- Linux-stable-mirror - lists.linaro.org

[Question] A UBSAN problem in stable-4.4

by Tan Xiaojun

Hi, all, I found the following problem (attached to the end) when testing stable-4.4 with Syzkaller. This is not an easy-to-trigger problem, so the tool does not generate code for recurring problems. >From the call stack, it is because the first parameter in ktime_sub is large, and the second parameter offset is a negative number, causing the final result to overflow into the sign bit and become a large negative number. -------------- ... ktime_t expires = ktime_sub(hrtimer_get_expires(timer), base->offset); ... -------------- But I don't know how to fix this problem. The mainline code is also different from stable-4.4, and I have not found a patch to fix this problem in the mainline repository. So I am a bit confused about how to fix it. Can anyone give me some advice? Thanks. Xiaojun. ================================================================================ UBSAN: Undefined behaviour in kernel/time/hrtimer.c:615:20 signed integer overflow: 9223372036854775807 - -495588161 cannot be represented in type 'long long int' CPU: 0 PID: 4542 Comm: syz-executor0 Not tainted 4.4.156-514.55.6.9.x86_64+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 1ffff100391dbf45 ad071d3307b76e03 ffff8801c8edfab0 ffffffff81c9f586 0000000041b58ab3 ffffffff831fd4e6 ffffffff81c9f478 ffff8801c8edfad8 ffff8801c8edfa78 00000000000014a9 ad071d3307b76e03 ffffffff837fd660 Call Trace: [<ffffffff81c9f586>] __dump_stack lib/dump_stack.c:15 [inline] [<ffffffff81c9f586>] dump_stack+0x10e/0x1a8 lib/dump_stack.c:51 [<ffffffff81d814a6>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 [<ffffffff81d830a1>] handle_overflow+0x23e/0x299 lib/ubsan.c:195 [<ffffffff81d83157>] __ubsan_handle_sub_overflow+0x2a/0x31 lib/ubsan.c:211 [<ffffffff813d8c33>] hrtimer_reprogram kernel/time/hrtimer.c:615 [inline] [<ffffffff813d8c33>] hrtimer_start_range_ns+0x1083/0x1580 kernel/time/hrtimer.c:1024 [<ffffffff813fde1f>] hrtimer_start include/linux/hrtimer.h:393 [inline] [<ffffffff813fde1f>] alarm_start+0xcf/0x130 kernel/time/alarmtimer.c:328 [<ffffffff813fed66>] alarm_timer_set+0x296/0x4a0 kernel/time/alarmtimer.c:632 [<ffffffff813e1a3e>] SYSC_timer_settime kernel/time/posix-timers.c:914 [inline] [<ffffffff813e1a3e>] SyS_timer_settime+0x2be/0x3d0 kernel/time/posix-timers.c:885 [<ffffffff82c2fb61>] entry_SYSCALL_64_fastpath+0x1e/0x9e ================================================================================ ================================================================================ UBSAN: Undefined behaviour in kernel/time/hrtimer.c:490:13 signed integer overflow: 9223372036854775807 - -495588161 cannot be represented in type 'long long int' CPU: 0 PID: 4542 Comm: syz-executor0 Not tainted 4.4.156-514.55.6.9.x86_64+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 1ffff1003ed40f8b ad071d3307b76e03 ffff8801f6a07ce0 ffffffff81c9f586 0000000041b58ab3 ffffffff831fd4e6 ffffffff81c9f478 ffff8801f6a07d08 ffff8801f6a07ca8 000000000000000a ad071d3307b76e03 ffffffff837fd660 Call Trace: <IRQ> [<ffffffff81c9f586>] __dump_stack lib/dump_stack.c:15 [inline] <IRQ> [<ffffffff81c9f586>] dump_stack+0x10e/0x1a8 lib/dump_stack.c:51 [<ffffffff81d814a6>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 [<ffffffff81d830a1>] handle_overflow+0x23e/0x299 lib/ubsan.c:195 [<ffffffff81d83157>] __ubsan_handle_sub_overflow+0x2a/0x31 lib/ubsan.c:211 [<ffffffff813d43ea>] __hrtimer_get_next_event+0x1da/0x2b0 kernel/time/hrtimer.c:490 [<ffffffff813d9532>] hrtimer_interrupt+0x202/0x580 kernel/time/hrtimer.c:1361 [<ffffffff8113e7ad>] local_apic_timer_interrupt+0x9d/0x150 arch/x86/kernel/apic/apic.c:901 [<ffffffff82c32ea0>] smp_apic_timer_interrupt+0x80/0xb0 arch/x86/kernel/apic/apic.c:925 [<ffffffff82c30ac5>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:563 <EOI> [<ffffffff82c2f0fb>] ? arch_local_irq_restore arch/x86/include/asm/paravirt.h:812 [inline] <EOI> [<ffffffff82c2f0fb>] ? __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:162 [inline] <EOI> [<ffffffff82c2f0fb>] ? _raw_spin_unlock_irqrestore+0x3b/0x60 kernel/locking/spinlock.c:191 [<ffffffff813e1a4f>] unlock_timer include/linux/spinlock.h:362 [inline] [<ffffffff813e1a4f>] SYSC_timer_settime kernel/time/posix-timers.c:916 [inline] [<ffffffff813e1a4f>] SyS_timer_settime+0x2cf/0x3d0 kernel/time/posix-timers.c:885 [<ffffffff82c2fb61>] entry_SYSCALL_64_fastpath+0x1e/0x9e ================================================================================

7 years

1
0
0 0

[PATCH 4.14 000/143] 4.14.79-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.14.79 release. There are 143 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sun Nov 4 18:27:59 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.79-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.14.79-rc1 Davide Caratti <dcaratti(a)redhat.com> net/sched: cls_api: add missing validation of netlink attributes Florian Fainelli <f.fainelli(a)gmail.com> net: bcmgenet: Poll internal PHY for GENETv5 Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: ipmr: fix unresolved entry dumps Ido Schimmel <idosch(a)mellanox.com> rtnetlink: Disallow FDB configuration for non-Ethernet device Eric Dumazet <edumazet(a)google.com> net/mlx5e: fix csum adjustments caused by RXFCS Dimitris Michailidis <dmichail(a)google.com> net: fix pskb_trim_rcsum_slow() with odd trim offset Cong Wang <xiyou.wangcong(a)gmail.com> net: drop skb on failure in ip_check_defrag() Phil Sutter <phil(a)nwl.cc> net: sched: Fix for duplicate class dump Huy Nguyen <huyn(a)mellanox.com> net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type Jaime Caamaño Ruiz <jcaamano(a)suse.com> openvswitch: Fix push/pop ethernet validation Stefano Brivio <sbrivio(a)redhat.com> ip6_tunnel: Fix encapsulation layout Tobias Jungel <tobias.jungel(a)gmail.com> bonding: fix length of actor system Wenwen Wang <wang6495(a)umn.edu> ethtool: fix a privilege escalation bug Ake Koomsin <ake(a)igel.co.jp> virtio_net: avoid using netif_tx_disable() for serializing tx routine Jason Wang <jasowang(a)redhat.com> vhost: Fix Spectre V1 vulnerability Paolo Abeni <pabeni(a)redhat.com> udp6: fix encap return code for resubmitting Marcelo Ricardo Leitner <marcelo.leitner(a)gmail.com> sctp: fix race on sctp_id2asoc Heiner Kallweit <hkallweit1(a)gmail.com> r8169: fix NAPI handling under high load Sean Tranchetti <stranche(a)codeaurora.org> net: udp: fix handling of CHECKSUM_COMPLETE packets Niklas Cassel <niklas.cassel(a)linaro.org> net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules Wenwen Wang <wang6495(a)umn.edu> net: socket: fix a missing-check bug Jakub Kicinski <jakub.kicinski(a)netronome.com> net: sched: gred: pass the right attribute to gred_change_table_def() David Ahern <dsahern(a)gmail.com> net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs Fugang Duan <fugang.duan(a)nxp.com> net: fec: don't dump RX FIFO register when not available Cong Wang <xiyou.wangcong(a)gmail.com> llc: set SOCK_RCU_FREE in llc_sap_add_socket() Stefano Brivio <sbrivio(a)redhat.com> ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called Eric Dumazet <edumazet(a)google.com> ipv6: mcast: fix a use-after-free in inet6_mc_check Nikolay Aleksandrov <nikolay(a)cumulusnetworks.com> net: bridge: remove ipv6 zero address check in mcast queries Hangbin Liu <liuhangbin(a)gmail.com> bridge: do not add port to router list when receives query with source 0.0.0.0 Colin Ian King <colin.king(a)canonical.com> drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path Rasmus Villemoes <linux(a)rasmusvillemoes.dk> perf tools: Disable parallelism for 'make clean' Sasha Levin <sashal(a)kernel.org> Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing" Takashi Iwai <tiwai(a)suse.de> ALSA: usx2y: Fix invalid stream URBs Philipp Zabel <philipp.zabel(a)gmail.com> media: uvcvideo: Fix driver reference counting Chris Paterson <chris.paterson2(a)renesas.com> ARM: dts: r8a7790: Correct critical CPU temperature Peter Xu <peterx(a)redhat.com> kvm: x86: fix WARN due to uninitialized guest FPU state Kimmo Rautkoski <ext-kimmo.rautkoski(a)vaisala.com> mtd: spi-nor: Add support for is25wp series chips Christoph Paasch <cpaasch(a)apple.com> sch_netem: restore skb->dev after dequeuing from the rbtree Khazhismel Kumykov <khazhy(a)google.com> fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() Paolo Abeni <pabeni(a)redhat.com> selftests: rtnetlink.sh explicitly requires bash. Arthur Kiyanovski <akiyano(a)amazon.com> net: ena: fix NULL dereference due to untimely napi initialization Arthur Kiyanovski <akiyano(a)amazon.com> net: ena: fix warning in rmmod caused by double iounmap David Howells <dhowells(a)redhat.com> rxrpc: Fix connection-level abort handling David Howells <dhowells(a)redhat.com> rxrpc: Only take the rwind and mtu values from latest ACK David Howells <dhowells(a)redhat.com> rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window() Arnaldo Carvalho de Melo <acme(a)redhat.com> perf python: Use -Wno-redundant-decls to build with PYTHON=python3 Sascha Hauer <s.hauer(a)pengutronix.de> ARM: dts: imx53-qsb: disable 1.2GHz OPP Paul Burton <paul.burton(a)mips.com> compiler.h: Allow arch-specific asm/compiler.h Sandipan Das <sandipan(a)linux.ibm.com> perf tests: Fix indexing when invoking subtests Daniel Mack <daniel(a)zonque.org> libertas: call into generic suspend code before turning off power Masahiro Yamada <yamada.masahiro(a)socionext.com> kconfig: fix the rule of mainmenu_stmt symbol Arnd Bergmann <arnd(a)arndb.de> net: stmmac: mark PM functions as __maybe_unused Dan Carpenter <dan.carpenter(a)oracle.com> x86/paravirt: Fix some warning messages Florian Fainelli <f.fainelli(a)gmail.com> net: phy: phylink: Don't release NULL GPIO Qu Wenruo <wqu(a)suse.com> btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf Martin K. Petersen <martin.petersen(a)oracle.com> scsi: sd: Remember that READ CAPACITY(16) succeeded Brian King <brking(a)linux.vnet.ibm.com> scsi: ibmvfc: Avoid unnecessary port relogin Michael Neuling <mikey(a)neuling.org> selftests/powerpc: Add ptrace hw breakpoint test Phil Reid <preid(a)electromag.com.au> iio: buffer: fix the function signature to match implementation Govindarajulu Varadarajan <gvaradar(a)cisco.com> enic: do not overwrite error code Phil Elwell <phil(a)raspberrypi.org> lan78xx: Don't reset the interface on open Paul Burton <paul.burton(a)mips.com> MIPS: Workaround GCC __builtin_unreachable reordering bug John Keeping <john(a)metanate.com> mmc: dw_mmc-rockchip: correct property names in debug Jason Gunthorpe <jgg(a)mellanox.com> IB/usnic: Update with bug fixes from core code Ross Lagerwall <ross.lagerwall(a)citrix.com> xen-netfront: Fix mismatched rtnl_unlock Ross Lagerwall <ross.lagerwall(a)citrix.com> xen-netfront: Update features after registering netdev Winkler, Tomas <tomas.winkler(a)intel.com> tpm: tpm_crb: relinquish locality on error path. John Fastabend <john.fastabend(a)gmail.com> bpf: sockmap, map_release does not hold refcnt for pinned maps Nayna Jain <nayna(a)linux.vnet.ibm.com> tpm: move the delay_msec increment after sleep in tpm_transmit() David S. Miller <davem(a)davemloft.net> sparc64: Fix regression in pmdp_invalidate(). KarimAllah Ahmed <karahmed(a)amazon.de> KVM: x86: Update the exit_qualification access bits while walking an address Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches Geert Uytterhoeven <geert(a)linux-m68k.org> cifs: Use ULL suffix for 64-bit constant James Chapman <jchapman(a)katalix.com> l2tp: remove configurable payload offset Marcel Ziswiler <marcel.ziswiler(a)toradex.com> ARM: tegra: Fix ULPI regression on Tegra20 Noa Osherovich <noaos(a)mellanox.com> IB/mlx5: Avoid passing an invalid QP type to firmware Stefan Agner <stefan(a)agner.ch> kbuild: set no-integrated-as before incl. arch Makefile Ben Hutchings <ben.hutchings(a)codethink.co.uk> scsi: qla2xxx: Avoid double completion of abort command Shay Agroskin <shayag(a)mellanox.com> net/mlx5e: Refine ets validation function Kevin Hao <haokexin(a)gmail.com> net: phy: Add general dummy stubs for MMD register access Kevin Hao <haokexin(a)gmail.com> net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b Milan Broz <gmazyland(a)gmail.com> dm integrity: fail early if required HMAC key is not available Corentin Labbe <clabbe(a)baylibre.com> powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n Israel Rukshin <israelr(a)mellanox.com> net/mlx5: Fix mlx5_get_vector_affinity function Julian Wiedmann <jwi(a)linux.vnet.ibm.com> s390/qeth: fix error handling in adapter command callbacks Doug Ledford <dledford(a)redhat.com> IB/rxe: put the pool on allocation failure Alex Vesker <valex(a)mellanox.com> IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush Arnd Bergmann <arnd(a)arndb.de> scsi: aacraid: address UBSAN warning regression Shuah Khan <shuah(a)kernel.org> usbip: vhci_hcd: update 'status' file header and format Dan Williams <dan.j.williams(a)intel.com> tools/testing/nvdimm: unit test clear-error commands Andy Lutomirski <luto(a)kernel.org> x86/power: Fix some ordering bugs in __restore_processor_context() Emmanuel Grumbach <emmanuel.grumbach(a)intel.com> iwlwifi: fix the ALIVE notification layout Liad Kaufman <liad.kaufman(a)intel.com> iwlwifi: dbg: allow wrt collection before ALIVE Sara Sharon <sara.sharon(a)intel.com> iwlwifi: mvm: check for short GI only for OFDM Larry Chen <lchen(a)suse.com> ocfs2: fix crash in ocfs2_duplicate_clusters_by_page() Wenwen Wang <wang6495(a)umn.edu> yam: fix a missing-check bug Wenwen Wang <wang6495(a)umn.edu> net: cxgb3_main: fix a missing-check bug Davide Caratti <dcaratti(a)redhat.com> be2net: don't flip hw_features when VXLANs are added/deleted Guenter Roeck <linux(a)roeck-us.net> locking/ww_mutex: Fix runtime warning in the WW mutex selftest Sean Tranchetti <stranche(a)codeaurora.org> net: qualcomm: rmnet: Skip processing loopback packets Maciej W. Rozycki <macro(a)linux-mips.org> declance: Fix continuation with the adapter identification message Rickard x Andersson <rickaran(a)axis.com> net: fec: fix rare tx timeout Natarajan, Janakarajan <Janakarajan.Natarajan(a)amd.com> perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events Kan Liang <kan.liang(a)linux.intel.com> perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX Jiri Olsa <jolsa(a)redhat.com> perf/ring_buffer: Prevent concurent ring buffer access Peter Zijlstra <peterz(a)infradead.org> perf/core: Fix perf_pmu_unregister() locking Yu Zhao <yuzhao(a)google.com> cfg80211: fix use-after-free in reg_process_hint() Florian Fainelli <f.fainelli(a)gmail.com> smsc95xx: Check for Wake-on-LAN modes Florian Fainelli <f.fainelli(a)gmail.com> smsc75xx: Check for Wake-on-LAN modes Florian Fainelli <f.fainelli(a)gmail.com> r8152: Check for supported Wake-on-LAN Modes Florian Fainelli <f.fainelli(a)gmail.com> sr9800: Check for supported Wake-on-LAN modes Florian Fainelli <f.fainelli(a)gmail.com> lan78xx: Check for supported Wake-on-LAN modes Florian Fainelli <f.fainelli(a)gmail.com> ax88179_178a: Check for supported Wake-on-LAN modes Florian Fainelli <f.fainelli(a)gmail.com> asix: Check for supported Wake-on-LAN modes Masashi Honma <masashi.honma(a)gmail.com> nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds Nathan Chancellor <natechancellor(a)gmail.com> qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt Nathan Chancellor <natechancellor(a)gmail.com> qed: Avoid constant logical operation warning in qed_vf_pf_acquire Nathan Chancellor <natechancellor(a)gmail.com> qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor Nathan Chancellor <natechancellor(a)gmail.com> qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv Nathan Chancellor <natechancellor(a)gmail.com> qed: Avoid implicit enum conversion in qed_set_tunn_cls_info Lubomir Rintel <lkundrak(a)v3.sk> pxa168fb: prepare the clock Matias Karhumaa <matias.karhumaa(a)gmail.com> Bluetooth: SMP: fix crash in unpairing Martin Willi <martin(a)strongswan.org> mac80211_hwsim: do not omit multicast announce of first added radio Masashi Honma <masashi.honma(a)gmail.com> nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT Zhao Qiang <qiang.zhao(a)nxp.com> soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift() Alexandre Belloni <alexandre.belloni(a)bootlin.com> soc: fsl: qbman: qman: avoid allocating from non existing gen_pool Michal Simek <michal.simek(a)xilinx.com> net: macb: Clean 64b dma addresses if they are not detected Florian Fainelli <f.fainelli(a)gmail.com> ARM: dts: BCM63xx: Fix incorrect interrupt specifiers Steve Capper <steve.capper(a)arm.com> arm64: hugetlb: Fix handling of young ptes David Ahern <dsahern(a)gmail.com> netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev Sean Tranchetti <stranche(a)codeaurora.org> xfrm: validate template mode Thomas Petazzoni <thomas.petazzoni(a)free-electrons.com> ARM: 8799/1: mm: fix pci_ioremap_io() offset check Steffen Klassert <steffen.klassert(a)secunet.com> xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry. Yuan-Chi Pang <fu3mo6goo(a)gmail.com> mac80211: fix TX status reporting for ieee80211s Johannes Berg <johannes.berg(a)intel.com> mac80211: TDLS: fix skb queue/priority assignment Jouni Malinen <jouni(a)codeaurora.org> cfg80211: Address some corner cases in scan result channel updating Bob Copeland <me(a)bobcopeland.com> mac80211: fix pending queue hang due to TX_DROP Andrei Otcheretianski <andrei.otcheretianski(a)intel.com> cfg80211: reg: Init wiphy_idx in regulatory_hint_core() Andrei Otcheretianski <andrei.otcheretianski(a)intel.com> mac80211: Always report TX status Sowmini Varadhan <sowmini.varadhan(a)oracle.com> xfrm: reset crypto_done when iterating over multiple input xfrms Sowmini Varadhan <sowmini.varadhan(a)oracle.com> xfrm: reset transport header back to network header after all input transforms ahave been applied Thadeu Lima de Souza Cascardo <cascardo(a)canonical.com> xfrm6: call kfree_skb when skb is toobig Steffen Klassert <steffen.klassert(a)secunet.com> xfrm: Validate address prefix lengths in the xfrm selector. ------------- Diffstat: Makefile | 8 +- arch/Kconfig | 8 + arch/arm/boot/dts/bcm63138.dtsi | 14 +- arch/arm/boot/dts/imx53-qsb-common.dtsi | 11 + arch/arm/boot/dts/r8a7790.dtsi | 2 +- arch/arm/boot/dts/tegra20.dtsi | 2 +- arch/arm/mm/ioremap.c | 2 +- arch/arm64/mm/hugetlbpage.c | 12 +- arch/mips/Kconfig | 1 + arch/mips/include/asm/compiler.h | 35 +++ arch/powerpc/include/asm/topology.h | 3 + arch/sparc/mm/tlb.c | 19 +- arch/x86/events/amd/uncore.c | 10 + arch/x86/events/intel/uncore_snbep.c | 12 +- arch/x86/include/asm/perf_event.h | 8 + arch/x86/kernel/paravirt.c | 4 +- arch/x86/kvm/paging_tmpl.h | 11 +- arch/x86/kvm/x86.c | 6 +- arch/x86/power/cpu.c | 21 +- drivers/char/tpm/tpm-interface.c | 3 +- drivers/char/tpm/tpm_crb.c | 10 +- drivers/gpu/drm/i915/gvt/cmd_parser.c | 1 + drivers/infiniband/hw/mlx5/main.c | 2 +- drivers/infiniband/hw/mlx5/qp.c | 7 +- drivers/infiniband/hw/usnic/usnic_ib_verbs.c | 2 +- drivers/infiniband/hw/usnic/usnic_uiom.c | 40 ++- drivers/infiniband/hw/usnic/usnic_uiom.h | 5 +- drivers/infiniband/sw/rxe/rxe_pool.c | 16 +- drivers/infiniband/ulp/ipoib/ipoib_ib.c | 7 +- drivers/md/dm-integrity.c | 3 + drivers/media/usb/uvc/uvc_driver.c | 11 +- drivers/mmc/host/dw_mmc-rockchip.c | 4 +- drivers/mtd/spi-nor/spi-nor.c | 6 + drivers/net/bonding/bond_netlink.c | 3 +- drivers/net/ethernet/amazon/ena/ena_netdev.c | 18 +- drivers/net/ethernet/amd/declance.c | 10 +- drivers/net/ethernet/broadcom/genet/bcmmii.c | 9 +- drivers/net/ethernet/cadence/macb_main.c | 1 + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 17 + drivers/net/ethernet/cisco/enic/enic_main.c | 9 +- drivers/net/ethernet/emulex/benet/be_main.c | 5 +- drivers/net/ethernet/freescale/fec.h | 4 + drivers/net/ethernet/freescale/fec_main.c | 24 +- drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 17 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 45 +-- drivers/net/ethernet/mellanox/mlx5/core/eq.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_iwarp.c | 4 +- drivers/net/ethernet/qlogic/qed/qed_roce.c | 15 +- drivers/net/ethernet/qlogic/qed/qed_sp_commands.c | 2 +- drivers/net/ethernet/qlogic/qed/qed_vf.c | 5 +- .../net/ethernet/qualcomm/rmnet/rmnet_handlers.c | 3 + drivers/net/ethernet/realtek/r8169.c | 8 +- drivers/net/ethernet/stmicro/stmmac/stmmac_mdio.c | 2 +- drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 4 +- drivers/net/hamradio/yam.c | 4 + drivers/net/phy/phy_device.c | 17 + drivers/net/phy/phylink.c | 2 +- drivers/net/phy/realtek.c | 2 + drivers/net/usb/asix_common.c | 3 + drivers/net/usb/ax88179_178a.c | 3 + drivers/net/usb/lan78xx.c | 21 +- drivers/net/usb/r8152.c | 3 + drivers/net/usb/smsc75xx.c | 3 + drivers/net/usb/smsc95xx.c | 3 + drivers/net/usb/sr9800.c | 3 + drivers/net/virtio_net.c | 5 +- drivers/net/wireless/intel/iwlwifi/fw/api/alive.h | 4 +- drivers/net/wireless/intel/iwlwifi/fw/dbg.c | 15 +- drivers/net/wireless/intel/iwlwifi/mvm/rx.c | 3 +- drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c | 4 +- drivers/net/wireless/mac80211_hwsim.c | 3 +- drivers/net/wireless/marvell/libertas/if_sdio.c | 4 + drivers/net/xen-netfront.c | 11 +- drivers/s390/net/qeth_core_main.c | 85 +++-- drivers/scsi/aacraid/commsup.c | 8 +- drivers/scsi/ibmvscsi/ibmvfc.c | 6 +- drivers/scsi/qla2xxx/qla_init.c | 4 +- drivers/scsi/sd.c | 2 + drivers/soc/fsl/qbman/qman.c | 3 + drivers/soc/fsl/qe/ucc.c | 2 +- drivers/usb/usbip/vhci_sysfs.c | 12 +- drivers/vhost/vhost.c | 2 + drivers/video/fbdev/pxa168fb.c | 6 +- fs/btrfs/qgroup.c | 4 +- fs/cifs/inode.c | 2 +- fs/fat/fatent.c | 1 + fs/ocfs2/refcounttree.c | 16 +- include/linux/bpf.h | 2 +- include/linux/compiler_types.h | 12 + include/linux/iio/buffer-dma.h | 2 +- include/linux/mlx5/driver.h | 12 +- include/linux/phy.h | 4 + kernel/bpf/arraymap.c | 3 +- kernel/bpf/sockmap.c | 4 +- kernel/bpf/syscall.c | 4 +- kernel/events/core.c | 11 +- kernel/locking/test-ww_mutex.c | 10 +- lib/test_bpf.c | 2 +- net/bluetooth/mgmt.c | 7 +- net/bluetooth/smp.c | 29 +- net/bluetooth/smp.h | 3 +- net/bridge/br_multicast.c | 9 +- net/bridge/br_netfilter_hooks.c | 3 +- net/core/datagram.c | 5 +- net/core/ethtool.c | 8 +- net/core/rtnetlink.c | 10 + net/core/skbuff.c | 5 +- net/ipv4/ip_fragment.c | 12 +- net/ipv4/ipmr.c | 2 - net/ipv4/udp.c | 20 +- net/ipv4/xfrm4_input.c | 1 + net/ipv4/xfrm4_mode_transport.c | 4 +- net/ipv6/addrconf.c | 6 +- net/ipv6/ip6_checksum.c | 20 +- net/ipv6/ip6_tunnel.c | 9 +- net/ipv6/mcast.c | 16 +- net/ipv6/ndisc.c | 3 +- net/ipv6/netfilter/nf_conntrack_reasm.c | 2 - net/ipv6/udp.c | 6 +- net/ipv6/xfrm6_input.c | 1 + net/ipv6/xfrm6_mode_transport.c | 4 +- net/ipv6/xfrm6_output.c | 2 + net/l2tp/l2tp_core.c | 14 +- net/l2tp/l2tp_core.h | 3 - net/l2tp/l2tp_debugfs.c | 4 +- net/l2tp/l2tp_netlink.c | 3 - net/llc/llc_conn.c | 1 + net/mac80211/mesh.h | 3 +- net/mac80211/mesh_hwmp.c | 9 +- net/mac80211/status.c | 11 +- net/mac80211/tdls.c | 8 +- net/mac80211/tx.c | 2 +- net/openvswitch/flow_netlink.c | 4 +- net/rxrpc/ar-internal.h | 4 +- net/rxrpc/call_accept.c | 4 +- net/rxrpc/conn_event.c | 26 +- net/rxrpc/input.c | 54 ++-- net/sched/cls_api.c | 7 +- net/sched/sch_api.c | 3 +- net/sched/sch_gred.c | 2 +- net/sched/sch_netem.c | 4 + net/sctp/socket.c | 5 +- net/socket.c | 11 +- net/wireless/nl80211.c | 20 +- net/wireless/reg.c | 8 +- net/wireless/scan.c | 58 +++- net/xfrm/xfrm_input.c | 1 + net/xfrm/xfrm_output.c | 4 + net/xfrm/xfrm_policy.c | 4 + net/xfrm/xfrm_user.c | 15 + scripts/kconfig/zconf.y | 4 +- sound/usb/usx2y/usb_stream.c | 23 +- tools/perf/Makefile | 4 +- tools/perf/tests/builtin-test.c | 4 +- tools/perf/util/setup.py | 2 +- tools/testing/nvdimm/test/nfit.c | 18 ++ tools/testing/selftests/net/rtnetlink.sh | 2 +- tools/testing/selftests/powerpc/ptrace/.gitignore | 1 + tools/testing/selftests/powerpc/ptrace/Makefile | 2 +- .../selftests/powerpc/ptrace/ptrace-hwbreak.c | 342 +++++++++++++++++++++ 160 files changed, 1231 insertions(+), 495 deletions(-)

7 years

10
165
0 0

[PATCH] mm, memory_hotplug: teach has_unmovable_pages about of LRU migrateable pages

by Michal Hocko

From: Michal Hocko <mhocko(a)suse.com> Baoquan He has noticed that 15c30bc09085 ("mm, memory_hotplug: make has_unmovable_pages more robust") is causing memory offlining failures on a movable node. After a further debugging it turned out that has_unmovable_pages fails prematurely because it stumbles over off-LRU pages. Nevertheless those pages are not on LRU because they are waiting on the pcp LRU caches (an example of __dump_page added by a debugging patch) [ 560.923297] page:ffffea043f39fa80 count:1 mapcount:0 mapping:ffff880e5dce1b59 index:0x7f6eec459 [ 560.931967] flags: 0x5fffffc0080024(uptodate|active|swapbacked) [ 560.937867] raw: 005fffffc0080024 dead000000000100 dead000000000200 ffff880e5dce1b59 [ 560.945606] raw: 00000007f6eec459 0000000000000000 00000001ffffffff ffff880e43ae8000 [ 560.953323] page dumped because: hotplug [ 560.957238] page->mem_cgroup:ffff880e43ae8000 [ 560.961620] has_unmovable_pages: pfn:0x10fd030d, found:0x1, count:0x0 [ 560.968127] page:ffffea043f40c340 count:2 mapcount:0 mapping:ffff880e2f2d8628 index:0x0 [ 560.976104] flags: 0x5fffffc0000006(referenced|uptodate) [ 560.981401] raw: 005fffffc0000006 dead000000000100 dead000000000200 ffff880e2f2d8628 [ 560.989119] raw: 0000000000000000 0000000000000000 00000002ffffffff ffff88010a8f5000 [ 560.996833] page dumped because: hotplug The issue could be worked around by calling lru_add_drain_all but we can do better than that. We know that all swap backed pages are migrateable and the same applies for pages which do implement the migratepage callback. Reported-by: Baoquan He <bhe(a)redhat.com> Fixes: 15c30bc09085 ("mm, memory_hotplug: make has_unmovable_pages more robust") Cc: stable Signed-off-by: Michal Hocko <mhocko(a)suse.com> --- Hi, we have been discussing issue reported by Baoquan [1] mostly off-list and he has confirmed the patch solved failures he is seeing. I believe that has_unmovable_pages begs for a much better implementation and/or substantial pages isolation design rethinking but let's close the bug which can be really annoying first. [1] http://lkml.kernel.org/r/20181101091055.GA15166@MiWiFi-R3L-srv mm/page_alloc.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/mm/page_alloc.c b/mm/page_alloc.c index 863d46da6586..48ceda313332 100644 --- a/mm/page_alloc.c +++ b/mm/page_alloc.c @@ -7824,8 +7824,22 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count, if (__PageMovable(page)) continue; - if (!PageLRU(page)) - found++; + if (PageLRU(page)) + continue; + + /* + * Some LRU pages might be temporarily off-LRU for all + * sort of different reasons - reclaim, migration, + * per-cpu LRU caches etc. + * Make sure we do not consider those pages to be unmovable. + */ + if (PageSwapBacked(page)) + continue; + + if (page->mapping && page->mapping->a_ops && + page->mapping->a_ops->migratepage) + continue; + /* * If there are RECLAIMABLE pages, we need to check * it. But now, memory offline itself doesn't call @@ -7839,7 +7853,7 @@ bool has_unmovable_pages(struct zone *zone, struct page *page, int count, * is set to both of a memory hole page and a _used_ kernel * page at boot. */ - if (found > count) + if (++found > count) goto unmovable; } return false; -- 2.19.1

7 years

2
16
0 0

[PATCH v3 01/11] mtd: cfi_cmdset_0002: Change do_write_oneword() to use chip_good()

by Tokunori Ikegami

In OpenWrt Project the flash write error caused on some products. Also the issue can be fixed by using chip_good() instead of chip_ready(). The chip_ready() just checks the value from flash memory twice. And the chip_good() checks the value with the expected value. Probably the issue can be fixed as checked correctly by the chip_good(). So change to use chip_good() instead of chip_ready(). Signed-off-by: Tokunori Ikegami <ikegami(a)allied-telesis.co.jp> Signed-off-by: Hauke Mehrtens <hauke(a)hauke-m.de> Signed-off-by: Koen Vandeputte <koen.vandeputte(a)ncentric.com> Signed-off-by: Fabio Bettoni <fbettoni(a)gmail.com> Co-Developed-by: Hauke Mehrtens <hauke(a)hauke-m.de> Co-Developed-by: Koen Vandeputte <koen.vandeputte(a)ncentric.com> Co-Developed-by: Fabio Bettoni <fbettoni(a)gmail.com> Reported-by: Fabio Bettoni <fbettoni(a)gmail.com> Cc: Chris Packham <chris.packham(a)alliedtelesis.co.nz> Cc: Joakim Tjernlund <Joakim.Tjernlund(a)infinera.com> Cc: Boris Brezillon <boris.brezillon(a)free-electrons.com> Cc: linux-mtd(a)lists.infradead.org Cc: stable(a)vger.kernel.org --- Changes since v2: - Just update the commit message for the comment. Changes since v1: - Just update the commit message. Background: This is required for OpenWrt Project to result the flash write issue as below patche. <https://git.openwrt.org/?p=openwrt/openwrt.git;a=commitdiff;h=ddc11c3932c7b…> Also the original patch in OpenWRT is below. <https://github.com/openwrt/openwrt/blob/v18.06.0/target/linux/ar71xx/patche…> The reason to use chip_good() is that just actually fix the issue. And also in the past I had fixed the erase function also as same way by the patch below. <https://patchwork.ozlabs.org/patch/922656/> Note: The reason for the patch for erase is same. In my understanding the chip_ready() is just checked the value twice from flash. So I think that sometimes incorrect value is read twice and it is depended on the flash device behavior but not sure.. So change to use chip_good() instead of chip_ready(). drivers/mtd/chips/cfi_cmdset_0002.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c index 72428b6bfc47..251c9e1675bd 100644 --- a/drivers/mtd/chips/cfi_cmdset_0002.c +++ b/drivers/mtd/chips/cfi_cmdset_0002.c @@ -1627,31 +1627,37 @@ static int __xipram do_write_oneword(struct map_info *map, struct flchip *chip, continue; } - if (time_after(jiffies, timeo) && !chip_ready(map, adr)){ + if (chip_good(map, adr, datum)) + break; + + if (time_after(jiffies, timeo)){ xip_enable(map, chip, adr); printk(KERN_WARNING "MTD %s(): software timeout\n", __func__); xip_disable(map, chip, adr); + ret = -EIO; break; } - if (chip_ready(map, adr)) - break; - /* Latency issues. Drop the lock, wait a while and retry */ UDELAY(map, chip, adr, 1); } + /* Did we succeed? */ - if (!chip_good(map, adr, datum)) { + if (ret) { /* reset on all failures. */ map_write(map, CMD(0xF0), chip->start); /* FIXME - should have reset delay before continuing */ - if (++retry_cnt <= MAX_RETRIES) + if (++retry_cnt <= MAX_RETRIES) { + ret = 0; goto retry; + } ret = -EIO; } + xip_enable(map, chip, adr); + op_done: if (mode == FL_OTP_WRITE) otp_exit(map, chip, adr, map_bankwidth(map)); -- 2.18.0

7 years

4
9
0 0

[PATCH v2] xen-blkfront: fix kernel panic with negotiate_mq error path

by Manjunath Patil

info->nr_rings isn't adjusted in case of ENOMEM error from negotiate_mq(). This leads to kernel panic in error path. Typical call stack involving panic - #8 page_fault at ffffffff8175936f [exception RIP: blkif_free_ring+33] RIP: ffffffffa0149491 RSP: ffff8804f7673c08 RFLAGS: 00010292 ... #9 blkif_free at ffffffffa0149aaa [xen_blkfront] #10 talk_to_blkback at ffffffffa014c8cd [xen_blkfront] #11 blkback_changed at ffffffffa014ea8b [xen_blkfront] #12 xenbus_otherend_changed at ffffffff81424670 #13 backend_changed at ffffffff81426dc3 #14 xenwatch_thread at ffffffff81422f29 #15 kthread at ffffffff810abe6a #16 ret_from_fork at ffffffff81754078 Cc: stable(a)vger.kernel.org Fixes: 7ed8ce1c5fc7 ("xen-blkfront: move negotiate_mq to cover all cases of new VBDs") Signed-off-by: Manjunath Patil <manjunath.b.patil(a)oracle.com> --- drivers/block/xen-blkfront.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c index 429d201..5d84da2 100644 --- a/drivers/block/xen-blkfront.c +++ b/drivers/block/xen-blkfront.c @@ -1919,6 +1919,7 @@ static int negotiate_mq(struct blkfront_info *info) GFP_KERNEL); if (!info->rinfo) { xenbus_dev_fatal(info->xbdev, -ENOMEM, "allocating ring_info structure"); + info->nr_rings = 0; return -ENOMEM; } -- 1.7.1

7 years

3
3
0 0

[PATCH] vfs: swap names of {do,vfs}_clone_file_range()

by Amir Goldstein

commit a725356b6659469d182d662f22d770d83d3bc7b5 upstream. Commit 031a072a0b8a ("vfs: call vfs_clone_file_range() under freeze protection") created a wrapper do_clone_file_range() around vfs_clone_file_range() moving the freeze protection to former, so overlayfs could call the latter. The more common vfs practice is to call do_xxx helpers from vfs_xxx helpers, where freeze protecction is taken in the vfs_xxx helper, so this anomality could be a source of confusion. It seems that commit 8ede205541ff ("ovl: add reflink/copyfile/dedup support") may have fallen a victim to this confusion - ovl_clone_file_range() calls the vfs_clone_file_range() helper in the hope of getting freeze protection on upper fs, but in fact results in overlayfs allowing to bypass upper fs freeze protection. Swap the names of the two helpers to conform to common vfs practice and call the correct helpers from overlayfs and nfsd. Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> Signed-off-by: Miklos Szeredi <mszeredi(a)redhat.com> Fixes: 031a072a0b8a ("vfs: call vfs_clone_file_range() under freeze...") Signed-off-by: Amir Goldstein <amir73il(a)gmail.com> --- Greg, The upstream commit (-rc8) is not a bug fix, it's a vfs API fix. If we do not apply it to stable kernels, we are going to have a backporting landmine, should a future fix use vfs_clone_file_range() it will not do the same thing upstream and in stable. I backported the change to linux-4.18.y and added the Fixes label. I verified that there are no pathces between the Fixes commit and current master that use {vfs,do}_clone_file_range() and could be considered for backporting to stable (all thoses that can be considered are already in stable). I verified that that with this backport applies to v4.18.16 there are no regression of quick clone tests in xfstests with overlayfs and with xfs. Backport patch also applies cleanly to v4.14.78. Thanks, Amir. fs/ioctl.c | 2 +- fs/nfsd/vfs.c | 3 ++- fs/overlayfs/copy_up.c | 2 +- fs/read_write.c | 17 +++++++++++++++-- include/linux/fs.h | 17 +++-------------- 5 files changed, 22 insertions(+), 19 deletions(-) diff --git a/fs/ioctl.c b/fs/ioctl.c index b445b13fc59b..5444fec607ce 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -229,7 +229,7 @@ static long ioctl_file_clone(struct file *dst_file, unsigned long srcfd, ret = -EXDEV; if (src_file.file->f_path.mnt != dst_file->f_path.mnt) goto fdput; - ret = do_clone_file_range(src_file.file, off, dst_file, destoff, olen); + ret = vfs_clone_file_range(src_file.file, off, dst_file, destoff, olen); fdput: fdput(src_file); return ret; diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c index b0555d7d8200..613d2fe2dddd 100644 --- a/fs/nfsd/vfs.c +++ b/fs/nfsd/vfs.c @@ -541,7 +541,8 @@ __be32 nfsd4_set_nfs4_label(struct svc_rqst *rqstp, struct svc_fh *fhp, __be32 nfsd4_clone_file_range(struct file *src, u64 src_pos, struct file *dst, u64 dst_pos, u64 count) { - return nfserrno(do_clone_file_range(src, src_pos, dst, dst_pos, count)); + return nfserrno(vfs_clone_file_range(src, src_pos, dst, dst_pos, + count)); } ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst, diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c index ddaddb4ce4c3..26b477f2538d 100644 --- a/fs/overlayfs/copy_up.c +++ b/fs/overlayfs/copy_up.c @@ -156,7 +156,7 @@ static int ovl_copy_up_data(struct path *old, struct path *new, loff_t len) } /* Try to use clone_file_range to clone up within the same fs */ - error = vfs_clone_file_range(old_file, 0, new_file, 0, len); + error = do_clone_file_range(old_file, 0, new_file, 0, len); if (!error) goto out; /* Couldn't clone, so now we try to copy the data */ diff --git a/fs/read_write.c b/fs/read_write.c index 153f8f690490..c9d489684335 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1818,8 +1818,8 @@ int vfs_clone_file_prep_inodes(struct inode *inode_in, loff_t pos_in, } EXPORT_SYMBOL(vfs_clone_file_prep_inodes); -int vfs_clone_file_range(struct file *file_in, loff_t pos_in, - struct file *file_out, loff_t pos_out, u64 len) +int do_clone_file_range(struct file *file_in, loff_t pos_in, + struct file *file_out, loff_t pos_out, u64 len) { struct inode *inode_in = file_inode(file_in); struct inode *inode_out = file_inode(file_out); @@ -1866,6 +1866,19 @@ int vfs_clone_file_range(struct file *file_in, loff_t pos_in, return ret; } +EXPORT_SYMBOL(do_clone_file_range); + +int vfs_clone_file_range(struct file *file_in, loff_t pos_in, + struct file *file_out, loff_t pos_out, u64 len) +{ + int ret; + + file_start_write(file_out); + ret = do_clone_file_range(file_in, pos_in, file_out, pos_out, len); + file_end_write(file_out); + + return ret; +} EXPORT_SYMBOL(vfs_clone_file_range); /* diff --git a/include/linux/fs.h b/include/linux/fs.h index a3afa50bb79f..e73363bd8646 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1813,8 +1813,10 @@ extern ssize_t vfs_copy_file_range(struct file *, loff_t , struct file *, extern int vfs_clone_file_prep_inodes(struct inode *inode_in, loff_t pos_in, struct inode *inode_out, loff_t pos_out, u64 *len, bool is_dedupe); +extern int do_clone_file_range(struct file *file_in, loff_t pos_in, + struct file *file_out, loff_t pos_out, u64 len); extern int vfs_clone_file_range(struct file *file_in, loff_t pos_in, - struct file *file_out, loff_t pos_out, u64 len); + struct file *file_out, loff_t pos_out, u64 len); extern int vfs_dedupe_file_range_compare(struct inode *src, loff_t srcoff, struct inode *dest, loff_t destoff, loff_t len, bool *is_same); @@ -2755,19 +2757,6 @@ static inline void file_end_write(struct file *file) __sb_end_write(file_inode(file)->i_sb, SB_FREEZE_WRITE); } -static inline int do_clone_file_range(struct file *file_in, loff_t pos_in, - struct file *file_out, loff_t pos_out, - u64 len) -{ - int ret; - - file_start_write(file_out); - ret = vfs_clone_file_range(file_in, pos_in, file_out, pos_out, len); - file_end_write(file_out); - - return ret; -} - /* * get_write_access() gets write permission for a file. * put_write_access() releases this write permission. -- 2.7.4

7 years

2
3
0 0

[PATCH v3 04/16] tpm: call tpm2_flush_space() on error in tpm_try_transmit()

by Jarkko Sakkinen

Always call tpm2_flush_space() on failure in tpm_try_transmit() so that the volatile memory of the TPM gets cleared. If /dev/tpm0 does not have sufficient permissions (usually it has), this could leak to the leakage of TPM objects. Through /dev/tpmrm0 this issue does not raise new security concerns. Cc: stable(a)vger.kernel.org Fixes: 745b361e989a ("tpm:tpm: infrastructure for TPM spaces") Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen(a)linux.intel.com> --- drivers/char/tpm/tpm-interface.c | 28 +++++++++++++++++----------- drivers/char/tpm/tpm.h | 1 + drivers/char/tpm/tpm2-space.c | 2 +- 3 files changed, 19 insertions(+), 12 deletions(-) diff --git a/drivers/char/tpm/tpm-interface.c b/drivers/char/tpm/tpm-interface.c index 64510ed81b46..ecda6f96cde0 100644 --- a/drivers/char/tpm/tpm-interface.c +++ b/drivers/char/tpm/tpm-interface.c @@ -224,14 +224,14 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip, rc = tpm2_prepare_space(chip, space, ordinal, buf); if (rc) - goto out; + goto out_idle; rc = chip->ops->send(chip, buf, count); if (rc < 0) { if (rc != -EPIPE) dev_err(&chip->dev, "%s: tpm_send: error %d\n", __func__, rc); - goto out; + goto out_space; } if (chip->flags & TPM_CHIP_FLAG_IRQ) @@ -247,7 +247,7 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip, if (chip->ops->req_canceled(chip, status)) { dev_err(&chip->dev, "Operation Canceled\n"); rc = -ECANCELED; - goto out; + goto out_space; } tpm_msleep(TPM_TIMEOUT_POLL); @@ -257,7 +257,7 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip, chip->ops->cancel(chip); dev_err(&chip->dev, "Operation Timed out\n"); rc = -ETIME; - goto out; + goto out_space; out_recv: len = chip->ops->recv(chip, buf, bufsiz); @@ -265,22 +265,28 @@ static ssize_t tpm_try_transmit(struct tpm_chip *chip, rc = len; dev_err(&chip->dev, "tpm_transmit: tpm_recv: error %d\n", rc); - goto out; + goto out_idle; } else if (len < TPM_HEADER_SIZE) { rc = -EFAULT; - goto out; + goto out_idle; } if (len != be32_to_cpu(header->length)) { rc = -EFAULT; - goto out; + goto out_idle; } - rc = tpm2_commit_space(chip, space, ordinal, buf, &len); - if (rc) - dev_err(&chip->dev, "tpm2_commit_space: error %d\n", rc); +out_space: + if (rc) { + tpm2_flush_space(chip); + } else { + rc = tpm2_commit_space(chip, space, ordinal, buf, &len); + if (rc) + dev_err(&chip->dev, "tpm2_commit_space: error %d\n", + rc); + } -out: +out_idle: /* may fail but do not override previous error value in rc */ tpm_go_idle(chip, flags); diff --git a/drivers/char/tpm/tpm.h b/drivers/char/tpm/tpm.h index 49bca4d1e786..229ac42b644e 100644 --- a/drivers/char/tpm/tpm.h +++ b/drivers/char/tpm/tpm.h @@ -579,6 +579,7 @@ int tpm2_probe(struct tpm_chip *chip); int tpm2_find_cc(struct tpm_chip *chip, u32 cc); int tpm2_init_space(struct tpm_space *space); void tpm2_del_space(struct tpm_chip *chip, struct tpm_space *space); +void tpm2_flush_space(struct tpm_chip *chip); int tpm2_prepare_space(struct tpm_chip *chip, struct tpm_space *space, u32 cc, u8 *cmd); int tpm2_commit_space(struct tpm_chip *chip, struct tpm_space *space, diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c index 1131a8e7b79b..d53c882268ff 100644 --- a/drivers/char/tpm/tpm2-space.c +++ b/drivers/char/tpm/tpm2-space.c @@ -162,7 +162,7 @@ static int tpm2_save_context(struct tpm_chip *chip, u32 handle, u8 *buf, return 0; } -static void tpm2_flush_space(struct tpm_chip *chip) +void tpm2_flush_space(struct tpm_chip *chip) { struct tpm_space *space = &chip->work_space; int i; -- 2.19.1

7 years

2
2
0 0

[PATCH stable 4.18/4.19] bpf: fix partial copy of map_ptr when dst is scalar

by Daniel Borkmann

commit 0962590e553331db2cc0aef2dc35c57f6300dbbe upstream. ALU operations on pointers such as scalar_reg += map_value_ptr are handled in adjust_ptr_min_max_vals(). Problem is however that map_ptr and range in the register state share a union, so transferring state through dst_reg->range = ptr_reg->range is just buggy as any new map_ptr in the dst_reg is then truncated (or null) for subsequent checks. Fix this by adding a raw member and use it for copying state over to dst_reg. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net> Cc: Edward Cree <ecree(a)solarflare.com> Acked-by: Alexei Starovoitov <ast(a)kernel.org> Signed-off-by: Alexei Starovoitov <ast(a)kernel.org> Acked-by: Edward Cree <ecree(a)solarflare.com> --- include/linux/bpf_verifier.h | 3 +++ kernel/bpf/verifier.c | 10 ++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 38b04f5..1fd6fa8 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -50,6 +50,9 @@ struct bpf_reg_state { * PTR_TO_MAP_VALUE_OR_NULL */ struct bpf_map *map_ptr; + + /* Max size from any of the above. */ + unsigned long raw; }; /* Fixed part of pointer offset, pointer types only */ s32 off; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 82e8ede..b000686 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2731,7 +2731,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->umax_value = umax_ptr; dst_reg->var_off = ptr_reg->var_off; dst_reg->off = ptr_reg->off + smin_val; - dst_reg->range = ptr_reg->range; + dst_reg->raw = ptr_reg->raw; break; } /* A new variable offset is created. Note that off_reg->off @@ -2761,10 +2761,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; + dst_reg->raw = ptr_reg->raw; if (reg_is_pkt_pointer(ptr_reg)) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ - dst_reg->range = 0; + dst_reg->raw = 0; } break; case BPF_SUB: @@ -2793,7 +2794,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst_reg->var_off = ptr_reg->var_off; dst_reg->id = ptr_reg->id; dst_reg->off = ptr_reg->off - smin_val; - dst_reg->range = ptr_reg->range; + dst_reg->raw = ptr_reg->raw; break; } /* A new variable offset is created. If the subtrahend is known @@ -2819,11 +2820,12 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); dst_reg->off = ptr_reg->off; + dst_reg->raw = ptr_reg->raw; if (reg_is_pkt_pointer(ptr_reg)) { dst_reg->id = ++env->id_gen; /* something was added to pkt_ptr, set range to zero */ if (smin_val < 0) - dst_reg->range = 0; + dst_reg->raw = 0; } break; case BPF_AND: -- 2.9.5

7 years

2
1
0 0

[PATCH 4.14 0/2] USB: serial: option: Backport Quectel EP06/endpoint patches

by Kristian Evensen

This patch series contains backports for 4.14 of two patches that were submitted to stable, but failed to apply. One patch adds support for dynamic interface configuration on the Quectel EP06, while the other contains an upstream change triggered by the EP06-change. The reason the patches failed to apply, is that option_probe() in option.c has been changed upstream. A slight reshuffling of the changes in "USB: serial: option: improve Quectel EP06 detection" was required. "USB: serial: option: add two-endpoints device-id flag" applied cleanly after the change, but a small change was still needed. The upstream commit removes a variable that is still in use in 4.14, so this change is removed. Signed-off-by: Kristian Evensen <kristian.evensen(a)gmail.com> Johan Hovold (1): USB: serial: option: add two-endpoints device-id flag Kristian Evensen (1): USB: serial: option: improve Quectel EP06 detection drivers/usb/serial/option.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) -- 2.14.1

7 years

2
3
0 0

+ mm-use-kvzalloc-for-swap_info_struct-allocation.patch added to -mm tree

by akpm＠linux-foundation.org

The patch titled Subject: mm/swapfile.c: use kvzalloc for swap_info_struct allocation has been added to the -mm tree. Its filename is mm-use-kvzalloc-for-swap_info_struct-allocation.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/mm-use-kvzalloc-for-swap_info_stru… and later at http://ozlabs.org/~akpm/mmotm/broken-out/mm-use-kvzalloc-for-swap_info_stru… Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/process/submit-checklist.rst when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Vasily Averin <vvs(a)virtuozzo.com> Subject: mm/swapfile.c: use kvzalloc for swap_info_struct allocation a2468cc9bfdf ("swap: choose swap device according to numa node") changed 'avail_lists' field of 'struct swap_info_struct' to an array. In popular linux distros it increased size of swap_info_struct up to 40 Kbytes and now swap_info_struct allocation requires order-4 page. Switch to kvzmalloc allows to avoid unexpected allocation failures. Link: http://lkml.kernel.org/r/fc23172d-3c75-21e2-d551-8b1808cbe593@virtuozzo.com Fixes: a2468cc9bfdf ("swap: choose swap device according to numa node") Signed-off-by: Vasily Averin <vvs(a)virtuozzo.com> Acked-by: Aaron Lu <aaron.lu(a)intel.com> Acked-by: Michal Hocko <mhocko(a)suse.com> Reviewed-by: Andrew Morton <akpm(a)linux-foundation.org> Cc: Huang Ying <ying.huang(a)intel.com> Cc: <stable(a)vger.kernel.org> Signed-off-by: Andrew Morton <akpm(a)linux-foundation.org> --- mm/swapfile.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- a/mm/swapfile.c~mm-use-kvzalloc-for-swap_info_struct-allocation +++ a/mm/swapfile.c @@ -2813,7 +2813,7 @@ static struct swap_info_struct *alloc_sw unsigned int type; int i; - p = kzalloc(sizeof(*p), GFP_KERNEL); + p = kvzalloc(sizeof(*p), GFP_KERNEL); if (!p) return ERR_PTR(-ENOMEM); @@ -2824,7 +2824,7 @@ static struct swap_info_struct *alloc_sw } if (type >= MAX_SWAPFILES) { spin_unlock(&swap_lock); - kfree(p); + kvfree(p); return ERR_PTR(-EPERM); } if (type >= nr_swapfiles) { @@ -2838,7 +2838,7 @@ static struct swap_info_struct *alloc_sw smp_wmb(); nr_swapfiles++; } else { - kfree(p); + kvfree(p); p = swap_info[type]; /* * Do not memset this entry: a racing procfs swap_next() _ Patches currently in -mm which might be from vvs(a)virtuozzo.com are mm-use-kvzalloc-for-swap_info_struct-allocation.patch

7 years

1
0
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror