- Linux-stable-mirror - lists.linaro.org

[PATCH 3/3] drm/dp_mst: Fix topology ref leak in drm_dp_mst_allocate_vcpi()

by Lyude Paul

Another drive-by fix. If slots < 0, or drm_dp_init_vcpi() fails, we'll end up returning from the function without dropping the topology ref that we grabbed at the very start. This would result in an MST hub and/or it's ports staying around even after the MST topology has been removed from the system. So, fix this by making sure that we always drop the topology ref to port when returning from this function. Additionally: it looks like this bug exists pre-topology & malloc krefs, so let's also make sure this gets backported to stable. Signed-off-by: Lyude Paul <lyude(a)redhat.com> Fixes: ad7f8a1f9ced ("drm/helper: add Displayport multi-stream helper (v0.6)") Cc: David Airlie <airlied(a)linux.ie> Cc: Daniel Vetter <daniel(a)ffwll.ch> Cc: <stable(a)vger.kernel.org> # v3.17+ --- drivers/gpu/drm/drm_dp_mst_topology.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/drivers/gpu/drm/drm_dp_mst_topology.c b/drivers/gpu/drm/drm_dp_mst_topology.c index d99560c5c693..403f035dc8b8 100644 --- a/drivers/gpu/drm/drm_dp_mst_topology.c +++ b/drivers/gpu/drm/drm_dp_mst_topology.c @@ -3177,28 +3177,29 @@ EXPORT_SYMBOL(drm_dp_atomic_release_vcpi_slots); bool drm_dp_mst_allocate_vcpi(struct drm_dp_mst_topology_mgr *mgr, struct drm_dp_mst_port *port, int pbn, int slots) { - int ret; + int rc; + bool ret = false; - port = drm_dp_mst_topology_get_port_validated(mgr, port); - if (!port) + if (slots < 0) return false; - if (slots < 0) + port = drm_dp_mst_topology_get_port_validated(mgr, port); + if (!port) return false; if (port->vcpi.vcpi > 0) { DRM_DEBUG_KMS("payload: vcpi %d already allocated for pbn %d - requested pbn %d\n", port->vcpi.vcpi, port->vcpi.pbn, pbn); if (pbn == port->vcpi.pbn) { - drm_dp_mst_topology_put_port(port); - return true; + ret = true; + goto out; } } - ret = drm_dp_init_vcpi(mgr, &port->vcpi, pbn, slots); - if (ret) { + rc = drm_dp_init_vcpi(mgr, &port->vcpi, pbn, slots); + if (rc) { DRM_DEBUG_KMS("failed to init vcpi slots=%d max=63 ret=%d\n", - DIV_ROUND_UP(pbn, mgr->pbn_div), ret); + DIV_ROUND_UP(pbn, mgr->pbn_div), rc); goto out; } DRM_DEBUG_KMS("initing vcpi for pbn=%d slots=%d\n", @@ -3206,10 +3207,10 @@ bool drm_dp_mst_allocate_vcpi(struct drm_dp_mst_topology_mgr *mgr, /* Keep port allocated until it's payload has been removed */ drm_dp_mst_get_port_malloc(port); - drm_dp_mst_topology_put_port(port); - return true; + ret = true; out: - return false; + drm_dp_mst_topology_put_port(port); + return ret; } EXPORT_SYMBOL(drm_dp_mst_allocate_vcpi); -- 2.20.1

6 years, 11 months

1
0
0 0

[PATCH 4.14 00/27] 4.14.94-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.94 release. There are 27 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Jan 17 15:48:28 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.94-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.94-rc1 Christoffer Dall <christoffer.dall(a)arm.com> KVM: arm/arm64: Fix VMID alloc race by reverting to lock-less Vasily Averin <vvs(a)virtuozzo.com> sunrpc: use-after-free in svc_process_common() Theodore Ts'o <tytso(a)mit.edu> ext4: track writeback errors using the generic tracking infrastructure Theodore Ts'o <tytso(a)mit.edu> ext4: use ext4_write_inode() when fsyncing w/o a journal Theodore Ts'o <tytso(a)mit.edu> ext4: avoid kernel warning when writing the superblock to a dead device Theodore Ts'o <tytso(a)mit.edu> ext4: fix a potential fiemap/page fault deadlock w/ inline_data Theodore Ts'o <tytso(a)mit.edu> ext4: make sure enough credits are reserved for dioread_nolock writes Ilya Dryomov <idryomov(a)gmail.com> rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set Ivan Mironov <mironov.ivan(a)gmail.com> drm/fb-helper: Partially bring back workaround for bugs of SDL 1.2 Yi Zeng <yizeng(a)asrmicro.com> i2c: dev: prevent adapter retries and timeout being set as minus value Hans de Goede <hdegoede(a)redhat.com> ACPI / PMIC: xpower: Fix TS-pin current-source handling Hans de Goede <hdegoede(a)redhat.com> ACPI: power: Skip duplicate power resource references in _PRx Michal Hocko <mhocko(a)suse.com> mm, memcg: fix reclaim deadlock with writeback Jan Stancek <jstancek(a)redhat.com> mm: page_mapped: don't assume compound page is huge or THP Christoph Lameter <cl(a)linux.com> slab: alien caches must not be initialized if the allocation of the alien cache failed Jack Stocker <jackstocker.93(a)gmail.com> USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Icenowy Zheng <icenowy(a)aosc.io> USB: storage: add quirk for SMI SM3350 Icenowy Zheng <icenowy(a)aosc.io> USB: storage: don't insert sane sense for SPC3+ when bad sense specified Daniele Palmas <dnlplm(a)gmail.com> usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ross Lagerwall <ross.lagerwall(a)citrix.com> cifs: Fix potential OOB access of lock element array Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Do not hide EINTR after sending network packets Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Fix adjustment of credits for MTU requests Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Add unplug function into unplug state of Headset Mode for ALC225 Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Support Dell headset mode for New AIO platform WANG Chao <chao.wang(a)ucloud.cn> x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE Rik van Riel <riel(a)redhat.com> x86,kvm: move qemu/guest FPU switching out to vcpu_run ------------- Diffstat: Makefile | 4 +- arch/x86/include/asm/kvm_host.h | 13 ++++ arch/x86/kernel/cpu/bugs.c | 2 +- arch/x86/kvm/x86.c | 34 ++++----- drivers/acpi/pmic/intel_pmic_xpower.c | 41 ++++++++--- drivers/acpi/power.c | 22 ++++++ drivers/block/rbd.c | 9 ++- drivers/gpu/drm/drm_fb_helper.c | 126 ++++++++++++++++++++-------------- drivers/i2c/i2c-dev.c | 6 ++ drivers/usb/class/cdc-acm.c | 7 ++ drivers/usb/core/quirks.c | 3 +- drivers/usb/storage/scsiglue.c | 8 ++- drivers/usb/storage/unusual_devs.h | 12 ++++ fs/cifs/file.c | 8 +-- fs/cifs/smb2file.c | 4 +- fs/cifs/smb2pdu.c | 8 ++- fs/cifs/transport.c | 2 +- fs/ext4/fsync.c | 16 +++-- fs/ext4/inline.c | 6 +- fs/ext4/inode.c | 3 +- fs/ext4/super.c | 2 +- include/linux/compiler-gcc.h | 2 +- include/linux/kvm_host.h | 2 +- include/linux/module.h | 2 +- include/linux/sunrpc/svc.h | 5 +- mm/memory.c | 23 +++++++ mm/slab.c | 6 +- mm/util.c | 2 +- net/sunrpc/svc.c | 11 +-- net/sunrpc/svc_xprt.c | 5 +- net/sunrpc/svcsock.c | 2 +- scripts/mod/modpost.c | 2 +- sound/pci/hda/patch_realtek.c | 18 ++++- virt/kvm/arm/arm.c | 23 +++---- 34 files changed, 300 insertions(+), 139 deletions(-)

6 years, 11 months

5
36
0 0

[PATCH 4.9 00/16] 4.9.151-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.151 release. There are 16 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Jan 17 15:48:25 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.151-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.151-rc1 Vasily Averin <vvs(a)virtuozzo.com> sunrpc: use-after-free in svc_process_common() Theodore Ts'o <tytso(a)mit.edu> ext4: avoid kernel warning when writing the superblock to a dead device Theodore Ts'o <tytso(a)mit.edu> ext4: fix a potential fiemap/page fault deadlock w/ inline_data Theodore Ts'o <tytso(a)mit.edu> ext4: make sure enough credits are reserved for dioread_nolock writes Ilya Dryomov <idryomov(a)gmail.com> rbd: don't return 0 on unmap if RBD_DEV_FLAG_REMOVING is set Yi Zeng <yizeng(a)asrmicro.com> i2c: dev: prevent adapter retries and timeout being set as minus value Hans de Goede <hdegoede(a)redhat.com> ACPI: power: Skip duplicate power resource references in _PRx Jan Stancek <jstancek(a)redhat.com> mm: page_mapped: don't assume compound page is huge or THP Christoph Lameter <cl(a)linux.com> slab: alien caches must not be initialized if the allocation of the alien cache failed Jack Stocker <jackstocker.93(a)gmail.com> USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Icenowy Zheng <icenowy(a)aosc.io> USB: storage: add quirk for SMI SM3350 Icenowy Zheng <icenowy(a)aosc.io> USB: storage: don't insert sane sense for SPC3+ when bad sense specified Daniele Palmas <dnlplm(a)gmail.com> usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ross Lagerwall <ross.lagerwall(a)citrix.com> cifs: Fix potential OOB access of lock element array Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Do not hide EINTR after sending network packets Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 ------------- Diffstat: Makefile | 4 ++-- drivers/acpi/power.c | 22 ++++++++++++++++++++++ drivers/block/rbd.c | 9 ++++----- drivers/i2c/i2c-dev.c | 6 ++++++ drivers/usb/class/cdc-acm.c | 7 +++++++ drivers/usb/core/quirks.c | 3 ++- drivers/usb/storage/scsiglue.c | 8 ++++++-- drivers/usb/storage/unusual_devs.h | 12 ++++++++++++ fs/cifs/file.c | 8 ++++---- fs/cifs/smb2file.c | 4 ++-- fs/cifs/transport.c | 2 +- fs/ext4/inline.c | 6 +++--- fs/ext4/inode.c | 3 ++- fs/ext4/super.c | 2 +- include/linux/sunrpc/svc.h | 5 ++++- mm/slab.c | 6 ++++-- mm/util.c | 2 +- net/sunrpc/svc.c | 9 ++++++--- net/sunrpc/svc_xprt.c | 5 +++-- net/sunrpc/svcsock.c | 2 +- sound/pci/hda/patch_realtek.c | 16 +++++++++++++++- 21 files changed, 108 insertions(+), 33 deletions(-)

6 years, 11 months

5
20
0 0

[PATCH 4.4 00/51] 4.4.171-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.4.171 release. There are 51 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Thu Jan 17 15:48:21 UTC 2019. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.171-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.4.171-rc1 Vasily Averin <vvs(a)virtuozzo.com> sunrpc: use-after-free in svc_process_common() Theodore Ts'o <tytso(a)mit.edu> ext4: fix a potential fiemap/page fault deadlock w/ inline_data Eric Biggers <ebiggers(a)google.com> crypto: cts - fix crash on short inputs Yi Zeng <yizeng(a)asrmicro.com> i2c: dev: prevent adapter retries and timeout being set as minus value Hans de Goede <hdegoede(a)redhat.com> ACPI: power: Skip duplicate power resource references in _PRx Ley Foon Tan <lftan(a)altera.com> PCI: altera: Move retrain from fixup to altera_pcie_host_init() Ley Foon Tan <lftan(a)altera.com> PCI: altera: Rework config accessors for use without a struct pci_bus Ley Foon Tan <lftan(a)altera.com> PCI: altera: Poll for link training status after retraining the link Ley Foon Tan <lftan(a)altera.com> PCI: altera: Poll for link up status after retraining the link Ley Foon Tan <lftan(a)altera.com> PCI: altera: Check link status before retrain link Bjorn Helgaas <bhelgaas(a)google.com> PCI: altera: Reorder read/write functions Ley Foon Tan <lftan(a)altera.com> PCI: altera: Fix altera_pcie_link_is_up() Christoph Lameter <cl(a)linux.com> slab: alien caches must not be initialized if the allocation of the alien cache failed Jack Stocker <jackstocker.93(a)gmail.com> USB: Add USB_QUIRK_DELAY_CTRL_MSG quirk for Corsair K70 RGB Icenowy Zheng <icenowy(a)aosc.io> USB: storage: add quirk for SMI SM3350 Icenowy Zheng <icenowy(a)aosc.io> USB: storage: don't insert sane sense for SPC3+ when bad sense specified Daniele Palmas <dnlplm(a)gmail.com> usb: cdc-acm: send ZLP for Telit 3G Intel based modems Ross Lagerwall <ross.lagerwall(a)citrix.com> cifs: Fix potential OOB access of lock element array Pavel Shilovsky <pshilov(a)microsoft.com> CIFS: Do not hide EINTR after sending network packets Shaokun Zhang <zhangshaokun(a)hisilicon.com> btrfs: tree-checker: Fix misleading group system information Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Check level for leaves and nodes Qu Wenruo <wqu(a)suse.com> btrfs: Verify that every chunk has corresponding block group at mount time Qu Wenruo <wqu(a)suse.com> btrfs: Check that each block group has corresponding chunk at mount time Gu Jinxiang <gujx(a)cn.fujitsu.com> btrfs: validate type when reading a chunk Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Detect invalid and empty essential trees Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Verify block_group_item David Sterba <dsterba(a)suse.com> btrfs: tree-check: reduce stack consumption in check_dir_item Arnd Bergmann <arnd(a)arndb.de> btrfs: tree-checker: use %zu format string for size_t Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Add checker for dir item Qu Wenruo <wqu(a)suse.com> btrfs: tree-checker: Fix false panic for sanity test Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: tree-checker: Enhance btrfs_check_node output Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: Move leaf and node validation checker to tree-checker.c Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: Add checker for EXTENT_CSUM Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: Add sanity check for EXTENT_DATA when reading out leaf Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: Check if item pointer overlaps with the item itself Qu Wenruo <quwenruo.btrfs(a)gmx.com> btrfs: Refactor check_leaf function for later expansion Jeff Mahoney <jeffm(a)suse.com> btrfs: struct-funcs, constify readers Filipe Manana <fdmanana(a)suse.com> Btrfs: fix emptiness check for dirtied extent buffers at check_leaf() Liu Bo <bo.li.liu(a)oracle.com> Btrfs: memset to avoid stale content in btree leaf Liu Bo <bo.li.liu(a)oracle.com> Btrfs: kill BUG_ON in run_delayed_tree_ref Liu Bo <bo.li.liu(a)oracle.com> Btrfs: improve check_node to avoid reading corrupted nodes Liu Bo <bo.li.liu(a)oracle.com> Btrfs: memset to avoid stale content in btree node block Liu Bo <bo.li.liu(a)oracle.com> Btrfs: fix BUG_ON in btrfs_mark_buffer_dirty Liu Bo <bo.li.liu(a)oracle.com> Btrfs: check btree node's nritems Liu Bo <bo.li.liu(a)oracle.com> Btrfs: detect corruption when non-root leaf has zero item Josef Bacik <jbacik(a)fb.com> Btrfs: fix em leak in find_first_block_group Liu Bo <bo.li.liu(a)oracle.com> Btrfs: check inconsistence between chunk and block group Liu Bo <bo.li.liu(a)oracle.com> Btrfs: add validadtion checks for chunk loading Qu Wenruo <quwenruo(a)cn.fujitsu.com> btrfs: Enhance chunk validation check Jeff Mahoney <jeffm(a)suse.com> btrfs: cleanup, stop casting for extent_map->lookup everywhere Kailang Yang <kailang(a)realtek.com> ALSA: hda/realtek - Disable headset Mic VREF for headset mode of ALC225 ------------- Diffstat: Makefile | 4 +- crypto/cts.c | 8 +- drivers/acpi/power.c | 22 ++ drivers/i2c/i2c-dev.c | 6 + drivers/pci/host/pcie-altera.c | 201 +++++++++--- drivers/usb/class/cdc-acm.c | 7 + drivers/usb/core/quirks.c | 3 +- drivers/usb/storage/scsiglue.c | 8 +- drivers/usb/storage/unusual_devs.h | 12 + fs/btrfs/Makefile | 2 +- fs/btrfs/ctree.c | 14 - fs/btrfs/ctree.h | 141 ++++---- fs/btrfs/dev-replace.c | 2 +- fs/btrfs/disk-io.c | 80 +---- fs/btrfs/extent-tree.c | 112 ++++++- fs/btrfs/extent_io.c | 43 ++- fs/btrfs/extent_io.h | 19 +- fs/btrfs/extent_map.c | 2 +- fs/btrfs/extent_map.h | 10 +- fs/btrfs/scrub.c | 2 +- fs/btrfs/struct-funcs.c | 9 +- fs/btrfs/tree-checker.c | 649 +++++++++++++++++++++++++++++++++++++ fs/btrfs/tree-checker.h | 38 +++ fs/btrfs/volumes.c | 139 +++++++- fs/btrfs/volumes.h | 2 + fs/cifs/file.c | 8 +- fs/cifs/smb2file.c | 4 +- fs/cifs/transport.c | 2 +- fs/ext4/inline.c | 6 +- include/linux/sunrpc/svc.h | 5 +- mm/slab.c | 6 +- net/sunrpc/svc.c | 10 +- net/sunrpc/svc_xprt.c | 5 +- net/sunrpc/svcsock.c | 2 +- sound/pci/hda/patch_realtek.c | 16 +- 35 files changed, 1324 insertions(+), 275 deletions(-)

6 years, 11 months

4
54
0 0

[PATCH v3] xen: Fix x86 sched_clock() interface for xen

by Juergen Gross

Commit f94c8d11699759 ("sched/clock, x86/tsc: Rework the x86 'unstable' sched_clock() interface") broke Xen guest time handling across migration: [ 187.249951] Freezing user space processes ... (elapsed 0.001 seconds) done. [ 187.251137] OOM killer disabled. [ 187.251137] Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. [ 187.252299] suspending xenstore... [ 187.266987] xen:grant_table: Grant tables using version 1 layout [18446743811.706476] OOM killer enabled. [18446743811.706478] Restarting tasks ... done. [18446743811.720505] Setting capacity to 16777216 Fix that by setting xen_sched_clock_offset at resume time to ensure a monotonic clock value. Fixes: f94c8d11699759 ("sched/clock, x86/tsc: Rework the x86 'unstable' sched_clock() interface") Cc: <stable(a)vger.kernel.org> # 4.11 Reported-by: Hans van Kranenburg <hans(a)knorrie.org> Signed-off-by: Juergen Gross <jgross(a)suse.com> --- arch/x86/xen/time.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c index 72bf446c3fee..6e29794573b7 100644 --- a/arch/x86/xen/time.c +++ b/arch/x86/xen/time.c @@ -361,8 +361,6 @@ void xen_timer_resume(void) { int cpu; - pvclock_resume(); - if (xen_clockevent != &xen_vcpuop_clockevent) return; @@ -379,12 +377,15 @@ static const struct pv_time_ops xen_time_ops __initconst = { }; static struct pvclock_vsyscall_time_info *xen_clock __read_mostly; +static u64 xen_clock_value_saved; void xen_save_time_memory_area(void) { struct vcpu_register_time_memory_area t; int ret; + xen_clock_value_saved = xen_clocksource_read() - xen_sched_clock_offset; + if (!xen_clock) return; @@ -404,7 +405,7 @@ void xen_restore_time_memory_area(void) int ret; if (!xen_clock) - return; + goto out; t.addr.v = &xen_clock->pvti; @@ -421,6 +422,11 @@ void xen_restore_time_memory_area(void) if (ret != 0) pr_notice("Cannot restore secondary vcpu_time_info (err %d)", ret); + +out: + /* Need pvclock_resume() before using xen_clocksource_read(). */ + pvclock_resume(); + xen_sched_clock_offset = xen_clocksource_read() - xen_clock_value_saved; } static void xen_setup_vsyscall_time_info(void) -- 2.16.4

6 years, 11 months

4
11
0 0

[PATCH] usb: phy: am335x: fix race condition in _probe

by Bin Liu

power off the phy should be done before populate the phy. Otherwise, am335x_init() could be called by the phy owner to power on the phy first, then am335x_phy_probe() turns off the phy again without the caller knowing it. Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup") Cc: stable(a)vger.kernel.org # v3.18+ Signed-off-by: Bin Liu <b-liu(a)ti.com> --- drivers/usb/phy/phy-am335x.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/drivers/usb/phy/phy-am335x.c b/drivers/usb/phy/phy-am335x.c index 27bdb7222527..f5f0568d8533 100644 --- a/drivers/usb/phy/phy-am335x.c +++ b/drivers/usb/phy/phy-am335x.c @@ -61,9 +61,6 @@ static int am335x_phy_probe(struct platform_device *pdev) if (ret) return ret; - ret = usb_add_phy_dev(&am_phy->usb_phy_gen.phy); - if (ret) - return ret; am_phy->usb_phy_gen.phy.init = am335x_init; am_phy->usb_phy_gen.phy.shutdown = am335x_shutdown; @@ -82,7 +79,7 @@ static int am335x_phy_probe(struct platform_device *pdev) device_set_wakeup_enable(dev, false); phy_ctrl_power(am_phy->phy_ctrl, am_phy->id, am_phy->dr_mode, false); - return 0; + return usb_add_phy_dev(&am_phy->usb_phy_gen.phy); } static int am335x_phy_remove(struct platform_device *pdev) -- 2.17.1

6 years, 11 months

1
0
0 0

[PATCH] ipmi: fix use-after-free of user->release_barrier.rda

by Yang Yingliang

When we do the following test, we got oops in ipmi_msghandler driver while((1)) do service ipmievd restart & service ipmievd restart done --------------------------------------------------------------- [ 294.230186] Unable to handle kernel paging request at virtual address 0000803fea6ea008 [ 294.230188] Mem abort info: [ 294.230190] ESR = 0x96000004 [ 294.230191] Exception class = DABT (current EL), IL = 32 bits [ 294.230193] SET = 0, FnV = 0 [ 294.230194] EA = 0, S1PTW = 0 [ 294.230195] Data abort info: [ 294.230196] ISV = 0, ISS = 0x00000004 [ 294.230197] CM = 0, WnR = 0 [ 294.230199] user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000a1c1b75a [ 294.230201] [0000803fea6ea008] pgd=0000000000000000 [ 294.230204] Internal error: Oops: 96000004 [#1] SMP [ 294.235211] Modules linked in: nls_utf8 isofs rpcrdma ib_iser ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod aes_ce_blk crypto_simd cryptd aes_ce_cipher ghash_ce sha2_ce ses sha256_arm64 sha1_ce hibmc_drm hisi_sas_v2_hw enclosure sg hisi_sas_main sbsa_gwdt ip_tables mlx5_ib ib_uverbs marvell ib_core mlx5_core ixgbe ipmi_si mdio hns_dsaf ipmi_devintf ipmi_msghandler hns_enet_drv hns_mdio [ 294.277745] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted 5.0.0-rc2+ #113 [ 294.285511] Hardware name: Huawei TaiShan 2280 /BC11SPCD, BIOS 1.37 11/21/2017 [ 294.292835] pstate: 80000005 (Nzcv daif -PAN -UAO) [ 294.297695] pc : __srcu_read_lock+0x38/0x58 [ 294.301940] lr : acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler] [ 294.307853] sp : ffff00001001bc80 [ 294.311208] x29: ffff00001001bc80 x28: ffff0000117e5000 [ 294.316594] x27: 0000000000000000 x26: dead000000000100 [ 294.321980] x25: dead000000000200 x24: ffff803f6bd06800 [ 294.327366] x23: 0000000000000000 x22: 0000000000000000 [ 294.332752] x21: ffff00001001bd04 x20: ffff80df33d19018 [ 294.338137] x19: ffff80df33d19018 x18: 0000000000000000 [ 294.343523] x17: 0000000000000000 x16: 0000000000000000 [ 294.348908] x15: 0000000000000000 x14: 0000000000000002 [ 294.354293] x13: 0000000000000000 x12: 0000000000000000 [ 294.359679] x11: 0000000000000000 x10: 0000000000100000 [ 294.365065] x9 : 0000000000000000 x8 : 0000000000000004 [ 294.370451] x7 : 0000000000000000 x6 : ffff80df34558678 [ 294.375836] x5 : 000000000000000c x4 : 0000000000000000 [ 294.381221] x3 : 0000000000000001 x2 : 0000803fea6ea000 [ 294.386607] x1 : 0000803fea6ea008 x0 : 0000000000000001 [ 294.391994] Process swapper/3 (pid: 0, stack limit = 0x0000000083087293) [ 294.398791] Call trace: [ 294.401266] __srcu_read_lock+0x38/0x58 [ 294.405154] acquire_ipmi_user+0x2c/0x70 [ipmi_msghandler] [ 294.410716] deliver_response+0x80/0xf8 [ipmi_msghandler] [ 294.416189] deliver_local_response+0x28/0x68 [ipmi_msghandler] [ 294.422193] handle_one_recv_msg+0x158/0xcf8 [ipmi_msghandler] [ 294.432050] handle_new_recv_msgs+0xc0/0x210 [ipmi_msghandler] [ 294.441984] smi_recv_tasklet+0x8c/0x158 [ipmi_msghandler] [ 294.451618] tasklet_action_common.isra.5+0x88/0x138 [ 294.460661] tasklet_action+0x2c/0x38 [ 294.468191] __do_softirq+0x120/0x2f8 [ 294.475561] irq_exit+0x134/0x140 [ 294.482445] __handle_domain_irq+0x6c/0xc0 [ 294.489954] gic_handle_irq+0xb8/0x178 [ 294.497037] el1_irq+0xb0/0x140 [ 294.503381] arch_cpu_idle+0x34/0x1a8 [ 294.510096] do_idle+0x1d4/0x290 [ 294.516322] cpu_startup_entry+0x28/0x30 [ 294.523230] secondary_start_kernel+0x184/0x1d0 [ 294.530657] Code: d538d082 d2800023 8b010c81 8b020021 (c85f7c25) [ 294.539746] ---[ end trace 8a7a880dee570b29 ]--- [ 294.547341] Kernel panic - not syncing: Fatal exception in interrupt [ 294.556837] SMP: stopping secondary CPUs [ 294.563996] Kernel Offset: disabled [ 294.570515] CPU features: 0x002,21006008 [ 294.577638] Memory Limit: none [ 294.587178] Starting crashdump kernel... [ 294.594314] Bye! Because the user->release_barrier.rda is freed in ipmi_destroy_user(), but the refcount is not zero, when acquire_ipmi_user() uses user->release_barrier.rda in __srcu_read_lock(), it causes oops. Fix this by calling cleanup_srcu_struct() when the refcount is zero. Fixes: e86ee2d44b44 ("ipmi: Rework locking and shutdown for hot remove") Cc: stable(a)vger.kernel.org Signed-off-by: Yang Yingliang <yangyingliang(a)huawei.com> --- drivers/char/ipmi/ipmi_msghandler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c index a74ce88..6c26533 100644 --- a/drivers/char/ipmi/ipmi_msghandler.c +++ b/drivers/char/ipmi/ipmi_msghandler.c @@ -1183,6 +1183,7 @@ int ipmi_get_smi_info(int if_num, struct ipmi_smi_info *data) static void free_user(struct kref *ref) { struct ipmi_user *user = container_of(ref, struct ipmi_user, refcount); + cleanup_srcu_struct(&user->release_barrier); kfree(user); } @@ -1259,7 +1260,6 @@ int ipmi_destroy_user(struct ipmi_user *user) { _ipmi_destroy_user(user); - cleanup_srcu_struct(&user->release_barrier); kref_put(&user->refcount, free_user); return 0; -- 1.8.3

6 years, 11 months

2
1
0 0

[PATCH STABLE v4.19.15] gpiolib: fix line event timestamps for nested irqs

by Bartosz Golaszewski

From: Bartosz Golaszewski <bgolaszewski(a)baylibre.com> Nested interrupts run inside the calling thread's context and the top half handler is never called which means that we never read the timestamp. This issue came up when trying to read line events from a gpiochip using regmap_irq_chip for interrupts. Fix it by reading the timestamp from the irq thread function if it's still 0 by the time the second handler is called. Fixes: d58f2bf261fd ("gpio: Timestamp events in hardirq handler") Cc: stable(a)vger.kernel.org Signed-off-by: Bartosz Golaszewski <bgolaszewski(a)baylibre.com> --- Hi Sasha, this is a backport for v4.19.y series. The original patch didn't apply due to a conflict. drivers/gpio/gpiolib.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c index a8e01d99919c..b3ab6c428423 100644 --- a/drivers/gpio/gpiolib.c +++ b/drivers/gpio/gpiolib.c @@ -817,7 +817,15 @@ static irqreturn_t lineevent_irq_thread(int irq, void *p) /* Do not leak kernel stack to userspace */ memset(&ge, 0, sizeof(ge)); - ge.timestamp = le->timestamp; + /* + * We may be running from a nested threaded interrupt in which case + * we didn't get the timestamp from lineevent_irq_handler(). + */ + if (!le->timestamp) + ge.timestamp = ktime_get_real_ns(); + else + ge.timestamp = le->timestamp; + level = gpiod_get_value_cansleep(le->desc); if (le->eflags & GPIOEVENT_REQUEST_RISING_EDGE -- 2.19.1

6 years, 11 months

3
2
0 0

[git:media_tree/fixes] media: vim2m: only cancel work if it is for right context

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: vim2m: only cancel work if it is for right context Author: Hans Verkuil <hverkuil(a)xs4all.nl> Date: Fri Jan 11 07:07:25 2019 -0500 cancel_delayed_work_sync() was called for any queue, but it should only be called for the queue that is associated with the currently running job. Otherwise, if two filehandles are streaming at the same time, then closing the first will cancel the work which might still be running for a job from the second filehandle. As a result the second filehandle will never be able to finish the job and an attempt to stop streaming on that second filehandle will stall. Fixes: 52117be68b82 ("media: vim2m: use cancel_delayed_work_sync instead of flush_schedule_work") Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Cc: <stable(a)vger.kernel.org> # for v4.20 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/platform/vim2m.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- diff --git a/drivers/media/platform/vim2m.c b/drivers/media/platform/vim2m.c index d01821a6906a..89d9c4c21037 100644 --- a/drivers/media/platform/vim2m.c +++ b/drivers/media/platform/vim2m.c @@ -807,7 +807,9 @@ static void vim2m_stop_streaming(struct vb2_queue *q) struct vb2_v4l2_buffer *vbuf; unsigned long flags; - cancel_delayed_work_sync(&dev->work_run); + if (v4l2_m2m_get_curr_priv(dev->m2m_dev) == ctx) + cancel_delayed_work_sync(&dev->work_run); + for (;;) { if (V4L2_TYPE_IS_OUTPUT(q->type)) vbuf = v4l2_m2m_src_buf_remove(ctx->fh.m2m_ctx);

6 years, 11 months

1
0
0 0

[git:media_tree/fixes] media: v4l: ioctl: Validate num_planes for debug messages

by Mauro Carvalho Chehab

This is an automatic generated email to let you know that the following patch were queued: Subject: media: v4l: ioctl: Validate num_planes for debug messages Author: Sakari Ailus <sakari.ailus(a)linux.intel.com> Date: Thu Jan 10 09:24:26 2019 -0500 The num_planes field in struct v4l2_pix_format_mplane is used in a loop before validating it. As the use is printing a debug message in this case, just cap the value to the maximum allowed. Signed-off-by: Sakari Ailus <sakari.ailus(a)linux.intel.com> Cc: stable(a)vger.kernel.org Reviewed-by: Thierry Reding <treding(a)nvidia.com> Signed-off-by: Hans Verkuil <hverkuil-cisco(a)xs4all.nl> Cc: <stable(a)vger.kernel.org> # for v4.12 and up Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung(a)kernel.org> drivers/media/v4l2-core/v4l2-ioctl.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c index 44bc7c4f1c11..90aad465f9ed 100644 --- a/drivers/media/v4l2-core/v4l2-ioctl.c +++ b/drivers/media/v4l2-core/v4l2-ioctl.c @@ -287,6 +287,7 @@ static void v4l_print_format(const void *arg, bool write_only) const struct v4l2_window *win; const struct v4l2_sdr_format *sdr; const struct v4l2_meta_format *meta; + u32 planes; unsigned i; pr_cont("type=%s", prt_names(p->type, v4l2_type_names)); @@ -317,7 +318,8 @@ static void v4l_print_format(const void *arg, bool write_only) prt_names(mp->field, v4l2_field_names), mp->colorspace, mp->num_planes, mp->flags, mp->ycbcr_enc, mp->quantization, mp->xfer_func); - for (i = 0; i < mp->num_planes; i++) + planes = min_t(u32, mp->num_planes, VIDEO_MAX_PLANES); + for (i = 0; i < planes; i++) printk(KERN_DEBUG "plane %u: bytesperline=%u sizeimage=%u\n", i, mp->plane_fmt[i].bytesperline, mp->plane_fmt[i].sizeimage);

6 years, 11 months

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror