This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 4.4.122-rc1
Greg Kroah-Hartman gregkh@linuxfoundation.org fixup: sctp: verify size of a new chunk in _sctp_make_chunk()
Nikola Ciprich nikola.ciprich@linuxbox.cz serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
Xinyong xinyong.fang@linux.alibaba.com usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
Pete Zaitcev zaitcev@kotori.zaitcev.us usb: usbmon: Read text within supplied buffer size
Julia Lawall Julia.Lawall@lip6.fr USB: usbmon: remove assignment from IS_ERR argument
Danilo Krummrich danilokrummrich@dk-develop.de usb: quirks: add control message delay for 1b1c:1b20
Teijo Kinnunen teijo.kinnunen@code-q.fi USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
Joel Fernandes joelaf@google.com staging: android: ashmem: Fix lockdep issue during llseek
Frank Mori Hess fmh6jj@gmail.com staging: comedi: fix comedi_nsamples_left.
Oliver Neukum oneukum@suse.com uas: fix comparison for error code
Jonas Danielsson jonas@orbital-systems.com tty/serial: atmel: add new version check for usart
Ulrich Hecht ulrich.hecht+renesas@gmail.com serial: sh-sci: prevent lockup on full TTY buffers
H.J. Lu hjl.tools@gmail.com x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
Josh Poimboeuf jpoimboe@redhat.com x86/module: Detect and skip invalid relocations
Greg Kroah-Hartman gregkh@linuxfoundation.org Revert "ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux"
Trond Myklebust trond.myklebust@primarydata.com NFS: Fix an incorrect type in struct nfs_direct_req
Quinn Tran quinn.tran@cavium.com scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport
Clay McClure clay@daemons.net ubi: Fix race condition between ubi volume creation and udev
Tahsin Erdogan tahsin@google.com ext4: inplace xattr block update fails to deduplicate blocks
Florian Westphal fw@strlen.de netfilter: x_tables: pack percpu counter allocations
Florian Westphal fw@strlen.de netfilter: x_tables: pass xt_counters struct to counter allocator
Florian Westphal fw@strlen.de netfilter: x_tables: pass xt_counters struct instead of packet counter
Florian Westphal fw@strlen.de netfilter: use skb_to_full_sk in ip_route_me_harder
Florian Westphal fw@strlen.de netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
Florian Westphal fw@strlen.de netfilter: bridge: ebt_among: add missing match size checks
Florian Westphal fw@strlen.de netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
Eric Dumazet edumazet@google.com netfilter: IDLETIMER: be syzkaller friendly
Paolo Abeni pabeni@redhat.com netfilter: nat: cope with negative port range
Paolo Abeni pabeni@redhat.com netfilter: x_tables: fix missing timer initialization in xt_LED
Florian Westphal fw@strlen.de netfilter: add back stackpointer size checks
Philipp Zabel p.zabel@pengutronix.de tc358743: fix register i2c_rd/wr function fix
Dmitry Torokhov dmitry.torokhov@gmail.com Input: tca8418_keypad - remove double read of key event register
Arnd Bergmann arnd@arndb.de ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds
Florian Westphal fw@strlen.de netfilter: nfnetlink_queue: fix timestamp attribute
Arnd Bergmann arnd@arndb.de watchdog: hpwdt: fix unused variable warning
Jerry Hoemann jerry.hoemann@hpe.com watchdog: hpwdt: Check source of NMI
Jerry Hoemann jerry.hoemann@hpe.com watchdog: hpwdt: SMBIOS check
Dan Williams dan.j.williams@intel.com nospec: Include <asm/barrier.h> dependency
Dennis Wassenberg dennis.wassenberg@secunet.com ALSA: hda: add dock and led support for HP ProBook 640 G2
Dennis Wassenberg dennis.wassenberg@secunet.com ALSA: hda: add dock and led support for HP EliteBook 820 G3
Takashi Iwai tiwai@suse.de ALSA: seq: More protection for concurrent write and ioctl races
Takashi Iwai tiwai@suse.de ALSA: seq: Don't allow resizing pool in use
Takashi Iwai tiwai@suse.de ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520
Seunghun Han kkamagui@gmail.com x86/MCE: Serialize sysfs changes
Michael Lyle mlyle@lyle.org bcache: don't attach backing with duplicate UUID
James Hogan jhogan@kernel.org kbuild: Handle builtin dtb file names containing hyphens
Ross Zwisler ross.zwisler@linux.intel.com loop: Fix lost writes caused by missing flag
Zhang Bo zbsdta@126.com Input: matrix_keypad - fix race when disabling interrupts
Colin Ian King colin.king@canonical.com MIPS: OCTEON: irq: Check for null return on kzalloc allocation
Colin Ian King colin.king@canonical.com MIPS: ath25: Check for kzalloc allocation failure
Justin Chen justinpopo6@gmail.com MIPS: BMIPS: Do not mask IPIs during suspend
Alex Deucher alexander.deucher@amd.com drm/amdgpu: fix KV harvesting
Alex Deucher alexander.deucher@amd.com drm/radeon: fix KV harvesting
Rex Zhu Rex.Zhu@amd.com drm/amdgpu: Notify sbios device ready before send request
Lukas Wunner lukas@wunner.de drm/amdgpu: Fix deadlock on runtime suspend
Lukas Wunner lukas@wunner.de drm/radeon: Fix deadlock on runtime suspend
Lukas Wunner lukas@wunner.de drm/nouveau: Fix deadlock on runtime suspend
Lukas Wunner lukas@wunner.de drm: Allow determining if current task is output poll worker
Lukas Wunner lukas@wunner.de workqueue: Allow retrieval of current task's work struct
himanshu.madhani@cavium.com himanshu.madhani@cavium.com scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS
Leon Romanovsky leonro@mellanox.com RDMA/mlx5: Fix integer overflow while resizing CQ
Leon Romanovsky leonro@mellanox.com RDMA/ucma: Check that user doesn't overflow QP state
Leon Romanovsky leonro@mellanox.com RDMA/ucma: Limit possible option size
-------------
Diffstat:
Makefile | 4 +- arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 8 -- arch/arm/mach-omap2/omap-secure.c | 2 + arch/mips/ath25/board.c | 2 + arch/mips/cavium-octeon/octeon-irq.c | 2 + arch/mips/kernel/smp-bmips.c | 8 +- arch/x86/kernel/cpu/mcheck/mce.c | 22 ++++- arch/x86/kernel/machine_kexec_64.c | 1 + arch/x86/kernel/module.c | 14 +++ arch/x86/tools/relocs.c | 3 + drivers/block/loop.c | 2 +- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 58 ++++++++---- drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 30 +----- drivers/gpu/drm/drm_probe_helper.c | 20 ++++ drivers/gpu/drm/nouveau/nouveau_connector.c | 18 +++- drivers/gpu/drm/radeon/cik.c | 31 +------ drivers/gpu/drm/radeon/radeon_connectors.c | 74 ++++++++++----- drivers/infiniband/core/ucma.c | 6 ++ drivers/infiniband/hw/mlx5/cq.c | 7 +- drivers/input/keyboard/matrix_keypad.c | 4 +- drivers/input/keyboard/tca8418_keypad.c | 2 - drivers/md/bcache/super.c | 11 +++ drivers/media/i2c/tc358743.c | 2 +- drivers/mtd/ubi/vmt.c | 15 ++- drivers/scsi/qla2xxx/qla_init.c | 1 + drivers/scsi/qla2xxx/qla_target.c | 2 +- drivers/staging/android/ashmem.c | 15 ++- drivers/staging/comedi/drivers.c | 3 +- drivers/tty/serial/8250/8250_pci.c | 11 +++ drivers/tty/serial/atmel_serial.c | 1 + drivers/tty/serial/sh-sci.c | 2 + drivers/usb/core/message.c | 4 + drivers/usb/core/quirks.c | 3 +- drivers/usb/gadget/function/f_fs.c | 1 - drivers/usb/mon/mon_text.c | 124 ++++++++++++++++--------- drivers/usb/storage/uas.c | 2 +- drivers/usb/storage/unusual_devs.h | 7 ++ drivers/watchdog/hpwdt.c | 12 ++- fs/ext4/xattr.c | 3 +- fs/nfs/direct.c | 2 +- include/drm/drm_crtc_helper.h | 1 + include/linux/netfilter/x_tables.h | 38 ++------ include/linux/nospec.h | 1 + include/linux/usb/quirks.h | 3 + include/linux/workqueue.h | 1 + kernel/workqueue.c | 16 ++++ net/bridge/netfilter/ebt_among.c | 21 ++++- net/bridge/netfilter/ebtables.c | 13 ++- net/ipv4/netfilter.c | 7 +- net/ipv4/netfilter/arp_tables.c | 20 ++-- net/ipv4/netfilter/ip_tables.c | 20 ++-- net/ipv6/netfilter/ip6_tables.c | 21 +++-- net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 + net/netfilter/nf_nat_proto_common.c | 7 +- net/netfilter/nfnetlink_queue.c | 2 +- net/netfilter/x_tables.c | 55 +++++++++++ net/netfilter/xt_IDLETIMER.c | 9 +- net/netfilter/xt_LED.c | 12 +-- net/sctp/sm_make_chunk.c | 2 +- scripts/Makefile.lib | 8 +- sound/core/seq/seq_clientmgr.c | 21 +++-- sound/core/seq/seq_fifo.c | 2 +- sound/core/seq/seq_memory.c | 14 ++- sound/core/seq/seq_memory.h | 3 +- sound/pci/hda/patch_conexant.c | 2 + sound/pci/hda/patch_realtek.c | 16 ++++ 67 files changed, 572 insertions(+), 289 deletions(-)
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky leonro@mellanox.com
commit 6a21dfc0d0db7b7e0acedce67ca533a6eb19283c upstream.
Users of ucma are supposed to provide size of option level, in most paths it is supposed to be equal to u8 or u16, but it is not the case for the IB path record, where it can be multiple of struct ib_path_rec_data.
This patch takes simplest possible approach and prevents providing values more than possible to allocate.
Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com Fixes: 7ce86409adcd ("RDMA/ucma: Allow user space to set service type") Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1274,6 +1274,9 @@ static ssize_t ucma_set_option(struct uc if (IS_ERR(ctx)) return PTR_ERR(ctx);
+ if (unlikely(cmd.optval > KMALLOC_MAX_SIZE)) + return -EINVAL; + optval = memdup_user((void __user *) (unsigned long) cmd.optval, cmd.optlen); if (IS_ERR(optval)) {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky leonro@mellanox.com
commit a5880b84430316e3e1c1f5d23aa32ec6000cc717 upstream.
The QP state is limited and declared in enum ib_qp_state, but ucma user was able to supply any possible (u32) value.
Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com Fixes: 75216638572f ("RDMA/cma: Export rdma cm interface to userspace") Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/infiniband/core/ucma.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/infiniband/core/ucma.c +++ b/drivers/infiniband/core/ucma.c @@ -1138,6 +1138,9 @@ static ssize_t ucma_init_qp_attr(struct if (copy_from_user(&cmd, inbuf, sizeof(cmd))) return -EFAULT;
+ if (cmd.qp_state > IB_QPS_ERR) + return -EINVAL; + ctx = ucma_get_ctx(file, cmd.id); if (IS_ERR(ctx)) return PTR_ERR(ctx);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leon Romanovsky leonro@mellanox.com
commit 28e9091e3119933c38933cb8fc48d5618eb784c8 upstream.
The user can provide very large cqe_size which will cause to integer overflow as it can be seen in the following UBSAN warning:
======================================================================= UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53 signed integer overflow: 64870 * 65536 cannot be represented in type 'int' CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014 Call Trace: dump_stack+0xde/0x164 ? dma_virt_map_sg+0x22c/0x22c ubsan_epilogue+0xe/0x81 handle_overflow+0x1f3/0x251 ? __ubsan_handle_negate_overflow+0x19b/0x19b ? lock_acquire+0x440/0x440 mlx5_ib_resize_cq+0x17e7/0x1e40 ? cyc2ns_read_end+0x10/0x10 ? native_read_msr_safe+0x6c/0x9b ? cyc2ns_read_end+0x10/0x10 ? mlx5_ib_modify_cq+0x220/0x220 ? sched_clock_cpu+0x18/0x200 ? lookup_get_idr_uobject+0x200/0x200 ? rdma_lookup_get_uobject+0x145/0x2f0 ib_uverbs_resize_cq+0x207/0x3e0 ? ib_uverbs_ex_create_cq+0x250/0x250 ib_uverbs_write+0x7f9/0xef0 ? cyc2ns_read_end+0x10/0x10 ? print_irqtrace_events+0x280/0x280 ? ib_uverbs_ex_create_cq+0x250/0x250 ? uverbs_devnode+0x110/0x110 ? sched_clock_cpu+0x18/0x200 ? do_raw_spin_trylock+0x100/0x100 ? __lru_cache_add+0x16e/0x290 __vfs_write+0x10d/0x700 ? uverbs_devnode+0x110/0x110 ? kernel_read+0x170/0x170 ? sched_clock_cpu+0x18/0x200 ? security_file_permission+0x93/0x260 vfs_write+0x1b0/0x550 SyS_write+0xc7/0x1a0 ? SyS_read+0x1a0/0x1a0 ? trace_hardirqs_on_thunk+0x1a/0x1c entry_SYSCALL_64_fastpath+0x1e/0x8b RIP: 0033:0x433549 RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217 =======================================================================
Cc: syzkaller syzkaller@googlegroups.com Cc: stable@vger.kernel.org # 3.13 Fixes: bde51583f49b ("IB/mlx5: Add support for resize CQ") Reported-by: Noa Osherovich noaos@mellanox.com Reviewed-by: Yishai Hadas yishaih@mellanox.com Signed-off-by: Leon Romanovsky leonro@mellanox.com Signed-off-by: Doug Ledford dledford@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/infiniband/hw/mlx5/cq.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/infiniband/hw/mlx5/cq.c +++ b/drivers/infiniband/hw/mlx5/cq.c @@ -972,7 +972,12 @@ static int resize_user(struct mlx5_ib_de if (ucmd.reserved0 || ucmd.reserved1) return -EINVAL;
- umem = ib_umem_get(context, ucmd.buf_addr, entries * ucmd.cqe_size, + /* check multiplication overflow */ + if (ucmd.cqe_size && SIZE_MAX / ucmd.cqe_size <= entries - 1) + return -EINVAL; + + umem = ib_umem_get(context, ucmd.buf_addr, + (size_t)ucmd.cqe_size * entries, IB_ACCESS_LOCAL_WRITE, 1); if (IS_ERR(umem)) { err = PTR_ERR(umem);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: himanshu.madhani@cavium.com himanshu.madhani@cavium.com
commit 1514839b366417934e2f1328edb50ed1e8a719f5 upstream.
This patch fixes NULL pointer crash due to active timer running for abort IOCB.
From crash dump analysis it was discoverd that get_next_timer_interrupt()
encountered a corrupted entry on the timer list.
#9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8 [exception RIP: get_next_timer_interrupt+440] RIP: ffffffff90ea3088 RSP: ffff95e1f6f0fdf0 RFLAGS: 00010013 RAX: ffff95e1f6451028 RBX: 000218e2389e5f40 RCX: 00000001232ad600 RDX: 0000000000000001 RSI: ffff95e1f6f0fdf0 RDI: 0000000001232ad6 RBP: ffff95e1f6f0fe40 R8: ffff95e1f6451188 R9: 0000000000000001 R10: 0000000000000016 R11: 0000000000000016 R12: 00000001232ad5f6 R13: ffff95e1f6450000 R14: ffff95e1f6f0fdf8 R15: ffff95e1f6f0fe10 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
Looking at the assembly of get_next_timer_interrupt(), address came from %r8 (ffff95e1f6451188) which is pointing to list_head with single entry at ffff95e5ff621178.
0xffffffff90ea307a <get_next_timer_interrupt+426>: mov (%r8),%rdx 0xffffffff90ea307d <get_next_timer_interrupt+429>: cmp %r8,%rdx 0xffffffff90ea3080 <get_next_timer_interrupt+432>: je 0xffffffff90ea30a7 <get_next_timer_interrupt+471> 0xffffffff90ea3082 <get_next_timer_interrupt+434>: nopw 0x0(%rax,%rax,1) 0xffffffff90ea3088 <get_next_timer_interrupt+440>: testb $0x1,0x18(%rdx)
crash> rd ffff95e1f6451188 10 ffff95e1f6451188: ffff95e5ff621178 ffff95e5ff621178 x.b.....x.b..... ffff95e1f6451198: ffff95e1f6451198 ffff95e1f6451198 ..E.......E..... ffff95e1f64511a8: ffff95e1f64511a8 ffff95e1f64511a8 ..E.......E..... ffff95e1f64511b8: ffff95e77cf509a0 ffff95e77cf509a0 ...|.......|.... ffff95e1f64511c8: ffff95e1f64511c8 ffff95e1f64511c8 ..E.......E.....
crash> rd ffff95e5ff621178 10 ffff95e5ff621178: 0000000000000001 ffff95e15936aa00 ..........6Y.... ffff95e5ff621188: 0000000000000000 00000000ffffffff ................ ffff95e5ff621198: 00000000000000a0 0000000000000010 ................ ffff95e5ff6211a8: ffff95e5ff621198 000000000000000c ..b............. ffff95e5ff6211b8: 00000f5800000000 ffff95e751f8d720 ....X... ..Q....
ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.
CACHE NAME OBJSIZE ALLOCATED TOTAL SLABS SSIZE ffff95dc7fd74d00 mnt_cache 384 19785 24948 594 16k SLAB MEMORY NODE TOTAL ALLOCATED FREE ffffdc5dabfd8800 ffff95e5ff620000 1 42 29 13 FREE / [ALLOCATED] ffff95e5ff621080 (cpu 6 cache)
Examining the contents of that memory reveals a pointer to a constant string in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().
crash> rd ffffffffc059277c 20 ffffffffc059277c: 6e490074726f6261 0074707572726574 abort.Interrupt. ffffffffc059278c: 00676e696c6c6f50 6920726576697244 Polling.Driver i ffffffffc059279c: 646f6d207325206e 6974736554000a65 n %s mode..Testi ffffffffc05927ac: 636976656420676e 786c252074612065 ng device at %lx ffffffffc05927bc: 6b63656843000a2e 646f727020676e69 ...Checking prod ffffffffc05927cc: 6f20444920746375 0a2e706968632066 uct ID of chip.. ffffffffc05927dc: 5120646e756f4600 204130303232414c .Found QLA2200A ffffffffc05927ec: 43000a2e70696843 20676e696b636568 Chip...Checking ffffffffc05927fc: 65786f626c69616d 6c636e69000a2e73 mailboxes...incl ffffffffc059280c: 756e696c2f656475 616d2d616d642f78 ude/linux/dma-ma
crash> struct -ox srb_iocb struct srb_iocb { union { struct {...} logio; struct {...} els_logo; struct {...} tmf; struct {...} fxiocb; struct {...} abt; struct ct_arg ctarg; struct {...} mbx; struct {...} nack; [0x0 ] } u; [0xb8] struct timer_list timer; [0x108] void (*timeout)(void *); } SIZE: 0x110
crash> ! bc ibase=16 obase=10 B8+40 F8
The object is a srb_t, and at offset 0xf8 within that structure (i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.
Cc: stable@vger.kernel.org #4.4+ Fixes: 4440e46d5db7 ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.") Signed-off-by: Himanshu Madhani himanshu.madhani@cavium.com Reviewed-by: Johannes Thumshirn jthumshirn@suse.de Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/scsi/qla2xxx/qla_init.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/scsi/qla2xxx/qla_init.c +++ b/drivers/scsi/qla2xxx/qla_init.c @@ -365,6 +365,7 @@ qla24xx_abort_sp_done(void *data, void * srb_t *sp = (srb_t *)ptr; struct srb_iocb *abt = &sp->u.iocb_cmd;
+ del_timer(&sp->u.iocb_cmd.timer); complete(&abt->u.abt.comp); }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner lukas@wunner.de
commit 27d4ee03078aba88c5e07dcc4917e8d01d046f38 upstream.
Introduce a helper to retrieve the current task's work struct if it is a workqueue worker.
This allows us to fix a long-standing deadlock in several DRM drivers wherein the ->runtime_suspend callback waits for a specific worker to finish and that worker in turn calls a function which waits for runtime suspend to finish. That function is invoked from multiple call sites and waiting for runtime suspend to finish is the correct thing to do except if it's executing in the context of the worker.
Cc: Lai Jiangshan jiangshanlai@gmail.com Cc: Dave Airlie airlied@redhat.com Cc: Ben Skeggs bskeggs@redhat.com Cc: Alex Deucher alexander.deucher@amd.com Acked-by: Tejun Heo tj@kernel.org Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lukas Wunner lukas@wunner.de Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/workqueue.h | 1 + kernel/workqueue.c | 16 ++++++++++++++++ 2 files changed, 17 insertions(+)
--- a/include/linux/workqueue.h +++ b/include/linux/workqueue.h @@ -451,6 +451,7 @@ extern bool cancel_delayed_work_sync(str
extern void workqueue_set_max_active(struct workqueue_struct *wq, int max_active); +extern struct work_struct *current_work(void); extern bool current_is_workqueue_rescuer(void); extern bool workqueue_congested(int cpu, struct workqueue_struct *wq); extern unsigned int work_busy(struct work_struct *work); --- a/kernel/workqueue.c +++ b/kernel/workqueue.c @@ -4048,6 +4048,22 @@ void workqueue_set_max_active(struct wor EXPORT_SYMBOL_GPL(workqueue_set_max_active);
/** + * current_work - retrieve %current task's work struct + * + * Determine if %current task is a workqueue worker and what it's working on. + * Useful to find out the context that the %current task is running in. + * + * Return: work struct if %current task is a workqueue worker, %NULL otherwise. + */ +struct work_struct *current_work(void) +{ + struct worker *worker = current_wq_worker(); + + return worker ? worker->current_work : NULL; +} +EXPORT_SYMBOL(current_work); + +/** * current_is_workqueue_rescuer - is %current workqueue rescuer? * * Determine whether %current is a workqueue rescuer. Can be used from
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner lukas@wunner.de
commit 25c058ccaf2ebbc3e250ec1e199e161f91fe27d4 upstream.
Introduce a helper to determine if the current task is an output poll worker.
This allows us to fix a long-standing deadlock in several DRM drivers wherein the ->runtime_suspend callback waits for the output poll worker to finish and the worker in turn calls a ->detect callback which waits for runtime suspend to finish. The ->detect callback is invoked from multiple call sites and waiting for runtime suspend to finish is the correct thing to do except if it's executing in the context of the worker.
v2: Expand kerneldoc to specifically mention deadlock between output poll worker and autosuspend worker as use case. (Lyude)
Cc: Dave Airlie airlied@redhat.com Cc: Ben Skeggs bskeggs@redhat.com Cc: Alex Deucher alexander.deucher@amd.com Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lukas Wunner lukas@wunner.de Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/drm_probe_helper.c | 20 ++++++++++++++++++++ include/drm/drm_crtc_helper.h | 1 + 2 files changed, 21 insertions(+)
--- a/drivers/gpu/drm/drm_probe_helper.c +++ b/drivers/gpu/drm/drm_probe_helper.c @@ -412,6 +412,26 @@ out: }
/** + * drm_kms_helper_is_poll_worker - is %current task an output poll worker? + * + * Determine if %current task is an output poll worker. This can be used + * to select distinct code paths for output polling versus other contexts. + * + * One use case is to avoid a deadlock between the output poll worker and + * the autosuspend worker wherein the latter waits for polling to finish + * upon calling drm_kms_helper_poll_disable(), while the former waits for + * runtime suspend to finish upon calling pm_runtime_get_sync() in a + * connector ->detect hook. + */ +bool drm_kms_helper_is_poll_worker(void) +{ + struct work_struct *work = current_work(); + + return work && work->func == output_poll_execute; +} +EXPORT_SYMBOL(drm_kms_helper_is_poll_worker); + +/** * drm_kms_helper_poll_disable - disable output polling * @dev: drm_device * --- a/include/drm/drm_crtc_helper.h +++ b/include/drm/drm_crtc_helper.h @@ -241,5 +241,6 @@ extern void drm_kms_helper_hotplug_event extern void drm_kms_helper_poll_disable(struct drm_device *dev); extern void drm_kms_helper_poll_enable(struct drm_device *dev); extern void drm_kms_helper_poll_enable_locked(struct drm_device *dev); +extern bool drm_kms_helper_is_poll_worker(void);
#endif
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner lukas@wunner.de
commit d61a5c1063515e855bedb1b81e20e50b0ac3541e upstream.
nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), which waits for the output poll worker to finish if it's running.
The output poll worker meanwhile calls pm_runtime_get_sync() in nouveau_connector_detect() which waits for the ongoing suspend to finish, causing a deadlock.
Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is called in the output poll worker's context. This is safe because the poll worker is only enabled while runtime active and we know that ->runtime_suspend waits for it to finish.
Other contexts calling nouveau_connector_detect() do require a runtime PM ref, these comprise:
status_store() drm sysfs interface ->fill_modes drm callback drm_fb_helper_probe_connector_modes() drm_mode_getconnector() nouveau_connector_hotplug() nouveau_display_hpd_work() nv17_tv_set_property()
Stack trace for posterity:
INFO: task kworker/0:1:58 blocked for more than 120 seconds. Workqueue: events output_poll_execute [drm_kms_helper] Call Trace: schedule+0x28/0x80 rpm_resume+0x107/0x6e0 __pm_runtime_resume+0x47/0x70 nouveau_connector_detect+0x7e/0x4a0 [nouveau] nouveau_connector_detect_lvds+0x132/0x180 [nouveau] drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper] output_poll_execute+0x11e/0x1c0 [drm_kms_helper] process_one_work+0x184/0x380 worker_thread+0x2e/0x390
INFO: task kworker/0:2:252 blocked for more than 120 seconds. Workqueue: pm pm_runtime_work Call Trace: schedule+0x28/0x80 schedule_timeout+0x1e3/0x370 wait_for_completion+0x123/0x190 flush_work+0x142/0x1c0 nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau] pci_pm_runtime_suspend+0x5c/0x180 vga_switcheroo_runtime_suspend+0x1e/0xa0 __rpm_callback+0xc1/0x200 rpm_callback+0x1f/0x70 rpm_suspend+0x13c/0x640 pm_runtime_work+0x6e/0x90 process_one_work+0x184/0x380 worker_thread+0x2e/0x390
Bugzilla: https://bugs.archlinux.org/task/53497 Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33 Fixes: 5addcf0a5f0f ("nouveau: add runtime PM support (v0.9)") Cc: stable@vger.kernel.org # v3.12+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct Cc: stable@vger.kernel.org # v3.12+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker Cc: Ben Skeggs bskeggs@redhat.com Cc: Dave Airlie airlied@redhat.com Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lukas Wunner lukas@wunner.de Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/nouveau/nouveau_connector.c | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c +++ b/drivers/gpu/drm/nouveau/nouveau_connector.c @@ -253,9 +253,15 @@ nouveau_connector_detect(struct drm_conn nv_connector->edid = NULL; }
- ret = pm_runtime_get_sync(connector->dev->dev); - if (ret < 0 && ret != -EACCES) - return conn_status; + /* Outputs are only polled while runtime active, so acquiring a + * runtime PM ref here is unnecessary (and would deadlock upon + * runtime suspend because it waits for polling to finish). + */ + if (!drm_kms_helper_is_poll_worker()) { + ret = pm_runtime_get_sync(connector->dev->dev); + if (ret < 0 && ret != -EACCES) + return conn_status; + }
nv_encoder = nouveau_connector_ddc_detect(connector); if (nv_encoder && (i2c = nv_encoder->i2c) != NULL) { @@ -323,8 +329,10 @@ detect_analog:
out:
- pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return conn_status; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner lukas@wunner.de
commit 15734feff2bdac24aa3266c437cffa42851990e3 upstream.
radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), which waits for the output poll worker to finish if it's running.
The output poll worker meanwhile calls pm_runtime_get_sync() in radeon's ->detect hooks, which waits for the ongoing suspend to finish, causing a deadlock.
Fix by not acquiring a runtime PM ref if the ->detect hooks are called in the output poll worker's context. This is safe because the poll worker is only enabled while runtime active and we know that ->runtime_suspend waits for it to finish.
Stack trace for posterity:
INFO: task kworker/0:3:31847 blocked for more than 120 seconds Workqueue: events output_poll_execute [drm_kms_helper] Call Trace: schedule+0x3c/0x90 rpm_resume+0x1e2/0x690 __pm_runtime_resume+0x3f/0x60 radeon_lvds_detect+0x39/0xf0 [radeon] output_poll_execute+0xda/0x1e0 [drm_kms_helper] process_one_work+0x14b/0x440 worker_thread+0x48/0x4a0
INFO: task kworker/2:0:10493 blocked for more than 120 seconds. Workqueue: pm pm_runtime_work Call Trace: schedule+0x3c/0x90 schedule_timeout+0x1b3/0x240 wait_for_common+0xc2/0x180 wait_for_completion+0x1d/0x20 flush_work+0xfc/0x1a0 __cancel_work_timer+0xa5/0x1d0 cancel_delayed_work_sync+0x13/0x20 drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper] radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon] pci_pm_runtime_suspend+0x61/0x1a0 vga_switcheroo_runtime_suspend+0x21/0x70 __rpm_callback+0x32/0x70 rpm_callback+0x24/0x80 rpm_suspend+0x12b/0x640 pm_runtime_work+0x6f/0xb0 process_one_work+0x14b/0x440 worker_thread+0x48/0x4a0
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147 Fixes: 10ebc0bc0934 ("drm/radeon: add runtime PM support (v2)") Cc: stable@vger.kernel.org # v3.13+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct Cc: stable@vger.kernel.org # v3.13+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker Cc: Ismo Toijala ismo.toijala@gmail.com Cc: Alex Deucher alexander.deucher@amd.com Cc: Dave Airlie airlied@redhat.com Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lukas Wunner lukas@wunner.de Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bb... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/radeon/radeon_connectors.c | 74 +++++++++++++++++++---------- 1 file changed, 49 insertions(+), 25 deletions(-)
--- a/drivers/gpu/drm/radeon/radeon_connectors.c +++ b/drivers/gpu/drm/radeon/radeon_connectors.c @@ -891,9 +891,11 @@ radeon_lvds_detect(struct drm_connector enum drm_connector_status ret = connector_status_disconnected; int r;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (encoder) { struct radeon_encoder *radeon_encoder = to_radeon_encoder(encoder); @@ -916,8 +918,12 @@ radeon_lvds_detect(struct drm_connector /* check acpi lid status ??? */
radeon_connector_update_scratch_regs(connector, ret); - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + } + return ret; }
@@ -1020,9 +1026,11 @@ radeon_vga_detect(struct drm_connector * enum drm_connector_status ret = connector_status_disconnected; int r;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
encoder = radeon_best_single_encoder(connector); if (!encoder) @@ -1089,8 +1097,10 @@ radeon_vga_detect(struct drm_connector * radeon_connector_update_scratch_regs(connector, ret);
out: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; } @@ -1153,9 +1163,11 @@ radeon_tv_detect(struct drm_connector *c if (!radeon_connector->dac_load_detect) return ret;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
encoder = radeon_best_single_encoder(connector); if (!encoder) @@ -1167,8 +1179,12 @@ radeon_tv_detect(struct drm_connector *c if (ret == connector_status_connected) ret = radeon_connector_analog_encoder_conflict_solve(connector, encoder, ret, false); radeon_connector_update_scratch_regs(connector, ret); - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + } + return ret; }
@@ -1230,9 +1246,11 @@ radeon_dvi_detect(struct drm_connector * enum drm_connector_status ret = connector_status_disconnected; bool dret = false, broken_edid = false;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (radeon_connector->detected_hpd_without_ddc) { force = true; @@ -1415,8 +1433,10 @@ out: }
exit: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; } @@ -1666,9 +1686,11 @@ radeon_dp_detect(struct drm_connector *c if (radeon_dig_connector->is_mst) return connector_status_disconnected;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (!force && radeon_check_hpd_status_unchanged(connector)) { ret = connector->status; @@ -1755,8 +1777,10 @@ radeon_dp_detect(struct drm_connector *c }
out: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lukas Wunner lukas@wunner.de
commit aa0aad57909eb321746325951d66af88a83bc956 upstream.
amdgpu's ->runtime_suspend hook calls drm_kms_helper_poll_disable(), which waits for the output poll worker to finish if it's running.
The output poll worker meanwhile calls pm_runtime_get_sync() in amdgpu's ->detect hooks, which waits for the ongoing suspend to finish, causing a deadlock.
Fix by not acquiring a runtime PM ref if the ->detect hooks are called in the output poll worker's context. This is safe because the poll worker is only enabled while runtime active and we know that ->runtime_suspend waits for it to finish.
Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Cc: stable@vger.kernel.org # v4.2+: 27d4ee03078a: workqueue: Allow retrieval of current task's work struct Cc: stable@vger.kernel.org # v4.2+: 25c058ccaf2e: drm: Allow determining if current task is output poll worker Cc: Alex Deucher alexander.deucher@amd.com Tested-by: Mike Lothian mike@fireburn.co.uk Reviewed-by: Lyude Paul lyude@redhat.com Signed-off-by: Lukas Wunner lukas@wunner.de Link: https://patchwork.freedesktop.org/patch/msgid/4c9bf72aacae1eef062bd134cd112e... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 58 ++++++++++++++++--------- 1 file changed, 38 insertions(+), 20 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c @@ -739,9 +739,11 @@ amdgpu_connector_lvds_detect(struct drm_ enum drm_connector_status ret = connector_status_disconnected; int r;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (encoder) { struct amdgpu_encoder *amdgpu_encoder = to_amdgpu_encoder(encoder); @@ -760,8 +762,12 @@ amdgpu_connector_lvds_detect(struct drm_ /* check acpi lid status ??? */
amdgpu_connector_update_scratch_regs(connector, ret); - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + } + return ret; }
@@ -862,9 +868,11 @@ amdgpu_connector_vga_detect(struct drm_c enum drm_connector_status ret = connector_status_disconnected; int r;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
encoder = amdgpu_connector_best_single_encoder(connector); if (!encoder) @@ -918,8 +926,10 @@ amdgpu_connector_vga_detect(struct drm_c amdgpu_connector_update_scratch_regs(connector, ret);
out: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; } @@ -981,9 +991,11 @@ amdgpu_connector_dvi_detect(struct drm_c enum drm_connector_status ret = connector_status_disconnected; bool dret = false, broken_edid = false;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { ret = connector->status; @@ -1108,8 +1120,10 @@ out: amdgpu_connector_update_scratch_regs(connector, ret);
exit: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; } @@ -1351,9 +1365,11 @@ amdgpu_connector_dp_detect(struct drm_co struct drm_encoder *encoder = amdgpu_connector_best_single_encoder(connector); int r;
- r = pm_runtime_get_sync(connector->dev->dev); - if (r < 0) - return connector_status_disconnected; + if (!drm_kms_helper_is_poll_worker()) { + r = pm_runtime_get_sync(connector->dev->dev); + if (r < 0) + return connector_status_disconnected; + }
if (!force && amdgpu_connector_check_hpd_status_unchanged(connector)) { ret = connector->status; @@ -1421,8 +1437,10 @@ amdgpu_connector_dp_detect(struct drm_co
amdgpu_connector_update_scratch_regs(connector, ret); out: - pm_runtime_mark_last_busy(connector->dev->dev); - pm_runtime_put_autosuspend(connector->dev->dev); + if (!drm_kms_helper_is_poll_worker()) { + pm_runtime_mark_last_busy(connector->dev->dev); + pm_runtime_put_autosuspend(connector->dev->dev); + }
return ret; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rex Zhu Rex.Zhu@amd.com
commit 1bced75f4ab04bec55aecb57d99435dc6d0ae5a0 upstream.
it is required if a platform supports PCIe root complex core voltage reduction. After receiving this notification, SBIOS can apply default PCIe root complex power policy.
Reviewed-by: Alex Deucher alexander.deucher@amd.com Signed-off-by: Rex Zhu Rex.Zhu@amd.com Signed-off-by: Alex Deucher alexander.deucher@amd.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c +++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_acpi.c @@ -585,6 +585,9 @@ int amdgpu_acpi_pcie_performance_request size_t size; u32 retry = 3;
+ if (amdgpu_acpi_pcie_notify_device_ready(adev)) + return -EINVAL; + /* Get the device handle */ handle = ACPI_HANDLE(&adev->pdev->dev); if (!handle)
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Chen justinpopo6@gmail.com
commit 06a3f0c9f2725f5d7c63c4203839373c9bd00c28 upstream.
Commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an issue where disable_irq did not actually disable the irq. The bug caused our IPIs to not be disabled, which actually is the correct behavior.
With the addition of commit a3e6c1eff548 ("MIPS: IRQ: Fix disable_irq on CPU IRQs"), the IPIs were getting disabled going into suspend, thus schedule_ipi() was not being called. This caused deadlocks where schedulable task were not being scheduled and other cpus were waiting for them to do something.
Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the IPIs during suspend.
Signed-off-by: Justin Chen justinpopo6@gmail.com Fixes: a3e6c1eff548 ("MIPS: IRQ: Fix disabled_irq on CPU IRQs") Cc: Florian Fainelli f.fainelli@gmail.com Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/17385/ [jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs] Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/mips/kernel/smp-bmips.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/arch/mips/kernel/smp-bmips.c +++ b/arch/mips/kernel/smp-bmips.c @@ -166,11 +166,11 @@ static void bmips_prepare_cpus(unsigned return; }
- if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, - "smp_ipi0", NULL)) + if (request_irq(IPI0_IRQ, bmips_ipi_interrupt, + IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi0", NULL)) panic("Can't request IPI0 interrupt"); - if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, IRQF_PERCPU, - "smp_ipi1", NULL)) + if (request_irq(IPI1_IRQ, bmips_ipi_interrupt, + IRQF_PERCPU | IRQF_NO_SUSPEND, "smp_ipi1", NULL)) panic("Can't request IPI1 interrupt"); }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 1b22b4b28fd5fbc51855219e3238b3ab81da8466 upstream.
Currently there is no null check on a failed allocation of board_data, and hence a null pointer dereference will occurr. Fix this by checking for the out of memory null pointer.
Fixes: a7473717483e ("MIPS: ath25: add board configuration detection") Signed-off-by: Colin Ian King colin.king@canonical.com Cc: Ralf Baechle ralf@linux-mips.org Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 3.19+ Patchwork: https://patchwork.linux-mips.org/patch/18657/ Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/mips/ath25/board.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/arch/mips/ath25/board.c +++ b/arch/mips/ath25/board.c @@ -135,6 +135,8 @@ int __init ath25_find_config(phys_addr_t }
board_data = kzalloc(BOARD_CONFIG_BUFSZ, GFP_KERNEL); + if (!board_data) + goto error; ath25_board.config = (struct ath25_boarddata *)board_data; memcpy_fromio(board_data, bcfg, 0x100); if (broken_boarddata) {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King colin.king@canonical.com
commit 902f4d067a50ccf645a58dd5fb1d113b6e0f9b5b upstream.
The allocation of host_data is not null checked, leading to a null pointer dereference if the allocation fails. Fix this by adding a null check and return with -ENOMEM.
Fixes: 64b139f97c01 ("MIPS: OCTEON: irq: add CIB and other fixes") Signed-off-by: Colin Ian King colin.king@canonical.com Acked-by: David Daney david.daney@cavium.com Cc: Ralf Baechle ralf@linux-mips.org Cc: "Steven J. Hill" Steven.Hill@cavium.com Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 4.0+ Patchwork: https://patchwork.linux-mips.org/patch/18658/ Signed-off-by: James Hogan jhogan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/mips/cavium-octeon/octeon-irq.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/arch/mips/cavium-octeon/octeon-irq.c +++ b/arch/mips/cavium-octeon/octeon-irq.c @@ -2246,6 +2246,8 @@ static int __init octeon_irq_init_cib(st }
host_data = kzalloc(sizeof(*host_data), GFP_KERNEL); + if (!host_data) + return -ENOMEM; raw_spin_lock_init(&host_data->lock);
addr = of_get_address(ciu_node, 0, NULL, NULL);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Bo zbsdta@126.com
commit ea4f7bd2aca9f68470e9aac0fc9432fd180b1fe7 upstream.
If matrix_keypad_stop() is executing and the keypad interrupt is triggered, disable_row_irqs() may be called by both matrix_keypad_interrupt() and matrix_keypad_stop() at the same time, causing interrupts to be disabled twice and the keypad being "stuck" after resuming.
Take lock when setting keypad->stopped to ensure that ISR will not race with matrix_keypad_stop() disabling interrupts.
Signed-off-by: Zhang Bo zbsdta@126.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/input/keyboard/matrix_keypad.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/input/keyboard/matrix_keypad.c +++ b/drivers/input/keyboard/matrix_keypad.c @@ -216,8 +216,10 @@ static void matrix_keypad_stop(struct in { struct matrix_keypad *keypad = input_get_drvdata(dev);
+ spin_lock_irq(&keypad->lock); keypad->stopped = true; - mb(); + spin_unlock_irq(&keypad->lock); + flush_work(&keypad->work.work); /* * matrix_keypad_scan() will leave IRQs enabled;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ross Zwisler ross.zwisler@linux.intel.com
commit 1d037577c323e5090ce281e96bc313ab2eee5be2 upstream.
The following commit:
commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC")
replaced __do_lo_send_write(), which used ITER_KVEC iterators, with lo_write_bvec() which uses ITER_BVEC iterators. In this change, though, the WRITE flag was lost:
- iov_iter_kvec(&from, ITER_KVEC | WRITE, &kvec, 1, len); + iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
This flag is necessary for the DAX case because we make decisions based on whether or not the iterator is a READ or a WRITE in dax_iomap_actor() and in dax_iomap_rw().
We end up going through this path in configurations where we combine a PMEM device with 4k sectors, a loopback device and DAX. The consequence of this missed flag is that what we intend as a write actually turns into a read in the DAX code, so no data is ever written.
The very simplest test case is to create a loopback device and try and write a small string to it, then hexdump a few bytes of the device to see if the write took. Without this patch you read back all zeros, with this you read back the string you wrote.
For XFS this causes us to fail or panic during the following xfstests:
xfs/074 xfs/078 xfs/216 xfs/217 xfs/250
For ext4 we have a similar issue where writes never happen, but we don't currently have any xfstests that use loopback and show this issue.
Fix this by restoring the WRITE flag argument to iov_iter_bvec(). This causes the xfstests to all pass.
Cc: Al Viro viro@zeniv.linux.org.uk Cc: stable@vger.kernel.org Fixes: commit aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") Reviewed-by: Christoph Hellwig hch@lst.de Reviewed-by: Ming Lei ming.lei@redhat.com Signed-off-by: Ross Zwisler ross.zwisler@linux.intel.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/block/loop.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -263,7 +263,7 @@ static int lo_write_bvec(struct file *fi struct iov_iter i; ssize_t bw;
- iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len); + iov_iter_bvec(&i, ITER_BVEC | WRITE, bvec, 1, bvec->bv_len);
file_start_write(file); bw = vfs_iter_write(file, &i, ppos);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Hogan jhogan@kernel.org
commit 55fe6da9efba102866e2fb5b40b04b6a4b26c19e upstream.
cmd_dt_S_dtb constructs the assembly source to incorporate a devicetree FDT (that is, the .dtb file) as binary data in the kernel image. This assembly source contains labels before and after the binary data. The label names incorporate the file name of the corresponding .dtb file. Hyphens are not legal characters in labels, so .dtb files built into the kernel with hyphens in the file name result in errors like the following:
bcm3368-netgear-cvg834g.dtb.S: Assembler messages: bcm3368-netgear-cvg834g.dtb.S:5: Error: : no such section bcm3368-netgear-cvg834g.dtb.S:5: Error: junk at end of line, first unrecognized character is `-' bcm3368-netgear-cvg834g.dtb.S:6: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_begin:' bcm3368-netgear-cvg834g.dtb.S:8: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_end:' bcm3368-netgear-cvg834g.dtb.S:9: Error: : no such section bcm3368-netgear-cvg834g.dtb.S:9: Error: junk at end of line, first unrecognized character is `-'
Fix this by updating cmd_dt_S_dtb to transform all hyphens from the file name to underscores when constructing the labels.
As of v4.16-rc2, 1139 .dts files across ARM64, ARM, MIPS and PowerPC contain hyphens in their names, but the issue only currently manifests on Broadcom MIPS platforms, as that is the only place where such files are built into the kernel. For example when CONFIG_DT_NETGEAR_CVG834G=y, or on BMIPS kernels when the dtbs target is used (in the latter case it admittedly shouldn't really build all the dtb.o files, but thats a separate issue).
Fixes: 695835511f96 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom") Signed-off-by: James Hogan jhogan@kernel.org Reviewed-by: Frank Rowand frowand.list@gmail.com Cc: Rob Herring robh+dt@kernel.org Cc: Michal Marek michal.lkml@markovi.net Cc: Ralf Baechle ralf@linux-mips.org Cc: Florian Fainelli f.fainelli@gmail.com Cc: Kevin Cernekee cernekee@gmail.com Cc: stable@vger.kernel.org # 4.9+ Signed-off-by: Masahiro Yamada yamada.masahiro@socionext.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- scripts/Makefile.lib | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
--- a/scripts/Makefile.lib +++ b/scripts/Makefile.lib @@ -270,11 +270,11 @@ cmd_dt_S_dtb= \ echo '#include <asm-generic/vmlinux.lds.h>'; \ echo '.section .dtb.init.rodata,"a"'; \ echo '.balign STRUCT_ALIGNMENT'; \ - echo '.global __dtb_$(*F)_begin'; \ - echo '__dtb_$(*F)_begin:'; \ + echo '.global __dtb_$(subst -,_,$(*F))_begin'; \ + echo '__dtb_$(subst -,_,$(*F))_begin:'; \ echo '.incbin "$<" '; \ - echo '__dtb_$(*F)_end:'; \ - echo '.global __dtb_$(*F)_end'; \ + echo '__dtb_$(subst -,_,$(*F))_end:'; \ + echo '.global __dtb_$(subst -,_,$(*F))_end'; \ echo '.balign STRUCT_ALIGNMENT'; \ ) > $@
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Lyle mlyle@lyle.org
commit 86755b7a96faed57f910f9e6b8061e019ac1ec08 upstream.
This can happen e.g. during disk cloning.
This is an incomplete fix: it does not catch duplicate UUIDs earlier when things are still unattached. It does not unregister the device. Further changes to cope better with this are planned but conflict with Coly's ongoing improvements to handling device errors. In the meantime, one can manually stop the device after this has happened.
Attempts to attach a duplicate device result in:
[ 136.372404] loop: module loaded [ 136.424461] bcache: register_bdev() registered backing device loop0 [ 136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached
My test procedure is:
dd if=/dev/sdb1 of=imgfile bs=1024 count=262144 losetup -f imgfile
Signed-off-by: Michael Lyle mlyle@lyle.org Reviewed-by: Tang Junhui tang.junhui@zte.com.cn Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/md/bcache/super.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
--- a/drivers/md/bcache/super.c +++ b/drivers/md/bcache/super.c @@ -935,6 +935,7 @@ int bch_cached_dev_attach(struct cached_ uint32_t rtime = cpu_to_le32(get_seconds()); struct uuid_entry *u; char buf[BDEVNAME_SIZE]; + struct cached_dev *exist_dc, *t;
bdevname(dc->bdev, buf);
@@ -958,6 +959,16 @@ int bch_cached_dev_attach(struct cached_ return -EINVAL; }
+ /* Check whether already attached */ + list_for_each_entry_safe(exist_dc, t, &c->cached_devs, list) { + if (!memcmp(dc->sb.uuid, exist_dc->sb.uuid, 16)) { + pr_err("Tried to attach %s but duplicate UUID already attached", + buf); + + return -EINVAL; + } + } + u = uuid_find(c, dc->sb.uuid);
if (u &&
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seunghun Han kkamagui@gmail.com
commit b3b7c4795ccab5be71f080774c45bbbcc75c2aaf upstream.
The check_interval file in
/sys/devices/system/machinecheck/machinecheck<cpu number>
directory is a global timer value for MCE polling. If it is changed by one CPU, mce_restart() broadcasts the event to other CPUs to delete and restart the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the mce_timer variable.
If more than one CPU writes a specific value to the check_interval file concurrently, mce_timer is not protected from such concurrent accesses and all kinds of explosions happen. Since only root can write to those sysfs variables, the issue is not a big deal security-wise.
However, concurrent writes to these configuration variables is void of reason so the proper thing to do is to serialize the access with a mutex.
Boris:
- Make store_int_with_restart() use device_store_ulong() to filter out negative intervals - Limit min interval to 1 second - Correct locking - Massage commit message
Signed-off-by: Seunghun Han kkamagui@gmail.com Signed-off-by: Borislav Petkov bp@suse.de Signed-off-by: Thomas Gleixner tglx@linutronix.de Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Tony Luck tony.luck@intel.com Cc: linux-edac linux-edac@vger.kernel.org Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/cpu/mcheck/mce.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-)
--- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -60,6 +60,9 @@ static DEFINE_MUTEX(mce_chrdev_read_mute smp_load_acquire(&(p)); \ })
+/* sysfs synchronization */ +static DEFINE_MUTEX(mce_sysfs_mutex); + #define CREATE_TRACE_POINTS #include <trace/events/mce.h>
@@ -2220,6 +2223,7 @@ static ssize_t set_ignore_ce(struct devi if (kstrtou64(buf, 0, &new) < 0) return -EINVAL;
+ mutex_lock(&mce_sysfs_mutex); if (mca_cfg.ignore_ce ^ !!new) { if (new) { /* disable ce features */ @@ -2232,6 +2236,8 @@ static ssize_t set_ignore_ce(struct devi on_each_cpu(mce_enable_ce, (void *)1, 1); } } + mutex_unlock(&mce_sysfs_mutex); + return size; }
@@ -2244,6 +2250,7 @@ static ssize_t set_cmci_disabled(struct if (kstrtou64(buf, 0, &new) < 0) return -EINVAL;
+ mutex_lock(&mce_sysfs_mutex); if (mca_cfg.cmci_disabled ^ !!new) { if (new) { /* disable cmci */ @@ -2255,6 +2262,8 @@ static ssize_t set_cmci_disabled(struct on_each_cpu(mce_enable_ce, NULL, 1); } } + mutex_unlock(&mce_sysfs_mutex); + return size; }
@@ -2262,8 +2271,19 @@ static ssize_t store_int_with_restart(st struct device_attribute *attr, const char *buf, size_t size) { - ssize_t ret = device_store_int(s, attr, buf, size); + unsigned long old_check_interval = check_interval; + ssize_t ret = device_store_ulong(s, attr, buf, size); + + if (check_interval == old_check_interval) + return ret; + + if (check_interval < 1) + check_interval = 1; + + mutex_lock(&mce_sysfs_mutex); mce_restart(); + mutex_unlock(&mce_sysfs_mutex); + return ret; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai tiwai@suse.de
commit e312a869cd726c698a75caca0d9e5c22fd3f1534 upstream.
The dock line-out pin (NID 0x17 of ALC3254 codec) on Dell Precision 7520 may route to three different DACs, 0x02, 0x03 and 0x06. The first two DACS have the volume amp controls while the last one doesn't. And unfortunately, the auto-parser assigns this pin to DAC3, resulting in the non-working volume control for the line out.
Fix it by disabling the routing to DAC3 on the corresponding pin.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199029 Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/pci/hda/patch_realtek.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+)
--- a/sound/pci/hda/patch_realtek.c +++ b/sound/pci/hda/patch_realtek.c @@ -4722,6 +4722,16 @@ static void alc298_fixup_speaker_volume( } }
+/* disable DAC3 (0x06) selection on NID 0x17 as it has no volume amp control */ +static void alc295_fixup_disable_dac3(struct hda_codec *codec, + const struct hda_fixup *fix, int action) +{ + if (action == HDA_FIXUP_ACT_PRE_PROBE) { + hda_nid_t conn[2] = { 0x02, 0x03 }; + snd_hda_override_conn_list(codec, 0x17, 2, conn); + } +} + /* Hook to update amp GPIO4 for automute */ static void alc280_hp_gpio4_automute_hook(struct hda_codec *codec, struct hda_jack_callback *jack) @@ -4871,6 +4881,7 @@ enum { ALC233_FIXUP_LENOVO_LINE2_MIC_HOTKEY, ALC255_FIXUP_DELL_SPK_NOISE, ALC225_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC295_FIXUP_DISABLE_DAC3, ALC280_FIXUP_HP_HEADSET_MIC, ALC221_FIXUP_HP_FRONT_MIC, ALC292_FIXUP_TPT460, @@ -5560,6 +5571,10 @@ static const struct hda_fixup alc269_fix .chained = true, .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, }, + [ALC295_FIXUP_DISABLE_DAC3] = { + .type = HDA_FIXUP_FUNC, + .v.func = alc295_fixup_disable_dac3, + }, [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { .type = HDA_FIXUP_PINS, .v.pins = (const struct hda_pintbl[]) { @@ -5617,6 +5632,7 @@ static const struct snd_pci_quirk alc269 SND_PCI_QUIRK(0x1028, 0x0725, "Dell Inspiron 3162", ALC255_FIXUP_DELL_SPK_NOISE), SND_PCI_QUIRK(0x1028, 0x075b, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), SND_PCI_QUIRK(0x1028, 0x075d, "Dell AIO", ALC298_FIXUP_SPK_VOLUME), + SND_PCI_QUIRK(0x1028, 0x07b0, "Dell Precision 7520", ALC295_FIXUP_DISABLE_DAC3), SND_PCI_QUIRK(0x1028, 0x0798, "Dell Inspiron 17 7000 Gaming", ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER), SND_PCI_QUIRK(0x1028, 0x082a, "Dell XPS 13 9360", ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE), SND_PCI_QUIRK(0x1028, 0x164a, "Dell", ALC293_FIXUP_DELL1_MIC_NO_PRESENCE),
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Wassenberg dennis.wassenberg@secunet.com
commit aea808172018ca01abf53db808323aed23281835 upstream.
This patch adds missing initialisation for HP 2013 UltraSlim Dock Line-In/Out PINs and activates keyboard mute/micmute leds for HP EliteBook 820 G3
Signed-off-by: Dennis Wassenberg dennis.wassenberg@secunet.com Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/pci/hda/patch_conexant.c | 1 + 1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_conexant.c +++ b/sound/pci/hda/patch_conexant.c @@ -849,6 +849,7 @@ static const struct snd_pci_quirk cxt506 SND_PCI_QUIRK(0x1025, 0x054c, "Acer Aspire 3830TG", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dennis Wassenberg dennis.wassenberg@secunet.com
commit 099fd6ca0ad25bc19c5ade2ea4b25b8fadaa11b3 upstream.
This patch adds missing initialisation for HP 2013 UltraSlim Dock Line-In/Out PINs and activates keyboard mute/micmute leds for HP ProBook 640 G2
Signed-off-by: Dennis Wassenberg dennis.wassenberg@secunet.com Cc: stable@vger.kernel.org Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/pci/hda/patch_conexant.c | 1 + 1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_conexant.c +++ b/sound/pci/hda/patch_conexant.c @@ -850,6 +850,7 @@ static const struct snd_pci_quirk cxt506 SND_PCI_QUIRK(0x1025, 0x054f, "Acer Aspire 4830T", CXT_FIXUP_ASPIRE_DMIC), SND_PCI_QUIRK(0x103c, 0x8079, "HP EliteBook 840 G3", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x807C, "HP EliteBook 820 G3", CXT_FIXUP_HP_DOCK), + SND_PCI_QUIRK(0x103c, 0x80FD, "HP ProBook 640 G2", CXT_FIXUP_HP_DOCK), SND_PCI_QUIRK(0x103c, 0x8174, "HP Spectre x360", CXT_FIXUP_HP_SPECTRE), SND_PCI_QUIRK(0x103c, 0x8115, "HP Z1 Gen3", CXT_FIXUP_HP_GATE_MIC), SND_PCI_QUIRK(0x1043, 0x138d, "Asus", CXT_FIXUP_HEADPHONE_MIC_PIN),
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Williams dan.j.williams@intel.com
commit eb6174f6d1be16b19cfa43dac296bfed003ce1a6 upstream.
The nospec.h header expects the per-architecture header file <asm/barrier.h> to optionally define array_index_mask_nospec(). Include that dependency to prevent inadvertent fallback to the default array_index_mask_nospec() implementation.
The default implementation may not provide a full mitigation on architectures that perform data value speculation.
Reported-by: Christian Borntraeger borntraeger@de.ibm.com Signed-off-by: Dan Williams dan.j.williams@intel.com Cc: Andy Lutomirski luto@kernel.org Cc: Arjan van de Ven arjan@linux.intel.com Cc: Borislav Petkov bp@alien8.de Cc: Dave Hansen dave.hansen@linux.intel.com Cc: David Woodhouse dwmw2@infradead.org Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Josh Poimboeuf jpoimboe@redhat.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: Will Deacon will.deacon@arm.com Cc: linux-arch@vger.kernel.org Link: http://lkml.kernel.org/r/151881605404.17395.1341935530792574707.stgit@dwilli... Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/nospec.h | 1 + 1 file changed, 1 insertion(+)
--- a/include/linux/nospec.h +++ b/include/linux/nospec.h @@ -5,6 +5,7 @@
#ifndef _LINUX_NOSPEC_H #define _LINUX_NOSPEC_H +#include <asm/barrier.h>
/** * array_index_mask_nospec() - generate a ~0 mask when index < size, 0 otherwise
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Hoemann jerry.hoemann@hpe.com
commit c42cbe41727a138905a28f8e0b00c147be77ee93 upstream.
This corrects: commit cce78da76601 ("watchdog: hpwdt: Add check for UEFI bits")
The test on HPE SMBIOS extension type 219 record "Misc Features" bits for UEFI support is incorrect. The definition of the Misc Features bits in the HPE SMBIOS OEM Extensions specification (and related firmware) was changed to use a different pair of bits to represent UEFI supported. Howerver, a corresponding change to Linux was missed.
Current code/platform work because the iCRU test is working. But purpose of cce78da766 is to ensure correct functionality on future systems where iCRU isn't supported.
Signed-off-by: Jerry Hoemann jerry.hoemann@hpe.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/watchdog/hpwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/watchdog/hpwdt.c +++ b/drivers/watchdog/hpwdt.c @@ -700,7 +700,7 @@ static void dmi_find_icru(const struct d smbios_proliant_ptr = (struct smbios_proliant_info *) dm; if (smbios_proliant_ptr->misc_features & 0x01) is_icru = 1; - if (smbios_proliant_ptr->misc_features & 0x408) + if (smbios_proliant_ptr->misc_features & 0x1400) is_uefi = 1; } }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jerry Hoemann jerry.hoemann@hpe.com
commit 838534e50e2e5c1e644e30ab6cb28da88eb31368 upstream.
Do not claim the NMI (i.e. return NMI_DONE) if the source of the NMI isn't the iLO watchdog or debug.
Signed-off-by: Jerry Hoemann jerry.hoemann@hpe.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/watchdog/hpwdt.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
--- a/drivers/watchdog/hpwdt.c +++ b/drivers/watchdog/hpwdt.c @@ -51,6 +51,7 @@ static char expect_release; static unsigned long hpwdt_is_open;
static void __iomem *pci_mem_addr; /* the PCI-memory address */ +static unsigned long __iomem *hpwdt_nmistat; static unsigned long __iomem *hpwdt_timer_reg; static unsigned long __iomem *hpwdt_timer_con;
@@ -473,6 +474,11 @@ static int hpwdt_time_left(void) return TICKS_TO_SECS(ioread16(hpwdt_timer_reg)); }
+static int hpwdt_my_nmi(void) +{ + return ioread8(hpwdt_nmistat) & 0x6; +} + #ifdef CONFIG_HPWDT_NMI_DECODING /* * NMI Handler @@ -485,6 +491,9 @@ static int hpwdt_pretimeout(unsigned int if (!hpwdt_nmi_decoding) goto out;
+ if ((ulReason == NMI_UNKNOWN) && !hpwdt_my_nmi()) + return NMI_DONE; + spin_lock_irqsave(&rom_lock, rom_pl); if (!die_nmi_called && !is_icru && !is_uefi) asminline_call(&cmn_regs, cru_rom_addr); @@ -840,6 +849,7 @@ static int hpwdt_init_one(struct pci_dev retval = -ENOMEM; goto error_pci_iomap; } + hpwdt_nmistat = pci_mem_addr + 0x6e; hpwdt_timer_reg = pci_mem_addr + 0x70; hpwdt_timer_con = pci_mem_addr + 0x72;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann arnd@arndb.de
commit aeebc6ba88ba3758ad95467ff6191fabf2074c13 upstream.
The new hpwdt_my_nmi() function is used conditionally, which produces a harmless warning in some configurations:
drivers/watchdog/hpwdt.c:478:12: error: 'hpwdt_my_nmi' defined but not used [-Werror=unused-function]
This moves it inside of the #ifdef that protects its caller, to silence the warning.
Fixes: 621174a92851 ("watchdog: hpwdt: Check source of NMI") Signed-off-by: Arnd Bergmann arnd@arndb.de Reviewed-by: Jerry Hoemann jerry.hoemann@hpe.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/watchdog/hpwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/watchdog/hpwdt.c +++ b/drivers/watchdog/hpwdt.c @@ -474,12 +474,12 @@ static int hpwdt_time_left(void) return TICKS_TO_SECS(ioread16(hpwdt_timer_reg)); }
+#ifdef CONFIG_HPWDT_NMI_DECODING static int hpwdt_my_nmi(void) { return ioread8(hpwdt_nmistat) & 0x6; }
-#ifdef CONFIG_HPWDT_NMI_DECODING /* * NMI Handler */
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
commit 2b3d89b40 is the Spectre related patch.
thanks
Jerry Hoemann
On Fri, Mar 16, 2018 at 04:23:01PM +0100, Greg Kroah-Hartman wrote:
4.4-stable review patch. If anyone has any objections, please let me know.
From: Arnd Bergmann arnd@arndb.de
commit aeebc6ba88ba3758ad95467ff6191fabf2074c13 upstream.
The new hpwdt_my_nmi() function is used conditionally, which produces a harmless warning in some configurations:
drivers/watchdog/hpwdt.c:478:12: error: 'hpwdt_my_nmi' defined but not used [-Werror=unused-function]
This moves it inside of the #ifdef that protects its caller, to silence the warning.
Fixes: 621174a92851 ("watchdog: hpwdt: Check source of NMI") Signed-off-by: Arnd Bergmann arnd@arndb.de Reviewed-by: Jerry Hoemann jerry.hoemann@hpe.com Reviewed-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Wim Van Sebroeck wim@iguana.be Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/watchdog/hpwdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/watchdog/hpwdt.c +++ b/drivers/watchdog/hpwdt.c @@ -474,12 +474,12 @@ static int hpwdt_time_left(void) return TICKS_TO_SECS(ioread16(hpwdt_timer_reg)); } +#ifdef CONFIG_HPWDT_NMI_DECODING static int hpwdt_my_nmi(void) { return ioread8(hpwdt_nmistat) & 0x6; } -#ifdef CONFIG_HPWDT_NMI_DECODING /*
- NMI Handler
*/
On Fri, Mar 16, 2018 at 04:55:37PM -0600, Jerry Hoemann wrote:
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
It does not apply to the 4.4.y kernel branch. If you feel it should be there, please provide a working backport.
commit 2b3d89b40 is the Spectre related patch.
If you look closely, not many Spectre-related patches are merged into 4.4.y as no one has taken the time to do the backporting. I thought someone was working on this, but odds are they just moved to 4.9.y or 4.14.y as everyone really should if they care about these issues with their platforms.
So if you care about Spectre, I strongly recommend using 4.14.y or newer.
thanks,
greg k-h
On Sun, 2018-03-18 at 11:14 +0100, Greg Kroah-Hartman wrote:
On Fri, Mar 16, 2018 at 04:55:37PM -0600, Jerry Hoemann wrote:
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
It does not apply to the 4.4.y kernel branch. If you feel it should be there, please provide a working backport.
commit 2b3d89b40 is the Spectre related patch.
If you look closely, not many Spectre-related patches are merged into 4.4.y as no one has taken the time to do the backporting. I thought someone was working on this, but odds are they just moved to 4.9.y or 4.14.y as everyone really should if they care about these issues with their platforms.
So if you care about Spectre, I strongly recommend using 4.14.y or newer.
I think you have most of the Spectre stuff aside from microcode supported fixes. These are still missing on the 4.4 branch though:
8fa80c503b48 nospec: Move array_index_nospec() parameter checking into separate macro 1d91c1d2c80c nospec: Kill array_index_nospec_mask_check()
I think there may also be some extra uaccess functions that didn't get the nospec treatment.
I'll probably look into backporting the microcode stuff to the older branches (4.4, then 3.16 and 3.2) at some point.
Ben.
2018-03-21 0:19 GMT+01:00 Ben Hutchings ben.hutchings@codethink.co.uk:
On Sun, 2018-03-18 at 11:14 +0100, Greg Kroah-Hartman wrote:
On Fri, Mar 16, 2018 at 04:55:37PM -0600, Jerry Hoemann wrote:
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
It does not apply to the 4.4.y kernel branch. If you feel it should be there, please provide a working backport.
commit 2b3d89b40 is the Spectre related patch.
If you look closely, not many Spectre-related patches are merged into 4.4.y as no one has taken the time to do the backporting. I thought someone was working on this, but odds are they just moved to 4.9.y or 4.14.y as everyone really should if they care about these issues with their platforms.
So if you care about Spectre, I strongly recommend using 4.14.y or newer.
I think you have most of the Spectre stuff aside from microcode supported fixes. These are still missing on the 4.4 branch though:
8fa80c503b48 nospec: Move array_index_nospec() parameter checking into separate macro 1d91c1d2c80c nospec: Kill array_index_nospec_mask_check()
I think there may also be some extra uaccess functions that didn't get the nospec treatment.
I'll probably look into backporting the microcode stuff to the older branches (4.4, then 3.16 and 3.2) at some point.
Ben.
-- Ben Hutchings Software Developer, Codethink Ltd.
Hi, Ben,
It will be great, if you can backport spectre fixes into 4.4, I'm happy to test your port. The patch list I gathered when I did porting to 4.4: d3eba77440 x86/cpufeatures: Add CPUID_7_EDX CPUID leaf 40532f65cc x86/cpufeatures: Add Intel feature bits for Speculatio c26a6bea26 x86/cpufeatures: Add AMD feature bits for Speculation Control af57d43c908 x86/msr: Add definitions for new speculation control a8799fd14d x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown 6c5e49150a x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes 31fd9eda7f6 x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support 77b3b3ee238 x86/cpufeatures: Clean up Spectre v2 related CPUID flags 77d1424d2fb x86/retpoline: Simplify vmexit_fill_RSB() d7f8d17406d x86/entry/64: Remove the SYSCALL64 fast path 572e509178 x86/entry/64: Push extra regs right away e06d7bfb223 x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec ae75f83e79 x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} 065eae4be83 x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec cda6b6074cc6f9 x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel 4b234a253e52 x86/pti: Mark constant arrays as __initconst b7649e1776706 KVM: nVMX: mark vmcs12 pages dirty on L2 exit 46e24dfc2df KVM: nVMX: Eliminate vmcs02 pool ff546f9d83d3 KVM: VMX: introduce alloc_loaded_vmcs 6236b782eba37 KVM: VMX: make MSR bitmaps per-VCPU 7013129a403 KVM/x86: Add IBPB support 755502f810c6 KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES e5a83419c957 KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL fc00dde96099a1 KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
commit id is from linux-4.9.y
Might be more due to dependency.
Thanks, Jack Wang
On Wed, Mar 21, 2018 at 12:11:10PM +0100, 王金浦 wrote:
2018-03-21 0:19 GMT+01:00 Ben Hutchings ben.hutchings@codethink.co.uk:
On Sun, 2018-03-18 at 11:14 +0100, Greg Kroah-Hartman wrote:
On Fri, Mar 16, 2018 at 04:55:37PM -0600, Jerry Hoemann wrote:
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
It does not apply to the 4.4.y kernel branch. If you feel it should be there, please provide a working backport.
commit 2b3d89b40 is the Spectre related patch.
If you look closely, not many Spectre-related patches are merged into 4.4.y as no one has taken the time to do the backporting. I thought someone was working on this, but odds are they just moved to 4.9.y or 4.14.y as everyone really should if they care about these issues with their platforms.
So if you care about Spectre, I strongly recommend using 4.14.y or newer.
I think you have most of the Spectre stuff aside from microcode supported fixes. These are still missing on the 4.4 branch though:
8fa80c503b48 nospec: Move array_index_nospec() parameter checking into separate macro 1d91c1d2c80c nospec: Kill array_index_nospec_mask_check()
I think there may also be some extra uaccess functions that didn't get the nospec treatment.
I'll probably look into backporting the microcode stuff to the older branches (4.4, then 3.16 and 3.2) at some point.
Ben.
-- Ben Hutchings Software Developer, Codethink Ltd.
Hi, Ben,
It will be great, if you can backport spectre fixes into 4.4, I'm happy to test your port. The patch list I gathered when I did porting to 4.4:
If you completed the port to v4.4 already, can you make it available for others ?
Thanks, Guenter
d3eba77440 x86/cpufeatures: Add CPUID_7_EDX CPUID leaf 40532f65cc x86/cpufeatures: Add Intel feature bits for Speculatio c26a6bea26 x86/cpufeatures: Add AMD feature bits for Speculation Control af57d43c908 x86/msr: Add definitions for new speculation control a8799fd14d x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown 6c5e49150a x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes 31fd9eda7f6 x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support 77b3b3ee238 x86/cpufeatures: Clean up Spectre v2 related CPUID flags 77d1424d2fb x86/retpoline: Simplify vmexit_fill_RSB() d7f8d17406d x86/entry/64: Remove the SYSCALL64 fast path 572e509178 x86/entry/64: Push extra regs right away e06d7bfb223 x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec ae75f83e79 x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} 065eae4be83 x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec cda6b6074cc6f9 x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel 4b234a253e52 x86/pti: Mark constant arrays as __initconst b7649e1776706 KVM: nVMX: mark vmcs12 pages dirty on L2 exit 46e24dfc2df KVM: nVMX: Eliminate vmcs02 pool ff546f9d83d3 KVM: VMX: introduce alloc_loaded_vmcs 6236b782eba37 KVM: VMX: make MSR bitmaps per-VCPU 7013129a403 KVM/x86: Add IBPB support 755502f810c6 KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES e5a83419c957 KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL fc00dde96099a1 KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
commit id is from linux-4.9.y
Might be more due to dependency.
Thanks, Jack Wang
If you completed the port to v4.4 already, can you make it available for others ?
Thanks, Guenter
Hi Guenter,
Sorry for confusion, the part I've ported already pushed to 4.4.118, the list is just missing part for Ben as a reference.
Cheers, Jack
d3eba77440 x86/cpufeatures: Add CPUID_7_EDX CPUID leaf 40532f65cc x86/cpufeatures: Add Intel feature bits for Speculatio c26a6bea26 x86/cpufeatures: Add AMD feature bits for Speculation Control af57d43c908 x86/msr: Add definitions for new speculation control a8799fd14d x86/pti: Do not enable PTI on CPUs which are not vulnerable to Meltdown 6c5e49150a x86/cpufeature: Blacklist SPEC_CTRL/PRED_CMD on early Spectre v2 microcodes 31fd9eda7f6 x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support 77b3b3ee238 x86/cpufeatures: Clean up Spectre v2 related CPUID flags 77d1424d2fb x86/retpoline: Simplify vmexit_fill_RSB() d7f8d17406d x86/entry/64: Remove the SYSCALL64 fast path 572e509178 x86/entry/64: Push extra regs right away e06d7bfb223 x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec ae75f83e79 x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end} 065eae4be83 x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec cda6b6074cc6f9 x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel 4b234a253e52 x86/pti: Mark constant arrays as __initconst b7649e1776706 KVM: nVMX: mark vmcs12 pages dirty on L2 exit 46e24dfc2df KVM: nVMX: Eliminate vmcs02 pool ff546f9d83d3 KVM: VMX: introduce alloc_loaded_vmcs 6236b782eba37 KVM: VMX: make MSR bitmaps per-VCPU 7013129a403 KVM/x86: Add IBPB support 755502f810c6 KVM/VMX: Emulate MSR_IA32_ARCH_CAPABILITIES e5a83419c957 KVM/VMX: Allow direct access to MSR_IA32_SPEC_CTRL fc00dde96099a1 KVM/SVM: Allow direct access to MSR_IA32_SPEC_CTRL
commit id is from linux-4.9.y
Might be more due to dependency.
Thanks, Jack Wang
On Tue, Mar 20, 2018 at 11:19:39PM +0000, Ben Hutchings wrote:
On Sun, 2018-03-18 at 11:14 +0100, Greg Kroah-Hartman wrote:
On Fri, Mar 16, 2018 at 04:55:37PM -0600, Jerry Hoemann wrote:
Greg,
Sorry, if I'm missing something, but I see 3 patches for hpwdt queued up for 4.4:
queue-4.4/watchdog-hpwdt-fix-unused-variable-warning.patch queue-4.4/watchdog-hpwdt-smbios-check.patch queue-4.4/watchdog-hpwdt-check-source-of-nmi.patch
Shouldn't there also be a 4.4 patch for
commit 2b3d89b402b085b08498e896c65267a145bed486 watchdog: hpwdt: Remove legacy NMI sourcing.
As there was for 4.15, 4.14, and 4.9?
It does not apply to the 4.4.y kernel branch. If you feel it should be there, please provide a working backport.
commit 2b3d89b40 is the Spectre related patch.
If you look closely, not many Spectre-related patches are merged into 4.4.y as no one has taken the time to do the backporting. I thought someone was working on this, but odds are they just moved to 4.9.y or 4.14.y as everyone really should if they care about these issues with their platforms.
So if you care about Spectre, I strongly recommend using 4.14.y or newer.
I think you have most of the Spectre stuff aside from microcode supported fixes. These are still missing on the 4.4 branch though:
8fa80c503b48 nospec: Move array_index_nospec() parameter checking into separate macro 1d91c1d2c80c nospec: Kill array_index_nospec_mask_check()
I think there may also be some extra uaccess functions that didn't get the nospec treatment.
I'm sure there are :(
I've queued up these 2 patches now, thanks.
greg k-h
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit a7f1884554b81bd68cd435d72f09a3527629ac43 upstream.
Since 4.4 we erronously use timestamp of the netlink skb (which is zero).
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1066 Fixes: b28b1e826f818c30ea7 ("netfilter: nfnetlink_queue: use y2038 safe timestamp") Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/netfilter/nfnetlink_queue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -501,7 +501,7 @@ nfqnl_build_packet_message(struct net *n
if (entskb->tstamp.tv64) { struct nfqnl_msg_packet_timestamp ts; - struct timespec64 kts = ktime_to_timespec64(skb->tstamp); + struct timespec64 kts = ktime_to_timespec64(entskb->tstamp);
ts.sec = cpu_to_be64(kts.tv_sec); ts.usec = cpu_to_be64(kts.tv_nsec / NSEC_PER_USEC);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann arnd@arndb.de
commit 863204cfdae98626a92535ac928ad79f4d6b74ff upstream.
In configurations without CONFIG_OMAP3 but with secure RAM support, we now run into a link failure:
arch/arm/mach-omap2/omap-secure.o: In function `omap3_save_secure_ram': omap-secure.c:(.text+0x130): undefined reference to `save_secure_ram_context'
The omap3_save_secure_ram() function is only called from the OMAP34xx power management code, so we can simply hide that function in the appropriate #ifdef.
Fixes: d09220a887f7 ("ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context") Acked-by: Tony Lindgren tony@atomide.com Tested-by: Dan Murphy dmurphy@ti.com Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/arm/mach-omap2/omap-secure.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/arch/arm/mach-omap2/omap-secure.c +++ b/arch/arm/mach-omap2/omap-secure.c @@ -73,6 +73,7 @@ phys_addr_t omap_secure_ram_mempool_base return omap_secure_memblock_base; }
+#if defined(CONFIG_ARCH_OMAP3) && defined(CONFIG_PM) u32 omap3_save_secure_ram(void __iomem *addr, int size) { u32 ret; @@ -91,6 +92,7 @@ u32 omap3_save_secure_ram(void __iomem *
return ret; } +#endif
/** * rx51_secure_dispatcher: Routine to dispatch secure PPA API calls
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Torokhov dmitry.torokhov@gmail.com
commit 9dd46c02532a6bed6240101ecf4bbc407f8c6adf upstream.
There is no need to tread the same register twice in a row.
Fixes: ea4348c8462a ("Input: tca8418_keypad - hide gcc-4.9 -Wmaybe-un ...") Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Cc: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/input/keyboard/tca8418_keypad.c | 2 -- 1 file changed, 2 deletions(-)
--- a/drivers/input/keyboard/tca8418_keypad.c +++ b/drivers/input/keyboard/tca8418_keypad.c @@ -189,8 +189,6 @@ static void tca8418_read_keypad(struct t input_event(input, EV_MSC, MSC_SCAN, code); input_report_key(input, keymap[code], state);
- /* Read for next loop */ - error = tca8418_read_byte(keypad_data, REG_KEY_EVENT_A, ®); } while (1);
input_sync(input);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philipp Zabel p.zabel@pengutronix.de
commit f2c61f98e0b5f8b53b8fb860e5dcdd661bde7d0b upstream.
The below mentioned fix contains a small but severe bug, fix it to make the driver work again.
Fixes: 3538aa6ecfb2 ("[media] tc358743: fix register i2c_rd/wr functions")
Cc: Hans Verkuil hans.verkuil@cisco.com Cc: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Philipp Zabel p.zabel@pengutronix.de Acked-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Hans Verkuil hansverk@cisco.com Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Cc: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/media/i2c/tc358743.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/media/i2c/tc358743.c +++ b/drivers/media/i2c/tc358743.c @@ -226,7 +226,7 @@ static void i2c_wr8(struct v4l2_subdev * static void i2c_wr8_and_or(struct v4l2_subdev *sd, u16 reg, u8 mask, u8 val) { - i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 2) & mask) | val, 2); + i2c_wrreg(sd, reg, (i2c_rdreg(sd, reg, 1) & mask) | val, 1); }
static u16 i2c_rd16(struct v4l2_subdev *sd, u16 reg)
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
The rationale for removing the check is only correct for rulesets generated by ip(6)tables.
In iptables, a jump can only occur to a user-defined chain, i.e. because we size the stack based on number of user-defined chains we cannot exceed stack size.
However, the underlying binary format has no such restriction, and the validation step only ensures that the jump target is a valid rule start point.
IOW, its possible to build a rule blob that has no user-defined chains but does contain a jump.
If this happens, no jump stack gets allocated and crash occurs because no jumpstack was allocated.
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset") Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/ipv4/netfilter/arp_tables.c | 4 ++++ net/ipv4/netfilter/ip_tables.c | 4 ++++ net/ipv6/netfilter/ip6_tables.c | 4 ++++ 3 files changed, 12 insertions(+)
--- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -329,6 +329,10 @@ unsigned int arpt_do_table(struct sk_buf } if (table_base + v != arpt_next_entry(e)) { + if (unlikely(stackidx >= private->stacksize)) { + verdict = NF_DROP; + break; + } jumpstack[stackidx++] = e; }
--- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -408,6 +408,10 @@ ipt_do_table(struct sk_buff *skb, } if (table_base + v != ipt_next_entry(e) && !(e->ip.flags & IPT_F_GOTO)) { + if (unlikely(stackidx >= private->stacksize)) { + verdict = NF_DROP; + break; + } jumpstack[stackidx++] = e; pr_debug("Pushed %p into pos %u\n", e, stackidx - 1); --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -425,6 +425,10 @@ ip6t_do_table(struct sk_buff *skb, } if (table_base + v != ip6t_next_entry(e) && !(e->ipv6.flags & IP6T_F_GOTO)) { + if (unlikely(stackidx >= private->stacksize)) { + verdict = NF_DROP; + break; + } jumpstack[stackidx++] = e; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni pabeni@redhat.com
commit 10414014bc085aac9f787a5890b33b5605fbcfc4 upstream.
syzbot reported that xt_LED may try to use the ledinternal->timer without previously initializing it:
------------[ cut here ]------------ kernel BUG at kernel/time/timer.c:958! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 1826 Comm: kworker/1:2 Not tainted 4.15.0+ #306 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:__mod_timer kernel/time/timer.c:958 [inline] RIP: 0010:mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: 0018:ffff8801d24fe9f8 EFLAGS: 00010293 RAX: ffff8801d25246c0 RBX: ffff8801aec6cb50 RCX: ffffffff816052c6 RDX: 0000000000000000 RSI: 00000000fffbd14b RDI: ffff8801aec6cb68 RBP: ffff8801d24fec98 R08: 0000000000000000 R09: 1ffff1003a49fd6c R10: ffff8801d24feb28 R11: 0000000000000005 R12: dffffc0000000000 R13: ffff8801d24fec70 R14: 00000000fffbd14b R15: ffff8801af608f90 FS: 0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000206d6fd0 CR3: 0000000006a22001 CR4: 00000000001606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: led_tg+0x1db/0x2e0 net/netfilter/xt_LED.c:75 ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365 ip6table_raw_hook+0x65/0x80 net/ipv6/netfilter/ip6table_raw.c:42 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook.constprop.27+0x3f6/0x830 include/linux/netfilter.h:243 NF_HOOK include/linux/netfilter.h:286 [inline] ndisc_send_skb+0xa51/0x1370 net/ipv6/ndisc.c:491 ndisc_send_ns+0x38a/0x870 net/ipv6/ndisc.c:633 addrconf_dad_work+0xb9e/0x1320 net/ipv6/addrconf.c:4008 process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x33c/0x400 kernel/kthread.c:238 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429 Code: 85 2a 0b 00 00 4d 8b 3c 24 4d 85 ff 75 9f 4c 8b bd 60 fd ff ff e8 bb 57 10 00 65 ff 0d 94 9a a1 7e e9 d9 fc ff ff e8 aa 57 10 00 <0f> 0b e8 a3 57 10 00 e9 14 fb ff ff e8 99 57 10 00 4c 89 bd 70 RIP: __mod_timer kernel/time/timer.c:958 [inline] RSP: ffff8801d24fe9f8 RIP: mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: ffff8801d24fe9f8 ---[ end trace f661ab06f5dd8b3d ]---
The ledinternal struct can be shared between several different xt_LED targets, but the related timer is currently initialized only if the first target requires it. Fix it by unconditionally initializing the timer struct.
v1 -> v2: call del_timer_sync() unconditionally, too.
Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target") Reported-by: syzbot+10c98dc5725c6c8fc7fb@syzkaller.appspotmail.com Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/netfilter/xt_LED.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
--- a/net/netfilter/xt_LED.c +++ b/net/netfilter/xt_LED.c @@ -141,10 +141,11 @@ static int led_tg_check(const struct xt_ goto exit_alloc; }
- /* See if we need to set up a timer */ - if (ledinfo->delay > 0) - setup_timer(&ledinternal->timer, led_timeout_callback, - (unsigned long)ledinternal); + /* Since the letinternal timer can be shared between multiple targets, + * always set it up, even if the current target does not need it + */ + setup_timer(&ledinternal->timer, led_timeout_callback, + (unsigned long)ledinternal);
list_add_tail(&ledinternal->list, &xt_led_triggers);
@@ -181,8 +182,7 @@ static void led_tg_destroy(const struct
list_del(&ledinternal->list);
- if (ledinfo->delay > 0) - del_timer_sync(&ledinternal->timer); + del_timer_sync(&ledinternal->timer);
led_trigger_unregister(&ledinternal->netfilter_led_trigger);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni pabeni@redhat.com
commit db57ccf0f2f4624b4c4758379f8165277504fbd7 upstream.
syzbot reported a division by 0 bug in the netfilter nat code:
divide error: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530 net/netfilter/nf_nat_proto_common.c:88 RSP: 0018:ffff8801b2466778 EFLAGS: 00010246 RAX: 000000000000f153 RBX: ffff8801b2466dd8 RCX: ffff8801b2466c7c RDX: 0000000000000000 RSI: ffff8801b2466c58 RDI: ffff8801db5293ac RBP: ffff8801b24667d8 R08: ffff8801b8ba6dc0 R09: ffffffff88af5900 R10: ffff8801b24666f0 R11: 0000000000000000 R12: 000000002990f153 R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801b2466c7c FS: 00000000017e3880(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000208fdfe4 CR3: 00000001b5340002 CR4: 00000000001606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: dccp_unique_tuple+0x40/0x50 net/netfilter/nf_nat_proto_dccp.c:30 get_unique_tuple+0xc28/0x1c10 net/netfilter/nf_nat_core.c:362 nf_nat_setup_info+0x1c2/0xe00 net/netfilter/nf_nat_core.c:406 nf_nat_redirect_ipv6+0x306/0x730 net/netfilter/nf_nat_redirect.c:124 redirect_tg6+0x7f/0xb0 net/netfilter/xt_REDIRECT.c:34 ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365 ip6table_nat_do_chain+0x65/0x80 net/ipv6/netfilter/ip6table_nat.c:41 nf_nat_ipv6_fn+0x594/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:302 nf_nat_ipv6_local_fn+0x33/0x5d0 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407 ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook include/linux/netfilter.h:243 [inline] NF_HOOK include/linux/netfilter.h:286 [inline] ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139 dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142 dccp_connect+0x369/0x670 net/dccp/output.c:564 dccp_v6_connect+0xe17/0x1bf0 net/dccp/ipv6.c:946 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684 SYSC_connect+0x213/0x4a0 net/socket.c:1639 SyS_connect+0x24/0x30 net/socket.c:1620 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x441c69 RSP: 002b:00007ffe50cc0be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000441c69 RDX: 000000000000001c RSI: 00000000208fdfe4 RDI: 0000000000000003 RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000538 R11: 0000000000000217 R12: 0000000000403590 R13: 0000000000403620 R14: 0000000000000000 R15: 0000000000000000 Code: 48 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 46 02 00 00 48 8b 45 c8 44 0f b7 20 e8 88 97 04 fd 31 d2 41 0f b7 c4 4c 89 f9 <41> f7 f6 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 0f b6 0c 01 RIP: nf_nat_l4proto_unique_tuple+0x291/0x530 net/netfilter/nf_nat_proto_common.c:88 RSP: ffff8801b2466778
The problem is that currently we don't have any check on the configured port range. A port range == -1 triggers the bug, while other negative values may require a very long time to complete the following loop.
This commit addresses the issue swapping the two ends on negative ranges. The check is performed in nf_nat_l4proto_unique_tuple() since the nft nat loads the port values from nft registers at runtime.
v1 -> v2: use the correct 'Fixes' tag v2 -> v3: update commit message, drop unneeded READ_ONCE()
Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack") Reported-by: syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com Signed-off-by: Paolo Abeni pabeni@redhat.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/netfilter/nf_nat_proto_common.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_nat_proto_common.c +++ b/net/netfilter/nf_nat_proto_common.c @@ -41,7 +41,7 @@ void nf_nat_l4proto_unique_tuple(const s const struct nf_conn *ct, u16 *rover) { - unsigned int range_size, min, i; + unsigned int range_size, min, max, i; __be16 *portptr; u_int16_t off;
@@ -71,7 +71,10 @@ void nf_nat_l4proto_unique_tuple(const s } } else { min = ntohs(range->min_proto.all); - range_size = ntohs(range->max_proto.all) - min + 1; + max = ntohs(range->max_proto.all); + if (unlikely(max < min)) + swap(max, min); + range_size = max - min + 1; }
if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet edumazet@google.com
commit cfc2c740533368b96e2be5e0a4e8c3cace7d9814 upstream.
We had one report from syzkaller [1]
First issue is that INIT_WORK() should be done before mod_timer() or we risk timer being fired too soon, even with a 1 second timer.
Second issue is that we need to reject too big info->timeout to avoid overflows in msecs_to_jiffies(info->timeout * 1000), or risk looping, if result after overflow is 0.
[1] WARNING: CPU: 1 PID: 5129 at kernel/workqueue.c:1444 __queue_work+0xdf4/0x1230 kernel/workqueue.c:1444 Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 5129 Comm: syzkaller159866 Not tainted 4.16.0-rc1+ #230 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 panic+0x1e4/0x41c kernel/panic.c:183 __warn+0x1dc/0x200 kernel/panic.c:547 report_bug+0x211/0x2d0 lib/bug.c:184 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 fixup_bug arch/x86/kernel/traps.c:247 [inline] do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:988 RIP: 0010:__queue_work+0xdf4/0x1230 kernel/workqueue.c:1444 RSP: 0018:ffff8801db507538 EFLAGS: 00010006 RAX: ffff8801aeb46080 RBX: ffff8801db530200 RCX: ffffffff81481404 RDX: 0000000000000100 RSI: ffffffff86b42640 RDI: 0000000000000082 RBP: ffff8801db507758 R08: 1ffff1003b6a0de5 R09: 000000000000000c R10: ffff8801db5073f0 R11: 0000000000000020 R12: 1ffff1003b6a0eb6 R13: ffff8801b1067ae0 R14: 00000000000001f8 R15: dffffc0000000000 queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1488 queue_work include/linux/workqueue.h:488 [inline] schedule_work include/linux/workqueue.h:546 [inline] idletimer_tg_expired+0x44/0x60 net/netfilter/xt_IDLETIMER.c:116 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1cc/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:541 [inline] smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:829 </IRQ> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184 RSP: 0018:ffff8801c20173c8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12 RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000006 RDX: 1ffffffff0d592cd RSI: 1ffff10035d68d23 RDI: 0000000000000282 RBP: ffff8801c20173d8 R08: 1ffff10038402e47 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8820e5c8 R13: ffff8801b1067ad8 R14: ffff8801aea7c268 R15: ffff8801aea7c278 __debug_object_init+0x235/0x1040 lib/debugobjects.c:378 debug_object_init+0x17/0x20 lib/debugobjects.c:391 __init_work+0x2b/0x60 kernel/workqueue.c:506 idletimer_tg_create net/netfilter/xt_IDLETIMER.c:152 [inline] idletimer_tg_checkentry+0x691/0xb00 net/netfilter/xt_IDLETIMER.c:213 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850 check_target net/ipv6/netfilter/ip6_tables.c:533 [inline] find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:575 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline] do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2976 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation") Signed-off-by: Eric Dumazet edumazet@google.com Reported-by: syzkaller syzkaller@googlegroups.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/netfilter/xt_IDLETIMER.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/netfilter/xt_IDLETIMER.c +++ b/net/netfilter/xt_IDLETIMER.c @@ -147,11 +147,11 @@ static int idletimer_tg_create(struct id (unsigned long) info->timer); info->timer->refcnt = 1;
+ INIT_WORK(&info->timer->work, idletimer_tg_work); + mod_timer(&info->timer->timer, msecs_to_jiffies(info->timeout * 1000) + jiffies);
- INIT_WORK(&info->timer->work, idletimer_tg_work); - return 0;
out_free_attr: @@ -192,7 +192,10 @@ static int idletimer_tg_checkentry(const pr_debug("timeout value is zero\n"); return -EINVAL; } - + if (info->timeout >= INT_MAX / 1000) { + pr_debug("timeout value is too big\n"); + return -EINVAL; + } if (info->label[0] == '\0' || strnlen(info->label, MAX_IDLETIMER_LABEL_SIZE) == MAX_IDLETIMER_LABEL_SIZE) {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream.
We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order.
The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing.
Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary.
Reported-by: syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/bridge/netfilter/ebtables.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-)
--- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2021,7 +2021,9 @@ static int ebt_size_mwt(struct compat_eb if (match_kern) match_kern->match_size = ret;
- WARN_ON(type == EBT_COMPAT_TARGET && size_left); + if (WARN_ON(type == EBT_COMPAT_TARGET && size_left)) + return -EINVAL; + match32 = (struct compat_ebt_entry_mwt *) buf; }
@@ -2078,6 +2080,15 @@ static int size_entry_mwt(struct ebt_ent * * offsets are relative to beginning of struct ebt_entry (i.e., 0). */ + for (i = 0; i < 4 ; ++i) { + if (offsets[i] >= *total) + return -EINVAL; + if (i == 0) + continue; + if (offsets[i-1] > offsets[i]) + return -EINVAL; + } + for (i = 0, j = 1 ; j < 4 ; j++, i++) { struct compat_ebt_entry_mwt *match32; unsigned int size;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream.
ebt_among is special, it has a dynamic match size and is exempt from the central size checks.
Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure.
The module has such a check, but its only done after accessing a structure that might be out of bounds.
tested with: ebtables -A INPUT ... \ --among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe
Reported-by: syzbot+fe0b19af568972814355@syzkaller.appspotmail.com Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/bridge/netfilter/ebt_among.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-)
--- a/net/bridge/netfilter/ebt_among.c +++ b/net/bridge/netfilter/ebt_among.c @@ -172,18 +172,35 @@ ebt_among_mt(const struct sk_buff *skb, return true; }
+static bool poolsize_invalid(const struct ebt_mac_wormhash *w) +{ + return w && w->poolsize >= (INT_MAX / sizeof(struct ebt_mac_wormhash_tuple)); +} + static int ebt_among_mt_check(const struct xt_mtchk_param *par) { const struct ebt_among_info *info = par->matchinfo; const struct ebt_entry_match *em = container_of(par->matchinfo, const struct ebt_entry_match, data); - int expected_length = sizeof(struct ebt_among_info); + unsigned int expected_length = sizeof(struct ebt_among_info); const struct ebt_mac_wormhash *wh_dst, *wh_src; int err;
+ if (expected_length > em->match_size) + return -EINVAL; + wh_dst = ebt_among_wh_dst(info); - wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_dst)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_dst); + if (expected_length > em->match_size) + return -EINVAL; + + wh_src = ebt_among_wh_src(info); + if (poolsize_invalid(wh_src)) + return -EINVAL; + expected_length += ebt_mac_wormhash_size(wh_src);
if (em->match_size != EBT_ALIGN(expected_length)) {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.
l4proto->manip_pkt() can cause reallocation of skb head so pointer to the ipv6 header must be reloaded.
Reported-and-tested-by: syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support") Signed-off-by: Florian Westphal fw@strlen.de Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 ++++ 1 file changed, 4 insertions(+)
--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c @@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff, target, maniptype)) return false; + + /* must reload, offset might have changed */ + ipv6h = (void *)skb->data + iphdroff; + manip_addr: if (maniptype == NF_NAT_MANIP_SRC) ipv6h->saddr = target->src.u3.in6;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit 29e09229d9f26129a39462fae0ddabc4d9533989 upstream.
inet_sk(skb->sk) is illegal in case skb is attached to request socket.
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener") Reported by: Daniel J Blueman daniel@quora.org Signed-off-by: Florian Westphal fw@strlen.de Tested-by: Daniel J Blueman daniel@quora.org Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/ipv4/netfilter.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
--- a/net/ipv4/netfilter.c +++ b/net/ipv4/netfilter.c @@ -23,7 +23,8 @@ int ip_route_me_harder(struct net *net, struct rtable *rt; struct flowi4 fl4 = {}; __be32 saddr = iph->saddr; - __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0; + const struct sock *sk = skb_to_full_sk(skb); + __u8 flags = sk ? inet_sk_flowi_flags(sk) : 0; unsigned int hh_len;
if (addr_type == RTN_UNSPEC) @@ -39,7 +40,7 @@ int ip_route_me_harder(struct net *net, fl4.daddr = iph->daddr; fl4.saddr = saddr; fl4.flowi4_tos = RT_TOS(iph->tos); - fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0; + fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0; fl4.flowi4_mark = skb->mark; fl4.flowi4_flags = flags; rt = ip_route_output_key(net, &fl4); @@ -58,7 +59,7 @@ int ip_route_me_harder(struct net *net, xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) { struct dst_entry *dst = skb_dst(skb); skb_dst_set(skb, NULL); - dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0); + dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), sk, 0); if (IS_ERR(dst)) return PTR_ERR(dst); skb_dst_set(skb, dst);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit 4d31eef5176df06f218201bc9c0ce40babb41660 upstream.
On SMP we overload the packet counter (unsigned long) to contain percpu offset. Hide this from callers and pass xt_counters address instead.
Preparation patch to allocate the percpu counters in page-sized batch chunks.
Signed-off-by: Florian Westphal fw@strlen.de Acked-by: Eric Dumazet edumazet@google.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/netfilter/x_tables.h | 6 +----- net/ipv4/netfilter/arp_tables.c | 4 ++-- net/ipv4/netfilter/ip_tables.c | 4 ++-- net/ipv6/netfilter/ip6_tables.c | 5 ++--- net/netfilter/x_tables.c | 9 +++++++++ 5 files changed, 16 insertions(+), 12 deletions(-)
--- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -395,11 +395,7 @@ static inline unsigned long xt_percpu_co
return 0; } -static inline void xt_percpu_counter_free(u64 pcnt) -{ - if (nr_cpu_ids > 1) - free_percpu((void __percpu *) (unsigned long) pcnt); -} +void xt_percpu_counter_free(struct xt_counters *cnt);
static inline struct xt_counters * xt_get_this_cpu_counter(struct xt_counters *cnt) --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -540,7 +540,7 @@ find_check_entry(struct arpt_entry *e, c err: module_put(t->u.kernel.target->me); out: - xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters);
return ret; } @@ -628,7 +628,7 @@ static inline void cleanup_entry(struct if (par.target->destroy != NULL) par.target->destroy(&par); module_put(par.target->me); - xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters); }
/* Checks and translates the user-supplied table segment (held in --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -701,7 +701,7 @@ find_check_entry(struct ipt_entry *e, st cleanup_match(ematch, net); }
- xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters);
return ret; } @@ -797,7 +797,7 @@ cleanup_entry(struct ipt_entry *e, struc if (par.target->destroy != NULL) par.target->destroy(&par); module_put(par.target->me); - xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters); }
/* Checks and translates the user-supplied table segment (held in --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -713,7 +713,7 @@ find_check_entry(struct ip6t_entry *e, s cleanup_match(ematch, net); }
- xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters);
return ret; } @@ -808,8 +808,7 @@ static void cleanup_entry(struct ip6t_en if (par.target->destroy != NULL) par.target->destroy(&par); module_put(par.target->me); - - xt_percpu_counter_free(e->counters.pcnt); + xt_percpu_counter_free(&e->counters); }
/* Checks and translates the user-supplied table segment (held in --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1592,6 +1592,15 @@ void xt_proto_fini(struct net *net, u_in } EXPORT_SYMBOL_GPL(xt_proto_fini);
+void xt_percpu_counter_free(struct xt_counters *counters) +{ + unsigned long pcnt = counters->pcnt; + + if (nr_cpu_ids > 1) + free_percpu((void __percpu *)pcnt); +} +EXPORT_SYMBOL_GPL(xt_percpu_counter_free); + static int __net_init xt_net_init(struct net *net) { int i;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit f28e15bacedd444608e25421c72eb2cf4527c9ca upstream.
Keeps some noise away from a followup patch.
Signed-off-by: Florian Westphal fw@strlen.de Acked-by: Eric Dumazet edumazet@google.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/netfilter/x_tables.h | 27 +-------------------------- net/ipv4/netfilter/arp_tables.c | 5 +---- net/ipv4/netfilter/ip_tables.c | 5 +---- net/ipv6/netfilter/ip6_tables.c | 5 +---- net/netfilter/x_tables.c | 30 ++++++++++++++++++++++++++++++ 5 files changed, 34 insertions(+), 38 deletions(-)
--- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -369,32 +369,7 @@ static inline unsigned long ifname_compa }
-/* On SMP, ip(6)t_entry->counters.pcnt holds address of the - * real (percpu) counter. On !SMP, its just the packet count, - * so nothing needs to be done there. - * - * xt_percpu_counter_alloc returns the address of the percpu - * counter, or 0 on !SMP. We force an alignment of 16 bytes - * so that bytes/packets share a common cache line. - * - * Hence caller must use IS_ERR_VALUE to check for error, this - * allows us to return 0 for single core systems without forcing - * callers to deal with SMP vs. NONSMP issues. - */ -static inline unsigned long xt_percpu_counter_alloc(void) -{ - if (nr_cpu_ids > 1) { - void __percpu *res = __alloc_percpu(sizeof(struct xt_counters), - sizeof(struct xt_counters)); - - if (res == NULL) - return -ENOMEM; - - return (__force unsigned long) res; - } - - return 0; -} +bool xt_percpu_counter_alloc(struct xt_counters *counters); void xt_percpu_counter_free(struct xt_counters *cnt);
static inline struct xt_counters * --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -515,13 +515,10 @@ find_check_entry(struct arpt_entry *e, c { struct xt_entry_target *t; struct xt_target *target; - unsigned long pcnt; int ret;
- pcnt = xt_percpu_counter_alloc(); - if (IS_ERR_VALUE(pcnt)) + if (!xt_percpu_counter_alloc(&e->counters)) return -ENOMEM; - e->counters.pcnt = pcnt;
t = arpt_get_target(e); target = xt_request_find_target(NFPROTO_ARP, t->u.user.name, --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -657,12 +657,9 @@ find_check_entry(struct ipt_entry *e, st unsigned int j; struct xt_mtchk_param mtpar; struct xt_entry_match *ematch; - unsigned long pcnt;
- pcnt = xt_percpu_counter_alloc(); - if (IS_ERR_VALUE(pcnt)) + if (!xt_percpu_counter_alloc(&e->counters)) return -ENOMEM; - e->counters.pcnt = pcnt;
j = 0; mtpar.net = net; --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -670,12 +670,9 @@ find_check_entry(struct ip6t_entry *e, s unsigned int j; struct xt_mtchk_param mtpar; struct xt_entry_match *ematch; - unsigned long pcnt;
- pcnt = xt_percpu_counter_alloc(); - if (IS_ERR_VALUE(pcnt)) + if (!xt_percpu_counter_alloc(&e->counters)) return -ENOMEM; - e->counters.pcnt = pcnt;
j = 0; mtpar.net = net; --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -1592,6 +1592,36 @@ void xt_proto_fini(struct net *net, u_in } EXPORT_SYMBOL_GPL(xt_proto_fini);
+/** + * xt_percpu_counter_alloc - allocate x_tables rule counter + * + * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct + * + * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then + * contain the address of the real (percpu) counter. + * + * Rule evaluation needs to use xt_get_this_cpu_counter() helper + * to fetch the real percpu counter. + * + * returns false on error. + */ +bool xt_percpu_counter_alloc(struct xt_counters *counter) +{ + void __percpu *res; + + if (nr_cpu_ids <= 1) + return true; + + res = __alloc_percpu(sizeof(struct xt_counters), + sizeof(struct xt_counters)); + if (!res) + return false; + + counter->pcnt = (__force unsigned long)res; + return true; +} +EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc); + void xt_percpu_counter_free(struct xt_counters *counters) { unsigned long pcnt = counters->pcnt;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal fw@strlen.de
commit ae0ac0ed6fcf5af3be0f63eb935f483f44a402d2 upstream.
instead of allocating each xt_counter individually, allocate 4k chunks and then use these for counter allocation requests.
This should speed up rule evaluation by increasing data locality, also speeds up ruleset loading because we reduce calls to the percpu allocator.
As Eric points out we can't use PAGE_SIZE, page_allocator would fail on arches with 64k page size.
Suggested-by: Eric Dumazet edumazet@google.com Signed-off-by: Florian Westphal fw@strlen.de Acked-by: Eric Dumazet edumazet@google.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/linux/netfilter/x_tables.h | 7 ++++++- net/ipv4/netfilter/arp_tables.c | 9 ++++++--- net/ipv4/netfilter/ip_tables.c | 9 ++++++--- net/ipv6/netfilter/ip6_tables.c | 9 ++++++--- net/netfilter/x_tables.c | 34 +++++++++++++++++++++++++--------- 5 files changed, 49 insertions(+), 19 deletions(-)
--- a/include/linux/netfilter/x_tables.h +++ b/include/linux/netfilter/x_tables.h @@ -368,8 +368,13 @@ static inline unsigned long ifname_compa return ret; }
+struct xt_percpu_counter_alloc_state { + unsigned int off; + const char __percpu *mem; +};
-bool xt_percpu_counter_alloc(struct xt_counters *counters); +bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state, + struct xt_counters *counter); void xt_percpu_counter_free(struct xt_counters *cnt);
static inline struct xt_counters * --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -511,13 +511,14 @@ static inline int check_target(struct ar }
static inline int -find_check_entry(struct arpt_entry *e, const char *name, unsigned int size) +find_check_entry(struct arpt_entry *e, const char *name, unsigned int size, + struct xt_percpu_counter_alloc_state *alloc_state) { struct xt_entry_target *t; struct xt_target *target; int ret;
- if (!xt_percpu_counter_alloc(&e->counters)) + if (!xt_percpu_counter_alloc(alloc_state, &e->counters)) return -ENOMEM;
t = arpt_get_target(e); @@ -634,6 +635,7 @@ static inline void cleanup_entry(struct static int translate_table(struct xt_table_info *newinfo, void *entry0, const struct arpt_replace *repl) { + struct xt_percpu_counter_alloc_state alloc_state = { 0 }; struct arpt_entry *iter; unsigned int *offsets; unsigned int i; @@ -707,7 +709,8 @@ static int translate_table(struct xt_tab /* Finally, each sanity check must pass */ i = 0; xt_entry_foreach(iter, entry0, newinfo->size) { - ret = find_check_entry(iter, repl->name, repl->size); + ret = find_check_entry(iter, repl->name, repl->size, + &alloc_state); if (ret != 0) break; ++i; --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -649,7 +649,8 @@ static int check_target(struct ipt_entry
static int find_check_entry(struct ipt_entry *e, struct net *net, const char *name, - unsigned int size) + unsigned int size, + struct xt_percpu_counter_alloc_state *alloc_state) { struct xt_entry_target *t; struct xt_target *target; @@ -658,7 +659,7 @@ find_check_entry(struct ipt_entry *e, st struct xt_mtchk_param mtpar; struct xt_entry_match *ematch;
- if (!xt_percpu_counter_alloc(&e->counters)) + if (!xt_percpu_counter_alloc(alloc_state, &e->counters)) return -ENOMEM;
j = 0; @@ -803,6 +804,7 @@ static int translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, const struct ipt_replace *repl) { + struct xt_percpu_counter_alloc_state alloc_state = { 0 }; struct ipt_entry *iter; unsigned int *offsets; unsigned int i; @@ -872,7 +874,8 @@ translate_table(struct net *net, struct /* Finally, each sanity check must pass */ i = 0; xt_entry_foreach(iter, entry0, newinfo->size) { - ret = find_check_entry(iter, net, repl->name, repl->size); + ret = find_check_entry(iter, net, repl->name, repl->size, + &alloc_state); if (ret != 0) break; ++i; --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -662,7 +662,8 @@ static int check_target(struct ip6t_entr
static int find_check_entry(struct ip6t_entry *e, struct net *net, const char *name, - unsigned int size) + unsigned int size, + struct xt_percpu_counter_alloc_state *alloc_state) { struct xt_entry_target *t; struct xt_target *target; @@ -671,7 +672,7 @@ find_check_entry(struct ip6t_entry *e, s struct xt_mtchk_param mtpar; struct xt_entry_match *ematch;
- if (!xt_percpu_counter_alloc(&e->counters)) + if (!xt_percpu_counter_alloc(alloc_state, &e->counters)) return -ENOMEM;
j = 0; @@ -814,6 +815,7 @@ static int translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0, const struct ip6t_replace *repl) { + struct xt_percpu_counter_alloc_state alloc_state = { 0 }; struct ip6t_entry *iter; unsigned int *offsets; unsigned int i; @@ -883,7 +885,8 @@ translate_table(struct net *net, struct /* Finally, each sanity check must pass */ i = 0; xt_entry_foreach(iter, entry0, newinfo->size) { - ret = find_check_entry(iter, net, repl->name, repl->size); + ret = find_check_entry(iter, net, repl->name, repl->size, + &alloc_state); if (ret != 0) break; ++i; --- a/net/netfilter/x_tables.c +++ b/net/netfilter/x_tables.c @@ -38,6 +38,8 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Harald Welte laforge@netfilter.org"); MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
+#define XT_PCPU_BLOCK_SIZE 4096 + struct compat_delta { unsigned int offset; /* offset in kernel */ int delta; /* delta in 32bit user land */ @@ -1595,6 +1597,7 @@ EXPORT_SYMBOL_GPL(xt_proto_fini); /** * xt_percpu_counter_alloc - allocate x_tables rule counter * + * @state: pointer to xt_percpu allocation state * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct * * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then @@ -1603,21 +1606,34 @@ EXPORT_SYMBOL_GPL(xt_proto_fini); * Rule evaluation needs to use xt_get_this_cpu_counter() helper * to fetch the real percpu counter. * + * To speed up allocation and improve data locality, a 4kb block is + * allocated. + * + * xt_percpu_counter_alloc_state contains the base address of the + * allocated page and the current sub-offset. + * * returns false on error. */ -bool xt_percpu_counter_alloc(struct xt_counters *counter) +bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state, + struct xt_counters *counter) { - void __percpu *res; + BUILD_BUG_ON(XT_PCPU_BLOCK_SIZE < (sizeof(*counter) * 2));
if (nr_cpu_ids <= 1) return true;
- res = __alloc_percpu(sizeof(struct xt_counters), - sizeof(struct xt_counters)); - if (!res) - return false; - - counter->pcnt = (__force unsigned long)res; + if (!state->mem) { + state->mem = __alloc_percpu(XT_PCPU_BLOCK_SIZE, + XT_PCPU_BLOCK_SIZE); + if (!state->mem) + return false; + } + counter->pcnt = (__force unsigned long)(state->mem + state->off); + state->off += sizeof(*counter); + if (state->off > (XT_PCPU_BLOCK_SIZE - sizeof(*counter))) { + state->mem = NULL; + state->off = 0; + } return true; } EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc); @@ -1626,7 +1642,7 @@ void xt_percpu_counter_free(struct xt_co { unsigned long pcnt = counters->pcnt;
- if (nr_cpu_ids > 1) + if (nr_cpu_ids > 1 && (pcnt & (XT_PCPU_BLOCK_SIZE - 1)) == 0) free_percpu((void __percpu *)pcnt); } EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tahsin Erdogan tahsin@google.com
commit ec00022030da5761518476096626338bd67df57a upstream.
When an xattr block has a single reference, block is updated inplace and it is reinserted to the cache. Later, a cache lookup is performed to see whether an existing block has the same contents. This cache lookup will most of the time return the just inserted entry so deduplication is not achieved.
Running the following test script will produce two xattr blocks which can be observed in "File ACL: " line of debugfs output:
mke2fs -b 1024 -I 128 -F -O extent /dev/sdb 1G mount /dev/sdb /mnt/sdb
touch /mnt/sdb/{x,y}
setfattr -n user.1 -v aaa /mnt/sdb/x setfattr -n user.2 -v bbb /mnt/sdb/x
setfattr -n user.1 -v aaa /mnt/sdb/y setfattr -n user.2 -v bbb /mnt/sdb/y
debugfs -R 'stat x' /dev/sdb | cat debugfs -R 'stat y' /dev/sdb | cat
This patch defers the reinsertion to the cache so that we can locate other blocks with the same contents.
Signed-off-by: Tahsin Erdogan tahsin@google.com Signed-off-by: Theodore Ts'o tytso@mit.edu Reviewed-by: Andreas Dilger adilger@dilger.ca Signed-off-by: Tommi Rantala tommi.t.rantala@nokia.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/ext4/xattr.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/ext4/xattr.c +++ b/fs/ext4/xattr.c @@ -828,8 +828,6 @@ ext4_xattr_block_set(handle_t *handle, s if (!IS_LAST_ENTRY(s->first)) ext4_xattr_rehash(header(s->base), s->here); - ext4_xattr_cache_insert(ext4_mb_cache, - bs->bh); } unlock_buffer(bs->bh); if (error == -EFSCORRUPTED) @@ -918,6 +916,7 @@ inserted: } else if (bs->bh && s->base == bs->bh->b_data) { /* We were modifying this block in-place. */ ea_bdebug(bs->bh, "keeping this block"); + ext4_xattr_cache_insert(ext4_mb_cache, bs->bh); new_bh = bs->bh; get_bh(new_bh); } else {
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clay McClure clay@daemons.net
commit a51a0c8d213594bc094cb8e54aad0cb6d7f7b9a6 upstream.
Similar to commit 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev"), we should make the volume active before registering it.
Signed-off-by: Clay McClure clay@daemons.net Cc: stable@vger.kernel.org Signed-off-by: Richard Weinberger richard@nod.at Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/mtd/ubi/vmt.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-)
--- a/drivers/mtd/ubi/vmt.c +++ b/drivers/mtd/ubi/vmt.c @@ -265,6 +265,12 @@ int ubi_create_volume(struct ubi_device vol->last_eb_bytes = vol->usable_leb_size; }
+ /* Make volume "available" before it becomes accessible via sysfs */ + spin_lock(&ubi->volumes_lock); + ubi->volumes[vol_id] = vol; + ubi->vol_count += 1; + spin_unlock(&ubi->volumes_lock); + /* Register character device for the volume */ cdev_init(&vol->cdev, &ubi_vol_cdev_operations); vol->cdev.owner = THIS_MODULE; @@ -304,11 +310,6 @@ int ubi_create_volume(struct ubi_device if (err) goto out_sysfs;
- spin_lock(&ubi->volumes_lock); - ubi->volumes[vol_id] = vol; - ubi->vol_count += 1; - spin_unlock(&ubi->volumes_lock); - ubi_volume_notify(ubi, vol, UBI_VOLUME_ADDED); self_check_volumes(ubi); return err; @@ -328,6 +329,10 @@ out_sysfs: out_cdev: cdev_del(&vol->cdev); out_mapping: + spin_lock(&ubi->volumes_lock); + ubi->volumes[vol_id] = NULL; + ubi->vol_count -= 1; + spin_unlock(&ubi->volumes_lock); if (do_free) kfree(vol->eba_tbl); out_acc:
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Quinn Tran quinn.tran@cavium.com
commit 063b36d6b0ad74c748d536f5cb47bac2f850a0fa upstream.
Current code manually allocate an fcport structure that is not properly initialize. Replace kzalloc with qla2x00_alloc_fcport, so that all fields are initialized. Also set set scan flag to port found
Cc: stable@vger.kernel.org Signed-off-by: Quinn Tran quinn.tran@cavium.com Signed-off-by: Himanshu Madhani himanshu.madhani@cavium.com Reviewed-by: Hannes Reinecke hare@suse.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/scsi/qla2xxx/qla_target.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/scsi/qla2xxx/qla_target.c +++ b/drivers/scsi/qla2xxx/qla_target.c @@ -5502,7 +5502,7 @@ static fc_port_t *qlt_get_port_database( fc_port_t *fcport; int rc;
- fcport = kzalloc(sizeof(*fcport), GFP_KERNEL); + fcport = qla2x00_alloc_fcport(vha, GFP_KERNEL); if (!fcport) { ql_dbg(ql_dbg_tgt_mgt, vha, 0xf06f, "qla_target(%d): Allocation of tmp FC port failed",
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust trond.myklebust@primarydata.com
commit d9ee65539d3eabd9ade46cca1780e3309ad0f907 upstream.
The start offset needs to be of type loff_t.
Fixed: 5fadeb47dcc5c ("nfs: count DIO good bytes correctly with mirroring") Cc: stable@vger.kernel.org # v4.0+ Signed-off-by: Trond Myklebust trond.myklebust@primarydata.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/nfs/direct.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/nfs/direct.c +++ b/fs/nfs/direct.c @@ -86,9 +86,9 @@ struct nfs_direct_req { struct nfs_direct_mirror mirrors[NFS_PAGEIO_DESCRIPTOR_MIRROR_MAX]; int mirror_count;
+ loff_t io_start; /* Start offset for I/O */ ssize_t count, /* bytes actually processed */ bytes_left, /* bytes left to be sent */ - io_start, /* start of IO */ error; /* any reported error */ struct completion completion; /* wait for i/o completion */
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman gregkh@linuxfoundation.org
This reverts commit c86bfc7b7b01c4b98c29a39bd60e61fa8e337ebf which was commit 74402055a2d3ec998a1ded599e86185a27d9bbf4 upstream.
The backport merged incorrectly, so I'm dropping it.
Reported-by: Ben Hutchings ben.hutchings@codethink.co.uk Cc: Adam Ford aford173@gmail.com Cc: Tony Lindgren tony@atomide.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/arm/boot/dts/logicpd-torpedo-som.dtsi | 8 -------- 1 file changed, 8 deletions(-)
--- a/arch/arm/boot/dts/logicpd-torpedo-som.dtsi +++ b/arch/arm/boot/dts/logicpd-torpedo-som.dtsi @@ -90,8 +90,6 @@ };
&i2c1 { - pinctrl-names = "default"; - pinctrl-0 = <&i2c1_pins>; clock-frequency = <2600000>;
twl: twl@48 { @@ -148,12 +146,6 @@ OMAP3630_CORE2_IOPAD(0x25da, PIN_INPUT_PULLUP | MUX_MODE2) /* etk_ctl.sdmmc3_cmd */ >; }; - i2c1_pins: pinmux_i2c1_pins { - pinctrl-single,pins = < - OMAP3_CORE1_IOPAD(0x21ba, PIN_INPUT | MUX_MODE0) /* i2c1_scl.i2c1_scl */ - OMAP3_CORE1_IOPAD(0x21bc, PIN_INPUT | MUX_MODE0) /* i2c1_sda.i2c1_sda */ - >; - }; };
#include "twl4030.dtsi"
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josh Poimboeuf jpoimboe@redhat.com
commit eda9cec4c9a12208a6f69fbe68f72a6311d50032 upstream.
There have been some cases where external tooling (e.g., kpatch-build) creates a corrupt relocation which targets the wrong address. This is a silent failure which can corrupt memory in unexpected places.
On x86, the bytes of data being overwritten by relocations are always initialized to zero beforehand. Use that knowledge to add sanity checks to detect such cases before they corrupt memory.
Signed-off-by: Josh Poimboeuf jpoimboe@redhat.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: jeyu@kernel.org Cc: live-patching@vger.kernel.org Link: http://lkml.kernel.org/r/37450d6c6225e54db107fba447ce9e56e5f758e9.1509713553... [ Restructured the messages, as it's unclear whether the relocation or the target is corrupted. ] Signed-off-by: Ingo Molnar mingo@kernel.org Cc: Matthias Kaehlcke mka@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/module.c | 13 +++++++++++++ 1 file changed, 13 insertions(+)
--- a/arch/x86/kernel/module.c +++ b/arch/x86/kernel/module.c @@ -170,19 +170,27 @@ int apply_relocate_add(Elf64_Shdr *sechd case R_X86_64_NONE: break; case R_X86_64_64: + if (*(u64 *)loc != 0) + goto invalid_relocation; *(u64 *)loc = val; break; case R_X86_64_32: + if (*(u32 *)loc != 0) + goto invalid_relocation; *(u32 *)loc = val; if (val != *(u32 *)loc) goto overflow; break; case R_X86_64_32S: + if (*(s32 *)loc != 0) + goto invalid_relocation; *(s32 *)loc = val; if ((s64)val != *(s32 *)loc) goto overflow; break; case R_X86_64_PC32: + if (*(u32 *)loc != 0) + goto invalid_relocation; val -= (u64)loc; *(u32 *)loc = val; #if 0 @@ -198,6 +206,11 @@ int apply_relocate_add(Elf64_Shdr *sechd } return 0;
+invalid_relocation: + pr_err("x86/modules: Skipping invalid relocation target, existing value is nonzero for type %d, loc %p, val %Lx\n", + (int)ELF64_R_TYPE(rel[i].r_info), loc, val); + return -ENOEXEC; + overflow: pr_err("overflow in relocation type %d val %Lx\n", (int)ELF64_R_TYPE(rel[i].r_info), val);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: H.J. Lu hjl.tools@gmail.com
commit b21ebf2fb4cde1618915a97cc773e287ff49173e upstream.
On i386, there are 2 types of PLTs, PIC and non-PIC. PIE and shared objects must use PIC PLT. To use PIC PLT, you need to load _GLOBAL_OFFSET_TABLE_ into EBX first. There is no need for that on x86-64 since x86-64 uses PC-relative PLT.
On x86-64, for 32-bit PC-relative branches, we can generate PLT32 relocation, instead of PC32 relocation, which can also be used as a marker for 32-bit PC-relative branches. Linker can always reduce PLT32 relocation to PC32 if function is defined locally. Local functions should use PC32 relocation. As far as Linux kernel is concerned, R_X86_64_PLT32 can be treated the same as R_X86_64_PC32 since Linux kernel doesn't use PLT.
R_X86_64_PLT32 for 32-bit PC-relative branches has been enabled in binutils master branch which will become binutils 2.31.
[ hjl is working on having better documentation on this all, but a few more notes from him:
"PLT32 relocation is used as marker for PC-relative branches. Because of EBX, it looks odd to generate PLT32 relocation on i386 when EBX doesn't have GOT.
As for symbol resolution, PLT32 and PC32 relocations are almost interchangeable. But when linker sees PLT32 relocation against a protected symbol, it can resolved locally at link-time since it is used on a branch instruction. Linker can't do that for PC32 relocation"
but for the kernel use, the two are basically the same, and this commit gets things building and working with the current binutils master - Linus ]
Signed-off-by: H.J. Lu hjl.tools@gmail.com Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Cc: Matthias Kaehlcke mka@chromium.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/machine_kexec_64.c | 1 + arch/x86/kernel/module.c | 1 + arch/x86/tools/relocs.c | 3 +++ 3 files changed, 5 insertions(+)
--- a/arch/x86/kernel/machine_kexec_64.c +++ b/arch/x86/kernel/machine_kexec_64.c @@ -519,6 +519,7 @@ int arch_kexec_apply_relocations_add(con goto overflow; break; case R_X86_64_PC32: + case R_X86_64_PLT32: value -= (u64)address; *(u32 *)location = value; break; --- a/arch/x86/kernel/module.c +++ b/arch/x86/kernel/module.c @@ -189,6 +189,7 @@ int apply_relocate_add(Elf64_Shdr *sechd goto overflow; break; case R_X86_64_PC32: + case R_X86_64_PLT32: if (*(u32 *)loc != 0) goto invalid_relocation; val -= (u64)loc; --- a/arch/x86/tools/relocs.c +++ b/arch/x86/tools/relocs.c @@ -769,9 +769,12 @@ static int do_reloc64(struct section *se break;
case R_X86_64_PC32: + case R_X86_64_PLT32: /* * PC relative relocations don't need to be adjusted unless * referencing a percpu symbol. + * + * NB: R_X86_64_PLT32 can be treated as R_X86_64_PC32. */ if (is_percpu_sym(sym, symname)) add_reloc(&relocs32neg, offset);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulrich Hecht ulrich.hecht+renesas@gmail.com
commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream.
When the TTY buffers fill up to the configured maximum, a system lockup occurs:
[ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks: [ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1 [ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126) [ 598.838755] Task dump for CPU 0: [ 598.841977] swapper/0 R running task 0 0 0 0x00000022 [ 598.849023] Call trace: [ 598.851476] __switch_to+0x98/0xb0 [ 598.854870] (null)
This can be prevented by doing a dummy read of the RX data register.
This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0; reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms as well.
Reported-by: Yoshihiro Shimoda yoshihiro.shimoda.uh@renesas.com Signed-off-by: Ulrich Hecht ulrich.hecht+renesas@gmail.com Reviewed-by: Geert Uytterhoeven geert+renesas@glider.be Cc: stable stable@vger.kernel.org Tested-by: Nguyen Viet Dung dung.nguyen.aj@renesas.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/sh-sci.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/tty/serial/sh-sci.c +++ b/drivers/tty/serial/sh-sci.c @@ -847,6 +847,8 @@ static void sci_receive_chars(struct uar /* Tell the rest of the system the news. New characters! */ tty_flip_buffer_push(tport); } else { + /* TTY buffers full; read from RX reg to prevent lockup */ + serial_port_in(port, SCxRDR); serial_port_in(port, SCxSR); /* dummy read */ sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port)); }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonas Danielsson jonas@orbital-systems.com
commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream.
On our at91sam9260 based board the usart0 and usart1 ports report their versions (ATMEL_US_VERSION) as 0x10302. This version is not included in the current checks in the driver.
Signed-off-by: Jonas Danielsson jonas@orbital-systems.com Acked-by: Richard Genoud richard.genoud@gmail.com Acked-by: Nicolas Ferre nicolas.ferre@microchip.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/atmel_serial.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/tty/serial/atmel_serial.c +++ b/drivers/tty/serial/atmel_serial.c @@ -1783,6 +1783,7 @@ static void atmel_get_ip_name(struct uar switch (version) { case 0x302: case 0x10213: + case 0x10302: dev_dbg(port->dev, "This version is usart\n"); atmel_port->is_usart = true; break;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oliver Neukum oneukum@suse.com
commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream.
A typo broke the comparison.
Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset") Signed-off-by: Oliver Neukum oneukum@suse.com CC: stable@kernel.org Acked-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/storage/uas.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/storage/uas.c +++ b/drivers/usb/storage/uas.c @@ -1052,7 +1052,7 @@ static int uas_post_reset(struct usb_int return 0;
err = uas_configure_endpoints(devinfo); - if (err && err != ENODEV) + if (err && err != -ENODEV) shost_printk(KERN_ERR, shost, "%s: alloc streams error %d after reset", __func__, err);
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Frank Mori Hess fmh6jj@gmail.com
commit a42ae5905140c324362fe5036ae1dbb16e4d359c upstream.
A rounding error was causing comedi_nsamples_left to return the wrong value when nsamples was not a multiple of the scan length.
Cc: stable@vger.kernel.org # v4.4+ Signed-off-by: Frank Mori Hess fmh6jj@gmail.com Reviewed-by: Ian Abbott abbotti@mev.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/comedi/drivers.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/staging/comedi/drivers.c +++ b/drivers/staging/comedi/drivers.c @@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct struct comedi_cmd *cmd = &async->cmd;
if (cmd->stop_src == TRIG_COUNT) { - unsigned int nscans = nsamples / cmd->scan_end_arg; - unsigned int scans_left = __comedi_nscans_left(s, nscans); + unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg); unsigned int scan_pos = comedi_bytes_to_samples(s, async->scan_progress); unsigned long long samples_left = 0;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Fernandes joelaf@google.com
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
ashmem_mutex create a chain of dependencies like so:
(1) mmap syscall -> mmap_sem -> (acquired) ashmem_mmap ashmem_mutex (try to acquire) (block)
(2) llseek syscall -> ashmem_llseek -> ashmem_mutex -> (acquired) inode_lock -> inode->i_rwsem (try to acquire) (block)
(3) getdents -> iterate_dir -> inode_lock -> inode->i_rwsem (acquired) copy_to_user -> mmap_sem (try to acquire)
There is a lock ordering created between mmap_sem and inode->i_rwsem causing a lockdep splat [2] during a syzcaller test, this patch fixes the issue by unlocking the mutex earlier. Functionally that's Ok since we don't need to protect vfs_llseek.
[1] https://patchwork.kernel.org/patch/10185031/ [2] https://lkml.org/lkml/2018/1/10/48
Acked-by: Todd Kjos tkjos@google.com Cc: Arve Hjonnevag arve@android.com Cc: stable@vger.kernel.org Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com Signed-off-by: Joel Fernandes joelaf@google.com Acked-by: Greg Hackmann ghackmann@google.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/android/ashmem.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file mutex_lock(&ashmem_mutex);
if (asma->size == 0) { - ret = -EINVAL; - goto out; + mutex_unlock(&ashmem_mutex); + return -EINVAL; }
if (!asma->file) { - ret = -EBADF; - goto out; + mutex_unlock(&ashmem_mutex); + return -EBADF; }
+ mutex_unlock(&ashmem_mutex); + ret = vfs_llseek(asma->file, offset, origin); if (ret < 0) - goto out; + return ret;
/** Copy f_pos from backing file, since f_ops->llseek() sets it */ file->f_pos = asma->file->f_pos; - -out: - mutex_unlock(&ashmem_mutex); return ret; }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Teijo Kinnunen teijo.kinnunen@code-q.fi
commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.
This USB-SATA controller seems to be similar with JMicron bridge 152d:2566 already on the list. Adding it here fixes "Invalid field in cdb" errors.
Signed-off-by: Teijo Kinnunen teijo.kinnunen@code-q.fi Cc: stable@vger.kernel.org Acked-by: Alan Stern stern@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/storage/unusual_devs.h | 7 +++++++ 1 file changed, 7 insertions(+)
--- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -2142,6 +2142,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x USB_SC_DEVICE, USB_PR_DEVICE, NULL, US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ),
+/* Reported by Teijo Kinnunen teijo.kinnunen@code-q.fi */ +UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117, + "JMicron", + "USB to ATA/ATAPI Bridge", + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_BROKEN_FUA ), + /* Reported-by George Cherian george.cherian@cavium.com */ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999, "JMicron",
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich danilokrummrich@dk-develop.de
commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.
Corsair Strafe RGB keyboard does not respond to usb control messages sometimes and hence generates timeouts.
Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") tried to fix those timeouts by adding USB_QUIRK_DELAY_INIT.
Unfortunately, even with this quirk timeouts of usb_control_msg() can still be seen, but with a lower frequency (approx. 1 out of 15):
[ 29.103520] usb 1-8: string descriptor 0 read error: -110 [ 34.363097] usb 1-8: can't set config #1, error -110
Adding further delays to different locations where usb control messages are issued just moves the timeouts to other locations, e.g.:
[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110 [ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110
The only way to reliably avoid those issues is having a pause after each usb control message. In approx. 200 boot cycles no more timeouts were seen.
Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary to have the delay in hub_port_connect() after hub_port_init().
The overall boot time seems not to be influenced by these additional delays, even on fast machines and lightweight distributions.
Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") Cc: stable@vger.kernel.org Signed-off-by: Danilo Krummrich danilokrummrich@dk-develop.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/core/message.c | 4 ++++ drivers/usb/core/quirks.c | 3 ++- include/linux/usb/quirks.h | 3 +++ 3 files changed, 9 insertions(+), 1 deletion(-)
--- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *d
ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+ /* Linger a bit, prior to the next control message. */ + if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) + msleep(200); + kfree(dr);
return ret; --- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
/* Corsair Strafe RGB */ - { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, + { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | + USB_QUIRK_DELAY_CTRL_MSG },
/* Corsair K70 LUX */ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, --- a/include/linux/usb/quirks.h +++ b/include/linux/usb/quirks.h @@ -56,4 +56,7 @@ */ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
+/* Device needs a pause after every control message. */ +#define USB_QUIRK_DELAY_CTRL_MSG BIT(13) + #endif /* __LINUX_USB_QUIRKS_H */
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julia Lawall Julia.Lawall@lip6.fr
commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream.
The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/)
// <smpl> @@ expression e1,e2; statement S1,S2; @@
+e1 = e2; if (IS_ERR( e1 - = e2 )) S1 else S2 // </smpl>
Signed-off-by: Julia Lawall Julia.Lawall@lip6.fr Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/mon/mon_text.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/usb/mon/mon_text.c +++ b/drivers/usb/mon/mon_text.c @@ -386,7 +386,8 @@ static ssize_t mon_text_read_t(struct fi struct mon_event_text *ep; struct mon_text_ptr ptr;
- if (IS_ERR(ep = mon_text_read_wait(rp, file))) + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) return PTR_ERR(ep); mutex_lock(&rp->printf_lock); ptr.cnt = 0; @@ -413,7 +414,8 @@ static ssize_t mon_text_read_u(struct fi struct mon_event_text *ep; struct mon_text_ptr ptr;
- if (IS_ERR(ep = mon_text_read_wait(rp, file))) + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) return PTR_ERR(ep); mutex_lock(&rp->printf_lock); ptr.cnt = 0;
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pete Zaitcev zaitcev@kotori.zaitcev.us
commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
This change fixes buffer overflows and silent data corruption with the usbmon device driver text file read operations.
Signed-off-by: Fredrik Noring noring@nocrew.org Signed-off-by: Pete Zaitcev zaitcev@redhat.com Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/mon/mon_text.c | 124 +++++++++++++++++++++++++++------------------ 1 file changed, 77 insertions(+), 47 deletions(-)
--- a/drivers/usb/mon/mon_text.c +++ b/drivers/usb/mon/mon_text.c @@ -82,6 +82,8 @@ struct mon_reader_text {
wait_queue_head_t wait; int printf_size; + size_t printf_offset; + size_t printf_togo; char *printf_buf; struct mutex printf_lock;
@@ -373,75 +375,103 @@ err_alloc: return rc; }
-/* - * For simplicity, we read one record in one system call and throw out - * what does not fit. This means that the following does not work: - * dd if=/dbg/usbmon/0t bs=10 - * Also, we do not allow seeks and do not bother advancing the offset. - */ +static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp, + char __user * const buf, const size_t nbytes) +{ + const size_t togo = min(nbytes, rp->printf_togo); + + if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo)) + return -EFAULT; + rp->printf_togo -= togo; + rp->printf_offset += togo; + return togo; +} + +/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_t(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) + size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret;
- ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(&rp->printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size; - - mon_text_read_head_t(rp, &ptr, ep); - mon_text_read_statset(rp, &ptr, ep); - ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, - " %d", ep->length); - mon_text_read_data(rp, &ptr, ep);
- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) - ptr.cnt = -EFAULT; + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(&rp->printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_t(rp, &ptr, ep); + mon_text_read_statset(rp, &ptr, ep); + ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, + " %d", ep->length); + mon_text_read_data(rp, &ptr, ep); + + rp->printf_togo = ptr.cnt; + rp->printf_offset = 0; + + kmem_cache_free(rp->e_slab, ep); + } + + ret = mon_text_copy_to_user(rp, buf, nbytes); mutex_unlock(&rp->printf_lock); - kmem_cache_free(rp->e_slab, ep); - return ptr.cnt; + return ret; }
+/* ppos is not advanced since the llseek operation is not permitted. */ static ssize_t mon_text_read_u(struct file *file, char __user *buf, - size_t nbytes, loff_t *ppos) + size_t nbytes, loff_t *ppos) { struct mon_reader_text *rp = file->private_data; struct mon_event_text *ep; struct mon_text_ptr ptr; + ssize_t ret;
- ep = mon_text_read_wait(rp, file); - if (IS_ERR(ep)) - return PTR_ERR(ep); mutex_lock(&rp->printf_lock); - ptr.cnt = 0; - ptr.pbuf = rp->printf_buf; - ptr.limit = rp->printf_size;
- mon_text_read_head_u(rp, &ptr, ep); - if (ep->type == 'E') { - mon_text_read_statset(rp, &ptr, ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { - mon_text_read_isostat(rp, &ptr, ep); - mon_text_read_isodesc(rp, &ptr, ep); - } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { - mon_text_read_intstat(rp, &ptr, ep); - } else { - mon_text_read_statset(rp, &ptr, ep); + if (rp->printf_togo == 0) { + + ep = mon_text_read_wait(rp, file); + if (IS_ERR(ep)) { + mutex_unlock(&rp->printf_lock); + return PTR_ERR(ep); + } + ptr.cnt = 0; + ptr.pbuf = rp->printf_buf; + ptr.limit = rp->printf_size; + + mon_text_read_head_u(rp, &ptr, ep); + if (ep->type == 'E') { + mon_text_read_statset(rp, &ptr, ep); + } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { + mon_text_read_isostat(rp, &ptr, ep); + mon_text_read_isodesc(rp, &ptr, ep); + } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { + mon_text_read_intstat(rp, &ptr, ep); + } else { + mon_text_read_statset(rp, &ptr, ep); + } + ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, + " %d", ep->length); + mon_text_read_data(rp, &ptr, ep); + + rp->printf_togo = ptr.cnt; + rp->printf_offset = 0; + + kmem_cache_free(rp->e_slab, ep); } - ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, - " %d", ep->length); - mon_text_read_data(rp, &ptr, ep);
- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) - ptr.cnt = -EFAULT; + ret = mon_text_copy_to_user(rp, buf, nbytes); mutex_unlock(&rp->printf_lock); - kmem_cache_free(rp->e_slab, ep); - return ptr.cnt; + return ret; }
static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xinyong xinyong.fang@linux.alibaba.com
commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream.
When I debug a kernel crash issue in funcitonfs, found ffs_data.ref overflowed, While functionfs is unmounting, ffs_data is put twice.
Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to refcount_t") can avoid refcount overflow, but that is risk some situations. So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed.
The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device. KASAN enabled configuration reports use-after-free errro.
BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0 Read of size 4 by task umount/4650 ==================================================== BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected -----------------------------------------------------------------------------
INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566 alloc_debug_processing+0x1ac/0x1e8 ___slab_alloc.constprop.63+0x640/0x648 __slab_alloc.isra.57.constprop.62+0x24/0x34 kmem_cache_alloc_trace+0x1a8/0x2bc ffs_fs_mount+0x194/0x844 mount_fs+0x6c/0x1d0 vfs_kern_mount+0x50/0x1b4 do_mount+0x258/0x1034 INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650 free_debug_processing+0x22c/0x434 __slab_free+0x2d8/0x3a0 kfree+0x254/0x264 ffs_data_put+0x25c/0x320 ffs_data_closed+0x124/0x15c ffs_fs_kill_sb+0xb8/0x110 deactivate_locked_super+0x6c/0x98 deactivate_super+0xb0/0xbc INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null) ...... Call trace: [<ffffff900808cf5c>] dump_backtrace+0x0/0x250 [<ffffff900808d3a0>] show_stack+0x14/0x1c [<ffffff90084a8c04>] dump_stack+0xa0/0xc8 [<ffffff900826c2b4>] print_trailer+0x158/0x260 [<ffffff900826d9d8>] object_err+0x3c/0x40 [<ffffff90082745f0>] kasan_report_error+0x2a8/0x754 [<ffffff9008274f84>] kasan_report+0x5c/0x60 [<ffffff9008273208>] __asan_load4+0x70/0x88 [<ffffff90084cd81c>] refcount_dec_and_test+0x14/0xe0 [<ffffff9008d98f9c>] ffs_data_put+0x80/0x320 [<ffffff9008d9d904>] ffs_fs_kill_sb+0xc8/0x110 [<ffffff90082852a0>] deactivate_locked_super+0x6c/0x98 [<ffffff900828537c>] deactivate_super+0xb0/0xbc [<ffffff90082af0c0>] cleanup_mnt+0x64/0xec [<ffffff90082af1b0>] __cleanup_mnt+0x10/0x18 [<ffffff90080d9e68>] task_work_run+0xcc/0x124 [<ffffff900808c8c0>] do_notify_resume+0x60/0x70 [<ffffff90080866e4>] work_pending+0x10/0x14
Cc: stable@vger.kernel.org Signed-off-by: Xinyong xinyong.fang@linux.alibaba.com Signed-off-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/gadget/function/f_fs.c | 1 - 1 file changed, 1 deletion(-)
--- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -1333,7 +1333,6 @@ ffs_fs_kill_sb(struct super_block *sb) if (sb->s_fs_info) { ffs_release_dev(sb->s_fs_info); ffs_data_closed(sb->s_fs_info); - ffs_data_put(sb->s_fs_info); } }
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikola Ciprich nikola.ciprich@linuxbox.cz
commit 9f2068f35729948bde84d87a40d135015911345d upstream.
Add PCI ids for two variants of Brainboxes UC-260 quad port PCI serial cards.
Suggested-by: Andy Shevchenko andriy.shevchenko@linux.intel.com Signed-off-by: Nikola Ciprich nikola.ciprich@linuxbox.cz Cc: stable stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++ 1 file changed, 11 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c +++ b/drivers/tty/serial/8250/8250_pci.c @@ -5300,6 +5300,17 @@ static struct pci_device_id serial_pci_t PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ pbn_b2_4_115200 }, /* + * BrainBoxes UC-260 + */ + { PCI_VENDOR_ID_INTASHIELD, 0x0D21, + PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, + pbn_b2_4_115200 }, + { PCI_VENDOR_ID_INTASHIELD, 0x0E34, + PCI_ANY_ID, PCI_ANY_ID, + PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, + pbn_b2_4_115200 }, + /* * Perle PCI-RAS cards */ { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030,
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman gregkh@linuxfoundation.org
Ben writes:
- int chunklen;
- chunklen = sizeof(*chunk_hdr) + paylen;
I think this length still needs to be rounded up (with WORD_ROUND here, instead of SCTP_PAD4 upstream).
So here's a fix for this problem.
Reported-by: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/sctp/sm_make_chunk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1369,7 +1369,7 @@ static struct sctp_chunk *_sctp_make_chu struct sock *sk; int chunklen;
- chunklen = sizeof(*chunk_hdr) + paylen; + chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen); if (chunklen > SCTP_MAX_CHUNK_LEN) goto nodata;
On Fri, Mar 16, 2018 at 04:22:32PM +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Merged, compiled, and flashed onto my OnePlus 5 (unfortunately, my Pixel 2 XL is going in for an RMA).
No initial issues noticed in general usage or dmesg.
Thanks! Nathan
On Fri, Mar 16, 2018 at 11:05:31AM -0700, Nathan Chancellor wrote:
On Fri, Mar 16, 2018 at 04:22:32PM +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Merged, compiled, and flashed onto my OnePlus 5 (unfortunately, my Pixel 2 XL is going in for an RMA).
No initial issues noticed in general usage or dmesg.
Great, thanks for testing and letting me know, and sorry about your Pixel 2 :(
greg k-h
On Fri, Mar 16, 2018 at 11:05:31AM -0700, Nathan Chancellor wrote:
On Fri, Mar 16, 2018 at 04:22:32PM +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Merged, compiled, and flashed onto my OnePlus 5 (unfortunately, my Pixel 2 XL is going in for an RMA).
No initial issues noticed in general usage or dmesg.
Great, thanks for testing and letting me know.
greg k-h
On 16 March 2018 at 20:52, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Results from Linaro’s test farm. No regressions on arm64 and arm.
NOTE: CONFIG_LEGACY_VSYSCALL_EMULATE=y is enabled from config as default. Enabled vsyscall=native and vsyscall=none from kernel command line for testing selftests/x86/test_vsyscall test case on x86_64 and qemu_x86_64.
test_vdso_64 failed on x86_64 device when vsyscall=none is enabled. We will investigate this new test failure.
Summary ------------------------------------------------------------------------
kernel: 4.4.122-rc1 git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git git branch: linux-4.4.y git commit: d7facaec9c1eb3d2703ce89b2ab81207eb7a4e6c git describe: v4.4.121-64-gd7facaec9c1e Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.121-64-...
No regressions (compared to build v4.4.121)
Boards, architectures and test suites: -------------------------------------
juno-r2 - arm64 * boot - pass: 20 * kselftest - skip: 29, pass: 34 * libhugetlbfs - skip: 1, pass: 90 * ltp-cap_bounds-tests - pass: 2 * ltp-containers-tests - skip: 53, pass: 28 * ltp-fcntl-locktests-tests - pass: 2 * ltp-filecaps-tests - pass: 2 * ltp-fs-tests - skip: 2, pass: 61 * ltp-fs_bind-tests - pass: 2 * ltp-fs_perms_simple-tests - pass: 19 * ltp-hugetlb-tests - pass: 22 * ltp-io-tests - pass: 3 * ltp-ipc-tests - pass: 9 * ltp-math-tests - pass: 11 * ltp-nptl-tests - pass: 2 * ltp-pty-tests - pass: 4 * ltp-sched-tests - skip: 4, pass: 10 * ltp-securebits-tests - pass: 4 * ltp-syscalls-tests - skip: 152, pass: 998 * ltp-timers-tests - skip: 1, pass: 12
qemu_x86_64 * boot - pass: 22 * kselftest - skip: 33, pass: 47 * kselftest-vsyscall-mode-native - skip: 33, pass: 47 * kselftest-vsyscall-mode-none - skip: 33, pass: 47 * libhugetlbfs - skip: 1, pass: 90 * ltp-cap_bounds-tests - pass: 2 * ltp-containers-tests - skip: 17, pass: 64 * ltp-fcntl-locktests-tests - pass: 2 * ltp-filecaps-tests - pass: 2 * ltp-fs-tests - skip: 6, pass: 57 * ltp-fs_bind-tests - pass: 2 * ltp-fs_perms_simple-tests - pass: 19 * ltp-fsx-tests - pass: 2 * ltp-hugetlb-tests - pass: 22 * ltp-io-tests - pass: 3 * ltp-ipc-tests - pass: 9 * ltp-math-tests - pass: 11 * ltp-nptl-tests - pass: 2 * ltp-pty-tests - pass: 4 * ltp-sched-tests - skip: 1, pass: 13 * ltp-securebits-tests - pass: 4 * ltp-syscalls-tests - skip: 149, pass: 1001 * ltp-timers-tests - skip: 1, pass: 12
x15 - arm * boot - pass: 20 * kselftest - skip: 29, pass: 33 * libhugetlbfs - skip: 1, pass: 87 * ltp-cap_bounds-tests - pass: 2 * ltp-containers-tests - skip: 17, pass: 64 * ltp-fcntl-locktests-tests - pass: 2 * ltp-filecaps-tests - pass: 2 * ltp-fs-tests - skip: 2, pass: 61 * ltp-fs_bind-tests - pass: 2 * ltp-fs_perms_simple-tests - pass: 19 * ltp-fsx-tests - pass: 2 * ltp-hugetlb-tests - skip: 2, pass: 20 * ltp-io-tests - pass: 3 * ltp-ipc-tests - pass: 9 * ltp-math-tests - pass: 11 * ltp-nptl-tests - pass: 2 * ltp-pty-tests - pass: 4 * ltp-sched-tests - skip: 1, pass: 13 * ltp-securebits-tests - pass: 4 * ltp-syscalls-tests - skip: 98, pass: 1052 * ltp-timers-tests - skip: 1, pass: 12
x86_64 * boot - pass: 22 * kselftest - skip: 31, fail: 1, pass: 48 * kselftest-vsyscall-mode-native - skip: 31, fail: 1, pass: 48 * kselftest-vsyscall-mode-none - skip: 31, fail: 2, pass: 46 * libhugetlbfs - skip: 1, pass: 90 * ltp-cap_bounds-tests - pass: 2 * ltp-containers-tests - skip: 17, pass: 64 * ltp-fcntl-locktests-tests - pass: 2 * ltp-filecaps-tests - pass: 2 * ltp-fs-tests - skip: 1, pass: 62 * ltp-fs_bind-tests - pass: 2 * ltp-fs_perms_simple-tests - pass: 19 * ltp-fsx-tests - pass: 2 * ltp-hugetlb-tests - pass: 22 * ltp-io-tests - pass: 3 * ltp-ipc-tests - pass: 9 * ltp-math-tests - pass: 11 * ltp-nptl-tests - pass: 2 * ltp-pty-tests - pass: 4 * ltp-sched-tests - skip: 5, pass: 9 * ltp-securebits-tests - pass: 4 * ltp-syscalls-tests - skip: 120, pass: 1030 * ltp-timers-tests - skip: 1, pass: 12
Hikey test results,
Summary ------------------------------------------------------------------------
kernel: 4.4.122-rc1 git repo: https://git.linaro.org/lkft/arm64-stable-rc.git git tag: 4.4.122-rc1-hikey-20180316-150 git commit: f4e336912f0cb6dc3a56a014c5f495b37099d067 git describe: 4.4.122-rc1-hikey-20180316-150 Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.1...
No regressions (compared to build 4.4.121-rc1-hikey-20180310-148)
Boards, architectures and test suites: -------------------------------------
hi6220-hikey - arm64 * boot - pass: 20 * kselftest - skip: 32, pass: 31 * libhugetlbfs - skip: 1, pass: 90 * ltp-cap_bounds-tests - pass: 2 * ltp-containers-tests - skip: 53, pass: 28 * ltp-fcntl-locktests-tests - pass: 2 * ltp-filecaps-tests - pass: 2 * ltp-fs-tests - skip: 2, pass: 61 * ltp-fs_bind-tests - pass: 2 * ltp-fs_perms_simple-tests - pass: 19 * ltp-fsx-tests - pass: 2 * ltp-hugetlb-tests - skip: 1, pass: 21 * ltp-io-tests - pass: 3 * ltp-ipc-tests - pass: 9 * ltp-math-tests - pass: 11 * ltp-nptl-tests - pass: 2 * ltp-pty-tests - pass: 4 * ltp-sched-tests - skip: 4, pass: 10 * ltp-securebits-tests - pass: 4 * ltp-syscalls-tests - skip: 154, pass: 996 * ltp-timers-tests - skip: 1, pass: 12
-- Linaro QA (beta) https://qa-reports.linaro.org
On 17 March 2018 at 15:41, Naresh Kamboju naresh.kamboju@linaro.org wrote:
On 16 March 2018 at 20:52, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Results from Linaro’s test farm. No regressions on arm64 and arm.
No regressions on arm64, arm, qemu_x86_64 and x86_64.
* test_vdso_64 test failure on x86_64(vsyscall=none) is not a blocker for rc.
NOTE: CONFIG_LEGACY_VSYSCALL_EMULATE=y is enabled from config as default. Enabled vsyscall=native and vsyscall=none from kernel command line for testing selftests/x86/test_vsyscall test case on x86_64 and qemu_x86_64.
test_vdso_64 failed on x86_64 device when vsyscall=none is enabled. We will investigate this new test failure.
Summary
kernel: 4.4.122-rc1 git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git git branch: linux-4.4.y git commit: d7facaec9c1eb3d2703ce89b2ab81207eb7a4e6c git describe: v4.4.121-64-gd7facaec9c1e Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.4-oe/build/v4.4.121-64-...
No regressions (compared to build v4.4.121)
Boards, architectures and test suites:
juno-r2 - arm64
- boot - pass: 20
- kselftest - skip: 29, pass: 34
- libhugetlbfs - skip: 1, pass: 90
- ltp-cap_bounds-tests - pass: 2
- ltp-containers-tests - skip: 53, pass: 28
- ltp-fcntl-locktests-tests - pass: 2
- ltp-filecaps-tests - pass: 2
- ltp-fs-tests - skip: 2, pass: 61
- ltp-fs_bind-tests - pass: 2
- ltp-fs_perms_simple-tests - pass: 19
- ltp-hugetlb-tests - pass: 22
- ltp-io-tests - pass: 3
- ltp-ipc-tests - pass: 9
- ltp-math-tests - pass: 11
- ltp-nptl-tests - pass: 2
- ltp-pty-tests - pass: 4
- ltp-sched-tests - skip: 4, pass: 10
- ltp-securebits-tests - pass: 4
- ltp-syscalls-tests - skip: 152, pass: 998
- ltp-timers-tests - skip: 1, pass: 12
qemu_x86_64
- boot - pass: 22
- kselftest - skip: 33, pass: 47
- kselftest-vsyscall-mode-native - skip: 33, pass: 47
- kselftest-vsyscall-mode-none - skip: 33, pass: 47
- libhugetlbfs - skip: 1, pass: 90
- ltp-cap_bounds-tests - pass: 2
- ltp-containers-tests - skip: 17, pass: 64
- ltp-fcntl-locktests-tests - pass: 2
- ltp-filecaps-tests - pass: 2
- ltp-fs-tests - skip: 6, pass: 57
- ltp-fs_bind-tests - pass: 2
- ltp-fs_perms_simple-tests - pass: 19
- ltp-fsx-tests - pass: 2
- ltp-hugetlb-tests - pass: 22
- ltp-io-tests - pass: 3
- ltp-ipc-tests - pass: 9
- ltp-math-tests - pass: 11
- ltp-nptl-tests - pass: 2
- ltp-pty-tests - pass: 4
- ltp-sched-tests - skip: 1, pass: 13
- ltp-securebits-tests - pass: 4
- ltp-syscalls-tests - skip: 149, pass: 1001
- ltp-timers-tests - skip: 1, pass: 12
x15 - arm
- boot - pass: 20
- kselftest - skip: 29, pass: 33
- libhugetlbfs - skip: 1, pass: 87
- ltp-cap_bounds-tests - pass: 2
- ltp-containers-tests - skip: 17, pass: 64
- ltp-fcntl-locktests-tests - pass: 2
- ltp-filecaps-tests - pass: 2
- ltp-fs-tests - skip: 2, pass: 61
- ltp-fs_bind-tests - pass: 2
- ltp-fs_perms_simple-tests - pass: 19
- ltp-fsx-tests - pass: 2
- ltp-hugetlb-tests - skip: 2, pass: 20
- ltp-io-tests - pass: 3
- ltp-ipc-tests - pass: 9
- ltp-math-tests - pass: 11
- ltp-nptl-tests - pass: 2
- ltp-pty-tests - pass: 4
- ltp-sched-tests - skip: 1, pass: 13
- ltp-securebits-tests - pass: 4
- ltp-syscalls-tests - skip: 98, pass: 1052
- ltp-timers-tests - skip: 1, pass: 12
x86_64
- boot - pass: 22
- kselftest - skip: 31, fail: 1, pass: 48
- kselftest-vsyscall-mode-native - skip: 31, fail: 1, pass: 48
- kselftest-vsyscall-mode-none - skip: 31, fail: 2, pass: 46
- libhugetlbfs - skip: 1, pass: 90
- ltp-cap_bounds-tests - pass: 2
- ltp-containers-tests - skip: 17, pass: 64
- ltp-fcntl-locktests-tests - pass: 2
- ltp-filecaps-tests - pass: 2
- ltp-fs-tests - skip: 1, pass: 62
- ltp-fs_bind-tests - pass: 2
- ltp-fs_perms_simple-tests - pass: 19
- ltp-fsx-tests - pass: 2
- ltp-hugetlb-tests - pass: 22
- ltp-io-tests - pass: 3
- ltp-ipc-tests - pass: 9
- ltp-math-tests - pass: 11
- ltp-nptl-tests - pass: 2
- ltp-pty-tests - pass: 4
- ltp-sched-tests - skip: 5, pass: 9
- ltp-securebits-tests - pass: 4
- ltp-syscalls-tests - skip: 120, pass: 1030
- ltp-timers-tests - skip: 1, pass: 12
Hikey test results,
Summary
kernel: 4.4.122-rc1 git repo: https://git.linaro.org/lkft/arm64-stable-rc.git git tag: 4.4.122-rc1-hikey-20180316-150 git commit: f4e336912f0cb6dc3a56a014c5f495b37099d067 git describe: 4.4.122-rc1-hikey-20180316-150 Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.1...
No regressions (compared to build 4.4.121-rc1-hikey-20180310-148)
Boards, architectures and test suites:
hi6220-hikey - arm64
- boot - pass: 20
- kselftest - skip: 32, pass: 31
- libhugetlbfs - skip: 1, pass: 90
- ltp-cap_bounds-tests - pass: 2
- ltp-containers-tests - skip: 53, pass: 28
- ltp-fcntl-locktests-tests - pass: 2
- ltp-filecaps-tests - pass: 2
- ltp-fs-tests - skip: 2, pass: 61
- ltp-fs_bind-tests - pass: 2
- ltp-fs_perms_simple-tests - pass: 19
- ltp-fsx-tests - pass: 2
- ltp-hugetlb-tests - skip: 1, pass: 21
- ltp-io-tests - pass: 3
- ltp-ipc-tests - pass: 9
- ltp-math-tests - pass: 11
- ltp-nptl-tests - pass: 2
- ltp-pty-tests - pass: 4
- ltp-sched-tests - skip: 4, pass: 10
- ltp-securebits-tests - pass: 4
- ltp-syscalls-tests - skip: 154, pass: 996
- ltp-timers-tests - skip: 1, pass: 12
-- Linaro QA (beta) https://qa-reports.linaro.org
On Sat, Mar 17, 2018 at 03:51:14PM +0530, Naresh Kamboju wrote:
On 17 March 2018 at 15:41, Naresh Kamboju naresh.kamboju@linaro.org wrote:
On 16 March 2018 at 20:52, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.122-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Results from Linaro’s test farm. No regressions on arm64 and arm.
No regressions on arm64, arm, qemu_x86_64 and x86_64.
Thanks for testing and letting me know.
greg k-h
On 03/16/2018 08:22 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.122 release. There are 63 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Sun Mar 18 15:22:41 UTC 2018. Anything received after that time might be too late.
Build results: total: 145 pass: 145 fail: 0 Qemu test results: total: 127 pass: 127 fail: 0
Details are available at http://kerneltests.org/builders.
Guenter
linux-stable-mirror@lists.linaro.org