- Linux-stable-mirror - lists.linaro.org

[PATCH 1/3] tracing: Fix synthetic event to accept unsigned modifier

by Steven Rostedt

From: Masami Hiramatsu <mhiramat(a)kernel.org> Fix synthetic event to accept unsigned modifier for its field type correctly. Currently, synthetic_events interface returns error for "unsigned" modifiers as below; # echo "myevent unsigned long var" >> synthetic_events sh: write error: Invalid argument This is because argv_split() breaks "unsigned long" into "unsigned" and "long", but parse_synth_field() doesn't expected it. With this fix, synthetic_events can handle the "unsigned long" correctly like as below; # echo "myevent unsigned long var" >> synthetic_events # cat synthetic_events myevent unsigned long var Link: http://lkml.kernel.org/r/153986832571.18251.8448135724590496531.stgit@devbox Cc: Shuah Khan <shuah(a)kernel.org> Cc: Tom Zanussi <tom.zanussi(a)linux.intel.com> Cc: stable(a)vger.kernel.org Fixes: commit 4b147936fa50 ("tracing: Add support for 'synthetic' events") Signed-off-by: Masami Hiramatsu <mhiramat(a)kernel.org> Signed-off-by: Steven Rostedt (VMware) <rostedt(a)goodmis.org> --- kernel/trace/trace_events_hist.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/kernel/trace/trace_events_hist.c b/kernel/trace/trace_events_hist.c index 85f6b01431c7..6ff83941065a 100644 --- a/kernel/trace/trace_events_hist.c +++ b/kernel/trace/trace_events_hist.c @@ -738,16 +738,30 @@ static void free_synth_field(struct synth_field *field) kfree(field); } -static struct synth_field *parse_synth_field(char *field_type, - char *field_name) +static struct synth_field *parse_synth_field(int argc, char **argv, + int *consumed) { struct synth_field *field; + const char *prefix = NULL; + char *field_type = argv[0], *field_name; int len, ret = 0; char *array; if (field_type[0] == ';') field_type++; + if (!strcmp(field_type, "unsigned")) { + if (argc < 3) + return ERR_PTR(-EINVAL); + prefix = "unsigned "; + field_type = argv[1]; + field_name = argv[2]; + *consumed = 3; + } else { + field_name = argv[1]; + *consumed = 2; + } + len = strlen(field_name); if (field_name[len - 1] == ';') field_name[len - 1] = '\0'; @@ -760,11 +774,15 @@ static struct synth_field *parse_synth_field(char *field_type, array = strchr(field_name, '['); if (array) len += strlen(array); + if (prefix) + len += strlen(prefix); field->type = kzalloc(len, GFP_KERNEL); if (!field->type) { ret = -ENOMEM; goto free; } + if (prefix) + strcat(field->type, prefix); strcat(field->type, field_type); if (array) { strcat(field->type, array); @@ -1009,7 +1027,7 @@ static int create_synth_event(int argc, char **argv) struct synth_field *field, *fields[SYNTH_FIELDS_MAX]; struct synth_event *event = NULL; bool delete_event = false; - int i, n_fields = 0, ret = 0; + int i, consumed = 0, n_fields = 0, ret = 0; char *name; mutex_lock(&synth_event_mutex); @@ -1061,13 +1079,13 @@ static int create_synth_event(int argc, char **argv) goto err; } - field = parse_synth_field(argv[i], argv[i + 1]); + field = parse_synth_field(argc - i, &argv[i], &consumed); if (IS_ERR(field)) { ret = PTR_ERR(field); goto err; } - fields[n_fields] = field; - i++; n_fields++; + fields[n_fields++] = field; + i += consumed - 1; } if (i < argc) { -- 2.19.0

7 years, 1 month

1
0
0 0

[PATCH v7 01/21] tpm: tpm_i2c_nuvoton: use correct command duration for TPM 2.x

by Tomas Winkler

tpm_i2c_nuvoton calculated commands duration using TPM 1.x values via tpm_calc_ordinal_duration() also for TPM 2.x chips. Call tpm2_calc_ordinal_duration() for retrieving ordinal duration for TPM 2.X chips. Cc: stable(a)vger.kernel.org Cc: Nayna Jain <nayna(a)linux.vnet.ibm.com> Signed-off-by: Tomas Winkler <tomas.winkler(a)intel.com> Reviewed-by: Nayna Jain <nayna(a)linux.ibm.com> Tested-by: Nayna Jain <nayna(a)linux.ibm.com> (For TPM 2.0) --- V7: new in the series. drivers/char/tpm/tpm_i2c_nuvoton.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/char/tpm/tpm_i2c_nuvoton.c b/drivers/char/tpm/tpm_i2c_nuvoton.c index caa86b19c76d..f74f451baf6a 100644 --- a/drivers/char/tpm/tpm_i2c_nuvoton.c +++ b/drivers/char/tpm/tpm_i2c_nuvoton.c @@ -369,6 +369,7 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len) struct device *dev = chip->dev.parent; struct i2c_client *client = to_i2c_client(dev); u32 ordinal; + unsigned long duration; size_t count = 0; int burst_count, bytes2write, retries, rc = -EIO; @@ -455,10 +456,12 @@ static int i2c_nuvoton_send(struct tpm_chip *chip, u8 *buf, size_t len) return rc; } ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); - rc = i2c_nuvoton_wait_for_data_avail(chip, - tpm_calc_ordinal_duration(chip, - ordinal), - &priv->read_queue); + if (chip->flags & TPM_CHIP_FLAG_TPM2) + duration = tpm2_calc_ordinal_duration(chip, ordinal); + else + duration = tpm_calc_ordinal_duration(chip, ordinal); + + rc = i2c_nuvoton_wait_for_data_avail(chip, duration, &priv->read_queue); if (rc) { dev_err(dev, "%s() timeout command duration\n", __func__); i2c_nuvoton_ready(chip); -- 2.14.4

7 years, 1 month

2
1
0 0

[PATCH 4.9 00/35] 4.9.135-stable review

by Greg Kroah-Hartman

This is the start of the stable review cycle for the 4.9.135 release. There are 35 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Sat Oct 20 17:54:00 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.9.135-rc… or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.9.y and the diffstat can be found below. thanks, greg k-h ------------- Pseudo-Shortlog of commits: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Linux 4.9.135-rc1 Long Li <longli(a)microsoft.com> HV: properly delay KVP packets when negotiation is in progress Theodore Ts'o <tytso(a)mit.edu> ext4: avoid running out of journal credits when appending to an inline file Frederic Weisbecker <fweisbec(a)gmail.com> sched/cputime: Fix ksoftirqd cputime accounting regression Frederic Weisbecker <fweisbec(a)gmail.com> sched/cputime: Increment kcpustat directly on irqtime account Frederic Weisbecker <fweisbec(a)gmail.com> macintosh/rack-meter: Convert cputime64_t use to u64 Frederic Weisbecker <fweisbec(a)gmail.com> sched/cputime: Convert kcpustat to nsecs Stephen Warren <swarren(a)nvidia.com> usb: gadget: serial: fix oops when data rx'd after close Natanael Copa <ncopa(a)alpinelinux.org> HID: quirks: fix support for Apple Magic Keyboards Alexey Brodkin <abrodkin(a)synopsys.com> ARC: build: Don't set CROSS_COMPILE in arch's Makefile Alexey Brodkin <abrodkin(a)synopsys.com> ARC: build: Get rid of toolchain check Xin Long <lucien.xin(a)gmail.com> netfilter: check for seqadj ext existence before adding it in nf_nat_setup_info Jan Kara <jack(a)suse.cz> mm: Preserve _PAGE_DEVMAP across mprotect() calls Linus Torvalds <torvalds(a)linux-foundation.org> mremap: properly flush TLB before releasing the page Arindam Nath <arindam.nath(a)amd.com> iommu/amd: Return devid as alias for ACPI HID devices Michael Neuling <mikey(a)neuling.org> powerpc/tm: Avoid possible userspace r1 corruption on reclaim Michael Neuling <mikey(a)neuling.org> powerpc/tm: Fix userspace r13 corruption James Cowgill <jcowgill(a)debian.org> RISC-V: include linux/ftrace.h in asm-prototypes.h Nathan Chancellor <natechancellor(a)gmail.com> net/mlx4: Use cpumask_available for eq->affinity_mask Johannes Thumshirn <jthumshirn(a)suse.de> scsi: sd: don't crash the host on invalid commands Alexandru Gheorghe <alexandru-cosmin.gheorghe(a)arm.com> drm: mali-dp: Call drm_crtc_vblank_reset on device init Kazuya Mizuguchi <kazuya.mizuguchi.ks(a)renesas.com> ravb: do not write 1 to reserved bits Michael Schmitz <schmitzmic(a)gmail.com> Input: atakbd - fix Atari CapsLock behaviour Andreas Schwab <schwab(a)linux-m68k.org> Input: atakbd - fix Atari keymap Laura Abbott <labbott(a)redhat.com> scsi: ibmvscsis: Ensure partition name is properly NUL terminated Laura Abbott <labbott(a)redhat.com> scsi: ibmvscsis: Fix a stringop-overflow warning Keerthy <j-keerthy(a)ti.com> clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs Marek Lindner <mareklindner(a)neomailbox.ch> batman-adv: fix hardif_neigh refcount on queue_work() failure Marek Lindner <mareklindner(a)neomailbox.ch> batman-adv: fix backbone_gw refcount on queue_work() failure Sven Eckelmann <sven(a)narfation.org> batman-adv: Prevent duplicated tvlv handler Sven Eckelmann <sven(a)narfation.org> batman-adv: Prevent duplicated global TT entry Sven Eckelmann <sven(a)narfation.org> batman-adv: Prevent duplicated softif_vlan entry Sven Eckelmann <sven(a)narfation.org> batman-adv: Prevent duplicated nc_node entry Sven Eckelmann <sven(a)narfation.org> batman-adv: Fix segfault when writing to sysfs elp_interval Sven Eckelmann <sven(a)narfation.org> batman-adv: Fix segfault when writing to throughput_override Jozef Balga <jozef.balga(a)gmail.com> media: af9035: prevent buffer overflow on write ------------- Diffstat: Makefile | 4 +- arch/arc/Makefile | 24 +--------- arch/powerpc/kernel/tm.S | 20 +++++++-- arch/riscv/include/asm/asm-prototypes.h | 7 +++ arch/s390/appldata/appldata_os.c | 16 +++---- arch/x86/include/asm/pgtable_types.h | 2 +- drivers/clocksource/timer-ti-32k.c | 3 ++ drivers/cpufreq/cpufreq.c | 6 +-- drivers/cpufreq/cpufreq_governor.c | 2 +- drivers/cpufreq/cpufreq_stats.c | 1 - drivers/gpu/drm/arm/malidp_drv.c | 1 + drivers/hid/hid-core.c | 3 ++ drivers/hv/hv_kvp.c | 13 +++--- drivers/input/keyboard/atakbd.c | 74 ++++++++++++------------------- drivers/iommu/amd_iommu.c | 6 +++ drivers/macintosh/rack-meter.c | 28 ++++++------ drivers/media/usb/dvb-usb-v2/af9035.c | 6 ++- drivers/net/ethernet/mellanox/mlx4/eq.c | 3 +- drivers/net/ethernet/renesas/ravb.h | 5 +++ drivers/net/ethernet/renesas/ravb_main.c | 11 ++--- drivers/net/ethernet/renesas/ravb_ptp.c | 2 +- drivers/scsi/ibmvscsi_tgt/ibmvscsi_tgt.c | 5 +-- drivers/scsi/sd.c | 3 +- drivers/usb/gadget/function/u_serial.c | 2 +- fs/ext4/ext4.h | 3 -- fs/ext4/inline.c | 38 +--------------- fs/ext4/xattr.c | 18 +------- fs/proc/stat.c | 68 ++++++++++++++--------------- fs/proc/uptime.c | 7 +-- include/linux/huge_mm.h | 2 +- kernel/sched/cpuacct.c | 2 +- kernel/sched/cputime.c | 75 ++++++++++++++------------------ kernel/sched/sched.h | 12 +++-- mm/huge_memory.c | 10 ++--- mm/mremap.c | 30 ++++++------- net/batman-adv/bat_v_elp.c | 8 +++- net/batman-adv/bridge_loop_avoidance.c | 10 ++++- net/batman-adv/network-coding.c | 27 +++++++----- net/batman-adv/soft-interface.c | 25 ++++++++--- net/batman-adv/sysfs.c | 30 ++++++++----- net/batman-adv/translation-table.c | 6 ++- net/batman-adv/tvlv.c | 8 +++- net/netfilter/nf_nat_core.c | 2 +- 43 files changed, 303 insertions(+), 325 deletions(-)

7 years, 1 month

5
40
0 0

[PATCH 2/6] mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly v3

by jglisse＠redhat.com

From: Ralph Campbell <rcampbell(a)nvidia.com> Private ZONE_DEVICE pages use a special pte entry and thus are not present. Properly handle this case in map_pte(), it is already handled in check_pte(), the map_pte() part was lost in some rebase most probably. Without this patch the slow migration path can not migrate back to any private ZONE_DEVICE memory to regular memory. This was found after stress testing migration back to system memory. This ultimatly can lead to the CPU constantly page fault looping on the special swap entry. Changes since v2: - add comments explaining what is going on Changes since v1: - properly lock pte directory in map_pte() Signed-off-by: Ralph Campbell <rcampbell(a)nvidia.com> Signed-off-by: Jérôme Glisse <jglisse(a)redhat.com> Reviewed-by: Balbir Singh <bsingharora(a)gmail.com> Cc: Andrew Morton <akpm(a)linux-foundation.org> Cc: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Cc: stable(a)vger.kernel.org --- mm/page_vma_mapped.c | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/mm/page_vma_mapped.c b/mm/page_vma_mapped.c index ae3c2a35d61b..11df03e71288 100644 --- a/mm/page_vma_mapped.c +++ b/mm/page_vma_mapped.c @@ -21,7 +21,29 @@ static bool map_pte(struct page_vma_mapped_walk *pvmw) if (!is_swap_pte(*pvmw->pte)) return false; } else { - if (!pte_present(*pvmw->pte)) + /* + * We get here when we are trying to unmap a private + * device page from the process address space. Such + * page is not CPU accessible and thus is mapped as + * a special swap entry, nonetheless it still does + * count as a valid regular mapping for the page (and + * is accounted as such in page maps count). + * + * So handle this special case as if it was a normal + * page mapping ie lock CPU page table and returns + * true. + * + * For more details on device private memory see HMM + * (include/linux/hmm.h or mm/hmm.c). + */ + if (is_swap_pte(*pvmw->pte)) { + swp_entry_t entry; + + /* Handle un-addressable ZONE_DEVICE memory */ + entry = pte_to_swp_entry(*pvmw->pte); + if (!is_device_private_entry(entry)) + return false; + } else if (!pte_present(*pvmw->pte)) return false; } } -- 2.17.2

7 years, 1 month

1
0
0 0

[PATCH v2] fsnotify: Fix busy inodes during unmount

by Jan Kara

Detaching of mark connector from fsnotify_put_mark() can race with unmounting of the filesystem like: CPU1 CPU2 fsnotify_put_mark() spin_lock(&conn->lock); ... inode = fsnotify_detach_connector_from_object(conn) spin_unlock(&conn->lock); generic_shutdown_super() fsnotify_unmount_inodes() sees connector detached for inode -> nothing to do evict_inode() barfs on pending inode reference iput(inode); Resulting in "Busy inodes after unmount" message and possible kernel oops. Make fsnotify_unmount_inodes() properly wait for outstanding inode references from detached connectors. Note that the accounting of outstanding inode references in the superblock can cause some cacheline contention on the counter. OTOH it happens only during deletion of the last notification mark from an inode (or during unlinking of watched inode) and that is not too bad. I have measured time to create & delete inotify watch 100000 times from 64 processes in parallel (each process having its own inotify group and its own file on a shared superblock) on a 64 CPU machine. Average and standard deviation of 15 runs look like: Avg Stddev Vanilla 9.817400 0.276165 Fixed 9.710467 0.228294 So there's no statistically significant difference. Fixes: 6b3f05d24d35 ("fsnotify: Detach mark from object list when last reference is dropped") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/notify/fsnotify.c | 3 +++ fs/notify/mark.c | 39 +++++++++++++++++++++++++++++++-------- include/linux/fs.h | 3 +++ 3 files changed, 37 insertions(+), 8 deletions(-) Changes since v1: * added Fixes tag * improved fsnotify_drop_object to take object type diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index f174397b63a0..00d4f4357724 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c @@ -96,6 +96,9 @@ void fsnotify_unmount_inodes(struct super_block *sb) if (iput_inode) iput(iput_inode); + /* Wait for outstanding inode references from connectors */ + wait_var_event(&sb->s_fsnotify_inode_refs, + !atomic_long_read(&sb->s_fsnotify_inode_refs)); } /* diff --git a/fs/notify/mark.c b/fs/notify/mark.c index 59cdb27826de..f4e330b5b379 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c @@ -179,17 +179,20 @@ static void fsnotify_connector_destroy_workfn(struct work_struct *work) } } -static struct inode *fsnotify_detach_connector_from_object( - struct fsnotify_mark_connector *conn) +static void *fsnotify_detach_connector_from_object( + struct fsnotify_mark_connector *conn, + unsigned int *type) { struct inode *inode = NULL; + *type = conn->type; if (conn->type == FSNOTIFY_OBJ_TYPE_DETACHED) return NULL; if (conn->type == FSNOTIFY_OBJ_TYPE_INODE) { inode = fsnotify_conn_inode(conn); inode->i_fsnotify_mask = 0; + atomic_long_inc(&inode->i_sb->s_fsnotify_inode_refs); } else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT) { fsnotify_conn_mount(conn)->mnt_fsnotify_mask = 0; } @@ -211,10 +214,29 @@ static void fsnotify_final_mark_destroy(struct fsnotify_mark *mark) fsnotify_put_group(group); } +/* Drop object reference originally held by a connector */ +static void fsnotify_drop_object(unsigned int type, void *objp) +{ + struct inode *inode; + struct super_block *sb; + + if (!objp) + return; + /* Currently only inode references are passed to be dropped */ + if (WARN_ON_ONCE(type != FSNOTIFY_OBJ_TYPE_INODE)) + return; + inode = objp; + sb = inode->i_sb; + iput(inode); + if (atomic_long_dec_and_test(&sb->s_fsnotify_inode_refs)) + wake_up_var(&sb->s_fsnotify_inode_refs); +} + void fsnotify_put_mark(struct fsnotify_mark *mark) { struct fsnotify_mark_connector *conn; - struct inode *inode = NULL; + void *objp = NULL; + unsigned int type; bool free_conn = false; /* Catch marks that were actually never attached to object */ @@ -234,7 +256,7 @@ void fsnotify_put_mark(struct fsnotify_mark *mark) conn = mark->connector; hlist_del_init_rcu(&mark->obj_list); if (hlist_empty(&conn->list)) { - inode = fsnotify_detach_connector_from_object(conn); + objp = fsnotify_detach_connector_from_object(conn, &type); free_conn = true; } else { __fsnotify_recalc_mask(conn); @@ -242,7 +264,7 @@ void fsnotify_put_mark(struct fsnotify_mark *mark) mark->connector = NULL; spin_unlock(&conn->lock); - iput(inode); + fsnotify_drop_object(type, objp); if (free_conn) { spin_lock(&destroy_lock); @@ -709,7 +731,8 @@ void fsnotify_destroy_marks(fsnotify_connp_t *connp) { struct fsnotify_mark_connector *conn; struct fsnotify_mark *mark, *old_mark = NULL; - struct inode *inode; + void *objp; + unsigned int type; conn = fsnotify_grab_connector(connp); if (!conn) @@ -735,11 +758,11 @@ void fsnotify_destroy_marks(fsnotify_connp_t *connp) * mark references get dropped. It would lead to strange results such * as delaying inode deletion or blocking unmount. */ - inode = fsnotify_detach_connector_from_object(conn); + objp = fsnotify_detach_connector_from_object(conn, &type); spin_unlock(&conn->lock); if (old_mark) fsnotify_put_mark(old_mark); - iput(inode); + fsnotify_drop_object(type, objp); } /* diff --git a/include/linux/fs.h b/include/linux/fs.h index 33322702c910..5090f3dcec3b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1428,6 +1428,9 @@ struct super_block { /* Number of inodes with nlink == 0 but still referenced */ atomic_long_t s_remove_count; + /* Pending fsnotify inode refs */ + atomic_long_t s_fsnotify_inode_refs; + /* Being remounted read-only */ int s_readonly_remount; -- 2.16.4

7 years, 1 month

2
2
0 0

[PATCH v3] fsnotify: Fix busy inodes during unmount

by Jan Kara

Detaching of mark connector from fsnotify_put_mark() can race with unmounting of the filesystem like: CPU1 CPU2 fsnotify_put_mark() spin_lock(&conn->lock); ... inode = fsnotify_detach_connector_from_object(conn) spin_unlock(&conn->lock); generic_shutdown_super() fsnotify_unmount_inodes() sees connector detached for inode -> nothing to do evict_inode() barfs on pending inode reference iput(inode); Resulting in "Busy inodes after unmount" message and possible kernel oops. Make fsnotify_unmount_inodes() properly wait for outstanding inode references from detached connectors. Note that the accounting of outstanding inode references in the superblock can cause some cacheline contention on the counter. OTOH it happens only during deletion of the last notification mark from an inode (or during unlinking of watched inode) and that is not too bad. I have measured time to create & delete inotify watch 100000 times from 64 processes in parallel (each process having its own inotify group and its own file on a shared superblock) on a 64 CPU machine. Average and standard deviation of 15 runs look like: Avg Stddev Vanilla 9.817400 0.276165 Fixed 9.710467 0.228294 So there's no statistically significant difference. Fixes: 6b3f05d24d35 ("fsnotify: Detach mark from object list when last reference is dropped") CC: stable(a)vger.kernel.org Signed-off-by: Jan Kara <jack(a)suse.cz> --- fs/notify/fsnotify.c | 3 +++ fs/notify/mark.c | 39 +++++++++++++++++++++++++++++++-------- include/linux/fs.h | 3 +++ 3 files changed, 37 insertions(+), 8 deletions(-) Changes since v2: * fixed uninitialized warning Changes since v1: * added Fixes tag * fsnotify_drop_object() now takes type diff --git a/fs/notify/fsnotify.c b/fs/notify/fsnotify.c index f174397b63a0..00d4f4357724 100644 --- a/fs/notify/fsnotify.c +++ b/fs/notify/fsnotify.c @@ -96,6 +96,9 @@ void fsnotify_unmount_inodes(struct super_block *sb) if (iput_inode) iput(iput_inode); + /* Wait for outstanding inode references from connectors */ + wait_var_event(&sb->s_fsnotify_inode_refs, + !atomic_long_read(&sb->s_fsnotify_inode_refs)); } /* diff --git a/fs/notify/mark.c b/fs/notify/mark.c index 59cdb27826de..09535f6423fc 100644 --- a/fs/notify/mark.c +++ b/fs/notify/mark.c @@ -179,17 +179,20 @@ static void fsnotify_connector_destroy_workfn(struct work_struct *work) } } -static struct inode *fsnotify_detach_connector_from_object( - struct fsnotify_mark_connector *conn) +static void *fsnotify_detach_connector_from_object( + struct fsnotify_mark_connector *conn, + unsigned int *type) { struct inode *inode = NULL; + *type = conn->type; if (conn->type == FSNOTIFY_OBJ_TYPE_DETACHED) return NULL; if (conn->type == FSNOTIFY_OBJ_TYPE_INODE) { inode = fsnotify_conn_inode(conn); inode->i_fsnotify_mask = 0; + atomic_long_inc(&inode->i_sb->s_fsnotify_inode_refs); } else if (conn->type == FSNOTIFY_OBJ_TYPE_VFSMOUNT) { fsnotify_conn_mount(conn)->mnt_fsnotify_mask = 0; } @@ -211,10 +214,29 @@ static void fsnotify_final_mark_destroy(struct fsnotify_mark *mark) fsnotify_put_group(group); } +/* Drop object reference originally held by a connector */ +static void fsnotify_drop_object(unsigned int type, void *objp) +{ + struct inode *inode; + struct super_block *sb; + + if (!objp) + return; + /* Currently only inode references are passed to be dropped */ + if (WARN_ON_ONCE(type != FSNOTIFY_OBJ_TYPE_INODE)) + return; + inode = objp; + sb = inode->i_sb; + iput(inode); + if (atomic_long_dec_and_test(&sb->s_fsnotify_inode_refs)) + wake_up_var(&sb->s_fsnotify_inode_refs); +} + void fsnotify_put_mark(struct fsnotify_mark *mark) { struct fsnotify_mark_connector *conn; - struct inode *inode = NULL; + void *objp = NULL; + unsigned int type = FSNOTIFY_OBJ_TYPE_DETACHED; bool free_conn = false; /* Catch marks that were actually never attached to object */ @@ -234,7 +256,7 @@ void fsnotify_put_mark(struct fsnotify_mark *mark) conn = mark->connector; hlist_del_init_rcu(&mark->obj_list); if (hlist_empty(&conn->list)) { - inode = fsnotify_detach_connector_from_object(conn); + objp = fsnotify_detach_connector_from_object(conn, &type); free_conn = true; } else { __fsnotify_recalc_mask(conn); @@ -242,7 +264,7 @@ void fsnotify_put_mark(struct fsnotify_mark *mark) mark->connector = NULL; spin_unlock(&conn->lock); - iput(inode); + fsnotify_drop_object(type, objp); if (free_conn) { spin_lock(&destroy_lock); @@ -709,7 +731,8 @@ void fsnotify_destroy_marks(fsnotify_connp_t *connp) { struct fsnotify_mark_connector *conn; struct fsnotify_mark *mark, *old_mark = NULL; - struct inode *inode; + void *objp; + unsigned int type; conn = fsnotify_grab_connector(connp); if (!conn) @@ -735,11 +758,11 @@ void fsnotify_destroy_marks(fsnotify_connp_t *connp) * mark references get dropped. It would lead to strange results such * as delaying inode deletion or blocking unmount. */ - inode = fsnotify_detach_connector_from_object(conn); + objp = fsnotify_detach_connector_from_object(conn, &type); spin_unlock(&conn->lock); if (old_mark) fsnotify_put_mark(old_mark); - iput(inode); + fsnotify_drop_object(type, objp); } /* diff --git a/include/linux/fs.h b/include/linux/fs.h index 33322702c910..5090f3dcec3b 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1428,6 +1428,9 @@ struct super_block { /* Number of inodes with nlink == 0 but still referenced */ atomic_long_t s_remove_count; + /* Pending fsnotify inode refs */ + atomic_long_t s_fsnotify_inode_refs; + /* Being remounted read-only */ int s_readonly_remount; -- 2.16.4

7 years, 1 month

1
0
0 0

[PATCH] ACPICA: Use 'jiffies' as the time bassis for acpi_os_get_timer()

by Bart Van Assche

Since acpi_os_get_timer() may be called after the timer subsystem has been suspended, use the jiffies counter instead of ktime_get(). This patch avoids that the following warning is reported during hibernation: WARNING: CPU: 0 PID: 612 at kernel/time/timekeeping.c:751 ktime_get+0x116/0x120 RIP: 0010:ktime_get+0x116/0x120 Call Trace: acpi_os_get_timer+0xe/0x30 acpi_ds_exec_begin_control_op+0x175/0x1de acpi_ds_exec_begin_op+0x2c7/0x39a acpi_ps_create_op+0x573/0x5e4 acpi_ps_parse_loop+0x349/0x1220 acpi_ps_parse_aml+0x25b/0x6da acpi_ps_execute_method+0x327/0x41b acpi_ns_evaluate+0x4e9/0x6f5 acpi_ut_evaluate_object+0xd9/0x2f2 acpi_rs_get_method_data+0x8f/0x114 acpi_walk_resources+0x122/0x1b6 acpi_pci_link_get_current.isra.2+0x157/0x280 acpi_pci_link_set+0x32f/0x4a0 irqrouter_resume+0x58/0x80 syscore_resume+0x84/0x380 hibernation_snapshot+0x20c/0x4f0 hibernate+0x22d/0x3a6 state_store+0x99/0xa0 kobj_attr_store+0x37/0x50 sysfs_kf_write+0x87/0xa0 kernfs_fop_write+0x1a5/0x240 __vfs_write+0xd2/0x410 vfs_write+0x101/0x250 ksys_write+0xab/0x120 __x64_sys_write+0x43/0x50 do_syscall_64+0x71/0x220 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 164a08cee135 ("ACPICA: Dispatcher: Introduce timeout mechanism for infinite loop detection") Reported-by: Fengguang Wu <fengguang.wu(a)intel.com> References: https://lists.01.org/pipermail/lkp/2018-April/008406.html Cc: Rafael J. Wysocki <rjw(a)rjwysocki.net> Cc: Thomas Gleixner <tglx(a)linutronix.de> Cc: Len Brown <lenb(a)kernel.org> Cc: Yu Chen <yu.c.chen(a)intel.com> Cc: Fengguang Wu <fengguang.wu(a)intel.com> Cc: linux-acpi(a)vger.kernel.org Cc: stable(a)vger.kernel.org Signed-off-by: Bart Van Assche <bvanassche(a)acm.org> --- drivers/acpi/osl.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c index 8df9abfa947b..ed73f6fb0779 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -617,15 +617,18 @@ void acpi_os_stall(u32 us) } /* - * Support ACPI 3.0 AML Timer operand - * Returns 64-bit free-running, monotonically increasing timer - * with 100ns granularity + * Support ACPI 3.0 AML Timer operand. Returns a 64-bit free-running, + * monotonically increasing timer with 100ns granularity. Do not use + * ktime_get() to implement this function because this function may get + * called after timekeeping has been suspended. Note: calling this function + * after timekeeping has been suspended may lead to unexpected results + * because when timekeeping is suspended the jiffies counter is not + * incremented. See also timekeeping_suspend(). */ u64 acpi_os_get_timer(void) { - u64 time_ns = ktime_to_ns(ktime_get()); - do_div(time_ns, 100); - return time_ns; + return (get_jiffies_64() - INITIAL_JIFFIES) * + (ACPI_100NSEC_PER_SEC / HZ); } acpi_status acpi_os_read_port(acpi_io_address port, u32 * value, u32 width) -- 2.19.1.568.g152ad8e336-goog

7 years, 1 month

2
1
0 0

[PATCH v2] drm/sun4i: Fix an ulong overflow in the dotclock driver

by Boris Brezillon

The calculated ideal rate can easily overflow an unsigned long, thus making the best div selection buggy as soon as no ideal match is found before the overflow occurs. Fixes: 4731a72df273 ("drm/sun4i: request exact rates to our parents") Cc: <stable(a)vger.kernel.org> Signed-off-by: Boris Brezillon <boris.brezillon(a)bootlin.com> Acked-by: Maxime Ripard <maxime.ripard(a)bootlin.com> --- Changes in v2: - Add a comment to explain why we bail out after an overflow - Add Maxime ack - Use a goto instead of a break --- drivers/gpu/drm/sun4i/sun4i_dotclock.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/drivers/gpu/drm/sun4i/sun4i_dotclock.c b/drivers/gpu/drm/sun4i/sun4i_dotclock.c index e36004fbe453..2a15f2f9271e 100644 --- a/drivers/gpu/drm/sun4i/sun4i_dotclock.c +++ b/drivers/gpu/drm/sun4i/sun4i_dotclock.c @@ -81,9 +81,19 @@ static long sun4i_dclk_round_rate(struct clk_hw *hw, unsigned long rate, int i; for (i = tcon->dclk_min_div; i <= tcon->dclk_max_div; i++) { - unsigned long ideal = rate * i; + u64 ideal = (u64)rate * i; unsigned long rounded; + /* + * ideal has overflowed the max value that can be stored in an + * unsigned long, and every clk operation we might do on a + * truncated u64 value will give us incorrect results. + * Let's just stop there since bigger dividers will result in + * the same overflow issue. + */ + if (ideal > ULONG_MAX) + goto out; + rounded = clk_hw_round_rate(clk_hw_get_parent(hw), ideal); -- 2.14.1

7 years, 1 month

2
1
0 0

patch "usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten" added to usb-next

by gregkh＠linuxfoundation.org

This is a note to let you know that I've just added the patch titled usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten to my usb git tree which can be found at git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git in the usb-next branch. The patch will show up in the next release of the linux-next tree (usually sometime within the next 24 hours during the week.) The patch will also be merged in the next major kernel release during the merge window. If you have any questions about this process, please let me know. >From e28fd56ad5273be67d0fae5bedc7e1680e729952 Mon Sep 17 00:00:00 2001 From: "Shuah Khan (Samsung OSG)" <shuah(a)kernel.org> Date: Thu, 18 Oct 2018 10:19:29 -0600 Subject: usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten In rmmod path, usbip_vudc does platform_device_put() twice once from platform_device_unregister() and then from put_vudc_device(). The second put results in: BUG kmalloc-2048 (Not tainted): Poison overwritten error or BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is enabled. [ 169.042156] calling init+0x0/0x1000 [usbip_vudc] @ 1697 [ 169.042396] ============================================================================= [ 169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs [ 169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten [ 169.044509] ----------------------------------------------------------------------------- ... [ 169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693 [ 169.057852] kobject_put+0x86/0x1b0 [ 169.057853] 0xffffffffc0c30a96 [ 169.057855] __x64_sys_delete_module+0x157/0x240 Fix it to call platform_device_del() instead and let put_vudc_device() do the platform_device_put(). Reported-by: Randy Dunlap <rdunlap(a)infradead.org> Signed-off-by: Shuah Khan (Samsung OSG) <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> --- drivers/usb/usbip/vudc_main.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/usb/usbip/vudc_main.c b/drivers/usb/usbip/vudc_main.c index 3fc22037a82f..390733e6937e 100644 --- a/drivers/usb/usbip/vudc_main.c +++ b/drivers/usb/usbip/vudc_main.c @@ -73,6 +73,10 @@ static int __init init(void) cleanup: list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { list_del(&udc_dev->dev_entry); + /* + * Just do platform_device_del() here, put_vudc_device() + * calls the platform_device_put() + */ platform_device_del(udc_dev->pdev); put_vudc_device(udc_dev); } @@ -89,7 +93,11 @@ static void __exit cleanup(void) list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { list_del(&udc_dev->dev_entry); - platform_device_unregister(udc_dev->pdev); + /* + * Just do platform_device_del() here, put_vudc_device() + * calls the platform_device_put() + */ + platform_device_del(udc_dev->pdev); put_vudc_device(udc_dev); } platform_driver_unregister(&vudc_driver); -- 2.19.1

7 years, 1 month

1
0
0 0

[PATCH] usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten

by Shuah Khan (Samsung OSG)

In rmmod path, usbip_vudc does platform_device_put() twice once from platform_device_unregister() and then from put_vudc_device(). The second put results in: BUG kmalloc-2048 (Not tainted): Poison overwritten error or BUG: KASAN: use-after-free in kobject_put+0x1e/0x230 if KASAN is enabled. [ 169.042156] calling init+0x0/0x1000 [usbip_vudc] @ 1697 [ 169.042396] ============================================================================= [ 169.043678] probe of usbip-vudc.0 returned 1 after 350 usecs [ 169.044508] BUG kmalloc-2048 (Not tainted): Poison overwritten [ 169.044509] ----------------------------------------------------------------------------- ... [ 169.057849] INFO: Freed in device_release+0x2b/0x80 age=4223 cpu=3 pid=1693 [ 169.057852] kobject_put+0x86/0x1b0 [ 169.057853] 0xffffffffc0c30a96 [ 169.057855] __x64_sys_delete_module+0x157/0x240 Fix it to call platform_device_del() instead and let put_vudc_device() do the platform_device_put(). Reported-by: Randy Dunlap <rdunlap(a)infradead.org> Signed-off-by: Shuah Khan (Samsung OSG) <shuah(a)kernel.org> Cc: <stable(a)vger.kernel.org> --- drivers/usb/usbip/vudc_main.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/usb/usbip/vudc_main.c b/drivers/usb/usbip/vudc_main.c index 3fc22037a82f..390733e6937e 100644 --- a/drivers/usb/usbip/vudc_main.c +++ b/drivers/usb/usbip/vudc_main.c @@ -73,6 +73,10 @@ static int __init init(void) cleanup: list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { list_del(&udc_dev->dev_entry); + /* + * Just do platform_device_del() here, put_vudc_device() + * calls the platform_device_put() + */ platform_device_del(udc_dev->pdev); put_vudc_device(udc_dev); } @@ -89,7 +93,11 @@ static void __exit cleanup(void) list_for_each_entry_safe(udc_dev, udc_dev2, &vudc_devices, dev_entry) { list_del(&udc_dev->dev_entry); - platform_device_unregister(udc_dev->pdev); + /* + * Just do platform_device_del() here, put_vudc_device() + * calls the platform_device_put() + */ + platform_device_del(udc_dev->pdev); put_vudc_device(udc_dev); } platform_driver_unregister(&vudc_driver); -- 2.17.0

7 years, 1 month

2
1
0 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

Linux-stable-mirror