| Age | Commit message (Collapse) | Author |
|---|
|
commit 110080cea0d0e4dfdb0b536e7f8a5633ead6a781 upstream.
There are a couple potential integer overflows here.
round_up(m->size + (m->addr & ~PAGE_MASK), PAGE_SIZE);
The first thing is that the "m->size + (...)" addition could overflow,
and the second is that round_up() overflows to zero if the result is
within PAGE_SIZE of the type max.
In this code, the "m->size" variable is an u64 but we're saving the
result in "map_size" which is an unsigned long and genwqe_user_vmap()
takes an unsigned long as well. So I have used ULONG_MAX as the upper
bound. From a practical perspective unsigned long is fine/better than
trying to change all the types to u64.
Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.
The genweq_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another. It even embeds the
assumption that the the thread that opened the file will be in
existence when the process terminates. Neither of which are
guaranteed to be true.
Therefore replace caching the task_struct of the opener with
pid of the openers thread group id. All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.
Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
signal argument, update it's ownly caller, and use kill_pid
instead of force_sig.
The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV. The exact same processess
will be killed just with less work, and less confusion. The work done
by force_sig is really only needed for handling syncrhonous
exceptions.
It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible user after free is fixed.
Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Frank Haverkamp <haver@linux.vnet.ibm.com>
Cc: Joerg-Stephan Vogt <jsvogt@de.ibm.com>
Cc: Michael Jung <mijung@gmx.net>
Cc: Michael Ruettger <michael@ibmra.de>
Cc: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Cc: Sebastian Ott <sebott@linux.vnet.ibm.com>
Cc: Eberhard S. Amann <esa@linux.vnet.ibm.com>
Cc: Gabriel Krisman Bertazi <krisman@linux.vnet.ibm.com>
Cc: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
we received reports of failed allocations in genwqe code:
[ 733.550955] genwqe_gzip: page allocation failure: order:1, mode:0x20
[ 733.550964] CPU: 2 PID: 1846 Comm: genwqe_gzip Not tainted 4.3.0-rc3-00042-g3225031 #78
[ 733.550968] 000000002782b830 000000002782b8c0 0000000000000002 0000000000000000
000000002782b960 000000002782b8d8 000000002782b8d8 00000000001134a0
0000000000000000 0000000000892b2a 0000000000871d0a 000000000000000b
000000002782b920 000000002782b8c0 0000000000000000 0000000000000000
0000000000000000 00000000001134a0 000000002782b8c0 000000002782b920
[ 733.551003] Call Trace:
[ 733.551013] ([<0000000000113388>] show_trace+0xf8/0x158)
[ 733.551018] [<0000000000113452>] show_stack+0x6a/0xe8
[ 733.551024] [<00000000004611d4>] dump_stack+0x7c/0xd8
[ 733.551031] [<000000000024dc22>] warn_alloc_failed+0xda/0x150
[ 733.551036] [<000000000025268e>] __alloc_pages_nodemask+0x94e/0xbc0
[ 733.551041] [<000000000012bcd8>] s390_dma_alloc+0x70/0x1a0
[ 733.551054] [<000003ff804d8e8c>] __genwqe_alloc_consistent+0x84/0xd0 [genwqe_card]
[ 733.551063] [<000003ff804d90c2>] genwqe_alloc_sync_sgl+0x13a/0x328 [genwqe_card]
[ 733.551066] [<000003ff804d41a0>] do_execute_ddcb+0x1f8/0x388 [genwqe_card]
[ 733.551069] [<000003ff804d48c8>] genwqe_ioctl+0x598/0xd50 [genwqe_card]
[ 733.551072] [<00000000002cc90c>] do_vfs_ioctl+0x3f4/0x590
[ 733.551074] [<00000000002ccb46>] SyS_ioctl+0x9e/0xb0
[ 733.551078] [<00000000006c8166>] system_call+0xd6/0x258
[ 733.551080] [<000003fffd25819a>] 0x3fffd25819a
[ 733.551082] no locks held by genwqe_gzip/1846.
This specific allocation and some others in genwqe are unnecessary flagged
as atomic.
All of genwqe's atomic allocations happen in a context where it's allowed
to sleep. Change these to use GFP_KERNEL.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Acked-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
With two exceptions (drm/qxl and drm/radeon) all vm_operations_struct
structs should be constant.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
|
When the GenWQE hardware queue was busy, the driver returned simply
-EBUSY. This caused polling by applications which increased the load
on the already busy system. This change implements the possiblity to
sleep on a waitqueue instead when the DDCB queue is busy. The
requestor is woken up when there is free space on the queue again.
The old way to get -EBUSY is still available if the device is openend
with O_NONBLOCKING. The default is now blocking behavior.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The checkpatch.pl script got improved. I ran it on the latest GenWQE
sources and fixed what it complained about.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Updated email address of co-author.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Michael Jung <mijung@gmx.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
This patch implements the callbacks and functions necessary to have EEH
recovery support.
It adds a config option to enable or disable explicit calls to trigger
platform specific mechanisms on error recovery paths. This option is
enabled by default only on PPC64 systems and can be overritten via
debugfs. If this option is enabled, on the error recovery path the
driver will call pci_channel_offline() to check for error condition and
issue non-raw MMIO reads to trigger early EEH detection in case of
hardware failures. This is necessary since the driver MMIO helper
funtions use raw accessors.
Signed-off-by: Kleber Sacilotto de Souza <klebers@linux.vnet.ibm.com>
Acked-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
When being used in a multithreaded application there were problems
with memory pages/cachelines accessed by multiple threads/cpus at the
same time, while doing DMA transfers to/from those. To avoid such
situations this fix is creating a copy of the first and the last page
if it is not fully used. The data is copied from user-space into those
pages and results are copied back when the DDCB-request is
successfully finished.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
In addition to the two flash partitions we used so far, there is a 3rd
one which is enabled for usage by this fix.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fix a memory leak in the genwqe_pin_mem() error path as called by
ioctl GENWQE_PIN_MEM. In case there is an error encountered when
mapping memory, the already allocated dma_mapping struct needs to
be freed correctly.
Detected by Coverity: CID 1162606.
Signed-off-by: Christian Engelmayer <cengelma@gmx.at>
Acked-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
In case of error, the function device_create_with_groups()
returns ERR_PTR() and never returns NULL. The NULL test in
the return value check should be replaced with IS_ERR().
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
dma_addr_t was not used, where it should have been used.
Some format strings were not optimal.
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Instead of remaining bytes of a failing copy_to_user, the flash-update
ioctl is returning now -EFAULT. In addtion Dan discovered user triggerable
dev_errs(). Those I removed now from card_dev.c too. Some dev_infos()
were deleted and some others turned into dev_dbgs().
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
Fengguang Wu used CF=-D__CHECK_ENDIAN__ to check the GenWQE driver for
endian issues. Sparse found a couple of those. Most of them were caused
by not correctly handling __be64/32 and __u64/32. Those I was able to
fix with appropriate castings.
One more serious issue was the ATS entry in struct genwqe_ddcb_cmd.
The kernel expected it in big-endian, but the type was defined __u64.
I decided that it is better to keep the interface consistent using
host endian byte-odering instead of having a mixture. With this change
the kernel likes to see host endian byte order for the ATS entry. That
would have been an interface change, if someone would have used the
driver already. Since this is not the case, I hope it is ok to fix it
now.
For the genqwe_readq/writeq/readl/writel functions I enforced the casts.
It still complains, as far as I can see, about some copy_to/from_user()
usages:
CHECK char-misc/drivers/misc/genwqe/card_dev.c
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
CC [M] drivers/misc/genwqe/card_dev.o
CHECK char-misc/drivers/misc/genwqe/card_ddcb.c
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
char-misc/arch/x86/include/asm/uaccess.h:625:18: warning: incorrect type in argument 1 (different modifiers)
char-misc/arch/x86/include/asm/uaccess.h:625:18: expected void *<noident>
char-misc/arch/x86/include/asm/uaccess.h:625:18: got void const *from
CC [M] drivers/misc/genwqe/card_ddcb.o
LD [M] drivers/misc/genwqe/genwqe_card.o
I appreciate some help from you to figure out what is causig those, and
making a proposal how to fix them.
I included the missing header file to fix the
implicit-function-declaration warning when using dynamic_hex_dump.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
|
The GenWQE card itself provides access to a generic work queue into
which the work can be put, which should be executed, e.g. compression
or decompression request, or whatever the card was configured to do.
Each request comes with a set of input data (ASV) and will produce some
output data (ASIV). The request will also contain a sequence number,
some timestamps and a command code/subcode plus some fields for hardware-/
software-interaction.
A request can contain references to blocks of memory. Since the card
requires DMA-addresses of that memory, the driver provides two ways to
solve that task:
1) The drivers mmap() will allocate some DMAable memory for the user.
The driver has a lookup table such that the virtual userspace
address can properly be replaced and checked.
2) The user allocates memory and the driver will pin/unpin that
memory and setup a scatter gatherlist with matching DMA addresses.
Currently work requests are synchronous.
Signed-off-by: Frank Haverkamp <haver@linux.vnet.ibm.com>
Co-authors: Joerg-Stephan Vogt <jsvogt@de.ibm.com>,
Michael Jung <MIJUNG@de.ibm.com>,
Michael Ruettger <michael@ibmra.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
