use insert_inode_locked4() to hash a newly created inode

by Amir Goldstein

Currently, there is a small window where ovl_obtain_alias() can race with ovl_instantiate() and create two different overlay inodes with the same underlying real non-dir non-hardlink inode. The race requires an adversary to guess the file handle of the yet to be created upper inode and decode the guessed file handle after ovl_creat_real(), but before ovl_instantiate(). This patch fixes the race, by using insert_inode_locked4() to add a newly created inode to icache. If the newly created inode apears to already exist in icache (hashed by the same real upper inode), we export this error to user instead of silently not hashing the new inode. This race does not affect overlay directory inodes, because those are decoded via ovl_lookup_real() and not with ovl_obtain_alias(), so avoid using the new helper d_instantiate_new() to reduce backport dependencies. Backporting only makes sense for v4.16 where NFS export was introduced. Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: <stable(a)vger.kernel.org> #v4.16 Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- fs/overlayfs/dir.c | 24 ++++++++++++++++++------ fs/overlayfs/inode.c | 18 ++++++++++++++++++ fs/overlayfs/overlayfs.h | 1 + 3 files changed, 37 insertions(+), 6 deletions(-) diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 47dc980e8b33..62e6733b755c 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -183,14 +183,24 @@ static int ovl_set_opaque(struct dentry *dentry, struct dentry *upperdentry) } /* Common operations required to be done after creation of file on upper */ -static void ovl_instantiate(struct dentry *dentry, struct inode *inode, - struct dentry *newdentry, bool hardlink) +static int ovl_instantiate(struct dentry *dentry, struct inode *inode, + struct dentry *newdentry, bool hardlink) { ovl_dir_modified(dentry->d_parent, false); - ovl_copyattr(d_inode(newdentry), inode); ovl_dentry_set_upper_alias(dentry); if (!hardlink) { - ovl_inode_update(inode, newdentry); + int err; + + ovl_inode_init(inode, newdentry, NULL); + /* + * XXX: if we ever use ovl_obtain_alias() to decode directory + * file handles, need to use ovl_insert_inode_locked() and + * d_instantiate_new() here to prevent ovl_obtain_alias() + * from sneaking in before d_instantiate(). + */ + err = ovl_insert_inode(inode, d_inode(newdentry)); + if (err) + return err; } else { WARN_ON(ovl_inode_real(inode) != d_inode(newdentry)); dput(newdentry); @@ -200,6 +210,8 @@ static void ovl_instantiate(struct dentry *dentry, struct inode *inode, /* Force lookup of new upper hardlink to find its lower */ if (hardlink) d_drop(dentry); + + return 0; } static bool ovl_type_merge(struct dentry *dentry) @@ -238,7 +250,7 @@ static int ovl_create_upper(struct dentry *dentry, struct inode *inode, ovl_set_opaque(dentry, newdentry); } - ovl_instantiate(dentry, inode, newdentry, !!hardlink); + err = ovl_instantiate(dentry, inode, newdentry, !!hardlink); newdentry = NULL; out_dput: dput(newdentry); @@ -439,7 +451,7 @@ static int ovl_create_over_whiteout(struct dentry *dentry, struct inode *inode, if (err) goto out_cleanup; } - ovl_instantiate(dentry, inode, newdentry, !!hardlink); + err = ovl_instantiate(dentry, inode, newdentry, !!hardlink); newdentry = NULL; out_dput2: dput(upper); diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c index 7abcf96e94fc..060c534998d1 100644 --- a/fs/overlayfs/inode.c +++ b/fs/overlayfs/inode.c @@ -741,6 +741,24 @@ static bool ovl_verify_inode(struct inode *inode, struct dentry *lowerdentry, return true; } +static int ovl_insert_inode_locked(struct inode *inode, struct inode *realinode) +{ + return insert_inode_locked4(inode, (unsigned long) realinode, + ovl_inode_test, realinode); +} + +int ovl_insert_inode(struct inode *inode, struct inode *realinode) +{ + int err; + + err = ovl_insert_inode_locked(inode, realinode); + if (err) + return err; + + unlock_new_inode(inode); + return 0; +} + struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real, bool is_upper) { diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h index caaa47cea2aa..642b25702092 100644 --- a/fs/overlayfs/overlayfs.h +++ b/fs/overlayfs/overlayfs.h @@ -343,6 +343,7 @@ int ovl_update_time(struct inode *inode, struct timespec *ts, int flags); bool ovl_is_private_xattr(const char *name); struct inode *ovl_new_inode(struct super_block *sb, umode_t mode, dev_t rdev); +int ovl_insert_inode(struct inode *inode, struct inode *realinode); struct inode *ovl_lookup_inode(struct super_block *sb, struct dentry *real, bool is_upper); struct inode *ovl_get_inode(struct super_block *sb, struct dentry *upperdentry, -- 2.7.4

7 years, 4 months

3
6
0 0

[PATCHES] Networking

by David Miller

Please queue up the following networking bug fixes for v4.14 and v4.16 -stable, respectively. Thanks!

7 years, 4 months

2
1
0 0

[PATCH 4.14 00/62] 4.14.41-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.41 release. There are 62 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:47:52 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.41-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.41-rc1 Anthoine Bourgeois <anthoine.bourgeois(a)blade-group.com> KVM: x86: remove APIC Timer periodic/oneshot spikes Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Peter Zijlstra <peterz(a)infradead.org> perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Peter Zijlstra <peterz(a)infradead.org> perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Peter Zijlstra <peterz(a)infradead.org> sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Steve French <smfrench(a)gmail.com> smb3: directory sync should not return an error Jens Axboe <axboe(a)kernel.dk> nvme: add quirk to force medium priority for SQ creation Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Propagate error value from tmu_read() Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Reading temperature makes sense only when TMU is turned on Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Hans de Goede <hdegoede(a)redhat.com> Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: schedutil: Avoid using invalid next_freq Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PCI / PM: Check device_may_wakeup() in pci_enable_wake() Kai Heng Feng <kai.heng.feng(a)canonical.com> PCI / PM: Always check PME wakeup capability for runtime wakeup support Gustavo A. R. Silva <gustavo(a)embeddedor.com> atm: zatm: Fix potential Spectre v1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> net: atm: Fix potential Spectre v1 Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() Lyude Paul <lyude(a)redhat.com> drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Florent Flament <contact(a)florentflament.com> drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Boris Brezillon <boris.brezillon(a)bootlin.com> drm/vc4: Fix scaling of uni-planar formats Lukas Wunner <lukas(a)wunner.de> can: hi311x: Work around TX complete interrupt erratum Lukas Wunner <lukas(a)wunner.de> can: hi311x: Acquire SPI lock on ->do_get_berr_counter Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Ilya Dryomov <idryomov(a)gmail.com> ceph: fix rsize/wsize capping in ceph_direct_read_write() David Rientjes <rientjes(a)google.com> mm, oom: fix concurrent munlock and oom reaper unmap, v3 Pavel Tatashin <pasha.tatashin(a)oracle.com> mm: sections are not offlined during memory hotremove Vitaly Wool <vitalywool(a)gmail.com> z3fold: fix reclaim lock-ups Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Mikulas Patocka <mpatocka(a)redhat.com> dm integrity: use kvfree for kvmalloc'd memory Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> gpio: fix error path in lineevent_create Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com> gpio: fix aspeed_gpio unmask irq Timur Tabi <timur(a)codeaurora.org> gpioib: do not free unrequested descriptors Jann Horn <jannh(a)google.com> compat: fix 4-byte infoleak via uninitialized struct field Suzuki K Poulose <suzuki.poulose(a)arm.com> arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing Laurent Vivier <lvivier(a)redhat.com> KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry Jan Kara <jack(a)suse.cz> bdi: Fix oops in wb_workfn() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bdi: wake up concurrent wb_shutdown() callers. Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Michal Hocko <mhocko(a)suse.com> memcg: fix per_node_info cleanup Eric Dumazet <edumazet(a)google.com> inetpeer: fix uninit-value in inet_getpeer Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> ipv4: fix uninit-value in ip_route_output_key_hash_rcu() Eric Dumazet <edumazet(a)google.com> dccp: initialize ireq->ir_mark Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Eric Dumazet <edumazet(a)google.com> crypto: af_alg - fix possible uninit-value in alg_bind() Tom Herbert <tom(a)quantonium.net> kcm: Call strp_stop before strp_done in kcm_attach Florian Westphal <fw(a)strlen.de> netfilter: ebtables: don't attempt to allocate 0-sized compat array Julian Anastasov <ja(a)ssi.bg> ipvs: fix rtnl_lock lockups caused by start_sync_thread ------------- Diffstat: Documentation/arm64/silicon-errata.txt | 1 + Makefile | 4 +- arch/arm64/Kconfig | 14 +++ arch/arm64/include/asm/assembler.h | 40 +++++++++ arch/arm64/include/asm/cputype.h | 2 + arch/arm64/mm/proc.S | 5 ++ arch/powerpc/kvm/book3s_64_mmu_radix.c | 72 +++++++++------ arch/powerpc/kvm/book3s_hv.c | 17 ++-- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +- arch/x86/events/core.c | 8 +- arch/x86/events/intel/cstate.c | 2 + arch/x86/events/msr.c | 9 +- arch/x86/kvm/lapic.c | 37 ++++---- crypto/af_alg.c | 8 +- drivers/ata/libata-core.c | 3 + drivers/atm/zatm.c | 3 + drivers/bluetooth/btusb.c | 19 +++- drivers/gpio/gpio-aspeed.c | 2 +- drivers/gpio/gpiolib.c | 7 +- drivers/gpu/drm/drm_atomic.c | 8 ++ drivers/gpu/drm/i915/intel_lvds.c | 3 +- drivers/gpu/drm/nouveau/nv50_display.c | 7 +- drivers/gpu/drm/vc4/vc4_plane.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/net/can/spi/hi311x.c | 11 ++- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/nvme/host/nvme.h | 5 ++ drivers/nvme/host/pci.c | 12 ++- drivers/pci/pci.c | 37 +++++--- drivers/thermal/samsung/exynos_tmu.c | 14 ++- fs/ceph/file.c | 10 +-- fs/cifs/cifsfs.c | 13 +++ fs/fs-writeback.c | 2 +- include/linux/oom.h | 2 + include/linux/wait_bit.h | 17 ++++ include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- kernel/compat.c | 1 + kernel/events/callchain.c | 10 +-- kernel/events/ring_buffer.c | 7 +- kernel/sched/autogroup.c | 7 +- kernel/sched/cpufreq_schedutil.c | 3 +- kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + mm/backing-dev.c | 2 +- mm/memcontrol.c | 3 + mm/mmap.c | 44 +++++---- mm/oom_kill.c | 74 ++++++++------- mm/sparse.c | 2 +- mm/z3fold.c | 42 ++++++--- net/atm/lec.c | 9 +- net/bridge/netfilter/ebtables.c | 11 +-- net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 + net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/inetpeer.c | 1 + net/ipv4/route.c | 11 +-- net/ipv4/tcp.c | 2 +- net/kcm/kcmsock.c | 1 + net/netfilter/ipvs/ip_vs_ctl.c | 8 -- net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------- net/netlink/af_netlink.c | 2 + net/rfkill/rfkill-gpio.c | 7 +- 65 files changed, 543 insertions(+), 283 deletions(-)

7 years, 4 months

7
63
0 0

[PATCH V4] clk: at91: PLL recalc_rate() now using cached MUL and DIV values

by Marcin Ziemianowicz

When a USB device is connected to the USB host port on the SAM9N12 then you get "-62" error which seems to indicate USB replies from the device are timing out. Based on a logic sniffer, I saw the USB bus was running at half speed. The PLL code uses cached MUL and DIV values which get set in set_rate() and applied in prepare(), but the recalc_rate() function instead queries the hardware instead of using these cached values. Therefore, if recalc_rate() is called between a set_rate() and prepare(), the wrong frequency is calculated and later the USB clock divider for the SAM9N12 SOC will be configured for an incorrect clock. In my case, the PLL hardware was set to 96 Mhz before the OHCI driver loads, and therefore the usb clock divider was being set to /2 even though the OHCI driver set the PLL to 48 Mhz. As an alternative explanation, I noticed this was fixed in the past by 87e2ed338f1b ("clk: at91: fix recalc_rate implementation of PLL driver") but the bug was later re-introduced by 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally"). Fixes: 1bdf02326b71 ("clk: at91: make use of syscon/regmap internally) Cc: <stable(a)vger.kernel.org> Signed-off-by: Marcin Ziemianowicz <marcin(a)ziemianowicz.com> --- Thank you for bearing with me about this Boris. Changes since V3: Fix for double returns found by kbluild test robot > Comments by Boris Brezillon about email formatting issues Changes since V2: Removed all logging/debug messages I added > Comment by Boris Brezillon about my fix being wrong addressed Changes since V1: Added patch set cover letter Shortened lines which were over >80 characters long > Comment by Greg Kroah-Hartman about "from" field in email addressed > Comment by Alan Stern about redundant debug lines addressed drivers/clk/at91/clk-pll.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/drivers/clk/at91/clk-pll.c b/drivers/clk/at91/clk-pll.c index 7d3223fc..72b6091e 100644 --- a/drivers/clk/at91/clk-pll.c +++ b/drivers/clk/at91/clk-pll.c @@ -132,19 +132,8 @@ static unsigned long clk_pll_recalc_rate(struct clk_hw *hw, unsigned long parent_rate) { struct clk_pll *pll = to_clk_pll(hw); - unsigned int pllr; - u16 mul; - u8 div; - - regmap_read(pll->regmap, PLL_REG(pll->id), &pllr); - - div = PLL_DIV(pllr); - mul = PLL_MUL(pllr, pll->layout); - - if (!div || !mul) - return 0; - return (parent_rate / div) * (mul + 1); + return (parent_rate / pll->div) * (pll->mul + 1); } static long clk_pll_get_best_div_mul(struct clk_pll *pll, unsigned long rate, -- 2.17.0

7 years, 4 months

3
4
0 0

[PATCH] drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful

by Thomas Hellstrom

From: Deepak Rawat <drawat(a)vmware.com> SOU primary plane prepare_fb hook depends upon dmabuf_size to pin up BO (and not call a new vmw_dmabuf_init) when a new fb size is same as current fb. This was changed in a recent commit which is causing page_flip to fail on VM with low display memory and multi-mon failure when cycle monitors from secondary display. Cc: <stable(a)vger.kernel.org> # 4.14, 4.16 Fixes: 20fb5a635a0c ("drm/vmwgfx: Unpin the screen object backup buffer when not used") Signed-off-by: Deepak Rawat <drawat(a)vmware.com> Reviewed-by: Sinclair Yeh <syeh(a)vmware.com> Signed-off-by: Thomas Hellstrom <thellstrom(a)vmware.com> --- drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c index 648f8127f65a..3d667e903beb 100644 --- a/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c +++ b/drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c @@ -482,6 +482,8 @@ vmw_sou_primary_plane_prepare_fb(struct drm_plane *plane, return ret; } + vps->dmabuf_size = size; + /* * TTM already thinks the buffer is pinned, but make sure the * pin_count is upped. -- 2.14.3

7 years, 4 months

1
0
0 0

[PATCH 3/3] MIPS: Add DSP ASE regset support

by Maciej W. Rozycki

Define an NT_MIPS_DSP core file note type and implement a corresponding regset holding the DSP ASE register context, following the layout of the `mips_dsp_state' structure, except for the DSPControl register stored as a 64-bit rather than 32-bit quantity in a 64-bit note. The lack of DSP ASE register saving to core files can be considered a design flaw with commit e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE."), leading to an incomplete state being saved. Consequently no DSP ASE regset has been created with commit 7aeb753b5353 ("MIPS: Implement task_user_regset_view."), when regset support was added to the MIPS port. Additionally there is no way for ptrace(2) to correctly access the DSP accumulator registers in n32 processes with the existing interfaces. This is due to 32-bit truncation of data passed with PTRACE_PEEKUSR and PTRACE_POKEUSR requests, which cannot be avoided owing to how the data types for ptrace(3) have been defined. This new NT_MIPS_DSP regset fills the missing interface gap. Cc: <stable(a)vger.kernel.org> # 3.13+ Fixes: 7aeb753b5353 ("MIPS: Implement task_user_regset_view.") Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> --- Hi, This was verified with 32-bit DSP and non-DSP hardware configurations by dumping cores and examining, with `readelf', the notes created. In the former case DSP registers were filled with patterns by the program being crashed and the patterns verified in the core file produced. I have no 64-bit DSP hardware handy, but the same code has been used, except for the data type holding register data, for both 32-bit and 64-bit notes, so it should be obviously correct. As noted in the commit description I consider it a design flaw and therefore I think it makes sense to backport this change and propose doing so. Maciej --- arch/mips/kernel/ptrace.c | 189 ++++++++++++++++++++++++++++++++++++++++++++++ include/uapi/linux/elf.h | 1 2 files changed, 190 insertions(+) linux-mips-regset-dsp.diff Index: linux-jhogan-test/arch/mips/kernel/ptrace.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace.c 2018-05-09 23:26:36.787614000 +0100 +++ linux-jhogan-test/arch/mips/kernel/ptrace.c 2018-05-09 23:53:18.864657000 +0100 @@ -41,6 +41,7 @@ #include <asm/mipsmtregs.h> #include <asm/pgtable.h> #include <asm/page.h> +#include <asm/processor.h> #include <asm/syscall.h> #include <linux/uaccess.h> #include <asm/bootinfo.h> @@ -589,9 +590,179 @@ static int fpr_set(struct task_struct *t return err; } +#if defined(CONFIG_32BIT) || defined(CONFIG_MIPS32_O32) + +/* + * Copy the DSP context to the supplied 32-bit NT_MIPS_DSP buffer. + */ +static int dsp32_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +{ + unsigned int start, num_regs, i; + u32 dspregs[NUM_DSP_REGS + 1]; + + BUG_ON(count % sizeof(u32)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u32); + num_regs = count / sizeof(u32); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + dspregs[i] = target->thread.dsp.dspr[i]; + break; + case NUM_DSP_REGS: + dspregs[i] = target->thread.dsp.dspcontrol; + break; + } + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); +} + +/* + * Copy the supplied 32-bit NT_MIPS_DSP buffer to the DSP context. + */ +static int dsp32_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) +{ + unsigned int start, num_regs, i; + u32 dspregs[NUM_DSP_REGS + 1]; + int err; + + BUG_ON(count % sizeof(u32)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u32); + num_regs = count / sizeof(u32); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); + if (err) + return err; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + target->thread.dsp.dspr[i] = (s32)dspregs[i]; + break; + case NUM_DSP_REGS: + target->thread.dsp.dspcontrol = (s32)dspregs[i]; + break; + } + + return 0; +} + +#endif /* CONFIG_32BIT || CONFIG_MIPS32_O32 */ + +#ifdef CONFIG_64BIT + +/* + * Copy the DSP context to the supplied 64-bit NT_MIPS_DSP buffer. + */ +static int dsp64_get(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + void *kbuf, void __user *ubuf) +{ + unsigned int start, num_regs, i; + u64 dspregs[NUM_DSP_REGS + 1]; + + BUG_ON(count % sizeof(u64)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u64); + num_regs = count / sizeof(u64); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + dspregs[i] = target->thread.dsp.dspr[i]; + break; + case NUM_DSP_REGS: + dspregs[i] = target->thread.dsp.dspcontrol; + break; + } + return user_regset_copyout(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); +} + +/* + * Copy the supplied 64-bit NT_MIPS_DSP buffer to the DSP context. + */ +static int dsp64_set(struct task_struct *target, + const struct user_regset *regset, + unsigned int pos, unsigned int count, + const void *kbuf, const void __user *ubuf) +{ + unsigned int start, num_regs, i; + u64 dspregs[NUM_DSP_REGS + 1]; + int err; + + BUG_ON(count % sizeof(u64)); + + if (!cpu_has_dsp) + return -EIO; + + start = pos / sizeof(u64); + num_regs = count / sizeof(u64); + + if (start + num_regs > NUM_DSP_REGS + 1) + return -EIO; + + err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, dspregs, 0, + sizeof(dspregs)); + if (err) + return err; + + for (i = start; i < num_regs; i++) + switch (i) { + case 0 ... NUM_DSP_REGS - 1: + target->thread.dsp.dspr[i] = dspregs[i]; + break; + case NUM_DSP_REGS: + target->thread.dsp.dspcontrol = dspregs[i]; + break; + } + + return 0; +} + +#endif /* CONFIG_64BIT */ + +/* + * Determine whether the DSP context is present. + */ +static int dsp_active(struct task_struct *target, + const struct user_regset *regset) +{ + return cpu_has_dsp ? NUM_DSP_REGS + 1 : -ENODEV; +} + enum mips_regset { REGSET_GPR, REGSET_FPR, + REGSET_DSP, }; struct pt_regs_offset { @@ -697,6 +868,15 @@ static const struct user_regset mips_reg .get = fpr_get, .set = fpr_set, }, + [REGSET_DSP] = { + .core_note_type = NT_MIPS_DSP, + .n = NUM_DSP_REGS + 1, + .size = sizeof(u32), + .align = sizeof(u32), + .get = dsp32_get, + .set = dsp32_set, + .active = dsp_active, + }, }; static const struct user_regset_view user_mips_view = { @@ -728,6 +908,15 @@ static const struct user_regset mips64_r .get = fpr_get, .set = fpr_set, }, + [REGSET_DSP] = { + .core_note_type = NT_MIPS_DSP, + .n = NUM_DSP_REGS + 1, + .size = sizeof(u64), + .align = sizeof(u64), + .get = dsp64_get, + .set = dsp64_set, + .active = dsp_active, + }, }; static const struct user_regset_view user_mips64_view = { Index: linux-jhogan-test/include/uapi/linux/elf.h =================================================================== --- linux-jhogan-test.orig/include/uapi/linux/elf.h 2018-05-09 23:22:44.799797000 +0100 +++ linux-jhogan-test/include/uapi/linux/elf.h 2018-05-09 23:51:32.646880000 +0100 @@ -424,6 +424,7 @@ typedef struct elf64_shdr { #define NT_METAG_RPIPE 0x501 /* Metag read pipeline state */ #define NT_METAG_TLS 0x502 /* Metag TLS pointer */ #define NT_ARC_V2 0x600 /* ARCv2 accumulator/extra registers */ +#define NT_MIPS_DSP 0x700 /* MIPS DSP ASE registers */ /* Note header in a PT_NOTE section */ typedef struct elf32_note {

7 years, 4 months

1
0
0 0

[PATCH 2/3] MIPS: Correct the 64-bit DSP accumulator register size

by Maciej W. Rozycki

Use the `unsigned long' rather than `__u32' type for DSP accumulator registers, like with the regular MIPS multiply/divide accumulator and general-purpose registers, as all are 64-bit in 64-bit implementations and using a 32-bit data type leads to contents truncation on context saving. Update `arch_ptrace' and `compat_arch_ptrace' accordingly, removing casts that are similarly not used with multiply/divide accumulator or general-purpose register accesses. Cc: stable(a)vger.kernel.org # 2.6.15+ Fixes: e50c0a8fa60d ("Support the MIPS32 / MIPS64 DSP ASE.") Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> --- Hi, I have no 64-bit DSP hardware handy to verify this change, however some surely exists and is used to run Linux, as indicated by GDB PR gdb/22286, <https://sourceware.org/bugzilla/show_bug.cgi?id=22286>, so we better get it right before people start screaming. Maciej --- arch/mips/include/asm/processor.h | 2 +- arch/mips/kernel/ptrace.c | 2 +- arch/mips/kernel/ptrace32.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) linux-mips-dsp64.diff Index: linux-jhogan-test/arch/mips/include/asm/processor.h =================================================================== --- linux-jhogan-test.orig/arch/mips/include/asm/processor.h 2018-03-21 17:13:52.000000000 +0000 +++ linux-jhogan-test/arch/mips/include/asm/processor.h 2018-05-09 22:35:33.248559000 +0100 @@ -141,7 +141,7 @@ struct mips_fpu_struct { #define NUM_DSP_REGS 6 -typedef __u32 dspreg_t; +typedef unsigned long dspreg_t; struct mips_dsp_state { dspreg_t dspr[NUM_DSP_REGS]; Index: linux-jhogan-test/arch/mips/kernel/ptrace.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace.c 2018-05-09 22:34:00.000000000 +0100 +++ linux-jhogan-test/arch/mips/kernel/ptrace.c 2018-05-09 22:37:45.416608000 +0100 @@ -856,7 +856,7 @@ long arch_ptrace(struct task_struct *chi goto out; } dregs = __get_dsp_regs(child); - tmp = (unsigned long) (dregs[addr - DSP_BASE]); + tmp = dregs[addr - DSP_BASE]; break; } case DSP_CONTROL: Index: linux-jhogan-test/arch/mips/kernel/ptrace32.c =================================================================== --- linux-jhogan-test.orig/arch/mips/kernel/ptrace32.c 2018-03-21 17:13:52.000000000 +0000 +++ linux-jhogan-test/arch/mips/kernel/ptrace32.c 2018-05-09 22:45:50.924418000 +0100 @@ -142,7 +142,7 @@ long compat_arch_ptrace(struct task_stru goto out; } dregs = __get_dsp_regs(child); - tmp = (unsigned long) (dregs[addr - DSP_BASE]); + tmp = dregs[addr - DSP_BASE]; break; } case DSP_CONTROL:

7 years, 4 months

1
0
0 0

+ kernel-sys-fix-potential-spectre-v1.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: kernel/sys.c: fix potential Spectre v1 issue has been added to the -mm tree. Its filename is kernel-sys-fix-potential-spectre-v1.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/kernel-sys-fix-potential-spectre-v… and later at http://ozlabs.org/~akpm/mmotm/broken-out/kernel-sys-fix-potential-spectre-v… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: "Gustavo A. R. Silva" <gustavo(a)embeddedor.com> Subject: kernel/sys.c: fix potential Spectre v1 issue `resource' can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability. This issue was detected with the help of Smatch: kernel/sys.c:1474 __do_compat_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) kernel/sys.c:1455 __do_sys_old_getrlimit() warn: potential spectre issue 'get_current()->signal->rlim' (local cap) Fix this by sanitizing *resource* before using it to index current->signal->rlim Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1]. [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 Link: http://lkml.kernel.org/r/20180515030038.GA11822@embeddedor.com Signed-off-by: Gustavo A. R. Silva <gustavo(a)embeddedor.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexei Starovoitov <ast(a)kernel.org> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/sys.c | 5 +++++ 1 file changed, 5 insertions(+) diff -puN kernel/sys.c~kernel-sys-fix-potential-spectre-v1 kernel/sys.c --- a/kernel/sys.c~kernel-sys-fix-potential-spectre-v1 +++ a/kernel/sys.c @@ -69,6 +69,9 @@ #include <asm/io.h> #include <asm/unistd.h> +/* Hardening for Spectre-v1 */ +#include <linux/nospec.h> + #include "uid16.h" #ifndef SET_UNALIGN_CTL @@ -1451,6 +1454,7 @@ SYSCALL_DEFINE2(old_getrlimit, unsigned if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); x = current->signal->rlim[resource]; task_unlock(current->group_leader); @@ -1470,6 +1474,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, un if (resource >= RLIM_NLIMITS) return -EINVAL; + resource = array_index_nospec(resource, RLIM_NLIMITS); task_lock(current->group_leader); r = current->signal->rlim[resource]; task_unlock(current->group_leader); _ Patches currently in -mm which might be from gustavo(a)embeddedor.com are kernel-sys-fix-potential-spectre-v1.patch

7 years, 4 months

1
0
0 0

[PATCH] clk:aspeed: Fix reset bits for PCI/VGA and PECI

by Jae Hyun Yoo

This commit fixes incorrect setting of reset bits for PCI/VGA and PECI modules. 1. Reset bit for PCI/VGA is 8. 2. PECI reset bit is missing so added bit 10 as its reset bit. Signed-off-by: Jae Hyun Yoo <jae.hyun.yoo(a)linux.intel.com> Fixes: 15ed8ce5f84e ("clk: aspeed: Register gated clocks") Cc: stable <stable(a)vger.kernel.org> --- drivers/clk/clk-aspeed.c | 4 ++-- include/dt-bindings/clock/aspeed-clock.h | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/clk/clk-aspeed.c b/drivers/clk/clk-aspeed.c index 5eb50c31e455..2c23e7d7ba28 100644 --- a/drivers/clk/clk-aspeed.c +++ b/drivers/clk/clk-aspeed.c @@ -88,7 +88,7 @@ static const struct aspeed_gate_data aspeed_gates[] = { [ASPEED_CLK_GATE_GCLK] = { 1, 7, "gclk-gate", NULL, 0 }, /* 2D engine */ [ASPEED_CLK_GATE_MCLK] = { 2, -1, "mclk-gate", "mpll", CLK_IS_CRITICAL }, /* SDRAM */ [ASPEED_CLK_GATE_VCLK] = { 3, 6, "vclk-gate", NULL, 0 }, /* Video Capture */ - [ASPEED_CLK_GATE_BCLK] = { 4, 10, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ + [ASPEED_CLK_GATE_BCLK] = { 4, 8, "bclk-gate", "bclk", 0 }, /* PCIe/PCI */ [ASPEED_CLK_GATE_DCLK] = { 5, -1, "dclk-gate", NULL, 0 }, /* DAC */ [ASPEED_CLK_GATE_REFCLK] = { 6, -1, "refclk-gate", "clkin", CLK_IS_CRITICAL }, [ASPEED_CLK_GATE_USBPORT2CLK] = { 7, 3, "usb-port2-gate", NULL, 0 }, /* USB2.0 Host port 2 */ @@ -297,7 +297,7 @@ static const u8 aspeed_resets[] = { [ASPEED_RESET_JTAG_MASTER] = 22, [ASPEED_RESET_MIC] = 18, [ASPEED_RESET_PWM] = 9, - [ASPEED_RESET_PCIVGA] = 8, + [ASPEED_RESET_PECI] = 10, [ASPEED_RESET_I2C] = 2, [ASPEED_RESET_AHB] = 1, }; diff --git a/include/dt-bindings/clock/aspeed-clock.h b/include/dt-bindings/clock/aspeed-clock.h index d3558d897a4d..8d69b9134bef 100644 --- a/include/dt-bindings/clock/aspeed-clock.h +++ b/include/dt-bindings/clock/aspeed-clock.h @@ -45,7 +45,7 @@ #define ASPEED_RESET_JTAG_MASTER 3 #define ASPEED_RESET_MIC 4 #define ASPEED_RESET_PWM 5 -#define ASPEED_RESET_PCIVGA 6 +#define ASPEED_RESET_PECI 6 #define ASPEED_RESET_I2C 7 #define ASPEED_RESET_AHB 8 -- 2.17.0

7 years, 4 months

3
3
0 0

[PATCH v2 3/3] x86/mm: add TLB purge to free pmd/pte page interfaces

by Toshi Kani

ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates a pud / pmd map. The following preconditions are met at their entry. - All pte entries for a target pud/pmd address range have been cleared. - System-wide TLB purges have been peformed for a target pud/pmd address range. The preconditions assure that there is no stale TLB entry for the range. Speculation may not cache TLB entries since it requires all levels of page entries, including ptes, to have P & A-bits set for an associated address. However, speculation may cache pud/pmd entries (paging-structure caches) when they have P-bit set. Add a system-wide TLB purge (INVLPG) to a single page after clearing pud/pmd entry's P-bit. SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches, states that: INVLPG invalidates all paging-structure caches associated with the current PCID regardless of the liner addresses to which they correspond. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- arch/x86/mm/pgtable.c | 34 ++++++++++++++++++++++++++++------ 1 file changed, 28 insertions(+), 6 deletions(-) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index f60fdf411103..7e96594c7e97 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -721,24 +721,42 @@ int pmd_clear_huge(pmd_t *pmd) * @pud: Pointer to a PUD. * @addr: Virtual address associated with pud. * - * Context: The pud range has been unmaped and TLB purged. + * Context: The pud range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pud_free_pmd_page(pud_t *pud, unsigned long addr) { - pmd_t *pmd; + pmd_t *pmd, *pmd_sv; + pte_t *pte; int i; if (pud_none(*pud)) return 1; pmd = (pmd_t *)pud_page_vaddr(*pud); + pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); + if (!pmd_sv) + return 0; - for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) - return 0; + for (i = 0; i < PTRS_PER_PMD; i++) { + pmd_sv[i] = pmd[i]; + if (!pmd_none(pmd[i])) + pmd_clear(&pmd[i]); + } pud_clear(pud); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + + for (i = 0; i < PTRS_PER_PMD; i++) { + if (!pmd_none(pmd_sv[i])) { + pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]); + free_page((unsigned long)pte); + } + } + + free_page((unsigned long)pmd_sv); free_page((unsigned long)pmd); return 1; @@ -749,7 +767,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) * @pmd: Pointer to a PMD. * @addr: Virtual address associated with pmd. * - * Context: The pmd range has been unmaped and TLB purged. + * Context: The pmd range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) @@ -761,6 +779,10 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) pte = (pte_t *)pmd_page_vaddr(*pmd); pmd_clear(pmd); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + free_page((unsigned long)pte); return 1;

7 years, 4 months

1
0
0 0

[PATCH v2 2/3] ioremap: Update pgtable free interfaces with addr

by Toshi Kani

From: Chintan Pandya <cpandya(a)codeaurora.org> This patch ("mm/vmalloc: Add interfaces to free unmapped page table") adds following 2 interfaces to free the page table in case we implement huge mapping. pud_free_pmd_page() and pmd_free_pte_page() Some architectures (like arm64) needs to do proper TLB maintanance after updating pagetable entry even in map. Why ? Read this, https://patchwork.kernel.org/patch/10134581/ Pass 'addr' in these interfaces so that proper TLB ops can be performed. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Chintan Pandya <cpandya(a)codeaurora.org> Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: <stable(a)vger.kernel.org> --- arch/arm64/mm/mmu.c | 4 ++-- arch/x86/mm/pgtable.c | 8 +++++--- include/asm-generic/pgtable.h | 8 ++++---- lib/ioremap.c | 4 ++-- 4 files changed, 13 insertions(+), 11 deletions(-) diff --git a/arch/arm64/mm/mmu.c b/arch/arm64/mm/mmu.c index 2dbb2c9f1ec1..da98828609a1 100644 --- a/arch/arm64/mm/mmu.c +++ b/arch/arm64/mm/mmu.c @@ -973,12 +973,12 @@ int pmd_clear_huge(pmd_t *pmdp) return 1; } -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return pud_none(*pud); } -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return pmd_none(*pmd); } diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 08cdd7c13619..f60fdf411103 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -719,11 +719,12 @@ int pmd_clear_huge(pmd_t *pmd) /** * pud_free_pmd_page - Clear pud entry and free pmd page. * @pud: Pointer to a PUD. + * @addr: Virtual address associated with pud. * * Context: The pud range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pud_free_pmd_page(pud_t *pud) +int pud_free_pmd_page(pud_t *pud, unsigned long addr) { pmd_t *pmd; int i; @@ -734,7 +735,7 @@ int pud_free_pmd_page(pud_t *pud) pmd = (pmd_t *)pud_page_vaddr(*pud); for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i])) + if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) return 0; pud_clear(pud); @@ -746,11 +747,12 @@ int pud_free_pmd_page(pud_t *pud) /** * pmd_free_pte_page - Clear pmd entry and free pte page. * @pmd: Pointer to a PMD. + * @addr: Virtual address associated with pmd. * * Context: The pmd range has been unmaped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ -int pmd_free_pte_page(pmd_t *pmd) +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { pte_t *pte; diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h index f59639afaa39..b081794ba135 100644 --- a/include/asm-generic/pgtable.h +++ b/include/asm-generic/pgtable.h @@ -1019,8 +1019,8 @@ int pud_set_huge(pud_t *pud, phys_addr_t addr, pgprot_t prot); int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot); int pud_clear_huge(pud_t *pud); int pmd_clear_huge(pmd_t *pmd); -int pud_free_pmd_page(pud_t *pud); -int pmd_free_pte_page(pmd_t *pmd); +int pud_free_pmd_page(pud_t *pud, unsigned long addr); +int pmd_free_pte_page(pmd_t *pmd, unsigned long addr); #else /* !CONFIG_HAVE_ARCH_HUGE_VMAP */ static inline int p4d_set_huge(p4d_t *p4d, phys_addr_t addr, pgprot_t prot) { @@ -1046,11 +1046,11 @@ static inline int pmd_clear_huge(pmd_t *pmd) { return 0; } -static inline int pud_free_pmd_page(pud_t *pud) +static inline int pud_free_pmd_page(pud_t *pud, unsigned long addr) { return 0; } -static inline int pmd_free_pte_page(pmd_t *pmd) +static inline int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) { return 0; } diff --git a/lib/ioremap.c b/lib/ioremap.c index 54e5bbaa3200..517f5853ffed 100644 --- a/lib/ioremap.c +++ b/lib/ioremap.c @@ -92,7 +92,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr, if (ioremap_pmd_enabled() && ((next - addr) == PMD_SIZE) && IS_ALIGNED(phys_addr + addr, PMD_SIZE) && - pmd_free_pte_page(pmd)) { + pmd_free_pte_page(pmd, addr)) { if (pmd_set_huge(pmd, phys_addr + addr, prot)) continue; } @@ -119,7 +119,7 @@ static inline int ioremap_pud_range(p4d_t *p4d, unsigned long addr, if (ioremap_pud_enabled() && ((next - addr) == PUD_SIZE) && IS_ALIGNED(phys_addr + addr, PUD_SIZE) && - pud_free_pmd_page(pud)) { + pud_free_pmd_page(pud, addr)) { if (pud_set_huge(pud, phys_addr + addr, prot)) continue; }

7 years, 4 months

1
0
0 0

+ mm-dont-allow-deferred-pages-with-need_per_cpu_km.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: don't allow deferred pages with NEED_PER_CPU_KM has been added to the -mm tree. Its filename is mm-dont-allow-deferred-pages-with-need_per_cpu_km.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-dont-allow-deferred-pages-with-… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-dont-allow-deferred-pages-with-… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Pavel Tatashin <pasha.tatashin(a)oracle.com> Subject: mm: don't allow deferred pages with NEED_PER_CPU_KM It is unsafe to do virtual to physical translations before mm_init() is called if struct page is needed in order to determine the memory section number (see SECTION_IN_PAGE_FLAGS). This is because only in mm_init() we initialize struct pages for all the allocated memory when deferred struct pages are used. My recent fix c9e97a1997 ("mm: initialize pages on demand during boot") exposed this problem, because it greatly reduced number of pages that are initialized before mm_init(), but the problem existed even before my fix, as Fengguang Wu found. Below is a more detailed explanation of the problem. We initialize struct pages in four places: 1. Early in boot a small set of struct pages is initialized to fill the first section, and lower zones. 2. During mm_init() we initialize "struct pages" for all the memory that is allocated, i.e reserved in memblock. 3. Using on-demand logic when pages are allocated after mm_init call (when memblock is finished) 4. After smp_init() when the rest free deferred pages are initialized. The problem occurs if we try to do va to phys translation of a memory between steps 1 and 2. Because we have not yet initialized struct pages for all the reserved pages, it is inherently unsafe to do va to phys if the translation itself requires access of "struct page" as in case of this combination: CONFIG_SPARSE && !CONFIG_SPARSE_VMEMMAP The following path exposes the problem: start_kernel() trap_init() setup_cpu_entry_areas() setup_cpu_entry_area(cpu) get_cpu_gdt_paddr(cpu) per_cpu_ptr_to_phys(addr) pcpu_addr_to_page(addr) virt_to_page(addr) pfn_to_page(__pa(addr) >> PAGE_SHIFT) We disable this path by not allowing NEED_PER_CPU_KM with deferred struct pages feature. The problems are discussed in these threads: http://lkml.kernel.org/r/20180418135300.inazvpxjxowogyge@wfg-t540p.sh.intel… http://lkml.kernel.org/r/20180419013128.iurzouiqxvcnpbvz@wfg-t540p.sh.intel… http://lkml.kernel.org/r/20180426202619.2768-1-pasha.tatashin@oracle.com Link: http://lkml.kernel.org/r/20180515175124.1770-1-pasha.tatashin@oracle.com Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set") Signed-off-by: Pavel Tatashin <pasha.tatashin(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Steven Sistare <steven.sistare(a)oracle.com> Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com> Cc: Mel Gorman <mgorman(a)techsingularity.net> Cc: Fengguang Wu <fengguang.wu(a)intel.com> Cc: Dennis Zhou <dennisszhou(a)gmail.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/Kconfig | 1 + 1 file changed, 1 insertion(+) diff -puN mm/Kconfig~mm-dont-allow-deferred-pages-with-need_per_cpu_km mm/Kconfig --- a/mm/Kconfig~mm-dont-allow-deferred-pages-with-need_per_cpu_km +++ a/mm/Kconfig @@ -636,6 +636,7 @@ config DEFERRED_STRUCT_PAGE_INIT default n depends on NO_BOOTMEM depends on !FLATMEM + depends on !NEED_PER_CPU_KM help Ordinarily all struct pages are initialised during early boot in a single thread. On very large machines this can take a considerable _ Patches currently in -mm which might be from pasha.tatashin(a)oracle.com are mm-dont-allow-deferred-pages-with-need_per_cpu_km.patch sparc64-ng4-memset-32-bits-overflow.patch

7 years, 4 months

1
0
0 0

Re: ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c

by Mark Salyzyn

ToT commit 97f3c0a4b0579b646b6b10ae5a3d59f0441cc12c (ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c) was assigned CVE-2017-13695 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-13695 and has been public since August 25 2017 Please apply to 3.18, 4.4 and 4.9 stable kernels for the reasons outlined in the body of the patch: "This cache leak causes a security threat because an old kernel (<= 4.9) shows memory locations of kernel functions in stack dump. Some malicious users could use this information to neutralize kernel ASLR." Bonus Points: Since the patch is ToT upstream, relieving the bug that results in the memory leak, even despite the non-CVE security status for <=4.12 kernels, it may be advised to also include this patch in 4.14.y stable as well. Sincerely -- Mark Salyzyn

7 years, 4 months

3
5
0 0

[PATCH 2/3] x86/mm: add TLB purge to free pmd/pte page interfaces

by Toshi Kani

ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates a pud / pmd map. The following preconditions are met at their entry. - All pte entries for a target pud/pmd address range have been cleared. - System-wide TLB purges have been peformed for a target pud/pmd address range. The preconditions assure that there is no stale TLB entry for the range. Speculation may not cache TLB entries since it requires all levels of page entries, including ptes, to have P & A-bits set for an associated address. However, speculation may cache pud/pmd entries (paging-structure caches) when they have P-bit set. Add a system-wide TLB purge (INVLPG) to a single page after clearing pud/pmd entry's P-bit. SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches, states that: INVLPG invalidates all paging-structure caches associated with the current PCID regardless of the liner addresses to which they correspond. Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces") Signed-off-by: Toshi Kani <toshi.kani(a)hpe.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Ingo Molnar <mingo(a)redhat.com> Cc: "H. Peter Anvin" <hpa(a)zytor.com> Cc: Joerg Roedel <joro(a)8bytes.org> Cc: <stable(a)vger.kernel.org> --- arch/x86/mm/pgtable.c | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c index 37e3cbac59b9..816fd41ee854 100644 --- a/arch/x86/mm/pgtable.c +++ b/arch/x86/mm/pgtable.c @@ -720,24 +720,40 @@ int pmd_clear_huge(pmd_t *pmd) * @pud: Pointer to a PUD. * @addr: Virtual address associated with pud. * - * Context: The pud range has been unmaped and TLB purged. + * Context: The pud range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pud_free_pmd_page(pud_t *pud, unsigned long addr) { - pmd_t *pmd; + pmd_t *pmd, *pmd_sv; + pte_t *pte; int i; if (pud_none(*pud)) return 1; pmd = (pmd_t *)pud_page_vaddr(*pud); + pmd_sv = (pmd_t *)__get_free_page(GFP_KERNEL); - for (i = 0; i < PTRS_PER_PMD; i++) - if (!pmd_free_pte_page(&pmd[i], addr + (i * PMD_SIZE))) - return 0; + for (i = 0; i < PTRS_PER_PMD; i++) { + pmd_sv[i] = pmd[i]; + if (!pmd_none(pmd[i])) + pmd_clear(&pmd[i]); + } pud_clear(pud); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + + for (i = 0; i < PTRS_PER_PMD; i++) { + if (!pmd_none(pmd_sv[i])) { + pte = (pte_t *)pmd_page_vaddr(pmd_sv[i]); + free_page((unsigned long)pte); + } + } + + free_page((unsigned long)pmd_sv); free_page((unsigned long)pmd); return 1; @@ -748,7 +764,7 @@ int pud_free_pmd_page(pud_t *pud, unsigned long addr) * @pmd: Pointer to a PMD. * @addr: Virtual address associated with pmd. * - * Context: The pmd range has been unmaped and TLB purged. + * Context: The pmd range has been unmapped and TLB purged. * Return: 1 if clearing the entry succeeded. 0 otherwise. */ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) @@ -760,6 +776,10 @@ int pmd_free_pte_page(pmd_t *pmd, unsigned long addr) pte = (pte_t *)pmd_page_vaddr(*pmd); pmd_clear(pmd); + + /* INVLPG to clear all paging-structure caches */ + flush_tlb_kernel_range(addr, addr + PAGE_SIZE-1); + free_page((unsigned long)pte); return 1;

7 years, 4 months

3
2
0 0

[PATCH for-next 00/14] IB/hfi1: Updates for-next 5/2/2018

by Dennis Dalessandro

Hi Doug and Jason, Here are some patches to go to for-next. These include the couple patches that needed rework that were posted before the OFA conf. Well actually those patches that had issues were just dropped with the exception of the one from Alex, to add handling of kernel restart to hfi1 and qib. Patch 8 is his V2. Nothing else too scary or exciting in here. Well OK so that's not quite right the CQ completion vector patch is rather interesting. This adds support for compeltion vectors for hfi1 and helps improve performance in things like IPoIB. There is a signifianct patch from Mitko that redoes a lof our fault injection stuff. It's a big patch but I'm not sure it lends itself to being broken up further. One other thing of note is the "Create common functions" patch from Sebastian depends on one of the patches that I sent for the -rc. It won't apply cleanly without that. --- Alex Estrin (2): IB/hfi1: Complete check for locally terminated smp IB/{hfi1,qib}: Add handling of kernel restart Brian Welty (1): IB/{hfi1,qib,rdmavt}: Move logic to allocate receive WQE into rdmavt Kamenee Arumugam (1): IB/Hfi1: Read CCE Revision register to verify the device is responsive Michael J. Ruhl (4): IB/hfi1: Return actual error value from program_rcvarray() IB/hfi1: Use after free race condition in send context error path IB/hfi1: Return correct value for device state IB/hfi1: Reorder incorrect send context disable Mike Marciniszyn (1): IB/hfi1: Fix fault injection init/exit issues Mitko Haralanov (1): IB/hfi1: Rework fault injection machinery Sebastian Sanchez (4): IB/hfi1: Prevent LNI hang when LCB can't obtain lanes IB/hfi1: Optimize kthread pointer locking when queuing CQ entries IB/hfi1: Create common functions for affinity CPU mask operations IB/{hfi1,rdmavt,qib}: Implement CQ completion vector support drivers/infiniband/hw/hfi1/Makefile | 10 - drivers/infiniband/hw/hfi1/affinity.c | 497 +++++++++++++++++++++++++-- drivers/infiniband/hw/hfi1/affinity.h | 10 - drivers/infiniband/hw/hfi1/chip.c | 74 +++- drivers/infiniband/hw/hfi1/chip.h | 15 + drivers/infiniband/hw/hfi1/chip_registers.h | 7 drivers/infiniband/hw/hfi1/debugfs.c | 292 ---------------- drivers/infiniband/hw/hfi1/debugfs.h | 93 +++-- drivers/infiniband/hw/hfi1/driver.c | 20 + drivers/infiniband/hw/hfi1/fault.c | 375 ++++++++++++++++++++ drivers/infiniband/hw/hfi1/fault.h | 109 ++++++ drivers/infiniband/hw/hfi1/file_ops.c | 2 drivers/infiniband/hw/hfi1/hfi.h | 14 + drivers/infiniband/hw/hfi1/init.c | 28 +- drivers/infiniband/hw/hfi1/mad.c | 36 +- drivers/infiniband/hw/hfi1/pcie.c | 8 drivers/infiniband/hw/hfi1/pio.c | 44 ++ drivers/infiniband/hw/hfi1/rc.c | 8 drivers/infiniband/hw/hfi1/ruc.c | 154 -------- drivers/infiniband/hw/hfi1/trace.c | 3 drivers/infiniband/hw/hfi1/trace_dbg.h | 3 drivers/infiniband/hw/hfi1/uc.c | 4 drivers/infiniband/hw/hfi1/ud.c | 4 drivers/infiniband/hw/hfi1/user_exp_rcv.c | 1 drivers/infiniband/hw/hfi1/verbs.c | 20 - drivers/infiniband/hw/hfi1/verbs.h | 8 drivers/infiniband/hw/qib/qib.h | 1 drivers/infiniband/hw/qib/qib_init.c | 13 + drivers/infiniband/hw/qib/qib_rc.c | 8 drivers/infiniband/hw/qib/qib_ruc.c | 154 -------- drivers/infiniband/hw/qib/qib_uc.c | 4 drivers/infiniband/hw/qib/qib_ud.c | 4 drivers/infiniband/hw/qib/qib_verbs.c | 6 drivers/infiniband/hw/qib/qib_verbs.h | 2 drivers/infiniband/sw/rdmavt/cq.c | 74 ++-- drivers/infiniband/sw/rdmavt/cq.h | 6 drivers/infiniband/sw/rdmavt/qp.c | 149 ++++++++ drivers/infiniband/sw/rdmavt/trace_cq.h | 35 ++ drivers/infiniband/sw/rdmavt/vt.c | 35 +- include/rdma/rdma_vt.h | 7 include/rdma/rdmavt_cq.h | 5 include/rdma/rdmavt_qp.h | 1 42 files changed, 1491 insertions(+), 852 deletions(-) create mode 100644 drivers/infiniband/hw/hfi1/fault.c create mode 100644 drivers/infiniband/hw/hfi1/fault.h -- -Denny

7 years, 4 months

3
9
0 0

patch "staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy" added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001 From: Laura Abbott <labbott(a)redhat.com> Date: Mon, 14 May 2018 14:35:09 -0700 Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Syzbot reported yet another warning with Ion: WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122 ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122 Kernel panic - not syncing: panic_on_warn set ... This is catching that a buffer was freed with an existing kernel mapping still present. This can be easily be triggered from userspace by calling DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single pr_warn_once to indicate the error without being disruptive. Reported-by: syzbot+cd8bcd40cb049efa2770(a)syzkaller.appspotmail.com Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Laura Abbott <labbott(a)redhat.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ion/ion.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index af682cbde767..9d1109e43ed4 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -111,8 +111,11 @@ static struct ion_buffer *ion_buffer_create(struct ion_heap *heap, void ion_buffer_destroy(struct ion_buffer *buffer) { - if (WARN_ON(buffer->kmap_cnt > 0)) + if (buffer->kmap_cnt > 0) { + pr_warn_once("%s: buffer still mapped in the kernel\n", + __func__); buffer->heap->ops->unmap_kernel(buffer->heap, buffer); + } buffer->heap->ops->free(buffer); kfree(buffer); } -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH] mtd: rawnand: marvell: Fix read logic for layouts with ->nchunks > 2

by Boris Brezillon

The code is doing monolithic reads for all chunks except the last one which is wrong since a monolithic read will issue the READ0+ADDRS+READ_START sequence. It not only takes longer because it forces the NAND chip to reload the page content into its internal cache, but by doing that we also reset the column pointer to 0, which means we'll always read the first chunk instead of moving to the next one. Rework the code to do a monolithic read only for the first chunk, then switch to naked reads for all intermediate chunks and finally issue a last naked read for the last chunk. Fixes: 02f26ecf8c77 mtd: nand: add reworked Marvell NAND controller driver Cc: stable(a)vger.kernel.org Reported-by: Chris Packham <chris.packham(a)alliedtelesis.co.nz> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Tested-by: Chris Packham <chris.packham(a)alliedtelesis.co.nz> --- drivers/mtd/nand/raw/marvell_nand.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/nand/raw/marvell_nand.c b/drivers/mtd/nand/raw/marvell_nand.c index db5ec4e8bde9..ebb1d141b900 100644 --- a/drivers/mtd/nand/raw/marvell_nand.c +++ b/drivers/mtd/nand/raw/marvell_nand.c @@ -1194,11 +1194,13 @@ static void marvell_nfc_hw_ecc_bch_read_chunk(struct nand_chip *chip, int chunk, NDCB0_CMD2(NAND_CMD_READSTART); /* - * Trigger the naked read operation only on the last chunk. - * Otherwise, use monolithic read. + * Trigger the monolithic read on the first chunk, then naked read on + * intermediate chunks and finally a last naked read on the last chunk. */ - if (lt->nchunks == 1 || (chunk < lt->nchunks - 1)) + if (chunk == 0) nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_MONOLITHIC_RW); + else if (chunk < lt->nchunks - 1) + nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_NAKED_RW); else nfc_op.ndcb[0] |= NDCB0_CMD_XTYPE(XTYPE_LAST_NAKED_RW); -- 2.14.1

7 years, 4 months

2
2
0 0

[PATCH v2 0/6] usb: gadget: udc: renesas_usb3: fix some major issues

by Yoshihiro Shimoda

This patch set is based on v4.16. Changes from v1: - Add Reviewed-by in patch 1, 2, 3 and 4. - Revise typo in patch 4. - Add new patches as patch 5 and 6. Yoshihiro Shimoda (6): usb: gadget: udc: renesas_usb3: fix double phy_put() usb: gadget: udc: renesas_usb3: should remove debugfs usb: gadget: udc: renesas_usb3: should call pm_runtime_enable() before add udc usb: gadget: udc: renesas_usb3: should call devm_phy_get() before add udc usb: gadget: udc: renesas_usb3: should fail if devm_phy_get() returns error usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting drivers/usb/gadget/udc/renesas_usb3.c | 37 +++++++++++++++++++++++------------ 1 file changed, 25 insertions(+), 12 deletions(-) -- 1.9.1

7 years, 4 months

2
13
0 0

patch "staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy" added to staging-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the staging-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 45ad559a29629cb1c64ee636563c69b71524f077 Mon Sep 17 00:00:00 2001 From: Laura Abbott <labbott(a)redhat.com> Date: Mon, 14 May 2018 14:35:09 -0700 Subject: staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy Syzbot reported yet another warning with Ion: WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122 ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122 Kernel panic - not syncing: panic_on_warn set ... This is catching that a buffer was freed with an existing kernel mapping still present. This can be easily be triggered from userspace by calling DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single pr_warn_once to indicate the error without being disruptive. Reported-by: syzbot+cd8bcd40cb049efa2770(a)syzkaller.appspotmail.com Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Laura Abbott <labbott(a)redhat.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/staging/android/ion/ion.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/staging/android/ion/ion.c b/drivers/staging/android/ion/ion.c index af682cbde767..9d1109e43ed4 100644 --- a/drivers/staging/android/ion/ion.c +++ b/drivers/staging/android/ion/ion.c @@ -111,8 +111,11 @@ static struct ion_buffer *ion_buffer_create(struct ion_heap *heap, void ion_buffer_destroy(struct ion_buffer *buffer) { - if (WARN_ON(buffer->kmap_cnt > 0)) + if (buffer->kmap_cnt > 0) { + pr_warn_once("%s: buffer still mapped in the kernel\n", + __func__); buffer->heap->ops->unmap_kernel(buffer->heap, buffer); + } buffer->heap->ops->free(buffer); kfree(buffer); } -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH 4.16 00/72] 4.16.9-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.16.9 release. There are 72 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:47:58 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.16.9-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.16.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.16.9-rc1 Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Peter Zijlstra <peterz(a)infradead.org> perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Peter Zijlstra <peterz(a)infradead.org> perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Peter Zijlstra <peterz(a)infradead.org> sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Peter Zijlstra <peterz(a)infradead.org> sched/core: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] Jean Delvare <jdelvare(a)suse.de> swiotlb: silent unwanted warning "buffer is full" Steve French <smfrench(a)gmail.com> smb3: directory sync should not return an error Charles Machalow <charles.machalow(a)intel.com> nvme: Fix sync controller reset return Jens Axboe <axboe(a)kernel.dk> nvme: add quirk to force medium priority for SQ creation Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Propagate error value from tmu_read() Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Reading temperature makes sense only when TMU is turned on Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Hans de Goede <hdegoede(a)redhat.com> Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Hans de Goede <hdegoede(a)redhat.com> Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> arm: dts: imx[35]*: declare flexcan devices to be compatible to imx25's flexcan Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> cpufreq: schedutil: Avoid using invalid next_freq Rafael J. Wysocki <rafael.j.wysocki(a)intel.com> PCI / PM: Check device_may_wakeup() in pci_enable_wake() Kai Heng Feng <kai.heng.feng(a)canonical.com> PCI / PM: Always check PME wakeup capability for runtime wakeup support Gustavo A. R. Silva <gustavo(a)embeddedor.com> atm: zatm: Fix potential Spectre v1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> net: atm: Fix potential Spectre v1 Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() Ville Syrjälä <ville.syrjala(a)linux.intel.com> drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() Ben Skeggs <bskeggs(a)redhat.com> drm/nouveau/ttm: don't dereference nvbo::cli, it can outlive client Lyude Paul <lyude(a)redhat.com> drm/nouveau: Fix deadlock in nv50_mstm_register_connector() Rodrigo Vivi <rodrigo.vivi(a)intel.com> drm/i915: Adjust eDP's logical vco in a reliable place. Florent Flament <contact(a)florentflament.com> drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Michel Dänzer <michel.daenzer(a)amd.com> drm/ttm: Use GFP_TRANSHUGE_LIGHT for allocating huge pages Boris Brezillon <boris.brezillon(a)bootlin.com> drm/vc4: Fix scaling of uni-planar formats Boris Brezillon <boris.brezillon(a)bootlin.com> mtd: rawnand: Make sure we wait tWB before polling the STATUS reg Miquel Raynal <miquel.raynal(a)bootlin.com> mtd: rawnand: marvell: fix command xtype in BCH write hook Chris Packham <chris.packham(a)alliedtelesis.co.nz> mtd: rawnand: marvell: pass ms delay to wait_op Lukas Wunner <lukas(a)wunner.de> can: hi311x: Work around TX complete interrupt erratum Lukas Wunner <lukas(a)wunner.de> can: hi311x: Acquire SPI lock on ->do_get_berr_counter Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> can: flexcan: fix endianess detection Ilya Dryomov <idryomov(a)gmail.com> ceph: fix rsize/wsize capping in ceph_direct_read_write() David Rientjes <rientjes(a)google.com> mm, oom: fix concurrent munlock and oom reaper unmap, v3 Pavel Tatashin <pasha.tatashin(a)oracle.com> mm: sections are not offlined during memory hotremove Vitaly Wool <vitalywool(a)gmail.com> z3fold: fix reclaim lock-ups Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Mikulas Patocka <mpatocka(a)redhat.com> dm integrity: use kvfree for kvmalloc'd memory Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> gpio: fix error path in lineevent_create Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com> gpio: fix aspeed_gpio unmask irq Timur Tabi <timur(a)codeaurora.org> gpioib: do not free unrequested descriptors Jann Horn <jannh(a)google.com> compat: fix 4-byte infoleak via uninitialized struct field Jan Kara <jack(a)suse.cz> bdi: Fix oops in wb_workfn() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bdi: Fix use after free bug in debugfs_remove() Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> bdi: wake up concurrent wb_shutdown() callers. Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Alexander Popov <alex.popov(a)linux.com> i2c: dev: prevent ZERO_SIZE_PTR deref in i2cdev_ioctl_rdwr() Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Michal Hocko <mhocko(a)suse.com> memcg: fix per_node_info cleanup Yonghong Song <yhs(a)fb.com> bpf/tracing: fix a deadlock in perf_event_detach_bpf_prog Eric Dumazet <edumazet(a)google.com> inetpeer: fix uninit-value in inet_getpeer Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> ipv4: fix uninit-value in ip_route_output_key_hash_rcu() Eric Dumazet <edumazet(a)google.com> dccp: initialize ireq->ir_mark Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Eric Dumazet <edumazet(a)google.com> crypto: af_alg - fix possible uninit-value in alg_bind() Sowmini Varadhan <sowmini.varadhan(a)oracle.com> rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock Tom Herbert <tom(a)quantonium.net> kcm: Call strp_stop before strp_done in kcm_attach Tero Kristo <t-kristo(a)ti.com> clk: ti: fix flag space conflict with clkctrl clocks Florian Westphal <fw(a)strlen.de> netfilter: ebtables: don't attempt to allocate 0-sized compat array Julian Anastasov <ja(a)ssi.bg> ipvs: fix rtnl_lock lockups caused by start_sync_thread ------------- Diffstat: Makefile | 4 +- arch/arm/boot/dts/imx35.dtsi | 4 +- arch/arm/boot/dts/imx53.dtsi | 4 +- arch/x86/events/core.c | 8 +- arch/x86/events/intel/cstate.c | 2 + arch/x86/events/msr.c | 9 +- crypto/af_alg.c | 8 +- drivers/ata/libata-core.c | 3 + drivers/atm/zatm.c | 3 + drivers/bluetooth/btusb.c | 19 +++- drivers/clk/ti/clock.h | 9 +- drivers/gpio/gpio-aspeed.c | 2 +- drivers/gpio/gpiolib.c | 7 +- drivers/gpu/drm/drm_atomic.c | 8 ++ drivers/gpu/drm/i915/intel_cdclk.c | 41 +++++++- drivers/gpu/drm/i915/intel_dp.c | 20 ---- drivers/gpu/drm/i915/intel_lvds.c | 3 +- drivers/gpu/drm/nouveau/nouveau_bo.c | 1 - drivers/gpu/drm/nouveau/nouveau_bo.h | 2 - drivers/gpu/drm/nouveau/nouveau_ttm.c | 6 +- drivers/gpu/drm/nouveau/nv50_display.c | 7 +- drivers/gpu/drm/ttm/ttm_page_alloc.c | 11 ++- drivers/gpu/drm/ttm/ttm_page_alloc_dma.c | 3 +- drivers/gpu/drm/vc4/vc4_plane.c | 2 +- drivers/i2c/i2c-dev.c | 2 +- drivers/md/dm-integrity.c | 2 +- drivers/mtd/nand/marvell_nand.c | 12 ++- drivers/mtd/nand/nand_base.c | 5 + drivers/net/can/flexcan.c | 26 +++--- drivers/net/can/spi/hi311x.c | 11 ++- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/nvme/host/core.c | 3 +- drivers/nvme/host/nvme.h | 5 + drivers/nvme/host/pci.c | 12 ++- drivers/pci/pci.c | 37 ++++++-- drivers/thermal/samsung/exynos_tmu.c | 14 ++- fs/ceph/file.c | 10 +- fs/cifs/cifsfs.c | 13 +++ fs/fs-writeback.c | 2 +- include/linux/bpf.h | 4 +- include/linux/oom.h | 2 + include/linux/wait_bit.h | 17 ++++ include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- kernel/bpf/core.c | 45 +++++---- kernel/compat.c | 1 + kernel/events/callchain.c | 10 +- kernel/events/ring_buffer.c | 7 +- kernel/sched/autogroup.c | 7 +- kernel/sched/core.c | 7 +- kernel/sched/cpufreq_schedutil.c | 3 +- kernel/trace/bpf_trace.c | 25 ++++- kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + lib/swiotlb.c | 2 +- mm/backing-dev.c | 3 +- mm/memcontrol.c | 3 + mm/mmap.c | 44 +++++---- mm/oom_kill.c | 81 ++++++++-------- mm/sparse.c | 2 +- mm/z3fold.c | 42 ++++++--- net/atm/lec.c | 9 +- net/bridge/netfilter/ebtables.c | 11 ++- net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 + net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/inetpeer.c | 1 + net/ipv4/route.c | 11 ++- net/ipv4/tcp.c | 2 +- net/kcm/kcmsock.c | 1 + net/netfilter/ipvs/ip_vs_ctl.c | 8 -- net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++--------------- net/netlink/af_netlink.c | 2 + net/rds/tcp.c | 17 ++-- net/rfkill/rfkill-gpio.c | 7 +- 77 files changed, 563 insertions(+), 324 deletions(-)

7 years, 4 months

6
73
0 0

[PATCH 4.9 00/36] 4.9.100-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.100 release. There are 36 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:47:47 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.100-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.100-rc1 Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] Peter Zijlstra <peterz(a)infradead.org> perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver Peter Zijlstra <peterz(a)infradead.org> perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr Peter Zijlstra <peterz(a)infradead.org> perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Propagate error value from tmu_read() Marek Szyprowski <m.szyprowski(a)samsung.com> thermal: exynos: Reading temperature makes sense only when TMU is turned on Hans de Goede <hdegoede(a)redhat.com> Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Gustavo A. R. Silva <gustavo(a)embeddedor.com> atm: zatm: Fix potential Spectre v1 Gustavo A. R. Silva <gustavo(a)embeddedor.com> net: atm: Fix potential Spectre v1 Florent Flament <contact(a)florentflament.com> drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log Boris Brezillon <boris.brezillon(a)bootlin.com> drm/vc4: Fix scaling of uni-planar formats Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Uwe Kleine-König <u.kleine-koenig(a)pengutronix.de> gpio: fix error path in lineevent_create Govert Overgaauw <govert.overgaauw(a)prodrive-technologies.com> gpio: fix aspeed_gpio unmask irq Timur Tabi <timur(a)codeaurora.org> gpioib: do not free unrequested descriptors Suzuki K Poulose <suzuki.poulose(a)arm.com> arm64: Add work around for Arm Cortex-A55 Erratum 1024718 Wei Fang <fangwei1(a)huawei.com> f2fs: fix a dead loop in f2fs_fiemap() Paul Mackerras <paulus(a)ozlabs.org> KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry Jan Kara <jack(a)suse.cz> bdi: Fix oops in wb_workfn() Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> dccp: initialize ireq->ir_mark Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Eric Dumazet <edumazet(a)google.com> crypto: af_alg - fix possible uninit-value in alg_bind() Tom Herbert <tom(a)quantonium.net> kcm: Call strp_stop before strp_done in kcm_attach Sagi Grimberg <sagi(a)grimberg.me> IB/device: Convert ib-comp-wq to be CPU-bound Julian Anastasov <ja(a)ssi.bg> ipvs: fix rtnl_lock lockups caused by start_sync_thread ------------- Diffstat: Documentation/arm64/silicon-errata.txt | 1 + Makefile | 4 +- arch/arm64/Kconfig | 14 +++ arch/arm64/include/asm/assembler.h | 40 +++++++++ arch/arm64/include/asm/cputype.h | 5 ++ arch/arm64/mm/proc.S | 5 ++ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +- arch/x86/events/core.c | 8 +- arch/x86/events/intel/cstate.c | 2 + arch/x86/events/msr.c | 9 +- crypto/af_alg.c | 8 +- drivers/ata/libata-core.c | 3 + drivers/atm/zatm.c | 3 + drivers/bluetooth/btusb.c | 2 +- drivers/gpio/gpio-aspeed.c | 2 +- drivers/gpio/gpiolib.c | 7 +- drivers/gpu/drm/i915/intel_lvds.c | 3 +- drivers/gpu/drm/vc4/vc4_plane.c | 2 +- drivers/infiniband/core/device.c | 3 +- drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/thermal/samsung/exynos_tmu.c | 14 ++- fs/f2fs/data.c | 2 +- fs/fs-writeback.c | 2 +- include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- kernel/events/callchain.c | 10 +-- kernel/events/ring_buffer.c | 7 +- kernel/trace/trace_events_filter.c | 3 + kernel/trace/trace_uprobe.c | 2 + net/atm/lec.c | 9 +- net/core/dev_addr_lists.c | 4 +- net/core/skbuff.c | 1 + net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/tcp.c | 2 +- net/kcm/kcmsock.c | 1 + net/netfilter/ipvs/ip_vs_ctl.c | 8 -- net/netfilter/ipvs/ip_vs_sync.c | 155 ++++++++++++++++---------------- net/netlink/af_netlink.c | 2 + net/rfkill/rfkill-gpio.c | 7 +- 41 files changed, 238 insertions(+), 128 deletions(-)

7 years, 4 months

4
36
0 0

[PATCH 1/2] MIPS: memset.S: EVA & fault support for small_memset

by Matt Redfearn

The MIPS kernel memset / bzero implementation includes a small_memset branch which is used when the region to be set is smaller than a long (4 bytes on 32bit, 8 bytes on 64bit). The current small_memset implementation uses a simple store byte loop to write the destination. There are 2 issues with this implementation: 1. When EVA mode is active, user and kernel address spaces may overlap. Currently the use of the sb instruction means kernel mode addressing is always used and an intended write to userspace may actually overwrite some critical kernel data. 2. If the write triggers a page fault, for example by calling __clear_user(NULL, 2), instead of gracefully handling the fault, an OOPS is triggered. Fix these issues by replacing the sb instruction with the EX() macro, which will emit EVA compatible instuctions as required. Additionally implement a fault fixup for small_memset which sets a2 to the number of bytes that could not be cleared (as defined by __clear_user). Reported-by: Chuanhua Lei <chuanhua.lei(a)intel.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable(a)vger.kernel.org Signed-off-by: Matt Redfearn <matt.redfearn(a)mips.com> --- arch/mips/lib/memset.S | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/arch/mips/lib/memset.S b/arch/mips/lib/memset.S index a1456664d6c2..90bcdf1224ee 100644 --- a/arch/mips/lib/memset.S +++ b/arch/mips/lib/memset.S @@ -219,7 +219,7 @@ 1: PTR_ADDIU a0, 1 /* fill bytewise */ R10KCBARRIER(0(ra)) bne t1, a0, 1b - sb a1, -1(a0) + EX(sb, a1, -1(a0), .Lsmall_fixup\@) 2: jr ra /* done */ move a2, zero @@ -260,6 +260,11 @@ jr ra andi v1, a2, STORMASK +.Lsmall_fixup\@: + PTR_SUBU a2, t1, a0 + jr ra + PTR_ADDIU a2, 1 + .endm /* -- 2.7.4

7 years, 4 months

3
3
0 0

[PATCH] MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs

by Maciej W. Rozycki

Check the TIF_32BIT_FPREGS task setting of the tracee rather than the tracer in determining the layout of floating-point general registers in the floating-point context, correcting access to odd-numbered registers for o32 tracees where the setting disagrees between the two processes. Cc: stable(a)vger.kernel.org # 3.14+ Fixes: 597ce1723e0f ("MIPS: Support for 64-bit FP with O32 binaries") Signed-off-by: Maciej W. Rozycki <macro(a)mips.com> --- Hi, These are not the usual requests used by GDB to access the floating-point context, which is likely why it went unnoticed so long. They are only used as a fallback in the case where PTRACE_GETFPREGS and PTRACE_SETFPREGS requests are not supported, i.e. with ancient kernels. However to verify an unrelated GDB bug fix I have tweaked GDB to always use PTRACE_PEEKUSR and PTRACE_POKEUSR, and then discovered this issue in native GDB regression testing, as it showed regressions from corrupt FGR contents across numerous tests compared to the usual results. This fix removed those regressions then. Not being typically used does not mean we ought to keep the interface broken. Therefore please apply. Maciej --- arch/mips/kernel/ptrace.c | 4 ++-- arch/mips/kernel/ptrace32.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) linux-mips-ptrace-test-thread-flag.diff Index: linux/arch/mips/kernel/ptrace.c =================================================================== --- linux.orig/arch/mips/kernel/ptrace.c 2018-05-12 22:52:19.000000000 +0100 +++ linux/arch/mips/kernel/ptrace.c 2018-05-12 22:56:07.893993000 +0100 @@ -1059,7 +1059,7 @@ long arch_ptrace(struct task_struct *chi fregs = get_fpu_regs(child); #ifdef CONFIG_32BIT - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even @@ -1154,7 +1154,7 @@ long arch_ptrace(struct task_struct *chi init_fp_ctx(child); #ifdef CONFIG_32BIT - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even Index: linux-mipsswbrd038/arch/mips/kernel/ptrace32.c =================================================================== --- linux-mipsswbrd038.orig/arch/mips/kernel/ptrace32.c 2018-05-12 22:52:19.000000000 +0100 +++ linux-mipsswbrd038/arch/mips/kernel/ptrace32.c 2018-05-12 22:55:20.906637000 +0100 @@ -99,7 +99,7 @@ long compat_arch_ptrace(struct task_stru break; } fregs = get_fpu_regs(child); - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even @@ -212,7 +212,7 @@ long compat_arch_ptrace(struct task_stru sizeof(child->thread.fpu)); child->thread.fpu.fcr31 = 0; } - if (test_thread_flag(TIF_32BIT_FPREGS)) { + if (test_tsk_thread_flag(child, TIF_32BIT_FPREGS)) { /* * The odd registers are actually the high * order bits of the values stored in the even

7 years, 4 months

2
1
0 0

[PATCH 3.18 00/23] 3.18.109-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 3.18.109 release. There are 23 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Wed May 16 06:46:49 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.109-r… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 3.18.109-rc1 Masami Hiramatsu <mhiramat(a)kernel.org> tracing/uprobe_event: Fix strncpy corner case Jimmy Assarsson <extja(a)kvaser.com> can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() Steven Rostedt (VMware) <rostedt(a)goodmis.org> tracing: Fix regex_match_front() to not over compare the test string Hans de Goede <hdegoede(a)redhat.com> libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs Johan Hovold <johan(a)kernel.org> rfkill: gpio: fix memory leak in probe error path Eric Dumazet <edumazet(a)google.com> tcp: fix TCP_REPAIR_QUEUE bound checking Jiri Olsa <jolsa(a)kernel.org> perf: Remove superfluous allocation error check Eric Dumazet <edumazet(a)google.com> soreuseport: initialise timewait reuseport field Eric Dumazet <edumazet(a)google.com> net: fix uninit-value in __hw_addr_add_ex() Eric Dumazet <edumazet(a)google.com> net: initialize skb->peeked when cloning Eric Dumazet <edumazet(a)google.com> net: fix rtnh_ok() Eric Dumazet <edumazet(a)google.com> netlink: fix uninit-value in netlink_sendmsg Bin Liu <b-liu(a)ti.com> usb: musb: host: fix potential NULL pointer dereference Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> USB: serial: visor: handle potential invalid device configuration SZ Lin (林上智) <sz.lin(a)moxa.com> NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 Leon Romanovsky <leonro(a)mellanox.com> RDMA/mlx5: Protect from shift operand overflow Takashi Iwai <tiwai(a)suse.de> ALSA: aloop: Add missing cable lock to ctl API callbacks Robert Rosengren <robert.rosengren(a)axis.com> ALSA: aloop: Mark paused device as inactive Takashi Iwai <tiwai(a)suse.de> ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() Takashi Iwai <tiwai(a)suse.de> ALSA: pcm: Check PCM state at xfern compat ioctl Murilo Opsfelder Araujo <muriloo(a)linux.ibm.com> perf session: Fix undeclared 'oe' Tan Xiaojun <tanxiaojun(a)huawei.com> perf/core: Fix the perf_cpu_time_max_percent check Tejun Heo <tj(a)kernel.org> percpu: include linux/sched.h for cond_resched() ------------- Diffstat: Makefile | 4 +-- drivers/ata/libata-core.c | 3 ++ drivers/infiniband/hw/mlx5/qp.c | 4 +++ drivers/net/can/usb/kvaser_usb.c | 2 +- drivers/net/usb/qmi_wwan.c | 1 + drivers/usb/musb/musb_host.c | 4 ++- drivers/usb/serial/visor.c | 69 +++++++++++++++++++------------------- include/net/inet_timewait_sock.h | 1 + include/net/nexthop.h | 2 +- kernel/events/callchain.c | 10 ++---- kernel/events/core.c | 2 +- kernel/trace/trace_events_filter.c | 3 ++ kernel/trace/trace_uprobe.c | 2 ++ mm/percpu.c | 1 + net/core/dev_addr_lists.c | 4 +-- net/core/skbuff.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/ipv4/tcp.c | 2 +- net/netlink/af_netlink.c | 2 ++ net/rfkill/rfkill-gpio.c | 7 +++- sound/core/pcm_compat.c | 2 ++ sound/core/seq/seq_virmidi.c | 4 +-- sound/drivers/aloop.c | 29 +++++++++++++--- tools/perf/util/session.c | 1 + 24 files changed, 102 insertions(+), 59 deletions(-)

7 years, 4 months

5
26
0 0

[PATCH] tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}

by Steven Rostedt

From: "Steven Rostedt (VMware)" <rostedt(a)goodmis.org> Doing an audit of trace events, I discovered two trace events in the xen subsystem that use a hack to create zero data size trace events. This is not what trace events are for. Trace events add memory footprint overhead, and if all you need to do is see if a function is hit or not, simply make that function noinline and use function tracer filtering. Worse yet, the hack used was: __array(char, x, 0) Which creates a static string of zero in length. There's assumptions about such constructs in ftrace that this is a dynamic string that is nul terminated. This is not the case with these tracepoints and can cause problems in various parts of ftrace. Nuke the trace events! Cc: stable(a)vger.kernel.org Fixes: 95a7d76897c1e ("xen/mmu: Use Xen specific TLB flush instead of the generic one.") Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> --- arch/x86/xen/mmu.c | 4 +--- arch/x86/xen/mmu_pv.c | 4 +--- include/trace/events/xen.h | 16 ---------------- 3 files changed, 2 insertions(+), 22 deletions(-) diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c index d33e7dbe3129..2d76106788a3 100644 --- a/arch/x86/xen/mmu.c +++ b/arch/x86/xen/mmu.c @@ -42,13 +42,11 @@ xmaddr_t arbitrary_virt_to_machine(void *vaddr) } EXPORT_SYMBOL_GPL(arbitrary_virt_to_machine); -static void xen_flush_tlb_all(void) +static noinline void xen_flush_tlb_all(void) { struct mmuext_op *op; struct multicall_space mcs; - trace_xen_mmu_flush_tlb_all(0); - preempt_disable(); mcs = xen_mc_entry(sizeof(*op)); diff --git a/arch/x86/xen/mmu_pv.c b/arch/x86/xen/mmu_pv.c index 486c0a34d00b..2c30cabfda90 100644 --- a/arch/x86/xen/mmu_pv.c +++ b/arch/x86/xen/mmu_pv.c @@ -1310,13 +1310,11 @@ unsigned long xen_read_cr2_direct(void) return this_cpu_read(xen_vcpu_info.arch.cr2); } -static void xen_flush_tlb(void) +static noinline void xen_flush_tlb(void) { struct mmuext_op *op; struct multicall_space mcs; - trace_xen_mmu_flush_tlb(0); - preempt_disable(); mcs = xen_mc_entry(sizeof(*op)); diff --git a/include/trace/events/xen.h b/include/trace/events/xen.h index 7dd8f34c37df..fdcf88bcf0ea 100644 --- a/include/trace/events/xen.h +++ b/include/trace/events/xen.h @@ -352,22 +352,6 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd, DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin); DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin); -TRACE_EVENT(xen_mmu_flush_tlb_all, - TP_PROTO(int x), - TP_ARGS(x), - TP_STRUCT__entry(__array(char, x, 0)), - TP_fast_assign((void)x), - TP_printk("%s", "") - ); - -TRACE_EVENT(xen_mmu_flush_tlb, - TP_PROTO(int x), - TP_ARGS(x), - TP_STRUCT__entry(__array(char, x, 0)), - TP_fast_assign((void)x), - TP_printk("%s", "") - ); - TRACE_EVENT(xen_mmu_flush_tlb_one_user, TP_PROTO(unsigned long addr), TP_ARGS(addr), -- 2.13.6

7 years, 4 months

2
4
0 0

[merged] mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, oom: fix concurrent munlock and oom reaper unmap, v3 has been removed from the -mm tree. Its filename was mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: David Rientjes <rientjes(a)google.com> Subject: mm, oom: fix concurrent munlock and oom reaper unmap, v3 Since exit_mmap() is done without the protection of mm->mmap_sem, it is possible for the oom reaper to concurrently operate on an mm until MMF_OOM_SKIP is set. This allows munlock_vma_pages_all() to concurrently run while the oom reaper is operating on a vma. Since munlock_vma_pages_range() depends on clearing VM_LOCKED from vm_flags before actually doing the munlock to determine if any other vmas are locking the same memory, the check for VM_LOCKED in the oom reaper is racy. This is especially noticeable on architectures such as powerpc where clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd is zapped by the oom reaper during follow_page_mask() after the check for pmd_none() is bypassed, this ends up deferencing a NULL ptl or a kernel oops. Fix this by manually freeing all possible memory from the mm before doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not run on the mm anymore so the munlock is safe to do in exit_mmap(). It also matches the logic that the oom reaper currently uses for determining when to set MMF_OOM_SKIP itself, so there's no new risk of excessive oom killing. This issue fixes CVE-2018-1000200. Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1804241526320.238665@chino.kir.cor… Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Signed-off-by: David Rientjes <rientjes(a)google.com> Suggested-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> [4.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/oom.h | 2 + mm/mmap.c | 44 +++++++++++++--------- mm/oom_kill.c | 81 ++++++++++++++++++++++-------------------- 3 files changed, 71 insertions(+), 56 deletions(-) diff -puN include/linux/oom.h~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap include/linux/oom.h --- a/include/linux/oom.h~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/include/linux/oom.h @@ -95,6 +95,8 @@ static inline int check_stable_address_s return 0; } +void __oom_reap_task_mm(struct mm_struct *mm); + extern unsigned long oom_badness(struct task_struct *p, struct mem_cgroup *memcg, const nodemask_t *nodemask, unsigned long totalpages); diff -puN mm/mmap.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap mm/mmap.c --- a/mm/mmap.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/mm/mmap.c @@ -3024,6 +3024,32 @@ void exit_mmap(struct mm_struct *mm) /* mm's last user has gone, and its about to be pulled down */ mmu_notifier_release(mm); + if (unlikely(mm_is_oom_victim(mm))) { + /* + * Manually reap the mm to free as much memory as possible. + * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard + * this mm from further consideration. Taking mm->mmap_sem for + * write after setting MMF_OOM_SKIP will guarantee that the oom + * reaper will not run on this mm again after mmap_sem is + * dropped. + * + * Nothing can be holding mm->mmap_sem here and the above call + * to mmu_notifier_release(mm) ensures mmu notifier callbacks in + * __oom_reap_task_mm() will not block. + * + * This needs to be done before calling munlock_vma_pages_all(), + * which clears VM_LOCKED, otherwise the oom reaper cannot + * reliably test it. + */ + mutex_lock(&oom_lock); + __oom_reap_task_mm(mm); + mutex_unlock(&oom_lock); + + set_bit(MMF_OOM_SKIP, &mm->flags); + down_write(&mm->mmap_sem); + up_write(&mm->mmap_sem); + } + if (mm->locked_vm) { vma = mm->mmap; while (vma) { @@ -3045,24 +3071,6 @@ void exit_mmap(struct mm_struct *mm) /* update_hiwater_rss(mm) here? but nobody should be looking */ /* Use -1 here to ensure all VMAs in the mm are unmapped */ unmap_vmas(&tlb, vma, 0, -1); - - if (unlikely(mm_is_oom_victim(mm))) { - /* - * Wait for oom_reap_task() to stop working on this - * mm. Because MMF_OOM_SKIP is already set before - * calling down_read(), oom_reap_task() will not run - * on this "mm" post up_write(). - * - * mm_is_oom_victim() cannot be set from under us - * either because victim->mm is already set to NULL - * under task_lock before calling mmput and oom_mm is - * set not NULL by the OOM killer only if victim->mm - * is found not NULL while holding the task_lock. - */ - set_bit(MMF_OOM_SKIP, &mm->flags); - down_write(&mm->mmap_sem); - up_write(&mm->mmap_sem); - } free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING); tlb_finish_mmu(&tlb, 0, -1); diff -puN mm/oom_kill.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap mm/oom_kill.c --- a/mm/oom_kill.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/mm/oom_kill.c @@ -469,7 +469,6 @@ bool process_shares_mm(struct task_struc return false; } - #ifdef CONFIG_MMU /* * OOM Reaper kernel thread which tries to reap the memory used by the OOM @@ -480,16 +479,54 @@ static DECLARE_WAIT_QUEUE_HEAD(oom_reape static struct task_struct *oom_reaper_list; static DEFINE_SPINLOCK(oom_reaper_lock); -static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) +void __oom_reap_task_mm(struct mm_struct *mm) { - struct mmu_gather tlb; struct vm_area_struct *vma; + + /* + * Tell all users of get_user/copy_from_user etc... that the content + * is no longer stable. No barriers really needed because unmapping + * should imply barriers already and the reader would hit a page fault + * if it stumbled over a reaped memory. + */ + set_bit(MMF_UNSTABLE, &mm->flags); + + for (vma = mm->mmap ; vma; vma = vma->vm_next) { + if (!can_madv_dontneed_vma(vma)) + continue; + + /* + * Only anonymous pages have a good chance to be dropped + * without additional steps which we cannot afford as we + * are OOM already. + * + * We do not even care about fs backed pages because all + * which are reclaimable have already been reclaimed and + * we do not want to block exit_mmap by keeping mm ref + * count elevated without a good reason. + */ + if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { + const unsigned long start = vma->vm_start; + const unsigned long end = vma->vm_end; + struct mmu_gather tlb; + + tlb_gather_mmu(&tlb, mm, start, end); + mmu_notifier_invalidate_range_start(mm, start, end); + unmap_page_range(&tlb, vma, start, end, NULL); + mmu_notifier_invalidate_range_end(mm, start, end); + tlb_finish_mmu(&tlb, start, end); + } + } +} + +static bool oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) +{ bool ret = true; /* * We have to make sure to not race with the victim exit path * and cause premature new oom victim selection: - * __oom_reap_task_mm exit_mm + * oom_reap_task_mm exit_mm * mmget_not_zero * mmput * atomic_dec_and_test @@ -534,39 +571,8 @@ static bool __oom_reap_task_mm(struct ta trace_start_task_reaping(tsk->pid); - /* - * Tell all users of get_user/copy_from_user etc... that the content - * is no longer stable. No barriers really needed because unmapping - * should imply barriers already and the reader would hit a page fault - * if it stumbled over a reaped memory. - */ - set_bit(MMF_UNSTABLE, &mm->flags); - - for (vma = mm->mmap ; vma; vma = vma->vm_next) { - if (!can_madv_dontneed_vma(vma)) - continue; + __oom_reap_task_mm(mm); - /* - * Only anonymous pages have a good chance to be dropped - * without additional steps which we cannot afford as we - * are OOM already. - * - * We do not even care about fs backed pages because all - * which are reclaimable have already been reclaimed and - * we do not want to block exit_mmap by keeping mm ref - * count elevated without a good reason. - */ - if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { - const unsigned long start = vma->vm_start; - const unsigned long end = vma->vm_end; - - tlb_gather_mmu(&tlb, mm, start, end); - mmu_notifier_invalidate_range_start(mm, start, end); - unmap_page_range(&tlb, vma, start, end, NULL); - mmu_notifier_invalidate_range_end(mm, start, end); - tlb_finish_mmu(&tlb, start, end); - } - } pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n", task_pid_nr(tsk), tsk->comm, K(get_mm_counter(mm, MM_ANONPAGES)), @@ -587,14 +593,13 @@ static void oom_reap_task(struct task_st struct mm_struct *mm = tsk->signal->oom_mm; /* Retry the down_read_trylock(mmap_sem) a few times */ - while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) + while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm)) schedule_timeout_idle(HZ/10); if (attempts <= MAX_OOM_REAP_RETRIES || test_bit(MMF_OOM_SKIP, &mm->flags)) goto done; - pr_info("oom_reaper: unable to reap pid:%d (%s)\n", task_pid_nr(tsk), tsk->comm); debug_show_all_locks(); _ Patches currently in -mm which might be from rientjes(a)google.com are

7 years, 4 months

1
0
0 0

[merged] mm-sections-are-not-offlined-during-memory-hotremove.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm: sections are not offlined during memory hotremove has been removed from the -mm tree. Its filename was mm-sections-are-not-offlined-during-memory-hotremove.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Pavel Tatashin <pasha.tatashin(a)oracle.com> Subject: mm: sections are not offlined during memory hotremove Memory hotplug and hotremove operate with per-block granularity. If the machine has a large amount of memory (more than 64G), the size of a memory block can span multiple sections. By mistake, during hotremove we set only the first section to offline state. The bug was discovered because kernel selftest started to fail: https://lkml.kernel.org/r/20180423011247.GK5563@yexl-desktop After commit, "mm/memory_hotplug: optimize probe routine". But, the bug is older than this commit. In this optimization we also added a check for sections to be in a proper state during hotplug operation. Link: http://lkml.kernel.org/r/20180427145257.15222-1-pasha.tatashin@oracle.com Fixes: 2d070eab2e82 ("mm: consider zone which is not fully populated to have holes") Signed-off-by: Pavel Tatashin <pasha.tatashin(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Steven Sistare <steven.sistare(a)oracle.com> Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com> Cc: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/sparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN mm/sparse.c~mm-sections-are-not-offlined-during-memory-hotremove mm/sparse.c --- a/mm/sparse.c~mm-sections-are-not-offlined-during-memory-hotremove +++ a/mm/sparse.c @@ -629,7 +629,7 @@ void offline_mem_sections(unsigned long unsigned long pfn; for (pfn = start_pfn; pfn < end_pfn; pfn += PAGES_PER_SECTION) { - unsigned long section_nr = pfn_to_section_nr(start_pfn); + unsigned long section_nr = pfn_to_section_nr(pfn); struct mem_section *ms; /* _ Patches currently in -mm which might be from pasha.tatashin(a)oracle.com are mm-allow-deferred-page-init-for-vmemmap-only.patch sparc64-ng4-memset-32-bits-overflow.patch

7 years, 4 months

1
0
0 0

[merged] z3fold-fix-reclaim-lock-ups.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: z3fold: fix reclaim lock-ups has been removed from the -mm tree. Its filename was z3fold-fix-reclaim-lock-ups.patch This patch was dropped because it was merged into mainline or a subsystem tree ------------------------------------------------------ From: Vitaly Wool <vitalywool(a)gmail.com> Subject: z3fold: fix reclaim lock-ups Do not try to optimize in-page object layout while the page is under reclaim. This fixes lock-ups on reclaim and improves reclaim performance at the same time. [akpm(a)linux-foundation.org: coding-style fixes] Link: http://lkml.kernel.org/r/20180430125800.444cae9706489f412ad12621@gmail.com Signed-off-by: Vitaly Wool <vitaly.vul(a)sony.com> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Cc: <Oleksiy.Avramchenko(a)sony.com> Cc: Matthew Wilcox <mawilcox(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/z3fold.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff -puN mm/z3fold.c~z3fold-fix-reclaim-lock-ups mm/z3fold.c --- a/mm/z3fold.c~z3fold-fix-reclaim-lock-ups +++ a/mm/z3fold.c @@ -144,7 +144,8 @@ enum z3fold_page_flags { PAGE_HEADLESS = 0, MIDDLE_CHUNK_MAPPED, NEEDS_COMPACTING, - PAGE_STALE + PAGE_STALE, + UNDER_RECLAIM }; /***************** @@ -173,6 +174,7 @@ static struct z3fold_header *init_z3fold clear_bit(MIDDLE_CHUNK_MAPPED, &page->private); clear_bit(NEEDS_COMPACTING, &page->private); clear_bit(PAGE_STALE, &page->private); + clear_bit(UNDER_RECLAIM, &page->private); spin_lock_init(&zhdr->page_lock); kref_init(&zhdr->refcount); @@ -756,6 +758,10 @@ static void z3fold_free(struct z3fold_po atomic64_dec(&pool->pages_nr); return; } + if (test_bit(UNDER_RECLAIM, &page->private)) { + z3fold_page_unlock(zhdr); + return; + } if (test_and_set_bit(NEEDS_COMPACTING, &page->private)) { z3fold_page_unlock(zhdr); return; @@ -840,6 +846,8 @@ static int z3fold_reclaim_page(struct z3 kref_get(&zhdr->refcount); list_del_init(&zhdr->buddy); zhdr->cpu = -1; + set_bit(UNDER_RECLAIM, &page->private); + break; } list_del_init(&page->lru); @@ -887,25 +895,35 @@ static int z3fold_reclaim_page(struct z3 goto next; } next: - spin_lock(&pool->lock); if (test_bit(PAGE_HEADLESS, &page->private)) { if (ret == 0) { - spin_unlock(&pool->lock); free_z3fold_page(page); return 0; } - } else if (kref_put(&zhdr->refcount, release_z3fold_page)) { - atomic64_dec(&pool->pages_nr); + spin_lock(&pool->lock); + list_add(&page->lru, &pool->lru); + spin_unlock(&pool->lock); + } else { + z3fold_page_lock(zhdr); + clear_bit(UNDER_RECLAIM, &page->private); + if (kref_put(&zhdr->refcount, + release_z3fold_page_locked)) { + atomic64_dec(&pool->pages_nr); + return 0; + } + /* + * if we are here, the page is still not completely + * free. Take the global pool lock then to be able + * to add it back to the lru list + */ + spin_lock(&pool->lock); + list_add(&page->lru, &pool->lru); spin_unlock(&pool->lock); - return 0; + z3fold_page_unlock(zhdr); } - /* - * Add to the beginning of LRU. - * Pool lock has to be kept here to ensure the page has - * not already been released - */ - list_add(&page->lru, &pool->lru); + /* We started off locked to we need to lock the pool back */ + spin_lock(&pool->lock); } spin_unlock(&pool->lock); return -EAGAIN; _ Patches currently in -mm which might be from vitalywool(a)gmail.com are

7 years, 4 months

1
0
0 0

patch "serial: 8250: omap: Fix idling of clocks for unused uarts" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled serial: 8250: omap: Fix idling of clocks for unused uarts to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba Mon Sep 17 00:00:00 2001 From: Tony Lindgren <tony(a)atomide.com> Date: Fri, 4 May 2018 10:44:09 -0700 Subject: serial: 8250: omap: Fix idling of clocks for unused uarts I noticed that unused UARTs won't necessarily idle properly always unless at least one byte tx transfer is done first. After some debugging I narrowed down the problem to the scr register dma configuration bits that need to be set before softreset for the clocks to idle. Unless we do this, the module clkctrl idlest bits may be set to 1 instead of 3 meaning the clock will never idle and is blocking deeper idle states for the whole domain. This might be related to the configuration done by the bootloader or kexec booting where certain configurations cause the 8250 or the clkctrl clock to jam in a way where setting of the scr bits and reset is needed to clear it. I've tried diffing the 8250 registers for the various modes, but did not see anything specific. So far I've only seen this on omap4 but I'm suspecting this might also happen on the other clkctrl using SoCs considering they already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE. Let's fix the issue by configuring scr before reset for basic dma even if we don't use it. The scr register will be reset when we do softreset few lines after, and we restore scr on resume. We should do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag set since the ones with UART_ERRATA_CLOCK_DISABLE are all based using clkctrl similar to omap4. Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL bits are needed for the clkctrl to idle after a softreset. And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE for the related workaround to be enabled. This same compatible value will also be used for omap5. Fixes: cdb929e4452a ("serial: 8250_omap: workaround errata around idling UART after using DMA") Cc: Keerthy <j-keerthy(a)ti.com> Cc: Matthijs van Duin <matthijsvanduin(a)gmail.com> Cc: Sekhar Nori <nsekhar(a)ti.com> Cc: Tero Kristo <t-kristo(a)ti.com> Signed-off-by: Tony Lindgren <tony(a)atomide.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/8250/8250_omap.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index 6aaa84355fd1..1b337fee07ed 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -1110,13 +1110,14 @@ static int omap8250_no_handle_irq(struct uart_port *port) return 0; } +static const u8 omap4_habit = UART_ERRATA_CLOCK_DISABLE; static const u8 am3352_habit = OMAP_DMA_TX_KICK | UART_ERRATA_CLOCK_DISABLE; static const u8 dra742_habit = UART_ERRATA_CLOCK_DISABLE; static const struct of_device_id omap8250_dt_ids[] = { { .compatible = "ti,omap2-uart" }, { .compatible = "ti,omap3-uart" }, - { .compatible = "ti,omap4-uart" }, + { .compatible = "ti,omap4-uart", .data = &omap4_habit, }, { .compatible = "ti,am3352-uart", .data = &am3352_habit, }, { .compatible = "ti,am4372-uart", .data = &am3352_habit, }, { .compatible = "ti,dra742-uart", .data = &dra742_habit, }, @@ -1362,6 +1363,19 @@ static int omap8250_soft_reset(struct device *dev) int sysc; int syss; + /* + * At least on omap4, unused uarts may not idle after reset without + * a basic scr dma configuration even with no dma in use. The + * module clkctrl status bits will be 1 instead of 3 blocking idle + * for the whole clockdomain. The softreset below will clear scr, + * and we restore it on resume so this is safe to do on all SoCs + * needing omap8250_soft_reset() quirk. Do it in two writes as + * recommended in the comment for omap8250_update_scr(). + */ + serial_out(up, UART_OMAP_SCR, OMAP_UART_SCR_DMAMODE_1); + serial_out(up, UART_OMAP_SCR, + OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL); + sysc = serial_in(up, UART_OMAP_SYSC); /* softreset the UART */ -- 2.17.0

7 years, 4 months

1
0
0 0

patch "serial: samsung: fix maxburst parameter for DMA transactions" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled serial: samsung: fix maxburst parameter for DMA transactions to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From aa2f80e752c75e593b3820f42c416ed9458fa73e Mon Sep 17 00:00:00 2001 From: Marek Szyprowski <m.szyprowski(a)samsung.com> Date: Thu, 10 May 2018 08:41:13 +0200 Subject: serial: samsung: fix maxburst parameter for DMA transactions The best granularity of residue that DMA engine can report is in the BURST units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE if it relies on exact number of bytes transferred by DMA engine. Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Acked-by: Krzysztof Kozlowski <krzk(a)kernel.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/samsung.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c index 3f2f8c118ce0..64e96926f1ad 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -862,15 +862,12 @@ static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p) dma->rx_conf.direction = DMA_DEV_TO_MEM; dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH; - dma->rx_conf.src_maxburst = 16; + dma->rx_conf.src_maxburst = 1; dma->tx_conf.direction = DMA_MEM_TO_DEV; dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH; - if (dma_get_cache_alignment() >= 16) - dma->tx_conf.dst_maxburst = 16; - else - dma->tx_conf.dst_maxburst = 1; + dma->tx_conf.dst_maxburst = 1; dma->rx_chan = dma_request_chan(p->port.dev, "rx"); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "tty: pl011: Avoid spuriously stuck-off interrupts" added to tty-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tty: pl011: Avoid spuriously stuck-off interrupts to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 4a7e625ce50412a7711efa0f2ef0b96ce3826759 Mon Sep 17 00:00:00 2001 From: Dave Martin <Dave.Martin(a)arm.com> Date: Thu, 10 May 2018 18:08:23 +0100 Subject: tty: pl011: Avoid spuriously stuck-off interrupts Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts") clears the RX and receive timeout interrupts on pl011 startup, to avoid a screaming-interrupt scenario that can occur when the firmware or bootloader leaves these interrupts asserted. This has been noted as an issue when running Linux on qemu [1]. Unfortunately, the above fix seems to lead to potential misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously on driver startup, if the RX FIFO is also already full to the trigger level. Clearing the RX FIFO interrupt does not change the FIFO fill level. In this scenario, because the interrupt is now clear and because the FIFO is already full to the trigger level, no new assertion of the RX FIFO interrupt can occur unless the FIFO is drained back below the trigger level. This never occurs because the pl011 driver is waiting for an RX FIFO interrupt to tell it that there is something to read, and does not read the FIFO at all until that interrupt occurs. Thus, simply clearing "spurious" interrupts on startup may be misguided, since there is no way to be sure that the interrupts are truly spurious, and things can go wrong if they are not. This patch instead clears the interrupt condition by draining the RX FIFO during UART startup, after clearing any potentially spurious interrupt. This should ensure that an interrupt will definitely be asserted if the RX FIFO subsequently becomes sufficiently full. The drain is done at the point of enabling interrupts only. This means that it will occur any time the UART is newly opened through the tty layer. It will not apply to polled-mode use of the UART by kgdboc: since that scenario cannot use interrupts by design, this should not matter. kgdboc will interact badly with "normal" use of the UART in any case: this patch makes no attempt to paper over such issues. This patch does not attempt to address the case where the RX FIFO fills faster than it can be drained: that is a pathological hardware design problem that is beyond the scope of the driver to work around. As a failsafe, the number of poll iterations for draining the FIFO is limited to twice the FIFO size. This will ensure that the kernel at least boots even if it is impossible to drain the FIFO for some reason. [1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo before enabled the interruption https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html Reported-by: Wei Xu <xuwei5(a)hisilicon.com> Cc: Russell King <linux(a)armlinux.org.uk> Cc: Linus Walleij <linus.walleij(a)linaro.org> Cc: Peter Maydell <peter.maydell(a)linaro.org> Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts") Signed-off-by: Dave Martin <Dave.Martin(a)arm.com> Cc: stable <stable(a)vger.kernel.org> Tested-by: Wei Xu <xuwei5(a)hisilicon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c index 4b40a5b449ee..ebd33c0232e6 100644 --- a/drivers/tty/serial/amba-pl011.c +++ b/drivers/tty/serial/amba-pl011.c @@ -1727,10 +1727,26 @@ static int pl011_allocate_irq(struct uart_amba_port *uap) */ static void pl011_enable_interrupts(struct uart_amba_port *uap) { + unsigned int i; + spin_lock_irq(&uap->port.lock); /* Clear out any spuriously appearing RX interrupts */ pl011_write(UART011_RTIS | UART011_RXIS, uap, REG_ICR); + + /* + * RXIS is asserted only when the RX FIFO transitions from below + * to above the trigger threshold. If the RX FIFO is already + * full to the threshold this can't happen and RXIS will now be + * stuck off. Drain the RX FIFO explicitly to fix this: + */ + for (i = 0; i < uap->fifosize * 2; ++i) { + if (pl011_read(uap, REG_FR) & UART01x_FR_RXFE) + break; + + pl011_read(uap, REG_DR); + } + uap->im = UART011_RTIM; if (!pl011_dma_rx_running(uap)) uap->im |= UART011_RXIM; -- 2.17.0

7 years, 4 months

1
0
0 0

patch "driver core: Don't ignore class_dir_create_and_add() failure." added to driver-core-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled driver core: Don't ignore class_dir_create_and_add() failure. to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 84d0c27d6233a9ba0578b20f5a09701eb66cee42 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Date: Mon, 7 May 2018 19:10:31 +0900 Subject: driver core: Don't ignore class_dir_create_and_add() failure. syzbot is hitting WARN() at kernfs_add_one() [1]. This is because kernfs_create_link() is confused by previous device_add() call which continued without setting dev->kobj.parent field when get_device_parent() failed by memory allocation fault injection. Fix this by propagating the error from class_dir_create_and_add() to the calllers of get_device_parent(). [1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de652911… Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+df47f81c226b31d89fb1(a)syzkaller.appspotmail.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/base/core.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/base/core.c b/drivers/base/core.c index b610816eb887..d680fd030316 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -1467,7 +1467,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) dir = kzalloc(sizeof(*dir), GFP_KERNEL); if (!dir) - return NULL; + return ERR_PTR(-ENOMEM); dir->class = class; kobject_init(&dir->kobj, &class_dir_ktype); @@ -1477,7 +1477,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); if (retval < 0) { kobject_put(&dir->kobj); - return NULL; + return ERR_PTR(retval); } return &dir->kobj; } @@ -1784,6 +1784,10 @@ int device_add(struct device *dev) parent = get_device(dev->parent); kobj = get_device_parent(dev, parent); + if (IS_ERR(kobj)) { + error = PTR_ERR(kobj); + goto parent_error; + } if (kobj) dev->kobj.parent = kobj; @@ -1882,6 +1886,7 @@ int device_add(struct device *dev) kobject_del(&dev->kobj); Error: cleanup_glue_dir(dev, glue_dir); +parent_error: put_device(parent); name_error: kfree(dev->p); @@ -2701,6 +2706,11 @@ int device_move(struct device *dev, struct device *new_parent, device_pm_lock(); new_parent = get_device(new_parent); new_parent_kobj = get_device_parent(dev, new_parent); + if (IS_ERR(new_parent_kobj)) { + error = PTR_ERR(new_parent_kobj); + put_device(new_parent); + goto out; + } pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), __func__, new_parent ? dev_name(new_parent) : "<NULL>"); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "1wire: family module autoload fails because of upper/lower case" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled 1wire: family module autoload fails because of upper/lower case to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 065c09563c872e52813a17218c52cd642be1dca6 Mon Sep 17 00:00:00 2001 From: Ingo Flaschberger <ingo.flaschberger(a)gmail.com> Date: Tue, 1 May 2018 16:10:33 +0200 Subject: 1wire: family module autoload fails because of upper/lower case mismatch. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1wire family module autoload fails because of upper/lower case mismatch. Signed-off-by: Ingo Flaschberger <ingo.flaschberger(a)gmail.com> Acked-by: Evgeniy Polyakov <zbr(a)ioremap.net> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/w1/w1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c index 80a778b02f28..caef0e0fd817 100644 --- a/drivers/w1/w1.c +++ b/drivers/w1/w1.c @@ -751,7 +751,7 @@ int w1_attach_slave_device(struct w1_master *dev, struct w1_reg_num *rn) /* slave modules need to be loaded in a context with unlocked mutex */ mutex_unlock(&dev->mutex); - request_module("w1-family-0x%02x", rn->family); + request_module("w1-family-0x%02X", rn->family); mutex_lock(&dev->mutex); spin_lock(&w1_flock); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "w1: mxc_w1: Enable clock before calling clk_get_rate() on it" added to char-misc-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled w1: mxc_w1: Enable clock before calling clk_get_rate() on it to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 955bc61328dc0a297fb3baccd84e9d3aee501ed8 Mon Sep 17 00:00:00 2001 From: Stefan Potyra <Stefan.Potyra(a)elektrobit.com> Date: Wed, 2 May 2018 10:55:31 +0200 Subject: w1: mxc_w1: Enable clock before calling clk_get_rate() on it According to the API, you may only call clk_get_rate() after actually enabling it. Found by Linux Driver Verification project (linuxtesting.org). Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31") Signed-off-by: Stefan Potyra <Stefan.Potyra(a)elektrobit.com> Acked-by: Evgeniy Polyakov <zbr(a)ioremap.net> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/w1/masters/mxc_w1.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c index 74f2e6e6202a..8851d441e5fd 100644 --- a/drivers/w1/masters/mxc_w1.c +++ b/drivers/w1/masters/mxc_w1.c @@ -112,6 +112,10 @@ static int mxc_w1_probe(struct platform_device *pdev) if (IS_ERR(mdev->clk)) return PTR_ERR(mdev->clk); + err = clk_prepare_enable(mdev->clk); + if (err) + return err; + clkrate = clk_get_rate(mdev->clk); if (clkrate < 10000000) dev_warn(&pdev->dev, @@ -125,12 +129,10 @@ static int mxc_w1_probe(struct platform_device *pdev) res = platform_get_resource(pdev, IORESOURCE_MEM, 0); mdev->regs = devm_ioremap_resource(&pdev->dev, res); - if (IS_ERR(mdev->regs)) - return PTR_ERR(mdev->regs); - - err = clk_prepare_enable(mdev->clk); - if (err) - return err; + if (IS_ERR(mdev->regs)) { + err = PTR_ERR(mdev->regs); + goto out_disable_clk; + } /* Software reset 1-Wire module */ writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET); @@ -146,8 +148,12 @@ static int mxc_w1_probe(struct platform_device *pdev) err = w1_add_master_device(&mdev->bus_master); if (err) - clk_disable_unprepare(mdev->clk); + goto out_disable_clk; + return 0; + +out_disable_clk: + clk_disable_unprepare(mdev->clk); return err; } -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH] ARM: dts: socfpga: Fix NAND controller node compatible for Arria10

by Dinh Nguyen

The NAND compatible "denali,denal-nand-dt" property has never been used and is obsolete. Remove it. Cc: stable(a)vger.kernel.org Fixes: f549af06e9b6("ARM: dts: socfpga: Add NAND device tree for Arria10") Signed-off-by: Dinh Nguyen <dinguyen(a)kernel.org> --- arch/arm/boot/dts/socfpga_arria10.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/socfpga_arria10.dtsi b/arch/arm/boot/dts/socfpga_arria10.dtsi index bead79e4b2aa..d8b1aa309f76 100644 --- a/arch/arm/boot/dts/socfpga_arria10.dtsi +++ b/arch/arm/boot/dts/socfpga_arria10.dtsi @@ -633,7 +633,7 @@ nand: nand@ffb90000 { #address-cells = <1>; #size-cells = <1>; - compatible = "denali,denali-nand-dt", "altr,socfpga-denali-nand"; + compatible = "altr,socfpga-denali-nand"; reg = <0xffb90000 0x72000>, <0xffb80000 0x10000>; reg-names = "nand_data", "denali_reg"; -- 2.17.0.391.g1f1cddd

7 years, 4 months

1
0
0 0

patch "driver core: Don't ignore class_dir_create_and_add() failure." added to driver-core-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled driver core: Don't ignore class_dir_create_and_add() failure. to my driver-core git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core.git in the driver-core-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the driver-core-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 84d0c27d6233a9ba0578b20f5a09701eb66cee42 Mon Sep 17 00:00:00 2001 From: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Date: Mon, 7 May 2018 19:10:31 +0900 Subject: driver core: Don't ignore class_dir_create_and_add() failure. syzbot is hitting WARN() at kernfs_add_one() [1]. This is because kernfs_create_link() is confused by previous device_add() call which continued without setting dev->kobj.parent field when get_device_parent() failed by memory allocation fault injection. Fix this by propagating the error from class_dir_create_and_add() to the calllers of get_device_parent(). [1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de652911… Signed-off-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Reported-by: syzbot <syzbot+df47f81c226b31d89fb1(a)syzkaller.appspotmail.com> Cc: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/base/core.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/base/core.c b/drivers/base/core.c index b610816eb887..d680fd030316 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -1467,7 +1467,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) dir = kzalloc(sizeof(*dir), GFP_KERNEL); if (!dir) - return NULL; + return ERR_PTR(-ENOMEM); dir->class = class; kobject_init(&dir->kobj, &class_dir_ktype); @@ -1477,7 +1477,7 @@ class_dir_create_and_add(struct class *class, struct kobject *parent_kobj) retval = kobject_add(&dir->kobj, parent_kobj, "%s", class->name); if (retval < 0) { kobject_put(&dir->kobj); - return NULL; + return ERR_PTR(retval); } return &dir->kobj; } @@ -1784,6 +1784,10 @@ int device_add(struct device *dev) parent = get_device(dev->parent); kobj = get_device_parent(dev, parent); + if (IS_ERR(kobj)) { + error = PTR_ERR(kobj); + goto parent_error; + } if (kobj) dev->kobj.parent = kobj; @@ -1882,6 +1886,7 @@ int device_add(struct device *dev) kobject_del(&dev->kobj); Error: cleanup_glue_dir(dev, glue_dir); +parent_error: put_device(parent); name_error: kfree(dev->p); @@ -2701,6 +2706,11 @@ int device_move(struct device *dev, struct device *new_parent, device_pm_lock(); new_parent = get_device(new_parent); new_parent_kobj = get_device_parent(dev, new_parent); + if (IS_ERR(new_parent_kobj)) { + error = PTR_ERR(new_parent_kobj); + put_device(new_parent); + goto out; + } pr_debug("device: '%s': %s: moving to '%s'\n", dev_name(dev), __func__, new_parent ? dev_name(new_parent) : "<NULL>"); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "1wire: family module autoload fails because of upper/lower case" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled 1wire: family module autoload fails because of upper/lower case to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 065c09563c872e52813a17218c52cd642be1dca6 Mon Sep 17 00:00:00 2001 From: Ingo Flaschberger <ingo.flaschberger(a)gmail.com> Date: Tue, 1 May 2018 16:10:33 +0200 Subject: 1wire: family module autoload fails because of upper/lower case mismatch. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1wire family module autoload fails because of upper/lower case mismatch. Signed-off-by: Ingo Flaschberger <ingo.flaschberger(a)gmail.com> Acked-by: Evgeniy Polyakov <zbr(a)ioremap.net> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/w1/w1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c index 80a778b02f28..caef0e0fd817 100644 --- a/drivers/w1/w1.c +++ b/drivers/w1/w1.c @@ -751,7 +751,7 @@ int w1_attach_slave_device(struct w1_master *dev, struct w1_reg_num *rn) /* slave modules need to be loaded in a context with unlocked mutex */ mutex_unlock(&dev->mutex); - request_module("w1-family-0x%02x", rn->family); + request_module("w1-family-0x%02X", rn->family); mutex_lock(&dev->mutex); spin_lock(&w1_flock); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "w1: mxc_w1: Enable clock before calling clk_get_rate() on it" added to char-misc-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled w1: mxc_w1: Enable clock before calling clk_get_rate() on it to my char-misc git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git in the char-misc-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the char-misc-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 955bc61328dc0a297fb3baccd84e9d3aee501ed8 Mon Sep 17 00:00:00 2001 From: Stefan Potyra <Stefan.Potyra(a)elektrobit.com> Date: Wed, 2 May 2018 10:55:31 +0200 Subject: w1: mxc_w1: Enable clock before calling clk_get_rate() on it According to the API, you may only call clk_get_rate() after actually enabling it. Found by Linux Driver Verification project (linuxtesting.org). Fixes: a5fd9139f74c ("w1: add 1-wire master driver for i.MX27 / i.MX31") Signed-off-by: Stefan Potyra <Stefan.Potyra(a)elektrobit.com> Acked-by: Evgeniy Polyakov <zbr(a)ioremap.net> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/w1/masters/mxc_w1.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/drivers/w1/masters/mxc_w1.c b/drivers/w1/masters/mxc_w1.c index 74f2e6e6202a..8851d441e5fd 100644 --- a/drivers/w1/masters/mxc_w1.c +++ b/drivers/w1/masters/mxc_w1.c @@ -112,6 +112,10 @@ static int mxc_w1_probe(struct platform_device *pdev) if (IS_ERR(mdev->clk)) return PTR_ERR(mdev->clk); + err = clk_prepare_enable(mdev->clk); + if (err) + return err; + clkrate = clk_get_rate(mdev->clk); if (clkrate < 10000000) dev_warn(&pdev->dev, @@ -125,12 +129,10 @@ static int mxc_w1_probe(struct platform_device *pdev) res = platform_get_resource(pdev, IORESOURCE_MEM, 0); mdev->regs = devm_ioremap_resource(&pdev->dev, res); - if (IS_ERR(mdev->regs)) - return PTR_ERR(mdev->regs); - - err = clk_prepare_enable(mdev->clk); - if (err) - return err; + if (IS_ERR(mdev->regs)) { + err = PTR_ERR(mdev->regs); + goto out_disable_clk; + } /* Software reset 1-Wire module */ writeb(MXC_W1_RESET_RST, mdev->regs + MXC_W1_RESET); @@ -146,8 +148,12 @@ static int mxc_w1_probe(struct platform_device *pdev) err = w1_add_master_device(&mdev->bus_master); if (err) - clk_disable_unprepare(mdev->clk); + goto out_disable_clk; + return 0; + +out_disable_clk: + clk_disable_unprepare(mdev->clk); return err; } -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH] IB/srpt: Increase port count

by Bart Van Assche

Since there are adapters that have four ports, increase the size of the srpt_device.port[] array. This patch avoids that the following warning is hit with quad port Chelsio adapters: WARN_ON(sdev->device->phys_port_cnt > ARRAY_SIZE(sdev->port)); Reported-by: Steve Wise <swise(a)opengridcomputing.com> Signed-off-by: Bart Van Assche <bart.vanassche(a)wdc.com> Cc: Steve Wise <swise(a)opengridcomputing.com> Cc: <stable(a)vger.kernel.org> --- drivers/infiniband/ulp/srpt/ib_srpt.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/infiniband/ulp/srpt/ib_srpt.h b/drivers/infiniband/ulp/srpt/ib_srpt.h index 2361483476a0..b72f1f4066fa 100644 --- a/drivers/infiniband/ulp/srpt/ib_srpt.h +++ b/drivers/infiniband/ulp/srpt/ib_srpt.h @@ -410,7 +410,7 @@ struct srpt_device { struct mutex sdev_mutex; bool use_srq; struct srpt_recv_ioctx **ioctx_ring; - struct srpt_port port[2]; + struct srpt_port port[4]; struct ib_event_handler event_handler; struct list_head list; }; -- 2.16.3

7 years, 4 months

4
3
0 0

patch "serial: 8250: omap: Fix idling of clocks for unused uarts" added to tty-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled serial: 8250: omap: Fix idling of clocks for unused uarts to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the tty-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 13dc04d0e5fdc25c8f713ad23fdce51cf2bf96ba Mon Sep 17 00:00:00 2001 From: Tony Lindgren <tony(a)atomide.com> Date: Fri, 4 May 2018 10:44:09 -0700 Subject: serial: 8250: omap: Fix idling of clocks for unused uarts I noticed that unused UARTs won't necessarily idle properly always unless at least one byte tx transfer is done first. After some debugging I narrowed down the problem to the scr register dma configuration bits that need to be set before softreset for the clocks to idle. Unless we do this, the module clkctrl idlest bits may be set to 1 instead of 3 meaning the clock will never idle and is blocking deeper idle states for the whole domain. This might be related to the configuration done by the bootloader or kexec booting where certain configurations cause the 8250 or the clkctrl clock to jam in a way where setting of the scr bits and reset is needed to clear it. I've tried diffing the 8250 registers for the various modes, but did not see anything specific. So far I've only seen this on omap4 but I'm suspecting this might also happen on the other clkctrl using SoCs considering they already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE. Let's fix the issue by configuring scr before reset for basic dma even if we don't use it. The scr register will be reset when we do softreset few lines after, and we restore scr on resume. We should do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag set since the ones with UART_ERRATA_CLOCK_DISABLE are all based using clkctrl similar to omap4. Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL bits are needed for the clkctrl to idle after a softreset. And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE for the related workaround to be enabled. This same compatible value will also be used for omap5. Fixes: cdb929e4452a ("serial: 8250_omap: workaround errata around idling UART after using DMA") Cc: Keerthy <j-keerthy(a)ti.com> Cc: Matthijs van Duin <matthijsvanduin(a)gmail.com> Cc: Sekhar Nori <nsekhar(a)ti.com> Cc: Tero Kristo <t-kristo(a)ti.com> Signed-off-by: Tony Lindgren <tony(a)atomide.com> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/8250/8250_omap.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c index 6aaa84355fd1..1b337fee07ed 100644 --- a/drivers/tty/serial/8250/8250_omap.c +++ b/drivers/tty/serial/8250/8250_omap.c @@ -1110,13 +1110,14 @@ static int omap8250_no_handle_irq(struct uart_port *port) return 0; } +static const u8 omap4_habit = UART_ERRATA_CLOCK_DISABLE; static const u8 am3352_habit = OMAP_DMA_TX_KICK | UART_ERRATA_CLOCK_DISABLE; static const u8 dra742_habit = UART_ERRATA_CLOCK_DISABLE; static const struct of_device_id omap8250_dt_ids[] = { { .compatible = "ti,omap2-uart" }, { .compatible = "ti,omap3-uart" }, - { .compatible = "ti,omap4-uart" }, + { .compatible = "ti,omap4-uart", .data = &omap4_habit, }, { .compatible = "ti,am3352-uart", .data = &am3352_habit, }, { .compatible = "ti,am4372-uart", .data = &am3352_habit, }, { .compatible = "ti,dra742-uart", .data = &dra742_habit, }, @@ -1362,6 +1363,19 @@ static int omap8250_soft_reset(struct device *dev) int sysc; int syss; + /* + * At least on omap4, unused uarts may not idle after reset without + * a basic scr dma configuration even with no dma in use. The + * module clkctrl status bits will be 1 instead of 3 blocking idle + * for the whole clockdomain. The softreset below will clear scr, + * and we restore it on resume so this is safe to do on all SoCs + * needing omap8250_soft_reset() quirk. Do it in two writes as + * recommended in the comment for omap8250_update_scr(). + */ + serial_out(up, UART_OMAP_SCR, OMAP_UART_SCR_DMAMODE_1); + serial_out(up, UART_OMAP_SCR, + OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL); + sysc = serial_in(up, UART_OMAP_SYSC); /* softreset the UART */ -- 2.17.0

7 years, 4 months

1
0
0 0

patch "serial: samsung: fix maxburst parameter for DMA transactions" added to tty-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled serial: samsung: fix maxburst parameter for DMA transactions to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the tty-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From aa2f80e752c75e593b3820f42c416ed9458fa73e Mon Sep 17 00:00:00 2001 From: Marek Szyprowski <m.szyprowski(a)samsung.com> Date: Thu, 10 May 2018 08:41:13 +0200 Subject: serial: samsung: fix maxburst parameter for DMA transactions The best granularity of residue that DMA engine can report is in the BURST units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE if it relies on exact number of bytes transferred by DMA engine. Fixes: 62c37eedb74c ("serial: samsung: add dma reqest/release functions") Signed-off-by: Marek Szyprowski <m.szyprowski(a)samsung.com> Acked-by: Krzysztof Kozlowski <krzk(a)kernel.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/samsung.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c index 3f2f8c118ce0..64e96926f1ad 100644 --- a/drivers/tty/serial/samsung.c +++ b/drivers/tty/serial/samsung.c @@ -862,15 +862,12 @@ static int s3c24xx_serial_request_dma(struct s3c24xx_uart_port *p) dma->rx_conf.direction = DMA_DEV_TO_MEM; dma->rx_conf.src_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; dma->rx_conf.src_addr = p->port.mapbase + S3C2410_URXH; - dma->rx_conf.src_maxburst = 16; + dma->rx_conf.src_maxburst = 1; dma->tx_conf.direction = DMA_MEM_TO_DEV; dma->tx_conf.dst_addr_width = DMA_SLAVE_BUSWIDTH_1_BYTE; dma->tx_conf.dst_addr = p->port.mapbase + S3C2410_UTXH; - if (dma_get_cache_alignment() >= 16) - dma->tx_conf.dst_maxburst = 16; - else - dma->tx_conf.dst_maxburst = 1; + dma->tx_conf.dst_maxburst = 1; dma->rx_chan = dma_request_chan(p->port.dev, "rx"); -- 2.17.0

7 years, 4 months

1
0
0 0

patch "tty: pl011: Avoid spuriously stuck-off interrupts" added to tty-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled tty: pl011: Avoid spuriously stuck-off interrupts to my tty git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty.git in the tty-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the tty-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 4a7e625ce50412a7711efa0f2ef0b96ce3826759 Mon Sep 17 00:00:00 2001 From: Dave Martin <Dave.Martin(a)arm.com> Date: Thu, 10 May 2018 18:08:23 +0100 Subject: tty: pl011: Avoid spuriously stuck-off interrupts Commit 9b96fbacda34 ("serial: PL011: clear pending interrupts") clears the RX and receive timeout interrupts on pl011 startup, to avoid a screaming-interrupt scenario that can occur when the firmware or bootloader leaves these interrupts asserted. This has been noted as an issue when running Linux on qemu [1]. Unfortunately, the above fix seems to lead to potential misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously on driver startup, if the RX FIFO is also already full to the trigger level. Clearing the RX FIFO interrupt does not change the FIFO fill level. In this scenario, because the interrupt is now clear and because the FIFO is already full to the trigger level, no new assertion of the RX FIFO interrupt can occur unless the FIFO is drained back below the trigger level. This never occurs because the pl011 driver is waiting for an RX FIFO interrupt to tell it that there is something to read, and does not read the FIFO at all until that interrupt occurs. Thus, simply clearing "spurious" interrupts on startup may be misguided, since there is no way to be sure that the interrupts are truly spurious, and things can go wrong if they are not. This patch instead clears the interrupt condition by draining the RX FIFO during UART startup, after clearing any potentially spurious interrupt. This should ensure that an interrupt will definitely be asserted if the RX FIFO subsequently becomes sufficiently full. The drain is done at the point of enabling interrupts only. This means that it will occur any time the UART is newly opened through the tty layer. It will not apply to polled-mode use of the UART by kgdboc: since that scenario cannot use interrupts by design, this should not matter. kgdboc will interact badly with "normal" use of the UART in any case: this patch makes no attempt to paper over such issues. This patch does not attempt to address the case where the RX FIFO fills faster than it can be drained: that is a pathological hardware design problem that is beyond the scope of the driver to work around. As a failsafe, the number of poll iterations for draining the FIFO is limited to twice the FIFO size. This will ensure that the kernel at least boots even if it is impossible to drain the FIFO for some reason. [1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo before enabled the interruption https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.html Reported-by: Wei Xu <xuwei5(a)hisilicon.com> Cc: Russell King <linux(a)armlinux.org.uk> Cc: Linus Walleij <linus.walleij(a)linaro.org> Cc: Peter Maydell <peter.maydell(a)linaro.org> Fixes: 9b96fbacda34 ("serial: PL011: clear pending interrupts") Signed-off-by: Dave Martin <Dave.Martin(a)arm.com> Cc: stable <stable(a)vger.kernel.org> Tested-by: Wei Xu <xuwei5(a)hisilicon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/tty/serial/amba-pl011.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c index 4b40a5b449ee..ebd33c0232e6 100644 --- a/drivers/tty/serial/amba-pl011.c +++ b/drivers/tty/serial/amba-pl011.c @@ -1727,10 +1727,26 @@ static int pl011_allocate_irq(struct uart_amba_port *uap) */ static void pl011_enable_interrupts(struct uart_amba_port *uap) { + unsigned int i; + spin_lock_irq(&uap->port.lock); /* Clear out any spuriously appearing RX interrupts */ pl011_write(UART011_RTIS | UART011_RXIS, uap, REG_ICR); + + /* + * RXIS is asserted only when the RX FIFO transitions from below + * to above the trigger threshold. If the RX FIFO is already + * full to the threshold this can't happen and RXIS will now be + * stuck off. Drain the RX FIFO explicitly to fix this: + */ + for (i = 0; i < uap->fifosize * 2; ++i) { + if (pl011_read(uap, REG_FR) & UART01x_FR_RXFE) + break; + + pl011_read(uap, REG_DR); + } + uap->im = UART011_RTIM; if (!pl011_dma_rx_running(uap)) uap->im |= UART011_RXIM; -- 2.17.0

7 years, 4 months

1
0
0 0

patch "xhci: Fix USB3 NULL pointer dereference at logical disconnect." added to usb-linus

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xhci: Fix USB3 NULL pointer dereference at logical disconnect. to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-linus branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will hopefully also be merged in Linus's tree for the next -rc kernel release. If you have any questions about this process, please let me know. >From 2278446e2b7cd33ad894b32e7eb63afc7db6c86e Mon Sep 17 00:00:00 2001 From: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Mon, 14 May 2018 11:57:23 +0300 Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect. Hub driver will try to disable a USB3 device twice at logical disconnect, racing with xhci_free_dev() callback from the first port disable. This can be triggered with "udisksctl power-off --block-device <disk>" or by writing "1" to the "remove" sysfs file for a USB3 device in 4.17-rc4. USB3 devices don't have a similar disabled link state as USB2 devices, and use a U3 suspended link state instead. In this state the port is still enabled and connected. hub_port_connect() first disconnects the device, then later it notices that device is still enabled (due to U3 states) it will try to disable the port again (set to U3). The xhci_free_dev() called during device disable is async, so checking for existing xhci->devs[i] when setting link state to U3 the second time was successful, even if device was being freed. The regression was caused by, and whole thing revealed by, Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. and causes a NULL pointer dereference the second time we try to set U3. Fix this by checking xhci->devs[i]->udev exists before setting link state. The original patch went to stable so this fix needs to be applied there as well. Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") Cc: <stable(a)vger.kernel.org> Reported-by: Jordan Glover <Golden_Miller83(a)protonmail.ch> Tested-by: Jordan Glover <Golden_Miller83(a)protonmail.ch> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/host/xhci-hub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c index 72ebbc908e19..32cd52ca8318 100644 --- a/drivers/usb/host/xhci-hub.c +++ b/drivers/usb/host/xhci-hub.c @@ -354,7 +354,7 @@ int xhci_find_slot_id_by_port(struct usb_hcd *hcd, struct xhci_hcd *xhci, slot_id = 0; for (i = 0; i < MAX_HC_SLOTS; i++) { - if (!xhci->devs[i]) + if (!xhci->devs[i] || !xhci->devs[i]->udev) continue; speed = xhci->devs[i]->udev->speed; if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3)) -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH 1/1] xhci: Fix USB3 NULL pointer dereference at logical disconnect.

by Mathias Nyman

Hub driver will try to disable a USB3 device twice at logical disconnect, racing with xhci_free_dev() callback from the first port disable. This can be triggered with "udisksctl power-off --block-device <disk>" or by writing "1" to the "remove" sysfs file for a USB3 device in 4.17-rc4. USB3 devices don't have a similar disabled link state as USB2 devices, and use a U3 suspended link state instead. In this state the port is still enabled and connected. hub_port_connect() first disconnects the device, then later it notices that device is still enabled (due to U3 states) it will try to disable the port again (set to U3). The xhci_free_dev() called during device disable is async, so checking for existing xhci->devs[i] when setting link state to U3 the second time was successful, even if device was being freed. The regression was caused by, and whole thing revealed by, Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. and causes a NULL pointer dereference the second time we try to set U3. Fix this by checking xhci->devs[i]->udev exists before setting link state. The original patch went to stable so this fix needs to be applied there as well. Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") Cc: <stable(a)vger.kernel.org> Reported-by: Jordan Glover <Golden_Miller83(a)protonmail.ch> Tested-by: Jordan Glover <Golden_Miller83(a)protonmail.ch> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-hub.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/host/xhci-hub.c b/drivers/usb/host/xhci-hub.c index 72ebbc9..32cd52c 100644 --- a/drivers/usb/host/xhci-hub.c +++ b/drivers/usb/host/xhci-hub.c @@ -354,7 +354,7 @@ int xhci_find_slot_id_by_port(struct usb_hcd *hcd, struct xhci_hcd *xhci, slot_id = 0; for (i = 0; i < MAX_HC_SLOTS; i++) { - if (!xhci->devs[i]) + if (!xhci->devs[i] || !xhci->devs[i]->udev) continue; speed = xhci->devs[i]->udev->speed; if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3)) -- 2.7.4

7 years, 4 months

1
0
0 0

[PATCH] drm/i915/oa: Disable OA on Haswell

by Chris Wilson

We observe that the OA architecture is clobbering random memory. Disable it until this can be resolved. References: https://bugs.freedesktop.org/show_bug.cgi?id=106379 Signed-off-by: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Lionel Landwerlin <lionel.g.landwerlin(a)intel.com> Cc: Matthew Auld <matthew.auld(a)intel.com> Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/i915/i915_perf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/i915_perf.c b/drivers/gpu/drm/i915/i915_perf.c index 019bd2d073ad..20187f3bf350 100644 --- a/drivers/gpu/drm/i915/i915_perf.c +++ b/drivers/gpu/drm/i915/i915_perf.c @@ -3425,7 +3425,7 @@ static struct ctl_table dev_root[] = { */ void i915_perf_init(struct drm_i915_private *dev_priv) { - if (IS_HASWELL(dev_priv)) { + if (IS_HASWELL(dev_priv) && 0) { dev_priv->perf.oa.ops.is_valid_b_counter_reg = gen7_is_valid_b_counter_addr; dev_priv->perf.oa.ops.is_valid_mux_reg = -- 2.17.0

7 years, 4 months

2
10
0 0

[tip:efi/core] efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode

by tip-bot for Ard Biesheuvel

Commit-ID: 0b3225ab9407f557a8e20f23f37aa7236c10a9b1 Gitweb: https://git.kernel.org/tip/0b3225ab9407f557a8e20f23f37aa7236c10a9b1 Author: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> AuthorDate: Fri, 4 May 2018 07:59:58 +0200 Committer: Ingo Molnar <mingo(a)kernel.org> CommitDate: Mon, 14 May 2018 08:56:29 +0200 efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode Mixed mode allows a kernel built for x86_64 to interact with 32-bit EFI firmware, but requires us to define all struct definitions carefully when it comes to pointer sizes. 'struct efi_pci_io_protocol_32' currently uses a 'void *' for the 'romimage' field, which will be interpreted as a 64-bit field on such kernels, potentially resulting in bogus memory references and subsequent crashes. Tested-by: Hans de Goede <hdegoede(a)redhat.com> Signed-off-by: Ard Biesheuvel <ard.biesheuvel(a)linaro.org> Cc: <stable(a)vger.kernel.org> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Matt Fleming <matt(a)codeblueprint.co.uk> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: linux-efi(a)vger.kernel.org Link: http://lkml.kernel.org/r/20180504060003.19618-13-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar <mingo(a)kernel.org> --- arch/x86/boot/compressed/eboot.c | 6 ++++-- include/linux/efi.h | 8 ++++---- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c index 47d3efff6805..09f36c0d9d4f 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c @@ -163,7 +163,8 @@ __setup_efi_pci32(efi_pci_io_protocol_32 *pci, struct pci_setup_rom **__rom) if (status != EFI_SUCCESS) goto free_struct; - memcpy(rom->romdata, pci->romimage, pci->romsize); + memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, + pci->romsize); return status; free_struct: @@ -269,7 +270,8 @@ __setup_efi_pci64(efi_pci_io_protocol_64 *pci, struct pci_setup_rom **__rom) if (status != EFI_SUCCESS) goto free_struct; - memcpy(rom->romdata, pci->romimage, pci->romsize); + memcpy(rom->romdata, (void *)(unsigned long)pci->romimage, + pci->romsize); return status; free_struct: diff --git a/include/linux/efi.h b/include/linux/efi.h index f1b7d68ac460..3016d8c456bc 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h @@ -395,8 +395,8 @@ typedef struct { u32 attributes; u32 get_bar_attributes; u32 set_bar_attributes; - uint64_t romsize; - void *romimage; + u64 romsize; + u32 romimage; } efi_pci_io_protocol_32; typedef struct { @@ -415,8 +415,8 @@ typedef struct { u64 attributes; u64 get_bar_attributes; u64 set_bar_attributes; - uint64_t romsize; - void *romimage; + u64 romsize; + u64 romimage; } efi_pci_io_protocol_64; typedef struct {

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] KVM: x86: remove APIC Timer periodic/oneshot spikes" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From ecf08dad723d3e000aecff6c396f54772d124733 Mon Sep 17 00:00:00 2001 From: Anthoine Bourgeois <anthoine.bourgeois(a)blade-group.com> Date: Sun, 29 Apr 2018 22:05:58 +0000 Subject: [PATCH] KVM: x86: remove APIC Timer periodic/oneshot spikes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Since the commit "8003c9ae204e: add APIC Timer periodic/oneshot mode VMX preemption timer support", a Windows 10 guest has some erratic timer spikes. Here the results on a 150000 times 1ms timer without any load: Before 8003c9ae204e | After 8003c9ae204e Max 1834us | 86000us Mean 1100us | 1021us Deviation 59us | 149us Here the results on a 150000 times 1ms timer with a cpu-z stress test: Before 8003c9ae204e | After 8003c9ae204e Max 32000us | 140000us Mean 1006us | 1997us Deviation 140us | 11095us The root cause of the problem is starting hrtimer with an expiry time already in the past can take more than 20 milliseconds to trigger the timer function. It can be solved by forward such past timers immediately, rather than submitting them to hrtimer_start(). In case the timer is periodic, update the target expiration and call hrtimer_start with it. v2: Check if the tsc deadline is already expired. Thank you Mika. v3: Execute the past timers immediately rather than submitting them to hrtimer_start(). v4: Rearm the periodic timer with advance_periodic_target_expiration() a simpler version of set_target_expiration(). Thank you Paolo. Cc: Mika Penttilä <mika.penttila(a)nextfour.com> Cc: Wanpeng Li <kernellwp(a)gmail.com> Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: stable(a)vger.kernel.org Signed-off-by: Anthoine Bourgeois <anthoine.bourgeois(a)blade-group.com> 8003c9ae204e ("KVM: LAPIC: add APIC Timer periodic/oneshot mode VMX preemption timer support") Signed-off-by: Radim Krčmář <rkrcmar(a)redhat.com> diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c index 70dcb5548022..b74c9c1405b9 100644 --- a/arch/x86/kvm/lapic.c +++ b/arch/x86/kvm/lapic.c @@ -1463,23 +1463,6 @@ static void start_sw_tscdeadline(struct kvm_lapic *apic) local_irq_restore(flags); } -static void start_sw_period(struct kvm_lapic *apic) -{ - if (!apic->lapic_timer.period) - return; - - if (apic_lvtt_oneshot(apic) && - ktime_after(ktime_get(), - apic->lapic_timer.target_expiration)) { - apic_timer_expired(apic); - return; - } - - hrtimer_start(&apic->lapic_timer.timer, - apic->lapic_timer.target_expiration, - HRTIMER_MODE_ABS_PINNED); -} - static void update_target_expiration(struct kvm_lapic *apic, uint32_t old_divisor) { ktime_t now, remaining; @@ -1546,6 +1529,26 @@ static void advance_periodic_target_expiration(struct kvm_lapic *apic) apic->lapic_timer.period); } +static void start_sw_period(struct kvm_lapic *apic) +{ + if (!apic->lapic_timer.period) + return; + + if (ktime_after(ktime_get(), + apic->lapic_timer.target_expiration)) { + apic_timer_expired(apic); + + if (apic_lvtt_oneshot(apic)) + return; + + advance_periodic_target_expiration(apic); + } + + hrtimer_start(&apic->lapic_timer.timer, + apic->lapic_timer.target_expiration, + HRTIMER_MODE_ABS_PINNED); +} + bool kvm_lapic_hv_timer_in_use(struct kvm_vcpu *vcpu) { if (!lapic_in_kernel(vcpu))

7 years, 4 months

3
2
0 0

[CVE-2018-1092][T/X/A/B/C] ext4: fail ext4_iget for root directory if unallocated

by Khalid Elmously

From: Theodore Ts'o <tytso(a)mit.edu> CVE-2018-1092 If the root directory has an i_links_count of zero, then when the file system is mounted, then when ext4_fill_super() notices the problem and tries to call iput() the root directory in the error return path, ext4_evict_inode() will try to free the inode on disk, before all of the file system structures are set up, and this will result in an OOPS caused by a NULL pointer dereference. This issue has been assigned CVE-2018-1092. https://bugzilla.kernel.org/show_bug.cgi?id=199179 https://bugzilla.redhat.com/show_bug.cgi?id=1560777 Reported-by: Wen Xu <wen.xu(a)gatech.edu> Signed-off-by: Theodore Ts'o <tytso(a)mit.edu> Cc: stable(a)vger.kernel.org (cherry-picked from 8e4b5eae5decd9dfe5a4ee369c22028f90ab4c44) Signed-off-by: Khalid Elmously <khalid.elmously(a)canonical.com> --- fs/ext4/inode.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 3d4d1dccc8a1..398faeff1938 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4745,6 +4745,12 @@ struct inode *ext4_iget(struct super_block *sb, unsigned long ino) goto bad_inode; raw_inode = ext4_raw_inode(&iloc); + if ((ino == EXT4_ROOT_INO) && (raw_inode->i_links_count == 0)) { + EXT4_ERROR_INODE(inode, "root inode unallocated"); + ret = -EFSCORRUPTED; + goto bad_inode; + } + if (EXT4_INODE_SIZE(inode->i_sb) > EXT4_GOOD_OLD_INODE_SIZE) { ei->i_extra_isize = le16_to_cpu(raw_inode->i_extra_isize); if (EXT4_GOOD_OLD_INODE_SIZE + ei->i_extra_isize > -- 2.17.0

7 years, 4 months

2
2
0 0

[PATCH v4.14] KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler

by Paul Mackerras

commit c3856aeb29402e94ad9b3879030165cc6a4fdc56 upstream. This fixes several bugs in the radix page fault handler relating to the way large pages in the memory backing the guest were handled. First, the check for large pages only checked for explicit huge pages and missed transparent huge pages. Then the check that the addresses (host virtual vs. guest physical) had appropriate alignment was wrong, meaning that the code never put a large page in the partition scoped radix tree; it was always demoted to a small page. Fixing this exposed bugs in kvmppc_create_pte(). We were never invalidating a 2MB PTE, which meant that if a page was initially faulted in without write permission and the guest then attempted to store to it, we would never update the PTE to have write permission. If we find a valid 2MB PTE in the PMD, we need to clear it and do a TLB invalidation before installing either the new 2MB PTE or a pointer to a page table page. This also corrects an assumption that get_user_pages_fast would set the _PAGE_DIRTY bit if we are writing, which is not true. Instead we mark the page dirty explicitly with set_page_dirty_lock(). This also means we don't need the dirty bit set on the host PTE when providing write access on a read fault. [paulus(a)ozlabs.org - use mark_pages_dirty instead of kvmppc_update_dirty_map] Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org> --- arch/powerpc/kvm/book3s_64_mmu_radix.c | 72 ++++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 26 deletions(-) diff --git a/arch/powerpc/kvm/book3s_64_mmu_radix.c b/arch/powerpc/kvm/book3s_64_mmu_radix.c index c5d7435455f1..27a41695fcfd 100644 --- a/arch/powerpc/kvm/book3s_64_mmu_radix.c +++ b/arch/powerpc/kvm/book3s_64_mmu_radix.c @@ -19,6 +19,9 @@ #include <asm/pgalloc.h> #include <asm/pte-walk.h> +static void mark_pages_dirty(struct kvm *kvm, struct kvm_memory_slot *memslot, + unsigned long gfn, unsigned int order); + /* * Supported radix tree geometry. * Like p9, we support either 5 or 9 bits at the first (lowest) level, @@ -195,6 +198,12 @@ static void kvmppc_pte_free(pte_t *ptep) kmem_cache_free(kvm_pte_cache, ptep); } +/* Like pmd_huge() and pmd_large(), but works regardless of config options */ +static inline int pmd_is_leaf(pmd_t pmd) +{ + return !!(pmd_val(pmd) & _PAGE_PTE); +} + static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, unsigned int level, unsigned long mmu_seq) { @@ -219,7 +228,7 @@ static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, else new_pmd = pmd_alloc_one(kvm->mm, gpa); - if (level == 0 && !(pmd && pmd_present(*pmd))) + if (level == 0 && !(pmd && pmd_present(*pmd) && !pmd_is_leaf(*pmd))) new_ptep = kvmppc_pte_alloc(); /* Check if we might have been invalidated; let the guest retry if so */ @@ -244,12 +253,30 @@ static int kvmppc_create_pte(struct kvm *kvm, pte_t pte, unsigned long gpa, new_pmd = NULL; } pmd = pmd_offset(pud, gpa); - if (pmd_large(*pmd)) { - /* Someone else has instantiated a large page here; retry */ - ret = -EAGAIN; - goto out_unlock; - } - if (level == 1 && !pmd_none(*pmd)) { + if (pmd_is_leaf(*pmd)) { + unsigned long lgpa = gpa & PMD_MASK; + + /* + * If we raced with another CPU which has just put + * a 2MB pte in after we saw a pte page, try again. + */ + if (level == 0 && !new_ptep) { + ret = -EAGAIN; + goto out_unlock; + } + /* Valid 2MB page here already, remove it */ + old = kvmppc_radix_update_pte(kvm, pmdp_ptep(pmd), + ~0UL, 0, lgpa, PMD_SHIFT); + kvmppc_radix_tlbie_page(kvm, lgpa, PMD_SHIFT); + if (old & _PAGE_DIRTY) { + unsigned long gfn = lgpa >> PAGE_SHIFT; + struct kvm_memory_slot *memslot; + memslot = gfn_to_memslot(kvm, gfn); + if (memslot) + mark_pages_dirty(kvm, memslot, gfn, + PMD_SHIFT - PAGE_SHIFT); + } + } else if (level == 1 && !pmd_none(*pmd)) { /* * There's a page table page here, but we wanted * to install a large page. Tell the caller and let @@ -412,28 +439,24 @@ int kvmppc_book3s_radix_page_fault(struct kvm_run *run, struct kvm_vcpu *vcpu, } else { page = pages[0]; pfn = page_to_pfn(page); - if (PageHuge(page)) { - page = compound_head(page); - pte_size <<= compound_order(page); + if (PageCompound(page)) { + pte_size <<= compound_order(compound_head(page)); /* See if we can insert a 2MB large-page PTE here */ if (pte_size >= PMD_SIZE && - (gpa & PMD_MASK & PAGE_MASK) == - (hva & PMD_MASK & PAGE_MASK)) { + (gpa & (PMD_SIZE - PAGE_SIZE)) == + (hva & (PMD_SIZE - PAGE_SIZE))) { level = 1; pfn &= ~((PMD_SIZE >> PAGE_SHIFT) - 1); } } /* See if we can provide write access */ if (writing) { - /* - * We assume gup_fast has set dirty on the host PTE. - */ pgflags |= _PAGE_WRITE; } else { local_irq_save(flags); ptep = find_current_mm_pte(current->mm->pgd, hva, NULL, NULL); - if (ptep && pte_write(*ptep) && pte_dirty(*ptep)) + if (ptep && pte_write(*ptep)) pgflags |= _PAGE_WRITE; local_irq_restore(flags); } @@ -459,18 +482,15 @@ int kvmppc_book3s_radix_page_fault(struct kvm_run *run, struct kvm_vcpu *vcpu, pte = pfn_pte(pfn, __pgprot(pgflags)); ret = kvmppc_create_pte(kvm, pte, gpa, level, mmu_seq); } - if (ret == 0 || ret == -EAGAIN) - ret = RESUME_GUEST; if (page) { - /* - * We drop pages[0] here, not page because page might - * have been set to the head page of a compound, but - * we have to drop the reference on the correct tail - * page to match the get inside gup() - */ - put_page(pages[0]); + if (!ret && (pgflags & _PAGE_WRITE)) + set_page_dirty_lock(page); + put_page(page); } + + if (ret == 0 || ret == -EAGAIN) + ret = RESUME_GUEST; return ret; } @@ -676,7 +696,7 @@ void kvmppc_free_radix(struct kvm *kvm) continue; pmd = pmd_offset(pud, 0); for (im = 0; im < PTRS_PER_PMD; ++im, ++pmd) { - if (pmd_huge(*pmd)) { + if (pmd_is_leaf(*pmd)) { pmd_clear(pmd); continue; } -- 2.11.0

7 years, 4 months

2
1
0 0

[PATCH v2 04/13] soc: rockchip: power-domain: Fix wrong value when power up pd

by Elaine Zhang

From: Finley Xiao <finley.xiao(a)rock-chips.com> Solve the pd could only ever turn off but never turn them on again, If the pd registers have the writemask bits. Fix up the code error for commit: commit 79bb17ce8edb3141339b5882e372d0ec7346217c Author: Elaine Zhang <zhangqing(a)rock-chips.com> Date: Fri Dec 23 11:47:52 2016 +0800 soc: rockchip: power-domain: Support domain control in hiword-registers New Rockchips SoCs may have their power-domain control in registers using a writemask-based access scheme (upper 16bit being the write mask). So add a DOMAIN_M type and handle this case accordingly. Signed-off-by: Elaine Zhang <zhangqing(a)rock-chips.com> Signed-off-by: Heiko Stuebner <heiko(a)sntech.de> Signed-off-by: Finley Xiao <finley.xiao(a)rock-chips.com> Signed-off-by: Elaine Zhang <zhangqing(a)rock-chips.com> --- drivers/soc/rockchip/pm_domains.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/soc/rockchip/pm_domains.c b/drivers/soc/rockchip/pm_domains.c index ebd7c41898c0..01d4ba26a054 100644 --- a/drivers/soc/rockchip/pm_domains.c +++ b/drivers/soc/rockchip/pm_domains.c @@ -264,7 +264,7 @@ static void rockchip_do_pmu_set_power_domain(struct rockchip_pm_domain *pd, return; else if (pd->info->pwr_w_mask) regmap_write(pmu->regmap, pmu->info->pwr_offset, - on ? pd->info->pwr_mask : + on ? pd->info->pwr_w_mask : (pd->info->pwr_mask | pd->info->pwr_w_mask)); else regmap_update_bits(pmu->regmap, pmu->info->pwr_offset, -- 1.9.1

7 years, 4 months

2
1
0 0

[PATCH v4.14 1/4] KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry

by Paul Mackerras

commit a8b48a4dccea77e29462e59f1dbf0d5aa1ff167c upstream. This fixes a bug where the trap number that is returned by __kvmppc_vcore_entry gets corrupted. The effect of the corruption is that IPIs get ignored on POWER9 systems when the IPI is sent via a doorbell interrupt to a CPU which is executing in a KVM guest. The effect of the IPI being ignored is often that another CPU locks up inside smp_call_function_many() (and if that CPU is holding a spinlock, other CPUs then lock up inside raw_spin_lock()). The trap number is currently held in register r12 for most of the assembly-language part of the guest exit path. In that path, we call kvmppc_subcore_exit_guest(), which is a C function, without restoring r12 afterwards. Depending on the kernel config and the compiler, it may modify r12 or it may not, so some config/compiler combinations see the bug and others don't. To fix this, we arrange for the trap number to be stored on the stack from the point where kvmhv_commence_exit is called until the end of the function, then the trap number is loaded and returned in r12 as before. Cc: stable(a)vger.kernel.org # v4.8+ Fixes: fd7bacbca47a ("KVM: PPC: Book3S HV: Fix TB corruption in guest exit path on HMI interrupt") Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org> --- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S index 2b3194b9608f..663a398449b7 100644 --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S @@ -308,7 +308,6 @@ kvm_novcpu_exit: stw r12, STACK_SLOT_TRAP(r1) bl kvmhv_commence_exit nop - lwz r12, STACK_SLOT_TRAP(r1) b kvmhv_switch_to_host /* @@ -1136,6 +1135,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) secondary_too_late: li r12, 0 + stw r12, STACK_SLOT_TRAP(r1) cmpdi r4, 0 beq 11f stw r12, VCPU_TRAP(r4) @@ -1445,12 +1445,12 @@ mc_cont: 1: #endif /* CONFIG_KVM_XICS */ + stw r12, STACK_SLOT_TRAP(r1) mr r3, r12 /* Increment exit count, poke other threads to exit */ bl kvmhv_commence_exit nop ld r9, HSTATE_KVM_VCPU(r13) - lwz r12, VCPU_TRAP(r9) /* Stop others sending VCPU interrupts to this physical CPU */ li r0, -1 @@ -1816,6 +1816,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_POWER9_DD1) * POWER7/POWER8 guest -> host partition switch code. * We don't have to lock against tlbies but we do * have to coordinate the hardware threads. + * Here STACK_SLOT_TRAP(r1) contains the trap number. */ kvmhv_switch_to_host: /* Secondary threads wait for primary to do partition switch */ @@ -1868,11 +1869,11 @@ BEGIN_FTR_SECTION END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) /* If HMI, call kvmppc_realmode_hmi_handler() */ + lwz r12, STACK_SLOT_TRAP(r1) cmpwi r12, BOOK3S_INTERRUPT_HMI bne 27f bl kvmppc_realmode_hmi_handler nop - li r12, BOOK3S_INTERRUPT_HMI /* * At this point kvmppc_realmode_hmi_handler would have resync-ed * the TB. Hence it is not required to subtract guest timebase @@ -1950,6 +1951,7 @@ END_MMU_FTR_SECTION_IFSET(MMU_FTR_TYPE_RADIX) li r0, KVM_GUEST_MODE_NONE stb r0, HSTATE_IN_GUEST(r13) + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ ld r0, SFS+PPC_LR_STKOFF(r1) addi r1, r1, SFS mtlr r0 -- 2.11.0

7 years, 4 months

2
8
0 0

[PATCH] ext4: update mtime in ext4_punch_hole even if no blocks are released

by Lukas Czerner

Currently in ext4_punch_hole we're going to skip the mtime update if there are no actual blocks to release. However we've actually modified the file by zeroing the partial block so the mtime should be updated. Moreover the sync and datasync handling is skipped as well, which is also wrong. Fix it. Signed-off-by: Lukas Czerner <lczerner(a)redhat.com> Reported-by: Joe Habermann <joe.habermann(a)quantum.com> Cc: <stable(a)vger.kernel.org> --- fs/ext4/inode.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 1e50c5e..6b4c5c0 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4298,28 +4298,28 @@ int ext4_punch_hole(struct inode *inode, loff_t offset, loff_t length) EXT4_BLOCK_SIZE_BITS(sb); stop_block = (offset + length) >> EXT4_BLOCK_SIZE_BITS(sb); - /* If there are no blocks to remove, return now */ - if (first_block >= stop_block) - goto out_stop; + /* If there are blocks to remove, do it */ + if (stop_block > first_block) { - down_write(&EXT4_I(inode)->i_data_sem); - ext4_discard_preallocations(inode); + down_write(&EXT4_I(inode)->i_data_sem); + ext4_discard_preallocations(inode); - ret = ext4_es_remove_extent(inode, first_block, - stop_block - first_block); - if (ret) { - up_write(&EXT4_I(inode)->i_data_sem); - goto out_stop; - } + ret = ext4_es_remove_extent(inode, first_block, + stop_block - first_block); + if (ret) { + up_write(&EXT4_I(inode)->i_data_sem); + goto out_stop; + } - if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) - ret = ext4_ext_remove_space(inode, first_block, - stop_block - 1); - else - ret = ext4_ind_remove_space(handle, inode, first_block, - stop_block); + if (ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)) + ret = ext4_ext_remove_space(inode, first_block, + stop_block - 1); + else + ret = ext4_ind_remove_space(handle, inode, first_block, + stop_block); - up_write(&EXT4_I(inode)->i_data_sem); + up_write(&EXT4_I(inode)->i_data_sem); + } if (IS_SYNC(inode)) ext4_handle_sync(handle); -- 2.7.5

7 years, 4 months

2
1
0 0

[PATCH] ext4: Fix hole length detection in ext4_ind_map_blocks()

by Jan Kara

When ext4_ind_map_blocks() computes a length of a hole, it doesn't count with the fact that mapped offset may be somewhere in the middle of the completely empty subtree. In such case it will return too large length of the hole which then results in lseek(SEEK_DATA) to end up returning an incorrect offset beyond the end of the hole. Fix the problem by correctly taking offset within a subtree into account when computing a length of a hole. Fixes: facab4d9711e7aa3532cb82643803e8f1b9518e8 CC: stable(a)vger.kernel.org Reported-by: Jeff Mahoney <jeffm(a)suse.com> Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/ext4/indirect.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) I'll submit corresponding fstest shortly. diff --git a/fs/ext4/indirect.c b/fs/ext4/indirect.c index c32802c956d5..bf7fa1507e81 100644 --- a/fs/ext4/indirect.c +++ b/fs/ext4/indirect.c @@ -561,10 +561,16 @@ int ext4_ind_map_blocks(handle_t *handle, struct inode *inode, unsigned epb = inode->i_sb->s_blocksize / sizeof(u32); int i; - /* Count number blocks in a subtree under 'partial' */ - count = 1; - for (i = 0; partial + i != chain + depth - 1; i++) - count *= epb; + /* + * Count number blocks in a subtree under 'partial'. At each + * level we count number of complete empty subtrees beyond + * current offset and then descend into the subtree only + * partially beyond current offset. + */ + count = 0; + for (i = partial - chain + 1; i < depth; i++) + count = count * epb + (epb - offsets[i] - 1); + count++; /* Fill in size of a hole we found */ map->m_pblk = 0; map->m_len = min_t(unsigned int, map->m_len, count); -- 2.13.6

7 years, 4 months

2
1
0 0

[BUGFIX PATCH v3 0/4] arm: kprobes: Fix to prohibit probing on unsafe functions

by Masami Hiramatsu

Hi, This is the 3rd version of bugfix series for kprobes on arm. This series fixes 4 different issues which I found. - Fix to use smp_processor_id() after disabling preemption. - Prohibit probing on optimized_callback() for avoiding recursive probe. - Prohibit kprobes on do_undefinstr() by same reason. - Prohibit kprobes on get_user() by same reason. >From v2, I included another 2 bugfixes (1/4 and 2/4) which are not merged yet, and added "Cc: stable(a)vger.kernel.org", since there are obvious bugs. Thanks, --- Masami Hiramatsu (4): arm: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed arm: kprobes: Prohibit probing on optimized_callback arm: kprobes: Prohibit kprobes on do_undefinstr arm: kprobes: Prohibit kprobes on get_user functions arch/arm/include/asm/assembler.h | 10 ++++++++++ arch/arm/kernel/traps.c | 5 ++++- arch/arm/lib/getuser.S | 10 ++++++++++ arch/arm/probes/kprobes/opt-arm.c | 4 +++- 4 files changed, 27 insertions(+), 2 deletions(-) -- Masami Hiramatsu (Linaro) <mhiramat(a)kernel.org>

7 years, 4 months

4
11
0 0

[PATCH 4.4 00/50] 4.4.130-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.130 release. There are 50 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Apr 29 13:56:42 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.130-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.130-rc1 Heiko Carstens <heiko.carstens(a)de.ibm.com> s390/uprobes: implement arch_uretprobe_is_alive() Sebastian Ott <sebott(a)linux.ibm.com> s390/cio: update chpid descriptor after resource accessibility event Dan Carpenter <dan.carpenter(a)oracle.com> cdrom: information leak in cdrom_ioctl_media_changed() Martin K. Petersen <martin.petersen(a)oracle.com> scsi: mptsas: Disable WRITE SAME Eric Dumazet <edumazet(a)google.com> ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy Eric Dumazet <edumazet(a)google.com> net: af_packet: fix race in PACKET_{R|T}X_RING Eric Dumazet <edumazet(a)google.com> tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets Wolfgang Bumiller <w.bumiller(a)proxmox.com> net: fix deadlock while clearing neighbor proxy table Eric Dumazet <edumazet(a)google.com> tipc: add policy for TIPC_NLA_NET_ADDR Cong Wang <xiyou.wangcong(a)gmail.com> llc: fix NULL pointer deref for SOCK_ZAPPED Cong Wang <xiyou.wangcong(a)gmail.com> llc: hold llc_sap before release_sock() Xin Long <lucien.xin(a)gmail.com> sctp: do not check port in sctp_inet6_cmp_addr Toshiaki Makita <makita.toshiaki(a)lab.ntt.co.jp> vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi Guillaume Nault <g.nault(a)alphalink.fr> pppoe: check sockaddr length in pppoe_connect() Willem de Bruijn <willemb(a)google.com> packet: fix bitfield update race Xin Long <lucien.xin(a)gmail.com> team: fix netconsole setup over team Paolo Abeni <pabeni(a)redhat.com> team: avoid adding twice the same option to the event list Jann Horn <jannh(a)google.com> tcp: don't read out-of-bounds opsize Cong Wang <xiyou.wangcong(a)gmail.com> llc: delete timers synchronously in llc_sk_free() Eric Dumazet <edumazet(a)google.com> net: validate attribute sizes in neigh_dump_table() Guillaume Nault <g.nault(a)alphalink.fr> l2tp: check sockaddr length in pppol2tp_connect() Eric Biggers <ebiggers(a)google.com> KEYS: DNS: limit the length of option strings Xin Long <lucien.xin(a)gmail.com> bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: correct module section names for expoline code revert Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: correct nospec auto detection init order Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: add sysfs attributes for spectre Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: report spectre mitigation via syslog Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: add automatic detection of the spectre defense Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: move nobp parameter functions to nospec-branch.c Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390/entry.S: fix spurious zeroing of r0 Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: do not bypass BPENTER for interrupt system calls Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: introduce execute-trampolines for branches Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: run user space and KVM guests with modified branch prediction Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: add options to change branch prediction behaviour for the kernel Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390/alternative: use a copy of the facility bit mask Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: add optimized array_index_mask_nospec Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: scrub registers on kernel entry and KVM exit Martin Schwidefsky <schwidefsky(a)de.ibm.com> KVM: s390: wire up bpb feature Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: enable CPU alternatives unconditionally Martin Schwidefsky <schwidefsky(a)de.ibm.com> s390: introduce CPU alternatives Karthikeyan Periyasamy <periyasa(a)codeaurora.org> Revert "ath10k: send (re)assoc peer command when NSS changed" Sahitya Tummala <stummala(a)codeaurora.org> jbd2: fix use after free in kjournald2() Felix Fietkau <nbd(a)nbd.name> ath9k_hw: check if the chip failed to wake up Dmitry Torokhov <dmitry.torokhov(a)gmail.com> Input: drv260x - fix initializing overdrive voltage Grant Grundler <grundler(a)chromium.org> r8152: add Linksys USB3GIGV1 id Chen Feng <puck.chen(a)hisilicon.com> staging: ion : Donnot wakeup kswapd in ion system alloc Jiri Olsa <jolsa(a)kernel.org> perf: Return proper values for user stack errors Xiaoming Gao <gxm.linux.kernel(a)gmail.com> x86/tsc: Prevent 32bit truncation in calc_hpet_ref() Steve French <smfrench(a)gmail.com> cifs: do not allow creating sockets except with SMB1 posix exensions ------------- Diffstat: Documentation/kernel-parameters.txt | 3 + Makefile | 4 +- arch/s390/Kconfig | 47 +++++ arch/s390/Makefile | 10 ++ arch/s390/include/asm/alternative.h | 149 +++++++++++++++ arch/s390/include/asm/barrier.h | 24 +++ arch/s390/include/asm/facility.h | 18 ++ arch/s390/include/asm/kvm_host.h | 3 +- arch/s390/include/asm/lowcore.h | 7 +- arch/s390/include/asm/nospec-branch.h | 17 ++ arch/s390/include/asm/processor.h | 4 + arch/s390/include/asm/thread_info.h | 4 + arch/s390/include/uapi/asm/kvm.h | 3 + arch/s390/kernel/Makefile | 5 +- arch/s390/kernel/alternative.c | 112 ++++++++++++ arch/s390/kernel/early.c | 5 + arch/s390/kernel/entry.S | 250 +++++++++++++++++++++++--- arch/s390/kernel/ipl.c | 1 + arch/s390/kernel/module.c | 65 ++++++- arch/s390/kernel/nospec-branch.c | 169 +++++++++++++++++ arch/s390/kernel/processor.c | 18 ++ arch/s390/kernel/setup.c | 14 +- arch/s390/kernel/smp.c | 7 +- arch/s390/kernel/uprobes.c | 9 + arch/s390/kernel/vmlinux.lds.S | 37 ++++ arch/s390/kvm/kvm-s390.c | 13 +- arch/x86/kernel/tsc.c | 2 +- drivers/cdrom/cdrom.c | 2 +- drivers/input/misc/drv260x.c | 2 +- drivers/message/fusion/mptsas.c | 1 + drivers/net/bonding/bond_main.c | 3 +- drivers/net/ppp/pppoe.c | 4 + drivers/net/team/team.c | 38 +++- drivers/net/usb/cdc_ether.c | 10 ++ drivers/net/usb/r8152.c | 2 + drivers/net/wireless/ath/ath10k/mac.c | 5 +- drivers/net/wireless/ath/ath9k/hw.c | 4 + drivers/s390/char/Makefile | 2 + drivers/s390/cio/chsc.c | 14 +- drivers/staging/android/ion/ion_system_heap.c | 2 +- fs/cifs/dir.c | 9 +- fs/jbd2/journal.c | 2 +- include/linux/if_vlan.h | 7 +- include/net/llc_conn.h | 1 + include/uapi/linux/kvm.h | 1 + kernel/events/core.c | 4 +- net/core/dev.c | 2 +- net/core/neighbour.c | 40 +++-- net/dns_resolver/dns_key.c | 13 +- net/ipv4/tcp.c | 6 +- net/ipv4/tcp_input.c | 7 +- net/ipv6/route.c | 2 + net/l2tp/l2tp_ppp.c | 7 + net/llc/af_llc.c | 14 +- net/llc/llc_c_ac.c | 9 +- net/llc/llc_conn.c | 22 ++- net/packet/af_packet.c | 88 ++++++--- net/packet/internal.h | 10 +- net/sctp/ipv6.c | 60 +++---- net/tipc/net.c | 3 +- 60 files changed, 1228 insertions(+), 168 deletions(-)

7 years, 4 months

7
58
0 0

[PATCH] [stable 4.9] arm64: Add work around for Arm Cortex-A55 Erratum 1024718

by Suzuki K Poulose

commit ece1397cbc89c51914fae1aec729539cfd8bd62b upstream Some variants of the Arm Cortex-55 cores (r0p0, r0p1, r1p0) suffer from an erratum 1024718, which causes incorrect updates when DBM/AP bits in a page table entry is modified without a break-before-make sequence. The work around is to disable the hardware DBM feature on the affected cores. The hardware Access Flag management features is not affected. The hardware DBM feature is a non-conflicting capability, i.e, the kernel could handle cores using the feature and those without having the features running at the same time. So this work around is detected at early boot time, rather than delaying it until the CPUs are brought up into the kernel with MMU turned on. This also avoids other complexities with late CPUs turning online, with or without the hardware DBM features. Cc: stable(a)vger.kernel.org # v4.9 Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Will Deacon <will.deacon(a)arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> --- Note: The upstream commit is on top of a reworked capability infrastructure for arm64 heterogeneous systems, which allows delaying the CPU model checks. This backport is based on the original version of the patch [0], which checks the affected CPU models during the early boot. [0] https://lkml.kernel.org/r/20180116102323.3470-1-suzuki.poulose@arm.com --- Documentation/arm64/silicon-errata.txt | 1 + arch/arm64/Kconfig | 14 ++++++++++++ arch/arm64/include/asm/assembler.h | 40 ++++++++++++++++++++++++++++++++++ arch/arm64/include/asm/cputype.h | 5 +++++ arch/arm64/mm/proc.S | 5 +++++ 5 files changed, 65 insertions(+) diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt index d11af52..ac9489f 100644 --- a/Documentation/arm64/silicon-errata.txt +++ b/Documentation/arm64/silicon-errata.txt @@ -54,6 +54,7 @@ stable kernels. | ARM | Cortex-A57 | #852523 | N/A | | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | | ARM | Cortex-A72 | #853709 | N/A | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | | ARM | MMU-500 | #841119,#826419 | N/A | | | | | | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index 90e58bb..d0df361 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -427,6 +427,20 @@ config ARM64_ERRATUM_843419 If unsure, say Y. +config ARM64_ERRATUM_1024718 + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" + default y + help + This option adds work around for Arm Cortex-A55 Erratum 1024718. + + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect + update of the hardware dirty bit when the DBM/AP bits are updated + without a break-before-make. The work around is to disable the usage + of hardware DBM locally on the affected cores. CPUs not affected by + erratum will continue to use the feature. + + If unsure, say Y. + config CAVIUM_ERRATUM_22375 bool "Cavium erratum 22375, 24313" default y diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h index e60375c..bfcfec3 100644 --- a/arch/arm64/include/asm/assembler.h +++ b/arch/arm64/include/asm/assembler.h @@ -25,6 +25,7 @@ #include <asm/asm-offsets.h> #include <asm/cpufeature.h> +#include <asm/cputype.h> #include <asm/page.h> #include <asm/pgtable-hwdef.h> #include <asm/ptrace.h> @@ -435,4 +436,43 @@ alternative_endif and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) .endm +/* + * Check the MIDR_EL1 of the current CPU for a given model and a range of + * variant/revision. See asm/cputype.h for the macros used below. + * + * model: MIDR_CPU_MODEL of CPU + * rv_min: Minimum of MIDR_CPU_VAR_REV() + * rv_max: Maximum of MIDR_CPU_VAR_REV() + * res: Result register. + * tmp1, tmp2, tmp3: Temporary registers + * + * Corrupts: res, tmp1, tmp2, tmp3 + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise + */ + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 + mrs \res, midr_el1 + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) + mov_q \tmp2, MIDR_CPU_MODEL_MASK + and \tmp3, \res, \tmp2 // Extract model + and \tmp1, \res, \tmp1 // rev & variant + mov_q \tmp2, \model + cmp \tmp3, \tmp2 + cset \res, eq + cbz \res, .Ldone\@ // Model matches ? + + .if (\rv_min != 0) // Skip min check if rv_min == 0 + mov_q \tmp3, \rv_min + cmp \tmp1, \tmp3 + cset \res, ge + .endif // \rv_min != 0 + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ + .if ((\rv_min != \rv_max) || \rv_min == 0) + mov_q \tmp2, \rv_max + cmp \tmp1, \tmp2 + cset \tmp2, le + and \res, \res, \tmp2 + .endif +.Ldone\@: + .endm + #endif /* __ASM_ASSEMBLER_H */ diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h index 9ee3038..39d1db6 100644 --- a/arch/arm64/include/asm/cputype.h +++ b/arch/arm64/include/asm/cputype.h @@ -56,6 +56,9 @@ (0xf << MIDR_ARCHITECTURE_SHIFT) | \ ((partnum) << MIDR_PARTNUM_SHIFT)) +#define MIDR_CPU_VAR_REV(var, rev) \ + (((var) << MIDR_VARIANT_SHIFT) | (rev)) + #define MIDR_CPU_MODEL_MASK (MIDR_IMPLEMENTOR_MASK | MIDR_PARTNUM_MASK | \ MIDR_ARCHITECTURE_MASK) @@ -74,6 +77,7 @@ #define ARM_CPU_PART_AEM_V8 0xD0F #define ARM_CPU_PART_FOUNDATION 0xD00 +#define ARM_CPU_PART_CORTEX_A55 0xD05 #define ARM_CPU_PART_CORTEX_A57 0xD07 #define ARM_CPU_PART_CORTEX_A72 0xD08 #define ARM_CPU_PART_CORTEX_A53 0xD03 @@ -89,6 +93,7 @@ #define BRCM_CPU_PART_VULCAN 0x516 #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S index 619da1c..66cce21 100644 --- a/arch/arm64/mm/proc.S +++ b/arch/arm64/mm/proc.S @@ -425,6 +425,11 @@ ENTRY(__cpu_setup) cbz x9, 2f cmp x9, #2 b.lt 1f +#ifdef CONFIG_ARM64_ERRATUM_1024718 + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 + cbnz x1, 1f +#endif orr x10, x10, #TCR_HD // hardware Dirty flag update 1: orr x10, x10, #TCR_HA // hardware Access flag update 2: -- 2.7.4

7 years, 4 months

3
3
0 0

FAILED: patch "[PATCH] drm/i915: Adjust eDP's logical vco in a reliable place." failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 9d219554d9bf59875b4e571a0392d620e8954879 Mon Sep 17 00:00:00 2001 From: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Date: Wed, 2 May 2018 10:52:55 -0700 Subject: [PATCH] drm/i915: Adjust eDP's logical vco in a reliable place. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit On intel_dp_compute_config() we were calculating the needed vco for eDP on gen9 and we stashing it in intel_atomic_state.cdclk.logical.vco However few moments later on intel_modeset_checks() we fully replace entire intel_atomic_state.cdclk.logical with dev_priv->cdclk.logical fully overwriting the logical desired vco for eDP on gen9. So, with wrong VCO value we end up with wrong desired cdclk, but also it will raise a lot of WARNs: On gen9, when we read CDCLK_CTL to verify if we configured properly the desired frequency the CD Frequency Select bits [27:26] == 10b can mean 337.5 or 308.57 MHz depending on the VCO. So if we have wrong VCO value stashed we will believe the frequency selection didn't stick and start to raise WARNs of cdclk mismatch. [ 42.857519] [drm:intel_dump_cdclk_state [i915]] Changing CDCLK to 308571 kHz, VCO 8640000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 [ 42.897269] cdclk state doesn't match! [ 42.901052] WARNING: CPU: 5 PID: 1116 at drivers/gpu/drm/i915/intel_cdclk.c:2084 intel_set_cdclk+0x5d/0x110 [i915] [ 42.938004] RIP: 0010:intel_set_cdclk+0x5d/0x110 [i915] [ 43.155253] WARNING: CPU: 5 PID: 1116 at drivers/gpu/drm/i915/intel_cdclk.c:2084 intel_set_cdclk+0x5d/0x110 [i915] [ 43.170277] [drm:intel_dump_cdclk_state [i915]] [hw state] 337500 kHz, VCO 8100000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 [ 43.182566] [drm:intel_dump_cdclk_state [i915]] [sw state] 308571 kHz, VCO 8640000 kHz, ref 24000 kHz, bypass 24000 kHz, voltage level 0 v2: Move the entire eDP's vco logical adjustment to inside the skl_modeset_calc_cdclk as suggested by Ville. Cc: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Signed-off-by: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Reviewed-by: Ville Syrjälä <ville.syrjala(a)linux.intel.com> Fixes: bb0f4aab0e76 ("drm/i915: Track full cdclk state for the logical and actual cdclk frequencies") Cc: <stable(a)vger.kernel.org> # v4.12+ Link: https://patchwork.freedesktop.org/patch/msgid/20180502175255.5344-1-rodrigo… (cherry picked from commit 3297234a05ab1e90091b0574db4c397ef0e90d5f) Signed-off-by: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> diff --git a/drivers/gpu/drm/i915/intel_cdclk.c b/drivers/gpu/drm/i915/intel_cdclk.c index 32d24c69da3c..704ddb4d3ca7 100644 --- a/drivers/gpu/drm/i915/intel_cdclk.c +++ b/drivers/gpu/drm/i915/intel_cdclk.c @@ -2302,9 +2302,44 @@ static int bdw_modeset_calc_cdclk(struct drm_atomic_state *state) return 0; } +static int skl_dpll0_vco(struct intel_atomic_state *intel_state) +{ + struct drm_i915_private *dev_priv = to_i915(intel_state->base.dev); + struct intel_crtc *crtc; + struct intel_crtc_state *crtc_state; + int vco, i; + + vco = intel_state->cdclk.logical.vco; + if (!vco) + vco = dev_priv->skl_preferred_vco_freq; + + for_each_new_intel_crtc_in_state(intel_state, crtc, crtc_state, i) { + if (!crtc_state->base.enable) + continue; + + if (!intel_crtc_has_type(crtc_state, INTEL_OUTPUT_EDP)) + continue; + + /* + * DPLL0 VCO may need to be adjusted to get the correct + * clock for eDP. This will affect cdclk as well. + */ + switch (crtc_state->port_clock / 2) { + case 108000: + case 216000: + vco = 8640000; + break; + default: + vco = 8100000; + break; + } + } + + return vco; +} + static int skl_modeset_calc_cdclk(struct drm_atomic_state *state) { - struct drm_i915_private *dev_priv = to_i915(state->dev); struct intel_atomic_state *intel_state = to_intel_atomic_state(state); int min_cdclk, cdclk, vco; @@ -2312,9 +2347,7 @@ static int skl_modeset_calc_cdclk(struct drm_atomic_state *state) if (min_cdclk < 0) return min_cdclk; - vco = intel_state->cdclk.logical.vco; - if (!vco) - vco = dev_priv->skl_preferred_vco_freq; + vco = skl_dpll0_vco(intel_state); /* * FIXME should also account for plane ratio diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c index 9a4a51e79fa1..b7b4cfdeb974 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c @@ -1881,26 +1881,6 @@ intel_dp_compute_config(struct intel_encoder *encoder, reduce_m_n); } - /* - * DPLL0 VCO may need to be adjusted to get the correct - * clock for eDP. This will affect cdclk as well. - */ - if (intel_dp_is_edp(intel_dp) && IS_GEN9_BC(dev_priv)) { - int vco; - - switch (pipe_config->port_clock / 2) { - case 108000: - case 216000: - vco = 8640000; - break; - default: - vco = 8100000; - break; - } - - to_intel_atomic_state(pipe_config->base.state)->cdclk.logical.vco = vco; - } - if (!HAS_DDI(dev_priv)) intel_dp_set_clock(encoder, pipe_config);

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] mm: treat indirectly reclaimable memory as free in overcommit" failed to apply to 4.14-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From d79f7aa496fc94d763f67b833a1f36f4c171176f Mon Sep 17 00:00:00 2001 From: Roman Gushchin <guro(a)fb.com> Date: Tue, 10 Apr 2018 16:27:47 -0700 Subject: [PATCH] mm: treat indirectly reclaimable memory as free in overcommit logic Indirectly reclaimable memory can consume a significant part of total memory and it's actually reclaimable (it will be released under actual memory pressure). So, the overcommit logic should treat it as free. Otherwise, it's possible to cause random system-wide memory allocation failures by consuming a significant amount of memory by indirectly reclaimable memory, e.g. dentry external names. If overcommit policy GUESS is used, it might be used for denial of service attack under some conditions. The following program illustrates the approach. It causes the kernel to allocate an unreclaimable kmalloc-256 chunk for each stat() call, so that at some point the overcommit logic may start blocking large allocation system-wide. int main() { char buf[256]; unsigned long i; struct stat statbuf; buf[0] = '/'; for (i = 1; i < sizeof(buf); i++) buf[i] = '_'; for (i = 0; 1; i++) { sprintf(&buf[248], "%8lu", i); stat(buf, &statbuf); } return 0; } This patch in combination with related indirectly reclaimable memory patches closes this issue. Link: http://lkml.kernel.org/r/20180313130041.8078-1-guro@fb.com Signed-off-by: Roman Gushchin <guro(a)fb.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Alexander Viro <viro(a)zeniv.linux.org.uk> Cc: Michal Hocko <mhocko(a)suse.com> Cc: Johannes Weiner <hannes(a)cmpxchg.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds(a)linux-foundation.org> diff --git a/mm/util.c b/mm/util.c index 029fc2f3b395..73676f0f1b43 100644 --- a/mm/util.c +++ b/mm/util.c @@ -667,6 +667,13 @@ int __vm_enough_memory(struct mm_struct *mm, long pages, int cap_sys_admin) */ free += global_node_page_state(NR_SLAB_RECLAIMABLE); + /* + * Part of the kernel memory, which can be released + * under memory pressure. + */ + free += global_node_page_state( + NR_INDIRECTLY_RECLAIMABLE_BYTES) >> PAGE_SHIFT; + /* * Leave reserved pages. The pages are not for anonymous pages. */

7 years, 4 months

1
0
0 0

[PATCH] nvme/pci: Sync controller reset for AER slot_reset

by Keith Busch

AER handling expects a successful return from slot_reset means the driver made the device functional again. The nvme driver had been using an asynchronous reset to recover the device, so the device may still be initializing after control is returned to the AER handler. This creates problems for subsequent event handling, causing the initializion to fail. This patch fixes that by syncing the controller reset before returning to the AER driver, and reporting the true state of the reset. Link: https://bugzilla.kernel.org/show_bug.cgi?id=199657 Reported-by: Alex Gagniuc <mr.nuke.me(a)gmail.com> Cc: Sinan Kaya <okaya(a)codeaurora.org> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Keith Busch <keith.busch(a)intel.com> --- drivers/nvme/host/pci.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/pci.c b/drivers/nvme/host/pci.c index b542dce45927..2e221796257a 100644 --- a/drivers/nvme/host/pci.c +++ b/drivers/nvme/host/pci.c @@ -2681,8 +2681,15 @@ static pci_ers_result_t nvme_slot_reset(struct pci_dev *pdev) dev_info(dev->ctrl.device, "restart after slot reset\n"); pci_restore_state(pdev); - nvme_reset_ctrl(&dev->ctrl); - return PCI_ERS_RESULT_RECOVERED; + nvme_reset_ctrl_sync(&dev->ctrl); + + switch (dev->ctrl.state) { + case NVME_CTRL_LIVE: + case NVME_CTRL_ADMIN_ONLY: + return PCI_ERS_RESULT_RECOVERED; + default: + return PCI_ERS_RESULT_DISCONNECT; + } } static void nvme_error_resume(struct pci_dev *pdev) -- 2.14.3

7 years, 4 months

6
8
0 0

[PATCH 1/1] doc: fix sysfs ABI documentation

by kys＠linuxonhyperv.com

From: Stephen Hemminger <stephen(a)networkplumber.org> In 4.9 kernel, the sysfs files for Hyper-V VMBus changed name but the documentation files were not updated. The current sysfs file names are /sys/bus/vmbus/devices/<UUID>/... See commit 9a56e5d6a0ba ("Drivers: hv: make VMBus bus ids persistent") and commit f6b2db084b65 ("vmbus: make sysfs names consistent with PCI") Reported-by: Michael Kelley <mikelley(a)microsoft.com> Signed-off-by: Stephen Hemminger <sthemmin(a)microsoft.com> Cc: stable(a)vger.kernel.org Signed-off-by: K. Y. Srinivasan <kys(a)microsoft.com> --- Documentation/ABI/stable/sysfs-bus-vmbus | 40 ++++++++++++++++---------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/Documentation/ABI/stable/sysfs-bus-vmbus b/Documentation/ABI/stable/sysfs-bus-vmbus index 0c9d9dcd2151..3eaffbb2d468 100644 --- a/Documentation/ABI/stable/sysfs-bus-vmbus +++ b/Documentation/ABI/stable/sysfs-bus-vmbus @@ -1,25 +1,25 @@ -What: /sys/bus/vmbus/devices/vmbus_*/id +What: /sys/bus/vmbus/devices/<UUID>/id Date: Jul 2009 KernelVersion: 2.6.31 Contact: K. Y. Srinivasan <kys(a)microsoft.com> Description: The VMBus child_relid of the device's primary channel Users: tools/hv/lsvmbus -What: /sys/bus/vmbus/devices/vmbus_*/class_id +What: /sys/bus/vmbus/devices/<UUID>/class_id Date: Jul 2009 KernelVersion: 2.6.31 Contact: K. Y. Srinivasan <kys(a)microsoft.com> Description: The VMBus interface type GUID of the device Users: tools/hv/lsvmbus -What: /sys/bus/vmbus/devices/vmbus_*/device_id +What: /sys/bus/vmbus/devices/<UUID>/device_id Date: Jul 2009 KernelVersion: 2.6.31 Contact: K. Y. Srinivasan <kys(a)microsoft.com> Description: The VMBus interface instance GUID of the device Users: tools/hv/lsvmbus -What: /sys/bus/vmbus/devices/vmbus_*/channel_vp_mapping +What: /sys/bus/vmbus/devices/<UUID>/channel_vp_mapping Date: Jul 2015 KernelVersion: 4.2.0 Contact: K. Y. Srinivasan <kys(a)microsoft.com> @@ -28,112 +28,112 @@ Description: The mapping of which primary/sub channels are bound to which Format: <channel's child_relid:the bound cpu's number> Users: tools/hv/lsvmbus -What: /sys/bus/vmbus/devices/vmbus_*/device +What: /sys/bus/vmbus/devices/<UUID>/device Date: Dec. 2015 KernelVersion: 4.5 Contact: K. Y. Srinivasan <kys(a)microsoft.com> Description: The 16 bit device ID of the device Users: tools/hv/lsvmbus and user level RDMA libraries -What: /sys/bus/vmbus/devices/vmbus_*/vendor +What: /sys/bus/vmbus/devices/<UUID>/vendor Date: Dec. 2015 KernelVersion: 4.5 Contact: K. Y. Srinivasan <kys(a)microsoft.com> Description: The 16 bit vendor ID of the device Users: tools/hv/lsvmbus and user level RDMA libraries -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN +What: /sys/bus/vmbus/devices/<UUID>/channels/<N> Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Directory for per-channel information NN is the VMBUS relid associtated with the channel. -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/cpu Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: VCPU (sub)channel is affinitized to Users: tools/hv/lsvmbus and other debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/cpu +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/cpu Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: VCPU (sub)channel is affinitized to Users: tools/hv/lsvmbus and other debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/in_mask +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/in_mask Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Host to guest channel interrupt mask Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/latency +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/latency Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Channel signaling latency Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/out_mask +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/out_mask Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Guest to host channel interrupt mask Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/pending +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/pending Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Channel interrupt pending state Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/read_avail +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/read_avail Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Bytes available to read Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/write_avail +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/write_avail Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Bytes available to write Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/events +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/events Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Number of times we have signaled the host Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/interrupts +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/interrupts Date: September. 2017 KernelVersion: 4.14 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Number of times we have taken an interrupt (incoming) Users: Debugging tools -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/subchannel_id +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/subchannel_id Date: January. 2018 KernelVersion: 4.16 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Subchannel ID associated with VMBUS channel Users: Debugging tools and userspace drivers -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/monitor_id +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/monitor_id Date: January. 2018 KernelVersion: 4.16 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> Description: Monitor bit associated with channel Users: Debugging tools and userspace drivers -What: /sys/bus/vmbus/devices/vmbus_*/channels/NN/ring +What: /sys/bus/vmbus/devices/<UUID>/channels/<N>/ring Date: January. 2018 KernelVersion: 4.16 Contact: Stephen Hemminger <sthemmin(a)microsoft.com> -- 2.15.1

7 years, 4 months

1
0
0 0

[PATCH v2 03/12] arm: dts: mt7623: fix invalid memory node being generated

by sean.wang＠mediatek.com

From: Sean Wang <sean.wang(a)mediatek.com> Below two wrong nodes in existing DTS files would cause a fail boot since in fact the address 0 is not the correct place the memory device locates at. memory { device_type = "memory"; reg = <0x0 0x0 0x0 0x0>; }; memory@80000000 { reg = <0x0 0x80000000 0x0 0x40000000>; }; In order to avoid having a memory node starting at address 0, we can't include file skeleton64.dtsi and instead need to explicitly manually define a few of properties the DTS relies on such as #address-cells and #size-cells in root node and device_type in the node memory@80000000. Cc: stable(a)vger.kernel.org Fixes: 31ac0d69a1d4 ("ARM: dts: mediatek: add MT7623 basic support") Signed-off-by: Sean Wang <sean.wang(a)mediatek.com> Cc: Rob Herring <robh+dt(a)kernel.org> --- arch/arm/boot/dts/mt7623.dtsi | 3 ++- arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts | 1 + arch/arm/boot/dts/mt7623n-rfb.dtsi | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/arch/arm/boot/dts/mt7623.dtsi b/arch/arm/boot/dts/mt7623.dtsi index fec4715..406a9f3 100644 --- a/arch/arm/boot/dts/mt7623.dtsi +++ b/arch/arm/boot/dts/mt7623.dtsi @@ -15,11 +15,12 @@ #include <dt-bindings/phy/phy.h> #include <dt-bindings/reset/mt2701-resets.h> #include <dt-bindings/thermal/thermal.h> -#include "skeleton64.dtsi" / { compatible = "mediatek,mt7623"; interrupt-parent = <&sysirq>; + #address-cells = <2>; + #size-cells = <2>; cpu_opp_table: opp-table { compatible = "operating-points-v2"; diff --git a/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts b/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts index bbf56f8..5938e4c 100644 --- a/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts +++ b/arch/arm/boot/dts/mt7623n-bananapi-bpi-r2.dts @@ -109,6 +109,7 @@ }; memory@80000000 { + device_type = "memory"; reg = <0 0x80000000 0 0x40000000>; }; }; diff --git a/arch/arm/boot/dts/mt7623n-rfb.dtsi b/arch/arm/boot/dts/mt7623n-rfb.dtsi index a199ae7..343e8ef 100644 --- a/arch/arm/boot/dts/mt7623n-rfb.dtsi +++ b/arch/arm/boot/dts/mt7623n-rfb.dtsi @@ -40,6 +40,7 @@ }; memory@80000000 { + device_type = "memory"; reg = <0 0x80000000 0 0x40000000>; }; -- 2.7.4

7 years, 4 months

3
2
0 0

patch "xhci: Fix use-after-free in xhci_free_virt_device" causes kernel crashes on 4.16.8 on unplug

by Jacob Saunders

On Linux kernel 4.16.8 (using Arch Linux) if I eject a USB 3.0 device from my system (unplug or "udisksctl power-off --block-device /dev/sde), it freezes instantly with a null pointer error in XHCI. I've been unable to successfully capture a kernel log of the error (and my cameras did not return usable results) and the screen begins scrolling near-immediately with hung processors in a VT. I have done a git bisection (between 4.16.7 and 4.16.7) narrowing it down to the following commit: commit f5331826b0b7a5f2db56a9020ddbb8ce16acdfc0 Author: Mathias Nyman <mathias.nyman(a)linux.intel.com> Date: Thu May 3 17:30:07 2018 +0300 xhci: Fix use-after-free in xhci_free_virt_device commit 44a182b9d17765514fa2b1cc911e4e65134eef93 upstream. KASAN found a use-after-free in xhci_free_virt_device+0x33b/0x38e where xhci_free_virt_device() sets slot id to 0 if udev exists: if (dev->udev && dev->udev->slot_id) dev->udev->slot_id = 0; dev->udev will be true even if udev is freed because dev->udev is not set to NULL. set dev->udev pointer to NULL in xhci_free_dev() The original patch went to stable so this fix needs to be applied there as well. Fixes: a400efe455f7 ("xhci: zero usb device slot_id member when disabling and freeing a xhci slot") Cc: <stable(a)vger.kernel.org> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Reviewed-by: Guenter Roeck <linux(a)roeck-us.net> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> :040000 040000 356ecdc13bf252535bd51b8558a8173dae546f19 d28f201228652e87e51ba48f5a0ad4539cca5c29 M drivers Can I be CC'd on future responses to this? I am not subscribed to the list. Jacob Saunders

7 years, 4 months

2
1
0 0

[patch 10/13] mm, oom: fix concurrent munlock and oom reaper unmap, v3

by akpm＠linux-foundation.org

From: David Rientjes <rientjes(a)google.com> Subject: mm, oom: fix concurrent munlock and oom reaper unmap, v3 Since exit_mmap() is done without the protection of mm->mmap_sem, it is possible for the oom reaper to concurrently operate on an mm until MMF_OOM_SKIP is set. This allows munlock_vma_pages_all() to concurrently run while the oom reaper is operating on a vma. Since munlock_vma_pages_range() depends on clearing VM_LOCKED from vm_flags before actually doing the munlock to determine if any other vmas are locking the same memory, the check for VM_LOCKED in the oom reaper is racy. This is especially noticeable on architectures such as powerpc where clearing a huge pmd requires serialize_against_pte_lookup(). If the pmd is zapped by the oom reaper during follow_page_mask() after the check for pmd_none() is bypassed, this ends up deferencing a NULL ptl or a kernel oops. Fix this by manually freeing all possible memory from the mm before doing the munlock and then setting MMF_OOM_SKIP. The oom reaper can not run on the mm anymore so the munlock is safe to do in exit_mmap(). It also matches the logic that the oom reaper currently uses for determining when to set MMF_OOM_SKIP itself, so there's no new risk of excessive oom killing. This issue fixes CVE-2018-1000200. Link: http://lkml.kernel.org/r/alpine.DEB.2.21.1804241526320.238665@chino.kir.cor… Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Signed-off-by: David Rientjes <rientjes(a)google.com> Suggested-by: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Acked-by: Michal Hocko <mhocko(a)suse.com> Cc: Andrea Arcangeli <aarcange(a)redhat.com> Cc: <stable(a)vger.kernel.org> [4.14+] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/oom.h | 2 + mm/mmap.c | 44 +++++++++++++--------- mm/oom_kill.c | 81 ++++++++++++++++++++++-------------------- 3 files changed, 71 insertions(+), 56 deletions(-) diff -puN include/linux/oom.h~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap include/linux/oom.h --- a/include/linux/oom.h~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/include/linux/oom.h @@ -95,6 +95,8 @@ static inline int check_stable_address_s return 0; } +void __oom_reap_task_mm(struct mm_struct *mm); + extern unsigned long oom_badness(struct task_struct *p, struct mem_cgroup *memcg, const nodemask_t *nodemask, unsigned long totalpages); diff -puN mm/mmap.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap mm/mmap.c --- a/mm/mmap.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/mm/mmap.c @@ -3024,6 +3024,32 @@ void exit_mmap(struct mm_struct *mm) /* mm's last user has gone, and its about to be pulled down */ mmu_notifier_release(mm); + if (unlikely(mm_is_oom_victim(mm))) { + /* + * Manually reap the mm to free as much memory as possible. + * Then, as the oom reaper does, set MMF_OOM_SKIP to disregard + * this mm from further consideration. Taking mm->mmap_sem for + * write after setting MMF_OOM_SKIP will guarantee that the oom + * reaper will not run on this mm again after mmap_sem is + * dropped. + * + * Nothing can be holding mm->mmap_sem here and the above call + * to mmu_notifier_release(mm) ensures mmu notifier callbacks in + * __oom_reap_task_mm() will not block. + * + * This needs to be done before calling munlock_vma_pages_all(), + * which clears VM_LOCKED, otherwise the oom reaper cannot + * reliably test it. + */ + mutex_lock(&oom_lock); + __oom_reap_task_mm(mm); + mutex_unlock(&oom_lock); + + set_bit(MMF_OOM_SKIP, &mm->flags); + down_write(&mm->mmap_sem); + up_write(&mm->mmap_sem); + } + if (mm->locked_vm) { vma = mm->mmap; while (vma) { @@ -3045,24 +3071,6 @@ void exit_mmap(struct mm_struct *mm) /* update_hiwater_rss(mm) here? but nobody should be looking */ /* Use -1 here to ensure all VMAs in the mm are unmapped */ unmap_vmas(&tlb, vma, 0, -1); - - if (unlikely(mm_is_oom_victim(mm))) { - /* - * Wait for oom_reap_task() to stop working on this - * mm. Because MMF_OOM_SKIP is already set before - * calling down_read(), oom_reap_task() will not run - * on this "mm" post up_write(). - * - * mm_is_oom_victim() cannot be set from under us - * either because victim->mm is already set to NULL - * under task_lock before calling mmput and oom_mm is - * set not NULL by the OOM killer only if victim->mm - * is found not NULL while holding the task_lock. - */ - set_bit(MMF_OOM_SKIP, &mm->flags); - down_write(&mm->mmap_sem); - up_write(&mm->mmap_sem); - } free_pgtables(&tlb, vma, FIRST_USER_ADDRESS, USER_PGTABLES_CEILING); tlb_finish_mmu(&tlb, 0, -1); diff -puN mm/oom_kill.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap mm/oom_kill.c --- a/mm/oom_kill.c~mm-oom-fix-concurrent-munlock-and-oom-reaper-unmap +++ a/mm/oom_kill.c @@ -469,7 +469,6 @@ bool process_shares_mm(struct task_struc return false; } - #ifdef CONFIG_MMU /* * OOM Reaper kernel thread which tries to reap the memory used by the OOM @@ -480,16 +479,54 @@ static DECLARE_WAIT_QUEUE_HEAD(oom_reape static struct task_struct *oom_reaper_list; static DEFINE_SPINLOCK(oom_reaper_lock); -static bool __oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) +void __oom_reap_task_mm(struct mm_struct *mm) { - struct mmu_gather tlb; struct vm_area_struct *vma; + + /* + * Tell all users of get_user/copy_from_user etc... that the content + * is no longer stable. No barriers really needed because unmapping + * should imply barriers already and the reader would hit a page fault + * if it stumbled over a reaped memory. + */ + set_bit(MMF_UNSTABLE, &mm->flags); + + for (vma = mm->mmap ; vma; vma = vma->vm_next) { + if (!can_madv_dontneed_vma(vma)) + continue; + + /* + * Only anonymous pages have a good chance to be dropped + * without additional steps which we cannot afford as we + * are OOM already. + * + * We do not even care about fs backed pages because all + * which are reclaimable have already been reclaimed and + * we do not want to block exit_mmap by keeping mm ref + * count elevated without a good reason. + */ + if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { + const unsigned long start = vma->vm_start; + const unsigned long end = vma->vm_end; + struct mmu_gather tlb; + + tlb_gather_mmu(&tlb, mm, start, end); + mmu_notifier_invalidate_range_start(mm, start, end); + unmap_page_range(&tlb, vma, start, end, NULL); + mmu_notifier_invalidate_range_end(mm, start, end); + tlb_finish_mmu(&tlb, start, end); + } + } +} + +static bool oom_reap_task_mm(struct task_struct *tsk, struct mm_struct *mm) +{ bool ret = true; /* * We have to make sure to not race with the victim exit path * and cause premature new oom victim selection: - * __oom_reap_task_mm exit_mm + * oom_reap_task_mm exit_mm * mmget_not_zero * mmput * atomic_dec_and_test @@ -534,39 +571,8 @@ static bool __oom_reap_task_mm(struct ta trace_start_task_reaping(tsk->pid); - /* - * Tell all users of get_user/copy_from_user etc... that the content - * is no longer stable. No barriers really needed because unmapping - * should imply barriers already and the reader would hit a page fault - * if it stumbled over a reaped memory. - */ - set_bit(MMF_UNSTABLE, &mm->flags); - - for (vma = mm->mmap ; vma; vma = vma->vm_next) { - if (!can_madv_dontneed_vma(vma)) - continue; + __oom_reap_task_mm(mm); - /* - * Only anonymous pages have a good chance to be dropped - * without additional steps which we cannot afford as we - * are OOM already. - * - * We do not even care about fs backed pages because all - * which are reclaimable have already been reclaimed and - * we do not want to block exit_mmap by keeping mm ref - * count elevated without a good reason. - */ - if (vma_is_anonymous(vma) || !(vma->vm_flags & VM_SHARED)) { - const unsigned long start = vma->vm_start; - const unsigned long end = vma->vm_end; - - tlb_gather_mmu(&tlb, mm, start, end); - mmu_notifier_invalidate_range_start(mm, start, end); - unmap_page_range(&tlb, vma, start, end, NULL); - mmu_notifier_invalidate_range_end(mm, start, end); - tlb_finish_mmu(&tlb, start, end); - } - } pr_info("oom_reaper: reaped process %d (%s), now anon-rss:%lukB, file-rss:%lukB, shmem-rss:%lukB\n", task_pid_nr(tsk), tsk->comm, K(get_mm_counter(mm, MM_ANONPAGES)), @@ -587,14 +593,13 @@ static void oom_reap_task(struct task_st struct mm_struct *mm = tsk->signal->oom_mm; /* Retry the down_read_trylock(mmap_sem) a few times */ - while (attempts++ < MAX_OOM_REAP_RETRIES && !__oom_reap_task_mm(tsk, mm)) + while (attempts++ < MAX_OOM_REAP_RETRIES && !oom_reap_task_mm(tsk, mm)) schedule_timeout_idle(HZ/10); if (attempts <= MAX_OOM_REAP_RETRIES || test_bit(MMF_OOM_SKIP, &mm->flags)) goto done; - pr_info("oom_reaper: unable to reap pid:%d (%s)\n", task_pid_nr(tsk), tsk->comm); debug_show_all_locks(); _

7 years, 4 months

1
0
0 0

[patch 06/13] mm: sections are not offlined during memory hotremove

by akpm＠linux-foundation.org

From: Pavel Tatashin <pasha.tatashin(a)oracle.com> Subject: mm: sections are not offlined during memory hotremove Memory hotplug and hotremove operate with per-block granularity. If the machine has a large amount of memory (more than 64G), the size of a memory block can span multiple sections. By mistake, during hotremove we set only the first section to offline state. The bug was discovered because kernel selftest started to fail: https://lkml.kernel.org/r/20180423011247.GK5563@yexl-desktop After commit, "mm/memory_hotplug: optimize probe routine". But, the bug is older than this commit. In this optimization we also added a check for sections to be in a proper state during hotplug operation. Link: http://lkml.kernel.org/r/20180427145257.15222-1-pasha.tatashin@oracle.com Fixes: 2d070eab2e82 ("mm: consider zone which is not fully populated to have holes") Signed-off-by: Pavel Tatashin <pasha.tatashin(a)oracle.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Vlastimil Babka <vbabka(a)suse.cz> Cc: Steven Sistare <steven.sistare(a)oracle.com> Cc: Daniel Jordan <daniel.m.jordan(a)oracle.com> Cc: "Kirill A. Shutemov" <kirill.shutemov(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/sparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN mm/sparse.c~mm-sections-are-not-offlined-during-memory-hotremove mm/sparse.c --- a/mm/sparse.c~mm-sections-are-not-offlined-during-memory-hotremove +++ a/mm/sparse.c @@ -629,7 +629,7 @@ void offline_mem_sections(unsigned long unsigned long pfn; for (pfn = start_pfn; pfn < end_pfn; pfn += PAGES_PER_SECTION) { - unsigned long section_nr = pfn_to_section_nr(start_pfn); + unsigned long section_nr = pfn_to_section_nr(pfn); struct mem_section *ms; /* _

7 years, 4 months

1
0
0 0

[patch 05/13] z3fold: fix reclaim lock-ups

by akpm＠linux-foundation.org

From: Vitaly Wool <vitalywool(a)gmail.com> Subject: z3fold: fix reclaim lock-ups Do not try to optimize in-page object layout while the page is under reclaim. This fixes lock-ups on reclaim and improves reclaim performance at the same time. [akpm(a)linux-foundation.org: coding-style fixes] Link: http://lkml.kernel.org/r/20180430125800.444cae9706489f412ad12621@gmail.com Signed-off-by: Vitaly Wool <vitaly.vul(a)sony.com> Reported-by: Guenter Roeck <linux(a)roeck-us.net> Tested-by: Guenter Roeck <linux(a)roeck-us.net> Cc: <Oleksiy.Avramchenko(a)sony.com> Cc: Matthew Wilcox <mawilcox(a)microsoft.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/z3fold.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff -puN mm/z3fold.c~z3fold-fix-reclaim-lock-ups mm/z3fold.c --- a/mm/z3fold.c~z3fold-fix-reclaim-lock-ups +++ a/mm/z3fold.c @@ -144,7 +144,8 @@ enum z3fold_page_flags { PAGE_HEADLESS = 0, MIDDLE_CHUNK_MAPPED, NEEDS_COMPACTING, - PAGE_STALE + PAGE_STALE, + UNDER_RECLAIM }; /***************** @@ -173,6 +174,7 @@ static struct z3fold_header *init_z3fold clear_bit(MIDDLE_CHUNK_MAPPED, &page->private); clear_bit(NEEDS_COMPACTING, &page->private); clear_bit(PAGE_STALE, &page->private); + clear_bit(UNDER_RECLAIM, &page->private); spin_lock_init(&zhdr->page_lock); kref_init(&zhdr->refcount); @@ -756,6 +758,10 @@ static void z3fold_free(struct z3fold_po atomic64_dec(&pool->pages_nr); return; } + if (test_bit(UNDER_RECLAIM, &page->private)) { + z3fold_page_unlock(zhdr); + return; + } if (test_and_set_bit(NEEDS_COMPACTING, &page->private)) { z3fold_page_unlock(zhdr); return; @@ -840,6 +846,8 @@ static int z3fold_reclaim_page(struct z3 kref_get(&zhdr->refcount); list_del_init(&zhdr->buddy); zhdr->cpu = -1; + set_bit(UNDER_RECLAIM, &page->private); + break; } list_del_init(&page->lru); @@ -887,25 +895,35 @@ static int z3fold_reclaim_page(struct z3 goto next; } next: - spin_lock(&pool->lock); if (test_bit(PAGE_HEADLESS, &page->private)) { if (ret == 0) { - spin_unlock(&pool->lock); free_z3fold_page(page); return 0; } - } else if (kref_put(&zhdr->refcount, release_z3fold_page)) { - atomic64_dec(&pool->pages_nr); + spin_lock(&pool->lock); + list_add(&page->lru, &pool->lru); + spin_unlock(&pool->lock); + } else { + z3fold_page_lock(zhdr); + clear_bit(UNDER_RECLAIM, &page->private); + if (kref_put(&zhdr->refcount, + release_z3fold_page_locked)) { + atomic64_dec(&pool->pages_nr); + return 0; + } + /* + * if we are here, the page is still not completely + * free. Take the global pool lock then to be able + * to add it back to the lru list + */ + spin_lock(&pool->lock); + list_add(&page->lru, &pool->lru); spin_unlock(&pool->lock); - return 0; + z3fold_page_unlock(zhdr); } - /* - * Add to the beginning of LRU. - * Pool lock has to be kept here to ensure the page has - * not already been released - */ - list_add(&page->lru, &pool->lru); + /* We started off locked to we need to lock the pool back */ + spin_lock(&pool->lock); } spin_unlock(&pool->lock); return -EAGAIN; _

7 years, 4 months

1
0
0 0

Re: [PATCH] drm/i915/oa: Disable OA on Haswell

by Chris Wilson

Quoting Lionel Landwerlin (2018-05-11 18:41:28) > On 11/05/18 16:51, Chris Wilson wrote: > > But I can't even startup a gdm on that machine with drm-tip. So maybe > there is some much more broken... > > Don't leave us in suspense... > > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890614 > > > Not our bug :) You would not believe how relieved I am that someone else has bugs in their code. -Chris

7 years, 4 months

1
0
0 0

[GIT PULL] tracing: Fix regex_match_front() to not over compare the test string

by Steven Rostedt

Linus, Working on some new updates to trace filtering, I noticed that the regex_match_front() test was updated to be limited to the size of the pattern instead of the full test string. But as the test string is not guaranteed to be nul terminated, it still needs to consider the size of the test string. Please pull the latest trace-v4.17-rc4 tree, which can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace.git trace-v4.17-rc4 Tag SHA1: cb82e07247fa5f1a91940a2928fb260256727a14 Head SHA1: dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d Steven Rostedt (VMware) (1): tracing: Fix regex_match_front() to not over compare the test string ---- kernel/trace/trace_events_filter.c | 3 +++ 1 file changed, 3 insertions(+) --------------------------- commit dc432c3d7f9bceb3de6f5b44fb9c657c9810ed6d Author: Steven Rostedt (VMware) <rostedt(a)goodmis.org> Date: Wed May 9 11:59:32 2018 -0400 tracing: Fix regex_match_front() to not over compare the test string The regex match function regex_match_front() in the tracing filter logic, was fixed to test just the pattern length from testing the entire test string. That is, it went from strncmp(str, r->pattern, len) to strcmp(str, r->pattern, r->len). The issue is that str is not guaranteed to be nul terminated, and if r->len is greater than the length of str, it can access more memory than is allocated. The solution is to add a simple test if (len < r->len) return 0. Cc: stable(a)vger.kernel.org Fixes: 285caad415f45 ("tracing/filters: Fix MATCH_FRONT_ONLY filter matching") Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> diff --git a/kernel/trace/trace_events_filter.c b/kernel/trace/trace_events_filter.c index 1f951b3df60c..7d306b74230f 100644 --- a/kernel/trace/trace_events_filter.c +++ b/kernel/trace/trace_events_filter.c @@ -762,6 +762,9 @@ static int regex_match_full(char *str, struct regex *r, int len) static int regex_match_front(char *str, struct regex *r, int len) { + if (len < r->len) + return 0; + if (strncmp(str, r->pattern, r->len) == 0) return 1; return 0;

7 years, 4 months

1
0
0 0

FAILED: patch "[PATCH] test_firmware: fix setting old custom fw path back on exit, " failed to apply to 4.16-stable tree

by gregkh＠linuxfoundation.org

The patch below does not apply to the 4.16-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to <stable(a)vger.kernel.org>. thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From e538409257d0217a9bc715686100a5328db75a15 Mon Sep 17 00:00:00 2001 From: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Date: Wed, 4 Apr 2018 22:38:49 +0200 Subject: [PATCH] test_firmware: fix setting old custom fw path back on exit, second try Commit 65c79230576 tried to clear the custom firmware path on exit by writing a single space to the firmware_class.path parameter. This doesn't work because nothing strips this space from the value stored and fw_get_filesystem_firmware() only ignores zero-length paths. Instead, write a null byte. Fixes: 0a8adf58475 ("test: add firmware_class loader test") Fixes: 65c79230576 ("test_firmware: fix setting old custom fw path back on exit") Signed-off-by: Ben Hutchings <ben.hutchings(a)codethink.co.uk> Acked-by: Luis R. Rodriguez <mcgrof(a)kernel.org> Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> diff --git a/tools/testing/selftests/firmware/fw_lib.sh b/tools/testing/selftests/firmware/fw_lib.sh index 9ea31b57d71a..962d7f4ac627 100755 --- a/tools/testing/selftests/firmware/fw_lib.sh +++ b/tools/testing/selftests/firmware/fw_lib.sh @@ -154,11 +154,13 @@ test_finish() if [ "$HAS_FW_LOADER_USER_HELPER" = "yes" ]; then echo "$OLD_TIMEOUT" >/sys/class/firmware/timeout fi - if [ "$OLD_FWPATH" = "" ]; then - OLD_FWPATH=" " - fi if [ "$TEST_REQS_FW_SET_CUSTOM_PATH" = "yes" ]; then - echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + if [ "$OLD_FWPATH" = "" ]; then + # A zero-length write won't work; write a null byte + printf '\000' >/sys/module/firmware_class/parameters/path + else + echo -n "$OLD_FWPATH" >/sys/module/firmware_class/parameters/path + fi fi if [ -f $FW ]; then rm -f "$FW"

7 years, 4 months

3
3
0 0

[PATCH 4/4] KVM: arm/arm64: VGIC/ITS save/restore: protect kvm_read_guest() calls

by Andre Przywara

kvm_read_guest() will eventually look up in kvm_memslots(), which requires either to hold the kvm->slots_lock or to be inside a kvm->srcu critical section. In contrast to x86 and s390 we don't take the SRCU lock on every guest exit, so we have to do it individually for each kvm_read_guest() call. Use the newly introduced wrapper for that. Cc: Stable <stable(a)vger.kernel.org> # 4.12+ Reported-by: Jan Glauber <jan.glauber(a)caviumnetworks.com> Signed-off-by: Andre Przywara <andre.przywara(a)arm.com> --- virt/kvm/arm/vgic/vgic-its.c | 4 ++-- virt/kvm/arm/vgic/vgic-v3.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 7cb060e01a76..4ed79c939fb4 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -1897,7 +1897,7 @@ static int scan_its_table(struct vgic_its *its, gpa_t base, int size, int esz, int next_offset; size_t byte_offset; - ret = kvm_read_guest(kvm, gpa, entry, esz); + ret = kvm_read_guest_lock(kvm, gpa, entry, esz); if (ret) return ret; @@ -2267,7 +2267,7 @@ static int vgic_its_restore_cte(struct vgic_its *its, gpa_t gpa, int esz) int ret; BUG_ON(esz > sizeof(val)); - ret = kvm_read_guest(kvm, gpa, &val, esz); + ret = kvm_read_guest_lock(kvm, gpa, &val, esz); if (ret) return ret; val = le64_to_cpu(val); diff --git a/virt/kvm/arm/vgic/vgic-v3.c b/virt/kvm/arm/vgic/vgic-v3.c index c7423f3768e5..bdcf8e7a6161 100644 --- a/virt/kvm/arm/vgic/vgic-v3.c +++ b/virt/kvm/arm/vgic/vgic-v3.c @@ -344,7 +344,7 @@ int vgic_v3_lpi_sync_pending_status(struct kvm *kvm, struct vgic_irq *irq) bit_nr = irq->intid % BITS_PER_BYTE; ptr = pendbase + byte_offset; - ret = kvm_read_guest(kvm, ptr, &val, 1); + ret = kvm_read_guest_lock(kvm, ptr, &val, 1); if (ret) return ret; @@ -397,7 +397,7 @@ int vgic_v3_save_pending_tables(struct kvm *kvm) ptr = pendbase + byte_offset; if (byte_offset != last_byte_offset) { - ret = kvm_read_guest(kvm, ptr, &val, 1); + ret = kvm_read_guest_lock(kvm, ptr, &val, 1); if (ret) return ret; last_byte_offset = byte_offset; -- 2.14.1

7 years, 4 months

1
0
0 0

[PATCH 3/4] KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock

by Andre Przywara

kvm_read_guest() will eventually look up in kvm_memslots(), which requires either to hold the kvm->slots_lock or to be inside a kvm->srcu critical section. In contrast to x86 and s390 we don't take the SRCU lock on every guest exit, so we have to do it individually for each kvm_read_guest() call. Provide a wrapper which does that and use that everywhere. Note that ending the SRCU critical section before returning from the kvm_read_guest() wrapper is safe, because the data has been *copied*, so we don't need to rely on valid references to the memslot anymore. Cc: Stable <stable(a)vger.kernel.org> # 4.8+ Reported-by: Jan Glauber <jan.glauber(a)caviumnetworks.com> Signed-off-by: Andre Przywara <andre.przywara(a)arm.com> --- arch/arm/include/asm/kvm_mmu.h | 16 ++++++++++++++++ arch/arm64/include/asm/kvm_mmu.h | 16 ++++++++++++++++ virt/kvm/arm/vgic/vgic-its.c | 15 ++++++++------- 3 files changed, 40 insertions(+), 7 deletions(-) diff --git a/arch/arm/include/asm/kvm_mmu.h b/arch/arm/include/asm/kvm_mmu.h index 707a1f06dc5d..f675162663f0 100644 --- a/arch/arm/include/asm/kvm_mmu.h +++ b/arch/arm/include/asm/kvm_mmu.h @@ -309,6 +309,22 @@ static inline unsigned int kvm_get_vmid_bits(void) return 8; } +/* + * We are not in the kvm->srcu critical section most of the time, so we take + * the SRCU read lock here. Since we copy the data from the user page, we + * can immediately drop the lock again. + */ +static inline int kvm_read_guest_lock(struct kvm *kvm, + gpa_t gpa, void *data, unsigned long len) +{ + int srcu_idx = srcu_read_lock(&kvm->srcu); + int ret = kvm_read_guest(kvm, gpa, data, len); + + srcu_read_unlock(&kvm->srcu, srcu_idx); + + return ret; +} + static inline void *kvm_get_hyp_vector(void) { return kvm_ksym_ref(__kvm_hyp_vector); diff --git a/arch/arm64/include/asm/kvm_mmu.h b/arch/arm64/include/asm/kvm_mmu.h index 082110993647..6128992c2ded 100644 --- a/arch/arm64/include/asm/kvm_mmu.h +++ b/arch/arm64/include/asm/kvm_mmu.h @@ -360,6 +360,22 @@ static inline unsigned int kvm_get_vmid_bits(void) return (cpuid_feature_extract_unsigned_field(reg, ID_AA64MMFR1_VMIDBITS_SHIFT) == 2) ? 16 : 8; } +/* + * We are not in the kvm->srcu critical section most of the time, so we take + * the SRCU read lock here. Since we copy the data from the user page, we + * can immediately drop the lock again. + */ +static inline int kvm_read_guest_lock(struct kvm *kvm, + gpa_t gpa, void *data, unsigned long len) +{ + int srcu_idx = srcu_read_lock(&kvm->srcu); + int ret = kvm_read_guest(kvm, gpa, data, len); + + srcu_read_unlock(&kvm->srcu, srcu_idx); + + return ret; +} + #ifdef CONFIG_KVM_INDIRECT_VECTORS /* * EL2 vectors can be mapped and rerouted in a number of ways, diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 51a80b600632..7cb060e01a76 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -281,8 +281,8 @@ static int update_lpi_config(struct kvm *kvm, struct vgic_irq *irq, int ret; unsigned long flags; - ret = kvm_read_guest(kvm, propbase + irq->intid - GIC_LPI_OFFSET, - &prop, 1); + ret = kvm_read_guest_lock(kvm, propbase + irq->intid - GIC_LPI_OFFSET, + &prop, 1); if (ret) return ret; @@ -444,8 +444,9 @@ static int its_sync_lpi_pending_table(struct kvm_vcpu *vcpu) * this very same byte in the last iteration. Reuse that. */ if (byte_offset != last_byte_offset) { - ret = kvm_read_guest(vcpu->kvm, pendbase + byte_offset, - &pendmask, 1); + ret = kvm_read_guest_lock(vcpu->kvm, + pendbase + byte_offset, + &pendmask, 1); if (ret) { kfree(intids); return ret; @@ -789,7 +790,7 @@ static bool vgic_its_check_id(struct vgic_its *its, u64 baser, u32 id, return false; /* Each 1st level entry is represented by a 64-bit value. */ - if (kvm_read_guest(its->dev->kvm, + if (kvm_read_guest_lock(its->dev->kvm, BASER_ADDRESS(baser) + index * sizeof(indirect_ptr), &indirect_ptr, sizeof(indirect_ptr))) return false; @@ -1370,8 +1371,8 @@ static void vgic_its_process_commands(struct kvm *kvm, struct vgic_its *its) cbaser = CBASER_ADDRESS(its->cbaser); while (its->cwriter != its->creadr) { - int ret = kvm_read_guest(kvm, cbaser + its->creadr, - cmd_buf, ITS_CMD_SIZE); + int ret = kvm_read_guest_lock(kvm, cbaser + its->creadr, + cmd_buf, ITS_CMD_SIZE); /* * If kvm_read_guest() fails, this could be due to the guest * programming a bogus value in CBASER or something else going -- 2.14.1

7 years, 4 months

1
0
0 0

[PATCH 2/4] KVM: arm/arm64: VGIC/ITS: Promote irq_lock() in update_affinity

by Andre Przywara

Apparently the development of update_affinity() overlapped with the promotion of irq_lock to be _irqsave, so the patch didn't convert this lock over. This will make lockdep complain. Fix this by disabling IRQs around the lock. Cc: stable(a)vger.kernel.org Fixes: 08c9fd042117 ("KVM: arm/arm64: vITS: Add a helper to update the affinity of an LPI") Reported-by: Jan Glauber <jan.glauber(a)caviumnetworks.com> Signed-off-by: Andre Przywara <andre.przywara(a)arm.com> --- virt/kvm/arm/vgic/vgic-its.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 41abf92f2699..51a80b600632 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -350,10 +350,11 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr) static int update_affinity(struct vgic_irq *irq, struct kvm_vcpu *vcpu) { int ret = 0; + unsigned long flags; - spin_lock(&irq->irq_lock); + spin_lock_irqsave(&irq->irq_lock, flags); irq->target_vcpu = vcpu; - spin_unlock(&irq->irq_lock); + spin_unlock_irqrestore(&irq->irq_lock, flags); if (irq->hw) { struct its_vlpi_map map; -- 2.14.1

7 years, 4 months

1
0
0 0

[PATCH 1/4] KVM: arm/arm64: Properly protect VGIC locks from IRQs

by Andre Przywara

As Jan reported [1], lockdep complains about the VGIC not being bullet proof. This seems to be due to two issues: - When commit 006df0f34930 ("KVM: arm/arm64: Support calling vgic_update_irq_pending from irq context") promoted irq_lock and ap_list_lock to _irqsave, we forgot two instances of irq_lock. lockdeps seems to pick those up. - If a lock is _irqsave, any other locks we take inside them should be _irqsafe as well. So the lpi_list_lock needs to be promoted also. This fixes both issues by simply making the remaining instances of those locks _irqsave. One irq_lock is addressed in a separate patch, to simplify backporting. Cc: stable(a)vger.kernel.org Fixes: 006df0f34930 ("KVM: arm/arm64: Support calling vgic_update_irq_pending from irq context") Reported-by: Jan Glauber <jan.glauber(a)caviumnetworks.com> Signed-off-by: Andre Przywara <andre.przywara(a)arm.com> [1] http://lists.infradead.org/pipermail/linux-arm-kernel/2018-May/575718.html --- virt/kvm/arm/vgic/vgic-debug.c | 5 +++-- virt/kvm/arm/vgic/vgic-its.c | 10 ++++++---- virt/kvm/arm/vgic/vgic.c | 22 ++++++++++++++-------- 3 files changed, 23 insertions(+), 14 deletions(-) diff --git a/virt/kvm/arm/vgic/vgic-debug.c b/virt/kvm/arm/vgic/vgic-debug.c index 10b38178cff2..4ffc0b5e6105 100644 --- a/virt/kvm/arm/vgic/vgic-debug.c +++ b/virt/kvm/arm/vgic/vgic-debug.c @@ -211,6 +211,7 @@ static int vgic_debug_show(struct seq_file *s, void *v) struct vgic_state_iter *iter = (struct vgic_state_iter *)v; struct vgic_irq *irq; struct kvm_vcpu *vcpu = NULL; + unsigned long flags; if (iter->dist_id == 0) { print_dist_state(s, &kvm->arch.vgic); @@ -227,9 +228,9 @@ static int vgic_debug_show(struct seq_file *s, void *v) irq = &kvm->arch.vgic.spis[iter->intid - VGIC_NR_PRIVATE_IRQS]; } - spin_lock(&irq->irq_lock); + spin_lock_irqsave(&irq->irq_lock, flags); print_irq_state(s, irq, vcpu); - spin_unlock(&irq->irq_lock); + spin_unlock_irqrestore(&irq->irq_lock, flags); return 0; } diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index a8f07243aa9f..41abf92f2699 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -52,6 +52,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid, { struct vgic_dist *dist = &kvm->arch.vgic; struct vgic_irq *irq = vgic_get_irq(kvm, NULL, intid), *oldirq; + unsigned long flags; int ret; /* In this case there is no put, since we keep the reference. */ @@ -71,7 +72,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid, irq->intid = intid; irq->target_vcpu = vcpu; - spin_lock(&dist->lpi_list_lock); + spin_lock_irqsave(&dist->lpi_list_lock, flags); /* * There could be a race with another vgic_add_lpi(), so we need to @@ -99,7 +100,7 @@ static struct vgic_irq *vgic_add_lpi(struct kvm *kvm, u32 intid, dist->lpi_list_count++; out_unlock: - spin_unlock(&dist->lpi_list_lock); + spin_unlock_irqrestore(&dist->lpi_list_lock, flags); /* * We "cache" the configuration table entries in our struct vgic_irq's. @@ -315,6 +316,7 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr) { struct vgic_dist *dist = &vcpu->kvm->arch.vgic; struct vgic_irq *irq; + unsigned long flags; u32 *intids; int irq_count, i = 0; @@ -330,7 +332,7 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr) if (!intids) return -ENOMEM; - spin_lock(&dist->lpi_list_lock); + spin_lock_irqsave(&dist->lpi_list_lock, flags); list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) { if (i == irq_count) break; @@ -339,7 +341,7 @@ static int vgic_copy_lpi_list(struct kvm_vcpu *vcpu, u32 **intid_ptr) continue; intids[i++] = irq->intid; } - spin_unlock(&dist->lpi_list_lock); + spin_unlock_irqrestore(&dist->lpi_list_lock, flags); *intid_ptr = intids; return i; diff --git a/virt/kvm/arm/vgic/vgic.c b/virt/kvm/arm/vgic/vgic.c index 27219313a406..1dfb5b2f1b12 100644 --- a/virt/kvm/arm/vgic/vgic.c +++ b/virt/kvm/arm/vgic/vgic.c @@ -43,9 +43,13 @@ struct vgic_global kvm_vgic_global_state __ro_after_init = { * kvm->lock (mutex) * its->cmd_lock (mutex) * its->its_lock (mutex) - * vgic_cpu->ap_list_lock - * kvm->lpi_list_lock - * vgic_irq->irq_lock + * vgic_cpu->ap_list_lock must be taken with IRQs disabled + * kvm->lpi_list_lock must be taken with IRQs disabled + * vgic_irq->irq_lock must be taken with IRQs disabled + * + * As the ap_list_lock might be taken from the timer interrupt handler, + * we have to disable IRQs before taking this lock and everything lower + * than it. * * If you need to take multiple locks, always take the upper lock first, * then the lower ones, e.g. first take the its_lock, then the irq_lock. @@ -72,8 +76,9 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid) { struct vgic_dist *dist = &kvm->arch.vgic; struct vgic_irq *irq = NULL; + unsigned long flags; - spin_lock(&dist->lpi_list_lock); + spin_lock_irqsave(&dist->lpi_list_lock, flags); list_for_each_entry(irq, &dist->lpi_list_head, lpi_list) { if (irq->intid != intid) @@ -89,7 +94,7 @@ static struct vgic_irq *vgic_get_lpi(struct kvm *kvm, u32 intid) irq = NULL; out_unlock: - spin_unlock(&dist->lpi_list_lock); + spin_unlock_irqrestore(&dist->lpi_list_lock, flags); return irq; } @@ -134,19 +139,20 @@ static void vgic_irq_release(struct kref *ref) void vgic_put_irq(struct kvm *kvm, struct vgic_irq *irq) { struct vgic_dist *dist = &kvm->arch.vgic; + unsigned long flags; if (irq->intid < VGIC_MIN_LPI) return; - spin_lock(&dist->lpi_list_lock); + spin_lock_irqsave(&dist->lpi_list_lock, flags); if (!kref_put(&irq->refcount, vgic_irq_release)) { - spin_unlock(&dist->lpi_list_lock); + spin_unlock_irqrestore(&dist->lpi_list_lock, flags); return; }; list_del(&irq->lpi_list); dist->lpi_list_count--; - spin_unlock(&dist->lpi_list_lock); + spin_unlock_irqrestore(&dist->lpi_list_lock, flags); kfree(irq); } -- 2.14.1

7 years, 4 months

1
0
0 0

[PATCH] [stable 4.14] arm64: Add work around for Arm Cortex-A55 Erratum 1024718

by Suzuki K Poulose

commit ece1397cbc89c51914fae1aec729539cfd8bd62b upstream Some variants of the Arm Cortex-55 cores (r0p0, r0p1, r1p0) suffer from an erratum 1024718, which causes incorrect updates when DBM/AP bits in a page table entry is modified without a break-before-make sequence. The work around is to disable the hardware DBM feature on the affected cores. The hardware Access Flag management features is not affected. The hardware DBM feature is a non-conflicting capability, i.e, the kernel could handle cores using the feature and those without having the features running at the same time. So this work around is detected at early boot time, rather than delaying it until the CPUs are brought up into the kernel with MMU turned on. This also avoids other complexities with late CPUs turning online, with or without the hardware DBM features. Cc: stable(a)vger.kernel.org # v4.14 Cc: Catalin Marinas <catalin.marinas(a)arm.com> Cc: Mark Rutland <mark.rutland(a)arm.com> Cc: Will Deacon <will.deacon(a)arm.com> Signed-off-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> --- Note: The upstream commit is on top of a reworked capability infrastructure for arm64 heterogeneous systems, which allows delaying the CPU model checks. This backport is based on the original version of the patch [0], which checks the affected CPU models during the early boot. [0] https://lkml.kernel.org/r/20180116102323.3470-1-suzuki.poulose@arm.com --- Documentation/arm64/silicon-errata.txt | 1 + arch/arm64/Kconfig | 14 ++++++++++++ arch/arm64/include/asm/assembler.h | 40 ++++++++++++++++++++++++++++++++++ arch/arm64/include/asm/cputype.h | 2 ++ arch/arm64/mm/proc.S | 5 +++++ 5 files changed, 62 insertions(+) diff --git a/Documentation/arm64/silicon-errata.txt b/Documentation/arm64/silicon-errata.txt index f3d0d31..e4fe6ad 100644 --- a/Documentation/arm64/silicon-errata.txt +++ b/Documentation/arm64/silicon-errata.txt @@ -55,6 +55,7 @@ stable kernels. | ARM | Cortex-A57 | #834220 | ARM64_ERRATUM_834220 | | ARM | Cortex-A72 | #853709 | N/A | | ARM | Cortex-A73 | #858921 | ARM64_ERRATUM_858921 | +| ARM | Cortex-A55 | #1024718 | ARM64_ERRATUM_1024718 | | ARM | MMU-500 | #841119,#826419 | N/A | | | | | | | Cavium | ThunderX ITS | #22375, #24313 | CAVIUM_ERRATUM_22375 | diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig index c2abb4e..2d5f7ac 100644 --- a/arch/arm64/Kconfig +++ b/arch/arm64/Kconfig @@ -443,6 +443,20 @@ config ARM64_ERRATUM_843419 If unsure, say Y. +config ARM64_ERRATUM_1024718 + bool "Cortex-A55: 1024718: Update of DBM/AP bits without break before make might result in incorrect update" + default y + help + This option adds work around for Arm Cortex-A55 Erratum 1024718. + + Affected Cortex-A55 cores (r0p0, r0p1, r1p0) could cause incorrect + update of the hardware dirty bit when the DBM/AP bits are updated + without a break-before-make. The work around is to disable the usage + of hardware DBM locally on the affected cores. CPUs not affected by + erratum will continue to use the feature. + + If unsure, say Y. + config CAVIUM_ERRATUM_22375 bool "Cavium erratum 22375, 24313" default y diff --git a/arch/arm64/include/asm/assembler.h b/arch/arm64/include/asm/assembler.h index 463619d..25b2a41 100644 --- a/arch/arm64/include/asm/assembler.h +++ b/arch/arm64/include/asm/assembler.h @@ -25,6 +25,7 @@ #include <asm/asm-offsets.h> #include <asm/cpufeature.h> +#include <asm/cputype.h> #include <asm/page.h> #include <asm/pgtable-hwdef.h> #include <asm/ptrace.h> @@ -495,4 +496,43 @@ alternative_endif and \phys, \pte, #(((1 << (48 - PAGE_SHIFT)) - 1) << PAGE_SHIFT) .endm +/* + * Check the MIDR_EL1 of the current CPU for a given model and a range of + * variant/revision. See asm/cputype.h for the macros used below. + * + * model: MIDR_CPU_MODEL of CPU + * rv_min: Minimum of MIDR_CPU_VAR_REV() + * rv_max: Maximum of MIDR_CPU_VAR_REV() + * res: Result register. + * tmp1, tmp2, tmp3: Temporary registers + * + * Corrupts: res, tmp1, tmp2, tmp3 + * Returns: 0, if the CPU id doesn't match. Non-zero otherwise + */ + .macro cpu_midr_match model, rv_min, rv_max, res, tmp1, tmp2, tmp3 + mrs \res, midr_el1 + mov_q \tmp1, (MIDR_REVISION_MASK | MIDR_VARIANT_MASK) + mov_q \tmp2, MIDR_CPU_MODEL_MASK + and \tmp3, \res, \tmp2 // Extract model + and \tmp1, \res, \tmp1 // rev & variant + mov_q \tmp2, \model + cmp \tmp3, \tmp2 + cset \res, eq + cbz \res, .Ldone\@ // Model matches ? + + .if (\rv_min != 0) // Skip min check if rv_min == 0 + mov_q \tmp3, \rv_min + cmp \tmp1, \tmp3 + cset \res, ge + .endif // \rv_min != 0 + /* Skip rv_max check if rv_min == rv_max && rv_min != 0 */ + .if ((\rv_min != \rv_max) || \rv_min == 0) + mov_q \tmp2, \rv_max + cmp \tmp1, \tmp2 + cset \tmp2, le + and \res, \res, \tmp2 + .endif +.Ldone\@: + .endm + #endif /* __ASM_ASSEMBLER_H */ diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h index be7bd19..30da091 100644 --- a/arch/arm64/include/asm/cputype.h +++ b/arch/arm64/include/asm/cputype.h @@ -78,6 +78,7 @@ #define ARM_CPU_PART_AEM_V8 0xD0F #define ARM_CPU_PART_FOUNDATION 0xD00 +#define ARM_CPU_PART_CORTEX_A55 0xD05 #define ARM_CPU_PART_CORTEX_A57 0xD07 #define ARM_CPU_PART_CORTEX_A72 0xD08 #define ARM_CPU_PART_CORTEX_A53 0xD03 @@ -98,6 +99,7 @@ #define QCOM_CPU_PART_KRYO 0x200 #define MIDR_CORTEX_A53 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A53) +#define MIDR_CORTEX_A55 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A55) #define MIDR_CORTEX_A57 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A57) #define MIDR_CORTEX_A72 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A72) #define MIDR_CORTEX_A73 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A73) diff --git a/arch/arm64/mm/proc.S b/arch/arm64/mm/proc.S index 139320a..e338165 100644 --- a/arch/arm64/mm/proc.S +++ b/arch/arm64/mm/proc.S @@ -438,6 +438,11 @@ ENTRY(__cpu_setup) cbz x9, 2f cmp x9, #2 b.lt 1f +#ifdef CONFIG_ARM64_ERRATUM_1024718 + /* Disable hardware DBM on Cortex-A55 r0p0, r0p1 & r1p0 */ + cpu_midr_match MIDR_CORTEX_A55, MIDR_CPU_VAR_REV(0, 0), MIDR_CPU_VAR_REV(1, 0), x1, x2, x3, x4 + cbnz x1, 1f +#endif orr x10, x10, #TCR_HD // hardware Dirty flag update 1: orr x10, x10, #TCR_HA // hardware Access flag update 2: -- 2.7.4

7 years, 4 months

2
1
0 0

Please apply commit b86e33075ed1 to v4.4.y and v4.9.y

by Guenter Roeck

Hi Greg, commit b86e33075ed1 ("f2fs: fix a dead loop in f2fs_fiemap()") fixes CVE-2017-18257. Please apply to v4.4.y and v4.9.y. Thanks, Guenter

7 years, 4 months

2
1
0 0

patch "iio: sca3000: Fix an error handling path in 'sca3000_probe()'" added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: sca3000: Fix an error handling path in 'sca3000_probe()' to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 4a5b45383ca371e123ba103d34d4b3b87616245c Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Sun, 8 Apr 2018 21:44:01 +0200 Subject: iio: sca3000: Fix an error handling path in 'sca3000_probe()' Use 'devm_iio_kfifo_allocate()' instead of 'iio_kfifo_allocate()' in order to simplify code and avoid a memory leak in an error path in 'sca3000_probe()'. A call to 'sca3000_unconfigure_ring()' was missing. Sent via the next merge window as unimportant bug and there are other patches dependent on it. Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/sca3000.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c index f33dadf7b262..562f125235db 100644 --- a/drivers/iio/accel/sca3000.c +++ b/drivers/iio/accel/sca3000.c @@ -1277,7 +1277,7 @@ static int sca3000_configure_ring(struct iio_dev *indio_dev) { struct iio_buffer *buffer; - buffer = iio_kfifo_allocate(); + buffer = devm_iio_kfifo_allocate(&indio_dev->dev); if (!buffer) return -ENOMEM; @@ -1287,11 +1287,6 @@ static int sca3000_configure_ring(struct iio_dev *indio_dev) return 0; } -static void sca3000_unconfigure_ring(struct iio_dev *indio_dev) -{ - iio_kfifo_free(indio_dev->buffer); -} - static inline int __sca3000_hw_ring_state_set(struct iio_dev *indio_dev, bool state) { @@ -1546,8 +1541,6 @@ static int sca3000_remove(struct spi_device *spi) if (spi->irq) free_irq(spi->irq, indio_dev); - sca3000_unconfigure_ring(indio_dev); - return 0; } -- 2.17.0

7 years, 4 months

1
0
0 0

patch "iio: adc: ad7791: remove sample freq sysfs attributes" added to staging-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7791: remove sample freq sysfs attributes to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From 7eb6b35d93c356f1afebbfb808bc296d6351e708 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Date: Mon, 12 Mar 2018 14:06:53 +0200 Subject: iio: adc: ad7791: remove sample freq sysfs attributes In the current state, these attributes are broken, because they are registered already, and the kernel throws a warning. The first registration happens via the `IIO_CHAN_INFO_SAMP_FREQ` flag from the `ad_sigma_delta` driver. In this commit these attrs are removed, and in the following the IIO_CHAN_INFO_SAMP_FREQ behavior will be implemented, which replaces these hooks. This is done to make things a bit easier to review as there is a bit of overlap in the patch if it's done all at once. Fixes: a13e831fcaa7 ("staging: iio: ad7192: implement IIO_CHAN_INFO_SAMP_FREQ") Signed-off-by: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7791.c | 49 ---------------------------------------- 1 file changed, 49 deletions(-) diff --git a/drivers/iio/adc/ad7791.c b/drivers/iio/adc/ad7791.c index 70fbf92f9827..03a5f7d6cb0c 100644 --- a/drivers/iio/adc/ad7791.c +++ b/drivers/iio/adc/ad7791.c @@ -244,58 +244,9 @@ static int ad7791_read_raw(struct iio_dev *indio_dev, return -EINVAL; } -static const char * const ad7791_sample_freq_avail[] = { - [AD7791_FILTER_RATE_120] = "120", - [AD7791_FILTER_RATE_100] = "100", - [AD7791_FILTER_RATE_33_3] = "33.3", - [AD7791_FILTER_RATE_20] = "20", - [AD7791_FILTER_RATE_16_6] = "16.6", - [AD7791_FILTER_RATE_16_7] = "16.7", - [AD7791_FILTER_RATE_13_3] = "13.3", - [AD7791_FILTER_RATE_9_5] = "9.5", -}; - -static ssize_t ad7791_read_frequency(struct device *dev, - struct device_attribute *attr, char *buf) -{ - struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7791_state *st = iio_priv(indio_dev); - unsigned int rate = st->filter & AD7791_FILTER_RATE_MASK; - - return sprintf(buf, "%s\n", ad7791_sample_freq_avail[rate]); -} - -static ssize_t ad7791_write_frequency(struct device *dev, - struct device_attribute *attr, const char *buf, size_t len) -{ - struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7791_state *st = iio_priv(indio_dev); - int i, ret; - - i = sysfs_match_string(ad7791_sample_freq_avail, buf); - if (i < 0) - return i; - - ret = iio_device_claim_direct_mode(indio_dev); - if (ret) - return ret; - st->filter &= ~AD7791_FILTER_RATE_MASK; - st->filter |= i; - ad_sd_write_reg(&st->sd, AD7791_REG_FILTER, sizeof(st->filter), - st->filter); - iio_device_release_direct_mode(indio_dev); - - return len; -} - -static IIO_DEV_ATTR_SAMP_FREQ(S_IWUSR | S_IRUGO, - ad7791_read_frequency, - ad7791_write_frequency); - static IIO_CONST_ATTR_SAMP_FREQ_AVAIL("120 100 33.3 20 16.7 16.6 13.3 9.5"); static struct attribute *ad7791_attributes[] = { - &iio_dev_attr_sampling_frequency.dev_attr.attr, &iio_const_attr_sampling_frequency_available.dev_attr.attr, NULL }; -- 2.17.0

7 years, 4 months

1
0
0 0

Re: [PATCH] drm: Match sysfs name in link removal to link creation

by Sean Paul

On Fri, May 11, 2018 at 07:15:42AM +0300, Haneen Mohammed wrote: > This patch matches the sysfs name used in the unlinking with the > linking function. Otherwise, remove_compat_control_link() fails to remove > sysfs created by create_compat_control_link() in drm_dev_register(). > > Signed-off-by: Haneen Mohammed <hamohammed.sa(a)gmail.com> Hey Haneen, Nice catch! I've applied this to drm-misc-fixes with applicable Fixes and Cc tags. Sean > --- > drivers/gpu/drm/drm_drv.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c > index a1b9338736e3..c2c21d839727 100644 > --- a/drivers/gpu/drm/drm_drv.c > +++ b/drivers/gpu/drm/drm_drv.c > @@ -716,7 +716,7 @@ static void remove_compat_control_link(struct drm_device *dev) > if (!minor) > return; > > - name = kasprintf(GFP_KERNEL, "controlD%d", minor->index); > + name = kasprintf(GFP_KERNEL, "controlD%d", minor->index + 64); > if (!name) > return; > > -- > 2.17.0 > -- Sean Paul, Software Engineer, Google / Chromium OS

7 years, 4 months

1
0
0 0

[PATCH] mtd: nand: Do not check FAIL bit when executing a SET_FEATURES op

by Boris Brezillon

The ONFI spec clearly says that FAIL bit is only valid for PROGRAM, ERASE and READ-with-on-die-ECC operations, and should be ignored otherwise. It seems that checking it after sending a SET_FEATURES is a bad idea because a previous READ, PROGRAM or ERASE op may have failed, and depending on the implementation, the FAIL bit is not cleared until a new READ, PROGRAM or ERASE is started. This leads to ->set_features() returning -EIO while it actually worked, which can sometimes stop a batch of READ/PROGRAM ops. Note that we only fix the ->exec_op() path here, because some drivers are abusing the NAND_STATUS_FAIL flag in their ->waitfunc() implementation to propagate other kind of errors, like wait-ready-timeout or controller-related errors. Let's not try to fix those drivers since they worked fine so far. Fixes: 8878b126df76 ("mtd: nand: add ->exec_op() implementation") Cc: stable(a)vger.kernel.org Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> --- This patch is fixing a problem we had with on-die ECC on Micron NANDs [1]. On these chips, when you have an ECC failure, the FAIL bit is set and it's not cleared until the next READ operation, which led the following SET_FEATURES (used to re-enable on-die ECC) to fail with -EIO and stopped the batch of page reads started by UBIFS, which in turn led to unmountable FS. [1]http://patchwork.ozlabs.org/patch/907874/ --- drivers/mtd/nand/raw/nand_base.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/drivers/mtd/nand/raw/nand_base.c b/drivers/mtd/nand/raw/nand_base.c index f28c3a555861..ee29f34562ab 100644 --- a/drivers/mtd/nand/raw/nand_base.c +++ b/drivers/mtd/nand/raw/nand_base.c @@ -2174,7 +2174,6 @@ static int nand_set_features_op(struct nand_chip *chip, u8 feature, struct mtd_info *mtd = nand_to_mtd(chip); const u8 *params = data; int i, ret; - u8 status; if (chip->exec_op) { const struct nand_sdr_timings *sdr = @@ -2188,26 +2187,18 @@ static int nand_set_features_op(struct nand_chip *chip, u8 feature, }; struct nand_operation op = NAND_OPERATION(instrs); - ret = nand_exec_op(chip, &op); - if (ret) - return ret; - - ret = nand_status_op(chip, &status); - if (ret) - return ret; - } else { - chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); - for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) - chip->write_byte(mtd, params[i]); + return nand_exec_op(chip, &op); + } - ret = chip->waitfunc(mtd, chip); - if (ret < 0) - return ret; + chip->cmdfunc(mtd, NAND_CMD_SET_FEATURES, feature, -1); + for (i = 0; i < ONFI_SUBFEATURE_PARAM_LEN; ++i) + chip->write_byte(mtd, params[i]); - status = ret; - } + ret = chip->waitfunc(mtd, chip); + if (ret < 0) + return ret; - if (status & NAND_STATUS_FAIL) + if (ret & NAND_STATUS_FAIL) return -EIO; return 0; -- 2.14.1

7 years, 4 months

1
1
0 0

Re: [PATCH] idr: fix invalid ptr dereference on item delete

by Paolo Bonzini

On 10/05/2018 21:16, Roman Kagan wrote: > If an IDR contains a single entry at index==0, the underlying radix tree > has a single item in its root node, in which case > __radix_tree_lookup(index!=0) doesn't set its *@nodep argument (in > addition to returning NULL). > > However, the tree itself is not empty, i.e. the tree root doesn't have > IDR_FREE tag. > > As a result, on an attempt to remove an index!=0 entry from such an IDR, > radix_tree_delete_item doesn't return early and calls > __radix_tree_delete with invalid parameters which are then dereferenced. > > Reported-by: syzbot+35666cba7f0a337e2e79(a)syzkaller.appspotmail.com > Signed-off-by: Roman Kagan <rkagan(a)virtuozzo.com> > --- > lib/radix-tree.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > > diff --git a/lib/radix-tree.c b/lib/radix-tree.c > index da9e10c827df..10ff1bfae952 100644 > --- a/lib/radix-tree.c > +++ b/lib/radix-tree.c > @@ -2040,8 +2040,9 @@ void *radix_tree_delete_item(struct radix_tree_root *root, > void *entry; > > entry = __radix_tree_lookup(root, index, &node, &slot); > - if (!entry && (!is_idr(root) || node_tag_get(root, node, IDR_FREE, > - get_slot_offset(node, slot)))) > + if (!entry && (!is_idr(root) || !node || > + node_tag_get(root, node, IDR_FREE, > + get_slot_offset(node, slot)))) > return NULL; > > if (item && entry != item) > I cannot really vouch for the patch, but if it is correct it's definitely stuff for stable. The KVM testcase is only for 4.17-rc but this is a really nasty bug in a core data structure. Cc: stable(a)vger.kernel.org Should radix-tree be compilable in userspace, so that we can add unit tests for it?... Paolo

7 years, 4 months

3
3
0 0

patch "iio: sca3000: Fix an error handling path in 'sca3000_probe()'" added to staging-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: sca3000: Fix an error handling path in 'sca3000_probe()' to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the staging-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 4a5b45383ca371e123ba103d34d4b3b87616245c Mon Sep 17 00:00:00 2001 From: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Date: Sun, 8 Apr 2018 21:44:01 +0200 Subject: iio: sca3000: Fix an error handling path in 'sca3000_probe()' Use 'devm_iio_kfifo_allocate()' instead of 'iio_kfifo_allocate()' in order to simplify code and avoid a memory leak in an error path in 'sca3000_probe()'. A call to 'sca3000_unconfigure_ring()' was missing. Sent via the next merge window as unimportant bug and there are other patches dependent on it. Signed-off-by: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/accel/sca3000.c | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/drivers/iio/accel/sca3000.c b/drivers/iio/accel/sca3000.c index f33dadf7b262..562f125235db 100644 --- a/drivers/iio/accel/sca3000.c +++ b/drivers/iio/accel/sca3000.c @@ -1277,7 +1277,7 @@ static int sca3000_configure_ring(struct iio_dev *indio_dev) { struct iio_buffer *buffer; - buffer = iio_kfifo_allocate(); + buffer = devm_iio_kfifo_allocate(&indio_dev->dev); if (!buffer) return -ENOMEM; @@ -1287,11 +1287,6 @@ static int sca3000_configure_ring(struct iio_dev *indio_dev) return 0; } -static void sca3000_unconfigure_ring(struct iio_dev *indio_dev) -{ - iio_kfifo_free(indio_dev->buffer); -} - static inline int __sca3000_hw_ring_state_set(struct iio_dev *indio_dev, bool state) { @@ -1546,8 +1541,6 @@ static int sca3000_remove(struct spi_device *spi) if (spi->irq) free_irq(spi->irq, indio_dev); - sca3000_unconfigure_ring(indio_dev); - return 0; } -- 2.17.0

7 years, 4 months

1
0
0 0

patch "iio: adc: ad7791: remove sample freq sysfs attributes" added to staging-testing

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled iio: adc: ad7791: remove sample freq sysfs attributes to my staging git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging.git in the staging-testing branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will be merged to the staging-next branch sometime soon, after it passes testing, and the merge window is open. If you have any questions about this process, please let me know. >From 7eb6b35d93c356f1afebbfb808bc296d6351e708 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Date: Mon, 12 Mar 2018 14:06:53 +0200 Subject: iio: adc: ad7791: remove sample freq sysfs attributes In the current state, these attributes are broken, because they are registered already, and the kernel throws a warning. The first registration happens via the `IIO_CHAN_INFO_SAMP_FREQ` flag from the `ad_sigma_delta` driver. In this commit these attrs are removed, and in the following the IIO_CHAN_INFO_SAMP_FREQ behavior will be implemented, which replaces these hooks. This is done to make things a bit easier to review as there is a bit of overlap in the patch if it's done all at once. Fixes: a13e831fcaa7 ("staging: iio: ad7192: implement IIO_CHAN_INFO_SAMP_FREQ") Signed-off-by: Alexandru Ardelean <alexandru.ardelean(a)analog.com> Cc: <Stable(a)vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron(a)huawei.com> --- drivers/iio/adc/ad7791.c | 49 ---------------------------------------- 1 file changed, 49 deletions(-) diff --git a/drivers/iio/adc/ad7791.c b/drivers/iio/adc/ad7791.c index 70fbf92f9827..03a5f7d6cb0c 100644 --- a/drivers/iio/adc/ad7791.c +++ b/drivers/iio/adc/ad7791.c @@ -244,58 +244,9 @@ static int ad7791_read_raw(struct iio_dev *indio_dev, return -EINVAL; } -static const char * const ad7791_sample_freq_avail[] = { - [AD7791_FILTER_RATE_120] = "120", - [AD7791_FILTER_RATE_100] = "100", - [AD7791_FILTER_RATE_33_3] = "33.3", - [AD7791_FILTER_RATE_20] = "20", - [AD7791_FILTER_RATE_16_6] = "16.6", - [AD7791_FILTER_RATE_16_7] = "16.7", - [AD7791_FILTER_RATE_13_3] = "13.3", - [AD7791_FILTER_RATE_9_5] = "9.5", -}; - -static ssize_t ad7791_read_frequency(struct device *dev, - struct device_attribute *attr, char *buf) -{ - struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7791_state *st = iio_priv(indio_dev); - unsigned int rate = st->filter & AD7791_FILTER_RATE_MASK; - - return sprintf(buf, "%s\n", ad7791_sample_freq_avail[rate]); -} - -static ssize_t ad7791_write_frequency(struct device *dev, - struct device_attribute *attr, const char *buf, size_t len) -{ - struct iio_dev *indio_dev = dev_to_iio_dev(dev); - struct ad7791_state *st = iio_priv(indio_dev); - int i, ret; - - i = sysfs_match_string(ad7791_sample_freq_avail, buf); - if (i < 0) - return i; - - ret = iio_device_claim_direct_mode(indio_dev); - if (ret) - return ret; - st->filter &= ~AD7791_FILTER_RATE_MASK; - st->filter |= i; - ad_sd_write_reg(&st->sd, AD7791_REG_FILTER, sizeof(st->filter), - st->filter); - iio_device_release_direct_mode(indio_dev); - - return len; -} - -static IIO_DEV_ATTR_SAMP_FREQ(S_IWUSR | S_IRUGO, - ad7791_read_frequency, - ad7791_write_frequency); - static IIO_CONST_ATTR_SAMP_FREQ_AVAIL("120 100 33.3 20 16.7 16.6 13.3 9.5"); static struct attribute *ad7791_attributes[] = { - &iio_dev_attr_sampling_frequency.dev_attr.attr, &iio_const_attr_sampling_frequency_available.dev_attr.attr, NULL }; -- 2.17.0

7 years, 4 months

1
0
0 0

[PATCH v4.9] KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry

by Paul Mackerras

commit a8b48a4dccea77e29462e59f1dbf0d5aa1ff167c upstream. This fixes a bug where the trap number that is returned by __kvmppc_vcore_entry gets corrupted. The effect of the corruption is that IPIs get ignored on POWER9 systems when the IPI is sent via a doorbell interrupt to a CPU which is executing in a KVM guest. The effect of the IPI being ignored is often that another CPU locks up inside smp_call_function_many() (and if that CPU is holding a spinlock, other CPUs then lock up inside raw_spin_lock()). The trap number is currently held in register r12 for most of the assembly-language part of the guest exit path. In that path, we call kvmppc_subcore_exit_guest(), which is a C function, without restoring r12 afterwards. Depending on the kernel config and the compiler, it may modify r12 or it may not, so some config/compiler combinations see the bug and others don't. To fix this, we arrange for the trap number to be stored on the stack from the point where kvmhv_commence_exit is called until the end of the function, then the trap number is loaded and returned in r12 as before. Cc: stable(a)vger.kernel.org # v4.8+ Fixes: fd7bacbca47a ("KVM: PPC: Book3S HV: Fix TB corruption in guest exit path on HMI interrupt") Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org> --- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/kvm/book3s_hv_rmhandlers.S b/arch/powerpc/kvm/book3s_hv_rmhandlers.S index 55fbc0c78721..79a180cf4c94 100644 --- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S +++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S @@ -299,7 +299,6 @@ kvm_novcpu_exit: stw r12, STACK_SLOT_TRAP(r1) bl kvmhv_commence_exit nop - lwz r12, STACK_SLOT_TRAP(r1) b kvmhv_switch_to_host /* @@ -1023,6 +1022,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_HAS_PPR) secondary_too_late: li r12, 0 + stw r12, STACK_SLOT_TRAP(r1) cmpdi r4, 0 beq 11f stw r12, VCPU_TRAP(r4) @@ -1266,12 +1266,12 @@ mc_cont: bl kvmhv_accumulate_time #endif + stw r12, STACK_SLOT_TRAP(r1) mr r3, r12 /* Increment exit count, poke other threads to exit */ bl kvmhv_commence_exit nop ld r9, HSTATE_KVM_VCPU(r13) - lwz r12, VCPU_TRAP(r9) /* Stop others sending VCPU interrupts to this physical CPU */ li r0, -1 @@ -1549,6 +1549,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) * POWER7/POWER8 guest -> host partition switch code. * We don't have to lock against tlbies but we do * have to coordinate the hardware threads. + * Here STACK_SLOT_TRAP(r1) contains the trap number. */ kvmhv_switch_to_host: /* Secondary threads wait for primary to do partition switch */ @@ -1599,11 +1600,11 @@ BEGIN_FTR_SECTION END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) /* If HMI, call kvmppc_realmode_hmi_handler() */ + lwz r12, STACK_SLOT_TRAP(r1) cmpwi r12, BOOK3S_INTERRUPT_HMI bne 27f bl kvmppc_realmode_hmi_handler nop - li r12, BOOK3S_INTERRUPT_HMI /* * At this point kvmppc_realmode_hmi_handler would have resync-ed * the TB. Hence it is not required to subtract guest timebase @@ -1678,6 +1679,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_207S) li r0, KVM_GUEST_MODE_NONE stb r0, HSTATE_IN_GUEST(r13) + lwz r12, STACK_SLOT_TRAP(r1) /* return trap # in r12 */ ld r0, SFS+PPC_LR_STKOFF(r1) addi r1, r1, SFS mtlr r0 -- 2.11.0

7 years, 4 months

2
1
0 0

[GIT PULL] commits for Linux 4.16

by Sasha Levin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi Greg, Pleae pull commits for Linux 4.16 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit b42b71cd28f213cf4688b9891e66b57bdb6eefe8: Linux 4.16.4 (2018-04-24 09:43:11 +0200) are available in the Git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.16-26042018 for you to fetch changes up to bafaa8866f7137b7ed3df848b0e77c8cfc15066c: kdb: make "mdr" command repeat (2018-04-25 17:24:16 -0400) - ---------------------------------------------------------------- for-greg-4.16-26042018 - ---------------------------------------------------------------- Aapo Vienamo (1): ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet Aaro Koskinen (1): drivers: macintosh: rack-meter: really fix bogus memsets Akinobu Mita (1): media: ov5645: add missing of_node_put() in error path Alexander Graf (1): lan78xx: Connect phy early Alexander Shishkin (1): intel_th: Use correct method of finding hub Alexandre Belloni (4): rtc: hctosys: Ensure system time doesn't overflow time_t rtc: rk808: fix possible race condition rtc: m41t80: fix race conditions rtc: rp5c01: fix possible race condition Alexey Khoroshilov (3): watchdog: davinci_wdt: fix error handling in davinci_wdt_probe() watchdog: sprd_wdt: Fix error handling in sprd_wdt_enable() watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe() Alistair Popple (1): powerpc/powernv/npu: Fix deadlock in mmio_invalidate() Amitkumar Karwar (1): rsi: fix kernel panic observed on 64bit machine Anand Jain (1): btrfs: fix null pointer deref when target device is missing Andrea Parri (1): riscv/spinlock: Strengthen implementations with fences Andreas Gruenbacher (2): gfs2: Check for the end of metadata in punch_hole gfs2: Fix fallocate chunk size Andrey Konovalov (2): kasan: fix invalid-free test crashing the kernel kasan, slub: fix handling of kasan_slab_free hook Andrzej Hajda (6): clk: samsung: s3c2410: Fix PLL rates clk: samsung: exynos7: Fix PLL rates clk: samsung: exynos5260: Fix PLL rates clk: samsung: exynos5433: Fix PLL rates clk: samsung: exynos5250: Fix PLL rates clk: samsung: exynos3250: Fix PLL rates Anilkumar Kolli (1): ath10k: advertize beacon_int_min_gcd Anshuman Khandual (1): powerpc/fscr: Enable interrupts earlier before calling get_user() Antoine Tenart (8): crypto: inside-secure - move the digest to the request context crypto: inside-secure - wait for the request to complete if in the backlog crypto: atmel-aes - fix the keys zeroing on errors crypto: inside-secure - do not process request if no command was issued crypto: inside-secure - fix the cache_len computation crypto: inside-secure - fix the extra cache computation crypto: inside-secure - do not overwrite the threshold value crypto: inside-secure - fix the invalidation step during cra_exit Archit Taneja (1): dt-bindings: display: msm/dsi: Fix the PHY regulator supply props Arjun Vynipadath (2): cxgb4: Setup FW queues before registering netdev cxgb4: Fix queue free path of ULD drivers Arnd Bergmann (2): clk: hisilicon: mark wdt_mux_p[] as const media: s3c-camif: fix out-of-bounds array access Baoquan He (1): x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified Bart Van Assche (1): block: Fix a race between request queue removal and the block cgroup controller Ben Hutchings (1): usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS Benoit Parrot (1): drm/omap: Add pclk setting case when channel is DSS_WB Bjorn Andersson (2): soc: qcom: wcnss_ctrl: Fix increment in NV upload pinctrl: msm: Use dynamic GPIO numbering Bob Moore (1): ACPICA: Fix memory leak on unusual memory leak Borislav Petkov (1): x86/mce/AMD: Collect error info even if valid bits are not set Brad Love (6): media: cx23885: Override 888 ImpactVCBe crystal frequency media: cx23885: Set subdev host data to clk_freq pointer media: lgdt3306a: Fix a double kfree on i2c device remove media: lgdt3306a: Fix module count mismatch on usb unplug media: em28xx: Add Hauppauge SoloHD/DualHD bulk models media: em28xx: USB bulk packet size fix Brian Norris (1): watchdog: dw: RMW the control register Brijesh Singh (1): crypto: ccp - add check to get PSP master only when PSP is detected Bryan O'Donoghue (1): rtc: snvs: Fix usage of snvs_rtc_enable Carlos Maiolino (1): Force log to disk before reading the AGF during a fstrim Chao Yu (3): f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range f2fs: fix to clear CP_TRIMMED_FLAG f2fs: fix to check extent cache in f2fs_drop_extent_tree Charles Keepax (1): regmap: Correct comparison in regmap_cached Chris Dickens (1): usb: gadget: composite: fix incorrect handling of OS desc requests Christophe JAILLET (4): remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()' drm/meson: Fix some error handling paths in 'meson_drv_bind_master()' drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()' regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()' Christophe Jaillet (2): regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()' spi: bcm-qspi: fIX some error handling paths Christophe Leroy (1): powerpc/mm/slice: Fix hugepage allocation at hint address on 8xx Chunyu Hu (1): cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path Claudio Imbrenda (1): mm/ksm: fix interaction with THP Colin Ian King (4): net: qualcomm: rmnet: check for null ep to avoid null pointer dereference staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr rtc: tx4939: avoid unintended sign extension on a 24 bit shift media: cx25821: prevent out-of-bounds read on array card Coly Li (3): bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set bcache: fix cached_dev->count usage for bch_cache_set_error() bcache: stop dc->writeback_rate_update properly Cornelia Huck (1): vfio-ccw: fence off transport mode Dan Carpenter (2): platform/x86: dell-smbios: Fix memory leaks in build_tokens_sysfs() xen/acpi: off by one in read_acpi_id() Danilo Krummrich (1): fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table Dave Carroll (1): scsi: aacraid: Insure command thread is not recursively stopped Dave Hansen (1): x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init David Ahern (1): selftests: Add FIB onlink tests David Howells (3): fscache: Fix hanging wait on page discarded by writeback rxrpc: Fix Tx ring annotation after initial Tx failure rxrpc: Don't treat call aborts as conn aborts David Lechner (1): ARM: davinci_all_defconfig: set CONFIG_DAVINCI_WATCHDOG=y David S. Miller (1): sparc64: Make atomic_xchg() an inline function rather than a macro. Davidlohr Bueso (4): ipc/msg: introduce msgctl(MSG_STAT_ANY) ipc/sem: introduce semctl(SEM_STAT_ANY) ipc/shm: introduce shmctl(SHM_STAT_ANY) sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning Dexuan Cui (1): tools: hv: fix compiler warnings about major/target_fname Dhinakaran Pandiyan (1): drm/vblank: Data type fixes for 64-bit vblank sequences. Douglas Gilbert (1): scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD Emily Deng (1): drm/amdgpu: Clean sdma wptr register when only enable wptr polling Emmanuel Grumbach (1): mac80211: don't WARN on bad WMM parameters from buggy APs Eran Ben Elisha (1): net/mlx5e: Move all TX timeout logic to be under state lock Eric Anholt (1): drm/panel: simple: Fix the bus format for the Ontat panel Eric Dumazet (3): crypto: af_alg - fix possible uninit-value in alg_bind() soreuseport: initialise timewait reuseport field dccp: initialize ireq->ir_mark Eric Sandeen (1): ext4: don't complain about incorrect features when probing Erik Schmauss (1): ACPICA: Events: add a return on failure from acpi_hw_register_read Esben Haabendal (2): dp83640: Ensure against premature access to PHY registers after reset ARM: dts: ls1021a: Specify TBIPA register address Ezequiel Garcia (1): ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs Felipe Balbi (1): usb: dwc3: Makefile: fix link error on randconfig Filip Sadowski (1): i40e: Add delay after EMP reset for firmware to recover Filipe Manana (2): Btrfs: fix loss of prealloc extents past i_size after fsync log replay Btrfs: fix copy_items() return value when logging an inode Florian Fainelli (2): net: bgmac: Fix endian access in bgmac_dma_tx_ring_free() net: bgmac: Correctly annotate register space Frank Asseg (1): tools/thermal: tmon: fix for segfault Fuyun Liang (3): net: hns3: fix for the wrong shift problem in hns3_set_txbd_baseinfo net: hns3: fix for returning wrong value problem in hns3_get_rss_indir_size net: hns3: fix for returning wrong value problem in hns3_get_rss_key_size Gabriel Matni (1): serial: mvebu-uart: fix tx lost characters Gao Xiang (1): f2fs: flush cp pack except cp pack 2 page at first Geert Uytterhoeven (8): dmaengine: rcar-dmac: Fix too early/late system suspend/resume callbacks serial: xuartps: Fix out-of-bounds access through DT alias serial: sh-sci: Fix out-of-bounds access through DT alias serial: samsung: Fix out-of-bounds access through serial port index serial: mxs-auart: Fix out-of-bounds access through serial port index serial: imx: Fix out-of-bounds access through serial port index serial: fsl_lpuart: Fix out-of-bounds access through DT alias serial: arc_uart: Fix out-of-bounds access through DT alias Govindarajulu Varadarajan (1): enic: enable rq before updating rq descriptors Greg Ungerer (1): m68k: set dma and coherent masks for platform FEC ethernets Gregory CLEMENT (1): i2c: mv64xxx: Apply errata delay only in standard mode Grigor Tovmasyan (1): usb: dwc2: Fix interval type issue Guenter Roeck (3): hwmon: (nct6775) Fix writing pwmX_mode hwmon: (pmbus/max8688) Accept negative page register values hwmon: (pmbus/adm1275) Accept negative page register values Haiyang Zhang (1): hv_netvsc: Fix the return status in RX path Hans Verkuil (1): media: vivid: fix incorrect capabilities for radio Harry Morris (1): ieee802154: ca8210: fix uninitialised data read Heiner Kallweit (1): soc: amlogic: meson-gx-pwrc-vpu: fix error on shutdown when domain is powered off Helge Deller (1): parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode Henry Zhang (1): ARM: dts: bcm283x: Fix pin function of JTAG pins Honggang Li (1): IB/mlx5: Set the default active rate and width to QDR and 4X Huang Ying (1): mm: fix races between address_space dereference and free in page_evicatable Icenowy Zheng (1): dt-bindings: add device tree binding for Allwinner H6 main CCU Igor Russkikh (1): net: aquantia: oops when shutdown on already stopped device Ilia Lin (1): arm64: dts: qcom: Fix SPI5 config on MSM8996 Ioana Radulescu (2): staging: fsl-dpaa2/eth: Fix incorrect kfree staging: fsl-dpaa2/eth: Fix incorrect casts Ivan Gorinov (2): x86/devicetree: Initialize device tree before using it x86/devicetree: Fix device IRQ settings in DT Jacob Keller (2): i40e: hold the RTNL lock while changing interrupt schemes ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode Jake Moroni (1): dpaa_eth: fix pause capability advertisement logic James Hogan (1): rtc: goldfish: Add missing MODULE_LICENSE James Smart (8): nvme: expand nvmf_check_if_ready checks nvme_fc: fix abort race on teardown with lld reject scsi: lpfc: Fix NVME Initiator FirstBurst scsi: lpfc: Fix issue_lip if link is disabled scsi: lpfc: Fix nonrecovery of NVME controller after cable swap. scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing scsi: lpfc: Fix IO failure during hba reset testing with nvme io. scsi: lpfc: Fix frequency of Release WQE CQEs Jan Kara (2): udf: Provide saner default for invalid uid / gid fanotify: Avoid lost events due to ENOMEM for unlimited queues Jan KundrÃ¡t (1): pinctrl: mcp23s08: spi: Fix regmap debugfs entries JarosÅ‚aw Janik (1): nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A Javier Martinez Canillas (1): i2c: core: report OF style module alias for devices registered via OF Jay Vosburgh (1): virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS Jean Delvare (1): firmware: dmi_scan: Fix UUID length safety check Jeff Mahoney (1): btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers Jens Axboe (1): sr: get/drop reference to device in revalidate and check_events Jerome Brunet (1): clk: meson: axg: add the fractional part of the fixed_pll Jiandi An (1): ima: Fix Kconfig to select TPM 2.0 CRB interface Jin Yao (1): perf report: Fix wrong jump arrow Jiri Olsa (3): perf tests: Use arch__compare_symbol_names to compare symbols perf report: Fix memory corruption in --branch-history mode --branch-history perf tests: Fix dwarf unwind for stripped binaries Joe Perches (1): MIPS: Octeon: Fix logging messages with spurious periods after newlines Joerg Roedel (1): x86/pgtable: Don't set huge PUD/PMD on non-leaf entries Johannes Thumshirn (1): nvme: don't send keep-alives to the discovery controller John Allen (1): ibmvnic: Fix reset return from closed state Joonsoo Kim (1): ARM: CMA: avoid double mapping to the CMA area if CONFIG_HIGHMEM=y Juergen Gross (1): x86/xen: Add pvh specific rsdp address retrieval function Jun Piao (1): ocfs2/dlm: don't handle migrate lockres if already in shutdown Kamlakant Patel (1): ipmi_ssif: Fix kernel panic at msg_done_handler Kan Liang (5): perf mmap: Fix accessing unmapped mmap in perf_mmap__read_done() perf/x86/intel: Properly save/restore the PMU state in the NMI handler perf/x86/intel: Fix large period handling on Broadwell CPUs perf/x86/intel: Fix event update for auto-reload perf kvm: Switch to new perf_mmap__read_event() interface Karthikeyan Periyasamy (2): Revert "ath10k: send (re)assoc peer command when NSS changed" ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk) Kieran Bingham (1): media: i2c: adv748x: fix HDMI field heights Kirill Marinushkin (1): staging: bcm2835-audio: Release resources on module_exit() Ladislav Michl (1): power: supply: ltc2941-battery-gauge: Fix temperature units Larry Finger (1): Bluetooth: btusb: Add device ID for RTL8822BE Lars-Peter Clausen (2): usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS usb: gadget: ffs: Execute copy_to_user() with USER_DS set Laurent Pinchart (3): drm: omapdrm: dss: Move initialization code from component bind to probe media: v4l: vsp1: Fix display stalls when requesting too many inputs ARM: dts: porter: Fix HDMI output routing Lenny Szubowicz (1): ACPI: acpi_pad: Fix memory leak in power saving threads Leo Yan (1): coresight: Use %px to print pcsr instead of %p Leon Romanovsky (2): net/mlx5: Protect from command bit overflow RDMA/mlx5: Fix NULL dereference while accessing XRC_TGT QPs Linus Walleij (1): drm/bridge: sii902x: Retry status read after DDI I2C Liu Bo (3): Btrfs: clean up resources during umount after trans is aborted Btrfs: bail out on error during replay_dir_deletes Btrfs: fix NULL pointer dereference in log_dir_items Lorenzo Bianconi (2): mt76x2: fix possible NULL pointer dereferencing in mt76x2_tx() mt76x2: fix warning in ieee80211_get_key_rx_seq() Luca Coelho (1): iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq Luis R. Rodriguez (1): firmware: fix checking for return values for fw_add_devm_name() Madalin Bucur (1): dpaa_eth: fix SG mapping Madhavan Srinivasan (1): powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer Marc Dionne (1): rxrpc: Fix resend event time calculation Marc Zyngier (1): arm64: insn: Allow ADD/SUB (immediate) with LSL #12 Marcel Ziswiler (1): clk: tegra: Fix pll_u rate configuration Mark Rutland (1): efi/arm*: Only register page tables when they exist Masami Hiramatsu (2): tracing/uprobe_event: Fix strncpy corner case media: vb2: Fix videobuf2 to map correct area Mathias Kresin (1): MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset Mathias Nyman (2): xhci: Show what USB release number the xHC supports from protocol capablity xhci: zero usb device slot_id member when disabling and freeing a xhci slot Mathieu Malaterre (1): powerpc: Add missing prototype for arch_irq_work_raise() Maurizio Lombardi (1): cdrom: do not call check_disk_change() inside cdrom_open() Michael Ellerman (4): powerpc/mpic: Check if cpu_possible() in mpic_physmask() powerpc/perf: Fix kernel address leak via sampling registers selftests: Print the test we're running to /dev/kmsg powerpc/pseries: Make plpar_wrappers.h safe to include when PSERIES=n Michael Schmitz (1): zorro: Set up z->dev.dma_mask for the DMA API Michal Hocko (1): memcg: fix per_node_info cleanup Mikhail Malygin (1): IB/rxe: Fix for oops in rxe_register_device on ppc64le arch Milton Miller (2): watchdog: aspeed: Allow configuring for alternate boot watchdog: aspeed: Fix translation of reset mode to ctrl register Mimi Zohar (1): ima: clear IMA_HASH Minas Harutyunyan (2): usb: dwc2: hcd: Fix host channel halt flow usb: dwc2: host: Fix transaction errors in host mode Ming Lei (1): block: null_blk: fix 'Invalid parameters' when loading module Monk Liu (2): drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini drm/amdgpu: adjust timeout for ib_ring_tests(v2) NeilBrown (2): staging: lustre: fix bug in osc_enter_cache_try staging: lustre: lmv: correctly iput lmo_root Nicholas Piggin (2): powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep powerpc/64s: sreset panic if there is no debugger or crash dump handlers Nicolin Chen (1): ASoC: fsl_ssi: Maintain a mask of active streams Niklas Cassel (4): pinctrl: artpec6: dt: add missing pin group uart5nocts net: stmmac: ensure that the device has released ownership before reading data net: stmmac: ensure that the MSS desc is the last desc to set the own bit net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing() Nikolay Borisov (1): btrfs: Fix possible softlock on single core machines Nobutaka Okabe (1): ALSA: usb-audio: Add native DSD support for Luxman DA-06 Oded Gabbay (1): drm/amdkfd: add missing include of mm.h Omar Sandoval (1): loop: don't call into filesystem while holding lo_ctl_mutex Parav Pandit (1): IB/core: Honor port_num while resolving GID for IB link layer Paul E. McKenney (1): rcu: Create RCU-specific workqueues with rescuers PaweÅ‚ JabÅ‚oÅ„ski (1): i40e: Fix attach VF to VM issue Peter Robinson (1): crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss Peter Rosin (2): ARM: dts: at91: nattis: use the correct compatible for the eeprom ARM: dts: at91: tse850: use the correct compatible for the eeprom Peter Zijlstra (1): perf/core: Fix perf_output_read_group() Petr Vorel (1): ima: Fallback to the builtin hash algorithm Philipp Puschmann (1): arm: dts: socfpga: fix GIC PPI warning Pierre Bourdon (1): max17042: propagate of_node to power supply device Prashant Bhole (1): selftests/net: fixes psock_fanout eBPF test case Qi Hou (1): dmaengine: pl330: fix a race condition in case of threaded irqs Qu Wenruo (2): btrfs: tests/qgroup: Fix wrong tree backref level btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled Quytelda Kahja (1): staging: ks7010: Use constants from ieee80211_eid instead of literal ints. Rafael J. Wysocki (2): PCI: Restore config space on runtime resume despite being unbound PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle Randy Dunlap (1): kdb: make "mdr" command repeat Ranjani Sridharan (1): ASoC: topology: create TLV data for dapm widgets Ravikumar Kattekola (1): ARM: dts: dra71-evm: Correct evm_sd regulator max voltage Rich Felker (1): sh: fix debug trap failure to process signals before return to user Richard Fitzgerald (1): pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs Richard Guy Briggs (1): audit: return on memory error to avoid null pointer dereference Richard Haines (1): netlabel: If PF_INET6, check sk_buff ip header version Rolf Evers-Fischer (1): PCI: endpoint: Fix kernel panic after put_device() Sai Praneeth (1): x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush() Sandipan Das (2): perf tools: Fix perf builds with clang support perf clang: Add support for recent clang versions Sara Sharon (1): iwlwifi: mvm: take RCU lock before dereferencing Scott Branden (1): bnxt_en: fix clear flags in ethtool reset handling Sean Christopherson (2): KVM: VMX: raise internal error for exception during invalid protected mode state Revert "KVM: X86: Fix SMRAM accessing even if VM is shutdown" Sebastian Andrzej Siewior (2): iommu/amd: Take into account that alloc_dev_data() may return NULL crypto: ccp - don't disable interrupts while setting up debugfs Sebastian Gottschall (1): ath9k: fix crash in spectral scan Sergei Shtylyov (4): sh_eth: fix TSU init on SH7734/R8A7740 soc: renesas: r8a77970-sysc: fix power area parents drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3 drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2 Seunghun Han (1): ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c Shawn Lin (4): clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228 clk: Don't show the incorrect clock phase phy: rockchip-emmc: retry calpad busy trimming clk: rockchip: Prevent calculating mmc phase if clock rate is zero Shunyong Yang (1): cpufreq: CPPC: Initialize shared perf capabilities of CPUs Sinan Kaya (1): net: qlge: Eliminate duplicate barriers on weakly-ordered archs Sowmini Varadhan (1): rds: tcp: must use spin_lock_irq* and not spin_lock_bh with rds_tcp_conn_lock Sriharsha Basavapatna (1): bnxt_en: Ignore src port field in decap filter nodes Srinivas Kandagatla (1): dmaengine: qcom: bam_dma: get num-channels and num-ees from dt Stefan Wahren (2): ARM: dts: bcm283x: Fix probing of bcm2835-i2s hwrng: bcm2835 - Handle deferred clock properly Sukadev Bhattiprolu (1): powerpc/vas: Fix cleanup when VAS is not configured Suman Anna (1): ARM: dts: keystone-k2e-clocks: Fix missing unit address separator Sylwester Nawrocki (2): ASoC: samsung: odroid: Fix 32000 sample rate handling ASoC: samsung: i2s: Ensure the RCLK rate is properly determined Takashi Iwai (1): ALSA: vmaster: Propagate slave error Takeshi Kihara (1): pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group Tao (1): drm/amd/display: Set vsc pack revision when DPCD revision is >= 1.2 Tedd Ho-Jeong An (1): Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026] Tejun Heo (1): rcu: Call touch_nmi_watchdog() while printing stall warnings Tero Kristo (1): clk: ti: fix flag space conflict with clkctrl clocks Thinh Nguyen (2): usb: dwc3: Add SoftReset PHY synchonization delay usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields Thomas Falcon (3): ibmvnic: Zero used TX descriptor counter on reset ibmvnic: Allocate statistics buffers during probe ibmvnic: Fix TX descriptor tracking again Thomas Gleixner (1): genirq/affinity: Don't return with empty affinity masks on error Thomas Hellstrom (1): drm/vmwgfx: Unpin the screen object backup buffer when not used Thomas Richter (2): perf stat: Fix core dump when flag T is used perf test: Fix test case inet_pton to accept inlines. Thomas Vincent-Cross (1): PCI: Add function 1 DMA alias quirk for Marvell 88SE9220 Tom Abraham (1): swap: divide-by-zero when zero length swap file on ssd Ursula Braun (1): net/smc: pay attention to MAX_ORDER for CQ entries Uwe Kleine-KÃ¶nig (1): serial: altera: ensure port->regshift is honored consistently Vaibhav Jain (2): powerpc/xmon: Setup debugger hooks when first break-point is set cxl: Check if PSL data-cache is available before issue flush request Vicente Bergas (1): Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB Vignesh R (1): serial: 8250: Don't service RX FIFO if interrupts are disabled Viresh Kumar (1): cpufreq: Reorder cpufreq_online() error code path Vitaly Kuznetsov (1): KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use Vivek Gautam (1): phy: qcom-qmp: Fix phy pipe clock gating Wilfried Weissmann (1): scsi: mvsas: fix wrong endianness of sgpio api Wolfram Sang (1): usb: gadget: udc: change comparison to bitshift when dealing with a mask Xidong Wang (1): z3fold: fix memory leak Xose Vazquez Perez (1): scsi: devinfo: add HP DISK-SUBSYSTEM device, for HP XP arrays Yang Shi (1): mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one() Yisheng Xie (1): perf top: Fix top.call-graph config option reading Yixun Lan (1): clk: meson: axg: fix the od shift of the sys_pll Yong Wu (1): iommu/mediatek: Fix protect memory setting Yoshihiro Shimoda (1): dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue() leilei.lin (1): perf/core: Fix installing cgroup events on CPU lionel.debieve(a)st.com (1): hwrng: stm32 - add reset during probe Ã˜rjan Eide (1): drm/rockchip: Respect page offset for PRIME mmap calls .../devicetree/bindings/clock/sunxi-ccu.txt | 4 + .../devicetree/bindings/display/msm/dsi.txt | 4 + .../bindings/pinctrl/axis,artpec6-pinctrl.txt | 5 +- arch/arm/boot/dts/at91-nattis-2-natte-2.dts | 2 +- arch/arm/boot/dts/at91-tse850-3.dts | 2 +- arch/arm/boot/dts/bcm283x.dtsi | 6 +- arch/arm/boot/dts/dra71-evm.dts | 4 +- arch/arm/boot/dts/imx7d-cl-som-imx7.dts | 52 +-- arch/arm/boot/dts/keystone-k2e-clocks.dtsi | 2 +- arch/arm/boot/dts/ls1021a.dtsi | 3 +- arch/arm/boot/dts/r8a7791-porter.dts | 2 +- arch/arm/boot/dts/socfpga.dtsi | 2 +- arch/arm/configs/davinci_all_defconfig | 2 +- arch/arm/mm/dma-mapping.c | 16 +- arch/arm64/boot/dts/qcom/msm8996.dtsi | 4 +- arch/arm64/kernel/insn.c | 18 +- arch/m68k/coldfire/device.c | 12 +- arch/mips/cavium-octeon/octeon-irq.c | 10 +- arch/mips/include/asm/mach-ath79/ar71xx_regs.h | 2 +- arch/powerpc/include/asm/irq_work.h | 1 + arch/powerpc/include/asm/mmu-8xx.h | 6 + arch/powerpc/include/asm/plpar_wrappers.h | 4 + arch/powerpc/kernel/idle_book3s.S | 2 + arch/powerpc/kernel/setup-common.c | 2 + arch/powerpc/kernel/traps.c | 47 ++- arch/powerpc/mm/8xx_mmu.c | 2 +- arch/powerpc/mm/hugetlbpage.c | 2 + arch/powerpc/mm/mmu_context_nohash.c | 18 +- arch/powerpc/perf/core-book3s.c | 25 ++ arch/powerpc/platforms/Kconfig.cputype | 1 + arch/powerpc/platforms/powernv/npu-dma.c | 229 ++++++++----- arch/powerpc/platforms/powernv/vas-debug.c | 11 + arch/powerpc/platforms/powernv/vas.c | 6 +- arch/powerpc/sysdev/mpic.c | 2 +- arch/powerpc/xmon/xmon.c | 17 +- arch/riscv/include/asm/fence.h | 12 + arch/riscv/include/asm/spinlock.h | 29 +- arch/sh/kernel/entry-common.S | 2 +- arch/sparc/include/asm/atomic_64.h | 6 +- arch/x86/events/core.c | 15 +- arch/x86/events/intel/core.c | 12 +- arch/x86/events/intel/ds.c | 92 ++++- arch/x86/events/perf_event.h | 2 +- arch/x86/include/asm/tlbflush.h | 7 +- arch/x86/kernel/apic/apic.c | 2 +- arch/x86/kernel/cpu/mcheck/mce.c | 14 + arch/x86/kernel/devicetree.c | 21 +- arch/x86/kvm/lapic.c | 10 +- arch/x86/kvm/mmu.c | 2 +- arch/x86/kvm/vmx.c | 20 +- arch/x86/mm/pageattr.c | 6 +- arch/x86/mm/pgtable.c | 9 + arch/x86/xen/enlighten_pvh.c | 14 +- block/blk-core.c | 31 ++ block/blk-sysfs.c | 7 - crypto/af_alg.c | 8 +- drivers/acpi/acpi_pad.c | 3 + drivers/acpi/acpica/evevent.c | 9 +- drivers/acpi/acpica/nseval.c | 8 + drivers/acpi/acpica/psargs.c | 4 + drivers/base/firmware_class.c | 12 +- drivers/base/regmap/regmap.c | 2 +- drivers/block/loop.c | 38 ++- drivers/block/null_blk.c | 46 +-- drivers/block/paride/pcd.c | 2 + drivers/bluetooth/btusb.c | 13 + drivers/cdrom/cdrom.c | 3 - drivers/cdrom/gdrom.c | 3 + drivers/char/hw_random/bcm2835-rng.c | 2 + drivers/char/hw_random/stm32-rng.c | 9 + drivers/char/ipmi/ipmi_ssif.c | 4 +- drivers/clk/clk.c | 3 + drivers/clk/hisilicon/crg-hi3516cv300.c | 2 +- drivers/clk/meson/axg.c | 7 +- drivers/clk/rockchip/clk-mmc-phase.c | 23 ++ drivers/clk/rockchip/clk-rk3228.c | 2 +- drivers/clk/samsung/clk-exynos3250.c | 4 +- drivers/clk/samsung/clk-exynos5250.c | 8 +- drivers/clk/samsung/clk-exynos5260.c | 2 +- drivers/clk/samsung/clk-exynos5433.c | 12 +- drivers/clk/samsung/clk-exynos7.c | 2 +- drivers/clk/samsung/clk-s3c2410.c | 16 +- drivers/clk/tegra/clk-pll.c | 2 + drivers/clk/ti/clock.h | 9 +- drivers/cpufreq/cppc_cpufreq.c | 23 +- drivers/cpufreq/cpufreq.c | 6 +- drivers/crypto/atmel-aes.c | 2 +- drivers/crypto/ccp/ccp-debugfs.c | 7 +- drivers/crypto/ccp/sp-dev.c | 6 +- drivers/crypto/inside-secure/safexcel.c | 12 +- drivers/crypto/inside-secure/safexcel_cipher.c | 2 +- drivers/crypto/inside-secure/safexcel_hash.c | 38 ++- drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 + drivers/dma/pl330.c | 6 +- drivers/dma/qcom/bam_dma.c | 27 +- drivers/dma/sh/rcar-dmac.c | 13 +- drivers/firmware/dmi_scan.c | 2 +- drivers/firmware/efi/arm-runtime.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 1 + drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 33 +- drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 8 +- drivers/gpu/drm/amd/amdgpu/sdma_v3_0.c | 7 +- drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +- drivers/gpu/drm/bridge/sii902x.c | 20 +- drivers/gpu/drm/drm_vblank.c | 8 +- drivers/gpu/drm/meson/meson_drv.c | 29 +- drivers/gpu/drm/omapdrm/dss/dispc.c | 4 + drivers/gpu/drm/omapdrm/dss/dss.c | 193 ++++++----- drivers/gpu/drm/panel/panel-simple.c | 2 +- drivers/gpu/drm/rcar-du/rcar_du_lvdsenc.c | 18 +- drivers/gpu/drm/rockchip/rockchip_drm_gem.c | 7 +- drivers/gpu/drm/vmwgfx/vmwgfx_scrn.c | 29 +- drivers/hwmon/nct6775.c | 10 +- drivers/hwmon/pmbus/adm1275.c | 4 +- drivers/hwmon/pmbus/max8688.c | 2 +- drivers/hwtracing/coresight/coresight-cpu-debug.c | 2 +- drivers/hwtracing/intel_th/core.c | 2 +- drivers/i2c/busses/i2c-mv64xxx.c | 8 +- drivers/i2c/i2c-core-base.c | 8 + drivers/ide/ide-cd.c | 2 + drivers/infiniband/core/multicast.c | 26 +- drivers/infiniband/hw/mlx5/main.c | 3 + drivers/infiniband/hw/mlx5/qp.c | 3 +- drivers/infiniband/sw/rxe/rxe_verbs.c | 2 +- drivers/iommu/amd_iommu.c | 2 + drivers/iommu/mtk_iommu.c | 15 +- drivers/iommu/mtk_iommu.h | 1 + drivers/macintosh/rack-meter.c | 4 +- drivers/md/bcache/bcache.h | 9 +- drivers/md/bcache/super.c | 39 ++- drivers/md/bcache/sysfs.c | 3 +- drivers/md/bcache/writeback.c | 60 +++- drivers/md/bcache/writeback.h | 2 - drivers/media/common/videobuf2/videobuf2-vmalloc.c | 2 +- drivers/media/dvb-frontends/lgdt3306a.c | 10 +- drivers/media/i2c/adv748x/adv748x-hdmi.c | 3 + drivers/media/i2c/ov5645.c | 5 +- drivers/media/pci/cx23885/cx23885-cards.c | 4 + drivers/media/pci/cx23885/cx23885-core.c | 10 + drivers/media/pci/cx25821/cx25821-core.c | 7 +- drivers/media/platform/s3c-camif/camif-capture.c | 7 +- drivers/media/platform/vivid/vivid-ctrls.c | 2 + drivers/media/platform/vsp1/vsp1_drm.c | 9 + drivers/media/usb/em28xx/em28xx-cards.c | 22 +- drivers/media/usb/em28xx/em28xx.h | 2 +- drivers/misc/cxl/cxl.h | 4 + drivers/misc/cxl/native.c | 11 +- drivers/misc/cxl/pci.c | 19 +- drivers/net/ethernet/aquantia/atlantic/aq_nic.c | 8 +- drivers/net/ethernet/broadcom/bgmac.c | 3 +- drivers/net/ethernet/broadcom/bgmac.h | 6 +- drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 8 +- drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c | 4 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 +- drivers/net/ethernet/chelsio/cxgb4/cxgb4_uld.c | 1 + drivers/net/ethernet/cisco/enic/enic_main.c | 10 +- drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 23 +- drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +- drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c | 4 +- drivers/net/ethernet/ibm/ibmvnic.c | 32 +- drivers/net/ethernet/intel/i40e/i40e_main.c | 30 +- drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 11 + drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 3 +- drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 2 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 61 ++-- drivers/net/ethernet/qlogic/qlge/qlge.h | 16 + drivers/net/ethernet/qlogic/qlge/qlge_main.c | 3 +- drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c | 2 + drivers/net/ethernet/renesas/sh_eth.c | 6 +- drivers/net/ethernet/renesas/sh_eth.h | 1 + drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 16 +- drivers/net/hyperv/netvsc.c | 8 +- drivers/net/hyperv/netvsc_drv.c | 2 +- drivers/net/hyperv/rndis_filter.c | 4 +- drivers/net/ieee802154/ca8210.c | 14 +- drivers/net/phy/dp83640.c | 18 + drivers/net/usb/lan78xx.c | 34 +- drivers/net/virtio_net.c | 2 +- drivers/net/wireless/ath/ath10k/mac.c | 17 +- drivers/net/wireless/ath/ath9k/common-spectral.c | 12 +- drivers/net/wireless/intel/iwlwifi/mvm/rs-fw.c | 6 +- drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 11 +- drivers/net/wireless/mediatek/mt76/mt76x2_main.c | 11 + drivers/net/wireless/mediatek/mt76/mt76x2_tx.c | 5 +- drivers/net/wireless/rsi/rsi_91x_sdio.c | 32 +- drivers/net/wireless/rsi/rsi_sdio.h | 2 + drivers/nvme/host/core.c | 17 +- drivers/nvme/host/fabrics.c | 83 ++++- drivers/nvme/host/fabrics.h | 33 +- drivers/nvme/host/fc.c | 17 +- drivers/nvme/host/nvme.h | 1 + drivers/nvme/host/pci.c | 7 +- drivers/nvme/host/rdma.c | 14 +- drivers/nvme/target/loop.c | 11 +- drivers/parisc/lba_pci.c | 20 +- drivers/pci/endpoint/pci-epf-core.c | 2 +- drivers/pci/pci-driver.c | 17 +- drivers/pci/quirks.c | 3 + drivers/pcmcia/cs.c | 10 +- drivers/pcmcia/cs_internal.h | 1 + drivers/phy/qualcomm/phy-qcom-qmp.c | 4 +- drivers/phy/rockchip/phy-rockchip-emmc.c | 27 +- drivers/pinctrl/devicetree.c | 6 +- drivers/pinctrl/pinctrl-mcp23s08.c | 37 +- drivers/pinctrl/qcom/pinctrl-msm.c | 2 +- drivers/pinctrl/sh-pfc/pfc-r8a7796.c | 40 +-- drivers/platform/x86/dell-smbios-base.c | 4 +- drivers/power/supply/ltc2941-battery-gauge.c | 8 +- drivers/power/supply/max17042_battery.c | 1 + drivers/regulator/gpio-regulator.c | 16 +- drivers/regulator/of_regulator.c | 1 + drivers/remoteproc/imx_rproc.c | 6 +- drivers/rtc/hctosys.c | 5 + drivers/rtc/rtc-goldfish.c | 2 + drivers/rtc/rtc-m41t80.c | 18 +- drivers/rtc/rtc-rk808.c | 14 +- drivers/rtc/rtc-rp5c01.c | 12 +- drivers/rtc/rtc-snvs.c | 15 +- drivers/rtc/rtc-tx4939.c | 6 +- drivers/s390/cio/vfio_ccw_fsm.c | 5 + drivers/scsi/aacraid/commsup.c | 4 +- drivers/scsi/aacraid/linit.c | 1 + drivers/scsi/lpfc/lpfc_attr.c | 5 + drivers/scsi/lpfc/lpfc_hbadisc.c | 5 +- drivers/scsi/lpfc/lpfc_nportdisc.c | 15 +- drivers/scsi/lpfc/lpfc_nvme.c | 28 +- drivers/scsi/lpfc/lpfc_nvme.h | 2 + drivers/scsi/lpfc/lpfc_sli.c | 2 + drivers/scsi/mvsas/mv_94xx.c | 23 +- drivers/scsi/scsi_devinfo.c | 1 + drivers/scsi/scsi_lib.c | 11 + drivers/scsi/sr.c | 21 +- drivers/soc/amlogic/meson-gx-pwrc-vpu.c | 6 +- drivers/soc/qcom/wcnss_ctrl.c | 2 +- drivers/soc/renesas/r8a77970-sysc.c | 12 +- drivers/spi/spi-bcm-qspi.c | 4 +- drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 16 +- drivers/staging/ks7010/ks_hostif.c | 31 +- drivers/staging/ks7010/ks_hostif.h | 1 + drivers/staging/lustre/lustre/include/obd.h | 2 +- drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +- drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +- drivers/staging/rtl8192u/r8192U_core.c | 2 + .../staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++- drivers/tty/serial/8250/8250_port.c | 3 +- drivers/tty/serial/altera_uart.c | 12 +- drivers/tty/serial/arc_uart.c | 5 + drivers/tty/serial/fsl_lpuart.c | 4 + drivers/tty/serial/imx.c | 6 + drivers/tty/serial/mvebu-uart.c | 2 +- drivers/tty/serial/mxs-auart.c | 4 + drivers/tty/serial/samsung.c | 4 + drivers/tty/serial/sh-sci.c | 4 + drivers/tty/serial/xilinx_uartps.c | 2 +- drivers/usb/dwc2/core.h | 2 +- drivers/usb/dwc2/hcd.c | 32 +- drivers/usb/dwc3/Makefile | 2 +- drivers/usb/dwc3/core.c | 13 +- drivers/usb/dwc3/core.h | 2 + drivers/usb/gadget/composite.c | 40 ++- drivers/usb/gadget/function/f_fs.c | 6 +- drivers/usb/gadget/udc/goku_udc.h | 2 +- drivers/usb/host/xhci-mem.c | 2 + drivers/usb/host/xhci.c | 14 +- drivers/usb/usbip/Kconfig | 2 +- drivers/watchdog/asm9260_wdt.c | 8 +- drivers/watchdog/aspeed_wdt.c | 13 +- drivers/watchdog/davinci_wdt.c | 15 +- drivers/watchdog/dw_wdt.c | 23 +- drivers/watchdog/sprd_wdt.c | 4 +- drivers/xen/xen-acpi-processor.c | 6 +- drivers/zorro/zorro.c | 12 + fs/btrfs/dev-replace.c | 2 +- fs/btrfs/disk-io.c | 5 +- fs/btrfs/extent-tree.c | 1 + fs/btrfs/tests/qgroup-tests.c | 2 +- fs/btrfs/transaction.c | 10 +- fs/btrfs/tree-log.c | 75 ++++- fs/ext4/super.c | 12 + fs/f2fs/checkpoint.c | 71 ++-- fs/f2fs/extent_cache.c | 3 + fs/f2fs/file.c | 8 +- fs/fscache/page.c | 13 +- fs/gfs2/bmap.c | 10 +- fs/gfs2/file.c | 5 +- fs/gfs2/quota.h | 2 + fs/notify/fanotify/fanotify.c | 19 +- fs/notify/fanotify/fanotify.h | 3 +- fs/notify/fanotify/fanotify_user.c | 2 +- fs/ocfs2/dlm/dlmdomain.c | 14 - fs/ocfs2/dlm/dlmdomain.h | 25 +- fs/ocfs2/dlm/dlmrecovery.c | 9 + fs/proc/proc_sysctl.c | 3 + fs/udf/super.c | 5 +- fs/xfs/xfs_discard.c | 14 +- include/drm/drm_vblank.h | 2 +- include/linux/usb/composite.h | 3 + include/net/inet_timewait_sock.h | 1 + include/scsi/scsi.h | 2 + include/uapi/linux/msg.h | 1 + include/uapi/linux/sem.h | 1 + include/uapi/linux/shm.h | 5 +- ipc/msg.c | 17 +- ipc/sem.c | 17 +- ipc/shm.c | 23 +- kernel/audit.c | 2 + kernel/debug/kdb/kdb_main.c | 27 +- kernel/events/core.c | 49 ++- kernel/irq/affinity.c | 15 +- kernel/rcu/rcu.h | 1 + kernel/rcu/srcutree.c | 8 +- kernel/rcu/tree.c | 6 + kernel/rcu/tree_exp.h | 2 +- kernel/rcu/tree_plugin.h | 14 +- kernel/sched/rt.c | 2 + kernel/trace/trace_uprobe.c | 2 + lib/test_kasan.c | 8 + mm/ksm.c | 28 ++ mm/memcontrol.c | 3 + mm/page_idle.c | 12 +- mm/slub.c | 57 ++-- mm/swapfile.c | 4 + mm/vmscan.c | 8 +- mm/z3fold.c | 9 +- net/dccp/ipv4.c | 1 + net/dccp/ipv6.c | 1 + net/ipv4/inet_timewait_sock.c | 1 + net/mac80211/mlme.c | 3 +- net/netlabel/netlabel_unlabeled.c | 10 + net/rds/tcp.c | 17 +- net/rxrpc/call_event.c | 2 +- net/rxrpc/input.c | 15 +- net/rxrpc/sendmsg.c | 4 +- net/smc/smc_ib.c | 10 +- net/smc/smc_wr.h | 1 - security/integrity/ima/Kconfig | 1 + security/integrity/ima/ima_crypto.c | 2 + security/integrity/ima/ima_main.c | 13 + security/integrity/ima/ima_policy.c | 2 +- security/selinux/hooks.c | 3 + security/smack/smack_lsm.c | 3 + sound/core/vmaster.c | 5 +- sound/soc/fsl/fsl_ssi.c | 15 +- sound/soc/rockchip/Kconfig | 3 + sound/soc/samsung/i2s.c | 13 +- sound/soc/samsung/odroid.c | 11 +- sound/soc/soc-topology.c | 3 + sound/usb/quirks.c | 29 +- tools/hv/hv_fcopy_daemon.c | 3 +- tools/hv/hv_vss_daemon.c | 1 + tools/perf/Makefile.perf | 3 +- tools/perf/builtin-kvm.c | 17 +- tools/perf/builtin-stat.c | 9 +- tools/perf/builtin-top.c | 6 +- tools/perf/tests/dwarf-unwind.c | 46 ++- .../perf/tests/shell/trace+probe_libc_inet_pton.sh | 6 +- tools/perf/tests/vmlinux-kallsyms.c | 2 +- tools/perf/ui/browsers/annotate.c | 9 +- tools/perf/util/c++/clang.cpp | 11 +- tools/perf/util/hist.c | 4 +- tools/perf/util/hist.h | 1 - tools/perf/util/mmap.c | 6 + tools/testing/selftests/Makefile | 1 + tools/testing/selftests/net/fib-onlink-tests.sh | 375 +++++++++++++++++++++ tools/testing/selftests/net/psock_fanout.c | 3 +- tools/thermal/tmon/sysfs.c | 12 +- tools/thermal/tmon/tmon.c | 1 - 368 files changed, 3410 insertions(+), 1253 deletions(-) create mode 100644 arch/riscv/include/asm/fence.h create mode 100755 tools/testing/selftests/net/fib-onlink-tests.sh -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAlrihEMACgkQ3qZv95d3 LNz4qhAAqKT0kzQMLjCSKqrRx0B51Z50nxtr7Qa5QchvT/38SphIyXq/+5MCeRsE V4AA21ltul6rjVh84AWfcIGjkP4eCcFS6D/y2/0bkDO1r2zyJonZ2JvIGkx7kQyW Atomdc231mNzkaH45a+JwJ+fnbQQq9zLZVDDQCk1jXYSwAklC8TvCvCd9xB/Eqda 3ZB0/+rpNG42ZXwH5YGMTFbNdp+vhHhMW4sF4FWnSvX8pspyrHlyYlzlxZLoakHz TNOq2shWITPiBOEh3b2MpNJFmiD/980r+K6qwEPZIeDwoUF1ADVz2SgWiEcf2iTU 14URtiUGg5RTLW82xq1wxxa0g61G5JZplzwE3yrOM9SA5Kclsx2LlCdBYo14nB4R Cz1EBUtV/HxuXrMVf2YRWU0SEMGClm2XgZycLvx5tMgNXLgxA6/fTXmWiR3seBgH Fwnb5u/YGFtrzjkgQ9HlhvmT1hiy2a7hOAjiULx7mBtYo/Ns7FWWGGAYX3O9vML4 WvAlDUcts1t6h225G8o2rFHJfAPiipmEfzp2o0lFSXGiCsL47JRk8aq99XsjpI5G n5KesG0ndKgtnZuI9vi11fffKOREm0tRYuABncqIPqKIPVZoBq2gwiFDgVHDzai+ VZaipyeHdueAH/Fnenp0a05mBdg7m+4NfOUVqApH2SYQizWSYuM= =MB3S -----END PGP SIGNATURE-----

7 years, 4 months

4
9
0 0

+ radix-tree-fix-multi-order-iteration-race.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: radix tree: fix multi-order iteration race has been added to the -mm tree. Its filename is radix-tree-fix-multi-order-iteration-race.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/radix-tree-fix-multi-order-iterati… and later at http://ozlabs.org/~akpm/mmotm/broken-out/radix-tree-fix-multi-order-iterati… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Ross Zwisler <ross.zwisler(a)linux.intel.com> Subject: radix tree: fix multi-order iteration race Fix a race in the multi-order iteration code which causes the kernel to hit a GP fault. This was first seen with a production v4.15 based kernel (4.15.6-300.fc27.x86_64) utilizing a DAX workload which used order 9 PMD DAX entries. The race has to do with how we tear down multi-order sibling entries when we are removing an item from the tree. Remember for example that an order 2 entry looks like this: struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] where 'entry' is in some slot in the struct radix_tree_node, and the three slots following 'entry' contain sibling pointers which point back to 'entry.' When we delete 'entry' from the tree, we call : radix_tree_delete() radix_tree_delete_item() __radix_tree_delete() replace_slot() replace_slot() first removes the siblings in order from the first to the last, then at then replaces 'entry' with NULL. This means that for a brief period of time we end up with one or more of the siblings removed, so: struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] This causes an issue if you have a reader iterating over the slots in the tree via radix_tree_for_each_slot() while only under rcu_read_lock()/rcu_read_unlock() protection. This is a common case in mm/filemap.c. The issue is that when __radix_tree_next_slot() => skip_siblings() tries to skip over the sibling entries in the slots, it currently does so with an exact match on the slot directly preceding our current slot. Normally this works: V preceding slot struct radix_tree_node.slots[] = [entry][sibling][sibling][sibling] ^ current slot This lets you find the first sibling, and you skip them all in order. But in the case where one of the siblings is NULL, that slot is skipped and then our sibling detection is interrupted: V preceding slot struct radix_tree_node.slots[] = [entry][NULL][sibling][sibling] ^ current slot This means that the sibling pointers aren't recognized since they point all the way back to 'entry', so we think that they are normal internal radix tree pointers. This causes us to think we need to walk down to a struct radix_tree_node starting at the address of 'entry'. In a real running kernel this will crash the thread with a GP fault when you try and dereference the slots in your broken node starting at 'entry'. We fix this race by fixing the way that skip_siblings() detects sibling nodes. Instead of testing against the preceding slot we instead look for siblings via is_sibling_entry() which compares against the position of the struct radix_tree_node.slots[] array. This ensures that sibling entries are properly identified, even if they are no longer contiguous with the 'entry' they point to. Link: http://lkml.kernel.org/r/20180503192430.7582-6-ross.zwisler@linux.intel.com Fixes: 148deab223b2 ("radix-tree: improve multiorder iterators") Signed-off-by: Ross Zwisler <ross.zwisler(a)linux.intel.com> Reported-by: CR, Sapthagirish <sapthagirish.cr(a)intel.com> Reviewed-by: Jan Kara <jack(a)suse.cz> Cc: Matthew Wilcox <willy(a)infradead.org> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Dan Williams <dan.j.williams(a)intel.com> Cc: Dave Chinner <david(a)fromorbit.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- lib/radix-tree.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff -puN lib/radix-tree.c~radix-tree-fix-multi-order-iteration-race lib/radix-tree.c --- a/lib/radix-tree.c~radix-tree-fix-multi-order-iteration-race +++ a/lib/radix-tree.c @@ -1612,11 +1612,9 @@ static void set_iter_tags(struct radix_t static void __rcu **skip_siblings(struct radix_tree_node **nodep, void __rcu **slot, struct radix_tree_iter *iter) { - void *sib = node_to_entry(slot - 1); - while (iter->index < iter->next_index) { *nodep = rcu_dereference_raw(*slot); - if (*nodep && *nodep != sib) + if (*nodep && !is_sibling_entry(iter->node, *nodep)) return slot; slot++; iter->index = __radix_tree_iter_add(iter, 1); @@ -1631,7 +1629,7 @@ void __rcu **__radix_tree_next_slot(void struct radix_tree_iter *iter, unsigned flags) { unsigned tag = flags & RADIX_TREE_ITER_TAG_MASK; - struct radix_tree_node *node = rcu_dereference_raw(*slot); + struct radix_tree_node *node; slot = skip_siblings(&node, slot, iter); _ Patches currently in -mm which might be from ross.zwisler(a)linux.intel.com are radix-tree-test-suite-fix-mapshift-build-target.patch radix-tree-test-suite-fix-compilation-issue.patch radix-tree-test-suite-add-item_delete_rcu.patch radix-tree-test-suite-multi-order-iteration-race.patch radix-tree-fix-multi-order-iteration-race.patch

7 years, 4 months

3
2
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror