commit 6f7da290413ba713f0cdd9ff1a2a9bb129ef4f6c
Author: Linus Torvalds
Date:   Sun Jul 2 16:07:02 2017 -0700

    Linux 4.12

 Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 401e000ab90d7b81d8ea0735e3ff909548754876
Author: Sylvain 'ythier' Hitier
Date:   Sun Jul 2 15:21:56 2017 +0200

    moduleparam: fix doc: hwparam_irq configures an IRQ

    Signed-off-by: Sylvain 'ythier' Hitier
    Signed-off-by: Linus Torvalds

 include/linux/moduleparam.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 79c496816963aa0561868b43c2c950dfeb282639
Merge: 3a61a54 8542363
Author: Linus Torvalds
Date:   Sun Jul 2 11:53:44 2017 -0700

    Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus

    Pull MIPS fixes from Ralf Baechle:
    "Here's a final round of fixes for 4.12:

      - Fix misordered instructions in assembly code making kernel startup via UHB unreliable.
      - Fix special case of MADDF and MADDF emulation.
      - Fix alignment issue in address calculation in pm-cps on 64 bit.
      - Fix IRQ tracing & lockdep when rescheduling
      - Systems with MAARs require post-DMA cache flushes.

    The reordering fix and the MADDF/MSUBF fix have sat in linux-next for a number of days.
    The others haven't propagated from my pull tree to linux-next yet but all have survived manual testing and Imagination's automated test system and there are no pending bug reports"

    * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
      MIPS: Avoid accidental raw backtrace
      MIPS: Perform post-DMA cache flushes on systems with MAARs
      MIPS: Fix IRQ tracing & lockdep when rescheduling
      MIPS: pm-cps: Drop manual cache-line alignment of ready_count
      MIPS: math-emu: Handle zero accumulator case in MADDF and MSUBF separately
      MIPS: head: Reorder instructions missing a delay slot

commit 3a61a54cd72c93afa3b7246e3ed06f26ed37fde7
Merge: e18aca0 9e25ebf
Author: Linus Torvalds
Date:   Sun Jul 2 10:09:40 2017 -0700

    Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm

    Pull ARM fix from Russell King:
    "One final fix for 4.12 - Doug found a boot failure case triggered by requesting a non-even MB vmalloc size"

    * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
      ARM: 8685/1: ensure memblock-limit is pmd-aligned

commit e18aca0236a2dac4a134ace4685e97ad09d3605b
Merge: a527bf6 79298ac
Author: Linus Torvalds
Date:   Sat Jul 1 09:10:17 2017 -0700

    Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

    Pull x86 fixes from Thomas Gleixner:
    "Fixlets for x86:

      - Prevent kexec crash when KASLR is enabled, which was caused by an address calculation bug
      - Restore the freeing of PUDs on memory hot remove
      - Correct a negated pointer check in the intel uncore performance monitoring driver
      - Plug a memory leak in an error exit path in the RDT code"

    * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      x86/intel_rdt: Fix memory leak on mount failure
      x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
      x86/boot/KASLR: Add checking for the offset of kernel virtual address randomization
      perf/x86/intel/uncore: Fix wrong box pointer check
      x86/mm/hotplug: Fix BUG_ON() after hot-remove by not freeing PUD

commit a527bf61404cd36fedd81dc165a03b6f5529092e
Merge: 46589d7 e3c2c4f
Author: Linus Torvalds
Date:   Sat Jul 1 08:46:52 2017 -0700

    Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

    Pull perf fix from Thomas Gleixner:
    "The last fix for perf for this cycle:

      - Prevent a segfault when kernel.kptr_restrict=2 is set by avoiding a null pointer dereference"

    * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
      perf machine: Fix segfault for kernel.kptr_restrict=2

commit 46589d7ab79a4b5f4d3183fafe1c8fb011f82210
Merge: fc93274 1d80df9
Author: Linus Torvalds
Date:   Sat Jul 1 08:39:13 2017 -0700

    Merge tag 'pinctrl-v4.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

    Pull pinctrl fix from Linus Walleij:
    "Brian noticed that this regression has not got a proper fix for the entire merge window and consequently we need to revert the offending commit. It's part of the RT-mainstream work, the dance goes like this, two steps forward, one step back.

    Summary:

      - A last fix for v4.12, an IRQ problem reported early in the merge window appears not to have been properly fixed, so the offending commit will be reverted and we will find the proper fix for v4.13. Hopefully"

    * tag 'pinctrl-v4.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
      Revert "pinctrl: rockchip: avoid hardirq-unsafe functions in irq_chip"

commit fc93274ab5a455b1e31aea5d2c9e8ba1f699fded
Merge: c0a0c7a c06632e
Author: Linus Torvalds
Date:   Sat Jul 1 08:24:54 2017 -0700

    Merge tag 'gpio-v4.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

    Pull last minute fixes for GPIO from Linus Walleij:

      - Fix another ACPI problem with broken BIOSes.
      - Filter out the right GPIO events, making a very user-visible bug go away.

    * tag 'gpio-v4.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
      gpio: acpi: Skip _AEI entries without a handler rather then aborting the scan
      gpiolib: fix filtering out unwanted events

commit c0a0c7a4e1200bfea439b9444e6d6b4bede9db23
Merge: fbd57629 9e52b32
Author: Linus Torvalds
Date:   Fri Jun 30 17:18:57 2017 -0700

    Merge tag 'trace-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace

    Pull last-minute tracing fixes from Steven Rostedt:
    "Two fixes:

    One is for a crash when using the :mod: trace probe command into stack_trace_filter. This bug was introduced during the last merge window.

    The other was there forever. It's a small bug that makes it impossible to name a module function for kprobes when the module starts with a digit"

    * tag 'trace-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
      tracing/kprobes: Allow to create probe with a module name starting with a digit
      ftrace: Fix regression with module command in stack_trace_filter

commit fbd576295d6f98b20356d1e6efbc8f976b17c8af
Author: Zack Weinberg
Date:   Wed Jun 14 08:14:28 2017 -0700

    uapi/linux/a.out.h: don't use deprecated system-specific predefines.

    uapi/linux/a.out.h uses a number of predefined macros that are deprecated because they're in the application namespace (e.g. '#ifdef linux' instead of '#ifdef __linux__'). This patch either corrects or just removes them if they are not applicable to Linux.

    The primary reason this is worth bothering to fix, considering how obsolete a.out binary support is, is that the GCC build process considers this such a severe error that it will copy the header into a private directory and change the macro names, which causes future updates to the header to be masked. This header probably doesn't get updated very often anymore, but it is the _only_ uapi header that gets this treatment, so IMHO it is worth patching just to drive that number all the way to zero.

    Signed-off-by: Zack Weinberg
    [hch: removed dead conditionals]
    Signed-off-by: Christoph Hellwig
    Signed-off-by: Linus Torvalds

 include/uapi/linux/a.out.h | 26 +-------------------------
 1 file changed, 1 insertion(+), 25 deletions(-)

commit dbd1877754338dc98818d200cd25cf398d8b5d9e
Author: Jakub Kicinski
Date:   Wed Jun 28 21:25:48 2017 -0700

    hashtable: remove repeated phrase from a comment

    "in a rcu enabled hashtable" is repeated twice in a comment.

    Signed-off-by: Jakub Kicinski
    Signed-off-by: Linus Torvalds

 include/linux/hashtable.h | 1 -
 1 file changed, 1 deletion(-)

commit 79298acc4ba097e9ab78644e3e38902d73547c92
Author: Vikas Shivappa
Date:   Mon Jun 26 11:55:49 2017 -0700

    x86/intel_rdt: Fix memory leak on mount failure

    If mount fails, the kn_info directory is not freed causing memory leak.

    Add the missing error handling path.

    Fixes: 4e978d06dedb ("x86/intel_rdt: Add "info" files to resctrl file system")
    Signed-off-by: Vikas Shivappa
    Signed-off-by: Thomas Gleixner
    Cc: ravi.v.shankar@intel.com
    Cc: tony.luck@intel.com
    Cc: fenghua.yu@intel.com
    Cc: peterz@infradead.org
    Cc: vikas.shivappa@intel.com
    Cc: andi.kleen@intel.com
    Cc: stable@vger.kernel.org
    Link: http://lkml.kernel.org/r/1498503368-20173-3-git-send-email-vikas.shivappa@linux.intel.com

 arch/x86/kernel/cpu/intel_rdt_rdtgroup.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

commit b4df2e3537bef7d867338063da56b557c50f68f2
Merge: 27ab862 d6bd819
Author: Linus Torvalds
Date:   Fri Jun 30 10:55:34 2017 -0700

    Merge tag 'powerpc-4.12-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

    Pull powerpc fixes from Michael Ellerman:
    "Hopefully the last two powerpc fixes for 4.12.

    The CXL one is larger than I'd usually send at rc7, but it fixes new code this cycle, so better to have it working for the release. It was actually sent a few weeks back but got blocked in testing behind another fix that was causing issues.

    We are still tracking one crash in v4.12-rc7, but only one person has reproduced it and the commit identified by bisect doesn't touch any of the relevant code, so I think it's 50/50 whether that commit is actually the problem or it's some code layout / toolchain issue.

    Two fixes for code we merged this cycle:

      - cxl: Fixes for Coherent Accelerator Interface Architecture 2.0
      - Avoid miscompilation w/GCC 4.6.3 on 32-bit - don't inline copy_to/from_user()

    Thanks to Al Viro, Larry Finger, Christophe Lombard"

    * tag 'powerpc-4.12-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
      powerpc/32: Avoid miscompilation w/GCC 4.6.3 - don't inline copy_to/from_user()
      cxl: Fixes for Coherent Accelerator Interface Architecture 2.0

commit 27ab862a3afdd7a0285b69a7475f8af7bd2434c4
Merge: 4adc6b9 84a21db
Author: Linus Torvalds
Date:   Fri Jun 30 10:37:48 2017 -0700

    Merge tag 'iommu-fixes-v4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

    Pull IOMMU fixes from Joerg Roedel:
    "Two fixes:

      - A fix for AMD IOMMU interrupt remapping code when IRQs are forwarded directly to KVM guests
      - Fixed check in the recently merged code to allow tboot with Intel VT-d disabled"

    * tag 'iommu-fixes-v4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
      iommu/amd: Fix interrupt remapping when disable guest_mode
      iommu/vt-d: Correctly disable Intel IOMMU force on

commit 4adc6b9382d5a2c1f39fa44b1e6ff29467e844e5
Merge: 86c3e00 d94815f
Author: Linus Torvalds
Date:   Fri Jun 30 10:30:26 2017 -0700

    Merge tag 'sound-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

    Pull sound fixes from Takashi Iwai:
    "Two last-minute HD-audio fixes"

    * tag 'sound-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
      ALSA: hda - Fix endless loop of codec configure
      ALSA: hda - set input_path bitmap to zero after moving it to new place

commit 86c3e00afd64a507aef954cd581547f28807e51a
Merge: 4d8a991 fbaf94e
Author: Linus Torvalds
Date:   Fri Jun 30 10:22:59 2017 -0700

    Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs

    Pull overlayfs fixes from Miklos Szeredi:
    "Fix two bugs in copy-up code. One introduced in 4.11 and one in 4.12-rc"

    * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
      ovl: don't set origin on broken lower hardlink
      ovl: copy-up: don't unlock between lookup and link

commit 8eabf42ae5237e6b699aeac687b5b629e3537c8d
Author: Baoquan He
Date:   Tue Jun 27 20:39:06 2017 +0800

    x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug

    Kernel text KASLR is separated into physical address and virtual address randomization. And for virtual address randomization, we only randomize to get an offset between 16M and KERNEL_IMAGE_SIZE. So the initial value of 'virt_addr' should be LOAD_PHYSICAL_ADDR, but not the original kernel loading address 'output'.

    The bug will cause kernel boot failure if kernel is loaded at a different position than the address, 16M, which is decided at compiled time. Kexec/kdump is such practical case.

    To fix it, just assign LOAD_PHYSICAL_ADDR to virt_addr as initial value.

    Tested-by: Dave Young
    Signed-off-by: Baoquan He
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 8391c73 ("x86/KASLR: Randomize virtual address separately")
    Link: http://lkml.kernel.org/r/1498567146-11990-3-git-send-email-bhe@redhat.com
    Signed-off-by: Ingo Molnar

 arch/x86/boot/compressed/kaslr.c | 3 ---
 arch/x86/boot/compressed/misc.c  | 4 ++--
 arch/x86/boot/compressed/misc.h  | 2 --
 3 files changed, 2 insertions(+), 7 deletions(-)

commit b892cb873ced2af57dc5a018557d128c53ed6ae0
Author: Baoquan He
Date:   Tue Jun 27 20:39:05 2017 +0800

    x86/boot/KASLR: Add checking for the offset of kernel virtual address randomization

    For kernel text KASLR, the virtual address is confined to area of 1G, [0xffffffff80000000, 0xffffffffc0000000).
    For the implementation of virtual address randomization, we only randomize to get an offset between 16M and 1G, then add this offset to the starting address, 0xffffffff80000000. Here 16M is the offset which is decided at linking stage. So the amount of the local variable 'virt_addr' which represents the offset plus the kernel output size can not exceed KERNEL_IMAGE_SIZE.

    Add a debug check for the offset. If out of bounds, print error message and hang there.

    Suggested-by: Ingo Molnar
    Signed-off-by: Baoquan He
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Link: http://lkml.kernel.org/r/1498567146-11990-2-git-send-email-bhe@redhat.com
    Signed-off-by: Ingo Molnar

 arch/x86/boot/compressed/misc.c | 2 ++
 1 file changed, 2 insertions(+)

commit 9e52b32567126fe146f198971364f68d3bc5233f
Author: Sabrina Dubroca
Date:   Thu Jun 22 11:24:42 2017 +0200

    tracing/kprobes: Allow to create probe with a module name starting with a digit

    Always try to parse an address, since kstrtoul() will safely fail when given a symbol as input. If that fails (which will be the case for a symbol), try to parse a symbol instead.

    This allows creating a probe such as:

        p:probe/vlan_gro_receive 8021q:vlan_gro_receive+0

    Which is necessary for this command to work:

        perf probe -m 8021q -a vlan_gro_receive

    Link: http://lkml.kernel.org/r/fd72d666f45b114e2c5b9cf7e27b91de1ec966f1.1498122881.git.sd@queasysnail.net
    Cc: stable@vger.kernel.org
    Fixes: 413d37d1e ("tracing: Add kprobe-based event tracer")
    Acked-by: Masami Hiramatsu
    Signed-off-by: Sabrina Dubroca
    Signed-off-by: Steven Rostedt (VMware)

 kernel/trace/trace_kprobe.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

commit 854236363370995a609a10b03e35fd3dc5e9e4a1
Author: James Hogan
Date:   Thu Jun 29 15:05:04 2017 +0100

    MIPS: Avoid accidental raw backtrace

    Since commit 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with usermode") show_backtrace() invokes the raw backtracer when cp0_status & ST0_KSU indicates user mode to fix issues on EVA kernels where user and kernel address spaces overlap.

    However this is used by show_stack() which creates its own pt_regs on the stack and leaves cp0_status uninitialised in most of the code paths. This results in the non deterministic use of the raw back tracer depending on the previous stack content.

    show_stack() deals exclusively with kernel mode stacks anyway, so explicitly initialise regs.cp0_status to KSU_KERNEL (i.e. 0) to ensure we get a useful backtrace.

    Fixes: 81a76d7119f6 ("MIPS: Avoid using unwind_stack() with usermode")
    Signed-off-by: James Hogan
    Cc: linux-mips@linux-mips.org
    Cc: # 3.15+
    Patchwork: https://patchwork.linux-mips.org/patch/16656/
    Signed-off-by: Ralf Baechle

 arch/mips/kernel/traps.c | 2 ++
 1 file changed, 2 insertions(+)

commit cad482c1b1844136fc6d9e33f10d3386344fb045
Author: Paul Burton
Date:   Tue Jun 13 10:01:08 2017 -0700

    MIPS: Perform post-DMA cache flushes on systems with MAARs

    Recent CPUs from Imagination Technologies such as the I6400 or P6600 are able to speculatively fetch data from memory into caches.
    This means that if used in a system with non-coherent DMA they require that caches be invalidated after a device performs DMA, and before the CPU reads the DMA'd data, in order to ensure that stale values weren't speculatively prefetched.

    Such CPUs also introduced Memory Accessibility Attribute Registers (MAARs) in order to control the regions in which they are allowed to speculate. Thus we can use the presence of MAARs as a good indication that the CPU requires the above cache maintenance.

    Use the presence of MAARs to determine the result of cpu_needs_post_dma_flush() in the default case, in order to handle these recent CPUs correctly.

    Note that the return type of cpu_needs_post_dma_flush() is changed to bool, such that it's clearer what's happening when cpu_has_maar is cast to bool for the return value. If this patch were backported to a pre-v4.7 kernel then MIPS_CPU_MAAR was 1ull<<34, so when cast to an int we would incorrectly return 0. It so happens that MIPS_CPU_MAAR is currently 1ull<<30, so when truncated to an int gives a non-zero value anyway, but even so the implicit conversion from long long int to bool makes it clearer to understand what will happen than the implicit conversion from long long int to int would. The bool return type also fits this usage better semantically, so seems like an all-round win.

    Thanks to Ed for spotting the issue for pre-v4.7 kernels & suggesting the return type change.

    Signed-off-by: Paul Burton
    Reviewed-by: Bryan O'Donoghue
    Tested-by: Bryan O'Donoghue
    Cc: Ed Blake
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/16363/
    Signed-off-by: Ralf Baechle

 arch/mips/mm/dma-default.c | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

commit d8550860d910c6b7b70f830f59003b33daaa52c9
Author: Paul Burton
Date:   Fri Mar 3 15:26:05 2017 -0800

    MIPS: Fix IRQ tracing & lockdep when rescheduling

    When the scheduler sets TIF_NEED_RESCHED & we call into the scheduler from arch/mips/kernel/entry.S we disable interrupts. This is true regardless of whether we reach work_resched from syscall_exit_work, resume_userspace or by looping after calling schedule(). Although we disable interrupts in these paths we don't call trace_hardirqs_off() before calling into C code which may acquire locks, and we therefore leave lockdep with an inconsistent view of whether interrupts are disabled or not when CONFIG_PROVE_LOCKING & CONFIG_DEBUG_LOCKDEP are both enabled.

    Without tracing this interrupt state lockdep will print warnings such as the following once a task returns from a syscall via syscall_exit_partial with TIF_NEED_RESCHED set:

    [ 49.927678] ------------[ cut here ]------------
    [ 49.934445] WARNING: CPU: 0 PID: 1 at kernel/locking/lockdep.c:3687 check_flags.part.41+0x1dc/0x1e8
    [ 49.946031] DEBUG_LOCKS_WARN_ON(current->hardirqs_enabled)
    [ 49.946355] CPU: 0 PID: 1 Comm: init Not tainted 4.10.0-00439-gc9fd5d362289-dirty #197
    [ 49.963505] Stack : 0000000000000000 ffffffff81bb5d6a 0000000000000006 ffffffff801ce9c4
    [ 49.974431] 0000000000000000 0000000000000000 0000000000000000 000000000000004a
    [ 49.985300] ffffffff80b7e487 ffffffff80a24498 a8000000ff160000 ffffffff80ede8b8
    [ 49.996194] 0000000000000001 0000000000000000 0000000000000000 0000000077c8030c
    [ 50.007063] 000000007fd8a510 ffffffff801cd45c 0000000000000000 a8000000ff127c88
    [ 50.017945] 0000000000000000 ffffffff801cf928 0000000000000001 ffffffff80a24498
    [ 50.028827] 0000000000000000 0000000000000001 0000000000000000 0000000000000000
    [ 50.039688] 0000000000000000 a8000000ff127bd0 0000000000000000 ffffffff805509bc
    [ 50.050575] 00000000140084e0 0000000000000000 0000000000000000 0000000000040a00
    [ 50.061448] 0000000000000000 ffffffff8010e1b0 0000000000000000 ffffffff805509bc
    [ 50.072327] ...
    [ 50.076087] Call Trace:
    [ 50.079869] [] show_stack+0x80/0xa8
    [ 50.086577] [] dump_stack+0x10c/0x190
    [ 50.093498] [] __warn+0xf0/0x108
    [ 50.099889] [] warn_slowpath_fmt+0x3c/0x48
    [ 50.107241] [] check_flags.part.41+0x1dc/0x1e8
    [ 50.114961] [] lock_is_held_type+0x8c/0xb0
    [ 50.122291] [] __schedule+0x8c0/0x10f8
    [ 50.129221] [] schedule+0x30/0x98
    [ 50.135659] [] work_resched+0x8/0x34
    [ 50.142397] ---[ end trace 0cb4f6ef5b99fe21 ]---
    [ 50.148405] possible reason: unannotated irqs-off.
    [ 50.154600] irq event stamp: 400463
    [ 50.159566] hardirqs last enabled at (400463): [] _raw_spin_unlock_irqrestore+0x40/0xa8
    [ 50.171981] hardirqs last disabled at (400462): [] _raw_spin_lock_irqsave+0x30/0xb0
    [ 50.183897] softirqs last enabled at (400450): [] __do_softirq+0x4ac/0x6a8
    [ 50.195015] softirqs last disabled at (400425): [] irq_exit+0x110/0x128

    Fix this by using the TRACE_IRQS_OFF macro to call trace_hardirqs_off() when CONFIG_TRACE_IRQFLAGS is enabled. This is done before invoking schedule() following the work_resched label because:

     1) Interrupts are disabled regardless of the path we take to reach work_resched() & schedule().

     2) Performing the tracing here avoids the need to do it in paths which disable interrupts but don't call out to C code before hitting a path which uses the RESTORE_SOME macro that will call trace_hardirqs_on() or trace_hardirqs_off() as appropriate.

    We call trace_hardirqs_on() using the TRACE_IRQS_ON macro before calling syscall_trace_leave() for similar reasons, ensuring that lockdep has a consistent view of state after we re-enable interrupts.

    Signed-off-by: Paul Burton
    Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
    Cc: linux-mips@linux-mips.org
    Cc: stable
    Patchwork: https://patchwork.linux-mips.org/patch/15385/
    Signed-off-by: Ralf Baechle

 arch/mips/kernel/entry.S | 3 +++
 1 file changed, 3 insertions(+)

commit 161c51ccb7a6faf45ffe09aa5cf1ad85ccdad503
Author: Paul Burton
Date:   Thu Mar 2 14:02:40 2017 -0800

    MIPS: pm-cps: Drop manual cache-line alignment of ready_count

    We allocate memory for a ready_count variable per-CPU, which is accessed via a cached non-coherent TLB mapping to perform synchronisation between threads within the core using LL/SC instructions. In order to ensure that the variable is contained within its own data cache line we allocate 2 lines worth of memory & align the resulting pointer to a line boundary.
    This is however unnecessary, since kmalloc is guaranteed to return memory which is at least cache-line aligned (see ARCH_DMA_MINALIGN).

    Stop the redundant manual alignment.

    Besides cleaning up the code & avoiding needless work, this has the side effect of avoiding an arithmetic error found by Bryan on 64 bit systems due to the 32 bit size of the former dlinesz. This led the ready_count variable to have its upper 32b cleared erroneously for MIPS64 kernels, causing problems when ready_count was later used on MIPS64 via cpuidle.

    Signed-off-by: Paul Burton
    Fixes: 3179d37ee1ed ("MIPS: pm-cps: add PM state entry code for CPS systems")
    Reported-by: Bryan O'Donoghue
    Reviewed-by: Bryan O'Donoghue
    Tested-by: Bryan O'Donoghue
    Cc: linux-mips@linux-mips.org
    Cc: stable # v3.16+
    Patchwork: https://patchwork.linux-mips.org/patch/15383/
    Signed-off-by: Ralf Baechle

 arch/mips/kernel/pm-cps.c | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

commit 9e25ebfe56ece7541cd10a20d715cbdd148a2e06
Author: Doug Berger
Date:   Thu Jun 29 18:41:36 2017 +0100

    ARM: 8685/1: ensure memblock-limit is pmd-aligned

    The pmd containing memblock_limit is cleared by prepare_page_table() which creates the opportunity for early_alloc() to allocate unmapped memory if memblock_limit is not pmd aligned causing a boot-time hang.

    Commit 965278dcb8ab ("ARM: 8356/1: mm: handle non-pmd-aligned end of RAM") attempted to resolve this problem, but there is a path through the adjust_lowmem_bounds() routine where if all memory regions start and end on pmd-aligned addresses the memblock_limit will be set to arm_lowmem_limit.

    Since arm_lowmem_limit can be affected by the vmalloc early parameter, the value of arm_lowmem_limit may not be pmd-aligned. This commit corrects this oversight such that memblock_limit is always rounded down to pmd-alignment.

    Fixes: 965278dcb8ab ("ARM: 8356/1: mm: handle non-pmd-aligned end of RAM")
    Signed-off-by: Doug Berger
    Suggested-by: Mark Rutland
    Signed-off-by: Russell King

 arch/arm/mm/mmu.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

commit 4d8a991d460d4fa4829beaffdcba45a217ca0fa7
Merge: 27bc344 d58299a
Author: Linus Torvalds
Date:   Thu Jun 29 14:30:07 2017 -0700

    Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

    Pull networking fixes from David Miller:

     1) Need to access netdev->num_rx_queues behind an accessor in netvsc driver otherwise the build breaks with some configs, from Arnd Bergmann.

     2) Add dummy xfrm_dev_event() so that build doesn't fail when CONFIG_XFRM_OFFLOAD is not set. From Hangbin Liu.

     3) Don't OOPS when pfkey_msg2xfrm_state() signals an error, from Dan Carpenter.

     4) Fix MCDI command size for filter operations in sfc driver, from Martin Habets.

     5) Fix UFO segmenting so that we don't calculate incorrect checksums, from Michal Kubecek.

     6) When ipv6 datagram connects fail, reset destination address and port. From Wei Wang.

     7) TCP disconnect must reset the cached receive DST, from WANG Cong.

     8) Fix sign extension bug on 32-bit in dev_get_stats(), from Eric Dumazet.

     9) fman driver has to depend on HAS_DMA, from Madalin Bucur.

    10) Fix bpf pointer leak with xadd in verifier, from Daniel Borkmann.

    11) Fix negative page counts with GFO, from Michal Kubecek.

    * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
      sfc: fix attempt to translate invalid filter ID
      net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
      bpf: prevent leaking pointer via xadd on unpriviledged
      arcnet: com20020-pci: add missing pdev setup in netdev structure
      arcnet: com20020-pci: fix dev_id calculation
      arcnet: com20020: remove needless base_addr assignment
      Trivial fix to spelling mistake in arc_printk message
      arcnet: change irq handler to lock irqsave
      rocker: move dereference before free
      mlxsw: spectrum_router: Fix NULL pointer dereference
      net: sched: Fix one possible panic when no destroy callback
      virtio-net: serialize tx routine during reset
      net: usb: asix88179_178a: Add support for the Belkin B2B128
      fsl/fman: add dependency on HAS_DMA
      net: prevent sign extension in dev_get_stats()
      tcp: reset sk_rx_dst in tcp_disconnect()
      net: ipv6: reset daddr and dport in sk if connect() fails
      bnx2x: Don't log mc removal needlessly
      bnxt_en: Fix netpoll handling.
      bnxt_en: Add missing logic to handle TPA end error conditions.
      ...

commit 27bc344014289a298a9fad4b828fcf61daa60aff
Merge: 374bf88 00a0ea3
Author: Linus Torvalds
Date:   Thu Jun 29 14:23:02 2017 -0700

    Merge tag 'for-4.12/dm-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

    Pull device mapper fixes from Mike Snitzer:

      - dm thinp fix for crash that will occur when metadata device failure races with discard passdown to the underlying data device.
      - dm raid fix to not access the superblock's >= 1.9.0 'sectors' member unconditionally.

    * tag 'for-4.12/dm-fixes-5' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
      dm thin: do not queue freed thin mapping for next stage processing
      dm raid: fix oops on upgrading to extended superblock format

commit 374bf8831aa99a445d6d26c56a65fb35db747d91
Merge: 6474924 9ae3b3f
Author: Linus Torvalds
Date:   Thu Jun 29 14:10:37 2017 -0700

    Merge branch 'for-linus' of git://git.kernel.dk/linux-block

    Pull block fixes from Jens Axboe:
    "Two fixes that should go into this release.

    One is an nvme regression fix from Keith, fixing a missing queue freeze if the controller is being reset. This causes the reset to hang.

    The other is a fix for a leak of the bio protection info, if smaller sized O_DIRECT is used. This fix should be more involved as we have other problematic paths in the kernel, but given as this isn't a regression in this series, we'll tackle those for 4.13"

    * 'for-linus' of git://git.kernel.dk/linux-block:
      block: provide bio_uninit() free freeing integrity/task associations
      nvme/pci: Fix stuck nvme reset

commit d58299a478c416c0b48e4b31c6332fe7beb63000
Author: Edward Cree
Date:   Thu Jun 29 16:50:06 2017 +0100

    sfc: fix attempt to translate invalid filter ID

    When filter insertion fails with no rollback, we were trying to convert EFX_EF10_FILTER_ID_INVALID to an id to store in 'ids' (which is either vlan->uc or vlan->mc). This would WARN_ON_ONCE and then record a bogus filter ID of 0x1fff, neither of which is a good thing.

    Fixes: 0ccb998bf46d ("sfc: fix filter_id misinterpretation in edge case")
    Signed-off-by: Edward Cree
    Signed-off-by: David S. Miller

 drivers/net/ethernet/sfc/ef10.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

commit e44699d2c28067f69698ccb68dd3ddeacfebc434
Author: Michal Kubeček
Date:   Thu Jun 29 11:13:36 2017 +0200

    net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()

    Recently I started seeing warnings about pages with refcount -1.
    The problem was traced to packets being reused after their head was merged into a GRO packet by skb_gro_receive(). While bisecting the issue pointed to commit c21b48cc1bbf ("net: adjust skb->truesize in ___pskb_trim()") and I have never seen it on a kernel with it reverted, I believe the real problem appeared earlier when the option to merge head frag in GRO was implemented.

    Handling NAPI_GRO_FREE_STOLEN_HEAD state was only added to GRO_MERGED_FREE branch of napi_skb_finish() so that if the driver uses napi_gro_frags() and head is merged (which in my case happens after the skb_condense() call added by the commit mentioned above), the skb is reused including the head that has been merged. As a result, we release the page reference twice and eventually end up with negative page refcount.

    To fix the problem, handle NAPI_GRO_FREE_STOLEN_HEAD in napi_frags_finish() the same way it's done in napi_skb_finish().

    Fixes: d7e8883cfcf4 ("net: make GRO aware of skb->head_frag")
    Signed-off-by: Michal Kubecek
    Signed-off-by: David S. Miller

 net/core/dev.c | 24 +++++++++++++++++-------
 1 file changed, 17 insertions(+), 7 deletions(-)

commit 6bdf6abc56b53103324dfd270a86580306e1a232
Author: Daniel Borkmann
Date:   Thu Jun 29 03:04:59 2017 +0200

    bpf: prevent leaking pointer via xadd on unpriviledged

    Leaking kernel addresses on unprivileged is generally disallowed, for example, verifier rejects the following:

      0: (b7) r0 = 0
      1: (18) r2 = 0xffff897e82304400
      3: (7b) *(u64 *)(r1 +48) = r2
      R2 leaks addr into ctx

    Doing pointer arithmetic on them is also forbidden, so that they don't turn into unknown value and then get leaked out. However, there's xadd as a special case, where we don't check the src reg for being a pointer register, e.g. the following will pass:

      0: (b7) r0 = 0
      1: (7b) *(u64 *)(r1 +48) = r0
      2: (18) r2 = 0xffff897e82304400 ; map
      4: (db) lock *(u64 *)(r1 +48) += r2
      5: (95) exit

    We could store the pointer into skb->cb, lose the type context, and then read it out from there again to leak it eventually out of a map value. Or more easily in a different variant, too:

       0: (bf) r6 = r1
       1: (7a) *(u64 *)(r10 -8) = 0
       2: (bf) r2 = r10
       3: (07) r2 += -8
       4: (18) r1 = 0x0
       6: (85) call bpf_map_lookup_elem#1
       7: (15) if r0 == 0x0 goto pc+3
       R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R6=ctx R10=fp
       8: (b7) r3 = 0
       9: (7b) *(u64 *)(r0 +0) = r3
      10: (db) lock *(u64 *)(r0 +0) += r6
      11: (b7) r0 = 0
      12: (95) exit

      from 7 to 11: R0=inv,min_value=0,max_value=0 R6=ctx R10=fp
      11: (b7) r0 = 0
      12: (95) exit

    Prevent this by checking xadd src reg for pointer types. Also add a couple of test cases related to this.

    Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
    Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
    Signed-off-by: Daniel Borkmann
    Acked-by: Alexei Starovoitov
    Acked-by: Martin KaFai Lau
    Acked-by: Edward Cree
    Signed-off-by: David S. Miller

 kernel/bpf/verifier.c                       |  5 +++
 tools/testing/selftests/bpf/test_verifier.c | 66 +++++++++++++++++++++++++++++
 2 files changed, 71 insertions(+)

commit 80c65fdb4c6920e332a9781a3de5877594b07522
Author: Kan Liang
Date:   Thu Jun 29 12:09:26 2017 -0700

    perf/x86/intel/uncore: Fix wrong box pointer check

    Should not init a NULL box. It will cause system crash. The issue looks like caused by a typo.

    This was not noticed because there is no NULL box. Also, for most boxes, they are enabled by default. The init code is not critical.

Fixes: fff4b87e594a ("perf/x86/intel/uncore: Make package handling more robust")
Signed-off-by: Kan Liang
Signed-off-by: Thomas Gleixner
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/20170629190926.2456-1-kan.liang@intel.com

 arch/x86/events/intel/uncore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 00778f7cadd393630a23e83ffaf60b70fe460879
Merge: acb4b7d 2a0ea04
Author: David S. Miller
Date: Thu Jun 29 15:18:38 2017 -0400

Merge branch 'arcnet-fixes'

Michael Grzeschik says:

====================
arcnet: Collection of latest fixes

Here we sum up the recent fixes I collected on the way to use and stabilise the framework. Part of it is a possible deadlock that we prevent as well to fix the calculation of the dev_id that can be set up by a rotary encoder.

Beside that we added a trivial spelling patch and fix some wrong and missing assignments that improves the code footprint.
====================

Signed-off-by: David S. Miller

commit 2a0ea04c83ab82c3852c9171d2fa5cd9a1432c9b
Author: Michael Grzeschik
Date: Wed Jun 28 18:28:37 2017 +0200

arcnet: com20020-pci: add missing pdev setup in netdev structure

We add the pdev data to the pci devices netdev structure. This way the interface gets consistent device names in the userspace (udev).

Signed-off-by: Michael Grzeschik
Signed-off-by: David S. Miller

 drivers/net/arcnet/com20020-pci.c | 1 +
 1 file changed, 1 insertion(+)

commit cb108619f2fc77846bf7a7543517f3487f455b24
Author: Michael Grzeschik
Date: Wed Jun 28 18:28:36 2017 +0200

arcnet: com20020-pci: fix dev_id calculation

The dev_id was miscalculated. Only the two bits 4-5 are relevant for the MA1 card. PCIARC1 and PCIFB2 use the four bits 4-7 for id selection.

Signed-off-by: Michael Grzeschik
Signed-off-by: David S. Miller

 drivers/net/arcnet/com20020-pci.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

commit 0d494fcf867f95040b5b67e4bc5af739bcda37da
Author: Michael Grzeschik
Date: Wed Jun 28 18:28:35 2017 +0200

arcnet: com20020: remove needless base_addr assignment

The assignment is superfluous.

Signed-off-by: Michael Grzeschik
Signed-off-by: David S. Miller

 drivers/net/arcnet/com20020.c | 2 --
 1 file changed, 2 deletions(-)

commit 06908d7aee8d62a80cabfd134d0354dc4d2794bc
Author: Colin Ian King
Date: Wed Jun 28 18:28:34 2017 +0200

Trivial fix to spelling mistake in arc_printk message

Signed-off-by: Colin Ian King
Signed-off-by: Michael Grzeschik
Signed-off-by: David S. Miller

 drivers/net/arcnet/capmode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 5b85840320151f61e04d83a23ef2567a07094503
Author: Michael Grzeschik
Date: Wed Jun 28 18:28:33 2017 +0200

arcnet: change irq handler to lock irqsave

This patch prevents the arcnet driver from the following deadlock.

[ 41.273910] ======================================================
[ 41.280397] [ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
[ 41.287433] 4.4.0-00034-gc0ae784 #536 Not tainted
[ 41.292366] ------------------------------------------------------
[ 41.298863] arcecho/233 [HC0[0]:SC0[2]:HE0:SE0] is trying to acquire:
[ 41.305628] (&(&lp->lock)->rlock){+.+...}, at: [] arcnet_send_packet+0x60/0x1c0 [arcnet]
[ 41.315199]
[ 41.315199] and this task is already holding:
[ 41.321324] (_xmit_ARCNET#2){+.-...}, at: [] packet_direct_xmit+0xfc/0x1c8
[ 41.329593] which would create a new lock dependency:
[ 41.334893] (_xmit_ARCNET#2){+.-...} -> (&(&lp->lock)->rlock){+.+...}
[ 41.341801]
[ 41.341801] but this new dependency connects a SOFTIRQ-irq-safe lock:
[ 41.350108] (_xmit_ARCNET#2){+.-...} ... which became SOFTIRQ-irq-safe at:
[ 41.357539] [] _raw_spin_lock+0x30/0x40
[ 41.362677] [] dev_watchdog+0x5c/0x264
[ 41.367723] [] call_timer_fn+0x6c/0xf4
[ 41.372759] [] run_timer_softirq+0x154/0x210
[ 41.378340] [] __do_softirq+0x144/0x298
[ 41.383469] [] irq_exit+0xcc/0x130
[ 41.388138] [] __handle_domain_irq+0x60/0xb4
[ 41.393728] [] __irq_svc+0x58/0x78
[ 41.398402] [] arch_cpu_idle+0x24/0x3c
[ 41.403443] [] cpu_startup_entry+0x1f8/0x25c
[ 41.409029] [] start_kernel+0x3c0/0x3cc
[ 41.414170]
[ 41.414170] to a SOFTIRQ-irq-unsafe lock:
[ 41.419931] (&(&lp->lock)->rlock){+.+...} ... which became SOFTIRQ-irq-unsafe at:
[ 41.427996] ... [] _raw_spin_lock+0x30/0x40
[ 41.433409] [] arcnet_interrupt+0x2c/0x800 [arcnet]
[ 41.439646] [] handle_nested_irq+0x8c/0xec
[ 41.445063] [] regmap_irq_thread+0x190/0x314
[ 41.450661] [] irq_thread_fn+0x1c/0x34
[ 41.455700] [] irq_thread+0x13c/0x1dc
[ 41.460649] [] kthread+0xe4/0xf8
[ 41.465158] [] ret_from_fork+0x14/0x24
[ 41.470207]
[ 41.470207] other info that might help us debug this:
[ 41.470207]
[ 41.478627] Possible interrupt unsafe locking scenario:
[ 41.478627]
[ 41.485763]        CPU0                    CPU1
[ 41.490521]        ----                    ----
[ 41.495279]   lock(&(&lp->lock)->rlock);
[ 41.499414]                                local_irq_disable();
[ 41.505636]                                lock(_xmit_ARCNET#2);
[ 41.511967]                                lock(&(&lp->lock)->rlock);
[ 41.518741]
[ 41.521490]     lock(_xmit_ARCNET#2);
[ 41.525356]
[ 41.525356] *** DEADLOCK ***
[ 41.525356]
[ 41.531587] 1 lock held by arcecho/233:
[ 41.535617] #0: (_xmit_ARCNET#2){+.-...}, at: [] packet_direct_xmit+0xfc/0x1c8
[ 41.544355] the dependencies between SOFTIRQ-irq-safe lock and the holding lock:
[ 41.552362] -> (_xmit_ARCNET#2){+.-...} ops: 27 {
[ 41.557357] HARDIRQ-ON-W at:
[ 41.560664] [] _raw_spin_lock+0x30/0x40
[ 41.567445] [] dev_deactivate_many+0x114/0x304
[ 41.574866] [] dev_deactivate+0x24/0x38
[ 41.581646] [] linkwatch_do_dev+0x40/0x74
[ 41.588613] [] __linkwatch_run_queue+0xec/0x140
[ 41.596120] [] linkwatch_event+0x2c/0x34
[ 41.602991] [] process_one_work+0x188/0x40c
[ 41.610131] [] worker_thread+0x4c/0x480
[ 41.616912] [] kthread+0xe4/0xf8
[ 41.623048] [] ret_from_fork+0x14/0x24
[ 41.629735] IN-SOFTIRQ-W at:
[ 41.633039] [] _raw_spin_lock+0x30/0x40
[ 41.639820] [] dev_watchdog+0x5c/0x264
[ 41.646508] [] call_timer_fn+0x6c/0xf4
[ 41.653190] [] run_timer_softirq+0x154/0x210
[ 41.660425] [] __do_softirq+0x144/0x298
[ 41.667201] [] irq_exit+0xcc/0x130
[ 41.673518] [] __handle_domain_irq+0x60/0xb4
[ 41.680754] [] __irq_svc+0x58/0x78
[ 41.687077] [] arch_cpu_idle+0x24/0x3c
[ 41.693769] [] cpu_startup_entry+0x1f8/0x25c
[ 41.701006] [] start_kernel+0x3c0/0x3cc
[ 41.707791] INITIAL USE at:
[ 41.711003] [] _raw_spin_lock+0x30/0x40
[ 41.717696] [] dev_deactivate_many+0x114/0x304
[ 41.725026] [] dev_deactivate+0x24/0x38
[ 41.731718] [] linkwatch_do_dev+0x40/0x74
[ 41.738593] [] __linkwatch_run_queue+0xec/0x140
[ 41.746011] [] linkwatch_event+0x2c/0x34
[ 41.752789] [] process_one_work+0x188/0x40c
[ 41.759847] [] worker_thread+0x4c/0x480
[ 41.766541] [] kthread+0xe4/0xf8
[ 41.772596] [] ret_from_fork+0x14/0x24
[ 41.779198] }
[ 41.780945] ... key at: [] netdev_xmit_lock_key+0x38/0x1c8
[ 41.788192] ... acquired at:
[ 41.791309] [] lock_acquire+0x70/0x90
[ 41.796361] [] _raw_spin_lock_irqsave+0x40/0x54
[ 41.802324] [] arcnet_send_packet+0x60/0x1c0 [arcnet]
[ 41.808844] [] packet_direct_xmit+0x130/0x1c8
[ 41.814622] [] packet_sendmsg+0x3b8/0x680
[ 41.820034] [] sock_sendmsg+0x14/0x24
[ 41.825091] [] SyS_sendto+0xb8/0xe0
[ 41.829956] [] SyS_send+0x18/0x20
[ 41.834638] [] ret_fast_syscall+0x0/0x1c
[ 41.839954]
[ 41.841514] the dependencies between the lock to be acquired and SOFTIRQ-irq-unsafe lock:
[ 41.850302] -> (&(&lp->lock)->rlock){+.+...} ops: 5 {
[ 41.855644] HARDIRQ-ON-W at:
[ 41.858945] [] _raw_spin_lock+0x30/0x40
[ 41.865726] [] arcnet_interrupt+0x2c/0x800 [arcnet]
[ 41.873607] [] handle_nested_irq+0x8c/0xec
[ 41.880666] [] regmap_irq_thread+0x190/0x314
[ 41.887901] [] irq_thread_fn+0x1c/0x34
[ 41.894593] [] irq_thread+0x13c/0x1dc
[ 41.901195] [] kthread+0xe4/0xf8
[ 41.907338] [] ret_from_fork+0x14/0x24
[ 41.914025] SOFTIRQ-ON-W at:
[ 41.917328] [] _raw_spin_lock+0x30/0x40
[ 41.924106] [] arcnet_interrupt+0x2c/0x800 [arcnet]
[ 41.931981] [] handle_nested_irq+0x8c/0xec
[ 41.939028] [] regmap_irq_thread+0x190/0x314
[ 41.946264] [] irq_thread_fn+0x1c/0x34
[ 41.952954] [] irq_thread+0x13c/0x1dc
[ 41.959548] [] kthread+0xe4/0xf8
[ 41.965689] [] ret_from_fork+0x14/0x24
[ 41.972379] INITIAL USE at:
[ 41.975595] [] _raw_spin_lock+0x30/0x40
[ 41.982283] [] arcnet_interrupt+0x2c/0x800 [arcnet]
[ 41.990063] [] handle_nested_irq+0x8c/0xec
[ 41.997027] [] regmap_irq_thread+0x190/0x314
[ 42.004172] [] irq_thread_fn+0x1c/0x34
[ 42.010766] [] irq_thread+0x13c/0x1dc
[ 42.017267] [] kthread+0xe4/0xf8
[ 42.023314] [] ret_from_fork+0x14/0x24
[ 42.029903] }
[ 42.031648] ... key at: [] __key.42091+0x0/0xfffff0f8 [arcnet]
[ 42.039255] ... acquired at:
[ 42.042372] [] lock_acquire+0x70/0x90
[ 42.047413] [] _raw_spin_lock_irqsave+0x40/0x54
[ 42.053364] [] arcnet_send_packet+0x60/0x1c0 [arcnet]
[ 42.059872] [] packet_direct_xmit+0x130/0x1c8
[ 42.065634] [] packet_sendmsg+0x3b8/0x680
[ 42.071030] [] sock_sendmsg+0x14/0x24
[ 42.076069] [] SyS_sendto+0xb8/0xe0
[ 42.080926] [] SyS_send+0x18/0x20
[ 42.085601] [] ret_fast_syscall+0x0/0x1c
[ 42.090918]
[ 42.092481]
[ 42.092481] stack backtrace:
[ 42.097065] CPU: 0 PID: 233 Comm: arcecho Not tainted 4.4.0-00034-gc0ae784 #536
[ 42.104751] Hardware name: Generic AM33XX (Flattened Device Tree)
[ 42.111183] [] (unwind_backtrace) from [] (show_stack+0x10/0x14)
[ 42.119337] [] (show_stack) from [] (dump_stack+0x8c/0x9c)
[ 42.126937] [] (dump_stack) from [] (check_usage+0x4bc/0x63c)
[ 42.134815] [] (check_usage) from [] (check_irq_usage+0x58/0xb0)
[ 42.142964] [] (check_irq_usage) from [] (__lock_acquire+0x1524/0x20b0)
[ 42.151740] [] (__lock_acquire) from [] (lock_acquire+0x70/0x90)
[ 42.159886] [] (lock_acquire) from [] (_raw_spin_lock_irqsave+0x40/0x54)
[ 42.168768] [] (_raw_spin_lock_irqsave) from [] (arcnet_send_packet+0x60/0x1c0 [arcnet])
[ 42.179115] [] (arcnet_send_packet [arcnet]) from [] (packet_direct_xmit+0x130/0x1c8)
[ 42.189182] [] (packet_direct_xmit) from [] (packet_sendmsg+0x3b8/0x680)
[ 42.198059] [] (packet_sendmsg) from [] (sock_sendmsg+0x14/0x24)
[ 42.206199] [] (sock_sendmsg) from [] (SyS_sendto+0xb8/0xe0)
[ 42.213978] [] (SyS_sendto) from [] (SyS_send+0x18/0x20)
[ 42.221388] [] (SyS_send) from [] (ret_fast_syscall+0x0/0x1c)

Signed-off-by: Michael Grzeschik
---
v1 -> v2: removed unneeded zero assignment of flags
Signed-off-by: David S. Miller

 drivers/net/arcnet/arcnet.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

commit acb4b7df48b539cb391287921de57e4e5fae3460
Author: Dan Carpenter
Date: Wed Jun 28 14:44:21 2017 +0300

rocker: move dereference before free

My static checker complains that ofdpa_neigh_del() can sometimes free "found". It just makes sense to use it first before deleting it.

Fixes: ecf244f753e0 ("rocker: fix maybe-uninitialized warning")
Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller

 drivers/net/ethernet/rocker/rocker_ofdpa.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 6b27c8adf27edf1dabe2cdcfaa101ef7e2712415
Author: Ido Schimmel
Date: Wed Jun 28 09:03:12 2017 +0300

mlxsw: spectrum_router: Fix NULL pointer dereference

In case a VLAN device is enslaved to a bridge we shouldn't create a router interface (RIF) for it when it's configured with an IP address. This is already handled by the driver for other types of netdevs, such as physical ports and LAG devices.

If this IP address is then removed and the interface is subsequently unlinked from the bridge, a NULL pointer dereference can happen, as the original 802.1d FID was replaced with an rFID which was then deleted.

To reproduce:

$ ip link set dev enp3s0np9 up
$ ip link add name enp3s0np9.111 link enp3s0np9 type vlan id 111
$ ip link set dev enp3s0np9.111 up
$ ip link add name br0 type bridge
$ ip link set dev br0 up
$ ip link set enp3s0np9.111 master br0
$ ip address add dev enp3s0np9.111 192.168.0.1/24
$ ip address del dev enp3s0np9.111 192.168.0.1/24
$ ip link set dev enp3s0np9.111 nomaster

Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces")
Signed-off-by: Ido Schimmel
Reported-by: Petr Machata
Tested-by: Petr Machata
Reviewed-by: Petr Machata
Signed-off-by: David S. Miller

 drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 3 +++
 1 file changed, 3 insertions(+)

commit c1a4872ebfb83b1af7144f7b29ac8c4b344a12a8
Author: Gao Feng
Date: Wed Jun 28 12:53:54 2017 +0800

net: sched: Fix one possible panic when no destroy callback

When qdisc fails to init, qdisc_create would invoke the destroy callback to cleanup. But there is no check if the callback exists really. So it would cause the panic if there is no real destroy callback like the qdisc codel, fq, and so on.

Take codel as an example following: When a malicious user constructs one invalid netlink msg, it would cause codel_init->codel_change->nla_parse_nested failed. Then kernel would invoke the destroy callback directly but qdisc codel doesn't define one. It causes one panic as a result.

Now add the check for destroy to avoid the possible panic.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Gao Feng
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller

 net/sched/sch_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit 713a98d90c5ea072c1bb00ef40617aee2cef2232
Author: Jason Wang
Date: Wed Jun 28 09:51:03 2017 +0800

virtio-net: serialize tx routine during reset

We don't hold any tx lock when trying to disable TX during reset, this would lead to a use after free since ndo_start_xmit() tries to access the virtqueue which has already been freed. Fix this by using netif_tx_disable() before freeing the vqs, this could make sure no tx after vq freeing.

Reported-by: Jean-Philippe Menil
Tested-by: Jean-Philippe Menil
Fixes commit f600b6905015 ("virtio_net: Add XDP support")
Cc: John Fastabend
Signed-off-by: Jason Wang
Acked-by: Michael S. Tsirkin
Acked-by: Robert McCabe
Signed-off-by: David S. Miller

 drivers/net/virtio_net.c | 1 +
 1 file changed, 1 insertion(+)

commit 0f17976568b3f72e676450af0c0db6f8752253d6
Author: Steven Rostedt (VMware)
Date: Thu Jun 29 10:05:45 2017 -0400

ftrace: Fix regression with module command in stack_trace_filter

When doing the following command:

 # echo ":mod:kvm_intel" > /sys/kernel/tracing/stack_trace_filter

it triggered a crash. This happened with the clean up of probes. It required all callers to the regex function (doing ftrace filtering) to have ops->private be a pointer to a trace_array. But for the stack tracer, that is not the case.

Allow for the ops->private to be NULL, and change the function command callbacks to handle the trace_array pointer being NULL as well.

Fixes: d2afd57a4b96 ("tracing/ftrace: Allow instances to have their own function probes")
Signed-off-by: Steven Rostedt (VMware)

 kernel/trace/ftrace.c | 3 ---
 kernel/trace/trace.c | 3 +++
 kernel/trace/trace_functions.c | 12 ++++++++++++
 kernel/trace/trace_stack.c | 6 ++++--
 4 files changed, 19 insertions(+), 5 deletions(-)

commit 1d80df93d9d170eba8c3654719e5857307efd077
Author: Brian Norris
Date: Fri Jun 23 13:59:11 2017 -0700

Revert "pinctrl: rockchip: avoid hardirq-unsafe functions in irq_chip"

This reverts commit 88bb94216f59e10802aaf78c858a4146085faf18.

It introduced a new CONFIG_DEBUG_ATOMIC_SLEEP warning in v4.12-rc1:

[ 7226.716713] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:238
[ 7226.716716] in_atomic(): 0, irqs_disabled(): 0, pid: 1708, name: bash
[ 7226.716722] CPU: 1 PID: 1708 Comm: bash Not tainted 4.12.0-rc6+ #1213
[ 7226.716724] Hardware name: Google Kevin (DT)
[ 7226.716726] Call trace:
[ 7226.716738] [] dump_backtrace+0x0/0x24c
[ 7226.716743] [] show_stack+0x20/0x28
[ 7226.716749] [] dump_stack+0x90/0xb0
[ 7226.716755] [] ___might_sleep+0x10c/0x124
[ 7226.716760] [] __might_sleep+0x78/0x88
[ 7226.716765] [] mutex_lock+0x2c/0x64
[ 7226.716771] [] rockchip_irq_bus_lock+0x30/0x3c
[ 7226.716777] [] __irq_get_desc_lock+0x78/0x98
[ 7226.716782] [] irq_set_irq_wake+0x44/0x12c
[ 7226.716787] [] dev_pm_arm_wake_irq+0x4c/0x58
[ 7226.716792] [] device_wakeup_arm_wake_irqs+0x3c/0x58
[ 7226.716796] [] dpm_suspend_noirq+0xf8/0x3a0
[ 7226.716800] [] suspend_devices_and_enter+0x1a4/0x9a8
[ 7226.716803] [] pm_suspend+0x664/0x6a4
[ 7226.716807] [] state_store+0xd4/0xf8
...

It was reported on -rc1, and it's still not fixed in -rc6, so it should just be reverted.

Cc: John Keeping
Signed-off-by: Brian Norris
Reviewed-by: Heiko Stuebner
Signed-off-by: Linus Walleij

 drivers/pinctrl/pinctrl-rockchip.c | 44 ++++----------------------------------
 1 file changed, 4 insertions(+), 40 deletions(-)

commit c06632ea054c49510efacb42c52aab693c45b7ba
Author: Hans de Goede
Date: Fri Jun 23 09:26:13 2017 +0200

gpio: acpi: Skip _AEI entries without a handler rather then aborting the scan

acpi_walk_resources will stop as soon as the callback passed in returns an error status. On a x86 tablet I have the first GpioInt in the _AEI resource list has no handler defined in the DSDT, causing acpi_walk_resources to abort scanning the rest of the resource list, which does define valid ACPI GPIO events.

This commit changes the return for not finding a handler from AE_BAD_PARAMETER to AE_OK so that the rest of the resource list will get scanned normally in case of missing event handlers.

Signed-off-by: Hans de Goede
Acked-by: Mika Westerberg
Acked-by: Andy Shevchenko
Signed-off-by: Linus Walleij

 drivers/gpio/gpiolib-acpi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit ad537b822577fcc143325786cd6ad50d7b9df31c
Author: Bartosz Golaszewski
Date: Fri Jun 23 13:45:16 2017 +0200

gpiolib: fix filtering out unwanted events

GPIOEVENT_REQUEST_BOTH_EDGES is not a single flag, but a binary OR of GPIOEVENT_REQUEST_RISING_EDGE and GPIOEVENT_REQUEST_FALLING_EDGE.

The expression 'le->eflags & GPIOEVENT_REQUEST_BOTH_EDGES' will get evaluated to true even if only one event type was requested.

Fix it by checking both RISING & FALLING flags explicitly.

Cc: stable@vger.kernel.org
Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events")
Signed-off-by: Bartosz Golaszewski
Signed-off-by: Linus Walleij

 drivers/gpio/gpiolib.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit 6474924e2b5ddb0030c355558966adcbe3b49022
Author: Tobias Klauser
Date: Wed Jun 28 15:30:02 2017 +0200

arch: remove unused macro/function thread_saved_pc()

The only user of thread_saved_pc() in non-arch-specific code was removed in commit 8243d5597793 ("sched/core: Remove pointless printout in sched_show_task()"). Remove the implementations as well.

Some architectures use thread_saved_pc() in their arch-specific code. Leave their thread_saved_pc() intact.

Signed-off-by: Tobias Klauser
Acked-by: Geert Uytterhoeven
Cc: Ingo Molnar
Signed-off-by: Linus Torvalds

 arch/arc/include/asm/processor.h | 2 --
 arch/blackfin/include/asm/processor.h | 5 -----
 arch/c6x/include/asm/processor.h | 5 -----
 arch/cris/arch-v10/kernel/process.c | 8 --------
 arch/cris/arch-v32/kernel/process.c | 8 --------
 arch/cris/include/asm/processor.h | 2 --
 arch/frv/include/asm/processor.h | 5 -----
 arch/frv/kernel/process.c | 9 ---------
 arch/h8300/include/asm/processor.h | 4 ----
 arch/h8300/kernel/process.c | 5 -----
 arch/hexagon/include/asm/processor.h | 3 ---
 arch/hexagon/kernel/process.c | 8 --------
 arch/ia64/include/asm/processor.h | 17 -----------------
 arch/m32r/include/asm/processor.h | 2 --
 arch/m32r/kernel/process.c | 8 --------
 arch/m68k/include/asm/processor.h | 2 --
 arch/m68k/kernel/process.c | 14 --------------
 arch/microblaze/include/asm/processor.h | 6 ------
 arch/microblaze/kernel/process.c | 17 -----------------
 arch/mn10300/include/asm/processor.h | 5 -----
 arch/mn10300/kernel/process.c | 8 --------
 arch/nios2/include/asm/processor.h | 3 ---
 arch/openrisc/include/asm/processor.h | 5 -----
 arch/openrisc/kernel/process.c | 5 -----
 arch/parisc/include/asm/processor.h | 5 -----
 arch/parisc/kernel/process.c | 5 -----
 arch/powerpc/include/asm/processor.h | 6 ------
 arch/s390/include/asm/processor.h | 5 -----
 arch/s390/kernel/process.c | 25 -------------------------
 arch/score/include/asm/processor.h | 1 -
 arch/score/kernel/process.c | 5 -----
 arch/sparc/include/asm/processor_32.h | 3 ---
 arch/sparc/include/asm/processor_64.h | 2 --
 arch/sparc/kernel/process_32.c | 8 --------
 arch/sparc/kernel/process_64.c | 19 -------------------
 arch/tile/include/asm/processor.h | 7 -------
 arch/um/include/asm/processor-generic.h | 2 --
 arch/um/kernel/um_arch.c | 6 ------
 arch/x86/include/asm/processor.h | 2 --
 arch/x86/kernel/process.c | 11 -----------
 arch/xtensa/include/asm/processor.h | 2 --
 41 files changed, 270 deletions(-)

commit 9ae3b3f52c62ddd5eb12c57f195f4f38121faa01
Author: Jens Axboe
Date: Wed Jun 28 15:30:13 2017 -0600

block: provide bio_uninit() free freeing integrity/task associations

Wen reports significant memory leaks with DIF and O_DIRECT:

"With nvme device + T10 enabled, On a system it has 256GB and started logging /proc/meminfo & /proc/slabinfo for every minute and in an hour it increased by 15968128 kB or ~15+GB.. Approximately 256 MB / minute leaking.

/proc/meminfo | grep SUnreclaim...

SUnreclaim: 6752128 kB
SUnreclaim: 6874880 kB
SUnreclaim: 7238080 kB
....
SUnreclaim: 22307264 kB
SUnreclaim: 22485888 kB
SUnreclaim: 22720256 kB

When testcases with T10 enabled call into __blkdev_direct_IO_simple, code doesn't free memory allocated by bio_integrity_alloc. The patch fixes the issue. HTX has been run with +60 hours without failure."

Since __blkdev_direct_IO_simple() allocates the bio on the stack, it doesn't go through the regular bio free. This means that any ancillary data allocated with the bio through the stack is not freed. Hence, we can leak the integrity data associated with the bio, if the device is using DIF/DIX.

Fix this by providing a bio_uninit() and export it, so that we can use it to free this data. Note that this is a minimal fix for this issue. Any current user of bio's that are allocated outside of bio_alloc_bioset() suffers from this issue, most notably some drivers. We will fix those in a more comprehensive patch for 4.13. This also means that the commit marked as being fixed by this isn't the real culprit, it's just the most obvious one out there.

Fixes: 542ff7bf18c6 ("block: new direct I/O implementation")
Reported-by: Wen Xiong
Reviewed-by: Christoph Hellwig
Signed-off-by: Jens Axboe

 block/bio.c | 12 +++++++++---
 fs/block_dev.c | 5 ++++-
 include/linux/bio.h | 1 +
 3 files changed, 14 insertions(+), 4 deletions(-)

commit e547204f1f4f314a7352f7b93332fdc1a2e4b24c
Merge: 5a37be4 2e31b4c
Author: Linus Torvalds
Date: Wed Jun 28 13:27:15 2017 -0700

Merge tag 'nfs-for-4.12-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs

Pull NFS client bugfixes from Trond Myklebust:
"Bugfixes include:

 - stable fix for exclusive create if the server supports the umask attribute
 - trunking detection should handle ERESTARTSYS/EINTR
 - stable fix for a race in the LAYOUTGET function
 - stable fix to revert "nfs_rename() handle -ERESTARTSYS dentry left behind"
 - nfs4_callback_free_slot() cannot call nfs4_slot_tbl_drain_complete()"

* tag 'nfs-for-4.12-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
  NFSv4.1: nfs4_callback_free_slot() cannot call nfs4_slot_tbl_drain_complete()
  Revert "NFS: nfs_rename() handle -ERESTARTSYS dentry left behind"
  NFSv4.1: Fix a race in nfs4_proc_layoutget
  NFS: Trunking detection should handle ERESTARTSYS/EINTR
  NFSv4.2: Don't send mode again in post-EXCLUSIVE4_1 SETATTR with umask

commit 5a37be4b51bbf85e37cdb5831899c330505faf03
Merge: cf72349 9ff1beb
Author: Linus Torvalds
Date: Wed Jun 28 13:22:26 2017 -0700

Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
"This is the final set of fixes for -rc8, just a few i915 and one vmwgfx ones.

I'm off on holidays for a week, so if anything shows up for fixes I've asked Daniel or Sean Paul to herd it in the right direction"

[ The additional etnaviv fixes were already herded towards me as seen in my previous pull - Linus ]

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
  drm/i915: Disable EXEC_OBJECT_ASYNC when doing relocations
  drm/i915: Hold struct_mutex for per-file stats in debugfs/i915_gem_object
  drm/i915: Retire the VMA's fence tracker before unbinding

commit cf723497f2b0dfd688dd27949f1d6e26a5aec44c
Merge: 3c2bfba 426ef1b
Author: Linus Torvalds
Date: Wed Jun 28 13:13:48 2017 -0700

Merge branch 'etnaviv/fixes' of git://git.pengutronix.de/git/lst/linux

Pull drm/etnaviv fixes from Lucas Stach:
"I realized I just missed the cut-off point for the final drm fixes pull, but I have 2 more etnaviv fixes that need to go into 4.12, as they fix fallout from the explicit sync work introduced in the last merge window"

[ Pulling directly because Dave is on vacation. Noted by Daniel Vetter, and acked by Dave Airlie - Linus ]

* 'etnaviv/fixes' of git://git.pengutronix.de/git/lst/linux:
  drm/etnaviv: Fix implicit/explicit sync sense inversion
  drm/etnaviv: fix submit flags getting overwritten by BO content

commit 84a21dbdef0b96d773599c33c2afbb002198d303
Author: Suravee Suthikulpanit
Date: Mon Jun 26 04:28:04 2017 -0500

iommu/amd: Fix interrupt remapping when disable guest_mode

Pass-through devices to VM guest can get updated IRQ affinity information via irq_set_affinity() when not running in guest mode. Currently, AMD IOMMU driver in GA mode ignores the updated information if the pass-through device is setup to use vAPIC regardless of guest_mode. This could cause invalid interrupt remapping.

Also, the guest_mode bit should be set and cleared only when SVM updates posted-interrupt interrupt remapping information.

Signed-off-by: Suravee Suthikulpanit
Cc: Joerg Roedel
Fixes: d98de49a53e48 ('iommu/amd: Enable vAPIC interrupt remapping mode by default')
Signed-off-by: Joerg Roedel

 drivers/iommu/amd_iommu.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

commit fbaf94ee3cd5cfa85fe2d4d04be968820cb00556
Author: Miklos Szeredi
Date: Wed Jun 28 13:41:22 2017 +0200

ovl: don't set origin on broken lower hardlink

When copying up a file that has multiple hard links we need to break any association with the origin file. This makes copy-up be essentially an atomic replace.

The new file has nothing to do with the old one (except having the same data and metadata initially), so don't set the overlay.origin attribute.

We can relax this in the future when we are able to index upper object by origin.

Signed-off-by: Miklos Szeredi
Fixes: 3a1e819b4e80 ("ovl: store file handle of lower inode on copy up")

 fs/overlayfs/copy_up.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

commit e85f82ff9b8ef503923a3be8ca6b5fd1908a7f3f
Author: Miklos Szeredi
Date: Wed Jun 28 13:41:22 2017 +0200

ovl: copy-up: don't unlock between lookup and link

Nothing prevents mischief on upper layer while we are busy copying up the data.

Move the lookup right before the looked up dentry is actually used.

Signed-off-by: Miklos Szeredi
Fixes: 01ad3eb8a073 ("ovl: concurrent copy up of regular files")
Cc: # v4.11

 fs/overlayfs/copy_up.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

commit d94815f917da770d42c377786dc428f542e38f71
Author: Takashi Iwai
Date: Wed Jun 28 12:02:02 2017 +0200

ALSA: hda - Fix endless loop of codec configure

azx_codec_configure() loops over the codecs found on the given controller via a linked list. The code used to work in the past, but in the current version, this may lead to an endless loop when a codec binding returns an error.

The culprit is that the snd_hda_codec_configure() unregisters the device upon error, and this eventually deletes the given codec object from the bus. Since the list is initialized via list_del_init(), the next object points to the same device itself. This behavior change was introduced at splitting the HD-audio code, and forgotten to adapt it here.

For fixing this bug, just use a *_safe() version of list iteration.

Fixes: d068ebc25e6e ("ALSA: hda - Move some codes up to hdac_bus struct")
Reported-by: Daniel Vetter
Cc:
Signed-off-by: Takashi Iwai

 sound/pci/hda/hda_codec.h | 2 ++
 sound/pci/hda/hda_controller.c | 8 ++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

commit 426ef1bb40a3bd99ccd16d629bd1294805e96fc6
Author: Daniel Stone
Date: Thu Jun 22 12:22:22 2017 +0100

drm/etnaviv: Fix implicit/explicit sync sense inversion

We were reading the no-implicit sync flag the wrong way around, synchronizing too much for the explicit case, and not at all for the implicit case. Oops.

Signed-off-by: Daniel Stone
Signed-off-by: Lucas Stach

 drivers/gpu/drm/etnaviv/etnaviv_gem_submit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit f4a4381ba4944603905167d044d865990356ba22
Author: Lucas Stach
Date: Tue Jun 27 16:02:51 2017 +0200

drm/etnaviv: fix submit flags getting overwritten by BO content

The addition of the flags member to etnaviv_gem_submit structure didn't take into account that the last member of this structure is a variable length array.

Signed-off-by: Lucas Stach

 drivers/gpu/drm/etnaviv/etnaviv_gem.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit 9ff1beb1d19ffe2b26bf9cd2d33e6073d4f4b5fe
Merge: 5193c08 611cdf3
Author: Dave Airlie
Date: Wed Jun 28 17:07:15 2017 +1000

Merge tag 'drm-intel-fixes-2017-06-27' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes

Just a few minor fixes. Important one is the execbuf async fix (aka ANDROID_native_sync). There was another patch for a display coherency corner case on APL, but we've random-walked in that space too much, and the cherry-pick looked really invasive.

* tag 'drm-intel-fixes-2017-06-27' of git://anongit.freedesktop.org/git/drm-intel:
  drm/i915: Disable EXEC_OBJECT_ASYNC when doing relocations
  drm/i915: Hold struct_mutex for per-file stats in debugfs/i915_gem_object
  drm/i915: Retire the VMA's fence tracker before unbinding

commit 5193c08c7e82248cb6b1e5d672d261c4da6bb47b
Merge: c0bc126 82fcee5
Author: Dave Airlie
Date: Wed Jun 28 17:06:58 2017 +1000

Merge branch 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux into drm-fixes

Single vmwgfx fix

* 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux:
  drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr

commit a8f20fd25bdce81a8e41767c39f456d346b63427
Author: Hui Wang
Date: Wed Jun 28 08:59:16 2017 +0800

ALSA: hda - set input_path bitmap to zero after moving it to new place

Recently we met a problem, the codec has valid adcs and input pins, and they can form valid input paths, but the driver does not build valid controls for them like "Mic boost", "Capture Volume" and "Capture Switch".

Through debugging, I found the driver needs to shrink the invalid adcs and input paths for this machine, so it will move the whole column bitmap value to the previous column, after moving it, the driver forgets to set the original column bitmap value to zero, as a result, the driver will invalidate the path whose index value is the original column bitmap value. After executing this function, all valid input paths are invalidated by a mistake, there are no any valid input paths, so the driver won't build controls for them.

Fixes: 3a65bcdc577a ("ALSA: hda - Fix inconsistent input_paths after ADC reduction")
Cc:
Signed-off-by: Hui Wang
Signed-off-by: Takashi Iwai

 sound/pci/hda/hda_generic.c | 1 +
 1 file changed, 1 insertion(+)

commit 2e31b4cb895ae78db31dffb860cd255d86c6561c
Author: Trond Myklebust
Date: Tue Jun 27 17:40:50 2017 -0400

NFSv4.1: nfs4_callback_free_slot() cannot call nfs4_slot_tbl_drain_complete()

The current code works only for the case where we have exactly one slot, which is no longer true. nfs4_free_slot() will automatically declare the callback channel to be drained when all slots have been returned.

Signed-off-by: Trond Myklebust

 fs/nfs/callback_xdr.c | 1 -
 1 file changed, 1 deletion(-)

commit d9f2950006f110f54444a10442752372ee568289
Author: Benjamin Coddington
Date: Fri Jun 16 11:12:59 2017 -0400

Revert "NFS: nfs_rename() handle -ERESTARTSYS dentry left behind"

This reverts commit 920b4530fb80430ff30ef83efe21ba1fa5623731 which could call d_move() without holding the directory's i_mutex, and reverts commit d4ea7e3c5c0e341c15b073016dbf3ab6c65f12f3 "NFS: Fix old dentry rehash after move", which was a follow-up fix.

Signed-off-by: Benjamin Coddington
Fixes: 920b4530fb80 ("NFS: nfs_rename() handle -ERESTARTSYS dentry left behind")
Cc: stable@vger.kernel.org # v4.10+
Reviewed-by: Jeff Layton
Signed-off-by: Trond Myklebust

 fs/nfs/dir.c | 51 ++++++++++++++++++++++++---------------------------
 1 file changed, 24 insertions(+), 27 deletions(-)

commit bd171930e6a3de4f5cffdafbb944e50093dfb59b
Author: Trond Myklebust
Date: Tue Jun 27 17:33:38 2017 -0400

NFSv4.1: Fix a race in nfs4_proc_layoutget

If the task calling layoutget is signalled, then it is possible for the calls to nfs4_sequence_free_slot() and nfs4_layoutget_prepare() to race, in which case we leak a slot. The fix is to move the call to nfs4_sequence_free_slot() into the nfs4_layoutget_release() so that it gets called at task teardown time.
Fixes: 2e80dbe7ac51 ("NFSv4.1: Close callback races for OPEN, LAYOUTGET...")
Cc: stable@vger.kernel.org # v4.8+
Signed-off-by: Trond Myklebust

fs/nfs/nfs4proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 898fc11bb2bd4fbcefb685872d9fffaba2c8edaf
Author: Trond Myklebust
Date: Wed Jun 21 10:16:56 2017 -0400

NFS: Trunking detection should handle ERESTARTSYS/EINTR

Currently, it will return EIO in those cases.

Signed-off-by: Trond Myklebust

fs/nfs/nfs4state.c | 2 ++
1 file changed, 2 insertions(+)

commit ddbfff7429a75d954bf5bdff9f2222bceb4c236a
Author: Aleksandar Markovic
Date: Mon Jun 19 17:50:12 2017 +0200

MIPS: math-emu: Handle zero accumulator case in MADDF and MSUBF separately

If accumulator value is zero, just return the value of previously calculated product. This brings logic in MADDF/MSUBF implementation closer to the logic in ADD/SUB case.

Signed-off-by: Miodrag Dinic
Signed-off-by: Goran Ferenc
Signed-off-by: Aleksandar Markovic
Cc: James.Hogan@imgtec.com
Cc: Paul.Burton@imgtec.com
Cc: Raghu.Gandham@imgtec.com
Cc: Leonid.Yegoshin@imgtec.com
Cc: Douglas.Leung@imgtec.com
Cc: Petar.Jovanovic@imgtec.com
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16512/
Signed-off-by: Ralf Baechle

arch/mips/math-emu/dp_maddf.c | 5 ++++-
arch/mips/math-emu/sp_maddf.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)

commit ebef7368571d88f0f80b817e6898075c62265b4e
Author: Keith Busch
Date: Tue Jun 27 17:44:05 2017 -0600

nvme/pci: Fix stuck nvme reset

The controller state is set to resetting prior to disabling the controller, so this patch accounts for that state when deciding if it needs to freeze the queues. Without this, an 'nvme reset /dev/nvme0' blocks forever because the queues were never frozen.
Fixes: 82b057caefaf ("nvme-pci: fix multiple ctrl removal scheduling")
Signed-off-by: Keith Busch
Reviewed-by: Christoph Hellwig
Signed-off-by: Jens Axboe

drivers/nvme/host/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

commit 25d8b92e0af75d72ce8b99e63e5a449cc0888efa
Author: Karl Beldan
Date: Tue Jun 27 19:22:16 2017 +0000

MIPS: head: Reorder instructions missing a delay slot

In this sequence the 'move' is assumed in the delay slot of the 'beq', but head.S is in reorder mode and the former gets pushed one 'nop' farther by the assembler.

The corrected behavior made booting with an UHI supplied dtb erratic.

Fixes: 15f37e158892 ("MIPS: store the appended dtb address in a variable")
Signed-off-by: Karl Beldan
Reviewed-by: James Hogan
Cc: Jonas Gorski
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/16614/
Signed-off-by: Ralf Baechle

arch/mips/kernel/head.S | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit e20bd60bf62a2448be873653c7febca1d4d73afc
Author: Andrew F. Davis
Date: Mon Jun 26 12:41:20 2017 -0500

net: usb: asix88179_178a: Add support for the Belkin B2B128

The Belkin B2B128 is a USB 3.0 Hub + Gigabit Ethernet Adapter, the Ethernet adapter uses the ASIX AX88179 USB 3.0 to Gigabit Ethernet chip supported by this driver, add the USB ID for the same.

This patch is based on work by Geoffrey Tran who has indicated they would like this upstreamed by someone more familiar with the upstreaming process.

Signed-off-by: Andrew F. Davis
Signed-off-by: David S. Miller

drivers/net/usb/ax88179_178a.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)

commit 85688d9adf68557233d974ef28971e69b89fb690
Author: Madalin Bucur
Date: Mon Jun 26 18:47:00 2017 +0300

fsl/fman: add dependency on HAS_DMA

A previous commit (5567e989198b5a8d) inserted a dependency on DMA API that requires HAS_DMA to be added in Kconfig.

Signed-off-by: Madalin Bucur
Signed-off-by: David S. Miller

drivers/net/ethernet/freescale/fman/Kconfig | 1 +
1 file changed, 1 insertion(+)

commit 00a0ea33b495ee6149bf5a77ac5807ce87323abb
Author: Vallish Vaidyeshwara
Date: Fri Jun 23 18:53:06 2017 +0000

dm thin: do not queue freed thin mapping for next stage processing

process_prepared_discard_passdown_pt1() should cleanup dm_thin_new_mapping in cases of error.

dm_pool_inc_data_range() can fail trying to get a block reference:

metadata operation 'dm_pool_inc_data_range' failed: error = -61

When dm_pool_inc_data_range() fails, dm thin aborts current metadata transaction and marks pool as PM_READ_ONLY. Memory for thin mapping is released as well. However, current thin mapping will be queued onto next stage as part of queue_passdown_pt2() or passdown_endio(). This dangling thin mapping memory when processed and accessed in next stage will lead to device mapper crashing.

Code flow without fix:
-> process_prepared_discard_passdown_pt1(m)
   -> dm_thin_remove_range()
   -> discard passdown
      --> passdown_endio(m) queues m onto next stage
   -> dm_pool_inc_data_range() fails, frees memory m but does not remove it from next stage queue
-> process_prepared_discard_passdown_pt2(m)
   -> processes freed memory m and crashes

One such stack:

Call Trace:
[] dm_cell_release_no_holder+0x2f/0x70 [dm_bio_prison]
[] cell_defer_no_holder+0x3c/0x80 [dm_thin_pool]
[] process_prepared_discard_passdown_pt2+0x4b/0x90 [dm_thin_pool]
[] process_prepared+0x81/0xa0 [dm_thin_pool]
[] do_worker+0xc5/0x820 [dm_thin_pool]
[] ? __schedule+0x244/0x680
[] ? pwq_activate_delayed_work+0x42/0xb0
[] process_one_work+0x153/0x3f0
[] worker_thread+0x12b/0x4b0
[] ? rescuer_thread+0x350/0x350
[] kthread+0xca/0xe0
[] ? kthread_park+0x60/0x60
[] ret_from_fork+0x25/0x30

The fix is to first take the block ref count for discarded block and then do a passdown discard of this block.
If block ref count fails, then bail out aborting current metadata transaction, mark pool as PM_READ_ONLY and also free current thin mapping memory (existing error handling code) without queueing this thin mapping onto next stage of processing. If block ref count succeeds, then passdown discard of this block. Discard callback of passdown_endio() will queue this thin mapping onto next stage of processing.

Code flow with fix:
-> process_prepared_discard_passdown_pt1(m)
   -> dm_thin_remove_range()
   -> dm_pool_inc_data_range()
      --> if fails, free memory m and bail out
   -> discard passdown
      --> passdown_endio(m) queues m onto next stage

Cc: stable # v4.9+
Reviewed-by: Eduardo Valentin
Reviewed-by: Cristian Gafton
Reviewed-by: Anchal Agarwal
Signed-off-by: Vallish Vaidyeshwara
Reviewed-by: Joe Thornber
Signed-off-by: Mike Snitzer

drivers/md/dm-thin.c | 26 +++++++++++++-------------
1 file changed, 13 insertions(+), 13 deletions(-)

commit 6f64ec74515925cced6df4571638b5a099a49aae
Author: Eric Dumazet
Date: Tue Jun 27 07:02:20 2017 -0700

net: prevent sign extension in dev_get_stats()

Similar to the fix provided by Dominik Heidler in commit 9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned") we need to take care of 32bit kernels in dev_get_stats().

When using atomic_long_read(), we add a 'long' to u64 and might misinterpret high order bit, unless we cast to unsigned.

Fixes: caf586e5f23ce ("net: add a core netdev->rx_dropped counter")
Fixes: 015f0688f57ca ("net: net: add a core netdev->tx_dropped counter")
Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
Signed-off-by: Eric Dumazet
Cc: Jarod Wilson
Signed-off-by: David S. Miller

net/core/dev.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

commit 3c2bfbaadff6e0c257bb6b16c9c97f43618b13dc
Merge: da8b14e d360a68
Author: Linus Torvalds
Date: Tue Jun 27 08:56:52 2017 -0700

Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm

Pull ARM fixes from Russell King:
"Three more fixes:
- Fix the previous fix merged in the last pull for the Thumb2 decompressor.
- A fix from Vladimir to correctly identify the V7M cache type.
- The optimised 3G vmsplit case does not work with LPAE, so don't allow this to be selected for LPAE configurations"

* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 8682/1: V7M: Set cacheid iff DminLine or IminLine is nonzero
  ARM: 8681/1: make VMSPLIT_3G_OPT depends on !ARM_LPAE
  ARM: 8680/1: boot/compressed: fix inappropriate Thumb2 mnemonic for __nop

commit e3c2c4fb524b548e58108a8820c0ac7787667584
Merge: c0bc126 3f938ee
Author: Ingo Molnar
Date: Tue Jun 27 09:17:02 2017 +0200

Merge tag 'perf-urgent-for-mingo-4.12-20170626' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent

Pull perf/urgent fix from Arnaldo Carvalho de Melo:
- Fix segfault for kernel.kptr_restrict=2 (Jiri Olsa)

Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: Ingo Molnar

commit da8b14e45c8b8234cb9a609c947f7e4d15f8dbef
Merge: 9d646c9 91ebcd1
Author: Linus Torvalds
Date: Mon Jun 26 12:25:59 2017 -0700

Merge tag 'for-linus' of git://linux-c6x.org/git/projects/linux-c6x-upstreaming

Pull c6x fixlet from Mark Salter:
"Update maintainer email"

* tag 'for-linus' of git://linux-c6x.org/git/projects/linux-c6x-upstreaming:
  MAINTAINERS: update email address for C6x maintainer

commit 9d646c97e1abf777cf229031365860e7bc1c588c
Merge: c0bc126 4130b28
Author: Linus Torvalds
Date: Mon Jun 26 11:58:21 2017 -0700

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 bugfix from Martin Schwidefsky:
"One last s390 patch for 4.12

Revert the re-IPL semantics back to the v4.7 state. It turned out that the memory layout may change due to memory hotplug if load-normal is used"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/ipl: revert Load Normal semantics for LPAR CCW-type re-IPL

commit 3f938ee2f6c4fff8d95b24636a0964b5a93cf547
Author: Jiri Olsa
Date: Mon Jun 26 11:51:53 2017 +0200

perf machine: Fix segfault for kernel.kptr_restrict=2

Michael reported the segfault when kernel.kptr_restrict=2 is set.

  $ perf record ls ...
  perf: Segmentation fault
  Obtained 16 stack frames.
  ./perf(dump_stack+0x2d) [0x5068df]
  ./perf(sighandler_dump_stack+0x2d) [0x5069bf]
  ./perf() [0x43e47b]
  /lib64/libc.so.6(+0x3594f) [0x7f762004794f]
  /lib64/libc.so.6(strlen+0x26) [0x7f762009ef86]
  /lib64/libc.so.6(__strdup+0xd) [0x7f762009ecbd]
  ./perf(maps__set_kallsyms_ref_reloc_sym+0x4d) [0x51590f]
  ./perf(machine__create_kernel_maps+0x136) [0x50a7de]
  ./perf(perf_session__create_kernel_maps+0x2c) [0x510a81]
  ./perf(perf_session__new+0x13d) [0x510e23]
  ./perf() [0x43fd61]
  ./perf(cmd_record+0x704) [0x441823]
  ./perf() [0x4bc1a0]
  ./perf() [0x4bc40d]
  ./perf() [0x4bc55f]
  ./perf(main+0x2d5) [0x4bc939]
  Segmentation fault (core dumped)

The reason is that with kernel.kptr_restrict=2, we don't get the symbol from machine__get_running_kernel_start, which we want to use in maps__set_kallsyms_ref_reloc_sym and we crash.

Check the symbol name value before calling maps__set_kallsyms_ref_reloc_sym() and succeed without ref_reloc_sym being set. It's safe because we check its existence before we use it.
Reported-by: Michael Petlan
Signed-off-by: Jiri Olsa
Tested-by: Arnaldo Carvalho de Melo
Cc: David Ahern
Cc: Namhyung Kim
Cc: Peter Zijlstra
Link: http://lkml.kernel.org/r/20170626095153.553-1-jolsa@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo

tools/perf/util/machine.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

commit d6bd8194e2867e85ac2de63486d3b83ccfae4e62
Author: Michael Ellerman
Date: Mon Jun 26 11:30:57 2017 +1000

powerpc/32: Avoid miscompilation w/GCC 4.6.3 - don't inline copy_to/from_user()

Larry Finger reported that his Powerbook G4 was no longer booting with v4.12-rc, userspace was up but giving weird errors such as:

  udevd[64]: starting version 175
  udevd[64]: Unable to receive ctrl message: Bad address.
  modprobe: chdir(4.12-rc1): No such file or directory

He bisected the problem to commit 3448890c32c3 ("powerpc: get rid of zeroing, switch to RAW_COPY_USER").

Al identified that the problem is actually a miscompilation by GCC 4.6.3, which is exposed by the above commit.

Al also pointed out that inlining copy_to/from_user() is probably of little or no benefit, which is correct. Using Anton's copy_to_user benchmark, with a pathological single byte copy, we see a small increase in performance by *removing* inlining:

Before (inlined):
  # time ./copy_to_user -w -l 1 -i 10000000 ( x 3 )
  real 0m22.063s
  real 0m22.059s
  real 0m22.076s

After:
  # time ./copy_to_user -w -l 1 -i 10000000 ( x 3 )
  real 0m21.325s
  real 0m21.299s
  real 0m21.364s

So as a small performance improvement and to avoid the miscompilation, drop inlining copy_to/from_user() on 32-bit.
Fixes: 3448890c32c3 ("powerpc: get rid of zeroing, switch to RAW_COPY_USER")
Reported-by: Larry Finger
Suggested-by: Al Viro
Signed-off-by: Michael Ellerman

arch/powerpc/include/asm/uaccess.h | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

commit 82fcee526ba8ca2c5d378bdf51b21b7eb058fe3a
Author: Deepak Rawat
Date: Mon Jun 26 14:39:08 2017 +0200

drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr

The hash table created during vmw_cmdbuf_res_man_create was never freed. This causes memory leak in context creation. Added the corresponding drm_ht_remove in vmw_cmdbuf_res_man_destroy.

Tested for memory leak by running piglit overnight and kernel memory is not inflated which earlier was.

Cc:
Signed-off-by: Deepak Rawat
Reviewed-by: Sinclair Yeh
Signed-off-by: Thomas Hellstrom

drivers/gpu/drm/vmwgfx/vmwgfx_cmdbuf_res.c | 1 +
1 file changed, 1 insertion(+)

commit 98fe3633c5a44e5ee3d642907739eb0210407886
Author: Jérôme Glisse
Date: Sat Jun 24 14:05:14 2017 -0400

x86/mm/hotplug: Fix BUG_ON() after hot-remove by not freeing PUD

Since commit:

  af2cf278ef4f ("x86/mm/hotplug: Don't remove PGD entries in remove_pagetable()")

we no longer free PUDs so that we do not have to synchronize all PGDs on hot-remove/vfree().

But the new 5-level page table patchset reverted that for 4-level page tables, in the following commit:

  f2a6a7050109: ("x86: Convert the rest of the code to support p4d_t")

This patch restores the damage and disables free_pud() if we are in the 4-level page table case, thus avoiding BUG_ON() after hot-remove.

Signed-off-by: Jérôme Glisse
[ Clarified the changelog and the code comments. ]
Reviewed-by: Kirill A. Shutemov
Cc: Andrew Morton
Cc: Andy Lutomirski
Cc: Linus Torvalds
Cc: Logan Gunthorpe
Cc: Peter Zijlstra
Cc: Thomas Gleixner
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20170624180514.3821-1-jglisse@redhat.com
Signed-off-by: Ingo Molnar

arch/x86/mm/init_64.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

commit 611cdf3695a307fdca3ff3779a1e6cca935e2d31
Author: Chris Wilson
Date: Fri Jun 16 15:05:18 2017 +0100

drm/i915: Disable EXEC_OBJECT_ASYNC when doing relocations

If we write a relocation into the buffer, we require our own implicit synchronisation added after the start of the execbuf, outside of the user's control. As we may end up clflushing, or doing the patch itself on the GPU, asynchronously we need to look at the implicit serialisation on obj->resv and hence need to disable EXEC_OBJECT_ASYNC for this object.

If the user does trigger a stall for relocations, we make sure the stall is complete enough so that the batch is not submitted before we complete those relocations.

Fixes: 77ae9957897d ("drm/i915: Enable userspace to opt-out of implicit fencing")
Signed-off-by: Chris Wilson
Cc: Joonas Lahtinen
Cc: Jason Ekstrand
Reviewed-by: Joonas Lahtinen
(cherry picked from commit 071750e550af46b5d3a84ad56c2a108c3e136284)
[danvet: Resolve conflicts, resolution reviewed by Tvrtko on irc.]
Signed-off-by: Daniel Vetter

drivers/gpu/drm/i915/i915_gem_execbuffer.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)

commit 2c7367626733e27d6f6d9906db7a31ada587566b
Author: Chris Wilson
Date: Sat Jun 17 12:57:44 2017 +0100

drm/i915: Hold struct_mutex for per-file stats in debugfs/i915_gem_object

As we walk the obj->vma_list in per_file_stats(), we need to hold struct_mutex to prevent alteration of that list.
Fixes: 1d2ac403ae3b ("drm: Protect dev->filelist with its own mutex")
Fixes: c84455b4bacc ("drm/i915: Move debug only per-request pid tracking from request to ctx")
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101460
Signed-off-by: Chris Wilson
Cc: Daniel Vetter
Cc: Joonas Lahtinen
Link: http://patchwork.freedesktop.org/patch/msgid/20170617115744.4452-1-chris@chris-wilson.co.uk
Reviewed-by: Tvrtko Ursulin
(cherry picked from commit 0caf81b5c53d9bd332a95dbcb44db8de0b397a7c)
Signed-off-by: Daniel Vetter

drivers/gpu/drm/i915/i915_debugfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

commit d8462d0ad350ccd399899de051060ee562a5e537
Author: Chris Wilson
Date: Tue Jun 20 13:43:19 2017 +0100

drm/i915: Retire the VMA's fence tracker before unbinding

Since we may track unfenced access (GPU access to the vma that explicitly requires no fence), vma->last_fence may be set without any attached fence (vma->fence) and so will not be flushed when we call i915_vma_put_fence(). Since we stopped doing a full retire of the activity trackers for unbind, we need to explicitly retire each tracker.
Fixes: b0decaf75bd9 ("drm/i915: Track active vma requests")
Signed-off-by: Chris Wilson
Cc: Joonas Lahtinen
Cc: Tvrtko Ursulin
Link: http://patchwork.freedesktop.org/patch/msgid/20170620124321.1108-1-chris@chris-wilson.co.uk
Reviewed-by: Tvrtko Ursulin
(cherry picked from commit 760a898d8069111704e1bd43f00ebf369ae46e57)
Signed-off-by: Daniel Vetter

drivers/gpu/drm/i915/i915_vma.c | 5 +++++
1 file changed, 5 insertions(+)

commit c0bc126f97fb929b3ae02c1c62322645d70eb408
Author: Linus Torvalds
Date: Sun Jun 25 18:30:05 2017 -0700

Linux 4.12-rc7

Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit a4fd8b3accf43d407472e34403d4b0a4df5c0e71
Merge: 5f4b37d 26fcd95
Author: Linus Torvalds
Date: Sun Jun 25 12:01:56 2017 -0700

Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull x86 fix from Thomas Gleixner:
"A single fix to unbreak the vdso32 build for 64bit kernels caused by excess #includes in the mshyperv header"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mshyperv: Remove excess #includes from mshyperv.h

commit 5f4b37d8784da4217ede8f8bcd301686853dcf8c
Merge: 35d8d5d 8e6cec1c
Author: Linus Torvalds
Date: Sun Jun 25 11:59:19 2017 -0700

Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull timer fixes from Thomas Gleixner:
"A few fixes for timekeeping and timers:
- Plug a subtle race due to a missing READ_ONCE() in the timekeeping code where reloading of a pointer results in an inconsistent callback argument being supplied to the clocksource->read function.
- Correct the CLOCK_MONOTONIC_RAW sub-nanosecond accounting in the time keeping core code, to prevent a possible discontinuity.
- Apply a similar fix to the arm64 vdso clock_gettime() implementation
- Add missing includes to clocksource drivers, which relied on indirect includes which fails in certain configs.
- Use the proper iomem pointer for read/iounmap in a probe function"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW
  time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting
  time: Fix clock->read(clock) race around clocksource changes
  clocksource: Explicitly include linux/clocksource.h when needed
  clocksource/drivers/arm_arch_timer: Fix read and iounmap of incorrect variable

commit 35d8d5d47c0ef066197f629f71cdd6039693b86d
Merge: 1a8cca1 977282e
Author: Linus Torvalds
Date: Sun Jun 25 11:55:21 2017 -0700

Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull perf fixes from Thomas Gleixner:
"Three fixlets for perf:
- Return the proper error code if aux buffers for an event are not supported.
- Calculate the probe offset for inlined functions correctly
- Update the Skylake DTLB load/store miss event so it can count 1G TLB entries as well"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf probe: Fix probe definition for inlined functions
  perf/x86/intel: Add 1G DTLB load/store miss support for SKL
  perf/aux: Correct return code of rb_alloc_aux() if !has_aux(ev)

commit 1a8cca1880e6127a22cf6604b3c4ccd8b27cbf65
Merge: 412572b 9f93d87
Author: Linus Torvalds
Date: Sun Jun 25 11:53:36 2017 -0700

Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip

Pull irq fix from Thomas Gleixner:
"A single fix for the MIPS GIC to prevent ftrace recursion"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/mips-gic: Mark count and compare accessors notrace

commit 412572bffa9d1bc0f3ebae39291a815dad1d0418
Merge: d5d5c18 9768935
Author: Linus Torvalds
Date: Sun Jun 25 10:39:43 2017 -0700

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:
- a quirk to i8042 to ignore timeout bit on Lifebook AH544
- a fixup to Synaptics RMI function 54 that was breaking some Dells
- a fix for memory leak in soc_button_array driver

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics-rmi4 - only read the F54 query registers which are used
  Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list
  Input: soc_button_array - fix leaking the ACPI button descriptor buffer

commit d5d5c1825e85a144e67448ad777eff441ddb907f
Merge: bb9b8fd abb85a9
Author: Linus Torvalds
Date: Sun Jun 25 10:36:44 2017 -0700

Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending

Pull SCSI target fixes from Nicholas Bellinger:
"Here are the target-pending fixes for v4.12-rc7 that have been queued up for the last 2 weeks. This includes:
- Fix a TMR related kref underflow detected by the recent refcount_t conversion in upstream.
- Fix an iscsi-target corner case during explicit connection logout timeout failure.
- Address last fallout in iscsi-target immediate data handling from v4.4 target-core now allowing control CDB payload underflow"

* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
  iscsi-target: Reject immediate data underflow larger than SCSI transfer length
  iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP
  target: Fix kref->refcount underflow in transport_cmd_finish_abort

commit d747a7a51b00984127a88113cdbbc26f91e9d815
Author: WANG Cong
Date: Sat Jun 24 23:50:30 2017 -0700

tcp: reset sk_rx_dst in tcp_disconnect()

We have to reset the sk->sk_rx_dst when we disconnect a TCP connection, because otherwise when we re-connect it this dst reference is simply overridden in tcp_finish_connect().

This fixes a dst leak which leads to a loopback dev refcnt leak. It is a long-standing bug, Kevin reported a very similar (if not same) bug before. Thanks to Andrei for providing such a reliable reproducer which greatly narrows down the problem.
Fixes: 41063e9dd119 ("ipv4: Early TCP socket demux.")
Reported-by: Andrei Vagin
Reported-by: Kevin Xu
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller

net/ipv4/tcp.c | 2 ++
1 file changed, 2 insertions(+)

commit 85cb73ff9b74785a7fc752875d7f0fe17ca3ea7c
Author: Wei Wang
Date: Fri Jun 23 15:25:37 2017 -0700

net: ipv6: reset daddr and dport in sk if connect() fails

In __ip6_datagram_connect(), reset sk->sk_v6_daddr and inet->dport if error occurs. In udp_v6_early_demux(), check for sk_state to make sure it is in TCP_ESTABLISHED state. Together, it makes sure unconnected UDP socket won't be considered as a valid candidate for early demux.

v3: add TCP_ESTABLISHED state check in udp_v6_early_demux()
v2: fix compilation error

Fixes: 5425077d73e0 ("net: ipv6: Add early demux handler for UDP unicast")
Signed-off-by: Wei Wang
Acked-by: Maciej Żenczykowski
Signed-off-by: David S. Miller

net/ipv6/datagram.c | 8 +++++++-
net/ipv6/udp.c | 3 ++-
2 files changed, 9 insertions(+), 2 deletions(-)

commit d0c32a16235aeacd32c9de6ff90f9219614d7e4e
Author: Mintz, Yuval
Date: Sat Jun 24 15:37:00 2017 +0300

bnx2x: Don't log mc removal needlessly

When mc configuration changes bnx2x_config_mcast() can return 0 for success, negative for failure and positive for benign reason preventing its immediate work, e.g., when the command awaits the completion of a previously sent command.

When removing all configured macs on a 578xx adapter, if a positive value would be returned driver would erroneously log it as an error.

Fixes: c7b7b483ccc9 ("bnx2x: Don't flush multicast MACs")
Signed-off-by: Yuval Mintz
Signed-off-by: David S. Miller

drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit bb9b8fd26b50c9ec822805b9d877bec9d88acff4
Merge: f65013d ad81810
Author: Linus Torvalds
Date: Sat Jun 24 16:18:00 2017 -0700

Merge tag 'kbuild-fixes-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:
"Nothing scary, just some random fixes:
- fix warnings of host programs
- fix "make tags" when COMPILED_SOURCE=1 is specified along with O=
- clarify help message of C=1 option
- fix dependency for ncurses compatibility check
- fix "make headers_install" for fakechroot environment"

* tag 'kbuild-fixes-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  kconfig: fix sparse warnings in nconfig
  kbuild: fix header installation under fakechroot environment
  kconfig: Check for libncurses before menuconfig
  Kbuild: tiny correction on `make help`
  tags: honor COMPILED_SOURCE with apart output directory
  genksyms: add printf format attribute to error_with_pos()

commit f65013d655ac9639f37d3b54189f6468f672e60b
Merge: 94a6df2 57db7e4
Author: Linus Torvalds
Date: Sat Jun 24 02:24:53 2017 -0700

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace

Pull timer fix from Eric Biederman:
"This fixes an issue of confusing injected signals with the signals from posix timers that has existed since posix timers have been in the kernel.

This patch is slightly simpler than my earlier version of this patch as I discovered in testing that I had misspelled "#ifdef CONFIG_POSIX_TIMERS". So I deleted that unnecessary test and made setting of resched_timer unconditional.

I have tested this and verified that without this patch there is a nasty hang that is easy to trigger, and with this patch everything works properly"

Thomas Gleixner dixit:
"It fixes the problem at hand and covers the ptrace case as well, which I missed.
Reviewed-and-tested-by: Thomas Gleixner"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  signal: Only reschedule timers on signals timers have sent

commit 26fcd952d5c977a94ac64bb44ed409e37607b2c9
Author: Thomas Gleixner
Date: Fri Jun 23 10:50:38 2017 +0200

x86/mshyperv: Remove excess #includes from mshyperv.h

A recent commit included linux/slab.h in linux/irq.h. This breaks the build of vdso32 on a 64-bit kernel.

The reason is that linux/irq.h gets included into the vdso code via linux/interrupt.h which is included from asm/mshyperv.h. That makes the 32-bit vdso compile fail, because slab.h includes the pgtable headers for 64-bit on a 64-bit build.

Neither linux/clocksource.h nor linux/interrupt.h are needed in the mshyperv.h header file itself - it has a dependency on .

Remove the includes and unbreak the build.

Reported-by: Ingo Molnar
Signed-off-by: Thomas Gleixner
Cc: K. Y. Srinivasan
Cc: Linus Torvalds
Cc: Peter Zijlstra
Cc: Vitaly Kuznetsov
Cc: devel@linuxdriverproject.org
Fixes: dee863b571b0 ("hv: export current Hyper-V clocksource")
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1706231038460.2647@nanos
Signed-off-by: Ingo Molnar

arch/x86/include/asm/mshyperv.h | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

commit 94a6df251dd08c6436ebd6d10c68f03659148ce1
Merge: cd5545a 34f19ff
Author: Linus Torvalds
Date: Fri Jun 23 17:53:16 2017 -0700

Merge tag 'powerpc-4.12-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
"Some more powerpc fixes for 4.12. Most of these actually came in last week but got held up for some more testing.
- three fixes for kprobes/ftrace/livepatch interactions.
- properly handle data breakpoints when using the Radix MMU.
- fix for perf sampling of registers during call_usermodehelper().
- properly initialise the thread_info on our emergency stacks
- add an explicit flush when doing TLB invalidations for a process using NPU2.
Thanks to: Alistair Popple, Naveen N. Rao, Nicholas Piggin, Ravi Bangoria, Masami Hiramatsu"

* tag 'powerpc-4.12-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/64: Initialise thread_info for emergency stacks
  powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD
  powerpc/perf: Fix oops when kthread execs user process
  powerpc/64s: Handle data breakpoints in Radix mode
  powerpc/kprobes: Skip livepatch_handler() for jprobes
  powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS
  powerpc/kprobes: Pause function_graph tracing during jprobes handling

commit cd5545ae87ed9ca76dba7753b436713ce8df2872
Merge: ba6cbdb e4330d8b
Author: Linus Torvalds
Date: Fri Jun 23 17:49:12 2017 -0700

Merge tag 'acpi-4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
"This fixes the ACPI-based enumeration of some I2C and SPI devices broken in 4.11.

Specifics:
- I2C and SPI devices are expected to be enumerated by the I2C and SPI subsystems, respectively, but due to a change made during the 4.11 cycle, in some cases the ACPI core marks them as already enumerated which causes the I2C and SPI subsystems to overlook them, so fix that (Jarkko Nikula)"

* tag 'acpi-4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / scan: Fix enumeration for special SPI and I2C devices

commit ba6cbdb673c287cee87a965266419fd2111e20c4
Merge: 25b2398 6c782a5
Author: Linus Torvalds
Date: Fri Jun 23 17:46:10 2017 -0700

Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux

Pull i2c fix from Wolfram Sang.

* 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: imx: Use correct function to write to register

commit 25b2398f5c0167accd6d0ab18db0561ac22ca6cc
Merge: 51c933f 6c7515c
Author: Linus Torvalds
Date: Fri Jun 23 17:40:41 2017 -0700

Merge tag 'gpio-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fix from Linus Walleij:
"A single GPIO patch fixing the compatible string for the MVEBU PWM controller embedded in the GPIO controller before we release v4.12. Hopefully"

* tag 'gpio-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: mvebu: change compatible string for PWM support

commit 51c933f208c51b3e5371779ba3c246bde144ed11
Merge: 311548f c7ecb90
Author: Linus Torvalds
Date: Fri Jun 23 17:37:56 2017 -0700

Merge tag 'sound-4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
"Nothing exciting here, just a few stable fixes:
- suppress spurious kernel WARNING in PCM core
- fix potential spin deadlock at error handling in firewire
- HD-audio PCI ID addition / fixup"

* tag 'sound-4.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Apply quirks to Broxton-T, too
  ALSA: firewire-lib: Fix stall of process context at packet error
  ALSA: pcm: Don't treat NULL chmap as a fatal error
  ALSA: hda - Add Coffelake PCI ID

commit 311548f173ff53bd4c7407eaf52097d00d2ea4de
Merge: 7139a06 33ce756
Author: Linus Torvalds
Date: Fri Jun 23 17:35:57 2017 -0700

Merge tag 'drm-fixes-for-v4.12-rc7' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
"A varied bunch of fixes, one for an API regression with connectors.
Otherwise amdgpu and i915 have a bunch of varied fixes, the shrinker ones being the most important" * tag 'drm-fixes-for-v4.12-rc7' of git://people.freedesktop.org/~airlied/linux: drm: Fix GETCONNECTOR regression drm/radeon: add a quirk for Toshiba Satellite L20-183 drm/radeon: add a PX quirk for another K53TK variant drm/amdgpu: adjust default display clock drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating drm/amdgpu: add Polaris12 DID drm/i915: Don't enable backlight at setup time. drm/i915: Plumb the correct acquire ctx into intel_crtc_disable_noatomic() drm/i915: Fix deadlock witha the pipe A quirk during resume drm/i915: Remove __GFP_NORETRY from our buffer allocator drm/i915: Encourage our shrinker more when our shmemfs allocations fails drm/i915: Differentiate between sw write location into ring and last hw read commit 7139a06b1637fa09d826997d6b869c59d40ac5c1 Merge: 7ec2f7e 4a072c7 Author: Linus Torvalds Date: Fri Jun 23 17:33:46 2017 -0700 Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random Pull random fixes from Ted Ts'o: "Fix some locking and gcc optimization issues from the most recent random_for_linus_stable pull request" * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: silence compiler warnings and fix race commit 7ec2f7e8d9b5d4186e407cdc0a3a84a932bc52f5 Merge: 337c6ba feb7695 Author: Linus Torvalds Date: Fri Jun 23 17:32:05 2017 -0700 Merge tag 'for-4.12/dm-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - a revert of a DM mirror commit that has proven to make the code prone to crash - a DM io reference count fix that resolves a NULL pointer seen when issuing discards to a DM mirror target's device whose mirror legs do not all support discards - a couple DM integrity fixes * tag 'for-4.12/dm-fixes-4' of 
      git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
      dm io: fix duplicate bio completion due to missing ref count
      dm integrity: fix to not disable/enable interrupts from interrupt context
      Revert "dm mirror: use all available legs on multiple failures"
      dm integrity: reject mappings too large for device

commit 337c6ba2d8691596bcada9e73eb40f612e4f5735
Merge: 2592d2e 98da7d0
Author: Linus Torvalds
Date:   Fri Jun 23 16:30:52 2017 -0700

    Merge branch 'akpm' (patches from Andrew)

    Merge misc fixes from Andrew Morton:
     "8 fixes"

    * emailed patches from Andrew Morton :
      fs/exec.c: account for argv/envp pointers
      ocfs2: fix deadlock caused by recursive locking in xattr
      slub: make sysfs file removal asynchronous
      lib/cmdline.c: fix get_options() overflow while parsing ranges
      fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
      autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL
      mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
      mm, thp: remove cond_resched from __collapse_huge_page_copy

commit 98da7d08850fb8bdeb395d6368ed15753304aa0c
Author: Kees Cook
Date:   Fri Jun 23 15:08:57 2017 -0700

    fs/exec.c: account for argv/envp pointers

    When limiting the argv/envp strings during exec to 1/4 of the stack limit, the storage of the pointers to the strings was not included. This means that an exec with huge numbers of tiny strings could eat 1/4 of the stack limit in strings and then additional space would be later used by the pointers to the strings.

    For example, on 32-bit with an 8MB stack rlimit, an exec with 1677721 single-byte strings would consume less than 2MB of stack, the max (8MB / 4) amount allowed, but the pointers to the strings would consume the remaining additional stack space (1677721 * 4 == 6710884). The result (1677721 + 6710884 == 8388605) would exhaust stack space entirely. Controlling this stack exhaustion could result in pathological behavior in setuid binaries (CVE-2017-1000365).

    [akpm@linux-foundation.org: additional commenting from Kees]
    Fixes: b6a2fea39318 ("mm: variable length argument support")
    Link: http://lkml.kernel.org/r/20170622001720.GA32173@beast
    Signed-off-by: Kees Cook
    Acked-by: Rik van Riel
    Acked-by: Michal Hocko
    Cc: Alexander Viro
    Cc: Qualys Security Advisory
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/exec.c | 28 ++++++++++++++++++++++++----
 1 file changed, 24 insertions(+), 4 deletions(-)

commit 8818efaaacb78c60a9d90c5705b6c99b75d7d442
Author: Eric Ren
Date:   Fri Jun 23 15:08:55 2017 -0700

    ocfs2: fix deadlock caused by recursive locking in xattr

    Another deadlock path caused by recursive locking is reported. This kind of issue was introduced since commit 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()"). Two deadlock paths have been fixed by commit b891fa5024a9 ("ocfs2: fix deadlock issue when taking inode lock at vfs entry points"). Yes, we intend to fix this kind of case in an incremental way, because it's hard to find out all possible paths at once.

    This one can be reproduced like this. On node1, cp a large file from home directory to ocfs2 mountpoint. While on node2, run setfacl/getfacl. Both nodes will hang up there.
    The backtraces:

    On node1:

      __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2]
      ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2]
      ocfs2_write_begin+0x43/0x1a0 [ocfs2]
      generic_perform_write+0xa9/0x180
      __generic_file_write_iter+0x1aa/0x1d0
      ocfs2_file_write_iter+0x4f4/0xb40 [ocfs2]
      __vfs_write+0xc3/0x130
      vfs_write+0xb1/0x1a0
      SyS_write+0x46/0xa0

    On node2:

      __ocfs2_cluster_lock.isra.39+0x357/0x740 [ocfs2]
      ocfs2_inode_lock_full_nested+0x17d/0x840 [ocfs2]
      ocfs2_xattr_set+0x12e/0xe80 [ocfs2]
      ocfs2_set_acl+0x22d/0x260 [ocfs2]
      ocfs2_iop_set_acl+0x65/0xb0 [ocfs2]
      set_posix_acl+0x75/0xb0
      posix_acl_xattr_set+0x49/0xa0
      __vfs_setxattr+0x69/0x80
      __vfs_setxattr_noperm+0x72/0x1a0
      vfs_setxattr+0xa7/0xb0
      setxattr+0x12d/0x190
      path_setxattr+0x9f/0xb0
      SyS_setxattr+0x14/0x20

    Fix this one by using ocfs2_inode_{lock|unlock}_tracker, which is exported by commit 439a36b8ef38 ("ocfs2/dlmglue: prepare tracking logic to avoid recursive cluster lock").

    Link: http://lkml.kernel.org/r/20170622014746.5815-1-zren@suse.com
    Fixes: 743b5f1434f5 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
    Signed-off-by: Eric Ren
    Reported-by: Thomas Voegtle
    Tested-by: Thomas Voegtle
    Reviewed-by: Joseph Qi
    Cc: Mark Fasheh
    Cc: Joel Becker
    Cc: Junxiao Bi
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/ocfs2/dlmglue.c |  4 ++++
 fs/ocfs2/xattr.c   | 23 +++++++++++++----------
 2 files changed, 17 insertions(+), 10 deletions(-)

commit 3b7b314053d021601940c50b07f5f1423ae67e21
Author: Tejun Heo
Date:   Fri Jun 23 15:08:52 2017 -0700

    slub: make sysfs file removal asynchronous

    Commit bf5eb3de3847 ("slub: separate out sysfs_slab_release() from sysfs_slab_remove()") made slub sysfs file removals synchronous to kmem_cache shutdown. Unfortunately, this created a possible ABBA deadlock between slab_mutex and sysfs draining mechanism triggering the following lockdep warning.

      ======================================================
      [ INFO: possible circular locking dependency detected ]
      4.10.0-test+ #48 Not tainted
      -------------------------------------------------------
      rmmod/1211 is trying to acquire lock:
       (s_active#120){++++.+}, at: [] kernfs_remove+0x23/0x40

      but task is already holding lock:
       (slab_mutex){+.+.+.}, at: [] kmem_cache_destroy+0x41/0x2d0

      which lock already depends on the new lock.

      the existing dependency chain (in reverse order) is:

      -> #1 (slab_mutex){+.+.+.}:
             lock_acquire+0xf6/0x1f0
             __mutex_lock+0x75/0x950
             mutex_lock_nested+0x1b/0x20
             slab_attr_store+0x75/0xd0
             sysfs_kf_write+0x45/0x60
             kernfs_fop_write+0x13c/0x1c0
             __vfs_write+0x28/0x120
             vfs_write+0xc8/0x1e0
             SyS_write+0x49/0xa0
             entry_SYSCALL_64_fastpath+0x1f/0xc2

      -> #0 (s_active#120){++++.+}:
             __lock_acquire+0x10ed/0x1260
             lock_acquire+0xf6/0x1f0
             __kernfs_remove+0x254/0x320
             kernfs_remove+0x23/0x40
             sysfs_remove_dir+0x51/0x80
             kobject_del+0x18/0x50
             __kmem_cache_shutdown+0x3e6/0x460
             kmem_cache_destroy+0x1fb/0x2d0
             kvm_exit+0x2d/0x80 [kvm]
             vmx_exit+0x19/0xa1b [kvm_intel]
             SyS_delete_module+0x198/0x1f0
             entry_SYSCALL_64_fastpath+0x1f/0xc2

      other info that might help us debug this:

       Possible unsafe locking scenario:

             CPU0                    CPU1
             ----                    ----
        lock(slab_mutex);
                                     lock(s_active#120);
                                     lock(slab_mutex);
        lock(s_active#120);

       *** DEADLOCK ***

      2 locks held by rmmod/1211:
       #0:  (cpu_hotplug.dep_map){++++++}, at: [] get_online_cpus+0x37/0x80
       #1:  (slab_mutex){+.+.+.}, at: [] kmem_cache_destroy+0x41/0x2d0

      stack backtrace:
      CPU: 3 PID: 1211 Comm: rmmod Not tainted 4.10.0-test+ #48
      Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
      Call Trace:
       print_circular_bug+0x1be/0x210
       __lock_acquire+0x10ed/0x1260
       lock_acquire+0xf6/0x1f0
       __kernfs_remove+0x254/0x320
       kernfs_remove+0x23/0x40
       sysfs_remove_dir+0x51/0x80
       kobject_del+0x18/0x50
       __kmem_cache_shutdown+0x3e6/0x460
       kmem_cache_destroy+0x1fb/0x2d0
       kvm_exit+0x2d/0x80 [kvm]
       vmx_exit+0x19/0xa1b [kvm_intel]
       SyS_delete_module+0x198/0x1f0
       ? SyS_delete_module+0x5/0x1f0
       entry_SYSCALL_64_fastpath+0x1f/0xc2

    It'd be the cleanest to deal with the issue by removing sysfs files without holding slab_mutex before the rest of shutdown; however, given the current code structure, it is pretty difficult to do so.

    This patch punts sysfs file removal to a work item. Before commit bf5eb3de3847, the removal was punted to a RCU delayed work item which is executed after release. Now, we're punting to a different work item on shutdown which still maintains the goal of removing the sysfs files earlier when destroying kmem_caches.

    Link: http://lkml.kernel.org/r/20170620204512.GI21326@htj.duckdns.org
    Fixes: bf5eb3de3847 ("slub: separate out sysfs_slab_release() from sysfs_slab_remove()")
    Signed-off-by: Tejun Heo
    Reported-by: Steven Rostedt (VMware)
    Tested-by: Steven Rostedt (VMware)
    Cc: Christoph Lameter
    Cc: Pekka Enberg
    Cc: David Rientjes
    Cc: Joonsoo Kim
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/slub_def.h |  1 +
 mm/slub.c                | 40 ++++++++++++++++++++++++++--------------
 2 files changed, 27 insertions(+), 14 deletions(-)

commit a91e0f680bcd9e10c253ae8b62462a38bd48f09f
Author: Ilya Matveychikov
Date:   Fri Jun 23 15:08:49 2017 -0700

    lib/cmdline.c: fix get_options() overflow while parsing ranges

    When using get_options() it's possible to specify a range of numbers, like 1-100500. The problem is that it doesn't track array size while calling internally to get_range() which iterates over the range and fills the memory with numbers.

    Link: http://lkml.kernel.org/r/2613C75C-B04D-4BFF-82A6-12F97BA0F620@gmail.com
    Signed-off-by: Ilya V. Matveychikov
    Cc: Jonathan Corbet
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 lib/cmdline.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

commit 1eb643d02b21412e603b42cdd96010a2ac31c05f
Author: Jan Kara
Date:   Fri Jun 23 15:08:46 2017 -0700

    fs/dax.c: fix inefficiency in dax_writeback_mapping_range()

    dax_writeback_mapping_range() fails to update iteration index when searching radix tree for entries needing cache flushing. Thus each pagevec worth of entries is searched starting from the start which is inefficient and prone to livelocks. Update index properly.

    Link: http://lkml.kernel.org/r/20170619124531.21491-1-jack@suse.cz
    Fixes: 9973c98ecfda3 ("dax: add support for fsync/sync")
    Signed-off-by: Jan Kara
    Reviewed-by: Ross Zwisler
    Cc: Dan Williams
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/dax.c | 1 +
 1 file changed, 1 insertion(+)

commit 9fa4eb8e490a28de40964b1b0e583d8db4c7e57c
Author: NeilBrown
Date:   Fri Jun 23 15:08:43 2017 -0700

    autofs: sanity check status reported with AUTOFS_DEV_IOCTL_FAIL

    If a positive status is passed with the AUTOFS_DEV_IOCTL_FAIL ioctl, autofs4_d_automount() will return ERR_PTR(status) with that status to follow_automount(), which will then dereference an invalid pointer.

    So treat a positive status the same as zero, and map to ENOENT.

    See comment in systemd src/core/automount.c::automount_send_ready().

    Link: http://lkml.kernel.org/r/871sqwczx5.fsf@notabene.neil.brown.name
    Signed-off-by: NeilBrown
    Cc: Ian Kent
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/autofs4/dev-ioctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 029c54b09599573015a5c18dbe59cbdf42742237
Author: Ard Biesheuvel
Date:   Fri Jun 23 15:08:41 2017 -0700

    mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings

    Existing code that uses vmalloc_to_page() may assume that any address for which is_vmalloc_addr() returns true may be passed into vmalloc_to_page() to retrieve the associated struct page.

    This is not an unreasonable assumption to make, but on architectures that have CONFIG_HAVE_ARCH_HUGE_VMAP=y, it no longer holds, and we need to ensure that vmalloc_to_page() does not go off into the weeds trying to dereference huge PUDs or PMDs as table entries.

    Given that vmalloc() and vmap() themselves never create huge mappings or deal with compound pages at all, there is no correct answer in this case, so return NULL instead, and issue a warning.

    When reading /proc/kcore on arm64, you will hit an oops as soon as you hit the huge mappings used for the various segments that make up the mapping of vmlinux. With this patch applied, you will no longer hit the oops, but the kcore contents will be incorrect (these regions will be zeroed out).

    We are fixing this for kcore specifically, so it avoids vread() for those regions. At least one other problematic user exists, i.e., /dev/kmem, but that is currently broken on arm64 for other reasons.

    Link: http://lkml.kernel.org/r/20170609082226.26152-1-ard.biesheuvel@linaro.org
    Signed-off-by: Ard Biesheuvel
    Acked-by: Mark Rutland
    Reviewed-by: Laura Abbott
    Cc: Michal Hocko
    Cc: zhong jiang
    Cc: Dave Hansen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/vmalloc.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

commit c891d9f6bf2a78c9c657656872a60807820db4c8
Author: David Rientjes
Date:   Fri Jun 23 15:08:38 2017 -0700

    mm, thp: remove cond_resched from __collapse_huge_page_copy

    This is a partial revert of commit 338a16ba1549 ("mm, thp: copying user pages must schedule on collapse") which added a cond_resched() to __collapse_huge_page_copy().

    On x86 with CONFIG_HIGHPTE, __collapse_huge_page_copy is called in atomic context and thus scheduling is not possible. This is only a possible config on arm and i386.

    Although need_resched has been shown to be set for over 100 jiffies while doing the iteration in __collapse_huge_page_copy, this is better than doing

      if (in_atomic())
              cond_resched()

    to cover only non-CONFIG_HIGHPTE configs.

    Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1706191341550.97821@chino.kir.corp.google.com
    Signed-off-by: David Rientjes
    Reported-by: Larry Finger
    Tested-by: Larry Finger
    Acked-by: Michal Hocko
    Cc: Vlastimil Babka
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/khugepaged.c | 1 -
 1 file changed, 1 deletion(-)

commit 2592d2ef0448e24878fce24c3fc0ca525f65f286
Merge: 7b249bd 02d94e0
Author: Linus Torvalds
Date:   Fri Jun 23 12:25:37 2017 -0700

    Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

    Pull SCSI fixes from James Bottomley:
     "Two fixes to remove spurious WARN_ONs from the new(ish) qedi driver.

      The driver already prints a warning message, there's no need to panic users by printing something that looks like an oops as well"

    * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
      scsi: qedi: Remove WARN_ON from clear task context.
      scsi: qedi: Remove WARN_ON for untracked cleanup.

commit 7b249bdc3dec656b87bc569d4adcccbfbd525ec1
Merge: a38371c eb5e248
Author: Linus Torvalds
Date:   Fri Jun 23 12:23:06 2017 -0700

    Merge tag 'xfs-4.12-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

    Pull xfs fixes from Darrick Wong:
     "I have one more bugfix for you for 4.12-rc7 to fix a disk corruption problem:

       - don't allow swapon on files on the realtime device, because the swap code will swap pages out to blocks on the data device, thereby corrupting the filesystem"

    * tag 'xfs-4.12-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
      xfs: don't allow bmap on rt files

commit 92cc8a5105e1236584e92288595ddbd2149bb6cf
Merge: db9d8b2 2270bc5
Author: David S. Miller
Date:   Fri Jun 23 14:48:28 2017 -0400

    Merge branch 'bnxt_en-fixes'

    Michael Chan says:

    ====================
    bnxt_en: Error handling and netpoll fixes.

    Add missing error handling and fix netpoll handling. The current code handles RX and TX events in netpoll mode and is causing lots of warnings and errors in the RX code path in netpoll mode. The fix is to only handle TX events in netpoll mode.
    ====================

    Signed-off-by: David S. Miller

commit 2270bc5da34979454e6f2eb133d800b635156174
Author: Michael Chan
Date:   Fri Jun 23 14:01:01 2017 -0400

    bnxt_en: Fix netpoll handling.

    To handle netpoll properly, the driver must only handle TX packets during NAPI. Handling RX events causes warnings and errors in netpoll mode. The ndo_poll_controller() method should call napi_schedule() directly so that a NAPI weight of zero will be used during netpoll mode.

    The bnxt_en driver supports 2 ring modes: combined, and separate rx/tx. In separate rx/tx mode, the ndo_poll_controller() method will only process the tx rings. In combined mode, the rx and tx completion entries are mixed in the completion ring and we need to drop the rx entries and recycle the rx buffers.

    Add a function bnxt_force_rx_discard() to handle this in netpoll mode when we see rx entries in combined ring mode.

    Reported-by: Calvin Owens
    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller

 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 54 +++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 6 deletions(-)

commit 69c149e2e39e8d66437c9034bb4926ef2c1f7c23
Author: Michael Chan
Date:   Fri Jun 23 14:01:00 2017 -0400

    bnxt_en: Add missing logic to handle TPA end error conditions.

    When we get a TPA_END completion to handle a completed LRO packet, it is possible that hardware would indicate errors. The current code is not checking for the error condition. Define the proper error bits and the macro to check for this error and abort properly.

    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller

 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 7 ++++---
 drivers/net/ethernet/broadcom/bnxt/bnxt.h | 6 +++++-
 2 files changed, 9 insertions(+), 4 deletions(-)

commit db9d8b29d19d2801793e4419f4c6272bf8951c62
Author: Richard Cochran
Date:   Fri Jun 23 17:51:31 2017 +0200

    net: dp83640: Avoid NULL pointer dereference.

    The function, skb_complete_tx_timestamp(), used to allow passing in a NULL pointer for the time stamps, but that was changed in commit 62bccb8cdb69051b95a55ab0c489e3cab261c8ef ("net-timestamp: Make the clone operation stand-alone from phy timestamping"), and the existing call sites, all of which are in the dp83640 driver, were fixed up.

    Even though the kernel-doc was subsequently updated in commit 7a76a021cd5a292be875fbc616daf03eab1e6996 ("net-timestamp: Update skb_complete_tx_timestamp comment"), still a bug fix from Manfred Rudigier came into the driver using the old semantics. Probably Manfred derived that patch from an older kernel version.

    This fix should be applied to the stable trees as well.

    Fixes: 81e8f2e930fe ("net: dp83640: Fix tx timestamp overflow handling.")
    Signed-off-by: Richard Cochran
    Signed-off-by: David S. Miller

 drivers/net/phy/dp83640.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 43b786c6765945310cabc61a5e29b97ced85f7f0
Merge: 0ccc22f ca3a1b8
Author: David S. Miller
Date:   Fri Jun 23 14:11:26 2017 -0400

    Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec

    Steffen Klassert says:

    ====================
    pull request (net): ipsec 2017-06-23

    1) Fix xfrm garbage collecting when unregistering a netdevice. From Hangbin Liu.

    2) Fix NULL pointer dereference when exiting a network namespace. From Hangbin Liu.

    3) Fix some error codes in pfkey to prevent a NULL pointer dereference. From Dan Carpenter.

    4) Fix NULL pointer dereference on allocation failure in pfkey. From Dan Carpenter.

    5) Adjust IPv6 payload_len to include extension headers. Otherwise we corrupt the packets when doing ESP GRO on transport mode. From Yossi Kuperman.

    6) Set nhoff to the proper offset of the IPv6 nexthdr when doing ESP GRO. From Yossi Kuperman.

    Please pull or let me know if there are problems.
    ====================

    Signed-off-by: David S. Miller

commit 0ccc22f425e56c4ede9c66f1945846de8ac1f352
Author: WANG Cong
Date:   Thu Jun 22 15:29:33 2017 -0700

    sit: use __GFP_NOWARN for user controlled allocation

    The memory allocation size is controlled by user-space, if it is too large just fail silently and return NULL, not to mention there is a fallback allocation later.

    Reported-by: Andrey Konovalov
    Signed-off-by: Cong Wang
    Tested-by: Andrey Konovalov
    Signed-off-by: David S. Miller

 net/ipv6/sit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit a5cb659bbc1c8644efa0c3138a757a1e432a4880
Author: Michal Kubeček
Date:   Mon Jun 19 13:03:43 2017 +0200

    net: account for current skb length when deciding about UFO

    Our customer encountered stuck NFS writes for blocks starting at specific offsets w.r.t. page boundary caused by networking stack sending packets via UFO enabled device with wrong checksum.
    The problem can be reproduced by composing a long UDP datagram from multiple parts using MSG_MORE flag:

      sendto(sd, buff, 1000, MSG_MORE, ...);
      sendto(sd, buff, 1000, MSG_MORE, ...);
      sendto(sd, buff, 3000, 0, ...);

    Assume this packet is to be routed via a device with MTU 1500 and NETIF_F_UFO enabled. When second sendto() gets into __ip_append_data(), this condition is tested (among others) to decide whether to call ip_ufo_append_data():

      ((length + fragheaderlen) > mtu) || (skb && skb_is_gso(skb))

    At the moment, we already have skb with 1028 bytes of data which is not marked for GSO so that the test is false (fragheaderlen is usually 20). Thus we append second 1000 bytes to this skb without invoking UFO. Third sendto(), however, has sufficient length to trigger the UFO path so that we end up with non-UFO skb followed by a UFO one. Later on, udp_send_skb() uses udp_csum() to calculate the checksum but that assumes all fragments have correct checksum in skb->csum which is not true for UFO fragments.

    When checking against MTU, we need to add skb->len to length of new segment if we already have a partially filled skb and fragheaderlen only if there isn't one.

    In the IPv6 case, skb can only be null if this is the first segment so that we have to use headersize (length of the first IPv6 header) rather than fragheaderlen (length of IPv6 header of further fragments) for skb == NULL.

    Fixes: e89e9cf539a2 ("[IPv4/IPv6]: UFO Scatter-gather approach")
    Fixes: e4c5e13aa45c ("ipv6: Should use consistent conditional judgement for ip6 fragment between __ip6_append_data and ip6_finish_output")
    Signed-off-by: Michal Kubecek
    Acked-by: Vlad Yasevich
    Signed-off-by: David S. Miller

 net/ipv4/ip_output.c  | 3 ++-
 net/ipv6/ip6_output.c | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

commit c4d097d13052d1e6f29b8798264aed6135d99568
Author: Heinz Mauelshagen
Date:   Fri Jun 23 17:27:01 2017 +0200

    dm raid: fix oops on upgrading to extended superblock format

    When a RAID set was created on dm-raid version < 1.9.0 (old RAID superblock format), all of the new 1.9.0 members of the superblock are uninitialized (zero) -- including the device sectors member needed to support shrinking.

    All the other accesses to superblock fields new in 1.9.0 were reviewed and verified to be properly guarded against invalid use. The 'sectors' member was the only one used when the superblock version is < 1.9.

    Don't access the superblock's >= 1.9.0 'sectors' member unconditionally.

    Also add respective comments.

    Signed-off-by: Heinz Mauelshagen
    Signed-off-by: Mike Snitzer

 drivers/md/dm-raid.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

commit 977282ed17a0213c84d59498a1e3f7088e211470
Merge: fb3a505 7598f8b
Author: Ingo Molnar
Date:   Fri Jun 23 10:03:27 2017 +0200

    Merge tag 'perf-urgent-for-mingo-4.12-20170622' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent

    Pull 'perf probe' fix from Arnaldo Carvalho de Melo:

     - Do not double the offset of inline expansions when using 'perf probe' on inlined functions (Björn Töpel)

    Signed-off-by: Arnaldo Carvalho de Melo
    Signed-off-by: Ingo Molnar

commit 9768935264c4f0e4afd788a185d8e8d89c28e41d
Author: Andrew Duggan
Date:   Fri Jun 23 00:04:51 2017 -0700

    Input: synaptics-rmi4 - only read the F54 query registers which are used

    The F54 driver is currently only using the first 6 bytes of F54 so there is no need to read all 27 bytes. Some Dell systems (Dell XP13 9333 and similar) have an issue with the touchpad or I2C bus when reading reports larger than 16 bytes. Reads larger than 16 bytes are reported in two HID reports.
    Something about the back to back reports seems to cause the next read to report incorrect data. This results in F30 failing to load and the click button failing to work.

    Previous issues with the I2C controller or touchpad were addressed in: commit 5b65c2a02966 ("HID: rmi: check sanity of the incoming report")

    Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=195949
    Signed-off-by: Andrew Duggan
    Reviewed-by: Benjamin Tissoires
    Reviewed-by: Nick Dyer
    Signed-off-by: Dmitry Torokhov

 drivers/input/rmi4/rmi_f54.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

commit 797625deaedd9a0621376817db2813244b3246e3
Author: Christophe Lombard
Date:   Tue Jun 13 17:41:05 2017 +0200

    cxl: Fixes for Coherent Accelerator Interface Architecture 2.0

    A previous set of patches "cxl: Add support for Coherent Accelerator Interface Architecture 2.0" has introduced a new support for the CAPI cards. These patches have been tested on Simulation environment and quite a bit of them have been tested on real hardware.

    This patch brings new fixes after a series of tests carried out on new equipment:
    - Add POWER9 definition.
    - Re-enable any masked interrupts when the AFU is not activated after resetting the AFU.
    - Remove the api cxl_is_psl8/9 which is no longer useful.
    - Do not dump CAPI1 registers.
    - Rewrite cxl_is_page_fault() function.
    - Do not register slb callback on P9.

    Fixes: f24be42aab37 ("cxl: Add psl9 specific code")
    Signed-off-by: Christophe Lombard
    Acked-by: Frederic Barrat
    Signed-off-by: Michael Ellerman

 drivers/misc/cxl/context.c |  6 +++---
 drivers/misc/cxl/cxl.h     | 18 +++++-------------
 drivers/misc/cxl/fault.c   | 23 +++++++++++++++--------
 drivers/misc/cxl/main.c    | 17 +++++++++++++----
 drivers/misc/cxl/native.c  | 29 +++++++++++++++++------------
 drivers/misc/cxl/pci.c     | 11 ++++-------
 6 files changed, 57 insertions(+), 47 deletions(-)

commit 34f19ff1b5a0d11e46df479623d6936460105c9f
Author: Nicholas Piggin
Date:   Wed Jun 21 15:58:29 2017 +1000

    powerpc/64: Initialise thread_info for emergency stacks

    Emergency stacks have their thread_info mostly uninitialised, which in particular means garbage preempt_count values.

    Emergency stack code runs with interrupts disabled entirely, and is used very rarely, so this has been unnoticed so far. It was found by a proposed new powerpc watchdog that takes a soft-NMI directly from the masked_interrupt handler and using the emergency stack. That crashed at BUG_ON(in_nmi()) in nmi_enter(). preempt_count()s were found to be garbage.

    To fix this, zero the entire THREAD_SIZE allocation, and initialize the thread_info.

    Cc: stable@vger.kernel.org
    Reported-by: Abdul Haleem
    Signed-off-by: Nicholas Piggin
    [mpe: Move it all into setup_64.c, use a function not a macro.
     Fix crashes on Cell by setting preempt_count to 0 not HARDIRQ_OFFSET]
    Signed-off-by: Michael Ellerman

 arch/powerpc/kernel/setup_64.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

commit 33ce7563a4858430fdf38bb867513d3fbc3dda65
Merge: 816b4e4 e94ac35
Author: Dave Airlie
Date:   Fri Jun 23 11:44:51 2017 +1000

    Merge tag 'drm-misc-fixes-2017-06-22' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes

    UAPI Changes:
    - drm: Fix regression in GETCONNECTOR ioctl returning stale properties (Daniel)

    Cc: Daniel Vetter

    * tag 'drm-misc-fixes-2017-06-22' of git://anongit.freedesktop.org/git/drm-misc:
      drm: Fix GETCONNECTOR regression

commit ad8181060788c80c0ad75b583f24c22fa962a7a6
Author: Randy Dunlap
Date:   Mon May 22 18:44:57 2017 -0700

    kconfig: fix sparse warnings in nconfig

    Fix sparse warnings in scripts/kconfig/nconf* ('make nconfig'):

      ../scripts/kconfig/nconf.c:1071:32: warning: Using plain integer as NULL pointer
      ../scripts/kconfig/nconf.c:1238:30: warning: Using plain integer as NULL pointer
      ../scripts/kconfig/nconf.c:511:51: warning: Using plain integer as NULL pointer
      ../scripts/kconfig/nconf.c:1460:6: warning: symbol 'setup_windows' was not declared. Should it be static?
      ../scripts/kconfig/nconf.c:274:12: warning: symbol 'current_instructions' was not declared. Should it be static?
      ../scripts/kconfig/nconf.c:308:22: warning: symbol 'function_keys' was not declared. Should it be static?
      ../scripts/kconfig/nconf.gui.c:132:17: warning: non-ANSI function declaration of function 'set_colors'
      ../scripts/kconfig/nconf.gui.c:195:24: warning: Using plain integer as NULL pointer

    nconf.gui.o before/after files are the same. nconf.o before/after files are the same until the 'static' function declarations are added.

    Signed-off-by: Randy Dunlap
    Signed-off-by: Masahiro Yamada

 scripts/kconfig/nconf.c     | 12 ++++++------
 scripts/kconfig/nconf.gui.c |  4 ++--
 2 files changed, 8 insertions(+), 8 deletions(-)

commit 7598f8bc1383ffd77686cb4e92e749bef3c75937
Author: Björn Töpel
Date:   Wed Jun 21 18:41:34 2017 +0200

    perf probe: Fix probe definition for inlined functions

    In commit 613f050d68a8 ("perf probe: Fix to probe on gcc generated functions in modules"), the offset from symbol is, incorrectly, added to the trace point address. This leads to incorrect probe trace points for inlined functions and when using relative line number on symbols.

    Prior to this patch:

      $ perf probe -m nf_nat -D in_range
      p:probe/in_range nf_nat:in_range.isra.9+0
      $ perf probe -m i40e -D i40e_clean_rx_irq
      p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2212
      $ perf probe -m i40e -D i40e_clean_rx_irq:16
      p:probe/i40e_clean_rx_irq i40e:i40e_lan_xmit_frame+626

    After:

      $ perf probe -m nf_nat -D in_range
      p:probe/in_range nf_nat:in_range.isra.9+0
      $ perf probe -m i40e -D i40e_clean_rx_irq
      p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+1106
      $ perf probe -m i40e -D i40e_clean_rx_irq:16
      p:probe/i40e_clean_rx_irq i40e:i40e_napi_poll+2665

    Committer testing:

    Using 'pfunct', a tool found in the 'dwarves' package [1], one can ask what are the functions that while not being explicitly marked as inline, were inlined by the compiler:

      # pfunct --cc_inlined /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko | head
      __ew32
      e1000_regdump
      e1000e_dump_ps_pages
      e1000_desc_unused
      e1000e_systim_to_hwtstamp
      e1000e_rx_hwtstamp
      e1000e_update_rdt_wa
      e1000e_update_tdt_wa
      e1000_put_txbuf
      e1000_consume_page

    Then ask 'perf probe' to produce the kprobe_tracer probe definitions for two of them:

      # perf probe -m e1000e -D e1000e_rx_hwtstamp
      p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+74

      # perf probe -m e1000e -D e1000_consume_page
      p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+876
      p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+1506
      p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074

    Now let's concentrate on the 'e1000_consume_page' one, that was inlined twice in e1000_clean_jumbo_rx_irq(), let's see what readelf says about the DWARF tags for that function:

      $ readelf -wi /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
      <1><13e27b>: Abbrev Number: 121 (DW_TAG_subprogram)
        <13e27c> DW_AT_name : (indirect string, offset: 0xa8945): e1000_clean_jumbo_rx_irq
        <13e287> DW_AT_low_pc : 0x17a30
      <3><13e6ef>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
        <13e6f0> DW_AT_abstract_origin: <0x13ed2c>
        <13e6f4> DW_AT_low_pc : 0x17be6
      <1><13ed2c>: Abbrev Number: 142 (DW_TAG_subprogram)
        <13ed2e> DW_AT_name : (indirect string, offset: 0xa54c3): e1000_consume_page

    So, the first time in e1000_clean_jumbo_rx_irq() where e1000_consume_page() is inlined is at PC 0x17be6, which subtracted from e1000_clean_jumbo_rx_irq()'s address, gives us the offset we should use in the probe definition:

      0x17be6 - 0x17a30 = 438

    but above we have 876, which is twice as much.

    Let's see the second inline expansion of e1000_consume_page() in e1000_clean_jumbo_rx_irq():

      <3><13e86e>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
        <13e86f> DW_AT_abstract_origin: <0x13ed2c>
        <13e873> DW_AT_low_pc : 0x17d21

      0x17d21 - 0x17a30 = 753

    So we were adding it at twice the offset from the containing function as we should.

    And then after this patch:

      # perf probe -m e1000e -D e1000e_rx_hwtstamp
      p:probe/e1000e_rx_hwtstamp e1000e:e1000_receive_skb+37

      # perf probe -m e1000e -D e1000_consume_page
      p:probe/e1000_consume_page e1000e:e1000_clean_jumbo_rx_irq+438
      p:probe/e1000_consume_page_1 e1000e:e1000_clean_jumbo_rx_irq+753
      p:probe/e1000_consume_page_2 e1000e:e1000_clean_jumbo_rx_irq+1353
      #

    Which matches the two first expansions and shows that because we were doubling the offset it would spill over the next function:

      readelf -sw /lib/modules/4.12.0-rc4+/kernel/drivers/net/ethernet/intel/e1000e/e1000e.ko
      673: 0000000000017a30 1626 FUNC LOCAL DEFAULT 2 e1000_clean_jumbo_rx_irq
      674: 0000000000018090 2013 FUNC LOCAL DEFAULT 2 e1000_clean_rx_irq_ps

    This is the 3rd inline expansion of e1000_consume_page() in e1000_clean_jumbo_rx_irq():

      <3><13ec77>: Abbrev Number: 119 (DW_TAG_inlined_subroutine)
        <13ec78> DW_AT_abstract_origin: <0x13ed2c>
        <13ec7c> DW_AT_low_pc : 0x17f79

      0x17f79 - 0x17a30 = 1353

    So:

      0x17a30 + 2 * 1353 = 0x184c2

    And:

      0x184c2 - 0x18090 = 1074

    Which explains the bogus third expansion for e1000_consume_page() to end up at:

      p:probe/e1000_consume_page_2 e1000e:e1000_clean_rx_irq_ps+1074

    All fixed now :-)

    [1] https://git.kernel.org/pub/scm/devel/pahole/pahole.git/

    Signed-off-by: Björn Töpel
    Tested-by: Arnaldo Carvalho de Melo
    Acked-by: Magnus Karlsson
    Acked-by: Masami Hiramatsu
    Cc: stable@vger.kernel.org
    Fixes: 613f050d68a8 ("perf probe: Fix to probe on gcc generated functions in modules")
    Link: http://lkml.kernel.org/r/20170621164134.5701-1-bjorn.topel@gmail.com
    Signed-off-by: Arnaldo Carvalho de Melo

 tools/perf/util/probe-event.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit a38371cba67539ce6a5d5324db34bc2ddaf66cc1
Merge: 3f7ba7e 517a6e4
Author: Linus Torvalds
Date:   Thu Jun 22 11:16:55 2017 -0700

    Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6

    Pull cifs fixes from Steve French:
     "Various small fixes for stable"

    * 'for-next' of
git://git.samba.org/sfrench/cifs-2.6: CIFS: Fix some return values in case of error in 'crypt_message' cifs: remove redundant return in cifs_creation_time_get CIFS: Improve readdir verbosity CIFS: check if pages is null rather than bv for a failed allocation CIFS: Set ->should_dirty in cifs_user_readv() commit 3f7ba7e13e70bbcba1af568dc105c1a4243b33c7 Merge: 4f92f0e c8401dd Author: Linus Torvalds Date: Thu Jun 22 11:03:09 2017 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Radim Krčmář: "MIPS: - Fix build with KVM, DYNAMIC_DEBUG and JUMP_LABEL. PPC: - Fix host crashes/hangs on POWER9. - Properly restore userspace state after KVM_RUN ioctl. s390: - Fix address translation in odd-ball cases (real-space designation ASCEs). x86: - Fix privilege escalation in 64-bit Windows guests All patches are for stable and the x86 also has a CVE" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: fix singlestepping over syscall KVM: s390: gaccess: fix real-space designation asce handling for gmap shadows KVM: MIPS: Fix maybe-uninitialized build failure KVM: PPC: Book3S HV: Ignore timebase offset on POWER9 DD1 KVM: PPC: Book3S HV: Save/restore host values of debug registers KVM: PPC: Book3S HV: Preserve userspace HTM state properly KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit KVM: PPC: Book3S HV: Context-switch EBB registers properly KVM: PPC: Book3S HV: Cope with host using large decrementer mode commit 4f92f0e25a48212ae06e0761504ee0c9c23776ee Merge: 8d829b9 9e69672 Author: Linus Torvalds Date: Thu Jun 22 10:47:29 2017 -0700 Merge tag 'mfd-fixes-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull MFD fixes from Lee Jones: - arizona: use address passed in, rather than hard coded value - correct STM32 clock-names value in DT binding documentation * tag 'mfd-fixes-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: dt-bindings: mfd: Update STM32 timers clock names 
mfd: arizona: Fix typo using hard-coded register commit bb53f4d4f5116d3dae76bb12fb16bc73771f958a Author: Martin Habets Date: Thu Jun 22 10:50:41 2017 +0100 sfc: Fix MCDI command size for filter operations The 8000 series adapters uses catch-all filters for encapsulated traffic to support filtering VXLAN, NVGRE and GENEVE traffic. This new filter functionality requires a longer MCDI command. This patch increases the size of buffers on stack that were missed, which fixes a kernel panic from the stack protector. Fixes: 9b41080125176 ("sfc: insert catch-all filters for encapsulated traffic") Signed-off-by: Martin Habets Acked-by: Edward Cree Acked-by: Bert Kenward bkenward@solarflare.com Signed-off-by: David S. Miller drivers/net/ethernet/sfc/ef10.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit b92b7d3312033a08cae2c879b9243c42ad7de94b Author: Arnd Bergmann Date: Thu Jun 22 00:16:37 2017 +0200 netvsc: don't access netdev->num_rx_queues directly This structure member is hidden behind CONFIG_SYSFS, and we get a build error when that is disabled: drivers/net/hyperv/netvsc_drv.c: In function 'netvsc_set_channels': drivers/net/hyperv/netvsc_drv.c:754:49: error: 'struct net_device' has no member named 'num_rx_queues'; did you mean 'num_tx_queues'? drivers/net/hyperv/netvsc_drv.c: In function 'netvsc_set_rxfh': drivers/net/hyperv/netvsc_drv.c:1181:25: error: 'struct net_device' has no member named 'num_rx_queues'; did you mean 'num_tx_queues'? As the value is only set once to the argument of alloc_netdev_mq(), we can compare against that constant directly. Fixes: ff4a44199012 ("netvsc: allow get/set of RSS indirection table") Fixes: 2b01888d1b45 ("netvsc: allow more flexible setting of number of channels") Signed-off-by: Arnd Bergmann Reviewed-by: Haiyang Zhang Signed-off-by: Stephen Hemminger Signed-off-by: David S. 
Miller drivers/net/hyperv/netvsc_drv.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 60abc0be96e00ca71bac083215ac91ad2e575096 Author: WANG Cong Date: Wed Jun 21 14:34:58 2017 -0700 ipv6: avoid unregistering inet6_dev for loopback The per netns loopback_dev->ip6_ptr is unregistered and set to NULL when its mtu is set to smaller than IPV6_MIN_MTU, this leads to that we could set rt->rt6i_idev NULL after a rt6_uncached_list_flush_dev() and then crash after another call. In this case we should just bring its inet6_dev down, rather than unregistering it, at least prior to commit 176c39af29bc ("netns: fix addrconf_ifdown kernel panic") we always override the case for loopback. Thanks a lot to Andrey for finding a reliable reproducer. Fixes: 176c39af29bc ("netns: fix addrconf_ifdown kernel panic") Reported-by: Andrey Konovalov Cc: Andrey Konovalov Cc: Daniel Lezcano Cc: David Ahern Signed-off-by: Cong Wang Acked-by: David Ahern Tested-by: Andrey Konovalov Signed-off-by: David S. Miller net/ipv6/addrconf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 8c4354ef590ec8b3b10eb7f29d8c8ae56709b96b Merge: dfa523a 18c8c54 Author: David S. Miller Date: Thu Jun 22 11:17:43 2017 -0400 Merge branch 'macvlan-Fix-some-issues-with-changing-mac-addresses' Vladislav Yasevich says: ==================== macvlan: Fix some issues with changing mac addresses There are some issues in macvlan wrt to changing its mac address. * An error is returned if the specified address is the same as an already assigned address. * In passthru mode, the mac address of the macvlan device doesn't change. * After changing the mac address of a passthru macvlan and then removing it, the mac address of the physical device remains changed. This patch series attempts to resolve these issues. V2: Address a small issue in p4 where we save the address from the lowerdev (from girish.moodalbail@oracle.com) ==================== Signed-off-by: David S.
Miller commit 18c8c54de9a619ba5533419e0170433e20c0ee3e Author: Vlad Yasevich Date: Wed Jun 21 07:59:19 2017 -0400 macvlan: Let passthru macvlan correctly restore lower mac address Passthru macvlans directly change the mac address of the lower level device. That's OK, but after the macvlan is deleted, the lower device is left with changed address and one needs to reboot to bring back the original HW addresses. This scenario is actually quite common with passthru macvtap devices. This patch attempts to solve this, by storing the mac address of the lower device in macvlan_port structure and keeping track of it through the changes. After this patch, any changes to the lower device mac address done through the macvlan device, will be reverted back. Any changes done directly to the lower device mac address will be kept. Signed-off-by: Vladislav Yasevich Signed-off-by: David S. Miller drivers/net/macvlan.c | 47 ++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 44 insertions(+), 3 deletions(-) commit 43c2d578a0ce0d6067a02b46461811aced551425 Author: Vlad Yasevich Date: Wed Jun 21 07:59:18 2017 -0400 macvlan: convert port passthru to flags. Convert the port passthru boolean into flags with accessor functions. Signed-off-by: Vladislav Yasevich Signed-off-by: David S. Miller drivers/net/macvlan.c | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) commit e696cda7bd091411705a4e868ce480eaa3082dbf Author: Vlad Yasevich Date: Wed Jun 21 07:59:17 2017 -0400 macvlan: Fix passthru macvlan mac address inheritance When a lower device of the passthru macvlan changes its address, passthru macvlan is supposed to change its own address as well. However, that doesn't happen correctly because the check in macvlan_addr_busy() will catch the fact that the lower level (port) mac address is the same as the address we are trying to assign to the macvlan, and return an error.
As a result, the address of the passthru macvlan device is never changed. The same thing happens when the user attempts to change the mac address of the passthru macvlan. The simple solution appears to be to not check against the lower device in case of passthru macvlan device, since the 2 addresses are _supposed_ to be the same. Signed-off-by: Vladislav Yasevich Signed-off-by: David S. Miller drivers/net/macvlan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit e26f43faa0d79dd06e9e94829696b68b9940c2ee Author: Vlad Yasevich Date: Wed Jun 21 07:59:16 2017 -0400 macvlan: Do not return error when setting the same mac address The user currently gets an EBUSY error when attempting to set the mac address on a macvlan device to the same value. This should really be a no-op as nothing changes. Catch the condition and return early. Signed-off-by: Vladislav Yasevich Signed-off-by: David S. Miller drivers/net/macvlan.c | 4 ++++ 1 file changed, 4 insertions(+) commit dfa523ae9f2542bee4cddaea37b3be3e157f6e6b Author: Wei Liu Date: Wed Jun 21 10:21:22 2017 +0100 xen-netback: correctly schedule rate-limited queues Add a flag to indicate if a queue is rate-limited. Test the flag in NAPI poll handler and avoid rescheduling the queue if true, otherwise we risk locking up the host. The rescheduling will be done in the timer callback function. Reported-by: Jean-Louis Dupond Signed-off-by: Wei Liu Tested-by: Jean-Louis Dupond Reviewed-by: Paul Durrant Signed-off-by: David S.
Miller drivers/net/xen-netback/common.h | 1 + drivers/net/xen-netback/interface.c | 6 +++++- drivers/net/xen-netback/netback.c | 6 +++++- 3 files changed, 11 insertions(+), 2 deletions(-) commit 191cdb3822e5df6b3c8b9f8cb8c4bf93f6cc90c7 Author: Serhey Popovych Date: Wed Jun 21 12:12:24 2017 +0300 veth: Be more robust on network device creation when no attributes There are number of problems with configuration peer network device in absence of IFLA_VETH_PEER attributes where attributes for main network device shared with peer. First it is not feasible to configure both network devices with same MAC address since this makes communication in such configuration problematic. This case can be reproduced with following sequence: # ip link add address 02:11:22:33:44:55 type veth # ip li sh ... 26: veth0@veth1: mtu 1500 qdisc \ noop state DOWN mode DEFAULT qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff 27: veth1@veth0: mtu 1500 qdisc \ noop state DOWN mode DEFAULT qlen 1000 link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff Second it is not possible to register both main and peer network devices with same name, that happens when name for main interface is given with IFLA_IFNAME and same attribute reused for peer. This case can be reproduced with following sequence: # ip link add dev veth1a type veth RTNETLINK answers: File exists To fix both of the cases check if corresponding netlink attributes are taken from peer_tb when valid or name based on rtnl ops kind and random address is used. Signed-off-by: Serhey Popovych Signed-off-by: David S. Miller drivers/net/veth.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b88ff4f8c9ef0279f82bca0a83ed860b654f0f8d Author: Lokesh Vutla Date: Wed Jun 21 14:12:04 2017 +0530 drivers: net: cpsw-common: Fix reading of mac address for am43 SoCs cpsw driver tries to get macid for am43xx SoCs using the compatible ti,am4372. But not all variants of am43x uses this compatible like epos evm uses ti,am438x.
So use a generic compatible ti,am43 to get macid for all am43 based platforms. Reviewed-by: Dave Gerlach Signed-off-by: Lokesh Vutla Signed-off-by: David S. Miller drivers/net/ethernet/ti/cpsw-common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 76da0704507bbc51875013f6557877ab308cfd0a Author: WANG Cong Date: Tue Jun 20 11:42:27 2017 -0700 ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER In commit 242d3a49a2a1 ("ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf") I assumed NETDEV_REGISTER and NETDEV_UNREGISTER are paired, unfortunately, as reported by jeffy, netdev_wait_allrefs() could rebroadcast NETDEV_UNREGISTER event until all refs are gone. We have to add an additional check to avoid this corner case. For netdev_wait_allrefs() dev->reg_state is NETREG_UNREGISTERED, for dev_change_net_namespace(), dev->reg_state is NETREG_REGISTERED. So check for dev->reg_state != NETREG_UNREGISTERED. Fixes: 242d3a49a2a1 ("ipv6: reorder ip6_route_dev_notifier after ipv6_dev_notf") Reported-by: jeffy Cc: David Ahern Signed-off-by: Cong Wang Acked-by: David Ahern Signed-off-by: David S. Miller net/ipv6/route.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit b866203d872d5deeafcecd25ea429d6748b5bd56 Author: Zach Brown Date: Tue Jun 20 12:48:11 2017 -0500 net/phy: micrel: configure intterupts after autoneg workaround The commit ("net/phy: micrel: Add workaround for bad autoneg") fixes an autoneg failure case by resetting the hardware. This turns off interrupts. Things will work themselves out if the phy polls, as it will figure out its state during a poll. However if the phy uses only interrupts, the phy will stall, since interrupts are off. This patch fixes the issue by calling config_intr after resetting the phy. Fixes: d2fd719bcb0e ("net/phy: micrel: Add workaround for bad autoneg ") Signed-off-by: Zach Brown Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S.
Miller drivers/net/phy/micrel.c | 2 ++ 1 file changed, 2 insertions(+) commit c8401dda2f0a00cd25c0af6a95ed50e478d25de4 Author: Paolo Bonzini Date: Wed Jun 7 15:13:14 2017 +0200 KVM: x86: fix singlestepping over syscall TF is handled a bit differently for syscall and sysret, compared to the other instructions: TF is checked after the instruction completes, so that the OS can disable #DB at a syscall by adding TF to FMASK. When the sysret is executed the #DB is taken "as if" the syscall insn just completed. KVM emulates syscall so that it can trap 32-bit syscall on Intel processors. Fix the behavior, otherwise you could get #DB on a user stack which is not nice. This does not affect Linux guests, as they use an IST or task gate for #DB. This fixes CVE-2017-7518. Cc: stable@vger.kernel.org Reported-by: Andy Lutomirski Signed-off-by: Paolo Bonzini Signed-off-by: Radim Krčmář arch/x86/include/asm/kvm_emulate.h | 1 + arch/x86/kvm/emulate.c | 1 + arch/x86/kvm/x86.c | 62 ++++++++++++++++++++------------------ 3 files changed, 34 insertions(+), 30 deletions(-) commit d6aa07c16941dcf438bd526a56dcf227991c5907 Merge: e27a9ec addb63c Author: Radim Krčmář Date: Thu Jun 22 16:13:06 2017 +0200 Merge tag 'kvm-s390-master-4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux KVM: s390: fix shadow table handling for nested guests Some odd-ball cases (real-space designation ASCEs) are handled wrong for the shadow page tables. Fix it. commit bbd5ff50afffcf4a01d05367524736c57607a478 Author: Alistair Popple Date: Tue Jun 20 18:37:28 2017 +1000 powerpc/powernv/npu-dma: Add explicit flush when sending an ATSD NPU2 requires an extra explicit flush to an active GPU PID when sending address translation shoot downs (ATSDs) to reliably flush the GPU TLB. This patch adds just such a flush at the end of each sequence of ATSDs. We can safely use PID 0 which is always reserved and active on the GPU. PID 0 is only used for init_mm which will never be a user mm on the GPU. 
To enforce this we add a check in pnv_npu2_init_context() just in case someone tries to use PID 0 on the GPU. Signed-off-by: Alistair Popple [mpe: Use true/false for bool literals] Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/npu-dma.c | 94 ++++++++++++++++++++++---------- 1 file changed, 65 insertions(+), 29 deletions(-) commit addb63c18a0d52a9ce2611d039f981f7b6148d2b Author: Heiko Carstens Date: Mon Jun 19 08:02:28 2017 +0200 KVM: s390: gaccess: fix real-space designation asce handling for gmap shadows For real-space designation asces the asce origin part is only a token. The asce token origin must not be used to generate an effective address for storage references. This however is erroneously done within kvm_s390_shadow_tables(). Furthermore within the same function the wrong parts of virtual addresses are used to generate a corresponding real address (e.g. the region second index is used as region first index). Both of the above can result in incorrect address translations. Only for real space designations with a token origin of zero and addresses below one megabyte the translation was correct. Furthermore replace a "!asce.r" statement with a "!*fake" statement to make it more obvious that a specific condition has nothing to do with the architecture, but with the fake handling of real space designations. Fixes: 3218f7094b6b ("s390/mm: support real-space for gmap shadows") Cc: David Hildenbrand Cc: stable@vger.kernel.org Signed-off-by: Heiko Carstens Reviewed-by: Martin Schwidefsky Signed-off-by: Christian Borntraeger arch/s390/kvm/gaccess.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) commit fb3a5055cd7098f8d1dd0cd38d7172211113255f Author: Kan Liang Date: Mon Jun 19 07:26:09 2017 -0700 perf/x86/intel: Add 1G DTLB load/store miss support for SKL Current DTLB load/store miss events (0x608/0x649) only counts 4K,2M and 4M page size. Need to extend the events to support any page size (4K/2M/4M/1G). 
The complete DTLB load/store miss events are: DTLB_LOAD_MISSES.WALK_COMPLETED 0xe08 DTLB_STORE_MISSES.WALK_COMPLETED 0xe49 Signed-off-by: Kan Liang Cc: Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: eranian@google.com Link: http://lkml.kernel.org/r/20170619142609.11058-1-kan.liang@intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 6c782a5ea56a799658e213a78dc1455264938afa Author: Michail Georgios Etairidis Date: Tue Jun 20 10:20:42 2017 +0200 i2c: imx: Use correct function to write to register The i2c-imx driver incorrectly uses readb()/writeb() to read and write to the appropriate registers when performing a repeated start. The appropriate imx_i2c_read_reg()/imx_i2c_write_reg() functions should be used instead. Performing a repeated start results in a kernel panic. The platform is imx. Signed-off-by: Michail G Etairidis Fixes: ce1a78840ff7 ("i2c: imx: add DMA support for freescale i2c driver") Fixes: 054b62d9f25c ("i2c: imx: fix the i2c bus hang issue when do repeat restart") Acked-by: Fugang Duan Acked-by: Uwe Kleine-König Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-imx.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit ca3a1b856636f596c691ab5b3764045a142186db Author: Yossi Kuperman Date: Thu Jun 22 11:37:11 2017 +0300 esp6_offload: Fix IP6CB(skb)->nhoff for ESP GRO IP6CB(skb)->nhoff is the offset of the nexthdr field in an IPv6 header, unless there are extension headers present, in which case nhoff points to the nexthdr field of the last extension header. In non-GRO code path, nhoff is set by ipv6_rcv before any XFRM code is executed. Conversely, in GRO code path (when esp6_offload is loaded), nhoff is not set. 
The following functions fail to read the correct value and eventually the packet is dropped: xfrm6_transport_finish xfrm6_tunnel_input xfrm6_rcv_tnl Set nhoff to the proper offset of nexthdr in esp6_gro_receive. Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Signed-off-by: Yossi Kuperman Signed-off-by: Steffen Klassert net/ipv6/esp6_offload.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) commit 7c88e21aefcf86fb41b48b2e04528db5a30fbe18 Author: Yossi Kuperman Date: Thu Jun 22 11:37:10 2017 +0300 xfrm6: Fix IPv6 payload_len in xfrm6_transport_finish IPv6 payload length indicates the size of the payload, including any extension headers. In xfrm6_transport_finish, ipv6_hdr(skb)->payload_len is set to the payload size only, regardless of the presence of any extension headers. After ESP GRO transport mode decapsulation, ipv6_rcv trims the packet according to the wrong payload_len, thus corrupting the packet. Set payload_len to account for extension headers as well. Fixes: 7785bba299a8 ("esp: Add a software GRO codepath") Signed-off-by: Yossi Kuperman Signed-off-by: Steffen Klassert net/ipv6/xfrm6_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8d829b9bb878904f3419af8003176a12910b94e8 Merge: 48b6bbe 8e8320c Author: Linus Torvalds Date: Wed Jun 21 22:15:00 2017 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "This contains a set of fixes for xen-blkback by way of Konrad, and a performance regression fix for blk-mq for shared tags. The latter could account for as much as a 50x reduction in performance, with the test case from the user with 500 name spaces. A more realistic setup on my end with 32 drives showed a 3.5x drop. 
The fix has been thoroughly tested before being committed" * 'for-linus' of git://git.kernel.dk/linux-block: blk-mq: fix performance regression with shared tags xen-blkback: don't leak stack data via response ring xen/blkback: don't use xen_blkif_get() in xen-blkback kthread xen/blkback: don't free be structure too early xen/blkback: fix disconnect while I/Os in flight commit eb5e248d502bec191bd99f04cae8b49992b3abde Author: Darrick J. Wong Date: Wed Jun 21 20:27:35 2017 -0700 xfs: don't allow bmap on rt files bmap returns a dumb LBA address but not the block device that goes with that LBA. Swapfiles don't care about this and will blindly assume that the data volume is the correct blockdev, which is totally bogus for files on the rt subvolume. This results in the swap code doing IOs to arbitrary locations on the data device(!) if the passed in mapping is a realtime file, so just turn off bmap for rt files. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig fs/xfs/xfs_aops.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 2f263d145140ea4b9f5762b15886ae26195a764a Author: Richard Genoud Date: Thu Jun 15 10:36:22 2017 +0200 kbuild: fix header installation under fakechroot environment Since commit fcc8487d477a ("uapi: export all headers under uapi directories") fakechroot make bindeb-pkg fails, mismatching files for directories: touch: cannot touch 'usr/include/video/uvesafb.h/.install': Not a directory This due to a bug in fakechroot: when using the function $(wildcard $(srcdir)/*/.) in a makefile, under a fakechroot environment, not only directories but also files are returned. 
To circumvent that, we are using the functions: $(sort $(dir $(wildcard $(srcdir)/*/)))) Fixes: fcc8487d477a ("uapi: export all headers under uapi directories") Signed-off-by: Richard Genoud Signed-off-by: Masahiro Yamada scripts/Makefile.headersinst | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit e4330d8bf669139a983255d1801733b64c2ae841 Author: Jarkko Nikula Date: Mon Jun 19 15:53:01 2017 +0300 ACPI / scan: Fix enumeration for special SPI and I2C devices Commit f406270bf73d ("ACPI / scan: Set the visited flag for all enumerated devices") caused that two groups of special SPI or I2C devices do not enumerate. SPI and I2C devices are expected to be enumerated by the SPI and I2C subsystems but change caused that acpi_bus_attach() marks those devices with acpi_device_set_enumerated(). First group of devices are matched using Device Tree compatible property with special _HID "PRP0001". Those devices have matched scan handler, acpi_scan_attach_handler() returns 1 and acpi_bus_attach() marks them with acpi_device_set_enumerated(). Second group of devices without valid _HID such as "LNXVIDEO" have device->pnp.type.platform_id set to zero and change again marks them with acpi_device_set_enumerated(). Fix this by flagging the SPI and I2C devices during struct acpi_device object initialization time and let the code in acpi_bus_attach() to go through the device_attach() and acpi_default_enumeration() path for all SPI and I2C devices. Fixes: f406270bf73d (ACPI / scan: Set the visited flag for all enumerated devices) Signed-off-by: Jarkko Nikula Acked-by: Mika Westerberg Cc: 4.11+ # 4.11+ Signed-off-by: Rafael J.
Wysocki drivers/acpi/scan.c | 67 +++++++++++++++++++++++++++---------------------- include/acpi/acpi_bus.h | 3 ++- 2 files changed, 39 insertions(+), 31 deletions(-) commit 48b6bbef9a1789f0365c1a385879a1fea4460016 Merge: ce879b6 b4846fc Author: Linus Torvalds Date: Wed Jun 21 12:40:20 2017 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix refcounting wrt timers which hold onto inet6 address objects, from Xin Long. 2) Fix an ancient bug in wireless wext ioctls, from Johannes Berg. 3) Firmware handling fixes in brcm80211 driver, from Arend Van Spriel. 4) Several mlx5 driver fixes (firmware readiness, timestamp cap reporting, devlink command validity checking, tc offloading, etc.) From Eli Cohen, Maor Dickman, Chris Mi, and Or Gerlitz. 5) Fix dst leak in IP/IP6 tunnels, from Haishuang Yan. 6) Fix dst refcount bug in decnet, from Wei Wang. 7) Netdev can be double freed in register_vlan_device(). Fix from Gao Feng. 8) Don't allow object to be destroyed while it is being dumped in SCTP, from Xin Long. 9) Fix dpaa_eth build when modular, from Madalin Bucur. 10) Fix throw route leaks, from Serhey Popovych. 11) IFLA_GROUP missing from if_nlmsg_size() and ifla_policy[] table, also from Serhey Popovych. 12) Fix premature TX SKB free in stmmac, from Niklas Cassel. 
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (36 commits) igmp: add a missing spin_lock_init() net: stmmac: free an skb first when there are no longer any descriptors using it sfc: remove duplicate up_write on VF filter_sem rtnetlink: add IFLA_GROUP to ifla_policy ipv6: Do not leak throw route references dt-bindings: net: sms911x: Add missing optional VDD regulators dpaa_eth: reuse the dma_ops provided by the FMan MAC device fsl/fman: propagate dma_ops net/core: remove explicit do_softirq() from busy_poll_stop() fib_rules: Resolve goto rules target on delete sctp: ensure ep is not destroyed before doing the dump net/hns:bugfix of ethtool -t phy self_test net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev cxgb4: notify uP to route ctrlq compl to rdma rspq ip6_tunnel: Correct tos value in collect_md mode decnet: always not take dst->__refcnt when inserting dst into hash table ip6_tunnel: fix potential issue in __ip6_tnl_rcv ip_tunnel: fix potential issue in ip_tunnel_rcv brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2() net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it ... commit ce879b64a7be347a315bce6785318e9662e31cb5 Merge: db1b5cc b7c747d Author: Linus Torvalds Date: Wed Jun 21 12:16:12 2017 -0700 Merge tag 'pinctrl-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull more pin control fixes from Linus Walleij: "Some late arriving fixes. I should have sent earlier, just swamped with work as usual. Thomas patch makes AMD systems usable despite firmware bugs so it is fairly important. - Make the AMD driver use a regular interrupt rather than a chained one, so the system does not lock up. 
- Fix a function call error deep inside the STM32 driver" * tag 'pinctrl-v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: stm32: Fix bad function call pinctrl/amd: Use regular interrupt instead of chained commit db1b5ccd27a37840af5c868f82f36d5d33430b96 Merge: dcba710 900a88e Author: Linus Torvalds Date: Wed Jun 21 12:06:29 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid Pull HID fixes from Jiri Kosina: - revert of a commit to magicmouse driver that regresses certain devices, from Daniel Stone - quirk for a specific Dell mouse, from Sebastian Parschauer * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: Revert "HID: magicmouse: Set multi-touch keybits for Magic Mouse" HID: Add quirk for Dell PIXART OEM mouse commit dcba71086e0d1abf4f00cd381530b11d0db7fa1d Merge: 021f601 842c088 Author: Linus Torvalds Date: Wed Jun 21 12:02:48 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching Pull livepatching fix from Jiri Kosina: "Fix the way how livepatches are being stacked with respect to RCU, from Petr Mladek" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching: livepatch: Fix stacking of patches with respect to RCU commit 021f601980ccf07e65bc03e40d0321243f782d34 Merge: bd726c9 77e9ce3 Author: Linus Torvalds Date: Wed Jun 21 11:30:52 2017 -0700 Merge branch 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull more ufs fixes from Al Viro: "More UFS fixes, unfortunately including build regression fix for the 64-bit s_dsize commit. Fixed in this pile: - trivial bug in signedness of 32bit timestamps on ufs1 - ESTALE instead of ufs_error() when doing open-by-fhandle on something deleted - build regression on 32bit in ufs_new_fragments() - calculating that many percents of u64 pulls libgcc stuff on some of those. Mea culpa.
- fix hysteresis loop broken by typo in 2.4.14.7 (right next to the location of previous bug). - fix the insane limits of said hysteresis loop on filesystems with very low percentage of reserved blocks. If it's 5% or less, just use the OPTSPACE policy. - calculate those limits once and mount time. This tree does pass xfstests clean (both ufs1 and ufs2) and it _does_ survive cross-builds. Again, my apologies for missing that, especially since I have noticed a related percentage-of-64bit issue in earlier patches (when dealing with amount of reserved blocks). Self-LART applied..." * 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs: fix the logics for tail relocation ufs_iget(): fail with -ESTALE on deleted inode fix signedness of timestamps on ufs1 commit bd726c90b6b8ce87602208701b208a208e6d5600 Author: Helge Deller Date: Mon Jun 19 17:34:05 2017 +0200 Allow stack to grow up to address space limit Fix expand_upwards() on architectures with an upward-growing stack (parisc, metag and partly IA-64) to allow the stack to reliably grow exactly up to the address space limit given by TASK_SIZE. Signed-off-by: Helge Deller Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds mm/mmap.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit f4cb767d76cf7ee72f97dd76f6cfa6c76a5edc89 Author: Hugh Dickins Date: Tue Jun 20 02:10:44 2017 -0700 mm: fix new crash in unmapped_area_topdown() Trinity gets kernel BUG at mm/mmap.c:1963! in about 3 minutes of mmap testing. That's the VM_BUG_ON(gap_end < gap_start) at the end of unmapped_area_topdown(). Linus points out how MAP_FIXED (which does not have to respect our stack guard gap intentions) could result in gap_end below gap_start there. Fix that, and the similar case in its alternative, unmapped_area(). 
Cc: stable@vger.kernel.org Fixes: 1be7107fbe18 ("mm: larger stack guard gap, between vmas") Reported-by: Dave Jones Debugged-by: Linus Torvalds Signed-off-by: Hugh Dickins Acked-by: Michal Hocko Signed-off-by: Linus Torvalds mm/mmap.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 8e8320c9315c47a6a090188720ccff32a6a6ba18 Author: Jens Axboe Date: Tue Jun 20 17:56:13 2017 -0600 blk-mq: fix performance regression with shared tags If we have shared tags enabled, then every IO completion will trigger a full loop of every queue belonging to a tag set, and every hardware queue for each of those queues, even if nothing needs to be done. This causes a massive performance regression if you have a lot of shared devices. Instead of doing this huge full scan on every IO, add an atomic counter to the main queue that tracks how many hardware queues have been marked as needing a restart. With that, we can avoid looking for restartable queues, if we don't have to. Max reports that this restores performance. Before this patch, 4K IOPS was limited to 22-23K IOPS. With the patch, we are running at 950-970K IOPS. Fixes: 6d8c6c0f97ad ("blk-mq: Restart a single queue if tag sets are shared") Reported-by: Max Gurtovoy Tested-by: Max Gurtovoy Reviewed-by: Bart Van Assche Tested-by: Bart Van Assche Signed-off-by: Jens Axboe block/blk-mq-sched.c | 58 +++++++++++++++++++++++++++++++++++++++----------- block/blk-mq-sched.h | 9 -------- block/blk-mq.c | 16 +++++++++++--- include/linux/blkdev.h | 2 ++ 4 files changed, 61 insertions(+), 24 deletions(-) commit feb7695fe9fb83084aa29de0094774f4c9d4c9fc Author: Mike Snitzer Date: Tue Jun 20 19:14:30 2017 -0400 dm io: fix duplicate bio completion due to missing ref count If only a subset of the devices associated with multiple regions support a given special operation (eg. DISCARD) then the dec_count() that is used to set error for the region must increment the io->count. 
    Otherwise, when the dec_count() is called it can cause the dm-io caller's bio to be completed multiple times. As was reported against the dm-mirror target that had mirror legs with a mix of discard capabilities.

    Bug: https://bugzilla.kernel.org/show_bug.cgi?id=196077
    Reported-by: Zhang Yi
    Signed-off-by: Mike Snitzer

 drivers/md/dm-io.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit 7def52b78a5fda14864aab9b6fd14f09a4d4ff72
Author: Mike Snitzer
Date:   Mon Jun 19 10:55:47 2017 -0400

    dm integrity: fix to not disable/enable interrupts from interrupt context

    Use spin_lock_irqsave and spin_unlock_irqrestore rather than spin_{lock,unlock}_irq in submit_flush_bio().

    Otherwise lockdep issues the following warning:

      DEBUG_LOCKS_WARN_ON(current->hardirq_context)
      WARNING: CPU: 1 PID: 0 at kernel/locking/lockdep.c:2748 trace_hardirqs_on_caller+0x107/0x180

    Reported-by: Ondrej Kozina
    Tested-by: Ondrej Kozina
    Signed-off-by: Mike Snitzer
    Acked-by: Mikulas Patocka

 drivers/md/dm-integrity.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

commit 8a1898db51a3390241cd5fae267dc8aaa9db0f8b
Author: Hendrik Brueckner
Date:   Tue Jun 20 12:26:39 2017 +0200

    perf/aux: Correct return code of rb_alloc_aux() if !has_aux(ev)

    If the event for which an AUX area is about to be allocated, does not support setting up an AUX area, rb_alloc_aux() returns -ENOTSUPP.

    This error condition is being returned unfiltered to the user space, and, for example, the perf tool fails with:

      failed to mmap with 524 (INTERNAL ERROR: strerror_r(524, 0x3fff497a1c8, 512)=22)

    This error can be easily seen with "perf record -m 128,256 -e cpu-clock".

    The 524 error code maps to -ENOTSUPP (in rb_alloc_aux()). The -ENOTSUPP error code shall be only used within the kernel. So the correct error code would then be -EOPNOTSUPP.

    With this commit, the perf tool then reports:

      failed to mmap with 95 (Operation not supported)

    which is more clear.
    Signed-off-by: Hendrik Brueckner
    Acked-by: Alexander Shishkin
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Pu Hou
    Cc: Thomas Gleixner
    Cc: Thomas-Mich Richter
    Cc: acme@kernel.org
    Cc: linux-s390@vger.kernel.org
    Link: http://lkml.kernel.org/r/1497954399-6355-1-git-send-email-brueckner@linux.vnet.ibm.com
    Signed-off-by: Ingo Molnar

 kernel/events/ring_buffer.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit e94ac3510b6a0f696f2c442c4fc4051c8101ef12
Author: Daniel Vetter
Date:   Tue Jun 20 22:28:37 2017 +0200

    drm: Fix GETCONNECTOR regression

    In

    commit 91eefc05f0ac71902906b2058360e61bd25137fe
    Author: Daniel Vetter
    Date:   Wed Dec 14 00:08:10 2016 +0100

        drm: Tighten locking in drm_mode_getconnector

    I reordered the logic a bit in that IOCTL, but that broke userspace since it'll get the new mode list, but not the new property values. Fix that again.

    v2: Fix up the error path handling when copy_to_user for the modes fails (Dhinakaran).

    Fixes: 91eefc05f0ac ("drm: Tighten locking in drm_mode_getconnector")
    Cc: Sean Paul
    Cc: Daniel Vetter
    Cc: Jani Nikula
    Cc: David Airlie
    Cc: dri-devel@lists.freedesktop.org
    Reported-by: "H.J. Lu"
    Tested-by: "H.J. Lu"
    Cc: # v4.11+
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100576
    Cc: "H.J. Lu"
    Cc: "Pandiyan, Dhinakaran"
    Reviewed-by: Sean Paul
    Reviewed-by: Dhinakaran Pandiyan
    Signed-off-by: Daniel Vetter
    Link: http://patchwork.freedesktop.org/patch/msgid/20170620202837.1701-1-daniel.vetter@ffwll.ch

 drivers/gpu/drm/drm_connector.c | 38 ++++++++++++++++++++------------------
 1 file changed, 20 insertions(+), 18 deletions(-)

commit 517a6e43c4872c89794af5b377fa085e47345952
Author: Christophe Jaillet
Date:   Sun Jun 11 09:12:47 2017 +0200

    CIFS: Fix some return values in case of error in 'crypt_message'

    'rc' is known to be 0 at this point. So if 'init_sg' or 'kzalloc' fails, we should return -ENOMEM instead.

    Also remove a useless 'rc' in a debug message as it is meaningless here.
    Fixes: 026e93dc0a3ee ("CIFS: Encrypt SMB3 requests before sending")
    Signed-off-by: Christophe JAILLET
    Reviewed-by: Pavel Shilovsky
    Reviewed-by: Aurelien Aptel
    Signed-off-by: Steve French
    CC: Stable

 fs/cifs/smb2ops.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

commit 816b4e448c72cc388cdd0f6ea22302a47cd752a2
Merge: 09da4ba acfd6ee
Author: Dave Airlie
Date:   Wed Jun 21 11:23:35 2017 +1000

    Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes

    A few fixes for 4.12:
    - Add a new Polaris12 pci id
    - A stack corruption fix
    - Suspend/resume fix
    - PX fix
    - Display flickering fix

    * 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux:
      drm/radeon: add a quirk for Toshiba Satellite L20-183
      drm/radeon: add a PX quirk for another K53TK variant
      drm/amdgpu: adjust default display clock
      drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating
      drm/amdgpu: add Polaris12 DID

commit 09da4baa4d502833a1ac79aea4ff85d08bb48871
Merge: 41f1830 a8ae0a7
Author: Dave Airlie
Date:   Wed Jun 21 11:22:34 2017 +1000

    Merge tag 'drm-intel-fixes-2017-06-20' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes

    drm/i915 fixes for v4.12-rc7

    * tag 'drm-intel-fixes-2017-06-20' of git://anongit.freedesktop.org/git/drm-intel:
      drm/i915: Don't enable backlight at setup time.
      drm/i915: Plumb the correct acquire ctx into intel_crtc_disable_noatomic()
      drm/i915: Fix deadlock witha the pipe A quirk during resume
      drm/i915: Remove __GFP_NORETRY from our buffer allocator
      drm/i915: Encourage our shrinker more when our shmemfs allocations fails
      drm/i915: Differentiate between sw write location into ring and last hw read

commit e125f5284f81bbb765a504494622b45c02faf978
Author: Colin Ian King
Date:   Wed Jun 7 00:33:45 2017 +0100

    cifs: remove redundant return in cifs_creation_time_get

    There is a redundant return in function cifs_creation_time_get that appears to be old vestigial code that can be removed. So remove it.
    Detected by CoverityScan, CID#1361924 ("Structurally dead code")

    Signed-off-by: Colin Ian King
    Signed-off-by: Steve French

 fs/cifs/xattr.c | 2 --
 1 file changed, 2 deletions(-)

commit dcd87838c06f05ab7650b249ebf0d5b57ae63e1e
Author: Pavel Shilovsky
Date:   Tue Jun 6 16:58:58 2017 -0700

    CIFS: Improve readdir verbosity

    Downgrade the loglevel for SMB2 to prevent filling the log with messages if e.g. readdir was interrupted. Also make SMB2 and SMB1 codepaths do the same logging during readdir.

    Signed-off-by: Pavel Shilovsky
    Signed-off-by: Steve French
    CC: Stable

 fs/cifs/smb1ops.c | 9 +++++++--
 fs/cifs/smb2ops.c | 4 ++--
 2 files changed, 9 insertions(+), 4 deletions(-)

commit ecf3411a121e7a653e309ff50a820ffa87c537f8
Author: Colin Ian King
Date:   Wed May 17 19:24:15 2017 +0100

    CIFS: check if pages is null rather than bv for a failed allocation

    pages is being allocated however a null check on bv is being used to see if the allocation failed. Fix this by checking if pages is null.

    Detected by CoverityScan, CID#1432974 ("Logically dead code")

    Fixes: ccf7f4088af2dd ("CIFS: Add asynchronous context to support kernel AIO")
    Signed-off-by: Colin Ian King
    Reviewed-by: Pavel Shilovsky
    Signed-off-by: Steve French

 fs/cifs/misc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 8a7b0d8e8d9962ec3b2ae64dd4e86d68a6fb9220
Author: Dan Carpenter
Date:   Fri May 5 08:30:40 2017 +0300

    CIFS: Set ->should_dirty in cifs_user_readv()

    The current code causes a static checker warning because ITER_IOVEC is zero so the condition is never true.

    Fixes: 6685c5e2d1ac ("CIFS: Add asynchronous read support through kernel AIO")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Steve French

 fs/cifs/file.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit b4846fc3c8559649277e3e4e6b5cec5348a8d208
Author: WANG Cong
Date:   Tue Jun 20 10:46:27 2017 -0700

    igmp: add a missing spin_lock_init()

    Andrey reported a lockdep warning on non-initialized spinlock:

     INFO: trying to register non-static key.
     the code is fine but needs lockdep annotation.
     turning off the locking correctness validator.
     CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
     Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
     Call Trace:
      __dump_stack lib/dump_stack.c:16
      dump_stack+0x292/0x395 lib/dump_stack.c:52
      register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
      ? 0xffffffffa0000000
      __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
      lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
      __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
      _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
      spin_lock_bh ./include/linux/spinlock.h:304
      ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
      igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
      ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736

    We miss a spin_lock_init() in igmpv3_add_delrec(), probably because previously we never use it on this code path. Since we already unlink it from the global mc_tomb list, it is probably safe not to acquire this spinlock here. It does not harm to have it although, to avoid conditional locking.

    Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
    Reported-by: Andrey Konovalov
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

 net/ipv4/igmp.c | 1 +
 1 file changed, 1 insertion(+)

commit 9f93d87cba63e3d18629261243b1f633519eabb5
Author: Marcin Nowakowski
Date:   Fri Jun 9 09:04:05 2017 +0200

    irqchip/mips-gic: Mark count and compare accessors notrace

    gic_read_count(), gic_write_compare() and gic_write_cpu_compare() are often used in a sequence to update the compare register with a count value increased by a small offset.

    With small delta values used to update the compare register, the time to update function trace for these operations may be longer than the update timeout leading to update failure.
    Signed-off-by: Marcin Nowakowski
    Signed-off-by: Thomas Gleixner
    Cc: Marc Zyngier
    Cc: linux-mips@linux-mips.org
    Cc: Jason Cooper
    Link: http://lkml.kernel.org/r/1496991845-27031-1-git-send-email-marcin.nowakowski@imgtec.com

 drivers/irqchip/irq-mips-gic.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

commit afd64631f86c0c0ad440dcac09ed4a44968372d6
Merge: 05cf0d1 35abcd4
Author: David S. Miller
Date:   Tue Jun 20 15:41:56 2017 -0400

    Merge tag 'wireless-drivers-for-davem-2017-06-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

    Kalle Valo says:

    ====================
    wireless-drivers fixes for 4.12

    Two important fixes for brcmfmac. The rest of the brcmfmac patches are either code preparation and fixing a new build warning.

    brcmfmac

    * fix a NULL pointer dereference during resume

    * fix a NULL pointer dereference with USB devices, a regression from v4.12-rc1
    ====================

    Signed-off-by: David S. Miller

commit 05cf0d1bf4ed722aefff92775244dbe9e1bb4679
Author: Niklas Cassel
Date:   Tue Jun 20 14:32:41 2017 +0200

    net: stmmac: free an skb first when there are no longer any descriptors using it

    When having the skb pointer in the first descriptor, stmmac_tx_clean can get called at a moment where the IP has only cleared the own bit of the first descriptor, thus freeing the skb, even though there can be several descriptors whose buffers point into the same skb.

    By simply moving the skb pointer from the first descriptor to the last descriptor, a skb will get freed only when the IP has cleared the own bit of all the descriptors that are using that skb.

    Signed-off-by: Niklas Cassel
    Signed-off-by: David S. Miller

 drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

commit 57f0c9cf58ff7fe479137ab847a886d0eed3ad1d
Author: Edward Cree
Date:   Tue Jun 20 13:08:51 2017 +0100

    sfc: remove duplicate up_write on VF filter_sem

    Somehow two copies of the line 'up_write(&vf->efx->filter_sem);' got into efx_ef10_sriov_set_vf_vlan(). This would put the mutex in a bad state and cause all subsequent down attempts to hang.

    Fixes: 671b53eec2ed ("sfc: Ensure down_write(&filter_sem) and up_write() are matched before calling efx_net_open()")
    Signed-off-by: Edward Cree
    Signed-off-by: David S. Miller

 drivers/net/ethernet/sfc/ef10_sriov.c | 2 --
 1 file changed, 2 deletions(-)

commit db833d40ad3263b2ee3b59a1ba168bb3cfed8137
Author: Serhey Popovych
Date:   Tue Jun 20 14:35:23 2017 +0300

    rtnetlink: add IFLA_GROUP to ifla_policy

    Network interface groups support added while ago, however there is no IFLA_GROUP attribute description in policy and netlink message size calculations until now.

    Add IFLA_GROUP attribute to the policy.

    Fixes: cbda10fa97d7 ("net_device: add support for network device groups")
    Signed-off-by: Serhey Popovych
    Signed-off-by: David S. Miller

 net/core/rtnetlink.c | 2 ++
 1 file changed, 2 insertions(+)

commit 07f615574f8ac499875b21c1142f26308234a92c
Author: Serhey Popovych
Date:   Tue Jun 20 13:29:25 2017 +0300

    ipv6: Do not leak throw route references

    While commit 73ba57bfae4a ("ipv6: fix backtracking for throw routes") does good job on error propagation to the fib_rules_lookup() in fib rules core framework that also corrects throw routes handling, it does not solve route reference leakage problem happened when we return -EAGAIN to the fib_rules_lookup() and leave routing table entry referenced in arg->result.

    If rule with matched throw route isn't last matched in the list we overwrite arg->result losing reference on throw route stored previously forever.
    We also partially revert commit ab997ad40839 ("ipv6: fix the incorrect return value of throw route") since we never return routing table entry with dst.error == -EAGAIN when CONFIG_IPV6_MULTIPLE_TABLES is on. Also there is no point to check for RTF_REJECT flag since it is always set throw route.

    Fixes: 73ba57bfae4a ("ipv6: fix backtracking for throw routes")
    Signed-off-by: Serhey Popovych
    Signed-off-by: David S. Miller

 net/ipv6/fib6_rules.c | 22 ++++++----------------
 net/ipv6/ip6_fib.c    |  3 +--
 2 files changed, 7 insertions(+), 18 deletions(-)

commit 7e113321eccba2b52c0e9d11129d370c9511e4db
Author: Krzysztof Kozlowski
Date:   Mon Jun 19 18:05:41 2017 +0200

    dt-bindings: net: sms911x: Add missing optional VDD regulators

    The lan911x family of devices require supplying from 3.3 V power supplies (connected to VDD_IO, VDD_A and VREG_3.3 pins). The existing driver however obtains only VDD_IO and VDD_A regulators in an optional way so document this in bindings.

    Signed-off-by: Krzysztof Kozlowski
    Reviewed-by: Linus Walleij
    Signed-off-by: David S. Miller

 Documentation/devicetree/bindings/net/smsc911x.txt | 1 +
 1 file changed, 1 insertion(+)

commit 73b098d6fa175e4ecd98e6c1fe53c77ebf6b3eaa
Merge: fe420d8 fb52728
Author: David S. Miller
Date:   Tue Jun 20 13:46:54 2017 -0400

    Merge branch 'net-fix-loadable-module-for-DPAA-Ethernet'

    Madalin Bucur says:

    ====================
    net: fix loadable module for DPAA Ethernet

    The DPAA Ethernet makes use of a symbol that is not exported. Address the issue by propagating the dma_ops rather than calling arch_setup_dma_ops().
    ====================

    Signed-off-by: David S. Miller

commit fb52728a9294d97de808795b8e3f60fb8de50c00
Author: Madalin Bucur
Date:   Mon Jun 19 18:04:17 2017 +0300

    dpaa_eth: reuse the dma_ops provided by the FMan MAC device

    Remove the use of arch_setup_dma_ops() that was not exported and was breaking loadable module compilation.

    Signed-off-by: Madalin Bucur
    Signed-off-by: David S. Miller

 drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 5567e989198b5a8d78f9b5868e48fc9f4726bdd5
Author: Madalin Bucur
Date:   Mon Jun 19 18:04:16 2017 +0300

    fsl/fman: propagate dma_ops

    Make sure dma_ops are set, to be later used by the Ethernet driver.

    Signed-off-by: Madalin Bucur
    Signed-off-by: David S. Miller

 drivers/net/ethernet/freescale/fman/mac.c | 2 ++
 1 file changed, 2 insertions(+)

commit fe420d87bbc234015b4195dd239b7d3052b140ea
Author: Sebastian Siewior
Date:   Fri Jun 16 19:24:00 2017 +0200

    net/core: remove explicit do_softirq() from busy_poll_stop()

    Since commit 217f69743681 ("net: busy-poll: allow preemption in sk_busy_loop()") there is an explicit do_softirq() invocation after local_bh_enable() has been invoked. I don't understand why we need this because local_bh_enable() will invoke do_softirq() once the softirq counter reached zero and we have softirq-related work pending.

    Signed-off-by: Sebastian Andrzej Siewior
    Signed-off-by: David S. Miller

 net/core/dev.c | 2 --
 1 file changed, 2 deletions(-)

commit bdaf32c3ced3d111b692f0af585f880f82d686c5
Author: Serhey Popovych
Date:   Fri Jun 16 15:44:47 2017 +0300

    fib_rules: Resolve goto rules target on delete

    We should avoid marking goto rules unresolved when their target is actually reachable after rule deletion.

    Consider following sample scenario:

      # ip -4 ru sh
      0:      from all lookup local
      32000:  from all goto 32100
      32100:  from all lookup main
      32100:  from all lookup default
      32766:  from all lookup main
      32767:  from all lookup default

      # ip -4 ru del pref 32100 table main
      # ip -4 ru sh
      0:      from all lookup local
      32000:  from all goto 32100 [unresolved]
      32100:  from all lookup default
      32766:  from all lookup main
      32767:  from all lookup default

    After removal of first rule with preference 32100 we mark all goto rules as unreachable, even when rule with same preference as removed one still present.
    Check if next rule with same preference is available and make all rules with goto action pointing to it.

    Signed-off-by: Serhey Popovych
    Signed-off-by: David S. Miller

 net/core/fib_rules.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

commit acfd6ee4fa7ebeee75511825fe02be3f7ac1d668
Author: Alex Deucher
Date:   Mon Jun 19 15:59:58 2017 -0400

    drm/radeon: add a quirk for Toshiba Satellite L20-183

    Fixes resume from suspend.

    bug: https://bugzilla.kernel.org/show_bug.cgi?id=196121
    Reported-by: Przemek
    Signed-off-by: Alex Deucher
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/radeon/radeon_combios.c | 7 +++++++
 1 file changed, 7 insertions(+)

commit 4eb59793cca00b0e629b6d55b5abb5acb82c5868
Author: Alex Deucher
Date:   Mon Jun 19 12:52:47 2017 -0400

    drm/radeon: add a PX quirk for another K53TK variant

    Disable PX on these systems.

    bug: https://bugs.freedesktop.org/show_bug.cgi?id=101491
    Signed-off-by: Alex Deucher
    Cc: stable@vger.kernel.org
    Signed-off-by: Alex Deucher

 drivers/gpu/drm/radeon/radeon_device.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 52b482b0f4fd6d5267faf29fe91398e203f3c230
Author: Alex Deucher
Date:   Thu Jun 15 11:12:28 2017 -0400

    drm/amdgpu: adjust default display clock

    Increase the default display clock on newer asics to accommodate some high res modes with really high refresh rates.

    bug: https://bugs.freedesktop.org/show_bug.cgi?id=93826
    Acked-by: Chunming Zhou
    Acked-by: Christian König
    Signed-off-by: Alex Deucher
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/amd/amdgpu/amdgpu_atombios.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 05b4017b37f1fce4b7185f138126dd8decdb381f
Author: Alex Deucher
Date:   Thu Jun 15 10:55:11 2017 -0400

    drm/amdgpu/atom: fix ps allocation size for EnableDispPowerGating

    We were using the wrong structure which led to an overflow on some boards.
    bug: https://bugs.freedesktop.org/show_bug.cgi?id=101387
    Acked-by: Chunming Zhou
    Acked-by: Christian König
    Signed-off-by: Alex Deucher
    Cc: stable@vger.kernel.org

 drivers/gpu/drm/amd/amdgpu/atombios_crtc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit 9e69672e90ccff10dab6f0c9545226a886e5973c
Author: Fabrice Gasnier
Date:   Wed Jun 14 17:13:14 2017 +0200

    dt-bindings: mfd: Update STM32 timers clock names

    Clock name has been updated during driver/DT binding review: https://lkml.org/lkml/2016/12/13/718

    Update DT binding doc to reflect this.

    Fixes: 8f9359c6c6a0 (dt-bindings: mfd: Add bindings for STM32 Timers driver)

    Signed-off-by: Fabrice Gasnier
    Acked-by: Benjamin Gaignard
    Signed-off-by: Lee Jones

 Documentation/devicetree/bindings/mfd/stm32-timers.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit e27a9eca5d4a392b96ce5d5238c8d637bcb0a52c
Author: James Cowgill
Date:   Tue Jun 20 10:57:51 2017 +0100

    KVM: MIPS: Fix maybe-uninitialized build failure

    This commit fixes a "maybe-uninitialized" build failure in arch/mips/kvm/tlb.c when KVM, DYNAMIC_DEBUG and JUMP_LABEL are all enabled. The failure is:

    In file included from ./include/linux/printk.h:329:0,
                     from ./include/linux/kernel.h:13,
                     from ./include/asm-generic/bug.h:15,
                     from ./arch/mips/include/asm/bug.h:41,
                     from ./include/linux/bug.h:4,
                     from ./include/linux/thread_info.h:11,
                     from ./include/asm-generic/current.h:4,
                     from ./arch/mips/include/generated/asm/current.h:1,
                     from ./include/linux/sched.h:11,
                     from arch/mips/kvm/tlb.c:13:
    arch/mips/kvm/tlb.c: In function ‘kvm_mips_host_tlb_inv’:
    ./include/linux/dynamic_debug.h:126:3: error: ‘idx_kernel’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
       __dynamic_pr_debug(&descriptor, pr_fmt(fmt), \
       ^~~~~~~~~~~~~~~~~~
    arch/mips/kvm/tlb.c:169:16: note: ‘idx_kernel’ was declared here
      int idx_user, idx_kernel;
                    ^~~~~~~~~~

    There is a similar error relating to "idx_user". Both errors were observed with GCC 6.
    As far as I can tell, it is impossible for either idx_user or idx_kernel to be uninitialized when they are later read in the calls to kvm_debug, but to satisfy the compiler, add zero initializers to both variables.

    Signed-off-by: James Cowgill
    Fixes: 57e3869cfaae ("KVM: MIPS/TLB: Generalise host TLB invalidate to kernel ASID")
    Cc: # 4.11+
    Acked-by: James Hogan
    Signed-off-by: Radim Krčmář

 arch/mips/kvm/tlb.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

commit ec2f0fadde446e0ebe28c779ffcac655228b8f1e
Merge: dc9edc4 089bc01
Author: Jens Axboe
Date:   Tue Jun 20 07:09:27 2017 -0600

    Merge branch 'stable/for-jens-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen into for-linus

    Pull xen-blkback fixes from Konrad:

    "Security and memory leak fixes in xen block driver."

commit c72544d85fd6e46cfca6056ba775a17dc272d810
Merge: 41f1830 3d3efb6
Author: Radim Krčmář
Date:   Tue Jun 20 14:32:57 2017 +0200

    Merge branch 'kvm-ppc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc

    * fix problems that could cause hangs or crashes in the host on POWER9
    * fix problems that could allow guests to potentially affect or disrupt the execution of the controlling userspace

commit 6c7515c61ffa0985c57abd8892c7928b52b9a306
Author: Ralph Sennhauser
Date:   Thu Jun 1 22:08:20 2017 +0200

    gpio: mvebu: change compatible string for PWM support

    As it turns out more than just Armada 370 and XP support using GPIO lines as PWM lines. For example the Armada 38x family has the same hardware support. As such "marvell,armada-370-xp-gpio" for the compatible string is a misnomer.

    Change the compatible string to "marvell,armada-370-gpio" before the driver makes it out of the -rc stage. This also follows the practice of using only the first device family supported as part of the name.

    Also update the documentation and comments in the code accordingly.
    Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
    Signed-off-by: Ralph Sennhauser
    Acked-by: Gregory CLEMENT
    Acked-by: Rob Herring
    Signed-off-by: Linus Walleij

 Documentation/devicetree/bindings/gpio/gpio-mvebu.txt | 6 +++---
 drivers/gpio/gpio-mvebu.c                             | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

commit 8e6cec1c7c5afa489687c90be15d6ed82c742975
Merge: dbb236c 459fa24
Author: Thomas Gleixner
Date:   Tue Jun 20 12:50:32 2017 +0200

    Merge branch 'clockevents/4.12-fixes' of https://git.linaro.org/people/daniel.lezcano/linux into timers/urgent

    Pull clockevents fixes from Daniel Lezcano:

     - Fixed wrong iomem area unmapped in the arch_arm_timer (Frank Rowand)

     - Added missing includes for sun5i and cadence-ttc (Stephen Rothwell)

commit 900a88ef348803cd2ad2aeb13ffe06e807c6ce65
Merge: 0ca4cd7 53145c2
Author: Jiri Kosina
Date:   Tue Jun 20 10:52:46 2017 +0200

    Merge branch 'for-4.12/upstream-fixes' into for-linus

commit 842c08846420baa619fe3cb8c9af538efdb89428
Author: Petr Mladek
Date:   Wed Jun 14 10:54:52 2017 +0200

    livepatch: Fix stacking of patches with respect to RCU

    rcu_read_(un)lock(), list_*_rcu(), and synchronize_rcu() are used for a secure access and manipulation of the list of patches that modify the same function. In particular, it is the variable func_stack that is accessible from the ftrace handler via struct ftrace_ops and klp_ops.

    Of course, it synchronizes also some states of the patch on the top of the stack, e.g. func->transition in klp_ftrace_handler.

    At the same time, this mechanism guards also the manipulation of task->patch_state. It is modified according to the state of the transition and the state of the process.

    Now, all this works well as long as RCU works well. Sadly livepatching might get into some corner cases when this is not true. For example, RCU is not watching when rcu_read_lock() is taken in idle threads. It is because they might sleep and prevent reaching the grace period for too long.
    There are ways how to make RCU watching even in idle threads, see rcu_irq_enter(). But there is a small location inside RCU infrastructure when even this does not work.

    This small problematic location can be detected either before calling rcu_irq_enter() by rcu_irq_enter_disabled() or later by rcu_is_watching(). Sadly, there is no safe way how to handle it. Once we detect that RCU was not watching, we might see inconsistent state of the function stack and the related variables in klp_ftrace_handler(). Then we could do a wrong decision, use an incompatible implementation of the function and break the consistency of the system. We could warn but we could not avoid the damage.

    Fortunately, ftrace has similar problems and they seem to be solved well there. It uses a heavy weight implementation of some RCU operations. In particular, it replaces:

      + rcu_read_lock() with preempt_disable_notrace()
      + rcu_read_unlock() with preempt_enable_notrace()
      + synchronize_rcu() with schedule_on_each_cpu(sync_work)

    My understanding is that this is RCU implementation from a stone age. It meets the core RCU requirements but it is rather ineffective. Especially, it does not allow to batch or speed up the synchronize calls.

    On the other hand, it is very trivial. It allows to safely trace and/or livepatch even the RCU core infrastructure. And the effectiveness is not a big issue because using ftrace or livepatches on productive systems is a rare operation. The safety is much more important than a negligible extra load.

    Note that the alternative implementation follows the RCU principles. Therefore, we could and actually must use list_*_rcu() variants when manipulating the func_stack. These functions allow to access the pointers in the right order and with the right barriers. But they do not use any other information that would be set only by rcu_read_lock().

    Also note that there are actually two problems solved in ftrace:

    First, it cares about the consistency of RCU read sections.
    It is being solved the way as described and used in this patch.

    Second, ftrace needs to make sure that nobody is inside the dynamic trampoline when it is being freed. For this, it also calls synchronize_rcu_tasks() in preemptive kernel in ftrace_shutdown().

    Livepatch has similar problem but it is solved by ftrace for free. klp_ftrace_handler() is a good guy and never sleeps. In addition, it is registered with FTRACE_OPS_FL_DYNAMIC. It causes that unregister_ftrace_function() calls:

      * schedule_on_each_cpu(ftrace_sync) - always
      * synchronize_rcu_tasks() - in preemptive kernel

    The effect is that nobody is neither inside the dynamic trampoline nor inside the ftrace handler after unregister_ftrace_function() returns.

    [jkosina@suse.cz: reformat changelog, fix comment]
    Signed-off-by: Petr Mladek
    Acked-by: Josh Poimboeuf
    Acked-by: Miroslav Benes
    Signed-off-by: Jiri Kosina

 kernel/livepatch/patch.c      |  8 ++++++--
 kernel/livepatch/transition.c | 36 +++++++++++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 7 deletions(-)

commit dbb236c1ceb697a559e0694ac4c9e7b9131d0b16
Author: Will Deacon
Date:   Thu Jun 8 16:44:22 2017 -0700

    arm64/vdso: Fix nsec handling for CLOCK_MONOTONIC_RAW

    Recently vDSO support for CLOCK_MONOTONIC_RAW was added in 49eea433b326 ("arm64: Add support for CLOCK_MONOTONIC_RAW in clock_gettime() vDSO"). Noticing that the core timekeeping code never set tkr_raw.xtime_nsec, the vDSO implementation didn't bother exposing it via the data page and instead took the unshifted tk->raw_time.tv_nsec value which was then immediately shifted left in the vDSO code.

    Unfortunately, by accelerating the MONOTONIC_RAW clockid, it uncovered potential 1ns time inconsistencies caused by the timekeeping core not handling sub-ns resolution.

    Now that the core code has been fixed and is actually setting tkr_raw.xtime_nsec, we need to take that into account in the vDSO by adding it to the shifted raw_time value, in order to fix the user-visible inconsistency.
    Rather than do that at each use (and expand the data page in the process), instead perform the shift/addition operation when populating the data page and remove the shift from the vDSO code entirely.

    [jstultz: minor whitespace tweak, tried to improve commit message to make it more clear this fixes a regression]
    Reported-by: John Stultz
    Signed-off-by: Will Deacon
    Signed-off-by: John Stultz
    Tested-by: Daniel Mentz
    Acked-by: Kevin Brodsky
    Cc: Prarit Bhargava
    Cc: Richard Cochran
    Cc: Stephen Boyd
    Cc: "stable #4 . 8+"
    Cc: Miroslav Lichvar
    Link: http://lkml.kernel.org/r/1496965462-20003-4-git-send-email-john.stultz@linaro.org
    Signed-off-by: Thomas Gleixner

 arch/arm64/kernel/vdso.c              | 5 +++--
 arch/arm64/kernel/vdso/gettimeofday.S | 1 -
 2 files changed, 3 insertions(+), 3 deletions(-)

commit 3d88d56c5873f6eebe23e05c3da701960146b801
Author: John Stultz
Date:   Thu Jun 8 16:44:21 2017 -0700

    time: Fix CLOCK_MONOTONIC_RAW sub-nanosecond accounting

    Due to how the MONOTONIC_RAW accumulation logic was handled, there is the potential for a 1ns discontinuity when we do accumulations. This small discontinuity has for the most part gone un-noticed, but since ARM64 enabled CLOCK_MONOTONIC_RAW in their vDSO clock_gettime implementation, we've seen failures with the inconsistency-check test in kselftest.

    This patch addresses the issue by using the same sub-ns accumulation handling that CLOCK_MONOTONIC uses, which avoids the issue for in-kernel users.

    Since the ARM64 vDSO implementation has its own clock_gettime calculation logic, this patch reduces the frequency of errors, but failures are still seen. The ARM64 vDSO will need to be updated to include the sub-nanosecond xtime_nsec values in its calculation for this issue to be completely fixed.

    Signed-off-by: John Stultz
    Tested-by: Daniel Mentz
    Cc: Prarit Bhargava
    Cc: Kevin Brodsky
    Cc: Richard Cochran
    Cc: Stephen Boyd
    Cc: Will Deacon
    Cc: "stable #4 . 8+"
    Cc: Miroslav Lichvar
    Link: http://lkml.kernel.org/r/1496965462-20003-3-git-send-email-john.stultz@linaro.org
    Signed-off-by: Thomas Gleixner

 include/linux/timekeeper_internal.h |  4 ++--
 kernel/time/timekeeping.c           | 19 ++++++++++---------
 2 files changed, 12 insertions(+), 11 deletions(-)

commit ceea5e3771ed2378668455fa21861bead7504df5
Author: John Stultz
Date:   Thu Jun 8 16:44:20 2017 -0700

    time: Fix clock->read(clock) race around clocksource changes

    In tests, which exercise switching of clocksources, a NULL pointer dereference can be observed on ARM64 platforms in the clocksource read() function:

      u64 clocksource_mmio_readl_down(struct clocksource *c)
      {
              return ~(u64)readl_relaxed(to_mmio_clksrc(c)->reg) & c->mask;
      }

    This is called from the core timekeeping code via:

      cycle_now = tkr->read(tkr->clock);

    tkr->read is the cached tkr->clock->read() function pointer. When the clocksource is changed then tkr->clock and tkr->read are updated sequentially. The code above results in a sequential load operation of tkr->read and tkr->clock as well.

    If the store to tkr->clock hits between the loads of tkr->read and tkr->clock, then the old read() function is called with the new clock pointer. As a consequence the read() function dereferences a different data structure and the resulting 'reg' pointer can point anywhere including NULL.

    This problem was introduced when the timekeeping code was switched over to use struct tk_read_base. Before that, it was theoretically possible as well when the compiler decided to reload clock in the code sequence:

      now = tk->clock->read(tk->clock);

    Add a helper function which avoids the issue by reading tk_read_base->clock once into a local variable clk and then issue the read function via clk->read(clk). This guarantees that the read() function always gets the proper clocksource pointer handed in.
Since there is now no use for the tkr.read pointer, this patch also removes it, and to address stopping the fast timekeeper during suspend/resume, it introduces a dummy clocksource to use rather than just a dummy read function. Signed-off-by: John Stultz Acked-by: Ingo Molnar Cc: Prarit Bhargava Cc: Richard Cochran Cc: Stephen Boyd Cc: stable Cc: Miroslav Lichvar Cc: Daniel Mentz Link: http://lkml.kernel.org/r/1496965462-20003-2-git-send-email-john.stultz@linaro.org Signed-off-by: Thomas Gleixner include/linux/timekeeper_internal.h | 1 - kernel/time/timekeeping.c | 52 +++++++++++++++++++++++++------------ 2 files changed, 36 insertions(+), 17 deletions(-) commit 53145c2e354b5a5ed031cec7472b4f16bab060c7 Author: Daniel Stone Date: Thu Jun 15 13:35:50 2017 +0100 Revert "HID: magicmouse: Set multi-touch keybits for Magic Mouse" Setting these bits causes libinput to fail to initialize the device; setting BTN_TOUCH and BTN_TOOL_FINGER causes it to treat the mouse as a touchpad, and it then refuses to continue when it discovers ABS_X is not set. This breaks all known Wayland compositors, as well as Xorg when the libinput driver is being used. This reverts commit f4b65b9563216b3e01a5cc844c3ba68901d9b195. Signed-off-by: Daniel Stone Cc: Che-Liang Chiou Cc: Thierry Escande Cc: Jiri Kosina Cc: Benjamin Tissoires Acked-by: Benjamin Tissoires Signed-off-by: Jiri Kosina drivers/hid/hid-magicmouse.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) commit c7ecb9068e6772c43941ce609f08bc53f36e1dce Author: Takashi Iwai Date: Wed Jun 14 07:37:14 2017 +0200 ALSA: hda - Apply quirks to Broxton-T, too Broxton-T was a forgotten child and we didn't apply the quirks for Skylake+ properly. Meanwhile, a quirk for reducing the DMA latency seems specific to the early Broxton model, so we leave as is.
Cc: Signed-off-by: Takashi Iwai sound/pci/hda/hda_intel.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 817ae460c784f32cd45e60b2b1b21378c3c6a847 Author: Daniel Drake Date: Mon Jun 19 19:48:52 2017 -0700 Input: i8042 - add Fujitsu Lifebook AH544 to notimeout list Without this quirk, the touchpad is not responsive on this product, with the following message repeated in the logs: psmouse serio1: bad data from KBC - timeout Add it to the notimeout list alongside other similar Fujitsu laptops. Signed-off-by: Daniel Drake Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ 1 file changed, 7 insertions(+) commit 9705596d08ac87c18aee32cc97f2783b7d14624e Merge: 865be78 949bdfe Author: Linus Torvalds Date: Tue Jun 20 11:02:29 2017 +0800 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "One build fix for an Amlogic clk driver and a handful of Allwinner clk driver fixes for some DT bindings and a randconfig build error that all came in this merge window" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: sunxi-ng: a64: Export PLL_PERIPH0 clock for the PRCM clk: sunxi-ng: h3: Export PLL_PERIPH0 clock for the PRCM dt-bindings: clock: sunxi-ccu: Add pll-periph to PRCM's needed clocks clk: sunxi-ng: sun5i: Fix ahb_bist_clk definition clk: sunxi-ng: enable SUNXI_CCU_MP for PRCM clk: meson: gxbb: fix build error without RESET_CONTROLLER clk: sunxi-ng: v3s: Fix usb otg device reset bit clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset commit 865be78022e9ae8151c755d01201012ccf5e3232 Merge: 41f1830 88931ec Author: Linus Torvalds Date: Tue Jun 20 10:57:06 2017 +0800 Merge tag 'ntb-4.12-bugfixes' of git://github.com/jonmason/ntb Pull NTB fixes from Jon Mason: "NTB bug fixes to address the modinfo in ntb_perf, a couple of bugs in the NTB transport QP calculations, skx doorbells, and 
sleeping in ntb_async_tx_submit" * tag 'ntb-4.12-bugfixes' of git://github.com/jonmason/ntb: ntb: no sleep in ntb_async_tx_submit ntb: ntb_hw_intel: Skylake doorbells should be 32bits, not 64bits ntb_transport: fix bug calculating num_qps_mw ntb_transport: fix qp count bug NTB: ntb_test: fix bug printing ntb_perf results ntb: Correct modinfo usage statement for ntb_perf commit 02d94e04747c5df55410c7b19f3cf72a1a11899b Author: Manish Rangankar Date: Thu Jun 15 00:10:40 2017 -0700 scsi: qedi: Remove WARN_ON from clear task context. Signed-off-by: Manish Rangankar Reviewed-by: Lee Duncan Signed-off-by: Martin K. Petersen drivers/scsi/qedi/qedi_main.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 6ebf81536d3be327c4f5f59bae3b841d62322343 Author: Manish Rangankar Date: Thu Jun 15 00:10:39 2017 -0700 scsi: qedi: Remove WARN_ON for untracked cleanup. Signed-off-by: Manish Rangankar Reviewed-by: Lee Duncan Signed-off-by: Martin K. Petersen drivers/scsi/qedi/qedi_fw.c | 1 - 1 file changed, 1 deletion(-) commit 4a072c71f49b0a0e495ea13423bdb850da73c58c Author: Jason A. Donenfeld Date: Thu Jun 15 00:45:26 2017 +0200 random: silence compiler warnings and fix race Odd versions of gcc for the sh4 architecture will actually warn about flags being used while uninitialized, so we set them to zero. Non crazy gccs will optimize that out again, so it doesn't make a difference. Next, over aggressive gccs could inline the expression that defines use_lock, which could then introduce a race resulting in a lock imbalance. By using READ_ONCE, we prevent that fate. Finally, we make that assignment const, so that gcc can still optimize a nice amount. Finally, we fix a potential deadlock between primary_crng.lock and batched_entropy_reset_lock, where they could be called in opposite order. Moving the call to invalidate_batched_entropy to outside the lock rectifies this issue. Fixes: b169c13de473a85b3c859bb36216a4cb5f00a54a Signed-off-by: Jason A. 
Donenfeld Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org drivers/char/random.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 6e88491cf2a3b17199c78bd53348b39dc6a88275 Author: Junshan Fang Date: Thu Jun 15 14:02:20 2017 +0800 drm/amdgpu: add Polaris12 DID Signed-off-by: Junshan Fang Reviewed-by: Roger.He Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 1 + 1 file changed, 1 insertion(+) commit a8ae0a773d38b4b1d4566b0edcb6bb63f4a9d22f Author: Dhinakaran Pandiyan Date: Mon Jun 19 11:08:28 2017 -0700 drm/i915: Don't enable backlight at setup time. Maarten and Ville noticed that we are enabling backlight via DP aux very early in the modeset_init path via the intel_dp_aux_setup_backlight() function, since commit e7156c833903 ("drm/i915: Add Backlight Control using DPCD for eDP connectors (v9)"). Looks like all we need to do during _setup_backlight() is read the current brightness state instead of modifying it. v2: Rewrote commit message. 
Cc: Ville Syrjala Cc: Maarten Lankhorst Cc: Jani Nikula Cc: Yetunde Adebisi Signed-off-by: Dhinakaran Pandiyan Reviewed-by: Maarten Lankhorst Acked-by: Jani Nikula Tested-by: Puthikorn Voravootivat Fixes: e7156c833903 ("drm/i915: Add Backlight Control using DPCD for eDP connectors (v9)") Link: http://patchwork.freedesktop.org/patch/msgid/1497384239-2965-1-git-send-email-dhinakaran.pandiyan@intel.com Signed-off-by: Ville Syrjälä (cherry picked from commit f6262bda462e81e959b80a96dac799bd9df27f73) Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/1497895708-19422-1-git-send-email-dhinakaran.pandiyan@intel.com drivers/gpu/drm/i915/intel_dp_aux_backlight.c | 2 -- 1 file changed, 2 deletions(-) commit 86fdb3448cc1ffe0e9f55380f1410f1d12c35f95 Author: Xin Long Date: Sat Jun 17 16:10:27 2017 +0800 sctp: ensure ep is not destroyed before doing the dump Now before dumping a sock in sctp_diag, it only holds the sock while the ep may be already destroyed. It can cause a use-after-free panic when accessing ep->asocs. This patch is to set sctp_sk(sk)->ep NULL in sctp_endpoint_destroy, and check if this ep is already destroyed before dumping this ep. Suggested-by: Marcelo Ricardo Leitner Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller net/sctp/endpointola.c | 1 + net/sctp/sctp_diag.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) commit 88931ec3dc11e7dbceb3b0df455693873b508fbe Author: Allen Hubbe Date: Fri Jun 9 18:06:36 2017 -0400 ntb: no sleep in ntb_async_tx_submit Do not sleep in ntb_async_tx_submit, which could deadlock. 
This reverts commit "8c874cc140d667f84ae4642bb5b5e0d6396d2ca4" Fixes: 8c874cc140d6 ("NTB: Address out of DMA descriptor issue with NTB") Reported-by: Jia-Ju Bai Signed-off-by: Allen Hubbe Acked-by: Dave Jiang Signed-off-by: Jon Mason drivers/ntb/ntb_transport.c | 50 +++++++-------------------------------------- 1 file changed, 7 insertions(+), 43 deletions(-) commit 5eb449e15d2396785a8eb15baf42cea33db9ae13 Author: Dave Jiang Date: Thu Jun 8 12:46:45 2017 -0700 ntb: ntb_hw_intel: Skylake doorbells should be 32bits, not 64bits Fixing doorbell register length to 32bits per spec. On Skylake NTB, the doorbell registers are 32bit write only registers. The source for the doorbell is a 64bit register that shows the interrupt bits. Signed-off-by: Dave Jiang Fixes: 783dfa6cc41b ("ntb: Adding Skylake Xeon NTB support") Acked-by: Allen Hubbe Signed-off-by: Jon Mason drivers/ntb/hw/intel/ntb_hw_intel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8e8496e0e9564b66165f5219a4e8ed20b0d3fc6b Author: Logan Gunthorpe Date: Mon Jun 5 14:00:53 2017 -0600 ntb_transport: fix bug calculating num_qps_mw A divide by zero error occurs if qp_count is less than mw_count because num_qps_mw is calculated to be zero. The calculation appears to be incorrect. The requirement is for num_qps_mw to be set to qp_count / mw_count with any remainder divided among the earlier mws. For example, if mw_count is 5 and qp_count is 12 then mws 0 and 1 will have 3 qps per window and mws 2 through 4 will have 2 qps per window. Thus, when mw_num < qp_count % mw_count, num_qps_mw is 1 higher than when mw_num >= qp_count. 
Signed-off-by: Logan Gunthorpe Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") Acked-by: Allen Hubbe Signed-off-by: Jon Mason drivers/ntb/ntb_transport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit cb827ee6ccc3e480f0d9c0e8e53eef55be5b0414 Author: Logan Gunthorpe Date: Mon Jun 5 14:00:52 2017 -0600 ntb_transport: fix qp count bug In cases where there are more mw's than spads/2-2, the mw count gets reduced to match the limitation. ntb_transport also tries to ensure that there are fewer qps than mws but uses the full mw count instead of the reduced one. When this happens, the math in 'ntb_transport_setup_qp_mw' will get confused and result in a kernel paging request bug. This patch fixes the bug by reducing qp_count to the reduced mw count instead of the full mw count. Signed-off-by: Logan Gunthorpe Fixes: e26a5843f7f5 ("NTB: Split ntb_hw_intel and ntb_transport drivers") Acked-by: Allen Hubbe Signed-off-by: Jon Mason drivers/ntb/ntb_transport.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 07b0b22b3e58824f70b9188d085d400069ca3240 Author: Logan Gunthorpe Date: Mon Jun 5 10:13:24 2017 -0600 NTB: ntb_test: fix bug printing ntb_perf results The code mistakenly prints the local perf results for the remote test so the script reports identical results for both directions. Fix this by ensuring we print the remote result. Signed-off-by: Logan Gunthorpe Fixes: a9c59ef77458 ("ntb_test: Add a selftest script for the NTB subsystem") Acked-by: Allen Hubbe Signed-off-by: Jon Mason tools/testing/selftests/ntb/ntb_test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 94fc795454f461134cdffb88bef4eb9f788c0b5d Author: Gary R Hook Date: Thu May 4 11:36:52 2017 -0500 ntb: Correct modinfo usage statement for ntb_perf The order parameters are powers of 2; adjust the usage information to use correct mathematical representations. 
Signed-off-by: Gary R Hook Fixes: 8a7b6a778a85 ("ntb: ntb perf tool") Acked-by: Dave Jiang Signed-off-by: Jon Mason drivers/ntb/test/ntb_perf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 7fe5b914313ff67d71cb2b5aa4b850e0884e75dd Author: Lin Yun Sheng Date: Fri Jun 16 17:24:51 2017 +0800 net/hns:bugfix of ethtool -t phy self_test This patch fixes the phy loopback self_test failed issue. When Marvell Phy Module is loaded, it will powerdown fiber when doing phy loopback self test, which causes phy loopback self_test to fail. Signed-off-by: Lin Yun Sheng Signed-off-by: David S. Miller drivers/net/ethernet/hisilicon/hns/hns_ethtool.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) commit 9745e362add89432d2c951272a99b0a5fe4348a9 Author: Gao Feng Date: Fri Jun 16 15:00:02 2017 +0800 net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev The register_vlan_device would invoke free_netdev directly, when register_vlan_dev failed. It would trigger the BUG_ON in free_netdev if the dev was already registered. In this case, the netdev would be freed in netdev_run_todo later. So add one condition check now. Only when dev is not registered, then free it directly. The following is the part coredump when netdev_upper_dev_link failed in register_vlan_dev. I removed the lines which are too long. [ 411.237457] ------------[ cut here ]------------ [ 411.237458] kernel BUG at net/core/dev.c:7998! [ 411.237484] invalid opcode: 0000 [#1] SMP [ 411.237705] [last unloaded: 8021q] [ 411.237718] CPU: 1 PID: 12845 Comm: vconfig Tainted: G E 4.12.0-rc5+ #6 [ 411.237737] Hardware name: VMware, Inc.
VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/02/2015 [ 411.237764] task: ffff9cbeb6685580 task.stack: ffffa7d2807d8000 [ 411.237782] RIP: 0010:free_netdev+0x116/0x120 [ 411.237794] RSP: 0018:ffffa7d2807dbdb0 EFLAGS: 00010297 [ 411.237808] RAX: 0000000000000002 RBX: ffff9cbeb6ba8fd8 RCX: 0000000000001878 [ 411.237826] RDX: 0000000000000001 RSI: 0000000000000282 RDI: 0000000000000000 [ 411.237844] RBP: ffffa7d2807dbdc8 R08: 0002986100029841 R09: 0002982100029801 [ 411.237861] R10: 0004000100029980 R11: 0004000100029980 R12: ffff9cbeb6ba9000 [ 411.238761] R13: ffff9cbeb6ba9060 R14: ffff9cbe60f1a000 R15: ffff9cbeb6ba9000 [ 411.239518] FS: 00007fb690d81700(0000) GS:ffff9cbebb640000(0000) knlGS:0000000000000000 [ 411.239949] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 411.240454] CR2: 00007f7115624000 CR3: 0000000077cdf000 CR4: 00000000003406e0 [ 411.240936] Call Trace: [ 411.241462] vlan_ioctl_handler+0x3f1/0x400 [8021q] [ 411.241910] sock_ioctl+0x18b/0x2c0 [ 411.242394] do_vfs_ioctl+0xa1/0x5d0 [ 411.242853] ? sock_alloc_file+0xa6/0x130 [ 411.243465] SyS_ioctl+0x79/0x90 [ 411.243900] entry_SYSCALL_64_fastpath+0x1e/0xa9 [ 411.244425] RIP: 0033:0x7fb69089a357 [ 411.244863] RSP: 002b:00007ffcd04e0fc8 EFLAGS: 00000202 ORIG_RAX: 0000000000000010 [ 411.245445] RAX: ffffffffffffffda RBX: 00007ffcd04e2884 RCX: 00007fb69089a357 [ 411.245903] RDX: 00007ffcd04e0fd0 RSI: 0000000000008983 RDI: 0000000000000003 [ 411.246527] RBP: 00007ffcd04e0fd0 R08: 0000000000000000 R09: 1999999999999999 [ 411.246976] R10: 000000000000053f R11: 0000000000000202 R12: 0000000000000004 [ 411.247414] R13: 00007ffcd04e1128 R14: 00007ffcd04e2888 R15: 0000000000000001 [ 411.249129] RIP: free_netdev+0x116/0x120 RSP: ffffa7d2807dbdb0 Signed-off-by: Gao Feng Signed-off-by: David S. 
Miller net/8021q/vlan.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4a9bfafc64f44ef83de4e00ca1b57352af6cd8c2 Author: Takashi Sakamoto Date: Sun Jun 11 16:08:21 2017 +0900 ALSA: firewire-lib: Fix stall of process context at packet error At Linux v3.5, packet processing can be done in process context of ALSA PCM application as well as software IRQ context for OHCI 1394. Below is an example of the callgraph (some calls are omitted). ioctl(2) with e.g. HWSYNC (sound/core/pcm_native.c) ->snd_pcm_common_ioctl1() ->snd_pcm_hwsync() ->snd_pcm_stream_lock_irq (sound/core/pcm_lib.c) ->snd_pcm_update_hw_ptr() ->snd_pcm_udpate_hw_ptr0() ->struct snd_pcm_ops.pointer() (sound/firewire/*) = Each handler on drivers in ALSA firewire stack (sound/firewire/amdtp-stream.c) ->amdtp_stream_pcm_pointer() (drivers/firewire/core-iso.c) ->fw_iso_context_flush_completions() ->struct fw_card_driver.flush_iso_completion() (drivers/firewire/ohci.c) = flush_iso_completions() ->struct fw_iso_context.callback.sc (sound/firewire/amdtp-stream.c) = in_stream_callback() or out_stream_callback() ->... ->snd_pcm_stream_unlock_irq When packet queueing error occurs or detecting invalid packets in 'in_stream_callback()' or 'out_stream_callback()', 'snd_pcm_stop_xrun()' is called on local CPU with disabled IRQ. (sound/firewire/amdtp-stream.c) in_stream_callback() or out_stream_callback() ->amdtp_stream_pcm_abort() ->snd_pcm_stop_xrun() ->snd_pcm_stream_lock_irqsave() ->snd_pcm_stop() ->snd_pcm_stream_unlock_irqrestore() The process is stalled on the CPU due to attempt to acquire recursive lock. [ 562.630853] INFO: rcu_sched detected stalls on CPUs/tasks: [ 562.630861] 2-...: (1 GPs behind) idle=37d/140000000000000/0 softirq=38323/38323 fqs=7140 [ 562.630862] (detected by 3, t=15002 jiffies, g=21036, c=21035, q=5933) [ 562.630866] Task dump for CPU 2: [ 562.630867] alsa-source-OXF R running task 0 6619 1 0x00000008 [ 562.630870] Call Trace: [ 562.630876] ? 
vt_console_print+0x79/0x3e0 [ 562.630880] ? msg_print_text+0x9d/0x100 [ 562.630883] ? up+0x32/0x50 [ 562.630885] ? irq_work_queue+0x8d/0xa0 [ 562.630886] ? console_unlock+0x2b6/0x4b0 [ 562.630888] ? vprintk_emit+0x312/0x4a0 [ 562.630892] ? dev_vprintk_emit+0xbf/0x230 [ 562.630895] ? do_sys_poll+0x37a/0x550 [ 562.630897] ? dev_printk_emit+0x4e/0x70 [ 562.630900] ? __dev_printk+0x3c/0x80 [ 562.630903] ? _raw_spin_lock+0x20/0x30 [ 562.630909] ? snd_pcm_stream_lock+0x31/0x50 [snd_pcm] [ 562.630914] ? _snd_pcm_stream_lock_irqsave+0x2e/0x40 [snd_pcm] [ 562.630918] ? snd_pcm_stop_xrun+0x16/0x70 [snd_pcm] [ 562.630922] ? in_stream_callback+0x3e6/0x450 [snd_firewire_lib] [ 562.630925] ? handle_ir_packet_per_buffer+0x8e/0x1a0 [firewire_ohci] [ 562.630928] ? ohci_flush_iso_completions+0xa3/0x130 [firewire_ohci] [ 562.630932] ? fw_iso_context_flush_completions+0x15/0x20 [firewire_core] [ 562.630935] ? amdtp_stream_pcm_pointer+0x2d/0x40 [snd_firewire_lib] [ 562.630938] ? pcm_capture_pointer+0x19/0x20 [snd_oxfw] [ 562.630943] ? snd_pcm_update_hw_ptr0+0x47/0x3d0 [snd_pcm] [ 562.630945] ? poll_select_copy_remaining+0x150/0x150 [ 562.630947] ? poll_select_copy_remaining+0x150/0x150 [ 562.630952] ? snd_pcm_update_hw_ptr+0x10/0x20 [snd_pcm] [ 562.630956] ? snd_pcm_hwsync+0x45/0xb0 [snd_pcm] [ 562.630960] ? snd_pcm_common_ioctl1+0x1ff/0xc90 [snd_pcm] [ 562.630962] ? futex_wake+0x90/0x170 [ 562.630966] ? snd_pcm_capture_ioctl1+0x136/0x260 [snd_pcm] [ 562.630970] ? snd_pcm_capture_ioctl+0x27/0x40 [snd_pcm] [ 562.630972] ? do_vfs_ioctl+0xa3/0x610 [ 562.630974] ? vfs_read+0x11b/0x130 [ 562.630976] ? SyS_ioctl+0x79/0x90 [ 562.630978] ? entry_SYSCALL_64_fastpath+0x1e/0xad This commit fixes the above bug. This assumes two cases: 1. Any error is detected in software IRQ context of OHCI 1394 context. In this case, PCM substream should be aborted in packet handler. On the other hand, it should not be done in any process context. To distinguish these two contexts, use 'in_interrupt()' macro. 2.
Any error is detected in process context of ALSA PCM application. In this case, PCM substream should not be aborted in packet handler because PCM substream lock is acquired. The task to abort PCM substream should be done in ALSA PCM core. For this purpose, SNDRV_PCM_POS_XRUN is returned at 'struct snd_pcm_ops.pointer()'. Suggested-by: Clemens Ladisch Fixes: e9148dddc3c7("ALSA: firewire-lib: flush completed packets when reading PCM position") Cc: # 4.9+ Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai sound/firewire/amdtp-stream.c | 8 ++++++-- sound/firewire/amdtp-stream.h | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) commit dec6b33163d24e2c19ba521c89fffbaab53ae986 Author: Raju Rangoju Date: Mon Jun 19 19:46:00 2017 +0530 cxgb4: notify uP to route ctrlq compl to rdma rspq During the module initialisation there is a possible race (basically race between uld and lld) where neither the uld nor lld notifies the uP about where to route the ctrl queue completions. LLD skips notifying uP as the rdma queues were not created by then (will leave it to ULD to notify the uP). As the ULD comes up, it also skips notifying the uP as the flag FULL_INIT_DONE is not set yet (ULD assumes that the interface is not up yet). Consequently, this race between uld and lld leaves uP unnotified about where to send the ctrl queue completions to, leading to iwarp RI_RES WR failure. Here is the race: CPU 0 CPU1 - allocates nic rx queues - t4_sge_alloc_ctrl_txq() (if rdma rsp queues exist, tell uP to route ctrl queue compl to rdma rspq) - acquires the mutex_lock - allocates rdma response queues - if FULL_INIT_DONE set, tell uP to route ctrl queue compl to rdma rspq - relinquishes mutex_lock - acquires the mutex_lock - enable_rx() - set FULL_INIT_DONE - relinquishes mutex_lock This patch fixes the above issue.
Fixes: e7519f9926f1('cxgb4: avoid enabling napi twice to the same queue') Signed-off-by: Raju Rangoju Acked-by: Steve Wise CC: Stable # 4.9+ Signed-off-by: Ganesh Goudar Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 41f1830f5a7af77cf5c86359aba3cbd706687e52 Author: Linus Torvalds Date: Mon Jun 19 22:19:37 2017 +0800 Linux 4.12-rc6 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1be7107fbe18eed3e319a6c3e83c78254b693acb Author: Hugh Dickins Date: Mon Jun 19 04:03:24 2017 -0700 mm: larger stack guard gap, between vmas Stack guard page is a useful feature to reduce a risk of stack smashing into a different mapping. We have been using a single page gap which is sufficient to prevent having stack adjacent to a different mapping. But this seems to be insufficient in the light of the stack usage in userspace. E.g. glibc uses as large as 64kB alloca() in many commonly used functions. Others use constructs like gid_t buffer[NGROUPS_MAX] which is 256kB or stack strings with MAX_ARG_STRLEN. This will become especially dangerous for suid binaries and the default no limit for the stack size limit because those applications can be tricked to consume a large portion of the stack and a single glibc call could jump over the guard page. These attacks are not theoretical, unfortunately. Make those attacks less probable by increasing the stack guard gap to 1MB (on systems with 4k pages; but make it depend on the page size because systems with larger base pages might cap stack allocations in the PAGE_SIZE units) which should cover larger alloca() and VLA stack allocations. It is obviously not a full fix because the problem is somehow inherent, but it should reduce attack space a lot. One could argue that the gap size should be configurable from userspace, but that can be done later when somebody finds that the new 1MB is wrong for some special case applications.
For now, add a kernel command line option (stack_guard_gap) to specify the stack gap size (in page units). Implementation wise, first delete all the old code for stack guard page: because although we could get away with accounting one extra page in a stack vma, accounting a larger gap can break userspace - case in point, a program run with "ulimit -S -v 20000" failed when the 1MB gap was counted for RLIMIT_AS; similar problems could come with RLIMIT_MLOCK and strict non-overcommit mode. Instead of keeping gap inside the stack vma, maintain the stack guard gap as a gap between vmas: using vm_start_gap() in place of vm_start (or vm_end_gap() in place of vm_end if VM_GROWSUP) in just those few places which need to respect the gap - mainly arch_get_unmapped_area(), and the vma tree's subtree_gap support for that. Original-patch-by: Oleg Nesterov Original-patch-by: Michal Hocko Signed-off-by: Hugh Dickins Acked-by: Michal Hocko Tested-by: Helge Deller # parisc Signed-off-by: Linus Torvalds Documentation/admin-guide/kernel-parameters.txt | 7 ++ arch/arc/mm/mmap.c | 2 +- arch/arm/mm/mmap.c | 4 +- arch/frv/mm/elf-fdpic.c | 2 +- arch/mips/mm/mmap.c | 2 +- arch/parisc/kernel/sys_parisc.c | 15 ++- arch/powerpc/mm/hugetlbpage-radix.c | 2 +- arch/powerpc/mm/mmap.c | 4 +- arch/powerpc/mm/slice.c | 2 +- arch/s390/mm/mmap.c | 4 +- arch/sh/mm/mmap.c | 4 +- arch/sparc/kernel/sys_sparc_64.c | 4 +- arch/sparc/mm/hugetlbpage.c | 2 +- arch/tile/mm/hugetlbpage.c | 2 +- arch/x86/kernel/sys_x86_64.c | 4 +- arch/x86/mm/hugetlbpage.c | 2 +- arch/xtensa/kernel/syscall.c | 2 +- fs/hugetlbfs/inode.c | 2 +- fs/proc/task_mmu.c | 4 - include/linux/mm.h | 53 ++++----- mm/gup.c | 5 - mm/memory.c | 38 ------ mm/mmap.c | 149 ++++++++++++++---------- 23 files changed, 152 insertions(+), 163 deletions(-) commit 1132d5e7b64445b3fa3cb982e6723e33318f7655 Merge: 3696e4f a1858df Author: Linus Torvalds Date: Mon Jun 19 16:50:09 2017 +0800 Merge tag 'armsoc-fixes' of
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "Stream of fixes has slowed down, only a few this week: - Some DT fixes for Allwinner platforms, and addition of a clock to the R_CCU clock controller that had been missed. - A couple of small DT fixes for am335x-sl50" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: arm64: allwinner: a64: Add PLL_PERIPH0 clock to the R_CCU ARM: sunxi: h3-h5: Add PLL_PERIPH0 clock to the R_CCU ARM: dts: am335x-sl50: Fix cannot claim requested pins for spi0 ARM: dts: am335x-sl50: Fix card detect pin for mmc1 arm64: allwinner: h5: Remove syslink to shared DTSI ARM: sunxi: h3/h5: fix the compatible of R_CCU commit b7f5dd36e0c5cb9ca1070a5e0f22f666bcff07ef Author: Ville Syrjälä Date: Thu Jun 1 17:36:14 2017 +0300 drm/i915: Plumb the correct acquire ctx into intel_crtc_disable_noatomic() If intel_crtc_disable_noatomic() were to ever get called during resume we'd end up deadlocking since resume has its own acquire_ctx but intel_crtc_disable_noatomic() still tries to use the mode_config.acquire_ctx. Pass down the correct acquire ctx from the top. Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Fixes: e2c8b8701e2d ("drm/i915: Use atomic helpers for suspend, v2.") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170601143619.27840-3-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit da1d0e265535634bba80d44510b864c620549bee) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_display.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 17b206c27366f3cee816eaf86fafc6a11f628ecf Author: Ville Syrjälä Date: Thu Jun 1 17:36:13 2017 +0300 drm/i915: Fix deadlock with the pipe A quirk during resume Pass down the correct acquire context to the pipe A quirk load detect hack during display resume. Avoids deadlocking the entire thing.
Cc: stable@vger.kernel.org Cc: Maarten Lankhorst Fixes: e2c8b8701e2d ("drm/i915: Use atomic helpers for suspend, v2.") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170601143619.27840-2-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit aecd36b8a16b2302b33f49ba3fa24c955f1e32f7) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_display.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) commit ce2c58724f7d07e76dadfeba53d6877a9e67341d Author: Chris Wilson Date: Fri Jun 9 12:03:47 2017 +0100 drm/i915: Remove __GFP_NORETRY from our buffer allocator I tried __GFP_NORETRY in the belief that __GFP_RECLAIM was effective. It struggles with handling reclaim of our dirty buffers and relies on reclaim via kswapd. As a result, a single pass of direct reclaim is unreliable when i915 occupies the majority of available memory, and the only means of effectively waiting on kswapd to make progress is by not setting the __GFP_NORETRY flag and looping. That leaves us with the dilemma of invoking the oomkiller instead of propagating the allocation failure back to userspace where it can be handled more gracefully (one hopes). In the future we may have __GFP_MAYFAIL to allow repeats up until we genuinely run out of memory and the oomkiller would have been invoked. Until then, let the oomkiller wreak havoc. v2: Stop playing with side-effects of gfp flags and await __GFP_MAYFAIL v3: Update comments that direct reclaim only appears to be ignoring our dirty buffers!
Fixes: 24f8e00a8a2e ("drm/i915: Prefer to report ENOMEM rather than incur the oom for gfx allocations") Testcase: igt/gem_tiled_swapping Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Joonas Lahtinen Cc: Daniel Vetter Cc: Michal Hocko Link: http://patchwork.freedesktop.org/patch/msgid/20170609110350.1767-2-chris@chris-wilson.co.uk Reviewed-by: Joonas Lahtinen (cherry picked from commit eaf41801559a687cc7511c04dc712984765c9dd7) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) commit b8d5a9ccfba5fc084b50b00b9f5b587a8e64b72c Author: Chris Wilson Date: Fri Jun 9 12:03:46 2017 +0100 drm/i915: Encourage our shrinker more when our shmemfs allocations fails Commit 24f8e00a8a2e ("drm/i915: Prefer to report ENOMEM rather than incur the oom for gfx allocations") made the bold decision to try and avoid the oomkiller by reporting -ENOMEM to userspace if our allocation failed after attempting to free enough buffer objects. In short, it appears we were giving up too easily (even before we start wondering if one pass of reclaim is as strong as we would like). Part of the problem is that if we only shrink just enough pages for our expected allocation, the likelihood of those pages becoming available to us is less than 100%. To counter-act that we ask for twice the number of pages to be made available. Furthermore, we allow the shrinker to pull pages from the active list in later passes. v2: Be a little more cautious in paging out gfx buffers, and leave that to a more balanced approach from shrink_slab(). Important when combined with "drm/i915: Start writeback from the shrinker" as anything shrunk is immediately swapped out and so should be more conservative.
Fixes: 24f8e00a8a2e ("drm/i915: Prefer to report ENOMEM rather than incur the oom for gfx allocations") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Joonas Lahtinen Cc: Daniel Vetter Reviewed-by: Joonas Lahtinen Link: http://patchwork.freedesktop.org/patch/msgid/20170609110350.1767-1-chris@chris-wilson.co.uk (cherry picked from commit 4846bf0ca8cb4304dde6140eff33a92b3fe8ef24) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem.c | 50 ++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 21 deletions(-) commit a21ef715fbb8210c50b1d684145f8acdf2339596 Author: Chris Wilson Date: Thu Jun 15 14:11:29 2017 +0100 drm/i915: Differentiate between sw write location into ring and last hw read We need to keep track of the last location we ask the hw to read up to (RING_TAIL) separately from our last write location into the ring, so that in the event of a GPU reset we do not tell the HW to proceed into a partially written request (which can happen if that request is waiting for an external signal before being executed). 
v2: Refactor intel_ring_reset() (Mika) Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100144 Testcase: igt/gem_exec_fence/await-hang Fixes: 821ed7df6e2a ("drm/i915: Update reset path to fix incomplete requests") Fixes: d55ac5bf97c6 ("drm/i915: Defer transfer onto execution timeline to actual hw submission") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: Mika Kuoppala Link: http://patchwork.freedesktop.org/patch/msgid/20170425130049.26147-1-chris@chris-wilson.co.uk Reviewed-by: Mika Kuoppala (cherry picked from commit e6ba9992de6c63fe86c028b4876338e1cb7dac34) Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20170615131129.3061-1-chris@chris-wilson.co.uk drivers/gpu/drm/i915/i915_gem_request.c | 2 +- drivers/gpu/drm/i915/i915_guc_submission.c | 4 +-- drivers/gpu/drm/i915/intel_lrc.c | 6 ++--- drivers/gpu/drm/i915/intel_ringbuffer.c | 41 ++++++++++++++++++++---------- drivers/gpu/drm/i915/intel_ringbuffer.h | 19 ++++++++++++-- 5 files changed, 48 insertions(+), 24 deletions(-) commit 4b153ca989a9bf61f622ded32e1d689df88edaa5 Merge: 46f8cd9 68dd02d Author: David S. Miller Date: Mon Jun 19 00:03:51 2017 -0400 Merge tag 'mac80211-for-davem-2017-06-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Here's just the fix for that ancient bug: * remove wext calling ndo_do_ioctl, since nobody needs that now and it makes the type change easier * use struct iwreq instead of struct ifreq almost everywhere in wireless extensions code * copy only struct iwreq from userspace in dev_ioctl for the wireless extensions, since it's smaller than struct ifreq ==================== Signed-off-by: David S. Miller commit 46f8cd9d2fc1e4e8b82b53a0007f6c92e80c930b Author: Haishuang Yan Date: Sat Jun 17 11:38:05 2017 +0800 ip6_tunnel: Correct tos value in collect_md mode Same as ip_gre, geneve and vxlan, use key->tos as traffic class value. 
CC: Peter Dawson Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets”) Signed-off-by: Haishuang Yan Acked-by: Peter Dawson Signed-off-by: David S. Miller net/ipv6/ip6_tunnel.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a1858df975edf6706e7a5a3ae000e52d81076807 Merge: 51b6e28 f74994a Author: Olof Johansson Date: Sun Jun 18 20:42:21 2017 -0700 Merge tag 'sunxi-fixes-for-4.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes Allwinner fixes for 4.12 A few fixes around the PRCM support that got in 4.12 with a wrong compatible, and a missing clock in the binding. * tag 'sunxi-fixes-for-4.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: arm64: allwinner: a64: Add PLL_PERIPH0 clock to the R_CCU ARM: sunxi: h3-h5: Add PLL_PERIPH0 clock to the R_CCU arm64: allwinner: h5: Remove syslink to shared DTSI ARM: sunxi: h3/h5: fix the compatible of R_CCU Signed-off-by: Olof Johansson commit 51b6e2813ca1d7cb530d5f834ea22f1ae52b7e35 Merge: 151d1d7 db145db Author: Olof Johansson Date: Sun Jun 18 18:55:12 2017 -0700 Merge tag 'omap-for-v4.12/fixes-sl50' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Two fixes for am335x-sl50 to fix a boot time error for claiming SPI pins, and to fix a SDIO card detect pin for production version of the device. * tag 'omap-for-v4.12/fixes-sl50' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: am335x-sl50: Fix cannot claim requested pins for spi0 ARM: dts: am335x-sl50: Fix card detect pin for mmc1 Signed-off-by: Olof Johansson commit 3696e4f0b0072eb9753ffa1387be1dd2ebe2cb8f Merge: 7d62d94 e41b135 Author: Linus Torvalds Date: Mon Jun 19 09:25:05 2017 +0900 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio bugfix from Michael Tsirkin: "It turns out balloon does not handle IOMMUs correctly. 
We should fix that at some point, for now let's just disable this configuration" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_balloon: disable VIOMMU support commit 7d62d947605640b403fcb75d7928241d34231b4a Merge: b3ee4ed 17e8354 Author: Linus Torvalds Date: Mon Jun 19 09:20:25 2017 +0900 Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Two driver bugfixes" * 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: ismt: fix wrong device address when unmap the data buffer i2c: rcar: use correct length when unmapping DMA commit b3ee4edd8a18a5ff7c077b6b112692f1d6e9dd16 Merge: edf9364 bcd7c45 Author: Linus Torvalds Date: Mon Jun 19 09:01:01 2017 +0900 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus Pull MIPS fixes from Ralf Baechle: - Three highmem fixes: + Fixed mapping initialization + Adjust the pkmap location + Ensure we use at most one page for PTEs - Fix makefile dependencies for .its targets to depend on vmlinux - Fix reversed condition in BNEZC and JIALC software branch emulation - Only flush initialized flush_insn_slot to avoid NULL pointer dereference - perf: Remove incorrect odd/even counter handling for I6400 - ftrace: Fix init functions tracing * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: .its targets depend on vmlinux MIPS: Fix bnezc/jialc return address calculation MIPS: kprobes: flush_insn_slot should flush only if probe initialised MIPS: ftrace: fix init functions tracing MIPS: mm: adjust PKMAP location MIPS: highmem: ensure that we don't use more than one page for PTEs MIPS: mm: fixed mappings: correct initialisation MIPS: perf: Remove incorrect odd/even counter handling for I6400 commit 779f19ac9d5858a2c159030c0c166f7da46b74ae Author: Hans de Goede Date: Sun Jun 18 15:10:26 2017 -0700 Input: soc_button_array - fix leaking the ACPI button 
descriptor buffer We are passing a buffer with ACPI_ALLOCATE_BUFFER set to acpi_evaluate_object, so we must free it when we are done with it. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov drivers/input/misc/soc_button_array.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) commit e41b1355508debe45fda33ef8c03ff3ba5d206b9 Author: Michael S. Tsirkin Date: Tue Jun 13 20:56:44 2017 +0300 virtio_balloon: disable VIOMMU support virtio balloon bypasses the DMA API entirely so does not support the VIOMMU right now. It's not clear we need that support, for now let's just make sure we don't pretend to support it. Cc: stable@vger.kernel.org Cc: Wei Wang Fixes: 1a937693993f ("virtio: new feature to detect IOMMU device quirk") Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang drivers/virtio/virtio_balloon.c | 7 +++++++ 1 file changed, 7 insertions(+) commit edf9364d3f924aff6f77176b8e52a4b68e5c30d6 Merge: 4f51d57 d9ee35a Author: Linus Torvalds Date: Sun Jun 18 18:49:12 2017 +0900 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "Two fixlets for x86: - Handle WARN_ONs proper with the new UD based WARN implementation - Disable 1G mappings when 2M mappings are disabled by kmemleak or debug_pagealloc. Otherwise 1G mappings might still be used, confusing the debug mechanisms" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/mm: Disable 1GB direct mappings when disabling 2MB mappings x86/debug: Handle early WARN_ONs proper commit 4f51d57f3ff0f30bd805ff5bd04587a6145e1f73 Merge: 0be5255 94114c3 Author: Linus Torvalds Date: Sun Jun 18 18:46:51 2017 +0900 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "Three fixlets for timers: - Two hot-fixes for the alarmtimer based posix timers, which prevent a nasty DOS by self rescheduling timers. 
The proper cleanup of that mess is queued for 4.13 - Make a function static" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tick/broadcast: Make tick_broadcast_setup_oneshot() static alarmtimer: Rate limit periodic intervals alarmtimer: Prevent overflow of relative timers commit 0be5255c88dace8b4e0ef19f2a9c3d0f3598c6e6 Merge: a1ff31d 252d2a4 Author: Linus Torvalds Date: Sun Jun 18 18:45:17 2017 +0900 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Thomas Gleixner: "Two small fixes for the scheduler core: - Use the proper switch_mm() variant in idle_task_exit() because that code is not called with interrupts disabled. - Fix a confusing typo in a printk" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() sched/fair: Fix typo in printk message commit a1ff31d74663077524aae3c2e90a76590c5002e8 Merge: 2277ba7 531c221 Author: Linus Torvalds Date: Sun Jun 18 18:42:31 2017 +0900 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "Three fixes for the perf user space side: - Fix the probing of precise_ip level, which got broken recently for x86.
- Unbreak the ARCH=x86_64 build - Report module before trying to unwind into the module code, which avoids broken stack frames displayed" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf unwind: Report module before querying isactivation in dwfl unwind perf tools: Fix build with ARCH=x86_64 perf evsel: Fix probing of precise_ip level for default cycles event commit 2277ba7cfd43c557eab882757b64755eb0a8ea95 Merge: 0cbf341 fa07ab7 Author: Linus Torvalds Date: Sun Jun 18 18:40:41 2017 +0900 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Thomas Gleixner: "Add a missing resource release to an error path" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: genirq: Release resources in __setup_irq() error path commit 0cbf3415087c9ec997300b8ba15c12d26ac28e0a Merge: 374d801 92b0a14 Author: Linus Torvalds Date: Sun Jun 18 18:38:42 2017 +0900 Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull objtool fix from Thomas Gleixner: "A single fix which adds fortify_panic to the list of no return functions" * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: objtool: Add fortify_panic as __noreturn function commit 374d801522fb4a809395c188b1a867c5ebcda752 Merge: 19ea9d6 436c4c45 Author: Linus Torvalds Date: Sun Jun 18 08:51:35 2017 +0900 Merge tag 'led_fixes_for_4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds Pull LED fixes from Jacek Anaszewski: "Two LED fixes: - fix signal source assignment for leds-bcm6328 - revert patch that intended to fix LED behavior on suspend but it had a side effect preventing suspend at all due to uevent being sent on trigger removal" * tag 'led_fixes_for_4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds: Revert "leds: handle suspend/resume in heartbeat trigger" leds: bcm6328: fix 
signal source assignment for leds 4 to 7 commit 19ea9d668a1f9f1e5e6752549150795a6693e6ad Merge: 1be627d f16443a Author: Linus Torvalds Date: Sun Jun 18 08:39:54 2017 +0900 Merge tag 'usb-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small gadget and xhci USB fixes for 4.12-rc6. Nothing major, but one of the gadget patches does fix a reported oops, and the xhci ones resolve reported problems. All have been in linux-next with no reported issues" * tag 'usb-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk usb: xhci: Fix USB 3.1 supported protocol parsing USB: gadget: fix GPF in gadgetfs usb: gadget: composite: make sure to reactivate function on unbind commit 1be627dfa74d9eee1eca1bc48653e461366a2bb9 Merge: 6e20350 ed6456a Author: Linus Torvalds Date: Sun Jun 18 08:36:30 2017 +0900 Merge tag 'staging-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging and IIO fixes from Greg KH: "Here are some small staging and IIO driver fixes for 4.12-rc6. Nothing huge, just a few small driver fixes for reported issues. 
All have been in linux-next with no reported issues" * tag 'staging-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: Staging: rtl8723bs: fix an error code in isFileReadable() iio: buffer-dmaengine: Add missing header buffer_impl.h iio: buffer-dma: Add missing header buffer_impl.h iio: adc: meson-saradc: fix potential crash in meson_sar_adc_clear_fifo iio: adc: mxs-lradc: Fix return value check in mxs_lradc_adc_probe() iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500 staging: iio: ad7152: Fix deadlock in ad7152_write_raw_samp_freq() commit 6e203506599bdd1e73f4850d94ccc762980fd9cd Merge: adc3110 4ca2fea Author: Linus Torvalds Date: Sun Jun 18 08:23:02 2017 +0900 Merge tag 'ceph-for-4.12-rc6' of git://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "A fix for an old ceph ->fh_to_* bug from Luis and two timestamp fixups from Zheng, prompted by the ongoing y2038 work" * tag 'ceph-for-4.12-rc6' of git://github.com/ceph/ceph-client: ceph: unify inode i_ctime update ceph: use current_kernel_time() to get request time stamp ceph: check i_nlink while converting a file handle to dentry commit 77e9ce327d9b607cd6e57c0f4524a654dc59c4b1 Author: Al Viro Date: Sat Jun 17 15:44:06 2017 -0400 ufs: fix the logics for tail relocation * original hysteresis loop got broken by typo back in 2002; now it never switches out of OPTTIME state. Fixed. * critical levels for switching from OPTTIME to OPTSPACE and back ought to be calculated once, at mount time. * we should use mul_u64_u32_div() for those calculations, now that ->s_dsize is 64bit. * to quote Kirk McKusick (in 1995 FreeBSD commit message): The threshold for switching from time-space and space-time is too small when minfree is 5%...so make it stay at space in this case. 
Signed-off-by: Al Viro fs/ufs/balloc.c | 22 ++++++---------------- fs/ufs/super.c | 9 +++++++++ fs/ufs/ufs_fs.h | 2 ++ 3 files changed, 17 insertions(+), 16 deletions(-) commit 57db7e4a2d92c2d3dfbca4ef8057849b2682436b Author: Eric W. Biederman Date: Tue Jun 13 04:31:16 2017 -0500 signal: Only reschedule timers on signals timers have sent Thomas Gleixner wrote:

> The CRIU support added a 'feature' which allows a user space task to send
> arbitrary (kernel) signals to itself. The changelog says:
>
>   The kernel prevents sending of siginfo with positive si_code, because
>   these codes are reserved for kernel. I think we can allow a task to
>   send such a siginfo to itself. This operation should not be dangerous.
>
> Quite contrary to that claim, it turns out that it is outright dangerous
> for signals with info->si_code == SI_TIMER. The following code sequence in
> a user space task allows to crash the kernel:
>
>    id = timer_create(CLOCK_XXX, ..... signo = SIGX);
>    timer_set(id, ....);
>    info->si_signo = SIGX;
>    info->si_code = SI_TIMER:
>    info->_sifields._timer._tid = id;
>    info->_sifields._timer._sys_private = 2;
>    rt_[tg]sigqueueinfo(..., SIGX, info);
>    sigemptyset(&sigset);
>    sigaddset(&sigset, SIGX);
>    rt_sigtimedwait(sigset, info);
>
> For timers based on CLOCK_PROCESS_CPUTIME_ID, CLOCK_THREAD_CPUTIME_ID this
> results in a kernel crash because sigwait() dequeues the signal and the
> dequeue code observes:
>
>    info->si_code == SI_TIMER && info->_sifields._timer._sys_private != 0
>
> which triggers the following callchain:
>
>    do_schedule_next_timer() -> posix_cpu_timer_schedule() -> arm_timer()
>
> arm_timer() executes a list_add() on the timer, which is already armed via
> the timer_set() syscall. That's a double list add which corrupts the posix
> cpu timer list. As a consequence the kernel crashes on the next operation
> touching the posix cpu timer list.
>
> Posix clocks which are internally implemented based on hrtimers are not
> affected by this because hrtimer_start() can handle already armed timers
> nicely, but it's a reliable way to trigger the WARN_ON() in
> hrtimer_forward(), which complains about calling that function on an
> already armed timer.

This problem has existed since the posix timer code was merged into 2.5.63. A few releases earlier in 2.5.60 ptrace gained the ability to inject not just a signal (which linux has supported since 1.0) but the full siginfo of a signal.

The core problem is that the code will reschedule in response to signals getting dequeued not just for signals the timers sent but for other signals that happen to have a si_code of SI_TIMER.

Avoid this confusion by testing to see if the queued signal was preallocated as all timer signals are preallocated, and so far only the timer code preallocates signals.

Move the check for if a timer needs to be rescheduled up into collect_signal where the preallocation check must be performed, and pass the result back to dequeue_signal where the code reschedules timers. This makes it clear why the code cares about preallocated timers.

Cc: stable@vger.kernel.org Reported-by: Thomas Gleixner History Tree: https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Reference: 66dd34ad31e5 ("signal: allow to send any siginfo to itself") Reference: 1669ce53e2ff ("Add PTRACE_GETSIGINFO and PTRACE_SETSIGINFO") Fixes: db8b50ba75f2 ("[PATCH] POSIX clocks & timers") Signed-off-by: "Eric W. Biederman" kernel/signal.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) commit c0ef65d2928249e822b813beb41b6c1478c556ab Author: Al Viro Date: Fri Jun 16 23:54:47 2017 -0400 ufs_iget(): fail with -ESTALE on deleted inode Signed-off-by: Al Viro fs/ufs/inode.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) commit 23ac7cba73bb2c6e80f9cdebeb39dc3dad34ebb3 Author: Al Viro Date: Fri Jun 16 23:49:17 2017 -0400 fix signedness of timestamps on ufs1 Signed-off-by: Al Viro fs/ufs/inode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit adc311034c356e884d180df25deb046cef3e8c75 Merge: c8636b9 95989c4 Author: Linus Torvalds Date: Sat Jun 17 17:34:41 2017 +0900 Merge tag 'xfs-4.12-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux Pull xfs fix from Darrick Wong: "One more bugfix for you for 4.12-rc6 to fix something that came up in an earlier rc: - Fix some bogus ASSERT failures on CONFIG_SMP=n and CONFIG_XFS_DEBUG=y" * tag 'xfs-4.12-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux: xfs: fix spurious spin_is_locked() assert failures on non-smp kernels commit c8636b90a091331beb0a26c455a0c87b93aa774a Merge: ccd3d90 a8fad98 Author: Linus Torvalds Date: Sat Jun 17 17:30:07 2017 +0900 Merge branch 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull ufs fixes from Al Viro: "Fix assorted ufs bugs: a couple of deadlocks, fs corruption in truncate(), oopsen on tail unpacking and truncate when racing with vmscan, mild fs corruption (free blocks stats summary buggered, *BSD fsck would complain and fix), several instances of broken logics around reserved blocks (starting with "check almost never triggers when it should" and then there are issues with sufficiently large UFS2)" [ Note: ufs hasn't gotten any loving in a long time, because nobody really seems to use it. These ufs fixes are triggered by people actually caring now, not some sudden influx of new bugs.
- Linus ] * 'ufs-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs_truncate_blocks(): fix the case when size is in the last direct block ufs: more deadlock prevention on tail unpacking ufs: avoid grabbing ->truncate_mutex if possible ufs_get_locked_page(): make sure we have buffer_heads ufs: fix s_size/s_dsize users ufs: fix reserved blocks check ufs: make ufs_freespace() return signed ufs: fix logics in "ufs: make fsck -f happy" commit ccd3d905f74abbfef4960d6262f057fbb4a02903 Merge: 1439ccf 4068367 Author: Linus Torvalds Date: Sat Jun 17 17:26:53 2017 +0900 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fixes from Al Viro: "A couple of fixes; a leak in mntns_install() caught by Andrei (this cycle regression) + d_invalidate() softlockup fix - that had been reported by a bunch of people lately, but the problem is pretty old" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fs: don't forget to put old mntns in mntns_install Hang/soft lockup in d_invalidate with simultaneous calls commit 1439ccf73d9c07654fdd5b4969fd53c2feb8684d Merge: 3a44829 98dbf5a Author: Linus Torvalds Date: Sat Jun 17 06:53:20 2017 +0900 Merge tag 'pci-v4.12-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: - fix another PCI_ENDPOINT build error (merged for v4.12) - fix error codes added to config accessors for v4.12 * tag 'pci-v4.12-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI: endpoint: Select CRC32 to fix test build error PCI: Make error code types consistent in pci_{read,write}_config_* commit 3a448294b79ace48cf8ecbbffdeceae49bae00cc Merge: 162f73f b429f96 Author: Linus Torvalds Date: Sat Jun 17 06:51:25 2017 +0900 Merge tag 'fbdev-v4.12-rc6' of git://github.com/bzolnier/linux Pull fbdev fixes from Bartlomiej Zolnierkiewicz: - fix udlfb driver to stop spamming logs (Mike Gerow) - add missing endianness conversions in 
smscufx & udlfb drivers (Johan Hovold) - fix few gcc warnings/errors (Arnd Bergmann) * tag 'fbdev-v4.12-rc6' of git://github.com/bzolnier/linux: video: fbdev: udlfb: drop log level for blanking video: fbdev: via: remove possibly unused variables video: fbdev: add missing USB-descriptor endianness conversions video: fbdev: avoid int-in-bool-context warning commit 162f73f4b974aa08ab37e9d59f0428edfa8dbc51 Merge: 5ac447d d7143e3 Author: Linus Torvalds Date: Sat Jun 17 06:49:34 2017 +0900 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "5 fixes" * emailed patches from Andrew Morton : mm: correct the comment when reclaimed pages exceed the scanned pages userfaultfd: shmem: handle coredumping in handle_userfault() mm: numa: avoid waiting on freed migrated pages swap: cond_resched in swap_cgroup_prepare() mm/memory-failure.c: use compound_head() flags for huge pages commit d7143e31259cb029e207619209b31aa7520f8e28 Author: zhongjiang Date: Fri Jun 16 14:02:40 2017 -0700 mm: correct the comment when reclaimed pages exceed the scanned pages Commit e1587a494540 ("mm: vmpressure: fix sending wrong events on underflow") declared that reclaimed pages exceed the scanned pages due to the thp reclaim. That is incorrect because THP will be split to normal page and loop again, which will result in the scanned pages increment. [akpm@linux-foundation.org: tweak comment text] Link: http://lkml.kernel.org/r/1496824266-25235-1-git-send-email-zhongjiang@huawei.com Signed-off-by: zhongjiang Acked-by: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/vmpressure.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 64c2b20301f62c697352c8028c569b1b2bdd8e82 Author: Andrea Arcangeli Date: Fri Jun 16 14:02:37 2017 -0700 userfaultfd: shmem: handle coredumping in handle_userfault() Anon and hugetlbfs handle FOLL_DUMP set by get_dump_page() internally to __get_user_pages().
shmem as opposed has no special FOLL_DUMP handling there so handle_mm_fault() is invoked without mmap_sem and ends up calling handle_userfault() that isn't expecting to be invoked without mmap_sem held. This makes handle_userfault() fail immediately if invoked through shmem_vm_ops->fault during coredumping and solves the problem. The side effect is a BUG_ON with no lock held triggered by the coredumping process which exits. Only 4.11 is affected, pre-4.11 anon memory holes are skipped in __get_user_pages by checking FOLL_DUMP explicitly against empty pagetables (mm/gup.c:no_page_table()). It's zero cost as we already had a check for current->flags to prevent futex to trigger userfaults during exit (PF_EXITING). Link: http://lkml.kernel.org/r/20170615214838.27429-1-aarcange@redhat.com Signed-off-by: Andrea Arcangeli Reported-by: "Dr. David Alan Gilbert" Cc: [4.11+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/userfaultfd.c | 29 +++++++++++++++++++++-------- 1 file changed, 21 insertions(+), 8 deletions(-) commit 3c226c637b69104f6b9f1c6ec5b08d7b741b3229 Author: Mark Rutland Date: Fri Jun 16 14:02:34 2017 -0700 mm: numa: avoid waiting on freed migrated pages In do_huge_pmd_numa_page(), we attempt to handle a migrating thp pmd by waiting until the pmd is unlocked before we return and retry. However, we can race with migrate_misplaced_transhuge_page():

    // do_huge_pmd_numa_page                // migrate_misplaced_transhuge_page()
    // Holds 0 refs on page                 // Holds 2 refs on page

    vmf->ptl = pmd_lock(vma->vm_mm, vmf->pmd);
    /* ... */
    if (pmd_trans_migrating(*vmf->pmd)) {
            page = pmd_page(*vmf->pmd);
            spin_unlock(vmf->ptl);
                                            ptl = pmd_lock(mm, pmd);
                                            if (page_count(page) != 2) {
                                                    /* roll back */
                                            }
                                            /* ... */
                                            mlock_migrate_page(new_page, page);
                                            /* ... */
                                            spin_unlock(ptl);
                                            put_page(page);
                                            put_page(page); // page freed here
            wait_on_page_locked(page);
            goto out;
    }

This can result in the freed page having its waiters flag set unexpectedly, which trips the PAGE_FLAGS_CHECK_AT_PREP checks in the page alloc/free functions. This has been observed on arm64 KVM guests. We can avoid this by having do_huge_pmd_numa_page() take a reference on the page before dropping the pmd lock, mirroring what we do in __migration_entry_wait(). When we hit the race, migrate_misplaced_transhuge_page() will see the reference and abort the migration, as it may do today in other cases. Fixes: b8916634b77bffb2 ("mm: Prevent parallel splits during THP migration") Link: http://lkml.kernel.org/r/1497349722-6731-2-git-send-email-will.deacon@arm.com Signed-off-by: Mark Rutland Signed-off-by: Will Deacon Acked-by: Steve Capper Acked-by: Kirill A. Shutemov Acked-by: Vlastimil Babka Cc: Mel Gorman Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit ef70762948dde012146926720b70e79736336764 Author: Yu Zhao Date: Fri Jun 16 14:02:31 2017 -0700 swap: cond_resched in swap_cgroup_prepare() I saw need_resched() warnings when swapping on large swapfile (TBs) because continuously allocating many pages in swap_cgroup_prepare() took too long. We already cond_resched when freeing page in swap_cgroup_swapoff(). Do the same for the page allocation. Link: http://lkml.kernel.org/r/20170604200109.17606-1-yuzhao@google.com Signed-off-by: Yu Zhao Acked-by: Michal Hocko Acked-by: Vladimir Davydov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/swap_cgroup.c | 3 +++ 1 file changed, 3 insertions(+) commit 7258ae5c5a2ce2f5969e8b18b881be40ab55433d Author: James Morse Date: Fri Jun 16 14:02:29 2017 -0700 mm/memory-failure.c: use compound_head() flags for huge pages memory_failure() chooses a recovery action function based on the page flags.
For huge pages it uses the tail page flags which don't have anything interesting set, resulting in:

> Memory failure: 0x9be3b4: Unknown page state
> Memory failure: 0x9be3b4: recovery action for unknown page: Failed

Instead, save a copy of the head page's flags if this is a huge page, this means if there are no relevant flags for this tail page, we use the head page's flags instead. This results in the me_huge_page() recovery action being called:

> Memory failure: 0x9b7969: recovery action for huge page: Delayed

For hugepages that have not yet been allocated, this allows the hugepage to be dequeued. Fixes: 524fca1e7356 ("HWPOISON: fix misjudgement of page_action() for errors on mlocked pages") Link: http://lkml.kernel.org/r/20170524130204.21845-1-james.morse@arm.com Signed-off-by: James Morse Tested-by: Punit Agrawal Acked-by: Punit Agrawal Acked-by: Naoya Horiguchi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memory-failure.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 5ac447d268601f88264ad18a13e7177a455007bb Merge: ab2789b a093c92 Author: Linus Torvalds Date: Sat Jun 17 05:57:54 2017 +0900 Merge tag 'powerpc-4.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Three small fixes for recently merged code: - remove a spurious WARN_ON when a PCI device has no of_node, it's allowed in some circumstances for there to be no of_node. - fix the offset for store EOI MMIOs in the XIVE interrupt controller. - fix non-const WARN_ONs which were becoming BUGs due to them losing BUGFLAG_WARNING in a recent cleanup patch.
Thanks to: Alexey Kardashevskiy, Alistair Popple, Benjamin Herrenschmidt" * tag 'powerpc-4.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/debug: Add missing warn flag to WARN_ON's non-builtin path powerpc/xive: Fix offset for store EOI MMIOs powerpc/npu-dma: Remove spurious WARN_ON when a PCI device has no of_node commit 531c221df182af5a7fc2bf7ba7eee89354fe9a10 Merge: 63f700a 9126cbb Author: Ingo Molnar Date: Fri Jun 16 21:33:48 2017 +0200 Merge tag 'perf-urgent-for-mingo-4.12-20170616' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fix probing of precise_ip level for default cycles event, that got broken recently on x86_64 when its arch code started considering invalid requesting precise samples when not sampling (i.e. when attr.sample_period == 0). This also fixes another problem in s/390 where the precision probing with sample_period == 0 returned precise_ip > 0, that then, when setting up the real cycles event (not probing) would return EOPNOTSUPP for precise_ip > 0 (as determined previously by probing) and sample_period > 0. These problems resulted in attr_precise not being set to the highest precision available on x86.64 when no event was specified, i.e. the canonical: perf record ./workload would end up using attr.precise_ip = 0. As a workaround this would need to be done: perf record -e cycles:P ./workload And on s/390 it would plain not work, requiring using: perf record -e cycles ./workload as a workaround. (Arnaldo Carvalho de Melo) - Fix perf build with ARCH=x86_64, when ARCH should be transformed into ARCH=x86, just like with the main kernel Makefile and tools/objtool's, i.e. use SRCARCH. (Jiada Wang) - Avoid accessing uninitialized data structures when unwinding with elfutils's libdw, making it more closely mimic libunwind's unwinder. 
(Milian Wolff) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 76371d2e3ad1f84426a30ebcd8c3b9b98f4c724f Author: Wei Wang Date: Fri Jun 16 10:46:37 2017 -0700 decnet: always not take dst->__refcnt when inserting dst into hash table In the existing dn_route.c code, dn_route_output_slow() takes dst->__refcnt before calling dn_insert_route() while dn_route_input_slow() does not take dst->__refcnt before calling dn_insert_route(). This makes the whole routing code very buggy. In dn_dst_check_expire(), dnrt_free() is called when rt expires. This makes the routes inserted by dn_route_output_slow() not able to be freed as the refcnt is not released. In dn_dst_gc(), dnrt_drop() is called to release rt which could potentially cause the dst->__refcnt to be dropped to -1. In dn_run_flush(), dst_free() is called to release all the dst. Again, it makes the dst inserted by dn_route_output_slow() not able to be released and also, it does not wait on the rcu and could potentially cause crash in the path where other users still refer to this dst. This patch makes sure both input and output path do not take dst->__refcnt before calling dn_insert_route() and also makes sure dnrt_free()/dst_free() is called when removing dst from the hash table. The only difference between those 2 calls is that dnrt_free() waits on the rcu while dst_free() does not. Signed-off-by: Wei Wang Acked-by: Martin KaFai Lau Signed-off-by: David S. Miller net/decnet/dn_route.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) commit 9126cbbacecb8917bd0418809ef1d26616b2061e Author: Milian Wolff Date: Fri Jun 2 16:37:53 2017 +0200 perf unwind: Report module before querying isactivation in dwfl unwind The PC returned by dwfl_frame_pc() may map into a not-yet-reported module. We have to report it before we continue unwinding. 
But when we query for the isactivation flag in dwfl_frame_pc, libdw will actually do one more unwinding step internally which can then break and lead to missed frames or broken stacks. With libunwind we get e.g.: ~~~~~ heaptrack_gui 2228 135073.400474: 613969 cycles: 108c8e [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1093bc [unknown] (/usr/lib/libQt5Core.so.5.8.0) 109e7b QLocale::QLocale (/usr/lib/libQt5Core.so.5.8.0) 1470ff [unknown] (/usr/lib/libQt5Core.so.5.8.0) 147f67 QSystemLocale::query (/usr/lib/libQt5Core.so.5.8.0) 109fbf QLocalePrivate::updateSystemPrivate (/usr/lib/libQt5Core.so.5.8.0) 10aa27 QLocale::QLocale (/usr/lib/libQt5Core.so.5.8.0) 1e02c3 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 2113bb [unknown] (/usr/lib/libQt5Core.so.5.8.0) 211505 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1b5df0 QFileInfo::exists (/usr/lib/libQt5Core.so.5.8.0) 92eb2 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 93423 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 93d2a QLibraryInfo::location (/usr/lib/libQt5Core.so.5.8.0) 2170af [unknown] (/usr/lib/libQt5Core.so.5.8.0) 297c53 QCoreApplicationPrivate::init (/usr/lib/libQt5Core.so.5.8.0) f7cde QGuiApplicationPrivate::init (/usr/lib/libQt5Gui.so.5.8.0) 1589e8 QApplicationPrivate::init (/usr/lib/libQt5Widgets.so.5.8.0) 78622 main (/home/milian/projects/compiled/other/bin/heaptrack_gui) 20439 __libc_start_main (/usr/lib/libc-2.25.so) 78299 _start (/home/milian/projects/compiled/other/bin/heaptrack_gui) heaptrack_gui 2228 135073.401156: 569521 cycles: 131633 QString::endsWith (/usr/lib/libQt5Core.so.5.8.0) 1a0701 QDir::cleanPath (/usr/lib/libQt5Core.so.5.8.0) 21b82d [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1b3727 QFileInfo::canonicalFilePath (/usr/lib/libQt5Core.so.5.8.0) 2780c7 QFactoryLoader::update (/usr/lib/libQt5Core.so.5.8.0) 279525 QFactoryLoader::QFactoryLoader (/usr/lib/libQt5Core.so.5.8.0) e5bd0 QPlatformIntegrationFactory::create (/usr/lib/libQt5Gui.so.5.8.0) f5a1c QGuiApplicationPrivate::createPlatformIntegration 
(/usr/lib/libQt5Gui.so.5.8.0) f650c QGuiApplicationPrivate::createEventDispatcher (/usr/lib/libQt5Gui.so.5.8.0) 298524 QCoreApplicationPrivate::init (/usr/lib/libQt5Core.so.5.8.0) f7cde QGuiApplicationPrivate::init (/usr/lib/libQt5Gui.so.5.8.0) 1589e8 QApplicationPrivate::init (/usr/lib/libQt5Widgets.so.5.8.0) 78622 main (/home/milian/projects/compiled/other/bin/heaptrack_gui) 20439 __libc_start_main (/usr/lib/libc-2.25.so) 78299 _start (/home/milian/projects/compiled/other/bin/heaptrack_gui) ~~~~~ Note the two frames 1589e8 and 78622 in the first sample. These are missing when unwinding with libdw. The second sample's breakage is more obvious: ~~~~~ heaptrack_gui 2228 135073.400474: 613969 cycles: 108c8e [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1093bc [unknown] (/usr/lib/libQt5Core.so.5.8.0) 109e7b QLocale::QLocale (/usr/lib/libQt5Core.so.5.8.0) 1470ff [unknown] (/usr/lib/libQt5Core.so.5.8.0) 147f67 QSystemLocale::query (/usr/lib/libQt5Core.so.5.8.0) 109fbf QLocalePrivate::updateSystemPrivate (/usr/lib/libQt5Core.so.5.8.0) 10aa27 QLocale::QLocale (/usr/lib/libQt5Core.so.5.8.0) 1e02c3 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 2113bb [unknown] (/usr/lib/libQt5Core.so.5.8.0) 211505 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1b5df0 QFileInfo::exists (/usr/lib/libQt5Core.so.5.8.0) 92eb2 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 93423 [unknown] (/usr/lib/libQt5Core.so.5.8.0) 93d2a QLibraryInfo::location (/usr/lib/libQt5Core.so.5.8.0) 2170af [unknown] (/usr/lib/libQt5Core.so.5.8.0) 297c53 QCoreApplicationPrivate::init (/usr/lib/libQt5Core.so.5.8.0) f7cde QGuiApplicationPrivate::init (/usr/lib/libQt5Gui.so.5.8.0) 20439 __libc_start_main (/usr/lib/libc-2.25.so) 78299 _start (/home/milian/projects/compiled/other/bin/heaptrack_gui) heaptrack_gui 2228 135073.401156: 569521 cycles: 131633 QString::endsWith (/usr/lib/libQt5Core.so.5.8.0) 1a0701 QDir::cleanPath (/usr/lib/libQt5Core.so.5.8.0) 21b82d [unknown] (/usr/lib/libQt5Core.so.5.8.0) 1b3727 QFileInfo::canonicalFilePath 
(/usr/lib/libQt5Core.so.5.8.0) 2780c7 QFactoryLoader::update (/usr/lib/libQt5Core.so.5.8.0) 279525 QFactoryLoader::QFactoryLoader (/usr/lib/libQt5Core.so.5.8.0) e5bd0 QPlatformIntegrationFactory::create (/usr/lib/libQt5Gui.so.5.8.0) 723dbf [unknown] ([unknown]) ~~~~~ This patch fixes this issue and the libdw unwinder mimics the libunwind behavior more closely. Signed-off-by: Milian Wolff Acked-by: Jan Kratochvil Cc: Jiri Olsa Cc: Namhyung Kim Link: http://lkml.kernel.org/r/20170602143753.16907-2-milian.wolff@kdab.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/unwind-libdw.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit f1925ca50deb48eddafc01bc12c2a17bfbf54425 Author: Haishuang Yan Date: Thu Jun 15 10:29:30 2017 +0800 ip6_tunnel: fix potential issue in __ip6_tnl_rcv When __ip6_tnl_rcv fails, the tun_dst won't be freed, so call dst_release to free it in error code path. Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels") CC: Alexei Starovoitov Tested-by: Zhang Shengju Signed-off-by: Haishuang Yan Signed-off-by: David S. Miller net/ipv6/ip6_tunnel.c | 2 ++ 1 file changed, 2 insertions(+) commit 469f87e158628fe66dcbbce9dd5e7b7acfe934a9 Author: Haishuang Yan Date: Thu Jun 15 10:29:29 2017 +0800 ip_tunnel: fix potential issue in ip_tunnel_rcv When ip_tunnel_rcv fails, the tun_dst won't be freed, so call dst_release to free it in error code path. Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.") Acked-by: Eric Dumazet Acked-by: Pravin B Shelar Tested-by: Zhang Shengju Signed-off-by: Haishuang Yan Signed-off-by: David S. Miller net/ipv4/ip_tunnel.c | 2 ++ 1 file changed, 2 insertions(+) commit bf05fc25f268cd62f147f368fe65ad3e5b04fe9f Author: Ravi Bangoria Date: Thu Jun 15 19:16:48 2017 +0530 powerpc/perf: Fix oops when kthread execs user process When a kthread calls call_usermodehelper() the steps are: 1. allocate current->mm 2. load_elf_binary() 3.
populate current->thread.regs While doing this, interrupts are not disabled. If there is a perf interrupt in the middle of this process (i.e. step 1 has completed but not yet reached to step 3) and if perf tries to read userspace regs, kernel oops with following log: Unable to handle kernel paging request for data at address 0x00000000 Faulting instruction address: 0xc0000000000da0fc ... Call Trace: perf_output_sample_regs+0x6c/0xd0 perf_output_sample+0x4e4/0x830 perf_event_output_forward+0x64/0x90 __perf_event_overflow+0x8c/0x1e0 record_and_restart+0x220/0x5c0 perf_event_interrupt+0x2d8/0x4d0 performance_monitor_exception+0x54/0x70 performance_monitor_common+0x158/0x160 --- interrupt: f01 at avtab_search_node+0x150/0x1a0 LR = avtab_search_node+0x100/0x1a0 ... load_elf_binary+0x6e8/0x15a0 search_binary_handler+0xe8/0x290 do_execveat_common.isra.14+0x5f4/0x840 call_usermodehelper_exec_async+0x170/0x210 ret_from_kernel_thread+0x5c/0x7c Fix it by setting abi to PERF_SAMPLE_REGS_ABI_NONE when userspace pt_regs are not set. Fixes: ed4a4ef85cf5 ("powerpc/perf: Add support for sampling interrupt register state") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Ravi Bangoria Acked-by: Naveen N. Rao Signed-off-by: Michael Ellerman arch/powerpc/perf/perf_regs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit d89ba5353f301971dd7d2f9fdf25c4432728f38e Author: Naveen N. Rao Date: Wed Jun 14 00:12:00 2017 +0530 powerpc/64s: Handle data breakpoints in Radix mode On Power9, trying to use data breakpoints throws the splat shown below. This is because the check for a data breakpoint in DSISR is in do_hash_page(), which is not called when in Radix mode. 
Unable to handle kernel paging request for data at address 0xc000000000e19218 Faulting instruction address: 0xc0000000001155e8 cpu 0x0: Vector: 300 (Data Access) at [c0000000ef1e7b20] pc: c0000000001155e8: find_pid_ns+0x48/0xe0 lr: c000000000116ac4: find_task_by_vpid+0x44/0x90 sp: c0000000ef1e7da0 msr: 9000000000009033 dar: c000000000e19218 dsisr: 400000 Move the check to handle_page_fault() so as to catch data breakpoints in both Hash and Radix MMU modes. We have to change the check in do_hash_page() against 0xa410 to use 0xa450, so as to include the value of (DSISR_DABRMATCH << 16). There are two sites that call handle_page_fault() when in Radix, both already pass DSISR in r4. Fixes: caca285e5ab4 ("powerpc/mm/radix: Use STD_MMU_64 to properly isolate hash related code") Cc: stable@vger.kernel.org # v4.7+ Reported-by: Shriya R. Kulkarni Signed-off-by: Naveen N. Rao [mpe: Fix the fall-through case on hash, we need to reload DSISR] Signed-off-by: Michael Ellerman arch/powerpc/kernel/exceptions-64s.S | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) commit c05b8c4474c03026aaa7f8872e78369f69f1bb08 Author: Naveen N. Rao Date: Thu Jun 1 16:18:17 2017 +0530 powerpc/kprobes: Skip livepatch_handler() for jprobes ftrace_caller() depends on a modified regs->nip to detect if a certain function has been livepatched. However, with KPROBES_ON_FTRACE, it is possible for regs->nip to have been modified by the kprobes pre_handler (jprobes, for instance). In this case, we do not want to invoke the livepatch_handler so as not to consume the livepatch stack. To distinguish between the two (kprobes and livepatch), we check if there is an active kprobe on the current function. If there is, then we know for sure that it must have modified the NIP as we don't support livepatching a kprobe'd function. In this case, we simply skip the livepatch_handler and branch to the new NIP. Otherwise, the livepatch_handler is invoked. 
Fixes: ead514d5fb30 ("powerpc/kprobes: Add support for KPROBES_ON_FTRACE") Signed-off-by: Naveen N. Rao Reviewed-by: Masami Hiramatsu Signed-off-by: Michael Ellerman arch/powerpc/include/asm/kprobes.h | 1 + arch/powerpc/kernel/kprobes.c | 6 ++++ arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 39 ++++++++++++++++++++++---- 3 files changed, 41 insertions(+), 5 deletions(-) commit a4979a7e71eb8da976cbe4a0a1fa50636e76b04f Author: Naveen N. Rao Date: Thu Jun 1 16:18:16 2017 +0530 powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS For DYNAMIC_FTRACE_WITH_REGS, we should be passing-in the original set of registers in pt_regs, to capture the state _before_ ftrace_caller. However, we are instead passing the stack pointer *after* allocating a stack frame in ftrace_caller. Fix this by saving the proper value of r1 in pt_regs. Also, use SAVE_10GPRS() to simplify the code. Fixes: 153086644fd1 ("powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI") Cc: stable@vger.kernel.org # v4.6+ Signed-off-by: Naveen N. Rao Signed-off-by: Michael Ellerman arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) commit a9f8553e935f26cb5447f67e280946b0923cd2dc Author: Naveen N. Rao Date: Thu Jun 1 16:18:15 2017 +0530 powerpc/kprobes: Pause function_graph tracing during jprobes handling This fixes a crash when function_graph and jprobes are used together. This is essentially commit 237d28db036e ("ftrace/jprobes/x86: Fix conflict between jprobes and function graph tracing"), but for powerpc. Jprobes breaks function_graph tracing since the jprobe hook needs to use jprobe_return(), which never returns back to the hook, but instead to the original jprobe'd function. The solution is to momentarily pause function_graph tracing before invoking the jprobe hook and re-enable it when returning back to the original jprobe'd function. 
Fixes: 6794c78243bf ("powerpc64: port of the function graph tracer") Cc: stable@vger.kernel.org # v2.6.30+ Signed-off-by: Naveen N. Rao Acked-by: Masami Hiramatsu Acked-by: Steven Rostedt (VMware) Signed-off-by: Michael Ellerman arch/powerpc/kernel/kprobes.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit ab2789b72df3cf7a01e30636ea86cbbf44ba2e99 Merge: 20223f0 19e72d3 Author: Linus Torvalds Date: Fri Jun 16 18:45:47 2017 +0900 Merge tag 'configfs-for-4.12' of git://git.infradead.org/users/hch/configfs Pull configfs updates from Christoph Hellwig: "A fix from Nic for a race seen in production (including a stable tag). And while I'm sending you this I'm also sneaking in a trivial new helper from Bart so that we don't need inter-tree dependencies for the next merge window" * tag 'configfs-for-4.12' of git://git.infradead.org/users/hch/configfs: configfs: Introduce config_item_get_unless_zero() configfs: Fix race between create_link and configfs_rmdir commit 20223f0f39ea9d31ece08f04ac79f8c4e8d98246 Author: Christoph Hellwig Date: Fri Jun 16 11:08:24 2017 +0200 fs: pass on flags in compat_writev Fixes: 793b80ef14af ("vfs: pass a flags argument to vfs_readv/vfs_writev") Signed-off-by: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds fs/read_write.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 35abcd4f9f303ac4f10f99b3f7e993e5f2e6fa37 Author: Arend Van Spriel Date: Fri Jun 16 09:36:35 2017 +0100 brcmfmac: fix uninitialized warning in brcmf_usb_probe_phase2() This fixes the following warning: drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c: In function 'brcmf_usb_probe_phase2': drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c:1198:2: warning: 'devinfo' may be used uninitialized in this function [-Wmaybe-uninitialized] mutex_unlock(&devinfo->dev_init_lock); Fixes: 6d0507a777fb ("brcmfmac: add parameter to pass error code in firmware callback") Cc: Stephen Rothwell Reported-by: Kalle Valo Signed-off-by: Arend van 
Spriel Signed-off-by: Kalle Valo drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 92b0a1416be587b87c8ff489b6a74fd929048ca7 Author: Kees Cook Date: Thu Jun 15 08:20:35 2017 -0500 objtool: Add fortify_panic as __noreturn function CONFIG_FORTIFY_SOURCE=y implements fortify_panic() as a __noreturn function, so objtool needs to know about it too. Suggested-by: Daniel Micay Tested-by: Stephen Rothwell Signed-off-by: Kees Cook Signed-off-by: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1497532835-32704-1-git-send-email-jpoimboe@redhat.com Signed-off-by: Ingo Molnar tools/objtool/builtin-check.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3bee1970b32d0c9d1ce986df4b4b58e5e8185c80 Merge: db96d58 2483561 Author: Linus Torvalds Date: Fri Jun 16 17:49:52 2017 +0900 Merge tag 'mmc-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fix from Ulf Hansson: "MMC meson-gx host: work around broken SDIO with certain WiFi chips" * tag 'mmc-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: meson-gx: work around broken SDIO with certain WiFi chips commit db96d5853e7d55f1d469d51a93ab38ce3bd72daa Merge: 51ce5f3 7119dbd Author: Linus Torvalds Date: Fri Jun 16 17:46:47 2017 +0900 Merge tag 'drm-fixes-for-v4.12-rc6' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "This is the main fixes pull for 4.12-rc6, all pretty normal for this stage, nothing really stands out. The mxsfb one is probably the largest and it's for a black screen boot problem. 
AMD, i915, mgag200, mxsfb, tegra fixes" * tag 'drm-fixes-for-v4.12-rc6' of git://people.freedesktop.org/~airlied/linux: drm: mxsfb_crtc: Reset the eLCDIF controller drm/mgag200: Fix to always set HiPri for G200e4 V2 drm/tegra: Correct idr_alloc() minimum id drm/tegra: Fix lockup on a use of staging API gpu: host1x: Fix error handling drm/radeon: Fix overflow of watermark calcs at > 4k resolutions. drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions. drm/radeon: fix "force the UVD DPB into VRAM as well" drm/i915: Fix GVT-g PVINFO version compatibility check drm/i915: Fix SKL+ watermarks for 90/270 rotation drm/i915: Fix scaling check for 90/270 degree plane rotation drm: dw-hdmi: Fix compilation breakage by selecting REGMAP_MMIO commit 51ce5f332940ea114426db57772fe0ed18cc2790 Merge: f69d64d d470264 Author: Linus Torvalds Date: Fri Jun 16 17:38:23 2017 +0900 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "I had thought at the time of the last pull request that there wouldn't be much more to go, but several things just kept trickling in over the last week. Instead of just the six patches to bnxt_re that I had anticipated, there are another five IPoIB patches, two qedr patches, and a few other miscellaneous patches. The bnxt_re patches are more lines of diff than I like to submit this late in the game. That's mostly because of the first two patches in the series of six. I almost dropped them just because of the lines of churn, but on a close review, a lot of the churn came from removing duplicated code sections and consolidating them into callable routines. I felt like this made the number of lines of change more acceptable, and they address problems, so I left them. The remainder of the patches are all small, well contained, and well understood.
These have passed 0day testing, but have not been submitted to linux-next (but a local merge test with your current master was without any conflicts). Summary: - A fix for fix eea40b8f624 ("infiniband: call ipv6 route lookup via the stub interface") - Six patches against bnxt_re...the first two are considerably larger than I would like, but as they address real issues I went ahead and submitted them (it also helped that a good deal of the churn was removing code repeated in multiple places and consolidating it to one common function) - Two fixes against qedr that just came in - One fix against rxe that took a few revisions to get right plus time to get the proper reviews - Five late breaking IPoIB fixes - One late cxgb4 fix" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: rdma/cxgb4: Fix memory leaks during module exit IB/ipoib: Fix memory leak in create child syscall IB/ipoib: Fix access to un-initialized napi struct IB/ipoib: Delete napi in device uninit default IB/ipoib: Limit call to free rdma_netdev for capable devices IB/ipoib: Fix memory leaks for child interfaces priv rxe: Fix a sleep-in-atomic bug in post_one_send RDMA/qedr: Add 64KB PAGE_SIZE support to user-space queues RDMA/qedr: Initialize byte_len in WC of READ and SEND commands RDMA/bnxt_re: Remove FMR support RDMA/bnxt_re: Fix RQE posting logic RDMA/bnxt_re: Add HW workaround for avoiding stall for UD QPs RDMA/bnxt_re: Dereg MR in FW before freeing the fast_reg_page_list RDMA/bnxt_re: HW workarounds for handling specific conditions RDMA/bnxt_re: Fixing the Control path command and response handling IB/addr: Fix setting source address in addr6_resolve() commit f69d64deedc19ed1345d5e75176671a84e0cccdc Merge: e78e462 bf5d008 Author: Linus Torvalds Date: Fri Jun 16 17:30:44 2017 +0900 Merge tag 'platform-drivers-x86-v4.12-2' of git://git.infradead.org/linux-platform-drivers-x86 Pull x86 platform driver fix from Darren Hart: "Just a single patch to fix an oops in the 
intel_telemetry_debugfs module load/unload" * tag 'platform-drivers-x86-v4.12-2' of git://git.infradead.org/linux-platform-drivers-x86: platform/x86: intel_telemetry_debugfs: fix oops when load/unload module commit e78e4626d43ce3143cb6d2942735d75595be7d1e Merge: cbfb749 dc9edc4 Author: Linus Torvalds Date: Fri Jun 16 17:26:10 2017 +0900 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block layer fix from Jens Axboe: "Just a single fix this week, fixing a regression introduced in this release. When we put the final reference to the queue, we may need to block. Ensure that we can safely do so. From Bart" * 'for-linus' of git://git.kernel.dk/linux-block: block: Fix a blk_exit_rl() regression commit cbfb74973753e109f28705f6b98c8c8cc381b047 Merge: 550ad8e a814c35 Author: Linus Torvalds Date: Fri Jun 16 17:13:06 2017 +0900 Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging Pull dmi fixes from Jean Delvare. * 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: firmware: dmi_scan: Check DMI structure length firmware: dmi: Fix permissions of product_family firmware: dmi_scan: Make dmi_walk and dmi_walk_early return real error codes firmware: dmi_scan: Look for SMBIOS 3 entry point first commit 550ad8ef390cbd4c2efc7a8e398add2e753abe7e Merge: a090bd4 023f108 Author: Linus Torvalds Date: Fri Jun 16 17:00:29 2017 +0900 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull selinux fix from James Morris: "Fix for a double free bug in SELinux" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: selinux: fix double free in selinux_parse_opts_str() commit a093c92dc7f96a15de98ec8cfe38e6f7610a5969 Author: Alexey Kardashevskiy Date: Wed Jun 14 13:01:25 2017 +1000 powerpc/debug: Add missing warn flag to WARN_ON's non-builtin path When trapped on WARN_ON(), report_bug() is expected to return BUG_TRAP_TYPE_WARN so 
the caller will increment NIP by 4 and continue. The __builtin_constant_p() path of the PPC's WARN_ON() calls (indirectly) __WARN_FLAGS() which has BUGFLAG_WARNING set, however the other branch does not which makes report_bug() report a bug rather than a warning. Fixes: f26dee15103f ("debug: Avoid setting BUGFLAG_WARNING twice") Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman arch/powerpc/include/asm/bug.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3d3efb68c19e539f0535c93a5258c1299270215f Author: Paul Mackerras Date: Tue Jun 6 14:35:30 2017 +1000 KVM: PPC: Book3S HV: Ignore timebase offset on POWER9 DD1 POWER9 DD1 has an erratum where writing to the TBU40 register, which is used to apply an offset to the timebase, can cause the timebase to lose counts. This results in the timebase on some CPUs getting out of sync with other CPUs, which then results in misbehaviour of the timekeeping code. To work around the problem, we make KVM ignore the timebase offset for all guests on POWER9 DD1 machines. This means that live migration cannot be supported on POWER9 DD1 machines. Cc: stable@vger.kernel.org # v4.10+ Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit be56a099e0f990532e10c940a3778303cc5a0d91 Merge: 3b1bbaf 31ac933 Author: David S. Miller Date: Thu Jun 15 22:22:23 2017 -0400 Merge tag 'mlx5-fixes-2017-06-14' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== Mellanox mlx5 fixes 2017-06-14 This series contains some fixes for the mlx5 core and netdev driver. Please pull and let me know if there's any problem. 
For -stable: ("net/mlx5: Wait for FW readiness before initializing command interface") kernels >= 4.4 ("net/mlx5e: Fix timestamping capabilities reporting") kernels >= 4.5 ("net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it") kernels >= 4.9 ("net/mlx5e: Fix min inline value for VF rep SQs") kernels >= 4.11 The "net/mlx5e: Fix min inline .." (a oneliner patch) doesn't cleanly apply to 4.11, it hits a contextual conflict and can be easily resolved by: + mlx5_query_min_inline(mdev, &priv->params.tx_min_inline_mode); to the end of mlx5e_build_rep_netdev_priv. Note the 2nd parameter of mlx5_query_min_inline is slightly different from the original one. ==================== Signed-off-by: David S. Miller commit 7ceaa6dcd8c6f59588428cec37f3c8093dd1011f Author: Paul Mackerras Date: Fri Jun 16 11:53:19 2017 +1000 KVM: PPC: Book3S HV: Save/restore host values of debug registers At present, HV KVM on POWER8 and POWER9 machines loses any instruction or data breakpoint set in the host whenever a guest is run. Instruction breakpoints are currently only used by xmon, but ptrace and the perf_event subsystem can set data breakpoints as well as xmon. To fix this, we save the host values of the debug registers (CIABR, DAWR and DAWRX) before entering the guest and restore them on exit. To provide space to save them in the stack frame, we expand the stack frame allocated by kvmppc_hv_entry() from 112 to 144 bytes. 
Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv_rmhandlers.S | 45 +++++++++++++++++++++++---------- 1 file changed, 32 insertions(+), 13 deletions(-) commit 7119dbdf7c52042acb1b02f116fa3257e97659ea Merge: 91c0719 c380f68 Author: Dave Airlie Date: Fri Jun 16 10:01:52 2017 +1000 Merge tag 'drm-intel-fixes-2017-06-15' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes drm/i915 fixes for v4.12-rc6 * tag 'drm-intel-fixes-2017-06-15' of git://anongit.freedesktop.org/git/drm-intel: drm/i915: Fix GVT-g PVINFO version compatibility check drm/i915: Fix SKL+ watermarks for 90/270 rotation drm/i915: Fix scaling check for 90/270 degree plane rotation commit 91c0719c695a1fcba6a9728eb013eb6e3c7f3487 Merge: 1b22f6d7 0f93332 Author: Dave Airlie Date: Fri Jun 16 10:01:04 2017 +1000 Merge tag 'drm-misc-fixes-2017-06-15' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes Driver Changes: - dw-hdmi: Fix compilation error if REGMAP_MMIO not selected (Laurent) - host1x: Fix incorrect return value (Christophe) - tegra: Shore up idr API usage in tegra staging code (Dmitry) - mgag200: Always use HiPri mode for G200e4v2 and limit max bandwidth (Mathieu) - mxsfb: Ensure display can be lit up without bootloader initialization (Fabio) Cc: Laurent Pinchart Cc: Christophe JAILLET Cc: Dmitry Osipenko Cc: Mathieu Larouche Cc: Fabio Estevam * tag 'drm-misc-fixes-2017-06-15' of git://anongit.freedesktop.org/git/drm-misc: drm: mxsfb_crtc: Reset the eLCDIF controller drm/mgag200: Fix to always set HiPri for G200e4 V2 drm/tegra: Correct idr_alloc() minimum id drm/tegra: Fix lockup on a use of staging API gpu: host1x: Fix error handling drm: dw-hdmi: Fix compilation breakage by selecting REGMAP_MMIO commit 1b22f6d72ab45e0a1912bc7af2efd43e70a5ab59 Merge: 32c1431 55f61a0 Author: Dave Airlie Date: Fri Jun 16 10:00:11 2017 +1000 Merge branch 'drm-fixes-4.12' 
of git://people.freedesktop.org/~agd5f/linux into drm-fixes A few fixes for 4.12: - fix a UVD regression on SI - fix overflow in watermark calcs on large modes * 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux: drm/radeon: Fix overflow of watermark calcs at > 4k resolutions. drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions. drm/radeon: fix "force the UVD DPB into VRAM as well" commit 91ebcd1b97aea87172e8ae8871f1f328b9fa9c05 Author: Aurelien Jacquiot Date: Thu Jun 15 11:41:17 2017 +0200 MAINTAINERS: update email address for C6x maintainer Aurelien has moved. Signed-off-by: Aurelien Jacquiot Signed-off-by: Mark Salter MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 31ac93386d135a6c96de9c8bab406f5ccabf5a4d Author: Or Gerlitz Date: Thu Jun 15 20:08:32 2017 +0300 net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it The error flow of mlx5e_create_netdev calls the cleanup call of the given profile without checking if it exists, fix that. Currently the VF reps don't register that callback and we crash if getting into error -- can be reproduced by the user doing ctrl^C while attempting to change the sriov mode from legacy to switchdev. Fixes: 26e59d8077a3 '(net/mlx5e: Implement mlx5e interface attach/detach callbacks') Signed-off-by: Or Gerlitz Reported-by: Sabrina Dubroca Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9cfb4f719264f3eeb68122371ad70fd5bf2e10bb Author: Or Gerlitz Date: Sun Jun 11 19:32:12 2017 +0300 net/mlx5e: Remove TC header re-write offloading of ip tos Currently the firmware API is partial and allows to offload only the dscp part of the tos, also, ipv6 support isn't there yet. As such, remove the offloading option of ipv4 dscp till the FW APIs are more comprehensive. 
Fixes: d79b6df6b10a ('net/mlx5e: Add parsing of TC pedit actions to HW format') Signed-off-by: Or Gerlitz Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 1 - 1 file changed, 1 deletion(-) commit 9d1cef196b2687e9338c4268a3aa0ca521686bc9 Author: Or Gerlitz Date: Sun Jun 4 19:36:17 2017 +0300 net/mlx5: Properly check applicability of devlink eswitch commands Currently we don't check that the link type is Eth and hence crash on IB ports when attempting to deref esw->xxx, fix that. To avoid repeating this check over and over, put the existing checks and the one on link type in a single helper. Fixes: 7768d1971de6 ('net/mlx5: E-Switch, Add control for encapsulation') Signed-off-by: Or Gerlitz Reported-by: Mohamad Badarnah Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 77 +++++++++++----------- 1 file changed, 40 insertions(+), 37 deletions(-) commit 5f195c2c5cba60241004146cd12d71451d6b0fc4 Author: Chris Mi Date: Tue May 16 07:07:11 2017 -0400 net/mlx5e: Fix min inline value for VF rep SQs The offending commit only changed the code path for PF/VF, but it didn't take care of VF representors. As a result, since params->tx_min_inline_mode for VF representors is kzalloced to 0 (MLX5_INLINE_MODE_NONE), all VF reps SQs were set to that mode. This actually works on CX5 by default but broke CX4. Fix that by adding a call to query the min inline mode from the VF rep build up code. 
Fixes: a6f402e49901 ("net/mlx5e: Tx, no inline copy on ConnectX-5") Signed-off-by: Chris Mi Reviewed-by: Or Gerlitz Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 ++ 1 file changed, 2 insertions(+) commit f0b381178b01b831f9907d72f467d6443afdea67 Author: Maor Dickman Date: Thu May 18 15:15:08 2017 +0300 net/mlx5e: Fix timestamping capabilities reporting Misuse of (BIT) macro caused to report wrong flags for "Hardware Transmit Timestamp Modes" and "Hardware Receive Filter Modes" Fixes: ef9814deafd0 ('net/mlx5e: Add HW timestamping (TS) support') Signed-off-by: Maor Dickman Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 6c780a0267b8a1075f40b39851132eeaefefcff5 Author: Eli Cohen Date: Thu Jun 8 11:33:16 2017 -0500 net/mlx5: Wait for FW readiness before initializing command interface Before attempting to initialize the command interface we must wait till the fw_initializing bit is clear. If we fail to meet this condition the hardware will drop our configuration, specifically the descriptors page address. This scenario can happen when the firmware is still executing an FLR flow and did not finish yet so the driver needs to wait for that to finish. 
Fixes: e3297246c2c8 ('net/mlx5_core: Wait for FW readiness on startup') Signed-off-by: Eli Cohen Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/main.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) commit f16443a034c7aa359ddf6f0f9bc40d01ca31faea Author: Alan Stern Date: Tue Jun 13 15:23:42 2017 -0400 USB: gadgetfs, dummy-hcd, net2280: fix locking for callbacks Using the syzkaller kernel fuzzer, Andrey Konovalov generated the following error in gadgetfs: > BUG: KASAN: use-after-free in __lock_acquire+0x3069/0x3690 > kernel/locking/lockdep.c:3246 > Read of size 8 at addr ffff88003a2bdaf8 by task kworker/3:1/903 > > CPU: 3 PID: 903 Comm: kworker/3:1 Not tainted 4.12.0-rc4+ #35 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > Workqueue: usb_hub_wq hub_event > Call Trace: > __dump_stack lib/dump_stack.c:16 [inline] > dump_stack+0x292/0x395 lib/dump_stack.c:52 > print_address_description+0x78/0x280 mm/kasan/report.c:252 > kasan_report_error mm/kasan/report.c:351 [inline] > kasan_report+0x230/0x340 mm/kasan/report.c:408 > __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:429 > __lock_acquire+0x3069/0x3690 kernel/locking/lockdep.c:3246 > lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855 > __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] > _raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151 > spin_lock include/linux/spinlock.h:299 [inline] > gadgetfs_suspend+0x89/0x130 drivers/usb/gadget/legacy/inode.c:1682 > set_link_state+0x88e/0xae0 drivers/usb/gadget/udc/dummy_hcd.c:455 > dummy_hub_control+0xd7e/0x1fb0 drivers/usb/gadget/udc/dummy_hcd.c:2074 > rh_call_control drivers/usb/core/hcd.c:689 [inline] > rh_urb_enqueue drivers/usb/core/hcd.c:846 [inline] > usb_hcd_submit_urb+0x92f/0x20b0 drivers/usb/core/hcd.c:1650 > usb_submit_urb+0x8b2/0x12c0 drivers/usb/core/urb.c:542 > usb_start_wait_urb+0x148/0x5b0 drivers/usb/core/message.c:56 > usb_internal_control_msg 
drivers/usb/core/message.c:100 [inline] > usb_control_msg+0x341/0x4d0 drivers/usb/core/message.c:151 > usb_clear_port_feature+0x74/0xa0 drivers/usb/core/hub.c:412 > hub_port_disable+0x123/0x510 drivers/usb/core/hub.c:4177 > hub_port_init+0x1ed/0x2940 drivers/usb/core/hub.c:4648 > hub_port_connect drivers/usb/core/hub.c:4826 [inline] > hub_port_connect_change drivers/usb/core/hub.c:4999 [inline] > port_event drivers/usb/core/hub.c:5105 [inline] > hub_event+0x1ae1/0x3d40 drivers/usb/core/hub.c:5185 > process_one_work+0xc08/0x1bd0 kernel/workqueue.c:2097 > process_scheduled_works kernel/workqueue.c:2157 [inline] > worker_thread+0xb2b/0x1860 kernel/workqueue.c:2233 > kthread+0x363/0x440 kernel/kthread.c:231 > ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:424 > > Allocated by task 9958: > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 > save_stack+0x43/0xd0 mm/kasan/kasan.c:513 > set_track mm/kasan/kasan.c:525 [inline] > kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:617 > kmem_cache_alloc_trace+0x87/0x280 mm/slub.c:2745 > kmalloc include/linux/slab.h:492 [inline] > kzalloc include/linux/slab.h:665 [inline] > dev_new drivers/usb/gadget/legacy/inode.c:170 [inline] > gadgetfs_fill_super+0x24f/0x540 drivers/usb/gadget/legacy/inode.c:1993 > mount_single+0xf6/0x160 fs/super.c:1192 > gadgetfs_mount+0x31/0x40 drivers/usb/gadget/legacy/inode.c:2019 > mount_fs+0x9c/0x2d0 fs/super.c:1223 > vfs_kern_mount.part.25+0xcb/0x490 fs/namespace.c:976 > vfs_kern_mount fs/namespace.c:2509 [inline] > do_new_mount fs/namespace.c:2512 [inline] > do_mount+0x41b/0x2d90 fs/namespace.c:2834 > SYSC_mount fs/namespace.c:3050 [inline] > SyS_mount+0xb0/0x120 fs/namespace.c:3027 > entry_SYSCALL_64_fastpath+0x1f/0xbe > > Freed by task 9960: > save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 > save_stack+0x43/0xd0 mm/kasan/kasan.c:513 > set_track mm/kasan/kasan.c:525 [inline] > kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:590 > slab_free_hook mm/slub.c:1357 [inline] > 
slab_free_freelist_hook mm/slub.c:1379 [inline] > slab_free mm/slub.c:2961 [inline] > kfree+0xed/0x2b0 mm/slub.c:3882 > put_dev+0x124/0x160 drivers/usb/gadget/legacy/inode.c:163 > gadgetfs_kill_sb+0x33/0x60 drivers/usb/gadget/legacy/inode.c:2027 > deactivate_locked_super+0x8d/0xd0 fs/super.c:309 > deactivate_super+0x21e/0x310 fs/super.c:340 > cleanup_mnt+0xb7/0x150 fs/namespace.c:1112 > __cleanup_mnt+0x1b/0x20 fs/namespace.c:1119 > task_work_run+0x1a0/0x280 kernel/task_work.c:116 > exit_task_work include/linux/task_work.h:21 [inline] > do_exit+0x18a8/0x2820 kernel/exit.c:878 > do_group_exit+0x14e/0x420 kernel/exit.c:982 > get_signal+0x784/0x1780 kernel/signal.c:2318 > do_signal+0xd7/0x2130 arch/x86/kernel/signal.c:808 > exit_to_usermode_loop+0x1ac/0x240 arch/x86/entry/common.c:157 > prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] > syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263 > entry_SYSCALL_64_fastpath+0xbc/0xbe > > The buggy address belongs to the object at ffff88003a2bdae0 > which belongs to the cache kmalloc-1024 of size 1024 > The buggy address is located 24 bytes inside of > 1024-byte region [ffff88003a2bdae0, ffff88003a2bdee0) > The buggy address belongs to the page: > page:ffffea0000e8ae00 count:1 mapcount:0 mapping: (null) > index:0x0 compound_mapcount: 0 > flags: 0x100000000008100(slab|head) > raw: 0100000000008100 0000000000000000 0000000000000000 0000000100170017 > raw: ffffea0000ed3020 ffffea0000f5f820 ffff88003e80efc0 0000000000000000 > page dumped because: kasan: bad access detected > > Memory state around the buggy address: > ffff88003a2bd980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88003a2bda00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > >ffff88003a2bda80: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb > ^ > ffff88003a2bdb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > ffff88003a2bdb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb > 
================================================================== What this means is that the gadgetfs_suspend() routine was trying to access dev->lock after it had been deallocated. The root cause is a race in the dummy_hcd driver; the dummy_udc_stop() routine can race with the rest of the driver because it contains no locking. And even when proper locking is added, it can still race with the set_link_state() function because that function incorrectly drops the private spinlock before invoking any gadget driver callbacks. The result of this race, as seen above, is that set_link_state() can invoke a callback in gadgetfs even after gadgetfs has been unbound from dummy_hcd's UDC and its private data structures have been deallocated. include/linux/usb/gadget.h documents that the ->reset, ->disconnect, ->suspend, and ->resume callbacks may be invoked in interrupt context. In general this is necessary, to prevent races with gadget driver removal. This patch fixes dummy_hcd to retain the spinlock across these calls, and it adds a spinlock acquisition to dummy_udc_stop() to prevent the race. The net2280 driver makes the same mistake of dropping the private spinlock for its ->disconnect and ->reset callback invocations. The patch fixes it too. Lastly, since gadgetfs_suspend() may be invoked in interrupt context, it cannot assume that interrupts are enabled when it runs. It must use spin_lock_irqsave() instead of spin_lock_irq(). The patch fixes that bug as well. 
Signed-off-by: Alan Stern Reported-and-tested-by: Andrey Konovalov CC: Acked-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman drivers/usb/gadget/legacy/inode.c | 5 +++-- drivers/usb/gadget/udc/dummy_hcd.c | 13 ++++--------- drivers/usb/gadget/udc/net2280.c | 9 +-------- 3 files changed, 8 insertions(+), 19 deletions(-) commit 3b1bbafbfd14474fee61487552c9916ec1b25c58 Author: xypron.glpk@gmx.de Date: Thu Jun 15 20:59:57 2017 +0200 Doc: net: dsa: b53: update location of referenced dsa.txt The referenced file dsa.txt is located at Documentation/devicetree/bindings/net/dsa/dsa.txt Reviewed-by: Florian Fainelli Signed-off-by: Heinrich Schuchardt Signed-off-by: David S. Miller Documentation/devicetree/bindings/net/dsa/b53.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 988c7322116970696211e902b468aefec95b6ec4 Author: Xin Long Date: Thu Jun 15 17:49:08 2017 +0800 sctp: return next obj by passing pos + 1 into sctp_transport_get_idx In sctp_for_each_transport, pos is used to save how many objs it has dumped. Now it gets the last obj by sctp_transport_get_idx, then gets the next obj by sctp_transport_get_next. The issue is that in the meanwhile if some objs in transport hashtable are removed and the objs nums are less than pos, sctp_transport_get_idx would return NULL and hti.walker.tbl is NULL as well. At this moment it should stop hti, instead of continue getting the next obj. Or it would cause a NULL pointer dereference in sctp_transport_get_next. This patch is to pass pos + 1 into sctp_transport_get_idx to get the next obj directly, even if pos > objs nums, it would return NULL and stop hti. Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc") Signed-off-by: Xin Long Signed-off-by: David S. 
Miller net/sctp/socket.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 0f933328f018c118ded2035f12068bbdfdef399d Author: Fabio Estevam Date: Fri May 5 15:01:41 2017 -0300 drm: mxsfb_crtc: Reset the eLCDIF controller According to the eLCDIF initialization steps listed in the MX6SX Reference Manual the eLCDIF block reset is mandatory. Without performing the eLCDIF reset the display shows garbage content when the kernel boots. In earlier tests this issue has not been observed because the bootloader was previously showing a splash screen and the bootloader display driver does properly implement the eLCDIF reset. Add the eLCDIF reset to the driver, so that it can operate correctly independently of the bootloader. Tested on a imx6sx-sdb board. Cc: Signed-off-by: Fabio Estevam Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1494007301-14535-1-git-send-email-fabio.estevam@nxp.com drivers/gpu/drm/mxsfb/mxsfb_crtc.c | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) commit 5f2f97656ada8d811d3c1bef503ced266fcd53a0 Author: David Howells Date: Thu Jun 15 00:12:24 2017 +0100 rxrpc: Fix several cases where a padded len isn't checked in ticket decode This fixes CVE-2017-7482. When a kerberos 5 ticket is being decoded so that it can be loaded into an rxrpc-type key, there are several places in which the length of a variable-length field is checked to make sure that it's not going to overrun the available data - but the data is padded to the nearest four-byte boundary and the code doesn't check for this extra. This could lead to the size-remaining variable wrapping and the data pointer going over the end of the buffer. Fix this by making the various variable-length data checks use the padded length. Reported-by: 石磊 Signed-off-by: David Howells Reviewed-by: Marc Dionne Reviewed-by: Dan Carpenter Signed-off-by: David S. 
Miller

 net/rxrpc/key.c | 64 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 34 insertions(+), 30 deletions(-)

commit 0cbb738108927916a659b5b0b96e386fcd7cc6e1
Author: Mathieu Larouche
Date: Wed Jun 14 10:39:42 2017 -0400

drm/mgag200: Fix to always set HiPri for G200e4 V2

- Changed the HiPri value for G200e4 to always be 0.
- Added Bandwidth limitation to block resolution above 1920x1200x60Hz

Signed-off-by: Mathieu Larouche
Acked-by: Dave Airlie
[seanpaul removed some trailing whitespace from the patch]
Signed-off-by: Sean Paul
Link: http://patchwork.freedesktop.org/patch/msgid/ec0f8568d7ec41904dfe593c5deccf3f062d7bd8.1497450944.git.mathieu.larouche@matrox.com

 drivers/gpu/drm/mgag200/mgag200_mode.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

commit a2b7a622d6292b693544d7c94bb5d11c3f4676f8
Author: Arend Van Spriel
Date: Mon Jun 12 12:56:35 2017 +0100

brcmfmac: fix brcmf_fws_add_interface() for USB devices

USB devices rely on queuing functionality provided by the fwsignal module regardless of the mode fwsignal is operating in. For this some data structure needs to be reserved which is tied to the interface, which is done by brcmf_fws_add_interface(). However, it checks the mode. Replace that by checking result from brcmf_fws_queue_skbs(). Otherwise the driver will crash in a null pointer dereference when data is transmitted on the interface.

Fixes: fc0471e3e884 ("brcmfmac: ignore interfaces when fwsignal is disabled")
Reviewed-by: Franky Lin
Signed-off-by: Arend van Spriel
Signed-off-by: Kalle Valo

 drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 7a51461fc2da82a6c565a3ee65c41c197f28225d
Author: Arend Van Spriel
Date: Mon Jun 12 12:47:34 2017 +0100

brcmfmac: unbind all devices upon failure in firmware callback

When request firmware fails, brcmf_ops_sdio_remove is being called and brcmf_bus freed.
In such circumstances, if you do a suspend/resume cycle, the kernel hangs on resume due to a NULL pointer dereference in the resume function. So in brcmf_sdio_firmware_callback() we need to unbind the driver from both sdio_func devices when firmware load failure is indicated.

Cc: stable@vger.kernel.org # 4.9.x-
Tested-by: Enric Balletbo i Serra
Reviewed-by: Hante Meuleman
Reviewed-by: Pieter-Paul Giesberts
Reviewed-by: Franky Lin
Signed-off-by: Arend van Spriel
Signed-off-by: Kalle Valo

 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

commit 03fb0e8393fae8ebb6710a99387853ed0becbc8e
Author: Arend Van Spriel
Date: Mon Jun 12 12:47:33 2017 +0100

brcmfmac: use firmware callback upon failure to load

When firmware loading failed the code used to unbind the device provided by the calling code. However, for the sdio driver two devices are bound and both need to be released upon failure. The callback has been extended with a parameter to pass the error code, so add that in this commit upon firmware loading failure.

Cc: stable@vger.kernel.org # 4.9.x-
Reviewed-by: Hante Meuleman
Reviewed-by: Pieter-Paul Giesberts
Reviewed-by: Franky Lin
Signed-off-by: Arend van Spriel
Signed-off-by: Kalle Valo

 .../broadcom/brcm80211/brcmfmac/firmware.c | 27 +++++++++++-----------
 1 file changed, 13 insertions(+), 14 deletions(-)

commit 6d0507a777fbc533f7f1bf5664a81982dd50dece
Author: Arend Van Spriel
Date: Mon Jun 12 12:47:32 2017 +0100

brcmfmac: add parameter to pass error code in firmware callback

Extend the parameters in the firmware callback so it can be called upon success and failure. This allows the caller to properly clear all resources in the failure path. Right now the error code is always zero, ie. success.
Cc: stable@vger.kernel.org # 4.9.x-
Reviewed-by: Hante Meuleman
Reviewed-by: Pieter-Paul Giesberts
Reviewed-by: Franky Lin
Signed-off-by: Arend van Spriel
Signed-off-by: Kalle Valo

 .../net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 10 +++++-----
 .../net/wireless/broadcom/brcm80211/brcmfmac/firmware.h | 4 ++--
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 17 ++++++++++++-----
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 17 +++++++++++------
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 6 ++++--
 5 files changed, 34 insertions(+), 20 deletions(-)

commit f8a894b218138888542a5058d0e902378fd0d4ec
Author: Xin Long
Date: Thu Jun 15 16:33:58 2017 +0800

ipv6: fix calling in6_ifa_hold incorrectly for dad work

Now when starting the dad work in addrconf_mod_dad_work, if the dad work is idle and queued, it needs to hold ifa.

The problem is there's one gap in [1], during which, if the pending dad work is removed elsewhere, it will fail to hold ifa, but the dad work is still idle and queued.

    if (!delayed_work_pending(&ifp->dad_work))
        in6_ifa_hold(ifp);
        <--------------[1]
    mod_delayed_work(addrconf_wq, &ifp->dad_work, delay);

A use-after-free issue can be caused by this.

Chen Wei found this issue when WARN_ON(!hlist_unhashed(&ifp->addr_lst)) in net6_ifa_finish_destroy was hit because of it.

As per Hannes' suggestion, this patch is to fix it by holding ifa first in addrconf_mod_dad_work, then calling mod_delayed_work and putting ifa if the dad_work is already in queue.

Note that this patch did not choose to fix it with:

    if (!mod_delayed_work(delay))
        in6_ifa_hold(ifp);

As with it, when delay == 0, dad_work would be scheduled immediately, all addrconf_mod_dad_work(0) calls had to be moved under ifp->lock.

Reported-by: Wei Chen
Suggested-by: Hannes Frederic Sowa
Acked-by: Hannes Frederic Sowa
Signed-off-by: Xin Long
Signed-off-by: David S.
Miller net/ipv6/addrconf.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 7304e8f28bb2f3cb2baf37c1bb2caa0f54ca4e43 Author: Shaohua Li Date: Thu Jun 8 11:27:14 2017 -0700 iommu/vt-d: Correctly disable Intel IOMMU force on I made a mistake in commit bfd20f1. We should skip the force on with the option enabled instead of vice versa. Not sure why this passed our performance test, sorry. Fixes: bfd20f1cc850 ('x86, iommu/vt-d: Add an option to disable Intel IOMMU force on') Signed-off-by: Shaohua Li Signed-off-by: Joerg Roedel arch/x86/kernel/tboot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 17e83549e199d89aace7788a9f11c108671eecf5 Author: Liwei Song Date: Tue Jun 13 00:59:53 2017 -0400 i2c: ismt: fix wrong device address when unmap the data buffer Fix the following kernel bug: kernel BUG at drivers/iommu/intel-iommu.c:3260! invalid opcode: 0000 [#5] PREEMPT SMP Hardware name: Intel Corp. Harcuvar/Server, BIOS HAVLCRB0.X64.0013.D39.1608311820 08/31/2016 task: ffff880175389950 ti: ffff880176bec000 task.ti: ffff880176bec000 RIP: 0010:[] [] intel_unmap+0x25b/0x260 RSP: 0018:ffff880176bef5e8 EFLAGS: 00010296 RAX: 0000000000000024 RBX: ffff8800773c7c88 RCX: 000000000000ce04 RDX: 0000000080000000 RSI: 0000000000000000 RDI: 0000000000000009 RBP: ffff880176bef638 R08: 0000000000000010 R09: 0000000000000004 R10: ffff880175389c78 R11: 0000000000000a4f R12: ffff8800773c7868 R13: 00000000ffffac88 R14: ffff8800773c7818 R15: 0000000000000001 FS: 00007fef21258700(0000) GS:ffff88017b5c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000066d6d8 CR3: 000000007118c000 CR4: 00000000003406e0 Stack: 00000000ffffac88 ffffffff8199867f ffff880176bef5f8 ffff880100000030 ffff880176bef668 ffff8800773c7c88 ffff880178288098 ffff8800772c0010 ffff8800773c7818 0000000000000001 ffff880176bef648 ffffffff8150a86e Call Trace: [] ? printk+0x46/0x48 [] intel_unmap_page+0xe/0x10 [] ismt_access+0x27b/0x8fa [i2c_ismt] [] ? 
__pm_runtime_suspend+0xa0/0xa0
[] ? pm_suspend_timer_fn+0x80/0x80
[] ? __pm_runtime_suspend+0xa0/0xa0
[] ? pm_suspend_timer_fn+0x80/0x80
[] ? pci_bus_read_dev_vendor_id+0xf0/0xf0
[] i2c_smbus_xfer+0xec/0x4b0
[] ? vprintk_emit+0x345/0x530
[] i2cdev_ioctl_smbus+0x12b/0x240 [i2c_dev]
[] ? vprintk_default+0x29/0x40
[] i2cdev_ioctl+0x63/0x1ec [i2c_dev]
[] do_vfs_ioctl+0x328/0x5d0
[] ? vfs_write+0x11c/0x190
[] ? rt_up_read+0x19/0x20
[] SyS_ioctl+0x81/0xa0
[] system_call_fastpath+0x16/0x6e

This happens when running "i2cdetect -y 0" to detect the SMBus iSMT adapter.

After finishing an I2C block read/write, when unmapping the data buffer, a wrong device address was passed to dma_unmap_single().

To fix this, give dma_unmap_single() the "dev" parameter, just like what dma_map_single() does, then unmap can find the right devices.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Liwei Song
Reviewed-by: Andy Shevchenko
Signed-off-by: Wolfram Sang

 drivers/i2c/busses/i2c-ismt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 916335036d4fe33f9806240cb0d1900f4975b959
Author: Wolfram Sang
Date: Sun May 28 09:52:17 2017 +0200

i2c: rcar: use correct length when unmapping DMA

Because we need to transfer some bytes with PIO, the msg length is not the length of the DMA buffer. Use the correct value which we used when doing the mapping.

Fixes: 73e8b0528346e8 ("i2c: rcar: add DMA support")
Signed-off-by: Wolfram Sang
Reviewed-by: Geert Uytterhoeven
Reviewed-by: Niklas Söderlund
Signed-off-by: Wolfram Sang

 drivers/i2c/busses/i2c-rcar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 25642705b2359a705784bbbf1655c25a8f8efde2
Author: Benjamin Herrenschmidt
Date: Wed Jun 14 10:19:25 2017 +1000

powerpc/xive: Fix offset for store EOI MMIOs

Architecturally we should apply a 0x400 offset for these. Not doing it will break future HW implementations.
The offset of 0 is supposed to remain for "triggers" though not all sources support both trigger and store EOI, and in P9 specifically, some sources will treat 0 as a store EOI. But future chips will not. So this makes us use the properly architected offset which should work always. Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller") Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman arch/powerpc/include/asm/xive.h | 12 +++++++----- arch/powerpc/kvm/book3s_xive_template.c | 4 ++-- arch/powerpc/sysdev/xive/common.c | 2 +- 3 files changed, 10 insertions(+), 8 deletions(-) commit cd15fb64ee56192760ad5c1e2ad97a65e735b18b Author: Mike Snitzer Date: Thu Jun 15 08:39:15 2017 -0400 Revert "dm mirror: use all available legs on multiple failures" This reverts commit 12a7cf5ba6c776a2621d8972c7d42e8d3d959d20. This commit apparently attempted to fix an issue that didn't really exist, furthermore: this commit is the source of deadlocks and crashes seen in multiple cases related to failing the primary mirror dev while syncing. Reported-by: Jonathan Brassow Signed-off-by: Mike Snitzer drivers/md/dm-raid1.c | 21 +++++++++++++++++++-- 1 file changed, 19 insertions(+), 2 deletions(-) commit d6c153ec85856f5ad29adc20739ec28edeb7c042 Author: Dmitry Osipenko Date: Thu Jun 15 02:18:25 2017 +0300 drm/tegra: Correct idr_alloc() minimum id The client ID 0 is reserved by the host1x/cdma to mark the timeout timer work as already been scheduled and context ID is used as the clients one. This fixes spurious CDMA timeouts. 
Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace") Signed-off-by: Dmitry Osipenko Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Link: http://patchwork.freedesktop.org/patch/msgid/9c19a44219acd988e678cf9abe21363911184625.1497480754.git.digetx@gmail.com drivers/gpu/drm/tegra/drm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1066a8959d04785b9d2e9cbb91aaef922b710c4a Author: Dmitry Osipenko Date: Thu Jun 15 02:18:24 2017 +0300 drm/tegra: Fix lockup on a use of staging API Commit bdd2f9cd10eb ("Don't leak kernel pointer to userspace") added a mutex around staging IOCTL's, some of those mutexes are taken twice. Fixes: bdd2f9cd10eb ("drm/tegra: Don't leak kernel pointer to userspace") Signed-off-by: Dmitry Osipenko Reviewed-by: Mikko Perttunen Reviewed-by: Erik Faye-Lund Signed-off-by: Thierry Reding Link: http://patchwork.freedesktop.org/patch/msgid/7b70a506a9d2355ea6ff19a8c4f4d726b67719b3.1497480754.git.digetx@gmail.com drivers/gpu/drm/tegra/drm.c | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) commit 59e04bc20de4bd1bd5bfa810bf04a4e50a27b9c1 Author: Christophe JAILLET Date: Mon Apr 10 22:29:22 2017 +0200 gpu: host1x: Fix error handling If 'devm_reset_control_get' returns an error, then we erroneously return success because error code is taken from 'host->clk' instead of 'host->rst'. 
Fixes: b386c6b73ac6 ("gpu: host1x: Support module reset") Signed-off-by: Christophe JAILLET Reviewed-by: Mikko Perttunen Signed-off-by: Thierry Reding Link: http://patchwork.freedesktop.org/patch/msgid/20170410202922.17665-1-christophe.jaillet@wanadoo.fr drivers/gpu/host1x/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a814c3597a6b6040e2ef9459748081a6d5b7312d Author: Jean Delvare Date: Thu Jun 15 13:46:01 2017 +0200 firmware: dmi_scan: Check DMI structure length Before accessing DMI data to record it for later, we should ensure that the DMI structures are large enough to contain the data in question. Signed-off-by: Jean Delvare Reviewed-by: Mika Westerberg Cc: Dmitry Torokhov Cc: Andy Shevchenko Cc: Linus Walleij drivers/firmware/dmi_scan.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) commit e0733e975385d25d88c1384dafb8ea4dcf7513c0 Author: Jean Delvare Date: Thu Jun 15 13:46:01 2017 +0200 firmware: dmi: Fix permissions of product_family This is not sensitive information like serial numbers, we can allow all users to read it. Fix odd alignment while we're here. Signed-off-by: Jean Delvare Fixes: c61872c9833d ("firmware: dmi: Add DMI_PRODUCT_FAMILY identification string") Reviewed-by: Andy Shevchenko Reviewed-by: Mika Westerberg Cc: Dmitry Torokhov Cc: Linus Walleij drivers/firmware/dmi-id.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit c926820085437a27b27e78996b2c7a5ad94e8055 Author: Andy Lutomirski Date: Thu Jun 15 13:46:00 2017 +0200 firmware: dmi_scan: Make dmi_walk and dmi_walk_early return real error codes Currently they return -1 on error, which will confuse callers if they try to interpret it as a normal negative error code. 
Signed-off-by: Andy Lutomirski Signed-off-by: Darren Hart (VMware) Signed-off-by: Jean Delvare drivers/firmware/dmi_scan.c | 9 +++++---- include/linux/dmi.h | 2 +- 2 files changed, 6 insertions(+), 5 deletions(-) commit c9aba14362a6eec583819ec8f4b872c1816f5cbe Author: Jean Delvare Date: Thu Jun 15 13:46:00 2017 +0200 firmware: dmi_scan: Look for SMBIOS 3 entry point first Since version 3.0.0 of the SMBIOS specification, there can be multiple entry points in memory, pointing to one or two DMI tables. If both a 32-bit ("_SM_") entry point and a 64-bit ("_SM3_") entry point are present, the specification requires that the latter points to a table which is a super-set of the table pointed to by the former. Therefore we should give preference to the 64-bit ("_SM3_") entry point. However, currently the code is picking the first valid entry point it finds. Per specification, we should look for a 64-bit ("_SM3_") entry point first, and if we can't find any, look for a 32-bit ("_SM_" or "_DMI_") entry point. Modify the code to do that. Signed-off-by: Jean Delvare drivers/firmware/dmi_scan.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) commit 4068367c9ca7b515a209f9c0c8741309a1e90495 Author: Andrei Vagin Date: Thu Jun 8 17:32:29 2017 -0700 fs: don't forget to put old mntns in mntns_install Fixes: 4f757f3cbf54 ("make sure that mntns_install() doesn't end up with referral for root") Cc: Al Viro Signed-off-by: Andrei Vagin Signed-off-by: Al Viro fs/namespace.c | 2 ++ 1 file changed, 2 insertions(+) commit 81be24d263dbeddaba35827036d6f6787a59c2c3 Author: Al Viro Date: Sat Jun 3 07:20:09 2017 +0100 Hang/soft lockup in d_invalidate with simultaneous calls It's not hard to trigger a bunch of d_invalidate() on the same dentry in parallel. They end up fighting each other - any dentry picked for removal by one will be skipped by the rest and we'll go for the next iteration through the entire subtree, even if everything is being skipped. 
Moreover, we immediately go back to scanning the subtree. The only thing we really need is to dissolve all mounts in the subtree and as soon as we've nothing left to do, we can just unhash the dentry and bugger off.

Signed-off-by: Al Viro

 fs/dcache.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

commit bcd7c45e0d5a82be9a64b90050f0e09d41a50758
Author: Paul Burton
Date: Fri Jun 2 12:02:08 2017 -0700

MIPS: .its targets depend on vmlinux

The .its targets require information about the kernel binary, such as its entry point, which is extracted from the vmlinux ELF. We therefore require that the ELF is built before the .its files are generated. Declare this requirement in the Makefile such that make will ensure this is always the case, otherwise in corner cases we can hit issues as the .its is generated with an incorrect (either invalid or stale) entry point.

Signed-off-by: Paul Burton
Fixes: cf2a5e0bb4c6 ("MIPS: Support generating Flattened Image Trees (.itb)")
Cc: linux-mips@linux-mips.org
Cc: stable # v4.9+
Patchwork: https://patchwork.linux-mips.org/patch/16179/
Signed-off-by: Ralf Baechle

 arch/mips/boot/Makefile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

commit 1a73d9310e093fc3adffba4d0a67b9fab2ee3f63
Author: Paul Burton
Date: Fri Jun 2 11:35:01 2017 -0700

MIPS: Fix bnezc/jialc return address calculation

The code handling the pop76 opcode (ie. bnezc & jialc instructions) in __compute_return_epc_for_insn() needs to set the value of $31 in the jialc case, which is encoded with rs = 0. However its check to differentiate bnezc (rs != 0) from jialc (rs = 0) was unfortunately backwards, meaning that if we emulate a bnezc instruction we clobber $31 & if we emulate a jialc instruction it actually behaves like a jic instruction.

Fix this by inverting the check of rs to match the way the instructions are actually encoded.
Signed-off-by: Paul Burton
Fixes: 28d6f93d201d ("MIPS: Emulate the new MIPS R6 BNEZC and JIALC instructions")
Cc: stable # v4.0+
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/16178/
Signed-off-by: Ralf Baechle

 arch/mips/kernel/branch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

commit a090bd4ff8387c409732a8e059fbf264ea0bdd56
Merge: 54ed0f7 640f93c
Author: Linus Torvalds
Date: Thu Jun 15 18:09:47 2017 +0900

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) The netlink attribute passed in to dev_set_alias() is not necessarily NULL terminated, don't use strlcpy() on it. From Alexander Potapenko.
 2) Fix implementation of atomics in arm64 bpf JIT, from Daniel Borkmann.
 3) Correct the release of netdevs and driver private data in certain circumstances.
 4) Sanitize netlink message length properly in decnet, from Mateusz Jurczyk.
 5) Don't leak kernel data in rtnl_fill_vfinfo() netlink blobs. From Yuval Mintz.
 6) Hash secret is never initialized in ipv6 ILA translation code, from Arnd Bergmann. I guess those clang warnings about unused inline functions are useful for something!
 7) Fix endian selection in bpf_endian.h, from Daniel Borkmann.
 8) Sanitize sockaddr length before dereferencing any fields in AF_UNIX and CAIF. From Mateusz Jurczyk.
 9) Fix timestamping for GMAC3 chips in stmmac driver, from Mario Molitor.
 10) Do not leak netdev on dev_alloc_name() errors in mac80211, from Johannes Berg.
 11) Fix locking in sctp_for_each_endpoint(), from Xin Long.
 12) Fix wrong memset size on 32-bit in snmp6, from Christian Perle.
 13) Fix use after free in ip_mc_clear_src(), from WANG Cong.
 14) Fix regressions caused by ICMP rate limiting changes in 4.11, from Jesper Dangaard Brouer.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (91 commits) i40e: Fix a sleep-in-atomic bug net: don't global ICMP rate limit packets originating from loopback net/act_pedit: fix an error code net: update undefined ->ndo_change_mtu() comment net_sched: move tcf_lock down after gen_replace_estimator() caif: Add sockaddr length check before accessing sa_family in connect handler qed: fix dump of context data qmi_wwan: new Telewell and Sierra device IDs net: phy: Fix MDIO_THUNDER dependencies netconsole: Remove duplicate "netconsole: " logging prefix igmp: acquire pmc lock for ip_mc_clear_src() r8152: give the device version net: rps: fix uninitialized symbol warning mac80211: don't send SMPS action frame in AP mode when not needed mac80211/wpa: use constant time memory comparison for MACs mac80211: set bss_info data before configuring the channel mac80211: remove 5/10 MHz rate code from station MLME mac80211: Fix incorrect condition when checking rx timestamp mac80211: don't look at the PM bit of BAR frames i40e: fix handling of HW ATR eviction ... commit 54ed0f71f0a0cbf3218e2503a50364f178b1e855 Merge: 35e60a6 d41519a Author: Linus Torvalds Date: Thu Jun 15 17:54:51 2017 +0900 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fix from Herbert Xu: "This fixes a bug on sparc where we may dereference freed stack memory" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: Work around deallocated stack frame reference gcc bug on sparc. 
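The padded-length check described in the rxrpc ticket-decode fix earlier in this log (commit 5f2f97656ada, CVE-2017-7482), as an added example that is not the kernel's code. The cursor type, the function names and the sample buffers are assumptions constructed for illustration; the flawed variant only updates counters and never dereferences past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical decoder state; none of these names come from net/rxrpc/key.c. */
struct xdr_cursor {
    const uint8_t *buf;
    size_t off;              /* bytes consumed so far */
    unsigned int remaining;  /* bytes the decoder believes are left */
};

static struct xdr_cursor cursor_init(const uint8_t *buf, size_t len)
{
    struct xdr_cursor c = { buf, 0, (unsigned int)len };
    return c;
}

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the bound is checked against the raw length, but the
 * cursor is advanced by the length rounded up to a four-byte boundary. */
static int skip_field_raw_check(struct xdr_cursor *c, uint32_t max_len)
{
    uint32_t len, padded;

    if (c->remaining < 4)
        return -1;
    len = read_be32(c->buf + c->off);
    if (len > max_len || len > c->remaining - 4)
        return -1;
    padded = (len + 3) & ~(uint32_t)3;
    c->off += 4 + (size_t)padded;
    c->remaining -= 4;
    c->remaining -= padded;  /* wraps when padded > remaining */
    return 0;
}

/* Corrected pattern: compare the padded length with what is left, and
 * leave the cursor untouched on rejection. max_len must be small enough
 * that len + 3 cannot overflow. */
static int skip_field_padded_check(struct xdr_cursor *c, uint32_t max_len)
{
    uint32_t len, padded;

    if (c->remaining < 4)
        return -1;
    len = read_be32(c->buf + c->off);
    if (len > max_len)
        return -1;
    padded = (len + 3) & ~(uint32_t)3;
    if (padded > c->remaining - 4)
        return -1;
    c->off += 4 + (size_t)padded;
    c->remaining -= 4 + padded;
    return 0;
}

/* Walk every field with the corrected check; returns the field count or -1. */
static int count_fields_checked(const uint8_t *buf, size_t len, uint32_t max_len)
{
    struct xdr_cursor c = cursor_init(buf, len);
    int n = 0;

    while (c.remaining > 0) {
        if (skip_field_padded_check(&c, max_len) < 0)
            return -1;
        n++;
    }
    return n;
}

/* Constructed sample: length word 5, five data bytes, padding missing. */
static const uint8_t truncated_field[9] = { 0, 0, 0, 5, 'a', 'b', 'c', 'd', 'e' };

/* Constructed sample: a 5-byte field with padding, then a 4-byte field. */
static const uint8_t two_fields[20] = {
    0, 0, 0, 5, 'a', 'b', 'c', 'd', 'e', 0, 0, 0,
    0, 0, 0, 4, 'w', 'x', 'y', 'z'
};

int main(void)
{
    struct xdr_cursor c = cursor_init(truncated_field, sizeof(truncated_field));
    int rc = skip_field_raw_check(&c, 64);

    printf("raw check:    rc=%d off=%zu remaining=%u (buffer is %zu bytes)\n",
           rc, c.off, c.remaining, sizeof(truncated_field));

    c = cursor_init(truncated_field, sizeof(truncated_field));
    rc = skip_field_padded_check(&c, 64);
    printf("padded check: rc=%d off=%zu remaining=%u\n", rc, c.off, c.remaining);

    printf("well-formed buffer: %d fields\n",
           count_fields_checked(two_fields, sizeof(two_fields), 64));
    return 0;
}
```

With the raw check the offset ends three bytes past the nine-byte buffer and the remaining count wraps to a huge value, so every later bound test passes; with the padded check the same input is rejected before the cursor moves.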
commit 35e60a6b7577218ac7eb7777c8849822a080e127 Merge: 92091c4 9522933 Author: Linus Torvalds Date: Thu Jun 15 17:51:19 2017 +0900 Merge tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These revert an ACPICA commit from the 4.11 cycle that causes problems to happen on some systems and add a protection against possible kernel crashes due to table reference counter imbalance. Specifics: - Revert a 4.11 ACPICA change that made assumptions which are not satisfied on some systems and caused the enumeration of resources to fail on them (Rafael Wysocki). - Add a mechanism to prevent tables from being unmapped prematurely due to reference counter overflows (Lv Zheng)" * tag 'acpi-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance Revert "ACPICA: Disassembler: Enhance resource descriptor detection" commit 92091c438bad93ba2591e8c4ba86126227327be2 Merge: b45edc2 f63e4f7 Author: Linus Torvalds Date: Thu Jun 15 17:47:46 2017 +0900 Merge tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These revert a recent cpufreq schedutil governor change that turned out to be problematic and fix a few minor issues in cpufreq, cpuidle and the Exynos devfreq drivers. Specifics: - Revert a recent cpufreq schedutil governor change that caused some systems to behave undesirably (Rafael Wysocki). - Fix a cpufreq conservative governor issue introduced during the 3.10 cycle that prevents it from working as expected in some situations (Tomasz Wilczyński). - Fix an error code path in the generic cpuidle driver for DT-based systems (Christophe Jaillet). 
- Fix three minor issues in devfreq drivers for Exynos (Arvind Yadav, Krzysztof Kozlowski)" * tag 'pm-4.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpuidle: dt: Add missing 'of_node_put()' cpufreq: conservative: Allow down_threshold to take values from 1 to 10 Revert "cpufreq: schedutil: Reduce frequencies slower" PM / devfreq: exynos-ppmu: Staticize event list PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable commit b45edc2d02d50ba4657f29c0e2380e337d324aef Merge: 906e0c5 0ca4cd7 Author: Linus Torvalds Date: Thu Jun 15 17:44:41 2017 +0900 Merge branch 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid Pull HID fix from Jiri Kosina: - ifdef-based bandaid for a long-standing issue with HID driver matching, avoiding regressions in cases where specific driver is not enabled in kernel .config, from Jiri Kosina * 'for-4.12/driver-matching-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid: HID: let generic driver yield control iff specific driver has been enabled commit 906e0c5b9f1261b516487f37a6d35eb48426786f Merge: 63f700a f9f314f Author: Linus Torvalds Date: Thu Jun 15 17:37:40 2017 +0900 Merge tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: - some build dependency issues at CEC core with randconfigs - fix an off by one error at vb2 - a race fix at cec core - driver fixes at tc358743, sir_ir and rainshadow-cec * tag 'media/v4.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED [media] cec: race fix: don't return -ENONET in cec_receive() [media] sir_ir: infinite loop in interrupt handler [media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE [media] cec: improve MEDIA_CEC_RC dependencies [media] vb2: Fix an off by one error in 
'vb2_plane_vaddr' [media] rainshadow-cec: Fix missing spin_lock_init() [media] tc358743: fix register i2c_rd/wr function fix commit a8fad984833832d5ca11a9ed64ddc55646da30e3 Author: Al Viro Date: Thu Jun 15 03:57:46 2017 -0400 ufs_truncate_blocks(): fix the case when size is in the last direct block The logics when deciding whether we need to do anything with direct blocks is broken when new size is within the last direct block. It's better to find the path to the last byte _not_ to be removed and use that instead of the path to the beginning of the first block to be freed... Signed-off-by: Al Viro fs/ufs/inode.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) commit 46a704f8409f79fd66567ad3f8a7304830a84293 Author: Paul Mackerras Date: Thu Jun 15 16:10:27 2017 +1000 KVM: PPC: Book3S HV: Preserve userspace HTM state properly If userspace attempts to call the KVM_RUN ioctl when it has hardware transactional memory (HTM) enabled, the values that it has put in the HTM-related SPRs TFHAR, TFIAR and TEXASR will get overwritten by guest values. To fix this, we detect this condition and save those SPR values in the thread struct, and disable HTM for the task. If userspace goes to access those SPRs or the HTM facility in future, a TM-unavailable interrupt will occur and the handler will reload those SPRs and re-enable HTM. If userspace has started a transaction and suspended it, we would currently lose the transactional state in the guest entry path and would almost certainly get a "TM Bad Thing" interrupt, which would cause the host to crash. To avoid this, we detect this case and return from the KVM_RUN ioctl with an EINVAL error, with the KVM exit reason set to KVM_EXIT_FAIL_ENTRY. 
Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) commit 4c3bb4ccd074e1a0552078c0bf94c662367a1658 Author: Paul Mackerras Date: Thu Jun 15 15:43:17 2017 +1000 KVM: PPC: Book3S HV: Restore critical SPRs to host values on guest exit This restores several special-purpose registers (SPRs) to sane values on guest exit that were missed before. TAR and VRSAVE are readable and writable by userspace, and we need to save and restore them to prevent the guest from potentially affecting userspace execution (not that TAR or VRSAVE are used by any known program that run uses the KVM_RUN ioctl). We save/restore these in kvmppc_vcpu_run_hv() rather than on every guest entry/exit. FSCR affects userspace execution in that it can prohibit access to certain facilities by userspace. We restore it to the normal value for the task on exit from the KVM_RUN ioctl. IAMR is normally 0, and is restored to 0 on guest exit. However, with a radix host on POWER9, it is set to a value that prevents the kernel from executing user-accessible memory. On POWER9, we save IAMR on guest entry and restore it on guest exit to the saved value rather than 0. On POWER8 we continue to set it to 0 on guest exit. PSPB is normally 0. We restore it to 0 on guest exit to prevent userspace taking advantage of the guest having set it non-zero (which would allow userspace to set its SMT priority to high). UAMOR is normally 0. We restore it to 0 on guest exit to prevent the AMR from being used as a covert channel between userspace processes, since the AMR is not context-switched at present. 
Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv.c | 11 +++++++++-- arch/powerpc/kvm/book3s_hv_rmhandlers.S | 9 ++++++++- 2 files changed, 17 insertions(+), 3 deletions(-) commit 289dec5b895a7ecefb2f49da109e6aed9b0f1754 Author: Al Viro Date: Thu Jun 15 00:42:56 2017 -0400 ufs: more deadlock prevention on tail unpacking ->s_lock is not needed for ufs_change_blocknr() Signed-off-by: Al Viro fs/ufs/balloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 09bf4f5b6e6013f0ad6b090d4a8deebd4e56d878 Author: Al Viro Date: Thu Jun 15 00:17:30 2017 -0400 ufs: avoid grabbing ->truncate_mutex if possible tail unpacking is done in a wrong place; the deadlocks galore is best dealt with by doing that in ->write_iter() (and switching to iomap, while we are at it), but that's rather painful to backport. The trouble comes from grabbing pages that cover the beginning of tail from inside of ufs_new_fragments(); ongoing pageout of any of those is going to deadlock on ->truncate_mutex with process that got around to extending the tail holding that and waiting for page to get unlocked, while ->writepage() on that page is waiting on ->truncate_mutex. The thing is, we don't need ->truncate_mutex when the fragment we are trying to map is within the tail - the damn thing is allocated (tail can't contain holes). Let's do a plain lookup and if the fragment is present, we can just pretend that we'd won the race in almost all cases. The only exception is a fragment between the end of tail and the end of block containing tail. Protect ->i_lastfrag with ->meta_lock - read_seqlock_excl() is sufficient. 
Signed-off-by: Al Viro fs/ufs/balloc.c | 10 ++++++---- fs/ufs/inode.c | 26 ++++++++++++++++++++------ 2 files changed, 26 insertions(+), 10 deletions(-) commit 640f93cc6ea7327588be3cc0849d1342aac0393a Author: Jia-Ju Bai Date: Wed Jun 14 16:35:31 2017 -0700 i40e: Fix a sleep-in-atomic bug The driver may sleep under a spin lock, and the function call path is: i40e_ndo_set_vf_port_vlan (acquire the lock by spin_lock_bh) i40e_vsi_remove_pvid i40e_vlan_stripping_disable i40e_aq_update_vsi_params i40e_asq_send_command mutex_lock --> may sleep To fix it, the spin lock is released before "i40e_vsi_remove_pvid", and the lock is acquired again after this function. Signed-off-by: Jia-Ju Bai Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c | 2 ++ 1 file changed, 2 insertions(+) commit 267309f394bf3cd8db001992890b1fa52b97974e Author: Al Viro Date: Wed Jun 14 23:32:19 2017 -0400 ufs_get_locked_page(): make sure we have buffer_heads callers rely upon that, but find_lock_page() racing with attempt of page eviction by memory pressure might have left us with * try_to_free_buffers() successfully done * __remove_mapping() failed, leaving the page in our mapping * find_lock_page() returning an uptodate page with no buffer_heads attached. Signed-off-by: Al Viro fs/ufs/util.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) commit 9522933454f4c4bd5bedf3d71c538708b7c5de5b Merge: 32c1431 83848fb Author: Rafael J. Wysocki Date: Thu Jun 15 01:52:32 2017 +0200 Merge branch 'acpica-fixes' * acpica-fixes: ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance Revert "ACPICA: Disassembler: Enhance resource descriptor detection" commit f63e4f7d4179c9157c51bbe82af7c8f6b5fb39dd Merge: b8e11f7 b2cdd8e 74b2c98 Author: Rafael J. 
Wysocki Date: Thu Jun 15 01:51:33 2017 +0200 Merge branches 'pm-cpufreq', 'pm-cpuidle' and 'pm-devfreq' * pm-cpufreq: cpufreq: conservative: Allow down_threshold to take values from 1 to 10 Revert "cpufreq: schedutil: Reduce frequencies slower" * pm-cpuidle: cpuidle: dt: Add missing 'of_node_put()' * pm-devfreq: PM / devfreq: exynos-ppmu: Staticize event list PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable commit 949bdfed4b0f74215da60992e9f5e14c9ecbb064 Merge: 658a7568 d85da22 Author: Stephen Boyd Date: Wed Jun 14 16:48:03 2017 -0700 Merge tag 'sunxi-clk-fixes-for-4.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into clk-fixes Allwinner clock fixes for 4.12 Some fixes that fix some bindings that went in 4.12, fix a few reset and clock offsets and a build error fix * tag 'sunxi-clk-fixes-for-4.12' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: clk: sunxi-ng: a64: Export PLL_PERIPH0 clock for the PRCM clk: sunxi-ng: h3: Export PLL_PERIPH0 clock for the PRCM dt-bindings: clock: sunxi-ccu: Add pll-periph to PRCM's needed clocks clk: sunxi-ng: enable SUNXI_CCU_MP for PRCM clk: sunxi-ng: v3s: Fix usb otg device reset bit clk: sunxi-ng: a31: Correct lcd1-ch1 clock register offset commit c596961d1b4ccc6f15754fe5a49c37ac6da57145 Author: Al Viro Date: Wed Jun 14 16:36:29 2017 -0400 ufs: fix s_size/s_dsize users For UFS2 we need 64bit variants; we even store them in uspi, but use 32bit ones instead. One wrinkle is in handling of reserved space - recalculating it every time had been stupid all along, but now it would become really ugly. Just calculate it once... 
Signed-off-by: Al Viro fs/ufs/balloc.c | 2 +- fs/ufs/super.c | 23 ++++++++++++----------- fs/ufs/ufs_fs.h | 7 +++---- fs/ufs/util.h | 11 +++-------- 4 files changed, 19 insertions(+), 24 deletions(-) commit b451cec4bbd913688f5381efad407762a64a92ce Author: Al Viro Date: Wed Jun 14 15:41:17 2017 -0400 ufs: fix reserved blocks check a) honour ->s_minfree; don't just go with default (5) b) don't bother with capability checks until we know we'll need them Signed-off-by: Al Viro fs/ufs/balloc.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit fffd70f58864f5a48b2c17d02730a460f86d4254 Author: Al Viro Date: Wed Jun 14 15:36:31 2017 -0400 ufs: make ufs_freespace() return signed as it is, checking that its return value is <= 0 is useless and that's how it's being used. Signed-off-by: Al Viro fs/ufs/util.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 849a44de91636c24cea799cb8ad8c36433feb913 Author: Jesper Dangaard Brouer Date: Wed Jun 14 13:27:37 2017 +0200 net: don't global ICMP rate limit packets originating from loopback Florian Weimer seems to have a glibc test-case which requires that loopback interfaces does not get ICMP ratelimited. This was broken by commit c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited"). An ICMP response will usually be routed back-out the same incoming interface. Thus, take advantage of this and skip global ICMP ratelimit when the incoming device is loopback. In the unlikely event that the outgoing it not loopback, due to strange routing policy rules, ICMP rate limiting still works via peer ratelimiting via icmpv4_xrlim_allow(). Thus, we should still comply with RFC1812 (section 4.3.2.8 "Rate Limiting"). This seems to fix the reproducer given by Florian. While still avoiding to perform expensive and unneeded outgoing route lookup for rate limited packets (in the non-loopback case). 
Fixes: c0303efeab73 ("net: reduce cycles spend on ICMP replies that gets rate limited") Reported-by: Florian Weimer Reported-by: "H.J. Lu" Signed-off-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller net/ipv4/icmp.c | 8 ++++++-- net/ipv6/icmp.c | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) commit dc9edc44de6cd7cc8cc7f5b36c1adb221eda3207 Author: Bart Van Assche Date: Wed Jun 14 13:27:50 2017 -0600 block: Fix a blk_exit_rl() regression Avoid that the following complaint is reported: BUG: sleeping function called from invalid context at kernel/workqueue.c:2790 in_atomic(): 1, irqs_disabled(): 0, pid: 41, name: rcuop/3 1 lock held by rcuop/3/41: #0: (rcu_callback){......}, at: [] rcu_nocb_kthread+0x282/0x500 Call Trace: dump_stack+0x86/0xcf ___might_sleep+0x174/0x260 __might_sleep+0x4a/0x80 flush_work+0x7e/0x2e0 __cancel_work_timer+0x143/0x1c0 cancel_work_sync+0x10/0x20 blk_throtl_exit+0x25/0x60 blkcg_exit_queue+0x35/0x40 blk_release_queue+0x42/0x130 kobject_put+0xa9/0x190 This happens since we invoke callbacks that need to block from the queue release handler. Fix this by pushing the final release to a workqueue. 
Reported-by: Ross Zwisler Fixes: commit b425e5049258 ("block: Avoid that blk_exit_rl() triggers a use-after-free") Signed-off-by: Bart Van Assche Tested-by: Ross Zwisler Updated changelog Signed-off-by: Jens Axboe block/blk-sysfs.c | 34 ++++++++++++++++++++++------------ include/linux/blkdev.h | 2 ++ 2 files changed, 24 insertions(+), 12 deletions(-) commit d4702645838c8e04893383b50406249382b4e6bf Author: Raju Rangoju Date: Fri Jun 9 22:17:49 2017 +0530 rdma/cxgb4: Fix memory leaks during module exit Fix memory leaks of iw_cxgb4 module in the exit path Signed-off-by: Raju Rangoju Reviewed-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/device.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit c4f65b09b459c6f0ec27b1a1a65302f7fea5c96f Author: Dan Carpenter Date: Wed Jun 14 13:29:31 2017 +0300 net/act_pedit: fix an error code I'm reviewing static checker warnings where we do ERR_PTR(0), which is the same as NULL. I'm pretty sure we intended to return ERR_PTR(-EINVAL) here. Sometimes these bugs lead to a NULL dereference but I don't immediately see that problem here. Fixes: 71d0ed7079df ("net/act_pedit: Support using offset relative to the conventional network headers") Signed-off-by: Dan Carpenter Acked-by: Amir Vadai Signed-off-by: David S. Miller net/sched/act_pedit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 96ecff14225ad40a29f4d5cfa6bd9266c8e1e89a Author: Al Viro Date: Wed Jun 14 15:17:32 2017 -0400 ufs: fix logics in "ufs: make fsck -f happy" Storing stats _only_ at new locations is wrong for UFS1; old locations should always be kept updated. The check for "has been converted to use of new locations" is also wrong - it should be "->fs_maxbsize is equal to ->fs_bsize". 
Signed-off-by: Al Viro fs/ufs/super.c | 41 ++++++++++++++++++++++++++++------------- 1 file changed, 28 insertions(+), 13 deletions(-) commit 4542d66bb26f2d021c70a78e46f183c6675fc4c9 Author: Feras Daoud Date: Wed Jun 14 09:59:09 2017 +0300 IB/ipoib: Fix memory leak in create child syscall The flow of creating a new child goes through ipoib_vlan_add which allocates a new interface and checks the rtnl_lock. If the lock is taken, restart_syscall will be called to restart the system call again. In this case we are not releasing the already allocated interface, causing a leak. Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") Signed-off-by: Feras Daoud Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 560b7c3ffec1ca7d5de250d8ca7b1ca2349e98a4 Author: Alex Vesker Date: Wed Jun 14 09:59:08 2017 +0300 IB/ipoib: Fix access to un-initialized napi struct There is no need to re-enable napi since we set the initialized flag before calling ipoib_ib_dev_stop which will disable napi, disabling napi twice is harmless in case it was already disabled. One more reason for this fix is that when using IPoIB new device driver napi is not added to priv, this can lead to kernel panic when rn_ops ndo_open fails. 
[ 289.755840] invalid opcode: 0000 [#1] SMP [ 289.757111] task: ffff880036964440 ti: ffff880178ee8000 task.ti: ffff880178ee8000 [ 289.757111] RIP: 0010:[] [] napi_enable.part.24+0x4/0x6 [ib_ipoib] [ 289.757111] RSP: 0018:ffff880178eeb6d8 EFLAGS: 00010246 [ 289.757111] RAX: 0000000000000000 RBX: ffff880177a80010 RCX: 000000007fffffff [ 289.757111] RDX: ffffffff81d5f118 RSI: 0000000000000000 RDI: ffff880177a80010 [ 289.757111] RBP: ffff880178eeb6d8 R08: 0000000000000082 R09: 0000000000000283 [ 289.757111] R10: 0000000000000000 R11: 0000000000000000 R12: ffff880175a00000 [ 289.757111] R13: ffff880177a80080 R14: 0000000000000000 R15: 0000000000000001 [ 289.757111] FS: 00007fe2ee346880(0000) GS:ffff88017fc00000(0000) knlGS:0000000000000000 [ 289.757111] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 289.757111] CR2: 00007fffca979020 CR3: 00000001792e4000 CR4: 00000000000006f0 [ 289.757111] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 289.757111] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 289.757111] Stack: [ 289.796027] ffff880178eeb6f0 ffffffffa05251f5 ffff880177a80000 ffff880178eeb718 [ 289.796027] ffffffffa0528505 ffff880175a00000 ffff880177a80000 0000000000000000 [ 289.796027] ffff880178eeb748 ffffffffa051f0ab ffff880175a00000 ffffffffa0537d60 [ 289.796027] Call Trace: [ 289.796027] [] napi_enable+0x25/0x30 [ib_ipoib] [ 289.796027] [] ipoib_ib_dev_open+0x175/0x190 [ib_ipoib] [ 289.796027] [] ipoib_open+0x4b/0x160 [ib_ipoib] [ 289.796027] [] _dev_open+0xbf/0x130 [ 289.796027] [] __dev_change_flags+0x9d/0x170 [ 289.796027] [] dev_change_flags+0x29/0x60 [ 289.796027] [] do_setlink+0x397/0xa40 Fixes: cd565b4b51e5 ('IB/IPoIB: Support acceleration options callbacks') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_ib.c | 1 - 1 file changed, 1 deletion(-) commit b53d4566cc117d9ab8d20b365ba7c2a519439725 Author: Alex Vesker Date: Wed Jun 14 09:59:07 
2017 +0300 IB/ipoib: Delete napi in device uninit default This patch makes init_default and uninit_default symmetric with a call to delete napi. Additionally, the uninit_default gained delete napi call in case of init_default fails. Fixes: 515ed4f3aab4 ('IB/IPoIB: Separate control and data related initializations') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_main.c | 3 +++ 1 file changed, 3 insertions(+) commit 022d038a163f9e889428789d681b97bf07730fb7 Author: Alex Vesker Date: Wed Jun 14 09:59:06 2017 +0300 IB/ipoib: Limit call to free rdma_netdev for capable devices Limit calls to free_rdma_netdev() for capable devices only. Fixes: cd565b4b51e5 ('IB/IPoIB: Support acceleration options callbacks') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 6 ++++-- drivers/infiniband/ulp/ipoib/ipoib_main.c | 5 ++++- 2 files changed, 8 insertions(+), 3 deletions(-) commit ab156afd3eeb68ce7b875ec8d9ff4f64d1427776 Author: Alex Vesker Date: Wed Jun 14 09:59:05 2017 +0300 IB/ipoib: Fix memory leaks for child interfaces priv There is a need to free priv explicitly and not just to release the device, child priv is freed explicitly on remove flow and this patch also includes priv free on error flow in P_key creation and also in add_port. Fixes: cd565b4b51e5 ('IB/IPoIB: Support acceleration options callbacks') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_main.c | 7 ++++++- drivers/infiniband/ulp/ipoib/ipoib_vlan.c | 5 ++++- 2 files changed, 10 insertions(+), 2 deletions(-) commit db46a0e1be7eac45d0bb1bdcd438b8d47c920451 Author: Magnus Damm Date: Wed Jun 14 16:15:24 2017 +0900 net: update undefined ->ndo_change_mtu() comment Update ->ndo_change_mtu() callback comment to remove text about returning error in case of undefined callback. 
This change makes the comment match the existing code behavior. Signed-off-by: Magnus Damm Signed-off-by: David S. Miller include/linux/netdevice.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 7a759cd8e8272ee18922838ee711219c7c796a31 Author: Jiada Wang Date: Sun Apr 9 20:02:37 2017 -0700 perf tools: Fix build with ARCH=x86_64 With commit: 0a943cb10ce78 (tools build: Add HOSTARCH Makefile variable) when building for ARCH=x86_64, ARCH=x86_64 is passed to perf instead of ARCH=x86, so the perf build process searches header files from tools/arch/x86_64/include, which doesn't exist. The following build failure is seen: In file included from util/event.c:2:0: tools/include/uapi/linux/mman.h:4:27: fatal error: uapi/asm/mman.h: No such file or directory compilation terminated. Fix this issue by using SRCARCH instead of ARCH in perf, just like the main kernel Makefile and tools/objtool's. Signed-off-by: Jiada Wang Tested-by: Arnaldo Carvalho de Melo Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Andi Kleen Cc: Eugeniu Rosca Cc: Jan Stancek Cc: Masami Hiramatsu Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Rui Teng Cc: Sukadev Bhattiprolu Cc: Wang Nan Fixes: 0a943cb10ce7 ("tools build: Add HOSTARCH Makefile variable") Link: http://lkml.kernel.org/r/1491793357-14977-2-git-send-email-jiada_wang@mentor.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Makefile.config | 38 +++++++++++++++++++------------------- tools/perf/Makefile.perf | 2 +- tools/perf/arch/Build | 2 +- tools/perf/pmu-events/Build | 4 ++-- tools/perf/tests/Build | 2 +- tools/perf/util/header.c | 2 +- 6 files changed, 25 insertions(+), 25 deletions(-) commit 7a1ac110c22eb726684c837544a2d42c33e07be7 Author: Arnaldo Carvalho de Melo Date: Fri Jun 9 16:54:28 2017 -0300 perf evsel: Fix probing of precise_ip level for default cycles event Since commit 18e7a45af91a ("perf/x86: Reject non sampling events with precise_ip") returns -EINVAL for sys_perf_event_open() with an attribute with (attr.precise_ip > 
0 && attr.sample_period == 0), just like is done in the routine used to probe the max precise level when no events were passed to 'perf record' or 'perf top', i.e.: perf_evsel__new_cycles() perf_event_attr__set_max_precise_ip() The x86 code, in x86_pmu_hw_config(), which is called all the way from sys_perf_event_open() did, starting with the aforementioned commit: /* There's no sense in having PEBS for non sampling events: */ if (!is_sampling_event(event)) return -EINVAL; Which makes it fail for cycles:ppp, cycles:pp and cycles:p, always using just the non precise cycles variant. To make sure that this is the case, I tested it, before this patch, with: # perf probe -L x86_pmu_hw_config 0 int x86_pmu_hw_config(struct perf_event *event) 1 { 2 if (event->attr.precise_ip) { 17 if (event->attr.precise_ip > precise) 18 return -EOPNOTSUPP; /* There's no sense in having PEBS for non sampling events: */ 21 if (!is_sampling_event(event)) 22 return -EINVAL; } # perf probe x86_pmu_hw_config:22 Added new events: probe:x86_pmu_hw_config (on x86_pmu_hw_config:22) probe:x86_pmu_hw_config_1 (on x86_pmu_hw_config:22) You can now use it in all perf tools, such as: perf record -e probe:x86_pmu_hw_config_1 -aR sleep 1 # perf trace -e perf_event_open,probe:x86_pmu_hwconfig*/max-stack=16/ perf record usleep 1 0.000 ( 0.015 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... 
0.015 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) x86_pmu_hw_config ([kernel.kallsyms]) hsw_hw_config ([kernel.kallsyms]) x86_pmu_event_init ([kernel.kallsyms]) perf_try_init_event ([kernel.kallsyms]) perf_event_alloc ([kernel.kallsyms]) SYSC_perf_event_open ([kernel.kallsyms]) sys_perf_event_open ([kernel.kallsyms]) do_syscall_64 ([kernel.kallsyms]) return_from_SYSCALL_64 ([kernel.kallsyms]) syscall (/usr/lib64/libc-2.24.so) perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) perf_evsel__new_cycles (/home/acme/bin/perf) perf_evlist__add_default (/home/acme/bin/perf) cmd_record (/home/acme/bin/perf) run_builtin (/home/acme/bin/perf) handle_internal_command (/home/acme/bin/perf) 0.000 ( 0.021 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument 0.023 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... 0.025 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) x86_pmu_hw_config ([kernel.kallsyms]) hsw_hw_config ([kernel.kallsyms]) x86_pmu_event_init ([kernel.kallsyms]) perf_try_init_event ([kernel.kallsyms]) perf_event_alloc ([kernel.kallsyms]) SYSC_perf_event_open ([kernel.kallsyms]) sys_perf_event_open ([kernel.kallsyms]) do_syscall_64 ([kernel.kallsyms]) return_from_SYSCALL_64 ([kernel.kallsyms]) syscall (/usr/lib64/libc-2.24.so) perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) perf_evsel__new_cycles (/home/acme/bin/perf) perf_evlist__add_default (/home/acme/bin/perf) cmd_record (/home/acme/bin/perf) run_builtin (/home/acme/bin/perf) handle_internal_command (/home/acme/bin/perf) 0.023 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument 0.028 ( 0.002 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8ba110, cpu: -1, group_fd: -1 ) ... 
0.030 ( ): probe:x86_pmu_hw_config:(ffffffff9c0065e1)) x86_pmu_hw_config ([kernel.kallsyms]) hsw_hw_config ([kernel.kallsyms]) x86_pmu_event_init ([kernel.kallsyms]) perf_try_init_event ([kernel.kallsyms]) perf_event_alloc ([kernel.kallsyms]) SYSC_perf_event_open ([kernel.kallsyms]) sys_perf_event_open ([kernel.kallsyms]) do_syscall_64 ([kernel.kallsyms]) return_from_SYSCALL_64 ([kernel.kallsyms]) syscall (/usr/lib64/libc-2.24.so) perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) perf_evsel__new_cycles (/home/acme/bin/perf) perf_evlist__add_default (/home/acme/bin/perf) cmd_record (/home/acme/bin/perf) run_builtin (/home/acme/bin/perf) handle_internal_command (/home/acme/bin/perf) 0.028 ( 0.004 ms): perf/4150 ... [continued]: perf_event_open()) = -1 EINVAL Invalid argument 41.018 ( 0.012 ms): perf/4150 perf_event_open(attr_uptr: 0x7ffebc8b5dd0, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 41.065 ( 0.011 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 41.080 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c7db78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 41.103 ( 0.010 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4 41.115 ( 0.006 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5 41.122 ( 0.004 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6 41.128 ( 0.008 ms): perf/4150 perf_event_open(attr_uptr: 0x3c4e748, pid: 4151 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.017 MB perf.data (2 samples) ] # I.e. that return -EINVAL in x86_pmu_hw_config() is hit three times. 
So fix it by just setting attr.sample_period Now, after this patch: # perf trace --max-stack=2 -e perf_event_open,probe:x86_pmu_hw_config* perf record usleep 1 [ perf record: Woken up 1 times to write data ] 0.000 ( 0.017 ms): perf/8469 perf_event_open(attr_uptr: 0x7ffe36c27d10, pid: -1, cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 4 syscall (/usr/lib64/libc-2.24.so) perf_event_open_cloexec_flag (/home/acme/bin/perf) 0.050 ( 0.031 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 syscall (/usr/lib64/libc-2.24.so) perf_evlist__config (/home/acme/bin/perf) 0.092 ( 0.040 ms): perf/8469 perf_event_open(attr_uptr: 0x24ebb78, pid: -1, group_fd: -1, flags: FD_CLOEXEC) = 4 syscall (/usr/lib64/libc-2.24.so) perf_evlist__config (/home/acme/bin/perf) 0.143 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, cpu: -1, group_fd: -1 ) = 4 syscall (/usr/lib64/libc-2.24.so) perf_event_attr__set_max_precise_ip (/home/acme/bin/perf) 0.161 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), group_fd: -1, flags: FD_CLOEXEC) = 4 syscall (/usr/lib64/libc-2.24.so) perf_evsel__open (/home/acme/bin/perf) 0.171 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 1, group_fd: -1, flags: FD_CLOEXEC) = 5 syscall (/usr/lib64/libc-2.24.so) perf_evsel__open (/home/acme/bin/perf) 0.180 ( 0.007 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 2, group_fd: -1, flags: FD_CLOEXEC) = 6 syscall (/usr/lib64/libc-2.24.so) perf_evsel__open (/home/acme/bin/perf) 0.190 ( 0.005 ms): perf/8469 perf_event_open(attr_uptr: 0x24bc748, pid: 8470 (perf), cpu: 3, group_fd: -1, flags: FD_CLOEXEC) = 8 syscall (/usr/lib64/libc-2.24.so) perf_evsel__open (/home/acme/bin/perf) [ perf record: Captured and wrote 0.017 MB perf.data (7 samples) ] # The probe one called from perf_event_attr__set_max_precise_ip() works the first time, with attr.precise_ip = 3, with the next ones being the 
per cpu ones for the cycles:ppp event. And here is the text from a report and alternative proposed patch by Thomas-Mich Richter: --- On s390 the counter and sampling facility do not support a precise IP skid level and sometimes returns EOPNOTSUPP when structure member precise_ip in struct perf_event_attr is not set to zero. On s390 command 'perf record -- true' fails with error EOPNOTSUPP. This happens only when no events are specified on command line. The functions called are ... --> perf_evlist__add_default --> perf_evsel__new_cycles --> perf_event_attr__set_max_precise_ip The last function determines the value of structure member precise_ip by invoking the perf_event_open() system call and checking the return code. The first successful open is the value for precise_ip. However the value is determined without setting member sample_period and indicates no sampling. On s390 the counter facility and sampling facility are different. The above procedure determines a precise_ip value of 3 using the counter facility. Later it uses the sampling facility with a value of 3 and fails with EOPNOTSUPP. --- v2: Older compilers (e.g. gcc 4.4.7) don't support referencing members of unnamed union members in the container struct initialization, so move from: struct perf_event_attr attr = { ... .sample_period = 1, }; to right after it as: struct perf_event_attr attr = { ... }; attr.sample_period = 1; v3: We need to reset .sample_period to 0 to let the users of perf_evsel__new_cycles() to properly setup attr.sample_period or attr.sample_freq. Reported by Ingo Molnar. 
Reported-and-Acked-by: Thomas-Mich Richter Acked-by: Hendrik Brueckner Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: Alexander Shishkin Cc: David Ahern Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Wang Nan Fixes: 18e7a45af91a ("perf/x86: Reject non sampling events with precise_ip") Link: http://lkml.kernel.org/n/tip-yv6nnkl7tzqocrm0hl3x7vf1@git.kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/tests/task-exit.c | 2 +- tools/perf/util/evsel.c | 12 ++++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) commit 74030603dfd9f76c0f279f19f1dd1ee3028fee7a Author: WANG Cong Date: Tue Jun 13 13:36:24 2017 -0700 net_sched: move tcf_lock down after gen_replace_estimator() Laura reported a sleep-in-atomic kernel warning inside tcf_act_police_init() which calls gen_replace_estimator() with spinlock protection. It is not necessary in this case, we already have RTNL lock here so it is enough to protect concurrent writers. For the reader, i.e. tcf_act_police(), it needs to make decision based on this rate estimator, in the worst case we drop more/less packets than necessary while changing the rate in parallel, it is still acceptable. Reported-by: Laura Abbott Reported-by: Nick Huber Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/act_police.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 4ca2fea6f8277ab381bd08b996d641255b6f7b00 Author: Yan, Zheng Date: Thu Jun 1 17:08:00 2017 +0800 ceph: unify inode i_ctime update Current __ceph_setattr() can set inode's i_ctime to current_time(), req->r_stamp or attr->ia_ctime. These time stamps may have minor differences. It may cause potential problem. 
Signed-off-by: "Yan, Zheng" Acked-by: Arnd Bergmann Signed-off-by: Ilya Dryomov fs/ceph/acl.c | 1 + fs/ceph/inode.c | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) commit 56199016e8672feb7b903eda003a863d5bf2b8c4 Author: Yan, Zheng Date: Thu Jun 1 16:44:53 2017 +0800 ceph: use current_kernel_time() to get request time stamp ceph uses ktime_get_real_ts() to get request time stamp. In most other cases, current_kernel_time() is used to get time stamp for filesystem operations (called by current_time()). There is a granularity difference between ktime_get_real_ts() and current_kernel_time(). The latter one can be up to one jiffy behind the former one. This can cause inode's ctime to go back. Signed-off-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov fs/ceph/mds_client.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 03f219041fdbeb31cecff41bb1cb4e1018f9cf75 Author: Luis Henriques Date: Wed May 17 12:21:07 2017 +0100 ceph: check i_nlink while converting a file handle to dentry Converting a file handle to a dentry can be done call after the inode unlink. This means that __fh_to_dentry() requires an extra check to verify the number of links is not 0. The issue can be easily reproduced using xfstest generic/426, which does something like: name_to_handle_at(&fh) echo 3 > /proc/sys/vm/drop_caches unlink() open_by_handle_at(&fh) The call to open_by_handle_at() should fail, as the file doesn't exist anymore. 
    Link: http://tracker.ceph.com/issues/19958
    Signed-off-by: Luis Henriques
    Reviewed-by: "Yan, Zheng"
    Signed-off-by: Ilya Dryomov

 fs/ceph/export.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 07d432bb97f19dd5e784175152f9fce3b2646133
Author: Jia-Ju Bai
Date: Mon Jun 5 20:23:40 2017 +0800

    rxe: Fix a sleep-in-atomic bug in post_one_send

    The driver may sleep under a spin lock, and the function call path is:

    post_one_send (acquire the lock by spin_lock_irqsave)
      init_send_wqe
        copy_from_user --> may sleep

    There is no flow that makes "qp->is_user" true, and copy_from_user may cause bug when a non-user pointer is used. So the lines of copy_from_user and check of "qp->is_user" are removed.

    Signed-off-by: Jia-Ju Bai
    Reviewed-by: Leon Romanovsky
    Acked-by: Moni Shoua
    Signed-off-by: Doug Ledford

 drivers/infiniband/sw/rxe/rxe_verbs.c | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

commit e57bb6be5e095351086d3e6de9853a0763342535
Author: Ram Amrani
Date: Mon Jun 5 16:32:27 2017 +0300

    RDMA/qedr: Add 64KB PAGE_SIZE support to user-space queues

    Add 64KB PAGE_SIZE support to user-space CQ, SQ and RQ queues. De-facto it means that code was added to translate 64KB pages to smaller 4KB pages that the FW can handle. Otherwise, the FW would wrap (or jump to the next page) when reaching 4KB while the user space library will continue on the same large page.

    Note that MR code remains as is since the FW supports larger pages for MRs.

    Signed-off-by: Ram Amrani
    Signed-off-by: Michal Kalderon
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/qedr/qedr.h | 5 ++-
 drivers/infiniband/hw/qedr/verbs.c | 64 ++++++++++++++++++++++----------------
 2 files changed, 41 insertions(+), 28 deletions(-)

commit dac2738607de3d2bb99bae91c9054a2d753af18b
Author: Michal Kalderon
Date: Mon Jun 5 16:32:26 2017 +0300

    RDMA/qedr: Initialize byte_len in WC of READ and SEND commands

    Initialize byte_len in work completion of RDMA_READ and RDMA_SEND. Exposed by uDAPL application.
    Signed-off-by: Michal Kalderon
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/qedr/verbs.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 86816a00ca57caf7e4bf5d30e20eb683f5a3ae35
Author: Selvin Xavier
Date: Mon May 22 03:15:44 2017 -0700

    RDMA/bnxt_re: Remove FMR support

    Some issues observed with FMR implementation while running stress traffic. So removing the FMR verbs support for now.

    Signed-off-by: Selvin Xavier
    Acked-by: Christoph Hellwig
    Reviewed-by: Leon Romanovsky
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 98 +-------------------------------
 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 6 --
 drivers/infiniband/hw/bnxt_re/main.c | 4 --
 3 files changed, 2 insertions(+), 106 deletions(-)

commit 018cf5995d69d25be7330c3b8bef4c31bf2b273b
Author: Devesh Sharma
Date: Mon May 22 03:15:40 2017 -0700

    RDMA/bnxt_re: Fix RQE posting logic

    This patch adds code to ring RQ Doorbell aggressively so that the adapter can DMA RQ buffers sooner, instead of DMA all WQEs in the post_recv WR list together at the end of the post_recv verb. Also use spinlock to serialize RQ posting

    Signed-off-by: Kalesh AP
    Signed-off-by: Devesh Sharma
    Signed-off-by: Selvin Xavier
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/bnxt_re.h | 2 ++
 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 18 +++++++++++++++++-
 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 1 +
 3 files changed, 20 insertions(+), 1 deletion(-)

commit 3fb755b3d58084001c89e5f0fd558552bdef9051
Author: Somnath Kotur
Date: Mon May 22 03:15:36 2017 -0700

    RDMA/bnxt_re: Add HW workaround for avoiding stall for UD QPs

    HW stalls out after 0x800000 WQEs are posted for UD QPs. To workaround this problem, driver will send a modify_qp cmd to the HW at around the halfway mark(0x400000) so that FW can accordingly modify the QP context in the HW to prevent this stall. This workaround needs to be done for UD, QP1 and Raw Ethertype packets. Added a counter to keep track of WQEs posted during post_send.
    Signed-off-by: Somnath Kotur
    Signed-off-by: Selvin Xavier
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/bnxt_re.h | 2 ++
 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 18 ++++++++++++++++++
 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 3 +++
 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 1 +
 4 files changed, 24 insertions(+)

commit 1c980b010f06696c9093c5d6a5ac7b5145f89a04
Author: Selvin Xavier
Date: Mon May 22 03:15:34 2017 -0700

    RDMA/bnxt_re: Dereg MR in FW before freeing the fast_reg_page_list

    If the host buffers are freed before destroying MR in HW, HW could try accessing these buffers. This could cause a host crash. Fixing the code to avoid this condition.

    Signed-off-by: Selvin Xavier
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

commit 9152e0b722b29092115da3bfbf63d26be1a461df
Author: Eddie Wai
Date: Wed Jun 14 03:26:23 2017 -0700

    RDMA/bnxt_re: HW workarounds for handling specific conditions

    This patch implements the following HW workarounds

    1. The SQ depth needs to be augmented by 128 + 1 to avoid running into an Out of order CQE issue
    2. Workaround to handle the problem where the HW fast path engine continues to access DMA memory in retransmission mode even after the WQE has already been completed. If the HW reports this condition, driver detects it and posts a Fence WQE. The driver stops reporting the completions to stack until it receives completion for Fence WQE.
    Signed-off-by: Eddie Wai
    Signed-off-by: Sriharsha Basavapatna
    Signed-off-by: Selvin Xavier
    Reviewed-by: Leon Romanovsky
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/ib_verbs.c | 373 ++++++++++++++++++++++++++----
 drivers/infiniband/hw/bnxt_re/ib_verbs.h | 15 ++
 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 166 +++++++++++--
 drivers/infiniband/hw/bnxt_re/qplib_fp.h | 17 +-
 drivers/infiniband/hw/bnxt_re/qplib_res.h | 1 -
 drivers/infiniband/hw/bnxt_re/qplib_sp.c | 5 +
 drivers/infiniband/hw/bnxt_re/qplib_sp.h | 2 +
 7 files changed, 509 insertions(+), 70 deletions(-)

commit 2deaeaf102d692cb6f764123b1df7aa118a8e97c
Author: Takashi Iwai
Date: Wed Jun 14 16:20:32 2017 +0200

    ALSA: pcm: Don't treat NULL chmap as a fatal error

    The standard PCM chmap helper callbacks treat the NULL info->chmap as a fatal error and spews the kernel warning with stack trace when CONFIG_SND_DEBUG is on. This was OK, originally it was supposed to be always static and non-NULL. But, as the recent addition of Intel LPE audio driver shows, the chmap content may vary dynamically, and it can be even NULL when disconnected. The user still sees the kernel warning unnecessarily.

    For clearing such a confusion, this patch simply removes the snd_BUG_ON() in each place, just returns an error without warning.

    Cc: # v4.11+
    Signed-off-by: Takashi Iwai

 sound/core/pcm_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit 4130b28f568688f79539b732797a1dc04b048442
Author: Heiko Carstens
Date: Tue Jun 6 13:55:42 2017 +0200

    s390/ipl: revert Load Normal semantics for LPAR CCW-type re-IPL

    This reverts the two commits

    7afbeb6df2aa ("s390/ipl: always use load normal for CCW-type re-IPL")
    0f7451ff3ab8 ("s390/ipl: use load normal for LPAR re-ipl")

    The two commits did not take into account that behavior of standby memory changes fundamentally if the re-IPL method is changed from Load Clear to Load Normal.
    In case of the old re-IPL clear method all memory that was initially in standby state will be put into standby state again within the re-IPL process. Or in other words: memory that was brought online before a re-IPL will be offline again after a reboot.

    Given that we use different re-IPL methods depending on the hypervisor and CCW-type vs SCSI re-IPL it is not easy to tell in advance when and why memory will stay online or will be offline after a re-IPL.

    This does also have other side effects, since memory that is online from the beginning will be in ZONE_NORMAL by default vs ZONE_MOVABLE for memory that is offline.

    Therefore, before the change, a user could online and offline memory easily since standby memory was always in ZONE_NORMAL. After the change, and a re-IPL, this depended on which memory parts were online before the re-IPL.

    From a usability point of view the current behavior is more than suboptimal. Therefore revert these changes until we have a better solution and get back to a consistent behavior. The bad thing about this is that the time required for a re-IPL will be significantly increased for configurations with several 100GB or 1TB of memory.

    Signed-off-by: Heiko Carstens
    Signed-off-by: Martin Schwidefsky

 arch/s390/kernel/ipl.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

commit 55f61a040e1b1ea0ba962e53ae341b4c51915bd1
Author: Mario Kleiner
Date: Tue Jun 13 07:17:11 2017 +0200

    drm/radeon: Fix overflow of watermark calcs at > 4k resolutions.

    Commit e6b9a6c84b93 ("drm/radeon: Make display watermark calculations more accurate") made watermark calculations more accurate, but not for > 4k resolutions on 32-Bit architectures, as it introduced an integer overflow for those setups and resolutions.

    Fix this by proper u64 casting and division.
    Signed-off-by: Mario Kleiner
    Reported-by: Ben Hutchings
    Fixes: e6b9a6c84b93 ("drm/radeon: Make display watermark calculations more accurate")
    Cc: Ben Hutchings
    Cc: Alex Deucher
    Cc: stable@vger.kernel.org
    Signed-off-by: Alex Deucher

 drivers/gpu/drm/radeon/cik.c | 7 +++++--
 drivers/gpu/drm/radeon/evergreen.c | 7 +++++--
 drivers/gpu/drm/radeon/si.c | 7 +++++--
 3 files changed, 15 insertions(+), 6 deletions(-)

commit bea10413934dcf98cb9b2dfcdc56e1d28f192897
Author: Mario Kleiner
Date: Tue Jun 13 07:17:10 2017 +0200

    drm/amdgpu: Fix overflow of watermark calcs at > 4k resolutions.

    Commit d63c277dc672e0 ("drm/amdgpu: Make display watermark calculations more accurate") made watermark calculations more accurate, but not for > 4k resolutions on 32-Bit architectures, as it introduced an integer overflow for those setups and resolutions.

    Fix this by proper u64 casting and division.

    Signed-off-by: Mario Kleiner
    Reported-by: Ben Hutchings
    Fixes: d63c277dc672 ("drm/amdgpu: Make display watermark calculations more accurate")
    Cc: Ben Hutchings
    Cc: Alex Deucher
    Cc: stable@vger.kernel.org
    Signed-off-by: Alex Deucher

 drivers/gpu/drm/amd/amdgpu/dce_v10_0.c | 7 +++++--
 drivers/gpu/drm/amd/amdgpu/dce_v11_0.c | 7 +++++--
 drivers/gpu/drm/amd/amdgpu/dce_v6_0.c | 7 +++++--
 drivers/gpu/drm/amd/amdgpu/dce_v8_0.c | 7 +++++--
 4 files changed, 20 insertions(+), 8 deletions(-)

commit c0f83da96b906ea331e2eea2bd5d2e7f221d27ab
Author: Christian König
Date: Thu May 18 10:31:01 2017 +0200

    drm/radeon: fix "force the UVD DPB into VRAM as well"

    The DPB must be in VRAM, but not in the first segment.
    Signed-off-by: Christian König
    Tested-by: Arthur Marsh
    Reviewed-by: Alex Deucher
    Signed-off-by: Alex Deucher

 drivers/gpu/drm/radeon/radeon_uvd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 68dd02d19c811ca8ea60220a9d73e13b4bdad73a
Author: Johannes Berg
Date: Wed Jun 14 09:28:11 2017 +0200

    dev_ioctl: copy only the smaller struct iwreq for wext

    Unfortunately, struct iwreq isn't a proper subset of struct ifreq, but is still handled by the same code path. Robert reported that then applications may (randomly) fault if the struct iwreq they pass happens to land within 8 bytes of the end of a mapping (the struct is only 32 bytes, vs. struct ifreq's 40 bytes).

    To fix this, pull out the code handling wireless extension ioctls and copy only the smaller structure in this case.

    This bug goes back a long time, I tracked that it was introduced into mainline in 2.1.15, over 20 years ago!

    This fixes https://bugzilla.kernel.org/show_bug.cgi?id=195869

    Reported-by: Robert O'Callahan
    Signed-off-by: Johannes Berg

 include/net/wext.h | 4 ++--
 net/core/dev_ioctl.c | 19 ++++++++++++++++---
 net/wireless/wext-core.c | 6 +++---
 3 files changed, 21 insertions(+), 8 deletions(-)

commit 4f39a1f5870104b1670df2c09c831ac281896545
Author: Johannes Berg
Date: Wed Jun 14 09:21:58 2017 +0200

    wireless: wext: use struct iwreq earlier in the call chain

    To make it clear that we never use struct ifreq, cast from it directly in the wext entrypoint and use struct iwreq from there on. The next patch will remove the cast again and pass the correct struct from the beginning.
    Signed-off-by: Johannes Berg

 net/wireless/wext-core.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

commit ed6456afef0da57edfd87ce9142813d08a571137
Author: Dan Carpenter
Date: Wed Jun 14 12:10:56 2017 +0300

    Staging: rtl8723bs: fix an error code in isFileReadable()

    The caller only cares about zero vs non-zero so this code actually works fine but we should be returning a negative error code instead of a valid pointer cast to int.

    Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Greg Kroah-Hartman

 drivers/staging/rtl8723bs/os_dep/osdep_service.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit e747f64336fc15e1c823344942923195b800aa1e
Author: Dan Carpenter
Date: Wed Jun 14 13:35:37 2017 +0300

    xfrm: NULL dereference on allocation failure

    The default error code in pfkey_msg2xfrm_state() is -ENOBUFS. We added a new call to security_xfrm_state_alloc() which sets "err" to zero so there are several places where we can return ERR_PTR(0) if kmalloc() fails. The caller is expecting error pointers so it leads to a NULL dereference.

    Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Steffen Klassert

 net/key/af_key.c | 1 +
 1 file changed, 1 insertion(+)

commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633
Author: Dan Carpenter
Date: Wed Jun 14 13:34:05 2017 +0300

    xfrm: Oops on error in pfkey_msg2xfrm_state()

    There are some missing error codes here so we accidentally return NULL instead of an error pointer. It results in a NULL pointer dereference.
    Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
    Signed-off-by: Dan Carpenter
    Signed-off-by: Steffen Klassert

 net/key/af_key.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

commit b429f96aa5cb4023b915de9c2aa6e7720a939856
Author: Mike Gerow
Date: Wed Jun 14 12:40:36 2017 +0200

    video: fbdev: udlfb: drop log level for blanking

    Drop log level for blanking from info to debug. Xorg likes to habitually unblank when already unblanked and this can fill up logs over a long period of time.

    Signed-off-by: Mike Gerow
    Cc: bernie@plugable.com
    Signed-off-by: Bartlomiej Zolnierkiewicz

 drivers/video/fbdev/udlfb.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit 484c7bbf2649831714da3a0fa30213977458e9b5
Author: Arnd Bergmann
Date: Wed Jun 14 12:40:36 2017 +0200

    video: fbdev: via: remove possibly unused variables

    When CONFIG_PROC_FS is disabled, we get warnings about unused variables as remove_proc_entry() evaluates to an empty macro.

    drivers/video/fbdev/via/viafbdev.c: In function 'viafb_remove_proc':
    drivers/video/fbdev/via/viafbdev.c:1635:4: error: unused variable 'iga2_entry' [-Werror=unused-variable]
    drivers/video/fbdev/via/viafbdev.c:1634:4: error: unused variable 'iga1_entry' [-Werror=unused-variable]

    These are easy to avoid by using the pointer from the structure.

    Signed-off-by: Arnd Bergmann
    Cc: Florian Tobias Schandinat
    Signed-off-by: Bartlomiej Zolnierkiewicz

 drivers/video/fbdev/via/viafbdev.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

commit 1235185521ba0d9528052578e27c2f4999d489c6
Author: Johan Hovold
Date: Wed Jun 14 12:40:36 2017 +0200

    video: fbdev: add missing USB-descriptor endianness conversions

    Add the missing endianness conversions when printing the USB device-descriptor idVendor, idProduct and bcdDevice fields during probe.
    Signed-off-by: Johan Hovold
    Cc: Steve Glendinning
    Cc: Bernie Thompson
    Signed-off-by: Bartlomiej Zolnierkiewicz

 drivers/video/fbdev/smscufx.c | 5 +++--
 drivers/video/fbdev/udlfb.c | 5 +++--
 2 files changed, 6 insertions(+), 4 deletions(-)

commit c544ad18bd47ee989eb433f09b6574a7f6d415c7
Author: Arnd Bergmann
Date: Wed Jun 14 12:40:36 2017 +0200

    video: fbdev: avoid int-in-bool-context warning

    gcc-7 suspects this code might be wrong because we use the result of a multiplication as a bool:

    drivers/video/fbdev/core/fbmon.c: In function 'fb_edid_add_monspecs':
    drivers/video/fbdev/core/fbmon.c:1051:84: error: '*' in boolean context, suggest '&&' instead [-Werror=int-in-bool-context]

    It's actually fine, so let's add a comparison to zero to make that clear to the compiler too.

    Signed-off-by: Arnd Bergmann
    Cc: Andrew Morton
    Signed-off-by: Bartlomiej Zolnierkiewicz

 drivers/video/fbdev/core/fbmon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 64c667fe29ea697af0fce94857f26ae857951843
Merge: 32c1431 7981dc0
Author: Greg Kroah-Hartman
Date: Wed Jun 14 12:00:41 2017 +0200

    Merge tag 'iio-fixes-for-4.12b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus

    Jonathan writes:

    Second set of IIO fixes for the 4.12 cycle.

    * buffer-dma / buffer-dmaengine
      - Fix missing include of buffer_impl.h after the split of buffer.h. No driver in mainline is currently using these buffers so it wasn't picked up by automated build tests.
    * ad7152
      - Fix a deadlock in ad7152_write_raw_samp_freq as the chip_state lock was already held.
    * inv_mpu6050
      - Add low pass filter setting for chips newer than the MPU6500. None of us previously picked up on the fact it was different on these newer chips. It is separately set for the acceleration on these parts. There is no normal reason to set it differently so the userspace interface remains the same as for early parts.
    * meson-saradc:
      - Fix a potential crash by NULL pointer dereference in meson_sar_adc_clear_fifo.
    * mxs-lradc
      - Fix a return value check where IS_ERR is used on a function that returns NULL on error

commit e79b0006c45c9b0b22f3ea54ff6e256b34c1f208
Author: Megha Dey
Date: Wed Jun 14 09:51:56 2017 +0530

    ALSA: hda - Add Coffelake PCI ID

    Coffelake is another Intel part, so need to add PCI ID for it.

    Signed-off-by: Megha Dey
    Signed-off-by: Subhransu S. Prusty
    Acked-by: Vinod Koul
    Cc:
    Signed-off-by: Takashi Iwai

 sound/pci/hda/hda_intel.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

commit 8bfb3676606454ffec836f56c5dc3e69dfc0956a
Author: Johannes Berg
Date: Wed Jun 14 09:17:38 2017 +0200

    wireless: wext: remove ndo_do_ioctl fallback

    There are no longer any drivers (in the tree proper, I didn't check all the staging drivers) that take WEXT ioctls through this API, the only remaining ones that even have ndo_do_ioctl are using it only for private ioctls.

    Therefore, we can remove this call.

    Signed-off-by: Johannes Berg

 net/wireless/wext-core.c | 3 ---
 1 file changed, 3 deletions(-)

commit 377aa6b0efbaa29cfeecd8b9244641217f9544ca
Author: Alistair Popple
Date: Wed Jun 14 14:47:50 2017 +1000

    powerpc/npu-dma: Remove spurious WARN_ON when a PCI device has no of_node

    Commit 4c3b89effc28 ("powerpc/powernv: Add sanity checks to pnv_pci_get_{gpu|npu}_dev") introduced explicit warnings in pnv_pci_get_npu_dev() when a PCIe device has no associated device-tree node. However not all PCIe devices have an of_node and pnv_pci_get_npu_dev() gets indirectly called at least once for every PCIe device in the system. This results in spurious WARN_ON()'s so remove it.

    The same situation should not exist for pnv_pci_get_gpu_dev() as any NPU based PCIe device requires a device-tree node.
    Fixes: 4c3b89effc28 ("powerpc/powernv: Add sanity checks to pnv_pci_get_{gpu|npu}_dev")
    Reported-by: Alexey Kardashevskiy
    Signed-off-by: Alistair Popple
    Signed-off-by: Michael Ellerman

 arch/powerpc/platforms/powernv/npu-dma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit 089bc0143f489bd3a4578bdff5f4ca68fb26f341
Author: Jan Beulich
Date: Tue Jun 13 16:28:27 2017 -0400

    xen-blkback: don't leak stack data via response ring

    Rather than constructing a local structure instance on the stack, fill the fields directly on the shared ring, just like other backends do. Build on the fact that all response structure flavors are actually identical (the old code did make this assumption too).

    This is XSA-216.

    Cc: stable@vger.kernel.org
    Signed-off-by: Jan Beulich
    Reviewed-by: Konrad Rzeszutek Wilk
    Signed-off-by: Konrad Rzeszutek Wilk

 drivers/block/xen-blkback/blkback.c | 23 ++++++++++++-----------
 drivers/block/xen-blkback/common.h | 25 +++++--------------------
 2 files changed, 17 insertions(+), 31 deletions(-)

commit a24fa22ce22ae302b3bf8f7008896d52d5d57b8d
Author: Juergen Gross
Date: Thu May 18 17:28:49 2017 +0200

    xen/blkback: don't use xen_blkif_get() in xen-blkback kthread

    There is no need to use xen_blkif_get()/xen_blkif_put() in the kthread of xen-blkback. Thread stopping is synchronous and using the blkif reference counting in the kthread will avoid to ever let the reference count drop to zero at the end of an I/O running concurrent to disconnecting and multiple rings.

    Setting ring->xenblkd to NULL after stopping the kthread isn't needed as the kthread does this already.
    Signed-off-by: Juergen Gross
    Tested-by: Steven Haigh
    Acked-by: Roger Pau Monné
    Signed-off-by: Konrad Rzeszutek Wilk

 drivers/block/xen-blkback/blkback.c | 3 ---
 drivers/block/xen-blkback/xenbus.c | 1 -
 2 files changed, 4 deletions(-)

commit 20a3d5bf5e5b13c02450ab6178ec374abd830686
Author: Mateusz Jurczyk
Date: Tue Jun 13 20:06:12 2017 +0200

    caif: Add sockaddr length check before accessing sa_family in connect handler

    Verify that the caller-provided sockaddr structure is large enough to contain the sa_family field, before accessing it in the connect() handler of the AF_CAIF socket. Since the syscall doesn't enforce a minimum size of the corresponding memory region, very short sockaddrs (zero or one byte long) result in operating on uninitialized memory while referencing sa_family.

    Signed-off-by: Mateusz Jurczyk
    Signed-off-by: David S. Miller

 net/caif/caif_socket.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 71df1d7ccad1c36f7321d6b3b48f2ea42681c363
Author: Juergen Gross
Date: Thu May 18 17:28:48 2017 +0200

    xen/blkback: don't free be structure too early

    The be structure must not be freed when freeing the blkif structure isn't done. Otherwise a use-after-free of be when unmapping the ring used for communicating with the frontend will occur in case of a late call of xenblk_disconnect() (e.g. due to an I/O still active when trying to disconnect).

    Signed-off-by: Juergen Gross
    Tested-by: Steven Haigh
    Acked-by: Roger Pau Monné
    Signed-off-by: Konrad Rzeszutek Wilk

 drivers/block/xen-blkback/xenbus.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

commit cc1ec769b87c7dea9092fb537c512e0b6b7a5dac
Author: Devesh Sharma
Date: Mon May 22 03:15:31 2017 -0700

    RDMA/bnxt_re: Fixing the Control path command and response handling

    Fixing a concurrency issue with creq handling. Each caller was given a globally managed crsq element, which was accessed outside a lock. This could result in corruption, if a lot of applications are simultaneously issuing Control Path commands.
    Now, each caller will provide its own response buffer and the responses will be copied under a lock. Also, Fixing the queue full condition check for the CMDQ.

    As a part of these changes, the control path code is refactored to remove the code replication in the response status checking.

    Signed-off-by: Devesh Sharma
    Signed-off-by: Selvin Xavier
    Signed-off-by: Doug Ledford

 drivers/infiniband/hw/bnxt_re/qplib_fp.c | 215 +++++--------------
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.c | 314 ++++++++++++++-------------
 drivers/infiniband/hw/bnxt_re/qplib_rcfw.h | 61 ++----
 drivers/infiniband/hw/bnxt_re/qplib_res.h | 5 +
 drivers/infiniband/hw/bnxt_re/qplib_sp.c | 328 +++++++----------------------
 5 files changed, 318 insertions(+), 605 deletions(-)

commit 46464411307746e6297a034a9983a22c9dfc5a0c
Author: Juergen Gross
Date: Thu May 18 17:28:47 2017 +0200

    xen/blkback: fix disconnect while I/Os in flight

    Today disconnecting xen-blkback is broken in case there are still I/Os in flight: xen_blkif_disconnect() will bail out early without releasing all resources in the hope it will be called again when the last request has terminated. This, however, won't happen as xen_blkif_free() won't be called on termination of the last running request: xen_blkif_put() won't decrement the blkif refcnt to 0 as xen_blkif_disconnect() didn't finish before thus some xen_blkif_put() calls in xen_blkif_disconnect() didn't happen.

    To solve this deadlock xen_blkif_disconnect() and xen_blkif_alloc_rings() shouldn't use xen_blkif_put() and xen_blkif_get() but use some other way to do their accounting of resources.

    This at once fixes another error in xen_blkif_disconnect(): when it returned early with -EBUSY for another ring than 0 it would call xen_blkif_put() again for already handled rings on a subsequent call. This will lead to inconsistencies in the refcnt handling.
    Cc: stable@vger.kernel.org
    Signed-off-by: Juergen Gross
    Tested-by: Steven Haigh
    Acked-by: Roger Pau Monné
    Signed-off-by: Konrad Rzeszutek Wilk

 drivers/block/xen-blkback/common.h | 1 +
 drivers/block/xen-blkback/xenbus.c | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

commit 7981dc07fe317e3506d706e5ef91b94da02656f4
Author: Phil Reid
Date: Tue Jun 13 13:12:35 2017 +0800

    iio: buffer-dmaengine: Add missing header buffer_impl.h

    Add buffer_impl.h as buffer.h was split into interface for using and for internals. Without this industrialio-buffer-dmaengine.c fails to compile.

    Fixes: commit 33dd94cb972175249258329c4aaffddcc82c2005 ("iio:buffer.h - split into buffer.h and buffer_impl.h")
    Signed-off-by: Phil Reid
    Signed-off-by: Jonathan Cameron

 drivers/iio/buffer/industrialio-buffer-dmaengine.c | 1 +
 1 file changed, 1 insertion(+)

commit 838519b89fa7e162f7190c70d888a65ee7889e12
Author: Phil Reid
Date: Tue Jun 13 10:31:36 2017 +0800

    iio: buffer-dma: Add missing header buffer_impl.h

    Add buffer_impl.h as buffer.h was split into interface for using and for internals. Without this industrialio-buffer-dma.c fails to compile.

    Fixes: commit 33dd94cb972175249258329c4aaffddcc82c2005 ("iio:buffer.h - split into buffer.h and buffer_impl.h")
    Signed-off-by: Phil Reid
    Signed-off-by: Jonathan Cameron

 drivers/iio/buffer/industrialio-buffer-dma.c | 1 +
 1 file changed, 1 insertion(+)

commit 436c4c45b5b9562b59cedbb51b7343ab4a6dd8cc
Author: Zhang Bo
Date: Tue Jun 13 10:39:20 2017 +0800

    Revert "leds: handle suspend/resume in heartbeat trigger"

    This reverts commit 5ab92a7cb82c66bf30685583a38a18538e3807db.

    System cannot enter suspend mode because of heartbeat led trigger. In autosleep_wq, try_to_suspend function will try to enter suspend mode in specific period. It will get wakeup_count then call pm_notifier chain callback function and freeze processes. Heartbeat_pm_notifier is called and it calls led_trigger_unregister to change the trigger of led device to none.
    It will send uevent message and the wakeup source count changed. As wakeup_count changed, suspend will abort.

    Fixes: 5ab92a7cb82c ("leds: handle suspend/resume in heartbeat trigger")
    Signed-off-by: Zhang Bo
    Acked-by: Pavel Machek
    Reviewed-by: Linus Walleij
    Signed-off-by: Jacek Anaszewski

 drivers/leds/trigger/ledtrig-heartbeat.c | 31 -------------------------------
 1 file changed, 31 deletions(-)

commit 4f02b50ece11dcf75263fb7a4cfe8a5df1cfabea
Author: Jonas Gorski
Date: Fri Jun 2 14:17:05 2017 +0200

    leds: bcm6328: fix signal source assignment for leds 4 to 7

    Each nibble represents 4 LEDs, and in case of the higher register, bit 0 represents LED 4, so we need to use modulus for the LED number as well.

    Fixes: fd7b025a238d0a5440bfa26c585eb78097bf48dc ("leds: add BCM6328 LED driver")
    Signed-off-by: Jonas Gorski
    Acked-by: Álvaro Fernández Rojas
    Signed-off-by: Jacek Anaszewski

 drivers/leds/leds-bcm6328.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit bf5d008164dd84d671ca2dd569a1676051f9faff
Author: Priyalee Kushwaha
Date: Sat Jun 3 10:21:24 2017 -0700

    platform/x86: intel_telemetry_debugfs: fix oops when load/unload module

    This fixes an oops found while testing load/unload of the intel_telemetry_debugfs module. module_init uses register_pm_notifier for PM callbacks, but unregister_pm_notifier was missing from module_exit.
    [ 97.481860] BUG: unable to handle kernel paging request at ffffffffa006f010
    [ 97.489742] IP: blocking_notifier_chain_register+0x3a/0xa0
    [ 97.495898] PGD 2e0a067
    [ 97.495899] PUD 2e0b063
    [ 97.498737] PMD 179e29067
    [ 97.501573] PTE 0
    [ 97.508423] Oops: 0000 1 PREEMPT SMP
    [ 97.512724] Modules linked in: intel_telemetry_debugfs intel_rapl gpio_keys dwc3 udc_core intel_telemetry_pltdrv intel_punit_ipc intel_telemetry_core rtc_cmos efivars x86_pkg_temp_thermal iwlwifi snd_hda_codec_hdmi soc_button_array btusb cfg80211 btrtl mei_me hci_uart btbcm mei btintel i915 bluetooth intel_pmc_ipc snd_hda_intel spi_pxa2xx_platform snd_hda_codec dwc3_pci snd_hda_core tpm_tis tpm_tis_core tpm efivarfs
    [ 97.558453] CPU: 0 PID: 889 Comm: modprobe Not tainted 4.11.0-rc6-intel-dev-bkc #1
    [ 97.566950] Hardware name: Intel Corp. Joule DVT3/SDS, BIOS GTPP181A.X64.0143.B30.1701132137 01/13/2017
    [ 97.577518] task: ffff8801793a21c0 task.stack: ffff8801793f0000
    [ 97.584162] RIP: 0010:blocking_notifier_chain_register+0x3a/0xa0
    [ 97.590903] RSP: 0018:ffff8801793f3c58 EFLAGS: 00010286
    [ 97.596802] RAX: ffffffffa006f000 RBX: ffffffff81e3ea20 RCX: 0000000000000000
    [ 97.604812] RDX: ffff880179eaf210 RSI: ffffffffa0131000 RDI: ffffffff81e3ea20
    [ 97.612821] RBP: ffff8801793f3c68 R08: 0000000000000006 R09: 000000000000005c
    [ 97.620847] R10: 0000000000000000 R11: 0000000000000006 R12: ffffffffa0131000
    [ 97.628855] R13: 0000000000000000 R14: ffff880176e35f48 R15: ffff8801793f3ea8
    [ 97.636865] FS: 00007f7eeba07700(0000) GS:ffff88017fc00000(0000) knlGS:0000000000000000
    [ 97.645948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 97.652423] CR2: ffffffffa006f010 CR3: 00000001775ef000 CR4: 00000000003406f0
    [ 97.660423] Call Trace:
    [ 97.663166] ? 0xffffffffa0031000
    [ 97.666885] register_pm_notifier+0x18/0x20
    [ 97.671581] telemetry_debugfs_init+0x92/0x1000

    Signed-off-by: Priyalee Kushwaha
    Signed-off-by: Andy Shevchenko
    Signed-off-by: Darren Hart (VMware)

 drivers/platform/x86/intel_telemetry_debugfs.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

commit 7de84403a2020874714f6f40170f5ef9fc7ab58e
Merge: c5549ee a1a745e
Author: David S. Miller
Date: Tue Jun 13 13:46:01 2017 -0400

    Merge tag 'batadv-net-for-davem-20170613' of git://git.open-mesh.org/linux-merge

    Simon Wunderlich says:

    ====================
    Here are two batman-adv bugfixes:

     - fix rx packet counters for local ARP replies, by Sven Eckelmann

     - fix memory leaks for unicast packets received from another gateway in bridge loop avoidance, by Andreas Pape
    ====================

    Signed-off-by: David S. Miller

commit c5549ee40112f2511a794c9aad7eb6ac5f18b0eb
Merge: ace17c3 b3dd827
Author: David S. Miller
Date: Tue Jun 13 13:34:13 2017 -0400

    Merge tag 'mac80211-for-davem-2017-06-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

    Johannes Berg says:

    ====================
    Some fixes:
     * Avi fixes some fallout from my mac80211 RX flags changes
     * Emmanuel fixes an issue with adhering to the spec, and an oversight in the SMPS management code
     * Jason's patch makes mac80211 use constant-time memory comparisons for message authentication, to avoid having potentially observable timing differences
     * my fix makes mac80211 set the basic rates bitmap before the channel so the next update to the driver has more consistent data - this required another rework patch to remove some useless 5/10 MHz code that can never be hit
    ====================

    Signed-off-by: David S. Miller

commit ace17c369295f088dc8ac8ff468602646fa5cced
Author: Tayar, Tomer
Date: Tue Jun 13 12:15:59 2017 +0300

    qed: fix dump of context data

    Currently when dumping a context data only word number '1' is read for the entire context.
    Fixes: c965db444629 ("qed: Add support for debug data collection")
    Signed-off-by: Tomer Tayar
    Signed-off-by: David S. Miller

 drivers/net/ethernet/qlogic/qed/qed_debug.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit 60cfe1eaccb8af598ebe1bdc44e157ea30fcdd81
Author: Bjørn Mork
Date: Tue Jun 13 19:10:18 2017 +0200

    qmi_wwan: new Telewell and Sierra device IDs

    A new Sierra Wireless EM7305 device ID used in a Toshiba laptop, and two Longcheer device IDs entries used by Telewell TW-3G HSPA+ branded modems.

    Reported-by: Petr Kloc
    Reported-by: Teemu Likonen
    Signed-off-by: Bjørn Mork
    Signed-off-by: David S. Miller

 drivers/net/usb/qmi_wwan.c | 4 ++++
 1 file changed, 4 insertions(+)

commit 665fff2923323e348728e03a7cdb0ce56f316d39
Author: Florian Fainelli
Date: Mon Jun 12 17:18:51 2017 -0700

    net: phy: Fix MDIO_THUNDER dependencies

    After commit 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs") we could create a configuration where MDIO_DEVICE=y and PHYLIB=m which leads to the following undefined references:

    drivers/built-in.o: In function `thunder_mdiobus_pci_remove':
    >> mdio-thunder.c:(.text+0x2a212f): undefined reference to
    >> `mdiobus_unregister'
    >> mdio-thunder.c:(.text+0x2a2138): undefined reference to
    >> `mdiobus_free'
    drivers/built-in.o: In function `thunder_mdiobus_pci_probe':
    mdio-thunder.c:(.text+0x2a22e7): undefined reference to `devm_mdiobus_alloc_size'
    mdio-thunder.c:(.text+0x2a236f): undefined reference to `of_mdiobus_register'

    Reported-by: kbuild test robot
    Fixes: 90eff9096c01 ("net: phy: Allow splitting MDIO bus/device support from PHYs")
    Signed-off-by: Florian Fainelli
    Tested-by: Randy Dunlap
    Signed-off-by: David S. Miller

 drivers/net/phy/Kconfig | 1 +
 1 file changed, 1 insertion(+)

commit 4a6a97e2650c7dd7b1380ba763e9038c814e220c
Author: Joe Perches
Date: Mon Jun 12 16:39:51 2017 -0700

    netconsole: Remove duplicate "netconsole: " logging prefix

    It's already added by pr_fmt so remove the explicit use.
Signed-off-by: Joe Perches Signed-off-by: David S. Miller drivers/net/netconsole.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c38b7d327aafd1e3ad7ff53eefac990673b65667 Author: WANG Cong Date: Mon Jun 12 09:52:26 2017 -0700 igmp: acquire pmc lock for ip_mc_clear_src() Andrey reported a use-after-free in add_grec(): for (psf = *psf_list; psf; psf = psf_next) { ... psf_next = psf->sf_next; where the struct ip_sf_list's were already freed by: kfree+0xe8/0x2b0 mm/slub.c:3882 ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078 ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618 ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411 sock_release+0x8d/0x1e0 net/socket.c:597 sock_close+0x16/0x20 net/socket.c:1072 This happens because we don't hold pmc->lock in ip_mc_clear_src() and a parallel mr_ifc_timer timer could jump in and access them. The RCU lock is there but it is merely for pmc itself, this spinlock could actually ensure we don't access them in parallel. Thanks to Eric and Long for discussion on this bug. Reported-by: Andrey Konovalov Cc: Eric Dumazet Cc: Xin Long Signed-off-by: Cong Wang Reviewed-by: Xin Long Signed-off-by: David S. Miller net/ipv4/igmp.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) commit eb3c28c15555212227cfa8b9a3baa21ad5982a19 Author: Oliver Neukum Date: Mon Jun 12 13:56:51 2017 +0200 r8152: give the device version Getting the device version out of the driver really aids debugging. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 2 ++ 1 file changed, 2 insertions(+) commit 459fa246d8fa4a543ed9a3331f15c8fe1caf9937 Author: Stephen Rothwell Date: Sun Jun 11 15:22:10 2017 +1000 clocksource: Explicitly include linux/clocksource.h when needed The kbuild test robot reported errors in these files when doing an ia64 allmodconfig build. 
drivers/clocksource/timer-sun5i.c:52:21: error: field 'clksrc' has incomplete type
  struct clocksource clksrc;
                     ^~~~~~
drivers/clocksource/cadence_ttc_timer.c:92:21: error: field 'cs' has incomplete type
  struct clocksource cs;
                     ^~

(and many more errors for these files)

Cc: Michal Simek
Cc: "Sören Brinkmann"
Cc: Daniel Lezcano
Cc: Thomas Gleixner
Cc: Maxime Ripard
Cc: Chen-Yu Tsai
Reported-by: kbuild test robot
Signed-off-by: Stephen Rothwell
Acked-by: Michal Simek
Signed-off-by: Daniel Lezcano

drivers/clocksource/cadence_ttc_timer.c | 1 +
drivers/clocksource/timer-sun5i.c | 1 +
2 files changed, 2 insertions(+)

commit 97d8b6e3b8538198aefb0003342920a82e062147
Author: Ashwanth Goli
Date: Tue Jun 13 16:54:55 2017 +0530

net: rps: fix uninitialized symbol warning

This patch fixes uninitialized symbol warning that got introduced by the following commit 773fc8f6e8d6 ("net: rps: send out pending IPI's on CPU hotplug")

Signed-off-by: Ashwanth Goli
Signed-off-by: David S. Miller

net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 0ca4cd7bccf0b82d2c10069f295772bb7b76d006
Author: Jiri Kosina
Date: Fri Jun 9 13:15:37 2017 +0200

HID: let generic driver yield control iff specific driver has been enabled

There are many situations where generic HID driver provides some basic level of support for certain device, but later this support (usually by implementing vendor-specific extensions of HID protocol) is extended and the support moved over to a separate (usually per-vendor) specific driver.

This might bring a rather unpleasant surprise for users, as all of a sudden there is a new config option they have to enable in order to get any support for their device whatsoever, although previous kernel versions provided basic support through the generic driver. Which is rightfully seen as a regression.
Fix this by including the entry for a particular device in hid_have_special_driver[] iff the specific config option has been specified, and let generic driver handle the device otherwise. Also make the behavior of hid_scan_report() (where the same decision is being taken on a per-report level) consistent.

While at it, reshuffle the hid_have_special_driver[] a bit to restore the alphabetical ordering (first order by config option, and within those sections order by VID).

This is considered a short-term solution, before generic way of giving precedence to special drivers and falling back to generic driver is figured out.

While at it, fixup a missing entry for GFRM driver; thanks to Hans de Goede for spotting this (and for discovering a few issues in the conversion).

Signed-off-by: Jiri Kosina

drivers/hid/hid-core.c | 282 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 221 insertions(+), 61 deletions(-)

commit b3dd8279659f14f3624bb32559782d699fa6f7d1
Author: Emmanuel Grumbach
Date: Sat Jun 10 13:52:45 2017 +0300

mac80211: don't send SMPS action frame in AP mode when not needed

mac80211 allows to modify the SMPS state of an AP both, when it is started, and after it has been started. Such a change will trigger an action frame to all the peers that are currently connected, and will be remembered so that new peers will get notified as soon as they connect (since the SMPS setting in the beacon may not be the right one).

This means that we need to remember the SMPS state currently requested as well as the SMPS state that was configured initially (and advertised in the beacon). The former is bss->req_smps and the latter is sdata->smps_mode.

Initially, the AP interface could only be started with SMPS_OFF, which means that sdata->smps_mode was SMPS_OFF always. Later, a nl80211 API was added to be able to start an AP with a different AP mode.
That code forgot to update bss->req_smps and because of that, if the AP interface was started with SMPS_DYNAMIC, we had: sdata->smps_mode = SMPS_DYNAMIC bss->req_smps = SMPS_OFF That configuration made mac80211 think it needs to fire off an action frame to any new station connecting to the AP in order to let it know that the actual SMPS configuration is SMPS_OFF. Fix that by properly setting bss->req_smps in ieee80211_start_ap. Fixes: f69931748730 ("mac80211: set smps_mode according to ap params") Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Johannes Berg net/mac80211/cfg.c | 2 ++ 1 file changed, 2 insertions(+) commit 98c67d187db7808b1f3c95f2110dd4392d034182 Author: Jason A. Donenfeld Date: Sat Jun 10 04:59:12 2017 +0200 mac80211/wpa: use constant time memory comparison for MACs Otherwise, we enable all sorts of forgeries via timing attack. Signed-off-by: Jason A. Donenfeld Cc: Johannes Berg Cc: linux-wireless@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg net/mac80211/wpa.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit c87905bec5dad66aa6bb43d11502cafdb33e07db Author: Johannes Berg Date: Sat Jun 10 13:52:43 2017 +0300 mac80211: set bss_info data before configuring the channel When mac80211 changes the channel, it also calls into the driver's bss_info_changed() callback, e.g. with BSS_CHANGED_IDLE. The driver may, like iwlwifi does, access more data from bss_info in that case and iwlwifi accesses the basic_rates bitmap, but if changing from a band with more (basic) rates to one with fewer, an out-of-bounds access of the rate array may result. While we can't avoid having invalid data at some point in time, we can avoid having it while we call the driver - so set up all the data before configuring the channel, and then apply it afterwards. 
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=195677

Reported-by: Johannes Hirte
Tested-by: Johannes Hirte
Debugged-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg

net/mac80211/mlme.c | 38 ++++++++++++++++++++++++++++----------
1 file changed, 28 insertions(+), 10 deletions(-)

commit 44f6d42cbd6e4c1d4d25f19502dd5f27aedf89d4
Author: Johannes Berg
Date: Sat Jun 10 13:52:44 2017 +0300

mac80211: remove 5/10 MHz rate code from station MLME

There's no need for the station MLME code to handle bitrates for 5 or 10 MHz channels when it can't ever create such a configuration. Remove the unnecessary code.

Signed-off-by: Johannes Berg

net/mac80211/mlme.c | 24 +++---------------------
1 file changed, 3 insertions(+), 21 deletions(-)

commit 204a7dbcb27bc4b461f42d7f96fdc875eb677f2f
Author: Avraham Stern
Date: Mon Jun 12 10:44:58 2017 +0300

mac80211: Fix incorrect condition when checking rx timestamp

If the driver reports the rx timestamp at PLCP start, mac80211 can only handle legacy encoding, but the code checks that the encoding is not legacy. Fix this.

Fixes: da6a4352e7c8 ("mac80211: separate encoding/bandwidth from flags")
Signed-off-by: Avraham Stern
Signed-off-by: Luca Coelho
Signed-off-by: Johannes Berg

net/mac80211/ieee80211_i.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 769dc04db3ed8484798aceb015b94deacc2ba557
Author: Emmanuel Grumbach
Date: Thu Jun 8 14:00:49 2017 +0300

mac80211: don't look at the PM bit of BAR frames

When a peer sends a BAR frame with PM bit clear, we should not modify its PM state as mandated by the spec in 802.11-20012 10.2.1.2.
Cc: stable@vger.kernel.org Signed-off-by: Emmanuel Grumbach Signed-off-by: Johannes Berg net/mac80211/rx.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit c380f681245d7ae57f17d9ebbbe8f8f1557ee1fb Author: Zhenyu Wang Date: Fri Jun 9 15:48:05 2017 +0800 drm/i915: Fix GVT-g PVINFO version compatibility check Current it's strictly checked if PVINFO version matches 1.0 for GVT-g i915 guest which doesn't help for compatibility at all and forces GVT-g host can't extend PVINFO easily with version bump for real compatibility check. This fixes that to check minimal required PVINFO version instead. v2: - drop unneeded version macro - use only major version for sanity check v3: - fix up PVInfo value with kernel type - one indent fix Reviewed-by: Joonas Lahtinen Cc: Chuanxiao Dong Cc: Joonas Lahtinen Cc: stable@vger.kernel.org # v4.10+ Signed-off-by: Zhenyu Wang Signed-off-by: Joonas Lahtinen Link: http://patchwork.freedesktop.org/patch/msgid/20170609074805.5101-1-zhenyuw@linux.intel.com (cherry picked from commit 0c8792d00d38de85b6ceb1dd67d3ee009d7c8e42) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_pvinfo.h | 8 ++------ drivers/gpu/drm/i915/i915_vgpu.c | 10 ++++------ 2 files changed, 6 insertions(+), 12 deletions(-) commit 1c2d6bbf0433ddf7c978ac5f2bd582e9e7d34687 Author: Ville Syrjälä Date: Thu Jun 8 17:40:02 2017 +0300 drm/i915: Fix SKL+ watermarks for 90/270 rotation skl_check_plane_surface() already rotates the clipped plane source coordinates to match the scanout direction because that's the way the GTT mapping is set up. Thus we no longer need to rotate the coordinates in the watermark code. For cursors we use the non-clipped coordinates which are not rotated appropriately, but that doesn't actually matter since cursors don't even support 90/270 degree rotation. 
v2: Resolve conflicts from SKL+ wm rework Cc: stable@vger.kernel.org Cc: Tvrtko Ursulin Fixes: b63a16f6cd89 ("drm/i915: Compute display surface offset in the plane check hook for SKL+") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170331180056.14086-3-ville.syrjala@linux.intel.com Tested-by: Tvrtko Ursulin Reviewed-by: Maarten Lankhorst (cherry picked from commit fce5adf568abb1e8264d677156e2e0deb529194d) Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20170608144002.1605-2-ville.syrjala@linux.intel.com drivers/gpu/drm/i915/intel_pm.c | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) commit 9a775e0308b575e3a17c66a586ed049b07f48199 Author: Ville Syrjälä Date: Thu Jun 8 17:40:01 2017 +0300 drm/i915: Fix scaling check for 90/270 degree plane rotation Starting from commit b63a16f6cd89 ("drm/i915: Compute display surface offset in the plane check hook for SKL+") we've already rotated the src coordinates by 270 degrees by the time we check if a scaler is needed or not, so we must not account for the rotation a second time. Previously we did these steps in the opposite order and hence the scaler check had to deal with rotation itself. The double rotation handling causes us to enable a scaler pretty much every time 90/270 degree plane rotation is requested, leading to fuzzier fonts and whatnot. 
v2: s/unsigned/unsigned int/ to appease checkpatch v3: s/DRM_ROTATE_0/DRM_MODE_ROTATE_0/ Cc: stable@vger.kernel.org Cc: Tvrtko Ursulin Reported-by: Tvrtko Ursulin Tested-by: Tvrtko Ursulin Fixes: b63a16f6cd89 ("drm/i915: Compute display surface offset in the plane check hook for SKL+") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170331180056.14086-2-ville.syrjala@linux.intel.com Reviewed-by: Maarten Lankhorst (cherry picked from commit d96a7d2adb040a67e163a82dad6316f9f572498a) Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20170608144002.1605-1-ville.syrjala@linux.intel.com drivers/gpu/drm/i915/intel_display.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit 023f108dcc187e34ef864bf10ed966cf25e14e2a Author: Paul Moore Date: Wed Jun 7 16:48:19 2017 -0400 selinux: fix double free in selinux_parse_opts_str() This patch is based on a discussion generated by an earlier patch from Tetsuo Handa: * https://marc.info/?t=149035659300001&r=1&w=2 The double free problem involves the mnt_opts field of the security_mnt_opts struct, selinux_parse_opts_str() frees the memory on error, but doesn't set the field to NULL so if the caller later attempts to call security_free_mnt_opts() we trigger the problem. In order to play it safe we change selinux_parse_opts_str() to call security_free_mnt_opts() on error instead of free'ing the memory directly. This should ensure that everything is handled correctly, regardless of what the caller may do. 
Fixes: e0007529893c1c06 ("LSM/SELinux: Interfaces to allow FS to control mount options") Cc: stable@vger.kernel.org Cc: Tetsuo Handa Reported-by: Dmitry Vyukov Signed-off-by: Paul Moore Signed-off-by: James Morris security/selinux/hooks.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit d9ee35acfabbc909c3be4360cd5655a006628b2e Author: Vlastimil Babka Date: Mon Jun 12 09:21:30 2017 +0200 x86/mm: Disable 1GB direct mappings when disabling 2MB mappings The kmemleak and debug_pagealloc features both disable using huge pages for direct mappings so they can do cpa() on page level granularity in any context. However they only do that for 2MB pages, which means 1GB pages can still be used if the CPU supports it, unless disabled by a boot param, which is non-obvious. Disable also 1GB pages when disabling 2MB pages. Signed-off-by: Vlastimil Babka Cc: Christian Borntraeger Cc: Linus Torvalds Cc: Pekka Enberg Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Vegard Nossum Cc: linux-mm@kvack.org Link: http://lkml.kernel.org/r/2be70c78-6130-855d-3dfa-d87bd1dd4fda@suse.cz Signed-off-by: Ingo Molnar arch/x86/mm/init.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 63f700aab4c11d46626de3cd051dae56cf7e9056 Merge: 2ab99b0 e5c8667 Author: Linus Torvalds Date: Tue Jun 13 15:09:10 2017 +0900 Merge tag 'xtensa-20170612' of git://github.com/jcmvbkbc/linux-xtensa Pull Xtensa fixes from Max Filippov: - don't use linux IRQ #0 in legacy irq domains: fixes timer interrupt assignment when it's hardware IRQ # is 0 and the kernel is built w/o device tree support - reduce reservation size for double exception vector literals from 48 to 20 bytes: fixes build on cores with small user exception vector - cleanups: use kmalloc_array instead of kmalloc in simdisk_init and seq_puts instead of seq_printf in c_show. 
* tag 'xtensa-20170612' of git://github.com/jcmvbkbc/linux-xtensa: xtensa: don't use linux IRQ #0 xtensa: reduce double exception literal reservation xtensa: ISS: Use kmalloc_array() in simdisk_init() xtensa: Use seq_puts() in c_show() commit 2ab99b001dea71c25bcf34f746f5781c880151bb Merge: 32c1431 16ddcc3 Author: Linus Torvalds Date: Tue Jun 13 15:07:11 2017 +0900 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Martin Schwidefsky: - A fix for KVM to avoid kernel oopses in case of host protection faults due to runtime instrumentation - A fix for the AP bus to avoid dead devices after unbind / bind - A fix for a compile warning merged from the vfio_ccw tree - Updated default configurations * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390: update defconfig s390/zcrypt: Fix blocking queue device after unbind/bind. s390/vfio_ccw: make some symbols static s390/kvm: do not rely on the ILC on kvm host protection fauls commit ca8efa1df1d15a1795a2da57f9f6aada6ed6b946 Author: Paul Mackerras Date: Tue Jun 6 16:47:22 2017 +1000 KVM: PPC: Book3S HV: Context-switch EBB registers properly This adds code to save the values of three SPRs (special-purpose registers) used by userspace to control event-based branches (EBBs), which are essentially interrupts that get delivered directly to userspace. These registers are loaded up with guest values when entering the guest, and their values are saved when exiting the guest, but we were not saving the host values and restoring them before going back to userspace. On POWER8 this would only affect userspace programs which explicitly request the use of EBBs and also use the KVM_RUN ioctl, since the only source of EBBs on POWER8 is the PMU, and there is an explicit enable bit in the PMU registers (and those PMU registers do get properly context-switched between host and guest). 
On POWER9 there is provision for externally-generated EBBs, and these are not subject to the control in the PMU registers. Since these registers only affect userspace, we can save them when we first come in from userspace and restore them before returning to userspace, rather than saving/restoring the host values on every guest entry/exit. Similarly, we don't need to worry about their values on offline secondary threads since they execute in the context of the idle task, which never executes in userspace. Fixes: b005255e12a3 ("KVM: PPC: Book3S HV: Context-switch new POWER8 SPRs", 2014-01-08) Cc: stable@vger.kernel.org # v3.14+ Signed-off-by: Paul Mackerras arch/powerpc/kvm/book3s_hv.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) commit 6964e53f55837b0c49ed60d36656d2e0ee4fc27b Author: Jacob Keller Date: Mon Jun 12 15:38:36 2017 -0700 i40e: fix handling of HW ATR eviction A recent commit to refactor the driver and remove the hw_disabled_flags field accidentally introduced two regressions. First, we overwrote pf->flags which removed various key flags including the MSI-X settings. Additionally, it was intended that we have now two flags, HW_ATR_EVICT_CAPABLE and HW_ATR_EVICT_ENABLED, but this was not done, and we accidentally were mis-using HW_ATR_EVICT_CAPABLE everywhere. This patch adds the missing piece, HW_ATR_EVICT_ENABLED, and safely updates pf->flags instead of overwriting it. Without this patch we will have many problems including disabling MSI-X support, and we'll attempt to use HW ATR eviction on devices which do not support it. Fixes: 47994c119a36 ("i40e: remove hw_disabled_flags in favor of using separate flag bits", 2017-04-19) Signed-off-by: Jacob Keller Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. 
Miller drivers/net/ethernet/intel/i40e/i40e.h | 1 + drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 4 ++-- drivers/net/ethernet/intel/i40e/i40e_main.c | 7 ++++--- drivers/net/ethernet/intel/i40e/i40e_txrx.c | 4 ++-- 4 files changed, 9 insertions(+), 7 deletions(-) commit fa07ab72cbb0d843429e61bf179308aed6cbe0dd Author: Heiner Kallweit Date: Sun Jun 11 00:38:36 2017 +0200 genirq: Release resources in __setup_irq() error path In case __irq_set_trigger() fails the resources requested via irq_request_resources() are not released. Add the missing release call into the error handling path. Fixes: c1bacbae8192 ("genirq: Provide irq_request/release_resources chip callbacks") Signed-off-by: Heiner Kallweit Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/655538f5-cb20-a892-ff15-fbd2dd1fa4ec@gmail.com kernel/irq/manage.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 2ad50606f847a902303a5364b7cad64bdd6246f6 Author: Ondrej Mosnáček Date: Mon Jun 5 17:52:39 2017 +0200 dm integrity: reject mappings too large for device dm-integrity would successfully create mappings with the number of sectors greater than the provided data sector count. Attempts to read sectors of this mapping that were beyond the provided data sector count would then yield run-time messages of the form "device-mapper: integrity: Too big sector number: ...". Fix this by emitting an error when the requested mapping size is bigger than the provided data sector count. Signed-off-by: Ondrej Mosnacek Acked-by: Mikulas Patocka Signed-off-by: Mike Snitzer drivers/md/dm-integrity.c | 5 +++++ 1 file changed, 5 insertions(+) commit 98dbf5af4fdd142f6184dbb4e4164a8d1850d526 Author: Randy Dunlap Date: Mon Jun 12 15:43:03 2017 -0500 PCI: endpoint: Select CRC32 to fix test build error The PCI endpoint test driver uses crc32_le() so it should select CRC32. 
Fixes this build error (when CRC32=m): drivers/built-in.o: In function `pci_epf_test_cmd_handler': pci-epf-test.c:(.text+0x2d98d): undefined reference to `crc32_le' Fixes: 349e7a85b25f ("PCI: endpoint: functions: Add an EP function to test PCI") Reported-by: kbuild test robot Signed-off-by: Randy Dunlap Signed-off-by: Bjorn Helgaas Acked-by: Kishon Vijay Abraham I drivers/pci/endpoint/functions/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 675c8da049fd6556eb2d6cdd745fe812752f07a8 Author: Karicheri, Muralidharan Date: Mon Jun 12 15:06:26 2017 -0400 hsr: fix incorrect warning When HSR interface is setup using ip link command, an annoying warning appears with the trace as below:- [ 203.019828] hsr_get_node: Non-HSR frame [ 203.019833] Modules linked in: [ 203.019848] CPU: 0 PID: 158 Comm: sd-resolve Tainted: G W 4.12.0-rc3-00052-g9fa6bf70 #2 [ 203.019853] Hardware name: Generic DRA74X (Flattened Device Tree) [ 203.019869] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 203.019880] [] (show_stack) from [] (dump_stack+0xac/0xe0) [ 203.019894] [] (dump_stack) from [] (__warn+0xd8/0x104) [ 203.019907] [] (__warn) from [] (warn_slowpath_fmt+0x34/0x44) root@am57xx-evm:~# [ 203.019921] [] (warn_slowpath_fmt) from [] (hsr_get_node+0x148/0x170) [ 203.019932] [] (hsr_get_node) from [] (hsr_forward_skb+0x110/0x7c0) [ 203.019942] [] (hsr_forward_skb) from [] (hsr_dev_xmit+0x2c/0x34) [ 203.019954] [] (hsr_dev_xmit) from [] (dev_hard_start_xmit+0xc4/0x3bc) [ 203.019963] [] (dev_hard_start_xmit) from [] (__dev_queue_xmit+0x7c4/0x98c) [ 203.019974] [] (__dev_queue_xmit) from [] (ip6_finish_output2+0x330/0xc1c) [ 203.019983] [] (ip6_finish_output2) from [] (ip6_output+0x58/0x454) [ 203.019994] [] (ip6_output) from [] (mld_sendpack+0x420/0x744) As this is an expected path to hsr_get_node() with frame coming from the master interface, add a check to ensure packet is not from the master port and then warn. Signed-off-by: Murali Karicheri Signed-off-by: David S. 
Miller net/hsr/hsr_forward.c | 3 +-- net/hsr/hsr_framereg.c | 9 +++++++-- net/hsr/hsr_framereg.h | 2 +- 3 files changed, 9 insertions(+), 5 deletions(-) commit 8a524f803a3e0290cdba6d373361b2cef9752934 Author: Peter Zijlstra Date: Mon Jun 12 13:52:46 2017 +0200 x86/debug: Handle early WARN_ONs proper Hans managed to trigger a WARN very early in the boot which killed his (Virtual) box. The reason is that the recent rework of WARN() to use UD0 forgot to add the fixup_bug() call to early_fixup_exception(). As a result the kernel does not handle the WARN_ON injected UD0 exception and panics. Add the missing fixup call, so early UD's injected by WARN() get handled. Fixes: 9a93848fe787 ("x86/debug: Implement __WARN() using UD0") Reported-and-tested-by: Hans de Goede Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Thomas Gleixner Cc: Linus Torvalds Cc: Frank Mehnert Cc: Hans de Goede Cc: Michael Thayer Link: http://lkml.kernel.org/r/20170612180108.w4vgu2ckucmllf3a@hirez.programming.kicks-ass.net arch/x86/include/asm/extable.h | 1 + arch/x86/kernel/traps.c | 2 +- arch/x86/mm/extable.c | 3 +++ 3 files changed, 5 insertions(+), 1 deletion(-) commit 94114c367553f3301747e47f6947cabde947575f Author: Stephen Boyd Date: Wed Jun 7 23:36:03 2017 -0700 tick/broadcast: Make tick_broadcast_setup_oneshot() static This function isn't used outside of tick-broadcast.c, so let's mark it static. 
Signed-off-by: Stephen Boyd Link: http://lkml.kernel.org/r/20170608063603.13276-1-sboyd@codeaurora.org Signed-off-by: Thomas Gleixner kernel/time/tick-broadcast.c | 4 +++- kernel/time/tick-internal.h | 2 -- 2 files changed, 3 insertions(+), 3 deletions(-) commit d360a687d99577110c181e67ebfb9a1b6fed63a2 Author: Vladimir Murzin Date: Mon Jun 12 13:35:52 2017 +0100 ARM: 8682/1: V7M: Set cacheid iff DminLine or IminLine is nonzero Cache support is optional feature in M-class cores, thus DminLine or IminLine of Cache Type Register is zero if caches are not implemented, but we check the whole CTR which has other features encoded there. Let's be more precise and check for DminLine and IminLine of CTR before we set cacheid. Signed-off-by: Vladimir Murzin Signed-off-by: Russell King arch/arm/kernel/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bbeedfda8eee0b17ea16e4e157c596095458676a Author: Yisheng Xie Date: Fri Jun 9 15:28:18 2017 +0100 ARM: 8681/1: make VMSPLIT_3G_OPT depends on !ARM_LPAE When both enable CONFIG_ARM_LPAE=y and CONFIG_VMSPLIT_3G_OPT=y, which means use PAGE_OFFSET=0xB0000000 with ARM_LPAE, the kernel will boot fail and stop after uncompressed: Starting kernel ... Uart base = 0x20001000 watchdog reg = 0x20013000 dtb addr = 0x80840308 Uncompressing Linux... done, booting the kernel. For ARM_LPAE only support 3:1, 2:2, 1:3 split of TTBR1, which mention in: http://elinux.org/images/6/6a/Elce11_marinas.pdf - p16 So we should make VMSPLIT_3G_OPT depends on !ARM_LPAE to avoid trigger this bug. 
Acked-by: Nicolas Pitre Signed-off-by: Yisheng Xie Signed-off-by: Russell King arch/arm/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 60ce2858514ed9ccaf00dc7e9f4dc219537e9855 Author: Ard Biesheuvel Date: Fri Jun 9 10:14:53 2017 +0100 ARM: 8680/1: boot/compressed: fix inappropriate Thumb2 mnemonic for __nop Commit 06a4b6d009a1 ("ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M") fixed an issue in the layout of the header of the compressed kernel image that was caused by the assembler emitting narrow opcodes for 'mov r0, r0', and for this reason, the mnemonic was updated to use the W() macro, which will append the .w suffix (which forces a wide encoding) if required, i.e., when building the kernel in Thumb2 mode. However, this failed to take into account that on Thumb2 kernels built for CPUs that are also ARM capable, the entry point is entered in ARM mode, and so the instructions emitted here will be ARM instructions that only exist in a wide encoding to begin with, which is why the assembler rejects the .w suffix here and aborts the build with the following message: head.S: Assembler messages: head.S:132: Error: width suffixes are invalid in ARM mode -- `mov.w r0,r0' So replace the W(mov) with separate ARM and Thumb2 instructions, where the latter will only be used for THUMB2_ONLY builds. Fixes: 06a4b6d009a1 ("ARM: 8677/1: boot/compressed: fix decompressor ...") Reported-by: Arnd Bergmann Acked-by: Arnd Bergmann Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King arch/arm/boot/compressed/efi-header.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit d2f48f05cd2a2a0a708fbfa45f1a00a87660d937 Author: Corentin Labbe Date: Fri Jun 9 14:48:41 2017 +0300 usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk When plugging an USB webcam I see the following message: [106385.615559] xhci_hcd 0000:04:00.0: WARN Successful completion on short TX: needs XHCI_TRUST_TX_LENGTH quirk? 
[106390.583860] handle_tx_event: 913 callbacks suppressed

With this patch applied, I get no more printing of this message.

Cc:
Signed-off-by: Corentin Labbe
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman

drivers/usb/host/xhci-pci.c | 3 +++
1 file changed, 3 insertions(+)

commit b72eb8435b25be3a1880264cf32ac91e626ba5ba
Author: YD Tseng
Date: Fri Jun 9 14:48:40 2017 +0300

usb: xhci: Fix USB 3.1 supported protocol parsing

xHCI host controllers can have both USB 3.1 and 3.0 extended speed protocol lists. If the USB3.1 speed is parsed first and 3.0 second then the minor revision supported will be overwritten by the 3.0 speeds and the USB3 roothub will only show support for USB 3.0 speeds.

This was the case with a xhci controller with the supported protocol capability listed below. In xhci-mem.c, the USB 3.1 speed is parsed first, the min_rev of usb3_rhub is set as 0x10. And then USB 3.0 is parsed. However, the min_rev of usb3_rhub will be changed to 0x00. If USB 3.1 device is connected behind this host controller, the speed of USB 3.1 device just reports 5G speed using lsusb.

     00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
  00 01 08 00 00 00 00 00 40 00 00 00 00 00 00 00 00
  10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  20 02 08 10 03 55 53 42 20 01 02 00 00 00 00 00 00 //USB 3.1
  30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  40 02 08 00 03 55 53 42 20 03 06 00 00 00 00 00 00 //USB 3.0
  50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  60 02 08 00 02 55 53 42 20 09 0E 19 00 00 00 00 00 //USB 2.0
  70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This patch fixes the issue by only overwriting the minor revision if it is higher than the existing one.
[reword commit message -Mathias]

Cc:
Signed-off-by: YD Tseng
Signed-off-by: Mathias Nyman
Signed-off-by: Greg Kroah-Hartman

drivers/usb/host/xhci-mem.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

commit 8ada5f3ae96b0336145e453740b9168a56a0fc1d
Merge: 32c1431 f50b878
Author: Greg Kroah-Hartman
Date: Mon Jun 12 16:02:19 2017 +0200

Merge tag 'fixes-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

usb: fixes for v4.12-rc5

Alan Stern fixed a GPF in gadgetfs found by the kernel fuzzing project

composite.c learned that if it deactivates a function during bind, it must reactivate it during unbind.

commit 3500cd73dff48f28f4ba80c171c4c80034d40f76
Author: Christian Perle
Date: Mon Jun 12 10:06:57 2017 +0200

proc: snmp6: Use correct type in memset

Reading /proc/net/snmp6 yields bogus values on 32 bit kernels. Use "u64" instead of "unsigned long" in sizeof().

Fixes: 4a4857b1c81e ("proc: Reduce cache miss in snmp6_seq_show")
Signed-off-by: Christian Perle
Signed-off-by: David S. Miller

net/ipv6/proc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 3db1200ca21f3c63c9044185dc5762ef996848cb
Author: Frank Rowand
Date: Fri Jun 9 17:26:32 2017 -0700

clocksource/drivers/arm_arch_timer: Fix read and iounmap of incorrect variable

Fix boot warning 'Trying to vfree() nonexistent vm area' from arch_timer_mem_of_init().

Refactored code attempts to read and iounmap using address frame instead of address ioremap(frame->cntbase).

Fixes: c389d701dfb70 ("clocksource: arm_arch_timer: split MMIO timer probing.")
Signed-off-by: Frank Rowand
Reviewed-by: Fu Wei
Acked-by: Marc Zyngier
Signed-off-by: Daniel Lezcano

drivers/clocksource/arm_arch_timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit 74b2c983960b1af193eafe6b4ea3bb1bf77e2650
Merge: 32c1431 6b1355f
Author: Rafael J.
Wysocki
Date: Mon Jun 12 14:40:08 2017 +0200

Merge branch 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq

Pull devfreq fixes from MyungJoo Ham.

* 'for-next' of https://git.kernel.org/pub/scm/linux/kernel/git/mzx/devfreq:
  PM / devfreq: exynos-ppmu: Staticize event list
  PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable
  PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable

commit b2cdd8e1b54849477a32d820acc2e87828a38f3d
Author: Christophe Jaillet
Date: Sun Jun 11 14:28:54 2017 +0200

cpuidle: dt: Add missing 'of_node_put()'

'of_node_put()' should be called on pointer returned by 'of_parse_phandle()' when done. In this function this is done in all path except this 'continue', so add it.

Fixes: 97735da074fd (drivers: cpuidle: Add status property to ARM idle states)
Signed-off-by: Christophe Jaillet
Signed-off-by: Rafael J. Wysocki

drivers/cpuidle/dt_idle_states.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

commit b8e11f7d2791bd9320be1c6e772a60b2aa093e45
Author: Tomasz Wilczyński
Date: Sun Jun 11 17:28:39 2017 +0900

cpufreq: conservative: Allow down_threshold to take values from 1 to 10

Commit 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency decrease checking) removed the 10 point subtraction when comparing the load against down_threshold but did not remove the related limit for the down_threshold value. As a result, down_threshold lower than 11 is not allowed even though values from 1 to 10 do work correctly too. The comment ("cannot be lower than 11 otherwise freq will not fall") also does not apply after removing the subtraction.

For this reason, allow down_threshold to take any value from 1 to 99 and fix the related comment.

Fixes: 27ed3cd2ebf4 (cpufreq: conservative: Fix the logic in frequency decrease checking)
Signed-off-by: Tomasz Wilczyński
Acked-by: Viresh Kumar
Cc: 3.10+ # 3.10+
Signed-off-by: Rafael J.
Wysocki drivers/cpufreq/cpufreq_conservative.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ff0a6d6f932ff4b9eb8e8140f98cc1cf763d0d78 Author: Rafael J. Wysocki Date: Mon Jun 12 14:16:16 2017 +0200 Revert "cpufreq: schedutil: Reduce frequencies slower" Revert commit 39b64aa1c007 (cpufreq: schedutil: Reduce frequencies slower) that introduced unintentional changes in behavior leading to adverse effects on some systems. Reported-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki kernel/sched/cpufreq_schedutil.c | 3 --- 1 file changed, 3 deletions(-) commit 83848fbe7e6af978c080a88c130a67178b1ac0e4 Author: Lv Zheng Date: Wed Jun 7 12:54:58 2017 +0800 ACPICA: Tables: Mechanism to handle late stage acpi_get_table() imbalance Considering this case: 1. A program opens a sysfs table file 65535 times, it can increase validation_count and first increment causes the table to be mapped: validation_count = 65535 2. AML execution causes "Load" to be executed on the same table, this time it cannot increase validation_count, so validation_count remains: validation_count = 65535 3. The program closes sysfs table file 65535 times, it can decrease validation_count and the last decrement causes the table to be unmapped: validation_count = 0 4. AML code still accessing the loaded table, kernel crash can be observed. To prevent that from happening, add a validation_count threshold. When it is reached, the validation_count can no longer be incremented/decremented to invalidate the table descriptor (means preventing table unmappings) Note that code added in acpi_tb_put_table() is actually a no-op but changes the warning message into a "warn once" one. Lv Zheng. Signed-off-by: Lv Zheng [ rjw: Changelog, comments ] Signed-off-by: Rafael J. 
Wysocki drivers/acpi/acpica/tbutils.c | 34 +++++++++++++++++++++++++--------- include/acpi/actbl.h | 14 ++++++++++++++ 2 files changed, 39 insertions(+), 9 deletions(-) commit 19e72d3abb63cb16d021a4066ce1a18880509e99 Author: Bart Van Assche Date: Thu Feb 9 17:28:50 2017 -0800 configfs: Introduce config_item_get_unless_zero() Signed-off-by: Bart Van Assche [hch: minor style tweak] Signed-off-by: Christoph Hellwig fs/configfs/item.c | 8 ++++++++ include/linux/configfs.h | 3 ++- 2 files changed, 10 insertions(+), 1 deletion(-) commit ba80aa909c99802c428682c352b0ee0baac0acd3 Author: Nicholas Bellinger Date: Thu Jun 8 04:51:54 2017 +0000 configfs: Fix race between create_link and configfs_rmdir This patch closes a long standing race in configfs between the creation of a new symlink in create_link(), while the symlink target's config_item is being concurrently removed via configfs_rmdir(). This can happen because the symlink target's reference is obtained by config_item_get() in create_link() before the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep() during configfs_rmdir() shutdown is actually checked. 
This originally manifested itself on ppc64 on v4.8.y under heavy load using ibmvscsi target ports with Novalink API: [ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added [ 7879.893760] ------------[ cut here ]------------ [ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs] [ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12 [ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000 [ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870 [ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22) [ 7879.893815] MSR: 8000000000029033 CR: 28222242 XER: 00000000 [ 7879.893820] CFAR: d000000002c664bc SOFTE: 1 GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820 GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000 GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80 GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40 GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940 GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000 GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490 GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940 [ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs] [ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs] [ 7879.893842] Call Trace: [ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs] [ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460 [ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490 [ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170 [ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390 [ 7879.893856] [c0000001f3b43e30] [c000000000009584] 
system_call+0x38/0xec [ 7879.893856] Instruction dump: [ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000 [ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000 [ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]--- To close this race, go ahead and obtain the symlink's target config_item reference only after the existing CONFIGFS_USET_DROPPING check succeeds. This way, if configfs_rmdir() wins create_link() will return -ENONET, and if create_link() wins configfs_rmdir() will return -EBUSY. Reported-by: Bryant G. Ly Tested-by: Bryant G. Ly Signed-off-by: Nicholas Bellinger Signed-off-by: Christoph Hellwig Cc: stable@vger.kernel.org fs/configfs/symlink.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 138437f591dd9a42d53c6fed1a3c85e02678851c Author: Hangbin Liu Date: Sun Jun 11 09:44:20 2017 +0800 xfrm: move xfrm_garbage_collect out of xfrm_policy_flush Now we will force to do garbage collection if any policy removed in xfrm_policy_flush(). But during xfrm_net_exit(), we call flow_cache_fini() first and set fc->percpu to NULL. Then after we call xfrm_policy_fini() -> xfrm_policy_flush() -> flow_cache_flush(), we will get NULL pointer dereference when check percpu_empty. The code path looks like: flow_cache_fini() - fc->percpu = NULL xfrm_policy_fini() - xfrm_policy_flush() - xfrm_garbage_collect() - flow_cache_flush() - flow_cache_percpu_empty() - fcp = per_cpu_ptr(fc->percpu, cpu) To reproduce, just add ipsec in netns and then remove the netns. v2: As Xin Long suggested, since only two other places need to call it. move xfrm_garbage_collect() outside xfrm_policy_flush(). v3: Fix subject mismatch after v2 fix. 
Fixes: 35db06912189 ("xfrm: do the garbage collection after flushing policy") Signed-off-by: Hangbin Liu Reviewed-by: Xin Long Signed-off-by: Steffen Klassert net/key/af_key.c | 2 ++ net/xfrm/xfrm_policy.c | 4 ---- net/xfrm/xfrm_user.c | 1 + 3 files changed, 3 insertions(+), 4 deletions(-) commit 24835611a96e9b41ad57dd5024915106293be7e9 Author: Heiner Kallweit Date: Sat Jun 10 13:36:38 2017 +0200 mmc: meson-gx: work around broken SDIO with certain WiFi chips There have been reports about SDIO failing with certain WiFi chips in descriptor chain mode. SD / eMMC are working fine. So let's fall back to bounce buffer mode for command SD_IO_RW_EXTENDED. This was reported to fix the error. Fixes: 79ed05e329c3 "mmc: meson-gx: add support for descriptor chain mode" Signed-off-by: Heiner Kallweit Tested-by: Martin Blumenstingl Signed-off-by: Ulf Hansson drivers/mmc/host/meson-gx-mmc.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit d758619ba6a5d250914b06b2b923a65e48bdd002 Author: Laurent Pinchart Date: Sat Jun 10 11:59:43 2017 +0300 drm: dw-hdmi: Fix compilation breakage by selecting REGMAP_MMIO The dw-hdmi driver switched to regmap-mmio, but lacks the dependency in Kconfig. This can result in compilation breakages. Fix it by selecting REGMAP_MMIO. Fixes: 80e2f97968b5 ("drm: bridge: dw-hdmi: Switch to regmap for register access") Reported-by: kbuild test robot Signed-off-by: Laurent Pinchart Signed-off-by: Archit Taneja Link: http://patchwork.freedesktop.org/patch/msgid/20170610085943.15788-1-laurent.pinchart+renesas@ideasonboard.com drivers/gpu/drm/bridge/synopsys/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 6b1355f9ace06a65443c607e1b70872a5f613f80 Author: Krzysztof Kozlowski Date: Wed Jun 7 20:12:28 2017 +0200 PM / devfreq: exynos-ppmu: Staticize event list The ppmu_events array is accessed only in this compilation unit so it can be made static. 
Signed-off-by: Krzysztof Kozlowski Acked-by: Chanwoo Choi Signed-off-by: MyungJoo Ham drivers/devfreq/event/exynos-ppmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 97a6ba5bd0b54544fabe090711fabefc7a703a5f Author: Arvind Yadav Date: Fri May 19 16:26:04 2017 +0530 PM / devfreq: exynos-ppmu: Handle return value of clk_prepare_enable clk_prepare_enable() can fail here and we must check its return value. Signed-off-by: Arvind Yadav Signed-off-by: MyungJoo Ham drivers/devfreq/event/exynos-ppmu.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 973a27c7464231282489b2f14581e33cf29024b8 Author: Arvind Yadav Date: Fri May 19 16:20:35 2017 +0530 PM / devfreq: exynos-nocp: Handle return value of clk_prepare_enable clk_prepare_enable() can fail here and we must check its return value. Signed-off-by: Arvind Yadav Signed-off-by: MyungJoo Ham drivers/devfreq/event/exynos-nocp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 32c1431eea4881a6b17bd7c639315010aeefa452 Author: Linus Torvalds Date: Sun Jun 11 16:48:20 2017 -0700 Linux 4.12-rc5 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 32627645e9e89b58e0e2fcf6f5f6755b9bd046bb Merge: 6d53cef 92347cf Author: Linus Torvalds Date: Sun Jun 11 16:17:29 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull key subsystem fixes from James Morris: "Here are a bunch of fixes for Linux keyrings, including: - Fix up the refcount handling now that key structs use the refcount_t type and the refcount_t ops don't allow a 0->1 transition. - Fix a potential NULL deref after error in x509_cert_parse(). - Don't put data for the crypto algorithms to use on the stack. - Fix the handling of a null payload being passed to add_key(). - Fix incorrect cleanup an uninitialised key_preparsed_payload in key_update(). - Explicit sanitisation of potentially secure data before freeing. 
- Fixes for the Diffie-Hellman code" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (23 commits) KEYS: fix refcount_inc() on zero KEYS: Convert KEYCTL_DH_COMPUTE to use the crypto KPP API crypto : asymmetric_keys : verify_pefile:zero memory content before freeing KEYS: DH: add __user annotations to keyctl_kdf_params KEYS: DH: ensure the KDF counter is properly aligned KEYS: DH: don't feed uninitialized "otherinfo" into KDF KEYS: DH: forbid using digest_null as the KDF hash KEYS: sanitize key structs before freeing KEYS: trusted: sanitize all key material KEYS: encrypted: sanitize all key material KEYS: user_defined: sanitize key payloads KEYS: sanitize add_key() and keyctl() key payloads KEYS: fix freeing uninitialized memory in key_update() KEYS: fix dereferencing NULL payload with nonzero length KEYS: encrypted: use constant-time HMAC comparison KEYS: encrypted: fix race causing incorrect HMAC calculations KEYS: encrypted: fix buffer overread in valid_master_desc() KEYS: encrypted: avoid encrypting/decrypting stack buffers KEYS: put keyring if install_session_keyring_to_cred() fails KEYS: Delete an error message for a failed memory allocation in get_derived_key() ... commit 6d53cefb18e4646fb4bf62ccb6098fb3808486df Author: Linus Torvalds Date: Sun Jun 11 15:51:56 2017 -0700 compiler, clang: properly override 'inline' for clang Commit abb2ea7dfd82 ("compiler, clang: suppress warning for unused static inline functions") just caused more warnings due to re-defining the 'inline' macro. So undef it before re-defining it, and also add the 'notrace' attribute like the gcc version that this is overriding does. Maybe this makes clang happier. 
Signed-off-by: Linus Torvalds include/linux/compiler-clang.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4b1f0d33db7d5bf92b5623e3ea2066e2de3999e3 Author: Donald Sharp Date: Sat Jun 10 16:30:17 2017 -0400 net: ipmr: Fix some mroute forwarding issues in vrf's This patch fixes two issues: 1) When forwarding on *,G mroutes that are in a vrf, the kernel was dropping information about the actual incoming interface when calling ip_mr_forward from ip_mr_input. This caused ip_mr_forward to send the multicast packet back out the incoming interface. Fix this by modifying ip_mr_forward to be handed the correctly resolved dev. 2) When a unresolved cache entry is created we store the incoming skb on the unresolved cache entry and upon mroute resolution from the user space daemon, we attempt to forward the packet. Again we were not resolving to the correct incoming device for a vrf scenario, before calling ip_mr_forward. Fix this by resolving to the correct interface and calling ip_mr_forward with the result. Fixes: e58e41596811 ("net: Enable support for VRF with ipv4 multicast") Signed-off-by: Donald Sharp Acked-by: David Ahern Acked-by: Nikolay Aleksandrov Reviewed-by: Yotam Gigi Signed-off-by: David S. Miller net/ipv4/ipmr.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) commit 062bb997d290879ea711d149189daf485bd777b3 Merge: 77a6bb5 91828bd Author: David S. Miller Date: Sun Jun 11 16:40:52 2017 -0400 Merge tag 'mlx5-fixes-2017-06-11' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== Mellanox mlx5 fixes 2017-06-11 This series contains some fixes for the mlx5 core and netdev driver. Please pull and let me know if there's any problem. 
For -stable: ("net/mlx5e: Added BW check for DIM decision mechanism") kernels >= 4.9 ("net/mlx5e: Fix wrong indications in DIM due to counter wraparound") kernels >= 4.9 ("net/mlx5: Remove several module events out of ethtool stats") kernels >= 4.10 ("net/mlx5: Enable 4K UAR only when page size is bigger than 4K") kernels >= 4.11 *all patches apply with no issue on their -stable. ==================== Signed-off-by: David S. Miller commit 77a6bb5ac00dd48934dae0df4a24461cc7893d64 Merge: b87fa0f e7ff7ef Author: David S. Miller Date: Sun Jun 11 16:36:48 2017 -0400 Merge branch 'ena-fixes' Netanel Belgazal says: ==================== Bugs fixes in ena ethernet driver This patchset contains fixes for the bugs that were discovered so far. ==================== Signed-off-by: David S. Miller commit e7ff7efae5708513a795e329909ccbe2ac367b1a Author: Netanel Belgazal Date: Sun Jun 11 15:42:51 2017 +0300 net: ena: update ena driver to version 1.1.7 Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_netdev.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 800c55cb76be6617232ef50a2be29830f3aa8e5c Author: Netanel Belgazal Date: Sun Jun 11 15:42:50 2017 +0300 net: ena: bug fix in lost tx packets detection mechanism check_for_missing_tx_completions() is called from a timer task and looks for lost tx packets. The old implementation accumulated all the lost tx packets and did not check if those packets were retrieved on a later stage. This caused a situation where the driver reset the device for no reason. Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. 
Miller drivers/net/ethernet/amazon/ena/ena_ethtool.c | 1 - drivers/net/ethernet/amazon/ena/ena_netdev.c | 66 +++++++++++++++------------ drivers/net/ethernet/amazon/ena/ena_netdev.h | 14 +++++- 3 files changed, 50 insertions(+), 31 deletions(-) commit a2cc5198dac102775b21787752a2e0afe44ad311 Author: Netanel Belgazal Date: Sun Jun 11 15:42:49 2017 +0300 net: ena: disable admin msix while working in polling mode Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_com.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit a3af7c18cfe545a711e5df7491b7d6df71eba2ff Author: Netanel Belgazal Date: Sun Jun 11 15:42:48 2017 +0300 net: ena: fix theoretical Rx hang on low memory systems For the rare case where the device runs out of free rx buffer descriptors (in case of pressure on kernel memory), and the napi handler continuously fail to refill new Rx descriptors until device rx queue totally runs out of all free rx buffers to post incoming packet, leading to a deadlock: * The device won't send interrupts since all the new Rx packets will be dropped. * The napi handler won't try to allocate new Rx descriptors since allocation is part of NAPI that's not being invoked any more The fix involves detecting this scenario and rescheduling NAPI (to refill buffers) by the keepalive/watchdog task. Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. 
Miller drivers/net/ethernet/amazon/ena/ena_ethtool.c | 1 + drivers/net/ethernet/amazon/ena/ena_netdev.c | 55 +++++++++++++++++++++++++++ drivers/net/ethernet/amazon/ena/ena_netdev.h | 2 + 3 files changed, 58 insertions(+) commit 0857d92f71b6cb75281fde913554b2d5436c394b Author: Netanel Belgazal Date: Sun Jun 11 15:42:47 2017 +0300 net: ena: add missing unmap bars on device removal This patch also changes the mapping functions to devm_ functions Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_netdev.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit 661d2b0ccef6a63f48b61105cf7be17403d1db01 Author: Netanel Belgazal Date: Sun Jun 11 15:42:46 2017 +0300 net: ena: fix race condition between submit and completion admin command Bug: "Completion context is occupied" error printout will be noticed in dmesg. This error will cause the admin command to fail, which will lead to an ena_probe() failure or a watchdog reset (depends on which admin command failed). Root cause: __ena_com_submit_admin_cmd() is the function that submits new entries to the admin queue. The function has a check that makes sure the queue is not full and the function does not override any outstanding command. It uses head and tail indexes for this check. The head is increased by ena_com_handle_admin_completion() which runs from interrupt context, and the tail index is increased by the submit function (the function is running under ->q_lock, so there is no risk of multithread increment). Each command is associated with a completion context. This context is allocated before the call to __ena_com_submit_admin_cmd() and freed by ena_com_wait_and_process_admin_cq_interrupts(), right after the command was completed. This can lead to a state where the head was increased, the check passed, but the completion context is still in use. 
Solution: Use the atomic variable ->outstanding_cmds instead of using the head and the tail indexes. This variable is safe for use since it is bumped in get_comp_ctx() in __ena_com_submit_admin_cmd() and is freed by comp_ctxt_release() Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_com.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 2d2c600a917127f16f179d5a88fc44ba3ed263ed Author: Netanel Belgazal Date: Sun Jun 11 15:42:45 2017 +0300 net: ena: add missing return when ena_com_get_io_handlers() fails Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_netdev.c | 2 ++ 1 file changed, 2 insertions(+) commit 418df30f7e9e8f4795fb2f3abf9744e5886df5ca Author: Netanel Belgazal Date: Sun Jun 11 15:42:44 2017 +0300 net: ena: fix bug that might cause hang after consecutive open/close interface. Fixing a bug that the driver does not unmask the IO interrupts in ndo_open(): occasionally, the MSI-X interrupt (for one or more IO queues) can be masked when ndo_close() was called. If that is followed by ndo open(), then the MSI-X will be still masked so no interrupt will be received by the driver. Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. 
Miller drivers/net/ethernet/amazon/ena/ena_netdev.c | 41 ++++++++++++++++++---------- 1 file changed, 26 insertions(+), 15 deletions(-) commit a77c1aafcc906f657d1a0890c1d898be9ee1d5c9 Author: Netanel Belgazal Date: Sun Jun 11 15:42:43 2017 +0300 net: ena: fix rare uncompleted admin command false alarm The current flow to detect admin completion is: while (command_not_completed) { if (timeout) error check_for_completion() sleep() } So in case the sleep took more than the timeout (in case the thread/workqueue was not scheduled due to higher priority task or prolonged VMexit), the driver can detect a stall even if the completion is present. The fix changes the order of this function to first check for completion and only after that check if the timeout expired. Fixes: 1738cd3ed342 ("Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Netanel Belgazal Signed-off-by: David S. Miller drivers/net/ethernet/amazon/ena/ena_com.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) commit 5ad9345d2321eb1442794098506d136d01cf8345 Merge: 5e38b72 b169c13 Author: Linus Torvalds Date: Sun Jun 11 12:02:01 2017 -0700 Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random Pull randomness fixes from Ted Ts'o: "Improve performance by using a lockless update mechanism suggested by Linus, and make sure we refresh per-CPU entropy returned get_random_* as soon as the CRNG is initialized" * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: invalidate batched entropy after crng init random: use lockless method of accessing and updating f->reg_idx commit 5e38b72ac1b0000f1d7bd2b62fba7ee9053f5b94 Merge: f986e31 67a7d5f Author: Linus Torvalds Date: Sun Jun 11 11:57:47 2017 -0700 Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Fix various bug fixes in ext4 caused by races and memory 
allocation failures" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: fix fdatasync(2) after extent manipulation operations ext4: fix data corruption for mmap writes ext4: fix data corruption with EXT4_GET_BLOCKS_ZERO ext4: fix quota charging for shared xattr blocks ext4: remove redundant check for encrypted file on dio write path ext4: remove unused d_name argument from ext4_search_dir() et al. ext4: fix off-by-one error when writing back pages before dio read ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff() ext4: keep existing extra fields when inode expands ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors ext4: fix off-by-in in loop termination in ext4_find_unwritten_pgoff() ext4: fix SEEK_HOLE jbd2: preserve original nofs flag during journal restart ext4: clear lockdep subtype for quota files on quota off commit f986e31bb4d0dba0a10adc51308bf9de2d0e7e4a Merge: 9cd9cb0 fc7a906 Author: Linus Torvalds Date: Sun Jun 11 11:34:27 2017 -0700 Merge tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "A few overdue GPIO patches for the v4.12 kernel. - Fix debounce logic on the Aspeed platform. - Fix the "virtual gpio" things on the Intel Crystal Cove. 
- Fix the blink counter selection on the MVEBU platform" * tag 'gpio-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: mvebu: fix gpio bank registration when pwm is used gpio: mvebu: fix blink counter register selection MAINTAINERS: remove self from GPIO maintainers gpio: crystalcove: Do not write regular gpio registers for virtual GPIOs gpio: aspeed: Don't attempt to debounce if disabled commit 9cd9cb0ba3e9e55120d25be3a45ffafd299b1b14 Merge: 21c9eb7 ed45509 Author: Linus Torvalds Date: Sun Jun 11 11:29:15 2017 -0700 Merge tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small driver fixes for 4.12-rc5. Nothing major here, just some small bugfixes found by people testing, and a MAINTAINERS file update for the genwqe driver. All have been in linux-next with no reported issues" [ The cxl driver fix came in through the powerpc tree earlier ] * tag 'char-misc-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: cxl: Avoid double free_irq() for psl,slice interrupts mei: make sysfs modalias format similar as uevent modalias drivers: char: mem: Fix wraparound check to allow mappings up to the end MAINTAINERS: Change maintainer of genwqe driver goldfish_pipe: use GFP_ATOMIC under spin lock firmware: vpd: do not leak kobjects firmware: vpd: avoid potential use-after-free when destroying section firmware: vpd: do not leave freed section attributes to the list commit 21c9eb7ca32be43a1c6fcb8194cf2d1aea771772 Merge: 246baac 26f4b1f Author: Linus Torvalds Date: Sun Jun 11 11:25:51 2017 -0700 Merge tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/IIO fixes from Greg KH: "These are mostly all IIO driver fixes, resolving a number of tiny issues. There's also a ccree and lustre fix in here as well, both fix problems found in those codebases. 
All have been in linux-next with no reported issues" * tag 'staging-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: ccree: fix buffer copy staging/lustre/lov: remove set_fs() call from lov_getstripe() staging: ccree: add CRYPTO dependency iio: adc: sun4i-gpadc-iio: fix parent device being used in devm function iio: light: ltr501 Fix interchanged als/ps register field iio: adc: bcm_iproc_adc: swap primary and secondary isr handler's iio: trigger: fix NULL pointer dereference in iio_trigger_write_current() iio: adc: max9611: Fix attribute measure unit iio: adc: ti_am335x_adc: allocating too much in probe iio: adc: sun4i-gpadc-iio: Fix module autoload when OF devices are registered iio: adc: sun4i-gpadc-iio: Fix module autoload when PLATFORM devices are registered iio: proximity: as3935: fix iio_trigger_poll issue iio: proximity: as3935: fix AS3935_INT mask iio: adc: Max9611: checking for ERR_PTR instead of NULL in probe iio: proximity: as3935: recalibrate RCO after resume commit 246baac2fd2917259ba5dd34f3be7d6d195cbeb8 Merge: ef918d3 29532e7 Author: Linus Torvalds Date: Sun Jun 11 11:23:10 2017 -0700 Merge tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes for 4.12-rc5 They are for some reported issues in the chipidea and gadget drivers. Nothing major. 
All have been in linux-next for a while with no reported issues" * tag 'usb-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: gadget: udc: renesas_usb3: Fix PN_INT_ENA disabling timing usb: gadget: udc: renesas_usb3: lock for PN_ registers access usb: gadget: udc: renesas_usb3: fix deadlock by spinlock usb: gadget: udc: renesas_usb3: fix pm_runtime functions calling usb: gadget: f_mass_storage: Serialize wake and sleep execution usb: dwc2: add support for the DWC2 controller on Meson8 SoCs phy: qualcomm: phy-qcom-qmp: fix application of sizeof to pointer usb: musb: dsps: keep VBUS on for host-only mode usb: chipidea: core: check before accessing ci_role in ci_role_show usb: chipidea: debug: check before accessing ci_role phy: qcom-qmp: fix return value check in qcom_qmp_phy_create() usb: chipidea: udc: fix NULL pointer dereference if udc_start failed usb: chipidea: imx: Do not access CLKONOFF on i.MX51 commit ef918d3c80f5e2c42076f2b23c7ec4767b5ec925 Merge: 8f56821 e0f8e8c Author: Linus Torvalds Date: Sun Jun 11 11:21:08 2017 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is a set of user visible fixes (excepting one format string change). Four of the qla2xxx fixes only affect the firmware dump path, but it's still important to the enterprise. 
The rest are various NULL pointer crash conditions or outright driver hangs" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: cxgb4i: libcxgbi: in error case RST tcp conn scsi: scsi_debug: Avoid PI being disabled when TPGS is enabled scsi: qla2xxx: Fix extraneous ref on sp's after adapter break scsi: lpfc: prevent potential null pointer dereference scsi: lpfc: Avoid NULL pointer dereference in lpfc_els_abort() scsi: lpfc: nvmet_fc: fix format string scsi: qla2xxx: Fix crash due to NULL pointer dereference of ctx scsi: qla2xxx: Fix mailbox pointer error in fwdump capture scsi: qla2xxx: Set bit 15 for DIAG_ECHO_TEST MBC scsi: qla2xxx: Modify T262 FW dump template to specify same start/end to debug customer issues scsi: qla2xxx: Fix crash due to mismatch mumber of Q-pair creation for Multi queue scsi: qla2xxx: Fix NULL pointer access due to redundant fc_host_port_name call scsi: qla2xxx: Fix recursive loop during target mode configuration for ISP25XX leaving system unresponsive scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats() scsi: qla2xxx: don't disable a not previously enabled PCI device commit 8f56821d1db34b980ebe027a1b6fff2233471062 Merge: 9d66af6 b9d39d1 Author: Linus Torvalds Date: Sun Jun 11 11:15:09 2017 -0700 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fix from Dan Williams: "We expanded the device-dax fs type in 4.12 to be a generic provider of a struct dax_device with an embedded inode. However, Sasha found some basic negative testing was not run to verify that this fs cleanly handles being mounted directly. Note that the fresh rebase was done to remove an unnecessary Cc: tag, but this commit otherwise had a build success notification from the 0day robot." 
* 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: device-dax: fix 'dax' device filesystem inode destruction crash commit 9d66af6bbf94d520e65e58a98543f67693ea4145 Merge: 9d0eb46 4d801cc Author: Linus Torvalds Date: Sun Jun 11 11:09:15 2017 -0700 Merge tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hexagon fix from Guenter Roeck: "This fixes a build error seen when building hexagon images. Richard sent me an Ack, but didn't reply when asked if he wants me to send the patch to you directly, so I figured I'd just do it" * tag 'hexagon-for-linus-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hexagon: Use raw_copy_to_user commit 9d0eb4624601ac978b9e89be4aeadbd51ab2c830 Merge: 5faab9e 9bc1f09 Author: Linus Torvalds Date: Sun Jun 11 11:07:25 2017 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "Bug fixes (ARM, s390, x86)" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: async_pf: avoid async pf injection when in guest mode KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation arm: KVM: Allow unaligned accesses at HYP arm64: KVM: Allow unaligned accesses at EL2 arm64: KVM: Preserve RES1 bits in SCTLR_EL2 KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages KVM: nVMX: Fix exception injection kvm: async_pf: fix rcu_irq_enter() with irqs enabled KVM: arm/arm64: vgic-v3: Fix nr_pre_bits bitfield extraction KVM: s390: fix ais handling vs cpu model KVM: arm/arm64: Fix isues with GICv2 on GICv3 migration commit 103a07d4278203d6299798cd74cdc4d209801cac Author: Martin Blumenstingl Date: Sun Jun 4 15:28:23 2017 +0200 iio: adc: meson-saradc: fix potential crash in meson_sar_adc_clear_fifo meson_sar_adc_clear_fifo passes a 0 as value-pointer to regmap_read(). 
In case of the meson-saradc driver this ends up in regmap_mmio_read(), where the value-pointer is de-referenced unconditionally to assign the value which was read. Fix this by passing an actual pointer, even though all we want to do is to discard the value. As a side-effect this fixes a sparse warning ("Using plain integer as NULL pointer") as reported by Paolo Cretaro. Fixes: 3adbf3427330 ("iio: adc: add a driver for the SAR ADC found in Amlogic Meson SoCs") Reported-by: Paolo Cretaro Signed-off-by: Martin Blumenstingl Cc: Signed-off-by: Jonathan Cameron drivers/iio/adc/meson_saradc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 91828bd89940e8145f91751a015bc11bc486aad0 Author: Majd Dibbiny Date: Sun May 28 14:47:56 2017 +0300 net/mlx5: Enable 4K UAR only when page size is bigger than 4K When the page size isn't bigger than 4K, there is no added value of enabling 4K UAR feature in the Firmware. Modified the condition of enabling the 4K UAR accordingly. Fixes: f502d834950a ("net/mlx5: Activate support for 4K UARs") Signed-off-by: Majd Dibbiny Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/main.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 53acd76ce571e3b71f9205f2d49ab285a9f1aad8 Author: Tal Gilboa Date: Mon May 29 17:02:55 2017 +0300 net/mlx5e: Fix wrong indications in DIM due to counter wraparound DIM (Dynamically-tuned Interrupt Moderation) is a mechanism designed for changing the channel interrupt moderation values in order to reduce CPU overhead for all traffic types. Each iteration of the algorithm, DIM calculates the difference in throughput, packet rate and interrupt rate from last iteration in order to make a decision. DIM relies on counters for each metric. When these counters get to their type's max value they wraparound. In this case the delta between 'end' and 'start' samples is negative and when translated to unsigned integers - very high. 
This results in a false indication to the algorithm and might result in a wrong decision. The fix calculates the 'distance' between 'end' and 'start' samples in a cyclic way around the relevant type's max value. It can also be viewed as an absolute value around the type's max value instead of around 0. Testing show higher stability in DIM profile selection and no wraparound issues. Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing") Signed-off-by: Tal Gilboa Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en.h | 8 ++++---- drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c | 10 +++++++--- 2 files changed, 11 insertions(+), 7 deletions(-) commit c3164d2fc48fd4fa0477ab658b644559c3fe9073 Author: Tal Gilboa Date: Mon May 15 14:13:16 2017 +0300 net/mlx5e: Added BW check for DIM decision mechanism DIM (Dynamically-tuned Interrupt Moderation) is a mechanism designed for changing the channel interrupt moderation values in order to reduce CPU overhead for all traffic types. Until now only interrupt and packet rate were sampled. We found a scenario on which we get a false indication since a change in DIM caused more aggregation and reduced packet rate while increasing BW. 
We now regard a change as successful iff:
current_BW > (prev_BW + threshold) or
current_BW ~= prev_BW and current_PR > (prev_PR + threshold) or
current_BW ~= prev_BW and current_PR ~= prev_PR and current_IR < (prev_IR - threshold)
Where BW = Bandwidth, PR = Packet rate and IR = Interrupt rate

Improvements (ConnectX-4Lx 25GbE, single RX queue, LRO off)
--------------------------------------------------
packet size | before[Mb/s] | after[Mb/s] | gain |
2B          | 343.4        | 359.4       | 4.5% |
16B         | 2739.7       | 2814.8      | 2.7% |
64B         | 9739         | 10185.3     | 4.5% |

Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing") Signed-off-by: Tal Gilboa Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en.h | 2 ++ drivers/net/ethernet/mellanox/mlx5/core/en_rx_am.c | 37 ++++++++++++---------- 2 files changed, 22 insertions(+), 17 deletions(-) commit f729860a177d097ac44321fb2f7d927a0c54c5a3 Author: Huy Nguyen Date: Mon May 8 11:46:50 2017 -0500 net/mlx5: Remove several module events out of ethtool stats Remove the following module event counters out of ethtool stats. The reason for removing these event counters is that these events do not occur without technician's intervention. module_pwr_budget_exd module_long_range module_no_eeprom module_enforce_part module_unknown_id module_unknown_status module_plug Fixes: bedb7c909c19 ("net/mlx5e: Add port module event counters to ethtool stats") Signed-off-by: Huy Nguyen Reviewed by: Gal Pressman Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) commit 3fece5d676939f42f434c63dfe1bd42d7d94e6f0 Author: Mohamad Haj Yahia Date: Sun Apr 9 17:19:37 2017 +0300 net/mlx5: Continue health polling until it is explicitly stopped The issue is that when we get an assert we will stop polling the health and thus we can't enter error state when we have a real health issue.
Fixes: fd76ee4da55a ('net/mlx5_core: Fix internal error detection conditions') Signed-off-by: Mohamad Haj Yahia Reviewed-by: Daniel Jurgens Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/health.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) commit 57f35c93a2072c1f66ab1728a77a9ee4bc33bf42 Author: Mohamad Haj Yahia Date: Thu May 25 16:46:14 2017 +0300 net/mlx5: Fix create vport flow table flow Send vport number to the create flow table inner method instead of ignoring the vport argument and sending always 0. Fixes: b3ba51498bdd ('net/mlx5: Refactor create flow table method to accept underlay QP') Signed-off-by: Mohamad Haj Yahia Signed-off-by: Saeed Mahameed drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 252d2a4117bc181b287eeddf848863788da733ae Author: Andy Lutomirski Date: Fri Jun 9 11:49:15 2017 -0700 sched/core: Idle_task_exit() shouldn't use switch_mm_irqs_off() idle_task_exit() can be called with IRQs on x86 on and therefore should use switch_mm(), not switch_mm_irqs_off(). This doesn't seem to cause any problems right now, but it will confuse my upcoming TLB flush changes. Nonetheless, I think it should be backported because it's trivial. There won't be any meaningful performance impact because idle_task_exit() is only used when offlining a CPU. 
Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: f98db6013c55 ("sched/core: Add switch_mm_irqs_off() and use it in the scheduler") Link: http://lkml.kernel.org/r/ca3d1a9fa93a0b49f5a8ff729eda3640fb6abdf9.1497034141.git.luto@kernel.org Signed-off-by: Ingo Molnar kernel/sched/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f67abed585efe251edda52dc9690020d6441890f Author: Marcin Nowakowski Date: Fri Jun 9 10:00:29 2017 +0200 sched/fair: Fix typo in printk message 'schedstats' kernel parameter should be set to enable/disable, so correct the printk hint saying that it should be set to 'enable' rather than 'enabled' to enable scheduler tracepoints. Signed-off-by: Marcin Nowakowski Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1496995229-31245-1-git-send-email-marcin.nowakowski@imgtec.com Signed-off-by: Ingo Molnar kernel/sched/fair.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9bc1f09f6fa76fdf31eb7d6a4a4df43574725f93 Author: Wanpeng Li Date: Thu Jun 8 20:13:40 2017 -0700 KVM: async_pf: avoid async pf injection when in guest mode INFO: task gnome-terminal-:1734 blocked for more than 120 seconds. Not tainted 4.12.0-rc4+ #8 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. gnome-terminal- D 0 1734 1015 0x00000000 Call Trace: __schedule+0x3cd/0xb30 schedule+0x40/0x90 kvm_async_pf_task_wait+0x1cc/0x270 ? __vfs_read+0x37/0x150 ? prepare_to_swait+0x22/0x70 do_async_page_fault+0x77/0xb0 ? do_async_page_fault+0x77/0xb0 async_page_fault+0x28/0x30 This is triggered by running both win7 and win2016 on L1 KVM simultaneously, and then gives stress to memory on L1, I can observe this hang on L1 when at least ~70% swap area is occupied on L0.
This is due to async pf was injected to L2 which should be injected to L1, L2 guest starts receiving pagefault w/ bogus %cr2(apf token from the host actually), and L1 guest starts accumulating tasks stuck in D state in kvm_async_pf_task_wait() since missing PAGE_READY async_pfs. This patch fixes the hang by doing async pf when executing L1 guest. Cc: Paolo Bonzini Cc: Radim Krčmář Cc: stable@vger.kernel.org Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini arch/x86/kvm/mmu.c | 7 +++++-- arch/x86/kvm/mmu.h | 1 + arch/x86/kvm/x86.c | 3 +-- 3 files changed, 7 insertions(+), 4 deletions(-) commit 4d801cca0bb7011699c2d29f0139902dcfb3482d Author: Guenter Roeck Date: Tue May 2 20:44:16 2017 -0700 hexagon: Use raw_copy_to_user Commit ac4691fac8ad ("hexagon: switch to RAW_COPY_USER") replaced __copy_to_user_hexagon() with raw_copy_to_user(), but did not catch all callers, resulting in the following build error. arch/hexagon/mm/uaccess.c: In function '__clear_user_hexagon': arch/hexagon/mm/uaccess.c:40:3: error: implicit declaration of function '__copy_to_user_hexagon' Fixes: ac4691fac8ad ("hexagon: switch to RAW_COPY_USER") Cc: Al Viro Acked-by: Al Viro Acked-by: Richard Kuo Signed-off-by: Guenter Roeck arch/hexagon/mm/uaccess.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit b87fa0fafef4b16495740432f4eb8262efa500d0 Merge: 343eba6 a704bb5 Author: David S. Miller Date: Sat Jun 10 18:22:56 2017 -0400 Merge branch 'mvpp2-fixes' Thomas Petazzoni says: ==================== net: mvpp2: driver fixes As requested, here is a series of patches containing only bug fixes for the mvpp2 driver. It is based on the latest "net" branch. Changes since v1: - Fixed a build breakage that occurred when only PATCH 1 was only, and not later patches in the series. Was reported by the kbuild report on the first submission. - Added Tested-by from Marc Zyngier on PATCH 2. ==================== Signed-off-by: David S. 
Miller commit a704bb5c052bbd6b77c6530a2e83cef42486e335 Author: Thomas Petazzoni Date: Sat Jun 10 23:18:22 2017 +0200 net: mvpp2: use {get, put}_cpu() instead of smp_processor_id() smp_processor_id() should not be used in migration-enabled contexts. We originally thought it was OK in the specific situation of this driver, but it was wrong, and calling smp_processor_id() in a migration-enabled context prints a big fat warning when CONFIG_DEBUG_PREEMPT=y. Therefore, this commit replaces the smp_processor_id() in migration-enabled contexts by the appropriate get_cpu/put_cpu sections. Reported-by: Marc Zyngier Fixes: a786841df72e ("net: mvpp2: handle register mapping and access for PPv2.2") Signed-off-by: Thomas Petazzoni Tested-by: Marc Zyngier Signed-off-by: David S. Miller drivers/net/ethernet/marvell/mvpp2.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) commit 56b8aae959499508090b2d2db6961ed905f38164 Author: Thomas Petazzoni Date: Sat Jun 10 23:18:21 2017 +0200 net: mvpp2: remove mvpp2_bm_cookie_{build,pool_get} This commit removes the useless mvpp2_bm_cookie_{build,pool_get} functions. All what mvpp2_bm_cookie_build() was doing is compute a 32-bit value by concatenating the pool number and the CPU number... only to get the pool number re-extracted by mvpp2_bm_cookie_pool_get() later on. Instead, just get the pool number directly from RX descriptor status, and pass it to mvpp2_pool_refill() and mvpp2_rx_refill(). This has the added benefit of dropping a smp_processor_id() call in a migration-enabled context, which is wrong, and is the original motivation for making this change. Fixes: 3f518509dedc9 ("ethernet: Add new driver for Marvell Armada 375 network unit") Signed-off-by: Thomas Petazzoni Signed-off-by: David S.
Miller drivers/net/ethernet/marvell/mvpp2.c | 47 +++++++++++------------------------- 1 file changed, 14 insertions(+), 33 deletions(-) commit 343eba69c6968190d8654b857aea952fed9a6749 Author: Jia-Ju Bai Date: Sat Jun 10 17:03:35 2017 +0800 net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse The kernel may sleep under a rcu read lock in tipc_msg_reverse, and the function call path is: tipc_l2_rcv_msg (acquire the lock by rcu_read_lock) tipc_rcv tipc_sk_rcv tipc_msg_reverse pskb_expand_head(GFP_KERNEL) --> may sleep tipc_node_broadcast tipc_node_xmit_skb tipc_node_xmit tipc_sk_rcv tipc_msg_reverse pskb_expand_head(GFP_KERNEL) --> may sleep To fix it, "GFP_KERNEL" is replaced with "GFP_ATOMIC". Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller net/tipc/msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f146e872eb12ebbe92d8e583b2637e0741440db3 Author: Jia-Ju Bai Date: Sat Jun 10 16:49:39 2017 +0800 net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx The kernel may sleep under a rcu read lock in cfpkt_create_pfx, and the function call path is: cfcnfg_linkup_rsp (acquire the lock by rcu_read_lock) cfctrl_linkdown_req cfpkt_create cfpkt_create_pfx alloc_skb(GFP_KERNEL) --> may sleep cfserl_receive (acquire the lock by rcu_read_lock) cfpkt_split cfpkt_create_pfx alloc_skb(GFP_KERNEL) --> may sleep There is "in_interrupt" in cfpkt_create_pfx to decide use "GFP_KERNEL" or "GFP_ATOMIC". In this situation, "GFP_KERNEL" is used because the function is called under a rcu read lock, instead in interrupt. To fix it, only "GFP_ATOMIC" is used in cfpkt_create_pfx. Signed-off-by: Jia-Ju Bai Signed-off-by: David S. Miller net/caif/cfpkt_skbuff.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) commit 5aa32f53ab93175442dffbd95a231d0798cab4d1 Author: David S. Miller Date: Sat Jun 10 16:44:28 2017 -0400 Revert "net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272" This reverts commit bf292f1b2c813f1d6ac49b04bd1a9863d8314266. 
It belongs in 'net-next' not 'net'. Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 4 ---- 1 file changed, 4 deletions(-) commit 581409dacc9176b0de1f6c4ca8d66e13aa8e1b29 Author: Xin Long Date: Sat Jun 10 14:48:14 2017 +0800 sctp: disable BH in sctp_for_each_endpoint Now sctp holds read_lock when foreach sctp_ep_hashtable without disabling BH. If CPU schedules to another thread A at this moment, the thread A may be trying to hold the write_lock with disabling BH. As BH is disabled and CPU cannot schedule back to the thread holding the read_lock, while the thread A keeps waiting for the read_lock. A dead lock would be triggered by this. This patch is to fix this dead lock by calling read_lock_bh instead to disable BH when holding the read_lock in sctp_for_each_endpoint. Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc") Reported-by: Xiumei Mu Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bf292f1b2c813f1d6ac49b04bd1a9863d8314266 Author: Fabio Estevam Date: Fri Jun 9 22:37:22 2017 -0300 net: fec: Add a fec_enet_clear_ethtool_stats() stub for CONFIG_M5272 Commit 2b30842b23b9 ("net: fec: Clear and enable MIB counters on imx51") introduced fec_enet_clear_ethtool_stats(), but missed to add a stub for the CONFIG_M5272=y case, causing build failure for the m5272c3_defconfig. Add the missing empty stub to fix the build failure. Reported-by: Paul Gortmaker Signed-off-by: Fabio Estevam Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 4 ++++ 1 file changed, 4 insertions(+) commit 9b3dc0a17d7388c4fb83736ca45253a93e994ce4 Author: Dominik Heidler Date: Fri Jun 9 16:29:47 2017 +0200 l2tp: cast l2tp traffic counter to unsigned This fixes a counter problem on 32bit systems: When the rx_bytes counter reached 2 GiB, it jumped to (2^64 Bytes - 2GiB) Bytes.
rtnl_link_stats64 has __u64 type and atomic_long_read returns atomic_long_t which is signed. Due to the conversion we get an incorrect value on 32bit systems if the MSB of the atomic_long_t value is set. CC: Tom Parkin Fixes: 7b7c0719cd7a ("l2tp: avoid deadlock in l2tp stats update") Signed-off-by: Dominik Heidler Signed-off-by: David S. Miller net/l2tp/l2tp_eth.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) commit d8dba51de5dfb55225b169653bbd7379ac0d0c63 Author: Philippe Reynes Date: Fri Jun 9 23:50:57 2017 +0200 net: aquantia: atlantic: remove declaration of hw_atl_utils_hw_set_power This function is not defined, so no need to declare it. As I don't have the hardware, I'd be very pleased if someone may test this patch. Signed-off-by: Philippe Reynes Signed-off-by: David S. Miller drivers/net/ethernet/aquantia/atlantic/hw_atl/hw_atl_utils.h | 3 --- 1 file changed, 3 deletions(-) commit d9a8d6a1023bb82ceadbd65f7cc54beb747fbfec Merge: f6d4c71 3523882 Author: David S. Miller Date: Sat Jun 10 16:02:56 2017 -0400 Merge branch 'bnx2x-Fix-malicious-VFs-indication' Yuval Mintz says: ==================== bnx2x: Fix malicious VFs indication It was discovered that for a VF there's a simple [yet uncommon] scenario which would cause device firmware to declare that VF as malicious - Add a vlan interface on top of a VF and disable txvlan offloading for that VF [causing VF to transmit packets where vlan is on payload]. Patch #1 corrects driver transmission to prevent this issue. Patch #2 is a by-product correcting PF behavior once a VF is declared malicious. ==================== Signed-off-by: David S. Miller commit 3523882229b903e967de05665b871dab87c5df0f Author: Mintz, Yuval Date: Fri Jun 9 17:17:02 2017 +0300 bnx2x: Don't post statistics to malicious VFs Once firmware indicates that a given VF is malicious and until that VF passes an FLR all bets are off - PF can't know anything is happening to the VF [since VF can't communicate anything to its PF].
But PF is currently still periodically asking device to collect statistics for the VF which might in turn fill logs by IOMMU blocking memory access done by the VF's PCI function [in the case VF has unmapped its buffers]. Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 13 ++++++++++++- drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.h | 1 + 2 files changed, 13 insertions(+), 1 deletion(-) commit 92f85f05caa51d844af6ea14ffbc7a786446a644 Author: Mintz, Yuval Date: Fri Jun 9 17:17:01 2017 +0300 bnx2x: Allow vfs to disable txvlan offload VF clients are configured as enforced, meaning firmware is validating the correctness of their ethertype/vid during transmission. Once txvlan is disabled, VF would start getting SKBs for transmission where vlan is on the payload - but it'll pass the packet's ethertype instead of the vid, leading to firmware declaring it as malicious. Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit 5faab9e0f03c4eef97886b45436015e107f79f5f Merge: 66cea28 67a7001 Author: Linus Torvalds Date: Sat Jun 10 11:09:23 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull UFS fixes from Al Viro: "This is just the obvious backport fodder; I'm pretty sure that there will be more - definitely so wrt performance and quite possibly correctness as well" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: ufs: we need to sync inode before freeing it excessive checks in ufs_write_failed() and ufs_evict_inode() ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() ufs: set correct ->s_maxsize ufs: restore maintaining ->i_blocks fix ufs_isblockset() ufs: restore proper tail allocation commit
66cea28a947739343ba3f804641de5cdf388cffa Merge: ac1a14a 70e7af2 Author: Linus Torvalds Date: Sat Jun 10 11:06:05 2017 -0700 Merge branch 'for-linus-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Some fixes that Dave Sterba collected. We've been hitting an early enospc problem on production machines that Omar tracked down to an old int->u64 mistake. I waited a bit on this pull to make sure it was really the problem from production, but it's on ~2100 hosts now and I think we're good. Omar also noticed a commit in the queue would make new early ENOSPC problems. I pulled that out for now, which is why the top three commits are younger than the rest. Otherwise these are all fixes, some explaining very old bugs that we've been poking at for a while" * 'for-linus-4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix delalloc accounting leak caused by u32 overflow Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io btrfs: tree-log.c: Wrong printk information about namelen btrfs: fix race with relocation recovery and fs_root setup btrfs: fix memory leak in update_space_info failure path btrfs: use correct types for page indices in btrfs_page_exists_in_range btrfs: fix incorrect error return ret being passed to mapping_set_error btrfs: Make flush bios explicitely sync btrfs: fiemap: Cache and merge fiemap extent before submit it to user commit ac1a14a239bb1a871dbd20daea4946aa5d289a1d Merge: 45b44f0 5b0bc9a Author: Linus Torvalds Date: Sat Jun 10 10:51:25 2017 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Misc fixes: a Geode fix plus a microcode loader fix" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/microcode/intel: Clear patch pointer before jettisoning the initrd x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC commit 
45b44f0f287d6d396b78466e13be1d1ea3d3097b Merge: 6b7ed45 40da1b1 Author: Linus Torvalds Date: Sat Jun 10 10:49:42 2017 -0700 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull CPU hotplug fix from Ingo Molnar: "An error handling corner case fix" * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu/hotplug: Drop the device lock on error commit 6b7ed4588ce681222534f901ce825d1ead31882a Merge: f701d86 8affb06 Author: Linus Torvalds Date: Sat Jun 10 10:22:35 2017 -0700 Merge branch 'rcu-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull RCU fixes from Ingo Molnar: "Fix an SRCU bug affecting KVM IRQ injection" * 'rcu-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: srcu: Allow use of Classic SRCU from both process and interrupt context srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context commit f701d860af381265639244fb84b07797fbb5efca Merge: 9376906 47c1ded Author: Linus Torvalds Date: Sat Jun 10 10:15:47 2017 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "This is mostly tooling fixes, plus an instruction pointer filtering fix. 
It's more fixes than usual - Arnaldo got back from a longer vacation and there was a backlog" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (27 commits) perf symbols: Kill dso__build_id_is_kmod() perf symbols: Keep DSO->symtab_type after decompress perf tests: Decompress kernel module before objdump perf tools: Consolidate error path in __open_dso() perf tools: Decompress kernel module when reading DSO data perf annotate: Use dso__decompress_kmodule_path() perf tools: Introduce dso__decompress_kmodule_{fd,path} perf tools: Fix a memory leak in __open_dso() perf annotate: Fix symbolic link of build-id cache perf/core: Drop kernel samples even though :u is specified perf script python: Remove dups in documentation examples perf script python: Updated trace_unhandled() signature perf script python: Fix wrong code snippets in documentation perf script: Fix documentation errors perf script: Fix outdated comment for perf-trace-python perf probe: Fix examples section of documentation perf report: Ensure the perf DSO mapping matches what libdw sees perf report: Include partial stacks unwound with libdw perf annotate: Add missing powerpc triplet perf test: Disable breakpoint signal tests for powerpc ... 
commit 9376906c17fa975bf6a7ea9dd124be697bcda289 Merge: 179145e 792ef14 Author: Linus Torvalds Date: Sat Jun 10 10:12:14 2017 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fix from Ingo Molnar: "A boot crash fix for certain systems where the kernel would trust a piece of firmware data it should not have" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efi: Fix boot panic because of invalid BGRT image address commit 67a70017fa0a152657bc7e337e69bb9c9f5549bf Author: Al Viro Date: Sat Jun 10 12:01:50 2017 -0400 ufs: we need to sync inode before freeing it Signed-off-by: Al Viro fs/ufs/inode.c | 1 + 1 file changed, 1 insertion(+) commit 179145e6312b1ccb1731841360d7fcaf2f4abc7a Merge: c7a1aef d3e01c5 Author: Linus Torvalds Date: Fri Jun 9 22:30:55 2017 -0700 Merge tag 'iommu-fixes-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU fixes from Joerg Roedel: - another compile-fix for my header cleanup - a couple of fixes for the recently merged IOMMU probe deferral code - fixes for ACPI/IORT code necessary with IOMMU probe deferral * tag 'iommu-fixes-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: arm: dma-mapping: Reset the device's dma_ops ACPI/IORT: Move the check to get iommu_ops from translated fwspec ARM: dma-mapping: Don't tear down third-party mappings ACPI/IORT: Ignore all errors except EPROBE_DEFER iommu/of: Ignore all errors except EPROBE_DEFER iommu/of: Fix check for returning EPROBE_DEFER iommu/dma: Fix function declaration commit c7a1aefc47cc17b754180a18f77f508f2f210d2c Merge: 2833b7e a0897d5 Author: Linus Torvalds Date: Fri Jun 9 22:28:33 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: - mark "guest" RMI device as pass-through port to avoid "phantom" ALPS touchpad on newer Lenovo Carbons - add two more laptops to the
Elantech's lists of devices using CRC mode * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: synaptics-rmi4 - register F03 port as pass-through serio Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled commit 2833b7e913327855c2c0c842c37ca1d90602139e Merge: 42211f6 a415c0f Author: Linus Torvalds Date: Fri Jun 9 22:24:23 2017 -0700 Merge tag 'md/4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD bugfix from Shaohua Li: "One bug fix from Neil Brown for MD. The bug was introduced in this cycle" * tag 'md/4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: md: initialise ->writes_pending in personality modules. commit 42211f6cb6d7c3a39fe9b2892a93e4c065149d5f Merge: 39e4edf 8f9bebc Author: Linus Torvalds Date: Fri Jun 9 22:18:41 2017 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A set of fixes in the area of block IO, that should go into the next -rc release. This contains: - An OOPS fix from Dmitry, fixing a regression with the bio integrity code in this series. - Fix truncation of elevator io context cache name, from Eric Biggers. - NVMe pull from Christoph includes FC fixes from James, APST fixes/tweaks from Kai-Heng, removal fix from Rakesh, and an RDMA fix from Sagi. - Two tweaks for the block throttling code. One from Joseph Qi, fixing an oops from the timer code, and one from Shaohua, improving the behavior on rotational storage. - Two blk-mq fixes from Ming, fixing corner cases with the direct issue code.
- Locking fix for bfq cgroups from Paolo" * 'for-linus' of git://git.kernel.dk/linux-block: block, bfq: access and cache blkg data only when safe Fix loop device flush before configure v3 blk-throttle: set default latency baseline for harddisk blk-throttle: fix NULL pointer dereference in throtl_schedule_pending_timer nvme: relax APST default max latency to 100ms nvme: only consider exit latency when choosing useful non-op power states nvme-fc: fix missing put reference on controller create failure nvme-fc: on lldd/transport io error, terminate association nvme-rdma: fast fail incoming requests while we reconnect nvme-pci: fix multiple ctrl removal scheduling nvme: fix hang in remove path elevator: fix truncation of icq_cache_name blk-mq: fix direct issue blk-mq: pass correct hctx to blk_mq_try_issue_directly bio-integrity: Do not allocate integrity context for bio w/o data commit 39e4edfdf5016bb28438093d030a0ef90ce2d30a Merge: 6107cc5 ba3021b Author: Linus Torvalds Date: Fri Jun 9 22:15:08 2017 -0700 Merge tag 'sound-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This update contains a slightly high amount of changes due to the pending ASoC fixes: - ALSA timer core got a couple of fixes for races between read and ioctl, leading to potential read of uninitialized kmalloced memory - ASoC core fixed the de-registration pattern for use-after-free bug - The rewrite of probe code in ASoC Intel Skylake for i915 component - ASoC R-snd got a series of fixes for SSI - ASoC simple-card, atmel, da7213, and rt286 trivial fixes - HD-audio ALC269 quirk and rearrangement of quirk table" * tag 'sound-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT ALSA: timer: Fix race between read and ioctl ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD ASoC: rsnd:
fixup parent_clk_name of AUDIO_CLKOUTx ASoC: Intel: Skylake: Fix to parse consecutive string tkns in manifest ASoC: Intel: Skylake: Fix IPC rx_list corruption ASoC: rsnd: SSI PIO adjust to 24bit mode MAINTAINERS: Update email address for patches to Wolfson parts ASoC: Fix use-after-free at card unregistration ASoC: simple-card: fix mic jack initialization ASoC: rsnd: don't call free_irq() on Parent SSI ASoC: atmel-classd: sync regcache when resuming ASoC: rsnd: don't use PDTA bit for 24bit on SSI ASoC: da7213: Fix incorrect usage of bitwise '&' operator for SRM check rt286: add Thinkpad Helix 2 to force_combo_jack_table ASoC: Intel: Skylake: Move i915 registration to worker thread commit 6107cc58f33c0581d4bbd847ed9145b76e61d57c Merge: eb4125d 6e88007 Author: Linus Torvalds Date: Fri Jun 9 22:12:06 2017 -0700 Merge tag 'drm-fixes-for-v4.12-rc5' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Intel, nouveau, rockchip, vmwgfx, imx, meson, mediatek and core fixes. Bit more spread out fixes this time, fixes for 7 drivers + a couple of core fixes. i915 and vmwgfx are the main ones. The vmwgfx ones fix a bunch of regressions in their atomic rework, and a few fixes destined for stable. i915 has some 4.12 regressions and older things that need to be fixed in stable as well. nouveau also has some runtime pm fixes and a timer list handling fix, otherwise a couple of core and small driver regression fixes" * tag 'drm-fixes-for-v4.12-rc5' of git://people.freedesktop.org/~airlied/linux: (37 commits) drm/i915: fix warning for unused variable drm/meson: Fix driver bind when only CVBS is available drm/i915: Fix 90/270 rotated coordinates for FBC drm/i915: Restore has_fbc=1 for ILK-M drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail drm/i915: Fix logical inversion for gen4 quirking drm/i915: Guard against i915_ggtt_disable_guc() being invoked unconditionally drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2. 
drm/i915: Prevent the system suspend complete optimization drm/i915/psr: disable psr2 for resolution greater than 32X20 drm/i915: Hold a wakeref for probing the ring registers drm/i915: Short-circuit i915_gem_wait_for_idle() if already idle drm/i915: Disable decoupled MMIO drm/i915/guc: Remove stale comment for q_fail drm/vmwgfx: Bump driver minor and date drm/vmwgfx: Remove unused legacy cursor functions drm/vmwgfx: fix spelling mistake "exeeds" -> "exceeds" drm/vmwgfx: Fix large topology crash drm/vmwgfx: Make sure to update STDU when FB is updated drm/vmwgfx: Make sure backup_handle is always valid ... commit babef37dccbaa49249a22bae9150686815d7be71 Author: Al Viro Date: Fri Jun 9 16:20:34 2017 -0400 excessive checks in ufs_write_failed() and ufs_evict_inode() As it is, short copy in write() to append-only file will fail to truncate the excessive allocated blocks. As the matter of fact, all checks in ufs_truncate_blocks() are either redundant or wrong for that caller. As for the only other caller (ufs_evict_inode()), we only need the file type checks there. Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/inode.c | 18 +++++------------- 1 file changed, 5 insertions(+), 13 deletions(-) commit 006351ac8ead0d4a67dd3845e3ceffe650a23212 Author: Al Viro Date: Thu Jun 8 23:28:53 2017 -0400 ufs_getfrag_block(): we only grab ->truncate_mutex on block creation path Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 940ef1a0ed939c2ca029fca715e25e7778ce1e34 Author: Al Viro Date: Thu Jun 8 23:27:12 2017 -0400 ufs_extend_tail(): fix the braino in calling conventions of ufs_new_fragments() ... 
and it really needs splitting into "new" and "extend" cases, but that's for later Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 6b0d144fa758869bdd652c50aa41aaf601232550 Author: Al Viro Date: Thu Jun 8 21:15:45 2017 -0400 ufs: set correct ->s_maxsize Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/super.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) commit eb315d2ae614493fd1ebb026c75a80573d84f7ad Author: Al Viro Date: Thu Jun 8 21:15:03 2017 -0400 ufs: restore maintaining ->i_blocks Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/stat.c | 1 + fs/ufs/balloc.c | 26 +++++++++++++++++++++++++- 2 files changed, 26 insertions(+), 1 deletion(-) commit 414cf7186dbec29bd946c138d6b5c09da5955a08 Author: Al Viro Date: Thu Jun 8 18:15:18 2017 -0400 fix ufs_isblockset() Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/util.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 8785d84d002c2ce0f68fbcd6c2c86be859802c7e Author: Al Viro Date: Thu Jun 8 02:42:03 2017 -0400 ufs: restore proper tail allocation Cc: stable@vger.kernel.org Signed-off-by: Al Viro fs/ufs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 70e7af244f24c94604ef6eca32ad297632018583 Author: Omar Sandoval Date: Fri Jun 2 01:20:01 2017 -0700 Btrfs: fix delalloc accounting leak caused by u32 overflow btrfs_calc_trans_metadata_size() does an unsigned 32-bit multiplication, which can overflow if num_items >= 4 GB / (nodesize * BTRFS_MAX_LEVEL * 2). For a nodesize of 16kB, this overflow happens at 16k items. Usually, num_items is a small constant passed to btrfs_start_transaction(), but we also use btrfs_calc_trans_metadata_size() for metadata reservations for extent items in btrfs_delalloc_{reserve,release}_metadata(). In drop_outstanding_extents(), num_items is calculated as inode->reserved_extents - inode->outstanding_extents. 
The difference between these two counters is usually small, but if many delalloc extents are reserved and then the outstanding extents are merged in btrfs_merge_extent_hook(), the difference can become large enough to overflow in btrfs_calc_trans_metadata_size(). The overflow manifests itself as a leak of a multiple of 4 GB in delalloc_block_rsv and the metadata bytes_may_use counter. This in turn can cause early ENOSPC errors. Additionally, these WARN_ONs in extent-tree.c will be hit when unmounting: WARN_ON(fs_info->delalloc_block_rsv.size > 0); WARN_ON(fs_info->delalloc_block_rsv.reserved > 0); WARN_ON(space_info->bytes_pinned > 0 || space_info->bytes_reserved > 0 || space_info->bytes_may_use > 0); Fix it by casting nodesize to a u64 so that btrfs_calc_trans_metadata_size() does a full 64-bit multiplication. While we're here, do the same in btrfs_calc_trunc_metadata_size(); this can't overflow with any existing uses, but it's better to be safe here than have another hard-to-debug problem later on. Cc: stable@vger.kernel.org Signed-off-by: Omar Sandoval Reviewed-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/ctree.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 452e62b71fbbefe2646fad3a968371a026936c6d Author: Liu Bo Date: Fri May 26 17:44:23 2017 -0600 Btrfs: clear EXTENT_DEFRAG bits in finish_ordered_io Before this, we use 'filled' mode here, ie. if all range has been filled with EXTENT_DEFRAG bits, get to clear it, but if the defrag range joins the adjacent delalloc range, then we'll have EXTENT_DEFRAG bits in extent_state until releasing this inode's pages, and that prevents extent_data from being freed. This clears the bit if any was found within the ordered extent. 
Signed-off-by: Liu Bo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/inode.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 286b92f43c0d0ae2c29a61769b66219fe5ae6701 Author: Su Yue Date: Wed May 24 09:31:32 2017 +0800 btrfs: tree-log.c: Wrong printk information about namelen In verify_dir_item, it wants to printk name_len of dir_item but printk data_len actually. Fix it by calling btrfs_dir_name_len instead of btrfs_dir_data_len. Signed-off-by: Su Yue Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Chris Mason fs/btrfs/dir-item.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f6d4c7133257bb2d6f66723d11b19f1c49cdf2f7 Merge: c7a61cb 97edec3 Author: David S. Miller Date: Fri Jun 9 15:41:57 2017 -0400 Merge tag 'linux-can-fixes-for-4.12-20170609' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2017-06-09 this is a pull request of 6 patches for net/master. There's a patch by Stephane Grosjean that fixes an uninitialized symbol warning in the peak_canfd driver. A patch by Johan Hovold to fix the product-id endianness in an error message in the peak_usb driver. A patch by Oliver Hartkopp to enable CAN FD for virtual CAN devices by default. Three patches by me, one makes the helper function can_change_state() robust to be called with cf == NULL. The next patch fixes a memory leak in the gs_usb driver. And the last one fixes a lockdep splat by properly initializing the per-net can_rcvlists_lock spin_lock. ==================== Signed-off-by: David S. 
Miller commit c7a61cba71fd151cc7d9ebe53a090e0e61eeebf3 Author: Johannes Berg Date: Fri Jun 9 21:33:09 2017 +0200 mac80211: free netdev on dev_alloc_name() error The change to remove free_netdev() from ieee80211_if_free() erroneously didn't add the necessary free_netdev() for when ieee80211_if_free() is called directly in one place, rather than as the priv_destructor. Add the missing call. Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.") Signed-off-by: Johannes Berg Signed-off-by: David S. Miller net/mac80211/iface.c | 1 + 1 file changed, 1 insertion(+) commit 773fc8f6e8d63ec9d840588e161cbb73a01cfc45 Author: ashwanth@codeaurora.org Date: Fri Jun 9 14:24:58 2017 +0530 net: rps: send out pending IPI's on CPU hotplug IPI's from the victim cpu are not handled in dev_cpu_callback. So these pending IPI's would be sent to the remote cpu only when NET_RX is scheduled on the victim cpu and since this trigger is unpredictable it would result in packet latencies on the remote cpu. This patch adds support to send the pending ipi's of victim cpu. Signed-off-by: Ashwanth Goli Signed-off-by: David S. 
Miller net/core/dev.c | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) commit eb4125dfdb1f64a5e41da8315bff48f67e5d1712 Merge: a92f63c 753c09b Author: Linus Torvalds Date: Fri Jun 9 09:59:51 2017 -0700 Merge tag 'for-linus-4.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "A fix for Xen on ARM when dealing with 64kB page size of a guest" * tag 'for-linus-4.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/privcmd: Support correctly 64KB page granularity when mapping memory commit a0897d5f2c2d884d20840c82aea517e8a7801441 Author: Dmitry Torokhov Date: Tue Jun 6 13:05:03 2017 -0700 Input: synaptics-rmi4 - register F03 port as pass-through serio The 5th generation Thinkpad X1 Carbons use Synaptics touchpads accessible over SMBus/RMI, combined with ALPS or Elantech trackpoint devices instead of classic IBM/Lenovo trackpoints. Unfortunately there is no way for ALPS driver to detect whether it is dealing with touchpad + trackpoint combination or just a trackpoint, so we end up with a "phantom" dualpoint ALPS device in addition to real touchpad and trackpoint. Given that we do not have any special advanced handling for ALPS or Elantech trackpoints (unlike IBM trackpoints that have separate driver and a host of options) we are better off keeping the trackpoints in PS/2 emulation mode. We achieve that by setting serio type to SERIO_PS_PSTHRU, which will limit number of protocols psmouse driver will try. In addition to getting rid of the "phantom" touchpads, this will also speed up probing of F03 pass-through port. 
Reported-by: Damjan Georgievski Suggested-by: Benjamin Tissoires Acked-by: Benjamin Tissoires Signed-off-by: Dmitry Torokhov drivers/input/rmi4/rmi_f03.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a92f63cd13776e35d3ccb63187d1d95ab16f24a5 Merge: 788a73f c6ee9619 Author: Linus Torvalds Date: Fri Jun 9 09:44:46 2017 -0700 Merge tag 'powerpc-4.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Mostly fairly minor, of note are: - Fix percpu allocations to be NUMA aware - Limit 4k page size config to 64TB virtual address space - Avoid needlessly restoring FP and vector registers Thanks to Aneesh Kumar K.V, Breno Leitao, Christophe Leroy, Frederic Barrat, Madhavan Srinivasan, Michael Bringmann, Nicholas Piggin, Vaibhav Jain" * tag 'powerpc-4.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/book3s64: Move PPC_DT_CPU_FTRs and enable it by default powerpc/mm/4k: Limit 4k page size config to 64TB virtual address space cxl: Fix error path on bad ioctl powerpc/perf: Fix Power9 test_adder fields powerpc/numa: Fix percpu allocations to be NUMA aware cxl: Avoid double free_irq() for psl,slice interrupts powerpc/kernel: Initialize load_tm on task creation powerpc/kernel: Fix FP and vector register restoration powerpc/64: Reclaim CPU_FTR_SUBCORE powerpc/hotplug-mem: Fix missing endian conversion of aa_index powerpc/sysdev/simple_gpio: Fix oops in gpio save_regs function powerpc/spufs: Fix coredump of SPU contexts powerpc/64s: Add dt_cpu_ftrs boot time setup option commit 788a73f4e5c8f606a500a6c3fa35c6d9b2cd9979 Merge: 0d22df9 151d1d7 Author: Linus Torvalds Date: Fri Jun 9 09:40:08 2017 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "Been sitting on these for a couple of weeks waiting on some larger batches to come in but it's been pretty quiet. 
Just your garden variety fixes here: - A few maintainers updates (ep93xx, Exynos, TI, Marvell) - Some PM fixes for Atmel/at91 and Marvell - A few DT fixes for Marvell, Versatile, TI Keystone, bcm283x - A reset driver patch to set module license for symbol access" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: MAINTAINERS: EP93XX: Update maintainership MAINTAINERS: remove kernel@stlinux.com obsolete mailing list ARM: dts: versatile: use #include "..." to include local DT MAINTAINERS: add device-tree files to TI DaVinci entry ARM: at91: select CONFIG_ARM_CPU_SUSPEND ARM: dts: keystone-k2l: fix broken Ethernet due to disabled OSR arm64: defconfig: enable some core options for 64bit Rockchip socs arm64: marvell: dts: fix interrupts in 7k/8k crypto nodes reset: hi6220: Set module license so that it can be loaded MAINTAINERS: add irqchip related drivers to Marvell EBU maintainers MAINTAINERS: sort F entries for Marvell EBU maintainers ARM: davinci: PM: Do not free useful resources in normal path in 'davinci_pm_init' ARM: davinci: PM: Free resources in error handling path in 'davinci_pm_init' ARM: dts: bcm283x: Reserve first page for firmware memory: atmel-ebi: mark PM ops as __maybe_unused MAINTAINERS: Remove Javier Martinez Canillas as reviewer for Exynos commit 33d4c4821323729b463e45d0b2d32f6a87dcba5b Author: Mario Molitor Date: Thu Jun 8 23:03:09 2017 +0200 stmmac: fix for hw timestamp of GMAC3 unit 1.) Bugfix of function stmmac_get_tx_hwtstamp. Corrected the tx timestamp available check (same as 4.8 and older) Change printout from info syslevel to debug. 2.) Bugfix of function stmmac_get_rx_hwtstamp. Corrected the rx timestamp available check (same as 4.8 and older) Change printout from info syslevel to debug. Fixes: ba1ffd74df74 ("stmmac: fix PTP support for GMAC4") Signed-off-by: Mario Molitor Signed-off-by: David S. 
Miller drivers/net/ethernet/stmicro/stmmac/dwmac4_descs.c | 11 +++++++---- drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 10 +++++----- 2 files changed, 12 insertions(+), 9 deletions(-) commit fd6720aefde06eacf17404eed2cad65c6ec103e1 Author: Mario Molitor Date: Thu Jun 8 22:41:02 2017 +0200 stmmac: fix ptp header for GMAC3 hw timestamp According to the CYCLON V documentation only the bit 16 of snaptypesel should be set. (more information see Table 17-20 (cv_5v4.pdf) : Timestamp Snapshot Dependency on Register Bits) Fixes: d2042052a0aa ("stmmac: update the PTP header file") Signed-off-by: Mario Molitor Signed-off-by: David S. Miller drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 15 ++++++++++++--- drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 3 ++- 2 files changed, 14 insertions(+), 4 deletions(-) commit ff85a1a80e00349dc7783c8dc4d6233d9a709283 Author: Borislav Petkov Date: Sun May 21 11:44:47 2017 +0200 kconfig: Check for libncurses before menuconfig There is a check and a nice user-friendly message when the curses library is not present on the system and the user wants to do "make menuconfig". It doesn't get issued, though. Instead, we fail the build when mconf.c doesn't find the curses.h header: HOSTCC scripts/kconfig/mconf.o In file included from scripts/kconfig/mconf.c:23:0: scripts/kconfig/lxdialog/dialog.h:38:20: fatal error: curses.h: No such file or directory #include CURSES_LOC ^ compilation terminated. Make that check a prerequisite to mconf so that the user sees the error message instead: $ make menuconfig *** Unable to find the ncurses libraries or the *** required header files. *** 'make menuconfig' requires the ncurses libraries. *** *** Install ncurses (ncurses-devel) and try again. 
*** scripts/kconfig/Makefile:203: recipe for target 'scripts/kconfig/dochecklxdialog' failed make[1]: *** [scripts/kconfig/dochecklxdialog] Error 1 Makefile:548: recipe for target 'menuconfig' failed make: *** [menuconfig] Error 2 Signed-off-by: Borislav Petkov Signed-off-by: Masahiro Yamada scripts/kconfig/Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f186ce61bb8235d80068c390dc2aad7ca427a4c2 Author: Krister Johansen Date: Thu Jun 8 13:12:38 2017 -0700 Fix an intermittent pr_emerg warning about lo becoming free. It looks like this: Message from syslogd@flamingo at Apr 26 00:45:00 ... kernel:unregister_netdevice: waiting for lo to become free. Usage count = 4 They seem to coincide with net namespace teardown. The message is emitted by netdev_wait_allrefs(). Forced a kdump in netdev_run_todo, but found that the refcount on the lo device was already 0 at the time we got to the panic. Used bcc to check the blocking in netdev_run_todo. The only places where we're off cpu there are in the rcu_barrier() and msleep() calls. That behavior is expected. The msleep time coincides with the amount of time we spend waiting for the refcount to reach zero; the rcu_barrier() wait times are not excessive. After looking through the list of callbacks that the netdevice notifiers invoke in this path, it appears that the dst_dev_event is the most interesting. The dst_ifdown path places a hold on the loopback_dev as part of releasing the dev associated with the original dst cache entry. Most of our notifier callbacks are straight-forward, but this one a) looks complex, and b) places a hold on the network interface in question. I constructed a new bcc script that watches various events in the lifetime of a dst cache entry. Note that dst_ifdown will take a hold on the loopback device until the invalidated dst entry gets freed. 
[ __dst_free] on DST: ffff883ccabb7900 IF tap1008300eth0 invoked at 1282115677036183 __dst_free rcu_nocb_kthread kthread ret_from_fork Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/core/dst.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit b9d39d17e4819ca2e69ad1f14acaad12240a1de5 Author: Dan Williams Date: Fri Jun 9 08:50:49 2017 -0700 device-dax: fix 'dax' device filesystem inode destruction crash The inode destruction path for the 'dax' device filesystem incorrectly assumes that the inode was initialized through 'alloc_dax()'. However, if someone attempts to directly mount the dax filesystem with 'mount -t dax dax mnt' that will bypass 'alloc_dax()' and the following failure signatures may occur as a result: kill_dax() must be called before final iput() WARNING: CPU: 2 PID: 1188 at drivers/dax/super.c:243 dax_destroy_inode+0x48/0x50 RIP: 0010:dax_destroy_inode+0x48/0x50 Call Trace: destroy_inode+0x3b/0x60 evict+0x139/0x1c0 iput+0x1f9/0x2d0 dentry_unlink_inode+0xc3/0x160 __dentry_kill+0xcf/0x180 ? dput+0x37/0x3b0 dput+0x3a3/0x3b0 do_one_tree+0x36/0x40 shrink_dcache_for_umount+0x2d/0x90 generic_shutdown_super+0x1f/0x120 kill_anon_super+0x12/0x20 deactivate_locked_super+0x43/0x70 deactivate_super+0x4e/0x60 general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC RIP: 0010:kfree+0x6d/0x290 Call Trace: dax_i_callback+0x22/0x60 ? dax_destroy_inode+0x50/0x50 rcu_process_callbacks+0x298/0x740 ida_remove called for id=0 which is not allocated. WARNING: CPU: 0 PID: 0 at lib/idr.c:383 ida_remove+0x110/0x120 [..] Call Trace: ida_simple_remove+0x2b/0x50 ? dax_destroy_inode+0x50/0x50 dax_i_callback+0x3c/0x60 rcu_process_callbacks+0x298/0x740 Add missing initialization of the 'struct dax_device' and inode so that the destruction path does not kfree() or ida_simple_remove() uninitialized data. 
Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Reported-by: Sasha Levin Signed-off-by: Dan Williams drivers/dax/super.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit defbcf2decc903a28d8398aa477b6881e711e3ea Author: Mateusz Jurczyk Date: Thu Jun 8 11:13:36 2017 +0200 af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers Verify that the caller-provided sockaddr structure is large enough to contain the sa_family field, before accessing it in bind() and connect() handlers of the AF_UNIX socket. Since neither syscall enforces a minimum size of the corresponding memory region, very short sockaddrs (zero or one byte long) result in operating on uninitialized memory while referencing .sa_family. Signed-off-by: Mateusz Jurczyk Signed-off-by: David S. Miller net/unix/af_unix.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit fc5b775da468e359154795afeb27be79b509b76d Author: Joe Perches Date: Fri Jun 9 15:45:32 2017 +0200 net: phy: add missing SPEED_14000 Fixes: 0d7e2d2166f6 ("IB/ipoib: add get_link_ksettings in ethtool") Signed-off-by: Joe Perches Signed-off-by: Nicolas Dichtel Signed-off-by: David S. 
Miller drivers/net/phy/phy.c | 2 ++ 1 file changed, 2 insertions(+) commit f50b878fed33e360d01dcdc31a8eeb1815d033d5 Author: Alan Stern Date: Thu Jun 8 13:55:59 2017 -0400 USB: gadget: fix GPF in gadgetfs A NULL-pointer dereference bug in gadgetfs was uncovered by syzkaller: > kasan: GPF could be caused by NULL-ptr deref or user memory access > general protection fault: 0000 [#1] SMP KASAN > Dumping ftrace buffer: > (ftrace buffer empty) > Modules linked in: > CPU: 2 PID: 4820 Comm: syz-executor0 Not tainted 4.12.0-rc4+ #5 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > task: ffff880039542dc0 task.stack: ffff88003bdd0000 > RIP: 0010:__list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51 > RSP: 0018:ffff88003bdd6e50 EFLAGS: 00010246 > RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000010000 > RDX: 0000000000000000 RSI: ffffffff86504948 RDI: ffffffff86504950 > RBP: ffff88003bdd6e68 R08: ffff880039542dc0 R09: ffffffff8778ce00 > R10: ffff88003bdd6e68 R11: dffffc0000000000 R12: 0000000000000000 > R13: dffffc0000000000 R14: 1ffff100077badd2 R15: ffffffff864d2e40 > FS: 0000000000000000(0000) GS:ffff88006dc00000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 > CR2: 000000002014aff9 CR3: 0000000006022000 CR4: 00000000000006e0 > Call Trace: > __list_del_entry include/linux/list.h:116 [inline] > list_del include/linux/list.h:124 [inline] > usb_gadget_unregister_driver+0x166/0x4c0 drivers/usb/gadget/udc/core.c:1387 > dev_release+0x80/0x160 drivers/usb/gadget/legacy/inode.c:1187 > __fput+0x332/0x7f0 fs/file_table.c:209 > ____fput+0x15/0x20 fs/file_table.c:245 > task_work_run+0x19b/0x270 kernel/task_work.c:116 > exit_task_work include/linux/task_work.h:21 [inline] > do_exit+0x18a3/0x2820 kernel/exit.c:878 > do_group_exit+0x149/0x420 kernel/exit.c:982 > get_signal+0x77f/0x1780 kernel/signal.c:2318 > do_signal+0xd2/0x2130 arch/x86/kernel/signal.c:808 > exit_to_usermode_loop+0x1a7/0x240 
arch/x86/entry/common.c:157 > prepare_exit_to_usermode arch/x86/entry/common.c:194 [inline] > syscall_return_slowpath+0x3ba/0x410 arch/x86/entry/common.c:263 > entry_SYSCALL_64_fastpath+0xbc/0xbe > RIP: 0033:0x4461f9 > RSP: 002b:00007fdac2b1ecf8 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca > RAX: fffffffffffffe00 RBX: 00000000007080c8 RCX: 00000000004461f9 > RDX: 0000000000000000 RSI: 0000000000000000 RDI: 00000000007080c8 > RBP: 00000000007080a8 R08: 0000000000000000 R09: 0000000000000000 > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 > R13: 0000000000000000 R14: 00007fdac2b1f9c0 R15: 00007fdac2b1f700 > Code: 00 00 00 00 ad de 49 39 c4 74 6a 48 b8 00 02 00 00 00 00 ad de > 48 89 da 48 39 c3 74 74 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df <80> > 3c 02 00 0f 85 92 00 00 00 48 8b 13 48 39 f2 75 66 49 8d 7c > RIP: __list_del_entry_valid+0x7e/0x170 lib/list_debug.c:51 RSP: ffff88003bdd6e50 > ---[ end trace 30e94b1eec4831c8 ]--- > Kernel panic - not syncing: Fatal exception The bug was caused by dev_release() failing to turn off its gadget_registered flag after unregistering the gadget driver. As a result, when a later user closed the device file before writing a valid set of descriptors, dev_release() thought the gadget had been registered and tried to unregister it, even though it had not been. This led to the NULL pointer dereference. The fix is simple: turn off the flag when the gadget is unregistered. 
Signed-off-by: Alan Stern Reported-and-tested-by: Andrey Konovalov CC: Signed-off-by: Felipe Balbi drivers/usb/gadget/legacy/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 792ef14df5c585c19b2831673a077504a09e5203 Author: Dave Young Date: Fri Jun 9 08:45:58 2017 +0000 efi: Fix boot panic because of invalid BGRT image address Maniaxx reported a kernel boot crash in the EFI code, which I emulated by using same invalid phys addr in code: BUG: unable to handle kernel paging request at ffffffffff280001 IP: efi_bgrt_init+0xfb/0x153 ... Call Trace: ? bgrt_init+0xbc/0xbc acpi_parse_bgrt+0xe/0x12 acpi_table_parse+0x89/0xb8 acpi_boot_init+0x445/0x4e2 ? acpi_parse_x2apic+0x79/0x79 ? dmi_ignore_irq0_timer_override+0x33/0x33 setup_arch+0xb63/0xc82 ? early_idt_handler_array+0x120/0x120 start_kernel+0xb7/0x443 ? early_idt_handler_array+0x120/0x120 x86_64_start_reservations+0x29/0x2b x86_64_start_kernel+0x154/0x177 secondary_startup_64+0x9f/0x9f There is also a similar bug filed in bugzilla.kernel.org: https://bugzilla.kernel.org/show_bug.cgi?id=195633 The crash is caused by this commit: 7b0a911478c7 efi/x86: Move the EFI BGRT init code to early init code The root cause is the firmware on those machines provides invalid BGRT image addresses. In a kernel before above commit BGRT initializes late and uses ioremap() to map the image address. Ioremap validates the address, if it is not a valid physical address ioremap() just fails and returns. However in current kernel EFI BGRT initializes early and uses early_memremap() which does not validate the image address, and kernel panic happens. According to ACPI spec the BGRT image address should fall into EFI_BOOT_SERVICES_DATA, see the section 5.2.22.4 of below document: http://www.uefi.org/sites/default/files/resources/ACPI_6_1.pdf Fix this issue by validating the image address in efi_bgrt_init(). If the image address does not fall into any EFI_BOOT_SERVICES_DATA areas we just bail out with a warning message. 
Reported-by: Maniaxx Signed-off-by: Dave Young Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Matt Fleming Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Fixes: 7b0a911478c7 ("efi/x86: Move the EFI BGRT init code to early init code") Link: http://lkml.kernel.org/r/20170609084558.26766-2-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar drivers/firmware/efi/efi-bgrt.c | 26 +++++++++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) commit 97edec3a11cf6f73f2e45c3035b5ff8e4c3543dd Author: Oliver Hartkopp Date: Fri Jun 2 19:37:30 2017 +0200 can: enable CAN FD for virtual CAN devices by default CAN FD capable CAN interfaces can handle (classic) CAN 2.0 frames too. New users usually fail at their first attempt to explore CAN FD on virtual CAN interfaces due to the current CAN_MTU default. Set the MTU to CANFD_MTU by default to reduce this confusion. If someone *really* needs a 'classic CAN'-only device this can be set with the 'ip' tool with e.g. 'ip link set vcan0 mtu 16' as before. Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde drivers/net/can/vcan.c | 2 +- drivers/net/can/vxcan.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 74b7b490886852582d986a33443c2ffa50970169 Author: Marc Kleine-Budde Date: Tue Jun 6 13:53:16 2017 +0200 can: af_can: namespace support: fix lockdep splat: properly initialize spin_lock This patch uses spin_lock_init() instead of __SPIN_LOCK_UNLOCKED() to initialize the per namespace net->can.can_rcvlists_lock lock to fix this lockdep warning: | INFO: trying to register non-static key. | the code is fine but needs lockdep annotation. | turning off the locking correctness validator. 
| CPU: 0 PID: 186 Comm: candump Not tainted 4.12.0-rc3+ #47 | Hardware name: Marvell Kirkwood (Flattened Device Tree) | [] (unwind_backtrace) from [] (show_stack+0x18/0x1c) | [] (show_stack) from [] (register_lock_class+0x1e4/0x55c) | [] (register_lock_class) from [] (__lock_acquire+0x148/0x1990) | [] (__lock_acquire) from [] (lock_acquire+0x174/0x210) | [] (lock_acquire) from [] (_raw_spin_lock+0x50/0x88) | [] (_raw_spin_lock) from [] (can_rx_register+0x94/0x15c [can]) | [] (can_rx_register [can]) from [] (raw_enable_filters+0x60/0xc0 [can_raw]) | [] (raw_enable_filters [can_raw]) from [] (raw_enable_allfilters+0x2c/0xa0 [can_raw]) | [] (raw_enable_allfilters [can_raw]) from [] (raw_bind+0xb0/0x250 [can_raw]) | [] (raw_bind [can_raw]) from [] (SyS_bind+0x70/0xac) | [] (SyS_bind) from [] (ret_fast_syscall+0x0/0x1c) Cc: Mario Kicherer Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde net/can/af_can.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 5cda3ee5138e91ac369ed9d0b55eab0dab077686 Author: Marc Kleine-Budde Date: Sun Jun 4 14:03:42 2017 +0200 can: gs_usb: fix memory leak in gs_cmd_reset() This patch adds the missing kfree() in gs_cmd_reset() to free the memory that is not used anymore after usb_control_msg(). Cc: linux-stable Cc: Maximilian Schneider Signed-off-by: Marc Kleine-Budde drivers/net/can/usb/gs_usb.c | 2 ++ 1 file changed, 2 insertions(+) commit dadcd398b3f059a0aa9de1cac8030a1d5a3791a5 Author: Johan Hovold Date: Fri May 12 12:09:25 2017 +0200 can: peak_usb: fix product-id endianness in error message Make sure to use the USB device product-id stored in host-byte order in a probe error message. Also remove a redundant reassignment of the local usb_dev variable which had already been used to retrieve the product id. 
Signed-off-by: Johan Hovold Signed-off-by: Marc Kleine-Budde drivers/net/can/usb/peak_usb/pcan_usb_core.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit f2a918b40cea994f9524ace67fd05ef42a8d9e5b Author: Stephane Grosjean Date: Wed May 3 10:35:04 2017 +0200 can: peak_canfd: fix uninitialized symbol warnings This patch fixes two uninitialized symbol warnings in the new code adding support of the PEAK-System PCAN-PCI Express FD boards, in the socket-CAN network protocol family. Signed-off-by: Stephane Grosjean Reported-by: Dan Carpenter Signed-off-by: Marc Kleine-Budde drivers/net/can/peak_canfd/peak_canfd.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ff3416fb5b02cfae94591ef4395b0b4dc793f25e Author: Marc Kleine-Budde Date: Thu May 18 10:22:22 2017 +0200 can: dev: make can_change_state() robust to be called with cf == NULL In OOM situations where no skb can be allocated, can_change_state() may be called with cf == NULL. As this function updates the state and error statistics it's not an option to skip the call to can_change_state() in OOM situations. This patch makes can_change_state() robust, so that it can be called with cf == NULL. Signed-off-by: Marc Kleine-Budde drivers/net/can/dev.c | 3 +++ 1 file changed, 3 insertions(+) commit ed45509b550488f6a71a4b6cc5b12265e8c1f85d Author: Vaibhav Jain Date: Fri Jun 2 22:26:48 2017 +0530 cxl: Avoid double free_irq() for psl,slice interrupts During an eeh call to cxl_remove can result in double free_irq of psl,slice interrupts. This can happen if perst_reloads_same_image == 1 and call to cxl_configure_adapter() fails during slot_reset callback. 
In such a case we see a kernel oops with following back-trace: Oops: Kernel access of bad area, sig: 11 [#1] Call Trace: free_irq+0x88/0xd0 (unreliable) cxl_unmap_irq+0x20/0x40 [cxl] cxl_native_release_psl_irq+0x78/0xd8 [cxl] pci_deconfigure_afu+0xac/0x110 [cxl] cxl_remove+0x104/0x210 [cxl] pci_device_remove+0x6c/0x110 device_release_driver_internal+0x204/0x2e0 pci_stop_bus_device+0xa0/0xd0 pci_stop_and_remove_bus_device+0x28/0x40 pci_hp_remove_devices+0xb0/0x150 pci_hp_remove_devices+0x68/0x150 eeh_handle_normal_event+0x140/0x580 eeh_handle_event+0x174/0x360 eeh_event_handler+0x1e8/0x1f0 This patch fixes the issue of double free_irq by checking that variables that hold the virqs (err_hwirq, serr_hwirq, psl_virq) are not '0' before un-mapping and resetting these variables to '0' when they are un-mapped. Cc: stable@vger.kernel.org Signed-off-by: Vaibhav Jain Signed-off-by: Greg Kroah-Hartman drivers/misc/cxl/native.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit b7c747d4627462f25b3daabf49c18895a6722faa Author: Alexandre TORGUE Date: Tue May 30 16:43:04 2017 +0200 pinctrl: stm32: Fix bad function call In stm32_pconf_parse_conf function, stm32_pmx_gpio_set_direction is called with wrong parameter value. Indeed, using NULL value for range will raise an oops. Fixes: aceb16dc2da5 ("pinctrl: Add STM32 MCUs support") Reported-by: Dan Carpenter Signed-off-by: Alexandre TORGUE Signed-off-by: Linus Walleij drivers/pinctrl/stm32/pinctrl-stm32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ba714a9c1dea85e0bf2899d02dfeb9c70040427c Author: Thomas Gleixner Date: Tue May 23 23:23:32 2017 +0200 pinctrl/amd: Use regular interrupt instead of chained The AMD pinctrl driver uses a chained interrupt to demultiplex the GPIO interrupts. Kevin Vandeventer reported, that his new AMD Ryzen locks up hard on boot when the AMD pinctrl driver is initialized. The reason is an interrupt storm. 
It's not clear whether that's caused by hardware or firmware or both. Using chained interrupts on X86 is a dangerous endeavour. If a system is misconfigured or the hardware buggy there is no safety net to catch an interrupt storm. Convert the driver to use a regular interrupt for the demultiplex handler. This allows the interrupt storm detector to catch the malfunction and lets the system boot up. This should be backported to stable because it's likely that more users run into this problem as the AMD Ryzen machines are spreading.

Reported-by: Kevin Vandeventer
Link: https://bugzilla.suse.com/show_bug.cgi?id=1034261
Signed-off-by: Thomas Gleixner
Signed-off-by: Linus Walleij

drivers/pinctrl/pinctrl-amd.c | 91 +++++++++++++++++++------------------------
1 file changed, 41 insertions(+), 50 deletions(-)

commit fc7a90686777e7d2da7a08cf0202c21f3b96febb
Author: Richard Genoud
Date: Thu Jun 1 14:18:26 2017 +0200

gpio: mvebu: fix gpio bank registration when pwm is used

If more than one gpio bank has the "pwm" property, only one will be registered successfully, all the others will fail with:

  mvebu-gpio: probe of f1018140.gpio failed with error -17

That's because in alloc_pwms(), the chip->base (aka "int pwm"), was not set (thus, ==0) ; and 0 is a meaningful start value in alloc_pwm(). What was intended is mvpwm->chip->base = -1.
Like that, the numbering will be done auto-magically. Moreover, as the region might be already occupied by another pwm, we shouldn't force:

  mvpwm->chip->base = 0
nor
  mvpwm->chip->base = id * MVEBU_MAX_GPIO_PER_BANK;

Tested on clearfog-pro (Marvell 88F6828)

Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
Signed-off-by: Richard Genoud
Reviewed-by: Gregory CLEMENT
Signed-off-by: Linus Walleij

drivers/gpio/gpio-mvebu.c | 7 +++++++
1 file changed, 7 insertions(+)

commit c528eb27a3be2600e724c8a57cb69eab1fd9afa2
Author: Richard Genoud
Date: Thu Jun 1 14:18:25 2017 +0200

gpio: mvebu: fix blink counter register selection

The blink counter A was always selected because 0 was forced in the blink select counter register. The variable 'set' was obviously there to be used as the register value, selecting the B counter when id==1 and A counter when id==0.

Tested on clearfog-pro (Marvell 88F6828)

Fixes: 757642f9a584 ("gpio: mvebu: Add limited PWM support")
Reviewed-by: Gregory CLEMENT
Reviewed-by: Ralph Sennhauser
Signed-off-by: Richard Genoud
Signed-off-by: Linus Walleij

drivers/gpio/gpio-mvebu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 8affb06737ae565722764c2b309eb0e892538344
Merge: b29794e 1123a60
Author: Ingo Molnar
Date: Fri Jun 9 08:17:10 2017 +0200

Merge branch 'rcu/urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/paulmck/linux-rcu into rcu/urgent

Pull RCU fix from Paul E. McKenney:

" This series enables srcu_read_lock() and srcu_read_unlock() to be used from interrupt handlers, which fixes a bug in KVM's use of SRCU in delivery of interrupts to guest OSes. "

Signed-off-by: Ingo Molnar

commit abb85a9b512e8ca7ad04a5a8a6db9664fe644974
Author: Nicholas Bellinger
Date: Wed Jun 7 20:29:50 2017 -0700

iscsi-target: Reject immediate data underflow larger than SCSI transfer length

When iscsi WRITE underflow occurs there are two different scenarios that can happen. Normally in practice, when an EDTL vs.
SCSI CDB TRANSFER LENGTH underflow is detected, the iscsi immediate data payload is the smaller SCSI CDB TRANSFER LENGTH. That is, when a host fabric LLD is using a fixed size EDTL for a specific control CDB, the SCSI CDB TRANSFER LENGTH and actual SCSI payload ends up being smaller than EDTL. In iscsi, this means the received iscsi immediate data payload matches the smaller SCSI CDB TRANSFER LENGTH, because there is no more SCSI payload to accept beyond SCSI CDB TRANSFER LENGTH.

However, it's possible for a malicious host to send a WRITE underflow where EDTL is larger than SCSI CDB TRANSFER LENGTH, but incoming iscsi immediate data actually matches EDTL. In the wild, we've never had an iscsi host environment actually try to do this. For this special case, it's wrong to truncate part of the control CDB payload and continue to process the command during underflow when immediate data payload received was larger than SCSI CDB TRANSFER LENGTH, so go ahead and reject and drop the bogus payload as a defensive action.

Note this potential bug was originally relaxed by the following for allowing WRITE underflow in MSFT FCP host environments:

  commit c72c5250224d475614a00c1d7e54a67f77cd3410
  Author: Roland Dreier
  Date: Wed Jul 22 15:08:18 2015 -0700

  target: allow underflow/overflow for PR OUT etc. commands

Cc: Roland Dreier
Cc: Mike Christie
Cc: Hannes Reinecke
Cc: Martin K. Petersen
Cc: # v4.3+
Signed-off-by: Nicholas Bellinger

drivers/target/iscsi/iscsi_target.c | 12 ++++++++++++
1 file changed, 12 insertions(+)

commit 105fa2f44e504c830697b0c794822112d79808dc
Author: Nicholas Bellinger
Date: Sat Jun 3 05:35:47 2017 -0700

iscsi-target: Fix delayed logout processing greater than SECONDS_FOR_LOGOUT_COMP

This patch fixes a BUG() in iscsit_close_session() that could be triggered when iscsit_logout_post_handler() execution from within tx thread context was not run for more than SECONDS_FOR_LOGOUT_COMP (15 seconds), and the TCP connection didn't already close before then forcing tx thread context to automatically exit. This would manifest itself during explicit logout as:

  [33206.974254] 1 connection(s) still exist for iSCSI session to iqn.1993-08.org.debian:01:3f5523242179
  [33206.980184] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 2100.772 msecs
  [33209.078643] ------------[ cut here ]------------
  [33209.078646] kernel BUG at drivers/target/iscsi/iscsi_target.c:4346!

Normally when explicit logout attempt fails, the tx thread context exits and iscsit_close_connection() from rx thread context does the extra cleanup once it detects conn->conn_logout_remove has not been cleared by the logout type specific post handlers. To address this special case, if the logout post handler in tx thread context detects conn->tx_thread_active has already been cleared, simply return and exit in order for existing iscsit_close_connection() logic from rx thread context do failed logout cleanup.
Reported-by: Bart Van Assche
Tested-by: Bart Van Assche
Cc: Mike Christie
Cc: Hannes Reinecke
Cc: Sagi Grimberg
Cc: stable@vger.kernel.org # 3.14+
Tested-by: Gary Guo
Tested-by: Chu Yuan Lin
Signed-off-by: Nicholas Bellinger

drivers/target/iscsi/iscsi_target.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

commit 73d4e580ccc5c3e05cea002f18111f66c9c07034
Author: Nicholas Bellinger
Date: Fri Jun 2 20:00:17 2017 -0700

target: Fix kref->refcount underflow in transport_cmd_finish_abort

This patch fixes a se_cmd->cmd_kref underflow during CMD_T_ABORTED when a fabric driver drops its second reference from below the target_core_tmr.c based callers of transport_cmd_finish_abort(). Recently with the conversion of kref to refcount_t, this bug was manifesting itself as:

  [705519.601034] refcount_t: underflow; use-after-free.
  [705519.604034] INFO: NMI handler (kgdb_nmi_handler) took too long to run: 20116.512 msecs
  [705539.719111] ------------[ cut here ]------------
  [705539.719117] WARNING: CPU: 3 PID: 26510 at lib/refcount.c:184 refcount_sub_and_test+0x33/0x51

Since the original kref atomic_t based kref_put() didn't check for underflow and only invoked the final callback when zero was reached, this bug did not manifest in practice since all se_cmd memory is using preallocated tags. To address this, go ahead and propagate the existing return from transport_put_cmd() up via transport_cmd_finish_abort(), and change transport_cmd_finish_abort() + core_tmr_handle_tas_abort() callers to only do their local target_put_sess_cmd() if necessary.
Reported-by: Bart Van Assche
Tested-by: Bart Van Assche
Cc: Mike Christie
Cc: Hannes Reinecke
Cc: Christoph Hellwig
Cc: Himanshu Madhani
Cc: Sagi Grimberg
Cc: stable@vger.kernel.org # 3.14+
Tested-by: Gary Guo
Tested-by: Chu Yuan Lin
Signed-off-by: Nicholas Bellinger

drivers/target/target_core_internal.h | 2 +-
drivers/target/target_core_tmr.c | 16 ++++++++--------
drivers/target/target_core_transport.c | 9 ++++++---
3 files changed, 15 insertions(+), 12 deletions(-)

commit 92347cfd62c174ab91ad97dd4bfbaa1d4aa28e67
Author: Mark Rutland
Date: Thu Jun 8 14:47:41 2017 +0100

KEYS: fix refcount_inc() on zero

If a key's refcount is dropped to zero between key_lookup() peeking at the refcount and subsequently attempting to increment it, refcount_inc() will see a zero refcount. Here, refcount_inc() will WARN_ONCE(), and will *not* increment the refcount, which will remain zero. Once key_lookup() drops key_serial_lock, it is possible for the key to be freed behind our back. This patch uses refcount_inc_not_zero() to perform the peek and increment atomically.

Fixes: fff292914d3a2f1e ("security, keys: convert key.usage from atomic_t to refcount_t")
Signed-off-by: Mark Rutland
Signed-off-by: David Howells
Cc: David Windsor
Cc: Elena Reshetova
Cc: Hans Liljestrand
Cc: James Morris
Cc: Kees Cook
Cc: Peter Zijlstra
Signed-off-by: James Morris

security/keys/key.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)

commit 7cbe0932c2f2014d6e24e716e79ea3910b468950
Author: Mat Martineau
Date: Thu Jun 8 14:50:11 2017 +0100

KEYS: Convert KEYCTL_DH_COMPUTE to use the crypto KPP API

The initial Diffie-Hellman computation made direct use of the MPI library because the crypto module did not support DH at the time. Now that KPP is implemented, KEYCTL_DH_COMPUTE should use it to get rid of duplicate code and leverage possible hardware acceleration.
This fixes an issue whereby the input to the KDF computation would include additional uninitialized memory when the result of the Diffie-Hellman computation was shorter than the input prime number.

Signed-off-by: Mat Martineau
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/Kconfig | 2 +-
security/keys/dh.c | 272 +++++++++++++++++++++++++++++++-------------------
2 files changed, 171 insertions(+), 103 deletions(-)

commit da7798a7b6714cf35ea6084ad6b1fe0497566cf2
Author: Loganaden Velvindron
Date: Thu Jun 8 14:50:04 2017 +0100

crypto : asymmetric_keys : verify_pefile:zero memory content before freeing

Signed-off-by: Loganaden Velvindron
Signed-off-by: Yasir Auleear
Signed-off-by: David Howells
Signed-off-by: James Morris

crypto/asymmetric_keys/verify_pefile.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit a77395447b0aeab9473a066ff28fbee01130206b
Author: Eric Biggers
Date: Thu Jun 8 14:49:57 2017 +0100

KEYS: DH: add __user annotations to keyctl_kdf_params

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Acked-by: Stephan Mueller
Signed-off-by: James Morris

include/uapi/linux/keyctl.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit 0ddd9f1a6b7e5746b52959f645fc66859b805e88
Author: Eric Biggers
Date: Thu Jun 8 14:49:49 2017 +0100

KEYS: DH: ensure the KDF counter is properly aligned

Accessing a 'u8[4]' through a '__be32 *' violates alignment rules. Just make the counter a __be32 instead.
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Acked-by: Stephan Mueller
Signed-off-by: James Morris

security/keys/dh.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)

commit 281590b4221779dbc4a5e2c33c0c5b0239cfe794
Author: Eric Biggers
Date: Thu Jun 8 14:49:42 2017 +0100

KEYS: DH: don't feed uninitialized "otherinfo" into KDF

If userspace called KEYCTL_DH_COMPUTE with kdf_params containing NULL otherinfo but nonzero otherinfolen, the kernel would allocate a buffer for the otherinfo, then feed it into the KDF without initializing it. Fix this by always doing the copy from userspace (which will fail with EFAULT in this scenario).

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Acked-by: Stephan Mueller
Signed-off-by: James Morris

security/keys/dh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit bbe240454d86be95151e0ecfd6ac55fe5ef5a6f5
Author: Eric Biggers
Date: Thu Jun 8 14:49:34 2017 +0100

KEYS: DH: forbid using digest_null as the KDF hash

Requesting "digest_null" in the keyctl_kdf_params caused an infinite loop in kdf_ctr() because the "null" hash has a digest size of 0. Fix it by rejecting hash algorithms with a digest size of 0.

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Acked-by: Stephan Mueller
Signed-off-by: James Morris

security/keys/dh.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)

commit 0620fddb56dfaf0e1034eeb69d79c73b361debbf
Author: Eric Biggers
Date: Thu Jun 8 14:49:26 2017 +0100

KEYS: sanitize key structs before freeing

While a 'struct key' itself normally does not contain sensitive information, Documentation/security/keys.txt actually encourages this:

"Having a payload is not required; and the payload can, in fact, just be a value stored in the struct key itself."

In case someone has taken this advice, or will take this advice in the future, zero the key structure before freeing it.
We might as well, and as a bonus this could make it a bit more difficult for an adversary to determine which keys have recently been in use. This is safe because the key_jar cache does not use a constructor.

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

include/linux/key.h | 1 -
security/keys/gc.c | 4 +---
2 files changed, 1 insertion(+), 4 deletions(-)

commit ee618b4619b72527aaed765f0f0b74072b281159
Author: Eric Biggers
Date: Thu Jun 8 14:49:18 2017 +0100

KEYS: trusted: sanitize all key material

As the previous patch did for encrypted-keys, zero any potentially sensitive data related to the "trusted" key type before it is freed. Notably, we were not zeroing the tpm_buf structures in which the actual key is stored for TPM seal and unseal, nor were we zeroing the trusted_key_payload in certain error paths.

Cc: Mimi Zohar
Cc: David Safford
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/trusted.c | 50 ++++++++++++++++++++++---------------------------
1 file changed, 22 insertions(+), 28 deletions(-)

commit a9dd74b252e04b7e41ffe78d418b896b33b70a13
Author: Eric Biggers
Date: Thu Jun 8 14:49:11 2017 +0100

KEYS: encrypted: sanitize all key material

For keys of type "encrypted", consistently zero sensitive key material before freeing it. This was already being done for the decrypted payloads of encrypted keys, but not for the master key and the keys derived from the master key. Out of an abundance of caution and because it is trivial to do so, also zero buffers containing the key payload in encrypted form, although depending on how the encrypted-keys feature is used such information does not necessarily need to be kept secret.
Cc: Mimi Zohar
Cc: David Safford
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++------------------
1 file changed, 13 insertions(+), 18 deletions(-)

commit 6966c74932b328b3d6df92b11b083bfbcd067986
Author: Eric Biggers
Date: Thu Jun 8 14:49:04 2017 +0100

KEYS: user_defined: sanitize key payloads

Zero the payloads of user and logon keys before freeing them. This prevents sensitive key material from being kept around in the slab caches after a key is released.

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/user_defined.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)

commit 57070c850a03ee0cea654fc22cb8032fc3139d39
Author: Eric Biggers
Date: Thu Jun 8 14:48:57 2017 +0100

KEYS: sanitize add_key() and keyctl() key payloads

Before returning from add_key() or one of the keyctl() commands that takes in a key payload, zero the temporary buffer that was allocated to hold the key payload copied from userspace. This may contain sensitive key material that should not be kept around in the slab caches.

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/keyctl.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)

commit 63a0b0509e700717a59f049ec6e4e04e903c7fe2
Author: Eric Biggers
Date: Thu Jun 8 14:48:47 2017 +0100

KEYS: fix freeing uninitialized memory in key_update()

key_update() freed the key_preparsed_payload even if it was not initialized first. This would cause a crash if userspace called keyctl_update() on a key with type like "asymmetric" that has a ->preparse() method but not an ->update() method. Possibly it could even be triggered for other key types by racing with keyctl_setperm() to make the KEY_NEED_WRITE check fail (the permission was already checked, so normally it wouldn't fail there).
Reproducer with key type "asymmetric", given a valid cert.der:

  keyctl new_session
  keyid=$(keyctl padd asymmetric desc @s < cert.der)
  keyctl setperm $keyid 0x3f000000
  keyctl update $keyid data

  [ 150.686666] BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
  [ 150.687601] IP: asymmetric_key_free_kids+0x12/0x30
  [ 150.688139] PGD 38a3d067
  [ 150.688141] PUD 3b3de067
  [ 150.688447] PMD 0
  [ 150.688745]
  [ 150.689160] Oops: 0000 [#1] SMP
  [ 150.689455] Modules linked in:
  [ 150.689769] CPU: 1 PID: 2478 Comm: keyctl Not tainted 4.11.0-rc4-xfstests-00187-ga9f6b6b8cd2f #742
  [ 150.690916] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
  [ 150.692199] task: ffff88003b30c480 task.stack: ffffc90000350000
  [ 150.692952] RIP: 0010:asymmetric_key_free_kids+0x12/0x30
  [ 150.693556] RSP: 0018:ffffc90000353e58 EFLAGS: 00010202
  [ 150.694142] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000004
  [ 150.694845] RDX: ffffffff81ee3920 RSI: ffff88003d4b0700 RDI: 0000000000000001
  [ 150.697569] RBP: ffffc90000353e60 R08: ffff88003d5d2140 R09: 0000000000000000
  [ 150.702483] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
  [ 150.707393] R13: 0000000000000004 R14: ffff880038a4d2d8 R15: 000000000040411f
  [ 150.709720] FS: 00007fcbcee35700(0000) GS:ffff88003fd00000(0000) knlGS:0000000000000000
  [ 150.711504] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [ 150.712733] CR2: 0000000000000001 CR3: 0000000039eab000 CR4: 00000000003406e0
  [ 150.714487] Call Trace:
  [ 150.714975] asymmetric_key_free_preparse+0x2f/0x40
  [ 150.715907] key_update+0xf7/0x140
  [ 150.716560] ? key_default_cmp+0x20/0x20
  [ 150.717319] keyctl_update_key+0xb0/0xe0
  [ 150.718066] SyS_keyctl+0x109/0x130
  [ 150.718663] entry_SYSCALL_64_fastpath+0x1f/0xc2
  [ 150.719440] RIP: 0033:0x7fcbce75ff19
  [ 150.719926] RSP: 002b:00007ffd5d167088 EFLAGS: 00000206 ORIG_RAX: 00000000000000fa
  [ 150.720918] RAX: ffffffffffffffda RBX: 0000000000404d80 RCX: 00007fcbce75ff19
  [ 150.721874] RDX: 00007ffd5d16785e RSI: 000000002866cd36 RDI: 0000000000000002
  [ 150.722827] RBP: 0000000000000006 R08: 000000002866cd36 R09: 00007ffd5d16785e
  [ 150.723781] R10: 0000000000000004 R11: 0000000000000206 R12: 0000000000404d80
  [ 150.724650] R13: 00007ffd5d16784d R14: 00007ffd5d167238 R15: 000000000040411f
  [ 150.725447] Code: 83 c4 08 31 c0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 85 ff 74 23 55 48 89 e5 53 48 89 fb <48> 8b 3f e8 06 21 c5 ff 48 8b 7b 08 e8 fd 20 c5 ff 48 89 df e8
  [ 150.727489] RIP: asymmetric_key_free_kids+0x12/0x30 RSP: ffffc90000353e58
  [ 150.728117] CR2: 0000000000000001
  [ 150.728430] ---[ end trace f7f8fe1da2d5ae8d ]---

Fixes: 4d8c0250b841 ("KEYS: Call ->free_preparse() even after ->preparse() returns an error")
Cc: stable@vger.kernel.org # 3.17+
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/key.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

commit 5649645d725c73df4302428ee4e02c869248b4c5
Author: Eric Biggers
Date: Thu Jun 8 14:48:40 2017 +0100

KEYS: fix dereferencing NULL payload with nonzero length

sys_add_key() and the KEYCTL_UPDATE operation of sys_keyctl() allowed a NULL payload with nonzero length to be passed to the key type's ->preparse(), ->instantiate(), and/or ->update() methods. Various key types including asymmetric, cifs.idmap, cifs.spnego, and pkcs7_test did not handle this case, allowing an unprivileged user to trivially cause a NULL pointer dereference (kernel oops) if one of these key types was present.
Fix it by doing the copy_from_user() when 'plen' is nonzero rather than when '_payload' is non-NULL, causing the syscall to fail with EFAULT as expected when an invalid buffer is specified.

Cc: stable@vger.kernel.org # 2.6.10+
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/keyctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit 0f534e4a13496b02ae284f50fcb0263f6ea37007
Author: Eric Biggers
Date: Thu Jun 8 14:48:32 2017 +0100

KEYS: encrypted: use constant-time HMAC comparison

MACs should, in general, be compared using crypto_memneq() to prevent timing attacks.

Cc: Mimi Zohar
Cc: Herbert Xu
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

commit 64d107d3acca1565c39c044c459fd18f70943534
Author: Eric Biggers
Date: Thu Jun 8 14:48:25 2017 +0100

KEYS: encrypted: fix race causing incorrect HMAC calculations

The encrypted-keys module was using a single global HMAC transform, which could be rekeyed by multiple threads concurrently operating on different keys, causing incorrect HMAC values to be calculated. Fix this by allocating a new HMAC transform whenever we need to calculate a HMAC. Also simplify things a bit by allocating the shash_desc's using SHASH_DESC_ON_STACK() for both the HMAC and unkeyed hashes.
The following script reproduces the bug:

  keyctl new_session
  keyctl add user master "abcdefghijklmnop" @s
  for i in $(seq 2); do
    (
      set -e
      for j in $(seq 1000); do
        keyid=$(keyctl add encrypted desc$i "new user:master 25" @s)
        datablob="$(keyctl pipe $keyid)"
        keyctl unlink $keyid > /dev/null
        keyid=$(keyctl add encrypted desc$i "load $datablob" @s)
        keyctl unlink $keyid > /dev/null
      done
    ) &
  done

Output with bug:

  [ 439.691094] encrypted_key: bad hmac (-22)
  add_key: Invalid argument
  add_key: Invalid argument

Cc: Mimi Zohar
Cc: Herbert Xu
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 115 +++++++++----------------------
1 file changed, 32 insertions(+), 83 deletions(-)

commit 794b4bc292f5d31739d89c0202c54e7dc9bc3add
Author: Eric Biggers
Date: Thu Jun 8 14:48:18 2017 +0100

KEYS: encrypted: fix buffer overread in valid_master_desc()

With the 'encrypted' key type it was possible for userspace to provide a data blob ending with a master key description shorter than expected, e.g. 'keyctl add encrypted desc "new x" @s'. When validating such a master key description, validate_master_desc() could read beyond the end of the buffer. Fix this by using strncmp() instead of memcmp(). [Also clean up the code to deduplicate some logic.]

Cc: Mimi Zohar
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 31 +++++++++++++++----------------
1 file changed, 15 insertions(+), 16 deletions(-)

commit e9ff56ac352446f55141aaef1553cee662b2e310
Author: Eric Biggers
Date: Thu Jun 8 14:48:10 2017 +0100

KEYS: encrypted: avoid encrypting/decrypting stack buffers

Since v4.9, the crypto API cannot (normally) be used to encrypt/decrypt stack buffers because the stack may be virtually mapped.
Fix this for the padding buffers in encrypted-keys by using ZERO_PAGE for the encryption padding and by allocating a temporary heap buffer for the decryption padding.

Tested with CONFIG_DEBUG_SG=y:

  keyctl new_session
  keyctl add user master "abcdefghijklmnop" @s
  keyid=$(keyctl add encrypted desc "new user:master 25" @s)
  datablob="$(keyctl pipe $keyid)"
  keyctl unlink $keyid
  keyid=$(keyctl add encrypted desc "load $datablob" @s)
  datablob2="$(keyctl pipe $keyid)"
  [ "$datablob" = "$datablob2" ] && echo "Success!"

Cc: Andy Lutomirski
Cc: Herbert Xu
Cc: Mimi Zohar
Cc: stable@vger.kernel.org # 4.9+
Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)

commit d636bd9f12a66ea3775c9fabbf3f8e118253467a
Author: Eric Biggers
Date: Thu Jun 8 14:48:03 2017 +0100

KEYS: put keyring if install_session_keyring_to_cred() fails

In join_session_keyring(), if install_session_keyring_to_cred() were to fail, we would leak the keyring reference, just like in the bug fixed by commit 23567fd052a9 ("KEYS: Fix keyring ref leak in join_session_keyring()"). Fortunately this cannot happen currently, but we really should be more careful. Do this by adding and using a new error label at which the keyring reference is dropped.

Signed-off-by: Eric Biggers
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/process_keys.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

commit 41f1c53e0d7d6e79087d5f5e18c467747126a3fc
Author: Markus Elfring
Date: Thu Jun 8 14:47:56 2017 +0100

KEYS: Delete an error message for a failed memory allocation in get_derived_key()

Omit an extra message for a memory allocation failure in this function. This issue was detected by using the Coccinelle software.
Link: http://events.linuxfoundation.org/sites/events/files/slides/LCJ16-Refactor_Strings-WSang_0.pdf
Signed-off-by: Markus Elfring
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/encrypted-keys/encrypted.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)

commit 4e880168e9ffb1cdbdb72b3b48ab0324b30c2d62
Author: Dan Carpenter
Date: Thu Jun 8 14:47:49 2017 +0100

X.509: Fix error code in x509_cert_parse()

We forgot to set the error code on this path so it could result in returning NULL which leads to a NULL dereference.

Fixes: db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
Signed-off-by: Dan Carpenter
Signed-off-by: David Howells
Signed-off-by: James Morris

crypto/asymmetric_keys/x509_cert_parser.c | 1 +
1 file changed, 1 insertion(+)

commit 381f20fceba8ea540aef5241a9099f4552700d0c
Author: Davidlohr Bueso
Date: Thu Jun 8 14:47:34 2017 +0100

security: use READ_ONCE instead of deprecated ACCESS_ONCE

With the new standardized functions, we can replace all ACCESS_ONCE() calls across relevant security/keyrings/. ACCESS_ONCE() does not work reliably on non-scalar types. For example gcc 4.6 and 4.7 might remove the volatile tag for such accesses during the SRA (scalar replacement of aggregates) step: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=58145

Update the new calls regardless of if it is a scalar type, this is cleaner than having three alternatives.

Signed-off-by: Davidlohr Bueso
Signed-off-by: David Howells
Signed-off-by: James Morris

security/keys/keyring.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

commit 47b2c3fff4932e6fc17ce13d51a43c6969714e20
Author: Bilal Amarni
Date: Thu Jun 8 14:47:26 2017 +0100

security/keys: add CONFIG_KEYS_COMPAT to Kconfig

CONFIG_KEYS_COMPAT is defined in arch-specific Kconfigs and is missing for several 64-bit architectures : mips, parisc, tile.
At the moment and for those architectures, calling in 32-bit userspace the keyctl syscall would return an ENOSYS error. This patch moves the CONFIG_KEYS_COMPAT option to security/keys/Kconfig, to make sure the compatibility wrapper is registered by default for any 64-bit architecture as long as it is configured with CONFIG_COMPAT.

[DH: Modified to remove arm64 compat enablement also as requested by Eric Biggers]

Signed-off-by: Bilal Amarni
Signed-off-by: David Howells
Reviewed-by: Arnd Bergmann
cc: Eric Biggers
Signed-off-by: James Morris

arch/arm64/Kconfig | 4 ----
arch/powerpc/Kconfig | 5 -----
arch/s390/Kconfig | 3 ---
arch/sparc/Kconfig | 3 ---
arch/x86/Kconfig | 4 ----
security/keys/Kconfig | 4 ++++
6 files changed, 4 insertions(+), 19 deletions(-)

commit 6e88007e224ce51969ccf9afeec645146c638816
Merge: 3d76917 1929e66
Author: Dave Airlie
Date: Fri Jun 9 13:12:02 2017 +1000

Merge branch 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux into drm-fixes

A bunch of fixes for vmwgfx 4.12 regressions and older stuff. In the latter case either trivial, cc'd stable or requiring backports for stable.
* 'vmwgfx-fixes-4.12' of git://people.freedesktop.org/~thomash/linux:
  drm/vmwgfx: Bump driver minor and date
  drm/vmwgfx: Remove unused legacy cursor functions
  drm/vmwgfx: fix spelling mistake "exeeds" -> "exceeds"
  drm/vmwgfx: Fix large topology crash
  drm/vmwgfx: Make sure to update STDU when FB is updated
  drm/vmwgfx: Make sure backup_handle is always valid
  drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
  drm/vmwgfx: Don't create proxy surface for cursor
  drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl()

commit 3d76917f50a38870dc2d960287b07e239b3da2c3
Merge: b62dba5 ef6c4d7
Author: Dave Airlie
Date: Fri Jun 9 12:18:07 2017 +1000

Merge tag 'drm-intel-fixes-2017-06-08' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes

drm/i915 fixes for v4.12-rc5

* tag 'drm-intel-fixes-2017-06-08' of git://anongit.freedesktop.org/git/drm-intel:
  drm/i915: fix warning for unused variable
  drm/i915: Fix 90/270 rotated coordinates for FBC
  drm/i915: Restore has_fbc=1 for ILK-M
  drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail
  drm/i915: Fix logical inversion for gen4 quirking
  drm/i915: Guard against i915_ggtt_disable_guc() being invoked unconditionally
  drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2.
  drm/i915: Prevent the system suspend complete optimization
  drm/i915/psr: disable psr2 for resolution greater than 32X20
  drm/i915: Hold a wakeref for probing the ring registers
  drm/i915: Short-circuit i915_gem_wait_for_idle() if already idle
  drm/i915: Disable decoupled MMIO
  drm/i915/guc: Remove stale comment for q_fail
  drm/i915: Serialize GTT/Aperture accesses on BXT

commit b62dba55779d9216128dc651204438be898fd16f
Merge: 97f607f 8604889
Author: Dave Airlie
Date: Fri Jun 9 12:17:27 2017 +1000

Merge tag 'drm-misc-fixes-2017-06-07' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes

Driver Changes:
- kirin: Use correct dt port for the bridge (John)
- meson: Fix regression caused by adding HDMI support to allow board configurations without HDMI (Neil)

Cc: John Stultz
Cc: Neil Armstrong

* tag 'drm-misc-fixes-2017-06-07' of git://anongit.freedesktop.org/git/drm-misc:
  drm/meson: Fix driver bind when only CVBS is available
  drm: kirin: Fix drm_of_find_panel_or_bridge conversion

commit 97f607fe0d4e8c49e4ee3251bda853f7b6aa75d0
Merge: dd44c95 014580f
Author: Dave Airlie
Date: Fri Jun 9 12:17:00 2017 +1000

Merge branch 'mediatek-drm-fixes-4.12-rc1' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes

mediatek fixes

* 'mediatek-drm-fixes-4.12-rc1' of https://github.com/ckhu-mediatek/linux.git-tags:
  drm/mediatek: fix mtk_hdmi_setup_vendor_specific_infoframe mistake
  drm/mediatek: fix a timeout loop

commit dd44c95739dffafac0e52076dd750911180295d4
Merge: e5b4ab1 b7dfee24
Author: Dave Airlie
Date: Fri Jun 9 12:16:25 2017 +1000

Merge tag 'imx-drm-fixes-2017-06-08' of git://git.pengutronix.de/git/pza/linux into drm-fixes

imx-drm: PRE clock gating, panelless LDB, and VDIC CSI selection fixes

- Keep the external clock input to the PRE ungated and only use the internal soft reset to keep the module in low power state, to avoid sporadic startup failures.
- Ignore -ENODEV return values from drm_of_find_panel_or_bridge in the LDB driver to fix probing for devices that still do not specify a panel in the device tree.
- Fix the CSI input selection to the VDIC. According to experiments, the real behaviour differs a bit from the documentation.

* tag 'imx-drm-fixes-2017-06-08' of git://git.pengutronix.de/git/pza/linux:
  gpu: ipu-v3: Fix CSI selection for VDIC
  drm/imx: imx-ldb: Accept drm_of_find_panel_or_bridge failure
  gpu: ipu-v3: pre: only use internal clock gating

commit 0d22df90c7eadeaf852caca49ae8df9b2c3075a4
Merge: aea4156 fbd78af
Author: Linus Torvalds
Date: Thu Jun 8 17:40:32 2017 -0700

Merge tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:

"These revert one problematic commit related to system sleep and fix one recent intel_pstate regression.

Specifics:

- Revert a recent commit that attempted to avoid spurious wakeups from suspend-to-idle via ACPI SCI, but introduced regressions on some systems (Rafael Wysocki). We will get back to the problem it tried to address in the next cycle.
- Fix a possible division by 0 during intel_pstate initialization due to a missing check (Rafael Wysocki)" * tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min() commit aea4156c308670699d74dedb182ebceffb633185 Merge: dc0cf5a 462c5a8 Author: Linus Torvalds Date: Thu Jun 8 16:28:49 2017 -0700 Merge tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux Pull module maintainer address change from Jessica Yu: "A single patch that advertises my email address change" * tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux: MAINTAINERS: update email address for Jessica Yu commit 097d3c9508dc58286344e4a22b300098cf0c1566 Author: David Ahern Date: Thu Jun 8 11:31:11 2017 -0600 net: vrf: Make add_fib_rules per network namespace flag Commit 1aa6c4f6b8cd8 ("net: vrf: Add l3mdev rules on first device create") adds the l3mdev FIB rule the first time a VRF device is created. However, it only creates the rule once and only in the namespace the first device is created - which may not be init_net. Fix by using the net_generic capability to make the add_fib_rules flag per network namespace. Fixes: 1aa6c4f6b8cd8 ("net: vrf: Add l3mdev rules on first device create") Reported-by: Petr Machata Signed-off-by: David Ahern Signed-off-by: David S. Miller drivers/net/vrf.c | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) commit fbd78afe34d9cc3a86aff7cc214d9f06e815e63e Merge: 3c2993b 57caf4e f3b7eaa Author: Rafael J. 
Wysocki Date: Fri Jun 9 01:25:16 2017 +0200 Merge branches 'intel_pstate' and 'pm-sleep' * intel_pstate: cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min() * pm-sleep: Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" commit 47c1ded7fef108c730b803cd386241beffcdd15c Merge: cc1582c b89fe63 Author: Ingo Molnar Date: Fri Jun 9 00:41:33 2017 +0200 Merge tag 'perf-urgent-for-mingo-4.12-20170608' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Fixes for handling compressed kernel modules (Namhyung Kim) - Fix handling old style build-id cache ($HOME/.debug/) (Namhyung Kim) - 'perf script' python/perl documentation fixes: outdated comments, invalid code snippets, etc (SeongJae Park) Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 78a5a93c1eeb4e6933d1f62b33e5496d53b46c5a Author: Daniel Borkmann Date: Thu Jun 8 19:06:25 2017 +0200 bpf, tests: fix endianness selection I noticed that test_l4lb was failing in selftests: # ./test_progs test_pkt_access:PASS:ipv4 77 nsec test_pkt_access:PASS:ipv6 44 nsec test_xdp:PASS:ipv4 2933 nsec test_xdp:PASS:ipv6 1500 nsec test_l4lb:PASS:ipv4 377 nsec test_l4lb:PASS:ipv6 544 nsec test_l4lb:FAIL:stats 6297600000 200000 test_tcp_estats:PASS: 0 nsec Summary: 7 PASSED, 1 FAILED Tracking down the issue actually revealed that endianness selection in bpf_endian.h is broken when compiled with clang with bpf target. test_pkt_access.c, test_l4lb.c is compiled with __BYTE_ORDER as __BIG_ENDIAN, test_xdp.c as __LITTLE_ENDIAN! test_l4lb noticeably fails, because the test accounts bytes via bpf_ntohs(ip6h->payload_len) and bpf_ntohs(iph->tot_len), and compares them against a defined value and given a wrong endianness, the test outcome is different, of course. 
Turns out that there are actually two bugs: i) when we do __BYTE_ORDER comparison with __LITTLE_ENDIAN/__BIG_ENDIAN, then depending on the include order we see different outcomes. Reason is that __BYTE_ORDER is undefined due to missing endian.h include. Before we include the asm/byteorder.h (e.g. through linux/in.h), then __BYTE_ORDER equals __LITTLE_ENDIAN since both are undefined, after the include which correctly pulls in linux/byteorder/little_endian.h, __LITTLE_ENDIAN is defined, but given __BYTE_ORDER is still undefined, we match on __BYTE_ORDER equals to __BIG_ENDIAN since __BIG_ENDIAN is also undefined at that point, sigh. ii) But even that would be wrong, since when compiling the test cases with clang, one can select between bpfeb and bpfel targets for cross compilation. Hence, we can also not rely on what the system's endian.h provides, but we need to look at the compiler's defined endianness. The compiler defines __BYTE_ORDER__, and we can match __ORDER_LITTLE_ENDIAN__ and __ORDER_BIG_ENDIAN__, which also reflects targets bpf (native), bpfel, bpfeb correctly, thus really only rely on that. After patch: # ./test_progs test_pkt_access:PASS:ipv4 74 nsec test_pkt_access:PASS:ipv6 42 nsec test_xdp:PASS:ipv4 2340 nsec test_xdp:PASS:ipv6 1461 nsec test_l4lb:PASS:ipv4 400 nsec test_l4lb:PASS:ipv6 530 nsec test_tcp_estats:PASS: 0 nsec Summary: 7 PASSED, 0 FAILED Fixes: 43bcf707ccdc ("bpf: fix _htons occurences in test_progs") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: David S. Miller tools/testing/selftests/bpf/bpf_endian.h | 41 +++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 11 deletions(-) commit 297fb414d0d190ca82bf0b46fb19d7fda1598737 Author: Nicolas Dichtel Date: Thu Jun 8 11:18:13 2017 +0200 ethtool.h: remind to update 802.3ad when adding new speeds Each time a new speed is added, the bonding 802.3ad isn't updated. Add a comment to remind the developer to update this driver. 
Signed-off-by: Nicolas Dichtel Acked-by: Andy Gospodarek Signed-off-by: David S. Miller include/uapi/linux/ethtool.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 3fcd64cfa0e9cb72b99aaba5c6bc13af9c03417f Author: Nicolas Dichtel Date: Thu Jun 8 11:18:12 2017 +0200 bonding: fix 802.3ad support for 14G speed This patch adds 14 Gbps enum definition, and fixes aggregated bandwidth calculation based on above slave links. Fixes: 0d7e2d2166f6 ("IB/ipoib: add get_link_ksettings in ethtool") Signed-off-by: Nicolas Dichtel Acked-by: Andy Gospodarek Signed-off-by: David S. Miller drivers/net/bonding/bond_3ad.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit c7c550670afda2e16f9e2d06a1473885312eb6b5 Author: Thibaut Collet Date: Thu Jun 8 11:18:11 2017 +0200 bonding: fix 802.3ad support for 5G and 50G speeds This patch adds [5|50] Gbps enum definition, and fixes aggregated bandwidth calculation based on above slave links. Fixes: c9a70d43461d ("net-next: ethtool: Added port speed macros.") Signed-off-by: Thibaut Collet Signed-off-by: Nicolas Dichtel Acked-by: Andy Gospodarek Signed-off-by: David S. Miller drivers/net/bonding/bond_3ad.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) commit daa6630a310fe2ad90ce5f7d2d196cd0353ef4fa Author: Nicolas Dichtel Date: Thu Jun 8 10:37:45 2017 +0200 openvswitch: warn about missing first netlink attribute The first netlink attribute (value 0) must always be defined as none/unspec. Because we cannot change an existing UAPI, I add a comment to point the mistake and avoid to propagate it in a new ovs API in the future. Signed-off-by: Nicolas Dichtel Signed-off-by: David S. 
Miller include/uapi/linux/openvswitch.h | 1 + 1 file changed, 1 insertion(+) commit f9f314f323951a33d8b4a4f63f7d04b7f3bc0603 Author: Hans Verkuil Date: Thu Jun 8 15:37:44 2017 -0300 [media] media/cec.h: use IS_REACHABLE instead of IS_ENABLED Fix messages like this: adv7842.c:(.text+0x2edadd): undefined reference to `cec_unregister_adapter' when CEC_CORE=m but the driver including media/cec.h is built-in. In that case the static inlines provided in media/cec.h should be used by that driver. Reported-by: Randy Dunlap Reported-by: kbuild test robot Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab include/media/cec.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 0db47e3d323411beeb6ea97f2c4d19395c91fd8b Author: Arnd Bergmann Date: Thu Jun 8 09:54:24 2017 +0200 ila_xlat: add missing hash secret initialization While discussing the possible merits of clang warning about unused initialized functions, I found one function that was clearly meant to be called but never actually is. __ila_hash_secret_init() initializes the hash value for the ila locator, apparently this is intended to prevent hash collision attacks, but this ends up being a read-only zero constant since there is no caller. I could find no indication of why it was never called, the earliest patch submission for the module already was like this. If my interpretation is right, we certainly want to backport the patch to stable kernels as well. I considered adding it to the ila_xlat_init callback, but for best effect the random data is read as late as possible, just before it is first used. The underlying net_get_random_once() is already highly optimized to avoid overhead when called frequently. Fixes: 7f00feaf1076 ("ila: Add generic ILA translation facility") Cc: stable@vger.kernel.org Link: https://www.spinics.net/lists/kernel/msg2527243.html Signed-off-by: Arnd Bergmann Signed-off-by: David S. 
Miller net/ipv6/ila/ila_xlat.c | 1 + 1 file changed, 1 insertion(+) commit b89fe63fbafe307fb72546f7a2320380bf41bdd4 Author: Namhyung Kim Date: Thu Jun 8 16:31:09 2017 +0900 perf symbols: Kill dso__build_id_is_kmod() The commit e7ee40475760 ("perf symbols: Fix symbols searching for module in buildid-cache") added the function to check kernel modules reside in the build-id cache. This was because there's no way to identify a DSO which is actually a kernel module. So it searched linkname of the file and find ".ko" suffix. But this does not work for compressed kernel modules and now such DSOs have correct symtab_type now. So no need to check it anymore. This patch essentially reverts the commit. Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-10-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/build-id.c | 45 --------------------------------------------- tools/perf/util/build-id.h | 1 - tools/perf/util/symbol.c | 4 ---- 3 files changed, 50 deletions(-) commit c25ec42f846f702f8f532fbc890171e3a1f6ec85 Author: Namhyung Kim Date: Thu Jun 8 16:31:08 2017 +0900 perf symbols: Keep DSO->symtab_type after decompress The symsrc__init() overwrites dso->symtab_type as symsrc->type in dso__load_sym(). But for compressed kernel modules in the build-id cache, it should have original symtab type to be decompressed as needed. This fixes perf annotate to show disassembly of the function properly.
Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-9-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/symbol-elf.c | 2 ++ 1 file changed, 2 insertions(+) commit 94df1040b1e6aacd8dec0ba3c61d7e77cd695f26 Author: Namhyung Kim Date: Thu Jun 8 16:31:07 2017 +0900 perf tests: Decompress kernel module before objdump If a kernel module is compressed, it should be decompressed before running objdump to parse binary data correctly. This fixes a failure of object code reading test for me. Signed-off-by: Namhyung Kim Acked-by: Adrian Hunter Acked-by: Jiri Olsa Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-8-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/tests/code-reading.c | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) commit 8ba29adf9a7cdff3c7283d5fc0dcf5e777d3b40f Author: Namhyung Kim Date: Thu Jun 8 16:31:06 2017 +0900 perf tools: Consolidate error path in __open_dso() On failure, it should free the 'name', so clean up the error path using goto. Signed-off-by: Namhyung Kim Suggested-by: Arnaldo Carvalho de Melo Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-7-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/dso.c | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) commit 1d6b3c9ba756a5134fd7ad1959acac776d17404b Author: Namhyung Kim Date: Thu Jun 8 16:31:05 2017 +0900 perf tools: Decompress kernel module when reading DSO data Currently perf decompresses kernel modules when loading the symbol table but it missed to do it when reading raw data.
Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-6-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/dso.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) commit 3c84fd53044f98017271101b59a21ddb20fb312b Author: Namhyung Kim Date: Thu Jun 8 16:31:04 2017 +0900 perf annotate: Use dso__decompress_kmodule_path() Convert open-coded decompress routine to use the function. Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-5-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/annotate.c | 27 +++------------------------ 1 file changed, 3 insertions(+), 24 deletions(-) commit 42b3fa670825983fc8bd0ac7b80cc84ae3abb75b Author: Namhyung Kim Date: Thu Jun 8 16:31:03 2017 +0900 perf tools: Introduce dso__decompress_kmodule_{fd,path} Move decompress_kmodule() to util/dso.c and split it into two functions returning fd and (decompressed) file path. The existing user only wants the fd version but the path version will be used soon. Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-4-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/dso.c | 58 ++++++++++++++++++++++++++++++++++++++++++++ tools/perf/util/dso.h | 6 +++++ tools/perf/util/symbol-elf.c | 36 +-------------------------- 3 files changed, 65 insertions(+), 35 deletions(-) commit 44ad6b8852529eb39066edbedc027a6901da6803 Author: Namhyung Kim Date: Thu Jun 8 16:31:02 2017 +0900 perf tools: Fix a memory leak in __open_dso() The 'name' variable should be freed on the error path. 
Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Wang Nan Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170608073109.30699-3-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/dso.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 3619ef76b37d4803bc9daee9d03d82c8526db378 Author: Namhyung Kim Date: Thu Jun 8 16:31:01 2017 +0900 perf annotate: Fix symbolic link of build-id cache The commit 6ebd2547dd24 ("perf annotate: Fix a bug following symbolic link of a build-id file") changed to use dirname to follow the symlink. But it only considers new-style build-id cache names so old names fail on readlink() and force to use system path which might not be available. Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Adrian Hunter Cc: David Ahern Cc: Peter Zijlstra Cc: Taeung Song Cc: Wang Nan Cc: kernel-team@lge.com Fixes: 6ebd2547dd24 ("perf annotate: Fix a bug following symbolic link of a build-id file") Link: http://lkml.kernel.org/r/20170608073109.30699-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/annotate.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit dc0cf5a77db9d200284f54a60994c1f6d2fbfc5f Merge: d0aab7d dac8bbb Author: Linus Torvalds Date: Thu Jun 8 10:50:04 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk Pull printk fix from Petr Mladek: "This reverts a fix added into 4.12-rc1. It caused the kernel log to be printed on another console when two consoles of the same type were defined, e.g. console=ttyS0 console=ttyS1. This configuration was never supported by kernel itself, but it started to make sense with systemd.
In other words, the commit broke userspace" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk: Revert "printk: fix double printing with earlycon" commit d0aab7d4e93e0fd5df3e892e0f2087d7a5371b1a Merge: b29794e f3ad587 Author: Linus Torvalds Date: Thu Jun 8 10:02:58 2017 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a couple of places in the crypto code that were doing interruptible sleeps dangerously. They have been converted to use non-interruptible sleeps. This also fixes a bug in asymmetric_keys where it would trigger a use-after-free if a request returned EBUSY due to a full device queue" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: gcm - wait for crypto op not signal safe crypto: drbg - wait for crypto op not signal safe crypto: asymmetric_keys - handle EBUSY due to backlog correctly commit 0bed865060836dc5f26b68052de0a504d66d9fae Author: David S. Miller Date: Thu Jun 8 11:51:59 2017 -0400 net: Fix build regression in rtl8723bs staging driver. drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c: In function ‘rtw_cfg80211_add_monitor_if’: drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c:2670:10: error: ‘struct net_device’ has no member named ‘destructor’ mon_ndev->destructor = rtw_ndev_destructor; ^ Signed-off-by: David S. Miller drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c | 3 ++- drivers/staging/rtl8723bs/os_dep/os_intfs.c | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) commit 8f9bebc33dd718283183582fc4a762e178552fb8 Author: Paolo Valente Date: Mon Jun 5 10:11:15 2017 +0200 block, bfq: access and cache blkg data only when safe In blk-cgroup, operations on blkg objects are protected with the request_queue lock. This is no more the lock that protects I/O-scheduler operations in blk-mq. In fact, the latter are now protected with a finer-grained per-scheduler-instance lock. 
As a consequence, although blkg lookups are also rcu-protected, blk-mq I/O schedulers may see inconsistent data when they access blkg and blkg-related objects. BFQ does access these objects, and does incur this problem, in the following case. The blkg_lookup performed in bfq_get_queue, being protected (only) through rcu, may happen to return the address of a copy of the original blkg. If this is the case, then the blkg_get performed in bfq_get_queue, to pin down the blkg, is useless: it does not prevent blk-cgroup code from destroying both the original blkg and all objects directly or indirectly referred by the copy of the blkg. BFQ accesses these objects, which typically causes a crash for NULL-pointer dereference of memory-protection violation. Some additional protection mechanism should be added to blk-cgroup to address this issue. In the meantime, this commit provides a quick temporary fix for BFQ: cache (when safe) blkg data that might disappear right after a blkg_lookup. In particular, this commit exploits the following facts to achieve its goal without introducing further locks. Destroy operations on a blkg invoke, as a first step, hooks of the scheduler associated with the blkg. And these hooks are executed with bfqd->lock held for BFQ. As a consequence, for any blkg associated with the request queue an instance of BFQ is attached to, we are guaranteed that such a blkg is not destroyed, and that all the pointers it contains are consistent, while that instance is holding its bfqd->lock. A blkg_lookup performed with bfqd->lock held then returns a fully consistent blkg, which remains consistent until this lock is held. In more detail, this holds even if the returned blkg is a copy of the original one. Finally, also the object describing a group inside BFQ needs to be protected from destruction on the blkg_free of the original blkg (which invokes bfq_pd_free). 
This commit adds private refcounting for this object, to let it disappear only after no bfq_queue refers to it any longer. This commit also removes or updates some stale comments on locking issues related to blk-cgroup operations. Reported-by: Tomas Konir Reported-by: Lee Tibbert Reported-by: Marco Piazza Signed-off-by: Paolo Valente Tested-by: Tomas Konir Tested-by: Lee Tibbert Tested-by: Marco Piazza Signed-off-by: Jens Axboe block/bfq-cgroup.c | 116 +++++++++++++++++++++++++++++++++++++++++----------- block/bfq-iosched.c | 2 +- block/bfq-iosched.h | 23 +++++------ 3 files changed, 105 insertions(+), 36 deletions(-) commit bcdaa2b8a640d6e3d29d3257434fe741fcba4a9c Merge: 8397ed3 4f19c0d Author: David S. Miller Date: Thu Jun 8 11:45:49 2017 -0400 Merge branch 'netvsc-bug-fixes' Stephen Hemminger says: ==================== netvsc: bug fixes These are bugfixes for netvsc driver in 4.12. ==================== Signed-off-by: David S. Miller commit 4f19c0d8070cd4aa8e85bbf8a19d9ef5bef77c90 Author: stephen hemminger Date: Wed Jun 7 15:53:49 2017 -0700 netvsc: move filter setting to rndis_device The work queue and handling of network filter parameters should be in rndis_device. This gets rid of warning from RCU checks, eliminates a race and cleans up code. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller drivers/net/hyperv/hyperv_net.h | 5 +++-- drivers/net/hyperv/netvsc_drv.c | 33 ++------------------------------- drivers/net/hyperv/rndis_filter.c | 30 +++++++++++++++++++++++++++++- 3 files changed, 34 insertions(+), 34 deletions(-) commit a5ecd43992a7cd9f91d5f98b0082ae44df5e543c Author: stephen hemminger Date: Wed Jun 7 15:53:48 2017 -0700 netvsc: fix net poll mode The ndo_poll_controller function needs to schedule NAPI to pick up arriving packets and send completions. Otherwise no data will ever be received. For simple case of netconsole, it also will allow send completions to happen. Without this netpoll will eventually get stuck. 
Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit fbd4c7e768f1719bea340e40148800279d230922 Author: stephen hemminger Date: Wed Jun 7 15:53:47 2017 -0700 netvsc: fix rcu dereference warning from ethtool The ethtool info command calls the netvsc get_sset_count with RTNL but not with RCU. Which causes warning: drivers/net/hyperv/netvsc_drv.c:1010 suspicious rcu_dereference_check() usage! Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller drivers/net/hyperv/netvsc_drv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1123a6041654e8f889014659593bad4168e542c2 Author: Paolo Bonzini Date: Wed May 31 14:03:11 2017 +0200 srcu: Allow use of Classic SRCU from both process and interrupt context Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting down a guest running iperf on a VFIO assigned device. This happens because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt context, while a worker thread does the same inside kvm_set_irq(). If the interrupt happens while the worker thread is executing __srcu_read_lock(), updates to the Classic SRCU ->lock_count[] field or the Tree SRCU ->srcu_lock_count[] field can be lost. The docs say you are not supposed to call srcu_read_lock() and srcu_read_unlock() from irq context, but KVM interrupt injection happens from (host) interrupt context and it would be nice if SRCU supported the use case. KVM is using SRCU here not really for the "sleepable" part, but rather due to its IPI-free fast detection of grace periods. It is therefore not desirable to switch back to RCU, which would effectively revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING", 2014-01-16). However, the docs are overly conservative. 
You can have an SRCU instance only has users in irq context, and you can mix process and irq context as long as process context users disable interrupts. In addition, __srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and Classic SRCU. For those two implementations, only srcu_read_lock() is unsafe. When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(), in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments. Therefore it kept __this_cpu_inc(), with preempt_disable/enable in the caller. Tree SRCU however only does one increment, so on most architectures it is more efficient for __srcu_read_lock() to use this_cpu_inc(), and any performance differences appear to be down in the noise. Cc: stable@vger.kernel.org Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING") Reported-by: Linu Cherian Suggested-by: Linu Cherian Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini Cc: Linus Torvalds Signed-off-by: Paul E. McKenney include/linux/srcu.h | 2 -- kernel/rcu/srcu.c | 5 ++--- 2 files changed, 2 insertions(+), 5 deletions(-) commit cdf7abc4610a7f1c43d06cda246c5f748a4fd267 Author: Paolo Bonzini Date: Wed May 31 14:03:10 2017 +0200 srcu: Allow use of Tiny/Tree SRCU from both process and interrupt context Linu Cherian reported a WARN in cleanup_srcu_struct() when shutting down a guest running iperf on a VFIO assigned device. This happens because irqfd_wakeup() calls srcu_read_lock(&kvm->irq_srcu) in interrupt context, while a worker thread does the same inside kvm_set_irq(). If the interrupt happens while the worker thread is executing __srcu_read_lock(), updates to the Classic SRCU ->lock_count[] field or the Tree SRCU ->srcu_lock_count[] field can be lost. 
The docs say you are not supposed to call srcu_read_lock() and srcu_read_unlock() from irq context, but KVM interrupt injection happens from (host) interrupt context and it would be nice if SRCU supported the use case. KVM is using SRCU here not really for the "sleepable" part, but rather due to its IPI-free fast detection of grace periods. It is therefore not desirable to switch back to RCU, which would effectively revert commit 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING", 2014-01-16). However, the docs are overly conservative. You can have an SRCU instance only has users in irq context, and you can mix process and irq context as long as process context users disable interrupts. In addition, __srcu_read_unlock() actually uses this_cpu_dec() on both Tree SRCU and Classic SRCU. For those two implementations, only srcu_read_lock() is unsafe. When Classic SRCU's __srcu_read_unlock() was changed to use this_cpu_dec(), in commit 5a41344a3d83 ("srcu: Simplify __srcu_read_unlock() via this_cpu_dec()", 2012-11-29), __srcu_read_lock() did two increments. Therefore it kept __this_cpu_inc(), with preempt_disable/enable in the caller. Tree SRCU however only does one increment, so on most architectures it is more efficient for __srcu_read_lock() to use this_cpu_inc(), and any performance differences appear to be down in the noise. Unlike Classic and Tree SRCU, Tiny SRCU does increments and decrements on a single variable. Therefore, as Peter Zijlstra pointed out, Tiny SRCU's implementation already supports mixed-context use of srcu_read_lock() and srcu_read_unlock(), at least as long as uses of srcu_read_lock() and srcu_read_unlock() in each handler are nested and paired properly. In other words, it is still illegal to (say) invoke srcu_read_lock() in an interrupt handler and to invoke the matching srcu_read_unlock() in a softirq handler. Therefore, the only change required for Tiny SRCU is to its comments. 
Fixes: 719d93cd5f5c ("kvm/irqchip: Speed up KVM_SET_GSI_ROUTING") Reported-by: Linu Cherian Suggested-by: Linu Cherian Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini Cc: Linus Torvalds Signed-off-by: Paul E. McKenney Tested-by: Paolo Bonzini kernel/rcu/srcutiny.c | 7 ++++--- kernel/rcu/srcutree.c | 5 ++--- 2 files changed, 6 insertions(+), 6 deletions(-) commit 95989c46d2a156365867b1d795fdefce71bce378 Author: Brian Foster Date: Thu Jun 8 08:23:07 2017 -0700 xfs: fix spurious spin_is_locked() assert failures on non-smp kernels The 0-day kernel test robot reports assertion failures on !CONFIG_SMP kernels due to failed spin_is_locked() checks. As it turns out, spin_is_locked() is hardcoded to return zero on !CONFIG_SMP kernels and so this function cannot be relied on to verify spinlock state in this configuration. To avoid this problem, replace the associated asserts with lockdep variants that do the right thing regardless of kernel configuration. Drop the one assert that checks for an unlocked lock as there is no suitable lockdep variant for that case. This moves the spinlock checks from XFS debug code to lockdep, but generally provides the same level of protection. Reported-by: kbuild test robot Signed-off-by: Brian Foster Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong fs/xfs/xfs_buf.c | 2 +- fs/xfs/xfs_icache.c | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) commit 8397ed36b7c585f8d3e06c431f4137309124f78f Author: David Ahern Date: Wed Jun 7 12:26:23 2017 -0600 net: ipv6: Release route when device is unregistering Roopa reported attempts to delete a bond device that is referenced in a multipath route is hanging: $ ifdown bond2 # ifupdown2 command that deletes virtual devices unregister_netdevice: waiting for bond2 to become free. 
Usage count = 2 Steps to reproduce: echo 1 > /proc/sys/net/ipv6/conf/all/ignore_routes_with_linkdown ip link add dev bond12 type bond ip link add dev bond13 type bond ip addr add 2001:db8:2::0/64 dev bond12 ip addr add 2001:db8:3::0/64 dev bond13 ip route add 2001:db8:33::0/64 nexthop via 2001:db8:2::2 nexthop via 2001:db8:3::2 ip link del dev bond12 ip link del dev bond13 The root cause is the recent change to keep routes on a linkdown. Update the check to detect when the device is unregistering and release the route for that case. Fixes: a1a22c12060e4 ("net: ipv6: Keep nexthop of multipath route on admin down") Reported-by: Roopa Prabhu Signed-off-by: David Ahern Acked-by: Roopa Prabhu Signed-off-by: David S. Miller include/linux/netdevice.h | 5 +++++ net/ipv6/route.c | 1 + 2 files changed, 6 insertions(+) commit 0eed9cf58446b28b233388b7f224cbca268b6986 Author: Mintz, Yuval Date: Wed Jun 7 21:00:33 2017 +0300 net: Zero ifla_vf_info in rtnl_fill_vfinfo() Some of the structure's fields are not initialized by the rtnetlink. If driver doesn't set those in ndo_get_vf_config(), they'd leak memory to user. Signed-off-by: Yuval Mintz CC: Michal Schmidt Reviewed-by: Greg Rose Signed-off-by: David S. Miller net/core/rtnetlink.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit dd0da17b209ed91f39872766634ca967c170ada1 Author: Mateusz Jurczyk Date: Wed Jun 7 16:14:29 2017 +0200 decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb Verify that the length of the socket buffer is sufficient to cover the nlmsghdr structure before accessing the nlh->nlmsg_len field for further input sanitization. If the client only supplies 1-3 bytes of data in sk_buff, then nlh->nlmsg_len remains partially uninitialized and contains leftover memory from the corresponding kernel allocation. Operating on such data may result in indeterminate evaluation of the nlmsg_len < sizeof(*nlh) expression. 
The bug was discovered by a runtime instrumentation designed to detect use of uninitialized memory in the kernel. The patch prevents this and other similar tools (e.g. KMSAN) from flagging this behavior in the future. Signed-off-by: Mateusz Jurczyk Signed-off-by: David S. Miller net/decnet/netfilter/dn_rtmsg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit c164772dd32343ee19e276ce0137830557517834 Author: David S. Miller Date: Thu Jun 8 10:50:18 2017 -0400 Revert "decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb" This reverts commit 85eac2ba35a2dbfbdd5767c7447a4af07444a5b4. There is an updated version of this fix which we should use instead. Signed-off-by: David S. Miller net/decnet/netfilter/dn_rtmsg.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 9065bc386fcf52dee8f697450ddeb788e1bd514c Author: Christian Lamparter Date: Wed Jun 7 15:51:16 2017 +0200 net: emac: fix and unify emac_mdio functions emac_mdio_read_link() was not copying the requested phy settings back into the emac driver's own phy api. This has caused a link speed mismatch issue for the AR8035 as the emac driver kept trying to connect with 10/100MBps on a 1GBit/s link. This patch also unifies shared code between emac_setup_aneg() and emac_mdio_setup_forced(). And furthermore it removes a chunk of emac_mdio_init_phy(), that was copying the same data into itself. Signed-off-by: Christian Lamparter Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/ethernet/ibm/emac/core.c | 41 ++++++++++++++++-------------------- 1 file changed, 18 insertions(+), 23 deletions(-) commit 19d90ece81da802207a9b91ce95a29fbdc40626e Author: Christian Lamparter Date: Wed Jun 7 15:51:15 2017 +0200 net: emac: fix reset timeout with AR8035 phy This patch fixes a problem where the AR8035 PHY can't be detected on an Cisco Meraki MR24, if the ethernet cable is not connected on boot. 
    Russell Senior provided steps to reproduce the issue:
    |Disconnect ethernet cable, apply power, wait until device has booted,
    |plug in ethernet, check for interfaces, no eth0 is listed.
    |
    |This appears to be a problem during probing of the AR8035 Phy chip.
    |When ethernet has no link, the phy detection fails, and eth0 is not
    |created. Plugging ethernet later has no effect, because there is no
    |interface as far as the kernel is concerned. The relevant part of
    |the boot log looks like this:
    |this is the failing case:
    |
    |[ 0.876611] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
    |[ 0.882532] /plb/opb/ethernet@ef600c00: reset timeout
    |[ 0.888546] /plb/opb/ethernet@ef600c00: can't find PHY!
    |and the succeeding case:
    |
    |[ 0.876672] /plb/opb/emac-rgmii@ef601500: input 0 in RGMII mode
    |[ 0.883952] eth0: EMAC-0 /plb/opb/ethernet@ef600c00, MAC 00:01:..
    |[ 0.890822] eth0: found Atheros 8035 Gigabit Ethernet PHY (0x01)

    Based on the comment and the commit message of
    commit 23fbb5a87c56 ("emac: Fix EMAC soft reset on 460EX/GT").
    This is because the AR8035 PHY doesn't provide the TX Clock,
    if the ethernet cable is not attached. This causes the reset
    to timeout and the PHY detection code in emac_init_phy() is
    unable to detect the AR8035 PHY. As a result, the emac driver
    bails out early and the user is left with no ethernet.

    In order to stay compatible with existing configurations, the
    driver tries the current reset approach at first. Only if the
    first attempt timed out, it does perform one more retry with the
    clock temporarily switched to the internal source for just the
    duration of the reset.

    LEDE-Bug: #687

    Cc: Chris Blake
    Reported-by: Russell Senior
    Fixes: 23fbb5a87c56e98 ("emac: Fix EMAC soft reset on 460EX/GT")
    Signed-off-by: Christian Lamparter
    Reviewed-by: Andrew Lunn
    Signed-off-by: David S. Miller

 drivers/net/ethernet/ibm/emac/core.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

commit 85eac2ba35a2dbfbdd5767c7447a4af07444a5b4
Author: Mateusz Jurczyk
Date:   Wed Jun 7 15:14:29 2017 +0200

    decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb

    Verify that the length of the socket buffer is sufficient to cover the
    entire nlh->nlmsg_len field before accessing that field for further
    input sanitization. If the client only supplies 1-3 bytes of data in
    sk_buff, then nlh->nlmsg_len remains partially uninitialized and
    contains leftover memory from the corresponding kernel allocation.
    Operating on such data may result in indeterminate evaluation of the
    nlmsg_len < sizeof(*nlh) expression.

    The bug was discovered by a runtime instrumentation designed to detect
    use of uninitialized memory in the kernel. The patch prevents this and
    other similar tools (e.g. KMSAN) from flagging this behavior in the future.

    Signed-off-by: Mateusz Jurczyk
    Signed-off-by: David S. Miller

 net/decnet/netfilter/dn_rtmsg.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

commit 9e53932d888b7f32475db72f859f8f38cc2135fb
Merge: a364163 1ba15b2
Author: Paolo Bonzini
Date:   Thu Jun 8 16:35:18 2017 +0200

    Merge tag 'kvm-s390-master-4.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD

    KVM: s390: Fix for master (4.12)

    - The newly created AIS capability enables the feature unconditionally
      and ignores the cpu model

commit 85d0331aedff4646b2a2b14561c8be3678ffcee2
Merge: 6460495 9947d6a
Author: Jens Axboe
Date:   Thu Jun 8 08:33:45 2017 -0600

    Merge branch 'nvme-4.12' of git://git.infradead.org/nvme into for-linus

    Christoph writes:

    "A few NVMe fixes for 4.12-rc, PCIe reset fixes and APST fixes, a
     RDMA reconnect fix, two FC fixes and a general controller removal fix."

commit ed66e50d9587fc0bb032e276a2563c0068a5b63a
Author: David S. Miller
Date:   Thu Jun 8 10:16:05 2017 -0400

    hsi: Fix build regression due to netdev destructor fix.

    > ../drivers/hsi/clients/ssi_protocol.c:1069:5: error: 'struct net_device' has no member named 'destructor'

    Reported-by: Mark Brown
    Reported-by: Stephen Rothwell
    Signed-off-by: David S. Miller

 drivers/hsi/clients/ssi_protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit cd1997f6c11483da819a7719aa013093b8003743
Author: Stephen Rothwell
Date:   Thu Jun 8 19:06:29 2017 +1000

    net: s390: fix up for "Fix inconsistent teardown and release of private netdev state"

    Signed-off-by: Stephen Rothwell
    Signed-off-by: David S. Miller

 drivers/s390/net/netiucv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

commit ef6c4d75e35345f8f362d6754bcd9a28292a897c
Author: Jani Nikula
Date:   Thu Jun 8 16:58:23 2017 +0300

    drm/i915: fix warning for unused variable

    drivers/gpu/drm/i915/intel_engine_cs.c: In function ‘intel_engine_is_idle’:
    drivers/gpu/drm/i915/intel_engine_cs.c:1103:27: error: unused variable ‘dev_priv’ [-Werror=unused-variable]
      struct drm_i915_private *dev_priv = engine->i915;
                               ^~~~~~~~

    Reviewed-by: Chris Wilson
    Signed-off-by: Jani Nikula

 drivers/gpu/drm/i915/intel_engine_cs.c | 2 --
 1 file changed, 2 deletions(-)

commit 6460495709aeb651896bc8e5c134b2e4ca7d34a8
Author: James Wang
Date:   Thu Jun 8 14:52:51 2017 +0800

    Fix loop device flush before configure v3

    While installing SLES-12 (based on v4.4), I found that the installer
    will stall for 60+ seconds during LVM disk scan. The root cause was
    determined to be the removal of a bound device check in loop_flush()
    by commit b5dd2f6047ca ("block: loop: improve performance via blk-mq").

    Restoring this check, examining ->lo_state as set by loop_set_fd()
    eliminates the bad behavior.
    Test method:
        modprobe loop max_loop=64
        dd if=/dev/zero of=disk bs=512 count=200K
        for((i=0;i<4;i++))do losetup -f disk; done
        mkfs.ext4 -F /dev/loop0
        for((i=0;i<4;i++))do mkdir t$i; mount /dev/loop$i t$i;done
        for f in `ls /dev/loop[0-9]*|sort`; do \
            echo $f; dd if=$f of=/dev/null bs=512 count=1; \
        done

    Test output:    stock          patched
    /dev/loop0      18.1217e-05    8.3842e-05
    /dev/loop1      6.1114e-05     0.000147979
    /dev/loop10     0.414701       0.000116564
    /dev/loop11     0.7474         6.7942e-05
    /dev/loop12     0.747986       8.9082e-05
    /dev/loop13     0.746532       7.4799e-05
    /dev/loop14     0.480041       9.3926e-05
    /dev/loop15     1.26453        7.2522e-05

    Note that from loop10 onward, the device is not mounted, yet the
    stock kernel consumes several orders of magnitude more wall time
    than it does for a mounted device.
    (Thanks for Mike Galbraith, give a changelog review.)

    Reviewed-by: Hannes Reinecke
    Reviewed-by: Ming Lei
    Signed-off-by: James Wang
    Fixes: b5dd2f6047ca ("block: loop: improve performance via blk-mq")
    Signed-off-by: Jens Axboe

 drivers/block/loop.c | 3 +++
 1 file changed, 3 insertions(+)

commit 16ddcc34b8bde5d9257114a16565fac73237bef9
Author: Martin Schwidefsky
Date:   Tue Jan 17 12:32:15 2017 +0100

    s390: update defconfig

    Signed-off-by: Martin Schwidefsky

 arch/s390/configs/default_defconfig     | 39 ++++++++++++++++++++++++++++-----
 arch/s390/configs/gcov_defconfig        | 28 +++++++++++++++++++----
 arch/s390/configs/performance_defconfig | 27 +++++++++++++++++++----
 arch/s390/configs/zfcpdump_defconfig    | 6 +++--
 arch/s390/defconfig                     | 8 +++----
 5 files changed, 87 insertions(+), 21 deletions(-)

commit 698b851073ddf5a894910d63ca04605e0473414e
Author: Marcin Nowakowski
Date:   Thu Jun 8 15:20:32 2017 +0200

    MIPS: kprobes: flush_insn_slot should flush only if probe initialised

    When ftrace is used with kprobes, it is possible for a kprobe to contain
    an invalid location (ie. only initialised to 0 and not to a specific
    location in the code). Trying to perform a cache flush on such location
    leads to a crash r4k_flush_icache_range().
    Fixes: c1bf207d6ee1 ("MIPS: kprobe: Add support.")
    Signed-off-by: Marcin Nowakowski
    Cc: linux-mips@linux-mips.org
    Patchwork: https://patchwork.linux-mips.org/patch/16296/
    Signed-off-by: Ralf Baechle

 arch/mips/include/asm/kprobes.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

commit a3641631d14571242eec0d30c9faa786cbf52d44
Author: Wanpeng Li
Date:   Thu Jun 8 01:22:07 2017 -0700

    KVM: cpuid: Fix read/write out-of-bounds vulnerability in cpuid emulation

    If "i" is the last element in the vcpu->arch.cpuid_entries[] array, it
    potentially can be exploited the vulnerability. This will out-of-bounds
    read and write. Luckily, the effect is small:

            /* when no next entry is found, the current entry[i] is reselected */
            for (j = i + 1; ; j = (j + 1) % nent) {
                    struct kvm_cpuid_entry2 *ej = &vcpu->arch.cpuid_entries[j];
                    if (ej->function == e->function) {

    It reads ej->maxphyaddr, which is user controlled. However...

                            ej->flags |= KVM_CPUID_FLAG_STATE_READ_NEXT;

    After cpuid_entries there is

            int maxphyaddr;
            struct x86_emulate_ctxt emulate_ctxt; /* 16-byte aligned */

    So we have:

    - cpuid_entries at offset 1B50 (6992)
    - maxphyaddr at offset 27D0 (6992 + 3200 = 10192)
    - padding at 27D4...27DF
    - emulate_ctxt at 27E0

    And it writes in the padding. Pfew, writing the ops field of emulate_ctxt
    would have been much worse.

    This patch fixes it by modding the index to avoid the out-of-bounds
    access. Worst case, i == j and ej->function == e->function,
    the loop can bail out.
    Reported-by: Moguofang
    Cc: Paolo Bonzini
    Cc: Radim Krčmář
    Cc: Guofang Mo
    Cc: stable@vger.kernel.org
    Signed-off-by: Wanpeng Li
    Signed-off-by: Paolo Bonzini

 arch/x86/kvm/cpuid.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

commit 38a4f43d5698daec601f4c5652ec287e594faf84
Merge: d491221 33b5c38
Author: Paolo Bonzini
Date:   Thu Jun 8 15:04:38 2017 +0200

    Merge tag 'kvm-arm-for-v4.12-rc5-take2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD

    KVM/ARM Fixes for v4.12-rc5 - Take 2

    Changes include:
     - Fix an issue with migrating GICv2 VMs on GICv3 systems.
     - Squashed a bug for gicv3 when figuring out preemption levels.
     - Fix a potential null pointer dereference in KVM happening under memory
       pressure.
     - Maintain RES1 bits in the SCTLR_EL2 to make sure KVM works on new
       architecture revisions.
     - Allow unaligned accesses at EL2/HYP

commit 87051ec120bb9abd9e57aecf2569c00d587b6f33
Author: Marcin Nowakowski
Date:   Tue May 23 12:56:43 2017 +0200

    MIPS: ftrace: fix init functions tracing

    Since introduction of tracing for init functions the in_kernel_space()
    check is no longer correct, as it ignores the init sections. As a
    result, when probes are inserted (and disabled) in the init functions,
    a branch instruction is inserted instead of a nop, which is likely to
    result in random crashes during boot.

    Remove the MIPS-specific in_kernel_space() method and replace it with
    a generic core_kernel_text() that also checks for init sections during
    system boot stage.
Fixes: 42c269c88dc1 ("ftrace: Allow for function tracing to record init functions on boot up") Signed-off-by: Marcin Nowakowski Tested-by: Matt Redfearn Cc: Steven Rostedt Cc: Ingo Molnar Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/16092/ Signed-off-by: Ralf Baechle arch/mips/kernel/ftrace.c | 24 +++++------------------- 1 file changed, 5 insertions(+), 19 deletions(-) commit c56e7a4c3e77f6fbd9b55c06c14eda65aae58958 Author: Marcin Nowakowski Date: Tue Apr 11 09:00:36 2017 +0200 MIPS: mm: adjust PKMAP location Space reserved for PKMap should span from PKMAP_BASE to FIXADDR_START. For large page sizes this is not the case as eg. for 64k pages the range currently defined is from 0xfe000000 to 0x102000000(!!) which obviously isn't right. Remove the hardcoded location and set the BASE address as an offset from FIXADDR_START. Since all PKMAP ptes have to be placed in a contiguous memory, ensure that this is the case by placing them all in a single page. This is achieved by aligning the end address to pkmap pages count pages. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15950/ Signed-off-by: Ralf Baechle arch/mips/include/asm/pgtable-32.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 725a269b3dd149f36c206c218253336774ef26f5 Author: Marcin Nowakowski Date: Tue Apr 11 09:00:35 2017 +0200 MIPS: highmem: ensure that we don't use more than one page for PTEs All PTEs used by PKMAP should be allocated in a contiguous memory area, but we do not currently have a mechanism to enforce that, so ensure that we don't try to allocate more entries than would fit in a single page. Current fixed value of 1024 would not work with XPA enabled when sizeof(pte_t)==8 and we need two pages to store pte tables. 
Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15949/ Signed-off-by: Ralf Baechle arch/mips/include/asm/highmem.h | 5 +++++ 1 file changed, 5 insertions(+) commit 71eb989ab5a110df8bcbb9609bacde73feacbedd Author: Marcin Nowakowski Date: Tue Apr 11 09:00:34 2017 +0200 MIPS: mm: fixed mappings: correct initialisation fixrange_init operates at PMD-granularity and expects the addresses to be PMD-size aligned, but currently that might not be the case for PKMAP_BASE unless it is defined properly, so ensure a correct alignment is used before passing the address to fixrange_init. fixed mappings: only align the start address that is passed to fixrange_init rather than the value before adding the size, as we may end up with uninitialised upper part of the range. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15948/ Signed-off-by: Ralf Baechle arch/mips/mm/pgtable-32.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit f7a31b5e7874f77464a4eae0a8ba84b9ae0b3a54 Author: Marcin Nowakowski Date: Wed Apr 19 14:07:43 2017 +0200 MIPS: perf: Remove incorrect odd/even counter handling for I6400 All performance counters on I6400 (odd and even) are capable of counting any of the available events, so drop current logic of using the extra bit to determine which counter to use. 
Signed-off-by: Marcin Nowakowski Fixes: 4e88a8621301 ("MIPS: Add cases for CPU_I6400") Fixes: fd716fca10fc ("MIPS: perf: Fix I6400 event numbers") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/15991/ Signed-off-by: Ralf Baechle arch/mips/kernel/perf_event_mipsxx.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit c6ee9619e2edd9912316f7e2eaf9ffa14fafe9f9 Author: Michael Ellerman Date: Thu Jun 8 16:29:59 2017 +1000 powerpc/book3s64: Move PPC_DT_CPU_FTRs and enable it by default The PPC_DT_CPU_FTRs is a bit misplaced in menuconfig, it shows up with other general kernel options. It's really more at home in the "Platform Support" section, so move it there. Also enable it by default, for Book3s 64. It does mostly nothing unless the device tree properties are found, and we will want it enabled eventually in distro kernels, so turn it on to start getting more testing. Fixes: 5a61ef74f269 ("powerpc/64s: Support new device tree binding for discovering CPU features") Signed-off-by: Michael Ellerman arch/powerpc/Kconfig | 11 ----------- arch/powerpc/platforms/Kconfig | 11 +++++++++++ 2 files changed, 11 insertions(+), 11 deletions(-) commit 92d9dfda8b547cc292af27e11e11c9eff3bb574f Author: Aneesh Kumar K.V Date: Thu Jun 1 20:05:04 2017 +0530 powerpc/mm/4k: Limit 4k page size config to 64TB virtual address space Supporting 512TB requires us to do a order 3 allocation for level 1 page table (pgd). This results in page allocation failures with certain workloads. For now limit 4k linux page size config to 64TB. 
Fixes: f6eedbba7a26 ("powerpc/mm/hash: Increase VA range to 128TB") Reported-by: Hugh Dickins Signed-off-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman arch/powerpc/include/asm/book3s/64/hash-4k.h | 2 +- arch/powerpc/include/asm/processor.h | 25 ++++++++++++------------- arch/powerpc/kernel/setup-common.c | 2 +- arch/powerpc/mm/mmu_context_book3s64.c | 2 +- 4 files changed, 15 insertions(+), 16 deletions(-) commit cec422c11caeeccae709e9942058b6b644ce434c Author: Frederic Barrat Date: Tue Jun 6 11:43:41 2017 +0200 cxl: Fix error path on bad ioctl Fix error path if we can't copy user structure on CXL_IOCTL_START_WORK ioctl. We shouldn't unlock the context status mutex as it was not locked (yet). Fixes: 0712dc7e73e5 ("cxl: Fix issues when unmapping contexts") Cc: stable@vger.kernel.org # v3.19+ Signed-off-by: Frederic Barrat Reviewed-by: Vaibhav Jain Reviewed-by: Andrew Donnellan Signed-off-by: Michael Ellerman drivers/misc/cxl/file.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) commit b94aac64a4c17c5af92f9b4ba7164c5b384d5c02 Author: Hans Verkuil Date: Wed Jun 7 12:07:51 2017 -0300 [media] cec: race fix: don't return -ENONET in cec_receive() When calling CEC_RECEIVE do not check if the adapter is configured. Typically CEC_RECEIVE is called after a select() and if that indicates that there are messages in the receive queue, then you should always be able to dequeue a message. The race condition here is that a message has been received and is queued, so select() tells userspace that a message is available. But before the application calls CEC_RECEIVE the adapter is unconfigured (e.g. the HDMI cable is removed). Now select will always report that there is a message, but calling CEC_RECEIVE will always return -ENONET because the adapter is no longer configured and so will never actually dequeue the message. There is really no need for this check, and in fact the ENONET error code was never documented for CEC_RECEIVE. 
This may have been a left-over of old code that was never updated. Signed-off-by: Hans Verkuil Cc: # for v4.10 and up Signed-off-by: Mauro Carvalho Chehab drivers/media/cec/cec-api.c | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) commit dac8bbbae1d0ccba96402d25deeed3a2e87992c6 Author: Petr Mladek Date: Thu Jun 8 12:01:30 2017 +0200 Revert "printk: fix double printing with earlycon" This reverts commit cf39bf58afdaabc0b86f141630fb3fd18190294e. The commit regression to users that define both console=ttyS1 and console=ttyS0 on the command line, see https://lkml.kernel.org/r/20170509082915.GA13236@bistromath.localdomain The kernel log messages always appeared only on one serial port. It is even documented in Documentation/admin-guide/serial-console.rst: "Note that you can only define one console per device type (serial, video)." The above mentioned commit changed the order in which the command line parameters are searched. As a result, the kernel log messages go to the last mentioned ttyS* instead of the first one. We long thought that using two console=ttyS* on the command line did not make sense. But then we realized that console= parameters were handled also by systemd, see http://0pointer.de/blog/projects/serial-console.html "By default systemd will instantiate one serial-getty@.service on the main kernel console, if it is not a virtual terminal." where "[4] If multiple kernel consoles are used simultaneously, the main console is the one listed first in /sys/class/tty/console/active, which is the last one listed on the kernel command line." This puts the original report into another light. The system is running in qemu. The first serial port is used to store the messages into a file. The second one is used to login to the system via a socket. It depends on systemd and the historic kernel behavior. By other words, systemd causes that it makes sense to define both console=ttyS1 console=ttyS0 on the command line. 
    The kernel fix caused regression related to userspace (systemd) and
    needs to be reverted.

    In addition, it went out that the fix helped only partially.
    The messages still were duplicated when the boot console was
    removed early by late_initcall(printk_late_init). Then the entire
    log was replayed when the same console was registered as a normal one.

    Link: 20170606160339.GC7604@pathway.suse.cz
    Cc: Aleksey Makarov
    Cc: Sabrina Dubroca
    Cc: Sudeep Holla
    Cc: Greg Kroah-Hartman
    Cc: Peter Hurley
    Cc: Jiri Slaby
    Cc: Robin Murphy,
    Cc: Steven Rostedt
    Cc: "Nair, Jayachandran"
    Cc: linux-serial@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Reported-by: Sabrina Dubroca
    Acked-by: Sergey Senozhatsky
    Signed-off-by: Petr Mladek

 kernel/printk/printk.c | 46 ++++++++++------------------------------------
 1 file changed, 10 insertions(+), 36 deletions(-)

commit d41519a69b35b10af7fda867fb9100df24fdf403
Author: David Miller
Date:   Fri Jun 2 11:28:54 2017 -0400

    crypto: Work around deallocated stack frame reference gcc bug on sparc.

    On sparc, if we have an alloca() like situation, as is the case with
    SHASH_DESC_ON_STACK(), we can end up referencing deallocated stack
    memory. The result can be that the value is clobbered if a trap
    or interrupt arrives at just the right instruction.

    It only occurs if the function ends returning a value from that
    alloca() area and that value can be placed into the return value
    register using a single instruction.

    For example, in lib/libcrc32c.c:crc32c() we end up with a return
    sequence like:

            return %i7+8
             lduw [%o5+16], %o0 ! MEM[(u32 *)__shash_desc.1_10 + 16B],

    %o5 holds the base of the on-stack area allocated for the shash
    descriptor. But the return released the stack frame and the
    register window.

    So if an interrupt arrives between 'return' and 'lduw', then
    the value read at %o5+16 can be corrupted.

    Add a data compiler barrier to work around this problem.
    This is exactly what the gcc fix will end up doing as well, and it
    absolutely should not change the code generated for other cpus (unless
    gcc on them has the same bug :-)

    With crucial insight from Eric Sandeen.

    Cc:
    Reported-by: Anatoly Pugachev
    Signed-off-by: David S. Miller
    Signed-off-by: Herbert Xu

 drivers/infiniband/sw/rxe/rxe.h | 5 ++++-
 fs/btrfs/hash.c                 | 5 ++++-
 fs/f2fs/f2fs.h                  | 5 ++++-
 lib/libcrc32c.c                 | 6 ++++--
 4 files changed, 16 insertions(+), 5 deletions(-)

commit cc1582c231ea041fbc68861dfaf957eaf902b829
Author: Jin Yao
Date:   Thu May 25 18:09:07 2017 +0800

    perf/core: Drop kernel samples even though :u is specified

    When doing sampling, for example:

      perf record -e cycles:u ...

    On workloads that do a lot of kernel entry/exits we see kernel
    samples, even though :u is specified. This is due to skid existing.

    This might be a security issue because it can leak kernel addresses even
    though kernel sampling support is disabled.

    The patch drops the kernel samples if exclude_kernel is specified.

    For example, test on Haswell desktop:

      perf record -e cycles:u
      perf report --stdio

    Before patch applied:

        99.77%  mgen  mgen              [.] buf_read
         0.20%  mgen  mgen              [.] rand_buf_init
         0.01%  mgen  [kernel.vmlinux]  [k] apic_timer_interrupt
         0.00%  mgen  mgen              [.] last_free_elem
         0.00%  mgen  libc-2.23.so      [.] __random_r
         0.00%  mgen  libc-2.23.so      [.] _int_malloc
         0.00%  mgen  mgen              [.] rand_array_init
         0.00%  mgen  [kernel.vmlinux]  [k] page_fault
         0.00%  mgen  libc-2.23.so      [.] __random
         0.00%  mgen  libc-2.23.so      [.] __strcasestr
         0.00%  mgen  ld-2.23.so        [.] strcmp
         0.00%  mgen  ld-2.23.so        [.] _dl_start
         0.00%  mgen  libc-2.23.so      [.] sched_setaffinity@@GLIBC_2.3.4
         0.00%  mgen  ld-2.23.so        [.] _start

    We can see kernel symbols apic_timer_interrupt and page_fault.

    After patch applied:

        99.79%  mgen  mgen              [.] buf_read
         0.19%  mgen  mgen              [.] rand_buf_init
         0.00%  mgen  libc-2.23.so      [.] __random_r
         0.00%  mgen  mgen              [.] rand_array_init
         0.00%  mgen  mgen              [.] last_free_elem
         0.00%  mgen  libc-2.23.so      [.] vfprintf
         0.00%  mgen  libc-2.23.so      [.] rand
         0.00%  mgen  libc-2.23.so      [.] __random
         0.00%  mgen  libc-2.23.so      [.] _int_malloc
         0.00%  mgen  libc-2.23.so      [.] _IO_doallocbuf
         0.00%  mgen  ld-2.23.so        [.] do_lookup_x
         0.00%  mgen  ld-2.23.so        [.] open_verify.constprop.7
         0.00%  mgen  ld-2.23.so        [.] _dl_important_hwcaps
         0.00%  mgen  libc-2.23.so      [.] sched_setaffinity@@GLIBC_2.3.4
         0.00%  mgen  ld-2.23.so        [.] _start

    There are only userspace symbols.

    Signed-off-by: Jin Yao
    Signed-off-by: Peter Zijlstra (Intel)
    Cc:
    Cc: Alexander Shishkin
    Cc: Arnaldo Carvalho de Melo
    Cc: Jiri Olsa
    Cc: Linus Torvalds
    Cc: Namhyung Kim
    Cc: Peter Zijlstra
    Cc: Stephane Eranian
    Cc: Thomas Gleixner
    Cc: Vince Weaver
    Cc: acme@kernel.org
    Cc: jolsa@kernel.org
    Cc: kan.liang@intel.com
    Cc: mark.rutland@arm.com
    Cc: will.deacon@arm.com
    Cc: yao.jin@intel.com
    Link: http://lkml.kernel.org/r/1495706947-3744-1-git-send-email-yao.jin@linux.intel.com
    Signed-off-by: Ingo Molnar

 kernel/events/core.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

commit 5b0bc9ac2ce4881ee318a21f31140584ce4dbdad
Author: Dominik Brodowski
Date:   Wed Jun 7 11:58:19 2017 +0200

    x86/microcode/intel: Clear patch pointer before jettisoning the initrd

    During early boot, load_ucode_intel_ap() uses __load_ucode_intel()
    to obtain a pointer to the relevant microcode patch (embedded in the
    initrd), and stores this value in 'intel_ucode_patch' to speed up the
    microcode patch application for subsequent CPUs.

    On resuming from suspend-to-RAM, however, load_ucode_ap() calls
    load_ucode_intel_ap() for each non-boot-CPU. By then the initramfs is
    long gone so the pointer stored in 'intel_ucode_patch' no longer points to
    a valid microcode patch.

    Clear that pointer so that we effectively fall back to the CPU hotplug
    notifier callbacks to update the microcode.

    Signed-off-by: Dominik Brodowski
    [ Edit and massage commit message. ]
    Signed-off-by: Borislav Petkov
    Cc: # 4.10..
Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20170607095819.9754-1-bp@alien8.de Signed-off-by: Ingo Molnar arch/x86/kernel/cpu/microcode/intel.c | 3 +++ 1 file changed, 3 insertions(+) commit 462c5a826eba39fad819ccef916f9943ff42bf0d Author: Jessica Yu Date: Wed Jun 7 23:52:36 2017 -0700 MAINTAINERS: update email address for Jessica Yu I will be traveling in the upcoming months and it'll be much easier for me to access my kernel.org email rather than my work one. Change my email address in the MAINTAINERS file from jeyu@redhat.com to jeyu@kernel.org. Signed-off-by: Jessica Yu MAINTAINERS | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b169c13de473a85b3c859bb36216a4cb5f00a54a Author: Jason A. Donenfeld Date: Wed Jun 7 19:45:31 2017 -0400 random: invalidate batched entropy after crng init It's possible that get_random_{u32,u64} is used before the crng has initialized, in which case, its output might not be cryptographically secure. For this problem, directly, this patch set is introducing the *_wait variety of functions, but even with that, there's a subtle issue: what happens to our batched entropy that was generated before initialization. Prior to this commit, it'd stick around, supplying bad numbers. After this commit, we force the entropy to be re-extracted after each phase of the crng has initialized. In order to avoid a race condition with the position counter, we introduce a simple rwlock for this invalidation. Since it's only during this awkward transition period, after things are all set up, we stop using it, so that it doesn't have an impact on performance. Signed-off-by: Jason A. 
Donenfeld Cc: Greg Kroah-Hartman Signed-off-by: Theodore Ts'o Cc: stable@vger.kernel.org # v4.11+ drivers/char/random.c | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) commit 14fc42fa1b3e7ea5160c84d0e686a3a0c1ffe619 Author: SeongJae Park Date: Tue May 30 20:18:25 2017 +0900 perf script python: Remove dups in documentation examples Few shell command examples in perf-script-python.txt has few nitpicks include: - tools/perf/scripts/python directory listing command is unnecessarily repeated. - few examples contain additional information in command prompt unnecessarily and inconsistently. This commit fixes them to enhance readability of the document. Signed-off-by: SeongJae Park Cc: Alexander Shishkin Cc: Frederic Weisbecker Cc: Peter Zijlstra Cc: Tom Zanussi Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation") Link: http://lkml.kernel.org/r/20170530111827.21732-4-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf-script-python.txt | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 1bf8d5a4a5da19b1f6e7958fe67db4118fa7a1c1 Author: SeongJae Park Date: Tue May 30 20:18:27 2017 +0900 perf script python: Updated trace_unhandled() signature Default function signature of trace_unhandled() got changed to include a field dict, but its documentation, perf-script-python.txt has not been updated. Fix it. 
Signed-off-by: SeongJae Park Cc: Alexander Shishkin Cc: Peter Zijlstra Cc: Pierre Tardy Fixes: c02514850d67 ("perf scripts python: Give field dict to unhandled callback") Link: http://lkml.kernel.org/r/20170530111827.21732-6-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf-script-python.txt | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) commit 26ddb8722df865aa67fbe459107d2f3f8e5c6829 Author: SeongJae Park Date: Tue May 30 20:18:26 2017 +0900 perf script python: Fix wrong code snippets in documentation This commit fixes wrong code snippets for trace_begin() and trace_end() function example definition. Signed-off-by: SeongJae Park Cc: Alexander Shishkin Cc: Frederic Weisbecker Cc: Peter Zijlstra Cc: Tom Zanussi Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation") Link: http://lkml.kernel.org/r/20170530111827.21732-5-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf-script-python.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 34d4453dac257be53c21abf2f713c992fb692b5c Author: SeongJae Park Date: Tue May 30 20:18:24 2017 +0900 perf script: Fix documentation errors This commit fixes two errors in documents for perf-script-python and perf-script-perl as below: - /sys/kernel/debug/tracing events -> /sys/kernel/debug/tracing/events/ - trace_handled -> trace_unhandled Signed-off-by: SeongJae Park Cc: Alexander Shishkin Cc: Frederic Weisbecker Cc: Peter Zijlstra Cc: Tom Zanussi Fixes: cff68e582237 ("perf/scripts: Add perf-trace-python Documentation") Link: http://lkml.kernel.org/r/20170530111827.21732-3-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf-script-perl.txt | 2 +- tools/perf/Documentation/perf-script-python.txt | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) commit c76132dc5182776b98e946d674cb41c421661ea9 Author: SeongJae Park Date: Tue May 30 20:18:23 2017 +0900 perf script: Fix 
outdated comment for perf-trace-python Script generated by the '--gen-script' option contains an outdated comment. It mentions a 'perf-trace-python' document while it has been renamed to 'perf-script-python'. Fix it. Signed-off-by: SeongJae Park Cc: Alexander Shishkin Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 133dc4c39c57 ("perf: Rename 'perf trace' to 'perf script'") Link: http://lkml.kernel.org/r/20170530111827.21732-2-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/scripting-engines/trace-event-python.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d89269a89ebb6a74512f3f40e89cd12017f60a75 Author: SeongJae Park Date: Sun May 7 19:36:42 2017 +0900 perf probe: Fix examples section of documentation An example in perf-probe documentation for pattern of function name based probe addition is not providing example command for that case. This commit fixes the example to give appropriate example command. Signed-off-by: SeongJae Park Acked-by: Masami Hiramatsu Cc: Peter Zijlstra Cc: Taeung Song Fixes: ee391de876ae ("perf probe: Update perf probe document") Link: http://lkml.kernel.org/r/20170507103642.30560-1-sj38.park@gmail.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/Documentation/perf-probe.txt | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 92e75428ffc90e2a0321062379f883f3671cfebe Author: Theodore Ts'o Date: Wed Jun 7 19:01:32 2017 -0400 random: use lockless method of accessing and updating f->reg_idx Linus pointed out that there is a much more efficient way of avoiding the problem that we were trying to address in commit 9dfa7bba35ac0: "fix race in drivers/char/random.c:get_reg()". Signed-off-by: Theodore Ts'o drivers/char/random.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit cf124db566e6b036b8bcbe8decbed740bdfac8c6 Author: David S. Miller Date: Mon May 8 12:52:56 2017 -0400 net: Fix inconsistent teardown and release of private netdev state. 
Network devices can allocate resources and private memory using netdev_ops->ndo_init(). However, the release of these resources can occur in one of two different places. Either netdev_ops->ndo_uninit() or netdev->destructor(). The decision of which operation frees the resources depends upon whether it is necessary for all netdev refs to be released before it is safe to perform the freeing. netdev_ops->ndo_uninit() presumably can occur right after the NETDEV_UNREGISTER notifier completes and the unicast and multicast address lists are flushed. netdev->destructor(), on the other hand, does not run until the netdev references all go away. Further complicating the situation is that netdev->destructor() almost universally does also a free_netdev(). This creates a problem for the logic in register_netdevice(). Because all callers of register_netdevice() manage the freeing of the netdev, and invoke free_netdev(dev) if register_netdevice() fails. If netdev_ops->ndo_init() succeeds, but something else fails inside of register_netdevice(), it does call ndo_ops->ndo_uninit(). But it is not able to invoke netdev->destructor(). This is because netdev->destructor() will do a free_netdev() and then the caller of register_netdevice() will do the same. However, this means that the resources that would normally be released by netdev->destructor() will not be. Over the years drivers have added local hacks to deal with this, by invoking their destructor parts by hand when register_netdevice() fails. Many drivers do not try to deal with this, and instead we have leaks. Let's close this hole by formalizing the distinction between what private things need to be freed up by netdev->destructor() and whether the driver needs unregister_netdevice() to perform the free_netdev(). netdev->priv_destructor() performs all actions to free up the private resources that used to be freed by netdev->destructor(), except for free_netdev().
netdev->needs_free_netdev is a boolean that indicates whether free_netdev() should be done at the end of unregister_netdevice(). Now, register_netdevice() can sanely release all resources after ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit() and netdev->priv_destructor(). And at the end of unregister_netdevice(), we invoke netdev->priv_destructor() and optionally call free_netdev(). Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 6 +++--- drivers/net/caif/caif_hsi.c | 2 +- drivers/net/caif/caif_serial.c | 2 +- drivers/net/caif/caif_spi.c | 2 +- drivers/net/caif/caif_virtio.c | 2 +- drivers/net/can/slcan.c | 7 +++---- drivers/net/can/vcan.c | 2 +- drivers/net/can/vxcan.c | 2 +- drivers/net/dummy.c | 4 ++-- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 2 +- drivers/net/geneve.c | 2 +- drivers/net/gtp.c | 2 +- drivers/net/hamradio/6pack.c | 2 +- drivers/net/hamradio/bpqether.c | 2 +- drivers/net/ifb.c | 4 ++-- drivers/net/ipvlan/ipvlan_main.c | 2 +- drivers/net/loopback.c | 4 ++-- drivers/net/macsec.c | 4 ++-- drivers/net/macvlan.c | 2 +- drivers/net/nlmon.c | 2 +- drivers/net/slip/slip.c | 7 +++---- drivers/net/team/team.c | 4 ++-- drivers/net/tun.c | 4 ++-- drivers/net/usb/cdc-phonet.c | 2 +- drivers/net/usb/qmi_wwan.c | 2 +- drivers/net/veth.c | 4 ++-- drivers/net/vrf.c | 2 +- drivers/net/vsockmon.c | 2 +- drivers/net/vxlan.c | 2 +- drivers/net/wan/dlci.c | 2 +- drivers/net/wan/hdlc_fr.c | 2 +- drivers/net/wan/lapbether.c | 2 +- drivers/net/wireless/ath/ath6kl/main.c | 2 +- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 1 - drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++- drivers/net/wireless/intersil/hostap/hostap_main.c | 2 +- drivers/net/wireless/mac80211_hwsim.c | 2 +- drivers/net/wireless/marvell/mwifiex/main.c | 2 +- drivers/staging/rtl8188eu/os_dep/mon.c | 2 +- drivers/usb/gadget/function/f_phonet.c | 2 +- include/linux/netdevice.h | 7 ++++--- net/8021q/vlan_dev.c | 4 ++-- 
net/batman-adv/soft-interface.c | 5 ++--- net/bluetooth/6lowpan.c | 2 +- net/bridge/br_device.c | 2 +- net/caif/chnl_net.c | 4 ++-- net/core/dev.c | 8 ++++++-- net/hsr/hsr_device.c | 4 ++-- net/ieee802154/6lowpan/core.c | 2 +- net/ipv4/ip_tunnel.c | 4 ++-- net/ipv4/ipmr.c | 2 +- net/ipv6/ip6_gre.c | 9 +++++---- net/ipv6/ip6_tunnel.c | 8 ++++---- net/ipv6/ip6_vti.c | 8 ++++---- net/ipv6/ip6mr.c | 2 +- net/ipv6/sit.c | 6 +++--- net/irda/irlan/irlan_eth.c | 2 +- net/l2tp/l2tp_eth.c | 2 +- net/mac80211/iface.c | 6 +++--- net/mac802154/iface.c | 7 +++---- net/openvswitch/vport-internal_dev.c | 4 ++-- net/phonet/pep-gprs.c | 2 +- 62 files changed, 105 insertions(+), 103 deletions(-) commit 7005cade1bdbb423413f8aafcbf17a1ec614a585 Author: Daniel Borkmann Date: Wed Jun 7 13:45:37 2017 +0200 bpf, arm64: use separate register for state in stxr Will reported that in BPF_XADD we must use a different register in stxr instruction for the status flag due to otherwise CONSTRAINED UNPREDICTABLE behavior per architecture. Reference manual says [1]: If s == t, then one of the following behaviors must occur: * The instruction is UNDEFINED. * The instruction executes as a NOP. * The instruction performs the store to the specified address, but the value stored is UNKNOWN. Thus, use a different temporary register for the status flag to fix it. Disassembly extract from test 226/STX_XADD_DW from test_bpf.ko: [...] 0000003c: c85f7d4b ldxr x11, [x10] 00000040: 8b07016b add x11, x11, x7 00000044: c80c7d4b stxr w12, x11, [x10] 00000048: 35ffffac cbnz w12, 0x0000003c [...] [1] https://static.docs.arm.com/ddi0487/b/DDI0487B_a_armv8_arm.pdf, p.6132 Fixes: 85f68fe89832 ("bpf, arm64: implement jiting of BPF_XADD") Reported-by: Will Deacon Signed-off-by: Daniel Borkmann Acked-by: Will Deacon Signed-off-by: David S. 
Miller arch/arm64/net/bpf_jit_comp.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit e173db36e3090d90651d97ab4bc45ace7f8cc0c6 Author: Antoine Ténart Date: Wed Jun 7 08:17:50 2017 +0200 net: mvpp2: do not bypass the mvpp22_port_mii_set function The mvpp22_port_mii_set() function was added by 2697582144dd, but the function directly returns without doing anything. This return was used when debugging and wasn't removed before sending the patch. Fix this. Fixes: 2697582144dd ("net: mvpp2: handle misc PPv2.1/PPv2.2 differences") Signed-off-by: Antoine Tenart Acked-by: Thomas Petazzoni Signed-off-by: David S. Miller drivers/net/ethernet/marvell/mvpp2.c | 2 -- 1 file changed, 2 deletions(-) commit 3a807b751c66e76bff39da4a9bd9828d7866d025 Author: John Allen Date: Tue Jun 6 16:55:52 2017 -0500 ibmvnic: Return failure on attempted mtu change Changing the mtu is currently not supported in the ibmvnic driver. Implement .ndo_change_mtu in the driver so that attempting to use ifconfig to change the mtu will fail and present the user with an error message. Signed-off-by: John Allen Signed-off-by: David S. Miller drivers/net/ethernet/ibm/ibmvnic.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 79e25959403e6a79552db28a87abed34de32a1df Author: Roland Dreier Date: Tue Jun 6 09:22:00 2017 -0700 IB/addr: Fix setting source address in addr6_resolve() Commit eea40b8f624f ("infiniband: call ipv6 route lookup via the stub interface") introduced a regression in address resolution when connecting to IPv6 destination addresses. The old code called ip6_route_output(), while the new code calls ipv6_stub->ipv6_dst_lookup(). The two are almost the same, except that ipv6_dst_lookup() also calls ip6_route_get_saddr() if the source address is in6addr_any. This means that the test of ipv6_addr_any(&fl6.saddr) now never succeeds, and so we never copy the source address out. 
This ends up causing rdma_resolve_addr() to fail, because without a resolved source address, cma_acquire_dev() will fail to find an RDMA device to use. For me, this causes connecting to an NVMe over Fabrics target via RoCE / IPv6 to fail. Fix this by copying out fl6.saddr if ipv6_addr_any() is true for the original source address passed into addr6_resolve(). We can drop our call to ipv6_dev_get_saddr() because ipv6_dst_lookup() already does that work. Fixes: eea40b8f624 ("infiniband: call ipv6 route lookup via the stub interface") Cc: # 3.12+ Signed-off-by: Roland Dreier Acked-by: Paolo Abeni Signed-off-by: Doug Ledford drivers/infiniband/core/addr.c | 10 +--------- 1 file changed, 1 insertion(+), 9 deletions(-) commit 47eb0c8b4d9eb6368941c6a9bb443f00847a46d7 Author: Ulrik De Bie Date: Wed Jun 7 10:30:57 2017 -0700 Input: elantech - add Fujitsu Lifebook E546/E557 to force crc_enabled The Lifebook E546 and E557 touchpad were also not functioning and worked after running: echo "1" > /sys/devices/platform/i8042/serio2/crc_enabled Add them to the list of machines that need this workaround. Signed-off-by: Ulrik De Bie Reviewed-by: Arjan Opmeer Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov drivers/input/mouse/elantech.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) commit e4061d572cef1f990bb7761f45d00342daa27fbd Author: Michael S. Tsirkin Date: Tue Jun 6 19:01:37 2017 +0300 net: fix up hash documentation commit 61b905da33 ("net: Rename skb->rxhash to skb->hash") didn't update the documentation, fix this up. Cc: Tom Herbert Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller Documentation/networking/scaling.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 996652c7050c70008e4434af108be6f15f20fbd0 Author: Michal Schmidt Date: Tue Jun 6 16:30:31 2017 +0200 bnx2x: fix pf2vf bulletin DMA mapping leak When freeing VF's DMA mappings, an already NULLed pointer was checked again due to an apparent copy&paste error. 
Consequently, the pf2vf bulletin DMA mapping was not freed. Signed-off-by: Michal Schmidt Acked-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c28294b941232931fbd714099798eb7aa7e865d7 Author: Alexander Potapenko Date: Tue Jun 6 15:56:54 2017 +0200 net: don't call strlen on non-terminated string in dev_set_alias() KMSAN reported a use of uninitialized memory in dev_set_alias(), which was caused by calling strlcpy() (which in turn called strlen()) on the user-supplied non-terminated string. Signed-off-by: Alexander Potapenko Signed-off-by: David S. Miller net/core/dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3e411b0ee7c7bf0cbe2bd5961f84a02f0451ad57 Merge: ba7b238 2538b9e Author: Ingo Molnar Date: Wed Jun 7 17:50:19 2017 +0200 Merge tag 'perf-urgent-for-mingo-4.12-20170606' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent Pull perf/urgent fixes from Arnaldo Carvalho de Melo: - Only print NMI watchdog hint in 'perf stat' when it is enabled (Andi Kleen) - Fix sys_mmap/sys_old_mmap handling in s390 in 'perf trace' (Jiri Olsa) - Disable breakpoint signal tests in powerpc, that lacks the perf kernel glue to set breakpoint events and makes 'perf test' always fail (Jiri Olsa) - Fix 'perf annotate' for branch instruction with multiple operands (Kim Phillips) - Add missing powerpc triplet when disassembling with 'objdump' in 'perf annotate' (Kim Phillips) - Do not throw away partial unwound stacks when using libdw, making callchains produced with it similar to those produced when linked with the other DWARF unwind library supported in perf, libunwind (Milian Wolff) - Fixes to properly handle kernel modules when processing build-id meta events (Namhyung Kim) - Fix handling of compressed modules in the build-id cache (Namhyung Kim) - Fix 'perf annotate' failure when filename has special chars (Ravi Bangoria)
Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Ingo Molnar commit 6679a90c4b0dc2563383df1fe0eb170736952a2e Author: Shaohua Li Date: Tue Jun 6 12:40:43 2017 -0700 blk-throttle: set default latency baseline for harddisk hard disk IO latency varies a lot depending on spindle move. The latency range could be from several microseconds to several milliseconds. It's pretty hard to get the baseline latency used by io.low. We will use a different strategy here. The idea is only using IO with spindle move to determine if cgroup IO is in good state. For HD, if io latency is small (< 1ms), we ignore the IO. Such IO is likely from sequential IO, and is helpless to help determine if a cgroup's IO is impacted by other cgroups. With this, we only account IO with big latency. Then we can choose a hardcoded baseline latency for HD (4ms, which is typical IO latency with seek). With all these settings, the io.low latency works for both HD and SSD. Signed-off-by: Shaohua Li Signed-off-by: Jens Axboe block/blk-throttle.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) commit 8604889f83381cac42b849acc6c420af6df9b35b Author: Neil Armstrong Date: Mon May 29 16:15:52 2017 +0200 drm/meson: Fix driver bind when only CVBS is available While introducing HDMI support, component matching on connectors node were bypassed since no driver would actually bind on the DT node. But when only a CVBS connector is present, only a single node is found in the graph, but ignored and a NULL match table is given to the component code. This code permits bypassing the components framework by binding directly the DRM driver when no components needs to be loaded.
Fixes: a41e82e6c457 ("drm/meson: Add support for components") Signed-off-by: Neil Armstrong Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1496067352-8733-1-git-send-email-narmstrong@baylibre.com drivers/gpu/drm/meson/meson_drv.c | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) commit a41b816c174409417d91b4ceef0145c9f0bef67c Author: Joseph Qi Date: Wed Jun 7 11:36:14 2017 +0800 blk-throttle: fix NULL pointer dereference in throtl_schedule_pending_timer I have encountered a NULL pointer dereference in throtl_schedule_pending_timer: [ 413.735396] BUG: unable to handle kernel NULL pointer dereference at 0000000000000038 [ 413.735535] IP: [] throtl_schedule_pending_timer+0x3f/0x210 [ 413.735643] PGD 22c8cf067 PUD 22cb34067 PMD 0 [ 413.735713] Oops: 0000 [#1] SMP ...... This is caused by the following case: blk_throtl_bio throtl_schedule_next_dispatch <= sq is top level one without parent throtl_schedule_pending_timer sq_to_tg(sq)->td->throtl_slice <= sq_to_tg(sq) returns NULL Fix it by using sq_to_td instead of sq_to_tg(sq)->td, which will always return a valid td. Fixes: 297e3d854784 ("blk-throttle: make throtl_slice tunable") Signed-off-by: Joseph Qi Reviewed-by: Shaohua Li Signed-off-by: Jens Axboe block/blk-throttle.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1065467ed8e2601bf2d7018cf47c557ccbea3769 Author: Ville Syrjälä Date: Fri Mar 31 21:00:56 2017 +0300 drm/i915: Fix 90/270 rotated coordinates for FBC The clipped src coordinates have already been rotated by 270 degrees for when the plane rotation is 90/270 degrees, hence the FBC code should no longer swap the width and height. 
Cc: stable@vger.kernel.org Cc: Tvrtko Ursulin Cc: Paulo Zanoni Fixes: b63a16f6cd89 ("drm/i915: Compute display surface offset in the plane check hook for SKL+") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170331180056.14086-4-ville.syrjala@linux.intel.com Reviewed-by: Paulo Zanoni Tested-by: Tvrtko Ursulin Reviewed-by: Maarten Lankhorst (cherry picked from commit 73714c05df97d7527e7eaaa771472ef2ede46fa3) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_fbc.c | 19 +++++++------------ 1 file changed, 7 insertions(+), 12 deletions(-) commit 27fe407cb5122f12cfe976813686e8206425c32a Author: Ville Syrjälä Date: Tue Jun 6 16:32:29 2017 +0300 drm/i915: Restore has_fbc=1 for ILK-M Restore the lost has_fbc flag for mobile ILK. Cc: Carlos Santa Cc: Rodrigo Vivi Fixes: a13233804686 ("drm/i915: Introduce GEN5_FEATURES for device info") Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20170606133229.12439-1-ville.syrjala@linux.intel.com Reviewed-by: Rodrigo Vivi (cherry picked from commit c2d1a0ced2603c4a17fa9c53c37e415905cf5a6d) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_pci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8f4d38099b3098eae75f7755e1801931f8141350 Author: Ville Syrjälä Date: Thu Dec 15 19:47:34 2016 +0200 drm/i915: Workaround VLV/CHV DSI scanline counter hardware fail The scanline counter is bonkers on VLV/CHV DSI. The scanline counter increment is not lined up with the start of vblank like it is on every other platform and output type. This causes problems for both the vblank timestamping and atomic update vblank evasion. On my FFRD8 machine at least, the scanline counter increment happens about 1/3 of a scanline ahead of the start of vblank (which is where all register latching happens still). That means we can't trust the scanline counter to tell us whether we're in vblank or not while we're on that particular line. 
In order to keep vblank timestamping in working condition when called from the vblank irq, we'll leave scanline_offset at one, which means that the entire line containing the start of vblank is considered to be inside the vblank. For the vblank evasion we'll need to consider that entire line to be bad, since we can't tell whether the registers already got latched or not. And we can't actually use the start of vblank interrupt to get us past that line as the interrupt would fire too soon, and then we'd end up waiting for the next start of vblank instead. One way around that would be using the frame start interrupt instead since that wouldn't fire until the next scanline, but that would require some bigger changes in the interrupt code. So for simplicity we'll just poll until we get past the bad line. v2: Adjust the comments a bit Cc: stable@vger.kernel.org Cc: Jonas Aaberg Tested-by: Jonas Aaberg Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99086 Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/20161215174734.28779-1-ville.syrjala@linux.intel.com Tested-by: Mika Kahola Reviewed-by: Mika Kahola (cherry picked from commit ec1b4ee2834e66884e5b0d3d465f347ff212e372) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_display.c | 9 +++++++++ drivers/gpu/drm/i915/intel_sprite.c | 21 +++++++++++++++++++++ 2 files changed, 30 insertions(+) commit 5857dbfabc15ae9e17fd5a355c4920b46295ff1f Author: Chris Wilson Date: Sun May 21 13:40:14 2017 +0100 drm/i915: Fix logical inversion for gen4 quirking The assertion that we want to make before disabling the pin of the pages for the unknown swizzling quirk is that the quirk is indeed active, and that the quirk is disabled before we do apply it to the pages.
Fixes: 2c3a3f44dc13 ("drm/i915: Fix pages pin counting around swizzle quirk") Fixes: 957870f93412 ("drm/i915: Split out i915_gem_object_set_tiling()") Signed-off-by: Chris Wilson Cc: Chris Wilson Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Link: http://patchwork.freedesktop.org/patch/msgid/20170521124014.27678-1-chris@chris-wilson.co.uk Reviewed-bhy: Joonas Lahtinen (cherry picked from commit 20bb377106af69d16269b1837e9a945b9f508a2e) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem_tiling.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d90c98905afd00c15d5d255d845b646a37173ce9 Author: Chris Wilson Date: Wed May 31 20:05:14 2017 +0100 drm/i915: Guard against i915_ggtt_disable_guc() being invoked unconditionally Commit 7c3f86b6dc51 ("drm/i915: Invalidate the guc ggtt TLB upon insertion") added the restoration of the invalidation routine after the GuC was disabled, but missed that the GuC was unconditionally disabled when not used. This then overwrites the invalidate routine for the older chipsets, causing havoc and breaking resume as the most obvious victim. We place the guard inside i915_ggtt_disable_guc() to be backport friendly (the bug was introduced into v4.11) but it would be preferred to be in more control over when this was guard (i.e. do not try and teardown the data structures before we have enabled them). That should be true with the reorganisation of the guc loaders. 
Reported-by: Ville Syrjälä Signed-off-by: Chris Wilson Fixes: 7c3f86b6dc51 ("drm/i915: Invalidate the guc ggtt TLB upon insertion") Cc: Tvrtko Ursulin Cc: Joonas Lahtinen Cc: Oscar Mateo Cc: Daniele Ceraolo Spurio Cc: Michal Wajdeczko Cc: Arkadiusz Hiler Cc: # v4.11+ Link: http://patchwork.freedesktop.org/patch/msgid/20170531190514.3691-1-chris@chris-wilson.co.uk Reviewed-by: Michel Thierry (cherry picked from commit cb60606d835ca8b2f744835116bcabe64ce88849) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem_gtt.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4e3aed844547f63614363a386de126e6304e55fb Author: Maarten Lankhorst Date: Wed May 31 17:42:36 2017 +0200 drm/i915: Always recompute watermarks when distrust_bios_wm is set, v2. On some systems there can be a race condition in which no crtc state is added to the first atomic commit. This results in all crtc's having a null DDB allocation, causing a FIFO underrun on any update until the first modeset. Changes since v1: - Do not take the connection_mutex, this is already done below. Reported-by: Maarten Lankhorst Inspired-by: Mahesh Kumar Signed-off-by: Maarten Lankhorst Fixes: 98d39494d375 ("drm/i915/gen9: Compute DDB allocation at atomic check time (v4)") Cc: # v4.8+ Cc: Mahesh Kumar Cc: Matt Roper Link: http://patchwork.freedesktop.org/patch/msgid/20170531154236.27180-1-maarten.lankhorst@linux.intel.com Reviewed-by: Mahesh Kumar Reviewed-by: Matt Roper (cherry picked from commit 367d73d2806085bb507ab44c1f532640917fd5ca) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 6ab92afc95c9bd6877cb42e7b24f65be887a5440 Author: Imre Deak Date: Tue May 2 15:04:09 2017 +0300 drm/i915: Prevent the system suspend complete optimization Since commit bac2a909a096c9110525c18cbb8ce73c660d5f71 Author: Rafael J. 
Wysocki Date: Wed Jan 21 02:17:42 2015 +0100 PCI / PM: Avoid resuming PCI devices during system suspend PCI devices will default to allowing the system suspend complete optimization where devices are not woken up during system suspend if they were already runtime suspended. This however breaks the i915/HDA drivers for two reasons: - The i915 driver has system suspend specific steps that it needs to run, that bring the device to a different state than its runtime suspended state. - The HDA driver's suspend handler requires power that it will request from the i915 driver's power domain handler. This in turn requires the i915 driver to runtime resume itself, but this won't be possible if the suspend complete optimization is in effect: in this case the i915 runtime PM is disabled and trying to get an RPM reference returns -EACCESS. Solve this by requiring the PCI/PM core to resume the device during system suspend which in effect disables the suspend complete optimization. Regardless of the above commit the optimization stayed disabled for DRM devices until commit d14d2a8453d650bea32a1c5271af1458cd283a0f Author: Lukas Wunner Date: Wed Jun 8 12:49:29 2016 +0200 drm: Remove dev_pm_ops from drm_class so this patch is in practice a fix for this commit. Another reason for the bug staying hidden for so long is that the optimization for a device is disabled if it's disabled for any of its children devices. i915 may have a backlight device as its child which doesn't support runtime PM and so doesn't allow the optimization either. So if this backlight device got registered the bug stayed hidden. Credits to Marta, Tomi and David who enabled pstore logging, that caught one instance of this issue across a suspend/resume-to-ram and Ville who remembered that the optimization was enabled for some devices at one point.
The first WARN triggered by the problem:
v2: - Use the new pci_dev->needs_resume flag, to avoid any overhead during the ->pm_prepare hook. (Rafael) v3: - Update commit message to reference the actual regressing commit. (Lukas) v4: - Rebase on v4 of patch 1/2. Fixes: d14d2a8453d6 ("drm: Remove dev_pm_ops from drm_class") References: https://bugs.freedesktop.org/show_bug.cgi?id=100378 References: https://bugs.freedesktop.org/show_bug.cgi?id=100770 Cc: Rafael J. Wysocki Cc: Marta Lofstedt Cc: David Weinehall Cc: Tomi Sarvela Cc: Ville Syrjälä Cc: Mika Kuoppala Cc: Chris Wilson Cc: Takashi Iwai Cc: Bjorn Helgaas Cc: Lukas Wunner Cc: linux-pci@vger.kernel.org Cc: # v4.10.x: 4d071c3 - PCI/PM: Add needs_resume flag Cc: # v4.10.x Signed-off-by: Imre Deak Reviewed-by: Chris Wilson Reported-and-tested-by: Marta Lofstedt Link: http://patchwork.freedesktop.org/patch/msgid/1493726649-32094-2-git-send-email-imre.deak@intel.com (cherry picked from commit adfdf85d795f4d4f487b61ee0b169d64c6e19081) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit bd709898a50184de4fe418bf85486c5b1e002901 Author: Nagaraju, Vathsala Date: Thu May 25 22:13:29 2017 +0530 drm/i915/psr: disable psr2 for resolution greater than 32X20 psr1 is also disabled for panel resolution greater than 32X20. Added psr2 check to disable only for psr2 panels having resolution greater than 32X20.
issue was introduced by commit-id : "acf45d11050abd751dcec986ab121cb2367dcbba" commit message: "PSR2 is restricted to work with panel resolutions upto 3200x2000, move the check to intel_psr_match_conditions and fully block psr." v2: (Rodrigo) Add previous commit details which introduced the issue Fixes: acf45d11050a ("drm/i915/psr: disable psr2 for resolution greater than 32X20") Cc: Rodrigo Vivi Cc: Jim Bride Cc: Yaroslav Shabalin Reported-by: Yaroslav Shabalin Reviewed-by: Rodrigo Vivi Signed-off-by: vathsala nagaraju Signed-off-by: Rodrigo Vivi Link: http://patchwork.freedesktop.org/patch/msgid/49935bdff896ee3140bed471012b9f9110a863a4.1495729964.git.vathsala.nagaraju@intel.com (cherry picked from commit bef8c056fba09aa4629fe5a2d3efe64068d049db) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_psr.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit d9533f19d8401b7072da2d484a9514af0d473148 Author: Chris Wilson Date: Tue May 30 13:13:33 2017 +0100 drm/i915: Hold a wakeref for probing the ring registers Allow intel_engine_is_idle() to be called outside of the GT wakeref by acquiring the device runtime pm for ourselves. This allows the function to act as check after we assume the engine is idle and we release the GT wakeref held whilst we have requests. At the moment, we do not call it outside of an awake context but taking the wakeref as required makes it more convenient to use for quick debugging in future. 
Fixes: 5400367a864d ("drm/i915: Ensure the engine is idle before manually changing HWS") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Link: http://patchwork.freedesktop.org/patch/msgid/20170530121334.17364-2-chris@chris-wilson.co.uk Reviewed-by: Tvrtko Ursulin (cherry picked from commit a091d4ee931b16ce4fef945d39a20b851a7e17b7) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_engine_cs.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) commit e0da1963fe84ee86b59dc4b9ff1a69cb4e1275c7 Author: Chris Wilson Date: Tue May 30 13:13:32 2017 +0100 drm/i915: Short-circuit i915_gem_wait_for_idle() if already idle If the device is asleep (no GT wakeref), we know the GPU is already idle. If we add an early return, we can avoid touching registers and checking hw state outside of the assumed GT wakelock.
This prevents causing such errors whilst debugging: [ 2613.401647] RPM wakelock ref not held during HW access [ 2613.401684] ------------[ cut here ]------------ [ 2613.401720] WARNING: CPU: 5 PID: 7739 at drivers/gpu/drm/i915/intel_drv.h:1787 gen6_read32+0x21f/0x2b0 [i915] [ 2613.401731] Modules linked in: snd_hda_intel i915 vgem snd_hda_codec_hdmi x86_pkg_temp_thermal intel_powerclamp snd_hda_codec_realtek coretemp snd_hda_codec_generic crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec snd_hwdep snd_hda_core snd_pcm r8169 mii mei_me lpc_ich mei prime_numbers [last unloaded: i915] [ 2613.401823] CPU: 5 PID: 7739 Comm: drv_missed_irq Tainted: G U 4.12.0-rc2-CI-CI_DRM_421+ #1 [ 2613.401825] Hardware name: MSI MS-7924/Z97M-G43(MS-7924), BIOS V1.12 02/15/2016 [ 2613.401840] task: ffff880409e3a740 task.stack: ffffc900084dc000 [ 2613.401861] RIP: 0010:gen6_read32+0x21f/0x2b0 [i915] [ 2613.401863] RSP: 0018:ffffc900084dfce8 EFLAGS: 00010292 [ 2613.401869] RAX: 000000000000002a RBX: ffff8804016a8000 RCX: 0000000000000006 [ 2613.401871] RDX: 0000000000000006 RSI: ffffffff81cbf2d9 RDI: ffffffff81c9e3a7 [ 2613.401874] RBP: ffffc900084dfd18 R08: ffff880409e3afc8 R09: 0000000000000000 [ 2613.401877] R10: 000000008a1c483f R11: 0000000000000000 R12: 000000000000209c [ 2613.401879] R13: 0000000000000001 R14: ffff8804016a8000 R15: ffff8804016ac150 [ 2613.401882] FS: 00007f39ef3dd8c0(0000) GS:ffff88041fb40000(0000) knlGS:0000000000000000 [ 2613.401885] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2613.401887] CR2: 00000000023717c8 CR3: 00000002e7b34000 CR4: 00000000001406e0 [ 2613.401889] Call Trace: [ 2613.401912] intel_engine_is_idle+0x76/0x90 [i915] [ 2613.401931] i915_gem_wait_for_idle+0xe6/0x1e0 [i915] [ 2613.401951] fault_irq_set+0x40/0x90 [i915] [ 2613.401970] i915_ring_test_irq_set+0x42/0x50 [i915] [ 2613.401976] simple_attr_write+0xc7/0xe0 [ 2613.401981] full_proxy_write+0x4f/0x70 [ 2613.401987] __vfs_write+0x23/0x120 [ 2613.401992] ? 
rcu_read_lock_sched_held+0x75/0x80 [ 2613.401996] ? rcu_sync_lockdep_assert+0x2a/0x50 [ 2613.401999] ? __sb_start_write+0xfa/0x1f0 [ 2613.402004] vfs_write+0xc5/0x1d0 [ 2613.402008] ? trace_hardirqs_on_caller+0xe7/0x1c0 [ 2613.402013] SyS_write+0x44/0xb0 [ 2613.402020] entry_SYSCALL_64_fastpath+0x1c/0xb1 [ 2613.402022] RIP: 0033:0x7f39eded6670 [ 2613.402025] RSP: 002b:00007fffdcdcb1a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 2613.402030] RAX: ffffffffffffffda RBX: ffffffff81470203 RCX: 00007f39eded6670 [ 2613.402033] RDX: 0000000000000001 RSI: 000000000041bc33 RDI: 0000000000000006 [ 2613.402036] RBP: ffffc900084dff88 R08: 00007f39ef3dd8c0 R09: 0000000000000001 [ 2613.402038] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000041bc33 [ 2613.402041] R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000 [ 2613.402046] ? __this_cpu_preempt_check+0x13/0x20 [ 2613.402052] Code: 01 9b fa e0 0f ff e9 28 fe ff ff 80 3d 6a dd 0e 00 00 0f 85 29 fe ff ff 48 c7 c7 48 19 29 a0 c6 05 56 dd 0e 00 01 e8 da 9a fa e0 <0f> ff e9 0f fe ff ff b9 01 00 00 00 ba 01 00 00 00 44 89 e6 48 [ 2613.402199] ---[ end trace 31f0cfa93ab632bf ]--- Fixes: 25112b64b3d2 ("drm/i915: Wait for all engines to be idle as part of i915_gem_wait_for_idle()") Signed-off-by: Chris Wilson Cc: Joonas Lahtinen Cc: Tvrtko Ursulin Link: http://patchwork.freedesktop.org/patch/msgid/20170530121334.17364-1-chris@chris-wilson.co.uk Reviewed-by: Joonas Lahtinen (cherry picked from commit 863e9fde1a7061dad09bb299c65bed5f1ccb44ff) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem.c | 4 ++++ 1 file changed, 4 insertions(+) commit 4c4c565513cca1c53a12956640b5915727431631 Author: Kai Chen Date: Tue May 23 14:58:11 2017 -0700 drm/i915: Disable decoupled MMIO The decoupled MMIO feature doesn't work as intended by HW team. Enabling it with forcewake will only make debugging efforts more difficult, so let's disable it. 
Fixes: 85ee17ebeedd ("drm/i915/bxt: Broxton decoupled MMIO") Cc: Zhe Wang Cc: Praveen Paneri Cc: Tvrtko Ursulin Cc: Daniel Vetter Cc: Jani Nikula Cc: intel-gfx@lists.freedesktop.org Cc: # v4.10+ Signed-off-by: Kai Chen Reviewed-by: Tvrtko Ursulin Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20170523215812.18328-2-kai.chen@intel.com (cherry picked from commit 0051c10acabb631cfd439eae73289e6e4c39b2b7) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_pci.c | 1 - 1 file changed, 1 deletion(-) commit 4ca9a5821972b431cb94c6a1ac69a64aefe1c17d Author: Michal Wajdeczko Date: Thu May 18 11:31:02 2017 +0000 drm/i915/guc: Remove stale comment for q_fail This member was dropped long time ago. Fixes: 774439e1 ("drm/i915/guc: re-optimise i915_guc_client layout") Signed-off-by: Michal Wajdeczko Cc: Tvrtko Ursulin Link: http://patchwork.freedesktop.org/patch/msgid/20170518113104.54400-1-michal.wajdeczko@intel.com Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson (cherry picked from commit 4afc67be8e203ee8f5e95e829c0777eae7a14702) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_uc.h | 2 -- 1 file changed, 2 deletions(-) commit 1929e6610bddf0cc44f0859fc72d4016cba0c1fa Author: Thomas Hellstrom Date: Wed Jun 7 14:46:15 2017 +0200 drm/vmwgfx: Bump driver minor and date While the atomic modesetting capability is signaled also elsewhere, also reflect it by a driver minor bump. Signed-off-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f470a7740f8c7577df1db5923ec89d890cf32040 Author: Sinclair Yeh Date: Wed Jun 7 14:24:08 2017 +0200 drm/vmwgfx: Remove unused legacy cursor functions These function implementations and/or declarations are no longer used now that atomic is enabled. 
Signed-off-by: Sinclair Yeh Reported-by: Daniel Vetter Reviewed-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 114 ------------------------------------ drivers/gpu/drm/vmwgfx/vmwgfx_kms.h | 15 ----- 2 files changed, 129 deletions(-) commit a2e5a3e2f8cc48cc9ed10a919ae582ab0222da80 Author: Colin Ian King Date: Sat May 27 19:52:30 2017 +0100 drm/vmwgfx: fix spelling mistake "exeeds" -> "exceeds" Trivial fix to spelling mistake in DRM_ERROR error message. Signed-off-by: Colin Ian King Reviewed-by: Sinclair Yeh drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a1ac633912305168bf432c3d47979d43b16164f8 Author: Sinclair Yeh Date: Fri Jun 2 07:55:50 2017 +0200 drm/vmwgfx: Fix large topology crash The previous attempt at this had an issue with num_clips > 1 because it would always end up using the coordinates of the last clip while using width and height calculated from the bounding box of all the clips. So if the last clip happens to be not at the top-left corner of the bounding box, the CPU blit operation would go out of bounds. The original intent was to coalesce all the clips into one blit, and to do that we need to also track the starting point of the content buffer.
Signed-off-by: Sinclair Yeh Reviewed-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) commit 8a309c8a2d0619efe29ec652c163d6b89eff9f9f Author: Sinclair Yeh Date: Fri Jun 2 07:53:27 2017 +0200 drm/vmwgfx: Make sure to update STDU when FB is updated When a new FB is bound, we have to send an update command otherwise the new FB may not be shown Signed-off-by: Sinclair Yeh Reviewed-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 5 +++++ 1 file changed, 5 insertions(+) commit 07678eca2cf9c9a18584e546c2b2a0d0c9a3150c Author: Sinclair Yeh Date: Fri Jun 2 07:50:57 2017 +0200 drm/vmwgfx: Make sure backup_handle is always valid When vmw_gb_surface_define_ioctl() is called with an existing buffer, we end up returning an uninitialized variable in the backup_handle. The fix is to first initialize backup_handle to 0 just to be sure, and second, when a user-provided buffer is found, we will use the req->buffer_handle as the backup_handle. Cc: Reported-by: Murray McAllister Signed-off-by: Sinclair Yeh Reviewed-by: Deepak Rawat drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) commit f0c62e9878024300319ba2438adc7b06c6b9c448 Author: Dan Carpenter Date: Thu Apr 27 12:12:08 2017 +0300 drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve() If vmalloc() fails then we need to do a bit of cleanup before returning. Cc: Fixes: fb1d9738ca05 ("drm/vmwgfx: Add DRM driver for VMware Virtual GPU") Signed-off-by: Dan Carpenter Reviewed-by: Sinclair Yeh drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c | 2 ++ 1 file changed, 2 insertions(+) commit bbd5fefeea59412af4b4a325c2743f53a1d6c417 Author: Sinclair Yeh Date: Fri Jun 2 07:44:53 2017 +0200 drm/vmwgfx: Don't create proxy surface for cursor With atomic, the cursor surface is treated like a FB. Creating a proxy surface for cursor doesn't gain us much benefit.
This fixes the issue on atomic enabled 2D VMs where the cursor disappears. Signed-off-by: Sinclair Yeh Reviewed-by: Thomas Hellstrom drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 1 + 1 file changed, 1 insertion(+) commit ee9c4e681ec4f58e42a83cb0c22a0289ade1aacf Author: Vladis Dronov Date: Fri Jun 2 07:42:09 2017 +0200 drm/vmwgfx: limit the number of mip levels in vmw_gb_surface_define_ioctl() The 'req->mip_levels' parameter in vmw_gb_surface_define_ioctl() is a user-controlled 'uint32_t' value which is used as a loop count limit. This can lead to a kernel lockup and DoS. Add check for 'req->mip_levels'. References: https://bugzilla.redhat.com/show_bug.cgi?id=1437431 Cc: Signed-off-by: Vladis Dronov Reviewed-by: Sinclair Yeh drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 3 +++ 1 file changed, 3 insertions(+) commit d86b18a06cf361e12ccdf61ae240d432182d8d6b Author: Jon Bloomfield Date: Wed May 24 08:54:11 2017 -0700 drm/i915: Serialize GTT/Aperture accesses on BXT BXT has a H/W issue with IOMMU which can lead to system hangs when Aperture accesses are queued within the GAM behind GTT Accesses. This patch avoids the condition by wrapping all GTT updates in stop_machine and using a flushing read prior to restarting the machine. The stop_machine guarantees no new Aperture accesses can begin while the PTE writes are being emitted. The flushing read ensures that any following Aperture accesses cannot begin until the PTE writes have been cleared out of the GAM's fifo. Only FOLLOWING Aperture accesses need to be separated from in flight PTE updates. PTE Writes may follow tightly behind already in flight Aperture accesses, so no flushing read is required at the start of a PTE update sequence. This issue was reproduced by running igt/gem_readwrite and igt/gem_render_copy simultaneously from different processes, each in a tight loop, with INTEL_IOMMU enabled.
This patch was originally published as: drm/i915: Serialize GTT Updates on BXT [Note: This will cause a performance penalty for some use cases, but avoiding hangs trumps performance hits. This may need to be worked around in Mesa to recover the lost performance.] v2: Move bxt/iommu detection into static function Remove #ifdef CONFIG_INTEL_IOMMU protection Make function names more reflective of purpose Move flushing read into static function v3: Tidy up for checkpatch.pl Testcase: igt/gem_concurrent_blit Signed-off-by: Jon Bloomfield Cc: John Harrison Cc: Chris Wilson Cc: Daniel Vetter Cc: Tvrtko Ursulin Cc: stable@vger.kernel.org Link: http://patchwork.freedesktop.org/patch/msgid/1495641251-30022-1-git-send-email-jon.bloomfield@intel.com Reviewed-by: Tvrtko Ursulin Signed-off-by: Chris Wilson (cherry picked from commit 0ef34ad6222abfa513117515fec720c33a58f105) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.h | 10 ++++ drivers/gpu/drm/i915/i915_gem_gtt.c | 103 ++++++++++++++++++++++++++++++++++++ 2 files changed, 113 insertions(+) commit 753c09b5652bb4fe53e2db648002ec64b32b8827 Author: Julien Grall Date: Wed May 31 14:03:57 2017 +0100 xen/privcmd: Support correctly 64KB page granularity when mapping memory Commit 5995a68 "xen/privcmd: Add support for Linux 64KB page granularity" did not go far enough to support 64KB in mmap_batch_fn. The variable 'nr' is the number of 4KB chunk to map. However, when Linux is using 64KB page granularity the array of pages (vma->vm_private_data) contain one page per 64KB. Fix it by incrementing st->index correctly. Furthermore, st->va is not correctly incremented as PAGE_SIZE != XEN_PAGE_SIZE. 
Fixes: 5995a68 ("xen/privcmd: Add support for Linux 64KB page granularity") CC: stable@vger.kernel.org Reported-by: Feng Kan Signed-off-by: Julien Grall Reviewed-by: Boris Ostrovsky Signed-off-by: Juergen Gross drivers/xen/privcmd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 9947d6a09cd71937dade2fc14640e4843ae19802 Author: Kai-Heng Feng Date: Wed Jun 7 15:25:43 2017 +0800 nvme: relax APST default max latency to 100ms Christoph Hellwig suggests we should make APST work out of the box. Hence relax the default max latency to make them able to enter deepest power state on default. Here are id-ctrl excerpts from two high latency NVMes: vid : 0x14a4 ssvid : 0x1b4b mn : CX2-GB1024-Q11 NVMe LITEON 1024GB ps 3 : mp:0.1000W non-operational enlat:5000 exlat:5000 rrt:3 rrl:3 rwt:3 rwl:3 idle_power:- active_power:- ps 4 : mp:0.0100W non-operational enlat:50000 exlat:100000 rrt:4 rrl:4 rwt:4 rwl:4 idle_power:- active_power:- vid : 0x15b7 ssvid : 0x1b4b mn : A400 NVMe SanDisk 512GB ps 3 : mp:0.0500W non-operational enlat:51000 exlat:10000 rrt:0 rrl:0 rwt:0 rwl:0 idle_power:- active_power:- ps 4 : mp:0.0055W non-operational enlat:1000000 exlat:100000 rrt:0 rrl:0 rwt:0 rwl:0 idle_power:- active_power:- Signed-off-by: Kai-Heng Feng Signed-off-by: Christoph Hellwig drivers/nvme/host/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit da87591bea92204fcb921bac927666eb7141908e Author: Kai-Heng Feng Date: Wed Jun 7 15:25:42 2017 +0800 nvme: only consider exit latency when choosing useful non-op power states When a NVMe is in non-op states, the latency is exlat. The latency will be enlat + exlat only when the NVMe tries to transit from operational state right after it begins to transit to non-operational state, which should be a rare case. Therefore, as Andy Lutomirski suggests, use exlat only when deciding power states to transit to.
Signed-off-by: Kai-Heng Feng Signed-off-by: Christoph Hellwig drivers/nvme/host/core.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit 24b7f0592f738a1127c72dbf5b72a83997dd6997 Author: James Smart Date: Mon Jun 5 15:03:42 2017 -0700 nvme-fc: fix missing put reference on controller create failure The failure case, of a create controller request, called nvme_uninit_ctrl() but didn't do a put to allow the nvme controller to be deleted. Signed-off-by: James Smart Signed-off-by: Christoph Hellwig drivers/nvme/host/fc.c | 1 + 1 file changed, 1 insertion(+) commit f874d5d079ec35158fa1a1509554c9d641bd5770 Author: James Smart Date: Thu Jun 1 22:54:21 2017 -0700 nvme-fc: on lldd/transport io error, terminate association Per FC-NVME, when lldd or transport detects an i/o error, the connection must be terminated, which in turn requires the association to be terminated. Currently the transport simply creates a nvme completion status of transport error and returns the io. The FC-NVME spec makes the mandate as initiator and host, depending on the error, can get out of sync on outstanding io counts (sqhd/sqtail). Implement the association teardown on lldd or transport detected errors. Signed-off-by: James Smart Signed-off-by: Christoph Hellwig Reviewed-by: Sagi Grimberg drivers/nvme/host/fc.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) commit e818a5b487fea20494b0e48548c1085634abdc0d Author: Sagi Grimberg Date: Mon Jun 5 20:35:56 2017 +0300 nvme-rdma: fast fail incoming requests while we reconnect When we encounter transport/controller errors, error recovery kicks in which performs: 1. stops io/admin queues 2. moves transport queues out of LIVE state 3. fast fail pending io 4. schedule periodic reconnects. But we also need to fast fail incoming IO that enters after we already scheduled.
Given that our queue is not LIVE anymore, simply restart the request queues to fail in .queue_rq Reported-by: Alex Turin Reported-by: shahar.salzman Signed-off-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Cc: stable@vger.kernel.org drivers/nvme/host/rdma.c | 44 +++++++++++++++++++++++++++++--------------- 1 file changed, 29 insertions(+), 15 deletions(-) commit 82b057caefaff2a891f821a617d939f46e03e844 Author: Rakesh Pandit Date: Mon Jun 5 14:43:11 2017 +0300 nvme-pci: fix multiple ctrl removal scheduling Commit c5f6ce97c1210 tries to address multiple resets but fails as work_busy doesn't involve any synchronization and can fail. This is reproducible easily as can be seen by WARNING below which is triggered with line: WARN_ON(dev->ctrl.state == NVME_CTRL_RESETTING) Allowing multiple resets can result in multiple controller removal as well if different conditions inside nvme_reset_work fail and which might deadlock on device_release_driver. [ 480.327007] WARNING: CPU: 3 PID: 150 at drivers/nvme/host/pci.c:1900 nvme_reset_work+0x36c/0xec0 [ 480.327008] Modules linked in: rfcomm fuse nf_conntrack_netbios_ns nf_conntrack_broadcast... [ 480.327044] btusb videobuf2_core ghash_clmulni_intel snd_hwdep cfg80211 acer_wmi hci_uart.. 
[ 480.327065] CPU: 3 PID: 150 Comm: kworker/u16:2 Not tainted 4.12.0-rc1+ #13 [ 480.327065] Hardware name: Acer Predator G9-591/Mustang_SLS, BIOS V1.10 03/03/2016 [ 480.327066] Workqueue: nvme nvme_reset_work [ 480.327067] task: ffff880498ad8000 task.stack: ffffc90002218000 [ 480.327068] RIP: 0010:nvme_reset_work+0x36c/0xec0 [ 480.327069] RSP: 0018:ffffc9000221bdb8 EFLAGS: 00010246 [ 480.327070] RAX: 0000000000460000 RBX: ffff880498a98128 RCX: dead000000000200 [ 480.327070] RDX: 0000000000000001 RSI: ffff8804b1028020 RDI: ffff880498a98128 [ 480.327071] RBP: ffffc9000221be50 R08: 0000000000000000 R09: 0000000000000000 [ 480.327071] R10: ffffc90001963ce8 R11: 000000000000020d R12: ffff880498a98000 [ 480.327072] R13: ffff880498a53500 R14: ffff880498a98130 R15: ffff880498a98128 [ 480.327072] FS: 0000000000000000(0000) GS:ffff8804c1cc0000(0000) knlGS:0000000000000000 [ 480.327073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 480.327074] CR2: 00007ffcf3c37f78 CR3: 0000000001e09000 CR4: 00000000003406e0 [ 480.327074] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 480.327075] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 480.327075] Call Trace: [ 480.327079] ? __switch_to+0x227/0x400 [ 480.327081] process_one_work+0x18c/0x3a0 [ 480.327082] worker_thread+0x4e/0x3b0 [ 480.327084] kthread+0x109/0x140 [ 480.327085] ? process_one_work+0x3a0/0x3a0 [ 480.327087] ? kthread_park+0x60/0x60 [ 480.327102] ret_from_fork+0x2c/0x40 [ 480.327103] Code: e8 5a dc ff ff 85 c0 41 89 c1 0f..... This patch addresses the problem by using state of controller to decide whether reset should be queued or not as state change is synchronized using controller spinlock. Also cancel_work_sync is used to make sure remove cancels the reset_work and waits for it to finish. This patch also changes return value from -ENODEV to more appropriate -EBUSY if nvme_reset fails to change state.
Fixes: c5f6ce97c1210 ("nvme: don't schedule multiple resets") Signed-off-by: Rakesh Pandit Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig drivers/nvme/host/pci.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) commit 82654b6b8ef8b93ee87a97fc562f87f081fc2f91 Author: Ming Lei Date: Fri Jun 2 16:32:08 2017 +0800 nvme: fix hang in remove path We need to start admin queues too in nvme_kill_queues() for avoiding hang in remove path[1]. This patch is very similar with 806f026f9b901eaf(nvme: use blk_mq_start_hw_queues() in nvme_kill_queues()). [1] hang stack trace [] blk_execute_rq+0x56/0x80 [] __nvme_submit_sync_cmd+0x89/0xf0 [] nvme_set_features+0x5e/0x90 [] nvme_configure_apst+0x166/0x200 [] nvme_set_latency_tolerance+0x35/0x50 [] apply_constraint+0xb1/0xc0 [] dev_pm_qos_constraints_destroy+0xf4/0x1f0 [] dpm_sysfs_remove+0x2a/0x60 [] device_del+0x101/0x320 [] device_unregister+0x1a/0x60 [] device_destroy+0x3c/0x50 [] nvme_uninit_ctrl+0x45/0xa0 [] nvme_remove+0x78/0x110 [] pci_device_remove+0x39/0xb0 [] device_release_driver_internal+0x155/0x210 [] device_release_driver+0x12/0x20 [] nvme_remove_dead_ctrl_work+0x6b/0x70 [] process_one_work+0x18c/0x3a0 [] worker_thread+0x4e/0x3b0 [] kthread+0x109/0x140 [] ret_from_fork+0x2c/0x40 [] 0xffffffffffffffff Fixes: c5552fde102fc("nvme: Enable autonomous power state transitions") Reported-by: Rakesh Pandit Tested-by: Rakesh Pandit Reviewed-by: Sagi Grimberg Signed-off-by: Ming Lei Signed-off-by: Christoph Hellwig drivers/nvme/host/core.c | 4 ++++ 1 file changed, 4 insertions(+) commit ba3021b2c79b2fa9114f92790a99deb27a65b728 Author: Takashi Iwai Date: Fri Jun 2 17:26:56 2017 +0200 ALSA: timer: Fix missing queue indices reset at SNDRV_TIMER_IOCTL_SELECT snd_timer_user_tselect() reallocates the queue buffer dynamically, but it forgot to reset its indices. 
Since the read may happen concurrently with ioctl and snd_timer_user_tselect() allocates the buffer via kmalloc(), this may lead to the leak of uninitialized kernel-space data, as spotted via KMSAN: BUG: KMSAN: use of unitialized memory in snd_timer_user_read+0x6c4/0xa10 CPU: 0 PID: 1037 Comm: probe Not tainted 4.11.0-rc5+ #2739 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 dump_stack+0x143/0x1b0 lib/dump_stack.c:52 kmsan_report+0x12a/0x180 mm/kmsan/kmsan.c:1007 kmsan_check_memory+0xc2/0x140 mm/kmsan/kmsan.c:1086 copy_to_user ./arch/x86/include/asm/uaccess.h:725 snd_timer_user_read+0x6c4/0xa10 sound/core/timer.c:2004 do_loop_readv_writev fs/read_write.c:716 __do_readv_writev+0x94c/0x1380 fs/read_write.c:864 do_readv_writev fs/read_write.c:894 vfs_readv fs/read_write.c:908 do_readv+0x52a/0x5d0 fs/read_write.c:934 SYSC_readv+0xb6/0xd0 fs/read_write.c:1021 SyS_readv+0x87/0xb0 fs/read_write.c:1018 This patch adds the missing reset of queue indices. Together with the previous fix for the ioctl/read race, we cover the whole problem. Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 1 + 1 file changed, 1 insertion(+) commit d11662f4f798b50d8c8743f433842c3e40fe3378 Author: Takashi Iwai Date: Fri Jun 2 15:03:38 2017 +0200 ALSA: timer: Fix race between read and ioctl The read from ALSA timer device, the function snd_timer_user_tread(), may access to an uninitialized struct snd_timer_user fields when the read is concurrently performed while the ioctl like snd_timer_user_tselect() is invoked. We have already fixed the races among ioctls via a mutex, but we seem to have forgotten the race between read vs ioctl. This patch simply applies (more exactly extends the already applied range of) tu->ioctl_lock in snd_timer_user_tread() for closing the race window. 
Reported-by: Alexander Potapenko Tested-by: Alexander Potapenko Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit b81f884a547b5c264c13fdfaa3b65cf994bf1dcf Author: Hangbin Liu Date: Thu Jun 1 14:57:56 2017 +0800 xfrm: fix xfrm_dev_event() missing when compile without CONFIG_XFRM_OFFLOAD In commit d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") we make xfrm_device.o only compiled when enable option CONFIG_XFRM_OFFLOAD. But this will make xfrm_dev_event() missing if we only enable default XFRM options. Then if we set down and unregister an interface with IPsec on it, there will be no xfrm_garbage_collect(), which will cause dev usage count hold and get error like: unregister_netdevice: waiting for to become free. Usage count = 4 Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API") Signed-off-by: Hangbin Liu Signed-off-by: Steffen Klassert include/net/xfrm.h | 7 ++----- net/xfrm/Makefile | 3 +-- net/xfrm/xfrm_device.c | 2 ++ 3 files changed, 5 insertions(+), 7 deletions(-) commit 151d1d752bb681f29898c68c966f6e17b446456c Author: Alexander Sverdlin Date: Mon May 22 15:30:21 2017 +0200 MAINTAINERS: EP93XX: Update maintainership As agreed with Ryan, change the maintainership. Signed-off-by: Alexander Sverdlin Acked-by: Ryan Mallon Acked-by: H Hartley Sweeten Signed-off-by: Olof Johansson MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f3b7eaae1b35eb8077610eb7c7db042c9b0645e1 Author: Rafael J. Wysocki Date: Wed Jun 7 00:57:37 2017 +0200 Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" Revert commit eed4d47efe95 (ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle) as it turned out to be premature and triggered a number of different issues on various systems. That includes, but is not limited to, premature suspend-to-RAM aborts on Dell XPS 13 (9343) reported by Dominik.
The issue the commit in question attempted to address is real and will need to be taken care of going forward, but evidently more work is needed for this purpose. Reported-by: Dominik Brodowski Signed-off-by: Rafael J. Wysocki drivers/acpi/battery.c | 2 +- drivers/acpi/button.c | 5 ++--- drivers/acpi/device_pm.c | 3 +-- drivers/acpi/sleep.c | 28 ---------------------------- drivers/base/power/main.c | 5 +++++ drivers/base/power/wakeup.c | 18 ++++++------------ include/linux/suspend.h | 7 ++----- kernel/power/process.c | 2 +- kernel/power/suspend.c | 29 ++++------------------------- 9 files changed, 22 insertions(+), 77 deletions(-) commit b29794ec95c6856b316c2295904208bf11ffddd9 Merge: e87f327 1d3028f Author: Linus Torvalds Date: Tue Jun 6 14:30:17 2017 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Made TCP congestion control documentation match current reality, from Anmol Sarma. 2) Various build warning and failure fixes from Arnd Bergmann. 3) Fix SKB list leak in ipv6_gso_segment(). 4) Use after free in ravb driver, from Eugeniu Rosca. 5) Don't use udp_poll() in ping protocol driver, from Eric Dumazet. 6) Don't crash in PCI error recovery of cxgb4 driver, from Guilherme Piccoli. 7) _SRC_NAT_DONE_BIT needs to be cleared using atomics, from Liping Zhang. 8) Use after free in vxlan deletion, from Mark Bloch. 9) Fix ordering of NAPI poll enabled in ethoc driver, from Max Filippov. 10) Fix stmmac hangs with TSO, from Niklas Cassel. 11) Fix crash in CALIPSO ipv6, from Richard Haines. 12) Clear nh_flags properly on mpls link up. From Roopa Prabhu. 13) Fix regression in sk_err socket error queue handling, noticed by ping applications. From Soheil Hassas Yeganeh. 14) Update mlx4/mlx5 MAINTAINERS information. 
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (78 commits) net: stmmac: fix a broken u32 less than zero check net: stmmac: fix completely hung TX when using TSO net: ethoc: enable NAPI before poll may be scheduled net: bridge: fix a null pointer dereference in br_afspec ravb: Fix use-after-free on `ifconfig eth0 down` net/ipv6: Fix CALIPSO causing GPF with datagram support net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value Revert "sit: reload iphdr in ipip6_rcv" i40e/i40evf: proper update of the page_offset field i40e: Fix state flags for bit set and clean operations of PF iwlwifi: fix host command memory leaks iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265 iwlwifi: mvm: clear new beacon command template struct iwlwifi: mvm: don't fail when removing a key from an inexisting sta iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3 iwlwifi: mvm: fix firmware debug restart recording iwlwifi: tt: move ucode_loaded check under mutex iwlwifi: mvm: support ibss in dqa mode iwlwifi: mvm: Fix command queue number on d0i3 flow iwlwifi: mvm: rs: start using LQ command color ... commit e87f327ecd166e6cf0205e4e9b8003ec535add51 Merge: abb2ea7 b3aefc2 Author: Linus Torvalds Date: Tue Jun 6 14:28:18 2017 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc Pull sparc fixes from David Miller: 1) Fix TLB context wrap races, from Pavel Tatashin. 2) Cure some gcc-7 build issues. 3) Handle invalid setup_hugepagesz command line values properly, from Liam R Howlett. 4) Copy TSB using the correct address shift for the huge TSB, from Mike Kravetz. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc64: delete old wrap code sparc64: new context wrap sparc64: add per-cpu mm of secondary contexts sparc64: redefine first version sparc64: combine activate_mm and switch_mm sparc64: reset mm cpumask after wrap sparc/mm/hugepages: Fix setup_hugepagesz for invalid values. 
sparc: Machine description indices can vary sparc64: mm: fix copy_tsb to correctly copy huge page TSBs arch/sparc: support NR_CPUS = 4096 sparc64: Add __multi3 for gcc 7.x and later. sparc64: Fix build warnings with gcc 7. arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5 commit abb2ea7dfd82451d85ce669b811310c05ab5ca46 Author: David Rientjes Date: Tue Jun 6 13:36:24 2017 -0700 compiler, clang: suppress warning for unused static inline functions GCC explicitly does not warn for unused static inline functions for -Wunused-function. The manual states: Warn whenever a static function is declared but not defined or a non-inline static function is unused. Clang does warn for static inline functions that are unused. It turns out that suppressing the warnings avoids potentially complex #ifdef directives, which also reduces LOC. Suppress the warning for clang. Signed-off-by: David Rientjes Signed-off-by: Linus Torvalds include/linux/compiler-clang.h | 7 +++++++ 1 file changed, 7 insertions(+) commit b3aefc2fbdff2576d0c5aca09b963c40f0299664 Merge: f322980 0197e41 Author: David S. Miller Date: Tue Jun 6 13:45:48 2017 -0700 Merge branch 'sparc64-context-wrap-fixes' Pavel Tatashin says: ==================== sparc64: context wrap fixes This patch series contains fixes for context wrap: when we are out of context ids, and need to get a new version. It fixes memory corruption issues which happen when more than number of context ids (currently set to 8K) number of processes are started simultaneously, and processes can get a wrong context. sparc64: new context wrap: - contains explanation of new wrap method, and also explanation of races that it solves sparc64: reset mm cpumask after wrap - explains issue of not resetting cpu mask on a wrap ==================== Signed-off-by: David S.
Miller commit 0197e41ce70511dc3b71f7fefa1a676e2b5cd60b Author: Pavel Tatashin Date: Wed May 31 11:25:25 2017 -0400 sparc64: delete old wrap code The old method that is using xcall and softint to get new context id is deleted, as it is replaced by a method of using per_cpu_secondary_mm without xcall to perform the context wrap. Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. Miller arch/sparc/include/asm/mmu_context_64.h | 6 ------ arch/sparc/include/asm/pil.h | 1 - arch/sparc/kernel/kernel.h | 1 - arch/sparc/kernel/smp_64.c | 31 ------------------------------- arch/sparc/kernel/ttable_64.S | 2 +- arch/sparc/mm/ultra.S | 5 ----- 6 files changed, 1 insertion(+), 45 deletions(-) commit a0582f26ec9dfd5360ea2f35dd9a1b026f8adda0 Author: Pavel Tatashin Date: Wed May 31 11:25:24 2017 -0400 sparc64: new context wrap The current wrap implementation has a race issue: it is called outside of the ctx_alloc_lock, and also does not wait for all CPUs to complete the wrap. This means that a thread can get a new context with a new version and another thread might still be running with the same context. The problem is especially severe on CPUs with shared TLBs, like sun4v. I used the following test to very quickly reproduce the problem: - start over 8K processes (must be more than context IDs) - write and read values at a memory location in every process. Very quickly memory corruptions start happening, and what we read back does not equal what we wrote. Several approaches were explored before settling on this one: Approach 1: Move smp_new_mmu_context_version() inside ctx_alloc_lock, and wait for every process to complete the wrap. (Note: every CPU must WAIT before leaving smp_new_mmu_context_version_client() until every one arrives). This approach ends up with deadlocks, as some threads own locks which other threads are waiting for, and they never receive softint until these threads exit smp_new_mmu_context_version_client(). 
Since we do not allow the exit, deadlock happens. Approach 2: Handle wrap right during mondo interrupt. Use etrap/rtrap to enter into C code, and issue new versions to every CPU. This approach adds some overhead to runtime: in switch_mm() we must add some checks to make sure that versions have not changed due to wrap while we were loading the new secondary context. (could be protected by PSTATE_IE but that degrades performance as on M7 and older CPUs as it takes 50 cycles for each access). Also, we still need a global per-cpu array of MMs to know where we need to load new contexts, otherwise we can change context to a thread that is going way (if we received mondo between switch_mm() and switch_to() time). Finally, there are some issues with window registers in rtrap() when context IDs are changed during CPU mondo time. The approach in this patch is the simplest and has almost no impact on runtime. We use the array with mm's where last secondary contexts were loaded onto CPUs and bump their versions to the new generation without changing context IDs. If a new process comes in to get a context ID, it will go through get_new_mmu_context() because of version mismatch. But the running processes do not need to be interrupted. And wrap is quicker as we do not need to xcall and wait for everyone to receive and complete wrap. Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. Miller arch/sparc/mm/init_64.c | 81 ++++++++++++++++++++++++++++++++----------------- 1 file changed, 54 insertions(+), 27 deletions(-) commit 7a5b4bbf49fe86ce77488a70c5dccfe2d50d7a2d Author: Pavel Tatashin Date: Wed May 31 11:25:23 2017 -0400 sparc64: add per-cpu mm of secondary contexts The new wrap is going to use information from this array to figure out mm's that currently have valid secondary contexts setup. Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. 
Miller arch/sparc/include/asm/mmu_context_64.h | 5 +++-- arch/sparc/mm/init_64.c | 1 + 2 files changed, 4 insertions(+), 2 deletions(-) commit c4415235b2be0cc791572e8e7f7466ab8f73a2bf Author: Pavel Tatashin Date: Wed May 31 11:25:22 2017 -0400 sparc64: redefine first version CTX_FIRST_VERSION defines the first context version, but also it defines first context. This patch redefines it to only include the first context version. Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. Miller arch/sparc/include/asm/mmu_64.h | 2 +- arch/sparc/mm/init_64.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) commit 14d0334c6748ff2aedb3f2f7fdc51ee90a9b54e7 Author: Pavel Tatashin Date: Wed May 31 11:25:21 2017 -0400 sparc64: combine activate_mm and switch_mm The only difference between these two functions is that in activate_mm we unconditionally flush context. However, there is no need to keep this difference after fixing a bug where cpumask was not reset on a wrap. So, in this patch we combine these. Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. Miller arch/sparc/include/asm/mmu_context_64.h | 21 +-------------------- 1 file changed, 1 insertion(+), 20 deletions(-) commit 588974857359861891f478a070b1dc7ae04a3880 Author: Pavel Tatashin Date: Wed May 31 11:25:20 2017 -0400 sparc64: reset mm cpumask after wrap After a wrap (getting a new context version) a process must get a new context id, which means that we would need to flush the context id from the TLB before running for the first time with this ID on every CPU. But, we use mm_cpumask to determine if this process has been running on this CPU before, and this mask is not reset after a wrap. So, there are two possible fixes for this issue: 1. Clear mm cpumask whenever mm gets a new context id 2. 
Unconditionally flush context every time process is running on a CPU This patch implements the first solution Signed-off-by: Pavel Tatashin Reviewed-by: Bob Picco Reviewed-by: Steven Sistare Signed-off-by: David S. Miller arch/sparc/mm/init_64.c | 2 ++ 1 file changed, 2 insertions(+) commit f322980b74a15e08f8c70a34a5864ecdbf957251 Author: Liam R. Howlett Date: Tue May 30 15:45:00 2017 -0400 sparc/mm/hugepages: Fix setup_hugepagesz for invalid values. hugetlb_bad_size needs to be called on invalid values. Also change the pr_warn to a pr_err to better align with other platforms. Signed-off-by: Liam R. Howlett Signed-off-by: David S. Miller arch/sparc/mm/init_64.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c982aa9c304bf0b9a7522fd118fed4afa5a0263c Author: James Clarke Date: Mon May 29 20:17:56 2017 +0100 sparc: Machine description indices can vary VIO devices were being looked up by their index in the machine description node block, but this often varies over time as devices are added and removed. Instead, store the ID and look up using the type, config handle and ID. Signed-off-by: James Clarke Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112541 Signed-off-by: David S. Miller arch/sparc/include/asm/vio.h | 1 + arch/sparc/kernel/vio.c | 68 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 65 insertions(+), 4 deletions(-) commit 654f4807624a657f364417c2a7454f0df9961734 Author: Mike Kravetz Date: Fri Jun 2 14:51:12 2017 -0700 sparc64: mm: fix copy_tsb to correctly copy huge page TSBs When a TSB grows beyond its current capacity, a new TSB is allocated and copy_tsb is called to copy entries from the old TSB to the new. A hash shift based on page size is used to calculate the index of an entry in the TSB. copy_tsb has hard coded PAGE_SHIFT in these calculations. However, for huge page TSBs the value REAL_HPAGE_SHIFT should be used. 
As a result, when copy_tsb is called for a huge page TSB the entries are placed at the incorrect index in the newly allocated TSB. When doing hardware table walk, the MMU does not match these entries and we end up in the TSB miss handling code. This code will then create and write an entry to the correct index in the TSB. We take a performance hit for the table walk miss and recreation of these entries. Pass a new parameter to copy_tsb that is the page size shift to be used when copying the TSB. Suggested-by: Anthony Yznaga Signed-off-by: Mike Kravetz Signed-off-by: David S. Miller arch/sparc/kernel/tsb.S | 11 +++++++---- arch/sparc/mm/tsb.c | 7 +++++-- 2 files changed, 12 insertions(+), 6 deletions(-) commit c79a13734d104b5b147d7cb0870276ccdd660dae Author: Jane Chu Date: Tue Jun 6 14:32:29 2017 -0600 arch/sparc: support NR_CPUS = 4096 Linux SPARC64 limits NR_CPUS to 4064 because init_cpu_send_mondo_info() only allocates a single page for NR_CPUS mondo entries. Thus we cannot use all 4096 CPUs on some SPARC platforms. To fix, allocate (2^order) pages where order is set according to the size of cpu_list for possible cpus. Since cpu_list_pa and cpu_mondo_block_pa are not used in asm code, there are no imm13 offsets from the base PA that will break because they can only reach one page. Orabug: 25505750 Signed-off-by: Jane Chu Reviewed-by: Bob Picco Reviewed-by: Atish Patra Signed-off-by: David S. Miller arch/sparc/Kconfig | 4 ++-- arch/sparc/kernel/irq_64.c | 17 +++++++++++++---- 2 files changed, 15 insertions(+), 6 deletions(-) commit 1d3028f4c16487d63861ab6c68451768a7a109df Author: Colin Ian King Date: Tue Jun 6 14:10:49 2017 +0100 net: stmmac: fix a broken u32 less than zero check The check that queue is less or equal to zero is always true because queue is a u32; queue is decremented and will wrap around and never go -ve. Fix this by making queue an int. 
Detected by CoverityScan, CID#1428988 ("Unsigned compared against 0") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 426849e6611f2092553f8d53372ae310818a6292 Author: Niklas Cassel Date: Tue Jun 6 09:25:00 2017 +0200 net: stmmac: fix completely hung TX when using TSO stmmac_tso_allocator can fail to set the Last Descriptor bit on a descriptor that actually was the last descriptor. This happens when the buffer of the last descriptor ends up having a size of exactly TSO_MAX_BUFF_SIZE. When the IP eventually reaches the next last descriptor, which actually has the bit set, the DMA will hang. When the DMA hangs, we get a tx timeout, however, since stmmac does not do a complete reset of the IP in stmmac_tx_timeout, we end up in a state with completely hung TX. Signed-off-by: Niklas Cassel Acked-by: Giuseppe Cavallaro Acked-by: Alexandre TORGUE Signed-off-by: David S. Miller drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d220b942a4b6a0640aee78841608f4aa5e8e185e Author: Max Filippov Date: Mon Jun 5 18:31:16 2017 -0700 net: ethoc: enable NAPI before poll may be scheduled ethoc_reset enables device interrupts, ethoc_interrupt may schedule a NAPI poll before NAPI is enabled in the ethoc_open, which results in device being unable to send or receive anything until it's closed and reopened. In case the device is flooded with ingress packets it may be unable to recover at all. Move napi_enable above ethoc_reset in the ethoc_open to fix that. Fixes: a1702857724f ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.") Signed-off-by: Max Filippov Reviewed-by: Tobias Klauser Reviewed-by: Florian Fainelli Signed-off-by: David S. 
Miller drivers/net/ethernet/ethoc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 33b5c38852b29736f3b472dd095c9a18ec22746f Author: Marc Zyngier Date: Tue Jun 6 19:08:35 2017 +0100 arm: KVM: Allow unaligned accesses at HYP We currently have the HSCTLR.A bit set, trapping unaligned accesses at HYP, but we're not really prepared to deal with it. Since the rest of the kernel is pretty happy about that, let's follow its example and set HSCTLR.A to zero. Modern CPUs don't really care. Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm/kvm/init.S | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 78fd6dcf11468a5a131b8365580d0c613bcc02cb Author: Marc Zyngier Date: Tue Jun 6 19:08:34 2017 +0100 arm64: KVM: Allow unaligned accesses at EL2 We currently have the SCTLR_EL2.A bit set, trapping unaligned accesses at EL2, but we're not really prepared to deal with it. So far, this has been unnoticed, until GCC 7 started emitting those (in particular 64bit writes on a 32bit boundary). Since the rest of the kernel is pretty happy about that, let's follow its example and set SCTLR_EL2.A to zero. Modern CPUs don't really care. Cc: stable@vger.kernel.org Reported-by: Alexander Graf Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm64/kvm/hyp-init.S | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit d68c1f7fd1b7148dab5fe658321d511998969f2d Author: Marc Zyngier Date: Tue Jun 6 19:08:33 2017 +0100 arm64: KVM: Preserve RES1 bits in SCTLR_EL2 __do_hyp_init has the rather bad habit of ignoring RES1 bits and writing them back as zero. On a v8.0-8.2 CPU, this doesn't do anything bad, but may end-up being pretty nasty on future revisions of the architecture. Let's preserve those bits so that we don't have to fix this later on. 
Cc: stable@vger.kernel.org Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm64/include/asm/sysreg.h | 4 ++++ arch/arm64/kvm/hyp-init.S | 10 ++++++---- 2 files changed, 10 insertions(+), 4 deletions(-) commit 1020ce3108cc26fbf09d70550ea2937cb1a211d2 Author: Nikolay Aleksandrov Date: Tue Jun 6 01:26:24 2017 +0300 net: bridge: fix a null pointer dereference in br_afspec We might call br_afspec() with p == NULL which is a valid use case if the action is on the bridge device itself, but the bridge tunnel code dereferences the p pointer without checking, so check if p is null first. Reported-by: Gustavo A. R. Silva Fixes: efa5356b0d97 ("bridge: per vlan dst_metadata netlink support") Signed-off-by: Nikolay Aleksandrov Acked-by: Roopa Prabhu Signed-off-by: David S. Miller net/bridge/br_netlink.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 79514ef670e9e575a1fe36922268c439d0f0ca8a Author: Eugeniu Rosca Date: Tue Jun 6 00:08:10 2017 +0200 ravb: Fix use-after-free on `ifconfig eth0 down` Commit a47b70ea86bd ("ravb: unmap descriptors when freeing rings") has introduced the issue seen in [1] reproduced on H3ULCB board. Fix this by relocating the RX skb ringbuffer free operation, so that swiotlb page unmapping can be done first. Freeing of aligned TX buffers is not relevant to the issue seen in [1]. Still, reposition TX free calls as well, to have all kfree() operations performed consistently _after_ dma_unmap_*()/dma_free_*(). 
[1] Console screenshot with the problem reproduced: salvator-x login: root root@salvator-x:~# ifconfig eth0 up Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \ attached PHY driver [Micrel KSZ9031 Gigabit PHY] \ (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235) IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready root@salvator-x:~# root@salvator-x:~# ifconfig eth0 down ================================================================== BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649 CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb07287d1 #32 Hardware name: Renesas H3ULCB board based on r8a7795 (DT) Call trace: [] dump_backtrace+0x0/0x3a4 [] show_stack+0x14/0x1c [] dump_stack+0xf8/0x150 [] print_address_description+0x7c/0x330 [] kasan_report+0x2e0/0x2f4 [] check_memory_region+0x20/0x14c [] memcpy+0x48/0x68 [] swiotlb_tbl_unmap_single+0xc4/0x35c [] unmap_single+0x90/0xa4 [] swiotlb_unmap_page+0xc/0x14 [] __swiotlb_unmap_page+0xcc/0xe4 [] ravb_ring_free+0x514/0x870 [] ravb_close+0x288/0x36c [] __dev_close_many+0x14c/0x174 [] __dev_close+0xc8/0x144 [] __dev_change_flags+0xd8/0x194 [] dev_change_flags+0x60/0xb0 [] devinet_ioctl+0x484/0x9d4 [] inet_ioctl+0x190/0x194 [] sock_do_ioctl+0x78/0xa8 [] sock_ioctl+0x110/0x3c4 [] vfs_ioctl+0x90/0xa0 [] do_vfs_ioctl+0x148/0xc38 [] SyS_ioctl+0x44/0x74 [] el0_svc_naked+0x24/0x28 The buggy address belongs to the page: page:ffff7e001b6213c0 count:0 mapcount:0 mapping: (null) index:0x0 flags: 0x4000000000000000() raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff 
ff ff ff ff ff ff ^ ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Disabling lock debugging due to kernel taint root@salvator-x:~# Fixes: a47b70ea86bd ("ravb: unmap descriptors when freeing rings") Signed-off-by: Eugeniu Rosca Acked-by: Sergei Shtylyov Signed-off-by: David S. Miller drivers/net/ethernet/renesas/ravb_main.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) commit e3ebdb20fddacded2740a333ff66781e0d28b05c Author: Richard Haines Date: Mon Jun 5 16:44:40 2017 +0100 net/ipv6: Fix CALIPSO causing GPF with datagram support When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the IP header may have moved. Also update the payload length after adding the CALIPSO option. Signed-off-by: Richard Haines Acked-by: Paul Moore Signed-off-by: Huw Davies Signed-off-by: David S. Miller net/ipv6/calipso.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 594238158bf748c285f0a73222cd9b7ccf3c525d Author: Colin Ian King Date: Mon Jun 5 10:04:52 2017 +0100 net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value The current comparison of entry < 0 will never be true since entry is an unsigned integer. Make entry an int to ensure -ve error return values from the call to jumbo_frm are correctly being caught. Detected by CoverityScan, CID#1238760 ("Macro compares unsigned to 0") Signed-off-by: Colin Ian King Signed-off-by: David S. 
Miller drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit dd8038ec56c18680ddddf948247f53d427054f45 Merge: 4eab0ea 7327a94 Author: Takashi Iwai Date: Tue Jun 6 20:03:46 2017 +0200 Merge tag 'asoc-fix-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v4.12 This is the usual collection of device specific fixes, all accumulated since the merge window, plus one fix from Takashi for a nasty use after free bug that bit some things with deferred probe and an update to the maintainer address for the former Wolfson parts. commit 9bd2bbc01d17ddd567cc0f81f77fe1163e497462 Author: Eric Biggers Date: Fri Jun 2 20:35:51 2017 -0700 elevator: fix truncation of icq_cache_name gcc 7.1 reports the following warning: block/elevator.c: In function ‘elv_register’: block/elevator.c:898:5: warning: ‘snprintf’ output may be truncated before the last format character [-Wformat-truncation=] "%s_io_cq", e->elevator_name); ^~~~~~~~~~ block/elevator.c:897:3: note: ‘snprintf’ output between 7 and 22 bytes into a destination of size 21 snprintf(e->icq_cache_name, sizeof(e->icq_cache_name), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "%s_io_cq", e->elevator_name); ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ The bug is that the name of the icq_cache is 6 characters longer than the elevator name, but only ELV_NAME_MAX + 5 characters were reserved for it --- so in the case of a maximum-length elevator name, the 'q' character in "_io_cq" would be truncated by snprintf(). Fix it by reserving ELV_NAME_MAX + 6 characters instead. Signed-off-by: Eric Biggers Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe include/linux/elevator.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7b868fed00f6c72d3e0270bcb057b4f26c09e809 Merge: 80971df dc89481 Author: David S. 
Miller Date: Tue Jun 6 12:53:20 2017 -0400 Merge tag 'wireless-drivers-for-davem-2017-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.12 It has been a slow start of cycle and this is the first set of fixes for 4.12. Nothing really major here. wcn36xx * fix an issue with module reload brcmfmac * fix alignment regression on 64 bit systems iwlwifi * fixes for memory leaks, runtime PM, memory initialisation and other smaller problems * fix IBSS on devices using DQA mode (7260 and up) * fix the minimum firmware API requirement for 7265D, 3168, 8000 and 8265 ==================== Signed-off-by: David S. Miller commit 84c6c3035b1de00271362a9550389c605c7d28a0 Merge: ba7b238 963761a Author: Linus Torvalds Date: Tue Jun 6 09:37:44 2017 -0700 Merge tag 'media/v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: "Some bug fixes: - Don't fail build if atomisp has warnings - Some CEC Kconfig changes to allow it to be used by DRM without media dependencies - A race fix at RC initialization code - A driver fix at rainshadow-cec IMHO, the one that affects most people in this series is a build fix: if you try to build the Kernel with W=1 or using gcc7 and all[yes|mod]config, build will fail due to -Werror at atomisp makefiles" * tag 'media/v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: [media] rc-core: race condition during ir_raw_event_register() [media] cec: drop MEDIA_CEC_DEBUG [media] cec: rename MEDIA_CEC_NOTIFIER to CEC_NOTIFIER [media] cec: select CEC_CORE instead of depend on it [media] rainshadow-cec: ensure exit_loop is intialized [media] atomisp: don't treat warnings as errors commit 80971dfbf047c25b4160f708711fed7e3b28c372 Merge: f4eb17e 2aae918 Author: David S. 
Miller Date: Tue Jun 6 12:12:57 2017 -0400 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates 2017-06-06 This series contains fixes to i40e and i40evf only. Mauro S. M. Rodrigues fixes a flood in the kernel log which was introduced in a previous commit because of a mistaken substitution of __I40E_VSI_DOWN instead of __I40E_DOWN when testing the state of the PF. Björn Töpel fixes an issue introduced in a previous commit where the offset was incorrect and could lead to data corruption for architectures using PAGE_SIZE larger than 8191. Fixed the issue by updating the page_offset correctly using the proper setting for truesize. ==================== Signed-off-by: David S. Miller commit d964f04a8fde84d978eff0d96561faa6e8de24de Author: Ming Lei Date: Tue Jun 6 23:22:00 2017 +0800 blk-mq: fix direct issue If queue is stopped, we shouldn't dispatch request into driver and hardware, unfortunately the check is removed in bd166ef183c2(blk-mq-sched: add framework for MQ capable IO schedulers). This patch fixes the issue by moving the check back into __blk_mq_try_issue_directly(). This patch fixes request use-after-free[1][2] during canceling requests of NVMe in nvme_dev_disable(), which can be triggered easily during NVMe reset & remove test. 
[1] oops kernel log when CONFIG_BLK_DEV_INTEGRITY is on [ 103.412969] BUG: unable to handle kernel NULL pointer dereference at 000000000000000a [ 103.412980] IP: bio_integrity_advance+0x48/0xf0 [ 103.412981] PGD 275a88067 [ 103.412981] P4D 275a88067 [ 103.412982] PUD 276c43067 [ 103.412983] PMD 0 [ 103.412984] [ 103.412986] Oops: 0000 [#1] SMP [ 103.412989] Modules linked in: vfat fat intel_rapl sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd cryptd ipmi_ssif iTCO_wdt iTCO_vendor_support mxm_wmi glue_helper dcdbas ipmi_si mei_me pcspkr mei sg ipmi_devintf lpc_ich ipmi_msghandler shpchp acpi_power_meter wmi nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel nvme ahci nvme_core libahci libata tg3 i2c_core megaraid_sas ptp pps_core dm_mirror dm_region_hash dm_log dm_mod [ 103.413035] CPU: 0 PID: 102 Comm: kworker/0:2 Not tainted 4.11.0+ #1 [ 103.413036] Hardware name: Dell Inc. 
PowerEdge R730xd/072T6D, BIOS 2.2.5 09/06/2016 [ 103.413041] Workqueue: events nvme_remove_dead_ctrl_work [nvme] [ 103.413043] task: ffff9cc8775c8000 task.stack: ffffc033c252c000 [ 103.413045] RIP: 0010:bio_integrity_advance+0x48/0xf0 [ 103.413046] RSP: 0018:ffffc033c252fc10 EFLAGS: 00010202 [ 103.413048] RAX: 0000000000000000 RBX: ffff9cc8720a8cc0 RCX: ffff9cca72958240 [ 103.413049] RDX: ffff9cca72958000 RSI: 0000000000000008 RDI: ffff9cc872537f00 [ 103.413049] RBP: ffffc033c252fc28 R08: 0000000000000000 R09: ffffffffb963a0d5 [ 103.413050] R10: 000000000000063e R11: 0000000000000000 R12: ffff9cc8720a8d18 [ 103.413051] R13: 0000000000001000 R14: ffff9cc872682e00 R15: 00000000fffffffb [ 103.413053] FS: 0000000000000000(0000) GS:ffff9cc877c00000(0000) knlGS:0000000000000000 [ 103.413054] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 103.413055] CR2: 000000000000000a CR3: 0000000276c41000 CR4: 00000000001406f0 [ 103.413056] Call Trace: [ 103.413063] bio_advance+0x2a/0xe0 [ 103.413067] blk_update_request+0x76/0x330 [ 103.413072] blk_mq_end_request+0x1a/0x70 [ 103.413074] blk_mq_dispatch_rq_list+0x370/0x410 [ 103.413076] ? blk_mq_flush_busy_ctxs+0x94/0xe0 [ 103.413080] blk_mq_sched_dispatch_requests+0x173/0x1a0 [ 103.413083] __blk_mq_run_hw_queue+0x8e/0xa0 [ 103.413085] __blk_mq_delay_run_hw_queue+0x9d/0xa0 [ 103.413088] blk_mq_start_hw_queue+0x17/0x20 [ 103.413090] blk_mq_start_hw_queues+0x32/0x50 [ 103.413095] nvme_kill_queues+0x54/0x80 [nvme_core] [ 103.413097] nvme_remove_dead_ctrl_work+0x1f/0x40 [nvme] [ 103.413103] process_one_work+0x149/0x360 [ 103.413105] worker_thread+0x4d/0x3c0 [ 103.413109] kthread+0x109/0x140 [ 103.413111] ? rescuer_thread+0x380/0x380 [ 103.413113] ? 
kthread_park+0x60/0x60 [ 103.413120] ret_from_fork+0x2c/0x40 [ 103.413121] Code: 08 4c 8b 63 50 48 8b 80 80 00 00 00 48 8b 90 d0 03 00 00 31 c0 48 83 ba 40 02 00 00 00 48 8d 8a 40 02 00 00 48 0f 45 c1 c1 ee 09 <0f> b6 48 0a 0f b6 40 09 41 89 f5 83 e9 09 41 d3 ed 44 0f af e8 [ 103.413145] RIP: bio_integrity_advance+0x48/0xf0 RSP: ffffc033c252fc10 [ 103.413146] CR2: 000000000000000a [ 103.413157] ---[ end trace cd6875d16eb5a11e ]--- [ 103.455368] Kernel panic - not syncing: Fatal exception [ 103.459826] Kernel Offset: 0x37600000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 103.850916] ---[ end Kernel panic - not syncing: Fatal exception [ 103.857637] sched: Unexpected reschedule of offline CPU#1! [ 103.863762] ------------[ cut here ]------------ [2] kernel hang in blk_mq_freeze_queue_wait() when CONFIG_BLK_DEV_INTEGRITY is off [ 247.129825] INFO: task nvme-test:1772 blocked for more than 120 seconds. [ 247.137311] Not tainted 4.12.0-rc2.upstream+ #4 [ 247.142954] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 247.151704] Call Trace: [ 247.154445] __schedule+0x28a/0x880 [ 247.158341] schedule+0x36/0x80 [ 247.161850] blk_mq_freeze_queue_wait+0x4b/0xb0 [ 247.166913] ? 
remove_wait_queue+0x60/0x60 [ 247.171485] blk_freeze_queue+0x1a/0x20 [ 247.175770] blk_cleanup_queue+0x7f/0x140 [ 247.180252] nvme_ns_remove+0xa3/0xb0 [nvme_core] [ 247.185503] nvme_remove_namespaces+0x32/0x50 [nvme_core] [ 247.191532] nvme_uninit_ctrl+0x2d/0xa0 [nvme_core] [ 247.196977] nvme_remove+0x70/0x110 [nvme] [ 247.201545] pci_device_remove+0x39/0xc0 [ 247.205927] device_release_driver_internal+0x141/0x200 [ 247.211761] device_release_driver+0x12/0x20 [ 247.216531] pci_stop_bus_device+0x8c/0xa0 [ 247.221104] pci_stop_and_remove_bus_device_locked+0x1a/0x30 [ 247.227420] remove_store+0x7c/0x90 [ 247.231320] dev_attr_store+0x18/0x30 [ 247.235409] sysfs_kf_write+0x3a/0x50 [ 247.239497] kernfs_fop_write+0xff/0x180 [ 247.243867] __vfs_write+0x37/0x160 [ 247.247757] ? selinux_file_permission+0xe5/0x120 [ 247.253011] ? security_file_permission+0x3b/0xc0 [ 247.258260] vfs_write+0xb2/0x1b0 [ 247.261964] ? syscall_trace_enter+0x1d0/0x2b0 [ 247.266924] SyS_write+0x55/0xc0 [ 247.270540] do_syscall_64+0x67/0x150 [ 247.274636] entry_SYSCALL64_slow_path+0x25/0x25 [ 247.279794] RIP: 0033:0x7f5c96740840 [ 247.283785] RSP: 002b:00007ffd00e87ee8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 247.292238] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007f5c96740840 [ 247.300194] RDX: 0000000000000002 RSI: 00007f5c97060000 RDI: 0000000000000001 [ 247.308159] RBP: 00007f5c97060000 R08: 000000000000000a R09: 00007f5c97059740 [ 247.316123] R10: 0000000000000001 R11: 0000000000000246 R12: 00007f5c96a14400 [ 247.324087] R13: 0000000000000002 R14: 0000000000000001 R15: 0000000000000000 [ 370.016340] INFO: task nvme-test:1772 blocked for more than 120 seconds. 
Fixes: 12d70958a2e8(blk-mq: don't fail allocating driver tag for stopped hw queue) Cc: stable@vger.kernel.org Signed-off-by: Ming Lei Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe block/blk-mq.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) commit dad7a3be4960e5545882a0cd8d7613af22874314 Author: Ming Lei Date: Tue Jun 6 23:21:59 2017 +0800 blk-mq: pass correct hctx to blk_mq_try_issue_directly When direct issue is done on request picked up from plug list, the hctx needs to be updated with the actual hw queue, otherwise wrong hctx is used and may hurt performance, especially when wrong SRCU readlock is acquired/released Reported-by: Bart Van Assche Signed-off-by: Ming Lei Signed-off-by: Jens Axboe block/blk-mq.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit f4eb17e1efe538d4da7d574bedb00a8dafcc26b7 Author: David S. Miller Date: Tue Jun 6 11:34:06 2017 -0400 Revert "sit: reload iphdr in ipip6_rcv" This reverts commit b699d0035836f6712917a41e7ae58d84359b8ff9. As per Eric Dumazet, the pskb_may_pull() is a NOP in this particular case, so the 'iph' reload is unnecessary. Signed-off-by: David S. Miller net/ipv6/sit.c | 1 - 1 file changed, 1 deletion(-) commit 9ba26a7283f56100eb08a2df48f17da600f60d52 Author: Cao jin Date: Tue Jun 6 17:07:53 2017 +0800 Kbuild: tiny correction on `make help` The help info of `make C=1` is a little confusing, make it clear. Signed-off-by: Cao jin Signed-off-by: Masahiro Yamada Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b2cc3c8071bee6e3defa54b701671d310cb94f3c Author: John Stultz Date: Tue May 23 09:40:26 2017 -0700 drm: kirin: Fix drm_of_find_panel_or_bridge conversion This fixes a regression introduced by ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge") that was recently merged, causing HDMI output to not work. 
For the kirin driver, the port value should be 1 instead of 0, so this oneline patch fixes it and gets graphics working again. 
Cc: Rob Herring Cc: Archit Taneja Cc: Philipp Zabel Cc: Maxime Ripard Cc: Sean Paul Cc: Dave Airlie Cc: Xinliang Liu Fix-suggested-by: Rob Herring Signed-off-by: John Stultz Reviewed-by: Xinliang Liu Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1495557626-25285-1-git-send-email-john.stultz@linaro.org drivers/gpu/drm/hisilicon/kirin/dw_drm_dsi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 26f4b1f7a8da3eaa6c32e12f87c9f5388196dc67 Author: Gilad Ben-Yossef Date: Tue Jun 6 11:00:45 2017 +0300 staging: ccree: fix buffer copy Fix a bug where the copying of scatterlist buffers incorrectly ignored bytes to skip in a scatterlist and ended 1 byte short. This fixes testmgr hmac and hash test failures currently obscured by hash import/export not being supported. Fixes: abefd6741d ("staging: ccree: introduce CryptoCell HW driver"). Signed-off-by: Gilad Ben-Yossef Signed-off-by: Greg Kroah-Hartman drivers/staging/ccree/ssi_buffer_mgr.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit d6dbdd3c8558cad3b6d74cc357b408622d122331 Author: Marc Zyngier Date: Mon Jun 5 19:17:18 2017 +0100 KVM: arm/arm64: Handle possible NULL stage2 pud when ageing pages Under memory pressure, we start ageing pages, which amounts to parsing the page tables. Since we don't want to allocate any extra level, we pass NULL for our private allocation cache. Which means that stage2_get_pud() is allowed to fail. 
This results in the following splat: [ 1520.409577] Unable to handle kernel NULL pointer dereference at virtual address 00000008 [ 1520.417741] pgd = ffff810f52fef000 [ 1520.421201] [00000008] *pgd=0000010f636c5003, *pud=0000010f56f48003, *pmd=0000000000000000 [ 1520.429546] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 1520.435156] Modules linked in: [ 1520.438246] CPU: 15 PID: 53550 Comm: qemu-system-aar Tainted: G W 4.12.0-rc4-00027-g1885c397eaec #7205 [ 1520.448705] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB12A 10/26/2016 [ 1520.463726] task: ffff800ac5fb4e00 task.stack: ffff800ce04e0000 [ 1520.469666] PC is at stage2_get_pmd+0x34/0x110 [ 1520.474119] LR is at kvm_age_hva_handler+0x44/0xf0 [ 1520.478917] pc : [] lr : [] pstate: 40000145 [ 1520.486325] sp : ffff800ce04e33d0 [ 1520.489644] x29: ffff800ce04e33d0 x28: 0000000ffff40064 [ 1520.494967] x27: 0000ffff27e00000 x26: 0000000000000000 [ 1520.500289] x25: ffff81051ba65008 x24: 0000ffff40065000 [ 1520.505618] x23: 0000ffff40064000 x22: 0000000000000000 [ 1520.510947] x21: ffff810f52b20000 x20: 0000000000000000 [ 1520.516274] x19: 0000000058264000 x18: 0000000000000000 [ 1520.521603] x17: 0000ffffa6fe7438 x16: ffff000008278b70 [ 1520.526940] x15: 000028ccd8000000 x14: 0000000000000008 [ 1520.532264] x13: ffff7e0018298000 x12: 0000000000000002 [ 1520.537582] x11: ffff000009241b93 x10: 0000000000000940 [ 1520.542908] x9 : ffff0000092ef800 x8 : 0000000000000200 [ 1520.548229] x7 : ffff800ce04e36a8 x6 : 0000000000000000 [ 1520.553552] x5 : 0000000000000001 x4 : 0000000000000000 [ 1520.558873] x3 : 0000000000000000 x2 : 0000000000000008 [ 1520.571696] x1 : ffff000008fd5000 x0 : ffff0000080b149c [ 1520.577039] Process qemu-system-aar (pid: 53550, stack limit = 0xffff800ce04e0000) [...] 
[ 1521.510735] [] stage2_get_pmd+0x34/0x110
[ 1521.516221] [] kvm_age_hva_handler+0x44/0xf0
[ 1521.522054] [] handle_hva_to_gpa+0xb8/0xe8
[ 1521.527716] [] kvm_age_hva+0x44/0xf0
[ 1521.532854] [] kvm_mmu_notifier_clear_flush_young+0x70/0xc0
[ 1521.539992] [] __mmu_notifier_clear_flush_young+0x88/0xd0
[ 1521.546958] [] page_referenced_one+0xf0/0x188
[ 1521.552881] [] rmap_walk_anon+0xec/0x250
[ 1521.558370] [] rmap_walk+0x78/0xa0
[ 1521.563337] [] page_referenced+0x164/0x180
[ 1521.569002] [] shrink_active_list+0x178/0x3b8
[ 1521.574922] [] shrink_node_memcg+0x328/0x600
[ 1521.580758] [] shrink_node+0xc4/0x328
[ 1521.585986] [] do_try_to_free_pages+0xc0/0x340
[ 1521.592000] [] try_to_free_pages+0xcc/0x240
[...]

The trivial fix is to handle this NULL pud value early, rather than dereferencing it blindly.

Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier
Reviewed-by: Christoffer Dall
Signed-off-by: Christoffer Dall

virt/kvm/arm/mmu.c | 3 +++
1 file changed, 3 insertions(+)

commit d4912215d1031e4fb3d1038d2e1857218dba0d0a
Author: Wanpeng Li
Date: Mon Jun 5 05:19:09 2017 -0700

KVM: nVMX: Fix exception injection

WARNING: CPU: 3 PID: 2840 at arch/x86/kvm/vmx.c:10966 nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
CPU: 3 PID: 2840 Comm: qemu-system-x86 Tainted: G OE 4.12.0-rc3+ #23
RIP: 0010:nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
Call Trace:
 ? kvm_check_async_pf_completion+0xef/0x120 [kvm]
 ? rcu_read_lock_sched_held+0x79/0x80
 vmx_queue_exception+0x104/0x160 [kvm_intel]
 ? vmx_queue_exception+0x104/0x160 [kvm_intel]
 kvm_arch_vcpu_ioctl_run+0x1171/0x1ce0 [kvm]
 ? kvm_arch_vcpu_load+0x47/0x240 [kvm]
 ? kvm_arch_vcpu_load+0x62/0x240 [kvm]
 kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
 ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
 ? __fget+0xf3/0x210
 do_vfs_ioctl+0xa4/0x700
 ? __fget+0x114/0x210
 SyS_ioctl+0x79/0x90
 do_syscall_64+0x81/0x220
 entry_SYSCALL64_slow_path+0x25/0x25

This is triggered occasionally by running both win7 and win2016 in L2, in addition, EPT is disabled on both L1 and L2.
It can't be reproduced easily.

Commit 0b6ac343fc (KVM: nVMX: Correct handling of exception injection) mentioned that "KVM wants to inject page-faults which it got to the guest. This function assumes it is called with the exit reason in vmcs02 being a #PF exception".

Commit e011c663 (KVM: nVMX: Check all exceptions for intercept during delivery to L2) allows to check all exceptions for intercept during delivery to L2. However, there is no guarantee the exit reason is exception currently, when there is an external interrupt occurred on host, maybe a time interrupt for host which should not be injected to guest, and somewhere queues an exception, then the function nested_vmx_check_exception() will be called and the vmexit emulation codes will try to emulate the "Acknowledge interrupt on exit" behavior, the warning is triggered.

Reusing the exit reason from the L2->L0 vmexit is wrong in this case, the reason must always be EXCEPTION_NMI when injecting an exception into L1 as a nested vmexit.

Cc: Paolo Bonzini
Cc: Radim Krčmář
Signed-off-by: Wanpeng Li
Fixes: e011c663b9c7 ("KVM: nVMX: Check all exceptions for intercept during delivery to L2")
Signed-off-by: Radim Krčmář

arch/x86/kvm/vmx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 3db28271f0feae129262d30e41384a7c4c767987
Author: Sebastian Parschauer
Date: Tue Jun 6 13:53:13 2017 +0200

HID: Add quirk for Dell PIXART OEM mouse

This mouse is also known under other IDs. It needs the quirk ALWAYS_POLL or will disconnect in runlevel 1 or 3.

Signed-off-by: Sebastian Parschauer
CC: stable@vger.kernel.org
Signed-off-by: Jiri Kosina

drivers/hid/hid-ids.h | 3 +++
drivers/hid/usbhid/hid-quirks.c | 1 +
2 files changed, 4 insertions(+)

commit bbaf0e2b1c1b4f88abd6ef49576f0efb1734eae5
Author: Paolo Bonzini
Date: Wed Apr 26 16:56:26 2017 +0200

kvm: async_pf: fix rcu_irq_enter() with irqs enabled

native_safe_halt enables interrupts, and you just shouldn't call rcu_irq_enter() with interrupts enabled.
Reorder the call with the following local_irq_disable() to respect the invariant.

Reported-by: Ross Zwisler
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini
Acked-by: Paul E. McKenney
Tested-by: Wanpeng Li
Signed-off-by: Radim Krčmář

arch/x86/kernel/kvm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 0e3e97526a850f97c9fe8b646937b3a2bef58290
Author: Felipe Balbi
Date: Tue Jun 6 14:47:29 2017 +0300

usb: gadget: composite: make sure to reactivate function on unbind

If a function sets bind_deactivated flag, upon removal we will be left with an unbalanced deactivation. Let's make sure that we conditionally call usb_function_activate() from usb_remove_function() and make sure usb_remove_function() is called from remove_config().

Signed-off-by: Felipe Balbi

drivers/usb/gadget/composite.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)

commit 8c218578fcbbbdb10416c8614658bf32e3bf1655
Author: Madhavan Srinivasan
Date: Fri May 26 13:38:27 2017 +0530

powerpc/perf: Fix Power9 test_adder fields

Commit 8d911904f3ce4 ('powerpc/perf: Add restrictions to PMC5 in power9 DD1') was added to restrict the use of PMC5 in Power9 DD1. Intention was to disable the use of PMC5 using raw event code. But instead of updating the power9_isa207_pmu structure (used on DD1), the commit incorrectly updated the power9_pmu structure. Fix it.

Fixes: 8d911904f3ce ("powerpc/perf: Add restrictions to PMC5 in power9 DD1")
Reported-by: Shriya
Signed-off-by: Madhavan Srinivasan
Tested-by: Shriya
Signed-off-by: Michael Ellerman

arch/powerpc/perf/power9-pmu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit ba4a648f12f4cd0a8003dd229b6ca8a53348ee4b
Author: Michael Ellerman
Date: Tue Jun 6 20:23:57 2017 +1000

powerpc/numa: Fix percpu allocations to be NUMA aware

In commit 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID"), we switched to the generic implementation of cpu_to_node(), which uses a percpu variable to hold the NUMA node for each CPU.
Unfortunately we neglected to notice that we use cpu_to_node() in the allocation of our percpu areas, leading to a chicken and egg problem. In practice what happens is when we are setting up the percpu areas, cpu_to_node() reports that all CPUs are on node 0, so we allocate all percpu areas on node 0.

This is visible in the dmesg output, as all pcpu allocs being in group 0:

pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
pcpu-alloc: [0] 24 25 26 27 [0] 28 29 30 31
pcpu-alloc: [0] 32 33 34 35 [0] 36 37 38 39
pcpu-alloc: [0] 40 41 42 43 [0] 44 45 46 47

To fix it we need an early_cpu_to_node() which can run prior to percpu being setup. We already have the numa_cpu_lookup_table we can use, so just plumb it in. With the patch dmesg output shows two groups, 0 and 1:

pcpu-alloc: [0] 00 01 02 03 [0] 04 05 06 07
pcpu-alloc: [0] 08 09 10 11 [0] 12 13 14 15
pcpu-alloc: [0] 16 17 18 19 [0] 20 21 22 23
pcpu-alloc: [1] 24 25 26 27 [1] 28 29 30 31
pcpu-alloc: [1] 32 33 34 35 [1] 36 37 38 39
pcpu-alloc: [1] 40 41 42 43 [1] 44 45 46 47

We can also check the data_offset in the paca of various CPUs, with the fix we see:

CPU 0: data_offset = 0x0ffe8b0000
CPU 24: data_offset = 0x1ffe5b0000

And we can see from dmesg that CPU 24 has an allocation on node 1:

node 0: [mem 0x0000000000000000-0x0000000fffffffff]
node 1: [mem 0x0000001000000000-0x0000001fffffffff]

Cc: stable@vger.kernel.org # v3.16+
Fixes: 8c272261194d ("powerpc/numa: Enable USE_PERCPU_NUMA_NODE_ID")
Signed-off-by: Michael Ellerman
Reviewed-by: Nicholas Piggin
Signed-off-by: Michael Ellerman

arch/powerpc/include/asm/topology.h | 14 ++++++++++++++
arch/powerpc/kernel/setup_64.c | 4 ++--
2 files changed, 16 insertions(+), 2 deletions(-)

commit 4eab0ea196f569ed2085a0fa3729f60eb8edaad1
Author: Takashi Iwai
Date: Tue Jun 6 12:33:17 2017 +0200

ALSA: hda/realtek - Reorder ALC269 ASUS quirk entries

A disorder is found in some ALC269 quirk entries for
ASUS (1043:xxxx), which should have been sorted in PCI SSID order. Rearrange them, so that I won't overlook the already existing entry like I did a couple of times in the past...

Signed-off-by: Takashi Iwai

sound/pci/hda/patch_realtek.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

commit 28e8af8a163ed6afe9498f1d499a5061c2214755
Author: Chris Chiu
Date: Mon Jun 5 15:05:30 2017 -0600

ALSA: hda/realtek: Fix mic and headset jack sense on Asus X705UD

The ASUS X705UD laptop requires the known fixup ALC256_FIXUP_ASUS_MIC in order to fix headphone jack sensing and to enable use of the internal microphone.

Unfortunately jack sensing for the headset mic is still not working.

[rearranged the position to keep the PCI SSID order -- tiwai]

Signed-off-by: Chris Chiu
Signed-off-by: Daniel Drake
Signed-off-by: Takashi Iwai

sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)

commit f8c627fbabbe9ed6ae68dcfefb7519bd153a7ac0
Author: Sean Young
Date: Tue May 16 04:56:14 2017 -0300

[media] sir_ir: infinite loop in interrupt handler

Since this driver does no detection of hardware, it might be used with a non-sir port. Escape out if we are spinning.
Reported-by: kbuild test robot
Signed-off-by: Sean Young
Signed-off-by: Mauro Carvalho Chehab

drivers/media/rc/sir_ir.c | 6 ++++++
1 file changed, 6 insertions(+)

commit ae8eb443a17331a07579bc04817accaaaa62b78e
Author: Arnd Bergmann
Date: Fri May 12 16:39:21 2017 -0300

[media] cec-notifier.h: handle unreachable CONFIG_CEC_CORE

Fix a link error in this specific combination of config options:

CONFIG_MEDIA_CEC_SUPPORT=y
CONFIG_CEC_CORE=m
CONFIG_MEDIA_CEC_NOTIFIER=y
CONFIG_VIDEO_STI_HDMI_CEC=m
CONFIG_DRM_STI=y

drivers/gpu/drm/sti/sti_hdmi.o: In function `sti_hdmi_remove':
sti_hdmi.c:(.text.sti_hdmi_remove+0x10): undefined reference to `cec_notifier_set_phys_addr'
sti_hdmi.c:(.text.sti_hdmi_remove+0x34): undefined reference to `cec_notifier_put'
drivers/gpu/drm/sti/sti_hdmi.o: In function `sti_hdmi_connector_get_modes':
sti_hdmi.c:(.text.sti_hdmi_connector_get_modes+0x4a): undefined reference to `cec_notifier_set_phys_addr_from_edid'
drivers/gpu/drm/sti/sti_hdmi.o: In function `sti_hdmi_probe':
sti_hdmi.c:(.text.sti_hdmi_probe+0x204): undefined reference to `cec_notifier_get'
drivers/gpu/drm/sti/sti_hdmi.o: In function `sti_hdmi_connector_detect':
sti_hdmi.c:(.text.sti_hdmi_connector_detect+0x36): undefined reference to `cec_notifier_set_phys_addr'
drivers/gpu/drm/sti/sti_hdmi.o: In function `sti_hdmi_disable':
sti_hdmi.c:(.text.sti_hdmi_disable+0xc0): undefined reference to `cec_notifier_set_phys_addr'

The version below seems to work, though I don't particularly like the IS_REACHABLE() addition since that can be confusing to users.
Signed-off-by: Arnd Bergmann
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab

include/media/cec-notifier.h | 10 ++++++++++
1 file changed, 10 insertions(+)

commit 2302e5591a4ad2d66107c75b6be170121bff5ccd
Author: Arnd Bergmann
Date: Fri Apr 21 07:52:17 2017 -0300

[media] cec: improve MEDIA_CEC_RC dependencies

Changing the IS_REACHABLE() into a plain #ifdef broke the case of CONFIG_MEDIA_RC=m && CONFIG_MEDIA_CEC=y:

drivers/media/cec/cec-core.o: In function `cec_unregister_adapter':
cec-core.c:(.text.cec_unregister_adapter+0x18): undefined reference to `rc_unregister_device'
drivers/media/cec/cec-core.o: In function `cec_delete_adapter':
cec-core.c:(.text.cec_delete_adapter+0x54): undefined reference to `rc_free_device'
drivers/media/cec/cec-core.o: In function `cec_register_adapter':
cec-core.c:(.text.cec_register_adapter+0x94): undefined reference to `rc_register_device'
cec-core.c:(.text.cec_register_adapter+0xa4): undefined reference to `rc_free_device'
cec-core.c:(.text.cec_register_adapter+0x110): undefined reference to `rc_unregister_device'
drivers/media/cec/cec-core.o: In function `cec_allocate_adapter':
cec-core.c:(.text.cec_allocate_adapter+0x234): undefined reference to `rc_allocate_device'
drivers/media/cec/cec-adap.o: In function `cec_received_msg':
cec-adap.c:(.text.cec_received_msg+0x734): undefined reference to `rc_keydown'
cec-adap.c:(.text.cec_received_msg+0x768): undefined reference to `rc_keyup'

This adds an additional dependency to explicitly forbid this combination.
Fixes: 5f2c467c54f5 ("[media] cec: add MEDIA_CEC_RC config option")
Signed-off-by: Arnd Bergmann
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab

drivers/media/cec/Kconfig | 1 +
1 file changed, 1 insertion(+)

commit 5ebb6dd36c9f5fb37b1077b393c254d70a14cb46
Author: Christophe JAILLET
Date: Fri Apr 28 01:51:40 2017 -0300

[media] vb2: Fix an off by one error in 'vb2_plane_vaddr'

We should ensure that 'plane_no' is '< vb->num_planes' as done in 'vb2_plane_cookie' just a few lines below.

Fixes: e23ccc0ad925 ("[media] v4l: add videobuf2 Video for Linux 2 driver framework")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe JAILLET
Reviewed-by: Sakari Ailus
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab

drivers/media/v4l2-core/videobuf2-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit e0f2e5eb14668dc798942ff5f4241d9bd17f9655
Author: Wei Yongjun
Date: Tue Apr 25 00:12:46 2017 -0300

[media] rainshadow-cec: Fix missing spin_lock_init()

The driver allocates the spinlock but does not initialize it. Use spin_lock_init() on it to initialize it correctly.

This is detected by Coccinelle semantic patch.

Fixes: 0f314f6c2e77 ("[media] rainshadow-cec: new RainShadow Tech HDMI CEC driver")
Signed-off-by: Wei Yongjun
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab

drivers/media/usb/rainshadow-cec/rainshadow-cec.c | 1 +
1 file changed, 1 insertion(+)

commit 4b0755e90ae03ba40174842af6fa810355960fbc
Author: Philipp Zabel
Date: Thu May 4 12:20:17 2017 -0300

[media] tc358743: fix register i2c_rd/wr function fix

The below mentioned fix contains a small but severe bug, fix it to make the driver work again.
Fixes: 3538aa6ecfb2 ("[media] tc358743: fix register i2c_rd/wr functions")
Cc: Hans Verkuil
Cc: Mauro Carvalho Chehab
Signed-off-by: Philipp Zabel
Acked-by: Arnd Bergmann
Signed-off-by: Hans Verkuil
Signed-off-by: Mauro Carvalho Chehab

drivers/media/i2c/tc358743.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 2aae918c7a21fb8388ab30b8abd4d9240e8ebd7f
Author: Björn Töpel
Date: Mon May 15 06:52:00 2017 +0200

i40e/i40evf: proper update of the page_offset field

In f8b45b74cc62 ("i40e/i40evf: Use build_skb to build frames") i40e_build_skb updates the page_offset field with an incorrect offset, which can lead to data corruption.

This patch updates page_offset correctly, by properly setting truesize.

Note that the bug only appears on architectures where PAGE_SIZE is 8192 or larger.

Fixes: f8b45b74cc62 ("i40e/i40evf: Use build_skb to build frames")
Signed-off-by: Björn Töpel
Acked-by: Alexander Duyck
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher

drivers/net/ethernet/intel/i40e/i40e_txrx.c | 3 ++-
drivers/net/ethernet/intel/i40evf/i40e_txrx.c | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)

commit 9e6c9c0f2ce67534fda1fdd305fb5da3defece3e
Author: Mauro S. M. Rodrigues
Date: Fri May 12 23:26:56 2017 -0300

i40e: Fix state flags for bit set and clean operations of PF

Commit 0da36b9774cc ("i40e: use DECLARE_BITMAP for state fields") introduced changes in the way i40e works with state flags converting them to bitmaps using kernel bitmap API. This change introduced a regression due to a mistaken substitution using __I40E_VSI_DOWN instead of __I40E_DOWN when testing state of a PF at i40e_reset_subtask() function. This caused a flood in the kernel log with the following message:

[49.013] i40e 0002:01:00.0: bad reset request 0x00000020

Commit d19cb64b9222 ("i40e: separate PF and VSI state flags") also introduced some misuse of the VSI and PF flags, so both could be considered as the offenders.
This patch simply fixes the flags where it makes sense by changing __I40E_VSI_DOWN to __I40E_DOWN.

Fixes: 0da36b9774cc ("i40e: use DECLARE_BITMAP for state fields")
Fixes: d19cb64b9222 ("i40e: separate PF and VSI state flags")
Reviewed-by: "Guilherme G. Piccoli"
Signed-off-by: "Mauro S. M. Rodrigues"
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher

drivers/net/ethernet/intel/i40e/i40e_main.c | 36 ++++++++++++++---------------
1 file changed, 18 insertions(+), 18 deletions(-)

commit 27fef9f8ecb0495d302deba210606a32e54db37a
Author: Charles Keepax
Date: Tue Jun 6 09:46:33 2017 +0100

mfd: arizona: Fix typo using hard-coded register

A hardcoded register is accidentally used instead of the register address passed into the function. Correct this and use the appropriate variable.

This would cause minor issues on wm5102, but all other devices using this driver would have been unaffected.

Fixes: commit ef84f885e037 ("mfd: arizona: Refactor arizona_poll_reg")
Reported-by: Andrzej Hajda
Signed-off-by: Charles Keepax
Signed-off-by: Lee Jones

drivers/mfd/arizona-core.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

commit b3aa20ba2ba8072b73bd799605b8c98927b7056c
Author: Vaibhav Jain
Date: Fri Jun 2 22:26:48 2017 +0530

cxl: Avoid double free_irq() for psl,slice interrupts

During an eeh call to cxl_remove can result in double free_irq of psl,slice interrupts. This can happen if perst_reloads_same_image == 1 and call to cxl_configure_adapter() fails during slot_reset callback.
In such a case we see a kernel oops with the following back-trace:

Oops: Kernel access of bad area, sig: 11 [#1]
Call Trace:
 free_irq+0x88/0xd0 (unreliable)
 cxl_unmap_irq+0x20/0x40 [cxl]
 cxl_native_release_psl_irq+0x78/0xd8 [cxl]
 pci_deconfigure_afu+0xac/0x110 [cxl]
 cxl_remove+0x104/0x210 [cxl]
 pci_device_remove+0x6c/0x110
 device_release_driver_internal+0x204/0x2e0
 pci_stop_bus_device+0xa0/0xd0
 pci_stop_and_remove_bus_device+0x28/0x40
 pci_hp_remove_devices+0xb0/0x150
 pci_hp_remove_devices+0x68/0x150
 eeh_handle_normal_event+0x140/0x580
 eeh_handle_event+0x174/0x360
 eeh_event_handler+0x1e8/0x1f0

This patch fixes the issue of double free_irq by checking that variables that hold the virqs (err_hwirq, serr_hwirq, psl_virq) are not '0' before un-mapping and resetting these variables to '0' when they are un-mapped.

Cc: stable@vger.kernel.org
Signed-off-by: Vaibhav Jain
Reviewed-by: Andrew Donnellan
Acked-by: Frederic Barrat
Signed-off-by: Michael Ellerman

drivers/misc/cxl/native.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

commit 7f22ced4377628074e2ac25f41a88f98eb3b03f1
Author: Breno Leitao
Date: Mon Jun 5 11:40:59 2017 -0300

powerpc/kernel: Initialize load_tm on task creation

Currently tsk->thread.load_tm is not initialized in the task creation and can contain garbage on a new task.

This is an undesired behaviour, since it affects the timing to enable and disable the transactional memory laziness (disabling and enabling the MSR TM bit, which affects TM reclaim and recheckpoint in the scheduling process).
Fixes: 5d176f751ee3 ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Breno Leitao
Signed-off-by: Michael Ellerman

arch/powerpc/kernel/process.c | 1 +
1 file changed, 1 insertion(+)

commit b7dfee2433576f1f030cb84cdb04b70f36554992
Author: Marek Vasut
Date: Sat Jun 3 11:57:21 2017 -0700

gpu: ipu-v3: Fix CSI selection for VDIC

The description of the CSI_SEL bit in the i.MX6 reference manual is incorrect. It states "This bit defines which CSI is the input to the IC. This bit is effective only if IC_INPUT is bit cleared".

From experiment it was found this is in fact not correct. The CSI_SEL bit selects which CSI is input to _both_ the VDIC _and_ the IC. If the IC_INPUT bit is set so that the IC is receiving from the VDIC, the IC ignores the CSI_SEL bit, but CSI_SEL still selects which CSI the VDIC receives from in that case.

Signed-off-by: Marek Vasut
Signed-off-by: Steve Longerbeam
Signed-off-by: Philipp Zabel

drivers/gpu/ipu-v3/ipu-common.c | 15 ++++++++-------
1 file changed, 8 insertions(+), 7 deletions(-)

commit e36aecba54bf24387271f2d7b989cc686a389931
Author: Leonard Crestez
Date: Wed May 10 16:17:13 2017 +0300

drm/imx: imx-ldb: Accept drm_of_find_panel_or_bridge failure

Not having an endpoint bound in DT should not cause a failure here, there are fallbacks. So explicitly accept a missing endpoint.

This behavior change was introduced by refactoring in drm_of parsing code and it should not require dts changes. In particular this fixes imx6qdl-sabreauto boards.
Link: https://lists.freedesktop.org/archives/dri-devel/2017-May/141233.html
Fixes: ebc944613567 ("drm: convert drivers to use drm_of_find_panel_or_bridge")
Signed-off-by: Leonard Crestez
Signed-off-by: Philipp Zabel

drivers/gpu/drm/imx/imx-ldb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit 47c298f792992c6eda26fc4e4630c7ca54dcec47
Author: Lucas Stach
Date: Wed May 3 10:38:18 2017 +0200

gpu: ipu-v3: pre: only use internal clock gating

By setting the SFTRST bit, the PRE will be held in the lowest power state with clocks to the internal blocks gated. When external clock gating is used (from the external clock controller, or by setting the CLKGATE bit) the PRE will sporadically fail to start.

Signed-off-by: Lucas Stach
Fixes: d2a34232580a ("gpu: ipu-v3: add driver for Prefetch Resolve Engine")
Signed-off-by: Philipp Zabel

drivers/gpu/ipu-v3/ipu-pre.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)

commit d68356cc51e304ff9a389f006b6249d41f2c2319
Author: Christoffer Dall
Date: Sun Jun 4 22:17:02 2017 +0200

KVM: arm/arm64: vgic-v3: Fix nr_pre_bits bitfield extraction

We used to extract PRIbits from the ICH_VT_EL2 which was the upper field in the register word, so a mask wasn't necessary, but as we switched to looking at PREbits, which is bits 26 through 28 with the PRIbits field being potentially non-zero, we really need to mask off the field value, otherwise fun things may happen.
Signed-off-by: Christoffer Dall
Acked-by: Marc Zyngier

virt/kvm/arm/hyp/vgic-v3-sr.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

commit e5b4ab1ffbe2553ee278cb1b6bcb671a31d86518
Merge: 1f779cd 75fb636
Author: Dave Airlie
Date: Tue Jun 6 16:52:15 2017 +1000

Merge tag 'drm-misc-fixes-2017-06-02' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes

Core Changes:
- Grab locks in drm_atomic_helper_resume() (Daniel)
- Fix oops when unplugging USB device (expand cleanup in drm_unplug_dev) (Hans)

Driver Changes:
- rockchip: Don't output 10-bit format to 8-bit encoders (Mark)

Cc: Mark yao
Cc: Daniel Vetter
Cc: Hans de Goede

* tag 'drm-misc-fixes-2017-06-02' of git://anongit.freedesktop.org/git/drm-misc:
  drm: Fix oops + Xserver hang when unplugging USB drm devices
  drm: Fix locking in drm_atomic_helper_resume
  drm/rockchip: Correct vop out_mode configure

commit 1f779cd74507d7cc3ea16087163f0509e74ef022
Merge: 3c2993b b4e382c
Author: Dave Airlie
Date: Tue Jun 6 16:10:16 2017 +1000

Merge branch 'linux-4.12' of git://github.com/skeggsb/linux into drm-fixes

4 nouveau regression fixes.

* 'linux-4.12' of git://github.com/skeggsb/linux:
  drm/nouveau/tmr: fully separate alarm execution/pending lists
  drm/nouveau: enable autosuspend only when it'll actually be used
  drm/nouveau: replace multiple open-coded runpm support checks with function
  drm/nouveau/kms/nv50: add null check before pointer dereference

commit b4e382ca7586a63b6c1e5221ce0863ff867c2df6
Author: Ben Skeggs
Date: Mon Jun 5 17:23:32 2017 +1000

drm/nouveau/tmr: fully separate alarm execution/pending lists

Reusing the list_head for both is a bad idea. Callback execution is done with the lock dropped so that alarms can be rescheduled from the callback, which means that with some unfortunate timing, lists can get corrupted.

The execution list should not require its own locking, the single function that uses it can only be called from a single context.
Signed-off-by: Ben Skeggs
Cc: stable@vger.kernel.org

drivers/gpu/drm/nouveau/include/nvkm/subdev/timer.h | 1 +
drivers/gpu/drm/nouveau/nvkm/subdev/timer/base.c | 7 ++++---
2 files changed, 5 insertions(+), 3 deletions(-)

commit 8fa4338acca96cbc231e4125229632e879476464
Author: Ben Skeggs
Date: Fri Jun 2 14:49:45 2017 +1000

drm/nouveau: enable autosuspend only when it'll actually be used

This prevents a deadlock that somehow results from the suspend() -> forbid() -> resume() callchain.

[ 125.266960] [drm] Initialized nouveau 1.3.1 20120801 for 0000:02:00.0 on minor 1
[ 370.120872] INFO: task kworker/4:1:77 blocked for more than 120 seconds.
[ 370.120920] Tainted: G O 4.12.0-rc3 #20
[ 370.120947] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
[ 370.120982] kworker/4:1 D13808 77 2 0x00000000
[ 370.120998] Workqueue: pm pm_runtime_work
[ 370.121004] Call Trace:
[ 370.121018] __schedule+0x2bf/0xb40
[ 370.121025] ? mark_held_locks+0x5f/0x90
[ 370.121038] schedule+0x3d/0x90
[ 370.121044] rpm_resume+0x107/0x870
[ 370.121052] ? finish_wait+0x90/0x90
[ 370.121065] ? pci_pm_runtime_resume+0xa0/0xa0
[ 370.121070] pm_runtime_forbid+0x4c/0x60
[ 370.121129] nouveau_pmops_runtime_suspend+0xaf/0xc0 [nouveau]
[ 370.121139] pci_pm_runtime_suspend+0x5f/0x170
[ 370.121147] ? pci_pm_runtime_resume+0xa0/0xa0
[ 370.121152] __rpm_callback+0xb9/0x1e0
[ 370.121159] ? pci_pm_runtime_resume+0xa0/0xa0
[ 370.121166] rpm_callback+0x24/0x80
[ 370.121171] ? pci_pm_runtime_resume+0xa0/0xa0
[ 370.121176] rpm_suspend+0x138/0x6e0
[ 370.121192] pm_runtime_work+0x7b/0xc0
[ 370.121199] process_one_work+0x253/0x6a0
[ 370.121216] worker_thread+0x4d/0x3b0
[ 370.121229] kthread+0x133/0x150
[ 370.121234] ? process_one_work+0x6a0/0x6a0
[ 370.121238] ? kthread_create_on_node+0x70/0x70
[ 370.121246] ret_from_fork+0x2a/0x40
[ 370.121283] Showing all locks held in the system:
[ 370.121291] 2 locks held by kworker/4:1/77:
[ 370.121298] #0: ("pm"){.+.+.+}, at: [] process_one_work+0x1d0/0x6a0
[ 370.121315] #1: ((&dev->power.work)){+.+.+.}, at: [] process_one_work+0x1d0/0x6a0
[ 370.121330] 1 lock held by khungtaskd/81:
[ 370.121333] #0: (tasklist_lock){.+.+..}, at: [] debug_show_all_locks+0x3d/0x1a0
[ 370.121355] 1 lock held by dmesg/1639:
[ 370.121358] #0: (&user->lock){+.+.+.}, at: [] devkmsg_read+0x4d/0x360
[ 370.121377] =============================================

Signed-off-by: Ben Skeggs

drivers/gpu/drm/nouveau/nouveau_drm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

commit 321f5c5f2c494f3c94cec2289c8add678657ba2d
Author: Ben Skeggs
Date: Fri Jun 2 14:38:07 2017 +1000

drm/nouveau: replace multiple open-coded runpm support checks with function

Signed-off-by: Ben Skeggs

drivers/gpu/drm/nouveau/nouveau_drm.c | 34 +++++++++++++++-------------------
drivers/gpu/drm/nouveau/nouveau_drv.h | 3 +--
drivers/gpu/drm/nouveau/nouveau_vga.c | 13 ++-----------
3 files changed, 18 insertions(+), 32 deletions(-)

commit 86276921a17ee3090749c9f38f57dcfb73733bd4
Author: Gustavo A. R. Silva
Date: Mon May 22 14:12:37 2017 -0500

drm/nouveau/kms/nv50: add null check before pointer dereference

Add null check before dereferencing pointer asyc

Addresses-Coverity-ID: 1397932
Signed-off-by: Gustavo A. R. Silva
Signed-off-by: Ben Skeggs

drivers/gpu/drm/nouveau/nv50_display.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

commit e5c86679d5e864947a52fb31e45a425dea3e7fa9
Author: Max Filippov
Date: Mon Jun 5 02:43:51 2017 -0700

xtensa: don't use linux IRQ #0

Linux IRQ #0 is reserved for error reporting and may not be used. Increase NR_IRQS for one additional slot and increase irq_domain_add_legacy parameter first_irq value to 1, so that linux IRQ #0 is not associated with hardware IRQ #0 in legacy IRQ domains.
Introduce macro XTENSA_PIC_LINUX_IRQ for static translation of xtensa PIC hardware IRQ # to linux IRQ #. Use this macro in XTFPGA platform data definitions.

This fixes inability to use hardware IRQ #0 in configurations that don't use device tree and allows for non-identity mapping between linux IRQ # and hardware IRQ #.

Cc: stable@vger.kernel.org
Signed-off-by: Max Filippov

arch/xtensa/include/asm/irq.h | 3 ++-
arch/xtensa/kernel/irq.c | 5 -----
arch/xtensa/platforms/xtfpga/include/platform/hardware.h | 6 ++++--
arch/xtensa/platforms/xtfpga/setup.c | 10 +++++-----
drivers/irqchip/irq-xtensa-mx.c | 2 +-
drivers/irqchip/irq-xtensa-pic.c | 2 +-
6 files changed, 13 insertions(+), 15 deletions(-)

commit cbf52a3e6a8a92beec6e0c70abf4111cd8f8faf7
Author: Robert Jarzmik
Date: Mon Jun 5 13:59:15 2017 +0200

tags: honor COMPILED_SOURCE with apart output directory

When the kernel is compiled with an "O=" argument, the object files are not in the source tree, but in the build tree.

This patch fixes O= build by looking for object files in the build tree.

Fixes: 923e02ecf3f8 ("scripts/tags.sh: Support compiled source")
Signed-off-by: Robert Jarzmik
Signed-off-by: Masahiro Yamada

scripts/tags.sh | 1 +
1 file changed, 1 insertion(+)

commit a415c0f10627913793709ddb75add09d2ea334dc
Author: NeilBrown
Date: Mon Jun 5 16:05:13 2017 +1000

md: initialise ->writes_pending in personality modules.

The new per-cpu counter for writes_pending is initialised in md_alloc(), which is not called by dm-raid. So dm-raid fails when md_write_start() is called.

Move the initialization to the personality modules that need it. This way it is always initialised when needed, but isn't unnecessarily initialized (requiring memory allocation) when the personality doesn't use writes_pending.
Reported-by: Heinz Mauelshagen
Fixes: 4ad23a976413 ("MD: use per-cpu counter for writes_pending")
Signed-off-by: NeilBrown
Signed-off-by: Shaohua Li

drivers/md/md.c | 16 ++++++++++++----
drivers/md/md.h | 1 +
drivers/md/raid1.c | 2 ++
drivers/md/raid10.c | 3 +++
drivers/md/raid5.c | 3 +++
5 files changed, 21 insertions(+), 4 deletions(-)

commit ba7b2387ad239a519041f2a2d35a1902bdd03dfb
Merge: e543c8a 41c2570
Author: Linus Torvalds
Date: Mon Jun 5 15:37:03 2017 -0700

Merge branch 'for-4.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup

Pull cgroup fixes from Tejun Heo:
"Two cgroup fixes. One to address RCU delay of cpuset removal affecting userland visible behaviors. The other fixes a race condition between controller disable and cgroup removal"

* 'for-4.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  cpuset: consider dying css as offline
  cgroup: Prevent kill_css() from being called more than once

commit e543c8a92fb6eca8dd554561fa55bba5f2a90d09
Merge: 112eb07 f7cf69a
Author: Linus Torvalds
Date: Mon Jun 5 15:31:14 2017 -0700

Merge branch 'for-4.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata

Pull libata fixes from Tejun Heo:
- Revert of sata_mv devm_ioremap_resource() conversion. It made init fail if there are overlapping resources which led to detection failures on some setups.
- A workaround for an Acer laptop which sometimes reports corrupt port map.
- Other non-critical fixes.

* 'for-4.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
  libata: fix error checking in in ata_parse_force_one()
  Revert "ata: sata_mv: Convert to devm_ioremap_resource()"
  ata: libahci: properly propagate return value of platform_get_irq()
  ata: sata_rcar: Handle return value of clk_prepare_enable
  ahci: Acer SA5-271 SSD Not Detected Fix

commit 186f0a0d8e083505bd5cd23baa82b2205224d9ad
Author: Rafael J. Wysocki
Date: Mon Jun 5 23:33:39 2017 +0200

Revert "ACPICA: Disassembler: Enhance resource descriptor detection"

Revert commit da28e1955d7f (ACPICA: Disassembler: Enhance resource descriptor detection) as it is based on an assumption that doesn't hold all the time and causes problems to happen because of that.

Reported-by: Linda Knippers
Signed-off-by: Rafael J. Wysocki

drivers/acpi/acpica/utresrc.c | 9 ---------
1 file changed, 9 deletions(-)

commit dc89481bb4c9af0700423e21c8371379d3d943b1
Merge: 1dbf647 dc1cd1d
Author: Kalle Valo
Date: Mon Jun 5 22:21:25 2017 +0300

Merge tag 'iwlwifi-for-kalle-2017-06-05' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes

Fixes for 4.12:
* Some memory leaks;
* IBSS support;
* Some bugzilla bugs;
* Some runtime PM fixes;
* Rate-scaling issues;
* Some locking problems;

commit 6bf28969f617f0131e94deb5476f4c45f43fd847
Author: Max Filippov
Date: Mon Jun 5 11:25:07 2017 -0700

xtensa: reduce double exception literal reservation

Double exception vector only needs 20 bytes of space for 5 literals, not 48. Reduce the reservation for double exception vector literals accordingly. This fixes build for configurations with small user exception vector size.

Signed-off-by: Max Filippov

arch/xtensa/kernel/vmlinux.lds.S | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

commit dc1cd1d5ac22dbcd158c3de62b76ebb80e55d46b
Author: Shahar S Matityahu
Date: Thu Apr 6 13:35:38 2017 +0300

iwlwifi: fix host command memory leaks

Sending host command with CMD_WANT_SKB flag demands the release of the response buffer with iwl_free_resp function.
The patch adds the memory release in all the relevant places Signed-off-by: Shahar S Matityahu Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 15098803d38778070b8edfa5a3d5fc4fef10d0a1 Author: Luca Coelho Date: Tue Apr 25 10:18:10 2017 +0300 iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265 In a previous commit, we removed support for API versions earlier than 22 for these NICs. By mistake, the *_UCODE_API_MIN definitions were set to 17. Fix that. Fixes: 4b87e5af638b ("iwlwifi: remove support for fw older than -17 and -22") Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/iwl-7000.c | 4 ++-- drivers/net/wireless/intel/iwlwifi/iwl-8000.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 40cbeca3c09965f3084d591476559cbb3df150ec Author: Johannes Berg Date: Fri Mar 31 10:47:35 2017 +0200 iwlwifi: mvm: clear new beacon command template struct Clear the struct so that all reserved fields are zero when we send the struct down to the device. Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 71793b7d3eb0897ca0dc4a109ede608d3e2c70ed Author: Luca Coelho Date: Thu Mar 30 12:04:47 2017 +0300 iwlwifi: mvm: don't fail when removing a key from an inexisting sta The iwl_mvm_remove_sta_key() function handles removing a key when the sta doesn't exist anymore. Mistakenly, this was changed to return an error while fixing another bug. If the mvm_sta doesn't exist, we continue normally, but just don't try to remove the igtk key. 
Fixes: cd4d23c1ea9b ("iwlwifi: mvm: Fix removal of IGTK") Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) commit e4c49c4937951de1cdbe35572ade40c948dec1e1 Author: Luca Coelho Date: Fri Mar 24 11:01:45 2017 +0200 iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3 We only need to handle d0i3 entry and exit during suspend resume if system_pm is set to IWL_PLAT_PM_MODE_D0I3, otherwise d0i3 entry failures will cause suspend to fail. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=194791 Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit addce854f164a68da9cb158e2e7e447705068549 Author: Emmanuel Grumbach Date: Wed Mar 29 10:21:09 2017 +0300 iwlwifi: mvm: fix firmware debug restart recording When we want to stop the recording of the firmware debug and restart it later without reloading the firmware we don't need to resend the configuration that comes with host commands. Sending those commands confused the hardware and led to an NMI 0x66. Change the flow as following: * read the relevant registers (DBGC_IN_SAMPLE, DBGC_OUT_CTRL) * clear those registers * wait for the hardware to complete its write to the buffer * get the data * restore the value of those registers (to restart the recording) For early start (where the configuration is already compiled in the firmware), we don't need to set those registers after the firmware has been loaded, but only when we want to restart the recording without having restarted the firmware. 
Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/iwl-prph.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 12 +--------- drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 1 + drivers/net/wireless/intel/iwlwifi/mvm/ops.c | 32 ++++++++++++++++++------- 4 files changed, 27 insertions(+), 19 deletions(-) commit d9954405758a0cbbe258d9b4d4dc12a06fa48a28 Author: Johannes Berg Date: Wed Mar 22 22:00:10 2017 +0100 iwlwifi: tt: move ucode_loaded check under mutex The ucode_loaded check should be under the mutex, since it can otherwise change state after we looked at it and before we got the mutex. Fix that. Fixes: 5c89e7bc557e ("iwlwifi: mvm: add registration to cooling device") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/tt.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit ee48b72211f844a58a06819e9ccceee6acf04b2d Author: Liad Kaufman Date: Tue Mar 21 17:13:16 2017 +0200 iwlwifi: mvm: support ibss in dqa mode Allow working IBSS also when working in DQA mode. This is done by setting it to treat the queues the same as a BSS AP treats the queues. Fixes: 7948b87308a4 ("iwlwifi: mvm: enable dynamic queue allocation mode") Signed-off-by: Liad Kaufman Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/sta.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) commit c72c37b7f392ad7edc10b6092fa48c632ba6f4ed Author: Haim Dreyfuss Date: Thu Mar 16 17:26:03 2017 +0200 iwlwifi: mvm: Fix command queue number on d0i3 flow During d0i3 flow we flush all the queue except from the command queue. Currently, in this flow the command queue is hard coded to 9. In DQA the command queue number has changed from 9 to 0. Fix that. This fixes a problem in runtime PM resume flow. 
Fixes: 097129c9e625 ("iwlwifi: mvm: move cmd queue to be #0 in dqa mode") Signed-off-by: Haim Dreyfuss Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit ea42d1cbe3f067fb714c3ec3e1792fa273b99561 Author: Gregory Greenman Date: Mon Mar 6 11:15:41 2017 +0200 iwlwifi: mvm: rs: start using LQ command color Up until now, the driver was comparing the rate reported by the FW and the rate of the latest LQ command to avoid processing data belonging to the old LQ command. Recently, FW changed the meaning of the initial rate field in tx response and it holds the actual rate (which is not necessarily the initial rate of LQ's rate table). Use instead LQ cmd color to be able to filter out tx responses/BA notifications which were sent during earlier LQ commands' time frame. This fixes some throughput degradation in noisy environments. Signed-off-by: Gregory Greenman Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/fw-api-rs.h | 5 +++ drivers/net/wireless/intel/iwlwifi/mvm/fw-api-tx.h | 3 ++ drivers/net/wireless/intel/iwlwifi/mvm/rs.c | 46 ++++++---------------- drivers/net/wireless/intel/iwlwifi/mvm/rs.h | 15 +++++++ drivers/net/wireless/intel/iwlwifi/mvm/sta.h | 2 + drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++- 6 files changed, 47 insertions(+), 36 deletions(-) commit 1b4af13ff2cc6897557bb0b8d9e2fad4fa4d67aa Author: David S. Miller Date: Mon Jun 5 11:28:57 2017 -0700 sparc64: Add __multi3 for gcc 7.x and later. Reported-by: Waldemar Brodkorb Signed-off-by: David S.
Miller arch/sparc/lib/Makefile | 1 + arch/sparc/lib/multi3.S | 35 +++++++++++++++++++++++++++++++++++ 2 files changed, 36 insertions(+) commit 112eb07287d10bef6ec74e36f1ffd24f19bdd0a0 Merge: 3c2993b 06a4b6d Author: Linus Torvalds Date: Mon Jun 5 11:19:40 2017 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Three fixes this time around: - Two fixes for noMMU, fixing the decompressor header layout, and preventing a build error with some configurations. - Fixing the hyp-stub updates that went in during the merge window for platforms that use MCPM" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M ARM: 8676/1: NOMMU: provide pgprot_device() macro ARM: 8675/1: MCPM: ensure not to enter __hyp_soft_restart from loopback and cpu_power_down commit 2538b9e2450ae255337c04356e9e0f8cb9ec48d9 Author: Milian Wolff Date: Fri Jun 2 16:37:52 2017 +0200 perf report: Ensure the perf DSO mapping matches what libdw sees In some situations the libdw unwinder stopped working properly. I.e. 
with libunwind we see: ~~~~~ heaptrack_gui 2228 135073.400112: 641314 cycles: e8ed _dl_fixup (/usr/lib/ld-2.25.so) 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) 608f3 _GLOBAL__sub_I_kdynamicjobtracker.cpp (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) f199 call_init.part.0 (/usr/lib/ld-2.25.so) f2a5 _dl_init (/usr/lib/ld-2.25.so) db9 _dl_start_user (/usr/lib/ld-2.25.so) ~~~~~ But with libdw and without this patch this sample is not properly unwound: ~~~~~ heaptrack_gui 2228 135073.400112: 641314 cycles: e8ed _dl_fixup (/usr/lib/ld-2.25.so) 15f06 _dl_runtime_resolve_sse_vex (/usr/lib/ld-2.25.so) ed94c KDynamicJobTracker::KDynamicJobTracker (/home/milian/projects/compiled/kf5/lib64/libKF5KIOWidgets.so.5.35.0) ~~~~~ Debug output showed me that libdw found a module for the last frame address, but it thinks it belongs to /usr/lib/ld-2.25.so. This patch double-checks what libdw sees and what perf knows. If the mappings mismatch, we now report the elf known to perf. This fixes the situation above, and the libdw unwinder produces the same stack as libunwind. Signed-off-by: Milian Wolff Cc: Jiri Olsa Cc: Namhyung Kim Link: http://lkml.kernel.org/r/20170602143753.16907-1-milian.wolff@kdab.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/unwind-libdw.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 5ea0416f51cc93436bbe497c62ab49fd9cb245b6 Author: Milian Wolff Date: Thu Jun 1 23:00:21 2017 +0200 perf report: Include partial stacks unwound with libdw So far the whole stack was thrown away when any error occurred before the maximum stack depth was unwound. This is actually a very common scenario though. The stacks that got unwound so far are still interesting. This removes a large chunk of differences when comparing perf script output for libunwind and libdw perf unwinding. E.g. 
with libunwind: ~~~~~ heaptrack_gui 2228 135073.388524: 479408 cycles: ffffffff811749ed perf_iterate_ctx ([kernel.kallsyms]) ffffffff81181662 perf_event_mmap ([kernel.kallsyms]) ffffffff811cf5ed mmap_region ([kernel.kallsyms]) ffffffff811cfe6b do_mmap ([kernel.kallsyms]) ffffffff811b0dca vm_mmap_pgoff ([kernel.kallsyms]) ffffffff811cdb0c sys_mmap_pgoff ([kernel.kallsyms]) ffffffff81033acb sys_mmap ([kernel.kallsyms]) ffffffff81631d37 entry_SYSCALL_64_fastpath ([kernel.kallsyms]) 192ca mmap64 (/usr/lib/ld-2.25.so) 59a9 _dl_map_object_from_fd (/usr/lib/ld-2.25.so) 83d0 _dl_map_object (/usr/lib/ld-2.25.so) cda1 openaux (/usr/lib/ld-2.25.so) 1834f _dl_catch_error (/usr/lib/ld-2.25.so) cfe2 _dl_map_object_deps (/usr/lib/ld-2.25.so) 3481 dl_main (/usr/lib/ld-2.25.so) 17387 _dl_sysdep_start (/usr/lib/ld-2.25.so) 4d37 _dl_start (/usr/lib/ld-2.25.so) d87 _start (/usr/lib/ld-2.25.so) heaptrack_gui 2228 135073.388677: 611329 cycles: 1a3e0 strcmp (/usr/lib/ld-2.25.so) 82b2 _dl_map_object (/usr/lib/ld-2.25.so) cda1 openaux (/usr/lib/ld-2.25.so) 1834f _dl_catch_error (/usr/lib/ld-2.25.so) cfe2 _dl_map_object_deps (/usr/lib/ld-2.25.so) 3481 dl_main (/usr/lib/ld-2.25.so) 17387 _dl_sysdep_start (/usr/lib/ld-2.25.so) 4d37 _dl_start (/usr/lib/ld-2.25.so) d87 _start (/usr/lib/ld-2.25.so) ~~~~~ With libdw without this patch: ~~~~~ heaptrack_gui 2228 135073.388524: 479408 cycles: ffffffff811749ed perf_iterate_ctx ([kernel.kallsyms]) ffffffff81181662 perf_event_mmap ([kernel.kallsyms]) ffffffff811cf5ed mmap_region ([kernel.kallsyms]) ffffffff811cfe6b do_mmap ([kernel.kallsyms]) ffffffff811b0dca vm_mmap_pgoff ([kernel.kallsyms]) ffffffff811cdb0c sys_mmap_pgoff ([kernel.kallsyms]) ffffffff81033acb sys_mmap ([kernel.kallsyms]) ffffffff81631d37 entry_SYSCALL_64_fastpath ([kernel.kallsyms]) heaptrack_gui 2228 135073.388677: 611329 cycles: ~~~~~ With this patch applied, the libdw unwinder will produce the same output as the libunwind unwinder. 
Signed-off-by: Milian Wolff Cc: Jiri Olsa Cc: Namhyung Kim Link: http://lkml.kernel.org/r/20170601210021.20046-1-milian.wolff@kdab.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/unwind-libdw.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6db47fdec7562b02703e346c10f7f4efdda6af5a Author: Kim Phillips Date: Mon May 29 14:27:54 2017 -0500 perf annotate: Add missing powerpc triplet On an Ubuntu xenial system, 'perf annotate' says to install powerpc objdump on a system that already has binutils-powerpc-linux-gnu installed. Make perf aware of the missing triplet for the powerpc-linux-gnu target. Signed-off-by: Kim Phillips Cc: Alexander Shishkin Cc: He Kuang Cc: Jiri Olsa Cc: Peter Zijlstra Cc: Ravi Bangoria Link: http://lkml.kernel.org/r/20170529142754.7fbfb1152fd8f2663de0ea70@arm.com Signed-off-by: Arnaldo Carvalho de Melo tools/perf/arch/common.c | 1 + 1 file changed, 1 insertion(+) commit 598762cf91532e6e86dd21199b5e7f803df73f49 Author: Jiri Olsa Date: Thu Jun 1 22:54:50 2017 +0200 perf test: Disable breakpoint signal tests for powerpc The following tests are failing on powerpc: # perf test break 18: Breakpoint overflow signal handler : FAILED! 19: Breakpoint overflow sampling : FAILED! The powerpc kernel so far does not have support to even create instruction breakpoints using the perf event interface, so those tests fail early in the config phase. I added a '->is_supported()' callback to test struct to be able to disable specific tests. It seems better than putting ifdefs directly to the test array.
Signed-off-by: Jiri Olsa Cc: David Ahern Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lkml.kernel.org/r/20170601205450.GA398@krava Signed-off-by: Arnaldo Carvalho de Melo tools/perf/tests/bp_signal.c | 14 ++++++++++++++ tools/perf/tests/builtin-test.c | 7 +++++++ tools/perf/tests/tests.h | 3 +++ 3 files changed, 24 insertions(+) commit a09935b878dc8efd4b030ed1ffa0553fc9011fb8 Author: Namhyung Kim Date: Wed May 31 21:01:05 2017 +0900 perf symbols: Use correct filename for compressed modules in build-id cache The decompress_kmodule() decompresses kernel modules in order to load symbols from it. In the DSO_BINARY_TYPE__BUILD_ID_CACHE case, it needs the full file path to extract the file extension to determine the decompression method. But overwriting 'name' will fail the decompression since it might point to a non-existing old file. Instead, use dso->long_name for having the correct extension and use the real filename to decompress. In the DSO_BINARY_TYPE__SYSTEM_PATH_KMODULE_COMP case, both names should be the same. This allows resolving symbols in the old modules. 
Before: $ perf report -i perf.data.old | grep scsi_mod 0.00% cc1 [scsi_mod] [k] 0x0000000000004aa6 0.00% as [scsi_mod] [k] 0x00000000000099e1 0.00% cc1 [scsi_mod] [k] 0x0000000000009830 0.00% cc1 [scsi_mod] [k] 0x0000000000001b8f After: 0.00% cc1 [scsi_mod] [k] scsi_handle_queue_ramp_up 0.00% as [scsi_mod] [k] scsi_sg_alloc 0.00% cc1 [scsi_mod] [k] scsi_setup_cmnd 0.00% cc1 [scsi_mod] [k] scsi_get_command Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Andi Kleen Cc: David Ahern Cc: Peter Zijlstra Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170531120105.21731-3-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/symbol-elf.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) commit 6b335e8f545591c07df0f34231bd7ff7506c98c1 Author: Namhyung Kim Date: Wed May 31 21:01:04 2017 +0900 perf symbols: Set module info when build-id event found Like machine__findnew_module_dso(), it should set necessary info for kernel modules to find symbol info from the file. Factor out dso__set_module_info() to do it. This is needed for dso__needs_decompress() to detect such DSOs. Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Andi Kleen Cc: David Ahern Cc: Peter Zijlstra Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170531120105.21731-2-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/dso.c | 15 +++++++++++++++ tools/perf/util/dso.h | 3 +++ tools/perf/util/header.c | 2 +- tools/perf/util/machine.c | 11 +---------- 4 files changed, 20 insertions(+), 11 deletions(-) commit 1deec1bd96ccd8beb04d2112a6d12fe20505c3a6 Author: Namhyung Kim Date: Wed May 31 21:01:03 2017 +0900 perf header: Set proper module name when build-id event found When perf processes build-id event, it creates DSOs with the build-id. But it didn't set the module short name (like '[module-name]') so when processing a kernel mmap event of the module, it cannot find the DSO as it only checks the short names.
That leads perf to create the same DSO without the build-id info and it'll look up the system path even if the DSO is already in the build-id cache. After the kernel was updated, perf cannot find the DSO and cannot show symbols in it anymore. You can see this if you have an old data file (w/ old kernel version): $ perf report -i perf.data.old -v |& grep scsi_mod build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz : cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 Failed to open /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz, continuing without symbols ... The second message didn't show the build-id. With this patch: $ perf report -i perf.data.old -v |& grep scsi_mod build id event received for /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz: cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 /lib/modules/3.19.2-1-ARCH/kernel/drivers/scsi/scsi_mod.ko.gz with build id cafe1ce6ca13a98a5d9ed3425cde249e57a27fc1 not found, continuing without symbols ... Now it shows the build-id but still cannot load the symbol table. This is a different problem which will be fixed in the next patch.
Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Andi Kleen Cc: David Ahern Cc: Peter Zijlstra Cc: kernel-team@lge.com Link: http://lkml.kernel.org/r/20170531120105.21731-1-namhyung@kernel.org [ Fix the build on older compilers (debian <= 8, fedora <= 21, etc) wrt kmod_path var init ] Signed-off-by: Arnaldo Carvalho de Melo tools/perf/util/header.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit 501e7a4689378f8b1690089bfdd4f1e12ec22903 Author: Benjamin Coddington Date: Fri Jun 2 11:21:34 2017 -0400 NFSv4.2: Don't send mode again in post-EXCLUSIVE4_1 SETATTR with umask Now that we have umask support, we shouldn't re-send the mode in a SETATTR following an exclusive CREATE, or we risk having the same problem fixed in commit 5334c5bdac92 ("NFS: Send attributes in OPEN request for NFS4_CREATE_EXCLUSIVE4_1"), which is that files with S_ISGID will have that bit stripped away. Signed-off-by: Benjamin Coddington Fixes: dff25ddb4808 ("nfs: add support for the umask attribute") Cc: stable@vger.kernel.org # v4.10+ Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3def03441e53e29eed3afd9009974a5a42bf124a Author: Nicolas Iooss Date: Sat May 20 13:27:00 2017 +0200 genksyms: add printf format attribute to error_with_pos() When compiling with -Wsuggest-attribute=format in HOSTCFLAGS, gcc complains that error_with_pos() may be declared with a printf format attribute: scripts/genksyms/genksyms.c:726:3: warning: function might be possible candidate for ‘gnu_printf’ format attribute [-Wsuggest-attribute=format] vfprintf(stderr, fmt, args); ^~~~~~~~ This would allow catching printf-format errors at compile time in callers to error_with_pos(). Add this attribute. 
Signed-off-by: Nicolas Iooss Signed-off-by: Masahiro Yamada scripts/genksyms/genksyms.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 269f9883fe254d109afdfc657875c456d6fabb08 Author: Ido Shamay Date: Mon Jun 5 10:44:56 2017 +0300 net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport The Granular QoS per VF feature must be enabled in FW before it can be used. Thus, the driver cannot modify a QP's qos_vport value (via the UPDATE_QP FW command) if the feature has not been enabled -- the FW returns an error if this is attempted. Fixes: 08068cd5683f ("net/mlx4: Added qos_vport QP configuration in VST mode") Signed-off-by: Ido Shamay Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/qp.c | 6 ++++++ drivers/net/ethernet/mellanox/mlx4/resource_tracker.c | 16 +++++++++++----- 2 files changed, 17 insertions(+), 5 deletions(-) commit 6c6ab3e73b391b38c9749c77775bf21479ed7d60 Author: Randy Dunlap Date: Sun Jun 4 19:46:53 2017 -0700 net: phy: fix kernel-doc warnings Fix kernel-doc warnings (typo) in drivers/net/phy/phy.c: ..//drivers/net/phy/phy.c:259: warning: No description found for parameter 'features' ..//drivers/net/phy/phy.c:259: warning: Excess function parameter 'feature' description in 'phy_lookup_setting' Signed-off-by: Randy Dunlap Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/phy/phy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6044bd4a7d580d4459b992bc6631c817486a1514 Author: Haishuang Yan Date: Mon Jun 5 08:57:21 2017 +0800 devlink: fix potential memory leak We must free allocated skb when genlmsg_put() fails. Fixes: 1555d204e743 ("devlink: Support for pipeline debug (dpipe)") Signed-off-by: Haishuang Yan Acked-by: Jiri Pirko Signed-off-by: David S.
Miller net/core/devlink.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 1e0ce2a1ee0d5fb334e82e80600f1e8e77df525c Author: Anmol Sarma Date: Sat Jun 3 17:40:54 2017 +0530 net: Update TCP congestion control documentation Update tcp.txt to fix mandatory congestion control ops and default CCA selection. Also, fix comment in tcp.h for undo_cwnd. Signed-off-by: Anmol Sarma Signed-off-by: David S. Miller Documentation/networking/tcp.txt | 31 +++++++++++++------------------ include/net/tcp.h | 2 +- 2 files changed, 14 insertions(+), 19 deletions(-) commit 57caf4ec2b8bfbcb4f738ab5a12eedf3a8786045 Author: Rafael J. Wysocki Date: Mon Jun 5 14:51:18 2017 +0200 cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min() Commit c5a2ee7dde89 (cpufreq: intel_pstate: Active mode P-state limits rework) incorrectly assumed that pstate.turbo_pstate would always be nonzero for CPU0 in min_perf_pct_min() if cpufreq_register_driver() had succeeded which may not be the case in virtualized environments. If that assumption doesn't hold, it leads to an early crash on boot in intel_pstate_register_driver(), so add a sanity check to min_perf_pct_min() to prevent the crash from happening. Fixes: c5a2ee7dde89 (cpufreq: intel_pstate: Active mode P-state limits rework) Reported-and-tested-by: Jongman Heo Signed-off-by: Rafael J. Wysocki drivers/cpufreq/intel_pstate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 06a4b6d009a1b74a6ec46c5418b46cc53a79fcb8 Author: Ard Biesheuvel Date: Wed May 24 15:31:57 2017 +0100 ARM: 8677/1: boot/compressed: fix decompressor header layout for v7-M As reported by Patrice, the header layout of the decompressor is incorrect when building for v7-M. In this case, the __nop macro resolves to 'mov r0, r0', which is emitted as a narrow encoding, resulting in the header data fields to end up at lower offsets than required. 
Given the variety of targets we need to support with the same code, the startup sequence is a bit of a jumble, and uses instructions and macros whose encoding widths cannot be specified (badr), or only exist in a narrow encoding (bx). So force the use of a wide encoding in __nop, and replace the start sequence with a simple jump to the label marking the start of code, preceded by a Thumb2 mode switch if required (using explicit wide encodings where appropriate). The label itself can be moved to the start of code [where it belongs] due to the larger range of branch instructions as compared to adr instructions. Reported-by: Patrice CHOTARD Acked-by: Nicolas Pitre Signed-off-by: Ard Biesheuvel Signed-off-by: Russell King arch/arm/boot/compressed/efi-header.S | 4 +--- arch/arm/boot/compressed/head.S | 17 ++++++++++------- 2 files changed, 11 insertions(+), 10 deletions(-) commit 7ef4783e19a84fe1e8b58f4c27b858dfdcaef207 Author: Vladimir Murzin Date: Wed May 24 10:30:18 2017 +0100 ARM: 8676/1: NOMMU: provide pgprot_device() macro NOMMU build leads to the following error: CC drivers/pci/mmap.o drivers/pci/mmap.c: In function 'pci_mmap_resource_range': drivers/pci/mmap.c:60:3: error: implicit declaration of function 'pgprot_device' [-Werror=implicit-function-declaration] vma->vm_page_prot = pgprot_device(vma->vm_page_prot); ^ cc1: some warnings being treated as errors scripts/Makefile.build:302: recipe for target 'drivers/pci/mmap.o' failed make[2]: *** [drivers/pci/mmap.o] Error 1 scripts/Makefile.build:561: recipe for target 'drivers/pci' failed make[1]: *** [drivers/pci] Error 2 Makefile:1016: recipe for target 'drivers' failed make: *** [drivers] Error 2 Fix it with support of pgprot_device() macro for NOMMU.
Fixes: 00d2904ffeac ("ARM/PCI: Use generic pci_mmap_resource_range()") Signed-off-by: Vladimir Murzin Signed-off-by: Russell King arch/arm/include/asm/pgtable-nommu.h | 1 + 1 file changed, 1 insertion(+) commit ae1d557d8f30cb097b4d1f2ab04fa294588ee1cf Author: Christian Sünkenberg Date: Sun Jun 4 19:18:39 2017 +0200 x86/cpu/cyrix: Add alternative Device ID of Geode GX1 SoC A SoC variant of Geode GX1, notably NSC branded SC1100, seems to report an inverted Device ID in its DIR0 configuration register, specifically 0xb instead of the expected 0x4. Catch this presumably quirky version so it's properly recognized as GX1 and has its cache switched to write-back mode, which provides a significant performance boost in most workloads. SC1100's datasheet "Geode™ SC1100 Information Appliance On a Chip", states in section 1.1.7.1 "Device ID" that device identification values are specified in SC1100's device errata. These, however, seem to not have been publicly released. Wading through a number of boot logs and /proc/cpuinfo dumps found on pastebin and blogs, this patch should mostly be relevant for a number of now admittedly aging Soekris NET4801 and PC Engines WRAP devices, the latter being the platform this issue was discovered on. Performance impact was verified using "openssl speed", with write-back caching scaling throughput between -3% and +41%. Signed-off-by: Christian Sünkenberg Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1496596719.26725.14.camel@student.kit.edu Signed-off-by: Ingo Molnar arch/x86/kernel/cpu/cyrix.c | 1 + 1 file changed, 1 insertion(+) commit 1195892c091a15cc862f4e202482a36adc924e12 Author: Breno Leitao Date: Fri Jun 2 18:43:30 2017 -0300 powerpc/kernel: Fix FP and vector register restoration Currently tsk->thread->load_vec and load_fp are not initialized during task creation, which can lead to garbage values in these variables (non-zero values). 
These variables will be checked later in restore_math() to validate if the FP and vector registers are being utilized. Since these values might be non-zero, the restore_math() will continue to save the FP and vectors even if they were never utilized by the userspace application. load_fp and load_vec counters will then overflow (they wrap at 255) and the FP and Altivec will be finally disabled, but before that condition is reached (counter overflow) several context switches will have restored FP and vector registers without need, causing a performance degradation. Fixes: 70fe3d980f5f ("powerpc: Restore FPU/VEC/VSX if previously used") Cc: stable@vger.kernel.org # v4.6+ Signed-off-by: Breno Leitao Signed-off-by: Gustavo Romero Acked-by: Anton Blanchard Signed-off-by: Michael Ellerman arch/powerpc/kernel/process.c | 2 ++ 1 file changed, 2 insertions(+) commit 6dc06c08bef1c746ff8da33dab677cfbacdcad32 Author: Talat Batheesh Date: Sun Jun 4 14:30:07 2017 +0300 net/mlx4: Fix the check in attaching steering rules Our previous patch (cited below) introduced a regression for RAW Eth QPs. Fix it by checking if the QP number provided by user-space exists, hence allowing steering rules to be added for valid QPs only. Fixes: 89c557687a32 ("net/mlx4_en: Avoid adding steering rules with invalid ring") Reported-by: Or Gerlitz Signed-off-by: Talat Batheesh Signed-off-by: Tariq Toukan Acked-by: Or Gerlitz Reviewed-by: Leon Romanovsky Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_ethtool.c | 5 ----- drivers/net/ethernet/mellanox/mlx4/mcg.c | 15 +++++++++++---- drivers/net/ethernet/mellanox/mlx4/qp.c | 13 +++++++++++++ include/linux/mlx4/qp.h | 1 + 4 files changed, 25 insertions(+), 9 deletions(-) commit b699d0035836f6712917a41e7ae58d84359b8ff9 Author: Haishuang Yan Date: Sun Jun 4 14:43:43 2017 +0800 sit: reload iphdr in ipip6_rcv Since iptunnel_pull_header() can call pskb_may_pull(), we must reload any pointer that was related to skb->head. 
Fixes: a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap") Signed-off-by: Haishuang Yan Signed-off-by: David S. Miller net/ipv6/sit.c | 1 + 1 file changed, 1 insertion(+) commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 Author: Eric Dumazet Date: Sat Jun 3 09:29:25 2017 -0700 net: ping: do not abuse udp_poll() Alexander reported various KASAN messages triggered in recent kernels. The problem is that ping sockets should not use udp_poll() in the first place, and recent changes in UDP stack finally exposed this old bug. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") Signed-off-by: Eric Dumazet Reported-by: Sasha Levin Cc: Solar Designer Cc: Vasiliy Kulikov Cc: Lorenzo Colitti Acked-By: Lorenzo Colitti Tested-By: Lorenzo Colitti Signed-off-by: David S. Miller include/net/ipv6.h | 1 + net/ipv4/af_inet.c | 2 +- net/ipv6/ping.c | 2 +- net/ipv6/raw.c | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) commit b07ac9894644202614ca87c69f3f45e424a82fef Author: Florian Fainelli Date: Fri Jun 2 22:05:23 2017 -0700 net: dsa: Fix stale cpu_switch reference after unbind then bind Commit 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]") replaced the use of dst->ds[0] with dst->cpu_switch since that is functionally equivalent, however, we can now run into a use-after-free scenario after unbinding then rebinding the switch driver. The use after free happens because we do correctly initialize dst->cpu_switch the first time we probe in dsa_cpu_parse(), then we unbind the driver: dsa_dst_unapply() is called, and we rebind again. dst->cpu_switch now points to a freed "ds" structure, and so when we finally dereference it in dsa_cpu_port_ethtool_setup(), we oops. To fix this, simply set dst->cpu_switch to NULL in dsa_dst_unapply() which guarantees that we always correctly re-assign dst->cpu_switch in dsa_cpu_parse().
Fixes: 9520ed8fb841 ("net: dsa: use cpu_switch instead of ds[0]") Signed-off-by: Florian Fainelli Reviewed-by: Vivien Didelot Signed-off-by: David S. Miller net/dsa/dsa2.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit e3e86b5119f81e5e2499bea7ea1ebe8ac6aab789 Author: David S. Miller Date: Sun Jun 4 21:41:10 2017 -0400 ipv6: Fix leak in ipv6_gso_segment(). If ip6_find_1stfragopt() fails and we return an error we have to free up 'segs' because nobody else is going to. Fixes: 2423496af35d ("ipv6: Prevent overrun when parsing v6 header options") Reported-by: Ben Hutchings Signed-off-by: David S. Miller net/ipv6/ip6_offload.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 9a1c44d989bff4c992b8b9a112d9fda275ea5515 Author: Eric Garver Date: Fri Jun 2 14:54:10 2017 -0400 geneve: fix needed_headroom and max_mtu for collect_metadata Since commit 9b4437a5b870 ("geneve: Unify LWT and netdev handling.") when using COLLECT_METADATA geneve devices are created with too small of a needed_headroom and too large of a max_mtu. This is because ip_tunnel_info_af() is not valid with the device level info when using COLLECT_METADATA and we mistakenly fall into the IPv4 case. For COLLECT_METADATA, always use the worst case of ipv6 since both sockets are created. Fixes: 9b4437a5b870 ("geneve: Unify LWT and netdev handling.") Signed-off-by: Eric Garver Acked-by: Pravin B Shelar Signed-off-by: David S. Miller drivers/net/geneve.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 38b257938ac6655d0d6333743303231b9c465ec1 Author: Soheil Hassas Yeganeh Date: Fri Jun 2 12:38:22 2017 -0400 sock: reset sk_err when the error queue is empty Prior to f5f99309fa74 (sock: do not set sk_err in sock_dequeue_err_skb), sk_err was reset to the error of the skb on the head of the error queue. Applications, most notably ping, are relying on this behavior to reset sk_err for ICMP packets. 
Set sk_err to the ICMP error when there is an ICMP packet at the head of the error queue. Fixes: f5f99309fa74 (sock: do not set sk_err in sock_dequeue_err_skb) Reported-by: Cyril Hrubis Tested-by: Cyril Hrubis Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: Eric Dumazet Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller net/core/skbuff.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit a7c0b8bee212e22725196fda8389bff9ade3ac68 Author: Michal Hocko Date: Fri Jun 2 17:54:08 2017 +0200 amd-xgbe: use PAGE_ALLOC_COSTLY_ORDER in xgbe_map_rx_buffer xgbe_map_rx_buffer is rather confused about what PAGE_ALLOC_COSTLY_ORDER means. It uses PAGE_ALLOC_COSTLY_ORDER-1 assuming that PAGE_ALLOC_COSTLY_ORDER is the first costly order which is not the case actually because orders larger than that are costly. And even that applies only to sleeping allocations which is not the case here. We simply do not perform any costly operations like reclaim or compaction for those. Simplify the code by dropping the order calculation and use PAGE_ALLOC_COSTLY_ORDER directly. Signed-off-by: Michal Hocko Acked-by: Tom Lendacky Signed-off-by: David S. Miller drivers/net/ethernet/amd/xgbe/xgbe-desc.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 5f733ee68f9a4df94775299ac6a7ab260704f6ed Author: Liam McBirnie Date: Thu Jun 1 15:36:01 2017 +1000 ip6_tunnel: fix traffic class routing for tunnels ip6_route_output() requires that the flowlabel contains the traffic class for policy routing. Commit 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets") removed the code which previously added the traffic class to the flowlabel. The traffic class is added here because only route lookup needs the flowlabel to contain the traffic class. Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets") Signed-off-by: Liam McBirnie Acked-by: Peter Dawson Signed-off-by: David S. 
Miller net/ipv6/ip6_tunnel.c | 3 +++ 1 file changed, 3 insertions(+) commit 3c2993b8c6143d8a5793746a54eba8f86f95240f Author: Linus Torvalds Date: Sun Jun 4 16:47:43 2017 -0700 Linux 4.12-rc4 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 239e250e4acbc0104d514307029c0839e834a51a Author: Richard Narron Date: Sun Jun 4 16:23:18 2017 -0700 fs/ufs: Set UFS default maximum bytes per file This fixes a problem with reading files larger than 2GB from a UFS-2 file system: https://bugzilla.kernel.org/show_bug.cgi?id=195721 The incorrect UFS s_maxsize limit became a problem as of commit c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()") which started using s_maxbytes to avoid a page index overflow in do_generic_file_read(). That caused files to be truncated on UFS-2 file systems because the default maximum file size is 2GB (MAX_NON_LFS) and UFS didn't update it. Here I simply increase the default to a common value used by other file systems. Signed-off-by: Richard Narron Cc: Al Viro Cc: Will B Cc: Theodore Ts'o Cc: # v4.9 and backports of c2a9737f45e2 Signed-off-by: Linus Torvalds fs/ufs/super.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 246096690be0742d9bb5f3456d2cb95b68f7b46d Author: Timur Tabi Date: Thu Jun 1 16:08:13 2017 -0500 net: qcom/emac: do not use hardware mdio automatic polling Use software polling (PHY_POLL) to check for link state changes instead of relying on the EMAC's hardware polling feature. Some PHY drivers are unable to get a functioning link because the HW polling is not robust enough. The EMAC is able to poll the PHY on the MDIO bus looking for link state changes (via the Link Status bit in the Status Register at address 0x1). When the link state changes, the EMAC triggers an interrupt and tells the driver what the new state is. The feature eliminates the need for software to poll the MDIO bus. 
Unfortunately, this feature is incompatible with phylib, because it ignores everything that the PHY core and PHY drivers are trying to do. In particular: 1. It assumes a compatible register set, so PHYs with different registers may not work. 2. It doesn't allow for hardware errata that have work-arounds implemented in the PHY driver. 3. It doesn't support multiple register pages. If the PHY core switches the register set to another page, the EMAC won't know the page has changed and will still attempt to read the same PHY register. 4. It only checks the copper side of the link, not the SGMII side. Some PHY drivers (e.g. at803x) may also check the SGMII side, and report the link as not ready during autonegotiation if the SGMII link is still down. Phylib then waits for another interrupt to query the PHY again, but the EMAC won't send another interrupt because it thinks the link is up. Cc: stable@vger.kernel.org # 4.11.x Tested-by: Manoj Iyer Signed-off-by: Timur Tabi Signed-off-by: David S. 
Miller drivers/net/ethernet/qualcomm/emac/emac-mac.c | 2 +- drivers/net/ethernet/qualcomm/emac/emac-phy.c | 75 ++------------------------- drivers/net/ethernet/qualcomm/emac/emac.c | 22 +------- 3 files changed, 6 insertions(+), 93 deletions(-) commit 125f42b0e226d201a2118b79a6c7f1ddb9aabe1d Merge: 3c06e6c 4f253e1 Author: Linus Torvalds Date: Sun Jun 4 11:56:53 2017 -0700 Merge tag 'nfs-for-4.12-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Bugfixes include: - Fix a typo in commit e092693443b ("NFS append COMMIT after synchronous COPY") that breaks copy offload - Fix the connect error propagation in xs_tcp_setup_socket() - Fix a lock leak in nfs40_walk_client_list - Verify that pNFS requests lie within the offset range of the layout segment" * tag 'nfs-for-4.12-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: nfs: Mark unnecessarily extern functions as static SUNRPC: ensure correct error is reported by xs_tcp_setup_socket() NFSv4.0: Fix a lock leak in nfs40_walk_client_list pnfs: Fix the check for requests in range of layout segment xprtrdma: Delete an error message for a failed memory allocation in xprt_rdma_bc_setup() pNFS/flexfiles: missing error code in ff_layout_alloc_lseg() NFS fix COMMIT after COPY commit 3c06e6cbdb6a3faa73fbdfd9022e23f82d24c372 Merge: e00811b fc098af Author: Linus Torvalds Date: Sun Jun 4 11:41:41 2017 -0700 Merge tag 'tty-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty fix from Greg KH: "Here is a single tty core fix for 4.12-rc4. It reverts a patch that a lot of people reported as causing lockdep and other warnings. Right after I reverted this in my tree, it seems like another "correct" fix might have shown up, but it's too late in the release cycle to be messing with tty core locking, so let's just revert this for now to go back how things always have been and try it again for 4.13. 
This has not been in linux-next as I only reverted it a few hours ago" * tag 'tty-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: Revert "tty: fix port buffer locking" commit e00811b4ca520e5a876baf41c6831de4bc276d3e Merge: 9f03b2c 0fd5f22 Author: Linus Torvalds Date: Sun Jun 4 11:37:42 2017 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input subsystem fixes from Dmitry Torokhov: - a couple of regression fixes in synaptics and axp20x-pek drivers - try to ease transition from PS/2 to RMI for Synaptics touchpad users by ensuring we do not try to activate RMI mode when RMI SMBus support is not enabled, and nag users a bit to enable it - plus a couple of other changes that seemed worthwhile for this release * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: axp20x-pek - switch to acpi_dev_present and check for ACPI0011 too Input: axp20x-pek - only check for "INTCFD9" ACPI device on Cherry Trail Input: tm2-touchkey - use LEN_ON as boolean value instead of LED_FULL Input: synaptics - tell users to report when they should be using rmi-smbus Input: synaptics - warn the users when there is a better mode Input: synaptics - keep PS/2 around when RMI4_SMB is not enabled Input: synaptics - clear device info before filling in Input: silead - disable interrupt during suspend commit 9f03b2c7c576bbc427b4c214b2c548f3539b17a2 Merge: 1f915b7 6ceec69 Author: Linus Torvalds Date: Sun Jun 4 11:29:32 2017 -0700 Merge tag 'rtc-4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux Pull RTC fixlet from Alexandre Belloni: "A single patch, not really a fix but I don't think there is any reason to delay it. 
Change the mailing list address" * tag 'rtc-4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux: MAINTAINERS: update RTC mailing list commit 963761a0b2e85663ee4a5630f72930885a06598a Author: Sean Young Date: Wed May 24 06:24:51 2017 -0300 [media] rc-core: race condition during ir_raw_event_register() A rc device can call ir_raw_event_handle() after rc_allocate_device(), but before rc_register_device() has completed. This is racy because rcdev->raw is set before rcdev->raw->thread has a valid value. Cc: stable@kernel.org Reported-by: kbuild test robot Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab drivers/media/rc/rc-ir-raw.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit 20249f84238e006ef7b726d3211a70de7454d045 Author: Hans Verkuil Date: Sun May 28 05:52:16 2017 -0300 [media] cec: drop MEDIA_CEC_DEBUG Just depend on DEBUG_FS, no need to invent a new kernel config. Especially since CEC can be enabled by drm without enabling MEDIA_SUPPORT. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/cec/Kconfig | 6 ------ drivers/media/cec/cec-adap.c | 2 +- drivers/media/cec/cec-core.c | 4 ++-- 3 files changed, 3 insertions(+), 9 deletions(-) commit e94c32818d865b620c9bbd2656ab3199259ef9ec Author: Hans Verkuil Date: Sun May 28 05:58:04 2017 -0300 [media] cec: rename MEDIA_CEC_NOTIFIER to CEC_NOTIFIER This config option is strictly speaking independent of the media subsystem since it can be used by drm as well. Besides, it looks odd when drivers select CEC_CORE and MEDIA_CEC_NOTIFIER, that's inconsistent naming.
Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/Kconfig | 2 +- drivers/media/cec/Makefile | 2 +- drivers/media/cec/cec-core.c | 4 ++-- drivers/media/platform/Kconfig | 4 ++-- include/media/cec-notifier.h | 2 +- include/media/cec.h | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) commit 9177e51d1434076a91f9bfb693deae8b955d6d57 Author: Hans Verkuil Date: Sun May 28 05:48:37 2017 -0300 [media] cec: select CEC_CORE instead of depend on it The CEC framework is used by both drm and media. That makes it tricky to get the dependencies right. This patch moves the CEC_CORE and MEDIA_CEC_NOTIFIER config options out of the media menu and instead drivers that want to use CEC should select CEC_CORE and MEDIA_CEC_NOTIFIER (if needed). Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/Kconfig | 6 ++++++ drivers/media/Makefile | 4 ++-- drivers/media/cec/Kconfig | 8 -------- drivers/media/i2c/Kconfig | 9 ++++++--- drivers/media/platform/Kconfig | 6 ++++-- drivers/media/platform/vivid/Kconfig | 3 ++- drivers/media/usb/pulse8-cec/Kconfig | 3 ++- drivers/media/usb/rainshadow-cec/Kconfig | 3 ++- 8 files changed, 24 insertions(+), 18 deletions(-) commit ca33784ba4949856a94a545c91429aae5c8b658d Author: Colin Ian King Date: Fri May 19 14:45:15 2017 -0300 [media] rainshadow-cec: ensure exit_loop is intialized exit_loop is not being initialized, so it contains garbage. Ensure it is initialized to false. 
Detected by CoverityScan, CID#1436409 ("Uninitialized scalar variable") Fixes: ea6a69defd3311 ("[media] rainshadow-cec: avoid -Wmaybe-uninitialized warning") Signed-off-by: Colin Ian King Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/media/usb/rainshadow-cec/rainshadow-cec.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f224c5768c78cb42f582636c4720a4d81d452778 Author: Mauro Carvalho Chehab Date: Thu May 18 05:40:18 2017 -0300 [media] atomisp: don't treat warnings as errors Several atomisp files use: ccflags-y += -Werror As, on media, our usual procedure is to use W=1, and atomisp has *a lot* of warnings with such flag enabled, like: ./drivers/staging/media/atomisp/pci/atomisp2/css2400/hive_isp_css_common/host/system_local.h:62:26: warning: 'DDR_BASE' defined but not used [-Wunused-const-variable=] At the end, it causes our build to fail, impacting our workflow. So, remove this crap. If one wants to force -Werror, he can still build with it enabled by passing a parameter to make. Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/atomisp/i2c/Makefile | 2 -- drivers/staging/media/atomisp/i2c/imx/Makefile | 2 -- drivers/staging/media/atomisp/i2c/ov5693/Makefile | 2 -- drivers/staging/media/atomisp/pci/atomisp2/Makefile | 2 +- 4 files changed, 1 insertion(+), 7 deletions(-) commit 1f915b7fedd605d69baa581130abc5a38334eaa5 Merge: 55cbdaf 75b6125 Author: Linus Torvalds Date: Sun Jun 4 11:15:43 2017 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is nine fixes, seven of which are for the qedi driver (new as of 4.10) the other two are a use after free in the cxgbi drivers and a potential NULL dereference in the rdac device handler" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: libcxgbi: fix skb use after free scsi: qedi: Fix endpoint NULL panic during recovery.
scsi: qedi: set max_fin_rt default value scsi: qedi: Set firmware tcp msl timer value. scsi: qedi: Fix endpoint NULL panic in qedi_set_path. scsi: qedi: Set dma_boundary to 0xfff. scsi: qedi: Correctly set firmware max supported BDs. scsi: qedi: Fix bad pte call trace when iscsiuio is stopped. scsi: scsi_dh_rdac: Use ctlr directly in rdac_failover_get() commit 55cbdaf6399de16b61d40d49b6c8bb739a877dea Merge: ea094f3 d3957b86 Author: Linus Torvalds Date: Sun Jun 4 10:41:32 2017 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "For the most part this is just a minor -rc cycle for the rdma subsystem. Even given that this is all of the -rc patches since the merge window closed, it's still only about 25 patches: - Multiple i40iw, nes, iw_cxgb4, hfi1, qib, mlx4, mlx5 fixes - A few upper layer protocol fixes (IPoIB, iSER, SRP) - A modest number of core fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (26 commits) RDMA/SA: Fix kernel panic in CMA request handler flow RDMA/umem: Fix missing mmap_sem in get umem ODP call RDMA/core: not to set page dirty bit if it's already set. 
RDMA/uverbs: Declare local function static and add brackets to sizeof RDMA/netlink: Reduce exposure of RDMA netlink functions RDMA/srp: Fix NULL deref at srp_destroy_qp() RDMA/IPoIB: Limit the ipoib_dev_uninit_default scope RDMA/IPoIB: Replace netdev_priv with ipoib_priv for ipoib_get_link_ksettings RDMA/qedr: add null check before pointer dereference RDMA/mlx5: set UMR wqe fence according to HCA cap net/mlx5: Define interface bits for fencing UMR wqe RDMA/mlx4: Fix MAD tunneling when SRIOV is enabled RDMA/qib,hfi1: Fix MR reference count leak on write with immediate RDMA/hfi1: Defer setting VL15 credits to link-up interrupt RDMA/hfi1: change PCI bar addr assignments to Linux API functions RDMA/hfi1: fix array termination by appending NULL to attr array RDMA/iw_cxgb4: fix the calculation of ipv6 header size RDMA/iw_cxgb4: calculate t4_eq_status_entries properly RDMA/iw_cxgb4: Avoid touch after free error in ARP failure handlers RDMA/nes: ACK MPA Reply frame ... commit ff86bf0c65f14346bf2440534f9ba5ac232c39a0 Author: Thomas Gleixner Date: Tue May 30 23:15:35 2017 +0200 alarmtimer: Rate limit periodic intervals The alarmtimer code has another source of potentially rearming itself too fast. Interval timers with a very small interval have a similar CPU hog effect as the previously fixed overflow issue. The reason is that alarmtimers do not implement the normal protection against this kind of problem which the other posix timers use: timer expires -> queue signal -> deliver signal -> rearm timer This scheme brings the rearming under scheduler control and prevents permanently firing timers which hog the CPU. Bringing this scheme to the alarm timer code is a major overhaul because it lacks all the necessary mechanisms completely. So for a quick fix limit the interval to one jiffy. This is not problematic in practice as alarmtimers are usually backed by an RTC for suspend which have 1 second resolution.
It could be therefore argued that the resolution of this clock should be set to 1 second in general, but that's outside the scope of this fix. Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Kostya Serebryany Cc: syzkaller Cc: John Stultz Cc: Dmitry Vyukov Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20170530211655.896767100@linutronix.de kernel/time/alarmtimer.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit f4781e76f90df7aec400635d73ea4c35ee1d4765 Author: Thomas Gleixner Date: Tue May 30 23:15:34 2017 +0200 alarmtimer: Prevent overflow of relative timers Andrey reported an alarmtimer related RCU stall while fuzzing the kernel with syzkaller. The reason for this is an overflow in ktime_add() which brings the resulting time into negative space and causes immediate expiry of the timer. The following rearm with a small interval does not bring the timer back into positive space due to the same issue. This results in a permanent firing alarmtimer which hogs the CPU. Use ktime_add_safe() instead which detects the overflow and clamps the result to KTIME_SEC_MAX. Reported-by: Andrey Konovalov Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Kostya Serebryany Cc: syzkaller Cc: John Stultz Cc: Dmitry Vyukov Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20170530211655.802921648@linutronix.de kernel/time/alarmtimer.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit fc098af16b9ff6d470d779d8ddcfb2d91869045a Author: Greg Kroah-Hartman Date: Sun Jun 4 10:23:25 2017 +0200 Revert "tty: fix port buffer locking" This reverts commit 925bb1ce47f429f69aad35876df7ecd8c53deb7e. It causes lots of warnings and problems so for now, let's just revert it.
Reported-by: Reported-by: Russell King Reported-by: Sergey Senozhatsky Reported-by: Geert Uytterhoeven Reported-by: Jiri Slaby Reported-by: Andrey Konovalov Acked-by: Vegard Nossum Signed-off-by: Greg Kroah-Hartman drivers/tty/tty_port.c | 2 -- 1 file changed, 2 deletions(-) commit 4f253e1eb628f5adf7ca4f43aab4bbb1bfffa081 Author: Jan Kara Date: Tue May 16 12:18:11 2017 +0200 nfs: Mark unnecessarily extern functions as static nfs_initialise_sb() and nfs_clone_super() are declared as extern even though they are used only in fs/nfs/super.c. Mark them as static. Also remove explicit 'inline' directive from nfs_initialise_sb() and leave it up to the compiler to decide whether inlining is worth it. Signed-off-by: Jan Kara Signed-off-by: Trond Myklebust fs/nfs/internal.h | 2 -- fs/nfs/super.c | 5 +++-- 2 files changed, 3 insertions(+), 4 deletions(-) commit ea094f3c830a67f252677aacba5d04ebcf55c4d9 Merge: cc54874 5f348fa Author: Linus Torvalds Date: Sat Jun 3 08:45:03 2017 -0700 Merge tag 'hwmon-for-linus-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: "A couple of patches for the aspeed pwm fan driver" * tag 'hwmon-for-linus-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (aspeed-pwm-tacho) make fan/pwm names start with index 1 hwmon: (aspeed-pwm-tacho) Call of_node_put() on a node not claimed hwmon: (aspeed-pwm-tacho) On read failure return -ETIMEDOUT hwmon: (aspeed-pwm-tacho) Select REGMAP commit cc54874055c007cd599138a394d1f039e4e0764b Merge: 104c08b 05e97a9 Author: Linus Torvalds Date: Sat Jun 3 08:42:30 2017 -0700 Merge tag 'for-linus-20170602' of git://git.infradead.org/linux-mtd Pull MTD fixes from Brian Norris: "NAND updates from Boris: tango fixes: - Add missing MODULE_DEVICE_TABLE() in tango_nand.c - Update the number of corrected bitflips core fixes: - Fix a long standing memory leak in nand_scan_tail() - Fix several bugs introduced by the per-vendor
init/detection infrastructure (introduced in 4.12) - Add a static specifier to nand_ooblayout_lp_hamming_ops definition" * tag 'for-linus-20170602' of git://git.infradead.org/linux-mtd: mtd: nand: make nand_ooblayout_lp_hamming_ops static mtd: nand: tango: Update ecc_stats.corrected mtd: nand: tango: Export OF device ID table as module aliases mtd: nand: samsung: warn about un-parseable ECC info mtd: nand: free vendor-specific resources in init failure paths mtd: nand: drop unneeded module.h include mtd: nand: don't leak buffers when ->scan_bbt() fails commit 3116a23bb30272d74ea81baf5d0ee23f602dd15b Author: Dmitry Monakhov Date: Wed May 10 19:20:44 2017 +0400 bio-integrity: Do not allocate integrity context for bio w/o data If bio has no data, such as ones from blkdev_issue_flush(), then we have nothing to protect. This patch prevent bugon like follows: kfree_debugcheck: out of range ptr ac1fa1d106742a5ah kernel BUG at mm/slab.c:2773! invalid opcode: 0000 [#1] SMP Modules linked in: bcache CPU: 0 PID: 4428 Comm: xfs_io Tainted: G W 4.11.0-rc4-ext4-00041-g2ef0043-dirty #43 Hardware name: Virtuozzo KVM, BIOS seabios-1.7.5-11.vz7.4 04/01/2014 task: ffff880137786440 task.stack: ffffc90000ba8000 RIP: 0010:kfree_debugcheck+0x25/0x2a RSP: 0018:ffffc90000babde0 EFLAGS: 00010082 RAX: 0000000000000034 RBX: ac1fa1d106742a5a RCX: 0000000000000007 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88013f3ccb40 RBP: ffffc90000babde8 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000fcb76420 R11: 00000000725172ed R12: 0000000000000282 R13: ffffffff8150e766 R14: ffff88013a145e00 R15: 0000000000000001 FS: 00007fb09384bf40(0000) GS:ffff88013f200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd0172f9e40 CR3: 0000000137fa9000 CR4: 00000000000006f0 Call Trace: kfree+0xc8/0x1b3 bio_integrity_free+0xc3/0x16b bio_free+0x25/0x66 bio_put+0x14/0x26 blkdev_issue_flush+0x7a/0x85 blkdev_fsync+0x35/0x42 vfs_fsync_range+0x8e/0x9f 
vfs_fsync+0x1c/0x1e do_fsync+0x31/0x4a SyS_fsync+0x10/0x14 entry_SYSCALL_64_fastpath+0x1f/0xc2 Reviewed-by: Christoph Hellwig Reviewed-by: Hannes Reinecke Reviewed-by: Martin K. Petersen Signed-off-by: Dmitry Monakhov Signed-off-by: Jens Axboe block/bio-integrity.c | 3 +++ 1 file changed, 3 insertions(+) commit 5f348fa35a28b19cf7ee1eaa420757341a724c86 Author: Stefan Schaeckeler Date: Fri Jun 2 12:43:28 2017 -0700 hwmon: (aspeed-pwm-tacho) make fan/pwm names start with index 1 Make fan and pwm names in sysfs start with index 1 in accordance to Documentation/hwmon/sysfs-interface conventions. Current implementation starts with index 0, making tools such as sensors(1) skip the first fan. Signed-off-by: Stefan Schaeckeler Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach") Signed-off-by: Guenter Roeck drivers/hwmon/aspeed-pwm-tacho.c | 52 ++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 26 deletions(-) commit 4d58e7329fdd87d37f04b319d6a5165aaff5d75c Author: Stefan Schaeckeler Date: Fri Jun 2 12:42:08 2017 -0700 hwmon: (aspeed-pwm-tacho) Call of_node_put() on a node not claimed Call of_node_put() on a node claimed with of_node_get() or by any other means such as for_each_child_of_node(). Signed-off-by: Stefan Schaeckeler Fixes: 2d7a548a3eff ("drivers: hwmon: Support for ASPEED PWM/Fan tach") Signed-off-by: Guenter Roeck drivers/hwmon/aspeed-pwm-tacho.c | 1 - 1 file changed, 1 deletion(-) commit 6f9193ec044a8f72d8b6ae94a5c4ab6e8b0f00ca Author: Pratyush Anand Date: Mon May 29 22:08:24 2017 +0300 mei: make sysfs modalias format similar as uevent modalias modprobe is not able to resolve sysfs modalias for mei devices. 
# cat /sys/class/watchdog/watchdog0/device/watchdog/watchdog0/device/modalias mei::05b79a6f-4628-4d7f-899d-a91514cb32ab: # modprobe --set-version 4.9.6-200.fc25.x86_64 -R mei::05b79a6f-4628-4d7f-899d-a91514cb32ab: modprobe: FATAL: Module mei::05b79a6f-4628-4d7f-899d-a91514cb32ab: not found in directory /lib/modules/4.9.6-200.fc25.x86_64 # cat /lib/modules/4.9.6-200.fc25.x86_64/modules.alias | grep 05b79a6f-4628-4d7f-899d-a91514cb32ab alias mei:*:05b79a6f-4628-4d7f-899d-a91514cb32ab:*:* mei_wdt commit b26864cad1c9 ("mei: bus: add client protocol version to the device alias"), however sysfs modalias is still in format mei:S:uuid:*. This patch equates format of uevent and sysfs modalias so that modprobe is able to resolve the aliases. Cc: 4.7+ Fixes: commit b26864cad1c9 ("mei: bus: add client protocol version to the device alias") Signed-off-by: Pratyush Anand Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman drivers/misc/mei/bus.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 32829da54d9368103a2f03269a5120aa9ee4d5da Author: Julius Werner Date: Fri Jun 2 15:36:39 2017 -0700 drivers: char: mem: Fix wraparound check to allow mappings up to the end A recent fix to /dev/mem prevents mappings from wrapping around the end of physical address space. However, the check was written in a way that also prevents a mapping reaching just up to the end of physical address space, which may be a valid use case (especially on 32-bit systems). This patch fixes it by checking the last mapped address (instead of the first address behind that) for overflow.
Fixes: b299cde245 ("drivers: char: mem: Check for address space wraparound with mmap()") Cc: Reported-by: Nico Huber Signed-off-by: Julius Werner Signed-off-by: Greg Kroah-Hartman drivers/char/mem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1454e15bc28ba94aa5d6b31a83a42d5c03af2a6d Author: Wei Yongjun Date: Tue May 16 15:26:12 2017 +0000 iio: adc: mxs-lradc: Fix return value check in mxs_lradc_adc_probe() In case of error, the function devm_ioremap() returns NULL pointer not ERR_PTR(). The IS_ERR() test in the return value check should be replaced with NULL test. Also add NULL test for iores. Signed-off-by: Wei Yongjun Signed-off-by: Jonathan Cameron drivers/iio/adc/mxs-lradc-adc.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 948588e25b8af5e66962ed3f53e1cae1656fa5af Author: Jean-Baptiste Maneyrol Date: Mon May 29 09:59:40 2017 +0000 iio: imu: inv_mpu6050: add accel lpf setting for chip >= MPU6500 Starting from MPU6500, accelerometer dlpf is set in a separate register named ACCEL_CONFIG_2. Add this new register in the map and set it for the corresponding chips. Signed-off-by: Jean-Baptiste Maneyrol Cc: stable@vger.kernel.org Signed-off-by: Jonathan Cameron drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 39 +++++++++++++++++++++++++++--- drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 3 +++ 2 files changed, 39 insertions(+), 3 deletions(-) commit 0a33252e060e97ed3fbdcec9517672f1e91aaef3 Author: Oleg Drokin Date: Fri May 26 23:40:33 2017 -0400 staging/lustre/lov: remove set_fs() call from lov_getstripe() lov_getstripe() calls set_fs(KERNEL_DS) so that it can handle a struct lov_user_md pointer from user- or kernel-space. This changes the behavior of copy_from_user() on SPARC and may result in a misaligned access exception which in turn oopses the kernel. 
In fact the relevant argument to lov_getstripe() is never called with a kernel-space pointer and so changing the address limits is unnecessary and so we remove the calls to save, set, and restore the address limits. Signed-off-by: John L. Hammond Reviewed-on: http://review.whamcloud.com/6150 Intel-bug-id: https://jira.hpdd.intel.com/browse/LU-3221 Reviewed-by: Andreas Dilger Reviewed-by: Li Wei Signed-off-by: Oleg Drokin Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/staging/lustre/lustre/lov/lov_pack.c | 9 --------- 1 file changed, 9 deletions(-) commit 40da1b11f01e43aad1aa6cea64681b6125e8a2a7 Author: Sebastian Andrzej Siewior Date: Fri Jun 2 16:27:14 2017 +0200 cpu/hotplug: Drop the device lock on error If a custom CPU target is specified and that one is not available _or_ can't be interrupted then the code returns to userland without dropping a lock as noticed by lockdep: |echo 133 > /sys/devices/system/cpu/cpu7/hotplug/target | ================================================ | [ BUG: lock held when returning to user space! ] | ------------------------------------------------ | bash/503 is leaving the kernel with locks still held! | 1 lock held by bash/503: | #0: (device_hotplug_lock){+.+...}, at: [] lock_device_hotplug_sysfs+0x10/0x40 So release the lock then. Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20170602142714.3ogo25f2wbq6fjpj@linutronix.de kernel/cpu.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f74994a94063bc85ac1d6ad677ed06b5279c101f Author: Chen-Yu Tsai Date: Wed May 31 15:58:24 2017 +0800 arm64: allwinner: a64: Add PLL_PERIPH0 clock to the R_CCU The AR100 clock within the R_CCU (PRCM) has the PLL_PERIPH0 as one of its parents. This adds the reference in the device tree describing this relationship.
This patch uses a raw number for the clock index to ease merging by avoiding cross tree dependencies. Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard arch/arm64/boot/dts/allwinner/sun50i-a64.dtsi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 77125a701adb21bfc03a2af211f472f8b490a084 Author: Chen-Yu Tsai Date: Wed May 31 15:58:22 2017 +0800 ARM: sunxi: h3-h5: Add PLL_PERIPH0 clock to the R_CCU The AR100 clock within the R_CCU (PRCM) has the PLL_PERIPH0 as one of its parents. This adds the reference in the device tree describing this relationship. This patch uses a raw number for the clock index to ease merging by avoiding cross tree dependencies. Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard arch/arm/boot/dts/sunxi-h3-h5.dtsi | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 29532e7b67f0ce0576e56f8ab0eeda311cde3b4b Merge: b132e4a2 9605bc4 Author: Greg Kroah-Hartman Date: Sat Jun 3 09:55:59 2017 +0900 Merge tag 'phy-for-4.12-rc-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-linus Kishon writes: phy: for 4.12-rc *) Fix return value check in phy-qcom-qmp driver *) Fix memory allocation bug in phy-qcom-qmp driver Signed-off-by: Kishon Vijay Abraham I commit 0fd5f221093870d93edb696f6903b058c4d75411 Author: Hans de Goede Date: Fri Jun 2 17:50:22 2017 -0700 Input: axp20x-pek - switch to acpi_dev_present and check for ACPI0011 too acpi_dev_found checks that there is a matching ACPI node, but it may be disabled (_STA method returns 0) in which case the soc_button_array driver will not bind to it and axp20x-pek should handle the power-button. This commit switches from acpi_dev_found to acpi_dev_present to avoid not registering an input-dev for the powerbutton when there is a disabled PNP0C40 device. 
The ACPI-6.0 standard defines a standard gpio button device using the ACPI0011 HID replacing the custom PNP0C40 gpio device, many newer devices define both PNP0C40 and ACPI0011 devices enabling one or the other depending on whether the BIOS thinks it is going to boot Android or Windows. This commit adds a check for the ACPI0011 device, so that if either device is present *and* enabled we don't register an input-dev for the powerbutton. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov drivers/input/misc/axp20x-pek.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 8d4b31376974855cd4fb176e5d63ba8e0407928e Author: Hans de Goede Date: Fri Jun 2 17:18:47 2017 -0700 Input: axp20x-pek - only check for "INTCFD9" ACPI device on Cherry Trail Commit 9b13a4ca8d2c ("Input: axp20x-pek - do not register input device on some systems") added a check for the INTCFD9 ACPI device which also handles the powerbutton as on some systems the powerbutton is connected to both the PMIC, handled by axp20x-pek, and to a gpio on the SoC, handled by soc_button_array which attaches itself to the INTCFD9 ACPI device. Testing + comparing DSDTs has shown that this only happens on Cherry Trail devices with an AXP288 PMIC, the AXP288 PMIC is also used on Bay Trail devices but there the power button is only connected to the PMIC and not handled by soc_button_array. This means that the INTCFD9 check has caused a regression on Bay Trail devices, causing power-button presses to no longer be seen. This commit fixes this by limiting the check to devices where the ACPI node for the AXP288 contains a _HRV (hardware revision) attribute with a value of 3 which indicates we are dealing with a Cherry Trail platform. 
    Fixes: 9b13a4ca8d2c ("Input: axp20x-pek - do not register input ...")
    Reported-by: Сергей Трусов
    Signed-off-by: Hans de Goede
    Signed-off-by: Dmitry Torokhov

 drivers/input/misc/axp20x-pek.c | 43 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 36 insertions(+), 7 deletions(-)

commit eadcbfa58ae8693f0d6a0f591d8f51d55cf068e1
Merge: c4beedb 5ed02db
Author: Dmitry Torokhov
Date:   Fri Jun 2 17:49:10 2017 -0700

    Merge tag 'v4.12-rc3' into for-linus

    Merge with mainline to get acpi_dev_present() needed by patches to
    axp20x-pek driver.

commit b132e4a25dccf5d5857e6ce2d96541be51aa9c5e
Merge: b3addcf afbbc79
Author: Greg Kroah-Hartman
Date:   Sat Jun 3 09:47:16 2017 +0900

    Merge tag 'fixes-for-v4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

    Felipe writes:

    usb: fixes for v4.12-rc4

    A fix to a really old synchronization bug on mass storage gadget.

    Support for Meson8 SoCs on dwc2

    Synchronization fixes on renesas USB driver.

commit 104c08ba8e921ef97abfdc10408d54921a6d9003
Merge: 89af529 6031913
Author: Linus Torvalds
Date:   Fri Jun 2 16:36:23 2017 -0700

    Merge tag 'acpi-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

    Pull ACPI fixes from Rafael Wysocki:
     "These revert one more problematic commit related to the ACPI-based
      handling of laptop lids and make some unuseful error messages coming
      from ACPICA go away.

      Specifics:

       - Revert one more commit related to the ACPI-based handling of
         laptop lids that changed the default behavior on laptops that
         booted with closed lids and introduced a regression there
         (Benjamin Tissoires).

       - Add a missing acpi_put_table() to the code implementing the
         /sys/firmware/acpi/tables interface to prevent a counter in the
         ACPICA core from overflowing (Dan Williams).
       - Drop error messages printed by ACPICA on acpi_get_table()
         reference counting mismatches as they need not indicate real
         errors at this point (Lv Zheng)"

    * tag 'acpi-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
      ACPICA: Tables: Fix regression introduced by a too early mechanism enabling
      Revert "ACPI / button: Change default behavior to lid_init_state=open"
      ACPI / sysfs: fix acpi_get_table() leak / acpi-sysfs denial of service

commit 89af529a6469d612258fce5745a7d45430f316ce
Merge: 5a4829b bb5710e
Author: Linus Torvalds
Date:   Fri Jun 2 16:33:33 2017 -0700

    Merge tag 'pm-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

    Pull power management fixes from Rafael Wysocki:
     "These fix two bugs in error code paths in the cpufreq core and in the
      kirkwood-cpufreq driver.

      Specifics:

       - Make cpufreq_register_driver() return an error if the ->init()
         calls fail for all CPUs to prevent non-functional drivers from
         hanging around for no reason (David Arcari).
       - Make kirkwood-cpufreq check the return value of
         clk_prepare_enable() (which may fail) as appropriate (Arvind
         Yadav)"

    * tag 'pm-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
      cpufreq: kirkwood-cpufreq:- Handle return value of clk_prepare_enable()
      cpufreq: cpufreq_register_driver() should return -ENODEV if init fails

commit 5a4829b564d2f69574dc55bba2ada3ee72022187
Merge: f219764 9dfa7bb
Author: Linus Torvalds
Date:   Fri Jun 2 16:19:47 2017 -0700

    Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random

    Pull /dev/random bug fix from Ted Ts'o:
     "Fix a race on architectures with prioritized interrupts (such as
      m68k) which can cause crashes in drivers/char/random.c:get_reg()"

    * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
      fix race in drivers/char/random.c:get_reg()

commit f219764920c3d235713566013375cc01decd3d49
Merge: e6e6d07 d6c9708
Author: Linus Torvalds
Date:   Fri Jun 2 15:49:46 2017 -0700

    Merge branch 'akpm' (patches from Andrew)

    Merge misc fixes from Andrew Morton:
     "15 fixes"

    * emailed patches from Andrew Morton:
      scripts/gdb: make lx-dmesg command work (reliably)
      mm: consider memblock reservations for deferred memory initialization sizing
      mm/hugetlb: report -EHWPOISON not -EFAULT when FOLL_HWPOISON is specified
      mlock: fix mlock count can not decrease in race condition
      mm/migrate: fix refcount handling when !hugepage_migration_supported()
      dax: fix race between colliding PMD & PTE entries
      mm: avoid spurious 'bad pmd' warning messages
      mm/page_alloc.c: make sure OOM victim can try allocations with no watermarks once
      pcmcia: remove left-over %Z format
      slub/memcg: cure the brainless abuse of sysfs attributes
      initramfs: fix disabling of initramfs (and its compression)
      mm: clarify why we want kmalloc before falling backto vmallock
      frv: declare jiffies to be located in the .data section
      include/linux/gfp.h: fix ___GFP_NOLOCKDEP value
      ksm: prevent crash after write_protect_page fails

commit d6c9708737c2107c38bd75f133d14d5801b8d6d5
Author: André Draszik
Date:   Fri Jun 2 14:46:51 2017 -0700

    scripts/gdb: make lx-dmesg command work (reliably)

    lx-dmesg needs access to the log_buf symbol from printk.c.
    Unfortunately, the symbol log_buf also exists in BPF's verifier.c and
    hence gdb can pick one or the other. If it happens to pick BPF's
    log_buf, lx-dmesg doesn't work:

      (gdb) lx-dmesg
      Python Exception Cannot access memory at address 0x0:
      Error occurred in Python command: Cannot access memory at address 0x0
      (gdb) p log_buf
      $15 = 0x0

    Luckily, GDB has a way to deal with this, see
      https://sourceware.org/gdb/onlinedocs/gdb/Symbols.html

      (gdb) info variables ^log_buf$
      All variables matching regular expression "^log_buf$":

      File /kernel/bpf/verifier.c:
      static char *log_buf;

      File /kernel/printk/printk.c:
      static char *log_buf;
      (gdb) p 'verifier.c'::log_buf
      $1 = 0x0
      (gdb) p 'printk.c'::log_buf
      $2 = 0x811a6aa0 <__log_buf> ""
      (gdb) p &log_buf
      $3 = (char **) 0x8120fe40
      (gdb) p &'verifier.c'::log_buf
      $4 = (char **) 0x8120fe40
      (gdb) p &'printk.c'::log_buf
      $5 = (char **) 0x8048b7d0

    By being explicit about the location of the symbol, we can make
    lx-dmesg work again.
    While at it, do the same for the other symbols we need from printk.c

    Link: http://lkml.kernel.org/r/20170526112222.3414-1-git@andred.net
    Signed-off-by: André Draszik
    Tested-by: Kieran Bingham
    Acked-by: Jan Kiszka
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 scripts/gdb/linux/dmesg.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

commit 864b9a393dcb5aed09b8fd31b9bbda0fdda99374
Author: Michal Hocko
Date:   Fri Jun 2 14:46:49 2017 -0700

    mm: consider memblock reservations for deferred memory initialization sizing

    We have seen an early OOM killer invocation on ppc64 systems with
    crashkernel=4096M:

      kthreadd invoked oom-killer: gfp_mask=0x16040c0(GFP_KERNEL|__GFP_COMP|__GFP_NOTRACK), nodemask=7, order=0, oom_score_adj=0
      kthreadd cpuset=/ mems_allowed=7
      CPU: 0 PID: 2 Comm: kthreadd Not tainted 4.4.68-1.gd7fe927-default #1
      Call Trace:
        dump_stack+0xb0/0xf0 (unreliable)
        dump_header+0xb0/0x258
        out_of_memory+0x5f0/0x640
        __alloc_pages_nodemask+0xa8c/0xc80
        kmem_getpages+0x84/0x1a0
        fallback_alloc+0x2a4/0x320
        kmem_cache_alloc_node+0xc0/0x2e0
        copy_process.isra.25+0x260/0x1b30
        _do_fork+0x94/0x470
        kernel_thread+0x48/0x60
        kthreadd+0x264/0x330
        ret_from_kernel_thread+0x5c/0xa4

      Mem-Info:
        active_anon:0 inactive_anon:0 isolated_anon:0
        active_file:0 inactive_file:0 isolated_file:0
        unevictable:0 dirty:0 writeback:0 unstable:0
        slab_reclaimable:5 slab_unreclaimable:73
        mapped:0 shmem:0 pagetables:0 bounce:0
        free:0 free_pcp:0 free_cma:0
      Node 7 DMA free:0kB min:0kB low:0kB high:0kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB isolated(anon):0kB isolated(file):0kB present:52428800kB managed:110016kB mlocked:0kB dirty:0kB writeback:0kB mapped:0kB shmem:0kB slab_reclaimable:320kB slab_unreclaimable:4672kB kernel_stack:1152kB pagetables:0kB unstable:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB writeback_tmp:0kB pages_scanned:0 all_unreclaimable? yes
      lowmem_reserve[]: 0 0 0 0
      Node 7 DMA: 0*64kB 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB 0*8192kB 0*16384kB = 0kB
      0 total pagecache pages
      0 pages in swap cache
      Swap cache stats: add 0, delete 0, find 0/0
      Free swap  = 0kB
      Total swap = 0kB
      819200 pages RAM
      0 pages HighMem/MovableOnly
      817481 pages reserved
      0 pages cma reserved
      0 pages hwpoisoned

    the reason is that the managed memory is too low (only 110MB) while the
    rest of the 50GB is still waiting for the deferred initialization to be
    done. update_defer_init estimates the initial memory to initialize to
    2GB at least but it doesn't consider any memory allocated in that
    range. In this particular case we've had

      Reserving 4096MB of memory at 128MB for crashkernel (System RAM: 51200MB)

    so the low 2GB is mostly depleted.

    Fix this by considering memblock allocations in the initial static
    initialization estimation. Move the max_initialise to
    reset_deferred_meminit and implement a simple memblock_reserved_memory
    helper which iterates all reserved blocks and sums the size of all that
    start below the given address. The cumulative size is then added on top
    of the initial estimation. This is still not ideal because
    reset_deferred_meminit doesn't consider holes and so reservation might
    be above the initial estimation which we ignore but let's make the
    logic simpler until we really need to handle more complicated cases.
    Fixes: 3a80a7fa7989 ("mm: meminit: initialise a subset of struct pages if CONFIG_DEFERRED_STRUCT_PAGE_INIT is set")
    Link: http://lkml.kernel.org/r/20170531104010.GI27783@dhcp22.suse.cz
    Signed-off-by: Michal Hocko
    Acked-by: Mel Gorman
    Tested-by: Srikar Dronamraju
    Cc: [4.2+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/memblock.h |  8 ++++++++
 include/linux/mmzone.h   |  1 +
 mm/memblock.c            | 23 +++++++++++++++++++++++
 mm/page_alloc.c          | 33 ++++++++++++++++++++++-----------
 4 files changed, 54 insertions(+), 11 deletions(-)

commit 9a291a7c9428155e8e623e4a3989f8be47134df5
Author: James Morse
Date:   Fri Jun 2 14:46:46 2017 -0700

    mm/hugetlb: report -EHWPOISON not -EFAULT when FOLL_HWPOISON is specified

    KVM uses get_user_pages() to resolve its stage2 faults. KVM sets the
    FOLL_HWPOISON flag causing faultin_page() to return -EHWPOISON when it
    finds a VM_FAULT_HWPOISON. KVM handles these hwpoison pages as a
    special case. (check_user_page_hwpoison())

    When huge pages are involved, this doesn't work so well.
    get_user_pages() calls follow_hugetlb_page(), which stops early if it
    receives VM_FAULT_HWPOISON from hugetlb_fault(), eventually returning
    -EFAULT to the caller. The step to map this to -EHWPOISON based on the
    FOLL_ flags is missing. The hwpoison special case is skipped, and
    -EFAULT is returned to user-space, causing Qemu or kvmtool to exit.

    Instead, move this VM_FAULT_ to errno mapping code into a header file
    and use it from faultin_page() and follow_hugetlb_page().

    With this, KVM works as expected.

    This isn't a problem for arm64 today as we haven't enabled
    MEMORY_FAILURE, but I can't see any reason this doesn't happen on x86
    too, so I think this should be a fix. This doesn't apply earlier than
    stable's v4.11.1 due to all sorts of cleanup.

    [james.morse@arm.com: add vm_fault_to_errno() call to faultin_page()]
    suggested.
    Link: http://lkml.kernel.org/r/20170525171035.16359-1-james.morse@arm.com
    [akpm@linux-foundation.org: coding-style fixes]
    Link: http://lkml.kernel.org/r/20170524160900.28786-1-james.morse@arm.com
    Signed-off-by: James Morse
    Acked-by: Punit Agrawal
    Acked-by: Naoya Horiguchi
    Cc: "Kirill A . Shutemov"
    Cc: [4.11.1+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/mm.h | 11 +++++++++++
 mm/gup.c           | 20 ++++++++------------
 mm/hugetlb.c       |  5 +++++
 3 files changed, 24 insertions(+), 12 deletions(-)

commit 70feee0e1ef331b22cc51f383d532a0d043fbdcc
Author: Yisheng Xie
Date:   Fri Jun 2 14:46:43 2017 -0700

    mlock: fix mlock count can not decrease in race condition

    Kefeng reported that when running the following test, the mlock count
    in meminfo will increase permanently:

     [1] testcase
     linux:~ # cat test_mlockal
     grep Mlocked /proc/meminfo
      for j in `seq 0 10`
      do
         for i in `seq 4 15`
         do
             ./p_mlockall >> log &
         done
         sleep 0.2
     done
     # wait some time to let mlock counter decrease and 5s may not enough
     sleep 5
     grep Mlocked /proc/meminfo

     linux:~ # cat p_mlockall.c
     #include <sys/mman.h>
     #include <stdlib.h>
     #include <stdio.h>

     #define SPACE_LEN 4096

     int main(int argc, char ** argv)
     {
         int ret;
         void *adr = malloc(SPACE_LEN);
         if (!adr)
             return -1;

         ret = mlockall(MCL_CURRENT | MCL_FUTURE);
         printf("mlcokall ret = %d\n", ret);

         ret = munlockall();
         printf("munlcokall ret = %d\n", ret);

         free(adr);
         return 0;
     }

    In __munlock_pagevec() we should decrement NR_MLOCK for each page where
    we clear the PageMlocked flag. Commit 1ebb7cc6a583 ("mm: munlock: batch
    NR_MLOCK zone state updates") has introduced a bug where we don't
    decrement NR_MLOCK for pages where we clear the flag, but fail to
    isolate them from the lru list (e.g. when the pages are on some other
    cpu's percpu pagevec). Since PageMlocked stays cleared, the NR_MLOCK
    accounting gets permanently disrupted by this.

    Fix it by counting the number of pages whose PageMlock flag is cleared.
    Fixes: 1ebb7cc6a583 ("mm: munlock: batch NR_MLOCK zone state updates")
    Link: http://lkml.kernel.org/r/1495678405-54569-1-git-send-email-xieyisheng1@huawei.com
    Signed-off-by: Yisheng Xie
    Reported-by: Kefeng Wang
    Tested-by: Kefeng Wang
    Cc: Vlastimil Babka
    Cc: Joern Engel
    Cc: Mel Gorman
    Cc: Michel Lespinasse
    Cc: Hugh Dickins
    Cc: Rik van Riel
    Cc: Johannes Weiner
    Cc: Michal Hocko
    Cc: Xishi Qiu
    Cc: zhongjiang
    Cc: Hanjun Guo
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/mlock.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

commit 30809f559a0d348c2dfd7ab05e9a451e2384962e
Author: Punit Agrawal
Date:   Fri Jun 2 14:46:40 2017 -0700

    mm/migrate: fix refcount handling when !hugepage_migration_supported()

    On failing to migrate a page, soft_offline_huge_page() performs the
    necessary update to the hugepage ref-count.

    But when !hugepage_migration_supported(), unmap_and_move_hugepage()
    also decrements the page ref-count for the hugepage. The combined
    behaviour leaves the ref-count in an inconsistent state.

    This leads to soft lockups when running the overcommitted hugepage test
    from mce-tests suite.
      Soft offlining pfn 0x83ed600 at process virtual address 0x400000000000
      soft offline: 0x83ed600: migration failed 1, type 1fffc00000008008 (uptodate|head)
      INFO: rcu_preempt detected stalls on CPUs/tasks:
       Tasks blocked on level-0 rcu_node (CPUs 0-7): P2715
        (detected by 7, t=5254 jiffies, g=963, c=962, q=321)
        thugetlb_overco R running task 0 2715 2685 0x00000008
        Call trace:
          dump_backtrace+0x0/0x268
          show_stack+0x24/0x30
          sched_show_task+0x134/0x180
          rcu_print_detail_task_stall_rnp+0x54/0x7c
          rcu_check_callbacks+0xa74/0xb08
          update_process_times+0x34/0x60
          tick_sched_handle.isra.7+0x38/0x70
          tick_sched_timer+0x4c/0x98
          __hrtimer_run_queues+0xc0/0x300
          hrtimer_interrupt+0xac/0x228
          arch_timer_handler_phys+0x3c/0x50
          handle_percpu_devid_irq+0x8c/0x290
          generic_handle_irq+0x34/0x50
          __handle_domain_irq+0x68/0xc0
          gic_handle_irq+0x5c/0xb0

    Address this by changing the putback_active_hugepage() in
    soft_offline_huge_page() to putback_movable_pages().

    This only triggers on systems that enable memory failure handling
    (ARCH_SUPPORTS_MEMORY_FAILURE) but not hugepage migration
    (!ARCH_ENABLE_HUGEPAGE_MIGRATION).

    I imagine this wasn't triggered as there aren't many systems running
    this configuration.

    [akpm@linux-foundation.org: remove dead comment, per Naoya]
    Link: http://lkml.kernel.org/r/20170525135146.32011-1-punit.agrawal@arm.com
    Reported-by: Manoj Iyer
    Tested-by: Manoj Iyer
    Suggested-by: Naoya Horiguchi
    Signed-off-by: Punit Agrawal
    Cc: Joonsoo Kim
    Cc: Wanpeng Li
    Cc: Christoph Lameter
    Cc: Mel Gorman
    Cc: [3.14+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/memory-failure.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

commit e2093926a098a8ccf0f1d10f6df8dad452cb28d3
Author: Ross Zwisler
Date:   Fri Jun 2 14:46:37 2017 -0700

    dax: fix race between colliding PMD & PTE entries

    We currently have two related PMD vs PTE races in the DAX code.
    These can both be easily triggered by having two threads reading and
    writing simultaneously to the same private mapping, with the key being
    that private mapping reads can be handled with PMDs but private mapping
    writes are always handled with PTEs so that we can COW.

    Here is the first race:

      CPU 0                                 CPU 1

      (private mapping write)
      __handle_mm_fault()
        create_huge_pmd() - FALLBACK
        handle_pte_fault()
          passes check for pmd_devmap()

                                            (private mapping read)
                                            __handle_mm_fault()
                                              create_huge_pmd()
                                                dax_iomap_pmd_fault() inserts PMD

          dax_iomap_pte_fault() does a PTE fault, but we already have a DAX PMD
                                installed in our page tables at this spot.

    Here's the second race:

      CPU 0                                 CPU 1

      (private mapping read)
      __handle_mm_fault()
        passes check for pmd_none()
        create_huge_pmd()
          dax_iomap_pmd_fault() inserts PMD

      (private mapping write)
      __handle_mm_fault()
        create_huge_pmd() - FALLBACK
                                            (private mapping read)
                                            __handle_mm_fault()
                                              passes check for pmd_none()
                                              create_huge_pmd()

        handle_pte_fault()
          dax_iomap_pte_fault() inserts PTE
                                                dax_iomap_pmd_fault() inserts PMD,
                                                   but we already have a PTE at
                                                   this spot.

    The core of the issue is that while there is isolation between faults
    to the same range in the DAX fault handlers via our DAX entry locking,
    there is no isolation between faults in the code in mm/memory.c. This
    means for instance that this code in __handle_mm_fault() can run:

        if (pmd_none(*vmf.pmd) && transparent_hugepage_enabled(vma)) {
                ret = create_huge_pmd(&vmf);

    But by the time we actually get to run the fault handler called by
    create_huge_pmd(), the PMD is no longer pmd_none() because a racing PTE
    fault has installed a normal PMD here as a parent. This is the cause of
    the 2nd race. The first race is similar - there is the following check
    in handle_pte_fault():

        } else {
                /* See comment in pte_alloc_one_map() */
                if (pmd_devmap(*vmf->pmd) || pmd_trans_unstable(vmf->pmd))
                        return 0;

    So if a pmd_devmap() PMD (a DAX PMD) has been installed at vmf->pmd, we
    will bail and retry the fault.
    This is correct, but there is nothing preventing the PMD from being
    installed after this check but before we actually get to the DAX PTE
    fault handlers.

    In my testing these races result in the following types of errors:

      BUG: Bad rss-counter state mm:ffff8800a817d280 idx:1 val:1
      BUG: non-zero nr_ptes on freeing mm: 15

    Fix this issue by having the DAX fault handlers verify that it is safe
    to continue their fault after they have taken an entry lock to block
    other racing faults.

    [ross.zwisler@linux.intel.com: improve fix for colliding PMD & PTE entries]
    Link: http://lkml.kernel.org/r/20170526195932.32178-1-ross.zwisler@linux.intel.com
    Link: http://lkml.kernel.org/r/20170522215749.23516-2-ross.zwisler@linux.intel.com
    Signed-off-by: Ross Zwisler
    Reported-by: Pawel Lebioda
    Reviewed-by: Jan Kara
    Cc: "Darrick J. Wong"
    Cc: Alexander Viro
    Cc: Christoph Hellwig
    Cc: Dan Williams
    Cc: Dave Hansen
    Cc: Matthew Wilcox
    Cc: "Kirill A . Shutemov"
    Cc: Pawel Lebioda
    Cc: Dave Jiang
    Cc: Xiong Zhou
    Cc: Eryu Guan
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 fs/dax.c | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

commit d0f0931de936a0a468d7e59284d39581c16d3a73
Author: Ross Zwisler
Date:   Fri Jun 2 14:46:34 2017 -0700

    mm: avoid spurious 'bad pmd' warning messages

    When the pmd_devmap() checks were added by 5c7fb56e5e3f ("mm, dax:
    dax-pmd vs thp-pmd vs hugetlbfs-pmd") to add better support for DAX
    huge pages, they were all added to the end of if() statements after
    existing pmd_trans_huge() checks. So, things like:

      - if (pmd_trans_huge(*pmd))
      + if (pmd_trans_huge(*pmd) || pmd_devmap(*pmd))

    When further checks were added after pmd_trans_unstable() checks by
    commit 7267ec008b5c ("mm: postpone page table allocation until we have
    page to map") they were also added at the end of the conditional:

      + if (pmd_trans_unstable(fe->pmd) || pmd_devmap(*fe->pmd))

    This ordering is fine for pmd_trans_huge(), but doesn't work for
    pmd_trans_unstable().
    This is because DAX huge pages trip the bad_pmd() check inside of
    pmd_none_or_trans_huge_or_clear_bad() (called by pmd_trans_unstable()),
    which prints out a warning and returns 1. So, we do end up doing the
    right thing, but only after spamming dmesg with suspicious looking
    messages:

      mm/pgtable-generic.c:39: bad pmd ffff8808daa49b88(84000001006000a5)

    Reorder these checks in a helper so that pmd_devmap() is checked first,
    avoiding the error messages, and add a comment explaining why the
    ordering is important.

    Fixes: commit 7267ec008b5c ("mm: postpone page table allocation until we have page to map")
    Link: http://lkml.kernel.org/r/20170522215749.23516-1-ross.zwisler@linux.intel.com
    Signed-off-by: Ross Zwisler
    Reviewed-by: Jan Kara
    Cc: Pawel Lebioda
    Cc: "Darrick J. Wong"
    Cc: Alexander Viro
    Cc: Christoph Hellwig
    Cc: Dan Williams
    Cc: Dave Hansen
    Cc: Matthew Wilcox
    Cc: "Kirill A . Shutemov"
    Cc: Dave Jiang
    Cc: Xiong Zhou
    Cc: Eryu Guan
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/memory.c | 40 ++++++++++++++++++++++++++++++----------
 1 file changed, 30 insertions(+), 10 deletions(-)

commit c288983dddf714216428774e022ad78f48dd8cb1
Author: Tetsuo Handa
Date:   Fri Jun 2 14:46:31 2017 -0700

    mm/page_alloc.c: make sure OOM victim can try allocations with no watermarks once

    Roman Gushchin has reported that the OOM killer can trivially select
    next OOM victim when a thread doing memory allocation from page fault
    path was selected as first OOM victim.
      allocate invoked oom-killer: gfp_mask=0x14280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), nodemask=(null), order=0, oom_score_adj=0
      allocate cpuset=/ mems_allowed=0
      CPU: 1 PID: 492 Comm: allocate Not tainted 4.12.0-rc1-mm1+ #181
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       oom_kill_process+0x219/0x3e0
       out_of_memory+0x11d/0x480
       __alloc_pages_slowpath+0xc84/0xd40
       __alloc_pages_nodemask+0x245/0x260
       alloc_pages_vma+0xa2/0x270
       __handle_mm_fault+0xca9/0x10c0
       handle_mm_fault+0xf3/0x210
       __do_page_fault+0x240/0x4e0
       trace_do_page_fault+0x37/0xe0
       do_async_page_fault+0x19/0x70
       async_page_fault+0x28/0x30
      ...
      Out of memory: Kill process 492 (allocate) score 899 or sacrifice child
      Killed process 492 (allocate) total-vm:2052368kB, anon-rss:1894576kB, file-rss:4kB, shmem-rss:0kB
      allocate: page allocation failure: order:0, mode:0x14280ca(GFP_HIGHUSER_MOVABLE|__GFP_ZERO), nodemask=(null)
      allocate cpuset=/ mems_allowed=0
      CPU: 1 PID: 492 Comm: allocate Not tainted 4.12.0-rc1-mm1+ #181
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       __alloc_pages_slowpath+0xd32/0xd40
       __alloc_pages_nodemask+0x245/0x260
       alloc_pages_vma+0xa2/0x270
       __handle_mm_fault+0xca9/0x10c0
       handle_mm_fault+0xf3/0x210
       __do_page_fault+0x240/0x4e0
       trace_do_page_fault+0x37/0xe0
       do_async_page_fault+0x19/0x70
       async_page_fault+0x28/0x30
      ...
      oom_reaper: reaped process 492 (allocate), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
      ...
      allocate invoked oom-killer: gfp_mask=0x0(), nodemask=(null), order=0, oom_score_adj=0
      allocate cpuset=/ mems_allowed=0
      CPU: 1 PID: 492 Comm: allocate Not tainted 4.12.0-rc1-mm1+ #181
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       oom_kill_process+0x219/0x3e0
       out_of_memory+0x11d/0x480
       pagefault_out_of_memory+0x68/0x80
       mm_fault_error+0x8f/0x190
       ? handle_mm_fault+0xf3/0x210
       __do_page_fault+0x4b2/0x4e0
       trace_do_page_fault+0x37/0xe0
       do_async_page_fault+0x19/0x70
       async_page_fault+0x28/0x30
      ...
      Out of memory: Kill process 233 (firewalld) score 10 or sacrifice child
      Killed process 233 (firewalld) total-vm:246076kB, anon-rss:20956kB, file-rss:0kB, shmem-rss:0kB

    There is a race window that the OOM reaper completes reclaiming the
    first victim's memory while nothing but mutex_trylock() prevents the
    first victim from calling out_of_memory() from pagefault_out_of_memory()
    after memory allocation for page fault path failed due to being
    selected as an OOM victim.

    This is a side effect of commit 9a67f6488eca926f ("mm: consolidate
    GFP_NOFAIL checks in the allocator slowpath") because that commit
    silently changed the behavior from

        /* Avoid allocations with no watermarks from looping endlessly */

    to

        /*
         * Give up allocations without trying memory reserves if selected
         * as an OOM victim
         */

    in __alloc_pages_slowpath() by moving the location to check TIF_MEMDIE
    flag. I have noticed this change but I didn't post a patch because I
    thought it is an acceptable change other than noise by warn_alloc()
    because !__GFP_NOFAIL allocations are allowed to fail. But we
    overlooked that failing memory allocation from page fault path makes
    difference due to the race window explained above.

    While it might be possible to add a check to pagefault_out_of_memory()
    that prevents the first victim from calling out_of_memory() or remove
    out_of_memory() from pagefault_out_of_memory(), changing
    pagefault_out_of_memory() does not suppress noise by warn_alloc() when
    allocating thread was selected as an OOM victim. There is little point
    with printing similar backtraces and memory information from both
    out_of_memory() and warn_alloc().
    Instead, if we guarantee that current thread can try allocations with
    no watermarks once when current thread looping inside
    __alloc_pages_slowpath() was selected as an OOM victim, we can follow
    "who can use memory reserves" rules and suppress noise by warn_alloc()
    and prevent memory allocations from page fault path from calling
    pagefault_out_of_memory().

    If we take the comment literally, this patch would do

      - if (test_thread_flag(TIF_MEMDIE))
      -     goto nopage;
      + if (alloc_flags == ALLOC_NO_WATERMARKS || (gfp_mask & __GFP_NOMEMALLOC))
      +     goto nopage;

    because gfp_pfmemalloc_allowed() returns false if __GFP_NOMEMALLOC is
    given. But if I recall correctly (I couldn't find the message), the
    condition is meant to apply to only OOM victims despite the comment.
    Therefore, this patch preserves TIF_MEMDIE check.

    Fixes: 9a67f6488eca926f ("mm: consolidate GFP_NOFAIL checks in the allocator slowpath")
    Link: http://lkml.kernel.org/r/201705192112.IAF69238.OQOHSJLFOFFMtV@I-love.SAKURA.ne.jp
    Signed-off-by: Tetsuo Handa
    Reported-by: Roman Gushchin
    Tested-by: Roman Gushchin
    Acked-by: Michal Hocko
    Cc: Johannes Weiner
    Cc: Vladimir Davydov
    Cc: [4.11]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/page_alloc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

commit ff5a20169b98d84ad8d7f99f27c5ebbb008204d6
Author: Nicolas Iooss
Date:   Fri Jun 2 14:46:28 2017 -0700

    pcmcia: remove left-over %Z format

    Commit 5b5e0928f742 ("lib/vsprintf.c: remove %Z support") removed some
    usages of format %Z but forgot "%.2Zx". This makes clang 4.0 report a
    -Wformat-extra-args warning because it does not know about %Z.

    Replace %Z with %z.
    Link: http://lkml.kernel.org/r/20170520090946.22562-1-nicolas.iooss_linux@m4x.org
    Signed-off-by: Nicolas Iooss
    Cc: Harald Welte
    Cc: Alexey Dobriyan
    Cc: [4.11+]
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 drivers/char/pcmcia/cm4040_cs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

commit 478fe3037b2278d276d4cd9cd0ab06c4cb2e9b32
Author: Thomas Gleixner
Date:   Fri Jun 2 14:46:25 2017 -0700

    slub/memcg: cure the brainless abuse of sysfs attributes

    memcg_propagate_slab_attrs() abuses the sysfs attribute file functions
    to propagate settings from the root kmem_cache to a newly created
    kmem_cache. It does that with:

         attr->show(root, buf);
         attr->store(new, buf, strlen(buf));

    Aside of being a lazy and absurd hackery this is broken because it does
    not check the return value of the show() function.

    Some of the show() functions return 0 w/o touching the buffer. That
    means in such a case the store function is called with the stale
    content of the previous show(). That causes nonsense like invoking
    kmem_cache_shrink() on a newly created kmem_cache. In the worst case it
    would cause handing in an uninitialized buffer.

    This should be rewritten proper by adding a propagate() callback to
    those slub_attributes which must be propagated and avoid that insane
    conversion to and from ASCII, but that's too large for a hot fix.

    Check at least the return value of the show() function, so calling
    store() with stale content is prevented.

    Steven said:
     "It can cause a deadlock with get_online_cpus() that has been
      uncovered by recent cpu hotplug and lockdep changes that Thomas and
      Peter have been doing.
         Possible unsafe locking scenario:

               CPU0                    CPU1
               ----                    ----
          lock(cpu_hotplug.lock);
                                       lock(slab_mutex);
                                       lock(cpu_hotplug.lock);
          lock(slab_mutex);

         *** DEADLOCK ***"

    Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1705201244540.2255@nanos
    Signed-off-by: Thomas Gleixner
    Reported-by: Steven Rostedt
    Acked-by: David Rientjes
    Cc: Johannes Weiner
    Cc: Michal Hocko
    Cc: Peter Zijlstra
    Cc: Christoph Lameter
    Cc: Pekka Enberg
    Cc: Joonsoo Kim
    Cc: Christoph Hellwig
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/slub.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

commit 57ddfdaa9a72fe726a44d26d99db31bc137dbeff
Author: Florian Fainelli
Date:   Fri Jun 2 14:46:22 2017 -0700

    initramfs: fix disabling of initramfs (and its compression)

    Commit db2aa7fd15e8 ("initramfs: allow again choice of the embedded
    initram compression algorithm") introduced the possibility to select
    the initramfs compression algorithm from Kconfig and while this is a
    nice feature it broke the use case described below.
    Here is what my build system does:

    - kernel is initially configured not to have an initramfs included

    - build the user space root file system

    - re-configure the kernel to have an initramfs included
      (CONFIG_INITRAMFS_SOURCE="/path/to/romfs") and set relevant
      CONFIG_INITRAMFS options, in my case, no compression option
      (CONFIG_INITRAMFS_COMPRESSION_NONE)

    - kernel is re-built with these options -> kernel+initramfs image is
      copied

    - kernel is re-built again without these options -> kernel image is
      copied

    Building a kernel without an initramfs means setting this option:

      CONFIG_INITRAMFS_SOURCE="" (and this one only)

    whereas building a kernel with an initramfs means setting these
    options:

      CONFIG_INITRAMFS_SOURCE="/home/fainelli/work/uclinux-rootfs/romfs /home/fainelli/work/uclinux-rootfs/misc/initramfs.dev"
      CONFIG_INITRAMFS_ROOT_UID=1000
      CONFIG_INITRAMFS_ROOT_GID=1000
      CONFIG_INITRAMFS_COMPRESSION_NONE=y
      CONFIG_INITRAMFS_COMPRESSION=""

    Commit db2aa7fd15e85 ("initramfs: allow again choice of the embedded
    initram compression algorithm") is problematic because
    CONFIG_INITRAMFS_COMPRESSION which is used to determine the
    initramfs_data.cpio extension/compression is a string, and due to how
    Kconfig works it will evaluate in order, how to assign it.

    Setting CONFIG_INITRAMFS_COMPRESSION_NONE with
    CONFIG_INITRAMFS_SOURCE="" cannot possibly work (because of the depends
    on INITRAMFS_SOURCE!="" imposed on CONFIG_INITRAMFS_COMPRESSION) yet we
    still get CONFIG_INITRAMFS_COMPRESSION assigned to ".gz" because
    CONFIG_RD_GZIP=y is set in my kernel, even when there is no initramfs
    being built.

    So we basically end-up generating two initramfs_data.cpio* files, one
    without extension, and one with .gz.
    This causes usr/Makefile to track usr/initramfs_data.cpio.gz, and not
    usr/initramfs_data.cpio anymore, that is also largely problematic after
    9e3596b0c6539e ("kbuild: initramfs cleanup, set target from Kconfig")
    because we used to track all possible initramfs_data files in the
    $(targets) variable before that commit.

    The end result is that the kernel with an initramfs clearly does not
    contain what we expect it to, it has a stale initramfs_data.cpio file
    built into it, and we keep re-generating an initramfs_data.cpio.gz file
    which is not the one that we want to include in the kernel image
    proper.

    The fix consists in hiding CONFIG_INITRAMFS_COMPRESSION when
    CONFIG_INITRAMFS_SOURCE="". This puts us back in a state to the
    pre-4.10 behavior where we can properly disable and re-enable initramfs
    within the same kernel .config file, and be in control of what
    CONFIG_INITRAMFS_COMPRESSION is set to.

    Fixes: db2aa7fd15e8 ("initramfs: allow again choice of the embedded initram compression algorithm")
    Fixes: 9e3596b0c653 ("kbuild: initramfs cleanup, set target from Kconfig")
    Link: http://lkml.kernel.org/r/20170521033337.6197-1-f.fainelli@gmail.com
    Signed-off-by: Florian Fainelli
    Acked-by: Nicholas Piggin
    Cc: P J P
    Cc: Paul Bolle
    Cc: Michal Marek
    Cc: Daniel Thompson
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 usr/Kconfig | 1 +
 1 file changed, 1 insertion(+)

commit 4f4f2ba9c531b3d7cee293dd3654ba3b86e7d220
Author: Michal Hocko
Date:   Fri Jun 2 14:46:19 2017 -0700

    mm: clarify why we want kmalloc before falling backto vmallock

    While converting drm_[cm]alloc* helpers to kvmalloc* variants Chris
    Wilson has wondered why we want to try kmalloc before vmalloc fallback
    even for larger allocations requests. Let's clarify that one larger
    physically contiguous block is less likely to fragment memory than many
    scattered pages which can prevent more large blocks from being created.

    [akpm@linux-foundation.org: coding-style fixes]
    Link: http://lkml.kernel.org/r/20170517080932.21423-1-mhocko@kernel.org
    Signed-off-by: Michal Hocko
    Suggested-by: Chris Wilson
    Reviewed-by: Chris Wilson
    Acked-by: Vlastimil Babka
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/util.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

commit 60b0a8c3d2480f3b57282b47b7cae7ee71c48635
Author: Matthias Kaehlcke
Date:   Fri Jun 2 14:46:16 2017 -0700

    frv: declare jiffies to be located in the .data section

    Commit 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with
    ____cacheline_aligned_in_smp") removed a section specification from the
    jiffies declaration that caused conflicts on some platforms.

    Unfortunately this change broke the build for frv:

      kernel/built-in.o: In function `__do_softirq':
      (.text+0x6460): relocation truncated to fit: R_FRV_GPREL12 against symbol `jiffies' defined in *ABS* section in .tmp_vmlinux1
      kernel/built-in.o: In function `__do_softirq':
      (.text+0x6574): relocation truncated to fit: R_FRV_GPREL12 against symbol `jiffies' defined in *ABS* section in .tmp_vmlinux1
      kernel/built-in.o: In function `pwq_activate_delayed_work':
      workqueue.c:(.text+0x15b9c): relocation truncated to fit: R_FRV_GPREL12 against symbol `jiffies' defined in *ABS* section in .tmp_vmlinux1
      ...

    Add __jiffy_arch_data to the declaration of jiffies and use it on frv to
    include the section specification. For all other platforms
    __jiffy_arch_data (currently) has no effect.

    Fixes: 7c30f352c852 ("jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp")
    Link: http://lkml.kernel.org/r/20170516221333.177280-1-mka@chromium.org
    Signed-off-by: Matthias Kaehlcke
    Reported-by: Guenter Roeck
    Tested-by: Guenter Roeck
    Reviewed-by: David Howells
    Cc: Sudip Mukherjee
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 arch/frv/include/asm/timex.h | 6 ++++++
 include/linux/jiffies.h      | 6 +++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

commit 1bde33e051233f0ed93a8bc67137016ab38c3d2d
Author: Michal Hocko
Date:   Fri Jun 2 14:46:13 2017 -0700

    include/linux/gfp.h: fix ___GFP_NOLOCKDEP value

    Igor Stoppa has noticed that __GFP_NOLOCKDEP can use a lower bit. At
    the time commit 7e7844226f10 ("lockdep: allow to disable reclaim lockup
    detection") was written we still had __GFP_OTHER_NODE but I have removed
    it in commit 41b6167e8f74 ("mm: get rid of __GFP_OTHER_NODE") and forgot
    to lower the bit value.

    The current value is outside of __GFP_BITS_SHIFT so it cannot be used
    actually.

    Fixes: 7e7844226f10 ("lockdep: allow to disable reclaim lockup detection")
    Signed-off-by: Michal Hocko
    Reported-by: Igor Stoppa
    Acked-by: Vlastimil Babka
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 include/linux/gfp.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

commit a7306c3436e9c8e584a4b9fad5f3dc91be2a6076
Author: Andrea Arcangeli
Date:   Fri Jun 2 14:46:11 2017 -0700

    ksm: prevent crash after write_protect_page fails

    "err" needs to be left set to -EFAULT if split_huge_page succeeds.
    Otherwise if "err" gets clobbered with zero and write_protect_page
    fails, try_to_merge_one_page() will succeed instead of returning -EFAULT
    and then try_to_merge_with_ksm_page() will continue thinking kpage is a
    PageKsm when in fact it's still an anonymous page. Eventually it'll
    crash in page_add_anon_rmap.

    This has been reproduced on Fedora25 kernel but I can reproduce with
    upstream too.

    The bug was introduced in commit f765f540598a ("ksm: prepare to new THP
    semantics") introduced in v4.5.

      page:fffff67546ce1cc0 count:4 mapcount:2 mapping:ffffa094551e36e1 index:0x7f0f46673
      flags: 0x2ffffc0004007c(referenced|uptodate|dirty|lru|active|swapbacked)
      page dumped because: VM_BUG_ON_PAGE(!PageLocked(page))
      page->mem_cgroup:ffffa09674bf0000
      ------------[ cut here ]------------
      kernel BUG at mm/rmap.c:1222!
      CPU: 1 PID: 76 Comm: ksmd Not tainted 4.9.3-200.fc25.x86_64 #1
      RIP: do_page_add_anon_rmap+0x1c4/0x240
      Call Trace:
        page_add_anon_rmap+0x18/0x20
        try_to_merge_with_ksm_page+0x50b/0x780
        ksm_scan_thread+0x1211/0x1410
        ? prepare_to_wait_event+0x100/0x100
        ? try_to_merge_with_ksm_page+0x780/0x780
        kthread+0xd9/0xf0
        ? kthread_park+0x60/0x60
        ret_from_fork+0x25/0x30

    Fixes: f765f54059 ("ksm: prepare to new THP semantics")
    Link: http://lkml.kernel.org/r/20170513131040.21732-1-aarcange@redhat.com
    Signed-off-by: Andrea Arcangeli
    Reported-by: Federico Simoncelli
    Acked-by: Kirill A. Shutemov
    Cc: Hugh Dickins
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

 mm/ksm.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

commit 60319130254084b337e02439d3b4ec301b6328bb
Merge: 5ed02db 878d8db0 2ea6532 0de0e19
Author: Rafael J. Wysocki
Date:   Sat Jun 3 00:03:29 2017 +0200

    Merge branches 'acpi-button', 'acpica' and 'acpi-sysfs'

    * acpi-button:
      Revert "ACPI / button: Change default behavior to lid_init_state=open"

    * acpica:
      ACPICA: Tables: Fix regression introduced by a too early mechanism enabling

    * acpi-sysfs:
      ACPI / sysfs: fix acpi_get_table() leak / acpi-sysfs denial of service

commit bb5710e72c217e5bbdf0969a2fd84f5f5ad7fc2b
Merge: 5ed02db 7575f82
Author: Rafael J. Wysocki
Date:   Sat Jun 3 00:01:45 2017 +0200

    Merge branch 'pm-cpufreq'

    * pm-cpufreq:
      cpufreq: kirkwood-cpufreq:- Handle return value of clk_prepare_enable()
      cpufreq: cpufreq_register_driver() should return -ENODEV if init fails

commit e6e6d074369c839e84071c3b056adf20ead8da6e
Merge: b939c51 63db7c8
Author: Linus Torvalds
Date:   Fri Jun 2 12:29:03 2017 -0700

    Merge tag 'xfs-4.12-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

    Pull XFS fix from Darrick Wong:
     "I've one more bugfix for you for 4.12-rc4: Fix an unmount hang due to
      a race in io buffer accounting"

    * tag 'xfs-4.12-fixes-3' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
      xfs: use ->b_state to fix buffer I/O accounting release race

commit b939c51445f0542e80a8f910014c418d04b5de6e
Merge: 65d0332 cb7cf77
Author: Linus Torvalds
Date:   Fri Jun 2 12:06:27 2017 -0700

    Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

    Pull arm64 fixes from Catalin Marinas:
     "ACPI-related fixes for arm64:

       - GICC MADT entry validity check fix

       - Skip IRQ registration with pmu=off in an ACPI guest

       - struct acpi_pci_root_ops freeing on error path"

    * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
      ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
      drivers/perf: arm_pmu_acpi: avoid perf IRQ init when guest PMU is off
      ARM64: PCI: Fix struct acpi_pci_root_ops allocation failure path

commit 65d03328aace31043be98f807f6e20332cdb19c8
Merge: 60c42a3 6ac5695
Author: Linus Torvalds
Date:   Fri Jun 2 12:03:07 2017 -0700

    Merge tag 'ceph-for-4.12-rc4' of git://github.com/ceph/ceph-client

    Pull ceph fix from Ilya Dryomov:
     "A small fix for rbd FALLOC_FL_ZERO_RANGE/PUNCH_HOLE handling breakage
      introduced in -rc1"

    * tag 'ceph-for-4.12-rc4' of git://github.com/ceph/ceph-client:
      rbd: implement REQ_OP_WRITE_ZEROES

commit e0f8e8cf3bf9305f36155a5ac6e16b3b910e6cec
Author: Varun Prakash
Date:   Sat May 27 20:22:51 2017 +0530

    scsi: cxgb4i: libcxgbi: in error case RST tcp conn

    If logout response is not received and ->ep_disconnect() is called then
    close tcp conn by RST instead of FIN to cleanup conn resources
    immediately.

    Also move ->csk_push_tx_frames() above 'done:' to avoid calling
    ->csk_push_tx_frames() in error cases.

    Signed-off-by: Varun Prakash
    Signed-off-by: Martin K. Petersen

 drivers/scsi/cxgbi/cxgb4i/cxgb4i.c |  1 -
 drivers/scsi/cxgbi/libcxgbi.c      | 29 ++++++++++++++++++++++-------
 drivers/scsi/cxgbi/libcxgbi.h      |  1 +
 3 files changed, 23 insertions(+), 8 deletions(-)

commit 60c42a31dc0fd307098486221dcb43b59057110f
Merge: 6f37fa4 ff0361b
Author: Linus Torvalds
Date:   Fri Jun 2 11:50:37 2017 -0700

    Merge tag 'for-4.12/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

    Pull device mapper fixes from Mike Snitzer:

     - a DM verity fix for a mode when no salt is used

     - a fix to DM to account for the possibility that PREFLUSH or FUA are
       used without the SYNC flag if the underlying storage doesn't have a
       volatile write-cache

     - a DM ioctl memory allocation flag fix to use __GFP_HIGH to allow
       emergency forward progress (by using memory reserves as last resort)

     - a small DM integrity cleanup to use kvmalloc() instead of duplicating
       the same

    * tag 'for-4.12/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
      dm: make flush bios explicitly sync
      dm ioctl: restore __GFP_HIGH in copy_params()
      dm integrity: use kvmalloc() instead of dm_integrity_kvmalloc()
      dm verity: fix no salt use case

commit 6f37fa4364a1099b59f73d1a71538895fd2ef975
Merge: bb32985 5a8948f
Author: Linus Torvalds
Date:   Fri Jun 2 11:47:24 2017 -0700

    Merge tag 'md/4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md

    Pull MD fixes from Shaohua Li:
     "Several patches for MD. One notable is making flush bios sync, others
      fix small issues"

    * tag 'md/4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
      md: Make flush bios explicitly sync
      md: report sector of stripes with check mismatches
      md: uuid debug statement now in processor byte order.
      md-cluster: fix potential lock issue in add_new_disk

commit bb329859effa06736c39adf6ce622e86e38fc274
Merge: 4635694 b425e50
Author: Linus Torvalds