| Age | Commit message (Collapse) | Author |
|---|
|
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull hardened usercopy fixes from Kees Cook:
- inline copy_*_user() for correct use of __builtin_const_p() for
hardened usercopy and the recent compile-time checks.
- switch hardened usercopy to only check non-const size arguments to
avoid meaningless checks on likely-sane const values.
- update lkdtm usercopy tests to compenstate for the const checking.
* tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
lkdtm: adjust usercopy tests to bypass const checks
usercopy: fold builtin_const check into inline function
x86/uaccess: force copy_*_user() to be inlined
|
|
Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Update the syscall number after each PTRACE_SETREGS on ORIG_*AX.
This is needed to get the potentially altered syscall number in the
seccomp filters after RET_TRACE.
This fix four seccomp_bpf tests:
> [ RUN ] TRACE_syscall.skip_after_RET_TRACE
> seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_RET_TRACE
> [ RUN ] TRACE_syscall.kill_after_RET_TRACE
> TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_RET_TRACE
> [ RUN ] TRACE_syscall.skip_after_ptrace
> seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26)
> seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22)
> [ FAIL ] TRACE_syscall.skip_after_ptrace
> [ RUN ] TRACE_syscall.kill_after_ptrace
> TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1)
> [ FAIL ] TRACE_syscall.kill_after_ptrace
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Keep the same semantic as before the commit 26703c636c1f: deallocate
audit context and fake a proper syscall exit.
This fix a kernel panic triggered by the seccomp_bpf test:
> [ RUN ] global.ERRNO_valid
> BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()!
> Kernel panic - not syncing: BUG!
Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace")
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Richard Weinberger <richard@nod.at>
Cc: James Morris <jmorris@namei.org>
Cc: user-mode-linux-devel@lists.sourceforge.net
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
This fixes a regression in my previous commit c21377f8366c ("nvme:
Suspend all queues before deletion"), which provoked an Oops in the
removal path when removing a device that became IO incapable very early
at probe (i.e. after a failed EEH recovery).
Turns out, if the error occurred very early at the probe path, before
even configuring the admin queue, we might try to suspend the
uninitialized admin queue, accessing bad memory.
Fixes: c21377f8366c ("nvme: Suspend all queues before deletion")
Signed-off-by: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Reviewed-by: Jay Freyensee <james_p_freyensee@linux.intel.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
|
|
According to the CI test machines, SNB also uses the
GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE value to report a bad
GEN6_PCODE_MIN_FREQ_TABLE request.
[ 157.744641] WARNING: CPU: 5 PID: 9238 at
drivers/gpu/drm/i915/intel_pm.c:7760 sandybridge_pcode_write+0x141/0x200 [i915]
[ 157.744642] Missing switch case (16) in gen6_check_mailbox_status
[ 157.744642] Modules linked in: snd_hda_intel i915 ax88179_178a usbnet mii x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec snd_hwdep snd_hda_core mei_me lpc_ich snd_pcm mei broadcom bcm_phy_lib tg3 ptp pps_core [last unloaded: vgem]
[ 157.744658] CPU: 5 PID: 9238 Comm: drv_hangman Tainted: G U W 4.8.0-rc3-CI-CI_DRM_1589+ #1
[ 157.744658] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011
[ 157.744659] 0000000000000000 ffff88011f093a98 ffffffff81426415 ffff88011f093ae8
[ 157.744662] 0000000000000000 ffff88011f093ad8 ffffffff8107d2a6 00001e50810d3c9f
[ 157.744663] ffff880128680000 0000000000000008 0000000000000000 ffff88012868a650
[ 157.744665] Call Trace:
[ 157.744669] [<ffffffff81426415>] dump_stack+0x67/0x92
[ 157.744672] [<ffffffff8107d2a6>] __warn+0xc6/0xe0
[ 157.744673] [<ffffffff8107d30a>] warn_slowpath_fmt+0x4a/0x50
[ 157.744685] [<ffffffffa0029831>] sandybridge_pcode_write+0x141/0x200 [i915]
[ 157.744697] [<ffffffffa002a88a>] intel_enable_gt_powersave+0x64a/0x1330 [i915]
[ 157.744712] [<ffffffffa006b4cb>] ? i9xx_emit_request+0x1b/0x80 [i915]
[ 157.744725] [<ffffffffa0055ed3>] __i915_add_request+0x1e3/0x370 [i915]
[ 157.744738] [<ffffffffa00428bd>] i915_gem_do_execbuffer.isra.16+0xced/0x1b80 [i915]
[ 157.744740] [<ffffffff811a232e>] ? __might_fault+0x3e/0x90
[ 157.744752] [<ffffffffa0043b72>] i915_gem_execbuffer2+0xc2/0x2a0 [i915]
[ 157.744753] [<ffffffff815485b7>] drm_ioctl+0x207/0x4c0
[ 157.744765] [<ffffffffa0043ab0>] ? i915_gem_execbuffer+0x360/0x360 [i915]
[ 157.744767] [<ffffffff810ea4ad>] ? debug_lockdep_rcu_enabled+0x1d/0x20
[ 157.744769] [<ffffffff811fe09e>] do_vfs_ioctl+0x8e/0x680
[ 157.744770] [<ffffffff811a2377>] ? __might_fault+0x87/0x90
[ 157.744771] [<ffffffff811a232e>] ? __might_fault+0x3e/0x90
[ 157.744773] [<ffffffff810d3df2>] ? trace_hardirqs_on_caller+0x122/0x1b0
[ 157.744774] [<ffffffff811fe6cc>] SyS_ioctl+0x3c/0x70
[ 157.744776] [<ffffffff8180fe69>] entry_SYSCALL_64_fastpath+0x1c/0xac
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97491
Fixes: 87660502f1a4 ("drm/i915/gen6+: Interpret mailbox error flags")
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Lyude <cpaul@redhat.com>
Cc: Matt Roper <matthew.d.roper@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: stable@vger.kernel.org
Link: http://patchwork.freedesktop.org/patch/msgid/20160826105926.3413-1-chris@chris-wilson.co.uk
Acked-by: Mika Kuoppala <mika.kuoppala@intel.com>
(cherry picked from commit 7850d1c35344c7bd6a357240f2f9f60fc2c097b5)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
|
User-space can choose to omit NL80211_ATTR_SSID and only provide raw
IE TLV data. When doing so it can provide SSID IE with length exceeding
the allowed size. The driver further processes this IE copying it
into a local variable without checking the length. Hence stack can be
corrupted and used as exploit.
Cc: stable@vger.kernel.org # v4.7
Reported-by: Daxing Guo <freener.gdx@gmail.com>
Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
|
A regression was introduced in commit id 79d4db1214a ("ath9k: cleanup
led_pin initial") that broken the WLAN status led on my laptop with
AR9287 after suspending and resuming.
Steps to reproduce:
* Suspend (laptop)
* Resume (laptop)
* Observe that the WLAN led no longer turns ON/OFF depending on the
status and is always red
Even though for my case it only needs to be set to OUT in ath9k_start
but for consistency bring back the IN direction setting as well.
Fixes: 79d4db1214a0 ("ath9k: cleanup led_pin initial")
Cc: Miaoqing Pan <miaoqing@codeaurora.org>
Cc: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: <stable@vger.kernel.org> # 4.7+
Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711
Signed-off-by: Giedrius Statkevičius <giedrius.statkevicius@gmail.com>
[kvalo@qca.qualcomm.com: improve commit log]
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
|
|
When calling .import() on a cryptd ahash_request, the structure members
that describe the child transform in the shash_desc need to be initialized
like they are when calling .init()
Cc: stable@vger.kernel.org
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
WARN if CRTC is touched without CRTC lock. The crtc functions should
not be called simultaneously from multiple threads. Having the DRM
CRTC lock should take care of that.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
Take CRTC lock when calling tilcdc_crtc_disable() in
tilcdc_crtc_destroy().
In theory there could still be some operation ongoing, which should
finish before destroying the CRTC. However, the main reason for
adding this is to be able to add WARNing in tilcdc_crtc_disable() if
CRTC is not locked.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
Remove unnecessary tilcdc_crtc_disable() from tilcdc_unload(). The
tilcdc_crtc_disable() called via tilcdc_crtc_destroy() by
drm_mode_config_cleanup() couple of lines later.
The early call to tilcdc_crtc_disable() was a wrong fix (that worked)
for calling drm_flip_work_cleanup() before flushing the flip-work
queue.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
Flush flip-work workqueue before drm_flip_work_cleanup(). It causes a
nasty warning if there is unfinished flip-work in the queue when
drm_flip_work_cleanup() is called. The flush_workqueue() has to be
called before drm_crtc_cleanup() for unref_worker() to be able to do
its job.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
Clean up LCDC functional clock rate setting code.
The LCDC functional clock is set by two functions: mode_set_nofb() and
cpufreq_transition().
When tilcdc_crtc_mode_set_nofb() is called in atomic commit phase the
drm atomic helpers have taken all the necessary drm locks and turned
off the crtc, while tilcdc_commit() is keeping LCDC powered on. For
mode_set_nofb() just a simple clock setting function without any
locking or power management code is enough. The new tilcdc_crtc_set_clk()
is implemented for that purpose.
cpufreq_transition() on the other hand is called from outside DRM and
it needs to take the necessary locks and turn off the CRTC while
keeping the LCDC powered. The reimplemented tilcdc_crtc_update_clk()
is for that purpose and it uses the new tilcdc_crtc_set_clk() to
actually set the clock.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
Take crtc modeset lock while updating the crtc clock rate. To avoid a
race in tilcdc_crtc_update_clk(), we do not want crtc mode to change
while we update crtc clock.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
|
|
When building a kernel with CONFIG_PM_SLEEP=n, we
get the following warning:
drivers/usb/dwc3/dwc3-pci.c:253:12: warning: 'dwc3_pci_pm_dummy' defined but not used
In order to fix this, we should only define
dwc3_pci_pm_dummy() when CONFIG_PM_SLEEP is defined.
Fixes: f6c274e11e3b ("usb: dwc3: pci: runtime_resume child device")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
|
|
Add HDMI audio support. Adds mcasp0_pins, clk_mcasp0_fixed,
clk_mcasp0, mcasp0, sound node, and updates the tda19988 node to
follow the new binding.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
|
|
Register ASoC HDMI codec for audio functionality and adds device tree
binding for audio configuration.
With the registered HDMI codec the tda998x node can be used like a
regular codec node in ASoC card configurations. HDMI audio info-frame
and audio stream header is generated by the ASoC HDMI codec. The codec
also applies constraints for available sample-rates based on Edid Like
Data from the display. The device tree binding document has been
updated [1].
Part of this patch has been inspired by Jean Francoise's "drm/i2c: tda998x:
Add support of a DT graph of ports"-patch [2]. There may still be some
identical lines left from the original patch and some of the ideas
have come from there.
[1] Documentation/devicetree/bindings/display/bridge/tda998x.txt
[2] http://mailman.alsa-project.org/pipermail/alsa-devel/2015-July/095255.html
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
|
|
Define struct tda998x_audio_params in include/drm/i2c/tda998x.h and
use it in pdata and for tda998x_configure_audio() parameters. Also
updates tda998x_write_aif() to take struct hdmi_audio_infoframe *
directly as a parameter.
Signed-off-by: Jyri Sarha <jsarha@ti.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
|
|
called with private data") into drm-tda998x-devel
This commit is required for the TDA998x ASoC support, so to avoid build
errors, merge this commit into this branch prior to commiting Jiri's
patches.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
|
|
This reverts commit 237ed86c693d8a8e4db476976aeb30df4deac74b.
Our current implementation of live status check (repeat 9 times
with 10ms delays between each attempt as a workaround for
buggy displays) imposes a rather serious penalty, time wise,
on intel_hdmi_detect(). Since we we already skip live status
checks on platforms before gen 7, and since we seem to have
coped quite well before the live status check was introduced
for newer platforms too, the previous behaviour is probably
preferable, at least unless someone can point to a use-case
that the live status check improves (apart from "Bspec says so".)
Signed-off-by: David Weinehall <david.weinehall@linux.intel.com>
Fixes: 237ed86c693d ("drm/i915: Check live status before reading edid")
Fixes: f8d03ea0053b ("drm/i915: increase the tries for HDMI hotplug live status checking")
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97139
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94014
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160817124748.31208-1-david.weinehall@linux.intel.com
|
|
i915 sometimes needs to disable planes in the middle of an atomic
commit, and then reenable them later in the same commit. Because of
this, we can't make the assumption that the state of the plane actually
changed. Since the state of the plane hasn't actually changed, neither
have it's watermarks. And if the watermarks hasn't changed then we
haven't populated skl_results with anything, which means we'll end up
zeroing out a plane's watermarks in the middle of the atomic commit
without restoring them later.
Simple reproduction recipe:
- Get a SKL laptop, launch any kind of X session
- Get two extra monitors
- Keep hotplugging both displays (so that the display configuration
jumps from 1 active pipe to 3 active pipes and back)
- Eventually underrun
Changes since v1:
- Fix incorrect use of "it's"
Changes since v2:
- Add reproduction recipe
Signed-off-by: Lyude <cpaul@redhat.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Fixes: 62e0fb880123 ("drm/i915/skl: Update plane watermarks atomically during plane updates")
Signed-off-by: Lyude <cpaul@redhat.com>
Testcase: kms_plane
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1472488288-27280-1-git-send-email-cpaul@redhat.com
Cc: drm-intel-fixes@lists.freedesktop.org
|
|
This reverts commit 77953bd136d2a70bca2dc93b3ccda07a2b37076f.
This causes a kernel panic when trying to assign a blob to a property,
and has obviously never been tested.
Fixes: 77953bd136d2 ("drm: Unify handling of blob and object properties")
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Tested-by: Liu Ying <gnuiyl@gmail.com>
Acked-by: Daniel Stone <daniels@collabora.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/8c0d3482-1bb5-6a15-b105-6bda2b31b5dc@linux.intel.com
|
|
In general, when DAD detected IPv6 duplicate address, ifp->state
will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
delayed work, the call tree should be like this:
ndisc_recv_ns
-> addrconf_dad_failure <- missing ifp put
-> addrconf_mod_dad_work
-> schedule addrconf_dad_work()
-> addrconf_dad_stop() <- missing ifp hold before call it
addrconf_dad_failure() called with ifp refcont holding but not put.
addrconf_dad_work() call addrconf_dad_stop() without extra holding
refcount. This will not cause any issue normally.
But the race between addrconf_dad_failure() and addrconf_dad_work()
may cause ifp refcount leak and netdevice can not be unregister,
dmesg show the following messages:
IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
...
unregister_netdevice: waiting for eth0 to become free. Usage count = 1
Cc: stable@vger.kernel.org
Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing
to workqueue")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
There is a code path where we are calling __iowrite64_copy() on
an address that is not 64-bit aligned. This causes an exception on
some architectures such as arm64. Fix that code path by using
__iowrite32_copy().
Reported-by: JD Zheng <jiandong.zheng@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
When deleting an IP address from an interface, there is a clean-up of
routes which refer to this local address. However, there was no check to
see that the VRF matched. This meant that deletion wasn't confined to
the VRF it should have been.
To solve this, a new field has been added to fib_info to hold a table
id. When removing fib entries corresponding to a local ip address, this
table id is also used in the comparison.
The table id is populated when the fib_info is created. This was already
done in some places, but not in ip_rt_ioctl(). This has now been fixed.
Fixes: 021dd3b8a142 ("net: Add routes to the table associated with the device")
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Tested-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The build of m32r was giving warning:
In file included from drivers/net/ethernet/smsc/smc91x.c:92:0:
drivers/net/ethernet/smsc/smc91x.h:448:0: warning: "SMC_inb" redefined
#define SMC_inb(ioaddr, reg) ({ BUG(); 0; })
drivers/net/ethernet/smsc/smc91x.h:106:0:
note: this is the location of the previous definition
#define SMC_inb(a, r) inb(((u32)a) + (r))
drivers/net/ethernet/smsc/smc91x.h:449:0: warning: "SMC_outb" redefined
#define SMC_outb(x, ioaddr, reg) BUG()
drivers/net/ethernet/smsc/smc91x.h:108:0:
note: this is the location of the previous definition
#define SMC_outb(v, a, r) outb(v, ((u32)a) + (r))
Signed-off-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
I'm still struggling to get this fix right..
Changes since v2:
- do not blindly modify SKB contents according to Dave's legitimate
objection
Changes since v1:
- dropped disabling HW checksum offload for Zynq
- initialize checksum similar to net/ethernet/freescale/fec_main.c
-- >8 --
MACB/GEM needs the checksum field initialized to 0 to get correct
results on transmit in all cases, e.g. on Zynq, UDP packets with
payload <= 2 otherwise contain a wrong checksums.
Signed-off-by: Helmut Buchsbaum <helmut.buchsbaum@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
An RPC can terminate before its reply arrives, if a credential
problem or a soft timeout occurs. After this happens, xprtrdma
reports it is out of Receive buffers.
A Receive buffer is posted before each RPC is sent, and returned to
the buffer pool when a reply is received. If no reply is received
for an RPC, that Receive buffer remains posted. But xprtrdma tries
to post another when the next RPC is sent.
If this happens a few dozen times, there are no receive buffers left
to be posted at send time. I don't see a way for a transport
connection to recover at that point, and it will spit warnings and
unnecessarily delay RPCs on occasion for its remaining lifetime.
Commit 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays")
removed a little bit of logic to detect this case and not provide
a Receive buffer so no more buffers are posted, and then transport
operation continues correctly. We didn't understand what that logic
did, and it wasn't commented, so it was removed as part of the
overhaul to support backchannel requests.
Restore it, but be wary of the need to keep extra Receives posted
to deal with backchannel requests.
Fixes: 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
|
|
Receive buffer exhaustion, if it were to actually occur, would be
catastrophic. However, when there are no reply buffers to post, that
means all of them have already been posted and are waiting for
incoming replies. By design, there can never be more RPCs in flight
than there are available receive buffers.
A receive buffer can be left posted after an RPC exits without a
received reply; say, due to a credential problem or a soft timeout.
This does not result in fewer posted receive buffers than there are
pending RPCs, and there is already logic in xprtrdma to deal
appropriately with this case.
It also looks like the "+ 2" that was removed was accidentally
accommodating the number of extra receive buffers needed for
receiving backchannel requests. That will need to be addressed by
another patch.
Fixes: 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion can be...")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
|
|
Neither the failure or success paths of ping_v6_sendmsg release
the dst it acquires. This leads to a flood of warnings from
"net/core/dst.c:288 dst_release" on older kernels that
don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported.
That patch optimistically hoped this had been fixed post 3.10, but
it seems at least one case wasn't, where I've seen this triggered
a lot from machines doing unprivileged icmp sockets.
Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Dave Jones <davej@codemonkey.org.uk>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
Pull rdma fixes from Doug Ledford:
"This is the second pull request for the rdma subsystem. Most of the
patches are small and obvious. I took two patches in that are larger
than I wanted this late in the cycle.
The first is the hfi1 patch that implements a work queue to test the
QSFP read state. I originally rejected the first patch for this
(which would have place up to 20 seconds worth of udelays in their
probe routine). They then rewrote it the way I wanted (use delayed
work tasks to wait asynchronously up to 20 seconds for the QSFP to
come alive), so I can't really complain about the size of getting what
I asked for :-/.
The second is large because it switches the rcu locking in the debugfs
code. Since a locking change like this is done all at once, the size
it what it is. It resolves a litany of debug messages from the
kernel, so I pulled it in for -rc.
The rest are all typical -rc worthy patches I think.
There will still be a third -rc pull request from the rdma subsystem
this release. I hope to have that one ready to go by the end of this
week or early next.
Summary:
- a smattering of small fixes across the core, ipoib, i40iw, isert,
cxgb4, and mlx4
- a slightly larger group of fixes to each of mlx5 and hfi1"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
IB/hfi1: Rework debugfs to use SRCU
IB/hfi1: Make n_krcvqs be an unsigned long integer
IB/hfi1: Add QSFP sanity pre-check
IB/hfi1: Fix AHG KDETH Intr shift
IB/hfi1: Fix SGE length for misaligned PIO copy
IB/mlx5: Don't return errors from poll_cq
IB/mlx5: Use TIR number based on selector
IB/mlx5: Simplify code by removing return variable
IB/mlx5: Return EINVAL when caller specifies too many SGEs
IB/mlx4: Don't return errors from poll_cq
Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one"
IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
IB/core: Fix use after free in send_leave function
IB/cxgb4: Make _free_qp static to silence build warning
IB/isert: Properly release resources on DEVICE_REMOVAL
IB/hfi1: Fix the size parameter to find_first_bit
IB/mlx5: Fix the size parameter to find_first_bit
IB/hfi1: Clean up type used and casting
i40iw: Receive notification events correctly
i40iw: Update hw_iwarp_state
|
|
The hardened usercopy is now consistently avoiding checks against const
sizes, since we really only want to perform runtime bounds checking
on lengths that weren't known at build time. To test the hardened usercopy
code, we must force the length arguments to be seen as non-const.
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Instead of having each caller of check_object_size() need to remember to
check for a const size parameter, move the check into check_object_size()
itself. This actually matches the original implementation in PaX, though
this commit cleans up the now-redundant builtin_const() calls in the
various architectures.
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
As already done with __copy_*_user(), mark copy_*_user() as __always_inline.
Without this, the checks for things like __builtin_const_p() won't work
consistently in either hardened usercopy nor the recent adjustments for
detecting usercopy overflows at compile time.
The change in kernel text size is detectable, but very small:
text data bss dec hex filename
12118735 5768608 14229504 32116847 1ea106f vmlinux.before
12120207 5768608 14229504 32118319 1ea162f vmlinux.after
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
git://git.linaro.org/landing-teams/working/fujitsu/integration
Pull mailbox fixes from Jassi Brar:
"Misc fixes for BCM mailbox driver
- Fix build warnings by making static functions used within the file.
- Check for potential NULL before dereferencing
- Fix link error by defining HAS_DMA dependency"
* 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible
mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown()
mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"This is really three fixes, but the SES one comes in a bundle of three
(making the replacement API available properly, using it and removing
the non-working one). The SES problem causes an oops on hpsa devices
because they attach virtual disks to the host which aren't SAS
attached (the replacement API ignores them).
The other two fixes are fairly minor: the sense key one means we
actually resolve a newly added sense key and the RDAC device
blacklisting is needed to prevent us annoying the universal XPORT lun
of various RDAC arrays"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: sas: remove is_sas_attached()
scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached
scsi: sas: provide stub implementation for scsi_is_sas_rphy
scsi: blacklist all RDAC devices for BLIST_NO_ULD_ATTACH
scsi: fix upper bounds check of sense key in scsi_sense_key_string()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap
Pull regmap fixes from Mark Brown:
"Several fixes here, the main one being the change from Lars-Peter
which I'd been letting soak in -next since the merge window in case it
uncovered further issues as it's a minimal fix rather than a change
addressing the root cause of the problems (which would've been too
invasive for -rc):
- The biggest change is a fix from Lars-Peter to ensure that we don't
create overlapping rbtree nodes which in turn avoids returning
corrupt cache values to users, fixing some issues that were exposed
by some recent optimisations with certain access patterns but had
been present for a long time.
- A fix from Elaine Zhang to stop us updating the cache if we get an
I/O error when writing to the hardware.
- A fix fromm Maarten ter Huurne to avoid uninitialized defaults in
cases where we have non-readable registers but are initializing the
cache by reading from the device"
* tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regmap: drop cache if the bus transfer error
regmap: rbtree: Avoid overlapping nodes
regmap: cache: Fix num_reg_defaults computation from reg_defaults_raw
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"As well as the usual driver fixes there's a couple of non-trivial core
fixes in here:
- Fixes for issues reported by Julia Lawall in the changes that were
sent last time to fix interaction between the bus lock and the
locking done for the SPI thread. I'd let this one cook for a while
to make sure nothing else came up in testing.
- A fix from Sien Wu for arithmetic overflows when calculating the
timeout for larger transfers (espcially common with slow buses with
flashes on them)"
* tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: Prevent unexpected SPI time out due to arithmetic overflow
spi: pxa2xx-pci: fix ACPI-based enumeration of SPI devices
MAINTAINERS: add myself as Samsung SPI maintainer
spi: Drop io_mutex in error paths
spi: sh-msiof: Avoid invalid clock generator parameters
spi: img-spfi: Remove spi_master_put in img_spfi_remove()
spi: mediatek: remove spi_master_put in mtk_spi_remove()
spi: qup: Remove spi_master_put in spi_qup_remove()
|
|
The usb_driver suspend and resume function pointers must be populated
to prevent forced unbinding of USB interface driver. See usb/core/driver.c:
unbind_no_pm_drivers_interfaces().
Restore mode and damage the entire frame buffer upon resume.
TEST=suspend and resume with the same UDL device connected
TEST=suspend with UDL, unplug UDL and resume
TEST=suspend with UDL, unplug and connect another UDL device then resume
Signed-off-by: Haixia Shi <hshi@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
[seanpaul fixed checkpatch warnings and gave marcheu his é back]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1472593821-38429-2-git-send-email-hshi@chromium.org
|
|
Use 1UL for unsigned long, or we'll meet a overflow issue with UBSAN.
[ 15.589489] UBSAN: Undefined behaviour in drivers/gpu/drm/drm_hashtab.c:145:35
[ 15.589500] signed integer overflow:
[ 15.589999] -2147483648 - 1 cannot be represented in type 'int'
[ 15.590434] CPU: 2 PID: 294 Comm: plymouthd Not tainted 3.10.0-327.28.3.el7.x86_64 #1
[ 15.590653] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[ 15.591001] 1ffff1000670fe83 000000000d6b385e ffff88003387f3e0 ffffffff81ee3140
[ 15.591028] ffff88003387f3f8 ffffffff81ee31fd ffffffffa032f460 ffff88003387f560
[ 15.591044] ffffffff81ee46e2 0000002d00000009 0000000000000001 0000000041b58ab3
[ 15.591059] Call Trace:
[ 15.591078] [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[ 15.591093] [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[ 15.591109] [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
[ 15.591126] [<ffffffff81ee4528>] ? __ubsan_handle_negate_overflow+0x162/0x162
[ 15.591146] [<ffffffff8103416c>] ? print_context_stack+0x9c/0x160
[ 15.591163] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591181] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591197] [<ffffffff81ee4798>] __ubsan_handle_sub_overflow+0x2a/0x31
[ 15.591261] [<ffffffffa0282140>] drm_ht_just_insert_please+0x1e0/0x200 [drm]
[ 15.591290] [<ffffffffa0528c7a>] ttm_base_object_init+0x10a/0x270 [ttm]
[ 15.591316] [<ffffffffa052a34c>] ttm_vt_lock+0x28c/0x3a0 [ttm]
[ 15.591343] [<ffffffffa052a0c0>] ? ttm_write_lock+0x180/0x180 [ttm]
[ 15.591362] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591379] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591396] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591413] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591442] [<ffffffffa061cbe1>] vmw_master_set+0x121/0x470 [vmwgfx]
[ 15.591459] [<ffffffff811773a5>] ? __init_waitqueue_head+0x45/0x70
[ 15.591487] [<ffffffffa061cac0>] ? vmw_master_drop+0x310/0x310 [vmwgfx]
[ 15.591535] [<ffffffffa026946a>] drm_open+0x92a/0xc00 [drm]
[ 15.591563] [<ffffffffa0619ff0>] ? vmw_driver_open+0x170/0x170 [vmwgfx]
[ 15.591610] [<ffffffffa0268b40>] ? drm_poll+0xe0/0xe0 [drm]
[ 15.591661] [<ffffffffa02797b4>] drm_stub_open+0x224/0x330 [drm]
[ 15.591711] [<ffffffffa0279590>] ? drm_minor_acquire+0x240/0x240 [drm]
[ 15.591727] [<ffffffff8145fa8a>] chrdev_open+0x1fa/0x3f0
[ 15.591742] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591761] [<ffffffff814f6dc3>] ? __fsnotify_parent+0x53/0x210
[ 15.591778] [<ffffffff8144fde1>] do_dentry_open+0x351/0x670
[ 15.591792] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591807] [<ffffffff814503c2>] vfs_open+0xa2/0x170
[ 15.591824] [<ffffffff8147b5df>] do_last+0xccf/0x2c80
[ 15.591842] [<ffffffff8147a910>] ? filename_create+0x320/0x320
[ 15.591858] [<ffffffff81472549>] ? path_init+0x1b9/0xa90
[ 15.591875] [<ffffffff81472390>] ? mountpoint_last+0x9a0/0x9a0
[ 15.591894] [<ffffffff815f9ccf>] ? selinux_file_alloc_security+0xcf/0x130
[ 15.591911] [<ffffffff8147d777>] path_openat+0x1e7/0xcc0
[ 15.591927] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591943] [<ffffffff8147d590>] ? do_last+0x2c80/0x2c80
[ 15.591959] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591974] [<ffffffff8104b48d>] ? save_stack_trace+0x7d/0xb0
[ 15.591989] [<ffffffff81480824>] do_filp_open+0xa4/0x160
[ 15.592004] [<ffffffff81480780>] ? user_path_mountpoint_at+0x50/0x50
[ 15.592022] [<ffffffff8149d755>] ? __alloc_fd+0x175/0x300
[ 15.592039] [<ffffffff81453127>] do_sys_open+0x1b7/0x3f0
[ 15.592054] [<ffffffff81452f70>] ? filp_open+0x80/0x80
[ 15.592070] [<ffffffff81453392>] SyS_open+0x32/0x40
[ 15.592088] [<ffffffff81f08989>] system_call_fastpath+0x16/0x1b
Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
[seanpaul tweaked subject to remove "gpu/"]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473152138-25335-1-git-send-email-xiexiuqi@huawei.com
|
|
The legacy setprop ioctl doesn't attempt to set properties
that are not enumerated on the object. The atomic ioctl does,
fix this by validating first.
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473062773-5045-1-git-send-email-maarten.lankhorst@linux.intel.com
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"Two things here, one an e-mail update for Krzysztof Kozlowski and the
other a couple of fixes for issues with incorrectly described voltages
in a couple of the Qualcomm regulator drivers that were breaking MMC
on some platforms"
* tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: Change Krzysztof Kozlowski's email to kernel.org
regulator: qcom_smd: Fix voltage ranges for pma8084 ftsmps and pldo
regulator: qcom_smd: Fix voltage ranges for pm8x41
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull pin control fixes from Linus Walleij:
"Nothing special at all, just three SoC-specific driver fixes:
- Fix routing problems in pistachio (Imagination) and sunxi
(AllWinner)
- Fix an interrupt problem in the Cherryview (Intel)"
* tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33
pinctrl: cherryview: Do not mask all interrupts in probe
pinctrl: pistachio: fix mfio pll_lock pinmux
|
|
We don't have safe 64-bit mmio writes as they are really split into
2x32-bit writes. This tearing is dangerous as the hardware *will*
operate on the intermediate value, requiring great care when assigning.
(See, for example, i965_write_fence_reg.) As such we don't currently use
them and strongly advise not to us them. Go one step further and remove
the 64-bit write vfuncs.
v2: Add some more details to the comment about why WRITE64 is absent,
and why you need to think twice before using READ64.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160906144538.4204-1-chris@chris-wilson.co.uk
|
|
Imagine such situation, user add the following nft rules, and queue
the packets to userspace for further check:
# ip rule add fwmark 0x0/0x1 lookup eth0
# ip rule add fwmark 0x1/0x1 lookup eth1
# nft add table filter
# nft add chain filter output {type route hook output priority 0 \;}
# nft add rule filter output mark set 0x1
# nft add rule filter output queue num 0
But after we reinject the skbuff, the packet will be sent via the
wrong route, i.e. in this case, the packet will be routed via eth0
table, not eth1 table. Because we skip to do re-route when verdict
is NF_QUEUE, even if the mark was changed.
Acctually, we should not touch sk_buff if verdict is NF_DROP or
NF_STOLEN, and when re-route fails, return NF_DROP with error code.
This is consistent with the mangle table in iptables.
Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
reclaim work makes progress
In btrfs_async_reclaim_metadata_space(), we use ticket's address to
determine whether asynchronous metadata reclaim work is making progress.
ticket = list_first_entry(&space_info->tickets,
struct reserve_ticket, list);
if (last_ticket == ticket) {
flush_state++;
} else {
last_ticket = ticket;
flush_state = FLUSH_DELAYED_ITEMS_NR;
if (commit_cycles)
commit_cycles--;
}
But indeed it's wrong, we should not rely on local variable's address to
do this check, because addresses may be same. In my test environment, I
dd one 168MB file in a 256MB fs, found that for this file, every time
wait_reserve_ticket() called, local variable ticket's address is same,
For above codes, assume a previous ticket's address is addrA, last_ticket
is addrA. Btrfs_async_reclaim_metadata_space() finished this ticket and
wake up it, then another ticket is added, but with the same address addrA,
now last_ticket will be same to current ticket, then current ticket's flush
work will start from current flush_state, not initial FLUSH_DELAYED_ITEMS_NR,
which may result in some enospc issues(I have seen this in my test machine).
Signed-off-by: Wang Xiaoguang <wangxg.fnst@cn.fujitsu.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
|
|
Disable 48bit full PPGTT on vGPU too for now.
Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: drm-intel-fixes@lists.freedesktop.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-3-zhenyuw@linux.intel.com
(cherry picked from commit e320d40022128845dfff900422ea9fd69f576c98)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
|
vGPU capability is handled by GVT-g host driver, not needed to
put extra HW check for vGPU detection. And we'll actually support
vGPU from BDW.
Signed-off-by: Ping Gao <ping.a.gao@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: drm-intel-fixes@lists.freedesktop.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-2-zhenyuw@linux.intel.com
(cherry picked from commit 8ef89995c735f978d5dfcb3ca6bce70d41728c91)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
|
|
Disable 48bit full PPGTT on vGPU too for now.
Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: drm-intel-fixes@lists.freedesktop.org
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-3-zhenyuw@linux.intel.com
|
