- Linux-stable-mirror - lists.linaro.org

[Linux-stable-mirror] Patch "powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold" has been added to the 4.9-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: powerpc-64-fix-checksum-folding-in-csum_tcpudp_nofold-and-ip_fast_csum_nofold.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From b492f7e4e07a28e706db26cf4943bb0911435426 Mon Sep 17 00:00:00 2001 From: Paul Mackerras <paulus(a)ozlabs.org> Date: Thu, 3 Nov 2016 16:10:55 +1100 Subject: powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold From: Paul Mackerras <paulus(a)ozlabs.org> commit b492f7e4e07a28e706db26cf4943bb0911435426 upstream. These functions compute an IP checksum by computing a 64-bit sum and folding it to 32 bits (the "nofold" in their names refers to folding down to 16 bits). However, doing (u32) (s + (s >> 32)) is not sufficient to fold a 64-bit sum to 32 bits correctly. The addition can produce a carry out from bit 31, which needs to be added in to the sum to produce the correct result. To fix this, we copy the from64to32() function from lib/checksum.c and use that. Signed-off-by: Paul Mackerras <paulus(a)ozlabs.org> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/powerpc/include/asm/checksum.h | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) --- a/arch/powerpc/include/asm/checksum.h +++ b/arch/powerpc/include/asm/checksum.h @@ -53,17 +53,25 @@ static inline __sum16 csum_fold(__wsum s return (__force __sum16)(~((__force u32)sum + tmp) >> 16); } +static inline u32 from64to32(u64 x) +{ + /* add up 32-bit and 32-bit for 32+c bit */ + x = (x & 0xffffffff) + (x >> 32); + /* add up carry.. */ + x = (x & 0xffffffff) + (x >> 32); + return (u32)x; +} + static inline __wsum csum_tcpudp_nofold(__be32 saddr, __be32 daddr, __u32 len, __u8 proto, __wsum sum) { #ifdef __powerpc64__ - unsigned long s = (__force u32)sum; + u64 s = (__force u32)sum; s += (__force u32)saddr; s += (__force u32)daddr; s += proto + len; - s += (s >> 32); - return (__force __wsum) s; + return (__force __wsum) from64to32(s); #else __asm__("\n\ addc %0,%0,%1 \n\ @@ -123,8 +131,7 @@ static inline __wsum ip_fast_csum_nofold for (i = 0; i < ihl - 1; i++, ptr++) s += *ptr; - s += (s >> 32); - return (__force __wsum)s; + return (__force __wsum)from64to32(s); #else __wsum sum, tmp; Patches currently in stable-queue which might be from paulus(a)ozlabs.org are queue-4.9/powerpc-64-fix-checksum-folding-in-csum_tcpudp_nofold-and-ip_fast_csum_nofold.patch queue-4.9/powerpc-64-fix-checksum-folding-in-csum_add.patch queue-4.9/powerpc-64-invalidate-process-table-caching-after-setting-process-table.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH RESEND] KVM: X86: Fix load bad host fpu state

by Wanpeng Li

From: Wanpeng Li <wanpeng.li(a)hotmail.com> ------------[ cut here ]------------ Bad FPU state detected at kvm_put_guest_fpu+0xd8/0x2d0 [kvm], reinitializing FPU registers. WARNING: CPU: 1 PID: 4594 at arch/x86/mm/extable.c:103 ex_handler_fprestore+0x88/0x90 CPU: 1 PID: 4594 Comm: qemu-system-x86 Tainted: G B OE 4.15.0-rc2+ #10 RIP: 0010:ex_handler_fprestore+0x88/0x90 Call Trace: fixup_exception+0x4e/0x60 do_general_protection+0xff/0x270 general_protection+0x22/0x30 RIP: 0010:kvm_put_guest_fpu+0xd8/0x2d0 [kvm] RSP: 0018:ffff8803d5627810 EFLAGS: 00010246 kvm_vcpu_reset+0x3b4/0x3c0 [kvm] kvm_apic_accept_events+0x1c0/0x240 [kvm] kvm_arch_vcpu_ioctl_run+0x1658/0x2fb0 [kvm] kvm_vcpu_ioctl+0x479/0x880 [kvm] do_vfs_ioctl+0x142/0x9a0 SyS_ioctl+0x74/0x80 do_syscall_64+0x15f/0x600 This can be reproduced by running any testcase in kvm-unit-tests since the qemu userspace FPU context is not initialized, which results in the init path from kvm_apic_accept_events() will load/put qemu userspace FPU context w/o initialized. In addition, w/o this splatting we still should initialize vcpu->arch.user_fpu instead of current->thread.fpu. This patch fixes it by initializing qemu user FPU context if it is uninitialized before KVM_RUN. Cc: Paolo Bonzini <pbonzini(a)redhat.com> Cc: Radim Krčmář <rkrcmar(a)redhat.com> Cc: Rik van Riel <riel(a)redhat.com> Cc: stable(a)vger.kernel.org Fixes: f775b13eedee (x86,kvm: move qemu/guest FPU switching out to vcpu_run) Signed-off-by: Wanpeng Li <wanpeng.li(a)hotmail.com> --- arch/x86/kvm/x86.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c index a92b22f..063a643 100644 --- a/arch/x86/kvm/x86.c +++ b/arch/x86/kvm/x86.c @@ -7273,10 +7273,13 @@ static int complete_emulated_mmio(struct kvm_vcpu *vcpu) int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run) { - struct fpu *fpu = &current->thread.fpu; + struct fpu *fpu = &vcpu->arch.user_fpu; int r; - fpu__initialize(fpu); + if (!fpu->initialized) { + fpstate_init(&fpu->state); + fpu->initialized = 1; + } kvm_sigset_activate(vcpu); -- 2.7.4

7 years, 9 months

4
9
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.4 01/59] ALSA: hda - add support for docking station for HP 820 G2

by alexander.levin＠verizon.com

From: Jaroslav Kysela <perex(a)perex.cz> [ Upstream commit 04d5466a976b096364a39a63ac264c1b3a5f8fa1 ] This tested patch adds missing initialization for Line-In/Out PINs for the docking station for HP 820 G2. Signed-off-by: Jaroslav Kysela <perex(a)perex.cz> Signed-off-by: Takashi Iwai <tiwai(a)suse.de> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- sound/pci/hda/patch_realtek.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c index e5730a7d0480..2159b18f76bf 100644 --- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -4839,6 +4839,7 @@ enum { ALC286_FIXUP_HP_GPIO_LED, ALC280_FIXUP_HP_GPIO2_MIC_HOTKEY, ALC280_FIXUP_HP_DOCK_PINS, + ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, ALC280_FIXUP_HP_9480M, ALC288_FIXUP_DELL_HEADSET_MODE, ALC288_FIXUP_DELL1_MIC_NO_PRESENCE, @@ -5377,6 +5378,16 @@ static const struct hda_fixup alc269_fixups[] = { .chained = true, .chain_id = ALC280_FIXUP_HP_GPIO4 }, + [ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED] = { + .type = HDA_FIXUP_PINS, + .v.pins = (const struct hda_pintbl[]) { + { 0x1b, 0x21011020 }, /* line-out */ + { 0x18, 0x2181103f }, /* line-in */ + { }, + }, + .chained = true, + .chain_id = ALC269_FIXUP_HP_GPIO_MIC1_LED + }, [ALC280_FIXUP_HP_9480M] = { .type = HDA_FIXUP_FUNC, .v.func = alc280_fixup_hp_9480m, @@ -5629,7 +5640,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = { SND_PCI_QUIRK(0x103c, 0x2256, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), SND_PCI_QUIRK(0x103c, 0x2257, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), SND_PCI_QUIRK(0x103c, 0x2259, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), - SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_GPIO_MIC1_LED), + SND_PCI_QUIRK(0x103c, 0x225a, "HP", ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED), SND_PCI_QUIRK(0x103c, 0x2260, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), SND_PCI_QUIRK(0x103c, 0x2263, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), SND_PCI_QUIRK(0x103c, 0x2264, "HP", ALC269_FIXUP_HP_MUTE_LED_MIC1), @@ -5794,6 +5805,7 @@ static const struct hda_model_fixup alc269_fixup_models[] = { {.id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, .name = "headset-mode-no-hp-mic"}, {.id = ALC269_FIXUP_LENOVO_DOCK, .name = "lenovo-dock"}, {.id = ALC269_FIXUP_HP_GPIO_LED, .name = "hp-gpio-led"}, + {.id = ALC269_FIXUP_HP_DOCK_GPIO_MIC1_LED, .name = "hp-dock-gpio-mic1-led"}, {.id = ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, .name = "dell-headset-multi"}, {.id = ALC269_FIXUP_DELL2_MIC_NO_PRESENCE, .name = "dell-headset-dock"}, {.id = ALC283_FIXUP_CHROME_BOOK, .name = "alc283-dac-wcaps"}, -- 2.11.0

7 years, 9 months

1
58
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.9 026/100] r8152: fix the rx early size of RTL8153

by alexander.levin＠verizon.com

From: hayeswang <hayeswang(a)realtek.com> [ Upstream commit b20cb60e2b865638459e6ec82ad3536d3734e555 ] revert commit a59e6d815226 ("r8152: correct the rx early size") and fix the rx early size as (rx buffer size - rx packet size - rx desc size - alignment) / 4 Signed-off-by: Hayes Wang <hayeswang(a)realtek.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/net/usb/r8152.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c index 823219cf95ef..5bc0377cdcdd 100644 --- a/drivers/net/usb/r8152.c +++ b/drivers/net/usb/r8152.c @@ -32,7 +32,7 @@ #define NETNEXT_VERSION "08" /* Information for net */ -#define NET_VERSION "8" +#define NET_VERSION "9" #define DRIVER_VERSION "v1." NETNEXT_VERSION "." NET_VERSION #define DRIVER_AUTHOR "Realtek linux nic maintainers <nic_swsd(a)realtek.com>" @@ -501,6 +501,8 @@ enum rtl_register_content { #define RTL8153_RMS RTL8153_MAX_PACKET #define RTL8152_TX_TIMEOUT (5 * HZ) #define RTL8152_NAPI_WEIGHT 64 +#define rx_reserved_size(x) ((x) + VLAN_ETH_HLEN + CRC_SIZE + \ + sizeof(struct rx_desc) + RX_ALIGN) /* rtl8152 flags */ enum rtl8152_flags { @@ -2253,8 +2255,7 @@ static void r8153_set_rx_early_timeout(struct r8152 *tp) static void r8153_set_rx_early_size(struct r8152 *tp) { - u32 mtu = tp->netdev->mtu; - u32 ocp_data = (agg_buf_sz - mtu - VLAN_ETH_HLEN - VLAN_HLEN) / 8; + u32 ocp_data = (agg_buf_sz - rx_reserved_size(tp->netdev->mtu)) / 4; ocp_write_word(tp, MCU_TYPE_USB, USB_RX_EARLY_SIZE, ocp_data); } -- 2.11.0

7 years, 9 months

1
74
0 0

[Linux-stable-mirror] [PATCH AUTOSEL for 4.9 001/100] cxl: Route eeh events to all slices for pci_channel_io_perm_failure state

by alexander.levin＠verizon.com

From: Vaibhav Jain <vaibhav(a)linux.vnet.ibm.com> [ Upstream commit 07f5ab6002a4f0b633f3495157166f9f6180871b ] Fix a boundary condition where in some cases an eeh event with state == pci_channel_io_perm_failure wont be passed on to a driver attached to the virtual PCI device associated with a slice. This will happen in case the slice just before (n-1) doesn't have any vPHB bus associated with it, that results in an early return from cxl_pci_error_detected() callback. With state == pci_channel_io_perm_failure, the adapter will be removed irrespective of the return value of cxl_vphb_error_detected(). So we now always return PCI_ERS_RESULT_DISCONNECTED for this case i.e even if the AFU isn't using a vPHB (currently returns PCI_ERS_RESULT_NONE). Fixes: e4f5fc001a6("cxl: Do not create vPHB if there are no AFU configuration records") Signed-off-by: Vaibhav Jain <vaibhav(a)linux.vnet.ibm.com> Reviewed-by: Matthew R. Ochs <mrochs(a)linux.vnet.ibm.com> Reviewed-by: Andrew Donnellan <andrew.donnellan(a)au1.ibm.com> Acked-by: Frederic Barrat <fbarrat(a)linux.vnet.ibm.com> Signed-off-by: Michael Ellerman <mpe(a)ellerman.id.au> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> --- drivers/misc/cxl/pci.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c index eef202d4399b..9b8628273b1b 100644 --- a/drivers/misc/cxl/pci.c +++ b/drivers/misc/cxl/pci.c @@ -1793,15 +1793,14 @@ static pci_ers_result_t cxl_pci_error_detected(struct pci_dev *pdev, /* If we're permanently dead, give up. */ if (state == pci_channel_io_perm_failure) { - /* Tell the AFU drivers; but we don't care what they - * say, we're going away. - */ for (i = 0; i < adapter->slices; i++) { afu = adapter->afu[i]; - /* Only participate in EEH if we are on a virtual PHB */ - if (afu->phb == NULL) - return PCI_ERS_RESULT_NONE; - cxl_vphb_error_detected(afu, state); + /* + * Tell the AFU drivers; but we don't care what they + * say, we're going away. + */ + if (afu->phb != NULL) + cxl_vphb_error_detected(afu, state); } return PCI_ERS_RESULT_DISCONNECT; } -- 2.11.0

7 years, 9 months

1
23
0 0

[Linux-stable-mirror] [PATCH] USB: chipidea: msm: fix ulpi-node lookup

by Johan Hovold

Fix child-node lookup during probe, which ended up searching the whole device tree depth-first starting at the parent rather than just matching on its children. Note that the original premature free of the parent node has already been fixed separately, but that fix was apparently never backported to stable. Fixes: 47654a162081 ("usb: chipidea: msm: Restore wrapper settings after reset") Fixes: b74c43156c0c ("usb: chipidea: msm: ci_hdrc_msm_probe() missing of_node_get()") Cc: stable <stable(a)vger.kernel.org> # 4.10: b74c43156c0c Cc: Stephen Boyd <stephen.boyd(a)linaro.org> Cc: Frank Rowand <frank.rowand(a)sony.com> Signed-off-by: Johan Hovold <johan(a)kernel.org> --- drivers/usb/chipidea/ci_hdrc_msm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/usb/chipidea/ci_hdrc_msm.c b/drivers/usb/chipidea/ci_hdrc_msm.c index 3593ce0ec641..880009987460 100644 --- a/drivers/usb/chipidea/ci_hdrc_msm.c +++ b/drivers/usb/chipidea/ci_hdrc_msm.c @@ -247,7 +247,7 @@ static int ci_hdrc_msm_probe(struct platform_device *pdev) if (ret) goto err_mux; - ulpi_node = of_find_node_by_name(of_node_get(pdev->dev.of_node), "ulpi"); + ulpi_node = of_get_child_by_name(pdev->dev.of_node, "ulpi"); if (ulpi_node) { phy_node = of_get_next_available_child(ulpi_node, NULL); ci->hsic = of_device_is_compatible(phy_node, "qcom,usb-hsic-phy"); -- 2.15.0

7 years, 9 months

2
3
0 0

[Linux-stable-mirror] + mm-oom_reaper-fix-memory-corruption.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm, oom_reaper: fix memory corruption has been added to the -mm tree. Its filename is mm-oom_reaper-fix-memory-corruption.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-oom_reaper-fix-memory-corruptio… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-oom_reaper-fix-memory-corruptio… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Michal Hocko <mhocko(a)suse.com> Subject: mm, oom_reaper: fix memory corruption David Rientjes has reported the following memory corruption while the oom reaper tries to unmap the victims address space BUG: Bad page map in process oom_reaper pte:6353826300000000 pmd:00000000 addr:00007f50cab1d000 vm_flags:08100073 anon_vma:ffff9eea335603f0 mapping: (null) index:7f50cab1d file: (null) fault: (null) mmap: (null) readpage: (null) CPU: 2 PID: 1001 Comm: oom_reaper Call Trace: [<ffffffffa4bd967d>] dump_stack+0x4d/0x70 [<ffffffffa4a03558>] unmap_page_range+0x1068/0x1130 [<ffffffffa4a2e07f>] __oom_reap_task_mm+0xd5/0x16b [<ffffffffa4a2e226>] oom_reaper+0xff/0x14c [<ffffffffa48d6ad1>] kthread+0xc1/0xe0 Tetsuo Handa has noticed that the synchronization inside exit_mmap is insufficient. We only synchronize with the oom reaper if tsk_is_oom_victim which is not true if the final __mmput is called from a different context than the oom victim exit path. This can trivially happen from context of any task which has grabbed mm reference (e.g. to read /proc/<pid>/ file which requires mm etc.). The race would look like this oom_reaper oom_victim task mmget_not_zero do_exit mmput __oom_reap_task_mm mmput __mmput exit_mmap remove_vma unmap_page_range Fix this issue by providing a new mm_is_oom_victim() helper which operates on the mm struct rather than a task. Any context which operates on a remote mm struct should use this helper in place of tsk_is_oom_victim. The flag is set in mark_oom_victim and never cleared so it is stable in the exit_mmap path. Debugged by Tetsuo Handa. Link: http://lkml.kernel.org/r/20171210095130.17110-1-mhocko@kernel.org Fixes: 212925802454 ("mm: oom: let oom_reap_task and exit_mmap run concurrently") Signed-off-by: Michal Hocko <mhocko(a)suse.com> Reported-by: David Rientjes <rientjes(a)google.com> Acked-by: David Rientjes <rientjes(a)google.com> Cc: Tetsuo Handa <penguin-kernel(a)I-love.SAKURA.ne.jp> Cc: Andrea Argangeli <andrea(a)kernel.org> Cc: <stable(a)vger.kernel.org> [4.14] Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- include/linux/oom.h | 9 +++++++++ include/linux/sched/coredump.h | 1 + mm/mmap.c | 10 +++++----- mm/oom_kill.c | 4 +++- 4 files changed, 18 insertions(+), 6 deletions(-) diff -puN include/linux/oom.h~mm-oom_reaper-fix-memory-corruption include/linux/oom.h --- a/include/linux/oom.h~mm-oom_reaper-fix-memory-corruption +++ a/include/linux/oom.h @@ -67,6 +67,15 @@ static inline bool tsk_is_oom_victim(str } /* + * Use this helper if tsk->mm != mm and the victim mm needs a special + * handling. This is guaranteed to stay true after once set. + */ +static inline bool mm_is_oom_victim(struct mm_struct *mm) +{ + return test_bit(MMF_OOM_VICTIM, &mm->flags); +} + +/* * Checks whether a page fault on the given mm is still reliable. * This is no longer true if the oom reaper started to reap the * address space which is reflected by MMF_UNSTABLE flag set in diff -puN include/linux/sched/coredump.h~mm-oom_reaper-fix-memory-corruption include/linux/sched/coredump.h --- a/include/linux/sched/coredump.h~mm-oom_reaper-fix-memory-corruption +++ a/include/linux/sched/coredump.h @@ -70,6 +70,7 @@ static inline int get_dumpable(struct mm #define MMF_UNSTABLE 22 /* mm is unstable for copy_from_user */ #define MMF_HUGE_ZERO_PAGE 23 /* mm has ever used the global huge zero page */ #define MMF_DISABLE_THP 24 /* disable THP for all VMAs */ +#define MMF_OOM_VICTIM 25 /* mm is the oom victim */ #define MMF_DISABLE_THP_MASK (1 << MMF_DISABLE_THP) #define MMF_INIT_MASK (MMF_DUMPABLE_MASK | MMF_DUMP_FILTER_MASK |\ diff -puN mm/mmap.c~mm-oom_reaper-fix-memory-corruption mm/mmap.c --- a/mm/mmap.c~mm-oom_reaper-fix-memory-corruption +++ a/mm/mmap.c @@ -3019,20 +3019,20 @@ void exit_mmap(struct mm_struct *mm) /* Use -1 here to ensure all VMAs in the mm are unmapped */ unmap_vmas(&tlb, vma, 0, -1); - set_bit(MMF_OOM_SKIP, &mm->flags); - if (unlikely(tsk_is_oom_victim(current))) { + if (unlikely(mm_is_oom_victim(mm))) { /* * Wait for oom_reap_task() to stop working on this * mm. Because MMF_OOM_SKIP is already set before * calling down_read(), oom_reap_task() will not run * on this "mm" post up_write(). * - * tsk_is_oom_victim() cannot be set from under us - * either because current->mm is already set to NULL + * mm_is_oom_victim() cannot be set from under us + * either because victim->mm is already set to NULL * under task_lock before calling mmput and oom_mm is - * set not NULL by the OOM killer only if current->mm + * set not NULL by the OOM killer only if victim->mm * is found not NULL while holding the task_lock. */ + set_bit(MMF_OOM_SKIP, &mm->flags); down_write(&mm->mmap_sem); up_write(&mm->mmap_sem); } diff -puN mm/oom_kill.c~mm-oom_reaper-fix-memory-corruption mm/oom_kill.c --- a/mm/oom_kill.c~mm-oom_reaper-fix-memory-corruption +++ a/mm/oom_kill.c @@ -683,8 +683,10 @@ static void mark_oom_victim(struct task_ return; /* oom_mm is bound to the signal struct life time. */ - if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm)) + if (!cmpxchg(&tsk->signal->oom_mm, NULL, mm)) { mmgrab(tsk->signal->oom_mm); + set_bit(MMF_OOM_VICTIM, &mm->flags); + } /* * Make sure that the task is woken up from uninterruptible sleep _ Patches currently in -mm which might be from mhocko(a)suse.com are mm-oom_reaper-fix-memory-corruption.patch mm-drop-hotplug-lock-from-lru_add_drain_all.patch mm-hugetlb-drop-hugepages_treat_as_movable-sysctl.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH] Fix handling of verdicts after NF_QUEUE

by Debabrata Banerjee

A verdict of NF_STOLEN after NF_QUEUE will cause an incorrect return value and a potential kernel panic via double free of skb's This was broken by commit 7034b566a4e7 ("netfilter: fix nf_queue handling") and subsequently fixed in v4.10 by commit c63cbc460419 ("netfilter: use switch() to handle verdict cases from nf_hook_slow()"). However that commit cannot be cleanly cherry-picked to v4.9 Signed-off-by: Debabrata Banerjee <dbanerje(a)akamai.com> --- This fix is only needed for v4.9 stable since v4.10+ does not have the issue --- net/netfilter/core.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 004af030ef1a..d869ea50623e 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -364,6 +364,11 @@ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) ret = nf_queue(skb, state, &entry, verdict); if (ret == 1 && entry) goto next_hook; + } else { + /* Implicit handling for NF_STOLEN, as well as any other + * non conventional verdicts. + */ + ret = 0; } return ret; } -- 2.15.1

7 years, 9 months

3
3
0 0

[Linux-stable-mirror] + kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: kernel: make groups_sort calling a responsibility group_info allocators has been added to the -mm tree. Its filename is kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/kernel-make-groups_sort-calling-a-… and later at http://ozlabs.org/~akpm/mmotm/broken-out/kernel-make-groups_sort-calling-a-… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Thiago Rafael Becker <thiago.becker(a)gmail.com> Subject: kernel: make groups_sort calling a responsibility group_info allocators In testing, we found that nfsd threads may call set_groups in parallel for the same entry cached in auth.unix.gid, racing in the call of groups_sort, corrupting the groups for that entry and leading to permission denials for the client. This patch: - Make groups_sort globally visible. - Move the call to groups_sort to the modifiers of group_info - Remove the call to groups_sort from set_groups Link: http://lkml.kernel.org/r/20171211151420.18655-1-thiago.becker@gmail.com Signed-off-by: Thiago Rafael Becker <thiago.becker(a)gmail.com> Reviewed-by: Matthew Wilcox <mawilcox(a)microsoft.com> Reviewed-by: NeilBrown <neilb(a)suse.com> Acked-by: "J. Bruce Fields" <bfields(a)fieldses.org> Cc: Al Viro <viro(a)zeniv.linux.org.uk> Cc: Martin Schwidefsky <schwidefsky(a)de.ibm.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- arch/s390/kernel/compat_linux.c | 1 + fs/nfsd/auth.c | 3 +++ include/linux/cred.h | 1 + kernel/groups.c | 5 +++-- kernel/uid16.c | 1 + net/sunrpc/auth_gss/gss_rpc_xdr.c | 1 + net/sunrpc/auth_gss/svcauth_gss.c | 1 + net/sunrpc/svcauth_unix.c | 2 ++ 8 files changed, 13 insertions(+), 2 deletions(-) diff -puN arch/s390/kernel/compat_linux.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators arch/s390/kernel/compat_linux.c --- a/arch/s390/kernel/compat_linux.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/arch/s390/kernel/compat_linux.c @@ -263,6 +263,7 @@ COMPAT_SYSCALL_DEFINE2(s390_setgroups16, return retval; } + groups_sort(group_info); retval = set_current_groups(group_info); put_group_info(group_info); diff -puN fs/nfsd/auth.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators fs/nfsd/auth.c --- a/fs/nfsd/auth.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/fs/nfsd/auth.c @@ -60,6 +60,9 @@ int nfsd_setuser(struct svc_rqst *rqstp, gi->gid[i] = exp->ex_anon_gid; else gi->gid[i] = rqgi->gid[i]; + + /* Each thread allocates its own gi, no race */ + groups_sort(gi); } } else { gi = get_group_info(rqgi); diff -puN include/linux/cred.h~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators include/linux/cred.h --- a/include/linux/cred.h~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/include/linux/cred.h @@ -83,6 +83,7 @@ extern int set_current_groups(struct gro extern void set_groups(struct cred *, struct group_info *); extern int groups_search(const struct group_info *, kgid_t); extern bool may_setgroups(void); +extern void groups_sort(struct group_info *); /* * The security context of a task diff -puN kernel/groups.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators kernel/groups.c --- a/kernel/groups.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/kernel/groups.c @@ -86,11 +86,12 @@ static int gid_cmp(const void *_a, const return gid_gt(a, b) - gid_lt(a, b); } -static void groups_sort(struct group_info *group_info) +void groups_sort(struct group_info *group_info) { sort(group_info->gid, group_info->ngroups, sizeof(*group_info->gid), gid_cmp, NULL); } +EXPORT_SYMBOL(groups_sort); /* a simple bsearch */ int groups_search(const struct group_info *group_info, kgid_t grp) @@ -122,7 +123,6 @@ int groups_search(const struct group_inf void set_groups(struct cred *new, struct group_info *group_info) { put_group_info(new->group_info); - groups_sort(group_info); get_group_info(group_info); new->group_info = group_info; } @@ -206,6 +206,7 @@ SYSCALL_DEFINE2(setgroups, int, gidsetsi return retval; } + groups_sort(group_info); retval = set_current_groups(group_info); put_group_info(group_info); diff -puN kernel/uid16.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators kernel/uid16.c --- a/kernel/uid16.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/kernel/uid16.c @@ -192,6 +192,7 @@ SYSCALL_DEFINE2(setgroups16, int, gidset return retval; } + groups_sort(group_info); retval = set_current_groups(group_info); put_group_info(group_info); diff -puN net/sunrpc/auth_gss/gss_rpc_xdr.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators net/sunrpc/auth_gss/gss_rpc_xdr.c --- a/net/sunrpc/auth_gss/gss_rpc_xdr.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/net/sunrpc/auth_gss/gss_rpc_xdr.c @@ -231,6 +231,7 @@ static int gssx_dec_linux_creds(struct x goto out_free_groups; creds->cr_group_info->gid[i] = kgid; } + groups_sort(creds->cr_group_info); return 0; out_free_groups: diff -puN net/sunrpc/auth_gss/svcauth_gss.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators net/sunrpc/auth_gss/svcauth_gss.c --- a/net/sunrpc/auth_gss/svcauth_gss.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/net/sunrpc/auth_gss/svcauth_gss.c @@ -481,6 +481,7 @@ static int rsc_parse(struct cache_detail goto out; rsci.cred.cr_group_info->gid[i] = kgid; } + groups_sort(rsci.cred.cr_group_info); /* mech name */ len = qword_get(&mesg, buf, mlen); diff -puN net/sunrpc/svcauth_unix.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators net/sunrpc/svcauth_unix.c --- a/net/sunrpc/svcauth_unix.c~kernel-make-groups_sort-calling-a-responsibility-group_info-allocators +++ a/net/sunrpc/svcauth_unix.c @@ -520,6 +520,7 @@ static int unix_gid_parse(struct cache_d ug.gi->gid[i] = kgid; } + groups_sort(ug.gi); ugp = unix_gid_lookup(cd, uid); if (ugp) { struct cache_head *ch; @@ -819,6 +820,7 @@ svcauth_unix_accept(struct svc_rqst *rqs kgid_t kgid = make_kgid(&init_user_ns, svc_getnl(argv)); cred->cr_group_info->gid[i] = kgid; } + groups_sort(cred->cr_group_info); if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { *authp = rpc_autherr_badverf; return SVC_DENIED; _ Patches currently in -mm which might be from thiago.becker(a)gmail.com are kernel-make-groups_sort-calling-a-responsibility-group_info-allocators.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [REGRESSION][4.13.y][4.14.y][v4.15.y] net: reduce skb_warn_bad_offload() noise

by Joseph Salisbury

Hi Eric, A kernel bug report was opened against Ubuntu [0]. It was found that reverting the following commit resolved this bug: commit b2504a5dbef3305ef41988ad270b0e8ec289331c Author: Eric Dumazet <edumazet(a)google.com> Date: Tue Jan 31 10:20:32 2017 -0800 net: reduce skb_warn_bad_offload() noise The regression was introduced as of v4.11-rc1 and still exists in current mainline. I was hoping to get your feedback, since you are the patch author. Do you think gathering any additional data will help diagnose this issue, or would it be best to submit a revert request? This commit did in fact resolve another bug[1], but in the process introduced this regression. Thanks, Joe [0] http://pad.lv/1715609 [1] http://pad.lv/1705447

7 years, 9 months

5
6
0 0

[Linux-stable-mirror] [PATCH v2 0/6] MIPS: NT_PRFPREG regset handling fixes

by Maciej W. Rozycki

Hi, This series corrects a number of issues with NT_PRFPREG regset, most importantly an FCSR access API regression introduced with the addition of MSA support, and then a few smaller issues with the get/set handlers. I have decided to factor out non-MSA and MSA context helpers as the first step to avoid the issue with excessive indentation that would inevitably happen if the regression fix was applied to current code as it stands. It shouldn't be a big deal with backporting as this code hasn't changed much since the regression, and it will make any future bacports easier. Only a call to `init_fp_ctx' will have to be trivially resolved (though arguably commit ac9ad83bc318 ("MIPS: prevent FP context set via ptrace being discarded"), which has added `init_fp_ctx', would be good to backport as far as possible instead). These changes have been verified by examining the register state recorded in core dumps manually with GDB, as well as by running the GDB test suite. No user of ptrace(2) PTRACE_GETREGSET and PTRACE_SETREGSET requests is known for the MIPS port, so this part remains not covered, however it is assumed to remain consistent with how the creation of core file works. See individual patch descriptions for further details, and for changes made since v1 to address concerns raised in the review. Maciej

7 years, 9 months

2
7
0 0

Re: [Linux-stable-mirror] [PATCH v3 1/2] usb: dwc2: host: Don't retry NAKed transactions right away

by Doug Anderson

Hi, On Tue, Dec 12, 2017 at 3:06 AM, Felipe Balbi <balbi(a)kernel.org> wrote: > > Hi, > > Douglas Anderson <dianders(a)chromium.org> writes: >> On rk3288-veyron devices on Chrome OS it was found that plugging in an >> Arduino-based USB device could cause the system to lockup, especially >> if the CPU Frequency was at one of the slower operating points (like >> 100 MHz / 200 MHz). >> >> Upon tracing, I found that the following was happening: >> * The USB device (full speed) was connected to a high speed hub and >> then to the rk3288. Thus, we were dealing with split transactions, >> which is all handled in software on dwc2. >> * Userspace was initiating a BULK IN transfer >> * When we sent the SSPLIT (to start the split transaction), we got an >> ACK. Good. Then we issued the CSPLIT. >> * When we sent the CSPLIT, we got back a NAK. We immediately (from >> the interrupt handler) started to retry and sent another SSPLIT. >> * The device kept NAKing our CSPLIT, so we kept ping-ponging between >> sending a SSPLIT and a CSPLIT, each time sending from the interrupt >> handler. >> * The handling of the interrupts was (because of the low CPU speed and >> the inefficiency of the dwc2 interrupt handler) was actually taking >> _longer_ than it took the other side to send the ACK/NAK. Thus we >> were _always_ in the USB interrupt routine. >> * The fact that USB interrupts were always going off was preventing >> other things from happening in the system. This included preventing >> the system from being able to transition to a higher CPU frequency. >> >> As I understand it, there is no requirement to retry super quickly >> after a NAK, we just have to retry sometime in the future. Thus one >> solution to the above is to just add a delay between getting a NAK and >> retrying the transmission. If this delay is sufficiently long to get >> out of the interrupt routine then the rest of the system will be able >> to make forward progress. Even a 25 us delay would probably be >> enough, but we'll be extra conservative and try to delay 1 ms (the >> exact amount depends on HZ and the accuracy of the jiffy and how close >> the current jiffy is to ticking, but could be as much as 20 ms or as >> little as 1 ms). >> >> Presumably adding a delay like this could impact the USB throughput, >> so we only add the delay with repeated NAKs. >> >> NOTE: Upon further testing of a pl2303 serial adapter, I found that >> this fix may help with problems there. Specifically I found that the >> pl2303 serial adapters tend to respond with a NAK when they have >> nothing to say and thus we end with this same sequence. >> >> Signed-off-by: Douglas Anderson <dianders(a)chromium.org> >> Cc: stable(a)vger.kernel.org >> Reviewed-by: Julius Werner <jwerner(a)chromium.org> >> Tested-by: Stefan Wahren <stefan.wahren(a)i2se.com> > > This seems too big for -rc or -stable inclusion. I've removed the stable tag at your request. I originally added it at your request in response to v2 of this patch. I'd agree that it's a pretty big patch and therefore "risky" to pick back to stable. ...but it does fix a bug reported by several people on the mailing lists, so I'll leave it to your discretion. Previously in relation to the stable tag, I had mentioned: It's a little weird since it doesn't "fix" any specific commit, so I guess it will be up to stable folks to decide how far to go back. The dwc2 devices I work with are actually on 3.14, but we have some pretty massive backports related to dwc2 there... > In any case, this > doesn't apply to my testing/next branch. Care to rebase and collect acks > you received while doing that? Sure, no problem. I've posted v4 with John Youn's Ack. The reason v3 didn't apply is that you've now got commit e99e88a9d2b0 ("treewide: setup_timer() -> timer_setup()"). Originally my plan was to beat that patch into the kernel and then I'd do the timer conversion myself. That was patch #2 in the v3 series, AKA <https://patchwork.kernel.org/patch/10032935/>. ...but since I failed to beat Kees' patch in, I've now squashed patches #1 and #2 together and resolved the trivial conflict. If anyone were thinking of trying to backport this patch to older kernels (where they presumably don't have Kees's timer patch) they can always use the v3 patch posted here as a reference for how to make things work. ;) -Doug

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH PTI v3 01/10] x86/espfix/64: Fix espfix double-fault handling on 5-level systems

by Andy Lutomirski

Using PGDIR_SHIFT to identify espfix64 addresses on 5-level systems was wrong, and it resulted in panics due to unhandled double faults. Use P4D_SHIFT instead, which is correct on 4-level and 5-level machines. This fixes a panic when running x86 selftests on 5-level machines. Fixes: 1d33b219563f ("x86/espfix: Add support for 5-level paging") Cc: stable(a)vger.kernel.org Cc: "Kirill A. Shutemov" <kirill(a)shutemov.name> Cc: Dave Hansen <dave.hansen(a)intel.com> Signed-off-by: Andy Lutomirski <luto(a)kernel.org> --- arch/x86/kernel/traps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c index 74136fd16f49..c4e5b0a7516f 100644 --- a/arch/x86/kernel/traps.c +++ b/arch/x86/kernel/traps.c @@ -360,7 +360,7 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code) * * No need for ist_enter here because we don't use RCU. */ - if (((long)regs->sp >> PGDIR_SHIFT) == ESPFIX_PGD_ENTRY && + if (((long)regs->sp >> P4D_SHIFT) == ESPFIX_PGD_ENTRY && regs->cs == __KERNEL_CS && regs->ip == (unsigned long)native_irq_return_iret) { -- 2.13.6

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] [PATCH v3.18 backport] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> Commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 39-bit addresses (instead of 40-bit) and also insufficiently checking the alignment. This patch fixes it. This patch is the 32bit pendent of Kristina's arm64 fix, and she deserves the actual kudos for pinpointing that one. Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation") Cc: <stable(a)vger.kernel.org> # 3.9 Reported-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm/include/asm/kvm_arm.h b/arch/arm/include/asm/kvm_arm.h index 816db0bf2dd8..46b336df4ec1 100644 --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -161,8 +161,7 @@ #else #define VTTBR_X (5 - KVM_T0SZ) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (48LLU) #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH v4.4 backport] arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> Commit 5553b142be11e794ebc0805950b2e8313f93d718 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 39-bit addresses (instead of 40-bit) and also insufficiently checking the alignment. This patch fixes it. This patch is the 32bit pendent of Kristina's arm64 fix, and she deserves the actual kudos for pinpointing that one. Fixes: f7ed45be3ba52 ("KVM: ARM: World-switch implementation") Cc: <stable(a)vger.kernel.org> # 3.9 Reported-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm/include/asm/kvm_arm.h b/arch/arm/include/asm/kvm_arm.h index dc641ddf0784..0f2720713492 100644 --- a/arch/arm/include/asm/kvm_arm.h +++ b/arch/arm/include/asm/kvm_arm.h @@ -161,8 +161,7 @@ #else #define VTTBR_X (5 - KVM_T0SZ) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((1LLU << (40 - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (48LLU) #define VTTBR_VMID_MASK (0xffLLU << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [PATCH v3.18 backport] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Kristina Martsenko <kristina.martsenko(a)arm.com> Commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 47-bit addresses (instead of 48-bit) and also insufficiently checking the alignment. This patch fixes it. As an example, with 4k pages, before this patch we have: PHYS_MASK_SHIFT = 48 VTTBR_X = 37 - 24 = 13 VTTBR_BADDR_SHIFT = 13 - 1 = 12 VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000 Which is wrong, because the mask doesn't allow bit 47 of the VTTBR address to be set, and only requires the address to be 12-bit (4k) aligned, while it actually needs to be 13-bit (8k) aligned because we concatenate two 4k tables. With this patch, the mask becomes 0x0000ffffffffe000, which is what we want. Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions") Cc: <stable(a)vger.kernel.org> # 3.11.x Reviewed-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm64/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index 8afb863f5a9e..333ddd45dd1f 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -160,8 +160,7 @@ #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (UL(48)) #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 9 months

1
1
0 0

[Linux-stable-mirror] [PATCH v4.9 backport] KVM: arm/arm64: vgic-its: Preserve the revious read from the pending table

by Christoffer Dall

From: Marc Zyngier <marc.zyngier(a)arm.com> Commit 64afe6e9eb4841f35317da4393de21a047a883b3 upstream. The current pending table parsing code assumes that we keep the previous read of the pending bits, but keep that variable in the current block, making sure it is discarded on each loop. We end-up using whatever is on the stack. Who knows, it might just be the right thing... Fixes: 33d3bc9556a7d ("KVM: arm64: vgic-its: Read initial LPI pending table") Cc: <stable(a)vger.kernel.org> # 4.8 Reported-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- virt/kvm/arm/vgic/vgic-its.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/virt/kvm/arm/vgic/vgic-its.c b/virt/kvm/arm/vgic/vgic-its.c index 4660a7d04eea..bbd4a988e8c1 100644 --- a/virt/kvm/arm/vgic/vgic-its.c +++ b/virt/kvm/arm/vgic/vgic-its.c @@ -322,6 +322,7 @@ static int its_sync_lpi_pending_table(struct kvm_vcpu *vcpu) int ret = 0; u32 *intids; int nr_irqs, i; + u8 pendmask; nr_irqs = vgic_copy_lpi_list(vcpu->kvm, &intids); if (nr_irqs < 0) @@ -329,7 +330,6 @@ static int its_sync_lpi_pending_table(struct kvm_vcpu *vcpu) for (i = 0; i < nr_irqs; i++) { int byte_offset, bit_nr; - u8 pendmask; byte_offset = intids[i] / BITS_PER_BYTE; bit_nr = intids[i] % BITS_PER_BYTE; -- 2.14.2

7 years, 9 months

1
2
0 0

[Linux-stable-mirror] [PATCH v4.4 backport] arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one

by Christoffer Dall

From: Kristina Martsenko <kristina.martsenko(a)arm.com> Commit 26aa7b3b1c0fb3f1a6176a0c1847204ef4355693 upstream. VTTBR_BADDR_MASK is used to sanity check the size and alignment of the VTTBR address. It seems to currently be off by one, thereby only allowing up to 47-bit addresses (instead of 48-bit) and also insufficiently checking the alignment. This patch fixes it. As an example, with 4k pages, before this patch we have: PHYS_MASK_SHIFT = 48 VTTBR_X = 37 - 24 = 13 VTTBR_BADDR_SHIFT = 13 - 1 = 12 VTTBR_BADDR_MASK = ((1 << 35) - 1) << 12 = 0x00007ffffffff000 Which is wrong, because the mask doesn't allow bit 47 of the VTTBR address to be set, and only requires the address to be 12-bit (4k) aligned, while it actually needs to be 13-bit (8k) aligned because we concatenate two 4k tables. With this patch, the mask becomes 0x0000ffffffffe000, which is what we want. Fixes: 0369f6a34b9f ("arm64: KVM: EL2 register definitions") Cc: <stable(a)vger.kernel.org> # 3.11.x Reviewed-by: Suzuki K Poulose <suzuki.poulose(a)arm.com> Reviewed-by: Christoffer Dall <christoffer.dall(a)linaro.org> Signed-off-by: Kristina Martsenko <kristina.martsenko(a)arm.com> Signed-off-by: Marc Zyngier <marc.zyngier(a)arm.com> Signed-off-by: Christoffer Dall <christoffer.dall(a)linaro.org> --- arch/arm64/include/asm/kvm_arm.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/arch/arm64/include/asm/kvm_arm.h b/arch/arm64/include/asm/kvm_arm.h index 2d960f8588b0..ef8e13d379cb 100644 --- a/arch/arm64/include/asm/kvm_arm.h +++ b/arch/arm64/include/asm/kvm_arm.h @@ -164,8 +164,7 @@ #define VTTBR_X (37 - VTCR_EL2_T0SZ_40B) #endif -#define VTTBR_BADDR_SHIFT (VTTBR_X - 1) -#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_BADDR_SHIFT) +#define VTTBR_BADDR_MASK (((UL(1) << (PHYS_MASK_SHIFT - VTTBR_X)) - 1) << VTTBR_X) #define VTTBR_VMID_SHIFT (UL(48)) #define VTTBR_VMID_MASK (UL(0xFF) << VTTBR_VMID_SHIFT) -- 2.14.2

7 years, 9 months

2
2
0 0

[Linux-stable-mirror] [PATCH] usb: add RESET_RESUME for ELSA MicroLink 56K

by Oliver Neukum

This modem needs this quirk to operate. It produces timeouts when resumed without reset. Signed-off-by: Oliver Neukum <oneukum(a)suse.com> CC: stable(a)vger.kernel.org --- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c index f1dbab6f798f..360ae28ab83e 100644 --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -146,6 +146,9 @@ static const struct usb_device_id usb_quirk_list[] = { /* appletouch */ { USB_DEVICE(0x05ac, 0x021a), .driver_info = USB_QUIRK_RESET_RESUME }, + /* ELSA MicroLink 56K */ + { USB_DEVICE(0x05cc, 0x2267), .driver_info = USB_QUIRK_RESET_RESUME }, + /* Genesys Logic hub, internally used by Moshi USB to Ethernet Adapter */ { USB_DEVICE(0x05e3, 0x0616), .driver_info = USB_QUIRK_NO_LPM }, -- 2.13.6

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] [GIT PULL] commits for Linux 4.4

by alexander.levin＠verizon.com

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Hi Greg, Pleae pull commits for Linux 4.4 . I've sent a review request for all commits over a week ago and all comments were addressed. Thanks, Sasha ===== The following changes since commit 69b0bf95a51eb4b0890b3979531aed932cf51d7f: Linux 4.4.105 (2017-12-09 18:42:44 +0100) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/sashal/linux-stable.git tags/for-greg-4.4-11122017 for you to fetch changes up to 85d60a17903274c04a99ef7387f43aa7e9f751ee: audit: ensure that 'audit=1' actually enables audit for PID 1 (2017-12-11 19:34:48 -0500) - ---------------------------------------------------------------- for-greg-4.4-11122017 - ---------------------------------------------------------------- Alexey Kardashevskiy (1): powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested Arvind Yadav (1): atm: horizon: Fix irq release error Ben Hutchings (1): mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl() Blomme, Maarten (1): spi_ks8995: fix "BUG: key accdaa28 not in .data!" Chris Brandt (1): i2c: riic: fix restart condition Christophe JAILLET (1): USB: gadgetfs: Fix a potential memory leak in 'dev_config()' Chuck Lever (1): sunrpc: Fix rpc_task_begin trace point Daniel Drake (1): HID: chicony: Add support for another ASUS Zen AiO keyboard David Daney (1): module: set __jump_table alignment to 8 David Howells (1): afs: Connect up the CB.ProbeUuid Florian Westphal (1): netfilter: don't track fragmented packets Franck Demathieu (1): irqchip/crossbar: Fix incorrect type of register size Guenter Roeck (2): ARM: OMAP2+: Fix device node reference counts ARM: OMAP2+: Release device node after it is no longer needed. Herbert Xu (1): xfrm: Copy policy family in clone_policy James Smart (1): scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters Jan Kara (1): axonram: Fix gendisk handling Jason Baron (1): jump_label: Invoke jump_label_test() via early_initcall() Jim Mattson (1): kvm: nVMX: VMCLEAR should not cause the vCPU to shut down Jim Qu (1): drm/amd/amdgpu: fix console deadlock if late init failed Johannes Thumshirn (1): zram: set physical queue limits to avoid array out of bounds accesses John Keeping (1): usb: gadget: configs: plug memory leak JÃ©rÃ©my Lefaure (2): EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro EDAC, i5000, i5400: Fix definition of NRECMEMB register Keefe Liu (1): ipvlan: fix ipv6 outbound device Krzysztof Kozlowski (1): crypto: s5p-sss - Fix completing crypto request in IRQ handler Ladislav Michl (1): ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure Majd Dibbiny (1): IB/mlx5: Assign send CQ and recv CQ of UMR QP Mark Bloch (1): IB/mlx4: Increase maximal message size under UD QP Mark Rutland (2): arm: KVM: Survive unknown traps from guests arm64: KVM: Survive unknown traps from guests Masahiro Yamada (1): kbuild: pkg: use --transform option to prefix paths in tar Michal Schmidt (3): bnx2x: prevent crash when accessing PTP with interface down bnx2x: fix possible overrun of VFPF multicast addresses array bnx2x: do not rollback VF MAC/VLAN filters we did not configure Ming Lei (1): block: wake up all tasks blocked in get_request() Paul Moore (1): audit: ensure that 'audit=1' actually enables audit for PID 1 Pavel Tatashin (1): sparc64/mm: set fields in deferred pages Phil Reid (1): gpio: altera: Use handle_level_irq when configured as a level_high Randy Dunlap (1): dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0 Sachin Sant (1): selftest/powerpc: Fix false failures for skipped tests Sasha Levin (3): Revert "drm/armada: Fix compile fail" Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA" Revert "s390/kbuild: enable modversions for symbols exported from asm" Steffen Klassert (1): vti6: Don't report path MTU below IPV6_MIN_MTU. Stephen Bates (1): lib/genalloc.c: make the avail variable an atomic_long_t Tejun Heo (2): libata: drop WARN from protocol error in ata_sff_qc_issue() workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq Thomas Gleixner (1): x86/hpet: Prevent might sleep splat on resume Trond Myklebust (1): NFS: Fix a typo in nfs_rename() WANG Cong (1): ipv6: reorder icmpv6_init() and ip6_mr_init() Wanpeng Li (1): KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset Xin Long (4): route: also update fnhe_genid when updating a route cache route: update fnhe_expires for redirect when the fnhe exists sctp: do not free asoc when it is already dead in sctp_sendmsg sctp: use the right sk after waking up from wait_buf sleep arch/arm/include/asm/kvm_arm.h | 1 + arch/arm/kvm/handle_exit.c | 19 +++++++----- arch/arm/mach-omap2/gpmc-onenand.c | 10 +++--- arch/arm/mach-omap2/omap_hwmod_3xxx_data.c | 25 ++++++++++----- arch/arm64/kvm/handle_exit.c | 19 +++++++----- arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++ arch/powerpc/sysdev/axonram.c | 5 ++- arch/s390/include/asm/asm-prototypes.h | 8 ----- arch/sparc/mm/init_64.c | 9 +++++- arch/x86/kernel/hpet.c | 2 +- arch/x86/kvm/vmx.c | 26 +++++----------- block/blk-core.c | 4 +-- drivers/ata/libata-sff.c | 1 - drivers/atm/horizon.c | 2 +- drivers/block/zram/zram_drv.c | 2 ++ drivers/crypto/s5p-sss.c | 5 +-- drivers/edac/i5000_edac.c | 8 ++--- drivers/edac/i5400_edac.c | 9 +++--- drivers/gpio/gpio-altera.c | 26 +++++++--------- drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 5 ++- drivers/gpu/drm/armada/Makefile | 2 -- drivers/hid/Kconfig | 4 +-- drivers/hid/hid-chicony.c | 1 + drivers/hid/hid-core.c | 1 + drivers/hid/hid-ids.h | 1 + drivers/i2c/busses/i2c-riic.c | 6 +++- drivers/infiniband/hw/mlx4/qp.c | 2 +- drivers/infiniband/hw/mlx5/main.c | 2 ++ drivers/irqchip/irq-crossbar.c | 8 ++--- drivers/memory/omap-gpmc.c | 4 +-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 20 +++++++++++- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 8 ++++- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 + drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c | 23 +++++++------- drivers/net/ipvlan/ipvlan_core.c | 2 +- drivers/net/phy/spi_ks8995.c | 1 + drivers/net/wireless/mac80211_hwsim.c | 5 ++- drivers/scsi/lpfc/lpfc_els.c | 14 ++++++--- drivers/spi/Kconfig | 1 - drivers/usb/gadget/configfs.c | 1 + drivers/usb/gadget/legacy/inode.c | 4 ++- fs/afs/cmservice.c | 3 ++ fs/nfs/dir.c | 2 +- include/linux/genalloc.h | 3 +- include/linux/omap-gpmc.h | 5 +-- kernel/audit.c | 10 +++--- kernel/jump_label.c | 2 +- kernel/workqueue.c | 1 + lib/dynamic_debug.c | 4 +++ lib/genalloc.c | 10 +++--- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 +++ net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 5 --- net/ipv4/route.c | 14 ++++++--- net/ipv6/af_inet6.c | 10 +++--- net/ipv6/ip6_vti.c | 8 +++-- net/sctp/socket.c | 38 +++++++++++++++-------- net/sunrpc/sched.c | 3 +- net/xfrm/xfrm_policy.c | 1 + scripts/module-common.lds | 2 ++ scripts/package/Makefile | 5 ++- tools/testing/selftests/powerpc/harness.c | 6 ++-- 61 files changed, 263 insertions(+), 173 deletions(-) delete mode 100644 arch/s390/include/asm/asm-prototypes.h -----BEGIN PGP SIGNATURE----- iQIcBAEBCAAGBQJaLyneAAoJEN6mb/eXdyzcozsP/RWAsb1T3wV6ZCqlgGfWzKQH A68FoInZJb9gLpXziggxIBjHZeFhKrv86xBhq8hJXEWt8MHA4X3JBaWovK2Nt/NA +h2ncFvJC7QUmXSMnisonCzYuzs7RNll9bdUmZxIVfTE7d4JjjPjM7he/uIkwdub gc5f8vVJsg6XROUTuIpj1I+hbGshICj+4LtfRFoBe3EJKa7vnjy+RwMJMmfMVnNr cNo84Z5FqIpYBT2prM3+blTWv9EgSZKJVfWlV2mJFMzLgwhoUsZvbZmmDU/uRi50 CsIaYsIJhdyTRrUV59UAQVbEdlZ21FhVGoCd8La64k+boxDUfel81N11EH8CFLm8 g4i1u11k+f8TPc1JRRRDPbKMSGaev7yhMTJjsJ9z/Hu691ICl8CC3fIWZtP8Z6nH HsBmHJmSAGSdDf6Eau1G232lGhx6pVdZ0MFqWYhqu3XgT6T09ylzGyVEk6m9mwoK DonRnJ8L/TCB4cQDSSqSmJRBsLorlQht50uyRcyth/rkdW8OegymY98kPnyCkMm+ skHERh4ufUaQbpEBW5uH1xB05T/zCSonzXxldaC5DCrEs/ZxCwdib3U/fyu6hMKC m2y8KZ5P0OZ00wUhHePQuSY1mS7WpoAvpsTjp0mMf67ZH42xxBrOL59cRyJeTJdE QeW4v6fKJF2RMYKk58xI =bY4h -----END PGP SIGNATURE-----

7 years, 9 months

2
1
0 0

[Linux-stable-mirror] Patch "zram: set physical queue limits to avoid array out of bounds accesses" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled zram: set physical queue limits to avoid array out of bounds accesses to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Johannes Thumshirn <jthumshirn(a)suse.de> Date: Mon, 6 Mar 2017 11:23:35 +0100 Subject: zram: set physical queue limits to avoid array out of bounds accesses From: Johannes Thumshirn <jthumshirn(a)suse.de> [ Upstream commit 0bc315381fe9ed9fb91db8b0e82171b645ac008f ] zram can handle at most SECTORS_PER_PAGE sectors in a bio's bvec. When using the NVMe over Fabrics loopback target which potentially sends a huge bulk of pages attached to the bio's bvec this results in a kernel panic because of array out of bounds accesses in zram_decompress_page(). Signed-off-by: Johannes Thumshirn <jthumshirn(a)suse.de> Reviewed-by: Hannes Reinecke <hare(a)suse.com> Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Signed-off-by: Jens Axboe <axboe(a)fb.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/block/zram/zram_drv.c | 2 ++ 1 file changed, 2 insertions(+) --- a/drivers/block/zram/zram_drv.c +++ b/drivers/block/zram/zram_drv.c @@ -1247,6 +1247,8 @@ static int zram_add(void) blk_queue_io_min(zram->disk->queue, PAGE_SIZE); blk_queue_io_opt(zram->disk->queue, PAGE_SIZE); zram->disk->queue->limits.discard_granularity = PAGE_SIZE; + zram->disk->queue->limits.max_sectors = SECTORS_PER_PAGE; + zram->disk->queue->limits.chunk_sectors = 0; blk_queue_max_discard_sectors(zram->disk->queue, UINT_MAX); /* * zram_bio_discard() will clear all logical blocks if logical block Patches currently in stable-queue which might be from jthumshirn(a)suse.de are queue-4.4/zram-set-physical-queue-limits-to-avoid-array-out-of-bounds-accesses.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "xfrm: Copy policy family in clone_policy" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled xfrm: Copy policy family in clone_policy to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: xfrm-copy-policy-family-in-clone_policy.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Herbert Xu <herbert(a)gondor.apana.org.au> Date: Fri, 10 Nov 2017 14:14:06 +1100 Subject: xfrm: Copy policy family in clone_policy From: Herbert Xu <herbert(a)gondor.apana.org.au> [ Upstream commit 0e74aa1d79a5bbc663e03a2804399cae418a0321 ] The syzbot found an ancient bug in the IPsec code. When we cloned a socket policy (for example, for a child TCP socket derived from a listening socket), we did not copy the family field. This results in a live policy with a zero family field. This triggers a BUG_ON check in the af_key code when the cloned policy is retrieved. This patch fixes it by copying the family field over. Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Herbert Xu <herbert(a)gondor.apana.org.au> Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/xfrm/xfrm_policy.c | 1 + 1 file changed, 1 insertion(+) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1361,6 +1361,7 @@ static struct xfrm_policy *clone_policy( newp->xfrm_nr = old->xfrm_nr; newp->index = old->index; newp->type = old->type; + newp->family = old->family; memcpy(newp->xfrm_vec, old->xfrm_vec, newp->xfrm_nr*sizeof(struct xfrm_tmpl)); write_lock_bh(&net->xfrm.xfrm_policy_lock); Patches currently in stable-queue which might be from herbert(a)gondor.apana.org.au are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/crypto-s5p-sss-fix-completing-crypto-request-in-irq-handler.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "x86/hpet: Prevent might sleep splat on resume" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled x86/hpet: Prevent might sleep splat on resume to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: x86-hpet-prevent-might-sleep-splat-on-resume.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Thomas Gleixner <tglx(a)linutronix.de> Date: Wed, 1 Mar 2017 21:10:17 +0100 Subject: x86/hpet: Prevent might sleep splat on resume From: Thomas Gleixner <tglx(a)linutronix.de> [ Upstream commit bb1a2c26165640ba2cbcfe06c81e9f9d6db4e643 ] Sergey reported a might sleep warning triggered from the hpet resume path. It's caused by the call to disable_irq() from interrupt disabled context. The problem with the low level resume code is that it is not accounted as a special system_state like we do during the boot process. Calling the same code during system boot would not trigger the warning. That's inconsistent at best. In this particular case it's trivial to replace the disable_irq() with disable_hardirq() because this particular code path is solely used from system resume and the involved hpet interrupts can never be force threaded. Reported-and-tested-by: Sergey Senozhatsky <sergey.senozhatsky.work(a)gmail.com> Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Cc: Peter Zijlstra <peterz(a)infradead.org> Cc: "Rafael J. Wysocki" <rjw(a)sisk.pl> Cc: Sergey Senozhatsky <sergey.senozhatsky(a)gmail.com> Cc: Borislav Petkov <bp(a)alien8.de> Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1703012108460.3684@nanos Signed-off-by: Thomas Gleixner <tglx(a)linutronix.de> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- arch/x86/kernel/hpet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/kernel/hpet.c +++ b/arch/x86/kernel/hpet.c @@ -353,7 +353,7 @@ static int hpet_resume(struct clock_even irq_domain_deactivate_irq(irq_get_irq_data(hdev->irq)); irq_domain_activate_irq(irq_get_irq_data(hdev->irq)); - disable_irq(hdev->irq); + disable_hardirq(hdev->irq); irq_set_affinity(hdev->irq, cpumask_of(hdev->cpu)); enable_irq(hdev->irq); } Patches currently in stable-queue which might be from tglx(a)linutronix.de are queue-4.4/efi-esrt-use-memunmap-instead-of-kfree-to-free-the-remapping.patch queue-4.4/x86-hpet-prevent-might-sleep-splat-on-resume.patch queue-4.4/efi-move-some-sysfs-files-to-be-read-only-by-root.patch queue-4.4/sparc64-mm-set-fields-in-deferred-pages.patch queue-4.4/jump_label-invoke-jump_label_test-via-early_initcall.patch queue-4.4/x86-pci-make-broadcom_postcore_init-check-acpi_disabled.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq" has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Tejun Heo <tj(a)kernel.org> Date: Mon, 6 Mar 2017 15:33:42 -0500 Subject: workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq From: Tejun Heo <tj(a)kernel.org> [ Upstream commit 637fdbae60d6cb9f6e963c1079d7e0445c86ff7d ] If queue_delayed_work() gets called with NULL @wq, the kernel will oops asynchronuosly on timer expiration which isn't too helpful in tracking down the offender. This actually happened with smc. __queue_delayed_work() already does several input sanity checks synchronously. Add NULL @wq check. Reported-by: Dave Jones <davej(a)codemonkey.org.uk> Link: http://lkml.kernel.org/r/20170227171439.jshx3qplflyrgcv7@codemonkey.org.uk Signed-off-by: Tejun Heo <tj(a)kernel.org> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- kernel/workqueue.c | 1 + 1 file changed, 1 insertion(+) --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -1479,6 +1479,7 @@ static void __queue_delayed_work(int cpu struct timer_list *timer = &dwork->timer; struct work_struct *work = &dwork->work; + WARN_ON_ONCE(!wq); WARN_ON_ONCE(timer->function != delayed_work_timer_fn || timer->data != (unsigned long)dwork); WARN_ON_ONCE(timer_pending(timer)); Patches currently in stable-queue which might be from tj(a)kernel.org are queue-4.4/libata-drop-warn-from-protocol-error-in-ata_sff_qc_issue.patch queue-4.4/workqueue-trigger-warn-if-queue_delayed_work-is-called-with-null-wq.patch

7 years, 9 months

1
0
0 0

[Linux-stable-mirror] Patch "vti6: Don't report path MTU below IPV6_MIN_MTU." has been added to the 4.4-stable tree

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled vti6: Don't report path MTU below IPV6_MIN_MTU. to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum… The filename of the patch is: vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable(a)vger.kernel.org> know about it. >From foo@baz Tue Dec 12 13:38:50 CET 2017 From: Steffen Klassert <steffen.klassert(a)secunet.com> Date: Wed, 15 Feb 2017 11:38:58 +0100 Subject: vti6: Don't report path MTU below IPV6_MIN_MTU. From: Steffen Klassert <steffen.klassert(a)secunet.com> [ Upstream commit e3dc847a5f85b43ee2bfc8eae407a7e383483228 ] In vti6_xmit(), the check for IPV6_MIN_MTU before we send a ICMPV6_PKT_TOOBIG message is missing. So we might report a PMTU below 1280. Fix this by adding the required check. Fixes: ccd740cbc6e ("vti6: Add pmtu handling to vti6_xmit.") Signed-off-by: Steffen Klassert <steffen.klassert(a)secunet.com> Signed-off-by: Sasha Levin <alexander.levin(a)verizon.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- net/ipv6/ip6_vti.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/ipv6/ip6_vti.c +++ b/net/ipv6/ip6_vti.c @@ -474,11 +474,15 @@ vti6_xmit(struct sk_buff *skb, struct ne if (!skb->ignore_df && skb->len > mtu) { skb_dst(skb)->ops->update_pmtu(dst, NULL, skb, mtu); - if (skb->protocol == htons(ETH_P_IPV6)) + if (skb->protocol == htons(ETH_P_IPV6)) { + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); - else + } else { icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); + } return -EMSGSIZE; } Patches currently in stable-queue which might be from steffen.klassert(a)secunet.com are queue-4.4/xfrm-copy-policy-family-in-clone_policy.patch queue-4.4/vti6-don-t-report-path-mtu-below-ipv6_min_mtu.patch

7 years, 9 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror