I took a scripted approach to look at some product kernels for patches backported into vendor kernels. This is a set of (mostly) bugfixes I found in Spreadtrum's linux-4.4 kernel that are missing in 4.4.176:
ffedbd2210f2 mmc: pwrseq: constify mmc_pwrseq_ops structures c10368897e10 ALSA: compress: add support for 32bit calls in a 64bit kernel 64a67d4762ce mmc: pwrseq_simple: Make reset-gpios optional to match doc 4ec0ef3a8212 USB: iowarrior: fix oops with malicious USB descriptors e5905ff1281f mmc: debugfs: Add a restriction to mmc debugfs clock setting 4ec96b4cbde8 mmc: make MAN_BKOPS_EN message a debug ed9feec72fc1 mmc: sanitize 'bus width' in debug output 10a16a01d8f7 mmc: core: shut up "voltage-ranges unspecified" pr_info() 9772b47a4c29 usb: dwc3: gadget: Fix suspend/resume during device mode 6afedcd23cfd arm64: mm: Add trace_irqflags annotations to do_debug_exception() 437db4c6e798 mmc: mmc: Attempt to flush cache before reset e51534c80660 mmc: core: fix using wrong io voltage if mmc_select_hs200 fails e4c5800a3991 mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON 04c080080855 extcon: usb-gpio: Don't miss event during suspend/resume 78283edf2c01 kbuild: setlocalversion: print error to STDERR c526c62d565e usb: gadget: composite: fix dereference after null check coverify warning 511a36d2f357 usb: gadget: Add the gserial port checking in gs_start_tx() 1712c9373f98 mmc: core: don't try to switch block size for dual rate mode 5ea8ea2cb7f1 tcp/dccp: drop SYN packets if accept queue is full e1dc9b08051a serial: sprd: adjust TIMEOUT to a big value 81be24d263db Hang/soft lockup in d_invalidate with simultaneous calls 6f44a0bacb79 arm64: traps: disable irq in die() b7d44c36a6f6 usb: renesas_usbhs: gadget: fix unused-but-set-variable warning 4350782570b9 serial: sprd: clear timeout interrupt only rather than all interrupts 3f3295709ede lib/int_sqrt: optimize small argument 32fd87b3bbf5 USB: core: only clean up what we allocated
Al Viro (1): Hang/soft lockup in d_invalidate with simultaneous calls
Andrey Konovalov (1): USB: core: only clean up what we allocated
Baolin Wang (1): usb: gadget: Add the gserial port checking in gs_start_tx()
Chuanxiao Dong (1): mmc: debugfs: Add a restriction to mmc debugfs clock setting
Dong Aisheng (1): mmc: core: fix using wrong io voltage if mmc_select_hs200 fails
Eric Dumazet (1): tcp/dccp: drop SYN packets if accept queue is full
James Morse (1): arm64: mm: Add trace_irqflags annotations to do_debug_exception()
Josh Boyer (1): USB: iowarrior: fix oops with malicious USB descriptors
Julia Lawall (1): mmc: pwrseq: constify mmc_pwrseq_ops structures
Konstantin Khlebnikov (1): mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON
Lanqing Liu (1): serial: sprd: clear timeout interrupt only rather than all interrupts
Martin Fuzzey (1): mmc: pwrseq_simple: Make reset-gpios optional to match doc
Peter Chen (1): usb: gadget: composite: fix dereference after null check coverify warning
Peter Zijlstra (1): lib/int_sqrt: optimize small argument
Qiao Zhou (1): arm64: traps: disable irq in die()
Ravindra Lokhande (1): ALSA: compress: add support for 32bit calls in a 64bit kernel
Roger Quadros (2): usb: dwc3: gadget: Fix suspend/resume during device mode extcon: usb-gpio: Don't miss event during suspend/resume
Russell King (1): mmc: core: shut up "voltage-ranges unspecified" pr_info()
Wei Qiao (1): serial: sprd: adjust TIMEOUT to a big value
Wolfram Sang (3): mmc: make MAN_BKOPS_EN message a debug mmc: sanitize 'bus width' in debug output kbuild: setlocalversion: print error to STDERR
Yoshihiro Shimoda (1): usb: renesas_usbhs: gadget: fix unused-but-set-variable warning
Ziyuan Xu (1): mmc: core: don't try to switch block size for dual rate mode
arch/arm64/kernel/traps.c | 8 +++++-- arch/arm64/mm/fault.c | 33 ++++++++++++++++++-------- drivers/extcon/extcon-usb-gpio.c | 3 +++ drivers/mmc/core/core.c | 13 ++++++---- drivers/mmc/core/debugfs.c | 2 +- drivers/mmc/core/mmc.c | 16 +++++++++---- drivers/mmc/core/pwrseq.h | 2 +- drivers/mmc/core/pwrseq_emmc.c | 2 +- drivers/mmc/core/pwrseq_simple.c | 24 ++++++++++++------- drivers/tty/serial/sprd_serial.c | 6 +++-- drivers/usb/core/config.c | 9 ++++--- drivers/usb/dwc3/gadget.c | 6 +++++ drivers/usb/gadget/composite.c | 2 ++ drivers/usb/gadget/function/u_serial.c | 7 +++++- drivers/usb/misc/iowarrior.c | 6 +++++ drivers/usb/renesas_usbhs/mod_gadget.c | 5 +--- fs/dcache.c | 10 ++++---- include/net/inet_connection_sock.h | 5 ---- lib/int_sqrt.c | 3 +++ mm/rmap.c | 2 +- net/dccp/ipv4.c | 8 +------ net/dccp/ipv6.c | 2 +- net/ipv4/tcp_input.c | 8 +------ scripts/setlocalversion | 2 +- sound/core/compress_offload.c | 13 ++++++++++ 25 files changed, 126 insertions(+), 71 deletions(-)
From: Julia Lawall Julia.Lawall@lip6.fr
The mmc_pwrseq_ops structures are never modified, so declare them as const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit ffedbd2210f2f4cba490a9205adc11fd1b89a852) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/pwrseq.h | 2 +- drivers/mmc/core/pwrseq_emmc.c | 2 +- drivers/mmc/core/pwrseq_simple.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/core/pwrseq.h b/drivers/mmc/core/pwrseq.h index 096da48c6a7e..133de0426687 100644 --- a/drivers/mmc/core/pwrseq.h +++ b/drivers/mmc/core/pwrseq.h @@ -16,7 +16,7 @@ struct mmc_pwrseq_ops { };
struct mmc_pwrseq { - struct mmc_pwrseq_ops *ops; + const struct mmc_pwrseq_ops *ops; };
#ifdef CONFIG_OF diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c index ad4f94ec7e8d..4a82bc77fe49 100644 --- a/drivers/mmc/core/pwrseq_emmc.c +++ b/drivers/mmc/core/pwrseq_emmc.c @@ -51,7 +51,7 @@ static void mmc_pwrseq_emmc_free(struct mmc_host *host) kfree(pwrseq); }
-static struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { .post_power_on = mmc_pwrseq_emmc_reset, .free = mmc_pwrseq_emmc_free, }; diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c index d10538bb5e07..2b16263458af 100644 --- a/drivers/mmc/core/pwrseq_simple.c +++ b/drivers/mmc/core/pwrseq_simple.c @@ -87,7 +87,7 @@ static void mmc_pwrseq_simple_free(struct mmc_host *host) kfree(pwrseq); }
-static struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { .pre_power_on = mmc_pwrseq_simple_pre_power_on, .post_power_on = mmc_pwrseq_simple_post_power_on, .power_off = mmc_pwrseq_simple_power_off,
On Fri, Mar 22, 2019 at 04:43:52PM +0100, Arnd Bergmann wrote:
From: Julia Lawall Julia.Lawall@lip6.fr
The mmc_pwrseq_ops structures are never modified, so declare them as const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit ffedbd2210f2f4cba490a9205adc11fd1b89a852) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/mmc/core/pwrseq.h | 2 +- drivers/mmc/core/pwrseq_emmc.c | 2 +- drivers/mmc/core/pwrseq_simple.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/core/pwrseq.h b/drivers/mmc/core/pwrseq.h index 096da48c6a7e..133de0426687 100644 --- a/drivers/mmc/core/pwrseq.h +++ b/drivers/mmc/core/pwrseq.h @@ -16,7 +16,7 @@ struct mmc_pwrseq_ops { }; struct mmc_pwrseq {
- struct mmc_pwrseq_ops *ops;
- const struct mmc_pwrseq_ops *ops;
}; #ifdef CONFIG_OF diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c index ad4f94ec7e8d..4a82bc77fe49 100644 --- a/drivers/mmc/core/pwrseq_emmc.c +++ b/drivers/mmc/core/pwrseq_emmc.c @@ -51,7 +51,7 @@ static void mmc_pwrseq_emmc_free(struct mmc_host *host) kfree(pwrseq); } -static struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { .post_power_on = mmc_pwrseq_emmc_reset, .free = mmc_pwrseq_emmc_free, }; diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c index d10538bb5e07..2b16263458af 100644 --- a/drivers/mmc/core/pwrseq_simple.c +++ b/drivers/mmc/core/pwrseq_simple.c @@ -87,7 +87,7 @@ static void mmc_pwrseq_simple_free(struct mmc_host *host) kfree(pwrseq); } -static struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { .pre_power_on = mmc_pwrseq_simple_pre_power_on, .post_power_on = mmc_pwrseq_simple_post_power_on, .power_off = mmc_pwrseq_simple_power_off,
Why is this needed for a stable patch? It doesn't fix a bug, it just looks like it is a "nice thing" to have, right? I don't think any later patch in this series relies it it, or am I missing something?
thanks,
greg k-h
On Tue, 26 Mar 2019, Greg KH wrote:
On Fri, Mar 22, 2019 at 04:43:52PM +0100, Arnd Bergmann wrote:
From: Julia Lawall Julia.Lawall@lip6.fr
The mmc_pwrseq_ops structures are never modified, so declare them as const.
Done with the help of Coccinelle.
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit ffedbd2210f2f4cba490a9205adc11fd1b89a852) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/mmc/core/pwrseq.h | 2 +- drivers/mmc/core/pwrseq_emmc.c | 2 +- drivers/mmc/core/pwrseq_simple.c | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/core/pwrseq.h b/drivers/mmc/core/pwrseq.h index 096da48c6a7e..133de0426687 100644 --- a/drivers/mmc/core/pwrseq.h +++ b/drivers/mmc/core/pwrseq.h @@ -16,7 +16,7 @@ struct mmc_pwrseq_ops { };
struct mmc_pwrseq {
- struct mmc_pwrseq_ops *ops;
- const struct mmc_pwrseq_ops *ops;
};
#ifdef CONFIG_OF diff --git a/drivers/mmc/core/pwrseq_emmc.c b/drivers/mmc/core/pwrseq_emmc.c index ad4f94ec7e8d..4a82bc77fe49 100644 --- a/drivers/mmc/core/pwrseq_emmc.c +++ b/drivers/mmc/core/pwrseq_emmc.c @@ -51,7 +51,7 @@ static void mmc_pwrseq_emmc_free(struct mmc_host *host) kfree(pwrseq); }
-static struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_emmc_ops = { .post_power_on = mmc_pwrseq_emmc_reset, .free = mmc_pwrseq_emmc_free, }; diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c index d10538bb5e07..2b16263458af 100644 --- a/drivers/mmc/core/pwrseq_simple.c +++ b/drivers/mmc/core/pwrseq_simple.c @@ -87,7 +87,7 @@ static void mmc_pwrseq_simple_free(struct mmc_host *host) kfree(pwrseq); }
-static struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { .pre_power_on = mmc_pwrseq_simple_pre_power_on, .post_power_on = mmc_pwrseq_simple_post_power_on, .power_off = mmc_pwrseq_simple_power_off,
Why is this needed for a stable patch? It doesn't fix a bug, it just looks like it is a "nice thing" to have, right? I don't think any later patch in this series relies it it, or am I missing something?
Fine with me.
julia
On Tue, Mar 26, 2019 at 2:22 AM Greg KH gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:52PM +0100, Arnd Bergmann wrote:
}
-static struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { +static const struct mmc_pwrseq_ops mmc_pwrseq_simple_ops = { .pre_power_on = mmc_pwrseq_simple_pre_power_on, .post_power_on = mmc_pwrseq_simple_post_power_on, .power_off = mmc_pwrseq_simple_power_off,
Why is this needed for a stable patch? It doesn't fix a bug, it just looks like it is a "nice thing" to have, right? I don't think any later patch in this series relies it it, or am I missing something?
Right, the benefit here is rather small. In theory, any structure of function pointers is a place into which an exploit can be placed in case someone finds a way to modify a few bytes of kernel memory. Placing the structures in read-only memory make this a little harder (it doesn't prevent rowhammer attacks though).
Dropping this patch is certainly fine with me, as we have a large supply of other structure definitions like this, and we wont' get close to plugging enough of them in stable kernels.
Arnd
From: Ravindra Lokhande rlokhande@nvidia.com
Compress offload does not support ioctl calls from a 32bit userspace in a 64 bit kernel. This patch adds support for ioctls from a 32bit userspace in a 64bit kernel
Signed-off-by: Ravindra Lokhande rlokhande@nvidia.com Acked-by: Vinod Koul vinod.koul@intel.com Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit c10368897e104c008c610915a218f0fe5fa4ec96) Signed-off-by: Arnd Bergmann arnd@arndb.de --- sound/core/compress_offload.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
diff --git a/sound/core/compress_offload.c b/sound/core/compress_offload.c index 6163bf3e8177..33d40d6fa3f1 100644 --- a/sound/core/compress_offload.c +++ b/sound/core/compress_offload.c @@ -38,6 +38,7 @@ #include <linux/uio.h> #include <linux/uaccess.h> #include <linux/module.h> +#include <linux/compat.h> #include <sound/core.h> #include <sound/initval.h> #include <sound/compress_params.h> @@ -858,6 +859,15 @@ static long snd_compr_ioctl(struct file *f, unsigned int cmd, unsigned long arg) return retval; }
+/* support of 32bit userspace on 64bit platforms */ +#ifdef CONFIG_COMPAT +static long snd_compr_ioctl_compat(struct file *file, unsigned int cmd, + unsigned long arg) +{ + return snd_compr_ioctl(file, cmd, (unsigned long)compat_ptr(arg)); +} +#endif + static const struct file_operations snd_compr_file_ops = { .owner = THIS_MODULE, .open = snd_compr_open, @@ -865,6 +875,9 @@ static const struct file_operations snd_compr_file_ops = { .write = snd_compr_write, .read = snd_compr_read, .unlocked_ioctl = snd_compr_ioctl, +#ifdef CONFIG_COMPAT + .compat_ioctl = snd_compr_ioctl_compat, +#endif .mmap = snd_compr_mmap, .poll = snd_compr_poll, };
On Fri, Mar 22, 2019 at 04:43:53PM +0100, Arnd Bergmann wrote:
From: Ravindra Lokhande rlokhande@nvidia.com
Compress offload does not support ioctl calls from a 32bit userspace in a 64 bit kernel. This patch adds support for ioctls from a 32bit userspace in a 64bit kernel
Signed-off-by: Ravindra Lokhande rlokhande@nvidia.com Acked-by: Vinod Koul vinod.koul@intel.com Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit c10368897e104c008c610915a218f0fe5fa4ec96) Signed-off-by: Arnd Bergmann arnd@arndb.de
sound/core/compress_offload.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
How is this not a "new feature"? What bug does this fix? Has this ever worked in the past?
thanks,
greg k-h
On Tue, Mar 26, 2019 at 2:23 AM Greg KH gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:53PM +0100, Arnd Bergmann wrote:
From: Ravindra Lokhande rlokhande@nvidia.com
Compress offload does not support ioctl calls from a 32bit userspace in a 64 bit kernel. This patch adds support for ioctls from a 32bit userspace in a 64bit kernel
Signed-off-by: Ravindra Lokhande rlokhande@nvidia.com Acked-by: Vinod Koul vinod.koul@intel.com Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit c10368897e104c008c610915a218f0fe5fa4ec96) Signed-off-by: Arnd Bergmann arnd@arndb.de
sound/core/compress_offload.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
How is this not a "new feature"? What bug does this fix? Has this ever worked in the past?
It has never worked in the past, but I consider it a bug for the compat layer to behave differently from native code. In this case, any 32-bit application using the SNDRV_COMPRESS_* ioctls will just fail to do anything on a 64-bit kernel at all without the trivial fix that should have been there when the driver was originally merged.
Arnd
On Tue, Mar 26, 2019 at 08:55:14AM +0100, Arnd Bergmann wrote:
On Tue, Mar 26, 2019 at 2:23 AM Greg KH gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:53PM +0100, Arnd Bergmann wrote:
From: Ravindra Lokhande rlokhande@nvidia.com
Compress offload does not support ioctl calls from a 32bit userspace in a 64 bit kernel. This patch adds support for ioctls from a 32bit userspace in a 64bit kernel
Signed-off-by: Ravindra Lokhande rlokhande@nvidia.com Acked-by: Vinod Koul vinod.koul@intel.com Signed-off-by: Takashi Iwai tiwai@suse.de (cherry picked from commit c10368897e104c008c610915a218f0fe5fa4ec96) Signed-off-by: Arnd Bergmann arnd@arndb.de
sound/core/compress_offload.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
How is this not a "new feature"? What bug does this fix? Has this ever worked in the past?
It has never worked in the past, but I consider it a bug for the compat layer to behave differently from native code. In this case, any 32-bit application using the SNDRV_COMPRESS_* ioctls will just fail to do anything on a 64-bit kernel at all without the trivial fix that should have been there when the driver was originally merged.
Ok, fair enough, now queued up.
greg k-h
From: Martin Fuzzey mfuzzey@parkeon.com
The DT binding doc says reset-gpios is an optional property but the code currently bails out if it is omitted.
This is a regression since it breaks previously working device trees. Fix it by restoring the original documented behaviour.
Fixes: ce037275861e ("mmc: pwrseq_simple: use GPIO descriptors array API") Tested-by: Tony Lindgren tony@atomide.com Signed-off-by: Martin Fuzzey mfuzzey@parkeon.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 64a67d4762ce3ce4c9466eadd152d825fbf84967) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/pwrseq_simple.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-)
diff --git a/drivers/mmc/core/pwrseq_simple.c b/drivers/mmc/core/pwrseq_simple.c index 2b16263458af..aba786daebca 100644 --- a/drivers/mmc/core/pwrseq_simple.c +++ b/drivers/mmc/core/pwrseq_simple.c @@ -29,15 +29,18 @@ struct mmc_pwrseq_simple { static void mmc_pwrseq_simple_set_gpios_value(struct mmc_pwrseq_simple *pwrseq, int value) { - int i; struct gpio_descs *reset_gpios = pwrseq->reset_gpios; - int values[reset_gpios->ndescs];
- for (i = 0; i < reset_gpios->ndescs; i++) - values[i] = value; + if (!IS_ERR(reset_gpios)) { + int i; + int values[reset_gpios->ndescs];
- gpiod_set_array_value_cansleep(reset_gpios->ndescs, reset_gpios->desc, - values); + for (i = 0; i < reset_gpios->ndescs; i++) + values[i] = value; + + gpiod_set_array_value_cansleep( + reset_gpios->ndescs, reset_gpios->desc, values); + } }
static void mmc_pwrseq_simple_pre_power_on(struct mmc_host *host) @@ -79,7 +82,8 @@ static void mmc_pwrseq_simple_free(struct mmc_host *host) struct mmc_pwrseq_simple *pwrseq = container_of(host->pwrseq, struct mmc_pwrseq_simple, pwrseq);
- gpiod_put_array(pwrseq->reset_gpios); + if (!IS_ERR(pwrseq->reset_gpios)) + gpiod_put_array(pwrseq->reset_gpios);
if (!IS_ERR(pwrseq->ext_clk)) clk_put(pwrseq->ext_clk); @@ -112,7 +116,9 @@ struct mmc_pwrseq *mmc_pwrseq_simple_alloc(struct mmc_host *host, }
pwrseq->reset_gpios = gpiod_get_array(dev, "reset", GPIOD_OUT_HIGH); - if (IS_ERR(pwrseq->reset_gpios)) { + if (IS_ERR(pwrseq->reset_gpios) && + PTR_ERR(pwrseq->reset_gpios) != -ENOENT && + PTR_ERR(pwrseq->reset_gpios) != -ENOSYS) { ret = PTR_ERR(pwrseq->reset_gpios); goto clk_put; }
From: Josh Boyer jwboyer@fedoraproject.org
The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.
The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg ralf@spenneberg.net Cc: stable stable@vger.kernel.org Signed-off-by: Josh Boyer jwboyer@fedoraproject.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/usb/misc/iowarrior.c b/drivers/usb/misc/iowarrior.c index 5e43fd881a9c..381a92a0ebb6 100644 --- a/drivers/usb/misc/iowarrior.c +++ b/drivers/usb/misc/iowarrior.c @@ -787,6 +787,12 @@ static int iowarrior_probe(struct usb_interface *interface, iface_desc = interface->cur_altsetting; dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+ if (iface_desc->desc.bNumEndpoints < 1) { + dev_err(&interface->dev, "Invalid number of endpoints\n"); + retval = -EINVAL; + goto error; + } + /* set up the endpoint information */ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc;
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
From: Josh Boyer jwboyer@fedoraproject.org
The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.
The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg ralf@spenneberg.net Cc: stable stable@vger.kernel.org Signed-off-by: Josh Boyer jwboyer@fedoraproject.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7 release, back in April 2016. And then it was reverted in commit b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke systems. So why add it back, the correct functionality should be there today, right?
thanks,
greg k-h
On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
From: Josh Boyer jwboyer@fedoraproject.org
The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.
The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg ralf@spenneberg.net Cc: stable stable@vger.kernel.org Signed-off-by: Josh Boyer jwboyer@fedoraproject.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7 release, back in April 2016. And then it was reverted in commit b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke systems. So why add it back, the correct functionality should be there today, right?
Sorry I missed that history. The script I used to identify patches noticed that this patch was not applied, but I did not have a check for already- reverted patches.
Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong as well, by backporting the patch again on top of 4.4.172. Can you check the latest internal version for this?
Arnd
On Tue, 26 Mar 2019 at 16:21, Arnd Bergmann arnd@arndb.de wrote:
On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
From: Josh Boyer jwboyer@fedoraproject.org
The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.
The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg ralf@spenneberg.net Cc: stable stable@vger.kernel.org Signed-off-by: Josh Boyer jwboyer@fedoraproject.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7 release, back in April 2016. And then it was reverted in commit b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke systems. So why add it back, the correct functionality should be there today, right?
Sorry I missed that history. The script I used to identify patches noticed that this patch was not applied, but I did not have a check for already- reverted patches.
Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong as well, by backporting the patch again on top of 4.4.172. Can you check the latest internal version for this?
Yes, I saw this patch in our 4.4 kernel.
Orson, we should revert this patch from our kernel as Greg mentioned.
Hi Arnd, Baolin,
Thank you!
I am in travel.
I 'll apply it when I am back.
Best, Orson -------- Good patches are always welcome!
________________________________________ From: Baolin Wang baolin.wang@linaro.org Sent: Tuesday, March 26, 2019 17:35 To: Arnd Bergmann Cc: Greg Kroah-Hartman; # 3.4.x; Kees Cook; Sebastian Andrzej Siewior; Gustavo A. R. Silva; Josh Boyer; Ralf Spenneberg; USB list; Linux Kernel Mailing List; 张春艳 (Chunyan Zhang); 王宝林 (Baolin Wang); 翟京 (Orson Zhai); 张春艳 (Chunyan Zhang) Subject: Re: [BACKPORT 4.4.y 04/25] USB: iowarrior: fix oops with malicious USB descriptors
On Tue, 26 Mar 2019 at 16:21, Arnd Bergmann arnd@arndb.de wrote:
On Tue, Mar 26, 2019 at 2:23 AM Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:43:55PM +0100, Arnd Bergmann wrote:
From: Josh Boyer jwboyer@fedoraproject.org
The iowarrior driver expects at least one valid endpoint. If given malicious descriptors that specify 0 for the number of endpoints, it will crash in the probe function. Ensure there is at least one endpoint on the interface before using it.
The full report of this issue can be found here: http://seclists.org/bugtraq/2016/Mar/87
Reported-by: Ralf Spenneberg ralf@spenneberg.net Cc: stable stable@vger.kernel.org Signed-off-by: Josh Boyer jwboyer@fedoraproject.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4ec0ef3a82125efc36173062a50624550a900ae0) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/usb/misc/iowarrior.c | 6 ++++++ 1 file changed, 6 insertions(+)
This commit has been in the tree for a long time. It was in the 4.4.7 release, back in April 2016. And then it was reverted in commit b7321e81fc36 ("USB: iowarrior: fix NULL-deref at probe") as it broke systems. So why add it back, the correct functionality should be there today, right?
Sorry I missed that history. The script I used to identify patches noticed that this patch was not applied, but I did not have a check for already- reverted patches.
Chunyan, Baolin: it seems the spreadtrum 4.4 kernel got this wrong as well, by backporting the patch again on top of 4.4.172. Can you check the latest internal version for this?
Yes, I saw this patch in our 4.4 kernel.
Orson, we should revert this patch from our kernel as Greg mentioned.
-- Baolin Wang Best Regards
From: Chuanxiao Dong chuanxiao.dong@intel.com
Clock frequency values written to an mmc host should not be less than the minimum clock frequency which the mmc host supports.
Signed-off-by: Yuan Juntao juntaox.yuan@intel.com Signed-off-by: Pawel Wodkowski pawelx.wodkowski@intel.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit e5905ff1281f0a0f5c9863c430ac1ed5faaf5707) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/debugfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/core/debugfs.c b/drivers/mmc/core/debugfs.c index 154aced0b91b..705586dcd9fa 100644 --- a/drivers/mmc/core/debugfs.c +++ b/drivers/mmc/core/debugfs.c @@ -220,7 +220,7 @@ static int mmc_clock_opt_set(void *data, u64 val) struct mmc_host *host = data;
/* We need this check due to input value is u64 */ - if (val > host->f_max) + if (val != 0 && (val > host->f_max || val < host->f_min)) return -EINVAL;
mmc_claim_host(host);
From: Wolfram Sang wsa+renesas@sang-engineering.com
IMO this info is only useful for developers. Most users won't need this information, since there is not much they can do about it.
Signed-off-by: Wolfram Sang wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 4ec96b4cbde8d5714a4477b5a2562c3dd40bc5fa) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/mmc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index a31789be0840..adc3291e9d6a 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -508,7 +508,7 @@ static int mmc_decode_ext_csd(struct mmc_card *card, u8 *ext_csd) card->ext_csd.raw_bkops_status = ext_csd[EXT_CSD_BKOPS_STATUS]; if (!card->ext_csd.man_bkops_en) - pr_info("%s: MAN_BKOPS_EN bit is not set\n", + pr_debug("%s: MAN_BKOPS_EN bit is not set\n", mmc_hostname(card->host)); }
From: Wolfram Sang wsa+renesas@sang-engineering.com
The bus width is sometimes the actual bus width, and sometimes indices to different arrays encoding the bus width. In my debugging case "2" could mean 8-bit as well as 4-bit, which was extremly confusing. Let's use the human-readable actual bus width in all places.
Signed-off-by: Wolfram Sang wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit ed9feec72fc1fa194ebfdb79e14561b35decce63) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/core.c | 2 +- drivers/mmc/core/mmc.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index 299a83f1ad38..e2e927d1f7e4 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -1039,7 +1039,7 @@ static inline void mmc_set_ios(struct mmc_host *host) "width %u timing %u\n", mmc_hostname(host), ios->clock, ios->bus_mode, ios->power_mode, ios->chip_select, ios->vdd, - ios->bus_width, ios->timing); + 1 << ios->bus_width, ios->timing);
host->ops->set_ios(host, ios); } diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index adc3291e9d6a..7286d0d324e1 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -952,7 +952,7 @@ static int mmc_select_bus_width(struct mmc_card *card) break; } else { pr_warn("%s: switch to bus width %d failed\n", - mmc_hostname(host), ext_csd_bits[idx]); + mmc_hostname(host), 1 << bus_width); } }
From: Russell King rmk+kernel@arm.linux.org.uk
Each time a driver such as sdhci-esdhc-imx is probed, we get a info printk complaining that the DT voltage-ranges property has not been specified.
However, the DT binding specifically says that the voltage-ranges property is optional. That means we should not be complaining that DT hasn't specified this property: by indicating that it's optional, it is valid not to have the property in DT.
Silence the warning if the property is missing.
Signed-off-by: Russell King rmk+kernel@arm.linux.org.uk Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 10a16a01d8f72e80f4780e40cf3122f4caffa411) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/core.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index e2e927d1f7e4..df074f8c7cb7 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -1220,8 +1220,12 @@ int mmc_of_parse_voltage(struct device_node *np, u32 *mask)
voltage_ranges = of_get_property(np, "voltage-ranges", &num_ranges); num_ranges = num_ranges / sizeof(*voltage_ranges) / 2; - if (!voltage_ranges || !num_ranges) { - pr_info("%s: voltage-ranges unspecified\n", np->full_name); + if (!voltage_ranges) { + pr_debug("%s: voltage-ranges unspecified\n", np->full_name); + return -EINVAL; + } + if (!num_ranges) { + pr_err("%s: voltage-ranges empty\n", np->full_name); return -EINVAL; }
From: Roger Quadros rogerq@ti.com
Gadget controller might not be always active during system suspend/resume as gadget driver might not have yet been loaded or might have been unloaded prior to system suspend.
Check if we're active and only then perform necessary actions during suspend/resume.
Signed-off-by: Roger Quadros rogerq@ti.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com (cherry picked from commit 9772b47a4c2916d645c551228b6085ea24acbe5d) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/dwc3/gadget.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/drivers/usb/dwc3/gadget.c b/drivers/usb/dwc3/gadget.c index b6037a0ae829..58e67c228971 100644 --- a/drivers/usb/dwc3/gadget.c +++ b/drivers/usb/dwc3/gadget.c @@ -2893,6 +2893,9 @@ void dwc3_gadget_exit(struct dwc3 *dwc)
int dwc3_gadget_suspend(struct dwc3 *dwc) { + if (!dwc->gadget_driver) + return 0; + if (dwc->pullups_connected) { dwc3_gadget_disable_irq(dwc); dwc3_gadget_run_stop(dwc, true, true); @@ -2911,6 +2914,9 @@ int dwc3_gadget_resume(struct dwc3 *dwc) struct dwc3_ep *dep; int ret;
+ if (!dwc->gadget_driver) + return 0; + /* Start with SuperSpeed Default */ dwc3_gadget_ep0_desc.wMaxPacketSize = cpu_to_le16(512);
From: James Morse james.morse@arm.com
With CONFIG_PROVE_LOCKING, CONFIG_DEBUG_LOCKDEP and CONFIG_TRACE_IRQFLAGS enabled, lockdep will compare current->hardirqs_enabled with the flags from local_irq_save().
When a debug exception occurs, interrupts are disabled in entry.S, but lockdep isn't told, resulting in: DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled) ------------[ cut here ]------------ WARNING: at ../kernel/locking/lockdep.c:3523 Modules linked in: CPU: 3 PID: 1752 Comm: perf Not tainted 4.5.0-rc4+ #2204 Hardware name: ARM Juno development board (r1) (DT) task: ffffffc974868000 ti: ffffffc975f40000 task.ti: ffffffc975f40000 PC is at check_flags.part.35+0x17c/0x184 LR is at check_flags.part.35+0x17c/0x184 pc : [<ffffff80080fc93c>] lr : [<ffffff80080fc93c>] pstate: 600003c5 [...] ---[ end trace 74631f9305ef5020 ]--- Call trace: [<ffffff80080fc93c>] check_flags.part.35+0x17c/0x184 [<ffffff80080ffe30>] lock_acquire+0xa8/0xc4 [<ffffff8008093038>] breakpoint_handler+0x118/0x288 [<ffffff8008082434>] do_debug_exception+0x3c/0xa8 [<ffffff80080854b4>] el1_dbg+0x18/0x6c [<ffffff80081e82f4>] do_filp_open+0x64/0xdc [<ffffff80081d6e60>] do_sys_open+0x140/0x204 [<ffffff80081d6f58>] SyS_openat+0x10/0x18 [<ffffff8008085d30>] el0_svc_naked+0x24/0x28 possible reason: unannotated irqs-off. irq event stamp: 65857 hardirqs last enabled at (65857): [<ffffff80081fb1c0>] lookup_mnt+0xf4/0x1b4 hardirqs last disabled at (65856): [<ffffff80081fb188>] lookup_mnt+0xbc/0x1b4 softirqs last enabled at (65790): [<ffffff80080bdca4>] __do_softirq+0x1f8/0x290 softirqs last disabled at (65757): [<ffffff80080be038>] irq_exit+0x9c/0xd0
This patch adds the annotations to do_debug_exception(), while trying not to call trace_hardirqs_off() if el1_dbg() interrupted a task that already had irqs disabled.
Signed-off-by: James Morse james.morse@arm.com Signed-off-by: Will Deacon will.deacon@arm.com (cherry picked from commit 6afedcd23cfd7ac56c011069e4a8db37b46e4623) Signed-off-by: Arnd Bergmann arnd@arndb.de --- arch/arm64/mm/fault.c | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-)
diff --git a/arch/arm64/mm/fault.c b/arch/arm64/mm/fault.c index be7f8416809f..04c4b88706d8 100644 --- a/arch/arm64/mm/fault.c +++ b/arch/arm64/mm/fault.c @@ -595,20 +595,33 @@ asmlinkage int __exception do_debug_exception(unsigned long addr, { const struct fault_info *inf = debug_fault_info + DBG_ESR_EVT(esr); struct siginfo info; + int rv;
- if (!inf->fn(addr, esr, regs)) - return 1; + /* + * Tell lockdep we disabled irqs in entry.S. Do nothing if they were + * already disabled to preserve the last enabled/disabled addresses. + */ + if (interrupts_enabled(regs)) + trace_hardirqs_off();
- pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", - inf->name, esr, addr); + if (!inf->fn(addr, esr, regs)) { + rv = 1; + } else { + pr_alert("Unhandled debug exception: %s (0x%08x) at 0x%016lx\n", + inf->name, esr, addr); + + info.si_signo = inf->sig; + info.si_errno = 0; + info.si_code = inf->code; + info.si_addr = (void __user *)addr; + arm64_notify_die("", regs, &info, 0); + rv = 0; + }
- info.si_signo = inf->sig; - info.si_errno = 0; - info.si_code = inf->code; - info.si_addr = (void __user *)addr; - arm64_notify_die("", regs, &info, 0); + if (interrupts_enabled(regs)) + trace_hardirqs_on();
- return 0; + return rv; }
#ifdef CONFIG_ARM64_PAN
From: Dong Aisheng aisheng.dong@nxp.com
Currently MMC core will keep going if HS200/HS timing switch failed with -EBADMSG error by the assumption that the old timing is still valid.
However, for mmc_select_hs200 case, the signal voltage may have already been switched. If the timing switch failed, we should fall back to the old voltage in case the card is continue run with legacy timing.
If fall back signal voltage failed, we explicitly report an EIO error to force retry during the next power cycle.
Signed-off-by: Dong Aisheng aisheng.dong@nxp.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit e51534c806609c806d81bfb034f02737461f855c) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/mmc.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/mmc/core/mmc.c b/drivers/mmc/core/mmc.c index 7286d0d324e1..7844baecf306 100644 --- a/drivers/mmc/core/mmc.c +++ b/drivers/mmc/core/mmc.c @@ -1251,10 +1251,11 @@ static int mmc_select_hs200(struct mmc_card *card) { struct mmc_host *host = card->host; bool send_status = true; - unsigned int old_timing; + unsigned int old_timing, old_signal_voltage; int err = -EINVAL; u8 val;
+ old_signal_voltage = host->ios.signal_voltage; if (card->mmc_avail_type & EXT_CSD_CARD_TYPE_HS200_1_2V) err = __mmc_set_signal_voltage(host, MMC_SIGNAL_VOLTAGE_120);
@@ -1263,7 +1264,7 @@ static int mmc_select_hs200(struct mmc_card *card)
/* If fails try again during next card power cycle */ if (err) - goto err; + return err;
mmc_select_driver_type(card);
@@ -1297,9 +1298,14 @@ static int mmc_select_hs200(struct mmc_card *card) } } err: - if (err) + if (err) { + /* fall back to the old signal voltage, if fails report error */ + if (__mmc_set_signal_voltage(host, old_signal_voltage)) + err = -EIO; + pr_err("%s: %s failed, error %d\n", mmc_hostname(card->host), __func__, err); + } return err; }
From: Konstantin Khlebnikov khlebnikov@yandex-team.ru
This check effectively catches anon vma hierarchy inconsistence and some vma corruptions. It was effective for catching corner cases in anon vma reusing logic. For now this code seems stable so check could be hidden under CONFIG_DEBUG_VM and replaced with WARN because it's not so fatal.
Signed-off-by: Konstantin Khlebnikov khlebnikov@yandex-team.ru Suggested-by: Vasily Averin vvs@virtuozzo.com Acked-by: Vlastimil Babka vbabka@suse.cz Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org (cherry picked from commit e4c5800a3991f0c6a766983535dfc10d51802cf6) Signed-off-by: Arnd Bergmann arnd@arndb.de --- mm/rmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/rmap.c b/mm/rmap.c index 488dda209431..cf733fab230f 100644 --- a/mm/rmap.c +++ b/mm/rmap.c @@ -408,7 +408,7 @@ void unlink_anon_vmas(struct vm_area_struct *vma) list_for_each_entry_safe(avc, next, &vma->anon_vma_chain, same_vma) { struct anon_vma *anon_vma = avc->anon_vma;
- BUG_ON(anon_vma->degree); + VM_WARN_ON(anon_vma->degree); put_anon_vma(anon_vma);
list_del(&avc->same_vma);
From: Roger Quadros rogerq@ti.com
Pin state might have changed during suspend/resume while our interrupts were disabled and if device doesn't support wakeup.
Scan for change during resume for such case.
Signed-off-by: Roger Quadros rogerq@ti.com Signed-off-by: Chanwoo Choi cw00.choi@samsung.com (cherry picked from commit 04c080080855ce84dcd490a2e04805608a21085d) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/extcon/extcon-usb-gpio.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/extcon/extcon-usb-gpio.c b/drivers/extcon/extcon-usb-gpio.c index 2b2fecffb1ad..c6a7c9ddf0ac 100644 --- a/drivers/extcon/extcon-usb-gpio.c +++ b/drivers/extcon/extcon-usb-gpio.c @@ -192,6 +192,9 @@ static int usb_extcon_resume(struct device *dev) }
enable_irq(info->id_irq); + if (!device_may_wakeup(dev)) + queue_delayed_work(system_power_efficient_wq, + &info->wq_detcable, 0);
return ret; }
From: Wolfram Sang wsa@the-dreams.de
I tried to use 'make O=...' from an unclean source tree. This triggered the error path of setlocalversion. But by printing to STDOUT, it created a broken localversion which then caused another (unrelated) error:
"4.7.0-rc2Error: kernelrelease not valid - run make prepare to update it" exceeds 64 characters
After printing to STDERR, the true build error gets displayed later:
/home/wsa/Kernel/linux is not clean, please run 'make mrproper' in the '/home/wsa/Kernel/linux' directory.
Signed-off-by: Wolfram Sang wsa@the-dreams.de Signed-off-by: Michal Marek mmarek@suse.com (cherry picked from commit 78283edf2c01c38eb840a3de5ffd18fe2992ab64) Signed-off-by: Arnd Bergmann arnd@arndb.de --- scripts/setlocalversion | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/setlocalversion b/scripts/setlocalversion index 63d91e22ed7c..966dd3924ea9 100755 --- a/scripts/setlocalversion +++ b/scripts/setlocalversion @@ -143,7 +143,7 @@ fi if test -e include/config/auto.conf; then . include/config/auto.conf else - echo "Error: kernelrelease not valid - run 'make prepare' to update it" + echo "Error: kernelrelease not valid - run 'make prepare' to update it" >&2 exit 1 fi
From: Peter Chen peter.chen@nxp.com
cdev->config is checked for null pointer at above code, so cdev->config might be null, fix it by adding null pointer check.
Signed-off-by: Peter Chen peter.chen@nxp.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com (cherry picked from commit c526c62d565ea5a5bba9433f28756079734f430d) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/gadget/composite.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c index 58f5fbdb6959..8bf54477f472 100644 --- a/drivers/usb/gadget/composite.c +++ b/drivers/usb/gadget/composite.c @@ -1819,6 +1819,8 @@ unknown: break;
case USB_RECIP_ENDPOINT: + if (!cdev->config) + break; endp = ((w_index & 0x80) >> 3) | (w_index & 0x0f); list_for_each_entry(f, &cdev->config->functions, list) { if (test_bit(endp, f->endpoints))
From: Baolin Wang baolin.wang@linaro.org
When usb gadget is set gadget serial function, it will be crash in below situation.
It will clean the 'port->port_usb' pointer in gserial_disconnect() function when usb link is inactive, but it will release lock for disabling the endpoints in this function. Druing the lock release period, it maybe complete one request to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb' pointer had been set NULL, thus it will be crash in gs_start_tx() function.
This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function to avoid this situation.
Signed-off-by: Baolin Wang baolin.wang@linaro.org Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com (cherry picked from commit 511a36d2f357724312bb3776d2f6eed3890928b2) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/gadget/function/u_serial.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c index 4ea44f7122ee..d73618475664 100644 --- a/drivers/usb/gadget/function/u_serial.c +++ b/drivers/usb/gadget/function/u_serial.c @@ -361,10 +361,15 @@ __acquires(&port->port_lock) */ { struct list_head *pool = &port->write_pool; - struct usb_ep *in = port->port_usb->in; + struct usb_ep *in; int status = 0; bool do_tty_wake = false;
+ if (!port->port_usb) + return status; + + in = port->port_usb->in; + while (!port->write_busy && !list_empty(pool)) { struct usb_request *req; int len;
From: Ziyuan Xu xzy.xu@rock-chips.com
Per spec, block size should always be 512 bytes for dual rate mode, so any attempts to switch the block size under dual rate mode should be neglected.
Signed-off-by: Ziyuan Xu xzy.xu@rock-chips.com Signed-off-by: Shawn Lin shawn.lin@rock-chips.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 1712c9373f98ae8ed41599a8d7841a6fba29c264) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/mmc/core/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index df074f8c7cb7..3e17268b9994 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -2406,7 +2406,8 @@ int mmc_set_blocklen(struct mmc_card *card, unsigned int blocklen) { struct mmc_command cmd = {0};
- if (mmc_card_blockaddr(card) || mmc_card_ddr52(card)) + if (mmc_card_blockaddr(card) || mmc_card_ddr52(card) || + mmc_card_hs400(card) || mmc_card_hs400es(card)) return 0;
cmd.opcode = MMC_SET_BLOCKLEN;
On Fri, Mar 22, 2019 at 04:44:08PM +0100, Arnd Bergmann wrote:
From: Ziyuan Xu xzy.xu@rock-chips.com
Per spec, block size should always be 512 bytes for dual rate mode, so any attempts to switch the block size under dual rate mode should be neglected.
Signed-off-by: Ziyuan Xu xzy.xu@rock-chips.com Signed-off-by: Shawn Lin shawn.lin@rock-chips.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 1712c9373f98ae8ed41599a8d7841a6fba29c264) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/mmc/core/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index df074f8c7cb7..3e17268b9994 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -2406,7 +2406,8 @@ int mmc_set_blocklen(struct mmc_card *card, unsigned int blocklen) { struct mmc_command cmd = {0};
- if (mmc_card_blockaddr(card) || mmc_card_ddr52(card))
- if (mmc_card_blockaddr(card) || mmc_card_ddr52(card) ||
mmc_card_hs400(card) || mmc_card_hs400es(card))
This breaks the build, there is no mmc_card_hs400es() call in 4.4.y.
How did this build for you?
greg k-h
On Tue, Mar 26, 2019 at 2:27 AM Greg KH gregkh@linuxfoundation.org wrote:
On Fri, Mar 22, 2019 at 04:44:08PM +0100, Arnd Bergmann wrote:
From: Ziyuan Xu xzy.xu@rock-chips.com
Per spec, block size should always be 512 bytes for dual rate mode, so any attempts to switch the block size under dual rate mode should be neglected.
Signed-off-by: Ziyuan Xu xzy.xu@rock-chips.com Signed-off-by: Shawn Lin shawn.lin@rock-chips.com Signed-off-by: Ulf Hansson ulf.hansson@linaro.org (cherry picked from commit 1712c9373f98ae8ed41599a8d7841a6fba29c264) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/mmc/core/core.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mmc/core/core.c b/drivers/mmc/core/core.c index df074f8c7cb7..3e17268b9994 100644 --- a/drivers/mmc/core/core.c +++ b/drivers/mmc/core/core.c @@ -2406,7 +2406,8 @@ int mmc_set_blocklen(struct mmc_card *card, unsigned int blocklen) { struct mmc_command cmd = {0};
if (mmc_card_blockaddr(card) || mmc_card_ddr52(card))
if (mmc_card_blockaddr(card) || mmc_card_ddr52(card) ||
mmc_card_hs400(card) || mmc_card_hs400es(card))
This breaks the build, there is no mmc_card_hs400es() call in 4.4.y.
How did this build for you?
I had a larger set of backported patches and then dropped others that did not look like stable material, but then did not rebuild again afterwards. I'll make sure to do that next time.
Arnd
From: Eric Dumazet edumazet@google.com
Per listen(fd, backlog) rules, there is really no point accepting a SYN, sending a SYNACK, and dropping the following ACK packet if accept queue is full, because application is not draining accept queue fast enough.
This behavior is fooling TCP clients that believe they established a flow, while there is nothing at server side. They might then send about 10 MSS (if using IW10) that will be dropped anyway while server is under stress.
Signed-off-by: Eric Dumazet edumazet@google.com Acked-by: Neal Cardwell ncardwell@google.com Acked-by: Yuchung Cheng ycheng@google.com Signed-off-by: David S. Miller davem@davemloft.net (cherry picked from commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071) Signed-off-by: Arnd Bergmann arnd@arndb.de --- include/net/inet_connection_sock.h | 5 ----- net/dccp/ipv4.c | 8 +------- net/dccp/ipv6.c | 2 +- net/ipv4/tcp_input.c | 8 +------- 4 files changed, 3 insertions(+), 20 deletions(-)
diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h index 49dcad4fe99e..72599bbc8255 100644 --- a/include/net/inet_connection_sock.h +++ b/include/net/inet_connection_sock.h @@ -289,11 +289,6 @@ static inline int inet_csk_reqsk_queue_len(const struct sock *sk) return reqsk_queue_len(&inet_csk(sk)->icsk_accept_queue); }
-static inline int inet_csk_reqsk_queue_young(const struct sock *sk) -{ - return reqsk_queue_len_young(&inet_csk(sk)->icsk_accept_queue); -} - static inline int inet_csk_reqsk_queue_is_full(const struct sock *sk) { return inet_csk_reqsk_queue_len(sk) >= sk->sk_max_ack_backlog; diff --git a/net/dccp/ipv4.c b/net/dccp/ipv4.c index 45fd82e61e79..b0a577a79a6a 100644 --- a/net/dccp/ipv4.c +++ b/net/dccp/ipv4.c @@ -592,13 +592,7 @@ int dccp_v4_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop;
- /* - * Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop;
req = inet_reqsk_alloc(&dccp_request_sock_ops, sk, true); diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c index 0bf41faeffc4..18bb2a42f0d1 100644 --- a/net/dccp/ipv6.c +++ b/net/dccp/ipv6.c @@ -324,7 +324,7 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb) if (inet_csk_reqsk_queue_is_full(sk)) goto drop;
- if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) + if (sk_acceptq_is_full(sk)) goto drop;
req = inet_reqsk_alloc(&dccp6_request_sock_ops, sk, true); diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index 1aff93d76f24..b320fa9f834a 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c @@ -6305,13 +6305,7 @@ int tcp_conn_request(struct request_sock_ops *rsk_ops, goto drop; }
- - /* Accept backlog is full. If we have already queued enough - * of warm entries in syn queue, drop request. It is better than - * clogging syn queue with openreqs with exponentially increasing - * timeout. - */ - if (sk_acceptq_is_full(sk) && inet_csk_reqsk_queue_young(sk) > 1) { + if (sk_acceptq_is_full(sk)) { NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS); goto drop; }
On Fri, Mar 22, 2019 at 04:44:09PM +0100, Arnd Bergmann wrote:
From: Eric Dumazet edumazet@google.com
Per listen(fd, backlog) rules, there is really no point accepting a SYN, sending a SYNACK, and dropping the following ACK packet if accept queue is full, because application is not draining accept queue fast enough.
This behavior is fooling TCP clients that believe they established a flow, while there is nothing at server side. They might then send about 10 MSS (if using IW10) that will be dropped anyway while server is under stress.
Signed-off-by: Eric Dumazet edumazet@google.com Acked-by: Neal Cardwell ncardwell@google.com Acked-by: Yuchung Cheng ycheng@google.com Signed-off-by: David S. Miller davem@davemloft.net (cherry picked from commit 5ea8ea2cb7f1d0db15762c9b0bb9e7330425a071)
Also queued up for 4.9.y
From: Wei Qiao wei.qiao@spreadtrum.com
SPRD_TIMEOUT was 256, which is too small to wait until the status switched to workable in a while loop, so that the earlycon could not work correctly.
Signed-off-by: Wei Qiao wei.qiao@spreadtrum.com Signed-off-by: Chunyan Zhang chunyan.zhang@spreadtrum.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit e1dc9b08051a2c2e694edf48d1e704f07c7c143c) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/tty/serial/sprd_serial.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c index 1e302caaa450..176f0a2bf9d9 100644 --- a/drivers/tty/serial/sprd_serial.c +++ b/drivers/tty/serial/sprd_serial.c @@ -36,7 +36,7 @@ #define SPRD_FIFO_SIZE 128 #define SPRD_DEF_RATE 26000000 #define SPRD_BAUD_IO_LIMIT 3000000 -#define SPRD_TIMEOUT 256 +#define SPRD_TIMEOUT 256000
/* the offset of serial registers and BITs for them */ /* data registers */
On Fri, Mar 22, 2019 at 04:44:10PM +0100, Arnd Bergmann wrote:
From: Wei Qiao wei.qiao@spreadtrum.com
SPRD_TIMEOUT was 256, which is too small to wait until the status switched to workable in a while loop, so that the earlycon could not work correctly.
Signed-off-by: Wei Qiao wei.qiao@spreadtrum.com Signed-off-by: Chunyan Zhang chunyan.zhang@spreadtrum.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit e1dc9b08051a2c2e694edf48d1e704f07c7c143c) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/tty/serial/sprd_serial.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Also applied to 4.9.y
From: Al Viro viro@ZenIV.linux.org.uk
It's not hard to trigger a bunch of d_invalidate() on the same dentry in parallel. They end up fighting each other - any dentry picked for removal by one will be skipped by the rest and we'll go for the next iteration through the entire subtree, even if everything is being skipped. Morevoer, we immediately go back to scanning the subtree. The only thing we really need is to dissolve all mounts in the subtree and as soon as we've nothing left to do, we can just unhash the dentry and bugger off.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk (cherry picked from commit 81be24d263dbeddaba35827036d6f6787a59c2c3) Signed-off-by: Arnd Bergmann arnd@arndb.de --- fs/dcache.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c index 9ffe60702299..cb554e406545 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1510,7 +1510,7 @@ static void check_and_drop(void *_data) { struct detach_data *data = _data;
- if (!data->mountpoint && !data->select.found) + if (!data->mountpoint && list_empty(&data->select.dispose)) __d_drop(data->select.start); }
@@ -1552,17 +1552,15 @@ void d_invalidate(struct dentry *dentry)
d_walk(dentry, &data, detach_and_collect, check_and_drop);
- if (data.select.found) + if (!list_empty(&data.select.dispose)) shrink_dentry_list(&data.select.dispose); + else if (!data.mountpoint) + return;
if (data.mountpoint) { detach_mounts(data.mountpoint); dput(data.mountpoint); } - - if (!data.mountpoint && !data.select.found) - break; - cond_resched(); } }
On Fri, Mar 22, 2019 at 04:44:11PM +0100, Arnd Bergmann wrote:
From: Al Viro viro@ZenIV.linux.org.uk
It's not hard to trigger a bunch of d_invalidate() on the same dentry in parallel. They end up fighting each other - any dentry picked for removal by one will be skipped by the rest and we'll go for the next iteration through the entire subtree, even if everything is being skipped. Morevoer, we immediately go back to scanning the subtree. The only thing we really need is to dissolve all mounts in the subtree and as soon as we've nothing left to do, we can just unhash the dentry and bugger off.
Signed-off-by: Al Viro viro@zeniv.linux.org.uk (cherry picked from commit 81be24d263dbeddaba35827036d6f6787a59c2c3) Signed-off-by: Arnd Bergmann arnd@arndb.de
fs/dcache.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-)
Also added to 4.9.y
From: Qiao Zhou qiaozhou@asrmicro.com
In current die(), the irq is disabled for __die() handle, not including the possible panic() handling. Since the log in __die() can take several hundreds ms, new irq might come and interrupt current die().
If the process calling die() holds some critical resource, and some other process scheduled later also needs it, then it would deadlock. The first panic will not be executed.
So here disable irq for the whole flow of die().
Signed-off-by: Qiao Zhou qiaozhou@asrmicro.com Signed-off-by: Will Deacon will.deacon@arm.com (cherry picked from commit 6f44a0bacb79a03972c83759711832b382b1b8ac) Signed-off-by: Arnd Bergmann arnd@arndb.de --- arch/arm64/kernel/traps.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/kernel/traps.c b/arch/arm64/kernel/traps.c index 5d270ca76aec..6b4579e07aa2 100644 --- a/arch/arm64/kernel/traps.c +++ b/arch/arm64/kernel/traps.c @@ -239,10 +239,12 @@ void die(const char *str, struct pt_regs *regs, int err) { struct thread_info *thread = current_thread_info(); int ret; + unsigned long flags; + + raw_spin_lock_irqsave(&die_lock, flags);
oops_enter();
- raw_spin_lock_irq(&die_lock); console_verbose(); bust_spinlocks(1); ret = __die(str, err, thread, regs); @@ -252,13 +254,15 @@ void die(const char *str, struct pt_regs *regs, int err)
bust_spinlocks(0); add_taint(TAINT_DIE, LOCKDEP_NOW_UNRELIABLE); - raw_spin_unlock_irq(&die_lock); oops_exit();
if (in_interrupt()) panic("Fatal exception in interrupt"); if (panic_on_oops) panic("Fatal exception"); + + raw_spin_unlock_irqrestore(&die_lock, flags); + if (ret != NOTIFY_STOP) do_exit(SIGSEGV); }
On Fri, Mar 22, 2019 at 04:44:12PM +0100, Arnd Bergmann wrote:
From: Qiao Zhou qiaozhou@asrmicro.com
In current die(), the irq is disabled for __die() handle, not including the possible panic() handling. Since the log in __die() can take several hundreds ms, new irq might come and interrupt current die().
If the process calling die() holds some critical resource, and some other process scheduled later also needs it, then it would deadlock. The first panic will not be executed.
So here disable irq for the whole flow of die().
Signed-off-by: Qiao Zhou qiaozhou@asrmicro.com Signed-off-by: Will Deacon will.deacon@arm.com (cherry picked from commit 6f44a0bacb79a03972c83759711832b382b1b8ac) Signed-off-by: Arnd Bergmann arnd@arndb.de
arch/arm64/kernel/traps.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
also added to 4.9.y
From: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com
The commit b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") causes the unused-but-set-variable warning. But, if the usbhsg_ep_disable() will return non-zero value, udc/core.c doesn't clear the ep->enabled flag. So, this driver should not return non-zero value, if the pipe is zero because this means the pipe is already disabled. Otherwise, the ep->enabled flag is never cleared when the usbhsg_ep_disable() is called by the renesas_usbhs driver first.
Fixes: b8b9c974afee ("usb: renesas_usbhs: gadget: disable all eps when the driver stops") Fixes: 11432050f070 ("usb: renesas_usbhs: gadget: fix NULL pointer dereference in ep_disable()") Signed-off-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com (cherry picked from commit b7d44c36a6f6d956e1539e0dd42f98b26e5a4684) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/renesas_usbhs/mod_gadget.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/usb/renesas_usbhs/mod_gadget.c b/drivers/usb/renesas_usbhs/mod_gadget.c index 8647d2c2a8c4..c5553028e616 100644 --- a/drivers/usb/renesas_usbhs/mod_gadget.c +++ b/drivers/usb/renesas_usbhs/mod_gadget.c @@ -641,14 +641,11 @@ static int usbhsg_ep_disable(struct usb_ep *ep) struct usbhsg_uep *uep = usbhsg_ep_to_uep(ep); struct usbhs_pipe *pipe; unsigned long flags; - int ret = 0;
spin_lock_irqsave(&uep->lock, flags); pipe = usbhsg_uep_to_pipe(uep); - if (!pipe) { - ret = -EINVAL; + if (!pipe) goto out; - }
usbhsg_pipe_disable(uep); usbhs_pipe_free(pipe);
From: Lanqing Liu lanqing.liu@spreadtrum.com
On Spreadtrum's serial device, nearly all of interrupts would be cleared by hardware except timeout interrupt. This patch removed the operation of clearing all interrupt in irq handler, instead added an if statement to check if the timeout interrupt is supposed to be cleared.
Wrongly clearing timeout interrupt would lead to uart data stay in rx fifo, that means the driver cannot read them out anymore.
Signed-off-by: Lanqing Liu lanqing.liu@spreadtrum.com Signed-off-by: Chunyan Zhang chunyan.zhang@spreadtrum.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4350782570b919f254c1e083261a21c19fcaee90) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/tty/serial/sprd_serial.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/tty/serial/sprd_serial.c b/drivers/tty/serial/sprd_serial.c index 176f0a2bf9d9..c894eca57e73 100644 --- a/drivers/tty/serial/sprd_serial.c +++ b/drivers/tty/serial/sprd_serial.c @@ -63,6 +63,7 @@
/* interrupt clear register */ #define SPRD_ICLR 0x0014 +#define SPRD_ICLR_TIMEOUT BIT(13)
/* line control register */ #define SPRD_LCR 0x0018 @@ -298,7 +299,8 @@ static irqreturn_t sprd_handle_irq(int irq, void *dev_id) return IRQ_NONE; }
- serial_out(port, SPRD_ICLR, ~0); + if (ims & SPRD_IMSR_TIMEOUT) + serial_out(port, SPRD_ICLR, SPRD_ICLR_TIMEOUT);
if (ims & (SPRD_IMSR_RX_FIFO_FULL | SPRD_IMSR_BREAK_DETECT | SPRD_IMSR_TIMEOUT))
On Fri, Mar 22, 2019 at 04:44:14PM +0100, Arnd Bergmann wrote:
From: Lanqing Liu lanqing.liu@spreadtrum.com
On Spreadtrum's serial device, nearly all of interrupts would be cleared by hardware except timeout interrupt. This patch removed the operation of clearing all interrupt in irq handler, instead added an if statement to check if the timeout interrupt is supposed to be cleared.
Wrongly clearing timeout interrupt would lead to uart data stay in rx fifo, that means the driver cannot read them out anymore.
Signed-off-by: Lanqing Liu lanqing.liu@spreadtrum.com Signed-off-by: Chunyan Zhang chunyan.zhang@spreadtrum.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 4350782570b919f254c1e083261a21c19fcaee90) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/tty/serial/sprd_serial.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
Also added to 4.9.y
From: Peter Zijlstra peterz@infradead.org
The current int_sqrt() computation is sub-optimal for the case of small @x. Which is the interesting case when we're going to do cumulative distribution functions on idle times, which we assume to be a random variable, where the target residency of the deepest idle state gives an upper bound on the variable (5e6ns on recent Intel chips).
In the case of small @x, the compute loop:
while (m != 0) { b = y + m; y >>= 1;
if (x >= b) { x -= b; y += m; } m >>= 2; }
can be reduced to:
while (m > x) m >>= 2;
Because y==0, b==m and until x>=m y will remain 0.
And while this is computationally equivalent, it runs much faster because there's less code, in particular less branches.
cycles: branches: branch-misses:
OLD:
hot: 45.109444 +- 0.044117 44.333392 +- 0.002254 0.018723 +- 0.000593 cold: 187.737379 +- 0.156678 44.333407 +- 0.002254 6.272844 +- 0.004305
PRE:
hot: 67.937492 +- 0.064124 66.999535 +- 0.000488 0.066720 +- 0.001113 cold: 232.004379 +- 0.332811 66.999527 +- 0.000488 6.914634 +- 0.006568
POST:
hot: 43.633557 +- 0.034373 45.333132 +- 0.002277 0.023529 +- 0.000681 cold: 207.438411 +- 0.125840 45.333132 +- 0.002277 6.976486 +- 0.004219
Averages computed over all values <128k using a LFSR to generate order. Cold numbers have a LFSR based branch trace buffer 'confuser' ran between each int_sqrt() invocation.
Link: http://lkml.kernel.org/r/20171020164644.876503355@infradead.org Fixes: 30493cc9dddb ("lib/int_sqrt.c: optimize square root algorithm") Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Suggested-by: Anshul Garg aksgarg1989@gmail.com Acked-by: Linus Torvalds torvalds@linux-foundation.org Cc: Davidlohr Bueso dave@stgolabs.net Cc: Thomas Gleixner tglx@linutronix.de Cc: Ingo Molnar mingo@kernel.org Cc: Will Deacon will.deacon@arm.com Cc: Joe Perches joe@perches.com Cc: David Miller davem@davemloft.net Cc: Matthew Wilcox mawilcox@microsoft.com Cc: Kees Cook keescook@chromium.org Cc: Michael Davidson md@google.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org (cherry picked from commit 3f3295709edea6268ff1609855f498035286af73) Signed-off-by: Arnd Bergmann arnd@arndb.de --- lib/int_sqrt.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c index 1ef4cc344977..1afb545a37c5 100644 --- a/lib/int_sqrt.c +++ b/lib/int_sqrt.c @@ -22,6 +22,9 @@ unsigned long int_sqrt(unsigned long x) return x;
m = 1UL << (BITS_PER_LONG - 2); + while (m > x) + m >>= 2; + while (m != 0) { b = y + m; y >>= 1;
On Fri, Mar 22, 2019 at 04:44:15PM +0100, Arnd Bergmann wrote:
From: Peter Zijlstra peterz@infradead.org
The current int_sqrt() computation is sub-optimal for the case of small @x. Which is the interesting case when we're going to do cumulative distribution functions on idle times, which we assume to be a random variable, where the target residency of the deepest idle state gives an upper bound on the variable (5e6ns on recent Intel chips).
In the case of small @x, the compute loop:
while (m != 0) { b = y + m; y >>= 1;
if (x >= b) { x -= b; y += m; } m >>= 2;
}
can be reduced to:
while (m > x) m >>= 2;
Because y==0, b==m and until x>=m y will remain 0.
And while this is computationally equivalent, it runs much faster because there's less code, in particular less branches.
cycles: branches: branch-misses:
OLD:
hot: 45.109444 +- 0.044117 44.333392 +- 0.002254 0.018723 +- 0.000593 cold: 187.737379 +- 0.156678 44.333407 +- 0.002254 6.272844 +- 0.004305
PRE:
hot: 67.937492 +- 0.064124 66.999535 +- 0.000488 0.066720 +- 0.001113 cold: 232.004379 +- 0.332811 66.999527 +- 0.000488 6.914634 +- 0.006568
POST:
hot: 43.633557 +- 0.034373 45.333132 +- 0.002277 0.023529 +- 0.000681 cold: 207.438411 +- 0.125840 45.333132 +- 0.002277 6.976486 +- 0.004219
Averages computed over all values <128k using a LFSR to generate order. Cold numbers have a LFSR based branch trace buffer 'confuser' ran between each int_sqrt() invocation.
Link: http://lkml.kernel.org/r/20171020164644.876503355@infradead.org Fixes: 30493cc9dddb ("lib/int_sqrt.c: optimize square root algorithm") Signed-off-by: Peter Zijlstra (Intel) peterz@infradead.org Suggested-by: Anshul Garg aksgarg1989@gmail.com Acked-by: Linus Torvalds torvalds@linux-foundation.org Cc: Davidlohr Bueso dave@stgolabs.net Cc: Thomas Gleixner tglx@linutronix.de Cc: Ingo Molnar mingo@kernel.org Cc: Will Deacon will.deacon@arm.com Cc: Joe Perches joe@perches.com Cc: David Miller davem@davemloft.net Cc: Matthew Wilcox mawilcox@microsoft.com Cc: Kees Cook keescook@chromium.org Cc: Michael Davidson md@google.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Signed-off-by: Linus Torvalds torvalds@linux-foundation.org (cherry picked from commit 3f3295709edea6268ff1609855f498035286af73) Signed-off-by: Arnd Bergmann arnd@arndb.de
lib/int_sqrt.c | 3 +++ 1 file changed, 3 insertions(+)
Also added to 4.14.y and 4.9.y
From: Andrey Konovalov andreyknvl@google.com
When cleaning up the configurations, make sure we only free the number of configurations and interfaces that we could have allocated.
Reported-by: Andrey Konovalov andreyknvl@google.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3) Signed-off-by: Arnd Bergmann arnd@arndb.de --- drivers/usb/core/config.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c index 6a287c81a7be..b8eb289e0b17 100644 --- a/drivers/usb/core/config.c +++ b/drivers/usb/core/config.c @@ -734,18 +734,21 @@ void usb_destroy_configuration(struct usb_device *dev) return;
if (dev->rawdescriptors) { - for (i = 0; i < dev->descriptor.bNumConfigurations; i++) + for (i = 0; i < dev->descriptor.bNumConfigurations && + i < USB_MAXCONFIG; i++) kfree(dev->rawdescriptors[i]);
kfree(dev->rawdescriptors); dev->rawdescriptors = NULL; }
- for (c = 0; c < dev->descriptor.bNumConfigurations; c++) { + for (c = 0; c < dev->descriptor.bNumConfigurations && + c < USB_MAXCONFIG; c++) { struct usb_host_config *cf = &dev->config[c];
kfree(cf->string); - for (i = 0; i < cf->desc.bNumInterfaces; i++) { + for (i = 0; i < cf->desc.bNumInterfaces && + i < USB_MAXINTERFACES; i++) { if (cf->intf_cache[i]) kref_put(&cf->intf_cache[i]->ref, usb_release_interface_cache);
On Fri, Mar 22, 2019 at 04:44:16PM +0100, Arnd Bergmann wrote:
From: Andrey Konovalov andreyknvl@google.com
When cleaning up the configurations, make sure we only free the number of configurations and interfaces that we could have allocated.
Reported-by: Andrey Konovalov andreyknvl@google.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org (cherry picked from commit 32fd87b3bbf5f7a045546401dfe2894dbbf4d8c3) Signed-off-by: Arnd Bergmann arnd@arndb.de
drivers/usb/core/config.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
Also added to 4.14.y and 4.9.y
On Fri, Mar 22, 2019 at 04:43:51PM +0100, Arnd Bergmann wrote:
I took a scripted approach to look at some product kernels for patches backported into vendor kernels. This is a set of (mostly) bugfixes I found in Spreadtrum's linux-4.4 kernel that are missing in 4.4.176:
ffedbd2210f2 mmc: pwrseq: constify mmc_pwrseq_ops structures c10368897e10 ALSA: compress: add support for 32bit calls in a 64bit kernel 64a67d4762ce mmc: pwrseq_simple: Make reset-gpios optional to match doc 4ec0ef3a8212 USB: iowarrior: fix oops with malicious USB descriptors e5905ff1281f mmc: debugfs: Add a restriction to mmc debugfs clock setting 4ec96b4cbde8 mmc: make MAN_BKOPS_EN message a debug ed9feec72fc1 mmc: sanitize 'bus width' in debug output 10a16a01d8f7 mmc: core: shut up "voltage-ranges unspecified" pr_info() 9772b47a4c29 usb: dwc3: gadget: Fix suspend/resume during device mode 6afedcd23cfd arm64: mm: Add trace_irqflags annotations to do_debug_exception() 437db4c6e798 mmc: mmc: Attempt to flush cache before reset e51534c80660 mmc: core: fix using wrong io voltage if mmc_select_hs200 fails e4c5800a3991 mm/rmap: replace BUG_ON(anon_vma->degree) with VM_WARN_ON 04c080080855 extcon: usb-gpio: Don't miss event during suspend/resume 78283edf2c01 kbuild: setlocalversion: print error to STDERR c526c62d565e usb: gadget: composite: fix dereference after null check coverify warning 511a36d2f357 usb: gadget: Add the gserial port checking in gs_start_tx() 1712c9373f98 mmc: core: don't try to switch block size for dual rate mode 5ea8ea2cb7f1 tcp/dccp: drop SYN packets if accept queue is full e1dc9b08051a serial: sprd: adjust TIMEOUT to a big value 81be24d263db Hang/soft lockup in d_invalidate with simultaneous calls 6f44a0bacb79 arm64: traps: disable irq in die() b7d44c36a6f6 usb: renesas_usbhs: gadget: fix unused-but-set-variable warning 4350782570b9 serial: sprd: clear timeout interrupt only rather than all interrupts 3f3295709ede lib/int_sqrt: optimize small argument 32fd87b3bbf5 USB: core: only clean up what we allocated
All now queued up, except for the exceptions I have responded to.
thanks,
greg k-h
linux-stable-mirror@lists.linaro.org