This is the start of the stable review cycle for the 5.4.69 release.
There are 388 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
    https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.69-rc1.gz
or in the git tree and branch at:
    git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <[email protected]>
Linux 5.4.69-rc1
Jiri Slaby <[email protected]>
ata: sata_mv, avoid trigerrable BUG_ON
Jiri Slaby <[email protected]>
ata: make qc_prep return ata_completion_errors
Jiri Slaby <[email protected]>
ata: define AC_ERR_OK
Muchun Song <[email protected]>
kprobes: Fix compiler warning for !CONFIG_KPROBES_ON_FTRACE
Mike Snitzer <[email protected]>
dm: fix bio splitting and its bio completion order for regular IO
Marc Zyngier <[email protected]>
KVM: arm64: Assume write fault on S1PTW permission fault on instruction fetch
Christian Borntraeger <[email protected]>
s390/zcrypt: Fix ZCRYPT_PERDEV_REQCNT ioctl
Vasily Gorbik <[email protected]>
mm/gup: fix gup_fast with dynamic page table folding
Gao Xiang <[email protected]>
mm, THP, swap: fix allocating cluster for swapfile by mistake
Charan Teja Reddy <[email protected]>
dmabuf: fix NULL pointer dereference in dma_buf_release()
Johannes Thumshirn <[email protected]>
btrfs: fix overflow when copying corrupt csums for a message
Masami Hiramatsu <[email protected]>
kprobes: tracing/kprobes: Fix to kill kprobes on initmem after boot
Masami Hiramatsu <[email protected]>
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
Jan Höppner <[email protected]>
s390/dasd: Fix zero write for FBA devices
Tom Rix <[email protected]>
tracing: fix double free
Nick Desaulniers <[email protected]>
lib/string.c: implement stpcpy
Kai-Heng Feng <[email protected]>
ALSA: hda/realtek: Enable front panel headset LED on Lenovo ThinkStation P520
Hui Wang <[email protected]>
ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged
Joakim Tjernlund <[email protected]>
ALSA: usb-audio: Add delay quirk for H570e USB headsets
James Smart <[email protected]>
scsi: lpfc: Fix initial FLOGI failure due to BBSCN not supported
Thomas Gleixner <[email protected]>
x86/ioapic: Unbreak check_timer()
Mikulas Patocka <[email protected]>
arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback
Minchan Kim <[email protected]>
mm: validate pmd after splitting
Tom Lendacky <[email protected]>
KVM: SVM: Add a dedicated INVD intercept routine
Sean Christopherson <[email protected]>
KVM: x86: Reset MMU context if guest toggles CR4.SMAP or CR4.PKE
Icenowy Zheng <[email protected]>
regulator: axp20x: fix LDO2/4 description
Wei Li <[email protected]>
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
Dmitry Baryshkov <[email protected]>
regmap: fix page selection for noinc writes
Dmitry Baryshkov <[email protected]>
regmap: fix page selection for noinc reads
Tom Rix <[email protected]>
ALSA: asihpi: fix iounmap in error handler
Necip Fazil Yildiran <[email protected]>
lib80211: fix unmet direct dependendices config warning when !CRYPTO
Yonghong Song <[email protected]>
bpf: Fix a rcu warning for bpffs map pretty-print
Linus Lüssing <[email protected]>
batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
Linus Lüssing <[email protected]>
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
Linus Lüssing <[email protected]>
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
Necip Fazil Yildiran <[email protected]>
nvme-tcp: fix kconfig dependency warning when !CRYPTO
Sven Eckelmann <[email protected]>
batman-adv: Add missing include for in_interrupt()
Martin Cerveny <[email protected]>
drm/sun4i: sun8i-csc: Secondary CSC register correction
Dmitry Bogdanov <[email protected]>
net: qed: RDMA personality shouldn't fail VF load
Dmitry Bogdanov <[email protected]>
net: qede: Disable aRFS for NPAR and 100G
Dmitry Bogdanov <[email protected]>
net: qed: Disable aRFS for NPAR and 100G
Marek Szyprowski <[email protected]>
drm/vc4/vc4_hdmi: fill ASoC card owner
Daniel Borkmann <[email protected]>
bpf: Fix clobbering of r2 in bpf_gen_ld_abs
Eric Dumazet <[email protected]>
mac802154: tx: fix use-after-free
Eelco Chaudron <[email protected]>
netfilter: conntrack: nf_conncount_init is failing with IPv6 disabled
Linus Lüssing <[email protected]>
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
Jing Xiangfeng <[email protected]>
atm: eni: fix the missed pci_disable_device() for eni_init_one()
Linus Lüssing <[email protected]>
batman-adv: bla: fix type misuse for backbone_gw hash indexing
Maximilian Luz <[email protected]>
mwifiex: Increase AES key storage size to 256 bits
Tianjia Zhang <[email protected]>
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
Tom Rix <[email protected]>
ieee802154/adf7242: check status of adf7242_read_reg
Liu Jian <[email protected]>
ieee802154: fix one possible memleak in ca8210_dev_com_init
Josh Poimboeuf <[email protected]>
objtool: Fix noreturn detection for ignored functions
Hans de Goede <[email protected]>
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
Michel Dänzer <[email protected]>
drm/amdgpu/dc: Require primary plane to be enabled whenever the CRTC is
Jun Lei <[email protected]>
drm/amd/display: update nv1x stutter latencies
Dennis Li <[email protected]>
drm/amdkfd: fix a memory leak issue
Borislav Petkov <[email protected]>
EDAC/ghes: Check whether the driver is on the safe list correctly
Sven Schnelle <[email protected]>
lockdep: fix order in trace_hardirqs_off_caller()
Ilya Leoshkevich <[email protected]>
s390/init: add missing __init annotations
Eddie James <[email protected]>
i2c: aspeed: Mask IRQ status to relevant bits
Palmer Dabbelt <[email protected]>
RISC-V: Take text_mutex in ftrace_init_nop()
Hans de Goede <[email protected]>
ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN Converter9 2-in-1
Sylwester Nawrocki <[email protected]>
ASoC: wm8994: Ensure the device is resumed in wm89xx_mic_detect functions
Sylwester Nawrocki <[email protected]>
ASoC: wm8994: Skip setting of the WM8994_MICBIAS register for WM1811
Kuninori Morimoto <[email protected]>
ASoC: pcm3168a: ignore 0 Hz settings
Amol Grover <[email protected]>
device_cgroup: Fix RCU list debugging warning
Anthony Iliopoulos <[email protected]>
nvme: explicitly update mpath disk capacity on revalidation
Tonghao Zhang <[email protected]>
net: openvswitch: use div_u64() for 64-by-32 divisions
Takashi Iwai <[email protected]>
ALSA: hda: Workaround for spurious wakeups on some Intel platforms
Takashi Iwai <[email protected]>
ALSA: hda: Always use jackpoll helper for jack update after resume
Jin Yao <[email protected]>
perf parse-events: Use strcmp() to compare the PMU name
Walter Lozano <[email protected]>
opp: Increase parsed_static_opps in _of_add_opp_table_v1()
Arnd Bergmann <[email protected]>
mt76: fix LED link time failure
Hou Tao <[email protected]>
ubi: fastmap: Free unused fastmap anchor peb during detach
Quinn Tran <[email protected]>
scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure
Thomas Richter <[email protected]>
perf tests: Fix test 68 zstd compression for s390
Qu Wenruo <[email protected]>
btrfs: qgroup: fix data leak caused by race between writeback and truncate
Zeng Tao <[email protected]>
vfio/pci: fix racy on error and request eventfd ctx
Andy Lutomirski <[email protected]>
selftests/x86/syscall_nt: Clear weird flags after each test
Javed Hasan <[email protected]>
scsi: libfc: Skip additional kref updating work event
Javed Hasan <[email protected]>
scsi: libfc: Handling of extra kref
Markus Theil <[email protected]>
mac80211: skip mpath lookup also for control port tx
Sagi Grimberg <[email protected]>
nvme: fix possible deadlock when I/O is blocked
Zhang Xiaoxu <[email protected]>
cifs: Fix double add page to memcg when cifs_readpages
Alex Williamson <[email protected]>
vfio/pci: Clear error and request eventfd ctx after releasing
Chuck Lever <[email protected]>
NFS: nfs_xdr_status should record the procedure name
Thomas Gleixner <[email protected]>
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
Boris Brezillon <[email protected]>
mtd: parser: cmdline: Support MTD names containing one or more colons
Madhuparna Bhowmik <[email protected]>
rapidio: avoid data race between file operation callbacks and mport_cdev_add().
Johannes Weiner <[email protected]>
mm: memcontrol: fix stat-corrupting race in charge moving
Qian Cai <[email protected]>
mm/swap_state: fix a data race in swapin_nr_pages
Jeff Layton <[email protected]>
ceph: fix potential race in ceph_check_caps
Dinghao Liu <[email protected]>
PCI: tegra: Fix runtime PM imbalance on error
Dinghao Liu <[email protected]>
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
Dinghao Liu <[email protected]>
mtd: rawnand: gpmi: Fix runtime PM imbalance on error
Dinghao Liu <[email protected]>
wlcore: fix runtime pm imbalance in wlcore_regdomain_config
Dinghao Liu <[email protected]>
wlcore: fix runtime pm imbalance in wl1271_tx_work
Dinghao Liu <[email protected]>
ASoC: img-i2s-out: Fix runtime PM imbalance on error
Dinghao Liu <[email protected]>
PCI: tegra194: Fix runtime PM imbalance on error
Adrian Hunter <[email protected]>
perf kcore_copy: Fix module map when there are no modules loaded
Ian Rogers <[email protected]>
perf metricgroup: Free metric_events on error
Xie XiuQi <[email protected]>
perf util: Fix memory leak of prefix_if_not_in
Jiri Olsa <[email protected]>
perf stat: Fix duration_time value for higher intervals
Ian Rogers <[email protected]>
perf trace: Fix the selection for architectures to generate the errno name tables
Ian Rogers <[email protected]>
perf evsel: Fix 2 memory leaks
Paul Mackerras <[email protected]>
KVM: PPC: Book3S HV: Close race with page faults around memslot flushes
Qian Cai <[email protected]>
vfio/pci: fix memory leaks of eventfd ctx
Dinghao Liu <[email protected]>
gpio: rcar: Fix runtime PM imbalance on error
Omar Sandoval <[email protected]>
btrfs: fix double __endio_write_update_ordered in direct I/O
David Sterba <[email protected]>
btrfs: don't force read-only after error in drop snapshot
Yu Chen <[email protected]>
usb: dwc3: Increase timeout for CmdAct cleared by device controller
Shreyas Joshi <[email protected]>
printk: handle blank console arguments passed in.
Dinghao Liu <[email protected]>
drm/nouveau/dispnv50: fix runtime pm imbalance on error
Dinghao Liu <[email protected]>
drm/nouveau: fix runtime pm imbalance on error
Dinghao Liu <[email protected]>
drm/nouveau/debugfs: fix runtime pm imbalance on error
Alexander Duyck <[email protected]>
e1000: Do not perform reset in reset_task if we are already down
Philip Yang <[email protected]>
drm/amdkfd: fix restore worker race condition
Anshuman Khandual <[email protected]>
arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
Wei Yongjun <[email protected]>
scsi: cxlflash: Fix error return code in cxlflash_probe()
James Morse <[email protected]>
arm64: acpi: Make apei_claim_sea() synchronise with APEI's irq work
Suzuki K Poulose <[email protected]>
coresight: etm4x: Fix use-after-free of per-cpu etm drvdata
Colin Ian King <[email protected]>
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
Miklos Szeredi <[email protected]>
fuse: update attr_version counter on fuse_notify_inval_inode()
Miklos Szeredi <[email protected]>
fuse: don't check refcount after stealing page
Chuck Lever <[email protected]>
svcrdma: Fix backchannel return code
Nicholas Piggin <[email protected]>
powerpc/traps: Make unrecoverable NMIs die instead of panic
Tang Bin <[email protected]>
ipmi:bt-bmc: Fix error handling and status check
Christophe JAILLET <[email protected]>
drm/exynos: dsi: Remove bridge node reference in error handling path in probe function
Takashi Iwai <[email protected]>
ALSA: hda: Fix potential race in unsol event handler
Jonathan Bakker <[email protected]>
tty: serial: samsung: Correct clock selection logic
Tuong Lien <[email protected]>
tipc: fix memory leak in service subscripting
Paolo Bonzini <[email protected]>
KVM: x86: handle wrap around 32-bit address space
Tang Bin <[email protected]>
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
Sonny Sasaka <[email protected]>
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
Jonathan Bakker <[email protected]>
phy: samsung: s5pv210-usb2: Add delay after reset
Jonathan Bakker <[email protected]>
power: supply: max17040: Correct voltage reading
Thierry Reding <[email protected]>
i2c: tegra: Restore pinmux on system resume
Waiman Long <[email protected]>
mm/slub: fix incorrect interpretation of s->offset
Ian Rogers <[email protected]>
perf mem2node: Avoid double free related to realloc
Stanimir Varbanov <[email protected]>
media: venus: vdec: Init registered list unconditionally
Cong Wang <[email protected]>
atm: fix a memory leak of vcc->user_back
Aya Levin <[email protected]>
devlink: Fix reporter's recovery condition
Krzysztof Kozlowski <[email protected]>
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
Wei Yongjun <[email protected]>
dpaa2-eth: fix error return code in setup_dpni()
Paul Turner <[email protected]>
sched/fair: Eliminate bandwidth race between throttling and distribution
Will Deacon <[email protected]>
arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
Wei Yongjun <[email protected]>
sparc64: vcc: Fix error return code in vcc_probe()
Ivan Safonov <[email protected]>
staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
Christophe JAILLET <[email protected]>
scsi: aacraid: Fix error handling paths in aac_probe_one()
Tonghao Zhang <[email protected]>
net: openvswitch: use u64 for meter bucket
Zenghui Yu <[email protected]>
KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi()
Zenghui Yu <[email protected]>
KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy
Madhuparna Bhowmik <[email protected]>
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
Douglas Anderson <[email protected]>
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
Stephane Eranian <[email protected]>
perf stat: Force error in fallback on :k events
Steve Rutherford <[email protected]>
KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
Josef Bacik <[email protected]>
btrfs: fix setting last_trans for reloc roots
Raviteja Narayanam <[email protected]>
serial: uartps: Wait for tx_empty in console setup
Nilesh Javali <[email protected]>
scsi: qedi: Fix termination timeouts in session logout
Takashi Iwai <[email protected]>
ALSA: hda: Skip controller resume if not needed
Jaewon Kim <[email protected]>
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
Jack Zhang <[email protected]>
drm/amdgpu/sriov add amdgpu_amdkfd_pre_reset in gpu reset
Sebastian Andrzej Siewior <[email protected]>
workqueue: Remove the warning in wq_worker_sleeping()
Israel Rukshin <[email protected]>
nvmet-rdma: fix double free of rdma queue
Trond Myklebust <[email protected]>
SUNRPC: Don't start a timer on an already queued rpc task
Qian Cai <[email protected]>
mm/vmscan.c: fix data races using kswapd_classzone_idx
Qian Cai <[email protected]>
mm/swapfile: fix data races in try_to_unuse()
Xianting Tian <[email protected]>
mm/filemap.c: clear page error before actual read
Nathan Chancellor <[email protected]>
mm/kmemleak.c: use address-of operator on section symbols
Anju T Sudhakar <[email protected]>
powerpc/perf: Implement a global lock to avoid races between trace, core and thread imc events.
James Zhu <[email protected]>
drm/amdgpu/vcn2.0: stall DPG when WPTR/RPTR reset
Trond Myklebust <[email protected]>
NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
Stuart Hayes <[email protected]>
PCI: pciehp: Fix MSI interrupt race
Andreas Steinmetz <[email protected]>
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
Liu Song <[email protected]>
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
Zhihao Cheng <[email protected]>
ubifs: ubifs_add_orphan: Fix a memory leak bug
Zhihao Cheng <[email protected]>
ubifs: ubifs_jnl_write_inode: Fix a memory leak bug
Mikel Rychliski <[email protected]>
PCI: Use ioremap(), not phys_to_virt() for platform ROM
Qian Cai <[email protected]>
netfilter: nf_tables: silence a RCU-list warning in nft_table_lookup()
Chuck Lever <[email protected]>
svcrdma: Fix leak of transport addresses
Christophe JAILLET <[email protected]>
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
Don Brace <[email protected]>
scsi: hpsa: correct race condition in offload enabled
Sergey Gorenko <[email protected]>
IB/iser: Always check sig MR before putting it to the free pool
Zhu Yanjun <[email protected]>
RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
Darrick J. Wong <[email protected]>
xfs: prohibit fs freezing when using empty transactions
Raveendran Somu <[email protected]>
brcmfmac: Fix double freeing in the fmac usb data path
Israel Rukshin <[email protected]>
nvme: Fix controller creation races with teardown flow
Israel Rukshin <[email protected]>
nvme: Fix ctrl use-after-free during sysfs deletion
John Meneghini <[email protected]>
nvme-multipath: do not reset on unknown status
Bernd Edlinger <[email protected]>
perf: Use new infrastructure to fix deadlocks in execve
Bernd Edlinger <[email protected]>
proc: io_accounting: Use new infrastructure to fix deadlocks in execve
Bernd Edlinger <[email protected]>
proc: Use new infrastructure to fix deadlocks in execve
Bernd Edlinger <[email protected]>
kernel/kcmp.c: Use new infrastructure to fix deadlocks in execve
Bernd Edlinger <[email protected]>
selftests/ptrace: add test cases for dead-locks
Bernd Edlinger <[email protected]>
exec: Fix a deadlock in strace
Eric W. Biederman <[email protected]>
exec: Add exec_update_mutex to replace cred_guard_mutex
Gabriel Ravier <[email protected]>
tools: gpio-hammer: Avoid potential overflow in main
Pratik Rajesh Sampat <[email protected]>
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
Andre Przywara <[email protected]>
net: axienet: Propagate failure of DMA descriptor setup
Andre Przywara <[email protected]>
net: axienet: Convert DMA error handler to a work queue
Christophe JAILLET <[email protected]>
perf cpumap: Fix snprintf overflow check
Vignesh Raghavendra <[email protected]>
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
Peter Ujfalusi <[email protected]>
serial: 8250_omap: Fix sleeping function called from invalid context during probe
Vignesh Raghavendra <[email protected]>
serial: 8250_port: Don't service RX FIFO if throttled
Heiner Kallweit <[email protected]>
r8169: improve RTL8168b FIFO overflow workaround
Josef Bacik <[email protected]>
btrfs: free the reloc_control in a consistent way
Josef Bacik <[email protected]>
btrfs: do not init a reloc root if we aren't relocating
Ian Rogers <[email protected]>
perf parse-events: Fix 3 use after frees found with clang ASAN
He Zhe <[email protected]>
KVM: LAPIC: Mark hrtimer for period or oneshot mode to expire in hard interrupt context
Niklas Söderlund <[email protected]>
thermal: rcar_thermal: Handle probe error gracefully
Nathan Chancellor <[email protected]>
tracing: Use address-of operator on section symbols
Jordan Crouse <[email protected]>
drm/msm/a5xx: Always set an OPP supported hardware value
Pavel Machek <[email protected]>
drm/msm: fix leaks if initialization fails
Gustavo Romero <[email protected]>
KVM: PPC: Book3S HV: Treat TM-related invalid form instructions on P9 like the valid ones
Alexander Shishkin <[email protected]>
intel_th: Disallow multi mode on devices where it's broken
Jason Gunthorpe <[email protected]>
RDMA/cm: Remove a race freeing timewait_info
Trond Myklebust <[email protected]>
nfsd: Don't add locks to closed or closing open stateids
Alexandre Belloni <[email protected]>
rtc: ds1374: fix possible race condition
Alexandre Belloni <[email protected]>
rtc: sa1100: fix possible race condition
Stefan Berger <[email protected]>
tpm: ibmvtpm: Wait for buffer to be set before proceeding
Dmitry Monakhov <[email protected]>
ext4: mark block bitmap corrupted when found instead of BUGON
Darrick J. Wong <[email protected]>
xfs: mark dir corrupt when lookup-by-hash fails
Darrick J. Wong <[email protected]>
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
Palmer Dabbelt <[email protected]>
tty: sifive: Finish transmission before changing the clock
Colin Ian King <[email protected]>
media: tda10071: fix unsigned sign extension overflow
Howard Chung <[email protected]>
Bluetooth: L2CAP: handle l2cap config request during open state
Sagar Biradar <[email protected]>
scsi: aacraid: Disabling TM path and only processing IOP reset
Wen Gong <[email protected]>
ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
Leo Yan <[email protected]>
perf cs-etm: Correct synthesizing instruction samples
Leo Yan <[email protected]>
perf cs-etm: Swap packets for instruction samples
afzal mohammed <[email protected]>
s390/irq: replace setup_irq() by request_irq()
Zeng Tao <[email protected]>
cpu-topology: Fix the potential data corruption
Anson Huang <[email protected]>
clk: imx: Fix division by zero warning on pfdv2
Rodrigo Siqueira <[email protected]>
drm/amd/display: Stop if retimer is not available
Tony Lindgren <[email protected]>
ARM: OMAP2+: Handle errors for cpu_pm
John Clements <[email protected]>
drm/amdgpu: increase atombios cmd timeout
Kirill A. Shutemov <[email protected]>
mm: avoid data corruption on CoW fault into PFN-mapped VMA
John Garry <[email protected]>
perf jevents: Fix leak of mapfile memory
Qiujun Huang <[email protected]>
ext4: fix a data race at inode->i_disksize
Wenjing Liu <[email protected]>
drm/amd/display: fix image corruption with ODM 2:1 DSC 2 slice
Alexey Kardashevskiy <[email protected]>
powerpc/book3s64: Fix error handling in mm_iommu_do_alloc()
Wen Yang <[email protected]>
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
Alain Michaud <[email protected]>
Bluetooth: guard against controllers sending zero'd events
Takashi Iwai <[email protected]>
media: go7007: Fix URB type for interrupt handling
Jaska Uimonen <[email protected]>
ASoC: SOF: ipc: check ipc return value before data copy
John Garry <[email protected]>
bus: hisi_lpc: Fixup IO ports addresses to avoid use-after-free in host removal
Qian Cai <[email protected]>
random: fix data races at timer_rand_state
James Morse <[email protected]>
firmware: arm_sdei: Use cpus_read_lock() to avoid races with cpuhp
Jiri Pirko <[email protected]>
iavf: use tc_cls_can_offload_and_chain0() instead of chain check
Laurent Pinchart <[email protected]>
drm/omap: dss: Cleanup DSS ports on initialisation failure
Aric Cyr <[email protected]>
drm/amd/display: dal_ddc_i2c_payloads_create can fail causing panic
Pierre-Louis Bossart <[email protected]>
soundwire: bus: disable pm_runtime in sdw_slave_delete
Dmitry Osipenko <[email protected]>
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
Amelie Delaunay <[email protected]>
dmaengine: stm32-dma: use vchan_terminate_vdesc() in .terminate_all
Thomas Gleixner <[email protected]>
bpf: Remove recursion prevention from rcu free callback
Dave Hansen <[email protected]>
x86/pkeys: Add check for pkey "overflow"
Dan Carpenter <[email protected]>
media: staging/imx: Missing assignment in imx_media_capture_device_register()
Amelie Delaunay <[email protected]>
dmaengine: stm32-mdma: use vchan_terminate_vdesc() in .terminate_all
wanpeng li <[email protected]>
KVM: nVMX: Hold KVM's srcu lock when syncing vmcs12->shadow
Paolo Bonzini <[email protected]>
KVM: x86: fix incorrect comparison in trace event
Bart Van Assche <[email protected]>
RDMA/rxe: Fix configuration of atomic queue pair attributes
Thomas Richter <[email protected]>
perf test: Fix test trace+probe_vfs_getname.sh on s390
Takashi Iwai <[email protected]>
ALSA: usb-audio: Don't create a mixer element with bogus volume range
Felix Fietkau <[email protected]>
mt76: fix handling full tx queues in mt76_dma_tx_queue_skb_raw
Felix Fietkau <[email protected]>
mt76: clear skb pointers from rx aggregation reorder buffer during cleanup
Ayush Sawal <[email protected]>
crypto: chelsio - This fixes the kernel panic which occurs during a libkcapi test
Dinh Nguyen <[email protected]>
clk: stratix10: use do_div() for 64-bit calculation
Waiman Long <[email protected]>
locking/lockdep: Decrement IRQ context counters when removing lock chain
Wen Yang <[email protected]>
drm/omap: fix possible object reference leak
James Smart <[email protected]>
scsi: lpfc: Fix coverity errors in fmdi attribute handling
James Smart <[email protected]>
scsi: lpfc: Fix release of hwq to clear the eq relationship
James Smart <[email protected]>
scsi: lpfc: Fix RQ buffer leakage when no IOCBs available
Vasily Averin <[email protected]>
selinux: sel_avc_get_stat_idx should increase position index
Steve Grubb <[email protected]>
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
Tony Cheng <[email protected]>
drm/amd/display: fix workaround for incorrect double buffer register for DLG ADL and TTU
Trond Myklebust <[email protected]>
nfsd: Fix a perf warning
Qian Cai <[email protected]>
skbuff: fix a data race in skb_queue_len()
Mohan Kumar <[email protected]>
ALSA: hda: Clear RIRB status before reading WP
Zhuang Yanying <[email protected]>
KVM: fix overflow of zero page refcount with ksm running
Hillf Danton <[email protected]>
Bluetooth: prefetch channel before killing sock
Steven Price <[email protected]>
mm: pagewalk: fix termination condition in walk_pte_range()
Vasily Averin <[email protected]>
mm/swapfile.c: swap_next should increase position index
Manish Mandlik <[email protected]>
Bluetooth: Fix refcount use-after-free issue
Doug Smythies <[email protected]>
tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility
Sven Schnelle <[email protected]>
selftests/ftrace: fix glob selftest
Jeff Layton <[email protected]>
ceph: ensure we have a new cap before continuing in fill_inode
Mert Dirik <[email protected]>
ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter
Vincent Whitchurch <[email protected]>
ARM: 8948/1: Prevent OOB access in stacktrace
Josef Bacik <[email protected]>
tracing: Set kernel_stack's caller size properly
Maxim Mikityanskiy <[email protected]>
Bluetooth: btrtl: Use kvmalloc for FW allocations
Oliver O'Halloran <[email protected]>
powerpc/eeh: Only dump stack once if an MMIO loop is detected
Trond Myklebust <[email protected]>
nfsd: Fix a soft lockup race in nfsd_file_mark_find_or_create()
Thomas Richter <[email protected]>
s390/cpum_sf: Use kzalloc and minor changes
Matthias Fend <[email protected]>
dmaengine: zynqmp_dma: fix burst length configuration
Qu Wenruo <[email protected]>
btrfs: tree-checker: Check leaf chunk item size
Dmitry Osipenko <[email protected]>
i2c: tegra: Prevent interrupt triggering after transfer timeout
David Francis <[email protected]>
drm/amd/display: Initialize DSC PPS variables to 0
Bart Van Assche <[email protected]>
scsi: ufs: Fix a race condition in the tracing code
Bart Van Assche <[email protected]>
scsi: ufs: Make ufshcd_add_command_trace() easier to read
Rafael J. Wysocki <[email protected]>
ACPI: EC: Reference count query handlers under lock
Kevin Kou <[email protected]>
sctp: move trace_sctp_probe_path into sctp_outq_sack
James Smart <[email protected]>
scsi: lpfc: Fix incomplete NVME discovery when target
Quinn Tran <[email protected]>
scsi: qla2xxx: Fix stuck session in GNL
Viresh Kumar <[email protected]>
opp: Replace list_kref with a local counter
Nikhil Devshatwar <[email protected]>
media: ti-vpe: cal: Restrict DMA to avoid memory corruption
Andrey Grodzovsky <[email protected]>
drm/scheduler: Avoid accessing freed bad job.
Marco Elver <[email protected]>
seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier
Stephan Gerhold <[email protected]>
drm/mcde: Handle pending vblank while disabling display
Vasily Averin <[email protected]>
ipv6_route_seq_next should increase position index
Vasily Averin <[email protected]>
rt_cpu_seq_next should increase position index
Vasily Averin <[email protected]>
neigh_stat_seq_next() should increase position index
Vasily Averin <[email protected]>
vcc_seq_next should increase position index
Tuong Lien <[email protected]>
tipc: fix link overflow issue at socket shutdown
Kai Vehmanen <[email protected]>
ALSA: hda: enable regmap internal locking
Darrick J. Wong <[email protected]>
xfs: fix log reservation overflows when allocating large rt extents
Steven Rostedt (VMware) <[email protected]>
module: Remove accidental change of module_enable_x()
Miaohe Lin <[email protected]>
KVM: arm/arm64: vgic: Fix potential double free dist->spis in __kvm_vgic_destroy()
Joe Perches <[email protected]>
kernel/sys.c: avoid copying possible padding bytes in copy_to_user
Xiaoming Ni <[email protected]>
kernel/notifier.c: intercept duplicate registrations to avoid infinite loops
Stanislav Fomichev <[email protected]>
selftests/bpf: De-flake test_tcpbpf
Mark Rutland <[email protected]>
arm64: insn: consistently handle exit text
Monk Liu <[email protected]>
drm/amdgpu: fix calltrace during kmd unload(v3)
Omar Sandoval <[email protected]>
xfs: fix realtime file data space leak
Vasily Gorbik <[email protected]>
s390: avoid misusing CALL_ON_STACK for task stack setup
Max Filippov <[email protected]>
xtensa: fix system_call interaction with ptrace
Tzung-Bi Shih <[email protected]>
ASoC: max98090: remove msleep in PLL unlocked workaround
Jaegeuk Kim <[email protected]>
f2fs: stop GC when the victim becomes fully valid
Pavel Shilovsky <[email protected]>
CIFS: Properly process SMB3 lease breaks
Markus Elfring <[email protected]>
CIFS: Use common error handling code in smb2_ioctl_query_info()
Chuck Lever <[email protected]>
SUNRPC: Capture completion of all RPC tasks
Kusanagi Kouichi <[email protected]>
debugfs: Fix !DEBUG_FS debugfs_create_automount
Felix Fietkau <[email protected]>
mt76: add missing locking around ampdu action
Felix Fietkau <[email protected]>
mt76: do not use devm API for led classdev
peter chang <[email protected]>
scsi: pm80xx: Cleanup command when a reset times out
Bob Peterson <[email protected]>
gfs2: clean up iopen glock mess in gfs2_create_inode
Bradley Bolen <[email protected]>
mmc: core: Fix size overflow for mmc partitions
Sascha Hauer <[email protected]>
ubi: Fix producing anchor PEBs
Christophe JAILLET <[email protected]>
RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()'
Brian Foster <[email protected]>
xfs: fix attr leaf header freemap.size underflow
Al Viro <[email protected]>
fix dget_parent() fastpath race
Nicholas Johnson <[email protected]>
PCI: Avoid double hpmemsize MMIO window assignment
Pan Bian <[email protected]>
RDMA/i40iw: Fix potential use after free
Pan Bian <[email protected]>
RDMA/qedr: Fix potential use after free
Lianbo Jiang <[email protected]>
x86/kdump: Always reserve the low 1M when the crashkernel option is specified
Satendra Singh Thakur <[email protected]>
dmaengine: mediatek: hsdma_probe: fixed a memory leak when devm_request_irq fails
Guoju Fang <[email protected]>
bcache: fix a lost wake-up problem caused by mca_cannibalize_lock
Divya Indi <[email protected]>
tracing: Adding NULL checks for trace_array descriptor pointer
Divya Indi <[email protected]>
tracing: Verify if trace array exists before destroying it.
Ivan Lazeev <[email protected]>
tpm_crb: fix fTPM on AMD Zen+ CPUs
Alex Deucher <[email protected]>
drm/amdgpu/powerplay/smu7: fix AVFS handling with custom powerplay table
Lee Jones <[email protected]>
mfd: mfd-core: Protect against NULL call-back function pointer
Hou Tao <[email protected]>
mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup()
Usha Ketineni <[email protected]>
ice: Fix to change Rx/Tx ring descriptor size via ethtool with DCBx
Alex Deucher <[email protected]>
drm/amdgpu/powerplay: fix AVFS handling with custom powerplay table
Stephen Kitt <[email protected]>
clk/ti/adpll: allocate room for terminating null
Jaegeuk Kim <[email protected]>
f2fs: avoid kernel panic on corruption test
Andreas Gruenbacher <[email protected]>
iomap: Fix overflow in iomap_page_mkwrite
Dan Williams <[email protected]>
dax: Fix alloc_dax_region() compile warning
Eric Dumazet <[email protected]>
net: silence data-races on sk_backlog.tail
Michael Ellerman <[email protected]>
powerpc/64s: Always disable branch profiling for prom_init.o
James Smart <[email protected]>
scsi: lpfc: Fix kernel crash at lpfc_nvme_info_show during remote port bounce
Pan Bian <[email protected]>
scsi: fnic: fix use after free
Dmitry Osipenko <[email protected]>
PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out
Mike Snitzer <[email protected]>
dm table: do not allow request-based DM to stack on partitions
Oleh Kravchenko <[email protected]>
leds: mlxreg: Fix possible buffer overflow
Dave Chinner <[email protected]>
xfs: properly serialise fallocate against AIO+DIO
Nicholas Kazlauskas <[email protected]>
drm/amd/display: Free gamma after calculating legacy transfer function
Sakari Ailus <[email protected]>
media: smiapp: Fix error handling at NVM reading
Pierre-Louis Bossart <[email protected]>
soundwire: intel/cadence: fix startup sequence
Russell King <[email protected]>
ASoC: kirkwood: fix IRQ error handling
Kangjie Lu <[email protected]>
gma/gma500: fix a memory disclosure bug due to uninitialized bytes
Dave Chinner <[email protected]>
xfs: fix inode fork extent count overflow
Fuqian Huang <[email protected]>
m68k: q40: Fix info-leak in rtc_ioctl
Balsundar P <[email protected]>
scsi: aacraid: fix illegal IO beyond last LBA
Jia He <[email protected]>
mm: fix double page fault on arm64 if PTE_AF is cleared
Pierre Crégut <[email protected]>
PCI/IOV: Serialize sysfs sriov_numvfs reads vs writes
Miaoqing Pan <[email protected]>
ath10k: fix memory leak for tpc_stats_final
Miaoqing Pan <[email protected]>
ath10k: fix array out-of-bounds access
Quinn Tran <[email protected]>
scsi: qla2xxx: Add error handling for PLOGI ELS passthrough
Chris Wilson <[email protected]>
dma-fence: Serialise signal enabling (dma_fence_enable_sw_signaling)
Jay Cornwall <[email protected]>
drm/amdkfd: Fix race in gfx10 context restore handler
Wesley Chalmers <[email protected]>
drm/amd/display: Do not double-buffer DTO adjustments
zhengbin <[email protected]>
media: mc-device.c: fix memleak in media_device_register_entity
Jonathan Lebon <[email protected]>
selinux: allow labeling before policy is loaded
Sreekanth Reddy <[email protected]>
scsi: mpt3sas: Free diag buffer without any status check
James Smart <[email protected]>
scsi: lpfc: Fix pt2pt discovery on SLI3 HBAs
Iurii Zaikin <[email protected]>
kernel/sysctl-test: Add null pointer test for sysctl.c:proc_dointvec()
-------------
Diffstat:
Documentation/devicetree/bindings/sound/wm8994.txt | 18 +-
Documentation/driver-api/libata.rst | 2 +-
Makefile | 4 +-
arch/arm/include/asm/kvm_emulate.h | 11 +-
arch/arm/kernel/stacktrace.c | 2 +
arch/arm/kernel/traps.c | 6 +-
arch/arm/mach-omap2/cpuidle34xx.c | 9 +-
arch/arm/mach-omap2/cpuidle44xx.c | 26 +-
arch/arm/mach-omap2/pm34xx.c | 8 +-
arch/arm64/include/asm/kvm_emulate.h | 12 +-
arch/arm64/include/asm/sections.h | 1 +
arch/arm64/kernel/acpi.c | 25 ++
arch/arm64/kernel/cpufeature.c | 12 +-
arch/arm64/kernel/insn.c | 22 +-
arch/arm64/kernel/vmlinux.lds.S | 3 +
arch/arm64/kvm/hyp/switch.c | 2 +-
arch/arm64/mm/fault.c | 12 +-
arch/m68k/q40/config.c | 1 +
arch/mips/include/asm/cpu-type.h | 1 +
arch/powerpc/include/asm/kvm_asm.h | 3 +
arch/powerpc/kernel/Makefile | 2 +-
arch/powerpc/kernel/eeh.c | 2 +-
arch/powerpc/kernel/traps.c | 6 +-
arch/powerpc/kvm/book3s_64_mmu_radix.c | 5 +
arch/powerpc/kvm/book3s_hv_tm.c | 28 +-
arch/powerpc/kvm/book3s_hv_tm_builtin.c | 16 +-
arch/powerpc/mm/book3s64/iommu_api.c | 39 +-
arch/powerpc/perf/imc-pmu.c | 173 +++++++--
arch/riscv/include/asm/ftrace.h | 7 +
arch/riscv/kernel/ftrace.c | 19 +
arch/s390/include/asm/pgtable.h | 44 ++-
arch/s390/include/asm/stacktrace.h | 11 +
arch/s390/kernel/irq.c | 8 +-
arch/s390/kernel/perf_cpum_sf.c | 9 +-
arch/s390/kernel/setup.c | 15 +-
arch/s390/kernel/smp.c | 2 +-
arch/x86/include/asm/crash.h | 6 +
arch/x86/include/asm/nospec-branch.h | 4 +-
arch/x86/include/asm/pkeys.h | 5 +
arch/x86/kernel/apic/io_apic.c | 1 +
arch/x86/kernel/crash.c | 15 +
arch/x86/kernel/fpu/xstate.c | 9 +-
arch/x86/kvm/emulate.c | 2 +
arch/x86/kvm/lapic.c | 2 +-
arch/x86/kvm/mmutrace.h | 2 +-
arch/x86/kvm/svm.c | 11 +-
arch/x86/kvm/vmx/vmx.c | 26 +-
arch/x86/kvm/x86.c | 13 +-
arch/x86/lib/usercopy_64.c | 2 +-
arch/x86/realmode/init.c | 2 +
arch/xtensa/kernel/entry.S | 4 +-
arch/xtensa/kernel/ptrace.c | 18 +-
drivers/acpi/ec.c | 16 +-
drivers/ata/acard-ahci.c | 6 +-
drivers/ata/libahci.c | 6 +-
drivers/ata/libata-core.c | 9 +-
drivers/ata/libata-sff.c | 12 +-
drivers/ata/pata_macio.c | 6 +-
drivers/ata/pata_pxa.c | 8 +-
drivers/ata/pdc_adma.c | 7 +-
drivers/ata/sata_fsl.c | 4 +-
drivers/ata/sata_inic162x.c | 4 +-
drivers/ata/sata_mv.c | 34 +-
drivers/ata/sata_nv.c | 18 +-
drivers/ata/sata_promise.c | 6 +-
drivers/ata/sata_qstor.c | 8 +-
drivers/ata/sata_rcar.c | 6 +-
drivers/ata/sata_sil.c | 8 +-
drivers/ata/sata_sil24.c | 6 +-
drivers/ata/sata_sx4.c | 6 +-
drivers/atm/eni.c | 2 +-
drivers/base/arch_topology.c | 4 +-
drivers/base/regmap/internal.h | 2 +-
drivers/base/regmap/regcache.c | 2 +-
drivers/base/regmap/regmap.c | 33 +-
drivers/bluetooth/btrtl.c | 20 +-
drivers/bus/hisi_lpc.c | 27 +-
drivers/char/ipmi/bt-bmc.c | 12 +-
drivers/char/random.c | 12 +-
drivers/char/tlclk.c | 17 +-
drivers/char/tpm/tpm_crb.c | 123 +++++--
drivers/char/tpm/tpm_ibmvtpm.c | 9 +
drivers/char/tpm/tpm_ibmvtpm.h | 1 +
drivers/clk/imx/clk-pfdv2.c | 6 +
drivers/clk/socfpga/clk-pll-s10.c | 4 +-
drivers/clk/ti/adpll.c | 11 +-
drivers/clocksource/h8300_timer8.c | 2 +-
drivers/cpufreq/powernv-cpufreq.c | 13 +-
drivers/crypto/chelsio/chcr_algo.c | 5 +-
drivers/crypto/chelsio/chtls/chtls_io.c | 10 +-
drivers/dax/bus.c | 2 +-
drivers/dax/bus.h | 2 +-
drivers/dax/dax-private.h | 2 +-
drivers/devfreq/tegra30-devfreq.c | 4 +-
drivers/dma-buf/dma-buf.c | 2 +
drivers/dma-buf/dma-fence.c | 78 ++--
drivers/dma/mediatek/mtk-hsdma.c | 4 +-
drivers/dma/stm32-dma.c | 9 +-
drivers/dma/stm32-mdma.c | 9 +-
drivers/dma/tegra20-apb-dma.c | 3 +-
drivers/dma/xilinx/zynqmp_dma.c | 24 +-
drivers/edac/ghes_edac.c | 4 +
drivers/firmware/arm_sdei.c | 26 +-
drivers/gpio/gpio-rcar.c | 4 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v10.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gfx_v9.c | 3 +
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd_gpuvm.c | 6 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 31 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +
drivers/gpu/drm/amd/amdgpu/amdgpu_rlc.c | 10 +-
drivers/gpu/drm/amd/amdgpu/atom.c | 4 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 58 +--
drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/gfx_v8_0.c | 40 +--
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 40 +--
drivers/gpu/drm/amd/amdgpu/vcn_v2_0.c | 16 +
drivers/gpu/drm/amd/amdkfd/cwsr_trap_handler.h | 139 ++++----
.../gpu/drm/amd/amdkfd/cwsr_trap_handler_gfx10.asm | 1 +
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 32 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 2 +
drivers/gpu/drm/amd/display/dc/core/dc_link.c | 67 ++--
drivers/gpu/drm/amd/display/dc/core/dc_link_ddc.c | 52 ++-
drivers/gpu/drm/amd/display/dc/core/dc_link_hwss.c | 5 +
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dccg.c | 26 --
drivers/gpu/drm/amd/display/dc/dcn20/dcn20_dsc.c | 5 +-
.../gpu/drm/amd/display/dc/dcn20/dcn20_resource.c | 5 +-
drivers/gpu/drm/amd/display/dc/dcn21/dcn21_hubp.c | 35 +-
drivers/gpu/drm/amd/display/dc/inc/hw/dsc.h | 1 +
drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 7 +
drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c | 7 +
drivers/gpu/drm/exynos/exynos_drm_dsi.c | 20 +-
drivers/gpu/drm/gma500/cdv_intel_display.c | 2 +
drivers/gpu/drm/mcde/mcde_display.c | 10 +
drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 27 +-
drivers/gpu/drm/msm/msm_drv.c | 6 +-
drivers/gpu/drm/nouveau/dispnv50/disp.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_debugfs.c | 5 +-
drivers/gpu/drm/nouveau/nouveau_gem.c | 4 +-
.../gpu/drm/nouveau/nvkm/subdev/bios/shadowpci.c | 17 +-
drivers/gpu/drm/omapdrm/dss/dss.c | 43 ++-
drivers/gpu/drm/omapdrm/dss/omapdss-boot-init.c | 4 +-
drivers/gpu/drm/radeon/radeon_bios.c | 30 +-
drivers/gpu/drm/scheduler/sched_main.c | 27 ++
drivers/gpu/drm/sun4i/sun8i_csc.h | 2 +-
drivers/gpu/drm/vc4/vc4_hdmi.c | 1 +
drivers/hwtracing/coresight/coresight-etm4x.c | 1 +
drivers/hwtracing/intel_th/intel_th.h | 2 +
drivers/hwtracing/intel_th/msu.c | 11 +-
drivers/hwtracing/intel_th/pci.c | 8 +-
drivers/i2c/busses/i2c-aspeed.c | 2 +
drivers/i2c/busses/i2c-tegra.c | 93 +++--
drivers/i2c/i2c-core-base.c | 2 +-
drivers/infiniband/core/cm.c | 25 +-
drivers/infiniband/hw/cxgb4/cm.c | 4 +-
drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +-
drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 +-
drivers/infiniband/sw/rxe/rxe.c | 2 +
drivers/infiniband/sw/rxe/rxe_qp.c | 7 +-
drivers/infiniband/ulp/iser/iser_memory.c | 21 +-
drivers/leds/leds-mlxreg.c | 4 +-
drivers/md/bcache/bcache.h | 1 +
drivers/md/bcache/btree.c | 12 +-
drivers/md/bcache/super.c | 1 +
drivers/md/dm-table.c | 27 +-
drivers/md/dm.c | 23 +-
drivers/media/dvb-frontends/tda10071.c | 9 +-
drivers/media/i2c/smiapp/smiapp-core.c | 3 +-
drivers/media/mc/mc-device.c | 65 ++--
drivers/media/platform/qcom/venus/vdec.c | 5 +-
drivers/media/platform/ti-vpe/cal.c | 6 +-
drivers/media/usb/go7007/go7007-usb.c | 4 +-
drivers/mfd/mfd-core.c | 10 +
drivers/mmc/core/mmc.c | 9 +-
drivers/mtd/chips/cfi_cmdset_0002.c | 1 -
drivers/mtd/nand/raw/gpmi-nand/gpmi-nand.c | 4 +-
drivers/mtd/nand/raw/omap_elm.c | 1 +
drivers/mtd/parsers/cmdlinepart.c | 23 +-
drivers/mtd/ubi/fastmap-wl.c | 46 ++-
drivers/mtd/ubi/fastmap.c | 14 +-
drivers/mtd/ubi/ubi.h | 6 +-
drivers/mtd/ubi/wl.c | 32 +-
drivers/mtd/ubi/wl.h | 1 -
drivers/net/ethernet/freescale/dpaa2/dpaa2-eth.c | 4 +-
drivers/net/ethernet/intel/e1000/e1000_main.c | 18 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 8 +-
drivers/net/ethernet/intel/ice/ice_ethtool.c | 14 +-
drivers/net/ethernet/qlogic/qed/qed_dev.c | 11 +-
drivers/net/ethernet/qlogic/qed/qed_l2.c | 3 +
drivers/net/ethernet/qlogic/qed/qed_main.c | 2 +
drivers/net/ethernet/qlogic/qed/qed_sriov.c | 1 +
drivers/net/ethernet/qlogic/qede/qede_filter.c | 3 +
drivers/net/ethernet/qlogic/qede/qede_main.c | 11 +-
drivers/net/ethernet/realtek/r8169_main.c | 3 +-
drivers/net/ethernet/xilinx/xilinx_axienet.h | 2 +-
drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 50 ++-
drivers/net/ieee802154/adf7242.c | 4 +-
drivers/net/ieee802154/ca8210.c | 1 +
drivers/net/wireless/ath/ar5523/ar5523.c | 2 +
drivers/net/wireless/ath/ath10k/debug.c | 3 +-
drivers/net/wireless/ath/ath10k/sdio.c | 18 +-
drivers/net/wireless/ath/ath10k/wmi.c | 49 ++-
.../broadcom/brcm80211/brcmfmac/fwsignal.c | 3 +-
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/sta_cmdresp.c | 4 +-
drivers/net/wireless/mediatek/mt76/agg-rx.c | 1 +
drivers/net/wireless/mediatek/mt76/dma.c | 9 +-
drivers/net/wireless/mediatek/mt76/mac80211.c | 12 +-
drivers/net/wireless/mediatek/mt76/mt7603/main.c | 2 +
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 2 +
drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 2 +
drivers/net/wireless/ti/wlcore/main.c | 4 +-
drivers/net/wireless/ti/wlcore/tx.c | 1 +
drivers/nvme/host/Kconfig | 1 +
drivers/nvme/host/core.c | 14 +-
drivers/nvme/host/fc.c | 4 +-
drivers/nvme/host/multipath.c | 21 +-
drivers/nvme/host/nvme.h | 19 +-
drivers/nvme/host/pci.c | 1 -
drivers/nvme/host/rdma.c | 3 +-
drivers/nvme/host/tcp.c | 3 +-
drivers/nvme/target/loop.c | 3 +-
drivers/nvme/target/rdma.c | 30 +-
drivers/opp/core.c | 48 +--
drivers/opp/of.c | 30 +-
drivers/opp/opp.h | 6 +-
drivers/pci/controller/dwc/pcie-tegra194.c | 5 +-
drivers/pci/controller/pci-tegra.c | 3 +-
drivers/pci/hotplug/pciehp_hpc.c | 26 +-
drivers/pci/iov.c | 8 +-
drivers/pci/rom.c | 17 -
drivers/pci/setup-bus.c | 38 +-
drivers/phy/samsung/phy-s5pv210-usb2.c | 4 +
drivers/power/supply/max17040_battery.c | 2 +-
drivers/rapidio/devices/rio_mport_cdev.c | 14 +-
drivers/regulator/axp20x-regulator.c | 7 +-
drivers/rtc/rtc-ds1374.c | 15 +-
drivers/rtc/rtc-sa1100.c | 18 +-
drivers/s390/block/dasd_fba.c | 9 +-
drivers/s390/cio/airq.c | 8 +-
drivers/s390/cio/cio.c | 8 +-
drivers/s390/crypto/zcrypt_api.c | 3 +-
drivers/scsi/aacraid/aachba.c | 8 +-
drivers/scsi/aacraid/commsup.c | 2 +-
drivers/scsi/aacraid/linit.c | 46 ++-
drivers/scsi/cxlflash/main.c | 1 +
drivers/scsi/fnic/fnic_scsi.c | 3 +-
drivers/scsi/hpsa.c | 80 +++--
drivers/scsi/libfc/fc_rport.c | 13 +-
drivers/scsi/lpfc/lpfc_attr.c | 40 +--
drivers/scsi/lpfc/lpfc_ct.c | 137 +++----
drivers/scsi/lpfc/lpfc_hbadisc.c | 76 ++--
drivers/scsi/lpfc/lpfc_hw.h | 36 +-
drivers/scsi/lpfc/lpfc_init.c | 1 +
drivers/scsi/lpfc/lpfc_nportdisc.c | 233 ++++++++++--
drivers/scsi/lpfc/lpfc_sli.c | 4 +
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 6 -
drivers/scsi/pm8001/pm8001_sas.c | 50 ++-
drivers/scsi/qedi/qedi_iscsi.c | 3 +
drivers/scsi/qla2xxx/qla_init.c | 43 +--
drivers/scsi/qla2xxx/qla_iocb.c | 101 +++++-
drivers/scsi/qla2xxx/qla_target.c | 21 +-
drivers/scsi/ufs/ufshcd.c | 14 +-
drivers/soundwire/bus.c | 2 +
drivers/soundwire/cadence_master.c | 80 +++--
drivers/soundwire/cadence_master.h | 1 +
drivers/soundwire/intel.c | 14 +-
drivers/staging/media/imx/imx-media-capture.c | 2 +-
drivers/staging/rtl8188eu/core/rtw_recv.c | 19 +-
drivers/thermal/rcar_thermal.c | 6 +-
drivers/tty/serial/8250/8250_omap.c | 8 +-
drivers/tty/serial/8250/8250_port.c | 16 +-
drivers/tty/serial/samsung.c | 8 +-
drivers/tty/serial/sifive.c | 28 +-
drivers/tty/serial/xilinx_uartps.c | 8 +
drivers/tty/vcc.c | 1 +
drivers/usb/dwc3/gadget.c | 2 +-
drivers/usb/host/ehci-mv.c | 8 +-
drivers/vfio/pci/vfio_pci.c | 13 +
fs/block_dev.c | 10 +
fs/btrfs/disk-io.c | 11 +-
fs/btrfs/extent-tree.c | 2 -
fs/btrfs/inode.c | 201 +++++------
fs/btrfs/relocation.c | 45 ++-
fs/btrfs/tree-checker.c | 40 ++-
fs/ceph/caps.c | 14 +-
fs/ceph/inode.c | 5 +-
fs/cifs/cifsglob.h | 9 +-
fs/cifs/file.c | 21 +-
fs/cifs/misc.c | 17 +-
fs/cifs/smb1ops.c | 8 +-
fs/cifs/smb2misc.c | 32 +-
fs/cifs/smb2ops.c | 89 +++--
fs/cifs/smb2pdu.h | 2 +-
fs/dcache.c | 4 +-
fs/exec.c | 22 +-
fs/ext4/inode.c | 2 +-
fs/ext4/mballoc.c | 11 +-
fs/f2fs/gc.c | 10 +-
fs/f2fs/node.c | 1 -
fs/fuse/dev.c | 1 -
fs/fuse/inode.c | 7 +
fs/gfs2/inode.c | 13 +-
fs/iomap/buffered-io.c | 7 +-
fs/nfs/nfstrace.h | 15 +-
fs/nfs/pagelist.c | 67 ++--
fs/nfs/write.c | 10 +-
fs/nfsd/filecache.c | 8 +-
fs/nfsd/nfs4state.c | 73 ++--
fs/nfsd/trace.h | 12 +-
fs/proc/base.c | 10 +-
fs/ubifs/io.c | 16 +-
fs/ubifs/journal.c | 1 +
fs/ubifs/orphan.c | 9 +-
fs/xfs/libxfs/xfs_attr_leaf.c | 22 +-
fs/xfs/libxfs/xfs_bmap.c | 25 +-
fs/xfs/libxfs/xfs_dir2_node.c | 1 +
fs/xfs/libxfs/xfs_dir2_sf.c | 2 +-
fs/xfs/libxfs/xfs_iext_tree.c | 2 +-
fs/xfs/libxfs/xfs_inode_fork.c | 8 +-
fs/xfs/libxfs/xfs_inode_fork.h | 14 +-
fs/xfs/libxfs/xfs_trans_resv.c | 96 ++++-
fs/xfs/scrub/dir.c | 3 +
fs/xfs/scrub/scrub.c | 9 +
fs/xfs/xfs_bmap_util.c | 8 +-
fs/xfs/xfs_file.c | 30 ++
fs/xfs/xfs_fsmap.c | 9 +
fs/xfs/xfs_ioctl.c | 1 +
fs/xfs/xfs_trans.c | 5 +
include/asm-generic/pgtable.h | 10 +
include/linux/binfmts.h | 8 +-
include/linux/debugfs.h | 5 +-
include/linux/kprobes.h | 5 +
include/linux/libata.h | 13 +-
include/linux/mmc/card.h | 2 +-
include/linux/nfs_page.h | 2 +
include/linux/pci.h | 1 -
include/linux/qed/qed_if.h | 1 +
include/linux/sched/signal.h | 9 +-
include/linux/seqlock.h | 11 +-
include/linux/skbuff.h | 14 +-
include/linux/sunrpc/svc_rdma.h | 5 +-
include/net/sock.h | 4 +-
include/sound/hda_codec.h | 5 +
include/trace/events/sctp.h | 9 -
include/trace/events/sunrpc.h | 1 +
init/init_task.c | 1 +
init/main.c | 2 +
kernel/Makefile | 2 +
kernel/audit_watch.c | 2 -
kernel/bpf/hashtab.c | 8 -
kernel/bpf/inode.c | 4 +-
kernel/events/core.c | 12 +-
kernel/fork.c | 5 +-
kernel/kcmp.c | 8 +-
kernel/kprobes.c | 44 ++-
kernel/locking/lockdep.c | 40 ++-
kernel/locking/lockdep_internals.h | 6 +
kernel/notifier.c | 5 +-
kernel/printk/printk.c | 3 +
kernel/sched/core.c | 3 +-
kernel/sched/fair.c | 79 +++--
kernel/sys.c | 4 +-
kernel/sysctl-test.c | 392 +++++++++++++++++++++
kernel/time/timekeeping.c | 3 +-
kernel/trace/trace.c | 20 +-
kernel/trace/trace_entries.h | 2 +-
kernel/trace/trace_events.c | 2 +
kernel/trace/trace_events_hist.c | 1 -
kernel/trace/trace_preemptirq.c | 4 +-
kernel/workqueue.c | 6 +-
lib/Kconfig.debug | 11 +
lib/string.c | 24 ++
mm/filemap.c | 8 +
mm/gup.c | 18 +-
mm/kmemleak.c | 2 +-
mm/madvise.c | 2 +-
mm/memcontrol.c | 26 +-
mm/memory.c | 121 ++++++-
mm/mmap.c | 2 +
mm/pagewalk.c | 4 +-
mm/slub.c | 45 ++-
mm/swap_state.c | 5 +-
mm/swapfile.c | 12 +-
mm/vmscan.c | 45 ++-
net/atm/lec.c | 6 +
net/atm/proc.c | 3 +-
net/batman-adv/bridge_loop_avoidance.c | 145 ++++++--
net/batman-adv/bridge_loop_avoidance.h | 4 +-
net/batman-adv/multicast.c | 46 ++-
net/batman-adv/multicast.h | 15 +
net/batman-adv/routing.c | 4 +
net/batman-adv/soft-interface.c | 11 +-
net/bluetooth/hci_event.c | 25 +-
net/bluetooth/l2cap_core.c | 29 +-
net/bluetooth/l2cap_sock.c | 18 +-
net/core/devlink.c | 7 +-
net/core/filter.c | 4 +-
net/core/neighbour.c | 1 +
net/ipv4/route.c | 1 +
net/ipv4/tcp.c | 2 +-
net/ipv6/ip6_fib.c | 7 +-
net/llc/af_llc.c | 2 +-
net/mac80211/tx.c | 6 +-
net/mac802154/tx.c | 8 +-
net/netfilter/nf_conntrack_proto.c | 2 +
net/netfilter/nf_tables_api.c | 3 +-
net/openvswitch/meter.c | 4 +-
net/openvswitch/meter.h | 2 +-
net/sctp/outqueue.c | 6 +
net/sunrpc/sched.c | 20 +-
net/sunrpc/svc_xprt.c | 19 +-
net/sunrpc/xprtrdma/svc_rdma_backchannel.c | 39 +-
net/sunrpc/xprtrdma/svc_rdma_recvfrom.c | 11 +-
net/tipc/socket.c | 53 +--
net/tipc/topsrv.c | 4 +-
net/unix/af_unix.c | 11 +-
net/wireless/Kconfig | 1 +
security/device_cgroup.c | 3 +-
security/selinux/hooks.c | 12 +
security/selinux/selinuxfs.c | 1 +
sound/hda/hdac_bus.c | 4 +
sound/hda/hdac_regmap.c | 1 -
sound/pci/asihpi/hpioctl.c | 4 +-
sound/pci/hda/hda_codec.c | 28 +-
sound/pci/hda/hda_controller.c | 11 +-
sound/pci/hda/hda_controller.h | 2 +-
sound/pci/hda/hda_intel.c | 40 ++-
sound/pci/hda/patch_realtek.c | 13 +-
sound/soc/codecs/max98090.c | 8 +-
sound/soc/codecs/pcm3168a.c | 7 +
sound/soc/codecs/wm8994.c | 10 +
sound/soc/codecs/wm_hubs.c | 3 +
sound/soc/codecs/wm_hubs.h | 1 +
sound/soc/img/img-i2s-out.c | 8 +-
sound/soc/intel/boards/bytcr_rt5640.c | 10 +
sound/soc/kirkwood/kirkwood-dma.c | 2 +-
sound/soc/sof/ipc.c | 12 +-
sound/usb/midi.c | 29 +-
sound/usb/mixer.c | 10 +
sound/usb/quirks.c | 7 +-
tools/gpio/gpio-hammer.c | 17 +-
tools/objtool/check.c | 2 +-
tools/perf/builtin-stat.c | 2 +-
tools/perf/pmu-events/jevents.c | 15 +-
tools/perf/tests/shell/lib/probe_vfs_getname.sh | 2 +-
tools/perf/tests/shell/record+zstd_comp_decomp.sh | 3 +-
tools/perf/trace/beauty/arch_errno_names.sh | 2 +-
tools/perf/util/cpumap.c | 10 +-
tools/perf/util/cs-etm.c | 126 +++++--
tools/perf/util/evsel.c | 7 +
tools/perf/util/mem2node.c | 3 +-
tools/perf/util/metricgroup.c | 3 +
tools/perf/util/parse-events.c | 9 +-
tools/perf/util/sort.c | 2 +-
tools/perf/util/symbol-elf.c | 7 +
.../x86/intel_pstate_tracer/intel_pstate_tracer.py | 22 +-
.../testing/selftests/bpf/progs/test_tcpbpf_kern.c | 1 +
tools/testing/selftests/bpf/test_tcpbpf.h | 1 +
tools/testing/selftests/bpf/test_tcpbpf_user.c | 25 +-
.../ftrace/test.d/ftrace/func-filter-glob.tc | 2 +-
tools/testing/selftests/ptrace/Makefile | 4 +-
tools/testing/selftests/ptrace/vmaccess.c | 86 +++++
tools/testing/selftests/x86/syscall_nt.c | 1 +
virt/kvm/arm/mmio.c | 2 +-
virt/kvm/arm/mmu.c | 2 +-
virt/kvm/arm/vgic/vgic-init.c | 11 +-
virt/kvm/arm/vgic/vgic-its.c | 11 +-
virt/kvm/kvm_main.c | 1 +
469 files changed, 5174 insertions(+), 2467 deletions(-)
From: Hou Tao <[email protected]>
[ Upstream commit 03976af89e3bd9489d542582a325892e6a8cacc0 ]
Else there may be a double-free problem, because cfi->cfiq will
be freed by mtd_do_chip_probe() if both the two invocations of
check_cmd_set() return failure.
Signed-off-by: Hou Tao <[email protected]>
Reviewed-by: Richard Weinberger <[email protected]>
Signed-off-by: Vignesh Raghavendra <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/mtd/chips/cfi_cmdset_0002.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/mtd/chips/cfi_cmdset_0002.c b/drivers/mtd/chips/cfi_cmdset_0002.c
index a4f2d8cdca120..c8b9ab40a1027 100644
--- a/drivers/mtd/chips/cfi_cmdset_0002.c
+++ b/drivers/mtd/chips/cfi_cmdset_0002.c
@@ -794,7 +794,6 @@ static struct mtd_info *cfi_amdstd_setup(struct mtd_info *mtd)
kfree(mtd->eraseregions);
kfree(mtd);
kfree(cfi->cmdset_priv);
- kfree(cfi->cfiq);
return NULL;
}
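Review bot: With kfree(cfi->cfiq) removed from this error path in cfi_amdstd_setup(), nothing in the function says who owns cfi->cfiq. A one-line comment above the remaining kfree() calls, stating that the caller (mtd_do_chip_probe(), per the commit message) frees it, would keep the line from being re-added later as an apparent leak fix. It is also worth confirming that the kfree(cfi->cmdset_priv) left just above does not have the same double-free exposure in the caller.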
--
2.25.1
From: Bob Peterson <[email protected]>
[ Upstream commit 2c47c1be51fbded1f7baa2ceaed90f97932f79be ]
Before this patch, gfs2_create_inode had a use-after-free for the
iopen glock in some error paths because it did this:
    gfs2_glock_put(io_gl);
fail_gunlock2:
    if (io_gl)
        clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
In some cases, the io_gl was used for create and only had one
reference, so the glock might be freed before the clear_bit().
This patch tries to straighten it out by only jumping to the
error paths where iopen is properly set, and moving the
gfs2_glock_put after the clear_bit.
Signed-off-by: Bob Peterson <[email protected]>
Signed-off-by: Andreas Gruenbacher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/gfs2/inode.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 8466166f22e3d..988bb7b17ed8f 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -712,7 +712,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = gfs2_trans_begin(sdp, blocks, 0);
if (error)
- goto fail_gunlock2;
+ goto fail_free_inode;
if (blocks > 1) {
ip->i_eattr = ip->i_no_addr + 1;
@@ -723,7 +723,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
if (error)
- goto fail_gunlock2;
+ goto fail_free_inode;
BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags));
@@ -732,7 +732,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
goto fail_gunlock2;
glock_set_object(ip->i_iopen_gh.gh_gl, ip);
- gfs2_glock_put(io_gl);
gfs2_set_iop(inode);
insert_inode_hash(inode);
@@ -765,6 +764,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
mark_inode_dirty(inode);
d_instantiate(dentry, inode);
+ /* After instantiate, errors should result in evict which will destroy
+ * both inode and iopen glocks properly. */
if (file) {
file->f_mode |= FMODE_CREATED;
error = finish_open(file, dentry, gfs2_open_common);
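Review bot: The comment added before `if (file)` closes with `*/` on the same line as its text, while kernel multi-line comment style puts the opening `/*` and the closing `*/` on lines of their own. The comment would also be more useful if it stated the rule it implies for this function, namely that no failure after d_instantiate() may jump to the fail_* labels.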
@@ -772,15 +773,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
gfs2_glock_dq_uninit(ghs);
gfs2_glock_dq_uninit(ghs + 1);
clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ gfs2_glock_put(io_gl);
return error;
fail_gunlock3:
glock_clear_object(io_gl, ip);
gfs2_glock_dq_uninit(&ip->i_iopen_gh);
- gfs2_glock_put(io_gl);
fail_gunlock2:
- if (io_gl)
- clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+ gfs2_glock_put(io_gl);
fail_free_inode:
if (ip->i_gl) {
glock_clear_object(ip->i_gl, ip);
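Review bot: At fail_gunlock2 the `if (io_gl)` guard is dropped, so the label now dereferences io_gl unconditionally in clear_bit() and gfs2_glock_put(). That is safe only while every `goto fail_gunlock2` sits after a successful gfs2_glock_get(). This patch re-points the two earlier jumps to fail_free_inode, but the invariant stays implicit. A short comment at the label, or keeping the NULL check, would stop a later error path added before gfs2_glock_get() from turning into a NULL dereference.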
--
2.25.1
From: Pan Bian <[email protected]>
[ Upstream commit da046d5f895fca18d63b15ac8faebd5bf784e23a ]
Release variable dst after logging dst->error to avoid possible use after
free.
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Pan Bian <[email protected]>
Reviewed-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/infiniband/hw/i40iw/i40iw_cm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/i40iw/i40iw_cm.c b/drivers/infiniband/hw/i40iw/i40iw_cm.c
index b1df93b69df44..fa7a5ff498c73 100644
--- a/drivers/infiniband/hw/i40iw/i40iw_cm.c
+++ b/drivers/infiniband/hw/i40iw/i40iw_cm.c
@@ -2074,9 +2074,9 @@ static int i40iw_addr_resolve_neigh_ipv6(struct i40iw_device *iwdev,
dst = i40iw_get_dst_ipv6(&src_addr, &dst_addr);
if (!dst || dst->error) {
if (dst) {
- dst_release(dst);
i40iw_pr_err("ip6_route_output returned dst->error = %d\n",
dst->error);
+ dst_release(dst);
}
return rc;
}
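Review bot: In the `if (dst)` branch the log call still reads dst->error through the pointer, so correctness rests on statement order alone. Copying dst->error into a local before dst_release(dst) would make the path robust against later reordering. Separately, this path logs dst->error but returns rc, so the caller never sees the route lookup's error code; if that is intentional, a comment would help.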
--
2.25.1
From: Chris Wilson <[email protected]>
[ Upstream commit 9c98f021e4e717ffd9948fa65340ea3ef12b7935 ]
Make dma_fence_enable_sw_signaling() behave like its
dma_fence_add_callback() and dma_fence_default_wait() counterparts and
perform the test to enable signaling under the fence->lock, along with
the action to do so. This ensures that should an implementation be trying
to flush the cb_list (by signaling) on retirement before freeing the
fence, it can do so in a race-free manner.
See also 0fc89b6802ba ("dma-fence: Simply wrap dma_fence_signal_locked
with dma_fence_signal").
v2: Refactor all 3 enable_signaling paths to use a common function.
v3: Don't argue, just keep the tracepoint in the existing spot.
Signed-off-by: Chris Wilson <[email protected]>
Cc: Tvrtko Ursulin <[email protected]>
Reviewed-by: Tvrtko Ursulin <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/dma-buf/dma-fence.c | 78 +++++++++++++++++--------------------
1 file changed, 35 insertions(+), 43 deletions(-)
diff --git a/drivers/dma-buf/dma-fence.c b/drivers/dma-buf/dma-fence.c
index 2c136aee3e794..052a41e2451c1 100644
--- a/drivers/dma-buf/dma-fence.c
+++ b/drivers/dma-buf/dma-fence.c
@@ -273,6 +273,30 @@ void dma_fence_free(struct dma_fence *fence)
}
EXPORT_SYMBOL(dma_fence_free);
+static bool __dma_fence_enable_signaling(struct dma_fence *fence)
+{
+ bool was_set;
+
+ lockdep_assert_held(fence->lock);
+
+ was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
+ &fence->flags);
+
+ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ return false;
+
+ if (!was_set && fence->ops->enable_signaling) {
+ trace_dma_fence_enable_signal(fence);
+
+ if (!fence->ops->enable_signaling(fence)) {
+ dma_fence_signal_locked(fence);
+ return false;
+ }
+ }
+
+ return true;
+}
+
/**
* dma_fence_enable_sw_signaling - enable signaling on fence
* @fence: the fence to enable
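Review bot: __dma_fence_enable_signaling() has no comment describing its contract. It must be called with fence->lock held (only the lockdep_assert_held() says so), and it returns false both when the fence is already signaled and when ops->enable_signaling() fails and the fence is signaled on the spot. A short comment stating that, and that DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT is set even when the fence turns out to be signaled already, would save callers from reading the body.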
@@ -285,19 +309,12 @@ void dma_fence_enable_sw_signaling(struct dma_fence *fence)
{
unsigned long flags;
- if (!test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags) &&
- !test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags) &&
- fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- spin_lock_irqsave(fence->lock, flags);
-
- if (!fence->ops->enable_signaling(fence))
- dma_fence_signal_locked(fence);
+ if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ return;
- spin_unlock_irqrestore(fence->lock, flags);
- }
+ spin_lock_irqsave(fence->lock, flags);
+ __dma_fence_enable_signaling(fence);
+ spin_unlock_irqrestore(fence->lock, flags);
}
EXPORT_SYMBOL(dma_fence_enable_sw_signaling);
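Review bot: dma_fence_enable_sw_signaling() now takes fence->lock on every call for an unsignaled fence, whereas the removed code skipped the lock once DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT was already set. Repeated calls on the same fence therefore become lock acquisitions with interrupts disabled. If that cost is accepted for the race-free behaviour the commit message describes, the kernel-doc should say so. It should also note that the test_bit() before the lock is only a fast path and that the helper re-checks the signaled bit under the lock.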
@@ -331,7 +348,6 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb,
{
unsigned long flags;
int ret = 0;
- bool was_set;
if (WARN_ON(!fence || !func))
return -EINVAL;
@@ -343,25 +359,14 @@ int dma_fence_add_callback(struct dma_fence *fence, struct dma_fence_cb *cb,
spin_lock_irqsave(fence->lock, flags);
- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags);
-
- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
- ret = -ENOENT;
- else if (!was_set && fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- if (!fence->ops->enable_signaling(fence)) {
- dma_fence_signal_locked(fence);
- ret = -ENOENT;
- }
- }
-
- if (!ret) {
+ if (__dma_fence_enable_signaling(fence)) {
cb->func = func;
list_add_tail(&cb->node, &fence->cb_list);
- } else
+ } else {
INIT_LIST_HEAD(&cb->node);
+ ret = -ENOENT;
+ }
+
spin_unlock_irqrestore(fence->lock, flags);
return ret;
@@ -461,7 +466,6 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout)
struct default_wait_cb cb;
unsigned long flags;
signed long ret = timeout ? timeout : 1;
- bool was_set;
if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
return ret;
@@ -473,21 +477,9 @@ dma_fence_default_wait(struct dma_fence *fence, bool intr, signed long timeout)
goto out;
}
- was_set = test_and_set_bit(DMA_FENCE_FLAG_ENABLE_SIGNAL_BIT,
- &fence->flags);
-
- if (test_bit(DMA_FENCE_FLAG_SIGNALED_BIT, &fence->flags))
+ if (!__dma_fence_enable_signaling(fence))
goto out;
- if (!was_set && fence->ops->enable_signaling) {
- trace_dma_fence_enable_signal(fence);
-
- if (!fence->ops->enable_signaling(fence)) {
- dma_fence_signal_locked(fence);
- goto out;
- }
- }
-
if (!timeout) {
ret = 0;
goto out;
--
2.25.1
From: Brian Foster <[email protected]>
[ Upstream commit 2a2b5932db67586bacc560cc065d62faece5b996 ]
The leaf format xattr addition helper xfs_attr3_leaf_add_work()
adjusts the block freemap in a couple places. The first update drops
the size of the freemap that the caller had already selected to
place the xattr name/value data. Before the function returns, it
also checks whether the entries array has encroached on a freemap
range by virtue of the new entry addition. This is necessary because
the entries array grows from the start of the block (but end of the
block header) towards the end of the block while the name/value data
grows from the end of the block in the opposite direction. If the
associated freemap is already empty, however, size is zero and the
subtraction underflows the field and causes corruption.
This is reproduced rarely by generic/070. The observed behavior is
that a smaller sized freemap is aligned to the end of the entries
list, several subsequent xattr additions land in larger freemaps and
the entries list expands into the smaller freemap until it is fully
consumed and then underflows. Note that it is not otherwise a
corruption for the entries array to consume an empty freemap because
the nameval list (i.e. the firstused pointer in the xattr header)
starts beyond the end of the corrupted freemap.
Update the freemap size modification to account for the fact that
the freemap entry can be empty and thus stale.
Signed-off-by: Brian Foster <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/libxfs/xfs_attr_leaf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index f943c77133dcd..de33efc9b4f94 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -1451,7 +1451,9 @@ xfs_attr3_leaf_add_work(
for (i = 0; i < XFS_ATTR_LEAF_MAPSIZE; i++) {
if (ichdr->freemap[i].base == tmp) {
ichdr->freemap[i].base += sizeof(xfs_attr_leaf_entry_t);
- ichdr->freemap[i].size -= sizeof(xfs_attr_leaf_entry_t);
+ ichdr->freemap[i].size -=
+ min_t(uint16_t, ichdr->freemap[i].size,
+ sizeof(xfs_attr_leaf_entry_t));
}
}
ichdr->usedbytes += xfs_attr_leaf_entsize(leaf, args->index);
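Review bot: The min_t() clamp on freemap[i].size carries no comment, and without the commit message it reads as a defensive no-op that someone may later simplify back to a plain subtraction. A line above it, saying that a freemap entry can be empty (size 0) and stale when the entries array reaches it, would preserve the reasoning. Note also that freemap[i].base is still advanced by sizeof(xfs_attr_leaf_entry_t) for such an empty entry, so its base keeps moving with the entries array; if that is intended, the same comment should mention it.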
--
2.25.1
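The underflow that the xfs commit message above describes, as an added stand-alone C model (not code from the patch or from XFS). The constants, struct layout and function names are assumptions chosen for illustration. It contrasts the plain subtraction with the clamped one and adds a simple range check that flags the corrupted freemap.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model values: assumptions for illustration, not from the patch. */
#define MAPSIZE     3      /* freemap slots per leaf block */
#define ENTRY_SIZE  8      /* bytes one entries-array slot occupies */
#define HDR_SIZE    32     /* bytes of block header before the entries array */
#define BLOCK_SIZE  4096   /* leaf block size */

struct freemap { uint16_t base; uint16_t size; };

struct leaf_hdr {
    uint16_t count;                     /* entries currently in the array */
    struct freemap freemap[MAPSIZE];
};

/*
 * Model of the second freemap update from the commit message: one entry is
 * appended, and any freemap that started where the entries array used to end
 * gives up the bytes the new entry now covers.
 * clamp == 0: plain subtraction (the pre-patch arithmetic).
 * clamp != 0: subtract at most what the freemap still holds (the patched form).
 */
static void append_entry(struct leaf_hdr *h, int clamp)
{
    uint16_t old_end = (uint16_t)(HDR_SIZE + h->count * ENTRY_SIZE);
    int i;

    h->count++;
    for (i = 0; i < MAPSIZE; i++) {
        struct freemap *fm = &h->freemap[i];
        uint16_t take = ENTRY_SIZE;

        if (fm->base != old_end)
            continue;
        if (clamp && fm->size < take)
            take = fm->size;
        fm->base = (uint16_t)(fm->base + ENTRY_SIZE);
        fm->size = (uint16_t)(fm->size - take);  /* wraps when size < take */
    }
}

/* Range check: count freemaps that claim bytes past the end of the block. */
static int bad_freemaps(const struct leaf_hdr *h)
{
    int i, bad = 0;

    for (i = 0; i < MAPSIZE; i++)
        if ((uint32_t)h->freemap[i].base + h->freemap[i].size > BLOCK_SIZE)
            bad++;
    return bad;
}

/*
 * Scenario from the commit message: a small freemap sits right after the
 * entries array while name/value data lands in a larger freemap elsewhere,
 * so only the growing entries array eats into the small one.
 */
static struct leaf_hdr run_scenario(int clamp, int additions)
{
    struct leaf_hdr h = {
        .count = 4,
        .freemap = {
            { HDR_SIZE + 4 * ENTRY_SIZE, 16 },  /* small map, two slots wide */
            { 1024, 2048 },                     /* large map used for data */
            { 0, 0 },
        },
    };
    int n;

    for (n = 0; n < additions; n++)
        append_entry(&h, clamp);
    return h;
}

/* Final size of the small freemap after the given number of additions. */
static uint16_t small_map_size(int clamp, int additions)
{
    struct leaf_hdr h = run_scenario(clamp, additions);
    return h.freemap[0].size;
}

/* Number of out-of-range freemaps after the given number of additions. */
static int scenario_bad(int clamp, int additions)
{
    struct leaf_hdr h = run_scenario(clamp, additions);
    return bad_freemaps(&h);
}

int main(void)
{
    printf("unclamped: size=%u bad=%d\n",
           (unsigned)small_map_size(0, 3), scenario_bad(0, 3));
    printf("clamped:   size=%u bad=%d\n",
           (unsigned)small_map_size(1, 3), scenario_bad(1, 3));
    return 0;
}
```

Two additions consume the 16-byte freemap exactly; the third is the one that wraps the 16-bit size in the unclamped variant.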
From: Satendra Singh Thakur <[email protected]>
[ Upstream commit 1ff95243257fad07290dcbc5f7a6ad79d6e703e2 ]
When devm_request_irq fails, currently, the function
dma_async_device_unregister gets called. This doesn't free
the resources allocated by of_dma_controller_register.
Therefore, we have called of_dma_controller_free for this purpose.
Signed-off-by: Satendra Singh Thakur <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/dma/mediatek/mtk-hsdma.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/dma/mediatek/mtk-hsdma.c b/drivers/dma/mediatek/mtk-hsdma.c
index 1a2028e1c29e9..4c58da7421432 100644
--- a/drivers/dma/mediatek/mtk-hsdma.c
+++ b/drivers/dma/mediatek/mtk-hsdma.c
@@ -997,7 +997,7 @@ static int mtk_hsdma_probe(struct platform_device *pdev)
if (err) {
dev_err(&pdev->dev,
"request_irq failed with err %d\n", err);
- goto err_unregister;
+ goto err_free;
}
platform_set_drvdata(pdev, hsdma);
@@ -1006,6 +1006,8 @@ static int mtk_hsdma_probe(struct platform_device *pdev)
return 0;
+err_free:
+ of_dma_controller_free(pdev->dev.of_node);
err_unregister:
dma_async_device_unregister(dd);
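Review bot: err_free is a vague name for a label whose block only calls of_dma_controller_free(); something like err_free_of_dma would make the unwind readable at the goto site. The fix relies on err_free falling through into err_unregister, so keep the labels in this order (OF controller freed first, then dma_async_device_unregister(dd)) if more unwind steps are added later.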
--
2.25.1
From: Xiaoming Ni <[email protected]>
[ Upstream commit 1a50cb80f219c44adb6265f5071b81fc3c1deced ]
Registering the same notifier to a hook repeatedly can cause the hook
list to form a ring or lose other members of the list.
case1: An infinite loop in notifier_chain_register() can cause soft lockup
atomic_notifier_chain_register(&test_notifier_list, &test1);
atomic_notifier_chain_register(&test_notifier_list, &test1);
atomic_notifier_chain_register(&test_notifier_list, &test2);
case2: An infinite loop in notifier_chain_register() can cause soft lockup
atomic_notifier_chain_register(&test_notifier_list, &test1);
atomic_notifier_chain_register(&test_notifier_list, &test1);
atomic_notifier_call_chain(&test_notifier_list, 0, NULL);
case3: lose other hook test2
atomic_notifier_chain_register(&test_notifier_list, &test1);
atomic_notifier_chain_register(&test_notifier_list, &test2);
atomic_notifier_chain_register(&test_notifier_list, &test1);
case4: Unregister returns 0, but the hook is still in the linked list,
and it is not really registered. If you call
notifier_call_chain after ko is unloaded, it will trigger oops.
If the system is configured with softlockup_panic and the same hook is
repeatedly registered on the panic_notifier_list, it will cause a loop
panic.
Add a check in notifier_chain_register(), intercepting duplicate
registrations to avoid infinite loops.
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Xiaoming Ni <[email protected]>
Reviewed-by: Vasily Averin <[email protected]>
Reviewed-by: Andrew Morton <[email protected]>
Cc: Alexey Dobriyan <[email protected]>
Cc: Anna Schumaker <[email protected]>
Cc: Arjan van de Ven <[email protected]>
Cc: J. Bruce Fields <[email protected]>
Cc: Chuck Lever <[email protected]>
Cc: David S. Miller <[email protected]>
Cc: Jeff Layton <[email protected]>
Cc: Andy Lutomirski <[email protected]>
Cc: Ingo Molnar <[email protected]>
Cc: Nadia Derbey <[email protected]>
Cc: "Paul E. McKenney" <[email protected]>
Cc: Sam Protsenko <[email protected]>
Cc: Alan Stern <[email protected]>
Cc: Thomas Gleixner <[email protected]>
Cc: Trond Myklebust <[email protected]>
Cc: Viresh Kumar <[email protected]>
Cc: Xiaoming Ni <[email protected]>
Cc: YueHaibing <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/notifier.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/notifier.c b/kernel/notifier.c
index 157d7c29f7207..f6d5ffe4e72ec 100644
--- a/kernel/notifier.c
+++ b/kernel/notifier.c
@@ -23,7 +23,10 @@ static int notifier_chain_register(struct notifier_block **nl,
struct notifier_block *n)
{
while ((*nl) != NULL) {
- WARN_ONCE(((*nl) == n), "double register detected");
+ if (unlikely((*nl) == n)) {
+ WARN(1, "double register detected");
+ return 0;
+ }
if (n->priority > (*nl)->priority)
break;
nl = &((*nl)->next);
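Review bot: returning 0 from the duplicate branch reports success, so a caller that registers the same block twice cannot tell that the second call did nothing; consider an error such as -EEXIST, or state in the function comment that duplicates are ignored. Replacing WARN_ONCE() with WARN(1, ...) also means every repeated call logs a full backtrace, and the message string has no trailing newline.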
--
2.25.1
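The list corruption described in case2 and case3 of the commit message above, as an added userspace model (not code from the patch or from kernel/notifier.c). struct nb, register_unchecked(), register_checked() and chain_len() are names assumed for this sketch; locking, RCU and the WARN are left out.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal stand-in for struct notifier_block (model only). */
struct nb {
	int priority;
	struct nb *next;
};

typedef int (*reg_fn)(struct nb **, struct nb *);

/* Pre-patch insertion logic: a duplicate is never rejected. */
static int register_unchecked(struct nb **nl, struct nb *n)
{
	while (*nl != NULL) {
		if (n->priority > (*nl)->priority)
			break;
		nl = &(*nl)->next;
	}
	n->next = *nl;
	*nl = n;
	return 0;
}

/* Patched logic: stop as soon as the block is found on the chain. */
static int register_checked(struct nb **nl, struct nb *n)
{
	while (*nl != NULL) {
		if (*nl == n)
			return 0;	/* the patch warns here, then returns 0 */
		if (n->priority > (*nl)->priority)
			break;
		nl = &(*nl)->next;
	}
	n->next = *nl;
	*nl = n;
	return 0;
}

/* Count chain members; -1 means the walk passed limit, i.e. a ring. */
static int chain_len(const struct nb *head, int limit)
{
	int n = 0;

	for (; head != NULL; head = head->next)
		if (++n > limit)
			return -1;
	return n;
}

/* case2: the same block registered twice, then the chain is walked. */
static int double_register_len(reg_fn reg)
{
	struct nb t1 = { 0, NULL };
	struct nb *head = NULL;

	reg(&head, &t1);
	reg(&head, &t1);	/* unchecked: t1.next now points at t1 */
	return chain_len(head, 16);
}

/* case3: test1, test2, then test1 again. */
static int reregister_len(reg_fn reg)
{
	struct nb t1 = { 0, NULL }, t2 = { 0, NULL };
	struct nb *head = NULL;

	reg(&head, &t1);
	reg(&head, &t2);
	reg(&head, &t1);	/* unchecked: t1.next reset to NULL, t2 lost */
	return chain_len(head, 16);
}

int main(void)
{
	/* case1 is not run: a third unchecked register on the ring never returns. */
	printf("unchecked double register: %d\n",
	       double_register_len(register_unchecked));
	printf("unchecked re-register:     %d\n",
	       reregister_len(register_unchecked));
	printf("checked double register:   %d\n",
	       double_register_len(register_checked));
	printf("checked re-register:       %d\n",
	       reregister_len(register_checked));
	return 0;
}
```

A length of -1 is the ring that makes both the next registration and the call chain spin; a length of 1 in the re-register case is the chain with test2 dropped.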
From: Pan Bian <[email protected]>
[ Upstream commit 960657b732e1ce21b07be5ab48a7ad3913d72ba4 ]
Move the release operation after error log to avoid possible use after
free.
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Pan Bian <[email protected]>
Acked-by: Michal Kalderon <[email protected]>
Reviewed-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Jason Gunthorpe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/infiniband/hw/qedr/qedr_iw_cm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/qedr/qedr_iw_cm.c b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
index a7a926b7b5628..6dea49e11f5f0 100644
--- a/drivers/infiniband/hw/qedr/qedr_iw_cm.c
+++ b/drivers/infiniband/hw/qedr/qedr_iw_cm.c
@@ -490,10 +490,10 @@ qedr_addr6_resolve(struct qedr_dev *dev,
if ((!dst) || dst->error) {
if (dst) {
- dst_release(dst);
DP_ERR(dev,
"ip6_route_output returned dst->error = %d\n",
dst->error);
+ dst_release(dst);
}
return -EINVAL;
}
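Review bot: inside the if (dst) branch the fix depends on statement order alone; copying dst->error into a local before dst_release(dst) would keep the log line and the release independent of each other. The function also returns -EINVAL here although dst->error is at hand, so the caller loses the routing error that was just logged.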
--
2.25.1
From: Alex Deucher <[email protected]>
[ Upstream commit 901245624c7812b6c95d67177bae850e783b5212 ]
When a custom powerplay table is provided, we need to update
the OD VDDC flag to avoid AVFS being enabled when it shouldn't be.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205393
Reviewed-by: Evan Quan <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
index 3a2a1dc9a786a..1b55f037ba4a7 100644
--- a/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/smu7_hwmgr.c
@@ -3987,6 +3987,13 @@ static int smu7_set_power_state_tasks(struct pp_hwmgr *hwmgr, const void *input)
"Failed to populate and upload SCLK MCLK DPM levels!",
result = tmp_result);
+ /*
+ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag.
+ * That effectively disables AVFS feature.
+ */
+ if (hwmgr->hardcode_pp_table != NULL)
+ data->need_update_smu7_dpm_table |= DPMTABLE_OD_UPDATE_VDDC;
+
tmp_result = smu7_update_avfs(hwmgr);
PP_ASSERT_WITH_CODE((0 == tmp_result),
"Failed to update avfs voltages!",
--
2.25.1
From: Alex Deucher <[email protected]>
[ Upstream commit 53dbc27ad5a93932ff1892a8e4ef266827d74a0f ]
When a custom powerplay table is provided, we need to update
the OD VDDC flag to avoid AVFS being enabled when it shouldn't be.
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205393
Reviewed-by: Evan Quan <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
index beacfffbdc3eb..ecbc9daea57e0 100644
--- a/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
+++ b/drivers/gpu/drm/amd/powerplay/hwmgr/vega10_hwmgr.c
@@ -3691,6 +3691,13 @@ static int vega10_set_power_state_tasks(struct pp_hwmgr *hwmgr,
PP_ASSERT_WITH_CODE(!result,
"Failed to upload PPtable!", return result);
+ /*
+ * If a custom pp table is loaded, set DPMTABLE_OD_UPDATE_VDDC flag.
+ * That effectively disables AVFS feature.
+ */
+ if(hwmgr->hardcode_pp_table != NULL)
+ data->need_update_dpm_table |= DPMTABLE_OD_UPDATE_VDDC;
+
vega10_update_avfs(hwmgr);
/*
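Review bot: `if(hwmgr->hardcode_pp_table != NULL)` is missing the space after `if`, and kernel style prefers the bare pointer test, `if (hwmgr->hardcode_pp_table)`. The new comment says that setting DPMTABLE_OD_UPDATE_VDDC "effectively disables" AVFS but not why; one more sentence tying the flag to the vega10_update_avfs() call below it would save the next reader a search.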
--
2.25.1
From: Ivan Lazeev <[email protected]>
[ Upstream commit 3ef193822b25e9ee629974f66dc1ff65167f770c ]
Bug link: https://bugzilla.kernel.org/show_bug.cgi?id=195657
cmd/rsp buffers are expected to be in the same ACPI region.
For Zen+ CPUs BIOSes might report two different regions, some of
them also report region sizes inconsistent with values from TPM
registers.
Memory configuration on ASRock x470 ITX:
db0a0000-dc59efff : Reserved
dc57e000-dc57efff : MSFT0101:00
dc582000-dc582fff : MSFT0101:00
Work around the issue by storing ACPI regions declared for the
device in a fixed array and adding an array for pointers to
corresponding possibly allocated resources in crb_map_io function.
This data was previously held for a single resource
in struct crb_priv (iobase field) and local variable io_res in
crb_map_io function. ACPI resources array is used to find index of
corresponding region for each buffer and make the buffer size
consistent with region's length. Array of pointers to allocated
resources is used to map the region at most once.
Signed-off-by: Ivan Lazeev <[email protected]>
Tested-by: Jerry Snitselaar <[email protected]>
Tested-by: Jarkko Sakkinen <[email protected]>
Reviewed-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Jarkko Sakkinen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/char/tpm/tpm_crb.c | 123 +++++++++++++++++++++++++++----------
1 file changed, 90 insertions(+), 33 deletions(-)
diff --git a/drivers/char/tpm/tpm_crb.c b/drivers/char/tpm/tpm_crb.c
index e59f1f91d7f3e..a9dcf31eadd21 100644
--- a/drivers/char/tpm/tpm_crb.c
+++ b/drivers/char/tpm/tpm_crb.c
@@ -22,6 +22,7 @@
#include "tpm.h"
#define ACPI_SIG_TPM2 "TPM2"
+#define TPM_CRB_MAX_RESOURCES 3
static const guid_t crb_acpi_start_guid =
GUID_INIT(0x6BBF6CAB, 0x5463, 0x4714,
@@ -91,7 +92,6 @@ enum crb_status {
struct crb_priv {
u32 sm;
const char *hid;
- void __iomem *iobase;
struct crb_regs_head __iomem *regs_h;
struct crb_regs_tail __iomem *regs_t;
u8 __iomem *cmd;
@@ -434,21 +434,27 @@ static const struct tpm_class_ops tpm_crb = {
static int crb_check_resource(struct acpi_resource *ares, void *data)
{
- struct resource *io_res = data;
+ struct resource *iores_array = data;
struct resource_win win;
struct resource *res = &(win.res);
+ int i;
if (acpi_dev_resource_memory(ares, res) ||
acpi_dev_resource_address_space(ares, &win)) {
- *io_res = *res;
- io_res->name = NULL;
+ for (i = 0; i < TPM_CRB_MAX_RESOURCES + 1; ++i) {
+ if (resource_type(iores_array + i) != IORESOURCE_MEM) {
+ iores_array[i] = *res;
+ iores_array[i].name = NULL;
+ break;
+ }
+ }
}
return 1;
}
-static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
- struct resource *io_res, u64 start, u32 size)
+static void __iomem *crb_map_res(struct device *dev, struct resource *iores,
+ void __iomem **iobase_ptr, u64 start, u32 size)
{
struct resource new_res = {
.start = start,
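Review bot: the loop bound TPM_CRB_MAX_RESOURCES + 1 in crb_check_resource() depends on the caller passing an array with one extra sentinel slot through the untyped data pointer; state that contract in a comment above the function or pass the length alongside the array. Memory resources found once every slot is filled are dropped by this function without any message.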
@@ -460,10 +466,16 @@ static void __iomem *crb_map_res(struct device *dev, struct crb_priv *priv,
if (start != new_res.start)
return (void __iomem *) ERR_PTR(-EINVAL);
- if (!resource_contains(io_res, &new_res))
+ if (!iores)
return devm_ioremap_resource(dev, &new_res);
- return priv->iobase + (new_res.start - io_res->start);
+ if (!*iobase_ptr) {
+ *iobase_ptr = devm_ioremap_resource(dev, iores);
+ if (IS_ERR(*iobase_ptr))
+ return *iobase_ptr;
+ }
+
+ return *iobase_ptr + (new_res.start - iores->start);
}
/*
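Review bot: the resource_contains(io_res, &new_res) check is removed and nothing in crb_map_res() replaces it, so with a non-NULL iores the returned pointer *iobase_ptr + (new_res.start - iores->start) is trusted to lie inside the mapped region with size bytes available. Either keep a containment check here and fall back to devm_ioremap_resource(dev, &new_res) when it fails, or document that every caller must validate start and size against iores first.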
@@ -490,9 +502,13 @@ static u64 crb_fixup_cmd_size(struct device *dev, struct resource *io_res,
static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
struct acpi_table_tpm2 *buf)
{
- struct list_head resources;
- struct resource io_res;
+ struct list_head acpi_resource_list;
+ struct resource iores_array[TPM_CRB_MAX_RESOURCES + 1] = { {0} };
+ void __iomem *iobase_array[TPM_CRB_MAX_RESOURCES] = {NULL};
struct device *dev = &device->dev;
+ struct resource *iores;
+ void __iomem **iobase_ptr;
+ int i;
u32 pa_high, pa_low;
u64 cmd_pa;
u32 cmd_size;
@@ -501,21 +517,41 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
u32 rsp_size;
int ret;
- INIT_LIST_HEAD(&resources);
- ret = acpi_dev_get_resources(device, &resources, crb_check_resource,
- &io_res);
+ INIT_LIST_HEAD(&acpi_resource_list);
+ ret = acpi_dev_get_resources(device, &acpi_resource_list,
+ crb_check_resource, iores_array);
if (ret < 0)
return ret;
- acpi_dev_free_resource_list(&resources);
+ acpi_dev_free_resource_list(&acpi_resource_list);
- if (resource_type(&io_res) != IORESOURCE_MEM) {
+ if (resource_type(iores_array) != IORESOURCE_MEM) {
dev_err(dev, FW_BUG "TPM2 ACPI table does not define a memory resource\n");
return -EINVAL;
+ } else if (resource_type(iores_array + TPM_CRB_MAX_RESOURCES) ==
+ IORESOURCE_MEM) {
+ dev_warn(dev, "TPM2 ACPI table defines too many memory resources\n");
+ memset(iores_array + TPM_CRB_MAX_RESOURCES,
+ 0, sizeof(*iores_array));
+ iores_array[TPM_CRB_MAX_RESOURCES].flags = 0;
}
- priv->iobase = devm_ioremap_resource(dev, &io_res);
- if (IS_ERR(priv->iobase))
- return PTR_ERR(priv->iobase);
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
+ if (buf->control_address >= iores_array[i].start &&
+ buf->control_address + sizeof(struct crb_regs_tail) - 1 <=
+ iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ priv->regs_t = crb_map_res(dev, iores, iobase_ptr, buf->control_address,
+ sizeof(struct crb_regs_tail));
+
+ if (IS_ERR(priv->regs_t))
+ return PTR_ERR(priv->regs_t);
/* The ACPI IO region starts at the head area and continues to include
* the control area, as one nice sane region except for some older
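Review bot: in the "too many memory resources" branch the memset() of iores_array + TPM_CRB_MAX_RESOURCES already zeroes flags, so the following `.flags = 0` assignment is redundant; drop one of the two. The `else if` follows a branch that ends in `return -EINVAL`, so a plain `if` would read more clearly.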
@@ -523,9 +559,10 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
*/
if ((priv->sm == ACPI_TPM2_COMMAND_BUFFER) ||
(priv->sm == ACPI_TPM2_MEMORY_MAPPED)) {
- if (buf->control_address == io_res.start +
+ if (iores &&
+ buf->control_address == iores->start +
sizeof(*priv->regs_h))
- priv->regs_h = priv->iobase;
+ priv->regs_h = *iobase_ptr;
else
dev_warn(dev, FW_BUG "Bad ACPI memory layout");
}
@@ -534,13 +571,6 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
if (ret)
return ret;
- priv->regs_t = crb_map_res(dev, priv, &io_res, buf->control_address,
- sizeof(struct crb_regs_tail));
- if (IS_ERR(priv->regs_t)) {
- ret = PTR_ERR(priv->regs_t);
- goto out_relinquish_locality;
- }
-
/*
* PTT HW bug w/a: wake up the device to access
* possibly not retained registers.
@@ -552,13 +582,26 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
pa_high = ioread32(&priv->regs_t->ctrl_cmd_pa_high);
pa_low = ioread32(&priv->regs_t->ctrl_cmd_pa_low);
cmd_pa = ((u64)pa_high << 32) | pa_low;
- cmd_size = crb_fixup_cmd_size(dev, &io_res, cmd_pa,
- ioread32(&priv->regs_t->ctrl_cmd_size));
+ cmd_size = ioread32(&priv->regs_t->ctrl_cmd_size);
+
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; iores_array[i].end; ++i) {
+ if (cmd_pa >= iores_array[i].start &&
+ cmd_pa <= iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ if (iores)
+ cmd_size = crb_fixup_cmd_size(dev, iores, cmd_pa, cmd_size);
dev_dbg(dev, "cmd_hi = %X cmd_low = %X cmd_size %X\n",
pa_high, pa_low, cmd_size);
- priv->cmd = crb_map_res(dev, priv, &io_res, cmd_pa, cmd_size);
+ priv->cmd = crb_map_res(dev, iores, iobase_ptr, cmd_pa, cmd_size);
if (IS_ERR(priv->cmd)) {
ret = PTR_ERR(priv->cmd);
goto out;
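Review bot: the cmd_pa lookup loop terminates on `iores_array[i].end` while the control-area and rsp_pa loops terminate on `resource_type(iores_array + i) == IORESOURCE_MEM`; use one condition in all three so they cannot disagree about where the array ends. The match only tests that cmd_pa falls inside the region, which leaves the size check entirely to crb_fixup_cmd_size().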
@@ -566,11 +609,25 @@ static int crb_map_io(struct acpi_device *device, struct crb_priv *priv,
memcpy_fromio(&__rsp_pa, &priv->regs_t->ctrl_rsp_pa, 8);
rsp_pa = le64_to_cpu(__rsp_pa);
- rsp_size = crb_fixup_cmd_size(dev, &io_res, rsp_pa,
- ioread32(&priv->regs_t->ctrl_rsp_size));
+ rsp_size = ioread32(&priv->regs_t->ctrl_rsp_size);
+
+ iores = NULL;
+ iobase_ptr = NULL;
+ for (i = 0; resource_type(iores_array + i) == IORESOURCE_MEM; ++i) {
+ if (rsp_pa >= iores_array[i].start &&
+ rsp_pa <= iores_array[i].end) {
+ iores = iores_array + i;
+ iobase_ptr = iobase_array + i;
+ break;
+ }
+ }
+
+ if (iores)
+ rsp_size = crb_fixup_cmd_size(dev, iores, rsp_pa, rsp_size);
if (cmd_pa != rsp_pa) {
- priv->rsp = crb_map_res(dev, priv, &io_res, rsp_pa, rsp_size);
+ priv->rsp = crb_map_res(dev, iores, iobase_ptr,
+ rsp_pa, rsp_size);
ret = PTR_ERR_OR_ZERO(priv->rsp);
goto out;
}
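Review bot: this is the third copy of the same lookup (reset iores and iobase_ptr to NULL, scan iores_array, take the matching index); a small helper that returns the index for a given address would remove the duplication and the risk of the copies drifting apart. When no region matches, iores stays NULL and rsp_size is used exactly as read from the register, with no fixup; a comment on that path would make the fallback explicit.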
--
2.25.1
From: Nicholas Kazlauskas <[email protected]>
[ Upstream commit 0e3a7c2ec93b15f43a2653e52e9608484391aeaf ]
[Why]
We're leaking memory by not freeing the gamma used to calculate the
transfer function for legacy gamma.
[How]
Release the gamma after we're done with it.
Signed-off-by: Nicholas Kazlauskas <[email protected]>
Reviewed-by: Leo Li <[email protected]>
Signed-off-by: Alex Deucher <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
index b43bb7f90e4e9..2233d293a707a 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_color.c
@@ -210,6 +210,8 @@ static int __set_legacy_tf(struct dc_transfer_func *func,
res = mod_color_calculate_regamma_params(func, gamma, true, has_rom,
NULL);
+ dc_gamma_release(&gamma);
+
return res ? 0 : -ENOMEM;
}
--
2.25.1
From: Dmitry Osipenko <[email protected]>
[ Upstream commit 53b4b2aeee26f42cde5ff2a16dd0d8590c51a55a ]
There is another kHz-conversion bug in the code, resulting in integer
overflow. Although, this time the resulting value is 4294966296 and it's
close to ULONG_MAX, which is okay in this case.
Reviewed-by: Chanwoo Choi <[email protected]>
Tested-by: Peter Geis <[email protected]>
Signed-off-by: Dmitry Osipenko <[email protected]>
Signed-off-by: Chanwoo Choi <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/devfreq/tegra30-devfreq.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/devfreq/tegra30-devfreq.c b/drivers/devfreq/tegra30-devfreq.c
index a6ba75f4106d8..e273011c83fbd 100644
--- a/drivers/devfreq/tegra30-devfreq.c
+++ b/drivers/devfreq/tegra30-devfreq.c
@@ -68,6 +68,8 @@
#define KHZ 1000
+#define KHZ_MAX (ULONG_MAX / KHZ)
+
/* Assume that the bus is saturated if the utilization is 25% */
#define BUS_SATURATION_RATIO 25
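Review bot: KHZ_MAX needs a one-line comment at its definition saying that it is the largest kHz value that can be multiplied by KHZ without overflowing unsigned long; the name alone reads like a hardware frequency limit.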
@@ -169,7 +171,7 @@ struct tegra_actmon_emc_ratio {
};
static struct tegra_actmon_emc_ratio actmon_emc_ratios[] = {
- { 1400000, ULONG_MAX },
+ { 1400000, KHZ_MAX },
{ 1200000, 750000 },
{ 1100000, 600000 },
{ 1000000, 500000 },
--
2.25.1
From: Felix Fietkau <[email protected]>
[ Upstream commit 36f7e2b2bb1de86f0072cd49ca93d82b9e8fd894 ]
With the devm API, the unregister happens after the device cleanup is done,
after which the struct mt76_dev which contains the led_cdev has already been
freed. This leads to a use-after-free bug that can crash the system.
Signed-off-by: Felix Fietkau <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 1a2c143b34d01..7be5806a1c398 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -105,7 +105,15 @@ static int mt76_led_init(struct mt76_dev *dev)
dev->led_al = of_property_read_bool(np, "led-active-low");
}
- return devm_led_classdev_register(dev->dev, &dev->led_cdev);
+ return led_classdev_register(dev->dev, &dev->led_cdev);
+}
+
+static void mt76_led_cleanup(struct mt76_dev *dev)
+{
+ if (!dev->led_cdev.brightness_set && !dev->led_cdev.blink_set)
+ return;
+
+ led_classdev_unregister(&dev->led_cdev);
}
static void mt76_init_stream_cap(struct mt76_dev *dev,
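Review bot: mt76_led_cleanup() infers that the LED was registered from brightness_set or blink_set being non-NULL, but mt76_led_init() returns the result of led_classdev_register() directly, so if those callbacks are set before the register call and it fails, cleanup would still reach led_classdev_unregister(). Track registration explicitly, for example with a flag set only when led_classdev_register() returns 0, or clear the callbacks on failure.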
@@ -360,6 +368,7 @@ void mt76_unregister_device(struct mt76_dev *dev)
{
struct ieee80211_hw *hw = dev->hw;
+ mt76_led_cleanup(dev);
mt76_tx_status_check(dev, NULL, true);
ieee80211_unregister_hw(hw);
}
--
2.25.1
From: Nicholas Johnson <[email protected]>
[ Upstream commit c13704f5685deb7d6eb21e293233e0901ed77377 ]
Previously, the kernel sometimes assigned more MMIO or MMIO_PREF space than
desired. For example, if the user requested 128M of space with
"pci=realloc,hpmemsize=128M", we sometimes assigned 256M:
pci 0000:06:01.0: BAR 14: assigned [mem 0x90100000-0xa00fffff] = 256M
pci 0000:06:04.0: BAR 14: assigned [mem 0xa0200000-0xb01fffff] = 256M
With this patch applied:
pci 0000:06:01.0: BAR 14: assigned [mem 0x90100000-0x980fffff] = 128M
pci 0000:06:04.0: BAR 14: assigned [mem 0x98200000-0xa01fffff] = 128M
This happened when in the first pass, the MMIO_PREF succeeded but the MMIO
failed. In the next pass, because MMIO_PREF was already assigned, the
attempt to assign MMIO_PREF returned an error code instead of success
(nothing more to do, already allocated). Hence, the size which was actually
allocated, but thought to have failed, was placed in the MMIO window.
The bug resulted in the MMIO_PREF being added to the MMIO window, which
meant doubling if MMIO_PREF size = MMIO size. With a large MMIO_PREF, the
MMIO window would likely fail to be assigned altogether due to lack of
32-bit address space.
Change find_free_bus_resource() to do the following:
- Return first unassigned resource of the correct type.
- If there is none, return first assigned resource of the correct type.
- If none of the above, return NULL.
Returning an assigned resource of the correct type allows the caller to
distinguish between already assigned and no resource of the correct type.
Add checks in pbus_size_io() and pbus_size_mem() to return success if
resource returned from find_free_bus_resource() is already allocated.
This avoids pbus_size_io() and pbus_size_mem() returning error code to
__pci_bus_size_bridges() when a resource has been successfully assigned in
a previous pass. This fixes the existing behaviour where space for a
resource could be reserved multiple times in different parent bridge
windows.
Link: https://lore.kernel.org/lkml/[email protected]/T/#u
Link: https://bugzilla.kernel.org/show_bug.cgi?id=203243
Link: https://lore.kernel.org/r/PS2P216MB075563AA6AD242AA666EDC6A80760@PS2P216MB0755.KORP216.PROD.OUTLOOK.COM
Reported-by: Kit Chow <[email protected]>
Reported-by: Nicholas Johnson <[email protected]>
Signed-off-by: Nicholas Johnson <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Reviewed-by: Mika Westerberg <[email protected]>
Reviewed-by: Logan Gunthorpe <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pci/setup-bus.c | 38 +++++++++++++++++++++++++++-----------
1 file changed, 27 insertions(+), 11 deletions(-)
diff --git a/drivers/pci/setup-bus.c b/drivers/pci/setup-bus.c
index 5356630e0e483..44f4866d95d8c 100644
--- a/drivers/pci/setup-bus.c
+++ b/drivers/pci/setup-bus.c
@@ -752,24 +752,32 @@ static void pci_bridge_check_ranges(struct pci_bus *bus)
}
/*
- * Helper function for sizing routines: find first available bus resource
- * of a given type. Note: we intentionally skip the bus resources which
- * have already been assigned (that is, have non-NULL parent resource).
+ * Helper function for sizing routines. Assigned resources have non-NULL
+ * parent resource.
+ *
+ * Return first unassigned resource of the correct type. If there is none,
+ * return first assigned resource of the correct type. If none of the
+ * above, return NULL.
+ *
+ * Returning an assigned resource of the correct type allows the caller to
+ * distinguish between already assigned and no resource of the correct type.
*/
-static struct resource *find_free_bus_resource(struct pci_bus *bus,
- unsigned long type_mask,
- unsigned long type)
+static struct resource *find_bus_resource_of_type(struct pci_bus *bus,
+ unsigned long type_mask,
+ unsigned long type)
{
+ struct resource *r, *r_assigned = NULL;
int i;
- struct resource *r;
pci_bus_for_each_resource(bus, r, i) {
if (r == &ioport_resource || r == &iomem_resource)
continue;
if (r && (r->flags & type_mask) == type && !r->parent)
return r;
+ if (r && (r->flags & type_mask) == type && !r_assigned)
+ r_assigned = r;
}
- return NULL;
+ return r_assigned;
}
static resource_size_t calculate_iosize(resource_size_t size,
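Review bot: the two tests in the loop repeat `r && (r->flags & type_mask) == type`; checking the type once and then branching on r->parent would make the "first unassigned, else first assigned" rule easier to follow. The new name find_bus_resource_of_type() no longer hints at the preference for unassigned resources, so the comment block is the only place that contract is written down and has to stay in step with the b_res->parent checks in the callers.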
@@ -866,8 +874,8 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size,
struct list_head *realloc_head)
{
struct pci_dev *dev;
- struct resource *b_res = find_free_bus_resource(bus, IORESOURCE_IO,
- IORESOURCE_IO);
+ struct resource *b_res = find_bus_resource_of_type(bus, IORESOURCE_IO,
+ IORESOURCE_IO);
resource_size_t size = 0, size0 = 0, size1 = 0;
resource_size_t children_add_size = 0;
resource_size_t min_align, align;
@@ -875,6 +883,10 @@ static void pbus_size_io(struct pci_bus *bus, resource_size_t min_size,
if (!b_res)
return;
+ /* If resource is already assigned, nothing more to do */
+ if (b_res->parent)
+ return;
+
min_align = window_alignment(bus, IORESOURCE_IO);
list_for_each_entry(dev, &bus->devices, bus_list) {
int i;
@@ -978,7 +990,7 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
resource_size_t min_align, align, size, size0, size1;
resource_size_t aligns[18]; /* Alignments from 1MB to 128GB */
int order, max_order;
- struct resource *b_res = find_free_bus_resource(bus,
+ struct resource *b_res = find_bus_resource_of_type(bus,
mask | IORESOURCE_PREFETCH, type);
resource_size_t children_add_size = 0;
resource_size_t children_add_align = 0;
@@ -987,6 +999,10 @@ static int pbus_size_mem(struct pci_bus *bus, unsigned long mask,
if (!b_res)
return -ENOSPC;
+ /* If resource is already assigned, nothing more to do */
+ if (b_res->parent)
+ return 0;
+
memset(aligns, 0, sizeof(aligns));
max_order = 0;
size = 0;
--
2.25.1
From: Dave Chinner <[email protected]>
[ Upstream commit 3f8a4f1d876d3e3e49e50b0396eaffcc4ba71b08 ]
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent count growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to an int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <[email protected]>
Signed-off-by: Dave Chinner <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/libxfs/xfs_attr_leaf.c | 18 ++++++++++--------
fs/xfs/libxfs/xfs_dir2_sf.c | 2 +-
fs/xfs/libxfs/xfs_iext_tree.c | 2 +-
fs/xfs/libxfs/xfs_inode_fork.c | 8 ++++----
fs/xfs/libxfs/xfs_inode_fork.h | 14 ++++++++------
5 files changed, 24 insertions(+), 20 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_attr_leaf.c b/fs/xfs/libxfs/xfs_attr_leaf.c
index 5472ed3ce6943..f943c77133dcd 100644
--- a/fs/xfs/libxfs/xfs_attr_leaf.c
+++ b/fs/xfs/libxfs/xfs_attr_leaf.c
@@ -453,13 +453,15 @@ xfs_attr_copy_value(
* special case for dev/uuid inodes, they have fixed size data forks.
*/
int
-xfs_attr_shortform_bytesfit(xfs_inode_t *dp, int bytes)
+xfs_attr_shortform_bytesfit(
+ struct xfs_inode *dp,
+ int bytes)
{
- int offset;
- int minforkoff; /* lower limit on valid forkoff locations */
- int maxforkoff; /* upper limit on valid forkoff locations */
- int dsize;
- xfs_mount_t *mp = dp->i_mount;
+ struct xfs_mount *mp = dp->i_mount;
+ int64_t dsize;
+ int minforkoff;
+ int maxforkoff;
+ int offset;
/* rounded down */
offset = (XFS_LITINO(mp, dp->i_d.di_version) - bytes) >> 3;
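Review bot: the rewritten declarations drop the comments on minforkoff and maxforkoff ("lower limit" and "upper limit on valid forkoff locations"); keep them, since the rest of the reordering is cosmetic. Only dsize is widened to int64_t here, while offset, minforkoff and maxforkoff stay int.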
@@ -525,7 +527,7 @@ xfs_attr_shortform_bytesfit(xfs_inode_t *dp, int bytes)
* A data fork btree root must have space for at least
* MINDBTPTRS key/ptr pairs if the data fork is small or empty.
*/
- minforkoff = max(dsize, XFS_BMDR_SPACE_CALC(MINDBTPTRS));
+ minforkoff = max_t(int64_t, dsize, XFS_BMDR_SPACE_CALC(MINDBTPTRS));
minforkoff = roundup(minforkoff, 8) >> 3;
/* attr fork btree root can have at least this many key/ptr pairs */
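Review bot: max_t(int64_t, dsize, ...) produces a 64-bit value that is stored straight into the int minforkoff, so the widening is lost at the assignment; either bound dsize before this line or add a note on why the result always fits in an int.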
@@ -924,7 +926,7 @@ xfs_attr_shortform_verify(
char *endp;
struct xfs_ifork *ifp;
int i;
- int size;
+ int64_t size;
ASSERT(ip->i_d.di_aformat == XFS_DINODE_FMT_LOCAL);
ifp = XFS_IFORK_PTR(ip, XFS_ATTR_FORK);
diff --git a/fs/xfs/libxfs/xfs_dir2_sf.c b/fs/xfs/libxfs/xfs_dir2_sf.c
index 85f14fc2a8da9..ae16ca7c422a9 100644
--- a/fs/xfs/libxfs/xfs_dir2_sf.c
+++ b/fs/xfs/libxfs/xfs_dir2_sf.c
@@ -628,7 +628,7 @@ xfs_dir2_sf_verify(
int i;
int i8count;
int offset;
- int size;
+ int64_t size;
int error;
uint8_t filetype;
diff --git a/fs/xfs/libxfs/xfs_iext_tree.c b/fs/xfs/libxfs/xfs_iext_tree.c
index 7bc87408f1a0a..52451809c4786 100644
--- a/fs/xfs/libxfs/xfs_iext_tree.c
+++ b/fs/xfs/libxfs/xfs_iext_tree.c
@@ -596,7 +596,7 @@ xfs_iext_realloc_root(
struct xfs_ifork *ifp,
struct xfs_iext_cursor *cur)
{
- size_t new_size = ifp->if_bytes + sizeof(struct xfs_iext_rec);
+ int64_t new_size = ifp->if_bytes + sizeof(struct xfs_iext_rec);
void *new;
/* account for the prev/next pointers */
diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c
index c643beeb5a248..8fdd0424070e0 100644
--- a/fs/xfs/libxfs/xfs_inode_fork.c
+++ b/fs/xfs/libxfs/xfs_inode_fork.c
@@ -129,7 +129,7 @@ xfs_init_local_fork(
struct xfs_inode *ip,
int whichfork,
const void *data,
- int size)
+ int64_t size)
{
struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork);
int mem_size = size, real_size = 0;
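Review bot: The size parameter becomes int64_t, but the unchanged line "int mem_size = size, real_size = 0;" right below the declaration of ifp copies it into an int, so the widening stops at the first statement of the function. Make mem_size and real_size int64_t too, or reject sizes that do not fit before the assignment.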
@@ -467,11 +467,11 @@ xfs_iroot_realloc(
void
xfs_idata_realloc(
struct xfs_inode *ip,
- int byte_diff,
+ int64_t byte_diff,
int whichfork)
{
struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork);
- int new_size = (int)ifp->if_bytes + byte_diff;
+ int64_t new_size = ifp->if_bytes + byte_diff;
ASSERT(new_size >= 0);
ASSERT(new_size <= XFS_IFORK_SIZE(ip, whichfork));
@@ -552,7 +552,7 @@ xfs_iextents_copy(
struct xfs_ifork *ifp = XFS_IFORK_PTR(ip, whichfork);
struct xfs_iext_cursor icur;
struct xfs_bmbt_irec rec;
- int copied = 0;
+ int64_t copied = 0;
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL | XFS_ILOCK_SHARED));
ASSERT(ifp->if_bytes > 0);
diff --git a/fs/xfs/libxfs/xfs_inode_fork.h b/fs/xfs/libxfs/xfs_inode_fork.h
index 00c62ce170d0e..7b845c052fb45 100644
--- a/fs/xfs/libxfs/xfs_inode_fork.h
+++ b/fs/xfs/libxfs/xfs_inode_fork.h
@@ -13,16 +13,16 @@ struct xfs_dinode;
* File incore extent information, present for each of data & attr forks.
*/
struct xfs_ifork {
- int if_bytes; /* bytes in if_u1 */
- unsigned int if_seq; /* fork mod counter */
+ int64_t if_bytes; /* bytes in if_u1 */
struct xfs_btree_block *if_broot; /* file's incore btree root */
- short if_broot_bytes; /* bytes allocated for root */
- unsigned char if_flags; /* per-fork flags */
+ unsigned int if_seq; /* fork mod counter */
int if_height; /* height of the extent tree */
union {
void *if_root; /* extent tree root */
char *if_data; /* inline file data */
} if_u1;
+ short if_broot_bytes; /* bytes allocated for root */
+ unsigned char if_flags; /* per-fork flags */
};
/*
@@ -93,12 +93,14 @@ int xfs_iformat_fork(struct xfs_inode *, struct xfs_dinode *);
void xfs_iflush_fork(struct xfs_inode *, struct xfs_dinode *,
struct xfs_inode_log_item *, int);
void xfs_idestroy_fork(struct xfs_inode *, int);
-void xfs_idata_realloc(struct xfs_inode *, int, int);
+void xfs_idata_realloc(struct xfs_inode *ip, int64_t byte_diff,
+ int whichfork);
void xfs_iroot_realloc(struct xfs_inode *, int, int);
int xfs_iread_extents(struct xfs_trans *, struct xfs_inode *, int);
int xfs_iextents_copy(struct xfs_inode *, struct xfs_bmbt_rec *,
int);
-void xfs_init_local_fork(struct xfs_inode *, int, const void *, int);
+void xfs_init_local_fork(struct xfs_inode *ip, int whichfork,
+ const void *data, int64_t size);
xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp);
void xfs_iext_insert(struct xfs_inode *, struct xfs_iext_cursor *cur,
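Review bot: The prototype of xfs_iextents_copy() in this hunk still returns int, while the xfs_inode_fork.c change makes its local counter "copied" an int64_t. If the function returns that counter, the widening is lost at the return; either widen the return type here or keep the counter as int.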
--
2.25.1
From: Sreekanth Reddy <[email protected]>
[ Upstream commit 764f472ba4a7a0c18107ebfbe1a9f1f5f5a1e411 ]
Memory leak can happen when diag buffer is released but not unregistered
(where buffer is deallocated) by the user. During module unload time driver
is not deallocating the buffer if the buffer is in released state.
Deallocate the diag buffer during module unload time without any diag
buffer status checks.
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Sreekanth Reddy <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/scsi/mpt3sas/mpt3sas_ctl.c | 6 ------
1 file changed, 6 deletions(-)
diff --git a/drivers/scsi/mpt3sas/mpt3sas_ctl.c b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
index d5a62fea8fe3e..bae7cf70ee177 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_ctl.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_ctl.c
@@ -3717,12 +3717,6 @@ mpt3sas_ctl_exit(ushort hbas_to_enumerate)
for (i = 0; i < MPI2_DIAG_BUF_TYPE_COUNT; i++) {
if (!ioc->diag_buffer[i])
continue;
- if (!(ioc->diag_buffer_status[i] &
- MPT3_DIAG_BUFFER_IS_REGISTERED))
- continue;
- if ((ioc->diag_buffer_status[i] &
- MPT3_DIAG_BUFFER_IS_RELEASED))
- continue;
dma_free_coherent(&ioc->pdev->dev,
ioc->diag_buffer_sz[i],
ioc->diag_buffer[i],
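Review bot: With both status checks removed, the "if (!ioc->diag_buffer[i]) continue;" test is the only thing that keeps dma_free_coherent() from running on a buffer that was already freed. The commit message says the unregister path deallocates the buffer, so this is safe only if that path also sets ioc->diag_buffer[i] to NULL; please confirm that, and clear the pointer and diag_buffer_status[i] after the free here so the invariant is visible in this function.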
--
2.25.1
From: Sakari Ailus <[email protected]>
[ Upstream commit a5b1d5413534607b05fb34470ff62bf395f5c8d0 ]
If NVM reading failed, the device was left powered on. Fix that.
Signed-off-by: Sakari Ailus <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/i2c/smiapp/smiapp-core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/media/i2c/smiapp/smiapp-core.c b/drivers/media/i2c/smiapp/smiapp-core.c
index 42805dfbffeb9..06edbe8749c64 100644
--- a/drivers/media/i2c/smiapp/smiapp-core.c
+++ b/drivers/media/i2c/smiapp/smiapp-core.c
@@ -2327,11 +2327,12 @@ smiapp_sysfs_nvm_read(struct device *dev, struct device_attribute *attr,
if (rval < 0) {
if (rval != -EBUSY && rval != -EAGAIN)
pm_runtime_set_active(&client->dev);
- pm_runtime_put(&client->dev);
+ pm_runtime_put_noidle(&client->dev);
return -ENODEV;
}
if (smiapp_read_nvm(sensor, sensor->nvm)) {
+ pm_runtime_put(&client->dev);
dev_err(&client->dev, "nvm read failed\n");
return -ENODEV;
}
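Review bot: The commit message only covers the new pm_runtime_put() in the smiapp_read_nvm() failure branch; the switch from pm_runtime_put() to pm_runtime_put_noidle() in the "rval < 0" branch is a second behaviour change that is not explained. Please state in the message why the usage count has to be dropped without an idle check there.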
--
2.25.1
From: zhengbin <[email protected]>
[ Upstream commit 713f871b30a66dc4daff4d17b760c9916aaaf2e1 ]
In media_device_register_entity, if media_graph_walk_init fails, we
need to free the previously allocated memory.
Reported-by: Hulk Robot <[email protected]>
Signed-off-by: zhengbin <[email protected]>
Signed-off-by: Sakari Ailus <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/media/mc/mc-device.c | 65 ++++++++++++++++++------------------
1 file changed, 33 insertions(+), 32 deletions(-)
diff --git a/drivers/media/mc/mc-device.c b/drivers/media/mc/mc-device.c
index e19df5165e78c..da80883511352 100644
--- a/drivers/media/mc/mc-device.c
+++ b/drivers/media/mc/mc-device.c
@@ -575,6 +575,38 @@ static void media_device_release(struct media_devnode *devnode)
dev_dbg(devnode->parent, "Media device released\n");
}
+static void __media_device_unregister_entity(struct media_entity *entity)
+{
+ struct media_device *mdev = entity->graph_obj.mdev;
+ struct media_link *link, *tmp;
+ struct media_interface *intf;
+ unsigned int i;
+
+ ida_free(&mdev->entity_internal_idx, entity->internal_idx);
+
+ /* Remove all interface links pointing to this entity */
+ list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) {
+ list_for_each_entry_safe(link, tmp, &intf->links, list) {
+ if (link->entity == entity)
+ __media_remove_intf_link(link);
+ }
+ }
+
+ /* Remove all data links that belong to this entity */
+ __media_entity_remove_links(entity);
+
+ /* Remove all pads that belong to this entity */
+ for (i = 0; i < entity->num_pads; i++)
+ media_gobj_destroy(&entity->pads[i].graph_obj);
+
+ /* Remove the entity */
+ media_gobj_destroy(&entity->graph_obj);
+
+ /* invoke entity_notify callbacks to handle entity removal?? */
+
+ entity->graph_obj.mdev = NULL;
+}
+
/**
* media_device_register_entity - Register an entity with a media device
* @mdev: The media device
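Review bot: This hunk and the matching removal further down move __media_device_unregister_entity() without modifying it, which turns a one-line fix into 33 insertions and 32 deletions. A forward declaration above media_device_register_entity() would give the same result with a much smaller diff, which is easier to audit in a stable backport; if the move is preferred, say in the commit message that the function body is unmodified.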
@@ -632,6 +664,7 @@ int __must_check media_device_register_entity(struct media_device *mdev,
*/
ret = media_graph_walk_init(&new, mdev);
if (ret) {
+ __media_device_unregister_entity(entity);
mutex_unlock(&mdev->graph_mutex);
return ret;
}
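Review bot: The new error path calls the full __media_device_unregister_entity(), which frees the ida index, removes links, destroys each pad's graph object and then the entity's graph object. That is correct only if all of those were set up before media_graph_walk_init() is reached in media_device_register_entity(); please confirm the ordering, and have the commit message name which allocations are being released.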
@@ -644,38 +677,6 @@ int __must_check media_device_register_entity(struct media_device *mdev,
}
EXPORT_SYMBOL_GPL(media_device_register_entity);
-static void __media_device_unregister_entity(struct media_entity *entity)
-{
- struct media_device *mdev = entity->graph_obj.mdev;
- struct media_link *link, *tmp;
- struct media_interface *intf;
- unsigned int i;
-
- ida_free(&mdev->entity_internal_idx, entity->internal_idx);
-
- /* Remove all interface links pointing to this entity */
- list_for_each_entry(intf, &mdev->interfaces, graph_obj.list) {
- list_for_each_entry_safe(link, tmp, &intf->links, list) {
- if (link->entity == entity)
- __media_remove_intf_link(link);
- }
- }
-
- /* Remove all data links that belong to this entity */
- __media_entity_remove_links(entity);
-
- /* Remove all pads that belong to this entity */
- for (i = 0; i < entity->num_pads; i++)
- media_gobj_destroy(&entity->pads[i].graph_obj);
-
- /* Remove the entity */
- media_gobj_destroy(&entity->graph_obj);
-
- /* invoke entity_notify callbacks to handle entity removal?? */
-
- entity->graph_obj.mdev = NULL;
-}
-
void media_device_unregister_entity(struct media_entity *entity)
{
struct media_device *mdev = entity->graph_obj.mdev;
--
2.25.1
From: Balsundar P <[email protected]>
[ Upstream commit c86fbe484c10b2cd1e770770db2d6b2c88801c1d ]
The driver fails to handle data when read or written beyond the
device-reported LBA, which triggers a kernel panic.
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Balsundar P <[email protected]>
Signed-off-by: Martin K. Petersen <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/scsi/aacraid/aachba.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/scsi/aacraid/aachba.c b/drivers/scsi/aacraid/aachba.c
index 0ed3f806ace54..2388143d59f5d 100644
--- a/drivers/scsi/aacraid/aachba.c
+++ b/drivers/scsi/aacraid/aachba.c
@@ -2467,13 +2467,13 @@ static int aac_read(struct scsi_cmnd * scsicmd)
scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
SAM_STAT_CHECK_CONDITION;
set_sense(&dev->fsa_dev[cid].sense_data,
- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
+ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
SCSI_SENSE_BUFFERSIZE));
scsicmd->scsi_done(scsicmd);
- return 1;
+ return 0;
}
dprintk((KERN_DEBUG "aac_read[cpu %d]: lba = %llu, t = %ld.\n",
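Review bot: In the set_sense() call the first two sense arguments change to ILLEGAL_REQUEST and SENCODE_LBA_OUT_OF_RANGE, but the argument that follows is still ASENCODE_INTERNAL_TARGET_FAILURE, left over from the old pairing. Please check that this value is still the right companion for the new sense code; the same applies to the identical call in aac_write().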
@@ -2559,13 +2559,13 @@ static int aac_write(struct scsi_cmnd * scsicmd)
scsicmd->result = DID_OK << 16 | COMMAND_COMPLETE << 8 |
SAM_STAT_CHECK_CONDITION;
set_sense(&dev->fsa_dev[cid].sense_data,
- HARDWARE_ERROR, SENCODE_INTERNAL_TARGET_FAILURE,
+ ILLEGAL_REQUEST, SENCODE_LBA_OUT_OF_RANGE,
ASENCODE_INTERNAL_TARGET_FAILURE, 0, 0);
memcpy(scsicmd->sense_buffer, &dev->fsa_dev[cid].sense_data,
min_t(size_t, sizeof(dev->fsa_dev[cid].sense_data),
SCSI_SENSE_BUFFERSIZE));
scsicmd->scsi_done(scsicmd);
- return 1;
+ return 0;
}
dprintk((KERN_DEBUG "aac_write[cpu %d]: lba = %llu, t = %ld.\n",
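Review bot: The change from "return 1" to "return 0" after scsicmd->scsi_done() is the part of this hunk that alters control flow, yet the commit message does not mention it. Please explain what a non-zero return means to the caller once the command has already been completed, since the message attributes the panic to out-of-range LBAs without saying which of the two changes fixes it.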
--
2.25.1
From: Lee Jones <[email protected]>
[ Upstream commit b195e101580db390f50b0d587b7f66f241d2bc88 ]
If a child device calls mfd_cell_{en,dis}able() without an appropriate
call-back being set, we are likely to encounter a panic. Avoid this
by adding suitable checking.
Signed-off-by: Lee Jones <[email protected]>
Reviewed-by: Daniel Thompson <[email protected]>
Reviewed-by: Mark Brown <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/mfd/mfd-core.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/mfd/mfd-core.c b/drivers/mfd/mfd-core.c
index 23276a80e3b48..96d02b6f06fd8 100644
--- a/drivers/mfd/mfd-core.c
+++ b/drivers/mfd/mfd-core.c
@@ -28,6 +28,11 @@ int mfd_cell_enable(struct platform_device *pdev)
const struct mfd_cell *cell = mfd_get_cell(pdev);
int err = 0;
+ if (!cell->enable) {
+ dev_dbg(&pdev->dev, "No .enable() call-back registered\n");
+ return 0;
+ }
+
/* only call enable hook if the cell wasn't previously enabled */
if (atomic_inc_return(cell->usage_count) == 1)
err = cell->enable(pdev);
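Review bot: Returning 0 when cell->enable is NULL tells the caller the cell was enabled when nothing happened, and the only trace is a dev_dbg() that is silent by default. Consider a distinct error code, or at least dev_warn(), so that a child driver which depends on the call-back notices the missing hook.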
@@ -45,6 +50,11 @@ int mfd_cell_disable(struct platform_device *pdev)
const struct mfd_cell *cell = mfd_get_cell(pdev);
int err = 0;
+ if (!cell->disable) {
+ dev_dbg(&pdev->dev, "No .disable() call-back registered\n");
+ return 0;
+ }
+
/* only disable if no other clients are using it */
if (atomic_dec_return(cell->usage_count) == 0)
err = cell->disable(pdev);
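Review bot: The early return on a missing cell->disable skips atomic_dec_return(cell->usage_count), and the matching check in mfd_cell_enable() skips the increment, so a cell that provides only one of the two call-backs ends up with a usage count that moves in one direction only. Either require both hooks before touching the counter, or keep the counter updates outside the NULL checks.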
--
2.25.1
From: Andreas Gruenbacher <[email protected]>
[ Upstream commit add66fcbd3fbe5aa0dd4dddfa23e119c12989a27 ]
On architectures where loff_t is wider than pgoff_t, the expression
((page->index + 1) << PAGE_SHIFT) can overflow. Rewrite to use the page
offset, which we already compute here anyway.
Signed-off-by: Andreas Gruenbacher <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/iomap/buffered-io.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index e25901ae3ff44..a30ea7ecb790a 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1040,20 +1040,19 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault *vmf, const struct iomap_ops *ops)
lock_page(page);
size = i_size_read(inode);
- if ((page->mapping != inode->i_mapping) ||
- (page_offset(page) > size)) {
+ offset = page_offset(page);
+ if (page->mapping != inode->i_mapping || offset > size) {
/* We overload EFAULT to mean page got truncated */
ret = -EFAULT;
goto out_unlock;
}
/* page is wholly or partially inside EOF */
- if (((page->index + 1) << PAGE_SHIFT) > size)
+ if (offset > size - PAGE_SIZE)
length = offset_in_page(size);
else
length = PAGE_SIZE;
- offset = page_offset(page);
while (length > 0) {
ret = iomap_apply(inode, offset, length,
IOMAP_WRITE | IOMAP_FAULT, ops, page,
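Review bot: The new test "offset > size - PAGE_SIZE" has a negative right-hand side whenever i_size is smaller than one page, so it gives the intended answer only if both offset and size are signed. Their declarations are outside this hunk; please confirm both are loff_t and add a short comment saying the subtraction form is deliberate, so that nobody later changes either variable to an unsigned type.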
--
2.25.1
From: Fuqian Huang <[email protected]>
[ Upstream commit 7cf78b6b12fd5550545e4b73b35dca18bd46b44c ]
When the option is RTC_PLL_GET, pll will be copied to userland
via copy_to_user. pll is initialized using mach_get_rtc_pll indirect
call and mach_get_rtc_pll is only assigned with function
q40_get_rtc_pll in arch/m68k/q40/config.c.
In function q40_get_rtc_pll, the field pll_ctrl is not initialized.
This will leak uninitialized stack content to userland.
Fix this by zeroing the uninitialized field.
Signed-off-by: Fuqian Huang <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Geert Uytterhoeven <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
arch/m68k/q40/config.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/m68k/q40/config.c b/arch/m68k/q40/config.c
index e63eb5f069995..f31890078197e 100644
--- a/arch/m68k/q40/config.c
+++ b/arch/m68k/q40/config.c
@@ -264,6 +264,7 @@ static int q40_get_rtc_pll(struct rtc_pll_info *pll)
{
int tmp = Q40_RTC_CTRL;
+ pll->pll_ctrl = 0;
pll->pll_value = tmp & Q40_RTC_PLL_MASK;
if (tmp & Q40_RTC_PLL_SIGN)
pll->pll_value = -pll->pll_value;
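Review bot: Zeroing pll->pll_ctrl alone fixes the field named in the commit message, but it leaves the guarantee dependent on every mach_get_rtc_pll implementation assigning every member of struct rtc_pll_info. Since the whole struct is copied to userland, clearing it in the caller before the indirect call (which also covers any padding) would close the leak for current and future implementations.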
--
2.25.1
From: Miaoqing Pan <[email protected]>
[ Upstream commit c5329b2d5b8b4e41be14d31ee8505b4f5607bf9b ]
If firmware reports rate_max > WMI_TPC_RATE_MAX(WMI_TPC_FINAL_RATE_MAX)
or num_tx_chain > WMI_TPC_TX_N_CHAIN, it will cause array out-of-bounds
access, so print a warning and reset to avoid memory corruption.
Tested HW: QCA9984
Tested FW: 10.4-3.9.0.2-00035
Signed-off-by: Miaoqing Pan <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/ath/ath10k/debug.c | 2 +-
drivers/net/wireless/ath/ath10k/wmi.c | 49 ++++++++++++++++---------
2 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index bd2b5628f850b..40baf25ac99f3 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -1516,7 +1516,7 @@ static void ath10k_tpc_stats_print(struct ath10k_tpc_stats *tpc_stats,
*len += scnprintf(buf + *len, buf_len - *len,
"No. Preamble Rate_code ");
- for (i = 0; i < WMI_TPC_TX_N_CHAIN; i++)
+ for (i = 0; i < tpc_stats->num_tx_chain; i++)
*len += scnprintf(buf + *len, buf_len - *len,
"tpc_value%d ", i);
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index 90f1197a6ad84..2675174cc4fec 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -4668,16 +4668,13 @@ static void ath10k_tpc_config_disp_tables(struct ath10k *ar,
}
pream_idx = 0;
- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) {
+ for (i = 0; i < tpc_stats->rate_max; i++) {
memset(tpc_value, 0, sizeof(tpc_value));
memset(buff, 0, sizeof(buff));
if (i == pream_table[pream_idx])
pream_idx++;
- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) {
- if (j >= __le32_to_cpu(ev->num_tx_chain))
- break;
-
+ for (j = 0; j < tpc_stats->num_tx_chain; j++) {
tpc[j] = ath10k_tpc_config_get_rate(ar, ev, i, j + 1,
rate_code[i],
type);
@@ -4790,7 +4787,7 @@ void ath10k_wmi_tpc_config_get_rate_code(u8 *rate_code, u16 *pream_table,
void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
{
- u32 num_tx_chain;
+ u32 num_tx_chain, rate_max;
u8 rate_code[WMI_TPC_RATE_MAX];
u16 pream_table[WMI_TPC_PREAM_TABLE_MAX];
struct wmi_pdev_tpc_config_event *ev;
@@ -4806,6 +4803,13 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
return;
}
+ rate_max = __le32_to_cpu(ev->rate_max);
+ if (rate_max > WMI_TPC_RATE_MAX) {
+ ath10k_warn(ar, "number of rate is %d greater than TPC configured rate %d\n",
+ rate_max, WMI_TPC_RATE_MAX);
+ rate_max = WMI_TPC_RATE_MAX;
+ }
+
tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
if (!tpc_stats)
return;
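Review bot: rate_max is a u32 but the new ath10k_warn() formats it with %d, so a large firmware value is printed as a negative number; use %u. Also, an out-of-range rate_max is clamped and processing continues with the remaining fields of a report already known to be inconsistent; a comment on why clamping rather than rejecting is safe here would help.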
@@ -4822,8 +4826,8 @@ void ath10k_wmi_event_pdev_tpc_config(struct ath10k *ar, struct sk_buff *skb)
__le32_to_cpu(ev->twice_antenna_reduction);
tpc_stats->power_limit = __le32_to_cpu(ev->power_limit);
tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power);
- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max);
+ tpc_stats->num_tx_chain = num_tx_chain;
+ tpc_stats->rate_max = rate_max;
ath10k_tpc_config_disp_tables(ar, ev, tpc_stats,
rate_code, pream_table,
@@ -5018,16 +5022,13 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar,
}
pream_idx = 0;
- for (i = 0; i < __le32_to_cpu(ev->rate_max); i++) {
+ for (i = 0; i < tpc_stats->rate_max; i++) {
memset(tpc_value, 0, sizeof(tpc_value));
memset(buff, 0, sizeof(buff));
if (i == pream_table[pream_idx])
pream_idx++;
- for (j = 0; j < WMI_TPC_TX_N_CHAIN; j++) {
- if (j >= __le32_to_cpu(ev->num_tx_chain))
- break;
-
+ for (j = 0; j < tpc_stats->num_tx_chain; j++) {
tpc[j] = ath10k_wmi_tpc_final_get_rate(ar, ev, i, j + 1,
rate_code[i],
type, pream_idx);
@@ -5043,7 +5044,7 @@ ath10k_wmi_tpc_stats_final_disp_tables(struct ath10k *ar,
void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
{
- u32 num_tx_chain;
+ u32 num_tx_chain, rate_max;
u8 rate_code[WMI_TPC_FINAL_RATE_MAX];
u16 pream_table[WMI_TPC_PREAM_TABLE_MAX];
struct wmi_pdev_tpc_final_table_event *ev;
@@ -5051,12 +5052,24 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
ev = (struct wmi_pdev_tpc_final_table_event *)skb->data;
+ num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
+ if (num_tx_chain > WMI_TPC_TX_N_CHAIN) {
+ ath10k_warn(ar, "number of tx chain is %d greater than TPC final configured tx chain %d\n",
+ num_tx_chain, WMI_TPC_TX_N_CHAIN);
+ return;
+ }
+
+ rate_max = __le32_to_cpu(ev->rate_max);
+ if (rate_max > WMI_TPC_FINAL_RATE_MAX) {
+ ath10k_warn(ar, "number of rate is %d greater than TPC final configured rate %d\n",
+ rate_max, WMI_TPC_FINAL_RATE_MAX);
+ rate_max = WMI_TPC_FINAL_RATE_MAX;
+ }
+
tpc_stats = kzalloc(sizeof(*tpc_stats), GFP_ATOMIC);
if (!tpc_stats)
return;
- num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
-
ath10k_wmi_tpc_config_get_rate_code(rate_code, pream_table,
num_tx_chain);
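Review bot: The two new checks treat bad firmware values differently: num_tx_chain above WMI_TPC_TX_N_CHAIN returns, while rate_max above WMI_TPC_FINAL_RATE_MAX is clamped and processing continues, whereas the commit message describes a single "print a warning and reset". Please document why the two cases differ. Both warnings print u32 values with %d, and ev is read straight from skb->data with no length check visible in this hunk.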
@@ -5069,8 +5082,8 @@ void ath10k_wmi_event_tpc_final_table(struct ath10k *ar, struct sk_buff *skb)
__le32_to_cpu(ev->twice_antenna_reduction);
tpc_stats->power_limit = __le32_to_cpu(ev->power_limit);
tpc_stats->twice_max_rd_power = __le32_to_cpu(ev->twice_max_rd_power);
- tpc_stats->num_tx_chain = __le32_to_cpu(ev->num_tx_chain);
- tpc_stats->rate_max = __le32_to_cpu(ev->rate_max);
+ tpc_stats->num_tx_chain = num_tx_chain;
+ tpc_stats->rate_max = rate_max;
ath10k_wmi_tpc_stats_final_disp_tables(ar, ev, tpc_stats,
rate_code, pream_table,
--
2.25.1
From: Divya Indi <[email protected]>
[ Upstream commit e585e6469d6f476b82aa148dc44aaf7ae269a4e2 ]
A trace array can be destroyed from userspace or kernel. Verify if the
trace array exists before proceeding to destroy/remove it.
Link: http://lkml.kernel.org/r/[email protected]
Reviewed-by: Aruna Ramakrishna <[email protected]>
Signed-off-by: Divya Indi <[email protected]>
[ Removed unneeded braces ]
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/module.c | 6 +++++-
kernel/trace/trace.c | 15 ++++++++++++---
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/kernel/module.c b/kernel/module.c
index 819c5d3b4c295..0e3743dd3a568 100644
--- a/kernel/module.c
+++ b/kernel/module.c
@@ -3753,7 +3753,6 @@ static int complete_formation(struct module *mod, struct load_info *info)
module_enable_ro(mod, false);
module_enable_nx(mod);
- module_enable_x(mod);
/* Mark state as coming so strong_try_module_get() ignores us,
* but kallsyms etc. can see us. */
@@ -3776,6 +3775,11 @@ static int prepare_coming_module(struct module *mod)
if (err)
return err;
+ /* Make module executable after ftrace is enabled */
+ mutex_lock(&module_mutex);
+ module_enable_x(mod);
+ mutex_unlock(&module_mutex);
+
blocking_notifier_call_chain(&module_notify_list,
MODULE_STATE_COMING, mod);
return 0;
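Review bot: Neither kernel/module.c hunk is covered by the commit message, which only describes checking that a trace array exists before destroying it. Moving module_enable_x() out of complete_formation() into prepare_coming_module() changes when module text becomes executable; that needs its own justification in the message, or it should be a separate patch.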
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index f9c2bdbbd8936..cd3d91554aff1 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8502,17 +8502,26 @@ static int __remove_instance(struct trace_array *tr)
return 0;
}
-int trace_array_destroy(struct trace_array *tr)
+int trace_array_destroy(struct trace_array *this_tr)
{
+ struct trace_array *tr;
int ret;
- if (!tr)
+ if (!this_tr)
return -EINVAL;
mutex_lock(&event_mutex);
mutex_lock(&trace_types_lock);
- ret = __remove_instance(tr);
+ ret = -ENODEV;
+
+ /* Making sure trace array exists before destroying it. */
+ list_for_each_entry(tr, &ftrace_trace_arrays, list) {
+ if (tr == this_tr) {
+ ret = __remove_instance(tr);
+ break;
+ }
+ }
mutex_unlock(&trace_types_lock);
mutex_unlock(&event_mutex);
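Review bot: trace_array_destroy() now returns -ENODEV when this_tr is not found on ftrace_trace_arrays, a return value in-kernel callers have not seen before; please document it where the function is described. The list walk validates this_tr by pointer value only, so it cannot tell a live instance from a new one allocated at a recycled address, and callers still need to hold a reference for the check to be meaningful.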
--
2.25.1
From: Oleh Kravchenko <[email protected]>
[ Upstream commit 7c6082b903ac28dc3f383fba57c6f9e7e2594178 ]
Error was detected by PVS-Studio:
V512 A call of the 'sprintf' function will lead to overflow of
the buffer 'led_data->led_cdev_name'.
Acked-by: Jacek Anaszewski <[email protected]>
Acked-by: Pavel Machek <[email protected]>
Signed-off-by: Oleh Kravchenko <[email protected]>
Signed-off-by: Pavel Machek <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/leds/leds-mlxreg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/leds/leds-mlxreg.c b/drivers/leds/leds-mlxreg.c
index cabe379071a7c..82aea1cd0c125 100644
--- a/drivers/leds/leds-mlxreg.c
+++ b/drivers/leds/leds-mlxreg.c
@@ -228,8 +228,8 @@ static int mlxreg_led_config(struct mlxreg_led_priv_data *priv)
brightness = LED_OFF;
led_data->base_color = MLXREG_LED_GREEN_SOLID;
}
- sprintf(led_data->led_cdev_name, "%s:%s", "mlxreg",
- data->label);
+ snprintf(led_data->led_cdev_name, sizeof(led_data->led_cdev_name),
+ "mlxreg:%s", data->label);
led_cdev->name = led_data->led_cdev_name;
led_cdev->brightness = brightness;
led_cdev->max_brightness = LED_ON;
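Review bot: snprintf() stops the overflow, but its return value is ignored, so a data->label too long for led_cdev_name is silently truncated and two labels sharing a long prefix would produce the same LED name. Compare the return value against sizeof(led_data->led_cdev_name) and fail or warn on truncation.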
--
2.25.1
From: Pierre Crégut <[email protected]>
[ Upstream commit 35ff867b76576e32f34c698ccd11343f7d616204 ]
When sriov_numvfs is being updated, we call the driver->sriov_configure()
function, which may enable VFs and call probe functions, which may make new
devices visible. This all happens before sriov_numvfs_store()
updates sriov->num_VFs, so previously, concurrent sysfs reads of
sriov_numvfs returned stale values.
Serialize the sysfs read vs the write so the read returns the correct
num_VFs value.
[bhelgaas: hold device_lock instead of checking mutex_is_locked()]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202991
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Pierre Crégut <[email protected]>
Signed-off-by: Bjorn Helgaas <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/pci/iov.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/pci/iov.c b/drivers/pci/iov.c
index deec9f9e0b616..9c116cbaa95d8 100644
--- a/drivers/pci/iov.c
+++ b/drivers/pci/iov.c
@@ -253,8 +253,14 @@ static ssize_t sriov_numvfs_show(struct device *dev,
char *buf)
{
struct pci_dev *pdev = to_pci_dev(dev);
+ u16 num_vfs;
+
+ /* Serialize vs sriov_numvfs_store() so readers see valid num_VFs */
+ device_lock(&pdev->dev);
+ num_vfs = pdev->sriov->num_VFs;
+ device_unlock(&pdev->dev);
- return sprintf(buf, "%u\n", pdev->sriov->num_VFs);
+ return sprintf(buf, "%u\n", num_vfs);
}
/*
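Review bot: Taking device_lock() in sriov_numvfs_show() means a sysfs read now waits for the whole of sriov_numvfs_store(), which per the commit message includes driver->sriov_configure() and VF probing. Please extend the comment above the lock to say the read can block for that long, so that the cost of the serialization is recorded next to it.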
--
2.25.1
From: Iurii Zaikin <[email protected]>
[ Upstream commit 2cb80dbbbaba4f2f86f686c34cb79ea5cbfb0edb ]
KUnit tests for initialized data behavior of proc_dointvec that is
explicitly checked in the code. Includes basic parsing tests including
int min/max overflow.
Signed-off-by: Iurii Zaikin <[email protected]>
Signed-off-by: Brendan Higgins <[email protected]>
Reviewed-by: Greg Kroah-Hartman <[email protected]>
Reviewed-by: Logan Gunthorpe <[email protected]>
Acked-by: Luis Chamberlain <[email protected]>
Reviewed-by: Stephen Boyd <[email protected]>
Signed-off-by: Shuah Khan <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/Makefile | 2 +
kernel/sysctl-test.c | 392 +++++++++++++++++++++++++++++++++++++++++++
lib/Kconfig.debug | 11 ++
3 files changed, 405 insertions(+)
create mode 100644 kernel/sysctl-test.c
diff --git a/kernel/Makefile b/kernel/Makefile
index 42557f251fea6..f2cc0d118a0bc 100644
--- a/kernel/Makefile
+++ b/kernel/Makefile
@@ -115,6 +115,8 @@ obj-$(CONFIG_TORTURE_TEST) += torture.o
obj-$(CONFIG_HAS_IOMEM) += iomem.o
obj-$(CONFIG_RSEQ) += rseq.o
+obj-$(CONFIG_SYSCTL_KUNIT_TEST) += sysctl-test.o
+
obj-$(CONFIG_GCC_PLUGIN_STACKLEAK) += stackleak.o
KASAN_SANITIZE_stackleak.o := n
KCOV_INSTRUMENT_stackleak.o := n
diff --git a/kernel/sysctl-test.c b/kernel/sysctl-test.c
new file mode 100644
index 0000000000000..2a63241a8453b
--- /dev/null
+++ b/kernel/sysctl-test.c
@@ -0,0 +1,392 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * KUnit test of proc sysctl.
+ */
+
+#include <kunit/test.h>
+#include <linux/sysctl.h>
+
+#define KUNIT_PROC_READ 0
+#define KUNIT_PROC_WRITE 1
+
+static int i_zero;
+static int i_one_hundred = 100;
+
+/*
+ * Test that proc_dointvec will not try to use a NULL .data field even when the
+ * length is non-zero.
+ */
+static void sysctl_test_api_dointvec_null_tbl_data(struct kunit *test)
+{
+ struct ctl_table null_data_table = {
+ .procname = "foo",
+ /*
+ * Here we are testing that proc_dointvec behaves correctly when
+ * we give it a NULL .data field. Normally this would point to a
+ * piece of memory where the value would be stored.
+ */
+ .data = NULL,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ /*
+ * proc_dointvec expects a buffer in user space, so we allocate one. We
+ * also need to cast it to __user so sparse doesn't get mad.
+ */
+ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
+ GFP_USER);
+ size_t len;
+ loff_t pos;
+
+ /*
+ * We don't care what the starting length is since proc_dointvec should
+ * not try to read because .data is NULL.
+ */
+ len = 1234;
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table,
+ KUNIT_PROC_READ, buffer, &len,
+ &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+
+ /*
+ * See above.
+ */
+ len = 1234;
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&null_data_table,
+ KUNIT_PROC_WRITE, buffer, &len,
+ &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+}
+
+/*
+ * Similar to the previous test, we create a struct ctrl_table that has a .data
+ * field that proc_dointvec cannot do anything with; however, this time it is
+ * because we tell proc_dointvec that the size is 0.
+ */
+static void sysctl_test_api_dointvec_table_maxlen_unset(struct kunit *test)
+{
+ int data = 0;
+ struct ctl_table data_maxlen_unset_table = {
+ .procname = "foo",
+ .data = &data,
+ /*
+ * So .data is no longer NULL, but we tell proc_dointvec its
+ * length is 0, so it still shouldn't try to use it.
+ */
+ .maxlen = 0,
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
+ GFP_USER);
+ size_t len;
+ loff_t pos;
+
+ /*
+ * As before, we don't care what buffer length is because proc_dointvec
+ * cannot do anything because its internal .data buffer has zero length.
+ */
+ len = 1234;
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&data_maxlen_unset_table,
+ KUNIT_PROC_READ, buffer, &len,
+ &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+
+ /*
+ * See previous comment.
+ */
+ len = 1234;
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&data_maxlen_unset_table,
+ KUNIT_PROC_WRITE, buffer, &len,
+ &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+}
+
+/*
+ * Here we provide a valid struct ctl_table, but we try to read and write from
+ * it using a buffer of zero length, so it should still fail in a similar way as
+ * before.
+ */
+static void sysctl_test_api_dointvec_table_len_is_zero(struct kunit *test)
+{
+ int data = 0;
+ /* Good table. */
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
+ GFP_USER);
+ /*
+ * However, now our read/write buffer has zero length.
+ */
+ size_t len = 0;
+ loff_t pos;
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, buffer,
+ &len, &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE, buffer,
+ &len, &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+}
+
+/*
+ * Test that proc_dointvec refuses to read when the file position is non-zero.
+ */
+static void sysctl_test_api_dointvec_table_read_but_position_set(
+ struct kunit *test)
+{
+ int data = 0;
+ /* Good table. */
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ void __user *buffer = (void __user *)kunit_kzalloc(test, sizeof(int),
+ GFP_USER);
+ /*
+ * We don't care about our buffer length because we start off with a
+ * non-zero file position.
+ */
+ size_t len = 1234;
+ /*
+ * proc_dointvec should refuse to read into the buffer since the file
+ * pos is non-zero.
+ */
+ loff_t pos = 1;
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ, buffer,
+ &len, &pos));
+ KUNIT_EXPECT_EQ(test, (size_t)0, len);
+}
+
+/*
+ * Test that we can read a two digit number in a sufficiently size buffer.
+ * Nothing fancy.
+ */
+static void sysctl_test_dointvec_read_happy_single_positive(struct kunit *test)
+{
+ int data = 0;
+ /* Good table. */
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ size_t len = 4;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+ /* Store 13 in the data field. */
+ *((int *)table.data) = 13;
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ,
+ user_buffer, &len, &pos));
+ KUNIT_ASSERT_EQ(test, (size_t)3, len);
+ buffer[len] = '\0';
+ /* And we read 13 back out. */
+ KUNIT_EXPECT_STREQ(test, "13\n", buffer);
+}
+
+/*
+ * Same as previous test, just now with negative numbers.
+ */
+static void sysctl_test_dointvec_read_happy_single_negative(struct kunit *test)
+{
+ int data = 0;
+ /* Good table. */
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ size_t len = 5;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+ *((int *)table.data) = -16;
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_READ,
+ user_buffer, &len, &pos));
+ KUNIT_ASSERT_EQ(test, (size_t)4, len);
+ buffer[len] = '\0';
+ KUNIT_EXPECT_STREQ(test, "-16\n", (char *)buffer);
+}
+
+/*
+ * Test that a simple positive write works.
+ */
+static void sysctl_test_dointvec_write_happy_single_positive(struct kunit *test)
+{
+ int data = 0;
+ /* Good table. */
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ char input[] = "9";
+ size_t len = sizeof(input) - 1;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+
+ memcpy(buffer, input, len);
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE,
+ user_buffer, &len, &pos));
+ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len);
+ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, (size_t)pos);
+ KUNIT_EXPECT_EQ(test, 9, *((int *)table.data));
+}
+
+/*
+ * Same as previous test, but now with negative numbers.
+ */
+static void sysctl_test_dointvec_write_happy_single_negative(struct kunit *test)
+{
+ int data = 0;
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ char input[] = "-9";
+ size_t len = sizeof(input) - 1;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+
+ memcpy(buffer, input, len);
+
+ KUNIT_EXPECT_EQ(test, 0, proc_dointvec(&table, KUNIT_PROC_WRITE,
+ user_buffer, &len, &pos));
+ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, len);
+ KUNIT_EXPECT_EQ(test, sizeof(input) - 1, (size_t)pos);
+ KUNIT_EXPECT_EQ(test, -9, *((int *)table.data));
+}
+
+/*
+ * Test that writing a value smaller than the minimum possible value is not
+ * allowed.
+ */
+static void sysctl_test_api_dointvec_write_single_less_int_min(
+ struct kunit *test)
+{
+ int data = 0;
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ size_t max_len = 32, len = max_len;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, max_len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+ unsigned long abs_of_less_than_min = (unsigned long)INT_MAX
+ - (INT_MAX + INT_MIN) + 1;
+
+ /*
+ * We use this rigmarole to create a string that contains a value one
+ * less than the minimum accepted value.
+ */
+ KUNIT_ASSERT_LT(test,
+ (size_t)snprintf(buffer, max_len, "-%lu",
+ abs_of_less_than_min),
+ max_len);
+
+ KUNIT_EXPECT_EQ(test, -EINVAL, proc_dointvec(&table, KUNIT_PROC_WRITE,
+ user_buffer, &len, &pos));
+ KUNIT_EXPECT_EQ(test, max_len, len);
+ KUNIT_EXPECT_EQ(test, 0, *((int *)table.data));
+}
+
+/*
+ * Test that writing the maximum possible value works.
+ */
+static void sysctl_test_api_dointvec_write_single_greater_int_max(
+ struct kunit *test)
+{
+ int data = 0;
+ struct ctl_table table = {
+ .procname = "foo",
+ .data = &data,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = proc_dointvec,
+ .extra1 = &i_zero,
+ .extra2 = &i_one_hundred,
+ };
+ size_t max_len = 32, len = max_len;
+ loff_t pos = 0;
+ char *buffer = kunit_kzalloc(test, max_len, GFP_USER);
+ char __user *user_buffer = (char __user *)buffer;
+ unsigned long greater_than_max = (unsigned long)INT_MAX + 1;
+
+ KUNIT_ASSERT_GT(test, greater_than_max, (unsigned long)INT_MAX);
+ KUNIT_ASSERT_LT(test, (size_t)snprintf(buffer, max_len, "%lu",
+ greater_than_max),
+ max_len);
+ KUNIT_EXPECT_EQ(test, -EINVAL, proc_dointvec(&table, KUNIT_PROC_WRITE,
+ user_buffer, &len, &pos));
+ KUNIT_ASSERT_EQ(test, max_len, len);
+ KUNIT_EXPECT_EQ(test, 0, *((int *)table.data));
+}
+
+static struct kunit_case sysctl_test_cases[] = {
+ KUNIT_CASE(sysctl_test_api_dointvec_null_tbl_data),
+ KUNIT_CASE(sysctl_test_api_dointvec_table_maxlen_unset),
+ KUNIT_CASE(sysctl_test_api_dointvec_table_len_is_zero),
+ KUNIT_CASE(sysctl_test_api_dointvec_table_read_but_position_set),
+ KUNIT_CASE(sysctl_test_dointvec_read_happy_single_positive),
+ KUNIT_CASE(sysctl_test_dointvec_read_happy_single_negative),
+ KUNIT_CASE(sysctl_test_dointvec_write_happy_single_positive),
+ KUNIT_CASE(sysctl_test_dointvec_write_happy_single_negative),
+ KUNIT_CASE(sysctl_test_api_dointvec_write_single_less_int_min),
+ KUNIT_CASE(sysctl_test_api_dointvec_write_single_greater_int_max),
+ {}
+};
+
+static struct kunit_suite sysctl_test_suite = {
+ .name = "sysctl_test",
+ .test_cases = sysctl_test_cases,
+};
+
+kunit_test_suite(sysctl_test_suite);
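Review bot: the comment above sysctl_test_api_dointvec_write_single_greater_int_max() says "Test that writing the maximum possible value works", but the test writes INT_MAX + 1 and expects -EINVAL with the data left at 0, so the comment should say that a value greater than INT_MAX is rejected. Separately, the read and write tests use the result of kunit_kzalloc() directly (memcpy(buffer, input, len), buffer[len] = '\0') without checking it; a KUNIT_ASSERT_NOT_ERR_OR_NULL() on buffer would turn an allocation failure into a test failure instead of a NULL dereference.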
diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
index 6118d99117daa..ee00c6c8a373e 100644
--- a/lib/Kconfig.debug
+++ b/lib/Kconfig.debug
@@ -1939,6 +1939,17 @@ config TEST_SYSCTL
If unsure, say N.
+config SYSCTL_KUNIT_TEST
+ bool "KUnit test for sysctl"
+ depends on KUNIT
+ help
+ This builds the proc sysctl unit test, which runs on boot.
+ Tests the API contract and implementation correctness of sysctl.
+ For more information on KUnit and unit tests in general please refer
+ to the KUnit documentation in Documentation/dev-tools/kunit/.
+
+ If unsure, say N.
+
config TEST_UDELAY
tristate "udelay test driver"
help
--
2.25.1
From: Stephen Kitt <[email protected]>
[ Upstream commit 7f6ac72946b88b89ee44c1c527aa8591ac5ffcbe ]
The buffer allocated in ti_adpll_clk_get_name doesn't account for the
terminating null. This patch switches to devm_kasprintf to avoid
overflowing.
Signed-off-by: Stephen Kitt <[email protected]>
Link: https://lkml.kernel.org/r/[email protected]
Acked-by: Tony Lindgren <[email protected]>
Signed-off-by: Stephen Boyd <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/clk/ti/adpll.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/clk/ti/adpll.c b/drivers/clk/ti/adpll.c
index fdfb90058504c..bb2f2836dab22 100644
--- a/drivers/clk/ti/adpll.c
+++ b/drivers/clk/ti/adpll.c
@@ -194,15 +194,8 @@ static const char *ti_adpll_clk_get_name(struct ti_adpll_data *d,
if (err)
return NULL;
} else {
- const char *base_name = "adpll";
- char *buf;
-
- buf = devm_kzalloc(d->dev, 8 + 1 + strlen(base_name) + 1 +
- strlen(postfix), GFP_KERNEL);
- if (!buf)
- return NULL;
- sprintf(buf, "%08lx.%s.%s", d->pa, base_name, postfix);
- name = buf;
+ name = devm_kasprintf(d->dev, GFP_KERNEL, "%08lx.adpll.%s",
+ d->pa, postfix);
}
return name;
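Review bot: with the explicit `if (!buf) return NULL;` removed, an allocation failure in devm_kasprintf() now reaches the caller only through the trailing `return name;`. That preserves the old behaviour, but it is easy to miss when reading the else branch, so a short comment there (or a note in the commit message that the NULL return is unchanged) would help. The commit message could also mention that `%08lx` is a minimum width, which the old fixed "8" in the size calculation did not allow for either.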
--
2.25.1
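The sizing error described in the commit message above, as an added userspace example (not code from the patch or the driver): old_alloc_size() reproduces the removed arithmetic, and format_alloc() is a hypothetical stand-in for the measure-then-allocate pattern that devm_kasprintf() provides. The address and postfix are constructed sample values.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ADPLL_FMT "%08lx.adpll.%s"

/* Size the removed code requested: 8 hex digits, two dots, both strings. */
static size_t old_alloc_size(const char *postfix)
{
	const char *base_name = "adpll";

	return 8 + 1 + strlen(base_name) + 1 + strlen(postfix);
}

/* Bytes the formatted name occupies, terminating NUL included. */
static size_t needed_size(unsigned long pa, const char *postfix)
{
	int n = snprintf(NULL, 0, ADPLL_FMT, pa, postfix);

	return n < 0 ? 0 : (size_t)n + 1;
}

/*
 * Bytes sprintf() would have written past the old allocation. %08lx is a
 * minimum width, so an address needing more than 8 digits adds to this.
 */
static size_t overflow_bytes(unsigned long pa, const char *postfix)
{
	size_t need = needed_size(pa, postfix);
	size_t had = old_alloc_size(postfix);

	return need > had ? need - had : 0;
}

/*
 * Hypothetical userspace stand-in for the kasprintf() pattern: measure the
 * output, allocate exactly that much, then format. NULL on failure; the
 * caller frees the result.
 */
static char *format_alloc(const char *fmt, ...)
{
	va_list ap, ap2;
	char *buf;
	int n;

	va_start(ap, fmt);
	va_copy(ap2, ap);
	n = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	if (n < 0) {
		va_end(ap2);
		return NULL;
	}
	buf = malloc((size_t)n + 1);
	if (buf)
		vsnprintf(buf, (size_t)n + 1, fmt, ap2);
	va_end(ap2);
	return buf;
}

/* Name built the way the patched code builds it. */
static char *adpll_name(unsigned long pa, const char *postfix)
{
	return format_alloc(ADPLL_FMT, pa, postfix);
}

int main(void)
{
	unsigned long pa = 0x44e0a000UL;	/* constructed sample address */
	const char *postfix = "clkout";		/* constructed sample postfix */
	char *name = adpll_name(pa, postfix);

	if (!name)
		return 1;
	printf("%s: old buffer %zu bytes, needed %zu, overflow %zu\n", name,
	       old_alloc_size(postfix), needed_size(pa, postfix),
	       overflow_bytes(pa, postfix));
	free(name);
	return 0;
}
```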
From: Dave Chinner <[email protected]>
[ Upstream commit 249bd9087a5264d2b8a974081870e2e27671b4dc ]
AIO+DIO can extend the file size on IO completion, and it holds
no inode locks while the IO is in flight. Therefore, a race
condition exists in file size updates if we do something like this:
aio-thread                      fallocate-thread
lock inode
submit IO beyond inode->i_size
unlock inode
.....
                                lock inode
                                break layouts
                                if (off + len > inode->i_size)
                                        new_size = off + len
                                .....
                                inode_dio_wait()
                                <blocks>
.....
completes
inode->i_size updated
inode_dio_done()
....
                                <wakes>
                                <does stuff no longer beyond EOF>
                                if (new_size)
                                        xfs_vn_setattr(inode, new_size)
Yup, that attempt to extend the file size in the fallocate code
turns into a truncate - it removes whatever the aio write
allocated and put to disk, and reduces the inode size back down to
where the fallocate operation ends.
Fundamentally, xfs_file_fallocate() is not compatible with racing
AIO+DIO completions, so we need to move the inode_dio_wait() call
up to where we lock the inode and break the layouts.
Secondly, storing the inode size and then using it unchecked without
holding the ILOCK is not safe; we can only do such a thing if we've
locked out and drained all IO and other modification operations,
which we don't do initially in xfs_file_fallocate.
It should be noted that some of the fallocate operations are
compound operations - they are made up of multiple manipulations
that may zero data, and so we may need to flush and invalidate the
file multiple times during an operation. However, we only need to
lock out IO and other space manipulation operations once, as that
lockout is maintained until the entire fallocate operation has been
completed.
Signed-off-by: Dave Chinner <[email protected]>
Reviewed-by: Christoph Hellwig <[email protected]>
Reviewed-by: Brian Foster <[email protected]>
Reviewed-by: Darrick J. Wong <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/xfs_bmap_util.c | 8 +-------
fs/xfs/xfs_file.c | 30 ++++++++++++++++++++++++++++++
fs/xfs/xfs_ioctl.c | 1 +
3 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 0c71acc1b8317..d6d78e1276254 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -1039,6 +1039,7 @@ out_trans_cancel:
goto out_unlock;
}
+/* Caller must first wait for the completion of any pending DIOs if required. */
int
xfs_flush_unmap_range(
struct xfs_inode *ip,
@@ -1050,9 +1051,6 @@ xfs_flush_unmap_range(
xfs_off_t rounding, start, end;
int error;
- /* wait for the completion of any pending DIOs */
- inode_dio_wait(inode);
-
rounding = max_t(xfs_off_t, 1 << mp->m_sb.sb_blocklog, PAGE_SIZE);
start = round_down(offset, rounding);
end = round_up(offset + len, rounding) - 1;
@@ -1084,10 +1082,6 @@ xfs_free_file_space(
if (len <= 0) /* if nothing being freed */
return 0;
- error = xfs_flush_unmap_range(ip, offset, len);
- if (error)
- return error;
-
startoffset_fsb = XFS_B_TO_FSB(mp, offset);
endoffset_fsb = XFS_B_TO_FSBT(mp, offset + len);
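Review bot: xfs_free_file_space() loses its xfs_flush_unmap_range() call here but gains no comment stating the new precondition, whereas xfs_flush_unmap_range() itself received a "Caller must first wait..." comment in the first hunk. Add a matching comment above xfs_free_file_space() saying that the caller must have drained DIO and flushed and invalidated the range, so that future callers do not assume the function still does it.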
diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
index 1e2176190c86f..203065a647652 100644
--- a/fs/xfs/xfs_file.c
+++ b/fs/xfs/xfs_file.c
@@ -818,6 +818,36 @@ xfs_file_fallocate(
if (error)
goto out_unlock;
+ /*
+ * Must wait for all AIO to complete before we continue as AIO can
+ * change the file size on completion without holding any locks we
+ * currently hold. We must do this first because AIO can update both
+ * the on disk and in memory inode sizes, and the operations that follow
+ * require the in-memory size to be fully up-to-date.
+ */
+ inode_dio_wait(inode);
+
+ /*
+ * Now AIO and DIO has drained we flush and (if necessary) invalidate
+ * the cached range over the first operation we are about to run.
+ *
+ * We care about zero and collapse here because they both run a hole
+ * punch over the range first. Because that can zero data, and the range
+ * of invalidation for the shift operations is much larger, we still do
+ * the required flush for collapse in xfs_prepare_shift().
+ *
+ * Insert has the same range requirements as collapse, and we extend the
+ * file first which can zero data. Hence insert has the same
+ * flush/invalidate requirements as collapse and so they are both
+ * handled at the right time by xfs_prepare_shift().
+ */
+ if (mode & (FALLOC_FL_PUNCH_HOLE | FALLOC_FL_ZERO_RANGE |
+ FALLOC_FL_COLLAPSE_RANGE)) {
+ error = xfs_flush_unmap_range(ip, offset, len);
+ if (error)
+ goto out_unlock;
+ }
+
if (mode & FALLOC_FL_PUNCH_HOLE) {
error = xfs_free_file_space(ip, offset, len);
if (error)
diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
index c93c4b7328ef7..60c4526312771 100644
--- a/fs/xfs/xfs_ioctl.c
+++ b/fs/xfs/xfs_ioctl.c
@@ -622,6 +622,7 @@ xfs_ioc_space(
error = xfs_break_layouts(inode, &iolock, BREAK_UNMAP);
if (error)
goto out_unlock;
+ inode_dio_wait(inode);
switch (bf->l_whence) {
case 0: /*SEEK_SET*/
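Review bot: inode_dio_wait(inode) is added after xfs_break_layouts() without a comment, and unlike the xfs_file_fallocate() hunk no xfs_flush_unmap_range() call is added in this file, although xfs_free_file_space() no longer flushes on its own. Please confirm that every xfs_ioc_space() path that ends up freeing or zeroing space still flushes and invalidates the range, and add a one-line comment explaining why the wait is needed at this point.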
--
2.25.1
From: Divya Indi <[email protected]>
[ Upstream commit 953ae45a0c25e09428d4a03d7654f97ab8a36647 ]
As part of commit f45d1225adb0 ("tracing: Kernel access to Ftrace
instances") we exported certain functions. Here, we are adding some additional
NULL checks to ensure safe usage by users of these APIs.
Link: http://lkml.kernel.org/r/[email protected]
Signed-off-by: Divya Indi <[email protected]>
Signed-off-by: Steven Rostedt (VMware) <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
kernel/trace/trace.c | 3 +++
kernel/trace/trace_events.c | 2 ++
2 files changed, 5 insertions(+)
diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
index cd3d91554aff1..9007f5edbb207 100644
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -3233,6 +3233,9 @@ int trace_array_printk(struct trace_array *tr,
if (!(global_trace.trace_flags & TRACE_ITER_PRINTK))
return 0;
+ if (!tr)
+ return -ENOENT;
+
va_start(ap, fmt);
ret = trace_array_vprintk(tr, ip, fmt, ap);
va_end(ap);
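Review bot: the `if (!tr)` check sits after the TRACE_ITER_PRINTK test, so a NULL tr yields 0 when printk tracing is off and -ENOENT when it is on. Move the check to the top of trace_array_printk() so callers get the same error in both cases.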
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index ed9eb97b64b47..309b2b3c5349e 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -793,6 +793,8 @@ int ftrace_set_clr_event(struct trace_array *tr, char *buf, int set)
char *event = NULL, *sub = NULL, *match;
int ret;
+ if (!tr)
+ return -ENOENT;
/*
* The buf format can be <subsystem>:<event-name>
* *:<event-name> means any event by that name.
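Review bot: a blank line is missing between `return -ENOENT;` and the block comment that follows, unlike the matching check added to trace_array_printk(). Both functions also return -ENOENT for what is an invalid argument; if that code is deliberate (no such instance), state it in the function documentation so users of the exported API know what to test for.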
--
2.25.1
From: Pierre-Louis Bossart <[email protected]>
[ Upstream commit 49ea07d33d9a32c17e18b322e789507280ceb2a3 ]
Multiple changes squashed in single patch to avoid tick-tock effect
and avoid breaking compilation/bisect
1. Per the hardware documentation, all changes to MCP_CONFIG,
MCP_CONTROL, MCP_CMDCTRL and MCP_PHYCTRL need to be validated with a
self-clearing write to MCP_CONFIG_UPDATE. Add a helper and do the
update when the CONFIG is changed.
2. Move interrupt enable after interrupt handler registration
3. Add a new helper to start the hardware bus reset with maximum duration
to make sure the Slave(s) correctly detect the reset pattern and to
ensure electrical conflicts can be resolved.
4. flush command FIFOs
Better error handling will be provided after interrupt disable is
provided in follow-up patches.
Signed-off-by: Pierre-Louis Bossart <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Vinod Koul <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/soundwire/cadence_master.c | 80 +++++++++++++++++++++---------
drivers/soundwire/cadence_master.h | 1 +
drivers/soundwire/intel.c | 14 +++++-
3 files changed, 69 insertions(+), 26 deletions(-)
diff --git a/drivers/soundwire/cadence_master.c b/drivers/soundwire/cadence_master.c
index 502ed4ec8f070..e3d06330d1258 100644
--- a/drivers/soundwire/cadence_master.c
+++ b/drivers/soundwire/cadence_master.c
@@ -231,6 +231,22 @@ static int cdns_clear_bit(struct sdw_cdns *cdns, int offset, u32 value)
return -EAGAIN;
}
+/*
+ * all changes to the MCP_CONFIG, MCP_CONTROL, MCP_CMDCTRL and MCP_PHYCTRL
+ * need to be confirmed with a write to MCP_CONFIG_UPDATE
+ */
+static int cdns_update_config(struct sdw_cdns *cdns)
+{
+ int ret;
+
+ ret = cdns_clear_bit(cdns, CDNS_MCP_CONFIG_UPDATE,
+ CDNS_MCP_CONFIG_UPDATE_BIT);
+ if (ret < 0)
+ dev_err(cdns->dev, "Config update timedout\n");
+
+ return ret;
+}
+
/*
* debugfs
*/
@@ -752,7 +768,38 @@ EXPORT_SYMBOL(sdw_cdns_thread);
/*
* init routines
*/
-static int _cdns_enable_interrupt(struct sdw_cdns *cdns)
+
+/**
+ * sdw_cdns_exit_reset() - Program reset parameters and start bus operations
+ * @cdns: Cadence instance
+ */
+int sdw_cdns_exit_reset(struct sdw_cdns *cdns)
+{
+ /* program maximum length reset to be safe */
+ cdns_updatel(cdns, CDNS_MCP_CONTROL,
+ CDNS_MCP_CONTROL_RST_DELAY,
+ CDNS_MCP_CONTROL_RST_DELAY);
+
+ /* use hardware generated reset */
+ cdns_updatel(cdns, CDNS_MCP_CONTROL,
+ CDNS_MCP_CONTROL_HW_RST,
+ CDNS_MCP_CONTROL_HW_RST);
+
+ /* enable bus operations with clock and data */
+ cdns_updatel(cdns, CDNS_MCP_CONFIG,
+ CDNS_MCP_CONFIG_OP,
+ CDNS_MCP_CONFIG_OP_NORMAL);
+
+ /* commit changes */
+ return cdns_update_config(cdns);
+}
+EXPORT_SYMBOL(sdw_cdns_exit_reset);
+
+/**
+ * sdw_cdns_enable_interrupt() - Enable SDW interrupts and update config
+ * @cdns: Cadence instance
+ */
+int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns)
{
u32 mask;
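Review bot: the kernel-doc blocks for sdw_cdns_exit_reset() and sdw_cdns_enable_interrupt() have no "Return:" line, although both are exported and now return the result of cdns_update_config(). Add one stating 0 on success or the negative error from the config update. In sdw_cdns_exit_reset() the three cdns_updatel() calls are committed by a single cdns_update_config(); a comment saying the ordering of those three writes does not matter before the commit would help readers.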
@@ -784,24 +831,8 @@ static int _cdns_enable_interrupt(struct sdw_cdns *cdns)
cdns_writel(cdns, CDNS_MCP_INTMASK, mask);
- return 0;
-}
-
-/**
- * sdw_cdns_enable_interrupt() - Enable SDW interrupts and update config
- * @cdns: Cadence instance
- */
-int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns)
-{
- int ret;
-
- _cdns_enable_interrupt(cdns);
- ret = cdns_clear_bit(cdns, CDNS_MCP_CONFIG_UPDATE,
- CDNS_MCP_CONFIG_UPDATE_BIT);
- if (ret < 0)
- dev_err(cdns->dev, "Config update timedout\n");
-
- return ret;
+ /* commit changes */
+ return cdns_update_config(cdns);
}
EXPORT_SYMBOL(sdw_cdns_enable_interrupt);
@@ -975,6 +1006,10 @@ int sdw_cdns_init(struct sdw_cdns *cdns)
cdns_writel(cdns, CDNS_MCP_SSP_CTRL0, CDNS_DEFAULT_SSP_INTERVAL);
cdns_writel(cdns, CDNS_MCP_SSP_CTRL1, CDNS_DEFAULT_SSP_INTERVAL);
+ /* flush command FIFOs */
+ cdns_updatel(cdns, CDNS_MCP_CONTROL, CDNS_MCP_CONTROL_CMD_RST,
+ CDNS_MCP_CONTROL_CMD_RST);
+
/* Set cmd accept mode */
cdns_updatel(cdns, CDNS_MCP_CONTROL, CDNS_MCP_CONTROL_CMD_ACCEPT,
CDNS_MCP_CONTROL_CMD_ACCEPT);
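Review bot: CDNS_MCP_CONTROL_CMD_RST is set here and nothing in the visible lines clears it or waits for it, so the `/* flush command FIFOs */` comment should say whether the bit is self-clearing. If it is not, the FIFOs would stay in reset after init, so the point is worth stating explicitly rather than leaving to the hardware documentation.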
@@ -997,13 +1032,10 @@ int sdw_cdns_init(struct sdw_cdns *cdns)
/* Set cmd mode for Tx and Rx cmds */
val &= ~CDNS_MCP_CONFIG_CMD;
- /* Set operation to normal */
- val &= ~CDNS_MCP_CONFIG_OP;
- val |= CDNS_MCP_CONFIG_OP_NORMAL;
-
cdns_writel(cdns, CDNS_MCP_CONFIG, val);
- return 0;
+ /* commit changes */
+ return cdns_update_config(cdns);
}
EXPORT_SYMBOL(sdw_cdns_init);
diff --git a/drivers/soundwire/cadence_master.h b/drivers/soundwire/cadence_master.h
index 0b72b70947352..1a67728c5000f 100644
--- a/drivers/soundwire/cadence_master.h
+++ b/drivers/soundwire/cadence_master.h
@@ -161,6 +161,7 @@ irqreturn_t sdw_cdns_thread(int irq, void *dev_id);
int sdw_cdns_init(struct sdw_cdns *cdns);
int sdw_cdns_pdi_init(struct sdw_cdns *cdns,
struct sdw_cdns_stream_config config);
+int sdw_cdns_exit_reset(struct sdw_cdns *cdns);
int sdw_cdns_enable_interrupt(struct sdw_cdns *cdns);
#ifdef CONFIG_DEBUG_FS
diff --git a/drivers/soundwire/intel.c b/drivers/soundwire/intel.c
index 243af8198d1c6..a2da04946f0b4 100644
--- a/drivers/soundwire/intel.c
+++ b/drivers/soundwire/intel.c
@@ -1050,8 +1050,6 @@ static int intel_probe(struct platform_device *pdev)
if (ret)
goto err_init;
- ret = sdw_cdns_enable_interrupt(&sdw->cdns);
-
/* Read the PDI config and initialize cadence PDI */
intel_pdi_init(sdw, &config);
ret = sdw_cdns_pdi_init(&sdw->cdns, config);
@@ -1069,6 +1067,18 @@ static int intel_probe(struct platform_device *pdev)
goto err_init;
}
+ ret = sdw_cdns_enable_interrupt(&sdw->cdns);
+ if (ret < 0) {
+ dev_err(sdw->cdns.dev, "cannot enable interrupts\n");
+ goto err_init;
+ }
+
+ ret = sdw_cdns_exit_reset(&sdw->cdns);
+ if (ret < 0) {
+ dev_err(sdw->cdns.dev, "unable to exit bus reset sequence\n");
+ goto err_init;
+ }
+
/* Register DAIs */
ret = intel_register_dai(sdw);
if (ret) {
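Review bot: when sdw_cdns_exit_reset() fails, the `goto err_init` runs with interrupts already enabled by the preceding sdw_cdns_enable_interrupt() call, and nothing in this hunk masks them again. The commit message defers this to follow-up patches; a short comment at the second `goto err_init` would record that the gap is known.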
--
2.25.1
From: Jonathan Lebon <[email protected]>
[ Upstream commit 3e3e24b42043eceb97ed834102c2d094dfd7aaa6 ]
Currently, the SELinux LSM prevents one from setting the
`security.selinux` xattr on an inode without a policy first being
loaded. However, this restriction is problematic: it makes it impossible
to have newly created files with the correct label before actually
loading the policy.
This is relevant in distributions like Fedora, where the policy is
loaded by systemd shortly after pivoting out of the initrd. In such
instances, all files created prior to pivoting will be unlabeled. One
then has to relabel them after pivoting, an operation which inherently
races with other processes trying to access those same files.
Going further, there are use cases for creating the entire root
filesystem on first boot from the initrd (e.g. Container Linux supports
this today[1], and we'd like to support it in Fedora CoreOS as well[2]).
One can imagine doing this in two ways: at the block device level (e.g.
laying down a disk image), or at the filesystem level. In the former,
labeling can simply be part of the image. But even in the latter
scenario, one still really wants to be able to set the right labels when
populating the new filesystem.
This patch enables this by changing behaviour in the following two ways:
1. allow `setxattr` if we're not initialized
2. don't try to set the in-core inode SID if we're not initialized;
instead leave it as `LABEL_INVALID` so that revalidation may be
attempted at a later time
Note the first hunk of this patch is mostly the same as a previously
discussed one[3], though it was part of a larger series which wasn't
accepted.
[1] https://coreos.com/os/docs/latest/root-filesystem-placement.html
[2] https://github.com/coreos/fedora-coreos-tracker/issues/94
[3] https://www.spinics.net/lists/linux-initramfs/msg04593.html
Co-developed-by: Victor Kamensky <[email protected]>
Signed-off-by: Victor Kamensky <[email protected]>
Signed-off-by: Jonathan Lebon <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
security/selinux/hooks.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 552e73d90fd25..212f48025db81 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3156,6 +3156,9 @@ static int selinux_inode_setxattr(struct dentry *dentry, const char *name,
return dentry_has_perm(current_cred(), dentry, FILE__SETATTR);
}
+ if (!selinux_state.initialized)
+ return (inode_owner_or_capable(inode) ? 0 : -EPERM);
+
sbsec = inode->i_sb->s_security;
if (!(sbsec->flags & SBLABEL_MNT))
return -EOPNOTSUPP;
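Review bot: the new `if (!selinux_state.initialized)` return sits above the `SBLABEL_MNT` test, so before policy load a setxattr of security.selinux succeeds (subject to inode_owner_or_capable()) on a superblock where the same call returns -EOPNOTSUPP once the policy is loaded. If that difference is intended, say so in a comment above the check, along with the fact that the label value is not validated at this stage. The outer parentheses around the conditional expression are also unnecessary.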
@@ -3239,6 +3242,15 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name,
return;
}
+ if (!selinux_state.initialized) {
+ /* If we haven't even been initialized, then we can't validate
+ * against a policy, so leave the label as invalid. It may
+ * resolve to a valid label on the next revalidation try if
+ * we've since initialized.
+ */
+ return;
+ }
+
rc = security_context_to_sid_force(&selinux_state, value, size,
&newsid);
if (rc) {
--
2.25.1
From: Jia He <[email protected]>
[ Upstream commit 83d116c53058d505ddef051e90ab27f57015b025 ]
When we tested the pmdk unit test [1] vmmalloc_fork TEST3 on an arm64 guest, there
was a double page fault in __copy_from_user_inatomic of cow_user_page.
To reproduce the bug, the cmd is as follows after you deployed everything:
make -C src/test/vmmalloc_fork/ TEST_TIME=60m check
Below call trace is from arm64 do_page_fault for debugging purpose:
[ 110.016195] Call trace:
[ 110.016826] do_page_fault+0x5a4/0x690
[ 110.017812] do_mem_abort+0x50/0xb0
[ 110.018726] el1_da+0x20/0xc4
[ 110.019492] __arch_copy_from_user+0x180/0x280
[ 110.020646] do_wp_page+0xb0/0x860
[ 110.021517] __handle_mm_fault+0x994/0x1338
[ 110.022606] handle_mm_fault+0xe8/0x180
[ 110.023584] do_page_fault+0x240/0x690
[ 110.024535] do_mem_abort+0x50/0xb0
[ 110.025423] el0_da+0x20/0x24
The pte info before __copy_from_user_inatomic is (PTE_AF is cleared):
[ffff9b007000] pgd=000000023d4f8003, pud=000000023da9b003,
pmd=000000023d4b3003, pte=360000298607bd3
As told by Catalin: "On arm64 without hardware Access Flag, copying from
user will fail because the pte is old and cannot be marked young. So we
always end up with zeroed page after fork() + CoW for pfn mappings. We
don't always have a hardware-managed access flag on arm64."
This patch fixes it by calling pte_mkyoung. Also, the parameter is
changed because vmf should be passed to cow_user_page().
Add a WARN_ON_ONCE when __copy_from_user_inatomic() returns error
in case there can be some obscure use-case (by Kirill).
[1] https://github.com/pmem/pmdk/tree/master/src/test/vmmalloc_fork
Signed-off-by: Jia He <[email protected]>
Reported-by: Yibo Cai <[email protected]>
Reviewed-by: Catalin Marinas <[email protected]>
Acked-by: Kirill A. Shutemov <[email protected]>
Signed-off-by: Catalin Marinas <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
mm/memory.c | 104 ++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 89 insertions(+), 15 deletions(-)
diff --git a/mm/memory.c b/mm/memory.c
index cb7c940cf800c..9ea917e28ef4e 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -118,6 +118,18 @@ int randomize_va_space __read_mostly =
2;
#endif
+#ifndef arch_faults_on_old_pte
+static inline bool arch_faults_on_old_pte(void)
+{
+ /*
+ * Those arches which don't have hw access flag feature need to
+ * implement their own helper. By default, "true" means pagefault
+ * will be hit on old pte.
+ */
+ return true;
+}
+#endif
+
static int __init disable_randmaps(char *s)
{
randomize_va_space = 0;
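Review bot: the comment inside arch_faults_on_old_pte() reads as if architectures without a hardware access flag must provide their own helper, but the default already returns true for them; it is the architectures that do have a hardware-managed access flag that need a definition returning false. Reword the comment so it matches the `#ifndef` default.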
@@ -2145,32 +2157,82 @@ static inline int pte_unmap_same(struct mm_struct *mm, pmd_t *pmd,
return same;
}
-static inline void cow_user_page(struct page *dst, struct page *src, unsigned long va, struct vm_area_struct *vma)
+static inline bool cow_user_page(struct page *dst, struct page *src,
+ struct vm_fault *vmf)
{
+ bool ret;
+ void *kaddr;
+ void __user *uaddr;
+ bool force_mkyoung;
+ struct vm_area_struct *vma = vmf->vma;
+ struct mm_struct *mm = vma->vm_mm;
+ unsigned long addr = vmf->address;
+
debug_dma_assert_idle(src);
+ if (likely(src)) {
+ copy_user_highpage(dst, src, addr, vma);
+ return true;
+ }
+
/*
* If the source page was a PFN mapping, we don't have
* a "struct page" for it. We do a best-effort copy by
* just copying from the original user address. If that
* fails, we just zero-fill it. Live with it.
*/
- if (unlikely(!src)) {
- void *kaddr = kmap_atomic(dst);
- void __user *uaddr = (void __user *)(va & PAGE_MASK);
+ kaddr = kmap_atomic(dst);
+ uaddr = (void __user *)(addr & PAGE_MASK);
+
+ /*
+ * On architectures with software "accessed" bits, we would
+ * take a double page fault, so mark it accessed here.
+ */
+ force_mkyoung = arch_faults_on_old_pte() && !pte_young(vmf->orig_pte);
+ if (force_mkyoung) {
+ pte_t entry;
+
+ vmf->pte = pte_offset_map_lock(mm, vmf->pmd, addr, &vmf->ptl);
+ if (!likely(pte_same(*vmf->pte, vmf->orig_pte))) {
+ /*
+ * Other thread has already handled the fault
+ * and we don't need to do anything. If it's
+ * not the case, the fault will be triggered
+ * again on the same address.
+ */
+ ret = false;
+ goto pte_unlock;
+ }
+ entry = pte_mkyoung(vmf->orig_pte);
+ if (ptep_set_access_flags(vma, addr, vmf->pte, entry, 0))
+ update_mmu_cache(vma, addr, vmf->pte);
+ }
+
+ /*
+ * This really shouldn't fail, because the page is there
+ * in the page tables. But it might just be unreadable,
+ * in which case we just give up and fill the result with
+ * zeroes.
+ */
+ if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE)) {
/*
- * This really shouldn't fail, because the page is there
- * in the page tables. But it might just be unreadable,
- * in which case we just give up and fill the result with
- * zeroes.
+ * Give a warn in case there can be some obscure
+ * use-case
*/
- if (__copy_from_user_inatomic(kaddr, uaddr, PAGE_SIZE))
- clear_page(kaddr);
- kunmap_atomic(kaddr);
- flush_dcache_page(dst);
- } else
- copy_user_highpage(dst, src, va, vma);
+ WARN_ON_ONCE(1);
+ clear_page(kaddr);
+ }
+
+ ret = true;
+
+pte_unlock:
+ if (force_mkyoung)
+ pte_unmap_unlock(vmf->pte, vmf->ptl);
+ kunmap_atomic(kaddr);
+ flush_dcache_page(dst);
+
+ return ret;
}
static gfp_t __get_fault_gfp_mask(struct vm_area_struct *vma)
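Review bot: in cow_user_page() the PTE lock is taken and pte_same() is checked only when force_mkyoung is true; otherwise __copy_from_user_inatomic() runs with no check that the PTE still matches vmf->orig_pte, and a failed copy on that path hits WARN_ON_ONCE(1) and zero-fills the page. Consider re-checking the PTE under the lock before treating a copy failure as unexpected, since a warning that unprivileged activity can trigger is a problem on systems that panic on warn. As a style point, `if (!likely(pte_same(...)))` is conventionally written `if (unlikely(!pte_same(...)))`.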
@@ -2342,7 +2404,19 @@ static vm_fault_t wp_page_copy(struct vm_fault *vmf)
vmf->address);
if (!new_page)
goto oom;
- cow_user_page(new_page, old_page, vmf->address, vma);
+
+ if (!cow_user_page(new_page, old_page, vmf)) {
+ /*
+ * COW failed, if the fault was solved by other,
+ * it's fine. If not, userspace would re-fault on
+ * the same address and we will handle the fault
+ * from the second attempt.
+ */
+ put_page(new_page);
+ if (old_page)
+ put_page(old_page);
+ return 0;
+ }
}
if (mem_cgroup_try_charge_delay(new_page, mm, GFP_KERNEL, &memcg, false))
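Review bot: cow_user_page() can return false only on its `!src` path, because the `likely(src)` branch returns true, so old_page is always NULL when this failure block runs and `if (old_page) put_page(old_page);` never executes here. Either drop it or note in the comment that it is kept for symmetry with the other exit paths.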
--
2.25.1
From: Miaoqing Pan <[email protected]>
[ Upstream commit 486a8849843455298d49e694cca9968336ce2327 ]
The memory of ar->debug.tpc_stats_final is reallocated on every debugfs
read; it should be freed in ath10k_debug_destroy() for the last
allocation.
Tested HW: QCA9984
Tested FW: 10.4-3.9.0.2-00035
Signed-off-by: Miaoqing Pan <[email protected]>
Signed-off-by: Kalle Valo <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/net/wireless/ath/ath10k/debug.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/ath/ath10k/debug.c b/drivers/net/wireless/ath/ath10k/debug.c
index 40baf25ac99f3..04c50a26a4f47 100644
--- a/drivers/net/wireless/ath/ath10k/debug.c
+++ b/drivers/net/wireless/ath/ath10k/debug.c
@@ -2532,6 +2532,7 @@ void ath10k_debug_destroy(struct ath10k *ar)
ath10k_debug_fw_stats_reset(ar);
kfree(ar->debug.tpc_stats);
+ kfree(ar->debug.tpc_stats_final);
}
int ath10k_debug_register(struct ath10k *ar)
--
2.25.1
From: Kangjie Lu <[email protected]>
[ Upstream commit 57a25a5f754ce27da2cfa6f413cfd366f878db76 ]
`best_clock` is an object that may be sent out. Object `clock`
contains uninitialized bytes that are copied to `best_clock`,
which leads to memory disclosure and information leak.
Signed-off-by: Kangjie Lu <[email protected]>
Signed-off-by: Daniel Vetter <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
---
drivers/gpu/drm/gma500/cdv_intel_display.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/gma500/cdv_intel_display.c b/drivers/gpu/drm/gma500/cdv_intel_display.c
index f56852a503e8d..8b784947ed3b9 100644
--- a/drivers/gpu/drm/gma500/cdv_intel_display.c
+++ b/drivers/gpu/drm/gma500/cdv_intel_display.c
@@ -405,6 +405,8 @@ static bool cdv_intel_find_dp_pll(const struct gma_limit_t *limit,
struct gma_crtc *gma_crtc = to_gma_crtc(crtc);
struct gma_clock_t clock;
+ memset(&clock, 0, sizeof(clock));
+
switch (refclk) {
case 27000:
if (target < 200000) {
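Review bot: the memset() has no comment explaining why it is there. A line above it saying that `clock` is later copied whole into `best_clock` would stop a later cleanup from replacing it with a `= {}` initializer, which is not guaranteed to clear padding bytes the way memset() does.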
--
2.25.1
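The disclosure pattern described in the commit message above, as an added userspace example (not code from the patch or the driver): a local struct is only partly filled in and then copied out whole. struct clock_rec, its fields and the 0xAA marker are hypothetical; the marker simulates whatever an earlier stack frame left behind so the result is deterministic.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define STALE 0xAA	/* marker for bytes left over from earlier stack use */

/* Hypothetical clock record; field names are illustrative only. */
struct clock_rec {
	char valid;	/* followed by padding on common ABIs */
	int n;
	int m1;
	int m2;
	int dot;	/* never written by fill_clock() below */
};

/* Mimics a routine that sets only some members of a local struct. */
static void fill_clock(struct clock_rec *c)
{
	c->valid = 1;
	c->n = 1;
	c->m1 = 2;
	c->m2 = 3;
}

/* Count the bytes of *out that still carry the stale marker. */
static size_t stale_bytes(const struct clock_rec *out)
{
	const unsigned char *p = (const unsigned char *)out;
	size_t i, count = 0;

	for (i = 0; i < sizeof(*out); i++)
		if (p[i] == STALE)
			count++;
	return count;
}

/*
 * Build a record on the stack and copy it out whole. With zero_first set,
 * the struct is cleared before use, as the patch does with memset().
 */
static size_t leak_after_copy(int zero_first)
{
	struct clock_rec clock, best_clock;

	memset(&clock, STALE, sizeof(clock));	/* simulate stale stack */
	if (zero_first)
		memset(&clock, 0, sizeof(clock));
	fill_clock(&clock);
	memcpy(&best_clock, &clock, sizeof(best_clock));
	return stale_bytes(&best_clock);
}

int main(void)
{
	printf("stale bytes copied out without memset: %zu of %zu\n",
	       leak_after_copy(0), sizeof(struct clock_rec));
	printf("stale bytes copied out with memset:    %zu\n",
	       leak_after_copy(1));
	return 0;
}
```

The unset member always shows up in the first count; whether the padding after `valid` does as well depends on the compiler and ABI.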
From: Darrick J. Wong <[email protected]>
[ Upstream commit b1de6fc7520fe12949c070af0e8c0e4044cd3420 ]
Omar Sandoval reported that a 4G fallocate on the realtime device causes
filesystem shutdowns due to a log reservation overflow that happens when
we log the rtbitmap updates. Factor rtbitmap/rtsummary updates into the
tr_write and tr_itruncate log reservation calculation.
"The following reproducer results in a transaction log overrun warning
for me:
mkfs.xfs -f -r rtdev=/dev/vdc -d rtinherit=1 -m reflink=0 /dev/vdb
mount -o rtdev=/dev/vdc /dev/vdb /mnt
fallocate -l 4G /mnt/foo
Reported-by: Omar Sandoval <[email protected]>
Tested-by: Omar Sandoval <[email protected]>
Signed-off-by: Darrick J. Wong <[email protected]>
Reviewed-by: Brian Foster <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
---
fs/xfs/libxfs/xfs_trans_resv.c | 96 +++++++++++++++++++++++++++-------
1 file changed, 77 insertions(+), 19 deletions(-)
diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c
index d12bbd526e7c0..b3584cd2cc164 100644
--- a/fs/xfs/libxfs/xfs_trans_resv.c
+++ b/fs/xfs/libxfs/xfs_trans_resv.c
@@ -196,6 +196,24 @@ xfs_calc_inode_chunk_res(
return res;
}
+/*
+ * Per-extent log reservation for the btree changes involved in freeing or
+ * allocating a realtime extent. We have to be able to log as many rtbitmap
+ * blocks as needed to mark inuse MAXEXTLEN blocks' worth of realtime extents,
+ * as well as the realtime summary block.
+ */
+unsigned int
+xfs_rtalloc_log_count(
+ struct xfs_mount *mp,
+ unsigned int num_ops)
+{
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+ unsigned int rtbmp_bytes;
+
+ rtbmp_bytes = (MAXEXTLEN / mp->m_sb.sb_rextsize) / NBBY;
+ return (howmany(rtbmp_bytes, blksz) + 1) * num_ops;
+}
+
/*
* Various log reservation values.
*
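Review bot: xfs_rtalloc_log_count() is defined with external linkage (plain unsigned int, not STATIC uint like the reservation helpers further down in this file), yet the diffstat lists xfs_trans_resv.c as the only file changed, so no header carries a prototype for it. Either make it static or add the declaration to the matching header in the same patch. In the body, (MAXEXTLEN / mp->m_sb.sb_rextsize) / NBBY truncates before howmany() rounds up to blocks; rounding the byte count up as well would keep the estimate conservative. The comment's "btree changes" wording also does not match what is counted, which is rtbitmap blocks plus one summary block per operation.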
@@ -218,13 +236,21 @@ xfs_calc_inode_chunk_res(
/*
* In a write transaction we can allocate a maximum of 2
- * extents. This gives:
+ * extents. This gives (t1):
* the inode getting the new extents: inode size
* the inode's bmap btree: max depth * block size
* the agfs of the ags from which the extents are allocated: 2 * sector
* the superblock free block counter: sector size
* the allocation btrees: 2 exts * 2 trees * (2 * max depth - 1) * block size
- * And the bmap_finish transaction can free bmap blocks in a join:
+ * Or, if we're writing to a realtime file (t2):
+ * the inode getting the new extents: inode size
+ * the inode's bmap btree: max depth * block size
+ * the agfs of the ags from which the extents are allocated: 2 * sector
+ * the superblock free block counter: sector size
+ * the realtime bitmap: ((MAXEXTLEN / rtextsize) / NBBY) bytes
+ * the realtime summary: 1 block
+ * the allocation btrees: 2 trees * (2 * max depth - 1) * block size
+ * And the bmap_finish transaction can free bmap blocks in a join (t3):
* the agfs of the ags containing the blocks: 2 * sector size
* the agfls of the ags containing the blocks: 2 * sector size
* the super block free block counter: sector size
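Review bot: the new t2 list gives the allocation btrees as "2 trees * (2 * max depth - 1) * block size" with no extent count, while t1 just above writes "2 exts * 2 trees * ..." and the opening sentence still says a write transaction can allocate a maximum of 2 extents. Spell out the extent count assumed for the realtime case and why it differs from t1, so the comment can be checked against the code. The realtime bitmap line is also given in bytes while the helper added earlier in this patch rounds it up to whole blocks; the comment should say so.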
@@ -234,40 +260,72 @@ STATIC uint
xfs_calc_write_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
- max((xfs_calc_inode_res(mp, 1) +
+ unsigned int t1, t2, t3;
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+
+ t1 = xfs_calc_inode_res(mp, 1) +
+ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK), blksz) +
+ xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+
+ if (xfs_sb_version_hasrealtime(&mp->m_sb)) {
+ t2 = xfs_calc_inode_res(mp, 1) +
xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK),
- XFS_FSB_TO_B(mp, 1)) +
+ blksz) +
xfs_calc_buf_res(3, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2),
- XFS_FSB_TO_B(mp, 1))),
- (xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2),
- XFS_FSB_TO_B(mp, 1))));
+ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 1), blksz) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 1), blksz);
+ } else {
+ t2 = 0;
+ }
+
+ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+
+ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
}
/*
- * In truncating a file we free up to two extents at once. We can modify:
+ * In truncating a file we free up to two extents at once. We can modify (t1):
* the inode being truncated: inode size
* the inode's bmap btree: (max depth + 1) * block size
- * And the bmap_finish transaction can free the blocks and bmap blocks:
+ * And the bmap_finish transaction can free the blocks and bmap blocks (t2):
* the agf for each of the ags: 4 * sector size
* the agfl for each of the ags: 4 * sector size
* the super block to reflect the freed blocks: sector size
* worst case split in allocation btrees per extent assuming 4 extents:
* 4 exts * 2 trees * (2 * max depth - 1) * block size
+ * Or, if it's a realtime file (t3):
+ * the agf for each of the ags: 2 * sector size
+ * the agfl for each of the ags: 2 * sector size
+ * the super block to reflect the freed blocks: sector size
+ * the realtime bitmap: 2 exts * ((MAXEXTLEN / rtextsize) / NBBY) bytes
+ * the realtime summary: 2 exts * 1 block
+ * worst case split in allocation btrees per extent assuming 2 extents:
+ * 2 exts * 2 trees * (2 * max depth - 1) * block size
*/
STATIC uint
xfs_calc_itruncate_reservation(
struct xfs_mount *mp)
{
- return XFS_DQUOT_LOGRES(mp) +
- max((xfs_calc_inode_res(mp, 1) +
- xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1,
- XFS_FSB_TO_B(mp, 1))),
- (xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) +
- xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4),
- XFS_FSB_TO_B(mp, 1))));
+ unsigned int t1, t2, t3;
+ unsigned int blksz = XFS_FSB_TO_B(mp, 1);
+
+ t1 = xfs_calc_inode_res(mp, 1) +
+ xfs_calc_buf_res(XFS_BM_MAXLEVELS(mp, XFS_DATA_FORK) + 1, blksz);
+
+ t2 = xfs_calc_buf_res(9, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 4), blksz);
+
+ if (xfs_sb_version_hasrealtime(&mp->m_sb)) {
+ t3 = xfs_calc_buf_res(5, mp->m_sb.sb_sectsize) +
+ xfs_calc_buf_res(xfs_rtalloc_log_count(mp, 2), blksz) +
+ xfs_calc_buf_res(xfs_allocfree_log_count(mp, 2), blksz);
+ } else {
+ t3 = 0;
+ }
+
+ return XFS_DQUOT_LOGRES(mp) + max3(t1, t2, t3);
}
/*
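Review bot: in xfs_calc_write_reservation() the realtime branch passes 1 to both xfs_rtalloc_log_count() and xfs_allocfree_log_count(), while t1 and t3 pass 2 to xfs_allocfree_log_count(); in xfs_calc_itruncate_reservation() t3 uses 5 sectors and 2 extents against t2's 9 and 4. Since an undersized count here is exactly what produced the log reservation overflow described in the commit message, each of these constants deserves a short justification next to the call. On style, t2 in the write path repeats the first three terms of t1 verbatim (inode res, bmap btree, 3 sectors); computing that shared part once would make the difference between the two cases obvious. The else { t2 = 0; } and else { t3 = 0; } arms can also go if the variables are initialised to 0 at declaration.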
--
2.25.1
On Tue, Sep 29, 2020 at 12:55:31PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.69 release.
> There are 388 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 430 pass: 430 fail: 0
Tested-by: Guenter Roeck <[email protected]>
Guenter
On Tue, 29 Sep 2020 at 17:05, Greg Kroah-Hartman
<[email protected]> wrote:
>
> This is the start of the stable review cycle for the 5.4.69 release.
> There are 388 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.69-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <[email protected]>
Summary
------------------------------------------------------------------------
kernel: 5.4.69-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-5.4.y
git commit: 256bdd45e196b3d68513dcd043370c3809a97654
git describe: v5.4.68-389-g256bdd45e196
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.68-389-g256bdd45e196
No regressions (compared to build v5.4.68)
No fixes (compared to build v5.4.68)
Ran 27670 total tests in the following environments and test suites.
Environments
--------------
- dragonboard-410c
- hi6220-hikey
- i386
- juno-r2
- nxp-ls2088
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15
- x86
- x86-kasan
Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* perf
* v4l2-compliance
* ltp-cve-tests
* ltp-sched-tests
* network-basic-tests
* ltp-fs-tests
* ltp-ipc-tests
* ltp-open-posix-tests
* kselftest-vsyscall
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none
* ssuite
--
Linaro LKFT
https://lkft.linaro.org
On 9/29/20 4:55 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.69 release.
> There are 388 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 01 Oct 2020 10:59:03 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.69-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <[email protected]>
thanks,
-- Shuah