- Linux-stable-mirror - lists.linaro.org

[patch 06/27] ipc/shm: fix use-after-free of shm file via remap_file_pages()

by akpm＠linux-foundation.org

From: Eric Biggers <ebiggers(a)google.com> Subject: ipc/shm: fix use-after-free of shm file via remap_file_pages() syzbot reported a use-after-free of shm_file_data(file)->file->f_op in shm_get_unmapped_area(), called via sys_remap_file_pages(). Unfortunately it couldn't generate a reproducer, but I found a bug which I think caused it. When remap_file_pages() is passed a full System V shared memory segment, the memory is first unmapped, then a new map is created using the ->vm_file. Between these steps, the shm ID can be removed and reused for a new shm segment. But, shm_mmap() only checks whether the ID is currently valid before calling the underlying file's ->mmap(); it doesn't check whether it was reused. Thus it can use the wrong underlying file, one that was already freed. Fix this by making the "outer" shm file (the one that gets put in ->vm_file) hold a reference to the real shm file, and by making __shm_open() require that the file associated with the shm ID matches the one associated with the "outer" file. Taking the reference to the real shm file is needed to fully solve the problem, since otherwise sfd->file could point to a freed file, which then could be reallocated for the reused shm ID, causing the wrong shm segment to be mapped (and without the required permission checks). Commit 1ac0b6dec656 ("ipc/shm: handle removed segments gracefully in shm_mmap()") almost fixed this bug, but it didn't go far enough because it didn't consider the case where the shm ID is reused. The following program usually reproduces this bug: #include <stdlib.h> #include <sys/shm.h> #include <sys/syscall.h> #include <unistd.h> int main() { int is_parent = (fork() != 0); srand(getpid()); for (;;) { int id = shmget(0xF00F, 4096, IPC_CREAT|0700); if (is_parent) { void *addr = shmat(id, NULL, 0); usleep(rand() % 50); while (!syscall(__NR_remap_file_pages, addr, 4096, 0, 0, 0)); } else { usleep(rand() % 50); shmctl(id, IPC_RMID, NULL); } } } It causes the following NULL pointer dereference due to a 'struct file' being used while it's being freed. (I couldn't actually get a KASAN use-after-free splat like in the syzbot report. But I think it's possible with this bug; it would just take a more extraordinary race...) BUG: unable to handle kernel NULL pointer dereference at 0000000000000058 PGD 0 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 9 PID: 258 Comm: syz_ipc Not tainted 4.16.0-05140-gf8cf2f16a7c95 #189 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 RIP: 0010:d_inode include/linux/dcache.h:519 [inline] RIP: 0010:touch_atime+0x25/0xd0 fs/inode.c:1724 [...] Call Trace: file_accessed include/linux/fs.h:2063 [inline] shmem_mmap+0x25/0x40 mm/shmem.c:2149 call_mmap include/linux/fs.h:1789 [inline] shm_mmap+0x34/0x80 ipc/shm.c:465 call_mmap include/linux/fs.h:1789 [inline] mmap_region+0x309/0x5b0 mm/mmap.c:1712 do_mmap+0x294/0x4a0 mm/mmap.c:1483 do_mmap_pgoff include/linux/mm.h:2235 [inline] SYSC_remap_file_pages mm/mmap.c:2853 [inline] SyS_remap_file_pages+0x232/0x310 mm/mmap.c:2769 do_syscall_64+0x64/0x1a0 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ebiggers(a)google.com: add comment] Link: http://lkml.kernel.org/r/20180410192850.235835-1-ebiggers3@gmail.com Link: http://lkml.kernel.org/r/20180409043039.28915-1-ebiggers3@gmail.com Reported-by: syzbot+d11f321e7f1923157eac80aa990b446596f46439(a)syzkaller.appspotmail.com Fixes: c8d78c1823f4 ("mm: replace remap_file_pages() syscall with emulation") Signed-off-by: Eric Biggers <ebiggers(a)google.com> Acked-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Acked-by: Davidlohr Bueso <dbueso(a)suse.de> Cc: Manfred Spraul <manfred(a)colorfullife.com> Cc: "Eric W . Biederman" <ebiederm(a)xmission.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- ipc/shm.c | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff -puN ipc/shm.c~ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages ipc/shm.c --- a/ipc/shm.c~ipc-shm-fix-use-after-free-of-shm-file-via-remap_file_pages +++ a/ipc/shm.c @@ -225,6 +225,12 @@ static int __shm_open(struct vm_area_str if (IS_ERR(shp)) return PTR_ERR(shp); + if (shp->shm_file != sfd->file) { + /* ID was reused */ + shm_unlock(shp); + return -EINVAL; + } + shp->shm_atim = ktime_get_real_seconds(); ipc_update_pid(&shp->shm_lprid, task_tgid(current)); shp->shm_nattch++; @@ -455,8 +461,9 @@ static int shm_mmap(struct file *file, s int ret; /* - * In case of remap_file_pages() emulation, the file can represent - * removed IPC ID: propogate shm_lock() error to caller. + * In case of remap_file_pages() emulation, the file can represent an + * IPC ID that was removed, and possibly even reused by another shm + * segment already. Propagate this case as an error to caller. */ ret = __shm_open(vma); if (ret) @@ -480,6 +487,7 @@ static int shm_release(struct inode *ino struct shm_file_data *sfd = shm_file_data(file); put_ipc_ns(sfd->ns); + fput(sfd->file); shm_file_data(file) = NULL; kfree(sfd); return 0; @@ -1445,7 +1453,16 @@ long do_shmat(int shmid, char __user *sh file->f_mapping = shp->shm_file->f_mapping; sfd->id = shp->shm_perm.id; sfd->ns = get_ipc_ns(ns); - sfd->file = shp->shm_file; + /* + * We need to take a reference to the real shm file to prevent the + * pointer from becoming stale in cases where the lifetime of the outer + * file extends beyond that of the shm segment. It's not usually + * possible, but it can happen during remap_file_pages() emulation as + * that unmaps the memory, then does ->mmap() via file reference only. + * We'll deny the ->mmap() if the shm segment was since removed, but to + * detect shm ID reuse we need to compare the file pointers. + */ + sfd->file = get_file(shp->shm_file); sfd->vm_ops = NULL; err = security_mmap_file(file, prot, flags); _

7 years, 9 months

1
0
0 0

[patch 03/27] get_user_pages_fast(): return -EFAULT on access_ok failure

by akpm＠linux-foundation.org

From: "Michael S. Tsirkin" <mst(a)redhat.com> Subject: get_user_pages_fast(): return -EFAULT on access_ok failure get_user_pages_fast is supposed to be a faster drop-in equivalent of get_user_pages. As such, callers expect it to return a negative return code when passed an invalid address, and never expect it to return 0 when passed a positive number of pages, since its documentation says: * Returns number of pages pinned. This may be fewer than the number * requested. If nr_pages is 0 or negative, returns 0. If no pages * were pinned, returns -errno. When get_user_pages_fast fall back on get_user_pages this is exactly what happens. Unfortunately the implementation is inconsistent: it returns 0 if passed a kernel address, confusing callers: for example, the following is pretty common but does not appear to do the right thing with a kernel address: ret = get_user_pages_fast(addr, 1, writeable, &page); if (ret < 0) return ret; Change get_user_pages_fast to return -EFAULT when supplied a kernel address to make it match expectations. All callers have been audited for consistency with the documented semantics. Link: http://lkml.kernel.org/r/1522962072-182137-4-git-send-email-mst@redhat.com Fixes: 5b65c4677a57 ("mm, x86/mm: Fix performance regression in get_user_pages_fast()") Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Reported-by: syzbot+6304bf97ef436580fede(a)syzkaller.appspotmail.com Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Huang Ying <ying.huang(a)intel.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Thorsten Leemhuis <regressions(a)leemhuis.info> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff -puN mm/gup.c~gup-return-efault-on-access_ok-failure mm/gup.c --- a/mm/gup.c~gup-return-efault-on-access_ok-failure +++ a/mm/gup.c @@ -1806,9 +1806,12 @@ int get_user_pages_fast(unsigned long st len = (unsigned long) nr_pages << PAGE_SHIFT; end = start + len; + if (nr_pages <= 0) + return 0; + if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ, (void __user *)start, len))) - return 0; + return -EFAULT; if (gup_fast_permitted(start, nr_pages, write)) { local_irq_disable(); _

7 years, 9 months

1
0
0 0

[patch 02/27] mm/gup_benchmark: handle gup failures

by akpm＠linux-foundation.org

From: "Michael S. Tsirkin" <mst(a)redhat.com> Subject: mm/gup_benchmark: handle gup failures Patch series "mm/get_user_pages_fast fixes, cleanups", v2. Turns out get_user_pages_fast and __get_user_pages_fast return different values on error when given a single page: __get_user_pages_fast returns 0. get_user_pages_fast returns either 0 or an error. Callers of get_user_pages_fast expect an error so fix it up to return an error consistently. Stress the difference between get_user_pages_fast and __get_user_pages_fast to make sure callers aren't confused. This patch (of 3): __gup_benchmark_ioctl does not handle the case where get_user_pages_fast fails: - a negative return code will cause a buffer overrun - returning with partial success will cause use of uninitialized memory. [akpm(a)linux-foundation.org: simplification] Link: http://lkml.kernel.org/r/1522962072-182137-3-git-send-email-mst@redhat.com Signed-off-by: Michael S. Tsirkin <mst(a)redhat.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Huang Ying <ying.huang(a)intel.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Thorsten Leemhuis <regressions(a)leemhuis.info> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup_benchmark.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff -puN mm/gup_benchmark.c~mm-gup_benchmark-handle-gup-failures mm/gup_benchmark.c --- a/mm/gup_benchmark.c~mm-gup_benchmark-handle-gup-failures +++ a/mm/gup_benchmark.c @@ -23,7 +23,7 @@ static int __gup_benchmark_ioctl(unsigne struct page **pages; nr_pages = gup->size / PAGE_SIZE; - pages = kvmalloc(sizeof(void *) * nr_pages, GFP_KERNEL); + pages = kvzalloc(sizeof(void *) * nr_pages, GFP_KERNEL); if (!pages) return -ENOMEM; @@ -41,6 +41,8 @@ static int __gup_benchmark_ioctl(unsigne } nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i); + if (nr <= 0) + break; i += nr; } end_time = ktime_get(); _

7 years, 9 months

1
0
0 0

[patch 01/27] resource: fix integer overflow at reallocation

by akpm＠linux-foundation.org

From: Takashi Iwai <tiwai(a)suse.de> Subject: resource: fix integer overflow at reallocation We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid PCI resource assigned after reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check of the newly calculated resource for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Link: http://lkml.kernel.org/r/s5hpo37d5l8.wl-tiwai@suse.de Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Reported-by: Michael Henders <hendersm(a)shaw.ca> Tested-by: Michael Henders <hendersm(a)shaw.ca> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Ram Pai <linuxram(a)us.ibm.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- kernel/resource.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff -puN kernel/resource.c~resource-fix-integer-overflow-at-reallocation-v1 kernel/resource.c --- a/kernel/resource.c~resource-fix-integer-overflow-at-reallocation-v1 +++ a/kernel/resource.c @@ -651,7 +651,8 @@ static int __find_resource(struct resour alloc.start = constraint->alignf(constraint->alignf_data, &avail, size, constraint->align); alloc.end = alloc.start + size - 1; - if (resource_contains(&avail, &alloc)) { + if (alloc.start <= alloc.end && + resource_contains(&avail, &alloc)) { new->start = alloc.start; new->end = alloc.end; return 0; _

7 years, 9 months

1
0
0 0

[folded-merged] mm-gup_benchmark-handle-gup-failures-fix.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm-gup_benchmark-handle-gup-failures-fix has been removed from the -mm tree. Its filename was mm-gup_benchmark-handle-gup-failures-fix.patch This patch was dropped because it was folded into mm-gup_benchmark-handle-gup-failures.patch ------------------------------------------------------ From: Andrew Morton <akpm(a)linux-foundation.org> Subject: mm-gup_benchmark-handle-gup-failures-fix Cc: Huang Ying <ying.huang(a)intel.com> Cc: Jonathan Corbet <corbet(a)lwn.net> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: "Michael S. Tsirkin" <mst(a)redhat.com> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: <stable(a)vger.kernel.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Thorsten Leemhuis <regressions(a)leemhuis.info> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/gup_benchmark.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff -puN mm/gup_benchmark.c~mm-gup_benchmark-handle-gup-failures-fix mm/gup_benchmark.c --- a/mm/gup_benchmark.c~mm-gup_benchmark-handle-gup-failures-fix +++ a/mm/gup_benchmark.c @@ -41,8 +41,9 @@ static int __gup_benchmark_ioctl(unsigne } nr = get_user_pages_fast(addr, nr, gup->flags & 1, pages + i); - if (nr > 0) - i += nr; + if (nr <= 0) + break; + i += nr; } end_time = ktime_get(); _ Patches currently in -mm which might be from akpm(a)linux-foundation.org are i-need-old-gcc.patch mm-gup_benchmark-handle-gup-failures.patch mm-pagemap-fix-swap-offset-value-for-pmd-migration-entry-fix.patch writeback-safer-lock-nesting-fix.patch arm-arch-arm-include-asm-pageh-needs-personalityh.patch ocfs2-without-quota-support-try-to-avoid-calling-quota-recovery-checkpatch-fixes.patch mm.patch list_lru-prefetch-neighboring-list-entries-before-acquiring-lock-fix.patch mm-oom-cgroup-aware-oom-killer-fix.patch mm-oom-docs-describe-the-cgroup-aware-oom-killer-fix-2-fix.patch linux-next-rejects.patch fs-fsnotify-account-fsnotify-metadata-to-kmemcg-fix.patch kernel-forkc-export-kernel_thread-to-modules.patch slab-leaks3-default-y.patch

7 years, 9 months

1
0
0 0

[PATCH] drm/nouveau: Add missing fb SLCG registers for kepler2

by Lyude Paul

Somehow I didn't manage to notice this the last time I looked at my mmiotraces, these seem to be all valid registers. Forwarding this to stable, as there's a small chance that not having these could cause clockgating to be unstable. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Fixes: a0f79082bd174 ("drm/nouveau: Add support for SLCG for Kepler2") Cc: stable(a)vger.kernel.org --- drivers/gpu/drm/nouveau/nvkm/subdev/fb/gk110.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/drivers/gpu/drm/nouveau/nvkm/subdev/fb/gk110.c b/drivers/gpu/drm/nouveau/nvkm/subdev/fb/gk110.c index 0695e5dd360e..0d9ad9fa7774 100644 --- a/drivers/gpu/drm/nouveau/nvkm/subdev/fb/gk110.c +++ b/drivers/gpu/drm/nouveau/nvkm/subdev/fb/gk110.c @@ -32,6 +32,18 @@ * PGRAPH registers for clockgating ******************************************************************************* */ +static const struct nvkm_therm_clkgate_init +gk110_fb_clkgate_slcg_init_bcast_0[] = { + { 0x10f280, 1, 0x00000000 }, + {} +}; + +static const struct nvkm_therm_clkgate_init +gk110_fb_clkgate_slcg_init_pxbar_0[] = { + { 0x13cafc, 1, 0x0000007e }, + { 0x13cbe4, 1, 0x1ffffffe }, + {} +}; static const struct nvkm_therm_clkgate_init gk110_fb_clkgate_blcg_init_unk_0[] = { @@ -45,6 +57,8 @@ gk110_fb_clkgate_blcg_init_unk_0[] = { static const struct nvkm_therm_clkgate_pack gk110_fb_clkgate_pack[] = { + { gk110_fb_clkgate_slcg_init_bcast_0 }, + { gk110_fb_clkgate_slcg_init_pxbar_0 }, { gk110_fb_clkgate_blcg_init_unk_0 }, { gk104_fb_clkgate_blcg_init_vm_0 }, { gk104_fb_clkgate_blcg_init_main_0 }, -- 2.14.3

7 years, 9 months

1
0
0 0

+ autofs-mount-point-create-should-honour-passed-in-mode.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: autofs: mount point create should honour passed in mode has been added to the -mm tree. Its filename is autofs-mount-point-create-should-honour-passed-in-mode.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/autofs-mount-point-create-should-h… and later at http://ozlabs.org/~akpm/mmotm/broken-out/autofs-mount-point-create-should-h… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Ian Kent <raven(a)themaw.net> Subject: autofs: mount point create should honour passed in mode The autofs file system mkdir inode operation blindly sets the created directory mode to S_IFDIR | 0555, ingoring the passed in mode, which can cause selinux dac_override denials. But the function also checks if the caller is the daemon (as no-one else should be able to do anything here) so there's no point in not honouring the passed in mode, allowing the daemon to set appropriate mode when required. Link: http://lkml.kernel.org/r/152361593601.8051.14014139124905996173.stgit@pluto… Signed-off-by: Ian Kent <raven(a)themaw.net> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- fs/autofs4/root.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff -puN fs/autofs4/root.c~autofs-mount-point-create-should-honour-passed-in-mode fs/autofs4/root.c --- a/fs/autofs4/root.c~autofs-mount-point-create-should-honour-passed-in-mode +++ a/fs/autofs4/root.c @@ -749,7 +749,7 @@ static int autofs4_dir_mkdir(struct inod autofs4_del_active(dentry); - inode = autofs4_get_inode(dir->i_sb, S_IFDIR | 0555); + inode = autofs4_get_inode(dir->i_sb, S_IFDIR | mode); if (!inode) return -ENOMEM; d_add(dentry, inode); _ Patches currently in -mm which might be from raven(a)themaw.net are autofs-mount-point-create-should-honour-passed-in-mode.patch

7 years, 9 months

1
0
0 0

v3.18.105 build: 10 failures 1 warnings (v3.18.105)

by Build bot for Mark Brown

Tree/Branch: v3.18.105 Git describe: v3.18.105 Commit: 78db2bbfa0 Linux 3.18.105 Build Time: 0 min 14 sec Passed: 0 / 10 ( 0.00 %) Failed: 10 / 10 (100.00 %) Errors: 0 Warnings: 1 Section Mismatches: 0 Failed defconfigs: x86_64-allnoconfig arm-allnoconfig arm64-defconfig Errors: ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): 1 warnings 0 mismatches : x86_64-allnoconfig 1 warnings 0 mismatches : arm-allnoconfig 1 warnings 0 mismatches : arm64-defconfig ------------------------------------------------------------------------------- Warnings Summary: 1 3 include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- x86_64-allnoconfig : FAIL, 0 errors, 1 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- arm-allnoconfig : FAIL, 0 errors, 1 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- arm64-defconfig : FAIL, 0 errors, 1 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig x86_64-allmodconfig

7 years, 9 months

1
0
0 0

Linux 4.9.94

by Greg KH

I'm announcing the release of the 4.9.94 kernel. All users of the 4.9 kernel series must upgrade. The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=summary thanks, greg k-h ------------ Documentation/devicetree/bindings/clock/amlogic,meson8b-clkc.txt | 11 - Documentation/devicetree/bindings/display/sunxi/sun4i-drm.txt | 11 - Makefile | 2 arch/arm/boot/dts/imx53-qsrb.dts | 2 arch/arm/boot/dts/imx6qdl-wandboard.dtsi | 1 arch/arm/boot/dts/ls1021a.dtsi | 2 arch/arm/boot/dts/qcom-ipq4019.dtsi | 4 arch/arm/boot/dts/r8a7740-armadillo800eva.dts | 2 arch/arm/boot/dts/rk322x.dtsi | 6 arch/arm/include/asm/xen/events.h | 2 arch/arm/kvm/hyp/switch.c | 2 arch/arm/mach-davinci/devices-da8xx.c | 10 + arch/arm/mach-imx/cpu.c | 3 arch/arm/mach-imx/mxc.h | 6 arch/arm64/include/asm/futex.h | 8 arch/arm64/kernel/pci.c | 4 arch/arm64/kernel/perf_event.c | 23 +- arch/arm64/kvm/hyp/switch.c | 1 arch/arm64/mm/mmap.c | 19 + arch/mips/include/asm/kprobes.h | 3 arch/mips/include/asm/pgtable-32.h | 7 arch/mips/mm/pgtable-32.c | 6 arch/powerpc/include/asm/module.h | 4 arch/powerpc/include/asm/page.h | 12 + arch/powerpc/kernel/time.c | 14 + arch/powerpc/kvm/book3s_pr_papr.c | 34 ++- arch/powerpc/platforms/cell/spufs/coredump.c | 2 arch/powerpc/sysdev/mpc8xx_pic.c | 2 arch/s390/kernel/vmlinux.lds.S | 8 arch/sparc/kernel/ldc.c | 7 arch/x86/boot/compressed/error.h | 4 arch/x86/include/asm/asm.h | 1 arch/x86/kernel/tsc.c | 2 arch/x86/kvm/lapic.c | 2 arch/x86/kvm/svm.c | 24 +- arch/x86/kvm/vmx.c | 10 - arch/x86/lib/csum-copy_64.S | 12 - arch/x86/lib/kaslr.c | 3 arch/x86/platform/efi/efi.c | 6 block/bio-integrity.c | 3 block/blk-mq.c | 11 - block/partition-generic.c | 4 crypto/asymmetric_keys/x509_cert_parser.c | 1 crypto/async_tx/async_pq.c | 5 drivers/acpi/acpi_video.c | 14 + drivers/acpi/acpica/evxfevnt.c | 18 + drivers/acpi/acpica/psobject.c | 14 + drivers/acpi/ec.c | 2 drivers/acpi/ec_sys.c | 2 drivers/acpi/internal.h | 2 drivers/ata/libahci_platform.c | 5 drivers/block/loop.c | 3 drivers/bus/brcmstb_gisb.c | 42 ++-- drivers/char/ipmi/ipmi_ssif.c | 2 drivers/char/random.c | 10 - drivers/clk/at91/clk-generated.c | 4 drivers/clk/clk-conf.c | 2 drivers/clk/clk-scpi.c | 6 drivers/clk/meson/Kconfig | 6 drivers/clk/meson/meson8b.c | 5 drivers/clk/renesas/clk-rcar-gen2.c | 23 +- drivers/cpuidle/dt_idle_states.c | 4 drivers/crypto/omap-sham.c | 31 ++- drivers/devfreq/devfreq.c | 3 drivers/dma/imx-sdma.c | 23 +- drivers/edac/mv64x60_edac.c | 2 drivers/gpio/gpio-crystalcove.c | 54 +++-- drivers/gpio/gpiolib.c | 3 drivers/gpu/drm/amd/amdkfd/kfd_process.c | 3 drivers/gpu/drm/msm/msm_gem.c | 6 drivers/gpu/drm/omapdrm/omap_gem.c | 4 drivers/gpu/drm/sun4i/sun4i_drv.c | 12 + drivers/gpu/drm/vc4/vc4_gem.c | 13 - drivers/hid/i2c-hid/i2c-hid.c | 13 + drivers/hwmon/ina2xx.c | 87 +++++--- drivers/hwtracing/coresight/coresight-tmc.c | 7 drivers/hwtracing/coresight/coresight.c | 15 + drivers/i2c/muxes/i2c-mux-reg.c | 17 + drivers/iio/adc/hi8435.c | 27 ++ drivers/iio/light/rpr0521.c | 17 + drivers/iio/magnetometer/st_magn_spi.c | 2 drivers/iio/pressure/zpa2326.c | 18 + drivers/infiniband/hw/cxgb4/cm.c | 6 drivers/infiniband/hw/hfi1/sysfs.c | 3 drivers/infiniband/hw/i40iw/i40iw_ctrl.c | 6 drivers/infiniband/hw/i40iw/i40iw_d.h | 1 drivers/infiniband/hw/i40iw/i40iw_puda.c | 2 drivers/infiniband/sw/rdmavt/cq.c | 10 - drivers/infiniband/ulp/srpt/ib_srpt.c | 9 drivers/input/mouse/elan_i2c_core.c | 7 drivers/input/mouse/elan_i2c_i2c.c | 9 drivers/input/mouse/elantech.c | 11 + drivers/input/touchscreen/goodix.c | 8 drivers/irqchip/irq-gic-v3.c | 11 + drivers/irqchip/irq-mbigen.c | 5 drivers/isdn/mISDN/stack.c | 2 drivers/leds/leds-pca955x.c | 2 drivers/md/bcache/alloc.c | 19 + drivers/md/bcache/super.c | 6 drivers/md/md-cluster.c | 4 drivers/md/raid5.c | 17 - drivers/media/i2c/cx25840/cx25840-core.c | 36 ++- drivers/media/platform/pxa_camera.c | 14 + drivers/media/rc/mceusb.c | 9 drivers/media/v4l2-core/videobuf2-core.c | 4 drivers/misc/cxl/flash.c | 8 drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 - drivers/mmc/host/sdhci-pci-core.c | 2 drivers/mmc/host/sdhci.c | 7 drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 10 - drivers/mtd/nand/nand_base.c | 5 drivers/mtd/tests/oobtest.c | 21 ++ drivers/mtd/ubi/fastmap.c | 33 ++- drivers/net/bonding/bond_main.c | 84 ++++---- drivers/net/ethernet/amazon/ena/ena_com.c | 35 ++- drivers/net/ethernet/amazon/ena/ena_netdev.c | 17 + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 + drivers/net/ethernet/brocade/bna/bfa_ioc.c | 2 drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 11 + drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 32 ++- drivers/net/ethernet/chelsio/cxgb4vf/sge.c | 23 +- drivers/net/ethernet/freescale/fec_main.c | 4 drivers/net/ethernet/freescale/fsl_pq_mdio.c | 9 drivers/net/ethernet/ibm/emac/core.c | 26 ++ drivers/net/ethernet/intel/e1000e/netdev.c | 17 + drivers/net/ethernet/intel/i40evf/i40evf_virtchnl.c | 1 drivers/net/ethernet/intel/igb/igb_ptp.c | 12 + drivers/net/ethernet/marvell/sky2.c | 2 drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 77 ++++--- drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 33 +-- drivers/net/ethernet/mellanox/mlx4/en_main.c | 4 drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 7 drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 1 drivers/net/ethernet/mellanox/mlx4/qp.c | 19 + drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 17 + drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 10 - drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 - drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 6 drivers/net/ethernet/qlogic/netxen/netxen_nic_ctx.c | 2 drivers/net/ethernet/qlogic/qed/qed_dev.c | 5 drivers/net/ethernet/qlogic/qed/qed_main.c | 6 drivers/net/ethernet/qlogic/qed/qed_mcp.h | 1 drivers/net/ethernet/qlogic/qlcnic/qlcnic_hw.c | 2 drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 4 drivers/net/ethernet/qualcomm/qca_spi.c | 10 - drivers/net/ethernet/realtek/r8169.c | 4 drivers/net/ethernet/renesas/sh_eth.c | 2 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 15 + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 3 drivers/net/ethernet/ti/cpsw.c | 16 + drivers/net/geneve.c | 36 ++- drivers/net/hamradio/hdlcdrv.c | 2 drivers/net/macsec.c | 13 + drivers/net/phy/mdio-mux.c | 11 - drivers/net/phy/micrel.c | 42 ++-- drivers/net/phy/phy.c | 6 drivers/net/ppp/pptp.c | 1 drivers/net/team/team.c | 12 - drivers/net/usb/cdc_ncm.c | 11 - drivers/net/virtio_net.c | 16 + drivers/net/vmxnet3/vmxnet3_drv.c | 5 drivers/net/vrf.c | 8 drivers/net/vxlan.c | 2 drivers/net/wan/fsl_ucc_hdlc.c | 18 - drivers/net/wireless/ath/ath10k/bmi.h | 2 drivers/net/wireless/ath/ath10k/core.c | 16 + drivers/net/wireless/ath/ath5k/debug.c | 5 drivers/net/wireless/intel/iwlwifi/iwl-7000.c | 4 drivers/net/wireless/intel/iwlwifi/iwl-8000.c | 4 drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 1 drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 12 - drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 6 drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 32 ++- drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 8 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 22 +- drivers/net/wireless/ray_cs.c | 7 drivers/net/wireless/ti/wl1251/main.c | 3 drivers/nvme/host/core.c | 4 drivers/nvme/host/pci.c | 13 - drivers/pinctrl/intel/pinctrl-baytrail.c | 6 drivers/pinctrl/meson/pinctrl-meson-gxbb.c | 1 drivers/powercap/powercap_sys.c | 1 drivers/rtc/interface.c | 9 drivers/rtc/rtc-m41t80.c | 12 + drivers/rtc/rtc-opal.c | 10 + drivers/rtc/rtc-snvs.c | 2 drivers/s390/block/dasd.c | 8 drivers/scsi/bnx2fc/bnx2fc.h | 1 drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 10 - drivers/scsi/csiostor/csio_hw.c | 5 drivers/scsi/libiscsi.c | 24 ++ drivers/scsi/libsas/sas_expander.c | 4 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 28 +- drivers/staging/wlan-ng/prism2mgmt.c | 2 drivers/thermal/power_allocator.c | 2 drivers/tty/n_gsm.c | 17 + drivers/tty/serial/8250/8250_omap.c | 4 drivers/tty/serial/sccnxp.c | 15 + drivers/tty/serial/sh-sci.c | 16 + drivers/uio/uio.c | 8 drivers/usb/chipidea/core.c | 29 ++ drivers/usb/dwc3/dwc3-keystone.c | 4 drivers/usb/host/xhci-plat.c | 1 drivers/usb/storage/ene_ub6250.c | 11 - drivers/vhost/net.c | 4 drivers/vhost/vhost.c | 17 - drivers/video/backlight/backlight.c | 15 + drivers/video/backlight/corgi_lcd.c | 2 drivers/video/backlight/tdo24m.c | 2 drivers/video/backlight/tosa_lcd.c | 2 drivers/video/fbdev/vfb.c | 17 + drivers/watchdog/Kconfig | 7 drivers/watchdog/f71808e_wdt.c | 27 ++ fs/btrfs/extent_io.c | 2 fs/cifs/file.c | 2 fs/cifs/smb2pdu.c | 14 - fs/dcache.c | 23 +- fs/ext4/file.c | 2 fs/ext4/mballoc.c | 23 +- fs/lockd/svc.c | 6 fs/nfs/flexfilelayout/flexfilelayout.c | 1 fs/nfs/nfs4proc.c | 13 + fs/nfs/nfs4state.c | 10 - fs/overlayfs/dir.c | 3 fs/overlayfs/inode.c | 12 + include/acpi/platform/acgcc.h | 10 + include/acpi/platform/acintel.h | 2 include/linux/mlx4/qp.h | 1 include/linux/mlx5/device.h | 10 - include/linux/pci.h | 6 include/linux/sched.h | 1 include/linux/skbuff.h | 8 include/net/cfg80211.h | 2 include/net/x25.h | 4 include/soc/fsl/qe/qe.h | 4 kernel/cpu.c | 13 + kernel/events/callchain.c | 6 kernel/events/core.c | 19 + kernel/pid.c | 4 kernel/sched/core.c | 2 kernel/sched/deadline.c | 98 ++++++++-- kernel/sched/fair.c | 3 mm/vmstat.c | 2 net/8021q/vlan_dev.c | 6 net/bluetooth/hci_core.c | 17 + net/ceph/osdmap.c | 1 net/core/dev.c | 4 net/core/neighbour.c | 14 + net/core/net_namespace.c | 19 + net/core/skbuff.c | 75 ++++--- net/core/sysctl_net_core.c | 2 net/hsr/hsr_forward.c | 3 net/hsr/hsr_framereg.c | 9 net/hsr/hsr_framereg.h | 2 net/ieee802154/socket.c | 8 net/ipv4/ah4.c | 8 net/ipv4/arp.c | 18 + net/ipv4/esp4.c | 13 - net/ipv4/fib_semantics.c | 20 +- net/ipv4/ip_tunnel.c | 11 - net/ipv4/ipmr.c | 18 + net/ipv4/tcp_input.c | 24 +- net/ipv6/addrconf.c | 5 net/ipv6/ah6.c | 8 net/ipv6/esp6.c | 12 - net/ipv6/ip6_gre.c | 8 net/ipv6/ip6_output.c | 20 +- net/ipv6/ip6_tunnel.c | 14 + net/ipv6/ip6_vti.c | 7 net/ipv6/route.c | 3 net/ipv6/sit.c | 9 net/key/af_key.c | 2 net/l2tp/l2tp_netlink.c | 2 net/llc/af_llc.c | 3 net/mac80211/cfg.c | 28 ++ net/mac80211/driver-ops.h | 3 net/mac80211/mlme.c | 4 net/netfilter/nf_conntrack_core.c | 39 ++- net/netfilter/nf_conntrack_netlink.c | 7 net/netlink/af_netlink.c | 3 net/rds/bind.c | 1 net/rxrpc/rxkad.c | 19 + net/sched/act_api.c | 4 net/sched/act_bpf.c | 12 - net/sched/act_skbmod.c | 3 net/sched/act_tunnel_key.c | 9 net/sctp/ipv6.c | 4 net/sctp/socket.c | 17 + net/strparser/strparser.c | 4 net/sunrpc/xprtsock.c | 7 net/x25/af_x25.c | 24 +- net/x25/sysctl_net_x25.c | 5 net/xfrm/xfrm_state.c | 2 scripts/tags.sh | 1 security/selinux/hooks.c | 10 - sound/soc/generic/simple-card.c | 2 sound/soc/intel/atom/sst/sst_stream.c | 2 sound/soc/intel/boards/cht_bsw_rt5645.c | 7 sound/soc/intel/skylake/skl-messages.c | 4 sound/soc/intel/skylake/skl-pcm.c | 4 sound/soc/sh/rcar/ssi.c | 11 - tools/perf/builtin-trace.c | 4 tools/perf/tests/code-reading.c | 20 +- tools/perf/util/dso.c | 16 + tools/perf/util/header.c | 12 + tools/perf/util/probe-event.c | 8 tools/perf/util/unwind-libdw.c | 14 + tools/perf/util/unwind-libunwind-local.c | 11 + tools/perf/util/util.c | 2 tools/testing/selftests/powerpc/tm/tm-resched-dscr.c | 2 tools/testing/selftests/seccomp/seccomp_bpf.c | 2 313 files changed, 2423 insertions(+), 917 deletions(-) A Sun (1): mceusb: sporadic RX truncation corruption fix Alan Stern (2): USB: ene_usb6250: fix first command execution USB: ene_usb6250: fix SCSI residue overwriting Alexander Potapenko (1): netlink: make sure nladdr has correct size in netlink_connect() Alexandre Belloni (2): clk: at91: fix clk-generated parenting clk: at91: fix clk-generated compilation Amir Goldstein (1): ovl: persistent inode numbers for upper hardlinks Andrea della Porta (1): staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning Andy Shevchenko (1): sdhci: Advertise 2.0v supply on SDIO host controller Anilkumar Kolli (1): ath10k: add BMI parameters to fix calibration from DT/pre-cal Antony Antony (1): xfrm: fix state migration copy replay sequence numbers Anup Patel (1): async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome() Ard Biesheuvel (1): arm64: kernel: restrict /dev/mem read() calls to linear region Arjun Vynipadath (3): cxgb4: FW upgrade fixes cxgb4: Fix netdev_features flag cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages Arnd Bergmann (2): net/mlx5: avoid build warning for uniprocessor xen: avoid type warning in xchg_xen_ulong Arvind Yadav (1): dmaengine: imx-sdma: Handle return value of clk_prepare_enable Bart Van Assche (2): IB/srpt: Fix abort handling IB/srpt: Avoid that aborting a command triggers a kernel warning Bob Moore (1): ACPICA: Disassembler: Abort on an invalid/unknown AML opcode Boris Brezillon (1): mtd: nand: gpmi: Fix gpmi_nand_init() error path Bryan O'Donoghue (1): clk: Fix __set_clk_rates error print-string Chaitra P B (1): scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag. Chris Wilson (1): e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails Christian Lamparter (2): ARM: dts: qcom: ipq4019: fix i2c_0 node net: emac: fix reset timeout with AR8035 phy Christoph Hellwig (1): PCI/msi: fix the pci_alloc_irq_vectors_affinity stub Christophe JAILLET (4): SMB2: Fix share type handling ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()' drm/vc4: Fix resource leak in 'vc4_get_hang_state_ioctl()' in error handling path EDAC, mv64x60: Fix an error handling path Christophe Jaillet (1): cpuidle: dt: Add missing 'of_node_put()' Christophe Leroy (1): powerpc/8xx: fix mpc8xx_get_irq() return on no irq Colin Ian King (4): netxen_nic: set rcode to the return status from the call to netxen_issue_cmd btrfs: fix incorrect error return ret being passed to mapping_set_error ath5k: fix memory leak on buf on failed eeprom read wl1251: check return from call to wl1251_acx_arp_ip_filter Craig Dillabaugh (1): net sched actions: fix dumping which requires several messages to user space Dan Carpenter (10): ipmi_ssif: unlock on allocation failure drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests PowerCap: Fix an error code in powercap_register_zone() perf/core: Fix error handling in perf_event_alloc() block: fix an error code in add_partition() libceph: NULL deref on crush_decode() error path pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() drm/amdkfd: NULL dereference involving create_process() cxl: Unlock on error in probe X.509: Fix error code in x509_cert_parse() Daniel Bristot de Oliveira (1): sched/deadline: Use the revised wakeup rule for suspending constrained dl tasks Dave Watson (1): strparser: Fix sign of err codes David Ahern (2): net/ipv6: Fix route leaking between VRFs vrf: Fix use after free and double free in vrf_finish_output Davide Caratti (3): net/sched: fix NULL dereference in the error path of tcf_bpf_init() net/sched: fix NULL dereference in the error path of tunnel_key_init() net/sched: fix NULL dereference on the error path of tcf_skbmod_init() Dmitry Monakhov (1): bio-integrity: Do not allocate integrity context for bio w/o data Dmitry Torokhov (1): Input: elan_i2c - check if device is there before really probing Doug Berger (2): bus: brcmstb_gisb: Use register offsets with writes too bus: brcmstb_gisb: correct support for 64-bit address output Emmanuel Grumbach (1): iwlwifi: mvm: fix firmware debug restart recording Eran Ben Elisha (1): net/mlx4_en: Fix mixed PFC and Global pause user control requests Eric Dumazet (11): tcp: better validation of received ack sequences net: fix possible out-of-bound read in skb_network_protocol() pptp: remove a buggy dst release in pptp_connect() sctp: do not leak kernel memory to user space sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 net: fool proof dev_valid_name() ip_tunnel: better validate user provided tunnel names ipv6: sit: better validate user provided tunnel names ip6_gre: better validate user provided tunnel names ip6_tunnel: better validate user provided tunnel names vti6: better validate user provided tunnel names Eryu Guan (1): ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() Fabio Estevam (3): ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin ARM: dts: imx6qdl-wandboard: Fix audio channel swap net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272 Firo Yang (1): hdlcdrv: Fix divide by zero in hdlcdrv_ioctl Florian Westphal (1): netfilter: conntrack: don't call iter for non-confirmed conntracks Ganapatrao Kulkarni (1): arm64: perf: Ignore exclude_hv when kernel is running in HYP Ganesh Goudar (1): cxgb4: fix incorrect cim_la output for T6 Gary Bisson (1): rtc: m41t80: fix SQW dividers override when setting a date Geert Uytterhoeven (5): clk: renesas: rcar-gen2: Fix PLL0 on R-Car V2H and E2 serial: sh-sci: Fix race condition causing garbage during shutdown sh_eth: Use platform device for printing before register_netdev() ACPI: EC: Fix debugfs_create_*() usage ARM: dts: armadillo800eva: Split LCD mux and gpio Girish Moodalbail (1): geneve: add missing rx stats accounting Greg Hackmann (1): Revert "xhci: plat: Register shutdown for xhci_plat" Greg Kroah-Hartman (1): Linux 4.9.94 Grygorii Strashko (1): net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control Guoqing Jiang (1): md-cluster: fix potential lock issue in add_new_disk Gustavo A. R. Silva (2): PM / devfreq: Fix potential NULL pointer dereference in governor_store net: freescale: fix potential null pointer dereference Haim Dreyfuss (1): iwlwifi: mvm: Fix command queue number on d0i3 flow Haishuang Yan (1): sit: reload iphdr in ipip6_rcv Hangbin Liu (2): l2tp: fix missing print session offset info vlan: also check phy_driver ts_info for vlan's real device Hans de Goede (6): gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs ACPI / video: Default lcd_only to true on Win8-ready and newer machines ASoC: Intel: cht_bsw_rt5645: Analog Mic support pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices Input: goodix - disable IRQs while suspended Heiko Carstens (1): s390: move _text symbol to address higher than zero Heiner Kallweit (2): pinctrl: meson-gxbb: remove non-existing pin GPIOX_22 r8169: fix setting driver_data after register_netdev Holger Brunck (4): net/wan/fsl_ucc_hdlc: fix unitialized variable warnings net/wan/fsl_ucc_hdlc: fix incorrect memory allocation fsl/qe: add bit description for SYNL register for GUMR net/wan/fsl_ucc_hdlc: fix muram allocation error Ido Schimmel (1): mlxsw: spectrum: Avoid possible NULL pointer dereference Ido Shamay (1): net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport Ihar Hrachyshka (2): neighbour: update neigh timestamps iff update is effective arp: honour gratuitous ARP _replies_ Ivan Mikhaylov (1): powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE] J. Bruce Fields (1): lockd: fix lockd shutdown race Jacob Keller (2): e1000e: fix race condition around skb_tstamp_tx() igb: fix race condition with PTP_TX_IN_PROGRESS bits Jag Raman (1): sparc64: ldc abort during vds iso boot James Morse (2): KVM: arm: Restore banked registers and physical timer access on hyp_panic() KVM: arm64: Restore host physical timer access on hyp_panic() James Wang (1): Fix loop device flush before configure v3 Jan H. Schönherr (1): KVM: nVMX: Fix handling of lmsw instruction Jason A. Donenfeld (5): skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow macsec: check return value of skb_to_sgvec always ipsec: check return value of skb_to_sgvec always rxrpc: check return value of skb_to_sgvec always virtio_net: check return value of skb_to_sgvec always Jason Wang (3): vhost: correctly remove wait queue during poll failure vhost: validate log when IOTLB is enabled vhost_net: add missing lock nesting notation Jason Yan (2): scsi: libsas: fix memory leak in sas_smp_get_phy_events() scsi: libsas: fix error when getting phy events Jeff Barnhill (1): net/ipv6: Increment OUTxxx counters after netfilter hook Jesper Dangaard Brouer (1): mlx5: fix bug reading rss_hash_type from CQE Jesse Brandeburg (1): i40evf: fix merge error in older patch Jia-Ju Bai (2): qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M mISDN: Fix a sleep-in-atomic bug Jim Baxter (1): net: cdc_ncm: Fix TX zero padding Jim Mattson (1): KVM: nVMX: Update vmcs12->guest_linear_address on nested VM-exit Jiri Olsa (2): perf trace: Add mmap alias for s390 perf tools: Fix copyfile_offset update of output offset Jisheng Zhang (1): usb: chipidea: properly handle host or gadget initialization failure Johannes Berg (2): cfg80211: make RATE_INFO_BW_20 the default iwlwifi: tt: move ucode_loaded check under mutex Jon Mason (1): mdio: mux: Correct mdio_mux_init error path issues Jordan Crouse (1): drm/msm: Take the mutex before calling msm_gem_new_impl Josh Poimboeuf (1): x86/asm: Don't use RBP as a temporary register in csum_partial_copy_generic() Julia Cartwright (1): md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock Julia Lawall (1): mdio: mux: fix device_node_continue.cocci warnings KT Liao (2): Input: elantech - force relative mode on a certain module Input: elan_i2c - clear INT before resetting controller Kai-Heng Feng (1): sky2: Increase D3 delay to sky2 stops working after suspend Karicheri, Muralidharan (1): hsr: fix incorrect warning Kees Cook (4): x86/boot: Declare error() as noreturn bna: Avoid reading past end of buffer qlge: Avoid reading past end of buffer ray_cs: Avoid reading past end of buffer Kirill Tkhai (1): pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid() Konstantin Khlebnikov (1): ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors Kuninori Morimoto (1): ASoC: rsnd: SSI PIO adjust to 24bit mode Leonard Crestez (2): net: phy: micrel: Restore led_mode and clk_sel on resume ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull Liam McBirnie (1): ip6_tunnel: fix traffic class routing for tunnels Lin Zhang (1): net: ieee802154: fix net_device reference release too early Linus Walleij (1): gpio: label descriptors using the device name Liping Zhang (1): netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize Lorenzo Bianconi (1): iio: magnetometer: st_magn_spi: fix spi_device_id table Luca Coelho (3): mac80211: bail out from prep_connection() if a reconfig is ongoing iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3 iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265 Lv Zheng (2): ACPICA: OSL: Add support to exclude stdarg.h ACPICA: Events: Add runtime stub support for event APIs MaJun (1): irqchip/mbigen: Fix the clear register offset calculation Maciej Purski (1): hwmon: (ina2xx) Make calibration register value fixed Maciej S. Szmigiero (1): watchdog: f71808e_wdt: Add F71868 support Mahesh Bandewar (1): ipv6: avoid dad-failures for addresses with NODAD Marcel Holtmann (1): Bluetooth: Send HCI Set Event Mask Page 2 command only when needed Marcin Nowakowski (3): MIPS: mm: fixed mappings: correct initialisation MIPS: mm: adjust PKMAP location MIPS: kprobes: flush_insn_slot should flush only if probe initialised Mario Molitor (1): stmmac: fix ptp header for GMAC3 hw timestamp Martin Blumenstingl (1): clk: meson: meson8b: add compatibles for Meson8 and Meson8m2 Masahiro Yamada (1): mtd: nand: check ecc->total sanity in nand_scan_tail Masami Hiramatsu (1): perf probe: Add warning message if there is unexpected event name Matthias Kaehlcke (1): x86/mm/kaslr: Use the _ASM_MUL macro for multiplication to work around Clang incompatibility Maurizio Lombardi (1): scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() Mauro Carvalho Chehab (1): media: videobuf2-core: don't go out of the buffer range Maxime Ripard (2): drm/sun4i: Ignore the generic connectors for components dt-bindings: display: sun4i: Add allwinner,tcon-channel property Michael Ellerman (4): powerpc/modules: If mprofile-kernel is enabled add it to vermagic powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash selftests/powerpc: Fix TM resched DSCR test with some compilers powerpc/spufs: Fix coredump of SPU contexts Michael Schmitz (1): fix race in drivers/char/random.c:get_reg() Mickaël Salaün (1): selftests: kselftest_harness: Fix compile warning Miguel Fadon Perlines (1): arp: fix arp_filter on l3slave devices Mike Marciniszyn (1): IB/rdmavt: Allocate CQ memory on the correct node Mikko Koivunen (1): iio: light: rpr0521 poweroff for probe fails Miklos Szeredi (1): ovl: filter trusted xattr for non-admin Milian Wolff (2): perf report: Fix off-by-one for non-activation frames perf report: Ensure the perf DSO mapping matches what libdw sees Ming Lei (3): blk-mq: fix race between updating nr_hw_queues and switching io sched nvme: fix hang in remove path blk-mq: fix kernel oops in blk_mq_tag_idle() Mintz, Yuval (1): bnx2x: Allow vfs to disable txvlan offload Miquel Raynal (1): mtd: mtd_oobtest: Handle bitflips during reads Moni Shoua (1): net/mlx4_en: Change default QoS settings Moshe Shemesh (1): net/mlx4_core: Fix memory leak while delete slave's resources Namhyung Kim (3): perf header: Set proper module name when build-id event found perf tools: Decompress kernel module when reading DSO data perf tests: Decompress kernel module before objdump Nathan Chancellor (1): virtio_net: check return value of skb_to_sgvec in one more location Neil Horman (1): vmxnet3: ensure that adapter is in proper state during force_close NeilBrown (2): VFS: close race between getcwd() and d_move() SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() Netanel Belgazal (5): net: ena: fix rare uncompleted admin command false alarm net: ena: fix race condition between submit and completion admin command net: ena: add missing return when ena_com_get_io_handlers() fails net: ena: add missing unmap bars on device removal net: ena: disable admin msix while working in polling mode Nicholas Mc Guire (1): iio: pressure: zpa2326: report interrupted case as failure Nikita Yushchenko (2): iio: hi8435: avoid garbage event at first enable iio: hi8435: cleanup reset gpio Nithin Sujir (1): bonding: Don't update slave->link until ready to commit Pan Bian (3): rtc: snvs: fix an incorrect check of return value usb: dwc3: keystone: check return value cx25840: fix unchecked return values Paolo Abeni (1): ipv6: the entire IPv6 header chain must fit the first fragment Pardha Saradhi K (1): ASoC: Intel: Skylake: Disable clock gating during firmware and library download Paul Mackerras (1): KVM: PPC: Book3S PR: Check copy_to/from_user return values Peter Große (1): mac80211: Fix setting TX power on monitor interfaces Peter Rosin (1): i2c: mux: reg: put away the parent i2c adapter on probe failure Peter Zijlstra (2): x86/tsc: Provide 'tsc=unstable' boot parameter perf/core: Correct event creation with PERF_FORMAT_GROUP Petr Cvek (1): pxa_camera: fix module remove codepath for v4l2 clock Pieter \"PoroCYon\" Sluys (1): vfb: fix video mode and line_length being set when loaded Rabin Vincent (2): ubi: fastmap: Fix slab corruption CIFS: silence lockdep splat in cifs_relock_file() Rafael David Tinoco (1): scsi: libiscsi: Allow sd_shutdown on bad transport Raju Rangoju (1): RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers Rakesh Pandit (1): nvme-pci: fix multiple ctrl removal scheduling Ram Amrani (1): qed: Correct doorbell configuration for !4Kb pages Rasmus Villemoes (1): ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node Reza Arbab (1): mm, vmstat: Remove spurious WARN() during zoneinfo print Robert Jarzmik (2): backlight: tdo24m: Fix the SPI CS between transfers tags: honor COMPILED_SOURCE with apart output directory Robin Murphy (1): coresight: tmc: Configure DMA mask appropriately Roman Kapl (1): net: move somaxconn init from sysctl code Roman Pen (1): KVM: SVM: do not zero out segment attributes if segment is unusable or not present Roopa Prabhu (1): vxlan: dont migrate permanent fdb entries during learn Russell King (1): net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support Sai Praneeth (1): x86/efi: Disable runtime services on kexec kernel if booted with efi=old_map Shahar Klein (1): net/mlx5e: Sync netdev vxlan ports at open Shanker Donthineni (1): irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry Shiraz Saleem (2): i40iw: Fix sequence number for the first partial FPDU i40iw: Correct Q1/XF object count equation Sowmini Varadhan (1): rds; Reset rs->rs_bound_addr in rds_add_bound() failure path Stanislaw Gruszka (1): rt2x00: do not pause queue unconditionally on error path Stefan Agner (1): ASoC: simple-card: fix mic jack initialization Stefan Haberland (1): s390/dasd: fix hanging safe offline Stefan Wahren (1): net: qca_spi: Fix alignment issues in rx path Steffen Klassert (1): af_key: Fix slab-out-of-bounds in pfkey_compile_policy. Stephen Smalley (1): selinux: do not check open permission on sockets Steven L. Roberts (1): RDMA/hfi1: fix array termination by appending NULL to attr array Sudeep Holla (1): clk: scpi: fix return type of __scpi_dvfs_round_rate Sudip Mukherjee (1): backlight: Report error on failure Sugar Zhang (1): ARM: dts: rockchip: fix rk322x i2s1 pinctrl error Suman Anna (2): uio: fix incorrect memory leak cleanup ARM: davinci: da8xx: Create DSP device only when assigned memory Suzuki K Poulose (1): coresight: Fix reference count for software sources Talat Batheesh (2): net/mlx4_en: Avoid adding steering rules with invalid ring net/mlx4: Fix the check in attaching steering rules Tang Junhui (2): bcache: stop writeback thread after detaching bcache: segregate flash only volume write streams Tariq Toukan (1): net/mlx5: Tolerate irq_set_affinity_hint() failures Tero Kristo (2): crypto: omap-sham - buffer handling fixes for hashing later crypto: omap-sham - fix closing of hash with separate finalize call Theodore Ts'o (1): random: use lockless method of accessing and updating f->reg_idx Thomas Bogendoerfer (1): Fix serial console on SNI RM400 machines Thomas Gleixner (1): cpuhotplug: Link lock stacks for hotplug callbacks Thomas Petazzoni (1): ata: libahci: properly propagate return value of platform_get_irq() Thomas Winter (1): ipmr: vrf: Find VIFs using the actual device Timmy Li (1): ARM64: PCI: Fix struct acpi_pci_root_ops allocation failure path Tin Huynh (1): leds: pca955x: Correct I2C Functionality Tomi Valkeinen (1): drm/omap: fix tiled buffer stride calculations Tony Lindgren (1): tty: n_gsm: Allow ADM response in addition to UA for control dlci Trond Myklebust (2): NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION NFSv4.1: Work around a Linux server bug... Vaibhav Jain (2): rtc: opal: Handle disabled TPO in opal_get_tpo_time() rtc: interface: Validate alarm-time before handling rollover Varun Prakash (1): scsi: csiostor: fix use after free in csio_hw_use_fwconfig() Vignesh R (1): serial: 8250: omap: Disable DMA for console UART Vlastimil Babka (1): sched/numa: Use down_read_trylock() for the mmap_sem Wanpeng Li (1): KVM: X86: Fix preempt the preemption timer cancel Wen Xiong (1): blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split op Will Deacon (2): perf/callchain: Force USER_DS when invoking perf_callchain_user() arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage Willem de Bruijn (1): skbuff: only inherit relevant tx_flags Xin Long (6): sctp: fix recursive locking warning in sctp_do_peeloff bonding: fix the err path for dev hwaddr sync in bond_enslave bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave bonding: process the err returned by dev_set_allmulti properly in bond_enslave route: check sysctl_fib_multipath_use_neigh earlier than hash team: move dev_mc_sync after master_upper_dev_link in team_port_add Yi Zeng (1): thermal: power_allocator: fix one race condition issue for thermal_instances list chenxiang (1): scsi: libsas: initialize sas_phy status according to response of DISCOVER linzhang (2): net: x25: fix one potential use-after-free issue net: llc: add lock_sock in llc_ui_bind to avoid a race condition sudarsana.kalluru(a)cavium.com (1): qed: Fix overriding of supported autoneg value.

7 years, 9 months

1
1
0 0

v4.9.94 build: 11 failures 0 warnings (v4.9.94)

by Build bot for Mark Brown

Tree/Branch: v4.9.94 Git describe: v4.9.94 Commit: cc0eb4dd50 Linux 4.9.94 Build Time: 0 min 25 sec Passed: 0 / 11 ( 0.00 %) Failed: 11 / 11 (100.00 %) Errors: 1 Warnings: 0 Section Mismatches: 0 Failed defconfigs: arm-allnoconfig arm64-defconfig Errors: arm-allnoconfig collect2: error: ld returned 1 exit status arm64-defconfig collect2: error: ld returned 1 exit status ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): ------------------------------------------------------------------------------- Errors summary: 1 2 collect2: error: ld returned 1 exit status =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- arm-allnoconfig : FAIL, 1 errors, 0 warnings, 0 section mismatches Errors: collect2: error: ld returned 1 exit status ------------------------------------------------------------------------------- arm64-defconfig : FAIL, 1 errors, 0 warnings, 0 section mismatches Errors: collect2: error: ld returned 1 exit status ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig arm-multi_v4t_defconfig x86_64-allnoconfig x86_64-allmodconfig

7 years, 9 months

1
0
0 0

v4.4.128 build: 10 failures 1 warnings (v4.4.128)

by Build bot for Mark Brown

Tree/Branch: v4.4.128 Git describe: v4.4.128 Commit: dbb7876236 Linux 4.4.128 Build Time: 0 min 19 sec Passed: 0 / 10 ( 0.00 %) Failed: 10 / 10 (100.00 %) Errors: 0 Warnings: 1 Section Mismatches: 0 Failed defconfigs: x86_64-allnoconfig arm-allnoconfig arm64-defconfig Errors: ------------------------------------------------------------------------------- defconfigs with issues (other than build errors): 2 warnings 0 mismatches : x86_64-allnoconfig 2 warnings 0 mismatches : arm-allnoconfig 2 warnings 0 mismatches : arm64-defconfig ------------------------------------------------------------------------------- Warnings Summary: 1 6 include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state =============================================================================== Detailed per-defconfig build reports below: ------------------------------------------------------------------------------- x86_64-allnoconfig : FAIL, 0 errors, 2 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- arm-allnoconfig : FAIL, 0 errors, 2 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- arm64-defconfig : FAIL, 0 errors, 2 warnings, 0 section mismatches Warnings: include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state include/config/auto.conf:4559:warning: override: TICK_CPU_ACCOUNTING changes choice state ------------------------------------------------------------------------------- Passed with no errors, warnings or mismatches: arm64-allnoconfig arm64-allmodconfig arm-multi_v5_defconfig arm-multi_v7_defconfig x86_64-defconfig arm-allmodconfig x86_64-allmodconfig

7 years, 9 months

1
0
0 0

[PATCH 1/3] nbd: del_gendisk after we cleanup the queue

by Josef Bacik

From: Josef Bacik <jbacik(a)fb.com> This fixes a use after free bug, we need to do the del_gendisk after we cleanup the queue on the device. Fixes: c6a4759ea0c9 ("nbd: add device refcounting") cc: stable(a)vger.kernel.org Signed-off-by: Josef Bacik <jbacik(a)fb.com> --- drivers/block/nbd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 86258b00a1d4..e33da3e6aa20 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -174,8 +174,8 @@ static void nbd_dev_remove(struct nbd_device *nbd) { struct gendisk *disk = nbd->disk; if (disk) { - del_gendisk(disk); blk_cleanup_queue(disk->queue); + del_gendisk(disk); blk_mq_free_tag_set(&nbd->tag_set); disk->private_data = NULL; put_disk(disk); -- 2.14.3

7 years, 9 months

2
5
0 0

[PATCH] blk-mq: fix race between complete and BLK_EH_RESET_TIMER

by Ming Lei

The normal request completion can be done before or during handling BLK_EH_RESET_TIMER, and this race may cause the request to never be completed since driver's .timeout() may always return BLK_EH_RESET_TIMER. This issue can't be fixed completely by driver, since the normal completion can be done between returning .timeout() and handing BLK_EH_RESET_TIMER. This patch fixes this race by introducing rq state of MQ_RQ_COMPLETE_IN_RESET, and reading/writing rq's state by holding queue lock, which can be per-request actually, but just not necessary to introduce one lock for so unusual event. Cc: Bart Van Assche <bart.vanassche(a)wdc.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Christoph Hellwig <hch(a)lst.de> Cc: Ming Lei <ming.lei(a)redhat.com> Cc: Sagi Grimberg <sagi(a)grimberg.me> Cc: Israel Rukshin <israelr(a)mellanox.com>, Cc: Max Gurtovoy <maxg(a)mellanox.com> Cc: stable(a)vger.kernel.org Signed-off-by: Ming Lei <ming.lei(a)redhat.com> --- This is another way to fix this long-time issue, and turns out this solution is much simpler. block/blk-mq.c | 44 +++++++++++++++++++++++++++++++++++++++----- block/blk-mq.h | 1 + 2 files changed, 40 insertions(+), 5 deletions(-) diff --git a/block/blk-mq.c b/block/blk-mq.c index 0dc9e341c2a7..12e8850e3905 100644 --- a/block/blk-mq.c +++ b/block/blk-mq.c @@ -630,10 +630,27 @@ void blk_mq_complete_request(struct request *rq) * However, that would complicate paths which want to synchronize * against us. Let stay in sync with the issue path so that * hctx_lock() covers both issue and completion paths. + * + * Cover complete vs BLK_EH_RESET_TIMER race in slow path with + * helding queue lock. */ hctx_lock(hctx, &srcu_idx); if (blk_mq_rq_aborted_gstate(rq) != rq->gstate) __blk_mq_complete_request(rq); + else { + unsigned long flags; + bool need_complete = false; + + spin_lock_irqsave(q->queue_lock, flags); + if (!blk_mq_rq_aborted_gstate(rq)) + need_complete = true; + else + blk_mq_rq_update_state(rq, MQ_RQ_COMPLETE_IN_RESET); + spin_unlock_irqrestore(q->queue_lock, flags); + + if (need_complete) + __blk_mq_complete_request(rq); + } hctx_unlock(hctx, srcu_idx); } EXPORT_SYMBOL(blk_mq_complete_request); @@ -814,24 +831,41 @@ static void blk_mq_rq_timed_out(struct request *req, bool reserved) { const struct blk_mq_ops *ops = req->q->mq_ops; enum blk_eh_timer_return ret = BLK_EH_RESET_TIMER; + unsigned long flags; req->rq_flags |= RQF_MQ_TIMEOUT_EXPIRED; if (ops->timeout) ret = ops->timeout(req, reserved); +again: switch (ret) { case BLK_EH_HANDLED: __blk_mq_complete_request(req); break; case BLK_EH_RESET_TIMER: /* - * As nothing prevents from completion happening while - * ->aborted_gstate is set, this may lead to ignored - * completions and further spurious timeouts. + * The normal completion may happen during handling the + * timeout, or even after returning from .timeout(), so + * once the request has been completed, we can't reset + * timer any more since this request may be handled as + * BLK_EH_RESET_TIMER in next timeout handling too, and + * it has to be completed in this situation. + * + * Holding the queue lock to cover read/write rq's + * aborted_gstate and normal state, so the race can be + * avoided completely. */ - blk_mq_rq_update_aborted_gstate(req, 0); - blk_add_timer(req); + spin_lock_irqsave(req->q->queue_lock, flags); + if (blk_mq_rq_state(req) != MQ_RQ_COMPLETE_IN_RESET) { + blk_mq_rq_update_aborted_gstate(req, 0); + blk_add_timer(req); + } else { + blk_mq_rq_update_state(req, MQ_RQ_IN_FLIGHT); + ret = BLK_EH_HANDLED; + goto again; + } + spin_unlock_irqrestore(req->q->queue_lock, flags); break; case BLK_EH_NOT_HANDLED: break; diff --git a/block/blk-mq.h b/block/blk-mq.h index 88c558f71819..6dc242fc785a 100644 --- a/block/blk-mq.h +++ b/block/blk-mq.h @@ -35,6 +35,7 @@ enum mq_rq_state { MQ_RQ_IDLE = 0, MQ_RQ_IN_FLIGHT = 1, MQ_RQ_COMPLETE = 2, + MQ_RQ_COMPLETE_IN_RESET = 3, MQ_RQ_STATE_BITS = 2, MQ_RQ_STATE_MASK = (1 << MQ_RQ_STATE_BITS) - 1, -- 2.9.5

7 years, 9 months

3
8
0 0

imaging solutions

by Ross

Hi, Not sure if you received my email from last week. We offer following image editing services: images cutting out, clipping path, masking jewelry photos retouching beauty photos retouching also wedding photos etc If you want to test our quality of work. You may send us one photo with instruction and we will work on it. Hope to hear from you soon. Regards, Ross The Studio Manager

7 years, 9 months

1
0
0 0

[PATCH v2 01/20] fanotify: fix logic of events on child

by Amir Goldstein

When event on child inodes are sent to the parent inode mark and parent inode mark was not marked with FAN_EVENT_ON_CHILD, the event will not be delivered to the listener process. However, if the same process also has a mount mark, the event to the parent inode will be delivered regadless of the mount mark mask. This behavior is incorrect in the case where the mount mark mask does not contain the specific event type. For example, the process adds a mark on a directory with mask FAN_MODIFY (without FAN_EVENT_ON_CHILD) and a mount mark with mask FAN_CLOSE_NOWRITE (without FAN_ONDIR). A modify event on a file inside that directory (and inside that mount) should not create a FAN_MODIFY event, because neither of the marks requested to get that event on the file. Fixes: 1968f5eed54c ("fanotify: use both marks when possible") Cc: stable <stable(a)vger.kernel.org> Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- fs/notify/fanotify/fanotify.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) diff --git a/fs/notify/fanotify/fanotify.c b/fs/notify/fanotify/fanotify.c index 6702a6a0bbb5..e0e6a9d627df 100644 --- a/fs/notify/fanotify/fanotify.c +++ b/fs/notify/fanotify/fanotify.c @@ -92,7 +92,7 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, u32 event_mask, const void *data, int data_type) { - __u32 marks_mask, marks_ignored_mask; + __u32 marks_mask = 0, marks_ignored_mask = 0; const struct path *path = data; pr_debug("%s: inode_mark=%p vfsmnt_mark=%p mask=%x data=%p" @@ -108,24 +108,20 @@ static bool fanotify_should_send_event(struct fsnotify_mark *inode_mark, !d_can_lookup(path->dentry)) return false; - if (inode_mark && vfsmnt_mark) { - marks_mask = (vfsmnt_mark->mask | inode_mark->mask); - marks_ignored_mask = (vfsmnt_mark->ignored_mask | inode_mark->ignored_mask); - } else if (inode_mark) { - /* - * if the event is for a child and this inode doesn't care about - * events on the child, don't send it! - */ - if ((event_mask & FS_EVENT_ON_CHILD) && - !(inode_mark->mask & FS_EVENT_ON_CHILD)) - return false; - marks_mask = inode_mark->mask; - marks_ignored_mask = inode_mark->ignored_mask; - } else if (vfsmnt_mark) { - marks_mask = vfsmnt_mark->mask; - marks_ignored_mask = vfsmnt_mark->ignored_mask; - } else { - BUG(); + /* + * if the event is for a child and this inode doesn't care about + * events on the child, don't send it! + */ + if (inode_mark && + (!(event_mask & FS_EVENT_ON_CHILD) || + (inode_mark->mask & FS_EVENT_ON_CHILD))) { + marks_mask |= inode_mark->mask; + marks_ignored_mask |= inode_mark->ignored_mask; + } + + if (vfsmnt_mark) { + marks_mask |= vfsmnt_mark->mask; + marks_ignored_mask |= vfsmnt_mark->ignored_mask; } if (d_is_dir(path->dentry) && -- 2.7.4

7 years, 9 months

3
2
0 0

[PATCH] xhci: Fix Kernel oops in xhci dbgtty

by Mathias Nyman

From: Zhengjun Xing <zhengjun.xing(a)linux.intel.com> tty_unregister_driver may be called more than 1 time in some hotplug cases,it will cause the kernel oops. This patch checked dbc_tty_driver to make sure it is unregistered only 1 time. [ 175.741404] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034 [ 175.742309] IP: tty_unregister_driver+0x9/0x70 [ 175.743148] PGD 0 P4D 0 [ 175.743981] Oops: 0000 [#1] SMP PTI [ 175.753904] RIP: 0010:tty_unregister_driver+0x9/0x70 [ 175.754817] RSP: 0018:ffffa8ff831d3bb0 EFLAGS: 00010246 [ 175.755753] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 175.756685] RDX: ffff92089c616000 RSI: ffffe64fe1b26080 RDI: 0000000000000000 [ 175.757608] RBP: ffff92086c988230 R08: 000000006c982701 R09: 00000001801e0016 [ 175.758533] R10: ffffa8ff831d3b48 R11: ffff92086c982100 R12: ffff92086c98827c [ 175.759462] R13: ffff92086c988398 R14: 0000000000000060 R15: ffff92089c5e9b40 [ 175.760401] FS: 0000000000000000(0000) GS:ffff9208a0100000(0000) knlGS:0000000000000000 [ 175.761334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 175.762270] CR2: 0000000000000034 CR3: 000000011800a003 CR4: 00000000003606e0 [ 175.763225] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 175.764164] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 175.765091] Call Trace: [ 175.766014] xhci_dbc_tty_unregister_driver+0x11/0x30 [ 175.766960] xhci_dbc_exit+0x2a/0x40 [ 175.767889] xhci_stop+0x57/0x1c0 [ 175.768824] usb_remove_hcd+0x100/0x250 [ 175.769708] usb_hcd_pci_remove+0x68/0x130 [ 175.770574] pci_device_remove+0x3b/0xc0 [ 175.771435] device_release_driver_internal+0x157/0x230 [ 175.772343] pci_stop_bus_device+0x74/0xa0 [ 175.773205] pci_stop_bus_device+0x2b/0xa0 [ 175.774061] pci_stop_bus_device+0x2b/0xa0 [ 175.774907] pci_stop_bus_device+0x2b/0xa0 [ 175.775741] pci_stop_bus_device+0x2b/0xa0 [ 175.776618] pci_stop_bus_device+0x2b/0xa0 [ 175.777452] pci_stop_bus_device+0x2b/0xa0 [ 175.778273] pci_stop_bus_device+0x2b/0xa0 [ 175.779092] pci_stop_bus_device+0x2b/0xa0 [ 175.779908] pci_stop_bus_device+0x2b/0xa0 [ 175.780750] pci_stop_bus_device+0x2b/0xa0 [ 175.781543] pci_stop_and_remove_bus_device+0xe/0x20 [ 175.782338] pciehp_unconfigure_device+0xb8/0x160 [ 175.783128] pciehp_disable_slot+0x4f/0xd0 [ 175.783920] pciehp_power_thread+0x82/0xa0 [ 175.784766] process_one_work+0x147/0x3c0 [ 175.785564] worker_thread+0x4a/0x440 [ 175.786376] kthread+0xf8/0x130 [ 175.787174] ? rescuer_thread+0x360/0x360 [ 175.787964] ? kthread_associate_blkcg+0x90/0x90 [ 175.788798] ret_from_fork+0x35/0x40 Cc: <stable(a)vger.kernel.org> # 4.16 Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") Signed-off-by: Zhengjun Xing <zhengjun.xing(a)linux.intel.com> Tested-by: Christian Kellner <christian(a)kellner.me> Reviewed-by: Christian Kellner <christian(a)kellner.me> Signed-off-by: Mathias Nyman <mathias.nyman(a)linux.intel.com> --- drivers/usb/host/xhci-dbgtty.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/drivers/usb/host/xhci-dbgtty.c b/drivers/usb/host/xhci-dbgtty.c index 48779c4..eb494ec5 100644 --- a/drivers/usb/host/xhci-dbgtty.c +++ b/drivers/usb/host/xhci-dbgtty.c @@ -320,9 +320,11 @@ int xhci_dbc_tty_register_driver(struct xhci_hcd *xhci) void xhci_dbc_tty_unregister_driver(void) { - tty_unregister_driver(dbc_tty_driver); - put_tty_driver(dbc_tty_driver); - dbc_tty_driver = NULL; + if (dbc_tty_driver) { + tty_unregister_driver(dbc_tty_driver); + put_tty_driver(dbc_tty_driver); + dbc_tty_driver = NULL; + } } static void dbc_rx_push(unsigned long _port) -- 2.7.4

7 years, 9 months

1
0
0 0

[PATCH] scsi_transport_srp: Fix shost to rport translation

by Bart Van Assche

Since an SRP remote port is attached as a child to shost->shost_gendev and as the only child, the translation from the shost pointer into an rport pointer must happen by looking up the shost child that is an rport. This patch fixes the following KASAN complaint: BUG: KASAN: slab-out-of-bounds in srp_timed_out+0x57/0x110 [scsi_transport_srp] Read of size 4 at addr ffff880035d3fcc0 by task kworker/1:0H/19 CPU: 1 PID: 19 Comm: kworker/1:0H Not tainted 4.16.0-rc3-dbg+ #1 Workqueue: kblockd blk_mq_timeout_work Call Trace: dump_stack+0x85/0xc7 print_address_description+0x65/0x270 kasan_report+0x231/0x350 srp_timed_out+0x57/0x110 [scsi_transport_srp] scsi_times_out+0xc7/0x3f0 [scsi_mod] blk_mq_terminate_expired+0xc2/0x140 bt_iter+0xbc/0xd0 blk_mq_queue_tag_busy_iter+0x1c7/0x350 blk_mq_timeout_work+0x325/0x3f0 process_one_work+0x441/0xa50 worker_thread+0x76/0x6c0 kthread+0x1b2/0x1d0 ret_from_fork+0x24/0x30 Fixes: e68ca75200fe ("scsi_transport_srp: Reduce failover time") Signed-off-by: Bart Van Assche <bart.vanassche(a)wdc.com> Cc: Hannes Reinecke <hare(a)suse.com> Cc: Johannes Thumshirn <jthumshirn(a)suse.de> Cc: Jason Gunthorpe <jgg(a)mellanox.com> Cc: Doug Ledford <dledford(a)redhat.com> Cc: Laurence Oberman <loberman(a)redhat.com> Cc: stable(a)vger.kernel.org --- drivers/scsi/scsi_transport_srp.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c index 36f6190931bc..0d0515615847 100644 --- a/drivers/scsi/scsi_transport_srp.c +++ b/drivers/scsi/scsi_transport_srp.c @@ -51,6 +51,8 @@ struct srp_internal { struct transport_container rport_attr_cont; }; +static int scsi_is_srp_rport(const struct device *dev); + #define to_srp_internal(tmpl) container_of(tmpl, struct srp_internal, t) #define dev_to_rport(d) container_of(d, struct srp_rport, dev) @@ -60,9 +62,24 @@ static inline struct Scsi_Host *rport_to_shost(struct srp_rport *r) return dev_to_shost(r->dev.parent); } +static int find_child_rport(struct device *dev, void *data) +{ + struct device **child = data; + + if (scsi_is_srp_rport(dev)) { + WARN_ON_ONCE(*child); + *child = dev; + } + return 0; +} + static inline struct srp_rport *shost_to_rport(struct Scsi_Host *shost) { - return transport_class_to_srp_rport(&shost->shost_gendev); + struct device *child = NULL; + + WARN_ON_ONCE(device_for_each_child(&shost->shost_gendev, &child, + find_child_rport) < 0); + return child ? dev_to_rport(child) : NULL; } /** -- 2.16.2

7 years, 9 months

3
2
0 0

v4.13+ stable backport request

by Jani Nikula

Stable team, please backport commit a306343bcd7d ("drm/i915/edp: Do not do link training fallback or prune modes on EDP") to v4.13+ Fixes: 9301397a63b3 ("drm/i915: Implement Link Rate fallback on Link training failure") BR, Jani. -- Jani Nikula, Intel Open Source Technology Center

7 years, 9 months

3
6
0 0

[PATCH] mm, slab: reschedule cache_reap() on the same CPU

by Vlastimil Babka

cache_reap() is initially scheduled in start_cpu_timer() via schedule_delayed_work_on(). But then the next iterations are scheduled via schedule_delayed_work(), i.e. using WORK_CPU_UNBOUND. Thus since commit ef557180447f ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs") there is no guarantee the future iterations will run on the originally intended cpu, although it's still preferred. I was able to demonstrate this with /sys/module/workqueue/parameters/debug_force_rr_cpu. IIUC, it may also happen due to migrating timers in nohz context. As a result, some cpu's would be calling cache_reap() more frequently and others never. This patch uses schedule_delayed_work_on() with the current cpu when scheduling the next iteration. Signed-off-by: Vlastimil Babka <vbabka(a)suse.cz> Fixes: ef557180447f ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs") CC: <stable(a)vger.kernel.org> Cc: Joonsoo Kim <iamjoonsoo.kim(a)lge.com> Cc: David Rientjes <rientjes(a)google.com> Cc: Pekka Enberg <penberg(a)kernel.org> Cc: Christoph Lameter <cl(a)linux.com> Cc: Tejun Heo <tj(a)kernel.org> Cc: Lai Jiangshan <jiangshanlai(a)gmail.com> Cc: John Stultz <john.stultz(a)linaro.org> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Stephen Boyd <sboyd(a)kernel.org> --- mm/slab.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mm/slab.c b/mm/slab.c index 9095c3945425..a76006aae857 100644 --- a/mm/slab.c +++ b/mm/slab.c @@ -4074,7 +4074,8 @@ static void cache_reap(struct work_struct *w) next_reap_node(); out: /* Set up the next iteration */ - schedule_delayed_work(work, round_jiffies_relative(REAPTIMEOUT_AC)); + schedule_delayed_work_on(smp_processor_id(), work, + round_jiffies_relative(REAPTIMEOUT_AC)); } void get_slabinfo(struct kmem_cache *cachep, struct slabinfo *sinfo) -- 2.16.3

7 years, 9 months

4
4
0 0

[PATCH AUTOSEL for 4.9 001/293] ALSA: timer: Wrap with spinlock for queue access

by Sasha Levin

From: Takashi Iwai <tiwai(a)suse.de> [ Upstream commit d7f910bfedd863d13ea320030fe98e42d0938ed5 ] For accessing the snd_timer_user queue indices, we take tu->qlock. But it's forgotten in a couple of places. The one in snd_timer_user_params() should be safe without the spinlock as the timer is already stopped. But it's better for consistency. The one in poll is just a read-out, so it's not inevitably needed, but it'd be good to make the result consistent, too. Tested-by: Alexander Potapenko <glider(a)google.com> Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <alexander.levin(a)microsoft.com> --- sound/core/timer.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/sound/core/timer.c b/sound/core/timer.c index e5ddc475dca4..bbde1bcdd985 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -1773,6 +1773,7 @@ static int snd_timer_user_params(struct file *file, } } } + spin_lock_irq(&tu->qlock); tu->qhead = tu->qtail = tu->qused = 0; if (tu->timeri->flags & SNDRV_TIMER_IFLG_EARLY_EVENT) { if (tu->tread) { @@ -1793,6 +1794,7 @@ static int snd_timer_user_params(struct file *file, } tu->filter = params.filter; tu->ticks = params.ticks; + spin_unlock_irq(&tu->qlock); err = 0; _end: if (copy_to_user(_params, &params, sizeof(params))) @@ -2034,10 +2036,12 @@ static unsigned int snd_timer_user_poll(struct file *file, poll_table * wait) poll_wait(file, &tu->qchange_sleep, wait); mask = 0; + spin_lock_irq(&tu->qlock); if (tu->qused) mask |= POLLIN | POLLRDNORM; if (tu->disconnected) mask |= POLLERR; + spin_unlock_irq(&tu->qlock); return mask; } -- 2.15.1

7 years, 9 months

4
295
0 0

[PATCH] drm/i915/dp: Fix intel_edp_compare_alt_mode.

by Maarten Lankhorst

On fi-cnl-y3 we have 2 modes that differ only by crtc_clock. This means that if we request the normal mode, we automatically get the downclocked mode. This can be seen during boot: [drm:drm_helper_probe_single_connector_modes] [CONNECTOR:101:eDP-1] probed modes : [drm:drm_mode_debug_printmodeline] Modeline 102:"3840x2160" 60 533250 3840 3888 3920 4000 2160 2163 2168 2222 0x48 0xa [drm:drm_mode_debug_printmodeline] Modeline 103:"3840x2160" 48 426600 3840 3888 3920 4000 2160 2163 2168 2222 0x40 0xa ... [drm:intel_dump_pipe_config [i915]] [CRTC:51:pipe A][modeset] [drm:intel_dump_pipe_config [i915]] output_types: EDP (0x100) [drm:intel_dump_pipe_config [i915]] cpu_transcoder: EDP, pipe bpp: 24, dithering: 0 [drm:intel_dump_pipe_config [i915]] dp m_n: lanes: 4; gmch_m: 4970250, gmch_n: 8388608, link_m: 828375, link_n: 1048576, tu: 64 [drm:intel_dump_pipe_config [i915]] dp m2_n2: lanes: 4; gmch_m: 4970250, gmch_n: 8388608, link_m: 828375, link_n: 1048576, tu: 64 [drm:intel_dump_pipe_config [i915]] audio: 0, infoframes: 0 [drm:intel_dump_pipe_config [i915]] requested mode: [drm:drm_mode_debug_printmodeline] Modeline 0:"3840x2160" 60 533250 3840 3888 3920 4000 2160 2163 2168 2222 0x48 0xa [drm:intel_dump_pipe_config [i915]] adjusted mode: [drm:drm_mode_debug_printmodeline] Modeline 0:"3840x2160" 48 426600 3840 3888 3920 4000 2160 2163 2168 2222 0x40 0xa Testcase: kms_panel_fitting.atomic-fastset Signed-off-by: Maarten Lankhorst <maarten.lankhorst(a)linux.intel.com> Fixes: dc911f5bd8aa ("drm/i915/edp: Allow alternate fixed mode for eDP if available.") Cc: David Weinehall <david.weinehall(a)linux.intel.com> Cc: Rodrigo Vivi <rodrigo.vivi(a)intel.com> Cc: Paulo Zanoni <paulo.r.zanoni(a)intel.com> Cc: Jani Nikula <jani.nikula(a)intel.com> Cc: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Jim Bride <jim.bride(a)linux.intel.com> Cc: Joonas Lahtinen <joonas.lahtinen(a)linux.intel.com> Cc: <stable(a)vger.kernel.org> # v4.14+ --- drivers/gpu/drm/i915/intel_dp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c index 9a4a51e79fa1..0bd3cc1c82b4 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c @@ -1684,7 +1684,8 @@ static bool intel_edp_compare_alt_mode(struct drm_display_mode *m1, m1->vdisplay == m2->vdisplay && m1->vsync_start == m2->vsync_start && m1->vsync_end == m2->vsync_end && - m1->vtotal == m2->vtotal); + m1->vtotal == m2->vtotal && + m1->clock == m2->clock); return bres; } -- 2.16.2

7 years, 9 months

4
9
0 0

[alternative-merged] resource-fix-integer-overflow-at-reallocation.patch removed from -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: resource: fix integer overflow at reallocation has been removed from the -mm tree. Its filename was resource-fix-integer-overflow-at-reallocation.patch This patch was dropped because an alternative patch was merged ------------------------------------------------------ From: Takashi Iwai <tiwai(a)suse.de> Subject: resource: fix integer overflow at reallocation We've got a bug report indicating a kernel panic at booting on an x86-32 system, and it turned out to be the invalid resource assigned after PCI resource reallocation. __find_resource() first aligns the resource start address and resets the end address with start+size-1 accordingly, then checks whether it's contained. Here the end address may overflow the integer, although resource_contains() still returns true because the function validates only start and end address. So this ends up with returning an invalid resource (start > end). There was already an attempt to cover such a problem in the commit 47ea91b4052d ("Resource: fix wrong resource window calculation"), but this case is an overseen one. This patch adds the validity check in resource_contains() to see whether the given resource has a valid range for avoiding the integer overflow problem. Bugzilla: http://bugzilla.opensuse.org/show_bug.cgi?id=1086739 Link: http://lkml.kernel.org/r/20180408072026.27365-1-tiwai@suse.de Fixes: 23c570a67448 ("resource: ability to resize an allocated resource") Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Reported-by: Michael Henders <hendersm(a)shaw.ca> Tested-by: Michael Henders <hendersm(a)shaw.ca> Reviewed-by: Ram Pai <linuxram(a)us.ibm.com> Cc: Bjorn Helgaas <bhelgaas(a)google.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/ioport.h | 3 +++ 1 file changed, 3 insertions(+) diff -puN include/linux/ioport.h~resource-fix-integer-overflow-at-reallocation include/linux/ioport.h --- a/include/linux/ioport.h~resource-fix-integer-overflow-at-reallocation +++ a/include/linux/ioport.h @@ -212,6 +212,9 @@ static inline bool resource_contains(str return false; if (r1->flags & IORESOURCE_UNSET || r2->flags & IORESOURCE_UNSET) return false; + /* sanity check whether it's a valid resource range */ + if (r2->end < r2->start) + return false; return r1->start <= r2->start && r1->end >= r2->end; } _ Patches currently in -mm which might be from tiwai(a)suse.de are resource-fix-integer-overflow-at-reallocation-v1.patch

7 years, 9 months

1
0
0 0

+ rapidio-fix-rio_dma_transfer-error-handling.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: rapidio: fix rio_dma_transfer error handling has been added to the -mm tree. Its filename is rapidio-fix-rio_dma_transfer-error-handling.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/rapidio-fix-rio_dma_transfer-error… and later at http://ozlabs.org/~akpm/mmotm/broken-out/rapidio-fix-rio_dma_transfer-error… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Ioan Nicu <ioan.nicu.ext(a)nokia.com> Subject: rapidio: fix rio_dma_transfer error handling Some of the mport_dma_req structure members were initialized late inside the do_dma_request() function, just before submitting the request to the dma engine. But we have some error branches before that. In case of such an error, the code would return on the error path and trigger the calling of dma_req_free() with a req structure which is not completely initialized. This causes a NULL pointer dereference in dma_req_free(). This patch fixes these error branches by making sure that all necessary mport_dma_req structure members are initialized in rio_dma_transfer() immediately after the request structure gets allocated. Link: http://lkml.kernel.org/r/20180412150605.GA31409@nokia.com Signed-off-by: Ioan Nicu <ioan.nicu.ext(a)nokia.com> Tested-by: Alexander Sverdlin <alexander.sverdlin(a)nokia.com> Acked-by: Alexandre Bounine <alex.bou9(a)gmail.com> Cc: Barry Wood <barry.wood(a)idt.com> Cc: Matt Porter <mporter(a)kernel.crashing.org> Cc: Christophe JAILLET <christophe.jaillet(a)wanadoo.fr> Cc: Logan Gunthorpe <logang(a)deltatee.com> Cc: Chris Wilson <chris(a)chris-wilson.co.uk> Cc: Tvrtko Ursulin <tvrtko.ursulin(a)intel.com> Cc: Frank Kunz <frank.kunz(a)nokia.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- drivers/rapidio/devices/rio_mport_cdev.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff -puN drivers/rapidio/devices/rio_mport_cdev.c~rapidio-fix-rio_dma_transfer-error-handling drivers/rapidio/devices/rio_mport_cdev.c --- a/drivers/rapidio/devices/rio_mport_cdev.c~rapidio-fix-rio_dma_transfer-error-handling +++ a/drivers/rapidio/devices/rio_mport_cdev.c @@ -740,10 +740,7 @@ static int do_dma_request(struct mport_d tx->callback = dma_xfer_callback; tx->callback_param = req; - req->dmach = chan; - req->sync = sync; req->status = DMA_IN_PROGRESS; - init_completion(&req->req_comp); kref_get(&req->refcount); cookie = dmaengine_submit(tx); @@ -831,13 +828,20 @@ rio_dma_transfer(struct file *filp, u32 if (!req) return -ENOMEM; - kref_init(&req->refcount); - ret = get_dma_channel(priv); if (ret) { kfree(req); return ret; } + chan = priv->dmach; + + kref_init(&req->refcount); + init_completion(&req->req_comp); + req->dir = dir; + req->filp = filp; + req->priv = priv; + req->dmach = chan; + req->sync = sync; /* * If parameter loc_addr != NULL, we are transferring data from/to @@ -925,11 +929,6 @@ rio_dma_transfer(struct file *filp, u32 xfer->offset, xfer->length); } - req->dir = dir; - req->filp = filp; - req->priv = priv; - chan = priv->dmach; - nents = dma_map_sg(chan->device->dev, req->sgt.sgl, req->sgt.nents, dir); if (nents == 0) { _ Patches currently in -mm which might be from ioan.nicu.ext(a)nokia.com are rapidio-fix-rio_dma_transfer-error-handling.patch

7 years, 9 months

1
0
0 0

Targeted Global B2B Companies Emails List

by joann.kaur＠dedicatedaccounts.com

Hi, Hope all is well! We are a database organization. We provide business executives' contact information. Below, I've included a few examples: Industry-Specific Lists: Agriculture, Business Services, Chambers of Commerce, Cities, Towns & Municipalities, Construction, Consumer Services, Cultural, Education, Energy, Utilities & Waste Treatment, Finance, Government, Healthcare, Hospitality, Insurance, Law Firms & Legal Services, Manufacturing, Media & Internet, Metals & Mining, Organizations, Real Estate, Retail, Software, Telecommunications, Transportation, and more! Technology-Specific Lists: SAP users, PeopleSoft users, SIEBEL customers, Oracle Application customers, Microsoft Dynamic users, Sales force users, Microsoft Exchange users, QuickBooks, Lawson users, Act users, JD Edward users, ASP users, Microsoft GP Applications users, Net Suite users, IBM DBMS Application users, McAfee users, MS Dynamics GP (Great Plains), and many more. Title-Specific Lists: C-level executives: CEO, CFO, CIO, CTO, CMO, CISO, CSO, COO Key decision-makers: All C-level, VP-level, and Director-level executives HR Executives: VP of HR, HR Director & HR Manager, etc. Marketing Executives: CMO, VP of Marketing, Director of Marketing, Marketing Managers IT Executives: CIO, CTO, CISO, IT-VP, IT-Director, IT Manager, MIS Manager, etc. Please keep me informed for any additional details. I look forward to hearing from you. Regards, Joann Kaur Marketing Executive

7 years, 9 months

1
0
0 0

[PATCH 4.9 000/102] 4.9.93-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.93 release. There are 102 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Apr 8 08:42:55 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.93-rc1… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.93-rc1 Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> spi: davinci: fix up dma_mapping_error() incorrect patch Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ip6_vti: adjust vti mtu according to mtu of lower device" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "mtip32xx: use runtime tag to initialize command header" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "spi: bcm-qspi: shut up warning about cfi header inclusion" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin" Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin" Mikulas Patocka <mpatocka(a)redhat.com> Fix slab name "biovec-(1<<(21-12))" Matthias Brugger <matthias.bgg(a)gmail.com> net: hns: Fix ethtool private flags Guoqing Jiang <gqjiang(a)suse.com> md/raid10: reset the 'first' at the end of loop Keerthy <j-keerthy(a)ti.com> ARM: dts: am57xx-idk-common: Add overide powerhold property Keerthy <j-keerthy(a)ti.com> ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property Keerthy <j-keerthy(a)ti.com> ARM: dts: dra7: Add power hold and power controller properties to palmas Keerthy <j-keerthy(a)ti.com> Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition Mike Frysinger <vapier(a)chromium.org> vt: change SGR 21 to follow the standards Ondrej Zary <linux(a)rainbow-software.org> Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad Dennis Wassenberg <dennis.wassenberg(a)secunet.com> Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list Masaki Ota <masaki.ota(a)jp.alps.com> Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370 Frank Mori Hess <fmh6jj(a)gmail.com> staging: comedi: ni_mio_common: ack ai fifo error interrupts. Eric Biggers <ebiggers(a)google.com> crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one Herbert Xu <herbert(a)gondor.apana.org.au> crypto: ahash - Fix early termination in hash walk Alexander Gerasiov <gq(a)redlab-i.ru> parport_pc: Add support for WCH CH382L PCI-E single parallel port card. Oliver Neukum <oneukum(a)suse.com> media: usbtv: prevent double free in error case Colin Ian King <colin.king(a)canonical.com> mei: remove dev_err message on an unsupported ioctl Johan Hovold <johan(a)kernel.org> USB: serial: cp210x: add ELDAT Easywave RX09 id Clemens Werther <clemens.werther(a)gmail.com> USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator Major Hayden <major(a)mhtx.net> USB: serial: ftdi_sio: add RT Systems VX-8 cable Will Deacon <will.deacon(a)arm.com> arm64: idmap: Use "awx" flags for .idmap.text .pushsection directives Will Deacon <will.deacon(a)arm.com> arm64: entry: Reword comment about post_ttbr_update_workaround Marc Zyngier <marc.zyngier(a)arm.com> arm64: Force KPTI to be disabled on Cavium ThunderX Will Deacon <will.deacon(a)arm.com> arm64: kpti: Add ->enable callback to remap swapper using nG mappings Will Deacon <will.deacon(a)arm.com> arm64: kpti: Make use of nG dependent on arm64_kernel_unmapped_at_el0() Jayachandran C <jnair(a)caviumnetworks.com> arm64: Turn on KPTI only on CPUs that need it Jayachandran C <jnair(a)caviumnetworks.com> arm64: cputype: Add MIDR values for Cavium ThunderX2 CPUs Suzuki K Poulose <suzuki.poulose(a)arm.com> arm64: capabilities: Handle duplicate entries for a capability Marc Zyngier <marc.zyngier(a)arm.com> arm64: Allow checking of a CPU-local erratum Will Deacon <will.deacon(a)arm.com> arm64: Take into account ID_AA64PFR0_EL1.CSV3 Will Deacon <will.deacon(a)arm.com> arm64: Kconfig: Reword UNMAP_KERNEL_AT_EL0 kconfig entry Will Deacon <will.deacon(a)arm.com> arm64: Kconfig: Add CONFIG_UNMAP_KERNEL_AT_EL0 Will Deacon <will.deacon(a)arm.com> arm64: use RET instruction for exiting the trampoline Will Deacon <will.deacon(a)arm.com> arm64: kaslr: Put kernel vectors address in separate data page Will Deacon <will.deacon(a)arm.com> arm64: entry: Add fake CPU feature for unmapping the kernel at EL0 Will Deacon <will.deacon(a)arm.com> arm64: tls: Avoid unconditional zeroing of tpidrro_el0 for native tasks Will Deacon <will.deacon(a)arm.com> arm64: entry: Hook up entry trampoline to exception vectors Will Deacon <will.deacon(a)arm.com> arm64: entry: Explicitly pass exception level to kernel_ventry macro Will Deacon <will.deacon(a)arm.com> arm64: mm: Map entry trampoline into trampoline and kernel page tables Will Deacon <will.deacon(a)arm.com> arm64: entry: Add exception trampoline page for exceptions from EL0 AKASHI Takahiro <takahiro.akashi(a)linaro.org> module: extend 'rodata=off' boot cmdline parameter to module mappings Mark Rutland <mark.rutland(a)arm.com> arm64: factor out entry stack manipulation Will Deacon <will.deacon(a)arm.com> arm64: mm: Invalidate both kernel and user ASIDs when performing TLBI Will Deacon <will.deacon(a)arm.com> arm64: mm: Add arm64_kernel_unmapped_at_el0 helper Will Deacon <will.deacon(a)arm.com> arm64: mm: Allocate ASIDs in pairs Will Deacon <will.deacon(a)arm.com> arm64: mm: Move ASID from TTBR0 to TTBR1 Will Deacon <will.deacon(a)arm.com> arm64: mm: Use non-global mappings for kernel space John Stultz <john.stultz(a)linaro.org> usb: dwc2: Improve gadget state disconnection handling Paolo Bonzini <pbonzini(a)redhat.com> scsi: virtio_scsi: always read VPD pages for multiqueue too Alexander Potapenko <glider(a)google.com> llist: clang: introduce member_address_is_nonnull() Szymon Janc <szymon.janc(a)codecoup.pl> Bluetooth: Fix missing encryption refresh on Security Request Florian Westphal <fw(a)strlen.de> netfilter: x_tables: add and use xt_check_proc_name Florian Westphal <fw(a)strlen.de> netfilter: bridge: ebt_among: add more missing match size checks Steffen Klassert <steffen.klassert(a)secunet.com> xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems Greg Hackmann <ghackmann(a)google.com> net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() Roland Dreier <roland(a)purestorage.com> RDMA/ucma: Introduce safer rdma_addr_size() variants Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check that device exists prior to accessing it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check that device is connected prior to access it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Ensure that CM_ID exists prior to access it Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Fix use-after-free access in ucma_close Leon Romanovsky <leonro(a)mellanox.com> RDMA/ucma: Check AF family prior resolving address Florian Westphal <fw(a)strlen.de> xfrm_user: uncoditionally validate esn replay attribute struct Nick Desaulniers <nick.desaulniers(a)gmail.com> mm/vmscan.c: fix unsequenced modification and access warning Matthias Kaehlcke <mka(a)chromium.org> selinux: Remove redundant check for unknown labeling behavior Nick Desaulniers <ndesaulniers(a)google.com> arm64: avoid overflow in VA_START and PAGE_OFFSET Matthias Kaehlcke <mka(a)chromium.org> btrfs: Remove extra parentheses from condition in copy_items() Matthias Kaehlcke <mka(a)chromium.org> mac80211: ibss: Fix channel type enum in ieee80211_sta_join_ibss() Matthias Kaehlcke <mka(a)chromium.org> mac80211: Fix clang warning about constant operand in logical operation Matthias Kaehlcke <mka(a)chromium.org> netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch Frank Praznik <frank.praznik(a)gmail.com> HID: sony: Use LED_CORE_SUSPENDRESUME Matthias Kaehlcke <mka(a)chromium.org> cfg80211: Fix array-bounds warning in fragment copy Matthias Kaehlcke <mka(a)chromium.org> nl80211: Fix enum type of variable in nl80211_put_sta_rate() Arnd Bergmann <arnd(a)arndb.de> xgene_enet: remove bogus forward declarations Stefan Agner <stefan(a)agner.ch> usb: gadget: remove redundant self assignment Matthias Kaehlcke <mka(a)chromium.org> frv: declare jiffies to be located in the .data section Matthias Kaehlcke <mka(a)chromium.org> jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp Mark Charlebois <charlebm(a)gmail.com> fs: compat: Remove warning from COMPATIBLE_IOCTL Matthias Kaehlcke <mka(a)chromium.org> selinux: Remove unnecessary check of array base in selinux_set_mapping() Matthias Kaehlcke <mka(a)chromium.org> cpumask: Add helper cpumask_available() Matthias Kaehlcke <mka(a)chromium.org> genirq: Use cpumask_available() for check of cpumask variable Nick Desaulniers <ndesaulniers(a)google.com> netfilter: nf_nat_h323: fix logical-not-parentheses warning Nick Desaulniers <nick.desaulniers(a)gmail.com> Input: mousedev - fix implicit conversion warning Matthias Kaehlcke <mka(a)chromium.org> dm ioctl: remove double parentheses Matthias Kaehlcke <mka(a)chromium.org> PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant Masami Hiramatsu <mhiramat(a)kernel.org> kprobes/x86: Fix to set RWX bits correctly before releasing trampoline Richard Narron <comet.berkeley(a)gmail.com> partitions/msdos: Unable to mount UFS 44bsd partitions Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs Nicholas Piggin <npiggin(a)gmail.com> powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened Mike Kravetz <mike.kravetz(a)oracle.com> ipc/shm.c: add split function to shm_vm_ops Yan, Zheng <zyan(a)redhat.com> ceph: only dirty ITER_IOVEC pages for direct read Linus Torvalds <torvalds(a)linux-foundation.org> perf/hwbp: Simplify the perf-hwbp code, fix documentation Dan Carpenter <dan.carpenter(a)oracle.com> ALSA: pcm: potential uninitialized return values Stefan Roese <sr(a)denx.de> ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent() Nobutaka Okabe <nob77413(a)gmail.com> ALSA: usb-audio: Add native DSD support for TEAC UD-301 Linus Walleij <linus.walleij(a)linaro.org> mtd: jedec_probe: Fix crash in jedec_read_mfr() Fabio Estevam <festevam(a)gmail.com> ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[] ------------- Diffstat: .../devicetree/bindings/pinctrl/pinctrl-palmas.txt | 9 + Makefile | 4 +- arch/arm/boot/dts/am335x-pepper.dts | 2 +- arch/arm/boot/dts/am57xx-beagle-x15-common.dtsi | 1 + arch/arm/boot/dts/am57xx-idk-common.dtsi | 1 + arch/arm/boot/dts/dra7-evm.dts | 2 + arch/arm/boot/dts/omap3-n900.dts | 4 +- arch/arm/vfp/vfpmodule.c | 2 +- arch/arm64/Kconfig | 12 ++ arch/arm64/include/asm/assembler.h | 3 + arch/arm64/include/asm/cpucaps.h | 3 +- arch/arm64/include/asm/cputype.h | 3 + arch/arm64/include/asm/fixmap.h | 6 + arch/arm64/include/asm/memory.h | 6 +- arch/arm64/include/asm/mmu.h | 11 ++ arch/arm64/include/asm/mmu_context.h | 7 + arch/arm64/include/asm/pgtable-hwdef.h | 1 + arch/arm64/include/asm/pgtable-prot.h | 35 ++-- arch/arm64/include/asm/pgtable.h | 1 + arch/arm64/include/asm/proc-fns.h | 6 - arch/arm64/include/asm/sysreg.h | 1 + arch/arm64/include/asm/tlbflush.h | 16 +- arch/arm64/kernel/asm-offsets.c | 6 +- arch/arm64/kernel/cpu-reset.S | 2 +- arch/arm64/kernel/cpufeature.c | 135 +++++++++++-- arch/arm64/kernel/entry.S | 188 +++++++++++++++--- arch/arm64/kernel/head.S | 2 +- arch/arm64/kernel/process.c | 12 +- arch/arm64/kernel/sleep.S | 2 +- arch/arm64/kernel/vmlinux.lds.S | 22 ++- arch/arm64/mm/context.c | 25 ++- arch/arm64/mm/mmu.c | 31 +++ arch/arm64/mm/proc.S | 216 +++++++++++++++++++-- arch/frv/include/asm/timex.h | 6 + arch/powerpc/kernel/exceptions-64s.S | 2 +- arch/powerpc/kernel/irq.c | 8 + arch/x86/crypto/cast5_avx_glue.c | 3 +- arch/x86/kernel/kprobes/core.c | 9 + block/bio.c | 4 +- block/partitions/msdos.c | 4 +- crypto/ahash.c | 7 +- drivers/block/mtip32xx/mtip32xx.c | 36 ++-- drivers/hid/hid-sony.c | 45 ++--- drivers/infiniband/core/addr.c | 16 ++ drivers/infiniband/core/ucma.c | 61 +++--- drivers/input/mouse/alps.c | 24 ++- drivers/input/mousedev.c | 62 +++--- drivers/input/serio/i8042-x86ia64io.h | 24 +++ drivers/md/dm-ioctl.c | 4 +- drivers/md/raid10.c | 1 + drivers/media/usb/usbtv/usbtv-core.c | 2 + drivers/misc/mei/main.c | 1 - drivers/mtd/chips/jedec_probe.c | 2 + drivers/net/ethernet/apm/xgene/xgene_enet_main.c | 50 +++-- drivers/net/ethernet/hisilicon/hns/hns_dsaf_gmac.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_dsaf_rcb.c | 2 +- drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 4 +- drivers/net/phy/mdio-xgene.c | 50 +++-- drivers/net/phy/mdio-xgene.h | 4 - drivers/parport/parport_pc.c | 4 + drivers/pci/probe.c | 2 +- drivers/pci/setup-res.c | 2 +- drivers/scsi/virtio_scsi.c | 1 + drivers/spi/Kconfig | 1 - drivers/spi/spi-davinci.c | 2 +- drivers/staging/comedi/drivers/ni_mio_common.c | 2 + drivers/tty/vt/vt.c | 6 +- drivers/usb/dwc2/hcd.c | 7 +- drivers/usb/gadget/udc/core.c | 4 +- drivers/usb/serial/cp210x.c | 1 + drivers/usb/serial/ftdi_sio.c | 2 + drivers/usb/serial/ftdi_sio_ids.h | 9 + fs/btrfs/tree-log.c | 2 +- fs/ceph/file.c | 9 +- fs/compat_ioctl.c | 2 +- include/linux/cpumask.h | 10 + include/linux/init.h | 3 + include/linux/jiffies.h | 13 +- include/linux/llist.h | 21 +- include/linux/netfilter/x_tables.h | 2 + include/rdma/ib_addr.h | 2 + include/uapi/linux/pci_regs.h | 2 +- init/main.c | 7 +- ipc/shm.c | 12 ++ kernel/events/hw_breakpoint.c | 30 +-- kernel/irq/manage.c | 2 +- kernel/kprobes.c | 2 +- kernel/module.c | 20 +- mm/vmscan.c | 13 +- net/bluetooth/smp.c | 8 +- net/bridge/netfilter/ebt_among.c | 34 ++++ net/ipv4/netfilter/nf_nat_h323.c | 57 +++--- net/ipv6/ip6_vti.c | 20 -- net/mac80211/ibss.c | 4 +- net/mac80211/rate.c | 6 +- net/netfilter/nf_conntrack_netlink.c | 7 +- net/netfilter/x_tables.c | 30 +++ net/netfilter/xt_hashlimit.c | 11 +- net/netfilter/xt_recent.c | 6 +- net/wireless/nl80211.c | 2 +- net/wireless/util.c | 6 +- net/xfrm/xfrm_ipcomp.c | 2 +- net/xfrm/xfrm_state.c | 5 + net/xfrm/xfrm_user.c | 21 +- security/selinux/hooks.c | 16 -- security/selinux/ss/services.c | 2 +- sound/core/oss/pcm_oss.c | 4 +- sound/core/pcm_native.c | 2 +- sound/usb/quirks.c | 1 + 110 files changed, 1205 insertions(+), 446 deletions(-)

7 years, 9 months

4
109
0 0

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror