Re: [PATCH] kernel/hung_task.c: allow to set period separately from timeout
On 2018/06/09 6:58, Andrew Morton wrote: > On Fri, 8 Jun 2018 15:30:43 +0200 Dmitry Vyukov wrote: > >> Currently task hung checking period is equal to timeout, >> as the result hung is detected anywhere between timeout and 2*timeout. >> This is fine for most interactive environments, but this hurts automated >> testing setups (syzbot). In an automated setup we need to strictly order >> CPU lockup < RCU stall < workqueue lockup < task hung < silent loss, >> so that RCU stall is not detected as task hung and task hung is not >> detected as silent machine loss. The large variance in task hung >> detection timeout requires setting silent machine loss timeout to >> a very large value (e.g. if task hung is 3 mins, then silent loss >> need to be set to ~7 mins). The additional 3 minutes significantly >> reduce testing efficiency because usually we crash kernel within >> a minute, and this can add hours to bug localization process as it >> needs to do dozens of tests. >> >> Allow setting checking period separately from timeout. >> This allows to set timeout to, say, 3 minutes, but period to 10 secs. >> >> The period is controlled via a new hung_task_period_secs sysctl, >> similar to the existing hung_task_timeout_secs sysctl. >> The default value of 0 results in the current behavior. > > I'm rather struggling to understand the difference between "period" and > "timeout". We would benefit from a clear description of what these two > things do. An appropriate place for this description is > Documentation/sysctl/kernel.txt, which this patch forgot to update. My understanding is that "period" is "how frequently we should check" and "timeout" is "how long a thread remained uninterruptible". Maybe hung_task_check_interval_secs would be better than hung_task_period_secs. timeout = 60 and period = 1 would allow hung task to be reported as soon as it remained uninterruptible for 60 seconds. That makes me easier to narrow down relevant kernel messages and syzbot program. Well, showing exact slept time, along with all threads which slept more than some threshold (e.g. timeout / 2), might be helpful.
Re: [PATCH v3 4/6] mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
On Fri, 1 Jun 2018 00:16:35 +0200
Stefan Agner wrote:
> +
> +static int tegra_nand_chips_init(struct device *dev,
> + struct tegra_nand_controller *ctrl)
> +{
> + struct device_node *np = dev->of_node;
> + struct device_node *np_nand;
> + int nchips = of_get_child_count(np);
> + struct tegra_nand_chip *nand;
> + struct mtd_info *mtd;
> + struct nand_chip *chip;
> + unsigned long config, bch_config = 0;
> + int bits_per_step;
> + int ret;
> +
> + if (nchips != 1) {
> + dev_err(dev, "Currently only one NAND chip supported\n");
> + return -EINVAL;
> + }
> +
> + np_nand = of_get_next_child(np, NULL);
> +
> + nand = devm_kzalloc(dev, sizeof(*nand), GFP_KERNEL);
> + if (!nand)
> + return -ENOMEM;
> +
> + nand->wp_gpio = devm_gpiod_get_optional(dev, "wp", GPIOD_OUT_LOW);
> +
> + if (IS_ERR(nand->wp_gpio)) {
> + ret = PTR_ERR(nand->wp_gpio);
> + dev_err(dev, "Failed to request WP GPIO: %d\n", ret);
> + return ret;
> + }
> +
You should retrieve the value of reg and store it somewhere in
tegra_nand_chip. ->select_chip() is passed a chip_CE id, and it has to
be converted into a ctrl_CE id. Right now you're assuming that ctrl_CE0
always drives chip_CE0, but that's not necessarily the case.
Also, you don't support multi-CE chips, so you should check the number
of entries in reg and fail if it's not 1.
Re: [RFC v4 0/1] i-search functionality for mconf
Sam Ravnborg writes: > Hi Dirk. > > On Fri, Jun 08, 2018 at 08:46:05PM +0200, Dirk Gouders wrote: >> Hello, >> >> this version is a prototype of the idea, Sam suggested -- I hope I >> undestood it correctly. >> >> This is a remarkable change to mconf in it's behavior; mainly it now >> differentiates two focuses and operates differently, depending on the >> focus. When the focus is on the menu, mconf is in i-search mode, for >> a detailed description see 1/1. >> >> As stated earlier, this is just a prototype, documentation is missing >> and the code is not ready for a real commit. > > When trying this out it started to work as envisioned. > But somehw I manage to get stuck in the menus and cannot navigate to > the buttons. > > Consider to remove the old short-cut for the menus. > (Most/all the first_alph thingy in menubox.c) > That will avoid two confliting navigations principles and likely > make the code simpler to read. > > I am not sure, but maybe you can get rid of all the hotkey > support in print_item with this change too. Hi Sam, thank you (and also to Randy) for having a look at it. Next, I will prepare a patch, more thorougly tested, documentation included and with hotkey support removed. You are right, trying to support two navigation principles makes everything too complex and I was too eager to keep as much of today's functionality as possible. Dirk
Re: [RFC PATCH v3 03/10] PM: Introduce an Energy Model management framework
On Thu, Jun 07, 2018 at 06:04:19PM +0200, Juri Lelli wrote:
> On 07/06/18 16:19, Quentin Perret wrote:
> > Hi Juri,
> >
> > On Thursday 07 Jun 2018 at 16:44:09 (+0200), Juri Lelli wrote:
> > > On 21/05/18 15:24, Quentin Perret wrote:
>
> [...]
>
> > > > +static void fd_update_cs_table(struct em_cs_table *cs_table, int cpu)
> > > > +{
> > > > + unsigned long cmax = arch_scale_cpu_capacity(NULL, cpu);
> > > > + int max_cap_state = cs_table->nr_cap_states - 1;
> > > ^
> > > You don't need this on the stack, right?
> >
> > Oh, why not ?
> >
>
> Because you use it only once here below? Anyway, more a (debatable)
> nitpick than anything.
The compiler optimizes that for you because it knows that it is used
only once. It doesn't put it in the stack, it uses a register. As it
is, it's more readable so I'd rather keep it.
For reference, this is the code gcc 7.3 generates for arm64 for
fd_update_cstable() (which is inlined in em_rescale_cpu_capacity():
x27 holds the address to cs_table
1ac: b9400b63ldr w3, [x27, #8] ; w3 = cs_table->nr_cap_states
1b0: b9406fa4ldr w4, [x29, #108] ; w4 = 0x18 (sizeof(struct
em_cap_state))
1b4: f9400362ldr x2, [x27] ; x2 = &cs_table[state]
1b8: 51000461sub w1, w3, #0x1; w1 max_cap_state =
cs_table->nr_cap_states - 1
[...]
1cc: 9b240821smaddl x1, w1, w4, x2 ; x1 =
&cs_table->state[max_cap_state]
[...]
1d4: f9400427ldr x7, [x1, #8]; x7 fmax =
cs_table->state[max_cap_state].frequency
[...] ; calculates cmax *
cs_table->state[i].frequency in x0
200: 9ac70800udivx0, x0, x7 ; x0 = x0 / fmax
; x0 is then stored to
cs_table->state[i].capacity
Re: [RFC PATCH v3 03/10] PM: Introduce an Energy Model management framework
On Fri, Jun 08, 2018 at 04:47:39PM +0100, Quentin Perret wrote: > Hi Javi, > > On Friday 08 Jun 2018 at 14:39:42 (+0100), Javi Merino wrote: > > On Wed, Jun 06, 2018 at 05:26:47PM +0100, Quentin Perret wrote: > > > On Wednesday 06 Jun 2018 at 16:29:50 (+0100), Quentin Perret wrote: > > > > On Wednesday 06 Jun 2018 at 17:20:00 (+0200), Juri Lelli wrote: > > > > > > > This brings me to another question. Let's say there are multiple > > > > > > > users of > > > > > > > the Energy Model in the system. Shouldn't the units of frequency > > > > > > > and power > > > > > > > not standardized, maybe Mhz and mW? > > > > > > > The task scheduler doesn't care since it is only interested in > > > > > > > power diffs > > > > > > > but other user might do. > > > > > > > > > > > > So the good thing about specifying units is that we can probably > > > > > > assume > > > > > > ranges on the values. If the power is in mW, assuming that we're > > > > > > talking > > > > > > about a single CPU, it'll probably fit in 16 bits. 65W/core should > > > > > > be > > > > > > a reasonable upper-bound ? > > > > > > But there are also vendors who might not be happy with disclosing > > > > > > absolute > > > > > > values ... These are sometimes considered sensitive and only > > > > > > relative > > > > > > numbers are discussed publicly. Now, you can also argue that we > > > > > > already > > > > > > have units specified in IPA for ex, and that it doesn't really > > > > > > matter if > > > > > > a driver "lies" about the real value, as long as the ratios are > > > > > > correct. > > > > > > And I guess that anyone can do measurement on the hardware and get > > > > > > those > > > > > > values anyway. So specifying a unit (mW) for the power is probably a > > > > > > good idea. > > > > > > > > > > Mmm, I remember we fought quite a bit while getting capacity-dmpis-mhz > > > > > binding accepted, and one of the musts was that the values were going > > > > > to > > > > > be normalized. So, normalized power values again maybe? > > > > > > > > Hmmm, that's a very good point ... There should be no problems on the > > > > scheduler side -- we're only interested in correct ratios. But I'm not > > > > sure on the thermal side ... I will double check that. > > > > > > So, IPA needs to compare the power of the CPUs with the power of other > > > things (e.g. GPUs). So we can't normalize the power of the CPUs without > > > normalizing in the same scale the power of the other devices. I see two > > > possibilities: > > > > > > 1) we don't normalize the CPU power values, we specify them in mW, and > > >we document (and maybe throw a warning if we see an issue at runtime) > > >the max range of values. The max expected power for a single core > > >could be 65K for ex (16bits). And based on that we can verify > > >overflow and precision issues in the algorithms, and we keep it easy > > >to compare the CPU power numbers with other devices. > > > > > > 2) we normalize the power values, but that means that the EM framework > > >has to manage not only CPUs, but also other types of devices, and > > >normalized their power values as well. That's required to keep the > > >scale consistent across all of them, and keep comparisons doable. > > >But if we do this, we still have to keep a normalized and a "raw" > > >version of the power for all devices. And the "raw" power must still > > >be in the same unit across all devices, otherwise the re-scaling is > > >broken. The main benefit of doing this is that the range of > > >acceptable "raw" power values can be larger, probably 32bits, and > > >that the precision of the normalized range is arbitrary. > > > > > > I feel like 2) involves a lot of complexity, and not so many benefits, > > > so I'd be happy to go with 1). Unless I forgot something ? > > > > From the thermal point of view, the power values don't need to have > > any given unit, as long as the values are comparable to each other. > > OK, thanks for confirming that :-) > > > Do we need to normalize anything in the kernel though? Can't we just > > assume that whatever the platform is telling us is correct? Quentin > > mentioned it earlier: sometimes absolute values are considered > > sensitive and we only get ones that are correct relative to the rest > > of the system. > > I'm happy to specify the units as mW and let the drivers lie about the > true values. At least that helps them lie coherently if another > subsystem requires power in uW for example. I think this is a good option. Cheers, Javi
Re: [PATCH v7 15/17] mm: Generalize shrink_slab() calls in shrink_node()
Hi, Shakeel. On 08.06.2018 22:21, Shakeel Butt wrote: > On Tue, May 22, 2018 at 3:09 AM Kirill Tkhai wrote: >> >> From: Vladimir Davydov >> >> The patch makes shrink_slab() be called for root_mem_cgroup >> in the same way as it's called for the rest of cgroups. >> This simplifies the logic and improves the readability. >> >> Signed-off-by: Vladimir Davydov >> ktkhai: Description written. >> Signed-off-by: Kirill Tkhai >> --- >> mm/vmscan.c | 21 ++--- >> 1 file changed, 6 insertions(+), 15 deletions(-) >> >> diff --git a/mm/vmscan.c b/mm/vmscan.c >> index f26ca1e00efb..6dbc659db120 100644 >> --- a/mm/vmscan.c >> +++ b/mm/vmscan.c >> @@ -628,10 +628,8 @@ static unsigned long shrink_slab_memcg(gfp_t gfp_mask, >> int nid, >> * @nid is passed along to shrinkers with SHRINKER_NUMA_AWARE set, >> * unaware shrinkers will receive a node id of 0 instead. >> * >> - * @memcg specifies the memory cgroup to target. If it is not NULL, >> - * only shrinkers with SHRINKER_MEMCG_AWARE set will be called to scan >> - * objects from the memory cgroup specified. Otherwise, only unaware >> - * shrinkers are called. >> + * @memcg specifies the memory cgroup to target. Unaware shrinkers >> + * are called only if it is the root cgroup. >> * >> * @priority is sc->priority, we take the number of objects and >> by >> priority >> * in order to get the scan target. >> @@ -645,7 +643,7 @@ static unsigned long shrink_slab(gfp_t gfp_mask, int nid, >> struct shrinker *shrinker; >> unsigned long freed = 0; >> > > Shouldn't there be a VM_BUG_ON(!memcg) here? memcg can be NULL here in case of memory controller is disabled at boot parameters and in case of it's a global reclaim. So, such the check we can't add here. Thanks, Kirill
Re: [PATCH] Fixed coding style problems.
Thanks for the feedback! I will retry the submission. Regards, Chris
[PATCH] staging: comedi: shortened a long line
Shortened a long line to improve readability in
drivers/staging/comedi/drivers.c
Signed-off-by: Chris Opperman
---
drivers/staging/comedi/drivers.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c
index 9d73347..90ee974 100644
--- a/drivers/staging/comedi/drivers.c
+++ b/drivers/staging/comedi/drivers.c
@@ -475,7 +475,8 @@ unsigned int comedi_nsamples_left(struct comedi_subdevice
*s,
struct comedi_cmd *cmd = &async->cmd;
if (cmd->stop_src == TRIG_COUNT) {
- unsigned int scans_left = __comedi_nscans_left(s,
cmd->stop_arg);
+ unsigned int scans_left =
+ __comedi_nscans_left(s, cmd->stop_arg);
unsigned int scan_pos =
comedi_bytes_to_samples(s, async->scan_progress);
unsigned long long samples_left = 0;
--
2.1.4
Re: [PATCH] staging: comedi: shortened a long line
On Sat, 2018-06-09 at 12:54 +0200, Chris Opperman wrote:
> Shortened a long line to improve readability in
> drivers/staging/comedi/drivers.c
Hi Chris.
Look at the whole function and see if you can
find a better way to write it instead of merely
doing what a brainless tool like checkpatch asks.
> diff --git a/drivers/staging/comedi/drivers.c
> b/drivers/staging/comedi/drivers.c
[]
> @@ -475,7 +475,8 @@ unsigned int comedi_nsamples_left(struct comedi_subdevice
> *s,
> struct comedi_cmd *cmd = &async->cmd;
>
> if (cmd->stop_src == TRIG_COUNT) {
> - unsigned int scans_left = __comedi_nscans_left(s,
> cmd->stop_arg);
> + unsigned int scans_left =
> + __comedi_nscans_left(s, cmd->stop_arg);
> unsigned int scan_pos =
> comedi_bytes_to_samples(s, async->scan_progress);
> unsigned long long samples_left = 0;
For instance, this is the existing function:
unsigned int comedi_nsamples_left(struct comedi_subdevice *s,
unsigned int nsamples)
{
struct comedi_async *async = s->async;
struct comedi_cmd *cmd = &async->cmd;
if (cmd->stop_src == TRIG_COUNT) {
unsigned int scans_left = __comedi_nscans_left(s,
cmd->stop_arg);
unsigned int scan_pos =
comedi_bytes_to_samples(s, async->scan_progress);
unsigned long long samples_left = 0;
if (scans_left) {
samples_left = ((unsigned long long)scans_left *
cmd->scan_end_arg) - scan_pos;
}
if (samples_left < nsamples)
nsamples = samples_left;
}
return nsamples;
}
EXPORT_SYMBOL_GPL(comedi_nsamples_left);
By using multiple returns and removing indentation,
this could become something that doesn't fits
neatly on 80 columns.
It's the same number of vertical lines too.
unsigned int comedi_nsamples_left(struct comedi_subdevice *s,
unsigned int nsamples)
{
struct comedi_async *async = s->async;
struct comedi_cmd *cmd = &async->cmd;
unsigned int scans_left;
u64 samples_left;
if (cmd->stop_src != TRIG_COUNT)
return nsamples;
scans_left = __comedi_nscans_left(s, cmd->stop_arg);
if (scans_left == 0)
return 0;
samples_left = (u64)scans_left * cmd->scan_end_arg -
comedi_bytes_to_samples(s, s->async->scan_progress);
if (samples_left < nsamples)
return samples_left;
return nsamples;
}
EXPORT_SYMBOL_GPL(comedi_nsamples_left);
4.16.14: kernel tried to execute NX-protected page [after USB device went to charging state]
Hello, My Holus GPSport 245 was used to download a gpx track. Afterwards I turned the device off while it was attached to USB so it could charge. Later I found these messages you can find below. Is this an actual bug? # dmesg [213812.789603] amdgpu: [powerplay] pp_dpm_get_temperature was not implemented. [213812.789620] amdgpu: [powerplay] pp_dpm_get_temperature was not implemented. [223632.282418] usb 1-7: new full-speed USB device number 6 using xhci_hcd [223632.529546] usb 1-7: New USB device found, idVendor=10c4, idProduct=ea60 [223632.529553] usb 1-7: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [223632.529557] usb 1-7: Product: CP2102 USB to UART Bridge Controller [223632.529561] usb 1-7: Manufacturer: Silicon Labs [223632.529564] usb 1-7: SerialNumber: 0001 [223632.742576] usbcore: registered new interface driver usbserial_generic [223632.742589] usbserial: USB Serial support registered for generic [223632.755240] usbcore: registered new interface driver cp210x [223632.755254] usbserial: USB Serial support registered for cp210x [223632.755286] cp210x 1-7:1.0: cp210x converter detected [223632.768623] usb 1-7: cp210x converter now attached to ttyUSB0 [225389.048501] usb 1-7: USB disconnect, device number 6 [225389.048758] cp210x ttyUSB0: cp210x converter now disconnected from ttyUSB0 [225389.048785] kernel tried to execute NX-protected page - exploit attempt? (uid: 0) [225389.048788] BUG: unable to handle kernel paging request at c08b64e0 [225389.048797] IP: usb_serial_exit+0x35df/0xff [usbserial] [225389.048799] PGD 2ea00c067 P4D 2ea00c067 PUD 2ea00e067 PMD 408590067 PTE 800109510163 [225389.048807] Oops: 0011 [#1] PREEMPT SMP NOPTI [225389.048809] Modules linked in: cp210x usbserial it87(O) hwmon_vid fuse ipt_REJECT nf_reject_ipv4 xt_u32 xt_multiport iptable_filter ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat cpufreq_userspace nf_conntrack_netbios_ns nf_conntrack_broadcast ip6t_REJECT nf_reject_ipv6 xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 xt_conntrack msr nf_conntrack ip6table_filter ip6_tables eeprom uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 snd_usb_audio videodev snd_hwdep videobuf2_common cdc_acm snd_usbmidi_lib snd_rawmidi amdgpu snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_seq snd_seq_device snd_pcm chash snd_timer gpu_sched backlight snd ttm i2c_piix4 evdev acpi_cpufreq k10temp nfsd auth_rpcgss nfs_acl [225389.048857] lockd grace sunrpc binfmt_misc ip_tables x_tables hid_generic sr_mod cdrom usbhid i2c_dev autofs4 [last unloaded: hwmon_vid] [225389.048871] CPU: 1 PID: 5717 Comm: kworker/1:2 Tainted: G O 4.16.14 #5 [225389.048873] Hardware name: Gigabyte Technology Co., Ltd. X470 AORUS ULTRA GAMING/X470 AORUS ULTRA GAMING-CF, BIOS F3g 05/10/2018 [225389.048880] Workqueue: usb_hub_wq hub_event [225389.048886] RIP: 0010:usb_serial_exit+0x35df/0xff [usbserial] [225389.048889] RSP: 0018:90d3c8c27be8 EFLAGS: 00010282 [225389.048892] RAX: c08b64e0 RBX: 8bd5d2190ae8 RCX: [225389.048895] RDX: 8001 RSI: 0282 RDI: 8bd5d2190ad8 [225389.048897] RBP: 8bd5d2190ad8 R08: R09: [225389.048899] R10: R11: R12: 8bd392029480 [225389.048902] R13: 8bd64b4d4e00 R14: 8bd64d2fc030 R15: 8bd64d2fc030 [225389.048905] FS: () GS:8bd65ee4() knlGS: [225389.048908] CS: 0010 DS: ES: CR0: 80050033 [225389.048910] CR2: c08b64e0 CR3: 0003f0b5 CR4: 003406e0 [225389.048912] Call Trace: [225389.048918] ? device_release+0x39/0xa0 [225389.048924] ? kobject_put+0xa1/0x1c0 [225389.048929] ? usb_serial_put+0x4c/0xf0 [usbserial] [225389.048933] ? usb_serial_disconnect+0xdd/0x100 [usbserial] [225389.048938] ? usb_unbind_interface+0x66/0x1e0 [225389.048942] ? device_release_driver_internal+0x17a/0x230 [225389.048946] ? bus_remove_device+0xe0/0x150 [225389.048950] ? device_del+0x129/0x330 [225389.048954] ? usb_disable_device+0x8d/0x230 [225389.048958] ? usb_disconnect+0xb1/0x270 [225389.048962] ? hub_event+0x5f5/0x13b0 [225389.048967] ? SyS_uname+0x11/0xa0 [225389.048971] ? process_one_work+0x1a1/0x2f0 [225389.048974] ? worker_thread+0x26/0x3f0 [225389.048978] ? process_one_work+0x2f0/0x2f0 [225389.048982] ? kthread+0x109/0x120 [225389.048986] ? kthread_create_on_node+0x60/0x60 [225389.048991] ? ret_from_fork+0x22/0x40 [225389.048994] Code: ff ff ff 29 1a 8b c0 ff ff ff ff 50 73 8b c0 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 8b c0 ff ff ff ff 00 00 00 00 00 00 00 00 00 65 8b c0 ff [225389.049043] RIP: usb_serial_exit+0x35df/0xff [usbserial] RSP: 90d3c8c27be8 [225389.049045] CR2: c08b64e0 [225389.049048] ---[ end trace 43c4e5674b0ca81f ]---
Do You Need A Helping Hand?
I am Mavis Wanczyk i know you may not know me but am the latest largest US Powerball lottery winner of $758.7m just of recent, am currently helping out people in need of financial assistance, i know it's hard to believe anything on the internet, so if you don't need my help please don't reply to this message. Regards Mavis Wanczyk Do You Need A Helping Hand?
Re: [PATCH v3] mm: fix race between kmem_cache destroy, create and deactivate
On Tue, May 29, 2018 at 05:12:04PM -0700, Shakeel Butt wrote: > The memcg kmem cache creation and deactivation (SLUB only) is > asynchronous. If a root kmem cache is destroyed whose memcg cache is in > the process of creation or deactivation, the kernel may crash. > > Example of one such crash: > general protection fault: [#1] SMP PTI > CPU: 1 PID: 1721 Comm: kworker/14:1 Not tainted 4.17.0-smp > ... > Workqueue: memcg_kmem_cache kmemcg_deactivate_workfn > RIP: 0010:has_cpu_slab > ... > Call Trace: > ? on_each_cpu_cond > __kmem_cache_shrink > kmemcg_cache_deact_after_rcu > kmemcg_deactivate_workfn > process_one_work > worker_thread > kthread > ret_from_fork+0x35/0x40 > > To fix this race, on root kmem cache destruction, mark the cache as > dying and flush the workqueue used for memcg kmem cache creation and > deactivation. > @@ -845,6 +862,8 @@ void kmem_cache_destroy(struct kmem_cache *s) > if (unlikely(!s)) > return; > > + flush_memcg_workqueue(s); > + This should definitely help against async memcg_kmem_cache_create(), but I'm afraid it doesn't eliminate the race with async destruction, unfortunately, because the latter uses call_rcu_sched(): memcg_deactivate_kmem_caches __kmem_cache_deactivate slab_deactivate_memcg_cache_rcu_sched call_rcu_sched kmem_cache_destroy shutdown_memcg_caches shutdown_cache memcg_deactivate_rcufn Can we somehow flush those pending rcu requests?
Re: [PATCH 1/2] platform/x86: asus-wmi: Call new led hw_changed API on kbd brightness change
Hi, On 09-06-18 02:33, Darren Hart wrote: On Wed, Jun 06, 2018 at 05:32:52PM +0200, Hans de Goede wrote: If we are adding hwdb entries anyway to control the userspace interpretation of the TOGGLE key, then we could also add the new CYCLE key and explicitly re-map it to TOGGLE. That requires slightly more logic in hwdb, but it does mean that we could theoretically just drop the workaround if we ever stop caring about Xorg. Hmm, interesting proposal, I say go for it :) So maybe the next stop is that I can follow Darren's suggestion to eliminate the is_kbd_led_event() and send a v2 for review? I believe the best compromise we have right now is to do what Hans suggested in an earlier proposal. That is implementing the two separate behaviours in the kernel 1) handle this in the kernel as if the hardware changed it, and 2) send a new KEY_KBDILLUMCYCLE event [default]. I think you mean or, not and, depending on a module option the code should do either 1) or 2) not both :) Darren, Andy could you live with a module option for this? We are of course strongly opposed to adding module options. I agree we can't ignore Xorg. I agree policy in general should not be in the kernel. I also see many of these drivers as the last mile to getting a platform fully working. If there is a place for one-off fixes, it's in these drivers. I'd love to refactor and use proper abstractions and all that as the patterns make those abstractions clear - but I don't want to delay getting something working waiting for the ideal solution. So I have two questions I'd like to confirm before saying "OK" to a module option. 1) Hans I think you said that doing the code conversion from TOGGLE to UP based on the LED value and the max value was racy with userspace. What is the failure mode here? Is it not easily recoverable? And how do I enter it? g-s-d can currently already auto-dim the brightness of the kbd backlight when idle (if there are enough brightness levels). Lets say that the brightness is at its highest setting and the user wants to cycle the backlight to off. But just before the user hits the cycle key, the timeout expires and userspace dimms the backlight, now the kernel processes the cycle key event, sees it is not max and sends an up, instead of the expected toggle. Note we already have this problem on machines where the cycle behavior is implemented in the firmware/hardware rather then inside the kernel. A bigger problem with sending up-up-up-toggle is that g-s-d saves the current brightness (max) on the first toggle and restores that on the second toggle, so the second up-up-up-toggle sequence we end up restoring the max, going from max to max on the toggle. So the user needs to press toggle twice at max brightness to get to off (and then once for the next cycle, then 2 times again for the cycle after that, etc.). So I think it is fair to say that sending up-up-up-toggle is not a good idea. Do I have to simultaneously modify the software brightness control AND press the keyboard brightness control? How practical is that? If recoverable AND hard to trigger, I think there is value in the very simple 3 level brightness cycle being handled in the kernel. 2) Why is a module option preferable to a compile time option? It seems to me the policy will be largely distro dependent, and the same kernel needing to support both modes seems likely to be pretty rare. Because lets say that we have everything in place in a recent Fedora to handle the cycle-key in userspace, so we have a mapping for the new event at all levels and g-s-d code to handle it. Then this will still only work for GNOME3 and possibly other wayland based desktop environments. While some of our users will keep using the X11 based XFCE or mate desktop environments. So what we actually want is a module option, with a configurable default. So that we can make the default send the cycle event in a future Fedora, while XFCE / mate users can override the default using the module option. ### So typing all of the above has made me think about this once more. Specifically about how most popular brands handle the cycle behavior in firmware/hardware already and that userspace already needs to deal with this and that sofar this does not seem to be a problem. Combine this with the ugliness of adding a module option + adding a new cycle input event requiring a lot of work at various layers to actually work and I think that taking this series as is, is not so bad. Esp. since I don't see anyone doing this work soon. This comes down to faking the cycling being done inside the firmware/ hardware as e.g. Thinkpads and the Dell XPS series actually do, so, as said, userspace already needs to deal with this. If we in the future actually get around to implementing a kbd-illum-cycle input event and have userspace support in place we can always add the module option then. TL;DR: lets just go with this series as is for now, we can always add a module opt
Re: [PATCH] staging: comedi: shortened a long line
Hi Joe, Thank you for the feedback! I understand better now and will resend the patch. Regards, Chris Opperman
Re: [PATCH] kbuild: fix endless syncconfig in case arch Makefile sets CROSS_COMPILE
2018-06-08 17:20 GMT+09:00 Geert Uytterhoeven :
> Hi Yamada-san,
>
> On Fri, Jun 8, 2018 at 2:21 AM, Masahiro Yamada
> wrote:
>> Commit 21c54b774744 ("kconfig: show compiler version text in the top
>> comment") was intended to detect the compiler upgrade, but Geert
>> reported a breakage on the m68k build.
>>
>> The compiler upgrade is detected by the change of the environment
>> variable, CC_VERSION_TEXT, which contains the first line of the output
>> from $(CC) --version. Currently, this works well when CROSS_COMPILE
>> is given via the environment variable or the Make command line.
>>
>> However, some architectures such as m68k can specify CROSS_COMPILE
>> from arch/$(SRCARCH)/Makefile as well. In this case, "make ARCH=m68k"
>> ends up with endless syncconfig loop.
>>
>> $ make ARCH=m68k defconfig
>> *** Default configuration is based on 'multi_defconfig'
>> #
>> # configuration written to .config
>> #
>> $ make ARCH=m68k
>> scripts/kconfig/conf --syncconfig Kconfig
>> scripts/kconfig/conf --syncconfig Kconfig
>> scripts/kconfig/conf --syncconfig Kconfig
>> scripts/kconfig/conf --syncconfig Kconfig
>
> [...]
>
>> Fixes: 21c54b774744 ("kconfig: show compiler version text in the top
>> comment")
>> Reported-by: Geert Uytterhoeven
>> Signed-off-by: Masahiro Yamada
>
> Thanks for fixing this quickly!
>
> Tested-by: Geert Uytterhoeven
Applied to linux-kbuild.
--
Best Regards
Masahiro Yamada
Dear Talented
Dear Talented, I am Talent Scout For BLUE SKY FILM STUDIO, Present Blue sky Studio a Film Corporation Located in the United State, is Soliciting for the Right to use Your Photo/Face and Personality as One of the Semi -Major Role/ Character in our Upcoming ANIMATED Stereoscope 3D Movie-The Story of Spies in Disguise (Spies in Disguise 2019) The Movie is Currently Filming (In Production) Please Note That There Will Be No Auditions, Traveling or Any Special / Professional Acting Skills, Since the Production of This Movie Will Be Done with our State of Art Computer -Generating Imagery Equipment. We Are Prepared to Pay the Total Sum of $620,000.00 USD. For More Information/Understanding, Please Write us on the E-Mail Below. CONTACT EMAIL: bluesky.filmstu...@usa.com All Reply to: bluesky.filmstu...@usa.com Note: Only the Response send to this mail will be Given a Prior Consideration. Talent Scout Lisa Clement
Re: [PATCH] mm/madvise: allow MADV_DONTNEED to free memory that is MLOCK_ONFAULT
Hi Jason, I love your patch! Perhaps something to improve: [auto build test WARNING on mmotm/master] [also build test WARNING on v4.17 next-20180608] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: https://github.com/0day-ci/linux/commits/Jason-Baron/mm-madvise-allow-MADV_DONTNEED-to-free-memory-that-is-MLOCK_ONFAULT/20180609-185549 base: git://git.cmpxchg.org/linux-mmotm.git master config: alpha-allmodconfig (attached as .config) compiler: alpha-linux-gnu-gcc (Debian 7.2.0-11) 7.2.0 reproduce: wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross # save the attached .config to linux build tree GCC_VERSION=7.2.0 make.cross ARCH=alpha All warnings (new ones prefixed by >>): In file included from mm//internal.h:18:0, from mm//swap.c:39: include/uapi/asm-generic/mman-common.h:22:0: warning: "MAP_FIXED" redefined #define MAP_FIXED 0x10 /* Interpret addr exactly */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:17:0: note: this is the location of the previous definition #define MAP_FIXED 0x100 /* Interpret addr exactly */ In file included from mm//internal.h:18:0, from mm//swap.c:39: include/uapi/asm-generic/mman-common.h:23:0: warning: "MAP_ANONYMOUS" redefined #define MAP_ANONYMOUS 0x20 /* don't use a file */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:18:0: note: this is the location of the previous definition #define MAP_ANONYMOUS 0x10 /* don't use a file */ In file included from mm//internal.h:18:0, from mm//swap.c:39: include/uapi/asm-generic/mman-common.h:27:0: warning: "MAP_UNINITIALIZED" redefined # define MAP_UNINITIALIZED 0x0 /* Don't support this flag */ In file included from mm//swap.c:20:0: include/linux/mman.h:25:0: note: this is the location of the previous definition #define MAP_UNINITIALIZED 0 In file included from mm//internal.h:18:0, from mm//swap.c:39: >> include/uapi/asm-generic/mman-common.h:31:0: warning: "MAP_FIXED_NOREPLACE" >> redefined #define MAP_FIXED_NOREPLACE 0x10 /* MAP_FIXED which doesn't unmap underlying mapping */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:35:0: note: this is the location of the previous definition #define MAP_FIXED_NOREPLACE 0x20/* MAP_FIXED which doesn't unmap underlying mapping */ In file included from mm//internal.h:18:0, from mm//swap.c:39: include/uapi/asm-generic/mman-common.h:39:0: warning: "MS_INVALIDATE" redefined #define MS_INVALIDATE 2 /* invalidate the caches */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:39:0: note: this is the location of the previous definition #define MS_INVALIDATE 4 /* invalidate the caches */ In file included from mm//internal.h:18:0, from mm//swap.c:39: include/uapi/asm-generic/mman-common.h:40:0: warning: "MS_SYNC" redefined #define MS_SYNC 4 /* synchronous memory sync */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:38:0: note: this is the location of the previous definition #define MS_SYNC 2 /* synchronous memory sync */ In file included from mm//internal.h:18:0, from mm//swap.c:39: >> include/uapi/asm-generic/mman-common.h:46:0: warning: "MADV_DONTNEED" >> redefined #define MADV_DONTNEED 4 /* don't need these pages */ In file included from include/uapi/linux/mman.h:5:0, from include/linux/mman.h:9, from mm//swap.c:20: arch/alpha/include/uapi/asm/mman.h:52:0: note: this is the location of the previous definition #define MADV_DONTNEED 6 /* don't need these pages */ vim +/MAP_FIXED_NOREPLACE +31 include/uapi/asm-generic/mman-common.h 5f6164f3 include/asm-generic/mman.h Michael S. Tsirkin 2006-02-15 17 5f6164f3 include/asm-generic/mman.h Michael S. Tsirkin 2006-02-15 18 #define MAP_SHARED 0x01/* Share changes */
Re: 4.16.14: kernel tried to execute NX-protected page [after USB device went to charging state]
On 09-06-18 11:50, Udo van den Heuvel wrote: My Holux GPSport 245 was used to download a gpx track. Afterwards I turned the device off while it was attached to USB so it could charge. Later I found these messages you can find below. Actually I removed the charging Holux GPSport from the USB cable and then the Oops appears. I could reproduce this a minute ago. Udo
Re: building in 32bit chroot on x86_64 host broken
2018-06-08 4:49 GMT+09:00 Thomas Backlund : > > Den 2018-06-07 kl. 22:40, skrev Linus Torvalds: >> >> On Thu, Jun 7, 2018 at 12:35 PM Thomas Backlund wrote: >>> >>> I can work around it for now (or keep the revert in our kernel builds >>> for now) until it gets properly fixed... >> >> So rather than doing the revert, it's probably better if your >> workaround just does >> >> make ARCH=i386 oldconfig >> >> (or maybe even just a "export ARCH=i386" in the environment) >> >> That should get you to continue to otherwise do the same thing. >> >> And if it turns out that your flow is the *only* one affected by this, >> and nobody else complains, maybe we can just say "yeah, slight change >> in build rules, easy to work around" and leave it at that. >> >> Linus > > > Yeah, I can live with that too :) > > I just wanted to point out the regression in case it was not (sort of) > intentional... If you want to do 'make oldconfig' without setting ARCH, maybe the following could work. diff --git a/Makefile b/Makefile index 019a5a0..b491e86 100644 --- a/Makefile +++ b/Makefile @@ -292,7 +292,7 @@ export VERSION PATCHLEVEL SUBLEVEL KERNELRELEASE KERNELVERSION # then ARCH is assigned, getting whatever value it gets normally, and # SUBARCH is subsequently ignored. -SUBARCH := $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ \ +SUBARCH := $(shell uname -m | sed -e s/i.86/i386/ -e s/x86_64/x86/ \ -e s/sun4u/sparc64/ \ -e s/arm.*/arm/ -e s/sa110/arm/ \ -e s/s390x/s390/ -e s/parisc64/parisc/ \ or diff --git a/Makefile b/Makefile index 019a5a0..3586967 100644 --- a/Makefile +++ b/Makefile @@ -292,7 +292,7 @@ export VERSION PATCHLEVEL SUBLEVEL KERNELRELEASE KERNELVERSION # then ARCH is assigned, getting whatever value it gets normally, and # SUBARCH is subsequently ignored. -SUBARCH := $(shell uname -m | sed -e s/i.86/x86/ -e s/x86_64/x86/ \ +SUBARCH := $(shell uname -m | sed -e s/i.86/i386/ \ -e s/sun4u/sparc64/ \ -e s/arm.*/arm/ -e s/sa110/arm/ \ -e s/s390x/s390/ -e s/parisc64/parisc/ \ -- Best Regards Masahiro Yamada
Re: [PATCH v3 4/6] mtd: rawnand: add NVIDIA Tegra NAND Flash controller driver
On Saturday, 9 June 2018 00:51:01 MSK Stefan Agner wrote: > On 01.06.2018 11:20, Dmitry Osipenko wrote: > > On 01.06.2018 01:16, Stefan Agner wrote: > >> Add support for the NAND flash controller found on NVIDIA > >> Tegra 2 SoCs. This implementation does not make use of the > >> command queue feature. Regular operations/data transfers are > >> done in PIO mode. Page read/writes with hardware ECC make > >> use of the DMA for data transfer. > >> > >> Signed-off-by: Lucas Stach > >> Signed-off-by: Stefan Agner > >> --- > >> > >> MAINTAINERS |7 + > >> drivers/mtd/nand/raw/Kconfig |6 + > >> drivers/mtd/nand/raw/Makefile |1 + > >> drivers/mtd/nand/raw/tegra_nand.c | 1143 + > >> 4 files changed, 1157 insertions(+) > >> create mode 100644 drivers/mtd/nand/raw/tegra_nand.c > >> > >> diff --git a/MAINTAINERS b/MAINTAINERS > >> index 58b9861ccf99..c2e5571c85d4 100644 > >> --- a/MAINTAINERS > >> +++ b/MAINTAINERS > >> @@ -13844,6 +13844,13 @@ M:Laxman Dewangan > >> > >> S:Supported > >> F:drivers/input/keyboard/tegra-kbc.c > >> > >> +TEGRA NAND DRIVER > >> +M:Stefan Agner > >> +M:Lucas Stach > >> +S:Maintained > >> +F:Documentation/devicetree/bindings/mtd/nvidia-tegra20-nand.txt > >> +F:drivers/mtd/nand/raw/tegra_nand.c > >> + > >> > >> TEGRA PWM DRIVER > >> M:Thierry Reding > >> S:Supported > >> > >> diff --git a/drivers/mtd/nand/raw/Kconfig b/drivers/mtd/nand/raw/Kconfig > >> index 19a2b283fbbe..e9093f52371e 100644 > >> --- a/drivers/mtd/nand/raw/Kconfig > >> +++ b/drivers/mtd/nand/raw/Kconfig > >> @@ -534,4 +534,10 @@ config MTD_NAND_MTK > >> > >> Enables support for NAND controller on MTK SoCs. > >> This controller is found on mt27xx, mt81xx, mt65xx SoCs. > >> > >> +config MTD_NAND_TEGRA > >> + tristate "Support for NAND controller on NVIDIA Tegra" > >> + depends on ARCH_TEGRA || COMPILE_TEST > >> + help > >> +Enables support for NAND flash controller on NVIDIA Tegra SoC. > >> + > >> > >> endif # MTD_NAND > >> > >> diff --git a/drivers/mtd/nand/raw/Makefile > >> b/drivers/mtd/nand/raw/Makefile > >> index 165b7ef9e9a1..d5a5f9832b88 100644 > >> --- a/drivers/mtd/nand/raw/Makefile > >> +++ b/drivers/mtd/nand/raw/Makefile > >> @@ -56,6 +56,7 @@ obj-$(CONFIG_MTD_NAND_HISI504) += > >> hisi504_nand.o > >> > >> obj-$(CONFIG_MTD_NAND_BRCMNAND) += brcmnand/ > >> obj-$(CONFIG_MTD_NAND_QCOM) += qcom_nandc.o > >> obj-$(CONFIG_MTD_NAND_MTK)+= mtk_ecc.o mtk_nand.o > >> > >> +obj-$(CONFIG_MTD_NAND_TEGRA) += tegra_nand.o > >> > >> nand-objs := nand_base.o nand_bbt.o nand_timings.o nand_ids.o > >> nand-objs += nand_amd.o > >> > >> diff --git a/drivers/mtd/nand/raw/tegra_nand.c > >> b/drivers/mtd/nand/raw/tegra_nand.c new file mode 100644 > >> index ..e9664f2938a3 > >> --- /dev/null > >> +++ b/drivers/mtd/nand/raw/tegra_nand.c > >> @@ -0,0 +1,1143 @@ > >> +// SPDX-License-Identifier: GPL-2.0 > >> +/* > >> + * Copyright (C) 2018 Stefan Agner > >> + * Copyright (C) 2014-2015 Lucas Stach > >> + * Copyright (C) 2012 Avionic Design GmbH > >> + */ > >> + > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> +#include > >> + > >> +#define CMD 0x00 > >> +#define CMD_GO BIT(31) > >> +#define CMD_CLE BIT(30) > >> +#define CMD_ALE BIT(29) > >> +#define CMD_PIO BIT(28) > >> +#define CMD_TX BIT(27) > >> +#define CMD_RX BIT(26) > >> +#define CMD_SEC_CMD BIT(25) > >> +#define CMD_AFT_DAT BIT(24) > >> +#define CMD_TRANS_SIZE(x) (((x - 1) & 0xf) << 20) > >> +#define CMD_A_VALID BIT(19) > >> +#define CMD_B_VALID BIT(18) > >> +#define CMD_RD_STATUS_CHK BIT(17) > >> +#define CMD_RBSY_CHKBIT(16) > >> +#define CMD_CE(x) BIT((8 + ((x) & 0x7))) > >> +#define CMD_CLE_SIZE(x) (((x - 1) & 0x3) << 4) > >> +#define CMD_ALE_SIZE(x) (((x - 1) & 0xf) << 0) > >> + > >> +#define STATUS0x04 > >> + > >> +#define ISR 0x08 > >> +#define ISR_CORRFAIL_ERRBIT(24) > >> +#define ISR_UND BIT(7) > >> +#define ISR_OVR BIT(6) > >> +#define ISR_CMD_DONEBIT(5) > >> +#define ISR_ECC_ERR
Re: building in 32bit chroot on x86_64 host broken
2018-06-08 18:12 GMT+09:00 Michal Kubecek : > On Thu, Jun 07, 2018 at 12:40:30PM -0700, Linus Torvalds wrote: >> On Thu, Jun 7, 2018 at 12:35 PM Thomas Backlund wrote: >> > >> > I can work around it for now (or keep the revert in our kernel builds >> > for now) until it gets properly fixed... >> >> So rather than doing the revert, it's probably better if your >> workaround just does >> >>make ARCH=i386 oldconfig >> >> (or maybe even just a "export ARCH=i386" in the environment) >> >> That should get you to continue to otherwise do the same thing. >> >> And if it turns out that your flow is the *only* one affected by this, >> and nobody else complains, maybe we can just say "yeah, slight change >> in build rules, easy to work around" and leave it at that. > > Not the only one, we hit the same problem when building openSUSE > packages (4.17-rc1) but we resolved it by always setting ARCH: > > https://github.com/openSUSE/kernel-source/commit/fb21b7321ab5 > > It also revealed that we forgot to pass MAKE_ARGS to other phases of RPM > build process so we don't have reason to complain. > > Michal Kubecek Just a note. In case of cross-compiling, not only ARCH but also CROSS_COMPILE must be passed when you do "make *config". In this merge window, some compiler option tests are being moved from Makefiles to the Kconfig phase. People tend to set "export CROSS_COMPILE=..." in their build environment. I have not received any complaint about this change so far. -- Best Regards Masahiro Yamada
[PATCH] staging: comedi: Improved readability of function comedi_nsamples_left.
Signed-off-by: Chris Opperman
---
drivers/staging/comedi/drivers.c | 29 ++---
1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/drivers/staging/comedi/drivers.c b/drivers/staging/comedi/drivers.c
index 9d73347..3207ae2 100644
--- a/drivers/staging/comedi/drivers.c
+++ b/drivers/staging/comedi/drivers.c
@@ -468,26 +468,25 @@ EXPORT_SYMBOL_GPL(comedi_nscans_left);
* Returns the number of samples remaining to complete the command, or the
* specified expected number of samples (@nsamples), whichever is fewer.
*/
-unsigned int comedi_nsamples_left(struct comedi_subdevice *s,
- unsigned int nsamples)
+u32 comedi_nsamples_left(struct comedi_subdevice *s, u32 nsamples)
{
struct comedi_async *async = s->async;
struct comedi_cmd *cmd = &async->cmd;
+ u32 scans_left;
+ u64 samples_left;
- if (cmd->stop_src == TRIG_COUNT) {
- unsigned int scans_left = __comedi_nscans_left(s,
cmd->stop_arg);
- unsigned int scan_pos =
- comedi_bytes_to_samples(s, async->scan_progress);
- unsigned long long samples_left = 0;
-
- if (scans_left) {
- samples_left = ((unsigned long long)scans_left *
- cmd->scan_end_arg) - scan_pos;
- }
+ if (cmd->stop_src != TRIG_COUNT)
+ return nsamples;
- if (samples_left < nsamples)
- nsamples = samples_left;
- }
+ scans_left = __comedi_nscans_left(s, cmd->stop_arg);
+ if (!scans_left)
+ return 0;
+
+ samples_left = ((u64)scans_left * cmd->scan_end_arg) -
+ comedi_bytes_to_samples(s, async->scan_progress);
+
+ if (samples_left < nsamples)
+ return samples_left;
return nsamples;
}
EXPORT_SYMBOL_GPL(comedi_nsamples_left);
--
2.1.4
Re: [RESEND v2] dmaengine: pxa: add a default requestor policy
Robert Jarzmik writes: > As what former drcmr -1 value meant, add a this as a default to each > channel, ie. that by default no requestor line is used. > > This is specifically used for network drivers smc91x and smc911x, and > needed for their port to slave maps. > > Cc: Arnd Bergmann > Signed-off-by: Robert Jarzmik > --- > Since v1: changed -1 to U32_MAX Hi Vinod, Could I have your ack on this so that I add this one to the dma slave map serie after the merge window is closed please ? Cheers. -- Robert > --- > drivers/dma/pxa_dma.c | 5 + > 1 file changed, 5 insertions(+) > > diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c > index 9505334f9c6e..b31c28b67ad3 100644 > --- a/drivers/dma/pxa_dma.c > +++ b/drivers/dma/pxa_dma.c > @@ -762,6 +762,8 @@ static void pxad_free_chan_resources(struct dma_chan > *dchan) > dma_pool_destroy(chan->desc_pool); > chan->desc_pool = NULL; > > + chan->drcmr = U32_MAX; > + chan->prio = PXAD_PRIO_LOWEST; > } > > static void pxad_free_desc(struct virt_dma_desc *vd) > @@ -1386,6 +1388,9 @@ static int pxad_init_dmadev(struct platform_device *op, > c = devm_kzalloc(&op->dev, sizeof(*c), GFP_KERNEL); > if (!c) > return -ENOMEM; > + > + c->drcmr = U32_MAX; > + c->prio = PXAD_PRIO_LOWEST; > c->vc.desc_free = pxad_free_desc; > vchan_init(&c->vc, &pdev->slave); > init_waitqueue_head(&c->wq_state); -- Robert
[PATCH] staging: mt7621-pci: Fix coding style error
This patch removes space after * to fix the following checkpatch error:
ERROR: "foo * bar" should be "foo *bar"
Signed-off-by: Abdun Nihaal
---
drivers/staging/mt7621-pci/pci-mt7621.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/staging/mt7621-pci/pci-mt7621.c
b/drivers/staging/mt7621-pci/pci-mt7621.c
index 17f2105ec698..0543ff7d7f40 100644
--- a/drivers/staging/mt7621-pci/pci-mt7621.c
+++ b/drivers/staging/mt7621-pci/pci-mt7621.c
@@ -184,7 +184,7 @@ static int pcie_link_status = 0;
#define PCI_ACCESS_WRITE_4 5
static int config_access(unsigned char access_type, struct pci_bus *bus,
- unsigned int devfn, unsigned int where, u32 * data)
+ unsigned int devfn, unsigned int where, u32 *data)
{
unsigned int slot = PCI_SLOT(devfn);
u8 func = PCI_FUNC(devfn);
@@ -225,19 +225,19 @@ static int config_access(unsigned char access_type,
struct pci_bus *bus,
}
static int
-read_config_byte(struct pci_bus *bus, unsigned int devfn, int where, u8 * val)
+read_config_byte(struct pci_bus *bus, unsigned int devfn, int where, u8 *val)
{
return config_access(PCI_ACCESS_READ_1, bus, devfn, (unsigned
int)where, (u32 *)val);
}
static int
-read_config_word(struct pci_bus *bus, unsigned int devfn, int where, u16 * val)
+read_config_word(struct pci_bus *bus, unsigned int devfn, int where, u16 *val)
{
return config_access(PCI_ACCESS_READ_2, bus, devfn, (unsigned
int)where, (u32 *)val);
}
static int
-read_config_dword(struct pci_bus *bus, unsigned int devfn, int where, u32 *
val)
+read_config_dword(struct pci_bus *bus, unsigned int devfn, int where, u32 *val)
{
return config_access(PCI_ACCESS_READ_4, bus, devfn, (unsigned
int)where, (u32 *)val);
}
@@ -270,7 +270,7 @@ write_config_dword(struct pci_bus *bus, unsigned int devfn,
int where, u32 val)
}
static int
-pci_config_read(struct pci_bus *bus, unsigned int devfn, int where, int size,
u32 * val)
+pci_config_read(struct pci_bus *bus, unsigned int devfn, int where, int size,
u32 *val)
{
switch (size) {
case 1:
--
2.17.0
anmodning forretning
god dag anmodning forretning Jeg bruger dette medie til at informere dig om transaktionen for overførsel af $ 21.500.000 (Twenty-en million fem hundrede tusinde dollars) i min bank i Kina til dig som modtager. Det vil være 100% sikker, er den finansielle officer af den afdøde kunde. For god forståelse af forretningsforslaget kan du sende dit svar på engelsk Venligst kontakt mig på min private e-mail nedenfor for eventuelle spørgsmål og yderligere information. chinsang...@gmail.com Med venlig hilsen Chin Sang e-mail: chinsang...@gmail.com
kernel BUG at drivers/scsi/scsi_error.c:197! - git 4.17.0-x64-08428-g7d3bf613e99a
Hello, everyone! I was trying to test not-yet-completed 4.18-rc1, and run into this bug, probably due to HAL (yes, I still use this) trying to poll empty DVD-RW drive: [ 35.040167] [ cut here ] [ 35.040171] kernel BUG at drivers/scsi/scsi_error.c:197! [ 35.040196] invalid opcode: [#1] SMP NOPTI [ 35.040210] CPU: 2 PID: 117 Comm: kworker/2:1H Not tainted 4.17.0-x64-08428-g7d3bf613e99a-dirty #18 [ 35.040225] Hardware name: MSI MS-7693/970A-G46 (MS-7693), BIOS V2.8 01/08/2016 [ 35.040244] Workqueue: kblockd blk_mq_timeout_work [ 35.040283] RIP: 0010:scsi_times_out+0xe9/0x1a6 [scsi_mod] [ 35.040287] Code: 03 76 18 48 c7 c2 f9 c2 01 a0 48 89 ee 48 c7 c7 14 be 01 a0 31 c0 e8 76 ad 00 00 48 8b 83 98 01 00 00 a8 01 0f 84 a5 00 00 00 <0f> 0b 49 8b 7c 24 38 e8 8f ba 4b e1 41 83 bc 24 2c 01 00 00 ff 74 [ 35.040312] RSP: 0018:c9293d98 EFLAGS: 00010202 [ 35.040318] RAX: 88031f240605 RBX: 88031eed8500 RCX: fffefd40 [ 35.040323] RDX: c9293e80 RSI: 2007 RDI: 88031eed8638 [ 35.040327] RBP: 88031eed8638 R08: 88031eed85d8 R09: [ 35.040332] R10: 0040 R11: fefefefefefefeff R12: 88031f2a8800 [ 35.040336] R13: 88031f2a8800 R14: 88031f29e910 R15: 0001 [ 35.040341] FS: () GS:88032ed0() knlGS: [ 35.040346] CS: 0010 DS: ES: CR0: 80050033 [ 35.040350] CR2: f7ea83c0 CR3: 00031e194000 CR4: 000406e0 [ 35.040354] Call Trace: [ 35.040360] blk_mq_check_expired+0xdc/0x10c [ 35.040365] bt_iter+0x42/0x45 [ 35.040369] __sbitmap_for_each_set.constprop.12+0x83/0xac [ 35.040374] ? blk_mq_update_nr_requests+0xad/0xad [ 35.040595] ? blk_mq_exit_hctx+0xda/0xda [ 35.041595] blk_mq_queue_tag_busy_iter+0xa3/0xb4 [ 35.042578] ? blk_mq_exit_hctx+0xda/0xda [ 35.043550] blk_mq_timeout_work+0x6b/0xca [ 35.044505] process_one_work+0x17c/0x2a6 [ 35.045445] worker_thread+0x19f/0x243 [ 35.046393] ? rescuer_thread+0x262/0x262 [ 35.047346] kthread+0x100/0x108 [ 35.048290] ? kthread_destroy_worker+0x3e/0x3e [ 35.049242] ret_from_fork+0x27/0x50 [ 35.050192] Modules linked in: bridge stp llc bnep rfcomm hidp snd_aloop ipv6 pcmcia pcmcia_core xfs libcrc32c lp parport f71882fg input_leds mousedev hid_generic usbhid hid btusb btintel btbcm btrtl bluetooth nouveau ecdh_generic rfkill morus1280_sse2 morus1280_glue morus640_sse2 morus640_glue ttm drm_kms_helper ghash_clmulni_intel drm crct10dif_pclmul crc32_pclmul drm_panel_orientation_quirks crc32c_intel aegis256_aesni cfbcopyarea fb_sys_fops sysimgblt pcbc sysfillrect cfbimgblt syscopyarea cfbfillrect aesni_intel glue_helper i2c_algo_bit crypto_simd aes_x86_64 ohci_pci snd_hda_codec_realtek aegis128l_aesni pktcdvd aegis128_aesni agpgart ohci_hcd snd_hda_codec_generic cryptd xhci_pci kvm_amd xhci_hcd ehci_pci snd_hda_intel ehci_hcd snd_hda_codec kvm usbcore led_class snd_hda_core video usb_common [ 35.055814] backlight irqbypass fb snd_hwdep snd_pcm mxm_wmi r8169 fbdev mac_hid fam15h_power k10temp mii snd_timer ccp evdev snd rng_core hwmon wmi i2c_piix4 sha1_generic sha256_generic button soundcore font sr_mod acpi_cpufreq rtc_cmos sg i2c_core cdrom edac_mce_amd sd_mod ahci libahci libata scsi_mod [last unloaded: pcmcia_core] [ 35.058426] ---[ end trace fdc9e8c678138a75 ]--- [ 35.059725] RIP: 0010:scsi_times_out+0xe9/0x1a6 [scsi_mod] [ 35.059726] Code: 03 76 18 48 c7 c2 f9 c2 01 a0 48 89 ee 48 c7 c7 14 be 01 a0 31 c0 e8 76 ad 00 00 48 8b 83 98 01 00 00 a8 01 0f 84 a5 00 00 00 <0f> 0b 49 8b 7c 24 38 e8 8f ba 4b e1 41 83 bc 24 2c 01 00 00 ff 74 [ 35.063794] RSP: 0018:c9293d98 EFLAGS: 00010202 [ 35.063796] RAX: 88031f240605 RBX: 88031eed8500 RCX: fffefd40 [ 35.063797] RDX: c9293e80 RSI: 2007 RDI: 88031eed8638 [ 35.063798] RBP: 88031eed8638 R08: 88031eed85d8 R09: [ 35.069198] R10: 0040 R11: fefefefefefefeff R12: 88031f2a8800 [ 35.069198] R13: 88031f2a8800 R14: 88031f29e910 R15: 0001 [ 35.069200] FS: () GS:88032ed0() knlGS: [ 35.073191] CS: 0010 DS: ES: CR0: 80050033 [ 35.073192] CR2: f7ea83c0 CR3: 00031e194000 CR4: 000406e0 and this resulted later on in failure to enter suspend-to-ram: [ 181.912985] PM: suspend entry (deep) [ 181.912993] PM: Syncing filesystems ... done. [ 182.026561] Freezing user space processes ... [ 202.029084] Freezing of tasks failed after 20.002 seconds (1 tasks refusing to freeze, wq_busy=0): [ 202.029106] hald-addon-stor D0 909849 0x20020004 [ 202.029113] Call Trace: [ 202.029128] ? __schedule+0x37f/0x57f [ 202.029134] ? usleep_range+0x51/0x51 [ 202.029139] schedule+0x7f/0x89 [ 202.029144] schedule_timeout+0x21/0xc7 [ 202.
[PATCH 01/10] ARM: OMAP1: ams-delta: drop GPIO lookup table for serio device
GPIO lookup table for ams-delta-serio device was introduced by commit
0486738928bf ("ARM: OMAP1: ams-delta: add GPIO lookup tables").
Unfortunately, a follow up patch "Input: ams_delta_serio: use GPIO
lookup table" was not accepted by subystem maintainer who requested
conversion of the driver to a platform driver, replacepemnt of IRQ GPIO
pin with IRQ resource, replacement of GPIO pin providing keyboard power
with a regulator and removal of remaining GPIO pins from the driver as
not handled by it.
Let's start with removal of no the longer needed GPIO lookup table from
the board init file.
Series created and tested on top of next-20180608 tag from linux-next
tree.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/board-ams-delta.c | 19 ---
1 file changed, 19 deletions(-)
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 80f54cb54276..18e0ff437b27 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -504,20 +504,6 @@ static struct platform_device cx20442_codec_device = {
.id = -1,
};
-static struct gpiod_lookup_table ams_delta_serio_gpio_table = {
- .table = {
- GPIO_LOOKUP(OMAP_GPIO_LABEL, AMS_DELTA_GPIO_PIN_KEYBRD_DATA,
- "data", 0),
- GPIO_LOOKUP(OMAP_GPIO_LABEL, AMS_DELTA_GPIO_PIN_KEYBRD_CLK,
- "clock", 0),
- GPIO_LOOKUP(LATCH2_LABEL, LATCH2_PIN_KEYBRD_PWR,
- "power", 0),
- GPIO_LOOKUP(LATCH2_LABEL, LATCH2_PIN_KEYBRD_DATAOUT,
- "dataout", 0),
- { },
- },
-};
-
static struct platform_device *ams_delta_devices[] __initdata = {
&latch1_gpio_device,
&latch2_gpio_device,
@@ -534,7 +520,6 @@ static struct platform_device *late_devices[] __initdata = {
static struct gpiod_lookup_table *ams_delta_gpio_tables[] __initdata = {
&ams_delta_audio_gpio_table,
- &ams_delta_serio_gpio_table,
};
static struct gpiod_lookup_table *late_gpio_tables[] __initdata = {
@@ -580,10 +565,6 @@ static void __init ams_delta_init(void)
*/
ams_delta_audio_gpio_table.dev_id =
dev_name(&ams_delta_audio_device.dev);
- /*
-* No device name is assigned to GPIO lookup table for serio device
-* as long as serio driver is not converted to platform device driver.
-*/
gpiod_add_lookup_tables(ams_delta_gpio_tables,
ARRAY_SIZE(ams_delta_gpio_tables));
--
2.16.1
[PATCH 02/10] Input: ams_delta_serio: convert to platform driver
Convert the driver to an "ams-delta-serio" platform driver. For it to
be used with Amstrad Delta, register an "ams-delta-serio" platform
device from the board init file.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/board-ams-delta.c | 6 ++
drivers/input/serio/ams_delta_serio.c | 34 +-
2 files changed, 27 insertions(+), 13 deletions(-)
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 18e0ff437b27..2119d2d3ba84 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -504,12 +504,18 @@ static struct platform_device cx20442_codec_device = {
.id = -1,
};
+static struct platform_device ams_delta_serio_device = {
+ .name = "ams-delta-serio",
+ .id = PLATFORM_DEVID_NONE,
+};
+
static struct platform_device *ams_delta_devices[] __initdata = {
&latch1_gpio_device,
&latch2_gpio_device,
&ams_delta_kp_device,
&ams_delta_camera_device,
&ams_delta_audio_device,
+ &ams_delta_serio_device,
};
static struct platform_device *late_devices[] __initdata = {
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index 3df501c3421b..a2a7fa19bf49 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -22,15 +22,17 @@
*/
#include
#include
+#include
#include
#include
#include
-#include
#include
#include
+#define DRIVER_NAME"ams-delta-serio"
+
MODULE_AUTHOR("Matt Callow");
MODULE_DESCRIPTION("AMS Delta (E3) keyboard port driver");
MODULE_LICENSE("GPL");
@@ -126,13 +128,10 @@ static const struct gpio ams_delta_gpios[]
__initconst_or_module = {
},
};
-static int __init ams_delta_serio_init(void)
+static int ams_delta_serio_init(struct platform_device *pdev)
{
int err;
- if (!machine_is_ams_delta())
- return -ENODEV;
-
ams_delta_serio = kzalloc(sizeof(struct serio), GFP_KERNEL);
if (!ams_delta_serio)
return -ENOMEM;
@@ -142,22 +141,22 @@ static int __init ams_delta_serio_init(void)
ams_delta_serio->close = ams_delta_serio_close;
strlcpy(ams_delta_serio->name, "AMS DELTA keyboard adapter",
sizeof(ams_delta_serio->name));
- strlcpy(ams_delta_serio->phys, "GPIO/serio0",
+ strlcpy(ams_delta_serio->phys, dev_name(&pdev->dev),
sizeof(ams_delta_serio->phys));
+ ams_delta_serio->dev.parent = &pdev->dev;
err = gpio_request_array(ams_delta_gpios,
ARRAY_SIZE(ams_delta_gpios));
if (err) {
- pr_err("ams_delta_serio: Couldn't request gpio pins\n");
+ dev_err(&pdev->dev, "Couldn't request gpio pins\n");
goto serio;
}
err = request_irq(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK),
ams_delta_serio_interrupt, IRQ_TYPE_EDGE_RISING,
- "ams-delta-serio", 0);
+ DRIVER_NAME, 0);
if (err < 0) {
- pr_err("ams_delta_serio: couldn't request gpio interrupt %d\n",
- gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK));
+ dev_err(&pdev->dev, "IRQ request failed (%d)\n", err);
goto gpio;
}
/*
@@ -179,13 +178,22 @@ static int __init ams_delta_serio_init(void)
kfree(ams_delta_serio);
return err;
}
-module_init(ams_delta_serio_init);
-static void __exit ams_delta_serio_exit(void)
+static int ams_delta_serio_exit(struct platform_device *pdev)
{
serio_unregister_port(ams_delta_serio);
free_irq(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK), 0);
gpio_free_array(ams_delta_gpios,
ARRAY_SIZE(ams_delta_gpios));
+
+ return 0;
}
-module_exit(ams_delta_serio_exit);
+
+static struct platform_driver ams_delta_serio_driver = {
+ .probe = ams_delta_serio_init,
+ .remove = ams_delta_serio_exit,
+ .driver = {
+ .name = DRIVER_NAME
+ },
+};
+module_platform_driver(ams_delta_serio_driver);
--
2.16.1
[PATCH 03/10] Input: ams_delta_serio: use private structure
Introduce a driver private structure and allocate it on device probe.
For now, use it instead of a static variable for storing a pointer to
serio structure. Subsequent patches will populate it with more members
as needed.
Signed-off-by: Janusz Krzysztofik
# Conflicts:
# drivers/input/serio/ams_delta_serio.c
---
drivers/input/serio/ams_delta_serio.c | 69 ++-
1 file changed, 43 insertions(+), 26 deletions(-)
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index a2a7fa19bf49..551a4fa73fe4 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -37,17 +37,17 @@ MODULE_AUTHOR("Matt Callow");
MODULE_DESCRIPTION("AMS Delta (E3) keyboard port driver");
MODULE_LICENSE("GPL");
-static struct serio *ams_delta_serio;
+struct ams_delta_serio {
+ struct serio *serio;
+};
-static int check_data(int data)
+static int check_data(struct serio *serio, int data)
{
int i, parity = 0;
/* check valid stop bit */
if (!(data & 0x400)) {
- dev_warn(&ams_delta_serio->dev,
- "invalid stop bit, data=0x%X\n",
- data);
+ dev_warn(&serio->dev, "invalid stop bit, data=0x%X\n", data);
return SERIO_FRAME;
}
/* calculate the parity */
@@ -57,9 +57,9 @@ static int check_data(int data)
}
/* it should be odd */
if (!(parity & 0x01)) {
- dev_warn(&ams_delta_serio->dev,
- "parity check failed, data=0x%X parity=0x%X\n",
- data, parity);
+ dev_warn(&serio->dev,
+"parity check failed, data=0x%X parity=0x%X\n", data,
+parity);
return SERIO_PARITY;
}
return 0;
@@ -67,6 +67,7 @@ static int check_data(int data)
static irqreturn_t ams_delta_serio_interrupt(int irq, void *dev_id)
{
+ struct ams_delta_serio *priv = dev_id;
int *circ_buff = &fiq_buffer[FIQ_CIRC_BUFF];
int data, dfl;
u8 scancode;
@@ -84,9 +85,9 @@ static irqreturn_t ams_delta_serio_interrupt(int irq, void
*dev_id)
if (fiq_buffer[FIQ_HEAD_OFFSET] == fiq_buffer[FIQ_BUF_LEN])
fiq_buffer[FIQ_HEAD_OFFSET] = 0;
- dfl = check_data(data);
+ dfl = check_data(priv->serio, data);
scancode = (u8) (data >> 1) & 0xFF;
- serio_interrupt(ams_delta_serio, scancode, dfl);
+ serio_interrupt(priv->serio, scancode, dfl);
}
return IRQ_HANDLED;
}
@@ -130,21 +131,14 @@ static const struct gpio ams_delta_gpios[]
__initconst_or_module = {
static int ams_delta_serio_init(struct platform_device *pdev)
{
+ struct ams_delta_serio *priv;
+ struct serio *serio;
int err;
- ams_delta_serio = kzalloc(sizeof(struct serio), GFP_KERNEL);
- if (!ams_delta_serio)
+ priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
+ if (!priv)
return -ENOMEM;
- ams_delta_serio->id.type = SERIO_8042;
- ams_delta_serio->open = ams_delta_serio_open;
- ams_delta_serio->close = ams_delta_serio_close;
- strlcpy(ams_delta_serio->name, "AMS DELTA keyboard adapter",
- sizeof(ams_delta_serio->name));
- strlcpy(ams_delta_serio->phys, dev_name(&pdev->dev),
- sizeof(ams_delta_serio->phys));
- ams_delta_serio->dev.parent = &pdev->dev;
-
err = gpio_request_array(ams_delta_gpios,
ARRAY_SIZE(ams_delta_gpios));
if (err) {
@@ -154,7 +148,7 @@ static int ams_delta_serio_init(struct platform_device
*pdev)
err = request_irq(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK),
ams_delta_serio_interrupt, IRQ_TYPE_EDGE_RISING,
- DRIVER_NAME, 0);
+ DRIVER_NAME, priv);
if (err < 0) {
dev_err(&pdev->dev, "IRQ request failed (%d)\n", err);
goto gpio;
@@ -167,21 +161,44 @@ static int ams_delta_serio_init(struct platform_device
*pdev)
irq_set_handler(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK),
handle_simple_irq);
- serio_register_port(ams_delta_serio);
- dev_info(&ams_delta_serio->dev, "%s\n", ams_delta_serio->name);
+ serio = kzalloc(sizeof(*serio), GFP_KERNEL);
+ if (!serio) {
+ err = -ENOMEM;
+ goto irq;
+ }
+
+ priv->serio = serio;
+
+ serio->id.type = SERIO_8042;
+ serio->open = ams_delta_serio_open;
+ serio->close = ams_delta_serio_close;
+ strlcpy(serio->name, "AMS DELTA keyboard adapter", sizeof(serio->name));
+ strlcpy(serio->phys, dev_name(&pdev->dev), sizeof(serio->phys));
+ serio->dev.pa
[PATCH 08/10] ARM: OMAP1: Get rid of
Split the header file into two parts and move them to directories where
they belong.
Information on internal structure of FIQ buffer is moved to
, to be used by ams-delta-serio
driver.
Other information used by ams-delta board init file and FIQ code is
made local to mach-omap1 root directory.
Signed-off-by: Janusz Krzysztofik
---
MAINTAINERS| 1 +
arch/arm/mach-omap1/ams-delta-fiq-handler.S| 5 +--
arch/arm/mach-omap1/ams-delta-fiq.c| 7 ++--
arch/arm/mach-omap1/ams-delta-fiq.h| 41 ++
arch/arm/mach-omap1/board-ams-delta.c | 2 +-
drivers/input/serio/ams_delta_serio.c | 3 +-
.../linux/platform_data}/ams-delta-fiq.h | 27 +++---
7 files changed, 56 insertions(+), 30 deletions(-)
create mode 100644 arch/arm/mach-omap1/ams-delta-fiq.h
rename {arch/arm/mach-omap1/include/mach =>
include/linux/platform_data}/ams-delta-fiq.h (71%)
diff --git a/MAINTAINERS b/MAINTAINERS
index 14fbc6e94774..c487348da38c 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -10391,6 +10391,7 @@ F: arch/arm/plat-omap/
F: arch/arm/configs/omap1_defconfig
F: drivers/i2c/busses/i2c-omap.c
F: include/linux/platform_data/i2c-omap.h
+F: include/linux/platform_data/ams-delta-fiq.h
OMAP2+ SUPPORT
M: Tony Lindgren
diff --git a/arch/arm/mach-omap1/ams-delta-fiq-handler.S
b/arch/arm/mach-omap1/ams-delta-fiq-handler.S
index bf608441b357..ddc27638ba2a 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq-handler.S
+++ b/arch/arm/mach-omap1/ams-delta-fiq-handler.S
@@ -14,11 +14,12 @@
*/
#include
-#include
+#include
+#include
#include
-#include
+#include "ams-delta-fiq.h"
#include "iomap.h"
#include "soc.h"
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c
b/arch/arm/mach-omap1/ams-delta-fiq.c
index 5a6c59ac9b5f..e72935034d42 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.c
+++ b/arch/arm/mach-omap1/ams-delta-fiq.c
@@ -19,12 +19,13 @@
#include
#include
#include
+#include
#include
#include
-#include
+#include "ams-delta-fiq.h"
static struct fiq_handler fh = {
.name = "ams-delta-fiq"
@@ -35,8 +36,8 @@ static struct fiq_handler fh = {
* The FIQ and IRQ isrs can both read and write it.
* It is structured as a header section several 32bit slots,
* followed by the circular buffer where the FIQ isr stores
- * keystrokes received from the qwerty keyboard.
- * See ams-delta-fiq.h for details of offsets.
+ * keystrokes received from the qwerty keyboard. See
+ * for details of offsets.
*/
unsigned int fiq_buffer[1024];
EXPORT_SYMBOL(fiq_buffer);
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.h
b/arch/arm/mach-omap1/ams-delta-fiq.h
new file mode 100644
index ..3f691d68aa62
--- /dev/null
+++ b/arch/arm/mach-omap1/ams-delta-fiq.h
@@ -0,0 +1,41 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+
+/*
+ * arch/arm/mach-omap1/ams-delta-fiq.h
+ *
+ * Taken from the original Amstrad modifications to fiq.h
+ *
+ * Copyright (c) 2004 Amstrad Plc
+ * Copyright (c) 2006 Matt Callow
+ * Copyright (c) 2010 Janusz Krzysztofik
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#ifndef __AMS_DELTA_FIQ_H
+#define __AMS_DELTA_FIQ_H
+
+#include
+
+/*
+ * Interrupt number used for passing control from FIQ to IRQ.
+ * IRQ12, described as reserved, has been selected.
+ */
+#define INT_DEFERRED_FIQ INT_1510_RES12
+/*
+ * Base address of an interrupt handler that the INT_DEFERRED_FIQ belongs to.
+ */
+#if (INT_DEFERRED_FIQ < IH2_BASE)
+#define DEFERRED_FIQ_IH_BASE OMAP_IH1_BASE
+#else
+#define DEFERRED_FIQ_IH_BASE OMAP_IH2_BASE
+#endif
+
+#ifndef __ASSEMBLER__
+extern unsigned char qwerty_fiqin_start, qwerty_fiqin_end;
+
+extern void __init ams_delta_init_fiq(struct gpio_chip *chip);
+#endif
+
+#endif
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index f15c0793c34b..fe9a3e7cbfeb 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -41,10 +41,10 @@
#include
#include
-#include
#include "camera.h"
#include
+#include "ams-delta-fiq.h"
#include "iomap.h"
#include "common.h"
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index a83d8b3cd838..5d0bd2005648 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -22,6 +22,7 @@
*/
#include
#include
+#include
#include
#include
#include
@@ -30,8 +31,6 @@
#include
-#include
-
#define DRIVER_NAME"ams-delta-serio"
MODULE_AUTHOR("Matt Callow");
diff --git a/arch/arm/mach-omap1/include/mach/ams-delta-fiq.h
b/include/linux/platform_data/ams-delta-fiq.h
similarity index 71%
rename from arch/arm/mach-omap1/include/mach/ams-delta-fiq.h
r
[PATCH 06/10] ARM: OMAP1: ams-delta FIQ: don't use static GPIO numbers
With introduction of GPIO lookup tables to Amstrad Delta board init
file, semantics of symbols representing OMAP GPIO pins defined in
changed from statically assigned global GPIO
numbers to hardware pin numbers local to OMAP "gpio-0-15" chip.
This patch modifies deferred FIQ interrupt handler so it no longer uses
static GPIO numbers in favour of IRQ data descriptors obtained at FIQ
initialization time from descriptor of the GPIO chip with use of its
hardware pin numbers. The chip descriptor is passed from the board
init file.
As a benefit, the deferred FIQ handler should work faster.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/ams-delta-fiq.c | 48 +---
arch/arm/mach-omap1/board-ams-delta.c| 41 +++-
arch/arm/mach-omap1/include/mach/ams-delta-fiq.h | 2 +-
3 files changed, 74 insertions(+), 17 deletions(-)
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c
b/arch/arm/mach-omap1/ams-delta-fiq.c
index d7ca9e2b40d2..1d54a6177f14 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.c
+++ b/arch/arm/mach-omap1/ams-delta-fiq.c
@@ -13,7 +13,8 @@
* under the terms of the GNU General Public License version 2 as published by
* the Free Software Foundation.
*/
-#include
+#include
+#include
#include
#include
#include
@@ -40,14 +41,14 @@ static struct fiq_handler fh = {
unsigned int fiq_buffer[1024];
EXPORT_SYMBOL(fiq_buffer);
+static struct irq_chip *irq_chip;
+static struct irq_data *irq_data[16];
static unsigned int irq_counter[16];
static irqreturn_t deferred_fiq(int irq, void *dev_id)
{
+ struct irq_data *d;
int gpio, irq_num, fiq_count;
- struct irq_chip *irq_chip;
-
- irq_chip = irq_get_chip(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK));
/*
* For each handled GPIO interrupt, keep calling its interrupt handler
@@ -55,24 +56,21 @@ static irqreturn_t deferred_fiq(int irq, void *dev_id)
*/
for (gpio = AMS_DELTA_GPIO_PIN_KEYBRD_CLK;
gpio <= AMS_DELTA_GPIO_PIN_HOOK_SWITCH; gpio++) {
- irq_num = gpio_to_irq(gpio);
+ d = irq_data[gpio];
+ irq_num = d->irq;
fiq_count = fiq_buffer[FIQ_CNT_INT_00 + gpio];
if (irq_counter[gpio] < fiq_count &&
gpio != AMS_DELTA_GPIO_PIN_KEYBRD_CLK) {
- struct irq_data *d = irq_get_irq_data(irq_num);
-
/*
* handle_simple_irq() that OMAP GPIO edge
* interrupts default to since commit 80ac93c27441
* requires interrupt already acked and unmasked.
*/
- if (irq_chip) {
- if (irq_chip->irq_ack)
- irq_chip->irq_ack(d);
- if (irq_chip->irq_unmask)
- irq_chip->irq_unmask(d);
- }
+ if (irq_chip->irq_ack)
+ irq_chip->irq_ack(d);
+ if (irq_chip->irq_unmask)
+ irq_chip->irq_unmask(d);
}
for (; irq_counter[gpio] < fiq_count; irq_counter[gpio]++)
generic_handle_irq(irq_num);
@@ -80,14 +78,36 @@ static irqreturn_t deferred_fiq(int irq, void *dev_id)
return IRQ_HANDLED;
}
-void __init ams_delta_init_fiq(void)
+void __init ams_delta_init_fiq(struct gpio_chip *chip)
{
+ struct gpio_desc *gpiod;
void *fiqhandler_start;
unsigned int fiqhandler_length;
struct pt_regs FIQ_regs;
unsigned long val, offset;
int i, retval;
+ /* Store irq_chip location for IRQ handler use */
+ irq_chip = chip->irq.chip;
+ if (!irq_chip) {
+ pr_err("%s: GPIO chip %s is missing IRQ function\n", __func__,
+ chip->label);
+ return;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(irq_data); i++) {
+ gpiod = gpiochip_request_own_desc(chip, i, NULL);
+ if (IS_ERR(gpiod)) {
+ pr_err("%s: failed to get GPIO pin %d (%ld)\n",
+ __func__, i, PTR_ERR(gpiod));
+ return;
+ }
+ /* Store irq_data location for IRQ handler use */
+ irq_data[i] = irq_get_irq_data(gpiod_to_irq(gpiod));
+
+ gpiochip_free_own_desc(gpiod);
+ }
+
fiqhandler_start = &qwerty_fiqin_start;
fiqhandler_length = &qwerty_fiqin_end - &qwerty_fiqin_start;
pr_info("Installing fiq handler from %p, length 0x%x\n",
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 2821284aa0c9..f15c0793c34b 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-a
[PATCH 04/10] Input: ams_delta_serio: Replace power GPIO with regulator
Modify the driver so it no longer requests and manipulates the
"keybrd_pwr" GPIO pin but a "vcc" regulator supply instead.
For this to work with Amstrad Delta, define a regulator over the
"keybrd_pwr" GPIO pin with the "vcc" supply for ams-delta-serio device
and register it from the board file. Both assign an absulute GPIO
number to the soon depreciated .gpio member of the regulator config
structure, and also build and register a GPIO lookup table so it is
ready for use by the regulator driver as soon as its upcoming update
is applied.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/board-ams-delta.c | 63 +--
drivers/input/serio/ams_delta_serio.c | 27 ++-
2 files changed, 79 insertions(+), 11 deletions(-)
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 2119d2d3ba84..706eb2f9301d 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -509,6 +509,46 @@ static struct platform_device ams_delta_serio_device = {
.id = PLATFORM_DEVID_NONE,
};
+static struct regulator_consumer_supply keybrd_pwr_consumers[] = {
+ /*
+* Initialize supply .dev_name with NULL. It will be replaced
+* with serio dev_name() as soon as the serio device is registered.
+*/
+ REGULATOR_SUPPLY("vcc", NULL),
+};
+
+static struct regulator_init_data keybrd_pwr_initdata = {
+ .constraints= {
+ .valid_ops_mask = REGULATOR_CHANGE_STATUS,
+ },
+ .num_consumer_supplies = ARRAY_SIZE(keybrd_pwr_consumers),
+ .consumer_supplies = keybrd_pwr_consumers,
+};
+
+static struct fixed_voltage_config keybrd_pwr_config = {
+ .supply_name= "keybrd_pwr",
+ .microvolts = 500,
+ .gpio = AMS_DELTA_GPIO_PIN_KEYBRD_PWR,
+ .enable_high= 1,
+ .init_data = &keybrd_pwr_initdata,
+};
+
+static struct platform_device keybrd_pwr_device = {
+ .name = "reg-fixed-voltage",
+ .id = PLATFORM_DEVID_AUTO,
+ .dev= {
+ .platform_data = &keybrd_pwr_config,
+ },
+};
+
+static struct gpiod_lookup_table keybrd_pwr_gpio_table = {
+ .table = {
+ GPIO_LOOKUP(LATCH2_LABEL, LATCH2_PIN_KEYBRD_PWR, NULL,
+ GPIO_ACTIVE_HIGH),
+ { },
+ },
+};
+
static struct platform_device *ams_delta_devices[] __initdata = {
&latch1_gpio_device,
&latch2_gpio_device,
@@ -526,6 +566,7 @@ static struct platform_device *late_devices[] __initdata = {
static struct gpiod_lookup_table *ams_delta_gpio_tables[] __initdata = {
&ams_delta_audio_gpio_table,
+ &keybrd_pwr_gpio_table,
};
static struct gpiod_lookup_table *late_gpio_tables[] __initdata = {
@@ -566,12 +607,30 @@ static void __init ams_delta_init(void)
platform_add_devices(ams_delta_devices, ARRAY_SIZE(ams_delta_devices));
/*
-* As soon as devices have been registered, assign their dev_names
-* to respective GPIO lookup tables before they are added.
+* As soon as regulator consumers have been registered, assign their
+* dev_names to consumer supply entries of respective regulators.
+*/
+ keybrd_pwr_consumers[0].dev_name =
+ dev_name(&ams_delta_serio_device.dev);
+
+ /*
+* Once consumer supply entries are populated with dev_names,
+* register regulator devices. At this stage only the keyboard
+* power regulator has its consumer supply table fully populated.
+*/
+ platform_device_register(&keybrd_pwr_device);
+
+ /*
+* As soon as GPIO consumers have been registered, assign
+* their dev_names to respective GPIO lookup tables.
*/
ams_delta_audio_gpio_table.dev_id =
dev_name(&ams_delta_audio_device.dev);
+ keybrd_pwr_gpio_table.dev_id = dev_name(&keybrd_pwr_device.dev);
+ /*
+* Once GPIO lookup tables are populated with dev_names, register them.
+*/
gpiod_add_lookup_tables(ams_delta_gpio_tables,
ARRAY_SIZE(ams_delta_gpio_tables));
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index 551a4fa73fe4..d48beab1d00d 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -23,6 +23,7 @@
#include
#include
#include
+#include
#include
#include
#include
@@ -39,6 +40,7 @@ MODULE_LICENSE("GPL");
struct ams_delta_serio {
struct serio *serio;
+ struct regulator *vcc;
};
static int check_data(struct serio *serio, int data)
@@ -94,16 +96,18 @@ static irqreturn_t ams_delta_serio_interrupt(int irq, void
*dev_id)
static int ams_delta_serio_open(struct serio *serio)
{
- /* ena
[PATCH 10/10] Input: ams_delta_serio: Get FIQ buffer from platform_data
Instead of exporting the FIQ buffer symbol to be used in
ams-delta-serio driver, pass it to the driver as platform_data.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/ams-delta-fiq.c | 6 +++---
arch/arm/mach-omap1/board-ams-delta.c | 8
drivers/input/serio/ams_delta_serio.c | 20 +---
include/linux/platform_data/ams-delta-fiq.h | 4
4 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c
b/arch/arm/mach-omap1/ams-delta-fiq.c
index e9d350117240..983638994bd4 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.c
+++ b/arch/arm/mach-omap1/ams-delta-fiq.c
@@ -40,8 +40,7 @@ static struct fiq_handler fh = {
* keystrokes received from the qwerty keyboard. See
* for details of offsets.
*/
-unsigned int fiq_buffer[1024];
-EXPORT_SYMBOL(fiq_buffer);
+static unsigned int fiq_buffer[1024];
static struct irq_chip *irq_chip;
static struct irq_data *irq_data[16];
@@ -203,9 +202,10 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip,
val = omap_readl(OMAP_IH1_BASE + offset) | 1;
omap_writel(val, OMAP_IH1_BASE + offset);
- /* Initialize serio device IRQ resource */
+ /* Initialize serio device IRQ resource and platform_data */
serio->resource[0].start = gpiod_to_irq(clk);
serio->resource[0].end = serio->resource[0].start;
+ serio->dev.platform_data = fiq_buffer;
return;
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 84177ba3e39a..772892487827 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -520,6 +520,14 @@ static struct resource ams_delta_serio_resources[] = {
static struct platform_device ams_delta_serio_device = {
.name = "ams-delta-serio",
.id = PLATFORM_DEVID_NONE,
+ .dev= {
+ /*
+* Initialize .platform_data explicitly with NULL to
+* indicate it is going to be used. It will be replaced
+* with FIQ buffer address as soon as FIQ is initialized.
+*/
+ .platform_data = NULL,
+ },
.num_resources = ARRAY_SIZE(ams_delta_serio_resources),
.resource = ams_delta_serio_resources,
};
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index 03640b171516..ee38c5140f43 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -37,6 +37,7 @@ MODULE_LICENSE("GPL");
struct ams_delta_serio {
struct serio *serio;
struct regulator *vcc;
+ unsigned int *fiq_buffer;
};
static int check_data(struct serio *serio, int data)
@@ -66,22 +67,23 @@ static int check_data(struct serio *serio, int data)
static irqreturn_t ams_delta_serio_interrupt(int irq, void *dev_id)
{
struct ams_delta_serio *priv = dev_id;
- int *circ_buff = &fiq_buffer[FIQ_CIRC_BUFF];
+ int *circ_buff = &priv->fiq_buffer[FIQ_CIRC_BUFF];
int data, dfl;
u8 scancode;
- fiq_buffer[FIQ_IRQ_PEND] = 0;
+ priv->fiq_buffer[FIQ_IRQ_PEND] = 0;
/*
* Read data from the circular buffer, check it
* and then pass it on the serio
*/
- while (fiq_buffer[FIQ_KEYS_CNT] > 0) {
+ while (priv->fiq_buffer[FIQ_KEYS_CNT] > 0) {
- data = circ_buff[fiq_buffer[FIQ_HEAD_OFFSET]++];
- fiq_buffer[FIQ_KEYS_CNT]--;
- if (fiq_buffer[FIQ_HEAD_OFFSET] == fiq_buffer[FIQ_BUF_LEN])
- fiq_buffer[FIQ_HEAD_OFFSET] = 0;
+ data = circ_buff[priv->fiq_buffer[FIQ_HEAD_OFFSET]++];
+ priv->fiq_buffer[FIQ_KEYS_CNT]--;
+ if (priv->fiq_buffer[FIQ_HEAD_OFFSET] ==
+ priv->fiq_buffer[FIQ_BUF_LEN])
+ priv->fiq_buffer[FIQ_HEAD_OFFSET] = 0;
dfl = check_data(priv->serio, data);
scancode = (u8) (data >> 1) & 0xFF;
@@ -116,6 +118,10 @@ static int ams_delta_serio_init(struct platform_device
*pdev)
if (!priv)
return -ENOMEM;
+ priv->fiq_buffer = pdev->dev.platform_data;
+ if (!priv->fiq_buffer)
+ return -EINVAL;
+
priv->vcc = devm_regulator_get(&pdev->dev, "vcc");
if (IS_ERR(priv->vcc)) {
err = PTR_ERR(priv->vcc);
diff --git a/include/linux/platform_data/ams-delta-fiq.h
b/include/linux/platform_data/ams-delta-fiq.h
index dc0f835ea918..cf4589ccb720 100644
--- a/include/linux/platform_data/ams-delta-fiq.h
+++ b/include/linux/platform_data/ams-delta-fiq.h
@@ -55,8 +55,4 @@
#define FIQ_CIRC_BUFF 30 /*Start of circular buffer */
-#ifndef __ASSEMBLER__
-extern unsigned int fiq_buffer[];
-#endif
-
#endif
--
2.16.1
[PATCH 09/10] Input: ams_delta_serio: use IRQ resource
The driver still obtains IRQ number from a hardcoded GPIO. Use IRQ
resource instead.
For this to work on Amstrad Delta, add the IRQ resource to
ams-delta-serio platform device structure. Obtain the IRQ number
assigned to "keyboard_clk" GPIO pin from FIQ initialization routine.
As a benefit, the driver no longer needs to include
.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/ams-delta-fiq.c | 8 +++-
arch/arm/mach-omap1/ams-delta-fiq.h | 3 ++-
arch/arm/mach-omap1/board-ams-delta.c | 17 -
drivers/input/serio/ams_delta_serio.c | 28 ++--
4 files changed, 35 insertions(+), 21 deletions(-)
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c
b/arch/arm/mach-omap1/ams-delta-fiq.c
index e72935034d42..e9d350117240 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.c
+++ b/arch/arm/mach-omap1/ams-delta-fiq.c
@@ -20,6 +20,7 @@
#include
#include
#include
+#include
#include
@@ -84,7 +85,8 @@ static irqreturn_t deferred_fiq(int irq, void *dev_id)
return IRQ_HANDLED;
}
-void __init ams_delta_init_fiq(struct gpio_chip *chip)
+void __init ams_delta_init_fiq(struct gpio_chip *chip,
+ struct platform_device *serio)
{
struct gpio_desc *gpiod, *data = NULL, *clk = NULL;
void *fiqhandler_start;
@@ -201,6 +203,10 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
val = omap_readl(OMAP_IH1_BASE + offset) | 1;
omap_writel(val, OMAP_IH1_BASE + offset);
+ /* Initialize serio device IRQ resource */
+ serio->resource[0].start = gpiod_to_irq(clk);
+ serio->resource[0].end = serio->resource[0].start;
+
return;
out_gpio:
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.h
b/arch/arm/mach-omap1/ams-delta-fiq.h
index 3f691d68aa62..fd76df3cce37 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.h
+++ b/arch/arm/mach-omap1/ams-delta-fiq.h
@@ -35,7 +35,8 @@
#ifndef __ASSEMBLER__
extern unsigned char qwerty_fiqin_start, qwerty_fiqin_end;
-extern void __init ams_delta_init_fiq(struct gpio_chip *chip);
+extern void __init ams_delta_init_fiq(struct gpio_chip *chip,
+ struct platform_device *pdev);
#endif
#endif
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index fe9a3e7cbfeb..84177ba3e39a 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -504,9 +504,24 @@ static struct platform_device cx20442_codec_device = {
.id = -1,
};
+static struct resource ams_delta_serio_resources[] = {
+ {
+ .flags = IORESOURCE_IRQ,
+ /*
+* Initialize IRQ resource with invalid IRQ number.
+* It will be replaced with dynamically allocated GPIO IRQ
+* obtained from GPIO chip as soon as the chip is available.
+*/
+ .start = -EINVAL,
+ .end= -EINVAL,
+ },
+};
+
static struct platform_device ams_delta_serio_device = {
.name = "ams-delta-serio",
.id = PLATFORM_DEVID_NONE,
+ .num_resources = ARRAY_SIZE(ams_delta_serio_resources),
+ .resource = ams_delta_serio_resources,
};
static struct regulator_consumer_supply keybrd_pwr_consumers[] = {
@@ -615,7 +630,7 @@ static void __init omap_gpio_deps_init(void)
return;
}
- ams_delta_init_fiq(chip);
+ ams_delta_init_fiq(chip, &ams_delta_serio_device);
}
static void __init ams_delta_init(void)
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index 5d0bd2005648..03640b171516 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -20,7 +20,6 @@
* However, when used with the E3 mailboard that producecs non-standard
* scancodes, a custom key table must be prepared and loaded from userspace.
*/
-#include
#include
#include
#include
@@ -29,8 +28,6 @@
#include
#include
-#include
-
#define DRIVER_NAME"ams-delta-serio"
MODULE_AUTHOR("Matt Callow");
@@ -113,7 +110,7 @@ static int ams_delta_serio_init(struct platform_device
*pdev)
{
struct ams_delta_serio *priv;
struct serio *serio;
- int err;
+ int irq, err;
priv = devm_kzalloc(&pdev->dev, sizeof(*priv), GFP_KERNEL);
if (!priv)
@@ -129,9 +126,12 @@ static int ams_delta_serio_init(struct platform_device
*pdev)
return err;
}
- err = request_irq(gpio_to_irq(AMS_DELTA_GPIO_PIN_KEYBRD_CLK),
- ams_delta_serio_interrupt, IRQ_TYPE_EDGE_RISING,
- DRIVER_NAME, priv);
+ irq = platform_get_irq(pdev, 0);
+ if (irq < 0)
+ return -ENXIO;
+
+ err = devm_request_irq(&pdev->dev, irq, ams_delta_serio_interrupt,
+ IRQ_TYPE_EDGE_RISING, DRIVER_NAME, priv);
[PATCH 07/10] ARM: OMAP1: ams-delta FIQ: Keep serio input GPIOs requested
>From the very beginning, input GPIO pins of ams-delta serio port have
been used by FIQ handler, not serio driver.
Don't request those pins from the ams-delta-serio driver any longer,
instead keep them requested and initialized by the FIQ initialization
routine which already requests them and releases while identifying GPIO
IRQs.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/ams-delta-fiq.c | 42 ++-
drivers/input/serio/ams_delta_serio.c | 30 ++---
2 files changed, 39 insertions(+), 33 deletions(-)
diff --git a/arch/arm/mach-omap1/ams-delta-fiq.c
b/arch/arm/mach-omap1/ams-delta-fiq.c
index 1d54a6177f14..5a6c59ac9b5f 100644
--- a/arch/arm/mach-omap1/ams-delta-fiq.c
+++ b/arch/arm/mach-omap1/ams-delta-fiq.c
@@ -45,6 +45,11 @@ static struct irq_chip *irq_chip;
static struct irq_data *irq_data[16];
static unsigned int irq_counter[16];
+static const char *pin_name[16] __initconst = {
+ [AMS_DELTA_GPIO_PIN_KEYBRD_DATA]= "keybrd_data",
+ [AMS_DELTA_GPIO_PIN_KEYBRD_CLK] = "keybrd_clk",
+};
+
static irqreturn_t deferred_fiq(int irq, void *dev_id)
{
struct irq_data *d;
@@ -80,7 +85,7 @@ static irqreturn_t deferred_fiq(int irq, void *dev_id)
void __init ams_delta_init_fiq(struct gpio_chip *chip)
{
- struct gpio_desc *gpiod;
+ struct gpio_desc *gpiod, *data = NULL, *clk = NULL;
void *fiqhandler_start;
unsigned int fiqhandler_length;
struct pt_regs FIQ_regs;
@@ -96,7 +101,7 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
}
for (i = 0; i < ARRAY_SIZE(irq_data); i++) {
- gpiod = gpiochip_request_own_desc(chip, i, NULL);
+ gpiod = gpiochip_request_own_desc(chip, i, pin_name[i]);
if (IS_ERR(gpiod)) {
pr_err("%s: failed to get GPIO pin %d (%ld)\n",
__func__, i, PTR_ERR(gpiod));
@@ -105,8 +110,27 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
/* Store irq_data location for IRQ handler use */
irq_data[i] = irq_get_irq_data(gpiod_to_irq(gpiod));
- gpiochip_free_own_desc(gpiod);
+ /*
+* FIQ handler takes full control over serio data and clk GPIO
+* pins. Initiaize them and keep requested so nobody can
+* interfere. Fail if any of those two couldn't be requested.
+*/
+ switch (i) {
+ case AMS_DELTA_GPIO_PIN_KEYBRD_DATA:
+ data = gpiod;
+ gpiod_direction_input(data);
+ break;
+ case AMS_DELTA_GPIO_PIN_KEYBRD_CLK:
+ clk = gpiod;
+ gpiod_direction_input(clk);
+ break;
+ default:
+ gpiochip_free_own_desc(gpiod);
+ break;
+ }
}
+ if (!data || !clk)
+ goto out_gpio;
fiqhandler_start = &qwerty_fiqin_start;
fiqhandler_length = &qwerty_fiqin_end - &qwerty_fiqin_start;
@@ -117,7 +141,7 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
if (retval) {
pr_err("ams_delta_init_fiq(): couldn't claim FIQ, ret=%d\n",
retval);
- return;
+ goto out_gpio;
}
retval = request_irq(INT_DEFERRED_FIQ, deferred_fiq,
@@ -125,7 +149,7 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
if (retval < 0) {
pr_err("Failed to get deferred_fiq IRQ, ret=%d\n", retval);
release_fiq(&fh);
- return;
+ goto out_gpio;
}
/*
* Since no set_type() method is provided by OMAP irq chip,
@@ -175,4 +199,12 @@ void __init ams_delta_init_fiq(struct gpio_chip *chip)
offset = IRQ_ILR0_REG_OFFSET + (INT_GPIO_BANK1 - NR_IRQS_LEGACY) * 0x4;
val = omap_readl(OMAP_IH1_BASE + offset) | 1;
omap_writel(val, OMAP_IH1_BASE + offset);
+
+ return;
+
+out_gpio:
+ if (data)
+ gpiochip_free_own_desc(data);
+ if (clk)
+ gpiochip_free_own_desc(clk);
}
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index 0b4d5a952ecb..a83d8b3cd838 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -110,19 +110,6 @@ static void ams_delta_serio_close(struct serio *serio)
regulator_disable(priv->vcc);
}
-static const struct gpio ams_delta_gpios[] __initconst_or_module = {
- {
- .gpio = AMS_DELTA_GPIO_PIN_KEYBRD_DATA,
- .flags = GPIOF_DIR_IN,
- .label = "serio-data",
- },
- {
- .gpio = AMS_DELTA_GPIO_PIN_KEYBRD_CLK,
- .flags = GPIOF_DIR_IN,
-
[PATCH 05/10] ARM: OMAP1: ams-delta: Hog "keybrd_dataout" GPIO pin
"keybrd_dataout" GPIO pin used to be initialized by ams-delta-serio
driver to a state safe for ams-delta-serio device function and not
changed thereafter. As such, it may be assumed not under the driver
control and responsibility for its initialization handed over to board
init file.
Introduce a GPIO hog table and take over control of the
"keybrd_dataout" GPIO pin from the ams-delta-serio driver.
Signed-off-by: Janusz Krzysztofik
---
arch/arm/mach-omap1/board-ams-delta.c | 8
drivers/input/serio/ams_delta_serio.c | 5 -
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/arch/arm/mach-omap1/board-ams-delta.c
b/arch/arm/mach-omap1/board-ams-delta.c
index 706eb2f9301d..2821284aa0c9 100644
--- a/arch/arm/mach-omap1/board-ams-delta.c
+++ b/arch/arm/mach-omap1/board-ams-delta.c
@@ -574,6 +574,12 @@ static struct gpiod_lookup_table *late_gpio_tables[]
__initdata = {
&ams_delta_nand_gpio_table,
};
+static struct gpiod_hog ams_delta_gpio_hogs[] = {
+ GPIO_HOG(LATCH2_LABEL, LATCH2_PIN_KEYBRD_DATAOUT, "keybrd_dataout",
+GPIO_ACTIVE_HIGH, GPIOD_OUT_LOW),
+ {},
+};
+
static void __init ams_delta_init(void)
{
/* mux pins for uarts */
@@ -594,6 +600,8 @@ static void __init ams_delta_init(void)
omap_cfg_reg(J19_1610_CAM_D6);
omap_cfg_reg(J18_1610_CAM_D7);
+ gpiod_add_hogs(ams_delta_gpio_hogs);
+
omap_serial_init();
omap_register_i2c_bus(1, 100, NULL, 0);
diff --git a/drivers/input/serio/ams_delta_serio.c
b/drivers/input/serio/ams_delta_serio.c
index d48beab1d00d..0b4d5a952ecb 100644
--- a/drivers/input/serio/ams_delta_serio.c
+++ b/drivers/input/serio/ams_delta_serio.c
@@ -121,11 +121,6 @@ static const struct gpio ams_delta_gpios[]
__initconst_or_module = {
.flags = GPIOF_DIR_IN,
.label = "serio-clock",
},
- {
- .gpio = AMS_DELTA_GPIO_PIN_KEYBRD_DATAOUT,
- .flags = GPIOF_OUT_INIT_LOW,
- .label = "serio-dataout",
- },
};
static int ams_delta_serio_init(struct platform_device *pdev)
--
2.16.1
Re: [PATCH] staging: comedi: Improved readability of function comedi_nsamples_left.
On Sat, Jun 09, 2018 at 04:23:21PM +0200, Chris Opperman wrote: > Signed-off-by: Chris Opperman > --- > drivers/staging/comedi/drivers.c | 29 ++--- > 1 file changed, 14 insertions(+), 15 deletions(-) I can not take patches without any changelog text at all :(
Re: [Bug 199965] New: Memory management: BUG in kernel_restart
On Fri, Jun 08, 2018 at 03:15:08PM -0700, Andrew Morton wrote: > > (switched to email. Please respond via emailed reply-to-all, not via the > bugzilla web interface). > > On Thu, 07 Jun 2018 18:21:24 + bugzilla-dae...@bugzilla.kernel.org wrote: > > > https://bugzilla.kernel.org/show_bug.cgi?id=199965 > > > > Bug ID: 199965 > >Summary: Memory management: BUG in kernel_restart > >Product: Memory Management > >Version: 2.5 > > Kernel Version: 4.17.0 > > Hardware: All > > OS: Linux > > Tree: Mainline > > Status: NEW > > Severity: normal > > Priority: P1 > > Component: Other > > Assignee: a...@linux-foundation.org > > Reporter: m...@mlen.pl > > Regression: No > > > > Reboot randomly fails on 4.17.0 due to memory management issues. Worked > > fine on > > 4.16.13 > > Oh gee, there isn't much to go on here. Unknown kobject on > devices_kset() is in a crappy state during kernel restart. Greg, is > there something we can do to make that kobject_get() warning more > informative? Probably not. > > > > <4>[21100.397182] [ cut here ] > > <4>[21100.397185] kobject: '(null)' (47d32b91): is not initialized, > > yet > > kobject_get() is being called. I don't know how to get any more informative that this :) > > <4>[21100.397209] WARNING: CPU: 1 PID: 25848 at lib/kobject.c:593 > > kobject_get+0x21/0x32 > > <4>[21100.397211] Modules linked in: > > <4>[21100.397215] CPU: 1 PID: 25848 Comm: reboot Not tainted 4.17.0-gentoo > > #2 > > <4>[21100.397217] Hardware name: ASUSTeK COMPUTER INC. Z10PE-D16 > > WS/Z10PE-D16 > > WS, BIOS 3407 03/10/2017 > > <4>[21100.397219] RIP: 0010:kobject_get+0x21/0x32 > > <4>[21100.397220] RSP: 0018:a6c6cd9d3db0 EFLAGS: 00010296 > > <4>[21100.397223] RAX: RBX: 8d6af5012da8 RCX: > > 0002 > > <4>[21100.397225] RDX: 0003 RSI: 0003 RDI: > > > > <4>[21100.397227] RBP: 8d6af3dc9800 R08: baada7db872a R09: > > 8d69a1bc5cd8 > > <4>[21100.397228] R10: a6c6cd9d3ce8 R11: a7264f7d R12: > > 8d6af50099a0 > > <4>[21100.397230] R13: a57dfb43 R14: 8d6af3dc8060 R15: > > > > <4>[21100.397232] FS: 7efef9e42500() GS:8d6afd80() > > knlGS: > > <4>[21100.397233] CS: 0010 DS: ES: CR0: 80050033 > > <4>[21100.397235] CR2: 561f1e29c4d8 CR3: 0010277fc005 CR4: > > 003606e0 > > <4>[21100.397237] DR0: DR1: DR2: > > > > <4>[21100.397238] DR3: DR6: fffe0ff0 DR7: > > 0400 > > <4>[21100.397240] Call Trace: > > <4>[21100.397246] get_device+0x16/0x1b > > <4>[21100.397249] device_shutdown+0x48/0x1a3 > > <4>[21100.397256] kernel_restart+0xe/0x4d > > <4>[21100.397259] __do_sys_reboot+0x168/0x1c5 > > <4>[21100.397264] ? sched_clock_cpu+0x10/0xb4 > > <4>[21100.397266] ? sched_clock_cpu+0x10/0xb4 > > <4>[21100.397270] ? cycles_2_ns+0x55/0x75 > > <4>[21100.397276] ? task_work_run+0x63/0x8a > > <4>[21100.397284] ? _raw_spin_unlock_irq+0x2f/0x41 > > <4>[21100.397287] ? task_work_run+0x63/0x8a > > <4>[21100.397292] do_syscall_64+0x5e/0x6c > > <4>[21100.397295] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Here's the full callstack, but yeah, it's not very obvious as to what device is having the problem, which isn't good. I don't know what to suggest here. Does 'git bisect' help out to narrow down the problem? thanks, greg k-h
[tip:x86/urgent] x86/intel_rdt: Enable CMT and MBM on new Skylake stepping
Commit-ID: 1d9f3e20a56d33e55748552aeec597f58542f92d
Gitweb: https://git.kernel.org/tip/1d9f3e20a56d33e55748552aeec597f58542f92d
Author: Tony Luck
AuthorDate: Fri, 8 Jun 2018 09:07:32 -0700
Committer: Thomas Gleixner
CommitDate: Sat, 9 Jun 2018 16:04:34 +0200
x86/intel_rdt: Enable CMT and MBM on new Skylake stepping
New stepping of Skylake has fixes for cache occupancy and memory
bandwidth monitoring.
Update the code to enable these by default on newer steppings.
Signed-off-by: Tony Luck
Signed-off-by: Thomas Gleixner
Cc: Fenghua Yu
Cc: sta...@vger.kernel.org # v4.14
Cc: Vikas Shivappa
Link: https://lkml.kernel.org/r/20180608160732.9842-1-tony.l...@intel.com
---
arch/x86/kernel/cpu/intel_rdt.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/x86/kernel/cpu/intel_rdt.c b/arch/x86/kernel/cpu/intel_rdt.c
index 589b948e6e01..316a8875bd90 100644
--- a/arch/x86/kernel/cpu/intel_rdt.c
+++ b/arch/x86/kernel/cpu/intel_rdt.c
@@ -821,6 +821,8 @@ static __init void rdt_quirks(void)
case INTEL_FAM6_SKYLAKE_X:
if (boot_cpu_data.x86_stepping <= 4)
set_rdt_options("!cmt,!mbmtotal,!mbmlocal,!l3cat");
+ else
+ set_rdt_options("!l3cat");
}
}
[GIT] IDE
Please pull to get these IDE updates. Primarily IRQ disabling avoidance changes from Sebastian Andrzej Siewior. Thanks! The following changes since commit 5037be168f0e4ee910602935b1180291082d3aac: Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux (2018-06-05 11:13:17 -0700) are available in the Git repository at: gitol...@ra.kernel.org:/pub/scm/linux/kernel/git/davem/ide.git for you to fetch changes up to 47b82e88180c3c6db795a43373beab47cb073f7a: ide: don't enable/disable interrupts in force threaded-IRQ mode (2018-06-05 16:26:47 -0400) Sebastian Andrzej Siewior (4): alim15x3: move irq-restore before pci_dev_put() ide: Handle irq disabling consistently ide: don't disable interrupts during kmap_atomic() ide: don't enable/disable interrupts in force threaded-IRQ mode drivers/ide/alim15x3.c | 2 +- drivers/ide/ide-io.c | 4 ++-- drivers/ide/ide-iops.c | 13 + drivers/ide/ide-taskfile.c | 10 +- kernel/irq/manage.c| 1 + 5 files changed, 14 insertions(+), 16 deletions(-)
[GIT] Sparc
There is a merge conflict here, just take the "HEAD" hunks and it will all work out. It's because I applied a signal code fix that was already merged and then other cleanups/changes happend on top. Other than that, this adds the privileged ADI driver from Tom Hromatka. Please pull, thanks a lot! The following changes since commit fff75eb2a08c2ac96404a2d79685668f3cf5a7a3: Merge tag 'errseq-v4.17' of git://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux (2018-04-30 16:53:40 -0700) are available in the Git repository at: gitol...@ra.kernel.org:/pub/scm/linux/kernel/git/davem/sparc.git for you to fetch changes up to 1c1ff29da6c86864e73b05d4301a2df1d161f2da: sparc: fix compat siginfo ABI regression (2018-06-05 11:29:42 -0700) David S. Miller (1): Merge branch 'adi-driver' Dmitry V. Levin (1): sparc: fix compat siginfo ABI regression Tom Hromatka (2): char: sparc64: Add privileged ADI driver selftests: sparc64: char: Selftest for privileged ADI driver arch/sparc/include/uapi/asm/siginfo.h | 7 - arch/sparc/kernel/traps_32.c| 2 +- arch/sparc/kernel/traps_64.c| 2 +- drivers/char/Kconfig| 12 ++ drivers/char/Makefile | 1 + drivers/char/adi.c | 239 +++ tools/testing/selftests/Makefile| 1 + tools/testing/selftests/sparc64/Makefile| 46 ++ tools/testing/selftests/sparc64/drivers/.gitignore | 1 + tools/testing/selftests/sparc64/drivers/Makefile| 15 ++ tools/testing/selftests/sparc64/drivers/adi-test.c | 721 ++ tools/testing/selftests/sparc64/drivers/drivers_test.sh | 30 tools/testing/selftests/sparc64/run.sh | 3 + 13 files changed, 1071 insertions(+), 9 deletions(-) create mode 100644 drivers/char/adi.c create mode 100644 tools/testing/selftests/sparc64/Makefile create mode 100644 tools/testing/selftests/sparc64/drivers/.gitignore create mode 100644 tools/testing/selftests/sparc64/drivers/Makefile create mode 100644 tools/testing/selftests/sparc64/drivers/adi-test.c create mode 100755 tools/testing/selftests/sparc64/drivers/drivers_test.sh create mode 100755 tools/testing/selftests/sparc64/run.sh
Re: [PATCH] samples: mbochs: add DMA_SHARED_BUFFER dependency
On Wed, 30 May 2018 23:37:31 +0200
Arnd Bergmann wrote:
> The new bochs vbe sample fails to link when DMA_SHARED_BUFFER is
> disabled:
>
> ERROR: "dma_buf_export" [samples/vfio-mdev/mbochs.ko] undefined!
> ERROR: "dma_buf_fd" [samples/vfio-mdev/mbochs.ko] undefined!
>
> This uses a 'select' statement to enable that framework, like all
> other users do.
>
> Fixes: 8021194eb3da ("sample: vfio bochs vbe display (host device for
> bochs-drm)")
> Signed-off-by: Arnd Bergmann
> ---
> samples/Kconfig | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/samples/Kconfig b/samples/Kconfig
> index 3aeaaca77831..bd133efc1a56 100644
> --- a/samples/Kconfig
> +++ b/samples/Kconfig
> @@ -135,6 +135,7 @@ config SAMPLE_VFIO_MDEV_MDPY_FB
> config SAMPLE_VFIO_MDEV_MBOCHS
> tristate "Build VFIO mdpy example mediated device sample code --
> loadable modules only"
> depends on VFIO_MDEV_DEVICE && m
> + select DMA_SHARED_BUFFER
> help
> Build a virtual display sample driver for use as a VFIO
> mediated device. It supports the region display interface
Almost missed this one. Applied to my next branch for v4.18, also
updated the referenced commit ID as I've had to rebase to account for
a reverted patch in the base. Thanks,
Alex
[PATCH 4.17 01/15] netfilter: nf_flow_table: attach dst to skbs
4.17-stable review patch. If anyone has any objections, please let me know. -- From: Jason A. Donenfeld commit 2a79fd3908acd88e6cb0e620c314d7b1fee56a02 upstream. Some drivers, such as vxlan and wireguard, use the skb's dst in order to determine things like PMTU. They therefore loose functionality when flow offloading is enabled. So, we ensure the skb has it before xmit'ing it in the offloading path. Signed-off-by: Jason A. Donenfeld Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/ipv4/netfilter/nf_flow_table_ipv4.c |5 +++-- net/ipv6/netfilter/nf_flow_table_ipv6.c |1 + 2 files changed, 4 insertions(+), 2 deletions(-) --- a/net/ipv4/netfilter/nf_flow_table_ipv4.c +++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c @@ -213,7 +213,7 @@ nf_flow_offload_ip_hook(void *priv, stru enum flow_offload_tuple_dir dir; struct flow_offload *flow; struct net_device *outdev; - const struct rtable *rt; + struct rtable *rt; struct iphdr *iph; __be32 nexthop; @@ -234,7 +234,7 @@ nf_flow_offload_ip_hook(void *priv, stru dir = tuplehash->tuple.dir; flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]); - rt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache; + rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache; if (unlikely(nf_flow_exceeds_mtu(skb, rt))) return NF_ACCEPT; @@ -251,6 +251,7 @@ nf_flow_offload_ip_hook(void *priv, stru skb->dev = outdev; nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb); return NF_STOLEN; --- a/net/ipv6/netfilter/nf_flow_table_ipv6.c +++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c @@ -243,6 +243,7 @@ nf_flow_offload_ipv6_hook(void *priv, st skb->dev = outdev; nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6); + skb_dst_set_noref(skb, &rt->dst); neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb); return NF_STOLEN;
[PATCH 4.17 10/15] sctp: not allow transport timeout value less than HZ/5 for hb_timer
4.17-stable review patch. If anyone has any objections, please let me know. -- From: Xin Long [ Upstream commit 1d88ba1ebb2763aa86172cd7ca05dedbeccc0d35 ] syzbot reported a rcu_sched self-detected stall on CPU which is caused by too small value set on rto_min with SCTP_RTOINFO sockopt. With this value, hb_timer will get stuck there, as in its timer handler it starts this timer again with this value, then goes to the timer handler again. This problem is there since very beginning, and thanks to Eric for the reproducer shared from a syzbot mail. This patch fixes it by not allowing sctp_transport_timeout to return a smaller value than HZ/5 for hb_timer, which is based on TCP's min rto. Note that it doesn't fix this issue by limiting rto_min, as some users are still using small rto and no proper value was found for it yet. Reported-by: syzbot+3dcd59a1f907245f8...@syzkaller.appspotmail.com Suggested-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/transport.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -634,7 +634,7 @@ unsigned long sctp_transport_timeout(str trans->state != SCTP_PF) timeout += trans->hbinterval; - return timeout; + return max_t(unsigned long, timeout, HZ / 5); } /* Reset transport variables to their initial values */
[PATCH 4.17 08/15] net/packet: refine check for priv area size
4.17-stable review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
syzbot was able to trick af_packet again [1]
Various commits tried to address the problem in the past,
but failed to take into account V3 header size.
[1]
tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016
[inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0
net/packet/af_packet.c:1039
Write of size 2 at addr 8801cb62000e by task kworker/1:2/2106
CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
__packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
xmit_one net/core/dev.c:3049 [inline]
dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
__dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
neigh_output include/net/neighbour.h:482 [inline]
ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
NF_HOOK include/linux/netfilter.h:288 [inline]
ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:240
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
The buggy address belongs to the page:
page:ea00072d8800 count:0 mapcount:-127 mapping:
index:0x8801cb620e80
flags: 0x2fffc00()
raw: 02fffc00 8801cb620e80 ff80
raw: ea00072e3820 ea0007132d20 0002
page dumped because: kasan: bad access detected
Memory state around the buggy address:
8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8801cb62: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/packet/af_packet.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4282,7 +4282,7 @@ static int packet_set_ring(struct sock *
goto out;
if (po->tp_version >= TPACKET_V3 &&
req->tp_block_size <=
- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) +
sizeof(struct tpacket3_hdr))
goto out;
if (unlikely(req->tp_frame_size < po->tp_hdrlen +
po->tp_reserve))
[PATCH 4.17 06/15] netdev-FAQ: clarify DaveMs position for stable backports
4.17-stable review patch. If anyone has any objections, please let me know. -- From: Cong Wang [ Upstream commit 75d4e704fa8d2cf33ff295e5b441317603d7f9fd ] Per discussion with David at netconf 2018, let's clarify DaveM's position of handling stable backports in netdev-FAQ. This is important for people relying on upstream -stable releases. Cc: Greg Kroah-Hartman Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- Documentation/networking/netdev-FAQ.txt |9 + 1 file changed, 9 insertions(+) --- a/Documentation/networking/netdev-FAQ.txt +++ b/Documentation/networking/netdev-FAQ.txt @@ -179,6 +179,15 @@ A: No. See above answer. In short, if dash marker line as described in Documentation/process/submitting-patches.rst to temporarily embed that information into the patch that you send. +Q: Are all networking bug fixes backported to all stable releases? + +A: Due to capacity, Dave could only take care of the backports for the last + 2 stable releases. For earlier stable releases, each stable branch maintainer + is supposed to take care of them. If you find any patch is missing from an + earlier stable branch, please notify sta...@vger.kernel.org with either a + commit ID or a formal patch backported, and CC Dave and other relevant + networking developers. + Q: Someone said that the comment style and coding convention is different for the networking content. Is this true?
[PATCH 4.17 02/15] bnx2x: use the right constant
4.17-stable review patch. If anyone has any objections, please let me know.
--
From: Julia Lawall
[ Upstream commit dd612f18a49b63af8b3a5f572d999bdb197385bc ]
Nearby code that also tests port suggests that the P0 constant should be
used when port is zero.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
//
@@
expression e,e1;
@@
* e ? e1 : e1
//
Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -588,7 +588,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
* slots for the highest priority.
*/
REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
- NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+ NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
/* Mapping between the CREDIT_WEIGHT registers and actual client
* numbers
*/
[PATCH 4.17 09/15] rtnetlink: validate attributes in do_setlink()
4.17-stable review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet [ Upstream commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae ] It seems that rtnl_group_changelink() can call do_setlink while a prior call to validate_linkmsg(dev = NULL, ...) could not validate IFLA_ADDRESS / IFLA_BROADCAST Make sure do_setlink() calls validate_linkmsg() instead of letting its callers having this responsibility. With help from Dmitry Vyukov, thanks a lot ! BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline] BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686 is_valid_ether_addr include/linux/etherdevice.h:199 [inline] eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 dev_set_mac_address+0x261/0x530 net/core/dev.c:7157 do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x455a09 RSP: 002b:7fc07480ec68 EFLAGS: 0246 ORIG_RAX: 002e RAX: ffda RBX: 7fc07480f6d4 RCX: 00455a09 RDX: RSI: 23c0 RDI: 0014 RBP: 0072bea0 R08: R09: R10: R11: 0246 R12: R13: 05d0 R14: 006fdc20 R15: Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] kmsan_save_stack mm/kmsan/kmsan.c:294 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478 do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2753 [inline] __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:988 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: e7ed
[PATCH 4.17 04/15] ipv6: omit traffic class when calculating flow hash
4.17-stable review patch. If anyone has any objections, please let me know.
--
From: Michal Kubecek
[ Upstream commit fa1be7e01ea863e911349e30456706749518eeab ]
Some of the code paths calculating flow hash for IPv6 use flowlabel member
of struct flowi6 which, despite its name, encodes both flow label and
traffic class. If traffic class changes within a TCP connection (as e.g.
ssh does), ECMP route can switch between path. It's also inconsistent with
other code paths where ip6_flowlabel() (returning only flow label) is used
to feed the key.
Use only flow label everywhere, including one place where hash key is set
using ip6_flowinfo().
Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
Fixes: f70ea018da06 ("net: Add functions to get skb->hash based on flow
structures")
Signed-off-by: Michal Kubecek
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
include/net/ipv6.h|5 +
net/core/flow_dissector.c |2 +-
net/ipv6/route.c |4 ++--
3 files changed, 8 insertions(+), 3 deletions(-)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -906,6 +906,11 @@ static inline __be32 ip6_make_flowinfo(u
return htonl(tclass << IPV6_TCLASS_SHIFT) | flowlabel;
}
+static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
+{
+ return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
+}
+
/*
* Prototypes exported by ipv6
*/
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1334,7 +1334,7 @@ __u32 __get_hash_from_flowi6(const struc
keys->ports.src = fl6->fl6_sport;
keys->ports.dst = fl6->fl6_dport;
keys->keyid.keyid = fl6->fl6_gre_key;
- keys->tags.flow_label = (__force u32)fl6->flowlabel;
+ keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
keys->basic.ip_proto = fl6->flowi6_proto;
return flow_hash_from_keys(keys);
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1868,7 +1868,7 @@ out:
} else {
keys->addrs.v6addrs.src = key_iph->saddr;
keys->addrs.v6addrs.dst = key_iph->daddr;
- keys->tags.flow_label = ip6_flowinfo(key_iph);
+ keys->tags.flow_label = ip6_flowlabel(key_iph);
keys->basic.ip_proto = key_iph->nexthdr;
}
}
@@ -1889,7 +1889,7 @@ u32 rt6_multipath_hash(const struct net
} else {
hash_keys.addrs.v6addrs.src = fl6->saddr;
hash_keys.addrs.v6addrs.dst = fl6->daddr;
- hash_keys.tags.flow_label = (__force u32)fl6->flowlabel;
+ hash_keys.tags.flow_label = (__force
u32)flowi6_get_flowlabel(fl6);
hash_keys.basic.ip_proto = fl6->flowi6_proto;
}
break;
[PATCH 4.16 15/48] isdn: eicon: fix a missing-check bug
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Wenwen Wang
[ Upstream commit 6009d1fe6ba3bb2dab55921da60465329cc1cd89 ]
In divasmain.c, the function divas_write() firstly invokes the function
diva_xdi_open_adapter() to open the adapter that matches with the adapter
number provided by the user, and then invokes the function diva_xdi_write()
to perform the write operation using the matched adapter. The two functions
diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
from the userspace pointer 'src' through the function pointer 'cp_fn',
which eventually calls copy_from_user() to do the copy. Then, the adapter
number 'msg.adapter' is used to find out a matched adapter from the
'adapter_queue'. A matched adapter will be returned if it is found.
Otherwise, NULL is returned to indicate the failure of the verification on
the adapter number.
As mentioned above, if a matched adapter is returned, the function
diva_xdi_write() is invoked to perform the write operation. In this
function, the user command is copied once again from the userspace pointer
'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
both of them are from the 'buf' pointer in divas_write(). Similarly, the
copy is achieved through the function pointer 'cp_fn', which finally calls
copy_from_user(). After the successful copy, the corresponding command
processing handler of the matched adapter is invoked to perform the write
operation.
It is obvious that there are two copies here from userspace, one is in
diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
these two copies share the same source userspace pointer, i.e., the 'buf'
pointer in divas_write(). Given that a malicious userspace process can race
to change the content pointed by the 'buf' pointer, this can pose potential
security issues. For example, in the first copy, the user provides a valid
adapter number to pass the verification process and a valid adapter can be
found. Then the user can modify the adapter number to an invalid number.
This way, the user can bypass the verification process of the adapter
number and inject inconsistent data.
This patch reuses the data copied in
diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
above issues can be avoided.
Signed-off-by: Wenwen Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/isdn/hardware/eicon/diva.c | 22 +++---
drivers/isdn/hardware/eicon/diva.h |5 +++--
drivers/isdn/hardware/eicon/divasmain.c | 18 +++---
3 files changed, 29 insertions(+), 16 deletions(-)
--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -388,10 +388,10 @@ void divasa_xdi_driver_unload(void)
** Receive and process command from user mode utility
*/
void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
- int length,
+ int length, void *mptr,
divas_xdi_copy_from_user_fn_t cp_fn)
{
- diva_xdi_um_cfg_cmd_t msg;
+ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
diva_os_xdi_adapter_t *a = NULL;
diva_os_spin_lock_magic_t old_irql;
struct list_head *tmp;
@@ -401,21 +401,21 @@ void *diva_xdi_open_adapter(void *os_han
length, sizeof(diva_xdi_um_cfg_cmd_t)))
return NULL;
}
- if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) {
+ if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) {
DBG_ERR(("A: A(?) open, write error"))
return NULL;
}
diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter");
list_for_each(tmp, &adapter_queue) {
a = list_entry(tmp, diva_os_xdi_adapter_t, link);
- if (a->controller == (int)msg.adapter)
+ if (a->controller == (int)msg->adapter)
break;
a = NULL;
}
diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter");
if (!a) {
- DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter))
+ DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter))
}
return (a);
@@ -437,8 +437,10 @@ void diva_xdi_close_adapter(void *adapte
int
diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
- int length, divas_xdi_copy_from_user_fn_t cp_fn)
+ int length, void *mptr,
+ divas_xdi_copy_from_user_fn_t cp_fn)
{
+ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter;
void *data;
@@ -459,7 +461,13 @@ diva_xdi_write(void *adapter, vo
[PATCH 4.16 13/48] ipv4: remove warning in ip_recv_error
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Willem de Bruijn
[ Upstream commit 730c54d59403658a62af6517338fa8d4922c1b28 ]
A precondition check in ip_recv_error triggered on an otherwise benign
race. Remove the warning.
The warning triggers when passing an ipv6 socket to this ipv4 error
handling function. RaceFuzzer was able to trigger it due to a race
in setsockopt IPV6_ADDRFORM.
---
CPU0
do_ipv6_setsockopt
sk->sk_socket->ops = &inet_dgram_ops;
---
CPU1
sk->sk_prot->recvmsg
udp_recvmsg
ip_recv_error
WARN_ON_ONCE(sk->sk_family == AF_INET6);
---
CPU0
do_ipv6_setsockopt
sk->sk_family = PF_INET;
This socket option converts a v6 socket that is connected to a v4 peer
to an v4 socket. It updates the socket on the fly, changing fields in
sk as well as other structs. This is inherently non-atomic. It races
with the lockless udp_recvmsg path.
No other code makes an assumption that these fields are updated
atomically. It is benign here, too, as ip_recv_error cares only about
the protocol of the skbs enqueued on the error queue, for which
sk_family is not a precise predictor (thanks to another isue with
IPV6_ADDRFORM).
Link: http://lkml.kernel.org/r/20180518120826.ga19...@dragonet.kaist.ac.kr
Fixes: 7ce875e5ecb8 ("ipv4: warn once on passing AF_INET6 socket to
ip_recv_error")
Reported-by: DaeRyong Jeong
Suggested-by: Eric Dumazet
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/ip_sockglue.c |2 --
1 file changed, 2 deletions(-)
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -511,8 +511,6 @@ int ip_recv_error(struct sock *sk, struc
int err;
int copied;
- WARN_ON_ONCE(sk->sk_family == AF_INET6);
-
err = -EAGAIN;
skb = sock_dequeue_err_skb(sk);
if (!skb)
[PATCH 4.17 15/15] PCI: hv: Do not wait forever on a device that has disappeared
4.17-stable review patch. If anyone has any objections, please let me know.
--
From: Dexuan Cui
commit c3635da2a336441253c33298b87b3042db100725 upstream.
Before the guest finishes the device initialization, the device can be
removed anytime by the host, and after that the host won't respond to
the guest's request, so the guest should be prepared to handle this
case.
Add a polling mechanism to detect device presence.
Signed-off-by: Dexuan Cui
[lorenzo.pieral...@arm.com: edited commit log]
Signed-off-by: Lorenzo Pieralisi
Reviewed-by: Haiyang Zhang
Cc: Stephen Hemminger
Cc: K. Y. Srinivasan
Signed-off-by: Greg Kroah-Hartman
---
drivers/pci/host/pci-hyperv.c | 46 +++---
1 file changed, 34 insertions(+), 12 deletions(-)
--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -556,6 +556,26 @@ static void put_pcichild(struct hv_pci_d
static void get_hvpcibus(struct hv_pcibus_device *hv_pcibus);
static void put_hvpcibus(struct hv_pcibus_device *hv_pcibus);
+/*
+ * There is no good way to get notified from vmbus_onoffer_rescind(),
+ * so let's use polling here, since this is not a hot path.
+ */
+static int wait_for_response(struct hv_device *hdev,
+struct completion *comp)
+{
+ while (true) {
+ if (hdev->channel->rescind) {
+ dev_warn_once(&hdev->device, "The device is gone.\n");
+ return -ENODEV;
+ }
+
+ if (wait_for_completion_timeout(comp, HZ / 10))
+ break;
+ }
+
+ return 0;
+}
+
/**
* devfn_to_wslot() - Convert from Linux PCI slot to Windows
* @devfn: The Linux representation of PCI slot
@@ -1568,7 +1588,8 @@ static struct hv_pci_dev *new_pcichild_d
if (ret)
goto error;
- wait_for_completion(&comp_pkt.host_event);
+ if (wait_for_response(hbus->hdev, &comp_pkt.host_event))
+ goto error;
hpdev->desc = *desc;
refcount_set(&hpdev->refs, 1);
@@ -2069,15 +2090,16 @@ static int hv_pci_protocol_negotiation(s
sizeof(struct pci_version_request),
(unsigned long)pkt, VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
+
if (ret) {
dev_err(&hdev->device,
- "PCI Pass-through VSP failed sending version
reqquest: %#x",
+ "PCI Pass-through VSP failed to request
version: %d",
ret);
goto exit;
}
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status >= 0) {
pci_protocol_version = pci_protocol_versions[i];
dev_info(&hdev->device,
@@ -2286,11 +2308,12 @@ static int hv_pci_enter_d0(struct hv_dev
ret = vmbus_sendpacket(hdev->channel, d0_entry, sizeof(*d0_entry),
(unsigned long)pkt, VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
+
if (ret)
goto exit;
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status < 0) {
dev_err(&hdev->device,
"PCI Pass-through VSP failed D0 Entry with status %x\n",
@@ -2330,11 +2353,10 @@ static int hv_pci_query_relations(struct
ret = vmbus_sendpacket(hdev->channel, &message, sizeof(message),
0, VM_PKT_DATA_INBAND, 0);
- if (ret)
- return ret;
+ if (!ret)
+ ret = wait_for_response(hdev, &comp);
- wait_for_completion(&comp);
- return 0;
+ return ret;
}
/**
@@ -2404,11 +2426,11 @@ static int hv_send_resources_allocated(s
size_res, (unsigned long)pkt,
VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
if (ret)
break;
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status < 0) {
ret = -EPROTO;
dev_err(&hdev->device,
[PATCH 4.16 07/48] cls_flower: Fix incorrect idr release when failing to modify rule
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Paul Blakey
[ Upstream commit 8258d2da9f9f521dce7019e018360c28d116354e ]
When we fail to modify a rule, we incorrectly release the idr handle
of the unmodified old rule.
Fix that by checking if we need to release it.
Fixes: fe2502e49b58 ("net_sched: remove cls_flower idr on failure")
Reported-by: Vlad Buslov
Reviewed-by: Roi Dayan
Acked-by: Jiri Pirko
Signed-off-by: Paul Blakey
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/sched/cls_flower.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -974,7 +974,7 @@ static int fl_change(struct net *net, st
return 0;
errout_idr:
- if (fnew->handle)
+ if (!fold)
idr_remove(&head->handle_idr, fnew->handle);
errout:
tcf_exts_destroy(&fnew->exts);
[PATCH 4.16 08/48] dccp: dont free ccid2_hc_tx_sock struct in dccp_disconnect()
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Alexey Kodanev
[ Upstream commit 2677d20677314101293e6da0094ede7b5526d2b1 ]
Syzbot reported the use-after-free in timer_is_static_object() [1].
This can happen because the structure for the rto timer (ccid2_hc_tx_sock)
is removed in dccp_disconnect(), and ccid2_hc_tx_rto_expire() can be
called after that.
The report [1] is similar to the one in commit 120e9dabaf55 ("dccp:
defer ccid_hc_tx_delete() at dismantle time"). And the fix is the same,
delay freeing ccid2_hc_tx_sock structure, so that it is freed in
dccp_sk_destruct().
[1]
==
BUG: KASAN: use-after-free in timer_is_static_object+0x80/0x90
kernel/time/timer.c:607
Read of size 8 at addr 8801bebb5118 by task syz-executor2/25299
CPU: 1 PID: 25299 Comm: syz-executor2 Not tainted 4.17.0-rc5+ #54
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
timer_is_static_object+0x80/0x90 kernel/time/timer.c:607
debug_object_activate+0x2d9/0x670 lib/debugobjects.c:508
debug_timer_activate kernel/time/timer.c:709 [inline]
debug_activate kernel/time/timer.c:764 [inline]
__mod_timer kernel/time/timer.c:1041 [inline]
mod_timer+0x4d3/0x13b0 kernel/time/timer.c:1102
sk_reset_timer+0x22/0x60 net/core/sock.c:2742
ccid2_hc_tx_rto_expire+0x587/0x680 net/dccp/ccids/ccid2.c:147
call_timer_fn+0x230/0x940 kernel/time/timer.c:1326
expire_timers kernel/time/timer.c:1363 [inline]
__run_timers+0x79e/0xc50 kernel/time/timer.c:1666
run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
invoke_softirq kernel/softirq.c:365 [inline]
irq_exit+0x1d1/0x200 kernel/softirq.c:405
exiting_irq arch/x86/include/asm/apic.h:525 [inline]
smp_apic_timer_interrupt+0x17e/0x710 arch/x86/kernel/apic/apic.c:1052
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:863
...
Allocated by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
ccid_new+0x25b/0x3e0 net/dccp/ccid.c:151
dccp_hdlr_ccid+0x27/0x150 net/dccp/feat.c:44
__dccp_feat_activate+0x184/0x270 net/dccp/feat.c:344
dccp_feat_activate_values+0x3a7/0x819 net/dccp/feat.c:1538
dccp_create_openreq_child+0x472/0x610 net/dccp/minisocks.c:128
dccp_v4_request_recv_sock+0x12c/0xca0 net/dccp/ipv4.c:408
dccp_v6_request_recv_sock+0x125d/0x1f10 net/dccp/ipv6.c:415
dccp_check_req+0x455/0x6a0 net/dccp/minisocks.c:197
dccp_v4_rcv+0x7b8/0x1f3f net/dccp/ipv4.c:841
ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0xb70/0x143d net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x26f5/0x3630 net/core/dev.c:4592
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4657
process_backlog+0x219/0x760 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7b7/0x1930 net/core/dev.c:5801
__do_softirq+0x2e0/0xaf5 kernel/softirq.c:285
Freed by task 25374:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kmem_cache_free+0x86/0x2d0 mm/slab.c:3756
ccid_hc_tx_delete+0xc3/0x100 net/dccp/ccid.c:190
dccp_disconnect+0x130/0xc66 net/dccp/proto.c:286
dccp_close+0x3bc/0xe60 net/dccp/proto.c:1045
inet_release+0x104/0x1f0 net/ipv4/af_inet.c:427
inet6_release+0x50/0x70 net/ipv6/af_inet6.c:460
sock_release+0x96/0x1b0 net/socket.c:594
sock_close+0x16/0x20 net/socket.c:1149
__fput+0x34d/0x890 fs/file_table.c:209
fput+0x15/0x20 fs/file_table.c:243
task_work_run+0x1e4/0x290 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x2bd/0x310 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:265 [inline]
do_syscall_64+0x6ac/0x800 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at 8801bebb4cc0
which belongs to the cache ccid2_hc_tx_sock of size 1240
The buggy address
[PATCH 4.16 05/48] be2net: Fix error detection logic for BE3
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Suresh Reddy
[ Upstream commit d2c2725c2cdbcc108a191f50953d31c7b6556761 ]
Check for 0xE00 (RECOVERABLE_ERR) along with ARMFW UE (0x0)
in be_detect_error() to know whether the error is valid error or not
Fixes: 673c96e5a ("be2net: Fix UE detection logic for BE3")
Signed-off-by: Suresh Reddy
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/emulex/benet/be_main.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -3309,7 +3309,9 @@ void be_detect_error(struct be_adapter *
if ((val & POST_STAGE_FAT_LOG_START)
!= POST_STAGE_FAT_LOG_START &&
(val & POST_STAGE_ARMFW_UE)
-!= POST_STAGE_ARMFW_UE)
+!= POST_STAGE_ARMFW_UE &&
+ (val & POST_STAGE_RECOVERABLE_ERR)
+!= POST_STAGE_RECOVERABLE_ERR)
return;
}
[PATCH 4.16 10/48] ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Sabrina Dubroca
[ Upstream commit 848235edb5c93ed086700584c8ff64f6d7fc778d ]
Currently, raw6_sk(sk)->ip6mr_table is set unconditionally during
ip6_mroute_setsockopt(MRT6_TABLE). A subsequent attempt at the same
setsockopt will fail with -ENOENT, since we haven't actually created
that table.
A similar fix for ipv4 was included in commit 5e1859fbcc3c ("ipv4: ipmr:
various fixes and cleanups").
Fixes: d1db275dd3f6 ("ipv6: ip6mr: support multiple tables")
Signed-off-by: Sabrina Dubroca
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv6/ip6mr.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -1800,7 +1800,8 @@ int ip6_mroute_setsockopt(struct sock *s
ret = 0;
if (!ip6mr_new_table(net, v))
ret = -ENOMEM;
- raw6_sk(sk)->ip6mr_table = v;
+ else
+ raw6_sk(sk)->ip6mr_table = v;
rtnl_unlock();
return ret;
}
[PATCH 4.16 02/48] mmap: relax file size limit for regular files
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Linus Torvalds
commit 423913ad4ae5b3e8fb8983f70969fb522261ba26 upstream.
Commit be83bbf80682 ("mmap: introduce sane default mmap limits") was
introduced to catch problems in various ad-hoc character device drivers
doing mmap and getting the size limits wrong. In the process, it used
"known good" limits for the normal cases of mapping regular files and
block device drivers.
It turns out that the "s_maxbytes" limit was less "known good" than I
thought. In particular, /proc doesn't set it, but exposes one regular
file to mmap: /proc/vmcore. As a result, that file got limited to the
default MAX_INT s_maxbytes value.
This went unnoticed for a while, because apparently the only thing that
needs it is the s390 kernel zfcpdump, but there might be other tools
that use this too.
Vasily suggested just changing s_maxbytes for all of /proc, which isn't
wrong, but makes me nervous at this stage. So instead, just make the
new mmap limit always be MAX_LFS_FILESIZE for regular files, which won't
affect anything else. It wasn't the regular file case I was worried
about.
I'd really prefer for maxsize to have been per-inode, but that is not
how things are today.
Fixes: be83bbf80682 ("mmap: introduce sane default mmap limits")
Reported-by: Vasily Gorbik
Cc: Al Viro
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
mm/mmap.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1318,7 +1318,7 @@ static inline int mlock_future_check(str
static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
{
if (S_ISREG(inode->i_mode))
- return inode->i_sb->s_maxbytes;
+ return MAX_LFS_FILESIZE;
if (S_ISBLK(inode->i_mode))
return MAX_LFS_FILESIZE;
[PATCH 4.16 26/48] packet: fix reserve calculation
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Willem de Bruijn
[ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ]
Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
layer allocation") ensures that packet_snd always starts writing
the link layer header in reserved headroom allocated for this
purpose.
This is needed because packets may be shorter than hard_header_len,
in which case the space up to hard_header_len may be zeroed. But
that necessary padding is not accounted for in skb->len.
The fix, however, is buggy. It calls skb_push, which grows skb->len
when moving skb->data back. But in this case packet length should not
change.
Instead, call skb_reserve, which moves both skb->data and skb->tail
back, without changing length.
Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer
allocation")
Reported-by: Tariq Toukan
Signed-off-by: Willem de Bruijn
Acked-by: Soheil Hassas Yeganeh
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/packet/af_packet.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2911,7 +2911,7 @@ static int packet_snd(struct socket *soc
if (unlikely(offset < 0))
goto out_free;
} else if (reserve) {
- skb_push(skb, reserve);
+ skb_reserve(skb, -reserve);
}
/* Returns -EFAULT on error */
[PATCH 4.16 30/48] team: use netdev_features_t instead of u32
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
[ Upstream commit 25ea66544bfd1d9df1b7e1502f8717e85fa1e6e6 ]
This code was introduced in 2011 around the same time that we made
netdev_features_t a u64 type. These days a u32 is not big enough to
hold all the potential features.
Signed-off-by: Dan Carpenter
Acked-by: Jiri Pirko
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/team/team.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1004,7 +1004,8 @@ static void team_port_disable(struct tea
static void __team_compute_features(struct team *team)
{
struct team_port *port;
- u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
+ netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
+ NETIF_F_ALL_FOR_ALL;
netdev_features_t enc_features = TEAM_ENC_FEATURES;
unsigned short max_hard_header_len = ETH_HLEN;
unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
[PATCH 4.16 19/48] netdev-FAQ: clarify DaveMs position for stable backports
4.16-stable review patch. If anyone has any objections, please let me know. -- From: Cong Wang [ Upstream commit 75d4e704fa8d2cf33ff295e5b441317603d7f9fd ] Per discussion with David at netconf 2018, let's clarify DaveM's position of handling stable backports in netdev-FAQ. This is important for people relying on upstream -stable releases. Cc: Greg Kroah-Hartman Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- Documentation/networking/netdev-FAQ.txt |9 + 1 file changed, 9 insertions(+) --- a/Documentation/networking/netdev-FAQ.txt +++ b/Documentation/networking/netdev-FAQ.txt @@ -179,6 +179,15 @@ A: No. See above answer. In short, if dash marker line as described in Documentation/process/submitting-patches.rst to temporarily embed that information into the patch that you send. +Q: Are all networking bug fixes backported to all stable releases? + +A: Due to capacity, Dave could only take care of the backports for the last + 2 stable releases. For earlier stable releases, each stable branch maintainer + is supposed to take care of them. If you find any patch is missing from an + earlier stable branch, please notify sta...@vger.kernel.org with either a + commit ID or a formal patch backported, and CC Dave and other relevant + networking developers. + Q: Someone said that the comment style and coding convention is different for the networking content. Is this true?
[PATCH 4.16 20/48] net: ethernet: davinci_emac: fix error handling in probe()
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
[ Upstream commit 8005b09d99fac78e6f5fb9da30b5ae94840af03b ]
The current error handling code has an issue where it does:
if (priv->txchan)
cpdma_chan_destroy(priv->txchan);
The problem is that ->txchan is either valid or an error pointer (which
would lead to an Oops). I've changed it to use multiple error labels so
that the test can be removed.
Also there were some missing calls to netif_napi_del().
Fixes: 3ef0fdb2342c ("net: davinci_emac: switch to new cpdma layer")
Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/ti/davinci_emac.c | 22 --
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/drivers/net/ethernet/ti/davinci_emac.c
+++ b/drivers/net/ethernet/ti/davinci_emac.c
@@ -1873,7 +1873,7 @@ static int davinci_emac_probe(struct pla
if (IS_ERR(priv->txchan)) {
dev_err(&pdev->dev, "error initializing tx dma channel\n");
rc = PTR_ERR(priv->txchan);
- goto no_cpdma_chan;
+ goto err_free_dma;
}
priv->rxchan = cpdma_chan_create(priv->dma, EMAC_DEF_RX_CH,
@@ -1881,14 +1881,14 @@ static int davinci_emac_probe(struct pla
if (IS_ERR(priv->rxchan)) {
dev_err(&pdev->dev, "error initializing rx dma channel\n");
rc = PTR_ERR(priv->rxchan);
- goto no_cpdma_chan;
+ goto err_free_txchan;
}
res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
if (!res) {
dev_err(&pdev->dev, "error getting irq res\n");
rc = -ENOENT;
- goto no_cpdma_chan;
+ goto err_free_rxchan;
}
ndev->irq = res->start;
@@ -1914,7 +1914,7 @@ static int davinci_emac_probe(struct pla
pm_runtime_put_noidle(&pdev->dev);
dev_err(&pdev->dev, "%s: failed to get_sync(%d)\n",
__func__, rc);
- goto no_cpdma_chan;
+ goto err_napi_del;
}
/* register the network device */
@@ -1924,7 +1924,7 @@ static int davinci_emac_probe(struct pla
dev_err(&pdev->dev, "error in register_netdev\n");
rc = -ENODEV;
pm_runtime_put(&pdev->dev);
- goto no_cpdma_chan;
+ goto err_napi_del;
}
@@ -1937,11 +1937,13 @@ static int davinci_emac_probe(struct pla
return 0;
-no_cpdma_chan:
- if (priv->txchan)
- cpdma_chan_destroy(priv->txchan);
- if (priv->rxchan)
- cpdma_chan_destroy(priv->rxchan);
+err_napi_del:
+ netif_napi_del(&priv->napi);
+err_free_rxchan:
+ cpdma_chan_destroy(priv->rxchan);
+err_free_txchan:
+ cpdma_chan_destroy(priv->txchan);
+err_free_dma:
cpdma_ctlr_destroy(priv->dma);
no_pdata:
if (of_phy_is_fixed_link(np))
[PATCH 4.16 47/48] vhost_net: flush batched heads before trying to busy polling
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit f5a4941aa6d190e676065e8f4ed35999f52a01c3 ]
After commit e2b3b35eb989 ("vhost_net: batch used ring update in rx"),
we tend to batch updating used heads. But it doesn't flush batched
heads before trying to do busy polling, this will cause vhost to wait
for guest TX which waits for the used RX. Fixing by flush batched
heads before busy loop.
1 byte TCP_RR performance recovers from 13107.83 to 50402.65.
Fixes: e2b3b35eb989 ("vhost_net: batch used ring update in rx")
Signed-off-by: Jason Wang
Acked-by: Michael S. Tsirkin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/vhost/net.c | 37 -
1 file changed, 24 insertions(+), 13 deletions(-)
--- a/drivers/vhost/net.c
+++ b/drivers/vhost/net.c
@@ -101,7 +101,9 @@ struct vhost_net_virtqueue {
/* vhost zerocopy support fields below: */
/* last used idx for outstanding DMA zerocopy buffers */
int upend_idx;
- /* first used idx for DMA done zerocopy buffers */
+ /* For TX, first used idx for DMA done zerocopy buffers
+* For RX, number of batched heads
+*/
int done_idx;
/* an array of userspace buffers info */
struct ubuf_info *ubuf_info;
@@ -620,6 +622,18 @@ static int sk_has_rx_data(struct sock *s
return skb_queue_empty(&sk->sk_receive_queue);
}
+static void vhost_rx_signal_used(struct vhost_net_virtqueue *nvq)
+{
+ struct vhost_virtqueue *vq = &nvq->vq;
+ struct vhost_dev *dev = vq->dev;
+
+ if (!nvq->done_idx)
+ return;
+
+ vhost_add_used_and_signal_n(dev, vq, vq->heads, nvq->done_idx);
+ nvq->done_idx = 0;
+}
+
static int vhost_net_rx_peek_head_len(struct vhost_net *net, struct sock *sk)
{
struct vhost_net_virtqueue *rvq = &net->vqs[VHOST_NET_VQ_RX];
@@ -629,6 +643,8 @@ static int vhost_net_rx_peek_head_len(st
int len = peek_head_len(rvq, sk);
if (!len && vq->busyloop_timeout) {
+ /* Flush batched heads first */
+ vhost_rx_signal_used(rvq);
/* Both tx vq and rx socket were polled here */
mutex_lock_nested(&vq->mutex, 1);
vhost_disable_notify(&net->dev, vq);
@@ -756,7 +772,7 @@ static void handle_rx(struct vhost_net *
};
size_t total_len = 0;
int err, mergeable;
- s16 headcount, nheads = 0;
+ s16 headcount;
size_t vhost_hlen, sock_hlen;
size_t vhost_len, sock_len;
struct socket *sock;
@@ -784,8 +800,8 @@ static void handle_rx(struct vhost_net *
while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk))) {
sock_len += sock_hlen;
vhost_len = sock_len + vhost_hlen;
- headcount = get_rx_bufs(vq, vq->heads + nheads, vhost_len,
- &in, vq_log, &log,
+ headcount = get_rx_bufs(vq, vq->heads + nvq->done_idx,
+ vhost_len, &in, vq_log, &log,
likely(mergeable) ? UIO_MAXIOV : 1);
/* On error, stop handling until the next kick. */
if (unlikely(headcount < 0))
@@ -856,12 +872,9 @@ static void handle_rx(struct vhost_net *
vhost_discard_vq_desc(vq, headcount);
goto out;
}
- nheads += headcount;
- if (nheads > VHOST_RX_BATCH) {
- vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
- nheads);
- nheads = 0;
- }
+ nvq->done_idx += headcount;
+ if (nvq->done_idx > VHOST_RX_BATCH)
+ vhost_rx_signal_used(nvq);
if (unlikely(vq_log))
vhost_log_write(vq, vq_log, log, vhost_len);
total_len += vhost_len;
@@ -872,9 +885,7 @@ static void handle_rx(struct vhost_net *
}
vhost_net_enable_vq(net, vq);
out:
- if (nheads)
- vhost_add_used_and_signal_n(&net->dev, vq, vq->heads,
- nheads);
+ vhost_rx_signal_used(nvq);
mutex_unlock(&vq->mutex);
}
[PATCH 4.16 24/48] net: phy: broadcom: Fix bcm_write_exp()
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Florian Fainelli
[ Upstream commit 79fb218d97980d4fee9a64f4c8ff05289364ba25 ]
On newer PHYs, we need to select the expansion register to write with
setting bits [11:8] to 0xf. This was done correctly by bcm7xxx.c prior
to being migrated to generic code under bcm-phy-lib.c which
unfortunately used the older implementation from the BCM54xx days.
Fix this by creating an inline stub: bcm_write_exp_sel() which adds the
correct value (MII_BCM54XX_EXP_SEL_ER) and update both the Cygnus PHY
and BCM7xxx PHY drivers which require setting these bits.
broadcom.c is unchanged because some PHYs even use a different selector
method, so let them specify it directly (e.g: SerDes secondary selector).
Fixes: a1cba5613edf ("net: phy: Add Broadcom phy library for common interfaces")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/phy/bcm-cygnus.c |6 +++---
drivers/net/phy/bcm-phy-lib.h |7 +++
drivers/net/phy/bcm7xxx.c |4 ++--
3 files changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/net/phy/bcm-cygnus.c
+++ b/drivers/net/phy/bcm-cygnus.c
@@ -61,17 +61,17 @@ static int bcm_cygnus_afe_config(struct
return rc;
/* make rcal=100, since rdb default is 000 */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB1, 0x10);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB1, 0x10);
if (rc < 0)
return rc;
/* CORE_EXPB0, Reset R_CAL/RC_CAL Engine */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x10);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x10);
if (rc < 0)
return rc;
/* CORE_EXPB0, Disable Reset R_CAL/RC_CAL Engine */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x00);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00);
return 0;
}
--- a/drivers/net/phy/bcm-phy-lib.h
+++ b/drivers/net/phy/bcm-phy-lib.h
@@ -14,11 +14,18 @@
#ifndef _LINUX_BCM_PHY_LIB_H
#define _LINUX_BCM_PHY_LIB_H
+#include
#include
int bcm_phy_write_exp(struct phy_device *phydev, u16 reg, u16 val);
int bcm_phy_read_exp(struct phy_device *phydev, u16 reg);
+static inline int bcm_phy_write_exp_sel(struct phy_device *phydev,
+ u16 reg, u16 val)
+{
+ return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val);
+}
+
int bcm54xx_auxctl_write(struct phy_device *phydev, u16 regnum, u16 val);
int bcm54xx_auxctl_read(struct phy_device *phydev, u16 regnum);
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -65,10 +65,10 @@ struct bcm7xxx_phy_priv {
static void r_rc_cal_reset(struct phy_device *phydev)
{
/* Reset R_CAL/RC_CAL Engine */
- bcm_phy_write_exp(phydev, 0x00b0, 0x0010);
+ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0010);
/* Disable Reset R_AL/RC_CAL Engine */
- bcm_phy_write_exp(phydev, 0x00b0, 0x);
+ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x);
}
static int bcm7xxx_28nm_b0_afe_config_init(struct phy_device *phydev)
[PATCH 4.16 41/48] virtio-net: correctly check num_buf during err path
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 850e088d5bbb42fd4def08d0a4035f2b7126 ]
If we successfully linearize the packet, num_buf will be set to zero
which may confuse error handling path which assumes num_buf is at
least 1 and this can lead the code tries to pop the descriptor of next
buffer. Fixing this by checking num_buf against 1 before decreasing.
Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set")
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/virtio_net.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -874,7 +874,7 @@ err_xdp:
rcu_read_unlock();
err_skb:
put_page(page);
- while (--num_buf) {
+ while (num_buf-- > 1) {
buf = virtqueue_get_buf(rq->vq, &len);
if (unlikely(!buf)) {
pr_debug("%s: rx error: %d buffers missing\n",
[PATCH 4.16 44/48] virtio-net: correctly redirect linearized packet
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 6890418bbb780f0ee9cf124055afa79777f1b4f1 ]
After a linearized packet was redirected by XDP, we should not go for
the err path which will try to pop buffers for the next packet and
increase the drop counter. Fixing this by just drop the page refcnt
for the original page.
Fixes: 186b3c998c50 ("virtio-net: support XDP_REDIRECT")
Reported-by: David Ahern
Tested-by: David Ahern
Acked-by: Michael S. Tsirkin
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/virtio_net.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -786,7 +786,7 @@ static struct sk_buff *receive_mergeable
}
*xdp_xmit = true;
if (unlikely(xdp_page != page))
- goto err_xdp;
+ put_page(page);
rcu_read_unlock();
goto xdp_xmit;
default:
[PATCH 4.14 08/41] bnx2x: use the right constant
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Julia Lawall
[ Upstream commit dd612f18a49b63af8b3a5f572d999bdb197385bc ]
Nearby code that also tests port suggests that the P0 constant should be
used when port is zero.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
//
@@
expression e,e1;
@@
* e ? e1 : e1
//
Fixes: 6c3218c6f7e5 ("bnx2x: Adjust ETS to 578xx")
Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c
@@ -588,7 +588,7 @@ static void bnx2x_ets_e3b0_nig_disabled(
* slots for the highest priority.
*/
REG_WR(bp, (port) ? NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS :
- NIG_REG_P1_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
+ NIG_REG_P0_TX_ARB_NUM_STRICT_ARB_SLOTS, 0x100);
/* Mapping between the CREDIT_WEIGHT registers and actual client
* numbers
*/
[PATCH 4.16 45/48] ip_tunnel: restore binding to ifaces with a large mtu
4.16-stable review patch. If anyone has any objections, please let me know.
--
From: Nicolas Dichtel
[ Upstream commit 82612de1c98e610d194e34178bde3cca7dedce41 ]
After commit f6cc9c054e77, the following conf is broken (note that the
default loopback mtu is 65536, ie IP_MAX_MTU + 1):
$ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev lo
add tunnel "gre0" failed: Invalid argument
$ ip l a type dummy
$ ip l s dummy1 up
$ ip l s dummy1 mtu 65535
$ ip tunnel add gre1 mode gre local 10.125.0.1 remote 10.125.0.2 dev dummy1
add tunnel "gre0" failed: Invalid argument
dev_set_mtu() doesn't allow to set a mtu which is too large.
First, let's cap the mtu returned by ip_tunnel_bind_dev(). Second, remove
the magic value 0xFFF8 and use IP_MAX_MTU instead.
0xFFF8 seems to be there for ages, I don't know why this value was used.
With a recent kernel, it's also possible to set a mtu > IP_MAX_MTU:
$ ip l s dummy1 mtu 66000
After that patch, it's also possible to bind an ip tunnel on that kind of
interface.
CC: Petr Machata
CC: Ido Schimmel
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/commit/?id=e5afd356a411a
Fixes: f6cc9c054e77 ("ip_tunnel: Emit events for post-register MTU changes")
Signed-off-by: Nicolas Dichtel
Reviewed-by: Ido Schimmel
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/ip_tunnel.c |8
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -344,7 +344,7 @@ static int ip_tunnel_bind_dev(struct net
if (tdev) {
hlen = tdev->hard_header_len + tdev->needed_headroom;
- mtu = tdev->mtu;
+ mtu = min(tdev->mtu, IP_MAX_MTU);
}
dev->needed_headroom = t_hlen + hlen;
@@ -379,7 +379,7 @@ static struct ip_tunnel *ip_tunnel_creat
nt = netdev_priv(dev);
t_hlen = nt->hlen + sizeof(struct iphdr);
dev->min_mtu = ETH_MIN_MTU;
- dev->max_mtu = 0xFFF8 - dev->hard_header_len - t_hlen;
+ dev->max_mtu = IP_MAX_MTU - dev->hard_header_len - t_hlen;
ip_tunnel_add(itn, nt);
return nt;
@@ -948,7 +948,7 @@ int __ip_tunnel_change_mtu(struct net_de
{
struct ip_tunnel *tunnel = netdev_priv(dev);
int t_hlen = tunnel->hlen + sizeof(struct iphdr);
- int max_mtu = 0xFFF8 - dev->hard_header_len - t_hlen;
+ int max_mtu = IP_MAX_MTU - dev->hard_header_len - t_hlen;
if (new_mtu < ETH_MIN_MTU)
return -EINVAL;
@@ -1119,7 +1119,7 @@ int ip_tunnel_newlink(struct net_device
mtu = ip_tunnel_bind_dev(dev);
if (tb[IFLA_MTU]) {
- unsigned int max = 0xfff8 - dev->hard_header_len - nt->hlen;
+ unsigned int max = IP_MAX_MTU - dev->hard_header_len - nt->hlen;
mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU,
(unsigned int)(max - sizeof(struct iphdr)));
[PATCH 4.14 22/41] net: phy: broadcom: Fix bcm_write_exp()
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Florian Fainelli
[ Upstream commit 79fb218d97980d4fee9a64f4c8ff05289364ba25 ]
On newer PHYs, we need to select the expansion register to write with
setting bits [11:8] to 0xf. This was done correctly by bcm7xxx.c prior
to being migrated to generic code under bcm-phy-lib.c which
unfortunately used the older implementation from the BCM54xx days.
Fix this by creating an inline stub: bcm_write_exp_sel() which adds the
correct value (MII_BCM54XX_EXP_SEL_ER) and update both the Cygnus PHY
and BCM7xxx PHY drivers which require setting these bits.
broadcom.c is unchanged because some PHYs even use a different selector
method, so let them specify it directly (e.g: SerDes secondary selector).
Fixes: a1cba5613edf ("net: phy: Add Broadcom phy library for common interfaces")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/phy/bcm-cygnus.c |6 +++---
drivers/net/phy/bcm-phy-lib.h |7 +++
drivers/net/phy/bcm7xxx.c |4 ++--
3 files changed, 12 insertions(+), 5 deletions(-)
--- a/drivers/net/phy/bcm-cygnus.c
+++ b/drivers/net/phy/bcm-cygnus.c
@@ -61,17 +61,17 @@ static int bcm_cygnus_afe_config(struct
return rc;
/* make rcal=100, since rdb default is 000 */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB1, 0x10);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB1, 0x10);
if (rc < 0)
return rc;
/* CORE_EXPB0, Reset R_CAL/RC_CAL Engine */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x10);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x10);
if (rc < 0)
return rc;
/* CORE_EXPB0, Disable Reset R_CAL/RC_CAL Engine */
- rc = bcm_phy_write_exp(phydev, MII_BRCM_CORE_EXPB0, 0x00);
+ rc = bcm_phy_write_exp_sel(phydev, MII_BRCM_CORE_EXPB0, 0x00);
return 0;
}
--- a/drivers/net/phy/bcm-phy-lib.h
+++ b/drivers/net/phy/bcm-phy-lib.h
@@ -14,11 +14,18 @@
#ifndef _LINUX_BCM_PHY_LIB_H
#define _LINUX_BCM_PHY_LIB_H
+#include
#include
int bcm_phy_write_exp(struct phy_device *phydev, u16 reg, u16 val);
int bcm_phy_read_exp(struct phy_device *phydev, u16 reg);
+static inline int bcm_phy_write_exp_sel(struct phy_device *phydev,
+ u16 reg, u16 val)
+{
+ return bcm_phy_write_exp(phydev, reg | MII_BCM54XX_EXP_SEL_ER, val);
+}
+
int bcm54xx_auxctl_write(struct phy_device *phydev, u16 regnum, u16 val);
int bcm54xx_auxctl_read(struct phy_device *phydev, u16 regnum);
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -65,10 +65,10 @@ struct bcm7xxx_phy_priv {
static void r_rc_cal_reset(struct phy_device *phydev)
{
/* Reset R_CAL/RC_CAL Engine */
- bcm_phy_write_exp(phydev, 0x00b0, 0x0010);
+ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x0010);
/* Disable Reset R_AL/RC_CAL Engine */
- bcm_phy_write_exp(phydev, 0x00b0, 0x);
+ bcm_phy_write_exp_sel(phydev, 0x00b0, 0x);
}
static int bcm7xxx_28nm_b0_afe_config_init(struct phy_device *phydev)
[PATCH 4.14 00/41] 4.14.49-stable review
This is the start of the stable review cycle for the 4.14.49 release. There are 41 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know. Responses should be made by Mon Jun 11 15:29:07 UTC 2018. Anything received after that time might be too late. The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.49-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y and the diffstat can be found below. thanks, greg k-h - Pseudo-Shortlog of commits: Greg Kroah-Hartman Linux 4.14.49-rc1 Dexuan Cui PCI: hv: Do not wait forever on a device that has disappeared Paul Blakey cls_flower: Fix incorrect idr release when failing to modify rule Eric Dumazet rtnetlink: validate attributes in do_setlink() Jason Wang virtio-net: fix leaking page for gso packet during mergeable XDP Eran Ben Elisha net/mlx5e: When RXFCS is set, add FCS data into checksum calculation Jason Wang virtio-net: correctly check num_buf during err path Toshiaki Makita tun: Fix NULL pointer dereference in XDP redirect Jack Morgenstein net/mlx4: Fix irq-unsafe spinlock usage Jason Wang virtio-net: correctly transmit XDP buff after linearizing Alexander Duyck net-sysfs: Fix memory leak in XPS configuration Florian Fainelli net: phy: broadcom: Fix auxiliary control register reads Mathieu Xhonneux ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline Stephen Suryaputra vrf: check the original netdevice for generating redirect Jason Wang vhost: synchronize IOTLB message with dev cleanup Dan Carpenter team: use netdev_features_t instead of u32 Xin Long sctp: not allow transport timeout value less than HZ/5 for hb_timer Shahed Shaikh qed: Fix mask for physical address in ILT entry Willem de Bruijn packet: fix reserve calculation Daniele Palmas net: usb: cdc_mbim: add flag FLAG_SEND_ZLP Florian Fainelli net: phy: broadcom: Fix bcm_write_exp() Eric Dumazet net/packet: refine check for priv area size Eric Dumazet net: metrics: add proper netlink validation Roopa Prabhu net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy Cong Wang netdev-FAQ: clarify DaveM's position for stable backports Kirill Tkhai kcm: Fix use-after-free caused by clonned sockets Wenwen Wang isdn: eicon: fix a missing-check bug Michal Kubecek ipv6: omit traffic class when calculating flow hash Willem de Bruijn ipv4: remove warning in ip_recv_error Eric Dumazet ipmr: properly check rhltable_init() return value Nicolas Dichtel ip6_tunnel: remove magic mtu value 0xFFF8 Sabrina Dubroca ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds Govindarajulu Varadarajan enic: set DMA mask to 47 bit Alexey Kodanev dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect() Julia Lawall bnx2x: use the right constant Suresh Reddy be2net: Fix error detection logic for BE3 Nathan Chancellor kconfig: Avoid format overflow warning from GCC 8.1 Anand Jain btrfs: define SUPER_FLAG_METADUMP_V2 Linus Torvalds mmap: relax file size limit for regular files Linus Torvalds mmap: introduce sane default mmap limits Bart Van Assche scsi: sd_zbc: Avoid that resetting a zone fails sporadically Damien Le Moal scsi: sd_zbc: Fix potential memory leak - Diffstat: Documentation/networking/netdev-FAQ.txt | 9 ++ Makefile | 4 +- drivers/isdn/hardware/eicon/diva.c | 22 ++-- drivers/isdn/hardware/eicon/diva.h | 5 +- drivers/isdn/hardware/eicon/divasmain.c | 18 ++-- drivers/net/ethernet/broadcom/bnx2x/bnx2x_link.c | 2 +- drivers/net/ethernet/cisco/enic/enic_main.c | 8 +- drivers/net/ethernet/emulex/benet/be_main.c | 4 +- drivers/net/ethernet/mellanox/mlx4/qp.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 42 drivers/net/ethernet/qlogic/qed/qed_cxt.c| 2 +- drivers/net/phy/bcm-cygnus.c | 6 +- drivers/net/phy/bcm-phy-lib.c| 2 +- drivers/net/phy/bcm-phy-lib.h| 7 ++ drivers/net/phy/bcm7xxx.c| 4 +- drivers/net/team/team.c | 3 +- drivers/net/tun.c| 15 +-- drivers/net/usb/cdc_mbim.c | 2 +- drivers/net/virtio_net.c | 19 ++-- drivers/pci/host/pci-hyperv.c| 46 +--- drivers/scsi/sd_zbc.c| 128 ++- drivers/vhost/vhost.c| 3 + fs/btr
[PATCH 4.14 07/41] be2net: Fix error detection logic for BE3
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Suresh Reddy
[ Upstream commit d2c2725c2cdbcc108a191f50953d31c7b6556761 ]
Check for 0xE00 (RECOVERABLE_ERR) along with ARMFW UE (0x0)
in be_detect_error() to know whether the error is valid error or not
Fixes: 673c96e5a ("be2net: Fix UE detection logic for BE3")
Signed-off-by: Suresh Reddy
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/emulex/benet/be_main.c |4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/emulex/benet/be_main.c
+++ b/drivers/net/ethernet/emulex/benet/be_main.c
@@ -3294,7 +3294,9 @@ void be_detect_error(struct be_adapter *
if ((val & POST_STAGE_FAT_LOG_START)
!= POST_STAGE_FAT_LOG_START &&
(val & POST_STAGE_ARMFW_UE)
-!= POST_STAGE_ARMFW_UE)
+!= POST_STAGE_ARMFW_UE &&
+ (val & POST_STAGE_RECOVERABLE_ERR)
+!= POST_STAGE_RECOVERABLE_ERR)
return;
}
[PATCH 4.14 03/41] mmap: introduce sane default mmap limits
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Linus Torvalds
commit be83bbf806822b1b89e0a0f23cd87cddc409e429 upstream.
The internal VM "mmap()" interfaces are based on the mmap target doing
everything using page indexes rather than byte offsets, because
traditionally (ie 32-bit) we had the situation that the byte offset
didn't fit in a register. So while the mmap virtual address was limited
by the word size of the architecture, the backing store was not.
So we're basically passing "pgoff" around as a page index, in order to
be able to describe backing store locations that are much bigger than
the word size (think files larger than 4GB etc).
But while this all makes a ton of sense conceptually, we've been dogged
by various drivers that don't really understand this, and internally
work with byte offsets, and then try to work with the page index by
turning it into a byte offset with "pgoff << PAGE_SHIFT".
Which obviously can overflow.
Adding the size of the mapping to it to get the byte offset of the end
of the backing store just exacerbates the problem, and if you then use
this overflow-prone value to check various limits of your device driver
mmap capability, you're just setting yourself up for problems.
The correct thing for drivers to do is to do their limit math in page
indices, the way the interface is designed. Because the generic mmap
code _does_ test that the index doesn't overflow, since that's what the
mmap code really cares about.
HOWEVER.
Finding and fixing various random drivers is a sisyphean task, so let's
just see if we can just make the core mmap() code do the limiting for
us. Realistically, the only "big" backing stores we need to care about
are regular files and block devices, both of which are known to do this
properly, and which have nice well-defined limits for how much data they
can access.
So let's special-case just those two known cases, and then limit other
random mmap users to a backing store that still fits in "unsigned long".
Realistically, that's not much of a limit at all on 64-bit, and on
32-bit architectures the only worry might be the GPU drivers, which can
have big physical address spaces.
To make it possible for drivers like that to say that they are 64-bit
clean, this patch does repurpose the "FMODE_UNSIGNED_OFFSET" bit in the
file flags to allow drivers to mark their file descriptors as safe in
the full 64-bit mmap address space.
[ The timing for doing this is less than optimal, and this should really
go in a merge window. But realistically, this needs wide testing more
than it needs anything else, and being main-line is the only way to do
that.
So the earlier the better, even if it's outside the proper development
cycle- Linus ]
Cc: Kees Cook
Cc: Dan Carpenter
Cc: Al Viro
Cc: Willy Tarreau
Cc: Dave Airlie
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
---
mm/mmap.c | 32
1 file changed, 32 insertions(+)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1315,6 +1315,35 @@ static inline int mlock_future_check(str
return 0;
}
+static inline u64 file_mmap_size_max(struct file *file, struct inode *inode)
+{
+ if (S_ISREG(inode->i_mode))
+ return inode->i_sb->s_maxbytes;
+
+ if (S_ISBLK(inode->i_mode))
+ return MAX_LFS_FILESIZE;
+
+ /* Special "we do even unsigned file positions" case */
+ if (file->f_mode & FMODE_UNSIGNED_OFFSET)
+ return 0;
+
+ /* Yes, random drivers might want more. But I'm tired of buggy drivers
*/
+ return ULONG_MAX;
+}
+
+static inline bool file_mmap_ok(struct file *file, struct inode *inode,
+ unsigned long pgoff, unsigned long len)
+{
+ u64 maxsize = file_mmap_size_max(file, inode);
+
+ if (maxsize && len > maxsize)
+ return false;
+ maxsize -= len;
+ if (pgoff > maxsize >> PAGE_SHIFT)
+ return false;
+ return true;
+}
+
/*
* The caller must hold down_write(¤t->mm->mmap_sem).
*/
@@ -1388,6 +1417,9 @@ unsigned long do_mmap(struct file *file,
if (file) {
struct inode *inode = file_inode(file);
+ if (!file_mmap_ok(file, inode, pgoff, len))
+ return -EOVERFLOW;
+
switch (flags & MAP_TYPE) {
case MAP_SHARED:
if ((prot&PROT_WRITE) && !(file->f_mode&FMODE_WRITE))
[PATCH 4.14 26/41] sctp: not allow transport timeout value less than HZ/5 for hb_timer
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Xin Long [ Upstream commit 1d88ba1ebb2763aa86172cd7ca05dedbeccc0d35 ] syzbot reported a rcu_sched self-detected stall on CPU which is caused by too small value set on rto_min with SCTP_RTOINFO sockopt. With this value, hb_timer will get stuck there, as in its timer handler it starts this timer again with this value, then goes to the timer handler again. This problem is there since very beginning, and thanks to Eric for the reproducer shared from a syzbot mail. This patch fixes it by not allowing sctp_transport_timeout to return a smaller value than HZ/5 for hb_timer, which is based on TCP's min rto. Note that it doesn't fix this issue by limiting rto_min, as some users are still using small rto and no proper value was found for it yet. Reported-by: syzbot+3dcd59a1f907245f8...@syzkaller.appspotmail.com Suggested-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/transport.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -637,7 +637,7 @@ unsigned long sctp_transport_timeout(str trans->state != SCTP_PF) timeout += trans->hbinterval; - return timeout; + return max_t(unsigned long, timeout, HZ / 5); } /* Reset transport variables to their initial values */
[PATCH 4.14 28/41] vhost: synchronize IOTLB message with dev cleanup
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 1b15ad683ab42a203f98b67045b40720e99d0e9a ]
DaeRyong Jeong reports a race between vhost_dev_cleanup() and
vhost_process_iotlb_msg():
Thread interleaving:
CPU0 (vhost_process_iotlb_msg) CPU1 (vhost_dev_cleanup)
(In the case of both VHOST_IOTLB_UPDATE and
VHOST_IOTLB_INVALIDATE)
= =
vhost_umem_clean(dev->iotlb);
if (!dev->iotlb) {
ret = -EFAULT;
break;
}
dev->iotlb = NULL;
The reason is we don't synchronize between them, fixing by protecting
vhost_process_iotlb_msg() with dev mutex.
Reported-by: DaeRyong Jeong
Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
Signed-off-by: Jason Wang
Acked-by: Michael S. Tsirkin
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/vhost/vhost.c |3 +++
1 file changed, 3 insertions(+)
--- a/drivers/vhost/vhost.c
+++ b/drivers/vhost/vhost.c
@@ -993,6 +993,7 @@ static int vhost_process_iotlb_msg(struc
{
int ret = 0;
+ mutex_lock(&dev->mutex);
vhost_dev_lock_vqs(dev);
switch (msg->type) {
case VHOST_IOTLB_UPDATE:
@@ -1024,6 +1025,8 @@ static int vhost_process_iotlb_msg(struc
}
vhost_dev_unlock_vqs(dev);
+ mutex_unlock(&dev->mutex);
+
return ret;
}
ssize_t vhost_chr_write_iter(struct vhost_dev *dev,
[PATCH 4.14 14/41] ipv4: remove warning in ip_recv_error
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Willem de Bruijn
[ Upstream commit 730c54d59403658a62af6517338fa8d4922c1b28 ]
A precondition check in ip_recv_error triggered on an otherwise benign
race. Remove the warning.
The warning triggers when passing an ipv6 socket to this ipv4 error
handling function. RaceFuzzer was able to trigger it due to a race
in setsockopt IPV6_ADDRFORM.
---
CPU0
do_ipv6_setsockopt
sk->sk_socket->ops = &inet_dgram_ops;
---
CPU1
sk->sk_prot->recvmsg
udp_recvmsg
ip_recv_error
WARN_ON_ONCE(sk->sk_family == AF_INET6);
---
CPU0
do_ipv6_setsockopt
sk->sk_family = PF_INET;
This socket option converts a v6 socket that is connected to a v4 peer
to an v4 socket. It updates the socket on the fly, changing fields in
sk as well as other structs. This is inherently non-atomic. It races
with the lockless udp_recvmsg path.
No other code makes an assumption that these fields are updated
atomically. It is benign here, too, as ip_recv_error cares only about
the protocol of the skbs enqueued on the error queue, for which
sk_family is not a precise predictor (thanks to another isue with
IPV6_ADDRFORM).
Link: http://lkml.kernel.org/r/20180518120826.ga19...@dragonet.kaist.ac.kr
Fixes: 7ce875e5ecb8 ("ipv4: warn once on passing AF_INET6 socket to
ip_recv_error")
Reported-by: DaeRyong Jeong
Suggested-by: Eric Dumazet
Signed-off-by: Willem de Bruijn
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/ip_sockglue.c |2 --
1 file changed, 2 deletions(-)
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -511,8 +511,6 @@ int ip_recv_error(struct sock *sk, struc
int err;
int copied;
- WARN_ON_ONCE(sk->sk_family == AF_INET6);
-
err = -EAGAIN;
skb = sock_dequeue_err_skb(sk);
if (!skb)
[PATCH 4.14 17/41] kcm: Fix use-after-free caused by clonned sockets
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Kirill Tkhai
[ Upstream commit eb7f54b90bd8f469834c5e86dcf72ebf9a629811 ]
(resend for properly queueing in patchwork)
kcm_clone() creates kernel socket, which does not take net counter.
Thus, the net may die before the socket is completely destructed,
i.e. kcm_exit_net() is executed before kcm_done().
Reported-by: syzbot+5f1a04e374a635efc...@syzkaller.appspotmail.com
Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/kcm/kcmsock.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1672,7 +1672,7 @@ static struct file *kcm_clone(struct soc
__module_get(newsock->ops->owner);
newsk = sk_alloc(sock_net(osock->sk), PF_KCM, GFP_KERNEL,
-&kcm_proto, true);
+&kcm_proto, false);
if (!newsk) {
sock_release(newsock);
return ERR_PTR(-ENOMEM);
[PATCH 4.14 19/41] net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Roopa Prabhu
[ Upstream commit 2eabd764cb5512f1338d06ffc054c8bc9fbe9104 ]
Signed-off-by: Roopa Prabhu
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/fib_frontend.c |1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -625,6 +625,7 @@ const struct nla_policy rtm_ipv4_policy[
[RTA_ENCAP] = { .type = NLA_NESTED },
[RTA_UID] = { .type = NLA_U32 },
[RTA_MARK] = { .type = NLA_U32 },
+ [RTA_TABLE] = { .type = NLA_U32 },
};
static int rtm_to_fib_config(struct net *net, struct sk_buff *skb,
[PATCH 4.14 31/41] net: phy: broadcom: Fix auxiliary control register reads
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Florian Fainelli
[ Upstream commit 733a969a7ed14fc5786bcc59c1bdda83c7ddb46e ]
We are currently doing auxiliary control register reads with the shadow
register value 0b111 (0x7) which incidentally is also the selector value
that should be present in bits [2:0]. Fix this by using the appropriate
selector mask which is defined (MII_BCM54XX_AUXCTL_SHDWSEL_MASK).
This does not have a functional impact yet because we always access the
MII_BCM54XX_AUXCTL_SHDWSEL_MISC (0x7) register in the current code.
This might change at some point though.
Fixes: 5b4e29005123 ("net: phy: broadcom: add bcm54xx_auxctl_read")
Signed-off-by: Florian Fainelli
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/phy/bcm-phy-lib.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/phy/bcm-phy-lib.c
+++ b/drivers/net/phy/bcm-phy-lib.c
@@ -56,7 +56,7 @@ int bcm54xx_auxctl_read(struct phy_devic
/* The register must be written to both the Shadow Register Select and
* the Shadow Read Register Selector
*/
- phy_write(phydev, MII_BCM54XX_AUX_CTL, regnum |
+ phy_write(phydev, MII_BCM54XX_AUX_CTL, MII_BCM54XX_AUXCTL_SHDWSEL_MASK |
regnum << MII_BCM54XX_AUXCTL_SHDWSEL_READ_SHIFT);
return phy_read(phydev, MII_BCM54XX_AUX_CTL);
}
[PATCH 4.14 41/41] PCI: hv: Do not wait forever on a device that has disappeared
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Dexuan Cui
commit c3635da2a336441253c33298b87b3042db100725 upstream.
Before the guest finishes the device initialization, the device can be
removed anytime by the host, and after that the host won't respond to
the guest's request, so the guest should be prepared to handle this
case.
Add a polling mechanism to detect device presence.
Signed-off-by: Dexuan Cui
[lorenzo.pieral...@arm.com: edited commit log]
Signed-off-by: Lorenzo Pieralisi
Reviewed-by: Haiyang Zhang
Cc: Stephen Hemminger
Cc: K. Y. Srinivasan
Signed-off-by: Greg Kroah-Hartman
---
drivers/pci/host/pci-hyperv.c | 46 +++---
1 file changed, 34 insertions(+), 12 deletions(-)
--- a/drivers/pci/host/pci-hyperv.c
+++ b/drivers/pci/host/pci-hyperv.c
@@ -566,6 +566,26 @@ static void put_pcichild(struct hv_pci_d
static void get_hvpcibus(struct hv_pcibus_device *hv_pcibus);
static void put_hvpcibus(struct hv_pcibus_device *hv_pcibus);
+/*
+ * There is no good way to get notified from vmbus_onoffer_rescind(),
+ * so let's use polling here, since this is not a hot path.
+ */
+static int wait_for_response(struct hv_device *hdev,
+struct completion *comp)
+{
+ while (true) {
+ if (hdev->channel->rescind) {
+ dev_warn_once(&hdev->device, "The device is gone.\n");
+ return -ENODEV;
+ }
+
+ if (wait_for_completion_timeout(comp, HZ / 10))
+ break;
+ }
+
+ return 0;
+}
+
/**
* devfn_to_wslot() - Convert from Linux PCI slot to Windows
* @devfn: The Linux representation of PCI slot
@@ -1582,7 +1602,8 @@ static struct hv_pci_dev *new_pcichild_d
if (ret)
goto error;
- wait_for_completion(&comp_pkt.host_event);
+ if (wait_for_response(hbus->hdev, &comp_pkt.host_event))
+ goto error;
hpdev->desc = *desc;
refcount_set(&hpdev->refs, 1);
@@ -2075,15 +2096,16 @@ static int hv_pci_protocol_negotiation(s
sizeof(struct pci_version_request),
(unsigned long)pkt, VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
+
if (ret) {
dev_err(&hdev->device,
- "PCI Pass-through VSP failed sending version
reqquest: %#x",
+ "PCI Pass-through VSP failed to request
version: %d",
ret);
goto exit;
}
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status >= 0) {
pci_protocol_version = pci_protocol_versions[i];
dev_info(&hdev->device,
@@ -2292,11 +2314,12 @@ static int hv_pci_enter_d0(struct hv_dev
ret = vmbus_sendpacket(hdev->channel, d0_entry, sizeof(*d0_entry),
(unsigned long)pkt, VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
+
if (ret)
goto exit;
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status < 0) {
dev_err(&hdev->device,
"PCI Pass-through VSP failed D0 Entry with status %x\n",
@@ -2336,11 +2359,10 @@ static int hv_pci_query_relations(struct
ret = vmbus_sendpacket(hdev->channel, &message, sizeof(message),
0, VM_PKT_DATA_INBAND, 0);
- if (ret)
- return ret;
+ if (!ret)
+ ret = wait_for_response(hdev, &comp);
- wait_for_completion(&comp);
- return 0;
+ return ret;
}
/**
@@ -2410,11 +2432,11 @@ static int hv_send_resources_allocated(s
size_res, (unsigned long)pkt,
VM_PKT_DATA_INBAND,
VMBUS_DATA_PACKET_FLAG_COMPLETION_REQUESTED);
+ if (!ret)
+ ret = wait_for_response(hdev, &comp_pkt.host_event);
if (ret)
break;
- wait_for_completion(&comp_pkt.host_event);
-
if (comp_pkt.completion_status < 0) {
ret = -EPROTO;
dev_err(&hdev->device,
[PATCH 4.14 33/41] virtio-net: correctly transmit XDP buff after linearizing
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 5d458a13dd59d04b4d6658a6d5b94d42732b15ae ]
We should not go for the error path after successfully transmitting a
XDP buffer after linearizing. Since the error path may try to pop and
drop next packet and increase the drop counters. Fixing this by simply
drop the refcnt of original page and go for xmit path.
Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous
buffers")
Cc: John Fastabend
Acked-by: Michael S. Tsirkin
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/virtio_net.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -688,7 +688,7 @@ static struct sk_buff *receive_mergeable
trace_xdp_exception(vi->dev, xdp_prog, act);
ewma_pkt_len_add(&rq->mrg_avg_pkt_len, len);
if (unlikely(xdp_page != page))
- goto err_xdp;
+ put_page(page);
rcu_read_unlock();
goto xdp_xmit;
default:
[PATCH 4.14 34/41] net/mlx4: Fix irq-unsafe spinlock usage
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jack Morgenstein
[ Upstream commit d546b67cda015fb92bfee93d5dc0ceadb91deaee ]
spin_lock/unlock was used instead of spin_un/lock_irq
in a procedure used in process space, on a spinlock
which can be grabbed in an interrupt.
This caused the stack trace below to be displayed (on kernel
4.17.0-rc1 compiled with Lock Debugging enabled):
[ 154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
[ 154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G I
[ 154.675856] -
[ 154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
[ 154.690254] f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at:
mlx4_qp_remove+0x20/0x50 [mlx4_core]
[ 154.700927]
and this task is already holding:
[ 154.707461] 94373b5d (&(&cq->lock)->rlock/1){}, at:
destroy_qp_common+0x111/0x560 [mlx4_ib]
[ 154.718028] which would create a new lock dependency:
[ 154.723705] (&(&cq->lock)->rlock/1){} ->
(&(&qp_table->lock)->rlock){+.+.}
[ 154.731922]
but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 154.740798] (&(&cq->lock)->rlock){..-.}
[ 154.740800]
... which became SOFTIRQ-irq-safe at:
[ 154.752163] _raw_spin_lock_irqsave+0x3e/0x50
[ 154.757163] mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib]
[ 154.762554] ipoib_tx_poll+0x4a/0xf0 [ib_ipoib]
...
to a SOFTIRQ-irq-unsafe lock:
[ 154.815603] (&(&qp_table->lock)->rlock){+.+.}
[ 154.815604]
... which became SOFTIRQ-irq-unsafe at:
[ 154.827718] ...
[ 154.827720] _raw_spin_lock+0x35/0x50
[ 154.833912] mlx4_qp_lookup+0x1e/0x50 [mlx4_core]
[ 154.839302] mlx4_flow_attach+0x3f/0x3d0 [mlx4_core]
Since mlx4_qp_lookup() is called only in process space, we can
simply replace the spin_un/lock calls with spin_un/lock_irq calls.
Fixes: 6dc06c08bef1 ("net/mlx4: Fix the check in attaching steering rules")
Signed-off-by: Jack Morgenstein
Signed-off-by: Tariq Toukan
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/mellanox/mlx4/qp.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx4/qp.c
+++ b/drivers/net/ethernet/mellanox/mlx4/qp.c
@@ -393,11 +393,11 @@ struct mlx4_qp *mlx4_qp_lookup(struct ml
struct mlx4_qp_table *qp_table = &mlx4_priv(dev)->qp_table;
struct mlx4_qp *qp;
- spin_lock(&qp_table->lock);
+ spin_lock_irq(&qp_table->lock);
qp = __mlx4_qp_lookup(dev, qpn);
- spin_unlock(&qp_table->lock);
+ spin_unlock_irq(&qp_table->lock);
return qp;
}
[PATCH 4.14 36/41] virtio-net: correctly check num_buf during err path
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 850e088d5bbb42fd4def08d0a4035f2b7126 ]
If we successfully linearize the packet, num_buf will be set to zero
which may confuse error handling path which assumes num_buf is at
least 1 and this can lead the code tries to pop the descriptor of next
buffer. Fixing this by checking num_buf against 1 before decreasing.
Fixes: 4941d472bf95 ("virtio-net: do not reset during XDP set")
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/virtio_net.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -777,7 +777,7 @@ err_xdp:
rcu_read_unlock();
err_skb:
put_page(page);
- while (--num_buf) {
+ while (num_buf-- > 1) {
buf = virtqueue_get_buf(rq->vq, &len);
if (unlikely(!buf)) {
pr_debug("%s: rx error: %d buffers missing\n",
[PATCH 4.14 30/41] ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Mathieu Xhonneux [ Upstream commit bbb40a0b75209734ff9286f3326171638c9f6569 ] seg6_do_srh_encap and seg6_do_srh_inline can possibly do an out-of-bounds access when adding the SRH to the packet. This no longer happen when expanding the skb not only by the size of the SRH (+ outer IPv6 header), but also by skb->mac_len. [ 53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620 [ 53.794564] Write of size 14 at addr 88011975ecfa by task ping/674 [ 53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90 [ 53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014 [ 53.796673] Call Trace: [ 53.796679] [ 53.796689] dump_stack+0x71/0xab [ 53.796700] print_address_description+0x6a/0x270 [ 53.796707] kasan_report+0x258/0x380 [ 53.796715] ? seg6_do_srh_encap+0x284/0x620 [ 53.796722] memmove+0x34/0x50 [ 53.796730] seg6_do_srh_encap+0x284/0x620 [ 53.796741] ? seg6_do_srh+0x29b/0x360 [ 53.796747] seg6_do_srh+0x29b/0x360 [ 53.796756] seg6_input+0x2e/0x2e0 [ 53.796765] lwtunnel_input+0x93/0xd0 [ 53.796774] ipv6_rcv+0x690/0x920 [ 53.796783] ? ip6_input+0x170/0x170 [ 53.796791] ? eth_gro_receive+0x2d0/0x2d0 [ 53.796800] ? ip6_input+0x170/0x170 [ 53.796809] __netif_receive_skb_core+0xcc0/0x13f0 [ 53.796820] ? netdev_info+0x110/0x110 [ 53.796827] ? napi_complete_done+0xb6/0x170 [ 53.796834] ? e1000_clean+0x6da/0xf70 [ 53.796845] ? process_backlog+0x129/0x2a0 [ 53.796853] process_backlog+0x129/0x2a0 [ 53.796862] net_rx_action+0x211/0x5c0 [ 53.796870] ? napi_complete_done+0x170/0x170 [ 53.796887] ? run_rebalance_domains+0x11f/0x150 [ 53.796891] __do_softirq+0x10e/0x39e [ 53.796894] do_softirq_own_stack+0x2a/0x40 [ 53.796895] [ 53.796898] do_softirq.part.16+0x54/0x60 [ 53.796900] __local_bh_enable_ip+0x5b/0x60 [ 53.796903] ip6_finish_output2+0x416/0x9f0 [ 53.796906] ? ip6_dst_lookup_flow+0x110/0x110 [ 53.796909] ? ip6_sk_dst_lookup_flow+0x390/0x390 [ 53.796911] ? __rcu_read_unlock+0x66/0x80 [ 53.796913] ? ip6_mtu+0x44/0xf0 [ 53.796916] ? ip6_output+0xfc/0x220 [ 53.796918] ip6_output+0xfc/0x220 [ 53.796921] ? ip6_finish_output+0x2b0/0x2b0 [ 53.796923] ? memcpy+0x34/0x50 [ 53.796926] ip6_send_skb+0x43/0xc0 [ 53.796929] rawv6_sendmsg+0x1216/0x1530 [ 53.796932] ? __orc_find+0x6b/0xc0 [ 53.796934] ? rawv6_rcv_skb+0x160/0x160 [ 53.796937] ? __rcu_read_unlock+0x66/0x80 [ 53.796939] ? __rcu_read_unlock+0x66/0x80 [ 53.796942] ? is_bpf_text_address+0x1e/0x30 [ 53.796944] ? kernel_text_address+0xec/0x100 [ 53.796946] ? __kernel_text_address+0xe/0x30 [ 53.796948] ? unwind_get_return_address+0x2f/0x50 [ 53.796950] ? __save_stack_trace+0x92/0x100 [ 53.796954] ? save_stack+0x89/0xb0 [ 53.796956] ? kasan_kmalloc+0xa0/0xd0 [ 53.796958] ? kmem_cache_alloc+0xd2/0x1f0 [ 53.796961] ? prepare_creds+0x23/0x160 [ 53.796963] ? __x64_sys_capset+0x252/0x3e0 [ 53.796966] ? do_syscall_64+0x69/0x160 [ 53.796968] ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.796971] ? __alloc_pages_nodemask+0x170/0x380 [ 53.796973] ? __alloc_pages_slowpath+0x12c0/0x12c0 [ 53.796977] ? tty_vhangup+0x20/0x20 [ 53.796979] ? policy_nodemask+0x1a/0x90 [ 53.796982] ? __mod_node_page_state+0x8d/0xa0 [ 53.796986] ? __check_object_size+0xe7/0x240 [ 53.796989] ? __sys_sendto+0x229/0x290 [ 53.796991] ? rawv6_rcv_skb+0x160/0x160 [ 53.796993] __sys_sendto+0x229/0x290 [ 53.796996] ? __ia32_sys_getpeername+0x50/0x50 [ 53.796999] ? commit_creds+0x2de/0x520 [ 53.797002] ? security_capset+0x57/0x70 [ 53.797004] ? __x64_sys_capset+0x29f/0x3e0 [ 53.797007] ? __x64_sys_rt_sigsuspend+0xe0/0xe0 [ 53.797011] ? __do_page_fault+0x664/0x770 [ 53.797014] __x64_sys_sendto+0x74/0x90 [ 53.797017] do_syscall_64+0x69/0x160 [ 53.797019] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.797022] RIP: 0033:0x7f43b7a6714a [ 53.797023] RSP: 002b:7ffd891bd368 EFLAGS: 0246 ORIG_RAX: 002c [ 53.797026] RAX: ffda RBX: 006129c0 RCX: 7f43b7a6714a [ 53.797028] RDX: 0040 RSI: 006129c0 RDI: 0004 [ 53.797029] RBP: 7ffd891be640 R08: 00610940 R09: 001c [ 53.797030] R10: R11: 0246 R12: 0040 [ 53.797032] R13: 0060e6a0 R14: 8004 R15: 0040b661 [ 53.797171] Allocated by task 642: [ 53.797460] kasan_kmalloc+0xa0/0xd0 [ 53.797463] kmem_cache_alloc+0xd2/0x1f0 [ 53.797465] getname_flags+0x40/0x210 [ 53.797467] user_path_at_empty+0x1d/0x40 [ 53.797469] do_faccessat+0x12a/0x320 [ 53.797471] do_syscall_64+0x69/0x160 [ 53.797473] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 53.797607] Freed by task 642: [ 53.79786
[PATCH 4.14 39/41] rtnetlink: validate attributes in do_setlink()
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Eric Dumazet [ Upstream commit 644c7eebbfd59e72982d11ec6cc7d39af12450ae ] It seems that rtnl_group_changelink() can call do_setlink while a prior call to validate_linkmsg(dev = NULL, ...) could not validate IFLA_ADDRESS / IFLA_BROADCAST Make sure do_setlink() calls validate_linkmsg() instead of letting its callers having this responsibility. With help from Dmitry Vyukov, thanks a lot ! BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline] BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:113 kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084 __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686 is_valid_ether_addr include/linux/etherdevice.h:199 [inline] eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline] eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308 dev_set_mac_address+0x261/0x530 net/core/dev.c:7157 do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x455a09 RSP: 002b:7fc07480ec68 EFLAGS: 0246 ORIG_RAX: 002e RAX: ffda RBX: 7fc07480f6d4 RCX: 00455a09 RDX: RSI: 23c0 RDI: 0014 RBP: 0072bea0 R08: R09: R10: R11: 0246 R12: R13: 05d0 R14: 006fdc20 R15: Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] kmsan_save_stack mm/kmsan/kmsan.c:294 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685 kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527 __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478 do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315 rtnl_group_changelink net/core/rtnetlink.c:2824 [inline] rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976 rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646 netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664 netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline] netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336 netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2753 [inline] __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:988 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline] netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876 sock_sendmsg_nosec net/socket.c:629 [inline] sock_sendmsg net/socket.c:639 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117 __sys_sendmsg net/socket.c:2155 [inline] __do_sys_sendmsg net/socket.c:2164 [inline] __se_sys_sendmsg net/socket.c:2162 [inline] __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162 do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: e7ed
[PATCH 4.14 38/41] virtio-net: fix leaking page for gso packet during mergeable XDP
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Jason Wang
[ Upstream commit 3d62b2a0db505bbf9ed0755f254e45d775f9807f ]
We need to drop refcnt to xdp_page if we see a gso packet. Otherwise
it will be leaked. Fixing this by moving the check of gso packet above
the linearizing logic. While at it, remove useless comment as well.
Cc: John Fastabend
Fixes: 72979a6c3590 ("virtio_net: xdp, add slowpath case for non contiguous
buffers")
Signed-off-by: Jason Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/virtio_net.c | 15 +++
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/net/virtio_net.c
+++ b/drivers/net/virtio_net.c
@@ -632,6 +632,13 @@ static struct sk_buff *receive_mergeable
void *data;
u32 act;
+ /* Transient failure which in theory could occur if
+* in-flight packets from before XDP was enabled reach
+* the receive path after XDP is loaded.
+*/
+ if (unlikely(hdr->hdr.gso_type))
+ goto err_xdp;
+
/* This happens when rx buffer size is underestimated */
if (unlikely(num_buf > 1 ||
headroom < virtnet_get_headroom(vi))) {
@@ -647,14 +654,6 @@ static struct sk_buff *receive_mergeable
xdp_page = page;
}
- /* Transient failure which in theory could occur if
-* in-flight packets from before XDP was enabled reach
-* the receive path after XDP is loaded. In practice I
-* was not able to create this condition.
-*/
- if (unlikely(hdr->hdr.gso_type))
- goto err_xdp;
-
/* Allow consuming headroom but reserve enough space to push
* the descriptor on if we get an XDP_TX return code.
*/
[PATCH 4.14 37/41] net/mlx5e: When RXFCS is set, add FCS data into checksum calculation
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Eran Ben Elisha
[ Upstream commit 902a545904c71d719ed144234d67df75f31db63b ]
When RXFCS feature is enabled, the HW do not strip the FCS data,
however it is not present in the checksum calculated by the HW.
Fix that by manually calculating the FCS checksum and adding it to the SKB
checksum field.
Add helper function to find the FCS data for all SKB forms (linear,
one fragment or more).
Fixes: 102722fc6832 ("net/mlx5e: Add support for RXFCS feature flag")
Signed-off-by: Eran Ben Elisha
Signed-off-by: Saeed Mahameed
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 42
1 file changed, 42 insertions(+)
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -635,6 +635,45 @@ static inline bool is_first_ethertype_ip
return (ethertype == htons(ETH_P_IP) || ethertype == htons(ETH_P_IPV6));
}
+static __be32 mlx5e_get_fcs(struct sk_buff *skb)
+{
+ int last_frag_sz, bytes_in_prev, nr_frags;
+ u8 *fcs_p1, *fcs_p2;
+ skb_frag_t *last_frag;
+ __be32 fcs_bytes;
+
+ if (!skb_is_nonlinear(skb))
+ return *(__be32 *)(skb->data + skb->len - ETH_FCS_LEN);
+
+ nr_frags = skb_shinfo(skb)->nr_frags;
+ last_frag = &skb_shinfo(skb)->frags[nr_frags - 1];
+ last_frag_sz = skb_frag_size(last_frag);
+
+ /* If all FCS data is in last frag */
+ if (last_frag_sz >= ETH_FCS_LEN)
+ return *(__be32 *)(skb_frag_address(last_frag) +
+ last_frag_sz - ETH_FCS_LEN);
+
+ fcs_p2 = (u8 *)skb_frag_address(last_frag);
+ bytes_in_prev = ETH_FCS_LEN - last_frag_sz;
+
+ /* Find where the other part of the FCS is - Linear or another frag */
+ if (nr_frags == 1) {
+ fcs_p1 = skb_tail_pointer(skb);
+ } else {
+ skb_frag_t *prev_frag = &skb_shinfo(skb)->frags[nr_frags - 2];
+
+ fcs_p1 = skb_frag_address(prev_frag) +
+ skb_frag_size(prev_frag);
+ }
+ fcs_p1 -= bytes_in_prev;
+
+ memcpy(&fcs_bytes, fcs_p1, bytes_in_prev);
+ memcpy(((u8 *)&fcs_bytes) + bytes_in_prev, fcs_p2, last_frag_sz);
+
+ return fcs_bytes;
+}
+
static inline void mlx5e_handle_csum(struct net_device *netdev,
struct mlx5_cqe64 *cqe,
struct mlx5e_rq *rq,
@@ -653,6 +692,9 @@ static inline void mlx5e_handle_csum(str
if (is_first_ethertype_ip(skb)) {
skb->ip_summed = CHECKSUM_COMPLETE;
skb->csum = csum_unfold((__force __sum16)cqe->check_sum);
+ if (unlikely(netdev->features & NETIF_F_RXFCS))
+ skb->csum = csum_add(skb->csum,
+(__force
__wsum)mlx5e_get_fcs(skb));
rq->stats.csum_complete++;
return;
}
[PATCH 4.14 35/41] tun: Fix NULL pointer dereference in XDP redirect
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Toshiaki Makita [ Upstream commit 6547e387d7f52f2ba681a229de3c13e5b9e01ee1 ] Calling XDP redirection requires bh disabled. Softirq can call another XDP function and redirection functions, then the percpu static variable ri->map can be overwritten to NULL. This is a generic XDP case called from tun. [ 3535.736058] BUG: unable to handle kernel NULL pointer dereference at 0018 [ 3535.743974] PGD 0 P4D 0 [ 3535.746530] Oops: [#1] SMP PTI [ 3535.750049] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel crypto_simd cryptd enclosure hpwdt hpilo glue_helper ipmi_si pcspkr wmi mei_me ioatdma mei ipmi_devintf shpchp dca ipmi_msghandler lpc_ich acpi_power_meter sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm smartpqi i40e crc32c_intel scsi_transport_sas tg3 i2c_core ptp pps_core [ 3535.813456] CPU: 5 PID: 1630 Comm: vhost-1614 Not tainted 4.17.0-rc4 #2 [ 3535.820127] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017 [ 3535.828732] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30 [ 3535.833740] RSP: 0018:b4bc47bf7c58 EFLAGS: 00010246 [ 3535.839009] RAX: 9fdfcfea1c40 RBX: RCX: 9fdf27fe3100 [ 3535.846205] RDX: 9fdfca769200 RSI: RDI: [ 3535.853402] RBP: b4bc491d9000 R08: 45ad R09: 0ec0 [ 3535.860597] R10: 0001 R11: 9fdf26c3ce4e R12: 9fdf9e72c000 [ 3535.867794] R13: R14: fff2 R15: 9fdfc82cdd00 [ 3535.874990] FS: () GS:9fdfcfe8() knlGS: [ 3535.883152] CS: 0010 DS: ES: CR0: 80050033 [ 3535.888948] CR2: 0018 CR3: 000bde724004 CR4: 007626e0 [ 3535.896145] DR0: DR1: DR2: [ 3535.903342] DR3: DR6: fffe0ff0 DR7: 0400 [ 3535.910538] PKRU: 5554 [ 3535.913267] Call Trace: [ 3535.915736] xdp_do_generic_redirect+0x7a/0x310 [ 3535.920310] do_xdp_generic.part.117+0x285/0x370 [ 3535.924970] tun_get_user+0x5b9/0x1260 [tun] [ 3535.929279] tun_sendmsg+0x52/0x70 [tun] [ 3535.933237] handle_tx+0x2ad/0x5f0 [vhost_net] [ 3535.937721] vhost_worker+0xa5/0x100 [vhost] [ 3535.942030] kthread+0xf5/0x130 [ 3535.945198] ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost] [ 3535.950031] ? kthread_bind+0x10/0x10 [ 3535.953727] ret_from_fork+0x35/0x40 [ 3535.957334] Code: 0e 74 15 83 f8 10 75 05 e9 49 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 29 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 49 a9 b3 ff 31 c0 c3 [ 3535.976387] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: b4bc47bf7c58 [ 3535.982883] CR2: 0018 [ 3535.987096] ---[ end trace 383b299dd1430240 ]--- [ 3536.131325] Kernel panic - not syncing: Fatal exception [ 3536.137484] Kernel Offset: 0x26a0 from 0x8100 (relocation range: 0x8000-0xbfff) [ 3536.281406] ---[ end Kernel panic - not syncing: Fatal exception ]--- And a kernel with generic case fixed still panics in tun driver XDP redirect, because it disabled only preemption, but not bh. [ 2055.128746] BUG: unable to handle kernel NULL pointer dereference at 0018 [ 2055.136662] PGD 0 P4D 0 [ 2055.139219] Oops: [#1] SMP PTI [ 2055.142736] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel ipmi_ssif crypto_simd enclosure cryptd hpwdt glue_helper ioatdma hpilo wmi dca pcspkr ipmi_si acpi_power_meter ipmi_devintf shpchp mei_me ipmi_msghandler mei lpc_ich sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm i40e smartpqi tg3 scsi_transport_sas crc32c_intel i2c_core ptp pps_core [ 2055.206142] CPU: 6 PID: 1693 Comm: vhost-1683 Tainted: GW 4.17.0-rc5-fix-tun+ #1 [ 2055.215011] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017 [ 2055.223617] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30 [ 2055.228624] RSP: 0018:998b07607cc0 EFLAGS: 00010246 [ 2055.233892] RAX: 8dbd8e235700 RBX: 8dbd8ff21c40 RCX: 0004 [ 2055.241089] RDX: 998b097a9000 RSI: 0
[PATCH 4.14 32/41] net-sysfs: Fix memory leak in XPS configuration
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Alexander Duyck
[ Upstream commit 664088f8d68178809b848ca450f2797efb34e8e7 ]
This patch reorders the error cases in showing the XPS configuration so
that we hold off on memory allocation until after we have verified that we
can support XPS on a given ring.
Fixes: 184c449f91fe ("net: Add support for XPS with QoS via traffic classes")
Signed-off-by: Alexander Duyck
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/core/net-sysfs.c |6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1207,9 +1207,6 @@ static ssize_t xps_cpus_show(struct netd
cpumask_var_t mask;
unsigned long index;
- if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
- return -ENOMEM;
-
index = get_netdev_queue_index(queue);
if (dev->num_tc) {
@@ -1219,6 +1216,9 @@ static ssize_t xps_cpus_show(struct netd
return -EINVAL;
}
+ if (!zalloc_cpumask_var(&mask, GFP_KERNEL))
+ return -ENOMEM;
+
rcu_read_lock();
dev_maps = rcu_dereference(dev->xps_maps);
if (dev_maps) {
Re: general protection fault in __vfs_write
syzbot has found a reproducer for the following crash on: HEAD commit:3a979e8c07e3 Merge tag 'mailbox-v4.18' of git://git.linaro.. git tree: net-next console output: https://syzkaller.appspot.com/x/log.txt?x=11e0c81f80 kernel config: https://syzkaller.appspot.com/x/.config?x=412e35656a3f7c09 dashboard link: https://syzkaller.appspot.com/bug?extid=7ade6c94abb2774c0fee compiler: gcc (GCC) 8.0.1 20180413 (experimental) syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=1665abf780 IMPORTANT: if you fix the bug, please add the following tag to the commit: Reported-by: syzbot+7ade6c94abb2774c0...@syzkaller.appspotmail.com IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready 8021q: adding VLAN 0 to HW filter on device team0 8021q: adding VLAN 0 to HW filter on device team0 bpfilter: read fail -512 kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: [#1] SMP KASAN CPU: 0 PID: 4546 Comm: syz-executor6 Not tainted 4.17.0+ #83 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:file_write_hint include/linux/fs.h:1932 [inline] RIP: 0010:init_sync_kiocb include/linux/fs.h:1942 [inline] RIP: 0010:new_sync_write fs/read_write.c:470 [inline] RIP: 0010:__vfs_write+0x4a6/0x960 fs/read_write.c:487 Code: c1 ea 03 80 3c 02 00 0f 85 1b 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d bc 24 c8 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ec 02 00 00 41 8b 84 24 c8 00 RSP: 0018:8801ae407850 EFLAGS: 00010202 RAX: dc00 RBX: 8801cd88f580 RCX: 81c0d6fb RDX: 0019 RSI: 81c0d70a RDI: 00c8 RBP: 8801ae4079c8 R08: 8801d88ee680 R09: fbfff130c5d9 R10: 8801ae407a10 R11: 89862ecb R12: R13: 8801ae4079a0 R14: R15: 8801ae407a88 FS: 0102f940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f5f52ac0518 CR3: 0001d8d8a000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 Call Trace: __kernel_write+0x10c/0x380 fs/read_write.c:506 __bpfilter_process_sockopt+0x1d8/0x35b net/bpfilter/bpfilter_kern.c:66 bpfilter_mbox_request+0x4d/0xb0 net/ipv4/bpfilter/sockopt.c:25 bpfilter_ip_get_sockopt+0x6b/0x90 net/ipv4/bpfilter/sockopt.c:42 ip_getsockopt+0x238/0x2a0 net/ipv4/ip_sockglue.c:1563 tcp_getsockopt+0x93/0xe0 net/ipv4/tcp.c:3532 sock_common_getsockopt+0x9a/0xe0 net/core/sock.c:3012 __sys_getsockopt+0x1a5/0x370 net/socket.c:1972 __do_sys_getsockopt net/socket.c:1983 [inline] __se_sys_getsockopt net/socket.c:1980 [inline] __x64_sys_getsockopt+0xbe/0x150 net/socket.c:1980 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4584ea Code: b8 34 01 00 00 0f 05 48 3d 01 f0 ff ff 0f 83 1d 8f fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 49 89 ca b8 37 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 fa 8e fb ff c3 66 0f 1f 84 00 00 00 00 00 RSP: 002b:00a3e328 EFLAGS: 0246 ORIG_RAX: 0037 RAX: ffda RBX: 00a3e350 RCX: 004584ea RDX: 0040 RSI: RDI: 0003 RBP: 00706f20 R08: 00a3e34c R09: 4000 R10: 00a3e350 R11: 0246 R12: 0003 R13: R14: R15: 00706860 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) ---[ end trace 9a583fc95516c106 ]--- RIP: 0010:file_write_hint include/linux/fs.h:1932 [inline] RIP: 0010:init_sync_kiocb include/linux/fs.h:1942 [inline] RIP: 0010:new_sync_write fs/read_write.c:470 [inline] RIP: 0010:__vfs_write+0x4a6/0x960 fs/read_write.c:487 Code: c1 ea 03 80 3c 02 00 0f 85 1b 04 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b 63 20 49 8d bc 24 c8 00 00 00 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e ec 02 00 00 41 8b 84 24 c8 00 RSP: 0018:8801ae407850 EFLAGS: 00010202 RAX: dc00 RBX: 8801cd88f580 RCX: 81c0d6fb RDX: 0019 RSI: 81c0d70a RDI: 00c8 RBP: 8801ae4079c8 R08: 8801d88ee680 R09: fbfff130c5d9 R10: 8801ae407a10 R11: 89862ecb R12: R13: 8801ae4079a0 R14: R15: 8801ae407a88 FS: 0102f940() GS:8801dae0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f5f52ac0518 CR3: 0001d8d8a000 CR4: 001406f0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400
[PATCH 4.14 40/41] cls_flower: Fix incorrect idr release when failing to modify rule
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Paul Blakey
[ Upstream commit 8258d2da9f9f521dce7019e018360c28d116354e ]
When we fail to modify a rule, we incorrectly release the idr handle
of the unmodified old rule.
Fix that by checking if we need to release it.
Fixes: fe2502e49b58 ("net_sched: remove cls_flower idr on failure")
Reported-by: Vlad Buslov
Reviewed-by: Roi Dayan
Acked-by: Jiri Pirko
Signed-off-by: Paul Blakey
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/sched/cls_flower.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -1007,7 +1007,7 @@ static int fl_change(struct net *net, st
return 0;
errout_idr:
- if (fnew->handle)
+ if (!fold)
idr_remove_ext(&head->handle_idr, fnew->handle);
errout:
tcf_exts_destroy(&fnew->exts);
[PATCH 4.14 21/41] net/packet: refine check for priv area size
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
[ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ]
syzbot was able to trick af_packet again [1]
Various commits tried to address the problem in the past,
but failed to take into account V3 header size.
[1]
tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96
BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016
[inline]
BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0
net/packet/af_packet.c:1039
Write of size 2 at addr 8801cb62000e by task kworker/1:2/2106
CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1b9/0x294 lib/dump_stack.c:113
print_address_description+0x6c/0x20b mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
__asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436
prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline]
prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039
__packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline]
packet_current_rx_frame net/packet/af_packet.c:1117 [inline]
tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282
dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018
xmit_one net/core/dev.c:3049 [inline]
dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069
__dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584
dev_queue_xmit+0x17/0x20 net/core/dev.c:3617
neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358
neigh_output include/net/neighbour.h:482 [inline]
ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120
ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171
dst_output include/net/dst.h:444 [inline]
NF_HOOK include/linux/netfilter.h:288 [inline]
ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491
ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633
addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033
process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145
worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279
kthread+0x345/0x410 kernel/kthread.c:240
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412
The buggy address belongs to the page:
page:ea00072d8800 count:0 mapcount:-127 mapping:
index:0x8801cb620e80
flags: 0x2fffc00()
raw: 02fffc00 8801cb620e80 ff80
raw: ea00072e3820 ea0007132d20 0002
page dumped because: kasan: bad access detected
Memory state around the buggy address:
8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>8801cb62: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size")
Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3")
Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/packet/af_packet.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4293,7 +4293,7 @@ static int packet_set_ring(struct sock *
goto out;
if (po->tp_version >= TPACKET_V3 &&
req->tp_block_size <=
- BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv))
+ BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) +
sizeof(struct tpacket3_hdr))
goto out;
if (unlikely(req->tp_frame_size < po->tp_hdrlen +
po->tp_reserve))
[PATCH 4.14 12/41] ip6_tunnel: remove magic mtu value 0xFFF8
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Nicolas Dichtel
[ Upstream commit f7ff1fde9441b4fcc8ffb6e66e6e5a00d008937e ]
I don't know where this value comes from (probably a copy and paste and
paste and paste ...).
Let's use standard values which are a bit greater.
Link:
https://git.kernel.org/pub/scm/linux/kernel/git/davem/netdev-vger-cvs.git/commit/?id=e5afd356a411a
Signed-off-by: Nicolas Dichtel
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv6/ip6_tunnel.c | 11 ---
net/ipv6/sit.c|5 +++--
2 files changed, 11 insertions(+), 5 deletions(-)
--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1693,8 +1693,13 @@ int ip6_tnl_change_mtu(struct net_device
if (new_mtu < ETH_MIN_MTU)
return -EINVAL;
}
- if (new_mtu > 0xFFF8 - dev->hard_header_len)
- return -EINVAL;
+ if (tnl->parms.proto == IPPROTO_IPV6 || tnl->parms.proto == 0) {
+ if (new_mtu > IP6_MAX_MTU - dev->hard_header_len)
+ return -EINVAL;
+ } else {
+ if (new_mtu > IP_MAX_MTU - dev->hard_header_len)
+ return -EINVAL;
+ }
dev->mtu = new_mtu;
return 0;
}
@@ -1842,7 +1847,7 @@ ip6_tnl_dev_init_gen(struct net_device *
if (!(t->parms.flags & IP6_TNL_F_IGN_ENCAP_LIMIT))
dev->mtu -= 8;
dev->min_mtu = ETH_MIN_MTU;
- dev->max_mtu = 0xFFF8 - dev->hard_header_len;
+ dev->max_mtu = IP6_MAX_MTU - dev->hard_header_len;
return 0;
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1360,7 +1360,7 @@ static void ipip6_tunnel_setup(struct ne
dev->hard_header_len= LL_MAX_HEADER + t_hlen;
dev->mtu= ETH_DATA_LEN - t_hlen;
dev->min_mtu= IPV6_MIN_MTU;
- dev->max_mtu= 0xFFF8 - t_hlen;
+ dev->max_mtu= IP6_MAX_MTU - t_hlen;
dev->flags = IFF_NOARP;
netif_keep_dst(dev);
dev->addr_len = 4;
@@ -1572,7 +1572,8 @@ static int ipip6_newlink(struct net *src
if (tb[IFLA_MTU]) {
u32 mtu = nla_get_u32(tb[IFLA_MTU]);
- if (mtu >= IPV6_MIN_MTU && mtu <= 0xFFF8 - dev->hard_header_len)
+ if (mtu >= IPV6_MIN_MTU &&
+ mtu <= IP6_MAX_MTU - dev->hard_header_len)
dev->mtu = mtu;
}
[PATCH 4.14 20/41] net: metrics: add proper netlink validation
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
[ Upstream commit 5b5e7a0de2bbf2a1afcd9f49e940010e9fb80d53 ]
Before using nla_get_u32(), better make sure the attribute
is of the proper size.
Code recently was changed, but bug has been there from beginning
of git.
BUG: KMSAN: uninit-value in rtnetlink_put_metrics+0x553/0x960
net/core/rtnetlink.c:746
CPU: 1 PID: 14139 Comm: syz-executor6 Not tainted 4.17.0-rc5+ #103
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
__msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
rtnetlink_put_metrics+0x553/0x960 net/core/rtnetlink.c:746
fib_dump_info+0xc42/0x2190 net/ipv4/fib_semantics.c:1361
rtmsg_fib+0x65f/0x8c0 net/ipv4/fib_semantics.c:419
fib_table_insert+0x2314/0x2b50 net/ipv4/fib_trie.c:1287
inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x455a09
RSP: 002b:7faae5fd8c68 EFLAGS: 0246 ORIG_RAX: 002e
RAX: ffda RBX: 7faae5fd96d4 RCX: 00455a09
RDX: RSI: 2000 RDI: 0013
RBP: 0072bea0 R08: R09:
R10: R11: 0246 R12:
R13: 05d0 R14: 006fdc20 R15:
Uninit was stored to memory at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
__msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:529
fib_convert_metrics net/ipv4/fib_semantics.c:1056 [inline]
fib_create_info+0x2d46/0x9dc0 net/ipv4/fib_semantics.c:1150
fib_table_insert+0x3e4/0x2b50 net/ipv4/fib_trie.c:1146
inet_rtm_newroute+0x210/0x340 net/ipv4/fib_frontend.c:779
rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
slab_post_alloc_hook mm/slab.h:446 [inline]
slab_alloc_node mm/slub.c:2753 [inline]
__kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:988 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg net/socket.c:639 [inline]
___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
__sys_sendmsg net/socket.c:2155 [inline]
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: a919525ad832 ("net: Move fib_convert_metrics to metrics file")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet
Reported-by: syzbot
Cc: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/fib_semantics.c |4
1 file changed, 4 insertions(+)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -725,6 +725,8 @@ bool fib_metric
[PATCH 4.14 18/41] netdev-FAQ: clarify DaveMs position for stable backports
4.14-stable review patch. If anyone has any objections, please let me know. -- From: Cong Wang [ Upstream commit 75d4e704fa8d2cf33ff295e5b441317603d7f9fd ] Per discussion with David at netconf 2018, let's clarify DaveM's position of handling stable backports in netdev-FAQ. This is important for people relying on upstream -stable releases. Cc: Greg Kroah-Hartman Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- Documentation/networking/netdev-FAQ.txt |9 + 1 file changed, 9 insertions(+) --- a/Documentation/networking/netdev-FAQ.txt +++ b/Documentation/networking/netdev-FAQ.txt @@ -176,6 +176,15 @@ A: No. See above answer. In short, if dash marker line as described in Documentation/process/submitting-patches.rst to temporarily embed that information into the patch that you send. +Q: Are all networking bug fixes backported to all stable releases? + +A: Due to capacity, Dave could only take care of the backports for the last + 2 stable releases. For earlier stable releases, each stable branch maintainer + is supposed to take care of them. If you find any patch is missing from an + earlier stable branch, please notify sta...@vger.kernel.org with either a + commit ID or a formal patch backported, and CC Dave and other relevant + networking developers. + Q: Someone said that the comment style and coding convention is different for the networking content. Is this true?
[PATCH 4.14 16/41] isdn: eicon: fix a missing-check bug
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Wenwen Wang
[ Upstream commit 6009d1fe6ba3bb2dab55921da60465329cc1cd89 ]
In divasmain.c, the function divas_write() firstly invokes the function
diva_xdi_open_adapter() to open the adapter that matches with the adapter
number provided by the user, and then invokes the function diva_xdi_write()
to perform the write operation using the matched adapter. The two functions
diva_xdi_open_adapter() and diva_xdi_write() are located in diva.c.
In diva_xdi_open_adapter(), the user command is copied to the object 'msg'
from the userspace pointer 'src' through the function pointer 'cp_fn',
which eventually calls copy_from_user() to do the copy. Then, the adapter
number 'msg.adapter' is used to find out a matched adapter from the
'adapter_queue'. A matched adapter will be returned if it is found.
Otherwise, NULL is returned to indicate the failure of the verification on
the adapter number.
As mentioned above, if a matched adapter is returned, the function
diva_xdi_write() is invoked to perform the write operation. In this
function, the user command is copied once again from the userspace pointer
'src', which is the same as the 'src' pointer in diva_xdi_open_adapter() as
both of them are from the 'buf' pointer in divas_write(). Similarly, the
copy is achieved through the function pointer 'cp_fn', which finally calls
copy_from_user(). After the successful copy, the corresponding command
processing handler of the matched adapter is invoked to perform the write
operation.
It is obvious that there are two copies here from userspace, one is in
diva_xdi_open_adapter(), and one is in diva_xdi_write(). Plus, both of
these two copies share the same source userspace pointer, i.e., the 'buf'
pointer in divas_write(). Given that a malicious userspace process can race
to change the content pointed by the 'buf' pointer, this can pose potential
security issues. For example, in the first copy, the user provides a valid
adapter number to pass the verification process and a valid adapter can be
found. Then the user can modify the adapter number to an invalid number.
This way, the user can bypass the verification process of the adapter
number and inject inconsistent data.
This patch reuses the data copied in
diva_xdi_open_adapter() and passes it to diva_xdi_write(). This way, the
above issues can be avoided.
Signed-off-by: Wenwen Wang
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/isdn/hardware/eicon/diva.c | 22 +++---
drivers/isdn/hardware/eicon/diva.h |5 +++--
drivers/isdn/hardware/eicon/divasmain.c | 18 +++---
3 files changed, 29 insertions(+), 16 deletions(-)
--- a/drivers/isdn/hardware/eicon/diva.c
+++ b/drivers/isdn/hardware/eicon/diva.c
@@ -388,10 +388,10 @@ void divasa_xdi_driver_unload(void)
** Receive and process command from user mode utility
*/
void *diva_xdi_open_adapter(void *os_handle, const void __user *src,
- int length,
+ int length, void *mptr,
divas_xdi_copy_from_user_fn_t cp_fn)
{
- diva_xdi_um_cfg_cmd_t msg;
+ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
diva_os_xdi_adapter_t *a = NULL;
diva_os_spin_lock_magic_t old_irql;
struct list_head *tmp;
@@ -401,21 +401,21 @@ void *diva_xdi_open_adapter(void *os_han
length, sizeof(diva_xdi_um_cfg_cmd_t)))
return NULL;
}
- if ((*cp_fn) (os_handle, &msg, src, sizeof(msg)) <= 0) {
+ if ((*cp_fn) (os_handle, msg, src, sizeof(*msg)) <= 0) {
DBG_ERR(("A: A(?) open, write error"))
return NULL;
}
diva_os_enter_spin_lock(&adapter_lock, &old_irql, "open_adapter");
list_for_each(tmp, &adapter_queue) {
a = list_entry(tmp, diva_os_xdi_adapter_t, link);
- if (a->controller == (int)msg.adapter)
+ if (a->controller == (int)msg->adapter)
break;
a = NULL;
}
diva_os_leave_spin_lock(&adapter_lock, &old_irql, "open_adapter");
if (!a) {
- DBG_ERR(("A: A(%d) open, adapter not found", msg.adapter))
+ DBG_ERR(("A: A(%d) open, adapter not found", msg->adapter))
}
return (a);
@@ -437,8 +437,10 @@ void diva_xdi_close_adapter(void *adapte
int
diva_xdi_write(void *adapter, void *os_handle, const void __user *src,
- int length, divas_xdi_copy_from_user_fn_t cp_fn)
+ int length, void *mptr,
+ divas_xdi_copy_from_user_fn_t cp_fn)
{
+ diva_xdi_um_cfg_cmd_t *msg = (diva_xdi_um_cfg_cmd_t *)mptr;
diva_os_xdi_adapter_t *a = (diva_os_xdi_adapter_t *) adapter;
void *data;
@@ -459,7 +461,13 @@ diva_xdi_write(void *adapter, vo
[PATCH 4.14 15/41] ipv6: omit traffic class when calculating flow hash
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Michal Kubecek
[ Upstream commit fa1be7e01ea863e911349e30456706749518eeab ]
Some of the code paths calculating flow hash for IPv6 use flowlabel member
of struct flowi6 which, despite its name, encodes both flow label and
traffic class. If traffic class changes within a TCP connection (as e.g.
ssh does), ECMP route can switch between path. It's also inconsistent with
other code paths where ip6_flowlabel() (returning only flow label) is used
to feed the key.
Use only flow label everywhere, including one place where hash key is set
using ip6_flowinfo().
Fixes: 51ebd3181572 ("ipv6: add support of equal cost multipath (ECMP)")
Fixes: f70ea018da06 ("net: Add functions to get skb->hash based on flow
structures")
Signed-off-by: Michal Kubecek
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
include/net/ipv6.h|5 +
net/core/flow_dissector.c |2 +-
net/ipv6/route.c |2 +-
3 files changed, 7 insertions(+), 2 deletions(-)
--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -861,6 +861,11 @@ static inline __be32 ip6_make_flowinfo(u
return htonl(tclass << IPV6_TCLASS_SHIFT) | flowlabel;
}
+static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
+{
+ return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
+}
+
/*
* Prototypes exported by ipv6
*/
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -1179,7 +1179,7 @@ __u32 __get_hash_from_flowi6(const struc
keys->ports.src = fl6->fl6_sport;
keys->ports.dst = fl6->fl6_dport;
keys->keyid.keyid = fl6->fl6_gre_key;
- keys->tags.flow_label = (__force u32)fl6->flowlabel;
+ keys->tags.flow_label = (__force u32)flowi6_get_flowlabel(fl6);
keys->basic.ip_proto = fl6->flowi6_proto;
return flow_hash_from_keys(keys);
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -1250,7 +1250,7 @@ out:
keys->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
keys->addrs.v6addrs.src = key_iph->saddr;
keys->addrs.v6addrs.dst = key_iph->daddr;
- keys->tags.flow_label = ip6_flowinfo(key_iph);
+ keys->tags.flow_label = ip6_flowlabel(key_iph);
keys->basic.ip_proto = key_iph->nexthdr;
}
[PATCH 4.14 27/41] team: use netdev_features_t instead of u32
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Dan Carpenter
[ Upstream commit 25ea66544bfd1d9df1b7e1502f8717e85fa1e6e6 ]
This code was introduced in 2011 around the same time that we made
netdev_features_t a u64 type. These days a u32 is not big enough to
hold all the potential features.
Signed-off-by: Dan Carpenter
Acked-by: Jiri Pirko
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/team/team.c |3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1004,7 +1004,8 @@ static void team_port_disable(struct tea
static void __team_compute_features(struct team *team)
{
struct team_port *port;
- u32 vlan_features = TEAM_VLAN_FEATURES & NETIF_F_ALL_FOR_ALL;
+ netdev_features_t vlan_features = TEAM_VLAN_FEATURES &
+ NETIF_F_ALL_FOR_ALL;
netdev_features_t enc_features = TEAM_ENC_FEATURES;
unsigned short max_hard_header_len = ETH_HLEN;
unsigned int dst_release_flag = IFF_XMIT_DST_RELEASE |
[PATCH 4.14 29/41] vrf: check the original netdevice for generating redirect
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Stephen Suryaputra
[ Upstream commit 2f17becfbea5e9a0529b51da7345783e96e69516 ]
Use the right device to determine if redirect should be sent especially
when using vrf. Same as well as when sending the redirect.
Signed-off-by: Stephen Suryaputra
Acked-by: David Ahern
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv6/ip6_output.c |3 ++-
net/ipv6/ndisc.c |6 ++
2 files changed, 8 insertions(+), 1 deletion(-)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -506,7 +506,8 @@ int ip6_forward(struct sk_buff *skb)
send redirects to source routed frames.
We don't send redirects to frames decapsulated from IPsec.
*/
- if (skb->dev == dst->dev && opt->srcrt == 0 && !skb_sec_path(skb)) {
+ if (IP6CB(skb)->iif == dst->dev->ifindex &&
+ opt->srcrt == 0 && !skb_sec_path(skb)) {
struct in6_addr *target = NULL;
struct inet_peer *peer;
struct rt6_info *rt;
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1568,6 +1568,12 @@ void ndisc_send_redirect(struct sk_buff
ops_data_buf[NDISC_OPS_REDIRECT_DATA_SPACE], *ops_data = NULL;
bool ret;
+ if (netif_is_l3_master(skb->dev)) {
+ dev = __dev_get_by_index(dev_net(skb->dev), IPCB(skb)->iif);
+ if (!dev)
+ return;
+ }
+
if (ipv6_get_lladdr(dev, &saddr_buf, IFA_F_TENTATIVE)) {
ND_PRINTK(2, warn, "Redirect: no link-local address on %s\n",
dev->name);
[PATCH 4.14 25/41] qed: Fix mask for physical address in ILT entry
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Shahed Shaikh
[ Upstream commit fdd13dd350dda1826579eb5c333d76b14513b812 ]
ILT entry requires 12 bit right shifted physical address.
Existing mask for ILT entry of physical address i.e.
ILT_ENTRY_PHY_ADDR_MASK is not sufficient to handle 64bit
address because upper 8 bits of 64 bit address were getting
masked which resulted in completer abort error on
PCIe bus due to invalid address.
Fix that mask to handle 64bit physical address.
Fixes: fe56b9e6a8d9 ("qed: Add module with basic common support")
Signed-off-by: Shahed Shaikh
Signed-off-by: Ariel Elior
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
drivers/net/ethernet/qlogic/qed/qed_cxt.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/qlogic/qed/qed_cxt.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_cxt.c
@@ -77,7 +77,7 @@
#define ILT_CFG_REG(cli, reg) PSWRQ2_REG_ ## cli ## _ ## reg ## _RT_OFFSET
/* ILT entry structure */
-#define ILT_ENTRY_PHY_ADDR_MASK0x000FFFULL
+#define ILT_ENTRY_PHY_ADDR_MASK(~0ULL >> 12)
#define ILT_ENTRY_PHY_ADDR_SHIFT 0
#define ILT_ENTRY_VALID_MASK 0x1ULL
#define ILT_ENTRY_VALID_SHIFT 52
[PATCH 4.14 24/41] packet: fix reserve calculation
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Willem de Bruijn
[ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ]
Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link
layer allocation") ensures that packet_snd always starts writing
the link layer header in reserved headroom allocated for this
purpose.
This is needed because packets may be shorter than hard_header_len,
in which case the space up to hard_header_len may be zeroed. But
that necessary padding is not accounted for in skb->len.
The fix, however, is buggy. It calls skb_push, which grows skb->len
when moving skb->data back. But in this case packet length should not
change.
Instead, call skb_reserve, which moves both skb->data and skb->tail
back, without changing length.
Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer
allocation")
Reported-by: Tariq Toukan
Signed-off-by: Willem de Bruijn
Acked-by: Soheil Hassas Yeganeh
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/packet/af_packet.c |2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2920,7 +2920,7 @@ static int packet_snd(struct socket *soc
if (unlikely(offset < 0))
goto out_free;
} else if (reserve) {
- skb_push(skb, reserve);
+ skb_reserve(skb, -reserve);
}
/* Returns -EFAULT on error */
[PATCH 4.14 13/41] ipmr: properly check rhltable_init() return value
4.14-stable review patch. If anyone has any objections, please let me know.
--
From: Eric Dumazet
[ Upstream commit 66fb33254f45df4b049f487aff1cbde1ef919390 ]
commit 8fb472c09b9d ("ipmr: improve hash scalability")
added a call to rhltable_init() without checking its return value.
This problem was then later copied to IPv6 and factorized in commit
0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 31552 Comm: syz-executor7 Not tainted 4.17.0-rc5+ #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
RIP: 0010:rht_key_hashfn include/linux/rhashtable.h:277 [inline]
RIP: 0010:__rhashtable_lookup include/linux/rhashtable.h:630 [inline]
RIP: 0010:rhltable_lookup include/linux/rhashtable.h:716 [inline]
RIP: 0010:mr_mfc_find_parent+0x2ad/0xbb0 net/ipv4/ipmr_base.c:63
RSP: 0018:8801826aef70 EFLAGS: 00010203
RAX: 0001 RBX: 0001 RCX: c90001ea
RDX: 0079 RSI: 8661e859 RDI: 000c
RBP: 8801826af1c0 R08: 8801b2212000 R09: ed003b5e46c2
R10: ed003b5e46c2 R11: 8801daf23613 R12: dc00
R13: 8801826af198 R14: 8801cf8225c0 R15: 8801826af658
FS: 7ff7fa732700() GS:8801daf0() knlGS:
CS: 0010 DS: ES: CR0: 80050033
CR2: 0003ff9c CR3: 0001b021 CR4: 001406e0
DR0: DR1: DR2:
DR3: DR6: fffe0ff0 DR7: 0400
Call Trace:
ip6mr_cache_find_parent net/ipv6/ip6mr.c:981 [inline]
ip6mr_mfc_delete+0x1fe/0x6b0 net/ipv6/ip6mr.c:1221
ip6_mroute_setsockopt+0x15c6/0x1d70 net/ipv6/ip6mr.c:1698
do_ipv6_setsockopt.isra.9+0x422/0x4660 net/ipv6/ipv6_sockglue.c:163
ipv6_setsockopt+0xbd/0x170 net/ipv6/ipv6_sockglue.c:922
rawv6_setsockopt+0x59/0x140 net/ipv6/raw.c:1060
sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3039
__sys_setsockopt+0x1bd/0x390 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes: 8fb472c09b9d ("ipmr: improve hash scalability")
Fixes: 0bbbf0e7d0e7 ("ipmr, ip6mr: Unite creation of new mr_table")
Signed-off-by: Eric Dumazet
Cc: Nikolay Aleksandrov
Cc: Yuval Mintz
Reported-by: syzbot
Acked-by: Nikolay Aleksandrov
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
net/ipv4/ipmr.c |7 ++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -323,6 +323,7 @@ static const struct rhashtable_params ip
static struct mr_table *ipmr_new_table(struct net *net, u32 id)
{
struct mr_table *mrt;
+ int err;
/* "pimreg%u" should not exceed 16 bytes (IFNAMSIZ) */
if (id != RT_TABLE_DEFAULT && id >= 10)
@@ -338,7 +339,11 @@ static struct mr_table *ipmr_new_table(s
write_pnet(&mrt->net, net);
mrt->id = id;
- rhltable_init(&mrt->mfc_hash, &ipmr_rht_params);
+ err = rhltable_init(&mrt->mfc_hash, &ipmr_rht_params);
+ if (err) {
+ kfree(mrt);
+ return ERR_PTR(err);
+ }
INIT_LIST_HEAD(&mrt->mfc_cache_list);
INIT_LIST_HEAD(&mrt->mfc_unres_queue);
