New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allwinner v3.0 android v2 merge sun4i/sun5i nand driver #65
Allwinner v3.0 android v2 merge sun4i/sun5i nand driver #65
Conversation
for 3.0 I believe it's critical to not break .config compatibiliy. using a select should make this easily. btw, in 3.4 the joined var is called SUNXI_NAND, but I‘m fine with keeping the FLASH part too |
You'd think so - for some reason what happens instead is: SUN5I_NANDFLASH gets disabled instead of SUNXI_NANDFLASH getting enabled. Perhaps moving to SUNXI_NAND is better then :) Consistency and all. |
Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds] [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds] [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40 [<ffffffff81567f30>] sys_sendto+0x130/0x180 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones <davej@redhat.com> Cc: Dave Jones <davej@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: Cong Wang <amwang@redhat.com> Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
[ Upstream commit ece6b0a ] Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds] [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds] [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40 [<ffffffff81567f30>] sys_sendto+0x130/0x180 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones <davej@redhat.com> Cc: Dave Jones <davej@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: Cong Wang <amwang@redhat.com> Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ece6b0a ] Dave Jones reported the following bug: "When fed mangled socket data, rds will trust what userspace gives it, and tries to allocate enormous amounts of memory larger than what kmalloc can satisfy." WARNING: at mm/page_alloc.c:2393 __alloc_pages_nodemask+0xa0d/0xbe0() Hardware name: GA-MA78GM-S2H Modules linked in: vmw_vsock_vmci_transport vmw_vmci vsock fuse bnep dlci bridge 8021q garp stp mrp binfmt_misc l2tp_ppp l2tp_core rfcomm s Pid: 24652, comm: trinity-child2 Not tainted 3.8.0+ #65 Call Trace: [<ffffffff81044155>] warn_slowpath_common+0x75/0xa0 [<ffffffff8104419a>] warn_slowpath_null+0x1a/0x20 [<ffffffff811444ad>] __alloc_pages_nodemask+0xa0d/0xbe0 [<ffffffff8100a196>] ? native_sched_clock+0x26/0x90 [<ffffffff810b2128>] ? trace_hardirqs_off_caller+0x28/0xc0 [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff811861f8>] alloc_pages_current+0xb8/0x180 [<ffffffff8113eaaa>] __get_free_pages+0x2a/0x80 [<ffffffff811934fe>] kmalloc_order_trace+0x3e/0x1a0 [<ffffffff81193955>] __kmalloc+0x2f5/0x3a0 [<ffffffff8104df0c>] ? local_bh_enable_ip+0x7c/0xf0 [<ffffffffa0401ab3>] rds_message_alloc+0x23/0xb0 [rds] [<ffffffffa04043a1>] rds_sendmsg+0x2b1/0x990 [rds] [<ffffffff810b21cd>] ? trace_hardirqs_off+0xd/0x10 [<ffffffff81564620>] sock_sendmsg+0xb0/0xe0 [<ffffffff810b2052>] ? get_lock_stats+0x22/0x70 [<ffffffff810b24be>] ? put_lock_stats.isra.23+0xe/0x40 [<ffffffff81567f30>] sys_sendto+0x130/0x180 [<ffffffff810b872d>] ? trace_hardirqs_on+0xd/0x10 [<ffffffff816c547b>] ? _raw_spin_unlock_irq+0x3b/0x60 [<ffffffff816cd767>] ? sysret_check+0x1b/0x56 [<ffffffff810b8695>] ? trace_hardirqs_on_caller+0x115/0x1a0 [<ffffffff81341d8e>] ? trace_hardirqs_on_thunk+0x3a/0x3f [<ffffffff816cd742>] system_call_fastpath+0x16/0x1b ---[ end trace eed6ae990d018c8b ]--- Reported-by: Dave Jones <davej@redhat.com> Cc: Dave Jones <davej@redhat.com> Cc: David S. Miller <davem@davemloft.net> Cc: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: Cong Wang <amwang@redhat.com> Acked-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
hi, I can generate the image, at compile time does not give any error. |
Turn it into (for example): [ 0.073380] x86: Booting SMP configuration: [ 0.074005] .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 [ 0.603005] .... node #1, CPUs: #8 #9 #10 #11 #12 #13 #14 #15 [ 1.200005] .... node #2, CPUs: #16 #17 #18 #19 #20 #21 #22 #23 [ 1.796005] .... node #3, CPUs: #24 #25 #26 #27 #28 #29 #30 #31 [ 2.393005] .... node #4, CPUs: #32 #33 #34 #35 #36 #37 #38 #39 [ 2.996005] .... node #5, CPUs: #40 #41 #42 #43 #44 #45 #46 #47 [ 3.600005] .... node #6, CPUs: #48 #49 #50 #51 #52 #53 #54 #55 [ 4.202005] .... node #7, CPUs: #56 #57 #58 #59 #60 #61 #62 #63 [ 4.811005] .... node #8, CPUs: #64 #65 #66 #67 #68 #69 #70 #71 [ 5.421006] .... node #9, CPUs: #72 #73 #74 #75 #76 #77 #78 #79 [ 6.032005] .... node #10, CPUs: #80 #81 #82 #83 #84 #85 #86 #87 [ 6.648006] .... node #11, CPUs: #88 #89 #90 #91 #92 #93 #94 #95 [ 7.262005] .... node #12, CPUs: #96 #97 #98 #99 #100 #101 #102 #103 [ 7.865005] .... node #13, CPUs: #104 #105 #106 #107 #108 #109 #110 #111 [ 8.466005] .... node #14, CPUs: #112 #113 #114 #115 #116 #117 #118 #119 [ 9.073006] .... node #15, CPUs: #120 #121 #122 #123 #124 #125 #126 #127 [ 9.679901] x86: Booted up 16 nodes, 128 CPUs and drop useless elements. Change num_digits() to hpa's division-avoiding, cell-phone-typed version which he went at great lengths and pains to submit on a Saturday evening. Signed-off-by: Borislav Petkov <bp@suse.de> Cc: huawei.libin@huawei.com Cc: wangyijing@huawei.com Cc: fenghua.yu@intel.com Cc: guohanjun@huawei.com Cc: paul.gortmaker@windriver.com Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20130930095624.GB16383@pd.tnic Signed-off-by: Ingo Molnar <mingo@kernel.org>
When allocating RX buffers a fixed size is used, while freeing is based on actually received bytes, resulting in the following kernel warning when CONFIG_DMA_API_DEBUG is enabled: WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:1051 check_unmap+0x258/0x894() macb e000b000.ethernet: DMA-API: device driver frees DMA memory with different size [device address=0x000000002d170040] [map size=1536 bytes] [unmap size=60 bytes] Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 3.14.0-rc3-xilinx-00220-g49f84081ce4f #65 [<c001516c>] (unwind_backtrace) from [<c0011df8>] (show_stack+0x10/0x14) [<c0011df8>] (show_stack) from [<c03c775c>] (dump_stack+0x7c/0xc8) [<c03c775c>] (dump_stack) from [<c00245cc>] (warn_slowpath_common+0x60/0x84) [<c00245cc>] (warn_slowpath_common) from [<c0024670>] (warn_slowpath_fmt+0x2c/0x3c) [<c0024670>] (warn_slowpath_fmt) from [<c0227d44>] (check_unmap+0x258/0x894) [<c0227d44>] (check_unmap) from [<c0228588>] (debug_dma_unmap_page+0x64/0x70) [<c0228588>] (debug_dma_unmap_page) from [<c02ab78c>] (gem_rx+0x118/0x170) [<c02ab78c>] (gem_rx) from [<c02ac4d4>] (macb_poll+0x24/0x94) [<c02ac4d4>] (macb_poll) from [<c031222c>] (net_rx_action+0x6c/0x188) [<c031222c>] (net_rx_action) from [<c0028a28>] (__do_softirq+0x108/0x280) [<c0028a28>] (__do_softirq) from [<c0028e8c>] (irq_exit+0x84/0xf8) [<c0028e8c>] (irq_exit) from [<c000f360>] (handle_IRQ+0x68/0x8c) [<c000f360>] (handle_IRQ) from [<c0008528>] (gic_handle_irq+0x3c/0x60) [<c0008528>] (gic_handle_irq) from [<c0012904>] (__irq_svc+0x44/0x78) Exception stack(0xc056df20 to 0xc056df68) df20: 00000001 c0577430 00000000 c0577430 04ce8e0d 00000002 edfce238 00000000 df40: 04e20f78 00000002 c05981f4 00000000 00000008 c056df68 c0064008 c02d7658 df60: 20000013 ffffffff [<c0012904>] (__irq_svc) from [<c02d7658>] (cpuidle_enter_state+0x54/0xf8) [<c02d7658>] (cpuidle_enter_state) from [<c02d77dc>] (cpuidle_idle_call+0xe0/0x138) [<c02d77dc>] (cpuidle_idle_call) from [<c000f660>] (arch_cpu_idle+0x8/0x3c) [<c000f660>] (arch_cpu_idle) from [<c006bec4>] (cpu_startup_entry+0xbc/0x124) [<c006bec4>] (cpu_startup_entry) from [<c053daec>] (start_kernel+0x350/0x3b0) ---[ end trace d5fdc38641bd3a11 ]--- Mapped at: [<c0227184>] debug_dma_map_page+0x48/0x11c [<c02ab32c>] gem_rx_refill+0x154/0x1f8 [<c02ac7b4>] macb_open+0x270/0x3e0 [<c03152e0>] __dev_open+0x7c/0xfc [<c031554c>] __dev_change_flags+0x8c/0x140 Fixing this by passing the same size which is passed during mapping the memory to the unmap function as well. Signed-off-by: Soren Brinkmann <soren.brinkmann@xilinx.com> Reviewed-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
A malicious signal handler / restorer can DOS the system by fudging the user regs saved on stack, causing weird things such as sigreturn returning to user mode PC but cpu state still being kernel mode.... Ensure that in sigreturn path status32 always has U bit; any other bogosity (gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms. Reproducer signal handler: void handle_sig(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); regs->scratch.status32 = 0; } Before the fix, kernel would go off to weeds like below: --------->8----------- [ARCLinux]$ ./signal-test Path: /signal-test CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ linux-sunxi#65 task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000 [ECR ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698 [EFA ]: 0x00000010 [BLINK ]: 0x2007c1ee [ERET ]: 0x10698 [STAT32]: 0x00000000 : <-------- BTA: 0x00010680 SP: 0x5ffe7e48 FP: 0x00000000 LPS: 0x20003c6c LPE: 0x20003c70 LPC: 0x00000000 ... --------->8----------- Reported-by: Alexey Brodkin <abrodkin@synopsys.com> Cc: <stable@vger.kernel.org> Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
When sending a UDPv6 message longer than MTU, account for the length of fragmentable IPv6 extension headers in skb->network_header offset. Same as we do in alloc_new_skb path in __ip6_append_data(). This ensures that later on __ip6_make_skb() will make space in headroom for fragmentable extension headers: /* move skb->data to ip header from ext header */ if (skb->data < skb_network_header(skb)) __skb_pull(skb, skb_network_offset(skb)); Prevents a splat due to skb_under_panic: skbuff: skb_under_panic: text:ffffffff8143397b len:2126 put:14 \ head:ffff880005bacf50 data:ffff880005bacf4a tail:0x48 end:0xc0 dev:lo ------------[ cut here ]------------ kernel BUG at net/core/skbuff.c:104! invalid opcode: 0000 [#1] KASAN CPU: 0 PID: 160 Comm: reproducer Not tainted 4.6.0-rc2 #65 [...] Call Trace: [<ffffffff813eb7b9>] skb_push+0x79/0x80 [<ffffffff8143397b>] eth_header+0x2b/0x100 [<ffffffff8141e0d0>] neigh_resolve_output+0x210/0x310 [<ffffffff814eab77>] ip6_finish_output2+0x4a7/0x7c0 [<ffffffff814efe3a>] ip6_output+0x16a/0x280 [<ffffffff815440c1>] ip6_local_out+0xb1/0xf0 [<ffffffff814f1115>] ip6_send_skb+0x45/0xd0 [<ffffffff81518836>] udp_v6_send_skb+0x246/0x5d0 [<ffffffff8151985e>] udpv6_sendmsg+0xa6e/0x1090 [...] Reported-by: Ji Jianwen <jiji@redhat.com> Signed-off-by: Jakub Sitnicki <jkbs@redhat.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
[ Upstream commit e414081 ] A malicious signal handler / restorer can DOS the system by fudging the user regs saved on stack, causing weird things such as sigreturn returning to user mode PC but cpu state still being kernel mode.... Ensure that in sigreturn path status32 always has U bit; any other bogosity (gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms. Reproducer signal handler: void handle_sig(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); regs->scratch.status32 = 0; } Before the fix, kernel would go off to weeds like below: --------->8----------- [ARCLinux]$ ./signal-test Path: /signal-test CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65 task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000 [ECR ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698 [EFA ]: 0x00000010 [BLINK ]: 0x2007c1ee [ERET ]: 0x10698 [STAT32]: 0x00000000 : <-------- BTA: 0x00010680 SP: 0x5ffe7e48 FP: 0x00000000 LPS: 0x20003c6c LPE: 0x20003c70 LPC: 0x00000000 ... --------->8----------- Reported-by: Alexey Brodkin <abrodkin@synopsys.com> Cc: <stable@vger.kernel.org> Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
For implicit namespacing and clarity, prefix the common Port IEEE Priority Remapping registers macros with MV88E6095_PORT_IEEE_PRIO. The 88E6390 family turned the 0x18 register into a single indirect table, document that at the same time. Document the register and prefer ordered hex masks values for all Marvell 16-bit registers. Also fix the following checkpatch checks with a temporary variable: CHECK: Alignment should match open parenthesis #65: FILE: drivers/net/dsa/mv88e6xxx/port.c:932: + err = mv88e6xxx_port_ieeepmt_write(chip, port, + MV88E6390_PORT_IEEE_PRIO_MAP_TABLE_INGRESS_PCP, Signed-off-by: Vivien Didelot <vivien.didelot@savoirfairelinux.com> Signed-off-by: David S. Miller <davem@davemloft.net>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
…fixes WARNING: please, no spaces at the start of a line linux-sunxi#26: FILE: fs/ocfs2/dlm/dlmrecovery.c:2271: + struct list_head *queue = NULL;$ WARNING: please, no spaces at the start of a line linux-sunxi#27: FILE: fs/ocfs2/dlm/dlmrecovery.c:2272: + int i;$ WARNING: please, no spaces at the start of a line linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) {$ WARNING: suspect code indent for conditional statements (7, 15) linux-sunxi#60: FILE: fs/ocfs2/dlm/dlmrecovery.c:2285: + for (i = DLM_GRANTED_LIST; i <= DLM_BLOCKED_LIST; i++) { + queue = dlm_list_idx_to_ptr(res, i); ERROR: code indent should use tabs where possible linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ WARNING: please, no spaces at the start of a line linux-sunxi#61: FILE: fs/ocfs2/dlm/dlmrecovery.c:2286: + queue = dlm_list_idx_to_ptr(res, i);$ ERROR: code indent should use tabs where possible linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: please, no spaces at the start of a line linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) {$ WARNING: suspect code indent for conditional statements (15, 23) linux-sunxi#62: FILE: fs/ocfs2/dlm/dlmrecovery.c:2287: + list_for_each_entry_safe(lock, next, queue, list) { + if (lock->ml.node == dead_node) { ERROR: code indent should use tabs where possible linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: please, no spaces at the start of a line linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) {$ WARNING: suspect code indent for conditional statements (23, 31) linux-sunxi#63: FILE: fs/ocfs2/dlm/dlmrecovery.c:2288: + if (lock->ml.node == dead_node) { + list_del_init(&lock->list); ERROR: code indent should use tabs where possible linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ WARNING: please, no spaces at the start of a line linux-sunxi#64: FILE: fs/ocfs2/dlm/dlmrecovery.c:2289: + list_del_init(&lock->list);$ ERROR: code indent should use tabs where possible linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#65: FILE: fs/ocfs2/dlm/dlmrecovery.c:2290: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#66: FILE: fs/ocfs2/dlm/dlmrecovery.c:2291: + /* Can't schedule DLM_UNLOCK_FREE_LOCK$ ERROR: code indent should use tabs where possible linux-sunxi#67: FILE: fs/ocfs2/dlm/dlmrecovery.c:2292: + * do manually$ ERROR: code indent should use tabs where possible linux-sunxi#68: FILE: fs/ocfs2/dlm/dlmrecovery.c:2293: + */$ ERROR: code indent should use tabs where possible linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ WARNING: please, no spaces at the start of a line linux-sunxi#69: FILE: fs/ocfs2/dlm/dlmrecovery.c:2294: + dlm_lock_put(lock);$ ERROR: code indent should use tabs where possible linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ WARNING: please, no spaces at the start of a line linux-sunxi#70: FILE: fs/ocfs2/dlm/dlmrecovery.c:2295: + freed++;$ ERROR: code indent should use tabs where possible linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ WARNING: please, no spaces at the start of a line linux-sunxi#71: FILE: fs/ocfs2/dlm/dlmrecovery.c:2296: + }$ total: 11 errors, 14 warnings, 51 lines checked NOTE: For some of the reported defects, checkpatch may be able to mechanically convert to the typical style using --fix or --fix-inplace. NOTE: Whitespace errors detected. You may wish to use scripts/cleanpatch or scripts/cleanfile ./patches/ocfs2-dlm-optimization-of-code-while-free-dead-node-locks.patch has style problems, please review. NOTE: If any of the errors are false positives, please report them to the maintainer, see CHECKPATCH in MAINTAINERS. Please run checkpatch prior to sending patches Cc: Guozhonghua <guozhonghua@h3c.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
The l2tp_tunnel_create() function checks for v4mapped ipv6 sockets and cache that flag, so that l2tp core code can reusing it at xmit time. If the socket is provided by the userspace, the connection status of the tunnel sockets can change between the tunnel creation and the xmit call, so that syzbot is able to trigger the following splat: BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192 [inline] BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264 Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448 CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x23c/0x360 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 ip6_dst_idev include/net/ip6_fib.h:192 [inline] ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139 l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline] l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148 pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg+0xca/0x110 net/socket.c:640 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046 __sys_sendmsg+0xe5/0x210 net/socket.c:2080 SYSC_sendmsg net/socket.c:2091 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2087 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x453e69 RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69 RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000 This change addresses the issues: * explicitly checking for TCP_ESTABLISHED for user space provided sockets * dropping the v4mapped flag usage - it can become outdated - and explicitly invoking ipv6_addr_v4mapped() instead The issue is apparently there since ancient times. v1 -> v2: (many thanks to Guillaume) - with csum issue introduced in v1 - replace pr_err with pr_debug - fix build issue with IPV6 disabled - move l2tp_sk_is_v4mapped in l2tp_core.c v2 -> v3: - don't update inet_daddr for v4mapped address, unneeded - drop rendundant check at creation time Reported-and-tested-by: syzbot+92fa328176eb07e4ac1a@syzkaller.appspotmail.com Fixes: 3557baa ("[L2TP]: PPP over L2TP driver core") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
If polling completions are racing with the IRQ triggered by a completion, the IRQ handler will find no work and return IRQ_NONE. This can trigger complaints about spurious interrupts: [ 560.169153] irq 630: nobody cared (try booting with the "irqpoll" option) [ 560.175988] CPU: 40 PID: 0 Comm: swapper/40 Not tainted 4.17.0-rc2+ #65 [ 560.175990] Hardware name: Intel Corporation S2600STB/S2600STB, BIOS SE5C620.86B.00.01.0010.010920180151 01/09/2018 [ 560.175991] Call Trace: [ 560.175994] <IRQ> [ 560.176005] dump_stack+0x5c/0x7b [ 560.176010] __report_bad_irq+0x30/0xc0 [ 560.176013] note_interrupt+0x235/0x280 [ 560.176020] handle_irq_event_percpu+0x51/0x70 [ 560.176023] handle_irq_event+0x27/0x50 [ 560.176026] handle_edge_irq+0x6d/0x180 [ 560.176031] handle_irq+0xa5/0x110 [ 560.176036] do_IRQ+0x41/0xc0 [ 560.176042] common_interrupt+0xf/0xf [ 560.176043] </IRQ> [ 560.176050] RIP: 0010:cpuidle_enter_state+0x9b/0x2b0 [ 560.176052] RSP: 0018:ffffa0ed4659fe98 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffdd [ 560.176055] RAX: ffff9527beb20a80 RBX: 000000826caee491 RCX: 000000000000001f [ 560.176056] RDX: 000000826caee491 RSI: 00000000335206ee RDI: 0000000000000000 [ 560.176057] RBP: 0000000000000001 R08: 00000000ffffffff R09: 0000000000000008 [ 560.176059] R10: ffffa0ed4659fe78 R11: 0000000000000001 R12: ffff9527beb29358 [ 560.176060] R13: ffffffffa235d4b8 R14: 0000000000000000 R15: 000000826caed593 [ 560.176065] ? cpuidle_enter_state+0x8b/0x2b0 [ 560.176071] do_idle+0x1f4/0x260 [ 560.176075] cpu_startup_entry+0x6f/0x80 [ 560.176080] start_secondary+0x184/0x1d0 [ 560.176085] secondary_startup_64+0xa5/0xb0 [ 560.176088] handlers: [ 560.178387] [<00000000efb612be>] nvme_irq [nvme] [ 560.183019] Disabling IRQ torvalds#630 A previous commit removed ->cqe_seen that was handling this case, but we need to handle this a bit differently due to completions now running outside the queue lock. Return IRQ_HANDLED from the IRQ handler, if the completion ring head was moved since we last saw it. Fixes: 5cb525c ("nvme-pci: handle completions outside of the queue lock") Reported-by: Keith Busch <keith.busch@intel.com> Reviewed-by: Keith Busch <keith.busch@intel.com> Tested-by: Keith Busch <keith.busch@intel.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
ncsi_rsp_handler_gc() allocates the filter arrays using GFP_KERNEL in softirq context, causing the below backtrace. This allocation is only a few dozen bytes during probing so allocate with GFP_ATOMIC instead. [ 42.813372] BUG: sleeping function called from invalid context at mm/slab.h:416 [ 42.820900] in_atomic(): 1, irqs_disabled(): 0, pid: 213, name: kworker/0:1 [ 42.827893] INFO: lockdep is turned off. [ 42.832023] CPU: 0 PID: 213 Comm: kworker/0:1 Tainted: G W 4.13.16-01441-gad99b38 #65 [ 42.841007] Hardware name: Generic DT based system [ 42.845966] Workqueue: events ncsi_dev_work [ 42.850251] [<8010a494>] (unwind_backtrace) from [<80107510>] (show_stack+0x20/0x24) [ 42.858046] [<80107510>] (show_stack) from [<80612770>] (dump_stack+0x20/0x28) [ 42.865309] [<80612770>] (dump_stack) from [<80148248>] (___might_sleep+0x230/0x2b0) [ 42.873241] [<80148248>] (___might_sleep) from [<80148334>] (__might_sleep+0x6c/0xac) [ 42.881129] [<80148334>] (__might_sleep) from [<80240d6c>] (__kmalloc+0x210/0x2fc) [ 42.888737] [<80240d6c>] (__kmalloc) from [<8060ad54>] (ncsi_rsp_handler_gc+0xd0/0x170) [ 42.896770] [<8060ad54>] (ncsi_rsp_handler_gc) from [<8060b454>] (ncsi_rcv_rsp+0x16c/0x1d4) [ 42.905314] [<8060b454>] (ncsi_rcv_rsp) from [<804d86c8>] (__netif_receive_skb_core+0x3c8/0xb50) [ 42.914158] [<804d86c8>] (__netif_receive_skb_core) from [<804d96cc>] (__netif_receive_skb+0x20/0x7c) [ 42.923420] [<804d96cc>] (__netif_receive_skb) from [<804de4b0>] (netif_receive_skb_internal+0x78/0x6a4) [ 42.932931] [<804de4b0>] (netif_receive_skb_internal) from [<804df980>] (netif_receive_skb+0x78/0x158) [ 42.942292] [<804df980>] (netif_receive_skb) from [<8042f204>] (ftgmac100_poll+0x43c/0x4e8) [ 42.950855] [<8042f204>] (ftgmac100_poll) from [<804e094c>] (net_rx_action+0x278/0x4c4) [ 42.958918] [<804e094c>] (net_rx_action) from [<801016a8>] (__do_softirq+0xe0/0x4c4) [ 42.966716] [<801016a8>] (__do_softirq) from [<8011cd9c>] (do_softirq.part.4+0x50/0x78) [ 42.974756] [<8011cd9c>] (do_softirq.part.4) from [<8011cebc>] (__local_bh_enable_ip+0xf8/0x11c) [ 42.983579] [<8011cebc>] (__local_bh_enable_ip) from [<804dde08>] (__dev_queue_xmit+0x260/0x890) [ 42.992392] [<804dde08>] (__dev_queue_xmit) from [<804df1f0>] (dev_queue_xmit+0x1c/0x20) [ 43.000689] [<804df1f0>] (dev_queue_xmit) from [<806099c0>] (ncsi_xmit_cmd+0x1c0/0x244) [ 43.008763] [<806099c0>] (ncsi_xmit_cmd) from [<8060dc14>] (ncsi_dev_work+0x2e0/0x4c8) [ 43.016725] [<8060dc14>] (ncsi_dev_work) from [<80133dfc>] (process_one_work+0x214/0x6f8) [ 43.024940] [<80133dfc>] (process_one_work) from [<80134328>] (worker_thread+0x48/0x558) [ 43.033070] [<80134328>] (worker_thread) from [<8013ba80>] (kthread+0x130/0x174) [ 43.040506] [<8013ba80>] (kthread) from [<80102950>] (ret_from_fork+0x14/0x24) Fixes: 062b3e1 ("net/ncsi: Refactor MAC, VLAN filters") Signed-off-by: Samuel Mendoza-Jonas <sam@mendozajonas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
The function prototype used to call JITed eBPF code (ie. the type of the struct bpf_prog bpf_func field) returns an unsigned int. The MIPS n64 ABI that MIPS64 kernels target defines that 32 bit integers should always be sign extended when passed in registers as either arguments or return values. This means that when returning any value which may not already be sign extended (ie. of type REG_64BIT or REG_32BIT_ZERO_EX) we need to perform that sign extension in order to comply with the n64 ABI. Without this we see strange looking test failures from test_bpf.ko, such as: test_bpf: linux-sunxi#65 ALU64_MOV_X: dst = 4294967295 jited:1 ret -1 != -1 FAIL (1 times) Although the return value printed matches the expected value, this is only because printf is only examining the least significant 32 bits of the 64 bit register value we returned. The register holding the expected value is sign extended whilst the v0 register was set to a zero extended value by our JITed code, so when compared by a conditional branch instruction the values are not equal. We already handle this when the return value register is of type REG_32BIT_ZERO_EX, so simply extend this to also cover REG_64BIT. Signed-off-by: Paul Burton <paul.burton@mips.com> Fixes: b6bd53f ("MIPS: Add missing file for eBPF JIT.") Cc: stable@vger.kernel.org # v4.13+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
commit 1344315 upstream. The function prototype used to call JITed eBPF code (ie. the type of the struct bpf_prog bpf_func field) returns an unsigned int. The MIPS n64 ABI that MIPS64 kernels target defines that 32 bit integers should always be sign extended when passed in registers as either arguments or return values. This means that when returning any value which may not already be sign extended (ie. of type REG_64BIT or REG_32BIT_ZERO_EX) we need to perform that sign extension in order to comply with the n64 ABI. Without this we see strange looking test failures from test_bpf.ko, such as: test_bpf: linux-sunxi#65 ALU64_MOV_X: dst = 4294967295 jited:1 ret -1 != -1 FAIL (1 times) Although the return value printed matches the expected value, this is only because printf is only examining the least significant 32 bits of the 64 bit register value we returned. The register holding the expected value is sign extended whilst the v0 register was set to a zero extended value by our JITed code, so when compared by a conditional branch instruction the values are not equal. We already handle this when the return value register is of type REG_32BIT_ZERO_EX, so simply extend this to also cover REG_64BIT. Signed-off-by: Paul Burton <paul.burton@mips.com> Fixes: b6bd53f ("MIPS: Add missing file for eBPF JIT.") Cc: stable@vger.kernel.org # v4.13+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1344315 upstream. The function prototype used to call JITed eBPF code (ie. the type of the struct bpf_prog bpf_func field) returns an unsigned int. The MIPS n64 ABI that MIPS64 kernels target defines that 32 bit integers should always be sign extended when passed in registers as either arguments or return values. This means that when returning any value which may not already be sign extended (ie. of type REG_64BIT or REG_32BIT_ZERO_EX) we need to perform that sign extension in order to comply with the n64 ABI. Without this we see strange looking test failures from test_bpf.ko, such as: test_bpf: linux-sunxi#65 ALU64_MOV_X: dst = 4294967295 jited:1 ret -1 != -1 FAIL (1 times) Although the return value printed matches the expected value, this is only because printf is only examining the least significant 32 bits of the 64 bit register value we returned. The register holding the expected value is sign extended whilst the v0 register was set to a zero extended value by our JITed code, so when compared by a conditional branch instruction the values are not equal. We already handle this when the return value register is of type REG_32BIT_ZERO_EX, so simply extend this to also cover REG_64BIT. Signed-off-by: Paul Burton <paul.burton@mips.com> Fixes: b6bd53f ("MIPS: Add missing file for eBPF JIT.") Cc: stable@vger.kernel.org # v4.13+ Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 071c379 ] Neigh timer can be scheduled multiple times from userspace adding multiple neigh entries and forcing the neigh timer scheduling passing NTF_USE in the netlink requests. This will result in a refcount leak and in the following dump stack: [ 32.465295] NEIGH: BUG, double timer add, state is 8 [ 32.465308] CPU: 0 PID: 416 Comm: double_timer_ad Not tainted 5.2.0+ linux-sunxi#65 [ 32.465311] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014 [ 32.465313] Call Trace: [ 32.465318] dump_stack+0x7c/0xc0 [ 32.465323] __neigh_event_send+0x20c/0x880 [ 32.465326] ? ___neigh_create+0x846/0xfb0 [ 32.465329] ? neigh_lookup+0x2a9/0x410 [ 32.465332] ? neightbl_fill_info.constprop.0+0x800/0x800 [ 32.465334] neigh_add+0x4f8/0x5e0 [ 32.465337] ? neigh_xmit+0x620/0x620 [ 32.465341] ? find_held_lock+0x85/0xa0 [ 32.465345] rtnetlink_rcv_msg+0x204/0x570 [ 32.465348] ? rtnl_dellink+0x450/0x450 [ 32.465351] ? mark_held_locks+0x90/0x90 [ 32.465354] ? match_held_lock+0x1b/0x230 [ 32.465357] netlink_rcv_skb+0xc4/0x1d0 [ 32.465360] ? rtnl_dellink+0x450/0x450 [ 32.465363] ? netlink_ack+0x420/0x420 [ 32.465366] ? netlink_deliver_tap+0x115/0x560 [ 32.465369] ? __alloc_skb+0xc9/0x2f0 [ 32.465372] netlink_unicast+0x270/0x330 [ 32.465375] ? netlink_attachskb+0x2f0/0x2f0 [ 32.465378] netlink_sendmsg+0x34f/0x5a0 [ 32.465381] ? netlink_unicast+0x330/0x330 [ 32.465385] ? move_addr_to_kernel.part.0+0x20/0x20 [ 32.465388] ? netlink_unicast+0x330/0x330 [ 32.465391] sock_sendmsg+0x91/0xa0 [ 32.465394] ___sys_sendmsg+0x407/0x480 [ 32.465397] ? copy_msghdr_from_user+0x200/0x200 [ 32.465401] ? _raw_spin_unlock_irqrestore+0x37/0x40 [ 32.465404] ? lockdep_hardirqs_on+0x17d/0x250 [ 32.465407] ? __wake_up_common_lock+0xcb/0x110 [ 32.465410] ? __wake_up_common+0x230/0x230 [ 32.465413] ? netlink_bind+0x3e1/0x490 [ 32.465416] ? netlink_setsockopt+0x540/0x540 [ 32.465420] ? __fget_light+0x9c/0xf0 [ 32.465423] ? sockfd_lookup_light+0x8c/0xb0 [ 32.465426] __sys_sendmsg+0xa5/0x110 [ 32.465429] ? __ia32_sys_shutdown+0x30/0x30 [ 32.465432] ? __fd_install+0xe1/0x2c0 [ 32.465435] ? lockdep_hardirqs_off+0xb5/0x100 [ 32.465438] ? mark_held_locks+0x24/0x90 [ 32.465441] ? do_syscall_64+0xf/0x270 [ 32.465444] do_syscall_64+0x63/0x270 [ 32.465448] entry_SYSCALL_64_after_hwframe+0x49/0xbe Fix the issue unscheduling neigh_timer if selected entry is in 'IN_TIMER' receiving a netlink request with NTF_USE flag set Reported-by: Marek Majkowski <marek@cloudflare.com> Fixes: 0c5c2d3 ("neigh: Allow for user space users of the neighbour table") Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Reviewed-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
After previous fix for zero extension test_verifier tests #65 and #66 now fail. Before the fix we can see the alu32 mov op at insn 10 10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=4294967168,smax_value=4294967423, umin_value=4294967168,umax_value=4294967423, var_off=(0x0; 0x1ffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 10: (bc) w1 = w1 11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=0,smax_value=2147483647, umin_value=0,umax_value=4294967295, var_off=(0x0; 0xffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm After the fix at insn 10 because we have 's32_min_value < 0' the following step 11 now has 'smax_value=U32_MAX' where before we pulled the s32_max_value bound into the smax_value as seen above in 11 with smax_value=2147483647. 10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=4294967168,smax_value=4294967423, umin_value=4294967168,umax_value=4294967423, var_off=(0x0; 0x1ffffffff), s32_min_value=-2147483648, s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 10: (bc) w1 = w1 11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=0,smax_value=4294967295, umin_value=0,umax_value=4294967295, var_off=(0x0; 0xffffffff), s32_min_value=-2147483648, s32_max_value=2147483647, u32_min_value=0, u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm The fall out of this is by the time we get to the failing instruction at step 14 where previously we had the following: 14: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=72057594021150720,smax_value=72057594029539328, umin_value=72057594021150720,umax_value=72057594029539328, var_off=(0xffffffff000000; 0xffffff), s32_min_value=-16777216,s32_max_value=-1, u32_min_value=-16777216,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 14: (0f) r0 += r1 We now have, 14: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=0,smax_value=72057594037927935, umin_value=0,umax_value=72057594037927935, var_off=(0x0; 0xffffffffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 14: (0f) r0 += r1 In the original step 14 'smin_value=72057594021150720' this trips the logic in the verifier function check_reg_sane_offset(), if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { verbose(env, "value %lld makes %s pointer be out of bounds\n", smin, reg_type_str[type]); return false; } Specifically, the 'smin <= -BPF_MAX_VAR_OFF' check. But with the fix at step 14 we have bounds 'smin_value=0' so the above check is not tripped because BPF_MAX_VAR_OFF=1<<29. We have a smin_value=0 here because at step 10 the smaller smin_value=0 means the subtractions at steps 11 and 12 bring the smin_value negative. 11: (17) r1 -= 2147483584 12: (17) r1 -= 2147483584 13: (77) r1 >>= 8 Then the shift clears the top bit and smin_value is set to 0. Note we still have the smax_value in the fixed code so any reads will fail. An alternative would be to have reg_sane_check() do both smin and smax value tests. To fix the test we can omit the 'r1 >>=8' at line 13. This will change the err string, but keeps the intention of the test as suggseted by the title, "check after truncation of boundary-crossing range". If the verifier logic changes a different value is likely to be thrown in the error or the error will no longer be thrown forcing this test to be examined. With this change we see the new state at step 13. 13: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=-4294967168,smax_value=127, umin_value=0,umax_value=18446744073709551615, s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm Giving the expected out of bounds error, "value -4294967168 makes map_value pointer be out of bounds" However, for unpriv case we see a different error now because of the mixed signed bounds pointer arithmatic. This seems OK so I've only added the unpriv_errstr for this. Another optino may have been to do addition on r1 instead of subtraction but I favor the approach above slightly. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/159077333942.6014.14004320043595756079.stgit@john-Precision-5820-Tower
[ Upstream commit 230db82 ] When a console stack dump is initiated with CONFIG_GCOV_PROFILE_ALL enabled, show_trace_log_lvl() gets out of sync with the ORC unwinder, causing the stack trace to show all text addresses as unreliable: # echo l > /proc/sysrq-trigger [ 477.521031] sysrq: Show backtrace of all active CPUs [ 477.523813] NMI backtrace for cpu 0 [ 477.524492] CPU: 0 PID: 1021 Comm: bash Not tainted 6.0.0 linux-sunxi#65 [ 477.525295] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 [ 477.526439] Call Trace: [ 477.526854] <TASK> [ 477.527216] ? dump_stack_lvl+0xc7/0x114 [ 477.527801] ? dump_stack+0x13/0x1f [ 477.528331] ? nmi_cpu_backtrace.cold+0xb5/0x10d [ 477.528998] ? lapic_can_unplug_cpu+0xa0/0xa0 [ 477.529641] ? nmi_trigger_cpumask_backtrace+0x16a/0x1f0 [ 477.530393] ? arch_trigger_cpumask_backtrace+0x1d/0x30 [ 477.531136] ? sysrq_handle_showallcpus+0x1b/0x30 [ 477.531818] ? __handle_sysrq.cold+0x4e/0x1ae [ 477.532451] ? write_sysrq_trigger+0x63/0x80 [ 477.533080] ? proc_reg_write+0x92/0x110 [ 477.533663] ? vfs_write+0x174/0x530 [ 477.534265] ? handle_mm_fault+0x16f/0x500 [ 477.534940] ? ksys_write+0x7b/0x170 [ 477.535543] ? __x64_sys_write+0x1d/0x30 [ 477.536191] ? do_syscall_64+0x6b/0x100 [ 477.536809] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 477.537609] </TASK> This happens when the compiled code for show_stack() has a single word on the stack, and doesn't use a tail call to show_stack_log_lvl(). (CONFIG_GCOV_PROFILE_ALL=y is the only known case of this.) Then the __unwind_start() skip logic hits an off-by-one bug and fails to unwind all the way to the intended starting frame. Fix it by reverting the following commit: f1d9a2a ("x86/unwind/orc: Don't skip the first frame for inactive tasks") The original justification for that commit no longer exists. That original issue was later fixed in a different way, with the following commit: f2ac57a ("x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels") Fixes: f1d9a2a ("x86/unwind/orc: Don't skip the first frame for inactive tasks") Signed-off-by: Chen Zhongjin <chenzhongjin@huawei.com> [jpoimboe: rewrite commit log] Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org> Signed-off-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Done as a pull request since It's quite a large change (files changed).
Arguments for doing this in this branch:
One downside is that current configs will end up with no nand. I attempted to get SUN4I_NANDFLASH/SUN5I_NANDFLASH to autoselect SUNXI_NANDFLASH, but no luck so far. So users have to manually reselect it.