Guenter Roeck [Sun, 29 Jan 2017 19:12:08 +0000 (11:12 -0800)]
watchdog: RDC321X_WDT always depends on PCI
Without this dependency, platforms not supporting PCI (such as m68k)
report the following build warning when building allmodconfig
or allyesconfig.
drivers/watchdog/rdc321x_wdt.c: In function 'rdc321x_wdt_ioctl':
./arch/m68k/include/asm/uaccess_mm.h:61:1: warning:
'value' may be used uninitialized in this function
Bhumika Goyal [Sat, 28 Jan 2017 07:41:17 +0000 (13:11 +0530)]
watchdog: constify watchdog_ops structures
Declare watchdog_ops structures as const as they are only stored in the
ops field of a watchdog_device structure. This field is of type const, so
watchdog_ops structures having this property can be made const too.
Done using Coccinelle:
File size details before and after patching.
First line of every .o file shows the file size before patching
and second line shows the size after patching.
Size remains the same for the files drivers/watchdog/diag288_wdt.o
drivers/watchdog/asm9260_wdt.o and drivers/watchdog/atlas7_wdt.o
The following .o files did not compile:
drivers/watchdog/sun4v_wdt.o, drivers/watchdog/sbsa_gwdt.o,
drivers/watchdog/rt2880_wdt.o, drivers/watchdog/booke_wdt.o
drivers/watchdog/mt7621_wdt.o
Many watchdog drivers explicitly stop the watchdog when unregistering it.
While it is unclear if this is actually needed (the whatdog should not be
running at that time if it can be stopped), introduce a helper to
explicitly stop the watchdog in the watchdog core when unregistering it.
This helps reducing driver code size while retaining functionality.
watchdog: ebc-c384_wdt: Utilize devm_ functions in driver probe callback
The devm_ resource manager functions allow memory to be automatically
released when a device is unbound. This patch takes advantage of the
resource manager functions and replaces the watchdog_register_device
call with the devm_watchdog_register_device call. In addition, the
ebc_c384_wdt_remove function has been removed as no longer necessary due
to the use of the relevant devm_ resource manager functions.
Signed-off-by: William Breathitt Gray <vilhelm.gray@gmail.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Wed, 11 Jan 2017 02:09:11 +0000 (18:09 -0800)]
watchdog: tegra_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Use devm_watchdog_register_driver() to register watchdog device
Guenter Roeck [Tue, 10 Jan 2017 23:21:47 +0000 (15:21 -0800)]
watchdog: da9063_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'val = e; return val;' with 'return e;'
- Replace 'if (e) return e; return 0;' with 'return e;'
- Drop assignments to otherwise unused variables
- Drop unused variables
- Drop remove function
- Drop dev_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:47 +0000 (15:21 -0800)]
watchdog: da9062_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'val = e; return val;' with 'return e;'
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop dev_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:47 +0000 (15:21 -0800)]
watchdog: da9055_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'goto l; ... l: return e;' with 'return e;'
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:47 +0000 (15:21 -0800)]
watchdog: da9052_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'goto l; ... l: return e;' with 'return e;'
- Replace 'val = e; return val;' with 'return e;'
- Drop assignments to otherwise unused variables
- Replace 'if (e) { return expr; }' with 'if (e) return expr;'
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Adam Thomson <Adam.Thomson.Opensource@diasemi.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:45 +0000 (15:21 -0800)]
watchdog: bcm2835_wdt: Convert to use device managed functions and other improvements
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
Other improvements as listed below.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Drop assignments to otherwise unused variables
- Replace of_iomap() with platform_get_resource() followed by
devm_ioremap_resource()
- Replace &pdev->dev with dev if 'struct device *dev' is a declared
variable
- Use devm_watchdog_register_driver() to register watchdog device
- Replace shutdown function with call to watchdog_stop_on_reboot()
Cc: Stephen Warren <swarren@wwwdotorg.org> Cc: Lee Jones <lee@kernel.org> Cc: Florian Fainelli <f.fainelli@gmail.com> Cc: Ray Jui <rjui@broadcom.com> Cc: Scott Branden <sbranden@broadcom.com> Acked-by: Eric Anholt <eric@anholt.net> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:52 +0000 (15:21 -0800)]
watchdog: mena21_wdt: Convert to use device managed functions and other improvements
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
Other improvements as listed below.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'goto l; ... l: return e;' with 'return e;'
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop unnecessary mutex_destroy() on allocated data
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Johannes Thumshirn <morbidrsa@gmail.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:22:01 +0000 (15:22 -0800)]
watchdog: wm831x_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'goto l; ... l: return e;' with 'return e;'
- Replace 'val = e; return val;' with 'return e;'
- Drop assignments to otherwise unused variables
- Replace 'if (e) { return expr; }' with 'if (e) return expr;'
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Charles Keepax <ckeepax@opensource.wolfsonmicro.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:48 +0000 (15:21 -0800)]
watchdog: digicolor_wdt: Convert to use device managed functions and other improvements
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
Other improvements as listed below.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace 'goto l; ... l: return e;' with 'return e;'
- Replace 'val = e; return val;' with 'return e;'
- Drop assignments to otherwise unused variables
- Replace 'if (e) { return expr; }' with 'if (e) return expr;'
- Drop remove function
- Replace of_iomap() with platform_get_resource() followed by
devm_ioremap_resource()
- Drop platform_set_drvdata()
- Replace &pdev->dev with dev if 'struct device *dev' is a declared
variable
- Use devm_watchdog_register_driver() to register watchdog device
- Replace shutdown function with call to watchdog_stop_on_reboot()
Guenter Roeck [Tue, 10 Jan 2017 23:21:49 +0000 (15:21 -0800)]
watchdog: iTCO_wdt: Replace shutdown function with call to watchdog_stop_on_reboot
The shutdown function calls the stop function.
Call watchdog_stop_on_reboot() from probe instead.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Replace shutdown function with call to watchdog_stop_on_reboot()
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:50 +0000 (15:21 -0800)]
watchdog: intel-mid_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:53 +0000 (15:21 -0800)]
watchdog: meson_wdt: Convert to use device managed functions and other improvements
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
Other improvements as listed below.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
- Replace shutdown function with call to watchdog_stop_on_reboot()
Cc: Carlo Caione <carlo@caione.org> Acked-by: Kevin Hilman <khilman@baylibre.com> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 10 Jan 2017 23:21:59 +0000 (15:21 -0800)]
watchdog: sunxi_wdt: Convert to use device managed functions and other improvements
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
Other improvements as listed below.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
- Replace shutdown function with call to watchdog_stop_on_reboot()
Guenter Roeck [Tue, 10 Jan 2017 23:21:44 +0000 (15:21 -0800)]
watchdog: aspeed_wdt: Convert to use device managed functions
Use device managed functions to simplify error handling, reduce
source code size, improve readability, and reduce the likelyhood of bugs.
The conversion was done automatically with coccinelle using the
following semantic patches. The semantic patches and the scripts used
to generate this commit log are available at
https://github.com/groeck/coccinelle-patches
- Drop assignments to otherwise unused variables
- Drop remove function
- Drop platform_set_drvdata()
- Use devm_watchdog_register_driver() to register watchdog device
Acked-by: Joel Stanley <joel@jms.id.au> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Tue, 3 Jan 2017 11:03:27 +0000 (03:03 -0800)]
watchdog: coh901327_wdt: Keep clock enabled after loading driver
Enabling the clock before accessing chip registers and disabling it
afterwards does not really make sense and only adds complexity to
the driver. In addition to that, a comment int the driver suggests
that it does not serve a useful purpose either.
"The watchdog block is of course always clocked, the
clk_enable()/clk_disable() calls are mainly for performing reference
counting higher up in the clock hierarchy."
Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Guenter Roeck [Thu, 29 Dec 2016 15:20:23 +0000 (07:20 -0800)]
watchdog: Enable COMPILE_TEST where possible
Building all watchdog drivers is all but impossible since many depend
on platforms which are not enabled by test builds. Add dependency on
COMPILE_TEST where possible to improve the situation.
Guenter Roeck [Thu, 29 Dec 2016 16:34:50 +0000 (08:34 -0800)]
watchdog: pnx833x_wdt: Mark as broken
pnx833x_wdt does not compile if enabled. Bit operations expect an unsigned
long as argument. If that is fixed, the build still fails because put_user,
get_user, and copy_to_user are undefined.
Bhumika Goyal [Mon, 26 Dec 2016 17:05:11 +0000 (22:35 +0530)]
watchdog: constify watchdog_info structures
Declare watchdog_info structures as const as they are only stored in the
info field of watchdog_device structures. This field is of type const
struct watchdog_info *, so watchdog_info structures having this property
can be declared const too.
Done using Coccinelle:
Bhumika Goyal [Sun, 25 Dec 2016 08:00:24 +0000 (13:30 +0530)]
watchdog: pika_wdt: add __ro_after_init to ident
The object ident of type watchdog_info structure is not
modified after getting initialized by pikawdt_init. Apart from getting
referenced in init it is also passed as an argument to the function
copy_to_user but this argument is of type const void *. Therefore add
__ro_after_init to its declaration.
Bhumika Goyal [Sat, 24 Dec 2016 16:07:32 +0000 (21:37 +0530)]
watchdog: booke_wdt: add __ro_after_init to booke_wdt_info
The object booke_wdt_info of watchdog_info structure is not
modified after getting initialized by booke_wdt_init. Apart from getting
referenced in init it is also stored in the info field of watchdog_device
structure which is of type const struct watchdog_info *info. So, it
becomes read only after init and therefore add __ro_after_init to it's
declaration.
watchdog: sa11x0/pxa: fix error path of driver initialization
The change corrects release of captured resources on error path, namely
the clock is disabled and put if misc device registration fails and not
enabled clock is not disabled now.
Fixes: 6924089c488e ("watchdog: sa11x0/pxa: get rid of get_clock_tick_rate") Signed-off-by: Vladimir Zapolskiy <vz@mleia.com> Acked-by: Robert Jarzmik <robert.jarzmik@free.fr> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Acked-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Al Viro [Sun, 19 Feb 2017 07:15:27 +0000 (07:15 +0000)]
Fix missing sanity check in /dev/sg
What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len. Or with ->dxferp pointing
to an array full of empty iovecs.
Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...
Found by Dmitry Vyukov and syzkaller.
[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
underlying issue. - Linus ]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Reported-by: Dmitry Vyukov <dvyukov@google.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Don't crash the machine just because of an empty transfer. Use WARN_ON()
combined with returning an error.
Found by Dmitry Vyukov and syzkaller.
[ Changed to "WARN_ON_ONCE()". Al has a patch that should fix the root
cause, but a BUG_ON() is not acceptable in any case, and a WARN_ON()
might still be a cause of excessive log spamming.
NOTE! If this warning ever triggers, we may end up leaking resources,
since this doesn't bother to try to clean the command up. So this
WARN_ON_ONCE() triggering does imply real problems. But BUG_ON() is
much worse.
People really need to stop using BUG_ON() for "this shouldn't ever
happen". It makes pretty much any bug worse. - Linus ]
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: James Bottomley <jejb@linux.vnet.ibm.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Willem de Bruijn [Sun, 19 Feb 2017 00:00:45 +0000 (19:00 -0500)]
ipv6: release dst on error in ip6_dst_lookup_tail
If ip6_dst_lookup_tail has acquired a dst and fails the IPv4-mapped
check, release the dst before returning an error.
Fixes: ec5e3b0a1d41 ("ipv6: Inhibit IPv4-mapped src address on the wire.") Signed-off-by: Willem de Bruijn <willemb@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 19 Feb 2017 01:38:09 +0000 (17:38 -0800)]
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"Two more bugfixes that came in during this week:
- a defconfig change to enable a vital driver used on some Qualcomm
based phones. This was already queued for 4.11, but the maintainer
asked to have it in 4.10 after all.
- a regression fix for the reset controller framework, this got
broken by a typo in the 4.10 merge window"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: multi_v7_defconfig: enable Qualcomm RPMCC
reset: fix shared reset triggered_count decrement on error
Linus Torvalds [Sun, 19 Feb 2017 01:33:17 +0000 (17:33 -0800)]
Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fix from Thomas Gleixner:
"Move the futex init function to core initcall so user mode helper does
not run into an uninitialized futex syscall"
* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Move futex_init() to core_initcall
Linus Torvalds [Sun, 19 Feb 2017 01:30:36 +0000 (17:30 -0800)]
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Thomas Gleixner:
"Two small fixes::
- Prevent deadlock on the tick broadcast lock. Found and fixed by
Mike.
- Stop using printk() in the timekeeping debug code to prevent a
deadlock against the scheduler"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timekeeping: Use deferred printk() in debug code
tick/broadcast: Prevent deadlock on tick_broadcast_lock
1) Fix leak in dpaa_eth error paths, from Dan Carpenter.
2) Use after free when using IPV6_RECVPKTINFO, from Andrey Konovalov.
3) fanout_release() cannot be invoked from atomic contexts, from Anoob
Soman.
4) Fix bogus attempt at lockdep annotation in IRDA.
5) dev_fill_metadata_dst() can OOP on a NULL dst cache pointer, from
Paolo Abeni.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
irda: Fix lockdep annotations in hashbin_delete().
vxlan: fix oops in dev_fill_metadata_dst
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
dpaa_eth: small leak on error
packet: Do not call fanout_release from atomic contexts
This RCU warning, however, is suppressed by lockdep_off() in printk().
lockdep_off() increments the ->lockdep_recursion counter and thus
disables RCU_LOCKDEP_WARN() and debug_lockdep_rcu_enabled(), which want
lockdep to be enabled "current->lockdep_recursion == 0".
Link: http://lkml.kernel.org/r/20170217015932.11898-1-sergey.senozhatsky@gmail.com Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Reported-by: Tony Lindgren <tony@atomide.com> Tested-by: Tony Lindgren <tony@atomide.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org> Cc: Petr Mladek <pmladek@suse.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Tony Lindgren <tony@atomide.com> Cc: Russell King <rmk@armlinux.org.uk> Cc: <stable@vger.kernel.org> [3.4+] Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Paolo Abeni [Fri, 17 Feb 2017 18:14:27 +0000 (19:14 +0100)]
vxlan: fix oops in dev_fill_metadata_dst
Since the commit 0c1d70af924b ("net: use dst_cache for vxlan device")
vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL
dst_cache pointer, so the latter should explicitly check for
valid dst_cache ptr. Unfortunately the commit d71785ffc7e7 ("net: add
dst_cache to ovs vxlan lwtunnel") removed said check.
As a result is possible to trigger a null pointer access calling
vxlan_fill_metadata_dst(), e.g. with:
This commit addresses the issue passing to vxlan_get_route() the
dst_cache already available into the lwt info processed by
vxlan_fill_metadata_dst().
Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Andrey Konovalov [Thu, 16 Feb 2017 16:22:46 +0000 (17:22 +0100)]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 17 Feb 2017 17:51:05 +0000 (09:51 -0800)]
Merge tag 'ntb-4.10-bugfixes' of git://github.com/jonmason/ntb
Pull NTB bugfixes frfom Jon Mason:
"NTB bug fixes to address a crash when unloading the ntb module, a DMA
engine unmap leak, allowing the proper queue choice, and clearing the
SKX irq bit"
* tag 'ntb-4.10-bugfixes' of git://github.com/jonmason/ntb:
ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly
ntb_transport: Pick an unused queue
ntb: ntb_perf missing dmaengine_unmap_put
NTB: ntb_transport: fix debugfs_remove_recursive
Dan Carpenter [Thu, 16 Feb 2017 09:56:10 +0000 (12:56 +0300)]
dpaa_eth: small leak on error
This should be >= instead of > here. It means that we don't increment
the free count enough so it becomes off by one.
Fixes: 9ad1a3749333 ("dpaa_eth: add support for DPAA Ethernet") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Arnd Bergmann [Fri, 17 Feb 2017 16:25:15 +0000 (17:25 +0100)]
Merge tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux into fixes
Pull "Reset controller fixes for v4.10" from Philipp Zabel:
- Remove erroneous negation of the error check of the reset function
to decrement trigger_count in the error case, not on success. This
fixes shared resets to actually only trigger once, as intended.
* tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux:
reset: fix shared reset triggered_count decrement on error
3. calling dev_remove_pack(&fanout->prot_hook), from inside
spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-> synchronize_net(), which might sleep.
4. fanout_release() races with calls from different CPU.
To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout->prot_hook is removed as well.
Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev") Reported-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Anoob Soman <anoob.soman@citrix.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jerome Brunet [Wed, 15 Feb 2017 18:15:51 +0000 (19:15 +0100)]
reset: fix shared reset triggered_count decrement on error
For a shared reset, when the reset is successful, the triggered_count is
incremented when trying to call the reset callback, so that another device
sharing the same reset line won't trigger it again. If the reset has not
been triggered successfully, the trigger_count should be decremented.
The code does the opposite, and decrements the trigger_count on success.
As a consequence, another device sharing the reset will be able to trigger
it again.
Fixed be removing negation in from of the error code of the reset function.
Fixes: 7da33a37b48f ("reset: allow using reset_control_reset with shared reset") Signed-off-by: Jerome Brunet <jbrunet@baylibre.com> Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com> Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Dave Jiang [Thu, 16 Feb 2017 23:22:36 +0000 (16:22 -0700)]
ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly
On Skylake hardware, the link_poll isn't clearing the pending interrupt
bit. Adding a new function for SKX that handles clearing of status bit the
right way.
Signed-off-by: Dave Jiang <dave.jiang@intel.com> Fixes: 783dfa6c ("ntb: Adding Skylake Xeon NTB support") Signed-off-by: Jon Mason <jdmason@kudzu.us>
Allen Hubbe [Tue, 27 Dec 2016 22:57:04 +0000 (17:57 -0500)]
NTB: ntb_transport: fix debugfs_remove_recursive
The call to debugfs_remove_recursive(qp->debugfs_dir) of the sub-level
directory must not be later than
debugfs_remove_recursive(nt_debugfs_dir) of the top-level directory.
Otherwise, the sub-level directory will not exist, and it would be
invalid (panic) to attempt to remove it. This removes the top-level
directory last, after sub-level directories have been cleaned up.
Signed-off-by: Allen Hubbe <Allen.Hubbe@dell.com> Fixes: e26a5843f ("NTB: Split ntb_hw_intel and ntb_transport drivers") Signed-off-by: Jon Mason <jdmason@kudzu.us>
Linus Torvalds [Fri, 17 Feb 2017 02:44:38 +0000 (18:44 -0800)]
Merge tag 'drm-fixes-for-v4.10-final' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Just two last minute fixes, one for DP MST oopses and one for a radeon
regression"
* tag 'drm-fixes-for-v4.10-final' of git://people.freedesktop.org/~airlied/linux:
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
drm/dp/mst: fix kernel oops when turning off secondary monitor
Pavel reports that it causes occasional boot hangs for him that seem to
depend on just how the machine was booted. In particular, his machine
hangs at around the PCI fixups of the EHCI USB host controller, but only
hangs from cold boot, not from a warm boot.
Thomas Gleixner suspecs it's a CPU hotplug interaction, particularly
since Pavel also saw suspend/resume issues that seem to be related.
We're reverting for now while trying to figure out the root cause.
Reported-bisected-and-tested-by: Pavel Machek <pavel@ucw.cz> Acked-by: Frederic Weisbecker <fweisbec@gmail.com> Cc: Wanpeng Li <wanpeng.li@hotmail.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Rik van Riel <riel@redhat.com> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@kernel.org # reverted commits were marked for stable Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Miklos Szeredi [Thu, 16 Feb 2017 16:49:02 +0000 (17:49 +0100)]
vfs: fix uninitialized flags in splice_to_pipe()
Flags (PIPE_BUF_FLAG_PACKET, PIPE_BUF_FLAG_GIFT) could remain on the
unused part of the pipe ring buffer. Previously splice_to_pipe() left
the flags value alone, which could result in incorrect behavior.
Uninitialized flags appears to have been there from the introduction of
the splice syscall.
Linus Torvalds [Thu, 16 Feb 2017 17:05:34 +0000 (09:05 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
Pull fuse fixes from Miklos Szeredi:
"Fix a use after free bug introduced in 4.2 and using an uninitialized
value introduced in 4.9"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: fix uninitialized flags in pipe_buffer
fuse: fix use after free issue in fuse_dev_do_read()
Linus Torvalds [Thu, 16 Feb 2017 17:03:37 +0000 (09:03 -0800)]
Merge tag 'pci-v4.10-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fix from Bjorn Helgaas:
"Add back pcie_pme_remove() so we free the IRQ when removing PCIe port
devices; previously the leaked IRQ caused an MSI BUG_ON"
* tag 'pci-v4.10-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI/PME: Restore pcie_pme_driver.remove
1) In order to avoid problems in the future, make cgroup bpf overriding
explicit using BPF_F_ALLOW_OVERRIDE. From Alexei Staovoitov.
2) LLC sets skb->sk without proper skb->destructor and this explodes,
fix from Eric Dumazet.
3) Make sure when we have an ipv4 mapped source address, the
destination is either also an ipv4 mapped address or
ipv6_addr_any(). Fix from Jonathan T. Leighton.
4) Avoid packet loss in fec driver by programming the multicast filter
more intelligently. From Rui Sousa.
5) Handle multiple threads invoking fanout_add(), fix from Eric
Dumazet.
6) Since we can invoke the TCP input path in process context, without
BH being disabled, we have to accomodate that in the locking of the
TCP probe. Also from Eric Dumazet.
7) Fix erroneous emission of NETEVENT_DELAY_PROBE_TIME_UPDATE when we
aren't even updating that sysctl value. From Marcus Huewe.
8) Fix endian bugs in ibmvnic driver, from Thomas Falcon.
[ This is the second version of the pull that reverts the nested
rhashtable changes that looked a bit too scary for this late in the
release - Linus ]
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
rhashtable: Revert nested table changes.
ibmvnic: Fix endian errors in error reporting output
ibmvnic: Fix endian error when requesting device capabilities
net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification
net: xilinx_emaclite: fix freezes due to unordered I/O
net: xilinx_emaclite: fix receive buffer overflow
bpf: kernel header files need to be copied into the tools directory
tcp: tcp_probe: use spin_lock_bh()
uapi: fix linux/if_pppol2tp.h userspace compilation errors
packet: fix races in fanout_add()
ibmvnic: Fix initial MTU settings
net: ethernet: ti: cpsw: fix cpsw assignment in resume
kcm: fix a null pointer dereference in kcm_sendmsg()
net: fec: fix multicast filtering hardware setup
ipv6: Handle IPv4-mapped src to in6addr_any dst.
ipv6: Inhibit IPv4-mapped src address on the wire.
net/mlx5e: Disable preemption when doing TC statistics upcall
rhashtable: Add nested tables
tipc: Fix tipc_sk_reinit race conditions
gfs2: Use rhashtable walk interface in glock_hash_walk
...
Michel Dänzer [Wed, 15 Feb 2017 02:28:45 +0000 (11:28 +0900)]
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
with special modes such as interlaced ones.
Fixes the HW cursor disappearing in the bottom half of the screen with
interlaced modes.
Fixes: 6b16cf7785a4 ("drm/radeon: Hide the HW cursor while it's out of bounds") Cc: stable@vger.kernel.org Reported-by: Ashutosh Kumar <ashutosh.kumar@amd.com> Tested-by: Sonny Jiang <sonny.jiang@amd.com> Reviewed-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Michel Dänzer <michel.daenzer@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Kees Cook [Thu, 16 Feb 2017 00:44:37 +0000 (01:44 +0100)]
ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
The 64-bit get_user() wasn't clearing the high word due to a typo in the
error handler. The exception handler entry was already correct, though.
Noticed during recent usercopy test additions in lib/test_user_copy.c.
Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
In commit 76624175dcae ("arm64: uaccess: consistently check object sizes"),
the object size checks are moved outside the access_ok() so that bad
destinations are detected before hitting the "memset(dest, 0, size)" in the
copy_from_user() failure path.
This makes the same change for arm, with attention given to possibly
extracting the uaccess routines into a common header file for all
architectures in the future.
Suggested-by: Mark Rutland <mark.rutland@arm.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Jens Axboe [Thu, 16 Feb 2017 14:57:33 +0000 (07:57 -0700)]
cfq-iosched: don't call wbt_disable_default() with IRQs disabled
wbt_disable_default() calls del_timer_sync() to wait for the wbt
timer to finish before disabling throttling. We can't do this with
IRQs disable. This fixes a lockdep splat on boot, if non-root
cgroups are used.
Reported-by: Gabriel C <nix.or.die@gmail.com> Fixes: 87760e5eef35 ("block: hook up writeback throttling") Signed-off-by: Jens Axboe <axboe@fb.com>
Paul Mackerras [Thu, 16 Feb 2017 02:49:21 +0000 (13:49 +1100)]
powerpc/64: Disable use of radix under a hypervisor
Currently, if the kernel is running on a POWER9 processor under a
hypervisor, it may try to use the radix MMU even though it doesn't have
the necessary code to do so (it doesn't negotiate use of radix, and it
doesn't do the H_REGISTER_PROC_TBL hcall). If the hypervisor supports
both radix and HPT, then it will set up the guest to use HPT (since the
guest doesn't request radix in the CAS call), but if the radix feature
bit is set in the ibm,pa-features property (which is valid, since
ibm,pa-features is defined to represent the capabilities of the
processor) the guest will try to use radix, resulting in a crash when
it turns the MMU on.
This makes the minimal fix for the current code, which is to disable
radix unless we are running in hypervisor mode.
Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Paul Mackerras <paulus@ozlabs.org> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Thomas Falcon [Wed, 15 Feb 2017 16:32:11 +0000 (10:32 -0600)]
ibmvnic: Fix endian error when requesting device capabilities
When a vNIC client driver requests a faulty device setting, the
server returns an acceptable value for the client to request.
This 64 bit value was incorrectly being swapped as a 32 bit value,
resulting in loss of data. This patch corrects that by using
the 64 bit swap function.
Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
When setting a neigh related sysctl parameter, we always send a
NETEVENT_DELAY_PROBE_TIME_UPDATE netevent. For instance, when
executing
sysctl net.ipv6.neigh.wlp3s0.retrans_time_ms=2000
a NETEVENT_DELAY_PROBE_TIME_UPDATE netevent is generated.
This is caused by commit 2a4501ae18b5 ("neigh: Send a
notification when DELAY_PROBE_TIME changes"). According to the
commit's description, it was intended to generate such an event
when setting the "delay_first_probe_time" sysctl parameter.
In order to fix this, only generate this event when actually
setting the "delay_first_probe_time" sysctl parameter. This fix
should not have any unintended side-effects, because all but one
registered netevent callbacks check for other netevent event
types (the registered callbacks were obtained by grepping for
"register_netevent_notifier"). The only callback that uses the
NETEVENT_DELAY_PROBE_TIME_UPDATE event is
mlxsw_sp_router_netevent_event() (in
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c): in case
of this event, it only accesses the DELAY_PROBE_TIME of the
passed neigh_parms.
Fixes: 2a4501ae18b5 ("neigh: Send a notification when DELAY_PROBE_TIME changes") Signed-off-by: Marcus Huewe <suse-tux@gmx.de> Reviewed-by: Ido Schimmel <idosch@mellanox.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Anssi Hannula [Tue, 14 Feb 2017 17:11:45 +0000 (19:11 +0200)]
net: xilinx_emaclite: fix freezes due to unordered I/O
The xilinx_emaclite uses __raw_writel and __raw_readl for register
accesses. Those functions do not imply any kind of memory barriers and
they may be reordered.
The driver does not seem to take that into account, though, and the
driver does not satisfy the ordering requirements of the hardware.
For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
which try to set MDIO address before initiating the transaction.
I'm seeing system freezes with the driver with GCC 5.4 and current
Linux kernels on Zynq-7000 SoC immediately when trying to use the
interface.
In commit 123c1407af87 ("net: emaclite: Do not use microblaze and ppc
IO functions") the driver was switched from non-generic
in_be32/out_be32 (memory barriers, big endian) to
__raw_readl/__raw_writel (no memory barriers, native endian), so
apparently the device follows system endianness and the driver was
originally written with the assumption of memory barriers.
Rather than try to hunt for each case of missing barrier, just switch
the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
on endianness instead.
Tested on little-endian Zynq-7000 ARM SoC FPGA.
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi> Fixes: 123c1407af87 ("net: emaclite: Do not use microblaze and ppc IO
functions") Signed-off-by: David S. Miller <davem@davemloft.net>
Anssi Hannula [Tue, 14 Feb 2017 17:11:44 +0000 (19:11 +0200)]
net: xilinx_emaclite: fix receive buffer overflow
xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.
Fix those cases.
Also add an additional unconditional check with WARN_ON() at the end.
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi> Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") Signed-off-by: David S. Miller <davem@davemloft.net>
Yinghai Lu [Wed, 15 Feb 2017 05:17:48 +0000 (21:17 -0800)]
PCI/PME: Restore pcie_pme_driver.remove
In addition to making PME non-modular, d7def2040077 ("PCI/PME: Make
explicitly non-modular") removed the pcie_pme_driver .remove() method,
pcie_pme_remove().
pcie_pme_remove() freed the PME IRQ that was requested in pci_pme_probe().
The fact that we don't free the IRQ after d7def2040077 causes the following
crash when removing a PCIe port device via /sys:
We cannot do printk() from tk_debug_account_sleep_time(), because
tk_debug_account_sleep_time() is called under tk_core seq lock.
The reason why printk() is unsafe there is that console_sem may
invoke scheduler (up()->wake_up_process()->activate_task()), which,
in turn, can return back to timekeeping code, for instance, via
get_time()->ktime_get(), deadlocking the system on tk_core seq lock.
[ 48.950592] ======================================================
[ 48.950622] [ INFO: possible circular locking dependency detected ]
[ 48.950622] 4.10.0-rc7-next-20170213+ #101 Not tainted
[ 48.950622] -------------------------------------------------------
[ 48.950622] kworker/0:0/3 is trying to acquire lock:
[ 48.950653] (tk_core){----..}, at: [<c01cc624>] retrigger_next_event+0x4c/0x90
[ 48.950683]
but task is already holding lock:
[ 48.950683] (hrtimer_bases.lock){-.-...}, at: [<c01cc610>] retrigger_next_event+0x38/0x90
[ 48.950714]
which lock already depends on the new lock.
[ 48.951782] 3 locks held by kworker/0:0/3:
[ 48.951782] #0: ("events"){.+.+.+}, at: [<c0156590>] process_one_work+0x1f8/0x808
[ 48.951812] #1: (hrtimer_work){+.+...}, at: [<c0156590>] process_one_work+0x1f8/0x808
[ 48.951843] #2: (hrtimer_bases.lock){-.-...}, at: [<c01cc610>] retrigger_next_event+0x38/0x90
[ 48.951843] stack backtrace:
[ 48.951873] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.10.0-rc7-next-20170213+
[ 48.951904] Workqueue: events clock_was_set_work
[ 48.951904] [<c0110208>] (unwind_backtrace) from [<c010c224>] (show_stack+0x10/0x14)
[ 48.951934] [<c010c224>] (show_stack) from [<c04ca6c0>] (dump_stack+0xac/0xe0)
[ 48.951934] [<c04ca6c0>] (dump_stack) from [<c019b5cc>] (print_circular_bug+0x1d0/0x308)
[ 48.951965] [<c019b5cc>] (print_circular_bug) from [<c019d2a8>] (validate_chain+0xf50/0x1324)
[ 48.951965] [<c019d2a8>] (validate_chain) from [<c019ec18>] (__lock_acquire+0x468/0x7e8)
[ 48.951995] [<c019ec18>] (__lock_acquire) from [<c019f634>] (lock_acquire+0xe0/0x294)
[ 48.951995] [<c019f634>] (lock_acquire) from [<c01d0ea0>] (ktime_get_update_offsets_now+0x5c/0x1d4)
[ 48.952026] [<c01d0ea0>] (ktime_get_update_offsets_now) from [<c01cc624>] (retrigger_next_event+0x4c/0x90)
[ 48.952026] [<c01cc624>] (retrigger_next_event) from [<c01e4e24>] (on_each_cpu+0x40/0x7c)
[ 48.952056] [<c01e4e24>] (on_each_cpu) from [<c01cafc4>] (clock_was_set_work+0x14/0x20)
[ 48.952056] [<c01cafc4>] (clock_was_set_work) from [<c015664c>] (process_one_work+0x2b4/0x808)
[ 48.952087] [<c015664c>] (process_one_work) from [<c0157774>] (worker_thread+0x3c/0x550)
[ 48.952087] [<c0157774>] (worker_thread) from [<c015d644>] (kthread+0x104/0x148)
[ 48.952087] [<c015d644>] (kthread) from [<c0107830>] (ret_from_fork+0x14/0x24)
Replace printk() with printk_deferred(), which does not call into
the scheduler.
Fixes: 0bf43f15db85 ("timekeeping: Prints the amounts of time spent during suspend") Reported-and-tested-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com> Cc: Petr Mladek <pmladek@suse.com> Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: John Stultz <john.stultz@linaro.org> Cc: "[4.9+]" <stable@vger.kernel.org> Link: http://lkml.kernel.org/r/20170215044332.30449-1-sergey.senozhatsky@gmail.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
drm/dp/mst: fix kernel oops when turning off secondary monitor
100% reproducible issue found on SKL SkullCanyon NUC with two external
DP daisy-chained monitors in DP/MST mode. When turning off or changing
the input of the second monitor the machine stops with a kernel
oops. This issue happened with 4.8.8 as well as drm/drm-intel-nightly.
This issue is traced to an inconsistent control flow in
drm_dp_update_payload_part1(): the 'port' pointer is set to NULL at the
same time as 'req_payload.num_slots' is set to zero, but the pointer is
dereferenced even when req_payload.num_slot is zero.
The problematic dereference was introduced in commit dfda0df34
("drm/mst: rework payload table allocation to conform better") and may
impact all versions since v3.18
The fix suggested by Chris Wilson removes the kernel oops and was found to
work well after 10mn of monkey-testing with the second monitor power and
input buttons
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98990 Fixes: dfda0df34264 ("drm/mst: rework payload table allocation to conform better.") Cc: Dave Airlie <airlied@redhat.com> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Nathan D Ciobanu <nathan.d.ciobanu@linux.intel.com> Cc: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com> Cc: Sean Paul <seanpaul@chromium.org> Cc: <stable@vger.kernel.org> # v3.18+ Tested-by: Nathan D Ciobanu <nathan.d.ciobanu@linux.intel.com> Reviewed-by: Dhinakaran Pandiyan <dhinakaran.pandiyan@intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Signed-off-by: Jani Nikula <jani.nikula@intel.com> Link: http://patchwork.freedesktop.org/patch/msgid/1487076561-2169-1-git-send-email-jani.nikula@intel.com
Sahitya Tummala [Wed, 8 Feb 2017 15:00:56 +0000 (20:30 +0530)]
fuse: fix use after free issue in fuse_dev_do_read()
There is a potential race between fuse_dev_do_write()
and request_wait_answer() contexts as shown below:
TASK 1:
__fuse_request_send():
|--spin_lock(&fiq->waitq.lock);
|--queue_request();
|--spin_unlock(&fiq->waitq.lock);
|--request_wait_answer():
|--if (test_bit(FR_SENT, &req->flags))
<gets pre-empted after it is validated true>
TASK 2:
fuse_dev_do_write():
|--clears bit FR_SENT,
|--request_end():
|--sets bit FR_FINISHED
|--spin_lock(&fiq->waitq.lock);
|--list_del_init(&req->intr_entry);
|--spin_unlock(&fiq->waitq.lock);
|--fuse_put_request();
|--queue_interrupt();
<request gets queued to interrupts list>
|--wake_up_locked(&fiq->waitq);
|--wait_event_freezable();
<as FR_FINISHED is set, it returns and then
the caller frees this request>
Now, the next fuse_dev_do_read(), see interrupts list is not empty
and then calls fuse_read_interrupt() which tries to access the request
which is already free'd and gets the below crash:
[11432.401266] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b
...
[11432.418518] Kernel BUG at ffffff80083720e0
[11432.456168] PC is at __list_del_entry+0x6c/0xc4
[11432.463573] LR is at fuse_dev_do_read+0x1ac/0x474
...
[11432.679999] [<ffffff80083720e0>] __list_del_entry+0x6c/0xc4
[11432.687794] [<ffffff80082c65e0>] fuse_dev_do_read+0x1ac/0x474
[11432.693180] [<ffffff80082c6b14>] fuse_dev_read+0x6c/0x78
[11432.699082] [<ffffff80081d5638>] __vfs_read+0xc0/0xe8
[11432.704459] [<ffffff80081d5efc>] vfs_read+0x90/0x108
[11432.709406] [<ffffff80081d67f0>] SyS_read+0x58/0x94
As FR_FINISHED bit is set before deleting the intr_entry with input
queue lock in request completion path, do the testing of this flag and
queueing atomically with the same lock in queue_interrupt().
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts") Cc: <stable@vger.kernel.org> # 4.2+
Stephen Rothwell [Mon, 13 Feb 2017 21:22:20 +0000 (08:22 +1100)]
bpf: kernel header files need to be copied into the tools directory
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 15 Feb 2017 01:11:14 +0000 (17:11 -0800)]
tcp: tcp_probe: use spin_lock_bh()
tcp_rcv_established() can now run in process context.
We need to disable BH while acquiring tcp probe spinlock,
or risk a deadlock.
Fixes: 5413d1babe8f ("net: do not block BH while processing socket backlog") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Ricardo Nabinger Sanchez <rnsanchez@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
projects / karo-tx-linux.git / log