CIP Developer update

Robert Marshall <robert.marshall@...>
 

As before we're including outstanding problems as gitlab
issues - read them for more information!

CIP

- build artifacts - we're still unable to retrieve these.
We have manually installed later versions of chef and worked
around issues with the validation.pem not being available, but
are still getting 404 errors.
https://gitlab.com/cip-project/testing/issues/2

- bson not installed error
https://gitlab.com/cip-project/testing/issues/3
still being investigated.

LAVA
LAVA2 tests now run, currently working around issues
with a DeviceDictionary error
https://gitlab.com/cip-project/testing/issues/5

Smoke test for QEMU created


Robert


Re: [PATCH 4.4-cip 0/6] Extend user-space ASLR range

Jan Kiszka
 

On 2016-12-09 13:20, Jan Kiszka wrote:
> On 2016-12-09 00:56, Ben Hutchings wrote:
>> This is a backport of changes in 4.5 to extend the range of Address
>> Space Layout Randomisation for user-space processes. When enabled, this
>> should make some user-space vulnerabilities harder to exploit, but it
>> can also cause some applications to fail if they currently use a large
>> proportion of the virtual address space.
>>
>> The default ASLR range remains the same, but it can be changed through
>> kernel config (CONFIG_ARCH_MMAP_RND_BITS) or at run-time through sysctl
>> (vm.mmap_rnd_bits). (For 32-bit compat tasks, the range is controlled
>> through CONFIG_ARCH_MMAP_RND_COMPAT_BITS and vm.mmap_rnd_compat_bits.)
>>
>> This includes support for arm, arm64 and x86 (32- and 64-bit). (arm64
>> is not currently supported by CIP, but it was easier to include it in
>> the backport than to leave it out.)
>>
>> For this and other backports, I'm looking for feedback like:
>> - Did I miss a follow-up fix or an earlier dependency?
>> - Does this cause a regression (other than as explained above)?
>> - Are you likely to use it?
>> - Are there related features you want in 4.4?
>>
>> Ben.
>>
>> Daniel Cashman (6):
>> mm: mmap: add new /proc tunable for mmap_base ASLR
>> arm: mm: support ARCH_MMAP_RND_BITS
>> arm64: mm: support ARCH_MMAP_RND_BITS
>> x86: mm: support ARCH_MMAP_RND_BITS
>> drivers: char: random: add get_random_long()
>> mm: ASLR: use get_random_long()
>>
>> Documentation/sysctl/vm.txt | 29 +++++++++++++++++
>> arch/Kconfig | 68 ++++++++++++++++++++++++++++++++++++++++
>> arch/arm/Kconfig | 9 ++++++
>> arch/arm/mm/mmap.c | 3 +-
>> arch/arm64/Kconfig | 29 +++++++++++++++++
>> arch/arm64/mm/mmap.c | 8 +++--
>> arch/mips/mm/mmap.c | 4 +--
>> arch/powerpc/kernel/process.c | 4 +--
>> arch/powerpc/mm/mmap.c | 4 +--
>> arch/sparc/kernel/sys_sparc_64.c | 2 +-
>> arch/x86/Kconfig | 16 ++++++++++
>> arch/x86/mm/mmap.c | 12 +++----
>> drivers/char/random.c | 22 +++++++++++++
>> fs/binfmt_elf.c | 2 +-
>> include/linux/mm.h | 11 +++++++
>> include/linux/random.h | 1 +
>> kernel/sysctl.c | 22 +++++++++++++
>> mm/mmap.c | 12 +++++++
>> 18 files changed, 240 insertions(+), 18 deletions(-)
> Did you try to discuss the back-port topic with the KSPP folks or other
> key persons involved in these patches? In the ideal case, the authors
> can be CC'ed, do not get annoyed by "these crazy people doing legacy
> stuff", and may even do some reviews.
I've chatted with Elena over this last week, and she talked to Kees who
pointed out that the Android people are also doing KSPP backports to 4.4
(thanks, folks!). I didn't check any details, just a heads-up to avoid
duplicate work.

Jan

--
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux


CIP Developer update

Robert Marshall <robert.marshall@...>
 

CIP developer update: we're including outstanding problems as gitlab
issues, and there's more information at the issue links.

CIP

- On retrieving build artifacts - we still have issues here. Is it
the VM? Have other cip-kernelci users seen this? We've tried manually
entering other likely sounding URLs but without success.
https://gitlab.com/cip-project/testing/issues/2
- GitHub branches have been created for the frontend repos to allow connections from the host
to the VM; with that fork, bson isn't installing for the
frontend - I am investigating.
https://gitlab.com/cip-project/testing/issues/3

LAVA
We have created a VM server for LAVA testing; we're trying to get LAVA2
tests to run - it currently doesn't see available devices.
https://gitlab.com/cip-project/testing/issues/4

There'll be a face 2 face discussion between the developers tomorrow to
address the current issues.

Robert


Update week 49

Agustin Benito Bethencourt <agustin.benito@...>
 

Hi,

this is an overview of what is happening at CIP. Feel free to answer this mail with your bits.

++ Meetings

* Members meeting on Mon Nov 28th
** The next f2f meeting will take place at ELC in Portland in February
** Testing effort status

++ Kernel Maintenance

* First backports to provide hardware support for Beaglebone Black sent to the list for comments and evaluation.

* CIP repository already mirrored in Gitlab.com: https://gitlab.com/cip-project/linux-cip/commits/linux-4.4.y-cip. Thanks Yoshi!

++ Testing

* Progress in the VM with kernelci
** Have browser on host able to view kernelci pages
** Some work (not yet complete) on getting this setup to happen on provisioning of the VM.
** Investigating issues with retrieving the build artifacts.
** Installing lava2 on the VM.

* Added a project in Gitlab.com to mirror the kernelci front end repository.

* Introduction to CIP testing effort published on the wiki: https://wiki.linuxfoundation.org/civilinfrastructureplatform/ciptesting

++ Other topics

* Robert Marshall, who is currently working on the kernelci VM, will be at FOSDEM, as will I.

++ Next Tasks

* In the coming days the CIP kernel will update from 4.4.30 to 4.4.37. Once we have testing in place it will make sense to test every release and update as soon as everything is OK from our side.

* Keep working on the kernelci VM

* Patches review/merge

Best Regards

--
Agustin Benito Bethencourt
Principal Consultant - FOSS at Codethink
agustin.benito@codethink.co.uk


Re: [PATCH 4.4-cip 0/6] Extend user-space ASLR range

Jan Kiszka
 

On 2016-12-09 00:56, Ben Hutchings wrote:
> This is a backport of changes in 4.5 to extend the range of Address
> Space Layout Randomisation for user-space processes. When enabled, this
> should make some user-space vulnerabilities harder to exploit, but it
> can also cause some applications to fail if they currently use a large
> proportion of the virtual address space.
>
> The default ASLR range remains the same, but it can be changed through
> kernel config (CONFIG_ARCH_MMAP_RND_BITS) or at run-time through sysctl
> (vm.mmap_rnd_bits). (For 32-bit compat tasks, the range is controlled
> through CONFIG_ARCH_MMAP_RND_COMPAT_BITS and vm.mmap_rnd_compat_bits.)
>
> This includes support for arm, arm64 and x86 (32- and 64-bit). (arm64
> is not currently supported by CIP, but it was easier to include it in
> the backport than to leave it out.)
>
> For this and other backports, I'm looking for feedback like:
> - Did I miss a follow-up fix or an earlier dependency?
> - Does this cause a regression (other than as explained above)?
> - Are you likely to use it?
> - Are there related features you want in 4.4?
>
> Ben.
>
> Daniel Cashman (6):
> mm: mmap: add new /proc tunable for mmap_base ASLR
> arm: mm: support ARCH_MMAP_RND_BITS
> arm64: mm: support ARCH_MMAP_RND_BITS
> x86: mm: support ARCH_MMAP_RND_BITS
> drivers: char: random: add get_random_long()
> mm: ASLR: use get_random_long()
>
> Documentation/sysctl/vm.txt | 29 +++++++++++++++++
> arch/Kconfig | 68 ++++++++++++++++++++++++++++++++++++++++
> arch/arm/Kconfig | 9 ++++++
> arch/arm/mm/mmap.c | 3 +-
> arch/arm64/Kconfig | 29 +++++++++++++++++
> arch/arm64/mm/mmap.c | 8 +++--
> arch/mips/mm/mmap.c | 4 +--
> arch/powerpc/kernel/process.c | 4 +--
> arch/powerpc/mm/mmap.c | 4 +--
> arch/sparc/kernel/sys_sparc_64.c | 2 +-
> arch/x86/Kconfig | 16 ++++++++++
> arch/x86/mm/mmap.c | 12 +++----
> drivers/char/random.c | 22 +++++++++++++
> fs/binfmt_elf.c | 2 +-
> include/linux/mm.h | 11 +++++++
> include/linux/random.h | 1 +
> kernel/sysctl.c | 22 +++++++++++++
> mm/mmap.c | 12 +++++++
> 18 files changed, 240 insertions(+), 18 deletions(-)
Did you try to discuss the back-port topic with the KSPP folks or other
key persons involved in these patches? In the ideal case, the authors
can be CC'ed, do not get annoyed by "these crazy people doing legacy
stuff", and may even do some reviews.

Jan

--
Siemens AG, Corporate Technology, CT RDA ITP SES-DE
Corporate Competence Center Embedded Linux


[PATCH 4.4-cip 23/23] mlx4: remove unused fields

Ben Hutchings <ben.hutchings@...>
 

From: David Decotigny <decot@googlers.com>

commit 5038056e6bd45788235e97e3bcfc43f96c52ca84 upstream.

This can also address the following UBSAN warnings:
[ 36.640343] ================================================================================
[ 36.648772] UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx4/fw.c:857:26
[ 36.656853] shift exponent 64 is too large for 32-bit type 'int'
[ 36.663348] ================================================================================
[ 36.671783] ================================================================================
[ 36.680213] UBSAN: Undefined behaviour in drivers/net/ethernet/mellanox/mlx4/fw.c:861:27
[ 36.688297] shift exponent 35 is too large for 32-bit type 'int'
[ 36.694702] ================================================================================

Tested:
reboot with UBSAN, no warning.

Signed-off-by: David Decotigny <decot@googlers.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/net/ethernet/mellanox/mlx4/fw.c | 4 ----
drivers/net/ethernet/mellanox/mlx4/fw.h | 2 --
2 files changed, 6 deletions(-)

diff --git a/drivers/net/ethernet/mellanox/mlx4/fw.c b/drivers/net/ethernet/mellanox/mlx4/fw.c
index 90db94e83fde..ebff502db8ff 100644
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.c
@@ -760,12 +760,8 @@ int mlx4_QUERY_DEV_CAP(struct mlx4_dev *dev, struct mlx4_dev_cap *dev_cap)
dev_cap->max_eqs = 1 << (field & 0xf);
MLX4_GET(field, outbox, QUERY_DEV_CAP_RSVD_MTT_OFFSET);
dev_cap->reserved_mtts = 1 << (field >> 4);
- MLX4_GET(field, outbox, QUERY_DEV_CAP_MAX_MRW_SZ_OFFSET);
- dev_cap->max_mrw_sz = 1 << field;
MLX4_GET(field, outbox, QUERY_DEV_CAP_RSVD_MRW_OFFSET);
dev_cap->reserved_mrws = 1 << (field & 0xf);
- MLX4_GET(field, outbox, QUERY_DEV_CAP_MAX_MTT_SEG_OFFSET);
- dev_cap->max_mtt_seg = 1 << (field & 0x3f);
MLX4_GET(size, outbox, QUERY_DEV_CAP_NUM_SYS_EQ_OFFSET);
dev_cap->num_sys_eqs = size & 0xfff;
MLX4_GET(field, outbox, QUERY_DEV_CAP_MAX_REQ_QP_OFFSET);
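Review bot: the two deleted assignments are the sources of the quoted reports: `field` comes straight from the firmware mailbox via MLX4_GET(), and the reported exponents (64 at fw.c:857, 35 at fw.c:861) show it can exceed 31, so `1 << field` and `1 << (field & 0x3f)` shift a 32-bit `int` out of range. The neighbouring `1 << (field & 0xf)` and `1 << (field >> 4)` lines stay bounded to at most 15 and are fine. Removing the fields instead of widening the shift is consistent with the diffstat touching only fw.c and fw.h, but the 4.4-cip backport should be build-tested with this driver enabled to confirm nothing else in that tree still reads max_mrw_sz or max_mtt_seg.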
diff --git a/drivers/net/ethernet/mellanox/mlx4/fw.h b/drivers/net/ethernet/mellanox/mlx4/fw.h
index 08de5555c2f4..711af4e506f3 100644
--- a/drivers/net/ethernet/mellanox/mlx4/fw.h
+++ b/drivers/net/ethernet/mellanox/mlx4/fw.h
@@ -78,9 +78,7 @@ struct mlx4_dev_cap {
int max_eqs;
int num_sys_eqs;
int reserved_mtts;
- int max_mrw_sz;
int reserved_mrws;
- int max_mtt_seg;
int max_requester_per_qp;
int max_responder_per_qp;
int max_rdma_global;
--
2.10.2


--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 22/23] net: get rid of an signed integer overflow in ip_idents_reserve()

Ben Hutchings <ben.hutchings@...>
 

From: Eric Dumazet <edumazet@google.com>

commit adb03115f4590baa280ddc440a8eff08a6be0cb7 upstream.

Jiri Pirko reported a UBSAN warning happening in ip_idents_reserve()

[] UBSAN: Undefined behaviour in ./arch/x86/include/asm/atomic.h:156:11
[] signed integer overflow:
[] -2117905507 + -695755206 cannot be represented in type 'int'

Since we do not have uatomic_add_return() yet, use atomic_cmpxchg()
so that the arithmetic can be done using unsigned int.

Fixes: 04ca6973f7c1 ("ip: make IP identifiers less predictable")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
net/ipv4/route.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index b050cf980a57..a0270af75fa5 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -476,12 +476,18 @@ u32 ip_idents_reserve(u32 hash, int segs)
atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
u32 old = ACCESS_ONCE(*p_tstamp);
u32 now = (u32)jiffies;
- u32 delta = 0;
+ u32 new, delta = 0;

if (old != now && cmpxchg(p_tstamp, old, now) == old)
delta = prandom_u32_max(now - old);

- return atomic_add_return(segs + delta, p_id) - segs;
+ /* Do not use atomic_add_return() as it makes UBSAN unhappy */
+ do {
+ old = (u32)atomic_read(p_id);
+ new = old + delta + segs;
+ } while (atomic_cmpxchg(p_id, old, new) != old);
+
+ return new - segs;
}
EXPORT_SYMBOL(ip_idents_reserve);

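Review bot: the loop preserves the old contract: it returns `new - segs`, i.e. the previous counter plus `delta`, which is exactly what `atomic_add_return(segs + delta, p_id) - segs` returned, while the addition now happens in `u32` where wraparound is defined. On the `new = old + delta + segs;` line `segs` is still an `int` mixed into unsigned arithmetic; that is well defined because `old` is `u32`, but an explicit `(u32)segs` would make the intent visible to the next reader. Under contention the cmpxchg loop retries where the single atomic add did not, so this path can now spin; for a per-bucket IP-ID counter that is acceptable, but a sentence in the commit message would save the question in review.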
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 21/23] xfs: fix signed integer overflow

Ben Hutchings <ben.hutchings@...>
 

From: Xie XiuQi <xiexiuqi@huawei.com>

commit 79c350e45ebc5a718cc2d7114b45ad560069423d upstream.

Use 1U for unsigned int to avoid an overflow warning from UBSAN.

[ 31.910858] UBSAN: Undefined behaviour in fs/xfs/xfs_buf_item.c:889:25
[ 31.911252] signed integer overflow:
[ 31.911478] -2147483648 - 1 cannot be represented in type 'int'
[ 31.911846] CPU: 1 PID: 1011 Comm: tuned Tainted: G B ---- ------- 3.10.0-327.28.3.el7.x86_64 #1
[ 31.911857] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[ 31.911913] Call Trace:
[ 31.911932] [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[ 31.911947] [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[ 31.911964] [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
[ 31.912083] [<ffffffff81ee4798>] __ubsan_handle_sub_overflow+0x2a/0x31
[ 31.912204] [<ffffffffa08676fb>] xfs_buf_item_log+0x34b/0x3f0 [xfs]
[ 31.912314] [<ffffffffa0880490>] xfs_trans_log_buf+0x120/0x260 [xfs]
[ 31.912402] [<ffffffffa079a890>] xfs_btree_log_recs+0x80/0xc0 [xfs]
[ 31.912490] [<ffffffffa07a29f8>] xfs_btree_delrec+0x11a8/0x2d50 [xfs]
[ 31.913589] [<ffffffffa07a86f9>] xfs_btree_delete+0xc9/0x260 [xfs]
[ 31.913762] [<ffffffffa075b5cf>] xfs_free_ag_extent+0x63f/0xe20 [xfs]
[ 31.914339] [<ffffffffa075ec0f>] xfs_free_extent+0x2af/0x3e0 [xfs]
[ 31.914641] [<ffffffffa0801b2b>] xfs_bmap_finish+0x32b/0x4b0 [xfs]
[ 31.914841] [<ffffffffa083c2e7>] xfs_itruncate_extents+0x3b7/0x740 [xfs]
[ 31.915216] [<ffffffffa08342fa>] xfs_setattr_size+0x60a/0x860 [xfs]
[ 31.915471] [<ffffffffa08345ea>] xfs_vn_setattr+0x9a/0xe0 [xfs]
[ 31.915590] [<ffffffff8149ad38>] notify_change+0x5c8/0x8a0
[ 31.915607] [<ffffffff81450f22>] do_truncate+0x122/0x1d0
[ 31.915640] [<ffffffff8147beee>] do_last+0x15de/0x2c80
[ 31.915707] [<ffffffff8147d777>] path_openat+0x1e7/0xcc0
[ 31.915802] [<ffffffff81480824>] do_filp_open+0xa4/0x160
[ 31.915848] [<ffffffff81453127>] do_sys_open+0x1b7/0x3f0
[ 31.915879] [<ffffffff81453392>] SyS_open+0x32/0x40
[ 31.915897] [<ffffffff81f08989>] system_call_fastpath+0x16/0x1b

[ 240.086809] UBSAN: Undefined behaviour in fs/xfs/xfs_buf_item.c:866:34
[ 240.086820] signed integer overflow:
[ 240.086830] -2147483648 - 1 cannot be represented in type 'int'
[ 240.086846] CPU: 1 PID: 12969 Comm: rm Tainted: G B ---- ------- 3.10.0-327.28.3.el7.x86_64 #1
[ 240.086857] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[ 240.086915] Call Trace:
[ 240.086938] [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[ 240.086953] [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[ 240.086971] [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
...

Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
fs/xfs/xfs_buf_item.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c
index 7e986da34f6c..04b1d96e49c1 100644
--- a/fs/xfs/xfs_buf_item.c
+++ b/fs/xfs/xfs_buf_item.c
@@ -865,7 +865,7 @@ xfs_buf_item_log_segment(
*/
if (bit) {
end_bit = MIN(bit + bits_to_set, (uint)NBWORD);
- mask = ((1 << (end_bit - bit)) - 1) << bit;
+ mask = ((1U << (end_bit - bit)) - 1) << bit;
*wordp |= mask;
wordp++;
bits_set = end_bit - bit;
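Review bot: in this hunk `bit` is non-zero (enclosing `if (bit)`) and `end_bit` is capped at `(uint)NBWORD`, so `end_bit - bit` is strictly less than NBWORD; with a signed 1 the largest case, `1 << 31`, yields INT_MIN and the following `- 1` is the reported signed overflow. `1U` makes both the shift and the subtraction defined as long as NBWORD is at most 32, which holds for the `unsigned int` words this code masks. The result is then shifted left by `bit` again; that is only well defined because the value is now unsigned, so it is worth confirming that `mask` itself is declared `uint` rather than `int`, which this hunk does not show.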
@@ -888,7 +888,7 @@ xfs_buf_item_log_segment(
*/
end_bit = bits_to_set - bits_set;
if (end_bit) {
- mask = (1 << end_bit) - 1;
+ mask = (1U << end_bit) - 1;
*wordp |= mask;
}
}
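Review bot: the second hunk only changes the signedness of the constant; `end_bit = bits_to_set - bits_set` must still be strictly less than 32 for `1U << end_bit` to be defined, and nothing in the diff shows what bounds it. If this is the trailing partial word after whole words have been handled, the bound holds, but a comment or an `ASSERT()` stating `end_bit < NBWORD` would document it and keep UBSAN's shift-out-of-bounds checker quiet for good.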
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 20/23] drm: fix signed integer overflow

Ben Hutchings <ben.hutchings@...>
 

From: Xie XiuQi <xiexiuqi@huawei.com>

commit ae0119f5f73b1e9cf7177fbbeea68d74c5751def upstream.

Use 1UL for unsigned long, or we'll meet an overflow issue with UBSAN.

[ 15.589489] UBSAN: Undefined behaviour in drivers/gpu/drm/drm_hashtab.c:145:35
[ 15.589500] signed integer overflow:
[ 15.589999] -2147483648 - 1 cannot be represented in type 'int'
[ 15.590434] CPU: 2 PID: 294 Comm: plymouthd Not tainted 3.10.0-327.28.3.el7.x86_64 #1
[ 15.590653] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 01/07/2011
[ 15.591059] Call Trace:
[ 15.591078] [<ffffffff81ee3140>] dump_stack+0x1e/0x20
[ 15.591093] [<ffffffff81ee31fd>] ubsan_epilogue+0x12/0x55
[ 15.591109] [<ffffffff81ee46e2>] handle_overflow+0x1ba/0x215
[ 15.591126] [<ffffffff81ee4528>] ? __ubsan_handle_negate_overflow+0x162/0x162
[ 15.591146] [<ffffffff8103416c>] ? print_context_stack+0x9c/0x160
[ 15.591163] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591181] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591197] [<ffffffff81ee4798>] __ubsan_handle_sub_overflow+0x2a/0x31
[ 15.591261] [<ffffffffa0282140>] drm_ht_just_insert_please+0x1e0/0x200 [drm]
[ 15.591290] [<ffffffffa0528c7a>] ttm_base_object_init+0x10a/0x270 [ttm]
[ 15.591316] [<ffffffffa052a34c>] ttm_vt_lock+0x28c/0x3a0 [ttm]
[ 15.591343] [<ffffffffa052a0c0>] ? ttm_write_lock+0x180/0x180 [ttm]
[ 15.591362] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591379] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591396] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591413] [<ffffffff81419526>] ? kasan_unpoison_shadow+0x36/0x50
[ 15.591442] [<ffffffffa061cbe1>] vmw_master_set+0x121/0x470 [vmwgfx]
[ 15.591459] [<ffffffff811773a5>] ? __init_waitqueue_head+0x45/0x70
[ 15.591487] [<ffffffffa061cac0>] ? vmw_master_drop+0x310/0x310 [vmwgfx]
[ 15.591535] [<ffffffffa026946a>] drm_open+0x92a/0xc00 [drm]
[ 15.591563] [<ffffffffa0619ff0>] ? vmw_driver_open+0x170/0x170 [vmwgfx]
[ 15.591610] [<ffffffffa0268b40>] ? drm_poll+0xe0/0xe0 [drm]
[ 15.591661] [<ffffffffa02797b4>] drm_stub_open+0x224/0x330 [drm]
[ 15.591711] [<ffffffffa0279590>] ? drm_minor_acquire+0x240/0x240 [drm]
[ 15.591727] [<ffffffff8145fa8a>] chrdev_open+0x1fa/0x3f0
[ 15.591742] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591761] [<ffffffff814f6dc3>] ? __fsnotify_parent+0x53/0x210
[ 15.591778] [<ffffffff8144fde1>] do_dentry_open+0x351/0x670
[ 15.591792] [<ffffffff8145f890>] ? cdev_put+0x50/0x50
[ 15.591807] [<ffffffff814503c2>] vfs_open+0xa2/0x170
[ 15.591824] [<ffffffff8147b5df>] do_last+0xccf/0x2c80
[ 15.591842] [<ffffffff8147a910>] ? filename_create+0x320/0x320
[ 15.591858] [<ffffffff81472549>] ? path_init+0x1b9/0xa90
[ 15.591875] [<ffffffff81472390>] ? mountpoint_last+0x9a0/0x9a0
[ 15.591894] [<ffffffff815f9ccf>] ? selinux_file_alloc_security+0xcf/0x130
[ 15.591911] [<ffffffff8147d777>] path_openat+0x1e7/0xcc0
[ 15.591927] [<ffffffff81031df2>] ? dump_trace+0x252/0x750
[ 15.591943] [<ffffffff8147d590>] ? do_last+0x2c80/0x2c80
[ 15.591959] [<ffffffff81739023>] ? __list_add+0x93/0x160
[ 15.591974] [<ffffffff8104b48d>] ? save_stack_trace+0x7d/0xb0
[ 15.591989] [<ffffffff81480824>] do_filp_open+0xa4/0x160
[ 15.592004] [<ffffffff81480780>] ? user_path_mountpoint_at+0x50/0x50
[ 15.592022] [<ffffffff8149d755>] ? __alloc_fd+0x175/0x300
[ 15.592039] [<ffffffff81453127>] do_sys_open+0x1b7/0x3f0
[ 15.592054] [<ffffffff81452f70>] ? filp_open+0x80/0x80
[ 15.592070] [<ffffffff81453392>] SyS_open+0x32/0x40
[ 15.592088] [<ffffffff81f08989>] system_call_fastpath+0x16/0x1b

Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
[seanpaul tweaked subject to remove "gpu/"]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1473152138-25335-1-git-send-email-xiexiuqi@huawei.com
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/gpu/drm/drm_hashtab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_hashtab.c b/drivers/gpu/drm/drm_hashtab.c
index c3b80fd65d62..fbbd9f0c2eef 100644
--- a/drivers/gpu/drm/drm_hashtab.c
+++ b/drivers/gpu/drm/drm_hashtab.c
@@ -142,7 +142,7 @@ int drm_ht_just_insert_please(struct drm_open_hash *ht, struct drm_hash_item *it
unsigned long add)
{
int ret;
- unsigned long mask = (1 << bits) - 1;
+ unsigned long mask = (1UL << bits) - 1;
unsigned long first, unshifted_key;

unshifted_key = hash_long(seed, bits);
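Review bot: `mask` is `unsigned long`, so the old expression computed `(1 << bits) - 1` in `int` and only then widened it: for `bits` == 31 the intermediate `1 << 31` is INT_MIN and the `- 1` is the reported signed overflow, and for `bits` >= 32 the shift itself is undefined, so on 64-bit hosts the mask was simply wrong rather than merely noisy. `1UL` fixes both, but `bits` == BITS_PER_LONG remains undefined, and `bits` is supplied by the caller; either document that `bits` < BITS_PER_LONG is a precondition or reject larger values up front.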
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 19/23] pwm: samsung: Fix to use lowest div for large enough modulation bits

Ben Hutchings <ben.hutchings@...>
 

From: Seung-Woo Kim <sw0312.kim@samsung.com>

commit 04d68dea26b0a409d44e87ea573a131b6dc67e78 upstream.

In pwm_samsung_calc_tin(), there is a routine to find the lowest divider
that can generate a lower frequency than the requested one. But it is
always possible to generate the requested frequency with large enough
modulation bits except on s3c24xx, so this patch uses the lowest div
in that case. This patch removes the following UBSAN warning:

UBSAN: Undefined behaviour in drivers/pwm/pwm-samsung.c:197:13
shift exponent 32 is too large for 32-bit type 'long unsigned int'
[...]
[<c0670248>] (ubsan_epilogue) from [<c06707b4>] (__ubsan_handle_shift_out_of_bounds+0xd8/0x120)
[<c06707b4>] (__ubsan_handle_shift_out_of_bounds) from [<c0694b28>] (pwm_samsung_config+0x508/0x6a4)
[<c0694b28>] (pwm_samsung_config) from [<c069286c>] (pwm_apply_state+0x174/0x40c)
[<c069286c>] (pwm_apply_state) from [<c0b2e070>] (pwm_fan_probe+0xc8/0x488)
[<c0b2e070>] (pwm_fan_probe) from [<c07ba8b0>] (platform_drv_probe+0x70/0x150)
[...]

Cc: Tomasz Figa <tomasz.figa@gmail.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/pwm/pwm-samsung.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/pwm/pwm-samsung.c b/drivers/pwm/pwm-samsung.c
index ada2d326dc3e..f113cda47032 100644
--- a/drivers/pwm/pwm-samsung.c
+++ b/drivers/pwm/pwm-samsung.c
@@ -193,9 +193,18 @@ static unsigned long pwm_samsung_calc_tin(struct samsung_pwm_chip *chip,
* divider settings and choose the lowest divisor that can generate
* frequencies lower than requested.
*/
- for (div = variant->div_base; div < 4; ++div)
- if ((rate >> (variant->bits + div)) < freq)
- break;
+ if (variant->bits < 32) {
+ /* Only for s3c24xx */
+ for (div = variant->div_base; div < 4; ++div)
+ if ((rate >> (variant->bits + div)) < freq)
+ break;
+ } else {
+ /*
+ * Other variants have enough counter bits to generate any
+ * requested rate, so no need to check higher divisors.
+ */
+ div = variant->div_base;
+ }

pwm_samsung_set_divisor(chip, chan, BIT(div));

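Review bot: the guard `variant->bits < 32` really encodes "bits + div never reaches the width of `rate`" (`div` goes up to 3 in the loop), so the actual invariant is `variant->bits + 3 < BITS_PER_LONG`; writing it that way, or against `8 * sizeof(rate)`, would state what is being protected instead of a magic 32 and still hold for s3c24xx, which the new comment says is the only narrow-counter variant. Separately, for that variant the loop can still exit with `div == 4` when no divisor brings the frequency below `freq`, after which `BIT(div)` is passed to pwm_samsung_set_divisor(); that is pre-existing behaviour, but worth a note since this hunk is the last place the value is computed.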
--
2.10.2


--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 18/23] time: Avoid undefined behaviour in ktime_add_safe()

Ben Hutchings <ben.hutchings@...>
 

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 979515c5645830465739254abc1b1648ada41518 upstream.

I ran into this:

================================================================================
UBSAN: Undefined behaviour in kernel/time/hrtimer.c:310:16
signed integer overflow:
9223372036854775807 + 50000 cannot be represented in type 'long long int'
CPU: 2 PID: 4798 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #91
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Call Trace:
[<ffffffff82344740>] dump_stack+0xac/0xfc
[<ffffffff82344694>] ? _atomic_dec_and_lock+0xc4/0xc4
[<ffffffff8242df78>] ubsan_epilogue+0xd/0x8a
[<ffffffff8242e6b4>] handle_overflow+0x202/0x23d
[<ffffffff8242e4b2>] ? val_to_string.constprop.6+0x11e/0x11e
[<ffffffff8236df71>] ? timerqueue_add+0x151/0x410
[<ffffffff81485c48>] ? hrtimer_start_range_ns+0x3b8/0x1380
[<ffffffff81795631>] ? memset+0x31/0x40
[<ffffffff8242e6fd>] __ubsan_handle_add_overflow+0xe/0x10
[<ffffffff81488ac9>] hrtimer_nanosleep+0x5d9/0x790
[<ffffffff814884f0>] ? hrtimer_init_sleeper+0x80/0x80
[<ffffffff813a9ffb>] ? __might_sleep+0x5b/0x260
[<ffffffff8148be10>] common_nsleep+0x20/0x30
[<ffffffff814906c7>] SyS_clock_nanosleep+0x197/0x210
[<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
[<ffffffff823c7113>] ? __this_cpu_preempt_check+0x13/0x20
[<ffffffff8162ef60>] ? __context_tracking_exit.part.3+0x30/0x1b0
[<ffffffff81490530>] ? SyS_clock_getres+0x150/0x150
[<ffffffff81007bd3>] do_syscall_64+0x1b3/0x4b0
[<ffffffff845f85aa>] entry_SYSCALL64_slow_path+0x25/0x25
================================================================================

Add a new ktime_add_unsafe() helper which doesn't check for overflow, but
doesn't throw a UBSAN warning when it does overflow either.

Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Richard Cochran <richardcochran@gmail.com>
Cc: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
include/linux/ktime.h | 7 +++++++
kernel/time/hrtimer.c | 2 +-
2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/include/linux/ktime.h b/include/linux/ktime.h
index 2b6a204bd8d4..3ffc69ebe967 100644
--- a/include/linux/ktime.h
+++ b/include/linux/ktime.h
@@ -64,6 +64,13 @@ static inline ktime_t ktime_set(const s64 secs, const unsigned long nsecs)
({ (ktime_t){ .tv64 = (lhs).tv64 + (rhs).tv64 }; })

/*
+ * Same as ktime_add(), but avoids undefined behaviour on overflow; however,
+ * this means that you must check the result for overflow yourself.
+ */
+#define ktime_add_unsafe(lhs, rhs) \
+ ({ (ktime_t){ .tv64 = (u64) (lhs).tv64 + (rhs).tv64 }; })
+
+/*
* Add a ktime_t variable and a scalar nanosecond value.
* res = kt + nsval:
*/
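Review bot: only `(lhs).tv64` is cast to `u64`; `(rhs).tv64` is promoted by the usual arithmetic conversions, so the whole addition is unsigned and a wrap is defined, and the sum is converted back to the `s64` member on assignment, which is implementation-defined (two's complement on the compilers the kernel supports) rather than undefined. That is the intended effect, but casting both operands would read as deliberate rather than accidental. The "unsafe" name plus the comment is good; stating that ktime_add_safe() is the intended caller would discourage use elsewhere.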
diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c
index 17f7bcff1e02..1dc94768b5a3 100644
--- a/kernel/time/hrtimer.c
+++ b/kernel/time/hrtimer.c
@@ -312,7 +312,7 @@ EXPORT_SYMBOL_GPL(__ktime_divns);
*/
ktime_t ktime_add_safe(const ktime_t lhs, const ktime_t rhs)
{
- ktime_t res = ktime_add(lhs, rhs);
+ ktime_t res = ktime_add_unsafe(lhs, rhs);

/*
* We use KTIME_SEC_MAX here, the maximum timeout which we can
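Review bot: this is the part that matters for a stable tree, not just for UBSAN. The clamp that follows (the KTIME_SEC_MAX comment) detects overflow after the fact by inspecting `res`, and with a signed `ktime_add()` the compiler was entitled to assume the addition cannot overflow and drop that detection as dead code, turning an overflowing timeout into a wrapped negative value. Doing the add on the unsigned representation makes the subsequent check meaningful; the commit message could say so, since "avoid undefined behaviour" undersells the change.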
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.
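The two "do the arithmetic unsigned" fixes above, ktime_add_safe() and ip_idents_reserve(), as standalone C functions (an added example, not code from either patch). KTIME_MAX as the saturation value, the `delta` parameter in place of prandom_u32_max() and the `reserve_from()` wrapper are assumptions made so the code runs and is deterministic outside the kernel.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdint.h>

/* Saturation value for the example; hrtimer.c clamps to KTIME_SEC_MAX
 * seconds instead, a kernel constant this standalone code does not use. */
#define KTIME_MAX INT64_MAX

/* ktime_add_unsafe(): the sum is formed on the unsigned representation, so
 * a wrap is defined behaviour; converting back to int64_t is
 * implementation-defined (two's complement on every compiler the kernel
 * supports), not undefined. The caller must still check the result. */
int64_t ktime_add_unsafe(int64_t lhs, int64_t rhs)
{
	return (int64_t)((uint64_t)lhs + (uint64_t)rhs);
}

/* ktime_add_safe(): for non-negative operands a wrapped sum is negative or
 * smaller than an operand, so this check catches it. With a plain signed
 * add the compiler may assume no overflow happened and delete exactly this
 * comparison; that is why the unsigned helper matters beyond UBSAN. */
int64_t ktime_add_safe(int64_t lhs, int64_t rhs)
{
	int64_t res = ktime_add_unsafe(lhs, rhs);

	if (res < 0 || res < lhs || res < rhs)
		res = KTIME_MAX;
	return res;
}

/* ip_idents_reserve() core: hand out `segs` consecutive IP IDs from a
 * 32-bit counter after skipping a random `delta`. The kernel's
 * atomic_add_return() works on a signed int and wraps, which UBSAN flags;
 * a compare-and-swap loop over the unsigned value returns the same first
 * ID with defined wraparound. `delta` is a parameter here instead of
 * prandom_u32_max() so the function is deterministic (assumption). */
uint32_t ip_idents_reserve(atomic_uint *p_id, uint32_t delta, int segs)
{
	unsigned int old, new_id;

	do {
		old = atomic_load(p_id);
		new_id = old + delta + (uint32_t)segs;
	} while (!atomic_compare_exchange_weak(p_id, &old, new_id));

	return new_id - (uint32_t)segs;	/* first ID of the reserved run */
}

/* Test wrapper (assumption, not kernel code): reserve from a counter that
 * starts at `start`, returning the first ID and, if `after` is non-NULL,
 * the counter value left behind. */
uint32_t reserve_from(uint32_t start, uint32_t delta, int segs,
		      uint32_t *after)
{
	atomic_uint id;
	uint32_t first;

	atomic_init(&id, start);
	first = ip_idents_reserve(&id, delta, segs);
	if (after)
		*after = atomic_load(&id);
	return first;
}
```

Compile with `-fsanitize=undefined` and no warning is emitted for any of these paths, whereas a signed `lhs + rhs` in ktime_add_safe() with INT64_MAX as input reports the same "cannot be represented in type 'long long int'" as the quoted trace.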


[PATCH 4.4-cip 17/23] rhashtable: fix shift by 64 when shrinking

Ben Hutchings <ben.hutchings@...>
 

From: Vegard Nossum <vegard.nossum@oracle.com>

commit 12311959ecf8a3a64676c01b62ce67a0c5f0fd49 upstream.

I got this:

================================================================================
UBSAN: Undefined behaviour in ./include/linux/log2.h:63:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 721 Comm: kworker/1:1 Not tainted 4.8.0-rc1+ #87
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
Workqueue: events rht_deferred_worker
Call Trace:
[<ffffffff82344f50>] dump_stack+0xac/0xfc
[<ffffffff82344ea4>] ? _atomic_dec_and_lock+0xc4/0xc4
[<ffffffff8242f5b8>] ubsan_epilogue+0xd/0x8a
[<ffffffff82430c41>] __ubsan_handle_shift_out_of_bounds+0x255/0x29a
[<ffffffff824309ec>] ? __ubsan_handle_out_of_bounds+0x180/0x180
[<ffffffff84003436>] ? nl80211_req_set_reg+0x256/0x2f0
[<ffffffff812112ba>] ? print_context_stack+0x8a/0x160
[<ffffffff81200031>] ? amd_pmu_reset+0x341/0x380
[<ffffffff823af808>] rht_deferred_worker+0x1618/0x1790
[<ffffffff823af808>] ? rht_deferred_worker+0x1618/0x1790
[<ffffffff823ae1f0>] ? rhashtable_jhash2+0x370/0x370
[<ffffffff8134c12d>] ? process_one_work+0x6fd/0x1970
[<ffffffff8134c1cf>] process_one_work+0x79f/0x1970
[<ffffffff8134c12d>] ? process_one_work+0x6fd/0x1970
[<ffffffff8134ba30>] ? try_to_grab_pending+0x4c0/0x4c0
[<ffffffff8134d564>] ? worker_thread+0x1c4/0x1340
[<ffffffff8134d8ff>] worker_thread+0x55f/0x1340
[<ffffffff845e904f>] ? __schedule+0x4df/0x1d40
[<ffffffff8134d3a0>] ? process_one_work+0x1970/0x1970
[<ffffffff8134d3a0>] ? process_one_work+0x1970/0x1970
[<ffffffff813642f7>] kthread+0x237/0x390
[<ffffffff813640c0>] ? __kthread_parkme+0x280/0x280
[<ffffffff845f8c93>] ? _raw_spin_unlock_irq+0x33/0x50
[<ffffffff845f95df>] ret_from_fork+0x1f/0x40
[<ffffffff813640c0>] ? __kthread_parkme+0x280/0x280
================================================================================

roundup_pow_of_two() is undefined when called with an argument of 0, so
let's avoid the call and just fall back to ht->p.min_size (which should
never be smaller than HASH_MIN_SIZE).

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
lib/rhashtable.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/rhashtable.c b/lib/rhashtable.c
index 51282f579760..d7f5b4d035ff 100644
--- a/lib/rhashtable.c
+++ b/lib/rhashtable.c
@@ -324,12 +324,14 @@ static int rhashtable_expand(struct rhashtable *ht)
static int rhashtable_shrink(struct rhashtable *ht)
{
struct bucket_table *new_tbl, *old_tbl = rht_dereference(ht->tbl, ht);
- unsigned int size;
+ unsigned int nelems = atomic_read(&ht->nelems);
+ unsigned int size = 0;
int err;

ASSERT_RHT_MUTEX(ht);

- size = roundup_pow_of_two(atomic_read(&ht->nelems) * 3 / 2);
+ if (nelems)
+ size = roundup_pow_of_two(nelems * 3 / 2);
if (size < ht->p.min_size)
size = ht->p.min_size;

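Review bot: the guard fixes the reported case, since `roundup_pow_of_two(0)` is what shifts by 64, and initialising `size = 0` lets the existing `min_size` fallback handle the empty table. One remaining edge: `nelems * 3 / 2` is computed in `unsigned int`, so for a table above roughly 1.4 billion entries it wraps (defined, but the resulting size is wrong) before the roundup; not reachable in practice, but a comment stating the assumed bound would make that explicit. Reading `ht->nelems` once into a local is an improvement in its own right, since the size decision is now based on a single consistent value.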
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.
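The shift patterns repaired by the xfs, drm, pwm-samsung, rhashtable and mlx4 patches above, written as small standalone helpers that a UBSAN build accepts (an added example, not code from any of the patches). The function names are my own; `lowest_divisor()` generalises the pwm-samsung guard to the exact shift bound rather than the driver's `bits < 32`, and `roundup_pow_of_two_checked()` returns 0 for inputs the kernel helper cannot handle.

```c
#include <limits.h>
#include <stdint.h>

#define BITS_PER_LONG ((unsigned int)(sizeof(unsigned long) * CHAR_BIT))

/*
 * Mask of the low `bits` bits of an unsigned long, the drm_hashtab.c
 * expression. The fix above changes `1 << bits` to `1UL << bits`, which
 * is still undefined for bits == BITS_PER_LONG (the rhashtable report above
 * is a shift by exactly 64), so that edge is handled explicitly here.
 */
unsigned long low_mask(unsigned int bits)
{
	if (bits == 0)
		return 0;
	if (bits >= BITS_PER_LONG)
		return ~0UL;
	return (1UL << bits) - 1;
}

/*
 * Mask covering bits [bit, end_bit) of a 32-bit word, the xfs_buf_item_log
 * pattern. With a signed 1, a width of 31 makes `1 << 31` INT_MIN and the
 * following `- 1` overflows; with an unsigned 1 both steps are defined.
 * A width of 32 (bit == 0, end_bit == 32) is also handled, which the
 * kernel expression does not need because it only runs when bit != 0.
 */
uint32_t bit_range_mask32(unsigned int bit, unsigned int end_bit)
{
	unsigned int width;

	if (end_bit > 32 || bit >= end_bit)
		return 0;
	width = end_bit - bit;
	if (width == 32)
		return UINT32_MAX;
	return ((UINT32_C(1) << width) - 1) << bit;
}

/*
 * roundup_pow_of_two() with the rhashtable_shrink() edge cases made
 * explicit: 0 returns 0 (the kernel helper shifts by 64 for that input)
 * and a request above the largest representable power of two also returns
 * 0, so a caller cannot get a silently wrong size.
 */
unsigned long roundup_pow_of_two_checked(unsigned long n)
{
	unsigned long p = 1;

	if (n == 0)
		return 0;
	while (p < n) {
		if (p > ULONG_MAX / 2)
			return 0;
		p <<= 1;
	}
	return p;
}

/* rhashtable_shrink() sizing as patched: the zero case never reaches the
 * roundup, and the result never drops below the table's minimum size. */
unsigned long shrink_target_size(unsigned int nelems, unsigned int min_size)
{
	unsigned long size = 0;

	if (nelems)
		size = roundup_pow_of_two_checked((unsigned long)nelems * 3 / 2);
	if (size < min_size)
		size = min_size;
	return size;
}

/*
 * pwm-samsung divisor search. `rate >> (bits + div)` is only defined while
 * bits + div is below the width of rate; the patch skips the loop for
 * variants with 32-bit counters, and this generalises that guard to the
 * exact shift bound (my condition, not the driver's).
 */
unsigned int lowest_divisor(unsigned long rate, unsigned long freq,
			    unsigned int bits, unsigned int div_base)
{
	unsigned int div = div_base;

	if (bits + 3 < BITS_PER_LONG) {
		for (div = div_base; div < 4; ++div)
			if ((rate >> (bits + div)) < freq)
				break;
	}
	return div;
}
```

Building with `-fsanitize=undefined -fno-sanitize-recover=all` and replacing `1UL`/`UINT32_C(1)` with a plain `1` reproduces the "shift exponent ... is too large" and "cannot be represented in type 'int'" reports quoted in the commit messages.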


[PATCH 4.4-cip 16/23] UBSAN: fix typo in format string

Ben Hutchings <ben.hutchings@...>
 

From: Nicolas Iooss <nicolas.iooss_linux@m4x.org>

commit 901d805c33fc4c029fc6b2d94ee5fb7d30278045 upstream.

handle_object_size_mismatch() used %pk to format a kernel pointer with
pr_err(). This seemed to be a misspelling for %pK, but using this to
format a kernel pointer does not make much sense here.

Therefore use %p instead, like in handle_missaligned_access().

Link: http://lkml.kernel.org/r/20160730083010.11569-1-nicolas.iooss_linux@m4x.org
Signed-off-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Joe Perches <joe@perches.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
lib/ubsan.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/ubsan.c b/lib/ubsan.c
index 8799ae5e2e42..fb0409df1bcf 100644
--- a/lib/ubsan.c
+++ b/lib/ubsan.c
@@ -308,7 +308,7 @@ static void handle_object_size_mismatch(struct type_mismatch_data *data,
return;

ubsan_prologue(&data->location, &flags);
- pr_err("%s address %pk with insufficient space\n",
+ pr_err("%s address %p with insufficient space\n",
type_check_kinds[data->type_check_kind],
(void *) ptr);
pr_err("for an object of type %s\n", data->type->type_name);
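Review bot: `%p` on this kernel prints the raw, unhashed kernel address into the log, so the change is correct for a debugging facility but worth remembering when deciding where CONFIG_UBSAN kernels run; the report already leaks the address via `(void *) ptr` and dmesg, which is consistent with handle_missaligned_access() as the message notes. Minor style nit: `(void *) ptr` would normally be written `(void *)ptr`.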
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 15/23] mmc: dw_mmc: remove UBSAN warning in dw_mci_setup_bus()

Ben Hutchings <ben.hutchings@...>
 

From: Seung-Woo Kim <sw0312.kim@samsung.com>

commit 65257a0deed5aee66b4e3708944f0be62a64cabc upstream.

This patch removes the following UBSAN warnings in dw_mci_setup_bus().

UBSAN: Undefined behaviour in drivers/mmc/host/dw_mmc.c:1102:14
shift exponent 250 is too large for 32-bit type 'unsigned int'
Call trace:
[<ffffff90080908a8>] dump_backtrace+0x0/0x380
[<ffffff9008090c3c>] show_stack+0x14/0x20
[<ffffff90087457b8>] dump_stack+0xe0/0x120
[<ffffff90087b1360>] ubsan_epilogue+0x18/0x68
[<ffffff90087b1a94>] __ubsan_handle_shift_out_of_bounds+0x18c/0x1bc
[<ffffff9008d89cb8>] dw_mci_setup_bus+0x3a0/0x438
[...]

UBSAN: Undefined behaviour in drivers/mmc/host/dw_mmc.c:1132:27
shift exponent 250 is too large for 32-bit type 'unsigned int'
Call trace:
[<ffffff90080908a8>] dump_backtrace+0x0/0x380
[<ffffff9008090c3c>] show_stack+0x14/0x20
[<ffffff90087457b8>] dump_stack+0xe0/0x120
[<ffffff90087b1360>] ubsan_epilogue+0x18/0x68
[<ffffff90087b1a94>] __ubsan_handle_shift_out_of_bounds+0x18c/0x1bc
[<ffffff9008d89c9c>] dw_mci_setup_bus+0x384/0x438
[...]

The warnings are caused because of bit shift which is used to
filter spamming message for CONFIG_MMC_CLKGATE, but the config is
already removed. So this patch just removes the shift.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/mmc/host/dw_mmc.c | 14 +++++---------
drivers/mmc/host/dw_mmc.h | 4 ----
2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c
index fb204ee6ff89..0b38014ad315 100644
--- a/drivers/mmc/host/dw_mmc.c
+++ b/drivers/mmc/host/dw_mmc.c
@@ -1102,12 +1102,11 @@ static void dw_mci_setup_bus(struct dw_mci_slot *slot, bool force_clkinit)

div = (host->bus_hz != clock) ? DIV_ROUND_UP(div, 2) : 0;

- if ((clock << div) != slot->__clk_old || force_clkinit)
- dev_info(&slot->mmc->class_dev,
- "Bus speed (slot %d) = %dHz (slot req %dHz, actual %dHZ div = %d)\n",
- slot->id, host->bus_hz, clock,
- div ? ((host->bus_hz / div) >> 1) :
- host->bus_hz, div);
+ dev_info(&slot->mmc->class_dev,
+ "Bus speed (slot %d) = %dHz (slot req %dHz, actual %dHZ div = %d)\n",
+ slot->id, host->bus_hz, clock,
+ div ? ((host->bus_hz / div) >> 1) :
+ host->bus_hz, div);

/* disable clock */
mci_writel(host, CLKENA, 0);
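Review bot: dropping the `if ((clock << div) != slot->__clk_old || force_clkinit)` condition makes the dev_info() unconditional, so every call that reaches this point now logs at info level; the comparison was the only rate limiting left after CONFIG_MMC_CLKGATE went away, and the message does not say how often dw_mci_setup_bus() runs. If the print is noisy on real hardware, dev_dbg() or a comparison that does not shift (compare clock and div separately) would keep the UBSAN fix without the log spam. Please also confirm that the `force_clkinit` parameter in the function signature still has a user elsewhere in the function, since this hunk removes the only use visible here. Cosmetic: the format string mixes "%dHz" and "%dHZ".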
@@ -1130,9 +1129,6 @@ static void dw_mci_setup_bus(struct dw_mci_slot *slot, bool force_clkinit)

/* inform CIU */
mci_send_cmd(slot, sdmmc_cmd_bits, 0);
-
- /* keep the clock with reflecting clock dividor */
- slot->__clk_old = clock << div;
}

host->current_speed = clock;
diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
index f695b58f0613..18fb8f5aaa34 100644
--- a/drivers/mmc/host/dw_mmc.h
+++ b/drivers/mmc/host/dw_mmc.h
@@ -242,9 +242,6 @@ extern int dw_mci_resume(struct dw_mci *host);
* @queue_node: List node for placing this node in the @queue list of
* &struct dw_mci.
* @clock: Clock rate configured by set_ios(). Protected by host->lock.
- * @__clk_old: The last updated clock with reflecting clock divider.
- * Keeping track of this helps us to avoid spamming the console
- * with CONFIG_MMC_CLKGATE.
* @flags: Random state bits associated with the slot.
* @id: Number of this slot.
* @sdio_id: Number of this slot in the SDIO interrupt registers.
@@ -259,7 +256,6 @@ struct dw_mci_slot {
struct list_head queue_node;

unsigned int clock;
- unsigned int __clk_old;

unsigned long flags;
#define DW_MMC_CARD_PRESENT 0
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 14/23] signal: move the "sig < SIGRTMIN" check into siginmask(sig)

Ben Hutchings <ben.hutchings@...>
 

From: Oleg Nesterov <oleg@redhat.com>

commit 5c8ccefdf46c5f87d87b694c7fbc04941c2c99a5 upstream.

All the users of siginmask() must ensure that sig < SIGRTMIN. sig_fatal()
doesn't and this is wrong:

UBSAN: Undefined behaviour in kernel/signal.c:911:6
shift exponent 32 is too large for 32-bit type 'long unsigned int'

The patch doesn't add the necessary check to sig_fatal(); it moves the
check into siginmask() and updates other callers.

Link: http://lkml.kernel.org/r/20160517195052.GA15187@redhat.com
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
include/linux/signal.h | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/include/linux/signal.h b/include/linux/signal.h
index d80259afb9e5..d822bd15dddc 100644
--- a/include/linux/signal.h
+++ b/include/linux/signal.h
@@ -400,7 +400,9 @@ int unhandled_signal(struct task_struct *tsk, int sig);
#else
#define rt_sigmask(sig) sigmask(sig)
#endif
-#define siginmask(sig, mask) (rt_sigmask(sig) & (mask))
+
+#define siginmask(sig, mask) \
+ ((sig) < SIGRTMIN && (rt_sigmask(sig) & (mask)))

#define SIG_KERNEL_ONLY_MASK (\
rt_sigmask(SIGKILL) | rt_sigmask(SIGSTOP))
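Review bot: siginmask() now yields a truth value rather than the masked bits, because `(sig) < SIGRTMIN && ...` evaluates to 0 or 1; every caller updated below uses it as a boolean, but any other user of siginmask() that wanted the mask bits themselves would change behaviour, so a grep for out-of-tree style uses is worthwhile. The new check also only bounds the top: rt_sigmask(sig) still shifts by sig-1 via sigmask(), so callers must continue to guarantee sig >= 1, and the macro evaluates `sig` twice, which is fine for the plain identifiers used here but not for arguments with side effects.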
@@ -421,14 +423,10 @@ int unhandled_signal(struct task_struct *tsk, int sig);
rt_sigmask(SIGCONT) | rt_sigmask(SIGCHLD) | \
rt_sigmask(SIGWINCH) | rt_sigmask(SIGURG) )

-#define sig_kernel_only(sig) \
- (((sig) < SIGRTMIN) && siginmask(sig, SIG_KERNEL_ONLY_MASK))
-#define sig_kernel_coredump(sig) \
- (((sig) < SIGRTMIN) && siginmask(sig, SIG_KERNEL_COREDUMP_MASK))
-#define sig_kernel_ignore(sig) \
- (((sig) < SIGRTMIN) && siginmask(sig, SIG_KERNEL_IGNORE_MASK))
-#define sig_kernel_stop(sig) \
- (((sig) < SIGRTMIN) && siginmask(sig, SIG_KERNEL_STOP_MASK))
+#define sig_kernel_only(sig) siginmask(sig, SIG_KERNEL_ONLY_MASK)
+#define sig_kernel_coredump(sig) siginmask(sig, SIG_KERNEL_COREDUMP_MASK)
+#define sig_kernel_ignore(sig) siginmask(sig, SIG_KERNEL_IGNORE_MASK)
+#define sig_kernel_stop(sig) siginmask(sig, SIG_KERNEL_STOP_MASK)

#define sig_user_defined(t, signr) \
(((t)->sighand->action[(signr)-1].sa.sa_handler != SIG_DFL) && \
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 13/23] batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq

Ben Hutchings <ben.hutchings@...>
 

From: Sven Eckelmann <sven.eckelmann@open-mesh.com>

commit d285f52cc0f23564fd61976d43fd5b991b4828f6 upstream.

The undefined behavior sanitizer detected a signed integer overflow in a
setup with near perfect link quality:

UBSAN: Undefined behaviour in net/batman-adv/bat_iv_ogm.c:1246:25
signed integer overflow:
8713350 * 255 cannot be represented in type 'int'

The problem happens because the calculation of mixed unsigned and signed
integers resulted in an integer multiplication.

batadv_ogm_packet::tq (u8 255)
* tq_own (u8 255)
* tq_asym_penalty (int 134; max 255)
* tq_iface_penalty (int 255; max 255)

The tq_iface_penalty, tq_asym_penalty and inv_asym_penalty can just be
changed to unsigned int because they are not expected to become negative.

Fixes: c039876892e3 ("batman-adv: add WiFi penalty")
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
[bwh: Backported to 4.4: adjust context]

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
net/batman-adv/bat_iv_ogm.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 912d9c36fb1c..3fb6e9e8df7e 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1140,9 +1140,10 @@ static int batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
u8 total_count;
u8 orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
- int tq_asym_penalty, inv_asym_penalty, if_num, ret = 0;
+ int if_num, ret = 0;
+ unsigned int tq_asym_penalty, inv_asym_penalty;
unsigned int combined_tq;
- int tq_iface_penalty;
+ unsigned int tq_iface_penalty;

/* find corresponding one hop neighbor */
rcu_read_lock();
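Review bot: making tq_asym_penalty, inv_asym_penalty and tq_iface_penalty unsigned turns the "not expected to become negative" assumption from something UBSAN would flag into a silent wrap; the assignments are outside this hunk, so please check that inv_asym_penalty (by its name a BATADV_TQ_MAX_VALUE-minus-something quantity) can never be computed from a subtrahend larger than the minuend, and that nothing compares these values against 0 with `<`. With all four factors bounded by 255 the unsigned product (255^4 = 4228250625) does fit 32 bits, so the type change is sufficient for the combined_tq calculation itself.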
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 12/23] blk-mq: fix undefined behaviour in order_to_size()

Ben Hutchings <ben.hutchings@...>
 

From: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>

commit b3a834b1596ac668df206aa2bb1f191c31f5f5e4 upstream.

When this_order variable in blk_mq_init_rq_map() becomes zero
the code incorrectly decrements the variable and passes the result
to order_to_size() helper causing undefined behaviour:

UBSAN: Undefined behaviour in block/blk-mq.c:1459:27
shift exponent 4294967295 is too large for 32-bit type 'unsigned int'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.6.0-rc6-00072-g33656a1 #22

Fix the code by checking this_order variable for not having the zero
value first.

Reported-by: Meelis Roos <mroos@linux.ee>
Fixes: 320ae51feed5 ("blk-mq: new multi-queue block IO queueing mechanism")
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
block/blk-mq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/blk-mq.c b/block/blk-mq.c
index c3e461ec40e4..c58fdfdd9ea6 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -1494,7 +1494,7 @@ static struct blk_mq_tags *blk_mq_init_rq_map(struct blk_mq_tag_set *set,
int to_do;
void *p;

- while (left < order_to_size(this_order - 1) && this_order)
+ while (this_order && left < order_to_size(this_order - 1))
this_order--;

do {
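Review bot: the reorder relies on short-circuit evaluation so that `this_order - 1` is never passed when this_order is 0, which is correct; the loop then falls through to the `do {` with this_order == 0, i.e. an order-0 allocation, which is the intended floor. order_to_size() itself still accepts any int without a guard, so a comment at the helper or an unsigned parameter would stop the next caller from repeating this, but as a minimal fix the hunk is fine.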
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 11/23] btrfs: fix int32 overflow in shrink_delalloc().

Ben Hutchings <ben.hutchings@...>
 

From: Adam Borowski <kilobyte@angband.pl>

commit 8eb0dfdbda3f56bf7d248ed87fcc383df114ecbb upstream.

UBSAN: Undefined behaviour in fs/btrfs/extent-tree.c:4623:21
signed integer overflow:
10808 * 262144 cannot be represented in type 'int [8]'

If 8192<=items<16384, we request a writeback of an insane number of pages
which is benign (everything will be written). But if items>=16384, the
space reservation won't be enough.

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
fs/btrfs/extent-tree.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 47cdc6f3390b..a4d7dbe2619e 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4568,7 +4568,7 @@ static void shrink_delalloc(struct btrfs_root *root, u64 to_reclaim, u64 orig,

/* Calc the number of the pages we need flush for space reservation */
items = calc_reclaim_items_nr(root, to_reclaim);
- to_reclaim = items * EXTENT_SIZE_PER_ITEM;
+ to_reclaim = (u64)items * EXTENT_SIZE_PER_ITEM;

trans = (struct btrfs_trans_handle *)current->journal_info;
block_rsv = &root->fs_info->delalloc_block_rsv;
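Review bot: the cast is on `items`, so the multiplication is now done in u64 and EXTENT_SIZE_PER_ITEM is promoted, which fixes the overflow; one thing to confirm is the contract of calc_reclaim_items_nr(), because if it can ever return a negative int (an error or an underflow) the cast turns that into a value near 2^64 rather than the negative-then-sign-extended result the old code produced. If items is always non-negative, having calc_reclaim_items_nr() return u64 would make the cast unnecessary.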
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.
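Patches 13/23 (batman-adv) and 11/23 (btrfs) above both fix a product that C's usual arithmetic conversions evaluate in int. The following is an added example, not code from either patch or from the kernel: it reproduces the arithmetic in userspace C, emulating the 32-bit wrap from the exact 64-bit product (the narrow multiply itself would be undefined behaviour and cannot be tested directly), and shows why the btrfs message calls 8192 <= items < 16384 benign but items >= 16384 a real shortfall. Function names are ours; the operand values (255/134 penalties, 10808 items, 262144 bytes per item) are taken from the two commit messages.

```c
/*
 * Added example, not part of any patch on this page: the arithmetic
 * behind the batman-adv (13/23) and btrfs (11/23) int overflows.
 * Helper names are ours; constants come from the commit messages.
 */
#include <inttypes.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EXTENT_SIZE_PER_ITEM 262144   /* 10808 * 262144 in the btrfs report */

/*
 * What a two's-complement machine produces when the compiler emits a
 * plain 32-bit multiply and the exact product no longer fits int:
 * keep the low 32 bits and reinterpret them as signed.  Doing the
 * narrow multiply in C is UB, so we derive it from the exact value.
 */
static int64_t wrap_to_int32(uint64_t exact)
{
    uint64_t low = exact & 0xffffffffULL;
    return (low & 0x80000000ULL) ? (int64_t)low - ((int64_t)1 << 32)
                                 : (int64_t)low;
}

/* batman-adv: tq (u8) * tq_own (u8) * asym penalty * iface penalty */
static uint64_t batadv_tq_product_exact(uint8_t tq, uint8_t tq_own,
                                        unsigned int asym, unsigned int iface)
{
    return (uint64_t)tq * tq_own * asym * iface;
}

/* Before the patch the penalties were int, so the u8 factors promote to
 * int and the whole product is evaluated in int: overflow above INT_MAX. */
static bool batadv_tq_overflows_int(uint8_t tq, uint8_t tq_own,
                                    unsigned int asym, unsigned int iface)
{
    return batadv_tq_product_exact(tq, tq_own, asym, iface) > (uint64_t)INT_MAX;
}

/* After the patch the penalties are unsigned int; 255^4 must fit 32 bits. */
static bool batadv_tq_fits_u32(uint8_t tq, uint8_t tq_own,
                               unsigned int asym, unsigned int iface)
{
    return batadv_tq_product_exact(tq, tq_own, asym, iface) <= UINT32_MAX;
}

/* btrfs before the fix: 'items * EXTENT_SIZE_PER_ITEM' is int * int, and
 * the wrapped (possibly negative) int is then assigned to a u64, which
 * sign-extends it.  That is the "insane number of pages" case. */
static uint64_t btrfs_to_reclaim_before(int items)
{
    uint64_t exact = (uint64_t)items * EXTENT_SIZE_PER_ITEM;
    return (uint64_t)wrap_to_int32(exact);
}

/* btrfs after the fix: '(u64)items * EXTENT_SIZE_PER_ITEM'. */
static uint64_t btrfs_to_reclaim_after(int items)
{
    return (uint64_t)items * EXTENT_SIZE_PER_ITEM;
}

int main(void)
{
    printf("batadv 255*255*134*255 overflows int: %d, fits u32: %d\n",
           batadv_tq_overflows_int(255, 255, 134, 255),
           batadv_tq_fits_u32(255, 255, 134, 255));

    /* 8191: fits int, 8192..16383: negative int -> huge u64,
     * 16384: 2^32 wraps to 0 -> reservation far too small. */
    int samples[] = { 8191, 8192, 10808, 16384 };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("items=%5d before=%20" PRIu64 " after=%12" PRIu64 "\n",
               samples[i], btrfs_to_reclaim_before(samples[i]),
               btrfs_to_reclaim_after(samples[i]));
    return 0;
}
```

The wrapped values explain the commit message directly: for items in [8192, 16384) the int product has bit 31 set, so after conversion to u64 the request is enormous and the writeback simply flushes everything; at items = 16384 the low 32 bits are all zero and the reservation collapses to 0.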


[PATCH 4.4-cip 10/23] drm/radeon: don't include RADEON_HPD_NONE in HPD IRQ enable bitsets

Ben Hutchings <ben.hutchings@...>
 

From: Nicolai Stange <nicstange@gmail.com>

commit b2c0cbd657173f024138d6421774007690ceeffd upstream.

The values of all but the RADEON_HPD_NONE members of the radeon_hpd_id
enum transform 1:1 into bit positions within the 'enabled' bitset as
assembled by evergreen_hpd_init():

enabled |= 1 << radeon_connector->hpd.hpd;

However, if ->hpd.hpd happens to equal RADEON_HPD_NONE == 0xff, UBSAN
reports

UBSAN: Undefined behaviour in drivers/gpu/drm/radeon/evergreen.c:1867:16
shift exponent 255 is too large for 32-bit type 'int'
[...]
Call Trace:
[<ffffffff818c4d35>] dump_stack+0xbc/0x117
[<ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
[<ffffffff819411bb>] ubsan_epilogue+0xd/0x4e
[<ffffffff81941cbc>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
[<ffffffffa0ba7f2e>] ? atom_execute_table+0x3e/0x50 [radeon]
[<ffffffff81941ac1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
[<ffffffffa0b87700>] ? radeon_get_pll_use_mask+0x130/0x130 [radeon]
[<ffffffff81219930>] ? wake_up_klogd_work_func+0x60/0x60
[<ffffffff8121a35e>] ? vprintk_default+0x3e/0x60
[<ffffffffa0c603c4>] evergreen_hpd_init+0x274/0x2d0 [radeon]
[<ffffffffa0c603c4>] ? evergreen_hpd_init+0x274/0x2d0 [radeon]
[<ffffffffa0bd196e>] radeon_modeset_init+0x8ce/0x18d0 [radeon]
[<ffffffffa0b71d86>] radeon_driver_load_kms+0x186/0x350 [radeon]
[<ffffffffa03b6b16>] drm_dev_register+0xc6/0x100 [drm]
[<ffffffffa03bc8c4>] drm_get_pci_dev+0xe4/0x490 [drm]
[<ffffffff814b83f0>] ? kfree+0x220/0x370
[<ffffffffa0b687c2>] radeon_pci_probe+0x112/0x140 [radeon]
[...]
=====================================================================
radeon 0000:01:00.0: No connectors reported connected with modes

At least on x86, there should be no user-visible impact as there

1 << 0xff == 1 << (0xff & 31) == 1 << 31

holds and 31 > RADEON_MAX_HPD_PINS. Thus, this patch is a cosmetic one.

All of the above applies analogously to evergreen_hpd_fini(),
r100_hpd_init(), r100_hpd_fini(), r600_hpd_init(), r600_hpd_fini(),
rs600_hpd_init() and rs600_hpd_fini().

Silence UBSAN by checking ->hpd.hpd for RADEON_HPD_NONE before ORing it
into the 'enabled' bitset in the *_init()- or the 'disabled' bitset in
the *_fini()-functions respectively.

Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
drivers/gpu/drm/radeon/evergreen.c | 6 ++++--
drivers/gpu/drm/radeon/r100.c | 6 ++++--
drivers/gpu/drm/radeon/r600.c | 6 ++++--
drivers/gpu/drm/radeon/rs600.c | 6 ++++--
4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c
index 32491355a1d4..6792df8ed01a 100644
--- a/drivers/gpu/drm/radeon/evergreen.c
+++ b/drivers/gpu/drm/radeon/evergreen.c
@@ -1864,7 +1864,8 @@ void evergreen_hpd_init(struct radeon_device *rdev)
break;
}
radeon_hpd_set_polarity(rdev, radeon_connector->hpd.hpd);
- enabled |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ enabled |= 1 << radeon_connector->hpd.hpd;
}
radeon_irq_kms_enable_hpd(rdev, enabled);
}
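Review bot: radeon_hpd_set_polarity() on the line just above the new check is still called with RADEON_HPD_NONE; if that helper switches on the pin and has no NONE case it is harmless, but wrapping both statements in the same `if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)` would make the intent explicit and avoid a second sanitizer report later. The guard itself is right: with NONE excluded the shift exponent is bounded by RADEON_MAX_HPD_PINS, well below 31.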
@@ -1907,7 +1908,8 @@ void evergreen_hpd_fini(struct radeon_device *rdev)
default:
break;
}
- disabled |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ disabled |= 1 << radeon_connector->hpd.hpd;
}
radeon_irq_kms_disable_hpd(rdev, disabled);
}
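Review bot: this identical two-line guard is now repeated eight times across four files (each *_hpd_init() and *_hpd_fini()); a small helper, for example a static inline that returns `hpd == RADEON_HPD_NONE ? 0 : 1 << hpd`, would keep the eight call sites to one line each and put the NONE knowledge in one place for the next driver that grows an HPD path.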
diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
index 9e7e2bf03b81..9c5f47099216 100644
--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -592,7 +592,8 @@ void r100_hpd_init(struct radeon_device *rdev)

list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
struct radeon_connector *radeon_connector = to_radeon_connector(connector);
- enable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ enable |= 1 << radeon_connector->hpd.hpd;
radeon_hpd_set_polarity(rdev, radeon_connector->hpd.hpd);
}
radeon_irq_kms_enable_hpd(rdev, enable);
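Review bot: same remark as for evergreen_hpd_init(): radeon_hpd_set_polarity() is still called unconditionally with ->hpd.hpd, here on the line after the new check rather than before it, so a NONE pin still reaches the polarity helper. Nothing else to flag; the check matches the other seven sites.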
@@ -614,7 +615,8 @@ void r100_hpd_fini(struct radeon_device *rdev)

list_for_each_entry(connector, &dev->mode_config.connector_list, head) {
struct radeon_connector *radeon_connector = to_radeon_connector(connector);
- disable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ disable |= 1 << radeon_connector->hpd.hpd;
}
radeon_irq_kms_disable_hpd(rdev, disable);
}
diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c
index cc2fdf0be37a..116373c24d08 100644
--- a/drivers/gpu/drm/radeon/r600.c
+++ b/drivers/gpu/drm/radeon/r600.c
@@ -1002,7 +1002,8 @@ void r600_hpd_init(struct radeon_device *rdev)
break;
}
}
- enable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ enable |= 1 << radeon_connector->hpd.hpd;
radeon_hpd_set_polarity(rdev, radeon_connector->hpd.hpd);
}
radeon_irq_kms_enable_hpd(rdev, enable);
@@ -1055,7 +1056,8 @@ void r600_hpd_fini(struct radeon_device *rdev)
break;
}
}
- disable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ disable |= 1 << radeon_connector->hpd.hpd;
}
radeon_irq_kms_disable_hpd(rdev, disable);
}
diff --git a/drivers/gpu/drm/radeon/rs600.c b/drivers/gpu/drm/radeon/rs600.c
index 6244f4e44e9a..4b35213fe028 100644
--- a/drivers/gpu/drm/radeon/rs600.c
+++ b/drivers/gpu/drm/radeon/rs600.c
@@ -413,7 +413,8 @@ void rs600_hpd_init(struct radeon_device *rdev)
default:
break;
}
- enable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ enable |= 1 << radeon_connector->hpd.hpd;
radeon_hpd_set_polarity(rdev, radeon_connector->hpd.hpd);
}
radeon_irq_kms_enable_hpd(rdev, enable);
@@ -439,7 +440,8 @@ void rs600_hpd_fini(struct radeon_device *rdev)
default:
break;
}
- disable |= 1 << radeon_connector->hpd.hpd;
+ if (radeon_connector->hpd.hpd != RADEON_HPD_NONE)
+ disable |= 1 << radeon_connector->hpd.hpd;
}
radeon_irq_kms_disable_hpd(rdev, disable);
}
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.


[PATCH 4.4-cip 09/23] perf/x86/amd: Set the size of event map array to PERF_COUNT_HW_MAX

Ben Hutchings <ben.hutchings@...>
 

From: Adam Borowski <kilobyte@angband.pl>

commit 0a25556f84d5f79e68e9502bb1f32a43377ab2bf upstream.

The entry for PERF_COUNT_HW_REF_CPU_CYCLES is not used on AMD, but is
referenced by filter_events() which expects undefined events to have a
value of 0.

Found via KASAN:

UBSAN: Undefined behaviour in arch/x86/events/amd/core.c:132:30
index 9 is out of range for type 'u64 [9]'
UBSAN: Undefined behaviour in arch/x86/events/amd/core.c:132:9
load of address ffffffff81c021c8 with insufficient space for an object of type 'const u64'

Signed-off-by: Adam Borowski <kilobyte@angband.pl>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@suse.de>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: http://lkml.kernel.org/r/1461749731-30979-1-git-send-email-kilobyte@angband.pl
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[bwh: Backported to 4.4: adjust filename]

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
---
arch/x86/kernel/cpu/perf_event_amd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kernel/cpu/perf_event_amd.c b/arch/x86/kernel/cpu/perf_event_amd.c
index 1cee5d2d7ece..e671f3c2397e 100644
--- a/arch/x86/kernel/cpu/perf_event_amd.c
+++ b/arch/x86/kernel/cpu/perf_event_amd.c
@@ -115,7 +115,7 @@ static __initconst const u64 amd_hw_cache_event_ids
/*
* AMD Performance Monitor K7 and later.
*/
-static const u64 amd_perfmon_event_map[] =
+static const u64 amd_perfmon_event_map[PERF_COUNT_HW_MAX] =
{
[PERF_COUNT_HW_CPU_CYCLES] = 0x0076,
[PERF_COUNT_HW_INSTRUCTIONS] = 0x00c0,
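Review bot: giving the array an explicit PERF_COUNT_HW_MAX bound makes the designated initializer zero-fill the PERF_COUNT_HW_REF_CPU_CYCLES slot (index 9 in the report, one past the old 'u64 [9]'), which is exactly the "undefined events are 0" contract filter_events() relies on; a one-line comment above the array saying that unlisted entries must stay 0 would stop someone from "tidying" the size away again. The `__initconst` qualifier on amd_hw_cache_event_ids in the hunk header versus plain `const` here is pre-existing and not this patch's concern.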
--
2.10.2



--
Ben Hutchings
Software Developer, Codethink Ltd.
