HID: sony: Enable Bluetooth Gasia third-party PS3 controllers #222

Open
wants to merge 1 commit into
base: master


@vs7 vs7 commented Nov 15, 2015

No description provided.

0day-ci pushed a commit to 0day-ci/linux that referenced this pull request Jan 12, 2016
On Tue, 12 Jan 2016 11:07:16 +0100,
Dmitry Vyukov wrote:
>
> Hello,
>
> The following program triggers GPF in snd_seq_fifo_clear:
>
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <unistd.h>
> #include <sys/syscall.h>
> #include <string.h>
> #include <stdlib.h>
> #include <stdint.h>
> #include <pthread.h>
>
> int fd;
>
> void *thr(void *arg)
> {
>         switch ((long)arg) {
>         case 0:
>                 *(uint32_t*)0x20001fb0 = (uint32_t)0x1;
>                 *(uint64_t*)0x20001fc8 = (uint64_t)0x0;
>                 *(uint64_t*)0x20001fd0 = (uint64_t)0x0;
>                 *(uint8_t*)0x20001fd8 = (uint8_t)0x3;
>                 *(uint8_t*)0x20001fd9 = (uint8_t)0x32be;
>                 *(uint8_t*)0x20001fda = (uint8_t)0x36;
>                 *(uint8_t*)0x20001fdb = (uint8_t)0x5120;
>                 *(uint32_t*)0x20001fdc = (uint32_t)0x0;
>                 *(uint8_t*)0x20001fe0 = (uint8_t)0x4;
>                 *(uint32_t*)0x20001fe4 = (uint32_t)0x0;
>                 *(uint32_t*)0x20001fe8 = (uint32_t)0x0;
>                 *(uint32_t*)0x20001fec = (uint32_t)0x0;
>                 *(uint32_t*)0x20001ff0 = (uint32_t)0x0;
>                 *(uint32_t*)0x20001ff4 = (uint32_t)0x0;
>                 *(uint32_t*)0x20001ff8 = (uint32_t)0x0;
>                 *(uint32_t*)0x20001ffc = (uint32_t)0x0;
>                 *(uint32_t*)0x20002000 = (uint32_t)0x0;
>                 *(uint32_t*)0x20002004 = (uint32_t)0x0;
>                 *(uint32_t*)0x20002008 = (uint32_t)0x0;
>                 syscall(SYS_ioctl, fd, 0x4040534eul, 0x20001fb0ul, 0, 0, 0);
>                 break;
>         case 1:
>                 *(uint32_t*)0x20006000 = (uint32_t)0xaff;
>                 *(uint32_t*)0x20006004 = (uint32_t)0x5;
>                 *(uint32_t*)0x20006008 = (uint32_t)0x101;
>                 *(uint64_t*)0x20006010 = (uint64_t)0x0;
>                 *(uint64_t*)0x20006018 = (uint64_t)0x989680;
>                 *(uint32_t*)0x20006020 = (uint32_t)0x3;
>                 *(uint32_t*)0x20006024 = (uint32_t)0x4;
>                 *(uint8_t*)0x20006028 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006029 = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602a = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602b = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602c = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602d = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602e = (uint8_t)0x0;
>                 *(uint8_t*)0x2000602f = (uint8_t)0x0;
>                 *(uint8_t*)0x20006030 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006031 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006032 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006033 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006034 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006035 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006036 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006037 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006038 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006039 = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603a = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603b = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603c = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603d = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603e = (uint8_t)0x0;
>                 *(uint8_t*)0x2000603f = (uint8_t)0x0;
>                 *(uint8_t*)0x20006040 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006041 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006042 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006043 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006044 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006045 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006046 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006047 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006048 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006049 = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604a = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604b = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604c = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604d = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604e = (uint8_t)0x0;
>                 *(uint8_t*)0x2000604f = (uint8_t)0x0;
>                 *(uint8_t*)0x20006050 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006051 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006052 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006053 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006054 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006055 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006056 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006057 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006058 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006059 = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605a = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605b = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605c = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605d = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605e = (uint8_t)0x0;
>                 *(uint8_t*)0x2000605f = (uint8_t)0x0;
>                 *(uint8_t*)0x20006060 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006061 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006062 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006063 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006064 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006065 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006066 = (uint8_t)0x0;
>                 *(uint8_t*)0x20006067 = (uint8_t)0x0;
>                 syscall(SYS_ioctl, fd, 0x402c5342ul, 0x20006000ul, 0, 0, 0);
>                 break;
>         case 2:
>                 *(uint8_t*)0x20007fb0 = (uint8_t)0x1037;
>                 *(uint8_t*)0x20007fb1 = (uint8_t)0x7;
>                 *(uint8_t*)0x20007fb2 = (uint8_t)0x30b;
>                 *(uint8_t*)0x20007fb3 = (uint8_t)0x34b0;
>                 *(uint32_t*)0x20007fb4 = (uint32_t)0x5;
>                 *(uint32_t*)0x20007fb8 = (uint32_t)0x7;
>                 *(uint8_t*)0x20007fbc = (uint8_t)0x75d;
>                 *(uint8_t*)0x20007fbd = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fbe = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fbf = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc0 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc1 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc2 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc3 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc4 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc5 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc6 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc7 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc8 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fc9 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fca = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fcb = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fcc = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fcd = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fce = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fcf = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd0 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd1 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd2 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd3 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd4 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd5 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd6 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd7 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd8 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fd9 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fda = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fdb = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fdc = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fdd = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fde = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fdf = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe0 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe1 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe2 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe3 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe4 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe5 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe6 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe7 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe8 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fe9 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fea = (uint8_t)0x0;
>                 *(uint8_t*)0x20007feb = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fec = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fed = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fee = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fef = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff0 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff1 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff2 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff3 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff4 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff5 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff6 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff7 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff8 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ff9 = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ffa = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ffb = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ffc = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ffd = (uint8_t)0x0;
>                 *(uint8_t*)0x20007ffe = (uint8_t)0x0;
>                 *(uint8_t*)0x20007fff = (uint8_t)0x0;
>                 syscall(SYS_ioctl, fd, 0x40505331ul, 0x20007fb0ul, 0, 0, 0);
>                 break;
>         }
>         return 0;
> }
>
> int main()
> {
>         long i;
>         pthread_t th;
>
>         srand(getpid());
>         syscall(SYS_mmap, 0x20000000ul, 0x8000ul, 0x3ul, 0x32ul,
> 0xfffffffffffffffful, 0x0ul);
>         memcpy((void*)0x20005000,
> "\x2f\x64\x65\x76\x2f\x73\x6e\x64\x2f\x73\x65\x71", 12);
>         fd = syscall(SYS_open, 0x20005000ul, 0x1ul, 0x0ul, 0, 0, 0);
>         for (i = 0; i < 6; i++) {
>                 pthread_create(&th, 0, thr, (void*)(i%3));
>                 if (rand()%2==0)
>                         usleep(rand()%1000);
>         }
>         usleep(10000);
>         return 0;
> }
>
>
>
> kasan: CONFIG_KASAN_INLINE enabled[  146.589109] kasan:
> CONFIG_KASAN_INLINE enabledkasan: GPF could be caused by NULL-ptr
> deref or user memory accessgeneral protection fault: 0000 [#1] SMP
> DEBUG_PAGEALLOC KASAN
> Modules linked in:
> CPU: 2 PID: 6540 Comm: a.out Not tainted 4.4.0+ torvalds#222
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff880064ed0000 ti: ffff880063620000 task.ti: ffff880063620000
> RIP: 0010:[<ffffffff84b65301>]  [<ffffffff84b65301>]
> snd_seq_fifo_clear+0x31/0x1d0
> RSP: 0018:ffff880063627c48  EFLAGS: 00010202
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000000015 RSI: 0000000020001ff0 RDI: 00000000000000a8
> RBP: ffff880063627c98 R08: 0000000000000001 R09: 0000000000000001
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880064de1ec0
> R13: dffffc0000000000 R14: ffff880063627d28 R15: 0000000000000001
> FS:  00007fc371e37700(0000) GS:ffff88006d600000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
> CR2: 0000000020002000 CR3: 0000000062a62000 CR4: 00000000000006e0
> Stack:
>  ffffffff867a5ce0 00000000000002b9 000000004040534e 0000000020001fb0
>  ffff880063627c98 1ffff1000c6c4f95 ffff880064de1ec0 dffffc0000000000
>  ffff880063627d28 0000000000000001 ffff880063627d50 ffffffff84b56918
> Call Trace:
>  [<ffffffff84b56918>] snd_seq_ioctl_remove_events+0x178/0x1b0
> sound/core/seq/seq_clientmgr.c:1966
>  [<ffffffff84b5954a>] snd_seq_do_ioctl+0x19a/0x1c0
> sound/core/seq/seq_clientmgr.c:2209
>  [<ffffffff84b5973d>] snd_seq_ioctl+0x5d/0x80
> sound/core/seq/seq_clientmgr.c:2224
>  [<     inline     >] vfs_ioctl fs/ioctl.c:43
>  [<ffffffff817b3531>] do_vfs_ioctl+0x681/0xe40 fs/ioctl.c:607
>  [<     inline     >] SYSC_ioctl fs/ioctl.c:622
>  [<ffffffff817b3d7f>] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:613
>  [<ffffffff85e748f6>] entry_SYSCALL_64_fastpath+0x16/0x7a
> arch/x86/entry/entry_64.S:185
> Code: 41 56 41 55 41 54 53 48 89 fb 48 83 ec 28 e8 47 aa 9f fc 48 8d
> bb a8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f>
> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
> RIP  [<     inline     >] __write_once_size include/linux/compiler.h:246
> RIP  [<     inline     >] atomic_set ./arch/x86/include/asm/atomic.h:39
> RIP  [<ffffffff84b65301>] snd_seq_fifo_clear+0x31/0x1d0
> sound/core/seq/seq_fifo.c:99
>  RSP <ffff880063627c48>
> ---[ end trace 3ee37e6a5304c762 ]---
>
>
> On commit afd2ff9 (Jan 10).

Thanks for reporting.

Fortunately this one looks like an easy problem, a simple missing NULL
check.  Could you check the patch below?

Takashi

-- 8< --
From: Takashi Iwai <[email protected]>
Subject: [PATCH] ALSA: seq: Fix missing NULL check at remove_events ioctl

snd_seq_ioctl_remove_events() calls snd_seq_fifo_clear()
unconditionally even if there is no FIFO assigned, and this leads to
an Oops due to NULL dereference.  The fix is just to add a proper NULL
check.

Reported-by: Dmitry Vyukov <[email protected]>
Cc: <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
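
The missing check described in the commit message above, as an added userspace model (not code from the patch or from the kernel). All type and function names are hypothetical, and the model assumes the input FIFO exists only for clients opened for reading, which is consistent with the reproducer opening the device with flags 0x1.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model flags, not the kernel's definitions. */
#define OPEN_READ     0x1u          /* client may receive events: gets an input FIFO */
#define OPEN_WRITE    0x2u          /* client may send events */
#define REMOVE_INPUT  (1u << 0)     /* flush the client's input FIFO */
#define REMOVE_OUTPUT (1u << 1)     /* flush the client's pending output */

struct fifo   { int queued; };
struct client { struct fifo *fifo; int out_queued; };

/* Assumption of this model: a write-only client has no FIFO at all. */
static int client_open(struct client *c, unsigned mode)
{
    c->out_queued = 0;
    c->fifo = NULL;
    if (mode & OPEN_READ) {
        c->fifo = calloc(1, sizeof(*c->fifo));
        if (!c->fifo)
            return -1;
    }
    return 0;
}

static void client_close(struct client *c)
{
    free(c->fifo);
    c->fifo = NULL;
}

/* Dereferences f unconditionally, like the function named in the Oops. */
static int fifo_clear(struct fifo *f)
{
    int n = f->queued;
    f->queued = 0;
    return n;
}

/* Guarded handler: returns how many queued events were dropped. */
static int remove_events(struct client *c, unsigned remove_mode)
{
    int removed = 0;

    if (remove_mode & REMOVE_INPUT) {
        /* Unguarded shape: removed += fifo_clear(c->fifo);
         * With c->fifo == NULL that is the NULL dereference reported above. */
        if (c->fifo)
            removed += fifo_clear(c->fifo);
    }
    if (remove_mode & REMOVE_OUTPUT) {
        removed += c->out_queued;
        c->out_queued = 0;
    }
    return removed;
}

/* Constructed scenario: write-only client asked to flush its input. */
static int demo_write_only_input_remove(void)
{
    struct client c;
    if (client_open(&c, OPEN_WRITE))
        return -1;
    c.out_queued = 2;
    int removed = remove_events(&c, REMOVE_INPUT);   /* must not touch a FIFO */
    client_close(&c);
    return removed;
}

/* Constructed scenario: read/write client with events queued both ways. */
static int demo_read_write_remove_all(void)
{
    struct client c;
    if (client_open(&c, OPEN_READ | OPEN_WRITE))
        return -1;
    c.fifo->queued = 3;
    c.out_queued = 2;
    int removed = remove_events(&c, REMOVE_INPUT | REMOVE_OUTPUT);
    client_close(&c);
    return removed;
}

int main(void)
{
    printf("write-only, REMOVE_INPUT: %d removed\n", demo_write_only_input_remove());
    printf("read/write, remove all:   %d removed\n", demo_read_write_remove_all());
    return 0;
}
```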
commodo pushed a commit to commodo/linux that referenced this pull request Nov 2, 2018
chombourger pushed a commit to chombourger/linux that referenced this pull request Feb 16, 2021
…from ~A0400828/processor-sdk-linux:for-4.19/lcpd-18064 to processor-sdk-linux-4.19.y

* commit '94daf78e001113dbb19ee01ba79ec29ff0618940':
  HACK: arm: dts: am57xx-idk: remove IRQ from PRU Ethernet PHYs
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Mar 24, 2021
In __hci_req_enable_advertising, the HCI_LE_ADV hdev flag is temporarily
cleared to allow the random address to be set, which exposes a race
condition when an advertisement is configured immediately (<10ms) after
software rotation starts to refresh an advertisement.

In normal operation, the HCI_LE_ADV flag is updated as follows:

1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
   __hci_req_enable_advertising, but hci_req configures an enable
   request
2. hci_req is run, enable callback re-sets HCI_LE_ADV flag

However, in this race condition, the following occurs:

1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
   __hci_req_enable_advertising, but hci_req configures an enable
   request
2. add_advertising is called, which also calls
   __hci_req_enable_advertising. Because HCI_LE_ADV was cleared in Step
   1, no "disable" command is queued.
3. hci_req for adv_timeout_expire is run, which enables advertising and
   re-sets HCI_LE_ADV
4. hci_req for add_advertising is run, but because no "disable" command
   was queued, we try to set advertising parameters while advertising is
   active, causing a Command Disallowed error, failing the registration.

To resolve the issue, this patch removes the check for the HCI_LE_ADV
flag, and always queues the "disable" request, since HCI_LE_ADV could be
very temporarily out-of-sync. According to the spec, there is no harm in
calling "disable" when advertising is not active.

An example trace showing the HCI error in setting advertising parameters
is included below, with some notes annotating the states I mentioned
above:

@ MGMT Command: Add Ext Adv.. (0x0055) plen 35  {0x0001} [hci0]04:05.884
        Instance: 3
        Advertising data length: 24
        16-bit Service UUIDs (complete): 2 entries
          Location and Navigation (0x1819)
          Phone Alert Status Service (0x180e)
        Company: not assigned (65283)
          Data: 3a3b3c3d3e
        Service Data (UUID 0x9993): 3132333435
        Scan response length: 0
@ MGMT Event: Advertising Ad.. (0x0023) plen 1  {0x0005} [hci0]04:05.885
        Instance: 3

=== adv_timeout_expire request starts running. This request was created
before our add advertising request
> HCI Event: Command Complete (0x0e) plen 4         torvalds#220 [hci0]04:05.993
      LE Set Advertising Data (0x08|0x0008) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Scan.. (0x08|0x0009) plen 32  torvalds#221 [hci0]04:05.993
        Length: 24
        Service Data (UUID 0xabcd): 161718191a1b1c1d1e1f2021222324252627
> HCI Event: Command Complete (0x0e) plen 4         torvalds#222 [hci0]04:05.995
      LE Set Scan Response Data (0x08|0x0009) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#223 [hci0]04:05.995
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#224 [hci0]04:05.997
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#225 [hci0]04:05.997
        Min advertising interval: 200.000 msec (0x0140)
        Max advertising interval: 200.000 msec (0x0140)
        Type: Connectable undirected - ADV_IND (0x00)
        Own address type: Public (0x00)
        Direct address type: Public (0x00)
        Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
        Channel map: 37, 38, 39 (0x07)
        Filter policy: Allow Scan Request, Connect from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#226 [hci0]04:05.998
      LE Set Advertising Parameters (0x08|0x0006) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#227 [hci0]04:05.999
        Advertising: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#228 [hci0]04:06.000
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)

=== Our new add_advertising request starts running
< HCI Command: Read Local N.. (0x03|0x0014) plen 0  torvalds#229 [hci0]04:06.001
> HCI Event: Command Complete (0x0e) plen 252       torvalds#230 [hci0]04:06.005
      Read Local Name (0x03|0x0014) ncmd 1
        Status: Success (0x00)
        Name: Chromebook_FB3D

=== Although the controller is advertising, no disable command is sent
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#231 [hci0]04:06.005
        Min advertising interval: 200.000 msec (0x0140)
        Max advertising interval: 200.000 msec (0x0140)
        Type: Connectable undirected - ADV_IND (0x00)
        Own address type: Public (0x00)
        Direct address type: Public (0x00)
        Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
        Channel map: 37, 38, 39 (0x07)
        Filter policy: Allow Scan Request, Connect from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#232 [hci0]04:06.005
      LE Set Advertising Parameters (0x08|0x0006) ncmd 1
        Status: Command Disallowed (0x0c)

Reviewed-by: Miao-chen Chou <[email protected]>
Signed-off-by: Daniel Winkler <[email protected]>
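
The four-step race from the commit message above, as an added single-threaded simulation (not code from the patch or the kernel). The struct and function names are hypothetical; the model assumes the controller rejects Set Advertising Parameters while advertising is enabled and accepts a disable at any time, as the message states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define HCI_SUCCESS            0x00
#define HCI_COMMAND_DISALLOWED 0x0c   /* status shown in the trace above */

enum cmd { CMD_ADV_DISABLE, CMD_ADV_SET_PARAMS, CMD_ADV_ENABLE };

struct controller { bool advertising; };            /* controller-side truth */
struct host       { bool le_adv_flag; };            /* host's HCI_LE_ADV view */
struct request    { enum cmd cmds[3]; size_t n; };  /* commands fixed at build time */

/* Build step, modelled on the description of __hci_req_enable_advertising:
 * "disable" is queued only if the flag is set (unless always_disable),
 * then the flag is temporarily cleared. Nothing is sent yet. */
static void build_enable_advertising(struct host *h, struct request *r,
                                     bool always_disable)
{
    r->n = 0;
    if (always_disable || h->le_adv_flag)
        r->cmds[r->n++] = CMD_ADV_DISABLE;
    h->le_adv_flag = false;
    r->cmds[r->n++] = CMD_ADV_SET_PARAMS;
    r->cmds[r->n++] = CMD_ADV_ENABLE;
}

static int controller_exec(struct controller *c, enum cmd cmd)
{
    switch (cmd) {
    case CMD_ADV_DISABLE:
        c->advertising = false;        /* harmless when already disabled */
        return HCI_SUCCESS;
    case CMD_ADV_SET_PARAMS:
        return c->advertising ? HCI_COMMAND_DISALLOWED : HCI_SUCCESS;
    case CMD_ADV_ENABLE:
        c->advertising = true;
        return HCI_SUCCESS;
    }
    return HCI_COMMAND_DISALLOWED;
}

/* Run step: sends the queued commands; completion callbacks update the flag.
 * Stops at the first failing command and returns its status. */
static int run_request(struct host *h, struct controller *c,
                       const struct request *r)
{
    for (size_t i = 0; i < r->n; i++) {
        int status = controller_exec(c, r->cmds[i]);
        if (status != HCI_SUCCESS)
            return status;
        if (r->cmds[i] == CMD_ADV_ENABLE)
            h->le_adv_flag = true;
        else if (r->cmds[i] == CMD_ADV_DISABLE)
            h->le_adv_flag = false;
    }
    return HCI_SUCCESS;
}

/* Both requests are built before either runs (steps 1-4 of the race). */
static int simulate_race(bool always_disable)
{
    struct controller c = { .advertising = true };
    struct host h = { .le_adv_flag = true };
    struct request rotate, add;

    build_enable_advertising(&h, &rotate, always_disable); /* 1: adv_timeout_expire */
    build_enable_advertising(&h, &add, always_disable);    /* 2: add_advertising */
    if (run_request(&h, &c, &rotate) != HCI_SUCCESS)       /* 3 */
        return -1;
    return run_request(&h, &c, &add);                      /* 4 */
}

/* Normal operation: the second request is built after the first has run. */
static int simulate_sequential(bool always_disable)
{
    struct controller c = { .advertising = true };
    struct host h = { .le_adv_flag = true };
    struct request rotate, add;

    build_enable_advertising(&h, &rotate, always_disable);
    if (run_request(&h, &c, &rotate) != HCI_SUCCESS)
        return -1;
    build_enable_advertising(&h, &add, always_disable);
    return run_request(&h, &c, &add);
}

int main(void)
{
    printf("race, flag-gated disable: 0x%02x\n", simulate_race(false));
    printf("race, always disable:     0x%02x\n", simulate_race(true));
    printf("sequential, flag-gated:   0x%02x\n", simulate_sequential(false));
    return 0;
}
```

The model only covers a controller that behaves as the message assumes; the revert further down this page reports that always sending "disable" regressed advertising registration on ThP and WP2.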
Gnurou pushed a commit to Gnurou/linux that referenced this pull request Apr 8, 2021
…arams

In __hci_req_enable_advertising, the HCI_LE_ADV hdev flag is temporarily
cleared to allow the random address to be set, which exposes a race
condition when an advertisement is configured immediately (<10ms) after
software rotation starts to refresh an advertisement.

In normal operation, the HCI_LE_ADV flag is updated as follows:

1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
   __hci_req_enable_advertising, but hci_req configures an enable
   request
2. hci_req is run, enable callback re-sets HCI_LE_ADV flag

However, in this race condition, the following occurs:

1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
   __hci_req_enable_advertising, but hci_req configures an enable
   request
2. add_advertising is called, which also calls
   __hci_req_enable_advertising. Because HCI_LE_ADV was cleared in Step
   1, no "disable" command is queued.
3. hci_req for adv_timeout_expire is run, which enables advertising and
   re-sets HCI_LE_ADV
4. hci_req for add_advertising is run, but because no "disable" command
   was queued, we try to set advertising parameters while advertising is
   active, causing a Command Disallowed error, failing the registration.

To resolve the issue, this patch removes the check for the HCI_LE_ADV
flag, and always queues the "disable" request, since HCI_LE_ADV could be
very temporarily out-of-sync. According to the spec, there is no harm in
calling "disable" when advertising is not active.

An example trace showing the HCI error in setting advertising parameters
is included below, with some notes annotating the states I mentioned
above:

@ MGMT Command: Add Ext Adv.. (0x0055) plen 35  {0x0001} [hci0]04:05.884
        Instance: 3
        Advertising data length: 24
        16-bit Service UUIDs (complete): 2 entries
          Location and Navigation (0x1819)
          Phone Alert Status Service (0x180e)
        Company: not assigned (65283)
          Data: 3a3b3c3d3e
        Service Data (UUID 0x9993): 3132333435
        Scan response length: 0
@ MGMT Event: Advertising Ad.. (0x0023) plen 1  {0x0005} [hci0]04:05.885
        Instance: 3

=== adv_timeout_expire request starts running. This request was created
before our add advertising request
> HCI Event: Command Complete (0x0e) plen 4         torvalds#220 [hci0]04:05.993
      LE Set Advertising Data (0x08|0x0008) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Scan.. (0x08|0x0009) plen 32  torvalds#221 [hci0]04:05.993
        Length: 24
        Service Data (UUID 0xabcd): 161718191a1b1c1d1e1f2021222324252627
> HCI Event: Command Complete (0x0e) plen 4         torvalds#222 [hci0]04:05.995
      LE Set Scan Response Data (0x08|0x0009) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#223 [hci0]04:05.995
        Advertising: Disabled (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#224 [hci0]04:05.997
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#225 [hci0]04:05.997
        Min advertising interval: 200.000 msec (0x0140)
        Max advertising interval: 200.000 msec (0x0140)
        Type: Connectable undirected - ADV_IND (0x00)
        Own address type: Public (0x00)
        Direct address type: Public (0x00)
        Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
        Channel map: 37, 38, 39 (0x07)
        Filter policy: Allow Scan Request, Connect from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#226 [hci0]04:05.998
      LE Set Advertising Parameters (0x08|0x0006) ncmd 1
        Status: Success (0x00)
< HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#227 [hci0]04:05.999
        Advertising: Enabled (0x01)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#228 [hci0]04:06.000
      LE Set Advertise Enable (0x08|0x000a) ncmd 1
        Status: Success (0x00)

=== Our new add_advertising request starts running
< HCI Command: Read Local N.. (0x03|0x0014) plen 0  torvalds#229 [hci0]04:06.001
> HCI Event: Command Complete (0x0e) plen 252       torvalds#230 [hci0]04:06.005
      Read Local Name (0x03|0x0014) ncmd 1
        Status: Success (0x00)
        Name: Chromebook_FB3D

=== Although the controller is advertising, no disable command is sent
< HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#231 [hci0]04:06.005
        Min advertising interval: 200.000 msec (0x0140)
        Max advertising interval: 200.000 msec (0x0140)
        Type: Connectable undirected - ADV_IND (0x00)
        Own address type: Public (0x00)
        Direct address type: Public (0x00)
        Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
        Channel map: 37, 38, 39 (0x07)
        Filter policy: Allow Scan Request, Connect from Any (0x00)
> HCI Event: Command Complete (0x0e) plen 4         torvalds#232 [hci0]04:06.005
      LE Set Advertising Parameters (0x08|0x0006) ncmd 1
        Status: Command Disallowed (0x0c)

Reviewed-by: Miao-chen Chou <[email protected]>
Signed-off-by: Daniel Winkler <[email protected]>
(am from https://patchwork.kernel.org/patch/12162043/)
(also found at https://lore.kernel.org/r/20210324114645.v2.1.I53e6be1f7df0be198b7e55ae9fc45c7f5760132d@changeid)

BUG=b:182382092
TEST=AdvHealth on kefka chromebook

Change-Id: I53e6be1f7df0be198b7e55ae9fc45c7f5760132d
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2775994
Reviewed-by: Sean Paul <[email protected]>
Reviewed-by: Yu Liu <[email protected]>
Reviewed-by: Alain Michaud <[email protected]>
Reviewed-by: Miao-chen Chou <[email protected]>
Commit-Queue: Daniel Winkler <[email protected]>
Tested-by: Daniel Winkler <[email protected]>
Gnurou pushed a commit to Gnurou/linux that referenced this pull request Apr 8, 2021
…etting params"

This reverts commit 398beab.

Reason for revert: Regresses advertising registration on ThP and WP2

Original change's description:
> FROMLIST: Bluetooth: Always call advertising disable before setting params
>
> In __hci_req_enable_advertising, the HCI_LE_ADV hdev flag is temporarily
> cleared to allow the random address to be set, which exposes a race
> condition when an advertisement is configured immediately (<10ms) after
> software rotation starts to refresh an advertisement.
>
> In normal operation, the HCI_LE_ADV flag is updated as follows:
>
> 1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
>    __hci_req_enable_advertising, but hci_req configures an enable
>    request
> 2. hci_req is run, enable callback re-sets HCI_LE_ADV flag
>
> However, in this race condition, the following occurs:
>
> 1. adv_timeout_expire is called, HCI_LE_ADV gets cleared in
>    __hci_req_enable_advertising, but hci_req configures an enable
>    request
> 2. add_advertising is called, which also calls
>    __hci_req_enable_advertising. Because HCI_LE_ADV was cleared in Step
>    1, no "disable" command is queued.
> 3. hci_req for adv_timeout_expire is run, which enables advertising and
>    re-sets HCI_LE_ADV
> 4. hci_req for add_advertising is run, but because no "disable" command
>    was queued, we try to set advertising parameters while advertising is
>    active, causing a Command Disallowed error, failing the registration.
>
> To resolve the issue, this patch removes the check for the HCI_LE_ADV
> flag, and always queues the "disable" request, since HCI_LE_ADV could be
> very temporarily out-of-sync. According to the spec, there is no harm in
> calling "disable" when advertising is not active.
>
> An example trace showing the HCI error in setting advertising parameters
> is included below, with some notes annotating the states I mentioned
> above:
>
> @ MGMT Command: Add Ext Adv.. (0x0055) plen 35  {0x0001} [hci0]04:05.884
>         Instance: 3
>         Advertising data length: 24
>         16-bit Service UUIDs (complete): 2 entries
>           Location and Navigation (0x1819)
>           Phone Alert Status Service (0x180e)
>         Company: not assigned (65283)
>           Data: 3a3b3c3d3e
>         Service Data (UUID 0x9993): 3132333435
>         Scan response length: 0
> @ MGMT Event: Advertising Ad.. (0x0023) plen 1  {0x0005} [hci0]04:05.885
>         Instance: 3
>
> === adv_timeout_expire request starts running. This request was created
> before our add advertising request
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#220 [hci0]04:05.993
>       LE Set Advertising Data (0x08|0x0008) ncmd 1
>         Status: Success (0x00)
> < HCI Command: LE Set Scan.. (0x08|0x0009) plen 32  torvalds#221 [hci0]04:05.993
>         Length: 24
>         Service Data (UUID 0xabcd): 161718191a1b1c1d1e1f2021222324252627
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#222 [hci0]04:05.995
>       LE Set Scan Response Data (0x08|0x0009) ncmd 1
>         Status: Success (0x00)
> < HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#223 [hci0]04:05.995
>         Advertising: Disabled (0x00)
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#224 [hci0]04:05.997
>       LE Set Advertise Enable (0x08|0x000a) ncmd 1
>         Status: Success (0x00)
> < HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#225 [hci0]04:05.997
>         Min advertising interval: 200.000 msec (0x0140)
>         Max advertising interval: 200.000 msec (0x0140)
>         Type: Connectable undirected - ADV_IND (0x00)
>         Own address type: Public (0x00)
>         Direct address type: Public (0x00)
>         Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
>         Channel map: 37, 38, 39 (0x07)
>         Filter policy: Allow Scan Request, Connect from Any (0x00)
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#226 [hci0]04:05.998
>       LE Set Advertising Parameters (0x08|0x0006) ncmd 1
>         Status: Success (0x00)
> < HCI Command: LE Set Adver.. (0x08|0x000a) plen 1  torvalds#227 [hci0]04:05.999
>         Advertising: Enabled (0x01)
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#228 [hci0]04:06.000
>       LE Set Advertise Enable (0x08|0x000a) ncmd 1
>         Status: Success (0x00)
>
> === Our new add_advertising request starts running
> < HCI Command: Read Local N.. (0x03|0x0014) plen 0  torvalds#229 [hci0]04:06.001
> > HCI Event: Command Complete (0x0e) plen 252       torvalds#230 [hci0]04:06.005
>       Read Local Name (0x03|0x0014) ncmd 1
>         Status: Success (0x00)
>         Name: Chromebook_FB3D
>
> === Although the controller is advertising, no disable command is sent
> < HCI Command: LE Set Adve.. (0x08|0x0006) plen 15  torvalds#231 [hci0]04:06.005
>         Min advertising interval: 200.000 msec (0x0140)
>         Max advertising interval: 200.000 msec (0x0140)
>         Type: Connectable undirected - ADV_IND (0x00)
>         Own address type: Public (0x00)
>         Direct address type: Public (0x00)
>         Direct address: 00:00:00:00:00:00 (OUI 00-00-00)
>         Channel map: 37, 38, 39 (0x07)
>         Filter policy: Allow Scan Request, Connect from Any (0x00)
> > HCI Event: Command Complete (0x0e) plen 4         torvalds#232 [hci0]04:06.005
>       LE Set Advertising Parameters (0x08|0x0006) ncmd 1
>         Status: Command Disallowed (0x0c)
>
> Reviewed-by: Miao-chen Chou <[email protected]>
> Signed-off-by: Daniel Winkler <[email protected]>
> (am from https://patchwork.kernel.org/patch/12162043/)
> (also found at https://lore.kernel.org/r/20210324114645.v2.1.I53e6be1f7df0be198b7e55ae9fc45c7f5760132d@changeid)
>
> BUG=b:182382092
> TEST=AdvHealth on kefka chromebook
>
> Change-Id: I53e6be1f7df0be198b7e55ae9fc45c7f5760132d
> Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2775994
> Reviewed-by: Sean Paul <[email protected]>
> Reviewed-by: Yu Liu <[email protected]>
> Reviewed-by: Alain Michaud <[email protected]>
> Reviewed-by: Miao-chen Chou <[email protected]>
> Commit-Queue: Daniel Winkler <[email protected]>
> Tested-by: Daniel Winkler <[email protected]>

BUG=b:182382092
Change-Id: I5be2649e7887bc3a8139ea18037afd28e929d3b1
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/2792003
Bot-Commit: Rubber Stamper <[email protected]>
Commit-Queue: Daniel Winkler <[email protected]>
ojeda added a commit to ojeda/linux that referenced this pull request Apr 29, 2021
Add `UserSlicePtrWriter::clear`.
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 12, 2021
We got this UBSAN warning:

UBSAN: shift-out-of-bounds in net/ieee802154/nl802154.c:920:44
shift exponent -1 is negative
CPU: 3 PID: 8258 Comm: repro Not tainted 5.13.0+ #222
Call Trace:
 dump_stack_lvl+0x8d/0xcf
 ubsan_epilogue+0xa/0x4e
 __ubsan_handle_shift_out_of_bounds+0x161/0x182
 nl802154_new_interface+0x3bf/0x3d0
 genl_family_rcv_msg_doit.isra.15+0x12d/0x170
 genl_rcv_msg+0x11a/0x240
 netlink_rcv_skb+0x69/0x160
 genl_rcv+0x24/0x40

NL802154_IFTYPE_UNSPEC is -1, so enum nl802154_iftype type now
is a signed integer, which is assigned by nla_get_u32 in
nl802154_new_interface(), this may cause type is negative and trigger
this warning.

Fixes: 6531868 ("ieee802154: add iftypes capability")
Signed-off-by: YueHaibing <[email protected]>
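An added example, not part of the commit or the kernel source: a userspace C model of the signedness problem the message above describes, with the unchecked pattern beside a range-checked one. All `demo_*` names, the bitmask layout and the error codes chosen are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for enum nl802154_iftype: because one member is -1,
 * the enum is a signed integer type. */
enum demo_iftype {
	DEMO_IFTYPE_UNSPEC = -1,
	DEMO_IFTYPE_NODE,
	DEMO_IFTYPE_MONITOR,
	DEMO_IFTYPE_COORD,
	DEMO_NUM_IFTYPES,
};

/* What a u32 attribute turns into once it is stored in the signed enum.
 * The conversion is implementation-defined; gcc and clang wrap, so
 * 0xffffffff becomes -1. */
int demo_attr_as_enum(uint32_t attr)
{
	enum demo_iftype type = (enum demo_iftype)attr;

	return (int)type;
}

/* Unchecked pattern: the attacker-controlled u32 goes straight into the enum
 * and is then used as a shift exponent. With attr == 0xffffffff the exponent
 * is -1, which is undefined behaviour and is what UBSAN reports. */
int demo_new_interface_unchecked(uint32_t attr, uint32_t supported)
{
	enum demo_iftype type = (enum demo_iftype)attr;

	if (!(supported & (1U << type)))
		return -EOPNOTSUPP;
	return 0;
}

/* Checked pattern: validate the raw unsigned value against the number of
 * known types before it is ever converted or used as a shift count. */
int demo_new_interface_checked(uint32_t attr, uint32_t supported)
{
	if (attr >= (uint32_t)DEMO_NUM_IFTYPES)
		return -EINVAL;
	if (!(supported & (UINT32_C(1) << attr)))
		return -EOPNOTSUPP;
	return 0;
}

int main(void)
{
	/* Constructed inputs: only NODE is "supported" (bit 0). */
	uint32_t supported = UINT32_C(1) << DEMO_IFTYPE_NODE;

	printf("0xffffffff as enum: %d\n", demo_attr_as_enum(0xffffffffu));
	printf("unchecked, NODE:    %d\n",
	       demo_new_interface_unchecked(DEMO_IFTYPE_NODE, supported));
	printf("checked, 0xffffffff: %d\n",
	       demo_new_interface_checked(0xffffffffu, supported));
	printf("checked, MONITOR:    %d\n",
	       demo_new_interface_checked(DEMO_IFTYPE_MONITOR, supported));
	return 0;
}
```

Building the unchecked variant with `-fsanitize=shift` and passing it `0xffffffff` reproduces the class of report shown in the commit message.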
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 25, 2021
The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero first.

The following log reveals it:

[   33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[   33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
[   33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
[   33.396969] Call Trace:
[   33.396973]  ? debug_smp_processor_id+0x1c/0x20
[   33.396984]  ? tick_nohz_tick_stopped+0x1a/0x90
[   33.396996]  ? rivafb_copyarea+0x3c0/0x3c0
[   33.397003]  ? wake_up_klogd.part.0+0x99/0xd0
[   33.397014]  ? vprintk_emit+0x110/0x4b0
[   33.397024]  ? vprintk_default+0x26/0x30
[   33.397033]  ? vprintk+0x9c/0x1f0
[   33.397041]  ? printk+0xba/0xed
[   33.397054]  ? record_print_text.cold+0x16/0x16
[   33.397063]  ? __kasan_check_read+0x11/0x20
[   33.397074]  ? profile_tick+0xc0/0x100
[   33.397084]  ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
[   33.397094]  ? riva_set_rop_solid+0x2a0/0x2a0
[   33.397102]  rivafb_set_par+0xbe/0x610
[   33.397111]  ? riva_set_rop_solid+0x2a0/0x2a0
[   33.397119]  fb_set_var+0x5bf/0xeb0
[   33.397127]  ? fb_blank+0x1a0/0x1a0
[   33.397134]  ? lock_acquire+0x1ef/0x530
[   33.397143]  ? lock_release+0x810/0x810
[   33.397151]  ? lock_is_held_type+0x100/0x140
[   33.397159]  ? ___might_sleep+0x1ee/0x2d0
[   33.397170]  ? __mutex_lock+0x620/0x1190
[   33.397180]  ? trace_hardirqs_on+0x6a/0x1c0
[   33.397190]  do_fb_ioctl+0x31e/0x700

Signed-off-by: Zheyu Ma <[email protected]>
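An added example, not the driver's code or the patch itself: a userspace C model of the call path in the trace above (`do_fb_ioctl` → `fb_set_var` → `rivafb_set_par` → `riva_load_video_mode`), showing a zero `pixclock` rejected before the division is reached. The `demo_*` names and the placement of the check in a separate validation step are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, reduced stand-in for the mode description userspace supplies
 * through the framebuffer ioctl. */
struct demo_var_screeninfo {
	uint32_t xres;
	uint32_t yres;
	uint32_t pixclock;	/* pixel period in picoseconds, caller-controlled */
};

/* Picoseconds per pixel to kHz, the same arithmetic as the kernel's
 * PICOS2KHZ() macro. Divides by the caller-supplied value. */
static uint32_t demo_picos_to_khz(uint32_t pixclock)
{
	return 1000000000U / pixclock;
}

/* Validation step: runs before any hardware programming. Rejecting zero here
 * means no later step can divide by it. */
int demo_check_var(const struct demo_var_screeninfo *var)
{
	if (var->pixclock == 0)
		return -EINVAL;
	return 0;
}

/* Mode-setting step: trusts that demo_check_var() already ran. Called
 * directly with pixclock == 0 it would raise a divide error, as in the log. */
int demo_set_par(const struct demo_var_screeninfo *var, uint32_t *dotclock_khz)
{
	*dotclock_khz = demo_picos_to_khz(var->pixclock);
	return 0;
}

/* ioctl-side entry point: validate first, then program the mode. */
int demo_set_var(const struct demo_var_screeninfo *var, uint32_t *dotclock_khz)
{
	int err = demo_check_var(var);

	if (err)
		return err;
	return demo_set_par(var, dotclock_khz);
}

int main(void)
{
	/* Constructed inputs: a 640x480 mode and the same mode with pixclock 0. */
	struct demo_var_screeninfo good = { 640, 480, 39721 };
	struct demo_var_screeninfo bad = { 640, 480, 0 };
	uint32_t khz = 0;

	printf("good: ret=%d khz=%u\n", demo_set_var(&good, &khz), khz);
	printf("bad:  ret=%d\n", demo_set_var(&bad, &khz));
	return 0;
}
```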
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 26, 2021
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 27, 2021
Signed-off-by: Zheyu Ma <[email protected]>
Signed-off-by: Sam Ravnborg <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 17, 2021
[ Upstream commit f92763c ]

Signed-off-by: Zheyu Ma <[email protected]>
Signed-off-by: Sam Ravnborg <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 17, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 17, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 17, 2021
intersectRaven pushed a commit to intersectRaven/linux that referenced this pull request Sep 18, 2021
shenki referenced this pull request in openbmc/linux Sep 20, 2021
staging-kernelci-org pushed a commit to kernelci/linux that referenced this pull request Sep 20, 2021
Rubusch pushed a commit to Rubusch/linux that referenced this pull request Sep 22, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
mrchapp pushed a commit to mrchapp/linux that referenced this pull request Sep 23, 2021
[ Upstream commit f92763c ]

The userspace program could pass any values to the driver through
ioctl() interface. If the driver doesn't check the value of 'pixclock',
it may cause divide error.

Fix this by checking whether 'pixclock' is zero first.

The following log reveals it:

[   33.396850] divide error: 0000 [#1] PREEMPT SMP KASAN PTI
[   33.396864] CPU: 5 PID: 11754 Comm: i740 Not tainted 5.14.0-rc2-00513-gac532c9bbcfb-dirty #222
[   33.396883] RIP: 0010:riva_load_video_mode+0x417/0xf70
[   33.396969] Call Trace:
[   33.396973]  ? debug_smp_processor_id+0x1c/0x20
[   33.396984]  ? tick_nohz_tick_stopped+0x1a/0x90
[   33.396996]  ? rivafb_copyarea+0x3c0/0x3c0
[   33.397003]  ? wake_up_klogd.part.0+0x99/0xd0
[   33.397014]  ? vprintk_emit+0x110/0x4b0
[   33.397024]  ? vprintk_default+0x26/0x30
[   33.397033]  ? vprintk+0x9c/0x1f0
[   33.397041]  ? printk+0xba/0xed
[   33.397054]  ? record_print_text.cold+0x16/0x16
[   33.397063]  ? __kasan_check_read+0x11/0x20
[   33.397074]  ? profile_tick+0xc0/0x100
[   33.397084]  ? __sanitizer_cov_trace_const_cmp4+0x24/0x80
[   33.397094]  ? riva_set_rop_solid+0x2a0/0x2a0
[   33.397102]  rivafb_set_par+0xbe/0x610
[   33.397111]  ? riva_set_rop_solid+0x2a0/0x2a0
[   33.397119]  fb_set_var+0x5bf/0xeb0
[   33.397127]  ? fb_blank+0x1a0/0x1a0
[   33.397134]  ? lock_acquire+0x1ef/0x530
[   33.397143]  ? lock_release+0x810/0x810
[   33.397151]  ? lock_is_held_type+0x100/0x140
[   33.397159]  ? ___might_sleep+0x1ee/0x2d0
[   33.397170]  ? __mutex_lock+0x620/0x1190
[   33.397180]  ? trace_hardirqs_on+0x6a/0x1c0
[   33.397190]  do_fb_ioctl+0x31e/0x700

Signed-off-by: Zheyu Ma <[email protected]>
Signed-off-by: Sam Ravnborg <[email protected]>
Link: https://patchwork.freedesktop.org/patch/msgid/[email protected]
Signed-off-by: Sasha Levin <[email protected]>
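An added illustration of the check the commit message above describes, not the rivafb patch itself: a userspace C model in which `pixclock` arrives from an untrusted caller and is validated before it is used as a divisor. The names `mode_request`, `picos_to_khz`, `model_check_var` and `model_set_mode` are hypothetical, and rejecting periods that round down to 0 kHz is an extra check of this example that the commit message does not mention.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical stand-in for the mode description a framebuffer driver
 * receives through ioctl(). Every field is caller-controlled.
 * pixclock is the pixel period in picoseconds.
 */
struct mode_request {
    uint32_t xres;
    uint32_t yres;
    uint32_t pixclock;
};

/*
 * Period (ps) to frequency (kHz): 10^9 / period.
 * Only safe to call with a non-zero period; an integer division by
 * zero here is the "divide error" seen in the log above.
 */
static uint32_t picos_to_khz(uint32_t pixclock_ps)
{
    return 1000000000u / pixclock_ps;
}

/*
 * Validation step, run before any arithmetic on the request.
 * Returns 0 when the request is usable, -EINVAL otherwise.
 */
static int model_check_var(const struct mode_request *req)
{
    /* The check described in the commit message: reject a zero divisor. */
    if (req->pixclock == 0)
        return -EINVAL;

    /*
     * Extra check added in this example: a period above 10^9 ps rounds
     * to 0 kHz, which would become a zero divisor for any later
     * "something / frequency" computation.
     */
    if (picos_to_khz(req->pixclock) == 0)
        return -EINVAL;

    return 0;
}

/*
 * Mode-setting step. It refuses to touch the divisor until the
 * request has passed validation, so the division can never trap.
 */
static int model_set_mode(const struct mode_request *req, uint32_t *khz_out)
{
    int err = model_check_var(req);

    if (err)
        return err;

    *khz_out = picos_to_khz(req->pixclock);
    return 0;
}

int main(void)
{
    /* Constructed sample requests, not taken from the page. */
    const struct mode_request samples[] = {
        { 640, 480, 39721 },        /* ordinary 640x480 timing       */
        { 640, 480, 0 },            /* zero period: must be rejected */
        { 640, 480, 2000000000u },  /* rounds to 0 kHz: rejected     */
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t khz = 0;
        int err = model_set_mode(&samples[i], &khz);

        if (err)
            printf("pixclock=%u rejected (err %d)\n",
                   (unsigned)samples[i].pixclock, err);
        else
            printf("pixclock=%u accepted, %u kHz\n",
                   (unsigned)samples[i].pixclock, (unsigned)khz);
    }
    return 0;
}
```
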
ammarfaizi2 pushed a commit to ammarfaizi2/linux-fork that referenced this pull request Nov 21, 2021
borkmann added a commit to cilium/linux that referenced this pull request May 17, 2023
  ./test_progs -t tc_link
  [    1.409177] tsc: Refined TSC clocksource calibration: 3407.991 MHz
  [    1.411604] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcb8dbdf, max_idle_ns: 440795301826 ns
  [    1.415577] clocksource: Switched to clocksource tsc
  [    1.430401] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.432324] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  #220     tc_link_opts_after:OK
  #221     tc_link_opts_basic:OK
  #222     tc_link_opts_before:OK
  #223     tc_link_opts_both:OK
  #224     tc_link_opts_chain_classic:OK
  #225     tc_link_opts_first:OK
  #226     tc_link_opts_invalid:OK
  #227     tc_link_opts_last:OK
  #228     tc_link_opts_replace:OK
  #229     tc_link_opts_revision:OK
  Summary: 10/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <[email protected]>
borkmann added a commit to cilium/linux that referenced this pull request May 22, 2023
borkmann added a commit to cilium/linux that referenced this pull request May 24, 2023
borkmann added a commit to cilium/linux that referenced this pull request May 26, 2023
borkmann added a commit to cilium/linux that referenced this pull request May 30, 2023
borkmann added a commit to cilium/linux that referenced this pull request May 31, 2023
borkmann added a commit to cilium/linux that referenced this pull request Jun 1, 2023
borkmann added a commit to cilium/linux that referenced this pull request Jun 2, 2023
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 7, 2023
The following warning was reported when running "./test_progs -t
test_bpf_ma/percpu_free_through_map_free":

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 68 at kernel/bpf/memalloc.c:342
  CPU: 1 PID: 68 Comm: kworker/u16:2 Not tainted 6.6.0-rc2+ #222
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
  Workqueue: events_unbound bpf_map_free_deferred
  RIP: 0010:bpf_mem_refill+0x21c/0x2a0
  ......
  Call Trace:
   <IRQ>
   ? bpf_mem_refill+0x21c/0x2a0
   irq_work_single+0x27/0x70
   irq_work_run_list+0x2a/0x40
   irq_work_run+0x18/0x40
   __sysvec_irq_work+0x1c/0xc0
   sysvec_irq_work+0x73/0x90
   </IRQ>
   <TASK>
   asm_sysvec_irq_work+0x1b/0x20
  RIP: 0010:unit_free+0x50/0x80
   ......
   bpf_mem_free+0x46/0x60
   __bpf_obj_drop_impl+0x40/0x90
   bpf_obj_free_fields+0x17d/0x1a0
   array_map_free+0x6b/0x170
   bpf_map_free_deferred+0x54/0xa0
   process_scheduled_works+0xba/0x370
   worker_thread+0x16d/0x2e0
   kthread+0x105/0x140
   ret_from_fork+0x39/0x60
   ret_from_fork_asm+0x1b/0x30
   </TASK>
  ---[ end trace 0000000000000000 ]---

The reason is simple: __bpf_obj_drop_impl() does not know the field being
freed is a per-cpu pointer and it uses bpf_global_ma to free the
pointer. Because bpf_global_ma is not a per-cpu allocator, ksize() is
used to select the corresponding cache. The bpf_mem_cache with a 16-byte
unit_size will always be selected to do the unmatched free and it will
trigger the warning in free_bulk() eventually.

Because per-cpu kptr doesn't support list or rb-tree now, fix the
problem by only checking whether or not the type of kptr is per-cpu in
bpf_obj_free_fields(), and using bpf_global_percpu_ma for these kptrs.

Signed-off-by: Hou Tao <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 18, 2023
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 20, 2023
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 20, 2023
The following warning was reported when running "./test_progs -t
test_bpf_ma/percpu_free_through_map_free":

  ------------[ cut here ]------------
  WARNING: CPU: 1 PID: 68 at kernel/bpf/memalloc.c:342
  CPU: 1 PID: 68 Comm: kworker/u16:2 Not tainted 6.6.0-rc2+ #222
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
  Workqueue: events_unbound bpf_map_free_deferred
  RIP: 0010:bpf_mem_refill+0x21c/0x2a0
  ......
  Call Trace:
   <IRQ>
   ? bpf_mem_refill+0x21c/0x2a0
   irq_work_single+0x27/0x70
   irq_work_run_list+0x2a/0x40
   irq_work_run+0x18/0x40
   __sysvec_irq_work+0x1c/0xc0
   sysvec_irq_work+0x73/0x90
   </IRQ>
   <TASK>
   asm_sysvec_irq_work+0x1b/0x20
  RIP: 0010:unit_free+0x50/0x80
   ......
   bpf_mem_free+0x46/0x60
   __bpf_obj_drop_impl+0x40/0x90
   bpf_obj_free_fields+0x17d/0x1a0
   array_map_free+0x6b/0x170
   bpf_map_free_deferred+0x54/0xa0
   process_scheduled_works+0xba/0x370
   worker_thread+0x16d/0x2e0
   kthread+0x105/0x140
   ret_from_fork+0x39/0x60
   ret_from_fork_asm+0x1b/0x30
   </TASK>
  ---[ end trace 0000000000000000 ]---

The reason is simple: __bpf_obj_drop_impl() does not know the field being
freed is a per-cpu pointer and it uses bpf_global_ma to free the
pointer. Because bpf_global_ma is not a per-cpu allocator, ksize() is
used to select the corresponding cache. The bpf_mem_cache with a 16-byte
unit_size will always be selected to do the unmatched free and it will
trigger the warning in free_bulk() eventually.

Because per-cpu kptr doesn't support list or rb-tree now, fix the
problem by only checking whether or not the type of kptr is per-cpu in
bpf_obj_free_fields(), and using bpf_global_percpu_ma for these kptrs.

Signed-off-by: Hou Tao <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 20, 2023
RadxaStephen added a commit to RadxaStephen/linux that referenced this pull request Mar 6, 2024
Changes:
  * rockchip_linux_defconfig: Build rk808_rtc as a module

Signed-off-by: Stephen Chen <[email protected]>
MingcongBai pushed a commit to deepin-community/kernel-rolling that referenced this pull request Jun 28, 2024
As f837b44 introduces the Ethernet driver phytmac for D3000 (#222),
enable config CONFIG_PHYTMAC{,_PLATFORM,PCI}=m.
MingcongBai pushed a commit to deepin-community/kernel-rolling that referenced this pull request Jul 23, 2024
MingcongBai pushed a commit to deepin-community/kernel-rolling that referenced this pull request Aug 20, 2024