1. 18 10月, 2019 2 次提交
  2. 12 10月, 2019 4 次提交
  3. 08 10月, 2019 2 次提交
  4. 05 10月, 2019 4 次提交
    • C
      quota: fix wrong condition in is_quota_modification() · 06098609
      Chao Yu 提交于
      commit 6565c182094f69e4ffdece337d395eb7ec760efc upstream.
      
      Quoted from
      commit 3da40c7b ("ext4: only call ext4_truncate when size <= isize")
      
      " At LSF we decided that if we truncate up from isize we shouldn't trim
        fallocated blocks that were fallocated with KEEP_SIZE and are past the
       new i_size.  This patch fixes ext4 to do this. "
      
      And generic/092 of fstest have covered this case for long time, however
      is_quota_modification() didn't adjust based on that rule, so that in
      below condition, we will lose to quota block change:
      - fallocate blocks beyond EOF
      - remount
      - truncate(file_path, file_size)
      
      Fix it.
      
      Link: https://lore.kernel.org/r/20190911093650.35329-1-yuchao0@huawei.com
      Fixes: 3da40c7b ("ext4: only call ext4_truncate when size <= isize")
      CC: stable@vger.kernel.org
      Signed-off-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      06098609
    • M
      blk-mq: add callback of .cleanup_rq · 4ec3ca27
      Ming Lei 提交于
      [ Upstream commit 226b4fc75c78f9c497c5182d939101b260cfb9f3 ]
      
      SCSI maintains its own driver private data hooked off of each SCSI
      request, and the pridate data won't be freed after scsi_queue_rq()
      returns BLK_STS_RESOURCE or BLK_STS_DEV_RESOURCE. An upper layer driver
      (e.g. dm-rq) may need to retry these SCSI requests, before SCSI has
      fully dispatched them, due to a lower level SCSI driver's resource
      limitation identified in scsi_queue_rq(). Currently SCSI's per-request
      private data is leaked when the upper layer driver (dm-rq) frees and
      then retries these requests in response to BLK_STS_RESOURCE or
      BLK_STS_DEV_RESOURCE returns from scsi_queue_rq().
      
      This usecase is so specialized that it doesn't warrant training an
      existing blk-mq interface (e.g. blk_mq_free_request) to allow SCSI to
      account for freeing its driver private data -- doing so would add an
      extra branch for handling a special case that all other consumers of
      SCSI (and blk-mq) won't ever need to worry about.
      
      So the most pragmatic way forward is to delegate freeing SCSI driver
      private data to the upper layer driver (dm-rq).  Do so by adding
      new .cleanup_rq callback and calling a new blk_mq_cleanup_rq() method
      from dm-rq.  A following commit will implement the .cleanup_rq() hook
      in scsi_mq_ops.
      
      Cc: Ewan D. Milne <emilne@redhat.com>
      Cc: Bart Van Assche <bvanassche@acm.org>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Mike Snitzer <snitzer@redhat.com>
      Cc: dm-devel@redhat.com
      Cc: <stable@vger.kernel.org>
      Fixes: 396eaf21 ("blk-mq: improve DM's blk-mq IO merging via blk_insert_cloned_request feedback")
      Signed-off-by: NMing Lei <ming.lei@redhat.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4ec3ca27
    • U
      mmc: core: Add helper function to indicate if SDIO IRQs is enabled · a0dd3d95
      Ulf Hansson 提交于
      [ Upstream commit bd880b00697befb73eff7220ee20bdae4fdd487b ]
      
      To avoid each host driver supporting SDIO IRQs, from keeping track
      internally about if SDIO IRQs has been claimed, let's introduce a common
      helper function, sdio_irq_claimed().
      
      The function returns true if SDIO IRQs are claimed, via using the
      information about the number of claimed irqs. This is safe, even without
      any locks, as long as the helper function is called only from
      runtime/system suspend callbacks of the host driver.
      Tested-by: NMatthias Kaehlcke <mka@chromium.org>
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      Reviewed-by: NDouglas Anderson <dianders@chromium.org>
      Signed-off-by: NUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a0dd3d95
    • M
      kprobes: Prohibit probing on BUG() and WARN() address · fad90d4b
      Masami Hiramatsu 提交于
      [ Upstream commit e336b4027775cb458dc713745e526fa1a1996b2a ]
      
      Since BUG() and WARN() may use a trap (e.g. UD2 on x86) to
      get the address where the BUG() has occurred, kprobes can not
      do single-step out-of-line that instruction. So prohibit
      probing on such address.
      
      Without this fix, if someone put a kprobe on WARN(), the
      kernel will crash with invalid opcode error instead of
      outputing warning message, because kernel can not find
      correct bug address.
      Signed-off-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Acked-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Acked-by: NNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
      Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com>
      Cc: David S . Miller <davem@davemloft.net>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Naveen N . Rao <naveen.n.rao@linux.ibm.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/156750890133.19112.3393666300746167111.stgit@devnote2Signed-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fad90d4b
  5. 01 10月, 2019 1 次提交
  6. 21 9月, 2019 2 次提交
  7. 19 9月, 2019 1 次提交
    • E
      isdn/capi: check message length in capi_write() · 2354e925
      Eric Biggers 提交于
      [ Upstream commit fe163e534e5eecdfd7b5920b0dfd24c458ee85d6 ]
      
      syzbot reported:
      
          BUG: KMSAN: uninit-value in capi_write+0x791/0xa90 drivers/isdn/capi/capi.c:700
          CPU: 0 PID: 10025 Comm: syz-executor379 Not tainted 4.20.0-rc7+ #2
          Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
          Call Trace:
            __dump_stack lib/dump_stack.c:77 [inline]
            dump_stack+0x173/0x1d0 lib/dump_stack.c:113
            kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
            __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
            capi_write+0x791/0xa90 drivers/isdn/capi/capi.c:700
            do_loop_readv_writev fs/read_write.c:703 [inline]
            do_iter_write+0x83e/0xd80 fs/read_write.c:961
            vfs_writev fs/read_write.c:1004 [inline]
            do_writev+0x397/0x840 fs/read_write.c:1039
            __do_sys_writev fs/read_write.c:1112 [inline]
            __se_sys_writev+0x9b/0xb0 fs/read_write.c:1109
            __x64_sys_writev+0x4a/0x70 fs/read_write.c:1109
            do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
            entry_SYSCALL_64_after_hwframe+0x63/0xe7
          [...]
      
      The problem is that capi_write() is reading past the end of the message.
      Fix it by checking the message's length in the needed places.
      
      Reported-and-tested-by: syzbot+0849c524d9c634f5ae66@syzkaller.appspotmail.com
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2354e925
  8. 16 9月, 2019 6 次提交
    • B
      gpio: don't WARN() on NULL descs if gpiolib is disabled · c9c90711
      Bartosz Golaszewski 提交于
      [ Upstream commit ffe0bbabb0cffceceae07484fde1ec2a63b1537c ]
      
      If gpiolib is disabled, we use the inline stubs from gpio/consumer.h
      instead of regular definitions of GPIO API. The stubs for 'optional'
      variants of gpiod_get routines return NULL in this case as if the
      relevant GPIO wasn't found. This is correct so far.
      
      Calling other (non-gpio_get) stubs from this header triggers a warning
      because the GPIO descriptor couldn't have been requested. The warning
      however is unconditional (WARN_ON(1)) and is emitted even if the passed
      descriptor pointer is NULL.
      
      We don't want to force the users of 'optional' gpio_get to check the
      returned pointer before calling e.g. gpiod_set_value() so let's only
      WARN on non-NULL descriptors.
      
      Cc: stable@vger.kernel.org
      Reported-by: NClaus H. Stovgaard <cst@phaseone.com>
      Signed-off-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c9c90711
    • Y
      dm mpath: fix missing call of path selector type->end_io · 69409854
      Yufen Yu 提交于
      [ Upstream commit 5de719e3d01b4abe0de0d7b857148a880ff2a90b ]
      
      After commit 396eaf21 ("blk-mq: improve DM's blk-mq IO merging via
      blk_insert_cloned_request feedback"), map_request() will requeue the tio
      when issued clone request return BLK_STS_RESOURCE or BLK_STS_DEV_RESOURCE.
      
      Thus, if device driver status is error, a tio may be requeued multiple
      times until the return value is not DM_MAPIO_REQUEUE.  That means
      type->start_io may be called multiple times, while type->end_io is only
      called when IO complete.
      
      In fact, even without commit 396eaf21, setup_clone() failure can
      also cause tio requeue and associated missed call to type->end_io.
      
      The service-time path selector selects path based on in_flight_size,
      which is increased by st_start_io() and decreased by st_end_io().
      Missed calls to st_end_io() can lead to in_flight_size count error and
      will cause the selector to make the wrong choice.  In addition,
      queue-length path selector will also be affected.
      
      To fix the problem, call type->end_io in ->release_clone_rq before tio
      requeue.  map_info is passed to ->release_clone_rq() for map_request()
      error path that result in requeue.
      
      Fixes: 396eaf21 ("blk-mq: improve DM's blk-mq IO merging via blk_insert_cloned_request feedback")
      Cc: stable@vger.kernl.org
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      69409854
    • V
      drm/vblank: Allow dynamic per-crtc max_vblank_count · 2b4f5679
      Ville Syrjälä 提交于
      [ Upstream commit ed20151a7699bb2c77eba3610199789a126940c4 ]
      
      On i965gm we need to adjust max_vblank_count dynamically
      depending on whether the TV encoder is used or not. To
      that end add a per-crtc max_vblank_count that takes
      precedence over its device wide counterpart. The driver
      can now call drm_crtc_set_max_vblank_count() to configure
      the per-crtc value before calling drm_vblank_on().
      
      Also looks like there was some discussion about exynos needing
      similar treatment.
      
      v2: Drop the extra max_vblank_count!=0 check for the
          WARN(last!=current), will take care of it in i915 code (Daniel)
          WARN_ON(!inmodeset) (Daniel)
          WARN_ON(dev->max_vblank_count)
          Pimp up the docs (Daniel)
      
      Cc: stable@vger.kernel.org
      Cc: Inki Dae <inki.dae@samsung.com>
      Cc: Daniel Vetter <daniel@ffwll.ch>
      Signed-off-by: NVille Syrjälä <ville.syrjala@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181127182004.28885-1-ville.syrjala@linux.intel.comReviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2b4f5679
    • D
      keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h · 3f3beae2
      David Howells 提交于
      [ Upstream commit 2ecefa0a15fd0ef88b9cd5d15ceb813008136431 ]
      
      The keyctl_dh_params struct in uapi/linux/keyctl.h contains the symbol
      "private" which means that the header file will cause compilation failure
      if #included in to a C++ program.  Further, the patch that added the same
      struct to the keyutils package named the symbol "priv", not "private".
      
      The previous attempt to fix this (commit 8a2336e5) did so by simply
      renaming the kernel's copy of the field to dh_private, but this then breaks
      existing userspace and as such has been reverted (commit 8c0f9f5b).
      
      [And note, to those who think that wrapping the struct in extern "C" {}
       will work: it won't; that only changes how symbol names are presented to
       the assembler and linker.].
      
      Instead, insert an anonymous union around the "private" member and add a
      second member in there with the name "priv" to match the one in the
      keyutils package.  The "private" member is then wrapped in !__cplusplus
      cpp-conditionals to hide it from C++.
      
      Fixes: ddbb4114 ("KEYS: Add KEYCTL_DH_COMPUTE command")
      Fixes: 8a2336e5 ("uapi/linux/keyctl.h: don't use C++ reserved keyword as a struct member name")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      cc: Randy Dunlap <rdunlap@infradead.org>
      cc: Lubomir Rintel <lkundrak@v3.sk>
      cc: James Morris <jmorris@namei.org>
      cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
      cc: Stephan Mueller <smueller@chronox.de>
      cc: Andrew Morton <akpm@linux-foundation.org>
      cc: Linus Torvalds <torvalds@linux-foundation.org>
      cc: stable@vger.kernel.org
      Signed-off-by: NJames Morris <james.morris@microsoft.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      3f3beae2
    • H
      media: cec/v4l2: move V4L2 specific CEC functions to V4L2 · 85130845
      Hans Verkuil 提交于
      [ Upstream commit 9cfd2753f8f3923f89cbb15f940f3aa0e7202d3e ]
      
      Several CEC functions are actually specific for use with receivers,
      i.e. they should be part of the V4L2 subsystem, not CEC.
      
      These functions deal with validating and modifying EDIDs for (HDMI)
      receivers, and they do not actually have anything to do with the CEC
      subsystem and whether or not CEC is enabled. The problem was that if
      the CEC_CORE config option was not set, then these functions would
      become stubs, but that's not right: they should always be valid.
      
      So replace the cec_ prefix by v4l2_ and move them to v4l2-dv-timings.c.
      Update all drivers that call these accordingly.
      Signed-off-by: NHans Verkuil <hans.verkuil@cisco.com>
      Reported-by: NLars-Peter Clausen <lars@metafoo.de>
      Cc: <stable@vger.kernel.org>      # for v4.17 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      85130845
    • M
      {nl,mac}80211: fix interface combinations on crypto controlled devices · 1aa38ece
      Manikanta Pubbisetty 提交于
      [ Upstream commit e6f4051123fd33901e9655a675b22aefcdc5d277 ]
      
      Commit 33d915d9e8ce ("{nl,mac}80211: allow 4addr AP operation on
      crypto controlled devices") has introduced a change which allows
      4addr operation on crypto controlled devices (ex: ath10k). This
      change has inadvertently impacted the interface combinations logic
      on such devices.
      
      General rule is that software interfaces like AP/VLAN should not be
      listed under supported interface combinations and should not be
      considered during validation of these combinations; because of the
      aforementioned change, AP/VLAN interfaces(if present) will be checked
      against interfaces supported by the device and blocks valid interface
      combinations.
      
      Consider a case where an AP and AP/VLAN are up and running; when a
      second AP device is brought up on the same physical device, this AP
      will be checked against the AP/VLAN interface (which will not be
      part of supported interface combinations of the device) and blocks
      second AP to come up.
      
      Add a new API cfg80211_iftype_allowed() to fix the problem, this
      API works for all devices with/without SW crypto control.
      Signed-off-by: NManikanta Pubbisetty <mpubbise@codeaurora.org>
      Fixes: 33d915d9e8ce ("{nl,mac}80211: allow 4addr AP operation on crypto controlled devices")
      Link: https://lore.kernel.org/r/1563779690-9716-1-git-send-email-mpubbise@codeaurora.orgSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1aa38ece
  9. 10 9月, 2019 5 次提交
    • L
      libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer · 0f134f6e
      Luis Henriques 提交于
      [ Upstream commit 5c498950f730aa17c5f8a2cdcb903524e4002ed2 ]
      Signed-off-by: NLuis Henriques <lhenriques@suse.com>
      Reviewed-by: NJeff Layton <jlayton@kernel.org>
      Signed-off-by: NIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0f134f6e
    • Y
      gpio: Fix build error of function redefinition · 60520902
      YueHaibing 提交于
      [ Upstream commit 68e03b85474a51ec1921b4d13204782594ef7223 ]
      
      when do randbuilding, I got this error:
      
      In file included from drivers/hwmon/pmbus/ucd9000.c:19:0:
      ./include/linux/gpio/driver.h:576:1: error: redefinition of gpiochip_add_pin_range
       gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
       ^~~~~~~~~~~~~~~~~~~~~~
      In file included from drivers/hwmon/pmbus/ucd9000.c:18:0:
      ./include/linux/gpio.h:245:1: note: previous definition of gpiochip_add_pin_range was here
       gpiochip_add_pin_range(struct gpio_chip *chip, const char *pinctl_name,
       ^~~~~~~~~~~~~~~~~~~~~~
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: 964cb341 ("gpio: move pincontrol calls to <linux/gpio/driver.h>")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Link: https://lore.kernel.org/r/20190731123814.46624-1-yuehaibing@huawei.comSigned-off-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      60520902
    • P
      netfilter: nf_tables: use-after-free in failing rule with bound set · 5776970f
      Pablo Neira Ayuso 提交于
      [ Upstream commit 6a0a8d10a3661a036b55af695542a714c429ab7c ]
      
      If a rule that has already a bound anonymous set fails to be added, the
      preparation phase releases the rule and the bound set. However, the
      transaction object from the abort path still has a reference to the set
      object that is stale, leading to a use-after-free when checking for the
      set->bound field. Add a new field to the transaction that specifies if
      the set is bound, so the abort path can skip releasing it since the rule
      command owns it and it takes care of releasing it. After this update,
      the set->bound field is removed.
      
      [   24.649883] Unable to handle kernel paging request at virtual address 0000000000040434
      [   24.657858] Mem abort info:
      [   24.660686]   ESR = 0x96000004
      [   24.663769]   Exception class = DABT (current EL), IL = 32 bits
      [   24.669725]   SET = 0, FnV = 0
      [   24.672804]   EA = 0, S1PTW = 0
      [   24.675975] Data abort info:
      [   24.678880]   ISV = 0, ISS = 0x00000004
      [   24.682743]   CM = 0, WnR = 0
      [   24.685723] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000428952000
      [   24.692207] [0000000000040434] pgd=0000000000000000
      [   24.697119] Internal error: Oops: 96000004 [#1] SMP
      [...]
      [   24.889414] Call trace:
      [   24.891870]  __nf_tables_abort+0x3f0/0x7a0
      [   24.895984]  nf_tables_abort+0x20/0x40
      [   24.899750]  nfnetlink_rcv_batch+0x17c/0x588
      [   24.904037]  nfnetlink_rcv+0x13c/0x190
      [   24.907803]  netlink_unicast+0x18c/0x208
      [   24.911742]  netlink_sendmsg+0x1b0/0x350
      [   24.915682]  sock_sendmsg+0x4c/0x68
      [   24.919185]  ___sys_sendmsg+0x288/0x2c8
      [   24.923037]  __sys_sendmsg+0x7c/0xd0
      [   24.926628]  __arm64_sys_sendmsg+0x2c/0x38
      [   24.930744]  el0_svc_common.constprop.0+0x94/0x158
      [   24.935556]  el0_svc_handler+0x34/0x90
      [   24.939322]  el0_svc+0x8/0xc
      [   24.942216] Code: 37280300 f9404023 91014262 aa1703e0 (f9401863)
      [   24.948336] ---[ end trace cebbb9dcbed3b56f ]---
      
      Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5776970f
    • C
      net_sched: fix a NULL pointer deref in ipt action · 38166934
      Cong Wang 提交于
      [ Upstream commit 981471bd3abf4d572097645d765391533aac327d ]
      
      The net pointer in struct xt_tgdtor_param is not explicitly
      initialized therefore is still NULL when dereferencing it.
      So we have to find a way to pass the correct net pointer to
      ipt_destroy_target().
      
      The best way I find is just saving the net pointer inside the per
      netns struct tcf_idrinfo, which could make this patch smaller.
      
      Fixes: 0c66dc1e ("netfilter: conntrack: register hooks in netns when needed by ruleset")
      Reported-and-tested-by: itugrok@yahoo.com
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38166934
    • V
      net: sched: act_sample: fix psample group handling on overwrite · 5ff0ab0c
      Vlad Buslov 提交于
      [ Upstream commit dbf47a2a094edf58983265e323ca4bdcdb58b5ee ]
      
      Action sample doesn't properly handle psample_group pointer in overwrite
      case. Following issues need to be fixed:
      
      - In tcf_sample_init() function RCU_INIT_POINTER() is used to set
        s->psample_group, even though we neither setting the pointer to NULL, nor
        preventing concurrent readers from accessing the pointer in some way.
        Use rcu_swap_protected() instead to safely reset the pointer.
      
      - Old value of s->psample_group is not released or deallocated in any way,
        which results resource leak. Use psample_group_put() on non-NULL value
        obtained with rcu_swap_protected().
      
      - The function psample_group_put() that released reference to struct
        psample_group pointed by rcu-pointer s->psample_group doesn't respect rcu
        grace period when deallocating it. Extend struct psample_group with rcu
        head and use kfree_rcu when freeing it.
      
      Fixes: 5c5670fa ("net/sched: Introduce sample tc action")
      Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ff0ab0c
  10. 06 9月, 2019 3 次提交
  11. 29 8月, 2019 1 次提交
    • D
      rxrpc: Fix read-after-free in rxrpc_queue_local() · a05354cb
      David Howells 提交于
      commit 06d9532fa6b34f12a6d75711162d47c17c1add72 upstream.
      
      rxrpc_queue_local() attempts to queue the local endpoint it is given and
      then, if successful, prints a trace line.  The trace line includes the
      current usage count - but we're not allowed to look at the local endpoint
      at this point as we passed our ref on it to the workqueue.
      
      Fix this by reading the usage count before queuing the work item.
      
      Also fix the reading of local->debug_id for trace lines, which must be done
      with the same consideration as reading the usage count.
      
      Fixes: 09d2bf59 ("rxrpc: Add a tracepoint to track rxrpc_local refcounting")
      Reported-by: syzbot+78e71c5bab4f76a6a719@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a05354cb
  12. 25 8月, 2019 3 次提交
    • R
      drm/i915/cfl: Add a new CFL PCI ID. · 4af28b2f
      Rodrigo Vivi 提交于
      commit d0e062ebb3a44b56a7e672da568334c76f763552 upstream.
      
      One more CFL ID added to spec.
      
      Cc: José Roberto de Souza <jose.souza@intel.com>
      Signed-off-by: NRodrigo Vivi <rodrigo.vivi@intel.com>
      Reviewed-by: NJosé Roberto de Souza <jose.souza@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180803232721.20038-1-rodrigo.vivi@intel.comSigned-off-by: NWan Yusof, Wan Fahim AsqalaniX <wan.fahim.asqalanix.wan.yusof@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4af28b2f
    • M
      KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block · 8c7053d1
      Marc Zyngier 提交于
      commit 5eeaf10eec394b28fad2c58f1f5c3a5da0e87d1c upstream.
      
      Since commit commit 328e5664 ("KVM: arm/arm64: vgic: Defer
      touching GICH_VMCR to vcpu_load/put"), we leave ICH_VMCR_EL2 (or
      its GICv2 equivalent) loaded as long as we can, only syncing it
      back when we're scheduled out.
      
      There is a small snag with that though: kvm_vgic_vcpu_pending_irq(),
      which is indirectly called from kvm_vcpu_check_block(), needs to
      evaluate the guest's view of ICC_PMR_EL1. At the point were we
      call kvm_vcpu_check_block(), the vcpu is still loaded, and whatever
      changes to PMR is not visible in memory until we do a vcpu_put().
      
      Things go really south if the guest does the following:
      
      	mov x0, #0	// or any small value masking interrupts
      	msr ICC_PMR_EL1, x0
      
      	[vcpu preempted, then rescheduled, VMCR sampled]
      
      	mov x0, #ff	// allow all interrupts
      	msr ICC_PMR_EL1, x0
      	wfi		// traps to EL2, so samping of VMCR
      
      	[interrupt arrives just after WFI]
      
      Here, the hypervisor's view of PMR is zero, while the guest has enabled
      its interrupts. kvm_vgic_vcpu_pending_irq() will then say that no
      interrupts are pending (despite an interrupt being received) and we'll
      block for no reason. If the guest doesn't have a periodic interrupt
      firing once it has blocked, it will stay there forever.
      
      To avoid this unfortuante situation, let's resync VMCR from
      kvm_arch_vcpu_blocking(), ensuring that a following kvm_vcpu_check_block()
      will observe the latest value of PMR.
      
      This has been found by booting an arm64 Linux guest with the pseudo NMI
      feature, and thus using interrupt priorities to mask interrupts instead
      of the usual PSTATE masking.
      
      Cc: stable@vger.kernel.org # 4.12
      Fixes: 328e5664 ("KVM: arm/arm64: vgic: Defer touching GICH_VMCR to vcpu_load/put")
      Signed-off-by: NMarc Zyngier <maz@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      8c7053d1
    • Q
      asm-generic: fix -Wtype-limits compiler warnings · 0755b6b1
      Qian Cai 提交于
      [ Upstream commit cbedfe11347fe418621bd188d58a206beb676218 ]
      
      Commit d66acc39 ("bitops: Optimise get_order()") introduced a
      compilation warning because "rx_frag_size" is an "ushort" while
      PAGE_SHIFT here is 16.
      
      The commit changed the get_order() to be a multi-line macro where
      compilers insist to check all statements in the macro even when
      __builtin_constant_p(rx_frag_size) will return false as "rx_frag_size"
      is a module parameter.
      
      In file included from ./arch/powerpc/include/asm/page_64.h:107,
                       from ./arch/powerpc/include/asm/page.h:242,
                       from ./arch/powerpc/include/asm/mmu.h:132,
                       from ./arch/powerpc/include/asm/lppaca.h:47,
                       from ./arch/powerpc/include/asm/paca.h:17,
                       from ./arch/powerpc/include/asm/current.h:13,
                       from ./include/linux/thread_info.h:21,
                       from ./arch/powerpc/include/asm/processor.h:39,
                       from ./include/linux/prefetch.h:15,
                       from drivers/net/ethernet/emulex/benet/be_main.c:14:
      drivers/net/ethernet/emulex/benet/be_main.c: In function 'be_rx_cqs_create':
      ./include/asm-generic/getorder.h:54:9: warning: comparison is always
      true due to limited range of data type [-Wtype-limits]
         (((n) < (1UL << PAGE_SHIFT)) ? 0 :  \
               ^
      drivers/net/ethernet/emulex/benet/be_main.c:3138:33: note: in expansion
      of macro 'get_order'
        adapter->big_page_size = (1 << get_order(rx_frag_size)) * PAGE_SIZE;
                                       ^~~~~~~~~
      
      Fix it by moving all of this multi-line macro into a proper function,
      and killing __get_order() off.
      
      [akpm@linux-foundation.org: remove __get_order() altogether]
      [cai@lca.pw: v2]
        Link: http://lkml.kernel.org/r/1564000166-31428-1-git-send-email-cai@lca.pw
      Link: http://lkml.kernel.org/r/1563914986-26502-1-git-send-email-cai@lca.pw
      Fixes: d66acc39 ("bitops: Optimise get_order()")
      Signed-off-by: NQian Cai <cai@lca.pw>
      Reviewed-by: NNathan Chancellor <natechancellor@gmail.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: David Howells <dhowells@redhat.com>
      Cc: Jakub Jelinek <jakub@redhat.com>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Cc: Bill Wendling <morbo@google.com>
      Cc: James Y Knight <jyknight@google.com>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0755b6b1
  13. 16 8月, 2019 4 次提交
  14. 09 8月, 2019 2 次提交
    • T
      cgroup: Include dying leaders with live threads in PROCS iterations · 4340d175
      Tejun Heo 提交于
      commit c03cd7738a83b13739f00546166969342c8ff014 upstream.
      
      CSS_TASK_ITER_PROCS currently iterates live group leaders; however,
      this means that a process with dying leader and live threads will be
      skipped.  IOW, cgroup.procs might be empty while cgroup.threads isn't,
      which is confusing to say the least.
      
      Fix it by making cset track dying tasks and include dying leaders with
      live threads in PROCS iteration.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-and-tested-by: NTopi Miettinen <toiwoton@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4340d175
    • T
      cgroup: Implement css_task_iter_skip() · 370b9e63
      Tejun Heo 提交于
      commit b636fd38dc40113f853337a7d2a6885ad23b8811 upstream.
      
      When a task is moved out of a cset, task iterators pointing to the
      task are advanced using the normal css_task_iter_advance() call.  This
      is fine but we'll be tracking dying tasks on csets and thus moving
      tasks from cset->tasks to (to be added) cset->dying_tasks.  When we
      remove a task from cset->tasks, if we advance the iterators, they may
      move over to the next cset before we had the chance to add the task
      back on the dying list, which can allow the task to escape iteration.
      
      This patch separates out skipping from advancing.  Skipping only moves
      the affected iterators to the next pointer rather than fully advancing
      it and the following advancing will recognize that the cursor has
      already been moved forward and do the rest of advancing.  This ensures
      that when a task moves from one list to another in its cset, as long
      as it moves in the right direction, it's always visible to iteration.
      
      This doesn't cause any visible behavior changes.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      370b9e63