commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 Author: Linus Torvalds Date: Sun Oct 2 16:24:33 2016 -0700 Linux 4.8 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f76d9c61d91343806e59335493806e87daf78947 Merge: be67d60 117e5e9 Author: Linus Torvalds Date: Sun Oct 2 15:23:00 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Three relatively small fixes for ARM: - Roger noticed that dma_max_pfn() was calculating the upper limit wrongly, by adding the PFN offset of memory twice. - A fix from Robin to correct parsing of MPIDR values when the address size is larger than one BE32 unit. - A fix from Srinivas to ensure that we do not rely on the boot loader (or previous Linux kernel) setting the translation table base register a certain way in the decompressor, which can lead to crashes" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 ARM: 8617/1: dma: fix dma_max_pfn() ARM: 8616/1: dt: Respect property size when parsing CPUs commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 Author: Srinivas Ramana Date: Fri Sep 30 15:03:31 2016 +0100 ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 If the bootloader uses the long descriptor format and jumps to kernel decompressor code, TTBCR may not be in a right state. Before enabling the MMU, it is required to clear the TTBCR.PD0 field to use TTBR0 for translation table walks. The commit dbece45894d3a ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but doesn't consider all the bits for the size of TTBCR.N. Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to indicate the use of TTBR0 and the correct base address width. Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores") Acked-by: Robin Murphy Signed-off-by: Srinivas Ramana Signed-off-by: Russell King arch/arm/boot/compressed/head.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit be67d60ba944bdd38571b79bdcd506e34c0f16c1 Merge: 66188fb 2fa5f04 Author: Linus Torvalds Date: Sun Oct 2 11:04:29 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "The last regression fixes for 4.8 final: - Two patches addressing the fallout of the CR4 optimizations which caused CR4-less machines to fail. - Fix the VDSO build on big endian machines - Take care of FPU initialization if no CPUID is available otherwise task struct size ends up being zero - Fix up context tracking in case load_gs_index fails" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/entry/64: Fix context tracking state warning when load_gs_index fails x86/boot: Initialize FPU and X86_FEATURE_ALWAYS even if we don't have CPUID x86/vdso: Fix building on big endian host x86/boot: Fix another __read_cr4() case on 486 x86/init: Fix cr4_init_shadow() on CR4-less machines commit 66188fb11a82692629e85b6cbc3ecc08c752d2dc Merge: 0c7fc30 6605d15 Author: Linus Torvalds Date: Sun Oct 2 10:53:38 2016 -0700 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus Pull MIPS fixes from Ralf Baechle: "Another round of fixes: - CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems - CPS: Avoid BUG() when offlining pre-r6 CPUs - DEC: Avoid gas warnings due to suspicious instruction scheduling by manually expanding assembler macros. - FTLB: Fix configuration by moving confiuguratoin after probing - FTLB: clear execution hazard after changing FTLB enable - Highmem: Fix detection of unsupported highmem with cache aliases - I6400: Don't touch FTLBP chicken bits - microMIPS: Fix BUILD_ROLLBACK_PROLOGUE - Malta: Fix IOCU disable switch read for MIPS64 - Octeon: Fix probing of devices attached to GPIO lines - uprobes: Misc small fixes" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems MIPS: Fix detection of unsupported highmem with cache aliases MIPS: Malta: Fix IOCU disable switch read for MIPS64 MIPS: Fix BUILD_ROLLBACK_PROLOGUE for microMIPS MIPS: clear execution hazard after changing FTLB enable MIPS: Configure FTLB after probing TLB sizes from config4 MIPS: Stop setting I6400 FTLBP MIPS: DEC: Avoid la pseudo-instruction in delay slots MIPS: Octeon: mark GPIO controller node not populated after IRQ init. MIPS: uprobes: fix use of uninitialised variable MIPS: uprobes: remove incorrect set_orig_insn MIPS: fix uretprobe implementation MIPS: smp-cps: Avoid BUG() when offlining pre-r6 CPUs commit 0c7fc30f18220c0d1b8fb2636811a0c0d0d65714 Merge: bb6bbc7 2a0100d Author: Linus Torvalds Date: Sun Oct 2 10:42:26 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc Pull sparc fixes from David Miller: 1) Fix section mismatches in some builds, from Paul Gortmaker. 2) Need to count huge zero page mappings when doing TSB sizing, from Mike Kravetz. 3) Fix handing of cpu_possible_mask when nr_cpus module option is specified, from Atish Patra. 4) Don't allocate irq stacks until nr_irqs has been processed, also from Atish Patra. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc64: Fix non-SMP build. sparc64: Fix irq stack bootmem allocation. sparc64: Fix cpu_possible_mask if nr_cpus is set sparc64 mm: Fix more TSB sizing issues sparc64: fix section mismatch in find_numa_latencies_for_group commit bb6bbc7ca2254fd885f5b85f4cc0cda7cf04f8c1 Merge: f51fdff 1cceda78 Author: Linus Torvalds Date: Sun Oct 2 10:36:41 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix wrong TCP checksums on MTU probing when checksum offloading is disabled, from Douglas Caetano dos Santos. 2) Fix qdisc backlog updates in qfq and sfb schedulers, from Cong Wang. 3) Route lookup flow key protocol value is wrong in ip6gre_xmit_other(), fix from Lance Richardson. 4) Scheduling while atomic in multicast routing code of ipv4 and ipv6, fix from Nikolay Aleksandrov. 5) Fix packet alignment in fec driver, from Eric Nelson. 6) Fix perf regression in sctp due to struct layout and cache misses, from Xin Long. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock sctp: change to check peer prsctp_capable when using prsctp polices sctp: remove prsctp_param from sctp_chunk sctp: move sent_count to the memory hole in sctp_chunk tg3: Avoid NULL pointer dereference in tg3_io_error_detected() act_ife: Fix false encoding act_ife: Fix external mac header on encode VSOCK: Don't dec ack backlog twice for rejected connections Revert "net: ethernet: bcmgenet: use phydev from struct net_device" net: fec: align IP header in hardware net: fec: remove QUIRK_HAS_RACC from i.mx27 net: fec: remove QUIRK_HAS_RACC from i.mx25 ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() tcp: fix a compile error in DBGUNDO() tcp: fix wrong checksum calculation on MTU probing sch_sfb: keep backlog updated with qlen sch_qfq: keep backlog updated with qlen can: dev: fix deadlock reported after bus-off commit 6605d156bdfbb2502ba301bc4fbd8db696ae4b6d Author: Paul Burton Date: Fri Sep 30 17:25:01 2016 +0100 MIPS: CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems When discovering the number of VPEs per core, smp_num_siblings will be incorrect for kernels built without support for the MIPS MultiThreading (MT) ASE running on systems which implement said ASE. This leads to accesses to VPEs in secondary cores being performed incorrectly since mips_cm_vp_id calculates the wrong ID to write to the local "other" registers. Fix this by examining the number of VPEs in the core as reported by the CM. This patch presumes that the number of VPEs will be the same in each core of the system. As this path only applies to systems with CM version 2.5 or lower, and this property is true of all such known systems, this is likely to be fine but is described in a comment for good measure. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14338/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mips-cm.h | 11 +++++++++++ 1 file changed, 11 insertions(+) commit f51fdffad5b7709d0ade40736b58a2da2707fa15 Merge: 2161a2a 539294b Author: Linus Torvalds Date: Sat Oct 1 07:37:15 2016 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "One final fix before 4.8. There was a memory leak triggered by turning scsi mq off due to the fact that we assume on host release that the already running hosts weren't mq based because that's the state of the global flag (even though they were). Fix it by tracking this on a per host host basis" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: Avoid that toggling use_blk_mq triggers a memory leak commit 2161a2a644a6d33a29d68395518d103ed805758f Merge: dbd8805 9fb6de1 Author: Linus Torvalds Date: Fri Sep 30 21:25:09 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fix from Dmitry Torokhov: "One small change to make joydev (which is used by older games) to bind to devices that export Z axis but not X or Y (such as TRC rudder)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: joydev - recognize devices with Z axis as joysticks commit dbd8805b0ad46f04cababea5d01f072142961411 Merge: 9a2172a 37aa727 Author: Linus Torvalds Date: Fri Sep 30 15:51:10 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge more fixes from Andrew Morton: "Three fixes" * emailed patches from Andrew Morton : include/linux/property.h: fix typo/compile error ocfs2: fix deadlock on mmapped page in ocfs2_write_begin_nolock() mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() commit 37aa7271d9742b574763e5ce019bde9c49aa8bfe Author: John Youn Date: Fri Sep 30 15:11:35 2016 -0700 include/linux/property.h: fix typo/compile error This fixes commit d76eebfa175e ("include/linux/property.h: fix build issues with gcc-4.4.4"). With that commit we get the following compile error when using the PROPERTY_ENTRY_INTEGER_ARRAY macro. include/linux/property.h:201:39: error: `u32_data' undeclared (first use in this function) PROPERTY_ENTRY_INTEGER_ARRAY(_name_, u32, _val_) ^ include/linux/property.h:193:17: note: in definition of macro `PROPERTY_ENTRY_INTEGER_ARRAY' { .pointer = { _type_##_data = _val_ } }, \ ^ This needs a '.' to reference the union member. It seems this was just overlooked here since it is done correctly in similar constructs in other parts of the original commit. This fix is in preparation of upcoming commits that will use this macro. Fixes: commit d76eebfa175e ("include/linux/property.h: fix build issues with gcc-4.4.4") Link: http://lkml.kernel.org/r/2de3b929290d88a723ed829a3e3cbd02044714df.1475114627.git.johnyoun@synopsys.com Signed-off-by: John Youn Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/property.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c33f0785bf292cf1d15f4fbe42869c63e205b21c Author: Eric Ren Date: Fri Sep 30 15:11:32 2016 -0700 ocfs2: fix deadlock on mmapped page in ocfs2_write_begin_nolock() The testcase "mmaptruncate" of ocfs2-test deadlocks occasionally. In this testcase, we create a 2*CLUSTER_SIZE file and mmap() on it; there are 2 process repeatedly performing the following operations respectively: one is doing memset(mmaped_addr + 2*CLUSTER_SIZE - 1, 'a', 1), while the another is playing ftruncate(fd, 2*CLUSTER_SIZE) and then ftruncate(fd, CLUSTER_SIZE) again and again. This is the backtrace when the deadlock happens: __wait_on_bit_lock+0x50/0xa0 __lock_page+0xb7/0xc0 ocfs2_write_begin_nolock+0x163f/0x1790 [ocfs2] ocfs2_page_mkwrite+0x1c7/0x2a0 [ocfs2] do_page_mkwrite+0x66/0xc0 handle_mm_fault+0x685/0x1350 __do_page_fault+0x1d8/0x4d0 trace_do_page_fault+0x37/0xf0 do_async_page_fault+0x19/0x70 async_page_fault+0x28/0x30 In ocfs2_write_begin_nolock(), we first grab the pages and then allocate disk space for this write; ocfs2_try_to_free_truncate_log() will be called if -ENOSPC is returned; if we're lucky to get enough clusters, which is usually the case, we start over again. But in ocfs2_free_write_ctxt() the target page isn't unlocked, so we will deadlock when trying to grab the target page again. Also, -ENOMEM might be returned in ocfs2_grab_pages_for_write(). Another deadlock will happen in __do_page_mkwrite() if ocfs2_page_mkwrite() returns non-VM_FAULT_LOCKED, and along with a locked target page. These two errors fail on the same path, so fix them by unlocking the target page manually before ocfs2_free_write_ctxt(). Jan Kara helps me clear out the JBD2 part, and suggest the hint for root cause. Changes since v1: 1. Also put ENOMEM error case into consideration. Link: http://lkml.kernel.org/r/1474173902-32075-1-git-send-email-zren@suse.com Signed-off-by: Eric Ren Reviewed-by: He Gang Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 22f2ac51b6d643666f4db093f13144f773ff3f3a Author: Johannes Weiner Date: Fri Sep 30 15:11:29 2016 -0700 mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() Antonio reports the following crash when using fuse under memory pressure: kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346! invalid opcode: 0000 [#1] SMP Modules linked in: all of them CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013 task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000 RIP: shadow_lru_isolate+0x181/0x190 Call Trace: __list_lru_walk_one.isra.3+0x8f/0x130 list_lru_walk_one+0x23/0x30 scan_shadow_nodes+0x34/0x50 shrink_slab.part.40+0x1ed/0x3d0 shrink_zone+0x2ca/0x2e0 kswapd+0x51e/0x990 kthread+0xd8/0xf0 ret_from_fork+0x3f/0x70 which corresponds to the following sanity check in the shadow node tracking: BUG_ON(node->count & RADIX_TREE_COUNT_MASK); The workingset code tracks radix tree nodes that exclusively contain shadow entries of evicted pages in them, and this (somewhat obscure) line checks whether there are real pages left that would interfere with reclaim of the radix tree node under memory pressure. While discussing ways how fuse might sneak pages into the radix tree past the workingset code, Miklos pointed to replace_page_cache_page(), and indeed there is a problem there: it properly accounts for the old page being removed - __delete_from_page_cache() does that - but then does a raw raw radix_tree_insert(), not accounting for the replacement page. Eventually the page count bits in node->count underflow while leaving the node incorrectly linked to the shadow node LRU. To address this, make sure replace_page_cache_page() uses the tracked page insertion code, page_cache_tree_insert(). This fixes the page accounting and makes sure page-containing nodes are properly unlinked from the shadow node LRU again. Also, make the sanity checks a bit less obscure by using the helpers for checking the number of pages and shadows in a radix tree node. Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check") Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Reported-by: Antonio SJ Musumeci Debugged-by: Miklos Szeredi Cc: [3.15+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/swap.h | 2 + mm/filemap.c | 114 +++++++++++++++++++++++++-------------------------- mm/workingset.c | 10 ++--- 3 files changed, 63 insertions(+), 63 deletions(-) commit 9a2172a8d52cf14ce44e9cadd8c9df84cf832d75 Author: Javi Merino Date: Fri Sep 30 13:14:28 2016 +0100 MAINTAINERS: Switch to kernel.org email address for Javi Merino Change my email address to my kernel.org account instead of the ARM one. Signed-off-by: Javi Merino Signed-off-by: Linus Torvalds .mailmap | 1 + MAINTAINERS | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit 2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc Author: Wanpeng Li Date: Fri Sep 30 09:01:06 2016 +0800 x86/entry/64: Fix context tracking state warning when load_gs_index fails This warning: WARNING: CPU: 0 PID: 3331 at arch/x86/entry/common.c:45 enter_from_user_mode+0x32/0x50 CPU: 0 PID: 3331 Comm: ldt_gdt_64 Not tainted 4.8.0-rc7+ #13 Call Trace: dump_stack+0x99/0xd0 __warn+0xd1/0xf0 warn_slowpath_null+0x1d/0x20 enter_from_user_mode+0x32/0x50 error_entry+0x6d/0xc0 ? general_protection+0x12/0x30 ? native_load_gs_index+0xd/0x20 ? do_set_thread_area+0x19c/0x1f0 SyS_set_thread_area+0x24/0x30 do_int80_syscall_32+0x7c/0x220 entry_INT80_compat+0x38/0x50 ... can be reproduced by running the GS testcase of the ldt_gdt test unit in the x86 selftests. do_int80_syscall_32() will call enter_form_user_mode() to convert context tracking state from user state to kernel state. The load_gs_index() call can fail with user gsbase, gsbase will be fixed up and proceed if this happen. However, enter_from_user_mode() will be called again in the fixed up path though it is context tracking kernel state currently. This patch fixes it by just fixing up gsbase and telling lockdep that IRQs are off once load_gs_index() failed with user gsbase. Signed-off-by: Wanpeng Li Acked-by: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1475197266-3440-1-git-send-email-wanpeng.li@hotmail.com Signed-off-by: Ingo Molnar arch/x86/entry/entry_64.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 05fb3c199bb09f5b85de56cc3ede194ac95c5e1f Author: Andy Lutomirski Date: Wed Sep 28 16:06:33 2016 -0700 x86/boot: Initialize FPU and X86_FEATURE_ALWAYS even if we don't have CPUID Otherwise arch_task_struct_size == 0 and we die. While we're at it, set X86_FEATURE_ALWAYS, too. Reported-by: David Saggiorato Tested-by: David Saggiorato Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86") Link: http://lkml.kernel.org/r/8de723afbf0811071185039f9088733188b606c9.1475103911.git.luto@kernel.org Signed-off-by: Ingo Molnar arch/x86/kernel/cpu/common.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) commit e4aad64597d7a2455a541f904365b48d607916db Author: Segher Boessenkool Date: Thu Sep 29 11:51:00 2016 +0000 x86/vdso: Fix building on big endian host We need to call GET_LE to read hdr->e_type. Fixes: 57f90c3dfc75 ("x86/vdso: Error out if the vDSO isn't a valid DSO") Reported-by: Paul Gortmaker Signed-off-by: Segher Boessenkool Acked-by: Andy Lutomirski Cc: Stephen Rothwell Cc: linux-next@vger.kernel.org Link: http://lkml.kernel.org/r/20160929193442.GA16617@gate.crashing.org Signed-off-by: Thomas Gleixner arch/x86/entry/vdso/vdso2c.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 192d1dccbfc5b901b66527df9df80304693cf06e Author: Andy Lutomirski Date: Thu Sep 29 12:48:11 2016 -0700 x86/boot: Fix another __read_cr4() case on 486 The condition for reading CR4 was wrong: there are some CPUs with CPUID but not CR4. Rather than trying to make the condition exact, use __read_cr4_safe(). Fixes: 18bc7bd523e0 ("x86/boot: Synchronize trampoline_cr4_features and mmu_cr4_features directly") Reported-by: david@saggiorato.net Signed-off-by: Andy Lutomirski Reviewed-by: Borislav Petkov Cc: Brian Gerst Link: http://lkml.kernel.org/r/8c453a61c4f44ab6ff43c29780ba04835234d2e5.1475178369.git.luto@kernel.org Signed-off-by: Thomas Gleixner arch/x86/kernel/setup.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 1cceda7849809a8857fd9f26efe8846506c710e1 Author: Xin Long Date: Thu Sep 29 02:55:44 2016 +0800 sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock When sctp dumps all the ep->assocs, it needs to lock_sock first, but now it locks sock in rcu_read_lock, and lock_sock may sleep, which would break rcu_read_lock. This patch is to get and hold one sock when traversing the list. After that and get out of rcu_read_lock, lock and dump it. Then it will traverse the list again to get the next one until all sctp socks are dumped. For sctp_diag_dump_one, it fixes this issue by holding asoc and moving cb() out of rcu_read_lock in sctp_transport_lookup_process. Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") Signed-off-by: Xin Long Signed-off-by: David S. Miller net/sctp/sctp_diag.c | 58 ++++++++++++++++++++++++++++++++++++---------------- net/sctp/socket.c | 10 ++++++--- 2 files changed, 47 insertions(+), 21 deletions(-) commit 75b005b949d3dc93b526c3da0a750fd1fc9a703a Merge: 1b0ff89 be4947b Author: David S. Miller Date: Fri Sep 30 02:07:10 2016 -0400 Merge branch 'sctp-fixes' Xin Long says: ==================== sctp: a bunch of fixes for prsctp polices This patchset is to fix 2 issues for prsctp polices: 1. patch 1 and 2 fix "netperf-Throughput_Mbps -37.2% regression" issue when overloading the CPU. 2. patch 3 fix "prsctp polices should check both sides' prsctp_capable, instead of only local side". ==================== Signed-off-by: David S. Miller commit be4947bf46cb0e7a7d089e03c61bab35f1e695ce Author: Xin Long Date: Thu Sep 29 02:37:28 2016 +0800 sctp: change to check peer prsctp_capable when using prsctp polices Now before using prsctp polices, sctp uses asoc->prsctp_enable to check if prsctp is enabled. However asoc->prsctp_enable is set only means local host support prsctp, sctp should not abandon packet if peer host doesn't enable prsctp. So this patch is to use asoc->peer.prsctp_capable to check if prsctp is enabled on both side, instead of asoc->prsctp_enable, as asoc's peer.prsctp_capable is set only when local and peer both enable prsctp. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller net/sctp/chunk.c | 4 ++-- net/sctp/outqueue.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) commit 0605483f6ace1f6b63e397c819a115ddcd13af0d Author: Xin Long Date: Thu Sep 29 02:37:27 2016 +0800 sctp: remove prsctp_param from sctp_chunk Now sctp uses chunk->prsctp_param to save the prsctp param for all the prsctp polices, we didn't need to introduce prsctp_param to sctp_chunk. We can just use chunk->sinfo.sinfo_timetolive for RTX and BUF polices, and reuse msg->expires_at for TTL policy, as the prsctp polices and old expires policy are mutual exclusive. This patch is to remove prsctp_param from sctp_chunk, and reuse msg's expires_at for TTL and chunk's sinfo.sinfo_timetolive for RTX and BUF polices. Note that sctp can't use chunk's sinfo.sinfo_timetolive for TTL policy, as it needs a u64 variables to save the expires_at time. This one also fixes the "netperf-Throughput_Mbps -37.2% regression" issue. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller include/net/sctp/structs.h | 7 ------- net/sctp/chunk.c | 9 +++++++-- net/sctp/outqueue.c | 4 ++-- net/sctp/sm_make_chunk.c | 15 --------------- 4 files changed, 9 insertions(+), 26 deletions(-) commit 73dca124cdbad2d67d47d6196c08325f18447d07 Author: Xin Long Date: Thu Sep 29 02:37:26 2016 +0800 sctp: move sent_count to the memory hole in sctp_chunk Now pahole sctp_chunk, it has 2 memory holes: struct sctp_chunk { struct list_head list; atomic_t refcnt; /* XXX 4 bytes hole, try to pack */ ... long unsigned int prsctp_param; int sent_count; /* XXX 4 bytes hole, try to pack */ This patch is to move up sent_count to fill the 1st one and eliminate the 2nd one. It's not just another struct compaction, it also fixes the "netperf- Throughput_Mbps -37.2% regression" issue when overloading the CPU. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller include/net/sctp/structs.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 1b0ff89852d79354e8a091c81a88df21f5aa9f0a Author: Milton Miller Date: Thu Sep 29 13:24:08 2016 -0300 tg3: Avoid NULL pointer dereference in tg3_io_error_detected() While the driver is probing the adapter, an error may occur before the netdev structure is allocated and attached to pci_dev. In this case, not only netdev isn't available, but the tg3 private structure is also not available as it is just math from the NULL pointer, so dereferences must be skipped. The following trace is seen when the error is triggered: [1.402247] Unable to handle kernel paging request for data at address 0x00001a99 [1.402410] Faulting instruction address: 0xc0000000007e33f8 [1.402450] Oops: Kernel access of bad area, sig: 11 [#1] [1.402481] SMP NR_CPUS=2048 NUMA PowerNV [1.402513] Modules linked in: [1.402545] CPU: 0 PID: 651 Comm: eehd Not tainted 4.4.0-36-generic #55-Ubuntu [1.402591] task: c000001fe4e42a20 ti: c000001fe4e88000 task.ti: c000001fe4e88000 [1.402742] NIP: c0000000007e33f8 LR: c0000000007e3164 CTR: c000000000595ea0 [1.402787] REGS: c000001fe4e8b790 TRAP: 0300 Not tainted (4.4.0-36-generic) [1.402832] MSR: 9000000100009033 CR: 28000422 XER: 20000000 [1.403058] CFAR: c000000000008468 DAR: 0000000000001a99 DSISR: 42000000 SOFTE: 1 GPR00: c0000000007e3164 c000001fe4e8ba10 c0000000015c5e00 0000000000000000 GPR04: 0000000000000001 0000000000000000 0000000000000039 0000000000000299 GPR08: 0000000000000000 0000000000000001 c000001fe4e88000 0000000000000006 GPR12: 0000000000000000 c00000000fb40000 c0000000000e6558 c000003ca1bffd00 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000000d52768 GPR24: c000000000d52740 0000000000000100 c000003ca1b52000 0000000000000002 GPR28: 0000000000000900 0000000000000000 c00000000152a0c0 c000003ca1b52000 [1.404226] NIP [c0000000007e33f8] tg3_io_error_detected+0x308/0x340 [1.404265] LR [c0000000007e3164] tg3_io_error_detected+0x74/0x340 This patch avoids the NULL pointer dereference by moving the access after the netdev NULL pointer check on tg3_io_error_detected(). Also, we add a check for netdev being NULL on tg3_io_resume() [suggested by Michael Chan]. Fixes: 0486a063b1ff ("tg3: prevent ifup/ifdown during PCI error recovery") Fixes: dfc8f370316b ("net/tg3: Release IRQs on permanent error") Tested-by: Guilherme G. Piccoli Signed-off-by: Milton Miller Signed-off-by: Guilherme G. Piccoli Acked-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/tg3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit e3b3656ca63e23b5755183718df36fb9ff518b02 Merge: c6169de 90fd68d Author: Linus Torvalds Date: Thu Sep 29 20:16:57 2016 -0700 Merge tag 'drm-fixes-for-v4.8-final' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "drm fixes for final 4.8. One big regression fix for udl, along with two amdgpu fixes and two nouveau fixes. All seems pretty safe and useful" * tag 'drm-fixes-for-v4.8-final' of git://people.freedesktop.org/~airlied/linux: drm/udl: fix line iterator in damage handling drm/radeon/si/dpm: add workaround for for Jet parts drm/amdgpu: disable CRTCs before teardown drm/nouveau: Revert "bus: remove cpu_coherent flag" drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion commit c6169de7308b397824bd418c5b871b5a42de83d2 Merge: 53061af 595c730 Author: Linus Torvalds Date: Thu Sep 29 14:59:11 2016 -0700 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: - Four fixes for "flush hint" support. Flush hints are addresses advertised by the ACPI 6+ NFIT (NVDIMM Firmware Interface Table) that when written and fenced guarantee that writes pending in platform write buffers (outside the cpu) have been flushed to media. They might also be used by hypervisors as a trigger condition to flush guest-persistent memory ranges to storage. Fix a potential data corruption issue, a broken definition of the hint array, a wrong allocation size for the unit test implementation of the flush hint table, and missing NULL check in an error path. The unit test, while it did not prevent these bugs from being merged, at least triggered occasional crashes in advance of production usages. - Fix handling of ACPI DSM error status results. The DSM mechanism allows communication with platform and memory device firmware. We correctly parse known errors, but were silently ignoring others. Fix it to consistently fail any command with a non-zero status return that we otherwise do not interpret / handle. * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: libnvdimm, region: fix flush hint table thinko nfit: fail DSMs that return non-zero status by default libnvdimm: fix devm_nvdimm_memremap() error path tools/testing/nvdimm: fix allocation range for mock flush hint tables nvdimm: fix PHYS_PFN/PFN_PHYS mixup commit e1bfc11c5a6f40222a698a818dc269113245820e Author: Andy Lutomirski Date: Wed Sep 28 12:34:14 2016 -0700 x86/init: Fix cr4_init_shadow() on CR4-less machines cr4_init_shadow() will panic on 486-like machines without CR4. Fix it using __read_cr4_safe(). Reported-by: david@saggiorato.net Signed-off-by: Andy Lutomirski Reviewed-by: Borislav Petkov Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: 1e02ce4cccdc ("x86: Store a per-cpu shadow copy of CR4") Link: http://lkml.kernel.org/r/43a20f81fb504013bf613913dc25574b45336a61.1475091074.git.luto@kernel.org Signed-off-by: Ingo Molnar arch/x86/include/asm/tlbflush.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 058effe7fdc5776b017356f690976a857eea473f Author: Paul Burton Date: Fri Sep 2 15:17:31 2016 +0100 MIPS: Fix detection of unsupported highmem with cache aliases The paging_init() function contains code which detects that highmem is in use but unsupported due to dcache aliasing. However this code was ineffective because it was being run before the caches are probed, meaning that cpu_has_dc_aliases would always evaluate to false (unless a platform overrides it to a compile-time constant) and the detection of the unsupported case is never triggered. The kernel would then go on to attempt to use highmem & either hit coherency issues or trigger the BUG_ON in flush_kernel_dcache_page(). Fix this by running paging_init() later than cpu_cache_init(), such that the cpu_has_dc_aliases macro will evaluate correctly & the unsupported highmem case will be detected successfully. This then leads to a formerly hidden issue in that mem_init_free_highmem() will attempt to free all highmem pages, even though we're avoiding use of them & don't have valid page structs for them. This leads to an invalid pointer dereference & a TLB exception. Avoid this by skipping the loop in mem_init_free_highmem() if cpu_has_dc_aliases evaluates true. Signed-off-by: Paul Burton Cc: Rabin Vincent Cc: Matt Redfearn Cc: Jerome Marchand Cc: Alexander Sverdlin Cc: Aurelien Jarno Cc: Jaedon Shin Cc: Toshi Kani Cc: James Hogan Cc: Sergey Ryazanov Cc: Jonas Gorski Cc: Kirill A. Shutemov Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14184/ Signed-off-by: Ralf Baechle arch/mips/kernel/setup.c | 2 +- arch/mips/mm/init.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) commit 305723ab439e14debc1d339aa04e835d488b8253 Author: Paul Burton Date: Fri Sep 2 16:07:10 2016 +0100 MIPS: Malta: Fix IOCU disable switch read for MIPS64 Malta boards used with CPU emulators feature a switch to disable use of an IOCU. Software has to check this switch & ignore any present IOCU if the switch is closed. The read used to do this was unsafe for 64 bit kernels, as it simply casted the address 0xbf403000 to a pointer & dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a 64 bit kernel this attempts to access xuseg & results in an address error exception. Fix by accessing a correctly formed ckseg1 address generated using the CKSEG1ADDR macro. Whilst modifying this code, define the name of the register and the bit we care about within it, which indicates whether PCI DMA is routed to the IOCU or straight to DRAM. The code previously checked that bit 0 was also set, but the least significant 7 bits of the CONFIG_GEN0 register contain the value of the MReqInfo signal provided to the IOCU OCP bus, so singling out bit 0 makes little sense & that part of the check is dropped. Signed-off-by: Paul Burton Fixes: b6d92b4a6bdb ("MIPS: Add option to disable software I/O coherency.") Cc: Matt Redfearn Cc: Masahiro Yamada Cc: Kees Cook Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14187/ Signed-off-by: Ralf Baechle arch/mips/mti-malta/malta-setup.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 1eefcbc89cf3a8e252e5aeb25825594699b47360 Author: Paul Burton Date: Fri Aug 19 18:15:40 2016 +0100 MIPS: Fix BUILD_ROLLBACK_PROLOGUE for microMIPS When the kernel is built for microMIPS, branches targets need to be known to be microMIPS code in order to result in bit 0 of the PC being set. The branch target in the BUILD_ROLLBACK_PROLOGUE macro was simply the end of the macro, which may be pointing at padding rather than at code. This results in recent enough GNU linkers complaining like so: mips-img-linux-gnu-ld: arch/mips/built-in.o: .text+0x3e3c: Unsupported branch between ISA modes. mips-img-linux-gnu-ld: final link failed: Bad value Makefile:936: recipe for target 'vmlinux' failed make: *** [vmlinux] Error 1 Fix this by changing the branch target to be the start of the appropriate handler, skipping over any padding. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14019/ Signed-off-by: Ralf Baechle arch/mips/kernel/genex.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 67acd8d5c606cf42e6726767d705851dec9f6a34 Author: Paul Burton Date: Fri Aug 19 18:18:28 2016 +0100 MIPS: clear execution hazard after changing FTLB enable On current P-series cores from Imagination the FTLB can be enabled or disabled via a bit in the Config6 register, and an execution hazard is created by changing the value of bit. The ftlb_disable function already cleared that hazard but that does no good for other callers. Clear the hazard in the set_ftlb_enable function that creates it, and only for the cores where it applies. This has the effect of reverting c982c6d6c48b ("MIPS: cpu-probe: Remove cp0 hazard barrier when enabling the FTLB") which was incorrect. Signed-off-by: Paul Burton Fixes: c982c6d6c48b ("MIPS: cpu-probe: Remove cp0 hazard barrier when enabling the FTLB") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14023/ Signed-off-by: Ralf Baechle arch/mips/kernel/cpu-probe.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit ebd0e0f503d0774407a63ebb5ec1a90bb54941f5 Author: Paul Burton Date: Fri Aug 19 18:18:27 2016 +0100 MIPS: Configure FTLB after probing TLB sizes from config4 On some cores (proAptiv, P5600) we make use of the sizes of the TLBs to determine the desired FTLB:VTLB write ratio. However set_ftlb_enable & thus calculate_ftlb_probability is called before decode_config4. This results in us calculating a probability based on zero sizes, and we end up setting FTLBP=3 for a 3:1 FTLB:VTLB write ratio in all cases. This will make abysmal use of the available FTLB resources in the affected cores. Fix this by configuring the FTLB probability after having decoded config4. However we do need to have enabled the FTLB before that point such that fields in config4 actually reflect that an FTLB is present. So set_ftlb_enable is now called twice, with flags indicating that it should configure the write probability only the second time. Signed-off-by: Paul Burton Fixes: cf0a8aa0226d ("MIPS: cpu-probe: Set the FTLB probability bit on supported cores") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14022/ Signed-off-by: Ralf Baechle arch/mips/kernel/cpu-probe.c | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) commit 72c70f010dfcc9ea6cc13500602a29e33748452f Author: Paul Burton Date: Fri Aug 19 18:18:26 2016 +0100 MIPS: Stop setting I6400 FTLBP The FTLBP field in Config7 for the I6400 is intended as chicken bits for debugging rather than as a field that software actually makes use of. For best performance, FTLBP should be left at its default value of 0 with all TLB writes hitting the FTLB by default. Additionally, since set_ftlb_enable is called from decode_configs before decode_config4 which determines the size of the TLBs, this was previously always setting FTLBP=3 for a 3:1 FTLB:VTLB write ratio which makes abysmal use of the available FTLB resources. This effectively reverts b0c4e1b79d8a ("MIPS: Set up FTLB probability for I6400"). Signed-off-by: Paul Burton Fixes: b0c4e1b79d8a ("MIPS: Set up FTLB probability for I6400") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14021/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mipsregs.h | 2 -- arch/mips/kernel/cpu-probe.c | 9 ++------- 2 files changed, 2 insertions(+), 9 deletions(-) commit 3021773c7c3e75e20b693931a19362681e744ea9 Author: Ralf Baechle Date: Tue Sep 20 14:33:01 2016 +0200 MIPS: DEC: Avoid la pseudo-instruction in delay slots When expanding the la or dla pseudo-instruction in a delay slot the GNU assembler will complain should the pseudo-instruction expand to multiple actual instructions, since only the first of them will be in the delay slot leading to the pseudo-instruction being only partially executed if the branch is taken. Use of PTR_LA in the dec int-handler.S leads to such warnings: arch/mips/dec/int-handler.S: Assembler messages: arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot Avoid this by open coding the PTR_LA macros. Signed-off-by: Ralf Baechle arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) commit 0a900553715c39cfb6170ccc9846b194a4c13ceb Author: Steven J. Hill Date: Fri Aug 26 14:02:04 2016 -0500 MIPS: Octeon: mark GPIO controller node not populated after IRQ init. We clear the OF_POPULATED flag for the GPIO controller node on Octeon processors. Otherwise, none of the devices hanging on the GPIO lines are probed. The 'gpio-leds' driver on OCTEON failed to probe in addition to other devices on Cavium 71xx and 78xx development boards. Fixes: 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") Signed-off-by: Steven J. Hill Tested-by: Aaro Koskinen Cc: David Daney Cc: Rob Herring Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14091/ Signed-off-by: Ralf Baechle arch/mips/cavium-octeon/octeon-irq.c | 6 ++++++ 1 file changed, 6 insertions(+) commit ca86c9ef2b322ebf24772009fdea037688cbdac1 Author: Marcin Nowakowski Date: Thu Sep 22 15:38:33 2016 +0200 MIPS: uprobes: fix use of uninitialised variable arch_uprobe_pre_xol needs to emulate a branch if a branch instruction has been replaced with a breakpoint, but in fact an uninitialised local variable was passed to the emulator routine instead of the original instruction Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14300/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit ddabfa5c2e33f1b495f3e0176de7057850915c0b Author: Marcin Nowakowski Date: Thu Sep 22 15:38:32 2016 +0200 MIPS: uprobes: remove incorrect set_orig_insn Generic kernel code implements a weak version of set_orig_insn that moves cached 'insn' from arch_uprobe to the original code location when the trap is removed. MIPS variant used arch_uprobe->orig_inst which was never initialised properly, so this code only inserted a nop instead of the original instruction. With that change orig_inst can also be safely removed. Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14299/ Signed-off-by: Ralf Baechle arch/mips/include/asm/uprobes.h | 1 - arch/mips/kernel/uprobes.c | 18 ------------------ 2 files changed, 19 deletions(-) commit db06068a4fd44a57b642b369d2a295b8448f6b65 Author: Marcin Nowakowski Date: Thu Sep 22 15:38:31 2016 +0200 MIPS: fix uretprobe implementation arch_uretprobe_hijack_return_addr should replace the return address for a call with a trampoline address. Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14298/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6ca8ac773e97e2dfa5734ae435c40e672dd19ac4 Author: Matt Redfearn Date: Thu Sep 22 11:59:47 2016 +0100 MIPS: smp-cps: Avoid BUG() when offlining pre-r6 CPUs Commit 0d2808f338c7 ("MIPS: smp-cps: Add support for CPU hotplug of MIPSr6 processors") added a call to mips_cm_lock_other in order to lock the CPC in CPUs containing a version 3 or higher Coherence Manager, which use the general CM core other register, where previous CMs had a dedicated core other register for the CPC. A kernel BUG() is triggered, however, if mips_cm_lock_other is called with a VP other than 0 on a CPU with CM < 3, a condition introduced by 0d2808f338c7. Avoid the BUG() by always locking VP0 when locking the CPC, since the required register, cpc_stat_conf, is shared by all vps in a core. Fixes: 0d2808f338c7 ("MIPS: smp-cps: Add support for CPU hotplug...) Signed-off-by: Matt Redfearn Cc: Qais Yousef Cc: Masahiro Yamada Cc: James Hogan Cc: Paul Burton Cc: Andrew Morton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14297/ Signed-off-by: Ralf Baechle arch/mips/kernel/smp-cps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d248220f0465b818887baa9829e691fe662b2c5e Author: Roger Quadros Date: Thu Sep 29 08:32:55 2016 +0100 ARM: 8617/1: dma: fix dma_max_pfn() Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation"), dma_to_pfn() already returns the PFN with the physical memory start offset so we don't need to add it again. This fixes USB mass storage lock-up problem on systems that can't do DMA over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM can only do DMA over the first 2GB. [K2E-EVM]. What happens there is that without this patch SCSI layer sets a wrong bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2 is 0x87fffffff. This results in non DMA'ble pages being given to the USB controller and hence the lock-up. NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0. This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000 and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be 0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because USB devices are not correctly inheriting the dma_pfn_offset from the USB host controller. This will be fixed by a separate patch. Fixes: 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation") Cc: stable@vger.kernel.org Cc: Greg Kroah-Hartman Cc: Santosh Shilimkar Cc: Arnd Bergmann Cc: Olof Johansson Cc: Catalin Marinas Cc: Linus Walleij Reported-by: Grygorii Strashko Signed-off-by: Roger Quadros Signed-off-by: Russell King arch/arm/include/asm/dma-mapping.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ba6dea4f7cedb4b1c17e36f4087675d817c2e24b Author: Robin Murphy Date: Mon Sep 26 16:50:55 2016 +0100 ARM: 8616/1: dt: Respect property size when parsing CPUs Whilst MPIDR values themselves are less than 32 bits, it is still perfectly valid for a DT to have #address-cells > 1 in the CPUs node, resulting in the "reg" property having leading zero cell(s). In that situation, the big-endian nature of the data conspires with the current behaviour of only reading the first cell to cause the kernel to think all CPUs have ID 0, and become resoundingly unhappy as a consequence. Take the full property length into account when parsing CPUs so as to be correct under any circumstances. Cc: Russell King Signed-off-by: Robin Murphy Signed-off-by: Russell King arch/arm/kernel/devtree.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit 2a0100d7beebd2fb2c436852648f75396253e9f8 Author: David S. Miller Date: Wed Sep 28 20:40:52 2016 -0400 sparc64: Fix non-SMP build. Need to provide a dummy smp_fill_in_cpu_possible_map. Fixes: 9b2f753ec237 ("sparc64: Fix cpu_possible_mask if nr_cpus is set") Reported-by: kbuild test robot Signed-off-by: David S. Miller arch/sparc/include/asm/smp_64.h | 1 + 1 file changed, 1 insertion(+) commit 53061afee43bc5041b67a45b6d793e7afdcf9ca7 Merge: ae6dd8d 231e97e Author: Linus Torvalds Date: Wed Sep 28 16:20:24 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "4 fixes" * emailed patches from Andrew Morton : mem-hotplug: use nodes that contain memory as mask in new_node_page() scripts/recordmcount.c: account for .softirqentry.text dma-mapping.h: preserve unmap info for CONFIG_DMA_API_DEBUG mm,ksm: fix endless looping in allocating memory when ksm enable commit 231e97e2b8ec9a1556ced5d8a89cda03a480b179 Author: Li Zhong Date: Wed Sep 28 15:22:38 2016 -0700 mem-hotplug: use nodes that contain memory as mask in new_node_page() 9bb627be47a5 ("mem-hotplug: don't clear the only node in new_node_page()") prevents allocating from an empty nodemask, but as David points out, it is still wrong. As node_online_map may include memoryless nodes, only allocating from these nodes is meaningless. This patch uses node_states[N_MEMORY] mask to prevent the above case. Fixes: 9bb627be47a5 ("mem-hotplug: don't clear the only node in new_node_page()") Fixes: 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") Link: http://lkml.kernel.org/r/1474447117.28370.6.camel@TP420 Signed-off-by: Li Zhong Suggested-by: David Rientjes Acked-by: Vlastimil Babka Cc: Michal Hocko Cc: John Allen Cc: Xishi Qiu Cc: Joonsoo Kim Cc: Naoya Horiguchi Cc: Tetsuo Handa Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memory_hotplug.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit e436fd61a8f62cb7a16310a42b95ab076ff72eff Author: Dmitry Vyukov Date: Wed Sep 28 15:22:36 2016 -0700 scripts/recordmcount.c: account for .softirqentry.text be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections") added .softirqentry.text section, but it was not added to recordmcount. So functions in the section are untracable. Add the section to scripts/recordmcount.c and scripts/recordmcount.pl. Fixes: be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections") Link: http://lkml.kernel.org/r/1474902626-73468-1-git-send-email-dvyukov@google.com Signed-off-by: Dmitry Vyukov Acked-by: Steve Rostedt Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/recordmcount.c | 1 + scripts/recordmcount.pl | 1 + 2 files changed, 2 insertions(+) commit 2481366afd71a0c0b7cd725e6750c04cf589673b Author: Andrey Smirnov Date: Wed Sep 28 15:22:33 2016 -0700 dma-mapping.h: preserve unmap info for CONFIG_DMA_API_DEBUG When CONFIG_DMA_API_DEBUG is enabled we need to preserve unmapping address even if "unmap" is a no-op for our architecutre because we need debug_dma_unmap_page() to correctly cleanup all of the debug bookkeeping. Failing to do so results in a false positive warnings about previously mapped areas never being unmapped. Link: http://lkml.kernel.org/r/1474387125-3713-1-git-send-email-andrew.smirnov@gmail.com Signed-off-by: Andrey Smirnov Reviewed-by: Robin Murphy Cc: Joerg Roedel Cc: Will Deacon Cc: Zhen Lei Cc: "Luis R. Rodriguez" Cc: Christian Borntraeger Cc: Geliang Tang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/dma-mapping.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5b398e416e880159fe55eefd93c6588fa072cd66 Author: zhong jiang Date: Wed Sep 28 15:22:30 2016 -0700 mm,ksm: fix endless looping in allocating memory when ksm enable I hit the following hung task when runing a OOM LTP test case with 4.1 kernel. Call trace: [] __switch_to+0x74/0x8c [] __schedule+0x23c/0x7bc [] schedule+0x3c/0x94 [] rwsem_down_write_failed+0x214/0x350 [] down_write+0x64/0x80 [] __ksm_exit+0x90/0x19c [] mmput+0x118/0x11c [] do_exit+0x2dc/0xa74 [] do_group_exit+0x4c/0xe4 [] get_signal+0x444/0x5e0 [] do_signal+0x1d8/0x450 [] do_notify_resume+0x70/0x78 The oom victim cannot terminate because it needs to take mmap_sem for write while the lock is held by ksmd for read which loops in the page allocator ksm_do_scan scan_get_next_rmap_item down_read get_next_rmap_item alloc_rmap_item #ksmd will loop permanently. There is no way forward because the oom victim cannot release any memory in 4.1 based kernel. Since 4.6 we have the oom reaper which would solve this problem because it would release the memory asynchronously. Nevertheless we can relax alloc_rmap_item requirements and use __GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan would just retry later after the lock got dropped. Such a patch would be also easy to backport to older stable kernels which do not have oom_reaper. While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed by the allocation failure. Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com Signed-off-by: zhong jiang Suggested-by: Hugh Dickins Suggested-by: Michal Hocko Acked-by: Michal Hocko Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/ksm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit ae6dd8d61913b5341067c7c660e8e91430d22e7c Merge: 0a966fa f6d7c1b Author: Linus Torvalds Date: Wed Sep 28 12:53:08 2016 -0700 Merge tag 'for-linus-20160928' of git://git.infradead.org/linux-mtd Pull late MTD fixes from Brian Norris: "Another round of MTD fixes for v4.8 My apologies for sending this so late. I've been fairly absent as a maintainer this cycle, but I did queue these up weeks ago. In the meantime, Richard was able to handle some other fixes (thanks!) but didn't pick these up. On the bright side, these are very simple changes that should carry little risk. Summary: - Davinci NAND: fix a long-standing bug in how we clear/prep 4-bit ECC - OMAP NAND: an error-handling fix that made it into v4.8-rc1 caused error-handling cases in other configurations/code-paths; this fixes the fix" * tag 'for-linus-20160928' of git://git.infradead.org/linux-mtd: mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl mtd: nand: omap2: Don't call dma_release_channel() if dma_request_chan() failed commit 0a966fa8914aafeb430f9e8489227e86d8468625 Author: Mark Fasheh Date: Wed Sep 28 12:51:04 2016 -0700 MAINTAINERS: Update my e-mail I will be starting employment at Versity next week and would like to update my MAINTAINERS e-mail to reflect that change. My versity e-mail is already activated so I shouldn't get any bounces on the new one. My ability to help with Ocfs2 kernel maintenance won't change as a result of the new job. Signed-off-by: Mark Fasheh Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ebb99a4c12e4daabe1940ae936e8e7e97ae68c6f Author: Atish Patra Date: Thu Sep 15 14:54:41 2016 -0600 sparc64: Fix irq stack bootmem allocation. Currently, irq stack bootmem is allocated for all possible cpus before nr_cpus value changes the list of possible cpus. As a result, there is unnecessary wastage of bootmemory. Move the irq stack bootmem allocation so that it happens after possible cpu list is modified based on nr_cpus value. Signed-off-by: Atish Patra Reviewed-by: Bob Picco Reviewed-by: Vijay Kumar Signed-off-by: David S. Miller arch/sparc/kernel/setup_64.c | 25 +++++++++++++++++++++++++ arch/sparc/mm/init_64.c | 16 ---------------- 2 files changed, 25 insertions(+), 16 deletions(-) commit 9b2f753ec23710aa32c0d837d2499db92fe9115b Author: Atish Patra Date: Thu Sep 15 14:54:40 2016 -0600 sparc64: Fix cpu_possible_mask if nr_cpus is set If kernel boot parameter nr_cpus is set, it should define the number of CPUs that can ever be available in the system i.e. cpu_possible_mask. setup_nr_cpu_ids() overrides the nr_cpu_ids based on the cpu_possible_mask during kernel initialization. If cpu_possible_mask is not set based on the nr_cpus value, earlier part of the kernel would be initialized using nr_cpus value leading to a kernel crash. Set cpu_possible_mask based on nr_cpus value. Thus setup_nr_cpu_ids() becomes redundant and does not corrupt nr_cpu_ids value. Signed-off-by: Atish Patra Reviewed-by: Bob Picco Reviewed-by: Vijay Kumar Signed-off-by: David S. Miller arch/sparc/include/asm/smp_64.h | 1 + arch/sparc/kernel/setup_64.c | 1 + arch/sparc/kernel/smp_64.c | 14 ++++++++++++++ 3 files changed, 16 insertions(+) commit 1e953d846ac015fbfcf09c857e8f893924cb629c Author: Mike Kravetz Date: Wed Aug 31 13:48:19 2016 -0700 sparc64 mm: Fix more TSB sizing issues Commit af1b1a9b36b8 ("sparc64 mm: Fix base TSB sizing when hugetlb pages are used") addressed the difference between hugetlb and THP pages when computing TSB sizes. The following additional issues were also discovered while working with the code. In order to save memory, THP makes use of a huge zero page. This huge zero page does not count against a task's RSS, but it does consume TSB entries. This is similar to hugetlb pages. Therefore, count huge zero page entries in hugetlb_pte_count. Accounting of THP pages is done in the routine set_pmd_at(). Unfortunately, this does not catch the case where a THP page is split. To handle this case, decrement the count in pmdp_invalidate(). pmdp_invalidate is only called when splitting a THP. However, 'sanity checks' are added in case it is ever called for other purposes. A more general issue exists with HPAGE_SIZE accounting. hugetlb_pte_count tracks the number of HPAGE_SIZE (8M) pages. This value is used to size the TSB for HPAGE_SIZE pages. However, each HPAGE_SIZE page consists of two REAL_HPAGE_SIZE (4M) pages. The TSB contains an entry for each REAL_HPAGE_SIZE page. Therefore, the number of REAL_HPAGE_SIZE pages should be used to size the huge page TSB. A new compile time constant REAL_HPAGE_PER_HPAGE is used to multiply hugetlb_pte_count before sizing the TSB. Changes from V1 - Fixed build issue if hugetlb or THP not configured Signed-off-by: Mike Kravetz Signed-off-by: David S. Miller arch/sparc/include/asm/page_64.h | 1 + arch/sparc/mm/fault_64.c | 1 + arch/sparc/mm/tlb.c | 35 +++++++++++++++++++++++++++++++---- arch/sparc/mm/tsb.c | 18 ++++++++++++------ 4 files changed, 45 insertions(+), 10 deletions(-) commit bdf2f59e64eb9cd9e9dd90f990a9577640470c8a Author: Paul Gortmaker Date: Sat Aug 6 00:31:48 2016 -0400 sparc64: fix section mismatch in find_numa_latencies_for_group To fix: WARNING: vmlinux.o(.text.unlikely+0x580): Section mismatch in reference from the function find_numa_latencies_for_group() to the function .init.text:find_mlgroup() The function find_numa_latencies_for_group() references the function __init find_mlgroup(). This is often because find_numa_latencies_for_group lacks a __init annotation or the annotation of find_mlgroup is wrong. It turns out find_numa_latencies_for_group is only called from: static int __init numa_parse_mdesc(void) and hence we can tag find_numa_latencies_for_group with __init. In doing so we see that find_best_numa_node_for_mlgroup is only called from within __init and hence can also be marked with __init. Cc: "David S. Miller" Cc: Nitin Gupta Cc: Chris Hyser Cc: Santosh Shilimkar Cc: sparclinux@vger.kernel.org Signed-off-by: Paul Gortmaker Signed-off-by: David S. Miller arch/sparc/mm/init_64.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 539294b76af8922297702a7ebb8cafe68f7e5376 Merge: 14a5916 8d58881 Author: James Bottomley Date: Tue Sep 27 22:30:51 2016 -0700 Merge remote-tracking branch 'mkp-scsi/4.8/scsi-fixes' into fixes commit 90fd68dcf9a763f7e575c8467415bd8a66d073f4 Author: David Herrmann Date: Fri Sep 23 12:36:02 2016 +0200 drm/udl: fix line iterator in damage handling The udl damage handler is supposed to render 'height' lines, but its iterator has an obvious typo that makes it miss most lines if the rectangle does not cover 0/0. Fix the damage handler to correctly render all lines. This is a fallout from: commit e375882406d0cc24030746638592004755ed4ae0 Author: Noralf Trønnes Date: Thu Apr 28 17:18:37 2016 +0200 drm/udl: Use drm_fb_helper deferred_io support Tested-by: poma Cc: stable@vger.kernel.org # 4.7+ Reviewed-by: Daniel Vetter Signed-off-by: David Herrmann Reviewed-by: Eric Engestrom Signed-off-by: Dave Airlie drivers/gpu/drm/udl/udl_fb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit aaee1d1e2d97e3cb99cf0e096d2172237d762e4e Merge: b86f9fa bad3d80 Author: Dave Airlie Date: Wed Sep 28 10:23:50 2016 +1000 Merge branch 'linux-4.8' of git://github.com/skeggsb/linux into drm-fixes nouveau: couple of fixes. * 'linux-4.8' of git://github.com/skeggsb/linux: drm/nouveau: Revert "bus: remove cpu_coherent flag" drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion commit b86f9faa34b4f08f4fbca333648d999bfcf42192 Merge: 08895a8 670bb4f Author: Dave Airlie Date: Wed Sep 28 10:19:35 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes two amd fixes. * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/radeon/si/dpm: add workaround for for Jet parts drm/amdgpu: disable CRTCs before teardown commit 8ab293e3a1376574e11f9059c09cc0db212546cb Merge: 08895a8 9157056 Author: Linus Torvalds Date: Tue Sep 27 16:43:11 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Three late fixes for cgroup: Two cpuset ones, one trivial and the other pretty obscure, and a cgroup core fix for a bug which impacts cgroup v2 namespace users" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: fix invalid controller enable rejections with cgroup namespace cpuset: fix non static symbol warning cpuset: handle race between CPU hotplug and cpuset_hotplug_work commit 670bb4fd21c966d0d2a59ad4a99bb4889f9a2987 Author: Alex Deucher Date: Mon Sep 26 15:32:50 2016 -0400 drm/radeon/si/dpm: add workaround for for Jet parts Add clock quirks for Jet parts. Reviewed-by: Sonny Jiang Tested-by: Sonny Jiang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++ 1 file changed, 6 insertions(+) commit a951ed85abd4615e98e36b536e3b3b07b22a88ac Author: Grazvydas Ignotas Date: Sun Sep 25 23:34:48 2016 +0300 drm/amdgpu: disable CRTCs before teardown Some code called by drm_crtc_force_disable_all() wants to wait for all fences, so only do fence teardown after CRTCs are disabled. Fixes: 84b89bdcedf8 ("drm/amdgpu: Turn off CRTCs on driver unload") Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Grazvydas Ignotas Signed-off-by: Alex Deucher drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7b8147aae741fedb7eab970361cd051d47bc8021 Merge: 1190cfd c006da0 Author: David S. Miller Date: Tue Sep 27 09:53:30 2016 -0400 Merge branch 'act_ife-fixes' Yotam Gigi says: ==================== Fix tc-ife bugs This patch-set contains two bugfixes in the tc-ife action, one fixing some random behaviour in encode side, and one fixing the decode side packet parsing logic. v2->v3 - Fix the encode side instead of the decode side ==================== Signed-off-by: David S. Miller commit c006da0be033b6ddcd27ee603d0ee01491236642 Author: Yotam Gigi Date: Mon Sep 26 13:45:26 2016 +0300 act_ife: Fix false encoding On ife encode side, the action stores the different tlvs inside the ife header, where each tlv length field should refer to the length of the whole tlv (without additional padding) and not just the data length. On ife decode side, the action iterates over the tlvs in the ife header and parses them one by one, where in each iteration the current pointer is advanced according to the tlv size. Before, the encoding encoded only the data length inside the tlv, which led to false parsing of ife the header. In addition, due to the fact that the loop counter was unsigned, it could lead to infinite parsing loop. This fix changes the loop counter to be signed and fixes the encoding to take into account the tlv type and size. Fixes: 28a10c426e81 ("net sched: fix encoding to use real length") Acked-by: Jamal Hadi Salim Signed-off-by: Yotam Gigi Signed-off-by: David S. Miller net/sched/act_ife.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4b1d488a285a446329825d5fe91f987b7880e6e5 Author: Yotam Gigi Date: Mon Sep 26 13:45:25 2016 +0300 act_ife: Fix external mac header on encode On ife encode side, external mac header is copied from the original packet and may be overridden if the user requests. Before, the mac header copy was done from memory region that might not be accessible anymore, as skb_cow_head might free it and copy the packet. This led to random values in the external mac header once the values were not set by user. This fix takes the internal mac header from the packet, after the call to skb_cow_head. Fixes: ef6980b6becb ("net sched: introduce IFE action") Acked-by: Jamal Hadi Salim Signed-off-by: Yotam Gigi Signed-off-by: David S. Miller net/sched/act_ife.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 1190cfdb1a19d89561ae51cff7d9c2ead24b3ebe Author: Jorgen Hansen Date: Mon Sep 26 23:59:53 2016 -0700 VSOCK: Don't dec ack backlog twice for rejected connections If a pending socket is marked as rejected, we will decrease the sk_ack_backlog twice. So don't decrement it for rejected sockets in vsock_pending_work(). Testing of the rejected socket path was done through code modifications. Reported-by: Stefan Hajnoczi Signed-off-by: Jorgen Hansen Reviewed-by: Adit Ranadive Reviewed-by: Aditya Sarwade Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit bf1a85a8381a0f749aa321d7881b456b36eb398d Author: Florian Fainelli Date: Sat Sep 24 12:58:30 2016 -0700 Revert "net: ethernet: bcmgenet: use phydev from struct net_device" This reverts commit 62469c76007e ("net: ethernet: bcmgenet: use phydev from struct net_device") because it causes GENETv1/2/3 adapters to expose the following behavior after an ifconfig down/up sequence: PING fainelli-linux (10.112.156.244): 56 data bytes 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.352 ms 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.472 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.496 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.517 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.536 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.557 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=752.448 ms (DUP!) This was previously fixed by commit 5dbebbb44a6a ("net: bcmgenet: Software reset EPHY after power on") but the commit we are reverting was essentially making this previous commit void, here is why. Without commit 62469c76007e we would have the following scenario after an ifconfig down then up sequence: - bcmgenet_open() calls bcmgenet_power_up() to make sure the PHY is initialized *before* we get to initialize the UniMAC, this is critical to ensure the PHY is in a correct state, priv->phydev is valid, this code executes fine - second time from bcmgenet_mii_probe(), through the normal phy_init_hw() call (which arguably could be optimized out) Everything is fine in that case. With commit 62469c76007e, we would have the following scenario to happen after an ifconfig down then up sequence: - bcmgenet_close() calls phy_disonnect() which makes dev->phydev become NULL - when bcmgenet_open() executes again and calls bcmgenet_mii_reset() from bcmgenet_power_up() to initialize the internal PHY, the NULL check becomes true, so we do not reset the PHY, yet we keep going on and initialize the UniMAC, causing MAC activity to occur - we call bcmgenet_mii_reset() from bcmgenet_mii_probe(), but this is too late, the PHY is botched, and causes the above bogus pings/packets transmission/reception to occur Reported-by: Jaedon Shin Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/genet/bcmgenet.c | 45 ++++++++++++++------------ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 1 + drivers/net/ethernet/broadcom/genet/bcmmii.c | 24 +++++++------- 3 files changed, 39 insertions(+), 31 deletions(-) commit 6c1394f30bae67d5dd8648a38679876ad4afc4f1 Merge: 2cf7507 3ac72b7 Author: David S. Miller Date: Tue Sep 27 07:39:38 2016 -0400 Merge branch 'fec-align' Eric Nelson says: ==================== net: fec: updates to align IP header This patch series is the outcome of investigation into very high numbers of alignment faults on kernel 4.1.33 from the linux-fslc tree: https://github.com/freescale/linux-fslc/tree/4.1-1.0.x-imx The first two patches remove support for the receive accelerator (RACC) from the i.MX25 and i.MX27 SoCs which don't support the function. The third patch enables hardware alignment of the ethernet packet payload (and especially the IP header) to prevent alignment faults in the IP stack. Testing on i.MX6UL on the 4.1.33 kernel showed that this patch removed on the order of 70k alignment faults during a 100MiB transfer using wget. Testing on an i.MX6Q (SABRE Lite) board on net-next (4.8.0-rc7) showed a much more modest improvement from 10's of faults, and it's not clear why that's the case. ==================== Acked-by: Fugang Duan Signed-off-by: David S. Miller commit 3ac72b7b63d57b231dda1e8f8d13872e0d7e8603 Author: Eric Nelson Date: Sat Sep 24 07:42:19 2016 -0700 net: fec: align IP header in hardware The FEC receive accelerator (RACC) supports shifting the data payload of received packets by 16-bits, which aligns the payload (IP header) on a 4-byte boundary, which is, if not required, at least strongly suggested by the Linux networking layer. Without this patch, a huge number of alignment faults will be taken by the IP stack, as seen in /proc/cpu/alignment: ~/$ cat /proc/cpu/alignment User: 0 System: 72645 (inet_gro_receive+0x104/0x27c) Skipped: 0 Half: 0 Word: 0 DWord: 0 Multi: 72645 User faults: 3 (fixup+warn) This patch was suggested by Andrew Lunn in this message to linux-netdev: http://marc.info/?l=linux-arm-kernel&m=147465452108384&w=2 and adapted from a patch by Russell King from 2014: http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?id=70d8a8a Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 97dc499c1ae396bc0d529f5b1aef3138de1ae7de Author: Eric Nelson Date: Sat Sep 24 07:42:18 2016 -0700 net: fec: remove QUIRK_HAS_RACC from i.mx27 According to the i.MX27 reference manual, this SoC does not have support for the receive accelerator (RACC) register at offset 0x1C4. http://cache.nxp.com/files/32bit/doc/ref_manual/MCIMX27RM.pdf Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 653d37d8bca0be2c7c53c8578980b06840482427 Author: Eric Nelson Date: Sat Sep 24 07:42:17 2016 -0700 net: fec: remove QUIRK_HAS_RACC from i.mx25 According to the i.MX25 reference manual, this SoC does not have support for the receive accelerator (RACC) register at offset 0x1C4. http://www.nxp.com/files/dsp/doc/ref_manual/IMX25RM.pdf Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9fb6de1b0bf4ec11573b76059da3c3b39ac7f2ff Author: Ville Ranki Date: Thu Sep 15 15:31:27 2016 -0700 Input: joydev - recognize devices with Z axis as joysticks Current implementation of joydev's input_device_id table recognizes only devices with ABS_X, ABS_WHEEL or ABS_THROTTLE axes as joysticks. There are joystick devices that do not have those axes, for example TRC Rudder device. The device in question has ABS_Z, ABS_RX and ABS_RY axes causing it not being detected as joystick. This patch adds ABS_Z to the input_device_id list allowing devices with ABS_Z axis to be detected correctly. Signed-off-by: Ville Ranki Signed-off-by: Dmitry Torokhov drivers/input/joydev.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 8d58881b995904bf8b150dae69be0829f832e7be Author: Bart Van Assche Date: Thu Sep 22 14:20:54 2016 -0700 scsi: Avoid that toggling use_blk_mq triggers a memory leak This patch avoids that the following memory leak is triggered if use_blk_mq is disabled after a SCSI host has been allocated by the ib_srp driver and before the same SCSI host is freed: unreferenced object 0xffff8803a168c568 (size 256): backtrace: [] kmemleak_alloc+0x45/0xa0 [] __kmalloc_node+0x1e4/0x400 [] blk_mq_alloc_tag_set+0xb4/0x230 [] scsi_mq_setup_tags+0xc7/0xd0 [] scsi_add_host_with_dma+0x216/0x2d0 [] srp_create_target+0xe55/0x13d0 [ib_srp] [] dev_attr_store+0x13/0x20 [] sysfs_kf_write+0x40/0x50 [] kernfs_fop_write+0x137/0x1c0 [] __vfs_write+0x23/0x140 [] vfs_write+0xb0/0x190 [] SyS_write+0x44/0xa0 [] entry_SYSCALL_64_fastpath+0x18/0xa8 Fixes: 9aa9cc4221f5 ("scsi: remove the disable_blk_mq host flag") Signed-off-by: Bart Van Assche Cc: Christoph Hellwig Cc: Martin K. Petersen Cc: Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen drivers/scsi/hosts.c | 2 ++ drivers/scsi/scsi.c | 1 - drivers/scsi/scsi_priv.h | 1 + include/scsi/scsi_host.h | 5 +---- 4 files changed, 4 insertions(+), 5 deletions(-) commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 Author: Nikolay Aleksandrov Date: Sun Sep 25 23:08:31 2016 +0200 ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid instead of the previous dst_pid which was copied from in_skb's portid. Since the skb is new the portid is 0 at that point so the packets are sent to the kernel and we get scheduling while atomic or a deadlock (depending on where it happens) by trying to acquire rtnl two times. Also since this is RTM_GETROUTE, it can be triggered by a normal user. Here's the sleeping while atomic trace: [ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 [ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0 [ 7858.212881] 2 locks held by swapper/0/0: [ 7858.213013] #0: (((&mrt->ipmr_expire_timer))){+.-...}, at: [] call_timer_fn+0x5/0x350 [ 7858.213422] #1: (mfc_unres_lock){+.....}, at: [] ipmr_expire_process+0x25/0x130 [ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179 [ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 7858.214108] 0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000 [ 7858.214412] ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e [ 7858.214716] 000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f [ 7858.215251] Call Trace: [ 7858.215412] [] dump_stack+0x85/0xc1 [ 7858.215662] [] ___might_sleep+0x192/0x250 [ 7858.215868] [] __might_sleep+0x6f/0x100 [ 7858.216072] [] mutex_lock_nested+0x33/0x4d0 [ 7858.216279] [] ? netlink_lookup+0x25f/0x460 [ 7858.216487] [] rtnetlink_rcv+0x1b/0x40 [ 7858.216687] [] netlink_unicast+0x19c/0x260 [ 7858.216900] [] rtnl_unicast+0x20/0x30 [ 7858.217128] [] ipmr_destroy_unres+0xa9/0xf0 [ 7858.217351] [] ipmr_expire_process+0x8f/0x130 [ 7858.217581] [] ? ipmr_net_init+0x180/0x180 [ 7858.217785] [] ? ipmr_net_init+0x180/0x180 [ 7858.217990] [] call_timer_fn+0xa5/0x350 [ 7858.218192] [] ? call_timer_fn+0x5/0x350 [ 7858.218415] [] ? ipmr_net_init+0x180/0x180 [ 7858.218656] [] run_timer_softirq+0x260/0x640 [ 7858.218865] [] ? __do_softirq+0xbb/0x54f [ 7858.219068] [] __do_softirq+0xe8/0x54f [ 7858.219269] [] irq_exit+0xb8/0xc0 [ 7858.219463] [] smp_apic_timer_interrupt+0x42/0x50 [ 7858.219678] [] apic_timer_interrupt+0x8c/0xa0 [ 7858.219897] [] ? native_safe_halt+0x6/0x10 [ 7858.220165] [] ? trace_hardirqs_on+0xd/0x10 [ 7858.220373] [] default_idle+0x23/0x190 [ 7858.220574] [] arch_cpu_idle+0xf/0x20 [ 7858.220790] [] default_idle_call+0x4c/0x60 [ 7858.221016] [] cpu_startup_entry+0x39b/0x4d0 [ 7858.221257] [] rest_init+0x135/0x140 [ 7858.221469] [] start_kernel+0x50e/0x51b [ 7858.221670] [] ? early_idt_handler_array+0x120/0x120 [ 7858.221894] [] x86_64_start_reservations+0x2a/0x2c [ 7858.222113] [] x86_64_start_kernel+0x13b/0x14a Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller include/linux/mroute.h | 2 +- include/linux/mroute6.h | 2 +- net/ipv4/ipmr.c | 3 ++- net/ipv4/route.c | 3 ++- net/ipv6/ip6mr.c | 5 +++-- net/ipv6/route.c | 4 +++- 6 files changed, 12 insertions(+), 7 deletions(-) commit 08895a8b6b06ed2323cd97a36ee40a116b3db8ed Author: Linus Torvalds Date: Sun Sep 25 18:47:13 2016 -0700 Linux 4.8-rc8 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4c04b4b534cbe8c0cc0661e232bbb9708e212bc2 Merge: 90b75db 1ae2293 Author: Linus Torvalds Date: Sun Sep 25 18:40:13 2016 -0700 Merge tag 'trace-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracefs fixes from Steven Rostedt: "Al Viro has been looking at the tracefs code, and has pointed out some issues. This contains one fix by me and one by Al. I'm sure that he'll come up with more but for now I tested these patches and they don't appear to have any negative impact on tracing" * tag 'trace-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: fix memory leaks in tracing_buffers_splice_read() tracing: Move mutex to protect against resetting of seq data commit 90b75db6498a19da96dac4b55c909ff3721f3045 Author: Dave Chinner Date: Mon Sep 26 09:57:33 2016 +1000 fault_in_multipages_readable() throws set-but-unused error When building XFS with -Werror, it now fails with: include/linux/pagemap.h: In function 'fault_in_multipages_readable': include/linux/pagemap.h:602:16: error: variable 'c' set but not used [-Werror=unused-but-set-variable] volatile char c; ^ This is a regression caused by commit e23d4159b109 ("fix fault_in_multipages_...() on architectures with no-op access_ok()"). Fix it by re-adding the "(void)c" trick taht was previously used to make the compiler think the variable is used. Signed-off-by: Dave Chinner Cc: Al Viro Signed-off-by: Linus Torvalds include/linux/pagemap.h | 1 + 1 file changed, 1 insertion(+) commit 38e088546522e1e86d2b8f401a1354ad3a9b3303 Author: Lorenzo Stoakes Date: Sun Sep 11 23:54:25 2016 +0100 mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing The NUMA balancing logic uses an arch-specific PROT_NONE page table flag defined by pte_protnone() or pmd_protnone() to mark PTEs or huge page PMDs respectively as requiring balancing upon a subsequent page fault. User-defined PROT_NONE memory regions which also have this flag set will not normally invoke the NUMA balancing code as do_page_fault() will send a segfault to the process before handle_mm_fault() is even called. However if access_remote_vm() is invoked to access a PROT_NONE region of memory, handle_mm_fault() is called via faultin_page() and __get_user_pages() without any access checks being performed, meaning the NUMA balancing logic is incorrectly invoked on a non-NUMA memory region. A simple means of triggering this problem is to access PROT_NONE mmap'd memory using /proc/self/mem which reliably results in the NUMA handling functions being invoked when CONFIG_NUMA_BALANCING is set. This issue was reported in bugzilla (issue 99101) which includes some simple repro code. There are BUG_ON() checks in do_numa_page() and do_huge_pmd_numa_page() added at commit c0e7cad to avoid accidentally provoking strange behaviour by attempting to apply NUMA balancing to pages that are in fact PROT_NONE. The BUG_ON()'s are consistently triggered by the repro. This patch moves the PROT_NONE check into mm/memory.c rather than invoking BUG_ON() as faulting in these pages via faultin_page() is a valid reason for reaching the NUMA check with the PROT_NONE page table flag set and is therefore not always a bug. Link: https://bugzilla.kernel.org/show_bug.cgi?id=99101 Reported-by: Trevor Saunders Signed-off-by: Lorenzo Stoakes Acked-by: Rik van Riel Cc: Andrew Morton Cc: Mel Gorman Signed-off-by: Linus Torvalds mm/huge_memory.c | 3 --- mm/memory.c | 12 +++++++----- 2 files changed, 7 insertions(+), 8 deletions(-) commit 831e45d84a971495c882bc186d98bbb825b2ee59 Merge: 751b9a5 116e711 Author: Linus Torvalds Date: Sun Sep 25 13:59:52 2016 -0700 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus Pull MIPS fixes from Ralf Baechle: "A round of 4.8 fixes: MIPS generic code: - Add a missing ".set pop" in an early commit - Fix memory regions reaching top of physical - MAAR: Fix address alignment - vDSO: Fix Malta EVA mapping to vDSO page structs - uprobes: fix incorrect uprobe brk handling - uprobes: select HAVE_REGS_AND_STACK_ACCESS_API - Avoid a BUG warning during PR_SET_FP_MODE prctl - SMP: Fix possibility of deadlock when bringing CPUs online - R6: Remove compact branch policy Kconfig entries - Fix size calc when avoiding IPIs for small icache flushes - Fix pre-r6 emulation FPU initialisation - Fix delay slot emulation count in debugfs ATH79: - Fix test for error return of clk_register_fixed_factor. Octeon: - Fix kernel header to work for VDSO build. - Fix initialization of platform device probing. paravirt: - Fix undefined reference to smp_bootstrap" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: Fix delay slot emulation count in debugfs MIPS: SMP: Fix possibility of deadlock when bringing CPUs online MIPS: Fix pre-r6 emulation FPU initialisation MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs MIPS: Select HAVE_REGS_AND_STACK_ACCESS_API MIPS: Octeon: Fix platform bus probing MIPS: Octeon: mangle-port: fix build failure with VDSO code MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) MIPS: c-r4k: Fix size calc when avoiding IPIs for small icache flushes MIPS: Add a missing ".set pop" in an early commit MIPS: paravirt: Fix undefined reference to smp_bootstrap MIPS: Remove compact branch policy Kconfig entries MIPS: MAAR: Fix address alignment MIPS: Fix memory regions reaching top of physical MIPS: uprobes: fix incorrect uprobe brk handling MIPS: ath79: Fix test for error return of clk_register_fixed_factor(). commit 751b9a5d16cf318d715b0e6c7f3631d8185143ee Merge: 8d2c0d3 b79331a Author: Linus Torvalds Date: Sun Sep 25 13:52:59 2016 -0700 Merge tag 'powerpc-4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull one more powerpc fix from Michael Ellerman: "powernv/pci: Fix m64 checks for SR-IOV and window alignment from Russell Currey" * tag 'powerpc-4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv/pci: Fix m64 checks for SR-IOV and window alignment commit 8d2c0d36d6826ddc3114801c599619d3f2932f0a Author: Linus Torvalds Date: Sun Sep 25 13:32:46 2016 -0700 radix tree: fix sibling entry handling in radix_tree_descend() The fixes to the radix tree test suite show that the multi-order case is broken. The basic reason is that the radix tree code uses tagged pointers with the "internal" bit in the low bits, and calculating the pointer indices was supposed to mask off those bits. But gcc will notice that we then use the index to re-create the pointer, and will avoid doing the arithmetic and use the tagged pointer directly. This cleans the code up, using the existing is_sibling_entry() helper to validate the sibling pointer range (instead of open-coding it), and using entry_to_node() to mask off the low tag bit from the pointer. And once you do that, you might as well just use the now cleaned-up pointer directly. [ Side note: the multi-order code isn't actually ever used in the kernel right now, and the only reason I didn't just delete all that code is that Kirill Shutemov piped up and said: "Well, my ext4-with-huge-pages patchset[1] uses multi-order entries. It also converts shmem-with-huge-pages and hugetlb to them. I'm okay with converting it to other mechanism, but I need something. (I looked into Konstantin's RFC patchset[2]. It looks okay, but I don't feel myself qualified to review it as I don't know much about radix-tree internals.)" [1] http://lkml.kernel.org/r/20160915115523.29737-1-kirill.shutemov@linux.intel.com [2] http://lkml.kernel.org/r/147230727479.9957.1087787722571077339.stgit@zurg ] Reported-by: Matthew Wilcox Cc: Andrew Morton Cc: Ross Zwisler Cc: Johannes Weiner Cc: Kirill A. Shutemov Cc: Konstantin Khlebnikov Cc: Cedric Blancher Signed-off-by: Linus Torvalds lib/radix-tree.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 62fd5258ebe3ea240371234955a6e2cc99e0b6c3 Author: Matthew Wilcox Date: Thu Sep 22 11:53:34 2016 -0700 radix tree test suite: Test radix_tree_replace_slot() for multiorder entries When we replace a multiorder entry, check that all indices reflect the new value. Also, compile the test suite with -O2, which shows other problems with the code due to some dodgy pointer operations in the radix tree code. Signed-off-by: Matthew Wilcox Signed-off-by: Linus Torvalds tools/testing/radix-tree/Makefile | 2 +- tools/testing/radix-tree/multiorder.c | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) commit 1ae2293dd6d2f5c823cf97e60b70d03631cd622f Author: Al Viro Date: Sat Sep 17 18:31:46 2016 -0400 fix memory leaks in tracing_buffers_splice_read() Cc: stable@vger.kernel.org Signed-off-by: Al Viro kernel/trace/trace.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit 1245800c0f96eb6ebb368593e251d66c01e61022 Author: Steven Rostedt (Red Hat) Date: Fri Sep 23 22:57:13 2016 -0400 tracing: Move mutex to protect against resetting of seq data The iter->seq can be reset outside the protection of the mutex. So can reading of user data. Move the mutex up to the beginning of the function. Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants") Cc: stable@vger.kernel.org # 2.6.30+ Reported-by: Al Viro Signed-off-by: Steven Rostedt kernel/trace/trace.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit 116e7111c8e3cc65ceef9664741bd593483e9517 Author: Paul Burton Date: Thu Sep 22 15:47:40 2016 +0100 MIPS: Fix delay slot emulation count in debugfs Commit 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions") accidentally removed use of the MIPS_FPU_EMU_INC_STATS macro from do_dsemulret, leading to the ds_emul file in debugfs always returning zero even though we perform delay slot emulations. Fix this by re-adding the use of the MIPS_FPU_EMU_INC_STATS macro. Signed-off-by: Paul Burton Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14301/ Signed-off-by: Ralf Baechle arch/mips/math-emu/dsemul.c | 1 + 1 file changed, 1 insertion(+) commit 8f46cca1e6c06a058374816887059bcc017b382f Author: Matt Redfearn Date: Thu Sep 22 17:15:47 2016 +0100 MIPS: SMP: Fix possibility of deadlock when bringing CPUs online This patch fixes the possibility of a deadlock when bringing up secondary CPUs. The deadlock occurs because the set_cpu_online() is called before synchronise_count_slave(). This can cause a deadlock if the boot CPU, having scheduled another thread, attempts to send an IPI to the secondary CPU, which it sees has been marked online. The secondary is blocked in synchronise_count_slave() waiting for the boot CPU to enter synchronise_count_master(), but the boot cpu is blocked in smp_call_function_many() waiting for the secondary to respond to it's IPI request. Fix this by marking the CPU online in cpu_callin_map and synchronising counters before declaring the CPU online and calculating the maps for IPIs. Signed-off-by: Matt Redfearn Reported-by: Justin Chen Tested-by: Justin Chen Cc: Florian Fainelli Cc: stable@vger.kernel.org # v4.1+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14302/ Signed-off-by: Ralf Baechle arch/mips/kernel/smp.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 9c0e28a7be656d737fb18998e2dcb0b8ce595643 Merge: 2507c85 3bf6215 Author: Linus Torvalds Date: Sat Sep 24 12:44:28 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "Three fixlets for perf: - add a missing NULL pointer check in the intel BTS driver - make BTS an exclusive PMU because BTS can only handle one event at a time - ensure that exclusive events are limited to one PMU so that several exclusive events can be scheduled on different PMU instances" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Limit matching exclusive events to one PMU perf/x86/intel/bts: Make it an exclusive PMU perf/x86/intel/bts: Make sure debug store is valid commit 2507c856620cc7474e6101b0a05f82ac0ae5bf69 Merge: 709b8f6 96b03ab Author: Linus Torvalds Date: Sat Sep 24 12:41:19 2016 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Thomas Gleixner: "Two smallish fixes: - use the proper asm constraint in the Super-H atomic_fetch_ops - a trivial typo fix in the Kconfig help text" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/hung_task: Fix typo in CONFIG_DETECT_HUNG_TASK help text locking/atomic, arch/sh: Fix ATOMIC_FETCH_OP() commit 709b8f67d72078cbbd166aaecd2d0f48d1d1560c Merge: 4b8b0ff 7597cdc Author: Linus Torvalds Date: Sat Sep 24 12:35:26 2016 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Thomas Gleixner: "Two fixes for EFI/PAT: - a 32bit overflow bug in the PAT code which was unearthed by the large EFI mappings - prevent a boot hang on large systems when EFI mixed mode is enabled but not used" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/efi: Only map RAM into EFI page tables if in mixed-mode x86/mm/pat: Prevent hang during boot when mapping pages commit 4b8b0ff60f1d6553914a5fc17f16f9aa38a2036e Merge: 0f26574 e875bd6 Author: Linus Torvalds Date: Sat Sep 24 12:30:12 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "Three fixes for irq core and irq chip drivers: - Do not set the irq type if type is NONE. Fixes a boot regression on various SoCs - Use the proper cpu for setting up the GIC target list. Discovered by the cpumask debugging code. - A rather large fix for the MIPS-GIC so per cpu local interrupts work again. This was discovered late because the code falls back to slower timers which use normal device interrupts" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/mips-gic: Fix local interrupts irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning genirq: Skip chained interrupt trigger setup if type is IRQ_TYPE_NONE commit 595c73071e6641e59b83911fbb4026e767471000 Author: Dan Williams Date: Fri Sep 23 17:53:52 2016 -0700 libnvdimm, region: fix flush hint table thinko The definition of the flush hint table as: void __iomem *flush_wpq[0][0]; ...passed the unit test, but is broken as flush_wpq[0][1] and flush_wpq[1][0] refer to the same entry. Fix this to use a helper that calculates a slot in the table based on the geometry of flush hints in the region. This is important to get right since virtualization solutions use this mechanism to trigger hypervisor flushes to platform persistence. Reported-by: Dave Jiang Tested-by: Dave Jiang Signed-off-by: Dan Williams drivers/nvdimm/nd.h | 22 ++++++++++++++++++++-- drivers/nvdimm/region_devs.c | 20 ++++++++++++-------- 2 files changed, 32 insertions(+), 10 deletions(-) commit 0f26574178f6c698e5d76e66ca68a95cc35eef9f Merge: bd5dbcb b385d21 Author: Linus Torvalds Date: Sat Sep 24 11:31:45 2016 -0700 Merge branch 'hughd-fixes' (patches from Hugh Dickins) Merge VM fixes from High Dickins: "I get the impression that Andrew is away or busy at the moment, so I'm going to send you three independent uncontroversial little mm fixes directly - though none is strictly a 4.8 regression fix. - shmem: fix tmpfs to handle the huge= option properly from Toshi Kani is a one-liner to fix a major embarrassment in 4.8's hugepages on tmpfs feature: although Hillf pointed it out in June, somehow both Kirill and I repeatedly dropped the ball on this one. You might wonder if the feature got tested at all with that bug in: yes, it did, but for wider testing coverage, Kirill and I had each relied too much on an override which bypasses that condition. - huge tmpfs: fix Committed_AS leak just a run-of-the-mill accounting fix in the same feature. - mm: delete unnecessary and unsafe init_tlb_ubc() is an unrelated fix to 4.3's TLB flush batching in reclaim: the bug would be rare, and none of us will be shamed if this one misses 4.8; but it got such a quick ack from Mel today that I'm inclined to offer it along with the first two" * emailed patches from Hugh Dickins : mm: delete unnecessary and unsafe init_tlb_ubc() huge tmpfs: fix Committed_AS leak shmem: fix tmpfs to handle the huge= option properly commit b385d21f27d86426472f6ae92a231095f7de2a8d Author: Hugh Dickins Date: Fri Sep 23 20:27:04 2016 -0700 mm: delete unnecessary and unsafe init_tlb_ubc() init_tlb_ubc() looked unnecessary to me: tlb_ubc is statically initialized with zeroes in the init_task, and copied from parent to child while it is quiescent in arch_dup_task_struct(); so I went to delete it. But inserted temporary debug WARN_ONs in place of init_tlb_ubc() to check that it was always empty at that point, and found them firing: because memcg reclaim can recurse into global reclaim (when allocating biosets for swapout in my case), and arrive back at the init_tlb_ubc() in shrink_node_memcg(). Resetting tlb_ubc.flush_required at that point is wrong: if the upper level needs a deferred TLB flush, but the lower level turns out not to, we miss a TLB flush. But fortunately, that's the only part of the protocol that does not nest: with the initialization removed, cpumask collects bits from upper and lower levels, and flushes TLB when needed. Fixes: 72b252aed506 ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages") Signed-off-by: Hugh Dickins Acked-by: Mel Gorman Cc: stable@vger.kernel.org # 4.3+ Signed-off-by: Linus Torvalds mm/vmscan.c | 19 ------------------- 1 file changed, 19 deletions(-) commit 71664665c3e3ca5ff61ef5fc65480f82cd575eb2 Author: Hugh Dickins Date: Fri Sep 23 20:24:23 2016 -0700 huge tmpfs: fix Committed_AS leak Under swapping load on huge tmpfs, /proc/meminfo's Committed_AS grows bigger and bigger: just a cosmetic issue for most users, but disabling for those who run without overcommit (/proc/sys/vm/overcommit_memory 2). shmem_uncharge() was forgetting to unaccount __vm_enough_memory's charge, and shmem_charge() was forgetting it on the filesystem-full error path. Fixes: 800d8c63b2e9 ("shmem: add huge pages support") Signed-off-by: Hugh Dickins Acked-by: Kirill A. Shutemov Signed-off-by: Linus Torvalds mm/shmem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3089bf614c7e2fd441ee001e3ff3d18326f6f091 Author: Toshi Kani Date: Fri Sep 23 20:21:56 2016 -0700 shmem: fix tmpfs to handle the huge= option properly shmem_get_unmapped_area() checks SHMEM_SB(sb)->huge incorrectly, which leads to a reversed effect of "huge=" mount option. Fix the check in shmem_get_unmapped_area(). Note, the default value of SHMEM_SB(sb)->huge remains as SHMEM_HUGE_NEVER. User will need to specify "huge=" option to enable huge page mappings. Reported-by: Hillf Danton Signed-off-by: Toshi Kani Acked-by: Kirill A. Shutemov Reviewed-by: Aneesh Kumar K.V Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds mm/shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit db32e4e49ce2b0e5fcc17803d011a401c0a637f6 Author: Lance Richardson Date: Fri Sep 23 15:50:29 2016 -0400 ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() Similar to commit 3be07244b733 ("ip6_gre: fix flowi6_proto value in xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup. Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value. This affected output route lookup for packets sent on an ip6gretap device in cases where routing was dependent on the value of flowi6_proto. Since the correct proto is already set in the tunnel flowi6 template via commit 252f3f5a1189 ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path."), simply delete the line setting the incorrect flowi6_proto value. Suggested-by: Jiri Benc Fixes: c12b395a4664 ("gre: Support GRE over IPv6") Reviewed-by: Shmulik Ladkani Signed-off-by: Lance Richardson Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 1 - 1 file changed, 1 deletion(-) commit bd5dbcb4be37ce97b115bf9e8d48ae75f0d8a9a2 Merge: d0c1d15 331dcf4 Author: Linus Torvalds Date: Fri Sep 23 16:44:12 2016 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Three driver bugfixes: fixing uninitialized memory pointers (eg20t), pm/clock imbalance (qup), and a wrongly set cached variable (pc954x)" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended i2c: mux: pca954x: retry updating the mux selection on failure i2c-eg20t: fix race between i2c init and interrupt enable commit d0c1d15f5ed7f028d2c284b7fed7e73575d9c24d Merge: 4ee6986 4af2ff9 Author: Linus Torvalds Date: Fri Sep 23 16:34:24 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input updates from Dmitry Torokhov: "Just a fix up for the firmware handling to the Silead driver (which is a new driver in this release)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: silead_gsl1680 - use "silead/" prefix for firmware loading Input: silead_gsl1680 - document firmware-name, fix implementation commit 4ee69866258620b105d06ae07da3bbe9fdb1699a Merge: b22734a c8712c6 Author: Linus Torvalds Date: Fri Sep 23 16:24:36 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Three fixes, two regressions and one that poses a problem in blk-mq with the new nvmef code" * 'for-linus' of git://git.kernel.dk/linux-block: blk-mq: skip unmapped queues in blk_mq_alloc_request_hctx nvme-rdma: only clear queue flags after successful connect blk-throttle: Extend slice if throttle group is not empty commit 9157056da8f8c4a6305f15619e269f164b63a6de Author: Tejun Heo Date: Fri Sep 23 16:55:49 2016 -0400 cgroup: fix invalid controller enable rejections with cgroup namespace On the v2 hierarchy, "cgroup.subtree_control" rejects controller enables if the cgroup has processes in it. The enforcement of this logic assumes that the cgroup wouldn't have any css_sets associated with it if there are no tasks in the cgroup, which is no longer true since a79a908fd2b0 ("cgroup: introduce cgroup namespaces"). When a cgroup namespace is created, it pins the css_set of the creating task to use it as the root css_set of the namespace. This extra reference stays as long as the namespace is around and makes "cgroup.subtree_control" think that the namespace root cgroup is not empty even when it is and thus reject controller enables. Fix it by making cgroup_subtree_control() walk and test emptiness of each css_set instead of testing whether the list_head is empty. While at it, update the comment of cgroup_task_count() to indicate that the returned value may be higher than the number of tasks, which has always been true due to temporary references and doesn't break anything. Signed-off-by: Tejun Heo Reported-by: Evgeny Vereshchagin Cc: Serge E. Hallyn Cc: Aditya Kali Cc: Eric W. Biederman Cc: stable@vger.kernel.org # v4.6+ Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") Link: https://github.com/systemd/systemd/pull/3589#issuecomment-249089541 kernel/cgroup.c | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) commit b22734a55067adbc10216e459762dbd7dcef29d5 Merge: 78bbf15 325c50e Author: Linus Torvalds Date: Fri Sep 23 13:39:37 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Josef fixed a problem when quotas are enabled with his latest ENOSPC rework, and Jeff added more checks into the subvol ioctls to avoid tripping up lookup_one_len" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: ensure that file descriptor used with subvol ioctls is a dir Btrfs: handle quota reserve failure properly commit 78bbf153fa96e5e40234b7b05567602535645460 Merge: 2ddfdd4 f0aa1ce Author: Linus Torvalds Date: Fri Sep 23 11:50:49 2016 -0700 Merge tag 'regmap-fix-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fix from Mark Brown: "A fix for an issue with double locking that was introduced earlier this release. I'd missed in review that we were already in a locked region when trying to drop part of the cache" * tag 'regmap-fix-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: fix deadlock on _regmap_raw_write() error path commit 2ddfdd428906749e45a6b765712d1c68e5daa723 Merge: 7d188ba 0cf43f5 Author: Linus Torvalds Date: Fri Sep 23 11:28:04 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a regression in RSA that was only half-fixed earlier in the cycle. It also fixes an older regression that breaks the keyring subsystem" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: rsa-pkcs1pad - Handle leading zero for decryption KEYS: Fix skcipher IV clobbering commit 7d188bad6667bd94325201096eebd6fa33cfb469 Merge: d9d1ffe 67787b6 Author: Linus Torvalds Date: Fri Sep 23 11:24:42 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: "A couple of last-minute arm64 fixes for 4.8: - Fix secondary CPU to NUMA node assignment - Fix kgdb breakpoint insertion in read-only text sections (when CONFIG_DEBUG_RODATA or CONFIG_DEBUG_SET_MODULE_RONX are enabled)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kgdb: handle read-only text / modules arm64: Call numa_store_cpu_info() earlier. commit d9d1ffe00b90c0dab8b8d759fb41437290686f7e Merge: e7c5412 38178e7 Author: Linus Torvalds Date: Fri Sep 23 11:15:00 2016 -0700 Merge tag 'tags/nand-fixes-for-4.8-rc8' of git://git.infradead.org/linux-ubifs Pull MTD fixes from Richard Weinberger: "NAND Fixes for 4.8-rc8. This contains fixes for bugs which got introduced in -rc1. Usually Brian takes NAND patches from Boris, but since Brian is very busy these days with other stuff and Boris is not yet member of the kernel.org web of trust I stepped in. Boris will be in Berlin at ELCE, I'll sign his key and hopefully other Kernel developers too such that he can issue his own pull requests soon. Summary: - Fix a wrong OOB layout definition in the mxc driver - Fix incorrect ECC handling in the mtk driver" * tag 'tags/nand-fixes-for-4.8-rc8' of git://git.infradead.org/linux-ubifs: mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions mtd: nand: fix chances to create incomplete ECC data when writing mtd: nand: fix generating over-boundary ECC data when writing commit e7c5412f77ac41ff14873f445bce0db4fef5890c Merge: e47f2e5 005d675 Author: Linus Torvalds Date: Fri Sep 23 11:10:53 2016 -0700 Merge tag 'mmc-v4.8-rc7' of git://git.linaro.org/people/ulf.hansson/mmc Pull MMC fix from Ulf Hansson: "MMC host: - dw_mmc: fix the spamming log message" * tag 'mmc-v4.8-rc7' of git://git.linaro.org/people/ulf.hansson/mmc: mmc: dw_mmc: fix the spamming log message commit e47f2e50ead9dd9eb10b2626d739760e71ce6d43 Merge: b1f2beb 42857cf Author: Linus Torvalds Date: Fri Sep 23 09:45:15 2016 -0700 Merge tag 'configfs-for-4.8-2' of git://git.infradead.org/users/hch/configfs Pull configfs fix from Christoph Hellwig: "One more trivial fix for the binary attribute code from Phil Turnbull" * tag 'configfs-for-4.8-2' of git://git.infradead.org/users/hch/configfs: configfs: Return -EFBIG from configfs_write_bin_file. commit c8712c6a674e3382fe4d26d108251ccfa55d08e0 Author: Christoph Hellwig Date: Fri Sep 23 10:25:48 2016 -0600 blk-mq: skip unmapped queues in blk_mq_alloc_request_hctx This provides the caller a feedback that a given hctx is not mapped and thus no command can be sent on it. Signed-off-by: Christoph Hellwig Tested-by: Steve Wise Signed-off-by: Jens Axboe block/blk-mq.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) commit 7e956304eb8a285304a78582e4537e72c6365f20 Author: Paul Burton Date: Fri Sep 23 15:13:53 2016 +0100 MIPS: Fix pre-r6 emulation FPU initialisation In the mipsr2_decoder() function, used to emulate pre-MIPSr6 instructions that were removed in MIPSr6, the init_fpu() function is called if a removed pre-MIPSr6 floating point instruction is the first floating point instruction used by the task. However, init_fpu() performs varous actions that rely upon not being migrated. For example in the most basic case it sets the coprocessor 0 Status.CU1 bit to enable the FPU & then loads FP register context into the FPU registers. If the task were to migrate during this time, it may end up attempting to load FP register context on a different CPU where it hasn't set the CU1 bit, leading to errors such as: do_cpu invoked from kernel context![#2]: CPU: 2 PID: 7338 Comm: fp-prctl Tainted: G D 4.7.0-00424-g49b0c82 #2 task: 838e4000 ti: 88d38000 task.ti: 88d38000 $ 0 : 00000000 00000001 ffffffff 88d3fef8 $ 4 : 838e4000 88d38004 00000000 00000001 $ 8 : 3400fc01 801f8020 808e9100 24000000 $12 : dbffffff 807b69d8 807b0000 00000000 $16 : 00000000 80786150 00400fc4 809c0398 $20 : 809c0338 0040273c 88d3ff28 808e9d30 $24 : 808e9d30 00400fb4 $28 : 88d38000 88d3fe88 00000000 8011a2ac Hi : 0040273c Lo : 88d3ff28 epc : 80114178 _restore_fp+0x10/0xa0 ra : 8011a2ac mipsr2_decoder+0xd5c/0x1660 Status: 1400fc03 KERNEL EXL IE Cause : 1080002c (ExcCode 0b) PrId : 0001a920 (MIPS I6400) Modules linked in: Process fp-prctl (pid: 7338, threadinfo=88d38000, task=838e4000, tls=766527d0) Stack : 00000000 00000000 00000000 88d3fe98 00000000 00000000 809c0398 809c0338 808e9100 00000000 88d3ff28 00400fc4 00400fc4 0040273c 7fb69e18 004a0000 004a0000 004a0000 7664add0 8010de18 00000000 00000000 88d3fef8 88d3ff28 808e9100 00000000 766527d0 8010e534 000c0000 85755000 8181d580 00000000 00000000 00000000 004a0000 00000000 766527d0 7fb69e18 004a0000 80105c20 ... Call Trace: [<80114178>] _restore_fp+0x10/0xa0 [<8011a2ac>] mipsr2_decoder+0xd5c/0x1660 [<8010de18>] do_ri+0x90/0x6b8 [<80105c20>] ret_from_exception+0x0/0x10 Fix this by disabling preemption around the call to init_fpu(), ensuring that it starts & completes on one CPU. Signed-off-by: Paul Burton Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6") Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # v4.0+ Patchwork: https://patchwork.linux-mips.org/patch/14305/ Signed-off-by: Ralf Baechle arch/mips/kernel/mips-r2-to-r6-emul.c | 2 ++ 1 file changed, 2 insertions(+) commit 019b1c9fe32a2a32c1153e31375f87ec3e591273 Author: Eric Dumazet Date: Thu Sep 22 17:54:00 2016 -0700 tcp: fix a compile error in DBGUNDO() If DBGUNDO() is enabled (FASTRETRANS_DEBUG > 1), a compile error will happen, since inet6_sk(sk)->daddr became sk->sk_v6_daddr Fixes: efe4208f47f9 ("ipv6: make lookups simpler and faster") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_input.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 2fe664f1fcf7c4da6891f95708a7a56d3c024354 Author: Douglas Caetano dos Santos Date: Thu Sep 22 15:52:04 2016 -0300 tcp: fix wrong checksum calculation on MTU probing With TCP MTU probing enabled and offload TX checksumming disabled, tcp_mtu_probe() calculated the wrong checksum when a fragment being copied into the probe's SKB had an odd length. This was caused by the direct use of skb_copy_and_csum_bits() to calculate the checksum, as it pads the fragment being copied, if needed. When this fragment was not the last, a subsequent call used the previous checksum without considering this padding. The effect was a stale connection in one way, as even retransmissions wouldn't solve the problem, because the checksum was never recalculated for the full SKB length. Signed-off-by: Douglas Caetano dos Santos Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit f44ace4d06aab8210d29c731f70b657a7524198b Merge: 3d4357f 9abefcb Author: David S. Miller Date: Fri Sep 23 07:13:55 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160922' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-22 this is a pull request of one patch for the upcoming linux-4.8 release. The patch by Sergei Miroshnichenko fixes a potential deadlock in the generic CAN device code that cann occour after a bus-off. ==================== Signed-off-by: David S. Miller commit 3d4357fba82b3cf19ebf0a04d1c9cb086af15d02 Author: WANG Cong Date: Sun Sep 18 16:22:48 2016 -0700 sch_sfb: keep backlog updated with qlen Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/sch_sfb.c | 3 +++ 1 file changed, 3 insertions(+) commit 2ed5c3f09627f72a2e0e407a86b2ac05494190f9 Author: WANG Cong Date: Sun Sep 18 16:22:47 2016 -0700 sch_qfq: keep backlog updated with qlen Reported-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/sch_qfq.c | 3 +++ 1 file changed, 3 insertions(+) commit 67787b68ec48c239d5ec12f9bf5adaf5c459517a Author: AKASHI Takahiro Date: Fri Sep 23 16:42:08 2016 +0900 arm64: kgdb: handle read-only text / modules Handle read-only cases when CONFIG_DEBUG_RODATA (4.0) or CONFIG_DEBUG_SET_MODULE_RONX (3.18) are enabled by using aarch64_insn_write() instead of probe_kernel_write() as introduced by commit 2f896d586610 ("arm64: use fixmap for text patching") in 4.0. Fixes: 11d91a770f1f ("arm64: Add CONFIG_DEBUG_SET_MODULE_RONX support") Signed-off-by: AKASHI Takahiro Reviewed-by: Mark Rutland Cc: Will Deacon Cc: Jason Wessel Signed-off-by: Catalin Marinas arch/arm64/include/asm/debug-monitors.h | 2 -- arch/arm64/kernel/kgdb.c | 36 ++++++++++++++++++++++----------- 2 files changed, 24 insertions(+), 14 deletions(-) commit c18df0adabf8400c1825b90382d06df5edc303fa Author: David Daney Date: Tue Sep 20 11:46:35 2016 -0700 arm64: Call numa_store_cpu_info() earlier. The wq_numa_init() function makes a private CPU to node map by calling cpu_to_node() early in the boot process, before the non-boot CPUs are brought online. Since the default implementation of cpu_to_node() returns zero for CPUs that have never been brought online, the workqueue system's view is that *all* CPUs are on node zero. When the unbound workqueue for a non-zero node is created, the tsk_cpus_allowed() for the worker threads is the empty set because there are, in the view of the workqueue system, no CPUs on non-zero nodes. The code in try_to_wake_up() using this empty cpumask ends up using the cpumask empty set value of NR_CPUS as an index into the per-CPU area pointer array, and gets garbage as it is one past the end of the array. This results in: [ 0.881970] Unable to handle kernel paging request at virtual address fffffb1008b926a4 [ 1.970095] pgd = fffffc00094b0000 [ 1.973530] [fffffb1008b926a4] *pgd=0000000000000000, *pud=0000000000000000, *pmd=0000000000000000 [ 1.982610] Internal error: Oops: 96000004 [#1] SMP [ 1.987541] Modules linked in: [ 1.990631] CPU: 48 PID: 295 Comm: cpuhp/48 Tainted: G W 4.8.0-rc6-preempt-vol+ #9 [ 1.999435] Hardware name: Cavium ThunderX CN88XX board (DT) [ 2.005159] task: fffffe0fe89cc300 task.stack: fffffe0fe8b8c000 [ 2.011158] PC is at try_to_wake_up+0x194/0x34c [ 2.015737] LR is at try_to_wake_up+0x150/0x34c [ 2.020318] pc : [] lr : [] pstate: 600000c5 [ 2.027803] sp : fffffe0fe8b8fb10 [ 2.031149] x29: fffffe0fe8b8fb10 x28: 0000000000000000 [ 2.036522] x27: fffffc0008c63bc8 x26: 0000000000001000 [ 2.041896] x25: fffffc0008c63c80 x24: fffffc0008bfb200 [ 2.047270] x23: 00000000000000c0 x22: 0000000000000004 [ 2.052642] x21: fffffe0fe89d25bc x20: 0000000000001000 [ 2.058014] x19: fffffe0fe89d1d00 x18: 0000000000000000 [ 2.063386] x17: 0000000000000000 x16: 0000000000000000 [ 2.068760] x15: 0000000000000018 x14: 0000000000000000 [ 2.074133] x13: 0000000000000000 x12: 0000000000000000 [ 2.079505] x11: 0000000000000000 x10: 0000000000000000 [ 2.084879] x9 : 0000000000000000 x8 : 0000000000000000 [ 2.090251] x7 : 0000000000000040 x6 : 0000000000000000 [ 2.095621] x5 : ffffffffffffffff x4 : 0000000000000000 [ 2.100991] x3 : 0000000000000000 x2 : 0000000000000000 [ 2.106364] x1 : fffffc0008be4c24 x0 : ffffff0ffffada80 [ 2.111737] [ 2.113236] Process cpuhp/48 (pid: 295, stack limit = 0xfffffe0fe8b8c020) [ 2.120102] Stack: (0xfffffe0fe8b8fb10 to 0xfffffe0fe8b90000) [ 2.125914] fb00: fffffe0fe8b8fb80 fffffc00080e7648 . . . [ 2.442859] Call trace: [ 2.445327] Exception stack(0xfffffe0fe8b8f940 to 0xfffffe0fe8b8fa70) [ 2.451843] f940: fffffe0fe89d1d00 0000040000000000 fffffe0fe8b8fb10 fffffc00080e7468 [ 2.459767] f960: fffffe0fe8b8f980 fffffc00080e4958 ffffff0ff91ab200 fffffc00080e4b64 [ 2.467690] f980: fffffe0fe8b8f9d0 fffffc00080e515c fffffe0fe8b8fa80 0000000000000000 [ 2.475614] f9a0: fffffe0fe8b8f9d0 fffffc00080e58e4 fffffe0fe8b8fa80 0000000000000000 [ 2.483540] f9c0: fffffe0fe8d10000 0000000000000040 fffffe0fe8b8fa50 fffffc00080e5ac4 [ 2.491465] f9e0: ffffff0ffffada80 fffffc0008be4c24 0000000000000000 0000000000000000 [ 2.499387] fa00: 0000000000000000 ffffffffffffffff 0000000000000000 0000000000000040 [ 2.507309] fa20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 2.515233] fa40: 0000000000000000 0000000000000000 0000000000000000 0000000000000018 [ 2.523156] fa60: 0000000000000000 0000000000000000 [ 2.528089] [] try_to_wake_up+0x194/0x34c [ 2.533723] [] wake_up_process+0x28/0x34 [ 2.539275] [] create_worker+0x110/0x19c [ 2.544824] [] alloc_unbound_pwq+0x3cc/0x4b0 [ 2.550724] [] wq_update_unbound_numa+0x10c/0x1e4 [ 2.557066] [] workqueue_online_cpu+0x220/0x28c [ 2.563234] [] cpuhp_invoke_callback+0x6c/0x168 [ 2.569398] [] cpuhp_up_callbacks+0x44/0xe4 [ 2.575210] [] cpuhp_thread_fun+0x13c/0x148 [ 2.581027] [] smpboot_thread_fn+0x19c/0x1a8 [ 2.586929] [] kthread+0xdc/0xf0 [ 2.591776] [] ret_from_fork+0x10/0x50 [ 2.597147] Code: b00057e1 91304021 91005021 b8626822 (b8606821) [ 2.603464] ---[ end trace 58c0cd36b88802bc ]--- [ 2.608138] Kernel panic - not syncing: Fatal exception Fix by moving call to numa_store_cpu_info() for all CPUs into smp_prepare_cpus(), which happens before wq_numa_init(). Since smp_store_cpu_info() now contains only a single function call, simplify by removing the function and out-lining its contents. Suggested-by: Robert Richter Fixes: 1a2db300348b ("arm64, numa: Add NUMA support for arm64 platforms.") Cc: # 4.7.x- Signed-off-by: David Daney Reviewed-by: Robert Richter Tested-by: Yisheng Xie Signed-off-by: Catalin Marinas arch/arm64/kernel/smp.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) commit 96b03ab86d843524ec4aed7fe0ceef412c684c68 Author: Vivien Didelot Date: Thu Sep 22 16:55:13 2016 -0400 locking/hung_task: Fix typo in CONFIG_DETECT_HUNG_TASK help text Fix the indefinitiley -> indefinitely typo in Kconfig.debug. Signed-off-by: Vivien Didelot Cc: Andrew Morton Cc: Linus Torvalds Cc: Paul E. McKenney Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20160922205513.17821-1-vivien.didelot@savoirfairelinux.com Signed-off-by: Ingo Molnar lib/Kconfig.debug | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3b4ac78610690bd83fb33762ef97e8b8a89285ae Author: Sagi Grimberg Date: Thu Sep 22 19:58:17 2016 -0600 nvme-rdma: only clear queue flags after successful connect Otherwise, nvme_rdma_stop_and_clear_queue() will incorrectly try to stop/free rdma qps/cm_ids that are already freed. Fixes: e89ca58f9c90 ("nvme-rdma: add DELETING queue flag") Reported-by: Steve Wise Tested-by: Steve Wise Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe drivers/nvme/host/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 331dcf421c34d227784d07943eb01e4023a42b0a Author: Sudeep Holla Date: Thu Aug 25 12:23:39 2016 +0100 i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended If the i2c device is already runtime suspended, if qup_i2c_suspend is executed during suspend-to-idle or suspend-to-ram it will result in the following splat: WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90 Modules linked in: CPU: 3 PID: 1593 Comm: bash Tainted: G W 4.8.0-rc3 #14 Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) PC is at clk_core_unprepare+0x80/0x90 LR is at clk_unprepare+0x28/0x40 pc : [] lr : [] pstate: 60000145 Call trace: clk_core_unprepare+0x80/0x90 qup_i2c_disable_clocks+0x2c/0x68 qup_i2c_suspend+0x10/0x20 platform_pm_suspend+0x24/0x68 ... This patch fixes the issue by executing qup_i2c_pm_suspend_runtime conditionally in qup_i2c_suspend. Signed-off-by: Sudeep Holla Reviewed-by: Andy Gross Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/busses/i2c-qup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit b1f2beb87bb034bb209773807994279f90cace78 Merge: f887c21 d8feef9 Author: Linus Torvalds Date: Thu Sep 22 09:04:49 2016 -0700 Merge tag 'media/v4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: - several fixes for new drivers added for Kernel 4.8 addition (cec core, pulse8 cec driver and Mediatek vcodec) - a regression fix for cx23885 and saa7134 drivers - an important fix for rcar-fcp, making rcar_fcp_enable() return 0 on success * tag 'media/v4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (25 commits) [media] cx23885/saa7134: assign q->dev to the PCI device [media] rcar-fcp: Make sure rcar_fcp_enable() returns 0 on success [media] cec: fix ioctl return code when not registered [media] cec: don't Feature Abort broadcast msgs when unregistered [media] vcodec:mediatek: Refine VP8 encoder driver [media] vcodec:mediatek: Refine H264 encoder driver [media] vcodec:mediatek: change H264 profile default to profile high [media] vcodec:mediatek: Add timestamp and timecode copy for V4L2 Encoder [media] vcodec:mediatek: Fix visible_height larger than coded_height issue in s_fmt_out [media] vcodec:mediatek: Fix fops_vcodec_release flow for V4L2 Encoder [media] vcodec:mediatek:code refine for v4l2 Encoder driver [media] cec-funcs.h: add missing vendor-specific messages [media] cec-edid: check for IEEE identifier [media] pulse8-cec: fix error handling [media] pulse8-cec: set correct Signal Free Time [media] mtk-vcodec: add HAS_DMA dependency [media] cec: ignore messages when log_addr_mask == 0 [media] cec: add item to TODO [media] cec: set unclaimed addresses to CEC_LOG_ADDR_INVALID [media] cec: add CEC_LOG_ADDRS_FL_ALLOW_UNREG_FALLBACK flag ... commit f887c21e214757e6b1b9dd65e396ee3e7cbb6b18 Merge: 7d1e042 7e32b44 Author: Linus Torvalds Date: Thu Sep 22 08:49:25 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Mostly small bits scattered all over the place, which is usually how things go this late in the -rc series. 1) Proper driver init device resets in bnx2, from Baoquan He. 2) Fix accounting overflow in __tcp_retransmit_skb(), sk_forward_alloc, and ip_idents_reserve, from Eric Dumazet. 3) Fix crash in bna driver ethtool stats handling, from Ivan Vecera. 4) Missing check of skb_linearize() return value in mac80211, from Johannes Berg. 5) Endianness fix in nf_table_trace dumps, from Liping Zhang. 6) SSN comparison fix in SCTP, from Marcelo Ricardo Leitner. 7) Update DSA and b44 MAINTAINERS entries. 8) Make input path of vti6 driver work again, from Nicolas Dichtel. 9) Off-by-one in mlx4, from Sebastian Ott. 10) Fix fallback route lookup handling in ipv6, from Vincent Bernat. 11) Fix stack corruption on probe in qed driver, from Yuval Mintz. 12) PHY init fixes in r8152 from Hayes Wang. 13) Missing SKB free in irda_accept error path, from Phil Turnbull" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (61 commits) tcp: properly account Fast Open SYN-ACK retrans tcp: fix under-accounting retransmit SNMP counters MAINTAINERS: Update b44 maintainer. net: get rid of an signed integer overflow in ip_idents_reserve() net/mlx4_core: Fix to clean devlink resources net: can: ifi: Configure transmitter delay vti6: fix input path ipmr, ip6mr: return lastuse relative to now r8152: disable ALDPS and EEE before setting PHY r8152: remove r8153_enable_eee r8152: move PHY settings to hw_phy_cfg r8152: move enabling PHY r8152: move some functions cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter qed: Fix stack corruption on probe MAINTAINERS: Add an entry for the core network DSA code net: ipv6: fallback to full lookup if table lookup is unsuitable net/mlx5: E-Switch, Handle mode change failures net/mlx5: E-Switch, Fix error flow in the SRIOV e-switch init code net/mlx5: Fix flow counter bulk command out mailbox allocation ... commit 3bf6215a1b30db7df6083c708caab3fe1a8e8abe Author: Alexander Shishkin Date: Tue Sep 20 18:48:11 2016 +0300 perf/core: Limit matching exclusive events to one PMU An "exclusive" PMU is the one that can only have one event scheduled in at any given time. There may be more than one of such PMUs in a system, though, like Intel PT and BTS. It should be allowed to have one event for either of those inside the same context (there may be other constraints that may prevent this, but those would be hardware-specific). However, the exclusivity code is written so that only one event from any of the "exclusive" PMUs is allowed in a context. Fix this by making the exclusive event filter explicitly match two events' PMUs. Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160920154811.3255-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 08b90f0655258411a1b41d856331e20e7ec8d55c Author: Alexander Shishkin Date: Tue Sep 20 18:48:10 2016 +0300 perf/x86/intel/bts: Make it an exclusive PMU Just like intel_pt, intel_bts can only handle one event at a time, which is the reason we introduced PERF_PMU_CAP_EXCLUSIVE in the first place. However, at the moment one can have as many intel_bts events within the same context at the same time as one pleases. Only one of them, however, will get scheduled and receive the actual trace data. Fix this by making intel_bts an "exclusive" PMU. Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160920154811.3255-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9bf6ffdabdd6e70a0b69d032a0aff091afe1773e Author: Peter Zijlstra Date: Fri Aug 26 15:06:04 2016 +0200 locking/atomic, arch/sh: Fix ATOMIC_FETCH_OP() We cannot use the "z" constraint twice, since its a single register (r0). Change the one not used by movli.l/movco.l to "r". Reported-by: Fengguang Wu Tested-by: Fengguang Wu Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Rich Felker Cc: Thomas Gleixner Cc: Yoshinori Sato Signed-off-by: Ingo Molnar arch/sh/include/asm/atomic-llsc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f0aa1ce6259eb65f53f969b3250c1d0aac84f30b Author: Nikita Yushchenko Date: Thu Sep 22 12:02:25 2016 +0300 regmap: fix deadlock on _regmap_raw_write() error path Commit 815806e39bf6 ("regmap: drop cache if the bus transfer error") added a call to regcache_drop_region() to error path in _regmap_raw_write(). However that path runs with regmap lock taken, and regcache_drop_region() tries to re-take it, causing a deadlock. Fix that by calling map->cache_ops->drop() directly. Signed-off-by: Nikita Yushchenko Signed-off-by: Mark Brown drivers/base/regmap/regmap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 0cf43f509f72128196e23f5ade7e512a72152cc6 Author: Herbert Xu Date: Thu Sep 22 17:04:57 2016 +0800 crypto: rsa-pkcs1pad - Handle leading zero for decryption As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad decryption while signature verification was fixed in an earlier patch. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Mat Martineau Signed-off-by: Herbert Xu crypto/rsa-pkcs1pad.c | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) commit 456bee986e0a372ad4beed5d3cedb3622633d9df Author: Herbert Xu Date: Tue Sep 20 20:35:55 2016 +0800 KEYS: Fix skcipher IV clobbering The IV must not be modified by the skcipher operation so we need to duplicate it. Fixes: c3917fd9dfbc ("KEYS: Use skcipher") Cc: stable@vger.kernel.org Reported-by: Mimi Zohar Signed-off-by: Herbert Xu security/keys/encrypted-keys/encrypted.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 Author: Sergei Miroshnichenko Date: Wed Sep 7 16:51:12 2016 +0300 can: dev: fix deadlock reported after bus-off A timer was used to restart after the bus-off state, leading to a relatively large can_restart() executed in an interrupt context, which in turn sets up pinctrl. When this happens during system boot, there is a high probability of grabbing the pinctrl_list_mutex, which is locked already by the probe() of other device, making the kernel suspect a deadlock condition [1]. To resolve this issue, the restart_timer is replaced by a delayed work. [1] https://github.com/victronenergy/venus/issues/24 Signed-off-by: Sergei Miroshnichenko Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/dev.c | 27 +++++++++++++++++---------- include/linux/can/dev.h | 3 ++- 2 files changed, 19 insertions(+), 11 deletions(-) commit 005d675aa1909ad70456dec8c5b0ba9b60b52d24 Author: Jaehoon Chung Date: Thu Sep 22 14:12:00 2016 +0900 mmc: dw_mmc: fix the spamming log message When there is no Card which is set to "broken-cd", it's displayed a clock information continuously. Because it's polling for detecting card. This patch is fixed this problem. Fixes: 65257a0deed5 ("mmc: dw_mmc: remove UBSAN warning in dw_mci_setup_bus()") Reported-by: Tobias Jakobi Signed-off-by: Jaehoon Chung Signed-off-by: Ulf Hansson drivers/mmc/host/dw_mmc.c | 14 +++++++++----- drivers/mmc/host/dw_mmc.h | 3 +++ 2 files changed, 12 insertions(+), 5 deletions(-) commit bad3d80fd001d3b74ab8bb3d561bc4d1b08797d3 Author: Karol Herbst Date: Sun Sep 18 12:21:56 2016 +0200 drm/nouveau: Revert "bus: remove cpu_coherent flag" This reverts commit aff51175cdbf345740ec9203eff88e772af88059. The commit caused fence timeouts within nvc0_screen_destroy and most likely other places as well. The most obvious effect is, that userspace processes take minutes to actually quit. Signed-off-by: Karol Herbst Signed-off-by: Ben Skeggs drivers/gpu/drm/nouveau/include/nvkm/core/device.h | 1 + drivers/gpu/drm/nouveau/nouveau_bo.c | 3 ++- drivers/gpu/drm/nouveau/nvkm/engine/device/pci.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) commit 7e32b44361abc77fbc01f2b97b045c405b2583e5 Author: Yuchung Cheng Date: Wed Sep 21 16:16:15 2016 -0700 tcp: properly account Fast Open SYN-ACK retrans Since the TFO socket is accepted right off SYN-data, the socket owner can call getsockopt(TCP_INFO) to collect ongoing SYN-ACK retransmission or timeout stats (i.e., tcpi_total_retrans, tcpi_retransmits). Currently those stats are only updated upon handshake completes. This patch fixes it. Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_output.c | 2 ++ net/ipv4/tcp_timer.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) commit de1d657816c6fbb70f07b01d50ec669dff0d4e60 Author: Yuchung Cheng Date: Wed Sep 21 16:16:14 2016 -0700 tcp: fix under-accounting retransmit SNMP counters This patch fixes these under-accounting SNMP rtx stats LINUX_MIB_TCPFORWARDRETRANS LINUX_MIB_TCPFASTRETRANS LINUX_MIB_TCPSLOWSTARTRETRANS when retransmitting TSO packets Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time") Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 666ca3d8f19082f40745d75f3cc7cc0200ee87e3 Author: Ilia Mirkin Date: Fri Sep 9 22:34:02 2016 -0400 drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion Signed-off-by: Ilia Mirkin Cc: stable@vger.kernel.org Signed-off-by: Ben Skeggs drivers/gpu/drm/nouveau/nvkm/engine/fifo/dmanv04.c | 3 +++ 1 file changed, 3 insertions(+) commit ba1ba25d3159573ffdc9e79e5c3dfcf9c5742964 Merge: 290b774 63c4378 Author: David S. Miller Date: Thu Sep 22 02:56:23 2016 -0400 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2016-09-21 1) Propagate errors on security context allocation. From Mathias Krause. 2) Fix inbound policy checks for inter address family tunnels. From Thomas Zeitlhofer. 3) Fix an old memory leak on aead algorithm usage. From Ilan Tayari. 4) A recent patch fixed a possible NULL pointer dereference but broke the vti6 input path. Fix from Nicolas Dichtel. ==================== Signed-off-by: David S. Miller commit 290b774a1e0cb385658ba117452e2a2962323b1f Merge: 75c9510 8d58790 Author: David S. Miller Date: Thu Sep 22 02:47:46 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160921' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-21 this is another pull request of one patch for the upcoming linux-4.8 release. Marek Vasut fixes the CAN-FD bit rate switch in the ifi driver by configuring the transmitter delay. ==================== Signed-off-by: David S. Miller commit 75c9510b8f745f75280029a8a9f96567f55f401e Author: Michael Chan Date: Tue Sep 20 23:33:15 2016 -0400 MAINTAINERS: Update b44 maintainer. Taking over as maintainer since Gary Zambrano is no longer working for Broadcom. Signed-off-by: Michael Chan Acked-by: Florian Fainelli Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit adb03115f4590baa280ddc440a8eff08a6be0cb7 Author: Eric Dumazet Date: Tue Sep 20 18:06:17 2016 -0700 net: get rid of an signed integer overflow in ip_idents_reserve() Jiri Pirko reported an UBSAN warning happening in ip_idents_reserve() [] UBSAN: Undefined behaviour in ./arch/x86/include/asm/atomic.h:156:11 [] signed integer overflow: [] -2117905507 + -695755206 cannot be represented in type 'int' Since we do not have uatomic_add_return() yet, use atomic_cmpxchg() so that the arithmetics can be done using unsigned int. Fixes: 04ca6973f7c1 ("ip: make IP identifiers less predictable") Signed-off-by: Eric Dumazet Reported-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/route.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit fba1296624bf95fc07057da1e26beee8a733180c Author: Kamal Heib Date: Tue Sep 20 14:55:31 2016 +0300 net/mlx4_core: Fix to clean devlink resources This patch cleans devlink resources by calling devlink_port_unregister() to avoid the following issues: - Kernel panic when triggering reset flow. - Memory leak due to unfreed resources in mlx4_init_port_info(). Fixes: 09d4d087cd48 ("mlx4: Implement devlink interface") Signed-off-by: Kamal Heib Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/main.c | 3 +++ 1 file changed, 3 insertions(+) commit 7932aa1e43b4d4117be7671bb299103e549aec11 Merge: b5036cd db64c5f Author: David S. Miller Date: Wed Sep 21 21:45:19 2016 -0400 Merge tag 'wireless-drivers-for-davem-2016-09-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 iwlwifi * fix to prevent firmware crash when sending off-channel frames ==================== Signed-off-by: David S. Miller commit 325c50e3cebb9208009083e841550f98a863bfa0 Author: Jeff Mahoney Date: Wed Sep 21 08:31:29 2016 -0400 btrfs: ensure that file descriptor used with subvol ioctls is a dir If the subvol/snapshot create/destroy ioctls are passed a regular file with execute permissions set, we'll eventually Oops while trying to do inode->i_op->lookup via lookup_one_len. This patch ensures that the file descriptor refers to a directory. Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules) Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl) Cc: #v2.6.29+ Signed-off-by: Jeff Mahoney Signed-off-by: Chris Mason fs/btrfs/ioctl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit 1e5ec2e709bd8c5588fdbdda909945e4e2be8d23 Author: Josef Bacik Date: Thu Sep 15 14:57:48 2016 -0400 Btrfs: handle quota reserve failure properly btrfs/022 was spitting a warning for the case that we exceed the quota. If we fail to make our quota reservation we need to clean up our data space reservation. Thanks, Signed-off-by: Josef Bacik Tested-by: Jeff Mahoney Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) commit 463e8f845cbf1c01e4cc8aeef1703212991d8e1e Author: Peter Rosin Date: Wed Sep 14 15:24:12 2016 +0200 i2c: mux: pca954x: retry updating the mux selection on failure The cached value of the last selected channel prevents retries on the next call, even on failure to update the selected channel. Fix that. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/muxes/i2c-mux-pca954x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 11294d63ac915230a36b0603c62134ef7b173d0a Author: Dan Williams Date: Wed Sep 21 09:21:26 2016 -0700 nfit: fail DSMs that return non-zero status by default For the DSMs where the kernel knows the format of the output buffer and originates those DSMs from within the kernel, return -EIO for any non-zero status. If the BIOS is indicating a status that we do not know how to handle, fail the DSM. Cc: Signed-off-by: Dan Williams drivers/acpi/nfit/core.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-) commit ecfb6d8a041cc2ca80bc69ffc20c00067d190df5 Author: Dan Williams Date: Wed Sep 21 09:22:33 2016 -0700 libnvdimm: fix devm_nvdimm_memremap() error path The internal alloc_nvdimm_map() helper might fail, particularly if the memory region is already busy. Report request_mem_region() failures and check for the failure. Reported-by: Ryan Chen Signed-off-by: Dan Williams drivers/nvdimm/core.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 371a015344b6e270e7e3632107d9554ec6d27a6b Author: Yadi.hu Date: Sun Sep 18 18:52:31 2016 +0800 i2c-eg20t: fix race between i2c init and interrupt enable the eg20t driver call request_irq() function before the pch_base_address, base address of i2c controller's register, is assigned an effective value. there is one possible scenario that an interrupt which isn't inside eg20t arrives immediately after request_irq() is executed when i2c controller shares an interrupt number with others. since the interrupt handler pch_i2c_handler() has already active as shared action, it will be called and read its own register to determine if this interrupt is from itself. At that moment, since base address of i2c registers is not remapped in kernel space yet,so the INT handler will access an illegal address and then a error occurs. Signed-off-by: Yadi.hu Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) commit 554af0c396380baf416f54c439b99b495180b2f4 Author: James Hogan Date: Wed Sep 7 13:37:01 2016 +0100 MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs The page structures associated with the vDSO pages in the kernel image are calculated using virt_to_page(), which uses __pa() under the hood to find the pfn associated with the virtual address. The vDSO data pointers however point to kernel symbols, so __pa_symbol() should really be used instead. Since there is no equivalent to virt_to_page() which uses __pa_symbol(), fix init_vdso_image() to work directly with pfns, calculated with __phys_to_pfn(__pa_symbol(...)). This issue broke the Malta Enhanced Virtual Addressing (EVA) configuration which has a non-default implementation of __pa_symbol(). This is because it uses a physical alias so that the kernel executes from KSeg0 (VA 0x80000000 -> PA 0x00000000), while RAM is provided to the kernel in the KUSeg range (VA 0x00000000 -> PA 0x80000000) which uses the same underlying RAM. Since there are no page structures associated with the low physical address region, some arbitrary kernel memory would be interpreted as a page structure for the vDSO pages and badness ensues. Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") Signed-off-by: James Hogan Cc: Leonid Yegoshin Cc: linux-mips@linux-mips.org Cc: # 4.4.x- Patchwork: https://patchwork.linux-mips.org/patch/14229/ Signed-off-by: Ralf Baechle arch/mips/kernel/vdso.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 8d58790b832e13d6006d842037732304af357c3c Author: Marek Vasut Date: Mon Sep 19 21:34:01 2016 +0200 net: can: ifi: Configure transmitter delay Configure the transmitter delay register at +0x1c to correctly handle the CAN FD bitrate switch (BRS). This moves the SSP (secondary sample point) to a proper offset, so that the TDC mechanism works and won't generate error frames on the CAN link. Signed-off-by: Marek Vasut Cc: Marc Kleine-Budde Cc: Mark Rutland Cc: Oliver Hartkopp Cc: Wolfgang Grandegger Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/ifi_canfd/ifi_canfd.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 63c43787d35e45562a6b5927e2edc8f4783d95b8 Author: Nicolas Dichtel Date: Mon Sep 19 16:17:57 2016 +0200 vti6: fix input path Since commit 1625f4529957, vti6 is broken, all input packets are dropped (LINUX_MIB_XFRMINNOSTATES is incremented). XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in xfrm6_rcv_spi(). A new function xfrm6_rcv_tnl() that enables to pass a value to xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function is used in several handlers). CC: Alexey Kodanev Fixes: 1625f4529957 ("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key") Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert include/net/xfrm.h | 4 +++- net/ipv6/ip6_vti.c | 4 +--- net/ipv6/xfrm6_input.c | 16 +++++++++++----- net/ipv6/xfrm6_tunnel.c | 2 +- 4 files changed, 16 insertions(+), 10 deletions(-) commit b5036cd4ed3173ab8cdbc85e2ba74acf46bafb51 Author: Nikolay Aleksandrov Date: Tue Sep 20 16:17:22 2016 +0200 ipmr, ip6mr: return lastuse relative to now When I introduced the lastuse member I made a subtle error because it was returned as an absolute value but that is meaningless to user-space as it doesn't allow to see how old exactly an entry is. Let's make it similar to how the bridge returns such values and make it relative to "now" (jiffies). This allows us to show the actual age of the entries and is much more useful (e.g. user-space daemons can age out entries, iproute2 can display the lastuse properly). Fixes: 43b9e1274060 ("net: ipmr/ip6mr: add support for keeping an entry age") Reported-by: Satish Ashok Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller net/ipv4/ipmr.c | 7 +++++-- net/ipv6/ip6mr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 493d5f6db0ab12a9fcac587ae223f3e4e48dba6f Merge: 9b86a8d d768c61 Author: David S. Miller Date: Wed Sep 21 00:53:53 2016 -0400 Merge branch 'r8152-phy-fixes' Hayes Wang says: ==================== r8152: correct the flow of PHY First, to enable the PHY as early as possible. Some settings may fail if the PHY is power down. Move the other PHY settings to hw_phy_cfg() to make sure the order is correct. Finally, disable ALDPS and EEE before updating the PHY for RTL8153. ==================== Signed-off-by: David S. Miller commit d768c61bc353a0e0de3f839e1de99eee7d4eca10 Author: hayeswang Date: Tue Sep 20 16:22:09 2016 +0800 r8152: disable ALDPS and EEE before setting PHY Disable ALDPS and EEE to avoid the possible failure when setting the PHY. Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit af0287ec10c62c84cc5cd1bad4fd37644a1ac41d Author: hayeswang Date: Tue Sep 20 16:22:08 2016 +0800 r8152: remove r8153_enable_eee Remove r8153_enable_eee(). Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) commit ef39df8eaba48c0de779440f41a648b17a560953 Author: hayeswang Date: Tue Sep 20 16:22:07 2016 +0800 r8152: move PHY settings to hw_phy_cfg Move the PHY relative settings together to hw_phy_cfg(). Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit 2dd436daac7848dbf3fe799cf59c1408871a14e3 Author: hayeswang Date: Tue Sep 20 16:22:06 2016 +0800 r8152: move enabling PHY Move enabling PHY to init(), otherwise some other settings may fail. Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) commit e6449539828ac3b7c74b648793291640bcca8259 Author: hayeswang Date: Tue Sep 20 16:22:05 2016 +0800 r8152: move some functions Move the following functions forward. r8152_mmd_indirect() r8152_mmd_read() r8152_mmd_write() r8152_eee_en() r8152b_enable_eee() r8153_eee_en() r8153_enable_eee() r8152b_enable_fc() r8153_aldps_en() Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 224 ++++++++++++++++++++++++------------------------ 1 file changed, 112 insertions(+), 112 deletions(-) commit 9b86a8d19bd6406a10de5f924bf2a003a502d427 Author: Hariprasad Shenai Date: Tue Sep 20 12:00:52 2016 +0530 cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter We were missing check for 25G and 100G while checking port speed, which lead to less number of queues getting allocated for 25G & 100G adapters and leading to low throughput. Adding the missing check for both NIC and vNIC driver. Also fixes port advertisement for 25G and 100G in ethtool output. Signed-off-by: Hariprasad Shenai Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 4 ++-- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 +++++++++++++-- drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 7 ++++++- drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 6 ++++++ drivers/net/ethernet/chelsio/cxgb4vf/t4vf_common.h | 15 +++++++++++---- drivers/net/ethernet/chelsio/cxgb4vf/t4vf_hw.c | 9 +++++++-- 6 files changed, 45 insertions(+), 11 deletions(-) commit b79331a5eb9f96e4dfd216974581168ec4c8a4d4 Author: Russell Currey Date: Wed Sep 14 16:37:17 2016 +1000 powerpc/powernv/pci: Fix m64 checks for SR-IOV and window alignment Commit 5958d19a143e checks for prefetchable m64 BARs by comparing the addresses instead of using resource flags. This broke SR-IOV as the m64 check in pnv_pci_ioda_fixup_iov_resources() fails. The condition in pnv_pci_window_alignment() also changed to checking only IORESOURCE_MEM_64 instead of both IORESOURCE_MEM_64 and IORESOURCE_PREFETCH. Revert these cases to the previous behaviour, adding a new helper function to do so. This is named pnv_pci_is_m64_flags() to make it clear this function is only looking at resource flags and should not be relied on for non-SRIOV resources. Fixes: 5958d19a143e ("Fix incorrect PE reservation attempt on some 64-bit BARs") Reported-by: Alexey Kardashevskiy Signed-off-by: Russell Currey Tested-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit ceb16a90136f42a0079b12d163c824b5825933f7 Merge: 67a99b7 4de349e Author: David S. Miller Date: Tue Sep 20 22:46:14 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160919' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-19 this is a pull request of one patch for the upcoming linux-4.8 release. The patch by Fabio Estevam fixes the pm handling in the flexcan driver. ==================== Signed-off-by: David S. Miller commit 7d1e042314619115153a0f6f06e4552c09a50e13 Merge: e23d415 aa4f060 Author: Linus Torvalds Date: Tue Sep 20 17:11:19 2016 -0700 Merge tag 'usercopy-v4.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull usercopy hardening fix from Kees Cook: "Expand the arm64 vmalloc check to include skipping the module space too" * tag 'usercopy-v4.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: mm: usercopy: Check for module addresses commit e23d4159b109167126e5bcd7f3775c95de7fee47 Author: Al Viro Date: Tue Sep 20 20:07:42 2016 +0100 fix fault_in_multipages_...() on architectures with no-op access_ok() Switching iov_iter fault-in to multipages variants has exposed an old bug in underlying fault_in_multipages_...(); they break if the range passed to them wraps around. Normally access_ok() done by callers will prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into such a range and they should not point to any valid objects). However, on architectures where userland and kernel live in different MMU contexts (e.g. s390) access_ok() is a no-op and on those a range with a wraparound can reach fault_in_multipages_...(). Since any wraparound means EFAULT there, the fix is trivial - turn those while (uaddr <= end) ... into if (unlikely(uaddr > end)) return -EFAULT; do ... while (uaddr <= end); Reported-by: Jan Stancek Tested-by: Jan Stancek Cc: stable@vger.kernel.org # v3.5+ Signed-off-by: Al Viro Signed-off-by: Linus Torvalds include/linux/pagemap.h | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) commit aa4f0601115319a52c80f468c8f007e5aa9277cb Author: Laura Abbott Date: Tue Sep 20 08:56:36 2016 -0700 mm: usercopy: Check for module addresses While running a compile on arm64, I hit a memory exposure usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes) ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:75! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp llc ebtable_nat ip6table_security ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle iptable_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys CPU: 0 PID: 19744 Comm: updatedb Tainted: G W 4.8.0-rc3-threadinfo+ #1 Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016 task: fffffe03df944c00 task.stack: fffffe00d128c000 PC is at __check_object_size+0x70/0x3f0 LR is at __check_object_size+0x70/0x3f0 ... [] __check_object_size+0x70/0x3f0 [] filldir64+0x158/0x1a0 [] __fat_readdir+0x4a0/0x558 [fat] [] fat_readdir+0x34/0x40 [fat] [] iterate_dir+0x190/0x1e0 [] SyS_getdents64+0x88/0x120 [] el0_svc_naked+0x24/0x28 fffffc0000f3b1a8 is a module address. Modules may have compiled in strings which could get copied to userspace. In this instance, it looks like "." which matches with a size of 1 byte. Extend the is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover all possible cases. Signed-off-by: Laura Abbott Signed-off-by: Kees Cook mm/usercopy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit e875bd66dfb68f4e898e9a43ef42858c504a7f23 Author: Paul Burton Date: Tue Sep 13 17:53:35 2016 +0100 irqchip/mips-gic: Fix local interrupts Since the device hierarchy domain was added by commit c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain"), GIC local interrupts have been broken. Users attempting to setup a per-cpu local IRQ, for example the GIC timer clock events code in drivers/clocksource/mips-gic-timer.c, the setup_percpu_irq function would refuse with -EINVAL because the GIC irqchip driver never called irq_set_percpu_devid so the IRQ_PER_CPU_DEVID flag was never set for the IRQ. This happens because irq_set_percpu_devid was being called from the gic_irq_domain_map function which is no longer called. Doing only that runs into further problems because gic_dev_domain_alloc set the struct irq_chip for all interrupts, local or shared, to gic_level_irq_controller despite that only being suitable for shared interrupts. The typical outcome of this is that gic_level_irq_controller callback functions are called for local interrupts, and then hwirq number calculations overflow & the driver ends up attempting to access some invalid register with an address calculated from an invalid hwirq number. Best case scenario is that this then leads to a bus error. This is fixed by abstracting the setup of the hwirq & chip to a new function gic_setup_dev_chip which is used by both the root GIC IRQ domain & the device domain. Finally, decoding local interrupts failed because gic_dev_domain_alloc only called irq_domain_alloc_irqs_parent for shared interrupts. Local ones were therefore never associated with hwirqs in the root GIC IRQ domain and the virq in gic_handle_local_int would always be 0. This is fixed by calling irq_domain_alloc_irqs_parent unconditionally & having gic_irq_domain_alloc handle both local & shared interrupts, which is easy due to the aforementioned abstraction of chip setup into gic_setup_dev_chip. This fixes use of the MIPS GIC timer for clock events, which has been broken since c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") but hadn't been noticed due to a silent fallback to the MIPS coprocessor 0 count/compare clock events device. Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Jason Cooper Cc: Qais Yousef Cc: stable@vger.kernel.org Cc: Marc Zyngier Link: http://lkml.kernel.org/r/20160913165335.31389-1-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-mips-gic.c | 105 ++++++++++++++++++++--------------------- 1 file changed, 50 insertions(+), 55 deletions(-) commit df04abfd181acc276ba6762c8206891ae10ae00d Author: Jiri Olsa Date: Thu Sep 8 09:57:08 2016 +0200 fs/proc/kcore.c: Add bounce buffer for ktext data We hit hardened usercopy feature check for kernel text access by reading kcore file: usercopy: kernel memory exposure attempt detected from ffffffff8179a01f () (4065 bytes) kernel BUG at mm/usercopy.c:75! Bypassing this check for kcore by adding bounce buffer for ktext data. Reported-by: Steve Best Fixes: f5509cc18daa ("mm: Hardened usercopy") Suggested-by: Kees Cook Signed-off-by: Jiri Olsa Acked-by: Kees Cook Signed-off-by: Linus Torvalds fs/proc/kcore.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit f5beeb1851ea6f8cfcf2657f26cb24c0582b4945 Author: Jiri Olsa Date: Thu Sep 8 09:57:07 2016 +0200 fs/proc/kcore.c: Make bounce buffer global for read Next patch adds bounce buffer for ktext area, so it's convenient to have single bounce buffer for both vmalloc/module and ktext cases. Suggested-by: Linus Torvalds Signed-off-by: Jiri Olsa Acked-by: Kees Cook Signed-off-by: Linus Torvalds fs/proc/kcore.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) commit 7597cdc066313bfd211cca2f9252dfeb41271391 Merge: d2ffb01 1297667 Author: Ingo Molnar Date: Tue Sep 20 16:56:56 2016 +0200 Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into efi/urgent Pull EFI fixes from Matt Fleming: * Fix a boot hang on large memory machines (multiple terabyte) caused by type conversion errors in the x86 PAT code (Matt Fleming) Signed-off-by: Ingo Molnar commit f1e1c9e5e357c05253affb13be29285c5cb56bf0 Author: Sebastian Andrzej Siewior Date: Tue Sep 20 15:12:21 2016 +0200 perf/x86/intel/bts: Make sure debug store is valid Since commit 4d4c47412464 ("perf/x86/intel/bts: Fix BTS PMI detection") my box goes boom on boot: | .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 | BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 | IP: [] intel_bts_interrupt+0x43/0x130 | Call Trace: | d [] intel_pmu_handle_irq+0x51/0x4b0 | [] perf_event_nmi_handler+0x27/0x40 This happens because the code introduced in this commit dereferences the debug store pointer unconditionally. The debug store is not guaranteed to be available, so a NULL pointer check as on other places is required. Fixes: 4d4c47412464 ("perf/x86/intel/bts: Fix BTS PMI detection") Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Peter Zijlstra Cc: vince@deater.net Cc: eranian@google.com Link: http://lkml.kernel.org/r/20160920131220.xg5pbdjtznszuyzb@breakpoint.cc Signed-off-by: Thomas Gleixner arch/x86/events/intel/bts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1297667083d5442aafe3e337b9413bf02b114edb Author: Matt Fleming Date: Mon Sep 19 13:09:09 2016 +0100 x86/efi: Only map RAM into EFI page tables if in mixed-mode Waiman reported that booting with CONFIG_EFI_MIXED enabled on his multi-terabyte HP machine results in boot crashes, because the EFI region mapping functions loop forever while trying to map those regions describing RAM. While this patch doesn't fix the underlying hang, there's really no reason to map EFI_CONVENTIONAL_MEMORY regions into the EFI page tables when mixed-mode is not in use at runtime. Reported-by: Waiman Long Cc: Ard Biesheuvel Cc: Borislav Petkov Cc: Linus Torvalds CC: Theodore Ts'o Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Scott J Norton Cc: Douglas Hatch Cc: # v4.6+ Signed-off-by: Matt Fleming arch/x86/platform/efi/efi_64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 Author: Matt Fleming Date: Tue Sep 20 14:26:21 2016 +0100 x86/mm/pat: Prevent hang during boot when mapping pages There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data types used for keeping track of how many pages have been mapped. This leads to hangs during boot when mapping large numbers of pages (multiple terabytes, as reported by Waiman) because those values are interpreted as being negative. commit 742563777e8d ("x86/mm/pat: Avoid truncation when converting cpa->numpages to address") fixed one of those bugs, but there is another lurking in __change_page_attr_set_clr(). Additionally, the return value type for the populate_*() functions can return negative values when a large number of pages have been mapped, triggering the error paths even though no error occurred. Consistently use 64-bit types on 64-bit platforms when counting pages. Even in the signed case this gives us room for regions 8PiB (pebibytes) in size whilst still allowing the usual negative value error checking idiom. Reported-by: Waiman Long Cc: Ard Biesheuvel Cc: Borislav Petkov Cc: Linus Torvalds CC: Theodore Ts'o Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Scott J Norton Cc: Douglas Hatch Signed-off-by: Matt Fleming arch/x86/mm/pageattr.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) commit 67a99b7061c07b190ac6c39f136afedbb7aa86e9 Author: Yuval Mintz Date: Mon Sep 19 17:47:41 2016 +0300 qed: Fix stack corruption on probe Commit fe56b9e6a8d95 ("qed: Add module with basic common support") has introduced a stack corruption during probe, where filling a local struct with data to be sent to management firmware is incorrectly filled; The data is written outside of the struct and corrupts the stack. Changes from v1: ---------------- - Correct the value written [Caught by David Laight] Fixes: fe56b9e6a8d95 ("qed: Add module with basic common support") Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_mcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3ed6e498b91a4dc5d0e8b6270a6c144061db2455 Author: Andrew Lunn Date: Sun Sep 18 21:17:19 2016 +0200 MAINTAINERS: Add an entry for the core network DSA code The core distributed switch architecture code currently does not have a MAINTAINERS entry, which results in some contributions not landing in the right peoples inbox. Signed-off-by: Andrew Lunn Acked-by: Florian Fainelli Acked-by: Vivien Didelot Signed-off-by: David S. Miller MAINTAINERS | 9 +++++++++ 1 file changed, 9 insertions(+) commit a435a07f9164dda7c0c26e8ad758881f4bafc127 Author: Vincent Bernat Date: Sun Sep 18 17:46:07 2016 +0200 net: ipv6: fallback to full lookup if table lookup is unsuitable Commit 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups") introduced a regression: insertion of an IPv6 route in a table not containing the appropriate connected route for the gateway but which contained a non-connected route (like a default gateway) fails while it was previously working: $ ip link add eth0 type dummy $ ip link set up dev eth0 $ ip addr add 2001:db8::1/64 dev eth0 $ ip route add ::/0 via 2001:db8::5 dev eth0 table 20 $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20 RTNETLINK answers: No route to host $ ip -6 route show table 20 default via 2001:db8::5 dev eth0 metric 1024 pref medium After this patch, we get: $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20 $ ip -6 route show table 20 2001:db8:cafe::1 via 2001:db8::6 dev eth0 metric 1024 pref medium default via 2001:db8::5 dev eth0 metric 1024 pref medium Fixes: 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups") Signed-off-by: Vincent Bernat Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: David S. Miller net/ipv6/route.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 7675bb2b176ea05bf4904223d760d1889f819714 Merge: 7ac3273 6c419ba Author: David S. Miller Date: Mon Sep 19 22:10:25 2016 -0400 Merge branch 'mlx5-fixes' Or Gerlitz says: ==================== mlx5 fixes to 4.8-rc6 This series series has a fix from Roi to memory corruption bug in the bulk flow counters code and two late and hopefully last fixes from me to the new eswitch offloads code. Series done over net commit 37dd348 "bna: fix crash in bnad_get_strings()" ==================== Signed-off-by: David S. Miller commit 6c419ba8e2580ab17c164db6e918e163d3537ec1 Author: Or Gerlitz Date: Sun Sep 18 18:20:29 2016 +0300 net/mlx5: E-Switch, Handle mode change failures E-switch mode changes involve creating HW tables, potentially allocating netdevices, etc, and things can fail. Add an attempt to rollback to the existing mode when changing to the new mode fails. Only if rollback fails, getting proper SRIOV functionality requires module unload or sriov disablement/enablement. Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) commit 4eea37d7b92076fdeac2a21e5f4dbd92d286719d Author: Or Gerlitz Date: Sun Sep 18 18:20:28 2016 +0300 net/mlx5: E-Switch, Fix error flow in the SRIOV e-switch init code When enablement of the SRIOV e-switch in certain mode (switchdev or legacy) fails, we must set the mode to none. Otherwise, we'll run into double free based crashes when further attempting to deal with the e-switch (such as when disabling sriov or unloading the driver). Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 + 1 file changed, 1 insertion(+) commit babd6134a54d70efe875fa5661a20eaecb63f278 Author: Roi Dayan Date: Sun Sep 18 18:20:27 2016 +0300 net/mlx5: Fix flow counter bulk command out mailbox allocation The FW command output length should be only the length of struct mlx5_cmd_fc_bulk out field. Failing to do so will cause the memcpy call which is invoked later in the driver to write over wrong memory address and corrupt kernel memory which results in random crashes. This bug was found using the kernel address sanitizer (kasan). Fixes: a351a1b03bf1 ('net/mlx5: Introduce bulk reading of flow counters') Signed-off-by: Roi Dayan Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 727653d6ce7103b245eb8041f55dd5885f4c3289 Author: James Morse Date: Mon Sep 19 18:29:15 2016 +0100 irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls gic_compute_target_list() which advances the iterator by the number of CPUs in the cluster. If gic_compute_target_list() reaches the last CPU it leaves the iterator pointing at the last CPU. This means the next time round the for_each_cpu() loop cpumask_next() will be called with an invalid CPU. This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS: [ 3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000 [ 3.077943] CPU1: Booted secondary processor [410fd0f0] [ 3.078542] ------------[ cut here ]------------ [ 3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170 [ 3.078812] Modules linked in: [ 3.078869] [ 3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188 [ 3.078994] Hardware name: Foundation-v8A (DT) [ 3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000 [ 3.079145] PC is at gic_raise_softirq+0x12c/0x170 [ 3.079226] LR is at gic_raise_softirq+0xa4/0x170 [ 3.079296] pc : [] lr : [] pstate: 200001c9 [ 3.081139] Call trace: [ 3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10) [ 3.082269] [] gic_raise_softirq+0x12c/0x170 [ 3.082354] [] smp_send_reschedule+0x34/0x40 [ 3.082433] [] resched_curr+0x50/0x88 [ 3.082512] [] check_preempt_curr+0x60/0xd0 [ 3.082593] [] ttwu_do_wakeup+0x20/0xe8 [ 3.082672] [] ttwu_do_activate+0x90/0xc0 [ 3.082753] [] try_to_wake_up+0x224/0x370 [ 3.082836] [] default_wake_function+0x10/0x18 [ 3.082920] [] __wake_up_common+0x5c/0xa0 [ 3.083003] [] __wake_up_locked+0x14/0x20 [ 3.083086] [] complete+0x40/0x60 [ 3.083168] [] secondary_start_kernel+0x15c/0x1d0 [ 3.083240] [<00000000808911a4>] 0x808911a4 [ 3.113401] Detected PIPT I-cache on CPU2 Avoid updating the iterator if the next call to cpumask_next() would cause the for_each_cpu() loop to exit. There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s eventual call to _find_next_bit() will return early as start >= nbits), this patch just silences the warning. Fixes: 021f653791ad ("irqchip: gic-v3: Initial support for GICv3") Signed-off-by: James Morse Acked-by: Marc Zyngier Cc: linux-arm-kernel@lists.infradead.org Cc: Jason Cooper Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-gic-v3.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit d2ffb0103aaefa9b169da042cf39ce27bfb6cdbb Merge: 7fadce0 b92ae13 Author: Linus Torvalds Date: Mon Sep 19 16:08:03 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "20 fixes" * emailed patches from Andrew Morton : rapidio/rio_cm: avoid GFP_KERNEL in atomic context Revert "ocfs2: bump up o2cb network protocol version" ocfs2: fix start offset to ocfs2_zero_range_for_truncate() cgroup: duplicate cgroup reference when cloning sockets mm: memcontrol: make per-cpu charge cache IRQ-safe for socket accounting ocfs2: fix double unlock in case retry after free truncate log fanotify: fix list corruption in fanotify_get_response() fsnotify: add a way to stop queueing events on group shutdown ocfs2: fix trans extend while free cached blocks ocfs2: fix trans extend while flush truncate log ipc/shm: fix crash if CONFIG_SHMEM is not set mm: fix the page_swap_info() BUG_ON check autofs: use dentry flags to block walks during expire MAINTAINERS: update email for VLYNQ bus entry mm: avoid endless recursion in dump_page() mm, thp: fix leaking mapped pte in __collapse_huge_page_swapin() khugepaged: fix use-after-free in collapse_huge_page() MAINTAINERS: Maik has moved ocfs2/dlm: fix race between convert and migration mem-hotplug: don't clear the only node in new_node_page() commit b92ae139c308c5223521ed6ec022148b81312809 Author: Alexandre Bounine Date: Mon Sep 19 14:44:47 2016 -0700 rapidio/rio_cm: avoid GFP_KERNEL in atomic context As reported by Alexey Khoroshilov (https://lkml.org/lkml/2016/9/9/737): riocm_send_close() is called from rio_cm_shutdown() under spin_lock_bh(idr_lock), but riocm_send_close() uses a GFP_KERNEL allocation. Fix by taking riocm_send_close() outside of spinlock protected code. [akpm@linux-foundation.org: remove unneeded `if (!list_empty())'] Link: http://lkml.kernel.org/r/20160915175402.10122-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Reported-by: Alexey Khoroshilov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/rapidio/rio_cm.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) commit 63b52c4936a2e679639c38ef51a50aa8ca1c5c07 Author: Junxiao Bi Date: Mon Sep 19 14:44:44 2016 -0700 Revert "ocfs2: bump up o2cb network protocol version" This reverts commit 38b52efd218b ("ocfs2: bump up o2cb network protocol version"). This commit made rolling upgrade fail. When one node is upgraded to new version with this commit, the remaining nodes will fail to establish connections to it, then the application like VMs on the remaining nodes can't be live migrated to the upgraded one. This will cause an outage. Since negotiate hb timeout behavior didn't change without this commit, so revert it. Fixes: 38b52efd218bf ("ocfs2: bump up o2cb network protocol version") Link: http://lkml.kernel.org/r/1471396924-10375-1-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/cluster/tcp_internal.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 Author: Ashish Samant Date: Mon Sep 19 14:44:42 2016 -0700 ocfs2: fix start offset to ocfs2_zero_range_for_truncate() If we punch a hole on a reflink such that following conditions are met: 1. start offset is on a cluster boundary 2. end offset is not on a cluster boundary 3. (end offset is somewhere in another extent) or (hole range > MAX_CONTIG_BYTES(1MB)), we dont COW the first cluster starting at the start offset. But in this case, we were wrongly passing this cluster to ocfs2_zero_range_for_truncate() to zero out. This will modify the cluster in place and zero it in the source too. Fix this by skipping this cluster in such a scenario. To reproduce: 1. Create a random file of say 10 MB xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile 2. Reflink it reflink -f 10MBfile reflnktest 3. Punch a hole at starting at cluster boundary with range greater that 1MB. You can also use a range that will put the end offset in another extent. fallocate -p -o 0 -l 1048615 reflnktest 4. sync 5. Check the first cluster in the source file. (It will be zeroed out). dd if=10MBfile iflag=direct bs= count=1 | hexdump -C Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.com Signed-off-by: Ashish Samant Reported-by: Saar Maoz Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Joseph Qi Cc: Eric Ren Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/file.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) commit d979a39d7242e0601bf9b60e89628fb8ac577179 Author: Johannes Weiner Date: Mon Sep 19 14:44:38 2016 -0700 cgroup: duplicate cgroup reference when cloning sockets When a socket is cloned, the associated sock_cgroup_data is duplicated but not its reference on the cgroup. As a result, the cgroup reference count will underflow when both sockets are destroyed later on. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Link: http://lkml.kernel.org/r/20160914194846.11153-2-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Acked-by: Tejun Heo Cc: Michal Hocko Cc: Vladimir Davydov Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/cgroup.c | 6 ++++++ net/core/sock.c | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-) commit db2ba40c277dc545bab531671c3f45ac0afea6f8 Author: Johannes Weiner Date: Mon Sep 19 14:44:36 2016 -0700 mm: memcontrol: make per-cpu charge cache IRQ-safe for socket accounting During cgroup2 rollout into production, we started encountering css refcount underflows and css access crashes in the memory controller. Splitting the heavily shared css reference counter into logical users narrowed the imbalance down to the cgroup2 socket memory accounting. The problem turns out to be the per-cpu charge cache. Cgroup1 had a separate socket counter, but the new cgroup2 socket accounting goes through the common charge path that uses a shared per-cpu cache for all memory that is being tracked. Those caches are safe against scheduling preemption, but not against interrupts - such as the newly added packet receive path. When cache draining is interrupted by network RX taking pages out of the cache, the resuming drain operation will put references of in-use pages, thus causing the imbalance. Disable IRQs during all per-cpu charge cache operations. Fixes: f7e1cb6ec51b ("mm: memcontrol: account socket memory in unified hierarchy memory controller") Link: http://lkml.kernel.org/r/20160914194846.11153-1-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Acked-by: Tejun Heo Cc: "David S. Miller" Cc: Michal Hocko Cc: Vladimir Davydov Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) commit 3bb8b653c86f6b1d2cc05aa1744fed4b18f99485 Author: Joseph Qi Date: Mon Sep 19 14:44:33 2016 -0700 ocfs2: fix double unlock in case retry after free truncate log If ocfs2_reserve_cluster_bitmap_bits() fails with ENOSPC, it will try to free truncate log and then retry. Since ocfs2_try_to_free_truncate_log will lock/unlock global bitmap inode, we have to unlock it before calling this function. But when retry reserve and it fails with no global bitmap inode lock taken, it will unlock again in error handling branch and BUG. This issue also exists if no need retry and then ocfs2_inode_lock fails. So fix it. Fixes: 2070ad1aebff ("ocfs2: retry on ENOSPC if sufficient space in truncate log") Link: http://lkml.kernel.org/r/57D91939.6030809@huawei.com Signed-off-by: Joseph Qi Signed-off-by: Jiufei Xue Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/suballoc.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 Author: Jan Kara Date: Mon Sep 19 14:44:30 2016 -0700 fanotify: fix list corruption in fanotify_get_response() fanotify_get_response() calls fsnotify_remove_event() when it finds that group is being released from fanotify_release() (bypass_perm is set). However the event it removes need not be only in the group's notification queue but it can have already moved to access_list (userspace read the event before closing the fanotify instance fd) which is protected by a different lock. Thus when fsnotify_remove_event() races with fanotify_release() operating on access_list, the list can get corrupted. Fix the problem by moving all the logic removing permission events from the lists to one place - fanotify_release(). Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reported-by: Miklos Szeredi Tested-by: Miklos Szeredi Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/fanotify/fanotify.c | 13 +------------ fs/notify/fanotify/fanotify_user.c | 36 ++++++++++++++++++++++++------------ fs/notify/notification.c | 15 --------------- include/linux/fsnotify_backend.h | 3 --- 4 files changed, 25 insertions(+), 42 deletions(-) commit 12703dbfeb15402260e7554d32a34ac40c233990 Author: Jan Kara Date: Mon Sep 19 14:44:27 2016 -0700 fsnotify: add a way to stop queueing events on group shutdown Implement a function that can be called when a group is being shutdown to stop queueing new events to the group. Fanotify will use this. Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/group.c | 19 +++++++++++++++++++ fs/notify/notification.c | 8 +++++++- include/linux/fsnotify_backend.h | 3 +++ 3 files changed, 29 insertions(+), 1 deletion(-) commit d5bf141893880f7283fe97e1812c58ff22c8f9a5 Author: Junxiao Bi Date: Mon Sep 19 14:44:24 2016 -0700 ocfs2: fix trans extend while free cached blocks The root cause of this issue is the same with the one fixed by the last patch, but this time credits for allocator inode and group descriptor may not be consumed before trans extend. The following error was caught: WARNING: CPU: 0 PID: 2037 at fs/jbd2/transaction.c:269 start_this_handle+0x4c3/0x510 [jbd2]() Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront fb_sys_fops sysimgblt sysfillrect syscopyarea xen_netfront parport_pc parport pcspkr i2c_piix4 i2c_core acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod CPU: 0 PID: 2037 Comm: rm Tainted: G W 4.1.12-37.6.3.el6uek.bug24573128v2.x86_64 #2 Hardware name: Xen HVM domU, BIOS 4.4.4OVM 02/11/2016 Call Trace: dump_stack+0x48/0x5c warn_slowpath_common+0x95/0xe0 warn_slowpath_null+0x1a/0x20 start_this_handle+0x4c3/0x510 [jbd2] jbd2__journal_restart+0x161/0x1b0 [jbd2] jbd2_journal_restart+0x13/0x20 [jbd2] ocfs2_extend_trans+0x74/0x220 [ocfs2] ocfs2_free_cached_blocks+0x16b/0x4e0 [ocfs2] ocfs2_run_deallocs+0x70/0x270 [ocfs2] ocfs2_commit_truncate+0x474/0x6f0 [ocfs2] ocfs2_truncate_for_delete+0xbd/0x380 [ocfs2] ocfs2_wipe_inode+0x136/0x6a0 [ocfs2] ocfs2_delete_inode+0x2a2/0x3e0 [ocfs2] ocfs2_evict_inode+0x28/0x60 [ocfs2] evict+0xab/0x1a0 iput_final+0xf6/0x190 iput+0xc8/0xe0 do_unlinkat+0x1b7/0x310 SyS_unlinkat+0x22/0x40 system_call_fastpath+0x12/0x71 ---[ end trace a62437cb060baa71 ]--- JBD2: rm wants too many credits (149 > 128) Link: http://lkml.kernel.org/r/1473674623-11810-2-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/alloc.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) commit 2b0ad0085aa47ace4756aa501274a7de0325c09c Author: Junxiao Bi Date: Mon Sep 19 14:44:21 2016 -0700 ocfs2: fix trans extend while flush truncate log Every time, ocfs2_extend_trans() included a credit for truncate log inode, but as that inode had been managed by jbd2 running transaction first time, it will not consume that credit until jbd2_journal_restart(). Since total credits to extend always included the un-consumed ones, there will be more and more un-consumed credit, at last jbd2_journal_restart() will fail due to credit number over the half of max transction credit. The following error was caught when unlinking a large file with many extents: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 13626 at fs/jbd2/transaction.c:269 start_this_handle+0x4c3/0x510 [jbd2]() Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea parport_pc parport pcspkr i2c_piix4 i2c_core acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod CPU: 0 PID: 13626 Comm: unlink Tainted: G W 4.1.12-37.6.3.el6uek.x86_64 #2 Hardware name: Xen HVM domU, BIOS 4.4.4OVM 02/11/2016 Call Trace: dump_stack+0x48/0x5c warn_slowpath_common+0x95/0xe0 warn_slowpath_null+0x1a/0x20 start_this_handle+0x4c3/0x510 [jbd2] jbd2__journal_restart+0x161/0x1b0 [jbd2] jbd2_journal_restart+0x13/0x20 [jbd2] ocfs2_extend_trans+0x74/0x220 [ocfs2] ocfs2_replay_truncate_records+0x93/0x360 [ocfs2] __ocfs2_flush_truncate_log+0x13e/0x3a0 [ocfs2] ocfs2_remove_btree_range+0x458/0x7f0 [ocfs2] ocfs2_commit_truncate+0x1b3/0x6f0 [ocfs2] ocfs2_truncate_for_delete+0xbd/0x380 [ocfs2] ocfs2_wipe_inode+0x136/0x6a0 [ocfs2] ocfs2_delete_inode+0x2a2/0x3e0 [ocfs2] ocfs2_evict_inode+0x28/0x60 [ocfs2] evict+0xab/0x1a0 iput_final+0xf6/0x190 iput+0xc8/0xe0 do_unlinkat+0x1b7/0x310 SyS_unlink+0x16/0x20 system_call_fastpath+0x12/0x71 ---[ end trace 28aa7410e69369cf ]--- JBD2: unlink wants too many credits (251 > 128) Link: http://lkml.kernel.org/r/1473674623-11810-1-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/alloc.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) commit 31b4beb473e3bdee1bf79db849502dcb24b5c202 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:18 2016 -0700 ipc/shm: fix crash if CONFIG_SHMEM is not set Commit c01d5b300774 ("shmem: get_unmapped_area align huge page") makes use of shm_get_unmapped_area() in shm_file_operations() unconditional to CONFIG_MMU. As Tony Battersby pointed this can lead NULL-pointer dereference on machine with CONFIG_MMU=y and CONFIG_SHMEM=n. In this case ipc/shm is backed by ramfs which doesn't provide f_op->get_unmapped_area for configurations with MMU. The solution is to provide dummy f_op->get_unmapped_area for ramfs when CONFIG_MMU=y, which just call current->mm->get_unmapped_area(). Fixes: c01d5b300774 ("shmem: get_unmapped_area align huge page") Link: http://lkml.kernel.org/r/20160912102704.140442-1-kirill.shutemov@linux.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Tony Battersby Tested-by: Tony Battersby Cc: Hugh Dickins Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ramfs/file-mmu.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit c8de641b1e9c5489aa6ca57b7836acd68e7563f1 Author: Santosh Shilimkar Date: Mon Sep 19 14:44:15 2016 -0700 mm: fix the page_swap_info() BUG_ON check Commit 62c230bc1790 ("mm: add support for a filesystem to activate swap files and use direct_IO for writing swap pages") replaced the swap_aops dirty hook from __set_page_dirty_no_writeback() with swap_set_page_dirty(). For normal cases without these special SWP flags code path falls back to __set_page_dirty_no_writeback() so the behaviour is expected to be the same as before. But swap_set_page_dirty() makes use of the page_swap_info() helper to get the swap_info_struct to check for the flags like SWP_FILE, SWP_BLKDEV etc as desired for those features. This helper has BUG_ON(!PageSwapCache(page)) which is racy and safe only for the set_page_dirty_lock() path. For the set_page_dirty() path which is often needed for cases to be called from irq context, kswapd() can toggle the flag behind the back while the call is getting executed when system is low on memory and heavy swapping is ongoing. This ends up with undesired kernel panic. This patch just moves the check outside the helper to its users appropriately to fix kernel panic for the described path. Couple of users of helpers already take care of SwapCache condition so I skipped them. Link: http://lkml.kernel.org/r/1473460718-31013-1-git-send-email-santosh.shilimkar@oracle.com Signed-off-by: Santosh Shilimkar Cc: Mel Gorman Cc: Joe Perches Cc: Peter Zijlstra Cc: Rik van Riel Cc: David S. Miller Cc: Jens Axboe Cc: Michal Hocko Cc: Hugh Dickins Cc: Al Viro Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/page_io.c | 3 +++ mm/swapfile.c | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) commit 7cbdb4a286a60c5d519cb9223fe2134d26870d39 Author: Ian Kent Date: Mon Sep 19 14:44:12 2016 -0700 autofs: use dentry flags to block walks during expire Somewhere along the way the autofs expire operation has changed to hold a spin lock over expired dentry selection. The autofs indirect mount expired dentry selection is complicated and quite lengthy so it isn't appropriate to hold a spin lock over the operation. Commit 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()") added a might_sleep() to dput() causing a WARN_ONCE() about this usage to be issued. But the spin lock doesn't need to be held over this check, the autofs dentry info. flags are enough to block walks into dentrys during the expire. I've left the direct mount expire as it is (for now) because it is much simpler and quicker than the indirect mount expire and adding spin lock release and re-aquires would do nothing more than add overhead. Fixes: 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()") Link: http://lkml.kernel.org/r/20160912014017.1773.73060.stgit@pluto.themaw.net Signed-off-by: Ian Kent Reported-by: Takashi Iwai Tested-by: Takashi Iwai Cc: Takashi Iwai Cc: NeilBrown Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/autofs4/expire.c | 55 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 13 deletions(-) commit 08eeb3061e44661afb4cb9eb08780e2fff8bfbc5 Author: Florian Fainelli Date: Mon Sep 19 14:44:09 2016 -0700 MAINTAINERS: update email for VLYNQ bus entry Link: http://lkml.kernel.org/r/1473218738-21836-1-git-send-email-f.fainelli@gmail.com Signed-off-by: Florian Fainelli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4d35427ad7641cba08ea0deffae1a78147ad41c0 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:07 2016 -0700 mm: avoid endless recursion in dump_page() dump_page() uses page_mapcount() to get mapcount of the page. page_mapcount() has VM_BUG_ON_PAGE(PageSlab(page)) as mapcount doesn't make sense for slab pages and the field in struct page used for other information. It leads to recursion if dump_page() called for slub page and DEBUG_VM is enabled: dump_page() -> page_mapcount() -> VM_BUG_ON_PAGE() -> dump_page -> ... Let's avoid calling page_mapcount() for slab pages in dump_page(). Link: http://lkml.kernel.org/r/20160908082137.131076-1-kirill.shutemov@linux.intel.com Signed-off-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/debug.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 982785c6b05a82c01e90687b7e25ee87c8970b2e Author: Ebru Akagunduz Date: Mon Sep 19 14:44:04 2016 -0700 mm, thp: fix leaking mapped pte in __collapse_huge_page_swapin() Currently, khugepaged does not permit swapin if there are enough young pages in a THP. The problem is when a THP does not have enough young pages, khugepaged leaks mapped ptes. This patch prohibits leaking mapped ptes. Link: http://lkml.kernel.org/r/1472820276-7831-1-git-send-email-ebru.akagunduz@gmail.com Signed-off-by: Ebru Akagunduz Suggested-by: Andrea Arcangeli Reviewed-by: Andrea Arcangeli Reviewed-by: Rik van Riel Cc: Vlastimil Babka Cc: Mel Gorman Cc: Kirill A. Shutemov Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/khugepaged.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit c131f751ab1a852d4dd4b490b3a7fbba7d738de5 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:01 2016 -0700 khugepaged: fix use-after-free in collapse_huge_page() hugepage_vma_revalidate() tries to re-check if we still should try to collapse small pages into huge one after the re-acquiring mmap_sem. The problem Dmitry Vyukov reported[1] is that the vma found by hugepage_vma_revalidate() can be suitable for huge pages, but not the same vma we had before dropping mmap_sem. And dereferencing original vma can lead to fun results.. Let's use vma hugepage_vma_revalidate() found instead of assuming it's the same as what we had before the lock was dropped. [1] http://lkml.kernel.org/r/CACT4Y+Z3gigBvhca9kRJFcjX0G70V_nRhbwKBU+yGoESBDKi9Q@mail.gmail.com Link: http://lkml.kernel.org/r/20160907122559.GA6542@black.fi.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Dmitry Vyukov Reviewed-by: Andrea Arcangeli Cc: Ebru Akagunduz Cc: Vlastimil Babka Cc: Mel Gorman Cc: Johannes Weiner Cc: Vegard Nossum Cc: Sasha Levin Cc: Konstantin Khlebnikov Cc: Andrey Ryabinin Cc: Greg Thelen Cc: Suleiman Souhlal Cc: Hugh Dickins Cc: David Rientjes Cc: syzkaller Cc: Kostya Serebryany Cc: Alexander Potapenko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/khugepaged.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit d8e3875431956c1f78e142d531f490f76c760ce3 Author: Sudip Mukherjee Date: Mon Sep 19 14:43:58 2016 -0700 MAINTAINERS: Maik has moved Maik is no longer using the plusserver.de email, update with his current email. Link: http://lkml.kernel.org/r/1473007794-27960-1-git-send-email-sudipm.mukherjee@gmail.com Signed-off-by: Sudip Mukherjee Cc: Maik Broemme Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e6f0c6e6170fec175fe676495f29029aecdf486c Author: Joseph Qi Date: Mon Sep 19 14:43:55 2016 -0700 ocfs2/dlm: fix race between convert and migration Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery") checks if lockres master has changed to identify whether new master has finished recovery or not. This will introduce a race that right after old master does umount ( means master will change), a new convert request comes. In this case, it will reset lockres state to DLM_RECOVERING and then retry convert, and then fail with lockres->l_action being set to OCFS2_AST_INVALID, which will cause inconsistent lock level between ocfs2 and dlm, and then finally BUG. Since dlm recovery will clear lock->convert_pending in dlm_move_lockres_to_recovery_list, we can use it to correctly identify the race case between convert and recovery. So fix it. Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery") Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.com Signed-off-by: Joseph Qi Signed-off-by: Jun Piao Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/dlm/dlmconvert.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 9bb627be47a574b764e162e8513d5db78d49e7f5 Author: Li Zhong Date: Mon Sep 19 14:43:52 2016 -0700 mem-hotplug: don't clear the only node in new_node_page() Commit 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") introduced new_node_page() for memory hotplug. In new_node_page(), the nid is cleared before calling __alloc_pages_nodemask(). But if it is the only node of the system, and the first round allocation fails, it will not be able to get memory from an empty nodemask, and will trigger oom. The patch checks whether it is the last node on the system, and if it is, then don't clear the nid in the nodemask. Fixes: 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") Link: http://lkml.kernel.org/r/1473044391.4250.19.camel@TP420 Signed-off-by: Li Zhong Reported-by: John Allen Acked-by: Vlastimil Babka Cc: Xishi Qiu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memory_hotplug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 7fadce0d60d09427e0027d3d468781b08ca0b3d1 Author: Linus Torvalds Date: Mon Sep 19 14:49:08 2016 -0700 scripts/faddr2line: improve on base path filtering a bit Due to our compiler include directives, the build pathnames for header files often end up being of the form "$srcdir/./include/linux/xyz.h", which ends up having that extra "." path component after the build base in it. Teach faddr2line to skip that too, to make code generated in inline functions in header files match the filename for the regular C files. Rabin Vincent pointed out that I can't make a stricter regexp match by using the " at " prefix for the pathname, because that ends up being locale-dependent. But this does require that the path match be preceded by a space, to make it a bit more strict (that matters mainly if we didn't find any base_dir at all, and we only end up with the "./" part of the match) Acked-by: Josh Poimboeuf Cc: Rabin Vincent Signed-off-by: Linus Torvalds scripts/faddr2line | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 164c80ed84a7669114869d9347c0f3ea7f56ea89 Author: Vivek Goyal Date: Mon Sep 19 15:12:41 2016 -0600 blk-throttle: Extend slice if throttle group is not empty Right now, if slice is expired, we start a new slice. If a bio is queued, we keep on extending slice by throtle_slice interval (100ms). This worked well as long as pending timer function got executed with-in few milli seconds of scheduled time. But looks like with recent changes in timer subsystem, slack can be much longer depending on the expiry time of the scheduled timer. commit 500462a9de65 ("timers: Switch to a non-cascading wheel") This means, by the time timer function gets executed, it is possible the delay from scheduled time is more than 100ms. That means current code will conclude that existing slice has expired and a new one needs to be started. New slice will be 100ms by default and that will not be sufficient to meet rate requirement of group given the bio size and bio will not be dispatched and we will start a new timer function to wait. And when that timer expires, same process will repeat and we will wait again and this can easily be an infinite loop. Solve this issue by starting a new slice only if throttle gropup is empty. If it is not empty, that means there should be an active slice going on. Ideally it should not be expired but given the slack, it is possible that it has expired. Reported-by: Hou Tao Signed-off-by: Vivek Goyal Signed-off-by: Jens Axboe block/blk-throttle.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 9d15ce9caaf9ecbec74e3be156a4a57451ed16c2 Author: Dan Williams Date: Mon Sep 19 13:49:48 2016 -0700 tools/testing/nvdimm: fix allocation range for mock flush hint tables Commit 480b6837aa57 "nvdimm: fix PHYS_PFN/PFN_PHYS mixup" identified that we were passing an invalid address to devm_nvdimm_ioremap(). With that fixed it exposed a bug in the memory reservation size for flush hint tables. Since we map a full page we need to mock a full page of memory to back the flush hint table entries. Cc: Oliver O'Halloran Signed-off-by: Dan Williams tools/testing/nvdimm/test/nfit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 7bb91e06730140a693611e51a4a9636152448bd3 Merge: 8ff77206 2db34e7 Author: Linus Torvalds Date: Mon Sep 19 12:58:34 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a potential weakness in IPsec CBC IV generation, as well as a number of issues that arose out of an OOM crash on ARM with CTR-mode AES" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: arm64/aes-ctr - fix NULL dereference in tail processing crypto: arm/aes-ctr - fix NULL dereference in tail processing crypto: skcipher - Fix blkcipher walk OOM crash crypto: echainiv - Replace chaining with multiplication commit 8ff77206aa36949afab46be43a3d14af75a4e270 Merge: 6732666 47a66e4 Author: Linus Torvalds Date: Mon Sep 19 12:27:31 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc7' of git://people.freedesktop.org/~airlied/linux Pull exynos and one stable ABI fix from Dave Airlie: "One important drm 32/64 ABI fix came in so I'll dequeue what I have, the rest is just exynos runtime pm fixes, but the net removal of code seems like a win to me. I'm going to be sporadic this week due to school holidays, so if anything urgent turns up, Daniel will take care of it" * tag 'drm-fixes-for-4.8-rc7' of git://people.freedesktop.org/~airlied/linux: drm: Only use compat ioctl for addfb2 on X86/IA64 Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning drm/exynos: g2d: fix system and runtime pm integration drm/exynos: rotator: fix system and runtime pm integration drm/exynos: gsc: fix system and runtime pm integration drm/exynos: fimc: fix system and runtime pm integration exynos-drm: Fix unsupported GEM memory type error message to be clear commit 67326666e2d45ebea7db3ed8e3e735f15e60dd91 Author: Josh Poimboeuf Date: Mon Sep 19 10:52:14 2016 -0500 scripts: add script for translating stack dump function offsets addr2line doesn't work with KASLR addresses. Add a basic addr2line wrapper script which takes the 'func+offset/size' format as input. Signed-off-by: Josh Poimboeuf Signed-off-by: Linus Torvalds scripts/faddr2line | 177 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) commit 08bccf43627e1972035c1fed5b4f570bdbde1b1e Author: Marcin Nowakowski Date: Fri Sep 2 10:13:21 2016 +0200 MIPS: Select HAVE_REGS_AND_STACK_ACCESS_API Add lost Kconfig symbol. This should have been part of 40e084a506eb ('MIPS: Add uprobes support.'). Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Signed-off-by: Marcin Nowakowski Signed-off-by: Ralf Baechle arch/mips/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 480b6837aa579991c6acc113bccf838e6a90843c Author: Oliver O'Halloran Date: Mon Sep 19 20:19:00 2016 +1000 nvdimm: fix PHYS_PFN/PFN_PHYS mixup nd_activate_region() iomaps any hint addresses required when activating a region. To prevent duplicate mappings it checks the PFN of the hint to be mapped against the PFNs of the already mapped hints. Unfortunately it doesn't convert the PFN back into a physical address before passing it to devm_nvdimm_ioremap(). Instead it applies PHYS_PFN a second time which ends about as well as you would imagine. Signed-off-by: Oliver O'Halloran Signed-off-by: Dan Williams drivers/nvdimm/region_devs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d8feef9bd447381952a33e6284241006f394c080 Author: Hans Verkuil Date: Sun Sep 18 11:24:50 2016 -0300 [media] cx23885/saa7134: assign q->dev to the PCI device Fix a regression caused by commit 2bc46b3ad3c1 ("[media] media/pci: convert drivers to use the new vb2_queue dev field"). Three places where q->dev should be set were missed, causing a WARN. Fixes: 2bc46b3ad3c1 ("[media] media/pci: convert drivers to use the new vb2_queue dev field"). Signed-off-by: Hans Verkuil Reported-by: Marton Balint Signed-off-by: Mauro Carvalho Chehab drivers/media/pci/cx23885/cx23885-417.c | 1 + drivers/media/pci/saa7134/saa7134-dvb.c | 1 + drivers/media/pci/saa7134/saa7134-empress.c | 1 + 3 files changed, 3 insertions(+) commit 8074d7829595b7c86beba914c04ed5839cf4b3d6 Author: Aaro Koskinen Date: Tue Aug 23 21:39:43 2016 +0300 MIPS: Octeon: Fix platform bus probing Commit 44a7185c2ae6 ("of/platform: Add common method to populate default bus") added new arch_initcall of_platform_default_populate_init() that will override device_initcall octeon_publish_devices(). This broke many OCTEON boards as important devices are not getting probed anymore (e.g. on EdgeRouter Lite the USB mass storage/rootfs is missing). Fix by changing octeon_publish_devices() to arch_initcall. Fixes: 44a7185c2ae6 ("of/platform: Add common method to populate default bus") Signed-off-by: Aaro Koskinen Acked-by: Rob Herring Cc: David Daney Cc: Kefeng Wang Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14041/ Signed-off-by: Ralf Baechle arch/mips/cavium-octeon/octeon-platform.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3312eca519ba3b68b1966705e27b9dd9134f092c Author: Aaro Koskinen Date: Tue Aug 23 01:07:35 2016 +0300 MIPS: Octeon: mangle-port: fix build failure with VDSO code Commit 1685ddbe35cd ("MIPS: Octeon: Changes to support readq()/writeq() usage.") added bitwise shift operations that assume that unsigned long is always 64-bits. This broke the build of VDSO code, as it gets compiled also in "faked" 32-bit mode. Althought the failing inline functions are never executed in 32-bit mode, they still need to pass the compilation. Fix by using 64-bit types explicitly. The patch fixes the following build failure: CC arch/mips/vdso/gettimeofday-o32.o In file included from los/git/devel/linux/arch/mips/include/asm/io.h:32:0, from los/git/devel/linux/arch/mips/include/asm/page.h:194, from los/git/devel/linux/arch/mips/vdso/vdso.h:26, from los/git/devel/linux/arch/mips/vdso/gettimeofday.c:11: los/git/devel/linux/arch/mips/include/asm/mach-cavium-octeon/mangle-port.h: In function '__should_swizzle_bits': los/git/devel/linux/arch/mips/include/asm/mach-cavium-octeon/mangle-port.h:19:40: error: right shift count >= width of type [-Werror=shift-count-overflow] unsigned long did = ((unsigned long)a >> 40) & 0xff; ^~ Fixes: 1685ddbe35cd ("MIPS: Octeon: Changes to support readq()/writeq() usage.") Signed-off-by: Aaro Koskinen Acked-by: David Daney Cc: David Daney Cc: Steven J. Hill Cc: Alex Smith Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14039/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mach-cavium-octeon/mangle-port.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b244614a60ab7ce54c12a9cbe15cfbf8d79d0967 Author: Marcin Nowakowski Date: Wed Aug 31 12:33:23 2016 +0200 MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) cpu_has_fpu macro uses smp_processor_id() and is currently executed with preemption enabled, that triggers the warning at runtime. It is assumed throughout the kernel that if any CPU has an FPU, then all CPUs would have an FPU as well, so it is safe to perform the check with preemption enabled - change the code to use raw_ variant of the check to avoid the warning. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 4.0+ Patchwork: https://patchwork.linux-mips.org/patch/14125/ Signed-off-by: Ralf Baechle arch/mips/kernel/process.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 Author: Fabio Estevam Date: Wed Aug 17 12:41:08 2016 -0300 can: flexcan: fix resume function On a imx6ul-pico board the following error is seen during system suspend: dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110 PM: Device 2090000.flexcan failed to resume: error -110 The reason for this suspend error is because when the CAN interface is not active the clocks are disabled and then flexcan_chip_enable() will always fail due to a timeout error. In order to fix this issue, only call flexcan_chip_enable/disable() when the CAN interface is active. Based on a patch from Dong Aisheng in the NXP kernel. Signed-off-by: Fabio Estevam Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/flexcan.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit b588479358ce26f32138e0f0a7ab0678f8e3e601 Author: Ilan Tayari Date: Sun Sep 18 07:42:53 2016 +0000 xfrm: Fix memory leak of aead algorithm name commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms") introduced aead. The function attach_aead kmemdup()s the algorithm name during xfrm_state_construct(). However this memory is never freed. Implementation has since been slightly modified in commit ee5c23176fcc ("xfrm: Clone states properly on migration") without resolving this leak. This patch adds a kfree() call for the aead algorithm name. Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms") Signed-off-by: Ilan Tayari Acked-by: Rami Rosen Signed-off-by: Steffen Klassert net/xfrm/xfrm_state.c | 1 + 1 file changed, 1 insertion(+) commit 38178e7b88dcbe1ab384f27a7370074e774dda81 Author: Lothar Waßmann Date: Mon Sep 19 11:09:40 2016 +0200 mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") introduced a regression accessing the OOB area from the mxc_nand driver due to an Obiwan error in the mxc_nand_v[12]_ooblayout_free() functions. They report a bogus oobregion { 64, 7 } which leads to errors accessing bogus data when reading the oob area. Prior to the commit the mtd-oobtest module could be run without any errors. With the offending commit, this test fails with results like: |Running mtd-oobtest | |================================================= |mtd_oobtest: MTD device: 5 |mtd_oobtest: MTD device size 524288, eraseblock size 131072, page size 2048, count of eraseblocks 4, pages per eraseblock 64, OOB size 64 |mtd_test: scanning for bad eraseblocks |mtd_test: scanned 4 eraseblocks, 0 are bad |mtd_oobtest: test 1 of 5 |mtd_oobtest: writing OOBs of whole device |mtd_oobtest: written up to eraseblock 0 |mtd_oobtest: written 4 eraseblocks |mtd_oobtest: verifying all eraseblocks |mtd_oobtest: error @addr[0x0:0x19] 0x9a -> 0x78 diff 0xe2 |mtd_oobtest: error @addr[0x0:0x1a] 0xcc -> 0x0 diff 0xcc |mtd_oobtest: error @addr[0x0:0x1b] 0xe0 -> 0x85 diff 0x65 |mtd_oobtest: error @addr[0x0:0x1c] 0x60 -> 0x62 diff 0x2 |mtd_oobtest: error @addr[0x0:0x1d] 0x69 -> 0x45 diff 0x2c |mtd_oobtest: error @addr[0x0:0x1e] 0xcd -> 0xa0 diff 0x6d |mtd_oobtest: error @addr[0x0:0x1f] 0xf2 -> 0x60 diff 0x92 |mtd_oobtest: error: verify failed at 0x0 [...] Signed-off-by: Lothar Waßmann Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") Cc: Signed-off-by: Boris Brezillon drivers/mtd/nand/mxc_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 559e58e7ed2dadc310f174e609ead8a3e8acfc4e Author: RogerCC Lin Date: Mon Sep 19 10:53:26 2016 +0800 mtd: nand: fix chances to create incomplete ECC data when writing When mtk_nfc_do_write_page() comparing the sector number,because the sector number field is at the 12th-bit position of NFI_BYTELEN register,the masked register should be shifted 12 bits before being compared.The result of this bug may cause the second subpage has incomplete ECC parity bytes. Signed-off-by: RogerCC Lin Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") Signed-off-by: Boris Brezillon drivers/mtd/nand/mtk_nand.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 7a353289925f01cb188ebc6fc4f4a33456b7de44 Author: RogerCC Lin Date: Mon Sep 19 10:53:25 2016 +0800 mtd: nand: fix generating over-boundary ECC data when writing When mtk_ecc_encode() is writing the ECC parity data to the OOB region,because each register is 4 bytes in length,but the len's unit is in bytes,the operation in the for loop will cross the ECC's boundary. Signed-off-by: RogerCC Lin Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") Signed-off-by: Boris Brezillon drivers/mtd/nand/mtk_ecc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 1984e075915cbae65336a99b1879865080d8e55e Author: Marc Zyngier Date: Mon Sep 19 09:49:27 2016 +0100 genirq: Skip chained interrupt trigger setup if type is IRQ_TYPE_NONE There is no point in trying to configure the trigger of a chained interrupt if no trigger information has been configured. At best this is ignored, and at the worse this confuses the underlying irqchip (which is likely not to handle such a thing), and unnecessarily alarms the user. Only apply the configuration if type is not IRQ_TYPE_NONE. Fixes: 1e12c4a9393b ("genirq: Correctly configure the trigger on chained interrupts") Reported-and-tested-by: Geert Uytterhoeven Signed-off-by: Marc Zyngier Link: https://lkml.kernel.org/r/CAMuHMdVW1eTn20=EtYcJ8hkVwohaSuH_yQXrY2MGBEvZ8fpFOg@mail.gmail.com Link: http://lkml.kernel.org/r/1474274967-15984-1-git-send-email-marc.zyngier@arm.com Signed-off-by: Thomas Gleixner kernel/irq/chip.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 47a66e45d7a7613322549c2475ea9d809baaf514 Author: Kristian H. Kristensen Date: Tue Sep 13 14:20:45 2016 -0700 drm: Only use compat ioctl for addfb2 on X86/IA64 Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an unaligned 64 bit field (modifier). This get packed differently between 32 bit and 64 bit modes on architectures that can handle unaligned 64 bit access (X86 and IA64). Other architectures pack the structs the same and don't need the compat wrapper. Use the same condition for drm_mode_fb_cmd2 as we use for drm_update_draw. Note that only the modifier will be packed differently between compat and non-compat versions. Reviewed-by: Rob Clark Signed-off-by: Kristian H. Kristensen [seanpaul added not at bottom of commit msg re: modifier] Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/drm_ioc32.c | 4 ++++ 1 file changed, 4 insertions(+) commit f2543242adccd86bfeea3a4921800879e7187810 Merge: 09cb5b7 4158dbe Author: Dave Airlie Date: Mon Sep 19 14:22:56 2016 +1000 Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes Just fixup to runtime pm usage and some cleanups. * 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos: Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning drm/exynos: g2d: fix system and runtime pm integration drm/exynos: rotator: fix system and runtime pm integration drm/exynos: gsc: fix system and runtime pm integration drm/exynos: fimc: fix system and runtime pm integration exynos-drm: Fix unsupported GEM memory type error message to be clear commit 7ac327318e09a53e3df431dfd3f664dac7aba4df Merge: 19cd120 85d5313 Author: David S. Miller Date: Sun Sep 18 22:26:49 2016 -0400 Merge tag 'mac80211-for-davem-2016-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Two more fixes: * reject aggregation sessions for TSID/TID 8-16 that we can never use anyway and which could confuse drivers * check return value of skb_linearize() ==================== Signed-off-by: David S. Miller commit 19cd120319ef5390404a5d9c829c3a7962f184a8 Author: Giuseppe CAVALLARO Date: Fri Sep 16 10:50:13 2016 +0200 stmmac: fix PWRDWN into the PMT register for global unicast. MAC devices use the RWKPKTEN and MGKPKTEN bits of the PMT Control/Status register to generate power management events. So this patch is to properly set the RWKPKTEN [BIT(2)] inside the PMT register (needed in case of global unicast). Reported-by: Aditi SHARMA Signed-off-by: Giuseppe Cavallaro Cc: Alexandre TORGUE Signed-off-by: David S. Miller drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 4158dbe1be9b420e1fdd9ec5c033647a605ca485 Author: Arnd Bergmann Date: Sun Sep 18 22:51:38 2016 +0900 Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning When CONFIG_PM is not set, we get a warning about an unused function: drivers/gpu/drm/exynos/exynos_drm_gsc.c:1219:12: error: 'gsc_clk_ctrl' defined but not used [-Werror=unused-function] static int gsc_clk_ctrl(struct gsc_context *ctx, bool enable) ^~~~~~~~~~~~ This removes the two #ifdef checks in this file and instead marks the functions as __maybe_unused, which is a more reliable way of doing the same, allowing better build coverage and avoiding the warning above. Signed-off-by: Arnd Bergmann Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_gsc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 3be7988674ab33565700a37b210f502563d932e6 Author: Linus Torvalds Date: Sun Sep 18 17:27:41 2016 -0700 Linux 4.8-rc7 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b01cf676835b681c159a395dc6828f1d6e3b3db6 Merge: 88b4ad2 e06226e Author: Linus Torvalds Date: Sun Sep 18 12:07:05 2016 -0700 Merge tag 'usb-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are two small fixes, and one new device id, for 4.8-rc7 The fixes solve a build error that was reported in your tree for the blackfin arch, and resolve an issue with a number of broken USB devices that reported the wrong interval rate. Included here is also a new device id for the usb-serial driver. All have been in linux-next with no reported issues" * tag 'usb-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: change bInterval default to 10 ms usb: musb: Fix tusb6010 compile error on blackfin USB: serial: simple: add support for another Infineon flashloader commit 88b4ad287c91790e98fe9381b5cba7b381f359c0 Merge: 3286be9 8e4b720 Author: Linus Torvalds Date: Sun Sep 18 11:57:24 2016 -0700 Merge tag 'fixes-for-linus-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull uaccess fixes from Guenter Roeck: "Two patches fixing problems introduced with copy_from_user changes" * tag 'fixes-for-linus-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: openrisc: fix the fix of copy_from_user() avr32: fix 'undefined reference to `___copy_from_user' commit 3286be94808c403a5ca6bb2830d933439315cb99 Merge: 6ffa36a 080fe0b Author: Linus Torvalds Date: Sun Sep 18 11:50:48 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "A couple of small fixes to x86 perf drivers: - Measure L2 for HW_CACHE* events on AMD - Fix the address filter handling in the intel/pt driver - Handle the BTS disabling at the proper place" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 perf/x86/intel/pt: Do validate the size of a kernel address filter perf/x86/intel/pt: Fix kernel address filter's offset validation perf/x86/intel/pt: Fix an off-by-one in address filter configuration perf/x86/intel: Don't disable "intel_bts" around "intel" event batching commit 6ffa36a59a01691cc8823ef1113e328bb84c14de Merge: aaed4d0 6cfeaf5 Author: Linus Torvalds Date: Sun Sep 18 11:38:46 2016 -0700 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull SMP build fixlet from Thomas Gleixner: "Add a missing include in cpuhotplug.h" * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu/hotplug: Include linux/types.h in linux/cpuhotplug.h commit aaed4d0bddaef70640fa8ac0d52a380e2d3c6101 Merge: d4690f1 5eb0d6e Author: Linus Torvalds Date: Sun Sep 18 11:08:00 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "Two patches from Boris which address a potential deadlock in the atmel irq chip driver" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/atmel-aic: Fix potential deadlock in ->xlate() genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers commit 8e4b72054f554967827e18be1de0e8122e6efc04 Author: Guenter Roeck Date: Sat Sep 17 12:57:24 2016 -0700 openrisc: fix the fix of copy_from_user() Since commit acb2505d0119 ("openrisc: fix copy_from_user()"), copy_from_user() returns the number of bytes requested, not the number of bytes not copied. Cc: Al Viro Fixes: acb2505d0119 ("openrisc: fix copy_from_user()") Signed-off-by: Guenter Roeck arch/openrisc/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 Author: Guenter Roeck Date: Sat Sep 17 07:52:49 2016 -0700 avr32: fix 'undefined reference to `___copy_from_user' avr32 builds fail with: arch/avr32/kernel/built-in.o: In function `arch_ptrace': (.text+0x650): undefined reference to `___copy_from_user' arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax': (.text+0x5dd8): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin': sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user' kernel/built-in.o: In function `ptrace_has_cap': ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user' kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to `___copy_from_user' follow Fixes: 8630c32275ba ("avr32: fix copy_from_user()") Cc: Al Viro Acked-by: Havard Skinnemoen Acked-by: Hans-Christian Noren Egtvedt Signed-off-by: Guenter Roeck arch/avr32/lib/copy_user.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b05984e21a7e000bf5074ace00d7a574944b2c16 Author: Marek Szyprowski Date: Wed Aug 31 14:55:57 2016 +0200 drm/exynos: g2d: fix system and runtime pm integration Move code from system sleep pm to runtime pm callbacks to ensure proper driver state preservation when device is under power domain. Then, use generic helpers for using runtime pm for system sleep pm. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_g2d.c | 29 +++++++---------------------- 1 file changed, 7 insertions(+), 22 deletions(-) commit 5b67723e6096f5470f361656cd108430d3b12c67 Author: Marek Szyprowski Date: Wed Aug 31 14:55:56 2016 +0200 drm/exynos: rotator: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_rotator.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) commit 83bd7b20aaf499030bf857ef64de3c19309b107d Author: Marek Szyprowski Date: Wed Aug 31 14:55:55 2016 +0200 drm/exynos: gsc: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_gsc.c | 29 ++--------------------------- 1 file changed, 2 insertions(+), 27 deletions(-) commit 479f12545460809cfc9093d90d6ed82d76388e97 Author: Marek Szyprowski Date: Wed Aug 31 14:55:54 2016 +0200 drm/exynos: fimc: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_fimc.c | 29 ++--------------------------- 1 file changed, 2 insertions(+), 27 deletions(-) commit 6244bd651236d86f59387d43c531b5f942a92b38 Author: Shuah Khan Date: Mon Aug 8 17:48:20 2016 -0600 exynos-drm: Fix unsupported GEM memory type error message to be clear Fix unsupported GEM memory type error message to include the memory type information. Signed-off-by: Shuah Khan Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_fb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Author: Al Viro Date: Fri Sep 16 00:11:45 2016 +0100 fix iov_iter_fault_in_readable() ... by turning it into what used to be multipages counterpart Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Linus Torvalds include/linux/uio.h | 2 +- lib/iov_iter.c | 24 ++---------------------- 2 files changed, 3 insertions(+), 23 deletions(-) commit f32a10df2ed6b87a10c1ca11757b0bbb035486a4 Merge: baf009f df804d5 Author: Linus Torvalds Date: Sat Sep 17 12:59:57 2016 -0700 Merge tag 'mmc-v4.8-rc6' of git://git.linaro.org/people/ulf.hansson/mmc Pull MMC fixes from Ulf Hansson: "MMC host: - omap/omap_hsmmc: Initialize dma_slave_config to avoid random data - sdhci-st: Handle interconnect clock" * tag 'mmc-v4.8-rc6' of git://git.linaro.org/people/ulf.hansson/mmc: mmc: omap: Initialize dma_slave_config to avoid random data in it's fields mmc: omap_hsmmc: Initialize dma_slave_config to avoid random data mmc: sdhci-st: Handle interconnect clock dt-bindings: mmc: sdhci-st: Mention the discretionary "icn" clock commit baf009f92731c0fc1f036d8b7dba3bf5bb2c2a5e Merge: 4d2899d ed7d9a1 Author: Linus Torvalds Date: Sat Sep 17 12:52:01 2016 -0700 Merge tag 'powerpc-4.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Fixes for code merged this cycle: - Fix restore of SPRs upon wake up from hypervisor state loss from Gautham R Shenoy - Fix the state of root PE from Gavin Shan - Detach from PE on releasing PCI device from Gavin Shan - Fix size of NUM_CPU_FTR_KEYS on 32-bit - Fix missed TCE invalidations that should fallback to OPAL" * tag 'powerpc-4.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv/pci: Fix missed TCE invalidations that should fallback to OPAL powerpc/powernv: Detach from PE on releasing PCI device powerpc/powernv: Fix the state of root PE powerpc/kernel: Fix size of NUM_CPU_FTR_KEYS on 32-bit powerpc/powernv: Fix restore of SPRs upon wake up from hypervisor state loss commit 37dd348270c1a48f0234354a06c0ce052b6c85b1 Author: Ivan Vecera Date: Thu Sep 15 22:47:52 2016 +0200 bna: fix crash in bnad_get_strings() Commit 6e7333d "net: add rx_nohandler stat counter" added the new entry rx_nohandler into struct rtnl_link_stats64. Unfortunately the bna driver foolishly depends on the structure. It uses part of it for ethtool statistics and it's not bad but the driver assumes its size is constant as it defines string for each existing entry. The problem occurs when the structure is extended because you need to modify bna driver as well. If not any attempt to retrieve ethtool statistics results in crash in bnad_get_strings(). The patch changes BNAD_ETHTOOL_STATS_NUM so it counts real number of strings in the array and also removes rtnl_link_stats64 entries that are not used in output and are always zero. Fixes: 6e7333d "net: add rx_nohandler stat counter" Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 50 ++++++++++++------------- 1 file changed, 23 insertions(+), 27 deletions(-) commit 2835d2d9e366a2985b24051d228333bfba82f3a7 Author: Ivan Vecera Date: Thu Sep 15 22:47:51 2016 +0200 bna: add missing per queue ethtool stat Commit ba5ca784 "bna: check for dma mapping errors" added besides other things a statistic that counts number of DMA buffer mapping failures per each Rx queue. This counter is not included in ethtool stats output. Fixes: ba5ca784 "bna: check for dma mapping errors" Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit db64c5fa590b5d82ac0d5ec39bc498f95094e66b Merge: a071412 54c5ef2 Author: Kalle Valo Date: Sat Sep 17 17:06:22 2016 +0300 Merge tag 'iwlwifi-for-kalle-2016-09-15' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes * fix to prevent firmware crash when sending off-channel frames commit 4496195ddd75c4ad57b783739414e69b7d79843e Author: Marcelo Ricardo Leitner Date: Thu Sep 15 15:02:38 2016 -0300 sctp: fix SSN comparision This function actually operates on u32 yet its paramteres were declared as u16, causing integer truncation upon calling. Note in patch context that ADDIP_SERIAL_SIGN_BIT is already 32 bits. Signed-off-by: Marcelo Ricardo Leitner Acked-by: Neil Horman Signed-off-by: David S. Miller include/net/sctp/sm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8ab86c00e349cef9fb14719093a7f198bcc72629 Author: phil.turnbull@oracle.com Date: Thu Sep 15 12:41:44 2016 -0400 irda: Free skb on irda_accept error path. skb is not freed if newsk is NULL. Rework the error path so free_skb is unconditionally called on function exit. Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups") Signed-off-by: Phil Turnbull Signed-off-by: David S. Miller net/irda/af_irda.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d Author: Eric Dumazet Date: Thu Sep 15 08:48:46 2016 -0700 net: avoid sk_forward_alloc overflows A malicious TCP receiver, sending SACK, can force the sender to split skbs in write queue and increase its memory usage. Then, when socket is closed and its write queue purged, we might overflow sk_forward_alloc (It becomes negative) sk_mem_reclaim() does nothing in this case, and more than 2GB are leaked from TCP perspective (tcp_memory_allocated is not changed) Then warnings trigger from inet_sock_destruct() and sk_stream_kill_queues() seeing a not zero sk_forward_alloc All TCP stack can be stuck because TCP is under memory pressure. A simple fix is to preemptively reclaim from sk_mem_uncharge(). This makes sure a socket wont have more than 2 MB forward allocated, after burst and idle period. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/sock.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit ffb4d6c8508657824bcef68a36b2a0f9d8c09d10 Author: Eric Dumazet Date: Thu Sep 15 08:12:33 2016 -0700 tcp: fix overflow in __tcp_retransmit_skb() If a TCP socket gets a large write queue, an overflow can happen in a test in __tcp_retransmit_skb() preventing all retransmits. The flow then stalls and resets after timeouts. Tested: sysctl -w net.core.wmem_max=1000000000 netperf -H dest -- -s 1000000000 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit cce94483e47e8e3d74cf4475dea33f9fd4b6ad9f Author: Filipe Manco Date: Thu Sep 15 17:10:46 2016 +0200 xen-netback: fix error handling on netback_probe() In case of error during netback_probe() (e.g. an entry missing on the xenstore) netback_remove() is called on the new device, which will set the device backend state to XenbusStateClosed by calling set_backend_state(). However, the backend state wasn't initialized by netback_probe() at this point, which will cause and invalid transaction and set_backend_state() to BUG(). Initialize the backend state at the beginning of netback_probe() to XenbusStateInitialising, and create two new valid state transitions on set_backend_state(), from XenbusStateInitialising to XenbusStateClosed, and from XenbusStateInitialising to XenbusStateInitWait. Signed-off-by: Filipe Manco Acked-by: Wei Liu Signed-off-by: David S. Miller drivers/net/xen-netback/xenbus.c | 46 ++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 16 deletions(-) commit 4d2899d73c4734cd04edb9409a72d0ef637cfb06 Merge: 87ee128 348c1bf Author: Linus Torvalds Date: Fri Sep 16 17:09:48 2016 -0700 Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Small set of cifs fixes" * 'for-next' of git://git.samba.org/sfrench/cifs-2.6: Move check for prefix path to within cifs_get_root() Compare prepaths when comparing superblocks Fix memory leaks in cifs_do_mount() commit 87ee1280ff80e04adf9b36361235eef76cd80301 Merge: 5fbf3e3 bf2c4b6 Author: Linus Torvalds Date: Fri Sep 16 17:00:26 2016 -0700 Merge tag 'nfsd-4.8-2' of git://linux-nfs.org/~bfields/linux Pull nfsd bugfix from Bruce Fields: "Fix a memory corruption bug that I introduced in 4.7" * tag 'nfsd-4.8-2' of git://linux-nfs.org/~bfields/linux: svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") commit 5fbf3e3275a739f93fee9fb32c41e5a018c97b8d Merge: 095f5cf 09cb5b7 Author: Linus Torvalds Date: Fri Sep 16 16:27:30 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc6' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Two sets of i915 fixes, one set of vc4 crasher fixes, and a couple of atmel fixes. Nothing too out there at this stage, though I think some people are holidaying so it's been quiet enough" * tag 'drm-fixes-for-4.8-rc6' of git://people.freedesktop.org/~airlied/linux: drm/i915: Ignore OpRegion panel type except on select machines Revert "drm/i915/psr: Make idle_frames sensible again" drm/i915: Restore lost "Initialized i915" welcome message drm/vc4: mark vc4_bo_cache_purge() static drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB drm/i915: disable 48bit full PPGTT when vGPU is active drm/i915: enable vGPU detection for all drm/atmel-hlcdc: Make ->reset() implementation static drm: atmel-hlcdc: Fix vertical scaling drm/vc4: Allow some more signals to be packed with uniform resets. drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() commit 095f5cfaea5f03db6c6bd7c3bd9aa790a21e797a Merge: dd5a477 7789357 Author: Linus Torvalds Date: Fri Sep 16 16:22:52 2016 -0700 Merge tag 'pm-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "More annotations of tracepoints in the runtime PM framework to prevent RCU from complaining when that code is invoked from the idle path (Paul McKenney)" * tag 'pm-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / runtime: Use _rcuidle for runtime suspend tracepoints commit 09cb5b78af52208afb9f1b194c8a9154df4a4782 Merge: 9929c09 ea90383 Author: Dave Airlie Date: Sat Sep 17 07:57:55 2016 +1000 Merge tag 'drm-vc4-fixes-2016-09-14' of https://github.com/anholt/linux into drm-fixes This pull request brings in a fix for crashes in X on VC4. * tag 'drm-vc4-fixes-2016-09-14' of https://github.com/anholt/linux: drm/vc4: mark vc4_bo_cache_purge() static drm/vc4: Allow some more signals to be packed with uniform resets. commit 9929c09767da8c5936dda6ea6d5054e4c1bc5f6e Merge: 7eebfba ea54ff4 Author: Dave Airlie Date: Sat Sep 17 07:57:21 2016 +1000 Merge tag 'drm-intel-fixes-2016-09-15' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes from Jani. * tag 'drm-intel-fixes-2016-09-15' of git://anongit.freedesktop.org/drm-intel: drm/i915: Ignore OpRegion panel type except on select machines Revert "drm/i915/psr: Make idle_frames sensible again" drm/i915: Restore lost "Initialized i915" welcome message commit dd5a477c7f31a44d9f16b24fbf015611eb13a9f2 Merge: 008f08d e4618d4 Author: Linus Torvalds Date: Fri Sep 16 13:51:42 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "Round three of 4.8 rc fixes. This is likely the last rdma pull request this cycle. The new rxe driver had a few issues (you probably saw the boot bot bug report) and they should be addressed now. There are a couple other fixes here, mainly mlx4. There are still two outstanding issues that need resolved but I don't think their fix will make this kernel cycle. Summary: - Various fixes to rdmavt, ipoib, mlx5, mlx4, rxe" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: IB/rdmavt: Don't vfree a kzalloc'ed memory region IB/rxe: Fix kmem_cache leak IB/rxe: Fix race condition between requester and completer IB/rxe: Fix duplicate atomic request handling IB/rxe: Fix kernel panic in udp_setup_tunnel IB/mlx5: Set source mac address in FTE IB/mlx5: Enable MAD_IFC commands for IB ports only IB/mlx4: Diagnostic HW counters are not supported in slave mode IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV IB/mlx4: Fix code indentation in QP1 MAD flow IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV IB/ipoib: Don't allow MC joins during light MC flush IB/rxe: fix GFP_KERNEL in spinlock context commit 008f08d64a74a71a4ea99533d0520d804048a4a0 Merge: cac4662 6408649 Author: Linus Torvalds Date: Fri Sep 16 12:15:41 2016 -0700 Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Arnd Bergmann: "Here are a couple of bugfixes for v4.8-rc. Most of them have actually been around for a while this time but for some reason didn't get applied early on. The shmobile regulator fix is the only one that isn't completely obvious. Device tree changes: - archtimer interrupts must be level triggered (multiple platforms) - fix for USB and MMC clocks on STiH410 - fix split DT repository in case of raspberry-pi 3 - a new use of skeleton.dtsi on arm64 has crept in after that was removed. defconfig updates: - xilinx vdma has a new Kconfig symbol name - keystone requires CONFIG_NOP_USB_XCEIV since v4.8-rc1 Code fixes: - fix regulator quirk on shmobile - suspend-to-ram regression on EXYNOS Maintainer updates: - Javier Martinez Canillas is now a reviewer for Samsung EXYNOS" * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: keystone: defconfig: Fix USB configuration arm64: dts: Fix broken architected timer interrupt trigger ARM: multi_v7_defconfig: update XILINX_VDMA ARM64: dts: bcm: Use a symlink to R-Pi dtsi files from arch=arm ARM: dts: Remove use of skeleton.dtsi from bcm283x.dtsi ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) ARM: shmobile: fix regulator quirk for Gen2 ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback MAINTAINERS: Add myself as reviewer for Samsung Exynos support commit cac4662a88702fc9e405ef19c429de375822d77a Merge: 22f6b4d 1a57c28 Author: Linus Torvalds Date: Fri Sep 16 12:08:13 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Most of this update are fixes primarily discovered from testing on the older StrongARM 1110 and PXA systems, as a result of recent interest from several people in these platforms: - Locomo interrupt handling incorrectly stores the handler data in the chip's private data slot: when Locomo is combined with an interrupt controller who's chip uses the chip private data, this leads to an oops. - SA1111 was missing a call to clk_disable() to clean up after a failed probe. - SA1111 and PCMCIA suspend/resume was broken: The PCMCIA "ds" layer was using the legacy bus suspend/resume methods, which the core PM code is no longer calling as a result of device_pm_check_callbacks() introduced in commit aa8e54b559479 ("PM / sleep: Go direct_complete if driver has no callbacks"). SA1111 was broken due to changes to PCMCIA which makes PCMCIA suspend itself later than the SA1111 code expects, and resume before the SA1111 code has initialised access to the pcmcia sub-device. - the default SA1111 interrupt mask polarity got messed up when it was converted to use a dynamic interrupt base number for its interrupts. - fix platform_get_irq() error code propagation, which was causing problems on platforms where the interrupt may not be available at probe time in DT setups. - fix the lack of clock to PCMCIA code on PXA platforms, which was omitted in conversions of PXA to CCF. - fix an oops in the PXA PCMCIA code caused by a previous commit not realising that Lubbock is different from the rest of the PXA PCMCIA drivers. - ensure that SA1111 low-level PCMCIA drivers propagate their error codes to the main probe function, rather than the driver silently accepting a failure. - fix the sa11xx debugfs reporting of timing information, which always indicated zero due to the clock being a factor of 1000 out. - fix the polarity of the status change signal reported from the sockets. Lastly, one ARM specific commit from Stefan Agner fixing the LPAE cache attributes" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: pxa/lubbock: add pcmcia clock ARM: locomo: fix locomo irq handling ARM: 8612/1: LPAE: initialize cache policy correctly ARM: sa1111: fix missing clk_disable() ARM: sa1111: fix pcmcia suspend/resume ARM: sa1111: fix pcmcia interrupt mask polarity ARM: sa1111: fix error code propagation in sa1111_probe() pcmcia: lubbock: fix sockets configuration pcmcia: sa1111: fix propagation of lowlevel board init return code pcmcia: soc_common: fix SS_STSCHG polarity pcmcia: sa11xx_base: add units to the timing information pcmcia: sa11xx_base: fix reporting of timing information pcmcia: ds: fix suspend/resume commit e4618d40eb3dc1a6d1f55f7150ea25bb23ab410a Author: Colin Ian King Date: Fri Sep 9 08:15:37 2016 +0100 IB/rdmavt: Don't vfree a kzalloc'ed memory region The userspace memory region 'mr' is allocated with kzalloc in __rvt_alloc_mr however it is incorrectly being freed with vfree in __rvt_free_mr. Fix this by using kfree to free it. Signed-off-by: Colin Ian King Reviewed-by: Leon Romanovsky Acked-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/sw/rdmavt/mr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c1cc72cb6ff95cbe02ed747866576dccab4a5911 Author: Yonatan Cohen Date: Wed Sep 7 14:04:07 2016 +0300 IB/rxe: Fix kmem_cache leak Decrement qp reference when handling error path in completer to prevent kmem_cache leak. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_comp.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit 3050b99850247695cb07a5c15265afcc08bcf400 Author: Yonatan Cohen Date: Wed Sep 7 14:04:06 2016 +0300 IB/rxe: Fix race condition between requester and completer rxe_requester() is sending a pkt with rxe_xmit_packet() and then calls rxe_update() to update the wqe and qp's psn values. But sometimes the response is received before the requester had time to update the wqe in which case the completer acts on errornous wqe values. This fix updates the wqe and qp before actually sending the request and rolls back when xmit fails. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_req.c | 57 ++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 13 deletions(-) commit 908948877bbbb240f67d7eb27d3a392beb394a07 Author: Yonatan Cohen Date: Wed Sep 7 14:04:05 2016 +0300 IB/rxe: Fix duplicate atomic request handling When handling ack for atomic opcodes like "fetch&add" or "cmp&swp", the method send_atomic_ack() saves the ack before sending it, in case it gets lost and never reach the requester. In which case the method duplicate_request() will need to find it using the duplicated request.psn. But send_atomic_ack() used a wrong psn value and thus the above ack was never found. This fix uses the ack.psn to locate the ack in case its needed. This fix also copies the ack packet to the skb's control buffer since duplicate_request() will need it when calling rxe_xmit_packet() Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_resp.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) commit dfdd6158ca2c8838313470c5ab79243d04da70b2 Author: Yonatan Cohen Date: Wed Sep 7 14:04:04 2016 +0300 IB/rxe: Fix kernel panic in udp_setup_tunnel Disable creation of a UDP socket for ipv6 when CONFIG_IPV6 is not enabeld. Since udp_sock_create6() returns 0 when CONFIG_IPV6 is not set [ 46.888632] IP: [] setup_udp_tunnel_sock+0x6/0x4f [ 46.891355] *pdpt = 0000000000000000 *pde = f000ff53f000ff53 [ 46.893918] Oops: 0002 [#1] PREEMPT [ 46.896014] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-rc4-00001-g8700e3e #1 [ 46.900280] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 [ 46.904905] task: cf06c040 ti: cf05e000 task.ti: cf05e000 [ 46.907854] EIP: 0060:[] EFLAGS: 00210246 CPU: 0 [ 46.911137] EIP is at setup_udp_tunnel_sock+0x6/0x4f [ 46.914070] EAX: 00000044 EBX: 00000001 ECX: cf05fef0 EDX: ca8142e0 [ 46.917236] ESI: c2c4505b EDI: cf05fef0 EBP: cf05fed0 ESP: cf05fed0 [ 46.919836] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 46.922046] CR0: 80050033 CR2: 000001fc CR3: 02cec000 CR4: 000006b0 [ 46.924550] Stack: [ 46.926014] cf05ff10 c1fd4657 ca8142e0 0000000a 00000000 00000000 0000b712 00000008 [ 46.931274] 00000000 6bb5bd01 c1fd48de 00000000 00000000 cf05ff1c 00000000 00000000 [ 46.936122] cf05ff1c c1fd4bdf 00000000 cf05ff28 c2c4507b ffffffff cf05ff88 c2bf1c74 [ 46.942350] Call Trace: [ 46.944403] [] rxe_setup_udp_tunnel+0x8f/0x99 [ 46.947689] [] ? net_to_rxe+0x4e/0x4e [ 46.950567] [] rxe_net_init+0xe/0xa4 [ 46.953147] [] rxe_module_init+0x20/0x4c [ 46.955448] [] do_one_initcall+0x89/0x113 [ 46.957797] [] ? set_debug_rodata+0xf/0xf [ 46.959966] [] ? kernel_init_freeable+0xbe/0x15b [ 46.962262] [] kernel_init_freeable+0xde/0x15b [ 46.964418] [] kernel_init+0x8/0xd0 [ 46.966618] [] ret_from_kernel_thread+0xe/0x24 [ 46.969592] [] ? rest_init+0x6f/0x6f Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe.c | 25 +++++++++++++++-- drivers/infiniband/sw/rxe/rxe_net.c | 55 +++++++++++++++++-------------------- drivers/infiniband/sw/rxe/rxe_net.h | 5 +++- 3 files changed, 51 insertions(+), 34 deletions(-) commit ee3da804ad1b1dd4c766199a6e8443542b0aaaef Author: Maor Gottlieb Date: Mon Sep 12 19:16:24 2016 +0300 IB/mlx5: Set source mac address in FTE Set the source mac address in the FTE when L2 specification is provided. Fixes: 038d2ef87572 ('IB/mlx5: Add flow steering support') Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 7fae6655a0c897875bd34501ec092232b526d3e4 Author: Noa Osherovich Date: Mon Sep 12 19:16:23 2016 +0300 IB/mlx5: Enable MAD_IFC commands for IB ports only MAD_IFC command is supported only for physical functions (PF) and when physical port is IB. The proposed fix enforces it. Fixes: d603c809ef91 ("IB/mlx5: Fix decision on using MAD_IFC") Reported-by: David Chang Signed-off-by: Noa Osherovich Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 69d269d38910e697e461ec5677368f57d2046cbe Author: Kamal Heib Date: Mon Sep 12 19:16:22 2016 +0300 IB/mlx4: Diagnostic HW counters are not supported in slave mode Modify the mlx4_ib_diag_counters() to avoid the following error in the hypervisor when the slave tries to query the hardware counters in SR-IOV mode. mlx4_core 0000:81:00.0: Unknown command:0x30 accepted from slave:1 Fixes: 3f85f2aaabf7 ("IB/mlx4: Add diagnostic hardware counters") Signed-off-by: Kamal Heib Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/main.c | 3 +++ 1 file changed, 3 insertions(+) commit 8ec07bf8a8b57d6c58927a16a0a22c0115cf2855 Author: Jack Morgenstein Date: Mon Sep 12 19:16:20 2016 +0300 IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV When sending QP1 MAD packets which use a GRH, the source GID (which consists of the 64-bit subnet prefix, and the 64 bit port GUID) must be included in the packet GRH. For SR-IOV, a GID cache is used, since the source GID needs to be the slave's source GID, and not the Hypervisor's GID. This cache also included a subnet_prefix. Unfortunately, the subnet_prefix field in the cache was never initialized (to the default subnet prefix 0xfe80::0). As a result, this field remained all zeroes. Therefore, when SR-IOV was active, all QP1 packets which included a GRH had a source GID subnet prefix of all-zeroes. However, the subnet-prefix should initially be 0xfe80::0 (the default subnet prefix). In addition, if OpenSM modifies a port's subnet prefix, the new subnet prefix must be used in the GRH when sending QP1 packets. To fix this we now initialize the subnet prefix in the SR-IOV GID cache to the default subnet prefix. We update the cached value if/when OpenSM modifies the port's subnet prefix. We take this cached value when sending QP1 packets when SR-IOV is active. Note that the value is stored as an atomic64. This eliminates any need for locking when the subnet prefix is being updated. Note also that we depend on the FW generating the "port management change" event for tracking subnet-prefix changes performed by OpenSM. If running early FW (before 2.9.4630), subnet prefix changes will not be tracked (but the default subnet prefix still will be stored in the cache; therefore users who do not modify the subnet prefix will not have a problem). IF there is a need for such tracking also for early FW, we will add that capability in a subsequent patch. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/mad.c | 23 +++++++++++++++++++++++ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mlx4/qp.c | 5 +++-- 3 files changed, 27 insertions(+), 3 deletions(-) commit baa0be7026e2f7d1d40bfd45909044169e9e3c68 Author: Jack Morgenstein Date: Mon Sep 12 19:16:19 2016 +0300 IB/mlx4: Fix code indentation in QP1 MAD flow The indentation in the QP1 GRH flow in procedure build_mlx_header is really confusing. Fix it, in preparation for a commit which touches this code. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/qp.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) commit e5ac40cd66c2f3cd11bc5edc658f012661b16347 Author: Alex Vesker Date: Mon Sep 12 19:16:18 2016 +0300 IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV Because of an incorrect bit-masking done on the join state bits, when handling a join request we failed to detect a difference between the group join state and the request join state when joining as send only full member (0x8). This caused the MC join request not to be sent. This issue is relevant only when SRIOV is enabled and SM supports send only full member. This fix separates scope bits and join states bits a nibble each. Fixes: b9c5d6a64358 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/mcg.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 344bacca8cd811809fc33a249f2738ab757d327f Author: Alex Vesker Date: Mon Sep 12 09:55:28 2016 +0300 IB/ipoib: Don't allow MC joins during light MC flush This fix solves a race between light flush and on the fly joins. Light flush doesn't set the device to down and unset IPOIB_OPER_UP flag, this means that if while flushing we have a MC join in progress and the QP was attached to BC MGID we can have a mismatches when re-attaching a QP to the BC MGID. The light flush would set the broadcast group to NULL causing an on the fly join to rejoin and reattach to the BC MCG as well as adding the BC MGID to the multicast list. The flush process would later on remove the BC MGID and detach it from the QP. On the next flush the BC MGID is present in the multicast list but not found when trying to detach it because of the previous double attach and single detach. [18332.714265] ------------[ cut here ]------------ [18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core] ... [18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011 [18332.779411] 0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000 [18332.784960] 0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300 [18332.790547] ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280 [18332.796199] Call Trace: [18332.798015] [] dump_stack+0x63/0x8c [18332.801831] [] __warn+0xd1/0xf0 [18332.805403] [] warn_slowpath_null+0x1d/0x20 [18332.809706] [] ib_dealloc_pd+0xff/0x120 [ib_core] [18332.814384] [] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib] [18332.820031] [] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib] [18332.825220] [] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib] [18332.830290] [] ipoib_uninit+0x2f/0x40 [ib_ipoib] [18332.834911] [] rollback_registered_many+0x1aa/0x2c0 [18332.839741] [] rollback_registered+0x31/0x40 [18332.844091] [] unregister_netdevice_queue+0x48/0x80 [18332.848880] [] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib] [18332.853848] [] delete_child+0x7d/0xf0 [ib_ipoib] [18332.858474] [] dev_attr_store+0x18/0x30 [18332.862510] [] sysfs_kf_write+0x3a/0x50 [18332.866349] [] kernfs_fop_write+0x120/0x170 [18332.870471] [] __vfs_write+0x28/0xe0 [18332.874152] [] ? percpu_down_read+0x1f/0x50 [18332.878274] [] vfs_write+0xa2/0x1a0 [18332.881896] [] SyS_write+0x46/0xa0 [18332.885632] [] do_syscall_64+0x57/0xb0 [18332.889709] [] entry_SYSCALL64_slow_path+0x25/0x25 [18332.894727] ---[ end trace 09ebbe31f831ef17 ]--- Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events") Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 5e102b3b4fa944815aead89e63eec2a35069a07b Author: Alexey Khoroshilov Date: Fri Sep 2 23:46:53 2016 +0300 IB/rxe: fix GFP_KERNEL in spinlock context There is skb_clone(skb, GFP_KERNEL) in spinlock context in rxe_rcv_mcast_pkt(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Acked-by: Moni Shoua Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_recv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e06226e66beafd6118aa81b511d88cb549ad7ea5 Merge: 08c5cd3 f190fd9 Author: Greg Kroah-Hartman Date: Fri Sep 16 17:42:10 2016 +0200 Merge tag 'usb-serial-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for v4.8-rc7 Here's another Infineon flashloader device id. Signed-off-by: Johan Hovold commit 8a15b81741879fa89601b03c0e50b0d780d65bc0 Author: Wei Yongjun Date: Fri Sep 16 13:02:37 2016 +0000 cpuset: fix non static symbol warning Fixes the following sparse warning: kernel/cpuset.c:2088:6: warning: symbol 'cpuset_fork' was not declared. Should it be static? Signed-off-by: Wei Yongjun Signed-off-by: Tejun Heo kernel/cpuset.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6408649115cfd73d6807398d04b2ba564db9211e Merge: a680588 b030485 Author: Arnd Bergmann Date: Fri Sep 16 16:29:48 2016 +0200 Merge tag 'samsung-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into fixes Pull "ARM: exynos: Fixes for v4.8, secound round" from Krzysztof Kozłowski: 1. A recent change in populating irqchip devices from Device Tree broke Suspend to RAM on Exynos boards due to lack of probing of PMU (Power Management Unit) driver. Multiple drivers attach to the PMU's DT node: irqchip, clock controller and PMU platform driver for handling suspend. The new irqchip code marked the PMU's DT node as OF_POPULATED but we need to attach to this node also PMU platform driver. 2. Add Javier as additional reviewer for Exynos patches. * tag 'samsung-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback MAINTAINERS: Add myself as reviewer for Samsung Exynos support commit 08c5cd37480f59ea39682f4585d92269be6b1424 Author: Alan Stern Date: Fri Sep 16 10:24:26 2016 -0400 USB: change bInterval default to 10 ms Some full-speed mceusb infrared transceivers contain invalid endpoint descriptors for their interrupt endpoints, with bInterval set to 0. In the past they have worked out okay with the mceusb driver, because the driver sets the bInterval field in the descriptor to 1, overwriting whatever value may have been there before. However, this approach was never sanctioned by the USB core, and in fact it does not work with xHCI controllers, because they use the bInterval value that was present when the configuration was installed. Currently usbcore uses 32 ms as the default interval if the value in the endpoint descriptor is invalid. It turns out that these IR transceivers don't work properly unless the interval is set to 10 ms or below. To work around this mceusb problem, this patch changes the endpoint-descriptor parsing routine, making the default interval value be 10 ms rather than 32 ms. Signed-off-by: Alan Stern Tested-by: Wade Berrier CC: Signed-off-by: Greg Kroah-Hartman drivers/usb/core/config.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) commit ed3d6d0ac036bcff6e4649a6f8fb987bb4e34444 Author: Tony Lindgren Date: Fri Sep 16 09:24:44 2016 -0500 usb: musb: Fix tusb6010 compile error on blackfin We have CONFIG_BLACKFIN ifdef redefining all musb registers in musb_regs.h and tusb6010.h is never included causing a build error with blackfin-allmodconfig and COMPILE_TEST. Let's fix the issue by not building tusb6010 if CONFIG_BLACKFIN is selected. Reported-by: kbuild test robot Signed-off-by: Tony Lindgren Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 Author: Matt Fleming Date: Wed Aug 24 14:12:08 2016 +0100 perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 While the Intel PMU monitors the LLC when perf enables the HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor L1 instruction cache fetches (0x0080) and instruction cache misses (0x0081) on the AMD PMU. This is extremely confusing when monitoring the same workload across Intel and AMD machines, since parameters like, $ perf stat -e cache-references,cache-misses measure completely different things. Instead, make the AMD PMU measure instruction/data cache and TLB fill requests to the L2 and instruction/data cache and TLB misses in the L2 when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled, respectively. That way the events measure unified caches on both platforms. Signed-off-by: Matt Fleming Acked-by: Peter Zijlstra Cc: Cc: Borislav Petkov Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar arch/x86/events/amd/core.c | 4 ++-- arch/x86/kvm/pmu_amd.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 42857cf512cb34c2c8cb50f1e766689d979d64e0 Author: Phil Turnbull Date: Thu Sep 15 12:20:12 2016 -0400 configfs: Return -EFBIG from configfs_write_bin_file. The check for writing more than cb_max_size bytes does not 'goto out' so it is a no-op which allows users to vmalloc an arbitrary amount. Fixes: 03607ace807b ("configfs: implement binary attributes") Cc: stable@kernel.org Signed-off-by: Phil Turnbull Signed-off-by: Christoph Hellwig fs/configfs/file.c | 1 + 1 file changed, 1 insertion(+) commit 1155bafcb79208abc6ae234c6e135ac70607755c Author: Alexander Shishkin Date: Thu Sep 15 18:13:52 2016 +0300 perf/x86/intel/pt: Do validate the size of a kernel address filter Right now, the kernel address filters in PT are prone to integer overflow that may happen in adding filter's size to its offset to obtain the end of the range. Such an overflow would also throw a #GP in the PT event configuration path. Fix this by explicitly validating the result of this calculation. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit ddfdad991e55b65c1cc4ee29502f6dceee04455a Author: Alexander Shishkin Date: Thu Sep 15 18:13:51 2016 +0300 perf/x86/intel/pt: Fix kernel address filter's offset validation The kernel_ip() filter is used mostly by the DS/LBR code to look at the branch addresses, but Intel PT also uses it to validate the address filter offsets for kernel addresses, for which it is not sufficient: supplying something in bits 64:48 that's not a sign extension of the lower address bits (like 0xf00d000000000000) throws a #GP. This patch adds address validation for the user supplied kernel filters. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 95f60084acbcee6c466256cf26eb52191fad9edc Author: Alexander Shishkin Date: Thu Sep 15 18:13:50 2016 +0300 perf/x86/intel/pt: Fix an off-by-one in address filter configuration PT address filter configuration requires that a range is specified by its first and last address, but at the moment we're obtaining the end of the range by adding user specified size to its start, which is off by one from what it actually needs to be. Fix this and make sure that zero-sized filters don't pass the filter validation. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4253ef8f6f81405e65304eef5a5b182c32dec915 Merge: bc6c03f 732a59c Author: David S. Miller Date: Fri Sep 16 04:29:18 2016 -0400 Merge branch 'qeth-fixes' Ursula Braun says: ==================== 390: qeth patches here are several fixes for the s390 qeth driver, built for net. ==================== Signed-off-by: David S. Miller commit 732a59cb6e7faed7a40da6665a517945c95fc895 Author: Thomas Richter Date: Thu Sep 15 14:39:27 2016 +0200 s390/qeth: fix setting VIPA address commit 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback") restructured the internal address handling. This work broke setting a virtual IP address. The command echo 10.1.1.1 > /sys/bus/ccwgroup/devices//vipa/add4 fails with file exist error even if the IP address has not been set before. It turned out that the search result for the IP address search is handled incorrectly in the VIPA case. This patch fixes the setting of an virtual IP address. Signed-off-by: Thomas Richter Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5722963a8e83309dad831cf6968c4c805aa342c0 Author: Ursula Braun Date: Thu Sep 15 14:39:26 2016 +0200 qeth: do not turn on SG per default According to recent performance measurements, turning on net_device feature NETIF_F_SG only behaves well, but turning on feature NETIF_F_GSO shows bad results. Since the kernel activates NETIF_F_GSO automatically as soon as the driver configures feature NETIF_F_SG, qeth should not activate feature NETIF_F_SG per default, until the qeth problems with NETIF_F_GSO are solved. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l2_main.c | 2 -- drivers/s390/net/qeth_l3_main.c | 1 - 2 files changed, 3 deletions(-) commit 243f750fc6f5d8e4dec984a9a785941c67452b8f Author: Ursula Braun Date: Thu Sep 15 14:39:25 2016 +0200 qeth: do not limit number of gso segments To reduce the need of skb_linearize() calls, gso_max_segs of qeth net_devices had been limited according to the maximum number of qdio SBAL elements. But a gso segment cannot be larger than the mtu-size, while an SBAL element can contain up to 4096 bytes. The gso_max_segs limitation limits the maximum packet size given to the qeth driver. Performance measurements with tso-enabled qeth network interfaces and mtu-size 1500 showed, that the disadvantage of smaller packets is much more severe than the advantage of fewer skb_linearize() calls. This patch gets rid of the gso_max_segs limitations in the qeth driver. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l2_main.c | 1 - drivers/s390/net/qeth_l3_main.c | 1 - 2 files changed, 2 deletions(-) commit 903e48531e8b5d414c8f1960eacac24c31f60344 Author: Ursula Braun Date: Thu Sep 15 14:39:24 2016 +0200 qeth: check not more than 16 SBALEs on the completion queue af_iucv socket programs with HiperSockets as transport make use of the qdio completion queue. Running such an af_iucv socket program may result in a crash: [90341.677709] Oops: 0038 ilc:2 [#1] SMP [90341.677743] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.6.0-20160720.0.0e86ec7.5e62689.fc23.s390xperformance #1 [90341.677744] Hardware name: IBM 2964 N96 703 (LPAR) [90341.677746] task: 00000000edb79f00 ti: 00000000edb84000 task.ti: 00000000edb84000 [90341.677748] Krnl PSW : 0704d00180000000 000000000075bc50 (qeth_qdio_input_handler+0x258/0x4e0) [90341.677756] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: 000003d10391e900 0000000000000001 00000000e61e6000 0000000000000005 [90341.677759] 0000000000a9e6ec 5420040001a77400 0000000000000001 000000000000006f [90341.677761] 00000000e0d83f00 0000000000000003 0000000000000010 5420040001a77400 [90341.677784] 000000007ba8b000 0000000000943fd0 000000000075bc4e 00000000ed3b3c10 [90341.677793] Krnl Code: 000000000075bc42: e320cc180004 lg %r2,3096(%r12) 000000000075bc48: c0e5ffffc5cc brasl %r14,7547e0 #000000000075bc4e: 1816 lr %r1,%r6 >000000000075bc50: ba19b008 cs %r1,%r9,8(%r11) 000000000075bc54: ec180041017e cij %r1,1,8,75bcd6 000000000075bc5a: 5810b008 l %r1,8(%r11) 000000000075bc5e: ec16005c027e cij %r1,2,6,75bd16 000000000075bc64: 5090b008 st %r9,8(%r11) [90341.677807] Call Trace: [90341.677810] ([<000000000075bbc0>] qeth_qdio_input_handler+0x1c8/0x4e0) [90341.677812] ([<000000000070efbc>] qdio_kick_handler+0x124/0x2a8) [90341.677814] ([<0000000000713570>] __tiqdio_inbound_processing+0xf0/0xcd0) [90341.677818] ([<0000000000143312>] tasklet_action+0x92/0x120) [90341.677823] ([<00000000008b6e72>] __do_softirq+0x112/0x308) [90341.677824] ([<0000000000142bce>] irq_exit+0xd6/0xf8) [90341.677829] ([<000000000010b1d2>] do_IRQ+0x6a/0x88) [90341.677830] ([<00000000008b6322>] io_int_handler+0x112/0x220) [90341.677832] ([<0000000000102b2e>] enabled_wait+0x56/0xa8) [90341.677833] ([<0000000000000000>] (null)) [90341.677835] ([<0000000000102e32>] arch_cpu_idle+0x32/0x48) [90341.677838] ([<000000000018a126>] cpu_startup_entry+0x266/0x2b0) [90341.677841] ([<0000000000113b38>] smp_start_secondary+0x100/0x110) [90341.677843] ([<00000000008b68a6>] restart_int_handler+0x62/0x78) [90341.677845] ([<00000000008b6588>] psw_idle+0x3c/0x40) [90341.677846] Last Breaking-Event-Address: [90341.677848] [<00000000007547ec>] qeth_dbf_longtext+0xc/0xc0 [90341.677849] [90341.677850] Kernel panic - not syncing: Fatal exception in interrupt qeth_qdio_cq_handler() analyzes SBALs on this completion queue, but does not observe the limit of 16 SBAL elements per SBAL. This patch adds the additional check to process not more than 16 SBAL elements. Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_core_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a7531c1cc09855df5e33ceefe4fdfc2d74ccab19 Author: Ursula Braun Date: Thu Sep 15 14:39:23 2016 +0200 s390/qeth: allow hsuid configuration in DOWN state The qeth IP address mapping logic has been reworked recently. It causes now problems to specify qeth sysfs attribute "hsuid" in DOWN state, which is allowed. Postpone registering or deregistering of IP-addresses in this case. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_main.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) commit 016930b88a1d6eb6e6b3287d593e13ca06986acc Author: Ursula Braun Date: Thu Sep 15 14:39:22 2016 +0200 s390/qeth: use ip_lock for hsuid configuration qeth_l3_dev_hsuid_store() changes the ip hash table, which requires the ip_lock. Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_sys.c | 5 +++++ 1 file changed, 5 insertions(+) commit e830baa9c3f0023769ba9aab19eb44c892769d87 Author: Hans Wippel Date: Thu Sep 15 14:39:21 2016 +0200 qeth: restore device features after recovery After device recovery, only a basic set of network device features is enabled on the device. If features like checksum offloading or TSO were enabled by the user before the recovery, this results in a mismatch between the network device features, that the kernel assumes to be enabled on the device, and the features actually enabled on the device. This patch tries to restore previously set features, that require changes on the device, after the recovery of a device. In case of an error, the network device's features are changed to contain only the features that are actually turned on. Signed-off-by: Hans Wippel Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_core.h | 1 + drivers/s390/net/qeth_core_main.c | 29 +++++++++++++++++++++++++++++ drivers/s390/net/qeth_l2_main.c | 3 +++ drivers/s390/net/qeth_l3_main.c | 1 + 4 files changed, 34 insertions(+) commit bc6c03fa3cacd31b873e36ca16ef9678269deae6 Author: Wei Yongjun Date: Thu Sep 15 03:45:07 2016 +0000 nfp: fix error return code in nfp_net_netdev_open() Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 73725d9dfd99 ("nfp: allocate ring SW structs dynamically") Signed-off-by: Wei Yongjun Acked-by: Jakub Kicinski Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit d6f64d725bac20df66b2eacd847fc41d7a1905e0 Author: Mark Tomlinson Date: Thu Sep 15 11:40:05 2016 +1200 net: VRF: Pass original iif to ip_route_input() The function ip_rcv_finish() calls l3mdev_ip_rcv(). On any VRF except the global VRF, this replaces skb->dev with the VRF master interface. When calling ip_route_input_noref() from here, the checks for forwarding look at this master device instead of the initial ingress interface. This will allow packets to be routed which normally would be dropped. For example, an interface that is not assigned an IP address should drop packets, but because the checking is against the master device, the packet will be forwarded. The fix here is to still call l3mdev_ip_rcv(), but remember the initial net_device. This is passed to the other functions within ip_rcv_finish, so they still see the original interface. Signed-off-by: Mark Tomlinson Acked-by: David Ahern Signed-off-by: David S. Miller net/ipv4/ip_input.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 7106a069f45b15e63d14484e72969e64798e641c Author: Ivan Mikhaylov Date: Wed Sep 14 19:06:45 2016 +0300 net/ibm/emac: add mutex to 'set multicast list' for preventing race conditions within ioctl calls. Signed-off-by: Ivan Mikhaylov Signed-off-by: David S. Miller drivers/net/ethernet/ibm/emac/core.c | 3 +++ 1 file changed, 3 insertions(+) commit 01afd972a737879c1466a12f696601a2ce91ea84 Author: Ivan Mikhaylov Date: Wed Sep 14 19:06:44 2016 +0300 net/ibm/emac: add set mac addr callback add realization for mac address set and remove dummy callback. Signed-off-by: Ivan Mikhaylov Signed-off-by: David S. Miller drivers/net/ethernet/ibm/emac/core.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) commit 7077dc415b113ac17a6696c432bad2d66574e4fb Author: Sean Wang Date: Wed Sep 14 21:29:34 2016 +0800 net: ethernet: mediatek: fix module loading automatically based on MODULE_DEVICE_TABLE The device table is required to load modules based on modaliases. After adding MODULE_DEVICE_TABLE, below entries for example will be added to modules.alias: alias of:N*T*Cmediatek,mt7623-ethC* mtk_eth_soc Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 1 + 1 file changed, 1 insertion(+) commit 6777ae8083f132baa4270f40e31776274f989a07 Merge: 2a29282 1e5d343 Author: David S. Miller Date: Fri Sep 16 04:17:33 2016 -0400 Merge tag 'batadv-net-for-davem-20160914' of git://git.open-mesh.org/linux-merge Simon Wunderlich says: ==================== Here are two batman-adv bugfix patches: - Fix reference counting for last_bonding_candidate, by Sven Eckelmann - Fix head room reservation for ELP packets, by Linus Luessing ==================== Signed-off-by: David S. Miller commit 2a292822f00f7409fc0bd6b2d09efc5b8e6c9c5d Author: Sebastian Ott Date: Wed Sep 14 13:09:24 2016 +0200 net/mlx4_en: fix off by one in error handling If an error occurs in mlx4_init_eq_table the index used in the err_out_unmap label is one too big which results in a panic in mlx4_free_eq. This patch fixes the index in the error path. Signed-off-by: Sebastian Ott Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/eq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3e454fd5db5f993a829160cd9783b759a63931af Merge: 440f895 ad5987b Author: David S. Miller Date: Fri Sep 16 01:34:08 2016 -0400 Merge tag 'mac80211-for-davem-2016-09-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A few more fixes: * better mesh path fixing, from Thomas * fix TIM IE recalculation after sending frames to a sleeping station, from Felix * fix sequence number assignment while sending frames to a sleeping station, also from Felix * validate number of probe response CSA counter offsets, fixing a copy/paste bug (from myself) ==================== Signed-off-by: David S. Miller commit 778935778c3b88e5152a88765850009006ef2e32 Author: Paul E. McKenney Date: Tue Apr 26 10:42:25 2016 -0700 PM / runtime: Use _rcuidle for runtime suspend tracepoints Further testing with false negatives suppressed by commit 293e2421fe25 ("rcu: Remove superfluous versions of rcu_read_lock_sched_held()") identified a few more unprotected uses of RCU from the idle loop. Because RCU actively ignores idle-loop code (for energy-efficiency reasons, among other things), using RCU from the idle loop can result in too-short grace periods, in turn resulting in arbitrary misbehavior. The affected function is rpm_suspend(). The resulting lockdep-RCU splat is as follows: ------------------------------------------------------------------------ Warning from omap3 =============================== [ INFO: suspicious RCU usage. ] 4.6.0-rc5-next-20160426+ #1112 Not tainted ------------------------------- include/trace/events/rpm.h:63 suspicious rcu_dereference_check() usage! other info that might help us debug this: RCU used illegally from idle CPU! rcu_scheduler_active = 1, debug_locks = 0 RCU used illegally from extended quiescent state! 1 lock held by swapper/0/0: #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __pm_runtime_suspend+0x54/0x84 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1112 Hardware name: Generic OMAP36xx (Flattened Device Tree) [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xb0/0xe4) [] (dump_stack) from [] (rpm_suspend+0x604/0x7e4) [] (rpm_suspend) from [] (__pm_runtime_suspend+0x64/0x84) [] (__pm_runtime_suspend) from [] (omap2_gpio_prepare_for_idle+0x5c/0x70) [] (omap2_gpio_prepare_for_idle) from [] (omap_sram_idle+0x140/0x244) [] (omap_sram_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) [] (start_kernel) from [<8000807c>] (0x8000807c) ------------------------------------------------------------------------ Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck [ rjw: Subject ] Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Author: Jann Horn Date: Fri Sep 16 00:31:22 2016 +0200 aio: mark AIO pseudo-fs noexec This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux. I have tested the patch on my machine. To test the behavior, compile and run this: #define _GNU_SOURCE #include #include #include #include #include #include #include int main(void) { personality(READ_IMPLIES_EXEC); aio_context_t ctx = 0; if (syscall(__NR_io_setup, 1, &ctx)) err(1, "io_setup"); char cmd[1000]; sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'", (int)getpid()); system(cmd); return 0; } In the output, "rw-s" is good, "rwxs" is bad. Signed-off-by: Jann Horn Signed-off-by: Linus Torvalds fs/aio.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 024c7e3756d8a42fc41fe8a9488488b9b09d1dcc Merge: b71dbf1 b0eaf45 Author: Linus Torvalds Date: Thu Sep 15 15:15:41 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fix from Paolo Bonzini: "One fix for an x86 regression in VM migration, mostly visible with Windows because it uses RTC periodic interrupts" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm: x86: correctly reset dest_map->vector when restoring LAPIC state commit b71dbf1032f546bf3efd60fb5d9d0cefd200a508 Author: Darrick J. Wong Date: Wed Sep 14 20:20:44 2016 -0700 vfs: cap dedupe request structure size at PAGE_SIZE Kirill A Shutemov reports that the kernel doesn't try to cap dest_count in any way, and uses the number to allocate kernel memory. This causes high order allocation warnings in the kernel log if someone passes in a big enough value. We should clamp the allocation at PAGE_SIZE to avoid stressing the VM. The two existing users of the dedupe ioctl never send more than 120 requests, so we can safely clamp dest_range at PAGE_SIZE, because with 4k pages we can handle up to 127 dedupe candidates. Given the max extent length of 16MB, we can end up doing 2GB of IO which is plenty. [ Note: the "offsetof()" can't overflow, because 'count' is just a 16-bit integer. That's not obvious in the limited context of the patch, so I'm noting it here because it made me go look. - Linus ] Reported-by: "Kirill A. Shutemov" Signed-off-by: Darrick J. Wong Signed-off-by: Linus Torvalds fs/ioctl.c | 4 ++++ 1 file changed, 4 insertions(+) commit 5297e0f0fe13305a1fc7f01986be0dccd063d57a Author: Darrick J. Wong Date: Wed Sep 14 20:20:00 2016 -0700 vfs: fix return type of ioctl_file_dedupe_range All the VFS functions in the dedupe ioctl path return int status, so the ioctl handler ought to as well. Found by Coverity, CID 1350952. Signed-off-by: Darrick J. Wong Signed-off-by: Linus Torvalds fs/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 46626600d120dc48ab605265677b858506a81011 Merge: 1c109fa 3bc42f3 Author: Linus Torvalds Date: Thu Sep 15 13:22:59 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A set of fixes for the current series in the realm of block. Like the previous pull request, the meat of it are fixes for the nvme fabrics/target code. Outside of that, just one fix from Gabriel for not doing a queue suspend if we didn't get the admin queue setup in the first place" * 'for-linus' of git://git.kernel.dk/linux-block: nvme-rdma: add back dependency on CONFIG_BLOCK nvme-rdma: fix null pointer dereference on req->mr nvme-rdma: use ib_client API to detect device removal nvme-rdma: add DELETING queue flag nvme/quirk: Add a delay before checking device ready for memblaze device nvme: Don't suspend admin queue that wasn't created nvme-rdma: destroy nvme queue rdma resources on connect failure nvme_rdma: keep a ref on the ctrl during delete/flush iw_cxgb4: block module unload until all ep resources are released iw_cxgb4: call dev_put() on l2t allocation failure commit 1c109fabbd51863475cd12ac206bdd249aee35af Author: Al Viro Date: Thu Sep 15 02:35:29 2016 +0100 fix minor infoleak in get_user_ex() get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak (at most we are leaking uninitialized 64bit value off the kernel stack, and in a fairly constrained situation, at that), but the fix is trivial, so... Cc: stable@vger.kernel.org Signed-off-by: Al Viro [ This sat in different branch from the uaccess fixes since mid-August ] Signed-off-by: Linus Torvalds arch/x86/include/asm/uaccess.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa Author: Paolo Bonzini Date: Wed Sep 14 23:39:12 2016 +0200 kvm: x86: correctly reset dest_map->vector when restoring LAPIC state When userspace sends KVM_SET_LAPIC, KVM schedules a check between the vCPU's IRR and ISR and the IOAPIC redirection table, in order to re-establish the IOAPIC's dest_map (the list of CPUs servicing the real-time clock interrupt with the corresponding vectors). However, __rtc_irq_eoi_tracking_restore_one was forgetting to set dest_map->vectors. Because of this, the IOAPIC did not process the real-time clock interrupt EOI, ioapic->rtc_status.pending_eoi got stuck at a non-zero value, and further RTC interrupts were reported to userspace as coalesced. Fixes: 9e4aabe2bb3454c83dac8139cf9974503ee044db Fixes: 4d99ba898dd0c521ca6cdfdde55c9b58aea3cb3d Cc: stable@vger.kernel.org Cc: Joerg Roedel Cc: David Gilbert Reviewed-by: Radim Krčmář Signed-off-by: Paolo Bonzini arch/x86/kvm/ioapic.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 54c5ef2e93ea002dc5dd63349298b2778fe59edb Author: Beni Lev Date: Wed Aug 10 17:03:43 2016 +0300 iwlwifi: mvm: update TX queue before making a copy of the skb Off-channel action frames (such as ANQP frames) must be sent either on the AUX queue or on the offchannel queue, otherwise the firmware will cause a SYSASSERT. In the current implementation, the queue to be used is correctly set in the original skb, but this is done after it is copied. Thus the copy remains with the original, incorrect queue. Fix this by setting the queue in the original skb before copying it. Fixes: commit 5c08b0f5026f ("iwlwifi: mvm: don't override the rate with the AMSDU len") Cc: stable@vger.kernel.org # v4.6+ Signed-off-by: Beni Lev Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) commit 7892a1f64a447b6f65fe2888688883b7c26d81d3 Author: Geert Uytterhoeven Date: Tue Aug 9 12:36:41 2016 -0300 [media] rcar-fcp: Make sure rcar_fcp_enable() returns 0 on success When resuming from suspend-to-RAM on r8a7795/salvator-x: dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe940000.fdp1 failed to resume noirq: error 1 dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe944000.fdp1 failed to resume noirq: error 1 dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe948000.fdp1 failed to resume noirq: error 1 According to its documentation, rcar_fcp_enable() returns 0 on success or a negative error code if an error occurs. Hence fdp1_pm_runtime_resume() and vsp1_pm_runtime_resume() forward its return value to their callers. However, rcar_fcp_enable() forwards the return value of pm_runtime_get_sync(), which can actually be 1 on success, leading to the resume failure above. To fix this, consider only negative values returned by pm_runtime_get_sync() to be failures. Fixes: 7b49235e83b2347c ("[media] v4l: Add Renesas R-Car FCP driver") Signed-off-by: Geert Uytterhoeven Reviewed-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/rcar-fcp.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit a6805884e263e82d9fb87bd5f39ad4bb38cde246 Author: Roger Quadros Date: Wed Aug 17 13:44:50 2016 +0300 ARM: keystone: defconfig: Fix USB configuration Simply enabling CONFIG_KEYSTONE_USB_PHY doesn't work anymore as it depends on CONFIG_NOP_USB_XCEIV. We need to enable that as well. This fixes USB on Keystone boards from v4.8-rc1 onwards. Signed-off-by: Roger Quadros Acked-by: Santosh Shilimkar Signed-off-by: Arnd Bergmann arch/arm/configs/keystone_defconfig | 1 + 1 file changed, 1 insertion(+) commit cecf62352aee2b4fe114aafd1b8c5f265a4243ce Author: Alexander Shishkin Date: Thu Sep 15 11:22:33 2016 +0300 perf/x86/intel: Don't disable "intel_bts" around "intel" event batching At the moment, intel_bts events get disabled from intel PMU's disable callback, which includes event scheduling transactions of said PMU, which have nothing to do with intel_bts events. We do want to keep intel_bts events off inside the PMI handler to avoid filling up their buffer too soon. This patch moves intel_bts enabling/disabling directly to the PMI handler. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915082233.11065-1-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/core.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit 85d5313ed717ad60769491c7c072d23bc0a68e7a Author: Johannes Berg Date: Wed Sep 14 11:38:31 2016 +0200 mac80211: reject TSPEC TIDs (TSIDs) for aggregation Since mac80211 doesn't currently support TSIDs 8-15 which can only be used after QoS TSPEC negotiation (and not even after WMM negotiation), reject attempts to set up aggregation sessions for them, which might confuse drivers. In mac80211 we do correctly handle that, but the TSIDs should never get used anyway, and drivers might not be able to handle it. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg net/mac80211/agg-rx.c | 8 +++++++- net/mac80211/agg-tx.c | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) commit ed7d9a1d7da6fe7b1c7477dc70e95051583fd60c Author: Michael Ellerman Date: Thu Sep 15 17:03:06 2016 +1000 powerpc/powernv/pci: Fix missed TCE invalidations that should fallback to OPAL In commit f0228c413011 ("powerpc/powernv/pci: Fallback to OPAL for TCE invalidations"), we added logic to fallback to OPAL for doing TCE invalidations if we can't do it in Linux. Ben sent a v2 of the patch, containing these additional call sites, but I had already applied v1 and didn't notice. So fix them now. Fixes: f0228c413011 ("powerpc/powernv/pci: Fallback to OPAL for TCE invalidations") Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 29bf282dec94f6015a675c007614cb29563f1c18 Author: Gavin Shan Date: Tue Sep 6 16:34:01 2016 +1000 powerpc/powernv: Detach from PE on releasing PCI device The PCI hotplug can be part of EEH error recovery. The @pdn and the device's PE number aren't removed and added afterwords. The PE number in @pdn should be set to an invalid one. Otherwise, the PE's device count is decreased on removing devices while failing to be increased on adding devices. It leads to unbalanced PE's device count and make normal PCI hotplug path broken. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 4cea8776571b18db7485930cb422faa739580c8c Merge: 77e5bdf 035ee28 Author: Linus Torvalds Date: Wed Sep 14 14:06:30 2016 -0700 Merge tag 'pci-v4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: "Here are two changes for v4.8. The first fixes a "[Firmware Bug]: reg 0x10: invalid BAR (can't size)" warning on Haswell, and the second fixes a problem in some new runtime suspend functionality we merged for v4.8. Summary: Enumeration: Mark Haswell Power Control Unit as having non-compliant BARs (Bjorn Helgaas) Power management: Fix bridge_d3 update on device removal (Lukas Wunner)" * tag 'pci-v4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI: Fix bridge_d3 update on device removal PCI: Mark Haswell Power Control Unit as having non-compliant BARs commit d20ced23c7a019a9ca6fe69d6d1907bfd8c1a255 Merge: 7ccb8e6 f2a89d3 Author: Arnd Bergmann Date: Wed Sep 14 22:47:36 2016 +0200 Merge branch 'dt/irq-fix' into fixes * dt/irq-fix: arm64: dts: Fix broken architected timer interrupt trigger commit f2a89d3b2b85b90b05453872aaabfdb412a21a03 Author: Marc Zyngier Date: Mon Aug 1 10:54:16 2016 +0100 arm64: dts: Fix broken architected timer interrupt trigger The ARM architected timer specification mandates that the interrupt associated with each timer is level triggered (which corresponds to the "counter >= comparator" condition). A number of DTs are being remarkably creative, declaring the interrupt to be edge triggered. A quick look at the TRM for the corresponding ARM CPUs clearly shows that this is wrong, and I've corrected those. For non-ARM designs (and in the absence of a publicly available TRM), I've made them active low as well, which can't be completely wrong as the GIC cannot disinguish between level low and level high. The respective maintainers are of course welcome to prove me wrong. While I was at it, I took the liberty to fix a couple of related issue, such as some spurious affinity bits on ThunderX, and their complete absence on ls1043a (both of which seem to be related to copy-pasting from other DTs). Acked-by: Duc Dang Acked-by: Carlo Caione Acked-by: Michal Simek Acked-by: Krzysztof Kozlowski Acked-by: Dinh Nguyen Acked-by: Masahiro Yamada Signed-off-by: Marc Zyngier Signed-off-by: Arnd Bergmann arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi | 8 ++++---- arch/arm64/boot/dts/amlogic/meson-gxbb.dtsi | 8 ++++---- arch/arm64/boot/dts/apm/apm-storm.dtsi | 8 ++++---- arch/arm64/boot/dts/broadcom/ns2.dtsi | 8 ++++---- arch/arm64/boot/dts/cavium/thunder-88xx.dtsi | 8 ++++---- arch/arm64/boot/dts/exynos/exynos7.dtsi | 8 ++++---- arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi | 8 ++++---- arch/arm64/boot/dts/freescale/fsl-ls2080a.dtsi | 8 ++++---- arch/arm64/boot/dts/marvell/armada-ap806.dtsi | 8 ++++---- arch/arm64/boot/dts/socionext/uniphier-ph1-ld20.dtsi | 8 ++++---- arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 8 ++++---- 11 files changed, 44 insertions(+), 44 deletions(-) commit 7ccb8e633cfeb7969eba09bbf53346e746bb7f89 Author: Fabian Frederick Date: Mon Aug 15 19:34:44 2016 +0200 ARM: multi_v7_defconfig: update XILINX_VDMA Commit fde57a7c4474 ("dmaengine: xilinx: Rename driver and config") renamed config XILINX_VDMA to config XILINX_DMA Update defconfig accordingly. Signed-off-by: Fabian Frederick Signed-off-by: Arnd Bergmann arch/arm/configs/multi_v7_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 77e5bdf9f7b2d20939c8d807f3e68778d6e1557a Merge: b8f26e8 8630c32 Author: Linus Torvalds Date: Wed Sep 14 09:35:05 2016 -0700 Merge branch 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull uaccess fixes from Al Viro: "Fixes for broken uaccess primitives - mostly lack of proper zeroing in copy_from_user()/get_user()/__get_user(), but for several architectures there's more (broken clear_user() on frv and strncpy_from_user() on hexagon)" * 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (28 commits) avr32: fix copy_from_user() microblaze: fix __get_user() microblaze: fix copy_from_user() m32r: fix __get_user() blackfin: fix copy_from_user() sparc32: fix copy_from_user() sh: fix copy_from_user() sh64: failing __get_user() should zero score: fix copy_from_user() and friends score: fix __get_user/get_user s390: get_user() should zero on failure ppc32: fix copy_from_user() parisc: fix copy_from_user() openrisc: fix copy_from_user() nios2: fix __get_user() nios2: copy_from_user() should zero the tail of destination mn10300: copy_from_user() should zero on access_ok() failure... mn10300: failing __get_user() and get_user() should zero mips: copy_from_user() must zero the destination on access_ok() failure ARC: uaccess: get_user to zero out dest in cause of fault ... commit b8f26e880c8166604e0da741eccd9fe6d8e1b9fb Merge: 5924bbe de75abb Author: Linus Torvalds Date: Wed Sep 14 08:42:51 2016 -0700 Merge tag 'for-linus-4.8b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen regression fix from David Vrabel: "Fix SMP boot in arm guests" * tag 'for-linus-4.8b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: arm/xen: fix SMP guests boot commit de75abbe0121a6c3c9c6b04c75300088e57ad1d5 Author: Vitaly Kuznetsov Date: Thu Sep 8 11:48:28 2016 +0200 arm/xen: fix SMP guests boot Commit 88e957d6e47f ("xen: introduce xen_vcpu_id mapping") broke SMP ARM guests on Xen. When FIFO-based event channels are in use (this is the default), evtchn_fifo_alloc_control_block() is called on CPU_UP_PREPARE event and this happens before we set up xen_vcpu_id mapping in xen_starting_cpu. Temporary fix the issue by setting direct Linux CPU id <-> Xen vCPU id mapping for all possible CPUs at boot. We don't currently support kexec/kdump on Xen/ARM so these ids always match. In future, we have several ways to solve the issue, e.g.: - Eliminate all hypercalls from CPU_UP_PREPARE, do them from the starting CPU. This can probably be done for both x86 and ARM and, if done, will allow us to get Xen's idea of vCPU id from CPUID/MPIDR on the starting CPU directly, no messing with ACPI/device tree required. - Save vCPU id information from ACPI/device tree on ARM and use it to initialize xen_vcpu_id mapping. This is the same trick we currently do on x86. Reported-by: Julien Grall Tested-by: Wei Chen Signed-off-by: Vitaly Kuznetsov Acked-by: Stefano Stabellini Signed-off-by: David Vrabel arch/arm/xen/enlighten.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 6cfeaf5125d425043d44002d0a1a8a147be582bf Author: Paul Burton Date: Wed Sep 14 11:00:26 2016 +0100 cpu/hotplug: Include linux/types.h in linux/cpuhotplug.h The linux/cpuhotplug.h header makes use of the bool type, but wasn't including linux/types.h to ensure that type has been defined. Fix this by including linux/types.h in preparation for including linux/cpuhotplug.h in a file that doesn't do so already. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Richard Cochran Cc: Sebastian Andrzej Siewior Cc: Ralf Baechle Cc: Anna-Maria Gleixner Link: http://lkml.kernel.org/r/20160914100027.20945-1-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner include/linux/cpuhotplug.h | 2 ++ 1 file changed, 2 insertions(+) commit df804d5e27490151da1ce9f216031a31352203e6 Author: Peter Ujfalusi Date: Wed Sep 14 14:21:54 2016 +0300 mmc: omap: Initialize dma_slave_config to avoid random data in it's fields It is wrong to use uninitialized dma_slave_config and configure only certain fields as the DMAengine driver might look at non initialized (random data) fields and tries to interpret it. Signed-off-by: Peter Ujfalusi Signed-off-by: Ulf Hansson drivers/mmc/host/omap.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) commit e5789608766113ca9c30d596d93ca7d5cbd8b461 Author: Peter Ujfalusi Date: Wed Sep 14 14:22:07 2016 +0300 mmc: omap_hsmmc: Initialize dma_slave_config to avoid random data It is wrong to use uninitialized dma_slave_config and configure only certain fields as the DMAengine driver might look at non initialized (random data) fields and tries to interpret it. Signed-off-by: Peter Ujfalusi Signed-off-by: Ulf Hansson drivers/mmc/host/omap_hsmmc.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit 0b97a484e52cb423662eb98904aad82dafcc1f10 Author: Johannes Berg Date: Wed Sep 14 09:41:34 2016 +0200 mac80211: check skb_linearize() return value The A-MSDU TX code (within TXQs) didn't always check the return value of skb_linearize() properly, resulting in potentially passing a frag- list SKB down to the driver even when it said it can't handle it. Fix that. Fixes: 6e0456b545456 ("mac80211: add A-MSDU tx support") Signed-off-by: Johannes Berg net/mac80211/tx.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 Author: Ville Syrjälä Date: Tue Sep 13 12:22:19 2016 +0300 drm/i915: Ignore OpRegion panel type except on select machines Turns out commit a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details") has regressed quite a few machines. So it looks like we can't use the panel type from OpRegion on all systems, and yet we absolutely must use it on some specific systems. Despite trying, I was unable to find any automagic way to determine if the OpRegion panel type is respectable or not. The only glimmer of hope I had was bit 8 in the SCIC response, but that turned out to not work either (it was always 0 on both types of systems). So, to fix the regressions without breaking the machine we know to need the OpRegion panel type, let's just add a quirk for this. Only specific machines known to require the OpRegion panel type will therefore use it. Everyone else will fall bck to the VBT panel type. The only known machine so far is a "Conrac GmbH IX45GM2". The PCI subsystem ID on this machine is just a generic 8086:2a42, so of no use. Instead we'll go with a DMI match. I suspect we can now also revert commit aeddda06c1a7 ("drm/i915: Ignore panel type from OpRegion on SKL") but let's leave that to a separate patch. v2: Do the DMI match in the opregion code directly, as dev_priv->quirks gets populated too late Cc: Rob Kramer Cc: Martin van Es Cc: Andrea Arcangeli Cc: Dave Airlie Cc: Marco Krüger Cc: Sean Greenslade Cc: Trudy Tective Cc: Robin Müller Cc: Alexander Kobel Cc: Alexey Shumitsky Cc: Emil Andersen Lauridsen Cc: oceans112@gmail.com Cc: James Hogan Cc: James Bottomley Cc: stable@vger.kernel.org References: https://lists.freedesktop.org/archives/intel-gfx/2016-August/105545.html References: https://lists.freedesktop.org/archives/dri-devel/2016-August/116888.html References: https://lists.freedesktop.org/archives/intel-gfx/2016-June/098826.html Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94825 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97060 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97443 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97363 Fixes: a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details") Tested-by: Marco Krüger Tested-by: Alexey Shumitsky Tested-by: Sean Greenslade Tested-by: Emil Andersen Lauridsen Tested-by: Robin Müller Tested-by: oceans112@gmail.com Tested-by: Rob Kramer Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/1473758539-21565-1-git-send-email-ville.syrjala@linux.intel.com References: http://patchwork.freedesktop.org/patch/msgid/1473602239-15855-1-git-send-email-adrienverge@gmail.com Acked-by: Jani Nikula (cherry picked from commit c8ebfad7a063fe665417fa0eeb0da7cfe987d8ed) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_opregion.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) commit 86dfb76cba284114cf586005cd943eeb6e4f328d Author: Rodrigo Vivi Date: Wed Sep 7 17:42:31 2016 -0700 Revert "drm/i915/psr: Make idle_frames sensible again" This reverts commit 1c80c25fb622973dd135878e98d172be20859049 Author: Daniel Vetter Date: Wed May 18 18:47:12 2016 +0200 drm/i915/psr: Make idle_frames sensible again There are panels that needs 4 idle frames before entering PSR, but VBT is unproperly set. Also lately it was identified that idle frame count calculated at HW can be off by 1, what makes the minimum of 2, at least. Without the current vbt+1 we are with the risk of having HW calculating 0 idle frames and entering PSR when it shouldn't. Regardless the lack of link training. [Jani: there is some disagreement on the explanation, but the commit regresses so revert it is.] References: http://marc.info/?i=20160904191153.GA2328@light.dominikbrodowski.net Cc: Dominik Brodowski Cc: Jani Nikula Cc: Daniel Vetter Signed-off-by: Rodrigo Vivi Fixes: 1c80c25fb622 ("drm/i915/psr: Make idle_frames sensible again") Cc: drm-intel-fixes@lists.freedesktop.org # v4.8-rc1+ Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/1473295351-8766-1-git-send-email-rodrigo.vivi@intel.com (cherry picked from commit 40918e0bb81be02f507a941f8b2741f0dc1771b0) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_psr.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 74712339a4fc0f4ddc710e6bca836a6b78b7d8de Author: Chris Wilson Date: Thu Aug 25 08:23:14 2016 +0100 drm/i915: Restore lost "Initialized i915" welcome message A side effect of removing the midlayer from driver loading was the loss of a useful message announcing to userspace that i915 had successfully started, e.g.: [drm] Initialized i915 1.6.0 20160425 for 0000:00:02.0 on minor 0 Reported-by: Timo Aaltonen Signed-off-by: Chris Wilson Fixes: 8f460e2c78f2 ("drm/i915: Demidlayer driver loading") Cc: Daniel Vetter Cc: Ville Syrjälä Cc: drm-intel-fixes@lists.freedesktop.org Link: http://patchwork.freedesktop.org/patch/msgid/20160825072314.17402-1-chris@chris-wilson.co.uk Reviewed-by: Daniel Vetter (cherry picked from commit bc5ca47c0af4f949ba889e666b7da65569e36093) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.c | 5 +++++ 1 file changed, 5 insertions(+) commit 6eaed1665fc6864fbdbffcc6f43a7f5d012f3052 Author: Gavin Shan Date: Tue Sep 13 16:40:24 2016 +1000 powerpc/powernv: Fix the state of root PE The PE for root bus (root PE) can be removed because of PCI hot remove in EEH recovery path for fenced PHB error. We need update @phb->root_pe_populated accordingly so that the root PE can be populated again in forthcoming PCI hot add path. Also, the PE shouldn't be destroyed as it's global and reserved resource. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Reported-by: Frederic Barrat Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Author: Al Viro Date: Fri Sep 9 19:28:23 2016 -0400 avr32: fix copy_from_user() really ugly, but apparently avr32 compilers turns access_ok() into something so bad that they want it in assembler. Left that way, zeroing added in inline wrapper. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/avr32/include/asm/uaccess.h | 11 ++++++++++- arch/avr32/kernel/avr32_ksyms.c | 2 +- arch/avr32/lib/copy_user.S | 4 ++-- 3 files changed, 13 insertions(+), 4 deletions(-) commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Author: Al Viro Date: Fri Sep 9 19:23:33 2016 -0400 microblaze: fix __get_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/microblaze/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 Author: Al Viro Date: Fri Sep 9 19:22:34 2016 -0400 microblaze: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/microblaze/include/asm/uaccess.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Author: Al Viro Date: Fri Sep 9 19:20:13 2016 -0400 m32r: fix __get_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/m32r/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 Author: Al Viro Date: Fri Sep 9 19:16:58 2016 -0400 blackfin: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/blackfin/include/asm/uaccess.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 917400cecb4b52b5cde5417348322bb9c8272fa6 Author: Al Viro Date: Mon Aug 22 00:23:07 2016 -0400 sparc32: fix copy_from_user() Cc: stable@vger.kernel.org Acked-by: David S. Miller Signed-off-by: Al Viro arch/sparc/include/asm/uaccess_32.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 6e050503a150b2126620c1a1e9b3a368fcd51eac Author: Al Viro Date: Sun Aug 21 23:39:47 2016 -0400 sh: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/sh/include/asm/uaccess.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit c6852389228df9fb3067f94f3b651de2a7921b36 Author: Al Viro Date: Sun Aug 21 23:33:47 2016 -0400 sh64: failing __get_user() should zero It could be done in exception-handling bits in __get_user_b() et.al., but the surgery involved would take more knowledge of sh64 details than I have or _want_ to have. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/sh/include/asm/uaccess_64.h | 1 + 1 file changed, 1 insertion(+) commit b615e3c74621e06cd97f86373ca90d43d6d998aa Author: Al Viro Date: Sun Aug 21 22:30:44 2016 -0400 score: fix copy_from_user() and friends Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 21 deletions(-) commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 Author: Al Viro Date: Sun Aug 21 22:13:39 2016 -0400 score: fix __get_user/get_user * should zero on any failure * __get_user() should use __copy_from_user(), not copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/score/include/asm/uaccess.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Author: Al Viro Date: Sun Aug 21 22:00:54 2016 -0400 s390: get_user() should zero on failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/s390/include/asm/uaccess.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 224264657b8b228f949b42346e09ed8c90136a8e Author: Al Viro Date: Sun Aug 21 19:16:26 2016 -0400 ppc32: fix copy_from_user() should clear on access_ok() failures. Also remove the useless range truncation logics. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/powerpc/include/asm/uaccess.h | 25 ++----------------------- 1 file changed, 2 insertions(+), 23 deletions(-) commit aace880feea38875fbc919761b77e5732a3659ef Author: Al Viro Date: Sat Aug 20 19:03:37 2016 -0400 parisc: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/parisc/include/asm/uaccess.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit acb2505d0119033a80c85ac8d02dccae41271667 Author: Al Viro Date: Sat Aug 20 17:05:21 2016 -0400 openrisc: fix copy_from_user() ... that should zero on faults. Also remove the helpful logics wrt range truncation copied from ppc32. Where it had ever been needed only in case of copy_from_user() *and* had not been merged into the mainline until a month after the need had disappeared. A decade before openrisc went into mainline, I might add... Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) commit 2e29f50ad5e23db37dde9be71410d95d50241ecd Author: Al Viro Date: Sat Aug 20 16:39:01 2016 -0400 nios2: fix __get_user() a) should not leave crap on fault b) should _not_ require access_ok() in any cases. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/nios2/include/asm/uaccess.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Author: Al Viro Date: Sat Aug 20 16:36:36 2016 -0400 nios2: copy_from_user() should zero the tail of destination Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/nios2/include/asm/uaccess.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Author: Al Viro Date: Sat Aug 20 16:33:10 2016 -0400 mn10300: copy_from_user() should zero on access_ok() failure... Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mn10300/lib/usercopy.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 43403eabf558d2800b429cd886e996fd555aa542 Author: Al Viro Date: Sat Aug 20 16:32:02 2016 -0400 mn10300: failing __get_user() and get_user() should zero Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mn10300/include/asm/uaccess.h | 1 + 1 file changed, 1 insertion(+) commit e69d700535ac43a18032b3c399c69bf4639e89a2 Author: Al Viro Date: Sat Aug 20 16:18:53 2016 -0400 mips: copy_from_user() must zero the destination on access_ok() failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mips/include/asm/uaccess.h | 3 +++ 1 file changed, 3 insertions(+) commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Author: Vineet Gupta Date: Fri Aug 19 12:10:02 2016 -0700 ARC: uaccess: get_user to zero out dest in cause of fault Al reported potential issue with ARC get_user() as it wasn't clearing out destination pointer in case of fault due to bad address etc. Verified using following | { | u32 bogus1 = 0xdeadbeef; | u64 bogus2 = 0xdead; | int rc1, rc2; | | pr_info("Orig values %x %llx\n", bogus1, bogus2); | rc1 = get_user(bogus1, (u32 __user *)0x40000000); | rc2 = get_user(bogus2, (u64 __user *)0x50000000); | pr_info("access %d %d, new values %x %llx\n", | rc1, rc2, bogus1, bogus2); | } | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko | Orig values deadbeef dead | access -14 -14, new values 0 0 Reported-by: Al Viro Cc: Linus Torvalds Cc: linux-snps-arc@lists.infradead.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Vineet Gupta Signed-off-by: Al Viro arch/arc/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Author: Al Viro Date: Thu Aug 18 22:08:20 2016 -0400 metag: copy_from_user() should zero the destination on access_ok() failure Cc: stable@vger.kernel.org Acked-by: James Hogan Signed-off-by: Al Viro arch/metag/include/asm/uaccess.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a5e541f796f17228793694d64b507f5f57db4cd7 Author: Al Viro Date: Thu Aug 18 21:31:41 2016 -0400 ia64: copy_from_user() should zero the destination on access_ok() failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/ia64/include/asm/uaccess.h | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Author: Al Viro Date: Thu Aug 18 21:16:49 2016 -0400 hexagon: fix strncpy_from_user() error return It's -EFAULT, not -1 (and contrary to the comment in there, __strnlen_user() can return 0 - on faults). Cc: stable@vger.kernel.org Acked-by: Richard Kuo Signed-off-by: Al Viro arch/hexagon/include/asm/uaccess.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Author: Al Viro Date: Thu Aug 18 20:54:02 2016 -0400 frv: fix clear_user() It should check access_ok(). Otherwise a bunch of places turn into trivially exploitable rootholes. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/frv/include/asm/uaccess.h | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit eb47e0293baaa3044022059f1fa9ff474bfe35cb Author: Al Viro Date: Thu Aug 18 19:34:00 2016 -0400 cris: buggered copy_from_user/copy_to_user/clear_user * copy_from_user() on access_ok() failure ought to zero the destination * none of those primitives should skip the access_ok() check in case of small constant size. Cc: stable@vger.kernel.org Acked-by: Jesper Nilsson Signed-off-by: Al Viro arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 39 deletions(-) commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Author: Al Viro Date: Wed Aug 17 23:19:01 2016 -0400 asm-generic: make get_user() clear the destination on errors both for access_ok() failures and for faults halfway through Cc: stable@vger.kernel.org Signed-off-by: Al Viro include/asm-generic/uaccess.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 035ee288ae7ade4152f1c3cf23a587b04fdc526c Author: Lukas Wunner Date: Tue Sep 6 06:20:46 2016 +0200 PCI: Fix bridge_d3 update on device removal Starting with v4.8, we allow a PCIe port to runtime suspend to D3hot if the port itself and its children satisfy a number of conditions. Once a child is removed, we recheck those conditions in case the removed device was blocking the port from suspending. The rechecking needs to happen *after* the device has been removed from the bus it resides on. Otherwise when walking the port's subordinate bus in pci_bridge_d3_update(), the device being removed would erroneously still be taken into account. However the device is removed from the bus_list in pci_destroy_dev() and we currently recheck *before* that. Fix it. Fixes: 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Reviewed-by: Mika Westerberg Acked-by: Rafael J. Wysocki drivers/pci/remove.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 5924bbecd0267d87c24110cbe2041b5075173a25 Merge: fda6751 c291b01 Author: Linus Torvalds Date: Tue Sep 13 12:52:45 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Three fixes: - AMD microcode loading fix with randomization - an lguest tooling fix - and an APIC enumeration boundary condition fix" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/apic: Fix num_processors value in case of failure tools/lguest: Don't bork the terminal in case of wrong args x86/microcode/AMD: Fix load of builtin microcode with randomized memory commit fda67514e444533b44106362baddca1cdbbba836 Merge: ee319d5 135e8c9 Author: Linus Torvalds Date: Tue Sep 13 12:49:40 2016 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Ingo Molnar: "A try_to_wake_up() memory ordering race fix causing a busy-loop in ttwu()" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/core: Fix a race between try_to_wake_up() and a woken up task commit ee319d5834c80dce3ec17fec36ef74b716ea465d Merge: 504cb1c2 8ef9b84 Author: Linus Torvalds Date: Tue Sep 13 12:47:29 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "This contains: - a set of fixes found by directed-random perf fuzzing efforts by Vince Weaver, Alexander Shishkin and Peter Zijlstra - a cqm driver crash fix - an AMD uncore driver use after free fix" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel: Fix PEBSv3 record drain perf/x86/intel/bts: Kill a silly warning perf/x86/intel/bts: Fix BTS PMI detection perf/x86/intel/bts: Fix confused ordering of PMU callbacks perf/core: Fix aux_mmap_count vs aux_refcount order perf/core: Fix a race between mmap_close() and set_output() of AUX events perf/x86/amd/uncore: Prevent use after free perf/x86/intel/cqm: Check cqm/mbm enabled state in event init perf/core: Remove WARN from perf_event_read() commit 504cb1c25b63ca434e9ced4226c026b54097391d Merge: 7c2c114 d7127b5 Author: Linus Torvalds Date: Tue Sep 13 12:13:58 2016 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Another lockless_dereference() Sparse fix" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/barriers: Don't use sizeof(void) in lockless_dereference() commit 7c2c1144164c0a6fd91642909042862db907e053 Merge: 106f2e5 cbf2f8a Author: Linus Torvalds Date: Tue Sep 13 12:02:00 2016 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Ingo Molnar: "This contains a Xen fix, an arm64 fix and a race condition / robustization set of fixes related to ExitBootServices() usage and boundary conditions" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/efi: Use efi_exit_boot_services() efi/libstub: Use efi_exit_boot_services() in FDT efi/libstub: Introduce ExitBootServices helper efi/libstub: Allocate headspace in efi_get_memory_map() efi: Fix handling error value in fdt_find_uefi_params efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen commit 106f2e59ee3b89a2f93735f65499eae4e8d55abc Merge: 309a18a c944555 Author: Linus Torvalds Date: Tue Sep 13 11:19:52 2016 -0700 Merge tag 'md/4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD fixes from Shaohua Li: "A few bug fixes for MD: - Guoqing fixed a bug compiling md-cluster in kernel - I fixed a potential deadlock in raid5-cache superblock write, a hang in raid5 reshape resume and a race condition introduced in rc4" * tag 'md/4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: raid5: fix a small race condition md-cluster: make md-cluster also can work when compiled into kernel raid5: guarantee enough stripes to avoid reshape hang raid5-cache: fix a deadlock in superblock write commit ad5987b47e96a0fb6d13fea250e936aed000093c Author: Johannes Berg Date: Tue Sep 13 15:53:55 2016 +0200 nl80211: validate number of probe response CSA counters Due to an apparent copy/paste bug, the number of counters for the beacon configuration were checked twice, instead of checking the number of probe response counters. Fix this to check the number of probe response counters before parsing those. Cc: stable@vger.kernel.org Fixes: 9a774c78e211 ("cfg80211: Support multiple CSA counters") Signed-off-by: Johannes Berg net/wireless/nl80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 309a18ae360d1d8741c676a37a3daae319fe722a Merge: e8988e0 0bd2223 Author: Linus Torvalds Date: Tue Sep 13 11:10:49 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto bugfix from Herbert Xu: "Fix a bug in the cryptd code that may lead to crashes" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: cryptd - initialize child shash_desc on import commit 440f895aa97f81a2bdc02993da5360a1f6da2fb5 Author: Christophe Jaillet Date: Sun Sep 11 21:43:34 2016 +0200 drivers: net: phy: xgene: Fix 'remove' function If 'IS_ERR(pdata->clk)' is true, then 'clk_disable_unprepare(pdata->clk)' will do nothing. It is likely that 'if (!IS_ERR(pdata->clk))' was expected here. In fact, the test can even be removed because 'clk_disable_unprepare' already handles such cases. Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller drivers/net/phy/mdio-xgene.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 715f5552b1e90ba3eecf6d1a6d044d0d5226663f Author: Xin Long Date: Sat Sep 10 23:11:23 2016 +0800 sctp: hold the transport before using it in sctp_hash_cmp Since commit 4f0087812648 ("sctp: apply rhashtable api to send/recv path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp, in which it compares the members of the transport with the rhashtable args to check if it's the right transport. But sctp uses the transport without holding it in sctp_hash_cmp, it can cause a use-after-free panic. As after it gets transport from hashtable, another CPU may close the sk and free the asoc. In sctp_association_free, it frees all the transports, meanwhile, the assoc's refcnt may be reduced to 0, assoc can be destroyed by sctp_association_destroy. So after that, transport->assoc is actually an unavailable memory address in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still can not avoid this, as assoc is not freed by RCU. This patch is to hold the transport before checking it's members with sctp_transport_hold, in which it checks the refcnt first, holds it if it's not 0. Fixes: 4f0087812648 ("sctp: apply rhashtable api to send/recv path") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/input.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) commit 801f823dc2d585253f2f8dd17c4a46d9da560579 Author: Paul Burton Date: Mon Sep 5 15:24:54 2016 +0100 MIPS: c-r4k: Fix size calc when avoiding IPIs for small icache flushes Commit f70ddc07b637 ("MIPS: c-r4k: Avoid small flush_icache_range SMP calls") adds checks to force use of hit-type cache ops for small icache flushes where they are globalised & index-type cache ops aren't, in order to avoid the overhead of IPIs in those cases. However it calculated the size of the region being flushed incorrectly, subtracting the end address from the start address rather than the reverse. This would have led to an overflow with size wrapping round to some large value, and likely to the special case for avoiding IPIs not actually being hit. Signed-off-by: Paul Burton Cc: James Hogan Fixes: f70ddc07b637 ("MIPS: c-r4k: Avoid small flush_icache_range SMP calls") Reviewed-by: James Hogan Reviewed-by: Florian Fainelli Cc: Huacai Chen Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14211/ Signed-off-by: Ralf Baechle arch/mips/mm/c-r4k.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 28b89b9e6f7b6c8fef7b3af39828722bca20cfee Author: Joonwoo Park Date: Sun Sep 11 21:14:58 2016 -0700 cpuset: handle race between CPU hotplug and cpuset_hotplug_work A discrepancy between cpu_online_mask and cpuset's effective_cpus mask is inevitable during hotplug since cpuset defers updating of effective_cpus mask using a workqueue, during which time nothing prevents the system from more hotplug operations. For that reason guarantee_online_cpus() walks up the cpuset hierarchy until it finds an intersection under the assumption that top cpuset's effective_cpus mask intersects with cpu_online_mask even with such a race occurring. However a sequence of CPU hotplugs can open a time window, during which none of the effective CPUs in the top cpuset intersect with cpu_online_mask. For example when there are 4 possible CPUs 0-3 and only CPU0 is online: ======================== =========================== cpu_online_mask top_cpuset.effective_cpus ======================== =========================== echo 1 > cpu2/online. CPU hotplug notifier woke up hotplug work but not yet scheduled. [0,2] [0] echo 0 > cpu0/online. The workqueue is still runnable. [2] [0] ======================== =========================== Now there is no intersection between cpu_online_mask and top_cpuset.effective_cpus. Thus invoking sys_sched_setaffinity() at this moment can cause following: Unable to handle kernel NULL pointer dereference at virtual address 000000d0 ------------[ cut here ]------------ Kernel BUG at ffffffc0001389b0 [verbose debug info unavailable] Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 1420 Comm: taskset Tainted: G W 4.4.8+ #98 task: ffffffc06a5c4880 ti: ffffffc06e124000 task.ti: ffffffc06e124000 PC is at guarantee_online_cpus+0x2c/0x58 LR is at cpuset_cpus_allowed+0x4c/0x6c Process taskset (pid: 1420, stack limit = 0xffffffc06e124020) Call trace: [] guarantee_online_cpus+0x2c/0x58 [] cpuset_cpus_allowed+0x4c/0x6c [] sched_setaffinity+0xc0/0x1ac [] SyS_sched_setaffinity+0x98/0xac [] el0_svc_naked+0x24/0x28 The top cpuset's effective_cpus are guaranteed to be identical to cpu_online_mask eventually. Hence fall back to cpu_online_mask when there is no intersection between top cpuset's effective_cpus and cpu_online_mask. Signed-off-by: Joonwoo Park Acked-by: Li Zefan Cc: Tejun Heo Cc: cgroups@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: # 3.17+ Signed-off-by: Tejun Heo kernel/cpuset.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) commit 3cbc6fc9c99f1709203711f125bc3b79487aba06 Author: Huacai Chen Date: Mon Sep 5 08:48:03 2016 +0800 MIPS: Add a missing ".set pop" in an early commit Commit 842dfc11ea9a21 ("MIPS: Fix build with binutils 2.24.51+") missing a ".set pop" in macro fpu_restore_16even, so add it. Signed-off-by: Huacai Chen Acked-by: Manuel Lauss Cc: Steven J . Hill Cc: Fuxin Zhang Cc: Zhangjin Wu Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 3.18+ Patchwork: https://patchwork.linux-mips.org/patch/14210/ Signed-off-by: Ralf Baechle arch/mips/include/asm/asmmacro.h | 1 + 1 file changed, 1 insertion(+) commit 3e1be7ad2d38c6bd6aeef96df9bd0a7822f4e51c Author: Baoquan He Date: Fri Sep 9 22:43:12 2016 +0800 bnx2: Reset device during driver initialization When system enters into kdump kernel because of kernel panic, it won't shutdown devices. On-flight DMA will continue transferring data until device driver initializes. All devices are supposed to reset during driver initialization. And this property is used to fix the kdump failure in system with intel iommu. Other systems with hardware iommu should be similar. Please check commit 091d42e ("iommu/vt-d: Copy translation tables from old kernel") and those commits around. But bnx2 driver doesn't reset device during driver initialization. The device resetting is deferred to net device up stage. This will cause hardware iommu handling failure on bnx2 device. And its resetting relies on firmware. So in this patch move the firmware requesting code to earlier bnx2_init_one(), then next call bnx2_reset_chip to reset device. Signed-off-by: Baoquan He Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 67b9f0b737a41b8e10bcc3568830d546e6b9a68f Merge: da499f8 4440a2a Author: David S. Miller Date: Tue Sep 13 11:17:24 2016 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree, they are: 1) Endianess fix for the new nf_tables netlink trace infrastructure, NFTA_TRACE_POLICY endianess was not correct, patch from Liping Zhang. 2) Fix broken re-route after userspace queueing in nf_tables route chain. This patch is large but it is simple since it is just getting this code in sync with iptable_mangle. Also from Liping. 3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info() fails to setup the NAT conntrack extension. This problem has been there since the beginning, but it can now show up after rhashtable conversion. 4) Fix possible NULL pointer dereference due to failures in allocating the synproxy and seqadj conntrack extensions, from Gao feng. ==================== Signed-off-by: David S. Miller commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Author: Boris Brezillon Date: Tue Sep 13 15:58:29 2016 +0200 irqchip/atmel-aic: Fix potential deadlock in ->xlate() aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip lock without disabling interrupts, which can lead to a deadlock if an interrupt occurs while the lock is held in one of these functions. Replace irq_gc_{lock,unlock}() calls by irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from happening. Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") Signed-off-by: Boris Brezillon Acked-by: Marc Zyngier Cc: Jason Cooper Cc: Nicolas Ferre Cc: stable@vger.kernel.org Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-atmel-aic.c | 5 +++-- drivers/irqchip/irq-atmel-aic5.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) commit ebf9ff753c041b296241990aef76163bbb2cc9c8 Author: Boris Brezillon Date: Tue Sep 13 15:58:28 2016 +0200 genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers Some irqchip drivers need to take the generic chip lock outside of the irq context. Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow one to disable irqs while entering a critical section protected by gc->lock. Note that we do not provide optimized version of these helpers for !SMP, because they are not called from the hot-path. [ tglx: Added a comment when these helpers should be [not] used ] Signed-off-by: Boris Brezillon Cc: Jason Cooper Cc: Marc Zyngier Cc: Nicolas Ferre Cc: stable@vger.kernel.org Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner include/linux/irq.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 Author: Matt Redfearn Date: Mon Sep 5 15:43:40 2016 +0100 MIPS: paravirt: Fix undefined reference to smp_bootstrap If the paravirt machine is compiles without CONFIG_SMP, the following linker error occurs arch/mips/kernel/head.o: In function `kernel_entry': (.ref.text+0x10): undefined reference to `smp_bootstrap' due to the kernel entry macro always including SMP startup code. Wrap this code in CONFIG_SMP to fix the error. Signed-off-by: Matt Redfearn Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # 3.16+ Patchwork: https://patchwork.linux-mips.org/patch/14212/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mach-paravirt/kernel-entry-init.h | 2 ++ 1 file changed, 2 insertions(+) commit 3bc42f3f0ef13a8239138a4c00a0b782f029f23d Merge: 015282c 2cfe199 Author: Jens Axboe Date: Tue Sep 13 07:58:34 2016 -0600 Merge branch 'nvmf-4.8-rc' of git://git.infradead.org/nvme-fabrics into for-linus Sagi writes: Here we have: - Kconfig dependencies fix from Arnd - nvme-rdma device removal fixes from Steve - possible bad deref fix from Colin commit b03c1e3b8eed9026733c473071d1f528358a0e50 Author: Paul Burton Date: Mon Sep 12 10:58:06 2016 +0100 MIPS: Remove compact branch policy Kconfig entries Commit c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed") added Kconfig entries allowing for the compact branch policy used by the compiler for MIPSr6 kernels to be specified. This can be useful for debugging, particularly in systems where compact branches have recently been introduced. Unfortunately mainline gcc 5.x supports MIPSr6 but not the -mcompact-branches compiler flag, leading to MIPSr6 kernels failing to build with gcc 5.x with errors such as: mipsel-linux-gnu-gcc: error: unrecognized command line option '-mcompact-branches=optimal' make[2]: *** [kernel/bounds.s] Error 1 Fixing this by hiding the Kconfig entry behind another seems to be more hassle than it's worth, as MIPSr6 & compact branches have been around for a while now and if policy does need to be set for debug it can be done easily enough with KCFLAGS. Therefore remove the compact branch policy Kconfig entries & their handling in the Makefile. This reverts commit c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed"). Signed-off-by: Paul Burton Reported-by: kbuild test robot Fixes: c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed") Cc: stable # v4.4+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14241/ Signed-off-by: Ralf Baechle arch/mips/Kconfig.debug | 36 ------------------------------------ arch/mips/Makefile | 4 ---- 2 files changed, 40 deletions(-) commit ac7e385f2bf1c39615cf58f7e58246fdd9da5bb9 Author: James Hogan Date: Tue Aug 9 13:21:49 2016 +0100 MIPS: MAAR: Fix address alignment The alignment of MIPS MAAR region addresses isn't quite right. - It rounds an already 64 KiB aligned start address up to the next 64 KiB boundary, e.g. 0x80000000 is rounded up to 0x80010000. - It assumes the end address is already on a 64 KiB boundary and doesn't round it down. Should that not be the case it will hit the second BUG_ON() in write_maar_pair(). Both cases are addressed by rounding up and down to 64 KiB boundaries in the more traditional way of adding 0xffff (for rounding up) and masking off the low 16 bits. Signed-off-by: James Hogan Cc: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13858/ Signed-off-by: Ralf Baechle arch/mips/mm/init.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) commit 58cae9b0f0c1d9cc55de018d927e65549b24cf5b Author: James Hogan Date: Tue Aug 9 13:21:48 2016 +0100 MIPS: Fix memory regions reaching top of physical Memory regions added with add_memory_region() at the top of the physical address space will have their end address overflow to 0. This causes them to be rejected as invalid, and would cause various other issues later on. This causes issues on Malta and Boston platforms when wanting to use all 2GB of RAM on a 32-bit kernel, either via highmem (using physical addresses 0x90000000..0xFFFFFFFF), or with the Malta Enhanced Virtual Addressing (EVA) layout which exposes the whole 0x80000000..0xFFFFFFFF physical address range to kernel mode at 0x00000000..0x7FFFFFFF. Due to the abundance of these non-overflow assumptions and the fact that memblock already avoids the arithmetic overflow by limiting the size of new memory regions without the arch code knowing it (in particular mem_init_free_highmem() will trigger a page dump due to nonzero mapcount on the last page), it is simpler and safer to just limit the size of the region in a similar way to memblock but at the arch level to allow most of the RAM to be used without arithmetic overflows. Therefore we detect this case specifically and reduce the size of the region slightly to avoid the arithmetic overflows and cause the last page to be ignored. Signed-off-by: James Hogan Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13857/ Signed-off-by: Ralf Baechle arch/mips/kernel/setup.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 2809328f6ef2139115665dda1b83ee9303c52431 Author: Marcin Nowakowski Date: Thu Aug 11 09:02:30 2016 +0200 MIPS: uprobes: fix incorrect uprobe brk handling When a uprobe-replacement breakpoint instruction is handled, a notifier is called with DIE_UPROBE argument, but a corresponding exception notify handler for MIPS attempts to handle DIE_BREAK instead. As a result the breakpoint instruction isn't handled by the uprobe code and the probed application terminates with SIGTRAP. Fix this by changing arch_uprobe_exception_notify code to handle DIE_UPROBE as a pre-singlestep condition instead of DIE_BREAK. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13884/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e3b23148fd8af277fd55068183ed3ce4c8f51aa5 Author: Amitoj Kaur Chawla Date: Fri Aug 12 08:36:54 2016 +0530 MIPS: ath79: Fix test for error return of clk_register_fixed_factor(). clk_register_fixed_factor returns an ERR_PTR in case of an error and should have an IS_ERR check instead of a null check. The Coccinelle semantic patch used to find this issue is as follows: @@ expression e; statement S; @@ *e = clk_register_fixed_factor(...); if (!e) S Signed-off-by: Amitoj Kaur Chawla Cc: julia.lawall@lip6.fr Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/13894/ Signed-off-by: Ralf Baechle arch/mips/ath79/clock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2db34e78f126c6001d79d3b66ab1abb482dc7caa Author: Ard Biesheuvel Date: Tue Sep 13 09:48:53 2016 +0100 crypto: arm64/aes-ctr - fix NULL dereference in tail processing The AES-CTR glue code avoids calling into the blkcipher API for the tail portion of the walk, by comparing the remainder of walk.nbytes modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight into the tail processing block if they are equal. This tail processing block checks whether nbytes != 0, and does nothing otherwise. However, in case of an allocation failure in the blkcipher layer, we may enter this code with walk.nbytes == 0, while nbytes > 0. In this case, we should not dereference the source and destination pointers, since they may be NULL. So instead of checking for nbytes != 0, check for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in non-error conditions. Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions") Cc: stable@vger.kernel.org Reported-by: xiakaixu Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu arch/arm64/crypto/aes-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f82e90b28654804ab72881d577d87c3d5c65e2bc Author: Ard Biesheuvel Date: Tue Sep 13 09:48:52 2016 +0100 crypto: arm/aes-ctr - fix NULL dereference in tail processing The AES-CTR glue code avoids calling into the blkcipher API for the tail portion of the walk, by comparing the remainder of walk.nbytes modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight into the tail processing block if they are equal. This tail processing block checks whether nbytes != 0, and does nothing otherwise. However, in case of an allocation failure in the blkcipher layer, we may enter this code with walk.nbytes == 0, while nbytes > 0. In this case, we should not dereference the source and destination pointers, since they may be NULL. So instead of checking for nbytes != 0, check for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in non-error conditions. Fixes: 86464859cc77 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions") Cc: stable@vger.kernel.org Reported-by: xiakaixu Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu arch/arm/crypto/aes-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 Author: Herbert Xu Date: Tue Sep 13 14:43:29 2016 +0800 crypto: skcipher - Fix blkcipher walk OOM crash When we need to allocate a temporary blkcipher_walk_next and it fails, the code is supposed to take the slow path of processing the data block by block. However, due to an unrelated change we instead end up dereferencing the NULL pointer. This patch fixes it by moving the unrelated bsize setting out of the way so that we enter the slow path as inteded. Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block") Cc: stable@vger.kernel.org Reported-by: xiakaixu Reported-by: Ard Biesheuvel Signed-off-by: Herbert Xu Tested-by: Ard Biesheuvel crypto/blkcipher.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 53a5d5ddccf849dbc27a8c1bba0b43c3a45fb792 Author: Herbert Xu Date: Wed Sep 7 18:42:08 2016 +0800 crypto: echainiv - Replace chaining with multiplication The current implementation uses a global per-cpu array to store data which are used to derive the next IV. This is insecure as the attacker may change the stored data. This patch removes all traces of chaining and replaces it with multiplication of the salt and the sequence number. Fixes: a10f554fa7e0 ("crypto: echainiv - Add encrypted chain IV...") Cc: stable@vger.kernel.org Reported-by: Mathias Krause Signed-off-by: Herbert Xu crypto/echainiv.c | 115 ++++++++++++------------------------------------------ 1 file changed, 24 insertions(+), 91 deletions(-) commit 4440a2ab3b9f40dddbe006331ef0659c76859296 Author: Gao Feng Date: Tue Sep 13 08:49:18 2016 +0800 netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions When memory is exhausted, nfct_seqadj_ext_add may fail to add the synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't check if get valid seqadj pointer by the nfct_seqadj. Now drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer in nf_ct_seqadj_init from init_conntrack(). Signed-off-by: Gao Feng Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_conntrack_synproxy.h | 14 ++++++++++++++ net/netfilter/nf_conntrack_core.c | 6 +++--- net/netfilter/nf_nat_core.c | 3 ++- 3 files changed, 19 insertions(+), 4 deletions(-) commit 7eebfba5c48f89e1729022459cde2b256696ba2a Merge: 062f531 1ba7db0 Author: Dave Airlie Date: Tue Sep 13 10:18:02 2016 +1000 Merge tag 'drm/atmel-hlcdc/4.8-fixes' of github.com:bbrezillon/linux-at91 into drm-fixes Two fixes for 4.8: - missing static specifier on atmel_hlcdc_crtc_reset() - bug in the hardware scaling logic * tag 'drm/atmel-hlcdc/4.8-fixes' of github.com:bbrezillon/linux-at91: drm/atmel-hlcdc: Make ->reset() implementation static drm: atmel-hlcdc: Fix vertical scaling commit 062f531ab2e959a2236ae76523be0881ade7058d Merge: 603f2c9 fc2780b Author: Dave Airlie Date: Tue Sep 13 10:17:31 2016 +1000 Merge tag 'drm-intel-fixes-2016-09-08' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes from Jani. * tag 'drm-intel-fixes-2016-09-08' of git://anongit.freedesktop.org/drm-intel: drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB drm/i915: disable 48bit full PPGTT when vGPU is active drm/i915: enable vGPU detection for all drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() commit e8988e0550b040265b8cdab82c553b5d6be627fb Merge: ac059c4 e4abe2b Author: Linus Torvalds Date: Mon Sep 12 14:49:21 2016 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Some small fixes for the new sunxi clk driver introduced this merge window" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: sunxi-ng: Fix wrong reset register offsets clk: sunxi-ng: nk: Make ccu_nk_find_best static clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock clk: sunxi: Fix return value check in sun8i_a23_mbus_setup() clk: sunxi: pll2: Fix return value check in sun4i_pll2_setup() commit ac059c4fa78ff548ad7b2ecbad491e46bfbc6d2d Merge: 2c937eb 27bd44e Author: Linus Torvalds Date: Mon Sep 12 14:30:14 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: - s390: nested virt fixes (new 4.8 feature) - x86: fixes for 4.8 regressions - ARM: two small bugfixes * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm-arm: Unmap shadow pagetables properly x86, clock: Fix kvm guest tsc initialization arm: KVM: Fix idmap overlap detection when the kernel is idmap'ed KVM: lapic: adjust preemption timer correctly when goes TSC backward KVM: s390: vsie: fix riccbd KVM: s390: don't use current->thread.fpu.* when accessing registers commit 2c937eb4ddca946bb74936cf63aba0f94aa0efb3 Merge: da499f8 b519d40 Author: Linus Torvalds Date: Mon Sep 12 14:13:45 2016 -0700 Merge tag 'nfs-for-4.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Highlights include: Stable patches: - We must serialise LAYOUTGET and LAYOUTRETURN to ensure correct state accounting - Fix the CREATE_SESSION slot number Bugfixes: - sunrpc: fix a UDP memory accounting regression - NFS: Fix an error reporting regression in nfs_file_write() - pNFS: Fix further layout stateid issues - RPC/rdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") - RPC/rdma: Fix receive buffer accounting" * tag 'nfs-for-4.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFSv4.1: Fix the CREATE_SESSION slot number accounting xprtrdma: Fix receive buffer accounting xprtrdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") pNFS: Don't forget the layout stateid if there are outstanding LAYOUTGETs pNFS: Clear out all layout segments if the server unsets lrp->res.lrs_present pNFS: Fix pnfs_set_layout_stateid() to clear NFS_LAYOUT_INVALID_STID pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised NFS: Fix error reporting in nfs_file_write() sunrpc: fix UDP memory accounting commit bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb Author: Chuck Lever Date: Thu Sep 1 10:50:38 2016 -0400 svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") rsc_lookup steals the passed-in memory to avoid doing an allocation of its own, so we can't just pass in a pointer to memory that someone else is using. If we really want to avoid allocation there then maybe we should preallocate somwhere, or reference count these handles. For now we should revert. On occasion I see this on my server: kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851! kernel: invalid opcode: 0000 [#1] SMP kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15 kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 kernel: Workqueue: events do_cache_clean [sunrpc] kernel: task: ffff8808541d8000 task.stack: ffff880854344000 kernel: RIP: 0010:[] [] kfree+0x155/0x180 kernel: RSP: 0018:ffff880854347d70 EFLAGS: 00010246 kernel: RAX: ffffea0020fe7660 RBX: ffff88083f9db064 RCX: 146ff0f9d5ec5600 kernel: RDX: 000077ff80000000 RSI: ffff880853f01500 RDI: ffff88083f9db064 kernel: RBP: ffff880854347d88 R08: ffff8808594ee000 R09: ffff88087fdd8780 kernel: R10: 0000000000000000 R11: ffffea0020fe76c0 R12: ffff880853f01500 kernel: R13: ffffffffa013cf76 R14: ffffffffa013cff0 R15: ffffffffa04253a0 kernel: FS: 0000000000000000(0000) GS:ffff88087fdc0000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00007fed60b020c3 CR3: 0000000001c06000 CR4: 00000000001406e0 kernel: Stack: kernel: ffff8808589f2f00 ffff880853f01500 0000000000000001 ffff880854347da0 kernel: ffffffffa013cf76 ffff8808589f2f00 ffff880854347db8 ffffffffa013d006 kernel: ffff8808589f2f20 ffff880854347e00 ffffffffa0406f60 0000000057c7044f kernel: Call Trace: kernel: [] rsc_free+0x16/0x90 [auth_rpcgss] kernel: [] rsc_put+0x16/0x30 [auth_rpcgss] kernel: [] cache_clean+0x2e0/0x300 [sunrpc] kernel: [] do_cache_clean+0xe/0x70 [sunrpc] kernel: [] process_one_work+0x1ff/0x3b0 kernel: [] worker_thread+0x2bc/0x4a0 kernel: [] ? rescuer_thread+0x3a0/0x3a0 kernel: [] kthread+0xe4/0xf0 kernel: [] ret_from_fork+0x1f/0x40 kernel: [] ? kthread_stop+0x110/0x110 kernel: Code: f7 ff ff eb 3b 65 8b 05 da 30 e2 7e 89 c0 48 0f a3 05 a0 38 b8 00 0f 92 c0 84 c0 0f 85 d1 fe ff ff 0f 1f 44 00 00 e9 f5 fe ff ff <0f> 0b 49 8b 03 31 f6 f6 c4 40 0f 85 62 ff ff ff e9 61 ff ff ff kernel: RIP [] kfree+0x155/0x180 kernel: RSP kernel: ---[ end trace 3fdec044969def26 ]--- It seems to be most common after a server reboot where a client has been using a Kerberos mount, and reconnects to continue its workload. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields net/sunrpc/auth_gss/svcauth_gss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 2cfe199ca5a8816ee80fe15bcf202dd1020aaea0 Author: Arnd Bergmann Date: Tue Sep 6 14:58:06 2016 +0200 nvme-rdma: add back dependency on CONFIG_BLOCK A recent change removed the dependency on BLK_DEV_NVME, which implies the dependency on PCI and BLOCK. We don't need CONFIG_PCI, but without CONFIG_BLOCK we get tons of build errors, e.g. In file included from drivers/nvme/host/core.c:16:0: linux/blk-mq.h:182:33: error: 'struct gendisk' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] drivers/nvme/host/core.c: In function 'nvme_setup_rw': drivers/nvme/host/core.c:295:21: error: implicit declaration of function 'rq_data_dir' [-Werror=implicit-function-declaration] drivers/nvme/host/nvme.h: In function 'nvme_map_len': drivers/nvme/host/nvme.h:217:6: error: implicit declaration of function 'req_op' [-Werror=implicit-function-declaration] drivers/nvme/host/scsi.c: In function 'nvme_trans_bdev_limits_page': drivers/nvme/host/scsi.c:768:85: error: implicit declaration of function 'queue_max_hw_sectors' [-Werror=implicit-function-declaration] This adds back the specific CONFIG_BLOCK dependency to avoid broken configurations. Signed-off-by: Arnd Bergmann Fixes: aa71987472a9 ("nvme: fabrics drivers don't need the nvme-pci driver") Signed-off-by: Sagi Grimberg drivers/nvme/host/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 1bda18de8f15a611a61d1a935b679db2e153338a Author: Colin Ian King Date: Mon Sep 5 16:24:38 2016 +0100 nvme-rdma: fix null pointer dereference on req->mr If there is an error on req->mr, req->mr is set to null, however the following statement sets req->mr->need_inval causing a null pointer dereference. Fix this by bailing out to label 'out' to immediately return and hence skip over the offending null pointer dereference. Fixes: f5b7b559e1488 ("nvme-rdma: Get rid of duplicate variable") Signed-off-by: Colin Ian King Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 1 + 1 file changed, 1 insertion(+) commit e87a911fed07e368c6f97e75152e6297a7dfba48 Author: Steve Wise Date: Fri Sep 2 09:01:54 2016 -0700 nvme-rdma: use ib_client API to detect device removal Change nvme-rdma to use the IB Client API to detect device removal. This has the wonderful benefit of being able to blow away all the ib/rdma_cm resources for the device being removed. No craziness about not destroying the cm_id handling the event. No deadlocks due to broken iw_cm/rdma_cm/iwarp dependencies. And no need to have a bound cm_id around during controller recovery/reconnect to catch device removal events. We don't use the device_add aspect of the ib_client service since we only want to create resources for an IB device if we have a target utilizing that device. Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 108 ++++++++++++++++++----------------------------- 1 file changed, 40 insertions(+), 68 deletions(-) commit e89ca58f9c901c8c4cfb09f96d879b186bb01492 Author: Sagi Grimberg Date: Fri Sep 2 09:01:54 2016 -0700 nvme-rdma: add DELETING queue flag When we get a surprise disconnect from the target we queue a periodic reconnect (which is the sane thing to do...). We only move the queues out of CONNECTED when we retry to reconnect (after 10 seconds in the default case) but we stop the blk queues immediately so we are not bothered with traffic from now on. If delete() is kicking off in this period the queues are still in CONNECTED state. Part of the delete sequence is trying to issue ctrl shutdown if the admin queue is CONNECTED (which it is!). This request is issued but stuck in blk-mq waiting for the queues to start again. This might be the one preventing us from forward progress... The patch separates the queue flags to CONNECTED and DELETING. Now we will move out of CONNECTED as soon as error recovery kicks in (before stopping the queues) and DELETING is on when we start the queue deletion. Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit ecfcdfec7e0cc64215a194044305f02a5a836e6d Author: Pablo Neira Ayuso Date: Fri Sep 9 15:38:12 2016 +0200 netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup() nf_nat_setup_info() returns NF_* verdicts, so convert them to error codes that is what ctnelink expects. This has passed overlook without having any impact since this nf_nat_setup_info() has always returned NF_ACCEPT so far. Since 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable"), this is problem. Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit da499f8f5385c181e29978fdaab15a58de185302 Merge: 9395452 373df31 Author: Linus Torvalds Date: Mon Sep 12 07:56:06 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Mostly small sets of driver fixes scattered all over the place. 1) Mediatek driver fixes from Sean Wang. Forward port not written correctly during TX map, missed handling of EPROBE_DEFER, and mistaken use of put_page() instead of skb_free_frag(). 2) Fix socket double-free in KCM code, from WANG Cong. 3) QED driver fixes from Sudarsana Reddy Kalluru, including a fix for using the dcbx buffers before initializing them. 4) Mellanox Switch driver fixes from Jiri Pirko, including a fix for double fib removals and an error handling fix in mlxsw_sp_module_init(). 5) Fix kernel panic when enabling LLDP in i40e driver, from Dave Ertman. 6) Fix padding of TSO packets in thunderx driver, from Sunil Goutham. 7) TCP's rcv_wup not initialized properly when using fastopen, from Neal Cardwell. 8) Don't use uninitialized flow keys in flow dissector, from Gao Feng. 9) Use after free in l2tp module unload, from Sabrina Dubroca. 10) Fix interrupt registry ordering issues in smsc911x driver, from Jeremy Linton. 11) Fix crashes in bonding having to do with enslaving and rx_handler, from Mahesh Bandewar. 12) AF_UNIX deadlock fixes from Linus. 13) In mlx5 driver, don't read skb->xmit_mode after it might have been freed from the TX reclaim path. From Tariq Toukan. 14) Fix a bug from 2015 in TCP Yeah where the congestion window does not increase, from Artem Germanov. 15) Don't pad frames on receive in NFP driver, from Jakub Kicinski. 16) Fix chunk fragmenting in SCTP wrt. GSO, from Marcelo Ricardo Leitner. 17) Fix deletion of VRF routes, from Mark Tomlinson. 18) Fix device refcount leak when DAD fails in ipv6, from Wei Yongjun" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (101 commits) net/mlx4_en: Fix panic on xmit while port is down net/mlx4_en: Fixes for DCBX net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state() net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_all() net: ethernet: renesas: sh_eth: add POST registers for rz drivers: net: phy: mdio-xgene: Add hardware dependency dwc_eth_qos: do not register semi-initialized device sctp: identify chunks that need to be fragmented at IP level mlxsw: spectrum: Set port type before setting its address mlxsw: spectrum_router: Fix error path in mlxsw_sp_router_init nfp: don't pad frames on receive nfp: drop support for old firmware ABIs nfp: remove linux/version.h includes tcp: cwnd does not increase in TCP YeAH net/mlx5e: Fix parsing of vlan packets when updating lro header net/mlx5e: Fix global PFC counters replication net/mlx5e: Prevent casting overflow net/mlx5e: Move an_disable_cap bit to a new position net/mlx5e: Fix xmit_more counter race issue tcp: fastopen: avoid negative sk_forward_alloc ... commit 1a57c286d8ced1e4144c6201a19bbb70827edee6 Author: Russell King Date: Sun Sep 4 21:45:56 2016 +0100 ARM: pxa/lubbock: add pcmcia clock Add the required PCMCIA clock for the SA1111 "1800" device. This clock is used to compute timing information for the PCMCIA interface in the SoC device, rather than the SA1111. Hence, the provision of this clock is a convenience for the driver and does not reflect the hardware, so this must not be copied into DT. Acked-by: Robert Jarzmik Tested-by: Robert Jarzmik Signed-off-by: Russell King arch/arm/mach-pxa/lubbock.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit 07f56e6646228da27122e81d5a5a232fdf3d3a50 Author: Russell King Date: Fri Sep 2 22:08:45 2016 +0100 ARM: locomo: fix locomo irq handling Accidentally booting Collie on Assabet reveals that the locomo driver incorrectly overwrites gpio-sa1100's chip data for its parent interrupt, leading to oops in sa1100_gpio_unmask() and sa1100_update_edge_regs() when "gpio: sa1100: convert to use IO accessors" is applied. Fix locomo to use the handler data rather than chip data for its parent interrupt. Signed-off-by: Russell King arch/arm/common/locomo.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 6b3142b2b852cd5e3216d1aa800a0a49377e6e1c Author: Stefan Agner Date: Wed Sep 7 21:56:09 2016 +0100 ARM: 8612/1: LPAE: initialize cache policy correctly The cachepolicy variable gets initialized using a masked pmd value. So far, the pmd has been masked with flags valid for the 2-page table format, but the 3-page table format requires a different mask. On LPAE, this lead to a wrong assumption of what initial cache policy has been used. Later a check forces the cache policy to writealloc and prints the following warning: Forcing write-allocate cache policy for SMP This patch introduces a new definition PMD_SECT_CACHE_MASK for both page table formats which masks in all cache flags in both cases. Signed-off-by: Stefan Agner Signed-off-by: Russell King arch/arm/include/asm/pgtable-2level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/mm/mmu.c | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) commit 5df20f2141eadb5430caaad20eceac61cfe0f139 Author: Pedersen, Thomas Date: Tue Sep 6 11:59:00 2016 -0700 mac80211: make mpath path fixing more robust A fixed mpath was not quite being treated as such: 1) if a PERR frame was received, a fixed mpath was deactivated. 2) queued path discovery for fixed mpath was potentially being considered, changing mpath state. 3) other mpath flags were potentially being inherited when fixing the mpath. Just assign PATH_FIXED and SN_VALID. This solves several issues when fixing a mesh path in one direction. The reverse direction mpath should probably also be fixed, or root announcements at least be enabled. Signed-off-by: Thomas Pedersen Signed-off-by: Johannes Berg net/mac80211/mesh_hwmp.c | 3 ++- net/mac80211/mesh_pathtbl.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) commit 1feafd64cbc31b75b7b08ab3ca0305311c3f6246 Merge: 817ed57 87d5dd6 Author: Russell King Date: Mon Sep 12 11:19:04 2016 +0100 Merge branches 'fixes-pcmcia' and 'fixes-sa1111' into fixes commit 87d5dd62c07f90ed2b0d6718f5c666f69e7d39b0 Author: Russell King Date: Tue Sep 6 16:09:17 2016 +0100 ARM: sa1111: fix missing clk_disable() SA1111 forgets to call clk_disable() in the probe error cleanup path. Add the necessary call. Signed-off-by: Russell King arch/arm/common/sa1111.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d Author: Russell King Date: Tue Sep 6 14:34:05 2016 +0100 ARM: sa1111: fix pcmcia suspend/resume SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for the PCMCIA socket class. PCMCIA used to handle suspend/resume via the socket hosting device, which happened at normal device suspend/resume time. However, the referenced commit changed this: much of the resume now happens much earlier, in the noirq resume handler of dev_pm_ops. However, on SA1111, the PCMCIA device is not accessible as the SA1111 has not been resumed at _noirq time. It's slightly worse than that, because the SA1111 has already been put to sleep at _noirq time, so suspend doesn't work properly. Fix this by converting the core SA1111 code to use dev_pm_ops as well, and performing its own suspend/resume at noirq time. This fixes these errors in the kernel log: pcmcia_socket pcmcia_socket0: time out after reset pcmcia_socket pcmcia_socket1: time out after reset and the resulting lack of PCMCIA cards after a S2RAM cycle. Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class") Signed-off-by: Russell King arch/arm/common/sa1111.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) commit 7c0091eceab231b59e51b80bbcf5a2205a0fa905 Author: Russell King Date: Tue Sep 6 14:21:46 2016 +0100 ARM: sa1111: fix pcmcia interrupt mask polarity The polarity of the high IRQs was being calculated using SA1111_IRQMASK_HI(), but this assumes a Linux interrupt number, not a hardware interrupt number. Hence, the resulting mask was incorrect. Fix this. Signed-off-by: Russell King arch/arm/common/sa1111.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit cb034407ec3f816540f359300cda1122faabdbbd Author: Russell King Date: Sat Sep 3 10:21:51 2016 +0100 ARM: sa1111: fix error code propagation in sa1111_probe() Ensure that we propagate the platform_get_irq() error code out of the probe function. This allows probe deferrals to work correctly should platform_get_irq() not be able to resolve the interrupt in a DT environment at probe time. Signed-off-by: Russell King arch/arm/common/sa1111.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 817ed5748e40bbc5b5f2aa0c3094c4a7adfb8881 Author: Robert Jarzmik Date: Thu Sep 1 08:31:08 2016 +0200 pcmcia: lubbock: fix sockets configuration On lubbock board, the probe of the driver crashes by dereferencing very early a platform_data structure which is not set, in pxa2xx_configure_sockets(). The stack fixed is : [ 0.244353] SA1111 Microprocessor Companion Chip: silicon revision 1, metal revision 1 [ 0.256321] sa1111 sa1111: Providing IRQ336-390 [ 0.340899] clocksource: Switched to clocksource oscr0 [ 0.472263] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 0.480469] pgd = c0004000 [ 0.483432] [00000004] *pgd=00000000 [ 0.487105] Internal error: Oops: f5 [#1] ARM [ 0.491497] Modules linked in: [ 0.494650] CPU: 0 PID: 1 Comm: swapper Not tainted 4.8.0-rc3-00080-g1aaa68426f0c-dirty #2068 [ 0.503229] Hardware name: Intel DBPXA250 Development Platform (aka Lubbock) [ 0.510344] task: c3e42000 task.stack: c3e44000 [ 0.514984] PC is at pxa2xx_configure_sockets+0x4/0x24 (drivers/pcmcia/pxa2xx_base.c:227) [ 0.520193] LR is at pcmcia_lubbock_init+0x1c/0x38 [ 0.525079] pc : [] lr : [] psr: a0000053 [ 0.525079] sp : c3e45e70 ip : 100019ff fp : 00000000 [ 0.536651] r10: c0828900 r9 : c0434838 r8 : 00000000 [ 0.541953] r7 : c0820700 r6 : c0857b30 r5 : c3ec1400 r4 : c0820758 [ 0.548549] r3 : 00000000 r2 : 0000000c r1 : c3c09c40 r0 : c3ec1400 [ 0.555154] Flags: NzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none [ 0.562450] Control: 0000397f Table: a0004000 DAC: 00000053 [ 0.568257] Process swapper (pid: 1, stack limit = 0xc3e44190) [ 0.574154] Stack: (0xc3e45e70 to 0xc3e46000) [ 0.578610] 5e60: c4849800 00000000 c3ec1400 c024769c [ 0.586928] 5e80: 00000000 c3ec140c c3c0ee0c c3ec1400 c3ec1434 c020c410 c3ec1400 c3ec1434 [ 0.595244] 5ea0: c0820700 c080b408 c0828900 c020c5f8 00000000 c0820700 c020c578 c020ac5c [ 0.603560] 5ec0: c3e687cc c3e71e10 c0820700 00000000 c3c02de0 c020bae4 c03c62f7 c03c62f7 [ 0.611872] 5ee0: c3e68780 c0820700 c042e034 00000000 c043c440 c020cdec c080b408 00000005 [ 0.620188] 5f00: c042e034 c00096c0 c0034440 c01c730c 20000053 ffffffff 00000000 00000000 [ 0.628502] 5f20: 00000000 c3ffcb87 c3ffcb90 c00346ac c3e66ba0 c03f7914 00000092 00000005 [ 0.636811] 5f40: 00000005 c03f847c 00000091 c03f847c 00000000 00000005 c0434828 00000005 [ 0.645125] 5f60: c043482c 00000092 c043c440 c0828900 c0434838 c0418d2c 00000005 00000005 [ 0.653430] 5f80: 00000000 c041858c 00000000 c032e9f0 00000000 00000000 00000000 00000000 [ 0.661729] 5fa0: 00000000 c032e9f8 00000000 c000f0f0 00000000 00000000 00000000 00000000 [ 0.670020] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 0.678311] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [ 0.686673] (pxa2xx_configure_sockets) from pcmcia_lubbock_init (/drivers/pcmcia/sa1111_lubbock.c:161) [ 0.696026] (pcmcia_lubbock_init) from pcmcia_probe (/drivers/pcmcia/sa1111_generic.c:213) [ 0.704358] (pcmcia_probe) from driver_probe_device (/drivers/base/dd.c:378 /drivers/base/dd.c:499) [ 0.712848] (driver_probe_device) from __driver_attach (/./include/linux/device.h:983 /drivers/base/dd.c:733) [ 0.721414] (__driver_attach) from bus_for_each_dev (/drivers/base/bus.c:313) [ 0.729723] (bus_for_each_dev) from bus_add_driver (/drivers/base/bus.c:708) [ 0.738036] (bus_add_driver) from driver_register (/drivers/base/driver.c:169) [ 0.746185] (driver_register) from do_one_initcall (/init/main.c:778) [ 0.754561] (do_one_initcall) from kernel_init_freeable (/init/main.c:843 /init/main.c:851 /init/main.c:869 /init/main.c:1016) [ 0.763409] (kernel_init_freeable) from kernel_init (/init/main.c:944) [ 0.771660] (kernel_init) from ret_from_fork (/arch/arm/kernel/entry-common.S:119) [ 0.779347] Code: c03c6305 c03c631e c03c632e e5903048 (e993000c) All code ======== 0: c03c6305 eorsgt r6, ip, r5, lsl #6 4: c03c631e eorsgt r6, ip, lr, lsl r3 8: c03c632e eorsgt r6, ip, lr, lsr #6 c: e5903048 ldr r3, [r0, #72] ; 0x48 10:* e993000c ldmib r3, {r2, r3} <-- trapping instruction Signed-off-by: Robert Jarzmik Signed-off-by: Russell King drivers/pcmcia/pxa2xx_base.c | 9 +++++---- drivers/pcmcia/pxa2xx_base.h | 2 +- drivers/pcmcia/sa1111_lubbock.c | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) commit 3f8df892b2312011f2ba73aedc0a192d70b8844e Author: Russell King Date: Fri Sep 2 10:14:20 2016 +0100 pcmcia: sa1111: fix propagation of lowlevel board init return code When testing Lubbock, it was noticed that the sa1111 pcmcia driver bound but was not functional due to no sockets being registered. This is because the return code from the lowlevel board initialisation was not being propagated out of the probe function. Fix this. Tested-by: Robert Jarzmik Signed-off-by: Russell King drivers/pcmcia/sa1111_badge4.c | 22 ++++++++-------------- drivers/pcmcia/sa1111_generic.c | 22 +++++++++++++++++----- drivers/pcmcia/sa1111_jornada720.c | 25 ++++++++++--------------- drivers/pcmcia/sa1111_lubbock.c | 32 +++++++++++++------------------- drivers/pcmcia/sa1111_neponset.c | 26 ++++++++++---------------- 5 files changed, 58 insertions(+), 69 deletions(-) commit a466ebd2fc6a793e55f028a008b9f094d7d30fe3 Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: soc_common: fix SS_STSCHG polarity SS_STSCHG should be set for an IO card when the BVD1 signal is asserted low, not high. Signed-off-by: Russell King drivers/pcmcia/soc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cbd5a16820e576d26bf985ad62b8c4cdf792fb45 Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: sa11xx_base: add units to the timing information Add units to the timing information, so we know that the numbers are nanoseconds. The output changes from: I/O : 165 (172) attribute: 300 (316) common : 300 (316) to: I/O : 165ns (172ns) attribute: 300ns (316ns) common : 300ns (316ns) Signed-off-by: Russell King drivers/pcmcia/sa11xx_base.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 6dec04e8f30a8cf1e782500244d8601c1f8505ad Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: sa11xx_base: fix reporting of timing information Fix the reporting of the currently programmed timing information. These entries have been showing zero due to the clock rate being a factor of 1000 too big. With this change, we go from: I/O : 165 (0) attribute: 300 (0) common : 300 (0) to: I/O : 165 (172) attribute: 300 (316) common : 300 (316) Signed-off-by: Russell King drivers/pcmcia/sa11xx_base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ad8d52b897a14711e026889053befbbee7fd51ba Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: ds: fix suspend/resume PCMCIA suspend/resume no longer works since the commit mentioned below, as the callbacks are no longer made. Convert the driver to the new dev_pm_ops, which restores the suspend/resume functionality. Tested on the arm arch Assabet platform. Fixes: aa8e54b559479 ("PM / sleep: Go direct_complete if driver has no callbacks") Signed-off-by: Russell King drivers/pcmcia/ds.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit df6ef5d8a87ace995d5c10a7bd684be05911a321 Author: Felix Fietkau Date: Sun Sep 4 18:00:59 2016 +0200 mac80211: fix sequence number assignment for PS response frames When using intermediate queues, sequence number allocation is deferred until dequeue. This doesn't work for PS response frames, which bypass those queues. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg net/mac80211/tx.c | 65 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 32 deletions(-) commit 83843c80dcf11a78995d167255b03072a1e49c2c Author: Felix Fietkau Date: Sun Aug 28 13:10:37 2016 +0200 mac80211: fix tim recalculation after PS response Handle the case where the mac80211 intermediate queues are empty and the driver has buffered frames Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation") Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3ae50f4512ce831e8b63eb54ad969417ff30ada7 Author: Lee Jones Date: Thu Sep 8 11:11:36 2016 +0200 mmc: sdhci-st: Handle interconnect clock Some ST platforms contain interconnect (ICN) clocks which must be handed correctly in order to obtain full functionality of a given IP. In this case, if the ICN clocks are not handled properly by the ST SDHCI driver MMC will break and the following output can be observed: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. A decent point was raised about minimising the use of a local variable that we 'could' do without. I've chosen consistency over the possibility of reducing the local variable count by 1. Thinking that it's more important for the code to be grouped and authoured in a similar manner/style for greater maintainability/readability. Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Signed-off-by: Ulf Hansson drivers/mmc/host/sdhci-st.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) commit 981b178964d03f6f8e6cca01568c17d1dbafdf0e Author: Lee Jones Date: Thu Sep 8 11:11:35 2016 +0200 dt-bindings: mmc: sdhci-st: Mention the discretionary "icn" clock The interconnect (ICN) clock is required for functional working of MMC on some ST platforms. When not supplied it can result in broken MMC and the following output: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. Signed-off-by: Lee Jones Signed-off-by: Ulf Hansson Documentation/devicetree/bindings/mmc/sdhci-st.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f190fd92458da3e869b4e2c6289e2c617490ae53 Author: Daniele Palmas Date: Fri Sep 2 10:37:56 2016 +0200 USB: serial: simple: add support for another Infineon flashloader This patch adds support for Infineon flashloader 0x8087/0x0801. The flashloader is used in Telit LE940B modem family with Telit flashing application. Signed-off-by: Daniele Palmas Cc: stable Signed-off-by: Johan Hovold drivers/usb/serial/usb-serial-simple.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9395452b4aab7bc2475ef8935b4a4fb99d778d70 Author: Linus Torvalds Date: Sun Sep 11 20:02:25 2016 -0700 Linux 4.8-rc6 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ffed15d3ce3f710b94e6f402e1ca2318f7d7c0e2 Author: Michael Ellerman Date: Mon Sep 12 12:48:28 2016 +1000 powerpc/kernel: Fix size of NUM_CPU_FTR_KEYS on 32-bit The number of CPU feature keys is meant to map 1:1 to the number of CPU feature flags defined in cputable.h, and the latter must fit in an unsigned long. In commit 4db7327194db ("powerpc: Add option to use jump label for cpu_has_feature()"), I incorrectly defined NUM_CPU_FTR_KEYS to 64. There should be no real adverse consequences of this bug, other than us allocating too many keys. Fix it by using BITS_PER_LONG. Fixes: 4db7327194db ("powerpc: Add option to use jump label for cpu_has_feature()") Tested-by: Meelis Roos Signed-off-by: Michael Ellerman arch/powerpc/include/asm/cpu_has_feature.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bd00a240dc52e28706fbbe3aceda63e6c291b433 Author: Gautham R. Shenoy Date: Wed Sep 7 10:46:30 2016 +0530 powerpc/powernv: Fix restore of SPRs upon wake up from hypervisor state loss pnv_wakeup_tb_loss() currently expects cr4 to be "eq" if the CPU is waking up from a complete hypervisor state loss. Hence, it currently restores the SPR contents only if cr4 is "eq". However, after commit bcef83a00dc4 ("powerpc/powernv: Add platform support for stop instruction"), on ISA v3.0 CPUs, the function pnv_restore_hyp_resource() sets cr4 to contain the result of the comparison between the state the CPU has woken up from and the first deep stop state before calling pnv_wakeup_tb_loss(). Thus if the CPU woke up from a state that is deeper than the first deep stop state, cr4 will have "gt" set and hence, pnv_wakeup_tb_loss() will fail to restore the SPRs on waking up from such a state. Fix the code in pnv_wakeup_tb_loss() to restore the SPR states when cr4 is "eq" or "gt". Fixes: bcef83a00dc4 ("powerpc/powernv: Add platform support for stop instruction") Signed-off-by: Gautham R. Shenoy Reviewed-by: Shreyas B. Prabhu Signed-off-by: Michael Ellerman arch/powerpc/kernel/idle_book3s.S | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 373df3131aa83bd3e0ea7cd15be92d942d75fc72 Merge: e148788 7a61fc8 Author: David S. Miller Date: Sun Sep 11 19:40:26 2016 -0700 Merge branch 'mlx4-fixes' Tariq Toukan says: ==================== mlx4 fixes This patchset contains several bug fixes from the team to the mlx4 Eth driver. Series generated against net commit: c2f57fb97da5 "drivers: net: phy: mdio-xgene: Add hardware dependency" v2: * excluded some cleanup patches. ==================== Signed-off-by: David S. Miller commit 7a61fc86af4a0c957c5b8c5777ab21d5cc286748 Author: Moshe Shemesh Date: Sun Sep 11 10:56:20 2016 +0300 net/mlx4_en: Fix panic on xmit while port is down When port is down, tx drop counter update is not needed. Updating the counter in this case can cause a kernel panic as when the port is down, ring can be NULL. Fixes: 63a664b7e92b ("net/mlx4_en: fix tx_dropped bug") Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_tx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 564ed9b187082da79726a2f25bb88a58ebeec7e8 Author: Tariq Toukan Date: Sun Sep 11 10:56:19 2016 +0300 net/mlx4_en: Fixes for DCBX This patch adds a capability check before enabling DCBX. In addition, it re-organizes the relevant data structures, and fixes a typo in a define. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 31 +++++++++++++------------- drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 21 +++++++---------- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 15 +++---------- drivers/net/ethernet/mellanox/mlx4/port.c | 4 ++-- 4 files changed, 28 insertions(+), 43 deletions(-) commit c677071741343381f4f555867c04af7ec4a90869 Author: Kamal Heib Date: Sun Sep 11 10:56:18 2016 +0300 net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state() mlx4_en_dcbnl_set_state() returns u8, the return value from mlx4_en_setup_tc() could be negative in case of failure, so fix that. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Kamal Heib Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 74a9e9054456658f047bf71d9108844defde793d Author: Kamal Heib Date: Sun Sep 11 10:56:17 2016 +0300 net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_all() mlx4_en_dcbnl_set_all() returns u8, so return value can't be negative in case of failure. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Kamal Heib Signed-off-by: Rana Shahout Reported-by: Dan Carpenter Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) commit bd0b841fee49de421f615cc173ccff063303672f Author: Linus Torvalds Date: Sun Sep 11 14:41:49 2016 -0700 nvme: make NVME_RDMA depend on BLOCK Commit aa71987472a9 ("nvme: fabrics drivers don't need the nvme-pci driver") removed the dependency on BLK_DEV_NVME, but the cdoe does depend on the block layer (which used to be an implicit dependency through BLK_DEV_NVME). Otherwise you get various errors from the kbuild test robot random config testing when that happens to hit a configuration with BLOCK device support disabled. Cc: Christoph Hellwig Cc: Jay Freyensee Cc: Sagi Grimberg Signed-off-by: Linus Torvalds drivers/nvme/host/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2afe669acdcea66d95b94bbcdc1412210ea218d6 Merge: 61c3dae 72d508a Author: Linus Torvalds Date: Sun Sep 11 14:23:48 2016 -0700 Merge tag 'staging-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull IIO fixes from Greg KH: "Here are a few small IIO fixes for 4.8-rc6. Nothing major, full details are in the shortlog, all of these have been in linux-next with no reported issues" * tag 'staging-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: iio:core: fix IIO_VAL_FRACTIONAL sign handling iio: ensure ret is initialized to zero before entering do loop iio: accel: kxsd9: Fix scaling bug iio: accel: bmc150: reset chip at init time iio: fix pressure data output unit in hid-sensor-attributes tools:iio:iio_generic_buffer: fix trigger-less mode commit 61c3dae670436131647c2f05a9ba3571503b79ff Merge: 98ac9a6 6b98174 Author: Linus Torvalds Date: Sun Sep 11 14:10:29 2016 -0700 Merge tag 'usb-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB gadget, phy, and xhci fixes for 4.8-rc6. All of these resolve minor issues that have been reported, and all have been in linux-next with no reported issues" * tag 'usb-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase xhci: fix null pointer dereference in stop command timeout function usb: dwc3: pci: fix build warning on !PM_SLEEP usb: gadget: prevent potenial null pointer dereference on skb->len usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition usb: phy: phy-generic: Check clk_prepare_enable() error usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON Revert "usb: dwc3: gadget: always decrement by 1" commit b519d408ea32040b1c7e10b155a3ee9a36660947 Author: Trond Myklebust Date: Sun Sep 11 14:50:01 2016 -0400 NFSv4.1: Fix the CREATE_SESSION slot number accounting Ensure that we conform to the algorithm described in RFC5661, section 18.36.4 for when to bump the sequence id. In essence we do it for all cases except when the RPC call timed out, or in case of the server returning NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit e1487888eccc83e9eb5a3659955f79b039dc7945 Author: Chris Brandt Date: Wed Sep 7 14:57:09 2016 -0400 net: ethernet: renesas: sh_eth: add POST registers for rz Due to a mistake in the hardware manual, the FWSLC and POST1-4 registers were not documented and left out of the driver for RZ/A making the CAM feature non-operational. Additionally, when the offset values for POST1-4 are left blank, the driver attempts to set them using an offset of 0xFFFF which can cause a memory corruption or panic. This patch fixes the panic and properly enables CAM. Reported-by: Daniel Palmer Signed-off-by: Chris Brandt Acked-by: Sergei Shtylyov Signed-off-by: David S. Miller drivers/net/ethernet/renesas/sh_eth.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 4af2ff91ec3f42b538a65cf12df5f9faf6aaa914 Author: Hans de Goede Date: Wed Sep 7 19:32:14 2016 -0700 Input: silead_gsl1680 - use "silead/" prefix for firmware loading The silead touch-controller ICs use a different firmware per digitizer / tablet model. So there are going to be quite a few of then and they really should be under a separate subdir. This commit prefixes the default firmware names with "silead/" just like we are already doing for devicetree specified firmware names. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov drivers/input/touchscreen/silead.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) commit 43ba588346455dcc984dc98a49af1c2eb1e9aa75 Author: Hans de Goede Date: Wed Sep 7 19:25:37 2016 -0700 Input: silead_gsl1680 - document firmware-name, fix implementation The driver has supported touchscreen-fw-name to specify the firmware to load since it has been merged, but this was omitted from the dt-binding documentation. During review of adding touchscreen-fw-name to the binding documentation it was brought up that there is a standard property name called "firmware-name" for this, which should be used. Since there are no users of touchscreen-fw-name yet, this commit adds documentation of "firmware-name" to the dt-binding documentation and switches the driver over to use this. This commit also makes the driver add a "silead/" prefix to the firmware name from dt before calling request_firmware. That the firmware files are stored under /lib/firmware/silead under Linux is an implementation detail and does not belong in devicetree. Signed-off-by: Hans de Goede Acked-by: Rob Herring Signed-off-by: Dmitry Torokhov .../devicetree/bindings/input/touchscreen/silead_gsl1680.txt | 1 + drivers/input/touchscreen/silead.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) commit 98ac9a608dc79ba8a20cee77fe959a6dfccdaa63 Merge: b8db371 1e8b8d9 Author: Linus Torvalds Date: Sat Sep 10 09:58:52 2016 -0700 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: "nvdimm fixes for v4.8, two of them are tagged for -stable: - Fix devm_memremap_pages() to use track_pfn_insert(). Otherwise, DAX pmd mappings end up with an uncached pgprot, and unusable performance for the device-dax interface. The device-dax interface appeared in 4.7 so this is tagged for -stable. - Fix a couple VM_BUG_ON() checks in the show_smaps() path to understand DAX pmd entries. This fix is tagged for -stable. - Fix a mis-merge of the nfit machine-check handler to flip the polarity of an if() to match the final version of the patch that Vishal sent for 4.8-rc1. Without this the nfit machine check handler never detects / inserts new 'badblocks' entries which applications use to identify lost portions of files. - For test purposes, fix the nvdimm_clear_poison() path to operate on legacy / simulated nvdimm memory ranges. Without this fix a test can set badblocks, but never clear them on these ranges. - Fix the range checking done by dax_dev_pmd_fault(). This is not tagged for -stable since this problem is mitigated by specifying aligned resources at device-dax setup time. These patches have appeared in a next release over the past week. The recent rebase you can see in the timestamps was to drop an invalid fix as identified by the updated device-dax unit tests [1]. The -mm touches have an ack from Andrew" [1]: "[ndctl PATCH 0/3] device-dax test for recent kernel bugs" https://lists.01.org/pipermail/linux-nvdimm/2016-September/006855.html * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: libnvdimm: allow legacy (e820) pmem region to clear bad blocks nfit, mce: Fix SPA matching logic in MCE handler mm: fix cache mode of dax pmd mappings mm: fix show_smap() for zone_device-pmd ranges dax: fix mapping size check commit b8db3714d7479881e23de20735f60f1733723241 Merge: 6905732 cbfff43 Author: Linus Torvalds Date: Sat Sep 10 09:43:10 2016 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Mostly driver bugfixes, but also a few cleanups which are nice to have out of the way" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: rk3x: Restore clock settings at resume time i2c: Spelling s/acknowedge/acknowledge/ i2c: designware: save the preset value of DW_IC_SDA_HOLD Documentation: i2c: slave-interface: add note for driver development i2c: mux: demux-pinctrl: run properly with multiple instances i2c: bcm-kona: fix inconsistent indenting i2c: rcar: use proper device with dma_mapping_error i2c: sh_mobile: use proper device with dma_mapping_error i2c: mux: demux-pinctrl: invalidate properly when switching fails commit 6905732c80bc7f85602abbe27f7bdc3fe81f56d0 Merge: d0acc7d ba63f23 Author: Linus Torvalds Date: Sat Sep 10 09:18:33 2016 -0700 Merge tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull fscrypto fixes fromTed Ts'o: "Fix some brown-paper-bag bugs for fscrypto, including one one which allows a malicious user to set an encryption policy on an empty directory which they do not own" * tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: fscrypto: require write access to mount to set encryption policy fscrypto: only allow setting encryption policy on directories fscrypto: add authorization check for setting encryption policy commit 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 Author: Peter Zijlstra Date: Wed Sep 7 14:42:55 2016 +0200 perf/x86/intel: Fix PEBSv3 record drain Alexander hit the WARN_ON_ONCE(!event) on his Skylake while running the perf fuzzer. This means the PEBSv3 record included a status bit for an inactive event, something that _should_ not happen. Move the code that filters the status bits against our known PEBS events up a spot to guarantee we only deal with events we know about. Further add "continue" statements to the WARN_ON_ONCE()s such that we'll not die nor generate silly events in case we ever do hit them again. Reported-by: Alexander Shishkin Tested-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Kan Liang Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org Fixes: a3d86542de88 ("perf/x86/intel/pebs: Add PEBSv3 decoding") Signed-off-by: Ingo Molnar arch/x86/events/intel/ds.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) commit ef9ef3befa0d76008e988a9ed9fe439e803351b9 Author: Alexander Shishkin Date: Tue Sep 6 16:23:53 2016 +0300 perf/x86/intel/bts: Kill a silly warning At the moment, intel_bts will WARN() out if there is more than one event writing to the same ring buffer, via SET_OUTPUT, and will only send data from one event to a buffer. There is no reason to have this warning in, so kill it. Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-6-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 2 -- 1 file changed, 2 deletions(-) commit 4d4c474124649198d9b0a065c06f9362cf18e14e Author: Alexander Shishkin Date: Tue Sep 6 16:23:52 2016 +0300 perf/x86/intel/bts: Fix BTS PMI detection Since BTS doesn't have a dedicated PMI status bit, the driver needs to take extra care to check for the condition that triggers it to avoid spurious NMI warnings. Regardless of the local BTS context state, the only way of knowing that the NMI is ours is to compare the write pointer against the interrupt threshold. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-5-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit a9a94401c2b5805c71e39427b1af1bf1b9f67cd0 Author: Alexander Shishkin Date: Tue Sep 6 16:23:51 2016 +0300 perf/x86/intel/bts: Fix confused ordering of PMU callbacks The intel_bts driver is using a CPU-local 'started' variable to order callbacks and PMIs and make sure that AUX transactions don't get messed up. However, the ordering rules in regard to this variable is a complete mess, which recently resulted in perf_fuzzer-triggered warnings and panics. The general ordering rule that is patch is enforcing is that this cpu-local variable be set only when the cpu-local AUX transaction is active; consequently, this variable is to be checked before the AUX related bits can be touched. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 104 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 80 insertions(+), 24 deletions(-) commit b79ccadd6bb10e72cf784a298ca6dc1398eb9a24 Author: Alexander Shishkin Date: Tue Sep 6 16:23:50 2016 +0300 perf/core: Fix aux_mmap_count vs aux_refcount order The order of accesses to ring buffer's aux_mmap_count and aux_refcount has to be preserved across the users, namely perf_mmap_close() and perf_aux_output_begin(), otherwise the inversion can result in the latter holding the last reference to the aux buffer and subsequently free'ing it in atomic context, triggering a warning. > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 257 at kernel/events/ring_buffer.c:541 __rb_free_aux+0x11a/0x130 > CPU: 0 PID: 257 Comm: stopbug Not tainted 4.8.0-rc1+ #2596 > Call Trace: > [] __warn+0xcb/0xf0 > [] warn_slowpath_null+0x1d/0x20 > [] __rb_free_aux+0x11a/0x130 > [] rb_free_aux+0x18/0x20 > [] perf_aux_output_begin+0x163/0x1e0 > [] bts_event_start+0x3a/0xd0 > [] bts_event_add+0x5d/0x80 > [] event_sched_in.isra.104+0xf6/0x2f0 > [] group_sched_in+0x6e/0x190 > [] ctx_sched_in+0x2fe/0x5f0 > [] perf_event_sched_in+0x60/0x80 > [] ctx_resched+0x5b/0x90 > [] __perf_event_enable+0x1e1/0x240 > [] event_function+0xa9/0x180 > [] ? perf_cgroup_attach+0x70/0x70 > [] remote_function+0x3f/0x50 > [] flush_smp_call_function_queue+0x83/0x150 > [] generic_smp_call_function_single_interrupt+0x13/0x60 > [] smp_call_function_single_interrupt+0x27/0x40 > [] call_function_single_interrupt+0x89/0x90 > [] finish_task_switch+0xa6/0x210 > [] ? finish_task_switch+0x67/0x210 > [] __schedule+0x3dd/0xb50 > [] schedule+0x35/0x80 > [] sys_sched_yield+0x61/0x70 > [] entry_SYSCALL_64_fastpath+0x18/0xa8 > ---[ end trace 6235f556f5ea83a9 ]--- This patch puts the checks in perf_aux_output_begin() in the same order as that of perf_mmap_close(). Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/ring_buffer.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit 767ae08678c2c796bcd7f582ee457aee20a28a1e Author: Alexander Shishkin Date: Tue Sep 6 16:23:49 2016 +0300 perf/core: Fix a race between mmap_close() and set_output() of AUX events In the mmap_close() path we need to stop all the AUX events that are writing data to the AUX area that we are unmapping, before we can safely free the pages. To determine if an event needs to be stopped, we're comparing its ->rb against the one that's getting unmapped. However, a SET_OUTPUT ioctl may turn up inside an AUX transaction and swizzle event::rb to some other ring buffer, but the transaction will keep writing data to the old ring buffer until the event gets scheduled out. At this point, mmap_close() will skip over such an event and will proceed to free the AUX area, while it's still being used by this event, which will set off a warning in the mmap_close() path and cause a memory corruption. To avoid this, always stop an AUX event before its ->rb is updated; this will release the (potentially) last reference on the AUX area of the buffer. If the event gets restarted, its new ring buffer will be used. If another SET_OUTPUT comes and switches it back to the old ring buffer that's getting unmapped, it's also fine: this ring buffer's aux_mmap_count will be zero and AUX transactions won't start any more. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/core.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) commit ba63f23d69a3a10e7e527a02702023da68ef8a6d Author: Eric Biggers Date: Thu Sep 8 14:20:38 2016 -0700 fscrypto: require write access to mount to set encryption policy Since setting an encryption policy requires writing metadata to the filesystem, it should be guarded by mnt_want_write/mnt_drop_write. Otherwise, a user could cause a write to a frozen or readonly filesystem. This was handled correctly by f2fs but not by ext4. Make fscrypt_process_policy() handle it rather than relying on the filesystem to get it right. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs} Signed-off-by: Theodore Ts'o Acked-by: Jaegeuk Kim fs/crypto/policy.c | 38 +++++++++++++++++++++++++------------- fs/ext4/ioctl.c | 2 +- fs/f2fs/file.c | 9 +-------- include/linux/fscrypto.h | 5 ++--- 4 files changed, 29 insertions(+), 25 deletions(-) commit 348c1bfa84dfc47da1f1234b7f2bf09fa798edea Author: Sachin Prabhu Date: Fri Jul 29 22:38:21 2016 +0100 Move check for prefix path to within cifs_get_root() Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/cifsfs.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) commit c1d8b24d18192764fe82067ec6aa8d4c3bf094e0 Author: Sachin Prabhu Date: Fri Jul 29 22:38:20 2016 +0100 Compare prepaths when comparing superblocks The patch fs/cifs: make share unaccessible at root level mountable makes use of prepaths when any component of the underlying path is inaccessible. When mounting 2 separate shares having different prepaths but are other wise similar in other respects, we end up sharing superblocks when we shouldn't be doing so. Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/connect.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) commit 4214ebf4654798309364d0c678b799e402f38288 Author: Sachin Prabhu Date: Fri Jul 29 22:38:19 2016 +0100 Fix memory leaks in cifs_do_mount() Fix memory leaks introduced by the patch fs/cifs: make share unaccessible at root level mountable Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb(). Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/cifsfs.c | 20 ++++++++------------ fs/cifs/cifsproto.h | 2 +- fs/cifs/connect.c | 10 +++++++++- 3 files changed, 18 insertions(+), 14 deletions(-) commit 002ced4be6429918800ce3e41d5cbc2d7c01822c Author: Eric Biggers Date: Thu Sep 8 11:36:39 2016 -0700 fscrypto: only allow setting encryption policy on directories The FS_IOC_SET_ENCRYPTION_POLICY ioctl allowed setting an encryption policy on nondirectory files. This was unintentional, and in the case of nonempty regular files did not behave as expected because existing data was not actually encrypted by the ioctl. In the case of ext4, the user could also trigger filesystem errors in ->empty_dir(), e.g. due to mismatched "directory" checksums when the kernel incorrectly tried to interpret a regular file as a directory. This bug affected ext4 with kernels v4.8-rc1 or later and f2fs with kernels v4.6 and later. It appears that older kernels only permitted directories and that the check was accidentally lost during the refactoring to share the file encryption code between ext4 and f2fs. This patch restores the !S_ISDIR() check that was present in older kernels. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org Signed-off-by: Theodore Ts'o fs/crypto/policy.c | 2 ++ 1 file changed, 2 insertions(+) commit 163ae1c6ad6299b19e22b4a35d5ab24a89791a98 Author: Eric Biggers Date: Thu Sep 8 10:57:08 2016 -0700 fscrypto: add authorization check for setting encryption policy On an ext4 or f2fs filesystem with file encryption supported, a user could set an encryption policy on any empty directory(*) to which they had readonly access. This is obviously problematic, since such a directory might be owned by another user and the new encryption policy would prevent that other user from creating files in their own directory (for example). Fix this by requiring inode_owner_or_capable() permission to set an encryption policy. This means that either the caller must own the file, or the caller must have the capability CAP_FOWNER. (*) Or also on any regular file, for f2fs v4.6 and later and ext4 v4.8-rc1 and later; a separate bug fix is coming for that. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs} Signed-off-by: Theodore Ts'o fs/crypto/policy.c | 3 +++ 1 file changed, 3 insertions(+) commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c Author: Karl Beldan Date: Mon Aug 29 07:45:49 2016 +0000 mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl This fixes subpage writes when using 4-bit HW ECC. There has been numerous reports about ECC errors with devices using this driver for a while. Also the 4-bit ECC has been reported as broken with subpages in [1] and with 16 bits NANDs in the driver and in mach* board files both in mainline and in the vendor BSPs. What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to try reinitializing the ECC engine: - R/W on whole pages properly generates/checks RS code - try writing the 1st subpage only of a blank page, the subpage is well written and the RS code properly generated, re-reading the same page the HW detects some ECC error, reading the same page again no ECC error is detected Note that the ECC engine is already reinitialized in the 1-bit case. Tested on my LCDK with UBI+UBIFS using subpages. This could potentially get rid of the issue workarounded in [1]. [1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand") Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage") Cc: Signed-off-by: Karl Beldan Acked-by: Boris Brezillon Signed-off-by: Brian Norris drivers/mtd/nand/davinci_nand.c | 3 +++ 1 file changed, 3 insertions(+) commit c2f57fb97da5730509a50e316f353d3da17f6c25 Author: Jean Delvare Date: Thu Sep 8 16:25:15 2016 +0200 drivers: net: phy: mdio-xgene: Add hardware dependency The mdio-xgene driver is only useful on X-Gene SoC. Signed-off-by: Jean Delvare Cc: Iyappan Subramanian Cc: David S. Miller Acked-by: Iyappan Subramanian Signed-off-by: David S. Miller drivers/net/phy/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 0808a29a20322873fbfd3f7b4093ae92d0018e65 Merge: 47b02f7 a071412 Author: David S. Miller Date: Fri Sep 9 19:21:07 2016 -0700 Merge tag 'wireless-drivers-for-davem-2016-09-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 iwlwifi * fix P2P dump trigger * prevent a potential null dereference in iwlmvm * prevent an uninitialized value from being returned in iwlmvm * advertise support for channel width change in AP mode ath10k * fix racy rx status retrieval from htt context * QCA9887 support is not experimental anymore, remove the warning message ath9k * fix regression with led GPIOs * fix AR5416 GPIO access warning brcmfmac * avoid potential stack overflow in brcmf_cfg80211_start_ap() ==================== Signed-off-by: David S. Miller commit 47b02f7294a483387772a46931da942b2ca9d845 Author: Lars Persson Date: Thu Sep 8 13:24:21 2016 +0200 dwc_eth_qos: do not register semi-initialized device We move register_netdev() to the end of dwceqos_probe() to close any races where the netdev callbacks are called before the initialization has finished. Reported-by: Pavel Andrianov Signed-off-by: Lars Persson Signed-off-by: David S. Miller drivers/net/ethernet/synopsys/dwc_eth_qos.c | 38 ++++++++++++++--------------- 1 file changed, 18 insertions(+), 20 deletions(-) commit 7303a1475008bee5c3e82a06a282568415690d72 Author: Marcelo Ricardo Leitner Date: Thu Sep 8 17:54:11 2016 +0800 sctp: identify chunks that need to be fragmented at IP level Previously, without GSO, it was easy to identify it: if the chunk didn't fit and there was no data chunk in the packet yet, we could fragment at IP level. So if there was an auth chunk and we were bundling a big data chunk, it would fragment regardless of the size of the auth chunk. This also works for the context of PMTU reductions. But with GSO, we cannot distinguish such PMTU events anymore, as the packet is allowed to exceed PMTU. So we need another check: to ensure that the chunk that we are adding, actually fits the current PMTU. If it doesn't, trigger a flush and let it be fragmented at IP level in the next round. Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/output.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) commit 1e8b8d9619f9476e94f32eb20cab000d50d236aa Author: Dave Jiang Date: Fri Sep 9 09:10:08 2016 -0700 libnvdimm: allow legacy (e820) pmem region to clear bad blocks Bad blocks can be injected via /sys/block/pmemN/badblocks. In a situation where legacy pmem is being used or a pmem region created by using memmap kernel parameter, the injected bad blocks are not cleared due to nvdimm_clear_poison() failing from lack of ndctl function pointer. In this case we need to just return as handled and allow the bad blocks to be cleared rather than fail. Reviewed-by: Vishal Verma Signed-off-by: Dave Jiang Signed-off-by: Dan Williams drivers/nvdimm/bus.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 2e21807d4b131dfd4a8e5c82116a85b62f28aeec Author: Vishal Verma Date: Fri Sep 2 17:27:30 2016 -0600 nfit, mce: Fix SPA matching logic in MCE handler The check for a 'pmem' type SPA in the MCE handler was inverted due to a merge/rebase error. Fixes: 6839a6d nfit: do an ARS scrub on hitting a latent media error Cc: linux-acpi@vger.kernel.org Cc: Dan Williams Signed-off-by: Vishal Verma Signed-off-by: Dan Williams drivers/acpi/nfit/mce.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9049771f7d5490a302589976984810064c83ab40 Author: Dan Williams Date: Wed Sep 7 08:51:21 2016 -0700 mm: fix cache mode of dax pmd mappings track_pfn_insert() in vmf_insert_pfn_pmd() is marking dax mappings as uncacheable rendering them impractical for application usage. DAX-pte mappings are cached and the goal of establishing DAX-pmd mappings is to attain more performance, not dramatically less (3 orders of magnitude). track_pfn_insert() relies on a previous call to reserve_memtype() to establish the expected page_cache_mode for the range. While memremap() arranges for reserve_memtype() to be called, devm_memremap_pages() does not. So, teach track_pfn_insert() and untrack_pfn() how to handle tracking without a vma, and arrange for devm_memremap_pages() to establish the write-back-cache reservation in the memtype tree. Cc: Cc: Matthew Wilcox Cc: Ross Zwisler Cc: Nilesh Choudhury Cc: Kirill A. Shutemov Reported-by: Toshi Kani Reported-by: Kai Zhang Acked-by: Andrew Morton Signed-off-by: Dan Williams arch/x86/mm/pat.c | 17 ++++++++++------- kernel/memremap.c | 9 +++++++++ 2 files changed, 19 insertions(+), 7 deletions(-) commit ca120cf688874f4423e579e7cc5ddf7244aeca45 Author: Dan Williams Date: Sat Sep 3 10:38:03 2016 -0700 mm: fix show_smap() for zone_device-pmd ranges Attempting to dump /proc//smaps for a process with pmd dax mappings currently results in the following VM_BUG_ONs: kernel BUG at mm/huge_memory.c:1105! task: ffff88045f16b140 task.stack: ffff88045be14000 RIP: 0010:[] [] follow_trans_huge_pmd+0x2cb/0x340 [..] Call Trace: [] smaps_pte_range+0xa0/0x4b0 [] ? vsnprintf+0x255/0x4c0 [] __walk_page_range+0x1fe/0x4d0 [] walk_page_vma+0x62/0x80 [] show_smap+0xa6/0x2b0 kernel BUG at fs/proc/task_mmu.c:585! RIP: 0010:[] [] smaps_pte_range+0x499/0x4b0 Call Trace: [] ? vsnprintf+0x255/0x4c0 [] __walk_page_range+0x1fe/0x4d0 [] walk_page_vma+0x62/0x80 [] show_smap+0xa6/0x2b0 These locations are sanity checking page flags that must be set for an anonymous transparent huge page, but are not set for the zone_device pages associated with dax mappings. Cc: Ross Zwisler Cc: Kirill A. Shutemov Acked-by: Andrew Morton Signed-off-by: Dan Williams fs/proc/task_mmu.c | 2 ++ mm/huge_memory.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) commit 1b672f5fefa80bfcb8d11df1d7ee1cb1bb4f4fb4 Merge: 2c2c8e3 3247ff2 Author: David S. Miller Date: Fri Sep 9 16:56:54 2016 -0700 Merge branch 'mlxsw-fixes' Jiri Pirko says: ==================== mlxsw: couple of fixes Couple of fixes from Ido and myself. ==================== Signed-off-by: David S. Miller commit 3247ff2b318f3eeaaf32163ce39ddaac23e9a6f9 Author: Ido Schimmel Date: Thu Sep 8 08:16:02 2016 +0200 mlxsw: spectrum: Set port type before setting its address During port init, we currently set the port's type to Ethernet after setting its MAC address. However, the hardware documentation states this should be the other way around. Align the driver with the hardware documentation and set the port's MAC address after setting its type. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) commit 40d259045500c6431633f215516c1f94bac8c62f Author: Jiri Pirko Date: Thu Sep 8 08:16:01 2016 +0200 mlxsw: spectrum_router: Fix error path in mlxsw_sp_router_init When neigh_init fails, we have to do proper cleanup including router_fini call. Fixes: 6cf3c971dc84cb ("mlxsw: spectrum_router: Add private neigh table") Signed-off-by: Jiri Pirko Acked-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 Author: Al Viro Date: Wed Aug 17 16:36:37 2016 -0400 asm-generic: make copy_from_user() zero the destination properly ... in all cases, including the failing access_ok() Note that some architectures using asm-generic/uaccess.h have __copy_from_user() not zeroing the tail on failure halfway through. This variant works either way. Cc: stable@vger.kernel.org Signed-off-by: Al Viro include/asm-generic/uaccess.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 2561d309dfd1555e781484af757ed0115035ddb3 Author: Al Viro Date: Wed Aug 17 16:02:32 2016 -0400 alpha: fix copy_from_user() it should clear the destination even when access_ok() fails. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/alpha/include/asm/uaccess.h | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) commit 7d762e49c2117d3829eb3355f2617aea080ed3a7 Author: Sebastian Andrzej Siewior Date: Fri Sep 9 18:08:23 2016 +0200 perf/x86/amd/uncore: Prevent use after free The resent conversion of the cpu hotplug support in the uncore driver introduced a regression due to the way the callbacks are invoked at initialization time. The old code called the prepare/starting/online function on each online cpu as a block. The new code registers the hotplug callbacks in the core for each state. The core invokes the callbacks at each registration on all online cpus. The code implicitely relied on the prepare/starting/online callbacks being called as combo on a particular cpu, which was not obvious and completely undocumented. The resulting subtle wreckage happens due to the way how the uncore code manages shared data structures for cpus which share an uncore resource in hardware. The sharing is determined in the cpu starting callback, but the prepare callback allocates per cpu data for the upcoming cpu because potential sharing is unknown at this point. If the starting callback finds a online cpu which shares the hardware resource it takes a refcount on the percpu data of that cpu and puts the own data structure into a 'free_at_online' pointer of that shared data structure. The online callback frees that. With the old model this worked because in a starting callback only one non unused structure (the one of the starting cpu) was available. The new code allocates the data structures for all cpus when the prepare callback is registered. Now the starting function iterates through all online cpus and looks for a data structure (skipping its own) which has a matching hardware id. The id member of the data structure is initialized to 0, but the hardware id can be 0 as well. The resulting wreckage is: CPU0 finds a matching id on CPU1, takes a refcount on CPU1 data and puts its own data structure into CPU1s data structure to be freed. CPU1 skips CPU0 because the data structure is its allegedly unsued own. It finds a matching id on CPU2, takes a refcount on CPU1 data and puts its own data structure into CPU2s data structure to be freed. .... Now the online callbacks are invoked. CPU0 has a pointer to CPU1s data and frees the original CPU0 data. So far so good. CPU1 has a pointer to CPU2s data and frees the original CPU1 data, which is still referenced by CPU0 ---> Booom So there are two issues to be solved here: 1) The id field must be initialized at allocation time to a value which cannot be a valid hardware id, i.e. -1 This prevents the above scenario, but now CPU1 and CPU2 both stick their own data structure into the free_at_online pointer of CPU0. So we leak CPU1s data structure. 2) Fix the memory leak described in #1 Instead of having a single pointer, use a hlist to enqueue the superflous data structures which are then freed by the first cpu invoking the online callback. Ideally we should know the sharing _before_ invoking the prepare callback, but that's way beyond the scope of this bug fix. [ tglx: Rewrote changelog ] Fixes: 96b2bd3866a0 ("perf/x86/amd/uncore: Convert to hotplug state machine") Reported-and-tested-by: Eric Sandeen Signed-off-by: Sebastian Andrzej Siewior Cc: Borislav Petkov Link: http://lkml.kernel.org/r/20160909160822.lowgmkdwms2dheyv@linutronix.de Signed-off-by: Thomas Gleixner arch/x86/events/amd/uncore.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) commit d0acc7dfd90eb97e90ccd42a567034017ec60fb8 Merge: daf6b9b 5e59d9a Author: Linus Torvalds Date: Fri Sep 9 14:52:05 2016 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "This includes a couple of bugfixs for virtio. The virtio console patch is actually also in x86/tip targeting 4.9 because it helps vmap stacks, but it also fixes IOMMU_PLATFORM which was added in 4.8, and it seems important not to ship that in a broken configuration" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_console: Stop doing DMA on the stack virtio: mark vring_dma_dev() static commit daf6b9b68fca57effe3fcf74a8528f17516c420f Merge: c4a6c70 8a2a835 Author: Linus Torvalds Date: Fri Sep 9 14:47:41 2016 -0700 Merge tag 'pm-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "This includes a PM QoS framework fix from Tejun to prevent interrupts from being enabled unexpectedly during early boot and a cpufreq documentation fix. Specifics: - If the PM QoS framework invokes cancel_delayed_work_sync() during early boot, it will enable interrupts which is not expected at that point, so prevent it from happening (Tejun Heo) - Fix cpufreq statistic documentation to follow a recent change in behavior that forgot to update it as appropriate (Jean Delvare)" * tag 'pm-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq-stats: Minor documentation fix PM / QoS: avoid calling cancel_delayed_work_sync() during early boot commit 8a2a835bbcaa6af0ec659606d3eabc23ccaaab80 Merge: c86d06b 3732b30 Author: Rafael J. Wysocki Date: Fri Sep 9 22:34:16 2016 +0200 Merge branches 'pm-core-fixes' and 'pm-cpufreq-fixes' * pm-core-fixes: PM / QoS: avoid calling cancel_delayed_work_sync() during early boot * pm-cpufreq-fixes: cpufreq-stats: Minor documentation fix commit c4a6c70f93638821519047ba751b0145f7a9f90b Merge: 6dc728c 56beac9 Author: Linus Torvalds Date: Fri Sep 9 13:09:50 2016 -0700 Merge tag 'gpio-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Some GPIO fixes that have been boiling the last two weeks or so. Nothing special, I'm trying to sort out some Kconfig business and Russell needs a fix in for -his SA1100 rework. Summary: - Revert a pointless attempt to add an include to solve the UM allyes compilation problem. - Make the mcp23s08 depend on OF_GPIO as it uses it and doesn't compile properly without it. - Fix a probing problem for ucb1x00" * tag 'gpio-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: sa1100: fix irq probing for ucb1x00 gpio: mcp23s08: make driver depend on OF_GPIO Revert "gpio: include in gpiolib-of" commit 6dc728ccd3c9db64d5a1fd2930ccb9bcfdf20f67 Merge: 5c44ad6 8fba54a Author: Linus Torvalds Date: Fri Sep 9 13:00:41 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fix from Miklos Szeredi: "This fixes a deadlock when fuse, direct I/O and loop device are combined" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: direct-io: don't dirty ITER_BVEC pages commit 5c44ad6a35a9818039e301be289a1bb7ae77613e Merge: f4a9c16 e1ff3dd Author: Linus Torvalds Date: Fri Sep 9 12:56:28 2016 -0700 Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fix from Miklos Szeredi: "This fixes a regression caused by the last pull request" * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: fix workdir creation commit f4a9c169c29efea31b22aec0012ad29df6cf84d4 Merge: 067c2f4 b7f3c7d Author: Linus Torvalds Date: Fri Sep 9 12:52:31 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "I'm not proud of how long it took me to track down that one liner in btrfs_sync_log(), but the good news is the patches I was trying to blame for these problems were actually fine (sorry Filipe)" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns btrfs: do not decrease bytes_may_use when replaying extents commit ea90383837334bcebe842e719ad4d8c966f4ef51 Author: Baoyou Xie Date: Thu Sep 8 19:03:20 2016 +0800 drm/vc4: mark vc4_bo_cache_purge() static We get 1 warning when building kernel with W=1: drivers/gpu/drm/vc4/vc4_bo.c:147:6: warning: no previous prototype for 'vc4_bo_cache_purge' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. So this patch marks it 'static'. Signed-off-by: Baoyou Xie Signed-off-by: Eric Anholt drivers/gpu/drm/vc4/vc4_bo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 067c2f472d81b8b235176ce8e2cb221c4edc1a9e Merge: e45eeb4 816f318 Author: Linus Torvalds Date: Fri Sep 9 12:02:46 2016 -0700 Merge tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "We've got quite a few fixes at this time, and all are stable patches. syzkaller strikes back again (episode 19 or so), and we had to plug some holes in ALSA core part (mostly timer). In addition, a couple of FireWire audio fixes for the invalid copy user calls in locks, and a few quirks for HD-audio and USB-audio as usual are included" * tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: rawmidi: Fix possible deadlock with virmidi registration ALSA: timer: Fix zero-division by continue of uninitialized instance ALSA: timer: fix NULL pointer dereference in read()/ioctl() race ALSA: fireworks: accessing to user space outside spinlock ALSA: firewire-tascam: accessing to user space outside spinlock ALSA: hda - Enable subwoofer on Dell Inspiron 7559 ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 ALSA: timer: fix NULL pointer dereference on memory allocation failure ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE commit 5e59d9a1aed26abcc79abe78af5cfd34e53cbe7f Author: Andy Lutomirski Date: Tue Aug 30 08:04:15 2016 -0700 virtio_console: Stop doing DMA on the stack virtio_console uses a small DMA buffer for control requests. Move that buffer into heap memory. Doing virtio DMA on the stack is normally okay on non-DMA-API virtio systems (which is currently most of them), but it breaks completely if the stack is virtually mapped. Tested by typing both directions using picocom aimed at /dev/hvc0. Signed-off-by: Andy Lutomirski Signed-off-by: Michael S. Tsirkin Reviewed-by: Amit Shah drivers/char/virtio_console.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) commit af7c1beccfd98bad752644dc14ea93805d65b2c9 Author: Baoyou Xie Date: Thu Sep 1 19:02:57 2016 +0800 virtio: mark vring_dma_dev() static We get 1 warning when building kernel with W=1: drivers/virtio/virtio_ring.c:170:16: warning: no previous prototype for 'vring_dma_dev' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. so this patch marks this function with 'static'. Signed-off-by: Baoyou Xie Acked-by: Arnd Bergmann Signed-off-by: Michael S. Tsirkin drivers/virtio/virtio_ring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c94455558337eece474eebb6a16b905f98930418 Author: Shaohua Li Date: Thu Sep 8 10:43:58 2016 -0700 raid5: fix a small race condition commit 5f9d1fde7d54a5(raid5: fix memory leak of bio integrity data) moves bio_reset to bio_endio. But it introduces a small race condition. It does bio_reset after raid5_release_stripe, which could make the stripe reusable and hence reuse the bio just before bio_reset. Moving bio_reset before raid5_release_stripe is called should fix the race. Reported-and-tested-by: Stefan Priebe - Profihost AG Signed-off-by: Shaohua Li drivers/md/raid5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e45eeb43e67669f130c270a325383769d5fd73e2 Merge: 2771fc8 2b97434 Author: Linus Torvalds Date: Fri Sep 9 10:54:29 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - smp_mb__before_spinlock() changed to smp_mb() on arm64 since the generic definition to smp_wmb() is not sufficient - avoid a recursive loop with the graph tracer by using using preempt_(enable|disable)_notrace in _percpu_(read|write) * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: use preempt_disable_notrace in _percpu_read/write arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() commit 56fe27beeb158e2046c10df0d5eb8292ecaf78c0 Merge: d31449a 78567f1 Author: Arnd Bergmann Date: Fri Sep 9 17:58:40 2016 +0200 Merge tag 'sti-dt-fixes-for-v4.8-rcs' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti into fixes Pull "Handle STiH410 interconnect clock required for EHCI/OHCI and SDHCI" from Patrice Chotard: With the introduction of critical-clock support in v4.8, our developers' default configuration is to run with 'clk_ignore_unused' removed. This patch-set ensures they can achieve successful boot when a) booting from an SD Card and when b) booting using USB->Eth adaptors for NFS booting. * tag 'sti-dt-fixes-for-v4.8-rcs' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) commit d31449a59aa3da72639ff24f8a4fde2d10af8898 Merge: 76aa759 c2f3211 Author: Arnd Bergmann Date: Fri Sep 9 17:56:40 2016 +0200 Merge tag 'renesas-fixes-for-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes Merge "Renesas ARM Based SoC Fixes for v4.8" from Simon Horman: * Correct R-Car Gen2 regulator quirk * tag 'renesas-fixes-for-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas: ARM: shmobile: fix regulator quirk for Gen2 commit 76aa7591688001839ec9ca838041f2d55d49ab92 Author: Ian Campbell Date: Wed Aug 3 15:12:45 2016 +0100 ARM64: dts: bcm: Use a symlink to R-Pi dtsi files from arch=arm The ../../../arm... style cross-references added by commit 9d56c22a7861 ("ARM: bcm2835: Add devicetree for the Raspberry Pi 3.") do not work in the context of the split device-tree repository[0] (where the directory structure differs). As with commit 8ee57b8182c4 ("ARM64: dts: vexpress: Use a symlink to vexpress-v2m-rs1.dtsi from arch=arm") use symlinks instead. [0] https://git.kernel.org/cgit/linux/kernel/git/devicetree/devicetree-rebasing.git/ Signed-off-by: Ian Campbell Acked-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: Rob Herring Cc: Frank Rowand Cc: Eric Anholt Cc: Stephen Warren Cc: Lee Jones Cc: Gerd Hoffmann Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-rpi-kernel@lists.infradead.org Cc: arm@kernel.org Signed-off-by: Arnd Bergmann arch/arm64/boot/dts/broadcom/bcm2835-rpi.dtsi | 1 + arch/arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dts | 4 ++-- arch/arm64/boot/dts/broadcom/bcm2837.dtsi | 2 +- arch/arm64/boot/dts/broadcom/bcm283x-rpi-smsc9514.dtsi | 1 + arch/arm64/boot/dts/broadcom/bcm283x.dtsi | 1 + 5 files changed, 6 insertions(+), 3 deletions(-) commit 6b7b554d34fdbc5dc9fae9d4ca9dd37f6346be3d Author: Ian Campbell Date: Wed Aug 3 15:12:44 2016 +0100 ARM: dts: Remove use of skeleton.dtsi from bcm283x.dtsi This file is included from DTS files under arch/arm64 too (via broadcom/bcm2837-rpi-3-b.dts and broadcom/bcm2837.dtsi). There is a desire not to have skeleton.dtsi for ARM64. See commit 3ebee5a2e141 ("arm64: dts: kill skeleton.dtsi") for rationale for its removal. As well as the addition of #*-cells also requires adding the device_type to the rpi memory node explicitly. Note that this change results in the removal of an empty /aliases node from bcm2835-rpi-a.dtb and bcm2835-rpi-a-plus.dtb. I have no hardware to check if this is a problem or not. It also results in some reordering of the nodes in the DTBs (the /aliases and /memory nodes come later). This isn't supposed to matter but, again, I've no hardware to check if it is true in this particular case. Signed-off-by: Ian Campbell Acked-by: Mark Rutland Tested-by: Stefan Wahren Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: Rob Herring Cc: Frank Rowand Cc: Eric Anholt Cc: Stephen Warren Cc: Lee Jones Cc: Gerd Hoffmann Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-rpi-kernel@lists.infradead.org Cc: arm@kernel.org Signed-off-by: Arnd Bergmann arch/arm/boot/dts/bcm2835-rpi.dtsi | 1 + arch/arm/boot/dts/bcm283x.dtsi | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) commit 27bd44e06cf4e6c51b985810e7c56147bc8d94d5 Merge: a4497a8 293f293 Author: Paolo Bonzini Date: Fri Sep 9 17:45:56 2016 +0200 Merge tag 'kvm-arm-fixes-for-v4.8-round2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm-master KVM/ARM Fixes for v4.8, round 2 Fixes an idmap issue on 32-bit KVM on ARM, and fixes a memory unmapping issue that we've had forever. commit 2771fc8ed60e43a0148a2f2c672a55b8f565f418 Merge: 53d5f1d f077aaf Author: Linus Torvalds Date: Fri Sep 9 08:43:42 2016 -0700 Merge tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Fixes marked for stable: - Don't alias user region to other regions below PAGE_OFFSET from Paul Mackerras - Fix again csum_partial_copy_generic() on 32-bit from Christophe Leroy - Fix corrupted PE allocation bitmap on releasing PE from Gavin Shan Fixes for code merged this cycle: - Fix crash on releasing compound PE from Gavin Shan - Fix processor numbers in OPAL ICP from Benjamin Herrenschmidt - Fix little endian build with CONFIG_KEXEC=n from Thiago Jung Bauermann" * tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET powerpc/32: Fix again csum_partial_copy_generic() powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE powerpc/powernv: Fix crash on releasing compound PE powerpc/xics/opal: Fix processor numbers in OPAL ICP powerpc/pseries: Fix little endian build with CONFIG_KEXEC=n commit 53d5f1dcd1f41a0deb2015724f4466f7dc138aed Merge: 711bef6 da60626 Author: Linus Torvalds Date: Fri Sep 9 08:32:10 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "A few ARM fixes: - Robin Murphy noticed that the non-secure privileged entry was relying on undefined behaviour, which needed to be fixed. - Vladimir Murzin noticed that prov-v7 fails to build for MMUless configurations because a required header file wasn't included. - A bunch of fixes for StrongARM regressions found while testing 4.8-rc on such platforms" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: sa1100: clear reset status prior to reboot ARM: 8600/1: Enforce some NS-SVC initialisation ARM: 8599/1: mm: pull asm/memory.h explicitly ARM: sa1100: register clocks early ARM: sa1100: fix 3.6864MHz clock commit 60815d4a78204915f5cdf79a536bc96d5d23ae5f Author: Hans Verkuil Date: Wed Aug 24 07:17:22 2016 -0300 [media] cec: fix ioctl return code when not registered Don't return the confusing -EIO error code when the device is not registered, instead return -ENODEV which is the proper thing to do in this situation. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a179b69359feb26ddb148bb6a2c0c53a8d1dc5be Author: Hans Verkuil Date: Wed Aug 24 05:36:53 2016 -0300 [media] cec: don't Feature Abort broadcast msgs when unregistered If the adapter is configured as 'Unregistered', then cec_receive_notify incorrectly thinks that broadcast messages are directed messages. The destination for broadcast messages is 0xf, and the logical address assigned to Unregistered devices is also 0xf and the logic didn't handle that correctly. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-adap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 6b98174b957ce87e0efe7c675d6cfd9e4c7a1912 Merge: 1b49dae 696118c Author: Greg Kroah-Hartman Date: Fri Sep 9 15:11:35 2016 +0200 Merge tag 'fixes-for-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: usb: fixes for v4.8-rc6 Unfortunately we have a bogus dwc3 patch leaked through the cracks and got merged into Linus' HEAD. That patch ended up causing off-by-1 error in our TRB accounting logic. Thankfully John Youn found out the problem and we provided a revert to the bogus dwc3 patch in no time. Apart from this off-by-1 error, we have two fixes to the Renesas drivers, a small fix to our generic phy driver, a NULL pointer dereference fix for f_eem and a build warning fix in dwc3. commit 1b49dae1ca65cd38221b28911ba08954627a2760 Merge: bcf42aa 6f3c4fb Author: Greg Kroah-Hartman Date: Fri Sep 9 13:47:20 2016 +0200 Merge tag 'usb-ci-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus Peter writes: Fix the possible kernel panic when the hardware signal is bad for chipidea udc. commit 72d508ad488a63678396cf1039fc5a65e04caa9e Merge: c693593 171c009 Author: Greg Kroah-Hartman Date: Fri Sep 9 13:44:37 2016 +0200 Merge tag 'iio-fixes-for-4.8b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: Second set of IIO fixes for the 4.8 cycle. We have a big rework of the kxsd9 driver queued up behind the fix below and a fix for a recent fix that was marked for stable. Hence this fix series is perhaps a little more urgent than average for IIO. * core - a fix for a fix in the last set. The recent fix for blocking ops when ! task running left a path (unlikely one) in which the function return value was not set - so initialise it to 0. - The IIO_TYPE_FRACTIONAL code previously didn't cope with negative fractions. Turned out a fix for this was in Analog's tree but hadn't made it upstream. * bmc150 - reset chip at init time. At least one board out there ends up coming up in an unstable state due to noise during power up. The reset does no harm on other boards. * kxsd9 - Fix a bug in the reported scaling due to failing to set the integer part to 0. * hid-sensors-pressure - Output was in the wrong units to comply with the IIO ABI. * tools - iio_generic_buffer: Fix the trigger-less mode by ensuring we don't fault out for having no trigger when we explicitly said we didn't want to have one. commit 2b9743441a312e0b0a2d87deae363eccbe9d0f00 Author: Chunyan Zhang Date: Thu Sep 8 20:46:42 2016 +0800 arm64: use preempt_disable_notrace in _percpu_read/write When debug preempt or preempt tracer is enabled, preempt_count_add/sub() can be traced by function and function graph tracing, and preempt_disable/enable() would call preempt_count_add/sub(), so in Ftrace subsystem we should use preempt_disable/enable_notrace instead. In the commit 345ddcc882d8 ("ftrace: Have set_ftrace_pid use the bitmap like events do") the function this_cpu_read() was added to trace_graph_entry(), and if this_cpu_read() calls preempt_disable(), graph tracer will go into a recursive loop, even if the tracing_on is disabled. So this patch change to use preempt_enable/disable_notrace instead in this_cpu_read(). Since Yonghui Yang helped a lot to find the root cause of this problem, so also add his SOB. Signed-off-by: Yonghui Yang Signed-off-by: Chunyan Zhang Acked-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/include/asm/percpu.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 872c63fbf9e153146b07f0cece4da0d70b283eeb Author: Will Deacon Date: Mon Sep 5 11:56:05 2016 +0100 arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation to a full barrier, such that prior stores are ordered with respect to loads and stores occuring inside the critical section. Unfortunately, the core code defines the barrier as smp_wmb(), which is insufficient to provide the required ordering guarantees when used in conjunction with our load-acquire-based spinlock implementation. This patch overrides the arm64 definition of smp_mb__before_spinlock() to map to a full smp_mb(). Cc: Cc: Peter Zijlstra Reported-by: Alan Stern Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/include/asm/spinlock.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 293f293637b55db4f9f522a5a72514e98a541076 Author: Suzuki K Poulose Date: Thu Sep 8 16:25:49 2016 +0100 kvm-arm: Unmap shadow pagetables properly On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when the userspace buffer gets unmapped. However, when the Hypervisor process exits without explicit unmap of the guest buffers, the only notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release ) which does nothing on arm. Later this causes us to access pages that were already released [via exit_mmap() -> unmap_vmas()] when we actually get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() -> kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC, which unmaps any free'd pages from the linear map. [ 757.644120] Unable to handle kernel paging request at virtual address ffff800661e00000 [ 757.652046] pgd = ffff20000b1a2000 [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003, *pmd=00000047fcc7c003, *pte=00e8004661e00712 [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP [ 757.672041] Modules linked in: [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D 4.8.0-rc1 #3 [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.15 Aug 19 2016 [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000 [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40 [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70 [ 757.708469] pc : [] lr : [] pstate: 20000145 ... [ 758.357249] [] __flush_dcache_area+0x1c/0x40 [ 758.363059] [] unmap_stage2_range+0x458/0x5f0 [ 758.368954] [] kvm_free_stage2_pgd+0x34/0x60 [ 758.374761] [] kvm_arch_destroy_vm+0x20/0x68 [ 758.380570] [] kvm_put_kvm+0x210/0x358 [ 758.385860] [] kvm_vm_release+0x2c/0x40 [ 758.391239] [] __fput+0x114/0x2e8 [ 758.396096] [] ____fput+0xc/0x18 [ 758.400869] [] task_work_run+0x108/0x138 [ 758.406332] [] do_exit+0x48c/0x10e8 [ 758.411363] [] do_group_exit+0x6c/0x130 [ 758.416739] [] get_signal+0x284/0xa18 [ 758.421943] [] do_signal+0x158/0x860 [ 758.427060] [] do_notify_resume+0x6c/0x88 [ 758.432608] [] work_pending+0x10/0x14 [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20) This patch fixes the issue by moving the kvm_free_stage2_pgd() to kvm_arch_flush_shadow_all(). Cc: # 3.9+ Tested-by: Itaru Kitayama Reported-by: Itaru Kitayama Reported-by: James Morse Cc: Marc Zyngier Cc: Catalin Marinas Cc: Christoffer Dall Signed-off-by: Suzuki K Poulose Signed-off-by: Christoffer Dall arch/arm/kvm/arm.c | 2 -- arch/arm/kvm/mmu.c | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Author: Clemens Gruber Date: Mon Sep 5 19:29:58 2016 +0200 usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase Problems with the signal integrity of the high speed USB data lines or noise on reference ground lines can cause the i.MX6 USB controller to violate USB specs and exhibit unexpected behavior. It was observed that USBi_UI interrupts were triggered first and when isr_setup_status_phase was called, ci->status was NULL, which lead to a NULL pointer dereference kernel panic. This patch fixes the kernel panic, emits a warning once and returns -EPIPE to halt the device and let the host get stalled. It also adds a comment to point people, who are experiencing this issue, to their USB hardware design. Cc: #4.1+ Signed-off-by: Clemens Gruber Signed-off-by: Peter Chen drivers/usb/chipidea/udc.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 1fb81e09d487656aa23f2acb1232c7f56b4c2367 Author: thomas.zeitlhofer+lkml@ze-it.at Date: Wed Sep 7 20:40:38 2016 +0200 vti: use right inner_mode for inbound inter address family policy checks In case of inter address family tunneling (IPv6 over vti4 or IPv4 over vti6), the inbound policy checks in vti_rcv_cb() and vti6_rcv_cb() are using the wrong address family. As a result, all inbound inter address family traffic is dropped. Use the xfrm_ip2inner_mode() helper, as done in xfrm_input() (i.e., also increment LINUX_MIB_XFRMINSTATEMODEERROR in case of error), to select the inner_mode that contains the right address family for the inbound policy checks. Signed-off-by: Thomas Zeitlhofer Signed-off-by: Steffen Klassert net/ipv4/ip_vti.c | 15 ++++++++++++++- net/ipv6/ip6_vti.c | 15 ++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a Author: Mathias Krause Date: Thu Sep 8 18:09:57 2016 +0200 xfrm_user: propagate sec ctx allocation errors When we fail to attach the security context in xfrm_state_construct() we'll return 0 as error value which, in turn, will wrongly claim success to userland when, in fact, we won't be adding / updating the XFRM state. This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()"). Fix it by propagating the error returned by security_xfrm_state_alloc() in this case. Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...") Signed-off-by: Mathias Krause Cc: Thomas Graf Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 2c2c8e33e4aa6e46f19ef7bba8e559759a74a4db Merge: db7196a ebecefc Author: David S. Miller Date: Thu Sep 8 17:18:42 2016 -0700 Merge branch 'nfp-fixes' Jakub Kicinski says: ==================== nfp: fixes and trivial cleanup First patch drops unnecessary version.h includes. Second one drops support for pre-release versions of FW ABI. Removing FW ABI 0.0 from supported set is particularly good since 0 could just be uninitialized memory. Last but not least I drop unnecessary padding of frames on RX which makes us count bytes incorrectly for the VF2VF traffic. ==================== Signed-off-by: David S. Miller commit ebecefc820ec791a216382a68b937577bb69d3f7 Author: Jakub Kicinski Date: Wed Sep 7 19:45:37 2016 +0100 nfp: don't pad frames on receive There is no need to pad frames to ETH_ZLEN on RX. Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 4 ---- 1 file changed, 4 deletions(-) commit 313b345cbff566340022c82267a377e1e493ef90 Author: Jakub Kicinski Date: Wed Sep 7 19:45:36 2016 +0100 nfp: drop support for old firmware ABIs Be more strict about FW versions. Drop support for old transitional revisions which were never used in production. Dropping support for FW ABI version 0.0.0.0 is particularly useful because 0 could just be uninitialized memory. Signed-off-by: Jakub Kicinski Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 312fada1f9f87fb55ace4b5a55a70a9eea5100fd Author: Jakub Kicinski Date: Wed Sep 7 19:45:35 2016 +0100 nfp: remove linux/version.h includes Remove unnecessary version.h includes. Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 1 - drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 1 - drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c | 1 - 3 files changed, 3 deletions(-) commit db7196a0d0984b933ccf2cd6a60e26abf466e8a3 Author: Artem Germanov Date: Wed Sep 7 10:49:36 2016 -0700 tcp: cwnd does not increase in TCP YeAH Commit 76174004a0f19785a328f40388e87e982bbf69b9 (tcp: do not slow start when cwnd equals ssthresh ) introduced regression in TCP YeAH. Using 100ms delay 1% loss virtual ethernet link kernel 4.2 shows bandwidth ~500KB/s for single TCP connection and kernel 4.3 and above (including 4.8-rc4) shows bandwidth ~100KB/s. That is caused by stalled cwnd when cwnd equals ssthresh. This patch fixes it by proper increasing cwnd in this case. Signed-off-by: Artem Germanov Acked-by: Dmitry Adamushko Signed-off-by: David S. Miller net/ipv4/tcp_yeah.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 81d1a366ff814211f3169e6b3e2c9eea682a679e Merge: 76061f6 cd17d23 Author: David S. Miller Date: Thu Sep 8 16:15:29 2016 -0700 Merge branch 'mlx5-fixes' Saeed Mahameed says: ==================== Mellanox 100G mlx5 fixes 2016-09-07 The following series contains bug fixes for the mlx5e driver. from Gal, - Static code checker cleanup (casting overflow) - Fix global PFC counter statistics reading - Fix HW LRO when vlan stripping is off From Bodong, - Deprecate old autoneg capability bit and use new one. From Tariq, - Fix xmit more counter race condition ==================== Signed-off-by: David S. Miller commit cd17d230dd060a12f7451c0caeedb3fd5158eaf9 Author: Gal Pressman Date: Wed Sep 7 19:08:01 2016 +0300 net/mlx5e: Fix parsing of vlan packets when updating lro header Currently vlan tagged packets were not parsed correctly and assumed to be regular IPv4/IPv6 packets. We should check for 802.1Q/802.1ad tags and update the lro header accordingly. This fixes the use case where LRO is on and rxvlan is off (vlan stripping is off). Fixes: e586b3b0baee ('net/mlx5: Ethernet Datapath files') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) commit 4e39883d9c7426f8246ef86a32dc6a6f06f5aace Author: Gal Pressman Date: Wed Sep 7 19:08:00 2016 +0300 net/mlx5e: Fix global PFC counters replication Currently when reading global PFC statistics we left the counter iterator out of the equation and we ended up reading the same counter over and over again. Instead of reading the counter at index 0 on every iteration we now read the counter at index (i). Fixes: e989d5a532ce ('net/mlx5e: Expose flow control counters to ethtool') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7abc2110779b133e54ce681a4d0be3d89304eda1 Author: Gal Pressman Date: Wed Sep 7 19:07:59 2016 +0300 net/mlx5e: Prevent casting overflow On 64 bits architectures unsigned long is longer than u32, casting to unsigned long will result in overflow. We need to first allocate an unsigned long variable, then assign the wanted value. Fixes: 665bc53969d7 ('net/mlx5e: Use new ethtool get/set link ksettings API') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit e7e31ca43d6bedf1c551b1f9c7e78d51c9a45790 Author: Bodong Wang Date: Wed Sep 7 19:07:58 2016 +0300 net/mlx5e: Move an_disable_cap bit to a new position Previous an_disable_cap position bit31 is deprecated to be use in driver with newer firmware. New firmware will advertise the same capability in bit29. Old capability didn't allow setting more than one protocol for a specific speed when autoneg is off, while newer firmware will allow this and it is indicated in the new capability location. Signed-off-by: Bodong Wang Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller include/linux/mlx5/mlx5_ifc.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 0dbf657c3993a269fa0cd7dabbb9c02741d4aefa Author: Tariq Toukan Date: Wed Sep 7 19:07:57 2016 +0300 net/mlx5e: Fix xmit_more counter race issue Update the xmit_more counter before notifying the HW, to prevent a possible use-after-free of the skb. Fixes: c8cf78fe100b ("net/mlx5e: Add ethtool counter for TX xmit_more") Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 76061f631c2ea4ab9c4d66f3a96ecc5737f5aaf7 Author: Eric Dumazet Date: Wed Sep 7 08:34:11 2016 -0700 tcp: fastopen: avoid negative sk_forward_alloc When DATA and/or FIN are carried in a SYN/ACK message or SYN message, we append an skb in socket receive queue, but we forget to call sk_forced_mem_schedule(). Effect is that the socket has a negative sk->sk_forward_alloc as long as the message is not read by the application. Josh Hunt fixed a similar issue in commit d22e15371811 ("tcp: fix tcp fin memory accounting") Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: Eric Dumazet Reviewed-by: Josh Hunt Signed-off-by: David S. Miller net/ipv4/tcp_fastopen.c | 1 + 1 file changed, 1 insertion(+) commit 3732b30a7d88dc32bef76e117067fb397e811703 Author: Jean Delvare Date: Thu Sep 8 23:05:07 2016 +0200 cpufreq-stats: Minor documentation fix The cpufreq-stats code can no longer be built as a module, so it now appears with square brackets in menuconfig. Signed-off-by: Jean Delvare Fixes: 1aefc75b2449 (cpufreq: stats: Make the stats code non-modular) Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Documentation/cpu-freq/cpufreq-stats.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cbfff439c54f37fc363b1d365183fa61af43585c Author: Doug Anderson Date: Mon Aug 29 14:22:36 2016 -0700 i2c: rk3x: Restore clock settings at resume time Depending on a number of factors including: - Which exact Rockchip SoC we're working with - How deep we suspend - Which i2c port we're on We might lose the state of the i2c registers at suspend time. Specifically we've found that on rk3399 the i2c ports that are not in the PMU power domain lose their state with the current suspend depth configured by ARM Tursted Firmware. Note that there are very few actual i2c registers that aren't configured per transfer anyway so all we actually need to re-configure are the clock config registers. We'll just add a call to rk3x_i2c_adapt_div() at resume time and be done with it. NOTE: On rk3399 on ports whose power was lost, I put printouts in at resume time. I saw things like: before: con=0x00010300, div=0x00060006 after: con=0x00010200, div=0x00180025 Signed-off-by: Douglas Anderson Reviewed-by: David Wu Tested-by: David Wu [wsa: removed duplicate const] Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-rk3x.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit e0603c8dd298171bd64227c65c6bbd6a861e1a78 Author: Geert Uytterhoeven Date: Wed Aug 31 11:38:48 2016 +0200 i2c: Spelling s/acknowedge/acknowledge/ Signed-off-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-cadence.c | 2 +- drivers/i2c/busses/i2c-rk3x.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 664d58bf4d3406dc4404e29bcb8c89fd22589d57 Author: Zhuo-hao Lee Date: Sat Aug 27 15:39:30 2016 +0800 i2c: designware: save the preset value of DW_IC_SDA_HOLD There are several ways to set the SDA hold time for i2c controller, including: Device Tree, built-in device properties and ACPI. However, if the SDA hold time is not specified by above method, we should read the value, where it is preset by firmware, and save it to sda_hold_time. This is needed because when i2c controller enters runtime suspend, the DW_IC_SDA_HOLD value will be reset to chipset default value. And during runtime resume, i2c_dw_init will be called to reconfigure i2c controller. If sda_hold_time is zero, the chipset default hold time will be used, that will be too short for some platforms. Therefore, to have a better tolerance, the DW_IC_SDA_HOLD value should be kept by sda_hold_time. Signed-off-by: Zhuo-hao Lee Reviewed-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-designware-core.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit 40e3012e6ea715e957347477a980145210735267 Merge: 9dd4aaef 11d7a0b Author: David S. Miller Date: Thu Sep 8 13:12:37 2016 -0700 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== ipsec 2016-09-08 1) Fix a crash when xfrm_dump_sa returns an error. From Vegard Nossum. 2) Remove some incorrect WARN() on normal error handling. From Vegard Nossum. 3) Ignore socket policies when rebuilding hash tables, socket policies are not inserted into the hash tables. From Tobias Brunner. 4) Initialize and check tunnel pointers properly before we use it. From Alexey Kodanev. 5) Fix l3mdev oif setting on xfrm dst lookups. From David Ahern. ==================== Signed-off-by: David S. Miller commit e4abe2b9ab3ac79537d99dfceff7302739a586bc Merge: dc7066c 6654674 Author: Stephen Boyd Date: Thu Sep 8 12:54:24 2016 -0700 Merge tag 'sunxi-clk-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into clk-fixes Clock Fixes for the Allwinner SoCs, 4.8 Edition The usual bunch of fixes to the our clock drivers, mostly targetted to the brand new sunxi-ng drivers. * tag 'sunxi-clk-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: clk: sunxi-ng: Fix wrong reset register offsets clk: sunxi-ng: nk: Make ccu_nk_find_best static clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock clk: sunxi: Fix return value check in sun8i_a23_mbus_setup() clk: sunxi: pll2: Fix return value check in sun4i_pll2_setup() commit 711bef65e91d2a06730bf8c64bb00ecab48815a1 Merge: acdfffb 0f5aa88 Author: Linus Torvalds Date: Thu Sep 8 12:23:13 2016 -0700 Merge tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A fix for a 4.7 performance regression, caused by a typo in an if condition" * tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client: ceph: do not modify fi->frag in need_reset_readdir() commit acdfffb5e003858e0f4a70525101f584e393323e Merge: e8b3b45 9b41b92 Author: Linus Torvalds Date: Thu Sep 8 12:19:24 2016 -0700 Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging Pull dmi fix from Jean Delvare. * 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: dmi-id: don't free dev structure after calling device_register commit e8b3b45de89117729cdc1a6b29da85500e4af7db Merge: d71f058 95390e3 Author: Linus Torvalds Date: Thu Sep 8 12:05:15 2016 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "This is a slightly larger batch of fixes that we've been sitting on a few -rcs. Most of them are simple oneliners, but there are two sets that are slightly larger and worth pointing out: - A set of patches to OMAP to deal with hwmod for RTC on am33xx (beaglebone SoC, among others). It's the only clock that ever has a valid offset of 0, so a new flag needed introduction once this problem was discovered. - A collection of CCI fixes for performance counters discovered once people started using it on X-Gene CPUs" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits) arm-cci: pmu: Fix typo in event name Revert "ARM: tegra: fix erroneous address in dts" ARM: dts: imx6qdl: Fix SPDIF regression ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name ARM: dts: kirkwood: Fix PCIe label on OpenRD ARM: kirkwood: ib62x0: fix size of u-boot environment partition bus: arm-ccn: make event groups reliable bus: arm-ccn: fix hrtimer registration bus: arm-ccn: fix PMU interrupt flags ARM: tegra: Correct polarity for Tegra114 PMIC interrupt MAINTAINERS: add tree entry for ARM/UniPhier architecture ARM: sun5i: Fix typo in trip point temperature MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski ARM: imx6ul: populates platform device at .init_machine bus: arm-ccn: Add missing event attribute exclusions for host/guest bus: arm-ccn: Correct required arguments for XP PMU events bus: arm-ccn: Fix XP watchpoint settings bitmask bus: arm-ccn: Do not attempt to configure XPs for cycle counter bus: arm-ccn: Fix PMU handling of MN ... commit 47a7b0d8888c04c9746812820b6e60553cc77bbc Author: Guoqing Jiang Date: Sun Sep 4 22:17:28 2016 -0400 md-cluster: make md-cluster also can work when compiled into kernel The md-cluster is compiled as module by default, if it is compiled by built-in way, then we can't make md-cluster works. [64782.630008] md/raid1:md127: active with 2 out of 2 mirrors [64782.630528] md-cluster module not found. [64782.630530] md127: Could not setup cluster service (-2) Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions") Cc: stable@vger.kernel.org (v4.1+) Reported-by: Marc Smith Reviewed-by: NeilBrown Signed-off-by: Guoqing Jiang Signed-off-by: Shaohua Li drivers/md/md.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) commit 015282c9eb6da05bfad6ff009078f91e06c0c98f Author: Wenbo Wang Date: Thu Sep 8 12:12:11 2016 -0400 nvme/quirk: Add a delay before checking device ready for memblaze device Signed-off-by: Wenbo Wang Signed-off-by: Jens Axboe drivers/nvme/host/pci.c | 2 ++ 1 file changed, 2 insertions(+) commit 30851a7c2155d0b321485e66386ea99191d8b3f5 Author: Wolfram Sang Date: Thu Aug 25 19:27:40 2016 +0200 Documentation: i2c: slave-interface: add note for driver development Make it clear that adding slave support shall not disable master functionality. We can have both, so we should. Signed-off-by: Wolfram Sang Documentation/i2c/slave-interface | 5 +++++ 1 file changed, 5 insertions(+) commit e35478eac030990e23a56bf11dc074c5a069124a Author: Wolfram Sang Date: Tue Aug 23 17:28:03 2016 +0200 i2c: mux: demux-pinctrl: run properly with multiple instances We can't use a static property for all the changesets, so we now create dynamic ones for each changeset. Signed-off-by: Wolfram Sang Fixes: 50a5ba87690814 ("i2c: mux: demux-pinctrl: add driver") Signed-off-by: Wolfram Sang drivers/i2c/muxes/i2c-demux-pinctrl.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) commit a4497a86fb9b855c5ac8503fdc959393b00bb643 Author: Prarit Bhargava Date: Thu Sep 8 10:15:28 2016 -0400 x86, clock: Fix kvm guest tsc initialization When booting a kvm guest on AMD with the latest kernel the following messages are displayed in the boot log: tsc: Unable to calibrate against PIT tsc: HPET/PMTIMER calibration failed aa297292d708 ("x86/tsc: Enumerate SKL cpu_khz and tsc_khz via CPUID") introduced a change to account for a difference in cpu and tsc frequencies for Intel SKL processors. Before this change the native tsc set x86_platform.calibrate_tsc to native_calibrate_tsc() which is a hardware calibration of the tsc, and in tsc_init() executed tsc_khz = x86_platform.calibrate_tsc(); cpu_khz = tsc_khz; The kvm code changed x86_platform.calibrate_tsc to kvm_get_tsc_khz() and executed the same tsc_init() function. This meant that KVM guests did not execute the native hardware calibration function. After aa297292d708, there are separate native calibrations for cpu_khz and tsc_khz. The code sets x86_platform.calibrate_tsc to native_calibrate_tsc() which is now an Intel specific calibration function, and x86_platform.calibrate_cpu to native_calibrate_cpu() which is the "old" native_calibrate_tsc() function (ie, the native hardware calibration function). tsc_init() now does cpu_khz = x86_platform.calibrate_cpu(); tsc_khz = x86_platform.calibrate_tsc(); if (tsc_khz == 0) tsc_khz = cpu_khz; else if (abs(cpu_khz - tsc_khz) * 10 > tsc_khz) cpu_khz = tsc_khz; The kvm code should not call the hardware initialization in native_calibrate_cpu(), as it isn't applicable for kvm and it didn't do that prior to aa297292d708. This patch resolves this issue by setting x86_platform.calibrate_cpu to kvm_get_tsc_khz(). v2: I had originally set x86_platform.calibrate_cpu to cpu_khz_from_cpuid(), however, pbonzini pointed out that the CPUID leaf in that function is not available in KVM. I have changed the function pointer to kvm_get_tsc_khz(). Fixes: aa297292d708 ("x86/tsc: Enumerate SKL cpu_khz and tsc_khz via CPUID") Signed-off-by: Prarit Bhargava Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Len Brown Cc: "Peter Zijlstra (Intel)" Cc: Borislav Petkov Cc: Adrian Hunter Cc: "Christopher S. Hall" Cc: David Woodhouse Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini arch/x86/kernel/kvmclock.c | 1 + 1 file changed, 1 insertion(+) commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If these clocks aren't handled correctly by ST's SDHCI driver MMC will break and the following output can be observed: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard arch/arm/boot/dts/stih407-family.dtsi | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI drivers, their hub won't be found, the following error be shown and the result will be non-working USB: [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110) Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard arch/arm/boot/dts/stih410.dtsi | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 816f318b2364262a51024096da7ca3b84e78e3b5 Author: Takashi Iwai Date: Tue Aug 30 14:45:46 2016 +0200 ALSA: rawmidi: Fix possible deadlock with virmidi registration When a seq-virmidi driver is initialized, it registers a rawmidi instance with its callback to create an associated seq kernel client. Currently it's done throughly in rawmidi's register_mutex context. Recently it was found that this may lead to a deadlock another rawmidi device that is being attached with the sequencer is accessed, as both open with the same register_mutex. This was actually triggered by syzkaller, as Dmitry Vyukov reported: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 ...... -> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [] soundcore_open+0x30f/0x640 sound/sound_core.c:639 ...... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&grp->list_mutex); lock(register_mutex#5); lock(&grp->list_mutex); lock(register_mutex#5); *** DEADLOCK *** ====================================================== The fix is to simply move the registration parts in snd_rawmidi_dev_register() to the outside of the register_mutex lock. The lock is needed only to manage the linked list, and it's not necessarily to cover the whole initialization process. Reported-by: Dmitry Vyukov Cc: Signed-off-by: Takashi Iwai sound/core/rawmidi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b Author: Takashi Iwai Date: Wed Sep 7 15:45:31 2016 +0200 ALSA: timer: Fix zero-division by continue of uninitialized instance When a user timer instance is continued without the explicit start beforehand, the system gets eventually zero-division error like: divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88003c9b2280 task.stack: ffff880027280000 RIP: 0010:[] [< inline >] ktime_divns include/linux/ktime.h:195 RIP: 0010:[] [] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62 Call Trace: [< inline >] __run_hrtimer kernel/time/hrtimer.c:1238 [] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302 [] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336 [] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933 [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487 ..... Although a similar issue was spotted and a fix patch was merged in commit [6b760bb2c63a: ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of iceberg. In this patch, we fix the issue a bit more drastically. Basically the continue of an uninitialized timer is supposed to be a fresh start, so we do it for user timers. For the direct snd_timer_continue() call, there is no way to pass the initial tick value, so we kick out for the uninitialized case. Reported-by: Dmitry Vyukov Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit 9b41b92bbae6a4d3e1f3adde87864fd481037814 Author: Allen Hung Date: Fri Jul 15 17:42:22 2016 +0800 dmi-id: don't free dev structure after calling device_register dmi_dev is freed in error exit code but, according to the document of device_register, it should never directly free device structure after calling this function, even if it returned an error! Use put_device() instead. Signed-off-by: Allen Hung Signed-off-by: Jean Delvare drivers/firmware/dmi-id.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit bcf42aa60c2832510b9be0f30c090bfd35bb172d Author: Mathias Nyman Date: Wed Sep 7 17:26:33 2016 +0300 xhci: fix null pointer dereference in stop command timeout function The stop endpoint command has its own 5 second timeout timer. If the timeout function is triggered between USB3 and USB2 host removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd) the ->primary_hcd will be set to NULL at USB3 hcd removal. Fix this by first checking if the PCI host is being removed, and also by using only xhci_to_hcd() as it will always return the primary hcd. CC: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-ring.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit c291b015158577be533dd5a959dfc09bab119eed Author: Dou Liyang Date: Wed Sep 7 10:21:33 2016 +0800 x86/apic: Fix num_processors value in case of failure If the topology package map check of the APIC ID and the CPU is a failure, we don't generate the processor info for that APIC ID yet we increase disabled_cpus by one - which is buggy. Only increase num_processors once we are sure we don't fail. Signed-off-by: Dou Liyang Acked-by: David Rientjes Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1473214893-16481-1-git-send-email-douly.fnst@cn.fujitsu.com [ Rewrote the changelog. ] Signed-off-by: Ingo Molnar arch/x86/kernel/apic/apic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit db91e2370e087967cb6b6425c092188767fb5e00 Author: Daniel Baluta Date: Wed Sep 7 19:49:34 2016 +0930 tools/lguest: Don't bork the terminal in case of wrong args Running lguest without arguments or with a wrong argument name borks the terminal, because the cleanup handler is set up too late in the initialization process. Signed-off-by: Daniel Baluta Signed-off-by: Rusty Russell Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar tools/lguest/lguest.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d71f058617564750261b673ea9b3352382b9cde4 Merge: 80a7704 87260d3 Author: Linus Torvalds Date: Wed Sep 7 21:28:26 2016 -0700 Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux Pull thermal fix from Zhang Rui: "Only one patch this time, which fixes a crash in rcar_thermal driver. From Dirk Behme" * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux: thermal: rcar_thermal: Fix priv->zone error handling commit 95390e3290e8bf69091116e0d91b9754c0e93a24 Merge: 1d3ef9c 539d5c4 Author: Olof Johansson Date: Wed Sep 7 21:25:08 2016 -0700 Merge tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into fixes Allwinner fixes for 4.8 A single patch fixing a typo in the temperature trip points in the A13 DTSI. * tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: ARM: sun5i: Fix typo in trip point temperature Signed-off-by: Olof Johansson commit 1d3ef9c2dc699fcc09320a4b642e84eb3c038f26 Author: Suzuki K Poulose Date: Mon Sep 5 16:27:53 2016 +0100 arm-cci: pmu: Fix typo in event name For one of the CCI events exposed under sysfs, "snoop" was typo'd as "snopp". Correct this such that users see the expected event name when enumerating events via sysfs. Cc: arm@kernel.org Acked-by: Mark Rutland Signed-off-by: Suzuki K Poulose Signed-off-by: Olof Johansson drivers/bus/arm-cci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 28fa9917368978e8272407f2d7f8829b17f024ea Merge: d8b795f f065e9e Author: Olof Johansson Date: Wed Sep 7 21:24:22 2016 -0700 Merge tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes i.MX fixes for 4.8, 2nd round: - Fix misspelled "ti,x-plate-ohms" property name of touchscreen controller for imx7d-sdb DTS. - Add missing BM_CLPCR_BYPASS_PMIC_READY setting for i.MX6SX to get suspend/resume work properly. - Fix SPDIF regression on imx6qdl which caused by a clock update on spdif device node. * tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx6qdl: Fix SPDIF regression ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name Signed-off-by: Olof Johansson commit d8b795f5e3a3f81e0635919b3c9cd746631a6a76 Author: Olof Johansson Date: Wed Sep 7 21:16:40 2016 -0700 Revert "ARM: tegra: fix erroneous address in dts" This reverts commit b5c86b7496d74f6e454bcab5166efa023e1f0459. This is no longer needed due to other changes going into 4.8 to rename the unit addresses on a large number of device nodes. So it was picked up for v4.8-rc1 in error. Reported-by: Ralf Ramsauer Signed-off-by: Olof Johansson arch/arm/boot/dts/tegra124-jetson-tk1.dts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Author: Paul Mackerras Date: Fri Sep 2 21:47:59 2016 +1000 powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) we lost a check on the region number (the top four bits of the effective address) for addresses below PAGE_OFFSET. That commit replaced a check that the top 18 bits were all zero with a check that bits 46 - 59 were zero (performed for all addresses, not just user addresses). This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx and we will insert a valid SLB entry for it. The VSID used will be the same as if the top 4 bits were 0, but the page size will be some random value obtained by indexing beyond the end of the mm_ctx_high_slices_psize array in the paca. If that page size is the same as would be used for region 0, then userspace just has an alias of the region 0 space. If the page size is different, then no HPTE will be found for the access, and the process will get a SIGSEGV (since hash_page_mm() will refuse to create a HPTE for the bogus address). The access beyond the end of the mm_ctx_high_slices_psize can be at most 5.5MB past the array, and so will be in RAM somewhere. Since the access is a load performed in real mode, it won't fault or crash the kernel. At most this bug could perhaps leak a little bit of information about blocks of 32 bytes of memory located at offsets of i * 512kB past the paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range") Cc: stable@vger.kernel.org # v3.9+ Signed-off-by: Paul Mackerras Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman arch/powerpc/mm/slb_low.S | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 8540571e01f973d321b0821f4f32ed6e9ae8263c Author: Christophe Leroy Date: Fri Aug 26 16:45:13 2016 +0200 powerpc/32: Fix again csum_partial_copy_generic() Commit 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()") introduced a bug when destination address is odd and len is lower than cacheline size. In that case the resulting csum value doesn't have to be rotated one byte because the cache-aligned copy part is skipped so no alignment is performed. Fixes: 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()") Cc: stable@vger.kernel.org # v4.6+ Reported-by: Alessio Igor Bogani Signed-off-by: Christophe Leroy Tested-by: Alessio Igor Bogani Signed-off-by: Michael Ellerman arch/powerpc/lib/checksum_32.S | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit caa58f808834fca9a4443233fd09df5ab639690d Author: Gavin Shan Date: Tue Sep 6 14:17:18 2016 +1000 powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE In pnv_ioda_free_pe(), the PE object (including the associated PE number) is cleared before resetting the corresponding bit in the PE allocation bitmap. It means PE#0 is always released to the bitmap wrongly. This fixes above issue by caching the PE number before the PE object is cleared. Fixes: 1e9167726c41 ("powerpc/powernv: Use PE instead of number during setup and release" Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9dd4aaef194e45d96c2d0b6232a9cbc5430ad789 Author: Florian Fainelli Date: Tue Sep 6 20:22:21 2016 -0700 MAINTAINERS: Update CPMAC email address Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 56beac95cb88c188d2a885825a5da131edb41fe3 Author: Russell King Date: Mon Aug 29 11:24:10 2016 +0100 gpio: sa1100: fix irq probing for ucb1x00 ucb1x00 has used IRQ probing since it's dawn to find the GPIO interrupt that it's connected to. However, commit 23393d49fb75 ("gpio: kill off set_irq_flags usage") broke this by disabling IRQ probing on GPIO interrupts. Fix this. Fixes: 23393d49fb75 ("gpio: kill off set_irq_flags usage") Signed-off-by: Russell King Signed-off-by: Linus Walleij drivers/gpio/gpio-sa1100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 60f749f8e4cfdfffa5f29c966050ed680eeedac2 Author: Linus Walleij Date: Wed Sep 7 23:13:20 2016 +0200 gpio: mcp23s08: make driver depend on OF_GPIO The MCP23S08 driver certainly accesses fields inside the struct gpio_chip that are only available under CONFIG_OF_GPIO not just CONFIG_OF, so update the Kconfig and driver to reflect this. Cc: Alexander Stein Cc: Phil Reid Reported-by: kbuild test robot Signed-off-by: Linus Walleij drivers/gpio/Kconfig | 1 + drivers/gpio/gpio-mcp23s08.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit c6c864993d9a20f8d7cacb4feaac5c46a2f2e4db Author: Linus Walleij Date: Wed Aug 24 13:51:33 2016 +0200 Revert "gpio: include in gpiolib-of" This reverts commit 7d4defe21c682c934a19fce1ba8b54b7bde61b08. The commit was pointless, manically trembling in the dark for a solution. The real fixes are: commit 048c28c91e56 ("gpio: make any OF dependent driver depend on OF_GPIO") commit 2527ecc9195e ("gpio: Fix OF build problem on UM") Reported-by: Chris Wilson Signed-off-by: Linus Walleij drivers/gpio/gpiolib-of.c | 1 - 1 file changed, 1 deletion(-) commit 80a77045daacc660659093b312ca0708b53ed558 Merge: ab29b33 8e1f74e Author: Linus Torvalds Date: Wed Sep 7 14:03:49 2016 -0700 Merge tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull more hardened usercopyfixes from Kees Cook: - force check_object_size() to be inline too - move page-spanning check behind a CONFIG since it's triggering false positives [ Changed the page-spanning config option to depend on EXPERT in the merge. That way it still gets build testing, and you can enable it if you want to, but is never enabled for "normal" configurations ] * tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: usercopy: remove page-spanning test for now usercopy: force check_object_size() inline commit b7f3c7d345f72240055efcdf4111fb2e0d01be99 Merge: cbd60aa ce12965 Author: Chris Mason Date: Wed Sep 7 12:55:36 2016 -0700 Merge branch 'for-chris' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.8 commit 8e1f74ea02cf4562404c48c6882214821552c13f Author: Kees Cook Date: Wed Sep 7 09:54:34 2016 -0700 usercopy: remove page-spanning test for now A custom allocator without __GFP_COMP that copies to userspace has been found in vmw_execbuf_process[1], so this disables the page-span checker by placing it behind a CONFIG for future work where such things can be tracked down later. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326 Reported-by: Vinson Lee Fixes: f5509cc18daa ("mm: Hardened usercopy") Signed-off-by: Kees Cook mm/usercopy.c | 61 ++++++++++++++++++++++++++++++++------------------------ security/Kconfig | 11 ++++++++++ 2 files changed, 46 insertions(+), 26 deletions(-) commit a85d6b8242dc78ef3f4542a0f979aebcbe77fc4e Author: Kees Cook Date: Wed Sep 7 09:39:32 2016 -0700 usercopy: force check_object_size() inline Just for good measure, make sure that check_object_size() is always inlined too, as already done for copy_*_user() and __copy_*_user(). Suggested-by: Linus Torvalds Signed-off-by: Kees Cook include/linux/thread_info.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ab29b33a84f6910ebf01a32f69a370886a4283dd Merge: 08411a7 4fadd04 Author: Linus Torvalds Date: Wed Sep 7 10:46:06 2016 -0700 Merge tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fixes from Kees Cook: "Fix UM seccomp vs ptrace, after reordering landed" * tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Remove 2-phase API documentation um/ptrace: Fix the syscall number update after a ptrace um/ptrace: Fix the syscall_trace_leave call commit a0714125d11bcf21599b08b25fdaf384c0db6712 Merge: ded8991 e34f2ff Author: Kalle Valo Date: Wed Sep 7 20:16:37 2016 +0300 Merge ath-current from ath.git ath.git fixes for 4.8. Major changes: ath10k * fix racy rx status retrieval from htt context * QCA9887 support is not experimental anymore, remove the warning message ath9k * fix regression with led GPIOs * fix AR5416 GPIO access warning commit 08411a7554248009f26e85635f445a209604bfb5 Merge: d060e0f 3c17648 Author: Linus Torvalds Date: Wed Sep 7 09:29:36 2016 -0700 Merge tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardened usercopy fixes from Kees Cook: - inline copy_*_user() for correct use of __builtin_const_p() for hardened usercopy and the recent compile-time checks. - switch hardened usercopy to only check non-const size arguments to avoid meaningless checks on likely-sane const values. - update lkdtm usercopy tests to compenstate for the const checking. * tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lkdtm: adjust usercopy tests to bypass const checks usercopy: fold builtin_const check into inline function x86/uaccess: force copy_*_user() to be inlined commit 4fadd04d504a82f7f1fdeaddc144a9c396d1285e Author: Mickaël Salaün Date: Mon Aug 1 23:01:57 2016 +0200 seccomp: Remove 2-phase API documentation Fixes: 8112c4f140fa ("seccomp: remove 2-phase API") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Andy Lutomirski Cc: James Morris Signed-off-by: James Morris Signed-off-by: Kees Cook arch/Kconfig | 11 ----------- 1 file changed, 11 deletions(-) commit ce29856a5e1aabe52e18b2c60db1490769a6ab55 Author: Mickaël Salaün Date: Mon Aug 1 23:01:56 2016 +0200 um/ptrace: Fix the syscall number update after a ptrace Update the syscall number after each PTRACE_SETREGS on ORIG_*AX. This is needed to get the potentially altered syscall number in the seccomp filters after RET_TRACE. This fix four seccomp_bpf tests: > [ RUN ] TRACE_syscall.skip_after_RET_TRACE > seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26) > seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22) > [ FAIL ] TRACE_syscall.skip_after_RET_TRACE > [ RUN ] TRACE_syscall.kill_after_RET_TRACE > TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1) > [ FAIL ] TRACE_syscall.kill_after_RET_TRACE > [ RUN ] TRACE_syscall.skip_after_ptrace > seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26) > seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22) > [ FAIL ] TRACE_syscall.skip_after_ptrace > [ RUN ] TRACE_syscall.kill_after_ptrace > TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1) > [ FAIL ] TRACE_syscall.kill_after_ptrace Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Jeff Dike Cc: Richard Weinberger Cc: James Morris Cc: user-mode-linux-devel@lists.sourceforge.net Signed-off-by: James Morris Signed-off-by: Kees Cook arch/um/kernel/skas/syscall.c | 5 ----- arch/x86/um/ptrace_32.c | 3 +++ arch/x86/um/ptrace_64.c | 4 ++++ 3 files changed, 7 insertions(+), 5 deletions(-) commit 972939e28592ec61e2e8334786152be2c80de677 Author: Mickaël Salaün Date: Mon Aug 1 23:01:55 2016 +0200 um/ptrace: Fix the syscall_trace_leave call Keep the same semantic as before the commit 26703c636c1f: deallocate audit context and fake a proper syscall exit. This fix a kernel panic triggered by the seccomp_bpf test: > [ RUN ] global.ERRNO_valid > BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()! > Kernel panic - not syncing: BUG! Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Jeff Dike Cc: Richard Weinberger Cc: James Morris Cc: user-mode-linux-devel@lists.sourceforge.net Signed-off-by: James Morris Signed-off-by: Kees Cook arch/um/kernel/skas/syscall.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 82469c59d222f839ded5cd282172258e026f9112 Author: Gabriel Krisman Bertazi Date: Tue Sep 6 17:39:13 2016 -0300 nvme: Don't suspend admin queue that wasn't created This fixes a regression in my previous commit c21377f8366c ("nvme: Suspend all queues before deletion"), which provoked an Oops in the removal path when removing a device that became IO incapable very early at probe (i.e. after a failed EEH recovery). Turns out, if the error occurred very early at the probe path, before even configuring the admin queue, we might try to suspend the uninitialized admin queue, accessing bad memory. Fixes: c21377f8366c ("nvme: Suspend all queues before deletion") Signed-off-by: Gabriel Krisman Bertazi Reviewed-by: Jay Freyensee Signed-off-by: Jens Axboe drivers/nvme/host/pci.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit fc2780b66b15092ac68272644a522c1624c48547 Author: Chris Wilson Date: Fri Aug 26 11:59:26 2016 +0100 drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB According to the CI test machines, SNB also uses the GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE value to report a bad GEN6_PCODE_MIN_FREQ_TABLE request. [ 157.744641] WARNING: CPU: 5 PID: 9238 at drivers/gpu/drm/i915/intel_pm.c:7760 sandybridge_pcode_write+0x141/0x200 [i915] [ 157.744642] Missing switch case (16) in gen6_check_mailbox_status [ 157.744642] Modules linked in: snd_hda_intel i915 ax88179_178a usbnet mii x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec snd_hwdep snd_hda_core mei_me lpc_ich snd_pcm mei broadcom bcm_phy_lib tg3 ptp pps_core [last unloaded: vgem] [ 157.744658] CPU: 5 PID: 9238 Comm: drv_hangman Tainted: G U W 4.8.0-rc3-CI-CI_DRM_1589+ #1 [ 157.744658] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011 [ 157.744659] 0000000000000000 ffff88011f093a98 ffffffff81426415 ffff88011f093ae8 [ 157.744662] 0000000000000000 ffff88011f093ad8 ffffffff8107d2a6 00001e50810d3c9f [ 157.744663] ffff880128680000 0000000000000008 0000000000000000 ffff88012868a650 [ 157.744665] Call Trace: [ 157.744669] [] dump_stack+0x67/0x92 [ 157.744672] [] __warn+0xc6/0xe0 [ 157.744673] [] warn_slowpath_fmt+0x4a/0x50 [ 157.744685] [] sandybridge_pcode_write+0x141/0x200 [i915] [ 157.744697] [] intel_enable_gt_powersave+0x64a/0x1330 [i915] [ 157.744712] [] ? i9xx_emit_request+0x1b/0x80 [i915] [ 157.744725] [] __i915_add_request+0x1e3/0x370 [i915] [ 157.744738] [] i915_gem_do_execbuffer.isra.16+0xced/0x1b80 [i915] [ 157.744740] [] ? __might_fault+0x3e/0x90 [ 157.744752] [] i915_gem_execbuffer2+0xc2/0x2a0 [i915] [ 157.744753] [] drm_ioctl+0x207/0x4c0 [ 157.744765] [] ? i915_gem_execbuffer+0x360/0x360 [i915] [ 157.744767] [] ? debug_lockdep_rcu_enabled+0x1d/0x20 [ 157.744769] [] do_vfs_ioctl+0x8e/0x680 [ 157.744770] [] ? __might_fault+0x87/0x90 [ 157.744771] [] ? __might_fault+0x3e/0x90 [ 157.744773] [] ? trace_hardirqs_on_caller+0x122/0x1b0 [ 157.744774] [] SyS_ioctl+0x3c/0x70 [ 157.744776] [] entry_SYSCALL_64_fastpath+0x1c/0xac Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97491 Fixes: 87660502f1a4 ("drm/i915/gen6+: Interpret mailbox error flags") Signed-off-by: Chris Wilson Cc: Lyude Cc: Matt Roper Cc: Maarten Lankhorst Cc: Daniel Vetter Cc: Ville Syrjälä Cc: stable@vger.kernel.org Link: http://patchwork.freedesktop.org/patch/msgid/20160826105926.3413-1-chris@chris-wilson.co.uk Acked-by: Mika Kuoppala (cherry picked from commit 7850d1c35344c7bd6a357240f2f9f60fc2c097b5) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 1 + 1 file changed, 1 insertion(+) commit ded89912156b1a47d940a0c954c43afbabd0c42c Author: Arend Van Spriel Date: Mon Sep 5 10:45:47 2016 +0100 brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() User-space can choose to omit NL80211_ATTR_SSID and only provide raw IE TLV data. When doing so it can provide SSID IE with length exceeding the allowed size. The driver further processes this IE copying it into a local variable without checking the length. Hence stack can be corrupted and used as exploit. Cc: stable@vger.kernel.org # v4.7 Reported-by: Daxing Guo Reviewed-by: Hante Meuleman Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Franky Lin Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e34f2ff40e0339f6a379e1ecf49e8f2759056453 Author: Giedrius Statkevičius Date: Thu Sep 1 20:47:02 2016 +0300 ath9k: bring back direction setting in ath9k_{start_stop} A regression was introduced in commit id 79d4db1214a ("ath9k: cleanup led_pin initial") that broken the WLAN status led on my laptop with AR9287 after suspending and resuming. Steps to reproduce: * Suspend (laptop) * Resume (laptop) * Observe that the WLAN led no longer turns ON/OFF depending on the status and is always red Even though for my case it only needs to be set to OUT in ath9k_start but for consistency bring back the IN direction setting as well. Fixes: 79d4db1214a0 ("ath9k: cleanup led_pin initial") Cc: Miaoqing Pan Cc: Kalle Valo Cc: # 4.7+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711 Signed-off-by: Giedrius Statkevičius [kvalo@qca.qualcomm.com: improve commit log] Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/main.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e Author: Ard Biesheuvel Date: Thu Sep 1 14:25:43 2016 +0100 crypto: cryptd - initialize child shash_desc on import When calling .import() on a cryptd ahash_request, the structure members that describe the child transform in the shash_desc need to be initialized like they are when calling .init() Cc: stable@vger.kernel.org Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu crypto/cryptd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 696118c016dd5f5caaa05360f13f8acd8fb9d1a7 Author: Felipe Balbi Date: Wed Sep 7 13:39:37 2016 +0300 usb: dwc3: pci: fix build warning on !PM_SLEEP When building a kernel with CONFIG_PM_SLEEP=n, we get the following warning: drivers/usb/dwc3/dwc3-pci.c:253:12: warning: 'dwc3_pci_pm_dummy' defined but not used In order to fix this, we should only define dwc3_pci_pm_dummy() when CONFIG_PM_SLEEP is defined. Fixes: f6c274e11e3b ("usb: dwc3: pci: runtime_resume child device") Reported-by: Arnd Bergmann Acked-by: Arnd Bergmann Signed-off-by: Felipe Balbi drivers/usb/dwc3/dwc3-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 751eb6b6042a596b0080967c1a529a9fe98dac1d Author: Wei Yongjun Date: Mon Sep 5 16:06:31 2016 +0800 ipv6: addrconf: fix dev refcont leak when DAD failed In general, when DAD detected IPv6 duplicate address, ifp->state will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a delayed work, the call tree should be like this: ndisc_recv_ns -> addrconf_dad_failure <- missing ifp put -> addrconf_mod_dad_work -> schedule addrconf_dad_work() -> addrconf_dad_stop() <- missing ifp hold before call it addrconf_dad_failure() called with ifp refcont holding but not put. addrconf_dad_work() call addrconf_dad_stop() without extra holding refcount. This will not cause any issue normally. But the race between addrconf_dad_failure() and addrconf_dad_work() may cause ifp refcount leak and netdevice can not be unregister, dmesg show the following messages: IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected! ... unregister_netdevice: waiting for eth0 to become free. Usage count = 1 Cc: stable@vger.kernel.org Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing to workqueue") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/ipv6/addrconf.c | 2 ++ 1 file changed, 2 insertions(+) commit 9d13744bb75078175ab49408f2abb980e4dbccc9 Author: Michael Chan Date: Mon Sep 5 01:57:35 2016 -0400 bnxt_en: Fix TX push operation on ARM64. There is a code path where we are calling __iowrite64_copy() on an address that is not 64-bit aligned. This causes an exception on some architectures such as arm64. Fix that code path by using __iowrite32_copy(). Reported-by: JD Zheng Signed-off-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5a56a0b3a45dd0cc5b2f7bec6afd053a474ed9f5 Author: Mark Tomlinson Date: Mon Sep 5 10:20:20 2016 +1200 net: Don't delete routes in different VRFs When deleting an IP address from an interface, there is a clean-up of routes which refer to this local address. However, there was no check to see that the VRF matched. This meant that deletion wasn't confined to the VRF it should have been. To solve this, a new field has been added to fib_info to hold a table id. When removing fib entries corresponding to a local ip address, this table id is also used in the comparison. The table id is populated when the fib_info is created. This was already done in some places, but not in ip_rt_ioctl(). This has now been fixed. Fixes: 021dd3b8a142 ("net: Add routes to the table associated with the device") Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: Mark Tomlinson Signed-off-by: David S. Miller include/net/ip_fib.h | 3 ++- net/ipv4/fib_frontend.c | 3 ++- net/ipv4/fib_semantics.c | 8 ++++++-- 3 files changed, 10 insertions(+), 4 deletions(-) commit daa7ee8dfa64233789221685e73a6ef8159f80de Author: Sudip Mukherjee Date: Sun Sep 4 23:02:21 2016 +0530 net: smsc: remove build warning of duplicate definition The build of m32r was giving warning: In file included from drivers/net/ethernet/smsc/smc91x.c:92:0: drivers/net/ethernet/smsc/smc91x.h:448:0: warning: "SMC_inb" redefined #define SMC_inb(ioaddr, reg) ({ BUG(); 0; }) drivers/net/ethernet/smsc/smc91x.h:106:0: note: this is the location of the previous definition #define SMC_inb(a, r) inb(((u32)a) + (r)) drivers/net/ethernet/smsc/smc91x.h:449:0: warning: "SMC_outb" redefined #define SMC_outb(x, ioaddr, reg) BUG() drivers/net/ethernet/smsc/smc91x.h:108:0: note: this is the location of the previous definition #define SMC_outb(v, a, r) outb(v, ((u32)a) + (r)) Signed-off-by: Sudip Mukherjee Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smc91x.h | 2 ++ 1 file changed, 2 insertions(+) commit 007e4ba3ee137f4700f39aa6dbaf01a71047c5f6 Author: Helmut Buchsbaum Date: Sun Sep 4 18:09:47 2016 +0200 net: macb: initialize checksum when using checksum offloading I'm still struggling to get this fix right.. Changes since v2: - do not blindly modify SKB contents according to Dave's legitimate objection Changes since v1: - dropped disabling HW checksum offload for Zynq - initialize checksum similar to net/ethernet/freescale/fec_main.c -- >8 -- MACB/GEM needs the checksum field initialized to 0 to get correct results on transmit in all cases, e.g. on Zynq, UDP packets with payload <= 2 otherwise contain a wrong checksums. Signed-off-by: Helmut Buchsbaum Signed-off-by: David S. Miller drivers/net/ethernet/cadence/macb.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) commit 05c974669ecec510a85d8534099bb75404e82c41 Author: Chuck Lever Date: Tue Sep 6 11:22:58 2016 -0400 xprtrdma: Fix receive buffer accounting An RPC can terminate before its reply arrives, if a credential problem or a soft timeout occurs. After this happens, xprtrdma reports it is out of Receive buffers. A Receive buffer is posted before each RPC is sent, and returned to the buffer pool when a reply is received. If no reply is received for an RPC, that Receive buffer remains posted. But xprtrdma tries to post another when the next RPC is sent. If this happens a few dozen times, there are no receive buffers left to be posted at send time. I don't see a way for a transport connection to recover at that point, and it will spit warnings and unnecessarily delay RPCs on occasion for its remaining lifetime. Commit 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays") removed a little bit of logic to detect this case and not provide a Receive buffer so no more buffers are posted, and then transport operation continues correctly. We didn't understand what that logic did, and it wasn't commented, so it was removed as part of the overhaul to support backchannel requests. Restore it, but be wary of the need to keep extra Receives posted to deal with backchannel requests. Fixes: 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays") Signed-off-by: Chuck Lever Reviewed-by: Anna Schumaker Signed-off-by: Trond Myklebust net/sunrpc/xprtrdma/verbs.c | 41 +++++++++++++++++++++++++++++------------ net/sunrpc/xprtrdma/xprt_rdma.h | 1 + 2 files changed, 30 insertions(+), 12 deletions(-) commit 78d506e1b7071b24850fd5ac22b896c459b0a04c Author: Chuck Lever Date: Tue Sep 6 11:22:49 2016 -0400 xprtrdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") Receive buffer exhaustion, if it were to actually occur, would be catastrophic. However, when there are no reply buffers to post, that means all of them have already been posted and are waiting for incoming replies. By design, there can never be more RPCs in flight than there are available receive buffers. A receive buffer can be left posted after an RPC exits without a received reply; say, due to a credential problem or a soft timeout. This does not result in fewer posted receive buffers than there are pending RPCs, and there is already logic in xprtrdma to deal appropriately with this case. It also looks like the "+ 2" that was removed was accidentally accommodating the number of extra receive buffers needed for receiving backchannel requests. That will need to be addressed by another patch. Fixes: 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion can be...") Signed-off-by: Chuck Lever Reviewed-by: Anna Schumaker Signed-off-by: Trond Myklebust net/sunrpc/xprtrdma/verbs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 03c2778a938aaba0893f6d6cdc29511d91a79848 Author: Dave Jones Date: Fri Sep 2 14:39:50 2016 -0400 ipv6: release dst in ping_v6_sendmsg Neither the failure or success paths of ping_v6_sendmsg release the dst it acquires. This leads to a flood of warnings from "net/core/dst.c:288 dst_release" on older kernels that don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported. That patch optimistically hoped this had been fixed post 3.10, but it seems at least one case wasn't, where I've seen this triggered a lot from machines doing unprivileged icmp sockets. Cc: Martin Lau Signed-off-by: Dave Jones Acked-by: Martin KaFai Lau Signed-off-by: David S. Miller net/ipv6/ping.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit d060e0f603a4156087813d221d818bb39ec91429 Merge: 46738ab 16170d9 Author: Linus Torvalds Date: Tue Sep 6 12:33:12 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "This is the second pull request for the rdma subsystem. Most of the patches are small and obvious. I took two patches in that are larger than I wanted this late in the cycle. The first is the hfi1 patch that implements a work queue to test the QSFP read state. I originally rejected the first patch for this (which would have place up to 20 seconds worth of udelays in their probe routine). They then rewrote it the way I wanted (use delayed work tasks to wait asynchronously up to 20 seconds for the QSFP to come alive), so I can't really complain about the size of getting what I asked for :-/. The second is large because it switches the rcu locking in the debugfs code. Since a locking change like this is done all at once, the size it what it is. It resolves a litany of debug messages from the kernel, so I pulled it in for -rc. The rest are all typical -rc worthy patches I think. There will still be a third -rc pull request from the rdma subsystem this release. I hope to have that one ready to go by the end of this week or early next. Summary: - a smattering of small fixes across the core, ipoib, i40iw, isert, cxgb4, and mlx4 - a slightly larger group of fixes to each of mlx5 and hfi1" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: IB/hfi1: Rework debugfs to use SRCU IB/hfi1: Make n_krcvqs be an unsigned long integer IB/hfi1: Add QSFP sanity pre-check IB/hfi1: Fix AHG KDETH Intr shift IB/hfi1: Fix SGE length for misaligned PIO copy IB/mlx5: Don't return errors from poll_cq IB/mlx5: Use TIR number based on selector IB/mlx5: Simplify code by removing return variable IB/mlx5: Return EINVAL when caller specifies too many SGEs IB/mlx4: Don't return errors from poll_cq Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one" IB/ipoib: Fix memory corruption in ipoib cm mode connect flow IB/core: Fix use after free in send_leave function IB/cxgb4: Make _free_qp static to silence build warning IB/isert: Properly release resources on DEVICE_REMOVAL IB/hfi1: Fix the size parameter to find_first_bit IB/mlx5: Fix the size parameter to find_first_bit IB/hfi1: Clean up type used and casting i40iw: Receive notification events correctly i40iw: Update hw_iwarp_state commit 3c17648c2816f6d28bd2be9293032a2901994a36 Author: Kees Cook Date: Tue Sep 6 11:26:12 2016 -0700 lkdtm: adjust usercopy tests to bypass const checks The hardened usercopy is now consistently avoiding checks against const sizes, since we really only want to perform runtime bounds checking on lengths that weren't known at build time. To test the hardened usercopy code, we must force the length arguments to be seen as non-const. Signed-off-by: Kees Cook drivers/misc/lkdtm_usercopy.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) commit 81409e9e28058811c9ea865345e1753f8f677e44 Author: Kees Cook Date: Wed Aug 31 16:04:21 2016 -0700 usercopy: fold builtin_const check into inline function Instead of having each caller of check_object_size() need to remember to check for a const size parameter, move the check into check_object_size() itself. This actually matches the original implementation in PaX, though this commit cleans up the now-redundant builtin_const() calls in the various architectures. Signed-off-by: Kees Cook arch/ia64/include/asm/uaccess.h | 12 ++++-------- arch/powerpc/include/asm/uaccess.h | 19 +++++++------------ arch/sparc/include/asm/uaccess_32.h | 9 +++------ arch/sparc/include/asm/uaccess_64.h | 7 +++---- include/linux/thread_info.h | 3 ++- 5 files changed, 19 insertions(+), 31 deletions(-) commit e6971009a95a74f28c58bbae415c40effad1226c Author: Kees Cook Date: Tue Sep 6 11:56:01 2016 -0700 x86/uaccess: force copy_*_user() to be inlined As already done with __copy_*_user(), mark copy_*_user() as __always_inline. Without this, the checks for things like __builtin_const_p() won't work consistently in either hardened usercopy nor the recent adjustments for detecting usercopy overflows at compile time. The change in kernel text size is detectable, but very small: text data bss dec hex filename 12118735 5768608 14229504 32116847 1ea106f vmlinux.before 12120207 5768608 14229504 32118319 1ea162f vmlinux.after Signed-off-by: Kees Cook arch/x86/include/asm/uaccess.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 46738ab31fe668ea1d4413dd459af2632f6fef8d Merge: 6296c41 a75e4a8 Author: Linus Torvalds Date: Tue Sep 6 11:15:07 2016 -0700 Merge branch 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration Pull mailbox fixes from Jassi Brar: "Misc fixes for BCM mailbox driver - Fix build warnings by making static functions used within the file. - Check for potential NULL before dereferencing - Fix link error by defining HAS_DMA dependency" * 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration: fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown() mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX commit 6296c41259af263780a976d9e2db6bb581709d45 Merge: ec9a03d 14a5916 Author: Linus Torvalds Date: Tue Sep 6 11:06:52 2016 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is really three fixes, but the SES one comes in a bundle of three (making the replacement API available properly, using it and removing the non-working one). The SES problem causes an oops on hpsa devices because they attach virtual disks to the host which aren't SAS attached (the replacement API ignores them). The other two fixes are fairly minor: the sense key one means we actually resolve a newly added sense key and the RDAC device blacklisting is needed to prevent us annoying the universal XPORT lun of various RDAC arrays" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: sas: remove is_sas_attached() scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached scsi: sas: provide stub implementation for scsi_is_sas_rphy scsi: blacklist all RDAC devices for BLIST_NO_ULD_ATTACH scsi: fix upper bounds check of sense key in scsi_sense_key_string() commit ec9a03d47ed71364501c54ce3845af0bd81ff2f6 Merge: 8ded8f0 787ad90 Author: Linus Torvalds Date: Tue Sep 6 11:02:36 2016 -0700 Merge tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fixes from Mark Brown: "Several fixes here, the main one being the change from Lars-Peter which I'd been letting soak in -next since the merge window in case it uncovered further issues as it's a minimal fix rather than a change addressing the root cause of the problems (which would've been too invasive for -rc): - The biggest change is a fix from Lars-Peter to ensure that we don't create overlapping rbtree nodes which in turn avoids returning corrupt cache values to users, fixing some issues that were exposed by some recent optimisations with certain access patterns but had been present for a long time. - A fix from Elaine Zhang to stop us updating the cache if we get an I/O error when writing to the hardware. - A fix fromm Maarten ter Huurne to avoid uninitialized defaults in cases where we have non-readable registers but are initializing the cache by reading from the device" * tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: drop cache if the bus transfer error regmap: rbtree: Avoid overlapping nodes regmap: cache: Fix num_reg_defaults computation from reg_defaults_raw commit 8ded8f0030b9b44e9dcf48ce2421f9502cece39b Merge: 8fa5729 ae4860b Author: Linus Torvalds Date: Tue Sep 6 10:59:44 2016 -0700 Merge tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "As well as the usual driver fixes there's a couple of non-trivial core fixes in here: - Fixes for issues reported by Julia Lawall in the changes that were sent last time to fix interaction between the bus lock and the locking done for the SPI thread. I'd let this one cook for a while to make sure nothing else came up in testing. - A fix from Sien Wu for arithmetic overflows when calculating the timeout for larger transfers (espcially common with slow buses with flashes on them)" * tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: Prevent unexpected SPI time out due to arithmetic overflow spi: pxa2xx-pci: fix ACPI-based enumeration of SPI devices MAINTAINERS: add myself as Samsung SPI maintainer spi: Drop io_mutex in error paths spi: sh-msiof: Avoid invalid clock generator parameters spi: img-spfi: Remove spi_master_put in img_spfi_remove() spi: mediatek: remove spi_master_put in mtk_spi_remove() spi: qup: Remove spi_master_put in spi_qup_remove() commit 8fa5729dc294af34968451a8dc558ac36ed8d7d8 Merge: 4c601e0 78cefcb Author: Linus Torvalds Date: Tue Sep 6 10:43:54 2016 -0700 Merge tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "Two things here, one an e-mail update for Krzysztof Kozlowski and the other a couple of fixes for issues with incorrectly described voltages in a couple of the Qualcomm regulator drivers that were breaking MMC on some platforms" * tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: Change Krzysztof Kozlowski's email to kernel.org regulator: qcom_smd: Fix voltage ranges for pma8084 ftsmps and pldo regulator: qcom_smd: Fix voltage ranges for pm8x41 commit 4c601e0df765482ad338e8b98f35accd5f1b87a7 Merge: bc4dee5 486095f Author: Linus Torvalds Date: Tue Sep 6 10:36:12 2016 -0700 Merge tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Nothing special at all, just three SoC-specific driver fixes: - Fix routing problems in pistachio (Imagination) and sunxi (AllWinner) - Fix an interrupt problem in the Cherryview (Intel)" * tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 pinctrl: cherryview: Do not mask all interrupts in probe pinctrl: pistachio: fix mfio pll_lock pinmux commit d1a6cba576fc7c43e476538fe5aa72fe04bd80e1 Author: Liping Zhang Date: Tue Sep 6 22:31:02 2016 +0800 netfilter: nft_chain_route: re-route before skb is queued to userspace Imagine such situation, user add the following nft rules, and queue the packets to userspace for further check: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain filter output {type route hook output priority 0 \;} # nft add rule filter output mark set 0x1 # nft add rule filter output queue num 0 But after we reinject the skbuff, the packet will be sent via the wrong route, i.e. in this case, the packet will be routed via eth0 table, not eth1 table. Because we skip to do re-route when verdict is NF_QUEUE, even if the mark was changed. Acctually, we should not touch sk_buff if verdict is NF_DROP or NF_STOLEN, and when re-route fails, return NF_DROP with error code. This is consistent with the mangle table in iptables. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/ipv4/netfilter/nft_chain_route_ipv4.c | 11 +++++++---- net/ipv6/netfilter/nft_chain_route_ipv6.c | 10 +++++++--- 2 files changed, 14 insertions(+), 7 deletions(-) commit ce129655c9d9aaa7b3bcc46529db1b36693575ed Author: Wang Xiaoguang Date: Fri Sep 2 10:58:46 2016 +0800 btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress In btrfs_async_reclaim_metadata_space(), we use ticket's address to determine whether asynchronous metadata reclaim work is making progress. ticket = list_first_entry(&space_info->tickets, struct reserve_ticket, list); if (last_ticket == ticket) { flush_state++; } else { last_ticket = ticket; flush_state = FLUSH_DELAYED_ITEMS_NR; if (commit_cycles) commit_cycles--; } But indeed it's wrong, we should not rely on local variable's address to do this check, because addresses may be same. In my test environment, I dd one 168MB file in a 256MB fs, found that for this file, every time wait_reserve_ticket() called, local variable ticket's address is same, For above codes, assume a previous ticket's address is addrA, last_ticket is addrA. Btrfs_async_reclaim_metadata_space() finished this ticket and wake up it, then another ticket is added, but with the same address addrA, now last_ticket will be same to current ticket, then current ticket's flush work will start from current flush_state, not initial FLUSH_DELAYED_ITEMS_NR, which may result in some enospc issues(I have seen this in my test machine). Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/ctree.h | 1 + fs/btrfs/extent-tree.c | 11 ++++++----- 2 files changed, 7 insertions(+), 5 deletions(-) commit 557b1a8cae25e36ac2f125d93f003e60a7d0d014 Author: Zhi Wang Date: Tue Sep 6 12:04:12 2016 +0800 drm/i915: disable 48bit full PPGTT when vGPU is active Disable 48bit full PPGTT on vGPU too for now. Signed-off-by: Zhi Wang Signed-off-by: Zhenyu Wang Reviewed-by: Joonas Lahtinen Acked-by: Chris Wilson Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-3-zhenyuw@linux.intel.com (cherry picked from commit e320d40022128845dfff900422ea9fd69f576c98) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem_gtt.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit cd28e716c6869d2f06e64bcd679d0a45dd8a6295 Author: Ping Gao Date: Tue Sep 6 12:04:11 2016 +0800 drm/i915: enable vGPU detection for all vGPU capability is handled by GVT-g host driver, not needed to put extra HW check for vGPU detection. And we'll actually support vGPU from BDW. Signed-off-by: Ping Gao Signed-off-by: Zhenyu Wang Reviewed-by: Joonas Lahtinen Acked-by: Chris Wilson Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-2-zhenyuw@linux.intel.com (cherry picked from commit 8ef89995c735f978d5dfcb3ca6bce70d41728c91) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_vgpu.c | 3 --- 1 file changed, 3 deletions(-) commit cbd60aa7cd17d81a434234268c55192862147439 Author: Chris Mason Date: Tue Sep 6 05:37:40 2016 -0700 Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns We use a btrfs_log_ctx structure to pass information into the tree log commit, and get error values out. It gets added to a per log-transaction list which we walk when things go bad. Commit d1433debe added an optimization to skip waiting for the log commit, but didn't take root_log_ctx out of the list. This patch makes sure we remove things before exiting. Signed-off-by: Chris Mason Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4 cc: stable@vger.kernel.org # 3.15+ fs/btrfs/tree-log.c | 1 + 1 file changed, 1 insertion(+) commit 1ba7db07ccc2825669d6e376632316813a072887 Author: Thierry Reding Date: Mon Jul 11 12:19:40 2016 +0200 drm/atmel-hlcdc: Make ->reset() implementation static The atmel_hlcdc_crtc_reset() function is never used outside the file and can be static. This avoids a warning from sparse. Signed-off-by: Thierry Reding drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d31ed3f05763644840c654a384eaefa94c097ba2 Author: Jan Leupold Date: Wed Jul 6 13:22:35 2016 +0200 drm: atmel-hlcdc: Fix vertical scaling The code is applying the same scaling for the X and Y components, thus making the scaling feature only functional when both components have the same scaling factor. Do the s/_w/_h/ replacement where appropriate to fix vertical scaling. Signed-off-by: Jan Leupold Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support") Cc: Signed-off-by: Boris Brezillon drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 87260d3f7aecba9a5fadc6886c338b2a8fccfca9 Author: Dirk Behme Date: Thu Apr 21 12:24:55 2016 +0200 thermal: rcar_thermal: Fix priv->zone error handling In case thermal_zone_xxx_register() returns an error, priv->zone isn't NULL any more, but contains the error code. This is passed to thermal_zone_device_unregister(), then. This checks for priv->zone being NULL, but the error code is != NULL. So it works with the error code as a pointer. Crashing immediately. To fix this, reset priv->zone to NULL before entering rcar_gen3_thermal_remove(). Signed-off-by: Dirk Behme Reviewed-by: Geert Uytterhoeven Signed-off-by: Zhang Rui drivers/thermal/rcar_thermal.c | 1 + 1 file changed, 1 insertion(+) commit ae4860b5333586b60ca1798f3f83b8b37520904c Merge: c693593 764f216 2e365a7 2932c28 b70cd2d c3ccf35 d0716dd Author: Mark Brown Date: Tue Sep 6 12:32:09 2016 +0100 Merge remote-tracking branches 'spi/fix/lock', 'spi/fix/maintainers', 'spi/fix/put', 'spi/fix/pxa2xx', 'spi/fix/sh-msiof' and 'spi/fix/timeout' into spi-linus commit 78cefcbe60de8069c7382bcc15570873ba01f489 Merge: c693593 cea8aa3 c488f00 Author: Mark Brown Date: Tue Sep 6 12:31:34 2016 +0100 Merge remote-tracking branches 'regulator/fix/email' and 'regulator/fix/qcom-smd' into regulator-linus commit d2896d4b55b2e32b423072a4124d7da4dc1e6cb1 Author: Marc Zyngier Date: Mon Aug 22 09:01:17 2016 +0100 arm: KVM: Fix idmap overlap detection when the kernel is idmap'ed We're trying hard to detect when the HYP idmap overlaps with the HYP va, as it makes the teardown of a cpu dangerous. But there is one case where an overlap is completely safe, which is when the whole of the kernel is idmap'ed, which is likely to happen on 32bit when RAM is at 0x8000000 and we're using a 2G/2G VA split. In that case, we can proceed safely. Reported-by: Christoffer Dall Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm/kvm/mmu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 Author: Jiri Olsa Date: Mon Sep 5 17:30:07 2016 +0200 perf/x86/intel/cqm: Check cqm/mbm enabled state in event init Yanqiu Zhang reported kernel panic when using mbm event on system where CQM is detected but without mbm event support, like with perf: # perf stat -e 'intel_cqm/event=3/' -a BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] update_sample+0xbc/0xe0 ... [] __intel_mbm_event_init+0x18/0x20 [] flush_smp_call_function_queue+0x7b/0x160 [] generic_smp_call_function_single_interrupt+0x13/0x60 [] smp_call_function_interrupt+0x27/0x40 [] call_function_interrupt+0x8c/0xa0 ... The reason is that we currently allow to init mbm event even if mbm support is not detected. Adding checks for both cqm and mbm events and support into cqm's event_init. Fixes: 33c3cc7acfd9 ("perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init") Reported-by: Yanqiu Zhang Signed-off-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Vikas Shivappa Cc: Tony Luck Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/1473089407-21857-1-git-send-email-jolsa@kernel.org Signed-off-by: Thomas Gleixner arch/x86/events/intel/cqm.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 3ff488ab6000f1338684b227c499450317519cc1 Author: Colin Ian King Date: Mon Sep 5 16:37:12 2016 +0100 usb: gadget: prevent potenial null pointer dereference on skb->len An earlier fix partially fixed the null pointer dereference on skb->len by moving the assignment of len after the check on skb being non-null, however it failed to remove the erroneous dereference when assigning len. Correctly fix this by removing the initialisation of len as was originally intended. Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL") Acked-by: Peter Chen Signed-off-by: Colin Ian King Signed-off-by: Felipe Balbi drivers/usb/gadget/function/f_eem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b314427a52fd8daa1215d30e56de01e32edec531 Author: Gavin Shan Date: Tue Sep 6 14:16:44 2016 +1000 powerpc/powernv: Fix crash on releasing compound PE The compound PE is created to accommodate the devices attached to one specific PCI bus that consume multiple M64 segments. The compound PE is made up of one master PE and possibly multiple slave PEs. The slave PEs should be destroyed when releasing the master PE. A kernel crash happens when derferencing @pe->pdev on releasing the slave PE in pnv_ioda_deconfigure_pe(). # echo 0 > /sys/bus/pci/slots/C7/power iommu: Removing device 0000:01:00.1 from group 0 iommu: Removing device 0000:01:00.0 from group 0 Unable to handle kernel paging request for data at address 0x00000010 Faulting instruction address: 0xc00000000005d898 cpu 0x1: Vector: 300 (Data Access) at [c000000fe8217620] pc: c00000000005d898: pnv_ioda_release_pe+0x288/0x610 lr: c00000000005dbdc: pnv_ioda_release_pe+0x5cc/0x610 sp: c000000fe82178a0 msr: 9000000000009033 dar: 10 dsisr: 40000000 current = 0xc000000fe815ab80 paca = 0xc00000000ff00400 softe: 0 irq_happened: 0x01 pid = 2709, comm = sh Linux version 4.8.0-rc5-gavin-00006-g745efdb (gwshan@gwshan) \ (gcc version 4.9.3 (Buildroot 2016.02-rc2-00093-g5ea3bce) ) #586 SMP \ Tue Sep 6 13:37:29 AEST 2016 enter ? for help [c000000fe8217940] c00000000005d684 pnv_ioda_release_pe+0x74/0x610 [c000000fe82179e0] c000000000034460 pcibios_release_device+0x50/0x70 [c000000fe8217a10] c0000000004aba80 pci_release_dev+0x50/0xa0 [c000000fe8217a40] c000000000704898 device_release+0x58/0xf0 [c000000fe8217ac0] c000000000470510 kobject_release+0x80/0xf0 [c000000fe8217b00] c000000000704dd4 put_device+0x24/0x40 [c000000fe8217b20] c0000000004af94c pci_remove_bus_device+0x12c/0x150 [c000000fe8217b60] c000000000034244 pci_hp_remove_devices+0x94/0xd0 [c000000fe8217ba0] c0000000004ca444 pnv_php_disable_slot+0x64/0xb0 [c000000fe8217bd0] c0000000004c88c0 power_write_file+0xa0/0x190 [c000000fe8217c50] c0000000004c248c pci_slot_attr_store+0x3c/0x60 [c000000fe8217c70] c0000000002d6494 sysfs_kf_write+0x94/0xc0 [c000000fe8217cb0] c0000000002d50f0 kernfs_fop_write+0x180/0x260 [c000000fe8217d00] c0000000002334a0 __vfs_write+0x40/0x190 [c000000fe8217d90] c000000000234738 vfs_write+0xc8/0x240 [c000000fe8217de0] c000000000236250 SyS_write+0x60/0x110 [c000000fe8217e30] c000000000009524 system_call+0x38/0x108 It fixes the kernel crash by bypassing releasing resources (DMA, IO and memory segments, PELTM) because there are no resources assigned to the slave PE. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Reported-by: Frederic Barrat Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit f8e33475b0da98c4bffc91017a3fbbfb443a7bdb Author: Benjamin Herrenschmidt Date: Tue Sep 6 13:43:45 2016 +1000 powerpc/xics/opal: Fix processor numbers in OPAL ICP When using the OPAL ICP backend we incorrectly pass Linux CPU numbers rather than HW CPU numbers to OPAL. Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend") Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman arch/powerpc/sysdev/xics/icp-opal.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit d81d8258218228d3137055afe8acf981c3ebed46 Author: Thiago Jung Bauermann Date: Tue Aug 23 19:57:39 2016 -0300 powerpc/pseries: Fix little endian build with CONFIG_KEXEC=n On ppc64le, builds with CONFIG_KEXEC=n fail with: arch/powerpc/platforms/pseries/setup.c: In function ‘pseries_big_endian_exceptions’: arch/powerpc/platforms/pseries/setup.c:403:13: error: implicit declaration of function ‘kdump_in_progress’ if (rc && !kdump_in_progress()) This is because pseries/setup.c includes , but kdump_in_progress() is defined in . This is a problem because the former only includes the latter if CONFIG_KEXEC_CORE=y. Fix it by including directly, as is done in powernv/setup.c. Fixes: d3cbff1b5a90 ("powerpc: Put exception configuration in a common place") Signed-off-by: Thiago Jung Bauermann Signed-off-by: Michael Ellerman arch/powerpc/platforms/pseries/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 171c0091837c81ed5c949fec6966bb5afff2d1cf Author: Gregor Boirie Date: Fri Sep 2 20:27:46 2016 +0200 iio:core: fix IIO_VAL_FRACTIONAL sign handling 7985e7c100 ("iio: Introduce a new fractional value type") introduced a new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers expressed by a numerator and denominator combination. Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This fails handling negative values properly since parameters are reevaluated as unsigned values. Fix this by using div_s64_rem() instead. Computed integer part will carry properly signed value. Formatted fractional part will always be positive. Fixes: 7985e7c100 ("iio: Introduce a new fractional value type") Signed-off-by: Gregor Boirie Reviewed-by: Lars-Peter Clausen Cc: Signed-off-by: Jonathan Cameron drivers/iio/industrialio-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e Author: Colin Ian King Date: Mon Sep 5 15:39:06 2016 +0100 iio: ensure ret is initialized to zero before entering do loop A recent fix to iio_buffer_read_first_n_outer removed ret from being set by a return from wait_event_interruptible and also added a continue in a loop which causes the variable ret to not be set when it reaches the end of the loop. Fix this by initializing ret to zero. Also remove extraneous white space at the end of the loop. Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING") Signed-off-by: Colin Ian King Cc: Signed-off-by: Jonathan Cameron drivers/iio/industrialio-buffer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bc4dee5aa72723632a1f83fd0d3720066c93b433 Merge: 56291b2 8b18e23 Author: Linus Torvalds Date: Mon Sep 5 11:10:00 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a regression in the cryptd code that breaks certain accelerated AED algorithms as well as an older regression in the caam driver that breaks IPsec" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: caam - fix IV loading for authenc (giv)decryption crypto: cryptd - Use correct tfm object for AEAD tracking commit 56291b271be032057c782e357ca728b27d89ff70 Merge: c693593 d3e2773 Author: Linus Torvalds Date: Mon Sep 5 10:55:55 2016 -0700 Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild Pull kbuild fix from Michal Marek: "Fix for 'make deb-pkg'. The bug got introduced in v4.8-rc1" * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild: builddeb: Skip gcc-plugins when not configured commit 5210d393ef84e5d2a4854671a9af2d97fd1b8dd4 Author: Liping Zhang Date: Fri Sep 2 20:49:12 2016 +0800 netfilter: nf_tables_trace: fix endiness when dump chain policy NFTA_TRACE_POLICY attribute is big endian, but we forget to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ed7a6948394305b810d0c6203268648715e5006f Author: Wang Xiaoguang Date: Fri Aug 26 11:33:14 2016 +0800 btrfs: do not decrease bytes_may_use when replaying extents When replaying extents, there is no need to update bytes_may_use in btrfs_alloc_logged_file_extent(), otherwise it'll trigger a WARN_ON about bytes_may_use. Fixes: ("btrfs: update btrfs_space_info's bytes_may_use timely") Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/extent-tree.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit cbf2f8a99a2337894c3592c9ac2170e8c1f8f73f Merge: fa8410b d649340 Author: Thomas Gleixner Date: Mon Sep 5 17:14:17 2016 +0200 Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into efi/urgent * Make for_each_efi_memory_desc_in_map() safe on Xen and prevent an infinte loop - Jan Beulich * Fix boot error on arm64 Qualcomm platforms by refactoring and improving the ExitBootServices() hack we already for x86 and moving it to the libstub - Jeffrey Hugo * Use correct return data type for of_get_flat_dt_subnode_by_name() so that we correctly handle errors - Andrzej Hajda commit 20218b86ad8adb4bf71db9425bb59680f345eafd Merge: e12c8f3 4d21cef Author: Paolo Bonzini Date: Mon Sep 5 16:15:22 2016 +0200 Merge tag 'kvm-s390-master-4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master A bugfix for the vsie code (setting the wrong field). commit e12c8f36f3f7a60d55938c5aed5999278fa92bcb Author: Wanpeng Li Date: Tue Aug 30 16:14:00 2016 +0800 KVM: lapic: adjust preemption timer correctly when goes TSC backward TSC_OFFSET will be adjusted if discovers TSC backward during vCPU load. The preemption timer, which relies on the guest tsc to reprogram its preemption timer value, is also reprogrammed if vCPU is scheded in to a different pCPU. However, the current implementation reprogram preemption timer before TSC_OFFSET is adjusted to the right value, resulting in the preemption timer firing prematurely. This patch fix it by adjusting TSC_OFFSET before reprogramming preemption timer if TSC backward. Cc: Paolo Bonzini Cc: Radim Krċmář Cc: Yunhong Jiang Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit c86d06ba2818c5126078cb0cf4e0175ec381045b Author: Tejun Heo Date: Mon Sep 5 08:38:13 2016 -0400 PM / QoS: avoid calling cancel_delayed_work_sync() during early boot of_clk_init() ends up calling into pm_qos_update_request() very early during boot where irq is expected to stay disabled. pm_qos_update_request() uses cancel_delayed_work_sync() which correctly assumes that irq is enabled on invocation and unconditionally disables and re-enables it. Gate cancel_delayed_work_sync() invocation with kevented_up() to avoid enabling irq unexpectedly during early boot. Signed-off-by: Tejun Heo Reported-and-tested-by: Qiao Zhou Link: http://lkml.kernel.org/r/d2501c4c-8e7b-bea3-1b01-000b36b5dfe9@asrmicro.com Signed-off-by: Rafael J. Wysocki kernel/power/qos.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 0f5aa88a7bb28b73253fb42b3df8202142769f39 Author: Nicolas Iooss Date: Sun Aug 28 18:47:12 2016 +0200 ceph: do not modify fi->frag in need_reset_readdir() Commit f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset") modified "if (fpos_frag(new_pos) != fi->frag)" to "if (fi->frag |= fpos_frag(new_pos))" in need_reset_readdir(), thus replacing a comparison operator with an assignment one. This looks like a typo which is reported by clang when building the kernel with some warning flags: fs/ceph/dir.c:600:22: error: using the result of an assignment as a condition without parentheses [-Werror,-Wparentheses] } else if (fi->frag |= fpos_frag(new_pos)) { ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~ fs/ceph/dir.c:600:22: note: place parentheses around the assignment to silence this warning } else if (fi->frag |= fpos_frag(new_pos)) { ^ ( ) fs/ceph/dir.c:600:22: note: use '!=' to turn this compound assignment into an inequality comparison } else if (fi->frag |= fpos_frag(new_pos)) { ^~ != Fixes: f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset") Signed-off-by: Nicolas Iooss Signed-off-by: Ilya Dryomov fs/ceph/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c Author: Miklos Szeredi Date: Mon Sep 5 13:55:20 2016 +0200 ovl: fix workdir creation Workdir creation fails in latest kernel. Fix by allowing EOPNOTSUPP as a valid return value from vfs_removexattr(XATTR_NAME_POSIX_ACL_*). Upper filesystem may not support ACL and still be perfectly able to support overlayfs. Reported-by: Martin Ziegler Signed-off-by: Miklos Szeredi Fixes: c11b9fdd6a61 ("ovl: remove posix_acl_default from workdir") Cc: fs/overlayfs/super.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4d21cef3ea00ba3ac508eb61fb8db70e3e31df67 Author: David Hildenbrand Date: Fri Sep 2 12:33:49 2016 +0200 KVM: s390: vsie: fix riccbd We store the address of riccbd at the wrong location, overwriting gvrd. This means that our nested guest will not be able to use runtime instrumentation. Also, a memory leak, if our KVM guest actually sets gvrd. Not noticed until now, as KVM guests never make use of gvrd and runtime instrumentation wasn't completely tested yet. Reported-by: Fan Zhang Reviewed-by: Cornelia Huck Signed-off-by: David Hildenbrand Signed-off-by: Cornelia Huck arch/s390/kvm/vsie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d64934019f6cc39202e2f78063709f61ca5cb364 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:54 2016 -0600 x86/efi: Use efi_exit_boot_services() The eboot code directly calls ExitBootServices. This is inadvisable as the UEFI spec details a complex set of errors, race conditions, and API interactions that the caller of ExitBootServices must get correct. The eboot code attempts allocations after calling ExitBootSerives which is not permitted per the spec. Call the efi_exit_boot_services() helper intead, which handles the allocation scenario properly. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming arch/x86/boot/compressed/eboot.c | 136 +++++++++++++++++++-------------------- 1 file changed, 67 insertions(+), 69 deletions(-) commit ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:53 2016 -0600 efi/libstub: Use efi_exit_boot_services() in FDT The FDT code directly calls ExitBootServices. This is inadvisable as the UEFI spec details a complex set of errors, race conditions, and API interactions that the caller of ExitBootServices must get correct. The FDT code does not handle EFI_INVALID_PARAMETER as required by the spec, which causes intermittent boot failures on the Qualcomm Technologies QDF2432. Call the efi_exit_boot_services() helper intead, which handles the EFI_INVALID_PARAMETER scenario properly. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/libstub/fdt.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) commit fc07716ba803483be91bc4b2344f9c84985e6f07 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:52 2016 -0600 efi/libstub: Introduce ExitBootServices helper The spec allows ExitBootServices to fail with EFI_INVALID_PARAMETER if a race condition has occurred where the EFI has updated the memory map after the stub grabbed a reference to the map. The spec defines a retry proceedure with specific requirements to handle this scenario. This scenario was previously observed on x86 - commit d3768d885c6c ("x86, efi: retry ExitBootServices() on failure") but the current fix is not spec compliant and the scenario is now observed on the Qualcomm Technologies QDF2432 via the FDT stub which does not handle the error and thus causes boot failures. The user will notice the boot failure as the kernel is not executed and the system may drop back to a UEFI shell, but will be unresponsive to input and the system will require a power cycle to recover. Add a helper to the stub library that correctly adheres to the spec in the case of EFI_INVALID_PARAMETER from ExitBootServices and can be universally used across all stub implementations. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/libstub/efi-stub-helper.c | 73 ++++++++++++++++++++++++++ include/linux/efi.h | 10 ++++ 2 files changed, 83 insertions(+) commit dadb57abc37499f565b23933dbf49b435c3ba8af Author: Jeffrey Hugo Date: Mon Aug 29 14:38:51 2016 -0600 efi/libstub: Allocate headspace in efi_get_memory_map() efi_get_memory_map() allocates a buffer to store the memory map that it retrieves. This buffer may need to be reused by the client after ExitBootServices() is called, at which point allocations are not longer permitted. To support this usecase, provide the allocated buffer size back to the client, and allocate some additional headroom to account for any reasonable growth in the map that is likely to happen between the call to efi_get_memory_map() and the client reusing the buffer. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming arch/x86/boot/compressed/eboot.c | 20 ++++-- drivers/firmware/efi/libstub/efi-stub-helper.c | 96 ++++++++++++++++++-------- drivers/firmware/efi/libstub/fdt.c | 17 +++-- drivers/firmware/efi/libstub/random.c | 12 +++- include/linux/efi.h | 15 ++-- 5 files changed, 111 insertions(+), 49 deletions(-) commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Author: Yoshihiro Shimoda Date: Mon Aug 29 18:00:38 2016 +0900 usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition The previous driver is possible to stop the transfer wrongly. For example: 1) An interrupt happens, but not BRDY interruption. 2) Read INTSTS0. And than state->intsts0 is not set to BRDY. 3) BRDY is set to 1 here. 4) Read BRDYSTS. 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly. Remarks: - The INTSTS0.BRDY is read only. - If any bits of BRDYSTS are set to 1, the BRDY is set to 1. - If BRDYSTS is 0, the BRDY is set to 0. So, this patch adds condition to avoid such situation. (And about NRDYSTS, this is not used for now. But, avoiding any side effects, this patch doesn't touch it.) Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method") Cc: # v3.8+ Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi drivers/usb/renesas_usbhs/mod.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit 7c113f7df710df2aed63709815e518608dbd338c Author: Fabio Estevam Date: Mon Aug 22 22:45:36 2016 -0300 usb: phy: phy-generic: Check clk_prepare_enable() error clk_prepare_enable() may fail, so we should better check its return value and propagate it in the case of failure. Signed-off-by: Fabio Estevam Signed-off-by: Felipe Balbi drivers/usb/phy/phy-generic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit b2f1eaaee564c5593c303f4d15d827924cb6d20d Author: Yoshihiro Shimoda Date: Tue Aug 23 21:11:13 2016 +0900 usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON This driver should clear the bit. Otherwise, the VBUS will output wrongly if the usb port on a board has VBUS output capability. Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") Cc: # v4.5+ Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi drivers/usb/gadget/udc/renesas_usb3.c | 2 ++ 1 file changed, 2 insertions(+) commit 9d7aba7786b6c9eec6d083e43fd639228c400c3a Author: John Youn Date: Fri Aug 26 18:43:01 2016 -0700 Revert "usb: dwc3: gadget: always decrement by 1" This reverts commit 6f8245b4e37c ("usb: dwc3: gadget: always decrement by 1"). We can't always decrement this value. We should decrement only if the calculation of free slots results in a LINK TRB being among one of the free slots (dequeue < enqueue). Otherwise, if the LINK TRB is not among the free slots then it should not be decremented. Signed-off-by: John Youn Signed-off-by: Felipe Balbi drivers/usb/dwc3/gadget.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 4af9ed578a50cd331a725322cfd9d555251ce788 Author: Andrzej Hajda Date: Tue Aug 30 12:41:37 2016 +0200 efi: Fix handling error value in fdt_find_uefi_params of_get_flat_dt_subnode_by_name can return negative value in case of error. Assigning the result to unsigned variable and checking if the variable is lesser than zero is incorrect and always false. The patch fixes it by using signed variable to check the result. The problem has been detected using semantic patch scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci Signed-off-by: Andrzej Hajda Cc: Bartlomiej Zolnierkiewicz Cc: Marek Szyprowski Cc: Ingo Molnar Cc: Thomas Gleixner Cc: "H. Peter Anvin" Cc: Shawn Lin Cc: Mark Rutland Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/efi.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit d4c4fed08f31f3746000c46cb1b20bed2959547a Author: Jan Beulich Date: Mon Aug 15 09:05:45 2016 -0600 efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen While commit 55f1ea15216 ("efi: Fix for_each_efi_memory_desc_in_map() for empty memmaps") made an attempt to deal with empty memory maps, it didn't address the case where the map field never gets set, as is apparently the case when running under Xen. Reported-by: Tested-by: Cc: Vitaly Kuznetsov Cc: Jiri Slaby Cc: Mark Rutland Cc: # v4.7+ Signed-off-by: Jan Beulich [ Guard the loop with a NULL check instead of pointer underflow ] Signed-off-by: Matt Fleming include/linux/efi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Author: Balbir Singh Date: Mon Sep 5 13:16:40 2016 +1000 sched/core: Fix a race between try_to_wake_up() and a woken up task The origin of the issue I've seen is related to a missing memory barrier between check for task->state and the check for task->on_rq. The task being woken up is already awake from a schedule() and is doing the following: do { schedule() set_current_state(TASK_(UN)INTERRUPTIBLE); } while (!cond); The waker, actually gets stuck doing the following in try_to_wake_up(): while (p->on_cpu) cpu_relax(); Analysis: The instance I've seen involves the following race: CPU1 CPU2 while () { if (cond) break; do { schedule(); set_current_state(TASK_UN..) } while (!cond); wakeup_routine() spin_lock_irqsave(wait_lock) raw_spin_lock_irqsave(wait_lock) wake_up_process() } try_to_wake_up() set_current_state(TASK_RUNNING); .. list_del(&waiter.list); CPU2 wakes up CPU1, but before it can get the wait_lock and set current state to TASK_RUNNING the following occurs: CPU3 wakeup_routine() raw_spin_lock_irqsave(wait_lock) if (!list_empty) wake_up_process() try_to_wake_up() raw_spin_lock_irqsave(p->pi_lock) .. if (p->on_rq && ttwu_wakeup()) .. while (p->on_cpu) cpu_relax() .. CPU3 tries to wake up the task on CPU1 again since it finds it on the wait_queue, CPU1 is spinning on wait_lock, but immediately after CPU2, CPU3 got it. CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and the task is spinning on the wait_lock. Interestingly since p->on_rq is checked under pi_lock, I've noticed that try_to_wake_up() finds p->on_rq to be 0. This was the most confusing bit of the analysis, but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq check is not reliable without this fix IMHO. The race is visible (based on the analysis) only when ttwu_queue() does a remote wakeup via ttwu_queue_remote. In which case the p->on_rq change is not done uder the pi_lock. The result is that after a while the entire system locks up on the raw_spin_irqlock_save(wait_lock) and the holder spins infintely Reproduction of the issue: The issue can be reproduced after a long run on my system with 80 threads and having to tweak available memory to very low and running memory stress-ng mmapfork test. It usually takes a long time to reproduce. I am trying to work on a test case that can reproduce the issue faster, but thats work in progress. I am still testing the changes on my still in a loop and the tests seem OK thus far. Big thanks to Benjamin and Nick for helping debug this as well. Ben helped catch the missing barrier, Nick caught every missing bit in my theory. Signed-off-by: Balbir Singh [ Updated comment to clarify matching barriers. Many architectures do not have a full barrier in switch_to() so that cannot be relied upon. ] Signed-off-by: Peter Zijlstra (Intel) Acked-by: Benjamin Herrenschmidt Cc: Alexey Kardashevskiy Cc: Linus Torvalds Cc: Nicholas Piggin Cc: Nicholas Piggin Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com Signed-off-by: Ingo Molnar kernel/sched/core.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) commit 58763148758057ffc447bf990321d3ea86d199a0 Author: Peter Zijlstra Date: Tue Aug 30 10:15:03 2016 +0200 perf/core: Remove WARN from perf_event_read() This effectively reverts commit: 71e7bc2bab77 ("perf/core: Check return value of the perf_event_read() IPI") ... and puts in a comment explaining why we ignore the return value. Reported-by: Vegard Nossum Signed-off-by: Peter Zijlstra (Intel) Cc: David Carrillo-Cisneros Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 71e7bc2bab77 ("perf/core: Check return value of the perf_event_read() IPI") Signed-off-by: Ingo Molnar kernel/events/core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) commit d7127b5e5fa0551be21b86640f1648b224e36d43 Author: Johannes Berg Date: Fri Aug 26 08:16:00 2016 +0200 locking/barriers: Don't use sizeof(void) in lockless_dereference() My previous commit: 112dc0c8069e ("locking/barriers: Suppress sparse warnings in lockless_dereference()") caused sparse to complain that (in radix-tree.h) we use sizeof(void) since that rcu_dereference()s a void *. Really, all we need is to have the expression *p in here somewhere to make sure p is a pointer type, and sizeof(*p) was the thing that came to my mind first to make sure that's done without really doing anything at runtime. Another thing I had considered was using typeof(*p), but obviously we can't just declare a typeof(*p) variable either, since that may end up being void. Declaring a variable as typeof(*p)* gets around that, and still checks that typeof(*p) is valid, so do that. This type construction can't be done for _________p1 because that will actually be used and causes sparse address space warnings, so keep a separate unused variable for it. Reported-by: Fengguang Wu Signed-off-by: Johannes Berg Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Paul E . McKenney Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: kbuild-all@01.org Fixes: 112dc0c8069e ("locking/barriers: Suppress sparse warnings in lockless_dereference()") Link: http://lkml.kernel.org/r/1472192160-4049-1-git-send-email-johannes@sipsolutions.net Signed-off-by: Ingo Molnar include/linux/compiler.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit cc2187a6e037bc64404f63c6d650ff263c2200c0 Author: Borislav Petkov Date: Sun Sep 4 11:37:36 2016 +0200 x86/microcode/AMD: Fix load of builtin microcode with randomized memory We do not need to add the randomization offset when the microcode is built in. Reported-and-tested-by: Emanuel Czirai Signed-off-by: Borislav Petkov Link: http://lkml.kernel.org/r/20160904093736.GA11939@pd.tnic Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/microcode/amd.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) commit f065e9e4addd75c21bb976bb2558648bf4f61de6 Author: Fabio Estevam Date: Wed Aug 31 10:56:48 2016 -0300 ARM: dts: imx6qdl: Fix SPDIF regression Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") changed many more clocks than only the SPDIF core clock as stated in the commit message. The MLB clock has been added and this causes SPDIF regression as reported by Xavi Drudis Ferran and also in this forum post: https://forum.digikey.com/thread/34240 The MX6Q Reference Manual does not mention that MLB is a clock related to SPDIF, so change it back to a dummy clock to restore SPDIF functionality. Thanks to Ambika for providing the fix at: https://community.nxp.com/thread/387131 Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") Cc: # 4.4.x Reported-by: Xavi Drudis Ferran Signed-off-by: Fabio Estevam Tested-by: Xavi Drudis Ferran Signed-off-by: Shawn Guo arch/arm/boot/dts/imx6qdl.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c6935931c1894ff857616ff8549b61236a19148f Author: Linus Torvalds Date: Sun Sep 4 14:31:46 2016 -0700 Linux 4.8-rc5 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc Author: Linus Torvalds Date: Thu Sep 1 14:43:53 2016 -0700 af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' Right now we use the 'readlock' both for protecting some of the af_unix IO path and for making the bind be single-threaded. The two are independent, but using the same lock makes for a nasty deadlock due to ordering with regards to filesystem locking. The bind locking would want to nest outside the VSF pathname locking, but the IO locking wants to nest inside some of those same locks. We tried to fix this earlier with commit c845acb324aa ("af_unix: Fix splice-bind deadlock") which moved the readlock inside the vfs locks, but that caused problems with overlayfs that will then call back into filesystem routines that take the lock in the wrong order anyway. Splitting the locks means that we can go back to having the bind lock be the outermost lock, and we don't have any deadlocks with lock ordering. Acked-by: Rainer Weikusat Acked-by: Al Viro Signed-off-by: Linus Torvalds Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/af_unix.h | 2 +- net/unix/af_unix.c | 45 +++++++++++++++++++++++---------------------- 2 files changed, 24 insertions(+), 23 deletions(-) commit 38f7bd94a97b542de86a2be9229289717e33a7a4 Author: Linus Torvalds Date: Thu Sep 1 14:56:49 2016 -0700 Revert "af_unix: Fix splice-bind deadlock" This reverts commit c845acb324aa85a39650a14e7696982ceea75dc1. It turns out that it just replaces one deadlock with another one: we can still get the wrong lock ordering with the readlock due to overlayfs calling back into the filesystem layer and still taking the vfs locks after the readlock. The proper solution ends up being to just split the readlock into two pieces: the bind lock (taken *outside* the vfs locks) and the IO lock (taken *inside* the filesystem locks). The two locks are independent anyway. Signed-off-by: Linus Torvalds Reviewed-by: Shmulik Ladkani Signed-off-by: David S. Miller net/unix/af_unix.c | 66 +++++++++++++++++++++--------------------------------- 1 file changed, 26 insertions(+), 40 deletions(-) commit 2f83a53a81f5695b0f13635d411cd78367e547d6 Merge: 24b27fc 3555621 Author: David S. Miller Date: Sun Sep 4 11:42:57 2016 -0700 Merge branch 'vxlan-fixes' Jiri Benc says: ==================== vxlan: fix error reporting This patchset improves checking for invalid configuration in VXLAN and fixes problems with duplicated and inappropriate error messages. ==================== Signed-off-by: David S. Miller commit 3555621de7fcceb79c4850f3d07d1ae4f652acf6 Author: Jiri Benc Date: Fri Sep 2 13:37:12 2016 +0200 vxlan: fix duplicated and wrong error messages vxlan_dev_configure outputs error messages before returning, no need to print again the same mesages in vxlan_newlink. Also, vxlan_dev_configure may return a particular error code for a different reason than vxlan_newlink thinks. Move the remaining error messages into vxlan_dev_configure and let vxlan_newlink just pass on the error code. Signed-off-by: Jiri Benc Signed-off-by: David S. Miller drivers/net/vxlan.c | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) commit 9b4cdd516dadc1b68c55ba24520194a06adff10c Author: Jiri Benc Date: Fri Sep 2 13:37:11 2016 +0200 vxlan: reject multicast destination without an interface Currently, kernel accepts configurations such as: ip l a type vxlan dstport 4789 id 1 group 239.192.0.1 ip l a type vxlan dstport 4789 id 1 group ff0e::110 However, neither of those really works. In the IPv4 case, the interface cannot be brought up ("RTNETLINK answers: No such device"). This is because multicast join will be rejected without the interface being specified. In the IPv6 case, multicast wil be joined on the first interface found. This is not what the user wants as it depends on random factors (order of interfaces). Note that it's possible to add a local address but it doesn't solve anything. For IPv4, it's not considered in the multicast join (thus the same error as above is returned on ifup). This could be added but it wouldn't help for IPv6 anyway. For IPv6, we do need the interface. Just reject a configuration that sets multicast address and does not provide an interface. Nobody can depend on the previous behavior as it never worked. Signed-off-by: Jiri Benc Signed-off-by: David S. Miller drivers/net/vxlan.c | 3 +++ 1 file changed, 3 insertions(+) commit 24b27fc4cdf9e10c5e79e5923b6b7c2c5c95096c Author: Mahesh Bandewar Date: Thu Sep 1 22:18:34 2016 -0700 bonding: Fix bonding crash Following few steps will crash kernel - (a) Create bonding master > modprobe bonding miimon=50 (b) Create macvlan bridge on eth2 > ip link add link eth2 dev mvl0 address aa:0:0:0:0:01 \ type macvlan (c) Now try adding eth2 into the bond > echo +eth2 > /sys/class/net/bond0/bonding/slaves Bonding does lots of things before checking if the device enslaved is busy or not. In this case when the notifier call-chain sends notifications, the bond_netdev_event() assumes that the rx_handler /rx_handler_data is registered while the bond_enslave() hasn't progressed far enough to register rx_handler for the new slave. This patch adds a rx_handler check that can be performed right at the beginning of the enslave code to avoid getting into this situation. Signed-off-by: Mahesh Bandewar Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 7 ++++--- include/linux/netdevice.h | 1 + net/core/dev.c | 16 ++++++++++++++++ 3 files changed, 21 insertions(+), 3 deletions(-) commit 334a8f37115bf35e38617315a360a91ac4f2b2c6 Author: Trond Myklebust Date: Sun Sep 4 12:46:35 2016 -0400 pNFS: Don't forget the layout stateid if there are outstanding LAYOUTGETs If there are outstanding LAYOUTGET rpc calls, then we want to ensure that we keep the layout stateid around so we that don't inadvertently pick up an old/misordered sequence id. The race is as follows: Client Server ====== ====== LAYOUTGET(seqid) LAYOUTGET(seqid) return LAYOUTGET(seqid+1) return LAYOUTGET(seqid+2) process LAYOUTGET(seqid+2) forget layout process LAYOUTGET(seqid+1) If it forgets the layout stateid before processing seqid+1, then the client will not check the layout->plh_barrier, and so will set the stateid with seqid+1. Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9ca581b50dab6103183396852cc08e440fcda18e Merge: 1c33336 d199299 Author: Linus Torvalds Date: Sun Sep 4 08:45:41 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "A single fix for an AMD erratum so machines without a BIOS fix work" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/AMD: Apply erratum 665 on machines without a BIOS fix commit 1c3333600b0ebca94edffb3bb431c78687dc3d36 Merge: 28e6815 08d07259 Author: Linus Torvalds Date: Sun Sep 4 08:43:45 2016 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "Two fixlet from the timers departement: - A fix for scheduler stalls in the tick idle code affecting NOHZ_FULL kernels - A trivial compile fix" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tick/nohz: Fix softlockup on scheduler stalls in kvm guest clocksource/drivers/atmel-pit: Fix compilation error commit f361e5a01ed35c0f9a00816d76a910d8a5cb4547 Author: Steve Wise Date: Fri Sep 2 09:01:27 2016 -0700 nvme-rdma: destroy nvme queue rdma resources on connect failure After address resolution, the nvme_rdma_queue rdma resources are allocated. If rdma route resolution or the connect fails, or the controller reconnect times out and gives up, then the rdma resources need to be freed. Otherwise, rdma resources are leaked. Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit cdbecc8d24b642b67ae79a0acc2ff18d3d0e677e Author: Steve Wise Date: Thu Sep 1 09:12:25 2016 -0700 nvme_rdma: keep a ref on the ctrl during delete/flush Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) commit 37eb816c0867b1b0db273d22b530780a0a083980 Author: Steve Wise Date: Thu Sep 1 06:44:52 2016 -0700 iw_cxgb4: block module unload until all ep resources are released Otherwise an endpoint can be still closing down causing a touch after free crash. Also WARN_ON if ulps have failed to destroy various resources during device removal. Fixes: ad61a4c7a9b7 ("iw_cxgb4: don't block in destroy_qp awaiting the last deref") Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/infiniband/hw/cxgb4/cm.c | 2 ++ drivers/infiniband/hw/cxgb4/device.c | 5 +++++ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 1 + 3 files changed, 8 insertions(+) commit 609e941a6bcd7ceb1cbb561941c997f6465e8698 Author: Steve Wise Date: Thu Sep 1 06:43:46 2016 -0700 iw_cxgb4: call dev_put() on l2t allocation failure Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/infiniband/hw/cxgb4/cm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 28e68154c5e2793123b248d38cf17b34dcb16d87 Merge: 4b30b6d edd1ea2 Author: Linus Torvalds Date: Sat Sep 3 17:29:58 2016 -0700 Merge tag 'dm-4.8-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - a stable fix in both DM crypt and DM log-writes for too large bios (as generated by bcache) - two other stable fixes for DM log-writes - a stable fix for a DM crypt bug that could result in freeing pointers from uninitialized memory in the tfm allocation error path - a DM bufio cleanup to discontinue using create_singlethread_workqueue() * tag 'dm-4.8-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm bufio: remove use of deprecated create_singlethread_workqueue() dm crypt: fix free of bad values after tfm allocation failure dm crypt: fix error with too large bios dm log writes: fix check of kthread_run() return value dm log writes: fix bug with too large bios dm log writes: move IO accounting earlier to fix error path commit 4b30b6d126ca8b23b319f5329570f6855736a095 Merge: 2bece1a cb88708 Author: Linus Torvalds Date: Sat Sep 3 12:40:45 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "I'm still prepping a set of fixes for btrfs fsync, just nailing down a hard to trigger memory corruption. For now, these are tested and ready." * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket() Btrfs: fix endless loop in balancing block groups Btrfs: kill invalid ASSERT() in process_all_refs() commit 2bece1a0106497d065fb7db77abc525d32d3bf04 Merge: 593ee4e 744c6c3 Author: Linus Torvalds Date: Sat Sep 3 12:31:37 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: "arm64 and arm/perf fixes: - arm64 fix: debug exception unmasking on the CPU resume path - ARM PMU fixes: memory leak on error path and NULL pointer dereference" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1 drivers/perf: arm_pmu: Fix NULL pointer dereference during probe drivers/perf: arm_pmu: Fix leak in error path commit 593ee4edc51d99fadda9f6eea8c0201c59452de7 Merge: 4148820 ccdf3b8 Author: Linus Torvalds Date: Sat Sep 3 11:38:43 2016 -0700 Merge tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a number of small driver fixes for 4.8-rc5. The largest thing here is deleting an obsolete driver, drivers/misc/bh1780gli.c, as the functionality of it was replaced by an iio driver a while ago. The other fixes are things that have been reported, or reverts of broken stuff (the binder change). All of these changes have been in linux-next for a while with no reported issues" * tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: thunderbolt: Don't declare Falcon Ridge unsupported thunderbolt: Add support for INTEL_FALCON_RIDGE_2C controller. thunderbolt: Fix resume quirk for Falcon Ridge 4C. lkdtm: Mark lkdtm_rodata_do_nothing() notrace mei: me: disable driver on SPT SPS firmware Revert "android: binder: fix dangling pointer comparison" drivers/iio/light/Kconfig: SENSORS_BH1780 cleanup android: binder: fix dangling pointer comparison misc: delete bh1780 driver commit 41488202f1afac2e7425cc4d4a3b4208c3e2cc8c Merge: 018c81b8 17d0774 Author: Linus Torvalds Date: Sat Sep 3 11:36:55 2016 -0700 Merge tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "Here are three small fixes for 4.8-rc5. One for sysfs, one for kernfs, and one documentation fix, all for reported issues. All of these have been in linux-next for a while" * tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: sysfs: correctly handle read offset on PREALLOC attrs documentation: drivers/core/of: fix name of of_node symlink kernfs: don't depend on d_find_any_alias() when generating notifications commit 018c81b827563c4d64ad79f9b90ea985a65bff4d Merge: 39da979 eafe5cf Author: Linus Torvalds Date: Sat Sep 3 11:33:33 2016 -0700 Merge tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/IIO driver fixes from Greg KH: "Here are a number of small fixes for staging and IIO drivers that resolve reported problems. Full details are in the shortlog. All of these have been in linux-next with no reported issues" * tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (35 commits) arm: dts: rockchip: add reset node for the exist saradc SoCs arm64: dts: rockchip: add reset saradc node for rk3368 SoCs iio: adc: rockchip_saradc: reset saradc controller before programming it iio: accel: kxsd9: Fix raw read return iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access include/linux: fix excess fence.h kernel-doc notation staging: wilc1000: correctly check if associatedsta has not been found staging: wilc1000: NULL dereference on error staging: wilc1000: txq_event: Fix coding error MAINTAINERS: Add file patterns for ion device tree bindings MAINTAINERS: Update maintainer entry for wilc1000 iio: chemical: atlas-ph-sensor: fix typo in val assignment iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING" staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility staging: comedi: dt2811: fix a precedence bug staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN. staging: comedi: ni_mio_common: fix wrong insn_write handler staging: comedi: comedi_test: fix timer race conditions staging: comedi: daqboard2000: bug fix board type matching code ... commit 39da979c98cf7516bc7b2c648ee4aed528eb1f36 Merge: 70dad49 c8d1924 Author: Linus Torvalds Date: Sat Sep 3 11:29:31 2016 -0700 Merge tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull serial driver fixes from Greg KH: "Here are some small serial driver fixes for 4.8-rc5. One fixes an oft-reported build issue with the fintek driver, another reverts a patch that was causing problems, one fixes a crash, and some new device ids were added. All of these have been in linux-next for a while" * tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: 8250: added acces i/o products quad and octal serial cards serial: 8250_mid: fix divide error bug if baud rate is 0 Revert "tty/serial/8250: use mctrl_gpio helpers" 8250/fintek: rename IRQ_MODE macro commit 70dad4998ee482f08c85c5956765ea6c31da8734 Merge: 3e42394 2c55754 Author: Linus Torvalds Date: Sat Sep 3 11:24:23 2016 -0700 Merge tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB/PHY fixes from Greg KH: "Here are some USB and PHY driver fixes for 4.8-rc5 Nothing major, lots of little fixes for reported bugs, and a build fix for a missing .h file that the phy drivers needed. All of these have been in linux-next for a while with no reported issues" * tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (24 commits) usb: musb: Fix locking errors for host only mode usb: dwc3: gadget: always decrement by 1 usb: dwc3: debug: fix ep name on trace output usb: gadget: udc: core: don't starve DMA resources USB: serial: option: add WeTelecom 0x6802 and 0x6803 products USB: avoid left shift by -1 USB: fix typo in wMaxPacketSize validation usb: gadget: Add the gserial port checking in gs_start_tx() usb: dwc3: gadget: don't rely on jiffies while holding spinlock usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() usb: gadget: function: f_rndis: socket buffer may be NULL usb: gadget: function: f_eem: socket buffer may be NULL usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe() usb: dwc2: Add reset control to dwc2 usb: dwc3: core: allow device to runtime_suspend several times usb: dwc3: pci: runtime_resume child device USB: serial: option: add WeTelecom WM-D200 usb: chipidea: udc: don't touch DP when controller is in host mode USB: serial: mos7840: fix non-atomic allocation in write path USB: serial: mos7720: fix non-atomic allocation in write path ... commit 3e423945ea94412283eaba8bfbe9d6e0a80b434f Author: Linus Torvalds Date: Sat Sep 3 11:02:50 2016 -0700 devpts: return NULL pts 'priv' entry for non-devpts nodes In commit 8ead9dd54716 ("devpts: more pty driver interface cleanups") I made devpts_get_priv() just return the dentry->fs_data directly. And because I thought it wouldn't happen, I added a warning if you ever saw a pts node that wasn't on devpts. And no, that warning never triggered under any actual real use, but you can trigger it by creating nonsensical pts nodes by hand. So just revert the warning, and make devpts_get_priv() return NULL for that case like it used to. Reported-by: Dmitry Vyukov Cc: stable@vger.kernel.org # 4.6+ Cc: Eric W Biederman" Signed-off-by: Linus Torvalds fs/devpts/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4c3cb6e9a9d94d1553807854a565cd27ff4c22aa Author: Dan Williams Date: Sat Sep 3 10:36:00 2016 -0700 dax: fix mapping size check pgoff_to_phys() validates that both the starting address and the length of the mapping against the resource list. We need to check for a mapping size of PMD_SIZE not PAGE_SIZE in the pmd fault path. Signed-off-by: Dan Williams drivers/dax/dax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Author: Linus Walleij Date: Thu Sep 1 11:44:35 2016 +0200 iio: accel: kxsd9: Fix scaling bug All the scaling of the KXSD9 involves multiplication with a fraction number < 1. However the scaling value returned from IIO_INFO_SCALE was unpredictable as only the micros of the value was assigned, and not the integer part, resulting in scaling like this: $cat in_accel_scale -1057462640.011978 Fix this by assigning zero to the integer part. Cc: stable@vger.kernel.org Tested-by: Jonathan Cameron Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron drivers/iio/accel/kxsd9.c | 1 + 1 file changed, 1 insertion(+) commit 1c500840934a138bd6b13556c210516e9301fbee Author: Olof Johansson Date: Thu Aug 25 09:45:33 2016 -0700 iio: accel: bmc150: reset chip at init time In at least one known setup, the chip comes up in a state where reading the chip ID returns garbage unless it's been reset, due to noise on the wires during system boot. All supported chips have the same reset method, and based on the datasheets they all need 1.3 or 1.8ms to recover after reset. So, do the conservative thing here and always reset the chip. Signed-off-by: Olof Johansson Reviewed-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron drivers/iio/accel/bmc150-accel-core.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit 52ec7be2e27392201adf77892ba883f68df88c99 Author: Trond Myklebust Date: Sat Sep 3 11:05:28 2016 -0400 pNFS: Clear out all layout segments if the server unsets lrp->res.lrs_present If the server fails to set lrp->res.lrs_present in the LAYOUTRETURN reply, then that means it believes the client holds no more layout state for that file, and that the layout stateid is now invalid. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 2a59a0411671ef9daf17ba21da57809c696f4119 Author: Trond Myklebust Date: Sat Sep 3 11:20:04 2016 -0400 pNFS: Fix pnfs_set_layout_stateid() to clear NFS_LAYOUT_INVALID_STID If the layout was marked as invalid, we want to ensure to initialise the layout header fields correctly. Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Author: Trond Myklebust Date: Sat Sep 3 10:39:51 2016 -0400 pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised According to RFC5661, the client is responsible for serialising LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case where we send both in parallel. Client Server ====== ====== LAYOUTGET(seqid=X) LAYOUTRETURN(seqid=X) LAYOUTGET return seqid=X+1 LAYOUTRETURN return seqid=X+2 Process LAYOUTRETURN Forget layout stateid Process LAYOUTGET Set seqid=X+1 The client processes the layoutget/layoutreturn in the wrong order, and since the result of the layoutreturn was to clear the only existing layout segment, the client forgets the layout stateid. When the LAYOUTGET comes in, it is treated as having a completely new stateid, and so the client sets the wrong sequence id... Fix is to check if there are outstanding LAYOUTGET requests before we send the LAYOUTRETURN (note that LAYOUGET will already wait if it sees an outstanding LAYOUTRETURN). Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 3 +++ 1 file changed, 3 insertions(+) commit c49edecd513693ea7530ab18efbd7d6d5b7cbf90 Author: Trond Myklebust Date: Sat Sep 3 12:05:31 2016 -0400 NFS: Fix error reporting in nfs_file_write() When doing O_DSYNC writes, the actual write errors are reported through generic_write_sync(), so we must test the result. Reported-by: J. R. Okajima Fixes: 18290650b1c8 ("NFS: Move buffered I/O locking into nfs_file_write()") Signed-off-by: Trond Myklebust fs/nfs/file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 36afb176d3c9580651d7f410ed7f000ec48b5137 Author: Kweh, Hock Leong Date: Mon Aug 29 18:50:56 2016 +0800 iio: fix pressure data output unit in hid-sensor-attributes According to IIO ABI definition, IIO_PRESSURE data output unit is kilopascal: http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio This patch fix output unit of HID pressure sensor IIO driver from pascal to kilopascal to follow IIO ABI definition. Signed-off-by: Kweh, Hock Leong Reviewed-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a41bd25ae67d3e4052c7f00ee9f2b4ba9219309e Author: Paolo Abeni Date: Thu Aug 25 18:42:35 2016 +0200 sunrpc: fix UDP memory accounting The commit f9b2ee714c5c ("SUNRPC: Move UDP receive data path into a workqueue context"), as a side effect, moved the skb_free_datagram() call outside the scope of the related socket lock, but UDP sockets require such lock to be held for proper memory accounting. Fix it by replacing skb_free_datagram() with skb_free_datagram_locked(). Fixes: f9b2ee714c5c ("SUNRPC: Move UDP receive data path into a workqueue context") Reported-and-tested-by: Jan Stancek Signed-off-by: Paolo Abeni Cc: stable@vger.kernel.org # 4.4+ Signed-off-by: Trond Myklebust net/sunrpc/xprtsock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 787ad90332b3573d502a6c1aff52f708ca141976 Merge: f735aa2 1bc8da4 Author: Mark Brown Date: Sat Sep 3 12:10:09 2016 +0100 Merge remote-tracking branch 'regmap/fix/rbtree' into regmap-linus commit f735aa279021149ef600febe07333ad218783d79 Merge: 3eab887 815806e Author: Mark Brown Date: Sat Sep 3 12:10:08 2016 +0100 Merge remote-tracking branch 'regmap/fix/cache' into regmap-linus commit d0716dde375eb6bff332763bb2137302120d263d Author: Sien Wu Date: Thu Sep 1 18:24:29 2016 -0500 spi: Prevent unexpected SPI time out due to arithmetic overflow When reading SPI flash as MTD device, the transfer length is directly passed to the spi driver. If the requested data size exceeds 512KB, it will cause the time out calculation to overflow since transfer length is 32-bit unsigned integer. This issue is resolved by using 64-bit unsigned integer to perform the arithmetic. Signed-off-by: Sien Wu Acked-by: Brad Keryan Acked-by: Gratian Crisan Acked-by: Brad Mouring Natinst-ReviewBoard-ID 150232 Signed-off-by: Mark Brown drivers/spi/spi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 0141af184adc7f6ea9bd2f9631a15704d0806f8b Merge: 0ddc9e5 d8d8d9d Author: Linus Torvalds Date: Fri Sep 2 21:05:38 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A collection of fixes for the nvme over fabrics code" * 'for-linus' of git://git.kernel.dk/linux-block: nvme-rdma: Get rid of redundant defines nvme-rdma: Get rid of duplicate variable nvme: fabrics drivers don't need the nvme-pci driver nvme-fabrics: get a reference when reusing a nvme_host structure nvme-fabrics: change NQN UUID to big-endian format nvme-loop: set sqsize to 0-based value, per spec nvme-rdma: fix sqsize/hsqsize per spec fabrics: define admin sqsize min default, per spec nvmet-rdma: +1 to *queue_size from hsqsize/hrqsize nvmet-rdma: Fix use after free nvme-rdma: initialize ret to zero to avoid returning garbage commit 312565a0c38ab12275b6ca5ec75d21f3f3ace844 Merge: 2f86953 f252974 Author: David S. Miller Date: Fri Sep 2 17:28:34 2016 -0700 Merge branch 'smsc911x-fixes' Jeremy Linton says: ==================== net: smsc911x: Move phy and interrupt config v2-v3: Move error handing into separate patch, replace a couple cases of fixed errors with the errors being returned from the failing functions. Hoist irq handler. The smsc911x driver is doing a number of things in its probe routine that should be delayed until the interface is started. Because of this, the module cannot be unloaded, the phy states are incorrect/stale if the interface isn't running, open's unnecessarily fail causing network configuration problems, and the /proc/irq nodes are incorrectly named. Clean up a number of these problems by moving the mdio and interrupt configuration into the smsc911x_open routine. ==================== Signed-off-by: David S. Miller commit f252974eaa64f64b940894f24bfa162a8e7f6b0d Author: Jeremy Linton Date: Thu Sep 1 15:15:09 2016 -0500 net: smsc911x: Move interrupt allocation to open/stop The /proc/irq/xx information is incorrect for smsc911x because the request_irq is happening before the register_netdev has the proper device name. Moving it to the open also fixes the case of when the device is renamed. Reported-by: Will Deacon Signed-off-by: Jeremy Linton Tested-by: Will Deacon Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 47 ++++++++++++++---------------------- 1 file changed, 18 insertions(+), 29 deletions(-) commit a85f00c36ef53ea3cb5ebf3dee4ce9cc6726671f Author: Jeremy Linton Date: Thu Sep 1 15:15:08 2016 -0500 net: smsc911x: Move interrupt handler before open In preparation for the allocating/enabling interrupts in the ndo_open routine move the irq handler before it. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 122 +++++++++++++++++------------------ 1 file changed, 61 insertions(+), 61 deletions(-) commit aea95dd52db436f406f3f45a455a710774a3a210 Author: Jeremy Linton Date: Thu Sep 1 15:15:07 2016 -0500 net: smsc911x: Fix register_netdev, phy startup, driver unload ordering Move phy startup/shutdown into the smsc911x_open/stop routines. This allows the module to be unloaded because phy_connect_direct is no longer always holding the module use count. This one change also resolves a number of other problems. The link status of a downed interface no longer reflects a stale state. Errors caused by the net device being opened before the mdio/phy was configured. There is also a potential power savings as the phy's don't remain powered when the interface isn't running. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 48 ++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) commit 1358bd5a7477b346dfb6b502051d61f29b11a200 Author: Jeremy Linton Date: Thu Sep 1 15:15:06 2016 -0500 net: smsc911x: Remove multiple exit points from smsc911x_open Rework the error handling in smsc911x open in preparation for the mdio startup being moved here. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) commit 0ddc9e5a112489e1703143ad75b44fc57f9ac25a Merge: 601b586 4a29b34 Author: Linus Torvalds Date: Fri Sep 2 15:33:54 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull TPM bugfix from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: tpm: invalid self test error message commit 4a29b3484f857ff350f203a2d9bf3b428c9e0bf2 Author: Jarkko Sakkinen Date: Fri Sep 2 02:36:58 2016 +0300 tpm: invalid self test error message The driver emits invalid self test error message even though the init succeeds. Signed-off-by: Jarkko Sakkinen Fixes: cae8b441fc20 ("tpm: Factor out common startup code") Reviewed-by: James Morris Signed-off-by: James Morris drivers/char/tpm/tpm2-cmd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 601b58699440b421756e5a2b8f3f2211879dd94d Merge: 9a0bcc8 5331d9c Author: Linus Torvalds Date: Fri Sep 2 15:16:04 2016 -0700 Merge tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes ffrom Rafael Wysocki: "Two stable-candidate fixes for the ACPI early device probing code added during the 4.4 cycle, one fixing a typo in a stub macro used when CONFIG_ACPI is unset and one that prevents sleeping functions from being called under a spinlock (Lorenzo Pieralisi)" * tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / drivers: replace acpi_probe_lock spinlock with mutex ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro commit 9a0bcc8fe701bb6e05e622c19b5815e949c9b7c5 Merge: 15301a5 b654c62 Author: Linus Torvalds Date: Fri Sep 2 15:07:41 2016 -0700 Merge tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "This includes a stable-candidate cpufreq-dt driver problem fix and annotations of tracepoints in the runtime PM framework. Specifics: - Fix the definition of the cpufreq-dt driver's machines table introduced during the 4.7 cycle that should be NULL-terminated, but the termination entry is missing from it (Wei Yongjun). - Annotate tracepoints in the runtime PM framework's core so as to allow the functions containing them to be called from the idle code path without causing RCU to complain about illegal usage (Paul McKenney)" * tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle cpufreq: dt: Add terminate entry for of_device_id tables commit b654c62e7734cdcd507a5751cd940077be2ad373 Merge: bd37e02 d7737ce Author: Rafael J. Wysocki Date: Fri Sep 2 22:38:30 2016 +0200 Merge branches 'pm-cpufreq-fixes' and 'pm-core-fixes' * pm-cpufreq-fixes: cpufreq: dt: Add terminate entry for of_device_id tables * pm-core-fixes: PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle commit 5331d9cab32ef640b4cd38a43b0858874fbb7168 Author: Lorenzo Pieralisi Date: Tue Aug 16 16:59:53 2016 +0100 ACPI / drivers: replace acpi_probe_lock spinlock with mutex Commit e647b532275b ("ACPI: Add early device probing infrastructure") introduced code that allows inserting driver specific struct acpi_probe_entry probe entries into ACPI linker sections (one per-subsystem, eg irqchip, clocksource) that are then walked to retrieve the data and function hooks required to probe the respective kernel components. Probing for all entries in a section is triggered through the __acpi_probe_device_table() function, that in turn, according to the table ID a given probe entry reports parses the table with the function retrieved from the respective section structures (ie struct acpi_probe_entry). Owing to the current ACPI table parsing implementation, the __acpi_probe_device_table() function has to share global variables with the acpi_match_madt() function, so in order to guarantee mutual exclusion locking is required between the two functions. Current kernel code implements the locking through the acpi_probe_lock spinlock; this has the side effect of requiring all code called within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks) not to sleep. However, kernel subsystems that make use of the early probing infrastructure are relying on kernel APIs that may sleep (eg irq_domain_alloc_fwnode(), among others) in the function calls pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries (eg gic_v2_acpi_init()), which is a bug. Since __acpi_probe_device_table() is called from context that is allowed to sleep the acpi_probe_lock spinlock can be replaced with a mutex; this fixes the issue whilst still guaranteeing mutual exclusion. Signed-off-by: Lorenzo Pieralisi Fixes: e647b532275b (ACPI: Add early device probing infrastructure) Cc: 4.4+ # 4.4+ Signed-off-by: Rafael J. Wysocki drivers/acpi/scan.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 3feab13c919f99b0a17d0ca22ae00cf90f5d3fd1 Author: Lorenzo Pieralisi Date: Tue Aug 16 16:59:52 2016 +0100 ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro When the ACPI_DECLARE_PROBE_ENTRY macro was added in commit e647b532275b ("ACPI: Add early device probing infrastructure"), a stub macro adding an unused entry was added for the !CONFIG_ACPI Kconfig option case to make sure kernel code making use of the macro did not require to be guarded within CONFIG_ACPI in order to be compiled. The stub macro was never used since all kernel code that defines ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within CONFIG_ACPI; it contains a typo that should be nonetheless fixed. Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY() macro so that it can actually be used if needed. Signed-off-by: Lorenzo Pieralisi Fixes: e647b532275b (ACPI: Add early device probing infrastructure) Cc: 4.4+ # 4.4+ Signed-off-by: Rafael J. Wysocki include/linux/acpi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2f86953e7436c9b9a4690909c5e2db24799e173b Author: Sabrina Dubroca Date: Fri Sep 2 10:22:54 2016 +0200 l2tp: fix use-after-free during module unload Tunnel deletion is delayed by both a workqueue (l2tp_tunnel_delete -> wq -> l2tp_tunnel_del_work) and RCU (sk_destruct -> RCU -> l2tp_tunnel_destruct). By the time l2tp_tunnel_destruct() runs to destroy the tunnel and finish destroying the socket, the private data reserved via the net_generic mechanism has already been freed, but l2tp_tunnel_destruct() actually uses this data. Make sure tunnel deletion for the netns has completed before returning from l2tp_exit_net() by first flushing the tunnel removal workqueue, and then waiting for RCU callbacks to complete. Fixes: 167eb17e0b17 ("l2tp: create tunnel sockets in the right namespace") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 3 +++ 1 file changed, 3 insertions(+) commit d1992996753132e2dafe955cccb2fb0714d3cfc4 Author: Emanuel Czirai Date: Fri Sep 2 07:35:50 2016 +0200 x86/AMD: Apply erratum 665 on machines without a BIOS fix AMD F12h machines have an erratum which can cause DIV/IDIV to behave unpredictably. The workaround is to set MSRC001_1029[31] but sometimes there is no BIOS update containing that workaround so let's do it ourselves unconditionally. It is simple enough. [ Borislav: Wrote commit message. ] Signed-off-by: Emanuel Czirai Signed-off-by: Borislav Petkov Cc: Yaowu Xu Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/amd.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit 16170d9c102764f76c58aad244e947f4e3f44590 Author: Mike Marciniszyn Date: Wed Aug 31 07:24:46 2016 -0700 IB/hfi1: Rework debugfs to use SRCU The debugfs RCU trips many debug kernel warnings because of potential sleeps with an RCU read lock held. This includes both user copy calls and slab allocations throughout the file. This patch switches the RCU to use SRCU for file remove/access race protection. In one case, the SRCU is implicit in the use of the raw debugfs file object and just works. In the seq_file case, a wrapper around seq_read() and seq_lseek() is used to enforce the SRCU using the debugfs supplied functions debugfs_use_file_start() and debugfs_use_file_stop(). The sychronize_rcu() is deleted since the SRCU prevents the remove access race. The RCU locking is kept for qp_stats since the QP hash list is protected using the non-sleepable RCU. Reviewed-by: Sebastian Sanchez Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/debugfs.c | 132 ++++++++++++++--------------------- 1 file changed, 52 insertions(+), 80 deletions(-) commit 429b6a721727d49d8565b50a6bc0dc42432383a9 Author: Harish Chegondi Date: Wed Aug 31 07:24:40 2016 -0700 IB/hfi1: Make n_krcvqs be an unsigned long integer The global variable n_krcvqs stores the sum of the number of kernel receive queues of VLs 0-7 which the user can pass to the driver through the module parameter array krcvqs which is of type unsigned integer. If the user passes large value(s) into krcvqs parameter array, it can cause an arithmetic overflow while calculating n_krcvqs which is also of type unsigned int. The overflow results in an incorrect value of n_krcvqs which can lead to kernel crash while loading the driver. Fix by changing the data type of n_krcvqs to unsigned long. This patch also changes the data type of other variables that get their values from n_krcvqs. Reviewed-by: Dennis Dalessandro Signed-off-by: Harish Chegondi Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/chip.c | 6 +++--- drivers/infiniband/hw/hfi1/hfi.h | 2 +- drivers/infiniband/hw/hfi1/init.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) commit 673b975f1fbad5382f76afdb987e7513c5f4b71b Author: Dean Luick Date: Wed Aug 31 07:24:33 2016 -0700 IB/hfi1: Add QSFP sanity pre-check Sometimes a QSFP device does not respond in the expected time after a power-on. Add a read pre-check/retry when starting the link on driver load. Reviewed-by: Easwar Hariharan Signed-off-by: Dean Luick Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/chip.c | 86 +++++++++++++++++++++++++++++++++++---- drivers/infiniband/hw/hfi1/chip.h | 1 + drivers/infiniband/hw/hfi1/hfi.h | 2 + drivers/infiniband/hw/hfi1/init.c | 1 + 4 files changed, 82 insertions(+), 8 deletions(-) commit af53493916693343955930556aaa83f875b8436a Author: Jubin John Date: Wed Aug 31 07:24:27 2016 -0700 IB/hfi1: Fix AHG KDETH Intr shift In the set_txreq_header_ahg(), The KDETH Intr bit is obtained from the header in the user sdma request using a KDETH_GET shift and mask macro. This value is then futher right shifted by 16 causing us to lose the value i.e it is shifted to zero, leading to the following smatch warning: drivers/infiniband/hw/hfi1/user_sdma.c:1482 set_txreq_header_ahg() warn: mask and shift to zero The Intr bit should be left shifted into its correct position in the KDETH header before the AHG update. Reported-by: Dan Carpenter Reviewed-by: Mitko Haralanov Reviewed-by: Harish Chegondi Signed-off-by: Jubin John Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/user_sdma.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 3e6c3b0fd5d071ed17bf91586aae35a6cfb8cdb3 Author: Sebastian Sanchez Date: Wed Aug 31 07:24:20 2016 -0700 IB/hfi1: Fix SGE length for misaligned PIO copy When trying to align the source pointer and there's a byte carry in an SGE copy, bytes are borrowed from the next quad-word X to complete the required quad-word copy. Then, the SGE length is reduced by the number of borrowed bytes. After this, if the remaining number of bytes from quad-word X (extra bytes) is greater than the new SGE length, the number of extra bytes needs to be updated to the new SGE length. Otherwise, when the SGE length gets updated again after the extra bytes are read to create the new byte carry, it goes negative, which then becomes a very large number as the SGE length is an unsigned integer. This causes SGE buffer to be over-read. Reviewed-by: Dean Luick Signed-off-by: Sebastian Sanchez Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/pio_copy.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit dbdf7d4e7f911f79ceb08365a756bbf6eecac81c Author: Leon Romanovsky Date: Sun Aug 28 10:58:38 2016 +0300 IB/mlx5: Don't return errors from poll_cq Remove returning errors from mlx5 poll_cq function. Polling CQ operation in kernel never fails by Mellanox HCA architecture and respective driver design. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/cq.c | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) commit d9f88e5ab9a73058ebdde589219c0d37da250f06 Author: Yishai Hadas Date: Sun Aug 28 10:58:37 2016 +0300 IB/mlx5: Use TIR number based on selector Use TIR number based on selector, it should be done to differentiate between RSS QP to RAW one. Reported-by: Sagi Grimberg Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Tested-by: Sagi Grimberg Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 6 +++++- drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 + drivers/infiniband/hw/mlx5/qp.c | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) commit b2a232d21f301d600b02c6f9ccbc9f977331bb39 Author: Leon Romanovsky Date: Sun Aug 28 10:58:35 2016 +0300 IB/mlx5: Simplify code by removing return variable Return variable was set in a line before the actual return was called in begin_wqe function. This patch removes such variable and simplifies the code. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/qp.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) commit 24be409beede1a7cbe95b1740c4cdade3b6a8187 Author: Chuck Lever Date: Sun Aug 28 10:58:34 2016 +0300 IB/mlx5: Return EINVAL when caller specifies too many SGEs The returned value should be EINVAL, because it is caused by wrong caller and not by internal overflow event. Signed-off-by: Chuck Lever Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 20697434b6ea9c6d895ebc5217a46f18850a109f Author: Leon Romanovsky Date: Sun Aug 28 10:58:33 2016 +0300 IB/mlx4: Don't return errors from poll_cq Remove returning errors from mlx4 poll_cq function. Polling CQ operation in kernel never fails by Mellanox HCA architecture and respective driver design. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) commit 25b64fc5f2c0779b53ec155d69cc06b7cdc6e99f Author: Leon Romanovsky Date: Sun Aug 28 10:58:32 2016 +0300 Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one" By Mellanox HW design and SW implementation, poll_cq never fails and returns errors, so all these printks are to catch ULP bugs. In case of such bug, the reverted patch will cause reentry of the function, resulting in a printk storm. This reverts commit 5412352fcd8f ("IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 546481c2816ea3c061ee9d5658eb48070f69212e Author: Erez Shitrit Date: Sun Aug 28 10:58:31 2016 +0300 IB/ipoib: Fix memory corruption in ipoib cm mode connect flow When a new CM connection is being requested, ipoib driver copies data from the path pointer in the CM/tx object, the path object might be invalid at the point and memory corruption will happened later when now the CM driver will try using that data. The next scenario demonstrates it: neigh_add_path --> ipoib_cm_create_tx --> queue_work (pointer to path is in the cm/tx struct) #while the work is still in the queue, #the port goes down and causes the ipoib_flush_paths: ipoib_flush_paths --> path_free --> kfree(path) #at this point the work scheduled starts. ipoib_cm_tx_start --> copy from the (invalid)path pointer: (memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);) -> memory corruption. To fix that the driver now starts the CM/tx connection only if that specific path exists in the general paths database. This check is protected with the relevant locks, and uses the gid from the neigh member in the CM/tx object which is valid according to the ref count that was taken by the CM/tx. Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support') Signed-off-by: Erez Shitrit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib.h | 1 + drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++++++++++++++ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +- 3 files changed, 18 insertions(+), 1 deletion(-) commit 68c6bcdd8bd00394c234b915ab9b97c74104130c Author: Erez Shitrit Date: Sun Aug 28 10:58:30 2016 +0300 IB/core: Fix use after free in send_leave function The function send_leave sets the member: group->query_id (group->query_id = ret) after calling the sa_query, but leave_handler can be executed before the setting and it might delete the group object, and will get a memory corruption. Additionally, this patch gets rid of group->query_id variable which is not used. Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests') Signed-off-by: Erez Shitrit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/core/multicast.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) commit 656aacea6c90ce8e15c2bdef4f89b74b73e2e34a Author: Baoyou Xie Date: Sun Aug 28 22:57:11 2016 +0800 IB/cxgb4: Make _free_qp static to silence build warning We get 1 warning when build kernel with W=1: drivers/infiniband/hw/cxgb4/qp.c:686:6: warning: no previous prototype for '_free_qp' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. so this patch marks it 'static'. Signed-off-by: Baoyou Xie Reviewed-by: Yuval Shaia Reviewed-by: Leon Romanovsky Acked-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 63b268d232b869dfbc92e49c77f7e0648e1d039c Author: Raju Rangoju Date: Mon Aug 29 17:15:49 2016 +0530 IB/isert: Properly release resources on DEVICE_REMOVAL When the low level driver exercises the hot unplug they would call rdma_cm cma_remove_one which would fire DEVICE_REMOVAL event to all cma consumers. Now, if consumer doesn't make sure they destroy all IB objects created on that IB device instance prior to finalizing all processing of DEVICE_REMOVAL callback, rdma_cm will let the lld to de-register with IB core and destroy the IB device instance. And if the consumer calls (say) ib_dereg_mr(), it will crash since that dev object is NULL. In the current implementation, iser-target just initiates the cleanup and returns from DEVICE_REMOVAL callback. This deferred work creates a race between iser-target cleaning IB objects(say MR) and lld destroying IB device instance. This patch includes the following fixes -> make sure that consumer frees all IB objects associated with device instance -> return non-zero from the callback to destroy the rdma_cm id Signed-off-by: Raju Rangoju Acked-by: Sagi Grimberg Signed-off-by: Doug Ledford drivers/infiniband/ulp/isert/ib_isert.c | 23 ++++++++++++++++++++--- drivers/infiniband/ulp/isert/ib_isert.h | 2 ++ 2 files changed, 22 insertions(+), 3 deletions(-) commit 6aaa382f1267644072f288916476879684502f73 Author: Christophe Jaillet Date: Fri Aug 26 06:49:09 2016 +0200 IB/hfi1: Fix the size parameter to find_first_bit The 2nd parameter of 'find_first_bit' is the number of bits to search. In this case, we are passing 'sizeof(u64)' which is 8. It is likely that the number of bits of 'port_mask' was expected here. Use sizeof() * 8 to get the correct number. It has been spotted by the following coccinelle script: @@ expression ret, x; @@ * ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...)); Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/mad.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit fffd68734dc685e208e86d8c5f6522cd695a8d60 Author: Christophe Jaillet Date: Fri Aug 26 07:16:17 2016 +0200 IB/mlx5: Fix the size parameter to find_first_bit The 2nd parameter of 'find_first_bit' is the number of bits to search. In this case, we are passing 'sizeof(tmp)' which is likely to be 4 or 8 because 'tmp' is an 'unsigned long'. It is likely that the number of bits of 'tmp' was expected here. So use BITS_PER_LONG instead. It has been spotted by the following coccinelle script: @@ expression ret, x; @@ * ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...)); Signed-off-by: Christophe JAILLET Acked-by: Majd Dibbiny Acked-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/mem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 15301a570754c7af60335d094dd2d1808b0641a5 Author: Steven Rostedt Date: Wed May 25 13:47:26 2016 -0400 x86/paravirt: Do not trace _paravirt_ident_*() functions Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up after enabling function tracer. I asked him to bisect the functions within available_filter_functions, which he did and it came down to three: _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64() It was found that this is only an issue when noreplace-paravirt is added to the kernel command line. This means that those functions are most likely called within critical sections of the funtion tracer, and must not be traced. In newer kenels _paravirt_nop() is defined within gcc asm(), and is no longer an issue. But both _paravirt_ident_{32,64}() causes the following splat when they are traced: mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070) mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054) NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469] Modules linked in: e1000e CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000 RIP: 0010:[] [] queued_spin_lock_slowpath+0x118/0x1a0 RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40 RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030 RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000 R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8 R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0 FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0 Call Trace: _raw_spin_lock+0x27/0x30 handle_pte_fault+0x13db/0x16b0 handle_mm_fault+0x312/0x670 __do_page_fault+0x1b1/0x4e0 do_page_fault+0x22/0x30 page_fault+0x28/0x30 __vfs_read+0x28/0xe0 vfs_read+0x86/0x130 SyS_read+0x46/0xa0 entry_SYSCALL_64_fastpath+0x1e/0xa8 Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b Reported-by: Łukasz Daniluk Signed-off-by: Steven Rostedt Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/x86/kernel/paravirt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f28929ba36b7b35feffd3f282ba17fbc0c4cc83e Merge: ac81038 026e5e0 Author: Linus Torvalds Date: Fri Sep 2 09:32:15 2016 -0700 Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Most of this is regression fixes for posix acl behavior introduced in 4.8-rc1 (these were caught by the pjd-fstest suite). The are also miscellaneous fixes marked as stable material and cleanups. Other than overlayfs code, it touches to add a constant with which to disable posix acl caching. No changes needed to the actual caching code, it automatically does the right thing, although later we may want to optimize this case. I'm now testing overlayfs with the following test suites to catch regressions: - unionmount-testsuite - xfstests - pjd-fstest" * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: update doc ovl: listxattr: use strnlen() ovl: Switch to generic_getxattr ovl: copyattr after setting POSIX ACL ovl: Switch to generic_removexattr ovl: Get rid of ovl_xattr_noacl_handlers array ovl: Fix OVL_XATTR_PREFIX ovl: fix spelling mistake: "directries" -> "directories" ovl: don't cache acl on overlay layer ovl: use cached acl on underlying layer ovl: proper cleanup of workdir ovl: remove posix_acl_default from workdir ovl: handle umask and posix_acl_default correctly on creation ovl: don't copy up opaqueness commit db7b542e4a789156a4fb61278f2074795fe2eb9c Author: Miaoqing Pan Date: Thu Aug 4 15:48:34 2016 +0800 ath9k: fix AR5416 access GPIO warning The warning was seen on AR5416 chip, which invoke ath9k_hw_gio_get() before the GPIO initialized correctly. WARNING: CPU: 1 PID: 1159 at ~/drivers/net/wireless/ath/ath9k/hw.c:2776 ath9k_hw_gpio_get+0x148/0x1a0 [ath9k_hw] ... CPU: 1 PID: 1159 Comm: systemd-udevd Not tainted 4.7.0-rc7-aptosid-amd64 #1 aptosid 4.7~rc7-1~git92.slh.3 Hardware name: /DH67CL, BIOS BLH6710H.86A.0160.2012.1204.1156 12/04/2012 0000000000000286 00000000f912d633 ffffffff81290fd3 0000000000000000 0000000000000000 ffffffff81063fd4 ffff88040c6dc018 0000000000000000 0000000000000002 0000000000000000 0000000000000100 ffff88040c6dc018 Call Trace: [] ? dump_stack+0x5c/0x79 [] ? __warn+0xb4/0xd0 [] ? ath9k_hw_gpio_get+0x148/0x1a0 [ath9k_hw] Signed-off-by: Miaoqing Pan Reported-by: Stefan Lippers-Hollmann Tested-by: Stefan Lippers-Hollmann Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/hw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 744c6c37cc18705d19e179622f927f5b781fe9cc Author: James Morse Date: Fri Aug 26 16:03:42 2016 +0100 arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1 Changes to make the resume from cpu_suspend() code behave more like secondary boot caused debug exceptions to be unmasked early by __cpu_setup(). We then go on to restore mdscr_el1 in cpu_do_resume(), potentially taking break or watch points based on uninitialised registers. Mask debug exceptions in cpu_do_resume(), which is specific to resume from cpu_suspend(). Debug exceptions will be restored to their original state by local_dbg_restore() in cpu_suspend(), which runs after hw_breakpoint_restore() has re-initialised the other registers. Reported-by: Lorenzo Pieralisi Fixes: cabe1c81ea5b ("arm64: Change cpu_resume() to enable mmu early then access sleep_sp by va") Cc: # 4.7+ Signed-off-by: James Morse Acked-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/mm/proc.S | 9 +++++++++ 1 file changed, 9 insertions(+) commit 63fb0a9516b2c4e23293d7253c14c40aa9c2b7d1 Author: Stefan Wahren Date: Sat Aug 27 16:19:50 2016 +0000 drivers/perf: arm_pmu: Fix NULL pointer dereference during probe Patch 7f1d642fbb5c ("drivers/perf: arm-pmu: Fix handling of SPI lacking interrupt-affinity property") unintended also fixes perf_event support for bcm2835 which doesn't have PMU interrupts. Unfortunately this change introduce a NULL pointer dereference on bcm2835, because irq_is_percpu always expected to be called with a valid IRQ. So fix this regression by validating the IRQ before. Tested-by: Kevin Hilman Signed-off-by: Stefan Wahren Fixes: 7f1d642fbb5c ("drivers/perf: arm-pmu: Fix handling of SPI lacking "interrupt-affinity" property") Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas drivers/perf/arm_pmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 753246840d012ae34ea80a1d40bc1546c62fb957 Author: Stefan Wahren Date: Sat Aug 27 16:19:49 2016 +0000 drivers/perf: arm_pmu: Fix leak in error path In case of a IRQ type mismatch in of_pmu_irq_cfg() the device node for interrupt affinity isn't freed. So fix this issue by calling of_node_put(). Signed-off-by: Stefan Wahren Fixes: fa8ad7889d83 ("arm: perf: factor arm_pmu core out to drivers") Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas drivers/perf/arm_pmu.c | 1 + 1 file changed, 1 insertion(+) commit ac8103840b7bf9cca48b437fd5a8cb8b14b6bd02 Merge: b0be76b 32e8082 Author: Linus Torvalds Date: Fri Sep 2 07:58:31 2016 -0700 Merge tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fixes from Vinod Koul: "The fixes this time are all in drivers: - possible NULL dereference in img-mdc - correct device identity for free_irq in at_xdmac - missing of_node_put() in fsl probe - fix debug log and hotchain corner case for pxa-dma - fix checking hardware bits in isr in usb dmac" * tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: img-mdc: fix a possible NULL dereference dmaengine: at_xdmac: fix to pass correct device identity to free_irq() dmaengine: fsl_raid: add missing of_node_put() in fsl_re_probe() dmaengine: pxa_dma: fix debug message dmaengine: pxa_dma: fix hotchain corner case dmaengine: usb-dmac: check CHCR.DE bit in usb_dmac_isr_channel() commit b0be76bf54cbc1a002b266e35544eefb3a5417cf Merge: cc4163d 603f2c9 Author: Linus Torvalds Date: Fri Sep 2 07:53:00 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Contains fixes for imx, amdgpu, vc4, msm and one nouveau ACPI fix" * tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux: drm/amdgpu: record error code when ring test failed drm/amd/amdgpu: compute ring test fail during S4 on CI drm/amd/amdgpu: sdma resume fail during S4 on CI drm/nouveau/acpi: use DSM if bridge does not support D3cold drm/imx: fix crtc vblank state regression drm/imx: Add active plane reconfiguration support drm/msm: protect against faults from copy_from_user() in submit ioctl drm/msm: fix use of copy_from_user() while holding spinlock drm/vc4: Fix oops when userspace hands in a bad BO. drm/vc4: Fix overflow mem unreferencing when the binner runs dry. drm/vc4: Free hang state before destroying BO cache. drm/vc4: Fix handling of a pm_runtime_get_sync() success case. drm/vc4: Use drm_malloc_ab to fix large rendering jobs. drm/vc4: Use drm_free_large() on handles to match its allocation. commit 7064f623c4cc8c8537745b5cdd21d9896100445c Merge: 982098a d662ed2e Author: Arnd Bergmann Date: Fri Sep 2 16:11:14 2016 +0200 Merge tag 'ccn/fixes-for-4.8-v2' of git://git.linaro.org/people/pawel.moll/linux into fixes Merge "bus: ARM CCN PMU driver updates" from Paweł Moll: - Fixes and improvements for XP watchpoint and events handling - Added missing condition checks for KVM-related exclusions - Improved interrupt affinity handling - Fix for hrtimer use in polling mode - Event grouping implementation improvement * tag 'ccn/fixes-for-4.8-v2' of git://git.linaro.org/people/pawel.moll/linux: bus: arm-ccn: make event groups reliable bus: arm-ccn: fix hrtimer registration bus: arm-ccn: fix PMU interrupt flags bus: arm-ccn: Add missing event attribute exclusions for host/guest bus: arm-ccn: Correct required arguments for XP PMU events bus: arm-ccn: Fix XP watchpoint settings bitmask bus: arm-ccn: Do not attempt to configure XPs for cycle counter bus: arm-ccn: Fix PMU handling of MN commit 982098a9f7e2391e735e639a6816715da8dda3b9 Merge: 0a10e85 c721da1 Author: Arnd Bergmann Date: Fri Sep 2 16:02:01 2016 +0200 Merge tag 'mvebu-fixes-4.8-2' of git://git.infradead.org/linux-mvebu into fixes Merge "mvebu fixes for 4.8 (part 1)" from Gregory CLEMENT: Few device tree fix on kirkwood: - enable PCIe on OpenRD - use correct u-boot environment partition size on ib62x0 * tag 'mvebu-fixes-4.8-2' of git://git.infradead.org/linux-mvebu: ARM: dts: kirkwood: Fix PCIe label on OpenRD ARM: kirkwood: ib62x0: fix size of u-boot environment partition commit 11749e086b2766cccf6217a527ef5c5604ba069c Author: Vegard Nossum Date: Sun Aug 28 10:13:07 2016 +0200 ALSA: timer: fix NULL pointer dereference in read()/ioctl() race I got this with syzkaller: ================================================================== BUG: KASAN: null-ptr-deref on address 0000000000000020 Read of size 32 by task syz-executor/22519 CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2 014 0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90 ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80 ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68 Call Trace: [] dump_stack+0x83/0xb2 [] kasan_report_error+0x41f/0x4c0 [] kasan_report+0x34/0x40 [] ? snd_timer_user_read+0x554/0x790 [] check_memory_region+0x13e/0x1a0 [] kasan_check_read+0x11/0x20 [] snd_timer_user_read+0x554/0x790 [] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [] ? proc_fault_inject_write+0x1c1/0x250 [] ? next_tgid+0x2a0/0x2a0 [] ? do_group_exit+0x108/0x330 [] ? fsnotify+0x72a/0xca0 [] __vfs_read+0x10e/0x550 [] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [] ? do_sendfile+0xc50/0xc50 [] ? __fsnotify_update_child_dentry_flags+0x60/0x60 [] ? kcov_ioctl+0x56/0x190 [] ? common_file_perm+0x2e2/0x380 [] ? __fsnotify_parent+0x5e/0x2b0 [] ? security_file_permission+0x86/0x1e0 [] ? rw_verify_area+0xe5/0x2b0 [] vfs_read+0x115/0x330 [] SyS_read+0xd1/0x1a0 [] ? vfs_write+0x4b0/0x4b0 [] ? __this_cpu_preempt_check+0x1c/0x20 [] ? __context_tracking_exit.part.4+0x3a/0x1e0 [] ? vfs_write+0x4b0/0x4b0 [] do_syscall_64+0x1c4/0x4e0 [] ? syscall_return_slowpath+0x16c/0x1d0 [] entry_SYSCALL64_slow_path+0x25/0x25 ================================================================== There are a couple of problems that I can see: - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets tu->queue/tu->tqueue to NULL on memory allocation failure, so read() would get a NULL pointer dereference like the above splat - the same ioctl() can free tu->queue/to->tqueue which means read() could potentially see (and dereference) the freed pointer We can fix both by taking the ioctl_lock mutex when dereferencing ->queue/->tqueue, since that's always held over all the ioctl() code. Just looking at the code I find it likely that there are more problems here such as tu->qhead pointing outside the buffer if the size is changed concurrently using SNDRV_TIMER_IOCTL_PARAMS. Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 2 ++ 1 file changed, 2 insertions(+) commit 08d072599234c959b0b82b63fa252c129225a899 Author: Wanpeng Li Date: Fri Sep 2 14:38:23 2016 +0800 tick/nohz: Fix softlockup on scheduler stalls in kvm guest tick_nohz_start_idle() is prevented to be called if the idle tick can't be stopped since commit 1f3b0f8243cb934 ("tick/nohz: Optimize nohz idle enter"). As a result, after suspend/resume the host machine, full dynticks kvm guest will softlockup: NMI watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:0] Call Trace: default_idle+0x31/0x1a0 arch_cpu_idle+0xf/0x20 default_idle_call+0x2a/0x50 cpu_startup_entry+0x39b/0x4d0 rest_init+0x138/0x140 ? rest_init+0x5/0x140 start_kernel+0x4c1/0x4ce ? set_init_arg+0x55/0x55 ? early_idt_handler_array+0x120/0x120 x86_64_start_reservations+0x24/0x26 x86_64_start_kernel+0x142/0x14f In addition, cat /proc/stat | grep cpu in guest or host: cpu 398 16 5049 15754 5490 0 1 46 0 0 cpu0 206 5 450 0 0 0 1 14 0 0 cpu1 81 0 3937 3149 1514 0 0 9 0 0 cpu2 45 6 332 6052 2243 0 0 11 0 0 cpu3 65 2 328 6552 1732 0 0 11 0 0 The idle and iowait states are weird 0 for cpu0(housekeeping). The bug is present in both guest and host kernels, and they both have cpu0's idle and iowait states issue, however, host kernel's suspend/resume path etc will touch watchdog to avoid the softlockup. - The watchdog will not be touched in tick_nohz_stop_idle path (need be touched since the scheduler stall is expected) if idle_active flags are not detected. - The idle and iowait states will not be accounted when exit idle loop (resched or interrupt) if idle start time and idle_active flags are not set. This patch fixes it by reverting commit 1f3b0f8243cb934 since can't stop idle tick doesn't mean can't be idle. Fixes: 1f3b0f8243cb934 ("tick/nohz: Optimize nohz idle enter") Signed-off-by: Wanpeng Li Cc: Sanjeev Yadav Cc: Gaurav Jindal Cc: stable@vger.kernel.org Cc: kvm@vger.kernel.org Cc: Radim Krčmář Cc: Peter Zijlstra Cc: Paolo Bonzini Link: http://lkml.kernel.org/r/1472798303-4154-1-git-send-email-wanpeng.li@hotmail.com Signed-off-by: Thomas Gleixner kernel/time/tick-sched.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c2f321126e31cd69365e65ecd4a7c774e4fc71d2 Author: Wolfram Sang Date: Tue Aug 30 21:50:22 2016 +0200 ARM: shmobile: fix regulator quirk for Gen2 The current implementation only works if the da9xxx devices are added before their drivers are registered. Only then it can apply the fixes to both devices. Otherwise, the driver for the first device gets probed before the fix for the second device can be applied. This is what fails when using the IP core switcher or when having the i2c master driver as a module. So, we need to disable both da9xxx once we detected one of them. We now use i2c_transfer with hardcoded i2c_messages and device addresses, so we don't need the da9xxx client devices to be instantiated. Because the fixup is used on specific boards only, the addresses are not going to change. Fixes: 663fbb52159cca ("ARM: shmobile: R-Car Gen2: Add da9063/da9210 regulator quirk") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven (r8a7791/koelsch) Tested-by: Kuninori Morimoto Signed-off-by: Simon Horman arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c | 62 +++++++++------------- 1 file changed, 26 insertions(+), 36 deletions(-) commit ab34380162cbc9b5172afdadf5136643c687bb73 Author: Eli Cooper Date: Fri Aug 26 23:52:29 2016 +0800 ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit() Commit 8eb30be0352d0916 ("ipv6: Create ip6_tnl_xmit") unsets flowi6_proto in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit(). Since xfrm_selector_match() relies on this info, IPv6 packets sent by an ip6tunnel cannot be properly selected by their protocols after removing it. This patch puts flowi6_proto back. Cc: stable@vger.kernel.org Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") Signed-off-by: Eli Cooper Signed-off-by: David S. Miller net/ipv6/ip6_tunnel.c | 2 ++ 1 file changed, 2 insertions(+) commit 603f2c9f45c6620afd65b60ec084c1ea7c36b2ec Merge: 5322942 552416c Author: Dave Airlie Date: Fri Sep 2 15:55:15 2016 +1000 Merge tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux into drm-fixes This pull request brings in fixes for VC4 3D in 4.8, most of which are covered by testcases. * tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux: drm/vc4: Fix oops when userspace hands in a bad BO. drm/vc4: Fix overflow mem unreferencing when the binner runs dry. drm/vc4: Free hang state before destroying BO cache. drm/vc4: Fix handling of a pm_runtime_get_sync() success case. drm/vc4: Use drm_malloc_ab to fix large rendering jobs. drm/vc4: Use drm_free_large() on handles to match its allocation. commit b44e108b6f322eb5f20aa6eba39b468a1ffc10ff Author: Guilherme G. Piccoli Date: Wed Aug 31 12:11:57 2016 -0300 bnx2x: don't reset chip on cleanup if PCI function is offline When PCI error is detected, in some architectures (like PowerPC) a slot reset is performed - the driver's error handlers are in charge of "disable" device before the reset, and re-enable it after a successful slot reset. There are two cases though that another path is taken on the code: if the slot reset is not successful or if too many errors already happened in the specific adapter (meaning that possibly the device is experiencing a HW failure that slot reset is not able to solve), the core PCI error mechanism (called EEH in PowerPC) will remove the adapter from the system, since it will consider this as a permanent failure on device. In this case, a path is taken that leads to bnx2x_chip_cleanup() calling bnx2x_reset_hw(), which then tries to perform a HW reset on chip. This reset won't succeed since the HW is in a fault state, which can be seen by multiple messages on kernel log like below: bnx2x: [bnx2x_issue_dmae_with_comp:552(eth1)]DMAE timeout! bnx2x: [bnx2x_write_dmae:600(eth1)]DMAE returned failure -1 After some time, the PCI error mechanism gives up on waiting the driver's correct removal procedure and forcibly remove the adapter from the system. We can see soft lockup while core PCI error mechanism is waiting for driver to accomplish the right removal process. This patch adds a verification to avoid a chip reset whenever the function is in PCI error state - since this case is only reached when we have a device being removed because of a permanent failure, the HW chip reset is not expected to work fine neither is necessary. Also, as a minor improvement in error path, we avoid the MCP information dump in case of non-recoverable PCI error (when adapter is about to be removed), since it will certainly fail. Reported-by: Harsha Thyagaraja Signed-off-by: Guilherme G. Piccoli Acked-By: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit 5322942527156178874eec3d3108a4fae148d87d Merge: 27dd735 a474478 Author: Dave Airlie Date: Fri Sep 2 15:48:38 2016 +1000 Merge tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux into drm-fixes imx-drm atomic modeset regression fixes - add active plane reconfiguration support - add back crtc vblank state reporting * tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux: drm/imx: fix crtc vblank state regression drm/imx: Add active plane reconfiguration support commit 635c223cfa05af9523146b2f37e119d945f449ae Author: Gao Feng Date: Wed Aug 31 14:15:05 2016 +0800 rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly The original codes depend on that the function parameters are evaluated from left to right. But the parameter's evaluation order is not defined in C standard actually. When flow_keys_have_l4(&keys) is invoked before ___skb_get_hash(skb, &keys, hashrnd) with some compilers or environment, the keys passed to flow_keys_have_l4 is not initialized. Fixes: 6db61d79c1e1 ("flow_dissector: Ignore flow dissector return value from ___skb_get_hash") Acked-by: Eric Dumazet Signed-off-by: Gao Feng Signed-off-by: David S. Miller net/core/flow_dissector.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit cc4163daaaa1eb0a4ce0396a7d1da4a47b3e526a Merge: b9677fa dc7066c Author: Linus Torvalds Date: Thu Sep 1 20:32:18 2016 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "A collection of small fixes for various SoC vendor clk drivers" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399 clk: tegra: remove TEGRA_PLL_USE_LOCK for PLLD/PLLD2 clk: rockchip: fix incorrect GATE bits for {c, g}pll_aclk_perihp_src on rk3399 clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399 clk: renesas: r8a7795: Fix SD clocks clk: rockchip: fix rk3399 aclk_vio gate bit clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock commit b9677faf45bcf4c63431b62758bfd895404f0f3f Merge: 511a8cd b300692 Author: Linus Torvalds Date: Thu Sep 1 18:23:22 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "14 fixes" * emailed patches from Andrew Morton : rapidio/tsi721: fix incorrect detection of address translation condition rapidio/documentation/mport_cdev: add missing parameter description kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd MAINTAINERS: Vladimir has moved mm, mempolicy: task->mempolicy must be NULL before dropping final reference printk/nmi: avoid direct printk()-s from __printk_nmi_flush() treewide: remove references to the now unnecessary DEFINE_PCI_DEVICE_TABLE drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator lib/test_hash.c: fix warning in preprocessor symbol evaluation lib/test_hash.c: fix warning in two-dimensional array init kconfig: tinyconfig: provide whole choice blocks to avoid warnings kexec: fix double-free when failing to relocate the purgatory mm, oom: prevent premature OOM killer invocation for high order request commit b30069291dc7f9b9a073c33d619818fe4a8e50de Author: Alexandre Bounine Date: Thu Sep 1 16:15:18 2016 -0700 rapidio/tsi721: fix incorrect detection of address translation condition Fix incorrect condition to identify involvment of a address translation mechanism. This bug results in NULL pointer kernel crash dump in cases when mapping of inbound RapidIO address range is requested within existing aprture. Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Cc: Matt Porter Cc: Andre van Herk Cc: Barry Wood Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/rapidio/devices/tsi721.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e1011af7a5725141aa4c8d30132acd93fe3da4e Author: Alexandre Bounine Date: Thu Sep 1 16:15:15 2016 -0700 rapidio/documentation/mport_cdev: add missing parameter description Add missing description for rio_mport_cdev driver parameter 'dma_timeout'. This patch is applicable to kernel versions starting from v4.6. Link: http://lkml.kernel.org/r/20160901173104.2928-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Cc: Matt Porter Cc: Andre van Herk Cc: Barry Wood Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Documentation/rapidio/mport_cdev.txt | 4 ++++ 1 file changed, 4 insertions(+) commit 735f2770a770156100f534646158cb58cb8b2939 Author: Michal Hocko Date: Thu Sep 1 16:15:13 2016 -0700 kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit") has caused a subtle regression in nscd which uses CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the shared databases, so that the clients are notified when nscd is restarted. Now, when nscd uses a non-persistent database, clients that have it mapped keep thinking the database is being updated by nscd, when in fact nscd has created a new (anonymous) one (for non-persistent databases it uses an unlinked file as backend). The original proposal for the CLONE_CHILD_CLEARTID change claimed (https://lkml.org/lkml/2006/10/25/233): : The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls : on behalf of pthread_create() library calls. This feature is used to : request that the kernel clear the thread-id in user space (at an address : provided in the syscall) when the thread disassociates itself from the : address space, which is done in mm_release(). : : Unfortunately, when a multi-threaded process incurs a core dump (such as : from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of : the other threads, which then proceed to clear their user-space tids : before synchronizing in exit_mm() with the start of core dumping. This : misrepresents the state of process's address space at the time of the : SIGSEGV and makes it more difficult for someone to debug NPTL and glibc : problems (misleading him/her to conclude that the threads had gone away : before the fault). : : The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a : core dump has been initiated. The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269) seems to have a larger scope than the original patch asked for. It seems that limitting the scope of the check to core dumping should work for SIGSEGV issue describe above. [Changelog partly based on Andreas' description] Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit") Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org Signed-off-by: Michal Hocko Tested-by: William Preston Acked-by: Oleg Nesterov Cc: Roland McGrath Cc: Andreas Schwab Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) commit c4e297386bd1621b83f6f7d58a729fb770597a91 Author: Vladimir Davydov Date: Thu Sep 1 16:15:09 2016 -0700 MAINTAINERS: Vladimir has moved vdavydov@{parallels,virtuozzo}.com will bounce from now on. Link: http://lkml.kernel.org/r/20160831180752.GB10353@esperanza Signed-off-by: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds .mailmap | 2 ++ MAINTAINERS | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) commit c11600e4fed67ae4cd6a8096936afd445410e8ed Author: David Rientjes Date: Thu Sep 1 16:15:07 2016 -0700 mm, mempolicy: task->mempolicy must be NULL before dropping final reference KASAN allocates memory from the page allocator as part of kmem_cache_free(), and that can reference current->mempolicy through any number of allocation functions. It needs to be NULL'd out before the final reference is dropped to prevent a use-after-free bug: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140 ... Call Trace: dump_stack kasan_object_err kasan_report_error __asan_report_load2_noabort alloc_pages_current <-- use after free depot_save_stack save_stack kasan_slab_free kmem_cache_free __mpol_put <-- free do_exit This patch sets current->mempolicy to NULL before dropping the final reference. Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: David Rientjes Reported-by: Vegard Nossum Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/mempolicy.h | 4 ++++ kernel/exit.c | 7 +------ mm/mempolicy.c | 17 +++++++++++++++++ 3 files changed, 22 insertions(+), 6 deletions(-) commit 19feeff18bbfde659baa58c2346f15a24d7c405e Author: Sergey Senozhatsky Date: Thu Sep 1 16:15:04 2016 -0700 printk/nmi: avoid direct printk()-s from __printk_nmi_flush() __printk_nmi_flush() can be called from nmi_panic(), therefore it has to test whether it's executed in NMI context and thus must route the messages through deferred printk() or via direct printk(). This is to avoid potential deadlocks, as described in commit cf9b1106c81c ("printk/nmi: flush NMI messages on the system panic"). However there remain two places where __printk_nmi_flush() does unconditional direct printk() calls: - pr_err("printk_nmi_flush: internal error ...") - pr_cont("\n") Factor out print_nmi_seq_line() parts into a new printk_nmi_flush_line() function, which takes care of in_nmi(), and use it in __printk_nmi_flush() for printing and error-reporting. Link: http://lkml.kernel.org/r/20160830161354.581-1-sergey.senozhatsky@gmail.com Signed-off-by: Sergey Senozhatsky Cc: Petr Mladek Cc: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/printk/nmi.c | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) commit 7e932159901183283cd82d797bc9a7c681e48e9c Author: Joe Perches Date: Thu Sep 1 16:15:01 2016 -0700 treewide: remove references to the now unnecessary DEFINE_PCI_DEVICE_TABLE It's been eliminated from the sources, remove it from everywhere else. Link: http://lkml.kernel.org/r/076eff466fd7edb550c25c8b25d76924ca0eba62.1472660229.git.joe@perches.com Signed-off-by: Joe Perches Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Bjorn Helgaas Cc: Andy Whitcroft Cc: Jonathan Corbet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Documentation/PCI/pci.txt | 1 - include/linux/pci.h | 9 --------- scripts/checkpatch.pl | 9 --------- scripts/tags.sh | 1 - 4 files changed, 20 deletions(-) commit 8a793bea2745d9876030f892a84fc8be180f2e78 Author: Joe Perches Date: Thu Sep 1 16:14:58 2016 -0700 drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE Convert it to the preferred const struct pci_device_id instead. Link: http://lkml.kernel.org/r/95c5e4100c3cd4eda643624f5b70e8d7abceb86c.1472660229.git.joe@perches.com Signed-off-by: Joe Perches Reviewed-by: Bart Van Assche Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/scsi/wd719x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6aa303defb7454a2520c4ddcdf6b081f62a15890 Author: Mel Gorman Date: Thu Sep 1 16:14:55 2016 -0700 mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator Firmware Assisted Dump (FA_DUMP) on ppc64 reserves substantial amounts of memory when booting a secondary kernel. Srikar Dronamraju reported that multiple nodes may have no memory managed by the buddy allocator but still return true for populated_zone(). Commit 1d82de618ddd ("mm, vmscan: make kswapd reclaim in terms of nodes") was reported to cause kswapd to spin at 100% CPU usage when fadump was enabled. The old code happened to deal with the situation of a populated node with zero free pages by co-incidence but the current code tries to reclaim populated zones without realising that is impossible. We cannot just convert populated_zone() as many existing users really need to check for present_pages. This patch introduces a managed_zone() helper and uses it in the few cases where it is critical that the check is made for managed pages -- zonelist construction and page reclaim. Link: http://lkml.kernel.org/r/20160831195104.GB8119@techsingularity.net Signed-off-by: Mel Gorman Reported-by: Srikar Dronamraju Tested-by: Srikar Dronamraju Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/mmzone.h | 16 ++++++++++++++-- mm/page_alloc.c | 4 ++-- mm/vmscan.c | 22 +++++++++++----------- 3 files changed, 27 insertions(+), 15 deletions(-) commit e6173ba42bbdba05fd4f3021c0beda0506271507 Author: Geert Uytterhoeven Date: Thu Sep 1 16:14:53 2016 -0700 lib/test_hash.c: fix warning in preprocessor symbol evaluation Some versions of gcc don't like tests for the value of an undefined preprocessor symbol, even in the #else branch of an #ifndef: lib/test_hash.c:224:7: warning: "HAVE_ARCH__HASH_32" is not defined [-Wundef] #elif HAVE_ARCH__HASH_32 != 1 ^ lib/test_hash.c:229:7: warning: "HAVE_ARCH_HASH_32" is not defined [-Wundef] #elif HAVE_ARCH_HASH_32 != 1 ^ lib/test_hash.c:234:7: warning: "HAVE_ARCH_HASH_64" is not defined [-Wundef] #elif HAVE_ARCH_HASH_64 != 1 ^ Seen with gcc 4.9, not seen with 4.1.2. Change the logic to only check the value inside an #ifdef to fix this. Fixes: 468a9428521e7d00 (": Add support for architecture-specific functions") Link: http://lkml.kernel.org/r/20160829214952.1334674-4-arnd@arndb.de Signed-off-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann Acked-by: George Spelvin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/test_hash.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) commit ed76b7a131f41c91b0c725d472f9b969d75ce888 Author: Geert Uytterhoeven Date: Thu Sep 1 16:14:50 2016 -0700 lib/test_hash.c: fix warning in two-dimensional array init lib/test_hash.c: In function 'test_hash_init': lib/test_hash.c:146:2: warning: missing braces around initializer [-Wmissing-braces] Fixes: 468a9428521e7d00 (": Add support for architecture-specific functions") Link: http://lkml.kernel.org/r/20160829214952.1334674-3-arnd@arndb.de Signed-off-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann Acked-by: George Spelvin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/test_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 236dec051078a8691950f56949612b4b74107e48 Author: Arnd Bergmann Date: Thu Sep 1 16:14:47 2016 -0700 kconfig: tinyconfig: provide whole choice blocks to avoid warnings Using "make tinyconfig" produces a couple of annoying warnings that show up for build test machines all the time: .config:966:warning: override: NOHIGHMEM changes choice state .config:965:warning: override: SLOB changes choice state .config:963:warning: override: KERNEL_XZ changes choice state .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:933:warning: override: SLOB changes choice state .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:870:warning: override: SLOB changes choice state .config:868:warning: override: KERNEL_XZ changes choice state .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state I've made a previous attempt at fixing them and we discussed a number of alternatives. I tried changing the Makefile to use "merge_config.sh -n $(fragment-list)" but couldn't get that to work properly. This is yet another approach, based on the observation that we do want to see a warning for conflicting 'choice' options, and that we can simply make them non-conflicting by listing all other options as disabled. This is a trivial patch that we can apply independent of plans for other changes. Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log https://patchwork.kernel.org/patch/9212749/ Signed-off-by: Arnd Bergmann Reviewed-by: Josh Triplett Reviewed-by: Masahiro Yamada Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/x86/configs/tiny.config | 2 ++ kernel/configs/tiny.config | 8 ++++++++ 2 files changed, 10 insertions(+) commit 070c43eea5043e950daa423707ae3c77e2f48edb Author: Thiago Jung Bauermann Date: Thu Sep 1 16:14:44 2016 -0700 kexec: fix double-free when failing to relocate the purgatory If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs and pi->purgatory_buf. This is redundant, because in case of error kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which will also free those buffers. This causes two warnings like the following, one for pi->sechdrs and the other for pi->purgatory_buf: kexec-bzImage64: Loading purgatory failed ------------[ cut here ]------------ WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0 Trying to vfree() nonexistent vm area (ffffc90000e91000) Modules linked in: CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x4d/0x65 __warn+0xcb/0xf0 warn_slowpath_fmt+0x4f/0x60 ? find_vmap_area+0x19/0x70 ? kimage_file_post_load_cleanup+0x47/0xb0 __vunmap+0xc1/0xd0 vfree+0x2e/0x70 kimage_file_post_load_cleanup+0x5e/0xb0 SyS_kexec_file_load+0x448/0x680 ? putname+0x54/0x60 ? do_sys_open+0x190/0x1f0 entry_SYSCALL_64_fastpath+0x13/0x8f ---[ end trace 158bb74f5950ca2b ]--- Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree won't try to free a NULL pointer. Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com Signed-off-by: Thiago Jung Bauermann Acked-by: Baoquan He Cc: "Eric W. Biederman" Cc: Vivek Goyal Cc: Dave Young Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/kexec_file.c | 3 +++ 1 file changed, 3 insertions(+) commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f Author: Michal Hocko Date: Thu Sep 1 16:14:41 2016 -0700 mm, oom: prevent premature OOM killer invocation for high order request There have been several reports about pre-mature OOM killer invocation in 4.7 kernel when order-2 allocation request (for the kernel stack) invoked OOM killer even during basic workloads (light IO or even kernel compile on some filesystems). In all reported cases the memory is fragmented and there are no order-2+ pages available. There is usually a large amount of slab memory (usually dentries/inodes) and further debugging has shown that there are way too many unmovable blocks which are skipped during the compaction. Multiple reporters have confirmed that the current linux-next which includes [1] and [2] helped and OOMs are not reproducible anymore. A simpler fix for the late rc and stable is to simply ignore the compaction feedback and retry as long as there is a reclaim progress and we are not getting OOM for order-0 pages. We already do that for CONFING_COMPACTION=n so let's reuse the same code when compaction is enabled as well. [1] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz [2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection") Link: http://lkml.kernel.org/r/20160823074339.GB23577@dhcp22.suse.cz Signed-off-by: Michal Hocko Tested-by: Olaf Hering Tested-by: Ralf-Peter Rohbeck Cc: Markus Trippelsdorf Cc: Arkadiusz Miskiewicz Cc: Ralf-Peter Rohbeck Cc: Jiri Slaby Cc: Vlastimil Babka Cc: Joonsoo Kim Cc: Tetsuo Handa Cc: David Rientjes Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/page_alloc.c | 51 ++------------------------------------------------- 1 file changed, 2 insertions(+), 49 deletions(-) commit cb887083d084d74421ae7bb18acca40568da791f Merge: 28a2359 e0af248 Author: Chris Mason Date: Thu Sep 1 17:29:34 2016 -0700 Merge tag 'for-chris' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.8 commit 28b346cbc0715ae45b2814d857f1d8a7e6817ed8 Author: Neal Cardwell Date: Tue Aug 30 11:55:23 2016 -0400 tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data Yuchung noticed that on the first TFO server data packet sent after the (TFO) handshake, the server echoed the TCP timestamp value in the SYN/data instead of the timestamp value in the final ACK of the handshake. This problem did not happen on regular opens. The tcp_replace_ts_recent() logic that decides whether to remember an incoming TS value needs tp->rcv_wup to hold the latest receive sequence number that we have ACKed (latest tp->rcv_nxt we have ACKed). This commit fixes this issue by ensuring that a TFO server properly updates tp->rcv_wup to match tp->rcv_nxt at the time it sends a SYN/ACK for the SYN/data. Reported-by: Yuchung Cheng Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Soheil Hassas Yeganeh Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: David S. Miller net/ipv4/tcp_fastopen.c | 1 + 1 file changed, 1 insertion(+) commit 85a3d4a9356b595d5440c3f1bf07ee7cecca1567 Author: Nikolay Aleksandrov Date: Tue Aug 30 17:44:29 2016 +0200 net: bridge: don't increment tx_dropped in br_do_proxy_arp pskb_may_pull may fail due to various reasons (e.g. alloc failure), but the skb isn't changed/dropped and processing continues so we shouldn't increment tx_dropped. CC: Kyeyoon Park CC: Roopa Prabhu CC: Stephen Hemminger CC: bridge@lists.linux-foundation.org Fixes: 958501163ddd ("bridge: Add support for IEEE 802.11 Proxy ARP") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller net/bridge/br_input.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) commit 511a8cdb650544b7efd1bbccf7967d3153aee5f6 Merge: 7d1ce60 5efc244 Author: Linus Torvalds Date: Thu Sep 1 15:55:56 2016 -0700 Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit Pull audit fixes from Paul Moore: "Two small patches to fix some bugs with the audit-by-executable functionality we introduced back in v4.3 (both patches are marked for the stable folks)" * 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit: audit: fix exe_file access in audit_exe_compare mm: introduce get_task_exe_file commit 7d1ce606a37922879cbe40a6122047827105a332 Merge: 071e31e ea78d80 Author: Linus Torvalds Date: Thu Sep 1 15:33:16 2016 -0700 Merge tag 'xfs-iomap-for-linus-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs Pull xfs and iomap fixes from Dave Chinner: "Most of these changes are small regression fixes that address problems introduced in the 4.8-rc1 window. The two fixes that aren't (IO completion fix and superblock inprogress check) are fixes for problems introduced some time ago and need to be pushed back to stable kernels. Changes in this update: - iomap FIEMAP_EXTENT_MERGED usage fix - additional mount-time feature restrictions - rmap btree query fixes - freeze/unmount io completion workqueue fix - memory corruption fix for deferred operations handling" * tag 'xfs-iomap-for-linus-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs: xfs: track log done items directly in the deferred pending work item iomap: don't set FIEMAP_EXTENT_MERGED for extent based filesystems xfs: prevent dropping ioend completions during buftarg wait xfs: fix superblock inprogress check xfs: simple btree query range should look right if LE lookup fails xfs: fix some key handling problems in _btree_simple_query_range xfs: don't log the entire end of the AGF xfs: disallow mounting of realtime + rmap filesystems xfs: don't perform lookups on zero-height btrees commit 29c994e361009142ec0bca6493cc8f7b0d3c561a Author: Nicolas Dichtel Date: Tue Aug 30 10:09:22 2016 +0200 netconf: add a notif when settings are created All changes are notified, but the initial state was missing. Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller net/ipv4/devinet.c | 11 +++++++---- net/ipv6/addrconf.c | 9 ++++++++- 2 files changed, 15 insertions(+), 5 deletions(-) commit d26c638c16cb54f6fb1507e27df93ede692db572 Author: Nicolas Dichtel Date: Tue Aug 30 10:09:21 2016 +0200 ipv6: add missing netconf notif when 'all' is updated The 'default' value was not advertised. Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller net/ipv6/addrconf.c | 7 +++++++ 1 file changed, 7 insertions(+) commit d3ebc88efe464d93585e66ffa0cd402cd55a033d Merge: a036244 7ceb8a1 Author: David S. Miller Date: Thu Sep 1 14:50:47 2016 -0700 Merge branch 'thunderx-fixes' Sunil Goutham says: ==================== net: thunderx: Fixes for TSO offload issues This patch series fixes couple of issues w.r.t HW TSO offload ==================== Signed-off-by: David S. Miller commit 7ceb8a1319ec64954459d474dd4a8c3c60ff0999 Author: Sunil Goutham Date: Tue Aug 30 11:36:27 2016 +0530 net: thunderx: Fix for issues with multiple CQEs posted for a TSO packet On ThunderX 88xx pass 2.x chips when TSO is offloaded to HW, HW posts a CQE for every TSO segment transmitted. Current code does handles this, but is prone to issues when segment sizes are small resulting in SW processing too many CQEs and also at times frees a SKB which is not yet transmitted. This patch handles the errata in a different way and eliminates issues with earlier approach, TSO packet is submitted to HW with post_cqe=0, so that no CQE is posted upon completion of transmission of TSO packet but a additional HDR + IMMEDIATE descriptors are added to SQ due to which a CQE is posted and will have required info to be used while cleanup in napi. This way only one CQE is posted for a TSO packet. Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller drivers/net/ethernet/cavium/thunder/nic.h | 1 + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 20 +++++-- drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 64 +++++++++++++++++++--- 3 files changed, 73 insertions(+), 12 deletions(-) commit 57e81d44b0e1aa4dcb479ff8de8fc34cf635d0e8 Author: Sunil Goutham Date: Tue Aug 30 11:36:26 2016 +0530 net: thunderx: Fix for HW issue while padding TSO packet There is a issue in HW where-in while sending GSO sized pkts as part of TSO, if pkt len falls below configured min packet size i.e 60, NIC will zero PAD packet and also updates IP total length. Hence set this value to lessthan min pkt size of MAC + IP + TCP headers, BGX will anyway do the padding to transmit 64 byte pkt including FCS. Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller drivers/net/ethernet/cavium/thunder/nic_main.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) commit a036244c068612a43fa8c0f33a0eb4daa4d8dba0 Author: Dave Ertman Date: Mon Aug 29 17:38:26 2016 -0700 i40e: Fix kernel panic on enable/disable LLDP If DCB is configured on the link partner switch with an unsupported traffic class configuration (e.g. non-contiguous TCs), the driver is flagging DCB as disabled. But, for future DCB LLDPDUs, the driver was checking if the interface was DCB capable instead of enabled. This was causing a kernel panic when LLDP was enabled/disabled on the link partner switch. This patch corrects the situation by having the LLDP event handler check the correct flag in the pf structure. It also cleans up the setting and clearing of the enabled flag for other checks. Signed-off-by: Dave Ertman Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/i40e/i40e_main.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit da29838dcbde86b3bdf3b5702abb5937b4c31d18 Author: Andy Gospodarek Date: Mon Aug 29 16:51:30 2016 -0400 MAINTAINERS: update to working email address Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a0d4a992f259703fe4ed5c42f1fa3100f2573911 Merge: d2f394d bb87f02 Author: David S. Miller Date: Thu Sep 1 14:11:11 2016 -0700 Merge tag 'wireless-drivers-for-davem-2016-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 ath9k * fix regression in client mode beacon configuration * fix a station pointer which resulted in spurious crashes mwifiex * fix large amsdu packets causing firmware hang brcmfmac * fix deadlock when removing interface * fix use of mutex in atomic context ==================== Signed-off-by: David S. Miller commit d2f394dc4816b7bd1b44981d83509f18f19c53f0 Author: Parthasarathy Bhuvaragan Date: Thu Sep 1 16:22:16 2016 +0200 tipc: fix random link resets while adding a second bearer In a dual bearer configuration, if the second tipc link becomes active while the first link still has pending nametable "bulk" updates, it randomly leads to reset of the second link. When a link is established, the function named_distribute(), fills the skb based on node mtu (allows room for TUNNEL_PROTOCOL) with NAME_DISTRIBUTOR message for each PUBLICATION. However, the function named_distribute() allocates the buffer by increasing the node mtu by INT_H_SIZE (to insert NAME_DISTRIBUTOR). This consumes the space allocated for TUNNEL_PROTOCOL. When establishing the second link, the link shall tunnel all the messages in the first link queue including the "bulk" update. As size of the NAME_DISTRIBUTOR messages while tunnelling, exceeds the link mtu the transmission fails (-EMSGSIZE). Thus, the synch point based on the message count of the tunnel packets is never reached leading to link timeout. In this commit, we adjust the size of name distributor message so that they can be tunnelled. Reviewed-by: Jon Maloy Signed-off-by: Parthasarathy Bhuvaragan Signed-off-by: David S. Miller net/tipc/name_distr.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit aabdd09d535073c35f746e46c3a5d3286088be3a Author: Ivan Vecera Date: Thu Sep 1 11:28:59 2016 +0200 tg3: Fix for disallow tx coalescing time to be 0 The recent commit 087d7a8c9174 "tg3: Fix for diasllow rx coalescing time to be 0" disallow to set Rx coalescing time to be 0 as this stops generating interrupts for the incoming packets. I found the zero Tx coalescing time stops generating interrupts for outgoing packets as well and fires Tx watchdog later. To avoid this, don't allow to set Tx coalescing time to 0 and also remove subsequent checks that become senseless. Cc: satish.baddipadige@broadcom.com Cc: siva.kallam@broadcom.com Cc: michael.chan@broadcom.com Signed-off-by: Ivan Vecera Acked-by: Siva Reddy Kallam Acked-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/tg3.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) commit 561ed23331dfefea4c8eec616463ee4d0c8fa4b7 Author: Wu Fengguang Date: Thu Sep 1 14:45:12 2016 +0800 qed: fix kzalloc-simple.cocci warnings drivers/net/ethernet/qlogic/qed/qed_dcbx.c:1230:13-20: WARNING: kzalloc should be used for dcbx_info, instead of kmalloc/memset drivers/net/ethernet/qlogic/qed/qed_dcbx.c:1192:13-20: WARNING: kzalloc should be used for dcbx_info, instead of kmalloc/memset Use kzalloc rather than kmalloc followed by memset with 0 This considers some simple cases that are common and easy to validate Note in particular that there are no ...s in the rule, so all of the matched code has to be contiguous Generated by: scripts/coccinelle/api/alloc/kzalloc-simple.cocci CC: Sudarsana Reddy Kalluru Signed-off-by: Fengguang Wu Acked-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit cb849e3041e4238d2593b2a565a24757736b79fc Merge: c380428 aad8b6b Author: David S. Miller Date: Thu Sep 1 09:44:57 2016 -0700 Merge branch 'mlxsw-fixes' Jiri Pirko says: ==================== mlxsw: couple of fixes Couple of fixes from Ido and myself. ==================== Signed-off-by: David S. Miller commit aad8b6bae7c63fcf860c4c7ce693cb8ac5d4a511 Author: Ido Schimmel Date: Thu Sep 1 10:37:45 2016 +0200 mlxsw: spectrum: Use existing flood setup when adding VLANs When a VLAN is added on a bridge port we should use the existing unicast flood configuration of the port instead of assuming it's enabled. Fixes: 0293038e0c36 ("mlxsw: spectrum: Add support for flood control") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 25 ++++++++-------------- 1 file changed, 9 insertions(+), 16 deletions(-) commit f1de7a28d53cfde8fa290d6c535eb690a4e1b5d5 Author: Ido Schimmel Date: Thu Sep 1 10:37:44 2016 +0200 mlxsw: spectrum: Don't take multiple references on a FID In commit 14d39461b3f4 ("mlxsw: spectrum: Use per-FID struct for the VLAN-aware bridge") I added a per-FID struct, which member ports can take a reference on upon VLAN membership configuration. However, sometimes only the VLAN flags (e.g. egress untagged) are toggled without changing the VLAN membership. In these cases we shouldn't take another reference on the FID. Fixes: 14d39461b3f4 ("mlxsw: spectrum: Use per-FID struct for the VLAN-aware bridge") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 3 +++ 1 file changed, 3 insertions(+) commit e73226384948e9b35823150cadd9a3ea4ca9fc97 Author: Jiri Pirko Date: Thu Sep 1 10:37:43 2016 +0200 mlxsw: spectrum_router: Fix netevent notifier registration Currently the notifier is registered for every asic instance, however the same block. Fix this by moving the registration to module init. Fixes: c723c735fa6b ("mlxsw: spectrum_router: Periodically update the kernel's neigh table") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 9 +++++++++ drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 ++ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 17 ++--------------- 3 files changed, 13 insertions(+), 15 deletions(-) commit de7d62952b01755f9885bbe945b141d9d4338e55 Author: Jiri Pirko Date: Thu Sep 1 10:37:42 2016 +0200 mlxsw: spectrum: Fix error path in mlxsw_sp_module_init Add forgotten notifier unregister. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 1 + 1 file changed, 1 insertion(+) commit 7146da31817aa21b19d7a01e95b94686c3f4bd97 Author: Jiri Pirko Date: Thu Sep 1 10:37:41 2016 +0200 mlxsw: spectrum_router: Fix fib entry update path Originally, I expected that there would be needed to call update operation in case RALUE record action is changed. However, that is not needed since write operation takes care of that nicely. Remove prepared construct and always call the write operation. Fixes: 61c503f976b5 ("mlxsw: spectrum_router: Implement fib4 add/del switchdev obj ops") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit 5b004412e2b7894105ea6043d380b7ab21f244ef Author: Jiri Pirko Date: Thu Sep 1 10:37:40 2016 +0200 mlxsw: spectrum_router: Fix failure caused by double fib removal from HW In mlxsw we squash tables 254 and 255 together into HW. Kernel adds/dels /32 ip to/from both 254 and 255. On del path, that causes the same prefix being removed twice. Fix this by introducing reference counting for private mlxsw fib entries. That required a bit of code reshuffle. Also put dev into fib entry key so the same prefix could be represented once per every router interface. Fixes: 61c503f976b5 ("mlxsw: spectrum_router: Implement fib4 add/del switchdev obj ops") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 126 +++++++++++++++------ 1 file changed, 92 insertions(+), 34 deletions(-) commit e0af24849efb0eea572cf22d22bb65d164cb8a6f Author: Wang Xiaoguang Date: Wed Aug 31 19:46:16 2016 +0800 btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket() If can_overcommit() in btrfs_calc_reclaim_metadata_size() returns true, btrfs_async_reclaim_metadata_space() will not reclaim metadata space, just return directly and also forget to wake up process which are waiting for their tickets, so these processes will wait endlessly. Fstests case generic/172 with mount option "-o compress=lzo" have revealed this bug in my test machine. Here if we have tickets to handle, we must handle them first. Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/extent-tree.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit a9b1fc851db054ddec703dc7951ed00620600b26 Author: Liu Bo Date: Wed Aug 31 16:43:33 2016 -0700 Btrfs: fix endless loop in balancing block groups Qgroup function may overwrite the saved error 'err' with 0 in case quota is not enabled, and this ends up with a endless loop in balance because we keep going back to balance the same block group. It really should use 'ret' instead. Signed-off-by: Liu Bo Reviewed-by: Qu Wenruo Signed-off-by: David Sterba fs/btrfs/relocation.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 3dc09ec895f098cedd789a620c90ff1bf7f779a1 Author: Josef Bacik Date: Wed Aug 24 11:57:52 2016 -0400 Btrfs: kill invalid ASSERT() in process_all_refs() Suppose you have the following tree in snap1 on a file system mounted with -o inode_cache so that inode numbers are recycled └── [ 258] a └── [ 257] b and then you remove b, rename a to c, and then re-create b in c so you have the following tree └── [ 258] c └── [ 257] b and then you try to do an incremental send you will hit ASSERT(pending_move == 0); in process_all_refs(). This is because we assume that any recycling of inodes will not have a pending change in our path, which isn't the case. This is the case for the DELETE side, since we want to remove the old file using the old path, but on the create side we could have a pending move and need to do the normal pending rename dance. So remove this ASSERT() and put a comment about why we ignore pending_move. Thanks, Signed-off-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/send.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit a9840c46ff9bb845d62d6f9592ab76c0e531c8f4 Merge: bb87f02 a904a08 Author: Kalle Valo Date: Thu Sep 1 17:11:42 2016 +0300 Merge tag 'iwlwifi-for-kalle-2016-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes * Fix P2P dump trigger * Prevent a potential null dereference in iwlmvm * Prevent an uninitialized value from being returned in iwlmvm * Advertise support for channel width change in AP mode commit 6af7e4f77259ee946103387372cb159f2e99a6d4 Author: Bjorn Helgaas Date: Thu Sep 1 08:52:29 2016 -0500 PCI: Mark Haswell Power Control Unit as having non-compliant BARs The Haswell Power Control Unit has a non-PCI register (CONFIG_TDP_NOMINAL) where BAR 0 is supposed to be. This is erratum HSE43 in the spec update referenced below: The PCIe* Base Specification indicates that Configuration Space Headers have a base address register at offset 0x10. Due to this erratum, the Power Control Unit's CONFIG_TDP_NOMINAL CSR (Bus 1; Device 30; Function 3; Offset 0x10) is located where a base register is expected. Mark the PCU as having non-compliant BARs so we don't try to probe any of them. There are no other BARs on this device. Rename the quirk so it's not Broadwell-specific. Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-datasheet-vol-2.html (section 5.4, Device 30 Function 3) Link: https://bugzilla.kernel.org/show_bug.cgi?id=153881 Reported-by: Paul Menzel Tested-by: Prarit Bhargava Signed-off-by: Bjorn Helgaas Acked-by: Myron Stowe arch/x86/pci/fixup.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) commit 026e5e0cc12474495515275d9c176ef823238c70 Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: update doc Some of the documented quirks no longer apply. Signed-off-by: Miklos Szeredi Documentation/filesystems/overlayfs.txt | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 7cb35119d067191ce9ebc380a599db0b03cbd9d9 Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: listxattr: use strnlen() Be defensive about what underlying fs provides us in the returned xattr list buffer. If it's not properly null terminated, bail out with a warning insead of BUG. Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/inode.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) commit 0eb45fc3bb7a2cf9c9c93d9e95986a841e5f4625 Author: Andreas Gruenbacher Date: Mon Aug 22 17:52:55 2016 +0200 ovl: Switch to generic_getxattr Now that overlayfs has xattr handlers for iop->{set,remove}xattr, use those same handlers for iop->getxattr as well. Signed-off-by: Andreas Gruenbacher Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 2 +- fs/overlayfs/inode.c | 11 ++++------- fs/overlayfs/overlayfs.h | 4 ++-- fs/overlayfs/super.c | 26 ++++++++++++++++++++++++++ 4 files changed, 33 insertions(+), 10 deletions(-) commit ce31513a9114f74fe3e9caa6534d201bdac7238d Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: copyattr after setting POSIX ACL Setting POSIX acl may also modify the file mode, so need to copy that up to the overlay inode. Reported-by: Eryu Guan Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 0e585ccc13b3edbb187fb4f1b7cc9397f17d64a9 Author: Andreas Gruenbacher Date: Mon Aug 22 17:22:11 2016 +0200 ovl: Switch to generic_removexattr Commit d837a49bd57f ("ovl: fix POSIX ACL setting") switches from iop->setxattr from ovl_setxattr to generic_setxattr, so switch from ovl_removexattr to generic_removexattr as well. As far as permission checking goes, the same rules should apply in either case. While doing that, rename ovl_setxattr to ovl_xattr_set to indicate that this is not an iop->setxattr implementation and remove the unused inode argument. Move ovl_other_xattr_set above ovl_own_xattr_set so that they match the order of handlers in ovl_xattr_handlers. Signed-off-by: Andreas Gruenbacher Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 2 +- fs/overlayfs/inode.c | 65 ++++++++++++++++-------------------------------- fs/overlayfs/overlayfs.h | 6 ++--- fs/overlayfs/super.c | 18 +++++++------- 4 files changed, 33 insertions(+), 58 deletions(-) commit 0c97be22f928b85110504c4bbb8574facb4bd0c0 Author: Andreas Gruenbacher Date: Mon Aug 22 16:36:49 2016 +0200 ovl: Get rid of ovl_xattr_noacl_handlers array Use an ordinary #ifdef to conditionally include the POSIX ACL handlers in ovl_xattr_handlers, like the other filesystems do. Flag the code that is now only used conditionally with __maybe_unused. Signed-off-by: Andreas Gruenbacher Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) commit fe2b75952347762a21f67d9df1199137ae5988b2 Author: Andreas Gruenbacher Date: Mon Aug 22 17:59:22 2016 +0200 ovl: Fix OVL_XATTR_PREFIX Make sure ovl_own_xattr_handler only matches attribute names starting with "overlay.", not "overlayXXX". Signed-off-by: Andreas Gruenbacher Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 5 ++--- fs/overlayfs/overlayfs.h | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) commit fd36570a8805f39b40a0ebde19b08603aa201d17 Author: Colin Ian King Date: Thu Aug 18 16:58:35 2016 +0100 ovl: fix spelling mistake: "directries" -> "directories" Trivial fix to spelling mistake in pr_err message. Signed-off-by: Colin Ian King Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2a3a2a3f35249412e35fbb48b743348c40373409 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: don't cache acl on overlay layer Some operations (setxattr/chmod) can make the cached acl stale. We either need to clear overlay's acl cache for the affected inode or prevent acl caching on the overlay altogether. Preventing caching has the following advantages: - no double caching, less memory used - overlay cache doesn't go stale when fs clears it's own cache Possible disadvantage is performance loss. If that becomes a problem get_acl() can be optimized for overlayfs. This patch disables caching by pre setting i_*acl to a value that - has bit 0 set, so is_uncached_acl() will return true - is not equal to ACL_NOT_CACHED, so get_acl() will not overwrite it The constant -3 was chosen for this purpose. Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes") Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 3 +++ include/linux/fs.h | 1 + 2 files changed, 4 insertions(+) commit 5201dc449e4b6b6d7e92f7f974269b11681f98b5 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: use cached acl on underlying layer Instead of calling ->get_acl() directly, use get_acl() to get the cached value. We will have the acl cached on the underlying inode anyway, because we do permission checking on the both the overlay and the underlying fs. So, since we already have double caching, this improves performance without any cost. Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: proper cleanup of workdir When mounting overlayfs it needs a clean "work" directory under the supplied workdir. Previously the mount code removed this directory if it already existed and created a new one. If the removal failed (e.g. directory was not empty) then it fell back to a read-only mount not using the workdir. While this has never been reported, it is possible to get a non-empty "work" dir from a previous mount of overlayfs in case of crash in the middle of an operation using the work directory. In this case the left over state should be discarded and the overlay filesystem will be consistent, guaranteed by the atomicity of operations on moving to/from the workdir to the upper layer. This patch implements cleaning out any files left in workdir. It is implemented using real recursion for simplicity, but the depth is limited to 2, because the worst case is that of a directory containing whiteouts under "work". Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/overlayfs.h | 2 ++ fs/overlayfs/readdir.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++- fs/overlayfs/super.c | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) commit c11b9fdd6a612f376a5e886505f1c54c16d8c380 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: remove posix_acl_default from workdir Clear out posix acl xattrs on workdir and also reset the mode after creation so that an inherited sgid bit is cleared. Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/super.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) commit 38b256973ea90fc7c2b7e1b734fa0e8b83538d50 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: handle umask and posix_acl_default correctly on creation Setting MS_POSIXACL in sb->s_flags has the side effect of passing mode to create functions without masking against umask. Another problem when creating over a whiteout is that the default posix acl is not inherited from the parent dir (because the real parent dir at the time of creation is the work directory). Fix these problems by: a) If upper fs does not have MS_POSIXACL, then mask mode with umask. b) If creating over a whiteout, call posix_acl_create() to get the inherited acls. After creation (but before moving to the final destination) set these acls on the created file. posix_acl_create() also updates the file creation mode as appropriate. Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes") Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) commit c3804289c90c1c88e447991c4c06cff6acdee7bc Merge: c0338af c5e801d Author: David S. Miller Date: Wed Aug 31 21:03:47 2016 -0700 Merge branch 'qed-fixes' Sudarsana Reddy Kalluru says: ==================== qed*: dcbx fix series. The series contains several small fixes for qed* dcbx module. ==================== Signed-off-by: David S. Miller commit c5e801dac4daff972013613ae3edae6668b2aa7c Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:54 2016 -0400 qed: Clear dcbx memory buffers before the usage. This patch takes care of clearing the uninitialized buffer before using it. 1. pfc pri-enable bitmap need to be cleared before setting the requested enable bits. Without this, the un-touched values will be merged with requested values and sent to MFW. 2. The data in app-entry field need to be cleared before using it. 3. Clear the output data buffer used in qed_dcbx_query_params(). Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 ++++ 1 file changed, 4 insertions(+) commit 5ec5dfa4d29448002bb05018ba12620e7fafffd1 Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:53 2016 -0400 qed: Set selection-field while configuring the app entry in ieee mode. Management firmware requires the selection-field (SF) to be set for configuring the application/protocol entry in IEEE mode. Without this setting, the app entry will be configured incorrectly in MFW. Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit 5fe118c9fd6b8e129788c88a10ac0af82b255f81 Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:52 2016 -0400 qed*: Disallow dcbx configuration for VF interfaces. Dcbx configuration is not supported for VF interfaces. Hence don't populate the callbacks for VFs and also fail the dcbx-query for VFs. Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 ++++ drivers/net/ethernet/qlogic/qede/qede_main.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) commit c0338aff2260ea6c092806312dbb154cec07a242 Author: WANG Cong Date: Sun Aug 28 21:28:26 2016 -0700 kcm: fix a socket double free Dmitry reported a double free on kcm socket, which could be easily reproduced by: #include #include int main() { int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); return 0; } This is because on the error path, after we install the new socket file, we call sock_release() to clean up the socket, which leaves the fd pointing to a freed socket. Fix this by calling sys_close() on that fd directly. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Reported-by: Dmitry Vyukov Cc: Tom Herbert Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/kcm/kcmsock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3b631e52f7c741a1813b6fc631acca25591972a4 Merge: 9264251 aa6e8a5 Author: David S. Miller Date: Wed Aug 31 20:53:49 2016 -0700 Merge branch 'mediatek-fixes' Sean Wang says: ==================== net: ethernet: mediatek: a couple of fixes a couple of fixes come out from integrating with linux-4.8 rc1 they all are verified and workable on linux-4.8 rc1 Changes since v1: - usage of loops to work out if all required clock are ready instead of tedious coding - remove redundant pinctrl setup that is already done by core driver thanks for careful and patient reviewing by Andrew Lunn - splitting distinct changes into the separate patches - change variable naming from err to ret for readable coding Changes since v2: - restore to original clock disabling sequence that is changed accidentally in the last version - refine the commit log that would cause misunderstanding what has been done in the changes - refine the commit log that would cause footnote losing due to improper delimiter use Changes since v3: - fix git rejects caused by mixing a change from net-next, so remake the patch set based on the current net branch again. ==================== Signed-off-by: David S. Miller commit aa6e8a54f653daaf34ff7fdceb2d992d714eea7c Author: Sean Wang Date: Thu Sep 1 10:47:35 2016 +0800 net: ethernet: mediatek: fix error handling inside mtk_mdio_init Return -ENODEV if the MDIO bus is disabled in the device tree. Signed-off-by: Sean Wang Acked-by: John Crispin Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e515b7fdbaeef29b1025c09b50ebbb132a39208 Author: Sean Wang Date: Thu Sep 1 10:47:34 2016 +0800 net: ethernet: mediatek: use devm_mdiobus_alloc instead of mdiobus_alloc inside mtk_mdio_init a lot of parts in the driver uses devm_* APIs to gain benefits from the device resource management, so devm_mdiobus_alloc is also used instead of mdiobus_alloc to have more elegant code flow. Using common code provided by the devm_* helps to 1) have simplified the code flow as [1] says 2) decrease the risk of incorrect error handling by human 3) only a few drivers used it since it was proposed on linux 3.16, so just hope to promote for this. Ref: [1] https://patchwork.ozlabs.org/patch/344093/ Signed-off-by: Sean Wang Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) commit b5776f01bf1f36a6c89c6dc407dda6509002e0d7 Author: Sean Wang Date: Thu Sep 1 10:47:33 2016 +0800 net: ethernet: mediatek: fix the missing of_node_put() after node is used done inside mtk_mdio_init This patch adds the missing of_node_put() after finishing the usage of of_get_child_by_name. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 1 + 1 file changed, 1 insertion(+) commit 79e9a41438527a4cc2b426a2dfb92cd0825d7d29 Author: Sean Wang Date: Thu Sep 1 10:47:32 2016 +0800 net: ethernet: mediatek: fix issue of driver removal with interface is up mtk_stop() must be called to stop for freeing DMA resources acquired and restoring state changed by mtk_open() firstly when module removal. Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 7c6b0d76fa02213393815e3b6d5e4a415bf3f0e2 Author: Sean Wang Date: Thu Sep 1 10:47:31 2016 +0800 net: ethernet: mediatek: fix logic unbalance between probe and remove original mdio_cleanup is not in the symmetric place against where mdio_init is, so relocate mdio_cleanup to the right one. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d3bd1ce4db8e843dce421e2f8f123e5251a9c7d3 Author: Sean Wang Date: Thu Sep 1 10:47:30 2016 +0800 net: ethernet: mediatek: remove redundant free_irq for devm_request_irq allocated irq these irqs are not used for shared irq and disabled during ethernet stops. irq requested by devm_request_irq is safe to be freed automatically on driver detach. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 -- 1 file changed, 2 deletions(-) commit 1b43079906367d4d6e1ad00f04fff525a32e26c4 Author: Sean Wang Date: Thu Sep 1 10:47:29 2016 +0800 net: ethernet: mediatek: fix API usage with skb_free_frag use skb_free_frag() instead of legacy put_page() Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 549e5495467ac2a76489f1304e2b4a7ad85e1644 Author: Sean Wang Date: Thu Sep 1 10:47:28 2016 +0800 net: ethernet: mediatek: fix incorrect return value of devm_clk_get with EPROBE_DEFER 1) If the return value of devm_clk_get is EPROBE_DEFER, we should defer probing the driver. The change is verified and works based on 4.8-rc1 staying with the latest clk-next code for MT7623. 2) Changing with the usage of loops to work out if all clocks required are fine Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 39 ++++++++++++++++------------- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 22 ++++++++++------ 2 files changed, 36 insertions(+), 25 deletions(-) commit c6f1dc4d9ce275c1bd9d90b5630f36ca6abccc97 Author: Sean Wang Date: Thu Sep 1 10:47:27 2016 +0800 net: ethernet: mediatek: fix fails from TX housekeeping due to incorrect port setup which net device the SKB is complete for depends on the forward port on txd4 on the corresponding TX descriptor, but the information isn't set up well in case of SKB fragments that would lead to watchdog timeout from the upper layer, so fix it up. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 27dd73503f690ee3593a2e73a1b1864860e7f7b0 Merge: 8509eb1 d78d383 Author: Dave Airlie Date: Thu Sep 1 06:34:09 2016 +1000 Merge branch 'msm-fixes-4.8' of git://people.freedesktop.org/~robclark/linux into drm-fixes copy from user fixes. * 'msm-fixes-4.8' of git://people.freedesktop.org/~robclark/linux: drm/msm: protect against faults from copy_from_user() in submit ioctl drm/msm: fix use of copy_from_user() while holding spinlock commit 5efc244346f9f338765da3d592f7947b0afdc4b5 Author: Mateusz Guzik Date: Tue Aug 23 16:20:39 2016 +0200 audit: fix exe_file access in audit_exe_compare Prior to the change the function would blindly deference mm, exe_file and exe_file->f_inode, each of which could have been NULL or freed. Use get_task_exe_file to safely obtain stable exe_file. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Cc: # 4.3.x Signed-off-by: Paul Moore kernel/audit_watch.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit cd81a9170e69e018bbaba547c1fd85a585f5697a Author: Mateusz Guzik Date: Tue Aug 23 16:20:38 2016 +0200 mm: introduce get_task_exe_file For more convenient access if one has a pointer to the task. As a minor nit take advantage of the fact that only task lock + rcu are needed to safely grab ->exe_file. This saves mm refcount dance. Use the helper in proc_exe_link. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Cc: # 4.3.x Signed-off-by: Paul Moore fs/proc/base.c | 7 +------ include/linux/mm.h | 1 + kernel/fork.c | 23 +++++++++++++++++++++++ 3 files changed, 25 insertions(+), 6 deletions(-) commit 8509eb19618c050b017a3da7f6dd3180106cdf32 Merge: 279cf3f 1f703e6 Author: Dave Airlie Date: Thu Sep 1 06:03:35 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Fixes for 4.8: - 2 CI S4 fixes - error handling fix * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/amdgpu: record error code when ring test failed drm/amd/amdgpu: compute ring test fail during S4 on CI drm/amd/amdgpu: sdma resume fail during S4 on CI commit 1f703e6679f373f5bba4efe7093aa82e91af4037 Author: Chunming Zhou Date: Tue Aug 30 17:59:11 2016 +0800 drm/amdgpu: record error code when ring test failed Otherwise we may miss errors. Signed-off-by: Chunming Zhou Reviewed-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 53960b4f89db58bc155d6f8aa0a44ccc59ccb26f Author: jimqu Date: Tue Aug 30 09:03:16 2016 +0800 drm/amd/amdgpu: compute ring test fail during S4 on CI unhalt Instrction Fetch Unit after all rings are inited. Signed-off-by: JimQu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit 10ea9434065e56fe14287f89258ecf2fb684ed1a Author: jimqu Date: Tue Aug 30 08:59:42 2016 +0800 drm/amd/amdgpu: sdma resume fail during S4 on CI SDMA could be fail in the thaw() and restore() processes, do software reset if each SDMA engine is busy. Signed-off-by: JimQu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 3 +++ 1 file changed, 3 insertions(+) commit 071e31e254e0e0c438eecba3dba1d6e2d0da36c2 Merge: 9f834ec 901d3d4 Author: Linus Torvalds Date: Wed Aug 31 09:42:14 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes the following issues: - Kconfig problem that prevented mxc-rnga from being enabled - bogus key sizes in qat aes-xts - buggy aes-xts code in vmx" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: vmx - fix null dereference in p8_aes_xts_crypt crypto: qat - fix aes-xts key sizes hwrng: mxc-rnga - Fix Kconfig dependency commit 9264251ee2a55bce8fb93826b3f581fb9eb7e2c2 Author: Davide Caratti Date: Wed Aug 31 14:16:44 2016 +0200 bridge: re-introduce 'fix parsing of MLDv2 reports' commit bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") seems to have accidentally reverted commit 47cc84ce0c2f ("bridge: fix parsing of MLDv2 reports"). This commit brings back a change to br_ip6_multicast_mld2_report() where parsing of MLDv2 reports stops when the first group is successfully added to the MDB cache. Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") Signed-off-by: Davide Caratti Acked-by: Nikolay Aleksandrov Acked-by: Thadeu Lima de Souza Cascardo Signed-off-by: David S. Miller net/bridge/br_multicast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 Author: Linus Torvalds Date: Mon Aug 22 16:41:46 2016 -0700 binfmt_elf: switch to new creds when switching to new mm We used to delay switching to the new credentials until after we had mapped the executable (and possible elf interpreter). That was kind of odd to begin with, since the new executable will actually then _run_ with the new creds, but whatever. The bigger problem was that we also want to make sure that we turn off prof events and tracing before we start mapping the new executable state. So while this is a cleanup, it's also a fix for a possible information leak. Reported-by: Robert Święcki Tested-by: Peter Zijlstra Acked-by: David Howells Acked-by: Oleg Nesterov Acked-by: Andy Lutomirski Acked-by: Eric W. Biederman Cc: Willy Tarreau Cc: Kees Cook Cc: Al Viro Signed-off-by: Linus Torvalds fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ad5b0f7685dbfc4730987cd16af3c5ebe8133f10 Author: Shaohua Li Date: Tue Aug 30 10:29:33 2016 -0700 raid5: guarantee enough stripes to avoid reshape hang If there aren't enough stripes, reshape will hang. We have a check for this in new reshape, but miss it for reshape resume, hence we could see hang in reshape resume. This patch forces enough stripes existed if reshape resumes. Reviewed-by: NeilBrown Signed-off-by: Shaohua Li drivers/md/raid5.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 8e018c21da3febb558586b48c8db0d6d66cb6593 Author: Shaohua Li Date: Thu Aug 25 10:09:39 2016 -0700 raid5-cache: fix a deadlock in superblock write There is a potential deadlock in superblock write. Discard could zero data, so before discard we must make sure superblock is updated to new log tail. Updating superblock (either directly call md_update_sb() or depend on md thread) must hold reconfig mutex. On the other hand, raid5_quiesce is called with reconfig_mutex hold. The first step of raid5_quiesce() is waitting for all IO finish, hence waitting for reclaim thread, while reclaim thread is calling this function and waitting for reconfig mutex. So there is a deadlock. We workaround this issue with a trylock. The downside of the solution is we could miss discard if we can't take reconfig mutex. But this should happen rarely (mainly in raid array stop), so miss discard shouldn't be a big problem. Cc: NeilBrown Signed-off-by: Shaohua Li drivers/md/raid5-cache.c | 46 +++++++++++++++------------------------------- 1 file changed, 15 insertions(+), 31 deletions(-) commit 8b18e2359aff2ab810aba84cebffc9da07fef78f Author: Horia Geantă Date: Mon Aug 29 14:52:14 2016 +0300 crypto: caam - fix IV loading for authenc (giv)decryption For algorithms that implement IV generators before the crypto ops, the IV needed for decryption is initially located in req->src scatterlist, not in req->iv. Avoid copying the IV into req->iv by modifying the (givdecrypt) descriptors to load it directly from req->src. aead_givdecrypt() is no longer needed and goes away. Cc: # 4.3+ Fixes: 479bcc7c5b9e ("crypto: caam - Convert authenc to new AEAD interface") Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu drivers/crypto/caam/caamalg.c | 77 +++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 40 deletions(-) commit 31bd44e7687be8a70e1e744e5cb84974b798d568 Author: Herbert Xu Date: Thu Aug 25 16:49:51 2016 +0800 crypto: cryptd - Use correct tfm object for AEAD tracking The AEAD code path incorrectly uses the child tfm to track the cryptd refcnt, and then potentially frees the child tfm. Fixes: 81760ea6a95a ("crypto: cryptd - Add helpers to check...") Reported-by: Sowmini Varadhan Signed-off-by: Herbert Xu crypto/cryptd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c8d192428f52f244130b84650ad616df09f2b1e1 Author: Jimi Damon Date: Wed Jul 20 17:00:40 2016 -0700 serial: 8250: added acces i/o products quad and octal serial cards Added devices ids for acces i/o products quad and octal serial cards that make use of existing Pericom PI7C9X7954 and PI7C9X7958 configurations . Signed-off-by: Jimi Damon Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 Author: Takashi Sakamoto Date: Wed Aug 31 22:58:42 2016 +0900 ALSA: fireworks: accessing to user space outside spinlock In hwdep interface of fireworks driver, accessing to user space is in a critical section with disabled local interrupt. Depending on architecture, accessing to user space can cause page fault exception. Then local processor stores machine status and handles the synchronous event. A handler corresponding to the event can call task scheduler to wait for preparing pages. In a case of usage of single core processor, the state to disable local interrupt is worse because it don't handle usual interrupts from hardware. This commit fixes this bug, performing the accessing outside spinlock. This commit also gives up counting the number of queued response messages to simplify ring-buffer management. Reported-by: Vaishali Thakkar Cc: stable@vger.kernel.org Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface') Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai sound/firewire/fireworks/fireworks.h | 1 - sound/firewire/fireworks/fireworks_hwdep.c | 71 +++++++++++++++++------- sound/firewire/fireworks/fireworks_proc.c | 4 +- sound/firewire/fireworks/fireworks_transaction.c | 5 +- 4 files changed, 56 insertions(+), 25 deletions(-) commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 Author: Andy Shevchenko Date: Fri Jul 1 17:21:49 2016 +0300 serial: 8250_mid: fix divide error bug if baud rate is 0 Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID"), the 8250 driver crashes in the byt_set_termios() function with a divide error. This is caused by the fact that a baud rate of 0 (B0) is not handled properly. Fix it by falling back to B9600 in this case. Reported-by: "Mendez Salinas, Fernando" Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID") Cc: stable@vger.kernel.org Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman drivers/tty/serial/8250/8250_mid.c | 3 +++ 1 file changed, 3 insertions(+) commit 5db4f7f80d165fc9725f356e99feec409e446baa Author: Andy Shevchenko Date: Tue Aug 16 15:06:54 2016 +0300 Revert "tty/serial/8250: use mctrl_gpio helpers" Serial console is broken in v4.8-rcX. Mika and I independently bisected down to commit 4ef03d328769 ("tty/serial/8250: use mctrl_gpio helpers"). Since neither author nor anyone else didn't propose a solution we better revert it for now. This reverts commit 4ef03d328769eddbfeca1f1c958fdb181a69c341. Link: https://lkml.kernel.org/r/20160809130229.GN1729@lahna.fi.intel.com Signed-off-by: Andy Shevchenko Tested-by: Heikki Krogerus Tested-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman Documentation/devicetree/bindings/serial/8250.txt | 19 ------------ drivers/tty/serial/8250/8250.h | 35 +---------------------- drivers/tty/serial/8250/8250_core.c | 9 ------ drivers/tty/serial/8250/8250_omap.c | 31 +++++++++----------- drivers/tty/serial/8250/8250_port.c | 7 +---- drivers/tty/serial/8250/Kconfig | 1 - include/linux/serial_8250.h | 1 - 7 files changed, 15 insertions(+), 88 deletions(-) commit 17d0774f80681020eccc9638d925a23f1fc4f671 Author: Konstantin Khlebnikov Date: Wed Jun 22 21:42:16 2016 +0300 sysfs: correctly handle read offset on PREALLOC attrs Attributes declared with __ATTR_PREALLOC use sysfs_kf_read() which returns zero bytes for non-zero offset. This breaks script checkarray in mdadm tool in debian where /bin/sh is 'dash' because its builtin 'read' reads only one byte at a time. Script gets 'i' instead of 'idle' when reads current action from /sys/block/$dev/md/sync_action and as a result does nothing. This patch adds trivial implementation of partial read: generate whole string and move required part into buffer head. Signed-off-by: Konstantin Khlebnikov Fixes: 4ef67a8c95f3 ("sysfs/kernfs: make read requests on pre-alloc files use the buffer.") Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787950 Cc: Stable # v3.19+ Acked-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman fs/sysfs/file.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 96b0af4b729cabd44e237c5a6b9bd4e0ea4ed457 Author: Martin Fuzzey Date: Fri May 20 14:23:38 2016 +0200 documentation: drivers/core/of: fix name of of_node symlink commit 5590f3196b29 ("drivers/core/of: Add symlink to device-tree from devices with an OF node") added a symlink called "of_node" to sysfs however the documentation describes it as "of_path". Fix the documentation to match what the code actually does. Signed-off-by: Martin Fuzzey Acked-by: Rob Herring Signed-off-by: Greg Kroah-Hartman Documentation/ABI/stable/sysfs-devices | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Author: Tejun Heo Date: Fri Jun 17 17:51:17 2016 -0400 kernfs: don't depend on d_find_any_alias() when generating notifications kernfs_notify_workfn() sends out file modified events for the scheduled kernfs_nodes. Because the modifications aren't from userland, it doesn't have the matching file struct at hand and can't use fsnotify_modify(). Instead, it looked up the inode and then used d_find_any_alias() to find the dentry and used fsnotify_parent() and fsnotify() directly to generate notifications. The assumption was that the relevant dentries would have been pinned if there are listeners, which isn't true as inotify doesn't pin dentries at all and watching the parent doesn't pin the child dentries even for dnotify. This led to, for example, inotify watchers not getting notifications if the system is under memory pressure and the matching dentries got reclaimed. It can also be triggered through /proc/sys/vm/drop_caches or a remount attempt which involves shrinking dcache. fsnotify_parent() only uses the dentry to access the parent inode, which kernfs can do easily. Update kernfs_notify_workfn() so that it uses fsnotify() directly for both the parent and target inodes without going through d_find_any_alias(). While at it, supply the target file name to fsnotify() from kernfs_node->name. Signed-off-by: Tejun Heo Reported-by: Evgeny Vereshchagin Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too") Cc: John McCutchan Cc: Robert Love Cc: Eric Paris Cc: stable@vger.kernel.org # v3.16+ Signed-off-by: Greg Kroah-Hartman fs/kernfs/file.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) commit 04b2d9c9c319277ad4fbbb71855c256a9f4d5f98 Author: Takashi Sakamoto Date: Wed Aug 31 20:15:32 2016 +0900 ALSA: firewire-tascam: accessing to user space outside spinlock In hwdep interface of firewire-tascam driver, accessing to user space is in a critical section with disabled local interrupt. Depending on architecture, accessing to user space can cause page fault exception. Then local processor stores machine status and handle the synchronous event. A handler corresponding to the event can call task scheduler to wait for preparing pages. In a case of usage of single core processor, the state to disable local interrupt is worse because it doesn't handle usual interrupts from hardware. This commit fixes this bug, by performing the accessing outside spinlock. Reported-by: Vaishali Thakkar Cc: stable@vger.kernel.org Fixes: e5e0c3dd257b('ALSA: firewire-tascam: add hwdep interface') Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai sound/firewire/tascam/tascam-hwdep.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) commit ccdf3b888d87df1b914fedde91ed1848f0651c65 Author: Lukas Wunner Date: Wed Aug 3 10:44:12 2016 +0200 thunderbolt: Don't declare Falcon Ridge unsupported Falcon Ridge 4C has been supported by the driver from the beginning, Falcon Ridge 2C support was just added. Don't irritate users with a warning declaring the opposite. Signed-off-by: Lukas Wunner Signed-off-by: Andreas Noever Signed-off-by: Greg Kroah-Hartman drivers/thunderbolt/switch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 82a6a81c2a38aa7a7813a0c532637877773c50ae Author: Xavier Gnata Date: Tue Jul 26 18:40:38 2016 +0200 thunderbolt: Add support for INTEL_FALCON_RIDGE_2C controller. From: Xavier Gnata Add support to INTEL_FALCON_RIDGE_2C controller and corresponding quirk to support suspend/resume. Tested against 4.7 master on a MacBook Air 11" 2015. Signed-off-by: Andreas Noever Reviewed-by: Lukas Wunner Signed-off-by: Greg Kroah-Hartman drivers/pci/quirks.c | 4 ++++ drivers/thunderbolt/nhi.c | 6 ++++++ 2 files changed, 10 insertions(+) commit 25eb7e5c7454c9e8407c5382b9fe32d3b45fe163 Author: Andreas Noever Date: Tue Jul 26 18:40:37 2016 +0200 thunderbolt: Fix resume quirk for Falcon Ridge 4C. The quirk 'quirk_apple_wait_for_thunderbolt' did not fire on Falcon Ridge 4C controllers with subdevice/subvendor set to zero. This lead to lost pci devices on system resume. Older thunderbolt controllers (pre Falcon Ridge) used the same device id for bridges and for the controller. On Apple hardware the subvendor- & subdevice-ids were set for the controller, but not for bridges. So that is what was used to differentiate between the two. Starting with Falcon Ridge bridges and controllers received different device ids. Additionally on some MacBookPro models (but not all) the subvendor/subdevice was zeroed. Starting with a42fb351c (thunderbolt: Allow loading of module on recent Apple MacBooks with thunderbolt 2 controller) the thunderbolt driver binds to all Falcon Ridge 4C controllers (irregardless of subvendor/subdevice). The corresponding quirk was not updated. This commit changes the quirk to check the device class instead of its subvendor-/subdeviceids. This works for all generations of Thunderbolt controllers. Signed-off-by: Andreas Noever Reviewed-by: Lukas Wunner Signed-off-by: Greg Kroah-Hartman drivers/pci/quirks.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit c012268b37db6b10b59dac9b7f45956cb9a8bcb2 Author: Michael Ellerman Date: Fri Aug 5 14:25:53 2016 -0700 lkdtm: Mark lkdtm_rodata_do_nothing() notrace lkdtm_rodata_do_nothing() is an empty function which is generated in order to test the non-executability of rodata. Currently if function tracing is enabled then an mcount callsite will be generated for lkdtm_rodata_do_nothing(), and it will appear in the list of available functions for function tracing (available_filter_functions). Given it's purpose purely as a test function, it seems preferable for lkdtm_rodata_do_nothing() to be marked notrace, so it doesn't appear as traceable. This also avoids triggering a linker bug on powerpc: https://sourceware.org/bugzilla/show_bug.cgi?id=20428 When the linker sees code that needs to generate a call stub, eg. a branch to mcount(), it assumes the section is executable and dereferences a NULL pointer leading to a linker segfault. Marking lkdtm_rodata_do_nothing() notrace avoids triggering the bug because the function contains no other function calls. Signed-off-by: Michael Ellerman Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman drivers/misc/lkdtm_rodata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4e80ffab0e722911842b59299dbf8033709673e5 Author: Mohammed Shafi Shajakhan Date: Fri Aug 19 13:37:37 2016 +0300 ath10k: Remove driver log suggesting QCA9887 support is experimental Support for QCA9887 is no longer experimental and if there are any issues we need to address them Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath10k/pci.c | 1 - 1 file changed, 1 deletion(-) commit 237e15dfd5d651868726111c3a9d828bec700490 Author: Ashok Raj Nagarajan Date: Fri Aug 19 13:37:37 2016 +0300 ath10k: fix get rx_status from htt context On handling amsdu on rx path, get the rx_status from htt context. Without this fix, we are seeing warnings when running DBDC traffic like this. WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4105 ieee80211_rx_napi+0x88/0x7d8 [mac80211]() [ 1715.878248] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.21 #1 [ 1715.878273] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 1715.878293] [] (show_stack) from [] (dump_stack+0x70/0xbc) [ 1715.878315] [] (dump_stack) from [] (warn_slowpath_common+0x64/0x88) [ 1715.878339] [] (warn_slowpath_common) from [] (warn_slowpath_null+0x18/0x20) [ 1715.878395] [] (warn_slowpath_null) from [] (ieee80211_rx_napi+0x88/0x7d8 [mac80211]) [ 1715.878474] [] (ieee80211_rx_napi [mac80211]) from [] (ath10k_htt_t2h_msg_handler+0xb48/0xbfc [ath10k_core]) [ 1715.878535] [] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_t2h_msg_handler+0xbf8/0xbfc [ath10k_core]) [ 1715.878597] [] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_txrx_compl_task+0xa54/0x1170 [ath10k_core]) [ 1715.878639] [] (ath10k_htt_txrx_compl_task [ath10k_core]) from [] (tasklet_action+0xb4/0x130) [ 1715.878659] [] (tasklet_action) from [] (__do_softirq+0xe0/0x210) [ 1715.878678] [] (__do_softirq) from [] (irq_exit+0x84/0xe0) [ 1715.878700] [] (irq_exit) from [] (__handle_domain_irq+0x98/0xd0) [ 1715.878722] [] (__handle_domain_irq) from [] (gic_handle_irq+0x38/0x5c) [ 1715.878741] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x74) [ 1715.878753] Exception stack(0xc05f9f50 to 0xc05f9f98) [ 1715.878767] 9f40: ffffffed 00000000 00399e1e c000a220 [ 1715.878786] 9f60: 00000000 c05f6780 c05f8000 00000000 c05f5db8 ffffffed c05f8000 c04d1980 [ 1715.878802] 9f80: 00000000 c05f9f98 c0018110 c0018114 60000013 ffffffff [ 1715.878822] [] (__irq_svc) from [] (arch_cpu_idle+0x2c/0x50) [ 1715.878844] [] (arch_cpu_idle) from [] (cpu_startup_entry+0x108/0x234) [ 1715.878866] [] (cpu_startup_entry) from [] (start_kernel+0x33c/0x3b8) [ 1715.878879] ---[ end trace 6d5e1cc0fef8ed6a ]--- [ 1715.878899] ------------[ cut here ]------------ Fixes: 18235664e7f9 ("ath10k: cleanup amsdu processing for rx indication") Signed-off-by: Ashok Raj Nagarajan Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath10k/htt_rx.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 279cf3f23870f7eb8ca071115e06d3d5ca0a2b9e Author: Peter Wu Date: Fri Aug 26 01:00:54 2016 +0200 drm/nouveau/acpi: use DSM if bridge does not support D3cold Even if PR3 support is available on the bridge, it will not be used if the PCI layer considers it unavailable (i.e. on all laptops from 2013 and 2014). Ensure that this condition is checked to allow a fallback to the Optimus DSM for device poweroff. Initially I wanted to call pci_d3cold_enable before checking bridge_d3 (in case the user changed d3cold_allowed), but that is such an unlikely case and likely fragile anyway. The current patch is suggested by Mika in http://www.spinics.net/lists/linux-pci/msg52599.html Cc: Mika Westerberg Signed-off-by: Peter Wu Reviewed-by: Mika Westerberg Signed-off-by: Dave Airlie drivers/gpu/drm/nouveau/nouveau_acpi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit 2df5d103a646998c672a34db74d15613cf7a716d Merge: 1554369 c73c248 Author: David S. Miller Date: Tue Aug 30 22:02:09 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree, they are: 1) Allow nf_tables reject expression from input, forward and output hooks, since only there the routing information is available, otherwise we crash. 2) Fix unsafe list iteration when flushing timeout and accouting objects. 3) Fix refcount leak on timeout policy parsing failure. 4) Unlink timeout object for unconfirmed conntracks too 5) Missing validation of pkttype mangling from bridge family. 6) Fix refcount leak on ebtables on second lookup for the specific bridge match extension, this patch from Sabrina Dubroca. 7) Remove unnecessary ip_hdr() in nf_tables_netdev family. Patches from 1-5 and 7 from Liping Zhang. ==================== Signed-off-by: David S. Miller commit 15543692a010192b4264ade0d45390e8bb3dc639 Merge: e4e98c4 61aaa0e Author: David S. Miller Date: Tue Aug 30 21:34:48 2016 -0700 Merge tag 'mac80211-for-davem-2016-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Three little fixes: * revert a recent wext patch, which Ben Hutchings noticed was wrong, and it turns out not to be necessary for any driver * fix an infinite loop that can occur under certain conditions in mac80211's TDLS code (depending on regulatory information) * add a cfg80211_get_station() static inline when cfg80211 isn't built, to allow other modules to not have to depend on it for it ==================== Signed-off-by: David S. Miller commit d7737ce964d944dd07e25b0f569edcd550ede18c Author: Paul E. McKenney Date: Tue Apr 26 13:03:51 2016 -0700 PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle This commit appends a few _rcuidle suffixes to fix the following RCU-used-from-idle bug: > =============================== > [ INFO: suspicious RCU usage. ] > 4.6.0-rc5-next-20160426+ #1116 Not tainted > ------------------------------- > include/trace/events/rpm.h:95 suspicious rcu_dereference_check() usage! > > other info that might help us debug this: > > > RCU used illegally from idle CPU! > rcu_scheduler_active = 1, debug_locks = 0 > RCU used illegally from extended quiescent state! > 1 lock held by swapper/0/0: > #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __rpm_callback+0x58/0x60 > > stack backtrace: > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1116 > Hardware name: Generic OMAP36xx (Flattened Device Tree) > [] (unwind_backtrace) from [] (show_stack+0x10/0x14) > [] (show_stack) from [] (dump_stack+0xb0/0xe4) > [] (dump_stack) from [] (rpm_suspend+0x580/0x768) > [] (rpm_suspend) from [] (__pm_runtime_suspend+0x64/0x84) > [] (__pm_runtime_suspend) from [] (omap2_gpio_prepare_for_idle+0x5c/0x70) > [] (omap2_gpio_prepare_for_idle) from [] (omap_sram_idle+0x140/0x244) > [] (omap_sram_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) > [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) > [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) > [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) > [] (start_kernel) from [<8000807c>] (0x8000807c) In the immortal words of Steven Rostedt, "*Whack* *Whack* *Whack*!!!" Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck WhACKED-by: Steven Rostedt Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d44c950e9398e639e124014e5872480a37b67259 Author: Paul E. McKenney Date: Tue Apr 26 13:38:55 2016 -0700 PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle This commit applies another _rcuidle suffix to fix an RCU use from idle. > =============================== > [ INFO: suspicious RCU usage. ] > 4.6.0-rc5-next-20160426+ #1122 Not tainted > ------------------------------- > include/trace/events/rpm.h:69 suspicious rcu_dereference_check() usage! > > other info that might help us debug this: > > > RCU used illegally from idle CPU! > rcu_scheduler_active = 1, debug_locks = 0 > RCU used illegally from extended quiescent state! > 1 lock held by swapper/0/0: > #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __pm_runtime_resume+0x3c/0x64 > > stack backtrace: > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1122 > Hardware name: Generic OMAP36xx (Flattened Device Tree) > [] (unwind_backtrace) from [] (show_stack+0x10/0x14) > [] (show_stack) from [] (dump_stack+0xb0/0xe4) > [] (dump_stack) from [] (rpm_resume+0x5cc/0x7f4) > [] (rpm_resume) from [] (__pm_runtime_resume+0x4c/0x64) > [] (__pm_runtime_resume) from [] (omap2_gpio_resume_after_idle+0x54/0x68) > [] (omap2_gpio_resume_after_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) > [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) > [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) > [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) > [] (start_kernel) from [<8000807c>] (0x8000807c) Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bd37e022e334757a5dc1dae41baa29e16befe4ec Author: Wei Yongjun Date: Sun Aug 21 15:41:44 2016 +0000 cpufreq: dt: Add terminate entry for of_device_id tables Make sure of_device_id tables are NULL terminated. Signed-off-by: Wei Yongjun Acked-by: Viresh Kumar Fixes: f56aad1d98f1 (cpufreq: dt: Add generic platform-device creation support) CC: 4.7+ # 4.7+ Signed-off-by: Rafael J. Wysocki drivers/cpufreq/cpufreq-dt-platdev.c | 2 ++ 1 file changed, 2 insertions(+) commit edd1ea2a8a2549e4fe58e817d539445729491ecf Author: Bhaktipriya Shridhar Date: Tue Aug 30 22:19:11 2016 +0530 dm bufio: remove use of deprecated create_singlethread_workqueue() The workqueue "dm_bufio_wq" queues a single work item &dm_bufio_work so it doesn't require execution ordering. Hence, alloc_workqueue() has been used to replace the deprecated create_singlethread_workqueue(). The WQ_MEM_RECLAIM flag has been set since DM requires forward progress under memory pressure. Since there are fixed number of work items, explicit concurrency limit is unnecessary here. Signed-off-by: Bhaktipriya Shridhar Signed-off-by: Mike Snitzer drivers/md/dm-bufio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd Author: Eric Biggers Date: Tue Aug 30 09:51:44 2016 -0700 dm crypt: fix free of bad values after tfm allocation failure If crypt_alloc_tfms() had to allocate multiple tfms and it failed before the last allocation, then it would call crypt_free_tfms() and could free pointers from uninitialized memory -- due to the crypt_free_tfms() check for non-zero cc->tfms[i]. Fix by allocating zeroed memory. Signed-off-by: Eric Biggers Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-crypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4e870e948fbabf62b78e8410f04c67703e7c816b Author: Mikulas Patocka Date: Tue Aug 30 16:38:42 2016 -0400 dm crypt: fix error with too large bios When dm-crypt processes writes, it allocates a new bio in crypt_alloc_buffer(). The bio is allocated from a bio set and it can have at most BIO_MAX_PAGES vector entries, however the incoming bio can be larger (e.g. if it was allocated by bcache). If the incoming bio is larger, bio_alloc_bioset() fails and an error is returned. To avoid the error, we test for a too large bio in the function crypt_map() and use dm_accept_partial_bio() to split the bio. dm_accept_partial_bio() trims the current bio to the desired size and asks DM core to send another bio with the rest of the data. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org # v3.16+ drivers/md/dm-crypt.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 91e630d9ae6de6f740ef7c8176736eb55366833e Author: Vladimir Zapolskiy Date: Thu Mar 10 01:22:19 2016 +0200 dm log writes: fix check of kthread_run() return value The kthread_run() function returns either a valid task_struct or ERR_PTR() value, check for NULL is invalid. This change fixes potential for oops, e.g. in OOM situation. Signed-off-by: Vladimir Zapolskiy Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-log-writes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 61b5ebd6ffc3099618a2e79903e5ee0577c10799 Merge: 86a1679 485a252 Author: Linus Torvalds Date: Tue Aug 30 16:25:57 2016 -0700 Merge tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fix from Kees Cook: "Fix fatal signal delivery after ptrace reordering" * tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Fix tracer exit notifications during fatal signals commit 485a252a5559b45d7df04c819ec91177c62c270b Author: Kees Cook Date: Wed Aug 10 16:28:09 2016 -0700 seccomp: Fix tracer exit notifications during fatal signals This fixes a ptrace vs fatal pending signals bug as manifested in seccomp now that seccomp was reordered to happen after ptrace. The short version is that seccomp should not attempt to call do_exit() while fatal signals are pending under a tracer. The existing code was trying to be as defensively paranoid as possible, but it now ends up confusing ptrace. Instead, the syscall can just be skipped (which solves the original concern that the do_exit() was addressing) and normal signal handling, tracer notification, and process death can happen. Paraphrasing from the original bug report: If a tracee task is in a PTRACE_EVENT_SECCOMP trap, or has been resumed after such a trap but not yet been scheduled, and another task in the thread-group calls exit_group(), then the tracee task exits without the ptracer receiving a PTRACE_EVENT_EXIT notification. Test case here: https://gist.github.com/khuey/3c43ac247c72cef8c956ca73281c9be7 The bug happens because when __seccomp_filter() detects fatal_signal_pending(), it calls do_exit() without dequeuing the fatal signal. When do_exit() sends the PTRACE_EVENT_EXIT notification and that task is descheduled, __schedule() notices that there is a fatal signal pending and changes its state from TASK_TRACED to TASK_RUNNING. That prevents the ptracer's waitpid() from returning the ptrace event. A more detailed analysis is here: https://github.com/mozilla/rr/issues/1762#issuecomment-237396255. Reported-by: Robert O'Callahan Reported-by: Kyle Huey Tested-by: Kyle Huey Fixes: 93e35efb8de4 ("x86/ptrace: run seccomp after ptrace") Signed-off-by: Kees Cook Acked-by: Oleg Nesterov Acked-by: James Morris kernel/seccomp.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 313a61d30761217ce4383018de1cc0d5d503a376 Author: Eric Anholt Date: Tue Aug 30 13:57:38 2016 -0700 drm/vc4: Allow some more signals to be packed with uniform resets. The intent was to make sure people don't sneak in a small immediate or something to change the interpretation of the uniform update args, but these signals are just fine. Fixes a validation failure in the current X server on some Render operation. Signed-off-by: Eric Anholt drivers/gpu/drm/vc4/vc4_validate_shaders.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit 7efb367320f56fc4d549875b6f3a6940018ef2e5 Author: Mikulas Patocka Date: Tue Aug 30 16:20:55 2016 -0400 dm log writes: fix bug with too large bios bio_alloc() can allocate a bio with at most BIO_MAX_PAGES (256) vector entries. However, the incoming bio may have more vector entries if it was allocated by other means. For example, bcache submits bios with more than BIO_MAX_PAGES entries. This results in bio_alloc() failure. To avoid the failure, change the code so that it allocates bio with at most BIO_MAX_PAGES entries. If the incoming bio has more entries, bio_add_page() will fail and a new bio will be allocated - the code that handles bio_add_page() failure already exists in the dm-log-writes target. Signed-off-by: Mikulas Patocka Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org # v4.1+ drivers/md/dm-log-writes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Author: Mikulas Patocka Date: Tue Aug 30 16:11:53 2016 -0400 dm log writes: move IO accounting earlier to fix error path Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to fix a bug that the target hangs if bio_alloc() fails. The error path does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before invoking the error path to avoid underflow of lc->io_blocks. Signed-off-by: Mikulas Patocka Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-log-writes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 86a1679860babbacd61fc1e8c0c0f43641d5860d Merge: 0cf21c6 45c91d8 Author: Linus Torvalds Date: Tue Aug 30 11:24:04 2016 -0700 Merge tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD fixes from Shaohua Li: "This includes several bug fixes: - Alexey Obitotskiy fixed a hang for faulty raid5 array with external management - Song Liu fixed two raid5 journal related bugs - Tomasz Majchrzak fixed a bad block recording issue and an accounting issue for raid10 - ZhengYuan Liu fixed an accounting issue for raid5 - I fixed a potential race condition and memory leak with DIF/DIX enabled - other trival fixes" * tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: raid5: avoid unnecessary bio data set raid5: fix memory leak of bio integrity data raid10: record correct address of bad block md-cluster: fix error return code in join() r5cache: set MD_JOURNAL_CLEAN correctly md: don't print the same repeated messages about delayed sync operation md: remove obsolete ret in md_start_sync md: do not count journal as spare in GET_ARRAY_INFO md: Prevent IO hold during accessing to faulty raid5 array MD: hold mddev lock to change bitmap location raid5: fix incorrectly counter of conf->empty_inactive_list_nr raid10: increment write counter after bio is split commit 0cf21c6609c582690a9407bddb72aec2732c6178 Merge: 0d025d2 98b0f80 Author: Linus Torvalds Date: Tue Aug 30 11:14:02 2016 -0700 Merge tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Highlights include: Stable patches: - Fix a refcount leak in nfs_callback_up_net - Fix an Oopsable condition when the flexfile pNFS driver connection to the DS fails - Fix an Oopsable condition in NFSv4.1 server callback races - Ensure pNFS clients stop doing I/O to the DS if their lease has expired, as required by the NFSv4.1 protocol Bugfixes: - Fix potential looping in the NFSv4.x migration code - Patch series to close callback races for OPEN, LAYOUTGET and LAYOUTRETURN - Silence WARN_ON when NFSv4.1 over RDMA is in use - Fix a LAYOUTCOMMIT race in the pNFS/blocks client - Fix pNFS timeout issues when the DS fails" * tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFSv4.x: Fix a refcount leak in nfs_callback_up_net NFS4: Avoid migration loops pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails NFSv4.1: Remove obsolete and incorrrect assignment in nfs4_callback_sequence NFSv4.1: Close callback races for OPEN, LAYOUTGET and LAYOUTRETURN NFSv4.1: Defer bumping the slot sequence number until we free the slot NFSv4.1: Delay callback processing when there are referring triples NFSv4.1: Fix Oopsable condition in server callback races SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use pnfs/blocklayout: update last_write_offset atomically with extents pNFS: The client must not do I/O to the DS if it's lease has expired pNFS: Handle NFS4ERR_OLD_STATEID correctly in LAYOUTSTAT calls pNFS/flexfiles: Set reasonable default retrans values for the data channel NFS: Allow the mount option retrans=0 pNFS/flexfiles: Fix layoutstat periodic reporting commit 0d025d271e55f3de21f0aaaf54b42d20404d2b23 Author: Josh Poimboeuf Date: Tue Aug 30 08:04:16 2016 -0500 mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS There are three usercopy warnings which are currently being silenced for gcc 4.6 and newer: 1) "copy_from_user() buffer size is too small" compile warning/error This is a static warning which happens when object size and copy size are both const, and copy size > object size. I didn't see any false positives for this one. So the function warning attribute seems to be working fine here. Note this scenario is always a bug and so I think it should be changed to *always* be an error, regardless of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS. 2) "copy_from_user() buffer size is not provably correct" compile warning This is another static warning which happens when I enable __compiletime_object_size() for new compilers (and CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size is const, but copy size is *not*. In this case there's no way to compare the two at build time, so it gives the warning. (Note the warning is a byproduct of the fact that gcc has no way of knowing whether the overflow function will be called, so the call isn't dead code and the warning attribute is activated.) So this warning seems to only indicate "this is an unusual pattern, maybe you should check it out" rather than "this is a bug". I get 102(!) of these warnings with allyesconfig and the __compiletime_object_size() gcc check removed. I don't know if there are any real bugs hiding in there, but from looking at a small sample, I didn't see any. According to Kees, it does sometimes find real bugs. But the false positive rate seems high. 3) "Buffer overflow detected" runtime warning This is a runtime warning where object size is const, and copy size > object size. All three warnings (both static and runtime) were completely disabled for gcc 4.6 with the following commit: 2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+") That commit mistakenly assumed that the false positives were caused by a gcc bug in __compiletime_object_size(). But in fact, __compiletime_object_size() seems to be working fine. The false positives were instead triggered by #2 above. (Though I don't have an explanation for why the warnings supposedly only started showing up in gcc 4.6.) So remove warning #2 to get rid of all the false positives, and re-enable warnings #1 and #3 by reverting the above commit. Furthermore, since #1 is a real bug which is detected at compile time, upgrade it to always be an error. Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer needed. Signed-off-by: Josh Poimboeuf Cc: Kees Cook Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H . Peter Anvin" Cc: Andy Lutomirski Cc: Steven Rostedt Cc: Brian Gerst Cc: Peter Zijlstra Cc: Frederic Weisbecker Cc: Byungchul Park Cc: Nilay Vaish Signed-off-by: Linus Torvalds arch/parisc/Kconfig | 1 - arch/parisc/configs/c8000_defconfig | 1 - arch/parisc/configs/generic-64bit_defconfig | 1 - arch/parisc/include/asm/uaccess.h | 22 ++++----- arch/s390/Kconfig | 1 - arch/s390/configs/default_defconfig | 1 - arch/s390/configs/gcov_defconfig | 1 - arch/s390/configs/performance_defconfig | 1 - arch/s390/defconfig | 1 - arch/s390/include/asm/uaccess.h | 19 +++++--- arch/tile/Kconfig | 1 - arch/tile/include/asm/uaccess.h | 22 +++++---- arch/x86/Kconfig | 1 - arch/x86/include/asm/uaccess.h | 69 ++++------------------------- include/asm-generic/uaccess.h | 1 + include/linux/compiler-gcc.h | 2 +- lib/Kconfig.debug | 18 -------- lib/Makefile | 1 - lib/usercopy.c | 9 ---- 19 files changed, 45 insertions(+), 128 deletions(-) commit d8dc020cac1d5335cab3ffadb1964ad83c2f8729 Merge: 748e7fc 9ebae9e Author: Linus Torvalds Date: Tue Aug 30 09:44:11 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata Pull libata fixes from Tejun Heo: "Two libata driver specific fixes for v4.8-rc4. Nothing too scary" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: pata_ninja32: Avoid corrupting status flags ahci: disable correct irq for dummy ports commit 748e7fc20983fccd742e93c5b6a38ece1f71f80f Merge: e4e98c4 568ac88 Author: Linus Torvalds Date: Tue Aug 30 09:31:59 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Two fixes for cgroup. - There still was a hole in enforcing cpuset rules, fixed by Li. - The recent switch to global percpu_rwseom for threadgroup locking revealed a couple issues in how percpu_rwsem is implemented and used by cgroup. Balbir found that the read locking section was too wide unnecessarily including operations which can often depend on IOs. With percpu_rwsem updates (coming through a different tree) and reduction of read locking section, all the reported locking latency issues, including the android one, are resolved. It looks like we can keep global percpu_rwsem locking for now. If there actually are cases which can't be resolved, we can go back to more complex per-signal_struct locking" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork cpuset: make sure new tasks conform to the current config of the cpuset commit 9ebae9e4bcd7dff22536af8a969d8f66e6f23900 Author: Alan Cox Date: Tue Aug 30 16:47:02 2016 +0100 pata_ninja32: Avoid corrupting status flags Ninja32 needs to set some flags to indicate it does 32bit IO. However it currently assigns this which loses the initializing flag and causes a warning spew. Fix it to use a logical or as is intended. Signed-off-by: Alan Cox Tested-by: Ellmar Stelnberger Signed-off-by: Tejun Heo drivers/ata/pata_ninja32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 98b0f80c2396224bbbed81792b526e6c72ba9efa Author: Trond Myklebust Date: Mon Aug 29 11:15:36 2016 -0400 NFSv4.x: Fix a refcount leak in nfs_callback_up_net On error, the callers expect us to return without bumping nn->cb_users[]. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v3.7+ fs/nfs/callback.c | 1 + 1 file changed, 1 insertion(+) commit 52442f9b11b7e5d4a38d99143011831fd171f8d9 Author: Benjamin Coddington Date: Tue Aug 30 09:20:32 2016 -0400 NFS4: Avoid migration loops If a server returns itself as a location while migrating, the client may end up getting stuck attempting to migrate twice to the same server. Catch this by checking if the nfs_client found is the same as the existing client. For the other two callers to nfs4_set_client, the nfs_client will always be ERR_PTR(-EINVAL). Signed-off-by: Benjamin Coddington Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 5 +++++ 1 file changed, 5 insertions(+) commit 8c57cac1457f3125a5d13dc03635c0708c61bff0 Author: Tomas Winkler Date: Wed Jul 20 10:24:02 2016 +0300 mei: me: disable driver on SPT SPS firmware Sunrise Point PCH with SPS Firmware doesn't expose working MEI interface, we need to quirk it out. The SPS Firmware is identifiable only on the first PCI function of the device. Cc: #4.6+ Tested-by: Sujith Pandel Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman drivers/misc/mei/hw-me.c | 10 ++++++++-- drivers/misc/mei/pci-me.c | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 2c5575401e34de3d2fc90af1c95bc73435784093 Author: Tony Lindgren Date: Fri Aug 26 16:28:39 2016 -0500 usb: musb: Fix locking errors for host only mode If we have USB gadgets disabled and USB_MUSB_HOST set, we get errors "possible irq lock inverssion dependency detected" errors during boot. Let's fix the issue by adding start_musb flag and start the controller after we're out of the spinlock protected section. Reported-by: Ladislav Michl Tested-by: Ladislav Michl Signed-off-by: Tony Lindgren Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/musb_virthub.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 20b8f9e2dde171c69da4a79c34fccdc2a8492797 Merge: 3eab887 a7d4b8f Author: Paolo Bonzini Date: Tue Aug 30 14:11:33 2016 +0200 Merge tag 'kvm-s390-master-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master KVM: s390: Fix for fpu register errors since 4.7 This fixes a regression that was introduced by a semantic change in commit 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct"). Symptoms are broken host userspace fpu registers if the old FPU set/get ioctls are used. commit 3fa2a81e6e77f4308b4a3860aab2a1885a127f47 Merge: 83b4a3d 017300d Author: Greg Kroah-Hartman Date: Tue Aug 30 14:10:51 2016 +0200 Merge tag 'phy-for-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-linus Kishon writes: phy: for 4.8 -rc *) Fix to get host-only mode working in sun4i *) Fix a compilation error because of missing header file *) Other minor fixes Signed-off-by: Kishon Vijay Abraham I commit 83b4a3d79efb291c17cd9b2182e187c1217f8276 Merge: d1228f4 c4e9417 Author: Greg Kroah-Hartman Date: Tue Aug 30 14:07:01 2016 +0200 Merge tag 'usb-ci-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus Peter writes: Fix one bug that host can't work after insmod gadget module at dual-role mode, the root cause of this issue is the usbcmd.rs is cleared by chipidea udc code. commit 8aade778f787305fdbfd3c1d54e6b583601b5902 Author: Anson Huang Date: Mon Aug 22 23:53:25 2016 +0800 ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx i.MX6SX has bypass PMIC ready function, as this function is normally NOT enabled on the board design, so we need to bypass the PMIC ready pin check during DSM mode resume flow, otherwise, the internal DSM resume logic will be waiting for this signal to be ready forever and cause resume fail. Signed-off-by: Anson Huang Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx") Cc: Tested-by: Peter Chen Signed-off-by: Shawn Guo arch/arm/mach-imx/pm-imx6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c73c2484901139c28383b58eabcbf4d613e91518 Author: Liping Zhang Date: Sun Aug 28 16:59:52 2016 +0800 netfilter: nf_tables_netdev: remove redundant ip_hdr assignment We have already use skb_header_pointer to get the ip header pointer, so there's no need to use ip_hdr again. Moreover, in NETDEV INGRESS hook, ip header maybe not linear, so use ip_hdr is not appropriate, remove it. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_netdev.c | 1 - 1 file changed, 1 deletion(-) commit b030485220caf862c71db6fb8b8ad016ce7f7565 Author: Javier Martinez Canillas Date: Sun Aug 21 03:27:45 2016 -0400 ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback The Exynos PMU node is an interrupt, clock and PMU (Power Management Unit) controller, and these functionalities are supported by different drivers that matches the same compatible strings. Since commit 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") the OF core flags interrupt controllers registered with the IRQCHIP_DECLARE() macro as OF_POPULATED, so platform devices with the same compatible string as the interrupt controller will not be registered. This prevents the PMU platform device to be registered so the Exynos PMU driver is never probed. This breaks (among other things) Suspend-to-RAM. Fix this by clearing the OF_POPULATED flag in the PMU IRQ init callback, to allow the Exynos PMU platform driver to be probed. The patch is based on Philipp Zabel's "ARM: imx6: mark GPC node as not populated after irq init to probe pm domain driver". Fixes: 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") Signed-off-by: Javier Martinez Canillas Signed-off-by: Krzysztof Kozlowski arch/arm/mach-exynos/suspend.c | 6 ++++++ 1 file changed, 6 insertions(+) commit fd06c77eb9200b53d421da5fffe0dcd894b5d72a Author: Kai-Heng Feng Date: Tue Aug 30 15:36:34 2016 +0800 ALSA: hda - Enable subwoofer on Dell Inspiron 7559 The subwoofer on Inspiron 7559 was disabled originally. Applying a pin fixup to node 0x1b can enable it and make it work. Old pin: 0x411111f0 New pin: 0x90170151 Signed-off-by: Kai-Heng Feng Cc: Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit a474478642d57641ea06645104a15acc0420f01a Author: Lucas Stach Date: Mon Aug 29 17:51:24 2016 +0200 drm/imx: fix crtc vblank state regression The atomic conversion lost the notification to let the DRM core know about the current state of the CRTC vblank interrupts. This regressed the ability of the core to reject page flip attempts on currently disabled CRTCs. Add back the notifications. Signed-off-by: Lucas Stach Signed-off-by: Philipp Zabel drivers/gpu/drm/imx/ipuv3-crtc.c | 4 ++++ 1 file changed, 4 insertions(+) commit 61aaa0e8c1c15d9e045f0577f046be50f2f571ab Author: Linus Lüssing Date: Fri Aug 19 22:02:48 2016 +0200 cfg80211: Add stub for cfg80211_get_station() This allows modules using this function (currently: batman-adv) to compile even if cfg80211 is not built at all, thus relaxing dependencies. Signed-off-by: Linus Lüssing Signed-off-by: Johannes Berg include/net/cfg80211.h | 9 +++++++++ 1 file changed, 9 insertions(+) commit 554d072e7bc3e56de5893c8181110a547b2062c9 Author: Arik Nemtsov Date: Mon Aug 29 12:37:35 2016 +0300 mac80211: TDLS: don't require beaconing for AP BW Stop downgrading TDLS chandef when reaching the AP BW. The AP provides the necessary regulatory protection in this case. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=153961, which reported an infinite loop here. Reported-by: Kamil Toman Signed-off-by: Arik Nemtsov Signed-off-by: Johannes Berg net/mac80211/tdls.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 311042d1b67d9a1856a8e1294e7729fb86f64014 Author: Shrirang Bagul Date: Mon Aug 29 15:19:27 2016 +0800 ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 This patch enables headset microphone on some variants of Dell Inspiron 5468. (Dell SSID 0x07ad) BugLink: https://bugs.launchpad.net/bugs/1617900 Signed-off-by: Shrirang Bagul Cc: Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 4 ++++ 1 file changed, 4 insertions(+) commit ea78d80866ce375defb2fdd1c8a3aafec95e0f85 Author: Darrick J. Wong Date: Tue Aug 30 13:51:39 2016 +1000 xfs: track log done items directly in the deferred pending work item Christoph reports slab corruption when a deferred refcount update aborts during _defer_finish(). The cause of this was broken log item state tracking in xfs_defer_pending -- upon an abort, _defer_trans_abort() will call abort_intent on all intent items, including the ones that have already had a done item attached. This is incorrect because each intent item has 2 refcount: the first is released when the intent item is committed to the log; and the second is released when the _done_ item is committed to the log, or by the intent creator if there is no done item. In other words, once we log the done item, responsibility for releasing the intent item's second refcount is transferred to the done item and /must not/ be performed by anything else. The dfp_committed flag should have been tracking whether or not we had a done item so that _defer_trans_abort could decide if it needs to abort the intent item, but due to a thinko this was not the case. Rip it out and track the done item directly so that we do the right thing w.r.t. intent item freeing. Signed-off-by: Darrick J. Wong Reported-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_defer.c | 17 ++++------------- fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/xfs_trace.h | 2 +- 3 files changed, 6 insertions(+), 15 deletions(-) commit e4e98c460ad38c78498622a164fd5ef09a2dc9cb Merge: b892772 3c32926 Author: Linus Torvalds Date: Mon Aug 29 19:12:35 2016 -0700 Merge tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fix from Guenter Roeck: "Add missing sysfs attribute group terminator to it87 driver" * tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (it87) Add missing sysfs attribute group terminator commit dc7066c54107255f5f9a11bf3f82417c9b1aef51 Merge: af7c388 a45f9d4 Author: Stephen Boyd Date: Mon Aug 29 17:08:35 2016 -0700 Merge tag 'v4.8-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into clk-fixes Some fixes for rk3399 register errors that revealed themself during actual use. * tag 'v4.8-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399 clk: rockchip: fix incorrect GATE bits for {c, g}pll_aclk_perihp_src on rk3399 clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399 clk: rockchip: fix rk3399 aclk_vio gate bit commit a93295a7e118b5c58391906e47183775b1eb7cb1 Author: Roger Quadros Date: Mon Aug 15 10:47:39 2016 +0300 mtd: nand: omap2: Don't call dma_release_channel() if dma_request_chan() failed dma_request_chan() can fail returning an error pointer. In this case prevent calling dma_release_channel() to prevent a ERR_PTR() dereference. As error path can be called even with no DMA configuration, info->dma can be NULL so don't call dma_release_channel() for that case either. Fixes: de3bfc4a1616: ("mtd: nand: omap2: fix return value check in omap_nand_probe()") Reported-by: Dan Carpenter Signed-off-by: Roger Quadros Acked-by: Boris Brezillon Signed-off-by: Brian Norris drivers/mtd/nand/omap2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b8927721ae9d5ac0582d29d7b8c267d465ad5f00 Merge: 1f6a563 2e81a4e Author: Linus Torvalds Date: Mon Aug 29 12:37:11 2016 -0700 Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Fix bugs that could cause kernel deadlocks or file system corruption while moving xattrs to expand the extended inode. Also add some sanity checks to the block group descriptors to make sure we don't end up overwriting the superblock" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: avoid deadlock when expanding inode size ext4: properly align shifted xattrs when expanding inodes ext4: fix xattr shifting when expanding inodes part 2 ext4: fix xattr shifting when expanding inodes ext4: validate that metadata blocks do not overlap superblock ext4: reserve xattr index for the Hurd commit 1f6a563ee0cd577a9292940eee389482db306765 Merge: cf4d377 b99b43b Author: Linus Torvalds Date: Mon Aug 29 12:29:13 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Segregate namespaces properly in conntrack dumps, from Liping Zhang. 2) tcp listener refcount fix in netfilter tproxy, from Eric Dumazet. 3) Fix timeouts in qed driver due to xmit_more, from Yuval Mintz. 4) Fix use-after-free in tcp_xmit_retransmit_queue(). 5) Userspace header fixups (use of __u32, missing includes, etc.) from Mikko Rapeli. 6) Further refinements to fragmentation wrt gso and tunnels, from Shmulik Ladkani. 7) Trigger poll correctly for zero length UDP packets, from Eric Dumazet. 8) TCP window scaling fix, also from Eric Dumazet. 9) SLAB_DESTROY_BY_RCU is not relevant any more for UDP sockets. 10) Module refcount leak in qdisc_create_dflt(), from Eric Dumazet. 11) Fix deadlock in cp_rx_poll() of 8139cp driver, from Gao Feng. 12) Memory leak in rhashtable's alloc_bucket_locks(), from Eric Dumazet. 13) Add new device ID to alx driver, from Owen Lin. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits) Add Killer E2500 device ID in alx driver. net: smc91x: fix SMC accesses Documentation: networking: dsa: Remove platform device TODO net/mlx5: Increase number of ethtool steering priorities net/mlx5: Add error prints when validate ETS failed net/mlx5e: Fix memory leak if refreshing TIRs fails net/mlx5e: Add ethtool counter for TX xmit_more net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ net/mlx5e: Don't wait for SQ completions on close net/mlx5e: Don't post fragmented MPWQE when RQ is disabled net/mlx5e: Don't wait for RQ completions on close net/mlx5e: Limit UMR length to the device's limitation rhashtable: fix a memory leak in alloc_bucket_locks() sfc: fix potential stack corruption from running past stat bitmask team: loadbalance: push lacpdus to exact delivery net: hns: dereference ppe_cb->ppe_common_cb if it is non-null 8139cp: Fix one possible deadloop in cp_rx_poll i40e: Change some init flow for the client Revert "phy: IRQ cannot be shared" net: dsa: bcm_sf2: Fix race condition while unmasking interrupts ... commit a904a08b5fee5317ff0f7b8212aa5d0776795a52 Author: Peer, Ilan Date: Wed Aug 10 13:48:35 2016 +0300 iwlwifi: mvm: Advertise support for AP channel width change The iwlmvm driver supports channel width change in AP mode. Add the proper flag. Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 1 + 1 file changed, 1 insertion(+) commit ff6e58e648ed5f3cc43891767811d5c3c88bbd41 Author: Emmanuel Grumbach Date: Wed Aug 3 22:06:43 2016 +0300 iwlwifi: mvm: don't use ret when not initialised fw-dbg code return ret but that variable was either 0 or not initialised. Return 0 always. Signed-off-by: Emmanuel Grumbach Fixes: 6a95126763fb ("iwlwifi: mvm: send dbg config hcmds to fw if set in tlv") Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit bdc98b13716eafc454457e068d6c8aaffaaa71e4 Author: Sharon Dvir Date: Mon Jul 25 16:11:05 2016 +0300 iwlwifi: mvm: check if vif is NULL before using it wdev_to_ieee80211_vif() might return NULL. Check that vif != NULL before dereferencing it. Signed-off-by: Sharon Dvir Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 ++ 1 file changed, 2 insertions(+) commit 360647959323ec066cc55d82133df73e30530824 Author: Emmanuel Grumbach Date: Mon Jul 11 09:25:45 2016 +0300 iwlwifi: mvm: consider P2p device type for firmware dump triggers When the user really wanted a dump on P2P Client, he coudln't get it because we checked vif->type but didn't take vif->p2p into account. Fix that. Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 Author: Trond Myklebust Date: Mon Aug 29 15:12:54 2016 -0400 pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails If the attempt to connect to a DS fails inside ff_layout_pg_init_read or ff_layout_pg_init_write, then we currently end up clearing the layout segment carried by the struct nfs_pageio_descriptor, causing an Oops when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist. The fix is to ensure we return the layout and then retry. Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Trond Myklebust fs/nfs/flexfilelayout/flexfilelayout.c | 37 +++++++++++++++---------------- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 19 ++++++++-------- 2 files changed, 28 insertions(+), 28 deletions(-) commit cf4d3779e5ccfc2886e1e4ca19adaf59636f963d Merge: 2a90309 da43bf0 Author: Linus Torvalds Date: Mon Aug 29 12:20:22 2016 -0700 Merge tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86 Pull x86 platform driver fixes from Darren Hart: "Remove module related code from two drivers that are only configurable as built-in: intel_pmic_gpio and platform/olpc" * tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86: intel_pmic_gpio: Make explicitly non-modular platform/olpc: Make ec explicitly non-modular commit 2a90309e062382ca0bd10bc2004abcab8fa0944b Merge: 3eab887 78a3e88 Author: Linus Torvalds Date: Mon Aug 29 12:12:15 2016 -0700 Merge tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Ben Herrenschmidt: "This was meant to be sent early last week, but I has a change pending on one of the fixes and other things made me forget all about. Ugh. We have some misc fixes for powerpc 4.8. Some trivial bits and some regressions, and a trivial cleanup or two that I saw no point in letting rot in patchwork" * tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc: signals: Discard transaction state from signal frames powerpc/powernv : Drop reference added by kset_find_obj() powerpc/tm: do not use r13 for tabort_syscall powerpc: move hmi.c to arch/powerpc/kvm/ powerpc: sysdev: cpm: fix gpio save_regs functions powerpc/pseries: PACA save area fix for MCE vs MCE powerpc/pseries: PACA save area fix for general exception vs MCE powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support powerpc, hotplug: Avoid to touch non-existent cpumasks. powerpc: migrate exception table users off module.h and onto extable.h powerpc/powernv/pci: fix iterator signedness powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) cxl: use pcibios_free_controller_deferred() when removing vPHBs powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner" powerpc/512x: Delete unnecessary assignment for the field "owner" drivers/macintosh: Delete owner assignment powerpc: cputhreads: Add missing include file commit bb87f02b7e4ccdb614a83cbf840524de81e9b321 Merge: b64abcb 7711aaf0 Author: Kalle Valo Date: Mon Aug 29 21:39:04 2016 +0300 Merge ath-current from ath.git ath.git fixes for 4.8. Major changes: ath9k * fix regression in client mode beacon configuration * fix a station pointer which resulted in spurious crashes commit f8e81d7e496ea89f377c6935b92022032bed62e5 Author: Gregor Boirie Date: Wed Aug 24 15:28:27 2016 +0200 tools:iio:iio_generic_buffer: fix trigger-less mode Passing the trigger-less mode option on the command line causes iio_generic_buffer to fail searching for an IIO trigger. Fix this by skipping trigger initialization if trigger-less mode is requested. Technically it actually fixes: 7c7e9dad70 where the bug was introduced but as the window to the patch below that changes the context was very small let's mark it with that. Signed-off-by: Gregor Boirie Fixes: deb4d1fdcb5af ("iio: generic_buffer: Fix --trigger-num option") Signed-off-by: Jonathan Cameron tools/iio/iio_generic_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 83d9956b7e6b310c1062df7894257251c625b22e Author: Ken Lin Date: Fri Aug 12 14:08:47 2016 -0400 ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 Avoid getting sample rate on B850V3 CP2114 as it is unsupported and causes noisy "current rate is different from the runtime rate" messages when playback starts. Signed-off-by: Ken Lin Signed-off-by: Akshay Bhat Cc: Signed-off-by: Takashi Iwai sound/usb/quirks.c | 1 + 1 file changed, 1 insertion(+) commit d8d8d9d789097f91edaeee65b77523079fa8cf3f Merge: 3eab887 4d8c6a7 Author: Jens Axboe Date: Mon Aug 29 08:39:22 2016 -0600 Merge branch 'nvmf-4.8-rc' of git://git.infradead.org/nvme-fabrics into for-linus Sagi writes: Mostly stability fixes and cleanups: - NQN endianess fix from Daniel - possible use-after-free fix from Vincent - nvme-rdma connect semantics fixes from Jay - Remove redundant variables in rdma driver - Kbuild fix from Christoph - nvmf_host referencing fix from Christoph - uninit variable fix from Colin commit c6c1f9bc798bee7cfc2e172cd2c9b48187d801a7 Author: Liu Ying Date: Mon Aug 15 16:41:13 2016 +0800 drm/imx: Add active plane reconfiguration support We don't support configuring active plane on-the-fly for imx-drm. The relevant CRTC should be disabled before the plane configuration. Of course, the plane itself should be disabled as well. This patch adds active plane reconfiguration support by forcing CRTC mode change and disabling-enabling plane in plane's ->atomic_update callback. Suggested-by: Daniel Vetter Cc: Philipp Zabel Cc: David Airlie Cc: Russell King Cc: Daniel Vetter Cc: Peter Senna Tschudin Signed-off-by: Liu Ying Tested-by: Peter Senna Tschudin Tested-by: Lucas Stach Signed-off-by: Philipp Zabel drivers/gpu/drm/imx/imx-drm-core.c | 26 +++++++++++++++++++++++++- drivers/gpu/drm/imx/ipuv3-plane.c | 21 ++++++++++++++------- 2 files changed, 39 insertions(+), 8 deletions(-) commit f7d3586f2dbe330a84f8d0d02c39ddb3fbde67d3 Author: Vladimir Zapolskiy Date: Mon Aug 29 04:41:50 2016 +0300 ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name Fix misspelled "ti,x-plate-ohms" property name of TI TSC2046 touchscreen controller. Fixes: d09e6beafa23 ("ARM: dts: imx7d-sdb: Add support for touchscreen") Signed-off-by: Vladimir Zapolskiy Signed-off-by: Shawn Guo arch/arm/boot/dts/imx7d-sdb.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a75e4a85f49e7f5d71cf0e425bc009c15ad3b5c4 Author: Baoyou Xie Date: Sun Aug 28 01:15:24 2016 +0800 fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible We get 2 warnings when biuld kernel with W=1: drivers/mailbox/bcm-pdc-mailbox.c:472:6: warning: no previous prototype for 'pdc_setup_debugfs' [-Wmissing-prototypes] drivers/mailbox/bcm-pdc-mailbox.c:488:6: warning: no previous prototype for 'pdc_free_debugfs' [-Wmissing-prototypes] In fact, these functions are only used in the file in which they are declared and don't need a declaration, but can be made static. so this patch marks these functions with 'static'. Signed-off-by: Baoyou Xie Acked-by: Arnd Bergmann Signed-off-by: Jassi Brar drivers/mailbox/bcm-pdc-mailbox.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 068cf29eca4ef25556496635b978143b170b862c Author: Dan Carpenter Date: Thu Aug 4 08:30:31 2016 +0300 mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown() We can't pass NULL pointers to pdc_ring_free() so I moved the check for NULL. Signed-off-by: Dan Carpenter Signed-off-by: Jassi Brar drivers/mailbox/bcm-pdc-mailbox.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit e0c6fba45ab730afc22fa01ac1c42459893252ec Author: Rob Rice Date: Mon Aug 1 13:03:41 2016 -0400 mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX to avoid link error on some platforms. Reported-by: Fengguang Wu Signed-off-by: Rob Rice Acked-by: Geert Uytterhoeven Signed-off-by: Jassi Brar drivers/mailbox/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 3c3292634fc2de1ab97b6aa3222fee647f737adb Author: Jean Delvare Date: Mon Aug 29 13:18:23 2016 +0200 hwmon: (it87) Add missing sysfs attribute group terminator Attribute array it87_attributes_in lacks its NULL terminator, causing random behavior when operating on the attribute group. Fixes: 52929715634a ("hwmon: (it87) Use is_visible for voltage sensors") Signed-off-by: Jean Delvare Cc: Martin Blumenstingl Cc: Guenter Roeck Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck drivers/hwmon/it87.c | 1 + 1 file changed, 1 insertion(+) commit 8a07fed44b126f48020f122b9e6bf05d8c48f281 Author: Chris Wilson Date: Tue Aug 23 10:25:58 2016 +0100 drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() If we hit the error path, we have never called drm_encoder_init() and so have nothing to cleanup. Doing so hits a null dereference: [ 10.066261] BUG: unable to handle kernel NULL pointer dereference at 00000104 [ 10.066273] IP: [] mutex_lock+0xa/0x15 [ 10.066287] *pde = 00000000 [ 10.066295] Oops: 0002 [#1] [ 10.066302] Modules linked in: i915(+) video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm iTCO_wdt iTCO_vendor_support ppdev evdev snd_intel8x0 snd_ac97_codec ac97_bus psmouse snd_pcm snd_timer snd pcspkr uhci_hcd ehci_pci soundcore sr_mod ehci_hcd serio_raw i2c_i801 usbcore i2c_smbus cdrom lpc_ich mfd_core rng_core e100 mii floppy parport_pc parport acpi_cpufreq button processor usb_common eeprom lm85 hwmon_vid autofs4 [ 10.066378] CPU: 0 PID: 132 Comm: systemd-udevd Not tainted 4.8.0-rc3-00013-gef0e1ea #34 [ 10.066389] Hardware name: MicroLink /D865GLC , BIOS BF86510A.86A.0077.P25.0508040031 08/04/2005 [ 10.066401] task: f62db800 task.stack: f5970000 [ 10.066409] EIP: 0060:[] EFLAGS: 00010286 CPU: 0 [ 10.066417] EIP is at mutex_lock+0xa/0x15 [ 10.066424] EAX: 00000104 EBX: 00000104 ECX: 00000000 EDX: 80000000 [ 10.066432] ESI: 00000000 EDI: 00000104 EBP: f5be8000 ESP: f5971b58 [ 10.066439] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 10.066446] CR0: 80050033 CR2: 00000104 CR3: 35945000 CR4: 000006d0 [ 10.066453] Stack: [ 10.066459] f503d740 f824dddf 00000000 f61170c0 f61170c0 f82371ae f850f40e 00000001 [ 10.066476] f61170c0 f5971bcc f5be8000 f9c2d401 00000001 f8236fcc 00000001 00000000 [ 10.066491] f5144014 f5be8104 00000008 f9c5267c 00000007 f61170c0 f5144400 f9c4ff00 [ 10.066507] Call Trace: [ 10.066526] [] ? drm_modeset_lock_all+0x27/0xb3 [drm] [ 10.066545] [] ? drm_encoder_cleanup+0x1a/0x132 [drm] [ 10.066559] [] ? drm_atomic_helper_connector_reset+0x3f/0x5c [drm_kms_helper] [ 10.066644] [] ? intel_dvo_init+0x569/0x788 [i915] [ 10.066663] [] ? drm_encoder_init+0x43/0x20b [drm] [ 10.066734] [] ? intel_modeset_init+0x1436/0x17dd [i915] [ 10.066791] [] ? i915_driver_load+0x85a/0x15d3 [i915] [ 10.066846] [] ? i915_driver_open+0x5/0x5 [i915] [ 10.066857] [] ? firmware_map_add_entry.part.2+0xc/0xc [ 10.066868] [] ? pci_device_probe+0x8e/0x11c [ 10.066878] [] ? driver_probe_device+0x1db/0x62e [ 10.066888] [] ? kernfs_new_node+0x29/0x9c [ 10.066897] [] ? pci_match_device+0xd9/0x161 [ 10.066905] [] ? kernfs_create_dir_ns+0x42/0x88 [ 10.066914] [] ? __driver_attach+0xe6/0x11b [ 10.066924] [] ? kobject_add_internal+0x1bb/0x44f [ 10.066933] [] ? driver_probe_device+0x62e/0x62e [ 10.066941] [] ? bus_for_each_dev+0x46/0x7f [ 10.066950] [] ? driver_attach+0x1a/0x34 [ 10.066958] [] ? driver_probe_device+0x62e/0x62e [ 10.066966] [] ? bus_add_driver+0x217/0x32a [ 10.066975] [] ? 0xf8403000 [ 10.066982] [] ? driver_register+0x5f/0x108 [ 10.066991] [] ? do_one_initcall+0x49/0x1f6 [ 10.067000] [] ? pick_next_task_fair+0x14b/0x2a3 [ 10.067008] [] ? __schedule+0x15c/0x4fe [ 10.067016] [] ? preempt_schedule_common+0x19/0x3c [ 10.067027] [] ? do_init_module+0x17/0x230 [ 10.067035] [] ? _cond_resched+0x12/0x1a [ 10.067044] [] ? kmem_cache_alloc+0x8f/0x11f [ 10.067052] [] ? do_init_module+0x17/0x230 [ 10.067060] [] ? kfree+0x137/0x203 [ 10.067068] [] ? do_init_module+0x76/0x230 [ 10.067078] [] ? load_module+0x2a39/0x333f [ 10.067087] [] ? SyS_finit_module+0x96/0xd5 [ 10.067096] [] ? vm_mmap_pgoff+0x79/0xa0 [ 10.067105] [] ? do_fast_syscall_32+0xb5/0x1b0 [ 10.067114] [] ? sysenter_past_esp+0x47/0x75 [ 10.067121] Code: c8 f7 76 c1 e8 8e cc d2 ff e9 45 fe ff ff 66 90 66 90 66 90 66 90 90 ff 00 7f 05 e8 4e 0c 00 00 c3 53 89 c3 e8 75 ec ff ff 89 d8 08 79 05 e8 fa 0a 00 00 5b c3 53 89 c3 85 c0 74 1b 8b 03 83 [ 10.067180] EIP: [] mutex_lock+0xa/0x15 SS:ESP 0068:f5971b58 [ 10.067190] CR2: 0000000000000104 [ 10.067222] ---[ end trace 049f1f09da45a856 ]--- Reported-by: Meelis Roos Fixes: 580d8ed522e0 ("drm/i915: Give encoders useful names") Reviewed-by: David Weinehall Signed-off-by: Chris Wilson Cc: Ville Syrjälä Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160823092558.14931-1-chris@chris-wilson.co.uk (cherry picked from commit 8f76aa0ebe0b7787afe768d9df80031e832d2520) drivers/gpu/drm/i915/intel_dvo.c | 1 - 1 file changed, 1 deletion(-) commit 98744b408c757901df57fa50cbd5826245dc3a1f Author: Daniel Lezcano Date: Mon Aug 29 08:44:03 2016 +0200 clocksource/drivers/atmel-pit: Fix compilation error The previous fix introduced a check against the ret variable which is not defined, hence producing a compilation error: linux/drivers/clocksource/timer-atmel-pit.c: In function ‘at91sam926x_pit_dt_init’: linux/drivers/clocksource/timer-atmel-pit.c:264:2: error: ‘ret’ undeclared (first use in this function) ret = clk_prepare_enable(data->mck); ^ linux/drivers/clocksource/timer-atmel-pit.c:264:2: note: each undeclared identifier is reported only once for each function it appears in Add the missing the variable 'ret'. Fixes: 504f34c9e45c "clocksource/drivers/atmel-pit: Convert init function to return error" Signed-off-by: Daniel Lezcano Cc: alexandre.belloni@free-electrons.com Cc: motobud@gmail.com Cc: realbright@lgcns.com Link: http://lkml.kernel.org/r/1472453043-24287-1-git-send-email-daniel.lezcano@linaro.org Signed-off-by: Thomas Gleixner drivers/clocksource/timer-atmel-pit.c | 1 + 1 file changed, 1 insertion(+) commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 Author: Vegard Nossum Date: Mon Aug 29 00:33:51 2016 +0200 ALSA: timer: fix NULL pointer dereference on memory allocation failure I hit this with syzkaller: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff88011278d600 task.stack: ffff8801120c0000 RIP: 0010:[] [] snd_hrtimer_start+0x77/0x100 RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048 RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790 R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980 R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286 FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0 Stack: ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0 ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000 ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0 Call Trace: [] snd_timer_start1+0x331/0x670 [] snd_timer_start+0x5d/0xa0 [] snd_timer_user_ioctl+0x88e/0x2830 [] ? __follow_pte.isra.49+0x430/0x430 [] ? snd_timer_pause+0x80/0x80 [] ? do_wp_page+0x3aa/0x1c90 [] ? put_prev_entity+0x108f/0x21a0 [] ? snd_timer_pause+0x80/0x80 [] do_vfs_ioctl+0x193/0x1050 [] ? cpuacct_account_field+0x12f/0x1a0 [] ? ioctl_preallocate+0x200/0x200 [] ? syscall_trace_enter+0x3cf/0xdb0 [] ? __context_tracking_exit.part.4+0x9a/0x1e0 [] ? exit_to_usermode_loop+0x190/0x190 [] ? check_preemption_disabled+0x37/0x1e0 [] ? security_file_ioctl+0x89/0xb0 [] SyS_ioctl+0x8f/0xc0 [] ? do_vfs_ioctl+0x1050/0x1050 [] do_syscall_64+0x1c4/0x4e0 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46 RIP [] snd_hrtimer_start+0x77/0x100 RSP ---[ end trace 5955b08db7f2b029 ]--- This can happen if snd_hrtimer_open() fails to allocate memory and returns an error, which is currently not checked by snd_timer_open(): ioctl(SNDRV_TIMER_IOCTL_SELECT) - snd_timer_user_tselect() - snd_timer_close() - snd_hrtimer_close() - (struct snd_timer *) t->private_data = NULL - snd_timer_open() - snd_hrtimer_open() - kzalloc() fails; t->private_data is still NULL ioctl(SNDRV_TIMER_IOCTL_START) - snd_timer_user_start() - snd_timer_start() - snd_timer_start1() - snd_hrtimer_start() - t->private_data == NULL // boom Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 Author: Vegard Nossum Date: Mon Aug 29 00:33:50 2016 +0200 ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE I got this: divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff8801120a9580 task.stack: ffff8801120b0000 RIP: 0010:[] [] snd_hrtimer_callback+0x1da/0x3f0 RSP: 0018:ffff88011aa87da8 EFLAGS: 00010006 RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001 RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048 R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00 R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000 FS: 00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0 Stack: 0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76 ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0 00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0 Call Trace: [] __hrtimer_run_queues+0x347/0xa00 [] ? snd_hrtimer_close+0x130/0x130 [] ? retrigger_next_event+0x1b0/0x1b0 [] ? hrtimer_interrupt+0x136/0x4b0 [] hrtimer_interrupt+0x1b0/0x4b0 [] local_apic_timer_interrupt+0x6e/0xf0 [] ? kvm_guest_apic_eoi_write+0x13/0xc0 [] smp_apic_timer_interrupt+0x76/0xa0 [] apic_timer_interrupt+0x8c/0xa0 [] ? _raw_spin_unlock_irqrestore+0x2c/0x60 [] snd_timer_start1+0xdd/0x670 [] snd_timer_continue+0x45/0x80 [] snd_timer_user_ioctl+0x1030/0x2830 [] ? __follow_pte.isra.49+0x430/0x430 [] ? snd_timer_pause+0x80/0x80 [] ? do_wp_page+0x3aa/0x1c90 [] ? handle_mm_fault+0xbc8/0x27f0 [] ? __pmd_alloc+0x370/0x370 [] ? snd_timer_pause+0x80/0x80 [] do_vfs_ioctl+0x193/0x1050 [] ? ioctl_preallocate+0x200/0x200 [] ? syscall_trace_enter+0x3cf/0xdb0 [] ? __context_tracking_exit.part.4+0x9a/0x1e0 [] ? exit_to_usermode_loop+0x190/0x190 [] ? check_preemption_disabled+0x37/0x1e0 [] ? security_file_ioctl+0x89/0xb0 [] SyS_ioctl+0x8f/0xc0 [] ? do_vfs_ioctl+0x1050/0x1050 [] do_syscall_64+0x1c4/0x4e0 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00 RIP [] snd_hrtimer_callback+0x1da/0x3f0 RSP ---[ end trace 6aa380f756a21074 ]--- The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a completely new/unused timer -- it will have ->sticks == 0, which causes a divide by 0 in snd_hrtimer_callback(). Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 1 + 1 file changed, 1 insertion(+) commit 6654674cb7b5953ac04fc9d7f5f511676ae97e29 Author: Jorik Jonker Date: Sat Aug 27 21:04:33 2016 +0200 clk: sunxi-ng: Fix wrong reset register offsets The reset register offsets for UART*, I2C* and SCR were off by a few bytes. Signed-off-by: Jorik Jonker Signed-off-by: Maxime Ripard drivers/clk/sunxi-ng/ccu-sun8i-h3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit da43bf0c21e57fff0221da5de0a9a388ec0d27cd Author: Paul Gortmaker Date: Mon Aug 15 18:24:59 2016 -0400 intel_pmic_gpio: Make explicitly non-modular The Kconfig entry controlling compilation of this code is: drivers/platform/x86/Kconfig:config GPIO_INTEL_PMIC drivers/platform/x86/Kconfig: bool "Intel PMIC GPIO support" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple traces of modular infrastructure use, so that when reading the driver there is no doubt it is builtin-only. We delete the MODULE_LICENSE tag etc. since all that information was (or is now) contained at the top of the file in the comments. We don't replace module.h with init.h since the file already has that. Cc: Alek Du Cc: platform-driver-x86@vger.kernel.org Signed-off-by: Paul Gortmaker Signed-off-by: Darren Hart drivers/platform/x86/intel_pmic_gpio.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit f48d1496b8537d75776478c6942dd87f34d7f270 Author: Paul Gortmaker Date: Mon Aug 15 18:25:17 2016 -0400 platform/olpc: Make ec explicitly non-modular The Kconfig entry controlling compilation of this code is: arch/x86/Kconfig:config OLPC arch/x86/Kconfig: bool "One Laptop Per Child support" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple traces of modular infrastructure use, so that when reading the driver there is no doubt it is builtin-only. We delete the MODULE_LICENSE tag etc. since all that information was (or is now) contained at the top of the file in the comments. Cc: platform-driver-x86@vger.kernel.org Signed-off-by: Paul Gortmaker Acked-by: Andres Salomon Signed-off-by: Darren Hart drivers/platform/olpc/olpc-ec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit b99b43bb4bdf1d361f7487cf03d803082bbf9101 Author: Owen Lin Date: Fri Aug 26 13:49:09 2016 +0800 Add Killer E2500 device ID in alx driver. Signed-off-by: David S. Miller drivers/net/ethernet/atheros/alx/main.c | 2 ++ drivers/net/ethernet/atheros/alx/reg.h | 1 + 2 files changed, 3 insertions(+) commit 2fb04fdf30192ff1e2b5834e9b7745889ea8bbcb Author: Russell King Date: Sat Aug 27 17:33:03 2016 +0100 net: smc91x: fix SMC accesses Commit b70661c70830 ("net: smc91x: use run-time configuration on all ARM machines") broke some ARM platforms through several mistakes. Firstly, the access size must correspond to the following rule: (a) at least one of 16-bit or 8-bit access size must be supported (b) 32-bit accesses are optional, and may be enabled in addition to the above. Secondly, it provides no emulation of 16-bit accesses, instead blindly making 16-bit accesses even when the platform specifies that only 8-bit is supported. Reorganise smc91x.h so we can make use of the existing 16-bit access emulation already provided - if 16-bit accesses are supported, use 16-bit accesses directly, otherwise if 8-bit accesses are supported, use the provided 16-bit access emulation. If neither, BUG(). This exactly reflects the driver behaviour prior to the commit being fixed. Since the conversion incorrectly cut down the available access sizes on several platforms, we also need to go through every platform and fix up the overly-restrictive access size: Arnd assumed that if a platform can perform 32-bit, 16-bit and 8-bit accesses, then only a 32-bit access size needed to be specified - not so, all available access sizes must be specified. This likely fixes some performance regressions in doing this: if a platform does not support 8-bit accesses, 8-bit accesses have been emulated by performing a 16-bit read-modify-write access. Tested on the Intel Assabet/Neponset platform, which supports only 8-bit accesses, which was broken by the original commit. Fixes: b70661c70830 ("net: smc91x: use run-time configuration on all ARM machines") Signed-off-by: Russell King Tested-by: Robert Jarzmik Signed-off-by: David S. Miller arch/arm/mach-pxa/idp.c | 3 +- arch/arm/mach-pxa/xcep.c | 3 +- arch/arm/mach-realview/core.c | 3 +- arch/arm/mach-sa1100/pleb.c | 2 +- arch/blackfin/mach-bf561/boards/cm_bf561.c | 3 +- arch/blackfin/mach-bf561/boards/ezkit.c | 3 +- drivers/net/ethernet/smsc/smc91x.c | 7 ++++ drivers/net/ethernet/smsc/smc91x.h | 65 +++++++++++++++++++++--------- include/linux/smc91x.h | 10 +++++ 9 files changed, 73 insertions(+), 26 deletions(-) commit 7d13eca09ed5e477f6ecfd97a35058762228b5e4 Author: Florian Fainelli Date: Sat Aug 27 15:34:20 2016 -0700 Documentation: networking: dsa: Remove platform device TODO Since commit 83c0afaec7b7 ("net: dsa: Add new binding implementation"), the shortcomings of the dsa platform device have been addressed, remove that TODO item. Signed-off-by: Florian Fainelli Acked-by: Andrew Lunn Signed-off-by: David S. Miller Documentation/networking/dsa/dsa.txt | 20 -------------------- 1 file changed, 20 deletions(-) commit e4d986a878e0eb9e46f851a564189f8204cc677f Merge: 9dbeea7 e5835f2 Author: David S. Miller Date: Sun Aug 28 23:24:24 2016 -0400 Merge branch 'mlx5-series' Saeed Mahameed says: ==================== Mellanox 100G mlx5 fixes 2016-08-29 This series contains some bug fixes for the mlx5 core and mlx5 ethernet driver. From Saeed, Fix UMR to consider hardware translation table field size limitation when calculating the maximum number of MTTs required by the driver. Three patches to speed-up netdevice close time by serializing channel (SQs & RQs) destruction rather than issuing and waiting for hardware interrupts to free them. From Eran, Fix ethtool ring parameter reporting for striding RQ layout. Add error prints on ETS validation failure. From Kamal, Fix memory leak on error flow. From Maor, Fix ethtool steering priorities number. ==================== Signed-off-by: David S. Miller commit e5835f2833b12808c53aa621d1d3aa085706b5b3 Author: Maor Gottlieb Date: Mon Aug 29 01:13:50 2016 +0300 net/mlx5: Increase number of ethtool steering priorities Ethtool has 11 flow tables, each flow table has its own priority. Increase the number of priorities to be aligned with the number of flow tables. Fixes: 1174fce8d141 ('net/mlx5e: Support l3/l4 flow type specs in ethtool flow steering') Signed-off-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1722b9694ecfbc602865017c3fa6da0e3ec234d8 Author: Eran Ben Elisha Date: Mon Aug 29 01:13:49 2016 +0300 net/mlx5: Add error prints when validate ETS failed Upon set ETS failure due to user invalid input, add error prints to specify the exact error to the user. Fixes: cdcf11212b22 ('net/mlx5e: Validate BW weight values of ETS') Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) commit bf50082c15eb2bc47d1922e70f424c57f36646d5 Author: Kamal Heib Date: Mon Aug 29 01:13:48 2016 +0300 net/mlx5e: Fix memory leak if refreshing TIRs fails Free 'in' command object also when mlx5_core_modify_tir fails. Fixes: 724b2aa15126 ("net/mlx5e: TIRs management refactoring") Signed-off-by: Kamal Heib Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit c8cf78fe100b0d152a1932327c24cefc0ba4bdbe Author: Tariq Toukan Date: Mon Aug 29 01:13:47 2016 +0300 net/mlx5e: Add ethtool counter for TX xmit_more Add a counter in ethtool for the number of times that TX xmit_more was used. Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 4 ++++ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 + 3 files changed, 6 insertions(+) commit cc8e9ebf952699cb6870f1366a4920d05b036e31 Author: Eran Ben Elisha Date: Mon Aug 29 01:13:46 2016 +0300 net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ The driver RQ has two possible configurations: striding RQ and non-striding RQ. Until this patch, the driver always reported the number of hardware WQEs (ring descriptors). For non striding RQ configuration, this was OK since we have one WQE per pending packet For striding RQ, multiple packets can fit into one WQE. For better user experience we normalize the rx_pending parameter (size of wqe/mtu) as the average ring size in case of striding RQ. Fixes: 461017cb006a ('net/mlx5e: Support RX multi-packet WQE ...') Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 76 +++++++++++++++++++--- 1 file changed, 67 insertions(+), 9 deletions(-) commit 6e8dd6d6f4bd2fd6fefdbf2e73bf251e36db59af Author: Saeed Mahameed Date: Mon Aug 29 01:13:45 2016 +0300 net/mlx5e: Don't wait for SQ completions on close Instead of asking the firmware to flush the SQ (Send Queue) via asynchronous completions when moved to error, we handle SQ flush manually (mlx5e_free_tx_descs) same as we did when SQ flush got timed out or on tx_timeout. This will reduce SQs flush time and speedup interface down procedure. Moved mlx5e_free_tx_descs to the end of en_tx.c for tx critical code locality. Fixes: 29429f3300a3 ('net/mlx5e: Timeout if SQ doesn't flush during close') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 38 ++----------- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 67 +++++++++++------------ drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c | 6 +- 4 files changed, 44 insertions(+), 70 deletions(-) commit 8484f9ed13b26043be80ff5774506024956eae8f Author: Saeed Mahameed Date: Mon Aug 29 01:13:44 2016 +0300 net/mlx5e: Don't post fragmented MPWQE when RQ is disabled ICO (Internal control operations) SQ (Send Queue) is closed/disabled after RQ (Receive Queue). After RQ is closed an ICO SQ completion might post a fragmented MPWQE (Multi Packet Work Queue Element) into that RQ. As on regular RQ post, check if we are allowed to post to that RQ (RQ is enabled). Cleanup in-progress UMR MPWQE on mlx5e_free_rx_descs if needed. Fixes: bc77b240b3c5 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 6 ++++++ 2 files changed, 10 insertions(+) commit f2fde18c52a7367a8f6cf6855e2a7174e601c8ee Author: Saeed Mahameed Date: Mon Aug 29 01:13:43 2016 +0300 net/mlx5e: Don't wait for RQ completions on close This will significantly reduce receive queue flush time on interface down. Instead of asking the firmware to flush the RQ (Receive Queue) via asynchronous completions when moved to error, we handle RQ flush manually (mlx5e_free_rx_descs) same as we did when RQ flush got timed out. This will reduce RQs flush time and speedup interface down procedure (ifconfig down) from 6 sec to 0.3 sec on a 48 cores system. Moved mlx5e_free_rx_descs en_main.c where it is needed, to keep en_rx.c free form non critical data path code for better code locality. Fixes: 6cd392a082de ('net/mlx5e: Handle RQ flush in error cases') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 +-- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 37 +++++++++++------------ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 23 ++------------ 3 files changed, 22 insertions(+), 42 deletions(-) commit fe4c988bdd1cc60402a4e3ca3976a686ea991b5a Author: Saeed Mahameed Date: Mon Aug 29 01:13:42 2016 +0300 net/mlx5e: Limit UMR length to the device's limitation ConnectX-4 UMR (User Memory Region) MTT translation table offset in WQE is limited to U16_MAX, before this patch we ignored that limitation and requested the maximum possible UMR translation length that the netdev might need (MAX channels * MAX pages per channel). In case of a system with #cores > 32 and when linear WQE allocation fails, falling back to using UMR WQEs will cause the RQ (Receive Queue) to get stuck. Here we limit UMR length to min(U16_MAX, max required pages) (while considering the required alignments) on driver load, by default U16_MAX is sufficient since the default RX rings value guarantees that we are in range, dynamically (on set_ringparam/set_channels) we will check if the new required UMR length (num mtts) is still in range, if not, fail the request. Fixes: bc77b240b3c5 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 14 +++++++------- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 19 +++++++++++++++++++ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 11 ++++++++--- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 ++++++------ 4 files changed, 40 insertions(+), 16 deletions(-) commit 78a3e8889b4b6b99775ed954696ff3e017f5d19b Author: Cyril Bur Date: Tue Aug 23 10:46:17 2016 +1000 powerpc: signals: Discard transaction state from signal frames Userspace can begin and suspend a transaction within the signal handler which means they might enter sys_rt_sigreturn() with the processor in suspended state. sys_rt_sigreturn() wants to restore process context (which may have been in a transaction before signal delivery). To do this it must restore TM SPRS. To achieve this, any transaction initiated within the signal frame must be discarded in order to be able to restore TM SPRs as TM SPRs can only be manipulated non-transactionally.. >From the PowerPC ISA: TM Bad Thing Exception [Category: Transactional Memory] An attempt is made to execute a mtspr targeting a TM register in other than Non-transactional state. Not doing so results in a TM Bad Thing: [12045.221359] Kernel BUG at c000000000050a40 [verbose debug info unavailable] [12045.221470] Unexpected TM Bad Thing exception at c000000000050a40 (msr 0x201033) [12045.221540] Oops: Unrecoverable exception, sig: 6 [#1] [12045.221586] SMP NR_CPUS=2048 NUMA PowerNV [12045.221634] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables kvm_hv kvm uio_pdrv_genirq ipmi_powernv uio powernv_rng ipmi_msghandler autofs4 ses enclosure scsi_transport_sas bnx2x ipr mdio libcrc32c [12045.222167] CPU: 68 PID: 6178 Comm: sigreturnpanic Not tainted 4.7.0 #34 [12045.222224] task: c0000000fce38600 ti: c0000000fceb4000 task.ti: c0000000fceb4000 [12045.222293] NIP: c000000000050a40 LR: c0000000000163bc CTR: 0000000000000000 [12045.222361] REGS: c0000000fceb7ac0 TRAP: 0700 Not tainted (4.7.0) [12045.222418] MSR: 9000000300201033 CR: 28444280 XER: 20000000 [12045.222625] CFAR: c0000000000163b8 SOFTE: 0 PACATMSCRATCH: 900000014280f033 GPR00: 01100000b8000001 c0000000fceb7d40 c00000000139c100 c0000000fce390d0 GPR04: 900000034280f033 0000000000000000 0000000000000000 0000000000000000 GPR08: 0000000000000000 b000000000001033 0000000000000001 0000000000000000 GPR12: 0000000000000000 c000000002926400 0000000000000000 0000000000000000 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR24: 0000000000000000 00003ffff98cadd0 00003ffff98cb470 0000000000000000 GPR28: 900000034280f033 c0000000fceb7ea0 0000000000000001 c0000000fce390d0 [12045.223535] NIP [c000000000050a40] tm_restore_sprs+0xc/0x1c [12045.223584] LR [c0000000000163bc] tm_recheckpoint+0x5c/0xa0 [12045.223630] Call Trace: [12045.223655] [c0000000fceb7d80] [c000000000026e74] sys_rt_sigreturn+0x494/0x6c0 [12045.223738] [c0000000fceb7e30] [c0000000000092e0] system_call+0x38/0x108 [12045.223806] Instruction dump: [12045.223841] 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8 [12045.223955] 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020 [12045.224074] ---[ end trace cb8002ee240bae76 ]--- It isn't clear exactly if there is really a use case for userspace returning with a suspended transaction, however, doing so doesn't (on its own) constitute a bad frame. As such, this patch simply discards the transactional state of the context calling the sigreturn and continues. Reported-by: Laurent Dufour Signed-off-by: Cyril Bur Tested-by: Laurent Dufour Reviewed-by: Laurent Dufour Acked-by: Simon Guo Signed-off-by: Benjamin Herrenschmidt Documentation/powerpc/transactional_memory.txt | 2 ++ arch/powerpc/kernel/signal_32.c | 14 ++++++++++++++ arch/powerpc/kernel/signal_64.c | 14 ++++++++++++++ 3 files changed, 30 insertions(+) commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Author: Mukesh Ojha Date: Mon Aug 22 12:17:44 2016 +0530 powerpc/powernv : Drop reference added by kset_find_obj() In a situation, where Linux kernel gets notified about duplicate error log from OPAL, it is been observed that kernel fails to remove sysfs entries (/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because, we currently search the error log/dump kobject in the kset list via 'kset_find_obj()' routine. Which eventually increment the reference count by one, once it founds the kobject. So, unless we decrement the reference count by one after it found the kobject, we would not be able to release the kobject properly later. This patch adds the 'kobject_put()' which was missing earlier. Signed-off-by: Mukesh Ojha Cc: stable@vger.kernel.org Reviewed-by: Vasant Hegde Signed-off-by: Benjamin Herrenschmidt arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++- arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) commit cc7786d3ee7e3c979799db834b528db2c0834c2e Author: Nicholas Piggin Date: Mon Jul 25 14:26:51 2016 +1000 powerpc/tm: do not use r13 for tabort_syscall tabort_syscall runs with RI=1, so a nested recoverable machine check will load the paca into r13 and overwrite what we loaded it with, because exceptions returning to privileged mode do not restore r13. Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions) Cc: stable@vger.kernel.org Signed-off-by: Nick Piggin Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/entry_64.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 17de0a9ff3df8f54f2f47746d118112d4e61d973 Author: Christoph Hellwig Date: Mon Aug 29 11:33:58 2016 +1000 iomap: don't set FIEMAP_EXTENT_MERGED for extent based filesystems Filesystems like XFS that use extents should not set the FIEMAP_EXTENT_MERGED flag in the fiemap extent structures. To allow for both behaviors for the upcoming gfs2 usage split the iomap type field into type and flags, and only set FIEMAP_EXTENT_MERGED if the IOMAP_F_MERGED flag is set. The flags field will also come in handy for future features such as shared extents on reflink-enabled file systems. Reported-by: Andreas Gruenbacher Signed-off-by: Christoph Hellwig Acked-by: Darrick J. Wong Signed-off-by: Dave Chinner fs/iomap.c | 5 ++++- include/linux/iomap.h | 8 +++++++- 2 files changed, 11 insertions(+), 2 deletions(-) commit 3eab887a55424fc2c27553b7bfe32330df83f7b8 Author: Linus Torvalds Date: Sun Aug 28 15:04:33 2016 -0700 Linux 4.8-rc4 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 25d0d91af77089ddf378568fd858b22612c52aff Merge: 908e373 add1fa7 Author: Linus Torvalds Date: Sun Aug 28 14:31:36 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "A bunch of fixes covering i915, amdgpu, one tegra and some core DRM ones. Nothing too strange at this point" * tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux: (21 commits) drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates. drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION drm/amdgpu: skip TV/CV in display parsing drm/amdgpu: avoid a possible array overflow drm/amdgpu: fix lru size grouping v2 drm/tegra: dsi: Enhance runtime power management drm/i915: Fix botched merge that downgrades CSR versions. drm/i915/skl: Ensure pipes with changed wms get added to the state drm/i915/gen9: Only copy WM results for changed pipes to skl_hw drm/i915/skl: Add support for the SAGV, fix underrun hangs drm/i915/gen6+: Interpret mailbox error flags drm/i915: Reattach comment, complete type specification drm/i915: Unconditionally flush any chipset buffers before execbuf drm/i915/gen9: Drop invalid WARN() during data rate calculation drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2) drm: Reject page_flip for !DRIVER_MODESET drm/amdgpu: fix timeout value check in amd_sched_job_recovery drm/amdgpu: fix sdma_v2_4_ring_test_ib drm/amdgpu: fix amdgpu_move_blit on 32bit systems drm/radeon: fix radeon_move_blit on 32bit systems ... commit add1fa75101263ab4d74240f93000998d4325624 Author: Mario Kleiner Date: Sat Aug 27 01:02:28 2016 +0200 drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates. Due to assigning the 'replaced' value instead of or'ing it, if drm_atomic_crtc_set_property() gets called multiple times, the last call will define the color_mgmt_changed flag, so a non-updating call to a property can reset the flag and prevent actual hw state updates required by preceding property updates. Signed-off-by: Mario Kleiner Cc: Daniel Vetter Cc: # v4.6+ Reviewed-by: Daniel Vetter Signed-off-by: Dave Airlie drivers/gpu/drm/drm_atomic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d138027a8256a3e9d7657c8d0dae84c08ef2cfe1 Author: Trond Myklebust Date: Sun Aug 28 12:19:04 2016 -0400 NFSv4.1: Remove obsolete and incorrrect assignment in nfs4_callback_sequence Signed-off-by: Trond Myklebust fs/nfs/callback_proc.c | 1 - 1 file changed, 1 deletion(-) commit 2e80dbe7ac51a911e8a828407b1a48c5ba938cd2 Author: Trond Myklebust Date: Sun Aug 28 11:50:26 2016 -0400 NFSv4.1: Close callback races for OPEN, LAYOUTGET and LAYOUTRETURN Defer freeing the slot until after we have processed the results from OPEN and LAYOUTGET. This means that the server can rely on the mechanism in RFC5661 Section 2.10.6.3 to ensure that replies to an OPEN or LAYOUTGET/RETURN RPC call don't race with the callbacks that apply to them. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 78 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 65 insertions(+), 13 deletions(-) commit 07e8dcbda71ef87e9cbdc42b5bb16a44c1ab839b Author: Trond Myklebust Date: Sun Aug 28 10:28:25 2016 -0400 NFSv4.1: Defer bumping the slot sequence number until we free the slot For operations like OPEN or LAYOUTGET, which return recallable state (i.e. delegations and layouts) we want to enable the mechanism for resolving recall races in RFC5661 Section 2.10.6.3. To do so, we will want to defer bumping the slot's sequence number until we have finished processing the RPC results. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 9 +++++++-- fs/nfs/nfs4session.h | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit 045d2a6d076a2ecd7043ea543ea198af943f8b16 Author: Trond Myklebust Date: Sun Aug 28 13:25:43 2016 -0400 NFSv4.1: Delay callback processing when there are referring triples If CB_SEQUENCE tells us that the processing of this request depends on the completion of one or more referring triples (see RFC 5661 Section 2.10.6.3), delay the callback processing until after the RPC requests being referred to have completed. If we end up delaying for more than 1/2 second, then fall back to returning NFS4ERR_DELAY in reply to the callback. Signed-off-by: Trond Myklebust fs/nfs/callback_proc.c | 4 ++-- fs/nfs/nfs4proc.c | 2 ++ fs/nfs/nfs4session.c | 22 +++++++++++++++++++++- fs/nfs/nfs4session.h | 5 ++++- 4 files changed, 29 insertions(+), 4 deletions(-) commit e09c978aae5bedfdb379be80363b024b7d82638b Author: Trond Myklebust Date: Sat Aug 27 23:44:04 2016 -0400 NFSv4.1: Fix Oopsable condition in server callback races The slot table hasn't been an array since v3.7. Ensure that we use nfs4_lookup_slot() to access the slot correctly. Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...") Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v3.8+ fs/nfs/callback_proc.c | 5 +---- fs/nfs/nfs4session.c | 33 +++++++++++++++++++++++++++++++++ fs/nfs/nfs4session.h | 1 + 3 files changed, 35 insertions(+), 4 deletions(-) commit 908e373f1c8102505d13cdb61ad56c1686d6a583 Merge: 5d84ee7 8b6a3fe Author: Linus Torvalds Date: Sun Aug 28 10:02:23 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "A few fixes from the perf departement - prevent a imbalanced preemption disable in the events teardown code - prevent out of bound acces in perf userspace - make perf tools compile with UCLIBC again - a fix for the userspace unwinder utility" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Use this_cpu_ptr() when stopping AUX events perf evsel: Do not access outside hw cache name arrays tools lib: Reinstate strlcpy() header guard with __UCLIBC__ perf unwind: Use addr_location::addr instead of ip for entries commit 5d84ee7964489acea418122edf54d55f980a0383 Merge: 4340393 2e63ad4 Author: Linus Torvalds Date: Sun Aug 28 10:00:21 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "A single bugfix to prevent irq remapping when the ioapic is disabled" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/apic: Do not init irq remapping if ioapic is disabled commit 4340393e5a507a9a91bf807a03c73407a1344e20 Merge: 037d240 2564970 Author: Linus Torvalds Date: Sun Aug 28 09:52:40 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "This lot provides: - plug a hotplug race in the new affinity infrastructure - a fix for the trigger type of chained interrupts - plug a potential memory leak in the core code - a few fixes for ARM and MIPS GICs" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/mips-gic: Implement activate op for device domain irqchip/mips-gic: Cleanup chip and handler setup genirq/affinity: Use get/put_online_cpus around cpumask operations genirq: Fix potential memleak when failing to get irq pm irqchip/gicv3-its: Disable the ITS before initializing it irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts irqchip/gic: Allow self-SGIs for SMP on UP configurations genirq: Correctly configure the trigger on chained interrupts commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 Author: Rob Clark Date: Mon Aug 22 15:28:38 2016 -0400 drm/msm: protect against faults from copy_from_user() in submit ioctl An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table. Which will trigger msm_gem_fault() while we already hold struct_mutex. See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c Cc: stable@vger.kernel.org Signed-off-by: Rob Clark drivers/gpu/drm/msm/msm_drv.h | 6 ++++++ drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++ drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++ 3 files changed, 18 insertions(+) commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 Author: Rob Clark Date: Mon Aug 22 15:15:23 2016 -0400 drm/msm: fix use of copy_from_user() while holding spinlock Use instead __copy_from_user_inatomic() and fallback to slow-path where we drop and re-aquire the lock in case of fault. Cc: stable@vger.kernel.org Reported-by: Vaishali Thakkar Signed-off-by: Rob Clark drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) commit 037d2405d0ca0d276c481e40b98fb40e5d0360b8 Merge: af56ff2 b53e7d0 Author: Linus Torvalds Date: Sun Aug 28 09:03:05 2016 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "A few updates for timers & co: - prevent a livelock in the timekeeping code when debugging is enabled - prevent out of bounds access in the timekeeping debug code - various fixes in clocksource drivers - a new maintainers entry" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function drivers/clocksource/pistachio: Fix memory corruption in init clocksource/drivers/timer-atmel-pit: Enable mck clock clocksource/drivers/pxa: Fix include files for compilation MAINTAINERS: Add ARM ARCHITECTED TIMER entry timekeeping: Cap array access in timekeeping_debug timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING commit 4d8c6a7946d53648d9ed0e3852a1c81ce07d40db Author: Sagi Grimberg Date: Fri Aug 26 00:37:52 2016 +0300 nvme-rdma: Get rid of redundant defines Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig drivers/nvme/host/rdma.c | 4 ---- 1 file changed, 4 deletions(-) commit f5b7b559e14881b27d76f9c97817ec82bfc48827 Author: Sagi Grimberg Date: Wed Aug 24 12:25:56 2016 +0300 nvme-rdma: Get rid of duplicate variable We already have need_inval in ib_mr, lets use that instead. Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig drivers/nvme/host/rdma.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) commit af56ff27eba54fceee5f5643e79bf6531f2e1739 Merge: 5e608a0 ba913e4 Author: Linus Torvalds Date: Sat Aug 27 15:51:50 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "ARM: - fixes for ITS init issues, error handling, IRQ leakage, race conditions - an erratum workaround for timers - some removal of misleading use of errors and comments - a fix for GICv3 on 32-bit guests MIPS: - fix for where the guest could wrongly map the first page of physical memory x86: - nested virtualization fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: MIPS: KVM: Check for pfn noslot case kvm: nVMX: fix nested tsc scaling KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC arm64: KVM: report configured SRE value to 32-bit world arm64: KVM: remove misleading comment on pmu status KVM: arm/arm64: timer: Workaround misconfigured timer interrupt arm64: Document workaround for Cortex-A72 erratum #853709 KVM: arm/arm64: Change misleading use of is_error_pfn KVM: arm64: ITS: avoid re-mapping LPIs KVM: arm64: check for ITS device on MSI injection KVM: arm64: ITS: move ITS registration into first VCPU run KVM: arm64: vgic-its: Make updates to propbaser/pendbaser atomic KVM: arm64: vgic-its: Plug race in vgic_put_irq KVM: arm64: vgic-its: Handle errors from vgic_add_lpi KVM: arm64: ITS: return 1 on successful MSI injection commit 5e608a027082ae426e100a582031e0ff40becc83 Merge: 65fc7d5 11bd969 Author: Linus Torvalds Date: Fri Aug 26 23:12:12 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "11 fixes" * emailed patches from Andrew Morton : mm: silently skip readahead for DAX inodes dax: fix device-dax region base fs/seq_file: fix out-of-bounds read mm: memcontrol: avoid unused function warning mm: clarify COMPACTION Kconfig text treewide: replace config_enabled() with IS_ENABLED() (2nd round) printk: fix parsing of "brl=" option soft_dirty: fix soft_dirty during THP split sysctl: handle error writing UINT_MAX to u32 fields get_maintainer: quiet noisy implicit -f vcs_file_exists checking byteswap: don't use __builtin_bswap*() with sparse commit 65fc7d54efb6b03dcf61d98aa0fd68fe968c211c Merge: a3d3469 fd363bd Author: Linus Torvalds Date: Fri Aug 26 23:05:19 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull ARM64 fix from Catalin Marinas: "ARM64 fix to avoid potential TLB conflict when CONFIG_RANDOMIZE_BASE is enabled" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: avoid TLB conflict with CONFIG_RANDOMIZE_BASE commit a3d34698086aec78ca9169b338468e3ce9bd4b3c Merge: 03cef71 049b1e7 Author: Linus Torvalds Date: Fri Aug 26 23:01:09 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "Round one of 4.8 rc fixes. This should be the bulk of the -rc fixes for 4.8. I only have a few things that are still outstanding (two ipoib bugs for which the solution is not yet fully known, and a few queued items that came in after my last push and I didn't want to delay this pull request for late comers again). Even though the patch count is kind of high, everything is minor fixes so the overall churn is pretty low. Summary: - minor fixes to cxgb4 - minor fixes to mlx4 - one minor fix each to core, rxe, isert, srpt, mlx5, ocrdma, and usnic - six or so fixes to i40iw fixes - the rest are hfi1 fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (34 commits) i40iw: Send last streaming mode message for loopback connections IB/srpt: Update sport->port_guid with each port refresh RDMA/ocrdma: Fix the max_sge reported from FW i40iw: Avoid writing to freed memory i40iw: Fix double free of allocated_buffer IB/mlx5: Remove superfluous include of io-mapping.h i40iw: Do not set self-referencing pointer to NULL after kfree i40iw: Add missing NULL check for MPA private data iw_cxgb4: Fix cxgb4 arm CQ logic w/IB_CQ_REPORT_MISSED_EVENTS i40iw: Add missing check for interface already open i40iw: Protect req_resource_num update i40iw: Change mem_resources pointer to a u8 IB/core: Use memdup_user() rather than duplicating its implementation IB/qib: Use memdup_user() rather than duplicating its implementation iw_cxgb4: use the MPA initiator's IRD if < our ORD iw_cxgb4: limit IRD/ORD advertised to ULP by device max. IB/hfi1: Fix mm_struct use after free IB/rdmvat: Fix double vfree() in rvt_create_qp() error path IB/hfi1: Improve J_KEY generation IB/hfi1: Return invalid field for non-QSFP CableInfo queries ... commit 03cef71062cf185e95d588d90406f27bad740b3c Merge: 28687b9 a820cd3 Author: Linus Torvalds Date: Fri Aug 26 22:53:21 2016 -0700 Merge tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Here are a bunch of fixes as you can see in diffstat. One core change in ASoC is about the unexpected unbinding error, and another about debugfs cleanup. The rest are wide-spread driver-specific fixes: a series of LINE6 USB fixes, a HD-audio quirk, and various ASoC fixes including OMAP boot fixes and Intel SKL fixes" * tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (22 commits) ALSA: hda/realtek - fix headset mic detection for MSI MS-B120 ASoC: omap-mcpdm: Fix irq resource handling ASoC: max98371: Add terminate entry for i2c_device_id tables ALSA: line6: Fix POD sysfs attributes segfault ALSA: line6: Give up on the lock while URBs are released. ALSA: line6: Remove double line6_pcm_release() after failed acquire. ASoC: omap-abe-twl6040: Correct dmic-codec device registration ASoC: core: Clean up DAPM before the card debugfs ASoC: omap-mcpdm: Drop pdmclk clock handling ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup ASoC: compress: Fix leak of a widget list in soc_compr_open_fe ASoC: Intel: Skylake: Fix error return code in skl_probe() ASoC: wm2000: Fix return of uninitialised varible ASoC: Fix leak of rtd in soc_bind_dai_link ASoC: da7213: Default to 64 BCLKs per WCLK to support all formats ASoC: nau8825: fix static check error about semaphone control ASoC: nau8825: fix bug in playback when suspend ASoC: samsung: Fix clock handling in S3C24XX_UDA134X card ASoC: simple-card-utils: add missing MODULE_xxx() ASoC: Intel: Skylake: Check list empty while getting module info ... commit 9dbeea7f08f3784b152d9fb3b86beb34aad77c72 Author: Eric Dumazet Date: Fri Aug 26 08:51:39 2016 -0700 rhashtable: fix a memory leak in alloc_bucket_locks() If vmalloc() was successful, do not attempt a kmalloc_array() Fixes: 4cf0b354d92e ("rhashtable: avoid large lock-array allocations") Reported-by: CAI Qian Signed-off-by: Eric Dumazet Cc: Florian Westphal Acked-by: Herbert Xu Tested-by: CAI Qian Signed-off-by: David S. Miller lib/rhashtable.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit e70c70c38d7a5ced76fc8b1c4a7ccee76e9c2911 Author: Andrew Rybchenko Date: Fri Aug 26 11:19:34 2016 +0100 sfc: fix potential stack corruption from running past stat bitmask On 32-bit systems, mask is only an array of 3 longs, not 4, so don't try to write to mask[3]. Also include build-time checks in case the size of the bitmask changes. Fixes: 3c36a2aded8c ("sfc: display vadaptor statistics for all interfaces") Signed-off-by: Edward Cree Signed-off-by: David S. Miller drivers/net/ethernet/sfc/ef10.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 5c1f5b457b86a263d0e21c8f3ebe83d515e7bcce Merge: c15e07b 4f34228 Author: David S. Miller Date: Fri Aug 26 21:09:17 2016 -0700 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Johan Hedberg says: ==================== pull request: bluetooth 2016-08-25 Here are a couple of important Bluetooth fixes for the 4.8 kernel: - Memory leak fix for HCI requests - Fix sk_filter handling with L2CAP - Fix sock_recvmsg behavior when MSG_TRUNC is not set Please let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: David S. Miller commit 28687b935e93a9041a485b9ecdcab0e335f8eda5 Merge: 370f601 28a2359 Author: Linus Torvalds Date: Fri Aug 26 20:22:01 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "We've queued up a few different fixes in here. These range from enospc corners to fsync and quota fixes, and a few targeted at error handling for corrupt metadata/fuzzing" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix lockdep warning on deadlock against an inode's log mutex Btrfs: detect corruption when non-root leaf has zero item Btrfs: check btree node's nritems btrfs: don't create or leak aliased root while cleaning up orphans Btrfs: fix em leak in find_first_block_group btrfs: do not background blkdev_put() Btrfs: clarify do_chunk_alloc()'s return value btrfs: fix fsfreeze hang caused by delayed iputs deal btrfs: update btrfs_space_info's bytes_may_use timely btrfs: divide btrfs_update_reserved_bytes() into two functions btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster() btrfs: qgroup: Fix qgroup incorrectness caused by log replay btrfs: relocation: Fix leaking qgroups numbers on data extents btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent() btrfs: waiting on qgroup rescan should not always be interruptible btrfs: properly track when rescan worker is running btrfs: flush_space: treat return value of do_chunk_alloc properly Btrfs: add ASSERT for block group's memory leak btrfs: backref: Fix soft lockup in __merge_refs function Btrfs: fix memory leak of reloc_root commit 370f6017295da81189d9aaed24e68c36e68a8947 Merge: 6ec675e 079d37d Author: Linus Torvalds Date: Fri Aug 26 20:18:49 2016 -0700 Merge tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm Pull dlm fix from David Teigland: "This fixes a bug introduced by recent debugfs cleanup" * tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm: dlm: fix malfunction of dlm_tool caused by debugfs changes commit 6ec675ede9d810f162da019db626f1ced63c3093 Merge: 67a8c7d 9c5a559 Author: Linus Torvalds Date: Fri Aug 26 20:15:32 2016 -0700 Merge tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - another stable fix for DM flakey (that tweaks the previous fix that didn't factor in expected 'drop_writes' behavior for read IO). - a dm-log bio operation flags fix for the broader block changes that were merged during the 4.8 merge window. * tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm log: fix unitialized bio operation flags dm flakey: fix reads to be issued if drop_writes configured commit 67a8c7d636886ee05cc139833b8f1aef0e685c2c Merge: fd1ae51 4df3618 Author: Linus Torvalds Date: Fri Aug 26 20:12:35 2016 -0700 Merge tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU fixes from Joerg Roedel: "Fixes from Will Deacon: - fix a couple of thinkos in the CMDQ error handling and short-descriptor page table code that have been there since day one - disable stalling faults, since they may result in hardware deadlock - fix an accidental BUG() when passing disable_bypass=1 on the cmdline" * tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass iommu/arm-smmu: Disable stalling faults for all endpoints iommu/arm-smmu: Fix CMDQ error handling iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks commit fd1ae514528bfa7136640301523f646f396134e2 Merge: b09c412 869c554 Author: Linus Torvalds Date: Fri Aug 26 18:50:07 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Here's a set of block fixes for the current 4.8-rc release. This contains: - a fix for a secure erase regression, from Adrian. - a fix for an mmc use-after-free bug regression, also from Adrian. - potential zero pointer deference in bdev freezing, from Andrey. - a race fix for blk_set_queue_dying() from Bart. - a set of xen blkfront fixes from Bob Liu. - three small fixes for bcache, from Eric and Kent. - a fix for a potential invalid NVMe state transition, from Gabriel. - blk-mq CPU offline fix, preventing us from issuing and completing a request on the wrong queue. From me. - revert two previous floppy changes, since they caused a user visibile regression. A better fix is in the works. - ensure that we don't send down bios that have more than 256 elements in them. Fixes a crash with bcache, for example. From Ming. - a fix for deferencing an error pointer with cgroup writeback. Fixes a regression. From Vegard" * 'for-linus' of git://git.kernel.dk/linux-block: mmc: fix use-after-free of struct request Revert "floppy: refactor open() flags handling" Revert "floppy: fix open(O_ACCMODE) for ioctl-only open" fs/block_dev: fix potential NULL ptr deref in freeze_bdev() blk-mq: improve warning for running a queue on the wrong CPU blk-mq: don't overwrite rq->mq_ctx block: make sure a big bio is split into at most 256 bvecs nvme: Fix nvme_get/set_features() with a NULL result pointer bdev: fix NULL pointer dereference xen-blkfront: free resources if xlvbd_alloc_gendisk fails xen-blkfront: introduce blkif_set_queue_limits() xen-blkfront: fix places not updated after introducing 64KB page granularity bcache: pr_err: more meaningful error message when nr_stripes is invalid bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two. bcache: register_bcache(): call blkdev_put() when cache_alloc() fails block: Fix race triggered by blk_set_queue_dying() block: Fix secure erase nvme: Prevent controller state invalid transition commit b09c412aa4540d13b677a9f4af05f59048b78949 Merge: 219c04c e3a888a Author: Linus Torvalds Date: Fri Aug 26 18:36:23 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input subsystem fixes from Dmitry Torokhov: "Simply small driver fixups" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: ads7846 - remove redundant regulator_disable call Input: synaptics-rmi4 - fix register descriptor subpacket map construction Input: tegra-kbc - fix inverted reset logic Input: silead - use devm_gpiod_get Input: i8042 - set up shared ps2_cmd_mutex for AUX ports commit 219c04cea3f17a6e3ab11d257af741f527c16195 Merge: 61c0457 21c80c9 Author: Linus Torvalds Date: Fri Aug 26 18:26:07 2016 -0700 Merge tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: "Resource management: - Update "pci=resource_alignment" documentation (Mathias Koehrer) MSI: - Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig) - Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig) Intel VMD host bridge driver: - Fix infinite loop executing irq's (Keith Busch)" * tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: x86/PCI: VMD: Fix infinite loop executing irq's PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() PCI: Use positive flags in pci_alloc_irq_vectors() PCI: Update "pci=resource_alignment" documentation commit 11bd969fdefea3ac0cb9791224f1e09784e21e58 Author: Ross Zwisler Date: Thu Aug 25 15:17:17 2016 -0700 mm: silently skip readahead for DAX inodes For DAX inodes we need to be careful to never have page cache pages in the mapping->page_tree. This radix tree should be composed only of DAX exceptional entries and zero pages. ltp's readahead02 test was triggering a warning because we were trying to insert a DAX exceptional entry but found that a page cache page had already been inserted into the tree. This page was being inserted into the radix tree in response to a readahead(2) call. Readahead doesn't make sense for DAX inodes, but we don't want it to report a failure either. Instead, we just return success and don't do any work. Link: http://lkml.kernel.org/r/20160824221429.21158-1-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Reported-by: Jeff Moyer Cc: Dan Williams Cc: Dave Chinner Cc: Dave Hansen Cc: Jan Kara Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/readahead.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit d0e5845561c238619de9f5b77e0d763f4c331ca5 Author: Dan Williams Date: Thu Aug 25 15:17:14 2016 -0700 dax: fix device-dax region base The data offset for a dax region needs to account for a reservation in the resource range. Otherwise, device-dax is allowing mappings directly into the memmap or device-info-block area with crash signatures like the following: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: get_zone_device_page+0x11/0x30 Call Trace: follow_devmap_pmd+0x298/0x2c0 follow_page_mask+0x275/0x530 __get_user_pages+0xe3/0x750 __gfn_to_pfn_memslot+0x1b2/0x450 [kvm] tdp_page_fault+0x130/0x280 [kvm] kvm_mmu_page_fault+0x5f/0xf0 [kvm] handle_ept_violation+0x94/0x180 [kvm_intel] vmx_handle_exit+0x1d3/0x1440 [kvm_intel] kvm_arch_vcpu_ioctl_run+0x81d/0x16a0 [kvm] kvm_vcpu_ioctl+0x33c/0x620 [kvm] do_vfs_ioctl+0xa2/0x5d0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x1a/0xa4 Fixes: ab68f2622136 ("/dev/dax, pmem: direct access to persistent memory") Link: http://lkml.kernel.org/r/147205536732.1606.8994275381938837346.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reported-by: Abhilash Kumar Mulumudi Reported-by: Toshi Kani Tested-by: Toshi Kani Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/dax/pmem.c | 3 +++ 1 file changed, 3 insertions(+) commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Author: Vegard Nossum Date: Thu Aug 25 15:17:11 2016 -0700 fs/seq_file: fix out-of-bounds read seq_read() is a nasty piece of work, not to mention buggy. It has (I think) an old bug which allows unprivileged userspace to read beyond the end of m->buf. I was getting these: BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880 Read of size 2713 by task trinity-c2/1329 CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 Call Trace: kasan_object_err+0x1c/0x80 kasan_report_error+0x2cb/0x7e0 kasan_report+0x4e/0x80 check_memory_region+0x13e/0x1a0 kasan_check_read+0x11/0x20 seq_read+0xcd2/0x1480 proc_reg_read+0x10b/0x260 do_loop_readv_writev.part.5+0x140/0x2c0 do_readv_writev+0x589/0x860 vfs_readv+0x7b/0xd0 do_readv+0xd8/0x2c0 SyS_readv+0xb/0x10 do_syscall_64+0x1b3/0x4b0 entry_SYSCALL64_slow_path+0x25/0x25 Object at ffff880116889100, in cache kmalloc-4096 size: 4096 Allocated: PID = 1329 save_stack_trace+0x26/0x80 save_stack+0x46/0xd0 kasan_kmalloc+0xad/0xe0 __kmalloc+0x1aa/0x4a0 seq_buf_alloc+0x35/0x40 seq_read+0x7d8/0x1480 proc_reg_read+0x10b/0x260 do_loop_readv_writev.part.5+0x140/0x2c0 do_readv_writev+0x589/0x860 vfs_readv+0x7b/0xd0 do_readv+0xd8/0x2c0 SyS_readv+0xb/0x10 do_syscall_64+0x1b3/0x4b0 return_from_SYSCALL_64+0x0/0x6a Freed: PID = 0 (stack is not available) Memory state around the buggy address: ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint This seems to be the same thing that Dave Jones was seeing here: https://lkml.org/lkml/2016/8/12/334 There are multiple issues here: 1) If we enter the function with a non-empty buffer, there is an attempt to flush it. But it was not clearing m->from after doing so, which means that if we try to do this flush twice in a row without any call to traverse() in between, we are going to be reading from the wrong place -- the splat above, fixed by this patch. 2) If there's a short write to userspace because of page faults, the buffer may already contain multiple lines (i.e. pos has advanced by more than 1), but we don't save the progress that was made so the next call will output what we've already returned previously. Since that is a much less serious issue (and I have a headache after staring at seq_read() for the past 8 hours), I'll leave that for now. Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum Reported-by: Dave Jones Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/seq_file.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 358c07fcc3b60ab08d77f1684de8bd81bcf49a1a Author: Arnd Bergmann Date: Thu Aug 25 15:17:08 2016 -0700 mm: memcontrol: avoid unused function warning A bugfix in v4.8-rc2 introduced a harmless warning when CONFIG_MEMCG_SWAP is disabled but CONFIG_MEMCG is enabled: mm/memcontrol.c:4085:27: error: 'mem_cgroup_id_get_online' defined but not used [-Werror=unused-function] static struct mem_cgroup *mem_cgroup_id_get_online(struct mem_cgroup *memcg) This moves the function inside of the #ifdef block that hides the calling function, to avoid the warning. Fixes: 1f47b61fb407 ("mm: memcontrol: fix swap counter leak on swapout from offline cgroup") Link: http://lkml.kernel.org/r/20160824113733.2776701-1-arnd@arndb.de Signed-off-by: Arnd Bergmann Acked-by: Michal Hocko Acked-by: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) commit b32eaf71db6085f2ba54cf3ddf688bfc858219d0 Author: Michal Hocko Date: Thu Aug 25 15:17:05 2016 -0700 mm: clarify COMPACTION Kconfig text The current wording of the COMPACTION Kconfig help text doesn't emphasise that disabling COMPACTION might cripple the page allocator which relies on the compaction quite heavily for high order requests and an unexpected OOM can happen with the lack of compaction. Make sure we are vocal about that. Link: http://lkml.kernel.org/r/20160823091726.GK23577@dhcp22.suse.cz Signed-off-by: Michal Hocko Cc: Markus Trippelsdorf Cc: Mel Gorman Cc: Joonsoo Kim Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/Kconfig | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit a5ff1b34e16c203397542d98c49c5c7783193946 Author: Masahiro Yamada Date: Thu Aug 25 15:17:02 2016 -0700 treewide: replace config_enabled() with IS_ENABLED() (2nd round) Commit 97f2645f358b ("tree-wide: replace config_enabled() with IS_ENABLED()") mostly killed config_enabled(), but some new users have appeared for v4.8-rc1. They are all used for a boolean option, so can be replaced with IS_ENABLED() safely. Link: http://lkml.kernel.org/r/1471970749-24867-1-git-send-email-yamada.masahiro@socionext.com Signed-off-by: Masahiro Yamada Acked-by: Kees Cook Acked-by: Peter Oberparleiter Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: Ralf Baechle Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Thomas Gleixner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/mips/include/asm/page.h | 4 ++-- arch/s390/kernel/setup.c | 6 ++---- arch/x86/mm/kaslr.c | 2 +- 3 files changed, 5 insertions(+), 7 deletions(-) commit ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3 Author: Nicolas Iooss Date: Thu Aug 25 15:17:00 2016 -0700 printk: fix parsing of "brl=" option Commit bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files") moved the parsing of braille-related options into _braille_console_setup(), changing the type of variable str from char* to char**. In this commit, memcmp(str, "brl,", 4) was correctly updated to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4). Update the code to make "brl=" option work again and replace memcmp() with strncmp() to make the compiler able to detect such an issue. Fixes: bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files") Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.org Signed-off-by: Nicolas Iooss Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/printk/braille.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 804dd150468cfd920d92d4b3cf00536fedef3902 Author: Andrea Arcangeli Date: Thu Aug 25 15:16:57 2016 -0700 soft_dirty: fix soft_dirty during THP split While adding proper userfaultfd_wp support with bits in pagetable and swap entry to avoid false positives WP userfaults through swap/fork/ KSM/etc, I've been adding a framework that mostly mirrors soft dirty. So I noticed in one place I had to add uffd_wp support to the pagetables that wasn't covered by soft_dirty and I think it should have. Example: in the THP migration code migrate_misplaced_transhuge_page() pmd_mkdirty is called unconditionally after mk_huge_pmd. entry = mk_huge_pmd(new_page, vma->vm_page_prot); entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma); That sets soft dirty too (it's a false positive for soft dirty, the soft dirty bit could be more finegrained and transfer the bit like uffd_wp will do.. pmd/pte_uffd_wp() enforces the invariant that when it's set pmd/pte_write is not set). However in the THP split there's no unconditional pmd_mkdirty after mk_huge_pmd and pte_swp_mksoft_dirty isn't called after the migration entry is created. The code sets the dirty bit in the struct page instead of setting it in the pagetable (which is fully equivalent as far as the real dirty bit is concerned, as the whole point of pagetable bits is to be eventually flushed out of to the page, but that is not equivalent for the soft-dirty bit that gets lost in translation). This was found by code review only and totally untested as I'm working to actually replace soft dirty and I don't have time to test potential soft dirty bugfixes as well :). Transfer the soft_dirty from pmd to pte during THP splits. This fix avoids losing the soft_dirty bit and avoids userland memory corruption in the checkpoint. Fixes: eef1b3ba053aa6 ("thp: implement split_huge_pmd()") Link: http://lkml.kernel.org/r/1471610515-30229-2-git-send-email-aarcange@redhat.com Signed-off-by: Andrea Arcangeli Acked-by: Pavel Emelyanov Cc: "Kirill A. Shutemov" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit e7d316a02f683864a12389f8808570e37fb90aa3 Author: Subash Abhinov Kasiviswanathan Date: Thu Aug 25 15:16:51 2016 -0700 sysctl: handle error writing UINT_MAX to u32 fields We have scripts which write to certain fields on 3.18 kernels but this seems to be failing on 4.4 kernels. An entry which we write to here is xfrm_aevent_rseqth which is u32. echo 4294967295 > /proc/sys/net/core/xfrm_aevent_rseqth Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting to int") prevented writing to sysctl entries when integer overflow occurs. However, this does not apply to unsigned integers. Heinrich suggested that we introduce a new option to handle 64 bit limits and set min as 0 and max as UINT_MAX. This might not work as it leads to issues similar to __do_proc_doulongvec_minmax. Alternatively, we would need to change the datatype of the entry to 64 bit. static int __do_proc_doulongvec_minmax(void *data, struct ctl_table { i = (unsigned long *) data; //This cast is causing to read beyond the size of data (u32) vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64. Introduce a new proc handler proc_douintvec. Individual proc entries will need to be updated to use the new handler. [akpm@linux-foundation.org: coding-style fixes] Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int") Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org Signed-off-by: Subash Abhinov Kasiviswanathan Cc: Heinrich Schuchardt Cc: Kees Cook Cc: "David S. Miller" Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/sysctl.h | 2 ++ kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 2 deletions(-) commit 8582fb59f7ee012f2b8118c2bb95168c1622a4c5 Author: Joe Perches Date: Thu Aug 25 15:16:48 2016 -0700 get_maintainer: quiet noisy implicit -f vcs_file_exists checking Checking command line filenames that are outside the git tree can emit a noisy and confusing message. Quiet that message by redirecting stderr. Verify that the command was executed successfully. Fixes: 4cad35a7ca69 ("get_maintainer.pl: reduce need for command-line option -f") Link: http://lkml.kernel.org/r/1970a1d2fecb258e384e2e4fdaacdc9ccf3e30a4.1470955439.git.joe@perches.com Signed-off-by: Joe Perches Reported-by: Wolfram Sang Tested-by: Wolfram Sang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/get_maintainer.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 101b29a204f87c99377faa53bd378f101ebb1824 Author: Johannes Berg Date: Thu Aug 25 15:16:45 2016 -0700 byteswap: don't use __builtin_bswap*() with sparse Although sparse declares __builtin_bswap*(), it can't actually do constant folding inside them (yet). As such, things like switch (protocol) { case htons(ETH_P_IP): break; } which we do all over the place cause sparse to warn that it expects a constant instead of a function call. Disable __HAVE_BUILTIN_BSWAP*__ if __CHECKER__ is defined to avoid this. Fixes: 7322dd755e7d ("byteswap: try to avoid __builtin_constant_p gcc bug") Link: http://lkml.kernel.org/r/1470914102-26389-1-git-send-email-johannes@sipsolutions.net Signed-off-by: Johannes Berg Acked-by: Arnd Bergmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/compiler-gcc.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit c15e07b02bf0450bc8e60f2cc51cb42daa371417 Author: Jiri Pirko Date: Thu Aug 25 18:30:52 2016 +0200 team: loadbalance: push lacpdus to exact delivery When team is in bridge and LACP is utilized, LACPDU packets are pushed to userspace using raw socket and there they are processed. However, since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so they never reach packet handlers in rx path. Fix this by explicity treat LACPDUs to be pushed to exact delivery in team rx_handler. Reported-by: Ido Schimmel Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/team/team_mode_loadbalance.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) commit c234af5875ffeab39d5a2c4230a477a35987a484 Author: Colin Ian King Date: Thu Aug 25 07:51:10 2016 +0100 net: hns: dereference ppe_cb->ppe_common_cb if it is non-null ppe_cb->ppe_common_cb is being dereferenced before a null check is being made on it. If ppe_cb->ppe_common_cb is null then we end up with a null pointer dereference when assigning dsaf_dev. Fix this by moving the initialisation of dsaf_dev once we know ppe_cb->ppe_common_cb is OK to dereference. Signed-off-by: Colin Ian King Acked-by: Yisen Zhuang Signed-off-by: David S. Miller drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 079d37df3397d48aab0f014986c1b0a1ca6256aa Author: Eric Ren Date: Thu Aug 25 17:20:59 2016 +0800 dlm: fix malfunction of dlm_tool caused by debugfs changes With the current kernel, `dlm_tool lockdebug` fails as below: "dlm_tool lockdebug ED0BD86DCE724393918A1AE8FDBF1EE3 can't open /sys/kernel/debug/dlm/ED0BD86DCE724393918A1AE8FDBF1EE3: Operation not permitted" This is because table_open() depends on file->f_op to tell which seq_file ops should be passed down. But, the original file ops in file->f_op is replaced by "debugfs_full_proxy_file_operations" with commit 49d200deaa68 ("debugfs: prevent access to removed files' private data"). Currently, I can think up 2 solutions: 1st, replace debugfs_create_file() with debugfs_create_file_unsafe(); 2nd, make different table_open#() accordingly. The 1st one is neat, but I don't thoroughly understand its risk. Maybe someone has a better one. Signed-off-by: Eric Ren Signed-off-by: David Teigland fs/dlm/debug_fs.c | 62 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 14 deletions(-) commit 29617e1cfc2aa869154f5ed2580b756ec2c3cb28 Author: Javier Martinez Canillas Date: Thu Aug 25 10:56:48 2016 -0400 MAINTAINERS: Add myself as reviewer for Samsung Exynos support I've been helping reviewing and testing Exynos SoC support patches for the last couple of years. But it would be easier for me if I'm cc'ed for patches, so I'm adding myself as reviewer for this entry. Signed-off-by: Javier Martinez Canillas Acked-by: Kukjin Kim Acked-by: Sylwester Nawrocki Signed-off-by: Krzysztof Kozlowski MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit da60626e7d02a4f385cae80e450afc8b07035368 Author: Russell King Date: Fri Aug 19 16:34:45 2016 +0100 ARM: sa1100: clear reset status prior to reboot Clear the current reset status prior to rebooting the platform. This adds the bit missing from 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage"). Fixes: 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage") Signed-off-by: Russell King arch/arm/mach-sa1100/generic.c | 3 +++ 1 file changed, 3 insertions(+) commit 61a28d2b690a8b6c383a075a12d62d711850f9d7 Author: Christophe Jaillet Date: Fri Aug 26 06:49:25 2016 +0200 IB/hfi1: Clean up type used and casting In all other places in this file where 'find_first_bit' is called, port_num is defined as a 'u8' and no casting is done. Do the same here in order to be more consistent. Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/mad.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b71121b4b70a995c0b794026e84c880c4f26c361 Author: Shiraz Saleem Date: Thu Aug 25 11:53:24 2016 -0500 i40iw: Receive notification events correctly Device notifications are not received after the first interface is closed; since there is an unregister for notifications on every interface close. Correct this by unregistering for device notifications only when the last interface is closed. Also, make all operations on the i40iw_notifiers_registered atomic as it can be read/modified concurrently. Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_main.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 Author: Mustafa Ismail Date: Thu Aug 25 11:52:47 2016 -0500 i40iw: Update hw_iwarp_state Update iwqp->hw_iwarp_state to reflect the new state of the CQP modify QP operation. This avoids reissuing a CQP operation to modify a QP to a state that it is already in. Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_hw.c | 1 + 1 file changed, 1 insertion(+) commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e Author: Chen-Yu Tsai Date: Thu Aug 25 14:26:59 2016 +0800 clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function The bootloader (U-boot) sometimes uses this timer for various delays. It uses it as a ongoing counter, and does comparisons on the current counter value. The timer counter is never stopped. In some cases when the user interacts with the bootloader, or lets it idle for some time before loading Linux, the timer may expire, and an interrupt will be pending. This results in an unexpected interrupt when the timer interrupt is enabled by the kernel, at which point the event_handler isn't set yet. This results in a NULL pointer dereference exception, panic, and no way to reboot. Clear any pending interrupts after we stop the timer in the probe function to avoid this. Cc: stable@vger.kernel.org Signed-off-by: Chen-Yu Tsai Signed-off-by: Daniel Lezcano Acked-by: Maxime Ripard drivers/clocksource/sun4i_timer.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 4d0e701659aa869a445823149e172e23faa6edac Author: Marcin Nowakowski Date: Wed Aug 17 12:22:33 2016 +0200 drivers/clocksource/pistachio: Fix memory corruption in init Driver init code incorrectly uses the block base address and as a result clears clocksource structure's fields instead of the hardware registers. Commit 09a998201649 ("timekeeping: Lift clocksource cacheline restriction") has changed the offsets within pistachio_clocksource structure and what has previously gone unnoticed now leads to a kernel panic during boot. Signed-off-by: Marcin Nowakowski Signed-off-by: Daniel Lezcano drivers/clocksource/time-pistachio.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 699e36e5b8e9f77b2be4c23f0b309e53be4b2880 Author: Alexandre Belloni Date: Tue Aug 23 10:44:02 2016 +0200 clocksource/drivers/timer-atmel-pit: Enable mck clock mck is needed to get the PIT working. Explicitly prepare_enable it instead of assuming it is enabled. This solves an issue where the system is freezing when the ETM/ETB drivers are enabled. Reported-by: Olivier Schonken Reviewed-by: Boris Brezillon Acked-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Signed-off-by: Daniel Lezcano drivers/clocksource/timer-atmel-pit.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 1e5d343b8f23770e8ac5d31f5c439826bdb35148 Author: Linus Lüssing Date: Tue Aug 23 03:13:03 2016 +0200 batman-adv: fix elp packet data reservation The skb_reserve() call only reserved headroom for the mac header, but not the elp packet header itself. Fixing this by using skb_put()'ing towards the skb tail instead of skb_push()'ing towards the skb head. Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure") Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich net/batman-adv/bat_v_elp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 936523441bb64cdc9a5b263e8fd2782e70313a57 Author: Sven Eckelmann Date: Sat Aug 6 15:50:52 2016 +0200 batman-adv: Add missing refcnt for last_candidate batadv_find_router dereferences last_bonding_candidate from orig_node without making sure that it has a valid reference. This reference has to be retrieved by increasing the reference counter while holding neigh_list_lock. The lock is required to avoid that batadv_last_bonding_replace removes the current last_bonding_candidate, reduces the reference counter and maybe destroys the object in this process. Fixes: f3b3d9018975 ("batman-adv: add bonding again") Signed-off-by: Sven Eckelmann Signed-off-by: Marek Lindner Signed-off-by: Simon Wunderlich net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) commit c721da1d05760ad0b4e7670896dae31b6b07d8d6 Author: Gregory CLEMENT Date: Mon Aug 22 18:09:36 2016 +0200 ARM: dts: kirkwood: Fix PCIe label on OpenRD While converting PCIe node on kirkwood by using label, the following commit eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") introduced a regression on the OpenRD boards: the PCIe didn't work anymore. As reported by Aaro Koskinen, the display/framebuffer was lost. This commit adds the forgotten label. Reported-by: Aaro Koskinen Tested-by: Aaro Koskinen Fixes: eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") Cc: stable@vger.kernel.org Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT arch/arm/boot/dts/kirkwood-openrd.dtsi | 4 ++++ 1 file changed, 4 insertions(+) commit a778937888867aac17a33887d1c429120790fbc2 Author: Simon Baatz Date: Fri Aug 12 19:12:50 2016 +0200 ARM: kirkwood: ib62x0: fix size of u-boot environment partition Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") split the "u-boot" partition into "u-boot" and "u-boot environment". However, instead of the size of the environment, an offset was given, resulting in overlapping partitions. Signed-off-by: Simon Baatz Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Cc: Luka Perkov Cc: stable@vger.kernel.org # 3.13+ Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d662ed2e50c9dab1d4c25e80fa3e01ebe257bd65 Author: Mark Rutland Date: Thu Aug 11 10:50:43 2016 +0100 bus: arm-ccn: make event groups reliable The CCN PMU driver leaves the counting logic always enabled, and thus events are enabled while groups are manipulated. As each event is stopped and read individually, this leads to arbitrary skew across event groups, which can be seen if counting several identical events. To avoid this, implement pmu_{enable,disable} callbacks to stop and start all counters atomically around event manipulation. As the counters are now stopped, we cannot poll the cycle counter to wait for events to drain from the bus. However, as the counters are stopped and the events will not be read regardless, we can simply allow the bus to drain naturally. Signed-off-by: Mark Rutland Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) commit 5b1e01f3ce15d3a8f2af5d38cc31f0d5c3c11dae Author: Mark Rutland Date: Thu Aug 11 10:50:42 2016 +0100 bus: arm-ccn: fix hrtimer registration The CCN PMU driver has a single hrtimer, used to simulate a periodic interrupt on systems where the overflow interrupt is not possible to use. The hrtimer is started when any event is started, and cancelled when any event is stopped. Thus, stopping a single event is sufficient to disable to hrtimer, and overflows (of other events) may be lost. To avoid this, this patch reworks the hrtimer start/cancel to only occur when the first event is added to a PMU, and the last event removed, making use of the existing bitmap counting active events. Signed-off-by: Mark Rutland Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) commit 0811ef7e2f5470833a353426a6fbe0b845aea926 Author: Mark Rutland Date: Thu Aug 11 10:50:41 2016 +0100 bus: arm-ccn: fix PMU interrupt flags Currently the IRQ core is permitted to make the CCN PMU IRQ handler threaded, and will allow userspace to change the CPU affinity of the interrupt behind our back. Both of these could violate our synchronisation requirements with the core perf code, which relies upon strict CPU affinity and disabling of interrupts to guarantee mutual exclusion in some cases. As with the CPU PMU drivers, we should request the interrupt with IRQF_NOBALANCING and IRQF_NO_THREAD, to avoid these issues. Signed-off-by: Mark Rutland Acked-by: Pawel Moll Reviewed-by: Will Deacon Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 800b2694f890cc35a1bda63501fc71c94389d517 Author: Brian Foster Date: Fri Aug 26 16:01:59 2016 +1000 xfs: prevent dropping ioend completions during buftarg wait xfs_wait_buftarg() waits for all pending I/O, drains the ioend completion workqueue and walks the LRU until all buffers in the cache have been released. This is traditionally an unmount operation` but the mechanism is also reused during filesystem freeze. xfs_wait_buftarg() invokes drain_workqueue() as part of the quiesce, which is intended more for a shutdown sequence in that it indicates to the queue that new operations are not expected once the drain has begun. New work jobs after this point result in a WARN_ON_ONCE() and are otherwise dropped. With filesystem freeze, however, read operations are allowed and can proceed during or after the workqueue drain. If such a read occurs during the drain sequence, the workqueue infrastructure complains about the queued ioend completion work item and drops it on the floor. As a result, the buffer remains on the LRU and the freeze never completes. Despite the fact that the overall buffer cache cleanup is not necessary during freeze, fix up this operation such that it is safe to invoke during non-unmount quiesce operations. Replace the drain_workqueue() call with flush_workqueue(), which runs a similar serialization on pending workqueue jobs without causing new jobs to be dropped. This is safe for unmount as unmount independently locks out new operations by the time xfs_wait_buftarg() is invoked. cc: Signed-off-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/xfs_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f3d7ebdeb2c297bd26272384e955033493ca291c Author: Dave Chinner Date: Fri Aug 26 16:01:30 2016 +1000 xfs: fix superblock inprogress check From inspection, the superblock sb_inprogress check is done in the verifier and triggered only for the primary superblock via a "bp->b_bn == XFS_SB_DADDR" check. Unfortunately, the primary superblock is an uncached buffer, and hence it is configured by xfs_buf_read_uncached() with: bp->b_bn = XFS_BUF_DADDR_NULL; /* always null for uncached buffers */ And so this check never triggers. Fix it. cc: Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_sb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 5b5c2dbd3c9bcfa89fba9709c12ecc0a445c6e40 Author: Darrick J. Wong Date: Fri Aug 26 16:00:10 2016 +1000 xfs: simple btree query range should look right if LE lookup fails If the initial LOOKUP_LE in the simple query range fails to find anything, we should attempt to increment the btree cursor to see if there actually /are/ records for what we're trying to find. Without this patch, a bnobt range query of (0, $agsize) returns no results because the leftmost record never has a startblock of zero. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 722278997bc964349e23e7061d541f8df3133a04 Author: Darrick J. Wong Date: Fri Aug 26 15:59:50 2016 +1000 xfs: fix some key handling problems in _btree_simple_query_range We only need the record's high key for the first record that we look at; for all records, we /definitely/ need the regular record key. Therefore, fix how the simple range query function gets its keys. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit da1f039d6947b1a49f13b39a6de0df2a3e9e1ed1 Author: Darrick J. Wong Date: Fri Aug 26 15:59:31 2016 +1000 xfs: don't log the entire end of the AGF When we're logging the last non-spare field in the AGF, we don't need to log the spare fields, so plumb in a new AGF logging flag to help us avoid that. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_alloc.c | 2 ++ fs/xfs/libxfs/xfs_format.h | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) commit 738f57c16a2bb527c705641f0fc1c68ff8cba72a Author: Darrick J. Wong Date: Fri Aug 26 15:59:19 2016 +1000 xfs: disallow mounting of realtime + rmap filesystems Since the kernel doesn't currently support the realtime rmapbt, don't allow such filesystems to be mounted. Support will appear in a future release. Signed-off-by: Darrick J. Wong Reviewed-by: Carlos Maiolino Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/xfs_super.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit ed150e1a5cf20c04cf0b2d2c34e498fc1d6519be Author: Darrick J. Wong Date: Fri Aug 26 15:58:40 2016 +1000 xfs: don't perform lookups on zero-height btrees If the caller passes in a cursor to a zero-height btree (which is impossible), we never set block to anything but NULL, which causes the later dereference of it to crash. Instead, just return -EFSCORRUPTED. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 4 ++++ 1 file changed, 4 insertions(+) commit 0a10e85b6c546c2f34ee257b955f33dbb4ece746 Author: Jon Hunter Date: Wed Aug 24 15:14:38 2016 +0200 ARM: tegra: Correct polarity for Tegra114 PMIC interrupt The ARM GIC only supports interrupts with either level-high or rising-edge types for SPIs. The interrupt type for the Palmas PMIC used for Tegra114 boards is specified as level-low which is invalid for the GIC. This has gone undetected because until recently, failures to set the interrupt type when the interrupts are mapped via firmware (such as device-tree) have not been reported. Since commits 4b357daed698 ("genirq: Look-up trigger type if not specified by caller") and 1e2a7d78499e ("irqdomain: Don't set type when mapping an IRQ"), failure to set the interrupt type will cause the requesting of the interrupt to fail and exposing incorrectly configured interrupts. Please note that although the interrupt type was never being set for the Palmas PMIC, it was still working fine, because the default type setting for the interrupt, 'level-high', happen to match the correct type for the interrupt. Finally, it should be noted that the Palmas interrupt from the PMIC is actually 'level-low', however, this interrupt signal is inverted by the Tegra PMC and so the GIC actually sees a 'level-high' interrupt which is what should be specified in the device-tree interrupt specifier. Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Olof Johansson arch/arm/boot/dts/tegra114-dalmore.dts | 2 +- arch/arm/boot/dts/tegra114-roth.dts | 2 +- arch/arm/boot/dts/tegra114-tn7.dts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 633af91ddb9133d65da6f3a77bb8908cdbf6aced Merge: 1ce3b12 326dce0 Author: Olof Johansson Date: Thu Aug 25 17:29:32 2016 -0700 Merge tag 'samsung-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into fixes Fix for v4.8-rc1: 1. Select proper eMMC HighSpeed mode on Odroid XU. DTS was mixing "samsung,exynos5250-dw-mshc" compatible (with HS200 as fastest mode) with a property "mmc-hs400-1_8v" thus leading to failures during probe. 2. Update Krzysztof Kozlowski's email address in maintainers. * tag 'samsung-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski ARM: dts: exynos: Properly select eMMC HighSpeed mode on Odroid XU Signed-off-by: Olof Johansson commit 1ce3b12f43558d8f73dab57d58a89fdcdaaff997 Merge: becc8d3 cfee6b58 Author: Olof Johansson Date: Thu Aug 25 17:21:37 2016 -0700 Merge tag 'imx-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes The i.MX fixes for 4.8: - Fix typo in imx6sx-sabreauto board wakeup property - Fix i.MX6UL suspend-to-standby support by adding the BM_CLPCR_BYP_MMDC_CH0_LPM_HS handling - Fix a i.MX6UL regression on suspend support, which is caused by commit 850bea2335e4 ("arm: Remove unnecessary of_platform_populate with default match table") * tag 'imx-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: imx6ul: populates platform device at .init_machine ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul ARM: dts: imx6sx-sabreauto: Fix misspelled property Signed-off-by: Olof Johansson commit becc8d3ccdcfa746fc4302092da11ad763bc9e49 Author: Masahiro Yamada Date: Thu Aug 18 03:08:22 2016 +0900 MAINTAINERS: add tree entry for ARM/UniPhier architecture Add T: entry for a new git tree, which I expect UniPhier SoC updates will be pulled from. Signed-off-by: Masahiro Yamada Signed-off-by: Olof Johansson MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit fd0381979799b4adcbf0eac74029e9804737cadb Merge: 8184a34 7391218 Author: Olof Johansson Date: Thu Aug 25 17:12:23 2016 -0700 Merge tag 'omap-for-v4.8/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omaps for v4.8-rc cycle, mostly a series of four fixes for am335x RTC zero offset for clkctrl register. Also few other fixes: - Add missing sysc information for DSI as at least n950 needs it for the working display - Fix old elm-id properties that cause nand boot to not work - Fix overo gpmc nand cs0 range - FIx overo gpmc nand on boards with ethernet - Fix logicpd torpedo nand ready pin nand interrupt configuration * tag 'omap-for-v4.8/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: logicpd-somlv: Fix NAND device nodes ARM: dts: logicpd-torpedo-som: Provide NAND ready pin ARM: dts: overo: fix gpmc nand on boards with ethernet ARM: dts: overo: fix gpmc nand cs0 range ARM: dts: am335x: Update elm phandle binding ARM: OMAP4+: CM: Remove redundant checks for clkctrl_offs of zero ARM: OMAP4+: Have _omap4_wait_target_* check for valid clkctrl_offs ARM: OMAP2+: AM33XX: Add HWMOD_OMAP4_ZERO_CLKCTRL_OFFSET flag to rtc hwmod ARM: OMAP4+: hwmod: Add hwmod flag for HWMOD_OMAP4_ZERO_CLKCTRL_OFFSET ARM: OMAP3: hwmod data: Add sysc information for DSI Signed-off-by: Olof Johansson commit b628d611a2a53858263fc419dba552f32431dba4 Author: Gao Feng Date: Thu Aug 25 09:45:39 2016 +0800 8139cp: Fix one possible deadloop in cp_rx_poll When cp_rx_poll does not get enough packet, it will check the rx interrupt status again. If so, it will jumpt to rx_status_loop again. But the goto jump resets the rx variable as zero too. As a result, it causes one possible deadloop. Assume this case, rx_status_loop only gets the packet count which is less than budget, and (cpr16(IntrStatus) & cp_rx_intr_mask) condition is always true. It causes the deadloop happens and system is blocked. Signed-off-by: Gao Feng Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8184a34f1124c6529611c3e77e361f087ce2ee1c Merge: 84ba04f b079bd5 Author: Olof Johansson Date: Thu Aug 25 17:00:10 2016 -0700 Merge tag 'vexpress-fixes-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into fixes SCPI/Vexpress fixes for v4.8-rc Couple of minor fixes to add missing of_node_put after calling of_parse_phandle in SCPI and vexpress-config bus drivers(Peter Chen) * tag 'vexpress-fixes-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scpi: add missing of_node_put after calling of_parse_phandle bus: vexpress-config: add missing of_node_put after calling of_parse_phandle Signed-off-by: Olof Johansson commit f38ff2ee7727994685494bcc4d7c274b35b5418a Author: Anjali Singhai Jain Date: Wed Aug 24 17:51:53 2016 -0700 i40e: Change some init flow for the client This change makes a common flow for Client instance open during init and reset path. The Client subtask can handle both the cases instead of making a separate notify_client_of_open call. Also it may fix a bug during reset where the service task was leaking some memory and causing issues. Change-Id: I7232a32fd52b82e863abb54266fa83122f80a0cd Signed-off-by: Anjali Singhai Jain Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/i40e/i40e_client.c | 41 ++++++++++++++++++++------- drivers/net/ethernet/intel/i40e/i40e_main.c | 1 - 2 files changed, 30 insertions(+), 12 deletions(-) commit 84ba04f26d20d2f91516cd9078e5035f2c8c6087 Merge: 2586d61 23540d6 Author: Olof Johansson Date: Thu Aug 25 16:54:16 2016 -0700 Merge tag 'gpmc-omap-v4.8-rc1' of https://github.com/rogerq/linux into fixes OMAP-GPMC: fixes for v4.8-rc1 Allow other children of GPMC to probe even if any child fails. This fixes problem on Overo boards where networking device child doesn't probe due to broken NAND child. * tag 'gpmc-omap-v4.8-rc1' of https://github.com/rogerq/linux: memory: omap-gpmc: allow probe of child nodes to fail Signed-off-by: Olof Johansson commit c3e70edd7c2eed6acd234627a6007627f5c76e8e Author: Xander Huff Date: Wed Aug 24 16:47:53 2016 -0500 Revert "phy: IRQ cannot be shared" This reverts: commit 33c133cc7598 ("phy: IRQ cannot be shared") On hardware with multiple PHY devices hooked up to the same IRQ line, allow them to share it. Sergei Shtylyov says: "I'm not sure now what was the reason I concluded that the IRQ sharing was impossible... most probably I thought that the kernel IRQ handling code exited the loop over the IRQ actions once IRQ_HANDLED was returned -- which is obviously not so in reality..." Signed-off-by: Xander Huff Signed-off-by: Nathan Sullivan Signed-off-by: David S. Miller drivers/net/phy/phy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 2586d61f81ea4d84e325cbde2b316c9a8ca43e38 Merge: fa8410b d9fd3c9 Author: Olof Johansson Date: Thu Aug 25 16:52:29 2016 -0700 Merge tag 'mvebu-fixes-4.8-1' of git://git.infradead.org/linux-mvebu into fixes mvebu fixes for 4.8 (part 1) Fix lan numbering for the Armada 388 clearfog board * tag 'mvebu-fixes-4.8-1' of git://git.infradead.org/linux-mvebu: ARM: dts: armada-388-clearfog: number LAN ports properly Signed-off-by: Olof Johansson commit 4f101c47791cdcb831b3ef1f831b1cc51e4fe03c Author: Florian Fainelli Date: Wed Aug 24 11:01:20 2016 -0700 net: dsa: bcm_sf2: Fix race condition while unmasking interrupts We kept shadow copies of which interrupt sources we have enabled and disabled, but due to an order bug in how intrl2_mask_clear was defined, we could run into the following scenario: CPU0 CPU1 intrl2_1_mask_clear(..) sets INTRL2_CPU_MASK_CLEAR bcm_sf2_switch_1_isr read INTRL2_CPU_STATUS and masks with stale irq1_mask value updates irq1_mask value Which would make us loop again and again trying to process and interrupt we are not clearing since our copy of whether it was enabled before still indicates it was not. Fix this by updating the shadow copy first, and then unasking at the HW level. Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/dsa/bcm_sf2.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 166ee5b87866de07a3e56c1b757f2b5cabba72a5 Author: Eric Dumazet Date: Wed Aug 24 09:39:02 2016 -0700 qdisc: fix a module refcount leak in qdisc_create_dflt() Should qdisc_alloc() fail, we must release the module refcount we got right before. Fixes: 6da7c8fcbcbd ("qdisc: allow setting default queuing discipline") Signed-off-by: Eric Dumazet Acked-by: John Fastabend Acked-by: John Fastabend Signed-off-by: David S. Miller net/sched/sch_generic.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit a5de125dd46c851fc962806135953c1bd0a0f0df Author: Wei Yongjun Date: Wed Aug 24 13:32:19 2016 +0000 tipc: fix the error handling in tipc_udp_enable() Fix to return a negative error code in enable_mcast() error handling case, and release udp socket when necessary. Fixes: d0f91938bede ("tipc: add ip/udp media type") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/tipc/udp_media.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit d1228f4ff3e7c257788ba86ed02a22f5266552ea Merge: 368907d 40d9c32 Author: Greg Kroah-Hartman Date: Thu Aug 25 17:00:01 2016 -0400 Merge tag 'usb-serial-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for v4.8-rc4 Here are a couple of fixes for non-atomic allocations in write paths, and some new option device ids. Signed-off-by: Johan Hovold commit 869c554808ccf7ddd25be5317073b88ceddb8507 Author: Adrian Hunter Date: Thu Aug 25 14:11:43 2016 -0600 mmc: fix use-after-free of struct request We call mmc_req_is_special() after having processed a request, but it could be freed after that. Check that ahead of time, and use the cached value. Reported-by: Hans de Goede Tested-by: Hans de Goede Fixes: c2df40dfb8c0 ("drivers: use req op accessor") Signed-off-by: Jens Axboe drivers/mmc/card/block.c | 4 ++-- drivers/mmc/card/queue.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) commit 969af80f770a86e65bf8be1f72b218b5f8556b56 Merge: 2b721f2 177d91a Author: Dave Airlie Date: Fri Aug 26 05:18:40 2016 +1000 Merge tag 'drm-intel-fixes-2016-08-25' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes queue. * tag 'drm-intel-fixes-2016-08-25' of git://anongit.freedesktop.org/drm-intel: drm/i915: Fix botched merge that downgrades CSR versions. drm/i915/skl: Ensure pipes with changed wms get added to the state drm/i915/gen9: Only copy WM results for changed pipes to skl_hw drm/i915/skl: Add support for the SAGV, fix underrun hangs drm/i915/gen6+: Interpret mailbox error flags drm/i915: Reattach comment, complete type specification drm/i915: Unconditionally flush any chipset buffers before execbuf drm/i915/gen9: Drop invalid WARN() during data rate calculation drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2) commit 2b721f20770ccbca4d3dad58e1bd44aa570efb3f Author: Daniel Vetter Date: Wed Aug 10 18:52:38 2016 +0200 drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION For reasons that entirely elude me fb.h exposes all the structures, even when it is not enabled. Except for special stuff like fb_defio. Which means all the drivers which haven't yet switched over to the defio support in the helpers and still roll their own, will fail to compile when fbdev emulation is disabled. Protect just those bits, as a gnarly reminder that conversion to the core defio helpers would be good. Reviewed-by: Alex Deucher Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/1470847958-28465-6-git-send-email-daniel.vetter@ffwll.ch Signed-off-by: Dave Airlie drivers/gpu/drm/qxl/qxl_fb.c | 4 ++++ drivers/gpu/drm/udl/udl_fb.c | 4 ++++ 2 files changed, 8 insertions(+) commit 4f34228b67246ae3b3ab1dc33b980c77c0650ef4 Author: Luiz Augusto von Dentz Date: Mon Aug 15 16:02:20 2016 +0300 Bluetooth: Fix hci_sock_recvmsg when MSG_TRUNC is not set Similar to bt_sock_recvmsg MSG_TRUNC shall be checked using the original flags not msg_flags. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann net/bluetooth/hci_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 90a56f72edb088c678083c32d05936c7c8d9a948 Author: Luiz Augusto von Dentz Date: Fri Aug 12 15:11:28 2016 +0300 Bluetooth: Fix bt_sock_recvmsg when MSG_TRUNC is not set Commit b5f34f9420b50c9b5876b9a2b68e96be6d629054 attempt to introduce proper handling for MSG_TRUNC but recv and variants should still work as read if no flag is passed, but because the code may set MSG_TRUNC to msg->msg_flags that shall not be used as it may cause it to be behave as if MSG_TRUNC is always, so instead of using it this changes the code to use the flags parameter which shall contain the original flags. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann net/bluetooth/af_bluetooth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b31cc4b37e8e33e84e9f990d0d84387f37ef01a1 Author: Wolfram Sang Date: Mon Aug 15 00:47:22 2016 +0200 i2c: bcm-kona: fix inconsistent indenting smatch rightfully says: drivers/i2c/busses/i2c-bcm-kona.c:646 bcm_kona_i2c_xfer() warn: inconsistent indenting Signed-off-by: Wolfram Sang Reviewed-by: Tim Kryger drivers/i2c/busses/i2c-bcm-kona.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c13c29186c59b056d6ec141b5967c2ca3efc0c16 Author: Wolfram Sang Date: Wed Aug 24 11:19:29 2016 +0200 i2c: rcar: use proper device with dma_mapping_error We must use the same device we used for mapping. Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-rcar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 488d69ea72457c7566b36eb0d484d579f19963c5 Author: Wolfram Sang Date: Wed Aug 24 11:19:28 2016 +0200 i2c: sh_mobile: use proper device with dma_mapping_error We must use the same device we used for mapping. Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-sh_mobile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9a5382e8ffe86412f442f6a34fde43f94aae530b Author: Wolfram Sang Date: Mon Aug 22 16:52:21 2016 +0200 i2c: mux: demux-pinctrl: invalidate properly when switching fails Make sure the index to the active channel is invalidated when switching fails. Signed-off-by: Wolfram Sang Signed-off-by: Wolfram Sang drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 + 1 file changed, 1 insertion(+) commit a820cd3d25c2891028b5f296a8a871ce6dd92c0d Merge: abaa227 cfb89f2 Author: Takashi Iwai Date: Thu Aug 25 17:56:09 2016 +0200 Merge tag 'asoc-fix-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v4.8 A clutch of fixes for v4.8. These are mainly driver specific, the most notable ones being those for OMAP which fix a series of issues that broke boot on some platforms there when deferred probe kicked in. There's also one core fix for an issue when unbinding a card which for some reason had managed to not manifest until recently. commit a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 Author: David Hildenbrand Date: Tue Aug 16 14:38:24 2016 +0200 KVM: s390: don't use current->thread.fpu.* when accessing registers As the meaning of these variables and pointers seems to change more frequently, let's directly access our save area, instead of going via current->thread. Right now, this is broken for set/get_fpu. They simply overwrite the host registers, as the pointers to the current save area were turned into the static host save area. Cc: stable@vger.kernel.org # 4.7 Fixes: 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct") Reported-by: Hao QingFeng Signed-off-by: David Hildenbrand Signed-off-by: Christian Borntraeger arch/s390/kvm/kvm-s390.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 049b1e7c7e5c21bbb64dc3fc10bb0c53f30b0b70 Merge: 716b076b 07c72d7 Author: Doug Ledford Date: Thu Aug 25 11:17:10 2016 -0400 Merge branch 'misc-fixes' into k.o/for-4.8-rc commit 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 Author: Tatyana Nikolova Date: Wed Aug 24 13:59:17 2016 -0500 i40iw: Send last streaming mode message for loopback connections Send a zero length last streaming mode message for loopback connections to synchronize between accepting QP and connecting QP. This avoids data transfer to start on the accepting QP before the connecting QP is in RTS. Also remove function i40iw_loopback_nop() as it is no longer used. Fixes: f27b4746f378 ("i40iw: add connection management code") Signed-off-by: Tatyana Nikolova Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_cm.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) commit f2791e7eadf437633f30faa51b30878cf15650be Author: Jens Axboe Date: Thu Aug 25 08:56:51 2016 -0600 Revert "floppy: refactor open() flags handling" This reverts commit 09954bad448791ef01202351d437abdd9497a804. drivers/block/floppy.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) commit 468c298ad3ed3f0d94a65f8ca00f6bfc6c2b4e33 Author: Jens Axboe Date: Thu Aug 25 08:56:44 2016 -0600 Revert "floppy: fix open(O_ACCMODE) for ioctl-only open" This reverts commit ff06db1efb2ad6db06eb5b99b88a0c15a9cc9b0e. drivers/block/floppy.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) commit 5bb53c0fb8e0fc2e34287d5d0fcadc784de913e1 Author: Andrey Ryabinin Date: Tue Aug 23 18:55:31 2016 +0300 fs/block_dev: fix potential NULL ptr deref in freeze_bdev() Calling freeze_bdev() twice on the same block device without mounted filesystem get_super() will return NULL, which will lead to NULL-ptr dereference later in drop_super(). Check get_super() result to fix that. Note, that this is a purely theoretical issue. We have only 3 freeze_bdev() callers. 2 of them are in filesystem code and used on a device with mounted fs. The third one in lock_fs() has protection in upper-layer code against freezing block device the second time without thawing it first. Signed-off-by: Andrey Ryabinin Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe fs/block_dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 368907ddb2eda418e9fde6b772d1ed864666a296 Merge: 53e5f36 6f8245b Author: Greg Kroah-Hartman Date: Thu Aug 25 08:54:13 2016 -0400 Merge tag 'fixes-for-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: usb: fixes for v4.8-rc3 Few fixes on dwc3 again, the most important being a fix for pm_runtime to make it work with current intel platforms. Other than that, there's a signedness bug fix in fsl udc and some other minor fixes. commit 4249fc1f023a2106170bbf715e2e1a0ebc2d5b1f Author: Sabrina Dubroca Date: Tue Aug 23 10:20:31 2016 +0200 netfilter: ebtables: put module reference when an incorrect extension is found commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") added a second lookup in case the extension that was found during the first lookup matched another extension with the same name, but didn't release the reference on the incorrect module. Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") Signed-off-by: Sabrina Dubroca Acked-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso net/bridge/netfilter/ebtables.c | 2 ++ 1 file changed, 2 insertions(+) commit 960fa72f67f1be6891d63a5518860d1ae4e14b88 Author: Liping Zhang Date: Mon Aug 22 22:57:56 2016 +0800 netfilter: nft_meta: improve the validity check of pkttype set expr "meta pkttype set" is only supported on prerouting chain with bridge family and ingress chain with netdev family. But the validate check is incomplete, and the user can add the nft rules on input chain with bridge family, for example: # nft add table bridge filter # nft add chain bridge filter input {type filter hook input \ priority 0 \;} # nft add chain bridge filter test # nft add rule bridge filter test meta pkttype set unicast # nft add rule bridge filter input jump test This patch fixes the problem. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nft_meta.h | 4 ++++ net/bridge/netfilter/nft_meta_bridge.c | 1 + net/netfilter/nft_meta.c | 17 +++++++++++++---- 3 files changed, 18 insertions(+), 4 deletions(-) commit 533e33009897c7dd1b0424c0d4b3331b222d5681 Author: Liping Zhang Date: Mon Aug 22 21:58:18 2016 +0800 netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr ffff880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528/0x560 [] kasan_report+0x58/0x60 [] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [] __asan_load4+0x61/0x80 [] icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [] nf_conntrack_in+0x550/0x980 [nf_conntrack] [] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack] [ ... ] The main reason is that we missed to unlink the timeout objects in the unconfirmed ct lists, so we will access the timeout objects that have already been freed. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_cttimeout.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 23aaba5ad55547db62bada5066c8fb6412d5b1c2 Author: Liping Zhang Date: Mon Aug 22 21:58:17 2016 +0800 netfilter: cttimeout: put back l4proto when replacing timeout policy We forget to call nf_ct_l4proto_put when replacing the existing timeout policy. Acctually, there's no need to get ct l4proto before doing replace, so we can move it to a later position. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_cttimeout.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) commit 93fac10b99d78eb2c50a739cba2e590c7332d539 Author: Liping Zhang Date: Mon Aug 22 21:58:16 2016 +0800 netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects cttimeout and acct objects are deleted from the list while traversing it, so use list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 6 +++--- net/netfilter/nfnetlink_cttimeout.c | 5 +++-- 2 files changed, 6 insertions(+), 5 deletions(-) commit 28a235931b56d4e7bdd51f6733daf95f2b269da8 Author: Filipe Manana Date: Tue Aug 23 21:13:51 2016 +0100 Btrfs: fix lockdep warning on deadlock against an inode's log mutex Commit 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink"), which landed in 4.8-rc2, introduced a possibility for a deadlock due to double locking of an inode's log mutex by the same task, which lockdep reports with: [23045.433975] ============================================= [23045.434748] [ INFO: possible recursive locking detected ] [23045.435426] 4.7.0-rc6-btrfs-next-34+ #1 Not tainted [23045.436044] --------------------------------------------- [23045.436044] xfs_io/3688 is trying to acquire lock: [23045.436044] (&ei->log_mutex){+.+...}, at: [] btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] but task is already holding lock: [23045.436044] (&ei->log_mutex){+.+...}, at: [] btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] other info that might help us debug this: [23045.436044] Possible unsafe locking scenario: [23045.436044] CPU0 [23045.436044] ---- [23045.436044] lock(&ei->log_mutex); [23045.436044] lock(&ei->log_mutex); [23045.436044] *** DEADLOCK *** [23045.436044] May be due to missing lock nesting notation [23045.436044] 3 locks held by xfs_io/3688: [23045.436044] #0: (&sb->s_type->i_mutex_key#15){+.+...}, at: [] btrfs_sync_file+0x14e/0x425 [btrfs] [23045.436044] #1: (sb_internal#2){.+.+.+}, at: [] __sb_start_write+0x5f/0xb0 [23045.436044] #2: (&ei->log_mutex){+.+...}, at: [] btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] stack backtrace: [23045.436044] CPU: 4 PID: 3688 Comm: xfs_io Not tainted 4.7.0-rc6-btrfs-next-34+ #1 [23045.436044] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.1-0-gb3ef39f-prebuilt.qemu-project.org 04/01/2014 [23045.436044] 0000000000000000 ffff88022f5f7860 ffffffff8127074d ffffffff82a54b70 [23045.436044] ffffffff82a54b70 ffff88022f5f7920 ffffffff81092897 ffff880228015d68 [23045.436044] 0000000000000000 ffffffff82a54b70 ffffffff829c3f00 ffff880228015d68 [23045.436044] Call Trace: [23045.436044] [] dump_stack+0x67/0x90 [23045.436044] [] __lock_acquire+0xcbb/0xe4e [23045.436044] [] ? mark_lock+0x24/0x201 [23045.436044] [] ? mark_held_locks+0x5e/0x74 [23045.436044] [] lock_acquire+0x12f/0x1c3 [23045.436044] [] ? lock_acquire+0x12f/0x1c3 [23045.436044] [] ? btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] [] ? btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] [] mutex_lock_nested+0x77/0x3a7 [23045.436044] [] ? btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] [] ? btrfs_release_delayed_node+0xb/0xd [btrfs] [23045.436044] [] btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] [] ? btrfs_log_inode+0x13a/0xc95 [btrfs] [23045.436044] [] ? vprintk_emit+0x453/0x465 [23045.436044] [] btrfs_log_inode+0x66e/0xc95 [btrfs] [23045.436044] [] log_new_dir_dentries+0x26c/0x359 [btrfs] [23045.436044] [] btrfs_log_inode_parent+0x4a6/0x628 [btrfs] [23045.436044] [] btrfs_log_dentry_safe+0x5a/0x75 [btrfs] [23045.436044] [] btrfs_sync_file+0x304/0x425 [btrfs] [23045.436044] [] vfs_fsync_range+0x8c/0x9e [23045.436044] [] vfs_fsync+0x1c/0x1e [23045.436044] [] do_fsync+0x31/0x4a [23045.436044] [] SyS_fsync+0x10/0x14 [23045.436044] [] entry_SYSCALL_64_fastpath+0x18/0xa8 [23045.436044] [] ? trace_hardirqs_off_caller+0x3f/0xaa An example reproducer for this is: $ mkfs.btrfs -f /dev/sdb $ mount /dev/sdb /mnt $ mkdir /mnt/dir $ touch /mnt/dir/foo $ sync $ mv /mnt/dir/foo /mnt/dir/bar $ touch /mnt/dir/foo $ xfs_io -c "fsync" /mnt/dir/bar This is because while logging the inode of file bar we end up logging its parent directory (since its inode has an unlink_trans field matching the current transaction id due to the rename operation), which in turn logs the inodes for all its new dentries, so that the new inode for the new file named foo gets logged which in turn triggered another logging attempt for the inode we are fsync'ing, since that inode had an old name that corresponds to the name of the new inode. So fix this by ensuring that when logging the inode for a new dentry that has a name matching an old name of some other inode, we don't log again the original inode that we are fsync'ing. Fixes: 44f714dae50a ("Btrfs: improve performance on fsync against new inode after rename/unlink") Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/file.c | 2 +- fs/btrfs/tree-log.c | 5 +++-- fs/btrfs/tree-log.h | 5 ++++- 3 files changed, 8 insertions(+), 4 deletions(-) commit 1ba98d086fe3a14d6a31f2f66dbab70c45d00f63 Author: Liu Bo Date: Tue Aug 23 15:22:58 2016 -0700 Btrfs: detect corruption when non-root leaf has zero item Right now we treat leaf which has zero item as a valid one because we could have an empty tree, that is, a root that is also a leaf without any item, however, in the same case but when the leaf is not a root, we can end up with hitting the BUG_ON(1) in btrfs_extend_item() called by setup_inline_extent_backref(). This makes us check the situation as a corruption if leaf is not its own root. Signed-off-by: Liu Bo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/disk-io.c | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) commit 053ab70f0604224c7893b43f9d9d5efa283580d6 Author: Liu Bo Date: Tue Aug 23 17:37:45 2016 -0700 Btrfs: check btree node's nritems When btree node (level = 1) has nritems which equals to zero, we can end up with panic due to insert_ptr()'s BUG_ON(slot > nritems); where slot is 1 and nritems is 0, as copy_for_split() calls insert_ptr(.., path->slots[1] + 1, ...); A invalid value results in the whole mess, this adds the check for btree's node nritems so that we stop reading block when when something is wrong. Signed-off-by: Liu Bo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/disk-io.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) commit 35bbb97fc898aeb874cb7c8b746f091caa359994 Author: Jeff Mahoney Date: Wed Aug 17 21:58:33 2016 -0400 btrfs: don't create or leak aliased root while cleaning up orphans commit 909c3a22da3 (Btrfs: fix loading of orphan roots leading to BUG_ON) avoids the BUG_ON but can add an aliased root to the dead_roots list or leak the root. Since we've already been loading roots into the radix tree, we should use it before looking the root up on disk. Cc: # 4.5 Signed-off-by: Jeff Mahoney Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/disk-io.c | 4 ++-- fs/btrfs/disk-io.h | 2 ++ fs/btrfs/root-tree.c | 27 ++++++++++++++++++--------- 3 files changed, 22 insertions(+), 11 deletions(-) commit 187ee58c62c1d0d238d3dc4835869d33e1869906 Author: Josef Bacik Date: Thu Aug 18 15:30:06 2016 -0400 Btrfs: fix em leak in find_first_block_group We need to call free_extent_map() on the em we look up. Signed-off-by: Josef Bacik Reviewed-by: Omar Sandoval Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 1 + 1 file changed, 1 insertion(+) commit 142388194191a3edc9ba01cfcfd8b691e0971fb2 Author: Anand Jain Date: Fri Jul 22 06:04:53 2016 +0800 btrfs: do not background blkdev_put() At the end of unmount/dev-delete, if the device exclusive open is not actually closed, then there might be a race with another program in the userland who is trying to open the device in exclusive mode and it may fail for eg: unmount /btrfs; fsck /dev/x btrfs dev del /dev/x /btrfs; fsck /dev/x so here background blkdev_put() is not a choice Signed-off-by: Anand Jain Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/volumes.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) commit 28b737f6ede3661fe610937706c4a6f50e9ab769 Author: Liu Bo Date: Fri Jul 29 11:09:50 2016 -0700 Btrfs: clarify do_chunk_alloc()'s return value Function start_transaction() can return ERR_PTR(1) when flush is BTRFS_RESERVE_FLUSH_LIMIT, so the call graph is start_transaction (return ERR_PTR(1)) -> btrfs_block_rsv_add (return 1) -> reserve_metadata_bytes (return 1) -> flush_space (return 1) -> do_chunk_alloc (return 1) With BTRFS_RESERVE_FLUSH_LIMIT, if flush_space is already on the flush_state of ALLOC_CHUNK and it successfully allocates a new chunk, then instead of trying to reserve space again, reserve_metadata_bytes returns 1 immediately. Eventually the callers who call start_transaction() usually just do the IS_ERR() check which ERR_PTR(1) can pass, then it'll get a panic when dereferencing a pointer which is ERR_PTR(1). The following patch fixes the above problem. "btrfs: flush_space: treat return value of do_chunk_alloc properly" https://patchwork.kernel.org/patch/7778651/ This add comments to clarify do_chunk_alloc()'s return value. Signed-off-by: Liu Bo Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 9e7cc91a6d18a4973c6d2cc104871439c9e94f3d Author: Wang Xiaoguang Date: Mon Aug 1 13:28:08 2016 +0800 btrfs: fix fsfreeze hang caused by delayed iputs deal When running fstests generic/068, sometimes we got below deadlock: xfs_io D ffff8800331dbb20 0 6697 6693 0x00000080 ffff8800331dbb20 ffff88007acfc140 ffff880034d895c0 ffff8800331dc000 ffff880032d243e8 fffffffeffffffff ffff880032d24400 0000000000000001 ffff8800331dbb38 ffffffff816a9045 ffff880034d895c0 ffff8800331dbba8 Call Trace: [] schedule+0x35/0x80 [] rwsem_down_read_failed+0xf2/0x140 [] ? __filemap_fdatawrite_range+0xd1/0x100 [] call_rwsem_down_read_failed+0x18/0x30 [] ? btrfs_alloc_block_rsv+0x2c/0xb0 [btrfs] [] percpu_down_read+0x35/0x50 [] __sb_start_write+0x2c/0x40 [] start_transaction+0x2a5/0x4d0 [btrfs] [] btrfs_join_transaction+0x17/0x20 [btrfs] [] btrfs_evict_inode+0x3c4/0x5d0 [btrfs] [] evict+0xba/0x1a0 [] iput+0x196/0x200 [] btrfs_run_delayed_iputs+0x70/0xc0 [btrfs] [] btrfs_commit_transaction+0x928/0xa80 [btrfs] [] btrfs_freeze+0x30/0x40 [btrfs] [] freeze_super+0xf0/0x190 [] do_vfs_ioctl+0x4a5/0x5c0 [] ? do_audit_syscall_entry+0x66/0x70 [] ? syscall_trace_enter_phase1+0x11f/0x140 [] SyS_ioctl+0x79/0x90 [] do_syscall_64+0x62/0x110 [] entry_SYSCALL64_slow_path+0x25/0x25 >From this warning, freeze_super() already holds SB_FREEZE_FS, but btrfs_freeze() will call btrfs_commit_transaction() again, if btrfs_commit_transaction() finds that it has delayed iputs to handle, it'll start_transaction(), which will try to get SB_FREEZE_FS lock again, then deadlock occurs. The root cause is that in btrfs, sync_filesystem(sb) does not make sure all metadata is updated. There still maybe some codes adding delayed iputs, see below sample race window: CPU1 | CPU2 |-> freeze_super() | |-> sync_filesystem(sb); | | |-> cleaner_kthread() | | |-> btrfs_delete_unused_bgs() | | |-> btrfs_remove_chunk() | | |-> btrfs_remove_block_group() | | |-> btrfs_add_delayed_iput() | | |-> sb->s_writers.frozen = SB_FREEZE_FS; | |-> sb_wait_write(sb, SB_FREEZE_FS); | | acquire SB_FREEZE_FS lock. | | | |-> btrfs_freeze() | |-> btrfs_commit_transaction() | |-> btrfs_run_delayed_iputs() | | will handle delayed iputs, | | that means start_transaction() | | will be called, which will try | | to get SB_FREEZE_FS lock. | To fix this issue, introduce a "int fs_frozen" to record internally whether fs has been frozen. If fs has been frozen, we can not handle delayed iputs. Signed-off-by: Wang Xiaoguang Reviewed-by: David Sterba [ add comment to btrfs_freeze ] Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/ctree.h | 2 ++ fs/btrfs/disk-io.c | 1 + fs/btrfs/super.c | 16 ++++++++++++++++ fs/btrfs/transaction.c | 7 ++++++- 4 files changed, 25 insertions(+), 1 deletion(-) commit 18513091af9483ba84328d42092bd4d42a3c958f Author: Wang Xiaoguang Date: Mon Jul 25 15:51:40 2016 +0800 btrfs: update btrfs_space_info's bytes_may_use timely This patch can fix some false ENOSPC errors, below test script can reproduce one false ENOSPC error: #!/bin/bash dd if=/dev/zero of=fs.img bs=$((1024*1024)) count=128 dev=$(losetup --show -f fs.img) mkfs.btrfs -f -M $dev mkdir /tmp/mntpoint mount $dev /tmp/mntpoint cd /tmp/mntpoint xfs_io -f -c "falloc 0 $((64*1024*1024))" testfile Above script will fail for ENOSPC reason, but indeed fs still has free space to satisfy this request. Please see call graph: btrfs_fallocate() |-> btrfs_alloc_data_chunk_ondemand() | bytes_may_use += 64M |-> btrfs_prealloc_file_range() |-> btrfs_reserve_extent() |-> btrfs_add_reserved_bytes() | alloc_type is RESERVE_ALLOC_NO_ACCOUNT, so it does not | change bytes_may_use, and bytes_reserved += 64M. Now | bytes_may_use + bytes_reserved == 128M, which is greater | than btrfs_space_info's total_bytes, false enospc occurs. | Note, the bytes_may_use decrease operation will be done in | end of btrfs_fallocate(), which is too late. Here is another simple case for buffered write: CPU 1 | CPU 2 | |-> cow_file_range() |-> __btrfs_buffered_write() |-> btrfs_reserve_extent() | | | | | | | | | ..... | |-> btrfs_check_data_free_space() | | | | |-> extent_clear_unlock_delalloc() | In CPU 1, btrfs_reserve_extent()->find_free_extent()-> btrfs_add_reserved_bytes() do not decrease bytes_may_use, the decrease operation will be delayed to be done in extent_clear_unlock_delalloc(). Assume in this case, btrfs_reserve_extent() reserved 128MB data, CPU2's btrfs_check_data_free_space() tries to reserve 100MB data space. If 100MB > data_sinfo->total_bytes - data_sinfo->bytes_used - data_sinfo->bytes_reserved - data_sinfo->bytes_pinned - data_sinfo->bytes_readonly - data_sinfo->bytes_may_use btrfs_check_data_free_space() will try to allcate new data chunk or call btrfs_start_delalloc_roots(), or commit current transaction in order to reserve some free space, obviously a lot of work. But indeed it's not necessary as long as decreasing bytes_may_use timely, we still have free space, decreasing 128M from bytes_may_use. To fix this issue, this patch chooses to update bytes_may_use for both data and metadata in btrfs_add_reserved_bytes(). For compress path, real extent length may not be equal to file content length, so introduce a ram_bytes argument for btrfs_reserve_extent(), find_free_extent() and btrfs_add_reserved_bytes(), it's becasue bytes_may_use is increased by file content length. Then compress path can update bytes_may_use correctly. Also now we can discard RESERVE_ALLOC_NO_ACCOUNT, RESERVE_ALLOC and RESERVE_FREE. As we know, usually EXTENT_DO_ACCOUNTING is used for error path. In run_delalloc_nocow(), for inode marked as NODATACOW or extent marked as PREALLOC, we also need to update bytes_may_use, but can not pass EXTENT_DO_ACCOUNTING, because it also clears metadata reservation, so here we introduce EXTENT_CLEAR_DATA_RESV flag to indicate btrfs_clear_bit_hook() to update btrfs_space_info's bytes_may_use. Meanwhile __btrfs_prealloc_file_range() will call btrfs_free_reserved_data_space() internally for both sucessful and failed path, btrfs_prealloc_file_range()'s callers does not need to call btrfs_free_reserved_data_space() any more. Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/ctree.h | 2 +- fs/btrfs/extent-tree.c | 56 +++++++++++++++++--------------------------------- fs/btrfs/extent_io.h | 1 + fs/btrfs/file.c | 26 +++++++++++++---------- fs/btrfs/inode-map.c | 3 +-- fs/btrfs/inode.c | 37 ++++++++++++++++++++++++--------- fs/btrfs/relocation.c | 11 ++++++++-- 7 files changed, 73 insertions(+), 63 deletions(-) commit 4824f1f412f75e9f84b9cecbde828e8f4699f82d Author: Wang Xiaoguang Date: Mon Jul 25 15:51:39 2016 +0800 btrfs: divide btrfs_update_reserved_bytes() into two functions This patch divides btrfs_update_reserved_bytes() into btrfs_add_reserved_bytes() and btrfs_free_reserved_bytes(), and next patch will extend btrfs_add_reserved_bytes()to fix some false ENOSPC error, please see later patch for detailed info. Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 97 +++++++++++++++++++++++++++++--------------------- 1 file changed, 57 insertions(+), 40 deletions(-) commit dcb40c196fc85c6dfb28456480e5a882e26f567d Author: Wang Xiaoguang Date: Mon Jul 25 15:51:38 2016 +0800 btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster() In prealloc_file_extent_cluster(), btrfs_check_data_free_space() uses wrong file offset for reloc_inode, it uses cluster->start and cluster->end, which indeed are extent's bytenr. The correct value should be cluster->[start|end] minus block group's start bytenr. start bytenr cluster->start | | extent | extent | ...| extent | |----------------------------------------------------------------| | block group reloc_inode | Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/relocation.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit df2c95f33e0a28b22509e4ee85365eedf32a1056 Author: Qu Wenruo Date: Mon Aug 15 10:36:52 2016 +0800 btrfs: qgroup: Fix qgroup incorrectness caused by log replay When doing log replay at mount time(after power loss), qgroup will leak numbers of replayed data extents. The cause is almost the same of balance. So fix it by manually informing qgroup for owner changed extents. The bug can be detected by btrfs/119 test case. Cc: Mark Fasheh Signed-off-by: Qu Wenruo Reviewed-and-Tested-by: Goldwyn Rodrigues Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/tree-log.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) commit 62b99540a1d91e46422f0e04de50fc723812c421 Author: Qu Wenruo Date: Mon Aug 15 10:36:51 2016 +0800 btrfs: relocation: Fix leaking qgroups numbers on data extents This patch fixes a REGRESSION introduced in 4.2, caused by the big quota rework. When balancing data extents, qgroup will leak all its numbers for relocated data extents. The relocation is done in the following steps for data extents: 1) Create data reloc tree and inode 2) Copy all data extents to data reloc tree And commit transaction 3) Create tree reloc tree(special snapshot) for any related subvolumes 4) Replace file extent in tree reloc tree with new extents in data reloc tree And commit transaction 5) Merge tree reloc tree with original fs, by swapping tree blocks For 1)~4), since tree reloc tree and data reloc tree doesn't count to qgroup, everything is OK. But for 5), the swapping of tree blocks will only info qgroup to track metadata extents. If metadata extents contain file extents, qgroup number for file extents will get lost, leading to corrupted qgroup accounting. The fix is, before commit transaction of step 5), manually info qgroup to track all file extents in data reloc tree. Since at commit transaction time, the tree swapping is done, and qgroup will account these data extents correctly. Cc: Mark Fasheh Reported-by: Mark Fasheh Reported-by: Filipe Manana Signed-off-by: Qu Wenruo Tested-by: Goldwyn Rodrigues Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/relocation.c | 109 +++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 103 insertions(+), 6 deletions(-) commit cb93b52cc005ba0e470845b519c662e661d5113c Author: Qu Wenruo Date: Mon Aug 15 10:36:50 2016 +0800 btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent() Refactor btrfs_qgroup_insert_dirty_extent() function, to two functions: 1. btrfs_qgroup_insert_dirty_extent_nolock() Almost the same with original code. For delayed_ref usage, which has delayed refs locked. Change the return value type to int, since caller never needs the pointer, but only needs to know if they need to free the allocated memory. 2. btrfs_qgroup_insert_dirty_extent() The more encapsulated version. Will do the delayed_refs lock, memory allocation, quota enabled check and other things. The original design is to keep exported functions to minimal, but since more btrfs hacks exposed, like replacing path in balance, we need to record dirty extents manually, so we have to add such functions. Also, add comment for both functions, to info developers how to keep qgroup correct when doing hacks. Cc: Mark Fasheh Signed-off-by: Qu Wenruo Reviewed-and-Tested-by: Goldwyn Rodrigues Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/delayed-ref.c | 7 ++----- fs/btrfs/extent-tree.c | 37 +++++-------------------------------- fs/btrfs/qgroup.c | 41 +++++++++++++++++++++++++++++++++++------ fs/btrfs/qgroup.h | 33 +++++++++++++++++++++++++++++---- 4 files changed, 71 insertions(+), 47 deletions(-) commit d06f23d6a947c9abae41dc46be69a56baf36f436 Author: Jeff Mahoney Date: Mon Aug 8 22:08:06 2016 -0400 btrfs: waiting on qgroup rescan should not always be interruptible We wait on qgroup rescan completion in three places: file system shutdown, the quota disable ioctl, and the rescan wait ioctl. If the user sends a signal while we're waiting, we continue happily along. This is expected behavior for the rescan wait ioctl. It's racy in the shutdown path but mostly works due to other unrelated synchronization points. In the quota disable path, it Oopses the kernel pretty much immediately. Cc: # v4.4+ Signed-off-by: Jeff Mahoney Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/disk-io.c | 2 +- fs/btrfs/ioctl.c | 2 +- fs/btrfs/qgroup.c | 12 +++++++++--- fs/btrfs/qgroup.h | 3 ++- 4 files changed, 13 insertions(+), 6 deletions(-) commit d2c609b834d62f1e91f1635a27dca29f7806d3d6 Author: Jeff Mahoney Date: Mon Aug 15 12:10:33 2016 -0400 btrfs: properly track when rescan worker is running The qgroup_flags field is overloaded such that it reflects the on-disk status of qgroups and the runtime state. The BTRFS_QGROUP_STATUS_FLAG_RESCAN flag is used to indicate that a rescan operation is in progress, but if the file system is unmounted while a rescan is running, the rescan operation is paused. If the file system is then mounted read-only, the flag will still be present but the rescan operation will not have been resumed. When we go to umount, btrfs_qgroup_wait_for_completion will see the flag and interpret it to mean that the rescan worker is still running and will wait for a completion that will never come. This patch uses a separate flag to indicate when the worker is running. The locking and state surrounding the qgroup rescan worker needs a lot of attention beyond this patch but this is enough to avoid a hung umount. Cc: # v4.4+ Signed-off-by; Jeff Mahoney Reviewed-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/ctree.h | 1 + fs/btrfs/disk-io.c | 1 + fs/btrfs/qgroup.c | 9 ++++++++- 3 files changed, 10 insertions(+), 1 deletion(-) commit eecba891d38051ebf7f4af6394d188a5fd151a6a Author: Alex Lyakas Date: Sun Dec 6 12:32:31 2015 +0200 btrfs: flush_space: treat return value of do_chunk_alloc properly do_chunk_alloc returns 1 when it succeeds to allocate a new chunk. But flush_space will not convert this to 0, and will also return 1. As a result, reserve_metadata_bytes will think that flush_space failed, and may potentially return this value "1" to the caller (depends how reserve_metadata_bytes was called). The caller will also treat this as an error. For example, btrfs_block_rsv_refill does: int ret = -ENOSPC; ... ret = reserve_metadata_bytes(root, block_rsv, num_bytes, flush); if (!ret) { block_rsv_add_bytes(block_rsv, num_bytes, 0); return 0; } return ret; So it will return -ENOSPC. Signed-off-by: Alex Lyakas Reviewed-by: Josef Bacik Reviewed-by: Liu Bo Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f3bca8028bd934e96257b8bd1143e6474fe98465 Author: Liu Bo Date: Wed Jul 20 17:33:44 2016 -0700 Btrfs: add ASSERT for block group's memory leak This adds several ASSERT()' s to report memory leak of block group cache. Signed-off-by: Liu Bo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 5 +++++ 1 file changed, 5 insertions(+) commit d8422ba334f9df16e071bc77707e55fd7f8446ae Author: Qu Wenruo Date: Wed Jul 20 15:04:18 2016 +0800 btrfs: backref: Fix soft lockup in __merge_refs function When over 1000 file extents refers to one extent, find_parent_nodes() will be obviously slow, due to the O(n^2)~O(n^3) loops inside __merge_refs(). The following ftrace shows the cubic growth of execution time: 256 refs 5) + 91.768 us | __add_keyed_refs.isra.12 [btrfs](); 5) 1.447 us | __add_missing_keys.isra.13 [btrfs](); 5) ! 114.544 us | __merge_refs [btrfs](); 5) ! 136.399 us | __merge_refs [btrfs](); 512 refs 6) ! 279.859 us | __add_keyed_refs.isra.12 [btrfs](); 6) 3.164 us | __add_missing_keys.isra.13 [btrfs](); 6) ! 442.498 us | __merge_refs [btrfs](); 6) # 2091.073 us | __merge_refs [btrfs](); and 1024 refs 7) ! 368.683 us | __add_keyed_refs.isra.12 [btrfs](); 7) 4.810 us | __add_missing_keys.isra.13 [btrfs](); 7) # 2043.428 us | __merge_refs [btrfs](); 7) * 18964.23 us | __merge_refs [btrfs](); And sort them into the following char: (Unit: us) ------------------------------------------------------------------------ Trace function | 256 ref | 512 refs | 1024 refs | ------------------------------------------------------------------------ __add_keyed_refs | 91 | 249 | 368 | __add_missing_keys | 1 | 3 | 4 | __merge_refs 1st call | 114 | 442 | 2043 | __merge_refs 2nd call | 136 | 2091 | 18964 | ------------------------------------------------------------------------ We can see the that __add_keyed_refs() grows almost in linear behavior. And __add_missing_keys() in this case doesn't change much or takes much time. While for the 1st __merge_refs() it's square growth for the 2nd __merge_refs() call it's cubic growth. It's no doubt that merge_refs() will take a long long time to execute if the number of refs continues its grows. So add a cond_resced() into the loop of __merge_refs(). Although this will solve the problem of soft lockup, we need to use the new rb_tree based structure introduced by Lu Fengqi to really solve the long execution time. Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/backref.c | 1 + 1 file changed, 1 insertion(+) commit 1c1ea4f781db9f754842b9c31d1eff400d17cddc Author: Liu Bo Date: Tue Jul 19 15:36:05 2016 -0700 Btrfs: fix memory leak of reloc_root When some critical errors occur and FS would be flipped into RO, if we have an on-going balance, we can end up with a memory leak of root->reloc_root since btrfs_drop_snapshots() bails out without freeing reloc_root at the very early start. However, we're not able to free reloc_root in btrfs_drop_snapshots() because its caller, merge_reloc_roots(), still needs to access it to cleanup reloc_root's rbtree. This makes us free reloc_root when we're going to free fs/file roots. Signed-off-by: Liu Bo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/disk-io.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 89e1f6d2b956649fbe0704d543a90b8e0cf872b0 Author: Liping Zhang Date: Mon Aug 22 01:02:18 2016 +0800 netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT After I add the nft rule "nft add rule filter prerouting reject with tcp reset", kernel panic happened on my system: NULL pointer dereference at ... IP: [] nf_send_reset+0xaf/0x400 Call Trace: [] ? nf_reject_ip_tcphdr_get+0x160/0x160 [] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4] [] nft_do_chain+0x1fa/0x890 [nf_tables] [] ? __nft_trace_packet+0x170/0x170 [nf_tables] [] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack] [] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat] [...] Because in the PREROUTING chain, routing information is not exist, then we will dereference the NULL pointer and oops happen. So we restrict reject expression to INPUT, FORWARD and OUTPUT chain. This is consistent with iptables REJECT target. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nft_reject.h | 4 ++++ net/ipv4/netfilter/nft_reject_ipv4.c | 1 + net/ipv6/netfilter/nft_reject_ipv6.c | 1 + net/netfilter/nft_reject.c | 16 ++++++++++++++++ net/netfilter/nft_reject_inet.c | 7 ++++++- 5 files changed, 28 insertions(+), 1 deletion(-) commit fd363bd417ddb6103564c69cfcbd92d9a7877431 Author: Mark Rutland Date: Wed Aug 24 18:02:08 2016 +0100 arm64: avoid TLB conflict with CONFIG_RANDOMIZE_BASE When CONFIG_RANDOMIZE_BASE is selected, we modify the page tables to remap the kernel at a newly-chosen VA range. We do this with the MMU disabled, but do not invalidate TLBs prior to re-enabling the MMU with the new tables. Thus the old mappings entries may still live in TLBs, and we risk violating Break-Before-Make requirements, leading to TLB conflicts and/or other issues. We invalidate TLBs when we uninsall the idmap in early setup code, but prior to this we are subject to issues relating to the Break-Before-Make violation. Avoid these issues by invalidating the TLBs before the new mappings can be used by the hardware. Fixes: f80fb3a3d508 ("arm64: add support for kernel ASLR") Cc: # 4.6+ Acked-by: Ard Biesheuvel Acked-by: Will Deacon Signed-off-by: Mark Rutland Signed-off-by: Catalin Marinas arch/arm64/kernel/head.S | 3 +++ 1 file changed, 3 insertions(+) commit 61c04572de404e52a655a36752e696bbcb483cf5 Merge: 4935e04 829bc78 Author: Linus Torvalds Date: Thu Aug 25 05:49:38 2016 -0400 Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux Pull thermal fixes from Zhang Rui: - Fix cpu_cooling to have separate thermal_cooling_device_ops structures for cpus with and without power model, to avoid NULL dereference in cpufreq_state2power. From Brendan Jackman. - Fix a possible NULL dereference in imx_thermal driver. From Corentin LABBE. - Another two trivial fixes, one typo fix and one deleting module owner. From Caesar Wang and Markus Elfring. * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux: thermal: imx: fix a possible NULL dereference thermal: trivial: fix the typo Thermal-INT3406: Delete owner assignment thermal: cpu_cooling: Fix NULL dereference in cpufreq_state2power commit 6f8245b4e37c2072d3daea24e19dbc0162ffd22c Author: Felipe Balbi Date: Wed Aug 24 14:40:13 2016 +0300 usb: dwc3: gadget: always decrement by 1 We need to decrement in both cases (enq > deq and enq < deq) Signed-off-by: Felipe Balbi drivers/usb/dwc3/gadget.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) commit 696fe69d7e631f00f23b0ef1694d9b90058dca54 Author: Felipe Balbi Date: Wed Aug 24 14:32:39 2016 +0300 usb: dwc3: debug: fix ep name on trace output There was a typo when generating endpoint name which would be very confusing when debugging. Fix it. Signed-off-by: Felipe Balbi drivers/usb/dwc3/debug.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 23fd537c9508fb6e3b93ddf23982f51afc087781 Author: Felipe Balbi Date: Wed Aug 24 14:33:27 2016 +0300 usb: gadget: udc: core: don't starve DMA resources Always unmap all SG entries as required by DMA API Fixes: a698908d3b3b ("usb: gadget: add generic map/unmap request utilities") Cc: # v3.4+ Signed-off-by: Felipe Balbi drivers/usb/gadget/udc/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 179ca3bb2ce5cbae570ceec03993743cf438ab38 Merge: 30bffd1 611a150 Author: Dave Airlie Date: Thu Aug 25 12:50:30 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes radeon and amdgpu fixes for 4.8. Nothing major: - fix a performance regression due to the LRU changes in 4.7 - 32 bit fixes - fix a PLL regression - misc bug fixes * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/amdgpu: skip TV/CV in display parsing drm/amdgpu: avoid a possible array overflow drm/amdgpu: fix lru size grouping v2 drm/amdgpu: fix timeout value check in amd_sched_job_recovery drm/amdgpu: fix sdma_v2_4_ring_test_ib drm/amdgpu: fix amdgpu_move_blit on 32bit systems drm/radeon: fix radeon_move_blit on 32bit systems drm/radeon: only apply the SS fractional workaround to RS[78]80 commit 30bffd1b44fcf6e0e1720b62c4c2011c5af5e884 Merge: 6f00975 87904c3 Author: Dave Airlie Date: Thu Aug 25 12:49:22 2016 +1000 Merge tag 'drm/tegra/for-4.8-rc4' of git://anongit.freedesktop.org/tegra/linux into drm-fixes drm/tegra: Fixes for v4.8-rc4 This contains one fix for DSI runtime power management support that was introduced in v4.8-rc1. This is slightly more elaborate than I would've wished, but there are a few corner cases that needed fixing. * tag 'drm/tegra/for-4.8-rc4' of git://anongit.freedesktop.org/tegra/linux: drm/tegra: dsi: Enhance runtime power management commit 16590a228109e2f318d2cc6466221134cfab723a Author: Chuck Lever Date: Mon Aug 22 14:57:42 2016 -0400 SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use Using NFSv4.1 on RDMA should be safe, so broaden the new checks in rpc_create(). WARN_ON_ONCE is used, matching most other WARN call sites in clnt.c. Fixes: 39a9beab5acb ("rpc: share one xps between all backchannels") Fixes: d50039ea5ee6 ("nfsd4/rpc: move backchannel create logic...") Signed-off-by: Chuck Lever Reviewed-by: J. Bruce Fields Signed-off-by: Trond Myklebust net/sunrpc/clnt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 9c5a559d9495bba6e5b6c5ee4e8e2f2b71088684 Author: Heinz Mauelshagen Date: Tue Aug 23 21:17:48 2016 +0200 dm log: fix unitialized bio operation flags Commit e6047149db ("dm: use bio op accessors") switched DM over to using bio_set_op_attrs() but didn't take care to initialize lc->io_req.bi_op_flags in dm-log.c:rw_header(). This caused rw_header()'s call to dm_io() to make bio->bi_op_flags be uninitialized in dm-io.c:do_region(), which ultimately resulted in a SCSI BUG() in sd_init_command(). Also, adjust rw_header() and its callers to use REQ_OP_{READ|WRITE}. Fixes: e6047149db ("dm: use bio op accessors") Signed-off-by: Heinz Mauelshagen Reviewed-by: Shaun Tancheff Signed-off-by: Mike Snitzer drivers/md/dm-log.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) commit 299f6230bc6d0ccd5f95bb0fb865d80a9c7d5ccc Author: Mike Snitzer Date: Wed Aug 24 21:12:58 2016 -0400 dm flakey: fix reads to be issued if drop_writes configured v4.8-rc3 commit 99f3c90d0d ("dm flakey: error READ bios during the down_interval") overlooked the 'drop_writes' feature, which is meant to allow reads to be issued rather than errored, during the down_interval. Fixes: 99f3c90d0d ("dm flakey: error READ bios during the down_interval") Reported-by: Qu Wenruo Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-flakey.c | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) commit a45f9d41c9dd2c28e38b9b88f69c39bc63807de9 Author: Xing Zheng Date: Wed Aug 24 11:29:39 2016 -0700 clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399 We don't have code to handle any of the noc clocks in rk3399 and they're all just listed as critical clocks. Let's do the same for aclk_emmc_noc. Without this clock being marked as critical we have problems around suspend/resume after commit 20c389e656a8 ("clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399"). Before that change we were presumably not actually gating any of these clocks because we were setting the wrong gate. Fixes: 20c389e656a8 ("clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399") Signed-off-by: Xing Zheng Signed-off-by: Douglas Anderson Signed-off-by: Heiko Stuebner drivers/clk/rockchip/clk-rk3399.c | 1 + 1 file changed, 1 insertion(+) commit 0e87e58bf60edb6bb28e493c7a143f41b091a5e5 Author: Jens Axboe Date: Wed Aug 24 15:38:01 2016 -0600 blk-mq: improve warning for running a queue on the wrong CPU __blk_mq_run_hw_queue() currently warns if we are running the queue on a CPU that isn't set in its mask. However, this can happen if a CPU is being offlined, and the workqueue handling will place the work on CPU0 instead. Improve the warning so that it only triggers if the batch cpu in the hardware queue is currently online. If it triggers for that case, then it's indicative of a flow problem in blk-mq, so we want to retain it for that case. Signed-off-by: Jens Axboe block/blk-mq.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit e57690fe009b2ab0cee8a57f53be634540e49c9d Author: Jens Axboe Date: Wed Aug 24 15:34:35 2016 -0600 blk-mq: don't overwrite rq->mq_ctx We do this in a few places, if the CPU is offline. This isn't allowed, though, since on multi queue hardware, we can't just move a request from one software queue to another, if they map to different hardware queues. The request and tag isn't valid on another hardware queue. This can happen if plugging races with CPU offlining. But it does no harm, since it can only happen in the window where we are currently busy freezing the queue and flushing IO, in preparation for redoing the software <-> hardware queue mappings. Signed-off-by: Jens Axboe block/blk-mq.c | 55 ++++++++++++++++--------------------------------------- 1 file changed, 16 insertions(+), 39 deletions(-) commit 716b076ba4b273f5f85c97448c5110c6d21e73e6 Author: Doug Ledford Date: Wed Aug 24 12:14:19 2016 -0400 IB/srpt: Update sport->port_guid with each port refresh If port_guid is set with the default subnet_prefix, then we get a change event and run a port refresh, we don't update the port_guid. As a result, attempts to create a target device that uses the new subnet_prefix in the wwn will fail to find a match and be rejected by the ib_srpt driver. This makes it impossible to configure a port if it was initialized with a default subnet_prefix and later changed to any non-default subnet-prefix. Updating the port refresh task to always update the wwn based upon the current subnext_prefix solves this problem. Cc: Bart Van Assche Cc: nab@linux-iscsi.org Signed-off-by: Doug Ledford drivers/infiniband/ulp/srpt/ib_srpt.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 4935e04ef431c7980ba6e8145ad4c697abccf6b9 Merge: 94ef71a dad2232 Author: Linus Torvalds Date: Wed Aug 24 16:04:59 2016 -0400 Merge branch 'for-linus-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml Pull UML fix from Richard Weinberger: "This contains a fix for a build regression introduced during the merge window" * 'for-linus-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: um: Don't discard .text.exit section commit 94ef71a99a60cb03eda550410bc0b4db77ea50cf Merge: fe2dd21 17ce1eb Author: Linus Torvalds Date: Wed Aug 24 15:54:41 2016 -0400 Merge tag 'upstream-4.8-rc4' of git://git.infradead.org/linux-ubifs Pull UBIFS fixes from Richard Weinberger: "This pull requests contains fixes for two issues in UBI and UBIFS: - wrong UBIFS assertion. - a UBIFS xattr regression" * tag 'upstream-4.8-rc4' of git://git.infradead.org/linux-ubifs: ubifs: Fix xattr generic handler usage ubifs: Fix assertion in layout_in_gaps() commit cfb89f2e7505c6823020a18bbdc5410284305234 Merge: e8f0f8a 209c721 06746c6 a871967 1bc610e 1f85e11 fa54aad Author: Mark Brown Date: Wed Aug 24 19:05:25 2016 +0100 Merge remote-tracking branches 'asoc/fix/max98371', 'asoc/fix/nau8825', 'asoc/fix/omap', 'asoc/fix/samsung', 'asoc/fix/simple' and 'asoc/fix/wm2000' into asoc-linus commit e8f0f8aa4eb356bd729f15be8827db2558ea1ae6 Merge: d520519 3e103a6 b0f12c6 5d76491 d1e8142 Author: Mark Brown Date: Wed Aug 24 19:05:22 2016 +0100 Merge remote-tracking branches 'asoc/fix/atmel', 'asoc/fix/compress', 'asoc/fix/da7213' and 'asoc/fix/debugfs' into asoc-linus commit d520519518de1423c1a7b7df1a008e58e33de9f8 Merge: a74306f 93ca33c Author: Mark Brown Date: Wed Aug 24 19:05:21 2016 +0100 Merge remote-tracking branch 'asoc/fix/rcar' into asoc-linus commit a74306fe94c82429fd0ec9f4316de90b405012d2 Merge: b5db6c5 979cf59 Author: Mark Brown Date: Wed Aug 24 19:05:20 2016 +0100 Merge remote-tracking branch 'asoc/fix/intel' into asoc-linus commit b5db6c57c9fb7068cf50e82c27886cc00b9cd78e Merge: ae16842 8053f21 Author: Mark Brown Date: Wed Aug 24 19:05:18 2016 +0100 Merge remote-tracking branch 'asoc/fix/dapm' into asoc-linus commit ae16842306be347fa44ec6cc642d7f6ac8b7b889 Merge: fa8410b 70fcad4 Author: Mark Brown Date: Wed Aug 24 19:05:17 2016 +0100 Merge remote-tracking branch 'asoc/fix/core' into asoc-linus commit 611a1507fe8569ce1adab3abc982ea58ab559fb9 Author: Alex Deucher Date: Wed Aug 24 13:04:15 2016 -0400 drm/amdgpu: skip TV/CV in display parsing No asics supported by amdgpu support analog TV. Workaround for bug: https://bugs.freedesktop.org/show_bug.cgi?id=97460 Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 7 +++++++ 1 file changed, 7 insertions(+) commit fe2dd212828d5c8ebe2f650f5089c705afc78ce5 Merge: cad9d20 55467de Author: Linus Torvalds Date: Wed Aug 24 14:04:30 2016 -0400 Merge tag 'for-linus-4.8b-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen regression fix from David Vrabel: "Fix a regression in the xenbus device preventing userspace tools from working" * tag 'for-linus-4.8b-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen: change the type of xen_vcpu_id to uint32_t xenbus: don't look up transaction IDs for ordinary writes commit e1718d97aa88ea44a6a8f50ff464253dd0dacf01 Author: Alex Deucher Date: Wed Aug 24 12:31:36 2016 -0400 drm/amdgpu: avoid a possible array overflow When looking up the connector type make sure the index is valid. Avoids a later crash if we read past the end of the array. Workaround for bug: https://bugs.freedesktop.org/show_bug.cgi?id=97460 Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 6 ++++++ 1 file changed, 6 insertions(+) commit af7c388a9c2e5fdd36da6eaaa35fb86fb8aefd0b Author: Vince Hsu Date: Wed Aug 24 15:56:56 2016 +0200 clk: tegra: remove TEGRA_PLL_USE_LOCK for PLLD/PLLD2 Tegra114 has a HW bug that the PLLD/PLLD2 lock bit cannot be asserted when the DIS power domain is during up-powergating process but the clamp to this domain is not removed yet. That causes a timeout and aborts the power sequence, although the PLLD/PLLD2 has already locked. To remove the false alarm, we don't use the lock for PLLD/PLLD2. Just wait 1ms and treat the clocks as locked. Signed-off-by: Vince Hsu Tested-by: Jonathan Hunter Signed-off-by: Thierry Reding Signed-off-by: Stephen Boyd drivers/clk/tegra/clk-tegra114.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 45c91d808ff989d950e260dab9f89e8f4a3c9c2c Author: Shaohua Li Date: Mon Aug 22 21:14:02 2016 -0700 raid5: avoid unnecessary bio data set bio_reset doesn't change bi_io_vec and bi_max_vecs, so we don't need to set them every time. bi_private will be set before the bio is dispatched. Signed-off-by: Shaohua Li drivers/md/raid5.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) commit 5f9d1fde7d54a5d5fd8cccbee9c9c31474fcdcf2 Author: Shaohua Li Date: Mon Aug 22 21:14:01 2016 -0700 raid5: fix memory leak of bio integrity data Yi reported a memory leak of raid5 with DIF/DIX enabled disks. raid5 doesn't alloc/free bio, instead it reuses bios. There are two issues in current code: 1. the code calls bio_init (from init_stripe->raid5_build_block->bio_init) then bio_reset (ops_run_io). The bio is reused, so likely there is integrity data attached. bio_init will clear a pointer to integrity data and makes bio_reset can't release the data 2. bio_reset is called before dispatching bio. After bio is finished, it's possible we don't free bio's integrity data (eg, we don't call bio_reset again) Both issues will cause memory leak. The patch moves bio_init to stripe creation and bio_reset to bio end io. This will fix the two issues. Reported-by: Yi Zhang Signed-off-by: Shaohua Li drivers/md/raid5.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) commit 27028626b4b9022dcac23688e09ea43b36e1183c Author: Tomasz Majchrzak Date: Tue Aug 23 10:53:57 2016 +0200 raid10: record correct address of bad block For failed write request record block address on a device, not block address in an array. Signed-off-by: Tomasz Majchrzak Signed-off-by: Shaohua Li drivers/md/raid10.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 0f6187dbe542d71ace8ba0908954b0f4f8a30a1e Author: Wei Yongjun Date: Sun Aug 21 14:42:25 2016 +0000 md-cluster: fix error return code in join() Fix to return error code -ENOMEM from the lockres_init() error handling case instead of 0, as done elsewhere in this function. Signed-off-by: Wei Yongjun Signed-off-by: Shaohua Li drivers/md/md-cluster.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit 486b0f7bcd64be027535811ef44195bc1027fbd3 Author: Song Liu Date: Fri Aug 19 15:34:01 2016 -0700 r5cache: set MD_JOURNAL_CLEAN correctly Currently, the code sets MD_JOURNAL_CLEAN when the array has MD_FEATURE_JOURNAL and the recovery_cp is MaxSector. The array will be MD_JOURNAL_CLEAN even if the journal device is missing. With this patch, the MD_JOURNAL_CLEAN is only set when the journal device presents. Signed-off-by: Song Liu Signed-off-by: Shaohua Li drivers/md/md.c | 5 +---- drivers/md/raid5.c | 13 ++++++++----- 2 files changed, 9 insertions(+), 9 deletions(-) commit 55467dea2967259f21f4f854fc99d39cc5fea60e Author: Vitaly Kuznetsov Date: Fri Jul 29 11:06:48 2016 +0200 xen: change the type of xen_vcpu_id to uint32_t We pass xen_vcpu_id mapping information to hypercalls which require uint32_t type so it would be cleaner to have it as uint32_t. The initializer to -1 can be dropped as we always do the mapping before using it and we never check the 'not set' value anyway. Signed-off-by: Vitaly Kuznetsov Signed-off-by: David Vrabel arch/arm/xen/enlighten.c | 2 +- arch/x86/xen/enlighten.c | 2 +- include/xen/xen-ops.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) commit 9a035a40f7f3f6708b79224b86c5777a3334f7ea Author: Jan Beulich Date: Mon Aug 15 09:02:38 2016 -0600 xenbus: don't look up transaction IDs for ordinary writes This should really only be done for XS_TRANSACTION_END messages, or else at least some of the xenstore-* tools don't work anymore. Fixes: 0beef634b8 ("xenbus: don't BUG() on user mode induced condition") Reported-by: Richard Schütz Cc: Signed-off-by: Jan Beulich Tested-by: Richard Schütz Signed-off-by: David Vrabel drivers/xen/xenbus/xenbus_dev_frontend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 51af96b53469f3b8cfcfe0504d0ff87239175b78 Author: Yotam Gigi Date: Wed Aug 24 11:18:52 2016 +0200 mlxsw: router: Enable neighbors to be created on stacked devices Make the function mlxsw_router_neigh_construct search the rif according to the neighbour dev other than the dev that was passed to the ndo, thus allowing creating neigbhours upon stacked devices. Fixes: 6cf3c971dc84 ("mlxsw: spectrum_router: Add private neigh table") Signed-off-by: Yotam Gigi Reviewed-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f888f58795b640442165e60a6fa93e8e623d01a5 Author: Ido Schimmel Date: Wed Aug 24 11:18:51 2016 +0200 mlxsw: spectrum: Add missing flood to router port In case we have a layer 3 interface on top of a bridge (VLAN / FID RIF), then we should flood the following packet types to the router: * Broadcast: If DIP is the broadcast address of the interface, then we need to be able to get it to CPU by trapping it following route lookup. * Reserved IP multicast (224.0.0.X): Some control packets (e.g. OSPF) use this range and are trapped in the router block. Fixes: 99f44bb3527b ("mlxsw: spectrum: Enable L3 interfaces on top of bridge devices") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/port.h | 1 + drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 43 +++++++++++++++++++++++++- 2 files changed, 43 insertions(+), 1 deletion(-) commit 8fba54aebbdf1f999738121922e74bf796ad60ee Author: Miklos Szeredi Date: Wed Aug 24 18:17:04 2016 +0200 fuse: direct-io: don't dirty ITER_BVEC pages When reading from a loop device backed by a fuse file it deadlocks on lock_page(). This is because the page is already locked by the read() operation done on the loop device. In this case we don't want to either lock the page or dirty it. So do what fs/direct-io.c does: only dirty the page for ITER_IOVEC vectors. Reported-by: Sheng Yang Fixes: aa4d86163e4e ("block: loop: switch to VFS ITER_BVEC") Signed-off-by: Miklos Szeredi Cc: # v4.1+ Reviewed-by: Sheng Yang Reviewed-by: Ashish Samant Tested-by: Sheng Yang Tested-by: Ashish Samant fs/fuse/file.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 3c199b4523c92dc5df027eeeffa657e2ccf453ab Author: Selvin Xavier Date: Wed Aug 24 01:17:41 2016 -0400 RDMA/ocrdma: Fix the max_sge reported from FW Current driver is reporting wrong values for max_sge and max_sge_rd in query_device. This breaks the nfs rdma and iser in some device profiles. Fixing the driver to report correct values from FW. Signed-off-by: Selvin Xavier Signed-off-by: Devesh Sharma Signed-off-by: Doug Ledford drivers/infiniband/hw/ocrdma/ocrdma_hw.c | 14 +++++++------- drivers/infiniband/hw/ocrdma/ocrdma_sli.h | 12 ++++++++---- drivers/infiniband/hw/ocrdma/ocrdma_verbs.c | 4 ++-- 3 files changed, 17 insertions(+), 13 deletions(-) commit 433c58139f6a7d59824aadd23d6c9cac1d4e6100 Author: Mustafa Ismail Date: Tue Aug 23 17:24:56 2016 -0500 i40iw: Avoid writing to freed memory iwpbl->iwmr points to the structure that contains iwpbl, which is iwmr. Setting this to NULL would result in writing to freed memory. So just free iwmr, and return. Fixes: d37498417947 ("i40iw: add files for iwarp interface") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_verbs.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit d41d0910d97f05be987d2d60de7e8685c108963b Author: Mustafa Ismail Date: Tue Aug 23 16:50:13 2016 -0500 i40iw: Fix double free of allocated_buffer Memory allocated for iwqp; iwqp->allocated_buffer is freed twice in the create_qp error path. Correct this by having it freed only once in i40iw_free_qp_resources(). Fixes: d37498417947 ("i40iw: add files for iwarp interface") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_verbs.c | 1 - 1 file changed, 1 deletion(-) commit 82d200cc6fc817dbf049b67e5e3215eab427e846 Author: Chris Wilson Date: Tue Aug 23 21:16:26 2016 +0100 IB/mlx5: Remove superfluous include of io-mapping.h This file does not use any structs or functions defined by io-mapping.h (nor does it directly use iomap, ioremap, iounamp or friends). Remove it to simplify verification of changes to io-mapping.h The include existed since its inception in commit e126ba97dba9edeb6fafa3665b5f8497fc9cdf8c Author: Eli Cohen Date: Sun Jul 7 17:25:49 2013 +0300 mlx5: Add driver for Mellanox Connect-IB adapters which looks like a copy across from the Mellanox ethernet driver. Signed-off-by: Chris Wilson Cc: Eli Cohen Cc: Jack Morgenstein Cc: Or Gerlitz Cc: Matan Barak Cc: Leon Romanovsky Cc: Doug Ledford Cc: Sean Hefty Cc: Hal Rosenstock Cc: linux-rdma@vger.kernel.org Reviewed-by: Leon Romanovsky Reviewed-by: Laurence Oberman Tested-by: Laurence Oberman Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 1 - 1 file changed, 1 deletion(-) commit 7eaf8313b1cfe93417a22bdc3f7380cac2a3dc6d Author: Mustafa Ismail Date: Mon Aug 22 19:01:47 2016 -0500 i40iw: Do not set self-referencing pointer to NULL after kfree In i40iw_free_virt_mem(), do not set mem->va to NULL after freeing it as mem->va is a self-referencing pointer to mem. Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_utils.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 5dfd5e5e3bc68ab3912acc712c8180942094fc69 Author: Shiraz Saleem Date: Mon Aug 22 18:16:37 2016 -0500 i40iw: Add missing NULL check for MPA private data Add NULL check for pdata and pdata->addr before the memcpy in i40iw_form_cm_frame(). This fixes a NULL pointer de-reference which occurs when the MPA private data pointer is NULL. Also only copy pdata->size bytes in the memcpy to prevent reading past the length of the private data buffer provided by upper layer. Fixes: f27b4746f378 ("i40iw: add connection management code") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_cm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit dbb50887c8f619fc5c3489783ebc3122bc134a31 Author: Daniel Borkmann Date: Wed Jul 27 11:40:14 2016 -0700 Bluetooth: split sk_filter in l2cap_sock_recv_cb During an audit for sk_filter(), we found that rx_busy_skb handling in l2cap_sock_recv_cb() and l2cap_sock_recvmsg() looks not quite as intended. The assumption from commit e328140fdacb ("Bluetooth: Use event-driven approach for handling ERTM receive buffer") is that errors returned from sock_queue_rcv_skb() are due to receive buffer shortage. However, nothing should prevent doing a setsockopt() with SO_ATTACH_FILTER on the socket, that could drop some of the incoming skbs when handled in sock_queue_rcv_skb(). In that case sock_queue_rcv_skb() will return with -EPERM, propagated from sk_filter() and if in L2CAP_MODE_ERTM mode, wrong assumption was that we failed due to receive buffer being full. From that point onwards, due to the to-be-dropped skb being held in rx_busy_skb, we cannot make any forward progress as rx_busy_skb is never cleared from l2cap_sock_recvmsg(), due to the filter drop verdict over and over coming from sk_filter(). Meanwhile, in l2cap_sock_recv_cb() all new incoming skbs are being dropped due to rx_busy_skb being occupied. Instead, just use __sock_queue_rcv_skb() where an error really tells that there's a receive buffer issue. Split the sk_filter() and enable it for non-segmented modes at queuing time since at this point in time the skb has already been through the ERTM state machine and it has been acked, so dropping is not allowed. Instead, for ERTM and streaming mode, call sk_filter() in l2cap_data_rcv() so the packet can be dropped before the state machine sees it. Fixes: e328140fdacb ("Bluetooth: Use event-driven approach for handling ERTM receive buffer") Signed-off-by: Daniel Borkmann Signed-off-by: Mat Martineau Acked-by: Willem de Bruijn Signed-off-by: Marcel Holtmann net/bluetooth/l2cap_core.c | 8 ++++++++ net/bluetooth/l2cap_sock.c | 14 ++++++++++++-- 2 files changed, 20 insertions(+), 2 deletions(-) commit 9afee94939e3eda4c8bf239f7727cb56e158c976 Author: Frederic Dalleau Date: Tue Aug 23 07:59:19 2016 +0200 Bluetooth: Fix memory leak at end of hci requests In hci_req_sync_complete the event skb is referenced in hdev->req_skb. It is used (via hci_req_run_skb) from either __hci_cmd_sync_ev which will pass the skb to the caller, or __hci_req_sync which leaks. unreferenced object 0xffff880005339a00 (size 256): comm "kworker/u3:1", pid 1011, jiffies 4294671976 (age 107.389s) backtrace: [] kmemleak_alloc+0x49/0xa0 [] kmem_cache_alloc+0x128/0x180 [] skb_clone+0x4f/0xa0 [] hci_event_packet+0xc1/0x3290 [] hci_rx_work+0x18b/0x360 [] process_one_work+0x14a/0x440 [] worker_thread+0x43/0x4d0 [] kthread+0xc4/0xe0 [] ret_from_fork+0x1f/0x40 [] 0xffffffffffffffff Signed-off-by: Frédéric Dalleau Signed-off-by: Marcel Holtmann net/bluetooth/hci_request.c | 2 ++ 1 file changed, 2 insertions(+) commit 19d6837a52f1683cf448265952d559a44a7df924 Author: Tiffany Lin Date: Mon Aug 15 00:37:19 2016 -0300 [media] vcodec:mediatek: Refine VP8 encoder driver This patch remove field and function that unused anymore Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/venc/venc_vp8_if.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) commit 2d683b6dad73b5636297ac4978f73f2c638a0b19 Author: Tiffany Lin Date: Mon Aug 15 00:33:32 2016 -0300 [media] vcodec:mediatek: Refine H264 encoder driver This patch : 1. remove field and function that unused anymore 2. add support V4L2_MPEG_VIDEO_H264_LEVEL_4_2 Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/venc/venc_h264_if.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit 5661538749511d4c2f7d33e1e179f10c545b24d5 Author: Christian König Date: Wed Aug 17 13:44:20 2016 +0200 drm/amdgpu: fix lru size grouping v2 Adding a BO can make it the insertion point for larger sizes as well. v2: add a comment about the guard structure. Signed-off-by: Christian König Reviewed-by: Alex Deucher Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu.h | 2 ++ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 8 ++++++++ 2 files changed, 10 insertions(+) commit 158d6071bc0aad6663109d2fe9249c3cf570d423 Author: Tiffany Lin Date: Mon Aug 15 00:26:02 2016 -0300 [media] vcodec:mediatek: change H264 profile default to profile high This patch change default H264 profile from V4L2_MPEG_VIDEO_H264_PROFILE_MAIN to V4L2_MPEG_VIDEO_H264_PROFILE_HIGH Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 16060f7ef660a11f282909b01fb6096e21cf5389 Author: Tiffany Lin Date: Mon Aug 15 00:15:44 2016 -0300 [media] vcodec:mediatek: Add timestamp and timecode copy for V4L2 Encoder This patch add copying timestamp and timecode from src buffer to dst buffer Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 23 ++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) commit 91ae0e1ec6ec91cd297933886b424f9a4a8acbd4 Author: Tiffany Lin Date: Mon Aug 15 00:08:03 2016 -0300 [media] vcodec:mediatek: Fix visible_height larger than coded_height issue in s_fmt_out The original code add extra 32 line to visible_height. It is incorrect, 32 line should be add to coded_height. The purpose is that user space could calcuate real buffer size needed by using coded_width * coded_height. But this method will make v4l2-compliance test fail, since g_fmt != s_fmt(g_fmt) So remove extend visible_height or coded_height, user space should just use sizeimage to get real buffer size needed Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 10 ---------- 1 file changed, 10 deletions(-) commit ad34f5412d2a04a894b2cd2912538ae2e5d64e76 Author: Tiffany Lin Date: Sun Aug 14 23:47:20 2016 -0300 [media] vcodec:mediatek: Fix fops_vcodec_release flow for V4L2 Encoder This patch fix that mtk_vcodec_venc_release should be called after v4l2_m2m_ctx_release Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 7 ++++++- drivers/media/platform/mtk-vcodec/mtk_vcodec_enc_drv.c | 6 +++++- 2 files changed, 11 insertions(+), 2 deletions(-) commit 0d06108c65e572085b2d1f7c8273f417cad68734 Author: Tiffany Lin Date: Sun Aug 14 23:31:13 2016 -0300 [media] vcodec:mediatek:code refine for v4l2 Encoder driver This patch remove unused header and define from haeder files Signed-off-by: Tiffany Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/mtk-vcodec/mtk_vcodec_drv.h | 1 - drivers/media/platform/mtk-vcodec/mtk_vcodec_intr.h | 1 - 2 files changed, 2 deletions(-) commit 4d70dca4eadf2f95abe389116ac02b8439c2d16c Author: Ming Lei Date: Tue Aug 23 21:49:45 2016 +0800 block: make sure a big bio is split into at most 256 bvecs After arbitrary bio size was introduced, the incoming bio may be very big. We have to split the bio into small bios so that each holds at most BIO_MAX_PAGES bvecs for safety reason, such as bio_clone(). This patch fixes the following kernel crash: > [ 172.660142] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 > [ 172.660229] IP: [] bio_trim+0xf/0x2a > [ 172.660289] PGD 7faf3e067 PUD 7f9279067 PMD 0 > [ 172.660399] Oops: 0000 [#1] SMP > [...] > [ 172.664780] Call Trace: > [ 172.664813] [] ? raid1_make_request+0x2e8/0xad7 [raid1] > [ 172.664846] [] ? blk_queue_split+0x377/0x3d4 > [ 172.664880] [] ? md_make_request+0xf6/0x1e9 [md_mod] > [ 172.664912] [] ? generic_make_request+0xb5/0x155 > [ 172.664947] [] ? prio_io+0x85/0x95 [bcache] > [ 172.664981] [] ? register_cache_set+0x355/0x8d0 [bcache] > [ 172.665016] [] ? register_bcache+0x1006/0x1174 [bcache] The issue can be reproduced by the following steps: - create one raid1 over two virtio-blk - build bcache device over the above raid1 and another cache device and bucket size is set as 2Mbytes - set cache mode as writeback - run random write over ext4 on the bcache device Fixes: 54efd50(block: make generic_make_request handle arbitrarily sized bios) Reported-by: Sebastian Roesner Reported-by: Eric Wheeler Cc: stable@vger.kernel.org (4.3+) Cc: Shaohua Li Acked-by: Kent Overstreet Signed-off-by: Ming Lei Signed-off-by: Jens Axboe block/blk-merge.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) commit 9b47f77a680447e0132b2cf7fb82374e014bec1c Author: Andy Lutomirski Date: Wed Aug 24 03:52:12 2016 -0700 nvme: Fix nvme_get/set_features() with a NULL result pointer nvme_set_features() callers seem to expect that passing NULL as the result pointer is acceptable. Teach nvme_set_features() not to try to write to the NULL address. For symmetry, make the same change to nvme_get_features(), despite the fact that all current callers pass a valid result pointer. I assume that this bug hasn't been reported in practice because the callers that pass NULL are all in the SCSI translation layer and no one uses the relevant operations. Cc: stable@vger.kernel.org Signed-off-by: Andy Lutomirski Reviewed-by: Sagi Grimberg Signed-off-by: Jens Axboe drivers/nvme/host/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 87904c3e82319cf2bad8d656d79c5030dab9490e Author: Thierry Reding Date: Fri Aug 12 16:00:53 2016 +0200 drm/tegra: dsi: Enhance runtime power management The MIPI DSI output on Tegra SoCs requires some external logic to calibrate the MIPI pads before a video signal can be transmitted. This MIPI calibration logic requires to be powered on while the MIPI pads are being used, which is currently done as part of the DSI driver's probe implementation. This is suboptimal because it will leave the MIPI calibration logic powered up even if the DSI output is never used. On Tegra114 and earlier this behaviour also causes the driver to hang while trying to power up the MIPI calibration logic because the power partition that contains the MIPI calibration logic will be powered on by the display controller at output pipeline configuration time. Thus the power up sequence for the MIPI calibration logic happens before it's power partition is guaranteed to be enabled. Fix this by splitting up the API into a request/free pair of functions that manage the runtime dependency between the DSI and the calibration modules (no registers are accessed) and a set of enable, calibrate and disable functions that program the MIPI calibration logic at points in time where the power partition is really enabled. While at it, make sure that the runtime power management also works in ganged mode, which is currently also broken. Reported-by: Jonathan Hunter Tested-by: Jonathan Hunter Signed-off-by: Thierry Reding drivers/gpu/drm/tegra/dsi.c | 43 ++++++++++++++++++++++++++----- drivers/gpu/host1x/mipi.c | 63 ++++++++++++++++++++++----------------------- include/linux/host1x.h | 2 ++ 3 files changed, 69 insertions(+), 39 deletions(-) commit b64abcb7dae6060c67ab0e548da3ef923c49641d Author: mhiramat@kernel.org Date: Mon Aug 15 18:41:12 2016 +0900 brcmfmac: Change vif_event_lock to spinlock Change vif_event_lock to spinlock from mutex, since this lock is used in wait_event_timeout() via vif_event_equals(). This caused a warning report as below. As far as I can see, this lock protects regions where updating structure members, not function calls. Also, since those regions are not called from interrupt handlers (of course, it was a mutex), spin_lock is used instead of spin_lock_irqsave. [ 186.678550] ------------[ cut here ]------------ [ 186.678556] WARNING: CPU: 2 PID: 7140 at /home/mhiramat/ksrc/linux/kernel/sched/core.c:7545 __might_sleep+0x7c/0x80 [ 186.678560] do not call blocking ops when !TASK_RUNNING; state=2 set at [] prepare_to_wait_event+0x60/0x100 [ 186.678560] Modules linked in: brcmfmac xt_CHECKSUM rfcomm ipt_MASQUERADE nf_nat_masquerade_ipv4 xt_addrtype br_netfilter xt_tcpudp ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ebtable_filter ebtables ip6table_raw ip6table_security ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle ip6table_filter ip6_tables iptable_raw iptable_security iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle iptable_filter ip_tables x_tables bnep nls_iso8859_1 i2c_designware_platform i2c_designware_core snd_hda_codec_hdmi snd_hda_codec_realtek dcdbas snd_hda_codec_generic snd_hda_intel snd_hda_codec intel_rapl snd_hda_core x86_pkg_temp_thermal intel_powerclamp coretemp [ 186.678594] snd_pcm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 joydev glue_helper snd_hwdep lrw gf128mul uvcvideo ablk_helper snd_seq_midi cryptd snd_seq_midi_event snd_rawmidi videobuf2_vmalloc videobuf2_memops snd_seq input_leds videobuf2_v4l2 cfg80211 videobuf2_core snd_timer videodev serio_raw btusb snd_seq_device media btrtl rtsx_pci_ms snd mei_me memstick hid_multitouch mei soundcore brcmutil idma64 virt_dma intel_lpss_pci processor_thermal_device intel_soc_dts_iosf hci_uart btbcm btqca btintel bluetooth int3403_thermal dell_smo8800 intel_lpss_acpi intel_lpss int3402_thermal int340x_thermal_zone intel_hid mac_hid int3400_thermal shpchp sparse_keymap acpi_pad acpi_thermal_rel acpi_als kfifo_buf industrialio kvm_intel kvm irqbypass parport_pc ppdev lp parport autofs4 btrfs xor raid6_pq [ 186.678631] usbhid nouveau ttm i915 rtsx_pci_sdmmc mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse drm ahci rtsx_pci nvme nvme_core libahci i2c_hid hid pinctrl_sunrisepoint video wmi pinctrl_intel fjes [last unloaded: brcmfmac] [ 186.678646] CPU: 2 PID: 7140 Comm: wpa_supplicant Not tainted 4.8.0-rc1+ #8 [ 186.678647] Hardware name: Dell Inc. XPS 15 9550/0N7TVV, BIOS 01.02.00 04/07/2016 [ 186.678648] 0000000000000000 ffff9d8c64b5b900 ffffffff98442f23 ffff9d8c64b5b950 [ 186.678651] 0000000000000000 ffff9d8c64b5b940 ffffffff9808b22b 00001d790000000d [ 186.678653] ffffffff98c75e78 000000000000026c 0000000000000000 ffff9d8c2706d058 [ 186.678655] Call Trace: [ 186.678659] [] dump_stack+0x85/0xc2 [ 186.678666] [] __warn+0xcb/0xf0 [ 186.678668] [] warn_slowpath_fmt+0x4f/0x60 [ 186.678671] [] ? prepare_to_wait_event+0x60/0x100 [ 186.678672] [] ? prepare_to_wait_event+0x60/0x100 [ 186.678674] [] __might_sleep+0x7c/0x80 [ 186.678680] [] mutex_lock_nested+0x33/0x3b0 [ 186.678682] [] ? trace_hardirqs_on+0xd/0x10 [ 186.678689] [] brcmf_cfg80211_wait_vif_event+0xcd/0x130 [brcmfmac] [ 186.678691] [] ? wake_atomic_t_function+0x60/0x60 [ 186.678697] [] brcmf_p2p_del_vif+0xf9/0x220 [brcmfmac] [ 186.678702] [] brcmf_cfg80211_del_iface+0x21b/0x270 [brcmfmac] [ 186.678716] [] nl80211_del_interface+0xfe/0x3a0 [cfg80211] [ 186.678718] [] genl_family_rcv_msg+0x1b5/0x370 [ 186.678720] [] ? trace_hardirqs_on+0xd/0x10 [ 186.678721] [] genl_rcv_msg+0x7d/0xb0 [ 186.678722] [] ? genl_family_rcv_msg+0x370/0x370 [ 186.678724] [] netlink_rcv_skb+0x97/0xb0 [ 186.678726] [] genl_rcv+0x28/0x40 [ 186.678727] [] netlink_unicast+0x1d3/0x2f0 [ 186.678729] [] ? netlink_unicast+0x14b/0x2f0 [ 186.678731] [] netlink_sendmsg+0x2eb/0x3a0 [ 186.678733] [] sock_sendmsg+0x38/0x50 [ 186.678734] [] ___sys_sendmsg+0x27f/0x290 [ 186.678737] [] ? mntput_no_expire+0x5/0x3f0 [ 186.678739] [] ? mntput_no_expire+0x8e/0x3f0 [ 186.678741] [] ? mntput_no_expire+0x5/0x3f0 [ 186.678743] [] ? mntput+0x24/0x40 [ 186.678744] [] ? __fput+0x190/0x200 [ 186.678746] [] __sys_sendmsg+0x45/0x80 [ 186.678748] [] SyS_sendmsg+0x12/0x20 [ 186.678749] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 186.678751] [] ? trace_hardirqs_off_caller+0x1f/0xc0 [ 186.678752] ---[ end trace e224d66c5d8408b5 ]--- Signed-off-by: Masami Hiramatsu Acked-by: Arend van Spriel Signed-off-by: Kalle Valo .../broadcom/brcm80211/brcmfmac/cfg80211.c | 26 +++++++++++----------- .../broadcom/brcm80211/brcmfmac/cfg80211.h | 2 +- 2 files changed, 14 insertions(+), 14 deletions(-) commit 15dacf880e49ce3ecee05eb1a0c6b8e363dbacdc Author: mhiramat@kernel.org Date: Mon Aug 15 18:40:57 2016 +0900 brcmfmac: Check rtnl_lock is locked when removing interface Check rtnl_lock is locked in brcmf_p2p_ifp_removed() by passing rtnl_locked flag. Actually the caller brcmf_del_if() checks whether the rtnl_lock is locked, but doesn't pass it to brcmf_p2p_ifp_removed(). Without this fix, wpa_supplicant goes softlockup with rtnl_lock holding (this means all other process using netlink are locked up too) e.g. [ 4495.876627] INFO: task wpa_supplicant:7307 blocked for more than 10 seconds. [ 4495.876632] Tainted: G W 4.8.0-rc1+ #8 [ 4495.876635] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 4495.876638] wpa_supplicant D ffff974c647b39a0 0 7307 1 0x00000000 [ 4495.876644] ffff974c647b39a0 0000000000000000 ffff974c00000000 ffff974c7dc59c58 [ 4495.876651] ffff974c6b7417c0 ffff974c645017c0 ffff974c647b4000 ffffffff86f16c08 [ 4495.876657] ffff974c645017c0 0000000000000246 00000000ffffffff ffff974c647b39b8 [ 4495.876664] Call Trace: [ 4495.876671] [] schedule+0x3c/0x90 [ 4495.876676] [] schedule_preempt_disabled+0x15/0x20 [ 4495.876682] [] mutex_lock_nested+0x176/0x3b0 [ 4495.876686] [] ? rtnl_lock+0x17/0x20 [ 4495.876690] [] rtnl_lock+0x17/0x20 [ 4495.876720] [] brcmf_p2p_ifp_removed+0x4d/0x70 [brcmfmac] [ 4495.876741] [] brcmf_remove_interface+0x196/0x1b0 [brcmfmac] [ 4495.876760] [] brcmf_p2p_del_vif+0x111/0x220 [brcmfmac] [ 4495.876777] [] brcmf_cfg80211_del_iface+0x21b/0x270 [brcmfmac] [ 4495.876820] [] nl80211_del_interface+0xfe/0x3a0 [cfg80211] [ 4495.876825] [] genl_family_rcv_msg+0x1b5/0x370 [ 4495.876832] [] ? trace_hardirqs_on+0xd/0x10 [ 4495.876836] [] genl_rcv_msg+0x7d/0xb0 [ 4495.876839] [] ? genl_family_rcv_msg+0x370/0x370 [ 4495.876846] [] netlink_rcv_skb+0x97/0xb0 [ 4495.876849] [] genl_rcv+0x28/0x40 [ 4495.876854] [] netlink_unicast+0x1d3/0x2f0 [ 4495.876860] [] ? netlink_unicast+0x14b/0x2f0 [ 4495.876866] [] netlink_sendmsg+0x2eb/0x3a0 [ 4495.876870] [] sock_sendmsg+0x38/0x50 [ 4495.876874] [] ___sys_sendmsg+0x27f/0x290 [ 4495.876882] [] ? mntput_no_expire+0x5/0x3f0 [ 4495.876888] [] ? mntput_no_expire+0x8e/0x3f0 [ 4495.876894] [] ? mntput_no_expire+0x5/0x3f0 [ 4495.876899] [] ? mntput+0x24/0x40 [ 4495.876904] [] ? __fput+0x190/0x200 [ 4495.876909] [] __sys_sendmsg+0x45/0x80 [ 4495.876914] [] SyS_sendmsg+0x12/0x20 [ 4495.876918] [] entry_SYSCALL_64_fastpath+0x23/0xc1 [ 4495.876924] [] ? trace_hardirqs_off_caller+0x1f/0xc0 Signed-off-by: Masami Hiramatsu Acked-by: Rafał Miłecki Signed-off-by: Kalle Valo drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +- drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | 8 +++++--- drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.h | 2 +- 3 files changed, 7 insertions(+), 5 deletions(-) commit 8b6a3fe8fab97716990a3abde1a01fb5a34552a3 Author: Will Deacon Date: Wed Aug 24 10:07:14 2016 +0100 perf/core: Use this_cpu_ptr() when stopping AUX events When tearing down an AUX buf for an event via perf_mmap_close(), __perf_event_output_stop() is called on the event's CPU to ensure that trace generation is halted before the process of unmapping and freeing the buffer pages begins. The callback is performed via cpu_function_call(), which ensures that it runs with interrupts disabled and is therefore not preemptible. Unfortunately, the current code grabs the per-cpu context pointer using get_cpu_ptr(), which unnecessarily disables preemption and doesn't pair the call with put_cpu_ptr(), leading to a preempt_count() imbalance and a BUG when freeing the AUX buffer later on: WARNING: CPU: 1 PID: 2249 at kernel/events/ring_buffer.c:539 __rb_free_aux+0x10c/0x120 Modules linked in: [...] Call Trace: [] dump_stack+0x4f/0x72 [] __warn+0xc6/0xe0 [] warn_slowpath_null+0x18/0x20 [] __rb_free_aux+0x10c/0x120 [] rb_free_aux+0x13/0x20 [] perf_mmap_close+0x29e/0x2f0 [] ? perf_iterate_ctx+0xe0/0xe0 [] remove_vma+0x25/0x60 [] exit_mmap+0x106/0x140 [] mmput+0x1c/0xd0 [] do_exit+0x253/0xbf0 [] do_group_exit+0x3e/0xb0 [] get_signal+0x249/0x640 [] do_signal+0x23/0x640 [] ? _raw_write_unlock_irq+0x12/0x30 [] ? _raw_spin_unlock_irq+0x9/0x10 [] ? __schedule+0x2c6/0x710 [] exit_to_usermode_loop+0x74/0x90 [] prepare_exit_to_usermode+0x26/0x30 [] retint_user+0x8/0x10 This patch uses this_cpu_ptr() instead of get_cpu_ptr(), since preemption is already disabled by the caller. Signed-off-by: Will Deacon Reviewed-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vince Weaver Fixes: 95ff4ca26c49 ("perf/core: Free AUX pages in unmap path") Link: http://lkml.kernel.org/r/20160824091905.GA16944@arm.com Signed-off-by: Ingo Molnar kernel/events/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 901d3d4fee83e9407d91e7178048e2fed6c91f6b Author: Li Zhong Date: Wed Aug 24 15:34:40 2016 +0800 crypto: vmx - fix null dereference in p8_aes_xts_crypt walk.iv is not assigned a value in blkcipher_walk_init. It makes iv uninitialized. It is possibly a null value(as shown below), which is then used by aes_p8_encrypt. This patch moves iv = walk.iv after blkcipher_walk_virt, in which walk.iv is set. [17856.268050] Unable to handle kernel paging request for data at address 0x00000000 [17856.268212] Faulting instruction address: 0xd000000002ff04bc 7:mon> t [link register ] d000000002ff47b8 p8_aes_xts_crypt+0x168/0x2a0 [vmx_crypto] (938) [c000000013b77960] d000000002ff4794 p8_aes_xts_crypt+0x144/0x2a0 [vmx_crypto] (unreliable) [c000000013b77a70] c000000000544d64 skcipher_decrypt_blkcipher+0x64/0x80 [c000000013b77ac0] d000000003c0175c crypt_convert+0x53c/0x620 [dm_crypt] [c000000013b77ba0] d000000003c043fc kcryptd_crypt+0x3cc/0x440 [dm_crypt] [c000000013b77c50] c0000000000f3070 process_one_work+0x1e0/0x590 [c000000013b77ce0] c0000000000f34c8 worker_thread+0xa8/0x660 [c000000013b77d80] c0000000000fc0b0 kthread+0x110/0x130 [c000000013b77e30] c0000000000098f0 ret_from_kernel_thread+0x5c/0x6c Signed-off-by: Li Zhong Signed-off-by: Herbert Xu drivers/crypto/vmx/aes_xts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 10bb087ce381c812cd81a65ffd5e6f83e6399291 Author: Giovanni Cabiddu Date: Thu Aug 18 19:53:36 2016 +0100 crypto: qat - fix aes-xts key sizes Increase value of supported key sizes for qat_aes_xts. aes-xts keys consists of keys of equal size concatenated. Fixes: def14bfaf30d ("crypto: qat - add support for ctr(aes) and xts(aes)") Cc: stable@vger.kernel.org Reported-by: Wenqian Yu Signed-off-by: Giovanni Cabiddu Signed-off-by: Herbert Xu drivers/crypto/qat/qat_common/qat_algs.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f74bdd4cb5d0d4c3e89919e850e0bbb8789f32f9 Author: Fabian Frederick Date: Tue Aug 16 21:49:45 2016 +0200 hwrng: mxc-rnga - Fix Kconfig dependency We can directly depend on SOC_IMX31 since commit c9ee94965dce ("ARM: imx: deconstruct mxc_rnga initialization") Since that commit, CONFIG_HW_RANDOM_MXC_RNGA could not be switched on with unknown symbol ARCH_HAS_RNGA and mxc-rnga.o can't be generated with ARCH=arm make M=drivers/char/hw_random Previously, HW_RANDOM_MXC_RNGA required ARCH_HAS_RNGA which was based on IMX_HAVE_PLATFORM_MXC_RNGA && ARCH_MXC. IMX_HAVE_PLATFORM_MXC_RNGA was based on SOC_IMX31. Fixes: c9ee94965dce ("ARM: imx: deconstruct mxc_rnga initialization") Signed-off-by: Fabian Frederick Acked-by: Arnd Bergmann Signed-off-by: Herbert Xu drivers/char/hw_random/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 40d9c32525cba79130612650b1abc47c0c0f19a8 Author: Aleksandr Makarov Date: Wed Aug 24 13:06:22 2016 +0300 USB: serial: option: add WeTelecom 0x6802 and 0x6803 products These product IDs are listed in Windows driver. 0x6803 corresponds to WeTelecom WM-D300. 0x6802 name is unknown. Signed-off-by: Aleksandr Makarov Cc: stable Signed-off-by: Johan Hovold drivers/usb/serial/option.c | 4 ++++ 1 file changed, 4 insertions(+) commit cad9d20784e9b31f0fa8eb82b4ae5dad633b560d Merge: b059152 a77ec83 Author: Linus Torvalds Date: Wed Aug 24 07:43:27 2016 -0400 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull vhost bugfix from Michael Tsirkin: "This includes a single bugfix for vhost-scsi" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vhost/scsi: fix reuse of &vq->iov[out] in response commit b70cd2de0ea85f5ab51a1d01893cba6415011b9d Author: Andy Shevchenko Date: Wed Aug 24 14:11:30 2016 +0300 spi: pxa2xx-pci: fix ACPI-based enumeration of SPI devices Slave devices are not enumerated by ACPI data because the ACPI handle for the core driver is NULL if it was enumerated by PCI. Propagate firmware node handle of the PCI device to the platform device. Suggested-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Mark Brown drivers/spi/spi-pxa2xx-pci.c | 1 + 1 file changed, 1 insertion(+) commit aa8c0f1ad7e862147f4efb32bbb71ff66eb38caa Author: Baoyou Xie Date: Tue Aug 23 23:19:29 2016 +0800 clocksource/drivers/pxa: Fix include files for compilation We get 1 warning about global functions without a declaration in the clocksource/drivers/pxa driver when building with W=1: drivers/clocksource/pxa_timer.c:221:13: warning: no previous prototype for 'pxa_timer_nodt_init' [-Wmissing-prototypes] void __init pxa_timer_nodt_init(int irq, void __iomem *base, In fact, this function is declared in pxa.h, so this patch add missing header dependencies. Signed-off-by: Baoyou Xie Reviewed-by: Arnd Bergmann Cc: daniel.lezcano@linaro.org Cc: xie.baoyou@zte.com.cn Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1471965569-4104-1-git-send-email-baoyou.xie@linaro.org Signed-off-by: Thomas Gleixner drivers/clocksource/pxa_timer.c | 2 ++ 1 file changed, 2 insertions(+) commit 588deb614a0d3caa596dd8eba8c4d31eaaeb89b9 Author: Mark Rutland Date: Tue Aug 9 11:03:56 2016 +0100 MAINTAINERS: Add ARM ARCHITECTED TIMER entry The ARM architected timer driver falls under the drivers/clocksource/ catch-all in MAINTAINERS, and get_maintainers.pl doesn't suggest a number of people who should be Cc'd. The ARM architected timer is a core component of ARMv7+VE and ARMv8, and is critical to the correct operation of both architecture ports (and their respective KVM code), and patches to it should have review by knowledgeable interested parties. This patch adds a MAINTAINERS entry for the driver and its low-level arch components, such that get_maintainer.pl will always include relevant interested parties for modifications to the driver. For the timebeing, this means myself and Marc Zyngier. Signed-off-by: Mark Rutland Acked-by: Marc Zyngier Cc: Catalin Marinas Cc: Daniel Lezcano Cc: Will Deacon Cc: linux-arm-kernel@lists.infradead.org Link: http://lkml.kernel.org/r/1470737036-2082-1-git-send-email-mark.rutland@arm.com Signed-off-by: Thomas Gleixner MAINTAINERS | 9 +++++++++ 1 file changed, 9 insertions(+) commit abaa2274811d607679e8687b4118c4922a3517ac Author: Anisse Astier Date: Wed Aug 24 09:14:13 2016 +0200 ALSA: hda/realtek - fix headset mic detection for MSI MS-B120 MSI Cubi MS-B120 needs the same fixup as the Gigabyte BXBT-2807 for its mic to work. They both use a single 3-way jack for both mic and headset with an ALC283 codec, with the same pins used. Cc: Daniel Drake Signed-off-by: Anisse Astier Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 2e63ad4bd5dd583871e6602f9d398b9322d358d9 Author: Wanpeng Li Date: Tue Aug 23 20:07:19 2016 +0800 x86/apic: Do not init irq remapping if ioapic is disabled native_smp_prepare_cpus -> default_setup_apic_routing -> enable_IR_x2apic -> irq_remapping_prepare -> intel_prepare_irq_remapping -> intel_setup_irq_remapping So IR table is setup even if "noapic" boot parameter is added. As a result we crash later when the interrupt affinity is set due to a half initialized remapping infrastructure. Prevent remap initialization when IOAPIC is disabled. Signed-off-by: Wanpeng Li Cc: Peter Zijlstra Cc: Joerg Roedel Link: http://lkml.kernel.org/r/1471954039-3942-1-git-send-email-wanpeng.li@hotmail.com Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner arch/x86/kernel/apic/apic.c | 3 +++ 1 file changed, 3 insertions(+) commit a4f8f6667f099036c88f231dcad4cf233652c824 Author: John Stultz Date: Tue Aug 23 16:08:22 2016 -0700 timekeeping: Cap array access in timekeeping_debug It was reported that hibernation could fail on the 2nd attempt, where the system hangs at hibernate() -> syscore_resume() -> i8237A_resume() -> claim_dma_lock(), because the lock has already been taken. However there is actually no other process would like to grab this lock on that problematic platform. Further investigation showed that the problem is triggered by setting /sys/power/pm_trace to 1 before the 1st hibernation. Since once pm_trace is enabled, the rtc becomes unmeaningful after suspend, and meanwhile some BIOSes would like to adjust the 'invalid' RTC (e.g, smaller than 1970) to the release date of that motherboard during POST stage, thus after resumed, it may seem that the system had a significant long sleep time which is a completely meaningless value. Then in timekeeping_resume -> tk_debug_account_sleep_time, if the bit31 of the sleep time happened to be set to 1, fls() returns 32 and we add 1 to sleep_time_bin[32], which causes an out of bounds array access and therefor memory being overwritten. As depicted by System.map: 0xffffffff81c9d080 b sleep_time_bin 0xffffffff81c9d100 B dma_spin_lock the dma_spin_lock.val is set to 1, which caused this problem. This patch adds a sanity check in tk_debug_account_sleep_time() to ensure we don't index past the sleep_time_bin array. [jstultz: Problem diagnosed and original patch by Chen Yu, I've solved the issue slightly differently, but borrowed his excelent explanation of the issue here.] Fixes: 5c83545f24ab "power: Add option to log time spent in suspend" Reported-by: Janek Kozicki Reported-by: Chen Yu Signed-off-by: John Stultz Cc: linux-pm@vger.kernel.org Cc: Peter Zijlstra Cc: Xunlei Pang Cc: "Rafael J. Wysocki" Cc: stable Cc: Zhang Rui Link: http://lkml.kernel.org/r/1471993702-29148-3-git-send-email-john.stultz@linaro.org Signed-off-by: Thomas Gleixner kernel/time/timekeeping_debug.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 27727df240c7cc84f2ba6047c6f18d5addfd25ef Author: John Stultz Date: Tue Aug 23 16:08:21 2016 -0700 timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING When I added some extra sanity checking in timekeeping_get_ns() under CONFIG_DEBUG_TIMEKEEPING, I missed that the NMI safe __ktime_get_fast_ns() method was using timekeeping_get_ns(). Thus the locking added to the debug checks broke the NMI-safety of __ktime_get_fast_ns(). This patch open-codes the timekeeping_get_ns() logic for __ktime_get_fast_ns(), so can avoid any deadlocks in NMI. Fixes: 4ca22c2648f9 "timekeeping: Add warnings when overflows or underflows are observed" Reported-by: Steven Rostedt Reported-by: Peter Zijlstra Signed-off-by: John Stultz Cc: stable Link: http://lkml.kernel.org/r/1471993702-29148-2-git-send-email-john.stultz@linaro.org Signed-off-by: Thomas Gleixner kernel/time/timekeeping.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit d7226c7a4dd19929d6df4ae04698da2fcf6f875a Author: David Ahern Date: Tue Aug 23 21:05:27 2016 -0700 net: diag: Fix refcnt leak in error path destroying socket inet_diag_find_one_icsk takes a reference to a socket that is not released if sock_diag_destroy returns an error. Fix by changing tcp_diag_destroy to manage the refcnt for all cases and remove the sock_put calls from tcp_abort. Fixes: c1e64e298b8ca ("net: diag: Support destroying TCP sockets") Reported-by: Lorenzo Colitti Signed-off-by: David Ahern Signed-off-by: David S. Miller net/ipv4/tcp.c | 2 -- net/ipv4/tcp_diag.c | 7 ++++++- 2 files changed, 6 insertions(+), 3 deletions(-) commit 7b996243fab46092fb3a29c773c54be8152366e4 Author: Soheil Hassas Yeganeh Date: Tue Aug 23 18:22:33 2016 -0400 tun: fix transmit timestamp support Instead of using sock_tx_timestamp, use skb_tx_timestamp to record software transmit timestamp of a packet. sock_tx_timestamp resets and overrides the tx_flags of the skb. The function is intended to be called from within the protocol layer when creating the skb, not from a device driver. This is inconsistent with other drivers and will cause issues for TCP. In TCP, we intend to sample the timestamps for the last byte for each sendmsg/sendpage. For that reason, tcp_sendmsg calls tcp_tx_timestamp only with the last skb that it generates. For example, if a 128KB message is split into two 64KB packets we want to sample the SND timestamp of the last packet. The current code in the tun driver, however, will result in sampling the SND timestamp for both packets. Also, when the last packet is split into smaller packets for retranmission (see tcp_fragment), the tun driver will record timestamps for all of the retransmitted packets and not only the last packet. Fixes: eda297729171 (tun: Support software transmit time stamping.) Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: Francis Yan Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/tun.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) commit 75d855a5e93e6f3d9b37a8719d69a5318f051453 Author: Eric Dumazet Date: Tue Aug 23 09:57:51 2016 -0700 udp: get rid of SLAB_DESTROY_BY_RCU allocations After commit ca065d0cf80f ("udp: no longer use SLAB_DESTROY_BY_RCU") we do not need this special allocation mode anymore, even if it is harmless. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/udp.c | 1 - net/ipv4/udplite.c | 1 - net/ipv6/udp.c | 1 - net/ipv6/udplite.c | 1 - 4 files changed, 4 deletions(-) commit b059152245e778c5526e198a99f0475c8fc26506 Merge: 7a1dcf6 20a3d61 Author: Linus Torvalds Date: Tue Aug 23 20:24:27 2016 -0400 Merge tag 'for-f2fs-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs Pull f2fs fixes from Jaegeuk Kim: - fsmark regression - i_size race condition - wrong conditions in f2fs_move_file_range * tag 'for-f2fs-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs: f2fs: avoid potential deadlock in f2fs_move_file_range f2fs: allow copying file range only in between regular files Revert "f2fs: move i_size_write in f2fs_write_end" Revert "f2fs: use percpu_rw_semaphore" commit 232cb53a45965f8789fbf0a9a1962f8c67ab1a3c Author: Lance Richardson Date: Tue Aug 23 11:40:52 2016 -0400 sctp: fix overrun in sctp_diag_dump_one() The function sctp_diag_dump_one() currently performs a memcpy() of 64 bytes from a 16 byte field into another 16 byte field. Fix by using correct size, use sizeof to obtain correct size instead of using a hard-coded constant. Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") Signed-off-by: Lance Richardson Reviewed-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/sctp_diag.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit a8184003c0bb1d6362c2af76c560b3caae6832cb Author: Rabin Vincent Date: Tue Aug 23 16:31:28 2016 +0200 dwc_eth_qos: fix interrupt enable race We currently enable interrupts before we enable NAPI. If an RX interrupt hits before we enabled NAPI then the NAPI callback is never called and we leave the hardware with RX interrupts disabled, which of course leads us to never handling received packets. Fix this by moving the interrupt enable to after we've enable NAPI and the reclaim tasklet. Fixes: cd5e41234729 ("dwc_eth_qos: do phy_start before resetting hardware") Signed-off-by: Rabin Vincent Signed-off-by: Lars Persson Signed-off-by: David S. Miller drivers/net/ethernet/synopsys/dwc_eth_qos.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) commit 53080fe9c451e7625e71b91c384e7bef1be72b00 Author: Fabio Estevam Date: Tue Aug 23 09:48:20 2016 -0300 net: lpc_eth: Check clk_prepare_enable() error clk_prepare_enable() may fail, so we should better check its return value and propagate it in the case of failure While at it, replace __lpc_eth_clock_enable() with a plain clk_prepare_enable/clk_disable_unprepare() call in order to simplify the code. Signed-off-by: Fabio Estevam Acked-by: Vladimir Zapolskiy Signed-off-by: David S. Miller drivers/net/ethernet/nxp/lpc_eth.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) commit 1bc261fabe866c4cdc97f52319eaa0c7ee31026e Author: Jamie Lentin Date: Mon Aug 22 22:47:08 2016 +0100 net: mv88e6xxx: Fix ingress rate removal for mv6131 chips The PORT_RATE_CONTROL register works differently on 88e6095/6095f/6131 in comparison to 6123/61/65, and 0x0 disables. The distinction was lost Linux 4.1 --> 4.2 Signed-off-by: Jamie Lentin Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/dsa/mv88e6xxx/chip.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit f64f14820e2deb5db056a05d7672ee2b1c6290e5 Author: Xander Huff Date: Mon Aug 22 15:57:16 2016 -0500 phy: micrel: Reenable interrupts during resume for ksz9031 Like the ksz8081, the ksz9031 has the behavior where it will clear the interrupt enable bits when leaving power down. This takes advantage of the solution provided by f5aba91. Signed-off-by: Xander Huff Signed-off-by: Nathan Sullivan Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/phy/micrel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 20a2b49fc538540819a0c552877086548cff8d8d Author: Eric Dumazet Date: Mon Aug 22 11:31:10 2016 -0700 tcp: properly scale window in tcp_v[46]_reqsk_send_ack() When sending an ack in SYN_RECV state, we must scale the offered window if wscale option was negotiated and accepted. Tested: Following packetdrill test demonstrates the issue : 0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1) = 0 // Establish a connection. +0 < S 0:0(0) win 20000 +0 > S. 0:0(0) ack 1 win 28960 +0 < . 1:11(10) ack 1 win 156 // check that window is properly scaled ! +0 > . 1:1(0) ack 1 win 226 Signed-off-by: Eric Dumazet Cc: Yuchung Cheng Cc: Neal Cardwell Acked-by: Yuchung Cheng Acked-by: Neal Cardwell Signed-off-by: David S. Miller net/ipv4/tcp_ipv4.c | 8 +++++++- net/ipv6/tcp_ipv6.c | 8 +++++++- 2 files changed, 14 insertions(+), 2 deletions(-) commit 6c389fc931bcda88940c809f752ada6d7799482c Author: Zefir Kurtisi Date: Mon Aug 22 15:58:12 2016 +0200 gianfar: fix size of scatter-gathered frames The current scatter-gather logic in gianfar is flawed, since it does not consider the eTSEC's RxBD 'Data Length' field is context depening: for the last fragment it contains the full frame size, while fragments contain the fragment size, which equals the value written to register MRBLR. This causes data corruption as soon as the hardware starts to fragment receiving frames. As a result, the size of fragmented frames is increased by (nr_frags - 1) * MRBLR We first noticed this issue working with DSA, where an ICMP request sized 1472 bytes causes the scatter-gather logic to kick in. The full Ethernet frame (1518) gets increased by DSA (4), GMAC_FCB_LEN (8), and FSL_GIANFAR_DEV_HAS_TIMER (priv->padding=8) to a total of 1538 octets, which is fragmented by the hardware and reconstructed by the driver to a 3074 octet frame. This patch fixes the problem by adjusting the size of the last fragment. It was tested by setting MRBLR to different multiples of 64, proving correct scatter-gather operation on frames with up to 9000 octets in size. Signed-off-by: Zefir Kurtisi Signed-off-by: David S. Miller drivers/net/ethernet/freescale/gianfar.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) commit b323431bc017e9862870cbbac004774c769ee112 Author: Zefir Kurtisi Date: Mon Aug 22 15:56:38 2016 +0200 gianfar: prevent fragmentation in DSA environments The eTSEC register MRBLR defines the maximum space in the RX buffers and is set to 1536 by gianfar. This reasonably covers the common use case where the MTU is kept at default 1500. In that case, the largest Ethernet frame size of 1518 plus an optional GMAC_FCB_LEN of 8, and an additional padding of 8 to handle FSL_GIANFAR_DEV_HAS_TIMER totals to 1534 and nicely fit within the chosen MRBLR. Alas, if the eTSEC is attached to a DSA enabled switch, the (E)DSA header extension (4 or 8 bytes) causes every maximum sized frame to be fragmented by the hardware. This patch increases the maximum RX buffer size by 8 and rounds up to the next multiple of 64, which the hardware's defines as RX buffer granularity. Signed-off-by: Zefir Kurtisi Signed-off-by: David S. Miller drivers/net/ethernet/freescale/gianfar.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit e83c6744e81abc93a20d0eb3b7f504a176a6126a Author: Eric Dumazet Date: Tue Aug 23 13:59:33 2016 -0700 udp: fix poll() issue with zero sized packets Laura tracked poll() [and friends] regression caused by commit e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") udp_poll() needs to know if there is a valid packet in receive queue, even if its payload length is 0. Change first_packet_length() to return an signed int, and use -1 as the indication of an empty queue. Fixes: e6afc8ace6dd ("udp: remove headers from UDP packets before queueing") Reported-by: Laura Abbott Signed-off-by: Eric Dumazet Tested-by: Laura Abbott Signed-off-by: David S. Miller net/ipv4/udp.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit eafe5cfe718926c1ed8b3dacd2191c189b3cdcd2 Merge: c0678b2 3d4267a Author: Greg Kroah-Hartman Date: Tue Aug 23 17:39:31 2016 -0400 Merge tag 'iio-fixes-for-4.8a' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into work-linus Jonathan writes: First round of IIO fixes for the 4.8 cycle. This is somewhat of a bumper set due to my unavailabilty earlier in the month. The only slightly unusual ones are the dts updates for the rockchip adc reset. The fix in the driver only makes sense with these and the rockchip maintainer is happy with them going through IIO to reach mainline. Core stuff * Fix an issue with a blocking op when !TASK_RUNNING. This been there a while and snuck in with seemingly minor additions to some core code paths. * Tools - generic_buffer failed to initialize the channel array pointer thus in the case of no channels blows up trying to free a random memory address. * sw-trigger: - Fix config group initialization when configfs is built as a module. Drivers * ad5933 - Fix an incorrect overwrite of an error value. * ad799x - A missed assignment of the update_scan_mode callback means buffered mode doesn't work on the ad7991, ad7995 or ad7999. * ads1015 - wrong pointer returned from i2c_get_clientdata (missmatch of assumptions) * am2315 - Timestamps are reported, but never actually acquired from anywhere (so always 0) - missing buffer selects in Kconfig * am335x adc - Protect fifo1 from concurrent access. - Increase timeout waiting for ADC to be long enough in all cases. * as3935 - Timestamps are reported, but never actually acquired from anywhere (so always 0) * at91 - Fix reading of channel 3. * atlas-ph-sensor - Typo means that the scale of electrical conductivity readings is way off. * bma220 - Timestamps are reported, but never actually acquired from anywhere (so always 0) - Missing buffer selects in Kconfig * bmp280 - pass the write pointer to PTR_ERR (i.e. the one that was just checked with IS_ERR). - suspend /resume crash due to wrong assumption about what dev_get_drvdata would return. * hdc100x - It superficially appeared that smbus_read_byte commands would allow reading of the outputs in two goes. In reality it doesn't work, but instead returns the same for the upper and lower bytes (nice catch from Alison!) * kxsd9 - Fix raw read return value to ensure it actually reports the value rather than a blank string. * max44000 - Missing buffer selects in Kconfig * rockchip_saradc - Add use of reset controller to enforce a clean state of the ADC. Some bootloaders can leave it in an 'intersting' state and effectively frozen without this. A couple of associated dts updates. * stk8ba50 - Missing buffer selects in Kconfig * stx104 - Fix a possible race due to use of devm_iio_device_register when there was other stuff in the remove function. commit 21c80c9fefc3db10b530a96eb0478c29eb28bf77 Author: Keith Busch Date: Tue Aug 23 16:36:42 2016 -0500 x86/PCI: VMD: Fix infinite loop executing irq's We can't initialize the list head on deletion as this causes the node to point to itself, which causes an infinite loop if vmd_irq() happens to be servicing that node. The list initialization was trying to fix a bug from multiple calls to disable the same IRQ. Fix this instead by having the VMD driver track if the interrupt is enabled. [bhelgaas: changelog, add "Fixes"] Fixes: 97e923063575 ("x86/PCI: VMD: Initialize list item in IRQ disable") Reported-by: Grzegorz Koczot Tested-by: Miroslaw Drost Signed-off-by: Keith Busch Signed-off-by: Bjorn Helgaas Acked-by Jon Derrick: arch/x86/pci/vmd.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit dad2232844073295c64e9cc2d734a0ade043e0f6 Author: Andrey Ryabinin Date: Wed Aug 17 18:10:11 2016 +0300 um: Don't discard .text.exit section Commit e41f501d3912 ("vmlinux.lds: account for destructor sections") added '.text.exit' to EXIT_TEXT which is discarded at link time by default. This breaks compilation of UML: `.text.exit' referenced in section `.fini_array' of /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o): defined in discarded section `.text.exit' of /usr/lib/gcc/x86_64-linux-gnu/6/../../../x86_64-linux-gnu/libc.a(sdlerror.o) Apparently UML doesn't want to discard exit text, so let's place all EXIT_TEXT sections in .exit.text. Fixes: e41f501d3912 ("vmlinux.lds: account for destructor sections") Reported-by: Stefan Traby Signed-off-by: Andrey Ryabinin Cc: Acked-by: Dmitry Vyukov Signed-off-by: Richard Weinberger arch/um/include/asm/common.lds.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 17ce1eb0b64eb27d4f9180daae7495fa022c7b0d Author: Richard Weinberger Date: Sun Jul 31 21:42:23 2016 +0200 ubifs: Fix xattr generic handler usage UBIFS uses full names to work with xattrs, therefore we have to use xattr_full_name() to obtain the xattr prefix as string. Cc: Cc: Andreas Gruenbacher Fixes: 2b88fc21ca ("ubifs: Switch to generic xattr handlers") Signed-off-by: Richard Weinberger Reviewed-by: Andreas Gruenbacher Tested-by: Dongsheng Yang fs/ubifs/xattr.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit c0082e985fdf77b02fc9e0dac3b58504dcf11b7a Author: Vincent Stehlé Date: Fri Aug 12 15:26:30 2016 +0200 ubifs: Fix assertion in layout_in_gaps() An assertion in layout_in_gaps() verifies that the gap_lebs pointer is below the maximum bound. When computing this maximum bound the idx_lebs count is multiplied by sizeof(int), while C pointers arithmetic does take into account the size of the pointed elements implicitly already. Remove the multiplication to fix the assertion. Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system") Cc: Signed-off-by: Vincent Stehlé Cc: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Richard Weinberger fs/ubifs/tnc_commit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 53e5f36fbd2453ad69a3369a1db62dc06c30a4aa Author: Alan Stern Date: Tue Aug 23 15:32:51 2016 -0400 USB: avoid left shift by -1 UBSAN complains about a left shift by -1 in proc_do_submiturb(). This can occur when an URB is submitted for a bulk or control endpoint on a high-speed device, since the code doesn't bother to check the endpoint type; normally only interrupt or isochronous endpoints have a nonzero bInterval value. Aside from the fact that the operation is illegal, it shouldn't matter because the result isn't used. Still, in theory it could cause a hardware exception or other problem, so we should work around it. This patch avoids doing the left shift unless the shift amount is >= 0. The same piece of code has another problem. When checking the device speed (the exponential encoding for interrupt endpoints is used only by high-speed or faster devices), we need to look for speed >= USB_SPEED_SUPER as well as speed == USB_SPEED HIGH. The patch adds this check. Signed-off-by: Alan Stern Reported-by: Vittorio Zecca Tested-by: Vittorio Zecca Suggested-by: Bjørn Mork CC: Signed-off-by: Greg Kroah-Hartman drivers/usb/core/devio.c | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) commit 7a1dcf6adaa7cc4b8cd93a3883267497a77b1051 Merge: d1fdafa 94cd97a Author: Linus Torvalds Date: Tue Aug 23 14:32:38 2016 -0400 Merge tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardened usercopy fixes from Kees Cook: - avoid signed math problems on unexpected compilers - avoid false positives at very end of kernel text range checks * tag 'usercopy-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: usercopy: fix overlap check for kernel text usercopy: avoid potentially undefined behavior in pointer math commit d1fdafa10f80292ba31c2f45a3e94805873575a8 Merge: ef0e1ea e67479b Author: Linus Torvalds Date: Tue Aug 23 14:29:00 2016 -0400 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a number of memory corruption bugs in the newly added sha256-mb/sha256-mb code" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: sha512-mb - fix ctx pointer crypto: sha256-mb - fix ctx pointer and digest copy commit 3d4267a5a3a4b7619b80ad1839d8b3bedd8b7a8d Author: Caesar Wang Date: Wed Jul 27 22:24:07 2016 +0800 arm: dts: rockchip: add reset node for the exist saradc SoCs SARADC controller needs to be reset before programming it, otherwise it will not function properly. Signed-off-by: Caesar Wang Acked-by: Heiko Stuebner Cc: Signed-off-by: Jonathan Cameron arch/arm/boot/dts/rk3066a.dtsi | 2 ++ arch/arm/boot/dts/rk3288.dtsi | 2 ++ arch/arm/boot/dts/rk3xxx.dtsi | 2 ++ 3 files changed, 6 insertions(+) commit 78ec79bfd59e126e1cb394302bfa531a420b3ecd Author: Caesar Wang Date: Wed Jul 27 22:24:06 2016 +0800 arm64: dts: rockchip: add reset saradc node for rk3368 SoCs SARADC controller needs to be reset before programming it, otherwise it will not function properly. Signed-off-by: Caesar Wang Acked-by: Heiko Stuebner Cc: Signed-off-by: Jonathan Cameron arch/arm64/boot/dts/rockchip/rk3368.dtsi | 2 ++ 1 file changed, 2 insertions(+) commit 543852af8e5902aee8f7c72c89e1513663e0f696 Author: Caesar Wang Date: Wed Jul 27 22:24:04 2016 +0800 iio: adc: rockchip_saradc: reset saradc controller before programming it SARADC controller needs to be reset before programming it, otherwise it will not function properly. Signed-off-by: Caesar Wang Cc: Jonathan Cameron Cc: Heiko Stuebner Cc: Rob Herring Cc: linux-iio@vger.kernel.org Cc: linux-rockchip@lists.infradead.org Tested-by: Guenter Roeck Cc: Signed-off-by: Jonathan Cameron .../bindings/iio/adc/rockchip-saradc.txt | 7 +++++ drivers/iio/adc/Kconfig | 1 + drivers/iio/adc/rockchip_saradc.c | 30 ++++++++++++++++++++++ 3 files changed, 38 insertions(+) commit cff069b78c21559f427c3fefe9ef3294e3dec094 Author: Bharat Potnuri Date: Tue Aug 23 20:27:33 2016 +0530 iw_cxgb4: Fix cxgb4 arm CQ logic w/IB_CQ_REPORT_MISSED_EVENTS Current cxgb4 arm CQ logic ignores IB_CQ_REPORT_MISSED_EVENTS for request completion notification on a CQ. Due to this ib_poll_handler() assumes all events polled and avoids further iopoll scheduling. This patch adds logic to cxgb4 ib_req_notify_cq() handler to check if CQ is not empty and return accordingly. Based on the return value of ib_req_notify_cq() handler, ib_poll_handler() will schedule a run of iopoll handler. Signed-off-by: Potnuri Bharat Teja Reviewed-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/cq.c | 10 +++++----- drivers/infiniband/hw/cxgb4/t4.h | 5 +++++ 2 files changed, 10 insertions(+), 5 deletions(-) commit faa739fb5df56aadab96bcd2f6eb3486cc3a3aec Author: Mustafa Ismail Date: Mon Aug 22 18:17:12 2016 -0500 i40iw: Add missing check for interface already open In i40iw_open(), check if interface is already open and return success if it is. Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_main.c | 4 ++++ 1 file changed, 4 insertions(+) commit 44856be3e95c87f03e850ef4fdf8c0503c2dde18 Author: Mustafa Ismail Date: Mon Aug 22 18:15:58 2016 -0500 i40iw: Protect req_resource_num update In i40iw_alloc_resource(), ensure that the update to req_resource_num is protected by the lock. Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6c7d46fdb8165ece4b0a17fb8f0b9320dbfeffc2 Author: Shiraz Saleem Date: Mon Aug 22 18:09:14 2016 -0500 i40iw: Change mem_resources pointer to a u8 iwdev->mem_resources is incorrectly defined as an unsigned long instead of u8. As a result, the offset into the dynamic allocated structures in i40iw_initialize_hw_resources() is incorrectly calculated and would lead to writing of memory regions outside of the allocated buffer. Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 92d27ae6b3bb3491c1685fb3ca7ae1b26d81bdf4 Author: Markus Elfring Date: Mon Aug 22 18:23:24 2016 +0200 IB/core: Use memdup_user() rather than duplicating its implementation * Reuse existing functionality from memdup_user() instead of keeping duplicate source code. This issue was detected by using the Coccinelle software. * The local variable "ret" will be set to an appropriate value a bit later. Thus omit the explicit initialisation at the beginning. Signed-off-by: Markus Elfring Signed-off-by: Doug Ledford include/rdma/ib_verbs.h | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) commit 48ef5865d08fa0a36d786f2f8e12c6194d27538b Author: Markus Elfring Date: Fri Aug 19 08:50:23 2016 +0200 IB/qib: Use memdup_user() rather than duplicating its implementation Reuse existing functionality from memdup_user() instead of keeping duplicate source code. This issue was detected by using the Coccinelle software. Signed-off-by: Markus Elfring Reviewed-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/qib/qib_fs.c | 26 +++++--------------------- 1 file changed, 5 insertions(+), 21 deletions(-) commit 41963c10c47a35185e68cb9049f7a3493c94d2d7 Author: Benjamin Coddington Date: Mon Aug 22 14:11:16 2016 -0400 pnfs/blocklayout: update last_write_offset atomically with extents Block/SCSI layout write completion may add committable extents to the extent tree before updating the layout's last-written byte under the inode lock. If a sync happens before this value is updated, then prepare_layoutcommit may find and encode these extents which would produce a LAYOUTCOMMIT request whose encoded extents are larger than the request's loca_length. Fix this by using a last-written byte value that is updated atomically with the extent tree so that commitable extents always match. Signed-off-by: Benjamin Coddington Signed-off-by: Trond Myklebust fs/nfs/blocklayout/blocklayout.c | 2 +- fs/nfs/blocklayout/blocklayout.h | 3 ++- fs/nfs/blocklayout/extent_tree.c | 10 +++++++--- 3 files changed, 10 insertions(+), 5 deletions(-) commit b88fa69eaa8649f11828158c7b65c4bcd886ebd5 Author: Trond Myklebust Date: Tue Aug 23 11:19:33 2016 -0400 pNFS: The client must not do I/O to the DS if it's lease has expired Ensure that the client conforms to the normative behaviour described in RFC5661 Section 12.7.2: "If a client believes its lease has expired, it MUST NOT send I/O to the storage device until it has validated its lease." So ensure that we wait for the lease to be validated before using the layout. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v3.20+ fs/nfs/pnfs.c | 1 + 1 file changed, 1 insertion(+) commit a77ec83a57890240c546df00ca5df1cdeedb1cc3 Author: Benjamin Coddington Date: Mon Jun 6 18:07:59 2016 -0400 vhost/scsi: fix reuse of &vq->iov[out] in response The address of the iovec &vq->iov[out] is not guaranteed to contain the scsi command's response iovec throughout the lifetime of the command. Rather, it is more likely to contain an iovec from an immediately following command after looping back around to vhost_get_vq_desc(). Pass along the iovec entirely instead. Fixes: 79c14141a487 ("vhost/scsi: Convert completion path to use copy_to_iter") Cc: stable@vger.kernel.org Signed-off-by: Benjamin Coddington Signed-off-by: Michael S. Tsirkin drivers/vhost/scsi.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit a8719670687c46ed2e904c0d05fa4cd7e4950cd1 Author: Peter Ujfalusi Date: Tue Aug 23 10:27:19 2016 +0300 ASoC: omap-mcpdm: Fix irq resource handling Fixes: ddd17531ad908 ("ASoC: omap-mcpdm: Clean up with devm_* function") Managed irq request will not doing any good in ASoC probe level as it is not going to free up the irq when the driver is unbound from the sound card. Signed-off-by: Peter Ujfalusi Reported-by: Russell King Signed-off-by: Mark Brown sound/soc/omap/omap-mcpdm.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 6c73358c83ce870c0cf32413e5cadb3b9a39c606 Author: Alan Stern Date: Mon Aug 22 16:58:53 2016 -0400 USB: fix typo in wMaxPacketSize validation The maximum value allowed for wMaxPacketSize of a high-speed interrupt endpoint is 1024 bytes, not 1023. Signed-off-by: Alan Stern Fixes: aed9d65ac327 ("USB: validate wMaxPacketValue entries in endpoint descriptors") CC: Signed-off-by: Greg Kroah-Hartman drivers/usb/core/config.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 486095fae3a8a6b1ae07c51844699d9bd5cfbebc Author: Icenowy Zheng Date: Tue Aug 23 13:58:25 2016 +0800 pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 PG8, PG9 is said to be the CTS/RTS pins for UART1 according to the A23/33 datasheets. However, the function is wrongly named "uart2" in the pinctrl driver. This patch fixes this by modifying them to be named "uart1". Cc: stable@vger.kernel.org Signed-off-by: Icenowy Zheng Acked-by: Maxime Ripard Signed-off-by: Linus Walleij drivers/pinctrl/sunxi/pinctrl-sun8i-a23.c | 4 ++-- drivers/pinctrl/sunxi/pinctrl-sun8i-a33.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 1527eda3ab290f4ab519fe495c70ede5b0ad699f Author: Robin Murphy Date: Fri Aug 19 19:38:41 2016 +0100 ARM: 8600/1: Enforce some NS-SVC initialisation Since the non-secure copies of banked registers lack architecturally defined reset values, there is no actual guarantee when entering in Hyp from secure-only firmware that the Non-Secure PL1 state will look the way that kernel entry (in particular the decompressor stub) expects. So far, we've been getting away with it thanks to implementation details of ARMv7 cores and/or bootloader behaviour, but for the sake of forwards compatibility let's try to ensure that we have a minimally sane state before dropping down into it. Cc: Russell King Reviewed-by: Marc Zyngier Reviewed-by: Christoffer Dall Signed-off-by: Robin Murphy Signed-off-by: Russell King arch/arm/kernel/hyp-stub.S | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit f271b779f415455e904f3f10067ab7f2fb8af497 Author: Vladimir Murzin Date: Thu Aug 18 16:28:24 2016 +0100 ARM: 8599/1: mm: pull asm/memory.h explicitly Commit d78114554939a (""ARM: 8512/1: proc-v7.S: Adjust stack address when XIP_KERNEL"") introduced a macro which lives under asm/memory.h. Unfortunately, for MMU-less systems (like R-class) it leads to build failure: arch/arm/mm/proc-v7.S: Assembler messages: arch/arm/mm/proc-v7.S:538: Error: unrecognised relocation suffix make[1]: *** [arch/arm/mm/proc-v7.o] Error 1 make: *** [arch/arm/mm] Error 2 since it is implicitly pulled via asm/pgtable.h for MMU capable systems only. To fix it include asm/memory.h explicitly. Signed-off-by: Vladimir Murzin Signed-off-by: Russell King arch/arm/mm/proc-v7.S | 1 + 1 file changed, 1 insertion(+) commit 198b51e8a6a31d3a6f8e9dd9cade3635d0291f26 Author: Russell King Date: Fri Aug 19 12:47:54 2016 +0100 ARM: sa1100: register clocks early Since we switched to use pxa_timer, we need to provide the OSTIMER0 clock. However, as the clock is initialised early, we need to provide the clock early as well, so that pxa_timer can find it. Adding the clock to the clkdev table at core_initcall() time is way too late. Move the initialisation earlier. Fixes: ee3a4020f7c9 ("ARM: 8250/1: sa1100: provide OSTIMER0 clock for pxa_timer") Acked-by: Dmitry Eremin-Solenikov Signed-off-by: Russell King arch/arm/mach-sa1100/clock.c | 3 +-- arch/arm/mach-sa1100/generic.c | 1 + arch/arm/mach-sa1100/generic.h | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) commit 02ba38a5b6d6e0bc89c7b74651f1873055028a56 Author: Russell King Date: Fri Aug 19 12:44:29 2016 +0100 ARM: sa1100: fix 3.6864MHz clock pxa_timer wants to be able to call clk_enable() etc on this clock, but our clk_enable() implementation expects non-NULL enable/disable operations. Provide these dummy implementations. Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = c0204000 [00000000] *pgd=00000000 Internal error: Oops: 80000005 [#1] ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 4.8.0-rc2+ #887 Hardware name: Intel-Assabet task: c0644590 task.stack: c0640000 PC is at 0x0 LR is at clk_enable+0x40/0x58 pc : [<00000000>] lr : [] psr: 600000d3 sp : c0641f60 ip : c0641f4c fp : c0641f74 r10: c1ffc7a0 r9 : 6901b118 r8 : 00000001 r7 : c0639a34 r6 : 0000001b r5 : a00000d3 r4 : c0645d70 r3 : c0645d78 r2 : 00000001 r1 : c0641ef0 r0 : c0645d70 Flags: nZCv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none Control: c020717f Table: c020717f DAC: 00000053 Process swapper (pid: 0, stack limit = 0xc0640188) Stack: (0xc0641f60 to 0xc0642000) 1f60: 00384000 c08762e4 c0641f98 c0641f78 c063308c c021b144 00000000 00000000 1f80: 00000000 c0660b20 ffffffff c0641fa8 c0641f9c c06220ec c0633058 c0641fb8 1fa0: c0641fac c061f114 c06220dc c0641ff4 c0641fbc c061bb68 c061f0fc ffffffff 1fc0: ffffffff 00000000 c061b6cc c0639a34 c0660cd4 c0642038 c0639a30 c0645434 1fe0: c0204000 c06380f8 00000000 c0641ff8 c0208048 c061b954 00000000 00000000 Backtrace: [] (clk_enable) from [] (pxa_timer_nodt_init+0x40/0x120) r5:c08762e4 r4:00384000 [] (pxa_timer_nodt_init) from [] (sa1100_timer_init+0x1c/0x20) r6:ffffffff r5:c0660b20 r4:00000000 [] (sa1100_timer_init) from [] (time_init+0x24/0x2c) [] (time_init) from [] (start_kernel+0x220/0x42c) [] (start_kernel) from [] (0xc0208048) r10:c06380f8 r8:c0204000 r7:c0645434 r6:c0639a30 r5:c0642038 r4:c0660cd4 Code: bad PC value ---[ end trace 0000000000000000 ]--- Kernel panic - not syncing: Attempted to kill the idle task! Fixes: ee3a4020f7c9 ("ARM: 8250/1: sa1100: provide OSTIMER0 clock for pxa_timer") Acked-by: Dmitry Eremin-Solenikov Signed-off-by: Russell King arch/arm/mach-sa1100/clock.c | 2 ++ 1 file changed, 2 insertions(+) commit 28a10c426e81afc88514bca8e73affccf850fdf6 Author: Jamal Hadi Salim Date: Mon Aug 22 07:10:20 2016 -0400 net sched: fix encoding to use real length Encoding of the metadata was using the padded length as opposed to the real length of the data which is a bug per specification. This has not been an issue todate because all metadatum specified so far has been 32 bit where aligned and data length are the same width. This also includes a bug fix for validating the length of a u16 field. But since there is no metadata of size u16 yes we are fine to include it here. While at it get rid of magic numbers. Fixes: ef6980b6becb ("net sched: introduce IFE action") Signed-off-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_ife.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) commit 94cd97af690dd9537818dc9841d0ec68bb1dd877 Author: Josh Poimboeuf Date: Mon Aug 22 11:53:59 2016 -0500 usercopy: fix overlap check for kernel text When running with a local patch which moves the '_stext' symbol to the very beginning of the kernel text area, I got the following panic with CONFIG_HARDENED_USERCOPY: usercopy: kernel memory exposure attempt detected from ffff88103dfff000 () (4096 bytes) ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:79! invalid opcode: 0000 [#1] SMP ... CPU: 0 PID: 4800 Comm: cp Not tainted 4.8.0-rc3.after+ #1 Hardware name: Dell Inc. PowerEdge R720/0X3D66, BIOS 2.5.4 01/22/2016 task: ffff880817444140 task.stack: ffff880816274000 RIP: 0010:[] __check_object_size+0x76/0x413 RSP: 0018:ffff880816277c40 EFLAGS: 00010246 RAX: 000000000000006b RBX: ffff88103dfff000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff88081f80dfa8 RDI: ffff88081f80dfa8 RBP: ffff880816277c90 R08: 000000000000054c R09: 0000000000000000 R10: 0000000000000005 R11: 0000000000000006 R12: 0000000000001000 R13: ffff88103e000000 R14: ffff88103dffffff R15: 0000000000000001 FS: 00007fb9d1750800(0000) GS:ffff88081f800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000021d2000 CR3: 000000081a08f000 CR4: 00000000001406f0 Stack: ffff880816277cc8 0000000000010000 000000043de07000 0000000000000000 0000000000001000 ffff880816277e60 0000000000001000 ffff880816277e28 000000000000c000 0000000000001000 ffff880816277ce8 ffffffff8136c3a6 Call Trace: [] copy_page_to_iter_iovec+0xa6/0x1c0 [] copy_page_to_iter+0x16/0x90 [] generic_file_read_iter+0x3e3/0x7c0 [] ? xfs_file_buffered_aio_write+0xad/0x260 [xfs] [] ? down_read+0x12/0x40 [] xfs_file_buffered_aio_read+0x51/0xc0 [xfs] [] xfs_file_read_iter+0x62/0xb0 [xfs] [] __vfs_read+0xdf/0x130 [] vfs_read+0x8e/0x140 [] SyS_read+0x55/0xc0 [] do_syscall_64+0x67/0x160 [] entry_SYSCALL64_slow_path+0x25/0x25 RIP: 0033:[<00007fb9d0c33c00>] 0x7fb9d0c33c00 RSP: 002b:00007ffc9c262f28 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: fffffffffff8ffff RCX: 00007fb9d0c33c00 RDX: 0000000000010000 RSI: 00000000021c3000 RDI: 0000000000000004 RBP: 00000000021c3000 R08: 0000000000000000 R09: 00007ffc9c264d6c R10: 00007ffc9c262c50 R11: 0000000000000246 R12: 0000000000010000 R13: 00007ffc9c2630b0 R14: 0000000000000004 R15: 0000000000010000 Code: 81 48 0f 44 d0 48 c7 c6 90 4d a3 81 48 c7 c0 bb b3 a2 81 48 0f 44 f0 4d 89 e1 48 89 d9 48 c7 c7 68 16 a3 81 31 c0 e8 f4 57 f7 ff <0f> 0b 48 8d 90 00 40 00 00 48 39 d3 0f 83 22 01 00 00 48 39 c3 RIP [] __check_object_size+0x76/0x413 RSP The checked object's range [ffff88103dfff000, ffff88103e000000) is valid, so there shouldn't have been a BUG. The hardened usercopy code got confused because the range's ending address is the same as the kernel's text starting address at 0xffff88103e000000. The overlap check is slightly off. Fixes: f5509cc18daa ("mm: Hardened usercopy") Signed-off-by: Josh Poimboeuf Signed-off-by: Kees Cook mm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7329a655875a2f4bd6984fe8a7e00a6981e802f3 Author: Eric Biggers Date: Fri Aug 19 12:15:22 2016 -0700 usercopy: avoid potentially undefined behavior in pointer math check_bogus_address() checked for pointer overflow using this expression, where 'ptr' has type 'const void *': ptr + n < ptr Since pointer wraparound is undefined behavior, gcc at -O2 by default treats it like the following, which would not behave as intended: (long)n < 0 Fortunately, this doesn't currently happen for kernel code because kernel code is compiled with -fno-strict-overflow. But the expression should be fixed anyway to use well-defined integer arithmetic, since it could be treated differently by different compilers in the future or could be reported by tools checking for undefined behavior. Signed-off-by: Eric Biggers Signed-off-by: Kees Cook mm/usercopy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4870e704d901602e4ae5de462c4e65732cf2ed6c Author: Yuval Mintz Date: Mon Aug 22 12:03:29 2016 +0300 qed: FLR of active VFs might lead to FW assert Driver never bothered marking the VF's vport with the VF's sw_fid. As a result, FLR flows are not going to clean those vports. If the vport was active when FLRed, re-activating it would lead to a FW assertion. Fixes: dacd88d6f6851 ("qed: IOV l2 functionality") Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed.h | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit c0451fe1f27b815b3f400df2a63b9aecf589b7b0 Author: Shmulik Ladkani Date: Sun Aug 21 11:22:32 2016 +0300 net: ip_finish_output_gso: Allow fragmenting segments of tunneled skbs if their DF is unset In b8247f095e, "net: ip_finish_output_gso: If skb_gso_network_seglen exceeds MTU, allow segmentation for local udp tunneled skbs" gso skbs arriving from an ingress interface that go through UDP tunneling, are allowed to be fragmented if the resulting encapulated segments exceed the dst mtu of the egress interface. This aligned the behavior of gso skbs to non-gso skbs going through udp encapsulation path. However the non-gso vs gso anomaly is present also in the following cases of a GRE tunnel: - ip_gre in collect_md mode, where TUNNEL_DONT_FRAGMENT is not set (e.g. OvS vport-gre with df_default=false) - ip_gre in nopmtudisc mode, where IFLA_GRE_IGNORE_DF is set In both of the above cases, the non-gso skbs get fragmented, whereas the gso skbs (having skb_gso_network_seglen that exceeds dst mtu) get dropped, as they don't go through the segment+fragment code path. Fix: Setting IPSKB_FRAG_SEGS if the tunnel specified IP_DF bit is NOT set. Tunnels that do set IP_DF, will not go to fragmentation of segments. This preserves behavior of ip_gre in (the default) pmtudisc mode. Fixes: b8247f095e ("net: ip_finish_output_gso: If skb_gso_network_seglen exceeds MTU, allow segmentation for local udp tunneled skbs") Reported-by: wenxu Cc: Hannes Frederic Sowa Signed-off-by: Shmulik Ladkani Tested-by: wenxu Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller net/ipv4/ip_tunnel_core.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 85b51b12115c79cce7ea1ced6c0bd0339a165d3f Author: Mike Manning Date: Thu Aug 18 14:39:40 2016 +0100 net: ipv6: Remove addresses for failures with strict DAD If DAD fails with accept_dad set to 2, global addresses and host routes are incorrectly left in place. Even though disable_ipv6 is set, contrary to documentation, the addresses are not dynamically deleted from the interface. It is only on a subsequent link down/up that these are removed. The fix is not only to set the disable_ipv6 flag, but also to call addrconf_ifdown(), which is the action to carry out when disabling IPv6. This results in the addresses and routes being deleted immediately. The DAD failure for the LL addr is determined as before via netlink, or by the absence of the LL addr (which also previously would have had to be checked for in case of an intervening link down and up). As the call to addrconf_ifdown() requires an rtnl lock, the logic to disable IPv6 when DAD fails is moved to addrconf_dad_work(). Previous behavior: root@vm1:/# sysctl net.ipv6.conf.eth3.accept_dad=2 net.ipv6.conf.eth3.accept_dad = 2 root@vm1:/# ip -6 addr add 2000::10/64 dev eth3 root@vm1:/# ip link set up eth3 root@vm1:/# ip -6 addr show dev eth3 5: eth3: mtu 1500 qlen 1000 inet6 2000::10/64 scope global valid_lft forever preferred_lft forever inet6 fe80::5054:ff:fe43:dd5a/64 scope link tentative dadfailed valid_lft forever preferred_lft forever root@vm1:/# ip -6 route show dev eth3 2000::/64 proto kernel metric 256 fe80::/64 proto kernel metric 256 root@vm1:/# ip link set down eth3 root@vm1:/# ip link set up eth3 root@vm1:/# ip -6 addr show dev eth3 root@vm1:/# ip -6 route show dev eth3 root@vm1:/# New behavior: root@vm1:/# sysctl net.ipv6.conf.eth3.accept_dad=2 net.ipv6.conf.eth3.accept_dad = 2 root@vm1:/# ip -6 addr add 2000::10/64 dev eth3 root@vm1:/# ip link set up eth3 root@vm1:/# ip -6 addr show dev eth3 root@vm1:/# ip -6 route show dev eth3 root@vm1:/# Signed-off-by: Mike Manning Signed-off-by: David S. Miller net/ipv6/addrconf.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) commit 53dc65d4d33c422d086c9d9ad8c03ab400ffc0a1 Author: Mikko Rapeli Date: Mon Aug 22 20:33:21 2016 +0200 include/uapi/linux/ipx.h: fix conflicting defitions with glibc netipx/ipx.h Fixes these compiler warnings via libc-compat.h when glibc netipx/ipx.h is included before linux/ipx.h: ./linux/ipx.h:9:8: error: redefinition of ‘struct sockaddr_ipx’ ./linux/ipx.h:26:8: error: redefinition of ‘struct ipx_route_definition’ ./linux/ipx.h:32:8: error: redefinition of ‘struct ipx_interface_definition’ ./linux/ipx.h:49:8: error: redefinition of ‘struct ipx_config_data’ ./linux/ipx.h:58:8: error: redefinition of ‘struct ipx_route_def’ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/ipx.h | 13 ++++++++++++- include/uapi/linux/libc-compat.h | 26 ++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 1 deletion(-) commit a1d1f65ff5ac27276a585b41a619d30995bb92fe Author: Mikko Rapeli Date: Mon Aug 22 20:33:19 2016 +0200 include/uapi/linux/openvswitch.h: use __u32 from linux/types.h Kernel uapi header are supposed to use them. Fixes userspace compile error: linux/openvswitch.h:583:2: error: unknown type name ‘uint32_t’ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/openvswitch.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cf00713a655d3019be7faa184402f16c43a0fed3 Author: Mikko Rapeli Date: Mon Aug 22 20:32:58 2016 +0200 include/uapi/linux/atm_zatm.h: include linux/time.h Fixes userspace compile error: error: field ‘real’ has incomplete type struct timeval real; /* real (wall-clock) time */ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/atm_zatm.h | 1 + 1 file changed, 1 insertion(+) commit e6571aa5cb65ff52a87843652d0d8120a48aae7c Author: Mikko Rapeli Date: Mon Aug 22 20:32:55 2016 +0200 include/uapi/linux/openvswitch.h: use __u32 from linux/types.h Fixes userspace compiler error: error: unknown type name ‘uint32_t’ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/openvswitch.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit eafe92114308acf14e45c6c3d154a5dad5523d1a Author: Mikko Rapeli Date: Mon Aug 22 20:32:43 2016 +0200 include/uapi/linux/if_pppox.h: include linux/in.h and linux/in6.h Fixes userspace compilation errors: error: field ‘addr’ has incomplete type struct sockaddr_in addr; /* IP address and port to send to */ error: field ‘addr’ has incomplete type struct sockaddr_in6 addr; /* IP address and port to send to */ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/if_pppox.h | 2 ++ 1 file changed, 2 insertions(+) commit 05ee5de7451796cf9a8aeb2f05a57790d4fd2336 Author: Mikko Rapeli Date: Mon Aug 22 20:32:42 2016 +0200 include/uapi/linux/if_pppol2tp.h: include linux/in.h and linux/in6.h Fixes userspace compilation errors like: error: field ‘addr’ has incomplete type struct sockaddr_in addr; /* IP address and port to send to */ ^ error: field ‘addr’ has incomplete type struct sockaddr_in6 addr; /* IP address and port to send to */ Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/if_pppol2tp.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 1fe8e0f074c77aa41aaa579345a9e675acbebfa9 Author: Mikko Rapeli Date: Mon Aug 22 20:32:39 2016 +0200 include/uapi/linux/if_tunnel.h: include linux/if.h, linux/ip.h and linux/in6.h Fixes userspace compilation errors like: error: field ‘iph’ has incomplete type error: field ‘prefix’ has incomplete type Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/if_tunnel.h | 3 +++ 1 file changed, 3 insertions(+) commit b47b0cc73032d3c8225b5ea9a077941632f16d91 Author: Mikko Rapeli Date: Mon Aug 22 20:32:38 2016 +0200 include/uapi/linux/if_pppox.h: include linux/if.h Fixes userspace compilation error: error: ‘IFNAMSIZ’ undeclared here (not in a function) Signed-off-by: Mikko Rapeli Signed-off-by: David S. Miller include/uapi/linux/if_pppox.h | 1 + 1 file changed, 1 insertion(+) commit ef0e1ea8856bed6ff8394d3dfe77f2cab487ecea Merge: 37c669b c57653d Author: Linus Torvalds Date: Mon Aug 22 17:53:02 2016 -0500 Merge tag 'arc-4.8-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc Pull ARC fixes from Vineet Gupta: - support for Syscall ABI v4 with upstream gcc 6.x - lockdep fix (Daniel Mentz) - gdb register clobber (Liav Rehana) - couple of missing exports for modules - other fixes here and there * tag 'arc-4.8-rc4-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: export __udivdi3 for modules ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS ARC: export kmap ARC: Support syscall ABI v4 ARC: use correct offset in pt_regs for saving/restoring user mode r25 ARC: Elide redundant setup of DMA callbacks ARC: Call trace_hardirqs_on() before enabling irqs commit 37c669b237499cc4b8279466a83bcafed1ca2829 Merge: fa8410b 048c28c Author: Linus Torvalds Date: Mon Aug 22 17:51:21 2016 -0500 Merge tag 'gpio-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Here are a few GPIO fixes for v4.8. I was expecting some fallout from the new chardev rework but nothing like that turned up att all. Instead a Kconfig confusion that I think I have finally nailed, then some ordinary driver noise and trivia. This fixes a Kconfig issue with UM: when I made GPIOLIB available to all archs, that included UM, but the OF part of GPIOLIB requires HAS_IOMEM, so we add HAS_IOMEM as a dependency to OF_GPIO. This in turn exposed the fact that a few GPIO drivers were implicitly assuming OF_GPIO as their dependency but instead depended on OF alone (the typical problem being a pointer inside gpio_chip not existing unless OF_GPIO is selected) and then UM would fail to compile with these drivers instead. Then I lost patience and made any GPIO driver depending on just OF depend on OF_GPIO instead, that is certainly what they meant and the only thing that makes sense anyway. GPIO with just OF but !OF_GPIO does not make sense. Also a fix for the max730x driver data pointer, and a minor comment fix for the GPIO tools" * tag 'gpio-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: make any OF dependent driver depend on OF_GPIO gpio: Fix OF build problem on UM gpio: max730x: set gpiochip data pointer before using it tools/gpio: fix gpio-event-mon header comment commit e3a888a4bff0bef0b256d55c58bc32c99fb44ece Author: Petr Cvek Date: Fri Aug 19 10:14:29 2016 -0700 Input: ads7846 - remove redundant regulator_disable call ADS7846 regulator is disabled twice in a row in ads7846_remove(). Valid one is in ads7846_disable(). Removing the ads7846 module causes warning about unbalanced disables. ... WARNING: CPU: 0 PID: 29269 at drivers/regulator/core.c:2251 _regulator_disable+0xf8/0x130 unbalanced disables for vads7846 CPU: 0 PID: 29269 Comm: rmmod Tainted: G D W 4.7.0+ #3 Hardware name: HTC Magician ... show_stack+0x10/0x14 __warn+0xd8/0x100 warn_slowpath_fmt+0x38/0x48 _regulator_disable+0xf8/0x130 regulator_disable+0x34/0x60 ads7846_remove+0x58/0xd4 [ads7846] spi_drv_remove+0x1c/0x34 __device_release_driver+0x84/0x114 driver_detach+0x8c/0x90 bus_remove_driver+0x5c/0xc8 SyS_delete_module+0x1a0/0x238 ret_fast_syscall+0x0/0x38 Signed-off-by: Petr Cvek Signed-off-by: Dmitry Torokhov drivers/input/touchscreen/ads7846.c | 1 - 1 file changed, 1 deletion(-) commit 3e29d6bb6433ebfa4e187b1164b80baf720d58c3 Author: Andrew Duggan Date: Mon Aug 22 11:28:11 2016 -0700 Input: synaptics-rmi4 - fix register descriptor subpacket map construction The map_offset variable is specific to the register and needs to be reset in the loop. Otherwise, subsequent register's subpacket maps will have their bits set at the wrong index. Signed-off-by: Andrew Duggan Tested-by: Nitin Chaudhary Reviewed-by: Benjamin Tissoires Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/rmi4/rmi_driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit fae16989be77b09bab86c79233e4b511ea769cea Author: Masahiro Yamada Date: Mon Aug 22 13:25:56 2016 -0700 Input: tegra-kbc - fix inverted reset logic Commit fe6b0dfaba68 ("Input: tegra-kbc - use reset framework") accidentally converted _deassert to _assert, so there is no code to wake up this hardware. Fixes: fe6b0dfaba68 ("Input: tegra-kbc - use reset framework") Signed-off-by: Masahiro Yamada Acked-by: Thierry Reding Acked-by: Laxman Dewangan Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/keyboard/tegra-kbc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5cab4d84780573afbf5077ae9c3f919b4f305f20 Author: Hans de Goede Date: Mon Aug 22 13:49:59 2016 -0700 Input: silead - use devm_gpiod_get The silead code is using devm_foo for everything (and does not free any resources). Except that it is using gpiod_get instead of devm_gpiod_get (but is not freeing the gpio_desc), change this to use devm_gpiod_get so that the gpio will be properly released. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov drivers/input/touchscreen/silead.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 30b03b1528b60623986ee0b50ec0e5dab9094be8 Author: Steve Wise Date: Fri Aug 19 07:29:08 2016 -0700 iw_cxgb4: use the MPA initiator's IRD if < our ORD The i40iw initiator sends an MPA-request with ird=16 and ord=16. The cxgb4 responder sends an MPA-reply with ord = 32 causing i40iw to terminate due to insufficient resources. The logic to reduce the ORD to <= peer's IRD was wrong. Reported-by: Shiraz Saleem Signed-off-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/cm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7f446abf12d741f4e29f00c633cb5fa67c2eee71 Author: Steve Wise Date: Fri Aug 19 07:29:07 2016 -0700 iw_cxgb4: limit IRD/ORD advertised to ULP by device max. The i40iw initiator sends an MPA-request with ird = 63, ord = 63. The cxgb4 responder sends a RST. Since the inbound ord=63 and it exceeds the max_ird/c4iw_max_read_depth (=32 default), chelsio decides to abort. Instead, cxgb4 should adjust the ord/ird down before presenting it to the ULP. Reported-by: Shiraz Saleem Signed-off-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/cm.c | 4 ++++ 1 file changed, 4 insertions(+) commit e0cf75deab8155334c8228eb7f097b15127d0a49 Author: Ira Weiny Date: Tue Aug 16 13:27:03 2016 -0700 IB/hfi1: Fix mm_struct use after free Testing with CONFIG_SLUB_DEBUG_ON=y resulted in the kernel panic below. This is the result of the mm_struct sometimes being free'd prior to hfi1_file_close being called. This was due to the combination of 2 reasons: 1) hfi1_file_close is deferred in process exit and it therefore may not be called synchronously with process exit. 2) exit_mm is called prior to exit_files in do_exit. Normally this is ok however, our kernel bypass code requires us to have access to the mm_struct for house keeping both at "normal" close time as well as at process exit. Therefore, the fix is to simply keep a reference to the mm_struct until we are done with it. [ 3006.340150] general protection fault: 0000 [#1] SMP [ 3006.346469] Modules linked in: hfi1 rdmavt rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod snd_hda_code c_realtek iTCO_wdt snd_hda_codec_generic iTCO_vendor_support sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass c rct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw snd_hda_intel gf128mul snd_hda_codec glue_helper snd_hda_core ablk_helper sn d_hwdep cryptd snd_seq snd_seq_device snd_pcm snd_timer snd soundcore pcspkr shpchp mei_me sg lpc_ich mei i2c_i801 mfd_core ioatdma ipmi_devi ntf wmi ipmi_si ipmi_msghandler acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 jbd2 mbcache mlx4_en ib_core sr_mod s d_mod cdrom crc32c_intel mgag200 drm_kms_helper syscopyarea sysfillrect igb sysimgblt fb_sys_fops ptp mlx4_core ttm isci pps_core ahci drm li bsas libahci dca firewire_ohci i2c_algo_bit scsi_transport_sas firewire_core crc_itu_t i2c_core libata [last unloaded: mlx4_ib] [ 3006.461759] CPU: 16 PID: 11624 Comm: mpi_stress Not tainted 4.7.0-rc5+ #1 [ 3006.469915] Hardware name: Intel Corporation W2600CR ........../W2600CR, BIOS SE5C600.86B.01.08.0003.022620131521 02/26/2013 [ 3006.483027] task: ffff8804102f0040 ti: ffff8804102f8000 task.ti: ffff8804102f8000 [ 3006.491971] RIP: 0010:[] [] __lock_acquire+0xb3/0x19e0 [ 3006.501905] RSP: 0018:ffff8804102fb908 EFLAGS: 00010002 [ 3006.508447] RAX: 6b6b6b6b6b6b6b6b RBX: 0000000000000001 RCX: 0000000000000000 [ 3006.517012] RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff880410b56a40 [ 3006.525569] RBP: ffff8804102fb9b0 R08: 0000000000000001 R09: 0000000000000000 [ 3006.534119] R10: ffff8804102f0040 R11: 0000000000000000 R12: 0000000000000000 [ 3006.542664] R13: ffff880410b56a40 R14: 0000000000000000 R15: 0000000000000000 [ 3006.551203] FS: 00007ff478c08700(0000) GS:ffff88042e200000(0000) knlGS:0000000000000000 [ 3006.560814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3006.567806] CR2: 00007f667f5109e0 CR3: 0000000001c06000 CR4: 00000000000406e0 [ 3006.576352] Stack: [ 3006.579157] ffffffff8124b819 ffffffffffffffff 0000000000000000 ffff8804102fb940 [ 3006.588072] 0000000000000002 0000000000000000 ffff8804102f0040 0000000000000007 [ 3006.596971] 0000000000000006 ffff8803cad6f000 0000000000000000 ffff8804102f0040 [ 3006.605878] Call Trace: [ 3006.609220] [] ? uncharge_batch+0x109/0x250 [ 3006.616382] [] lock_acquire+0xd3/0x220 [ 3006.623056] [] ? hfi1_release_user_pages+0x7c/0xa0 [hfi1] [ 3006.631593] [] down_write+0x49/0x80 [ 3006.638022] [] ? hfi1_release_user_pages+0x7c/0xa0 [hfi1] [ 3006.646569] [] hfi1_release_user_pages+0x7c/0xa0 [hfi1] [ 3006.654898] [] cacheless_tid_rb_remove+0x106/0x330 [hfi1] [ 3006.663417] [] ? mark_held_locks+0x66/0x90 [ 3006.670498] [] ? _raw_spin_unlock_irqrestore+0x36/0x60 [ 3006.678741] [] tid_rb_remove+0xe/0x10 [hfi1] [ 3006.686010] [] hfi1_mmu_rb_unregister+0xc5/0x100 [hfi1] [ 3006.694387] [] hfi1_user_exp_rcv_free+0x39/0x120 [hfi1] [ 3006.702732] [] hfi1_file_close+0x17a/0x330 [hfi1] [ 3006.710489] [] __fput+0xfa/0x230 [ 3006.716595] [] ____fput+0xe/0x10 [ 3006.722696] [] task_work_run+0x86/0xc0 [ 3006.729379] [] do_exit+0x323/0xc40 [ 3006.735672] [] do_group_exit+0x4c/0xc0 [ 3006.742371] [] get_signal+0x345/0x940 [ 3006.748958] [] do_signal+0x37/0x700 [ 3006.755328] [] ? poll_select_set_timeout+0x5a/0x90 [ 3006.763146] [] ? __audit_syscall_exit+0x1db/0x260 [ 3006.770853] [] ? rcu_read_lock_sched_held+0x93/0xa0 [ 3006.778765] [] ? kfree+0x1e4/0x2a0 [ 3006.784986] [] ? exit_to_usermode_loop+0x33/0xac [ 3006.792551] [] exit_to_usermode_loop+0x5e/0xac [ 3006.799907] [] do_syscall_64+0x12a/0x190 [ 3006.806664] [] entry_SYSCALL64_slow_path+0x25/0x25 [ 3006.814396] Code: 24 08 44 89 44 24 10 89 4c 24 18 e8 a8 d8 ff ff 48 85 c0 8b 4c 24 18 44 8b 44 24 10 44 8b 4c 24 08 4c 8b 14 24 0f 84 30 08 00 00 ff 80 98 01 00 00 8b 3d 48 ad be 01 45 8b a2 90 0b 00 00 85 [ 3006.837158] RIP [] __lock_acquire+0xb3/0x19e0 [ 3006.844401] RSP [ 3006.851170] ---[ end trace b7b9f21cf06c27df ]--- [ 3006.927420] Kernel panic - not syncing: Fatal exception [ 3006.933954] Kernel Offset: disabled [ 3006.940961] ---[ end Kernel panic - not syncing: Fatal exception [ 3006.948249] ------------[ cut here ]------------ Fixes: 3faa3d9a308e ("IB/hfi1: Make use of mm consistent") Reviewed-by: Dean Luick Signed-off-by: Ira Weiny Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/file_ops.c | 2 ++ 1 file changed, 2 insertions(+) commit 56c8ca510de2884b2f741e5fd8d3df6161378de6 Author: Mike Marciniszyn Date: Tue Aug 16 13:26:29 2016 -0700 IB/rdmvat: Fix double vfree() in rvt_create_qp() error path The unwind logic for creating a user QP has a double vfree of the non-shared receive queue when handling a "too many qps" failure. The code unwinds the mmmap info by decrementing a reference count which will call rvt_release_mmap_info() which in turn does the vfree() of the r_rq.wq. The unwind code then does the same free. Fix by guarding the vfree() with the same test that is done in close and only do the vfree() if qp->ip is NULL. Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/sw/rdmavt/qp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 08fe16f6192bccd5798e9b60461f7aa151b34cd4 Author: Mitko Haralanov Date: Tue Aug 16 13:26:12 2016 -0700 IB/hfi1: Improve J_KEY generation Previously, J_KEY generation was based on the lower 16 bits of the user's UID. While this works, it was not good enough as a non-root user could collide with a root user given a sufficiently large UID. This patch attempt to improve the J_KEY generation by using the following algorithm: The 16 bit J_KEY space is partitioned into 3 separate spaces reserved for different user classes: * all users with administtor privileges (including 'root') will use J_KEYs in the range of 0 to 31, * all kernel protocols, which use KDETH packets will use J_KEYs in the range of 32 to 63, and * all other users will use J_KEYs in the range of 64 to 65535. The above separation is aimed at preventing different user levels from sending packets to each other and, additionally, separate kernel protocols from all other types of users. The later is meant to prevent the potential corruption of kernel memory by any other type of user. Reviewed-by: Ira Weiny Signed-off-by: Mitko Haralanov Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/hfi.h | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) commit f29a08dc145e05de6a57f0aeaba6020464f80e15 Author: Easwar Hariharan Date: Tue Aug 16 13:25:34 2016 -0700 IB/hfi1: Return invalid field for non-QSFP CableInfo queries The driver does not check if the CableInfo query is supported for the port type. Return early if CableInfo is not supported for the port type, making compliance with the specification explicit and preventing lower level code from potentially doing the wrong thing if the query is not supported for the hardware implementation. Reviewed-by: Ira Weiny Signed-off-by: Easwar Hariharan Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/mad.c | 5 +++++ 1 file changed, 5 insertions(+) commit 701b4bf6e3eeff1a856d6889e1ebb35edd6c019a Author: Leon Romanovsky Date: Tue Aug 16 12:29:46 2016 +0300 MAINTAINERS: Fix Soft RoCE location The Soft RoCE (rxe) is located in drivers/inifiniband/sw and not in drivers/infiniband/hw/. This patch fixes it. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 539d5c48a4aff5a4afcff117418618b49126c54c Author: Hugo Grostabussiat Date: Tue Aug 16 20:34:07 2016 +0200 ARM: sun5i: Fix typo in trip point temperature Set cpu_alert0 temperature to 85°C instead of 850°C. Fixes: 32a5d2d170cc ("ARM: dts: sun5i: Add cpu thermal zones to dtsi") Signed-off-by: Hugo Grostabussiat Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard arch/arm/boot/dts/sun5i-a13.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 86cd747c6dd6cdbc825e36ad5f0029f3c5a37776 Author: Christophe Jaillet Date: Wed Aug 10 17:45:01 2016 +0200 IB/usnic: Fix error return code If 'pci_register_driver' fails, we return 'err' which is known to be 0. Return the error instead. Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/usnic/usnic_ib_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 57bb562ad4651453c9f20d506a65e46e4d11042f Author: Christophe Jaillet Date: Wed Aug 10 07:34:27 2016 +0200 IB/hfi1: Add missing error code assignment before test It is likely that checking the result of 'setup_ctxt' is expected here. Signed-off-by: Christophe JAILLET Acked-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/file_ops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 476d95bd02240894806ebe64f1c4dcf6dbba87f4 Author: Wei Yongjun Date: Wed Aug 10 03:14:04 2016 +0000 IB/hfi1: Using kfree_rcu() to simplify the code The callback function of call_rcu() just calls a kfree(), so we can use kfree_rcu() instead of call_rcu() + callback function. Signed-off-by: Wei Yongjun Tested-by: Mike Marciniszyn Acked-by: Mike Marciniszyn Tested-by: Mike Marciniszyn Acked-by: Mike Marciniszyn Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/hfi.h | 1 - drivers/infiniband/hw/hfi1/init.c | 2 +- drivers/infiniband/hw/hfi1/mad.c | 9 +-------- 3 files changed, 2 insertions(+), 10 deletions(-) commit 69b9f4a4233b6f9ea168c25123b9eb629739d8e5 Author: Mike Marciniszyn Date: Tue Aug 9 11:19:56 2016 -0400 IB/hfi1: Validate header in set_armed_active Validate the etype to insure that the header is correct. Reviewed-by: Don Hiatt Signed-off-by: Mike Marciniszyn Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/driver.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c867caaf8ecd5498d399558d0f11825f175c6cdd Author: Mike Marciniszyn Date: Tue Aug 9 11:19:55 2016 -0400 IB/hfi1: Pass packet ptr to set_armed_active The "packet" parameter was being passed on the stack, change it to a pointer. Reviewed-by: Don Hiatt Signed-off-by: Mike Marciniszyn Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/driver.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 140690eae7626a820ea135f33ff9fe11c1bcee6d Author: Easwar Hariharan Date: Tue Aug 9 11:17:18 2016 -0400 IB/hfi1: Fetch monitor values on-demand for CableInfo query The monitor values from bytes 22 through 81 of the QSFP memory space (SFF 8636) are dynamic and serving them out of the QSFP memory cache maintained by the driver provides stale data to the CableInfo SMA query. This patch refreshes the dynamic values from the QSFP memory on request and overwrites the stale data from the cache for the overlap between the requested range and the monitor range. Reviewed-by: Jubin John Reviewed-by: Ira Weiny Signed-off-by: Easwar Hariharan Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/qsfp.c | 32 ++++++++++++++++++++++++++++++-- drivers/infiniband/hw/hfi1/qsfp.h | 3 +++ 2 files changed, 33 insertions(+), 2 deletions(-) commit c62fb260a86dde3df5b2905432caa0e9f6898434 Author: Mike Marciniszyn Date: Fri Aug 12 11:17:37 2016 -0400 IB/hfi1,IB/qib: Fix qp_stats sleep with rcu read lock held The qp init function does a kzalloc() while holding the RCU lock that encounters the following warning with a debug kernel when a cat of the qp_stats is done: [ 231.723948] rcu_scheduler_active = 1, debug_locks = 0 [ 231.731939] 3 locks held by cat/11355: [ 231.736492] #0: (debugfs_srcu){......}, at: [] debugfs_use_file_start+0x5/0x90 [ 231.746955] #1: (&p->lock){+.+.+.}, at: [] seq_read+0x4c/0x3c0 [ 231.755873] #2: (rcu_read_lock){......}, at: [] _qp_stats_seq_start+0x5/0xd0 [hfi1] [ 231.766862] The init functions do an implicit next which requires the rcu read lock before the kzalloc(). Fix for both drivers is to change the scope of the init function to only do the allocation and the initialization of the just allocated iter. The implict next is moved back into the respective start functions to fix the issue. Signed-off-by: Ira Weiny Signed-off-by: Mike Marciniszyn CC: # 4.6.x- Reviewed-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/debugfs.c | 14 +++++++++----- drivers/infiniband/hw/hfi1/qp.c | 4 ---- drivers/infiniband/hw/qib/qib_debugfs.c | 12 +++++++++--- drivers/infiniband/hw/qib/qib_qp.c | 4 ---- 4 files changed, 18 insertions(+), 16 deletions(-) commit abb658ef0529488cfa75e79a2a9f894cb95eaec3 Author: Wei Yongjun Date: Mon Aug 8 09:49:47 2016 +0000 IB/hfi1: Remove duplicated include from affinity.c Remove duplicated include. Signed-off-by: Wei Yongjun Reviewed-by: Leon Romanovsky Reviewed-by: Ira Weiny Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/affinity.c | 1 - 1 file changed, 1 deletion(-) commit 1d5840c971455ad4ecece3f72012961cac8d0f00 Author: Wei Yongjun Date: Sun Aug 7 12:20:38 2016 +0000 IB/isert: fix error return code in isert_alloc_login_buf() Fix to return error code -ENOMEM from the alloc error handling case instead of 0, as done elsewhere in this function. Signed-off-by: Wei Yongjun Acked-by: Sagi Grimberg Reviewed-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/isert/ib_isert.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 23d70503ee187819a3775c7ac73f17c5bfe3fad0 Author: Wei Yongjun Date: Fri Aug 5 13:46:49 2016 +0000 IB/core: Fix possible memory leak in cma_resolve_iboe_route() 'work' and 'route->path_rec' are malloced in cma_resolve_iboe_route() and should be freed before leaving from the error handling cases, otherwise it will cause memory leak. Fixes: 200298326b27 ('IB/core: Validate route when we init ah') Signed-off-by: Wei Yongjun Reviewed-by: Haggai Eran Signed-off-by: Doug Ledford drivers/infiniband/core/cma.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) commit 8303f683b161467b6595c153c8751b80f9df3508 Author: Tadeusz Struk Date: Wed Aug 3 20:19:32 2016 -0400 IB/hfi1: Allocate cpu mask on the heap to silence warning If CONFIG_FRAME_WARN is small (1K) and CONFIG_NR_CPUS big then a frame size warning is triggered during build. Allocate the cpu mask dynamically to silence the warning. Reviewed-by: Sebastian Sanchez Signed-off-by: Tadeusz Struk Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/affinity.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) commit 5412352fcd8fba7f278ae8c9ba36296716f17ae8 Author: Yuval Shaia Date: Wed Jul 27 01:24:53 2016 -0700 IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one Error code EAGAIN should be used when errors are temporary and next call might succeeds. When error code other than EAGAIN is returned, the caller (mlx4_ib_poll) will assume all CQE in the same bunch are error too and will drop them all. Signed-off-by: Yuval Shaia Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit e6a00f6684c9f348cd782922b4b277c68ab90b63 Author: Yuval Shaia Date: Wed Jul 27 01:24:52 2016 -0700 IB/mlx4: Make function use_tunnel_data return void No need to return int if function always returns 0 Signed-off-by: Yuval Shaia Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 4808f721627c2a23b5d749f9bbd20d4529ea2b8d Author: Hans Verkuil Date: Sat Aug 20 07:54:38 2016 -0300 [media] cec-funcs.h: add missing vendor-specific messages The cec-funcs.h header was missing support for these three vendor-specific messages: CEC_MSG_VENDOR_COMMAND CEC_MSG_VENDOR_COMMAND_WITH_ID CEC_MSG_VENDOR_REMOTE_BUTTON_DOWN Add wrappers for these messages. I originally postponed adding these wrappers due to the fact that the argument is just a byte array which cec-ctl couldn't handle at the time, and then I just forgot to add them once the CEC framework was finalized. It wasn't until an attempt to transmit a vendor specific command was made that I realized that these wrappers were missing. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab include/linux/cec-funcs.h | 69 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) commit 8ac6a1a53e9f195e8c4336a7edfba2e102fc14bb Author: Hans Verkuil Date: Thu Aug 18 04:13:42 2016 -0300 [media] cec-edid: check for IEEE identifier The cec_get_edid_spa_location() function did not verify that the IEEE identifier in the Vendor Specific Data Block matched the HDMI-LLC identifier. This could result in the wrong VSDB block being returned. For example, for HDMI 2.0 EDIDs there is also a HDMI Forum VSDB. So check the IEEE identifier as well. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/cec-edid.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 31f58e31dc0e170e117a83584103921269b7581b Author: Hans Verkuil Date: Fri Aug 12 06:46:06 2016 -0300 [media] pulse8-cec: fix error handling Support more error codes and fix a bug where MSGCODE_TRANSMIT_FAILED_LINE was mapped to CEC_TX_STATUS_ARB_LOST, which is wrong. Thanks to Pulse-Eight for providing me with the information needed to handle this correctly (I hope). Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/pulse8-cec/pulse8-cec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 1e6e97541ab51b65019bd823506af81ebb3730fc Author: Hans Verkuil Date: Fri Aug 12 06:44:27 2016 -0300 [media] pulse8-cec: set correct Signal Free Time Don't hardcode the signal free time to 3 bit periods, instead use the value for the signal free time as passed in by the CEC framework. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/pulse8-cec/pulse8-cec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 73b14977549e4e1214413e7da2d0e97a9947bf8d Author: Hans Verkuil Date: Sun Aug 14 06:45:54 2016 -0300 [media] mtk-vcodec: add HAS_DMA dependency This fixes this kbuild test robot error: tree: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master head: 329f4152911c276b074bec75a0443f88821afdb7 commit: c1023ba74fc77dc56dc317bd98f5060aab889ac1 [media] drivers/media/platform/Kconfig: fix VIDEO_MEDIATEK_VCODEC dependency config: m32r-allyesconfig (attached as .config) compiler: m32r-linux-gcc (GCC) 4.9.0 reproduce: wget https://git.kernel.org/cgit/linux/kernel/git/wfg/lkp-tests.git/plain/sbin/make.cross -O ~/bin/make.cross chmod +x ~/bin/make.cross git checkout c1023ba74fc77dc56dc317bd98f5060aab889ac1 # save the attached .config to linux build tree make.cross ARCH=m32r All errors (new ones prefixed by >>): drivers/media/v4l2-core/videobuf2-dma-contig.c: In function 'vb2_dc_get_userptr': >> >> drivers/media/v4l2-core/videobuf2-dma-contig.c:486:2: error: implicit declaration of function 'dma_get_cache_alignment' [-Werror=implicit-function-declaration] unsigned long dma_align = dma_get_cache_alignment(); ^ cc1: some warnings being treated as errors This driver depends on HAS_DMA for dma_get_cache_alignment(). Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3e92d8b238e48dfb539e8112bb2cc463e35e1b71 Author: Hans Verkuil Date: Fri Aug 12 13:32:07 2016 -0300 [media] cec: ignore messages when log_addr_mask == 0 Most CEC adapters will still receive broadcast messages, even if no logical addresses are claimed. But those messages should only be passed on for monitoring purposes, but not for processing by either kernel or userspace if userspace didn't call CEC_ADAP_S_LOG_ADDRS first. So if adap->log_addrs.log_addr_mask is 0, then just return before passing the received message on to the processing code. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-adap.c | 3 +++ 1 file changed, 3 insertions(+) commit 260ff1144a9dd1afb85cf5da462672d68412cbc4 Author: Hans Verkuil Date: Tue Jul 19 08:44:32 2016 -0300 [media] cec: add item to TODO Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/TODO | 1 + 1 file changed, 1 insertion(+) commit 0c1d61b0e4ed68d125b21fed375c38b6e3c2a658 Author: Hans Verkuil Date: Sun Aug 14 08:27:09 2016 -0300 [media] cec: set unclaimed addresses to CEC_LOG_ADDR_INVALID Up to 4 logical addresses can be claimed. Make sure that any unclaimed logical addresses are set to CEC_LOG_ADDR_INVALID as per the documentation. Take special care in the unregistered case: when falling back to unregistered num_log_addrs may be > 1, so mark those as invalid. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-adap.c | 4 ++++ 1 file changed, 4 insertions(+) commit dcceb1eaf210096831b14471bc87678375b086ed Author: Hans Verkuil Date: Wed Aug 10 09:24:45 2016 -0300 [media] cec: add CEC_LOG_ADDRS_FL_ALLOW_UNREG_FALLBACK flag Currently if none of the requested logical addresses can be claimed, the framework will fall back to the Unregistered logical address. Add a flag to enable this explicitly. By default it will just go back to the unconfigured state. Usually Unregistered is not something you want since the functionality is very limited. Unless the application has support for this, it will fail to work correctly. So require that the application explicitly requests this. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab .../media/uapi/cec/cec-ioc-adap-g-log-addrs.rst | 21 ++++++++++++++++++++- drivers/staging/media/cec/cec-adap.c | 4 ++++ drivers/staging/media/cec/cec-api.c | 2 +- include/linux/cec.h | 5 ++++- 4 files changed, 29 insertions(+), 3 deletions(-) commit 2564970a381651865364974ea414384b569cb9c0 Author: Paul Burton Date: Fri Aug 19 18:07:15 2016 +0100 irqchip/mips-gic: Implement activate op for device domain If an IRQ is setup using __setup_irq(), which is used by the request_irq() family of functions, and we are using an SMP kernel then the affinity of the IRQ will be set via setup_affinity() immediately after the IRQ is enabled. This call to gic_set_affinity() will lead to the interrupt being mapped to a VPE. However there are other ways to use IRQs which don't cause affinity to be set, for example if it is used to chain to another IRQ controller with irq_set_chained_handler_and_data(). The irq_set_chained_handler_and_data() code path will enable the IRQ, but will not trigger a call to gic_set_affinity() and in this case nothing will map the interrupt to a VPE, meaning that the interrupt is never received. Fix this by implementing the activate operation for the GIC device IRQ domain, using gic_shared_irq_domain_map() to map the interrupt to the correct pin of cpu 0. Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Jason Cooper Cc: Marc Zyngier Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20160819170715.27820-2-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-mips-gic.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 6a33fa2b87513fee44cb8f0cd17b1acd6316bc6b Author: Paul Burton Date: Fri Aug 19 18:07:14 2016 +0100 irqchip/mips-gic: Cleanup chip and handler setup gic_shared_irq_domain_map() is called from gic_irq_domain_alloc() where the wrong chip has been set, and is then overwritten. Tidy this up by setting the correct chip the first time, and setting the handle_level_irq handler from gic_irq_domain_alloc() too. gic_shared_irq_domain_map() is also called from gic_irq_domain_map(), which now calls irq_set_chip_and_handler() to retain its previous behaviour. This patch prepares for a follow-on which will call gic_shared_irq_domain_map() from a callback where the lock on the struct irq_desc is held, which without this change would cause the call to irq_set_chip_and_handler() to lead to a deadlock. Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Jason Cooper Cc: Marc Zyngier Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20160819170715.27820-1-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-mips-gic.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) commit 209c721ce27022656a9d792b89572c4fdd7d31a7 Author: Wei Yongjun Date: Sun Aug 21 15:37:16 2016 +0000 ASoC: max98371: Add terminate entry for i2c_device_id tables Make sure i2c_device_id tables are NULL terminated. Signed-off-by: Wei Yongjun Signed-off-by: Mark Brown sound/soc/codecs/max98371.c | 1 + 1 file changed, 1 insertion(+) commit 277f963cea4ec87144c6713377322fe3bf172a5e Author: Hans Verkuil Date: Wed Aug 10 06:00:53 2016 -0300 [media] cec: improve dqevent documentation The documentation for the cec_event_state_change struct was incomplete. This patch documents what happens in the corner cases. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Documentation/media/uapi/cec/cec-ioc-dqevent.rst | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 31dc8b7302f1e48952ec8e90cd49dca843146cd0 Author: Hans Verkuil Date: Wed Aug 10 08:01:38 2016 -0300 [media] cec-funcs.h: add reply argument for Record On/Off A reply parameter is added to the cec_msg_record_on/off functions in cec-funcs.h. The standard mandates that Record Status shall be replied to Record On, and it may be replied to Record Off. Signed-off-by: Johan Fjeldtvedt Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab include/linux/cec-funcs.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 9ebf1945d757433a089ab3ee940673503e3e11ec Author: Hans Verkuil Date: Mon Aug 1 07:29:34 2016 -0300 [media] cec-funcs.h: fix typo: && should be & Fix typo where logical AND was used instead of bitwise AND. Reported-by: David Binderman Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab include/linux/cec-funcs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 2ab25d35a91098ef0f42d478cc37f6a5591a4ab0 Author: Hans Verkuil Date: Tue Aug 2 08:13:57 2016 -0300 [media] cec: improve locking - The global lock was used in cec_get_device when it should have used the devnode lock. - cec_put_device also took the global lock, but since the release function takes that lock as well this could lead to a deadlock. Just don't take the lock here since there is no reason for it. - cec_devnode_register() should take the global lock when clearing the bit in the global bitmap. - In cec_devnode_unregister() place the devnode->(un)register tests and assignments under the devnode lock as well: this has to be in a critical block. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-core.c | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) commit 62148f0930a8e9bd5c5614f8387222f0220d7d47 Author: Hans Verkuil Date: Tue Aug 2 08:11:00 2016 -0300 [media] cec: rename cec_devnode fhs_lock to just lock This lock will be used to protect more than just the fhs list. So rename it to just 'lock'. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-adap.c | 12 ++++++------ drivers/staging/media/cec/cec-api.c | 8 ++++---- drivers/staging/media/cec/cec-core.c | 6 +++--- include/media/cec.h | 2 +- 4 files changed, 14 insertions(+), 14 deletions(-) commit 7711aaf08ad3fc4d0e937eec1de0a63620444ce7 Author: Felix Fietkau Date: Fri Aug 19 13:37:46 2016 +0300 ath9k: fix using sta->drv_priv before initializing it A station pointer can be passed to the driver on tx, before it has been marked as associated. Since ath9k_sta_state was initializing the entry too late, it resulted in some spurious crashes. Fixes: df3c6eb34da5 ("ath9k: Use sta_state() callback") Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/main.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 05860bed491b114a9f2d7a4f6e09fb02c0b69056 Author: Felix Fietkau Date: Fri Aug 19 13:37:38 2016 +0300 ath9k: fix client mode beacon configuration For pure station mode, iter_data.primary_beacon_vif was used and passed to ath_beacon_config, but not set to the station vif. This was causing the following warning: [ 100.310919] ------------[ cut here ]------------ [ 100.315683] WARNING: CPU: 0 PID: 7 at compat-wireless-2016-06-20/drivers/net/wireless/ath/ath9k/beacon.c:642 ath9k_calculate_summary_state+0x250/0x60c [ath9k]() [ 100.402028] CPU: 0 PID: 7 Comm: kworker/u2:1 Tainted: G W 4.4.15 #5 [ 100.409676] Workqueue: phy0 ieee80211_ibss_leave [mac80211] [ 100.415351] Stack : 8736e98c 870b4b20 87a25b54 800a6800 8782a080 80400d63 8039b96c 00000007 [ 100.415351] 803c5edc 87875914 80400000 800a47cc 87a25b54 800a6800 803a0fd8 80400000 [ 100.415351] 00000003 87875914 80400000 80094ae0 87a25b54 8787594c 00000000 801ef308 [ 100.415351] 803ffe70 801ef300 87193d58 87b3a400 87b3ad00 70687930 00000000 00000000 [ 100.415351] 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 100.415351] ... [ 100.451703] Call Trace: [ 100.454235] [<800a6800>] vprintk_default+0x24/0x30 [ 100.459110] [<800a47cc>] printk+0x2c/0x38 [ 100.463190] [<800a6800>] vprintk_default+0x24/0x30 [ 100.468072] [<80094ae0>] print_worker_info+0x148/0x174 [ 100.473378] [<801ef308>] serial8250_console_putchar+0x0/0x44 [ 100.479122] [<801ef300>] wait_for_xmitr+0xc4/0xcc [ 100.484014] [<87193d58>] ieee80211_ibss_leave+0xb90/0x1900 [mac80211] [ 100.490590] [<80081604>] warn_slowpath_common+0xa0/0xd0 [ 100.495922] [<801a359c>] dump_stack+0x14/0x28 [ 100.500350] [<80071a00>] show_stack+0x50/0x84 [ 100.504784] [<80081604>] warn_slowpath_common+0xa0/0xd0 [ 100.510106] [<87024c60>] ath9k_calculate_summary_state+0x250/0x60c [ath9k] [ 100.517105] [<800816b8>] warn_slowpath_null+0x18/0x24 [ 100.522256] [<87024c60>] ath9k_calculate_summary_state+0x250/0x60c [ath9k] [ 100.529273] [<87025418>] ath9k_set_txpower+0x148/0x498 [ath9k] [ 100.535302] [<871d2c64>] cleanup_module+0xa74/0xd4c [mac80211] [ 100.541237] [<801ef308>] serial8250_console_putchar+0x0/0x44 [ 100.547042] [<800a5d18>] wake_up_klogd+0x54/0x68 [ 100.551730] [<800a6650>] vprintk_emit+0x404/0x43c [ 100.556623] [<871b9db8>] ieee80211_sta_rx_notify+0x258/0x32c [mac80211] [ 100.563475] [<871ba6a4>] ieee80211_sta_rx_queued_mgmt+0x63c/0x734 [mac80211] [ 100.570693] [<871aa49c>] ieee80211_tx_prepare_skb+0x210/0x230 [mac80211] [ 100.577609] [<800af5d4>] mod_timer+0x15c/0x190 [ 100.582220] [<871ba8b8>] ieee80211_sta_work+0xfc/0xe1c [mac80211] [ 100.588539] [<871940b4>] ieee80211_ibss_leave+0xeec/0x1900 [mac80211] [ 100.595122] [<8009ec84>] dequeue_task_fair+0x44/0x130 [ 100.600281] [<80092a34>] process_one_work+0x1f8/0x334 [ 100.605454] [<80093830>] worker_thread+0x2b4/0x408 [ 100.610317] [<8009357c>] worker_thread+0x0/0x408 [ 100.615019] [<8009357c>] worker_thread+0x0/0x408 [ 100.619705] [<80097b68>] kthread+0xdc/0xe8 [ 100.623886] [<80097a8c>] kthread+0x0/0xe8 [ 100.627961] [<80060878>] ret_from_kernel_thread+0x14/0x1c [ 100.633448] [ 100.634956] ---[ end trace aafbe57e9ae6862f ]--- Fixes: cfda2d8e2314 ("ath9k: Fix beacon configuration for addition/removal of interfaces") Signed-off-by: Felix Fietkau Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/main.c | 1 + 1 file changed, 1 insertion(+) commit e9e5e3fae8da7e237049e00e0bfc9e32fd808fe8 Author: Vegard Nossum Date: Mon Aug 22 12:47:43 2016 +0200 bdev: fix NULL pointer dereference I got this: kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) CPU: 0 PID: 5505 Comm: syz-executor Not tainted 4.8.0-rc2+ #161 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff880113415940 task.stack: ffff880118350000 RIP: 0010:[] [] bd_mount+0x52/0xa0 RSP: 0018:ffff880118357ca0 EFLAGS: 00010207 RAX: dffffc0000000000 RBX: ffffffffffffffff RCX: ffffc90000bb6000 RDX: 0000000000000018 RSI: ffffffff846d6b20 RDI: 00000000000000c7 RBP: ffff880118357cb0 R08: ffff880115967c68 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801188211e8 R13: ffffffff847baa20 R14: ffff8801139cb000 R15: 0000000000000080 FS: 00007fa3ff6c0700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc1d8cc7e78 CR3: 0000000109f20000 CR4: 00000000000006f0 DR0: 000000000000001e DR1: 000000000000001e DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600 Stack: ffff880112cfd6c0 ffff8801188211e8 ffff880118357cf0 ffffffff8167f207 ffffffff816d7a1e ffff880112a413c0 ffffffff847baa20 ffff8801188211e8 0000000000000080 ffff880112cfd6c0 ffff880118357d38 ffffffff816dce0a Call Trace: [] mount_fs+0x97/0x2e0 [] ? alloc_vfsmnt+0x55e/0x760 [] vfs_kern_mount+0x7a/0x300 [] ? _raw_read_unlock+0x2c/0x50 [] do_mount+0x3d7/0x2730 [] ? trace_do_page_fault+0x1f4/0x3a0 [] ? copy_mount_string+0x40/0x40 [] ? memset+0x31/0x40 [] ? copy_mount_options+0x1ee/0x320 [] SyS_mount+0xb2/0x120 [] ? copy_mnt_ns+0x970/0x970 [] do_syscall_64+0x1c4/0x4e0 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: 83 e8 63 1b fc ff 48 85 c0 48 89 c3 74 4c e8 56 35 d1 ff 48 8d bb c8 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 75 36 4c 8b a3 c8 00 00 00 48 b8 00 00 00 00 00 fc RIP [] bd_mount+0x52/0xa0 RSP ---[ end trace 13690ad962168b98 ]--- mount_pseudo() returns ERR_PTR(), not NULL, on error. Fixes: 3684aa7099e0 ("block-dev: enable writeback cgroup support") Cc: Shaohua Li Cc: Tejun Heo Cc: Jens Axboe Cc: stable@vger.kernel.org Signed-off-by: Vegard Nossum Signed-off-by: Jens Axboe fs/block_dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bcb48cca23ec9852739e4a464307fa29515bbe48 Author: Mika Westerberg Date: Mon Aug 22 14:42:52 2016 +0300 pinctrl: cherryview: Do not mask all interrupts in probe The Cherryview GPIO controller has 8 or 16 wires connected to the I/O-APIC which can be used directly by the platform/BIOS or drivers. One such wire is used as SCI (System Control Interrupt) which ACPI depends on to be able to trigger GPEs (General Purpose Events). The pinctrl driver itself uses another IRQ resource which is wire OR of all the 8 (or 16) wires and follows what BIOS has programmed to the IntSel register of each pin. Currently the driver masks all interrupts at probe time and this prevents these direct interrupts from working as expected. The reason for this is that some early stage prototypes had some pins misconfigured causing lots of spurious interrupts. We fix this by leaving the interrupt mask untouched. This allows SCI and other direct interrupts work properly. What comes to the possible spurious interrupts we switch the default handler to be handle_bad_irq() instead of handle_simple_irq() (which was not correct anyway). Reported-by: Yu C Chen Reported-by: Anisse Astier Signed-off-by: Mika Westerberg Signed-off-by: Linus Walleij drivers/pinctrl/intel/pinctrl-cherryview.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit a32ac2912f97d7ea9b67eb67bb4aa30b9156a88e Author: James Hartley Date: Fri Aug 19 12:03:23 2016 +0100 pinctrl: pistachio: fix mfio pll_lock pinmux A previous patch attempted to fix the pinmuxes for mfio 84 - 89, but it omitted a change to pistachio_pin_group pistachio_groups, which results in incorrect pll_lock signals being routed. Apply the correct mux settings throughout the driver. fixes: cefc03e5995e ("pinctrl: Add Pistachio SoC pin control driver") fixes: e9adb336d0bf ("pinctrl: pistachio: fix mfio84-89 function description and pinmux.") Cc: # 4.4.x- Signed-off-by: James Hartley Reviewed-by: Sifan Naeem Signed-off-by: Linus Walleij drivers/pinctrl/pinctrl-pistachio.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 177d91aaea4bcafb29232336bafaa521b85286aa Author: Maarten Lankhorst Date: Mon Aug 15 15:09:27 2016 +0200 drm/i915: Fix botched merge that downgrades CSR versions. Merge commit 5e580523d9128a4d8 reverts the version bumping parts of commit 4aa7fb9c3c4fa0. Bump the versions again and request the specific firmware version. The currently recommended versions are: SKL 1.26, KBL 1.01 and BXT 1.07. Cc: Patrik Jakobsson Cc: Imre Deak Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97242 Cc: drm-intel-fixes@lists.freedesktop.org Fixes: 5e580523d912 ("Backmerge tag 'v4.7' into drm-next") Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1471266567-22443-1-git-send-email-maarten.lankhorst@linux.intel.com Reviewed-by: Imre Deak (cherry picked from commit 536ab3ca19ef856e84389a155c5832c68559a28a) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_csr.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 762c60ab0257d25eea8db3e3fec85ed53b5330fe Author: Lyude Date: Wed Aug 17 15:55:57 2016 -0400 drm/i915/skl: Ensure pipes with changed wms get added to the state If we're enabling a pipe, we'll need to modify the watermarks on all active planes. Since those planes won't be added to the state on their own, we need to add them ourselves. Signed-off-by: Lyude Reviewed-by: Matt Roper Cc: stable@vger.kernel.org Cc: Ville Syrjälä Cc: Daniel Vetter Cc: Radhakrishna Sripada Cc: Hans de Goede Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1471463761-26796-6-git-send-email-cpaul@redhat.com (cherry picked from commit 05a76d3d6ad1ee9f9814f88949cc9305fc165460) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 4 ++++ 1 file changed, 4 insertions(+) commit 9909113cc48a7ce6e772573e3cc82a3f03ffa8ef Author: Matt Roper Date: Wed Aug 17 15:55:55 2016 -0400 drm/i915/gen9: Only copy WM results for changed pipes to skl_hw When we write watermark values to the hardware, those values are stored in dev_priv->wm.skl_hw. However with recent watermark changes, the results structure we're copying from only contains valid watermark and DDB values for the pipes that are actually changing; the values for other pipes remain 0. Thus a blind copy of the entire skl_wm_values structure will clobber the values for unchanged pipes...we need to be more selective and only copy over the values for the changing pipes. This mistake was hidden until recently due to another bug that caused us to erroneously re-calculate watermarks for all active pipes rather than changing pipes. Only when that bug was fixed was the impact of this bug discovered (e.g., modesets failing with "Requested display configuration exceeds system watermark limitations" messages and leaving watermarks non-functional, even ones initiated by intel_fbdev_restore_mode). Changes since v1: - Add a function for copying a pipe's wm values (skl_copy_wm_for_pipe()) so we can reuse this later Fixes: 734fa01f3a17 ("drm/i915/gen9: Calculate watermarks during atomic 'check' (v2)") Fixes: 9b6130227495 ("drm/i915/gen9: Re-allocate DDB only for changed pipes") Signed-off-by: Matt Roper Signed-off-by: Lyude Reviewed-by: Matt Roper Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Cc: Ville Syrjälä Cc: Daniel Vetter Cc: Radhakrishna Sripada Cc: Hans de Goede Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1471463761-26796-4-git-send-email-cpaul@redhat.com (cherry picked from commit 2722efb90b3420dee54b4cb3cdc7917efacc2dce) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) commit f403372658fc7b652a77885a4141e58e57d9c75a Author: Lyude Date: Wed Aug 17 15:55:54 2016 -0400 drm/i915/skl: Add support for the SAGV, fix underrun hangs Since the watermark calculations for Skylake are still broken, we're apt to hitting underruns very easily under multi-monitor configurations. While it would be lovely if this was fixed, it's not. Another problem that's been coming from this however, is the mysterious issue of underruns causing full system hangs. An easy way to reproduce this with a skylake system: - Get a laptop with a skylake GPU, and hook up two external monitors to it - Move the cursor from the built-in LCD to one of the external displays as quickly as you can - You'll get a few pipe underruns, and eventually the entire system will just freeze. After doing a lot of investigation and reading through the bspec, I found the existence of the SAGV, which is responsible for adjusting the system agent voltage and clock frequencies depending on how much power we need. According to the bspec: "The display engine access to system memory is blocked during the adjustment time. SAGV defaults to enabled. Software must use the GT-driver pcode mailbox to disable SAGV when the display engine is not able to tolerate the blocking time." The rest of the bspec goes on to explain that software can simply leave the SAGV enabled, and disable it when we use interlaced pipes/have more then one pipe active. Sure enough, with this patchset the system hangs resulting from pipe underruns on Skylake have completely vanished on my T460s. Additionally, the bspec mentions turning off the SAGV with more then one pipe enabled as a workaround for display underruns. While this patch doesn't entirely fix that, it looks like it does improve the situation a little bit so it's likely this is going to be required to make watermarks on Skylake fully functional. This will still need additional work in the future: we shouldn't be enabling the SAGV if any of the currently enabled planes can't enable WM levels that introduce latencies >= 30 µs. Changes since v11: - Add skl_can_enable_sagv() - Make sure we don't enable SAGV when not all planes can enable watermarks >= the SAGV engine block time. I was originally going to save this for later, but I recently managed to run into a machine that was having problems with a single pipe configuration + SAGV. - Make comparisons to I915_SKL_SAGV_NOT_CONTROLLED explicit - Change I915_SAGV_DYNAMIC_FREQ to I915_SAGV_ENABLE - Move printks outside of mutexes - Don't print error messages twice Changes since v10: - Apparently sandybridge_pcode_read actually writes values and reads them back, despite it's misleading function name. This means we've been doing this mostly wrong and have been writing garbage to the SAGV control. Because of this, we no longer attempt to read the SAGV status during initialization (since there are no helpers for this). - mlankhorst noticed that this patch was breaking on some very early pre-release Skylake machines, which apparently don't allow you to disable the SAGV. To prevent machines from failing tests due to SAGV errors, if the first time we try to control the SAGV results in the mailbox indicating an invalid command, we just disable future attempts to control the SAGV state by setting dev_priv->skl_sagv_status to I915_SKL_SAGV_NOT_CONTROLLED and make a note of it in dmesg. - Move mutex_unlock() a little higher in skl_enable_sagv(). This doesn't actually fix anything, but lets us release the lock a little sooner since we're finished with it. Changes since v9: - Only enable/disable sagv on Skylake Changes since v8: - Add intel_state->modeset guard to the conditional for skl_enable_sagv() Changes since v7: - Remove GEN9_SAGV_LOW_FREQ, replace with GEN9_SAGV_IS_ENABLED (that's all we use it for anyway) - Use GEN9_SAGV_IS_ENABLED instead of 0x1 for clarification - Fix a styling error that snuck past me Changes since v6: - Protect skl_enable_sagv() with intel_state->modeset conditional in intel_atomic_commit_tail() Changes since v5: - Don't use is_power_of_2. Makes things confusing - Don't use the old state to figure out whether or not to enable/disable the sagv, use the new one - Split the loop in skl_disable_sagv into it's own function - Move skl_sagv_enable/disable() calls into intel_atomic_commit_tail() Changes since v4: - Use is_power_of_2 against active_crtcs to check whether we have > 1 pipe enabled - Fix skl_sagv_get_hw_state(): (temp & 0x1) indicates disabled, 0x0 enabled - Call skl_sagv_enable/disable() from pre/post-plane updates Changes since v3: - Use time_before() to compare timeout to jiffies Changes since v2: - Really apply minor style nitpicks to patch this time Changes since v1: - Added comments about this probably being one of the requirements to fixing Skylake's watermark issues - Minor style nitpicks from Matt Roper - Disable these functions on Broxton, since it doesn't have an SAGV Signed-off-by: Lyude Cc: Matt Roper Cc: Maarten Lankhorst Cc: Daniel Vetter Cc: Ville Syrjälä Cc: stable@vger.kernel.org Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1471463761-26796-3-git-send-email-cpaul@redhat.com [mlankhorst: ENOSYS -> ENXIO, whitespace fixes] (cherry picked from commit 656d1b89e5ffb83036ab0e2a24be7558f34365c7) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.h | 7 ++ drivers/gpu/drm/i915/i915_reg.h | 4 + drivers/gpu/drm/i915/intel_display.c | 11 +++ drivers/gpu/drm/i915/intel_drv.h | 3 + drivers/gpu/drm/i915/intel_pm.c | 148 +++++++++++++++++++++++++++++++++++ 5 files changed, 173 insertions(+) commit 5bc6abe7674d9cf41dbcdaaf98a19184da181439 Author: Lyude Date: Wed Aug 17 15:55:53 2016 -0400 drm/i915/gen6+: Interpret mailbox error flags In order to add proper support for the SAGV, we need to be able to know what the cause of a failure to change the SAGV through the pcode mailbox was. The reasoning for this is that some very early pre-release Skylake machines don't actually allow you to control the SAGV on them, and indicate an invalid mailbox command was sent. This also might come in handy in the future for debugging. Changes since v1: - Add functions for interpreting gen6 mailbox error codes along with gen7+ error codes, and actually interpret those codes properly - Renamed patch to reflect new behavior Signed-off-by: Lyude Cc: Matt Roper Cc: Maarten Lankhorst Cc: Daniel Vetter Cc: Ville Syrjälä Cc: stable@vger.kernel.org Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1471463761-26796-2-git-send-email-cpaul@redhat.com [mlankhorst: -ENOSYS -> -ENXIO for checkpatch] (cherry picked from commit 87660502f1a4d51fb043e89a45d30c9917787c22) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_reg.h | 9 ++++++ drivers/gpu/drm/i915/intel_pm.c | 71 ++++++++++++++++++++++++++++++++++++++++- 2 files changed, 79 insertions(+), 1 deletion(-) commit 0184c2fff11705d0041c61356c57eac2e033c686 Author: Dave Gordon Date: Fri Aug 19 15:23:42 2016 +0100 drm/i915: Reattach comment, complete type specification In the recent patch bc3d674 drm/i915: Allow userspace to request no-error-capture upon ... the final version moved the flags and the associated #defines around so they were adjacent; unfortunately, they ended up between a comment and the thing (hw_id) to which the comment applies :( So this patch reshuffles the comment and subject back together. Also, as we're touching 'hw_id', let's change it from just 'unsigned' to a fully-specified 'unsigned int', because some code checking tools (including checkpatch) object to plain 'unsigned'. Fixes: bc3d674462e5 ("drm/i915: Allow userspace to request no-error-capture...") Signed-off-by: Dave Gordon Cc: Chris Wilson Link: http://patchwork.freedesktop.org/patch/msgid/1471616622-6919-1-git-send-email-david.s.gordon@intel.com Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson (cherry picked from commit 0be81156b3fb4d4e8e2c94177e5222dc21c3ff10) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit dcd79934b0dd803fdb29216fbd6f4a899a66f466 Author: Chris Wilson Date: Thu Aug 18 17:16:40 2016 +0100 drm/i915: Unconditionally flush any chipset buffers before execbuf If userspace is asynchronously streaming into the batch or other execobjects, we may not flush those writes along with a change in cache domain (as there is no change). Therefore those writes may end up in internal chipset buffers and not visible to the GPU upon execution. We must issue a flush command or otherwise we encounter incoherency in the batchbuffers and the GPU executing invalid commands (i.e. hanging) quite regularly. v2: Throw a paranoid wmb() into the general flush so that we remain consistent with before. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=90841 Fixes: 1816f9236303 ("drm/i915: Support creation of unbound wc user...") Signed-off-by: Chris Wilson Cc: Akash Goel Cc: Daniel Vetter Cc: Tvrtko Ursulin Tested-by: Matti Hämäläinen Cc: stable@vger.kernel.org Reviewed-by: Mika Kuoppala Link: http://patchwork.freedesktop.org/patch/msgid/20160818161718.27187-1-chris@chris-wilson.co.uk (cherry picked from commit 600f436801deae65e48404847b61c89b4944e355) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.h | 1 + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 13 +++---------- 2 files changed, 4 insertions(+), 10 deletions(-) commit c7aca235aa60d1432c95b752812d359d0dbece4f Author: Matt Roper Date: Fri Jun 17 13:42:20 2016 -0700 drm/i915/gen9: Drop invalid WARN() during data rate calculation It's possible to have a non-zero plane mask and still wind up with a total data rate of zero. There are two cases where this can happen: * planes are active (from the KMS point of view), but are all fully clipped (positioned offscreen) * the only active plane on a CRTC is the cursor (which is handled independently and not counted into the general data rate computations These are both valid display setups (although unusual), so we need to drop the WARN(). Signed-off-by: Matt Roper Reviewed-by: Maarten Lankhorst Testcase: kms_universal_planes.cursor-only-pipe-* Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1466196140-16336-4-git-send-email-matthew.d.roper@intel.com Cc: stable@vger.kernel.org #v4.7+ (cherry picked from commit 43aa7e87507f519b0b2497b6fac1e894554eaef2) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 2 -- 1 file changed, 2 deletions(-) commit f4750a46a0dee58f7a65b438b28a092669b609aa Author: Matt Roper Date: Fri Jun 17 13:42:18 2016 -0700 drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2) intel_state->active_crtcs is usually only initialized when doing a modeset. During our first atomic commit after boot, we're effectively faking a modeset to sanitize the DDB/wm setup, so ensure that this field gets initialized before use. v2: - Don't clobber active_crtcs if our first commit really is a modeset (Maarten) - Grab connection_mutex when faking a modeset during sanitization (Maarten) Reported-by: Tvrtko Ursulin Cc: Tvrtko Ursulin Cc: Maarten Lankhorst Signed-off-by: Matt Roper Tested-by: Tvrtko Ursulin Signed-off-by: Maarten Lankhorst Link: http://patchwork.freedesktop.org/patch/msgid/1466196140-16336-2-git-send-email-matthew.d.roper@intel.com Cc: stable@vger.kernel.org #v4.7+ (cherry picked from commit 1b54a880b250acc226b13cea221b90aa1b3e37dd) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) commit 4df36185bb364f9727d1c0816acac3b9a5ae2603 Merge: fa8410b 5bc0a11 Author: Joerg Roedel Date: Mon Aug 22 12:33:56 2016 +0200 Merge branch 'for-joerg/arm-smmu/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/will/linux into iommu/fixes commit b027d11263836a0cd335520175257dcb99b43757 Author: Andrej Krutak Date: Thu Aug 18 23:52:12 2016 +0200 ALSA: line6: Fix POD sysfs attributes segfault The commit 02fc76f6a changed base of the sysfs attributes from device to card. The "show" callbacks dereferenced wrong objects because of this. Fixes: 02fc76f6a7db ('ALSA: line6: Create sysfs via snd_card_add_dev_attr()') Cc: # v4.0+ Reviewed-by: Stefan Hajnoczi Signed-off-by: Andrej Krutak Signed-off-by: Takashi Iwai sound/usb/line6/pod.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit adc8a43a6d6688272ebffa81789fa857e603dec6 Author: Andrej Krutak Date: Thu Aug 18 23:52:11 2016 +0200 ALSA: line6: Give up on the lock while URBs are released. Done, because line6_stream_stop() locks and calls line6_unlink_audio_urbs(), which in turn invokes audio_out_callback(), which tries to lock 2nd time. Fixes: ============================================= [ INFO: possible recursive locking detected ] 4.4.15+ #15 Not tainted --------------------------------------------- mplayer/3591 is trying to acquire lock: (&(&line6pcm->out.lock)->rlock){-.-...}, at: [] audio_out_callback+0x70/0x110 [snd_usb_line6] but task is already holding lock: (&(&line6pcm->out.lock)->rlock){-.-...}, at: [] line6_stream_stop+0x24/0x5c [snd_usb_line6] other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&(&line6pcm->out.lock)->rlock); lock(&(&line6pcm->out.lock)->rlock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by mplayer/3591: #0: (snd_pcm_link_rwlock){.-.-..}, at: [] snd_pcm_stream_lock+0x1e/0x40 [snd_pcm] #1: (&(&substream->self_group.lock)->rlock){-.-...}, at: [] snd_pcm_stream_lock+0x26/0x40 [snd_pcm] #2: (&(&line6pcm->out.lock)->rlock){-.-...}, at: [] line6_stream_stop+0x24/0x5c [snd_usb_line6] stack backtrace: CPU: 0 PID: 3591 Comm: mplayer Not tainted 4.4.15+ #15 Hardware name: Generic AM33XX (Flattened Device Tree) [] (unwind_backtrace) from [] (show_stack+0x11/0x14) [] (show_stack) from [] (dump_stack+0x8b/0xac) [] (dump_stack) from [] (__lock_acquire+0xc8b/0x1780) [] (__lock_acquire) from [] (lock_acquire+0x99/0x1c0) [] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x3f/0x4c) [] (_raw_spin_lock_irqsave) from [] (audio_out_callback+0x70/0x110 [snd_usb_line6]) [] (audio_out_callback [snd_usb_line6]) from [] (__usb_hcd_giveback_urb+0x53/0xd0) [] (__usb_hcd_giveback_urb) from [] (musb_giveback+0x3d/0x98) [] (musb_giveback) from [] (musb_urb_dequeue+0x6d/0x114) [] (musb_urb_dequeue) from [] (usb_hcd_unlink_urb+0x39/0x98) [] (usb_hcd_unlink_urb) from [] (line6_unlink_audio_urbs+0x6a/0x6c [snd_usb_line6]) [] (line6_unlink_audio_urbs [snd_usb_line6]) from [] (line6_stream_stop+0x42/0x5c [snd_usb_line6]) [] (line6_stream_stop [snd_usb_line6]) from [] (snd_line6_trigger+0xb6/0xf4 [snd_usb_line6]) [] (snd_line6_trigger [snd_usb_line6]) from [] (snd_pcm_do_stop+0x36/0x38 [snd_pcm]) [] (snd_pcm_do_stop [snd_pcm]) from [] (snd_pcm_action_single+0x22/0x40 [snd_pcm]) [] (snd_pcm_action_single [snd_pcm]) from [] (snd_pcm_action+0xac/0xb0 [snd_pcm]) [] (snd_pcm_action [snd_pcm]) from [] (snd_pcm_drop+0x38/0x64 [snd_pcm]) [] (snd_pcm_drop [snd_pcm]) from [] (snd_pcm_common_ioctl1+0x7fe/0xbe8 [snd_pcm]) [] (snd_pcm_common_ioctl1 [snd_pcm]) from [] (snd_pcm_playback_ioctl1+0x15c/0x51c [snd_pcm]) [] (snd_pcm_playback_ioctl1 [snd_pcm]) from [] (snd_pcm_playback_ioctl+0x20/0x28 [snd_pcm]) [] (snd_pcm_playback_ioctl [snd_pcm]) from [] (do_vfs_ioctl+0x3af/0x5c8) Fixes: 63e20df1e5b2 ('ALSA: line6: Reorganize PCM stream handling') Cc: # v4.0+ Reviewed-by: Stefan Hajnoczi Signed-off-by: Andrej Krutak Signed-off-by: Takashi Iwai sound/usb/line6/pcm.c | 2 ++ 1 file changed, 2 insertions(+) commit 7e4379eae0e31994ea645db1d13006ea8e5ce539 Author: Andrej Krutak Date: Thu Aug 18 23:52:10 2016 +0200 ALSA: line6: Remove double line6_pcm_release() after failed acquire. If there's an error, pcm is released in line6_pcm_acquire already. Fixes: 247d95ee6dd2 ('ALSA: line6: Handle error from line6_pcm_acquire()') Cc: # v4.0+ Reviewed-by: Stefan Hajnoczi Signed-off-by: Andrej Krutak Signed-off-by: Takashi Iwai sound/usb/line6/pcm.c | 1 - 1 file changed, 1 deletion(-) commit 3ee0ce2a54dff07d09440723594df89bc1a12e79 Author: Christoph Hellwig Date: Thu Aug 11 07:06:45 2016 -0700 genirq/affinity: Use get/put_online_cpus around cpumask operations Without locking out CPU mask operations we might end up with an inconsistent view of the cpumask in the function. Fixes: 5e385a6ef31f: "genirq: Add a helper to spread an affinity mask for MSI/MSI-X vectors" Signed-off-by: Christoph Hellwig Link: http://lkml.kernel.org/r/1470924405-25728-1-git-send-email-hch@lst.de Signed-off-by: Thomas Gleixner kernel/irq/affinity.c | 2 ++ 1 file changed, 2 insertions(+) commit 4396f46c8c628329bd35ee4b84140b8b001a11eb Author: Shawn Lin Date: Mon Aug 22 16:21:52 2016 +0800 genirq: Fix potential memleak when failing to get irq pm Obviously we should free action here if irq_chip_pm_get failed. Fixes: be45beb2df69: "genirq: Add runtime power management support for IRQ chips" Signed-off-by: Shawn Lin Cc: Jon Hunter Cc: Marc Zyngier Link: http://lkml.kernel.org/r/1471854112-13006-1-git-send-email-shawn.lin@rock-chips.com Signed-off-by: Thomas Gleixner kernel/irq/manage.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit d16c995fe43021c765186bf8b9f7e1cc4b043232 Merge: f3b0946 7611da8 Author: Thomas Gleixner Date: Mon Aug 22 10:34:13 2016 +0200 Merge tag 'irqchip-for-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent Pull genirq/irqchip fixes for 4.8-rc4 from Marc Zygnier - A critical fix for chained irqchip where we failed to configure the cascade interrupt trigger - A GIC fix for self-IPI in SMP-on-UP configurations - A PM fix for GICv3 - A initialization fix the the GICv3 ITS, triggered by kexec commit 511a36d2f357724312bb3776d2f6eed3890928b2 Author: Baolin Wang Date: Thu Jun 30 17:10:23 2016 +0800 usb: gadget: Add the gserial port checking in gs_start_tx() When usb gadget is set gadget serial function, it will be crash in below situation. It will clean the 'port->port_usb' pointer in gserial_disconnect() function when usb link is inactive, but it will release lock for disabling the endpoints in this function. Druing the lock release period, it maybe complete one request to issue gs_write_complete()--->gs_start_tx() function, but the 'port->port_usb' pointer had been set NULL, thus it will be crash in gs_start_tx() function. This patch adds the 'port->port_usb' pointer checking in gs_start_tx() function to avoid this situation. Signed-off-by: Baolin Wang Signed-off-by: Felipe Balbi drivers/usb/gadget/function/u_serial.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit d6011f6fc21b4d4ab1586f01c4f62becaa0a28d7 Author: Nicolas Saenz Julienne Date: Tue Aug 16 10:22:38 2016 +0100 usb: dwc3: gadget: don't rely on jiffies while holding spinlock __dwc3_gadget_wakeup() is called while holding a spinlock, then depends on jiffies in order to timeout while polling the USB core for a link state update. In the case the wakeup failed, the timeout will never happen and will also cause the cpu to stall until rcu_preempt kicks in. This switches to a "decrement variable and wait" timeout scheme. Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Felipe Balbi drivers/usb/dwc3/gadget.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit f4693b08cc901912a87369c46537b94ed4084ea0 Author: Dan Carpenter Date: Fri Jul 15 14:15:47 2016 +0300 usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() We can't assign -EINVAL to a u16. Fixes: 3948f0e0c999 ('usb: add Freescale QE/CPM USB peripheral controller driver') Acked-by: Peter Chen Signed-off-by: Dan Carpenter Signed-off-by: Felipe Balbi drivers/usb/gadget/udc/fsl_qe_udc.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) commit 80d1642d7640ef00d8823f17a529785331aceb96 Author: Peter Chen Date: Thu Aug 11 15:51:46 2016 +0800 usb: gadget: function: f_rndis: socket buffer may be NULL In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer check at .wrap API. Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi drivers/usb/gadget/function/f_rndis.c | 3 +++ 1 file changed, 3 insertions(+) commit 70237dc8efd092b93b40dc2eba812d66a5d65cb1 Author: Peter Chen Date: Thu Aug 11 15:51:45 2016 +0800 usb: gadget: function: f_eem: socket buffer may be NULL In eth_start_xmit, the socket buffer may be NULL. So, add NULL pointer check at .wrap API. Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi drivers/usb/gadget/function/f_eem.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 3295235fd70ed6d594aadee8c892a14f6a4b2d2e Author: Wei Yongjun Date: Sat Aug 13 01:28:24 2016 +0000 usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe() In case of error, the function usb_get_phy() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: b5a2875605ca ("usb: renesas_usbhs: Allow an OTG PHY driver to provide VBUS") Cc: # v4.3+ Acked-by: Yoshihiro Shimoda Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi drivers/usb/renesas_usbhs/mod_gadget.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 83f8da562f8b5275fa1095b45762996971f7c607 Author: Dinh Nguyen Date: Wed Aug 10 08:53:34 2016 -0500 usb: dwc2: Add reset control to dwc2 Allow for platforms that have a reset controller driver in place to bring the USB IP out of reset. Signed-off-by: Dinh Nguyen Acked-by: John Youn Tested-by: Stefan Wahren Signed-off-by: Felipe Balbi drivers/usb/dwc2/core.h | 1 + drivers/usb/dwc2/platform.c | 22 ++++++++++++++++++++++ 2 files changed, 23 insertions(+) commit b74c2d875baaa07186f617c5617f4c5e3a8a41ad Author: Felipe Balbi Date: Thu Jul 28 13:07:07 2016 +0300 usb: dwc3: core: allow device to runtime_suspend several times After going through runtime_suspend/runtime_resume cycle once we would be left with an unbalanced pm_runtime_get() call. Fix that by making sure that we try to suspend right after resuming so things are balanced and device can runtime_suspend again. Signed-off-by: Felipe Balbi drivers/usb/dwc3/core.c | 1 + 1 file changed, 1 insertion(+) commit f6c274e11e3b31a5f95c23962b1ba593bd6a4759 Author: Felipe Balbi Date: Thu Jul 28 10:16:12 2016 +0300 usb: dwc3: pci: runtime_resume child device During runtime_resume of dwc3-pci.c, we need to runtime suspend our child device (which is dwc3 proper) otherwise nothing will happen. Signed-off-by: Felipe Balbi drivers/usb/dwc3/dwc3-pci.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 32e80820de5d7eb778632af8f235727a32d3aeb2 Author: LABBE Corentin Date: Tue Aug 16 10:44:18 2016 +0200 dmaengine: img-mdc: fix a possible NULL dereference of_match_device could return NULL, and so cause a NULL pointer dereference later at line 850: mdma->soc = match->data; For fixing this problem, we use of_device_get_match_data(), this will simplify the code a little by using a standard function for getting the match data. This was reported by coverity (CID 1324134) Signed-off-by: LABBE Corentin Signed-off-by: Vinod Koul drivers/dma/img-mdc-dma.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 6a8b0c6b18f62a277ffb2139d0c0253fe35d7feb Author: Wei Yongjun Date: Wed Aug 10 03:17:09 2016 +0000 dmaengine: at_xdmac: fix to pass correct device identity to free_irq() free_irq() expects the same device identity that was passed to corresponding request_irq(), otherwise the IRQ is not freed. Fixes: e1f7c9eee707 ("dmaengine: at_xdmac: creation of the atmel eXtended DMA Controller driver") Signed-off-by: Wei Yongjun Acked-by: Ludovic Desroches Signed-off-by: Vinod Koul drivers/dma/at_xdmac.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 93e11eb1b745ee8dbd4f98f24b542d496c8f1e03 Author: Wei Yongjun Date: Wed Aug 10 13:44:56 2016 +0000 dmaengine: fsl_raid: add missing of_node_put() in fsl_re_probe() When terminating for_each_compatible_node() iteration with break or return, of_node_put() should be used to prevent stale device node references from being left behind. Found by Coccinelle. Signed-off-by: Wei Yongjun Signed-off-by: Vinod Koul drivers/dma/fsl_raid.c | 1 + 1 file changed, 1 insertion(+) commit 11d7a0bb95eaaba1741bb24a7c3c169c82f09c7b Author: David Ahern Date: Sun Aug 14 19:52:56 2016 -0700 xfrm: Only add l3mdev oif to dst lookups Subash reported that commit 42a7b32b73d6 ("xfrm: Add oif to dst lookups") broke a wifi use case that uses fib rules and xfrms. The intent of 42a7b32b73d6 was driven by VRFs with IPsec. As a compromise relax the use of oif in xfrm lookups to L3 master devices only (ie., oif is either an L3 master device or is enslaved to a master device). Fixes: 42a7b32b73d6 ("xfrm: Add oif to dst lookups") Reported-by: Subash Abhinov Kasiviswanathan Signed-off-by: David Ahern Signed-off-by: Steffen Klassert net/ipv4/xfrm4_policy.c | 2 +- net/ipv6/xfrm6_policy.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 6f00975c619064a18c23fd3aced325ae165a73b9 Author: Daniel Vetter Date: Sat Aug 20 12:22:11 2016 +0200 drm: Reject page_flip for !DRIVER_MODESET Somehow this one slipped through, which means drivers without modeset support can be oopsed (since those also don't call drm_mode_config_init, which means the crtc lookup will chase an uninitalized idr). Reported-by: Alexander Potapenko Cc: Alexander Potapenko Cc: stable@vger.kernel.org Signed-off-by: Daniel Vetter Reviewed-by: Chris Wilson Signed-off-by: Dave Airlie drivers/gpu/drm/drm_crtc.c | 3 +++ 1 file changed, 3 insertions(+) commit 7c379526d7e71d2041c8ca0bd9af4888916a14b9 Author: Paolo Bonzini Date: Thu Aug 11 15:07:43 2016 +0200 powerpc: move hmi.c to arch/powerpc/kvm/ hmi.c functions are unused unless sibling_subcore_state is nonzero, and that in turn happens only if KVM is in use. So move the code to arch/powerpc/kvm/, putting it under CONFIG_KVM_BOOK3S_HV_POSSIBLE rather than CONFIG_PPC_BOOK3S_64. The sibling_subcore_state is also included in struct paca_struct only if KVM is supported by the kernel. Cc: Daniel Axtens Cc: Michael Ellerman Cc: Mahesh Salgaonkar Cc: Paul Mackerras Cc: linuxppc-dev@lists.ozlabs.org Cc: kvm-ppc@vger.kernel.org Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Benjamin Herrenschmidt arch/powerpc/include/asm/hmi.h | 2 +- arch/powerpc/include/asm/paca.h | 12 +++++---- arch/powerpc/kernel/Makefile | 2 +- arch/powerpc/kernel/hmi.c | 56 ---------------------------------------- arch/powerpc/kvm/Makefile | 1 + arch/powerpc/kvm/book3s_hv_hmi.c | 56 ++++++++++++++++++++++++++++++++++++++++ 6 files changed, 66 insertions(+), 63 deletions(-) commit 41017a7579cf49cb5513e17df1570dc918760079 Author: Christophe Leroy Date: Thu Aug 11 10:50:40 2016 +0200 powerpc: sysdev: cpm: fix gpio save_regs functions of_mm_gpiochip_add_data() calls mm_gc->save_regs() before setting the data. Therefore ->save_regs() cannot use gpiochip_get_data() [ 0.275940] Unable to handle kernel paging request for data at address 0x00000130 [ 0.283120] Faulting instruction address: 0xc01b44cc [ 0.288175] Oops: Kernel access of bad area, sig: 11 [#1] [ 0.293343] PREEMPT CMPC885 [ 0.296141] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-g65124df-dirty #68 [ 0.304131] task: c6074000 ti: c6080000 task.ti: c6080000 [ 0.309459] NIP: c01b44cc LR: c0011720 CTR: c0011708 [ 0.314372] REGS: c6081d90 TRAP: 0300 Not tainted (4.7.0-g65124df-dirty) [ 0.322267] MSR: 00009032 CR: 24000028 XER: 20000000 [ 0.328813] DAR: 00000130 DSISR: c0000000 GPR00: c01b6d0c c6081e40 c6074000 c6017000 c9028000 c601d028 c6081dd8 00000000 GPR08: c601d028 00000000 ffffffff 00000001 24000044 00000000 c0002790 00000000 GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 c05643b0 00000083 GPR24: c04a1a6c c0560000 c04a8308 c04c6480 c0012498 c6017000 c7ffcc78 c6017000 [ 0.360806] NIP [c01b44cc] gpiochip_get_data+0x4/0xc [ 0.365684] LR [c0011720] cpm1_gpio16_save_regs+0x18/0x44 [ 0.370972] Call Trace: [ 0.373451] [c6081e50] [c01b6d0c] of_mm_gpiochip_add_data+0x70/0xdc [ 0.379624] [c6081e70] [c00124c0] cpm_init_par_io+0x28/0x118 [ 0.385238] [c6081e80] [c04a8ac0] do_one_initcall+0xb0/0x17c [ 0.390819] [c6081ef0] [c04a8cbc] kernel_init_freeable+0x130/0x1dc [ 0.396924] [c6081f30] [c00027a4] kernel_init+0x14/0x110 [ 0.402177] [c6081f40] [c000b424] ret_from_kernel_thread+0x5c/0x64 [ 0.408233] Instruction dump: [ 0.411168] 4182fafc 3f80c040 48234c6d 3bc0fff0 3b9c5ed0 4bfffaf4 81290020 712a0004 [ 0.418825] 4182fb34 48234c51 4bfffb2c 81230004 <80690130> 4e800020 7c0802a6 9421ffe0 [ 0.426763] ---[ end trace fe4113ee21d72ffa ]--- fixes: e65078f1f3490 ("powerpc: sysdev: cpm1: use gpiochip data pointer") fixes: a14a2d484b386 ("powerpc: cpm_common: use gpiochip data pointer") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Reviewed-by: Linus Walleij Signed-off-by: Benjamin Herrenschmidt arch/powerpc/sysdev/cpm1.c | 6 ++++-- arch/powerpc/sysdev/cpm_common.c | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) commit a74599a5041979ae83aec7a6d5c8df9131db2ce6 Author: Nicholas Piggin Date: Wed Aug 10 20:48:43 2016 +1000 powerpc/pseries: PACA save area fix for MCE vs MCE MCE must not enable MSR_RI until PACA_EXMC is no longer being used. Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/exceptions-64s.S | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) commit 3f3b5dc14c25254d3fe98115c71b2a1f3ed97798 Author: Nicholas Piggin Date: Wed Aug 10 20:48:42 2016 +1000 powerpc/pseries: PACA save area fix for general exception vs MCE MCE must not use PACA_EXGEN. When a general exception enables MSR_RI, that means SPRN_SRR[01] and SPRN_SPRG are no longer used. However the PACA save area is still in use. Acked-by: Mahesh Salgaonkar Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/exceptions-64s.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 66443efa83dc73775100b7442962ce2cb0d4472e Author: Michael Ellerman Date: Fri Aug 12 21:45:52 2016 +1000 powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support When booting from an OpenFirmware which supports it, we use the "ibm,client-architecture-support" firmware call to communicate our capabilities to firmware. The format of the structure we pass to firmware is specified in PAPR (Power Architecture Platform Requirements), or the public version LoPAPR (Linux on Power Architecture Platform Reference). Referring to table 244 in LoPAPR v1.1, option vector 5 contains a 4 byte field at bytes 17-20 for the "Platform Facilities Enable". This is followed by a 1 byte field at byte 21 for "Sub-Processor Represenation Level". Comparing to the code, there we have the Platform Facilities options (OV5_PFO_*) at byte 17, but we fail to pad that field out to its full width of 4 bytes. This means the OV5_SUB_PROCESSORS option is incorrectly placed at byte 18. Fix it by adding zero bytes for bytes 18, 19, 20, and comment the bytes to hopefully make it clearer in future. As far as I'm aware nothing actually consumes this value at this time, so the effect of this bug is nil in practice. It does mean we've been incorrectly setting bit 15 of the "Platform Facilities Enable" option for the past ~3 1/2 years, so we should avoid allocating that bit to anything else in future. Fixes: df77c7992029 ("powerpc/pseries: Update ibm,architecture.vec for PAPR 2.7/POWER8") Signed-off-by: Michael Ellerman Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/prom_init.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 19ab58d19ef6291bab07c8e7110f3198c23432c1 Author: Boqun Feng Date: Tue Aug 16 19:50:12 2016 +0800 powerpc, hotplug: Avoid to touch non-existent cpumasks. We observed a kernel oops when running a PPC guest with config NR_CPUS=4 and qemu option "-smp cores=1,threads=8": [ 30.634781] Unable to handle kernel paging request for data at address 0xc00000014192eb17 [ 30.636173] Faulting instruction address: 0xc00000000003e5cc [ 30.637069] Oops: Kernel access of bad area, sig: 11 [#1] [ 30.637877] SMP NR_CPUS=4 NUMA pSeries [ 30.638471] Modules linked in: [ 30.638949] CPU: 3 PID: 27 Comm: migration/3 Not tainted 4.7.0-07963-g9714b26 #1 [ 30.640059] task: c00000001e29c600 task.stack: c00000001e2a8000 [ 30.640956] NIP: c00000000003e5cc LR: c00000000003e550 CTR: 0000000000000000 [ 30.642001] REGS: c00000001e2ab8e0 TRAP: 0300 Not tainted (4.7.0-07963-g9714b26) [ 30.643139] MSR: 8000000102803033 CR: 22004084 XER: 00000000 [ 30.644583] CFAR: c000000000009e98 DAR: c00000014192eb17 DSISR: 40000000 SOFTE: 0 GPR00: c00000000140a6b8 c00000001e2abb60 c0000000016dd300 0000000000000003 GPR04: 0000000000000000 0000000000000004 c0000000016e5920 0000000000000008 GPR08: 0000000000000004 c00000014192eb17 0000000000000000 0000000000000020 GPR12: c00000000140a6c0 c00000000ffffc00 c0000000000d3ea8 c00000001e005680 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 c00000001e6b3a00 0000000000000000 0000000000000001 GPR24: c00000001ff85138 c00000001ff85130 000000001eb6f000 0000000000000001 GPR28: 0000000000000000 c0000000017014e0 0000000000000000 0000000000000018 [ 30.653882] NIP [c00000000003e5cc] __cpu_disable+0xcc/0x190 [ 30.654713] LR [c00000000003e550] __cpu_disable+0x50/0x190 [ 30.655528] Call Trace: [ 30.655893] [c00000001e2abb60] [c00000000003e550] __cpu_disable+0x50/0x190 (unreliable) [ 30.657280] [c00000001e2abbb0] [c0000000000aca0c] take_cpu_down+0x5c/0x100 [ 30.658365] [c00000001e2abc10] [c000000000163918] multi_cpu_stop+0x1a8/0x1e0 [ 30.659617] [c00000001e2abc60] [c000000000163cc0] cpu_stopper_thread+0xf0/0x1d0 [ 30.660737] [c00000001e2abd20] [c0000000000d8d70] smpboot_thread_fn+0x290/0x2a0 [ 30.661879] [c00000001e2abd80] [c0000000000d3fa8] kthread+0x108/0x130 [ 30.662876] [c00000001e2abe30] [c000000000009968] ret_from_kernel_thread+0x5c/0x74 [ 30.664017] Instruction dump: [ 30.664477] 7bde1f24 38a00000 787f1f24 3b600001 39890008 7d204b78 7d05e214 7d0b07b4 [ 30.665642] 796b1f24 7d26582a 7d204a14 7d29f214 <7d4048a8> 7d4a3878 7d4049ad 40c2fff4 [ 30.666854] ---[ end trace 32643b7195717741 ]--- The reason of this is that in __cpu_disable(), when we try to set the cpu_sibling_mask or cpu_core_mask of the sibling CPUs of the disabled one, we don't check whether the current configuration employs those sibling CPUs(hw threads). And if a CPU is not employed by a configuration, the percpu structures cpu_{sibling,core}_mask are not allocated, therefore accessing those cpumasks will result in problems as above. This patch fixes this problem by adding an addition check on whether the id is no less than nr_cpu_ids in the sibling CPU iteration code. Signed-off-by: Boqun Feng Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/smp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8a39b05f086904c3b2e04e4db3d81f30c0eae6ae Author: Paul Gortmaker Date: Tue Aug 16 10:57:34 2016 -0400 powerpc: migrate exception table users off module.h and onto extable.h These files were only including module.h for exception table related functions. We've now separated that content out into its own file "extable.h" so now move over to that and avoid all the extra header content in module.h that we don't really need to compile these files. Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: Michael Ellerman Cc: linuxppc-dev@lists.ozlabs.org Signed-off-by: Paul Gortmaker Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/kprobes.c | 2 +- arch/powerpc/kernel/traps.c | 3 ++- arch/powerpc/mm/fault.c | 2 +- arch/powerpc/platforms/embedded6xx/holly.c | 2 +- arch/powerpc/platforms/embedded6xx/mpc7448_hpc2.c | 2 +- arch/powerpc/sysdev/fsl_rio.c | 2 +- 6 files changed, 7 insertions(+), 6 deletions(-) commit 6096481649ac27466cf2b453f185b43f680bf541 Author: Andrzej Hajda Date: Wed Aug 17 12:03:05 2016 +0200 powerpc/powernv/pci: fix iterator signedness Unsigned type is always non-negative, so the loop could not end in case condition is never true. The problem has been detected using semantic patch scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci Signed-off-by: Andrzej Hajda Signed-off-by: Benjamin Herrenschmidt arch/powerpc/platforms/powernv/pci-ioda.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 Author: Mauricio Faria de Oliveira Date: Thu Aug 11 17:25:40 2016 -0300 powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) This patch leverages 'struct pci_host_bridge' from the PCI subsystem in order to free the pci_controller only after the last reference to its devices is dropped (avoiding an oops in pcibios_release_device() if the last reference is dropped after pcibios_free_controller()). The patch relies on pci_host_bridge.release_fn() (and .release_data), which is called automatically by the PCI subsystem when the root bus is released (i.e., the last reference is dropped). Those fields are set via pci_set_host_bridge_release() (e.g. in the platform-specific implementation of pcibios_root_bridge_prepare()). It introduces the 'pcibios_free_controller_deferred()' .release_fn() and it expects .release_data to hold a pointer to the pci_controller. The function implictly calls 'pcibios_free_controller()', so an user must *NOT* explicitly call it if using the new _deferred() callback. The functionality is enabled for pseries (although it isn't platform specific, and may be used by cxl). Details on not-so-elegant design choices: - Use 'pci_host_bridge.release_data' field as pointer to associated 'struct pci_controller' so *not* to 'pci_bus_to_host(bridge->bus)' in pcibios_free_controller_deferred(). That's because pci_remove_root_bus() sets 'host_bridge->bus = NULL' (so, if the last reference is released after pci_remove_root_bus() runs, which eventually reaches pcibios_free_controller_deferred(), that would hit a null pointer dereference). The cxl/vphb.c code calls pci_remove_root_bus(), and the cxl folks are interested in this fix. Test-case #1 (hold references) # ls -ld /sys/block/sd* | grep -m1 0021:01:00.0 <...> /sys/block/sdaa -> ../devices/pci0021:01/0021:01:00.0/<...> # ls -ld /sys/block/sd* | grep -m1 0021:01:00.1 <...> /sys/block/sdab -> ../devices/pci0021:01/0021:01:00.1/<...> # cat >/dev/sdaa & pid1=$! # cat >/dev/sdab & pid2=$! # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r Validating PHB DLPAR capability...yes. [ 594.306719] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01 [ 594.306738] pci_hp_remove_devices: Removing 0021:01:00.0... ... [ 598.236381] pci_hp_remove_devices: Removing 0021:01:00.1... ... [ 611.972077] pci_bus 0021:01: busn_res: [bus 01-ff] is released [ 611.972140] rpadlpar_io: slot PHB 33 removed # kill -9 $pid1 # kill -9 $pid2 [ 632.918088] pcibios_free_controller_deferred: domain 33, dynamic 1 Test-case #2 (don't hold references) # drmgr -w 5 -d 1 -c phb -s 'PHB 33' -r Validating PHB DLPAR capability...yes. [ 916.357363] pci_hp_remove_devices: PCI: Removing devices on bus 0021:01 [ 916.357386] pci_hp_remove_devices: Removing 0021:01:00.0... ... [ 920.566527] pci_hp_remove_devices: Removing 0021:01:00.1... ... [ 933.955873] pci_bus 0021:01: busn_res: [bus 01-ff] is released [ 933.955977] pcibios_free_controller_deferred: domain 33, dynamic 1 [ 933.955999] rpadlpar_io: slot PHB 33 removed Suggested-By: Gavin Shan Signed-off-by: Mauricio Faria de Oliveira Reviewed-by: Gavin Shan Reviewed-by: Andrew Donnellan Tested-by: Andrew Donnellan # cxl Signed-off-by: Benjamin Herrenschmidt arch/powerpc/include/asm/pci-bridge.h | 1 + arch/powerpc/kernel/pci-common.c | 36 ++++++++++++++++++++++++++++++ arch/powerpc/platforms/pseries/pci.c | 4 ++++ arch/powerpc/platforms/pseries/pci_dlpar.c | 7 ++++-- 4 files changed, 46 insertions(+), 2 deletions(-) commit 6f38a8b9a45833495dc878c335c5431cd98a16ed Author: Andrew Donnellan Date: Thu Aug 18 17:35:14 2016 +1000 cxl: use pcibios_free_controller_deferred() when removing vPHBs When cxl removes a vPHB, it's possible that the pci_controller may be freed before all references to the devices on the vPHB have been released. This in turn causes an invalid memory access when the devices are eventually released, as pcibios_release_device() attempts to call the phb's release_device hook. In cxl_pci_vphb_remove(), remove the existing call to pcibios_free_controller(). Instead, use pcibios_free_controller_deferred() to free the pci_controller after all devices have been released. Export pci_set_host_bridge_release() so we can do this. Cc: stable@vger.kernel.org Signed-off-by: Andrew Donnellan Reviewed-by: Matthew R. Ochs Acked-by: Ian Munsie Signed-off-by: Benjamin Herrenschmidt drivers/misc/cxl/vphb.c | 10 +++++++++- drivers/pci/host-bridge.c | 1 + 2 files changed, 10 insertions(+), 1 deletion(-) commit f5ed841ce75ca33f413c394110d6dc002c097b01 Author: Markus Elfring Date: Mon Aug 15 22:36:05 2016 +0200 powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner" The field "owner" is set by the core. Thus delete an unneeded initialisation. Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci Signed-off-by: Markus Elfring Signed-off-by: Benjamin Herrenschmidt arch/powerpc/platforms/83xx/mcu_mpc8349emitx.c | 1 - 1 file changed, 1 deletion(-) commit e72e799c0901b689c83468623cfcb85df431e882 Author: Markus Elfring Date: Mon Aug 15 22:07:54 2016 +0200 powerpc/512x: Delete unnecessary assignment for the field "owner" The field "owner" is set by the core. Thus delete an unneeded initialisation. Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci Signed-off-by: Markus Elfring Signed-off-by: Benjamin Herrenschmidt arch/powerpc/platforms/512x/mpc512x_lpbfifo.c | 1 - 1 file changed, 1 deletion(-) commit aded76bac54d1dd0a9c9203aa29a78423edc4cde Author: Markus Elfring Date: Sun Aug 14 21:42:17 2016 +0200 drivers/macintosh: Delete owner assignment The field "owner" is set by core. Thus delete an extra initialisation. Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci Signed-off-by: Markus Elfring Signed-off-by: Benjamin Herrenschmidt drivers/macintosh/ams/ams-i2c.c | 1 - drivers/macintosh/windfarm_pm112.c | 1 - drivers/macintosh/windfarm_pm72.c | 1 - drivers/macintosh/windfarm_rm31.c | 1 - 4 files changed, 4 deletions(-) commit e340eca90ee18547027a6d5745ffabf7d173dfcc Author: Guenter Roeck Date: Sun Aug 14 13:53:17 2016 -0700 powerpc: cputhreads: Add missing include file Powerpc builds may fail with the following build error. Error log: In file included from ./arch/powerpc/include/asm/mmu_context.h:11:0, from ./include/linux/mmu_context.h:4, from mm/mmu_context.c:8: ./arch/powerpc/include/asm/cputhreads.h: In function 'get_tensr': ./arch/powerpc/include/asm/cputhreads.h:101:2: error: implicit declaration of function 'cpu_has_feature' The problem can be triggered by configuring ppc64e_defconfig and selecting CONFIG_TICK_CPU_ACCOUNTING instead of CONFIG_VIRT_CPU_ACCOUNTING_NATIVE. Fixes: b92a226e5284 ("powerpc: Move cpu_has_feature() to a separate file") Signed-off-by: Guenter Roeck Signed-off-by: Benjamin Herrenschmidt arch/powerpc/include/asm/cputhreads.h | 1 + 1 file changed, 1 insertion(+) commit fa8410b355251fd30341662a40ac6b22d3e38468 Author: Linus Torvalds Date: Sun Aug 21 16:14:10 2016 -0700 Linux 4.8-rc3 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d524d84b588e300418a99794eb5066683ec7c488 Author: Colin Ian King Date: Sun Aug 21 15:24:33 2016 +0100 net: tehuti: fix typo: "eneble" -> "enable" trivial typo fix in pr_err message Signed-off-by: Colin Ian King Signed-off-by: David S. Miller drivers/net/ethernet/tehuti/tehuti.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 46097f27180c7dd371c2b0391d40bb1fa36007af Merge: 4ec656b 3eb53b2 Author: Linus Torvalds Date: Sun Aug 21 14:28:24 2016 -0700 Merge branch 'parisc-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull two parisc fixes from Helge Deller: "The first patch ensures that the high-res cr16 clocksource (which was added in kernel 4.7) gets choosen as default clocksource for parisc. The second patch moves the #define of EREFUSED down inside errno.h and thus unbreaks building the gccgo compiler" * 'parisc-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix order of EREFUSED define in errno.h parisc: Fix automatic selection of cr16 clocksource commit 7ac61a062f3147dc23e3f12b9dfe7c4dd35f9cb8 Author: Linus Walleij Date: Tue Aug 16 15:33:28 2016 +0200 iio: accel: kxsd9: Fix raw read return Any readings from the raw interface of the KXSD9 driver will return an empty string, because it does not return IIO_VAL_INT but rather some random value from the accelerometer to the caller. Cc: stable@vger.kernel.org Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron drivers/iio/accel/kxsd9.c | 1 + 1 file changed, 1 insertion(+) commit 7175cce1c3f1d8c8840d2004f78f96a3904249b5 Author: Vignesh R Date: Wed Aug 17 17:43:01 2016 +0530 iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample Now that open delay and sample delay for each channel is configurable via DT, the default IDLE_TIMEOUT value is not enough as this is calculated based on hardcoded macros. This results in driver returning EBUSY sometimes. Fix this by increasing the timeout value based on maximum value possible to open delay and sample delays for each channel. Fixes: 5dc11e810676e ("iio: adc: ti_am335x_adc: make sample delay, open delay, averaging DT parameters") Signed-off-by: Vignesh R Acked-by: Lee Jones Cc: Signed-off-by: Jonathan Cameron drivers/iio/adc/ti_am335x_adc.c | 2 +- include/linux/mfd/ti_am335x_tscadc.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) commit 90c43ec6997a892448f1f86180a515f59cafd8a3 Author: Vignesh R Date: Wed Aug 17 17:43:00 2016 +0530 iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access It is possible that two or more ADC channels can be simultaneously requested for raw samples, in which case there can be race in access to FIFO data resulting in loss of samples. If am335x_tsc_se_set_once() is called again from tiadc_read_raw(), when ADC is still acquired to sample one of the channels, the second process might be put into uninterruptible sleep state. Fix these issues, by protecting FIFO access and channel configurations with a mutex. Since tiadc_read_raw() might take anywhere between few microseconds to few milliseconds to finish execution (depending on averaging and delay values supplied via DT), its better to use mutex instead of spinlock. Fixes: 7ca6740cd1cd4 ("mfd: input: iio: ti_amm335x: Rework TSC/ADC synchronization") Signed-off-by: Vignesh R Cc: Signed-off-by: Jonathan Cameron drivers/iio/adc/ti_am335x_adc.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit 4ec656bdf43a13a655a8259b79dd63bc1f0b1e41 Author: Tony Luck Date: Sat Aug 20 16:27:58 2016 -0700 EDAC, skx_edac: Add EDAC driver for Skylake This is an entirely new driver instead of yet another set of patches to sb_edac.c because: 1) Mapping from PCI devices to socket/memory controller is significantly different. Skylake scatters devices on a socket across a number of PCI buses. 2) There is an extra level of interleaving via the "mcroute" register that would be a little messy to squeeze into the old driver. 3) Validation is getting too expensive. Changes to sb_edac need to be checked against Sandy Bridge, Ivy Bridge, Haswell, Broadwell and Knights Landing. Acked-by: Aristeu Rozanski Acked-by: Borislav Petkov Signed-off-by: Tony Luck Signed-off-by: Linus Torvalds MAINTAINERS | 6 + drivers/edac/Kconfig | 8 + drivers/edac/Makefile | 1 + drivers/edac/skx_edac.c | 1121 +++++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 1136 insertions(+) commit c0678b2d6648ab65b68703044709e367799ba9f9 Author: Randy Dunlap Date: Mon Aug 15 15:52:23 2016 -0700 include/linux: fix excess fence.h kernel-doc notation Fix excess fields in kernel-doc notation in after some struct fields were removed. Fixes these kernel-doc warnings: ..//include/linux/fence.h:85: warning: Excess struct/union/enum/typedef member 'child_list' description in 'fence' ..//include/linux/fence.h:85: warning: Excess struct/union/enum/typedef member 'active_list' description in 'fence' Fixes: 0431b9065f28 ("staging/android: bring struct sync_pt back") Cc: Daniel Vetter Cc: Sumit Semwal Cc: Luis de Bethencourt Signed-off-by: Randy Dunlap Reviewed-by: Gustavo Padovan Signed-off-by: Greg Kroah-Hartman include/linux/fence.h | 2 -- 1 file changed, 2 deletions(-) commit 6c08fda0306916135291103f23cc17248c422c49 Author: Colin Ian King Date: Mon Aug 15 17:09:52 2016 +0100 staging: wilc1000: correctly check if associatedsta has not been found The current check for associatedsta being set to -1 to indicate it has not been found is not working because associatedsta is initialized to zero and will never be -1. Fix this by initializing it to ~0 and checking for ~0 instead. Signed-off-by: Colin Ian King Signed-off-by: Greg Kroah-Hartman drivers/staging/wilc1000/wilc_wfi_cfgoperations.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 23436825e671cdd55c45d151ddc66fd3c47d10e9 Author: Dan Carpenter Date: Sat Jul 16 13:07:55 2016 +0300 staging: wilc1000: NULL dereference on error We can't pass NULL pointers to destroy_workqueue(). Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman drivers/staging/wilc1000/host_interface.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 23535c1322e42e71f32bfbeae9970f4dba31e3bd Author: Binoy Jayan Date: Thu Jul 21 13:26:56 2016 +0530 staging: wilc1000: txq_event: Fix coding error Fix incorrect usage of completion interface by replacing 'wait_for_completion' with 'complete'. This error was introduced accidentally while replacing semaphores with mutexes. Reported-by: Jiri Slaby Signed-off-by: Binoy Jayan Signed-off-by: Greg Kroah-Hartman drivers/staging/wilc1000/linux_wlan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e9d766b965a15816cf9ec353d86c11f27b783d4d Author: Geert Uytterhoeven Date: Sun May 22 11:05:38 2016 +0200 MAINTAINERS: Add file patterns for ion device tree bindings Submitters of device tree binding documentation may forget to CC the subsystem maintainer if this is missing. Signed-off-by: Geert Uytterhoeven Cc: Sumit Semwal Cc: devel@driverdev.osuosl.org Acked-by: Laura Abbott Signed-off-by: Greg Kroah-Hartman MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit d9a8594011080def9202f2c258f755647fe66683 Author: Aditya Shankar Date: Tue Aug 2 11:49:00 2016 +0200 MAINTAINERS: Update maintainer entry for wilc1000 Take the maintenance of the Atmel WIFI staging driver wilc1000. Former maintainers are no more with Atmel. Reported-by: Loic Lefort Signed-off-by: Aditya Shankar Signed-off-by: Ganesh Krishna Acked-by: Luis de Bethencourt Signed-off-by: Nicolas Ferre Signed-off-by: Greg Kroah-Hartman MAINTAINERS | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit ca64d4bc80a88845f7e1e266dbff798f928bcc06 Author: Colin Ian King Date: Mon Jul 25 23:06:56 2016 +0100 iio: chemical: atlas-ph-sensor: fix typo in val assignment Fix an incorrect assignment due to a typo on a variable name. The variable val2 should be assigned 100000 and not val. Signed-off-by: Colin Ian King Reviewed-By: Matt Ranostay Signed-off-by: Jonathan Cameron drivers/iio/chemical/atlas-ph-sensor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit fcf68f3c0bb2a541aa47a2a38b8939edf84fd529 Author: Brian Norris Date: Mon Aug 8 17:19:38 2016 -0700 iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING" When using CONFIG_DEBUG_ATOMIC_SLEEP, the scheduler nicely points out that we're calling sleeping primitives within the wait_event loop, which means we might clobber the task state: [ 10.831289] do not call blocking ops when !TASK_RUNNING; state=1 set at [] [ 10.845531] ------------[ cut here ]------------ [ 10.850161] WARNING: at kernel/sched/core.c:7630 ... [ 12.164333] ---[ end trace 45409966a9a76438 ]--- [ 12.168942] Call trace: [ 12.171391] [] __might_sleep+0x64/0x90 [ 12.176699] [] mutex_lock_nested+0x50/0x3fc [ 12.182440] [] iio_kfifo_buf_data_available+0x28/0x4c [ 12.189043] [] iio_buffer_ready+0x60/0xe0 [ 12.194608] [] iio_buffer_read_first_n_outer+0x108/0x1a8 [ 12.201474] [] __vfs_read+0x58/0x114 [ 12.206606] [] vfs_read+0x94/0x118 [ 12.211564] [] SyS_read+0x64/0xb4 [ 12.216436] [] el0_svc_naked+0x24/0x28 To avoid this, we should (a la https://lwn.net/Articles/628628/) use the wait_woken() function, which avoids the nested sleeping while still handling races between waiting / wake-events. Signed-off-by: Brian Norris Reviewed-by: Lars-Peter Clausen Cc: # 3.19+ for introduction of wake_woken Signed-off-by: Jonathan Cameron drivers/iio/industrialio-buffer.c | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) commit f0f4b0cc3a8cffd983f5940d46cd0227f3f5710a Author: Ian Abbott Date: Tue Jul 19 12:17:39 2016 +0100 staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility Commit ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use") introduced a backwards compatibility issue in the use of asynchronous commands on the AO subdevice when `start_src` is `TRIG_EXT`. Valid values for `start_src` are `TRIG_INT` (for internal, software trigger), and `TRIG_EXT` (for external trigger). When set to `TRIG_EXT`. In both cases, the driver relies on an internal, software trigger to set things up (allowing the user application to write sufficient samples to the data buffer before the trigger), so it acts as a software "pre-trigger" in the `TRIG_EXT` case. The software trigger is handled by `ni_ao_inttrig()`. Prior to the above change, when `start_src` was `TRIG_INT`, `start_arg` was required to be 0, and `ni_ao_inttrig()` checked that the software trigger number was also 0. After the above change, when `start_src` was `TRIG_INT`, any value was allowed for `start_arg`, and `ni_ao_inttrig()` checked that the software trigger number matched this `start_arg` value. The backwards compatibility issue is that the internal trigger number now has to match `start_arg` when `start_src` is `TRIG_EXT` when it previously had to be 0. Fix the backwards compatibility issue in `ni_ao_inttrig()` by always allowing software trigger number 0 when `start_src` is something other than `TRIG_INT`. Thanks to Spencer Olson for reporting the issue. Signed-off-by: Ian Abbott Reported-by: Spencer Olson Fixes: ebb657babfa9 ("staging: comedi: ni_mio_common: clarify the cmd->start_arg validation and use") Cc: stable Reviewed-by: H Hartley Sweeten Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/ni_mio_common.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit 5ac5c3bcf57419d0aa3f53b12b8c07599a13fdcc Author: Dan Carpenter Date: Tue Jun 21 14:46:21 2016 +0300 staging: comedi: dt2811: fix a precedence bug Bitwise | has higher precedence than ?: so we need to add some parenthesis for this to work as intended. Fixes: 7c9574090d30 ('staging: comedi: dt2811: simplify A/D reference configuration') Signed-off-by: Dan Carpenter Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/dt2811.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit c71f20ee76342376e3c4c67cdbe7421d8c4e886e Author: Phil Turnbull Date: Fri Jul 29 09:43:56 2016 -0400 staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN. The CMDF_ROUND_DOWN case falls through and so always returns -EINVAL. Fixes: 14b93bb6bbf0 ("staging: comedi: adv_pci_dio: separate out PCI-1760 support") Signed-off-by: Phil Turnbull Reviewed-by: Ian Abbott Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/adv_pci1760.c | 1 + 1 file changed, 1 insertion(+) commit 5ca05345c56cb979e1a25ab6146437002f95cac8 Author: Ian Abbott Date: Wed Jul 20 17:07:34 2016 +0100 staging: comedi: ni_mio_common: fix wrong insn_write handler For counter subdevices, the `s->insn_write` handler is being set to the wrong function, `ni_tio_insn_read()`. It should be `ni_tio_insn_write()`. Signed-off-by: Ian Abbott Reported-by: Éric Piel Fixes: 10f74377eec3 ("staging: comedi: ni_tio: make ni_tio_winsn() a proper comedi (*insn_write)" Cc: # 3.17+ Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/ni_mio_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 403fe7f34e3327ddac2e06a15e76a293d613381e Author: Ian Abbott Date: Thu Jun 30 19:58:32 2016 +0100 staging: comedi: comedi_test: fix timer race conditions Commit 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") fixed a lock-up in the timer routine `waveform_ai_timer()` (which was called `waveform_ai_interrupt()` at the time) caused by commit 240512474424 ("staging: comedi: comedi_test: use comedi_handle_events()"). However, it introduced a race condition that can result in the timer routine misbehaving, such as accessing freed memory or dereferencing a NULL pointer. 73e0... changed the timer routine to do nothing unless a `WAVEFORM_AI_RUNNING` flag was set, and changed `waveform_ai_cancel()` to clear the flag and replace a call to `del_timer_sync()` with a call to `del_timer()`. `waveform_ai_cancel()` may be called from the timer routine itself (via `comedi_handle_events()`), or from `do_cancel()`. (`do_cancel()` is called as a result of a file operation (usually a `COMEDI_CANCEL` ioctl command, or a release), or during device removal.) When called from `do_cancel()`, the call to `waveform_ai_cancel()` is followed by a call to `do_become_nonbusy()`, which frees up stuff for the current asynchronous command under the assumption that it is now safe to do so. The race condition occurs when the timer routine `waveform_ai_timer()` checks the `WAVEFORM_AI_RUNNING` flag just before it is cleared by `waveform_ai_cancel()`, and is still running during the call to `do_become_nonbusy()`. In particular, it can lead to a NULL pointer dereference: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] waveform_ai_timer+0x17d/0x290 [comedi_test] That corresponds to this line in `waveform_ai_timer()`: unsigned int chanspec = cmd->chanlist[async->cur_chan]; but `do_become_nonbusy()` frees `cmd->chanlist` and sets it to `NULL`. Fix the race by calling `del_timer_sync()` instead of `del_timer()` in `waveform_ai_cancel()` when not in an interrupt context. The only time `waveform_ai_cancel()` is called in an interrupt context is when it is called from the timer routine itself, via `comedi_handle_events()`. There is no longer any need for the `WAVEFORM_AI_RUNNING` flag, so get rid of it. The bug was copied from the AI subdevice to the AO when support for commands on the AO subdevice was added by commit 0cf55bbef2f9 ("staging: comedi: comedi_test: implement commands on AO subdevice"). That involves the timer routine `waveform_ao_timer()`, the comedi "cancel" routine `waveform_ao_cancel()`, and the flag `WAVEFORM_AO_RUNNING`. Fix it in the same way as for the AI subdevice. Fixes: 73e0e4dfed4c ("staging: comedi: comedi_test: fix timer lock-up") Fixes: 0cf55bbef2f9 ("staging: comedi: comedi_test: implement commands on AO subdevice") Reported-by: Éric Piel Signed-off-by: Ian Abbott Cc: # 4.4+ Cc: Éric Piel Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/comedi_test.c | 46 ++++++++-------------------- 1 file changed, 12 insertions(+), 34 deletions(-) commit 80e162ee9b31d77d851b10f8c5299132be1e120f Author: Ian Abbott Date: Wed Jun 29 20:27:44 2016 +0100 staging: comedi: daqboard2000: bug fix board type matching code `daqboard2000_find_boardinfo()` is supposed to check if the DaqBoard/2000 series model is supported, based on the PCI subvendor and subdevice ID. The current code is wrong as it is comparing the PCI device's subdevice ID to an expected, fixed value for the subvendor ID. It should be comparing the PCI device's subvendor ID to this fixed value. Correct it. Fixes: 7e8401b23e7f ("staging: comedi: daqboard2000: add back subsystem_device check") Signed-off-by: Ian Abbott Cc: # 3.7+ Signed-off-by: Greg Kroah-Hartman drivers/staging/comedi/drivers/daqboard2000.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 522caebb2c3684f4a1d154526fb5e33f1381e92a Author: Giorgio Dal Molin Date: Tue Aug 16 20:43:37 2016 +0200 iio:ti-ads1015: fix a wrong pointer definition. The call to i2c_get_clientdata(client) returns a struct iio_dev*, not the needed struct ads1015_data*. We need here an intermediate step as in the function: void ads1015_get_channels_config(struct i2c_client *client). Signed-off-by: Giorgio Dal Molin Fixes: ecc24e72f437 ("iio: adc: Add TI ADS1015 ADC driver support") Cc: Signed-off-by: Jonathan Cameron drivers/iio/adc/ti-ads1015.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 5575cf133cf7f564da991595c6bc9344afa7d89a Author: Daniel Romell Date: Fri Aug 19 14:12:01 2016 +0200 net: xilinx: emaclite: Fallback to random MAC address. If the address configured in the device tree is invalid, the driver will fallback to using a random address from the locally administered range. Signed-off-by: Daniel Romell Signed-off-by: David S. Miller drivers/net/ethernet/xilinx/xilinx_emaclite.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 6695593e4a7659db49ac6eca98c164f7b5589f72 Author: Aleksandr Makarov Date: Sat Aug 20 13:29:41 2016 +0300 USB: serial: option: add WeTelecom WM-D200 Add support for WeTelecom WM-D200. T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 D: Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=22de ProdID=6801 Rev=00.00 S: Manufacturer=WeTelecom Incorporated S: Product=WeTelecom Mobile Products C: #Ifs= 4 Cfg#= 1 Atr=80 MxPwr=500mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 3 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage Signed-off-by: Aleksandr Makarov Cc: stable Signed-off-by: Johan Hovold drivers/usb/serial/option.c | 5 +++++ 1 file changed, 5 insertions(+) commit 3eb53b20d7bd1374598cfb1feaa081fcac0e76cd Author: Helge Deller Date: Sat Aug 20 11:51:38 2016 +0200 parisc: Fix order of EREFUSED define in errno.h When building gccgo in userspace, errno.h gets parsed and the go include file sysinfo.go is generated. Since EREFUSED is defined to the same value as ECONNREFUSED, and ECONNREFUSED is defined later on in errno.h, this leads to go complaining that EREFUSED isn't defined yet. Fix this trivial problem by moving the define of EREFUSED down after ECONNREFUSED in errno.h (and clean up the indenting while touching this line). Signed-off-by: Helge Deller Cc: stable@vger.kernel.org arch/parisc/include/uapi/asm/errno.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ae141830b118c3fb5b7eab6fa7c8ab7b7224b0a4 Author: Helge Deller Date: Fri Aug 19 22:39:02 2016 +0200 parisc: Fix automatic selection of cr16 clocksource Commit 54b66800907 (parisc: Add native high-resolution sched_clock() implementation) added support to use the CPU-internal cr16 counters as reliable clocksource with the help of HAVE_UNSTABLE_SCHED_CLOCK. Sadly the commit missed to remove the hack which prevented cr16 to become the default clocksource even on SMP systems. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # 4.7+ arch/parisc/kernel/processor.c | 8 -------- arch/parisc/kernel/time.c | 12 ------------ 2 files changed, 20 deletions(-) commit ff2e7d5d51469e98196f7933c83b781e96517e7c Author: Shrikrishna Khare Date: Fri Aug 19 10:33:42 2016 -0700 vmxnet3: fix tx data ring copy for variable size 'Commit 3c8b3efc061a ("vmxnet3: allow variable length transmit data ring buffer")' changed the size of the buffers in the tx data ring from a fixed size of 128 bytes to a variable size. However, while copying data to the data ring, vmxnet3_copy_hdr continues to carry the old code that assumes fixed buffer size of 128. This patch fixes it by adding correct offset based on the actual data ring buffer size. Signed-off-by: Guolin Yang Signed-off-by: Shrikrishna Khare Signed-off-by: David S. Miller drivers/net/vmxnet3/vmxnet3_drv.c | 4 +++- drivers/net/vmxnet3/vmxnet3_int.h | 4 ++-- 2 files changed, 5 insertions(+), 3 deletions(-) commit c10ac75aeed2d8486a73a316ac3a08f85d140894 Author: Alexander Duyck Date: Fri Aug 19 20:58:26 2016 -0700 ixgbe: Do not clear RAR entry when clearing VMDq for SAN MAC The RAR entry for the SAN MAC address was being cleared when we were clearing the VMDq pool bits. In order to prevent this we need to add an extra check to protect the SAN MAC from being cleared. Fixes: 6e982aeae ("ixgbe: Clear stale pool mappings") Signed-off-by: Alexander Duyck Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/ixgbe/ixgbe_common.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 552416c146fadc67cd9b53ef7adf88d3381c43a6 Author: Eric Anholt Date: Tue Jul 26 13:47:15 2016 -0700 drm/vc4: Fix oops when userspace hands in a bad BO. We'd end up NULL pointer dereferencing because we didn't take the error path out in the parent. Fixes igt vc4_lookup_fail test. Signed-off-by: Eric Anholt Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") Cc: stable@vger.kernel.org drivers/gpu/drm/vc4/vc4_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9326e6f25574bbb8bd48206d245654780e3fd665 Author: Eric Anholt Date: Tue Jul 26 13:47:14 2016 -0700 drm/vc4: Fix overflow mem unreferencing when the binner runs dry. Overflow memory handling is tricky: While it's still referenced by the BPO registers, we want to keep it from being freed. When we are putting a new set of overflow memory in the registers, we need to assign the old one to the last rendering job using it. We were looking at "what's currently running in the binner", but since the bin/render submission split, we may end up with the binner completing and having no new job while the renderer is still processing. So, if we don't find a bin job at all, look at the highest-seqno (last) render job to attach our overflow to. Signed-off-by: Eric Anholt Fixes: ca26d28bbaa3 ("drm/vc4: improve throughput by pipelining binning and rendering jobs") Cc: stable@vger.kernel.org drivers/gpu/drm/vc4/vc4_drv.h | 9 +++++++++ drivers/gpu/drm/vc4/vc4_irq.c | 4 +++- 2 files changed, 12 insertions(+), 1 deletion(-) commit def96527707e1978a0c88e75d13b082f51460d5c Author: Eric Anholt Date: Tue Jul 26 13:47:13 2016 -0700 drm/vc4: Free hang state before destroying BO cache. The BO cache will complain if BOs are still allocated when we try to destroy it (since freeing those BOs would try to hit the cache). You could hit this if you were to unload the module after a GPU hang. Signed-off-by: Eric Anholt Fixes: 214613656b51 ("drm/vc4: Add an interface for capturing the GPU state after a hang.") drivers/gpu/drm/vc4/vc4_gem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 163195fc12cae0c8b5c0d74d3ba8d2c5f81773bc Author: Eric Anholt Date: Tue Jul 26 13:47:12 2016 -0700 drm/vc4: Fix handling of a pm_runtime_get_sync() success case. If the device was already up, a 1 is returned instead of 0. We were erroring out, leading the 3D driver to sometimes fail at screen initialization (generally with ENOENT returned to it). Signed-off-by: Eric Anholt Fixes: af713795c59f ("drm/vc4: Add a getparam ioctl for getting the V3D identity regs.") drivers/gpu/drm/vc4/vc4_drv.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit ece7267dccf0e9e08cb6e8dc6b7ad2be9c4eb444 Author: Eric Anholt Date: Tue Jul 19 11:32:44 2016 -0700 drm/vc4: Use drm_malloc_ab to fix large rendering jobs. If you exceeded the size that kmalloc would return, you'd get a dmesg warning and a return from the job submit. We can handle much allocations with vmalloc, and drm_malloc_ab makes that decision. Fixes failure in piglit's scissor-many. Signed-off-by: Eric Anholt drivers/gpu/drm/vc4/vc4_gem.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit d5fb46e0e3b7e49ee83ba92efc3ab4e1a545ecc1 Author: Eric Anholt Date: Tue Jul 26 13:47:10 2016 -0700 drm/vc4: Use drm_free_large() on handles to match its allocation. If you managed to exceed the limit to switch to vmalloc, we'd use the wrong free. Signed-off-by: Eric Anholt Fixes: d5b1a78a772f ("drm/vc4: Add support for drawing 3D frames.") Cc: stable@vger.kernel.org drivers/gpu/drm/vc4/vc4_gem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8912862f067276b480c4fed9da74c9c5601130a6 Author: Jiri Pirko Date: Fri Aug 19 14:43:48 2016 +0200 mlxsw: spectrum_buffers: Fix pool value handling in mlxsw_sp_sb_tc_pool_bind_set Pool index has to be converted by get_pool helper to work correctly for egress pool. In mlxsw the egress pool index starts from 0. Fixes: 0f433fa0ecc ("mlxsw: spectrum_buffers: Implement shared buffer configuration") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) commit 56cff471d0c62b721a298f806e7637501debb513 Author: Gao Feng Date: Fri Aug 19 13:36:23 2016 +0800 l2tp: Fix the connect status check in pppol2tp_getname The sk->sk_state is bits flag, so need use bit operation check instead of value check. Signed-off-by: Gao Feng Tested-by: Guillaume Nault Signed-off-by: David S. Miller net/l2tp/l2tp_ppp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4c2f2454964477c66ef57745daab203b71783f66 Author: Marcelo Ricardo Leitner Date: Thu Aug 18 14:58:35 2016 -0300 sctp: linearize early if it's not GSO Because otherwise when crc computation is still needed it's way more expensive than on a linear buffer to the point that it affects performance. It's so expensive that netperf test gives a perf output as below: Overhead Command Shared Object Symbol 18,62% netserver [kernel.vmlinux] [k] crc32_generic_shift 2,57% netserver [kernel.vmlinux] [k] __pskb_pull_tail 1,94% netserver [kernel.vmlinux] [k] fib_table_lookup 1,90% netserver [kernel.vmlinux] [k] copy_user_enhanced_fast_string 1,66% swapper [kernel.vmlinux] [k] intel_idle 1,63% netserver [kernel.vmlinux] [k] _raw_spin_lock 1,59% netserver [sctp] [k] sctp_packet_transmit 1,55% netserver [kernel.vmlinux] [k] memcpy_erms 1,42% netserver [sctp] [k] sctp_rcv # netperf -H 192.168.10.1 -l 10 -t SCTP_STREAM -cC -- -m 12000 SCTP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.10.1 () port 0 AF_INET Recv Send Send Utilization Service Demand Socket Socket Message Elapsed Send Recv Send Recv Size Size Size Time Throughput local remote local remote bytes bytes bytes secs. 10^6bits/s % S % S us/KB us/KB 212992 212992 12000 10.00 3016.42 2.88 3.78 1.874 2.462 After patch: Overhead Command Shared Object Symbol 2,75% netserver [kernel.vmlinux] [k] memcpy_erms 2,63% netserver [kernel.vmlinux] [k] copy_user_enhanced_fast_string 2,39% netserver [kernel.vmlinux] [k] fib_table_lookup 2,04% netserver [kernel.vmlinux] [k] __pskb_pull_tail 1,91% netserver [kernel.vmlinux] [k] _raw_spin_lock 1,91% netserver [sctp] [k] sctp_packet_transmit 1,72% netserver [mlx4_en] [k] mlx4_en_process_rx_cq 1,68% netserver [sctp] [k] sctp_rcv # netperf -H 192.168.10.1 -l 10 -t SCTP_STREAM -cC -- -m 12000 SCTP STREAM TEST from 0.0.0.0 (0.0.0.0) port 0 AF_INET to 192.168.10.1 () port 0 AF_INET Recv Send Send Utilization Service Demand Socket Socket Message Elapsed Send Recv Send Recv Size Size Size Time Throughput local remote local remote bytes bytes bytes secs. 10^6bits/s % S % S us/KB us/KB 212992 212992 12000 10.00 3681.77 3.83 3.46 2.045 1.849 Fixes: 3acb50c18d8d ("sctp: delay as much as possible skb_linearize") Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/input.c | 11 +++++++---- net/sctp/inqueue.c | 13 ------------- 2 files changed, 7 insertions(+), 17 deletions(-) commit 187335cdfec32475677b8ea2e7a165843fc38675 Merge: 98a384e f96750f Author: David S. Miller Date: Fri Aug 19 16:09:57 2016 -0700 Merge branch 'mlx5-fixes' Saeed Mahameed says: ==================== Mellanox 100G mlx5 fixes 2016-08-16 This series includes some bug fixes for mlx5e driver. From Saeed and Tariq, Optimize MTU change to not reset when it is not required. From Paul, Command interface message length check to speedup firmware command preparation. From Mohamad, Save pci state when pci error is detected. From Amir, Flow counters "lastuse" update fix. From Hadar, Use correct flow dissector key on flower offloading. Plus a small optimization for switchdev hardware id query. From Or, three patches to address some E-Switch offloads issues. For -stable of 4.6.y and 4.7.y: net/mlx5e: Use correct flow dissector key on flower offloading net/mlx5: Fix pci error recovery flow net/mlx5: Added missing check of msg length in verifying its signature ==================== Signed-off-by: David S. Miller commit f96750f8d6bd64bb6f5a7a1146121b96bc6115f0 Author: Or Gerlitz Date: Thu Aug 18 21:09:11 2016 +0300 net/mlx5: E-Switch, Avoid ACLs in the offloads mode When we are in the switchdev/offloads mode, HW matching is done as dictated by the offloaded rules and hence we don't need to enable the ACLs mechanism used by the legacy mode. Signed-off-by: Or Gerlitz Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) commit 1a8ee6f25b10da7e3de0899a184b221d793f2482 Author: Or Gerlitz Date: Thu Aug 18 21:09:10 2016 +0300 net/mlx5: E-Switch, Set the send-to-vport rules in the correct table While adding actual offloading support to the new switchdev mode, we didn't change the setup of the send-to-vport rules to put them in the slow path table, fix that. Fixes: 1033665e63b6 ('net/mlx5: E-Switch, Use two priorities for SRIOV offloads mode') Signed-off-by: Or Gerlitz Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ef78618b9d29d40c95ca7092493545b8487e226c Author: Or Gerlitz Date: Thu Aug 18 21:09:09 2016 +0300 net/mlx5: E-Switch, Return the correct devlink e-switch mode Since mlx5 has also the NONE e-switch mode, we must translate from mlx5 mode to devlink mode on the devlink eswitch mode get call, do that. While here, remove the mlx5_ prefix from the static function helpers that deal with the mode to comply with the rest of the code. Fixes: c930a3ad7453 ('net/mlx5e: Add devlink based SRIOV mode change') Signed-off-by: Or Gerlitz Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 24 +++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) commit dbe413e3bb93e0634f6d8d00b01cda6f141e0acd Author: Hadar Hen Zion Date: Thu Aug 18 21:09:08 2016 +0300 net/mlx5e: Retrieve the switchdev id from the firmware only once Avoid firmware command execution each time the switchdev HW ID attr get call is made. We do that by reading the ID (PF NIC MAC) only once at load time and store it on the representor structure. Signed-off-by: Hadar Hen Zion Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++ drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 5 ++--- drivers/net/ethernet/mellanox/mlx5/core/eswitch.h | 1 + 3 files changed, 8 insertions(+), 3 deletions(-) commit 1dbd0d373ac338903d27fab5204b13122cc5accd Author: Hadar Hen Zion Date: Thu Aug 18 21:09:07 2016 +0300 net/mlx5e: Use correct flow dissector key on flower offloading The wrong key is used when extracting the address type field set by the flower offload code. We have to use the control key and not the basic key, fix that. Fixes: e3a2b7ed018e ('net/mlx5e: Support offload cls_flower with drop action') Signed-off-by: Hadar Hen Zion Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6c3b4f90861c7ed59d0287b0ff7f2623f9d93d73 Author: Amir Vadai Date: Thu Aug 18 21:09:06 2016 +0300 net/mlx5: Update last-use statistics for flow rules Set lastuse statistic, when number of packets is changed compared to last query. This was wrongly dropped when bulk counter reading was added. Fixes: a351a1b03bf1 ('net/mlx5: Introduce bulk reading of flow counters') Signed-off-by: Amir Vadai Reported-by: Paul Blakey Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/fs_counters.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 2c0f8ce1b584a4d7b8ff53140d21dfed99834940 Author: Paul Blakey Date: Thu Aug 18 21:09:05 2016 +0300 net/mlx5: Added missing check of msg length in verifying its signature Set and verify signature calculates the signature for each of the mailbox nodes, even for those that are unused (from cache). Added a missing length check to set and verify only those which are used. While here, also moved the setting of msg's nodes token to where we already go over them. This saves a pass because checksum is disabled, and the only useful thing remaining that set signature does is setting the token. Fixes: e126ba97dba9 ('mlx5: Add driver for Mellanox Connect-IB adapters') Signed-off-by: Paul Blakey Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 85 +++++++++++++++++---------- 1 file changed, 54 insertions(+), 31 deletions(-) commit 1061c90f524963a0a90e7d2f9a6bfa666458af51 Author: Mohamad Haj Yahia Date: Thu Aug 18 21:09:04 2016 +0300 net/mlx5: Fix pci error recovery flow When PCI error is detected we should save the state of the pci prior to disabling it. Also when receiving pci slot reset call we need to verify that the device is responsive. Fixes: 89d44f0a6c73 ('net/mlx5_core: Add pci error handlers to mlx5_core driver') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/main.c | 59 +++++++++++++------------- 1 file changed, 29 insertions(+), 30 deletions(-) commit 506753b0b40997756d73f841c884a018f52401a0 Author: Tariq Toukan Date: Thu Aug 18 21:09:03 2016 +0300 net/mlx5e: Optimization for MTU change Avoid unnecessary interface down/up operations upon an MTU change when it does not affect the rings configuration. Fixes: 461017cb006a ("net/mlx5e: Support RX multi-packet WQE (Striding RQ)") Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 13f9bba7cd4f1665e4091143950a54e3f2984b07 Author: Saeed Mahameed Date: Thu Aug 18 21:09:02 2016 +0300 net/mlx5e: Set port MTU on netdev creation rather on open Port mtu shouldn't be written to hardware on every single interface open. Here we set it only when needed, on change_mtu and netdevice creation. Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit c57653dc94d0db7bf63067433ceaa97bdcd0a312 Author: Vineet Gupta Date: Fri Aug 19 13:59:02 2016 -0700 ARC: export __udivdi3 for modules Some module using div_u64() was failing to link because the libgcc 64-bit divide assist routine was not being exported for modules Reported-by: avinashp@quantenna.com Cc: stable@vger.kernel.org Signed-off-by: Vineet Gupta arch/arc/kernel/arcksyms.c | 2 ++ 1 file changed, 2 insertions(+) commit 9a0fe86745b8e95f7ea39933a956f5771332c430 Author: Trond Myklebust Date: Fri Aug 19 15:33:12 2016 -0400 pNFS: Handle NFS4ERR_OLD_STATEID correctly in LAYOUTSTAT calls We normally want to update the stateid and then retry, Signed-off-by: Trond Myklebust fs/nfs/nfs42proc.c | 34 +++++++++++++++++++++++++++++----- fs/nfs/pnfs.c | 1 - 2 files changed, 29 insertions(+), 6 deletions(-) commit cbaaf6ef0e9fba6d842d4df07d3afaf1996b2181 Merge: c9d8fa6 9070609 Author: Jens Axboe Date: Fri Aug 19 14:03:05 2016 -0600 Merge branch 'v4.8-rc2-bcache-fixes' of https://bitbucket.org/ewheelerinc/linux into for-linus Eric writes: Please pull this bcache branch based on v4.8-rc2. These fix one deadlock, one use blkdev_put() use counter, and one dmesg output with a better pr_err() description. commit 6040e57658eee6eb1315a26119101ca832d1f854 Author: Linus Torvalds Date: Fri Aug 19 12:47:01 2016 -0700 Make the hardened user-copy code depend on having a hardened allocator The kernel test robot reported a usercopy failure in the new hardened sanity checks, due to a page-crossing copy of the FPU state into the task structure. This happened because the kernel test robot was testing with SLOB, which doesn't actually do the required book-keeping for slab allocations, and as a result the hardening code didn't realize that the task struct allocation was one single allocation - and the sanity checks fail. Since SLOB doesn't even claim to support hardening (and you really shouldn't use it), the straightforward solution is to just make the usercopy hardening code depend on the allocator supporting it. Reported-by: kernel test robot Cc: Kees Cook Signed-off-by: Linus Torvalds security/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 8cc9dddd381d94f1cbeed62af275a8764583b349 Merge: 43f4d36 0268263 Author: Linus Torvalds Date: Fri Aug 19 12:10:06 2016 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "I2C has some pretty standard driver bugfixes and one minor cleanup" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: meson: Use complete() instead of complete_all() i2c: brcmstb: Use complete() instead of complete_all() i2c: bcm-kona: Use complete() instead of complete_all() i2c: bcm-iproc: Use complete() instead of complete_all() i2c: at91: fix support of the "alternative command" feature i2c: ocores: add missed clk_disable_unprepare() on failure paths i2c: cros-ec-tunnel: Fix usage of cros_ec_cmd_xfer() i2c: mux: demux-pinctrl: properly roll back when adding adapter fails commit 1c3c909303924d30145601f47b6c058fdd2cbc2e Author: Vineet Gupta Date: Tue Aug 16 18:27:07 2016 -0700 ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS | CC mm/memory.o | In file included from ../mm/memory.c:53:0: | ../include/linux/pfn_t.h: In function ‘pfn_t_pte’: | ../include/linux/pfn_t.h:78:2: error: conversion to non-scalar type requested | return pfn_pte(pfn_t_to_pfn(pfn), pgprot); With STRICT_MM_TYPECHECKS pte_t is a struct and the offending code forces a cast which ends up shifting a struct and hence the gcc warning. Note that in recent past some of the arches (aarch64, s390) made STRICT_MM_TYPECHECKS default, but we don't for ARC as this leads to slightly worse generated code, given ARC ABI definition of returning structs (which pte_t would become) Quoting from ARC ABI... "Results of type struct are returned in a caller-supplied temporary variable whose address is passed in r0. For such functions, the arguments are shifted so that they are passed in r1 and up." So - struct to be returned would be allocated on stack requiring extra code at call sites - callee updates stack memory to facilitate the return (vs. simple MOV into return reg r0) Hence STRICT_MM_TYPECHECKS is not enabled by default for ARC Cc: #4.4+ Signed-off-by: Vineet Gupta arch/arc/include/asm/pgtable.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d77976c414ed7f521b9c79b2a9dde0147a3cf754 Author: Vineet Gupta Date: Wed Aug 17 17:34:46 2016 -0700 ARC: export kmap | MODPOST 7 modules | ERROR: "kmap" [fs/ext2/ext2.ko] undefined! | ../scripts/Makefile.modpost:91: recipe for target '__modpost' failed Cc: Signed-off-by: Vineet Gupta arch/arc/mm/highmem.c | 1 + 1 file changed, 1 insertion(+) commit 840c054fd0efb048df6fceb0c46385ec5b66dfe6 Author: Vineet Gupta Date: Wed Aug 10 14:10:57 2016 -0700 ARC: Support syscall ABI v4 The syscall ABI includes the gcc functional calling ABI since a syscall implies userland caller and kernel callee. The current gcc ABI (v3) for ARCv2 ISA required 64-bit data be passed in even-odd register pairs, (potentially punching reg holes when passing such values as args). This was partly driven by the fact that the double-word LDD/STD instructions in ARCv2 expect the register alignment and thus gcc forcing this avoids extra MOV at the cost of a few unused register (which we have plenty anyways). This however was rejected as part of upstreaming gcc port to HS. So the new ABI v4 doesn't enforce the even-odd reg restriction. Do note that for ARCompact ISA builds v3 and v4 are practically the same in terms of gcc code generation. In terms of change management, we infer the new ABI if gcc 6.x onwards is used for building the kernel. This also needs a stable backport to enable older kernels to work with new tools/user-space Cc: Signed-off-by: Vineet Gupta arch/arc/include/uapi/asm/elf.h | 11 +++++++++-- arch/arc/kernel/process.c | 2 +- arch/arc/kernel/setup.c | 6 ++++-- 3 files changed, 14 insertions(+), 5 deletions(-) commit 86147e3cfa5e118b61e78f4f0bf29e920dcbd477 Author: Liav Rehana Date: Tue Aug 16 10:55:35 2016 +0300 ARC: use correct offset in pt_regs for saving/restoring user mode r25 User mode callee regs are explicitly collected before signal delivery or breakpoint trap. r25 is special for kernel as it serves as task pointer, so user mode value is clobbered very early. It is saved in pt_regs where generally only scratch (aka caller saved) regs are saved. The code to access the corresponding pt_regs location had a subtle bug as it was using load/store with scaling of offset, whereas the offset was already byte wise correct. So fix this by replacing LD.AS with a standard LD Cc: Signed-off-by: Liav Rehana Reviewed-by: Alexey Brodkin [vgupta: rewrote title and commit log] Signed-off-by: Vineet Gupta arch/arc/include/asm/entry.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 47af45d684b5f3ae000ad448db02ce4f13f73273 Author: Dmitry Torokhov Date: Tue Aug 16 17:38:54 2016 -0700 Input: i8042 - set up shared ps2_cmd_mutex for AUX ports The commit 4097461897df ("Input: i8042 - break load dependency ...") correctly set up ps2_cmd_mutex pointer for the KBD port but forgot to do the same for AUX port(s), which results in communication on KBD and AUX ports to clash with each other. Fixes: 4097461897df ("Input: i8042 - break load dependency ...") Reported-by: Bruno Wolff III Tested-by: Bruno Wolff III Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/serio/i8042.c | 1 + 1 file changed, 1 insertion(+) commit c9d8fa6d30f1660d3effc4b652c8ad1879efd565 Merge: 1b85608 4e876c2 Author: Jens Axboe Date: Fri Aug 19 10:51:15 2016 -0600 Merge branch 'stable/for-jens-4.8-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus Konrad writes: Please git pull the following three fixes in to your 'for-linus' branch. It is against 'for-linus' instead of 'for-4.8/drivers' because we had some code in xen-blkfront go through the Xen tree (with your Ack). The reason was that you 'for-4.8/drivers' was based on 4.7-rc2, and the fixes needed to be against newer tag. This branch fixes as we are exercising the multiqueue components more aggressively. commit 43f4d36cbf82428374966568ea57a0bc0d664a20 Merge: b284879 9e7d936 Author: Linus Torvalds Date: Fri Aug 19 09:32:48 2016 -0700 Merge tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - a stable fix for DM round robin multipath path selector to disable preemption before using this_cpu_ptr() - a slight increase in DM crypt's mempool reserves to make swap ontop of DM crypt more performant - a few DM raid fixes to issues found while testing changes that were merged in v4.8-rc1 * tag 'dm-4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm raid: support raid0 with missing metadata devices dm raid: enhance attempt_restore_of_faulty_devices() to support more devices dm raid: fix restoring of failed devices regression dm raid: fix frozen recovery regression dm crypt: increase mempool reserve to better support swapping dm round robin: do not use this_cpu_ptr() without having preemption disabled commit 4e876c2bd37fbb5c37a4554a79cf979d486f0e82 Author: Bob Liu Date: Wed Jul 27 17:42:04 2016 +0800 xen-blkfront: free resources if xlvbd_alloc_gendisk fails Current code forgets to free resources in the failure path of xlvbd_alloc_gendisk(), this patch fix it. Signed-off-by: Bob Liu Signed-off-by: Konrad Rzeszutek Wilk drivers/block/xen-blkfront.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 172335ada40ce26806e514c83a504b45c14a4139 Author: Bob Liu Date: Fri Jul 1 17:43:39 2016 -0400 xen-blkfront: introduce blkif_set_queue_limits() blk_mq_update_nr_hw_queues() reset all queue limits to default which it's not as xen-blkfront expected, introducing blkif_set_queue_limits() to reset limits with initial correct values. Signed-off-by: Bob Liu Acked-by: Roger Pau Monné Signed-off-by: Konrad Rzeszutek Wilk drivers/block/xen-blkfront.c | 86 ++++++++++++++++++++++++-------------------- 1 file changed, 48 insertions(+), 38 deletions(-) commit 6c647b0eb01cd7326dca093590f5e123e3c68b9c Author: Bob Liu Date: Fri Jul 1 15:45:57 2016 -0400 xen-blkfront: fix places not updated after introducing 64KB page granularity Two places didn't get updated when 64KB page granularity was introduced, this patch fix them. Signed-off-by: Bob Liu Acked-by: Roger Pau Monné Signed-off-by: Konrad Rzeszutek Wilk drivers/block/xen-blkfront.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bdf001374bfe12677ae6ec5076452493fb682012 Author: Christian König Date: Tue Aug 16 19:52:35 2016 +0200 drm/amdgpu: fix timeout value check in amd_sched_job_recovery Could be that we don't actually have a timeout set. Signed-off-by: Christian König Acked-by: Alex Deucher Reviewed-by: Chunming Zhou Signed-off-by: Alex Deucher drivers/gpu/drm/amd/scheduler/gpu_scheduler.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 847927bb3db2b18744ddec1b4fbb274ac7e05199 Author: Christian König Date: Wed Aug 17 14:10:37 2016 +0200 drm/amdgpu: fix sdma_v2_4_ring_test_ib Typo in checking the return code. Signed-off-by: Christian König Reviewed-by: Alex Deucher Reviewed-by: Chunming Zhou Signed-off-by: Alex Deucher drivers/gpu/drm/amd/amdgpu/sdma_v2_4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 815d27a46f3119f74fe01fe10bf683aa5bc55597 Author: Christian König Date: Wed Aug 17 09:45:25 2016 +0200 drm/amdgpu: fix amdgpu_move_blit on 32bit systems This bug seems to be present for a very long time. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b28487928101f01e6a8c477940da701595304751 Merge: 080ebb1 01b3add Author: Linus Torvalds Date: Fri Aug 19 09:22:50 2016 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Six fairly small fixes. The ipr, mpt3sas and ses ones all trigger oopses. The megaraid one fixes an attach failure on io mapped only cards, the fcoe one is an obvious problem in the error path and the aacraid one is a theoretical security issue (ability to trick the kernel into a buffer overrun)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: ses: Fix racy cleanup of /sys in remove_dev() mpt3sas: Fix resume on WarpDrive flash cards ipr: Fix sync scsi scan megaraid_sas: Fix probing cards without io port aacraid: Check size values after double-fetch from user fcoe: Use kfree_skb() instead of kfree() commit 13f479b9df4e2bbf2d16e7e1b02f3f55f70e2455 Author: Christian König Date: Wed Aug 17 09:46:42 2016 +0200 drm/radeon: fix radeon_move_blit on 32bit systems This bug seems to be present for a very long time. Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/radeon/radeon_ttm.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 080ebb158533ec050cb8c0665c0aef8d512427f1 Merge: a8414fa f1f6d9a Author: Linus Torvalds Date: Fri Aug 19 09:21:24 2016 -0700 Merge tag 'usb-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are a number of USB fixes for reported issues for your tree. The normal amount of gadget fixes, xhci fixes, new device ids, and a few other minor things. All of them have been in linux-next for a while, the full details are in the shortlog below" * tag 'usb-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (43 commits) xhci: don't dereference a xhci member after removing xhci usb: xhci: Fix panic if disconnect xhci: really enqueue zero length TRBs. xhci: always handle "Command Ring Stopped" events cdc-acm: fix wrong pipe type on rx interrupt xfers usb: misc: usbtest: add fix for driver hang usb: dwc3: gadget: stop processing on HWO set usb: dwc3: don't set last bit for ISOC endpoints usb: gadget: rndis: free response queue during REMOTE_NDIS_RESET_MSG usb: udc: core: fix error handling usb: gadget: fsl_qe_udc: off by one in setup_received_handle() usb/gadget: fix gadgetfs aio support. usb: gadget: composite: Fix return value in case of error usb: gadget: uvc: Fix return value in case of error usb: gadget: fix check in sync read from ep in gadgetfs usb: misc: usbtest: usbtest_do_ioctl may return positive integer usb: dwc3: fix missing platform_set_drvdata() in dwc3_of_simple_probe() usb: phy: omap-otg: Fix missing platform_set_drvdata() in omap_otg_probe() usb: gadget: configfs: add mutex lock before unregister gadget usb: gadget: u_ether: fix dereference after null check coverify warning ... commit a8414fa3604f6a3edb8279dc96a456dcc6b99fac Merge: 3f318b3 32438cf Author: Linus Torvalds Date: Fri Aug 19 09:06:41 2016 -0700 Merge tag 'xfs-iomap-for-linus-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs Pull xfs and iomap fixes from Dave Chinner: "Changes in this update: Regression fixes for XFS changes introduce in 4.8-rc1: - buffer IO accounting assert failure - ENOSPC block accounting reservation issue - DAX IO path page cache invalidation fix - rmapbt on-disk block count in agf - correct classification of rmap block type when updating AGFL. - iomap support for attribute fork mapping Regression fixes for iomap infrastructure in 4.8-rc1: - fiemap: honor FIEMAP_FLAG_SYNC - fiemap: implement FIEMAP_FLAG_XATTR support to fix XFS regression - make mark_page_accessed and pagefault_disable usage consistent with other IO paths" * tag 'xfs-iomap-for-linus-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs: xfs: remove OWN_AG rmap when allocating a block from the AGFL xfs: (re-)implement FIEMAP_FLAG_XATTR xfs: simplify xfs_file_iomap_begin iomap: mark ->iomap_end as optional iomap: prepare iomap_fiemap for attribute mappings iomap: fiemap should honor the FIEMAP_FLAG_SYNC flag iomap: remove superflous pagefault_disable from iomap_write_actor iomap: remove superflous mark_page_accessed from iomap_write_actor xfs: store rmapbt block count in the AGF xfs: don't invalidate whole file on DAX read/write xfs: fix bogus space reservation in xfs_iomap_write_allocate xfs: don't assert fail on non-async buffers on ioacct decrement commit 3f318b3cf87821625965344fbb30ca0fe077ef57 Merge: 952b159 4a008c0 Author: Linus Torvalds Date: Fri Aug 19 08:52:17 2016 -0700 Merge tag 'hwmon-for-linus-v4.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "Fix a bug in it87 driver and URLs in ftsteutates driver" * tag 'hwmon-for-linus-v4.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (ftsteutates) Correct ftp urls in driver documentation hwmon: (it87) Features mask must be 32 bit wide commit ba913e4f72fc9cfd03dad968dfb110eb49211d80 Author: James Hogan Date: Fri Aug 19 14:30:29 2016 +0100 MIPS: KVM: Check for pfn noslot case When mapping a page into the guest we error check using is_error_pfn(), however this doesn't detect a value of KVM_PFN_NOSLOT, indicating an error HVA for the page. This can only happen on MIPS right now due to unusual memslot management (e.g. being moved / removed / resized), or with an Enhanced Virtual Memory (EVA) configuration where the default KVM_HVA_ERR_* and kvm_is_error_hva() definitions are unsuitable (fixed in a later patch). This case will be treated as a pfn of zero, mapping the first page of physical memory into the guest. It would appear the MIPS KVM port wasn't updated prior to being merged (in v3.10) to take commit 81c52c56e2b4 ("KVM: do not treat noslot pfn as a error pfn") into account (merged v3.8), which converted a bunch of is_error_pfn() calls to is_error_noslot_pfn(). Switch to using is_error_noslot_pfn() instead to catch this case properly. Fixes: 858dd5d45733 ("KVM/MIPS32: MMU/TLB operations for the Guest.") Signed-off-by: James Hogan Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Ralf Baechle Cc: linux-mips@linux-mips.org Cc: kvm@vger.kernel.org Cc: # 3.10.y- Signed-off-by: Paolo Bonzini arch/mips/kvm/mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 14a5916e0cce6dbc9acedc99576261c6568689d2 Merge: 01b3add a0f81db Author: James Bottomley Date: Fri Aug 19 07:41:12 2016 -0700 Merge remote-tracking branch 'mkp-scsi/4.8/scsi-fixes' into fixes commit 21eb45db282317543ca46c821bbb8d5075e02cbe Author: Peter Ujfalusi Date: Fri Aug 19 09:34:24 2016 +0300 ASoC: omap-abe-twl6040: Correct dmic-codec device registration The dmic-codec was registered within the platform_driver's probe function, which can cause deferred probe to run in loops as reported and analyzed by Russell King. Use module_init/exit in the driver and handle the dmic-codec device registration and removal at that level instead of the platform_driver probe/remove. Signed-off-by: Peter Ujfalusi Reported-by: Russell King Tested-by: Russell King Signed-off-by: Mark Brown sound/soc/omap/omap-abe-twl6040.c | 61 ++++++++++++++++++++------------------- 1 file changed, 32 insertions(+), 29 deletions(-) commit 829bc78aa7628e81a9de717316b85cbee3c5eb86 Author: Corentin LABBE Date: Tue Aug 16 10:51:38 2016 +0200 thermal: imx: fix a possible NULL dereference of_match_device could return NULL, and so cause a NULL pointer dereference later at line 472: data->socdata = of_id->data; For fixing this problem, we use of_device_get_match_data(), this will simplify the code a little by using a standard function for getting the match data. Reported-by: coverity (CID 1324128) Signed-off-by: LABBE Corentin Signed-off-by: Zhang Rui drivers/thermal/imx_thermal.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 55f2ac33adc78d429c470c9ca05e18c36dc24922 Author: Caesar Wang Date: Tue May 3 20:07:41 2016 +0800 thermal: trivial: fix the typo See the thermal code, the obvious typo from my editor. Signed-off-by: Caesar Wang Signed-off-by: Eduardo Valentin Signed-off-by: Zhang Rui Documentation/devicetree/bindings/thermal/thermal.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 57027db00d1094d0abd5776899b00ca55d42d37c Author: Markus Elfring Date: Mon Aug 15 11:22:40 2016 +0200 Thermal-INT3406: Delete owner assignment The field "owner" is set by core. Thus delete an extra initialisation. Generated by: scripts/coccinelle/api/platform_no_drv_owner.cocci Signed-off-by: Markus Elfring Signed-off-by: Zhang Rui drivers/thermal/int340x_thermal/int3406_thermal.c | 1 - 1 file changed, 1 deletion(-) commit a305a4387acb01cecadeeea5151c049a022a1bfc Author: Brendan Jackman Date: Wed Aug 17 16:14:59 2016 +0100 thermal: cpu_cooling: Fix NULL dereference in cpufreq_state2power Currently all CPU cooling devices share a `struct thermal_cooling_device_ops` instance. The thermal core uses the presence of functions in this struct to determine if a cooling device has a power model (see cdev_is_power_actor). cpu_cooling.c adds the power model functions to the shared struct when a device is registered with a power model. Therefore, if a CPU cooling device is registered using [of_]cpufreq_power_cooling_register, _all_ devices will be determined to have a power model, including any registered with [of_]cpufreq_cooling_register. This can result in cpufreq_state2power being called on a device where dyn_power_table is NULL. With this commit, instead of having a shared thermal_cooling_device_ops which is mutated, we have two versions: one with the power functions and one without. Signed-off-by: Brendan Jackman Cc: Amit Daniel Kachhap Cc: Viresh Kumar Cc: Javi Merino Acked-by: Viresh Kumar Acked-by: Javi Merino Signed-off-by: Zhang Rui drivers/thermal/cpu_cooling.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) commit 048c28c91e56781082bc17d181e460b81e7e8bcb Author: Linus Walleij Date: Tue Aug 16 12:07:31 2016 +0200 gpio: make any OF dependent driver depend on OF_GPIO The drivers that depend on OF but not OF_GPIO are wreaking havoc with the autobuilders for archs that have all requirements for OF but not for OF_GPIO, particularly the UM (Usermode) arch does not have iomem (NO_IOMEM) which result in configuring GPIOLIB but without OF_GPIO which is wrong if the driver is using the .of_node of the gpiochip, which only appears with OF_GPIO. After a brief look at the drivers just depending on OF it seems most if not all of them actually require stuff from gpiolib-of so the dependency is wrong in the first place. This simply patches the Kconfig so that all GPIO drivers using OF depend on OF_GPIO rather than just OF. Cc: Rabin Vincent Cc: Pramod Gurav Cc: Andreas Larsson Cc: Gregory CLEMENT Cc: Thierry Reding Cc: Laxman Dewangan Cc: Alexandre Courbot Cc: Geert Uytterhoeven Cc: Phil Reid Signed-off-by: Linus Walleij drivers/gpio/Kconfig | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 2527ecc9195e9c66252af24c4689e8a67cd4ccb9 Author: Linus Walleij Date: Tue Aug 16 09:58:25 2016 +0200 gpio: Fix OF build problem on UM The UserMode (UM) Linux build was failing in gpiolib-of as it requires ioremap()/iounmap() to exist, which is absent from UM. The non-existence of IO memory is negatively defined as CONFIG_NO_IOMEM which means we need to depend on HAS_IOMEM. Cc: stable@vger.kernel.org Cc: Geert Uytterhoeven Reported-by: kbuild test robot Signed-off-by: Linus Walleij drivers/gpio/Kconfig | 1 + 1 file changed, 1 insertion(+) commit aa71987472a974f4f6dc4be377720564079ef42e Author: Christoph Hellwig Date: Thu Aug 18 11:16:36 2016 -0700 nvme: fabrics drivers don't need the nvme-pci driver So select the NVME_CORE symbol instead of depending on BLK_DEV_NVME. Signed-off-by: Christoph Hellwig Reviewed-by: Jay Freyensee Signed-off-by: Sagi Grimberg drivers/nvme/host/Kconfig | 2 +- drivers/nvme/target/Kconfig | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 98096d8a787f05b1afe3869aa01e84981915c81d Author: Christoph Hellwig Date: Thu Aug 18 11:16:35 2016 -0700 nvme-fabrics: get a reference when reusing a nvme_host structure Without this we'll get a use after free after connecting two controller using the same hostnqn and then disconnecting one of them. Signed-off-by: Christoph Hellwig Reviewed-by: Jay Freyensee Signed-off-by: Sagi Grimberg drivers/nvme/host/fabrics.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 06777c4ec78a43977b63f1d5045def057227c2c5 Author: Robert Jarzmik Date: Sun Aug 7 21:01:49 2016 +0200 dmaengine: pxa_dma: fix debug message In a very tight timeframe, the debug message in the transfer completion handler can be misleading, as the completion test report can change just after the message, and the code flow cannot be deduced from the debug message. This is just a cleanup to make debugging easier. Signed-off-by: Robert Jarzmik Signed-off-by: Vinod Koul drivers/dma/pxa_dma.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit d1e81428826221d7ff8e4d83db784d099cd232a7 Author: Mark Brown Date: Thu Aug 18 19:32:59 2016 +0100 ASoC: core: Clean up DAPM before the card debugfs Both the card and DAPM cleanups recursively delete their debugfs directories. Since the DAPM debugfs subdirectory for the card is located within the card debugfs this means we end up trying to double free the DAPM subdirectory. Reorder the cleanup to free the card debugfs after we've cleaned up DAPM and it has deleted its own subdirectory. Reported-by: Russell King - ARM Linux Tested-by: Russell King Signed-off-by: Mark Brown sound/soc/soc-core.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 7a665d2f60b457c0d77b3e4f01e21c55ffc57069 Author: Daniel Verkamp Date: Tue Jun 28 11:20:23 2016 -0700 nvme-fabrics: change NQN UUID to big-endian format NVM Express 1.2.1 section 7.9, NVMe Qualified Names, specifies that the UUID format of NQN uses a UUID based on RFC 4122. RFC 4122 specifies that the UUID is encoded in big-endian byte order. Switch the NVMe over Fabrics host ID field from little-endian UUID to big-endian UUID to match the specification. Signed-off-by: Daniel Verkamp Reviewed-by: Jay Freyensee Signed-off-by: Sagi Grimberg drivers/nvme/host/fabrics.c | 10 +++++----- drivers/nvme/host/fabrics.h | 2 +- include/linux/nvme.h | 2 +- 3 files changed, 7 insertions(+), 7 deletions(-) commit 5bc0a11664e17e9f9551983f5b660bd48b57483c Author: Will Deacon Date: Tue Aug 16 14:29:16 2016 +0100 iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass The disable_bypass cmdline option changes the SMMUv3 driver to put down faulting stream table entries by default, as opposed to bypassing transactions from unconfigured devices. In this mode of operation, it is entirely expected to see aborting entries in the stream table if and when we come to installing a valid translation, so don't trigger a BUG() as a result of misdiagnosing these entries as stream table corruption. Cc: Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") Tested-by: Robin Murphy Reported-by: Robin Murphy Reviewed-by: Robin Murphy Signed-off-by: Will Deacon drivers/iommu/arm-smmu-v3.c | 3 +++ 1 file changed, 3 insertions(+) commit 3714ce1d6655098ee69ede632883e5874d67e4ab Author: Will Deacon Date: Fri Aug 5 19:49:45 2016 +0100 iommu/arm-smmu: Disable stalling faults for all endpoints Enabling stalling faults can result in hardware deadlock on poorly designed systems, particularly those with a PCI root complex upstream of the SMMU. Although it's not really Linux's job to save hardware integrators from their own misfortune, it *is* our job to stop userspace (e.g. VFIO clients) from hosing the system for everybody else, even if they might already be required to have elevated privileges. Given that the fault handling code currently executes entirely in IRQ context, there is nothing that can sensibly be done to recover from things like page faults anyway, so let's rip this code out for now and avoid the potential for deadlock. Cc: Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") Reported-by: Matt Evans Signed-off-by: Will Deacon drivers/iommu/arm-smmu.c | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) commit 7611da865c1060b2a7c87a15de663a59035747f8 Author: David Daney Date: Thu Aug 18 15:41:58 2016 -0700 irqchip/gicv3-its: Disable the ITS before initializing it When starting a kexec/kdump kernel, the GIC ITS will already have been enabled. According to the ARM Generic Interrupt Controller Architecture Specification (GIC architecture Version 3.0 and version 4.0), writing to GITS_BASER or GITS_CBASER is "UNPREDICTABLE" when the ITS is enabled. On Cavium Thunder systems, this prevents the ITS from being initializing in the kexec/kdump kernel, resulting in failure to register/enable interrupts for all devices. The fix is to disable the ITS if it is not already in the disabled state. This allows the ITS to be properly initialized and then re-enabled in the kexec/kdump kernel. Acked-by: Marc Zyngier Signed-off-by: David Daney Signed-off-by: Marc Zyngier drivers/irqchip/irq-gic-v3-its.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit aea2037e0d3e23c3be1498feae29f71ca997d9e6 Author: Will Deacon Date: Fri Jul 29 11:15:37 2016 +0100 iommu/arm-smmu: Fix CMDQ error handling In the unlikely event of a global command queue error, the ARM SMMUv3 driver attempts to convert the problematic command into a CMD_SYNC and resume the command queue. Unfortunately, this code is pretty badly broken: 1. It uses the index into the error string table as the CMDQ index, so we probably read the wrong entry out of the queue 2. The arguments to queue_write are the wrong way round, so we end up writing from the queue onto the stack. These happily cancel out, so the kernel is likely to stay alive, but the command queue will probably fault again when we resume. This patch fixes the error handling code to use the correct queue index and write back the CMD_SYNC to the faulting entry. Cc: Fixes: 48ec83bcbcf5 ("iommu/arm-smmu: Add initial driver support for ARM SMMUv3 devices") Reported-by: Diwakar Subraveti Signed-off-by: Will Deacon drivers/iommu/arm-smmu-v3.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e633fc7a1347528c3b4a6bbdeb41f5d63988242c Author: Robin Murphy Date: Thu Aug 11 17:44:05 2016 +0100 iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks Due to the attribute bits being all over the place in the different types of short-descriptor PTEs, when remapping an existing entry, e.g. splitting a section into pages, we take the approach of decomposing the PTE attributes back to the IOMMU API flags to start from scratch. On inspection, though, the existing code seems to have got the read-only bit backwards and ignored the XN bit. How embarrassing... Fortunately the primary user so far, the Mediatek IOMMU, both never splits blocks (because it only serves non-overlapping DMA API calls) and also ignores permissions anyway, but let's put things right before any future users trip up. Cc: Fixes: e5fc9753b1a8 ("iommu/io-pgtable: Add ARMv7 short descriptor support") Signed-off-by: Robin Murphy Signed-off-by: Will Deacon drivers/iommu/io-pgtable-arm-v7s.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 98a384eca9c147f890b5ea31ae91da3769e47e07 Author: Xunlei Pang Date: Thu Aug 18 12:33:28 2016 +0800 fib_trie: Fix the description of pos and bits 1) Fix one typo: s/tn/tp/ 2) Fix the description about the "u" bits. Signed-off-by: Xunlei Pang Acked-by: Alexander Duyck Signed-off-by: David S. Miller net/ipv4/fib_trie.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 76507fdfc9b629209ae20cd469da2f6d093a507c Author: Robert Jarzmik Date: Sun Aug 7 21:01:48 2016 +0200 dmaengine: pxa_dma: fix hotchain corner case In the case where a descriptor is chained on a running channel, and as explained in the comment in the code 10 lines above, the success of the chaining is ensured either if : - the DMA is still running - or if the chained transfer is completed Unfortunately the transfer completness test was done on the descriptor to which the transfer was chained, and not the transfer being chained at the end, ie. hot-chained. This corner case is extremely hard to trigger, as usually the DMA chain is still running, and the first case takes care of returning success of the hot-chaining. It was seen by hot-chaining several "small transfers" to a running "big transfer", not in a real-life usecase but by testing the robustness of the driver. Signed-off-by: Robert Jarzmik Signed-off-by: Vinod Koul drivers/dma/pxa_dma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4587a996b458d0f1a905c648f3aa695cdcaa2a99 Merge: b9f63ae 575ced7 Author: David S. Miller Date: Thu Aug 18 23:25:34 2016 -0700 Merge branch 'kaweth-oopses' Oliver Neukum says: ==================== fixes to kaweth in response to Umap2 testing These patches fix an oops in firmware downloading and an oops due to a memory allocation failure ==================== Signed-off-by: David S. Miller commit 575ced7f8090c1a4e91e2daf8da9352a6a1fc7a7 Author: Oliver Neukum Date: Wed Aug 17 15:51:56 2016 +0200 kaweth: fix oops upon failed memory allocation Just return an error upon failure. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller drivers/net/usb/kaweth.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 60bcabd080f53561efa9288be45c128feda1a8bb Author: Oliver Neukum Date: Wed Aug 17 15:51:55 2016 +0200 kaweth: fix firmware download This fixes the oops discovered by the Umap2 project and Alan Stern. The intf member needs to be set before the firmware is downloaded. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller drivers/net/usb/kaweth.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit b9f63ae7ba2de2ba19137c5757c0607ce40f3ed5 Author: Rafał Miłecki Date: Wed Aug 17 15:37:14 2016 +0200 net: bgmac: fix reversed check for MII registration error It was failing on successful registration returning meaningless errors. Signed-off-by: Rafał Miłecki Fixes: 55954f3bfdac ("net: ethernet: bgmac: move BCMA MDIO Phy code into a separate file") Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bgmac-bcma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bb1fceca22492109be12640d49f5ea5a544c6bb4 Author: Eric Dumazet Date: Wed Aug 17 05:56:26 2016 -0700 tcp: fix use after free in tcp_xmit_retransmit_queue() When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the tail of the write queue using tcp_add_write_queue_tail() Then it attempts to copy user data into this fresh skb. If the copy fails, we undo the work and remove the fresh skb. Unfortunately, this undo lacks the change done to tp->highest_sack and we can leave a dangling pointer (to a freed skb) Later, tcp_xmit_retransmit_queue() can dereference this pointer and access freed memory. For regular kernels where memory is not unmapped, this might cause SACK bugs because tcp_highest_sack_seq() is buggy, returning garbage instead of tp->snd_nxt, but with various debug features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel. This bug was found by Marco Grassi thanks to syzkaller. Fixes: 6859d49475d4 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb") Reported-by: Marco Grassi Signed-off-by: Eric Dumazet Cc: Ilpo Järvinen Cc: Yuchung Cheng Cc: Neal Cardwell Acked-by: Neal Cardwell Reviewed-by: Cong Wang Signed-off-by: David S. Miller include/net/tcp.h | 2 ++ 1 file changed, 2 insertions(+) commit e0d8b2908696d30583ae5764e33332e71cbbccc9 Author: Hariprasad Shenai Date: Wed Aug 17 14:09:28 2016 +0530 cxgb4: Fixes resource allocation for ULD's in kdump kernel At present the code to check in kdump kernel was not disabling allocation of resources when CONFIG_CHELSIO_T4_DCB is defined, move the code outside #defines so that it gets disabled irrespective of #define, when in kdump kernel. Signed-off-by: Hariprasad Shenai Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 1423661fed2c40d6d71b5e2e3aa390f85157f9d5 Author: David Daney Date: Tue Aug 16 13:30:36 2016 -0700 net: thunderx: Fix OOPs with ethtool --register-dump The ethtool_ops .get_regs function attempts to read the nonexistent register NIC_QSET_SQ_0_7_CNM_CHG, which produces a "bus error" type OOPs. Fix by not attempting to read, and removing the definition of, NIC_QSET_SQ_0_7_CNM_CHG. A zero is written into the register dump to keep the layout unchanged. Signed-off-by: David Daney Cc: # 4.4.x- Signed-off-by: David S. Miller drivers/net/ethernet/cavium/thunder/nic_reg.h | 1 - drivers/net/ethernet/cavium/thunder/nicvf_ethtool.c | 5 ++++- 2 files changed, 4 insertions(+), 2 deletions(-) commit 039a392733600d35c80d406a98151b2a9a0a74b4 Author: Yuval Mintz Date: Tue Aug 16 18:40:18 2016 +0300 qede: Fix Tx timeout due to xmit_more Driver uses netif_tx_queue_stopped() to make sure the xmit_more indication will be honored, but that only checks for DRV_XOFF. At the same time, it's possible that during transmission the DQL will close the transmission queue with STACK_XOFF indication. In re-configuration flows, when the threshold is relatively low, it's possible that the device has no pending tranmissions, and during tranmission the driver would miss doorbelling the HW. Since there are no pending transmission, there will never be a Tx completion [and thus the DQL would not remove the STACK_XOFF indication], eventually causing the Tx queue to timeout. While we're at it - also doorbell in case driver has to close the transmission queue on its own [although this one is less important - if the ring is full, we're bound to receive completion eventually, which means the doorbell would only be postponed and not indefinetly blocked]. Fixes: 312e06761c99 ("qede: Utilize xmit_more") Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qede/qede_main.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 90706094d5be614ae7285b3c96c3125bb198618c Author: Eric Wheeler Date: Thu Aug 18 20:15:26 2016 -0700 bcache: pr_err: more meaningful error message when nr_stripes is invalid The original error was thought to be corruption, but was actually caused by: make-bcache --data-offset N where N was in bytes and should have been in sectors. While userspace tools should be updated to check --data-offset beyond end of volume, hopefully this will help others that might not have noticed the units. Signed-off-by: Eric Wheeler Cc: Kent Overstreet drivers/md/bcache/super.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit acc9cf8c66c66b2cbbdb4a375537edee72be64df Author: Kent Overstreet Date: Wed Aug 17 18:21:24 2016 -0700 bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two. This patch fixes a cachedev registration-time allocation deadlock. This can deadlock on boot if your initrd auto-registeres bcache devices: Allocator thread: [ 720.727614] INFO: task bcache_allocato:3833 blocked for more than 120 seconds. [ 720.732361] [] schedule+0x37/0x90 [ 720.732963] [] bch_bucket_alloc+0x188/0x360 [bcache] [ 720.733538] [] ? prepare_to_wait_event+0xf0/0xf0 [ 720.734137] [] bch_prio_write+0x19d/0x340 [bcache] [ 720.734715] [] bch_allocator_thread+0x3ff/0x470 [bcache] [ 720.735311] [] ? __schedule+0x2dc/0x950 [ 720.735884] [] ? invalidate_buckets+0x980/0x980 [bcache] Registration thread: [ 720.710403] INFO: task bash:3531 blocked for more than 120 seconds. [ 720.715226] [] schedule+0x37/0x90 [ 720.715805] [] __bch_btree_map_nodes+0x12d/0x150 [bcache] [ 720.716409] [] ? bch_btree_insert_check_key+0x1c0/0x1c0 [bcache] [ 720.717008] [] bch_btree_insert+0xf4/0x170 [bcache] [ 720.717586] [] ? prepare_to_wait_event+0xf0/0xf0 [ 720.718191] [] bch_journal_replay+0x14a/0x290 [bcache] [ 720.718766] [] ? ttwu_do_activate.constprop.94+0x5d/0x70 [ 720.719369] [] ? try_to_wake_up+0x1d4/0x350 [ 720.719968] [] run_cache_set+0x580/0x8e0 [bcache] [ 720.720553] [] register_bcache+0xe2e/0x13b0 [bcache] [ 720.721153] [] kobj_attr_store+0xf/0x20 [ 720.721730] [] sysfs_kf_write+0x3d/0x50 [ 720.722327] [] kernfs_fop_write+0x12a/0x180 [ 720.722904] [] __vfs_write+0x37/0x110 [ 720.723503] [] ? __sb_start_write+0x58/0x110 [ 720.724100] [] ? security_file_permission+0x23/0xa0 [ 720.724675] [] vfs_write+0xa9/0x1b0 [ 720.725275] [] ? do_audit_syscall_entry+0x6c/0x70 [ 720.725849] [] SyS_write+0x55/0xd0 [ 720.726451] [] ? do_page_fault+0x30/0x80 [ 720.727045] [] system_call_fastpath+0x12/0x71 The fifo code in upstream bcache can't use the last element in the buffer, which was the cause of the bug: if you asked for a power of two size, it'd give you a fifo that could hold one less than what you asked for rather than allocating a buffer twice as big. Signed-off-by: Kent Overstreet Tested-by: Eric Wheeler Cc: stable@vger.kernel.org drivers/md/bcache/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d9dc1702b297ec4a6bb9c0326a70641b322ba886 Author: Eric Wheeler Date: Fri Jun 17 15:01:54 2016 -0700 bcache: register_bcache(): call blkdev_put() when cache_alloc() fails register_cache() is supposed to return an error string on error so that register_bcache() will will blkdev_put and cleanup other user counters, but it does not set 'char *err' when cache_alloc() fails (eg, due to memory pressure) and thus register_bcache() performs no cleanup. register_bcache() <----------\ <- no jump to err_close, no blkdev_put() | | +->register_cache() | <- fails to set char *err | | +->cache_alloc() ---/ <- returns error This patch sets `char *err` for this failure case so that register_cache() will cause register_bcache() to correctly jump to err_close and do cleanup. This was tested under OOM conditions that triggered the bug. Signed-off-by: Eric Wheeler Cc: Kent Overstreet Cc: stable@vger.kernel.org drivers/md/bcache/super.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 952b159f2919a8d514f13999f9f463bddcc1dae7 Merge: d8298d2 2c24ba2 Author: Linus Torvalds Date: Thu Aug 18 19:38:18 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc3-2' of git://people.freedesktop.org/~airlied/linux Pull more drm fixes from Dave Airlie: "Daniel pointed out I'd missed some i915 fixes, and I also found a single etnaviv fix I missed. So here they are" * tag 'drm-fixes-for-4.8-rc3-2' of git://people.freedesktop.org/~airlied/linux: drm/etnaviv: take GPU lock later in the submit process drm/i915: Fix modeset handling during gpu reset, v5. drm/i915: fix aliasing_ppgtt leak drm/i915: fix WaInsertDummyPushConstPs drm/i915: Fix iboost setting for SKL Y/U DP DDI buffer translation entry 2 drm/i915/gen9: Give one extra block per line for SKL plane WM calculations drm/i915: Acquire audio powerwell for HD-Audio registers drm/i915: Add missing rpm wakelock to GGTT pread drm/i915/fbc: FBC causes display flicker when VT-d is enabled on Skylake drm/i915: Clean up the extra RPM ref on CHV with i915.enable_rc6=0 drm/i915: Program iboost settings for HDMI/DVI on SKL drm/i915: Fix iboost setting for DDI with 4 lanes on SKL drm/i915: Handle ENOSPC after failing to insert a mappable node drm/i915: Flush GT idle status upon reset commit d8298d268a172d1624ee9817e4141d86502c63d4 Merge: 5cae6fe 34276bb Author: Linus Torvalds Date: Thu Aug 18 19:31:08 2016 -0700 Merge tag 'devicetree-fixes-for-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull DeviceTree fixes from Rob Herring: - a couple of DT node ref counting fixes - fix __unflatten_device_tree for PPC PCI hotplug case - rework marking irq controllers as OF_POPULATED in cases where real driver is used. - disable of_platform_default_populate_init on PPC. The change in initcall order causes problems which need to be sorted out later. * tag 'devicetree-fixes-for-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of: fix reference counting in of_graph_get_endpoint_by_regs of/platform: disable the of_platform_default_populate_init() for all the ppc boards ARM: imx6: mark GPC node as not populated after irq init to probe pm domain driver of/irq: Mark interrupt controllers as populated before initialisation drivers/of: Validate device node in __unflatten_device_tree() of: Delete an unnecessary check before the function call "of_node_put" commit a0f81dbeef13aa0aeaa8b955b38735dbf09de392 Author: Johannes Thumshirn Date: Wed Aug 17 11:46:18 2016 +0200 scsi: sas: remove is_sas_attached() As there are no more users of is_sas_attached() left, remove it. Signed-off-by: Johannes Thumshirn Reviewed-by: James E.J. Bottomley Signed-off-by: Martin K. Petersen drivers/scsi/scsi_transport_sas.c | 16 ---------------- include/scsi/scsi_transport_sas.h | 6 ------ 2 files changed, 22 deletions(-) commit 835831c57e9b0cccc24e96a812542875471d75b5 Author: Johannes Thumshirn Date: Wed Aug 17 11:46:17 2016 +0200 scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached Use scsi_is_sas_rphy() instead of is_sas_attached() to decide whether we should obtain the SAS address from a scsi device or not. This will prevent us from tripping on the BUG_ON() in sas_sdev_to_rdev() if the rphy isn't attached to the SAS transport class, like it is with hpsa's logical devices. Fixes: 3f8d6f2a0 ('ses: fix discovery of SATA devices in SAS enclosures') Signed-off-by: Johannes Thumshirn Reviewed-by: James E.J. Bottomley Signed-off-by: Martin K. Petersen drivers/scsi/ses.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c1a23f6d64552b4480208aa584ec7e9c13d6d9c3 Author: Johannes Thumshirn Date: Wed Aug 17 11:46:16 2016 +0200 scsi: sas: provide stub implementation for scsi_is_sas_rphy Provide a stub implementation for scsi_is_sas_rphy for kernel configurations which do not have CONFIG_SCSI_SAS_ATTRS defined. Reported-by: kbuild test robot Suggested-by: James Bottomley Reviewed-by: James E.J. Bottomley Signed-off-by: Johannes Thumshirn Signed-off-by: Martin K. Petersen include/scsi/scsi_transport_sas.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 20a3d61d46e1fb45efa6eb4637c0dcd3f00a14e9 Author: Chao Yu Date: Thu Aug 4 20:13:03 2016 +0800 f2fs: avoid potential deadlock in f2fs_move_file_range Thread A Thread B - inode_lock fileA - inode_lock fileB - inode_lock fileA - inode_lock fileB We may encounter above potential deadlock during moving file range in concurrent scenario. This patch fixes the issue by using inode_trylock instead. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim fs/f2fs/file.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit fe8494bfc8c2914fca821d4ae994aef039be5cf1 Author: Chao Yu Date: Thu Aug 4 20:13:02 2016 +0800 f2fs: allow copying file range only in between regular files Only if two input files are regular files, we allow copying data in range of them, otherwise, deny it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim fs/f2fs/file.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3024c9a1fefb3ac0d1b0b078a2e3f2f69478daab Author: Chao Yu Date: Sat Aug 6 21:09:41 2016 +0800 Revert "f2fs: move i_size_write in f2fs_write_end" This reverts commit a2ee0a300344a6da76186129b078113354fe13d2. When testing with generic/032 of xfstest suit, failure message will be reported as below: generic/032 8s ... [failed, exit status 1] - output mismatch (see results/generic/032.out.bad) --- tests/generic/032.out 2015-01-11 16:52:27.643681072 +0800 +++ results/generic/032.out.bad 2016-08-06 13:44:43.861330500 +0800 @@ -1,5 +1,5 @@ QA output created by 032 -100 iterations -0000000 cdcd cdcd cdcd cdcd cdcd cdcd cdcd cdcd -* -0100000 +1: [768..775]: unwritten +Unwritten extents found! ... (Run 'diff -u tests/generic/032.out results/generic/032.out.bad' to see the entire diff) Ran: generic/032 Failures: generic/032 Failed 1 of 1 tests In write_end(), we should update i_size of inode before unlock page, otherwise, we will lose newly updated data in following race condition. Thread A Thread B - write_end - unlock page - writepages - lock_page - writepage if page is out-of-range of file size, we will skip writting the page. - update i_size Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim fs/f2fs/data.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b873b798af6386f3c7ca1636d4989e9b8f9d1794 Author: Jaegeuk Kim Date: Thu Aug 4 11:38:25 2016 -0700 Revert "f2fs: use percpu_rw_semaphore" LKP reported -36.3% regression of fsmark.files_per_sec due to this patch. I've confirmed that fxmark [1] has also slight regression for DWAL. [1] https://github.com/sslab-gatech/fxmark This reverts commit ec795418c41850056feb956534edf059dc1155d4. fs/f2fs/f2fs.h | 12 ++++++------ fs/f2fs/node.c | 47 +++++++++++++++++++++++------------------------ fs/f2fs/super.c | 6 +----- 3 files changed, 30 insertions(+), 35 deletions(-) commit 5cae6fe27a1dc4053ae2f8f52ef1ef2ca860bbfb Merge: 3408fef d1669c8 Author: Linus Torvalds Date: Thu Aug 18 18:54:40 2016 -0700 Merge tag '4.8-doc-fixes' of git://git.lwn.net/linux Pull documentation fixes from Jonathan Corbet: "Three small fixes for Sphinx-formatted documentation generation" * tag '4.8-doc-fixes' of git://git.lwn.net/linux: doc-rst: customize RTD theme, drop padding of inline literal docs: kernel-documentation: remove some highlight directives docs: Set the Sphinx default highlight language to "guess" commit 53409afd3e6341d128e5120d3c202cf9a0b11dd2 Merge: 184ca82 b75911b Author: David S. Miller Date: Thu Aug 18 18:45:34 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter updates for your net tree, they are: 1) Dump only conntrack that belong to this namespace via /proc file. This is some fallout from the conversion to single conntrack table for all netns, patch from Liping Zhang. 2) Missing MODULE_ALIAS_NF_LOGGER() for the ARP family that prevents module autoloading, also from Liping Zhang. 3) Report overquota event to the right netnamespace, again from Liping. 4) Fix tproxy listener sk refcount that leads to crash, from Eric Dumazet. 5) Fix racy refcounting on object deletion from nfnetlink and rule removal both for nfacct and cttimeout, from Liping Zhang. ==================== Signed-off-by: David S. Miller commit c4e94174983a86c935be1537a73e496b778b0287 Author: Li Jun Date: Tue Aug 16 19:19:11 2016 +0800 usb: chipidea: udc: don't touch DP when controller is in host mode When the controller is configured to be dual role and it's in host mode, if bind udc and gadgt driver, those gadget operations will do gadget disconnect and finally pull down DP line, which will break host function. Cc: # 4.1+ Signed-off-by: Li Jun Signed-off-by: Peter Chen drivers/usb/chipidea/udc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 2c24ba2116d653b4a1315210e38eefbc9eeb1058 Merge: aae2d1f dfa2997 Author: Dave Airlie Date: Fri Aug 19 08:51:13 2016 +1000 Merge tag 'drm-intel-fixes-2016-08-15' of git://anongit.freedesktop.org/drm-intel into drm-fixes Collection of i915 fixes. * tag 'drm-intel-fixes-2016-08-15' of git://anongit.freedesktop.org/drm-intel: drm/i915: Fix modeset handling during gpu reset, v5. drm/i915: fix aliasing_ppgtt leak drm/i915: fix WaInsertDummyPushConstPs drm/i915: Fix iboost setting for SKL Y/U DP DDI buffer translation entry 2 drm/i915/gen9: Give one extra block per line for SKL plane WM calculations drm/i915: Acquire audio powerwell for HD-Audio registers drm/i915: Add missing rpm wakelock to GGTT pread drm/i915/fbc: FBC causes display flicker when VT-d is enabled on Skylake drm/i915: Clean up the extra RPM ref on CHV with i915.enable_rc6=0 drm/i915: Program iboost settings for HDMI/DVI on SKL drm/i915: Fix iboost setting for DDI with 4 lanes on SKL drm/i915: Handle ENOSPC after failing to insert a mappable node drm/i915: Flush GT idle status upon reset commit aae2d1fc8323cfc2c6b971bd2127e21af91d9af6 Merge: 91d62d9 d985349 Author: Dave Airlie Date: Fri Aug 19 08:50:42 2016 +1000 Merge branch 'drm-etnaviv-fixes' of git://git.pengutronix.de/git/lst/linux into drm-fixes Single GPU recovery fix * 'drm-etnaviv-fixes' of git://git.pengutronix.de/git/lst/linux: drm/etnaviv: take GPU lock later in the submit process commit 3408fef7448ce7d3c926978ee1a511e7707bffba Merge: b061b4f 7b0501b Author: Linus Torvalds Date: Thu Aug 18 15:09:41 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "An initrd microcode loading fix, and an SMP bootup topology setup fix to resolve crashes on SGI/UV systems if the BIOS is configured in a certain way" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/smp: Fix __max_logical_packages value setup x86/microcode/AMD: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y commit b061b4f36d2fce94a866e41c68bea782a5673461 Merge: ac78bc7 be5769e Author: Linus Torvalds Date: Thu Aug 18 15:08:31 2016 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Ingo Molnar: "Three clocksource driver fixes" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clocksource/drivers/mips-gic-timer: Make gic_clocksource_of_init() return int clocksource/drivers/kona: Fix get_counter() error handling clocksource/drivers/time-armada-370-xp: Fix the clock reference commit ac78bc714bea30e7f4e84db9d406e85ed309f09d Merge: 0dcb7b6 03cbc73 Author: Linus Torvalds Date: Thu Aug 18 15:07:21 2016 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Ingo Molnar: "Two cputime fixes - hopefully the last ones" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/cputime: Resync steal time when guest & host lose sync sched/cputime: Fix NO_HZ_FULL getrusage() monotonicity regression commit 0dcb7b6f8f168869d4bc30445ed3cc4f303b145b Merge: bd3fd45 71e7bc2 Author: Linus Torvalds Date: Thu Aug 18 15:04:53 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "Mostly tooling fixes, but also start/stop filter related fixes, a perf event read() fix, a fix uncovered by fuzzing, and an uprobes leak fix" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Check return value of the perf_event_read() IPI perf/core: Enable mapping of the stop filters perf/core: Update filters only on executable mmap perf/core: Fix file name handling for start/stop filters perf/core: Fix event_function_local() uprobes: Fix the memcg accounting perf intel-pt: Fix occasional decoding errors when tracing system-wide tools: Sync kvm related header files for arm64 and s390 perf probe: Release resources on error when handling exit paths perf probe: Check for dup and fdopen failures perf symbols: Fix annotation of objects with debuginfo files perf script: Don't disable use_callchain if input is pipe perf script: Show proper message when failed list scripts perf jitdump: Add the right header to get the major()/minor() definitions perf ppc64le: Fix build failure when libelf is not present perf tools mem: Fix -t store option for record command perf intel-pt: Fix ip compression commit de737f33ab23b213650c624e79ee479f12e3c500 Merge: 71e7bc2 c53412e Author: Ingo Molnar Date: Thu Aug 18 22:50:36 2016 +0200 Merge tag 'perf-urgent-for-mingo-20160818' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Do not access outside hw cache name arrays (Arnaldo Carvalho de Melo) - Use addr_location::addr instead of ip for entries when unwinding using DWARF CFI, fixing the "srcline" information for userspace application callchains (Milian Wolff) - Reinstate strlcpy() header guard with __UCLIBC__, fixing the build with uclibc, detected when building for the ARC architecture (Vineet Gupta) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit bd3fd451ff3b205f0bde4d1bf7a310552c40d6e0 Merge: f28535c 112dc0c Author: Linus Torvalds Date: Thu Aug 18 13:45:48 2016 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Ingo Molnar: "Two lockless_dereference() related fixes" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/barriers: Suppress sparse warnings in lockless_dereference() Revert "drm/fb-helper: Reduce READ_ONCE(master) to lockless_dereference" commit c53412ee8c7ec31373a4176ff7f3a6b79296c05c Author: Arnaldo Carvalho de Melo Date: Thu Aug 18 16:30:28 2016 -0300 perf evsel: Do not access outside hw cache name arrays We have to check if the values are >= *_MAX, not just >, fix it. From the bugzilla report: ''In file /tools/perf/util/evsel.c function __perf_evsel__hw_cache_name it appears that there is a bug that reads beyond the end of the buffer. The statement "if (type > PERF_COUNT_HW_CACHE_MAX)" allows type to be equal to the maximum value. Later, when statement "if (!perf_evsel__is_cache_op_valid(type, op))" is executed, the function can access array perf_evsel__hw_cache_stat[type] beyond the end of the buffer. It appears to me that the statement "if (type > PERF_COUNT_HW_CACHE_MAX)" should be "if (type >= PERF_COUNT_HW_CACHE_MAX)" Bug found with Coverity and manual code review. No attempts were made to execute the code with a maximum type value.'' Committer note: Testing it: $ perf record -e $(echo $(perf list cache | cut -d \[ -f1) | sed 's/ /,/g') usleep 1 [ perf record: Woken up 16 times to write data ] [ perf record: Captured and wrote 0.023 MB perf.data (34 samples) ] $ perf evlist L1-dcache-load-misses L1-dcache-loads L1-dcache-stores L1-icache-load-misses LLC-load-misses LLC-loads LLC-store-misses LLC-stores branch-load-misses branch-loads dTLB-load-misses dTLB-loads dTLB-store-misses dTLB-stores iTLB-load-misses iTLB-loads node-load-misses node-loads node-store-misses node-stores $ perf list cache List of pre-defined events (to be used in -e): L1-dcache-load-misses [Hardware cache event] L1-dcache-loads [Hardware cache event] L1-dcache-stores [Hardware cache event] L1-icache-load-misses [Hardware cache event] LLC-load-misses [Hardware cache event] LLC-loads [Hardware cache event] LLC-store-misses [Hardware cache event] LLC-stores [Hardware cache event] branch-load-misses [Hardware cache event] branch-loads [Hardware cache event] dTLB-load-misses [Hardware cache event] dTLB-loads [Hardware cache event] dTLB-store-misses [Hardware cache event] dTLB-stores [Hardware cache event] iTLB-load-misses [Hardware cache event] iTLB-loads [Hardware cache event] node-load-misses [Hardware cache event] node-loads [Hardware cache event] node-store-misses [Hardware cache event] node-stores [Hardware cache event] $ Reported-by: Brian Sweeney Tested-by: Arnaldo Carvalho de Melo Cc: Jiri Olsa Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=153351 Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/evsel.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 0215d59b154ab90c56c4fe49bc1deefe8bca18f1 Author: Vineet Gupta Date: Thu Aug 18 09:28:23 2016 -0700 tools lib: Reinstate strlcpy() header guard with __UCLIBC__ perf tools build in recent kernels spews splat when cross compiling with uClibc: | CC util/alias.o | In file included from tools/perf/util/../ui/../util/cache.h:8:0, | from tools/perf/util/../ui/helpline.h:7, | from tools/perf/util/debug.h:8, | from arch/../util/cpumap.h:9, | from arch/../util/env.h:5, | from arch/common.h:4, | from arch/common.c:3: | tools/include/linux/string.h:12:15: warning: redundant redeclaration of ‘strlcpy’ [-Wredundant-decls] | extern size_t strlcpy(char *dest, const char *src, size_t size); ^ This is after commit 61a6445e463a31 ("tools lib: Guard the strlcpy() header with __GLIBC__"). The problem is uClibc also defines __GLIBC__ for exported headers for applications. So add that specific check to not trip for uClibc. Signed-off-by: Vineet Gupta Cc: Adrian Hunter Cc: Alexey Brodkin Cc: David Ahern Cc: Jiri Olsa Cc: Josh Poimboeuf Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Petri Gynther Cc: Wang Nan Cc: linux-snps-arc@lists.infradead.org Link: http://lkml.kernel.org/r/1471537703-16439-1-git-send-email-vgupta@synopsys.com Signed-off-by: Arnaldo Carvalho de Melo tools/include/linux/string.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit f28535c100e3c3066ed3506d90948cf023dad21a Merge: 114e3ba a93a4d6 Author: Linus Torvalds Date: Thu Aug 18 11:17:13 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - Avoid a literal load with the MMU off on the CPU resume path (potential inconsistency between cache and RAM) - Build error with CONFIG_ACPI=n fixed - Compiler warning in the arch/arm64/mm/dump.c code fixed * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: Fix shift warning in arch/arm64/mm/dump.c arm64: kernel: avoid literal load of virtual address with MMU off arm64: Fix NUMA build error when !CONFIG_ACPI commit 114e3bae37a2976563fb7a678efe3cf3aff80ed2 Merge: 395c434 87eed3c Author: Linus Torvalds Date: Thu Aug 18 11:13:20 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Only three fixes this time: - Emil found an overflow problem with the memory layout sanity check. - Ard Biesheuvel noticed that late-allocated page tables (for EFI) weren't being properly constructed. - Guenter Roeck reported a problem found on qemu caused by the recent addr_limit changes" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: fix address limit restoration for undefined instructions ARM: 8591/1: mm: use fully constructed struct pages for EFI pgd allocations ARM: 8590/1: sanity_check_meminfo(): avoid overflow on vmalloc_limit commit 395c4342920b5abd082e74af3808a74f221e2fdc Merge: 76dcd93 6c16f42 Author: Linus Torvalds Date: Thu Aug 18 11:09:43 2016 -0700 Merge tag 'pm-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "More hibernation-related material: one fix for a recent regression in the core, one small cleanup of the x86-64 resume code and a documentation update. Specifics: - Fix a hibernate core regression resulting from uncovering a latent bug in its implementation of memory bitmaps by a recent commit (James Morse). - Use __pa() to compute a physical address in the x86-64 code finalizing resume from hibernation (Rafael Wysocki). - Update power management documentation related to system sleep states to remove outdated information from it and to add a description of a recently introduced hibernation debug feature to it (Rafael Wysocki)" * tag 'pm-4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / hibernate: Fix rtree_next_node() to avoid walking off list ends x86/power/64: Use __pa() for physical address computation PM / sleep: Update some system sleep documentation commit 76dcd9392af63ef8a1801ca727c20b3ccd1bff96 Merge: 184ca82 91d62d9 Author: Linus Torvalds Date: Thu Aug 18 10:58:50 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc3' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Pretty quiet so far: - a few amdgpu/radeon fixup for pcie pm changes - a couple of amdgpu fixes - some build fixes - printk fix" * tag 'drm-fixes-for-4.8-rc3' of git://people.freedesktop.org/~airlied/linux: drm/amdgpu: Change GART offset to 64-bit drm/mediatek: add ARM_SMCCC dependency drm/mediatek: add CONFIG_OF dependency drm/mediatek: add COMMON_CLK dependency drm/amdgpu: Fix memory trashing if UVD ring test fails drm/amdgpu: fix vm init error path drm/amdkfd: print doorbell offset as a hex value Revert "drm/radeon: work around lack of upstream ACPI support for D3cold" Revert "drm/amdgpu: work around lack of upstream ACPI support for D3cold" commit 87a713c8ffca33d8e497a8b6c02034332bd80394 Author: Arnd Bergmann Date: Wed Aug 10 23:54:13 2016 +0200 8250/fintek: rename IRQ_MODE macro A bugfix for the fintek driver required defining some macros, but one of them clashes with a system header on ARM: drivers/tty/serial/8250/8250_fintek.c:34:0: error: "IRQ_MODE" redefined [-Werror] #define IRQ_MODE 0x70 In file included from /git/arm-soc/arch/arm/include/asm/ptrace.h:13:0, from /git/arm-soc/arch/arm/include/asm/irqflags.h:6, from /git/arm-soc/include/linux/irqflags.h:15, from /git/arm-soc/arch/arm/include/asm/bitops.h:27, from /git/arm-soc/include/linux/bitops.h:36, from /git/arm-soc/include/linux/kernel.h:10, from /git/arm-soc/include/linux/list.h:8, from /git/arm-soc/include/linux/module.h:9, from /git/arm-soc/drivers/tty/serial/8250/8250_fintek.c:11: arch/arm/include/uapi/asm/ptrace.h:55:0: note: this is the location of the previous definition This renames the newly introduced 'IRQ_MODE' macro to FINTEK_IRQ_MODE. Signed-off-by: Arnd Bergmann Fixes: 4da22f1418cb ("serial: 8250_fintek: fix the mismatched IRQ mode") Link: https://patchwork.kernel.org/patch/9200119/ Acked-by: Ji-Ze Hong (Peter Hong) Acked-by: Ricardo Ribalda Delgado Signed-off-by: Greg Kroah-Hartman drivers/tty/serial/8250/8250_fintek.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 51c70261b2575962cb9406cd92246b1cee6a3c71 Author: Greg Kroah-Hartman Date: Thu Aug 18 17:21:37 2016 +0200 Revert "android: binder: fix dangling pointer comparison" This reverts commit 7b142d8fd0bd4c9bf06ccb72ac4daedb503f0124. It doesn't seem to be correct, no one seems to have tested it, and the email address of the submitter now bounces :( So revert it. Cc: Jann Horn Cc: Chen Feng Cc: stable Cc: Arve Hjønnevåg Signed-off-by: Greg Kroah-Hartman drivers/android/binder.c | 2 -- 1 file changed, 2 deletions(-) commit ae5b80d2b68eac945b124227dea34462118a6f01 Author: Christian König Date: Thu Aug 18 11:51:14 2016 +0200 drm/radeon: only apply the SS fractional workaround to RS[78]80 Looks like some RV6xx have problems with that. bug: https://bugs.freedesktop.org/show_bug.cgi?id=97099 Reviewed-by: Alex Deucher Signed-off-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/radeon/atombios_crtc.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 479e2a86dc6aeaec6013165e1bd3525db6914f3a Author: Peter Ujfalusi Date: Thu Aug 18 14:00:59 2016 +0300 ASoC: omap-mcpdm: Drop pdmclk clock handling This reverts commit 65aca64d05b5eaa5ce15e18b458a8d338ddbd478. The patches for twl6040 MFD and clk missed the merge window and causing the McPDM driver to never probe since it is put back to the deferred list because the missing drivers. Signed-off-by: Peter Ujfalusi Signed-off-by: Mark Brown Documentation/devicetree/bindings/sound/omap-mcpdm.txt | 10 ---------- sound/soc/omap/omap-mcpdm.c | 17 ----------------- 2 files changed, 27 deletions(-) commit 112dc0c8069e5554e0ad29c58228f1e6ca49e13d Author: Johannes Berg Date: Thu Aug 11 11:50:22 2016 +0200 locking/barriers: Suppress sparse warnings in lockless_dereference() After Peter's commit: 331b6d8c7afc ("locking/barriers: Validate lockless_dereference() is used on a pointer type") ... we get a lot of sparse warnings (one for every rcu_dereference, and more) since the expression here is assigning to the wrong address space. Instead of validating that 'p' is a pointer this way, instead make it fail compilation when it's not by using sizeof(*(p)). This will not cause any sparse warnings (tested, likely since the address space is irrelevant for sizeof), and will fail compilation when 'p' isn't a pointer type. Tested-by: Paul E. McKenney Signed-off-by: Johannes Berg Signed-off-by: Peter Zijlstra (Intel) Cc: Andrew Morton Cc: Chris Wilson Cc: Daniel Vetter Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 331b6d8c7afc ("locking/barriers: Validate lockless_dereference() is used on a pointer type") Link: http://lkml.kernel.org/r/1470909022-687-2-git-send-email-johannes@sipsolutions.net Signed-off-by: Ingo Molnar include/linux/compiler.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit f17b3ea3d2df7c9bf3ce1dbd65b5fd7061f8e787 Author: Johannes Berg Date: Thu Aug 11 11:50:21 2016 +0200 Revert "drm/fb-helper: Reduce READ_ONCE(master) to lockless_dereference" This reverts commit: fa7d81bb3c269 ("drm/fb-helper: Reduce READ_ONCE(master) to lockless_dereference") As Peter explained: [...] lockless_dereference() is _stronger_ than READ_ONCE(), not weaker. [...] Also, clue is in the name: 'dereference', you don't actually dereference the pointer here, only load it. My next patch breaks the compile without this revert, because it assumes you want to deference and thus also need the struct type visible (which it isn't here), so revert it. Tested-by: Paul E. McKenney Signed-off-by: Johannes Berg Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Daniel Vetter Cc: Andrew Morton Cc: Chris Wilson Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1470909022-687-1-git-send-email-johannes@sipsolutions.net Signed-off-by: Ingo Molnar drivers/gpu/drm/drm_fb_helper.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b75911b66ad508a3c3f006ce37d9f9ebee34da43 Author: Liping Zhang Date: Thu Aug 18 20:39:05 2016 +0800 netfilter: cttimeout: fix use after free error when delete netns In general, when we want to delete a netns, cttimeout_net_exit will be called before ipt_unregister_table, i.e. before ctnl_timeout_put. But after call kfree_rcu in cttimeout_net_exit, we will still decrease the timeout object's refcnt in ctnl_timeout_put, this is incorrect, and will cause a use after free error. It is easy to reproduce this problem: # while : ; do ip netns add xxx ip netns exec xxx nfct add timeout testx inet icmp timeout 200 ip netns exec xxx iptables -t raw -p icmp -I OUTPUT -j CT --timeout testx ip netns del xxx done ======================================================================= BUG kmalloc-96 (Tainted: G B E ): Poison overwritten ----------------------------------------------------------------------- INFO: 0xffff88002b5161e8-0xffff88002b5161e8. First byte 0x6a instead of 0x6b INFO: Allocated in cttimeout_new_timeout+0xd4/0x240 [nfnetlink_cttimeout] age=104 cpu=0 pid=3330 ___slab_alloc+0x4da/0x540 __slab_alloc+0x20/0x40 __kmalloc+0x1c8/0x240 cttimeout_new_timeout+0xd4/0x240 [nfnetlink_cttimeout] nfnetlink_rcv_msg+0x21a/0x230 [nfnetlink] [ ... ] So only when the refcnt decreased to 0, we call kfree_rcu to free the timeout object. And like nfnetlink_acct do, use atomic_cmpxchg to avoid race between ctnl_timeout_try_del and ctnl_timeout_put. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_cttimeout.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit 12be15dd5ac928b60323b1ed8f6facd7335bb2cc Author: Liping Zhang Date: Sat Aug 13 23:13:01 2016 +0800 netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy Suppose that we input the following commands at first: # nfacct add test # iptables -A INPUT -m nfacct --nfacct-name test And now "test" acct's refcnt is 2, but later when we try to delete the "test" nfacct and the related iptables rule at the same time, race maybe happen: CPU0 CPU1 nfnl_acct_try_del nfnl_acct_put atomic_dec_and_test //ref=1,testfail - - atomic_dec_and_test //ref=0,testok - kfree_rcu atomic_inc //ref=1 - So after the rcu grace period, nf_acct will be freed but it is still linked in the nfnl_acct_list, and we can access it later, then oops will happen. Convert atomic_dec_and_test and atomic_inc combinaiton to one atomic operation atomic_cmpxchg here to fix this problem. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_acct.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 5d0bdf2867825a92c0a563957a2fb059149ab0d4 Author: Christoph Hellwig Date: Thu Aug 11 07:11:05 2016 -0700 PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() ahci currently insists on an explicit call to pci_intx() before falling back from MSI or MSI-X to legacy IRQs. As pci_intx() is a no-op if the command register already contains the right value it seems safe and useful to add this call to pci_alloc_irq_vectors() so that ahci can just use pci_alloc_irq_vectors(). Signed-off-by: Christoph Hellwig Signed-off-by: Bjorn Helgaas drivers/pci/msi.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit c81396f3da22aa8f1e8fbf7943616a0839c4d63d Author: Cathy Luo Date: Thu Jul 21 16:30:24 2016 +0530 mwifiex: fix large amsdu packets causing firmware hang Sometimes host prepares and downloads a large amsdu packet to firmware which leads to a memory corruption in firmware. The reason is __dev_alloc_skb() may allocate larger buffer than required size. This patch solves the problem by checking "adapter->tx_buf_size" instead of relying on skb_tailroom(). Signed-off-by: Cathy Luo Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo drivers/net/wireless/marvell/mwifiex/11n_aggr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a93a4d62324123dcda383bdb4ab89151bbc0e499 Author: Catalin Marinas Date: Fri Dec 5 12:34:54 2014 +0000 arm64: Fix shift warning in arch/arm64/mm/dump.c When building with 48-bit VAs and 16K page configuration, it's possible to get the following warning when building the arm64 page table dumping code: arch/arm64/mm/dump.c: In function ‘walk_pud’: arch/arm64/mm/dump.c:274:102: warning: right shift count >= width of type [-Wshift-count-overflow] This is because pud_offset(pgd, 0) performs a shift to the right by 36 while the value 0 has the type 'int' by default, therefore 32-bit. This patch modifies all the p*_offset() uses in arch/arm64/mm/dump.c to use 0UL for the address argument. Acked-by: Mark Rutland Signed-off-by: Catalin Marinas arch/arm64/mm/dump.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 2eeb321fd2e24c0910e96e82509a961d1531fa29 Merge: c95ba92 f7f6f2d Author: Paolo Bonzini Date: Thu Aug 18 12:19:19 2016 +0200 Merge tag 'kvm-arm-for-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/ARM Fixes for v4.8-rc3 This tag contains the following fixes on top of v4.8-rc1: - ITS init issues - ITS error handling issues - ITS IRQ leakage fix - Plug a couple of ITS race conditions - An erratum workaround for timers - Some removal of misleading use of errors and comments - A fix for GICv3 on 32-bit guests commit c95ba92afb238ac565c68968fc72e38ca8d1b6e8 Author: Peter Feiner Date: Wed Aug 17 09:36:47 2016 -0700 kvm: nVMX: fix nested tsc scaling When the host supported TSC scaling, L2 would use a TSC multiplier of 0, which causes a VM entry failure. Now L2's TSC uses the same multiplier as L1. Signed-off-by: Peter Feiner Signed-off-by: Paolo Bonzini arch/x86/kvm/vmx.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) commit dccbfcf52cebb8963246eba5b177b77f26b34da0 Author: Radim Krčmář Date: Mon Aug 8 20:16:23 2016 +0200 KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write If vmcs12 does not intercept APIC_BASE writes, then KVM will handle the write with vmcs02 as the current VMCS. This will incorrectly apply modifications intended for vmcs01 to vmcs02 and L2 can use it to gain access to L0's x2APIC registers by disabling virtualized x2APIC while using msr bitmap that assumes enabled. Postpone execution of vmx_set_virtual_x2apic_mode until vmcs01 is the current VMCS. An alternative solution would temporarily make vmcs01 the current VMCS, but it requires more care. Fixes: 8d14695f9542 ("x86, apicv: add virtual x2apic support") Reported-by: Jim Mattson Reviewed-by: Wanpeng Li Signed-off-by: Radim Krčmář arch/x86/kvm/vmx.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit d048c098218e91ed0e10dfa1f0f80e2567fe4ef7 Author: Radim Krčmář Date: Mon Aug 8 20:16:22 2016 +0200 KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC msr bitmap can be used to avoid a VM exit (interception) on guest MSR accesses. In some configurations of VMX controls, the guest can even directly access host's x2APIC MSRs. See SDM 29.5 VIRTUALIZING MSR-BASED APIC ACCESSES. L2 could read all L0's x2APIC MSRs and write TPR, EOI, and SELF_IPI. To do so, L1 would first trick KVM to disable all possible interceptions by enabling APICv features and then would turn those features off; nested_vmx_merge_msr_bitmap() only disabled interceptions, so VMX would not intercept previously enabled MSRs even though they were not safe with the new configuration. Correctly re-enabling interceptions is not enough as a second bug would still allow L1+L2 to access host's MSRs: msr bitmap was shared for all VMCSs, so L1 could trigger a race to get the desired combination of msr bitmap and VMX controls. This fix allocates a msr bitmap for every L1 VCPU, allows only safe x2APIC MSRs from L1's msr bitmap, and disables msr bitmaps if they would have to intercept everything anyway. Fixes: 3af18d9c5fe9 ("KVM: nVMX: Prepare for using hardware MSR bitmap") Reported-by: Jim Mattson Suggested-by: Wincy Van Reviewed-by: Wanpeng Li Signed-off-by: Radim Krčmář arch/x86/kvm/vmx.c | 107 ++++++++++++++++++++++------------------------------- 1 file changed, 44 insertions(+), 63 deletions(-) commit 815806e39bf6f7e7b34875d4a9609dbe76661782 Author: Elaine Zhang Date: Thu Aug 18 17:01:55 2016 +0800 regmap: drop cache if the bus transfer error regmap_write ->_regmap_raw_write -->regcache_write first and than use map->bus->write to wirte i2c or spi But if the i2c or spi transfer failed, But the cache is updated, So if I use regmap_read will get the cache data which is not the real register value. Signed-off-by: Elaine Zhang Signed-off-by: Mark Brown drivers/base/regmap/regmap.c | 2 ++ 1 file changed, 2 insertions(+) commit 2e365a703ea60de617287354ae63bf677e406feb Author: Andi Shyti Date: Thu Aug 18 16:25:55 2016 +0900 MAINTAINERS: add myself as Samsung SPI maintainer Create a new entry for the Samsung SPI driver supported by the drivers/spi/spi-s3c* and remove it from its original place under "ARM/SAMSUNG EXYNOS ARM ARCHITECTURES". The original maintainership inherited from the Samsung Exynos ARM Architecture is kept as it was (i.e. Kukjin and Krzysztof), I will help and co-maintain the driver. Signed-off-by: Andi Shyti Acked-by: Krzysztof Kozlowski Signed-off-by: Mark Brown MAINTAINERS | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) commit 03cbc732639ddcad15218c4b2046d255851ff1e3 Author: Wanpeng Li Date: Wed Aug 17 10:05:46 2016 +0800 sched/cputime: Resync steal time when guest & host lose sync Commit: 57430218317e ("sched/cputime: Count actually elapsed irq & softirq time") ... fixed a bug but also triggered a regression: On an i5 laptop, 4 pCPUs, 4vCPUs for one full dynticks guest, there are four CPU hog processes(for loop) running in the guest, I hot-unplug the pCPUs on host one by one until there is only one left, then observe CPU utilization via 'top' in the guest, it shows: 100% st for cpu0(housekeeping) 75% st for other CPUs (nohz full mode) However, w/o this commit it shows the correct 75% for all four CPUs. When a guest is interrupted for a longer amount of time, missed clock ticks are not redelivered later. Because of that, we should not limit the amount of steal time accounted to the amount of time that the calling functions think have passed. However, the interval returned by account_other_time() is NOT rounded down to the nearest jiffy, while the base interval in get_vtime_delta() it is subtracted from is, so the max cputime limit is required to avoid underflow. This patch fixes the regression by limiting the account_other_time() from get_vtime_delta() to avoid underflow, and lets the other three call sites (in account_other_time() and steal_account_process_time()) account however much steal time the host told us elapsed. Suggested-by: Rik van Riel Suggested-by: Paolo Bonzini Signed-off-by: Wanpeng Li Reviewed-by: Rik van Riel Cc: Frederic Weisbecker Cc: Linus Torvalds Cc: Mike Galbraith Cc: Peter Zijlstra Cc: Radim Krcmar Cc: Thomas Gleixner Cc: kvm@vger.kernel.org Link: http://lkml.kernel.org/r/1471399546-4069-1-git-send-email-wanpeng.li@hotmail.com [ Improved the changelog. ] Signed-off-by: Ingo Molnar kernel/sched/cputime.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) commit 173be9a14f7b2e901cf77c18b1aafd4d672e9d9e Author: Peter Zijlstra Date: Mon Aug 15 18:38:42 2016 +0200 sched/cputime: Fix NO_HZ_FULL getrusage() monotonicity regression Mike reports: Roughly 10% of the time, ltp testcase getrusage04 fails: getrusage04 0 TINFO : Expected timers granularity is 4000 us getrusage04 0 TINFO : Using 1 as multiply factor for max [us]time increment (1000+4000us)! getrusage04 0 TINFO : utime: 0us; stime: 179us getrusage04 0 TINFO : utime: 3751us; stime: 0us getrusage04 1 TFAIL : getrusage04.c:133: stime increased > 5000us: And tracked it down to the case where the task simply doesn't get _any_ [us]time ticks. Update the code to assume all rtime is utime when we lack information, thus ensuring a task that elides the tick gets time accounted. Reported-by: Mike Galbraith Tested-by: Mike Galbraith Signed-off-by: Peter Zijlstra (Intel) Cc: Frederic Weisbecker Cc: Fredrik Markstrom Cc: Linus Torvalds Cc: Paolo Bonzini Cc: Peter Zijlstra Cc: Radim Cc: Rik van Riel Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: Wanpeng Li Cc: stable@vger.kernel.org # 4.3+ Fixes: 9d7fb0427648 ("sched/cputime: Guarantee stime + utime == rtime") Signed-off-by: Ingo Molnar kernel/sched/cputime.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) commit 71e7bc2bab77e64882c031c2af943c3256c1adb0 Author: David Carrillo-Cisneros Date: Wed Aug 17 13:55:04 2016 -0700 perf/core: Check return value of the perf_event_read() IPI The call to smp_call_function_single in perf_event_read() may fail if an invalid or not online CPU index is passed. Warn user if such bug is present and return error. Signed-off-by: David Carrillo-Cisneros Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Kan Liang Cc: Linus Torvalds Cc: Paul Turner Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vegard Nossum Cc: Vince Weaver Link: http://lkml.kernel.org/r/1471467307-61171-2-git-send-email-davidcc@google.com Signed-off-by: Ingo Molnar kernel/events/core.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 99f5bc9bfa9094e7c264a8e09f9507b391a3d1d1 Author: Mathieu Poirier Date: Mon Jul 18 10:43:07 2016 -0600 perf/core: Enable mapping of the stop filters At this time the perf_addr_filter_needs_mmap() function will _not_ return true on a user space 'stop' filter. But stop filters need exactly the same kind of mapping that range and start filters get. Signed-off-by: Mathieu Poirier Signed-off-by: Peter Zijlstra (Intel) Acked-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/1468860187-318-4-git-send-email-mathieu.poirier@linaro.org Signed-off-by: Ingo Molnar kernel/events/core.c | 15 +++++---------- 1 file changed, 5 insertions(+), 10 deletions(-) commit 12b40a2393719a37ff86a0b43bece6d28a75cbfc Author: Mathieu Poirier Date: Mon Jul 18 10:43:06 2016 -0600 perf/core: Update filters only on executable mmap Function perf_event_mmap() is called by the MM subsystem each time part of a binary is loaded in memory. There can be several mapping for a binary, many times unrelated to the code section. Each time a section of a binary is mapped address filters are updated, event when the map doesn't pertain to the code section. The end result is that filters are configured based on the last map event that was received rather than the last mapping of the code segment. For example if we have an executable 'main' that calls library 'libcstest.so.1.0', and that we want to collect traces on code that is in that library. The perf cmd line for this scenario would be: perf record -e cs_etm// --filter 'filter 0x72c/0x40@/opt/lib/libcstest.so.1.0' --per-thread ./main Resulting in binaries being mapped this way: root@linaro-nano:~# cat /proc/1950/maps 00400000-00401000 r-xp 00000000 08:02 33169 /home/linaro/main 00410000-00411000 r--p 00000000 08:02 33169 /home/linaro/main 00411000-00412000 rw-p 00001000 08:02 33169 /home/linaro/main 7fa2464000-7fa2474000 rw-p 00000000 00:00 0 7fa2474000-7fa25a4000 r-xp 00000000 08:02 543 /lib/aarch64-linux-gnu/libc-2.21.so 7fa25a4000-7fa25b3000 ---p 00130000 08:02 543 /lib/aarch64-linux-gnu/libc-2.21.so 7fa25b3000-7fa25b7000 r--p 0012f000 08:02 543 /lib/aarch64-linux-gnu/libc-2.21.so 7fa25b7000-7fa25b9000 rw-p 00133000 08:02 543 /lib/aarch64-linux-gnu/libc-2.21.so 7fa25b9000-7fa25bd000 rw-p 00000000 00:00 0 7fa25bd000-7fa25be000 r-xp 00000000 08:02 38308 /opt/lib/libcstest.so.1.0 7fa25be000-7fa25cd000 ---p 00001000 08:02 38308 /opt/lib/libcstest.so.1.0 7fa25cd000-7fa25ce000 r--p 00000000 08:02 38308 /opt/lib/libcstest.so.1.0 7fa25ce000-7fa25cf000 rw-p 00001000 08:02 38308 /opt/lib/libcstest.so.1.0 7fa25cf000-7fa25eb000 r-xp 00000000 08:02 574 /lib/aarch64-linux-gnu/ld-2.21.so 7fa25ef000-7fa25f2000 rw-p 00000000 00:00 0 7fa25f7000-7fa25f9000 rw-p 00000000 00:00 0 7fa25f9000-7fa25fa000 r--p 00000000 00:00 0 [vvar] 7fa25fa000-7fa25fb000 r-xp 00000000 00:00 0 [vdso] 7fa25fb000-7fa25fc000 r--p 0001c000 08:02 574 /lib/aarch64-linux-gnu/ld-2.21.so 7fa25fc000-7fa25fe000 rw-p 0001d000 08:02 574 /lib/aarch64-linux-gnu/ld-2.21.so 7ff2ea8000-7ff2ec9000 rw-p 00000000 00:00 0 [stack] root@linaro-nano:~# Before 'main()' can execute 'libcstest.so.1.0' has to be loaded in memory. Once that has been done perf_event_mmap() has been called 4 times, with the last map starting at address 0x7fa25ce000 and the address filter configured to start filtering when the IP has passed over address 0x0x7fa25ce72c (0x7fa25ce000 + 0x72c). But that is wrong since the code segment for library 'libcstest.so.1.0' as been mapped at 0x7fa25bd000, resulting in traces not being collected. This patch corrects the situation by requesting that address filters be updated only if the mapped event is for a code segment. Signed-off-by: Mathieu Poirier Signed-off-by: Peter Zijlstra (Intel) Acked-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/1468860187-318-3-git-send-email-mathieu.poirier@linaro.org Signed-off-by: Ingo Molnar kernel/events/core.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 4059ffd09d694f704e18a4baf97fc0016c32e9ad Author: Mathieu Poirier Date: Mon Jul 18 10:43:05 2016 -0600 perf/core: Fix file name handling for start/stop filters Binary file names have to be supplied for both range and start/stop filters but the current code only processes the filename if an address range filter is specified. This code adds processing of the filename for start/stop filters. Signed-off-by: Mathieu Poirier Signed-off-by: Peter Zijlstra (Intel) Acked-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/1468860187-318-2-git-send-email-mathieu.poirier@linaro.org Signed-off-by: Ingo Molnar kernel/events/core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit cca2094605efe6ccf43ff2876dd5bccc799202d8 Author: Peter Zijlstra Date: Tue Aug 16 13:33:26 2016 +0200 perf/core: Fix event_function_local() Vincent reported triggering the WARN_ON_ONCE() in event_function_local(). While thinking through cases I noticed that by using event_function() directly, we miss the inactive case usually handled by event_function_call(). Therefore construct a blend of event_function_call() and event_function() that handles the cases relevant to event_function_local(). Reported-by: Vince Weaver Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: stable@vger.kernel.org # 4.5+ Fixes: fae3fde65138 ("perf: Collapse and fix event_function_call() users") Signed-off-by: Ingo Molnar kernel/events/core.c | 60 +++++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 48 insertions(+), 12 deletions(-) commit 7b0501b1e7cddd32b265178e32d332bdfbb532d4 Author: Jiri Olsa Date: Mon Aug 15 12:17:00 2016 +0200 x86/smp: Fix __max_logical_packages value setup Frank reported kernel panic when he disabled several cores in BIOS via following option: Core Disable Bitmap(Hex) [0] with number 0xFFE, which leaves 16 CPUs in system (out of 48). The kernel panic below goes along with following messages: smpboot: Max logical packages: 2^M smpboot: APIC(0) Converting physical 0 to logical package 0^M smpboot: APIC(20) Converting physical 1 to logical package 1^M smpboot: APIC(40) Package 2 exceeds logical package map^M smpboot: CPU 8 APICId 40 disabled^M smpboot: APIC(60) Package 3 exceeds logical package map^M smpboot: CPU 12 APICId 60 disabled^M ... general protection fault: 0000 [#1] SMP^M Modules linked in:^M CPU: 15 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc5+ #1^M Hardware name: SGI UV300/UV300, BIOS SGI UV 300 series BIOS 05/25/2016^M task: ffff8801673e0000 ti: ffff8801673ac000 task.ti: ffff8801673ac000^M RIP: 0010:[] [] uncore_change_context+0xd4/0x180^M ... [] uncore_event_init_cpu+0x6c/0x70^M [] intel_uncore_init+0x1c2/0x2dd^M [] ? uncore_cpu_setup+0x17/0x17^M [] do_one_initcall+0x50/0x190^M [] ? parse_args+0x293/0x480^M [] kernel_init_freeable+0x1a5/0x249^M [] ? set_debug_rodata+0x12/0x12^M [] kernel_init+0xe/0x110^M [] ret_from_fork+0x1f/0x40^M [] ? rest_init+0x80/0x80^M The reason for the panic is wrong value of __max_logical_packages, which lets logical_package_map uninitialized and the uncore code relying on this map being properly initialized (maybe we should add some safety checks there as well). The __max_logical_packages is computed as: DIV_ROUND_UP(total_cpus, ncpus); - ncpus being number of cores With above BIOS setup we get total_cpus == 16 which set __max_logical_packages to 2 (ncpus is 12). Once topology_update_package_map processes CPU with logical pkg over 2 we display above messages and fail to initialize the physical_to_logical_pkg map, which makes the uncore code crash. The fix is to remove logical_package_map bitmap completely and keep and update the logical_packages number instead. After we enumerate all the present CPUs, we check if the enumerated logical packages count is within its computed maximum from BIOS data. If it's not the case, we set this maximum to the new enumerated value and freeze any new addition of logical packages. The freeze is because lot of init code like uncore/rapl/cqm depends on having maximum logical package value set to allocate their data, so we can't change it later on. Prarit Bhargava tested the patch and confirms that it solves the problem: From dmidecode: Core Count: 24 Core Enabled: 24 Thread Count: 48 Orig kernel boot log: [ 0.464981] smpboot: Max logical packages: 19 [ 0.469861] smpboot: APIC(0) Converting physical 0 to logical package 0 [ 0.477261] smpboot: APIC(40) Converting physical 1 to logical package 1 [ 0.484760] smpboot: APIC(80) Converting physical 2 to logical package 2 [ 0.492258] smpboot: APIC(c0) Converting physical 3 to logical package 3 1. nr_cpus=8, should stop enumerating in package 0: [ 0.533664] smpboot: APIC(0) Converting physical 0 to logical package 0 [ 0.539596] smpboot: Max logical packages: 19 2. max_cpus=8, should still enumerate all packages: [ 0.526494] smpboot: APIC(0) Converting physical 0 to logical package 0 [ 0.532428] smpboot: APIC(40) Converting physical 1 to logical package 1 [ 0.538456] smpboot: APIC(80) Converting physical 2 to logical package 2 [ 0.544486] smpboot: APIC(c0) Converting physical 3 to logical package 3 [ 0.550524] smpboot: Max logical packages: 19 3. nr_cpus=49 ( 2 socket + 1 core on 3rd socket), should stop enumerating in package 2: [ 0.521378] smpboot: APIC(0) Converting physical 0 to logical package 0 [ 0.527314] smpboot: APIC(40) Converting physical 1 to logical package 1 [ 0.533345] smpboot: APIC(80) Converting physical 2 to logical package 2 [ 0.539368] smpboot: Max logical packages: 19 4. maxcpus=49, should still enumerate all packages: [ 0.525591] smpboot: APIC(0) Converting physical 0 to logical package 0 [ 0.531525] smpboot: APIC(40) Converting physical 1 to logical package 1 [ 0.537547] smpboot: APIC(80) Converting physical 2 to logical package 2 [ 0.543579] smpboot: APIC(c0) Converting physical 3 to logical package 3 [ 0.549624] smpboot: Max logical packages: 19 5. kdump (nr_cpus=1) works as well. Reported-by: Frank Ramsay Tested-by: Prarit Bhargava Signed-off-by: Jiri Olsa Reviewed-by: Prarit Bhargava Acked-by: Peter Zijlstra Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20160815101700.GA30090@krava Signed-off-by: Ingo Molnar arch/x86/kernel/smpboot.c | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) commit 88b2f634028f1f38dcc3d412e10ff1f224976daa Author: Borislav Petkov Date: Wed Aug 17 13:33:14 2016 +0200 x86/microcode/AMD: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y Similar to: efaad554b4ff ("x86/microcode/intel: Fix initrd loading with CONFIG_RANDOMIZE_MEMORY=y") ... fix microcode loading from the initrd on AMD by adding the randomization offset to the microcode patch container within the initrd. Reported-and-tested-by: Brian Gerst Signed-off-by: Borislav Petkov Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Kees Cook Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-tip-commits@vger.kernel.org Link: http://lkml.kernel.org/r/20160817113314.GA19221@nazgul.tnic Signed-off-by: Ingo Molnar arch/x86/kernel/cpu/microcode/amd.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 6c4687cc17a788a6dd8de3e27dbeabb7cbd3e066 Author: Oleg Nesterov Date: Wed Aug 17 17:36:29 2016 +0200 uprobes: Fix the memcg accounting __replace_page() wronlgy calls mem_cgroup_cancel_charge() in "success" path, it should only do this if page_check_address() fails. This means that every enable/disable leads to unbalanced mem_cgroup_uncharge() from put_page(old_page), it is trivial to underflow the page_counter->count and trigger OOM. Reported-and-tested-by: Brenden Blanco Signed-off-by: Oleg Nesterov Reviewed-by: Johannes Weiner Acked-by: Michal Hocko Cc: Alexander Shishkin Cc: Alexei Starovoitov Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vladimir Davydov Cc: stable@vger.kernel.org # 3.17+ Fixes: 00501b531c47 ("mm: memcontrol: rewrite charge API") Link: http://lkml.kernel.org/r/20160817153629.GB29724@redhat.com Signed-off-by: Ingo Molnar kernel/events/uprobes.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit eadb7cf44105ae8250f0d638dc880c3ed511c4e2 Author: Jay Freyensee Date: Wed Aug 17 15:00:28 2016 -0700 nvme-loop: set sqsize to 0-based value, per spec Signed-off-by: Jay Freyensee Signed-off-by: Sagi Grimberg drivers/nvme/target/loop.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit c5af8654c422cfdd8480be3a244748e18cace6c5 Author: Jay Freyensee Date: Wed Aug 17 15:00:27 2016 -0700 nvme-rdma: fix sqsize/hsqsize per spec Per NVMe-over-Fabrics 1.0 spec, sqsize is represented as a 0-based value. Also per spec, the RDMA binding values shall be set to sqsize, which makes hsqsize 0-based values. Thus, the sqsize during NVMf connect() is now: [root@fedora23-fabrics-host1 for-48]# dmesg [ 318.720645] nvme_fabrics: nvmf_connect_admin_queue(): sqsize for admin queue: 31 [ 318.720884] nvme nvme0: creating 16 I/O queues. [ 318.810114] nvme_fabrics: nvmf_connect_io_queue(): sqsize for i/o queue: 127 Finally, current interpretation implies hrqsize is 1's based so set it appropriately. Reported-by: Daniel Verkamp Signed-off-by: Jay Freyensee Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) commit f994d9dc28bc27353acde2caaf718222d92a3e24 Author: Jay Freyensee Date: Wed Aug 17 15:00:26 2016 -0700 fabrics: define admin sqsize min default, per spec Upon admin queue connect(), the rdma qp was being set based on NVMF_AQ_DEPTH. However, the fabrics layer was using the sqsize field value set for I/O queues for the admin queue, which threw the nvme layer and rdma layer off-whack: root@fedora23-fabrics-host1 nvmf]# dmesg [ 3507.798642] nvme_fabrics: nvmf_connect_admin_queue():admin sqsize being sent is: 128 [ 3507.798858] nvme nvme0: creating 16 I/O queues. [ 3507.896407] nvme nvme0: new ctrl: NQN "nullside-nqn", addr 192.168.1.3:4420 Thus, to have a different admin queue value, we use NVMF_AQ_DEPTH for connect() and RDMA private data as the minimum depth specified in the NVMe-over-Fabrics 1.0 spec (and in that RDMA private data we treat hrqsize as 1's-based value, per current understanding of the fabrics spec). Reported-by: Daniel Verkamp Signed-off-by: Jay Freyensee Reviewed-by: Daniel Verkamp Signed-off-by: Sagi Grimberg drivers/nvme/host/fabrics.c | 9 ++++++++- drivers/nvme/host/rdma.c | 13 +++++++++++-- 2 files changed, 19 insertions(+), 3 deletions(-) commit b825b44c4ef4dabfdaf4e82db2263d377ac45d67 Author: Jay Freyensee Date: Wed Aug 17 15:00:25 2016 -0700 nvmet-rdma: +1 to *queue_size from hsqsize/hrqsize The host will be sending sqsize 0-based hsqsize value, the target need to be adjusted as well. Signed-off-by: Jay Freyensee Reviewed-by: Sagi Grimberg Signed-off-by: Sagi Grimberg drivers/nvme/target/rdma.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 91d62d9f30206be6f7749a0e6f7fa58c6d70c702 Merge: 93b1f14 cab0b8d Author: Dave Airlie Date: Thu Aug 18 12:51:27 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Single 64-bit gart size fix. * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/amdgpu: Change GART offset to 64-bit commit 6c16f42a4e01ef1543fb21e594c2b25d00697649 Merge: 694d0d0 924d869 Author: Rafael J. Wysocki Date: Thu Aug 18 03:27:08 2016 +0200 Merge branch 'pm-sleep' * pm-sleep: PM / hibernate: Fix rtree_next_node() to avoid walking off list ends x86/power/64: Use __pa() for physical address computation PM / sleep: Update some system sleep documentation commit 184ca823481c99dadd7d946e5afd4bb921eab30d Merge: 5ff132c b96c22c Author: Linus Torvalds Date: Wed Aug 17 17:26:58 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Buffers powersave frame test is reversed in cfg80211, fix from Felix Fietkau. 2) Remove bogus WARN_ON in openvswitch, from Jarno Rajahalme. 3) Fix some tg3 ethtool logic bugs, and one that would cause no interrupts to be generated when rx-coalescing is set to 0. From Satish Baddipadige and Siva Reddy Kallam. 4) QLCNIC mailbox corruption and napi budget handling fix from Manish Chopra. 5) Fix fib_trie logic when walking the trie during /proc/net/route output than can access a stale node pointer. From David Forster. 6) Several sctp_diag fixes from Phil Sutter. 7) PAUSE frame handling fixes in mlxsw driver from Ido Schimmel. 8) Checksum fixup fixes in bpf from Daniel Borkmann. 9) Memork leaks in nfnetlink, from Liping Zhang. 10) Use after free in rxrpc, from David Howells. 11) Use after free in new skb_array code of macvtap driver, from Jason Wang. 12) Calipso resource leak, from Colin Ian King. 13) mediatek bug fixes (missing stats sync init, etc.) from Sean Wang. 14) Fix bpf non-linear packet write helpers, from Daniel Borkmann. 15) Fix lockdep splats in macsec, from Sabrina Dubroca. 16) hv_netvsc bug fixes from Vitaly Kuznetsov, mostly to do with VF handling. 17) Various tc-action bug fixes, from CONG Wang. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits) net_sched: allow flushing tc police actions net_sched: unify the init logic for act_police net_sched: convert tcf_exts from list to pointer array net_sched: move tc offload macros to pkt_cls.h net_sched: fix a typo in tc_for_each_action() net_sched: remove an unnecessary list_del() net_sched: remove the leftover cleanup_a() mlxsw: spectrum: Allow packets to be trapped from any PG mlxsw: spectrum: Unmap 802.1Q FID before destroying it mlxsw: spectrum: Add missing rollbacks in error path mlxsw: reg: Fix missing op field fill-up mlxsw: spectrum: Trap loop-backed packets mlxsw: spectrum: Add missing packet traps mlxsw: spectrum: Mark port as active before registering it mlxsw: spectrum: Create PVID vPort before registering netdevice mlxsw: spectrum: Remove redundant errors from the code mlxsw: spectrum: Don't return upon error in removal path i40e: check for and deal with non-contiguous TCs ixgbe: Re-enable ability to toggle VLAN filtering ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths ... commit b96c22c071eb1126db4055de4bb75b02b05affd1 Merge: f4abf05 b5ac851 Author: David S. Miller Date: Wed Aug 17 19:27:58 2016 -0400 Merge branch 'tc_action-fixes' Cong Wang says: ==================== net_sched: tc action fixes and updates This patchset fixes a few regressions caused by the previous code refactor and more. Thanks to Jamal for catching them! Note, patch 3/7 and 4/7 are not strictly necessary for this patchset, I just want to carry them together. --- v4: adjust an indention for Jamal add two more patches v3: avoid list for fast path, suggested by Jamal v2: replace flex_array with regular dynamic array keep tcf_action_stats_update() in act_api.h fix macro typos found by Amir ==================== Signed-off-by: David S. Miller commit b5ac851885accffe0485aea2805df8f2d49c95a8 Author: Roman Mashak Date: Sat Aug 13 22:35:02 2016 -0700 net_sched: allow flushing tc police actions The act_police uses its own code to walk the action hashtable, which leads to that we could not flush standalone tc police actions, so just switch to tcf_generic_walker() like other actions. (Joint work from Roman and Cong.) Signed-off-by: Roman Mashak Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_police.c | 43 +------------------------------------------ 1 file changed, 1 insertion(+), 42 deletions(-) commit 0852e455238f8550fa92b1e40355eb2c6805787e Author: WANG Cong Date: Sat Aug 13 22:35:01 2016 -0700 net_sched: unify the init logic for act_police Jamal reported a crash when we create a police action with a specific index, this is because the init logic is not correct, we should always create one for this case. Just unify the logic with other tc actions. Fixes: a03e6fe56971 ("act_police: fix a crash during removal") Reported-by: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_police.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) commit 22dc13c837c33207548c8ee5116b64e2930a6e23 Author: WANG Cong Date: Sat Aug 13 22:35:00 2016 -0700 net_sched: convert tcf_exts from list to pointer array As pointed out by Jamal, an action could be shared by multiple filters, so we can't use list to chain them any more after we get rid of the original tc_action. Instead, we could just save pointers to these actions in tcf_exts, since they are refcount'ed, so convert the list to an array of pointers. The "ugly" part is the action API still accepts list as a parameter, I just introduce a helper function to convert the array of pointers to a list, instead of relying on the C99 feature to iterate the array. Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common") Reported-by: Jamal Hadi Salim Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 4 +- drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 12 ++++-- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 +- include/net/act_api.h | 4 +- include/net/pkt_cls.h | 40 ++++++++++++------- net/sched/act_api.c | 11 +++--- net/sched/cls_api.c | 51 +++++++++++++++++-------- 7 files changed, 85 insertions(+), 41 deletions(-) commit 2734437ef3c2943090d0914bf91caa6b30451615 Author: WANG Cong Date: Sat Aug 13 22:34:59 2016 -0700 net_sched: move tc offload macros to pkt_cls.h struct tcf_exts belongs to filters, should not be visible to plain tc actions. Cc: Ido Schimmel Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller include/net/act_api.h | 19 +++---------------- include/net/pkt_cls.h | 19 +++++++++++++++++++ 2 files changed, 22 insertions(+), 16 deletions(-) commit 0c23c3e705691cfb99c94f2760df2b456fe45194 Author: WANG Cong Date: Sat Aug 13 22:34:58 2016 -0700 net_sched: fix a typo in tc_for_each_action() It is harmless because all users pass 'a' to this macro. Fixes: 00175aec941e ("net/sched: Macro instead of CONFIG_NET_CLS_ACT ifdef") Cc: Amir Vadai Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller include/net/act_api.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 824a7e8863b3eb283343f891b11a782b4ec0d0de Author: WANG Cong Date: Sat Aug 13 22:34:57 2016 -0700 net_sched: remove an unnecessary list_del() This list_del() for tc action is not needed actually, because we only use this list to chain bulk operations, therefore should not be carried for latter operations. Fixes: ec0595cc4495 ("net_sched: get rid of struct tcf_common") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_api.c | 1 - 1 file changed, 1 deletion(-) commit f07fed82ad7994cc4d779ee79bdf7a46848c4b8f Author: WANG Cong Date: Sat Aug 13 22:34:56 2016 -0700 net_sched: remove the leftover cleanup_a() After refactoring tc_action into tcf_common, we no longer need to cleanup temporary "actions" in list, they are permanently stored in the hashtable. Fixes: a85a970af265 ("net_sched: move tc_action into tcf_common") Reported-by: Jamal Hadi Salim Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_api.c | 22 +++------------------- 1 file changed, 3 insertions(+), 19 deletions(-) commit f4abf05f54ddabacb702d1998296f3e610e62b23 Merge: 647f28c fbfe12c Author: David S. Miller Date: Wed Aug 17 19:20:24 2016 -0400 Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates 2016-08-16 This series contains fixes to e1000e, igb, ixgbe and i40e. Kshitiz Gupta provides a fix for igb to resolve the PHY delay compensation math in several functions. Jarod Wilson provides a fix for e1000e which had to broken up into 2 patches, first is prepares the driver for expanding the list of NICs that have occasional ~10 hour clock jumps when being used for PTP. Second patch actually fixes i218 silicon which has been experiencing the clock jumps while using PTP. Alex provides 2 patches for ixgbe now that he is back at Intel. First fixes setting VLNCTRL.VFE bit, which was left unchanged in earlier patches which resulted in disabling VLAN filtering for all the VFs. Second corrects the support for disabling the VLAN tag filtering via the feature bit. Lastly, David fixes i40e which was causing a kernel panic when non-contiguous traffic classes or traffic classes not starting with TC0, were configured on a link partner switch. To fix this, changed the logic when determining the total number of TCs enabled. ==================== Signed-off-by: David S. Miller commit 647f28c7274a776c3babc3893f530513845b3666 Merge: a1560dd7 9ffcc37 Author: David S. Miller Date: Wed Aug 17 19:18:34 2016 -0400 Merge branch 'mlxsw-fixes' Jiri Pirko says: ==================== mlxsw: IPv4 UC router fixes Ido says: Patches 1-3 fix a long standing problem in the driver's init sequence, which manifests itself quite often when routing daemons try to configure an IP address on registered netdevs that don't yet have an associated vPort. Patches 4-9 add missing packet traps for the router to work properly and also fix ordering issue following the recent changes to the driver's init sequence. The last patch isn't related to the router, but fixes a general problem in which under certain conditions packets aren't trapped to CPU. v1->v2: - Change order of patch 7 - Add patch 6 following Ilan's comment - Add patchset name and cover letter ==================== Signed-off-by: David S. Miller commit 9ffcc3725f096e9f0d985f738b0e44214cd72d93 Author: Ido Schimmel Date: Wed Aug 17 16:39:37 2016 +0200 mlxsw: spectrum: Allow packets to be trapped from any PG When packets enter the device they are classified to a priority group (PG) buffer based on their PCP value. After their egress port and traffic class are determined they are moved to the switch's shared buffer and await transmission, if: (Ingress{Port}.Usage < Thres && Ingress{Port,PG}.Usage < Thres && Egress{Port}.Usage < Thres && Egress{Port,TC}.Usage < Thres) || (Ingress{Port}.Usage < Min || Ingress{Port,PG} < Min || Egress{Port}.Usage < Min || Egress{Port,TC}.Usage < Min) Packets scheduled to transmission through CPU port (trapped to CPU) use traffic class 7, which has a zero maximum and minimum quotas. However, when such packets arrive from PG 0 they are admitted to the shared buffer as PG 0 has a non-zero minimum quota. Allow all packets to be trapped to the CPU - regardless of the PG they were classified to - by assigning a 10KB minimum quota for CPU port and TC7. Fixes: 8e8dfe9fdf06 ("mlxsw: spectrum: Add IEEE 802.1Qaz ETS support") Reported-by: Tamir Winetroub Tested-by: Tamir Winetroub Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_buffers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8168287b5dfac9227a549ed87f5e111b7005e8a4 Author: Ido Schimmel Date: Wed Aug 17 16:39:36 2016 +0200 mlxsw: spectrum: Unmap 802.1Q FID before destroying it Before destroying the 802.1Q FID we should first remove the VID-to-FID mapping. This makes mlxsw_sp_fid_destroy() symmetric with regards to mlxsw_sp_fid_create(). Fixes: 14d39461b3f4 ("mlxsw: spectrum: Use per-FID struct for the VLAN-aware bridge") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 2 ++ 1 file changed, 2 insertions(+) commit 0583272d91f0f4e21f1eb666786286863185be7e Author: Ido Schimmel Date: Wed Aug 17 16:39:35 2016 +0200 mlxsw: spectrum: Add missing rollbacks in error path While going over the code I noticed we are missing two rollbacks in the port's creation error path. Add them and adjust the place of one of them in the port's removal sequence so that both are symmetric. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 0e7df1a290abbcf3ecf697bbbbd4549c9a113db0 Author: Jiri Pirko Date: Wed Aug 17 16:39:34 2016 +0200 mlxsw: reg: Fix missing op field fill-up Ralue pack function needs to set op, otherwise it is 0 for add always. Fixes: d5a1c749d22 ("mlxsw: reg: Add Router Algorithmic LPM Unicast Entry Register definition") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/reg.h | 1 + 1 file changed, 1 insertion(+) commit a94a614fa2bd32848a67f8261228e193beb826ca Author: Ido Schimmel Date: Wed Aug 17 16:39:33 2016 +0200 mlxsw: spectrum: Trap loop-backed packets One of the conditions to generate an ICMP Redirect Message is that "the packet is being forwarded out the same physical interface that it was received from" (RFC 1812). Therefore, we need to be able to trap such packets and let the kernel decide what to do with them. For each RIF, enable the loop-back filter, which will raise the LBERROR trap whenever the ingress RIF equals the egress RIF. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Reported-by: Ilan Tayari Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/reg.h | 10 ++++++++++ drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 5 +++++ drivers/net/ethernet/mellanox/mlxsw/trap.h | 1 + 3 files changed, 16 insertions(+) commit c20b80187a93b4fcc1c5c46fc8a436df1f17636d Author: Elad Raz Date: Wed Aug 17 16:39:32 2016 +0200 mlxsw: spectrum: Add missing packet traps Add the following traps: 1) MTU Error: Trap packets whose size is bigger than the egress RIF's MTU. If DF bit isn't set, traffic will continue to be routed in slow path. 2) TTL Error: Trap packets whose TTL expired. This allows traceroute to work properly. 3) OSPF packets. Fixes: 7b27ce7bb9cd ("mlxsw: spectrum: Add traps needed for router implementation") Signed-off-by: Elad Raz Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 15 +++++++++++++++ drivers/net/ethernet/mellanox/mlxsw/trap.h | 3 +++ 2 files changed, 18 insertions(+) commit 2f25844c233650b2abb92b66b3d0af7d73b5f88f Author: Ido Schimmel Date: Wed Aug 17 16:39:31 2016 +0200 mlxsw: spectrum: Mark port as active before registering it Commit bbf2a4757b30 ("mlxsw: spectrum: Initialize ports at the end of init sequence") moved ports initialization to the end of the init sequence, which means ports are the first to be removed during fini. Since the FDB delayed work is still active when ports are removed it's possible for it to process FDB notifications of inactive ports, resulting in a warning message. Fix that by marking ports as inactive only after unregistering them. The NETDEV_UNREGISTER event will invoke bridge's driver port removal sequence that will cause the FDB (and FDB notifications) to be flushed. Fixes: bbf2a4757b30 ("mlxsw: spectrum: Initialize ports at the end of init sequence") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 05978481e77e47b0bcb1767d3783fa0e5a18f399 Author: Ido Schimmel Date: Wed Aug 17 16:39:30 2016 +0200 mlxsw: spectrum: Create PVID vPort before registering netdevice After registering a netdevice it's possible for user space applications to configure an IP address on it. From the driver's perspective, this means a router interface (RIF) should be created for the PVID vPort. Therefore, we must create the PVID vPort before registering the netdevice. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 33 +++++++++++++----- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 -- .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 40 +++------------------- 3 files changed, 29 insertions(+), 46 deletions(-) commit fa66d7e3fea7504e241e9004998af2c71814da18 Author: Ido Schimmel Date: Wed Aug 17 16:39:29 2016 +0200 mlxsw: spectrum: Remove redundant errors from the code Currently, when device configuration fails we emit errors to the kernel log despite the fact we already get these from the EMAD transaction layer, so remove them. In addition to being unnecessary, removing these error messages will allow us to reuse mlxsw_sp_port_add_vid() to create the PVID vPort before registering the netdevice. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 21 +++++---------------- 1 file changed, 5 insertions(+), 16 deletions(-) commit 7a35583ec5b64f17559c9de8d7c47f7360e40362 Author: Ido Schimmel Date: Wed Aug 17 16:39:28 2016 +0200 mlxsw: spectrum: Don't return upon error in removal path When removing a VLAN filter from the device we shouldn't return upon the first error we encounter, as otherwise we'll have resources that will never be freed nor used. Instead, we should keep trying to free as much resources as possible in a best effort mode. Remove the error message as well, since we already get these from the EMAD transaction code. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 27 +++++--------------------- 1 file changed, 5 insertions(+), 22 deletions(-) commit dcbe35909c8426e1ace74b4b99c4cb403cdaca89 Author: Eric Dumazet Date: Wed Aug 17 09:56:46 2016 -0700 netfilter: tproxy: properly refcount tcp listeners inet_lookup_listener() and inet6_lookup_listener() no longer take a reference on the found listener. This minimal patch adds back the refcounting, but we might do this differently in net-next later. Fixes: 3b24d854cb35 ("tcp/dccp: do not touch listener sk_refcnt under synflood") Reported-and-tested-by: Denys Fedoryshchenko Signed-off-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso net/netfilter/xt_TPROXY.c | 4 ++++ 1 file changed, 4 insertions(+) commit aca300183ed4f723837f6619facff0890c46d313 Author: Liping Zhang Date: Sat Aug 13 23:13:02 2016 +0800 netfilter: nfnetlink_acct: report overquota to the right netns We should report the over quota message to the right net namespace instead of the init netns. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso include/linux/netfilter/nfnetlink_acct.h | 4 ++-- net/netfilter/nfnetlink_acct.c | 9 +++++---- net/netfilter/xt_nfacct.c | 2 +- 3 files changed, 8 insertions(+), 7 deletions(-) commit 5ff132c07aa155d759ab3da946c86351313d3020 Merge: 3ec60b9 33e7664 Author: Linus Torvalds Date: Wed Aug 17 12:10:22 2016 -0700 Merge tag 'for-v4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply Pull power supply fixes from Sebastian Reichel. * tag 'for-v4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-power-supply: power_supply: tps65217-charger: fix missing platform_set_drvdata() power: reset: hisi-reboot: Unmap region obtained by of_iomap power: reset: reboot-mode: fix build error of missing ioremap/iounmap on UM power: supply: max17042_battery: fix model download bug. commit ccd9432a5c85f35df7b491a1b701560d247466a5 Author: Sudeep Holla Date: Wed Aug 17 13:49:19 2016 +0100 irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts As per the GICv3 specification, to power down a processor using GICv3 and allow automatic power-on if an interrupt must be sent to a processor, software must set Enable to zero for all interrupt groups(by writing to GICC_CTLR or ICC_IGRPEN{0,1}_EL1/3 as appropriate. When commit 3708d52fc6bb ("irqchip: gic-v3: Implement CPU PM notifier") was introduced there were no firmware implementations(in particular PSCI) handling this. Linux kernel may not be aware of the CPU power state details and might fail to identify the power states that require quiescing the CPU interface. Even if it can be aware of those details, it can't determine which CPU power state have been triggered at the platform level and how the power control is implemented. This patch make disabling redistributor and group1 non-secure interrupts in the power down path and re-enabling of redistributor in the power-up path conditional. It will be handled in the kernel if and only if the non-secure accesses are permitted to access and modify control registers. It is left to the platform implementation otherwise. Cc: Marc Zyngier Cc: Lorenzo Pieralisi Cc: Thomas Gleixner Cc: Jason Cooper Tested-by: Christopher Covington Signed-off-by: Sudeep Holla Signed-off-by: Marc Zyngier drivers/irqchip/irq-gic-v3.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit 059e232089e45b0befc9933d31209c225e08b426 Author: Marc Zyngier Date: Tue Aug 9 07:50:44 2016 +0100 irqchip/gic: Allow self-SGIs for SMP on UP configurations On systems where a single CPU is present, the GIC may not support having SGIs delivered to a target list. In that case, we use the self-SGI mechanism to allow the interrupt to be delivered locally. Tested-by: Fabio Estevam Signed-off-by: Marc Zyngier drivers/irqchip/irq-gic.c | 7 +++++++ 1 file changed, 7 insertions(+) commit c622ca543bff8e73efacf4dafa0cc9851ecea511 Author: Artur Paszkiewicz Date: Tue Aug 16 14:26:08 2016 +0200 md: don't print the same repeated messages about delayed sync operation This fixes a long-standing bug that caused a flood of messages like: "md: delaying data-check of md1 until md2 has finished (they share one or more physical units)" It can be reproduced like this: 1. Create at least 3 raid1 arrays on a pair of disks, each on different partitions. 2. Request a sync operation like 'check' or 'repair' on 2 arrays by writing to their md/sync_action attribute files. One operation should start and one should be delayed and a message like the above will be printed. 3. Issue a write to the third array. Each write will cause 2 copies of the message to be printed. This happens when wake_up(&resync_wait) is called, usually by md_check_recovery(). Then the delayed sync thread again prints the message and is put to sleep. This patch adds a check in md_do_sync() to prevent printing this message more than once for the same pair of devices. Reported-by: Sven Koehler Link: https://bugzilla.kernel.org/show_bug.cgi?id=151801 Signed-off-by: Artur Paszkiewicz Signed-off-by: Shaohua Li drivers/md/md.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) commit 207efcd2b55e0460dfee35663fbb3d05efad990a Author: Guoqing Jiang Date: Fri Aug 12 13:42:40 2016 +0800 md: remove obsolete ret in md_start_sync The ret is not needed anymore since we have already move resync_start into md_do_sync in commit 41a9a0d. Reviewed-by: NeilBrown Signed-off-by: Guoqing Jiang Signed-off-by: Shaohua Li drivers/md/md.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) commit bc9f3d7788a88d080a30599bde68f383daf8f8a5 Author: Ard Biesheuvel Date: Wed Aug 17 17:54:41 2016 +0200 arm64: kernel: avoid literal load of virtual address with MMU off Literal loads of virtual addresses are subject to runtime relocation when CONFIG_RELOCATABLE=y, and given that the relocation routines run with the MMU and caches enabled, literal loads of relocated values performed with the MMU off are not guaranteed to return the latest value unless the memory covering the literal is cleaned to the PoC explicitly. So defer the literal load until after the MMU has been enabled, just like we do for primary_switch() and secondary_switch() in head.S. Fixes: 1e48ef7fcc37 ("arm64: add support for building vmlinux as a relocatable PIE binary") Cc: # 4.6+ Signed-off-by: Ard Biesheuvel Acked-by: Mark Rutland Signed-off-by: Catalin Marinas arch/arm64/kernel/sleep.S | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit bfe6c8a89e03f52bccf922f74ced8fe959e7fd36 Author: Catalin Marinas Date: Mon Aug 15 16:33:10 2016 +0100 arm64: Fix NUMA build error when !CONFIG_ACPI Since asm/acpi.h is only included by linux/acpi.h when CONFIG_ACPI is enabled, disabling the latter leads to the following build error on arm64: arch/arm64/mm/numa.c: In function ‘arm64_numa_init’: arch/arm64/mm/numa.c:395:24: error: ‘arm64_acpi_numa_init’ undeclared (first use in this function) if (!acpi_disabled && !numa_init(arm64_acpi_numa_init)) This patch include the asm/acpi.h explicitly in arch/arm64/mm/numa.c for the arm64_acpi_numa_init() definition. Fixes: d8b47fca8c23 ("arm64, ACPI, NUMA: NUMA support based on SRAT and SLIT") Reviewed-by: Hanjun Guo Signed-off-by: Catalin Marinas arch/arm64/mm/numa.c | 2 ++ 1 file changed, 2 insertions(+) commit 326dce0734b63c3b82b6a88e5645eab8b54c6692 Author: Krzysztof Kozlowski Date: Tue Aug 16 18:50:42 2016 +0200 MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski Change my email address to kernel.org account instead of Samsung one. Add Bartlomiej Zolnierkiewicz as a co-maintainer of Maxim and Samsung PMIC drivers. These are used on many of our boards along with Exynos SoCs and Samsung R&D Institute Poland can still take care of them. Signed-off-by: Krzysztof Kozlowski Cc: Kukjin Kim Cc: linux-samsung-soc@vger.kernel.org Cc: Bartlomiej Zolnierkiewicz Acked-by: Sylwester Nawrocki Acked-by: Kukjin Kim .mailmap | 1 + MAINTAINERS | 15 +++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) commit 2497b84625466dc57b8c3a40cd41a659fe04cca6 Author: Liping Zhang Date: Sat Aug 13 22:46:04 2016 +0800 netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name Otherwise, if nfnetlink_log.ko is not loaded, we cannot add rules to log packets to the userspace when we specify it with arp family, such as: # nft add rule arp filter input log group 0 :1:1-37: Error: Could not process rule: No such file or directory add rule arp filter input log group 0 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_log.c | 1 + 1 file changed, 1 insertion(+) commit e77e6ff502ea3d193872b5b9033bfd9717b36447 Author: Liping Zhang Date: Mon Aug 15 21:50:35 2016 +0800 netfilter: conntrack: do not dump other netns's conntrack entries via proc We should skip the conntracks that belong to a different namespace, otherwise other unrelated netns's conntrack entries will be dumped via /proc/net/nf_conntrack. Fixes: 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces") Signed-off-by: Liping Zhang Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_conntrack_standalone.c | 4 ++++ 1 file changed, 4 insertions(+) commit cfee6b5874654fe4e7388bc3112d3afb76cd8b9e Author: Peter Chen Date: Tue Aug 16 10:05:15 2016 +0800 ARM: imx6ul: populates platform device at .init_machine At imx6ul_init_machine, it calls imx6ul_pm_init which needs to find platform device for ocram, but the default populate platform device is at of_platform_default_populate_init, which is located at arch_initcall_sync, and called later than arch_initcall (.init_machine is located at that). So below warning message will be showed during boots up: imx6q_suspend_init: failed to find ocram device! imx6_pm_common_init: No DDR LPM support with suspend -19! Due to lack of ocram device, the suspend mode "mem" which needs ocram to store suspend routine code is invalid. This commit populates platform device before imx6ul_pm_init like other imx6 platforms do, and the suspend mode "mem" can work successfully. Signed-off-by: Peter Chen Fixes: 850bea2335e4 ("arm: Remove unnecessary of_platform_populate with default match table") Cc: Anson Huang Cc: Fabio Estevam Cc: Kefeng Wang Cc: Rob Herring Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo arch/arm/mach-imx/mach-imx6ul.c | 1 + 1 file changed, 1 insertion(+) commit 9e7d9367e6a29e4cac85aa6df199f760dfa39c8a Author: Heinz Mauelshagen Date: Wed Aug 17 15:36:44 2016 +0200 dm raid: support raid0 with missing metadata devices The raid0 MD personality does not start a raid0 array with any of its data devices missing. dm-raid was removing data/metadata device pairs unconditionally if it failed to read a superblock off the respective metadata device of such pair, resulting in failure to start arrays with the raid0 personality. Avoid removing any data/metadata device pairs in case of raid0 (e.g. lvm2 segment type 'raid0_meta') thus allowing MD to start the array. Also, avoid region size validation for raid0. Signed-off-by: Heinz Mauelshagen Signed-off-by: Mike Snitzer drivers/md/dm-raid.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit 568ac888215c7fb2fabe8ea739b00ec3c1f5d440 Author: Balbir Singh Date: Wed Aug 10 15:43:06 2016 -0400 cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork cgroup_threadgroup_rwsem is acquired in read mode during process exit and fork. It is also grabbed in write mode during __cgroups_proc_write(). I've recently run into a scenario with lots of memory pressure and OOM and I am beginning to see systemd __switch_to+0x1f8/0x350 __schedule+0x30c/0x990 schedule+0x48/0xc0 percpu_down_write+0x114/0x170 __cgroup_procs_write.isra.12+0xb8/0x3c0 cgroup_file_write+0x74/0x1a0 kernfs_fop_write+0x188/0x200 __vfs_write+0x6c/0xe0 vfs_write+0xc0/0x230 SyS_write+0x6c/0x110 system_call+0x38/0xb4 This thread is waiting on the reader of cgroup_threadgroup_rwsem to exit. The reader itself is under memory pressure and has gone into reclaim after fork. There are times the reader also ends up waiting on oom_lock as well. __switch_to+0x1f8/0x350 __schedule+0x30c/0x990 schedule+0x48/0xc0 jbd2_log_wait_commit+0xd4/0x180 ext4_evict_inode+0x88/0x5c0 evict+0xf8/0x2a0 dispose_list+0x50/0x80 prune_icache_sb+0x6c/0x90 super_cache_scan+0x190/0x210 shrink_slab.part.15+0x22c/0x4c0 shrink_zone+0x288/0x3c0 do_try_to_free_pages+0x1dc/0x590 try_to_free_pages+0xdc/0x260 __alloc_pages_nodemask+0x72c/0xc90 alloc_pages_current+0xb4/0x1a0 page_table_alloc+0xc0/0x170 __pte_alloc+0x58/0x1f0 copy_page_range+0x4ec/0x950 copy_process.isra.5+0x15a0/0x1870 _do_fork+0xa8/0x4b0 ppc_clone+0x8/0xc In the meanwhile, all processes exiting/forking are blocked almost stalling the system. This patch moves the threadgroup_change_begin from before cgroup_fork() to just before cgroup_canfork(). There is no nee to worry about threadgroup changes till the task is actually added to the threadgroup. This avoids having to call reclaim with cgroup_threadgroup_rwsem held. tj: Subject and description edits. Signed-off-by: Balbir Singh Acked-by: Zefan Li Cc: Oleg Nesterov Cc: Andrew Morton Cc: stable@vger.kernel.org # v4.2+ Signed-off-by: Tejun Heo kernel/fork.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit cea8aa3a93d1734816e1e3f7b118e1dddf3f4aaa Author: Krzysztof Kozlowski Date: Wed Aug 17 14:07:46 2016 +0200 regulator: Change Krzysztof Kozlowski's email to kernel.org Change my email address to kernel.org instead of Samsung one for the purpose of any future contact. The copyrights remain untouched and are attributed to Samsung. Signed-off-by: Krzysztof Kozlowski Signed-off-by: Mark Brown drivers/regulator/max14577-regulator.c | 4 ++-- drivers/regulator/max77693-regulator.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit be5769e2061ac40b32daa83e28e1c4aac7133511 Author: Paul Gortmaker Date: Wed Aug 17 12:21:35 2016 +0200 clocksource/drivers/mips-gic-timer: Make gic_clocksource_of_init() return int In commit: d8152bf85d2c0 ("clocksource/drivers/mips-gic-timer: Convert init function to return error") several return values were added to a void function resulting in the following warnings: clocksource/mips-gic-timer.c: In function 'gic_clocksource_of_init': clocksource/mips-gic-timer.c:175:3: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c:183:4: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c:190:3: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c:195:3: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c:200:3: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c:211:2: warning: 'return' with a value, in function returning void [enabled by default] clocksource/mips-gic-timer.c: At top level: clocksource/mips-gic-timer.c:213:1: warning: comparison of distinct pointer types lacks a cast [enabled by default] clocksource/mips-gic-timer.c: In function 'gic_clocksource_of_init': clocksource/mips-gic-timer.c:183:18: warning: ignoring return value of 'PTR_ERR', declared with attribute warn_unused_result [-Wunused-result] Given that the addition of the return values was intentional, it seems that the conversion of the containing function from void to int was simply overlooked. Signed-off-by: Paul Gortmaker Signed-off-by: Daniel Lezcano Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-mips@linux-mips.org Fixes: d8152bf85d2c ("clocksource/drivers/mips-gic-timer: Convert init function to return error") Link: http://lkml.kernel.org/r/1471429296-9053-3-git-send-email-daniel.lezcano@linaro.org Signed-off-by: Ingo Molnar drivers/clocksource/mips-gic-timer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 16c8eba0fe01e03317f48868105103a8f5938e85 Author: Arnd Bergmann Date: Wed Aug 17 12:21:34 2016 +0200 clocksource/drivers/kona: Fix get_counter() error handling I could not figure out why, but GCC cannot prove that the kona_timer_init() function always initializes its two outputs, and we get a warning for the use of the 'lsw' variable later, which is obviously correct. drivers/clocksource/bcm_kona_timer.c: In function 'kona_timer_init': drivers/clocksource/bcm_kona_timer.c:119:13: error: 'lsw' may be used uninitialized in this function [-Werror=maybe-uninitialized] Slightly reordering the loop makes the warning disappear, after it becomes more obvious to the compiler that the loop is always entered on the first iteration. As pointed out by Ray Jui, there is a related problem in the way we deal with the loop running into the limit, as we just keep going there with an invalid counter data, so instead we now propagate a -ETIMEDOUT result to the caller. Signed-off-by: Arnd Bergmann Signed-off-by: Daniel Lezcano Acked-by: Ray Jui Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: bcm-kernel-feedback-list@broadcom.com Link: http://lkml.kernel.org/r/1471429296-9053-2-git-send-email-daniel.lezcano@linaro.org Link: https://patchwork.kernel.org/patch/9174261/ Signed-off-by: Ingo Molnar drivers/clocksource/bcm_kona_timer.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit 0e62fd836e4c2908cc1e32c68806529b4f859955 Author: Gregory CLEMENT Date: Wed Aug 17 12:21:33 2016 +0200 clocksource/drivers/time-armada-370-xp: Fix the clock reference While converting the init function to return an error, the wrong clock was get. This leads to the wrong clock rate and slows down the kernel. For example, it affects typical boot time: - without fix: over 1 minute - with fix: 15 seconds Tested-by: Stefan Roese Tested-by: Ralph Sennhauser Signed-off-by: Gregory CLEMENT Signed-off-by: Daniel Lezcano Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 12549e27c63c ("clocksource/drivers/time-armada-370-xp: Convert init function to return error") Link: http://lkml.kernel.org/r/1471429296-9053-1-git-send-email-daniel.lezcano@linaro.org [ Refined the changelog. ] Signed-off-by: Ingo Molnar drivers/clocksource/time-armada-370-xp.c | 1 - 1 file changed, 1 deletion(-) commit f7f6f2d94f0027242ddfd665289b107a873fde43 Author: Vladimir Murzin Date: Wed Aug 10 10:49:43 2016 +0100 arm64: KVM: report configured SRE value to 32-bit world After commit b34f2bc ("arm64: KVM: Make ICC_SRE_EL1 access return the configured SRE value") we report SRE value to 64-bit guest, but 32-bit one still handled as RAZ/WI what leads to funny promise we do not keep: "GICv3: GIC: unable to set SRE (disabled at EL2), panic ahead" Instead, return the actual value of the ICC_SRE_EL1 register that the guest should see. [ Tweaked commit message - Christoffer ] Signed-off-by: Vladimir Murzin Acked-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm64/kvm/sys_regs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b63bebe2355cf2632a2979fd2982c88d080c44b6 Author: Vladimir Murzin Date: Wed Aug 10 10:49:42 2016 +0100 arm64: KVM: remove misleading comment on pmu status Comment about how PMU access is handled is not relavant since v4.6 where proper PMU support was added in. Signed-off-by: Vladimir Murzin Acked-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm64/kvm/sys_regs.c | 8 -------- 1 file changed, 8 deletions(-) commit 3249bce459ff0bb7c1621b00a8e2d6afe24c53bb Author: Pawel Moll Date: Thu Aug 11 12:00:36 2016 +0100 bus: arm-ccn: Add missing event attribute exclusions for host/guest CCN PMUs have no knowledge into VM-related origins of the memory traffic, therefore can't handle requests for host-only or guest-only events. Added appropriate exclusions (they should have been there from the beginning). This required changing the error code returned, as the userspace tool only re-negotiates the options (exclude_guest is true by default) only for EINVAL. Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 90d11e267a32a25d2cb69127174a96b9e518395e Author: Pawel Moll Date: Thu Aug 11 11:56:28 2016 +0100 bus: arm-ccn: Correct required arguments for XP PMU events XP can provide events from two sources: watchpoints, observing traffic on device ports and PMU looking at internal buses. Unfortunately the sysfs definition of the PMU events was requiring port number (instead of bus number) and direction (the buses are unidirectional), as these fields were shared with the watchpoint event. Although it does not introduce a major problem (port can be used as bus alias and direction is simply ignored for XP PMU events), it's better to fix it now, before external tools start depending on this behaviour. Signed-off-by: Pawel Moll Documentation/arm/CCN.txt | 16 ++++++++++------ drivers/bus/arm-ccn.c | 13 ++++++++++--- 2 files changed, 20 insertions(+), 9 deletions(-) commit 1e12c4a9393b75a744aada2c8115434572698bc3 Author: Marc Zyngier Date: Thu Aug 11 14:19:42 2016 +0100 genirq: Correctly configure the trigger on chained interrupts Commit 1e2a7d78499e ("irqdomain: Don't set type when mapping an IRQ") moved the trigger configuration call from the irqdomain mapping to the interrupt being actually requested. This patch failed to handle the case where we configure a chained interrupt, which doesn't get requested through the usual path. In order to solve this, let's call __irq_set_trigger just before starting the cascade interrupt. Special care must be taken to make the flow handler stick, as the .irq_set_type method could have reset it (it doesn't know we're dealing with a chained interrupt). Based on an initial patch by Jon Hunter. Fixes: 1e2a7d78499e ("irqdomain: Don't set type when mapping an IRQ") Reported-by: John Stultz Reported-by: Linus Walleij Tested-by: John Stultz Acked-by: Jon Hunter Signed-off-by: Marc Zyngier kernel/irq/chip.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit cabdc5c59ab46a1ec5ea98c5ac4022111fbfd63a Author: Marc Zyngier Date: Tue Aug 16 15:03:02 2016 +0100 KVM: arm/arm64: timer: Workaround misconfigured timer interrupt Similarily to f005bd7e3b84 ("clocksource/arm_arch_timer: Force per-CPU interrupt to be level-triggered"), make sure we can survive an interrupt that has been misconfigured as edge-triggered by forcing it to be level-triggered (active low is assumed, but the GIC doesn't really care whether this is high or low). Hopefully, the amount of shouting in the kernel log will convince the user to do something about their firmware. Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall virt/kvm/arm/arch_timer.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 674e70127069f3fd3c58fb0f94c60eb0f6567d78 Author: Marc Zyngier Date: Tue Aug 16 15:03:01 2016 +0100 arm64: Document workaround for Cortex-A72 erratum #853709 We already have a workaround for Cortex-A57 erratum #852523, but Cortex-A72 r0p0 to r0p2 do suffer from the same issue (known as erratum #853709). Let's document the fact that we already handle this. Acked-by: Will Deacon Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall Documentation/arm64/silicon-errata.txt | 1 + arch/arm64/kvm/hyp/switch.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit b928466b2169e061822daad48ecf55b005445547 Author: Pawel Moll Date: Wed Aug 10 17:06:26 2016 +0100 bus: arm-ccn: Fix XP watchpoint settings bitmask The code setting XP watchpoint comparator and mask registers should, in order to be fully compliant with specification, zero one or more most significant bits of each field. In both L cases it means zeroing bit 63. The bitmask doing this was wrong, though, zeroing bit 60 instead. Fortunately, due to a lucky coincidence, this turned out to be fairly innocent with the existing hardware. Fixed now. Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b7c1beb278e8e3dc664ed3df3fc786db126120a9 Author: Pawel Moll Date: Fri Aug 5 15:07:10 2016 +0100 bus: arm-ccn: Do not attempt to configure XPs for cycle counter Fuzzing the CCN perf driver revealed a small but definitely dangerous mistake in the event setup code. When a cycle counter is requested, the driver should not reconfigure the events bus at all, otherwise it will corrupt (in most but the simplest cases) its configuration and may end up accessing XP array out of its bounds and corrupting control registers. Reported-by: Mark Rutland Reviewed-by: Mark Rutland Tested-by: Mark Rutland Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 4 ++++ 1 file changed, 4 insertions(+) commit 4e486cba285ff06a1f28f0fc2991dde1482d1dcf Author: Pawel Moll Date: Tue Aug 2 16:45:37 2016 +0100 bus: arm-ccn: Fix PMU handling of MN The "Miscellaneous Node" fell through cracks of node initialisation, as its ID is shared with HN-I. This patch treats MN as a special case (which it is), adding separate validation check for it and pre-defining the node ID in relevant events descriptions. That way one can simply run: # perf stat -a -e ccn/mn_ecbarrier/ Additionally, direction in the MN pseudo-events XP watchpoint definitions is corrected to be "TX" (1) as they are defined from the crosspoint point of view (thus barriers are transmitted from XP to MN). Cc: stable@vger.kernel.org # 3.17+ Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) commit 9ac715954682b23d293d910ad2697554171035e7 Author: Christoffer Dall Date: Wed Aug 17 10:46:10 2016 +0200 KVM: arm/arm64: Change misleading use of is_error_pfn When converting a gfn to a pfn, we call gfn_to_pfn_prot, which returns various kinds of error values. It turns out that is_error_pfn() only returns true when the gfn was found in a memory slot and could somehow not be used, but it does not return true if the gfn does not belong to any memory slot. Change use to is_error_noslot_pfn() which covers both cases. Note: Since we already check for kvm_is_error_hva(hva) explicitly in the caller of this function while holding the kvm->srcu lock protecting the memory slots, this should never be a problem, but nevertheless this change is warranted as it shows the intention of the code. Reported-by: James Hogan Signed-off-by: Christoffer Dall arch/arm/kvm/mmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1b856086813be9371929b6cc62045f9fd470f5a0 Author: Bart Van Assche Date: Tue Aug 16 16:48:36 2016 -0700 block: Fix race triggered by blk_set_queue_dying() blk_set_queue_dying() can be called while another thread is submitting I/O or changing queue flags, e.g. through dm_stop_queue(). Hence protect the QUEUE_FLAG_DYING flag change with locking. Signed-off-by: Bart Van Assche Cc: Christoph Hellwig Cc: Mike Snitzer Cc: stable Signed-off-by: Jens Axboe block/blk-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit b347af816ad2086c1dacf9f74973b82f83e877be Author: Song Liu Date: Thu Aug 11 17:14:45 2016 -0700 md: do not count journal as spare in GET_ARRAY_INFO GET_ARRAY_INFO counts journal as spare (spare_disks), which is not accurate. This patch fixes this. Reported-by: Yi Zhang Signed-off-by: Song Liu Signed-off-by: Shaohua Li drivers/md/md.c | 3 +++ 1 file changed, 3 insertions(+) commit 32438cf9d54bd53b531f6d98814e84dd278360c1 Merge: a03f1a6 1d4795e Author: Dave Chinner Date: Wed Aug 17 11:13:37 2016 +1000 Merge branch 'iomap-fixes-4.8-rc3' into for-next commit a03f1a6633144300ef4a3a33e95dfa11866f1299 Author: Darrick J. Wong Date: Wed Aug 17 11:12:57 2016 +1000 xfs: remove OWN_AG rmap when allocating a block from the AGFL When we're really tight on space, xfs_alloc_ag_vextent_small() can allocate a block from the AGFL and give it to the caller. Since the caller is never the AGFL-fixing method, we must remove the OWN_AG reverse mapping because it will clash with whatever rmap the caller wants to set up. This bug was discovered by running generic/299 repeatedly. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_alloc.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit 3ec60b92d3bae719cf3a8b6e522af07ad3d1cc5b Merge: 45b6ae7 6be3ffa Author: Linus Torvalds Date: Tue Aug 16 15:51:57 2016 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio/vhost fixes from Michael Tsirkin: - test fixes - a vsock fix * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: tools/virtio: add dma stubs vhost/test: fix after swiotlb changes vhost/vsock: drop space available check for TX vq ringtest: test build fix commit 45b6ae761e5259d457a797f66f4d4c16b620f268 Merge: ae5d68b af77521 Author: Linus Torvalds Date: Tue Aug 16 15:50:22 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Martin Schwidefsky: "A couple of bug fixes, minor cleanup and a change to the default config" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/dasd: fix failing CUIR assignment under LPAR s390/pageattr: handle numpages parameter correctly s390/dasd: fix hanging device after clear subchannel s390/qdio: avoid reschedule of outbound tasklet once killed s390/qdio: remove checks for ccw device internal state s390/qdio: fix double return code evaluation s390/qdio: get rid of spin_lock_irqsave usage s390/cio: remove subchannel_id from ccw_device_private s390/qdio: obtain subchannel_id via ccw_device_get_schid() s390/cio: stop using subchannel_id from ccw_device_private s390/config: make the vector optimized crc function builtin s390/lib: fix memcmp and strstr s390/crc32-vx: Fix checksum calculation for small sizes s390: clarify compressed image code path commit 1d4795e7bde075588c90df2175349bb2251802d5 Author: Christoph Hellwig Date: Wed Aug 17 08:45:30 2016 +1000 xfs: (re-)implement FIEMAP_FLAG_XATTR Use a special read-only iomap_ops implementation to support fiemap on the attr fork. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/xfs_iomap.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ fs/xfs/xfs_iomap.h | 1 + fs/xfs/xfs_iops.c | 9 ++++++++- 3 files changed, 54 insertions(+), 1 deletion(-) commit b95a21271b30544a9fb992269d79ed1e1978e023 Author: Christoph Hellwig Date: Wed Aug 17 08:44:52 2016 +1000 xfs: simplify xfs_file_iomap_begin We'll never get nimap == 0 for a successful return from xfs_bmapi_read, so don't try to handle it. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/xfs_iomap.c | 14 ++++---------- fs/xfs/xfs_trace.h | 1 - 2 files changed, 4 insertions(+), 11 deletions(-) commit f20ac7ab17fcf7046bd9bc4166faf9580f713afd Author: Christoph Hellwig Date: Wed Aug 17 08:42:34 2016 +1000 iomap: mark ->iomap_end as optional No need to implement it for read-only mappings. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/iomap.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit ac2dc058bce81b83631ad5accb90b8f4abe613b7 Author: Dave Chinner Date: Wed Aug 17 08:41:34 2016 +1000 iomap: prepare iomap_fiemap for attribute mappings By bassing through an -ENOENT, similar to the old XFS implementation of FIEMAP_FLAG_XATTR. Signed-off-by: Dave Chinner [hch: split from a larger patch] Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/iomap.c | 3 +++ 1 file changed, 3 insertions(+) commit 8896b8f60951ff0a8b7092f495a445714a1bddc4 Author: Dave Chinner Date: Wed Aug 17 08:41:10 2016 +1000 iomap: fiemap should honor the FIEMAP_FLAG_SYNC flag The flag is checked as supported, but then we do an unconditional sync of the file, regardless of whether the flag is set or not. Make the sync conditional on having the FIEMAP_FLAG_SYNC flag set. Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/iomap.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 274c887494cb248eb05f8180bda8298942d98625 Author: Christoph Hellwig Date: Wed Aug 17 08:40:18 2016 +1000 iomap: remove superflous pagefault_disable from iomap_write_actor iov_iter_copy_from_user_atomic disables page faults internally, no need to do it around the call. This also brings the iomap code in line with the original filemap version. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/iomap.c | 2 -- 1 file changed, 2 deletions(-) commit 97dd8c9ee60c98f09be86a2e7e61b18f8d8ed4e9 Author: Christoph Hellwig Date: Wed Aug 17 08:39:47 2016 +1000 iomap: remove superflous mark_page_accessed from iomap_write_actor This catches up with commit 2457ae ("mm: non-atomically mark page accessed during page cache allocation where possible"), which moved the initial access marking into the pagecache allocator. Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/iomap.c | 1 - 1 file changed, 1 deletion(-) commit f32866fdc9ed077c3bc7160f4f53d6a479201d46 Author: Darrick J. Wong Date: Wed Aug 17 08:31:49 2016 +1000 xfs: store rmapbt block count in the AGF Track the number of blocks used for the rmapbt in the AGF. When we get to the AG reservation code we need this counter to quickly make our reservation during mount. Signed-off-by: Darrick J. Wong Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_alloc.c | 1 + fs/xfs/libxfs/xfs_format.h | 11 ++++++++--- fs/xfs/libxfs/xfs_rmap_btree.c | 6 ++++++ fs/xfs/xfs_fsops.c | 1 + 4 files changed, 16 insertions(+), 3 deletions(-) commit 8b2180b3bf0338625cab07da6543acb436df9c40 Author: Dave Chinner Date: Wed Aug 17 08:31:33 2016 +1000 xfs: don't invalidate whole file on DAX read/write When we do DAX IO, we try to invalidate the entire page cache held on the file. This is incorrect as it will trash the entire mapping tree that now tracks dirty state in exceptional entries in the radix tree slots. What we are trying to do is remove cached pages (e.g from reads into holes) that sit in the radix tree over the range we are about to write to. Hence we should just limit the invalidation to the range we are about to overwrite. Reported-by: Jan Kara Signed-off-by: Dave Chinner Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/xfs_file.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) commit 0af32fb468b4a4434dd759d68611763658650b59 Author: Christoph Hellwig Date: Wed Aug 17 08:30:28 2016 +1000 xfs: fix bogus space reservation in xfs_iomap_write_allocate The space reservations was without an explaination in commit "Add error reporting calls in error paths that return EFSCORRUPTED" back in 2003. There is no reason to reserve disk blocks in the transaction when allocating blocks for delalloc space as we already reserved the space when creating the delalloc extent. With this fix we stop running out of the reserved pool in generic/229, which has happened for long time with small blocksize file systems, and has increased in severity with the new buffered write path. [ dchinner: we still need to pass the block reservation into xfs_bmapi_write() to ensure we don't deadlock during AG selection. See commit dbd5c8c ("xfs: pass total block res. as total xfs_bmapi_write() parameter") for more details on why this is necessary. ] Signed-off-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/xfs_iomap.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 4dd3fd7197303739094183b139bae3142a3d55e6 Author: Brian Foster Date: Wed Aug 17 08:30:28 2016 +1000 xfs: don't assert fail on non-async buffers on ioacct decrement The buffer I/O accounting mechanism tracks async buffers under I/O. As an optimization, the buffer I/O count is incremented only once on the first async I/O for a given hold cycle of a buffer and decremented once the buffer is released to the LRU (or freed). xfs_buf_ioacct_dec() has an ASSERT() check for an XBF_ASYNC buffer, but we have one or two corner cases where a buffer can be submitted for I/O multiple times via different methods in a single hold cycle. If an async I/O occurs first, the I/O count is incremented. If a sync I/O occurs before the hold count drops, XBF_ASYNC is cleared by the time the I/O count is decremented. Remove the async assert check from xfs_buf_ioacct_dec() as this is a perfectly valid scenario. For the purposes of I/O accounting, we really only care about the buffer async state at I/O submission time. Discovered-and-analyzed-by: Dave Chinner Signed-off-by: Brian Foster Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/xfs_buf.c | 1 - 1 file changed, 1 deletion(-) commit ae5d68be42cd0275a91faf56d2b527b448c3caf4 Merge: c39378f a0118c8 Author: Linus Torvalds Date: Tue Aug 16 13:37:26 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes the following issues: - Missing ULL suffixes for 64-bit constants in sha3. - Two caam AEAD regressions. - Bogus setkey hooks in non-hmac caam hashes. - Missing kbuild dependency for powerpc crc32c" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: caam - fix non-hmac hashes crypto: powerpc - CRYPT_CRC32C_VPMSUM should depend on ALTIVEC crypto: caam - defer aead_set_sh_desc in case of zero authsize crypto: caam - fix echainiv(authenc) encrypt shared descriptor crypto: sha3 - Add missing ULL suffixes for 64-bit constants commit fbfe12c64f9650aa22f434dd9dd22df7ddf63221 Author: Dave Ertman Date: Fri Aug 12 09:56:32 2016 -0700 i40e: check for and deal with non-contiguous TCs The i40e driver was causing a kernel panic when non-contiguous Traffic Classes, or Traffic Classes not starting with TC0, were configured on a link partner switch. i40e does not support non-contiguous TCs. To fix this, the patch changes the logic when determining the total number of TCs enabled. Before, this would use the highest TC number enabled and assume that all TCs below it were also enabled. Now, we create a bitmask of enabled TCs and scan it to determine not only the number of TCs, but also if the set of enabled TCs starts at zero and is contiguous. If not, then DCB is disabled by only returning one TC. Signed-off-by: Dave Ertman Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/i40e/i40e_main.c | 35 ++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 10 deletions(-) commit a3c06a389751192fdcbcdd8bba57bdb856eafe68 Author: Heinz Mauelshagen Date: Tue Aug 9 14:55:35 2016 +0200 dm raid: enhance attempt_restore_of_faulty_devices() to support more devices attempt_restore_of_faulty_devices() is limited to 64 when it should support the new maximum of 253 when identifying any failed devices. It clears any revivable devices via an MD personality hot remove and add cylce to allow for their recovery. Address by using existing functions to retrieve and update all failed devices' bitfield members in the dm raid superblocks on all RAID devices and check for any devices to clear in it. Whilst on it, don't call attempt_restore_of_faulty_devices() for any MD personality not providing disk hot add/remove methods (i.e. raid0 now), because such personalities don't support reviving of failed disks. Signed-off-by: Heinz Mauelshagen Signed-off-by: Mike Snitzer drivers/md/dm-raid.c | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) commit 3d951822be216d8c6fcfc8abf75e5ed307eeb646 Author: Alexander Duyck Date: Fri Aug 12 09:53:39 2016 -0700 ixgbe: Re-enable ability to toggle VLAN filtering Back when I submitted the GSO code I messed up and dropped the support for disabling the VLAN tag filtering via the feature bit. This patch re-enables the use of the NETIF_F_HW_VLAN_CTAG_FILTER to enable/disable the VLAN filtering independent of toggling promiscuous mode. Fixes: b83e30104b ("ixgbe/ixgbevf: Add support for GSO partial") Signed-off-by: Alexander Duyck Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 1 + 1 file changed, 1 insertion(+) commit 31e10a41203dbc95e0c1e81ef49ad1773a50d4f9 Author: Heinz Mauelshagen Date: Wed Aug 10 02:45:59 2016 +0200 dm raid: fix restoring of failed devices regression 'lvchange --refresh RaidLV' causes a mapped device suspend/resume cycle aiming at device restore and resync after transient device failures. This failed because flag RT_FLAG_RS_RESUMED was always cleared in the suspend path, thus the device restore wasn't performed in the resume path. Solve by removing RT_FLAG_RS_RESUMED from the suspend path and resume unconditionally. Also, remove superfluous comment from raid_resume(). Signed-off-by: Heinz Mauelshagen Signed-off-by: Mike Snitzer drivers/md/dm-raid.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) commit f60439bc21e3337429838e477903214f5bd8277f Author: Alexander Duyck Date: Thu Aug 11 14:51:56 2016 -0700 ixgbe: Force VLNCTRL.VFE to be set in all VMDq paths When I was adding the code for enabling VLAN promiscuous mode with SR-IOV enabled I had inadvertently left the VLNCTRL.VFE bit unchanged as I has assumed there was code in another path that was setting it when we enabled SR-IOV. This wasn't the case and as a result we were just disabling VLAN filtering for all the VFs apparently. Also the previous patches were always clearing CFIEN which was always set to 0 by the hardware anyway so I am dropping the redundant bit clearing. Fixes: 16369564915a ("ixgbe: Add support for VLAN promiscuous with SR-IOV") Signed-off-by: Alexander Duyck Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) commit a4423287ec16e74c25de8ee3f261b1ea18c0af67 Author: Heinz Mauelshagen Date: Tue Aug 9 14:56:14 2016 +0200 dm raid: fix frozen recovery regression On LVM2 conversions via lvconvert(8), the target keeps mapped devices in frozen state when requesting RAID devices be resynchronized. This applies to e.g. adding legs to a raid1 device or taking over from raid0 to raid4 when the rebuild flag's set on the new raid1 legs or the added dedicated parity stripe. Also, fix frozen recovery for reshaping as well. Signed-off-by: Heinz Mauelshagen Signed-off-by: Mike Snitzer drivers/md/dm-raid.c | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) commit 4fe0d154880bb6eb833cbe84fa6f385f400f0b9c Author: Christoph Hellwig Date: Thu Aug 11 07:11:04 2016 -0700 PCI: Use positive flags in pci_alloc_irq_vectors() Instead of passing negative flags like PCI_IRQ_NOMSI to prevent use of certain interrupt types, pass positive flags like PCI_IRQ_LEGACY, PCI_IRQ_MSI, etc., to specify the acceptable interrupt types. This is based on a number of pending driver conversions that just happend to be a whole more obvious to read this way, and given that we have no users in the tree yet it can still easily be done. I've also added a PCI_IRQ_ALL_TYPES catchall to keep the case of accepting all interrupt types very simple. [bhelgaas: changelog, fix PCI_IRQ_AFFINITY doc typo, remove mention of PCI_IRQ_NOLEGACY] Signed-off-by: Christoph Hellwig Signed-off-by: Bjorn Helgaas Reviewed-by: Alexander Gordeev Documentation/PCI/MSI-HOWTO.txt | 24 ++++++++++-------------- drivers/pci/msi.c | 15 +++++++-------- include/linux/pci.h | 10 ++++++---- 3 files changed, 23 insertions(+), 26 deletions(-) commit c39378fc65cc83a65e8aed958bcbd18c113c6a74 Merge: 3684b03 e95d0df Author: Linus Torvalds Date: Tue Aug 16 11:49:02 2016 -0700 Merge tag 'pinctrl-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Here are a few pin control fixes for the v4.8 series, nothing special about them: - Add the missing header to the Intel Merrifield driver to get rid of build mess. - Drop two instances of pinctrl_unregister() called for drivers using devm_* resource management. - Remove the default debounce time for the AMD driver" * tag 'pinctrl-v4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: intel: merrifield: Add missed header pinctrl/amd: Remove the default de-bounce time pinctrl: pistachio: Drop pinctrl_unregister for devm_ registered device pinctrl: meson: Drop pinctrl_unregister for devm_ registered device commit 67540759151aefafddade3e27c4671ab7b3d230f Author: Milian Wolff Date: Tue Aug 16 17:39:26 2016 +0200 perf unwind: Use addr_location::addr instead of ip for entries This fixes the srcline translation for call chains of user space applications. Before we got: perf report --stdio --no-children -s sym,srcline -g address 8.92% [.] main mandelbrot.h:41 | |--3.70%--main +8390240 | __libc_start_main +139950056726769 | _start +8388650 | |--2.74%--main +8390189 | --2.08%--main +8390296 __libc_start_main +139950056726769 _start +8388650 7.59% [.] main complex:1326 | |--4.79%--main +8390203 | __libc_start_main +139950056726769 | _start +8388650 | --2.80%--main +8390219 7.12% [.] __muldc3 libgcc2.c:1945 | |--3.76%--__muldc3 +139950060519490 | main +8390224 | __libc_start_main +139950056726769 | _start +8388650 | --3.32%--__muldc3 +139950060519512 main +8390224 With this patch applied, we instead get: perf report --stdio --no-children -s sym,srcline -g address 8.92% [.] main mandelbrot.h:41 | |--3.70%--main mandelbrot.h:41 | __libc_start_main +241 | _start +4194346 | |--2.74%--main mandelbrot.h:41 | --2.08%--main mandelbrot.h:41 __libc_start_main +241 _start +4194346 7.59% [.] main complex:1326 | |--4.79%--main complex:1326 | __libc_start_main +241 | _start +4194346 | --2.80%--main complex:1326 7.12% [.] __muldc3 libgcc2.c:1945 | |--3.76%--__muldc3 libgcc2.c:1945 | main mandelbrot.h:39 | __libc_start_main +241 | _start +4194346 | --3.32%--__muldc3 libgcc2.c:1945 main mandelbrot.h:39 Suggested-and-Acked-by: Namhyung Kim Signed-off-by: Milian Wolff Tested-by: Arnaldo Carvalho de Melo LPU-Reference: 20160816153926.11288-1-milian.wolff@kdab.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/unwind-libdw.c | 2 +- tools/perf/util/unwind-libunwind-local.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 3cace81ea5bb0b3f2b97cab8e2c8e1fae2feb7ed Merge: 3684b03 3d918fb Author: Ingo Molnar Date: Tue Aug 16 20:08:56 2016 +0200 Merge tag 'perf-urgent-for-mingo-20160815' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fix occasional decoding errors when tracing system-wide with Intel PT (Adrian Hunter) - Fix ip compression in Intel PT for some specific packet types not present on current hardware (Adrian Hunter) - Fix annotation of objects with debuginfo files (Anton Blanchard) - Fix build on Fedora Rawhide (25) wrt using the right header to get the major() & minor() definitions in the jitdump code, now it is deprecated getting those using sys/types.h, one has to use sys/sysmacros.h (Arnaldo Carvalho de Melo) - Sync arm64/s390 kvm related header files (Arnaldo Carvalho de Melo) - Check for dup and fdopen failures in 'perf probe' (Colin Ian King, Arnaldo Carvalho de Melo) - Fix showing callchains in pipe mode, i.e. perf record -g -o - workload | perf script now shows callchains (He Kuang) - Show proper message when the scripts directory points to some invalid location in 'perf script --list' (He Kuang) - Fix 'perf mem -t store' to record 'cpu/mem-stores/P' events again (Jiri Olsa) - Fix ppc64le build failure when libelf is not present (Ravi Bangoria) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 8037dd60f45264c3fbbea4cc0cea5f2f0a774b5e Author: Jarod Wilson Date: Tue Jul 26 14:25:35 2016 -0400 e1000e: fix PTP on e1000_pch_lpt variants I've got reports that the Intel I-218V NIC in Intel NUC5i5RYH systems used as a PTP slave experiences random ~10 hour clock jumps, which are resolved if the same workaround for the 82574 and 82583 is employed, so set the appropriate flag2 in e1000_pch_lpt_info too. Reported-by: Rupesh Patel Signed-off-by: Jarod Wilson Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/e1000e/ich8lan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 0be5b96cd8400aeb4bf3f8c5e7f5efaa38ae5055 Author: Jarod Wilson Date: Tue Jul 26 14:25:34 2016 -0400 e1000e: factor out systim sanitization This is prepatory work for an expanding list of adapter families that have occasional ~10 hour clock jumps when being used for PTP. Factor out the sanitization function and convert to using a feature (bug) flag, per suggestion from Jesse Brandeburg. Littering functional code with device-specific checks is much messier than simply checking a flag, and having device-specific init set flags as needed. There are probably a number of other cases in the e1000e code that could/should be converted similarly. Suggested-by: Jesse Brandeburg Signed-off-by: Jarod Wilson Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/e1000e/82571.c | 6 ++- drivers/net/ethernet/intel/e1000e/e1000.h | 1 + drivers/net/ethernet/intel/e1000e/netdev.c | 66 ++++++++++++++++++------------ 3 files changed, 44 insertions(+), 29 deletions(-) commit 0066c8b6f4050d7c57f6379d6fd4535e2f267f17 Author: Kshitiz Gupta Date: Sat Jul 16 02:23:45 2016 -0500 igb: fix adjusting PTP timestamps for Tx/Rx latency Fix PHY delay compensation math in igb_ptp_tx_hwtstamp() and igb_ptp_rx_rgtstamp. Add PHY delay compensation in igb_ptp_rx_pktstamp(). In the IGB driver, there are two functions that retrieve timestamps received by the PHY - igb_ptp_rx_rgtstamp() and igb_ptp_rx_pktstamp(). The previous commit only changed igb_ptp_rx_rgtstamp(), and the change was incorrect. There are two instances in which PHY delay compensations should be made: - Before the packet transmission over the PHY, the latency between when the packet is timestamped and transmission of the packets, should be an add operation, but it is currently a subtract. - After the packets are received from the PHY, the latency between the receiving and timestamping of the packets should be a subtract operation, but it is currently an add. Signed-off-by: Kshitiz Gupta Fixes: 3f544d2 (igb: adjust ptp timestamps for tx/rx latency) Tested-by: Aaron Brown Signed-off-by: Jeff Kirsher drivers/net/ethernet/intel/igb/igb_ptp.c | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) commit 286054a7a8674b256da16564d96772b88896eb35 Author: Andre Przywara Date: Tue Aug 16 17:51:06 2016 +0100 KVM: arm64: ITS: avoid re-mapping LPIs When a guest wants to map a device-ID/event-ID combination that is already mapped, we may end up in a situation where an LPI is never "put", thus never being freed. Since the GICv3 spec says that mapping an already mapped LPI is UNPREDICTABLE, lets just bail out early in this situation to avoid any potential leaks. Signed-off-by: Andre Przywara Reviewed-by: Christoffer Dall Signed-off-by: Christoffer Dall virt/kvm/arm/vgic/vgic-its.c | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) commit 7afafc8a44bf0ab841b17d450b02aedb3a138985 Author: Adrian Hunter Date: Tue Aug 16 10:59:35 2016 +0300 block: Fix secure erase Commit 288dab8a35a0 ("block: add a separate operation type for secure erase") split REQ_OP_SECURE_ERASE from REQ_OP_DISCARD without considering all the places REQ_OP_DISCARD was being used to mean either. Fix those. Signed-off-by: Adrian Hunter Fixes: 288dab8a35a0 ("block: add a separate operation type for secure erase") Signed-off-by: Jens Axboe block/bio.c | 21 +++++++++++---------- block/blk-merge.c | 33 +++++++++++++++++++-------------- block/elevator.c | 2 +- drivers/mmc/card/block.c | 1 + drivers/mmc/card/queue.c | 3 ++- drivers/mmc/card/queue.h | 4 +++- include/linux/bio.h | 10 ++++++++-- include/linux/blkdev.h | 6 ++++-- kernel/trace/blktrace.c | 2 +- 9 files changed, 50 insertions(+), 32 deletions(-) commit 15d03055cf39fe61714aeda8d0a722b3137531ed Author: Trond Myklebust Date: Tue Aug 16 11:08:22 2016 -0400 pNFS/flexfiles: Set reasonable default retrans values for the data channel Prior to this patch, the retrans value was set at 5, meaning that we could see a maximum retransmission timeout value of more than 6 minutes. That's a tad high for NFSv3 where the protocol does allow the server to drop requests at any time. Since this is a data channel, let's just set retrans to 0, and the default timeout to 60s. The user can continue to adjust these defaults using the dataserver_retrans and dataserver_timeo module parameters. Signed-off-by: Trond Myklebust fs/nfs/flexfilelayout/flexfilelayoutdev.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a956beda19a6b39fbc19d0aaf21947acdc18cf74 Author: Trond Myklebust Date: Tue Aug 16 10:26:47 2016 -0400 NFS: Allow the mount option retrans=0 We should allow retrans=0 as just meaning that every timeout is a major timeout, and that there is no increment in the timeout value. For instance, this means that we would allow TCP users to specify a flat timeout value of 60s, by specifying "timeo=600,retrans=0" in their mount option string. Siged-off-by: Trond Myklebust fs/nfs/client.c | 10 +++++----- fs/nfs/internal.h | 5 ++++- fs/nfs/super.c | 19 +++++++++++++++++-- 3 files changed, 26 insertions(+), 8 deletions(-) commit cab0b8d50e9bbef62c04067072c953433a87a9ff Author: Felix Kuehling Date: Fri Aug 12 19:25:21 2016 -0400 drm/amdgpu: Change GART offset to 64-bit The GART aperture size can be bigger than 4GB. Therefore the offset used in amdgpu_gart_bind and amdgpu_gart_unbind must be 64-bit. Reviewed-by: Christian König Signed-off-by: Felix Kuehling Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu.h | 4 ++-- drivers/gpu/drm/amd/amdgpu/amdgpu_gart.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 3256aaef5e9a851f6be47656868020726e102187 Author: Vincent Stehlé Date: Tue Aug 16 15:11:25 2016 +0200 nvmet-rdma: Fix use after free Avoid dereferencing the queue pointer in nvmet_rdma_release_queue_work() after it has been freed by nvmet_rdma_free_queue(). Fixes: d8f7750a08968b10 ("nvmet-rdma: Correctly handle RDMA device hot removal") Signed-off-by: Vincent Stehlé Cc: Sagi Grimberg Cc: Christoph Hellwig Signed-off-by: Sagi Grimberg drivers/nvme/target/rdma.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3e103a65514c2947e53f3171b21255fbde8b60c6 Author: Christoph Huber Date: Mon Aug 15 18:59:25 2016 +0200 ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup commit cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") refactored code such that the SSC is reset on every startup; this breaks duplex audio (e.g. first start audio playback, then start record, causing the playback to stop/hang) Fixes: cbaadf0f90d6 (ASoC: atmel_ssc_dai: refactor the startup and shutdown) Signed-off-by: Christoph Huber Signed-off-by: Peter Meerwald-Stadler Signed-off-by: Mark Brown Cc: stable@vger.kernel.org sound/soc/atmel/atmel_ssc_dai.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 924d8696751c4b9e58263bc82efdafcf875596a6 Author: James Morse Date: Tue Aug 16 10:46:38 2016 +0100 PM / hibernate: Fix rtree_next_node() to avoid walking off list ends rtree_next_node() walks the linked list of leaf nodes to find the next block of pages in the struct memory_bitmap. If it walks off the end of the list of nodes, it walks the list of memory zones to find the next region of memory. If it walks off the end of the list of zones, it returns false. This leaves the struct bm_position's node and zone pointers pointing at their respective struct list_heads in struct mem_zone_bm_rtree. memory_bm_find_bit() uses struct bm_position's node and zone pointers to avoid walking lists and trees if the next bit appears in the same node/zone. It handles these values being stale. Swap rtree_next_node()s 'step then test' to 'test-next then step', this means if we reach the end of memory we return false and leave the node and zone pointers as they were. This fixes a panic on resume using AMD Seattle with 64K pages: [ 6.868732] Freezing user space processes ... (elapsed 0.000 seconds) done. [ 6.875753] Double checking all user space processes after OOM killer disable... (elapsed 0.000 seconds) [ 6.896453] PM: Using 3 thread(s) for decompression. [ 6.896453] PM: Loading and decompressing image data (5339 pages)... [ 7.318890] PM: Image loading progress: 0% [ 7.323395] Unable to handle kernel paging request at virtual address 00800040 [ 7.330611] pgd = ffff000008df0000 [ 7.334003] [00800040] *pgd=00000083fffe0003, *pud=00000083fffe0003, *pmd=00000083fffd0003, *pte=0000000000000000 [ 7.344266] Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 7.349825] Modules linked in: [ 7.352871] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G W I 4.8.0-rc1 #4737 [ 7.360512] Hardware name: AMD Overdrive/Supercharger/Default string, BIOS ROD1002C 04/08/2016 [ 7.369109] task: ffff8003c0220000 task.stack: ffff8003c0280000 [ 7.375020] PC is at set_bit+0x18/0x30 [ 7.378758] LR is at memory_bm_set_bit+0x24/0x30 [ 7.383362] pc : [] lr : [] pstate: 60000045 [ 7.390743] sp : ffff8003c0283b00 [ 7.473551] [ 7.475031] Process swapper/0 (pid: 1, stack limit = 0xffff8003c0280020) [ 7.481718] Stack: (0xffff8003c0283b00 to 0xffff8003c0284000) [ 7.800075] Call trace: [ 7.887097] [] set_bit+0x18/0x30 [ 7.891876] [] duplicate_memory_bitmap.constprop.38+0x54/0x70 [ 7.899172] [] snapshot_write_next+0x22c/0x47c [ 7.905166] [] load_image_lzo+0x754/0xa88 [ 7.910725] [] swsusp_read+0x144/0x230 [ 7.916025] [] load_image_and_restore+0x58/0x90 [ 7.922105] [] software_resume+0x2f0/0x338 [ 7.927752] [] do_one_initcall+0x38/0x11c [ 7.933314] [] kernel_init_freeable+0x14c/0x1ec [ 7.939395] [] kernel_init+0x10/0xfc [ 7.944520] [] ret_from_fork+0x10/0x40 [ 7.949820] Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22) [ 7.955909] ---[ end trace 0024a5986e6ff323 ]--- [ 7.960529] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Here struct mem_zone_bm_rtree's start_pfn has been returned instead of struct rtree_node's addr as the node/zone pointers are corrupt after we walked off the end of the lists during mark_unsafe_pages(). This behaviour was exposed by commit 6dbecfd345a6 ("PM / hibernate: Simplify mark_unsafe_pages()"), which caused mark_unsafe_pages() to call duplicate_memory_bitmap(), which uses memory_bm_find_bit() after walking off the end of the memory bitmap. Fixes: 3a20cb177961 (PM / Hibernate: Implement position keeping in radix tree) Signed-off-by: James Morse [ rjw: Subject ] Signed-off-by: Rafael J. Wysocki kernel/power/snapshot.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit b0f12c61de013ecb0abe19d5e64bdab45989de5a Author: Charles Keepax Date: Tue Aug 16 11:24:46 2016 +0100 ASoC: compress: Fix leak of a widget list in soc_compr_open_fe After we have called dpcm_path_get we should make sure to call dpcm_path_put on all error paths. This was not happening causing the allocated widget list to be leaked, this patch corrects this by adding a dpcm_path_put to the error path. Signed-off-by: Charles Keepax Signed-off-by: Mark Brown sound/soc/soc-compress.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit e67479b13ede47cc2f5beb5b51e67fdb30778ee8 Author: Xiaodong Liu Date: Fri Aug 12 06:28:31 2016 -0400 crypto: sha512-mb - fix ctx pointer 1. fix ctx pointer Use req_ctx which is the ctx for the next job that have been completed in the lanes instead of the first completed job rctx, whose completion could have been called and released. Signed-off-by: Xiaodong Liu Signed-off-by: Herbert Xu arch/x86/crypto/sha512-mb/sha512_mb.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 172b1d6b5a9337eb8c1ec294b80e448e03a9ac17 Author: Xiaodong Liu Date: Fri Aug 12 06:24:42 2016 -0400 crypto: sha256-mb - fix ctx pointer and digest copy 1. fix ctx pointer Use req_ctx which is the ctx for the next job that have been completed in the lanes instead of the first completed job rctx, whose completion could have been called and released. 2. fix digest copy Use XMM register to copy another 16 bytes sha256 digest instead of a regular register. Signed-off-by: Xiaodong Liu Signed-off-by: Herbert Xu arch/x86/crypto/sha256-mb/sha256_mb.c | 4 ++-- arch/x86/crypto/sha256-mb/sha256_mb_mgr_flush_avx2.S | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) commit 39bbee4e549fbc358b2ef9137c4bf459abd164fb Author: Colin Ian King Date: Tue Aug 16 09:24:39 2016 +0100 nvme-rdma: initialize ret to zero to avoid returning garbage ret is not initialized so it contains garbage. Ensure garbage is not returned by initializing rc to 0. Signed-off-by: Colin Ian King Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d3e2773c4ede5c62d2a92dae20e3a09b1ca55b6e Author: Kees Cook Date: Mon Aug 15 10:36:22 2016 -0700 builddeb: Skip gcc-plugins when not configured When attempting to build a Debian kernel package, the "scripts/gcc-plugins" directory does not exist in the output tree unless CONFIG_GCC_PLUGINS=y. To avoid errors when not defined, this wraps the failing "find" in a config test. Reported-by: Frank Paulsen Tested-by: Christian Kujau Signed-off-by: Kees Cook Signed-off-by: Michal Marek scripts/package/builddeb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 83cf8df2d4fa48a80b384fea4b09b12180a2442e Author: Valentin Rothberg Date: Tue Aug 16 08:27:53 2016 +0200 drivers/iio/light/Kconfig: SENSORS_BH1780 cleanup Commit 7ef9153d9af5 ("misc: delete bh1780 driver") has removed the Kconfig option SENSORS_BH1780. Remove the last reference on this option. Signed-off-by: Valentin Rothberg Signed-off-by: Greg Kroah-Hartman drivers/iio/light/Kconfig | 1 - 1 file changed, 1 deletion(-) commit f1f6d9a8b540df22b87a5bf6bc104edaade81f47 Author: Mathias Nyman Date: Tue Aug 16 10:18:06 2016 +0300 xhci: don't dereference a xhci member after removing xhci Remove the hcd after checking for the xhci last quirks, not before. This caused a hang on a Alpine Ridge xhci based maching which remove the whole xhci controller when unplugging the last usb device CC: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-pci.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 88716a93766b8f095cdef37a8e8f2c93aa233b21 Author: Jim Lin Date: Tue Aug 16 10:18:05 2016 +0300 usb: xhci: Fix panic if disconnect After a device is disconnected, xhci_stop_device() will be invoked in xhci_bus_suspend(). Also the "disconnect" IRQ will have ISR to invoke xhci_free_virt_device() in this sequence. xhci_irq -> xhci_handle_event -> handle_cmd_completion -> xhci_handle_cmd_disable_slot -> xhci_free_virt_device If xhci->devs[slot_id] has been assigned to NULL in xhci_free_virt_device(), then virt_dev->eps[i].ring in xhci_stop_device() may point to an invlid address to cause kernel panic. virt_dev = xhci->devs[slot_id]; : if (virt_dev->eps[i].ring && virt_dev->eps[i].ring->dequeue) [] Unable to handle kernel paging request at virtual address 00001a68 [] pgd=ffffffc001430000 [] [00001a68] *pgd=000000013c807003, *pud=000000013c807003, *pmd=000000013c808003, *pte=0000000000000000 [] Internal error: Oops: 96000006 [#1] PREEMPT SMP [] CPU: 0 PID: 39 Comm: kworker/0:1 Tainted: G U [] Workqueue: pm pm_runtime_work [] task: ffffffc0bc0e0bc0 ti: ffffffc0bc0ec000 task.ti: ffffffc0bc0ec000 [] PC is at xhci_stop_device.constprop.11+0xb4/0x1a4 This issue is found when running with realtek ethernet device (0bda:8153). Signed-off-by: Jim Lin Cc: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-hub.c | 3 +++ 1 file changed, 3 insertions(+) commit 0d2daaded82565f807a4435d678343f437b8b848 Author: Alban Browaeys Date: Tue Aug 16 10:18:04 2016 +0300 xhci: really enqueue zero length TRBs. Enqueue the first TRB even if full_len is zero. Without this "adb install " freezes the system. Signed-off-by: Alban Browaeys Fixes: 86065c2719a5 ("xhci: don't rely on precalculated value of needed trbs in the enqueue loop") Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-ring.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 33be126510974e2eb9679f1ca9bca4f67ee4c4c7 Author: Mathias Nyman Date: Tue Aug 16 10:18:03 2016 +0300 xhci: always handle "Command Ring Stopped" events Fix "Command completion event does not match command" errors by always handling the command ring stopped events. The command ring stopped event is generated as a result of aborting or stopping the command ring with a register write. It is not caused by a command in the command queue, and thus won't have a matching command in the comman list. Solve it by handling the command ring stopped event before checking for a matching command. In most command time out cases we abort the command ring, and get a command ring stopped event. The events command pointer will point at the current command ring dequeue, which in most cases matches the timed out command in the command list, and no error messages are seen. If we instead get a command aborted event before the command ring stopped event, the abort event will increse the command ring dequeue pointer, and the following command ring stopped events command pointer will point at the next, not yet queued command. This case triggered the error message Signed-off-by: Mathias Nyman CC: Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-ring.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) commit a1560dd7a47f983419760aa7f6a481e3b910b54b Merge: d2fbdf7 55a4e77 Author: David S. Miller Date: Mon Aug 15 23:02:45 2016 -0700 Merge branch 'mediatek-fixes' Sean Wang says: ==================== mediatek: Fix warning and issue This patch set fixes the following warning and issues v1 -> v2: Fix message typos and add coverletter v2 -> v3: Split from the previous series for submitting bug fixes as a series targeting 'net' ==================== Signed-off-by: David S. Miller commit 55a4e778191cfcf675aa1f9716edb71a3014d5fb Author: sean.wang@mediatek.com Date: Tue Aug 16 13:55:15 2016 +0800 net: ethernet: mediatek: fix runtime warning raised by inconsistent struct device pointers passed to DMA API Runtime warning occurs if DMA-API debug feature is enabled that would be raised by pointers passed to DMA API as arguments to inconsistent struct device objects, so that the patch makes them usage aligned between DMA operations such as dma_map_*() and dma_unmap_*() to eliminate the warning. Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) commit b2025c7cc92d5bfc8c5ce756c8d8a6f57c776fbd Author: sean.wang@mediatek.com Date: Tue Aug 16 13:55:14 2016 +0800 net: ethernet: mediatek: fix flow control settings on GMAC0 is not being enabled properly Commit 08ef55c6f257acf3bdc6940813f80e8f0f5d90ec ("net-next: mediatek: fix gigabit and flow control advertisement") had supported proper flow control settings for GMAC1. But for GMAC0, 1.GMAC0 shares the common logic with GMAC1 inside mtk_phy_link_adjust() to adapt various settings for the target phy. 2.GMAC0 uses fixed-phy to connect to a builtin gigabit switch with fixed link speed as commit 0c72c50f6f93b0c3daa9ea35d89ab3a933c7b5a0 ("net-next: mediatek: add fixed-phy support") describes. 3.However, fixed-phy doesn't enable SUPPORTED_Pause & SUPPORTED_Asym_Pause supported flag on default that would cause mtk_phy_link_adjust() not to enable flow control setting on GMAC0 properly and cause packet dropped when high traffic. Due to these reasons, the patch adds SUPPORTED_Pause & SUPPORTED_Asym_Pause supported flags on fixed-phy used by the driver to have proper handling on the both GMAC with the shared common logic. Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 5 +++++ 1 file changed, 5 insertions(+) commit 8ca7f4fe0733342c862b8585dd6eb6521b9bf533 Author: sean.wang@mediatek.com Date: Tue Aug 16 13:55:13 2016 +0800 net: ethernet: mediatek: fix RMII mode and add REVMII supported by GMAC The patch fixes up the incorrect setup of reduced MII (RMII) on GMAC and adds the supplement for the setup of reverse MII (REVMII) on GMAC , and rearranges the error handling for invalid PHY argument. Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) commit c6b269ba51be70fd11852bcad2e163c734e8e92a Author: Xose Vazquez Perez Date: Sat Aug 13 00:56:03 2016 +0200 scsi: blacklist all RDAC devices for BLIST_NO_ULD_ATTACH "Universal Xport" LUN is used for in-band storage array management. Cc: Sean Stewart Cc: Christophe Varoqui Cc: James E.J. Bottomley Cc: Martin K. Petersen Cc: SCSI ML Cc: device-mapper development Signed-off-by: Xose Vazquez Perez Acked-by: Sean Stewart Signed-off-by: Martin K. Petersen drivers/scsi/scsi_devinfo.c | 4 ++++ 1 file changed, 4 insertions(+) commit a87eeb900dbb9f8202f96604d56e47e67c936b9d Author: Tyrel Datwyler Date: Fri Aug 12 17:20:07 2016 -0500 scsi: fix upper bounds check of sense key in scsi_sense_key_string() Commit 655ee63cf371 ("scsi constants: command, sense key + additional sense string") added a "Completed" sense string with key 0xF to snstext[], but failed to updated the upper bounds check of the sense key in scsi_sense_key_string(). Fixes: 655ee63cf371 ("[SCSI] scsi constants: command, sense key + additional sense strings") Cc: # v3.12+ Signed-off-by: Tyrel Datwyler Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen drivers/scsi/constants.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 5d87f493ddb1b86a0569fa3c4037fa9efc0c7183 Author: Rafael J. Wysocki Date: Sun Aug 14 04:07:32 2016 +0200 x86/power/64: Use __pa() for physical address computation The value of temp_level4_pgt is the physical address of the top-level page directory, so use __pa() to compute it. Signed-off-by: Rafael J. Wysocki Acked-by: Ingo Molnar arch/x86/power/hibernate_64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3d918fb13abdbeca7947578f5d7e426eafad7f5e Author: Adrian Hunter Date: Mon Aug 15 10:23:04 2016 +0300 perf intel-pt: Fix occasional decoding errors when tracing system-wide In order to successfully decode Intel PT traces, context switch events are needed from the moment the trace starts. Currently that is ensured by using the 'immediate' flag which enables the switch event when it is opened. However, since commit 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH") that might not always happen. When tracing system-wide the context switch event is added to the tracking event which was not set as 'immediate'. Change that so it is. Signed-off-by: Adrian Hunter Cc: Jiri Olsa Cc: stable@vger.kernel.org # v4.4+ Fixes: 86c2786994bd ("perf intel-pt: Add support for PERF_RECORD_SWITCH") Link: http://lkml.kernel.org/r/1471245784-22580-1-git-send-email-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/arch/x86/util/intel-pt.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 9f3156903df3f7d9bba9acde810d78bca94305d5 Author: Arnaldo Carvalho de Melo Date: Mon Aug 15 17:42:30 2016 -0300 tools: Sync kvm related header files for arm64 and s390 From a quick look nothing stands out as requiring changes to kvm tools such as tools/perf/arch/s390/util/kvm-stat.c. Silences these header checking warnings: $ make -C tools/perf make: Entering directory '/home/acme/git/linux/tools/perf' BUILD: Doing 'make -j4' parallel build Warning: tools/arch/s390/include/uapi/asm/kvm.h differs from kernel Warning: tools/arch/s390/include/uapi/asm/sie.h differs from kernel Warning: tools/arch/arm64/include/uapi/asm/kvm.h differs from kernel Cc: Adrian Hunter Cc: Alexander Yarygin Cc: David Ahern Cc: Hemant Kumar Cc: Jiri Olsa Cc: Michael Ellerman Cc: Namhyung Kim Cc: Naveen N. Rao Cc: Scott Wood Cc: Srikar Dronamraju Cc: Wang Nan Link: http://lkml.kernel.org/n/tip-btutge414g516qmh6r5ienlj@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/arch/arm64/include/uapi/asm/kvm.h | 2 ++ tools/arch/s390/include/uapi/asm/kvm.h | 41 +++++++++++++++++++++++++++++++++ tools/arch/s390/include/uapi/asm/sie.h | 1 + 3 files changed, 44 insertions(+) commit 60ebc159817fef86171616510b1228476d979556 Author: Arnaldo Carvalho de Melo Date: Mon Aug 15 17:06:47 2016 -0300 perf probe: Release resources on error when handling exit paths Cc: Adrian Hunter Cc: Colin King Cc: David Ahern Cc: Jiri Olsa Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Wang Nan Link: http://lkml.kernel.org/n/tip-zh2j4iqimralugke5qq7dn6d@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/probe-file.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit 33e7664a0af6e9a516f01014f39737aaa119b6d9 Author: Wei Yongjun Date: Tue Jul 26 14:49:04 2016 +0000 power_supply: tps65217-charger: fix missing platform_set_drvdata() Add missing platform_set_drvdata() in tps65217_charger_probe(), otherwise calling platform_get_drvdata() in remove returns NULL. This is detected by Coccinelle semantic patch. Fixes: 3636859b280c ("power_supply: Add support for tps65217-charger") Signed-off-by: Wei Yongjun Signed-off-by: Sebastian Reichel drivers/power/tps65217_charger.c | 1 + 1 file changed, 1 insertion(+) commit 505a19eec49ab36b314a05bc062749ebdfb0aa90 Author: Andre Przywara Date: Tue Aug 9 10:54:29 2016 +0100 KVM: arm64: check for ITS device on MSI injection When userspace provides the doorbell address for an MSI to be injected into the guest, we find a KVM device which feels responsible. Lets check that this device is really an emulated ITS before we make real use of the container_of-ed pointer. [ Moved NULL-pointer check to caller of static function - Christoffer ] Signed-off-by: Andre Przywara Reviewed-by: Christoffer Dall Signed-off-by: Christoffer Dall virt/kvm/arm/vgic/vgic-its.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) commit c7735769d5dd79afb07254532fabd9ccbd85b1fa Author: Andre Przywara Date: Mon Aug 8 16:45:43 2016 +0100 KVM: arm64: ITS: move ITS registration into first VCPU run Currently we register an ITS device upon userland issuing the CTLR_INIT ioctl to mark initialization of the ITS as done. This deviates from the initialization sequence of the existing GIC devices and does not play well with the way QEMU handles things. To be more in line with what we are used to, register the ITS(es) just before the first VCPU is about to run, so in the map_resources() call. This involves iterating through the list of KVM devices and map each ITS that we find. Signed-off-by: Andre Przywara Reviewed-by: Eric Auger Tested-by: Eric Auger Signed-off-by: Christoffer Dall virt/kvm/arm/vgic/vgic-its.c | 43 +++++++++++++++++++++++++++++++++---------- virt/kvm/arm/vgic/vgic-v3.c | 8 ++++++++ virt/kvm/arm/vgic/vgic.h | 6 ++++++ 3 files changed, 47 insertions(+), 10 deletions(-) commit d9ae449b3d14d7c55f69af329972f175d180e68d Author: Christoffer Dall Date: Wed Aug 3 18:03:44 2016 +0200 KVM: arm64: vgic-its: Make updates to propbaser/pendbaser atomic There are two problems with the current implementation of the MMIO handlers for the propbaser and pendbaser: First, the write to the value itself is not guaranteed to be an atomic 64-bit write so two concurrent writes to the structure field could be intermixed. Second, because we do a read-modify-update operation without any synchronization, if we have two 32-bit accesses to separate parts of the register, we can loose one of them. By using the atomic cmpxchg64 we should cover both issues above. Reviewed-by: Andre Przywara Signed-off-by: Christoffer Dall virt/kvm/arm/vgic/vgic-mmio-v3.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) commit d2fbdf76b85bcdfe57b8ef2ba09d20e8ada79abd Author: Vegard Nossum Date: Sat Jul 23 08:15:04 2016 +0200 tipc: fix NULL pointer dereference in shutdown() tipc_msg_create() can return a NULL skb and if so, we shouldn't try to call tipc_node_xmit_skb() on it. general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 3 PID: 30298 Comm: trinity-c0 Not tainted 4.7.0-rc7+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 task: ffff8800baf09980 ti: ffff8800595b8000 task.ti: ffff8800595b8000 RIP: 0010:[] [] tipc_node_xmit_skb+0x6b/0x140 RSP: 0018:ffff8800595bfce8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000003023b0e0 RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffffffff83d12580 RBP: ffff8800595bfd78 R08: ffffed000b2b7f32 R09: 0000000000000000 R10: fffffbfff0759725 R11: 0000000000000000 R12: 1ffff1000b2b7f9f R13: ffff8800595bfd58 R14: ffffffff83d12580 R15: dffffc0000000000 FS: 00007fcdde242700(0000) GS:ffff88011af80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fcddde1db10 CR3: 000000006874b000 CR4: 00000000000006e0 DR0: 00007fcdde248000 DR1: 00007fcddd73d000 DR2: 00007fcdde248000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602 Stack: 0000000000000018 0000000000000018 0000000041b58ab3 ffffffff83954208 ffffffff830bb400 ffff8800595bfd30 ffffffff8309d767 0000000000000018 0000000000000018 ffff8800595bfd78 ffffffff8309da1a 00000000810ee611 Call Trace: [] tipc_shutdown+0x553/0x880 [] SyS_shutdown+0x14b/0x170 [] do_syscall_64+0x19c/0x410 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: 90 00 b4 0b 83 c7 00 f1 f1 f1 f1 4c 8d 6d e0 c7 40 04 00 00 00 f4 c7 40 08 f3 f3 f3 f3 48 89 d8 48 c1 e8 03 c7 45 b4 00 00 00 00 <80> 3c 30 00 75 78 48 8d 7b 08 49 8d 75 c0 48 b8 00 00 00 00 00 RIP [] tipc_node_xmit_skb+0x6b/0x140 RSP ---[ end trace 57b0484e351e71f1 ]--- I feel like we should maybe return -ENOMEM or -ENOBUFS, but I'm not sure userspace is equipped to handle that. Anyway, this is better than a GPF and looks somewhat consistent with other tipc_msg_create() callers. Signed-off-by: Vegard Nossum Acked-by: Ying Xue Acked-by: Jon Maloy Signed-off-by: David S. Miller net/tipc/socket.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a8545b60a8d0d959424beb17b20f6b06b2305b2c Merge: 3d7b332 0dbff14 Author: David S. Miller Date: Mon Aug 15 13:48:08 2016 -0700 Merge branch 'hv_netvsc-VF-removal-fixes' Vitaly Kuznetsov says: ==================== hv_netvsc: fixes for VF removal path Kernel crash is reported after VF is removed and detached from netvsc device. Turns out we have multiple different (but related) issues on the VF removal path which I'm trying to address with PATCHes 2-5 of this series. PATCH1 is required to support the change. Changes since v1: - Re-arrange patches in the series to not introduce new issues [David Miller] - Add PATCH5 which fixes a new issue I discovered while testing. - Add Haiyang' A-b tags to PATCH1-4 With regards to Stephen's suggestion: I believe that switching to using RCU and eliminating vf_use_cnt/vf_inject is the right thing to do long-term, we can either put this on top of this series or do it later in net-next. ==================== Signed-off-by: David S. Miller commit 0dbff144a1e7310e2f8b7a957352c4be9aeb38e4 Author: Vitaly Kuznetsov Date: Mon Aug 15 17:48:43 2016 +0200 hv_netvsc: fix bonding devices check in netvsc_netdev_event() Bonding driver sets IFF_BONDING on both master (the bonding device) and slave (the real NIC) devices and in netvsc_netdev_event() we want to skip master devices only. Currently, there is an uncertainty when a slave interface is removed: if bonding module comes first in netdev_chain it clears IFF_BONDING flag on the netdev and netvsc_netdev_event() correctly handles NETDEV_UNREGISTER event, but in case netvsc comes first on the chain it sees the device with IFF_BONDING still attached and skips it. As we still hold vf_netdev pointer to the device we crash on the next inject. Signed-off-by: Vitaly Kuznetsov Acked-by: Haiyang Zhang Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 0f20d795f78d182c4b743d880a5e8dc4d39892fe Author: Vitaly Kuznetsov Date: Mon Aug 15 17:48:42 2016 +0200 hv_netvsc: protect module refcount by checking net_device_ctx->vf_netdev We're not guaranteed to see NETDEV_REGISTER/NETDEV_UNREGISTER notifications only once per VF but we increase/decrease module refcount unconditionally. Check vf_netdev to make sure we don't take/release it twice. We presume that only one VF per netvsc device may exist. Signed-off-by: Vitaly Kuznetsov Acked-by: Haiyang Zhang Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 57c1826b991244d2144eb6e3d5d1b13a53cbea63 Author: Vitaly Kuznetsov Date: Mon Aug 15 17:48:41 2016 +0200 hv_netvsc: reset vf_inject on VF removal We reset vf_inject on VF going down (netvsc_vf_down()) but we don't on VF removal (netvsc_unregister_vf()) so vf_inject stays 'true' while vf_netdev is already NULL and we're trying to inject packets into NULL net device in netvsc_recv_callback() causing kernel to crash. Signed-off-by: Vitaly Kuznetsov Acked-by: Haiyang Zhang Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 26 ++++++++++++++++---------- 1 file changed, 16 insertions(+), 10 deletions(-) commit d072218f214929194db06069564495b6b9fff34a Author: Vitaly Kuznetsov Date: Mon Aug 15 17:48:40 2016 +0200 hv_netvsc: avoid deadlocks between rtnl lock and vf_use_cnt wait Here is a deadlock scenario: - netvsc_vf_up() schedules netvsc_notify_peers() work and quits. - netvsc_vf_down() runs before netvsc_notify_peers() gets executed. As it is being executed from netdev notifier chain we hold rtnl lock when we get here. - we enter while (atomic_read(&net_device_ctx->vf_use_cnt) != 0) loop and wait till netvsc_notify_peers() drops vf_use_cnt. - netvsc_notify_peers() starts on some other CPU but netdev_notify_peers() will hang on rtnl_lock(). - deadlock! Instead of introducing additional synchronization I suggest we drop gwrk.dwrk completely and call NETDEV_NOTIFY_PEERS directly. As we're acting under rtnl lock this is legitimate. Signed-off-by: Vitaly Kuznetsov Acked-by: Haiyang Zhang Signed-off-by: David S. Miller drivers/net/hyperv/hyperv_net.h | 7 ------- drivers/net/hyperv/netvsc_drv.c | 33 +++++---------------------------- 2 files changed, 5 insertions(+), 35 deletions(-) commit f9a7da9130ef0143eb900794c7863dc5c9051fbc Author: Vitaly Kuznetsov Date: Mon Aug 15 17:48:39 2016 +0200 hv_netvsc: don't lose VF information struct netvsc_device is not suitable for storing VF information as this structure is being destroyed on MTU change / set channel operation (see rndis_filter_device_remove()). Move all VF related stuff to struct net_device_context which is persistent. Signed-off-by: Vitaly Kuznetsov Acked-by: Haiyang Zhang Signed-off-by: David S. Miller drivers/net/hyperv/hyperv_net.h | 19 ++++++++-------- drivers/net/hyperv/netvsc.c | 19 +++++++--------- drivers/net/hyperv/netvsc_drv.c | 49 +++++++++++++++++++++++------------------ 3 files changed, 45 insertions(+), 42 deletions(-) commit 3d7b33209201cbfa090d614db993571ca3c6b090 Author: Simon Horman Date: Mon Aug 15 13:06:24 2016 +0200 gre: set inner_protocol on xmit Ensure that the inner_protocol is set on transmit so that GSO segmentation, which relies on that field, works correctly. This is achieved by setting the inner_protocol in gre_build_header rather than each caller of that function. It ensures that the inner_protocol is set when gre_fb_xmit() is used to transmit GRE which was not previously the case. I have observed this is not the case when OvS transmits GRE using lwtunnel metadata (which it always does). Fixes: 38720352412a ("gre: Use inner_proto to obtain inner header protocol") Cc: Pravin Shelar Acked-by: Alexander Duyck Signed-off-by: Simon Horman Acked-by: Pravin B Shelar Signed-off-by: David S. Miller include/net/gre.h | 1 + net/ipv4/ip_gre.c | 1 - net/ipv6/ip6_gre.c | 2 -- 3 files changed, 1 insertion(+), 3 deletions(-) commit 0325862dc364d8af524bf2db53ef4360ed55b989 Author: Colin Ian King Date: Fri Aug 12 22:44:56 2016 +0100 perf probe: Check for dup and fdopen failures dup and fdopen can potentially fail, so add some extra error handling checks rather than assuming they always work. Signed-off-by: Colin King Acked-by: Masami Hiramatsu Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Wang Nan Link: http://lkml.kernel.org/r/1471038296-12956-1-git-send-email-colin.king@canonical.com [ Free resources when those functions (now being verified) fail ] Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/probe-file.c | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) commit 50de1a0c54cdbc69a6dbcbc323f53daf95a4050e Author: Anton Blanchard Date: Sat Aug 13 11:55:33 2016 +1000 perf symbols: Fix annotation of objects with debuginfo files Commit 73cdf0c6ea9c ("perf symbols: Record text offset in dso to calculate objdump address") started storing the offset of the text section for all DSOs: if (elf_section_by_name(elf, &ehdr, &tshdr, ".text", NULL)) dso->text_offset = tshdr.sh_addr - tshdr.sh_offset; Unfortunately this breaks debuginfo files, because we need to calculate the offset of the text section in the associated executable file. As a result perf annotate returns junk for all debuginfo files. Fix this by using runtime_ss->elf which should point at the executable when parsing a debuginfo file. Signed-off-by: Anton Blanchard Reviewed-by: Naveen N. Rao Tested-by: Wang Nan Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: stable@vger.kernel.org # v4.6+ Fixes: 73cdf0c6ea9c ("perf symbols: Record text offset in dso to calculate objdump address") Link: http://lkml.kernel.org/r/20160813115533.6de17912@kryten Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/symbol-elf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3684b03d8e9a889eda94ee74421959a9d55e5e19 Merge: f2fa30a c987ff0 Author: Linus Torvalds Date: Mon Aug 15 12:36:31 2016 -0700 Merge tag 'iommu-fixes-v4.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU fixes from Joerg Roedel: - Some functions defined in a header file for the mediatek driver were not marked inline. Fix that oversight. - Fix a potential crash in the ARM64 dma-mapping code when freeing a partially initialized domain. - Another fix for ARM64 dma-mapping to respect IOMMU mapping constraints when allocating IOVA addresses. * tag 'iommu-fixes-v4.8-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/dma: Respect IOMMU aperture when allocating iommu/dma: Don't put uninitialised IOVA domains iommu/mediatek: Mark static functions in headers inline commit f2fa30a8b842920896f974010ac4011b8d697566 Merge: 694d0d0 c5b48fa Author: Linus Torvalds Date: Mon Aug 15 12:29:23 2016 -0700 Merge tag 'edac_fixes_for_4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp Pull EDAC fix from Borislav Petkov: "A fix to sb_edac correcting channel reporting on Knights Landing" * tag 'edac_fixes_for_4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp: EDAC, sb_edac: Fix channel reporting on Knights Landing commit 5e457896986e16c440c97bb94b9ccd95dd157292 Author: Lorenzo Colitti Date: Sat Aug 13 01:13:38 2016 +0900 net: ipv6: Fix ping to link-local addresses. ping_v6_sendmsg does not set flowi6_oif in response to sin6_scope_id or sk_bound_dev_if, so it is not possible to use these APIs to ping an IPv6 address on a different interface. Instead, it sets flowi6_iif, which is incorrect but harmless. Stop setting flowi6_iif, and support various ways of setting oif in the same priority order used by udpv6_sendmsg. Tested: https://android-review.googlesource.com/#/c/254470/ Signed-off-by: Lorenzo Colitti Signed-off-by: David S. Miller net/ipv6/ping.c | 33 +++++++++++++++++---------------- 1 file changed, 17 insertions(+), 16 deletions(-) commit 12311959ecf8a3a64676c01b62ce67a0c5f0fd49 Author: Vegard Nossum Date: Fri Aug 12 20:10:44 2016 +0200 rhashtable: fix shift by 64 when shrinking I got this: ================================================================================ UBSAN: Undefined behaviour in ./include/linux/log2.h:63:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 1 PID: 721 Comm: kworker/1:1 Not tainted 4.8.0-rc1+ #87 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 Workqueue: events rht_deferred_worker 0000000000000000 ffff88011661f8d8 ffffffff82344f50 0000000041b58ab3 ffffffff84f98000 ffffffff82344ea4 ffff88011661f900 ffff88011661f8b0 0000000000000001 ffff88011661f6b8 dffffc0000000000 ffffffff867f7640 Call Trace: [] dump_stack+0xac/0xfc [] ? _atomic_dec_and_lock+0xc4/0xc4 [] ubsan_epilogue+0xd/0x8a [] __ubsan_handle_shift_out_of_bounds+0x255/0x29a [] ? __ubsan_handle_out_of_bounds+0x180/0x180 [] ? nl80211_req_set_reg+0x256/0x2f0 [] ? print_context_stack+0x8a/0x160 [] ? amd_pmu_reset+0x341/0x380 [] rht_deferred_worker+0x1618/0x1790 [] ? rht_deferred_worker+0x1618/0x1790 [] ? rhashtable_jhash2+0x370/0x370 [] ? process_one_work+0x6fd/0x1970 [] process_one_work+0x79f/0x1970 [] ? process_one_work+0x6fd/0x1970 [] ? try_to_grab_pending+0x4c0/0x4c0 [] ? worker_thread+0x1c4/0x1340 [] worker_thread+0x55f/0x1340 [] ? __schedule+0x4df/0x1d40 [] ? process_one_work+0x1970/0x1970 [] ? process_one_work+0x1970/0x1970 [] kthread+0x237/0x390 [] ? __kthread_parkme+0x280/0x280 [] ? _raw_spin_unlock_irq+0x33/0x50 [] ret_from_fork+0x1f/0x40 [] ? __kthread_parkme+0x280/0x280 ================================================================================ roundup_pow_of_two() is undefined when called with an argument of 0, so let's avoid the call and just fall back to ht->p.min_size (which should never be smaller than HASH_MIN_SIZE). Cc: Herbert Xu Signed-off-by: Vegard Nossum Acked-by: Herbert Xu Signed-off-by: David S. Miller lib/rhashtable.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 99f1c013194e64d4b67d5d318148303b0e1585e1 Author: Oleg Drokin Date: Thu Jul 14 23:40:21 2016 -0400 staging/lustre/llite: Close atomic_open race with several openers Right now, if it's an open of a negative dentry, a race is possible with several openers who all try to instantiate/rehash the same dentry and would hit a BUG_ON in d_add. But in fact if we got a negative dentry in atomic_open, that means we just revalidated it so no point in talking to MDS at all, just return ENOENT and make the race go away completely. Signed-off-by: Oleg Drokin Cc: stable # 4.7+ Signed-off-by: Greg Kroah-Hartman drivers/staging/lustre/lustre/llite/namei.c | 43 ++++++++++++++++------------- 1 file changed, 24 insertions(+), 19 deletions(-) commit 71ac899b5ed7edfd8fa2a4e075194380b1de2d7f Author: He Kuang Date: Thu Aug 4 11:25:43 2016 +0000 perf script: Don't disable use_callchain if input is pipe Because perf data from pipe do not have a header with evsel attr, we should not check that and disable symbol_conf.use_callchain. Otherwise, perf script won't show callchains even if the data stream contains callchain. Before: $ perf record -g -o - uname |perf script Linux [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.000 MB - ] uname 1828 182630.186578: 250000 cpu-clock: ..b9499 setup_arg_pages uname 1828 182630.186850: 250000 cpu-clock: ..83b20 ___might_sleep uname 1828 182630.187153: 250000 cpu-clock: ..4b6be file_map_prot_ch ... After: $ perf record -g -o - uname |perf script Linux [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.000 MB - ] uname 1833 182675.927099: 250000 cpu-clock: ba5520 _raw_spin_lock+0xfe200040 ([kernel.kallsyms]) 389dd4 expand_downwards+0xfe200154 ([kernel.kallsyms]) 389f34 expand_stack+0xfe200024 ([kernel.kallsyms]) 3b957e setup_arg_pages+0xfe20019e ([kernel.kallsyms]) 40c80f load_elf_binary+0xfe20042f ([kernel.kallsyms]) ... Signed-off-by: He Kuang Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Peter Zijlstra Cc: Wang Nan Link: http://lkml.kernel.org/r/1470309943-153909-2-git-send-email-hekuang@huawei.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/builtin-script.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 88ded4d8d94a550624e1827478e13fecf97a7b0a Author: He Kuang Date: Thu Aug 4 11:25:42 2016 +0000 perf script: Show proper message when failed list scripts Perf shows the usage message when perf scripts folder failed to open, which misleads users to let them think the command is being mistyped. This patch shows a proper message and guides users to check the PERF_EXEC_PATH environment variable in that case. Before: $ perf script --list Usage: perf script [] or: perf script [] record