Sync up with Linus #70
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The SCC PATA interface is only used by celleb. celleb has been dropped [1], so drop the drivers. [1] http://patchwork.ozlabs.org/patch/451730/ CC: "David S. Miller" <davem@davemloft.net> CC: linux-ide@vger.kernel.org CC: Valentin Rothberg <valentinrothberg@gmail.com> CC: mpe@ellerman.id.au CC: linuxppc-dev@lists.ozlab.org Acked-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Tejun Heo <tj@kernel.org>
Fix: drivers/spi/spi-bcm2835.c: In function 'chip_match_name': drivers/spi/spi-bcm2835.c:356:21: error: dereferencing pointer to incomplete type drivers/spi/spi-bcm2835.c: In function 'bcm2835_spi_setup': drivers/spi/spi-bcm2835.c:382:2: error: ` implicit declaration of function 'gpiochip_find' drivers/spi/spi-bcm2835.c:387:21: error: dereferencing pointer to incomplete type by adding the now mandatory GPIOLIB dependency. Fixes: a30a555 ("spi: bcm2835: transform native-cs to gpio-cs on first spi_setup") Cc: Martin Sperl <kernel@martin.sperl.org> Signed-off-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Mark Brown <broonie@kernel.org>
The way that the timeout code is written in the polling function the timeout does also trigger when interrupted or rescheduled while in the polling loop. This patch changes the timeout from effectively 20ms (=2 jiffies) to 1 second and removes the time that the transfer really takes out of the computation, as - per design - this is <30us and the jiffie resolution is 10ms so that does not make any difference what so ever. Signed-off-by: Martin Sperl <kernel@martin.sperl.org> Signed-off-by: Mark Brown <broonie@kernel.org>
Some spi device drivers use the same tx_buf and rx_buf repeatly for better performance such as driver/input/touchsreen/ads7846.c, but spi core grab tx_buf /rx_buf of transfer and set them as dummy_tx/dummy_rx once they are NULL. Thus, in the second time the tx_buf/rx_buf will be replaced by dummy_tx/dummy_rx and the data which produced by the last tx or rx may be wrongly sent to the device or handled by the upper level protocol. This patch just keep the orignal value of tx_buf/rx_buf if they are NULL after this transfer processed. Signed-off-by: Robin Gong <b38343@freescale.com> Signed-off-by: Mark Brown <broonie@kernel.org>
Reset dapswjdp is controlled by JTAG_TRSTN, if the iomux of this pin is not "jtag_trstn". the AP would think this pin is always high, so it can not reset before resume. When system resume, but the dapswjdp is not in a default state, it may Access some illegal address, it cause system crash during resume. Let's disable this jtag function by clear the dapdeviceen bit, it prohibit the dapswjdp to access memory and registers. This bit would be enable in MASKROM, so we need clear it in suspend everytime. Signed-off-by: Chris Zhong <zyw@rock-chips.com> Reviewed-by: Doug Anderson <dianders@chromium.org> Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Sometimes the debug module may not work well after resume, since it has not been correctly reset when wakeup from suspend. That cause system crash during reusme, and a 'undefined instruction' is displayed on the console. Set the GRF_FORCE_JTAG bit of RK3288_GRF_SOC_CON0 can ensure that debug modul is reset. And we can change the value of RK3288_GRF_SOC_CON0 back when system resume. Signed-off-by: Chris Zhong <zyw@rock-chips.com> Tested-by: Caesar Wang <wxt@rock-chips.com> Reviewed-by: Douglas Anderson <dianders@chromium.org> According to discussions, there does not seem a better solution available. Please also see the potential security implication described in the comment inline in the code. Signed-off-by: Heiko Stuebner <heiko@sntech.de>
timer7 supplies the architected timer and thus as has to run when the system clocksource and clockevents drivers are registered. While it should be the responsibility of the bootloader to do this, and there exists a fix in a community u-boot, all u-boot based systems that actually shipped have the mentioned issue. Therefore to not require every developer to update their u-boot, add a snippet for this, enabling the timer early in the kernel. Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Some controller drivers have no need of this callback (spi-altera even causes a NULL pointer dereference because it doesn't register the callback, falsely assuming that it is already optional). Fixes: 30af9b5 ("spi/bitbang: Drop empty setup() functions") Signed-off-by: Pelle Nilsson <per.nilsson@xelmo.com> Reviewed-by: Ezequiel Garcia <ezequiel.garcia@vanguardiasur.com.ar> Signed-off-by: Mark Brown <broonie@kernel.org>
Brian noticed while working on another SATA driver that uses libahci_platform,
an error in this driver; it tries to the the driver data for its
device, while libata also thinks it can set the driver data. See:
ahci_platform_init_host()
-> ata_host_alloc_pinfo()
-> ata_host_alloc()
-> dev_set_drvdata()
So instead of sticking the IP-specific platform data into drvdata, let's
use the plat_data variable that is reserved for this use.
Addtionally plat_data isn't set until ahci_platform_init_host() has been
called further down in probe(). So re-work the st_ahci_probe_resets and
st_ahci_deassert_resets functions to take ahci_host_priv *hpriv as a
parameter.
Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Suggested-by: Brian Norris <computersforpeace@gmail.com>
Cc: Srinivas Kandagatla <srinivas.kandagatla@gmail.com>
Cc: Maxime Coquelin <maxime.coquelin@st.com>
Cc: Patrice Chotard <patrice.chotard@st.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
On CPM2, the SPI parameter RAM is dynamically allocated in the dualport RAM whereas in CPM1, it is statically allocated to a default address with capability to relocate it somewhere else via the use of CPM micropatch. The address of the parameter RAM is given by the boot loader and expected to be mapped via devm_ioremap_resource() In the current implementation, in function fsl_spi_cpm_get_pram() there is a confusion between the SPI_BASE register and the base of the SPI parameter RAM. Fortunatly, it is working properly with MPC866 and MPC885 because they do set SPI_BASE, but on MPC860 and other old MPC8xx that doesn't set SPI_BASE, pram_ofs is not properly set. Also, the parameter RAM is not properly mapped with devm_ioremap_resource() as it should but still gets accessible by chance through the full RAM which is mapped from somewhere else. This patch applies to the SPI driver the same principle as for the CPM UART: when the CPM is of type CPM1, we simply do an devm_ioremap_resource() of the area provided via the device tree. Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> Signed-off-by: Mark Brown <broonie@kernel.org>
Use the namespace's block format for reporting the max transfer length. Max unmap count is left as-is since NVMe doesn't provide a max, so the value the driver provided the block layer is valid for any format. Reported-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Keith Busch <keith.busch@intel.com> Signed-off-by: Jens Axboe <axboe@fb.com>
Firstly during CPU hotplug, even queue is freezed, timeout handler still may come and access hctx->tags, which may cause use after free, so this patch deactivates timeout handler inside CPU hotplug notifier. Secondly, tags can be shared by more than one queues, so we have to check if the hctx has been unmapped, otherwise still use-after-free on tags can be triggered. Cc: <stable@vger.kernel.org> Reported-by: Dongsu Park <dongsu.park@profitbricks.com> Tested-by: Dongsu Park <dongsu.park@profitbricks.com> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Jens Axboe <axboe@fb.com>
hctx->tags has to be set as NULL in case that it is to be unmapped no matter if set->tags[hctx->queue_num] is NULL or not in blk_mq_map_swqueue() because shared tags can be freed already from another request queue. The same situation has to be considered during handling CPU online too. Unmapped hw queue can be remapped after CPU topo is changed, so we need to allocate tags for the hw queue in blk_mq_map_swqueue(). Then tags allocation for hw queue can be removed in hctx cpu online notifier, and it is reasonable to do that after mapping is updated. Cc: <stable@vger.kernel.org> Reported-by: Dongsu Park <dongsu.park@profitbricks.com> Tested-by: Dongsu Park <dongsu.park@profitbricks.com> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Jens Axboe <axboe@fb.com>
mm/page-writeback.c has several places where 1 is added to the divisor to prevent division by zero exceptions; however, if the original divisor is equivalent to -1, adding 1 leads to division by zero. There are three places where +1 is used for this purpose - one in pos_ratio_polynom() and two in bdi_position_ratio(). The second one in bdi_position_ratio() actually triggered div-by-zero oops on a machine running a 3.10 kernel. The divisor is x_intercept - bdi_setpoint + 1 == span + 1 span is confirmed to be (u32)-1. It isn't clear how it ended up that but it could be from write bandwidth calculation underflow fixed by c72efb6 ("writeback: fix possible underflow in write bandwidth calculation"). At any rate, +1 isn't a proper protection against div-by-zero. This patch converts all +1 protections to |1. Note that bdi_update_dirty_ratelimit() was already using |1 before this patch. Signed-off-by: Tejun Heo <tj@kernel.org> Cc: stable@vger.kernel.org Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Jens Axboe <axboe@fb.com>
Our issue is descripted in below call path:
->elevator_init
->elevator_init_fn
->{cfq,deadline,noop}_init_queue
->elevator_alloc
->kzalloc_node
fail to call kzalloc_node and then put module in elevator_alloc;
fail to call elevator_init_fn and then put module again in elevator_init.
Remove elevator_put invoking in error path of elevator_alloc to avoid
double release issue.
Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
The spi queue waits forever for spi_finalize_current_message() to be called, blocking the bus. Ensure that all error paths from omap2_mcspi_transfer_one_message() call spi_finalize_current_message(). Signed-off-by: Fionn Cleary <fionn.cleary@streamunlimited.com> Signed-off-by: Mark Brown <broonie@kernel.org>
…de', 'spi/fix/bitbang', 'spi/fix/fsl-cpm' and 'spi/fix/omap2-mcspi' into spi-linus
LS1021A chip also has the DSPI module. Add it to the dependence. Signed-off-by: Haikun Wang <haikun.wang@freescale.com> Signed-off-by: Mark Brown <broonie@kernel.org>
devm_ioremap_resource() doesn't return NULL but an ERR_PTR on error. Reported-by: Jonas Gorsky <jogo@openwrt.org> Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr> Signed-off-by: Mark Brown <broonie@kernel.org>
Without this system suspend is broken on systems that have drivers calling enable/disable_irq_wake() for interrupts based off the dummy irq hook. (e.g. drivers/gpio/gpio-pcf857x.c) Signed-off-by: Roger Quadros <rogerq@ti.com> Cc: <cw00.choi@samsung.com> Cc: <balbi@ti.com> Cc: <tony@atomide.com> Cc: Gregory Clement <gregory.clement@free-electrons.com> Link: http://lkml.kernel.org/r/552E1DD3.4040106@ti.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Now that the users of gic_arch_extn have been fixed, drop the "feature" for good. This leads to the removal of some now useless locking. Signed-off-by: Marc Zyngier <marc.zyngier@arm.com> Cc: linux-arm-kernel@lists.infradead.org Cc: Jason Cooper <jason@lakedaemon.net> Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
A clockevent device is marked DETACHED when it is replaced by another clockevent device. The device is shutdown properly for drivers that implement legacy ->set_mode() callback, as we call ->set_mode() for CLOCK_EVT_MODE_UNUSED as well. But for the new per-state callback interface, we skip shutting down the device, as we thought its an internal state change. That wasn't correct. The effect is that the device is left programmed in oneshot or periodic mode. Fall-back to 'case CLOCK_EVT_STATE_SHUTDOWN', to shutdown the device. Fixes: bd624d7 "clockevents: Introduce mode specific callbacks" Reported-by: Daniel Lezcano <daniel.lezcano@linaro.org> Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org> Cc: linaro-kernel@lists.linaro.org Cc: Peter Zijlstra <peterz@infradead.org> Link: http://lkml.kernel.org/r/eef0a91c51b74d4e52c8e5a95eca27b5a0563f07.1428650683.git.viresh.kumar@linaro.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
This patch makes possible for protocol drivers to do full-duplex SPI transfers properly. Until now this driver could only be used for half-duplex transfers, since it always expected an spi_transfer with non-null tx_buf to be only used for TX, and those with non-null rx_buf to be only used for RX. The fix consists in correcting the fsl_espi_transfer length by taking into consideration duplex spi_transfers, and not just by adding n_tx and n_rx. Furthermore, this correction has exposed an inconsistency in the protocol driver <-> controller driver interaction. The spi-fsl-espi driver artificially inserts TX bytes when message fragmentation is necessary (due to SPCOM_TRANLEN_MAX) instead of informing the protocol driver of the hardware limitation. This was tested with the m25p80 NOR flash protocol driver. Since fixing this issue may cause other client drivers to malfunction, it was left as is. Signed-off-by: Jonatas Rech <jonatas.rech@datacom.ind.br> Signed-off-by: Mark Brown <broonie@kernel.org>
This is a preparation commit that will allow to add other criteria according to which PHY events should be dropped. Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Cc: stable@vger.kernel.org
When the LPM policy is set to ATA_LPM_MAX_POWER, the device might generate a spurious PHY event that cuases errors on the link. Ignore this event if it occured within 10s after the policy change. The timeout was chosen observing that on a Dell XPS13 9333 these spurious events can occur up to roughly 6s after the policy change. Link: http://lkml.kernel.org/g/3352987.ugV1Ipy7Z5@xps13 Signed-off-by: Gabriele Mazzotta <gabriele.mzt@gmail.com> Signed-off-by: Tejun Heo <tj@kernel.org> Cc: stable@vger.kernel.org
The GPIO regulator for the SD-card isn't a ux500 SOC configuration, but instead it's specific to the board. Move the definition of it, into the board DTSs. Fixes: c94a4ab ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@sonymobile.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Fixes: c94a4ab ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@sonymobile.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Fixes: c94a4ab ("ARM: ux500: Disable the MMCI gpio-regulator by default") Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Reviewed-by: Bjorn Andersson <bjorn.andersson@sonymobile.com> Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
There is no crystal connected to the internal RTC on the Open Block AX3. So let's disable it in order to prevent the kernel probing the driver uselessly. Eventually this patches removes the following warning message from the boot log: "rtc-mv d0010300.rtc: internal RTC not ticking" Acked-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com> Cc: <stable@vger.kernel.org> # v3.8 +
path_openat() jumps to the wrong place after do_tmpfile() - it has already done path_cleanup() (as part of path_lookupat() called by do_tmpfile()), so doing that again can lead to double fput(). Cc: stable@vger.kernel.org # v3.11+ Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
…/git/viro/vfs Pull vfs fixes from Al Viro: "A couple of fixes for bugs caught while digging in fs/namei.c. The first one is this cycle regression, the second is 3.11 and later" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: path_openat(): fix double fput() namei: d_is_negative() should be checked before ->d_seq validation
This fixes a dumb bug in fs_fully_visible that allows proc or sys to be mounted if there is a bind mount of part of /proc/ or /sys/ visible. Cc: stable@vger.kernel.org Reported-by: Eric Windisch <ewindisch@docker.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
We cast away the volatile, but really, why make it volatile at all? We already do a mb() inside the cpumask_empty() loop. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
…m/linux/kernel/git/tip/tip Pull timer fix from Thomas Gleixner: "A simple fix to actually shut down a detached device instead of keeping it active" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clockevents: Shutdown detached clockevent device
…inux/kernel/git/tip/tip
Pull irq updates from Thomas Gleixner:
"Two patches from the irq departement:
- a simple fix to make dummy_irq_chip usable for wakeup scenarios
- removal of the gic arch_extn hackery. Now that all users are
converted we really want to get rid of the interface so people wont
come up with new use cases"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip: gic: Drop support for gic_arch_extn
genirq: Set IRQCHIP_SKIP_SET_WAKE flag for dummy_irq_chip
…/git/ebiederm/user-namespace Pull user-namespace fix from Eric Biederman: "Eric Windish recently reported a really bug that allows mounting fresh copies of proc and sysfs when it really should not be allowed. The code attempted to verify that proc and sysfs were fully visible but there is a test missing to ensure that the root of the filesystem is visible. Doh! The following patch fixes that. This fixes a containment issue that the docker folks are seeing" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: mnt: Fix fs_fully_visible to verify the root directory is visible
…nel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"A few patches have come up since the merge window. The largest one is
a rewrite of the PXA lubbock/mainstone IRQ handling. This was already
broken in 2011 by a change to the GPIO code and only noticed now.
The other changes contained here are:
MAINTAINERS file updates:
- Ray Jui and Scott Branden are now co-maintainers for some of the
mach-bcm chips, while Christian Daudt and Marc Carino have stepped
down.
- Andrew Victor is no longer maintaining at91. Instead, Alexandre
Belloni now becomes an official maintainer, after having done a
bulk of the work for a while.
- Baruch Siach, who added the mach-digicolor platform in 4.1 is now
listed as maintainer
- The git URL for mach-socfpga has changed
Bug fixes:
- Three bug fixes for new rockchip rk3288 code
- A regression fix to make SD card support work on certain ux500
boards
- multiple smaller dts fixes for imx, omap, mvebu, and shmobile
- a regression fiix for omap3 power consumption
- a fix for regression in the ARM CCI bus driver
Configuration changes:
- more imx platforms are now enabled in multi_v7_defconfig"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (39 commits)
MAINTAINERS: add Conexant Digicolor machines entry
MAINTAINERS: socfpga: update the git repo for SoCFPGA
ARM: multi_v7_defconfig: Select more FSL SoCs
MAINTAINERS: replace an AT91 maintainer
drivers: CCI: fix used_mask init in validate_group()
bus: omap_l3_noc: Fix master id address decoding for OMAP5
bus: omap_l3_noc: Fix offset for DRA7 CLK1_HOST_CLK1_2 instance
ARM: dts: dra7: Fix efuse register size for ABB
ARM: dts: am57xx-beagle-x15: Switch GPIO fan number
ARM: dts: am57xx-beagle-x15: Switch UART mux pins
ARM: dts: am437x-sk: reduce col-scan-delay-us
ARM: dts: am437x-sk: fix for new newhaven display module revision
ARM: dts: am57xx-beagle-x15: Fix RTC aliases
ARM: dts: am57xx-beagle-x15: Fix IRQ type for mcp7941x
ARM: dts: omap3: Add #iommu-cells to isp and iva iommu
ARM: omap2plus_defconfig: Enable EXTCON_USB_GPIO
ARM: dts: OMAP3-N900: Add microphone bias voltages
ARM: OMAP2+: Fix omap off idle power consumption creeping up
MAINTAINERS: Update brcmstb entry
MAINTAINERS: Remove Christian Daudt for mach-bcm
...
Avoton AHCI occasionally sees drive probe timeouts at driver load time. When this happens SCR_STATUS indicates device detected, but no D2H FIS reception. Reset the internal link state machines by bouncing port-enable in the PCS register when this occurs. Cc: <stable@vger.kernel.org> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Tejun Heo <tj@kernel.org>
…nel/git/kgene/linux-samsung Pull samsung fixes from Kukjin Kim: "Here is Samsung fixes for v4.1. Since I've missed to send this via arm-soc tree before v4.1-rc3, so I'm sending this to you directly - fix commit ea08de1 ("ARM: dts: Add DISP1 power domain for exynos5420") which causes 'unhandled fault: imprecise external abort' error when PD turned off. ("make DP a consumer of DISP1 power domain") - fix 's3c-rtc' probe failure on Odriod-X2/U2/U3 boards ("add 'rtc_src' clock to rtc node for source clock of rtc") - fix typo for 'cpu-crit-0' trip point on exynos5420/5440 - fix S2R failure on exynos5250-snow due to card power of Marvell WiFi driver (suspend/resume) ("add keep-power-in-susped to WiFi SDIO node")" * tag 'samsung-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kgene/linux-samsung: ARM: dts: Add keep-power-in-suspend to WiFi SDIO node for exynos5250-snow ARM: dts: Fix typo in trip point temperature for exynos5420/5440 ARM: dts: add 'rtc_src' clock to rtc node for exynos4412-odroid boards ARM: dts: Make DP a consumer of DISP1 power domain on Exynos5420
Pull ARM fixes from Russell King:
"A set of ARM fixes:
- fix an off-by-one error in the iommu DMA ops, which caused errors
with a 4GiB size.
- remove comments mentioning the non-existent CONFIG_CPU_ARM1020_CPU_IDLE
macro.
- remove useless CONFIG_CPU_ICACHE_STREAMING_DISABLE blocks, where
this symbol never appeared in any Kconfig.
- fix Feroceon code to cope with a previous change correctly (it
incorrectly left an additional word in an assembly structure
definition)
- avoid a misleading IRQ affinity warning in the ARM PMU code for
IRQs which are already affine to their CPUs.
- fix the node name printed in the IRQ affinity warning"
* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
ARM: 8352/1: perf: Fix the pmu node name in warning message
ARM: 8351/1: perf: don't warn about missing interrupt-affinity property for PPIs
ARM: 8350/1: proc-feroceon: Fix feroceon_proc_info macro
ARM: 8349/1: arch/arm/mm/proc-arm925.S: remove dead #ifdef block
ARM: 8348/1: remove comments on CPU_ARM1020_CPU_IDLE
ARM: 8347/1: dma-mapping: fix off-by-one check in arm_setup_iommu_dma_ops
Since commit 844b03f we make sure that after vblank irq off, we return the last valid (vblank count, vblank timestamp) pair to clients, e.g., during modesets, which is good. An overlooked side effect of that commit for kms drivers without support for precise vblank timestamping is that at vblank irq enable, when we update the vblank counter from the hw counter, we can't update the corresponding vblank timestamp, so now we have a totally mismatched timestamp for the new count to confuse clients. Restore old client visible behaviour from before Linux 3.17, but zero out the timestamp at vblank counter update (instead of disable as in original implementation) if we can't generate a meaningful timestamp immediately for the new vblank counter. This will fix this regression, so callers know they need to retry again later if they need a valid timestamp, but at the same time preserves the improvements made in the commit mentioned above. Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com> Cc: <stable@vger.kernel.org> #v3.17+ Cc: Ville Syrjälä <ville.syrjala@linux.intel.com> Cc: Daniel Vetter <daniel@ffwll.ch> Signed-off-by: Dave Airlie <airlied@redhat.com>
…rg/drm-intel into drm-fixes misc i915 fixes. * tag 'drm-intel-fixes-2015-05-08' of git://anongit.freedesktop.org/drm-intel: drm/i915: Drop PIPE-A quirk for 945GSE HP Mini drm/i915: Sink rate read should be saved in deca-kHz drm/i915/dp: there is no audio on port A drm/i915: Add missing MacBook Pro models with dual channel LVDS drm/i915: Assume dual channel LVDS if pixel clock necessitates it
Pull drm fixes from Dave Airlie: "I really need to get back to sending these on my Friday, instead of my Monday morning, but nothing too amazing in here: a few amdkfd fixes, a few radeon fixes, i915 fixes, one tegra fix and one core fix" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm: Zero out invalid vblank timestamp in drm_update_vblank_count. drm/tegra: Don't use vblank_disable_immediate on incapable driver. drm/radeon: stop trying to suspend UVD sessions drm/radeon: more strictly validate the UVD codec drm/radeon: make UVD handle checking more strict drm/radeon: make VCE handle check more strict drm/radeon: fix userptr lockup drm/radeon: fix userptr BO unpin bug v3 drm/amdkfd: Initialize sdma vm when creating sdma queue drm/amdkfd: Don't report local memory size drm/amdkfd: allow unregister process with queues drm/i915: Drop PIPE-A quirk for 945GSE HP Mini drm/i915: Sink rate read should be saved in deca-kHz drm/i915/dp: there is no audio on port A drm/i915: Add missing MacBook Pro models with dual channel LVDS drm/i915: Assume dual channel LVDS if pixel clock necessitates it drm/radeon: don't setup audio on asics that don't support it drm/radeon: disable semaphores for UVD V1 (v2)
spi: Fixes for v4.1 A few driver fixes plus two changes for the core, one to make the setup_transfer() callback optional which fixes crashes in some drivers which were updated to use new interfaces without apparent testing and one to ensure we don't expose the data buffers we use for dummy transfers to drivers which avoids potential issues with multiple accesses to them or reuse. # gpg: Signature made Sat 25 Apr 2015 10:59:47 BST using RSA key ID 5D5487D0 # gpg: key CD7BEEBC: no public key for trusted key - skipped # gpg: key CD7BEEBC marked as ultimately trusted # gpg: key AF88CD16: no public key for trusted key - skipped # gpg: key AF88CD16 marked as ultimately trusted # gpg: key 16005C11: no public key for trusted key - skipped # gpg: key 16005C11 marked as ultimately trusted # gpg: key 5621E907: no public key for trusted key - skipped # gpg: key 5621E907 marked as ultimately trusted # gpg: key 5C6153AD: no public key for trusted key - skipped # gpg: key 5C6153AD marked as ultimately trusted # gpg: Good signature from "Mark Brown <broonie@sirena.org.uk>" # gpg: aka "Mark Brown <broonie@debian.org>" # gpg: aka "Mark Brown <broonie@kernel.org>" # gpg: aka "Mark Brown <broonie@tardis.ed.ac.uk>" # gpg: aka "Mark Brown <broonie@linaro.org>" # gpg: aka "Mark Brown <Mark.Brown@linaro.org>"
…and 'spi/fix/fsl-espi' into spi-linus
Stage 1 translation is controlled by two sets of page tables (TTBR0 and TTBR1) which grow up and down from zero respectively in the ARMv8 translation regime. For the SMMU, we only care about TTBR0 and, in the case of a 48-bit virtual space, we expect to map virtual addresses 0x0 through to 0xffff_ffff_ffff. Given that some masters may be incapable of emitting virtual addresses targetting TTBR1 (e.g. because they sit on a 48-bit bus), the SMMU architecture allows bit 47 to be sign-extended, halving the virtual range of TTBR0 but allowing TTBR1 to be used. This is controlled by the SEP field in TTBCR2. The SMMU driver incorrectly enables this sign-extension feature, which causes problems when userspace addresses are programmed into a master device with the SMMU expecting to map the incoming transactions via TTBR0; if the top bit of address is set, we will instead get a translation fault since TTBR1 walks are disabled in the TTBCR. This patch fixes the issue by disabling sign-extension of a fixed virtual address bit and instead basing the behaviour on the upstream bus size: the incoming address is zero extended unless the upstream bus is only 49 bits wide, in which case bit 48 is used as the sign bit and is replicated to the upper bits. Cc: <stable@vger.kernel.org> # v4.0+ Reported-by: Varun Sethi <varun.sethi@freescale.com> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Joerg Roedel <jroedel@suse.de>
Pull md bugfixes from Neil Brown: "A few fixes for md. Most of these are related to the new "batched stripe writeout", but there are a few others" * tag 'md/4.1-rc3-fixes' of git://neil.brown.name/md: md/raid5: fix handling of degraded stripes in batches. md/raid5: fix allocation of 'scribble' array. md/raid5: don't record new size if resize_stripes fails. md/raid5: avoid reading parity blocks for full-stripe write to degraded array md/raid5: more incorrect BUG_ON in handle_stripe_fill. md/raid5: new alloc_stripe() to allocate an initialize a stripe. md-raid0: conditional mddev->queue access to suit dm-raid
…rnel/git/tj/libata
Pull libata fixes from Tejun Heo:
"Rather big for fixes pull.
- SCC controllers never lived to see the light of the day. Both
libata and ide drivers removed.
- In some configurations, link power management policy changes
sometimes cause delayed spurious PHY events which can develop into
noticeable failures. This has been reported several times over the
years. Gabriele's patches suppress PHY events for a while after
LPM policy changes which should help most of these failures without
causing too much problem for hotplug use cases.
- A few controller specific fixes"
[ Hmm. I don't think removing SSC support is really a "fix", but hey, it
removes a lot of lines of code. Which I like. So ... good riddance ]
* 'for-4.1-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ahci: avoton port-disable reset-quirk
ata: select DW_DMAC in case of SATA_DWC
libata: Blacklist queued TRIM on all Samsung 800-series
libata: Ignore spurious PHY event on LPM policy change
libata: Add helper to determine when PHY events should be ignored
ata: ahci_st: fixup layering violations / drvdata errors
Remove celleb-only SCC PATA drivers
Pull crypto fixes from Herbert Xu: "This fixes a the implementation of CRC32 on arm64 where it incorrectly applied negation on the result. It also fixes the arm64 implementations of SHA/SHA256 where in some cases it may end up finalising the result twice" * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: arm64/sha2-ce - prevent asm code finalization in final() path crypto: arm64/sha1-ce - prevent asm code finalization in final() path crypto: arm64/crc32 - bring in line with generic CRC32
…x/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: "Three fixes have queued up: - reference count fix in the AMD IOMMUv2 driver - sign extension fix in the ARM-SMMU driver - build fix for rockchip driver with device tree" * tag 'iommu-fixes-v4.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/arm-smmu: Fix sign-extension of upstream bus addresses at stage 1 iommu/rockchip: Fix build without CONFIG_OF iommu/amd: Fix bug in put_pasid_state_wait
…rnel/git/broonie/spi Pull spi fixes from Mark Brown: "A number of driver specific fixes (including several missing dependencies for randconfig type cases) plus two core fixes. One makes the setup_transfer() callback optional which unbreaks some drivers which had been merged with it omitted due to local versions of this patch and another ensures that we don't corrupt data by leaking internal dummy buffers to callers, causing the callers to think they allocated those buffers" * tag 'spi-fix-v4.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: fsl-espi: fix behaviour for full-duplex xfers spi: fsl-spi: fix devm_ioremap_resource() error case spi: Kconfig: Add SOC_LS1021A to SPI_FSL_DSPI dependence spi/omap2-mcpsi: Always call spi_finalize_current_message() spi: fsl-spi: use devm_ioremap_resource() to map parameter ram on CPM1 spi: bitbang: Make setup_transfer() callback optional spi: check tx_buf and rx_buf in spi_unmap_msg spi: bcm2835: change timeout of polling driver to 1s spi: bcm2835: Add GPIOLIB dependency
Pull nfsd bugfixes from Bruce Fields: "Mainly pnfs fixes (and for problems with generic callback code made more obvious by pnfs)" * 'for-4.1' of git://linux-nfs.org/~bfields/linux: nfsd: skip CB_NULL probes for 4.1 or later nfsd: fix callback restarts nfsd: split transport vs operation errors for callbacks svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures nfsd: fix pNFS return on close semantics nfsd: fix the check for confirmed openowner in nfs4_preprocess_stateid_op nfsd/blocklayout: pretend we can send deviceid notifications
dabrace
pushed a commit
that referenced
this pull request
Sep 18, 2017
We can enter a deadlock situation because there is no sufficient protection when ndo_get_stats64() runs in process context to guard against RX or TX NAPI contexts running in softirq, this can lead to the following lockdep splat and actual deadlock was experienced as well with an iperf session in the background and a while loop doing ifconfig + ethtool. [ 5.780350] ================================ [ 5.784679] WARNING: inconsistent lock state [ 5.789011] 4.13.0-rc7-02179-g32fae27c725d #70 Not tainted [ 5.794561] -------------------------------- [ 5.798890] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. [ 5.804971] swapper/0/0 [HC0[0]:SC1[1]:HE0:SE0] takes: [ 5.810175] (&syncp->seq#2){+.?...}, at: [<c0768a28>] bcm_sysport_tx_reclaim+0x30/0x54 [ 5.818327] {SOFTIRQ-ON-W} state was registered at: [ 5.823278] bcm_sysport_get_stats64+0x17c/0x258 [ 5.828053] dev_get_stats+0x38/0xac [ 5.831776] rtnl_fill_stats+0x30/0x118 [ 5.835761] rtnl_fill_ifinfo+0x538/0xe24 [ 5.839921] rtmsg_ifinfo_build_skb+0x6c/0xd8 [ 5.844430] rtmsg_ifinfo_event.part.5+0x14/0x44 [ 5.849201] rtmsg_ifinfo+0x20/0x28 [ 5.852837] register_netdevice+0x628/0x6b8 [ 5.857171] register_netdev+0x14/0x24 [ 5.861051] bcm_sysport_probe+0x30c/0x438 [ 5.865280] platform_drv_probe+0x50/0xb0 [ 5.869418] driver_probe_device+0x2e8/0x450 [ 5.873817] __driver_attach+0x104/0x120 [ 5.877871] bus_for_each_dev+0x7c/0xc0 [ 5.881834] bus_add_driver+0x1b0/0x270 [ 5.885797] driver_register+0x78/0xf4 [ 5.889675] do_one_initcall+0x54/0x190 [ 5.893646] kernel_init_freeable+0x144/0x1d0 [ 5.898135] kernel_init+0x8/0x110 [ 5.901665] ret_from_fork+0x14/0x2c [ 5.905363] irq event stamp: 24263 [ 5.908804] hardirqs last enabled at (24262): [<c08eecf0>] net_rx_action+0xc4/0x4e4 [ 5.916624] hardirqs last disabled at (24263): [<c0a7da00>] _raw_spin_lock_irqsave+0x1c/0x98 [ 5.925143] softirqs last enabled at (24258): [<c022a7fc>] irq_enter+0x84/0x98 [ 5.932524] softirqs last disabled at (24259): [<c022a918>] irq_exit+0x108/0x16c [ 5.939985] [ 5.939985] other info that might help us debug this: [ 5.946576] Possible unsafe locking scenario: [ 5.946576] [ 5.952556] CPU0 [ 5.955031] ---- [ 5.957506] lock(&syncp->seq#2); [ 5.960955] <Interrupt> [ 5.963604] lock(&syncp->seq#2); [ 5.967227] [ 5.967227] *** DEADLOCK *** [ 5.967227] [ 5.973222] 1 lock held by swapper/0/0: [ 5.977092] #0: (&(&ring->lock)->rlock){..-...}, at: [<c0768a18>] bcm_sysport_tx_reclaim+0x20/0x54 So just remove the u64_stats_update_begin()/end() pair in ndo_get_stats64() since it does not appear to be useful for anything. No inconsistency was observed with either ifconfig or ethtool, global TX counts equal the sum of per-queue TX counts on a 32-bit architecture. Fixes: 10377ba ("net: systemport: Support 64bit statistics") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
dabrace
pushed a commit
that referenced
this pull request
Jan 21, 2019
syzbot reported: BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484 CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x306/0x460 lib/dump_stack.c:113 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 strlen+0x3b/0xa0 lib/string.c:484 nla_put_string include/net/netlink.h:1011 [inline] tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389 __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline] tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344 tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440179 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00 R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline] kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180 kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2727 [inline] __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x422/0xe90 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 The root cause is that we don't validate whether bear name is a valid string in tipc_nl_compat_bearer_enable(). Meanwhile, we also fix the same issue in the following functions: tipc_nl_compat_bearer_disable() tipc_nl_compat_link_stat_dump() tipc_nl_compat_media_set() tipc_nl_compat_bearer_set() Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
dabrace
pushed a commit
that referenced
this pull request
Jan 21, 2019
syzbot reported: BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline] BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline] BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826 CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x306/0x460 lib/dump_stack.c:113 kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917 __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500 __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline] __fswab32 include/uapi/linux/swab.h:59 [inline] tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826 __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205 tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270 tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline] tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210 genl_family_rcv_msg net/netlink/genetlink.c:601 [inline] genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626 netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454 genl_rcv+0x63/0x80 net/netlink/genetlink.c:637 netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline] netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343 netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 RIP: 0033:0x440179 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179 RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003 RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00 R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline] kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180 kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104 kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113 slab_post_alloc_hook mm/slab.h:446 [inline] slab_alloc_node mm/slub.c:2727 [inline] __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360 __kmalloc_reserve net/core/skbuff.c:138 [inline] __alloc_skb+0x422/0xe90 net/core/skbuff.c:206 alloc_skb include/linux/skbuff.h:996 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline] netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:621 [inline] sock_sendmsg net/socket.c:631 [inline] ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116 __sys_sendmsg net/socket.c:2154 [inline] __do_sys_sendmsg net/socket.c:2163 [inline] __se_sys_sendmsg+0x307/0x460 net/socket.c:2161 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161 do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291 entry_SYSCALL_64_after_hwframe+0x63/0xe7 We cannot take for granted the thing that the length of data contained in TLV is longer than the size of struct tipc_name_table_query in tipc_nl_compat_name_table_dump(). Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
dabrace
pushed a commit
that referenced
this pull request
Mar 24, 2021
Christoph Paasch reported following crash: dst_release underflow WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175 CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70 Call Trace: rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503 rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612 __mkroute_output net/ipv4/route.c:2484 [inline] ... The worker leaves msk->subflow alone even when it happened to close the subflow ssk associated with it. Fixes: 866f26f ("mptcp: always graft subflow socket to parent") Closes: multipath-tcp/mptcp_net-next#157 Reported-by: Christoph Paasch <cpaasch@apple.com> Suggested-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.