Commit Graph

651272 Commits

Author SHA1 Message Date
Pengcheng Chen
308fdff353 osd: remove phys_to_vir to prevent crash on the 32bit & 2G board [1/1]
PD#SWPL-3079

Problem:
phys_to_vir in height mem rw caused a crash.

Solution:
remove phys_to_vir(dd funs not work)

Verify:
tl1

Change-Id: Ic9679471a51974cabf84b61efe90c88e845d01ea
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
2019-02-26 18:15:11 +09:00
Hongmin Hua
860e27496f cec: add the port map for connect status [1/1]
PD#SWPL-3010

Problem:
the arc can't work

Solution:
add the port map for connect status

Verify:
verified on darwin

Change-Id: I9f886c35de8670acdc431185bb26aa1836a8c150
Signed-off-by: Hongmin Hua <hongmin.hua@amlogic.com>
2019-02-26 18:15:10 +09:00
Yi Zeng
a0ffcf1f04 nand: fix the free-node leak in rsv manager [1/1]
PD#SWPL-2776

Problem:
did not release the free node of rsv information

Solution:
release free node and set bit mask in right way

Verify:
S400

Change-Id: I781f2374b91ca1e7cd1a66e75fc554318737c377
Signed-off-by: Yi Zeng <yi.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
2dcf3effec video: fix picdec coverity error [1/1]
PD#SWPL-2797

Problem:
fix picdec coverity error

Solution:
solve picdec coverity issues

Verify:
verified on P212

Change-Id: Iee0a7beb3fbf8382e9dd4207075df85171ed62ae
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
78c3172bbc video: fix ppmgr coverity error [1/1]
PD#SWPL-2797

Problem:
fix ppmgr coverity error

Solution:
solve ppmgr coverity issues

Verify:
verified on P212

Change-Id: I05b837073ec9c981004320afaa0680648198d5b3
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
89ecad7785 osd: fix ge2d coverity error [1/1]
PD#SWPL-2798

Problem:
fix ge2d coverity error

Solution:
add return val timeout for waiting completion

Verify:
verified on P212

Change-Id: Iaacf3f5b30721eb5d72d3c355f0404f4848969b5
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
825be7ff26 osd: fix osd coverity error [1/1]
PD#SWPL-2798

Problem:
fix osd coverity error

Solution:
solve osd coverity issues

Verify:
verified on P212

Change-Id: I9714e3b229786d39ffa5a150633d59082bdf3549
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
MingLiang Dong
d1be185d61 hdr: Enable default output to HDR for HDR TV [1/1]
PD#SWPL-3096

Problem:
G12A/G12B need enable sdr2hdr

Solution:
enable sdr2hdr function

Verify:
verify on G12A

Change-Id: I1e771a13d33fe675cfc36d8308afc37077545cd4
Signed-off-by: MingLiang Dong <mingliang.dong@amlogic.com>
2019-02-26 18:13:09 +09:00
nengwen.chen
d7616d946e dtv_demod: DTV search menu does not have ISDB-T entry [4/6]
PD#SWPL-1664

Problem:
DTV search menu does not have ISDB-T entry

Solution:
add ISDB-T system support.

Verify:
verified by einstein

Change-Id: Ie0bdc988d53256487e24c3123320b50f2a58cdf3
Signed-off-by: nengwen.chen <nengwen.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Chuangcheng Peng
3411f700d2 dvb-core: compatible with 32bit in 64bit kernel [1/1]
PD#SWPL-3009

Problem:
32bit frontend app can't call ioctl in 64bit-kernel

Solution:
Add 32bit define in header and handle in dvb_frontend in 64bit-kernel

Verify:
Verify at android_p at R311

Change-Id: I63178803cfb1cf7d670e3c2b55f104e97f5afa63
Signed-off-by: Chuangcheng Peng <chuangcheng.peng@amlogic.com>
2019-02-26 18:13:09 +09:00
tao zeng
b682325e08 mm: check phys_to_xxxx macro on 32bit OS [1/1]
PD#SWPL-1909

Problem:
If physical address of a memory location is not in linear mapping
range, then any caller with phys_to_xxxx to get a pointer will
cause bug.

Solution:
Check input address range for phys_to_xxxx to get a BUG output.
This change is used for debug

Verify:
P212

Change-Id: I13bcaa3983e2d730b8d2bc03cd28c62585f49969
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
qiu.zeng
247b345a8c BT: resolve bt remote re-connected fail [1/1]
PD#SWPL-2735

Problem:
bt remote re-connected fail

Solution:
control bluetooth power up

Verify:
Verifying on Public Edition r311

Change-Id: I8c74442894f606d5afd992e52d6c80bada0aed9f
Signed-off-by: Qiu Zeng <qiu.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Brian Zhu
e80a91182d video: sr: add the missing bit mask for sr core1 [1/1]
PD#SWPL-2948

Problem:
Miss the sr core1 bit mask to cause display abnormal

Solution:
Add the bit mask for sr core1

Verify:
Test pass by x301

Change-Id: I742d86b610a9748adad7c143d7a85c6796d3c8f7
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
2019-02-26 18:13:09 +09:00
Tao Zeng
85a1cc4b4c mm: subtract CMA isolated pages when allocate TVP [1/1]
PD#SWPL-2933

Problem:
When allocating CMA pages in a buildroot environment, the system will
hang in congestion_wait:
Call trace:
[<ffffff8009086a78>] __switch_to+0xa0/0xc8
[<ffffff8009de3eb8>] __schedule+0x268/0x7d8
[<ffffff8009de4464>] schedule+0x3c/0xa0
[<ffffff8009de7c9c>] schedule_timeout+0x1b4/0x448
[<ffffff8009de3be8>] io_schedule_timeout+0x98/0x100
[<ffffff80091e3fb8>] congestion_wait+0x90/0x190
[<ffffff80091ebcf4>] isolate_migratepages_block+0x7ec/0x890
[<ffffff80091ec794>] isolate_migratepages_range+0x8c/0x100
[<ffffff8009a8f34c>] aml_alloc_contig_migrate_range+0x104/0x158
[<ffffff8009a8f518>] cma_boost_work_func+0x178/0x270
[<ffffff80090cc228>] kthread+0xf8/0x110
[<ffffff80090836c0>] ret_from_fork+0x10/0x50

Solution:
subtract isolated CMA pages when allocating large CMA for TVP.

Verify:
local

Change-Id: I96153cf104abb009a8965c2230a5242e495dd031
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
pengcheng chen
1eaed5c403 osd: fix afbc dd length error issue [1/1]
PD#SWPL-2674

Problem:
fix afbc dd length error issue

Solution:
add afbc_len to set screen_size

Verify:
verified on g12a-u200

Change-Id: I00df7945f0f928efe2b8be88c56f10f20bb1700f
Signed-off-by: pengcheng chen <pengcheng.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Hongmin Hua
c4d568050a cec: set the phy port the same as ui id [2/2]
PD#SWPL-2685

Problem:
the atom switch wrong channel when wakeup by device

Solution:
set the phy port the same as ui id

Verify:
atom

Change-Id: I4e43f83af5bb30a2388df7e7030f135c3f0830ad
Signed-off-by: Hongmin Hua <hongmin.hua@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Hu
f479fa7aa1 clk: g12a: add gen clock [1/1]
PD#OTT-1025

Problem:
not support gen clock

Solution:
add gen clock

Verify:
test passed on g12a u200

Change-Id: I5199289d3cd1483fffbbd41f8d104369214ba302
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
2019-02-26 18:13:09 +09:00
Xingyu Chen
1eaaf0c9de pinctrl: meson: add gen_clk_ee/ao pin groups for G12A/B [1/1]
PD#OTT-1025

Problem:
don't support gen_clk_ee and gen_clk_ao pin groups

Solution:
add gen_clk_ee/ao pin groups according to the corepinmux document

Verify:
test pass on U200

Change-Id: Ia3e61079def285c482d8dc4957b5f9e7db35847d
Signed-off-by: Xingyu Chen <xingyu.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
tao zeng
76789cadf7 mm: optimize thread stack usage on arm64 [1/1]
PD#SWPL-1219

Problem:
On arm64, the thread stack is 16KB for each task. If the number of running
tasks is large, this type of memory may exceed 40MB. That is a large amount
on a small memory platform. But in most cases a thread uses less than 4KB
of stack. It's a waste of memory and we need to optimize it.

Solution:
1. Pre-allocate a vmalloc address space for task stack;
2. Only map 1st page for stack and handle page fault in EL1
   when stack growth triggered exception;
3. handle stack switch for exception.

Verify:
p212

Change-Id: I47f511ccfa2868d982bc10a820ed6435b6d52ba9
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
19cd66c4b6 deinterlace: deinterlace: fix coverity error [1/1]
PD#SWPL-2863

Problem:
cdev_add without checking return value.

Solution:
add check

Verify:
p212

Change-Id: Ib1d96f6e5ee07dd28f67eb4ee77acb6580a1f877
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
2085c6c8e1 deinterlace: deinterlace: set post_ctrl when no mirror [1/1]
PD#SWPL-1076

Problem:
Kplayer 4KDemo.mp4, show green screen.

Solution:
add DI_IF1_GEN_REG set when no mirror

Verify:
p212

Change-Id: I2cfb27068393832fb47498ebdb9b93349f1fe635
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Pengcheng Chen
35bd3f85f6 osd: add osd log module control [2/2]
PD#SWPL-2551

Problem:
add osd log module control

Solution:
add osd log module control

Verify:
verified on P212

Change-Id: Iadbf795cb7afe4ddcab0f9283b9c7f542eca0b29
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Cao
ae2cfc82eb osd: range of mouse is wrong under 4K mode [1/2]
PD#SWPL-2551

Problem:
range of mouse is wrong under 4K mode

Solution:
new cursor coordinate paras without using scale
add osd_cursor_hw_no_scale() to deal with it.

Verify:
verified on P212

Change-Id: I1748df569b96522eb58dc00af862983bca17815a
Signed-off-by: Jian Cao <jian.cao@amlogic.com>
2019-02-26 18:13:09 +09:00
Tao Guo
79327826e1 media: add get free handle cmd [4/9]
PD#SWPL-1081

Problem:
Need get freed handle for DRM frame mode

Solution:
Add ioctl cmd to get freed handle

Verify:
P212

Change-Id: Ic0ce64061e334fdea5580d9f92b3e0b58caa88eb
Signed-off-by: Tao Guo <tao.guo@amlogic.com>
2019-02-26 18:13:09 +09:00
Evoke Zhang
9bf6dd1786 lcd: mipi_dsi: update clk_post timing for dphy [1/1]
PD#SWPL-2436

Problem:
sometimes the dphy clk_post does not match the spec

Solution:
update clk_post config

Verify:
w400

Change-Id: Ib6b585f833bf923e72109991509915f4ad35d316
Signed-off-by: Evoke Zhang <evoke.zhang@amlogic.com>
2019-02-26 18:13:09 +09:00
Zongdong Jiao
8bdb61f1ec hdmitx: parse colorattribute from uboot [2/2]
PD#SWPL-2181

Problem:
For some Rx, if the Tx cold boots up, the HPD can't be got in uboot.
That is to say, the output mode is CVBS in uboot, even HDMI cable is
connected. And during kernel boots up, it will reset to hdmi mode.
During the Android boots up, it will set to hdmi mode again. Twice
hdmi mode setting may cause TV flicks.

Solution:
Add parsing colorattribute from uboot and assign $attr to prevent
the second Android mode setting.

Verify:
S905X/P212

Change-Id: I665227bc3e8481acb40c34dde2f5cb3c633c64a2
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
2019-02-26 18:13:09 +09:00
bichao.zheng
a08c296467 arm: dts: fix wifi 32K Frequency offset [2/2]
PD#SWPL-2623

Problem:
wifi 32K Frequency offset too large

Solution:
Modification cycle

Verify:
x301

Change-Id: I04724b0eacdffc1760b67689be373cb8f671a125
Signed-off-by: bichao.zheng <bichao.zheng@amlogic.com>

Conflicts:
	arch/arm/boot/dts/amlogic/tl1_t962x2_x301.dts
2019-02-26 18:13:09 +09:00
bichao.zheng
11a7f76221 arm64: dts: fix wifi 32K Frequency offset [2/1]
PD#SWPL-2623

Problem:
wifi 32K Frequency offset too large

Solution:
Modification cycle

Verify:
axg u211 p321 r311 p212

Change-Id: Ica04bec99ba2097918387a980b94dc007bb4eca4
Signed-off-by: bichao.zheng <bichao.zheng@amlogic.com>
2019-02-26 18:13:09 +09:00
Jihong Sui
5729bb56f5 deinterlace: reduce the screen flash when fast forward [1/1]
PD#SWPL-2188

Problem:
1.fast forward/rewind operation, the screen flashes

Solution:
1.add function to update MCDI_MCVECRD_CTRL[9]

Verify:
1.txl

Change-Id: I1bf8583901fa49c518cca74e7716632447adf32f
Signed-off-by: Jihong Sui <jihong.sui@amlogic.com>
2019-02-26 18:13:09 +09:00
Jian Hu
27d563b9bc clk: gxl: correct saradc clock id when check saradc clock [1/1]
PD#OTT-944

Problem:
saradc check the wrong clock id.

Solution:
correct saradc id.

Verify:
verified on P212 board

Change-Id: I7fdde80c21228e45ec165252549bf4ca5f21bd67
Signed-off-by: Jian Hu <jian.hu@amlogic.com>
2019-02-26 18:13:09 +09:00
Daogao Xu
aba647b757 video: add fast and slow playback support [1/1]
PD#SWPL-1690

Problem:
YouTube requires support playback rate 0.25, 0.50, 1.00, 1.25, 1.50,
2.00

Solution:
vsync_slow_factor can be used to slow playback, extend its value to
support fast playback

Verify:
mesongxl_p212_32_kernel49

Change-Id: I94589a210b8531cc198414b3017c3caf82827565
Signed-off-by: Daogao Xu <daogao.xu@amlogic.com>
2019-02-26 18:13:09 +09:00
wenfeng.guo
a064612c42 vpp: fix vpp coverity error [1/1]
PD#SWPL-2458

Problem:
vpp has coverity error

Solution:
fix vpp coverity error

Verify:
r311

Change-Id: Ic755420107b72fa0a56d73e288b708ab421f7609
Signed-off-by: Wenfeng Guo <wenfeng.guo@amlogic.com>
2019-02-26 18:13:09 +09:00
Jiacheng Mei
744e1b6c69 dts: reduce isp memory usage [1/1]
PD#SWPL-2512

Problem:
isp reserved mem too large

Solution:
reduce isp mem to 256M

Verify:
A311D-W400

Change-Id: I33ee2872daf961da5f0ba4ba4810b0ac9690e45f
Signed-off-by: Jiacheng Mei <jiacheng.mei@amlogic.com>
2019-02-26 18:13:09 +09:00
Bencheng Jing
b0e61d50db amvecm: fix dnlp read scurv_mid2 debug interface error [1/1]
PD#SWPL-2448

Problem:
can not read dnlp scurv_mid2 value

Solution:
fix the error

Verify:
t962x_r311

Change-Id: I7a7df769dd117fd83164065f6df8e3ae82c2499f
Signed-off-by: Bencheng Jing <bencheng.jing@amlogic.com>
2019-02-26 18:13:09 +09:00
Guosong Zhou
d4391d7d16 picdec: add mmap interface for picdec [2/2]
PD#SWPL-2280

Problem:
play picture crash

Solution:
add mmap interface for picdec

Verify:
verify by p321

Change-Id: Ib278de80035b0404884315e29fe933cd8f4b6cfe
Signed-off-by: Guosong Zhou <guosong.zhou@amlogic.com>
2019-02-26 18:00:39 +09:00
Mauro (mdrjr) Ribeiro
c96db883a1 Merge tag 'v4.9.160' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.160 stable release
2019-02-25 05:49:52 -03:00
Mauro (mdrjr) Ribeiro
b8fc2fa121 Merge tag 'v4.9.159' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.159 stable release
2019-02-25 05:49:30 -03:00
Mauro (mdrjr) Ribeiro
a71f18485f Merge tag 'v4.9.158' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.158 stable release
2019-02-25 05:49:05 -03:00
Mauro (mdrjr) Ribeiro
039a2ed13b Merge tag 'v4.9.157' of git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable into odroidn2-4.9.y
This is the 4.9.157 stable release
2019-02-25 05:48:43 -03:00
Mauro (mdrjr) Ribeiro
1da441a5ba ODROID-N2: config: enable UAS
Change-Id: Idbb302e3ff68f054d6d9d33519e099b408c1f36e
2019-02-25 05:47:15 -03:00
Mauro Ribeiro
463bedbced Merge "BACKPORT: USB Audio: add support for additional DSD raw capable devices" into odroidn2-4.9.y
2019-02-25 17:41:12 +09:00
Dongjin Kim
1251ca1b06 BACKPORT: USB Audio: add support for additional DSD raw capable devices
Change-Id: If1a619e86f6c0f0893a8ce1d65fd8fe6c8f97b8c
Signed-off-by: Gé Koerkamp <ge.koerkamp@gmail.com>
Signed-off-by: Dongjin Kim <tobetter@gmail.com>
2019-02-25 10:54:38 +09:00
Dongjin Kim
0ab894855c ODROID-N2: config: enable 'CONFIG_FHANDLE' for systemd
Change-Id: I14f31de80b8bfca404bde3eda147adb7c8a1433b
Signed-off-by: Dongjin Kim <tobetter@gmail.com>
2019-02-25 00:38:10 +09:00
Greg Kroah-Hartman
badcc565e1 Linux 4.9.160
2019-02-23 09:05:59 +01:00
Eric Dumazet
b5a50669d2 ax25: fix possible use-after-free
commit 63530aba78 upstream.

syzbot found that ax25 routes were not properly protected
against concurrent use [1].

In this particular report the bug happened while
copying ax25->digipeat.

Fix this problem by making sure we call ax25_get_route()
while ax25_route_lock is held, so that no modification
could happen while using the route.

The current two ax25_get_route() callers do not sleep,
so this change should be fine.

Once we do that, ax25_get_route() no longer needs to
grab a reference on the found route.

[1]
ax25_connect(): syz-executor0 uses autobind, please contact jreuter@yaina.de
BUG: KASAN: use-after-free in memcpy include/linux/string.h:352 [inline]
BUG: KASAN: use-after-free in kmemdup+0x42/0x60 mm/util.c:113
Read of size 66 at addr ffff888066641a80 by task syz-executor2/531

ax25_connect(): syz-executor0 uses autobind, please contact jreuter@yaina.de
CPU: 1 PID: 531 Comm: syz-executor2 Not tainted 5.0.0-rc2+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x123/0x190 mm/kasan/generic.c:191
 memcpy+0x24/0x50 mm/kasan/common.c:130
 memcpy include/linux/string.h:352 [inline]
 kmemdup+0x42/0x60 mm/util.c:113
 kmemdup include/linux/string.h:425 [inline]
 ax25_rt_autobind+0x25d/0x750 net/ax25/ax25_route.c:424
 ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1224
 __sys_connect+0x357/0x490 net/socket.c:1664
 __do_sys_connect net/socket.c:1675 [inline]
 __se_sys_connect net/socket.c:1672 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1672
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 526:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
ax25_connect(): syz-executor5 uses autobind, please contact jreuter@yaina.de
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 ax25_rt_add net/ax25/ax25_route.c:95 [inline]
 ax25_rt_ioctl+0x3b9/0x1270 net/ax25/ax25_route.c:233
 ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
 sock_do_ioctl+0xe2/0x400 net/socket.c:950
 sock_ioctl+0x32f/0x6c0 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

ax25_connect(): syz-executor5 uses autobind, please contact jreuter@yaina.de
Freed by task 550:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 ax25_rt_add net/ax25/ax25_route.c:92 [inline]
 ax25_rt_ioctl+0x304/0x1270 net/ax25/ax25_route.c:233
 ax25_ioctl+0x322/0x10b0 net/ax25/af_ax25.c:1763
 sock_do_ioctl+0xe2/0x400 net/socket.c:950
 sock_ioctl+0x32f/0x6c0 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:509 [inline]
 do_vfs_ioctl+0x107b/0x17d0 fs/ioctl.c:696
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
 __do_sys_ioctl fs/ioctl.c:720 [inline]
 __se_sys_ioctl fs/ioctl.c:718 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff888066641a80
 which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
 96-byte region [ffff888066641a80, ffff888066641ae0)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Eric Dumazet
f6f281bb15 mISDN: fix a race in dev_expire_timer()
commit bdcc5bc255 upstream.

Since mISDN_close() uses dev->pending to iterate over active
timers, there is a chance that one timer got removed from the
->pending list in dev_expire_timer() but that the thread
has not called yet wake_up_interruptible()

So mISDN_close() could miss this and free dev before
completion of at least one dev_expire_timer()

syzbot was able to catch this race :

BUG: KASAN: use-after-free in register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
Write of size 8 at addr ffff88809fc18948 by task syz-executor1/24769

CPU: 1 PID: 24769 Comm: syz-executor1 Not tainted 5.0.0-rc5 #60
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_store8_noabort+0x17/0x20 mm/kasan/generic_report.c:140
 register_lock_class+0x140c/0x1bf0 kernel/locking/lockdep.c:827
 __lock_acquire+0x11f/0x4700 kernel/locking/lockdep.c:3224
 lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:3841
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
 __wake_up_common_lock+0xc7/0x190 kernel/sched/wait.c:120
 __wake_up+0xe/0x10 kernel/sched/wait.c:145
 dev_expire_timer+0xe4/0x3b0 drivers/isdn/mISDN/timerdev.c:174
 call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
 expire_timers kernel/time/timer.c:1362 [inline]
 __run_timers kernel/time/timer.c:1681 [inline]
 __run_timers kernel/time/timer.c:1649 [inline]
 run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
 __do_softirq+0x266/0x95a kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x180/0x1d0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:101
 PageIdle include/linux/page-flags.h:398 [inline]
 page_is_idle include/linux/page_idle.h:29 [inline]
 mark_page_accessed+0x618/0x1140 mm/swap.c:398
 touch_buffer fs/buffer.c:59 [inline]
 __find_get_block+0x312/0xcc0 fs/buffer.c:1298
 sb_find_get_block include/linux/buffer_head.h:338 [inline]
 recently_deleted fs/ext4/ialloc.c:682 [inline]
 find_inode_bit.isra.0+0x202/0x510 fs/ext4/ialloc.c:722
 __ext4_new_inode+0x14ad/0x52c0 fs/ext4/ialloc.c:914
 ext4_symlink+0x3f8/0xbe0 fs/ext4/namei.c:3096
 vfs_symlink fs/namei.c:4126 [inline]
 vfs_symlink+0x378/0x5d0 fs/namei.c:4112
 do_symlinkat+0x22b/0x290 fs/namei.c:4153
 __do_sys_symlink fs/namei.c:4172 [inline]
 __se_sys_symlink fs/namei.c:4170 [inline]
 __x64_sys_symlink+0x59/0x80 fs/namei.c:4170
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Allocated by task 24763:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc mm/kasan/common.c:496 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:504
 kmem_cache_alloc_trace+0x151/0x760 mm/slab.c:3609
 kmalloc include/linux/slab.h:545 [inline]
 mISDN_open+0x9a/0x270 drivers/isdn/mISDN/timerdev.c:59
 misc_open+0x398/0x4c0 drivers/char/misc.c:141
 chrdev_open+0x247/0x6b0 fs/char_dev.c:417
 do_dentry_open+0x47d/0x1130 fs/open.c:771
 vfs_open+0xa0/0xd0 fs/open.c:880
 do_last fs/namei.c:3418 [inline]
 path_openat+0x10d7/0x4690 fs/namei.c:3534
 do_filp_open+0x1a1/0x280 fs/namei.c:3564
 do_sys_open+0x3fe/0x5d0 fs/open.c:1063
 __do_sys_openat fs/open.c:1090 [inline]
 __se_sys_openat fs/open.c:1084 [inline]
 __x64_sys_openat+0x9d/0x100 fs/open.c:1084
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 24762:
 save_stack+0x45/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
 __cache_free mm/slab.c:3487 [inline]
 kfree+0xcf/0x230 mm/slab.c:3806
 mISDN_close+0x2a1/0x390 drivers/isdn/mISDN/timerdev.c:97
 __fput+0x2df/0x8d0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x14a/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:188 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:166
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x52d/0x610 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff88809fc18900
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 72 bytes inside of
 192-byte region [ffff88809fc18900, ffff88809fc189c0)

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Karsten Keil <isdn@linux-pingi.de>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Eric Dumazet
4833df3468 net/x25: do not hold the cpu too long in x25_new_lci()
commit cf657d22ee upstream.

Due to quadratic behavior of x25_new_lci(), syzbot was able
to trigger an rcu stall.

Fix this by not blocking BH for the whole duration of
the function, and inserting a reschedule point when possible.

If we care enough, using a bitmap could get rid of the quadratic
behavior.

syzbot report :

rcu: INFO: rcu_preempt self-detected stall on CPU
rcu:    0-...!: (10500 ticks this GP) idle=4fa/1/0x4000000000000002 softirq=283376/283376 fqs=0
rcu:     (t=10501 jiffies g=383105 q=136)
rcu: rcu_preempt kthread starved for 10502 jiffies! g383105 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=0
rcu: RCU grace-period kthread stack dump:
rcu_preempt     I28928    10      2 0x80000000
Call Trace:
 context_switch kernel/sched/core.c:2844 [inline]
 __schedule+0x817/0x1cc0 kernel/sched/core.c:3485
 schedule+0x92/0x180 kernel/sched/core.c:3529
 schedule_timeout+0x4db/0xfd0 kernel/time/timer.c:1803
 rcu_gp_fqs_loop kernel/rcu/tree.c:1948 [inline]
 rcu_gp_kthread+0x956/0x17a0 kernel/rcu/tree.c:2105
 kthread+0x357/0x430 kernel/kthread.c:246
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
NMI backtrace for cpu 0
CPU: 0 PID: 8759 Comm: syz-executor2 Not tainted 5.0.0-rc4+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
 nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
 trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
 rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1211
 print_cpu_stall kernel/rcu/tree.c:1348 [inline]
 check_cpu_stall kernel/rcu/tree.c:1422 [inline]
 rcu_pending kernel/rcu/tree.c:3018 [inline]
 rcu_check_callbacks.cold+0x500/0xa4a kernel/rcu/tree.c:2521
 update_process_times+0x32/0x80 kernel/time/timer.c:1635
 tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
 tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
 __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
 __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451
 hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
 local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
 smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
 </IRQ>
RIP: 0010:__read_once_size include/linux/compiler.h:193 [inline]
RIP: 0010:queued_write_lock_slowpath+0x13e/0x290 kernel/locking/qrwlock.c:86
 queued_write_lock include/asm-generic/qrwlock.h:104 [inline]
 do_raw_write_lock+0x1d6/0x290 kernel/locking/spinlock_debug.c:203
 __raw_write_lock_bh include/linux/rwlock_api_smp.h:204 [inline]
 _raw_write_lock_bh+0x3b/0x50 kernel/locking/spinlock.c:312
 x25_insert_socket+0x21/0xe0 net/x25/af_x25.c:267
 x25_bind+0x273/0x340 net/x25/af_x25.c:705
 __sys_bind+0x23f/0x290 net/socket.c:1505
 __do_sys_bind net/socket.c:1516 [inline]
 __se_sys_bind net/socket.c:1514 [inline]
 __x64_sys_bind+0x73/0xb0 net/socket.c:1514
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e39
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fafccd0dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e39
RDX: 0000000000000012 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fafccd0e6d4
R13: 00000000004bdf8b R14: 00000000004ce4b8 R15: 00000000ffffffff
Sending NMI from CPU 0 to CPUs 1:
NMI backtrace for cpu 1
CPU: 1 PID: 8752 Comm: syz-executor4 Not tainted 5.0.0-rc4+ #51
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__x25_find_socket+0x78/0x120 net/x25/af_x25.c:328
Code: 89 f8 48 c1 e8 03 80 3c 18 00 0f 85 a6 00 00 00 4d 8b 64 24 68 4d 85 e4 74 7f e8 03 97 3d fb 49 83 ec 68 74 74 e8 f8 96 3d fb <49> 8d bc 24 88 04 00 00 48 89 f8 48 c1 e8 03 0f b6 04 18 84 c0 74
RSP: 0018:ffff8880639efc58 EFLAGS: 00000246
RAX: 0000000000040000 RBX: dffffc0000000000 RCX: ffffc9000e677000
RDX: 0000000000040000 RSI: ffffffff863244b8 RDI: ffff88806a764628
RBP: ffff8880639efc80 R08: ffff8880a80d05c0 R09: fffffbfff1282775
R10: fffffbfff1282774 R11: ffffffff89413ba3 R12: ffff88806a7645c0
R13: 0000000000000001 R14: ffff88809f29ac00 R15: 0000000000000000
FS:  00007fe8d0c58700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000001b32823000 CR3: 00000000672eb000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 x25_new_lci net/x25/af_x25.c:357 [inline]
 x25_connect+0x374/0xdf0 net/x25/af_x25.c:786
 __sys_connect+0x266/0x330 net/socket.c:1686
 __do_sys_connect net/socket.c:1697 [inline]
 __se_sys_connect net/socket.c:1694 [inline]
 __x64_sys_connect+0x73/0xb0 net/socket.c:1694
 do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457e39
Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fe8d0c57c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457e39
RDX: 0000000000000012 RSI: 0000000020000200 RDI: 0000000000000004
RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fe8d0c586d4
R13: 00000000004be378 R14: 00000000004ceb00 R15: 00000000ffffffff

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Cc: linux-x25@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Qu Wenruo
de5f88f888 btrfs: Remove false alert when fiemap range is smaller than on-disk extent
commit 848c23b78f upstream.

Commit 4751832da9 ("btrfs: fiemap: Cache and merge fiemap extent before
submit it to user") introduced a warning to catch unemitted cached
fiemap extent.

However, such a warning doesn't take the following case into consideration:

0			4K			8K
|<---- fiemap range --->|
|<----------- On-disk extent ------------------>|

In this case, the whole 0~8K is cached, and since it's larger than
fiemap range, it breaks the fiemap extent emit loop.
This leaves the fiemap extent cached but not emitted, and caught by the
final fiemap extent sanity check, causing kernel warning.

This patch removes the kernel warning and renames the sanity check to
emit_last_fiemap_cache() since it's possible and valid to have cached
fiemap extent.

Reported-by: David Sterba <dsterba@suse.cz>
Reported-by: Adam Borowski <kilobyte@angband.pl>
Fixes: 4751832da9 ("btrfs: fiemap: Cache and merge fiemap extent ...")
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Lorenzo Bianconi
575880f2d4 net: ipv4: use a dedicated counter for icmp_v4 redirect packets
[ Upstream commit c09551c6ff ]

According to the algorithm described in the comment block at the
beginning of ip_rt_send_redirect, the host should try to send
'ip_rt_redirect_number' ICMP redirect packets with an exponential
backoff and then stop sending them at all assuming that the destination
ignores redirects.
If the device has previously sent some ICMP error packets that are
rate-limited (e.g. TTL expired) and continues to receive traffic,
the redirect packets will never be transmitted. This happens since
peer->rate_tokens will be typically greater than 'ip_rt_redirect_number'
and so it will never be reset even if the redirect silence timeout
(ip_rt_redirect_silence) has elapsed without receiving any packet
requiring redirects.

Fix it by using a dedicated counter for the number of ICMP redirect
packets that have been sent by the host.

I have not been able to identify a given commit that introduced the
issue since ip_rt_send_redirect implements the same rate-limiting
algorithm from commit 1da177e4c3 ("Linux-2.6.12-rc2").

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00
Jose Abreu
2a3c68987c net: stmmac: Fix a race in EEE enable callback
[ Upstream commit 8a7493e58a ]

We are saving the status of EEE even before we try to enable it. This
leads to a race with XMIT function that tries to arm EEE timer before we
set it up.

Fix this by only saving the EEE parameters after all operations are
performed with success.

Signed-off-by: Jose Abreu <joabreu@synopsys.com>
Fixes: d765955d2a ("stmmac: add the Energy Efficient Ethernet support")
Cc: Joao Pinto <jpinto@synopsys.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Cc: Alexandre Torgue <alexandre.torgue@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-23 09:05:59 +01:00