[PATCH 12/12] net: mediatek: remove superfluous queue wake up call
The code checks if the queue should be stopped because we are below the
threshold of free descriptors only to check if it should be started again.
If we do end up in a state where we are at the threshold limit, it makes
more sense to just stop the queue and wait for the next IRQ to trigger the
TX housekeeping again. There is no rush in enqueuing the next packet, it
needs to wait for all the others in the queue to be dispatched first
anyway.
Signed-off-by: John Crispin
---
drivers/net/ethernet/mediatek/mtk_eth_soc.c |7 ++-
1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 40d3cfd..ebfca7d 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -764,12 +764,9 @@ static int mtk_start_xmit(struct sk_buff *skb, struct
net_device *dev)
if (mtk_tx_map(skb, dev, tx_num, ring, gso) < 0)
goto drop;
- if (unlikely(atomic_read(&ring->free_count) <= ring->thresh)) {
+ if (unlikely(atomic_read(&ring->free_count) <= ring->thresh))
mtk_stop_queue(eth);
- if (unlikely(atomic_read(&ring->free_count) >
-ring->thresh))
- mtk_wake_queue(eth);
- }
+
spin_unlock_irqrestore(ð->page_lock, flags);
return NETDEV_TX_OK;
--
1.7.10.4
[PATCH 11/12] net: mediatek: only wake the queue if it is stopped
The current code unconditionally wakes up the queue at the end of each
tx_poll action. Change the code to only wake up the queues if any of
them have actually been stopped before.
Signed-off-by: John Crispin
---
drivers/net/ethernet/mediatek/mtk_eth_soc.c | 17 -
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index 6daf48b..40d3cfd 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -685,6 +685,20 @@ static inline int mtk_cal_txd_req(struct sk_buff *skb)
return nfrags;
}
+static int mtk_queue_stopped(struct mtk_eth *eth)
+{
+ int i;
+
+ for (i = 0; i < MTK_MAC_COUNT; i++) {
+ if (!eth->netdev[i])
+ continue;
+ if (netif_queue_stopped(eth->netdev[i]))
+ return 1;
+ }
+
+ return 0;
+}
+
static void mtk_wake_queue(struct mtk_eth *eth)
{
int i;
@@ -929,7 +943,8 @@ static int mtk_poll_tx(struct mtk_eth *eth, int budget,
bool *tx_again)
if (!total)
return 0;
- if (atomic_read(&ring->free_count) > ring->thresh)
+ if (mtk_queue_stopped(eth) &&
+ (atomic_read(&ring->free_count) > ring->thresh))
mtk_wake_queue(eth);
return total;
--
1.7.10.4
[PATCH 10/12] net: mediatek: fix off by one in the TX ring allocation
The TX ring setup has an off by one error causing it to not utilise all descriptors. This has the side effect that we need to reset the next pointer at runtime to make it work. Fix the off by one and remove the code fixing the ring at runtime. Signed-off-by: John Crispin --- drivers/net/ethernet/mediatek/mtk_eth_soc.c |3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c index 24714ab..6daf48b 100644 --- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c +++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c @@ -903,7 +903,6 @@ static int mtk_poll_tx(struct mtk_eth *eth, int budget, bool *tx_again) } mtk_tx_unmap(eth->dev, tx_buf); - ring->last_free->txd2 = next_cpu; ring->last_free = desc; atomic_inc(&ring->free_count); @@ -1011,7 +1010,7 @@ static int mtk_tx_alloc(struct mtk_eth *eth) atomic_set(&ring->free_count, MTK_DMA_SIZE - 2); ring->next_free = &ring->dma[0]; - ring->last_free = &ring->dma[MTK_DMA_SIZE - 2]; + ring->last_free = &ring->dma[MTK_DMA_SIZE - 1]; ring->thresh = MAX_SKB_FRAGS; /* make sure that all changes to the dma ring are flushed before we -- 1.7.10.4
Re: [PATCH v7 0/4] i2c-smbus: add support for HOST NOTIFY
Hi Benjamin, > this is mostly a resubmission of the v6 with the acks, tested-by and few typos > here and there. I actually reviewed v6 but got an NMI so writing the mails fell through the cracks :( Sorry about that! Good news is that the code is fine from my point of view, some documentation updates I'd request. After updating those, I will pick up the core patches right away. Note that while the i801 patch looks good to me, I need Jean's review here. There are other patches pending for i801, that needs to be coordinated by him. Thanks, Wolfram signature.asc Description: PGP signature
Re: [PATCH v7 1/4] i2c: add a protocol parameter to the alert callback
On Tue, May 31, 2016 at 12:03:02PM +0200, Benjamin Tissoires wrote: > .alert() is meant to be generic, but there is currently no way > for the device driver to know which protocol generated the alert. > Add a parameter in .alert() to help the device driver to understand > what is given in data. > > This patch is required to have the support of SMBus Host Notify protocol > through .alert(). > > Tested-by: Andrew Duggan signature.asc Description: PGP signature
Re: [PATCH v7 2/4] i2c-smbus: add SMBus Host Notify support
> diff --git a/Documentation/i2c/smbus-protocol
> b/Documentation/i2c/smbus-protocol
> index 6012b12..4e07848 100644
> --- a/Documentation/i2c/smbus-protocol
> +++ b/Documentation/i2c/smbus-protocol
> @@ -199,6 +199,9 @@ alerting device's address.
>
> [S] [HostAddr] [Wr] A [DevAddr] A [DataLow] A [DataHigh] A [P]
>
> +I2C drivers for devices which can trigger SMBus Host Notify should implement
> +the optional alert() callback.
> +
I'd like a similar "This is implemented the following way in the Linux
kernel:" paragraph here as in the alert section. The item what bus
drivers should do is missing.
> + if (host_notify->pending) {
> + spin_unlock_irqrestore(&host_notify->lock, flags);
> + dev_warn(&adapter->dev, "Host Notify already scheduled.\n");
> + return -EFAULT;
Very minor nit: -EBUSY?
> +#if defined(CONFIG_I2C_SMBUS) || defined(CONFIG_I2C_SMBUS_MODULE)
IS_ENABLED()?
signature.asc
Description: PGP signature
Re: [PATCH v7 3/4] i2c: i801: add support of Host Notify
On Tue, May 31, 2016 at 12:03:04PM +0200, Benjamin Tissoires wrote: > The i801 chip can handle the Host Notify feature since ICH 3 as mentioned > in > http://www.intel.com/content/dam/doc/datasheet/82801ca-io-controller-hub-3-datasheet.pdf > > Enable the functionality unconditionally and propagate the alert > on each notification. > > With a T440s and a Synaptics touchpad that implements Host Notify, the > payload data is always 0x, so I am not sure if the device actually > sends the payload or if there is a problem regarding the implementation. > > Tested-by: Andrew Duggan > Signed-off-by: Benjamin Tissoires Did some high level review. Did not dig into datasheets. Acked-by: Wolfram Sang signature.asc Description: PGP signature
Re: [PATCH 01/12] net: mediatek: fix DQL support
From: John Crispin
Date: Sun, 5 Jun 2016 08:32:54 +0200
> @@ -625,7 +625,16 @@ static int mtk_tx_map(struct sk_buff *skb, struct
> net_device *dev,
> WRITE_ONCE(itxd->txd3, (TX_DMA_SWC | TX_DMA_PLEN0(skb_headlen(skb)) |
> (!nr_frags * TX_DMA_LS0)));
>
> - netdev_sent_queue(dev, skb->len);
> + /* we have a single DMA ring so BQL needs to be updated for all devices
> + * sitting on this ring
> + */
> + for (i = 0; i < MTK_MAC_COUNT; i++) {
> + if (!eth->netdev[i])
> + continue;
> +
> + netdev_sent_queue(eth->netdev[i], skb->len);
> + }
> +
> skb_tx_timestamp(skb);
Sorry, this is very far from working.
You cannot asynchronously touch the DQL state of another netdevice.
You have to hold the TX lock of a queue while changing it's DQL state,
otherwise you'll corrupt the state.
This "loop over all possible devices on this DMA ring" is pretty
expensive for the problem you're trying to solve.
You'll have to find another way to fix this bug, which BTW I'm not too
clear about. The commit message doesn't explain sufficiently what the
actual problem is. "not deterministic" doesn't give enough details.
Re: [PATCH net-next 1/3] arm64: bpf: implement bpf_tail_call() helper
On 06/05/2016 01:46 AM, kbuild test robot wrote: Hi, [auto build test ERROR on net-next/master] url: https://github.com/0day-ci/linux/commits/Zi-Shen-Lim/arm64-bpf-implement-bpf_tail_call-helper/20160605-060435 config: arm64-defconfig (attached as .config) compiler: aarch64-linux-gnu-gcc (Debian 5.3.1-8) 5.3.1 20160205 reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree make.cross ARCH=arm64 All errors (new ones prefixed by >>): In file included from arch/arm64/net/bpf_jit_comp.c:21:0: include/linux/bpf.h: In function 'bpf_prog_get': include/linux/bpf.h:235:9: error: implicit declaration of function 'ERR_PTR' [-Werror=implicit-function-declaration] return ERR_PTR(-EOPNOTSUPP); ^ include/linux/bpf.h:235:9: warning: return makes pointer from integer without a cast [-Wint-conversion] In file included from include/linux/rwsem.h:17:0, from include/linux/mm_types.h:10, from include/linux/sched.h:27, from arch/arm64/include/asm/compat.h:25, from arch/arm64/include/asm/stat.h:23, from include/linux/stat.h:5, from include/linux/compat.h:12, from include/linux/filter.h:10, from arch/arm64/net/bpf_jit_comp.c:22: include/linux/err.h: At top level: include/linux/err.h:23:35: error: conflicting types for 'ERR_PTR' static inline void * __must_check ERR_PTR(long error) ^ In file included from arch/arm64/net/bpf_jit_comp.c:21:0: include/linux/bpf.h:235:9: note: previous implicit declaration of 'ERR_PTR' was here return ERR_PTR(-EOPNOTSUPP); ^ cc1: some warnings being treated as errors Looks like including linux/bpf.h at the very beginning causes issues when bpf syscall is disabled. We should probably just include linux/err.h from bpf.h.
[PATCH] mfd: max77620: Constify resources tables
These tables are never modified, so declare them as const.
Signed-off-by: Axel Lin
---
drivers/mfd/max77620.c | 8
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/mfd/max77620.c b/drivers/mfd/max77620.c
index 199d261..e831422 100644
--- a/drivers/mfd/max77620.c
+++ b/drivers/mfd/max77620.c
@@ -37,19 +37,19 @@
#include
#include
-static struct resource gpio_resources[] = {
+static const struct resource gpio_resources[] = {
DEFINE_RES_IRQ(MAX77620_IRQ_TOP_GPIO),
};
-static struct resource power_resources[] = {
+static const struct resource power_resources[] = {
DEFINE_RES_IRQ(MAX77620_IRQ_LBT_MBATLOW),
};
-static struct resource rtc_resources[] = {
+static const struct resource rtc_resources[] = {
DEFINE_RES_IRQ(MAX77620_IRQ_TOP_RTC),
};
-static struct resource thermal_resources[] = {
+static const struct resource thermal_resources[] = {
DEFINE_RES_IRQ(MAX77620_IRQ_LBT_TJALRM1),
DEFINE_RES_IRQ(MAX77620_IRQ_LBT_TJALRM2),
};
--
2.5.0
Free Gift
I intend to give to you a portion of my Wealth as a free-will financial donation to you. Respond now to partake. Regards. Bernard Arnault Philanthropic Email: bena12...@qq.com
RE: [PATCH v10 2/7] usb: mux: add generic code for dual role port mux
Hi > -Original Message- > From: linux-usb-ow...@vger.kernel.org [mailto:linux-usb- > ow...@vger.kernel.org] On Behalf Of Lu Baolu > Sent: Sunday, June 05, 2016 2:56 PM > To: Peter Chen > Cc: felipe.ba...@linux.intel.com; Mathias Nyman ; > Greg Kroah-Hartman ; Lee Jones > ; Heikki Krogerus ; > Liam Girdwood ; Mark Brown ; > linux-...@vger.kernel.org; linux-kernel@vger.kernel.org; Roger Quadros > > Subject: Re: [PATCH v10 2/7] usb: mux: add generic code for dual role port > mux > > Hi Peter, > > On 06/04/2016 10:28 AM, Peter Chen wrote: > > On Sat, Jun 04, 2016 at 12:06:06AM +0800, Lu Baolu wrote: > >>> from my point,it is a dual-role switch driver too, > >> No, it's not a dual-role switch driver, but a driver for USB port > multiplexing. > >> > >> One example of port multiplexing can be found in several Intel SOC > >> and PCH chips, inside of which, there are two independent USB > >> controllers: host and device. They might share a single port and this > >> port could be configured to route the line to one of these two > >> controllers. This patch introduced a generic framework for port mux > >> drivers. It aids the drivers to handle port mux by providing > >> interfaces to 1) register/unregister a mux device; 2) lookup the mux > device; and 3) switch the port. > >> > > For this case, I can't see it is different with dual-role switch. > > Port mux is part of dual role switch, but not the whole thing. > > Dual role switch includes at least below things: > - ID or type-C event detection > - port mux > - VBUS management > - start/stop host/device controllers > > An OTG/Dual-role framework can be used to keep all these things run > together with an internal state machine. But it's not duplicated with a > generic framework for port mux and the port mux drivers. > > > Your > > case is just like Renesas case, which uses two different drivers > > between peripheral and host[1]. > > In my case, the port mux devices are physical devices and they can be > controlled through GPIO pins or device registers. They are independent of > both peripheral and host controllers. > I also think current OTG/Dual role framework can support your case, if you find there is any limitation of it which can't meet your requirement, we should improve it, Roger also provide an example of dual role switch with USB3 based on his OTG core. > > >> Port multiplexing isn't equal to USB dual role. There are other cases > >> in today's systems. In several Intel PCH chips, there equips two USB > >> host controllers: ehci and xhci. The xhci USB2 ports are multiplexed > >> with ehci. This guarantees all USB ports work even running an old > version of OS which lacks of USB3 support. > >> In theory, we can create a driver for the port mux and switch the > >> ports between xhci and ehci, but that's silly, isn't it? Why not > >> always USB3?:-) > >> > >> Another case is xHCI debug capability. The xHCI host controller might > >> equip a unit for system debugging (refer to 7.6 of xHCI spec). The > >> debugging unit is independent of xhci host controller. But it shares > >> its port with xhci. Software could switch the port between xhci and > >> the debugging unit through the registers defined in xHCI spec. > >> > > Yes, above two are different with dual role switch. But in your code > > and Kconfig, it seems this framework is dedicated for dual-role. Eg: > > > > +menuconfig USB_PORTMUX > > + bool "USB dual role port MUX support" > > + help > > + Generic USB dual role port mux support. > > Above two cases are examples for port multiplexing, but I don't think we > need drivers for them. At this moment, this framework is only for dual > role port mux devices. > > > > > I think a general dual role port mux is necessary, it can be used to > > manage different dual-role switch method, eg > > Yes, I agree. > > > - ID pin > > - External connector through GPIO > > - SoC register > > - sysfs > > - type-C events > > ID pin and type-C events are the *reasons* which trigger the port mux > switch. Currently, on our platforms, gpio, registers and sysfs are methods > to control the mux. Those methods also can be mapped/added into OTG/dual role core framework. > > > > > But this code is better co-work with OTG/Dual-role framework, we'd > > better have only interface that the user can know which role for the > > current port. > > OTG/Dual-role framework and portmux framework are not overlapped. >From previous discussion, I still think this is a special dual role switch:) which should be covered by general OTG/dual role core(this core framework is target to support one port with both host and device capable by any HW/IC implementations). Li Jun > The sysfs interface shouldn't be overlapped as well. Say, I have a port > mux device and I have a driver for it. I am able to read the status of my > port mux device through sysfs. This is not part of OTG/Dual-role as far as > I can see. > > Best regards, > Lu Baolu > -- > To
[PATCH RESEND -trivial] init/Kconfig: Spelling s/compuation/computation/, double "the"
Signed-off-by: Geert Uytterhoeven --- Sent before on 2014-08-08. --- init/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/init/Kconfig b/init/Kconfig index f755a602d4a176e0..fa0ab926aa8a150a 100644 --- a/init/Kconfig +++ b/init/Kconfig @@ -851,7 +851,7 @@ config LOG_CPU_MAX_BUF_SHIFT used as it forces an exact (power of two) size of the ring buffer. The number of possible CPUs is used for this computation ignoring - hotplugging making the compuation optimal for the the worst case + hotplugging making the computation optimal for the worst case scenerio while allowing a simple algorithm to be used from bootup. Examples shift values and their meaning: -- 1.9.1
Re: [PATCH v10 2/7] usb: mux: add generic code for dual role port mux
Hi, On 06/05/2016 04:33 PM, Jun Li wrote: >> Port mux is part of dual role switch, but not the whole thing. >> > >> > Dual role switch includes at least below things: >> > - ID or type-C event detection >> > - port mux >> > - VBUS management >> > - start/stop host/device controllers >> > >> > An OTG/Dual-role framework can be used to keep all these things run >> > together with an internal state machine. But it's not duplicated with a >> > generic framework for port mux and the port mux drivers. >> > >>> > > Your >>> > > case is just like Renesas case, which uses two different drivers >>> > > between peripheral and host[1]. >> > >> > In my case, the port mux devices are physical devices and they can be >> > controlled through GPIO pins or device registers. They are independent of >> > both peripheral and host controllers. >> > > I also think current OTG/Dual role framework can support your case, if you > find there is any limitation of it which can't meet your requirement, we > should improve it, Roger also provide an example of dual role switch with > USB3 based on his OTG core. Why do we need an OTG framework to support a device driver? Is it something like a bus or class driver? Best regards, Lu Baolu
Re: [PATCH v2] ION: Sys_heap: Add cached pool to spead up cached buffer alloc
Hi Greg,
Can you take this patch?
Thanks
On 2016年05月24日 06:32, Laura Abbott wrote:
> On 05/18/2016 08:03 PM, Chen Feng wrote:
>> Add ion cached pool in system heap. This patch add a cached pool
>> in system heap. It has a great improvement of alloc for cached
>> buffer.
>>
>> With memory pressue alloc test 800MB in userspace used iontest.
>> The result avg is 577ms. Without patch it's avg is about 883ms.
>>
>> v1: Makes the cached buffer zeroed before going to pool
>> v2: Add cached param in pool to distinguish wheather need to flush
>> cache at a fresh alloc.
>> Rework the shrink function.
>>
>> Signed-off-by: Chen Feng
>> Signed-off-by: Xia Qing
>> Reviewed-by: Fu Jun
>
> Acked-by: Laura Abbott
>
>> ---
>> drivers/staging/android/ion/ion_page_pool.c | 10 +-
>> drivers/staging/android/ion/ion_priv.h| 5 +-
>> drivers/staging/android/ion/ion_system_heap.c | 183
>> +-
>> 3 files changed, 133 insertions(+), 65 deletions(-)
>>
>> diff --git a/drivers/staging/android/ion/ion_page_pool.c
>> b/drivers/staging/android/ion/ion_page_pool.c
>> index 1fe8016..2c5e5c5 100644
>> --- a/drivers/staging/android/ion/ion_page_pool.c
>> +++ b/drivers/staging/android/ion/ion_page_pool.c
>> @@ -30,8 +30,9 @@ static void *ion_page_pool_alloc_pages(struct
>> ion_page_pool *pool)
>>
>> if (!page)
>> return NULL;
>> -ion_pages_sync_for_device(NULL, page, PAGE_SIZE << pool->order,
>> -DMA_BIDIRECTIONAL);
>> +if (!pool->cached)
>> +ion_pages_sync_for_device(NULL, page, PAGE_SIZE << pool->order,
>> + DMA_BIDIRECTIONAL);
>> return page;
>> }
>>
>> @@ -147,7 +148,8 @@ int ion_page_pool_shrink(struct ion_page_pool *pool,
>> gfp_t gfp_mask,
>> return freed;
>> }
>>
>> -struct ion_page_pool *ion_page_pool_create(gfp_t gfp_mask, unsigned int
>> order)
>> +struct ion_page_pool *ion_page_pool_create(gfp_t gfp_mask, unsigned int
>> order,
>> + bool cached)
>> {
>> struct ion_page_pool *pool = kmalloc(sizeof(*pool), GFP_KERNEL);
>>
>> @@ -161,6 +163,8 @@ struct ion_page_pool *ion_page_pool_create(gfp_t
>> gfp_mask, unsigned int order)
>> pool->order = order;
>> mutex_init(&pool->mutex);
>> plist_node_init(&pool->list, order);
>> +if (cached)
>> +pool->cached = true;
>>
>> return pool;
>> }
>> diff --git a/drivers/staging/android/ion/ion_priv.h
>> b/drivers/staging/android/ion/ion_priv.h
>> index 0239883..f3cb8b4 100644
>> --- a/drivers/staging/android/ion/ion_priv.h
>> +++ b/drivers/staging/android/ion/ion_priv.h
>> @@ -360,6 +360,7 @@ void ion_carveout_free(struct ion_heap *heap,
>> ion_phys_addr_t addr,
>> * @gfp_mask:gfp_mask to use from alloc
>> * @order:order of pages in the pool
>> * @list:plist node for list of pools
>> + * @cached:it's cached pool or not
>> *
>> * Allows you to keep a pool of pre allocated pages to use from your heap.
>> * Keeping a pool of pages that is ready for dma, ie any cached mapping have
>> @@ -369,6 +370,7 @@ void ion_carveout_free(struct ion_heap *heap,
>> ion_phys_addr_t addr,
>> struct ion_page_pool {
>> int high_count;
>> int low_count;
>> +bool cached;
>> struct list_head high_items;
>> struct list_head low_items;
>> struct mutex mutex;
>> @@ -377,7 +379,8 @@ struct ion_page_pool {
>> struct plist_node list;
>> };
>>
>> -struct ion_page_pool *ion_page_pool_create(gfp_t gfp_mask, unsigned int
>> order);
>> +struct ion_page_pool *ion_page_pool_create(gfp_t gfp_mask, unsigned int
>> order,
>> + bool cached);
>> void ion_page_pool_destroy(struct ion_page_pool *);
>> struct page *ion_page_pool_alloc(struct ion_page_pool *);
>> void ion_page_pool_free(struct ion_page_pool *, struct page *);
>> diff --git a/drivers/staging/android/ion/ion_system_heap.c
>> b/drivers/staging/android/ion/ion_system_heap.c
>> index b69dfc7..32a0ebf 100644
>> --- a/drivers/staging/android/ion/ion_system_heap.c
>> +++ b/drivers/staging/android/ion/ion_system_heap.c
>> @@ -26,16 +26,18 @@
>> #include "ion.h"
>> #include "ion_priv.h"
>>
>> +#define NUM_ORDERS ARRAY_SIZE(orders)
>> +
>> static gfp_t high_order_gfp_flags = (GFP_HIGHUSER | __GFP_ZERO |
>> __GFP_NOWARN |
>> __GFP_NORETRY) & ~__GFP_RECLAIM;
>> static gfp_t low_order_gfp_flags = (GFP_HIGHUSER | __GFP_ZERO |
>> __GFP_NOWARN);
>> static const unsigned int orders[] = {8, 4, 0};
>> -static const int num_orders = ARRAY_SIZE(orders);
>> +
>> static int order_to_index(unsigned int order)
>> {
>> int i;
>>
>> -for (i = 0; i < num_orders; i++)
>> +for (i = 0; i < NUM_ORDERS; i++)
>> if (order == orders[i])
>> return i;
>> BUG();
>> @@ -49,47 +51,55 @@ static inline unsigned int order_to_size(int order)
>>
>> struct ion_system_heap {
>> struct ion_heap heap;
>> -struct ion_page_pool *pool
[PATCH v2] NFC: fdp: Detect errors from fdp_nci_create_conn()
drivers/nfc/fdp/fdp.c: In function ‘fdp_nci_patch_otp’:
drivers/nfc/fdp/fdp.c:373: warning: comparison is always false due to limited
range of data type
drivers/nfc/fdp/fdp.c: In function ‘fdp_nci_patch_ram’:
drivers/nfc/fdp/fdp.c:444: warning: comparison is always false due to limited
range of data type
fdp_nci_create_conn() may return a negative error code, which is
silently ignored by assigning it to a u8.
Change conn_id from u8 to int to fix this.
Fixes: a06347c04c13e380 ("NFC: Add Intel Fields Peak NFC solution driver")
Signed-off-by: Geert Uytterhoeven
---
fdp_nci_patch_otp() and fdp_nci_patch_ram() are almost identical.
Please merge them, or create a common helper.
v2:
- Rebased, updated, reworded.
---
drivers/nfc/fdp/fdp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nfc/fdp/fdp.c b/drivers/nfc/fdp/fdp.c
index e44a7a2f4061a10a..16427420b1a2aa25 100644
--- a/drivers/nfc/fdp/fdp.c
+++ b/drivers/nfc/fdp/fdp.c
@@ -353,7 +353,7 @@ static int fdp_nci_patch_otp(struct nci_dev *ndev)
{
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;
- u8 conn_id;
+ int conn_id;
int r = 0;
if (info->otp_version >= info->otp_patch_version)
@@ -424,7 +424,7 @@ static int fdp_nci_patch_ram(struct nci_dev *ndev)
{
struct fdp_nci_info *info = nci_get_drvdata(ndev);
struct device *dev = &info->phy->i2c_dev->dev;
- u8 conn_id;
+ int conn_id;
int r = 0;
if (info->ram_version >= info->ram_patch_version)
--
1.9.1
[PATCH] nfds: Fix NFSD_MDS_PR_KEY on 32-bit by adding ULL postfix
On 32-bit:
fs/nfsd/blocklayout.c: In function ‘nfsd4_block_get_device_info_scsi’:
fs/nfsd/blocklayout.c:337: warning: integer constant is too large for
‘long’ type
fs/nfsd/blocklayout.c:344: warning: integer constant is too large for
‘long’ type
fs/nfsd/blocklayout.c: In function ‘nfsd4_scsi_fence_client’:
fs/nfsd/blocklayout.c:385: warning: integer constant is too large for
‘long’ type
Add the missing "ULL" postfix to 64-bit constant NFSD_MDS_PR_KEY to fix
this.
Fixes: f99d4fbdae6765d0 ("nfsd: add SCSI layout support")
Signed-off-by: Geert Uytterhoeven
Reviewed-by: Christoph Hellwig
---
v2:
- Add Reviewed-by.
Despite Bruce's "Thanks, applying for 4.6.--b." on 2016-03-29, this
still hasn't made it into next-20160603.
---
fs/nfsd/blocklayout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c
index e55b5242614da7a9..31f3df193bdbb47b 100644
--- a/fs/nfsd/blocklayout.c
+++ b/fs/nfsd/blocklayout.c
@@ -290,7 +290,7 @@ out_free_buf:
return error;
}
-#define NFSD_MDS_PR_KEY0x0100
+#define NFSD_MDS_PR_KEY0x0100ULL
/*
* We use the client ID as a unique key for the reservations.
--
1.9.1
Re: [PATCH v2,3/5] dt-bindings: mtu3: add devicetree bindings
On Fri, 2016-06-03 at 15:34 +0200, Matthias Brugger wrote: > > On 31/05/16 07:52, Chunfeng Yun wrote: > > add a DT binding doc for MediaTek USB3 DRD driver > > > > Signed-off-by: Chunfeng Yun > > --- > > Documentation/devicetree/bindings/usb/mtu3.txt | 85 > > > > 1 file changed, 85 insertions(+) > > create mode 100644 Documentation/devicetree/bindings/usb/mtu3.txt > > > > diff --git a/Documentation/devicetree/bindings/usb/mtu3.txt > > b/Documentation/devicetree/bindings/usb/mtu3.txt > > new file mode 100644 > > index 000..571ae8b > > --- /dev/null > > +++ b/Documentation/devicetree/bindings/usb/mtu3.txt > > The file should be called mt8173-mtu3.txt to be in line with mt8173-xhci.txt > Ok, I will rename it > > > @@ -0,0 +1,85 @@ > > +The device node for Mediatek USB3.0 DRD controller > > + > > +Required properties: > > + - compatible : should be "mediatek,mt8173-mtu3" > > + - reg : specifies physical base address and size of the registers > > + - reg-names: should be "mac" for device IP and "ippc" for IP port control > > + - interrupts : interrupt used by the device IP > > + - power-domains : a phandle to USB power domain node to control USB's > > + mtcmos > > + - vusb33-supply : regulator of USB avdd3.3v > > + - clocks : a list of phandle + clock-specifier pairs, one for each > > + entry in clock-names > > + - clock-names : must contain "sys_ck" for clock of controller; > > + "wakeup_deb_p0" and "wakeup_deb_p1" are optional, they are > > + depends on "mediatek,enable-wakeup" > > + - phys : a list of phandle + phy specifier pairs > > + - dr_mode : should be one of "host", "peripheral" or "otg", > > + refer to usb/generic.txt > > + > > +Optional properties: > > + - #address-cells, #size-cells : should be '2' if the device has sub-nodes > > + with 'reg' property > > + - ranges : allows valid 1:1 translation between child's address space and > > + parent's address space > > + - extcon : external connector for vbus and idpin changes detection, needed > > + when supports dual-role mode. > > + - vbus-supply : reference to the VBUS regulator, needed when supports > > + dual-role mode. > > + - pinctl-names : a pinctrl state named "default" must be defined, > > + "id_float" and "id_ground" are optinal which depends on > > + "mediatek,enable-manual-drd" > > So pinctrl is optional, but if you put it, you need at least "default"? Yes, the first one is "default". > > Apart from that, DT maintainers prefer to have the binding patches at > the beginning of a series, so it's easier for them to not oversee any. > Ok. Thanks a lot. > Regards, > Matthias
[PATCH] rtc: efi: Fail probing if RTC reads don't work
While the EFI spec mandates an RTC, not every implementation actually adheres
to that rule (or can adhere to it - some systems just don't have an RTC).
For those, we really don't want to probe the EFI RTC driver at all, because if
we do we'd get a non-functional driver that does nothing useful but only spills
our kernel log with warnings.
Signed-off-by: Alexander Graf
---
drivers/rtc/rtc-efi.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/rtc/rtc-efi.c b/drivers/rtc/rtc-efi.c
index 96d3860..0130afd 100644
--- a/drivers/rtc/rtc-efi.c
+++ b/drivers/rtc/rtc-efi.c
@@ -259,6 +259,12 @@ static const struct rtc_class_ops efi_rtc_ops = {
static int __init efi_rtc_probe(struct platform_device *dev)
{
struct rtc_device *rtc;
+ efi_time_t eft;
+ efi_time_cap_t cap;
+
+ /* First check if the RTC is usable */
+ if (efi.get_time(&eft, &cap) != EFI_SUCCESS)
+ return -ENODEV;
rtc = devm_rtc_device_register(&dev->dev, "rtc-efi", &efi_rtc_ops,
THIS_MODULE);
--
1.8.5.6
[PATCH v2] fpga: FPGA_MGR_ZYNQ_FPGA should depend on HAS_DMA
If NO_DMA=y: ERROR: "bad_dma_ops" [drivers/fpga/zynq-fpga.ko] undefined! Add a dependency on HAS_DMA to fix this. Signed-off-by: Geert Uytterhoeven Reviewed-by: Moritz Fischer --- v2: - Add Reviewed-by, - Updated error message for recent kernels, - Submit to Greg, as requested by Alan. --- drivers/fpga/Kconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/fpga/Kconfig b/drivers/fpga/Kconfig index c9b9fdf6cfbbeb6d..d61410299ec0cf80 100644 --- a/drivers/fpga/Kconfig +++ b/drivers/fpga/Kconfig @@ -21,6 +21,7 @@ config FPGA_MGR_SOCFPGA config FPGA_MGR_ZYNQ_FPGA tristate "Xilinx Zynq FPGA" + depends on HAS_DMA help FPGA manager driver support for Xilinx Zynq FPGAs. -- 1.9.1
[PATCH 3.10 024/143] USB: serial: cp210x: Adding GE Healthcare Device ID
From: Martyn Welch
commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.
The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
Manufacturer ID of 0x1901 and Product ID of 0x0194.
Signed-off-by: Martyn Welch
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/cp210x.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 84b7704..a4003d4 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -164,6 +164,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
{ USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
{ USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
{ USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
{ USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
{ USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 000/143] 3.10.102-stable review
This is the start of the stable review cycle for the 3.10.102 release. All patches will be posted as a response to this one. If anyone has any issue with these being applied, please let me know. If anyone thinks some important patches are missing and should be added prior to the release, please report them quickly with their respective mainline commit IDs. Responses should be made by Sat Jun 11 11:48:43 CEST 2016. Anything received after that time might be too late. If someone wants a bit more time for a deeper review, please let me know. The whole patch series can be found in one patch at : https://kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.10.102-rc1.gz The shortlog and diffstat are appended below. Thanks, Willy === Aaro Koskinen (1): mtd: onenand: fix deadlock in onenand_block_markbad Adrian Hunter (1): mmc: mmc: Fix partition switch timeout for some eMMCs Al Viro (1): get_rock_ridge_filename(): handle malformed NM entries Alan Stern (1): HID: usbhid: fix inconsistent reset/resume/reset-resume behavior Alexey Khoroshilov (2): [media] usbvision-video: fix memory leak of alt_max_pkt_size usbvision: fix leak of usb_dev on failure paths in usbvision_probe() Andi Kleen (2): perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere asmlinkage, pnp: Make variables used from assembler code visible Andrey Gelman (1): Input: ads7846 - correct the value got from SPI Andy Lutomirski (1): x86/iopl: Fix iopl capability check on Xen PV Anton Blanchard (1): powerpc: scan_features() updates incorrect bits for REAL_LE Arnaldo Carvalho de Melo (1): net: Fix use after free in the recvmmsg exit path Arnd Bergmann (5): farsync: fix off-by-one bug in fst_add_one ath9k: fix buffer overrun for ar9287 ASoC: s3c24xx: use const snd_soc_component_driver pointer paride: make 'verbose' parameter an 'int' again lpfc: fix misleading indentation Aurelien Jacquiot (1): rapidio/rionet: fix deadlock on SMP Behan Webster (1): x86: LLVMLinux: Fix "incomplete type const struct x86cpu_device_id" Ben Hutchings (3): pipe: Fix buffer offset after partially failed read misc/bmp085: Enable building as a module atl2: Disable unimplemented scatter/gather feature Bill Sommerfeld (1): udp6: fix UDP/IPv6 encap resubmit path Bjorn Helgaas (1): PCI: Disable IO/MEM decoding for devices with non-compliant BARs Bj�rn Mork (3): USB: option: add "D-Link DWM-221 B1" device id cdc_ncm: toggle altsetting to force reset before setup qmi_wwan: add "D-Link DWM-221 B1" device id Borislav Petkov (1): perf stat: Document --detailed option Chanwoo Choi (1): serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios() Chris Friesen (1): route: do not cache fib route info on local routes with oif Dan Carpenter (1): EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() Dan Streetman (1): nbd: ratelimit error msgs after socket close David S. Miller (1): decnet: Do not build routes to devices without decnet private data. Diego Viola (1): net: jme: fix suspend/resume on JMC260 Dmitry Ivanov (1): nl80211: check netlink protocol in socket release notification Douglas Gilbert (1): sg: fix dxferp in from_to case Eric Wheeler (1): bcache: fix cache_set_flush() NULL pointer dereference on OOM Eryu Guan (1): ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() Florian Westphal (1): ipv6: re-enable fragment header matching in ipv6_find_hdr Gabriel Krisman Bertazi (1): ipr: Fix regression when loading firmware Geert Uytterhoeven (1): rtc: vr41xx: Wire up alarm_irq_enable Guenter Roeck (1): hwmon: (max) Return -ENODEV from max_read_channel if not instantiated Guillaume Nault (1): ppp: take reference on channels netns H. Peter Anvin (3): linux/const.h: Add _BITUL() and _BITULL() x86: Rename X86_CR4_RDWRGSFS to X86_CR4_FSGSBASE x86, processor-flags: Fix the datatypes and add bit number defines Haishuang Yan (2): ipv4: l2tp: fix a potential issue in l2tp_ip_recv ipv6: l2tp: fix a potential issue in l2tp_ip6_recv Hans de Goede (2): pwc: Add USB id for Philips Spc880nc webcam bttv: Width must be a multiple of 16 when capturing planar formats Helge Deller (2): parisc: Avoid function pointers for kernel exception routines parisc: Fix kernel crash with reversed copy_from_user() Herbert Xu (2): crypto: gcm - Fix rfc4543 decryption crash crypto: hash - Fix page length clamping in hash walk Ian Campbell (1): VSOCK: do not disconnect socket when peer has shutdown SEND only Ignat Korchagin (1): USB: usbip: fix potential out-of-bounds write Insu Yun (1): ipr: Fix out-of-bounds null overwrite Jasem Mutlaq (1): USB: serial: cp210x: add Straizona Focusers device ids Jes Sorensen (1): md/raid5: Compare apples to apples (or sectors to sectors) Jiri Slaby (2): Bluetooth: vhci: purge unhandled skbs tty: vt, return error when
[PATCH 3.10 048/143] Input: ims-pcu - sanity check against missing interfaces
From: Oliver Neukum
commit a0ad220c96692eda76b2e3fd7279f3dcd1d8a8ff upstream.
A malicious device missing interface can make the driver oops.
Add sanity checking.
Signed-off-by: Oliver Neukum
CC: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Willy Tarreau
---
drivers/input/misc/ims-pcu.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
index e204f26..77164dc 100644
--- a/drivers/input/misc/ims-pcu.c
+++ b/drivers/input/misc/ims-pcu.c
@@ -1433,6 +1433,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface
*intf, struct ims_pcu *pc
pcu->ctrl_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bMasterInterface0);
+ if (!pcu->ctrl_intf)
+ return -EINVAL;
alt = pcu->ctrl_intf->cur_altsetting;
pcu->ep_ctrl = &alt->endpoint[0].desc;
@@ -1440,6 +1442,8 @@ static int ims_pcu_parse_cdc_data(struct usb_interface
*intf, struct ims_pcu *pc
pcu->data_intf = usb_ifnum_to_if(pcu->udev,
union_desc->bSlaveInterface0);
+ if (!pcu->data_intf)
+ return -EINVAL;
alt = pcu->data_intf->cur_altsetting;
if (alt->desc.bNumEndpoints != 2) {
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 106/143] clk: versatile: sp810: support reentrance
From: Linus Walleij
commit ec7957a6aa0aaf981fb8356dc47a2cdd01cde03c upstream.
Despite care take to allocate clocks state containers the
SP810 driver actually just supports creating one instance:
all clocks registered for every instance will end up with the
exact same name and __clk_init() will fail.
Rename the timclken<0> .. timclken to sp810__
so every clock on every instance gets a unique name.
This is necessary for the RealView PBA8 which has two SP810
blocks: the second block will not register its clocks unless
every clock on every instance is unique and results in boot
logs like this:
[ cut here ]
WARNING: CPU: 0 PID: 0 at ../drivers/clk/versatile/clk-sp810.c:137
clk_sp810_of_setup+0x110/0x154()
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted
4.5.0-rc2-00030-g352718fc39f6-dirty #225
Hardware name: ARM RealView Machine (Device Tree Support)
[] (unwind_backtrace) from []
(show_stack+0x10/0x14)
[] (show_stack) from []
(dump_stack+0x84/0x9c)
[] (dump_stack) from []
(warn_slowpath_common+0x74/0xb0)
[] (warn_slowpath_common) from []
(warn_slowpath_null+0x1c/0x24)
[] (warn_slowpath_null) from []
(clk_sp810_of_setup+0x110/0x154)
[] (clk_sp810_of_setup) from []
(of_clk_init+0x12c/0x1c8)
[] (of_clk_init) from []
(time_init+0x20/0x2c)
[] (time_init) from []
(start_kernel+0x244/0x3c4)
[] (start_kernel) from [<7000807c>] (0x7000807c)
---[ end trace cb88537fdc8fa200 ]---
Cc: Michael Turquette
Cc: Pawel Moll
Fixes: 6e973d2c4385 "clk: vexpress: Add separate SP810 driver"
Signed-off-by: Linus Walleij
Signed-off-by: Stephen Boyd
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/clk/versatile/clk-sp810.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/versatile/clk-sp810.c
b/drivers/clk/versatile/clk-sp810.c
index b9e05bd..a21e2fa 100644
--- a/drivers/clk/versatile/clk-sp810.c
+++ b/drivers/clk/versatile/clk-sp810.c
@@ -141,6 +141,7 @@ void __init clk_sp810_of_setup(struct device_node *node)
const char *parent_names[2];
char name[12];
struct clk_init_data init;
+ static int instance;
int i;
if (!sp810) {
@@ -172,7 +173,7 @@ void __init clk_sp810_of_setup(struct device_node *node)
init.num_parents = ARRAY_SIZE(parent_names);
for (i = 0; i < ARRAY_SIZE(sp810->timerclken); i++) {
- snprintf(name, ARRAY_SIZE(name), "timerclken%d", i);
+ snprintf(name, sizeof(name), "sp810_%d_%d", instance, i);
sp810->timerclken[i].sp810 = sp810;
sp810->timerclken[i].channel = i;
@@ -184,5 +185,6 @@ void __init clk_sp810_of_setup(struct device_node *node)
}
of_clk_add_provider(node, clk_sp810_timerclken_of_get, sp810);
+ instance++;
}
CLK_OF_DECLARE(sp810, "arm,sp810", clk_sp810_of_setup);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 030/143] bttv: Width must be a multiple of 16 when capturing planar formats
From: Hans de Goede
commit 5c915c68763889f0183a1cc61c84bb228b60124a upstream.
On my bttv card "Hauppauge WinTV [card=10]" capturing in YV12 fmt at max
size results in a solid green rectangle being captured (all colors 0 in
YUV).
This turns out to be caused by max-width (924) not being a multiple of 16.
We've likely never hit this problem before since normally xawtv / tvtime,
etc. will prefer packed pixel formats. But when using a video card which
is using xf86-video-modesetting + glamor, only planar XVideo fmts are
available, and xawtv will chose a matching capture format to avoid needing
to do conversion, triggering the solid green window problem.
Cc: sta...@vger.kernel.org
Signed-off-by: Hans de Goede
Acked-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Willy Tarreau
---
drivers/media/pci/bt8xx/bttv-driver.c | 26 --
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/drivers/media/pci/bt8xx/bttv-driver.c
b/drivers/media/pci/bt8xx/bttv-driver.c
index e2633d9..aa4519e 100644
--- a/drivers/media/pci/bt8xx/bttv-driver.c
+++ b/drivers/media/pci/bt8xx/bttv-driver.c
@@ -2376,6 +2376,19 @@ static int bttv_g_fmt_vid_overlay(struct file *file,
void *priv,
return 0;
}
+static void bttv_get_width_mask_vid_cap(const struct bttv_format *fmt,
+ unsigned int *width_mask,
+ unsigned int *width_bias)
+{
+ if (fmt->flags & FORMAT_FLAGS_PLANAR) {
+ *width_mask = ~15; /* width must be a multiple of 16 pixels */
+ *width_bias = 8; /* nearest */
+ } else {
+ *width_mask = ~3; /* width must be a multiple of 4 pixels */
+ *width_bias = 2; /* nearest */
+ }
+}
+
static int bttv_try_fmt_vid_cap(struct file *file, void *priv,
struct v4l2_format *f)
{
@@ -2385,6 +2398,7 @@ static int bttv_try_fmt_vid_cap(struct file *file, void
*priv,
enum v4l2_field field;
__s32 width, height;
__s32 height2;
+ unsigned int width_mask, width_bias;
int rc;
fmt = format_by_fourcc(f->fmt.pix.pixelformat);
@@ -2417,9 +2431,9 @@ static int bttv_try_fmt_vid_cap(struct file *file, void
*priv,
width = f->fmt.pix.width;
height = f->fmt.pix.height;
+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
rc = limit_scaled_size_lock(fh, &width, &height, field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 0);
if (0 != rc)
@@ -2452,6 +2466,7 @@ static int bttv_s_fmt_vid_cap(struct file *file, void
*priv,
struct bttv_fh *fh = priv;
struct bttv *btv = fh->btv;
__s32 width, height;
+ unsigned int width_mask, width_bias;
enum v4l2_field field;
retval = bttv_switch_type(fh, f->type);
@@ -2466,9 +2481,10 @@ static int bttv_s_fmt_vid_cap(struct file *file, void
*priv,
height = f->fmt.pix.height;
field = f->fmt.pix.field;
+ fmt = format_by_fourcc(f->fmt.pix.pixelformat);
+ bttv_get_width_mask_vid_cap(fmt, &width_mask, &width_bias);
retval = limit_scaled_size_lock(fh, &width, &height, f->fmt.pix.field,
- /* width_mask: 4 pixels */ ~3,
- /* width_bias: nearest */ 2,
+ width_mask, width_bias,
/* adjust_size */ 1,
/* adjust_crop */ 1);
if (0 != retval)
@@ -2476,8 +2492,6 @@ static int bttv_s_fmt_vid_cap(struct file *file, void
*priv,
f->fmt.pix.field = field;
- fmt = format_by_fourcc(f->fmt.pix.pixelformat);
-
/* update our state informations */
fh->fmt = fmt;
fh->cap.field= f->fmt.pix.field;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 046/143] tracing: Fix trace_printk() to print when not using bprintk()
From: "Steven Rostedt (Red Hat)"
commit 3debb0a9ddb16526de8b456491b7db60114f7b5e upstream.
The trace_printk() code will allocate extra buffers if the compile detects
that a trace_printk() is used. To do this, the format of the trace_printk()
is saved to the __trace_printk_fmt section, and if that section is bigger
than zero, the buffers are allocated (along with a message that this has
happened).
If trace_printk() uses a format that is not a constant, and thus something
not guaranteed to be around when the print happens, the compiler optimizes
the fmt out, as it is not used, and the __trace_printk_fmt section is not
filled. This means the kernel will not allocate the special buffers needed
for the trace_printk() and the trace_printk() will not write anything to the
tracing buffer.
Adding a "__used" to the variable in the __trace_printk_fmt section will
keep it around, even though it is set to NULL. This will keep the string
from being printed in the debugfs/tracing/printk_formats section as it is
not needed.
Reported-by: Vlastimil Babka
Fixes: 07d777fe8c398 "tracing: Add percpu buffers for trace_printk()"
Cc: sta...@vger.kernel.org # v3.5+
Signed-off-by: Steven Rostedt
Signed-off-by: Willy Tarreau
---
include/linux/kernel.h | 6 +++---
kernel/trace/trace_printk.c | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/include/linux/kernel.h b/include/linux/kernel.h
index 341551c..5f4554b 100644
--- a/include/linux/kernel.h
+++ b/include/linux/kernel.h
@@ -557,7 +557,7 @@ do {
\
#define do_trace_printk(fmt, args...) \
do { \
- static const char *trace_printk_fmt \
+ static const char *trace_printk_fmt __used \
__attribute__((section("__trace_printk_fmt"))) =\
__builtin_constant_p(fmt) ? fmt : NULL; \
\
@@ -604,7 +604,7 @@ extern int __trace_puts(unsigned long ip, const char *str,
int size);
*/
#define trace_puts(str) ({ \
- static const char *trace_printk_fmt \
+ static const char *trace_printk_fmt __used \
__attribute__((section("__trace_printk_fmt"))) =\
__builtin_constant_p(str) ? str : NULL; \
\
@@ -624,7 +624,7 @@ extern void trace_dump_stack(int skip);
#define ftrace_vprintk(fmt, vargs) \
do { \
if (__builtin_constant_p(fmt)) {\
- static const char *trace_printk_fmt \
+ static const char *trace_printk_fmt __used \
__attribute__((section("__trace_printk_fmt"))) = \
__builtin_constant_p(fmt) ? fmt : NULL; \
\
diff --git a/kernel/trace/trace_printk.c b/kernel/trace/trace_printk.c
index a9077c1..fdb23e8 100644
--- a/kernel/trace/trace_printk.c
+++ b/kernel/trace/trace_printk.c
@@ -272,6 +272,9 @@ static int t_show(struct seq_file *m, void *v)
const char *str = *fmt;
int i;
+ if (!*fmt)
+ return 0;
+
seq_printf(m, "0x%lx : \"", *(unsigned long *)fmt);
/*
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 095/143] fbdev: da8xx-fb: fix videomodes of lcd panels
From: Sushaanth Srirangapathi
commit 713fced8d10fa1c759c8fb6bf9aaa681bae68cad upstream.
Commit 028cd86b794f4a ("video: da8xx-fb: fix the polarities of the
hsync/vsync pulse") fixes polarities of HSYNC/VSYNC pulse but
forgot to update known_lcd_panels[] which had sync values
according to old logic. This breaks LCD at least on DA850 EVM.
This patch fixes this issue and I have tested this for panel
"Sharp_LK043T1DG01" using DA850 EVM board.
Fixes: 028cd86b794f4a ("video: da8xx-fb: fix the polarities of the hsync/vsync
pulse")
Signed-off-by: Sushaanth Srirangapathi
Signed-off-by: Tomi Valkeinen
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/video/da8xx-fb.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/drivers/video/da8xx-fb.c b/drivers/video/da8xx-fb.c
index 0810939..b13bfb2 100644
--- a/drivers/video/da8xx-fb.c
+++ b/drivers/video/da8xx-fb.c
@@ -226,8 +226,7 @@ static struct fb_videomode known_lcd_panels[] = {
.lower_margin = 2,
.hsync_len = 0,
.vsync_len = 0,
- .sync = FB_SYNC_CLK_INVERT |
- FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+ .sync = FB_SYNC_CLK_INVERT,
},
/* Sharp LK043T1DG01 */
[1] = {
@@ -241,7 +240,7 @@ static struct fb_videomode known_lcd_panels[] = {
.lower_margin = 2,
.hsync_len = 41,
.vsync_len = 10,
- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+ .sync = 0,
.flag = 0,
},
[2] = {
@@ -256,7 +255,7 @@ static struct fb_videomode known_lcd_panels[] = {
.lower_margin = 10,
.hsync_len = 10,
.vsync_len = 10,
- .sync = FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
+ .sync = 0,
.flag = 0,
},
};
--
2.8.0.rc2.1.gbe9624a
linux-kernel@vger.kernel.org
From: Julia Lawall commit 1b669e713f277a4d4b3cec84e13d16544ac8286d upstream. & is no longer allowed in column 0, since Coccinelle 1.0.4. Signed-off-by: Julia Lawall Tested-by: Nishanth Menon Cc: sta...@vger.kernel.org Signed-off-by: Michal Marek Signed-off-by: Willy Tarreau --- scripts/coccinelle/iterators/use_after_iter.cocci | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/coccinelle/iterators/use_after_iter.cocci b/scripts/coccinelle/iterators/use_after_iter.cocci index 06284c5..93e37ff 100644 --- a/scripts/coccinelle/iterators/use_after_iter.cocci +++ b/scripts/coccinelle/iterators/use_after_iter.cocci @@ -123,7 +123,7 @@ list_remove_head(x,c,...) | sizeof(<+...c...+>) | -&c->member + &c->member | c = E | -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 060/143] sctp: lack the check for ports in sctp_v6_cmp_addr
From: Xin Long commit 40b4f0fd74e46c017814618d67ec9127ff20f157 upstream. As the member .cmp_addr of sctp_af_inet6, sctp_v6_cmp_addr should also check the port of addresses, just like sctp_v4_cmp_addr, cause it's invoked by sctp_cmp_addr_exact(). Now sctp_v6_cmp_addr just check the port when two addresses have different family, and lack the port check for two ipv6 addresses. that will make sctp_hash_cmp() cannot work well. so fix it by adding ports comparison in sctp_v6_cmp_addr(). Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Willy Tarreau --- net/sctp/ipv6.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index bee032a..10d3e28 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c @@ -520,6 +520,8 @@ static int sctp_v6_cmp_addr(const union sctp_addr *addr1, } return 0; } + if (addr1->v6.sin6_port != addr2->v6.sin6_port) + return 0; if (!ipv6_addr_equal(&addr1->v6.sin6_addr, &addr2->v6.sin6_addr)) return 0; /* If this is a linklocal address, compare the scope_id. */ -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 140/143] USB: serial: io_edgeport: fix memory leaks in probe error path
From: Johan Hovold
commit c8d62957d450cc1a22ce3242908709fe367ddc8e upstream.
URBs and buffers allocated in attach for Epic devices would never be
deallocated in case of a later probe error (e.g. failure to allocate
minor numbers) as disconnect is then never called.
Fix by moving deallocation to release and making sure that the
URBs are first unlinked.
Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Cc: stable # v2.6.31
Signed-off-by: Johan Hovold
Acked-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/io_edgeport.c | 17 ++---
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/serial/io_edgeport.c b/drivers/usb/serial/io_edgeport.c
index 1477e85..c574d312 100644
--- a/drivers/usb/serial/io_edgeport.c
+++ b/drivers/usb/serial/io_edgeport.c
@@ -2988,16 +2988,9 @@ static void edge_disconnect(struct usb_serial *serial)
{
struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
- /* stop reads and writes on all ports */
- /* free up our endpoint stuff */
if (edge_serial->is_epic) {
usb_kill_urb(edge_serial->interrupt_read_urb);
- usb_free_urb(edge_serial->interrupt_read_urb);
- kfree(edge_serial->interrupt_in_buffer);
-
usb_kill_urb(edge_serial->read_urb);
- usb_free_urb(edge_serial->read_urb);
- kfree(edge_serial->bulk_in_buffer);
}
}
@@ -3010,6 +3003,16 @@ static void edge_release(struct usb_serial *serial)
{
struct edgeport_serial *edge_serial = usb_get_serial_data(serial);
+ if (edge_serial->is_epic) {
+ usb_kill_urb(edge_serial->interrupt_read_urb);
+ usb_free_urb(edge_serial->interrupt_read_urb);
+ kfree(edge_serial->interrupt_in_buffer);
+
+ usb_kill_urb(edge_serial->read_urb);
+ usb_free_urb(edge_serial->read_urb);
+ kfree(edge_serial->bulk_in_buffer);
+ }
+
kfree(edge_serial);
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 053/143] sched/cputime: Fix steal time accounting vs. CPU hotplug
From: Thomas Gleixner
commit e9532e69b8d1d1284e8ecf8d2586de34aec61244 upstream.
On CPU hotplug the steal time accounting can keep a stale rq->prev_steal_time
value over CPU down and up. So after the CPU comes up again the delta
calculation in steal_account_process_tick() wreckages itself due to the
unsigned math:
u64 steal = paravirt_steal_clock(smp_processor_id());
steal -= this_rq()->prev_steal_time;
So if steal is smaller than rq->prev_steal_time we end up with an insane large
value which then gets added to rq->prev_steal_time, resulting in a permanent
wreckage of the accounting. As a consequence the per CPU stats in /proc/stat
become stale.
Nice trick to tell the world how idle the system is (100%) while the CPU is
100% busy running tasks. Though we prefer realistic numbers.
None of the accounting values which use a previous value to account for
fractions is reset at CPU hotplug time. update_rq_clock_task() has a sanity
check for prev_irq_time and prev_steal_time_rq, but that sanity check solely
deals with clock warps and limits the /proc/stat visible wreckage. The
prev_time values are still wrong.
Solution is simple: Reset rq->prev_*_time when the CPU is plugged in again.
Signed-off-by: Thomas Gleixner
Acked-by: Rik van Riel
Cc:
Cc: Frederic Weisbecker
Cc: Glauber Costa
Cc: Linus Torvalds
Cc: Peter Zijlstra
Fixes: commit 095c0aa83e52 "sched: adjust scheduler cpu power for stolen time"
Fixes: commit aa483808516c "sched: Remove irq time from available CPU power"
Fixes: commit e6e6685accfa "KVM guest: Steal time accounting"
Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1603041539490.3686@nanos
Signed-off-by: Ingo Molnar
Signed-off-by: Willy Tarreau
---
kernel/sched/core.c | 1 +
kernel/sched/sched.h | 13 +
2 files changed, 14 insertions(+)
diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index f234c84..655d611 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5217,6 +5217,7 @@ migration_call(struct notifier_block *nfb, unsigned long
action, void *hcpu)
case CPU_UP_PREPARE:
rq->calc_load_update = calc_load_update;
+ account_reset_rq(rq);
break;
case CPU_ONLINE:
diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
index dfa31d5..e7f4d55 100644
--- a/kernel/sched/sched.h
+++ b/kernel/sched/sched.h
@@ -1378,3 +1378,16 @@ static inline u64 irq_time_read(int cpu)
}
#endif /* CONFIG_64BIT */
#endif /* CONFIG_IRQ_TIME_ACCOUNTING */
+
+static inline void account_reset_rq(struct rq *rq)
+{
+#ifdef CONFIG_IRQ_TIME_ACCOUNTING
+ rq->prev_irq_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT
+ rq->prev_steal_time = 0;
+#endif
+#ifdef CONFIG_PARAVIRT_TIME_ACCOUNTING
+ rq->prev_steal_time_rq = 0;
+#endif
+}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 061/143] ipv6: re-enable fragment header matching in ipv6_find_hdr
From: Florian Westphal
commit 5d150a985520bbe3cb2aa1ceef24a7e32f20c15f upstream.
When ipv6_find_hdr is used to find a fragment header
(caller specifies target NEXTHDR_FRAGMENT) we erronously return
-ENOENT for all fragments with nonzero offset.
Before commit 9195bb8e381d, when target was specified, we did not
enter the exthdr walk loop as nexthdr == target so this used to work.
Now we do (so we can skip empty route headers). When we then stumble upon
a frag with nonzero frag_off we must return -ENOENT ("header not found")
only if the caller did not specifically request NEXTHDR_FRAGMENT.
This allows nfables exthdr expression to match ipv6 fragments, e.g. via
nft add rule ip6 filter input frag frag-off gt 0
Fixes: 9195bb8e381d ("ipv6: improve ipv6_find_hdr() to skip empty routing
headers")
Signed-off-by: Florian Westphal
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/ipv6/exthdrs_core.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/ipv6/exthdrs_core.c b/net/ipv6/exthdrs_core.c
index 51af9d0..f66c1b6 100644
--- a/net/ipv6/exthdrs_core.c
+++ b/net/ipv6/exthdrs_core.c
@@ -257,7 +257,11 @@ int ipv6_find_hdr(const struct sk_buff *skb, unsigned int
*offset,
*fragoff = _frag_off;
return hp->nexthdr;
}
- return -ENOENT;
+ if (!found)
+ return -ENOENT;
+ if (fragoff)
+ *fragoff = _frag_off;
+ break;
}
hdrlen = 8;
} else if (nexthdr == NEXTHDR_AUTH) {
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 124/143] packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
From: Mathias Krause
commit 309cf37fe2a781279b7675d4bb7173198e532867 upstream.
Because we miss to wipe the remainder of i->addr[] in packet_mc_add(),
pdiag_put_mclist() leaks uninitialized heap bytes via the
PACKET_DIAG_MCLIST netlink attribute.
Fix this by explicitly memset(0)ing the remaining bytes in i->addr[].
Fixes: eea68e2f1a00 ("packet: Report socket mclist info via diag module")
Signed-off-by: Mathias Krause
Cc: Eric W. Biederman
Cc: Pavel Emelyanov
Acked-by: Pavel Emelyanov
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/packet/af_packet.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 39fa339..2d454a2 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2997,6 +2997,7 @@ static int packet_mc_add(struct sock *sk, struct
packet_mreq_max *mreq)
i->ifindex = mreq->mr_ifindex;
i->alen = mreq->mr_alen;
memcpy(i->addr, mreq->mr_address, i->alen);
+ memset(i->addr + i->alen, 0, sizeof(i->addr) - i->alen);
i->count = 1;
i->next = po->mclist;
po->mclist = i;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 128/143] VSOCK: do not disconnect socket when peer has shutdown SEND only
From: Ian Campbell
commit dedc58e067d8c379a15a8a183c5db318201295bb upstream.
The peer may be expecting a reply having sent a request and then done a
shutdown(SHUT_WR), so tearing down the whole socket at this point seems
wrong and breaks for me with a client which does a SHUT_WR.
Looking at other socket family's stream_recvmsg callbacks doing a shutdown
here does not seem to be the norm and removing it does not seem to have
had any adverse effects that I can see.
I'm using Stefan's RFC virtio transport patches, I'm unsure of the impact
on the vmci transport.
Signed-off-by: Ian Campbell
Cc: "David S. Miller"
Cc: Stefan Hajnoczi
Cc: Claudio Imbrenda
Cc: Andy King
Cc: Dmitry Torokhov
Cc: Jorgen Hansen
Cc: Adit Ranadive
Cc: net...@vger.kernel.org
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
net/vmw_vsock/af_vsock.c | 21 +
1 file changed, 1 insertion(+), 20 deletions(-)
diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 9b88693..66a9bf5 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1804,27 +1804,8 @@ vsock_stream_recvmsg(struct kiocb *kiocb,
else if (sk->sk_shutdown & RCV_SHUTDOWN)
err = 0;
- if (copied > 0) {
- /* We only do these additional bookkeeping/notification steps
-* if we actually copied something out of the queue pair
-* instead of just peeking ahead.
-*/
-
- if (!(flags & MSG_PEEK)) {
- /* If the other side has shutdown for sending and there
-* is nothing more to read, then modify the socket
-* state.
-*/
- if (vsk->peer_shutdown & SEND_SHUTDOWN) {
- if (vsock_stream_has_data(vsk) <= 0) {
- sk->sk_state = SS_UNCONNECTED;
- sock_set_flag(sk, SOCK_DONE);
- sk->sk_state_change(sk);
- }
- }
- }
+ if (copied > 0)
err = copied;
- }
out_wait:
finish_wait(sk_sleep(sk), &wait);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 006/143] KVM: i8254: change PIT discard tick policy
From: Radim KrÄmáÅ
commit 7dd0fdff145c5be7146d0ac06732ae3613412ac1 upstream.
Discard policy uses ack_notifiers to prevent injection of PIT interrupts
before EOI from the last one.
This patch changes the policy to always try to deliver the interrupt,
which makes a difference when its vector is in ISR.
Old implementation would drop the interrupt, but proposed one injects to
IRR, like real hardware would.
The old policy breaks legacy NMI watchdogs, where PIT is used through
virtual wire (LVT0): PIT never sends an interrupt before receiving EOI,
thus a guest deadlock with disabled interrupts will stop NMIs.
Note that NMI doesn't do EOI, so PIT also had to send a normal interrupt
through IOAPIC. (KVM's PIT is deeply rotten and luckily not used much
in modern systems.)
Even though there is a chance of regressions, I think we can fix the
LVT0 NMI bug without introducing a new tick policy.
Cc:
Reported-by: Yuki Shibuya
Reviewed-by: Paolo Bonzini
Signed-off-by: Radim KrÄmáÅ
Signed-off-by: Paolo Bonzini
Signed-off-by: Willy Tarreau
---
arch/x86/kvm/i8254.c | 12 +++-
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/arch/x86/kvm/i8254.c b/arch/x86/kvm/i8254.c
index 1406ffd..b0a706d 100644
--- a/arch/x86/kvm/i8254.c
+++ b/arch/x86/kvm/i8254.c
@@ -244,7 +244,7 @@ static void kvm_pit_ack_irq(struct kvm_irq_ack_notifier
*kian)
* PIC is being reset. Handle it gracefully here
*/
atomic_inc(&ps->pending);
- else if (value > 0)
+ else if (value > 0 && ps->reinject)
/* in this case, we had multiple outstanding pit interrupts
* that we needed to inject. Reinject
*/
@@ -287,7 +287,9 @@ static void pit_do_work(struct kthread_work *work)
* last one has been acked.
*/
spin_lock(&ps->inject_lock);
- if (ps->irq_ack) {
+ if (!ps->reinject)
+ inject = 1;
+ else if (ps->irq_ack) {
ps->irq_ack = 0;
inject = 1;
}
@@ -316,10 +318,10 @@ static enum hrtimer_restart pit_timer_fn(struct hrtimer
*data)
struct kvm_kpit_state *ps = container_of(data, struct kvm_kpit_state,
timer);
struct kvm_pit *pt = ps->kvm->arch.vpit;
- if (ps->reinject || !atomic_read(&ps->pending)) {
+ if (ps->reinject)
atomic_inc(&ps->pending);
- queue_kthread_work(&pt->worker, &pt->expired);
- }
+
+ queue_kthread_work(&pt->worker, &pt->expired);
if (ps->is_periodic) {
hrtimer_add_expires_ns(&ps->timer, ps->period);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 076/143] usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer
From: Yoshihiro Shimoda
commit 6490865c67825277b29638e839850882600b48ec upstream.
This patch adds a code to surely disable TX IRQ of the pipe before
starting TX DMAC transfer. Otherwise, a lot of unnecessary TX IRQs
may happen in rare cases when DMAC is used.
Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
Cc: # v3.1+
Signed-off-by: Yoshihiro Shimoda
Signed-off-by: Felipe Balbi
Signed-off-by: Willy Tarreau
---
drivers/usb/renesas_usbhs/fifo.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/usb/renesas_usbhs/fifo.c b/drivers/usb/renesas_usbhs/fifo.c
index 540e688..157a9f9 100644
--- a/drivers/usb/renesas_usbhs/fifo.c
+++ b/drivers/usb/renesas_usbhs/fifo.c
@@ -934,6 +934,7 @@ static int usbhsf_dma_try_pop(struct usbhs_pkt *pkt, int
*is_done)
pkt->trans = len;
+ usbhsf_tx_irq_ctrl(pipe, 0);
INIT_WORK(&pkt->work, xfer_work);
schedule_work(&pkt->work);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 016/143] be2iscsi: set the boot_kset pointer to NULL in case of failure
From: Maurizio Lombardi commit 84bd64993f916bcf86270c67686ecf4cea7b8933 upstream. In beiscsi_setup_boot_info(), the boot_kset pointer should be set to NULL in case of failure otherwise an invalid pointer dereference may occur later. Cc: Signed-off-by: Maurizio Lombardi Reviewed-by: Johannes Thumshirn Reviewed-by: Jitendra Bhivare Signed-off-by: Martin K. Petersen Signed-off-by: Willy Tarreau --- drivers/scsi/be2iscsi/be_main.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c index bfe812f..a683a83 100644 --- a/drivers/scsi/be2iscsi/be_main.c +++ b/drivers/scsi/be2iscsi/be_main.c @@ -4040,6 +4040,7 @@ put_shost: scsi_host_put(phba->shost); free_kset: iscsi_boot_destroy_kset(phba->boot_kset); + phba->boot_kset = NULL; return -ENOMEM; } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 107/143] lpfc: fix misleading indentation
From: Arnd Bergmann
commit aeb6641f8ebdd61939f462a8255b316f9bfab707 upstream.
gcc-6 complains about the indentation of the lpfc_destroy_vport_work_array()
call in lpfc_online(), which clearly doesn't look right:
drivers/scsi/lpfc/lpfc_init.c: In function 'lpfc_online':
drivers/scsi/lpfc/lpfc_init.c:2880:3: warning: statement is indented as if it
were guarded by... [-Wmisleading-indentation]
lpfc_destroy_vport_work_array(phba, vports);
^
drivers/scsi/lpfc/lpfc_init.c:2863:2: note: ...this 'if' clause, but it is not
if (vports != NULL)
^~
Looking at the patch that introduced this code, it's clear that the
behavior is correct and the indentation is wrong.
This fixes the indentation and adds curly braces around the previous
if() block for clarity, as that is most likely what caused the code
to be misindented in the first place.
Signed-off-by: Arnd Bergmann
Fixes: 549e55cd2a1b ("[SCSI] lpfc 8.2.2 : Fix locking around HBA's port_list")
Reviewed-by: Sebastian Herbszt
Reviewed-by: Hannes Reinecke
Reviewed-by: Ewan D. Milne
Signed-off-by: Martin K. Petersen
Signed-off-by: Willy Tarreau
---
drivers/scsi/lpfc/lpfc_init.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
index cb465b2..e6e0679 100644
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -2684,7 +2684,7 @@ lpfc_online(struct lpfc_hba *phba)
}
vports = lpfc_create_vport_work_array(phba);
- if (vports != NULL)
+ if (vports != NULL) {
for (i = 0; i <= phba->max_vports && vports[i] != NULL; i++) {
struct Scsi_Host *shost;
shost = lpfc_shost_from_vport(vports[i]);
@@ -2701,7 +2701,8 @@ lpfc_online(struct lpfc_hba *phba)
}
spin_unlock_irq(shost->host_lock);
}
- lpfc_destroy_vport_work_array(phba, vports);
+ }
+ lpfc_destroy_vport_work_array(phba, vports);
lpfc_unblock_mgmt_io(phba);
return 0;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 132/143] ring-buffer: Use long for nr_pages to avoid overflow failures
From: "Steven Rostedt (Red Hat)"
commit 9b94a8fba501f38368aef6ac1b30e7335252a220 upstream.
The size variable to change the ring buffer in ftrace is a long. The
nr_pages used to update the ring buffer based on the size is int. On 64 bit
machines this can cause an overflow problem.
For example, the following will cause the ring buffer to crash:
# cd /sys/kernel/debug/tracing
# echo 10 > buffer_size_kb
# echo 8556384240 > buffer_size_kb
Then you get the warning of:
WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527
rb_update_pages+0x22f/0x260
Which is:
RB_WARN_ON(cpu_buffer, nr_removed);
Note each ring buffer page holds 4080 bytes.
This is because:
1) 10 causes the ring buffer to have 3 pages.
(10kb requires 3 * 4080 pages to hold)
2) (2^31 / 2^10 + 1) * 4080 = 8556384240
The value written into buffer_size_kb is shifted by 10 and then passed
to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760
3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE
which is 4080. 8761737461760 / 4080 = 2147484672
4) nr_pages is subtracted from the current nr_pages (3) and we get:
2147484669. This value is saved in a signed integer nr_pages_to_update
5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int
turns into the value of -2147482627
6) As the value is a negative number, in update_pages_handler() it is
negated and passed to rb_remove_pages() and 2147482627 pages will
be removed, which is much larger than 3 and it causes the warning
because not all the pages asked to be removed were removed.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001
Fixes: 7a8e76a3829f1 ("tracing: unified trace buffer")
Reported-by: Hao Qin
Signed-off-by: Steven Rostedt
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
kernel/trace/ring_buffer.c | 26 ++
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index cb73c4e..6f70235 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -463,7 +463,7 @@ struct ring_buffer_per_cpu {
raw_spinlock_t reader_lock;/* serialize readers */
arch_spinlock_t lock;
struct lock_class_key lock_key;
- unsigned intnr_pages;
+ unsigned long nr_pages;
struct list_head*pages;
struct buffer_page *head_page; /* read from head */
struct buffer_page *tail_page; /* write to tail */
@@ -483,7 +483,7 @@ struct ring_buffer_per_cpu {
u64 write_stamp;
u64 read_stamp;
/* ring buffer pages to update, > 0 to add, < 0 to remove */
- int nr_pages_to_update;
+ longnr_pages_to_update;
struct list_headnew_pages; /* new pages to add */
struct work_struct update_pages_work;
struct completion update_done;
@@ -1120,10 +1120,10 @@ static int rb_check_pages(struct ring_buffer_per_cpu
*cpu_buffer)
return 0;
}
-static int __rb_allocate_pages(int nr_pages, struct list_head *pages, int cpu)
+static int __rb_allocate_pages(long nr_pages, struct list_head *pages, int cpu)
{
- int i;
struct buffer_page *bpage, *tmp;
+ long i;
for (i = 0; i < nr_pages; i++) {
struct page *page;
@@ -1160,7 +1160,7 @@ free_pages:
}
static int rb_allocate_pages(struct ring_buffer_per_cpu *cpu_buffer,
-unsigned nr_pages)
+unsigned long nr_pages)
{
LIST_HEAD(pages);
@@ -1185,7 +1185,7 @@ static int rb_allocate_pages(struct ring_buffer_per_cpu
*cpu_buffer,
}
static struct ring_buffer_per_cpu *
-rb_allocate_cpu_buffer(struct ring_buffer *buffer, int nr_pages, int cpu)
+rb_allocate_cpu_buffer(struct ring_buffer *buffer, long nr_pages, int cpu)
{
struct ring_buffer_per_cpu *cpu_buffer;
struct buffer_page *bpage;
@@ -1284,8 +1284,9 @@ struct ring_buffer *__ring_buffer_alloc(unsigned long
size, unsigned flags,
struct lock_class_key *key)
{
struct ring_buffer *buffer;
+ long nr_pages;
int bsize;
- int cpu, nr_pages;
+ int cpu;
/* keep it in its own cache line */
buffer = kzalloc(ALIGN(sizeof(*buffer), cache_line_size()),
@@ -1408,12 +1409,12 @@ static inline unsigned long rb_page_write(struct
buffer_page *bpage)
}
static int
-rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
+rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned long nr_pages)
{
struct list_head *tail_page, *to_remove, *next_page;
struct buffer_page *to
[PATCH 3.10 105/143] nbd: ratelimit error msgs after socket close
From: Dan Streetman
commit da6ccaaa79caca4f38b540b651238f87215217a2 upstream.
Make the "Attempted send on closed socket" error messages generated in
nbd_request_handler() ratelimited.
When the nbd socket is shutdown, the nbd_request_handler() function emits
an error message for every request remaining in its queue. If the queue
is large, this will spam a large amount of messages to the log. There's
no need for a separate error message for each request, so this patch
ratelimits it.
In the specific case this was found, the system was virtual and the error
messages were logged to the serial port, which overwhelmed it.
Fixes: 4d48a542b427 ("nbd: fix I/O hang on disconnected nbds")
Signed-off-by: Dan Streetman
Signed-off-by: Markus Pargmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/block/nbd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index a5c987a..d593fa5 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -581,8 +581,8 @@ static void do_nbd_request(struct request_queue *q)
BUG_ON(nbd->magic != NBD_MAGIC);
if (unlikely(!nbd->sock)) {
- dev_err(disk_to_dev(nbd->disk),
- "Attempted send on closed socket\n");
+ dev_err_ratelimited(disk_to_dev(nbd->disk),
+ "Attempted send on closed
socket\n");
req->errors++;
nbd_end_request(req);
spin_lock_irq(q->queue_lock);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 143/143] serial: samsung: Reorder the sequence of clock control when call s3c24xx_serial_set_termios()
From: Chanwoo Choi
commit b8995f527aac143e83d3900ff39357651ea4e0f6 upstream.
This patch fixes the broken serial log when changing the clock source
of uart device. Before disabling the original clock source, this patch
enables the new clock source to protect the clock off state for a split second.
Signed-off-by: Chanwoo Choi
Reviewed-by: Marek Szyprowski
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/tty/serial/samsung.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
index b8366b1..921bf90 100644
--- a/drivers/tty/serial/samsung.c
+++ b/drivers/tty/serial/samsung.c
@@ -724,6 +724,8 @@ static void s3c24xx_serial_set_termios(struct uart_port
*port,
/* check to see if we need to change clock source */
if (ourport->baudclk != clk) {
+ clk_prepare_enable(clk);
+
s3c24xx_serial_setsource(port, clk_sel);
if (!IS_ERR(ourport->baudclk)) {
@@ -731,8 +733,6 @@ static void s3c24xx_serial_set_termios(struct uart_port
*port,
ourport->baudclk = ERR_PTR(-EINVAL);
}
- clk_prepare_enable(clk);
-
ourport->baudclk = clk;
ourport->baudclk_rate = clk ? clk_get_rate(clk) : 0;
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 134/143] mfd: omap-usb-tll: Fix scheduling while atomic BUG
From: Roger Quadros
commit b49b927f16acee626c56a1af4ab4cb062f75b5df upstream.
We shouldn't be calling clk_prepare_enable()/clk_prepare_disable()
in an atomic context.
Fixes the following issue:
[5.830970] ehci-omap: OMAP-EHCI Host Controller driver
[5.830974] driver_register 'ehci-omap'
[5.895849] driver_register 'wl1271_sdio'
[5.896870] BUG: scheduling while atomic: udevd/994/0x0002
[5.896876] 4 locks held by udevd/994:
[5.896904] #0: (&dev->mutex){..}, at: []
__driver_attach+0x60/0xac
[5.896923] #1: (&dev->mutex){..}, at: []
__driver_attach+0x70/0xac
[5.896946] #2: (tll_lock){+.+...}, at: []
omap_tll_enable+0x2c/0xd0
[5.896966] #3: (prepare_lock){+.+...}, at: []
clk_prepare_lock+0x48/0xe0
[5.897042] Modules linked in: wlcore_sdio(+) ehci_omap(+) dwc3_omap
snd_soc_ts3a225e leds_is31fl319x bq27xxx_battery_i2c tsc2007 bq27xxx_battery
bq2429x_charger ina2xx tca8418_keypad as5013 leds_tca6507 twl6040_vibra
gpio_twl6040 bmp085_i2c(+) palmas_gpadc usb3503 palmas_pwrbutton bmg160_i2c(+)
bmp085 bma150(+) bmg160_core bmp280 input_polldev snd_soc_omap_mcbsp
snd_soc_omap_mcpdm snd_soc_omap snd_pcm_dmaengine
[5.897048] Preemption disabled at:[< (null)>] (null)
[5.897051]
[5.897059] CPU: 0 PID: 994 Comm: udevd Not tainted 4.6.0-rc5-letux+ #233
[5.897062] Hardware name: Generic OMAP5 (Flattened Device Tree)
[5.897076] [] (unwind_backtrace) from []
(show_stack+0x10/0x14)
[5.897087] [] (show_stack) from []
(dump_stack+0x88/0xc0)
[5.897099] [] (dump_stack) from []
(__schedule_bug+0xac/0xd0)
[5.897111] [] (__schedule_bug) from []
(__schedule+0x88/0x7e4)
[5.897120] [] (__schedule) from [] (schedule+0x9c/0xc0)
[5.897129] [] (schedule) from []
(schedule_preempt_disabled+0x14/0x20)
[5.897140] [] (schedule_preempt_disabled) from []
(mutex_lock_nested+0x258/0x43c)
[5.897150] [] (mutex_lock_nested) from []
(clk_prepare_lock+0x48/0xe0)
[5.897160] [] (clk_prepare_lock) from []
(clk_prepare+0x10/0x28)
[5.897169] [] (clk_prepare) from []
(omap_tll_enable+0x64/0xd0)
[5.897180] [] (omap_tll_enable) from []
(usbhs_runtime_resume+0x18/0x17c)
[5.897192] [] (usbhs_runtime_resume) from []
(pm_generic_runtime_resume+0x2c/0x40)
[5.897202] [] (pm_generic_runtime_resume) from []
(__rpm_callback+0x38/0x68)
[5.897210] [] (__rpm_callback) from []
(rpm_callback+0x70/0x88)
[5.897218] [] (rpm_callback) from []
(rpm_resume+0x4ec/0x7ec)
[5.897227] [] (rpm_resume) from []
(__pm_runtime_resume+0x4c/0x64)
[5.897236] [] (__pm_runtime_resume) from []
(driver_probe_device+0x30/0x70)
[5.897246] [] (driver_probe_device) from []
(__driver_attach+0x88/0xac)
[5.897256] [] (__driver_attach) from []
(bus_for_each_dev+0x50/0x84)
[5.897267] [] (bus_for_each_dev) from []
(bus_add_driver+0xcc/0x1e4)
[5.897276] [] (bus_add_driver) from []
(driver_register+0xac/0xf4)
[5.897286] [] (driver_register) from []
(do_one_initcall+0x100/0x1b8)
[5.897296] [] (do_one_initcall) from []
(do_init_module+0x58/0x1c0)
[5.897304] [] (do_init_module) from []
(SyS_finit_module+0x88/0x90)
[5.897313] [] (SyS_finit_module) from []
(ret_fast_syscall+0x0/0x1c)
[5.912697] [ cut here ]
[5.912711] WARNING: CPU: 0 PID: 994 at kernel/sched/core.c:2996
_raw_spin_unlock+0x28/0x58
[5.912717] DEBUG_LOCKS_WARN_ON(val > preempt_count())
Reported-by: H. Nikolaus Schaller
Tested-by: H. Nikolaus Schaller
Signed-off-by: Roger Quadros
Signed-off-by: Lee Jones
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/mfd/omap-usb-tll.c | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/mfd/omap-usb-tll.c b/drivers/mfd/omap-usb-tll.c
index e59ac4c..c7576a5 100644
--- a/drivers/mfd/omap-usb-tll.c
+++ b/drivers/mfd/omap-usb-tll.c
@@ -269,6 +269,8 @@ static int usbtll_omap_probe(struct platform_device *pdev)
if (IS_ERR(tll->ch_clk[i]))
dev_dbg(dev, "can't get clock : %s\n", clkname);
+ else
+ clk_prepare(tll->ch_clk[i]);
}
pm_runtime_put_sync(dev);
@@ -301,9 +303,12 @@ static int usbtll_omap_remove(struct platform_device *pdev)
tll_dev = NULL;
spin_unlock(&tll_lock);
- for (i = 0; i < tll->nch; i++)
- if (!IS_ERR(tll->ch_clk[i]))
+ for (i = 0; i < tll->nch; i++) {
+ if (!IS_ERR(tll->ch_clk[i])) {
+ clk_unprepare(tll->ch_clk[i]);
clk_put(tll->ch_clk[i]);
+ }
+ }
pm_runtime_disable(&pdev->dev);
return 0;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 118/143] get_rock_ridge_filename(): handle malformed NM entries
From: Al Viro
commit 99d825822eade8d827a1817357cbf3f889a552d6 upstream.
Payloads of NM entries are not supposed to contain NUL. When we run
into such, only the part prior to the first NUL goes into the
concatenation (i.e. the directory entry name being encoded by a bunch
of NM entries). We do stop when the amount collected so far + the
claimed amount in the current NM entry exceed 254. So far, so good,
but what we return as the total length is the sum of *claimed*
sizes, not the actual amount collected. And that can grow pretty
large - not unlimited, since you'd need to put CE entries in
between to be able to get more than the maximum that could be
contained in one isofs directory entry / continuation chunk and
we are stop once we'd encountered 32 CEs, but you can get about 8Kb
easily. And that's what will be passed to readdir callback as the
name length. 8Kb __copy_to_user() from a buffer allocated by
__get_free_page()
Cc: sta...@vger.kernel.org # 0.98pl6+ (yes, really)
Signed-off-by: Al Viro
Signed-off-by: Willy Tarreau
---
fs/isofs/rock.c | 13 ++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/fs/isofs/rock.c b/fs/isofs/rock.c
index 735d752..204659a 100644
--- a/fs/isofs/rock.c
+++ b/fs/isofs/rock.c
@@ -203,6 +203,8 @@ int get_rock_ridge_filename(struct iso_directory_record *de,
int retnamlen = 0;
int truncate = 0;
int ret = 0;
+ char *p;
+ int len;
if (!ISOFS_SB(inode->i_sb)->s_rock)
return 0;
@@ -267,12 +269,17 @@ repeat:
rr->u.NM.flags);
break;
}
- if ((strlen(retname) + rr->len - 5) >= 254) {
+ len = rr->len - 5;
+ if (retnamlen + len >= 254) {
truncate = 1;
break;
}
- strncat(retname, rr->u.NM.name, rr->len - 5);
- retnamlen += rr->len - 5;
+ p = memchr(rr->u.NM.name, '\0', len);
+ if (unlikely(p))
+ len = p - rr->u.NM.name;
+ memcpy(retname + retnamlen, rr->u.NM.name, len);
+ retnamlen += len;
+ retname[retnamlen] = '\0';
break;
case SIG('R', 'E'):
kfree(rs.buffer);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 035/143] watchdog: rc32434_wdt: fix ioctl error handling
From: "Michael S. Tsirkin" commit 10e7ac22cdd4d211cef99afcb9371b70cb175be6 upstream. Calling return copy_to_user(...) in an ioctl will not do the right thing if there's a pagefault: copy_to_user returns the number of bytes not copied in this case. Fix up watchdog/rc32434_wdt to do return copy_to_user(...)) ? -EFAULT : 0; instead. Cc: sta...@vger.kernel.org Signed-off-by: Michael S. Tsirkin Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Willy Tarreau --- drivers/watchdog/rc32434_wdt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/watchdog/rc32434_wdt.c b/drivers/watchdog/rc32434_wdt.c index f78bc00..ea8f582 100644 --- a/drivers/watchdog/rc32434_wdt.c +++ b/drivers/watchdog/rc32434_wdt.c @@ -237,7 +237,7 @@ static long rc32434_wdt_ioctl(struct file *file, unsigned int cmd, return -EINVAL; /* Fall through */ case WDIOC_GETTIMEOUT: - return copy_to_user(argp, &timeout, sizeof(int)); + return copy_to_user(argp, &timeout, sizeof(int)) ? -EFAULT : 0; default: return -ENOTTY; } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 049/143] Input: ati_remote2 - fix crashes on detecting device with invalid descriptor
From: Vladis Dronov
commit 950336ba3e4a1ffd2ca60d29f6ef386dd2c7351d upstream.
The ati_remote2 driver expects at least two interfaces with one
endpoint each. If given malicious descriptor that specify one
interface or no endpoints, it will crash in the probe function.
Ensure there is at least two interfaces and one endpoint for each
interface before using it.
The full disclosure: http://seclists.org/bugtraq/2016/Mar/90
Reported-by: Ralf Spenneberg
Signed-off-by: Vladis Dronov
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Willy Tarreau
---
drivers/input/misc/ati_remote2.c | 36 ++--
1 file changed, 30 insertions(+), 6 deletions(-)
diff --git a/drivers/input/misc/ati_remote2.c b/drivers/input/misc/ati_remote2.c
index f63341f..e8c6a48 100644
--- a/drivers/input/misc/ati_remote2.c
+++ b/drivers/input/misc/ati_remote2.c
@@ -817,26 +817,49 @@ static int ati_remote2_probe(struct usb_interface
*interface, const struct usb_d
ar2->udev = udev;
+ /* Sanity check, first interface must have an endpoint */
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 0 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail1;
+ }
ar2->intf[0] = interface;
ar2->ep[0] = &alt->endpoint[0].desc;
+ /* Sanity check, the device must have two interfaces */
ar2->intf[1] = usb_ifnum_to_if(udev, 1);
+ if ((udev->actconfig->desc.bNumInterfaces < 2) || !ar2->intf[1]) {
+ dev_err(&interface->dev, "%s(): need 2 interfaces, found %d\n",
+ __func__, udev->actconfig->desc.bNumInterfaces);
+ r = -ENODEV;
+ goto fail1;
+ }
+
r = usb_driver_claim_interface(&ati_remote2_driver, ar2->intf[1], ar2);
if (r)
goto fail1;
+
+ /* Sanity check, second interface must have an endpoint */
alt = ar2->intf[1]->cur_altsetting;
+ if (alt->desc.bNumEndpoints < 1 || !alt->endpoint) {
+ dev_err(&interface->dev,
+ "%s(): interface 1 must have an endpoint\n", __func__);
+ r = -ENODEV;
+ goto fail2;
+ }
ar2->ep[1] = &alt->endpoint[0].desc;
r = ati_remote2_urb_init(ar2);
if (r)
- goto fail2;
+ goto fail3;
ar2->channel_mask = channel_mask;
ar2->mode_mask = mode_mask;
r = ati_remote2_setup(ar2, ar2->channel_mask);
if (r)
- goto fail2;
+ goto fail3;
usb_make_path(udev, ar2->phys, sizeof(ar2->phys));
strlcat(ar2->phys, "/input0", sizeof(ar2->phys));
@@ -845,11 +868,11 @@ static int ati_remote2_probe(struct usb_interface
*interface, const struct usb_d
r = sysfs_create_group(&udev->dev.kobj, &ati_remote2_attr_group);
if (r)
- goto fail2;
+ goto fail3;
r = ati_remote2_input_init(ar2);
if (r)
- goto fail3;
+ goto fail4;
usb_set_intfdata(interface, ar2);
@@ -857,10 +880,11 @@ static int ati_remote2_probe(struct usb_interface
*interface, const struct usb_d
return 0;
- fail3:
+ fail4:
sysfs_remove_group(&udev->dev.kobj, &ati_remote2_attr_group);
- fail2:
+ fail3:
ati_remote2_urb_cleanup(ar2);
+ fail2:
usb_driver_release_interface(&ati_remote2_driver, ar2->intf[1]);
fail1:
kfree(ar2);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 077/143] ext4: add lockdep annotations for i_data_sem
From: Theodore Ts'o
commit daf647d2dd58cec59570d7698a45b98e580f2076 upstream.
With the internal Quota feature, mke2fs creates empty quota inodes and
quota usage tracking is enabled as soon as the file system is mounted.
Since quotacheck is no longer preallocating all of the blocks in the
quota inode that are likely needed to be written to, we are now seeing
a lockdep false positive caused by needing to allocate a quota block
from inside ext4_map_blocks(), while holding i_data_sem for a data
inode. This results in this complaint:
Possible unsafe locking scenario:
CPU0CPU1
lock(&ei->i_data_sem);
lock(&s->s_dquot.dqio_mutex);
lock(&ei->i_data_sem);
lock(&s->s_dquot.dqio_mutex);
Google-Bug-Id: 27907753
Signed-off-by: Theodore Ts'o
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
fs/ext4/ext4.h| 23 +++
fs/ext4/move_extent.c | 11 +--
fs/ext4/super.c | 25 +++--
3 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 6f74b89..046e3e9 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -851,6 +851,29 @@ do {
\
#include "extents_status.h"
/*
+ * Lock subclasses for i_data_sem in the ext4_inode_info structure.
+ *
+ * These are needed to avoid lockdep false positives when we need to
+ * allocate blocks to the quota inode during ext4_map_blocks(), while
+ * holding i_data_sem for a normal (non-quota) inode. Since we don't
+ * do quota tracking for the quota inode, this avoids deadlock (as
+ * well as infinite recursion, since it isn't turtles all the way
+ * down...)
+ *
+ * I_DATA_SEM_NORMAL - Used for most inodes
+ * I_DATA_SEM_OTHER - Used by move_inode.c for the second normal inode
+ * where the second inode has larger inode number
+ * than the first
+ * I_DATA_SEM_QUOTA - Used for quota inodes only
+ */
+enum {
+ I_DATA_SEM_NORMAL = 0,
+ I_DATA_SEM_OTHER,
+ I_DATA_SEM_QUOTA,
+};
+
+
+/*
* fourth extended file system inode data in memory
*/
struct ext4_inode_info {
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c
index 3dcbf36..ad52ace 100644
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -154,10 +154,10 @@ ext4_double_down_write_data_sem(struct inode *first,
struct inode *second)
{
if (first < second) {
down_write(&EXT4_I(first)->i_data_sem);
- down_write_nested(&EXT4_I(second)->i_data_sem,
SINGLE_DEPTH_NESTING);
+ down_write_nested(&EXT4_I(second)->i_data_sem,
I_DATA_SEM_OTHER);
} else {
down_write(&EXT4_I(second)->i_data_sem);
- down_write_nested(&EXT4_I(first)->i_data_sem,
SINGLE_DEPTH_NESTING);
+ down_write_nested(&EXT4_I(first)->i_data_sem, I_DATA_SEM_OTHER);
}
}
@@ -1117,6 +1117,13 @@ mext_check_arguments(struct inode *orig_inode,
return -EINVAL;
}
+ if (IS_NOQUOTA(orig_inode) || IS_NOQUOTA(donor_inode)) {
+ ext4_debug("ext4 move extent: The argument files should "
+ "not be quota files [ino:orig %lu, donor %lu]\n",
+ orig_inode->i_ino, donor_inode->i_ino);
+ return -EBUSY;
+ }
+
/* Ext4 move extent supports only extent based file */
if (!(ext4_test_inode_flag(orig_inode, EXT4_INODE_EXTENTS))) {
ext4_debug("ext4 move extent: orig file is not extents "
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index a7e0797..063eb50 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4984,6 +4984,20 @@ static int ext4_quota_on_mount(struct super_block *sb,
int type)
EXT4_SB(sb)->s_jquota_fmt, type);
}
+static void lockdep_set_quota_inode(struct inode *inode, int subclass)
+{
+ struct ext4_inode_info *ei = EXT4_I(inode);
+
+ /* The first argument of lockdep_set_subclass has to be
+* *exactly* the same as the argument to init_rwsem() --- in
+* this case, in init_once() --- or lockdep gets unhappy
+* because the name of the lock is set using the
+* stringification of the argument to init_rwsem().
+*/
+ (void) ei; /* shut up clang warning if !CONFIG_LOCKDEP */
+ lockdep_set_subclass(&ei->i_data_sem, subclass);
+}
+
/*
* Standard function to be called on quota_on
*/
@@ -5023,8 +5037,12 @@ static int ext4_quota_on(struct super_block *sb, int
type, int format_id,
if (err)
return err;
}
-
- return dquot_quota_on(sb, type, format_id, path);
+ lockdep_set_quota_inode(path->dentry->d_inode, I_DATA_SEM_QUOTA);
+ err = dquot_quota_on(sb, type, f
[PATCH 3.10 090/143] ASoC: s3c24xx: use const snd_soc_component_driver pointer
From: Arnd Bergmann
commit ba4bc32eaa39ba7687f0958ae90eec94da613b46 upstream.
An older patch to convert the API in the s3c i2s driver
ended up passing a const pointer into a function that takes
a non-const pointer, so we now get a warning:
sound/soc/samsung/s3c2412-i2s.c: In function 's3c2412_iis_dev_probe':
sound/soc/samsung/s3c2412-i2s.c:172:9: error: passing argument 3 of
's3c_i2sv2_register_component' discards 'const' qualifier from pointer target
type [-Werror=discarded-qualifiers]
However, the s3c_i2sv2_register_component() function again
passes the pointer into another function taking a const, so
we just need to change its prototype.
Fixes: eca3b01d0885 ("ASoC: switch over to use snd_soc_register_component() on
s3c i2s")
Signed-off-by: Arnd Bergmann
Reviewed-by: Krzysztof Kozlowski
Signed-off-by: Mark Brown
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
sound/soc/samsung/s3c-i2s-v2.c | 2 +-
sound/soc/samsung/s3c-i2s-v2.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/soc/samsung/s3c-i2s-v2.c b/sound/soc/samsung/s3c-i2s-v2.c
index 20e98d1..38c36cd 100644
--- a/sound/soc/samsung/s3c-i2s-v2.c
+++ b/sound/soc/samsung/s3c-i2s-v2.c
@@ -732,7 +732,7 @@ static int s3c2412_i2s_resume(struct snd_soc_dai *dai)
#endif
int s3c_i2sv2_register_component(struct device *dev, int id,
- struct snd_soc_component_driver *cmp_drv,
+ const struct snd_soc_component_driver *cmp_drv,
struct snd_soc_dai_driver *dai_drv)
{
struct snd_soc_dai_ops *ops = drv->ops;
diff --git a/sound/soc/samsung/s3c-i2s-v2.h b/sound/soc/samsung/s3c-i2s-v2.h
index 90abab3..d068414 100644
--- a/sound/soc/samsung/s3c-i2s-v2.h
+++ b/sound/soc/samsung/s3c-i2s-v2.h
@@ -101,7 +101,7 @@ extern int s3c_i2sv2_probe(struct snd_soc_dai *dai,
* soc core.
*/
extern int s3c_i2sv2_register_component(struct device *dev, int id,
- struct snd_soc_component_driver
*cmp_drv,
+ const struct snd_soc_component_driver
*cmp_drv,
struct snd_soc_dai_driver *dai_drv);
#endif /* __SND_SOC_S3C24XX_S3C_I2SV2_I2S_H */
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 074/143] ip6_tunnel: set rtnl_link_ops before calling register_netdevice
From: Thadeu Lima de Souza Cascardo
commit b6ee376cb0b7fb4e7e07d6cd248bd40436fb9ba6 upstream.
When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
before ip6_tnl_create2 is called. When register_netdevice is called, there
is no linkinfo attribute in the NEWLINK message because of that.
Setting rtnl_link_ops before calling register_netdevice fixes that.
Fixes: 0b112457229d ("ip6tnl: add support of link creation via rtnl")
Signed-off-by: Thadeu Lima de Souza Cascardo
Acked-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/ipv6/ip6_tunnel.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
index 14f46af..31bab1a 100644
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -266,12 +266,12 @@ static int ip6_tnl_create2(struct net_device *dev)
t = netdev_priv(dev);
+ dev->rtnl_link_ops = &ip6_link_ops;
err = register_netdevice(dev);
if (err < 0)
goto out;
strcpy(t->parms.name, dev->name);
- dev->rtnl_link_ops = &ip6_link_ops;
dev_hold(dev);
ip6_tnl_link(ip6n, t);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 081/143] usbvision: fix leak of usb_dev on failure paths in usbvision_probe()
From: Alexey Khoroshilov
commit afd270d1a45043cef14341bcceff62ed50e8dc9a upstream.
There is no usb_put_dev() on failure paths in usbvision_probe().
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/media/usb/usbvision/usbvision-video.c | 24 +---
1 file changed, 17 insertions(+), 7 deletions(-)
diff --git a/drivers/media/usb/usbvision/usbvision-video.c
b/drivers/media/usb/usbvision/usbvision-video.c
index 443e7833..017f4d1 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1521,7 +1521,7 @@ static int usbvision_probe(struct usb_interface *intf,
const struct usb_host_interface *interface;
struct usb_usbvision *usbvision = NULL;
const struct usb_endpoint_descriptor *endpoint;
- int model, i;
+ int model, i, ret;
PDEBUG(DBG_PROBE, "VID=%#04x, PID=%#04x, ifnum=%u",
dev->descriptor.idVendor,
@@ -1530,7 +1530,8 @@ static int usbvision_probe(struct usb_interface *intf,
model = devid->driver_info;
if (model < 0 || model >= usbvision_device_data_size) {
PDEBUG(DBG_PROBE, "model out of bounds %d", model);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_usb;
}
printk(KERN_INFO "%s: %s found\n", __func__,
usbvision_device_data[model].model_string);
@@ -1545,18 +1546,21 @@ static int usbvision_probe(struct usb_interface *intf,
__func__, ifnum);
dev_err(&intf->dev, "%s: Endpoint attributes %d",
__func__, endpoint->bmAttributes);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_usb;
}
if (usb_endpoint_dir_out(endpoint)) {
dev_err(&intf->dev, "%s: interface %d. has ISO OUT endpoint!\n",
__func__, ifnum);
- return -ENODEV;
+ ret = -ENODEV;
+ goto err_usb;
}
usbvision = usbvision_alloc(dev, intf);
if (usbvision == NULL) {
dev_err(&intf->dev, "%s: couldn't allocate USBVision struct\n",
__func__);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto err_usb;
}
if (dev->descriptor.bNumConfigurations > 1)
@@ -1575,8 +1579,8 @@ static int usbvision_probe(struct usb_interface *intf,
usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt,
GFP_KERNEL);
if (usbvision->alt_max_pkt_size == NULL) {
dev_err(&intf->dev, "usbvision: out of memory!\n");
- usbvision_release(usbvision);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto err_pkt;
}
for (i = 0; i < usbvision->num_alt; i++) {
@@ -1611,6 +1615,12 @@ static int usbvision_probe(struct usb_interface *intf,
PDEBUG(DBG_PROBE, "success");
return 0;
+
+err_pkt:
+ usbvision_release(usbvision);
+err_usb:
+ usb_put_dev(dev);
+ return ret;
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 103/143] compiler-gcc: disable -ftracer for __noclone functions
From: Paolo Bonzini
commit 95272c29378ee7dc15f43fa2758cb28a5913a06d upstream.
-ftracer can duplicate asm blocks causing compilation to fail in
noclone functions. For example, KVM declares a global variable
in an asm like
asm("2: ... \n
.pushsection data \n
.global vmx_return \n
vmx_return: .long 2b");
and -ftracer causes a double declaration.
Cc: Andrew Morton
Cc: Michal Marek
Cc: sta...@vger.kernel.org
Cc: k...@vger.kernel.org
Reported-by: Linda Walsh
Signed-off-by: Paolo Bonzini
Signed-off-by: Willy Tarreau
---
include/linux/compiler-gcc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
index 65856c3..953cd121 100644
--- a/include/linux/compiler-gcc.h
+++ b/include/linux/compiler-gcc.h
@@ -177,7 +177,7 @@
#define unreachable() __builtin_unreachable()
/* Mark a function definition as prohibited from being cloned. */
-#define __noclone __attribute__((__noclone__))
+#define __noclone __attribute__((__noclone__, __optimize__("no-tracer")))
#endif /* GCC_VERSION >= 40500 */
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 054/143] perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere
From: Andi Kleen
commit e17dc65328057c00db7e1bfea249c8771a78b30b upstream.
Jiri reported some time ago that some entries in the PEBS data source table
in perf do not agree with the SDM. We investigated and the bits
changed for Sandy Bridge, but the SDM was not updated.
perf already implements the bits correctly for Sandy Bridge
and later. This patch patches it up for Nehalem and Westmere.
Signed-off-by: Andi Kleen
Signed-off-by: Peter Zijlstra (Intel)
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: jo...@kernel.org
Link:
http://lkml.kernel.org/r/1456871124-15985-1-git-send-email-a...@firstfloor.org
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
arch/x86/kernel/cpu/perf_event.h | 2 ++
arch/x86/kernel/cpu/perf_event_intel.c| 2 ++
arch/x86/kernel/cpu/perf_event_intel_ds.c | 11 ++-
3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/perf_event.h b/arch/x86/kernel/cpu/perf_event.h
index ba9aadf..5fd0bbe 100644
--- a/arch/x86/kernel/cpu/perf_event.h
+++ b/arch/x86/kernel/cpu/perf_event.h
@@ -665,6 +665,8 @@ void intel_pmu_lbr_init_atom(void);
void intel_pmu_lbr_init_snb(void);
+void intel_pmu_pebs_data_source_nhm(void);
+
int intel_pmu_setup_lbr_filter(struct perf_event *event);
int p4_pmu_init(void);
diff --git a/arch/x86/kernel/cpu/perf_event_intel.c
b/arch/x86/kernel/cpu/perf_event_intel.c
index 6d6bb6f..ac05758 100644
--- a/arch/x86/kernel/cpu/perf_event_intel.c
+++ b/arch/x86/kernel/cpu/perf_event_intel.c
@@ -2088,6 +2088,7 @@ __init int intel_pmu_init(void)
intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] =
X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1);
+ intel_pmu_pebs_data_source_nhm();
x86_add_quirk(intel_nehalem_quirk);
pr_cont("Nehalem events, ");
@@ -2133,6 +2134,7 @@ __init int intel_pmu_init(void)
intel_perfmon_event_map[PERF_COUNT_HW_STALLED_CYCLES_BACKEND] =
X86_CONFIG(.event=0xb1, .umask=0x3f, .inv=1, .cmask=1);
+ intel_pmu_pebs_data_source_nhm();
pr_cont("Westmere events, ");
break;
diff --git a/arch/x86/kernel/cpu/perf_event_intel_ds.c
b/arch/x86/kernel/cpu/perf_event_intel_ds.c
index 60250f6..17b090a 100644
--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c
+++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c
@@ -50,7 +50,8 @@ union intel_x86_pebs_dse {
#define OP_LH (P(OP, LOAD) | P(LVL, HIT))
#define SNOOP_NONE_MISS (P(SNOOP, NONE) | P(SNOOP, MISS))
-static const u64 pebs_data_source[] = {
+/* Version for Sandy Bridge and later */
+static u64 pebs_data_source[] = {
P(OP, LOAD) | P(LVL, MISS) | P(LVL, L3) | P(SNOOP, NA),/* 0x00:ukn L3 */
OP_LH | P(LVL, L1) | P(SNOOP, NONE), /* 0x01: L1 local */
OP_LH | P(LVL, LFB) | P(SNOOP, NONE), /* 0x02: LFB hit */
@@ -69,6 +70,14 @@ static const u64 pebs_data_source[] = {
OP_LH | P(LVL, UNC) | P(SNOOP, NONE), /* 0x0f: uncached */
};
+/* Patch up minor differences in the bits */
+void __init intel_pmu_pebs_data_source_nhm(void)
+{
+ pebs_data_source[0x05] = OP_LH | P(LVL, L3) | P(SNOOP, HIT);
+ pebs_data_source[0x06] = OP_LH | P(LVL, L3) | P(SNOOP, HITM);
+ pebs_data_source[0x07] = OP_LH | P(LVL, L3) | P(SNOOP, HITM);
+}
+
static u64 precise_store_data(u64 status)
{
union intel_x86_pebs_dse dse;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 050/143] ocfs2/dlm: fix race between convert and recovery
From: Joseph Qi
commit ac7cf246dfdbec3d8fed296c7bf30e16f5099dac upstream.
There is a race window between dlmconvert_remote and
dlm_move_lockres_to_recovery_list, which will cause a lock with
OCFS2_LOCK_BUSY in grant list, thus system hangs.
dlmconvert_remote
{
spin_lock(&res->spinlock);
list_move_tail(&lock->list, &res->converting);
lock->convert_pending = 1;
spin_unlock(&res->spinlock);
status = dlm_send_remote_convert_request();
>> race window, master has queued ast and return DLM_NORMAL,
and then down before sending ast.
this node detects master down and calls
dlm_move_lockres_to_recovery_list, which will revert the
lock to grant list.
Then OCFS2_LOCK_BUSY won't be cleared as new master won't
send ast any more because it thinks already be authorized.
spin_lock(&res->spinlock);
lock->convert_pending = 0;
if (status != DLM_NORMAL)
dlm_revert_pending_convert(res, lock);
spin_unlock(&res->spinlock);
}
In this case, check if res->state has DLM_LOCK_RES_RECOVERING bit set
(res is still in recovering) or res master changed (new master has
finished recovery), reset the status to DLM_RECOVERING, then it will
retry convert.
Signed-off-by: Joseph Qi
Reported-by: Yiwen Jiang
Reviewed-by: Junxiao Bi
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Tariq Saeed
Cc: Junxiao Bi
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Willy Tarreau
---
fs/ocfs2/dlm/dlmconvert.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
index 29a886d..093200f 100644
--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -265,6 +265,7 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
struct dlm_lock *lock, int flags, int type)
{
enum dlm_status status;
+ u8 old_owner = res->owner;
mlog(0, "type=%d, convert_type=%d, busy=%d\n", lock->ml.type,
lock->ml.convert_type, res->state & DLM_LOCK_RES_IN_PROGRESS);
@@ -319,11 +320,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
spin_lock(&res->spinlock);
res->state &= ~DLM_LOCK_RES_IN_PROGRESS;
lock->convert_pending = 0;
- /* if it failed, move it back to granted queue */
+ /* if it failed, move it back to granted queue.
+* if master returns DLM_NORMAL and then down before sending ast,
+* it may have already been moved to granted queue, reset to
+* DLM_RECOVERING and retry convert */
if (status != DLM_NORMAL) {
if (status != DLM_NOTQUEUED)
dlm_error(status);
dlm_revert_pending_convert(res, lock);
+ } else if ((res->state & DLM_LOCK_RES_RECOVERING) ||
+ (old_owner != res->owner)) {
+ mlog(0, "res %.*s is in recovering or has been recovered.\n",
+ res->lockname.len, res->lockname.name);
+ status = DLM_RECOVERING;
}
bail:
spin_unlock(&res->spinlock);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 058/143] ALSA: timer: Use mod_timer() for rearming the system timer
From: Takashi Iwai commit 4a07083ed613644c96c34a7dd2853dc5d7c70902 upstream. ALSA system timer backend stops the timer via del_timer() without sync and leaves del_timer_sync() at the close instead. This is because of the restriction by the design of ALSA timer: namely, the stop callback may be called from the timer handler, and calling the sync shall lead to a hangup. However, this also triggers a kernel BUG() when the timer is rearmed immediately after stopping without sync: kernel BUG at kernel/time/timer.c:966! Call Trace: [] snd_timer_s_start+0x13e/0x1a0 [] snd_timer_interrupt+0x504/0xec0 [] ? debug_check_no_locks_freed+0x290/0x290 [] snd_timer_s_function+0xb4/0x120 [] call_timer_fn+0x162/0x520 [] ? call_timer_fn+0xcd/0x520 [] ? snd_timer_interrupt+0xec0/0xec0 It's the place where add_timer() checks the pending timer. It's clear that this may happen after the immediate restart without sync in our cases. So, the workaround here is just to use mod_timer() instead of add_timer(). This looks like a band-aid fix, but it's a right move, as snd_timer_interrupt() takes care of the continuous rearm of timer. Reported-by: Jiri Slaby Cc: Signed-off-by: Takashi Iwai Signed-off-by: Willy Tarreau --- sound/core/timer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sound/core/timer.c b/sound/core/timer.c index d90d8f4..38742e8 100644 --- a/sound/core/timer.c +++ b/sound/core/timer.c @@ -1012,8 +1012,8 @@ static int snd_timer_s_start(struct snd_timer * timer) njiff += timer->sticks - priv->correction; priv->correction = 0; } - priv->last_expires = priv->tlist.expires = njiff; - add_timer(&priv->tlist); + priv->last_expires = njiff; + mod_timer(&priv->tlist, njiff); return 0; } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 102/143] ARM: OMAP3: Add cpuidle parameters table for omap3430
From: Pali Rohár
commit 98f42221501353067251fbf11e732707dbb68ce3 upstream.
Based on CPU type choose generic omap3 or omap3430 specific cpuidle
parameters. Parameters for omap3430 were measured on Nokia N900 device and
added by commit 5a1b1d3a9efa ("OMAP3: RX-51: Pass cpu idle parameters")
which were later removed by commit 231900afba52 ("ARM: OMAP3: cpuidle -
remove rx51 cpuidle parameters table") due to huge code complexity.
This patch brings cpuidle parameters for omap3430 devices again, but uses
simple condition based on CPU type.
Fixes: 231900afba52 ("ARM: OMAP3: cpuidle - remove rx51 cpuidle
parameters table")
Signed-off-by: Pali Rohár
Acked-by: Daniel Lezcano
Signed-off-by: Tony Lindgren
Signed-off-by: Willy Tarreau
---
arch/arm/mach-omap2/cpuidle34xx.c | 69 ++-
1 file changed, 68 insertions(+), 1 deletion(-)
diff --git a/arch/arm/mach-omap2/cpuidle34xx.c
b/arch/arm/mach-omap2/cpuidle34xx.c
index e18709d..38e1bdc 100644
--- a/arch/arm/mach-omap2/cpuidle34xx.c
+++ b/arch/arm/mach-omap2/cpuidle34xx.c
@@ -34,6 +34,7 @@
#include "pm.h"
#include "control.h"
#include "common.h"
+#include "soc.h"
/* Mach specific information to be recorded in the C-state driver_data */
struct omap3_idle_statedata {
@@ -322,6 +323,69 @@ static struct cpuidle_driver omap3_idle_driver = {
.safe_state_index = 0,
};
+/*
+ * Numbers based on measurements made in October 2009 for PM optimized kernel
+ * with CPU freq enabled on device Nokia N900. Assumes OPP2 (main idle OPP,
+ * and worst case latencies).
+ */
+static struct cpuidle_driver omap3430_idle_driver = {
+ .name = "omap3430_idle",
+ .owner= THIS_MODULE,
+ .states = {
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 110 + 162,
+ .target_residency = 5,
+ .name = "C1",
+ .desc = "MPU ON + CORE ON",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 106 + 180,
+ .target_residency = 309,
+ .name = "C2",
+ .desc = "MPU ON + CORE ON",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 107 + 410,
+ .target_residency = 46057,
+ .name = "C3",
+ .desc = "MPU RET + CORE ON",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 121 + 3374,
+ .target_residency = 46057,
+ .name = "C4",
+ .desc = "MPU OFF + CORE ON",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 855 + 1146,
+ .target_residency = 46057,
+ .name = "C5",
+ .desc = "MPU RET + CORE RET",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 7580 + 4134,
+ .target_residency = 484329,
+ .name = "C6",
+ .desc = "MPU OFF + CORE RET",
+ },
+ {
+ .enter= omap3_enter_idle_bm,
+ .exit_latency = 7505 + 15274,
+ .target_residency = 484329,
+ .name = "C7",
+ .desc = "MPU OFF + CORE OFF",
+ },
+ },
+ .state_count = ARRAY_SIZE(omap3_idle_data),
+ .safe_state_index = 0,
+};
+
/* Public functions */
/**
@@ -340,5 +404,8 @@ int __init omap3_idle_init(void)
if (!mpu_pd || !core_pd || !per_pd || !cam_pd)
return -ENODEV;
- return cpuidle_register(&omap3_idle_driver, NULL);
+ if (cpu_is_omap3430())
+ return cpuidle_register(&omap3430_idle_driver, NULL);
+ else
+ return cpuidle_register(&omap3_idle_driver, NULL);
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 059/143] net: jme: fix suspend/resume on JMC260
From: Diego Viola commit ee50c130c82175eaa0820c96b6d3763928af2241 upstream. The JMC260 network card fails to suspend/resume because the call to jme_start_irq() was too early, moving the call to jme_start_irq() after the call to jme_reset_link() makes it work. Prior this change suspend/resume would fail unless /sys/power/pm_async=0 was explicitly specified. Relevant bug report: https://bugzilla.kernel.org/show_bug.cgi?id=112351 Signed-off-by: Diego Viola Signed-off-by: David S. Miller Signed-off-by: Willy Tarreau --- drivers/net/ethernet/jme.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/jme.c b/drivers/net/ethernet/jme.c index 070a6f1..2f4cbca 100644 --- a/drivers/net/ethernet/jme.c +++ b/drivers/net/ethernet/jme.c @@ -3290,13 +3290,14 @@ jme_resume(struct device *dev) jme_reset_phy_processor(jme); jme_phy_calibration(jme); jme_phy_setEA(jme); - jme_start_irq(jme); netif_device_attach(netdev); atomic_inc(&jme->link_changing); jme_reset_link(jme); + jme_start_irq(jme); + return 0; } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 023/143] USB: cypress_m8: add endpoint sanity check
From: Oliver Neukum
commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.
An attack using missing endpoints exists.
CVE-2016-3137
Signed-off-by: Oliver Neukum
CC: sta...@vger.kernel.org
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/cypress_m8.c | 11 +--
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/serial/cypress_m8.c b/drivers/usb/serial/cypress_m8.c
index 0821201..09f0f63 100644
--- a/drivers/usb/serial/cypress_m8.c
+++ b/drivers/usb/serial/cypress_m8.c
@@ -449,6 +449,11 @@ static int cypress_generic_port_probe(struct
usb_serial_port *port)
struct usb_serial *serial = port->serial;
struct cypress_private *priv;
+ if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
+ dev_err(&port->dev, "required endpoint is missing\n");
+ return -ENODEV;
+ }
+
priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
if (!priv)
return -ENOMEM;
@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struct *tty, struct
usb_serial_port *port)
cypress_set_termios(tty, port, &priv->tmp_termios);
/* setup the port and start reading from the device */
- if (!port->interrupt_in_urb) {
- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
- __func__);
- return -1;
- }
-
usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
port->interrupt_in_urb->transfer_buffer,
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 022/143] USB: digi_acceleport: do sanity checking for the number of ports
From: Oliver Neukum
commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
The driver can be crashed with devices that expose crafted descriptors
with too few endpoints.
See: http://seclists.org/bugtraq/2016/Mar/61
Signed-off-by: Oliver Neukum
[johan: fix OOB endpoint check and add error messages ]
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/digi_acceleport.c | 19 +++
1 file changed, 19 insertions(+)
diff --git a/drivers/usb/serial/digi_acceleport.c
b/drivers/usb/serial/digi_acceleport.c
index 7b807d3..8c34d9c 100644
--- a/drivers/usb/serial/digi_acceleport.c
+++ b/drivers/usb/serial/digi_acceleport.c
@@ -1253,8 +1253,27 @@ static int digi_port_init(struct usb_serial_port *port,
unsigned port_num)
static int digi_startup(struct usb_serial *serial)
{
+ struct device *dev = &serial->interface->dev;
struct digi_serial *serial_priv;
int ret;
+ int i;
+
+ /* check whether the device has the expected number of endpoints */
+ if (serial->num_port_pointers < serial->type->num_ports + 1) {
+ dev_err(dev, "OOB endpoints missing\n");
+ return -ENODEV;
+ }
+
+ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
+ if (!serial->port[i]->read_urb) {
+ dev_err(dev, "bulk-in endpoint missing\n");
+ return -ENODEV;
+ }
+ if (!serial->port[i]->write_urb) {
+ dev_err(dev, "bulk-out endpoint missing\n");
+ return -ENODEV;
+ }
+ }
serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
if (!serial_priv)
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 036/143] splice: handle zero nr_pages in splice_to_pipe()
From: Rabin Vincent commit d6785d9152147596f60234157da2b02540c3e60f upstream. Running the following command: busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null with any tracing enabled pretty very quickly leads to various NULL pointer dereferences and VM BUG_ON()s, such as these: BUG: unable to handle kernel NULL pointer dereference at 0020 IP: [] generic_pipe_buf_release+0xc/0x40 Call Trace: [] splice_direct_to_actor+0x143/0x1e0 [] ? generic_pipe_buf_nosteal+0x10/0x10 [] do_splice_direct+0x8f/0xb0 [] do_sendfile+0x199/0x380 [] SyS_sendfile64+0x90/0xa0 [] entry_SYSCALL_64_fastpath+0x12/0x6d page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0) kernel BUG at include/linux/mm.h:367! invalid opcode: [#1] PREEMPT SMP DEBUG_PAGEALLOC RIP: [] generic_pipe_buf_release+0x3c/0x40 Call Trace: [] splice_direct_to_actor+0x143/0x1e0 [] ? generic_pipe_buf_nosteal+0x10/0x10 [] do_splice_direct+0x8f/0xb0 [] do_sendfile+0x199/0x380 [] SyS_sendfile64+0x90/0xa0 [] tracesys_phase2+0x84/0x89 (busybox's cat uses sendfile(2), unlike the coreutils version) This is because tracing_splice_read_pipe() can call splice_to_pipe() with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and we fill the page pointers and the other fields of the pipe_buffers with garbage. All other callers of splice_to_pipe() avoid calling it when nr_pages == 0, and we could make tracing_splice_read_pipe() do that too, but it seems reasonable to have splice_to_page() handle this condition gracefully. Cc: sta...@vger.kernel.org Signed-off-by: Rabin Vincent Reviewed-by: Christoph Hellwig Signed-off-by: Al Viro Signed-off-by: Willy Tarreau --- fs/splice.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/splice.c b/fs/splice.c index 3b94a6b..2ffa7b0 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -189,6 +189,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe, unsigned int spd_pages = spd->nr_pages; int ret, do_wakeup, page_nr; + if (!spd_pages) + return 0; + ret = 0; do_wakeup = 0; page_nr = 0; -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 020/143] USB: usb_driver_claim_interface: add sanity checking
From: Oliver Neukum
commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.
Attacks that trick drivers into passing a NULL pointer
to usb_driver_claim_interface() using forged descriptors are
known. This thwarts them by sanity checking.
Signed-off-by: Oliver Neukum
CC: sta...@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/usb/core/driver.c | 6 +-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/core/driver.c b/drivers/usb/core/driver.c
index 2cdd507..f7310dd 100644
--- a/drivers/usb/core/driver.c
+++ b/drivers/usb/core/driver.c
@@ -461,11 +461,15 @@ static int usb_unbind_interface(struct device *dev)
int usb_driver_claim_interface(struct usb_driver *driver,
struct usb_interface *iface, void *priv)
{
- struct device *dev = &iface->dev;
+ struct device *dev;
struct usb_device *udev;
int retval = 0;
int lpm_disable_error;
+ if (!iface)
+ return -ENODEV;
+
+ dev = &iface->dev;
if (dev->driver)
return -EBUSY;
--
2.8.0.rc2.1.gbe9624a
Re: [PATCH] net: ethernet: cavium: liquidio: request_manager: Remove create_workqueue
On Sat, Jun 04, 2016 at 08:54:00PM +0530, Bhaktipriya Shridhar wrote:
> diff --git a/drivers/net/ethernet/cavium/liquidio/request_manager.c
> b/drivers/net/ethernet/cavium/liquidio/request_manager.c
> index a2a2465..9313915 100644
> --- a/drivers/net/ethernet/cavium/liquidio/request_manager.c
> +++ b/drivers/net/ethernet/cavium/liquidio/request_manager.c
> @@ -144,7 +144,9 @@ int octeon_init_instr_queue(struct octeon_device *oct,
>
> oct->fn_list.setup_iq_regs(oct, iq_no);
>
> - oct->check_db_wq[iq_no].wq = create_workqueue("check_iq_db");
> + oct->check_db_wq[iq_no].wq = alloc_workqueue("check_iq_db",
> + WQ_MEM_RECLAIM,
> + 0);
Why the new line between WQ_MEM_RECLAIM and 0?
Except for the subj tag and the above nit,
Acked-by: Tejun Heo
Thanks.
--
tejun
[PATCH 3.10 114/143] USB: serial: cp210x: add Straizona Focusers device ids
From: Jasem Mutlaq
commit 613ac23a46e10d4d4339febdd534fafadd68e059 upstream.
Adding VID:PID for Straizona Focusers to cp210x driver.
Signed-off-by: Jasem Mutlaq
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/cp210x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index 40e2d58..0093261 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -108,6 +108,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc.,
Fasttrax GPS demonstration module */
{ USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
{ USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
+ { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
{ USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
{ USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
{ USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */
@@ -117,6 +118,7 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10
GSM/GPRS Modem */
{ USB_DEVICE(0x10C4, 0x846E) }, /* BEI USB Sensor Interface (VCP) */
{ USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
{ USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
{ USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
{ USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 141/143] USB: serial: option: add support for Cinterion PH8 and AHxx
From: Schemmel Hans-Christoph
commit 444f94e9e625f6ec6bbe2cb232a6451c637f35a3 upstream.
Added support for Gemalto's Cinterion PH8 and AHxx products
with 2 RmNet Interfaces and products with 1 RmNet + 1 USB Audio interface.
In addition some minor renaming and formatting.
Signed-off-by: Hans-Christoph Schemmel
[johan: sort current entries and trim trailing whitespace ]
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/option.c | 26 --
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 99c89d7..bcb6f5c 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -375,18 +375,22 @@ static void option_instat_callback(struct urb *urb);
#define HAIER_PRODUCT_CE81B0x10f8
#define HAIER_PRODUCT_CE1000x2009
-/* Cinterion (formerly Siemens) products */
-#define SIEMENS_VENDOR_ID 0x0681
-#define CINTERION_VENDOR_ID0x1e2d
+/* Gemalto's Cinterion products (formerly Siemens) */
+#define SIEMENS_VENDOR_ID 0x0681
+#define CINTERION_VENDOR_ID0x1e2d
+#define CINTERION_PRODUCT_HC25_MDMNET 0x0040
#define CINTERION_PRODUCT_HC25_MDM 0x0047
-#define CINTERION_PRODUCT_HC25_MDMNET 0x0040
+#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */
#define CINTERION_PRODUCT_HC28_MDM 0x004C
-#define CINTERION_PRODUCT_HC28_MDMNET 0x004A /* same for HC28J */
#define CINTERION_PRODUCT_EU3_E0x0051
#define CINTERION_PRODUCT_EU3_P0x0052
#define CINTERION_PRODUCT_PH8 0x0053
#define CINTERION_PRODUCT_AHXX 0x0055
#define CINTERION_PRODUCT_PLXX 0x0060
+#define CINTERION_PRODUCT_PH8_2RMNET 0x0082
+#define CINTERION_PRODUCT_PH8_AUDIO0x0083
+#define CINTERION_PRODUCT_AHXX_2RMNET 0x0084
+#define CINTERION_PRODUCT_AHXX_AUDIO 0x0085
/* Olivetti products */
#define OLIVETTI_VENDOR_ID 0x0b3c
@@ -641,6 +645,10 @@ static const struct option_blacklist_info
telit_le922_blacklist_usbcfg3 = {
.reserved = BIT(1) | BIT(2) | BIT(3),
};
+static const struct option_blacklist_info cinterion_rmnet2_blacklist = {
+ .reserved = BIT(4) | BIT(5),
+};
+
static const struct usb_device_id option_ids[] = {
{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) },
{ USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_RICOLA) },
@@ -1712,7 +1720,13 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID,
CINTERION_PRODUCT_AHXX, 0xff) },
{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_PLXX),
.driver_info = (kernel_ulong_t)&net_intf4_blacklist },
- { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID,
CINTERION_PRODUCT_PH8_2RMNET, 0xff),
+ .driver_info = (kernel_ulong_t)&cinterion_rmnet2_blacklist },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID,
CINTERION_PRODUCT_PH8_AUDIO, 0xff),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID,
CINTERION_PRODUCT_AHXX_2RMNET, 0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(CINTERION_VENDOR_ID,
CINTERION_PRODUCT_AHXX_AUDIO, 0xff) },
+ { USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDM) },
{ USB_DEVICE(CINTERION_VENDOR_ID, CINTERION_PRODUCT_HC28_MDMNET) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDM) },
{ USB_DEVICE(SIEMENS_VENDOR_ID, CINTERION_PRODUCT_HC25_MDMNET) },
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 113/143] USB: serial: cp210x: add ID for Link ECU
From: Mike Manning
commit 1d377f4d690637a0121eac8701f84a0aa1e69a69 upstream.
The Link ECU is an aftermarket ECU computer for vehicles that provides
full tuning abilities as well as datalogging and displaying capabilities
via the USB to Serial adapter built into the device.
Signed-off-by: Mike Manning
Cc: stable
Signed-off-by: Johan Hovold
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/cp210x.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/cp210x.c b/drivers/usb/serial/cp210x.c
index a4003d4..40e2d58 100644
--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -140,6 +140,8 @@ static const struct usb_device_id id_table[] = {
{ USB_DEVICE(0x10C4, 0xF004) }, /* Elan Digital Systems USBcount50 */
{ USB_DEVICE(0x10C5, 0xEA61) }, /* Silicon Labs MobiData GPRS USB Modem
*/
{ USB_DEVICE(0x10CE, 0xEA6A) }, /* Silicon Labs MobiData GPRS USB Modem
100EU */
+ { USB_DEVICE(0x12B8, 0xEC60) }, /* Link G4 ECU */
+ { USB_DEVICE(0x12B8, 0xEC62) }, /* Link G4+ ECU */
{ USB_DEVICE(0x13AD, 0x) }, /* Baltech card reader */
{ USB_DEVICE(0x1555, 0x0004) }, /* Owen AC4 USB-RS485 Converter */
{ USB_DEVICE(0x166A, 0x0201) }, /* Clipsal 5500PACA C-Bus Pascal
Automation Controller */
--
2.8.0.rc2.1.gbe9624a
Re: [PATCH] net: ethernet: cavium: liquidio: response_manager: Remove create_workqueue
On Sat, Jun 04, 2016 at 08:21:40PM +0530, Bhaktipriya Shridhar wrote: > alloc_workqueue replaces deprecated create_workqueue(). > > A dedicated workqueue has been used since the workitem viz > (&cwq->wk.work which maps to oct_poll_req_completion) is involved > in normal device operation. WQ_MEM_RECLAIM has been set to guarantee > forward progress under memory pressure, which is a requirement here. > Since there are only a fixed number of work items, explicit concurrency > limit is unnecessary. > > flush_workqueue is unnecessary since destroy_workqueue() itself calls > drain_workqueue() which flushes repeatedly till the workqueue > becomes empty. Hence the call to flush_workqueue() has been dropped. > > Signed-off-by: Bhaktipriya Shridhar As with the previous patch, the subject tag doesn't need to contain the full hierarchy but other than that, Acked-by: Tejun Heo Thanks. -- tejun
[PATCH 3.10 089/143] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
From: Tony Luck commit c4fc1956fa31003bfbe4f597e359d751568e2954 upstream. Both of these drivers can return NOTIFY_BAD, but this terminates processing other callbacks that were registered later on the chain. Since the driver did nothing to log the error it seems wrong to prevent other interested parties from seeing it. E.g. neither of them had even bothered to check the type of the error to see if it was a memory error before the return NOTIFY_BAD. Signed-off-by: Tony Luck Acked-by: Aristeu Rozanski Acked-by: Mauro Carvalho Chehab Cc: linux-edac Cc: Link: http://lkml.kernel.org/r/72937355dd92318d2630979666063f8a2853495b.1461864507.git.tony.l...@intel.com Signed-off-by: Borislav Petkov Signed-off-by: Willy Tarreau --- drivers/edac/i7core_edac.c | 2 +- drivers/edac/sb_edac.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/edac/i7core_edac.c b/drivers/edac/i7core_edac.c index 271818a..c4131a7 100644 --- a/drivers/edac/i7core_edac.c +++ b/drivers/edac/i7core_edac.c @@ -1878,7 +1878,7 @@ static int i7core_mce_check_error(struct notifier_block *nb, unsigned long val, i7_dev = get_i7core_dev(mce->socketid); if (!i7_dev) - return NOTIFY_BAD; + return NOTIFY_DONE; mci = i7_dev->mci; pvt = mci->pvt_info; diff --git a/drivers/edac/sb_edac.c b/drivers/edac/sb_edac.c index 3bdefbf..0d40f7f 100644 --- a/drivers/edac/sb_edac.c +++ b/drivers/edac/sb_edac.c @@ -1538,7 +1538,7 @@ static int sbridge_mce_check_error(struct notifier_block *nb, unsigned long val, mci = get_mci_for_node_id(mce->socketid); if (!mci) - return NOTIFY_BAD; + return NOTIFY_DONE; pvt = mci->pvt_info; /* -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 133/143] ring-buffer: Prevent overflow of size in ring_buffer_resize()
From: "Steven Rostedt (Red Hat)"
commit 59643d1535eb220668692a5359de22545af579f6 upstream.
If the size passed to ring_buffer_resize() is greater than MAX_LONG -
BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.
Here's the details:
# echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb
tracing_entries_write() processes this and converts kb to bytes.
18014398509481980 << 10 = 18446744073709547520
and this is passed to ring_buffer_resize() as unsigned long size.
size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
Where DIV_ROUND_UP(a, b) is (a + b - 1)/b
BUF_PAGE_SIZE is 4080 and here
18446744073709547520 + 4080 - 1 = 18446744073709551599
where 18446744073709551599 is still smaller than 2^64
2^64 - 18446744073709551599 = 17
But now 18446744073709551599 / 4080 = 4521260802379792
and size = size * 4080 = 18446744073709551360
This is checked to make sure its still greater than 2 * 4080,
which it is.
Then we convert to the number of buffer pages needed.
nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)
but this time size is 18446744073709551360 and
2^64 - (18446744073709551360 + 4080 - 1) = -3823
Thus it overflows and the resulting number is less than 4080, which makes
3823 / 4080 = 0
an nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.
There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.
Cc: sta...@vger.kernel.org # 3.5+
Fixes: 83f40318dab00 ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt
Signed-off-by: Willy Tarreau
---
kernel/trace/ring_buffer.c | 9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
index 6f70235..c4ce3a9 100644
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1644,14 +1644,13 @@ int ring_buffer_resize(struct ring_buffer *buffer,
unsigned long size,
!cpumask_test_cpu(cpu_id, buffer->cpumask))
return size;
- size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
- size *= BUF_PAGE_SIZE;
+ nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
/* we need a minimum of two pages */
- if (size < BUF_PAGE_SIZE * 2)
- size = BUF_PAGE_SIZE * 2;
+ if (nr_pages < 2)
+ nr_pages = 2;
- nr_pages = DIV_ROUND_UP(size, BUF_PAGE_SIZE);
+ size = nr_pages * BUF_PAGE_SIZE;
/*
* Don't succeed if resizing is disabled, as a reader might be
--
2.8.0.rc2.1.gbe9624a
include/linux/unaligned/access_ok.h:7:19: error: redefinition of 'get_unaligned_le16'
Hi, FYI, the error/warning still remains. tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: 049ec1b5a76d34a6980cccdb7c0baeb4eed7a993 commit: 3194c6870158e305dac2af52f83681e9cb67280f NFC: nfcmrvl: add firmware download support date: 7 months ago config: ia64-allmodconfig (attached as .config) compiler: ia64-linux-gcc (GCC) 4.9.0 reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout 3194c6870158e305dac2af52f83681e9cb67280f # save the attached .config to linux build tree make.cross ARCH=ia64 All errors (new ones prefixed by >>): In file included from drivers/nfc/nfcmrvl/fw_dnld.c:20:0: >> include/linux/unaligned/access_ok.h:7:19: error: redefinition of >> 'get_unaligned_le16' static inline u16 get_unaligned_le16(const void *p) ^ In file included from arch/ia64/include/asm/unaligned.h:4:0, from arch/ia64/include/asm/io.h:22, from arch/ia64/include/asm/smp.h:20, from include/linux/smp.h:59, from include/linux/topology.h:33, from include/linux/gfp.h:8, from include/linux/kmod.h:22, from include/linux/module.h:13, from drivers/nfc/nfcmrvl/fw_dnld.c:19: include/linux/unaligned/le_struct.h:6:19: note: previous definition of 'get_unaligned_le16' was here static inline u16 get_unaligned_le16(const void *p) ^ In file included from drivers/nfc/nfcmrvl/fw_dnld.c:20:0: >> include/linux/unaligned/access_ok.h:12:19: error: redefinition of >> 'get_unaligned_le32' static inline u32 get_unaligned_le32(const void *p) ^ In file included from arch/ia64/include/asm/unaligned.h:4:0, from arch/ia64/include/asm/io.h:22, from arch/ia64/include/asm/smp.h:20, from include/linux/smp.h:59, from include/linux/topology.h:33, from include/linux/gfp.h:8, from include/linux/kmod.h:22, from include/linux/module.h:13, from drivers/nfc/nfcmrvl/fw_dnld.c:19: include/linux/unaligned/le_struct.h:11:19: note: previous definition of 'get_unaligned_le32' was here static inline u32 get_unaligned_le32(const void *p) ^ In file included from drivers/nfc/nfcmrvl/fw_dnld.c:20:0: >> include/linux/unaligned/access_ok.h:17:19: error: redefinition of >> 'get_unaligned_le64' static inline u64 get_unaligned_le64(const void *p) ^ In file included from arch/ia64/include/asm/unaligned.h:4:0, from arch/ia64/include/asm/io.h:22, from arch/ia64/include/asm/smp.h:20, from include/linux/smp.h:59, from include/linux/topology.h:33, from include/linux/gfp.h:8, from include/linux/kmod.h:22, from include/linux/module.h:13, from drivers/nfc/nfcmrvl/fw_dnld.c:19: include/linux/unaligned/le_struct.h:16:19: note: previous definition of 'get_unaligned_le64' was here static inline u64 get_unaligned_le64(const void *p) ^ In file included from drivers/nfc/nfcmrvl/fw_dnld.c:20:0: >> include/linux/unaligned/access_ok.h:22:19: error: redefinition of >> 'get_unaligned_be16' static inline u16 get_unaligned_be16(const void *p) ^ In file included from arch/ia64/include/asm/unaligned.h:5:0, from arch/ia64/include/asm/io.h:22, from arch/ia64/include/asm/smp.h:20, from include/linux/smp.h:59, from include/linux/topology.h:33, from include/linux/gfp.h:8, from include/linux/kmod.h:22, from include/linux/module.h:13, from drivers/nfc/nfcmrvl/fw_dnld.c:19: include/linux/unaligned/be_byteshift.h:40:19: note: previous definition of 'get_unaligned_be16' was here static inline u16 get_unaligned_be16(const void *p) ^ In file included from drivers/nfc/nfcmrvl/fw_dnld.c:20:0: >> include/linux/unaligned/access_ok.h:27:19: error: redefinition of >> 'get_unaligned_be32' static inline u32 get_unaligned_be32(const void *p) ^ In file included from arch/ia64/include/asm/unaligned.h:5:0, from arch/ia64/include/asm/io.h:22, from arch/ia64/include/asm/smp.h:20, from include/linux/smp.h:59, from include/linux/topology.h:33, from include/linux/gfp.h:8, from include/linux/kmod.h:22,
[PATCH 3.10 123/143] route: do not cache fib route info on local routes with oif
From: Chris Friesen
commit d6d5e999e5df67f8ec20b6be45e2229455ee3699 upstream.
For local routes that require a particular output interface we do not want
to cache the result. Caching the result causes incorrect behaviour when
there are multiple source addresses on the interface. The end result
being that if the intended recipient is waiting on that interface for the
packet he won't receive it because it will be delivered on the loopback
interface and the IP_PKTINFO ipi_ifindex will be set to the loopback
interface as well.
This can be tested by running a program such as "dhcp_release" which
attempts to inject a packet on a particular interface so that it is
received by another program on the same board. The receiving process
should see an IP_PKTINFO ipi_ifndex value of the source interface
(e.g., eth1) instead of the loopback interface (e.g., lo). The packet
will still appear on the loopback interface in tcpdump but the important
aspect is that the CMSG info is correct.
Sample dhcp_release command line:
dhcp_release eth1 192.168.204.222 02:11:33:22:44:66
Signed-off-by: Allain Legacy
Signed off-by: Chris Friesen
Reviewed-by: Julian Anastasov
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/ipv4/route.c | 12
1 file changed, 12 insertions(+)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 222e1b6..624ca8e 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1876,6 +1876,18 @@ static struct rtable *__mkroute_output(const struct
fib_result *res,
*/
if (fi && res->prefixlen < 4)
fi = NULL;
+ } else if ((type == RTN_LOCAL) && (orig_oif != 0) &&
+ (orig_oif != dev_out->ifindex)) {
+ /* For local routes that require a particular output interface
+* we do not want to cache the result. Caching the result
+* causes incorrect behaviour when there are multiple source
+* addresses on the interface, the end result being that if the
+* intended recipient is waiting on that interface for the
+* packet he won't receive it because it will be delivered on
+* the loopback interface and the IP_PKTINFO ipi_ifindex will
+* be set to the loopback interface as well.
+*/
+ fi = NULL;
}
fnhe = NULL;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 055/143] hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated
From: Guenter Roeck
commit 3c2e2266a5bd2d1cef258e6e54dca1d99946379f upstream.
arm:pxa_defconfig can result in the following crash if the max driver
is not instantiated.
Unhandled fault: page domain fault (0x01b) at 0x
pgd = c0004000
[] *pgd=
Internal error: : 1b [#1] PREEMPT ARM
Modules linked in:
CPU: 0 PID: 300 Comm: kworker/0:1 Not tainted 4.5.0-01301-g1701f680407c #10
Hardware name: SHARP Akita
Workqueue: events sharpsl_charge_toggle
task: c390a000 ti: c391e000 task.ti: c391e000
PC is at max_read_channel+0x20/0x30
LR is at sharpsl_pm_pxa_read_max+0x2c/0x3c
pc : []lr : []psr: 2013
...
[] (max_read_channel) from []
(sharpsl_pm_pxa_read_max+0x2c/0x3c)
[] (sharpsl_pm_pxa_read_max) from []
(spitzpm_read_devdata+0x5c/0xc4)
[] (spitzpm_read_devdata) from []
(sharpsl_check_battery_temp+0x78/0x110)
[] (sharpsl_check_battery_temp) from []
(sharpsl_charge_toggle+0x48/0x110)
[] (sharpsl_charge_toggle) from []
(process_one_work+0x14c/0x48c)
[] (process_one_work) from [] (worker_thread+0x3c/0x5d4)
[] (worker_thread) from [] (kthread+0xd0/0xec)
[] (kthread) from [] (ret_from_fork+0x14/0x24)
This can occur because the SPI controller driver (SPI_PXA2XX) is built as
module and thus not necessarily loaded. While building SPI_PXA2XX into the
kernel would make the problem disappear, it appears prudent to ensure that
the driver is instantiated before accessing its data structures.
Cc: Arnd Bergmann
Cc: sta...@vger.kernel.org
Signed-off-by: Guenter Roeck
Signed-off-by: Willy Tarreau
---
drivers/hwmon/max.c | 6 ++
1 file changed, 6 insertions(+)
diff --git a/drivers/hwmon/max.c b/drivers/hwmon/max.c
index eda077d..f787f04 100644
--- a/drivers/hwmon/max.c
+++ b/drivers/hwmon/max.c
@@ -85,6 +85,9 @@ static struct max_data *the_max;
int max_read_channel(int channel)
{
+ if (!the_max || !the_max->spi)
+ return -ENODEV;
+
return max_read(&the_max->spi->dev, channel);
}
EXPORT_SYMBOL(max_read_channel);
@@ -260,6 +263,9 @@ static int max_remove(struct spi_device *spi)
{
struct max_data *data = spi_get_drvdata(spi);
+#ifdef CONFIG_SHARPSL_PM
+ the_max = NULL;
+#endif
hwmon_device_unregister(data->hwmon_dev);
sysfs_remove_group(&spi->dev.kobj, &max1110_attr_group);
sysfs_remove_group(&spi->dev.kobj, &max_attr_group);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 056/143] parisc: Avoid function pointers for kernel exception routines
From: Helge Deller commit e3893027a300927049efc1572f852201eb785142 upstream. We want to avoid the kernel module loader to create function pointers for the kernel fixup routines of get_user() and put_user(). Changing the external reference from function type to int type fixes this. This unbreaks exception handling for get_user() and put_user() when called from a kernel module. Signed-off-by: Helge Deller Cc: sta...@vger.kernel.org Signed-off-by: Willy Tarreau --- arch/parisc/kernel/parisc_ksyms.c | 10 +- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/arch/parisc/kernel/parisc_ksyms.c b/arch/parisc/kernel/parisc_ksyms.c index 568b2c6..3cad8aa 100644 --- a/arch/parisc/kernel/parisc_ksyms.c +++ b/arch/parisc/kernel/parisc_ksyms.c @@ -47,11 +47,11 @@ EXPORT_SYMBOL(__cmpxchg_u64); EXPORT_SYMBOL(lclear_user); EXPORT_SYMBOL(lstrnlen_user); -/* Global fixups */ -extern void fixup_get_user_skip_1(void); -extern void fixup_get_user_skip_2(void); -extern void fixup_put_user_skip_1(void); -extern void fixup_put_user_skip_2(void); +/* Global fixups - defined as int to avoid creation of function pointers */ +extern int fixup_get_user_skip_1; +extern int fixup_get_user_skip_2; +extern int fixup_put_user_skip_1; +extern int fixup_put_user_skip_2; EXPORT_SYMBOL(fixup_get_user_skip_1); EXPORT_SYMBOL(fixup_get_user_skip_2); EXPORT_SYMBOL(fixup_put_user_skip_1); -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 073/143] ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
From: Haishuang Yan
commit be447f305494e019dfc37ea4cdf3b0e4200b4eba upstream.
pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
right place.
Signed-off-by: Haishuang Yan
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/l2tp/l2tp_ip6.c | 8 +---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
index e6e8408..db96af9 100644
--- a/net/l2tp/l2tp_ip6.c
+++ b/net/l2tp/l2tp_ip6.c
@@ -135,12 +135,11 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
struct l2tp_tunnel *tunnel = NULL;
int length;
- /* Point to L2TP header */
- optr = ptr = skb->data;
-
if (!pskb_may_pull(skb, 4))
goto discard;
+ /* Point to L2TP header */
+ optr = ptr = skb->data;
session_id = ntohl(*((__be32 *) ptr));
ptr += 4;
@@ -168,6 +167,9 @@ static int l2tp_ip6_recv(struct sk_buff *skb)
if (!pskb_may_pull(skb, length))
goto discard;
+ /* Point to L2TP header */
+ optr = ptr = skb->data;
+ ptr += 4;
pr_debug("%s: ip recv\n", tunnel->name);
print_hex_dump_bytes("", DUMP_PREFIX_OFFSET, ptr, length);
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 063/143] usbnet: cleanup after bind() in probe()
From: Oliver Neukum commit 1666984c8625b3db19a9abc298931d35ab7bc64b upstream. In case bind() works, but a later error forces bailing in probe() in error cases work and a timer may be scheduled. They must be killed. This fixes an error case related to the double free reported in http://www.spinics.net/lists/netdev/msg367669.html and needs to go on top of Linus' fix to cdc-ncm. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Willy Tarreau --- drivers/net/usb/usbnet.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index fb068ad..2255d89 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -1622,6 +1622,13 @@ out3: if (info->unbind) info->unbind (dev, udev); out1: + /* subdrivers must undo all they did in bind() if they +* fail it, but we may fail later and a deferred kevent +* may trigger an error resubmitting itself and, worse, +* schedule a timer. So we kill it all just in case. +*/ + cancel_work_sync(&dev->kevent); + del_timer_sync(&dev->delay); free_netdev(net); out: return status; -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 007/143] KVM: fix spin_lock_init order on x86
From: Paolo Bonzini commit e9ad4ec8379ad1ba6f68b8ca1c26b50b5ae0a327 upstream. Moving the initialization earlier is needed in 4.6 because kvm_arch_init_vm is now using mmu_lock, causing lockdep to complain: [ 284.440294] INFO: trying to register non-static key. [ 284.445259] the code is fine but needs lockdep annotation. [ 284.450736] turning off the locking correctness validator. ... [ 284.528318] [] lock_acquire+0xd3/0x240 [ 284.533733] [] ? kvm_page_track_register_notifier+0x20/0x60 [kvm] [ 284.541467] [] _raw_spin_lock+0x41/0x80 [ 284.546960] [] ? kvm_page_track_register_notifier+0x20/0x60 [kvm] [ 284.554707] [] kvm_page_track_register_notifier+0x20/0x60 [kvm] [ 284.562281] [] kvm_mmu_init_vm+0x20/0x30 [kvm] [ 284.568381] [] kvm_arch_init_vm+0x1ea/0x200 [kvm] [ 284.574740] [] kvm_dev_ioctl+0xbf/0x4d0 [kvm] However, it also helps fixing a preexisting problem, which is why this patch is also good for stable kernels: kvm_create_vm was incrementing current->mm->mm_count but not decrementing it at the out_err label (in case kvm_init_mmu_notifier failed). The new initialization order makes it possible to add the required mmdrop without adding a new error label. Reported-by: Borislav Petkov Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman Signed-off-by: Willy Tarreau --- virt/kvm/kvm_main.c | 21 +++-- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c index 1d4b8be..4f865e1 100644 --- a/virt/kvm/kvm_main.c +++ b/virt/kvm/kvm_main.c @@ -468,6 +468,16 @@ static struct kvm *kvm_create_vm(unsigned long type) if (!kvm) return ERR_PTR(-ENOMEM); + spin_lock_init(&kvm->mmu_lock); + atomic_inc(¤t->mm->mm_count); + kvm->mm = current->mm; + kvm_eventfd_init(kvm); + mutex_init(&kvm->lock); + mutex_init(&kvm->irq_lock); + mutex_init(&kvm->slots_lock); + atomic_set(&kvm->users_count, 1); + INIT_LIST_HEAD(&kvm->devices); + r = kvm_arch_init_vm(kvm, type); if (r) goto out_err_nodisable; @@ -497,16 +507,6 @@ static struct kvm *kvm_create_vm(unsigned long type) goto out_err; } - spin_lock_init(&kvm->mmu_lock); - kvm->mm = current->mm; - atomic_inc(&kvm->mm->mm_count); - kvm_eventfd_init(kvm); - mutex_init(&kvm->lock); - mutex_init(&kvm->irq_lock); - mutex_init(&kvm->slots_lock); - atomic_set(&kvm->users_count, 1); - INIT_LIST_HEAD(&kvm->devices); - r = kvm_init_mmu_notifier(kvm); if (r) goto out_err; @@ -526,6 +526,7 @@ out_err_nodisable: kfree(kvm->buses[i]); kfree(kvm->memslots); kvm_arch_free_vm(kvm); + mmdrop(current->mm); return ERR_PTR(r); } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 028/143] net: irda: Fix use-after-free in irtty_open()
From: Peter Hurley
commit 401879c57f01cbf2da204ad2e8db910525c6dbea upstream.
The N_IRDA line discipline may access the previous line discipline's closed
and already-fre private data on open [1].
The tty->disc_data field _never_ refers to valid data on entry to the
line discipline's open() method. Rather, the ldisc is expected to
initialize that field for its own use for the lifetime of the instance
(ie. from open() to close() only).
[1]
==
BUG: KASAN: use-after-free in irtty_open+0x422/0x550 at addr
8800331dd068
Read of size 4 by task a.out/13960
=
BUG kmalloc-512 (Tainted: GB ): kasan: bad access detected
-
...
Call Trace:
[] __asan_report_load4_noabort+0x3e/0x40
mm/kasan/report.c:279
[] irtty_open+0x422/0x550
drivers/net/irda/irtty-sir.c:436
[] tty_ldisc_open.isra.2+0x60/0xa0
drivers/tty/tty_ldisc.c:447
[] tty_set_ldisc+0x1a0/0x940 drivers/tty/tty_ldisc.c:567
[< inline >] tiocsetd drivers/tty/tty_io.c:2650
[] tty_ioctl+0xace/0x1fd0 drivers/tty/tty_io.c:2883
[< inline >] vfs_ioctl fs/ioctl.c:43
[] do_vfs_ioctl+0x57c/0xe60 fs/ioctl.c:607
[< inline >] SYSC_ioctl fs/ioctl.c:622
[] SyS_ioctl+0x74/0x80 fs/ioctl.c:613
[] entry_SYSCALL_64_fastpath+0x16/0x7a
Reported-and-tested-by: Dmitry Vyukov
Cc:
Signed-off-by: Peter Hurley
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/net/irda/irtty-sir.c | 10 --
1 file changed, 10 deletions(-)
diff --git a/drivers/net/irda/irtty-sir.c b/drivers/net/irda/irtty-sir.c
index a412671..0d71fa9f 100644
--- a/drivers/net/irda/irtty-sir.c
+++ b/drivers/net/irda/irtty-sir.c
@@ -430,16 +430,6 @@ static int irtty_open(struct tty_struct *tty)
/* Module stuff handled via irda_ldisc.owner - Jean II */
- /* First make sure we're not already connected. */
- if (tty->disc_data != NULL) {
- priv = tty->disc_data;
- if (priv && priv->magic == IRTTY_MAGIC) {
- ret = -EEXIST;
- goto out;
- }
- tty->disc_data = NULL; /* ### */
- }
-
/* stop the underlying driver */
irtty_stop_receiver(tty, TRUE);
if (tty->ops->stop)
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 079/143] drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older)
From: Nicolai Hähnle
[Backport of upstream commit f6ff4f67cdf8455d0a4226eeeaf5af17c37d05eb, with
an additional NULL pointer guard that is required for kernels 3.17 and older.
To be precise, any kernel that does *not* have commit 954605ca3 "drm/radeon:
use common fence implementation for fences, v4" requires this additional
NULL pointer guard.]
An arbitrary amount of time can pass between spin_unlock and
radeon_fence_wait_any, so we need to ensure that nobody frees the
fences from under us.
Based on the analogous fix for amdgpu.
Signed-off-by: Nicolai Hähnle
Reviewed-by: Christian König (v1 + fix)
Tested-by: Lutz Euler
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/gpu/drm/radeon/radeon_sa.c | 7 +++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/radeon/radeon_sa.c
b/drivers/gpu/drm/radeon/radeon_sa.c
index f0bac68..8962411 100644
--- a/drivers/gpu/drm/radeon/radeon_sa.c
+++ b/drivers/gpu/drm/radeon/radeon_sa.c
@@ -349,8 +349,15 @@ int radeon_sa_bo_new(struct radeon_device *rdev,
/* see if we can skip over some allocations */
} while (radeon_sa_bo_next_hole(sa_manager, fences, tries));
+ for (i = 0; i < RADEON_NUM_RINGS; ++i) {
+ if (fences[i])
+ radeon_fence_ref(fences[i]);
+ }
+
spin_unlock(&sa_manager->wq.lock);
r = radeon_fence_wait_any(rdev, fences, false);
+ for (i = 0; i < RADEON_NUM_RINGS; ++i)
+ radeon_fence_unref(&fences[i]);
spin_lock(&sa_manager->wq.lock);
/* if we have nothing to wait for block */
if (r == -ENOENT && block) {
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 122/143] decnet: Do not build routes to devices without decnet private data.
From: "David S. Miller"
commit a36a0d4008488fa545c74445d69eaf56377d5d4e upstream.
In particular, make sure we check for decnet private presence
for loopback devices.
Signed-off-by: David S. Miller
Signed-off-by: Willy Tarreau
---
net/decnet/dn_route.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index fe32388..b961005 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -1030,10 +1030,13 @@ source_ok:
if (!fld.daddr) {
fld.daddr = fld.saddr;
- err = -EADDRNOTAVAIL;
if (dev_out)
dev_put(dev_out);
+ err = -EINVAL;
dev_out = init_net.loopback_dev;
+ if (!dev_out->dn_ptr)
+ goto out;
+ err = -EADDRNOTAVAIL;
dev_hold(dev_out);
if (!fld.daddr) {
fld.daddr =
@@ -1106,6 +1109,8 @@ source_ok:
if (dev_out == NULL)
goto out;
dn_db = rcu_dereference_raw(dev_out->dn_ptr);
+ if (!dn_db)
+ goto e_inval;
/* Possible improvement - check all devices for local addr */
if (dn_dev_islocal(dev_out, fld.daddr)) {
dev_put(dev_out);
@@ -1147,6 +1152,8 @@ select_source:
dev_put(dev_out);
dev_out = init_net.loopback_dev;
dev_hold(dev_out);
+ if (!dev_out->dn_ptr)
+ goto e_inval;
fld.flowidn_oif = dev_out->ifindex;
if (res.fi)
dn_fib_info_put(res.fi);
--
2.8.0.rc2.1.gbe9624a
Re: [PATCH] nfds: Fix NFSD_MDS_PR_KEY on 32-bit by adding ULL postfix
On Sun, 2016-06-05 at 11:23 +0200, Geert Uytterhoeven wrote:
> On 32-bit:
>
> fs/nfsd/blocklayout.c: In function ‘nfsd4_block_get_device_info_scsi’:
> fs/nfsd/blocklayout.c:337: warning: integer constant is too large for
> ‘long’ type
> fs/nfsd/blocklayout.c:344: warning: integer constant is too large for
> ‘long’ type
> fs/nfsd/blocklayout.c: In function ‘nfsd4_scsi_fence_client’:
> fs/nfsd/blocklayout.c:385: warning: integer constant is too large for
> ‘long’ type
>
> Add the missing "ULL" postfix to 64-bit constant NFSD_MDS_PR_KEY to fix
> this.
>
> Fixes: f99d4fbdae6765d0 ("nfsd: add SCSI layout support")
> Signed-off-by: Geert Uytterhoeven
> Reviewed-by: Christoph Hellwig
> ---
> v2:
> - Add Reviewed-by.
>
> Despite Bruce's "Thanks, applying for 4.6.--b." on 2016-03-29, this
> still hasn't made it into next-20160603.
> ---
> fs/nfsd/blocklayout.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/blocklayout.c b/fs/nfsd/blocklayout.c
> index e55b5242614da7a9..31f3df193bdbb47b 100644
> --- a/fs/nfsd/blocklayout.c
> +++ b/fs/nfsd/blocklayout.c
> @@ -290,7 +290,7 @@ out_free_buf:
> return error;
> }
>
> -#define NFSD_MDS_PR_KEY 0x0100
> +#define NFSD_MDS_PR_KEY 0x0100ULL
>
> /*
> * We use the client ID as a unique key for the reservations.
Thanks!
Reviewed-by: Jeff Layton
[PATCH 3.10 112/143] ACPICA: Dispatcher: Update thread ID for recursive method calls
From: Prarit Bhargava commit 93d68841a23a5779cef6fb9aa0ef32e7c5bd00da upstream. ACPICA commit 7a3bd2d962f221809f25ddb826c9e551b916eb25 Set the mutex owner thread ID. Original patch from: Prarit Bhargava Link: https://bugzilla.kernel.org/show_bug.cgi?id=115121 Link: https://github.com/acpica/acpica/commit/7a3bd2d9 Signed-off-by: Prarit Bhargava Tested-by: Andy Lutomirski # On a Dell XPS 13 9350 Signed-off-by: Bob Moore Signed-off-by: Lv Zheng Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Willy Tarreau --- drivers/acpi/acpica/dsmethod.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c index a9ffd44..2184259 100644 --- a/drivers/acpi/acpica/dsmethod.c +++ b/drivers/acpi/acpica/dsmethod.c @@ -267,6 +267,9 @@ acpi_ds_begin_method_execution(struct acpi_namespace_node *method_node, obj_desc->method.mutex->mutex. original_sync_level = obj_desc->method.mutex->mutex.sync_level; + + obj_desc->method.mutex->mutex.thread_id = + acpi_os_get_thread_id(); } } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 064/143] udp6: fix UDP/IPv6 encap resubmit path
From: Bill Sommerfeld commit 59dca1d8a6725a121dae6c452de0b2611d5865dc upstream. IPv4 interprets a negative return value from a protocol handler as a request to redispatch to a new protocol. In contrast, IPv6 interprets a negative value as an error, and interprets a positive value as a request for redispatch. UDP for IPv6 was unaware of this difference. Change __udp6_lib_rcv() to return a positive value for redispatch. Note that the socket's encap_rcv hook still needs to return a negative value to request dispatch, and in the case of IPv6 packets, adjust IP6CB(skb)->nhoff to identify the byte containing the next protocol. Signed-off-by: Bill Sommerfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman Signed-off-by: Willy Tarreau --- net/ipv6/udp.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c index 7e39018..3046d02 100644 --- a/net/ipv6/udp.c +++ b/net/ipv6/udp.c @@ -839,11 +839,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable, int ret = udpv6_queue_rcv_skb(sk, skb); sock_put(sk); - /* a return value > 0 means to resubmit the input, but -* it wants the return to be -protocol, or 0 -*/ + /* a return value > 0 means to resubmit the input */ if (ret > 0) - return -ret; + return ret; return 0; } -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 080/143] [media] usbvision-video: fix memory leak of alt_max_pkt_size
From: Alexey Khoroshilov
commit 090c65b694c362adb19ec9c27de216a808ee443c upstream.
1. usbvision->alt_max_pkt_size is not deallocated anywhere.
2. if allocation of usbvision->alt_max_pkt_size fails,
there is no proper deallocation of already acquired resources.
The patch adds kfree(usbvision->alt_max_pkt_size) to
usbvision_release() as soon as other deallocations happen there.
It calls usbvision_release() if allocation of
usbvision->alt_max_pkt_size fails as soon as usbvision_release()
is safe to work with incompletely initialized usbvision structure.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab
Signed-off-by: Willy Tarreau
---
drivers/media/usb/usbvision/usbvision-video.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/media/usb/usbvision/usbvision-video.c
b/drivers/media/usb/usbvision/usbvision-video.c
index d34c2af..443e7833 100644
--- a/drivers/media/usb/usbvision/usbvision-video.c
+++ b/drivers/media/usb/usbvision/usbvision-video.c
@@ -1459,6 +1459,7 @@ static void usbvision_release(struct usb_usbvision
*usbvision)
usbvision_remove_sysfs(usbvision->vdev);
usbvision_unregister_video(usbvision);
+ kfree(usbvision->alt_max_pkt_size);
usb_free_urb(usbvision->ctrl_urb);
@@ -1574,6 +1575,7 @@ static int usbvision_probe(struct usb_interface *intf,
usbvision->alt_max_pkt_size = kmalloc(32 * usbvision->num_alt,
GFP_KERNEL);
if (usbvision->alt_max_pkt_size == NULL) {
dev_err(&intf->dev, "usbvision: out of memory!\n");
+ usbvision_release(usbvision);
return -ENOMEM;
}
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 104/143] ipvs: correct initial offset of Call-ID header search in SIP persistence engine
From: Marco Angaroni
commit 7617a24f83b5d67f4dab1844956be1cebc44aec8 upstream.
The IPVS SIP persistence engine is not able to parse the SIP header
"Call-ID" when such header is inserted in the first positions of
the SIP message.
When IPVS is configured with "--pe sip" option, like for example:
ipvsadm -A -u 1.2.3.4:5060 -s rr --pe sip -p 120 -o
some particular messages (see below for details) do not create entries
in the connection template table, which can be listed with:
ipvsadm -Lcn --persistent-conn
Problematic SIP messages are SIP responses having "Call-ID" header
positioned just after message first line:
SIP/2.0 200 OK
[Call-ID header here]
[rest of the headers]
When "Call-ID" header is positioned down (after a few other headers)
it is correctly recognized.
This is due to the data offset used in get_callid function call inside
ip_vs_pe_sip.c file: since dptr already points to the start of the
SIP message, the value of dataoff should be initially 0.
Otherwise the header is searched starting from some bytes after the
first character of the SIP message.
Fixes: 758ff0338722 ("IPVS: sip persistence engine")
Signed-off-by: Marco Angaroni
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
Signed-off-by: Willy Tarreau
---
net/netfilter/ipvs/ip_vs_pe_sip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c
b/net/netfilter/ipvs/ip_vs_pe_sip.c
index bed5f70..bb318e4 100644
--- a/net/netfilter/ipvs/ip_vs_pe_sip.c
+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c
@@ -88,7 +88,7 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct
sk_buff *skb)
dptr = skb->data + dataoff;
datalen = skb->len - dataoff;
- if (get_callid(dptr, dataoff, datalen, &matchoff, &matchlen))
+ if (get_callid(dptr, 0, datalen, &matchoff, &matchlen))
return -EINVAL;
/* N.B: pe_data is only set on success,
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 025/143] USB: option: add "D-Link DWM-221 B1" device id
From: Bjørn Mork
commit d48d5691ebf88a15d95ba96486917ffc79256536 upstream.
Thomas reports:
"Windows:
00 diagnostics
01 modem
02 at-port
03 nmea
04 nic
Linux:
T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=2001 ProdID=7e19 Rev=02.32
S: Manufacturer=Mobile Connect
S: Product=Mobile Connect
S: SerialNumber=0123456789ABCDEF
C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
Reported-by: Thomas Schäfer
Cc:
Signed-off-by: Bjørn Mork
Signed-off-by: Johan Hovold
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/option.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/serial/option.c b/drivers/usb/serial/option.c
index 24366a2..99c89d7 100644
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1818,6 +1818,8 @@ static const struct usb_device_id option_ids[] = {
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
+ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),
/* D-Link DWM-221 B1 */
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /*
D-Link DWM-152/C1 */
{ USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /*
D-Link DWM-156/C1 */
{ USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },/*
OLICARD300 - MT6225 */
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 116/143] powerpc: scan_features() updates incorrect bits for REAL_LE
From: Anton Blanchard
commit 6997e57d693b07289694239e52a10d2f02c3a46f upstream.
The REAL_LE feature entry in the ibm_pa_feature struct is missing an MMU
feature value, meaning all the remaining elements initialise the wrong
values.
This means instead of checking for byte 5, bit 0, we check for byte 0,
bit 0, and then we incorrectly set the CPU feature bit as well as MMU
feature bit 1 and CPU user feature bits 0 and 2 (5).
Checking byte 0 bit 0 (IBM numbering), means we're looking at the
"Memory Management Unit (MMU)" feature - ie. does the CPU have an MMU.
In practice that bit is set on all platforms which have the property.
This means we set CPU_FTR_REAL_LE always. In practice that seems not to
matter because all the modern cpus which have this property also
implement REAL_LE, and we've never needed to disable it.
We're also incorrectly setting MMU feature bit 1, which is:
#define MMU_FTR_TYPE_8xx 0x0002
Luckily the only place that looks for MMU_FTR_TYPE_8xx is in Book3E
code, which can't run on the same cpus as scan_features(). So this also
doesn't matter in practice.
Finally in the CPU user feature mask, we're setting bits 0 and 2. Bit 2
is not currently used, and bit 0 is:
#define PPC_FEATURE_PPC_LE0x0001
Which says the CPU supports the old style "PPC Little Endian" mode.
Again this should be harmless in practice as no 64-bit CPUs implement
that mode.
Fix the code by adding the missing initialisation of the MMU feature.
Also add a comment marking CPU user feature bit 2 (0x4) as reserved. It
would be unsafe to start using it as old kernels incorrectly set it.
Fixes: 44ae3ab3358e ("powerpc: Free up some CPU feature bits by moving out
MMU-related features")
Signed-off-by: Anton Blanchard
[mpe: Flesh out changelog, add comment reserving 0x4]
Signed-off-by: Michael Ellerman
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
arch/powerpc/include/uapi/asm/cputable.h | 1 +
arch/powerpc/kernel/prom.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/arch/powerpc/include/uapi/asm/cputable.h
b/arch/powerpc/include/uapi/asm/cputable.h
index de2c0e4..67de80a 100644
--- a/arch/powerpc/include/uapi/asm/cputable.h
+++ b/arch/powerpc/include/uapi/asm/cputable.h
@@ -31,6 +31,7 @@
#define PPC_FEATURE_PSERIES_PERFMON_COMPAT \
0x0040
+/* Reserved - do not use 0x0004 */
#define PPC_FEATURE_TRUE_LE0x0002
#define PPC_FEATURE_PPC_LE 0x0001
diff --git a/arch/powerpc/kernel/prom.c b/arch/powerpc/kernel/prom.c
index 8b6f7a9..e8c45b7 100644
--- a/arch/powerpc/kernel/prom.c
+++ b/arch/powerpc/kernel/prom.c
@@ -159,7 +159,7 @@ static struct ibm_pa_feature {
{CPU_FTR_NOEXECUTE, 0, 0, 0, 6, 0},
{CPU_FTR_NODSISRALIGN, 0, 0,1, 1, 1},
{0, MMU_FTR_CI_LARGE_PAGE, 0, 1, 2, 0},
- {CPU_FTR_REAL_LE, PPC_FEATURE_TRUE_LE, 5, 0, 0},
+ {CPU_FTR_REAL_LE, 0, PPC_FEATURE_TRUE_LE, 5, 0, 0},
};
static void __init scan_features(unsigned long node, unsigned char *ftrs,
--
2.8.0.rc2.1.gbe9624a
Re: [PATCH] net: wireless: marvell: libertas: Remove create_workqueue
On Sat, Jun 04, 2016 at 07:29:01PM +0530, Bhaktipriya Shridhar wrote: > alloc_workqueue replaces deprecated create_workqueue(). > > In if_sdio.c, the workqueue card->workqueue has workitem > &card->packet_worker, which is mapped to if_sdio_host_to_card_worker. > The workitem is involved in sending packets to firmware. > Forward progress under memory pressure is a requirement here. > > In if_spi.c, the workqueue card->workqueue has workitem > &card->packet_worker, which is mapped to if_spi_host_to_card_worker. > The workitem is involved in sending command packets from the host. > Forward progress under memory pressure is a requirement here. > > Dedicated workqueues have been used in both cases since the workitems > on the workqueues are involved in normal device operation with > WQ_MEM_RECLAIM set to gurantee forward progress under memory pressure. > Since there are only a fixed number of work items, explicit concurrency > limit is unnecessary. > > flush_workqueue is unnecessary since destroy_workqueue() itself calls > drain_workqueue() which flushes repeatedly till the workqueue > becomes empty. Hence the calls to flush_workqueue() before > destroy_workqueue() have been dropped. > > Signed-off-by: Bhaktipriya Shridhar Acked-by: Tejun Heo Thanks. -- tejun
[PATCH 3.10 027/143] Input: powermate - fix oops with malicious USB descriptors
From: Josh Boyer commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream. The powermate driver expects at least one valid USB endpoint in its probe function. If given malicious descriptors that specify 0 for the number of endpoints, it will crash. Validate the number of endpoints on the interface before using them. The full report for this issue can be found here: http://seclists.org/bugtraq/2016/Mar/85 Reported-by: Ralf Spenneberg Cc: stable Signed-off-by: Josh Boyer Signed-off-by: Dmitry Torokhov Signed-off-by: Willy Tarreau --- drivers/input/misc/powermate.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/input/misc/powermate.c b/drivers/input/misc/powermate.c index 49c0c3e..21ce1cf 100644 --- a/drivers/input/misc/powermate.c +++ b/drivers/input/misc/powermate.c @@ -308,6 +308,9 @@ static int powermate_probe(struct usb_interface *intf, const struct usb_device_i int error = -ENOMEM; interface = intf->cur_altsetting; + if (interface->desc.bNumEndpoints < 1) + return -EINVAL; + endpoint = &interface->endpoint[0].desc; if (!usb_endpoint_is_int_in(endpoint)) return -EIO; -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 121/143] ARM: OMAP3: Fix booting with thumb2 kernel
From: Tony Lindgren
commit d8a50941c91a68da202aaa96a3dacd471ea9c693 upstream.
We get a NULL pointer dereference on omap3 for thumb2 compiled kernels:
Internal error: Oops: 8005 [#1] SMP THUMB2
...
[] (_raw_spin_unlock_irqrestore) from []
(omap3_enter_idle_bm+0xc5/0x178)
[] (omap3_enter_idle_bm) from []
(cpuidle_enter_state+0x77/0x27c)
[] (cpuidle_enter_state) from []
(cpu_startup_entry+0x155/0x23c)
[] (cpu_startup_entry) from []
(start_kernel+0x32f/0x338)
[] (start_kernel) from [<8000807f>] (0x8000807f)
The power management related assembly on omaps needs to interact with
ARM mode bootrom code, so we need to keep most of the related assembly
in ARM mode.
Turns out this error is because of missing ENDPROC for assembly code
as suggested by Stephen Boyd . Let's fix the
problem by adding ENDPROC in two places to sleep34xx.S.
Let's also remove the now duplicate custom code for mode switching.
This has been unnecessary since commit 6ebbf2ce437b ("ARM: convert
all "mov.* pc, reg" to "bx reg" for ARMv6+").
And let's also remove the comments about local variables, they are
now just confusing after the ENDPROC.
The reason why ENDPROC makes a difference is it sets .type and then
the compiler knows what to do with the thumb bit as explained at:
https://wiki.ubuntu.com/ARM/Thumb2PortingHowto
Reported-by: Kevin Hilman
Tested-by: Kevin Hilman
Signed-off-by: Tony Lindgren
Signed-off-by: Willy Tarreau
---
arch/arm/mach-omap2/sleep34xx.S | 22 ++
1 file changed, 2 insertions(+), 20 deletions(-)
diff --git a/arch/arm/mach-omap2/sleep34xx.S b/arch/arm/mach-omap2/sleep34xx.S
index d1dedc8..eafd120 100644
--- a/arch/arm/mach-omap2/sleep34xx.S
+++ b/arch/arm/mach-omap2/sleep34xx.S
@@ -203,23 +203,8 @@ save_context_wfi:
*/
ldr r1, kernel_flush
blx r1
- /*
-* The kernel doesn't interwork: v7_flush_dcache_all in particluar will
-* always return in Thumb state when CONFIG_THUMB2_KERNEL is enabled.
-* This sequence switches back to ARM. Note that .align may insert a
-* nop: bx pc needs to be word-aligned in order to work.
-*/
- THUMB(.thumb )
- THUMB(.align )
- THUMB(bx pc )
- THUMB(nop )
- .arm
-
b omap3_do_wfi
-
-/*
- * Local variables
- */
+ENDPROC(omap34xx_cpu_suspend)
omap3_do_wfi_sram_addr:
.word omap3_do_wfi_sram
kernel_flush:
@@ -364,10 +349,7 @@ exit_nonoff_modes:
* ===
*/
ldmfd sp!, {r4 - r11, pc} @ restore regs and return
-
-/*
- * Local variables
- */
+ENDPROC(omap3_do_wfi)
sdrc_power:
.word SDRC_POWER_V
cm_idlest1_core:
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 088/143] i2c: cpm: Fix build break due to incompatible pointer types
From: Michael Ellerman
commit 609d5a1b2b35bb62b4b3750396e55453160c2a17 upstream.
Since commit ea8daa7b9784 ("kbuild: Add option to turn incompatible
pointer check into error"), assignments from an incompatible pointer
types have become a hard error, eg:
drivers/i2c/busses/i2c-cpm.c:545:91: error: passing argument 3 of
'dma_alloc_coherent' from incompatible pointer type
Fix the build break by converting txdma & rxdma to dma_addr_t.
Signed-off-by: Michael Ellerman
Signed-off-by: Wolfram Sang
Cc: sta...@kernel.org
Fixes: ea8daa7b9784
Signed-off-by: Willy Tarreau
---
drivers/i2c/busses/i2c-cpm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-cpm.c b/drivers/i2c/busses/i2c-cpm.c
index 3823623..693e4ce 100644
--- a/drivers/i2c/busses/i2c-cpm.c
+++ b/drivers/i2c/busses/i2c-cpm.c
@@ -120,8 +120,8 @@ struct cpm_i2c {
cbd_t __iomem *rbase;
u_char *txbuf[CPM_MAXBD];
u_char *rxbuf[CPM_MAXBD];
- u32 txdma[CPM_MAXBD];
- u32 rxdma[CPM_MAXBD];
+ dma_addr_t txdma[CPM_MAXBD];
+ dma_addr_t rxdma[CPM_MAXBD];
};
static irqreturn_t cpm_i2c_interrupt(int irq, void *dev_id)
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 120/143] asmlinkage, pnp: Make variables used from assembler code visible
From: Andi Kleen
commit a99aa42d0253f033cbb85096d3f2bd82201321e6 upstream.
Mark variables referenced from assembler files visible.
This fixes compile problems with LTO.
Cc: Jaroslav Kysela
Signed-off-by: Andi Kleen
Link:
http://lkml.kernel.org/r/1391845930-28580-4-git-send-email...@linux.intel.com
Signed-off-by: H. Peter Anvin
Signed-off-by: Willy Tarreau
---
drivers/pnp/pnpbios/bioscalls.c | 9 +
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
index 769d265..deb7f4b 100644
--- a/drivers/pnp/pnpbios/bioscalls.c
+++ b/drivers/pnp/pnpbios/bioscalls.c
@@ -21,7 +21,7 @@
#include "pnpbios.h"
-static struct {
+__visible struct {
u16 offset;
u16 segment;
} pnp_bios_callpoint;
@@ -41,6 +41,7 @@ asmlinkage void pnp_bios_callfunc(void);
__asm__(".text \n"
__ALIGN_STR "\n"
+ ".globl pnp_bios_callfunc\n"
"pnp_bios_callfunc:\n"
" pushl %edx \n"
" pushl %ecx \n"
@@ -66,9 +67,9 @@ static struct desc_struct bad_bios_desc =
GDT_ENTRY_INIT(0x4092,
* after PnP BIOS oopses.
*/
-u32 pnp_bios_fault_esp;
-u32 pnp_bios_fault_eip;
-u32 pnp_bios_is_utter_crap = 0;
+__visible u32 pnp_bios_fault_esp;
+__visible u32 pnp_bios_fault_eip;
+__visible u32 pnp_bios_is_utter_crap = 0;
static spinlock_t pnp_bios_lock;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 115/143] Input: ads7846 - correct the value got from SPI
From: Andrey Gelman
commit 879f2fea8a5a748bcbf98d2cdce9139c045505d3 upstream.
According to the touch controller spec, SPI return a 16 bit value, only 12
bits are valid, they are bit[14-3].
The value of MISO and MOSI can be configured when SPI is in idle mode.
Currently this touch driver assumes the SPI bus sets the MOSI and MISO in
low level when SPI bus is in idle mode. So the bit[15] of the value got
from SPI bus is always 0. But when SPI bus congfigures the MOSI and MISO in
high level during the SPI idle mode, the bit[15] of the value get from SPI
is always 1. If bit[15] is not masked, we may get the wrong value.
Mask the invalid bit to make sure the correct value gets returned.
Regardless of the SPI bus idle configuration.
Signed-off-by: Andrey Gelman
Signed-off-by: Haibo Chen
Signed-off-by: Igor Grinberg
Signed-off-by: Dmitry Torokhov
Signed-off-by: Willy Tarreau
---
drivers/input/touchscreen/ads7846.c | 8 ++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/drivers/input/touchscreen/ads7846.c
b/drivers/input/touchscreen/ads7846.c
index 84ccf14..9332e46 100644
--- a/drivers/input/touchscreen/ads7846.c
+++ b/drivers/input/touchscreen/ads7846.c
@@ -697,18 +697,22 @@ static int ads7846_no_filter(void *ads, int data_idx, int
*val)
static int ads7846_get_value(struct ads7846 *ts, struct spi_message *m)
{
+ int value;
struct spi_transfer *t =
list_entry(m->transfers.prev, struct spi_transfer,
transfer_list);
if (ts->model == 7845) {
- return be16_to_cpup((__be16 *)&(((char*)t->rx_buf)[1])) >> 3;
+ value = be16_to_cpup((__be16 *)&(((char *)t->rx_buf)[1]));
} else {
/*
* adjust: on-wire is a must-ignore bit, a BE12 value, then
* padding; built from two 8 bit values written msb-first.
*/
- return be16_to_cpup((__be16 *)t->rx_buf) >> 3;
+ value = be16_to_cpup((__be16 *)t->rx_buf);
}
+
+ /* enforce ADC output is 12 bits width */
+ return (value >> 3) & 0xfff;
}
static void ads7846_update_value(struct spi_message *m, int val)
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 087/143] Input: gtco - fix crash on detecting device without endpoints
From: Vladis Dronov
commit 162f98dea487206d9ab79fc12ed64700667a894d upstream.
The gtco driver expects at least one valid endpoint. If given malicious
descriptors that specify 0 for the number of endpoints, it will crash in
the probe function. Ensure there is at least one endpoint on the interface
before using it.
Also let's fix a minor coding style issue.
The full correct report of this issue can be found in the public
Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1283385
Reported-by: Ralf Spenneberg
Signed-off-by: Vladis Dronov
Cc: sta...@vger.kernel.org
Signed-off-by: Dmitry Torokhov
Signed-off-by: Willy Tarreau
---
drivers/input/tablet/gtco.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/input/tablet/gtco.c b/drivers/input/tablet/gtco.c
index 29e01ab..a9f8f92 100644
--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -869,6 +869,14 @@ static int gtco_probe(struct usb_interface *usbinterface,
goto err_free_buf;
}
+ /* Sanity check that a device has an endpoint */
+ if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
+ dev_err(&usbinterface->dev,
+ "Invalid number of endpoints\n");
+ error = -EINVAL;
+ goto err_free_urb;
+ }
+
/*
* The endpoint is always altsetting 0, we know this since we know
* this device only has one interrupt endpoint
@@ -890,7 +898,7 @@ static int gtco_probe(struct usb_interface *usbinterface,
* HID report descriptor
*/
if (usb_get_extra_descriptor(usbinterface->cur_altsetting,
-HID_DEVICE_TYPE, &hid_desc) != 0){
+HID_DEVICE_TYPE, &hid_desc) != 0) {
dev_err(&usbinterface->dev,
"Can't retrieve exta USB descriptor to get hid report
descriptor length\n");
error = -EIO;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 130/143] net: fix a kernel infoleak in x25 module
From: Kangjie Lu commit 79e48650320e6fba48369fccf13fd045315b19b8 upstream. Stack object "dte_facilities" is allocated in x25_rx_call_request(), which is supposed to be initialized in x25_negotiate_facilities. However, 5 fields (8 bytes in total) are not initialized. This object is then copied to userland via copy_to_user, thus infoleak occurs. Signed-off-by: Kangjie Lu Signed-off-by: David S. Miller Signed-off-by: Willy Tarreau --- net/x25/x25_facilities.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c index 66c63873..de7552d 100644 --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c @@ -271,6 +271,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, memset(&theirs, 0, sizeof(theirs)); memcpy(new, ours, sizeof(*new)); + memset(dte, 0, sizeof(*dte)); len = x25_parse_facilities(skb, &theirs, dte, &x25->vc_facil_mask); if (len < 0) -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 051/143] ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list
From: Joseph Qi
commit be12b299a83fc807bbaccd2bcb8ec50cbb0cb55c upstream.
When master handles convert request, it queues ast first and then
returns status. This may happen that the ast is sent before the request
status because the above two messages are sent by two threads. And
right after the ast is sent, if master down, it may trigger BUG in
dlm_move_lockres_to_recovery_list in the requested node because ast
handler moves it to grant list without clear lock->convert_pending. So
remove BUG_ON statement and check if the ast is processed in
dlmconvert_remote.
Signed-off-by: Joseph Qi
Reported-by: Yiwen Jiang
Cc: Junxiao Bi
Cc: Mark Fasheh
Cc: Joel Becker
Cc: Tariq Saeed
Cc: Junxiao Bi
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Willy Tarreau
---
fs/ocfs2/dlm/dlmconvert.c | 13 +
fs/ocfs2/dlm/dlmrecovery.c | 1 -
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/ocfs2/dlm/dlmconvert.c b/fs/ocfs2/dlm/dlmconvert.c
index 093200f..f65bdcf 100644
--- a/fs/ocfs2/dlm/dlmconvert.c
+++ b/fs/ocfs2/dlm/dlmconvert.c
@@ -291,6 +291,19 @@ enum dlm_status dlmconvert_remote(struct dlm_ctxt *dlm,
status = DLM_DENIED;
goto bail;
}
+
+ if (lock->ml.type == type && lock->ml.convert_type == LKM_IVMODE) {
+ mlog(0, "last convert request returned DLM_RECOVERING, but "
+"owner has already queued and sent ast to me. res %.*s, "
+"(cookie=%u:%llu, type=%d, conv=%d)\n",
+res->lockname.len, res->lockname.name,
+dlm_get_lock_cookie_node(be64_to_cpu(lock->ml.cookie)),
+dlm_get_lock_cookie_seq(be64_to_cpu(lock->ml.cookie)),
+lock->ml.type, lock->ml.convert_type);
+ status = DLM_NORMAL;
+ goto bail;
+ }
+
res->state |= DLM_LOCK_RES_IN_PROGRESS;
/* move lock to local convert queue */
/* do not alter lock refcount. switching lists. */
diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c
index 01c69f2..33e9d70 100644
--- a/fs/ocfs2/dlm/dlmrecovery.c
+++ b/fs/ocfs2/dlm/dlmrecovery.c
@@ -2034,7 +2034,6 @@ void dlm_move_lockres_to_recovery_list(struct dlm_ctxt
*dlm,
dlm_lock_get(lock);
if (lock->convert_pending) {
/* move converting lock back to granted */
- BUG_ON(i != DLM_CONVERTING_LIST);
mlog(0, "node died with convert pending "
"on %.*s. move back to granted list.\n",
res->lockname.len, res->lockname.name);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 083/143] usb: xhci: fix wild pointers in xhci_mem_cleanup
From: Lu Baolu commit 71504062a7c34838c3fccd92c447f399d3cb5797 upstream. This patch fixes some wild pointers produced by xhci_mem_cleanup. These wild pointers will cause system crash if xhci_mem_cleanup() is called twice. Reported-and-tested-by: Pengcheng Li Signed-off-by: Lu Baolu Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman [wt: struct xhci_hcd has no ext_caps members in 3.10 ] Signed-off-by: Willy Tarreau --- drivers/usb/host/xhci-mem.c | 5 + 1 file changed, 5 insertions(+) diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c index 87e82e6..af9e4e8 100644 --- a/drivers/usb/host/xhci-mem.c +++ b/drivers/usb/host/xhci-mem.c @@ -1861,6 +1861,11 @@ no_bw: kfree(xhci->port_array); kfree(xhci->rh_bw); + xhci->usb2_ports = NULL; + xhci->usb3_ports = NULL; + xhci->port_array = NULL; + xhci->rh_bw = NULL; + xhci->page_size = 0; xhci->page_shift = 0; xhci->bus_state[0].bus_suspended = 0; -- 2.8.0.rc2.1.gbe9624a
[PATCH 3.10 098/143] drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors
From: Michael Hennerich
commit f3df53e4d70b5736368a8fe8aa1bb70c1cb1f577 upstream.
Fix RDAC read back errors caused by a typo. Value must shift by 2.
Fixes: a4bd394956f2 ("drivers/misc/ad525x_dpot.c: new features")
Signed-off-by: Michael Hennerich
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/misc/ad525x_dpot.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/ad525x_dpot.c b/drivers/misc/ad525x_dpot.c
index 8f99e8e..beb7422 100644
--- a/drivers/misc/ad525x_dpot.c
+++ b/drivers/misc/ad525x_dpot.c
@@ -216,7 +216,7 @@ static s32 dpot_read_i2c(struct dpot_data *dpot, u8 reg)
*/
value = swab16(value);
- if (dpot->uid == DPOT_UID(AD5271_ID))
+ if (dpot->uid == DPOT_UID(AD5274_ID))
value = value >> 2;
return value;
default:
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 109/143] proc: prevent accessing /proc//environ until it's ready
From: Mathias Krause
commit 8148a73c9901a8794a50f950083c00ccf97d43b3 upstream.
If /proc//environ gets read before the envp[] array is fully set up
in create_{aout,elf,elf_fdpic,flat}_tables(), we might end up trying to
read more bytes than are actually written, as env_start will already be
set but env_end will still be zero, making the range calculation
underflow, allowing to read beyond the end of what has been written.
Fix this as it is done for /proc//cmdline by testing env_end for
zero. It is, apparently, intentionally set last in create_*_tables().
This bug was found by the PaX size_overflow plugin that detected the
arithmetic underflow of 'this_len = env_end - (env_start + src)' when
env_end is still zero.
The expected consequence is that userland trying to access
/proc//environ of a not yet fully set up process may get
inconsistent data as we're in the middle of copying in the environment
variables.
Fixes: https://forums.grsecurity.net/viewtopic.php?f=3&t=4363
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=116461
Signed-off-by: Mathias Krause
Cc: Emese Revfy
Cc: Pax Team
Cc: Al Viro
Cc: Mateusz Guzik
Cc: Alexey Dobriyan
Cc: Cyrill Gorcunov
Cc: Jarod Wilson
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
fs/proc/base.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 7b5d453..e5160b7 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -844,7 +844,8 @@ static ssize_t environ_read(struct file *file, char __user
*buf,
int ret = 0;
struct mm_struct *mm = file->private_data;
- if (!mm)
+ /* Ensure the process spawned far enough to have an environment. */
+ if (!mm || !mm->env_end)
return 0;
page = (char *)__get_free_page(GFP_TEMPORARY);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 138/143] USB: serial: keyspan: fix use-after-free in probe error path
From: Johan Hovold
commit 35be1a71d70775e7bd7e45fa6d2897342ff4c9d2 upstream.
The interface instat and indat URBs were submitted in attach, but never
unlinked in release before deallocating the corresponding transfer
buffers.
In the case of a late probe error (e.g. due to failed minor allocation),
disconnect would not have been called before release, causing the
buffers to be freed while the URBs are still in use. We'd also end up
with active URBs for an unbound interface.
Fixes: f9c99bb8b3a1 ("USB: usb-serial: replace shutdown with disconnect,
release")
Cc: stable # v2.6.31
Signed-off-by: Johan Hovold
Acked-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/usb/serial/keyspan.c | 4
1 file changed, 4 insertions(+)
diff --git a/drivers/usb/serial/keyspan.c b/drivers/usb/serial/keyspan.c
index cec377b..32a67c6 100644
--- a/drivers/usb/serial/keyspan.c
+++ b/drivers/usb/serial/keyspan.c
@@ -2392,6 +2392,10 @@ static void keyspan_release(struct usb_serial *serial)
s_priv = usb_get_serial_data(serial);
+ /* Make sure to unlink the URBs submitted in attach. */
+ usb_kill_urb(s_priv->instat_urb);
+ usb_kill_urb(s_priv->indat_urb);
+
usb_free_urb(s_priv->instat_urb);
usb_free_urb(s_priv->indat_urb);
usb_free_urb(s_priv->glocont_urb);
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 014/143] sg: fix dxferp in from_to case
From: Douglas Gilbert
commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream.
One of the strange things that the original sg driver did was let the
user provide both a data-out buffer (it followed the sg_header+cdb)
_and_ specify a reply length greater than zero. What happened was that
the user data-out buffer was copied into some kernel buffers and then
the mid level was told a read type operation would take place with the
data from the device overwriting the same kernel buffers. The user would
then read those kernel buffers back into the user space.
>From what I can tell, the above action was broken by commit fad7f01e61bf
("sg: set dxferp to NULL for READ with the older SG interface") in 2008
and syzkaller found that out recently.
Make sure that a user space pointer is passed through when data follows
the sg_header structure and command. Fix the abnormal case when a
non-zero reply_len is also given.
Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6
Cc: #v2.6.28+
Signed-off-by: Douglas Gilbert
Reviewed-by: Ewan Milne
Signed-off-by: Martin K. Petersen
Signed-off-by: Willy Tarreau
---
drivers/scsi/sg.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 0be16bf..1f65e32 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char __user *buf, size_t
count, loff_t * ppos)
else
hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV :
SG_DXFER_NONE;
hp->dxfer_len = mxsize;
- if (hp->dxfer_direction == SG_DXFER_TO_DEV)
+ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
+ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
hp->dxferp = (char __user *)buf + cmd_size;
else
hp->dxferp = NULL;
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 011/143] x86: Rename X86_CR4_RDWRGSFS to X86_CR4_FSGSBASE
From: "H. Peter Anvin"
commit afcbf13fa6d53d8a97eafaca1dcb344331d2ce0c upstream.
Rename X86_CR4_RDWRGSFS to X86_CR4_FSGSBASE to match the SDM.
Signed-off-by: H. Peter Anvin
Cc: Marcelo Tosatti
Cc: Gleb Natapov
Link: http://lkml.kernel.org/n/tip-buq1evi5dpykxx7ak6ama...@git.kernel.org
[wt: backported to 3.10 only to keep next patch clean]
Signed-off-by: Willy Tarreau
---
arch/x86/include/asm/kvm_host.h | 2 +-
arch/x86/include/uapi/asm/processor-flags.h | 2 +-
arch/x86/kvm/x86.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/include/asm/kvm_host.h b/arch/x86/include/asm/kvm_host.h
index 98b68c2..b76c1bf 100644
--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -59,7 +59,7 @@
(~(unsigned long)(X86_CR4_VME | X86_CR4_PVI | X86_CR4_TSD | X86_CR4_DE\
| X86_CR4_PSE | X86_CR4_PAE | X86_CR4_MCE \
| X86_CR4_PGE | X86_CR4_PCE | X86_CR4_OSFXSR |
X86_CR4_PCIDE \
- | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_RDWRGSFS \
+ | X86_CR4_OSXSAVE | X86_CR4_SMEP | X86_CR4_FSGSBASE \
| X86_CR4_OSXMMEXCPT | X86_CR4_VMXE))
#define CR8_RESERVED_BITS (~(unsigned long)X86_CR8_TPR)
diff --git a/arch/x86/include/uapi/asm/processor-flags.h
b/arch/x86/include/uapi/asm/processor-flags.h
index b16e6d2..1b34df5 100644
--- a/arch/x86/include/uapi/asm/processor-flags.h
+++ b/arch/x86/include/uapi/asm/processor-flags.h
@@ -61,7 +61,7 @@
#define X86_CR4_OSFXSR 0x0200 /* enable fast FPU save and restore */
#define X86_CR4_OSXMMEXCPT 0x0400 /* enable unmasked SSE exceptions */
#define X86_CR4_VMXE 0x2000 /* enable VMX virtualization */
-#define X86_CR4_RDWRGSFS 0x0001 /* enable RDWRGSFS support */
+#define X86_CR4_FSGSBASE 0x0001 /* enable RDWRGSFS support */
#define X86_CR4_PCIDE 0x0002 /* enable PCID support */
#define X86_CR4_OSXSAVE 0x0004 /* enable xsave and xrestore */
#define X86_CR4_SMEP 0x0010 /* enable SMEP support */
diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 7f2b6de..3c0b085 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -626,7 +626,7 @@ int kvm_set_cr4(struct kvm_vcpu *vcpu, unsigned long cr4)
if (!guest_cpuid_has_smep(vcpu) && (cr4 & X86_CR4_SMEP))
return 1;
- if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_RDWRGSFS))
+ if (!guest_cpuid_has_fsgsbase(vcpu) && (cr4 & X86_CR4_FSGSBASE))
return 1;
if (is_long_mode(vcpu)) {
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 096/143] misc/bmp085: Enable building as a module
From: Ben Hutchings
commit 50e6315dba721cbc24ccd6d7b299f1782f210a98 upstream.
Commit 985087dbcb02 'misc: add support for bmp18x chips to the bmp085
driver' changed the BMP085 config symbol to a boolean. I see no
reason why the shared code cannot be built as a module, so change it
back to tristate.
Fixes: 985087dbcb02 ("misc: add support for bmp18x chips to the bmp085 driver")
Cc: Eric Andersson
Signed-off-by: Ben Hutchings
Acked-by: Arnd Bergmann
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Willy Tarreau
---
drivers/misc/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/Kconfig b/drivers/misc/Kconfig
index c002d86..7a68184 100644
--- a/drivers/misc/Kconfig
+++ b/drivers/misc/Kconfig
@@ -451,7 +451,7 @@ config ARM_CHARLCD
still useful.
config BMP085
- bool
+ tristate
depends on SYSFS
config BMP085_I2C
--
2.8.0.rc2.1.gbe9624a
[PATCH 3.10 101/143] perf stat: Document --detailed option
From: Borislav Petkov
commit f594bae08183fb6b57db55387794ece3e1edf6f6 upstream.
I'm surprised this remained undocumented since at least 2011. And it is
actually a very useful switch, as Steve and I came to realize recently.
Add the text from
2cba3ffb9a9d ("perf stat: Add -d -d and -d -d -d options to show more CPU
events")
which added the incrementing aspect to -d.
Tested-by: Arnaldo Carvalho de Melo
Signed-off-by: Borislav Petkov
Signed-off-by: Arnaldo Carvalho de Melo
Cc: Alexander Shishkin
Cc: David Ahern
Cc: Davidlohr Bueso
Cc: Jiri Olsa
Cc: Mel Gorman
Cc: Namhyung Kim
Cc: Peter Zijlstra
Cc: Peter Zijlstra
Cc: Steven Rostedt
Cc: Thomas Gleixner
Fixes: 2cba3ffb9a9d ("perf stat: Add -d -d and -d -d -d options to show more
CPU events")
Link: http://lkml.kernel.org/r/1457347294-32546-1-git-send-email...@alien8.de
Signed-off-by: Ingo Molnar
Signed-off-by: Willy Tarreau
---
tools/perf/Documentation/perf-stat.txt | 8
1 file changed, 8 insertions(+)
diff --git a/tools/perf/Documentation/perf-stat.txt
b/tools/perf/Documentation/perf-stat.txt
index 2fe87fb..8c96047 100644
--- a/tools/perf/Documentation/perf-stat.txt
+++ b/tools/perf/Documentation/perf-stat.txt
@@ -50,6 +50,14 @@ OPTIONS
--scale::
scale/normalize counter values
+-d::
+--detailed::
+ print more detailed statistics, can be specified up to 3 times
+
+ -d: detailed events, L1 and LLC data cache
+-d -d: more detailed events, dTLB and iTLB events
+ -d -d -d: very detailed events, adding prefetch events
+
-r::
--repeat=::
repeat command and print average + stddev (max: 100). 0 means forever.
--
2.8.0.rc2.1.gbe9624a
