commit c8d2bc9bc39ebea8437fd974fdbc21847bb897a3 Author: Linus Torvalds Date: Sun Oct 2 16:24:33 2016 -0700 Linux 4.8 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f76d9c61d91343806e59335493806e87daf78947 Merge: be67d60 117e5e9 Author: Linus Torvalds Date: Sun Oct 2 15:23:00 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Three relatively small fixes for ARM: - Roger noticed that dma_max_pfn() was calculating the upper limit wrongly, by adding the PFN offset of memory twice. - A fix from Robin to correct parsing of MPIDR values when the address size is larger than one BE32 unit. - A fix from Srinivas to ensure that we do not rely on the boot loader (or previous Linux kernel) setting the translation table base register a certain way in the decompressor, which can lead to crashes" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 ARM: 8617/1: dma: fix dma_max_pfn() ARM: 8616/1: dt: Respect property size when parsing CPUs commit 117e5e9c4cfcb7628f08de074fbfefec1bb678b7 Author: Srinivas Ramana Date: Fri Sep 30 15:03:31 2016 +0100 ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7 If the bootloader uses the long descriptor format and jumps to kernel decompressor code, TTBCR may not be in a right state. Before enabling the MMU, it is required to clear the TTBCR.PD0 field to use TTBR0 for translation table walks. The commit dbece45894d3a ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores") does the reset of TTBCR.N, but doesn't consider all the bits for the size of TTBCR.N. Clear TTBCR.PD0 field and reset all the three bits of TTBCR.N to indicate the use of TTBR0 and the correct base address width. Fixes: dbece45894d3 ("ARM: 7501/1: decompressor: reset ttbcr for VMSA ARMv7 cores") Acked-by: Robin Murphy Signed-off-by: Srinivas Ramana Signed-off-by: Russell King arch/arm/boot/compressed/head.S | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit be67d60ba944bdd38571b79bdcd506e34c0f16c1 Merge: 66188fb 2fa5f04 Author: Linus Torvalds Date: Sun Oct 2 11:04:29 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "The last regression fixes for 4.8 final: - Two patches addressing the fallout of the CR4 optimizations which caused CR4-less machines to fail. - Fix the VDSO build on big endian machines - Take care of FPU initialization if no CPUID is available otherwise task struct size ends up being zero - Fix up context tracking in case load_gs_index fails" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/entry/64: Fix context tracking state warning when load_gs_index fails x86/boot: Initialize FPU and X86_FEATURE_ALWAYS even if we don't have CPUID x86/vdso: Fix building on big endian host x86/boot: Fix another __read_cr4() case on 486 x86/init: Fix cr4_init_shadow() on CR4-less machines commit 66188fb11a82692629e85b6cbc3ecc08c752d2dc Merge: 0c7fc30 6605d15 Author: Linus Torvalds Date: Sun Oct 2 10:53:38 2016 -0700 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus Pull MIPS fixes from Ralf Baechle: "Another round of fixes: - CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems - CPS: Avoid BUG() when offlining pre-r6 CPUs - DEC: Avoid gas warnings due to suspicious instruction scheduling by manually expanding assembler macros. - FTLB: Fix configuration by moving confiuguratoin after probing - FTLB: clear execution hazard after changing FTLB enable - Highmem: Fix detection of unsupported highmem with cache aliases - I6400: Don't touch FTLBP chicken bits - microMIPS: Fix BUILD_ROLLBACK_PROLOGUE - Malta: Fix IOCU disable switch read for MIPS64 - Octeon: Fix probing of devices attached to GPIO lines - uprobes: Misc small fixes" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems MIPS: Fix detection of unsupported highmem with cache aliases MIPS: Malta: Fix IOCU disable switch read for MIPS64 MIPS: Fix BUILD_ROLLBACK_PROLOGUE for microMIPS MIPS: clear execution hazard after changing FTLB enable MIPS: Configure FTLB after probing TLB sizes from config4 MIPS: Stop setting I6400 FTLBP MIPS: DEC: Avoid la pseudo-instruction in delay slots MIPS: Octeon: mark GPIO controller node not populated after IRQ init. MIPS: uprobes: fix use of uninitialised variable MIPS: uprobes: remove incorrect set_orig_insn MIPS: fix uretprobe implementation MIPS: smp-cps: Avoid BUG() when offlining pre-r6 CPUs commit 0c7fc30f18220c0d1b8fb2636811a0c0d0d65714 Merge: bb6bbc7 2a0100d Author: Linus Torvalds Date: Sun Oct 2 10:42:26 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc Pull sparc fixes from David Miller: 1) Fix section mismatches in some builds, from Paul Gortmaker. 2) Need to count huge zero page mappings when doing TSB sizing, from Mike Kravetz. 3) Fix handing of cpu_possible_mask when nr_cpus module option is specified, from Atish Patra. 4) Don't allocate irq stacks until nr_irqs has been processed, also from Atish Patra. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc: sparc64: Fix non-SMP build. sparc64: Fix irq stack bootmem allocation. sparc64: Fix cpu_possible_mask if nr_cpus is set sparc64 mm: Fix more TSB sizing issues sparc64: fix section mismatch in find_numa_latencies_for_group commit bb6bbc7ca2254fd885f5b85f4cc0cda7cf04f8c1 Merge: f51fdff 1cceda78 Author: Linus Torvalds Date: Sun Oct 2 10:36:41 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Fix wrong TCP checksums on MTU probing when checksum offloading is disabled, from Douglas Caetano dos Santos. 2) Fix qdisc backlog updates in qfq and sfb schedulers, from Cong Wang. 3) Route lookup flow key protocol value is wrong in ip6gre_xmit_other(), fix from Lance Richardson. 4) Scheduling while atomic in multicast routing code of ipv4 and ipv6, fix from Nikolay Aleksandrov. 5) Fix packet alignment in fec driver, from Eric Nelson. 6) Fix perf regression in sctp due to struct layout and cache misses, from Xin Long. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock sctp: change to check peer prsctp_capable when using prsctp polices sctp: remove prsctp_param from sctp_chunk sctp: move sent_count to the memory hole in sctp_chunk tg3: Avoid NULL pointer dereference in tg3_io_error_detected() act_ife: Fix false encoding act_ife: Fix external mac header on encode VSOCK: Don't dec ack backlog twice for rejected connections Revert "net: ethernet: bcmgenet: use phydev from struct net_device" net: fec: align IP header in hardware net: fec: remove QUIRK_HAS_RACC from i.mx27 net: fec: remove QUIRK_HAS_RACC from i.mx25 ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() tcp: fix a compile error in DBGUNDO() tcp: fix wrong checksum calculation on MTU probing sch_sfb: keep backlog updated with qlen sch_qfq: keep backlog updated with qlen can: dev: fix deadlock reported after bus-off commit 6605d156bdfbb2502ba301bc4fbd8db696ae4b6d Author: Paul Burton Date: Fri Sep 30 17:25:01 2016 +0100 MIPS: CM: Fix mips_cm_max_vp_width for non-MT kernels on MT systems When discovering the number of VPEs per core, smp_num_siblings will be incorrect for kernels built without support for the MIPS MultiThreading (MT) ASE running on systems which implement said ASE. This leads to accesses to VPEs in secondary cores being performed incorrectly since mips_cm_vp_id calculates the wrong ID to write to the local "other" registers. Fix this by examining the number of VPEs in the core as reported by the CM. This patch presumes that the number of VPEs will be the same in each core of the system. As this path only applies to systems with CM version 2.5 or lower, and this property is true of all such known systems, this is likely to be fine but is described in a comment for good measure. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14338/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mips-cm.h | 11 +++++++++++ 1 file changed, 11 insertions(+) commit f51fdffad5b7709d0ade40736b58a2da2707fa15 Merge: 2161a2a 539294b Author: Linus Torvalds Date: Sat Oct 1 07:37:15 2016 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "One final fix before 4.8. There was a memory leak triggered by turning scsi mq off due to the fact that we assume on host release that the already running hosts weren't mq based because that's the state of the global flag (even though they were). Fix it by tracking this on a per host host basis" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: Avoid that toggling use_blk_mq triggers a memory leak commit 2161a2a644a6d33a29d68395518d103ed805758f Merge: dbd8805 9fb6de1 Author: Linus Torvalds Date: Fri Sep 30 21:25:09 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fix from Dmitry Torokhov: "One small change to make joydev (which is used by older games) to bind to devices that export Z axis but not X or Y (such as TRC rudder)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: joydev - recognize devices with Z axis as joysticks commit dbd8805b0ad46f04cababea5d01f072142961411 Merge: 9a2172a 37aa727 Author: Linus Torvalds Date: Fri Sep 30 15:51:10 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge more fixes from Andrew Morton: "Three fixes" * emailed patches from Andrew Morton : include/linux/property.h: fix typo/compile error ocfs2: fix deadlock on mmapped page in ocfs2_write_begin_nolock() mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() commit 37aa7271d9742b574763e5ce019bde9c49aa8bfe Author: John Youn Date: Fri Sep 30 15:11:35 2016 -0700 include/linux/property.h: fix typo/compile error This fixes commit d76eebfa175e ("include/linux/property.h: fix build issues with gcc-4.4.4"). With that commit we get the following compile error when using the PROPERTY_ENTRY_INTEGER_ARRAY macro. include/linux/property.h:201:39: error: `u32_data' undeclared (first use in this function) PROPERTY_ENTRY_INTEGER_ARRAY(_name_, u32, _val_) ^ include/linux/property.h:193:17: note: in definition of macro `PROPERTY_ENTRY_INTEGER_ARRAY' { .pointer = { _type_##_data = _val_ } }, \ ^ This needs a '.' to reference the union member. It seems this was just overlooked here since it is done correctly in similar constructs in other parts of the original commit. This fix is in preparation of upcoming commits that will use this macro. Fixes: commit d76eebfa175e ("include/linux/property.h: fix build issues with gcc-4.4.4") Link: http://lkml.kernel.org/r/2de3b929290d88a723ed829a3e3cbd02044714df.1475114627.git.johnyoun@synopsys.com Signed-off-by: John Youn Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/property.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c33f0785bf292cf1d15f4fbe42869c63e205b21c Author: Eric Ren Date: Fri Sep 30 15:11:32 2016 -0700 ocfs2: fix deadlock on mmapped page in ocfs2_write_begin_nolock() The testcase "mmaptruncate" of ocfs2-test deadlocks occasionally. In this testcase, we create a 2*CLUSTER_SIZE file and mmap() on it; there are 2 process repeatedly performing the following operations respectively: one is doing memset(mmaped_addr + 2*CLUSTER_SIZE - 1, 'a', 1), while the another is playing ftruncate(fd, 2*CLUSTER_SIZE) and then ftruncate(fd, CLUSTER_SIZE) again and again. This is the backtrace when the deadlock happens: __wait_on_bit_lock+0x50/0xa0 __lock_page+0xb7/0xc0 ocfs2_write_begin_nolock+0x163f/0x1790 [ocfs2] ocfs2_page_mkwrite+0x1c7/0x2a0 [ocfs2] do_page_mkwrite+0x66/0xc0 handle_mm_fault+0x685/0x1350 __do_page_fault+0x1d8/0x4d0 trace_do_page_fault+0x37/0xf0 do_async_page_fault+0x19/0x70 async_page_fault+0x28/0x30 In ocfs2_write_begin_nolock(), we first grab the pages and then allocate disk space for this write; ocfs2_try_to_free_truncate_log() will be called if -ENOSPC is returned; if we're lucky to get enough clusters, which is usually the case, we start over again. But in ocfs2_free_write_ctxt() the target page isn't unlocked, so we will deadlock when trying to grab the target page again. Also, -ENOMEM might be returned in ocfs2_grab_pages_for_write(). Another deadlock will happen in __do_page_mkwrite() if ocfs2_page_mkwrite() returns non-VM_FAULT_LOCKED, and along with a locked target page. These two errors fail on the same path, so fix them by unlocking the target page manually before ocfs2_free_write_ctxt(). Jan Kara helps me clear out the JBD2 part, and suggest the hint for root cause. Changes since v1: 1. Also put ENOMEM error case into consideration. Link: http://lkml.kernel.org/r/1474173902-32075-1-git-send-email-zren@suse.com Signed-off-by: Eric Ren Reviewed-by: He Gang Acked-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/aops.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 22f2ac51b6d643666f4db093f13144f773ff3f3a Author: Johannes Weiner Date: Fri Sep 30 15:11:29 2016 -0700 mm: workingset: fix crash in shadow node shrinker caused by replace_page_cache_page() Antonio reports the following crash when using fuse under memory pressure: kernel BUG at /build/linux-a2WvEb/linux-4.4.0/mm/workingset.c:346! invalid opcode: 0000 [#1] SMP Modules linked in: all of them CPU: 2 PID: 63 Comm: kswapd0 Not tainted 4.4.0-36-generic #55-Ubuntu Hardware name: System manufacturer System Product Name/P8H67-M PRO, BIOS 3904 04/27/2013 task: ffff88040cae6040 ti: ffff880407488000 task.ti: ffff880407488000 RIP: shadow_lru_isolate+0x181/0x190 Call Trace: __list_lru_walk_one.isra.3+0x8f/0x130 list_lru_walk_one+0x23/0x30 scan_shadow_nodes+0x34/0x50 shrink_slab.part.40+0x1ed/0x3d0 shrink_zone+0x2ca/0x2e0 kswapd+0x51e/0x990 kthread+0xd8/0xf0 ret_from_fork+0x3f/0x70 which corresponds to the following sanity check in the shadow node tracking: BUG_ON(node->count & RADIX_TREE_COUNT_MASK); The workingset code tracks radix tree nodes that exclusively contain shadow entries of evicted pages in them, and this (somewhat obscure) line checks whether there are real pages left that would interfere with reclaim of the radix tree node under memory pressure. While discussing ways how fuse might sneak pages into the radix tree past the workingset code, Miklos pointed to replace_page_cache_page(), and indeed there is a problem there: it properly accounts for the old page being removed - __delete_from_page_cache() does that - but then does a raw raw radix_tree_insert(), not accounting for the replacement page. Eventually the page count bits in node->count underflow while leaving the node incorrectly linked to the shadow node LRU. To address this, make sure replace_page_cache_page() uses the tracked page insertion code, page_cache_tree_insert(). This fixes the page accounting and makes sure page-containing nodes are properly unlinked from the shadow node LRU again. Also, make the sanity checks a bit less obscure by using the helpers for checking the number of pages and shadows in a radix tree node. Fixes: 449dd6984d0e ("mm: keep page cache radix tree nodes in check") Link: http://lkml.kernel.org/r/20160919155822.29498-1-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Reported-by: Antonio SJ Musumeci Debugged-by: Miklos Szeredi Cc: [3.15+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/swap.h | 2 + mm/filemap.c | 114 +++++++++++++++++++++++++-------------------------- mm/workingset.c | 10 ++--- 3 files changed, 63 insertions(+), 63 deletions(-) commit 9a2172a8d52cf14ce44e9cadd8c9df84cf832d75 Author: Javi Merino Date: Fri Sep 30 13:14:28 2016 +0100 MAINTAINERS: Switch to kernel.org email address for Javi Merino Change my email address to my kernel.org account instead of the ARM one. Signed-off-by: Javi Merino Signed-off-by: Linus Torvalds .mailmap | 1 + MAINTAINERS | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit 2fa5f04f85730d0c4f49f984b7efeb4f8d5bd1fc Author: Wanpeng Li Date: Fri Sep 30 09:01:06 2016 +0800 x86/entry/64: Fix context tracking state warning when load_gs_index fails This warning: WARNING: CPU: 0 PID: 3331 at arch/x86/entry/common.c:45 enter_from_user_mode+0x32/0x50 CPU: 0 PID: 3331 Comm: ldt_gdt_64 Not tainted 4.8.0-rc7+ #13 Call Trace: dump_stack+0x99/0xd0 __warn+0xd1/0xf0 warn_slowpath_null+0x1d/0x20 enter_from_user_mode+0x32/0x50 error_entry+0x6d/0xc0 ? general_protection+0x12/0x30 ? native_load_gs_index+0xd/0x20 ? do_set_thread_area+0x19c/0x1f0 SyS_set_thread_area+0x24/0x30 do_int80_syscall_32+0x7c/0x220 entry_INT80_compat+0x38/0x50 ... can be reproduced by running the GS testcase of the ldt_gdt test unit in the x86 selftests. do_int80_syscall_32() will call enter_form_user_mode() to convert context tracking state from user state to kernel state. The load_gs_index() call can fail with user gsbase, gsbase will be fixed up and proceed if this happen. However, enter_from_user_mode() will be called again in the fixed up path though it is context tracking kernel state currently. This patch fixes it by just fixing up gsbase and telling lockdep that IRQs are off once load_gs_index() failed with user gsbase. Signed-off-by: Wanpeng Li Acked-by: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1475197266-3440-1-git-send-email-wanpeng.li@hotmail.com Signed-off-by: Ingo Molnar arch/x86/entry/entry_64.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 05fb3c199bb09f5b85de56cc3ede194ac95c5e1f Author: Andy Lutomirski Date: Wed Sep 28 16:06:33 2016 -0700 x86/boot: Initialize FPU and X86_FEATURE_ALWAYS even if we don't have CPUID Otherwise arch_task_struct_size == 0 and we die. While we're at it, set X86_FEATURE_ALWAYS, too. Reported-by: David Saggiorato Tested-by: David Saggiorato Signed-off-by: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: aaeb5c01c5b ("x86/fpu, sched: Introduce CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT and use it on x86") Link: http://lkml.kernel.org/r/8de723afbf0811071185039f9088733188b606c9.1475103911.git.luto@kernel.org Signed-off-by: Ingo Molnar arch/x86/kernel/cpu/common.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) commit e4aad64597d7a2455a541f904365b48d607916db Author: Segher Boessenkool Date: Thu Sep 29 11:51:00 2016 +0000 x86/vdso: Fix building on big endian host We need to call GET_LE to read hdr->e_type. Fixes: 57f90c3dfc75 ("x86/vdso: Error out if the vDSO isn't a valid DSO") Reported-by: Paul Gortmaker Signed-off-by: Segher Boessenkool Acked-by: Andy Lutomirski Cc: Stephen Rothwell Cc: linux-next@vger.kernel.org Link: http://lkml.kernel.org/r/20160929193442.GA16617@gate.crashing.org Signed-off-by: Thomas Gleixner arch/x86/entry/vdso/vdso2c.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 192d1dccbfc5b901b66527df9df80304693cf06e Author: Andy Lutomirski Date: Thu Sep 29 12:48:11 2016 -0700 x86/boot: Fix another __read_cr4() case on 486 The condition for reading CR4 was wrong: there are some CPUs with CPUID but not CR4. Rather than trying to make the condition exact, use __read_cr4_safe(). Fixes: 18bc7bd523e0 ("x86/boot: Synchronize trampoline_cr4_features and mmu_cr4_features directly") Reported-by: david@saggiorato.net Signed-off-by: Andy Lutomirski Reviewed-by: Borislav Petkov Cc: Brian Gerst Link: http://lkml.kernel.org/r/8c453a61c4f44ab6ff43c29780ba04835234d2e5.1475178369.git.luto@kernel.org Signed-off-by: Thomas Gleixner arch/x86/kernel/setup.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) commit 1cceda7849809a8857fd9f26efe8846506c710e1 Author: Xin Long Date: Thu Sep 29 02:55:44 2016 +0800 sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock When sctp dumps all the ep->assocs, it needs to lock_sock first, but now it locks sock in rcu_read_lock, and lock_sock may sleep, which would break rcu_read_lock. This patch is to get and hold one sock when traversing the list. After that and get out of rcu_read_lock, lock and dump it. Then it will traverse the list again to get the next one until all sctp socks are dumped. For sctp_diag_dump_one, it fixes this issue by holding asoc and moving cb() out of rcu_read_lock in sctp_transport_lookup_process. Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file") Signed-off-by: Xin Long Signed-off-by: David S. Miller net/sctp/sctp_diag.c | 58 ++++++++++++++++++++++++++++++++++++---------------- net/sctp/socket.c | 10 ++++++--- 2 files changed, 47 insertions(+), 21 deletions(-) commit 75b005b949d3dc93b526c3da0a750fd1fc9a703a Merge: 1b0ff89 be4947b Author: David S. Miller Date: Fri Sep 30 02:07:10 2016 -0400 Merge branch 'sctp-fixes' Xin Long says: ==================== sctp: a bunch of fixes for prsctp polices This patchset is to fix 2 issues for prsctp polices: 1. patch 1 and 2 fix "netperf-Throughput_Mbps -37.2% regression" issue when overloading the CPU. 2. patch 3 fix "prsctp polices should check both sides' prsctp_capable, instead of only local side". ==================== Signed-off-by: David S. Miller commit be4947bf46cb0e7a7d089e03c61bab35f1e695ce Author: Xin Long Date: Thu Sep 29 02:37:28 2016 +0800 sctp: change to check peer prsctp_capable when using prsctp polices Now before using prsctp polices, sctp uses asoc->prsctp_enable to check if prsctp is enabled. However asoc->prsctp_enable is set only means local host support prsctp, sctp should not abandon packet if peer host doesn't enable prsctp. So this patch is to use asoc->peer.prsctp_capable to check if prsctp is enabled on both side, instead of asoc->prsctp_enable, as asoc's peer.prsctp_capable is set only when local and peer both enable prsctp. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller net/sctp/chunk.c | 4 ++-- net/sctp/outqueue.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) commit 0605483f6ace1f6b63e397c819a115ddcd13af0d Author: Xin Long Date: Thu Sep 29 02:37:27 2016 +0800 sctp: remove prsctp_param from sctp_chunk Now sctp uses chunk->prsctp_param to save the prsctp param for all the prsctp polices, we didn't need to introduce prsctp_param to sctp_chunk. We can just use chunk->sinfo.sinfo_timetolive for RTX and BUF polices, and reuse msg->expires_at for TTL policy, as the prsctp polices and old expires policy are mutual exclusive. This patch is to remove prsctp_param from sctp_chunk, and reuse msg's expires_at for TTL and chunk's sinfo.sinfo_timetolive for RTX and BUF polices. Note that sctp can't use chunk's sinfo.sinfo_timetolive for TTL policy, as it needs a u64 variables to save the expires_at time. This one also fixes the "netperf-Throughput_Mbps -37.2% regression" issue. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller include/net/sctp/structs.h | 7 ------- net/sctp/chunk.c | 9 +++++++-- net/sctp/outqueue.c | 4 ++-- net/sctp/sm_make_chunk.c | 15 --------------- 4 files changed, 9 insertions(+), 26 deletions(-) commit 73dca124cdbad2d67d47d6196c08325f18447d07 Author: Xin Long Date: Thu Sep 29 02:37:26 2016 +0800 sctp: move sent_count to the memory hole in sctp_chunk Now pahole sctp_chunk, it has 2 memory holes: struct sctp_chunk { struct list_head list; atomic_t refcnt; /* XXX 4 bytes hole, try to pack */ ... long unsigned int prsctp_param; int sent_count; /* XXX 4 bytes hole, try to pack */ This patch is to move up sent_count to fill the 1st one and eliminate the 2nd one. It's not just another struct compaction, it also fixes the "netperf- Throughput_Mbps -37.2% regression" issue when overloading the CPU. Fixes: a6c2f792873a ("sctp: implement prsctp TTL policy") Signed-off-by: Xin Long Signed-off-by: David S. Miller include/net/sctp/structs.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 1b0ff89852d79354e8a091c81a88df21f5aa9f0a Author: Milton Miller Date: Thu Sep 29 13:24:08 2016 -0300 tg3: Avoid NULL pointer dereference in tg3_io_error_detected() While the driver is probing the adapter, an error may occur before the netdev structure is allocated and attached to pci_dev. In this case, not only netdev isn't available, but the tg3 private structure is also not available as it is just math from the NULL pointer, so dereferences must be skipped. The following trace is seen when the error is triggered: [1.402247] Unable to handle kernel paging request for data at address 0x00001a99 [1.402410] Faulting instruction address: 0xc0000000007e33f8 [1.402450] Oops: Kernel access of bad area, sig: 11 [#1] [1.402481] SMP NR_CPUS=2048 NUMA PowerNV [1.402513] Modules linked in: [1.402545] CPU: 0 PID: 651 Comm: eehd Not tainted 4.4.0-36-generic #55-Ubuntu [1.402591] task: c000001fe4e42a20 ti: c000001fe4e88000 task.ti: c000001fe4e88000 [1.402742] NIP: c0000000007e33f8 LR: c0000000007e3164 CTR: c000000000595ea0 [1.402787] REGS: c000001fe4e8b790 TRAP: 0300 Not tainted (4.4.0-36-generic) [1.402832] MSR: 9000000100009033 CR: 28000422 XER: 20000000 [1.403058] CFAR: c000000000008468 DAR: 0000000000001a99 DSISR: 42000000 SOFTE: 1 GPR00: c0000000007e3164 c000001fe4e8ba10 c0000000015c5e00 0000000000000000 GPR04: 0000000000000001 0000000000000000 0000000000000039 0000000000000299 GPR08: 0000000000000000 0000000000000001 c000001fe4e88000 0000000000000006 GPR12: 0000000000000000 c00000000fb40000 c0000000000e6558 c000003ca1bffd00 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000000d52768 GPR24: c000000000d52740 0000000000000100 c000003ca1b52000 0000000000000002 GPR28: 0000000000000900 0000000000000000 c00000000152a0c0 c000003ca1b52000 [1.404226] NIP [c0000000007e33f8] tg3_io_error_detected+0x308/0x340 [1.404265] LR [c0000000007e3164] tg3_io_error_detected+0x74/0x340 This patch avoids the NULL pointer dereference by moving the access after the netdev NULL pointer check on tg3_io_error_detected(). Also, we add a check for netdev being NULL on tg3_io_resume() [suggested by Michael Chan]. Fixes: 0486a063b1ff ("tg3: prevent ifup/ifdown during PCI error recovery") Fixes: dfc8f370316b ("net/tg3: Release IRQs on permanent error") Tested-by: Guilherme G. Piccoli Signed-off-by: Milton Miller Signed-off-by: Guilherme G. Piccoli Acked-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/tg3.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit e3b3656ca63e23b5755183718df36fb9ff518b02 Merge: c6169de 90fd68d Author: Linus Torvalds Date: Thu Sep 29 20:16:57 2016 -0700 Merge tag 'drm-fixes-for-v4.8-final' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "drm fixes for final 4.8. One big regression fix for udl, along with two amdgpu fixes and two nouveau fixes. All seems pretty safe and useful" * tag 'drm-fixes-for-v4.8-final' of git://people.freedesktop.org/~airlied/linux: drm/udl: fix line iterator in damage handling drm/radeon/si/dpm: add workaround for for Jet parts drm/amdgpu: disable CRTCs before teardown drm/nouveau: Revert "bus: remove cpu_coherent flag" drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion commit c6169de7308b397824bd418c5b871b5a42de83d2 Merge: 53061af 595c730 Author: Linus Torvalds Date: Thu Sep 29 14:59:11 2016 -0700 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: - Four fixes for "flush hint" support. Flush hints are addresses advertised by the ACPI 6+ NFIT (NVDIMM Firmware Interface Table) that when written and fenced guarantee that writes pending in platform write buffers (outside the cpu) have been flushed to media. They might also be used by hypervisors as a trigger condition to flush guest-persistent memory ranges to storage. Fix a potential data corruption issue, a broken definition of the hint array, a wrong allocation size for the unit test implementation of the flush hint table, and missing NULL check in an error path. The unit test, while it did not prevent these bugs from being merged, at least triggered occasional crashes in advance of production usages. - Fix handling of ACPI DSM error status results. The DSM mechanism allows communication with platform and memory device firmware. We correctly parse known errors, but were silently ignoring others. Fix it to consistently fail any command with a non-zero status return that we otherwise do not interpret / handle. * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: libnvdimm, region: fix flush hint table thinko nfit: fail DSMs that return non-zero status by default libnvdimm: fix devm_nvdimm_memremap() error path tools/testing/nvdimm: fix allocation range for mock flush hint tables nvdimm: fix PHYS_PFN/PFN_PHYS mixup commit e1bfc11c5a6f40222a698a818dc269113245820e Author: Andy Lutomirski Date: Wed Sep 28 12:34:14 2016 -0700 x86/init: Fix cr4_init_shadow() on CR4-less machines cr4_init_shadow() will panic on 486-like machines without CR4. Fix it using __read_cr4_safe(). Reported-by: david@saggiorato.net Signed-off-by: Andy Lutomirski Reviewed-by: Borislav Petkov Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Fixes: 1e02ce4cccdc ("x86: Store a per-cpu shadow copy of CR4") Link: http://lkml.kernel.org/r/43a20f81fb504013bf613913dc25574b45336a61.1475091074.git.luto@kernel.org Signed-off-by: Ingo Molnar arch/x86/include/asm/tlbflush.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 058effe7fdc5776b017356f690976a857eea473f Author: Paul Burton Date: Fri Sep 2 15:17:31 2016 +0100 MIPS: Fix detection of unsupported highmem with cache aliases The paging_init() function contains code which detects that highmem is in use but unsupported due to dcache aliasing. However this code was ineffective because it was being run before the caches are probed, meaning that cpu_has_dc_aliases would always evaluate to false (unless a platform overrides it to a compile-time constant) and the detection of the unsupported case is never triggered. The kernel would then go on to attempt to use highmem & either hit coherency issues or trigger the BUG_ON in flush_kernel_dcache_page(). Fix this by running paging_init() later than cpu_cache_init(), such that the cpu_has_dc_aliases macro will evaluate correctly & the unsupported highmem case will be detected successfully. This then leads to a formerly hidden issue in that mem_init_free_highmem() will attempt to free all highmem pages, even though we're avoiding use of them & don't have valid page structs for them. This leads to an invalid pointer dereference & a TLB exception. Avoid this by skipping the loop in mem_init_free_highmem() if cpu_has_dc_aliases evaluates true. Signed-off-by: Paul Burton Cc: Rabin Vincent Cc: Matt Redfearn Cc: Jerome Marchand Cc: Alexander Sverdlin Cc: Aurelien Jarno Cc: Jaedon Shin Cc: Toshi Kani Cc: James Hogan Cc: Sergey Ryazanov Cc: Jonas Gorski Cc: Kirill A. Shutemov Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14184/ Signed-off-by: Ralf Baechle arch/mips/kernel/setup.c | 2 +- arch/mips/mm/init.c | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) commit 305723ab439e14debc1d339aa04e835d488b8253 Author: Paul Burton Date: Fri Sep 2 16:07:10 2016 +0100 MIPS: Malta: Fix IOCU disable switch read for MIPS64 Malta boards used with CPU emulators feature a switch to disable use of an IOCU. Software has to check this switch & ignore any present IOCU if the switch is closed. The read used to do this was unsafe for 64 bit kernels, as it simply casted the address 0xbf403000 to a pointer & dereferenced it. Whilst in a 32 bit kernel this would access kseg1, in a 64 bit kernel this attempts to access xuseg & results in an address error exception. Fix by accessing a correctly formed ckseg1 address generated using the CKSEG1ADDR macro. Whilst modifying this code, define the name of the register and the bit we care about within it, which indicates whether PCI DMA is routed to the IOCU or straight to DRAM. The code previously checked that bit 0 was also set, but the least significant 7 bits of the CONFIG_GEN0 register contain the value of the MReqInfo signal provided to the IOCU OCP bus, so singling out bit 0 makes little sense & that part of the check is dropped. Signed-off-by: Paul Burton Fixes: b6d92b4a6bdb ("MIPS: Add option to disable software I/O coherency.") Cc: Matt Redfearn Cc: Masahiro Yamada Cc: Kees Cook Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14187/ Signed-off-by: Ralf Baechle arch/mips/mti-malta/malta-setup.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 1eefcbc89cf3a8e252e5aeb25825594699b47360 Author: Paul Burton Date: Fri Aug 19 18:15:40 2016 +0100 MIPS: Fix BUILD_ROLLBACK_PROLOGUE for microMIPS When the kernel is built for microMIPS, branches targets need to be known to be microMIPS code in order to result in bit 0 of the PC being set. The branch target in the BUILD_ROLLBACK_PROLOGUE macro was simply the end of the macro, which may be pointing at padding rather than at code. This results in recent enough GNU linkers complaining like so: mips-img-linux-gnu-ld: arch/mips/built-in.o: .text+0x3e3c: Unsupported branch between ISA modes. mips-img-linux-gnu-ld: final link failed: Bad value Makefile:936: recipe for target 'vmlinux' failed make: *** [vmlinux] Error 1 Fix this by changing the branch target to be the start of the appropriate handler, skipping over any padding. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14019/ Signed-off-by: Ralf Baechle arch/mips/kernel/genex.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 67acd8d5c606cf42e6726767d705851dec9f6a34 Author: Paul Burton Date: Fri Aug 19 18:18:28 2016 +0100 MIPS: clear execution hazard after changing FTLB enable On current P-series cores from Imagination the FTLB can be enabled or disabled via a bit in the Config6 register, and an execution hazard is created by changing the value of bit. The ftlb_disable function already cleared that hazard but that does no good for other callers. Clear the hazard in the set_ftlb_enable function that creates it, and only for the cores where it applies. This has the effect of reverting c982c6d6c48b ("MIPS: cpu-probe: Remove cp0 hazard barrier when enabling the FTLB") which was incorrect. Signed-off-by: Paul Burton Fixes: c982c6d6c48b ("MIPS: cpu-probe: Remove cp0 hazard barrier when enabling the FTLB") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14023/ Signed-off-by: Ralf Baechle arch/mips/kernel/cpu-probe.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit ebd0e0f503d0774407a63ebb5ec1a90bb54941f5 Author: Paul Burton Date: Fri Aug 19 18:18:27 2016 +0100 MIPS: Configure FTLB after probing TLB sizes from config4 On some cores (proAptiv, P5600) we make use of the sizes of the TLBs to determine the desired FTLB:VTLB write ratio. However set_ftlb_enable & thus calculate_ftlb_probability is called before decode_config4. This results in us calculating a probability based on zero sizes, and we end up setting FTLBP=3 for a 3:1 FTLB:VTLB write ratio in all cases. This will make abysmal use of the available FTLB resources in the affected cores. Fix this by configuring the FTLB probability after having decoded config4. However we do need to have enabled the FTLB before that point such that fields in config4 actually reflect that an FTLB is present. So set_ftlb_enable is now called twice, with flags indicating that it should configure the write probability only the second time. Signed-off-by: Paul Burton Fixes: cf0a8aa0226d ("MIPS: cpu-probe: Set the FTLB probability bit on supported cores") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14022/ Signed-off-by: Ralf Baechle arch/mips/kernel/cpu-probe.c | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) commit 72c70f010dfcc9ea6cc13500602a29e33748452f Author: Paul Burton Date: Fri Aug 19 18:18:26 2016 +0100 MIPS: Stop setting I6400 FTLBP The FTLBP field in Config7 for the I6400 is intended as chicken bits for debugging rather than as a field that software actually makes use of. For best performance, FTLBP should be left at its default value of 0 with all TLB writes hitting the FTLB by default. Additionally, since set_ftlb_enable is called from decode_configs before decode_config4 which determines the size of the TLBs, this was previously always setting FTLBP=3 for a 3:1 FTLB:VTLB write ratio which makes abysmal use of the available FTLB resources. This effectively reverts b0c4e1b79d8a ("MIPS: Set up FTLB probability for I6400"). Signed-off-by: Paul Burton Fixes: b0c4e1b79d8a ("MIPS: Set up FTLB probability for I6400") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14021/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mipsregs.h | 2 -- arch/mips/kernel/cpu-probe.c | 9 ++------- 2 files changed, 2 insertions(+), 9 deletions(-) commit 3021773c7c3e75e20b693931a19362681e744ea9 Author: Ralf Baechle Date: Tue Sep 20 14:33:01 2016 +0200 MIPS: DEC: Avoid la pseudo-instruction in delay slots When expanding the la or dla pseudo-instruction in a delay slot the GNU assembler will complain should the pseudo-instruction expand to multiple actual instructions, since only the first of them will be in the delay slot leading to the pseudo-instruction being only partially executed if the branch is taken. Use of PTR_LA in the dec int-handler.S leads to such warnings: arch/mips/dec/int-handler.S: Assembler messages: arch/mips/dec/int-handler.S:149: Warning: macro instruction expanded into multiple instructions in a branch delay slot arch/mips/dec/int-handler.S:198: Warning: macro instruction expanded into multiple instructions in a branch delay slot Avoid this by open coding the PTR_LA macros. Signed-off-by: Ralf Baechle arch/mips/dec/int-handler.S | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) commit 0a900553715c39cfb6170ccc9846b194a4c13ceb Author: Steven J. Hill Date: Fri Aug 26 14:02:04 2016 -0500 MIPS: Octeon: mark GPIO controller node not populated after IRQ init. We clear the OF_POPULATED flag for the GPIO controller node on Octeon processors. Otherwise, none of the devices hanging on the GPIO lines are probed. The 'gpio-leds' driver on OCTEON failed to probe in addition to other devices on Cavium 71xx and 78xx development boards. Fixes: 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") Signed-off-by: Steven J. Hill Tested-by: Aaro Koskinen Cc: David Daney Cc: Rob Herring Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14091/ Signed-off-by: Ralf Baechle arch/mips/cavium-octeon/octeon-irq.c | 6 ++++++ 1 file changed, 6 insertions(+) commit ca86c9ef2b322ebf24772009fdea037688cbdac1 Author: Marcin Nowakowski Date: Thu Sep 22 15:38:33 2016 +0200 MIPS: uprobes: fix use of uninitialised variable arch_uprobe_pre_xol needs to emulate a branch if a branch instruction has been replaced with a breakpoint, but in fact an uninitialised local variable was passed to the emulator routine instead of the original instruction Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14300/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit ddabfa5c2e33f1b495f3e0176de7057850915c0b Author: Marcin Nowakowski Date: Thu Sep 22 15:38:32 2016 +0200 MIPS: uprobes: remove incorrect set_orig_insn Generic kernel code implements a weak version of set_orig_insn that moves cached 'insn' from arch_uprobe to the original code location when the trap is removed. MIPS variant used arch_uprobe->orig_inst which was never initialised properly, so this code only inserted a nop instead of the original instruction. With that change orig_inst can also be safely removed. Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14299/ Signed-off-by: Ralf Baechle arch/mips/include/asm/uprobes.h | 1 - arch/mips/kernel/uprobes.c | 18 ------------------ 2 files changed, 19 deletions(-) commit db06068a4fd44a57b642b369d2a295b8448f6b65 Author: Marcin Nowakowski Date: Thu Sep 22 15:38:31 2016 +0200 MIPS: fix uretprobe implementation arch_uretprobe_hijack_return_addr should replace the return address for a call with a trampoline address. Signed-off-by: Marcin Nowakowski Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14298/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6ca8ac773e97e2dfa5734ae435c40e672dd19ac4 Author: Matt Redfearn Date: Thu Sep 22 11:59:47 2016 +0100 MIPS: smp-cps: Avoid BUG() when offlining pre-r6 CPUs Commit 0d2808f338c7 ("MIPS: smp-cps: Add support for CPU hotplug of MIPSr6 processors") added a call to mips_cm_lock_other in order to lock the CPC in CPUs containing a version 3 or higher Coherence Manager, which use the general CM core other register, where previous CMs had a dedicated core other register for the CPC. A kernel BUG() is triggered, however, if mips_cm_lock_other is called with a VP other than 0 on a CPU with CM < 3, a condition introduced by 0d2808f338c7. Avoid the BUG() by always locking VP0 when locking the CPC, since the required register, cpc_stat_conf, is shared by all vps in a core. Fixes: 0d2808f338c7 ("MIPS: smp-cps: Add support for CPU hotplug...) Signed-off-by: Matt Redfearn Cc: Qais Yousef Cc: Masahiro Yamada Cc: James Hogan Cc: Paul Burton Cc: Andrew Morton Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14297/ Signed-off-by: Ralf Baechle arch/mips/kernel/smp-cps.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d248220f0465b818887baa9829e691fe662b2c5e Author: Roger Quadros Date: Thu Sep 29 08:32:55 2016 +0100 ARM: 8617/1: dma: fix dma_max_pfn() Since commit 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation"), dma_to_pfn() already returns the PFN with the physical memory start offset so we don't need to add it again. This fixes USB mass storage lock-up problem on systems that can't do DMA over the entire physical memory range (e.g.) Keystone 2 systems with 4GB RAM can only do DMA over the first 2GB. [K2E-EVM]. What happens there is that without this patch SCSI layer sets a wrong bounce buffer limit in scsi_calculate_bounce_limit() for the USB mass storage device. dma_max_pfn() evaluates to 0x8fffff and bounce_limit is set to 0x8fffff000 whereas maximum DMA'ble physical memory on Keystone 2 is 0x87fffffff. This results in non DMA'ble pages being given to the USB controller and hence the lock-up. NOTE: in the above case, USB-SCSI-device's dma_pfn_offset was showing as 0. This should have really been 0x780000 as on K2e, LOWMEM_START is 0x80000000 and HIGHMEM_START is 0x800000000. DMA zone is 2GB so dma_max_pfn should be 0x87ffff. The incorrect dma_pfn_offset for the USB storage device is because USB devices are not correctly inheriting the dma_pfn_offset from the USB host controller. This will be fixed by a separate patch. Fixes: 6ce0d2001692 ("ARM: dma: Use dma_pfn_offset for dma address translation") Cc: stable@vger.kernel.org Cc: Greg Kroah-Hartman Cc: Santosh Shilimkar Cc: Arnd Bergmann Cc: Olof Johansson Cc: Catalin Marinas Cc: Linus Walleij Reported-by: Grygorii Strashko Signed-off-by: Roger Quadros Signed-off-by: Russell King arch/arm/include/asm/dma-mapping.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ba6dea4f7cedb4b1c17e36f4087675d817c2e24b Author: Robin Murphy Date: Mon Sep 26 16:50:55 2016 +0100 ARM: 8616/1: dt: Respect property size when parsing CPUs Whilst MPIDR values themselves are less than 32 bits, it is still perfectly valid for a DT to have #address-cells > 1 in the CPUs node, resulting in the "reg" property having leading zero cell(s). In that situation, the big-endian nature of the data conspires with the current behaviour of only reading the first cell to cause the kernel to think all CPUs have ID 0, and become resoundingly unhappy as a consequence. Take the full property length into account when parsing CPUs so as to be correct under any circumstances. Cc: Russell King Signed-off-by: Robin Murphy Signed-off-by: Russell King arch/arm/kernel/devtree.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit 2a0100d7beebd2fb2c436852648f75396253e9f8 Author: David S. Miller Date: Wed Sep 28 20:40:52 2016 -0400 sparc64: Fix non-SMP build. Need to provide a dummy smp_fill_in_cpu_possible_map. Fixes: 9b2f753ec237 ("sparc64: Fix cpu_possible_mask if nr_cpus is set") Reported-by: kbuild test robot Signed-off-by: David S. Miller arch/sparc/include/asm/smp_64.h | 1 + 1 file changed, 1 insertion(+) commit 53061afee43bc5041b67a45b6d793e7afdcf9ca7 Merge: ae6dd8d 231e97e Author: Linus Torvalds Date: Wed Sep 28 16:20:24 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "4 fixes" * emailed patches from Andrew Morton : mem-hotplug: use nodes that contain memory as mask in new_node_page() scripts/recordmcount.c: account for .softirqentry.text dma-mapping.h: preserve unmap info for CONFIG_DMA_API_DEBUG mm,ksm: fix endless looping in allocating memory when ksm enable commit 231e97e2b8ec9a1556ced5d8a89cda03a480b179 Author: Li Zhong Date: Wed Sep 28 15:22:38 2016 -0700 mem-hotplug: use nodes that contain memory as mask in new_node_page() 9bb627be47a5 ("mem-hotplug: don't clear the only node in new_node_page()") prevents allocating from an empty nodemask, but as David points out, it is still wrong. As node_online_map may include memoryless nodes, only allocating from these nodes is meaningless. This patch uses node_states[N_MEMORY] mask to prevent the above case. Fixes: 9bb627be47a5 ("mem-hotplug: don't clear the only node in new_node_page()") Fixes: 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") Link: http://lkml.kernel.org/r/1474447117.28370.6.camel@TP420 Signed-off-by: Li Zhong Suggested-by: David Rientjes Acked-by: Vlastimil Babka Cc: Michal Hocko Cc: John Allen Cc: Xishi Qiu Cc: Joonsoo Kim Cc: Naoya Horiguchi Cc: Tetsuo Handa Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memory_hotplug.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit e436fd61a8f62cb7a16310a42b95ab076ff72eff Author: Dmitry Vyukov Date: Wed Sep 28 15:22:36 2016 -0700 scripts/recordmcount.c: account for .softirqentry.text be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections") added .softirqentry.text section, but it was not added to recordmcount. So functions in the section are untracable. Add the section to scripts/recordmcount.c and scripts/recordmcount.pl. Fixes: be7635e7287e ("arch, ftrace: for KASAN put hard/soft IRQ entries into separate sections") Link: http://lkml.kernel.org/r/1474902626-73468-1-git-send-email-dvyukov@google.com Signed-off-by: Dmitry Vyukov Acked-by: Steve Rostedt Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/recordmcount.c | 1 + scripts/recordmcount.pl | 1 + 2 files changed, 2 insertions(+) commit 2481366afd71a0c0b7cd725e6750c04cf589673b Author: Andrey Smirnov Date: Wed Sep 28 15:22:33 2016 -0700 dma-mapping.h: preserve unmap info for CONFIG_DMA_API_DEBUG When CONFIG_DMA_API_DEBUG is enabled we need to preserve unmapping address even if "unmap" is a no-op for our architecutre because we need debug_dma_unmap_page() to correctly cleanup all of the debug bookkeeping. Failing to do so results in a false positive warnings about previously mapped areas never being unmapped. Link: http://lkml.kernel.org/r/1474387125-3713-1-git-send-email-andrew.smirnov@gmail.com Signed-off-by: Andrey Smirnov Reviewed-by: Robin Murphy Cc: Joerg Roedel Cc: Will Deacon Cc: Zhen Lei Cc: "Luis R. Rodriguez" Cc: Christian Borntraeger Cc: Geliang Tang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/dma-mapping.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5b398e416e880159fe55eefd93c6588fa072cd66 Author: zhong jiang Date: Wed Sep 28 15:22:30 2016 -0700 mm,ksm: fix endless looping in allocating memory when ksm enable I hit the following hung task when runing a OOM LTP test case with 4.1 kernel. Call trace: [] __switch_to+0x74/0x8c [] __schedule+0x23c/0x7bc [] schedule+0x3c/0x94 [] rwsem_down_write_failed+0x214/0x350 [] down_write+0x64/0x80 [] __ksm_exit+0x90/0x19c [] mmput+0x118/0x11c [] do_exit+0x2dc/0xa74 [] do_group_exit+0x4c/0xe4 [] get_signal+0x444/0x5e0 [] do_signal+0x1d8/0x450 [] do_notify_resume+0x70/0x78 The oom victim cannot terminate because it needs to take mmap_sem for write while the lock is held by ksmd for read which loops in the page allocator ksm_do_scan scan_get_next_rmap_item down_read get_next_rmap_item alloc_rmap_item #ksmd will loop permanently. There is no way forward because the oom victim cannot release any memory in 4.1 based kernel. Since 4.6 we have the oom reaper which would solve this problem because it would release the memory asynchronously. Nevertheless we can relax alloc_rmap_item requirements and use __GFP_NORETRY because the allocation failure is acceptable as ksm_do_scan would just retry later after the lock got dropped. Such a patch would be also easy to backport to older stable kernels which do not have oom_reaper. While we are at it add GFP_NOWARN so the admin doesn't have to be alarmed by the allocation failure. Link: http://lkml.kernel.org/r/1474165570-44398-1-git-send-email-zhongjiang@huawei.com Signed-off-by: zhong jiang Suggested-by: Hugh Dickins Suggested-by: Michal Hocko Acked-by: Michal Hocko Acked-by: Hugh Dickins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/ksm.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit ae6dd8d61913b5341067c7c660e8e91430d22e7c Merge: 0a966fa f6d7c1b Author: Linus Torvalds Date: Wed Sep 28 12:53:08 2016 -0700 Merge tag 'for-linus-20160928' of git://git.infradead.org/linux-mtd Pull late MTD fixes from Brian Norris: "Another round of MTD fixes for v4.8 My apologies for sending this so late. I've been fairly absent as a maintainer this cycle, but I did queue these up weeks ago. In the meantime, Richard was able to handle some other fixes (thanks!) but didn't pick these up. On the bright side, these are very simple changes that should carry little risk. Summary: - Davinci NAND: fix a long-standing bug in how we clear/prep 4-bit ECC - OMAP NAND: an error-handling fix that made it into v4.8-rc1 caused error-handling cases in other configurations/code-paths; this fixes the fix" * tag 'for-linus-20160928' of git://git.infradead.org/linux-mtd: mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl mtd: nand: omap2: Don't call dma_release_channel() if dma_request_chan() failed commit 0a966fa8914aafeb430f9e8489227e86d8468625 Author: Mark Fasheh Date: Wed Sep 28 12:51:04 2016 -0700 MAINTAINERS: Update my e-mail I will be starting employment at Versity next week and would like to update my MAINTAINERS e-mail to reflect that change. My versity e-mail is already activated so I shouldn't get any bounces on the new one. My ability to help with Ocfs2 kernel maintenance won't change as a result of the new job. Signed-off-by: Mark Fasheh Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ebb99a4c12e4daabe1940ae936e8e7e97ae68c6f Author: Atish Patra Date: Thu Sep 15 14:54:41 2016 -0600 sparc64: Fix irq stack bootmem allocation. Currently, irq stack bootmem is allocated for all possible cpus before nr_cpus value changes the list of possible cpus. As a result, there is unnecessary wastage of bootmemory. Move the irq stack bootmem allocation so that it happens after possible cpu list is modified based on nr_cpus value. Signed-off-by: Atish Patra Reviewed-by: Bob Picco Reviewed-by: Vijay Kumar Signed-off-by: David S. Miller arch/sparc/kernel/setup_64.c | 25 +++++++++++++++++++++++++ arch/sparc/mm/init_64.c | 16 ---------------- 2 files changed, 25 insertions(+), 16 deletions(-) commit 9b2f753ec23710aa32c0d837d2499db92fe9115b Author: Atish Patra Date: Thu Sep 15 14:54:40 2016 -0600 sparc64: Fix cpu_possible_mask if nr_cpus is set If kernel boot parameter nr_cpus is set, it should define the number of CPUs that can ever be available in the system i.e. cpu_possible_mask. setup_nr_cpu_ids() overrides the nr_cpu_ids based on the cpu_possible_mask during kernel initialization. If cpu_possible_mask is not set based on the nr_cpus value, earlier part of the kernel would be initialized using nr_cpus value leading to a kernel crash. Set cpu_possible_mask based on nr_cpus value. Thus setup_nr_cpu_ids() becomes redundant and does not corrupt nr_cpu_ids value. Signed-off-by: Atish Patra Reviewed-by: Bob Picco Reviewed-by: Vijay Kumar Signed-off-by: David S. Miller arch/sparc/include/asm/smp_64.h | 1 + arch/sparc/kernel/setup_64.c | 1 + arch/sparc/kernel/smp_64.c | 14 ++++++++++++++ 3 files changed, 16 insertions(+) commit 1e953d846ac015fbfcf09c857e8f893924cb629c Author: Mike Kravetz Date: Wed Aug 31 13:48:19 2016 -0700 sparc64 mm: Fix more TSB sizing issues Commit af1b1a9b36b8 ("sparc64 mm: Fix base TSB sizing when hugetlb pages are used") addressed the difference between hugetlb and THP pages when computing TSB sizes. The following additional issues were also discovered while working with the code. In order to save memory, THP makes use of a huge zero page. This huge zero page does not count against a task's RSS, but it does consume TSB entries. This is similar to hugetlb pages. Therefore, count huge zero page entries in hugetlb_pte_count. Accounting of THP pages is done in the routine set_pmd_at(). Unfortunately, this does not catch the case where a THP page is split. To handle this case, decrement the count in pmdp_invalidate(). pmdp_invalidate is only called when splitting a THP. However, 'sanity checks' are added in case it is ever called for other purposes. A more general issue exists with HPAGE_SIZE accounting. hugetlb_pte_count tracks the number of HPAGE_SIZE (8M) pages. This value is used to size the TSB for HPAGE_SIZE pages. However, each HPAGE_SIZE page consists of two REAL_HPAGE_SIZE (4M) pages. The TSB contains an entry for each REAL_HPAGE_SIZE page. Therefore, the number of REAL_HPAGE_SIZE pages should be used to size the huge page TSB. A new compile time constant REAL_HPAGE_PER_HPAGE is used to multiply hugetlb_pte_count before sizing the TSB. Changes from V1 - Fixed build issue if hugetlb or THP not configured Signed-off-by: Mike Kravetz Signed-off-by: David S. Miller arch/sparc/include/asm/page_64.h | 1 + arch/sparc/mm/fault_64.c | 1 + arch/sparc/mm/tlb.c | 35 +++++++++++++++++++++++++++++++---- arch/sparc/mm/tsb.c | 18 ++++++++++++------ 4 files changed, 45 insertions(+), 10 deletions(-) commit bdf2f59e64eb9cd9e9dd90f990a9577640470c8a Author: Paul Gortmaker Date: Sat Aug 6 00:31:48 2016 -0400 sparc64: fix section mismatch in find_numa_latencies_for_group To fix: WARNING: vmlinux.o(.text.unlikely+0x580): Section mismatch in reference from the function find_numa_latencies_for_group() to the function .init.text:find_mlgroup() The function find_numa_latencies_for_group() references the function __init find_mlgroup(). This is often because find_numa_latencies_for_group lacks a __init annotation or the annotation of find_mlgroup is wrong. It turns out find_numa_latencies_for_group is only called from: static int __init numa_parse_mdesc(void) and hence we can tag find_numa_latencies_for_group with __init. In doing so we see that find_best_numa_node_for_mlgroup is only called from within __init and hence can also be marked with __init. Cc: "David S. Miller" Cc: Nitin Gupta Cc: Chris Hyser Cc: Santosh Shilimkar Cc: sparclinux@vger.kernel.org Signed-off-by: Paul Gortmaker Signed-off-by: David S. Miller arch/sparc/mm/init_64.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 539294b76af8922297702a7ebb8cafe68f7e5376 Merge: 14a5916 8d58881 Author: James Bottomley Date: Tue Sep 27 22:30:51 2016 -0700 Merge remote-tracking branch 'mkp-scsi/4.8/scsi-fixes' into fixes commit 90fd68dcf9a763f7e575c8467415bd8a66d073f4 Author: David Herrmann Date: Fri Sep 23 12:36:02 2016 +0200 drm/udl: fix line iterator in damage handling The udl damage handler is supposed to render 'height' lines, but its iterator has an obvious typo that makes it miss most lines if the rectangle does not cover 0/0. Fix the damage handler to correctly render all lines. This is a fallout from: commit e375882406d0cc24030746638592004755ed4ae0 Author: Noralf Trønnes Date: Thu Apr 28 17:18:37 2016 +0200 drm/udl: Use drm_fb_helper deferred_io support Tested-by: poma Cc: stable@vger.kernel.org # 4.7+ Reviewed-by: Daniel Vetter Signed-off-by: David Herrmann Reviewed-by: Eric Engestrom Signed-off-by: Dave Airlie drivers/gpu/drm/udl/udl_fb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit aaee1d1e2d97e3cb99cf0e096d2172237d762e4e Merge: b86f9fa bad3d80 Author: Dave Airlie Date: Wed Sep 28 10:23:50 2016 +1000 Merge branch 'linux-4.8' of git://github.com/skeggsb/linux into drm-fixes nouveau: couple of fixes. * 'linux-4.8' of git://github.com/skeggsb/linux: drm/nouveau: Revert "bus: remove cpu_coherent flag" drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion commit b86f9faa34b4f08f4fbca333648d999bfcf42192 Merge: 08895a8 670bb4f Author: Dave Airlie Date: Wed Sep 28 10:19:35 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes two amd fixes. * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/radeon/si/dpm: add workaround for for Jet parts drm/amdgpu: disable CRTCs before teardown commit 8ab293e3a1376574e11f9059c09cc0db212546cb Merge: 08895a8 9157056 Author: Linus Torvalds Date: Tue Sep 27 16:43:11 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Three late fixes for cgroup: Two cpuset ones, one trivial and the other pretty obscure, and a cgroup core fix for a bug which impacts cgroup v2 namespace users" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: fix invalid controller enable rejections with cgroup namespace cpuset: fix non static symbol warning cpuset: handle race between CPU hotplug and cpuset_hotplug_work commit 670bb4fd21c966d0d2a59ad4a99bb4889f9a2987 Author: Alex Deucher Date: Mon Sep 26 15:32:50 2016 -0400 drm/radeon/si/dpm: add workaround for for Jet parts Add clock quirks for Jet parts. Reviewed-by: Sonny Jiang Tested-by: Sonny Jiang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Alex Deucher drivers/gpu/drm/radeon/si_dpm.c | 6 ++++++ 1 file changed, 6 insertions(+) commit a951ed85abd4615e98e36b536e3b3b07b22a88ac Author: Grazvydas Ignotas Date: Sun Sep 25 23:34:48 2016 +0300 drm/amdgpu: disable CRTCs before teardown Some code called by drm_crtc_force_disable_all() wants to wait for all fences, so only do fence teardown after CRTCs are disabled. Fixes: 84b89bdcedf8 ("drm/amdgpu: Turn off CRTCs on driver unload") Cc: stable@vger.kernel.org # v4.8+ Signed-off-by: Grazvydas Ignotas Signed-off-by: Alex Deucher drivers/gpu/drm/amd/amdgpu/amdgpu_device.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7b8147aae741fedb7eab970361cd051d47bc8021 Merge: 1190cfd c006da0 Author: David S. Miller Date: Tue Sep 27 09:53:30 2016 -0400 Merge branch 'act_ife-fixes' Yotam Gigi says: ==================== Fix tc-ife bugs This patch-set contains two bugfixes in the tc-ife action, one fixing some random behaviour in encode side, and one fixing the decode side packet parsing logic. v2->v3 - Fix the encode side instead of the decode side ==================== Signed-off-by: David S. Miller commit c006da0be033b6ddcd27ee603d0ee01491236642 Author: Yotam Gigi Date: Mon Sep 26 13:45:26 2016 +0300 act_ife: Fix false encoding On ife encode side, the action stores the different tlvs inside the ife header, where each tlv length field should refer to the length of the whole tlv (without additional padding) and not just the data length. On ife decode side, the action iterates over the tlvs in the ife header and parses them one by one, where in each iteration the current pointer is advanced according to the tlv size. Before, the encoding encoded only the data length inside the tlv, which led to false parsing of ife the header. In addition, due to the fact that the loop counter was unsigned, it could lead to infinite parsing loop. This fix changes the loop counter to be signed and fixes the encoding to take into account the tlv type and size. Fixes: 28a10c426e81 ("net sched: fix encoding to use real length") Acked-by: Jamal Hadi Salim Signed-off-by: Yotam Gigi Signed-off-by: David S. Miller net/sched/act_ife.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4b1d488a285a446329825d5fe91f987b7880e6e5 Author: Yotam Gigi Date: Mon Sep 26 13:45:25 2016 +0300 act_ife: Fix external mac header on encode On ife encode side, external mac header is copied from the original packet and may be overridden if the user requests. Before, the mac header copy was done from memory region that might not be accessible anymore, as skb_cow_head might free it and copy the packet. This led to random values in the external mac header once the values were not set by user. This fix takes the internal mac header from the packet, after the call to skb_cow_head. Fixes: ef6980b6becb ("net sched: introduce IFE action") Acked-by: Jamal Hadi Salim Signed-off-by: Yotam Gigi Signed-off-by: David S. Miller net/sched/act_ife.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 1190cfdb1a19d89561ae51cff7d9c2ead24b3ebe Author: Jorgen Hansen Date: Mon Sep 26 23:59:53 2016 -0700 VSOCK: Don't dec ack backlog twice for rejected connections If a pending socket is marked as rejected, we will decrease the sk_ack_backlog twice. So don't decrement it for rejected sockets in vsock_pending_work(). Testing of the rejected socket path was done through code modifications. Reported-by: Stefan Hajnoczi Signed-off-by: Jorgen Hansen Reviewed-by: Adit Ranadive Reviewed-by: Aditya Sarwade Signed-off-by: David S. Miller net/vmw_vsock/af_vsock.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit bf1a85a8381a0f749aa321d7881b456b36eb398d Author: Florian Fainelli Date: Sat Sep 24 12:58:30 2016 -0700 Revert "net: ethernet: bcmgenet: use phydev from struct net_device" This reverts commit 62469c76007e ("net: ethernet: bcmgenet: use phydev from struct net_device") because it causes GENETv1/2/3 adapters to expose the following behavior after an ifconfig down/up sequence: PING fainelli-linux (10.112.156.244): 56 data bytes 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.352 ms 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.472 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.496 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.517 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.536 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=1.557 ms (DUP!) 64 bytes from 10.112.156.244: seq=1 ttl=61 time=752.448 ms (DUP!) This was previously fixed by commit 5dbebbb44a6a ("net: bcmgenet: Software reset EPHY after power on") but the commit we are reverting was essentially making this previous commit void, here is why. Without commit 62469c76007e we would have the following scenario after an ifconfig down then up sequence: - bcmgenet_open() calls bcmgenet_power_up() to make sure the PHY is initialized *before* we get to initialize the UniMAC, this is critical to ensure the PHY is in a correct state, priv->phydev is valid, this code executes fine - second time from bcmgenet_mii_probe(), through the normal phy_init_hw() call (which arguably could be optimized out) Everything is fine in that case. With commit 62469c76007e, we would have the following scenario to happen after an ifconfig down then up sequence: - bcmgenet_close() calls phy_disonnect() which makes dev->phydev become NULL - when bcmgenet_open() executes again and calls bcmgenet_mii_reset() from bcmgenet_power_up() to initialize the internal PHY, the NULL check becomes true, so we do not reset the PHY, yet we keep going on and initialize the UniMAC, causing MAC activity to occur - we call bcmgenet_mii_reset() from bcmgenet_mii_probe(), but this is too late, the PHY is botched, and causes the above bogus pings/packets transmission/reception to occur Reported-by: Jaedon Shin Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/genet/bcmgenet.c | 45 ++++++++++++++------------ drivers/net/ethernet/broadcom/genet/bcmgenet.h | 1 + drivers/net/ethernet/broadcom/genet/bcmmii.c | 24 +++++++------- 3 files changed, 39 insertions(+), 31 deletions(-) commit 6c1394f30bae67d5dd8648a38679876ad4afc4f1 Merge: 2cf7507 3ac72b7 Author: David S. Miller Date: Tue Sep 27 07:39:38 2016 -0400 Merge branch 'fec-align' Eric Nelson says: ==================== net: fec: updates to align IP header This patch series is the outcome of investigation into very high numbers of alignment faults on kernel 4.1.33 from the linux-fslc tree: https://github.com/freescale/linux-fslc/tree/4.1-1.0.x-imx The first two patches remove support for the receive accelerator (RACC) from the i.MX25 and i.MX27 SoCs which don't support the function. The third patch enables hardware alignment of the ethernet packet payload (and especially the IP header) to prevent alignment faults in the IP stack. Testing on i.MX6UL on the 4.1.33 kernel showed that this patch removed on the order of 70k alignment faults during a 100MiB transfer using wget. Testing on an i.MX6Q (SABRE Lite) board on net-next (4.8.0-rc7) showed a much more modest improvement from 10's of faults, and it's not clear why that's the case. ==================== Acked-by: Fugang Duan Signed-off-by: David S. Miller commit 3ac72b7b63d57b231dda1e8f8d13872e0d7e8603 Author: Eric Nelson Date: Sat Sep 24 07:42:19 2016 -0700 net: fec: align IP header in hardware The FEC receive accelerator (RACC) supports shifting the data payload of received packets by 16-bits, which aligns the payload (IP header) on a 4-byte boundary, which is, if not required, at least strongly suggested by the Linux networking layer. Without this patch, a huge number of alignment faults will be taken by the IP stack, as seen in /proc/cpu/alignment: ~/$ cat /proc/cpu/alignment User: 0 System: 72645 (inet_gro_receive+0x104/0x27c) Skipped: 0 Half: 0 Word: 0 DWord: 0 Multi: 72645 User faults: 3 (fixup+warn) This patch was suggested by Andrew Lunn in this message to linux-netdev: http://marc.info/?l=linux-arm-kernel&m=147465452108384&w=2 and adapted from a patch by Russell King from 2014: http://git.arm.linux.org.uk/cgit/linux-arm.git/commit/?id=70d8a8a Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 97dc499c1ae396bc0d529f5b1aef3138de1ae7de Author: Eric Nelson Date: Sat Sep 24 07:42:18 2016 -0700 net: fec: remove QUIRK_HAS_RACC from i.mx27 According to the i.MX27 reference manual, this SoC does not have support for the receive accelerator (RACC) register at offset 0x1C4. http://cache.nxp.com/files/32bit/doc/ref_manual/MCIMX27RM.pdf Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 653d37d8bca0be2c7c53c8578980b06840482427 Author: Eric Nelson Date: Sat Sep 24 07:42:17 2016 -0700 net: fec: remove QUIRK_HAS_RACC from i.mx25 According to the i.MX25 reference manual, this SoC does not have support for the receive accelerator (RACC) register at offset 0x1C4. http://www.nxp.com/files/dsp/doc/ref_manual/IMX25RM.pdf Signed-off-by: Eric Nelson Signed-off-by: David S. Miller drivers/net/ethernet/freescale/fec_main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9fb6de1b0bf4ec11573b76059da3c3b39ac7f2ff Author: Ville Ranki Date: Thu Sep 15 15:31:27 2016 -0700 Input: joydev - recognize devices with Z axis as joysticks Current implementation of joydev's input_device_id table recognizes only devices with ABS_X, ABS_WHEEL or ABS_THROTTLE axes as joysticks. There are joystick devices that do not have those axes, for example TRC Rudder device. The device in question has ABS_Z, ABS_RX and ABS_RY axes causing it not being detected as joystick. This patch adds ABS_Z to the input_device_id list allowing devices with ABS_Z axis to be detected correctly. Signed-off-by: Ville Ranki Signed-off-by: Dmitry Torokhov drivers/input/joydev.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 8d58881b995904bf8b150dae69be0829f832e7be Author: Bart Van Assche Date: Thu Sep 22 14:20:54 2016 -0700 scsi: Avoid that toggling use_blk_mq triggers a memory leak This patch avoids that the following memory leak is triggered if use_blk_mq is disabled after a SCSI host has been allocated by the ib_srp driver and before the same SCSI host is freed: unreferenced object 0xffff8803a168c568 (size 256): backtrace: [] kmemleak_alloc+0x45/0xa0 [] __kmalloc_node+0x1e4/0x400 [] blk_mq_alloc_tag_set+0xb4/0x230 [] scsi_mq_setup_tags+0xc7/0xd0 [] scsi_add_host_with_dma+0x216/0x2d0 [] srp_create_target+0xe55/0x13d0 [ib_srp] [] dev_attr_store+0x13/0x20 [] sysfs_kf_write+0x40/0x50 [] kernfs_fop_write+0x137/0x1c0 [] __vfs_write+0x23/0x140 [] vfs_write+0xb0/0x190 [] SyS_write+0x44/0xa0 [] entry_SYSCALL_64_fastpath+0x18/0xa8 Fixes: 9aa9cc4221f5 ("scsi: remove the disable_blk_mq host flag") Signed-off-by: Bart Van Assche Cc: Christoph Hellwig Cc: Martin K. Petersen Cc: Reviewed-by: Christoph Hellwig Signed-off-by: Martin K. Petersen drivers/scsi/hosts.c | 2 ++ drivers/scsi/scsi.c | 1 - drivers/scsi/scsi_priv.h | 1 + include/scsi/scsi_host.h | 5 +---- 4 files changed, 4 insertions(+), 5 deletions(-) commit 2cf750704bb6d7ed8c7d732e071dd1bc890ea5e8 Author: Nikolay Aleksandrov Date: Sun Sep 25 23:08:31 2016 +0200 ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid instead of the previous dst_pid which was copied from in_skb's portid. Since the skb is new the portid is 0 at that point so the packets are sent to the kernel and we get scheduling while atomic or a deadlock (depending on where it happens) by trying to acquire rtnl two times. Also since this is RTM_GETROUTE, it can be triggered by a normal user. Here's the sleeping while atomic trace: [ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620 [ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0 [ 7858.212881] 2 locks held by swapper/0/0: [ 7858.213013] #0: (((&mrt->ipmr_expire_timer))){+.-...}, at: [] call_timer_fn+0x5/0x350 [ 7858.213422] #1: (mfc_unres_lock){+.....}, at: [] ipmr_expire_process+0x25/0x130 [ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179 [ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 7858.214108] 0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000 [ 7858.214412] ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e [ 7858.214716] 000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f [ 7858.215251] Call Trace: [ 7858.215412] [] dump_stack+0x85/0xc1 [ 7858.215662] [] ___might_sleep+0x192/0x250 [ 7858.215868] [] __might_sleep+0x6f/0x100 [ 7858.216072] [] mutex_lock_nested+0x33/0x4d0 [ 7858.216279] [] ? netlink_lookup+0x25f/0x460 [ 7858.216487] [] rtnetlink_rcv+0x1b/0x40 [ 7858.216687] [] netlink_unicast+0x19c/0x260 [ 7858.216900] [] rtnl_unicast+0x20/0x30 [ 7858.217128] [] ipmr_destroy_unres+0xa9/0xf0 [ 7858.217351] [] ipmr_expire_process+0x8f/0x130 [ 7858.217581] [] ? ipmr_net_init+0x180/0x180 [ 7858.217785] [] ? ipmr_net_init+0x180/0x180 [ 7858.217990] [] call_timer_fn+0xa5/0x350 [ 7858.218192] [] ? call_timer_fn+0x5/0x350 [ 7858.218415] [] ? ipmr_net_init+0x180/0x180 [ 7858.218656] [] run_timer_softirq+0x260/0x640 [ 7858.218865] [] ? __do_softirq+0xbb/0x54f [ 7858.219068] [] __do_softirq+0xe8/0x54f [ 7858.219269] [] irq_exit+0xb8/0xc0 [ 7858.219463] [] smp_apic_timer_interrupt+0x42/0x50 [ 7858.219678] [] apic_timer_interrupt+0x8c/0xa0 [ 7858.219897] [] ? native_safe_halt+0x6/0x10 [ 7858.220165] [] ? trace_hardirqs_on+0xd/0x10 [ 7858.220373] [] default_idle+0x23/0x190 [ 7858.220574] [] arch_cpu_idle+0xf/0x20 [ 7858.220790] [] default_idle_call+0x4c/0x60 [ 7858.221016] [] cpu_startup_entry+0x39b/0x4d0 [ 7858.221257] [] rest_init+0x135/0x140 [ 7858.221469] [] start_kernel+0x50e/0x51b [ 7858.221670] [] ? early_idt_handler_array+0x120/0x120 [ 7858.221894] [] x86_64_start_reservations+0x2a/0x2c [ 7858.222113] [] x86_64_start_kernel+0x13b/0x14a Fixes: 2942e9005056 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller include/linux/mroute.h | 2 +- include/linux/mroute6.h | 2 +- net/ipv4/ipmr.c | 3 ++- net/ipv4/route.c | 3 ++- net/ipv6/ip6mr.c | 5 +++-- net/ipv6/route.c | 4 +++- 6 files changed, 12 insertions(+), 7 deletions(-) commit 08895a8b6b06ed2323cd97a36ee40a116b3db8ed Author: Linus Torvalds Date: Sun Sep 25 18:47:13 2016 -0700 Linux 4.8-rc8 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4c04b4b534cbe8c0cc0661e232bbb9708e212bc2 Merge: 90b75db 1ae2293 Author: Linus Torvalds Date: Sun Sep 25 18:40:13 2016 -0700 Merge tag 'trace-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracefs fixes from Steven Rostedt: "Al Viro has been looking at the tracefs code, and has pointed out some issues. This contains one fix by me and one by Al. I'm sure that he'll come up with more but for now I tested these patches and they don't appear to have any negative impact on tracing" * tag 'trace-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: fix memory leaks in tracing_buffers_splice_read() tracing: Move mutex to protect against resetting of seq data commit 90b75db6498a19da96dac4b55c909ff3721f3045 Author: Dave Chinner Date: Mon Sep 26 09:57:33 2016 +1000 fault_in_multipages_readable() throws set-but-unused error When building XFS with -Werror, it now fails with: include/linux/pagemap.h: In function 'fault_in_multipages_readable': include/linux/pagemap.h:602:16: error: variable 'c' set but not used [-Werror=unused-but-set-variable] volatile char c; ^ This is a regression caused by commit e23d4159b109 ("fix fault_in_multipages_...() on architectures with no-op access_ok()"). Fix it by re-adding the "(void)c" trick taht was previously used to make the compiler think the variable is used. Signed-off-by: Dave Chinner Cc: Al Viro Signed-off-by: Linus Torvalds include/linux/pagemap.h | 1 + 1 file changed, 1 insertion(+) commit 38e088546522e1e86d2b8f401a1354ad3a9b3303 Author: Lorenzo Stoakes Date: Sun Sep 11 23:54:25 2016 +0100 mm: check VMA flags to avoid invalid PROT_NONE NUMA balancing The NUMA balancing logic uses an arch-specific PROT_NONE page table flag defined by pte_protnone() or pmd_protnone() to mark PTEs or huge page PMDs respectively as requiring balancing upon a subsequent page fault. User-defined PROT_NONE memory regions which also have this flag set will not normally invoke the NUMA balancing code as do_page_fault() will send a segfault to the process before handle_mm_fault() is even called. However if access_remote_vm() is invoked to access a PROT_NONE region of memory, handle_mm_fault() is called via faultin_page() and __get_user_pages() without any access checks being performed, meaning the NUMA balancing logic is incorrectly invoked on a non-NUMA memory region. A simple means of triggering this problem is to access PROT_NONE mmap'd memory using /proc/self/mem which reliably results in the NUMA handling functions being invoked when CONFIG_NUMA_BALANCING is set. This issue was reported in bugzilla (issue 99101) which includes some simple repro code. There are BUG_ON() checks in do_numa_page() and do_huge_pmd_numa_page() added at commit c0e7cad to avoid accidentally provoking strange behaviour by attempting to apply NUMA balancing to pages that are in fact PROT_NONE. The BUG_ON()'s are consistently triggered by the repro. This patch moves the PROT_NONE check into mm/memory.c rather than invoking BUG_ON() as faulting in these pages via faultin_page() is a valid reason for reaching the NUMA check with the PROT_NONE page table flag set and is therefore not always a bug. Link: https://bugzilla.kernel.org/show_bug.cgi?id=99101 Reported-by: Trevor Saunders Signed-off-by: Lorenzo Stoakes Acked-by: Rik van Riel Cc: Andrew Morton Cc: Mel Gorman Signed-off-by: Linus Torvalds mm/huge_memory.c | 3 --- mm/memory.c | 12 +++++++----- 2 files changed, 7 insertions(+), 8 deletions(-) commit 831e45d84a971495c882bc186d98bbb825b2ee59 Merge: 751b9a5 116e711 Author: Linus Torvalds Date: Sun Sep 25 13:59:52 2016 -0700 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus Pull MIPS fixes from Ralf Baechle: "A round of 4.8 fixes: MIPS generic code: - Add a missing ".set pop" in an early commit - Fix memory regions reaching top of physical - MAAR: Fix address alignment - vDSO: Fix Malta EVA mapping to vDSO page structs - uprobes: fix incorrect uprobe brk handling - uprobes: select HAVE_REGS_AND_STACK_ACCESS_API - Avoid a BUG warning during PR_SET_FP_MODE prctl - SMP: Fix possibility of deadlock when bringing CPUs online - R6: Remove compact branch policy Kconfig entries - Fix size calc when avoiding IPIs for small icache flushes - Fix pre-r6 emulation FPU initialisation - Fix delay slot emulation count in debugfs ATH79: - Fix test for error return of clk_register_fixed_factor. Octeon: - Fix kernel header to work for VDSO build. - Fix initialization of platform device probing. paravirt: - Fix undefined reference to smp_bootstrap" * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: MIPS: Fix delay slot emulation count in debugfs MIPS: SMP: Fix possibility of deadlock when bringing CPUs online MIPS: Fix pre-r6 emulation FPU initialisation MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs MIPS: Select HAVE_REGS_AND_STACK_ACCESS_API MIPS: Octeon: Fix platform bus probing MIPS: Octeon: mangle-port: fix build failure with VDSO code MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) MIPS: c-r4k: Fix size calc when avoiding IPIs for small icache flushes MIPS: Add a missing ".set pop" in an early commit MIPS: paravirt: Fix undefined reference to smp_bootstrap MIPS: Remove compact branch policy Kconfig entries MIPS: MAAR: Fix address alignment MIPS: Fix memory regions reaching top of physical MIPS: uprobes: fix incorrect uprobe brk handling MIPS: ath79: Fix test for error return of clk_register_fixed_factor(). commit 751b9a5d16cf318d715b0e6c7f3631d8185143ee Merge: 8d2c0d3 b79331a Author: Linus Torvalds Date: Sun Sep 25 13:52:59 2016 -0700 Merge tag 'powerpc-4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull one more powerpc fix from Michael Ellerman: "powernv/pci: Fix m64 checks for SR-IOV and window alignment from Russell Currey" * tag 'powerpc-4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv/pci: Fix m64 checks for SR-IOV and window alignment commit 8d2c0d36d6826ddc3114801c599619d3f2932f0a Author: Linus Torvalds Date: Sun Sep 25 13:32:46 2016 -0700 radix tree: fix sibling entry handling in radix_tree_descend() The fixes to the radix tree test suite show that the multi-order case is broken. The basic reason is that the radix tree code uses tagged pointers with the "internal" bit in the low bits, and calculating the pointer indices was supposed to mask off those bits. But gcc will notice that we then use the index to re-create the pointer, and will avoid doing the arithmetic and use the tagged pointer directly. This cleans the code up, using the existing is_sibling_entry() helper to validate the sibling pointer range (instead of open-coding it), and using entry_to_node() to mask off the low tag bit from the pointer. And once you do that, you might as well just use the now cleaned-up pointer directly. [ Side note: the multi-order code isn't actually ever used in the kernel right now, and the only reason I didn't just delete all that code is that Kirill Shutemov piped up and said: "Well, my ext4-with-huge-pages patchset[1] uses multi-order entries. It also converts shmem-with-huge-pages and hugetlb to them. I'm okay with converting it to other mechanism, but I need something. (I looked into Konstantin's RFC patchset[2]. It looks okay, but I don't feel myself qualified to review it as I don't know much about radix-tree internals.)" [1] http://lkml.kernel.org/r/20160915115523.29737-1-kirill.shutemov@linux.intel.com [2] http://lkml.kernel.org/r/147230727479.9957.1087787722571077339.stgit@zurg ] Reported-by: Matthew Wilcox Cc: Andrew Morton Cc: Ross Zwisler Cc: Johannes Weiner Cc: Kirill A. Shutemov Cc: Konstantin Khlebnikov Cc: Cedric Blancher Signed-off-by: Linus Torvalds lib/radix-tree.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 62fd5258ebe3ea240371234955a6e2cc99e0b6c3 Author: Matthew Wilcox Date: Thu Sep 22 11:53:34 2016 -0700 radix tree test suite: Test radix_tree_replace_slot() for multiorder entries When we replace a multiorder entry, check that all indices reflect the new value. Also, compile the test suite with -O2, which shows other problems with the code due to some dodgy pointer operations in the radix tree code. Signed-off-by: Matthew Wilcox Signed-off-by: Linus Torvalds tools/testing/radix-tree/Makefile | 2 +- tools/testing/radix-tree/multiorder.c | 16 ++++++++++++---- 2 files changed, 13 insertions(+), 5 deletions(-) commit 1ae2293dd6d2f5c823cf97e60b70d03631cd622f Author: Al Viro Date: Sat Sep 17 18:31:46 2016 -0400 fix memory leaks in tracing_buffers_splice_read() Cc: stable@vger.kernel.org Signed-off-by: Al Viro kernel/trace/trace.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit 1245800c0f96eb6ebb368593e251d66c01e61022 Author: Steven Rostedt (Red Hat) Date: Fri Sep 23 22:57:13 2016 -0400 tracing: Move mutex to protect against resetting of seq data The iter->seq can be reset outside the protection of the mutex. So can reading of user data. Move the mutex up to the beginning of the function. Fixes: d7350c3f45694 ("tracing/core: make the read callbacks reentrants") Cc: stable@vger.kernel.org # 2.6.30+ Reported-by: Al Viro Signed-off-by: Steven Rostedt kernel/trace/trace.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit 116e7111c8e3cc65ceef9664741bd593483e9517 Author: Paul Burton Date: Thu Sep 22 15:47:40 2016 +0100 MIPS: Fix delay slot emulation count in debugfs Commit 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions") accidentally removed use of the MIPS_FPU_EMU_INC_STATS macro from do_dsemulret, leading to the ds_emul file in debugfs always returning zero even though we perform delay slot emulations. Fix this by re-adding the use of the MIPS_FPU_EMU_INC_STATS macro. Signed-off-by: Paul Burton Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions") Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14301/ Signed-off-by: Ralf Baechle arch/mips/math-emu/dsemul.c | 1 + 1 file changed, 1 insertion(+) commit 8f46cca1e6c06a058374816887059bcc017b382f Author: Matt Redfearn Date: Thu Sep 22 17:15:47 2016 +0100 MIPS: SMP: Fix possibility of deadlock when bringing CPUs online This patch fixes the possibility of a deadlock when bringing up secondary CPUs. The deadlock occurs because the set_cpu_online() is called before synchronise_count_slave(). This can cause a deadlock if the boot CPU, having scheduled another thread, attempts to send an IPI to the secondary CPU, which it sees has been marked online. The secondary is blocked in synchronise_count_slave() waiting for the boot CPU to enter synchronise_count_master(), but the boot cpu is blocked in smp_call_function_many() waiting for the secondary to respond to it's IPI request. Fix this by marking the CPU online in cpu_callin_map and synchronising counters before declaring the CPU online and calculating the maps for IPIs. Signed-off-by: Matt Redfearn Reported-by: Justin Chen Tested-by: Justin Chen Cc: Florian Fainelli Cc: stable@vger.kernel.org # v4.1+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14302/ Signed-off-by: Ralf Baechle arch/mips/kernel/smp.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 9c0e28a7be656d737fb18998e2dcb0b8ce595643 Merge: 2507c85 3bf6215 Author: Linus Torvalds Date: Sat Sep 24 12:44:28 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "Three fixlets for perf: - add a missing NULL pointer check in the intel BTS driver - make BTS an exclusive PMU because BTS can only handle one event at a time - ensure that exclusive events are limited to one PMU so that several exclusive events can be scheduled on different PMU instances" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Limit matching exclusive events to one PMU perf/x86/intel/bts: Make it an exclusive PMU perf/x86/intel/bts: Make sure debug store is valid commit 2507c856620cc7474e6101b0a05f82ac0ae5bf69 Merge: 709b8f6 96b03ab Author: Linus Torvalds Date: Sat Sep 24 12:41:19 2016 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Thomas Gleixner: "Two smallish fixes: - use the proper asm constraint in the Super-H atomic_fetch_ops - a trivial typo fix in the Kconfig help text" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/hung_task: Fix typo in CONFIG_DETECT_HUNG_TASK help text locking/atomic, arch/sh: Fix ATOMIC_FETCH_OP() commit 709b8f67d72078cbbd166aaecd2d0f48d1d1560c Merge: 4b8b0ff 7597cdc Author: Linus Torvalds Date: Sat Sep 24 12:35:26 2016 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Thomas Gleixner: "Two fixes for EFI/PAT: - a 32bit overflow bug in the PAT code which was unearthed by the large EFI mappings - prevent a boot hang on large systems when EFI mixed mode is enabled but not used" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/efi: Only map RAM into EFI page tables if in mixed-mode x86/mm/pat: Prevent hang during boot when mapping pages commit 4b8b0ff60f1d6553914a5fc17f16f9aa38a2036e Merge: 0f26574 e875bd6 Author: Linus Torvalds Date: Sat Sep 24 12:30:12 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "Three fixes for irq core and irq chip drivers: - Do not set the irq type if type is NONE. Fixes a boot regression on various SoCs - Use the proper cpu for setting up the GIC target list. Discovered by the cpumask debugging code. - A rather large fix for the MIPS-GIC so per cpu local interrupts work again. This was discovered late because the code falls back to slower timers which use normal device interrupts" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/mips-gic: Fix local interrupts irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning genirq: Skip chained interrupt trigger setup if type is IRQ_TYPE_NONE commit 595c73071e6641e59b83911fbb4026e767471000 Author: Dan Williams Date: Fri Sep 23 17:53:52 2016 -0700 libnvdimm, region: fix flush hint table thinko The definition of the flush hint table as: void __iomem *flush_wpq[0][0]; ...passed the unit test, but is broken as flush_wpq[0][1] and flush_wpq[1][0] refer to the same entry. Fix this to use a helper that calculates a slot in the table based on the geometry of flush hints in the region. This is important to get right since virtualization solutions use this mechanism to trigger hypervisor flushes to platform persistence. Reported-by: Dave Jiang Tested-by: Dave Jiang Signed-off-by: Dan Williams drivers/nvdimm/nd.h | 22 ++++++++++++++++++++-- drivers/nvdimm/region_devs.c | 20 ++++++++++++-------- 2 files changed, 32 insertions(+), 10 deletions(-) commit 0f26574178f6c698e5d76e66ca68a95cc35eef9f Merge: bd5dbcb b385d21 Author: Linus Torvalds Date: Sat Sep 24 11:31:45 2016 -0700 Merge branch 'hughd-fixes' (patches from Hugh Dickins) Merge VM fixes from High Dickins: "I get the impression that Andrew is away or busy at the moment, so I'm going to send you three independent uncontroversial little mm fixes directly - though none is strictly a 4.8 regression fix. - shmem: fix tmpfs to handle the huge= option properly from Toshi Kani is a one-liner to fix a major embarrassment in 4.8's hugepages on tmpfs feature: although Hillf pointed it out in June, somehow both Kirill and I repeatedly dropped the ball on this one. You might wonder if the feature got tested at all with that bug in: yes, it did, but for wider testing coverage, Kirill and I had each relied too much on an override which bypasses that condition. - huge tmpfs: fix Committed_AS leak just a run-of-the-mill accounting fix in the same feature. - mm: delete unnecessary and unsafe init_tlb_ubc() is an unrelated fix to 4.3's TLB flush batching in reclaim: the bug would be rare, and none of us will be shamed if this one misses 4.8; but it got such a quick ack from Mel today that I'm inclined to offer it along with the first two" * emailed patches from Hugh Dickins : mm: delete unnecessary and unsafe init_tlb_ubc() huge tmpfs: fix Committed_AS leak shmem: fix tmpfs to handle the huge= option properly commit b385d21f27d86426472f6ae92a231095f7de2a8d Author: Hugh Dickins Date: Fri Sep 23 20:27:04 2016 -0700 mm: delete unnecessary and unsafe init_tlb_ubc() init_tlb_ubc() looked unnecessary to me: tlb_ubc is statically initialized with zeroes in the init_task, and copied from parent to child while it is quiescent in arch_dup_task_struct(); so I went to delete it. But inserted temporary debug WARN_ONs in place of init_tlb_ubc() to check that it was always empty at that point, and found them firing: because memcg reclaim can recurse into global reclaim (when allocating biosets for swapout in my case), and arrive back at the init_tlb_ubc() in shrink_node_memcg(). Resetting tlb_ubc.flush_required at that point is wrong: if the upper level needs a deferred TLB flush, but the lower level turns out not to, we miss a TLB flush. But fortunately, that's the only part of the protocol that does not nest: with the initialization removed, cpumask collects bits from upper and lower levels, and flushes TLB when needed. Fixes: 72b252aed506 ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages") Signed-off-by: Hugh Dickins Acked-by: Mel Gorman Cc: stable@vger.kernel.org # 4.3+ Signed-off-by: Linus Torvalds mm/vmscan.c | 19 ------------------- 1 file changed, 19 deletions(-) commit 71664665c3e3ca5ff61ef5fc65480f82cd575eb2 Author: Hugh Dickins Date: Fri Sep 23 20:24:23 2016 -0700 huge tmpfs: fix Committed_AS leak Under swapping load on huge tmpfs, /proc/meminfo's Committed_AS grows bigger and bigger: just a cosmetic issue for most users, but disabling for those who run without overcommit (/proc/sys/vm/overcommit_memory 2). shmem_uncharge() was forgetting to unaccount __vm_enough_memory's charge, and shmem_charge() was forgetting it on the filesystem-full error path. Fixes: 800d8c63b2e9 ("shmem: add huge pages support") Signed-off-by: Hugh Dickins Acked-by: Kirill A. Shutemov Signed-off-by: Linus Torvalds mm/shmem.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3089bf614c7e2fd441ee001e3ff3d18326f6f091 Author: Toshi Kani Date: Fri Sep 23 20:21:56 2016 -0700 shmem: fix tmpfs to handle the huge= option properly shmem_get_unmapped_area() checks SHMEM_SB(sb)->huge incorrectly, which leads to a reversed effect of "huge=" mount option. Fix the check in shmem_get_unmapped_area(). Note, the default value of SHMEM_SB(sb)->huge remains as SHMEM_HUGE_NEVER. User will need to specify "huge=" option to enable huge page mappings. Reported-by: Hillf Danton Signed-off-by: Toshi Kani Acked-by: Kirill A. Shutemov Reviewed-by: Aneesh Kumar K.V Signed-off-by: Hugh Dickins Signed-off-by: Linus Torvalds mm/shmem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit db32e4e49ce2b0e5fcc17803d011a401c0a637f6 Author: Lance Richardson Date: Fri Sep 23 15:50:29 2016 -0400 ip6_gre: fix flowi6_proto value in ip6gre_xmit_other() Similar to commit 3be07244b733 ("ip6_gre: fix flowi6_proto value in xmit path"), set flowi6_proto to IPPROTO_GRE for output route lookup. Up until now, ip6gre_xmit_other() has set flowi6_proto to a bogus value. This affected output route lookup for packets sent on an ip6gretap device in cases where routing was dependent on the value of flowi6_proto. Since the correct proto is already set in the tunnel flowi6 template via commit 252f3f5a1189 ("ip6_gre: Set flowi6_proto as IPPROTO_GRE in xmit path."), simply delete the line setting the incorrect flowi6_proto value. Suggested-by: Jiri Benc Fixes: c12b395a4664 ("gre: Support GRE over IPv6") Reviewed-by: Shmulik Ladkani Signed-off-by: Lance Richardson Signed-off-by: David S. Miller net/ipv6/ip6_gre.c | 1 - 1 file changed, 1 deletion(-) commit bd5dbcb4be37ce97b115bf9e8d48ae75f0d8a9a2 Merge: d0c1d15 331dcf4 Author: Linus Torvalds Date: Fri Sep 23 16:44:12 2016 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Three driver bugfixes: fixing uninitialized memory pointers (eg20t), pm/clock imbalance (qup), and a wrongly set cached variable (pc954x)" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended i2c: mux: pca954x: retry updating the mux selection on failure i2c-eg20t: fix race between i2c init and interrupt enable commit d0c1d15f5ed7f028d2c284b7fed7e73575d9c24d Merge: 4ee6986 4af2ff9 Author: Linus Torvalds Date: Fri Sep 23 16:34:24 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input updates from Dmitry Torokhov: "Just a fix up for the firmware handling to the Silead driver (which is a new driver in this release)" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: silead_gsl1680 - use "silead/" prefix for firmware loading Input: silead_gsl1680 - document firmware-name, fix implementation commit 4ee69866258620b105d06ae07da3bbe9fdb1699a Merge: b22734a c8712c6 Author: Linus Torvalds Date: Fri Sep 23 16:24:36 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Three fixes, two regressions and one that poses a problem in blk-mq with the new nvmef code" * 'for-linus' of git://git.kernel.dk/linux-block: blk-mq: skip unmapped queues in blk_mq_alloc_request_hctx nvme-rdma: only clear queue flags after successful connect blk-throttle: Extend slice if throttle group is not empty commit 9157056da8f8c4a6305f15619e269f164b63a6de Author: Tejun Heo Date: Fri Sep 23 16:55:49 2016 -0400 cgroup: fix invalid controller enable rejections with cgroup namespace On the v2 hierarchy, "cgroup.subtree_control" rejects controller enables if the cgroup has processes in it. The enforcement of this logic assumes that the cgroup wouldn't have any css_sets associated with it if there are no tasks in the cgroup, which is no longer true since a79a908fd2b0 ("cgroup: introduce cgroup namespaces"). When a cgroup namespace is created, it pins the css_set of the creating task to use it as the root css_set of the namespace. This extra reference stays as long as the namespace is around and makes "cgroup.subtree_control" think that the namespace root cgroup is not empty even when it is and thus reject controller enables. Fix it by making cgroup_subtree_control() walk and test emptiness of each css_set instead of testing whether the list_head is empty. While at it, update the comment of cgroup_task_count() to indicate that the returned value may be higher than the number of tasks, which has always been true due to temporary references and doesn't break anything. Signed-off-by: Tejun Heo Reported-by: Evgeny Vereshchagin Cc: Serge E. Hallyn Cc: Aditya Kali Cc: Eric W. Biederman Cc: stable@vger.kernel.org # v4.6+ Fixes: a79a908fd2b0 ("cgroup: introduce cgroup namespaces") Link: https://github.com/systemd/systemd/pull/3589#issuecomment-249089541 kernel/cgroup.c | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) commit b22734a55067adbc10216e459762dbd7dcef29d5 Merge: 78bbf15 325c50e Author: Linus Torvalds Date: Fri Sep 23 13:39:37 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "Josef fixed a problem when quotas are enabled with his latest ENOSPC rework, and Jeff added more checks into the subvol ioctls to avoid tripping up lookup_one_len" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: ensure that file descriptor used with subvol ioctls is a dir Btrfs: handle quota reserve failure properly commit 78bbf153fa96e5e40234b7b05567602535645460 Merge: 2ddfdd4 f0aa1ce Author: Linus Torvalds Date: Fri Sep 23 11:50:49 2016 -0700 Merge tag 'regmap-fix-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fix from Mark Brown: "A fix for an issue with double locking that was introduced earlier this release. I'd missed in review that we were already in a locked region when trying to drop part of the cache" * tag 'regmap-fix-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: fix deadlock on _regmap_raw_write() error path commit 2ddfdd428906749e45a6b765712d1c68e5daa723 Merge: 7d188ba 0cf43f5 Author: Linus Torvalds Date: Fri Sep 23 11:28:04 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a regression in RSA that was only half-fixed earlier in the cycle. It also fixes an older regression that breaks the keyring subsystem" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: rsa-pkcs1pad - Handle leading zero for decryption KEYS: Fix skcipher IV clobbering commit 7d188bad6667bd94325201096eebd6fa33cfb469 Merge: d9d1ffe 67787b6 Author: Linus Torvalds Date: Fri Sep 23 11:24:42 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: "A couple of last-minute arm64 fixes for 4.8: - Fix secondary CPU to NUMA node assignment - Fix kgdb breakpoint insertion in read-only text sections (when CONFIG_DEBUG_RODATA or CONFIG_DEBUG_SET_MODULE_RONX are enabled)" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kgdb: handle read-only text / modules arm64: Call numa_store_cpu_info() earlier. commit d9d1ffe00b90c0dab8b8d759fb41437290686f7e Merge: e7c5412 38178e7 Author: Linus Torvalds Date: Fri Sep 23 11:15:00 2016 -0700 Merge tag 'tags/nand-fixes-for-4.8-rc8' of git://git.infradead.org/linux-ubifs Pull MTD fixes from Richard Weinberger: "NAND Fixes for 4.8-rc8. This contains fixes for bugs which got introduced in -rc1. Usually Brian takes NAND patches from Boris, but since Brian is very busy these days with other stuff and Boris is not yet member of the kernel.org web of trust I stepped in. Boris will be in Berlin at ELCE, I'll sign his key and hopefully other Kernel developers too such that he can issue his own pull requests soon. Summary: - Fix a wrong OOB layout definition in the mxc driver - Fix incorrect ECC handling in the mtk driver" * tag 'tags/nand-fixes-for-4.8-rc8' of git://git.infradead.org/linux-ubifs: mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions mtd: nand: fix chances to create incomplete ECC data when writing mtd: nand: fix generating over-boundary ECC data when writing commit e7c5412f77ac41ff14873f445bce0db4fef5890c Merge: e47f2e5 005d675 Author: Linus Torvalds Date: Fri Sep 23 11:10:53 2016 -0700 Merge tag 'mmc-v4.8-rc7' of git://git.linaro.org/people/ulf.hansson/mmc Pull MMC fix from Ulf Hansson: "MMC host: - dw_mmc: fix the spamming log message" * tag 'mmc-v4.8-rc7' of git://git.linaro.org/people/ulf.hansson/mmc: mmc: dw_mmc: fix the spamming log message commit e47f2e50ead9dd9eb10b2626d739760e71ce6d43 Merge: b1f2beb 42857cf Author: Linus Torvalds Date: Fri Sep 23 09:45:15 2016 -0700 Merge tag 'configfs-for-4.8-2' of git://git.infradead.org/users/hch/configfs Pull configfs fix from Christoph Hellwig: "One more trivial fix for the binary attribute code from Phil Turnbull" * tag 'configfs-for-4.8-2' of git://git.infradead.org/users/hch/configfs: configfs: Return -EFBIG from configfs_write_bin_file. commit c8712c6a674e3382fe4d26d108251ccfa55d08e0 Author: Christoph Hellwig Date: Fri Sep 23 10:25:48 2016 -0600 blk-mq: skip unmapped queues in blk_mq_alloc_request_hctx This provides the caller a feedback that a given hctx is not mapped and thus no command can be sent on it. Signed-off-by: Christoph Hellwig Tested-by: Steve Wise Signed-off-by: Jens Axboe block/blk-mq.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) commit 7e956304eb8a285304a78582e4537e72c6365f20 Author: Paul Burton Date: Fri Sep 23 15:13:53 2016 +0100 MIPS: Fix pre-r6 emulation FPU initialisation In the mipsr2_decoder() function, used to emulate pre-MIPSr6 instructions that were removed in MIPSr6, the init_fpu() function is called if a removed pre-MIPSr6 floating point instruction is the first floating point instruction used by the task. However, init_fpu() performs varous actions that rely upon not being migrated. For example in the most basic case it sets the coprocessor 0 Status.CU1 bit to enable the FPU & then loads FP register context into the FPU registers. If the task were to migrate during this time, it may end up attempting to load FP register context on a different CPU where it hasn't set the CU1 bit, leading to errors such as: do_cpu invoked from kernel context![#2]: CPU: 2 PID: 7338 Comm: fp-prctl Tainted: G D 4.7.0-00424-g49b0c82 #2 task: 838e4000 ti: 88d38000 task.ti: 88d38000 $ 0 : 00000000 00000001 ffffffff 88d3fef8 $ 4 : 838e4000 88d38004 00000000 00000001 $ 8 : 3400fc01 801f8020 808e9100 24000000 $12 : dbffffff 807b69d8 807b0000 00000000 $16 : 00000000 80786150 00400fc4 809c0398 $20 : 809c0338 0040273c 88d3ff28 808e9d30 $24 : 808e9d30 00400fb4 $28 : 88d38000 88d3fe88 00000000 8011a2ac Hi : 0040273c Lo : 88d3ff28 epc : 80114178 _restore_fp+0x10/0xa0 ra : 8011a2ac mipsr2_decoder+0xd5c/0x1660 Status: 1400fc03 KERNEL EXL IE Cause : 1080002c (ExcCode 0b) PrId : 0001a920 (MIPS I6400) Modules linked in: Process fp-prctl (pid: 7338, threadinfo=88d38000, task=838e4000, tls=766527d0) Stack : 00000000 00000000 00000000 88d3fe98 00000000 00000000 809c0398 809c0338 808e9100 00000000 88d3ff28 00400fc4 00400fc4 0040273c 7fb69e18 004a0000 004a0000 004a0000 7664add0 8010de18 00000000 00000000 88d3fef8 88d3ff28 808e9100 00000000 766527d0 8010e534 000c0000 85755000 8181d580 00000000 00000000 00000000 004a0000 00000000 766527d0 7fb69e18 004a0000 80105c20 ... Call Trace: [<80114178>] _restore_fp+0x10/0xa0 [<8011a2ac>] mipsr2_decoder+0xd5c/0x1660 [<8010de18>] do_ri+0x90/0x6b8 [<80105c20>] ret_from_exception+0x0/0x10 Fix this by disabling preemption around the call to init_fpu(), ensuring that it starts & completes on one CPU. Signed-off-by: Paul Burton Fixes: b0a668fb2038 ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6") Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # v4.0+ Patchwork: https://patchwork.linux-mips.org/patch/14305/ Signed-off-by: Ralf Baechle arch/mips/kernel/mips-r2-to-r6-emul.c | 2 ++ 1 file changed, 2 insertions(+) commit 019b1c9fe32a2a32c1153e31375f87ec3e591273 Author: Eric Dumazet Date: Thu Sep 22 17:54:00 2016 -0700 tcp: fix a compile error in DBGUNDO() If DBGUNDO() is enabled (FASTRETRANS_DEBUG > 1), a compile error will happen, since inet6_sk(sk)->daddr became sk->sk_v6_daddr Fixes: efe4208f47f9 ("ipv6: make lookups simpler and faster") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_input.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 2fe664f1fcf7c4da6891f95708a7a56d3c024354 Author: Douglas Caetano dos Santos Date: Thu Sep 22 15:52:04 2016 -0300 tcp: fix wrong checksum calculation on MTU probing With TCP MTU probing enabled and offload TX checksumming disabled, tcp_mtu_probe() calculated the wrong checksum when a fragment being copied into the probe's SKB had an odd length. This was caused by the direct use of skb_copy_and_csum_bits() to calculate the checksum, as it pads the fragment being copied, if needed. When this fragment was not the last, a subsequent call used the previous checksum without considering this padding. The effect was a stale connection in one way, as even retransmissions wouldn't solve the problem, because the checksum was never recalculated for the full SKB length. Signed-off-by: Douglas Caetano dos Santos Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit f44ace4d06aab8210d29c731f70b657a7524198b Merge: 3d4357f 9abefcb Author: David S. Miller Date: Fri Sep 23 07:13:55 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160922' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-22 this is a pull request of one patch for the upcoming linux-4.8 release. The patch by Sergei Miroshnichenko fixes a potential deadlock in the generic CAN device code that cann occour after a bus-off. ==================== Signed-off-by: David S. Miller commit 3d4357fba82b3cf19ebf0a04d1c9cb086af15d02 Author: WANG Cong Date: Sun Sep 18 16:22:48 2016 -0700 sch_sfb: keep backlog updated with qlen Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/sch_sfb.c | 3 +++ 1 file changed, 3 insertions(+) commit 2ed5c3f09627f72a2e0e407a86b2ac05494190f9 Author: WANG Cong Date: Sun Sep 18 16:22:47 2016 -0700 sch_qfq: keep backlog updated with qlen Reported-by: Stas Nichiporovich Fixes: 2ccccf5fb43f ("net_sched: update hierarchical backlog too") Cc: Jamal Hadi Salim Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller net/sched/sch_qfq.c | 3 +++ 1 file changed, 3 insertions(+) commit 67787b68ec48c239d5ec12f9bf5adaf5c459517a Author: AKASHI Takahiro Date: Fri Sep 23 16:42:08 2016 +0900 arm64: kgdb: handle read-only text / modules Handle read-only cases when CONFIG_DEBUG_RODATA (4.0) or CONFIG_DEBUG_SET_MODULE_RONX (3.18) are enabled by using aarch64_insn_write() instead of probe_kernel_write() as introduced by commit 2f896d586610 ("arm64: use fixmap for text patching") in 4.0. Fixes: 11d91a770f1f ("arm64: Add CONFIG_DEBUG_SET_MODULE_RONX support") Signed-off-by: AKASHI Takahiro Reviewed-by: Mark Rutland Cc: Will Deacon Cc: Jason Wessel Signed-off-by: Catalin Marinas arch/arm64/include/asm/debug-monitors.h | 2 -- arch/arm64/kernel/kgdb.c | 36 ++++++++++++++++++++++----------- 2 files changed, 24 insertions(+), 14 deletions(-) commit c18df0adabf8400c1825b90382d06df5edc303fa Author: David Daney Date: Tue Sep 20 11:46:35 2016 -0700 arm64: Call numa_store_cpu_info() earlier. The wq_numa_init() function makes a private CPU to node map by calling cpu_to_node() early in the boot process, before the non-boot CPUs are brought online. Since the default implementation of cpu_to_node() returns zero for CPUs that have never been brought online, the workqueue system's view is that *all* CPUs are on node zero. When the unbound workqueue for a non-zero node is created, the tsk_cpus_allowed() for the worker threads is the empty set because there are, in the view of the workqueue system, no CPUs on non-zero nodes. The code in try_to_wake_up() using this empty cpumask ends up using the cpumask empty set value of NR_CPUS as an index into the per-CPU area pointer array, and gets garbage as it is one past the end of the array. This results in: [ 0.881970] Unable to handle kernel paging request at virtual address fffffb1008b926a4 [ 1.970095] pgd = fffffc00094b0000 [ 1.973530] [fffffb1008b926a4] *pgd=0000000000000000, *pud=0000000000000000, *pmd=0000000000000000 [ 1.982610] Internal error: Oops: 96000004 [#1] SMP [ 1.987541] Modules linked in: [ 1.990631] CPU: 48 PID: 295 Comm: cpuhp/48 Tainted: G W 4.8.0-rc6-preempt-vol+ #9 [ 1.999435] Hardware name: Cavium ThunderX CN88XX board (DT) [ 2.005159] task: fffffe0fe89cc300 task.stack: fffffe0fe8b8c000 [ 2.011158] PC is at try_to_wake_up+0x194/0x34c [ 2.015737] LR is at try_to_wake_up+0x150/0x34c [ 2.020318] pc : [] lr : [] pstate: 600000c5 [ 2.027803] sp : fffffe0fe8b8fb10 [ 2.031149] x29: fffffe0fe8b8fb10 x28: 0000000000000000 [ 2.036522] x27: fffffc0008c63bc8 x26: 0000000000001000 [ 2.041896] x25: fffffc0008c63c80 x24: fffffc0008bfb200 [ 2.047270] x23: 00000000000000c0 x22: 0000000000000004 [ 2.052642] x21: fffffe0fe89d25bc x20: 0000000000001000 [ 2.058014] x19: fffffe0fe89d1d00 x18: 0000000000000000 [ 2.063386] x17: 0000000000000000 x16: 0000000000000000 [ 2.068760] x15: 0000000000000018 x14: 0000000000000000 [ 2.074133] x13: 0000000000000000 x12: 0000000000000000 [ 2.079505] x11: 0000000000000000 x10: 0000000000000000 [ 2.084879] x9 : 0000000000000000 x8 : 0000000000000000 [ 2.090251] x7 : 0000000000000040 x6 : 0000000000000000 [ 2.095621] x5 : ffffffffffffffff x4 : 0000000000000000 [ 2.100991] x3 : 0000000000000000 x2 : 0000000000000000 [ 2.106364] x1 : fffffc0008be4c24 x0 : ffffff0ffffada80 [ 2.111737] [ 2.113236] Process cpuhp/48 (pid: 295, stack limit = 0xfffffe0fe8b8c020) [ 2.120102] Stack: (0xfffffe0fe8b8fb10 to 0xfffffe0fe8b90000) [ 2.125914] fb00: fffffe0fe8b8fb80 fffffc00080e7648 . . . [ 2.442859] Call trace: [ 2.445327] Exception stack(0xfffffe0fe8b8f940 to 0xfffffe0fe8b8fa70) [ 2.451843] f940: fffffe0fe89d1d00 0000040000000000 fffffe0fe8b8fb10 fffffc00080e7468 [ 2.459767] f960: fffffe0fe8b8f980 fffffc00080e4958 ffffff0ff91ab200 fffffc00080e4b64 [ 2.467690] f980: fffffe0fe8b8f9d0 fffffc00080e515c fffffe0fe8b8fa80 0000000000000000 [ 2.475614] f9a0: fffffe0fe8b8f9d0 fffffc00080e58e4 fffffe0fe8b8fa80 0000000000000000 [ 2.483540] f9c0: fffffe0fe8d10000 0000000000000040 fffffe0fe8b8fa50 fffffc00080e5ac4 [ 2.491465] f9e0: ffffff0ffffada80 fffffc0008be4c24 0000000000000000 0000000000000000 [ 2.499387] fa00: 0000000000000000 ffffffffffffffff 0000000000000000 0000000000000040 [ 2.507309] fa20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [ 2.515233] fa40: 0000000000000000 0000000000000000 0000000000000000 0000000000000018 [ 2.523156] fa60: 0000000000000000 0000000000000000 [ 2.528089] [] try_to_wake_up+0x194/0x34c [ 2.533723] [] wake_up_process+0x28/0x34 [ 2.539275] [] create_worker+0x110/0x19c [ 2.544824] [] alloc_unbound_pwq+0x3cc/0x4b0 [ 2.550724] [] wq_update_unbound_numa+0x10c/0x1e4 [ 2.557066] [] workqueue_online_cpu+0x220/0x28c [ 2.563234] [] cpuhp_invoke_callback+0x6c/0x168 [ 2.569398] [] cpuhp_up_callbacks+0x44/0xe4 [ 2.575210] [] cpuhp_thread_fun+0x13c/0x148 [ 2.581027] [] smpboot_thread_fn+0x19c/0x1a8 [ 2.586929] [] kthread+0xdc/0xf0 [ 2.591776] [] ret_from_fork+0x10/0x50 [ 2.597147] Code: b00057e1 91304021 91005021 b8626822 (b8606821) [ 2.603464] ---[ end trace 58c0cd36b88802bc ]--- [ 2.608138] Kernel panic - not syncing: Fatal exception Fix by moving call to numa_store_cpu_info() for all CPUs into smp_prepare_cpus(), which happens before wq_numa_init(). Since smp_store_cpu_info() now contains only a single function call, simplify by removing the function and out-lining its contents. Suggested-by: Robert Richter Fixes: 1a2db300348b ("arm64, numa: Add NUMA support for arm64 platforms.") Cc: # 4.7.x- Signed-off-by: David Daney Reviewed-by: Robert Richter Tested-by: Yisheng Xie Signed-off-by: Catalin Marinas arch/arm64/kernel/smp.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) commit 96b03ab86d843524ec4aed7fe0ceef412c684c68 Author: Vivien Didelot Date: Thu Sep 22 16:55:13 2016 -0400 locking/hung_task: Fix typo in CONFIG_DETECT_HUNG_TASK help text Fix the indefinitiley -> indefinitely typo in Kconfig.debug. Signed-off-by: Vivien Didelot Cc: Andrew Morton Cc: Linus Torvalds Cc: Paul E. McKenney Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/20160922205513.17821-1-vivien.didelot@savoirfairelinux.com Signed-off-by: Ingo Molnar lib/Kconfig.debug | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3b4ac78610690bd83fb33762ef97e8b8a89285ae Author: Sagi Grimberg Date: Thu Sep 22 19:58:17 2016 -0600 nvme-rdma: only clear queue flags after successful connect Otherwise, nvme_rdma_stop_and_clear_queue() will incorrectly try to stop/free rdma qps/cm_ids that are already freed. Fixes: e89ca58f9c90 ("nvme-rdma: add DELETING queue flag") Reported-by: Steve Wise Tested-by: Steve Wise Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe drivers/nvme/host/rdma.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 331dcf421c34d227784d07943eb01e4023a42b0a Author: Sudeep Holla Date: Thu Aug 25 12:23:39 2016 +0100 i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended If the i2c device is already runtime suspended, if qup_i2c_suspend is executed during suspend-to-idle or suspend-to-ram it will result in the following splat: WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90 Modules linked in: CPU: 3 PID: 1593 Comm: bash Tainted: G W 4.8.0-rc3 #14 Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) PC is at clk_core_unprepare+0x80/0x90 LR is at clk_unprepare+0x28/0x40 pc : [] lr : [] pstate: 60000145 Call trace: clk_core_unprepare+0x80/0x90 qup_i2c_disable_clocks+0x2c/0x68 qup_i2c_suspend+0x10/0x20 platform_pm_suspend+0x24/0x68 ... This patch fixes the issue by executing qup_i2c_pm_suspend_runtime conditionally in qup_i2c_suspend. Signed-off-by: Sudeep Holla Reviewed-by: Andy Gross Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/busses/i2c-qup.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit b1f2beb87bb034bb209773807994279f90cace78 Merge: f887c21 d8feef9 Author: Linus Torvalds Date: Thu Sep 22 09:04:49 2016 -0700 Merge tag 'media/v4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media Pull media fixes from Mauro Carvalho Chehab: - several fixes for new drivers added for Kernel 4.8 addition (cec core, pulse8 cec driver and Mediatek vcodec) - a regression fix for cx23885 and saa7134 drivers - an important fix for rcar-fcp, making rcar_fcp_enable() return 0 on success * tag 'media/v4.8-7' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (25 commits) [media] cx23885/saa7134: assign q->dev to the PCI device [media] rcar-fcp: Make sure rcar_fcp_enable() returns 0 on success [media] cec: fix ioctl return code when not registered [media] cec: don't Feature Abort broadcast msgs when unregistered [media] vcodec:mediatek: Refine VP8 encoder driver [media] vcodec:mediatek: Refine H264 encoder driver [media] vcodec:mediatek: change H264 profile default to profile high [media] vcodec:mediatek: Add timestamp and timecode copy for V4L2 Encoder [media] vcodec:mediatek: Fix visible_height larger than coded_height issue in s_fmt_out [media] vcodec:mediatek: Fix fops_vcodec_release flow for V4L2 Encoder [media] vcodec:mediatek:code refine for v4l2 Encoder driver [media] cec-funcs.h: add missing vendor-specific messages [media] cec-edid: check for IEEE identifier [media] pulse8-cec: fix error handling [media] pulse8-cec: set correct Signal Free Time [media] mtk-vcodec: add HAS_DMA dependency [media] cec: ignore messages when log_addr_mask == 0 [media] cec: add item to TODO [media] cec: set unclaimed addresses to CEC_LOG_ADDR_INVALID [media] cec: add CEC_LOG_ADDRS_FL_ALLOW_UNREG_FALLBACK flag ... commit f887c21e214757e6b1b9dd65e396ee3e7cbb6b18 Merge: 7d1e042 7e32b44 Author: Linus Torvalds Date: Thu Sep 22 08:49:25 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Mostly small bits scattered all over the place, which is usually how things go this late in the -rc series. 1) Proper driver init device resets in bnx2, from Baoquan He. 2) Fix accounting overflow in __tcp_retransmit_skb(), sk_forward_alloc, and ip_idents_reserve, from Eric Dumazet. 3) Fix crash in bna driver ethtool stats handling, from Ivan Vecera. 4) Missing check of skb_linearize() return value in mac80211, from Johannes Berg. 5) Endianness fix in nf_table_trace dumps, from Liping Zhang. 6) SSN comparison fix in SCTP, from Marcelo Ricardo Leitner. 7) Update DSA and b44 MAINTAINERS entries. 8) Make input path of vti6 driver work again, from Nicolas Dichtel. 9) Off-by-one in mlx4, from Sebastian Ott. 10) Fix fallback route lookup handling in ipv6, from Vincent Bernat. 11) Fix stack corruption on probe in qed driver, from Yuval Mintz. 12) PHY init fixes in r8152 from Hayes Wang. 13) Missing SKB free in irda_accept error path, from Phil Turnbull" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (61 commits) tcp: properly account Fast Open SYN-ACK retrans tcp: fix under-accounting retransmit SNMP counters MAINTAINERS: Update b44 maintainer. net: get rid of an signed integer overflow in ip_idents_reserve() net/mlx4_core: Fix to clean devlink resources net: can: ifi: Configure transmitter delay vti6: fix input path ipmr, ip6mr: return lastuse relative to now r8152: disable ALDPS and EEE before setting PHY r8152: remove r8153_enable_eee r8152: move PHY settings to hw_phy_cfg r8152: move enabling PHY r8152: move some functions cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter qed: Fix stack corruption on probe MAINTAINERS: Add an entry for the core network DSA code net: ipv6: fallback to full lookup if table lookup is unsuitable net/mlx5: E-Switch, Handle mode change failures net/mlx5: E-Switch, Fix error flow in the SRIOV e-switch init code net/mlx5: Fix flow counter bulk command out mailbox allocation ... commit 3bf6215a1b30db7df6083c708caab3fe1a8e8abe Author: Alexander Shishkin Date: Tue Sep 20 18:48:11 2016 +0300 perf/core: Limit matching exclusive events to one PMU An "exclusive" PMU is the one that can only have one event scheduled in at any given time. There may be more than one of such PMUs in a system, though, like Intel PT and BTS. It should be allowed to have one event for either of those inside the same context (there may be other constraints that may prevent this, but those would be hardware-specific). However, the exclusivity code is written so that only one event from any of the "exclusive" PMUs is allowed in a context. Fix this by making the exclusive event filter explicitly match two events' PMUs. Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160920154811.3255-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 08b90f0655258411a1b41d856331e20e7ec8d55c Author: Alexander Shishkin Date: Tue Sep 20 18:48:10 2016 +0300 perf/x86/intel/bts: Make it an exclusive PMU Just like intel_pt, intel_bts can only handle one event at a time, which is the reason we introduced PERF_PMU_CAP_EXCLUSIVE in the first place. However, at the moment one can have as many intel_bts events within the same context at the same time as one pleases. Only one of them, however, will get scheduled and receive the actual trace data. Fix this by making intel_bts an "exclusive" PMU. Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160920154811.3255-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9bf6ffdabdd6e70a0b69d032a0aff091afe1773e Author: Peter Zijlstra Date: Fri Aug 26 15:06:04 2016 +0200 locking/atomic, arch/sh: Fix ATOMIC_FETCH_OP() We cannot use the "z" constraint twice, since its a single register (r0). Change the one not used by movli.l/movco.l to "r". Reported-by: Fengguang Wu Tested-by: Fengguang Wu Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Rich Felker Cc: Thomas Gleixner Cc: Yoshinori Sato Signed-off-by: Ingo Molnar arch/sh/include/asm/atomic-llsc.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f0aa1ce6259eb65f53f969b3250c1d0aac84f30b Author: Nikita Yushchenko Date: Thu Sep 22 12:02:25 2016 +0300 regmap: fix deadlock on _regmap_raw_write() error path Commit 815806e39bf6 ("regmap: drop cache if the bus transfer error") added a call to regcache_drop_region() to error path in _regmap_raw_write(). However that path runs with regmap lock taken, and regcache_drop_region() tries to re-take it, causing a deadlock. Fix that by calling map->cache_ops->drop() directly. Signed-off-by: Nikita Yushchenko Signed-off-by: Mark Brown drivers/base/regmap/regmap.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 0cf43f509f72128196e23f5ade7e512a72152cc6 Author: Herbert Xu Date: Thu Sep 22 17:04:57 2016 +0800 crypto: rsa-pkcs1pad - Handle leading zero for decryption As the software RSA implementation now produces fixed-length output, we need to eliminate leading zeros in the calling code instead. This patch does just that for pkcs1pad decryption while signature verification was fixed in an earlier patch. Fixes: 9b45b7bba3d2 ("crypto: rsa - Generate fixed-length output") Reported-by: Mat Martineau Signed-off-by: Herbert Xu crypto/rsa-pkcs1pad.c | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) commit 456bee986e0a372ad4beed5d3cedb3622633d9df Author: Herbert Xu Date: Tue Sep 20 20:35:55 2016 +0800 KEYS: Fix skcipher IV clobbering The IV must not be modified by the skcipher operation so we need to duplicate it. Fixes: c3917fd9dfbc ("KEYS: Use skcipher") Cc: stable@vger.kernel.org Reported-by: Mimi Zohar Signed-off-by: Herbert Xu security/keys/encrypted-keys/encrypted.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) commit 9abefcb1aaa58b9d5aa40a8bb12c87d02415e4c8 Author: Sergei Miroshnichenko Date: Wed Sep 7 16:51:12 2016 +0300 can: dev: fix deadlock reported after bus-off A timer was used to restart after the bus-off state, leading to a relatively large can_restart() executed in an interrupt context, which in turn sets up pinctrl. When this happens during system boot, there is a high probability of grabbing the pinctrl_list_mutex, which is locked already by the probe() of other device, making the kernel suspect a deadlock condition [1]. To resolve this issue, the restart_timer is replaced by a delayed work. [1] https://github.com/victronenergy/venus/issues/24 Signed-off-by: Sergei Miroshnichenko Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/dev.c | 27 +++++++++++++++++---------- include/linux/can/dev.h | 3 ++- 2 files changed, 19 insertions(+), 11 deletions(-) commit 005d675aa1909ad70456dec8c5b0ba9b60b52d24 Author: Jaehoon Chung Date: Thu Sep 22 14:12:00 2016 +0900 mmc: dw_mmc: fix the spamming log message When there is no Card which is set to "broken-cd", it's displayed a clock information continuously. Because it's polling for detecting card. This patch is fixed this problem. Fixes: 65257a0deed5 ("mmc: dw_mmc: remove UBSAN warning in dw_mci_setup_bus()") Reported-by: Tobias Jakobi Signed-off-by: Jaehoon Chung Signed-off-by: Ulf Hansson drivers/mmc/host/dw_mmc.c | 14 +++++++++----- drivers/mmc/host/dw_mmc.h | 3 +++ 2 files changed, 12 insertions(+), 5 deletions(-) commit bad3d80fd001d3b74ab8bb3d561bc4d1b08797d3 Author: Karol Herbst Date: Sun Sep 18 12:21:56 2016 +0200 drm/nouveau: Revert "bus: remove cpu_coherent flag" This reverts commit aff51175cdbf345740ec9203eff88e772af88059. The commit caused fence timeouts within nvc0_screen_destroy and most likely other places as well. The most obvious effect is, that userspace processes take minutes to actually quit. Signed-off-by: Karol Herbst Signed-off-by: Ben Skeggs drivers/gpu/drm/nouveau/include/nvkm/core/device.h | 1 + drivers/gpu/drm/nouveau/nouveau_bo.c | 3 ++- drivers/gpu/drm/nouveau/nvkm/engine/device/pci.c | 1 + drivers/gpu/drm/nouveau/nvkm/engine/device/tegra.c | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) commit 7e32b44361abc77fbc01f2b97b045c405b2583e5 Author: Yuchung Cheng Date: Wed Sep 21 16:16:15 2016 -0700 tcp: properly account Fast Open SYN-ACK retrans Since the TFO socket is accepted right off SYN-data, the socket owner can call getsockopt(TCP_INFO) to collect ongoing SYN-ACK retransmission or timeout stats (i.e., tcpi_total_retrans, tcpi_retransmits). Currently those stats are only updated upon handshake completes. This patch fixes it. Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Neal Cardwell Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller net/ipv4/tcp_input.c | 2 +- net/ipv4/tcp_output.c | 2 ++ net/ipv4/tcp_timer.c | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) commit de1d657816c6fbb70f07b01d50ec669dff0d4e60 Author: Yuchung Cheng Date: Wed Sep 21 16:16:14 2016 -0700 tcp: fix under-accounting retransmit SNMP counters This patch fixes these under-accounting SNMP rtx stats LINUX_MIB_TCPFORWARDRETRANS LINUX_MIB_TCPFASTRETRANS LINUX_MIB_TCPSLOWSTARTRETRANS when retransmitting TSO packets Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time") Signed-off-by: Yuchung Cheng Acked-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 666ca3d8f19082f40745d75f3cc7cc0200ee87e3 Author: Ilia Mirkin Date: Fri Sep 9 22:34:02 2016 -0400 drm/nouveau/fifo/nv04: avoid ramht race against cookie insertion Signed-off-by: Ilia Mirkin Cc: stable@vger.kernel.org Signed-off-by: Ben Skeggs drivers/gpu/drm/nouveau/nvkm/engine/fifo/dmanv04.c | 3 +++ 1 file changed, 3 insertions(+) commit ba1ba25d3159573ffdc9e79e5c3dfcf9c5742964 Merge: 290b774 63c4378 Author: David S. Miller Date: Thu Sep 22 02:56:23 2016 -0400 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2016-09-21 1) Propagate errors on security context allocation. From Mathias Krause. 2) Fix inbound policy checks for inter address family tunnels. From Thomas Zeitlhofer. 3) Fix an old memory leak on aead algorithm usage. From Ilan Tayari. 4) A recent patch fixed a possible NULL pointer dereference but broke the vti6 input path. Fix from Nicolas Dichtel. ==================== Signed-off-by: David S. Miller commit 290b774a1e0cb385658ba117452e2a2962323b1f Merge: 75c9510 8d58790 Author: David S. Miller Date: Thu Sep 22 02:47:46 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160921' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-21 this is another pull request of one patch for the upcoming linux-4.8 release. Marek Vasut fixes the CAN-FD bit rate switch in the ifi driver by configuring the transmitter delay. ==================== Signed-off-by: David S. Miller commit 75c9510b8f745f75280029a8a9f96567f55f401e Author: Michael Chan Date: Tue Sep 20 23:33:15 2016 -0400 MAINTAINERS: Update b44 maintainer. Taking over as maintainer since Gary Zambrano is no longer working for Broadcom. Signed-off-by: Michael Chan Acked-by: Florian Fainelli Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit adb03115f4590baa280ddc440a8eff08a6be0cb7 Author: Eric Dumazet Date: Tue Sep 20 18:06:17 2016 -0700 net: get rid of an signed integer overflow in ip_idents_reserve() Jiri Pirko reported an UBSAN warning happening in ip_idents_reserve() [] UBSAN: Undefined behaviour in ./arch/x86/include/asm/atomic.h:156:11 [] signed integer overflow: [] -2117905507 + -695755206 cannot be represented in type 'int' Since we do not have uatomic_add_return() yet, use atomic_cmpxchg() so that the arithmetics can be done using unsigned int. Fixes: 04ca6973f7c1 ("ip: make IP identifiers less predictable") Signed-off-by: Eric Dumazet Reported-by: Jiri Pirko Signed-off-by: David S. Miller net/ipv4/route.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit fba1296624bf95fc07057da1e26beee8a733180c Author: Kamal Heib Date: Tue Sep 20 14:55:31 2016 +0300 net/mlx4_core: Fix to clean devlink resources This patch cleans devlink resources by calling devlink_port_unregister() to avoid the following issues: - Kernel panic when triggering reset flow. - Memory leak due to unfreed resources in mlx4_init_port_info(). Fixes: 09d4d087cd48 ("mlx4: Implement devlink interface") Signed-off-by: Kamal Heib Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/main.c | 3 +++ 1 file changed, 3 insertions(+) commit 7932aa1e43b4d4117be7671bb299103e549aec11 Merge: b5036cd db64c5f Author: David S. Miller Date: Wed Sep 21 21:45:19 2016 -0400 Merge tag 'wireless-drivers-for-davem-2016-09-20' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 iwlwifi * fix to prevent firmware crash when sending off-channel frames ==================== Signed-off-by: David S. Miller commit 325c50e3cebb9208009083e841550f98a863bfa0 Author: Jeff Mahoney Date: Wed Sep 21 08:31:29 2016 -0400 btrfs: ensure that file descriptor used with subvol ioctls is a dir If the subvol/snapshot create/destroy ioctls are passed a regular file with execute permissions set, we'll eventually Oops while trying to do inode->i_op->lookup via lookup_one_len. This patch ensures that the file descriptor refers to a directory. Fixes: cb8e70901d (Btrfs: Fix subvolume creation locking rules) Fixes: 76dda93c6a (Btrfs: add snapshot/subvolume destroy ioctl) Cc: #v2.6.29+ Signed-off-by: Jeff Mahoney Signed-off-by: Chris Mason fs/btrfs/ioctl.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit 1e5ec2e709bd8c5588fdbdda909945e4e2be8d23 Author: Josef Bacik Date: Thu Sep 15 14:57:48 2016 -0400 Btrfs: handle quota reserve failure properly btrfs/022 was spitting a warning for the case that we exceed the quota. If we fail to make our quota reservation we need to clean up our data space reservation. Thanks, Signed-off-by: Josef Bacik Tested-by: Jeff Mahoney Signed-off-by: Chris Mason fs/btrfs/extent-tree.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) commit 463e8f845cbf1c01e4cc8aeef1703212991d8e1e Author: Peter Rosin Date: Wed Sep 14 15:24:12 2016 +0200 i2c: mux: pca954x: retry updating the mux selection on failure The cached value of the last selected channel prevents retries on the next call, even on failure to update the selected channel. Fix that. Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/muxes/i2c-mux-pca954x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 11294d63ac915230a36b0603c62134ef7b173d0a Author: Dan Williams Date: Wed Sep 21 09:21:26 2016 -0700 nfit: fail DSMs that return non-zero status by default For the DSMs where the kernel knows the format of the output buffer and originates those DSMs from within the kernel, return -EIO for any non-zero status. If the BIOS is indicating a status that we do not know how to handle, fail the DSM. Cc: Signed-off-by: Dan Williams drivers/acpi/nfit/core.c | 48 ++++++++++++++++++++++++++++-------------------- 1 file changed, 28 insertions(+), 20 deletions(-) commit ecfb6d8a041cc2ca80bc69ffc20c00067d190df5 Author: Dan Williams Date: Wed Sep 21 09:22:33 2016 -0700 libnvdimm: fix devm_nvdimm_memremap() error path The internal alloc_nvdimm_map() helper might fail, particularly if the memory region is already busy. Report request_mem_region() failures and check for the failure. Reported-by: Ryan Chen Signed-off-by: Dan Williams drivers/nvdimm/core.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 371a015344b6e270e7e3632107d9554ec6d27a6b Author: Yadi.hu Date: Sun Sep 18 18:52:31 2016 +0800 i2c-eg20t: fix race between i2c init and interrupt enable the eg20t driver call request_irq() function before the pch_base_address, base address of i2c controller's register, is assigned an effective value. there is one possible scenario that an interrupt which isn't inside eg20t arrives immediately after request_irq() is executed when i2c controller shares an interrupt number with others. since the interrupt handler pch_i2c_handler() has already active as shared action, it will be called and read its own register to determine if this interrupt is from itself. At that moment, since base address of i2c registers is not remapped in kernel space yet,so the INT handler will access an illegal address and then a error occurs. Signed-off-by: Yadi.hu Signed-off-by: Wolfram Sang Cc: stable@kernel.org drivers/i2c/busses/i2c-eg20t.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) commit 554af0c396380baf416f54c439b99b495180b2f4 Author: James Hogan Date: Wed Sep 7 13:37:01 2016 +0100 MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs The page structures associated with the vDSO pages in the kernel image are calculated using virt_to_page(), which uses __pa() under the hood to find the pfn associated with the virtual address. The vDSO data pointers however point to kernel symbols, so __pa_symbol() should really be used instead. Since there is no equivalent to virt_to_page() which uses __pa_symbol(), fix init_vdso_image() to work directly with pfns, calculated with __phys_to_pfn(__pa_symbol(...)). This issue broke the Malta Enhanced Virtual Addressing (EVA) configuration which has a non-default implementation of __pa_symbol(). This is because it uses a physical alias so that the kernel executes from KSeg0 (VA 0x80000000 -> PA 0x00000000), while RAM is provided to the kernel in the KUSeg range (VA 0x00000000 -> PA 0x80000000) which uses the same underlying RAM. Since there are no page structures associated with the low physical address region, some arbitrary kernel memory would be interpreted as a page structure for the vDSO pages and badness ensues. Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") Signed-off-by: James Hogan Cc: Leonid Yegoshin Cc: linux-mips@linux-mips.org Cc: # 4.4.x- Patchwork: https://patchwork.linux-mips.org/patch/14229/ Signed-off-by: Ralf Baechle arch/mips/kernel/vdso.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 8d58790b832e13d6006d842037732304af357c3c Author: Marek Vasut Date: Mon Sep 19 21:34:01 2016 +0200 net: can: ifi: Configure transmitter delay Configure the transmitter delay register at +0x1c to correctly handle the CAN FD bitrate switch (BRS). This moves the SSP (secondary sample point) to a proper offset, so that the TDC mechanism works and won't generate error frames on the CAN link. Signed-off-by: Marek Vasut Cc: Marc Kleine-Budde Cc: Mark Rutland Cc: Oliver Hartkopp Cc: Wolfgang Grandegger Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/ifi_canfd/ifi_canfd.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 63c43787d35e45562a6b5927e2edc8f4783d95b8 Author: Nicolas Dichtel Date: Mon Sep 19 16:17:57 2016 +0200 vti6: fix input path Since commit 1625f4529957, vti6 is broken, all input packets are dropped (LINUX_MIB_XFRMINNOSTATES is incremented). XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in xfrm6_rcv_spi(). A new function xfrm6_rcv_tnl() that enables to pass a value to xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function is used in several handlers). CC: Alexey Kodanev Fixes: 1625f4529957 ("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key") Signed-off-by: Nicolas Dichtel Signed-off-by: Steffen Klassert include/net/xfrm.h | 4 +++- net/ipv6/ip6_vti.c | 4 +--- net/ipv6/xfrm6_input.c | 16 +++++++++++----- net/ipv6/xfrm6_tunnel.c | 2 +- 4 files changed, 16 insertions(+), 10 deletions(-) commit b5036cd4ed3173ab8cdbc85e2ba74acf46bafb51 Author: Nikolay Aleksandrov Date: Tue Sep 20 16:17:22 2016 +0200 ipmr, ip6mr: return lastuse relative to now When I introduced the lastuse member I made a subtle error because it was returned as an absolute value but that is meaningless to user-space as it doesn't allow to see how old exactly an entry is. Let's make it similar to how the bridge returns such values and make it relative to "now" (jiffies). This allows us to show the actual age of the entries and is much more useful (e.g. user-space daemons can age out entries, iproute2 can display the lastuse properly). Fixes: 43b9e1274060 ("net: ipmr/ip6mr: add support for keeping an entry age") Reported-by: Satish Ashok Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller net/ipv4/ipmr.c | 7 +++++-- net/ipv6/ip6mr.c | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 493d5f6db0ab12a9fcac587ae223f3e4e48dba6f Merge: 9b86a8d d768c61 Author: David S. Miller Date: Wed Sep 21 00:53:53 2016 -0400 Merge branch 'r8152-phy-fixes' Hayes Wang says: ==================== r8152: correct the flow of PHY First, to enable the PHY as early as possible. Some settings may fail if the PHY is power down. Move the other PHY settings to hw_phy_cfg() to make sure the order is correct. Finally, disable ALDPS and EEE before updating the PHY for RTL8153. ==================== Signed-off-by: David S. Miller commit d768c61bc353a0e0de3f839e1de99eee7d4eca10 Author: hayeswang Date: Tue Sep 20 16:22:09 2016 +0800 r8152: disable ALDPS and EEE before setting PHY Disable ALDPS and EEE to avoid the possible failure when setting the PHY. Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit af0287ec10c62c84cc5cd1bad4fd37644a1ac41d Author: hayeswang Date: Tue Sep 20 16:22:08 2016 +0800 r8152: remove r8153_enable_eee Remove r8153_enable_eee(). Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) commit ef39df8eaba48c0de779440f41a648b17a560953 Author: hayeswang Date: Tue Sep 20 16:22:07 2016 +0800 r8152: move PHY settings to hw_phy_cfg Move the PHY relative settings together to hw_phy_cfg(). Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) commit 2dd436daac7848dbf3fe799cf59c1408871a14e3 Author: hayeswang Date: Tue Sep 20 16:22:06 2016 +0800 r8152: move enabling PHY Move enabling PHY to init(), otherwise some other settings may fail. Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 43 +++++++++++++++++++++++++------------------ 1 file changed, 25 insertions(+), 18 deletions(-) commit e6449539828ac3b7c74b648793291640bcca8259 Author: hayeswang Date: Tue Sep 20 16:22:05 2016 +0800 r8152: move some functions Move the following functions forward. r8152_mmd_indirect() r8152_mmd_read() r8152_mmd_write() r8152_eee_en() r8152b_enable_eee() r8153_eee_en() r8153_enable_eee() r8152b_enable_fc() r8153_aldps_en() Signed-off-by: Hayes Wang Signed-off-by: David S. Miller drivers/net/usb/r8152.c | 224 ++++++++++++++++++++++++------------------------ 1 file changed, 112 insertions(+), 112 deletions(-) commit 9b86a8d19bd6406a10de5f924bf2a003a502d427 Author: Hariprasad Shenai Date: Tue Sep 20 12:00:52 2016 +0530 cxgb4/cxgb4vf: Allocate more queues for 25G and 100G adapter We were missing check for 25G and 100G while checking port speed, which lead to less number of queues getting allocated for 25G & 100G adapters and leading to low throughput. Adding the missing check for both NIC and vNIC driver. Also fixes port advertisement for 25G and 100G in ethtool output. Signed-off-by: Hariprasad Shenai Signed-off-by: David S. Miller drivers/net/ethernet/chelsio/cxgb4/cxgb4.h | 4 ++-- drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c | 15 +++++++++++++-- drivers/net/ethernet/chelsio/cxgb4/t4_hw.c | 7 ++++++- drivers/net/ethernet/chelsio/cxgb4/t4fw_api.h | 6 ++++++ drivers/net/ethernet/chelsio/cxgb4vf/t4vf_common.h | 15 +++++++++++---- drivers/net/ethernet/chelsio/cxgb4vf/t4vf_hw.c | 9 +++++++-- 6 files changed, 45 insertions(+), 11 deletions(-) commit b79331a5eb9f96e4dfd216974581168ec4c8a4d4 Author: Russell Currey Date: Wed Sep 14 16:37:17 2016 +1000 powerpc/powernv/pci: Fix m64 checks for SR-IOV and window alignment Commit 5958d19a143e checks for prefetchable m64 BARs by comparing the addresses instead of using resource flags. This broke SR-IOV as the m64 check in pnv_pci_ioda_fixup_iov_resources() fails. The condition in pnv_pci_window_alignment() also changed to checking only IORESOURCE_MEM_64 instead of both IORESOURCE_MEM_64 and IORESOURCE_PREFETCH. Revert these cases to the previous behaviour, adding a new helper function to do so. This is named pnv_pci_is_m64_flags() to make it clear this function is only looking at resource flags and should not be relied on for non-SRIOV resources. Fixes: 5958d19a143e ("Fix incorrect PE reservation attempt on some 64-bit BARs") Reported-by: Alexey Kardashevskiy Signed-off-by: Russell Currey Tested-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit ceb16a90136f42a0079b12d163c824b5825933f7 Merge: 67a99b7 4de349e Author: David S. Miller Date: Tue Sep 20 22:46:14 2016 -0400 Merge tag 'linux-can-fixes-for-4.8-20160919' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2016-09-19 this is a pull request of one patch for the upcoming linux-4.8 release. The patch by Fabio Estevam fixes the pm handling in the flexcan driver. ==================== Signed-off-by: David S. Miller commit 7d1e042314619115153a0f6f06e4552c09a50e13 Merge: e23d415 aa4f060 Author: Linus Torvalds Date: Tue Sep 20 17:11:19 2016 -0700 Merge tag 'usercopy-v4.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull usercopy hardening fix from Kees Cook: "Expand the arm64 vmalloc check to include skipping the module space too" * tag 'usercopy-v4.8-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: mm: usercopy: Check for module addresses commit e23d4159b109167126e5bcd7f3775c95de7fee47 Author: Al Viro Date: Tue Sep 20 20:07:42 2016 +0100 fix fault_in_multipages_...() on architectures with no-op access_ok() Switching iov_iter fault-in to multipages variants has exposed an old bug in underlying fault_in_multipages_...(); they break if the range passed to them wraps around. Normally access_ok() done by callers will prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into such a range and they should not point to any valid objects). However, on architectures where userland and kernel live in different MMU contexts (e.g. s390) access_ok() is a no-op and on those a range with a wraparound can reach fault_in_multipages_...(). Since any wraparound means EFAULT there, the fix is trivial - turn those while (uaddr <= end) ... into if (unlikely(uaddr > end)) return -EFAULT; do ... while (uaddr <= end); Reported-by: Jan Stancek Tested-by: Jan Stancek Cc: stable@vger.kernel.org # v3.5+ Signed-off-by: Al Viro Signed-off-by: Linus Torvalds include/linux/pagemap.h | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) commit aa4f0601115319a52c80f468c8f007e5aa9277cb Author: Laura Abbott Date: Tue Sep 20 08:56:36 2016 -0700 mm: usercopy: Check for module addresses While running a compile on arm64, I hit a memory exposure usercopy: kernel memory exposure attempt detected from fffffc0000f3b1a8 (buffer_head) (1 bytes) ------------[ cut here ]------------ kernel BUG at mm/usercopy.c:75! Internal error: Oops - BUG: 0 [#1] SMP Modules linked in: ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ip_set nfnetlink ebtable_broute bridge stp llc ebtable_nat ip6table_security ip6table_raw ip6table_nat nf_conntrack_ipv6 nf_defrag_ipv6 nf_nat_ipv6 ip6table_mangle iptable_security iptable_raw iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_mangle ebtable_filter ebtables ip6table_filter ip6_tables vfat fat xgene_edac xgene_enet edac_core i2c_xgene_slimpro i2c_core at803x realtek xgene_dma mdio_xgene gpio_dwapb gpio_xgene_sb xgene_rng mailbox_xgene_slimpro nfsd auth_rpcgss nfs_acl lockd grace sunrpc xfs libcrc32c sdhci_of_arasan sdhci_pltfm sdhci mmc_core xhci_plat_hcd gpio_keys CPU: 0 PID: 19744 Comm: updatedb Tainted: G W 4.8.0-rc3-threadinfo+ #1 Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.12 Aug 12 2016 task: fffffe03df944c00 task.stack: fffffe00d128c000 PC is at __check_object_size+0x70/0x3f0 LR is at __check_object_size+0x70/0x3f0 ... [] __check_object_size+0x70/0x3f0 [] filldir64+0x158/0x1a0 [] __fat_readdir+0x4a0/0x558 [fat] [] fat_readdir+0x34/0x40 [fat] [] iterate_dir+0x190/0x1e0 [] SyS_getdents64+0x88/0x120 [] el0_svc_naked+0x24/0x28 fffffc0000f3b1a8 is a module address. Modules may have compiled in strings which could get copied to userspace. In this instance, it looks like "." which matches with a size of 1 byte. Extend the is_vmalloc_addr check to be is_vmalloc_or_module_addr to cover all possible cases. Signed-off-by: Laura Abbott Signed-off-by: Kees Cook mm/usercopy.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit e875bd66dfb68f4e898e9a43ef42858c504a7f23 Author: Paul Burton Date: Tue Sep 13 17:53:35 2016 +0100 irqchip/mips-gic: Fix local interrupts Since the device hierarchy domain was added by commit c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain"), GIC local interrupts have been broken. Users attempting to setup a per-cpu local IRQ, for example the GIC timer clock events code in drivers/clocksource/mips-gic-timer.c, the setup_percpu_irq function would refuse with -EINVAL because the GIC irqchip driver never called irq_set_percpu_devid so the IRQ_PER_CPU_DEVID flag was never set for the IRQ. This happens because irq_set_percpu_devid was being called from the gic_irq_domain_map function which is no longer called. Doing only that runs into further problems because gic_dev_domain_alloc set the struct irq_chip for all interrupts, local or shared, to gic_level_irq_controller despite that only being suitable for shared interrupts. The typical outcome of this is that gic_level_irq_controller callback functions are called for local interrupts, and then hwirq number calculations overflow & the driver ends up attempting to access some invalid register with an address calculated from an invalid hwirq number. Best case scenario is that this then leads to a bus error. This is fixed by abstracting the setup of the hwirq & chip to a new function gic_setup_dev_chip which is used by both the root GIC IRQ domain & the device domain. Finally, decoding local interrupts failed because gic_dev_domain_alloc only called irq_domain_alloc_irqs_parent for shared interrupts. Local ones were therefore never associated with hwirqs in the root GIC IRQ domain and the virq in gic_handle_local_int would always be 0. This is fixed by calling irq_domain_alloc_irqs_parent unconditionally & having gic_irq_domain_alloc handle both local & shared interrupts, which is easy due to the aforementioned abstraction of chip setup into gic_setup_dev_chip. This fixes use of the MIPS GIC timer for clock events, which has been broken since c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") but hadn't been noticed due to a silent fallback to the MIPS coprocessor 0 count/compare clock events device. Fixes: c98c1822ee13 ("irqchip/mips-gic: Add device hierarchy domain") Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Jason Cooper Cc: Qais Yousef Cc: stable@vger.kernel.org Cc: Marc Zyngier Link: http://lkml.kernel.org/r/20160913165335.31389-1-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-mips-gic.c | 105 ++++++++++++++++++++--------------------- 1 file changed, 50 insertions(+), 55 deletions(-) commit df04abfd181acc276ba6762c8206891ae10ae00d Author: Jiri Olsa Date: Thu Sep 8 09:57:08 2016 +0200 fs/proc/kcore.c: Add bounce buffer for ktext data We hit hardened usercopy feature check for kernel text access by reading kcore file: usercopy: kernel memory exposure attempt detected from ffffffff8179a01f () (4065 bytes) kernel BUG at mm/usercopy.c:75! Bypassing this check for kcore by adding bounce buffer for ktext data. Reported-by: Steve Best Fixes: f5509cc18daa ("mm: Hardened usercopy") Suggested-by: Kees Cook Signed-off-by: Jiri Olsa Acked-by: Kees Cook Signed-off-by: Linus Torvalds fs/proc/kcore.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit f5beeb1851ea6f8cfcf2657f26cb24c0582b4945 Author: Jiri Olsa Date: Thu Sep 8 09:57:07 2016 +0200 fs/proc/kcore.c: Make bounce buffer global for read Next patch adds bounce buffer for ktext area, so it's convenient to have single bounce buffer for both vmalloc/module and ktext cases. Suggested-by: Linus Torvalds Signed-off-by: Jiri Olsa Acked-by: Kees Cook Signed-off-by: Linus Torvalds fs/proc/kcore.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) commit 7597cdc066313bfd211cca2f9252dfeb41271391 Merge: d2ffb01 1297667 Author: Ingo Molnar Date: Tue Sep 20 16:56:56 2016 +0200 Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into efi/urgent Pull EFI fixes from Matt Fleming: * Fix a boot hang on large memory machines (multiple terabyte) caused by type conversion errors in the x86 PAT code (Matt Fleming) Signed-off-by: Ingo Molnar commit f1e1c9e5e357c05253affb13be29285c5cb56bf0 Author: Sebastian Andrzej Siewior Date: Tue Sep 20 15:12:21 2016 +0200 perf/x86/intel/bts: Make sure debug store is valid Since commit 4d4c47412464 ("perf/x86/intel/bts: Fix BTS PMI detection") my box goes boom on boot: | .... node #0, CPUs: #1 #2 #3 #4 #5 #6 #7 | BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 | IP: [] intel_bts_interrupt+0x43/0x130 | Call Trace: | d [] intel_pmu_handle_irq+0x51/0x4b0 | [] perf_event_nmi_handler+0x27/0x40 This happens because the code introduced in this commit dereferences the debug store pointer unconditionally. The debug store is not guaranteed to be available, so a NULL pointer check as on other places is required. Fixes: 4d4c47412464 ("perf/x86/intel/bts: Fix BTS PMI detection") Signed-off-by: Sebastian Andrzej Siewior Reviewed-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Peter Zijlstra Cc: vince@deater.net Cc: eranian@google.com Link: http://lkml.kernel.org/r/20160920131220.xg5pbdjtznszuyzb@breakpoint.cc Signed-off-by: Thomas Gleixner arch/x86/events/intel/bts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1297667083d5442aafe3e337b9413bf02b114edb Author: Matt Fleming Date: Mon Sep 19 13:09:09 2016 +0100 x86/efi: Only map RAM into EFI page tables if in mixed-mode Waiman reported that booting with CONFIG_EFI_MIXED enabled on his multi-terabyte HP machine results in boot crashes, because the EFI region mapping functions loop forever while trying to map those regions describing RAM. While this patch doesn't fix the underlying hang, there's really no reason to map EFI_CONVENTIONAL_MEMORY regions into the EFI page tables when mixed-mode is not in use at runtime. Reported-by: Waiman Long Cc: Ard Biesheuvel Cc: Borislav Petkov Cc: Linus Torvalds CC: Theodore Ts'o Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Scott J Norton Cc: Douglas Hatch Cc: # v4.6+ Signed-off-by: Matt Fleming arch/x86/platform/efi/efi_64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e535ec0899d1fe52ec3a84c9bc03457ac67ad6f7 Author: Matt Fleming Date: Tue Sep 20 14:26:21 2016 +0100 x86/mm/pat: Prevent hang during boot when mapping pages There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data types used for keeping track of how many pages have been mapped. This leads to hangs during boot when mapping large numbers of pages (multiple terabytes, as reported by Waiman) because those values are interpreted as being negative. commit 742563777e8d ("x86/mm/pat: Avoid truncation when converting cpa->numpages to address") fixed one of those bugs, but there is another lurking in __change_page_attr_set_clr(). Additionally, the return value type for the populate_*() functions can return negative values when a large number of pages have been mapped, triggering the error paths even though no error occurred. Consistently use 64-bit types on 64-bit platforms when counting pages. Even in the signed case this gives us room for regions 8PiB (pebibytes) in size whilst still allowing the usual negative value error checking idiom. Reported-by: Waiman Long Cc: Ard Biesheuvel Cc: Borislav Petkov Cc: Linus Torvalds CC: Theodore Ts'o Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Cc: Scott J Norton Cc: Douglas Hatch Signed-off-by: Matt Fleming arch/x86/mm/pageattr.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) commit 67a99b7061c07b190ac6c39f136afedbb7aa86e9 Author: Yuval Mintz Date: Mon Sep 19 17:47:41 2016 +0300 qed: Fix stack corruption on probe Commit fe56b9e6a8d95 ("qed: Add module with basic common support") has introduced a stack corruption during probe, where filling a local struct with data to be sent to management firmware is incorrectly filled; The data is written outside of the struct and corrupts the stack. Changes from v1: ---------------- - Correct the value written [Caught by David Laight] Fixes: fe56b9e6a8d95 ("qed: Add module with basic common support") Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_mcp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3ed6e498b91a4dc5d0e8b6270a6c144061db2455 Author: Andrew Lunn Date: Sun Sep 18 21:17:19 2016 +0200 MAINTAINERS: Add an entry for the core network DSA code The core distributed switch architecture code currently does not have a MAINTAINERS entry, which results in some contributions not landing in the right peoples inbox. Signed-off-by: Andrew Lunn Acked-by: Florian Fainelli Acked-by: Vivien Didelot Signed-off-by: David S. Miller MAINTAINERS | 9 +++++++++ 1 file changed, 9 insertions(+) commit a435a07f9164dda7c0c26e8ad758881f4bafc127 Author: Vincent Bernat Date: Sun Sep 18 17:46:07 2016 +0200 net: ipv6: fallback to full lookup if table lookup is unsuitable Commit 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups") introduced a regression: insertion of an IPv6 route in a table not containing the appropriate connected route for the gateway but which contained a non-connected route (like a default gateway) fails while it was previously working: $ ip link add eth0 type dummy $ ip link set up dev eth0 $ ip addr add 2001:db8::1/64 dev eth0 $ ip route add ::/0 via 2001:db8::5 dev eth0 table 20 $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20 RTNETLINK answers: No route to host $ ip -6 route show table 20 default via 2001:db8::5 dev eth0 metric 1024 pref medium After this patch, we get: $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20 $ ip -6 route show table 20 2001:db8:cafe::1 via 2001:db8::6 dev eth0 metric 1024 pref medium default via 2001:db8::5 dev eth0 metric 1024 pref medium Fixes: 8c14586fc320 ("net: ipv6: Use passed in table for nexthop lookups") Signed-off-by: Vincent Bernat Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: David S. Miller net/ipv6/route.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 7675bb2b176ea05bf4904223d760d1889f819714 Merge: 7ac3273 6c419ba Author: David S. Miller Date: Mon Sep 19 22:10:25 2016 -0400 Merge branch 'mlx5-fixes' Or Gerlitz says: ==================== mlx5 fixes to 4.8-rc6 This series series has a fix from Roi to memory corruption bug in the bulk flow counters code and two late and hopefully last fixes from me to the new eswitch offloads code. Series done over net commit 37dd348 "bna: fix crash in bnad_get_strings()" ==================== Signed-off-by: David S. Miller commit 6c419ba8e2580ab17c164db6e918e163d3537ec1 Author: Or Gerlitz Date: Sun Sep 18 18:20:29 2016 +0300 net/mlx5: E-Switch, Handle mode change failures E-switch mode changes involve creating HW tables, potentially allocating netdevices, etc, and things can fail. Add an attempt to rollback to the existing mode when changing to the new mode fails. Only if rollback fails, getting proper SRIOV functionality requires module unload or sriov disablement/enablement. Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller .../ethernet/mellanox/mlx5/core/eswitch_offloads.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) commit 4eea37d7b92076fdeac2a21e5f4dbd92d286719d Author: Or Gerlitz Date: Sun Sep 18 18:20:28 2016 +0300 net/mlx5: E-Switch, Fix error flow in the SRIOV e-switch init code When enablement of the SRIOV e-switch in certain mode (switchdev or legacy) fails, we must set the mode to none. Otherwise, we'll run into double free based crashes when further attempting to deal with the e-switch (such as when disabling sriov or unloading the driver). Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 1 + 1 file changed, 1 insertion(+) commit babd6134a54d70efe875fa5661a20eaecb63f278 Author: Roi Dayan Date: Sun Sep 18 18:20:27 2016 +0300 net/mlx5: Fix flow counter bulk command out mailbox allocation The FW command output length should be only the length of struct mlx5_cmd_fc_bulk out field. Failing to do so will cause the memcpy call which is invoked later in the driver to write over wrong memory address and corrupt kernel memory which results in random crashes. This bug was found using the kernel address sanitizer (kasan). Fixes: a351a1b03bf1 ('net/mlx5: Introduce bulk reading of flow counters') Signed-off-by: Roi Dayan Signed-off-by: Or Gerlitz Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/fs_cmd.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 727653d6ce7103b245eb8041f55dd5885f4c3289 Author: James Morse Date: Mon Sep 19 18:29:15 2016 +0100 irqchip/gicv3: Silence noisy DEBUG_PER_CPU_MAPS warning gic_raise_softirq() walks the list of cpus using for_each_cpu(), it calls gic_compute_target_list() which advances the iterator by the number of CPUs in the cluster. If gic_compute_target_list() reaches the last CPU it leaves the iterator pointing at the last CPU. This means the next time round the for_each_cpu() loop cpumask_next() will be called with an invalid CPU. This triggers a warning when built with CONFIG_DEBUG_PER_CPU_MAPS: [ 3.077738] GICv3: CPU1: found redistributor 1 region 0:0x000000002f120000 [ 3.077943] CPU1: Booted secondary processor [410fd0f0] [ 3.078542] ------------[ cut here ]------------ [ 3.078746] WARNING: CPU: 1 PID: 0 at ../include/linux/cpumask.h:121 gic_raise_softirq+0x12c/0x170 [ 3.078812] Modules linked in: [ 3.078869] [ 3.078930] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-rc5+ #5188 [ 3.078994] Hardware name: Foundation-v8A (DT) [ 3.079059] task: ffff80087a1a0080 task.stack: ffff80087a19c000 [ 3.079145] PC is at gic_raise_softirq+0x12c/0x170 [ 3.079226] LR is at gic_raise_softirq+0xa4/0x170 [ 3.079296] pc : [] lr : [] pstate: 200001c9 [ 3.081139] Call trace: [ 3.081202] Exception stack(0xffff80087a19fbe0 to 0xffff80087a19fd10) [ 3.082269] [] gic_raise_softirq+0x12c/0x170 [ 3.082354] [] smp_send_reschedule+0x34/0x40 [ 3.082433] [] resched_curr+0x50/0x88 [ 3.082512] [] check_preempt_curr+0x60/0xd0 [ 3.082593] [] ttwu_do_wakeup+0x20/0xe8 [ 3.082672] [] ttwu_do_activate+0x90/0xc0 [ 3.082753] [] try_to_wake_up+0x224/0x370 [ 3.082836] [] default_wake_function+0x10/0x18 [ 3.082920] [] __wake_up_common+0x5c/0xa0 [ 3.083003] [] __wake_up_locked+0x14/0x20 [ 3.083086] [] complete+0x40/0x60 [ 3.083168] [] secondary_start_kernel+0x15c/0x1d0 [ 3.083240] [<00000000808911a4>] 0x808911a4 [ 3.113401] Detected PIPT I-cache on CPU2 Avoid updating the iterator if the next call to cpumask_next() would cause the for_each_cpu() loop to exit. There is no change to gic_raise_softirq()'s behaviour, (cpumask_next()s eventual call to _find_next_bit() will return early as start >= nbits), this patch just silences the warning. Fixes: 021f653791ad ("irqchip: gic-v3: Initial support for GICv3") Signed-off-by: James Morse Acked-by: Marc Zyngier Cc: linux-arm-kernel@lists.infradead.org Cc: Jason Cooper Link: http://lkml.kernel.org/r/1474306155-3303-1-git-send-email-james.morse@arm.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-gic-v3.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit d2ffb0103aaefa9b169da042cf39ce27bfb6cdbb Merge: 7fadce0 b92ae13 Author: Linus Torvalds Date: Mon Sep 19 16:08:03 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "20 fixes" * emailed patches from Andrew Morton : rapidio/rio_cm: avoid GFP_KERNEL in atomic context Revert "ocfs2: bump up o2cb network protocol version" ocfs2: fix start offset to ocfs2_zero_range_for_truncate() cgroup: duplicate cgroup reference when cloning sockets mm: memcontrol: make per-cpu charge cache IRQ-safe for socket accounting ocfs2: fix double unlock in case retry after free truncate log fanotify: fix list corruption in fanotify_get_response() fsnotify: add a way to stop queueing events on group shutdown ocfs2: fix trans extend while free cached blocks ocfs2: fix trans extend while flush truncate log ipc/shm: fix crash if CONFIG_SHMEM is not set mm: fix the page_swap_info() BUG_ON check autofs: use dentry flags to block walks during expire MAINTAINERS: update email for VLYNQ bus entry mm: avoid endless recursion in dump_page() mm, thp: fix leaking mapped pte in __collapse_huge_page_swapin() khugepaged: fix use-after-free in collapse_huge_page() MAINTAINERS: Maik has moved ocfs2/dlm: fix race between convert and migration mem-hotplug: don't clear the only node in new_node_page() commit b92ae139c308c5223521ed6ec022148b81312809 Author: Alexandre Bounine Date: Mon Sep 19 14:44:47 2016 -0700 rapidio/rio_cm: avoid GFP_KERNEL in atomic context As reported by Alexey Khoroshilov (https://lkml.org/lkml/2016/9/9/737): riocm_send_close() is called from rio_cm_shutdown() under spin_lock_bh(idr_lock), but riocm_send_close() uses a GFP_KERNEL allocation. Fix by taking riocm_send_close() outside of spinlock protected code. [akpm@linux-foundation.org: remove unneeded `if (!list_empty())'] Link: http://lkml.kernel.org/r/20160915175402.10122-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Reported-by: Alexey Khoroshilov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/rapidio/rio_cm.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) commit 63b52c4936a2e679639c38ef51a50aa8ca1c5c07 Author: Junxiao Bi Date: Mon Sep 19 14:44:44 2016 -0700 Revert "ocfs2: bump up o2cb network protocol version" This reverts commit 38b52efd218b ("ocfs2: bump up o2cb network protocol version"). This commit made rolling upgrade fail. When one node is upgraded to new version with this commit, the remaining nodes will fail to establish connections to it, then the application like VMs on the remaining nodes can't be live migrated to the upgraded one. This will cause an outage. Since negotiate hb timeout behavior didn't change without this commit, so revert it. Fixes: 38b52efd218bf ("ocfs2: bump up o2cb network protocol version") Link: http://lkml.kernel.org/r/1471396924-10375-1-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Cc: Mark Fasheh Cc: Joel Becker Cc: Joseph Qi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/cluster/tcp_internal.h | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) commit d21c353d5e99c56cdd5b5c1183ffbcaf23b8b960 Author: Ashish Samant Date: Mon Sep 19 14:44:42 2016 -0700 ocfs2: fix start offset to ocfs2_zero_range_for_truncate() If we punch a hole on a reflink such that following conditions are met: 1. start offset is on a cluster boundary 2. end offset is not on a cluster boundary 3. (end offset is somewhere in another extent) or (hole range > MAX_CONTIG_BYTES(1MB)), we dont COW the first cluster starting at the start offset. But in this case, we were wrongly passing this cluster to ocfs2_zero_range_for_truncate() to zero out. This will modify the cluster in place and zero it in the source too. Fix this by skipping this cluster in such a scenario. To reproduce: 1. Create a random file of say 10 MB xfs_io -c 'pwrite -b 4k 0 10M' -f 10MBfile 2. Reflink it reflink -f 10MBfile reflnktest 3. Punch a hole at starting at cluster boundary with range greater that 1MB. You can also use a range that will put the end offset in another extent. fallocate -p -o 0 -l 1048615 reflnktest 4. sync 5. Check the first cluster in the source file. (It will be zeroed out). dd if=10MBfile iflag=direct bs= count=1 | hexdump -C Link: http://lkml.kernel.org/r/1470957147-14185-1-git-send-email-ashish.samant@oracle.com Signed-off-by: Ashish Samant Reported-by: Saar Maoz Reviewed-by: Srinivas Eeda Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Joseph Qi Cc: Eric Ren Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/file.c | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) commit d979a39d7242e0601bf9b60e89628fb8ac577179 Author: Johannes Weiner Date: Mon Sep 19 14:44:38 2016 -0700 cgroup: duplicate cgroup reference when cloning sockets When a socket is cloned, the associated sock_cgroup_data is duplicated but not its reference on the cgroup. As a result, the cgroup reference count will underflow when both sockets are destroyed later on. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Link: http://lkml.kernel.org/r/20160914194846.11153-2-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Acked-by: Tejun Heo Cc: Michal Hocko Cc: Vladimir Davydov Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/cgroup.c | 6 ++++++ net/core/sock.c | 5 ++++- 2 files changed, 10 insertions(+), 1 deletion(-) commit db2ba40c277dc545bab531671c3f45ac0afea6f8 Author: Johannes Weiner Date: Mon Sep 19 14:44:36 2016 -0700 mm: memcontrol: make per-cpu charge cache IRQ-safe for socket accounting During cgroup2 rollout into production, we started encountering css refcount underflows and css access crashes in the memory controller. Splitting the heavily shared css reference counter into logical users narrowed the imbalance down to the cgroup2 socket memory accounting. The problem turns out to be the per-cpu charge cache. Cgroup1 had a separate socket counter, but the new cgroup2 socket accounting goes through the common charge path that uses a shared per-cpu cache for all memory that is being tracked. Those caches are safe against scheduling preemption, but not against interrupts - such as the newly added packet receive path. When cache draining is interrupted by network RX taking pages out of the cache, the resuming drain operation will put references of in-use pages, thus causing the imbalance. Disable IRQs during all per-cpu charge cache operations. Fixes: f7e1cb6ec51b ("mm: memcontrol: account socket memory in unified hierarchy memory controller") Link: http://lkml.kernel.org/r/20160914194846.11153-1-hannes@cmpxchg.org Signed-off-by: Johannes Weiner Acked-by: Tejun Heo Cc: "David S. Miller" Cc: Michal Hocko Cc: Vladimir Davydov Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 31 ++++++++++++++++++++++--------- 1 file changed, 22 insertions(+), 9 deletions(-) commit 3bb8b653c86f6b1d2cc05aa1744fed4b18f99485 Author: Joseph Qi Date: Mon Sep 19 14:44:33 2016 -0700 ocfs2: fix double unlock in case retry after free truncate log If ocfs2_reserve_cluster_bitmap_bits() fails with ENOSPC, it will try to free truncate log and then retry. Since ocfs2_try_to_free_truncate_log will lock/unlock global bitmap inode, we have to unlock it before calling this function. But when retry reserve and it fails with no global bitmap inode lock taken, it will unlock again in error handling branch and BUG. This issue also exists if no need retry and then ocfs2_inode_lock fails. So fix it. Fixes: 2070ad1aebff ("ocfs2: retry on ENOSPC if sufficient space in truncate log") Link: http://lkml.kernel.org/r/57D91939.6030809@huawei.com Signed-off-by: Joseph Qi Signed-off-by: Jiufei Xue Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/suballoc.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) commit 96d41019e3ac55f6f0115b0ce97e4f24a3d636d2 Author: Jan Kara Date: Mon Sep 19 14:44:30 2016 -0700 fanotify: fix list corruption in fanotify_get_response() fanotify_get_response() calls fsnotify_remove_event() when it finds that group is being released from fanotify_release() (bypass_perm is set). However the event it removes need not be only in the group's notification queue but it can have already moved to access_list (userspace read the event before closing the fanotify instance fd) which is protected by a different lock. Thus when fsnotify_remove_event() races with fanotify_release() operating on access_list, the list can get corrupted. Fix the problem by moving all the logic removing permission events from the lists to one place - fanotify_release(). Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-3-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reported-by: Miklos Szeredi Tested-by: Miklos Szeredi Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/fanotify/fanotify.c | 13 +------------ fs/notify/fanotify/fanotify_user.c | 36 ++++++++++++++++++++++++------------ fs/notify/notification.c | 15 --------------- include/linux/fsnotify_backend.h | 3 --- 4 files changed, 25 insertions(+), 42 deletions(-) commit 12703dbfeb15402260e7554d32a34ac40c233990 Author: Jan Kara Date: Mon Sep 19 14:44:27 2016 -0700 fsnotify: add a way to stop queueing events on group shutdown Implement a function that can be called when a group is being shutdown to stop queueing new events to the group. Fanotify will use this. Fixes: 5838d4442bd5 ("fanotify: fix double free of pending permission events") Link: http://lkml.kernel.org/r/1473797711-14111-2-git-send-email-jack@suse.cz Signed-off-by: Jan Kara Reviewed-by: Miklos Szeredi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/notify/group.c | 19 +++++++++++++++++++ fs/notify/notification.c | 8 +++++++- include/linux/fsnotify_backend.h | 3 +++ 3 files changed, 29 insertions(+), 1 deletion(-) commit d5bf141893880f7283fe97e1812c58ff22c8f9a5 Author: Junxiao Bi Date: Mon Sep 19 14:44:24 2016 -0700 ocfs2: fix trans extend while free cached blocks The root cause of this issue is the same with the one fixed by the last patch, but this time credits for allocator inode and group descriptor may not be consumed before trans extend. The following error was caught: WARNING: CPU: 0 PID: 2037 at fs/jbd2/transaction.c:269 start_this_handle+0x4c3/0x510 [jbd2]() Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront fb_sys_fops sysimgblt sysfillrect syscopyarea xen_netfront parport_pc parport pcspkr i2c_piix4 i2c_core acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod CPU: 0 PID: 2037 Comm: rm Tainted: G W 4.1.12-37.6.3.el6uek.bug24573128v2.x86_64 #2 Hardware name: Xen HVM domU, BIOS 4.4.4OVM 02/11/2016 Call Trace: dump_stack+0x48/0x5c warn_slowpath_common+0x95/0xe0 warn_slowpath_null+0x1a/0x20 start_this_handle+0x4c3/0x510 [jbd2] jbd2__journal_restart+0x161/0x1b0 [jbd2] jbd2_journal_restart+0x13/0x20 [jbd2] ocfs2_extend_trans+0x74/0x220 [ocfs2] ocfs2_free_cached_blocks+0x16b/0x4e0 [ocfs2] ocfs2_run_deallocs+0x70/0x270 [ocfs2] ocfs2_commit_truncate+0x474/0x6f0 [ocfs2] ocfs2_truncate_for_delete+0xbd/0x380 [ocfs2] ocfs2_wipe_inode+0x136/0x6a0 [ocfs2] ocfs2_delete_inode+0x2a2/0x3e0 [ocfs2] ocfs2_evict_inode+0x28/0x60 [ocfs2] evict+0xab/0x1a0 iput_final+0xf6/0x190 iput+0xc8/0xe0 do_unlinkat+0x1b7/0x310 SyS_unlinkat+0x22/0x40 system_call_fastpath+0x12/0x71 ---[ end trace a62437cb060baa71 ]--- JBD2: rm wants too many credits (149 > 128) Link: http://lkml.kernel.org/r/1473674623-11810-2-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/alloc.c | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) commit 2b0ad0085aa47ace4756aa501274a7de0325c09c Author: Junxiao Bi Date: Mon Sep 19 14:44:21 2016 -0700 ocfs2: fix trans extend while flush truncate log Every time, ocfs2_extend_trans() included a credit for truncate log inode, but as that inode had been managed by jbd2 running transaction first time, it will not consume that credit until jbd2_journal_restart(). Since total credits to extend always included the un-consumed ones, there will be more and more un-consumed credit, at last jbd2_journal_restart() will fail due to credit number over the half of max transction credit. The following error was caught when unlinking a large file with many extents: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 13626 at fs/jbd2/transaction.c:269 start_this_handle+0x4c3/0x510 [jbd2]() Modules linked in: ocfs2 nfsd lockd grace nfs_acl auth_rpcgss sunrpc autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs sd_mod sg ip6t_REJECT nf_reject_ipv6 nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi cxgb3 mdio ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr ipv6 iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ppdev xen_kbdfront xen_netfront fb_sys_fops sysimgblt sysfillrect syscopyarea parport_pc parport pcspkr i2c_piix4 i2c_core acpi_cpufreq ext4 jbd2 mbcache xen_blkfront floppy pata_acpi ata_generic ata_piix dm_mirror dm_region_hash dm_log dm_mod CPU: 0 PID: 13626 Comm: unlink Tainted: G W 4.1.12-37.6.3.el6uek.x86_64 #2 Hardware name: Xen HVM domU, BIOS 4.4.4OVM 02/11/2016 Call Trace: dump_stack+0x48/0x5c warn_slowpath_common+0x95/0xe0 warn_slowpath_null+0x1a/0x20 start_this_handle+0x4c3/0x510 [jbd2] jbd2__journal_restart+0x161/0x1b0 [jbd2] jbd2_journal_restart+0x13/0x20 [jbd2] ocfs2_extend_trans+0x74/0x220 [ocfs2] ocfs2_replay_truncate_records+0x93/0x360 [ocfs2] __ocfs2_flush_truncate_log+0x13e/0x3a0 [ocfs2] ocfs2_remove_btree_range+0x458/0x7f0 [ocfs2] ocfs2_commit_truncate+0x1b3/0x6f0 [ocfs2] ocfs2_truncate_for_delete+0xbd/0x380 [ocfs2] ocfs2_wipe_inode+0x136/0x6a0 [ocfs2] ocfs2_delete_inode+0x2a2/0x3e0 [ocfs2] ocfs2_evict_inode+0x28/0x60 [ocfs2] evict+0xab/0x1a0 iput_final+0xf6/0x190 iput+0xc8/0xe0 do_unlinkat+0x1b7/0x310 SyS_unlink+0x16/0x20 system_call_fastpath+0x12/0x71 ---[ end trace 28aa7410e69369cf ]--- JBD2: unlink wants too many credits (251 > 128) Link: http://lkml.kernel.org/r/1473674623-11810-1-git-send-email-junxiao.bi@oracle.com Signed-off-by: Junxiao Bi Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/alloc.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) commit 31b4beb473e3bdee1bf79db849502dcb24b5c202 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:18 2016 -0700 ipc/shm: fix crash if CONFIG_SHMEM is not set Commit c01d5b300774 ("shmem: get_unmapped_area align huge page") makes use of shm_get_unmapped_area() in shm_file_operations() unconditional to CONFIG_MMU. As Tony Battersby pointed this can lead NULL-pointer dereference on machine with CONFIG_MMU=y and CONFIG_SHMEM=n. In this case ipc/shm is backed by ramfs which doesn't provide f_op->get_unmapped_area for configurations with MMU. The solution is to provide dummy f_op->get_unmapped_area for ramfs when CONFIG_MMU=y, which just call current->mm->get_unmapped_area(). Fixes: c01d5b300774 ("shmem: get_unmapped_area align huge page") Link: http://lkml.kernel.org/r/20160912102704.140442-1-kirill.shutemov@linux.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Tony Battersby Tested-by: Tony Battersby Cc: Hugh Dickins Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ramfs/file-mmu.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit c8de641b1e9c5489aa6ca57b7836acd68e7563f1 Author: Santosh Shilimkar Date: Mon Sep 19 14:44:15 2016 -0700 mm: fix the page_swap_info() BUG_ON check Commit 62c230bc1790 ("mm: add support for a filesystem to activate swap files and use direct_IO for writing swap pages") replaced the swap_aops dirty hook from __set_page_dirty_no_writeback() with swap_set_page_dirty(). For normal cases without these special SWP flags code path falls back to __set_page_dirty_no_writeback() so the behaviour is expected to be the same as before. But swap_set_page_dirty() makes use of the page_swap_info() helper to get the swap_info_struct to check for the flags like SWP_FILE, SWP_BLKDEV etc as desired for those features. This helper has BUG_ON(!PageSwapCache(page)) which is racy and safe only for the set_page_dirty_lock() path. For the set_page_dirty() path which is often needed for cases to be called from irq context, kswapd() can toggle the flag behind the back while the call is getting executed when system is low on memory and heavy swapping is ongoing. This ends up with undesired kernel panic. This patch just moves the check outside the helper to its users appropriately to fix kernel panic for the described path. Couple of users of helpers already take care of SwapCache condition so I skipped them. Link: http://lkml.kernel.org/r/1473460718-31013-1-git-send-email-santosh.shilimkar@oracle.com Signed-off-by: Santosh Shilimkar Cc: Mel Gorman Cc: Joe Perches Cc: Peter Zijlstra Cc: Rik van Riel Cc: David S. Miller Cc: Jens Axboe Cc: Michal Hocko Cc: Hugh Dickins Cc: Al Viro Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/page_io.c | 3 +++ mm/swapfile.c | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) commit 7cbdb4a286a60c5d519cb9223fe2134d26870d39 Author: Ian Kent Date: Mon Sep 19 14:44:12 2016 -0700 autofs: use dentry flags to block walks during expire Somewhere along the way the autofs expire operation has changed to hold a spin lock over expired dentry selection. The autofs indirect mount expired dentry selection is complicated and quite lengthy so it isn't appropriate to hold a spin lock over the operation. Commit 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()") added a might_sleep() to dput() causing a WARN_ONCE() about this usage to be issued. But the spin lock doesn't need to be held over this check, the autofs dentry info. flags are enough to block walks into dentrys during the expire. I've left the direct mount expire as it is (for now) because it is much simpler and quicker than the indirect mount expire and adding spin lock release and re-aquires would do nothing more than add overhead. Fixes: 47be61845c77 ("fs/dcache.c: avoid soft-lockup in dput()") Link: http://lkml.kernel.org/r/20160912014017.1773.73060.stgit@pluto.themaw.net Signed-off-by: Ian Kent Reported-by: Takashi Iwai Tested-by: Takashi Iwai Cc: Takashi Iwai Cc: NeilBrown Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/autofs4/expire.c | 55 ++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 42 insertions(+), 13 deletions(-) commit 08eeb3061e44661afb4cb9eb08780e2fff8bfbc5 Author: Florian Fainelli Date: Mon Sep 19 14:44:09 2016 -0700 MAINTAINERS: update email for VLYNQ bus entry Link: http://lkml.kernel.org/r/1473218738-21836-1-git-send-email-f.fainelli@gmail.com Signed-off-by: Florian Fainelli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4d35427ad7641cba08ea0deffae1a78147ad41c0 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:07 2016 -0700 mm: avoid endless recursion in dump_page() dump_page() uses page_mapcount() to get mapcount of the page. page_mapcount() has VM_BUG_ON_PAGE(PageSlab(page)) as mapcount doesn't make sense for slab pages and the field in struct page used for other information. It leads to recursion if dump_page() called for slub page and DEBUG_VM is enabled: dump_page() -> page_mapcount() -> VM_BUG_ON_PAGE() -> dump_page -> ... Let's avoid calling page_mapcount() for slab pages in dump_page(). Link: http://lkml.kernel.org/r/20160908082137.131076-1-kirill.shutemov@linux.intel.com Signed-off-by: Kirill A. Shutemov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/debug.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 982785c6b05a82c01e90687b7e25ee87c8970b2e Author: Ebru Akagunduz Date: Mon Sep 19 14:44:04 2016 -0700 mm, thp: fix leaking mapped pte in __collapse_huge_page_swapin() Currently, khugepaged does not permit swapin if there are enough young pages in a THP. The problem is when a THP does not have enough young pages, khugepaged leaks mapped ptes. This patch prohibits leaking mapped ptes. Link: http://lkml.kernel.org/r/1472820276-7831-1-git-send-email-ebru.akagunduz@gmail.com Signed-off-by: Ebru Akagunduz Suggested-by: Andrea Arcangeli Reviewed-by: Andrea Arcangeli Reviewed-by: Rik van Riel Cc: Vlastimil Babka Cc: Mel Gorman Cc: Kirill A. Shutemov Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/khugepaged.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit c131f751ab1a852d4dd4b490b3a7fbba7d738de5 Author: Kirill A. Shutemov Date: Mon Sep 19 14:44:01 2016 -0700 khugepaged: fix use-after-free in collapse_huge_page() hugepage_vma_revalidate() tries to re-check if we still should try to collapse small pages into huge one after the re-acquiring mmap_sem. The problem Dmitry Vyukov reported[1] is that the vma found by hugepage_vma_revalidate() can be suitable for huge pages, but not the same vma we had before dropping mmap_sem. And dereferencing original vma can lead to fun results.. Let's use vma hugepage_vma_revalidate() found instead of assuming it's the same as what we had before the lock was dropped. [1] http://lkml.kernel.org/r/CACT4Y+Z3gigBvhca9kRJFcjX0G70V_nRhbwKBU+yGoESBDKi9Q@mail.gmail.com Link: http://lkml.kernel.org/r/20160907122559.GA6542@black.fi.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Dmitry Vyukov Reviewed-by: Andrea Arcangeli Cc: Ebru Akagunduz Cc: Vlastimil Babka Cc: Mel Gorman Cc: Johannes Weiner Cc: Vegard Nossum Cc: Sasha Levin Cc: Konstantin Khlebnikov Cc: Andrey Ryabinin Cc: Greg Thelen Cc: Suleiman Souhlal Cc: Hugh Dickins Cc: David Rientjes Cc: syzkaller Cc: Kostya Serebryany Cc: Alexander Potapenko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/khugepaged.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit d8e3875431956c1f78e142d531f490f76c760ce3 Author: Sudip Mukherjee Date: Mon Sep 19 14:43:58 2016 -0700 MAINTAINERS: Maik has moved Maik is no longer using the plusserver.de email, update with his current email. Link: http://lkml.kernel.org/r/1473007794-27960-1-git-send-email-sudipm.mukherjee@gmail.com Signed-off-by: Sudip Mukherjee Cc: Maik Broemme Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e6f0c6e6170fec175fe676495f29029aecdf486c Author: Joseph Qi Date: Mon Sep 19 14:43:55 2016 -0700 ocfs2/dlm: fix race between convert and migration Commit ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery") checks if lockres master has changed to identify whether new master has finished recovery or not. This will introduce a race that right after old master does umount ( means master will change), a new convert request comes. In this case, it will reset lockres state to DLM_RECOVERING and then retry convert, and then fail with lockres->l_action being set to OCFS2_AST_INVALID, which will cause inconsistent lock level between ocfs2 and dlm, and then finally BUG. Since dlm recovery will clear lock->convert_pending in dlm_move_lockres_to_recovery_list, we can use it to correctly identify the race case between convert and recovery. So fix it. Fixes: ac7cf246dfdb ("ocfs2/dlm: fix race between convert and recovery") Link: http://lkml.kernel.org/r/57CE1569.8010704@huawei.com Signed-off-by: Joseph Qi Signed-off-by: Jun Piao Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/ocfs2/dlm/dlmconvert.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 9bb627be47a574b764e162e8513d5db78d49e7f5 Author: Li Zhong Date: Mon Sep 19 14:43:52 2016 -0700 mem-hotplug: don't clear the only node in new_node_page() Commit 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") introduced new_node_page() for memory hotplug. In new_node_page(), the nid is cleared before calling __alloc_pages_nodemask(). But if it is the only node of the system, and the first round allocation fails, it will not be able to get memory from an empty nodemask, and will trigger oom. The patch checks whether it is the last node on the system, and if it is, then don't clear the nid in the nodemask. Fixes: 394e31d2ceb4 ("mem-hotplug: alloc new page from a nearest neighbor node when mem-offline") Link: http://lkml.kernel.org/r/1473044391.4250.19.camel@TP420 Signed-off-by: Li Zhong Reported-by: John Allen Acked-by: Vlastimil Babka Cc: Xishi Qiu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memory_hotplug.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 7fadce0d60d09427e0027d3d468781b08ca0b3d1 Author: Linus Torvalds Date: Mon Sep 19 14:49:08 2016 -0700 scripts/faddr2line: improve on base path filtering a bit Due to our compiler include directives, the build pathnames for header files often end up being of the form "$srcdir/./include/linux/xyz.h", which ends up having that extra "." path component after the build base in it. Teach faddr2line to skip that too, to make code generated in inline functions in header files match the filename for the regular C files. Rabin Vincent pointed out that I can't make a stricter regexp match by using the " at " prefix for the pathname, because that ends up being locale-dependent. But this does require that the path match be preceded by a space, to make it a bit more strict (that matters mainly if we didn't find any base_dir at all, and we only end up with the "./" part of the match) Acked-by: Josh Poimboeuf Cc: Rabin Vincent Signed-off-by: Linus Torvalds scripts/faddr2line | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 164c80ed84a7669114869d9347c0f3ea7f56ea89 Author: Vivek Goyal Date: Mon Sep 19 15:12:41 2016 -0600 blk-throttle: Extend slice if throttle group is not empty Right now, if slice is expired, we start a new slice. If a bio is queued, we keep on extending slice by throtle_slice interval (100ms). This worked well as long as pending timer function got executed with-in few milli seconds of scheduled time. But looks like with recent changes in timer subsystem, slack can be much longer depending on the expiry time of the scheduled timer. commit 500462a9de65 ("timers: Switch to a non-cascading wheel") This means, by the time timer function gets executed, it is possible the delay from scheduled time is more than 100ms. That means current code will conclude that existing slice has expired and a new one needs to be started. New slice will be 100ms by default and that will not be sufficient to meet rate requirement of group given the bio size and bio will not be dispatched and we will start a new timer function to wait. And when that timer expires, same process will repeat and we will wait again and this can easily be an infinite loop. Solve this issue by starting a new slice only if throttle gropup is empty. If it is not empty, that means there should be an active slice going on. Ideally it should not be expired but given the slack, it is possible that it has expired. Reported-by: Hou Tao Signed-off-by: Vivek Goyal Signed-off-by: Jens Axboe block/blk-throttle.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 9d15ce9caaf9ecbec74e3be156a4a57451ed16c2 Author: Dan Williams Date: Mon Sep 19 13:49:48 2016 -0700 tools/testing/nvdimm: fix allocation range for mock flush hint tables Commit 480b6837aa57 "nvdimm: fix PHYS_PFN/PFN_PHYS mixup" identified that we were passing an invalid address to devm_nvdimm_ioremap(). With that fixed it exposed a bug in the memory reservation size for flush hint tables. Since we map a full page we need to mock a full page of memory to back the flush hint table entries. Cc: Oliver O'Halloran Signed-off-by: Dan Williams tools/testing/nvdimm/test/nfit.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 7bb91e06730140a693611e51a4a9636152448bd3 Merge: 8ff77206 2db34e7 Author: Linus Torvalds Date: Mon Sep 19 12:58:34 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a potential weakness in IPsec CBC IV generation, as well as a number of issues that arose out of an OOM crash on ARM with CTR-mode AES" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: arm64/aes-ctr - fix NULL dereference in tail processing crypto: arm/aes-ctr - fix NULL dereference in tail processing crypto: skcipher - Fix blkcipher walk OOM crash crypto: echainiv - Replace chaining with multiplication commit 8ff77206aa36949afab46be43a3d14af75a4e270 Merge: 6732666 47a66e4 Author: Linus Torvalds Date: Mon Sep 19 12:27:31 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc7' of git://people.freedesktop.org/~airlied/linux Pull exynos and one stable ABI fix from Dave Airlie: "One important drm 32/64 ABI fix came in so I'll dequeue what I have, the rest is just exynos runtime pm fixes, but the net removal of code seems like a win to me. I'm going to be sporadic this week due to school holidays, so if anything urgent turns up, Daniel will take care of it" * tag 'drm-fixes-for-4.8-rc7' of git://people.freedesktop.org/~airlied/linux: drm: Only use compat ioctl for addfb2 on X86/IA64 Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning drm/exynos: g2d: fix system and runtime pm integration drm/exynos: rotator: fix system and runtime pm integration drm/exynos: gsc: fix system and runtime pm integration drm/exynos: fimc: fix system and runtime pm integration exynos-drm: Fix unsupported GEM memory type error message to be clear commit 67326666e2d45ebea7db3ed8e3e735f15e60dd91 Author: Josh Poimboeuf Date: Mon Sep 19 10:52:14 2016 -0500 scripts: add script for translating stack dump function offsets addr2line doesn't work with KASLR addresses. Add a basic addr2line wrapper script which takes the 'func+offset/size' format as input. Signed-off-by: Josh Poimboeuf Signed-off-by: Linus Torvalds scripts/faddr2line | 177 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 177 insertions(+) commit 08bccf43627e1972035c1fed5b4f570bdbde1b1e Author: Marcin Nowakowski Date: Fri Sep 2 10:13:21 2016 +0200 MIPS: Select HAVE_REGS_AND_STACK_ACCESS_API Add lost Kconfig symbol. This should have been part of 40e084a506eb ('MIPS: Add uprobes support.'). Fixes: 40e084a506eb ('MIPS: Add uprobes support.') Signed-off-by: Marcin Nowakowski Signed-off-by: Ralf Baechle arch/mips/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 480b6837aa579991c6acc113bccf838e6a90843c Author: Oliver O'Halloran Date: Mon Sep 19 20:19:00 2016 +1000 nvdimm: fix PHYS_PFN/PFN_PHYS mixup nd_activate_region() iomaps any hint addresses required when activating a region. To prevent duplicate mappings it checks the PFN of the hint to be mapped against the PFNs of the already mapped hints. Unfortunately it doesn't convert the PFN back into a physical address before passing it to devm_nvdimm_ioremap(). Instead it applies PHYS_PFN a second time which ends about as well as you would imagine. Signed-off-by: Oliver O'Halloran Signed-off-by: Dan Williams drivers/nvdimm/region_devs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d8feef9bd447381952a33e6284241006f394c080 Author: Hans Verkuil Date: Sun Sep 18 11:24:50 2016 -0300 [media] cx23885/saa7134: assign q->dev to the PCI device Fix a regression caused by commit 2bc46b3ad3c1 ("[media] media/pci: convert drivers to use the new vb2_queue dev field"). Three places where q->dev should be set were missed, causing a WARN. Fixes: 2bc46b3ad3c1 ("[media] media/pci: convert drivers to use the new vb2_queue dev field"). Signed-off-by: Hans Verkuil Reported-by: Marton Balint Signed-off-by: Mauro Carvalho Chehab drivers/media/pci/cx23885/cx23885-417.c | 1 + drivers/media/pci/saa7134/saa7134-dvb.c | 1 + drivers/media/pci/saa7134/saa7134-empress.c | 1 + 3 files changed, 3 insertions(+) commit 8074d7829595b7c86beba914c04ed5839cf4b3d6 Author: Aaro Koskinen Date: Tue Aug 23 21:39:43 2016 +0300 MIPS: Octeon: Fix platform bus probing Commit 44a7185c2ae6 ("of/platform: Add common method to populate default bus") added new arch_initcall of_platform_default_populate_init() that will override device_initcall octeon_publish_devices(). This broke many OCTEON boards as important devices are not getting probed anymore (e.g. on EdgeRouter Lite the USB mass storage/rootfs is missing). Fix by changing octeon_publish_devices() to arch_initcall. Fixes: 44a7185c2ae6 ("of/platform: Add common method to populate default bus") Signed-off-by: Aaro Koskinen Acked-by: Rob Herring Cc: David Daney Cc: Kefeng Wang Cc: linux-mips@linux-mips.org Cc: devicetree@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14041/ Signed-off-by: Ralf Baechle arch/mips/cavium-octeon/octeon-platform.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 3312eca519ba3b68b1966705e27b9dd9134f092c Author: Aaro Koskinen Date: Tue Aug 23 01:07:35 2016 +0300 MIPS: Octeon: mangle-port: fix build failure with VDSO code Commit 1685ddbe35cd ("MIPS: Octeon: Changes to support readq()/writeq() usage.") added bitwise shift operations that assume that unsigned long is always 64-bits. This broke the build of VDSO code, as it gets compiled also in "faked" 32-bit mode. Althought the failing inline functions are never executed in 32-bit mode, they still need to pass the compilation. Fix by using 64-bit types explicitly. The patch fixes the following build failure: CC arch/mips/vdso/gettimeofday-o32.o In file included from los/git/devel/linux/arch/mips/include/asm/io.h:32:0, from los/git/devel/linux/arch/mips/include/asm/page.h:194, from los/git/devel/linux/arch/mips/vdso/vdso.h:26, from los/git/devel/linux/arch/mips/vdso/gettimeofday.c:11: los/git/devel/linux/arch/mips/include/asm/mach-cavium-octeon/mangle-port.h: In function '__should_swizzle_bits': los/git/devel/linux/arch/mips/include/asm/mach-cavium-octeon/mangle-port.h:19:40: error: right shift count >= width of type [-Werror=shift-count-overflow] unsigned long did = ((unsigned long)a >> 40) & 0xff; ^~ Fixes: 1685ddbe35cd ("MIPS: Octeon: Changes to support readq()/writeq() usage.") Signed-off-by: Aaro Koskinen Acked-by: David Daney Cc: David Daney Cc: Steven J. Hill Cc: Alex Smith Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14039/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mach-cavium-octeon/mangle-port.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b244614a60ab7ce54c12a9cbe15cfbf8d79d0967 Author: Marcin Nowakowski Date: Wed Aug 31 12:33:23 2016 +0200 MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) cpu_has_fpu macro uses smp_processor_id() and is currently executed with preemption enabled, that triggers the warning at runtime. It is assumed throughout the kernel that if any CPU has an FPU, then all CPUs would have an FPU as well, so it is safe to perform the check with preemption enabled - change the code to use raw_ variant of the check to avoid the warning. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 4.0+ Patchwork: https://patchwork.linux-mips.org/patch/14125/ Signed-off-by: Ralf Baechle arch/mips/kernel/process.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 4de349e786a3a2d51bd02d56f3de151bbc3c3df9 Author: Fabio Estevam Date: Wed Aug 17 12:41:08 2016 -0300 can: flexcan: fix resume function On a imx6ul-pico board the following error is seen during system suspend: dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110 PM: Device 2090000.flexcan failed to resume: error -110 The reason for this suspend error is because when the CAN interface is not active the clocks are disabled and then flexcan_chip_enable() will always fail due to a timeout error. In order to fix this issue, only call flexcan_chip_enable/disable() when the CAN interface is active. Based on a patch from Dong Aisheng in the NXP kernel. Signed-off-by: Fabio Estevam Cc: linux-stable Signed-off-by: Marc Kleine-Budde drivers/net/can/flexcan.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) commit b588479358ce26f32138e0f0a7ab0678f8e3e601 Author: Ilan Tayari Date: Sun Sep 18 07:42:53 2016 +0000 xfrm: Fix memory leak of aead algorithm name commit 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms") introduced aead. The function attach_aead kmemdup()s the algorithm name during xfrm_state_construct(). However this memory is never freed. Implementation has since been slightly modified in commit ee5c23176fcc ("xfrm: Clone states properly on migration") without resolving this leak. This patch adds a kfree() call for the aead algorithm name. Fixes: 1a6509d99122 ("[IPSEC]: Add support for combined mode algorithms") Signed-off-by: Ilan Tayari Acked-by: Rami Rosen Signed-off-by: Steffen Klassert net/xfrm/xfrm_state.c | 1 + 1 file changed, 1 insertion(+) commit 38178e7b88dcbe1ab384f27a7370074e774dda81 Author: Lothar Waßmann Date: Mon Sep 19 11:09:40 2016 +0200 mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions commit a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") introduced a regression accessing the OOB area from the mxc_nand driver due to an Obiwan error in the mxc_nand_v[12]_ooblayout_free() functions. They report a bogus oobregion { 64, 7 } which leads to errors accessing bogus data when reading the oob area. Prior to the commit the mtd-oobtest module could be run without any errors. With the offending commit, this test fails with results like: |Running mtd-oobtest | |================================================= |mtd_oobtest: MTD device: 5 |mtd_oobtest: MTD device size 524288, eraseblock size 131072, page size 2048, count of eraseblocks 4, pages per eraseblock 64, OOB size 64 |mtd_test: scanning for bad eraseblocks |mtd_test: scanned 4 eraseblocks, 0 are bad |mtd_oobtest: test 1 of 5 |mtd_oobtest: writing OOBs of whole device |mtd_oobtest: written up to eraseblock 0 |mtd_oobtest: written 4 eraseblocks |mtd_oobtest: verifying all eraseblocks |mtd_oobtest: error @addr[0x0:0x19] 0x9a -> 0x78 diff 0xe2 |mtd_oobtest: error @addr[0x0:0x1a] 0xcc -> 0x0 diff 0xcc |mtd_oobtest: error @addr[0x0:0x1b] 0xe0 -> 0x85 diff 0x65 |mtd_oobtest: error @addr[0x0:0x1c] 0x60 -> 0x62 diff 0x2 |mtd_oobtest: error @addr[0x0:0x1d] 0x69 -> 0x45 diff 0x2c |mtd_oobtest: error @addr[0x0:0x1e] 0xcd -> 0xa0 diff 0x6d |mtd_oobtest: error @addr[0x0:0x1f] 0xf2 -> 0x60 diff 0x92 |mtd_oobtest: error: verify failed at 0x0 [...] Signed-off-by: Lothar Waßmann Fixes: a894cf6c5a82 ("mtd: nand: mxc: switch to mtd_ooblayout_ops") Cc: Signed-off-by: Boris Brezillon drivers/mtd/nand/mxc_nand.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 559e58e7ed2dadc310f174e609ead8a3e8acfc4e Author: RogerCC Lin Date: Mon Sep 19 10:53:26 2016 +0800 mtd: nand: fix chances to create incomplete ECC data when writing When mtk_nfc_do_write_page() comparing the sector number,because the sector number field is at the 12th-bit position of NFI_BYTELEN register,the masked register should be shifted 12 bits before being compared.The result of this bug may cause the second subpage has incomplete ECC parity bytes. Signed-off-by: RogerCC Lin Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") Signed-off-by: Boris Brezillon drivers/mtd/nand/mtk_nand.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit 7a353289925f01cb188ebc6fc4f4a33456b7de44 Author: RogerCC Lin Date: Mon Sep 19 10:53:25 2016 +0800 mtd: nand: fix generating over-boundary ECC data when writing When mtk_ecc_encode() is writing the ECC parity data to the OOB region,because each register is 4 bytes in length,but the len's unit is in bytes,the operation in the for loop will cross the ECC's boundary. Signed-off-by: RogerCC Lin Fixes: 1d6b1e464950 ("mtd: mediatek: driver for MTK Smart Device") Signed-off-by: Boris Brezillon drivers/mtd/nand/mtk_ecc.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 1984e075915cbae65336a99b1879865080d8e55e Author: Marc Zyngier Date: Mon Sep 19 09:49:27 2016 +0100 genirq: Skip chained interrupt trigger setup if type is IRQ_TYPE_NONE There is no point in trying to configure the trigger of a chained interrupt if no trigger information has been configured. At best this is ignored, and at the worse this confuses the underlying irqchip (which is likely not to handle such a thing), and unnecessarily alarms the user. Only apply the configuration if type is not IRQ_TYPE_NONE. Fixes: 1e12c4a9393b ("genirq: Correctly configure the trigger on chained interrupts") Reported-and-tested-by: Geert Uytterhoeven Signed-off-by: Marc Zyngier Link: https://lkml.kernel.org/r/CAMuHMdVW1eTn20=EtYcJ8hkVwohaSuH_yQXrY2MGBEvZ8fpFOg@mail.gmail.com Link: http://lkml.kernel.org/r/1474274967-15984-1-git-send-email-marc.zyngier@arm.com Signed-off-by: Thomas Gleixner kernel/irq/chip.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 47a66e45d7a7613322549c2475ea9d809baaf514 Author: Kristian H. Kristensen Date: Tue Sep 13 14:20:45 2016 -0700 drm: Only use compat ioctl for addfb2 on X86/IA64 Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an unaligned 64 bit field (modifier). This get packed differently between 32 bit and 64 bit modes on architectures that can handle unaligned 64 bit access (X86 and IA64). Other architectures pack the structs the same and don't need the compat wrapper. Use the same condition for drm_mode_fb_cmd2 as we use for drm_update_draw. Note that only the modifier will be packed differently between compat and non-compat versions. Reviewed-by: Rob Clark Signed-off-by: Kristian H. Kristensen [seanpaul added not at bottom of commit msg re: modifier] Signed-off-by: Sean Paul Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org Cc: stable@vger.kernel.org Signed-off-by: Dave Airlie drivers/gpu/drm/drm_ioc32.c | 4 ++++ 1 file changed, 4 insertions(+) commit f2543242adccd86bfeea3a4921800879e7187810 Merge: 09cb5b7 4158dbe Author: Dave Airlie Date: Mon Sep 19 14:22:56 2016 +1000 Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes Just fixup to runtime pm usage and some cleanups. * 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos: Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning drm/exynos: g2d: fix system and runtime pm integration drm/exynos: rotator: fix system and runtime pm integration drm/exynos: gsc: fix system and runtime pm integration drm/exynos: fimc: fix system and runtime pm integration exynos-drm: Fix unsupported GEM memory type error message to be clear commit 7ac327318e09a53e3df431dfd3f664dac7aba4df Merge: 19cd120 85d5313 Author: David S. Miller Date: Sun Sep 18 22:26:49 2016 -0400 Merge tag 'mac80211-for-davem-2016-09-16' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Two more fixes: * reject aggregation sessions for TSID/TID 8-16 that we can never use anyway and which could confuse drivers * check return value of skb_linearize() ==================== Signed-off-by: David S. Miller commit 19cd120319ef5390404a5d9c829c3a7962f184a8 Author: Giuseppe CAVALLARO Date: Fri Sep 16 10:50:13 2016 +0200 stmmac: fix PWRDWN into the PMT register for global unicast. MAC devices use the RWKPKTEN and MGKPKTEN bits of the PMT Control/Status register to generate power management events. So this patch is to properly set the RWKPKTEN [BIT(2)] inside the PMT register (needed in case of global unicast). Reported-by: Aditi SHARMA Signed-off-by: Giuseppe Cavallaro Cc: Alexandre TORGUE Signed-off-by: David S. Miller drivers/net/ethernet/stmicro/stmmac/dwmac1000_core.c | 2 +- drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 4158dbe1be9b420e1fdd9ec5c033647a605ca485 Author: Arnd Bergmann Date: Sun Sep 18 22:51:38 2016 +0900 Subject: [PATCH, RESEND] drm: exynos: avoid unused function warning When CONFIG_PM is not set, we get a warning about an unused function: drivers/gpu/drm/exynos/exynos_drm_gsc.c:1219:12: error: 'gsc_clk_ctrl' defined but not used [-Werror=unused-function] static int gsc_clk_ctrl(struct gsc_context *ctx, bool enable) ^~~~~~~~~~~~ This removes the two #ifdef checks in this file and instead marks the functions as __maybe_unused, which is a more reliable way of doing the same, allowing better build coverage and avoiding the warning above. Signed-off-by: Arnd Bergmann Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_gsc.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 3be7988674ab33565700a37b210f502563d932e6 Author: Linus Torvalds Date: Sun Sep 18 17:27:41 2016 -0700 Linux 4.8-rc7 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b01cf676835b681c159a395dc6828f1d6e3b3db6 Merge: 88b4ad2 e06226e Author: Linus Torvalds Date: Sun Sep 18 12:07:05 2016 -0700 Merge tag 'usb-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are two small fixes, and one new device id, for 4.8-rc7 The fixes solve a build error that was reported in your tree for the blackfin arch, and resolve an issue with a number of broken USB devices that reported the wrong interval rate. Included here is also a new device id for the usb-serial driver. All have been in linux-next with no reported issues" * tag 'usb-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: USB: change bInterval default to 10 ms usb: musb: Fix tusb6010 compile error on blackfin USB: serial: simple: add support for another Infineon flashloader commit 88b4ad287c91790e98fe9381b5cba7b381f359c0 Merge: 3286be9 8e4b720 Author: Linus Torvalds Date: Sun Sep 18 11:57:24 2016 -0700 Merge tag 'fixes-for-linus-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull uaccess fixes from Guenter Roeck: "Two patches fixing problems introduced with copy_from_user changes" * tag 'fixes-for-linus-v4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: openrisc: fix the fix of copy_from_user() avr32: fix 'undefined reference to `___copy_from_user' commit 3286be94808c403a5ca6bb2830d933439315cb99 Merge: 6ffa36a 080fe0b Author: Linus Torvalds Date: Sun Sep 18 11:50:48 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "A couple of small fixes to x86 perf drivers: - Measure L2 for HW_CACHE* events on AMD - Fix the address filter handling in the intel/pt driver - Handle the BTS disabling at the proper place" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 perf/x86/intel/pt: Do validate the size of a kernel address filter perf/x86/intel/pt: Fix kernel address filter's offset validation perf/x86/intel/pt: Fix an off-by-one in address filter configuration perf/x86/intel: Don't disable "intel_bts" around "intel" event batching commit 6ffa36a59a01691cc8823ef1113e328bb84c14de Merge: aaed4d0 6cfeaf5 Author: Linus Torvalds Date: Sun Sep 18 11:38:46 2016 -0700 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull SMP build fixlet from Thomas Gleixner: "Add a missing include in cpuhotplug.h" * 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: cpu/hotplug: Include linux/types.h in linux/cpuhotplug.h commit aaed4d0bddaef70640fa8ac0d52a380e2d3c6101 Merge: d4690f1 5eb0d6e Author: Linus Torvalds Date: Sun Sep 18 11:08:00 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "Two patches from Boris which address a potential deadlock in the atmel irq chip driver" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/atmel-aic: Fix potential deadlock in ->xlate() genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers commit 8e4b72054f554967827e18be1de0e8122e6efc04 Author: Guenter Roeck Date: Sat Sep 17 12:57:24 2016 -0700 openrisc: fix the fix of copy_from_user() Since commit acb2505d0119 ("openrisc: fix copy_from_user()"), copy_from_user() returns the number of bytes requested, not the number of bytes not copied. Cc: Al Viro Fixes: acb2505d0119 ("openrisc: fix copy_from_user()") Signed-off-by: Guenter Roeck arch/openrisc/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 65c0044ca8d7c7bbccae37f0ff2972f0210e9f41 Author: Guenter Roeck Date: Sat Sep 17 07:52:49 2016 -0700 avr32: fix 'undefined reference to `___copy_from_user' avr32 builds fail with: arch/avr32/kernel/built-in.o: In function `arch_ptrace': (.text+0x650): undefined reference to `___copy_from_user' arch/avr32/kernel/built-in.o:(___ksymtab+___copy_from_user+0x0): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_doulongvec_ms_jiffies_minmax': (.text+0x5dd8): undefined reference to `___copy_from_user' kernel/built-in.o: In function `proc_dointvec_minmax_sysadmin': sysctl.c:(.text+0x6174): undefined reference to `___copy_from_user' kernel/built-in.o: In function `ptrace_has_cap': ptrace.c:(.text+0x69c0): undefined reference to `___copy_from_user' kernel/built-in.o:ptrace.c:(.text+0x6b90): more undefined references to `___copy_from_user' follow Fixes: 8630c32275ba ("avr32: fix copy_from_user()") Cc: Al Viro Acked-by: Havard Skinnemoen Acked-by: Hans-Christian Noren Egtvedt Signed-off-by: Guenter Roeck arch/avr32/lib/copy_user.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b05984e21a7e000bf5074ace00d7a574944b2c16 Author: Marek Szyprowski Date: Wed Aug 31 14:55:57 2016 +0200 drm/exynos: g2d: fix system and runtime pm integration Move code from system sleep pm to runtime pm callbacks to ensure proper driver state preservation when device is under power domain. Then, use generic helpers for using runtime pm for system sleep pm. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_g2d.c | 29 +++++++---------------------- 1 file changed, 7 insertions(+), 22 deletions(-) commit 5b67723e6096f5470f361656cd108430d3b12c67 Author: Marek Szyprowski Date: Wed Aug 31 14:55:56 2016 +0200 drm/exynos: rotator: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_rotator.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) commit 83bd7b20aaf499030bf857ef64de3c19309b107d Author: Marek Szyprowski Date: Wed Aug 31 14:55:55 2016 +0200 drm/exynos: gsc: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_gsc.c | 29 ++--------------------------- 1 file changed, 2 insertions(+), 27 deletions(-) commit 479f12545460809cfc9093d90d6ed82d76388e97 Author: Marek Szyprowski Date: Wed Aug 31 14:55:54 2016 +0200 drm/exynos: fimc: fix system and runtime pm integration Use generic helpers instead of open-coding usage of runtime pm for system sleep pm, which was potentially broken for some corner cases. Signed-off-by: Marek Szyprowski Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_fimc.c | 29 ++--------------------------- 1 file changed, 2 insertions(+), 27 deletions(-) commit 6244bd651236d86f59387d43c531b5f942a92b38 Author: Shuah Khan Date: Mon Aug 8 17:48:20 2016 -0600 exynos-drm: Fix unsupported GEM memory type error message to be clear Fix unsupported GEM memory type error message to include the memory type information. Signed-off-by: Shuah Khan Signed-off-by: Inki Dae drivers/gpu/drm/exynos/exynos_drm_fb.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Author: Al Viro Date: Fri Sep 16 00:11:45 2016 +0100 fix iov_iter_fault_in_readable() ... by turning it into what used to be multipages counterpart Cc: stable@vger.kernel.org Signed-off-by: Al Viro Signed-off-by: Linus Torvalds include/linux/uio.h | 2 +- lib/iov_iter.c | 24 ++---------------------- 2 files changed, 3 insertions(+), 23 deletions(-) commit f32a10df2ed6b87a10c1ca11757b0bbb035486a4 Merge: baf009f df804d5 Author: Linus Torvalds Date: Sat Sep 17 12:59:57 2016 -0700 Merge tag 'mmc-v4.8-rc6' of git://git.linaro.org/people/ulf.hansson/mmc Pull MMC fixes from Ulf Hansson: "MMC host: - omap/omap_hsmmc: Initialize dma_slave_config to avoid random data - sdhci-st: Handle interconnect clock" * tag 'mmc-v4.8-rc6' of git://git.linaro.org/people/ulf.hansson/mmc: mmc: omap: Initialize dma_slave_config to avoid random data in it's fields mmc: omap_hsmmc: Initialize dma_slave_config to avoid random data mmc: sdhci-st: Handle interconnect clock dt-bindings: mmc: sdhci-st: Mention the discretionary "icn" clock commit baf009f92731c0fc1f036d8b7dba3bf5bb2c2a5e Merge: 4d2899d ed7d9a1 Author: Linus Torvalds Date: Sat Sep 17 12:52:01 2016 -0700 Merge tag 'powerpc-4.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Fixes for code merged this cycle: - Fix restore of SPRs upon wake up from hypervisor state loss from Gautham R Shenoy - Fix the state of root PE from Gavin Shan - Detach from PE on releasing PCI device from Gavin Shan - Fix size of NUM_CPU_FTR_KEYS on 32-bit - Fix missed TCE invalidations that should fallback to OPAL" * tag 'powerpc-4.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/powernv/pci: Fix missed TCE invalidations that should fallback to OPAL powerpc/powernv: Detach from PE on releasing PCI device powerpc/powernv: Fix the state of root PE powerpc/kernel: Fix size of NUM_CPU_FTR_KEYS on 32-bit powerpc/powernv: Fix restore of SPRs upon wake up from hypervisor state loss commit 37dd348270c1a48f0234354a06c0ce052b6c85b1 Author: Ivan Vecera Date: Thu Sep 15 22:47:52 2016 +0200 bna: fix crash in bnad_get_strings() Commit 6e7333d "net: add rx_nohandler stat counter" added the new entry rx_nohandler into struct rtnl_link_stats64. Unfortunately the bna driver foolishly depends on the structure. It uses part of it for ethtool statistics and it's not bad but the driver assumes its size is constant as it defines string for each existing entry. The problem occurs when the structure is extended because you need to modify bna driver as well. If not any attempt to retrieve ethtool statistics results in crash in bnad_get_strings(). The patch changes BNAD_ETHTOOL_STATS_NUM so it counts real number of strings in the array and also removes rtnl_link_stats64 entries that are not used in output and are always zero. Fixes: 6e7333d "net: add rx_nohandler stat counter" Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 50 ++++++++++++------------- 1 file changed, 23 insertions(+), 27 deletions(-) commit 2835d2d9e366a2985b24051d228333bfba82f3a7 Author: Ivan Vecera Date: Thu Sep 15 22:47:51 2016 +0200 bna: add missing per queue ethtool stat Commit ba5ca784 "bna: check for dma mapping errors" added besides other things a statistic that counts number of DMA buffer mapping failures per each Rx queue. This counter is not included in ethtool stats output. Fixes: ba5ca784 "bna: check for dma mapping errors" Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller drivers/net/ethernet/brocade/bna/bnad_ethtool.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit db64c5fa590b5d82ac0d5ec39bc498f95094e66b Merge: a071412 54c5ef2 Author: Kalle Valo Date: Sat Sep 17 17:06:22 2016 +0300 Merge tag 'iwlwifi-for-kalle-2016-09-15' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes * fix to prevent firmware crash when sending off-channel frames commit 4496195ddd75c4ad57b783739414e69b7d79843e Author: Marcelo Ricardo Leitner Date: Thu Sep 15 15:02:38 2016 -0300 sctp: fix SSN comparision This function actually operates on u32 yet its paramteres were declared as u16, causing integer truncation upon calling. Note in patch context that ADDIP_SERIAL_SIGN_BIT is already 32 bits. Signed-off-by: Marcelo Ricardo Leitner Acked-by: Neil Horman Signed-off-by: David S. Miller include/net/sctp/sm.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8ab86c00e349cef9fb14719093a7f198bcc72629 Author: phil.turnbull@oracle.com Date: Thu Sep 15 12:41:44 2016 -0400 irda: Free skb on irda_accept error path. skb is not freed if newsk is NULL. Rework the error path so free_skb is unconditionally called on function exit. Fixes: c3ea9fa27413 ("[IrDA] af_irda: IRDA_ASSERT cleanups") Signed-off-by: Phil Turnbull Signed-off-by: David S. Miller net/irda/af_irda.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d Author: Eric Dumazet Date: Thu Sep 15 08:48:46 2016 -0700 net: avoid sk_forward_alloc overflows A malicious TCP receiver, sending SACK, can force the sender to split skbs in write queue and increase its memory usage. Then, when socket is closed and its write queue purged, we might overflow sk_forward_alloc (It becomes negative) sk_mem_reclaim() does nothing in this case, and more than 2GB are leaked from TCP perspective (tcp_memory_allocated is not changed) Then warnings trigger from inet_sock_destruct() and sk_stream_kill_queues() seeing a not zero sk_forward_alloc All TCP stack can be stuck because TCP is under memory pressure. A simple fix is to preemptively reclaim from sk_mem_uncharge(). This makes sure a socket wont have more than 2 MB forward allocated, after burst and idle period. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller include/net/sock.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit ffb4d6c8508657824bcef68a36b2a0f9d8c09d10 Author: Eric Dumazet Date: Thu Sep 15 08:12:33 2016 -0700 tcp: fix overflow in __tcp_retransmit_skb() If a TCP socket gets a large write queue, an overflow can happen in a test in __tcp_retransmit_skb() preventing all retransmits. The flow then stalls and resets after timeouts. Tested: sysctl -w net.core.wmem_max=1000000000 netperf -H dest -- -s 1000000000 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller net/ipv4/tcp_output.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit cce94483e47e8e3d74cf4475dea33f9fd4b6ad9f Author: Filipe Manco Date: Thu Sep 15 17:10:46 2016 +0200 xen-netback: fix error handling on netback_probe() In case of error during netback_probe() (e.g. an entry missing on the xenstore) netback_remove() is called on the new device, which will set the device backend state to XenbusStateClosed by calling set_backend_state(). However, the backend state wasn't initialized by netback_probe() at this point, which will cause and invalid transaction and set_backend_state() to BUG(). Initialize the backend state at the beginning of netback_probe() to XenbusStateInitialising, and create two new valid state transitions on set_backend_state(), from XenbusStateInitialising to XenbusStateClosed, and from XenbusStateInitialising to XenbusStateInitWait. Signed-off-by: Filipe Manco Acked-by: Wei Liu Signed-off-by: David S. Miller drivers/net/xen-netback/xenbus.c | 46 ++++++++++++++++++++++++++-------------- 1 file changed, 30 insertions(+), 16 deletions(-) commit 4d2899d73c4734cd04edb9409a72d0ef637cfb06 Merge: 87ee128 348c1bf Author: Linus Torvalds Date: Fri Sep 16 17:09:48 2016 -0700 Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Small set of cifs fixes" * 'for-next' of git://git.samba.org/sfrench/cifs-2.6: Move check for prefix path to within cifs_get_root() Compare prepaths when comparing superblocks Fix memory leaks in cifs_do_mount() commit 87ee1280ff80e04adf9b36361235eef76cd80301 Merge: 5fbf3e3 bf2c4b6 Author: Linus Torvalds Date: Fri Sep 16 17:00:26 2016 -0700 Merge tag 'nfsd-4.8-2' of git://linux-nfs.org/~bfields/linux Pull nfsd bugfix from Bruce Fields: "Fix a memory corruption bug that I introduced in 4.7" * tag 'nfsd-4.8-2' of git://linux-nfs.org/~bfields/linux: svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") commit 5fbf3e3275a739f93fee9fb32c41e5a018c97b8d Merge: 095f5cf 09cb5b7 Author: Linus Torvalds Date: Fri Sep 16 16:27:30 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc6' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Two sets of i915 fixes, one set of vc4 crasher fixes, and a couple of atmel fixes. Nothing too out there at this stage, though I think some people are holidaying so it's been quiet enough" * tag 'drm-fixes-for-4.8-rc6' of git://people.freedesktop.org/~airlied/linux: drm/i915: Ignore OpRegion panel type except on select machines Revert "drm/i915/psr: Make idle_frames sensible again" drm/i915: Restore lost "Initialized i915" welcome message drm/vc4: mark vc4_bo_cache_purge() static drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB drm/i915: disable 48bit full PPGTT when vGPU is active drm/i915: enable vGPU detection for all drm/atmel-hlcdc: Make ->reset() implementation static drm: atmel-hlcdc: Fix vertical scaling drm/vc4: Allow some more signals to be packed with uniform resets. drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() commit 095f5cfaea5f03db6c6bd7c3bd9aa790a21e797a Merge: dd5a477 7789357 Author: Linus Torvalds Date: Fri Sep 16 16:22:52 2016 -0700 Merge tag 'pm-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "More annotations of tracepoints in the runtime PM framework to prevent RCU from complaining when that code is invoked from the idle path (Paul McKenney)" * tag 'pm-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / runtime: Use _rcuidle for runtime suspend tracepoints commit 09cb5b78af52208afb9f1b194c8a9154df4a4782 Merge: 9929c09 ea90383 Author: Dave Airlie Date: Sat Sep 17 07:57:55 2016 +1000 Merge tag 'drm-vc4-fixes-2016-09-14' of https://github.com/anholt/linux into drm-fixes This pull request brings in a fix for crashes in X on VC4. * tag 'drm-vc4-fixes-2016-09-14' of https://github.com/anholt/linux: drm/vc4: mark vc4_bo_cache_purge() static drm/vc4: Allow some more signals to be packed with uniform resets. commit 9929c09767da8c5936dda6ea6d5054e4c1bc5f6e Merge: 7eebfba ea54ff4 Author: Dave Airlie Date: Sat Sep 17 07:57:21 2016 +1000 Merge tag 'drm-intel-fixes-2016-09-15' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes from Jani. * tag 'drm-intel-fixes-2016-09-15' of git://anongit.freedesktop.org/drm-intel: drm/i915: Ignore OpRegion panel type except on select machines Revert "drm/i915/psr: Make idle_frames sensible again" drm/i915: Restore lost "Initialized i915" welcome message commit dd5a477c7f31a44d9f16b24fbf015611eb13a9f2 Merge: 008f08d e4618d4 Author: Linus Torvalds Date: Fri Sep 16 13:51:42 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "Round three of 4.8 rc fixes. This is likely the last rdma pull request this cycle. The new rxe driver had a few issues (you probably saw the boot bot bug report) and they should be addressed now. There are a couple other fixes here, mainly mlx4. There are still two outstanding issues that need resolved but I don't think their fix will make this kernel cycle. Summary: - Various fixes to rdmavt, ipoib, mlx5, mlx4, rxe" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: IB/rdmavt: Don't vfree a kzalloc'ed memory region IB/rxe: Fix kmem_cache leak IB/rxe: Fix race condition between requester and completer IB/rxe: Fix duplicate atomic request handling IB/rxe: Fix kernel panic in udp_setup_tunnel IB/mlx5: Set source mac address in FTE IB/mlx5: Enable MAD_IFC commands for IB ports only IB/mlx4: Diagnostic HW counters are not supported in slave mode IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV IB/mlx4: Fix code indentation in QP1 MAD flow IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV IB/ipoib: Don't allow MC joins during light MC flush IB/rxe: fix GFP_KERNEL in spinlock context commit 008f08d64a74a71a4ea99533d0520d804048a4a0 Merge: cac4662 6408649 Author: Linus Torvalds Date: Fri Sep 16 12:15:41 2016 -0700 Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Arnd Bergmann: "Here are a couple of bugfixes for v4.8-rc. Most of them have actually been around for a while this time but for some reason didn't get applied early on. The shmobile regulator fix is the only one that isn't completely obvious. Device tree changes: - archtimer interrupts must be level triggered (multiple platforms) - fix for USB and MMC clocks on STiH410 - fix split DT repository in case of raspberry-pi 3 - a new use of skeleton.dtsi on arm64 has crept in after that was removed. defconfig updates: - xilinx vdma has a new Kconfig symbol name - keystone requires CONFIG_NOP_USB_XCEIV since v4.8-rc1 Code fixes: - fix regulator quirk on shmobile - suspend-to-ram regression on EXYNOS Maintainer updates: - Javier Martinez Canillas is now a reviewer for Samsung EXYNOS" * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: ARM: keystone: defconfig: Fix USB configuration arm64: dts: Fix broken architected timer interrupt trigger ARM: multi_v7_defconfig: update XILINX_VDMA ARM64: dts: bcm: Use a symlink to R-Pi dtsi files from arch=arm ARM: dts: Remove use of skeleton.dtsi from bcm283x.dtsi ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) ARM: shmobile: fix regulator quirk for Gen2 ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback MAINTAINERS: Add myself as reviewer for Samsung Exynos support commit cac4662a88702fc9e405ef19c429de375822d77a Merge: 22f6b4d 1a57c28 Author: Linus Torvalds Date: Fri Sep 16 12:08:13 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "Most of this update are fixes primarily discovered from testing on the older StrongARM 1110 and PXA systems, as a result of recent interest from several people in these platforms: - Locomo interrupt handling incorrectly stores the handler data in the chip's private data slot: when Locomo is combined with an interrupt controller who's chip uses the chip private data, this leads to an oops. - SA1111 was missing a call to clk_disable() to clean up after a failed probe. - SA1111 and PCMCIA suspend/resume was broken: The PCMCIA "ds" layer was using the legacy bus suspend/resume methods, which the core PM code is no longer calling as a result of device_pm_check_callbacks() introduced in commit aa8e54b559479 ("PM / sleep: Go direct_complete if driver has no callbacks"). SA1111 was broken due to changes to PCMCIA which makes PCMCIA suspend itself later than the SA1111 code expects, and resume before the SA1111 code has initialised access to the pcmcia sub-device. - the default SA1111 interrupt mask polarity got messed up when it was converted to use a dynamic interrupt base number for its interrupts. - fix platform_get_irq() error code propagation, which was causing problems on platforms where the interrupt may not be available at probe time in DT setups. - fix the lack of clock to PCMCIA code on PXA platforms, which was omitted in conversions of PXA to CCF. - fix an oops in the PXA PCMCIA code caused by a previous commit not realising that Lubbock is different from the rest of the PXA PCMCIA drivers. - ensure that SA1111 low-level PCMCIA drivers propagate their error codes to the main probe function, rather than the driver silently accepting a failure. - fix the sa11xx debugfs reporting of timing information, which always indicated zero due to the clock being a factor of 1000 out. - fix the polarity of the status change signal reported from the sockets. Lastly, one ARM specific commit from Stefan Agner fixing the LPAE cache attributes" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: pxa/lubbock: add pcmcia clock ARM: locomo: fix locomo irq handling ARM: 8612/1: LPAE: initialize cache policy correctly ARM: sa1111: fix missing clk_disable() ARM: sa1111: fix pcmcia suspend/resume ARM: sa1111: fix pcmcia interrupt mask polarity ARM: sa1111: fix error code propagation in sa1111_probe() pcmcia: lubbock: fix sockets configuration pcmcia: sa1111: fix propagation of lowlevel board init return code pcmcia: soc_common: fix SS_STSCHG polarity pcmcia: sa11xx_base: add units to the timing information pcmcia: sa11xx_base: fix reporting of timing information pcmcia: ds: fix suspend/resume commit e4618d40eb3dc1a6d1f55f7150ea25bb23ab410a Author: Colin Ian King Date: Fri Sep 9 08:15:37 2016 +0100 IB/rdmavt: Don't vfree a kzalloc'ed memory region The userspace memory region 'mr' is allocated with kzalloc in __rvt_alloc_mr however it is incorrectly being freed with vfree in __rvt_free_mr. Fix this by using kfree to free it. Signed-off-by: Colin Ian King Reviewed-by: Leon Romanovsky Acked-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/sw/rdmavt/mr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c1cc72cb6ff95cbe02ed747866576dccab4a5911 Author: Yonatan Cohen Date: Wed Sep 7 14:04:07 2016 +0300 IB/rxe: Fix kmem_cache leak Decrement qp reference when handling error path in completer to prevent kmem_cache leak. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_comp.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) commit 3050b99850247695cb07a5c15265afcc08bcf400 Author: Yonatan Cohen Date: Wed Sep 7 14:04:06 2016 +0300 IB/rxe: Fix race condition between requester and completer rxe_requester() is sending a pkt with rxe_xmit_packet() and then calls rxe_update() to update the wqe and qp's psn values. But sometimes the response is received before the requester had time to update the wqe in which case the completer acts on errornous wqe values. This fix updates the wqe and qp before actually sending the request and rolls back when xmit fails. Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_req.c | 57 ++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 13 deletions(-) commit 908948877bbbb240f67d7eb27d3a392beb394a07 Author: Yonatan Cohen Date: Wed Sep 7 14:04:05 2016 +0300 IB/rxe: Fix duplicate atomic request handling When handling ack for atomic opcodes like "fetch&add" or "cmp&swp", the method send_atomic_ack() saves the ack before sending it, in case it gets lost and never reach the requester. In which case the method duplicate_request() will need to find it using the duplicated request.psn. But send_atomic_ack() used a wrong psn value and thus the above ack was never found. This fix uses the ack.psn to locate the ack in case its needed. This fix also copies the ack packet to the skb's control buffer since duplicate_request() will need it when calling rxe_xmit_packet() Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_resp.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) commit dfdd6158ca2c8838313470c5ab79243d04da70b2 Author: Yonatan Cohen Date: Wed Sep 7 14:04:04 2016 +0300 IB/rxe: Fix kernel panic in udp_setup_tunnel Disable creation of a UDP socket for ipv6 when CONFIG_IPV6 is not enabeld. Since udp_sock_create6() returns 0 when CONFIG_IPV6 is not set [ 46.888632] IP: [] setup_udp_tunnel_sock+0x6/0x4f [ 46.891355] *pdpt = 0000000000000000 *pde = f000ff53f000ff53 [ 46.893918] Oops: 0002 [#1] PREEMPT [ 46.896014] CPU: 0 PID: 1 Comm: swapper Not tainted 4.7.0-rc4-00001-g8700e3e #1 [ 46.900280] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014 [ 46.904905] task: cf06c040 ti: cf05e000 task.ti: cf05e000 [ 46.907854] EIP: 0060:[] EFLAGS: 00210246 CPU: 0 [ 46.911137] EIP is at setup_udp_tunnel_sock+0x6/0x4f [ 46.914070] EAX: 00000044 EBX: 00000001 ECX: cf05fef0 EDX: ca8142e0 [ 46.917236] ESI: c2c4505b EDI: cf05fef0 EBP: cf05fed0 ESP: cf05fed0 [ 46.919836] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 46.922046] CR0: 80050033 CR2: 000001fc CR3: 02cec000 CR4: 000006b0 [ 46.924550] Stack: [ 46.926014] cf05ff10 c1fd4657 ca8142e0 0000000a 00000000 00000000 0000b712 00000008 [ 46.931274] 00000000 6bb5bd01 c1fd48de 00000000 00000000 cf05ff1c 00000000 00000000 [ 46.936122] cf05ff1c c1fd4bdf 00000000 cf05ff28 c2c4507b ffffffff cf05ff88 c2bf1c74 [ 46.942350] Call Trace: [ 46.944403] [] rxe_setup_udp_tunnel+0x8f/0x99 [ 46.947689] [] ? net_to_rxe+0x4e/0x4e [ 46.950567] [] rxe_net_init+0xe/0xa4 [ 46.953147] [] rxe_module_init+0x20/0x4c [ 46.955448] [] do_one_initcall+0x89/0x113 [ 46.957797] [] ? set_debug_rodata+0xf/0xf [ 46.959966] [] ? kernel_init_freeable+0xbe/0x15b [ 46.962262] [] kernel_init_freeable+0xde/0x15b [ 46.964418] [] kernel_init+0x8/0xd0 [ 46.966618] [] ret_from_kernel_thread+0xe/0x24 [ 46.969592] [] ? rest_init+0x6f/0x6f Fixes: 8700e3e7c485 ("Soft RoCE driver") Signed-off-by: Yonatan Cohen Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe.c | 25 +++++++++++++++-- drivers/infiniband/sw/rxe/rxe_net.c | 55 +++++++++++++++++-------------------- drivers/infiniband/sw/rxe/rxe_net.h | 5 +++- 3 files changed, 51 insertions(+), 34 deletions(-) commit ee3da804ad1b1dd4c766199a6e8443542b0aaaef Author: Maor Gottlieb Date: Mon Sep 12 19:16:24 2016 +0300 IB/mlx5: Set source mac address in FTE Set the source mac address in the FTE when L2 specification is provided. Fixes: 038d2ef87572 ('IB/mlx5: Add flow steering support') Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 7fae6655a0c897875bd34501ec092232b526d3e4 Author: Noa Osherovich Date: Mon Sep 12 19:16:23 2016 +0300 IB/mlx5: Enable MAD_IFC commands for IB ports only MAD_IFC command is supported only for physical functions (PF) and when physical port is IB. The proposed fix enforces it. Fixes: d603c809ef91 ("IB/mlx5: Fix decision on using MAD_IFC") Reported-by: David Chang Signed-off-by: Noa Osherovich Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 69d269d38910e697e461ec5677368f57d2046cbe Author: Kamal Heib Date: Mon Sep 12 19:16:22 2016 +0300 IB/mlx4: Diagnostic HW counters are not supported in slave mode Modify the mlx4_ib_diag_counters() to avoid the following error in the hypervisor when the slave tries to query the hardware counters in SR-IOV mode. mlx4_core 0000:81:00.0: Unknown command:0x30 accepted from slave:1 Fixes: 3f85f2aaabf7 ("IB/mlx4: Add diagnostic hardware counters") Signed-off-by: Kamal Heib Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/main.c | 3 +++ 1 file changed, 3 insertions(+) commit 8ec07bf8a8b57d6c58927a16a0a22c0115cf2855 Author: Jack Morgenstein Date: Mon Sep 12 19:16:20 2016 +0300 IB/mlx4: Use correct subnet-prefix in QP1 mads under SR-IOV When sending QP1 MAD packets which use a GRH, the source GID (which consists of the 64-bit subnet prefix, and the 64 bit port GUID) must be included in the packet GRH. For SR-IOV, a GID cache is used, since the source GID needs to be the slave's source GID, and not the Hypervisor's GID. This cache also included a subnet_prefix. Unfortunately, the subnet_prefix field in the cache was never initialized (to the default subnet prefix 0xfe80::0). As a result, this field remained all zeroes. Therefore, when SR-IOV was active, all QP1 packets which included a GRH had a source GID subnet prefix of all-zeroes. However, the subnet-prefix should initially be 0xfe80::0 (the default subnet prefix). In addition, if OpenSM modifies a port's subnet prefix, the new subnet prefix must be used in the GRH when sending QP1 packets. To fix this we now initialize the subnet prefix in the SR-IOV GID cache to the default subnet prefix. We update the cached value if/when OpenSM modifies the port's subnet prefix. We take this cached value when sending QP1 packets when SR-IOV is active. Note that the value is stored as an atomic64. This eliminates any need for locking when the subnet prefix is being updated. Note also that we depend on the FW generating the "port management change" event for tracking subnet-prefix changes performed by OpenSM. If running early FW (before 2.9.4630), subnet prefix changes will not be tracked (but the default subnet prefix still will be stored in the cache; therefore users who do not modify the subnet prefix will not have a problem). IF there is a need for such tracking also for early FW, we will add that capability in a subsequent patch. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/mad.c | 23 +++++++++++++++++++++++ drivers/infiniband/hw/mlx4/mlx4_ib.h | 2 +- drivers/infiniband/hw/mlx4/qp.c | 5 +++-- 3 files changed, 27 insertions(+), 3 deletions(-) commit baa0be7026e2f7d1d40bfd45909044169e9e3c68 Author: Jack Morgenstein Date: Mon Sep 12 19:16:19 2016 +0300 IB/mlx4: Fix code indentation in QP1 MAD flow The indentation in the QP1 GRH flow in procedure build_mlx_header is really confusing. Fix it, in preparation for a commit which touches this code. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/qp.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) commit e5ac40cd66c2f3cd11bc5edc658f012661b16347 Author: Alex Vesker Date: Mon Sep 12 19:16:18 2016 +0300 IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV Because of an incorrect bit-masking done on the join state bits, when handling a join request we failed to detect a difference between the group join state and the request join state when joining as send only full member (0x8). This caused the MC join request not to be sent. This issue is relevant only when SRIOV is enabled and SM supports send only full member. This fix separates scope bits and join states bits a nibble each. Fixes: b9c5d6a64358 ('IB/mlx4: Add multicast group (MCG) paravirtualization for SR-IOV') Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/mcg.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 344bacca8cd811809fc33a249f2738ab757d327f Author: Alex Vesker Date: Mon Sep 12 09:55:28 2016 +0300 IB/ipoib: Don't allow MC joins during light MC flush This fix solves a race between light flush and on the fly joins. Light flush doesn't set the device to down and unset IPOIB_OPER_UP flag, this means that if while flushing we have a MC join in progress and the QP was attached to BC MGID we can have a mismatches when re-attaching a QP to the BC MGID. The light flush would set the broadcast group to NULL causing an on the fly join to rejoin and reattach to the BC MCG as well as adding the BC MGID to the multicast list. The flush process would later on remove the BC MGID and detach it from the QP. On the next flush the BC MGID is present in the multicast list but not found when trying to detach it because of the previous double attach and single detach. [18332.714265] ------------[ cut here ]------------ [18332.717775] WARNING: CPU: 6 PID: 3767 at drivers/infiniband/core/verbs.c:280 ib_dealloc_pd+0xff/0x120 [ib_core] ... [18332.775198] Hardware name: Red Hat KVM, BIOS Bochs 01/01/2011 [18332.779411] 0000000000000000 ffff8800b50dfbb0 ffffffff813fed47 0000000000000000 [18332.784960] 0000000000000000 ffff8800b50dfbf0 ffffffff8109add1 0000011832f58300 [18332.790547] ffff880226a596c0 ffff880032482000 ffff880032482830 ffff880226a59280 [18332.796199] Call Trace: [18332.798015] [] dump_stack+0x63/0x8c [18332.801831] [] __warn+0xd1/0xf0 [18332.805403] [] warn_slowpath_null+0x1d/0x20 [18332.809706] [] ib_dealloc_pd+0xff/0x120 [ib_core] [18332.814384] [] ipoib_transport_dev_cleanup+0xfc/0x1d0 [ib_ipoib] [18332.820031] [] ipoib_ib_dev_cleanup+0x98/0x110 [ib_ipoib] [18332.825220] [] ipoib_dev_cleanup+0x2d8/0x550 [ib_ipoib] [18332.830290] [] ipoib_uninit+0x2f/0x40 [ib_ipoib] [18332.834911] [] rollback_registered_many+0x1aa/0x2c0 [18332.839741] [] rollback_registered+0x31/0x40 [18332.844091] [] unregister_netdevice_queue+0x48/0x80 [18332.848880] [] ipoib_vlan_delete+0x1fb/0x290 [ib_ipoib] [18332.853848] [] delete_child+0x7d/0xf0 [ib_ipoib] [18332.858474] [] dev_attr_store+0x18/0x30 [18332.862510] [] sysfs_kf_write+0x3a/0x50 [18332.866349] [] kernfs_fop_write+0x120/0x170 [18332.870471] [] __vfs_write+0x28/0xe0 [18332.874152] [] ? percpu_down_read+0x1f/0x50 [18332.878274] [] vfs_write+0xa2/0x1a0 [18332.881896] [] SyS_write+0x46/0xa0 [18332.885632] [] do_syscall_64+0x57/0xb0 [18332.889709] [] entry_SYSCALL64_slow_path+0x25/0x25 [18332.894727] ---[ end trace 09ebbe31f831ef17 ]--- Fixes: ee1e2c82c245 ("IPoIB: Refresh paths instead of flushing them on SM change events") Signed-off-by: Alex Vesker Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib_ib.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 5e102b3b4fa944815aead89e63eec2a35069a07b Author: Alexey Khoroshilov Date: Fri Sep 2 23:46:53 2016 +0300 IB/rxe: fix GFP_KERNEL in spinlock context There is skb_clone(skb, GFP_KERNEL) in spinlock context in rxe_rcv_mcast_pkt(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Acked-by: Moni Shoua Signed-off-by: Doug Ledford drivers/infiniband/sw/rxe/rxe_recv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e06226e66beafd6118aa81b511d88cb549ad7ea5 Merge: 08c5cd3 f190fd9 Author: Greg Kroah-Hartman Date: Fri Sep 16 17:42:10 2016 +0200 Merge tag 'usb-serial-4.8-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for v4.8-rc7 Here's another Infineon flashloader device id. Signed-off-by: Johan Hovold commit 8a15b81741879fa89601b03c0e50b0d780d65bc0 Author: Wei Yongjun Date: Fri Sep 16 13:02:37 2016 +0000 cpuset: fix non static symbol warning Fixes the following sparse warning: kernel/cpuset.c:2088:6: warning: symbol 'cpuset_fork' was not declared. Should it be static? Signed-off-by: Wei Yongjun Signed-off-by: Tejun Heo kernel/cpuset.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6408649115cfd73d6807398d04b2ba564db9211e Merge: a680588 b030485 Author: Arnd Bergmann Date: Fri Sep 16 16:29:48 2016 +0200 Merge tag 'samsung-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into fixes Pull "ARM: exynos: Fixes for v4.8, secound round" from Krzysztof Kozłowski: 1. A recent change in populating irqchip devices from Device Tree broke Suspend to RAM on Exynos boards due to lack of probing of PMU (Power Management Unit) driver. Multiple drivers attach to the PMU's DT node: irqchip, clock controller and PMU platform driver for handling suspend. The new irqchip code marked the PMU's DT node as OF_POPULATED but we need to attach to this node also PMU platform driver. 2. Add Javier as additional reviewer for Exynos patches. * tag 'samsung-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback MAINTAINERS: Add myself as reviewer for Samsung Exynos support commit 08c5cd37480f59ea39682f4585d92269be6b1424 Author: Alan Stern Date: Fri Sep 16 10:24:26 2016 -0400 USB: change bInterval default to 10 ms Some full-speed mceusb infrared transceivers contain invalid endpoint descriptors for their interrupt endpoints, with bInterval set to 0. In the past they have worked out okay with the mceusb driver, because the driver sets the bInterval field in the descriptor to 1, overwriting whatever value may have been there before. However, this approach was never sanctioned by the USB core, and in fact it does not work with xHCI controllers, because they use the bInterval value that was present when the configuration was installed. Currently usbcore uses 32 ms as the default interval if the value in the endpoint descriptor is invalid. It turns out that these IR transceivers don't work properly unless the interval is set to 10 ms or below. To work around this mceusb problem, this patch changes the endpoint-descriptor parsing routine, making the default interval value be 10 ms rather than 32 ms. Signed-off-by: Alan Stern Tested-by: Wade Berrier CC: Signed-off-by: Greg Kroah-Hartman drivers/usb/core/config.c | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) commit ed3d6d0ac036bcff6e4649a6f8fb987bb4e34444 Author: Tony Lindgren Date: Fri Sep 16 09:24:44 2016 -0500 usb: musb: Fix tusb6010 compile error on blackfin We have CONFIG_BLACKFIN ifdef redefining all musb registers in musb_regs.h and tusb6010.h is never included causing a build error with blackfin-allmodconfig and COMPILE_TEST. Let's fix the issue by not building tusb6010 if CONFIG_BLACKFIN is selected. Reported-by: kbuild test robot Signed-off-by: Tony Lindgren Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 080fe0b790ad438fc1b61621dac37c1964ce7f35 Author: Matt Fleming Date: Wed Aug 24 14:12:08 2016 +0100 perf/x86/amd: Make HW_CACHE_REFERENCES and HW_CACHE_MISSES measure L2 While the Intel PMU monitors the LLC when perf enables the HW_CACHE_REFERENCES and HW_CACHE_MISSES events, these events monitor L1 instruction cache fetches (0x0080) and instruction cache misses (0x0081) on the AMD PMU. This is extremely confusing when monitoring the same workload across Intel and AMD machines, since parameters like, $ perf stat -e cache-references,cache-misses measure completely different things. Instead, make the AMD PMU measure instruction/data cache and TLB fill requests to the L2 and instruction/data cache and TLB misses in the L2 when HW_CACHE_REFERENCES and HW_CACHE_MISSES are enabled, respectively. That way the events measure unified caches on both platforms. Signed-off-by: Matt Fleming Acked-by: Peter Zijlstra Cc: Cc: Borislav Petkov Cc: Linus Torvalds Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1472044328-21302-1-git-send-email-matt@codeblueprint.co.uk Signed-off-by: Ingo Molnar arch/x86/events/amd/core.c | 4 ++-- arch/x86/kvm/pmu_amd.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) commit 42857cf512cb34c2c8cb50f1e766689d979d64e0 Author: Phil Turnbull Date: Thu Sep 15 12:20:12 2016 -0400 configfs: Return -EFBIG from configfs_write_bin_file. The check for writing more than cb_max_size bytes does not 'goto out' so it is a no-op which allows users to vmalloc an arbitrary amount. Fixes: 03607ace807b ("configfs: implement binary attributes") Cc: stable@kernel.org Signed-off-by: Phil Turnbull Signed-off-by: Christoph Hellwig fs/configfs/file.c | 1 + 1 file changed, 1 insertion(+) commit 1155bafcb79208abc6ae234c6e135ac70607755c Author: Alexander Shishkin Date: Thu Sep 15 18:13:52 2016 +0300 perf/x86/intel/pt: Do validate the size of a kernel address filter Right now, the kernel address filters in PT are prone to integer overflow that may happen in adding filter's size to its offset to obtain the end of the range. Such an overflow would also throw a #GP in the PT event configuration path. Fix this by explicitly validating the result of this calculation. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit ddfdad991e55b65c1cc4ee29502f6dceee04455a Author: Alexander Shishkin Date: Thu Sep 15 18:13:51 2016 +0300 perf/x86/intel/pt: Fix kernel address filter's offset validation The kernel_ip() filter is used mostly by the DS/LBR code to look at the branch addresses, but Intel PT also uses it to validate the address filter offsets for kernel addresses, for which it is not sufficient: supplying something in bits 64:48 that's not a sign extension of the lower address bits (like 0xf00d000000000000) throws a #GP. This patch adds address validation for the user supplied kernel filters. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 95f60084acbcee6c466256cf26eb52191fad9edc Author: Alexander Shishkin Date: Thu Sep 15 18:13:50 2016 +0300 perf/x86/intel/pt: Fix an off-by-one in address filter configuration PT address filter configuration requires that a range is specified by its first and last address, but at the moment we're obtaining the end of the range by adding user specified size to its start, which is off by one from what it actually needs to be. Fix this and make sure that zero-sized filters don't pass the filter validation. Reported-by: Adrian Hunter Signed-off-by: Alexander Shishkin Acked-by: Peter Zijlstra Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org # v4.7 Cc: stable@vger.kernel.org#v4.7 Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915151352.21306-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/pt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4253ef8f6f81405e65304eef5a5b182c32dec915 Merge: bc6c03f 732a59c Author: David S. Miller Date: Fri Sep 16 04:29:18 2016 -0400 Merge branch 'qeth-fixes' Ursula Braun says: ==================== 390: qeth patches here are several fixes for the s390 qeth driver, built for net. ==================== Signed-off-by: David S. Miller commit 732a59cb6e7faed7a40da6665a517945c95fc895 Author: Thomas Richter Date: Thu Sep 15 14:39:27 2016 +0200 s390/qeth: fix setting VIPA address commit 5f78e29ceebf ("qeth: optimize IP handling in rx_mode callback") restructured the internal address handling. This work broke setting a virtual IP address. The command echo 10.1.1.1 > /sys/bus/ccwgroup/devices//vipa/add4 fails with file exist error even if the IP address has not been set before. It turned out that the search result for the IP address search is handled incorrectly in the VIPA case. This patch fixes the setting of an virtual IP address. Signed-off-by: Thomas Richter Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_main.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5722963a8e83309dad831cf6968c4c805aa342c0 Author: Ursula Braun Date: Thu Sep 15 14:39:26 2016 +0200 qeth: do not turn on SG per default According to recent performance measurements, turning on net_device feature NETIF_F_SG only behaves well, but turning on feature NETIF_F_GSO shows bad results. Since the kernel activates NETIF_F_GSO automatically as soon as the driver configures feature NETIF_F_SG, qeth should not activate feature NETIF_F_SG per default, until the qeth problems with NETIF_F_GSO are solved. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l2_main.c | 2 -- drivers/s390/net/qeth_l3_main.c | 1 - 2 files changed, 3 deletions(-) commit 243f750fc6f5d8e4dec984a9a785941c67452b8f Author: Ursula Braun Date: Thu Sep 15 14:39:25 2016 +0200 qeth: do not limit number of gso segments To reduce the need of skb_linearize() calls, gso_max_segs of qeth net_devices had been limited according to the maximum number of qdio SBAL elements. But a gso segment cannot be larger than the mtu-size, while an SBAL element can contain up to 4096 bytes. The gso_max_segs limitation limits the maximum packet size given to the qeth driver. Performance measurements with tso-enabled qeth network interfaces and mtu-size 1500 showed, that the disadvantage of smaller packets is much more severe than the advantage of fewer skb_linearize() calls. This patch gets rid of the gso_max_segs limitations in the qeth driver. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l2_main.c | 1 - drivers/s390/net/qeth_l3_main.c | 1 - 2 files changed, 2 deletions(-) commit 903e48531e8b5d414c8f1960eacac24c31f60344 Author: Ursula Braun Date: Thu Sep 15 14:39:24 2016 +0200 qeth: check not more than 16 SBALEs on the completion queue af_iucv socket programs with HiperSockets as transport make use of the qdio completion queue. Running such an af_iucv socket program may result in a crash: [90341.677709] Oops: 0038 ilc:2 [#1] SMP [90341.677743] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.6.0-20160720.0.0e86ec7.5e62689.fc23.s390xperformance #1 [90341.677744] Hardware name: IBM 2964 N96 703 (LPAR) [90341.677746] task: 00000000edb79f00 ti: 00000000edb84000 task.ti: 00000000edb84000 [90341.677748] Krnl PSW : 0704d00180000000 000000000075bc50 (qeth_qdio_input_handler+0x258/0x4e0) [90341.677756] R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3 Krnl GPRS: 000003d10391e900 0000000000000001 00000000e61e6000 0000000000000005 [90341.677759] 0000000000a9e6ec 5420040001a77400 0000000000000001 000000000000006f [90341.677761] 00000000e0d83f00 0000000000000003 0000000000000010 5420040001a77400 [90341.677784] 000000007ba8b000 0000000000943fd0 000000000075bc4e 00000000ed3b3c10 [90341.677793] Krnl Code: 000000000075bc42: e320cc180004 lg %r2,3096(%r12) 000000000075bc48: c0e5ffffc5cc brasl %r14,7547e0 #000000000075bc4e: 1816 lr %r1,%r6 >000000000075bc50: ba19b008 cs %r1,%r9,8(%r11) 000000000075bc54: ec180041017e cij %r1,1,8,75bcd6 000000000075bc5a: 5810b008 l %r1,8(%r11) 000000000075bc5e: ec16005c027e cij %r1,2,6,75bd16 000000000075bc64: 5090b008 st %r9,8(%r11) [90341.677807] Call Trace: [90341.677810] ([<000000000075bbc0>] qeth_qdio_input_handler+0x1c8/0x4e0) [90341.677812] ([<000000000070efbc>] qdio_kick_handler+0x124/0x2a8) [90341.677814] ([<0000000000713570>] __tiqdio_inbound_processing+0xf0/0xcd0) [90341.677818] ([<0000000000143312>] tasklet_action+0x92/0x120) [90341.677823] ([<00000000008b6e72>] __do_softirq+0x112/0x308) [90341.677824] ([<0000000000142bce>] irq_exit+0xd6/0xf8) [90341.677829] ([<000000000010b1d2>] do_IRQ+0x6a/0x88) [90341.677830] ([<00000000008b6322>] io_int_handler+0x112/0x220) [90341.677832] ([<0000000000102b2e>] enabled_wait+0x56/0xa8) [90341.677833] ([<0000000000000000>] (null)) [90341.677835] ([<0000000000102e32>] arch_cpu_idle+0x32/0x48) [90341.677838] ([<000000000018a126>] cpu_startup_entry+0x266/0x2b0) [90341.677841] ([<0000000000113b38>] smp_start_secondary+0x100/0x110) [90341.677843] ([<00000000008b68a6>] restart_int_handler+0x62/0x78) [90341.677845] ([<00000000008b6588>] psw_idle+0x3c/0x40) [90341.677846] Last Breaking-Event-Address: [90341.677848] [<00000000007547ec>] qeth_dbf_longtext+0xc/0xc0 [90341.677849] [90341.677850] Kernel panic - not syncing: Fatal exception in interrupt qeth_qdio_cq_handler() analyzes SBALs on this completion queue, but does not observe the limit of 16 SBAL elements per SBAL. This patch adds the additional check to process not more than 16 SBAL elements. Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_core_main.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a7531c1cc09855df5e33ceefe4fdfc2d74ccab19 Author: Ursula Braun Date: Thu Sep 15 14:39:23 2016 +0200 s390/qeth: allow hsuid configuration in DOWN state The qeth IP address mapping logic has been reworked recently. It causes now problems to specify qeth sysfs attribute "hsuid" in DOWN state, which is allowed. Postpone registering or deregistering of IP-addresses in this case. Signed-off-by: Ursula Braun Reviewed-by: Thomas Richter Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_main.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) commit 016930b88a1d6eb6e6b3287d593e13ca06986acc Author: Ursula Braun Date: Thu Sep 15 14:39:22 2016 +0200 s390/qeth: use ip_lock for hsuid configuration qeth_l3_dev_hsuid_store() changes the ip hash table, which requires the ip_lock. Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_l3_sys.c | 5 +++++ 1 file changed, 5 insertions(+) commit e830baa9c3f0023769ba9aab19eb44c892769d87 Author: Hans Wippel Date: Thu Sep 15 14:39:21 2016 +0200 qeth: restore device features after recovery After device recovery, only a basic set of network device features is enabled on the device. If features like checksum offloading or TSO were enabled by the user before the recovery, this results in a mismatch between the network device features, that the kernel assumes to be enabled on the device, and the features actually enabled on the device. This patch tries to restore previously set features, that require changes on the device, after the recovery of a device. In case of an error, the network device's features are changed to contain only the features that are actually turned on. Signed-off-by: Hans Wippel Signed-off-by: Ursula Braun Signed-off-by: David S. Miller drivers/s390/net/qeth_core.h | 1 + drivers/s390/net/qeth_core_main.c | 29 +++++++++++++++++++++++++++++ drivers/s390/net/qeth_l2_main.c | 3 +++ drivers/s390/net/qeth_l3_main.c | 1 + 4 files changed, 34 insertions(+) commit bc6c03fa3cacd31b873e36ca16ef9678269deae6 Author: Wei Yongjun Date: Thu Sep 15 03:45:07 2016 +0000 nfp: fix error return code in nfp_net_netdev_open() Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 73725d9dfd99 ("nfp: allocate ring SW structs dynamically") Signed-off-by: Wei Yongjun Acked-by: Jakub Kicinski Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit d6f64d725bac20df66b2eacd847fc41d7a1905e0 Author: Mark Tomlinson Date: Thu Sep 15 11:40:05 2016 +1200 net: VRF: Pass original iif to ip_route_input() The function ip_rcv_finish() calls l3mdev_ip_rcv(). On any VRF except the global VRF, this replaces skb->dev with the VRF master interface. When calling ip_route_input_noref() from here, the checks for forwarding look at this master device instead of the initial ingress interface. This will allow packets to be routed which normally would be dropped. For example, an interface that is not assigned an IP address should drop packets, but because the checking is against the master device, the packet will be forwarded. The fix here is to still call l3mdev_ip_rcv(), but remember the initial net_device. This is passed to the other functions within ip_rcv_finish, so they still see the original interface. Signed-off-by: Mark Tomlinson Acked-by: David Ahern Signed-off-by: David S. Miller net/ipv4/ip_input.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 7106a069f45b15e63d14484e72969e64798e641c Author: Ivan Mikhaylov Date: Wed Sep 14 19:06:45 2016 +0300 net/ibm/emac: add mutex to 'set multicast list' for preventing race conditions within ioctl calls. Signed-off-by: Ivan Mikhaylov Signed-off-by: David S. Miller drivers/net/ethernet/ibm/emac/core.c | 3 +++ 1 file changed, 3 insertions(+) commit 01afd972a737879c1466a12f696601a2ce91ea84 Author: Ivan Mikhaylov Date: Wed Sep 14 19:06:44 2016 +0300 net/ibm/emac: add set mac addr callback add realization for mac address set and remove dummy callback. Signed-off-by: Ivan Mikhaylov Signed-off-by: David S. Miller drivers/net/ethernet/ibm/emac/core.c | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) commit 7077dc415b113ac17a6696c432bad2d66574e4fb Author: Sean Wang Date: Wed Sep 14 21:29:34 2016 +0800 net: ethernet: mediatek: fix module loading automatically based on MODULE_DEVICE_TABLE The device table is required to load modules based on modaliases. After adding MODULE_DEVICE_TABLE, below entries for example will be added to modules.alias: alias of:N*T*Cmediatek,mt7623-ethC* mtk_eth_soc Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 1 + 1 file changed, 1 insertion(+) commit 6777ae8083f132baa4270f40e31776274f989a07 Merge: 2a29282 1e5d343 Author: David S. Miller Date: Fri Sep 16 04:17:33 2016 -0400 Merge tag 'batadv-net-for-davem-20160914' of git://git.open-mesh.org/linux-merge Simon Wunderlich says: ==================== Here are two batman-adv bugfix patches: - Fix reference counting for last_bonding_candidate, by Sven Eckelmann - Fix head room reservation for ELP packets, by Linus Luessing ==================== Signed-off-by: David S. Miller commit 2a292822f00f7409fc0bd6b2d09efc5b8e6c9c5d Author: Sebastian Ott Date: Wed Sep 14 13:09:24 2016 +0200 net/mlx4_en: fix off by one in error handling If an error occurs in mlx4_init_eq_table the index used in the err_out_unmap label is one too big which results in a panic in mlx4_free_eq. This patch fixes the index in the error path. Signed-off-by: Sebastian Ott Reviewed-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/eq.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3e454fd5db5f993a829160cd9783b759a63931af Merge: 440f895 ad5987b Author: David S. Miller Date: Fri Sep 16 01:34:08 2016 -0400 Merge tag 'mac80211-for-davem-2016-09-13' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A few more fixes: * better mesh path fixing, from Thomas * fix TIM IE recalculation after sending frames to a sleeping station, from Felix * fix sequence number assignment while sending frames to a sleeping station, also from Felix * validate number of probe response CSA counter offsets, fixing a copy/paste bug (from myself) ==================== Signed-off-by: David S. Miller commit 778935778c3b88e5152a88765850009006ef2e32 Author: Paul E. McKenney Date: Tue Apr 26 10:42:25 2016 -0700 PM / runtime: Use _rcuidle for runtime suspend tracepoints Further testing with false negatives suppressed by commit 293e2421fe25 ("rcu: Remove superfluous versions of rcu_read_lock_sched_held()") identified a few more unprotected uses of RCU from the idle loop. Because RCU actively ignores idle-loop code (for energy-efficiency reasons, among other things), using RCU from the idle loop can result in too-short grace periods, in turn resulting in arbitrary misbehavior. The affected function is rpm_suspend(). The resulting lockdep-RCU splat is as follows: ------------------------------------------------------------------------ Warning from omap3 =============================== [ INFO: suspicious RCU usage. ] 4.6.0-rc5-next-20160426+ #1112 Not tainted ------------------------------- include/trace/events/rpm.h:63 suspicious rcu_dereference_check() usage! other info that might help us debug this: RCU used illegally from idle CPU! rcu_scheduler_active = 1, debug_locks = 0 RCU used illegally from extended quiescent state! 1 lock held by swapper/0/0: #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __pm_runtime_suspend+0x54/0x84 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1112 Hardware name: Generic OMAP36xx (Flattened Device Tree) [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0xb0/0xe4) [] (dump_stack) from [] (rpm_suspend+0x604/0x7e4) [] (rpm_suspend) from [] (__pm_runtime_suspend+0x64/0x84) [] (__pm_runtime_suspend) from [] (omap2_gpio_prepare_for_idle+0x5c/0x70) [] (omap2_gpio_prepare_for_idle) from [] (omap_sram_idle+0x140/0x244) [] (omap_sram_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) [] (start_kernel) from [<8000807c>] (0x8000807c) ------------------------------------------------------------------------ Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck [ rjw: Subject ] Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 22f6b4d34fcf039c63a94e7670e0da24f8575a5a Author: Jann Horn Date: Fri Sep 16 00:31:22 2016 +0200 aio: mark AIO pseudo-fs noexec This ensures that do_mmap() won't implicitly make AIO memory mappings executable if the READ_IMPLIES_EXEC personality flag is set. Such behavior is problematic because the security_mmap_file LSM hook doesn't catch this case, potentially permitting an attacker to bypass a W^X policy enforced by SELinux. I have tested the patch on my machine. To test the behavior, compile and run this: #define _GNU_SOURCE #include #include #include #include #include #include #include int main(void) { personality(READ_IMPLIES_EXEC); aio_context_t ctx = 0; if (syscall(__NR_io_setup, 1, &ctx)) err(1, "io_setup"); char cmd[1000]; sprintf(cmd, "cat /proc/%d/maps | grep -F '/[aio]'", (int)getpid()); system(cmd); return 0; } In the output, "rw-s" is good, "rwxs" is bad. Signed-off-by: Jann Horn Signed-off-by: Linus Torvalds fs/aio.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 024c7e3756d8a42fc41fe8a9488488b9b09d1dcc Merge: b71dbf1 b0eaf45 Author: Linus Torvalds Date: Thu Sep 15 15:15:41 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fix from Paolo Bonzini: "One fix for an x86 regression in VM migration, mostly visible with Windows because it uses RTC periodic interrupts" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm: x86: correctly reset dest_map->vector when restoring LAPIC state commit b71dbf1032f546bf3efd60fb5d9d0cefd200a508 Author: Darrick J. Wong Date: Wed Sep 14 20:20:44 2016 -0700 vfs: cap dedupe request structure size at PAGE_SIZE Kirill A Shutemov reports that the kernel doesn't try to cap dest_count in any way, and uses the number to allocate kernel memory. This causes high order allocation warnings in the kernel log if someone passes in a big enough value. We should clamp the allocation at PAGE_SIZE to avoid stressing the VM. The two existing users of the dedupe ioctl never send more than 120 requests, so we can safely clamp dest_range at PAGE_SIZE, because with 4k pages we can handle up to 127 dedupe candidates. Given the max extent length of 16MB, we can end up doing 2GB of IO which is plenty. [ Note: the "offsetof()" can't overflow, because 'count' is just a 16-bit integer. That's not obvious in the limited context of the patch, so I'm noting it here because it made me go look. - Linus ] Reported-by: "Kirill A. Shutemov" Signed-off-by: Darrick J. Wong Signed-off-by: Linus Torvalds fs/ioctl.c | 4 ++++ 1 file changed, 4 insertions(+) commit 5297e0f0fe13305a1fc7f01986be0dccd063d57a Author: Darrick J. Wong Date: Wed Sep 14 20:20:00 2016 -0700 vfs: fix return type of ioctl_file_dedupe_range All the VFS functions in the dedupe ioctl path return int status, so the ioctl handler ought to as well. Found by Coverity, CID 1350952. Signed-off-by: Darrick J. Wong Signed-off-by: Linus Torvalds fs/ioctl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 46626600d120dc48ab605265677b858506a81011 Merge: 1c109fa 3bc42f3 Author: Linus Torvalds Date: Thu Sep 15 13:22:59 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A set of fixes for the current series in the realm of block. Like the previous pull request, the meat of it are fixes for the nvme fabrics/target code. Outside of that, just one fix from Gabriel for not doing a queue suspend if we didn't get the admin queue setup in the first place" * 'for-linus' of git://git.kernel.dk/linux-block: nvme-rdma: add back dependency on CONFIG_BLOCK nvme-rdma: fix null pointer dereference on req->mr nvme-rdma: use ib_client API to detect device removal nvme-rdma: add DELETING queue flag nvme/quirk: Add a delay before checking device ready for memblaze device nvme: Don't suspend admin queue that wasn't created nvme-rdma: destroy nvme queue rdma resources on connect failure nvme_rdma: keep a ref on the ctrl during delete/flush iw_cxgb4: block module unload until all ep resources are released iw_cxgb4: call dev_put() on l2t allocation failure commit 1c109fabbd51863475cd12ac206bdd249aee35af Author: Al Viro Date: Thu Sep 15 02:35:29 2016 +0100 fix minor infoleak in get_user_ex() get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak (at most we are leaking uninitialized 64bit value off the kernel stack, and in a fairly constrained situation, at that), but the fix is trivial, so... Cc: stable@vger.kernel.org Signed-off-by: Al Viro [ This sat in different branch from the uaccess fixes since mid-August ] Signed-off-by: Linus Torvalds arch/x86/include/asm/uaccess.h | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit b0eaf4506f5f95d15d6731d72c0ddf4a2179eefa Author: Paolo Bonzini Date: Wed Sep 14 23:39:12 2016 +0200 kvm: x86: correctly reset dest_map->vector when restoring LAPIC state When userspace sends KVM_SET_LAPIC, KVM schedules a check between the vCPU's IRR and ISR and the IOAPIC redirection table, in order to re-establish the IOAPIC's dest_map (the list of CPUs servicing the real-time clock interrupt with the corresponding vectors). However, __rtc_irq_eoi_tracking_restore_one was forgetting to set dest_map->vectors. Because of this, the IOAPIC did not process the real-time clock interrupt EOI, ioapic->rtc_status.pending_eoi got stuck at a non-zero value, and further RTC interrupts were reported to userspace as coalesced. Fixes: 9e4aabe2bb3454c83dac8139cf9974503ee044db Fixes: 4d99ba898dd0c521ca6cdfdde55c9b58aea3cb3d Cc: stable@vger.kernel.org Cc: Joerg Roedel Cc: David Gilbert Reviewed-by: Radim Krčmář Signed-off-by: Paolo Bonzini arch/x86/kvm/ioapic.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 54c5ef2e93ea002dc5dd63349298b2778fe59edb Author: Beni Lev Date: Wed Aug 10 17:03:43 2016 +0300 iwlwifi: mvm: update TX queue before making a copy of the skb Off-channel action frames (such as ANQP frames) must be sent either on the AUX queue or on the offchannel queue, otherwise the firmware will cause a SYSASSERT. In the current implementation, the queue to be used is correctly set in the original skb, but this is done after it is copied. Thus the copy remains with the original, incorrect queue. Fix this by setting the queue in the original skb before copying it. Fixes: commit 5c08b0f5026f ("iwlwifi: mvm: don't override the rate with the AMSDU len") Cc: stable@vger.kernel.org # v4.6+ Signed-off-by: Beni Lev Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) commit 7892a1f64a447b6f65fe2888688883b7c26d81d3 Author: Geert Uytterhoeven Date: Tue Aug 9 12:36:41 2016 -0300 [media] rcar-fcp: Make sure rcar_fcp_enable() returns 0 on success When resuming from suspend-to-RAM on r8a7795/salvator-x: dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe940000.fdp1 failed to resume noirq: error 1 dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe944000.fdp1 failed to resume noirq: error 1 dpm_run_callback(): pm_genpd_resume_noirq+0x0/0x90 returns 1 PM: Device fe948000.fdp1 failed to resume noirq: error 1 According to its documentation, rcar_fcp_enable() returns 0 on success or a negative error code if an error occurs. Hence fdp1_pm_runtime_resume() and vsp1_pm_runtime_resume() forward its return value to their callers. However, rcar_fcp_enable() forwards the return value of pm_runtime_get_sync(), which can actually be 1 on success, leading to the resume failure above. To fix this, consider only negative values returned by pm_runtime_get_sync() to be failures. Fixes: 7b49235e83b2347c ("[media] v4l: Add Renesas R-Car FCP driver") Signed-off-by: Geert Uytterhoeven Reviewed-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab drivers/media/platform/rcar-fcp.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit a6805884e263e82d9fb87bd5f39ad4bb38cde246 Author: Roger Quadros Date: Wed Aug 17 13:44:50 2016 +0300 ARM: keystone: defconfig: Fix USB configuration Simply enabling CONFIG_KEYSTONE_USB_PHY doesn't work anymore as it depends on CONFIG_NOP_USB_XCEIV. We need to enable that as well. This fixes USB on Keystone boards from v4.8-rc1 onwards. Signed-off-by: Roger Quadros Acked-by: Santosh Shilimkar Signed-off-by: Arnd Bergmann arch/arm/configs/keystone_defconfig | 1 + 1 file changed, 1 insertion(+) commit cecf62352aee2b4fe114aafd1b8c5f265a4243ce Author: Alexander Shishkin Date: Thu Sep 15 11:22:33 2016 +0300 perf/x86/intel: Don't disable "intel_bts" around "intel" event batching At the moment, intel_bts events get disabled from intel PMU's disable callback, which includes event scheduling transactions of said PMU, which have nothing to do with intel_bts events. We do want to keep intel_bts events off inside the PMI handler to avoid filling up their buffer too soon. This patch moves intel_bts enabling/disabling directly to the PMI handler. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160915082233.11065-1-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/core.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) commit 85d5313ed717ad60769491c7c072d23bc0a68e7a Author: Johannes Berg Date: Wed Sep 14 11:38:31 2016 +0200 mac80211: reject TSPEC TIDs (TSIDs) for aggregation Since mac80211 doesn't currently support TSIDs 8-15 which can only be used after QoS TSPEC negotiation (and not even after WMM negotiation), reject attempts to set up aggregation sessions for them, which might confuse drivers. In mac80211 we do correctly handle that, but the TSIDs should never get used anyway, and drivers might not be able to handle it. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg net/mac80211/agg-rx.c | 8 +++++++- net/mac80211/agg-tx.c | 3 +++ 2 files changed, 10 insertions(+), 1 deletion(-) commit ed7d9a1d7da6fe7b1c7477dc70e95051583fd60c Author: Michael Ellerman Date: Thu Sep 15 17:03:06 2016 +1000 powerpc/powernv/pci: Fix missed TCE invalidations that should fallback to OPAL In commit f0228c413011 ("powerpc/powernv/pci: Fallback to OPAL for TCE invalidations"), we added logic to fallback to OPAL for doing TCE invalidations if we can't do it in Linux. Ben sent a v2 of the patch, containing these additional call sites, but I had already applied v1 and didn't notice. So fix them now. Fixes: f0228c413011 ("powerpc/powernv/pci: Fallback to OPAL for TCE invalidations") Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 29bf282dec94f6015a675c007614cb29563f1c18 Author: Gavin Shan Date: Tue Sep 6 16:34:01 2016 +1000 powerpc/powernv: Detach from PE on releasing PCI device The PCI hotplug can be part of EEH error recovery. The @pdn and the device's PE number aren't removed and added afterwords. The PE number in @pdn should be set to an invalid one. Otherwise, the PE's device count is decreased on removing devices while failing to be increased on adding devices. It leads to unbalanced PE's device count and make normal PCI hotplug path broken. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 4cea8776571b18db7485930cb422faa739580c8c Merge: 77e5bdf 035ee28 Author: Linus Torvalds Date: Wed Sep 14 14:06:30 2016 -0700 Merge tag 'pci-v4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: "Here are two changes for v4.8. The first fixes a "[Firmware Bug]: reg 0x10: invalid BAR (can't size)" warning on Haswell, and the second fixes a problem in some new runtime suspend functionality we merged for v4.8. Summary: Enumeration: Mark Haswell Power Control Unit as having non-compliant BARs (Bjorn Helgaas) Power management: Fix bridge_d3 update on device removal (Lukas Wunner)" * tag 'pci-v4.8-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI: Fix bridge_d3 update on device removal PCI: Mark Haswell Power Control Unit as having non-compliant BARs commit d20ced23c7a019a9ca6fe69d6d1907bfd8c1a255 Merge: 7ccb8e6 f2a89d3 Author: Arnd Bergmann Date: Wed Sep 14 22:47:36 2016 +0200 Merge branch 'dt/irq-fix' into fixes * dt/irq-fix: arm64: dts: Fix broken architected timer interrupt trigger commit f2a89d3b2b85b90b05453872aaabfdb412a21a03 Author: Marc Zyngier Date: Mon Aug 1 10:54:16 2016 +0100 arm64: dts: Fix broken architected timer interrupt trigger The ARM architected timer specification mandates that the interrupt associated with each timer is level triggered (which corresponds to the "counter >= comparator" condition). A number of DTs are being remarkably creative, declaring the interrupt to be edge triggered. A quick look at the TRM for the corresponding ARM CPUs clearly shows that this is wrong, and I've corrected those. For non-ARM designs (and in the absence of a publicly available TRM), I've made them active low as well, which can't be completely wrong as the GIC cannot disinguish between level low and level high. The respective maintainers are of course welcome to prove me wrong. While I was at it, I took the liberty to fix a couple of related issue, such as some spurious affinity bits on ThunderX, and their complete absence on ls1043a (both of which seem to be related to copy-pasting from other DTs). Acked-by: Duc Dang Acked-by: Carlo Caione Acked-by: Michal Simek Acked-by: Krzysztof Kozlowski Acked-by: Dinh Nguyen Acked-by: Masahiro Yamada Signed-off-by: Marc Zyngier Signed-off-by: Arnd Bergmann arch/arm64/boot/dts/altera/socfpga_stratix10.dtsi | 8 ++++---- arch/arm64/boot/dts/amlogic/meson-gxbb.dtsi | 8 ++++---- arch/arm64/boot/dts/apm/apm-storm.dtsi | 8 ++++---- arch/arm64/boot/dts/broadcom/ns2.dtsi | 8 ++++---- arch/arm64/boot/dts/cavium/thunder-88xx.dtsi | 8 ++++---- arch/arm64/boot/dts/exynos/exynos7.dtsi | 8 ++++---- arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi | 8 ++++---- arch/arm64/boot/dts/freescale/fsl-ls2080a.dtsi | 8 ++++---- arch/arm64/boot/dts/marvell/armada-ap806.dtsi | 8 ++++---- arch/arm64/boot/dts/socionext/uniphier-ph1-ld20.dtsi | 8 ++++---- arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 8 ++++---- 11 files changed, 44 insertions(+), 44 deletions(-) commit 7ccb8e633cfeb7969eba09bbf53346e746bb7f89 Author: Fabian Frederick Date: Mon Aug 15 19:34:44 2016 +0200 ARM: multi_v7_defconfig: update XILINX_VDMA Commit fde57a7c4474 ("dmaengine: xilinx: Rename driver and config") renamed config XILINX_VDMA to config XILINX_DMA Update defconfig accordingly. Signed-off-by: Fabian Frederick Signed-off-by: Arnd Bergmann arch/arm/configs/multi_v7_defconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 77e5bdf9f7b2d20939c8d807f3e68778d6e1557a Merge: b8f26e8 8630c32 Author: Linus Torvalds Date: Wed Sep 14 09:35:05 2016 -0700 Merge branch 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull uaccess fixes from Al Viro: "Fixes for broken uaccess primitives - mostly lack of proper zeroing in copy_from_user()/get_user()/__get_user(), but for several architectures there's more (broken clear_user() on frv and strncpy_from_user() on hexagon)" * 'uaccess-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (28 commits) avr32: fix copy_from_user() microblaze: fix __get_user() microblaze: fix copy_from_user() m32r: fix __get_user() blackfin: fix copy_from_user() sparc32: fix copy_from_user() sh: fix copy_from_user() sh64: failing __get_user() should zero score: fix copy_from_user() and friends score: fix __get_user/get_user s390: get_user() should zero on failure ppc32: fix copy_from_user() parisc: fix copy_from_user() openrisc: fix copy_from_user() nios2: fix __get_user() nios2: copy_from_user() should zero the tail of destination mn10300: copy_from_user() should zero on access_ok() failure... mn10300: failing __get_user() and get_user() should zero mips: copy_from_user() must zero the destination on access_ok() failure ARC: uaccess: get_user to zero out dest in cause of fault ... commit b8f26e880c8166604e0da741eccd9fe6d8e1b9fb Merge: 5924bbe de75abb Author: Linus Torvalds Date: Wed Sep 14 08:42:51 2016 -0700 Merge tag 'for-linus-4.8b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen regression fix from David Vrabel: "Fix SMP boot in arm guests" * tag 'for-linus-4.8b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: arm/xen: fix SMP guests boot commit de75abbe0121a6c3c9c6b04c75300088e57ad1d5 Author: Vitaly Kuznetsov Date: Thu Sep 8 11:48:28 2016 +0200 arm/xen: fix SMP guests boot Commit 88e957d6e47f ("xen: introduce xen_vcpu_id mapping") broke SMP ARM guests on Xen. When FIFO-based event channels are in use (this is the default), evtchn_fifo_alloc_control_block() is called on CPU_UP_PREPARE event and this happens before we set up xen_vcpu_id mapping in xen_starting_cpu. Temporary fix the issue by setting direct Linux CPU id <-> Xen vCPU id mapping for all possible CPUs at boot. We don't currently support kexec/kdump on Xen/ARM so these ids always match. In future, we have several ways to solve the issue, e.g.: - Eliminate all hypercalls from CPU_UP_PREPARE, do them from the starting CPU. This can probably be done for both x86 and ARM and, if done, will allow us to get Xen's idea of vCPU id from CPUID/MPIDR on the starting CPU directly, no messing with ACPI/device tree required. - Save vCPU id information from ACPI/device tree on ARM and use it to initialize xen_vcpu_id mapping. This is the same trick we currently do on x86. Reported-by: Julien Grall Tested-by: Wei Chen Signed-off-by: Vitaly Kuznetsov Acked-by: Stefano Stabellini Signed-off-by: David Vrabel arch/arm/xen/enlighten.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) commit 6cfeaf5125d425043d44002d0a1a8a147be582bf Author: Paul Burton Date: Wed Sep 14 11:00:26 2016 +0100 cpu/hotplug: Include linux/types.h in linux/cpuhotplug.h The linux/cpuhotplug.h header makes use of the bool type, but wasn't including linux/types.h to ensure that type has been defined. Fix this by including linux/types.h in preparation for including linux/cpuhotplug.h in a file that doesn't do so already. Signed-off-by: Paul Burton Cc: linux-mips@linux-mips.org Cc: Richard Cochran Cc: Sebastian Andrzej Siewior Cc: Ralf Baechle Cc: Anna-Maria Gleixner Link: http://lkml.kernel.org/r/20160914100027.20945-1-paul.burton@imgtec.com Signed-off-by: Thomas Gleixner include/linux/cpuhotplug.h | 2 ++ 1 file changed, 2 insertions(+) commit df804d5e27490151da1ce9f216031a31352203e6 Author: Peter Ujfalusi Date: Wed Sep 14 14:21:54 2016 +0300 mmc: omap: Initialize dma_slave_config to avoid random data in it's fields It is wrong to use uninitialized dma_slave_config and configure only certain fields as the DMAengine driver might look at non initialized (random data) fields and tries to interpret it. Signed-off-by: Peter Ujfalusi Signed-off-by: Ulf Hansson drivers/mmc/host/omap.c | 18 ++++++++++-------- 1 file changed, 10 insertions(+), 8 deletions(-) commit e5789608766113ca9c30d596d93ca7d5cbd8b461 Author: Peter Ujfalusi Date: Wed Sep 14 14:22:07 2016 +0300 mmc: omap_hsmmc: Initialize dma_slave_config to avoid random data It is wrong to use uninitialized dma_slave_config and configure only certain fields as the DMAengine driver might look at non initialized (random data) fields and tries to interpret it. Signed-off-by: Peter Ujfalusi Signed-off-by: Ulf Hansson drivers/mmc/host/omap_hsmmc.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit 0b97a484e52cb423662eb98904aad82dafcc1f10 Author: Johannes Berg Date: Wed Sep 14 09:41:34 2016 +0200 mac80211: check skb_linearize() return value The A-MSDU TX code (within TXQs) didn't always check the return value of skb_linearize() properly, resulting in potentially passing a frag- list SKB down to the driver even when it said it can't handle it. Fix that. Fixes: 6e0456b545456 ("mac80211: add A-MSDU tx support") Signed-off-by: Johannes Berg net/mac80211/tx.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 Author: Ville Syrjälä Date: Tue Sep 13 12:22:19 2016 +0300 drm/i915: Ignore OpRegion panel type except on select machines Turns out commit a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details") has regressed quite a few machines. So it looks like we can't use the panel type from OpRegion on all systems, and yet we absolutely must use it on some specific systems. Despite trying, I was unable to find any automagic way to determine if the OpRegion panel type is respectable or not. The only glimmer of hope I had was bit 8 in the SCIC response, but that turned out to not work either (it was always 0 on both types of systems). So, to fix the regressions without breaking the machine we know to need the OpRegion panel type, let's just add a quirk for this. Only specific machines known to require the OpRegion panel type will therefore use it. Everyone else will fall bck to the VBT panel type. The only known machine so far is a "Conrac GmbH IX45GM2". The PCI subsystem ID on this machine is just a generic 8086:2a42, so of no use. Instead we'll go with a DMI match. I suspect we can now also revert commit aeddda06c1a7 ("drm/i915: Ignore panel type from OpRegion on SKL") but let's leave that to a separate patch. v2: Do the DMI match in the opregion code directly, as dev_priv->quirks gets populated too late Cc: Rob Kramer Cc: Martin van Es Cc: Andrea Arcangeli Cc: Dave Airlie Cc: Marco Krüger Cc: Sean Greenslade Cc: Trudy Tective Cc: Robin Müller Cc: Alexander Kobel Cc: Alexey Shumitsky Cc: Emil Andersen Lauridsen Cc: oceans112@gmail.com Cc: James Hogan Cc: James Bottomley Cc: stable@vger.kernel.org References: https://lists.freedesktop.org/archives/intel-gfx/2016-August/105545.html References: https://lists.freedesktop.org/archives/dri-devel/2016-August/116888.html References: https://lists.freedesktop.org/archives/intel-gfx/2016-June/098826.html Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94825 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97060 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97443 Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97363 Fixes: a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details") Tested-by: Marco Krüger Tested-by: Alexey Shumitsky Tested-by: Sean Greenslade Tested-by: Emil Andersen Lauridsen Tested-by: Robin Müller Tested-by: oceans112@gmail.com Tested-by: Rob Kramer Signed-off-by: Ville Syrjälä Link: http://patchwork.freedesktop.org/patch/msgid/1473758539-21565-1-git-send-email-ville.syrjala@linux.intel.com References: http://patchwork.freedesktop.org/patch/msgid/1473602239-15855-1-git-send-email-adrienverge@gmail.com Acked-by: Jani Nikula (cherry picked from commit c8ebfad7a063fe665417fa0eeb0da7cfe987d8ed) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_opregion.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) commit 86dfb76cba284114cf586005cd943eeb6e4f328d Author: Rodrigo Vivi Date: Wed Sep 7 17:42:31 2016 -0700 Revert "drm/i915/psr: Make idle_frames sensible again" This reverts commit 1c80c25fb622973dd135878e98d172be20859049 Author: Daniel Vetter Date: Wed May 18 18:47:12 2016 +0200 drm/i915/psr: Make idle_frames sensible again There are panels that needs 4 idle frames before entering PSR, but VBT is unproperly set. Also lately it was identified that idle frame count calculated at HW can be off by 1, what makes the minimum of 2, at least. Without the current vbt+1 we are with the risk of having HW calculating 0 idle frames and entering PSR when it shouldn't. Regardless the lack of link training. [Jani: there is some disagreement on the explanation, but the commit regresses so revert it is.] References: http://marc.info/?i=20160904191153.GA2328@light.dominikbrodowski.net Cc: Dominik Brodowski Cc: Jani Nikula Cc: Daniel Vetter Signed-off-by: Rodrigo Vivi Fixes: 1c80c25fb622 ("drm/i915/psr: Make idle_frames sensible again") Cc: drm-intel-fixes@lists.freedesktop.org # v4.8-rc1+ Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/1473295351-8766-1-git-send-email-rodrigo.vivi@intel.com (cherry picked from commit 40918e0bb81be02f507a941f8b2741f0dc1771b0) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_psr.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) commit 74712339a4fc0f4ddc710e6bca836a6b78b7d8de Author: Chris Wilson Date: Thu Aug 25 08:23:14 2016 +0100 drm/i915: Restore lost "Initialized i915" welcome message A side effect of removing the midlayer from driver loading was the loss of a useful message announcing to userspace that i915 had successfully started, e.g.: [drm] Initialized i915 1.6.0 20160425 for 0000:00:02.0 on minor 0 Reported-by: Timo Aaltonen Signed-off-by: Chris Wilson Fixes: 8f460e2c78f2 ("drm/i915: Demidlayer driver loading") Cc: Daniel Vetter Cc: Ville Syrjälä Cc: drm-intel-fixes@lists.freedesktop.org Link: http://patchwork.freedesktop.org/patch/msgid/20160825072314.17402-1-chris@chris-wilson.co.uk Reviewed-by: Daniel Vetter (cherry picked from commit bc5ca47c0af4f949ba889e666b7da65569e36093) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_drv.c | 5 +++++ 1 file changed, 5 insertions(+) commit 6eaed1665fc6864fbdbffcc6f43a7f5d012f3052 Author: Gavin Shan Date: Tue Sep 13 16:40:24 2016 +1000 powerpc/powernv: Fix the state of root PE The PE for root bus (root PE) can be removed because of PCI hot remove in EEH recovery path for fenced PHB error. We need update @phb->root_pe_populated accordingly so that the root PE can be populated again in forthcoming PCI hot add path. Also, the PE shouldn't be destroyed as it's global and reserved resource. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Reported-by: Frederic Barrat Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Author: Al Viro Date: Fri Sep 9 19:28:23 2016 -0400 avr32: fix copy_from_user() really ugly, but apparently avr32 compilers turns access_ok() into something so bad that they want it in assembler. Left that way, zeroing added in inline wrapper. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/avr32/include/asm/uaccess.h | 11 ++++++++++- arch/avr32/kernel/avr32_ksyms.c | 2 +- arch/avr32/lib/copy_user.S | 4 ++-- 3 files changed, 13 insertions(+), 4 deletions(-) commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Author: Al Viro Date: Fri Sep 9 19:23:33 2016 -0400 microblaze: fix __get_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/microblaze/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 Author: Al Viro Date: Fri Sep 9 19:22:34 2016 -0400 microblaze: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/microblaze/include/asm/uaccess.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Author: Al Viro Date: Fri Sep 9 19:20:13 2016 -0400 m32r: fix __get_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/m32r/include/asm/uaccess.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 Author: Al Viro Date: Fri Sep 9 19:16:58 2016 -0400 blackfin: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/blackfin/include/asm/uaccess.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit 917400cecb4b52b5cde5417348322bb9c8272fa6 Author: Al Viro Date: Mon Aug 22 00:23:07 2016 -0400 sparc32: fix copy_from_user() Cc: stable@vger.kernel.org Acked-by: David S. Miller Signed-off-by: Al Viro arch/sparc/include/asm/uaccess_32.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 6e050503a150b2126620c1a1e9b3a368fcd51eac Author: Al Viro Date: Sun Aug 21 23:39:47 2016 -0400 sh: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/sh/include/asm/uaccess.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit c6852389228df9fb3067f94f3b651de2a7921b36 Author: Al Viro Date: Sun Aug 21 23:33:47 2016 -0400 sh64: failing __get_user() should zero It could be done in exception-handling bits in __get_user_b() et.al., but the surgery involved would take more knowledge of sh64 details than I have or _want_ to have. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/sh/include/asm/uaccess_64.h | 1 + 1 file changed, 1 insertion(+) commit b615e3c74621e06cd97f86373ca90d43d6d998aa Author: Al Viro Date: Sun Aug 21 22:30:44 2016 -0400 score: fix copy_from_user() and friends Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/score/include/asm/uaccess.h | 41 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 21 deletions(-) commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 Author: Al Viro Date: Sun Aug 21 22:13:39 2016 -0400 score: fix __get_user/get_user * should zero on any failure * __get_user() should use __copy_from_user(), not copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/score/include/asm/uaccess.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Author: Al Viro Date: Sun Aug 21 22:00:54 2016 -0400 s390: get_user() should zero on failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/s390/include/asm/uaccess.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 224264657b8b228f949b42346e09ed8c90136a8e Author: Al Viro Date: Sun Aug 21 19:16:26 2016 -0400 ppc32: fix copy_from_user() should clear on access_ok() failures. Also remove the useless range truncation logics. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/powerpc/include/asm/uaccess.h | 25 ++----------------------- 1 file changed, 2 insertions(+), 23 deletions(-) commit aace880feea38875fbc919761b77e5732a3659ef Author: Al Viro Date: Sat Aug 20 19:03:37 2016 -0400 parisc: fix copy_from_user() Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/parisc/include/asm/uaccess.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit acb2505d0119033a80c85ac8d02dccae41271667 Author: Al Viro Date: Sat Aug 20 17:05:21 2016 -0400 openrisc: fix copy_from_user() ... that should zero on faults. Also remove the helpful logics wrt range truncation copied from ppc32. Where it had ever been needed only in case of copy_from_user() *and* had not been merged into the mainline until a month after the need had disappeared. A decade before openrisc went into mainline, I might add... Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/openrisc/include/asm/uaccess.h | 35 +++++++++++------------------------ 1 file changed, 11 insertions(+), 24 deletions(-) commit 2e29f50ad5e23db37dde9be71410d95d50241ecd Author: Al Viro Date: Sat Aug 20 16:39:01 2016 -0400 nios2: fix __get_user() a) should not leave crap on fault b) should _not_ require access_ok() in any cases. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/nios2/include/asm/uaccess.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Author: Al Viro Date: Sat Aug 20 16:36:36 2016 -0400 nios2: copy_from_user() should zero the tail of destination Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/nios2/include/asm/uaccess.h | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Author: Al Viro Date: Sat Aug 20 16:33:10 2016 -0400 mn10300: copy_from_user() should zero on access_ok() failure... Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mn10300/lib/usercopy.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 43403eabf558d2800b429cd886e996fd555aa542 Author: Al Viro Date: Sat Aug 20 16:32:02 2016 -0400 mn10300: failing __get_user() and get_user() should zero Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mn10300/include/asm/uaccess.h | 1 + 1 file changed, 1 insertion(+) commit e69d700535ac43a18032b3c399c69bf4639e89a2 Author: Al Viro Date: Sat Aug 20 16:18:53 2016 -0400 mips: copy_from_user() must zero the destination on access_ok() failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/mips/include/asm/uaccess.h | 3 +++ 1 file changed, 3 insertions(+) commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Author: Vineet Gupta Date: Fri Aug 19 12:10:02 2016 -0700 ARC: uaccess: get_user to zero out dest in cause of fault Al reported potential issue with ARC get_user() as it wasn't clearing out destination pointer in case of fault due to bad address etc. Verified using following | { | u32 bogus1 = 0xdeadbeef; | u64 bogus2 = 0xdead; | int rc1, rc2; | | pr_info("Orig values %x %llx\n", bogus1, bogus2); | rc1 = get_user(bogus1, (u32 __user *)0x40000000); | rc2 = get_user(bogus2, (u64 __user *)0x50000000); | pr_info("access %d %d, new values %x %llx\n", | rc1, rc2, bogus1, bogus2); | } | [ARCLinux]# insmod /mnt/kernel-module/qtn.ko | Orig values deadbeef dead | access -14 -14, new values 0 0 Reported-by: Al Viro Cc: Linus Torvalds Cc: linux-snps-arc@lists.infradead.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Vineet Gupta Signed-off-by: Al Viro arch/arc/include/asm/uaccess.h | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Author: Al Viro Date: Thu Aug 18 22:08:20 2016 -0400 metag: copy_from_user() should zero the destination on access_ok() failure Cc: stable@vger.kernel.org Acked-by: James Hogan Signed-off-by: Al Viro arch/metag/include/asm/uaccess.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit a5e541f796f17228793694d64b507f5f57db4cd7 Author: Al Viro Date: Thu Aug 18 21:31:41 2016 -0400 ia64: copy_from_user() should zero the destination on access_ok() failure Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/ia64/include/asm/uaccess.h | 25 +++++++++++-------------- 1 file changed, 11 insertions(+), 14 deletions(-) commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Author: Al Viro Date: Thu Aug 18 21:16:49 2016 -0400 hexagon: fix strncpy_from_user() error return It's -EFAULT, not -1 (and contrary to the comment in there, __strnlen_user() can return 0 - on faults). Cc: stable@vger.kernel.org Acked-by: Richard Kuo Signed-off-by: Al Viro arch/hexagon/include/asm/uaccess.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Author: Al Viro Date: Thu Aug 18 20:54:02 2016 -0400 frv: fix clear_user() It should check access_ok(). Otherwise a bunch of places turn into trivially exploitable rootholes. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/frv/include/asm/uaccess.h | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit eb47e0293baaa3044022059f1fa9ff474bfe35cb Author: Al Viro Date: Thu Aug 18 19:34:00 2016 -0400 cris: buggered copy_from_user/copy_to_user/clear_user * copy_from_user() on access_ok() failure ought to zero the destination * none of those primitives should skip the access_ok() check in case of small constant size. Cc: stable@vger.kernel.org Acked-by: Jesper Nilsson Signed-off-by: Al Viro arch/cris/include/asm/uaccess.h | 71 +++++++++++++++++++---------------------- 1 file changed, 32 insertions(+), 39 deletions(-) commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Author: Al Viro Date: Wed Aug 17 23:19:01 2016 -0400 asm-generic: make get_user() clear the destination on errors both for access_ok() failures and for faults halfway through Cc: stable@vger.kernel.org Signed-off-by: Al Viro include/asm-generic/uaccess.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) commit 035ee288ae7ade4152f1c3cf23a587b04fdc526c Author: Lukas Wunner Date: Tue Sep 6 06:20:46 2016 +0200 PCI: Fix bridge_d3 update on device removal Starting with v4.8, we allow a PCIe port to runtime suspend to D3hot if the port itself and its children satisfy a number of conditions. Once a child is removed, we recheck those conditions in case the removed device was blocking the port from suspending. The rechecking needs to happen *after* the device has been removed from the bus it resides on. Otherwise when walking the port's subordinate bus in pci_bridge_d3_update(), the device being removed would erroneously still be taken into account. However the device is removed from the bus_list in pci_destroy_dev() and we currently recheck *before* that. Fix it. Fixes: 9d26d3a8f1b0 ("PCI: Put PCIe ports into D3 during suspend") Signed-off-by: Lukas Wunner Signed-off-by: Bjorn Helgaas Reviewed-by: Mika Westerberg Acked-by: Rafael J. Wysocki drivers/pci/remove.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 5924bbecd0267d87c24110cbe2041b5075173a25 Merge: fda6751 c291b01 Author: Linus Torvalds Date: Tue Sep 13 12:52:45 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Three fixes: - AMD microcode loading fix with randomization - an lguest tooling fix - and an APIC enumeration boundary condition fix" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/apic: Fix num_processors value in case of failure tools/lguest: Don't bork the terminal in case of wrong args x86/microcode/AMD: Fix load of builtin microcode with randomized memory commit fda67514e444533b44106362baddca1cdbbba836 Merge: ee319d5 135e8c9 Author: Linus Torvalds Date: Tue Sep 13 12:49:40 2016 -0700 Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Ingo Molnar: "A try_to_wake_up() memory ordering race fix causing a busy-loop in ttwu()" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/core: Fix a race between try_to_wake_up() and a woken up task commit ee319d5834c80dce3ec17fec36ef74b716ea465d Merge: 504cb1c2 8ef9b84 Author: Linus Torvalds Date: Tue Sep 13 12:47:29 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "This contains: - a set of fixes found by directed-random perf fuzzing efforts by Vince Weaver, Alexander Shishkin and Peter Zijlstra - a cqm driver crash fix - an AMD uncore driver use after free fix" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel: Fix PEBSv3 record drain perf/x86/intel/bts: Kill a silly warning perf/x86/intel/bts: Fix BTS PMI detection perf/x86/intel/bts: Fix confused ordering of PMU callbacks perf/core: Fix aux_mmap_count vs aux_refcount order perf/core: Fix a race between mmap_close() and set_output() of AUX events perf/x86/amd/uncore: Prevent use after free perf/x86/intel/cqm: Check cqm/mbm enabled state in event init perf/core: Remove WARN from perf_event_read() commit 504cb1c25b63ca434e9ced4226c026b54097391d Merge: 7c2c114 d7127b5 Author: Linus Torvalds Date: Tue Sep 13 12:13:58 2016 -0700 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Another lockless_dereference() Sparse fix" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/barriers: Don't use sizeof(void) in lockless_dereference() commit 7c2c1144164c0a6fd91642909042862db907e053 Merge: 106f2e5 cbf2f8a Author: Linus Torvalds Date: Tue Sep 13 12:02:00 2016 -0700 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Ingo Molnar: "This contains a Xen fix, an arm64 fix and a race condition / robustization set of fixes related to ExitBootServices() usage and boundary conditions" * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/efi: Use efi_exit_boot_services() efi/libstub: Use efi_exit_boot_services() in FDT efi/libstub: Introduce ExitBootServices helper efi/libstub: Allocate headspace in efi_get_memory_map() efi: Fix handling error value in fdt_find_uefi_params efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen commit 106f2e59ee3b89a2f93735f65499eae4e8d55abc Merge: 309a18a c944555 Author: Linus Torvalds Date: Tue Sep 13 11:19:52 2016 -0700 Merge tag 'md/4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD fixes from Shaohua Li: "A few bug fixes for MD: - Guoqing fixed a bug compiling md-cluster in kernel - I fixed a potential deadlock in raid5-cache superblock write, a hang in raid5 reshape resume and a race condition introduced in rc4" * tag 'md/4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: raid5: fix a small race condition md-cluster: make md-cluster also can work when compiled into kernel raid5: guarantee enough stripes to avoid reshape hang raid5-cache: fix a deadlock in superblock write commit ad5987b47e96a0fb6d13fea250e936aed000093c Author: Johannes Berg Date: Tue Sep 13 15:53:55 2016 +0200 nl80211: validate number of probe response CSA counters Due to an apparent copy/paste bug, the number of counters for the beacon configuration were checked twice, instead of checking the number of probe response counters. Fix this to check the number of probe response counters before parsing those. Cc: stable@vger.kernel.org Fixes: 9a774c78e211 ("cfg80211: Support multiple CSA counters") Signed-off-by: Johannes Berg net/wireless/nl80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 309a18ae360d1d8741c676a37a3daae319fe722a Merge: e8988e0 0bd2223 Author: Linus Torvalds Date: Tue Sep 13 11:10:49 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto bugfix from Herbert Xu: "Fix a bug in the cryptd code that may lead to crashes" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: cryptd - initialize child shash_desc on import commit 440f895aa97f81a2bdc02993da5360a1f6da2fb5 Author: Christophe Jaillet Date: Sun Sep 11 21:43:34 2016 +0200 drivers: net: phy: xgene: Fix 'remove' function If 'IS_ERR(pdata->clk)' is true, then 'clk_disable_unprepare(pdata->clk)' will do nothing. It is likely that 'if (!IS_ERR(pdata->clk))' was expected here. In fact, the test can even be removed because 'clk_disable_unprepare' already handles such cases. Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller drivers/net/phy/mdio-xgene.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 715f5552b1e90ba3eecf6d1a6d044d0d5226663f Author: Xin Long Date: Sat Sep 10 23:11:23 2016 +0800 sctp: hold the transport before using it in sctp_hash_cmp Since commit 4f0087812648 ("sctp: apply rhashtable api to send/recv path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp, in which it compares the members of the transport with the rhashtable args to check if it's the right transport. But sctp uses the transport without holding it in sctp_hash_cmp, it can cause a use-after-free panic. As after it gets transport from hashtable, another CPU may close the sk and free the asoc. In sctp_association_free, it frees all the transports, meanwhile, the assoc's refcnt may be reduced to 0, assoc can be destroyed by sctp_association_destroy. So after that, transport->assoc is actually an unavailable memory address in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still can not avoid this, as assoc is not freed by RCU. This patch is to hold the transport before checking it's members with sctp_transport_hold, in which it checks the refcnt first, holds it if it's not 0. Fixes: 4f0087812648 ("sctp: apply rhashtable api to send/recv path") Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/input.c | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) commit 801f823dc2d585253f2f8dd17c4a46d9da560579 Author: Paul Burton Date: Mon Sep 5 15:24:54 2016 +0100 MIPS: c-r4k: Fix size calc when avoiding IPIs for small icache flushes Commit f70ddc07b637 ("MIPS: c-r4k: Avoid small flush_icache_range SMP calls") adds checks to force use of hit-type cache ops for small icache flushes where they are globalised & index-type cache ops aren't, in order to avoid the overhead of IPIs in those cases. However it calculated the size of the region being flushed incorrectly, subtracting the end address from the start address rather than the reverse. This would have led to an overflow with size wrapping round to some large value, and likely to the special case for avoiding IPIs not actually being hit. Signed-off-by: Paul Burton Cc: James Hogan Fixes: f70ddc07b637 ("MIPS: c-r4k: Avoid small flush_icache_range SMP calls") Reviewed-by: James Hogan Reviewed-by: Florian Fainelli Cc: Huacai Chen Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/14211/ Signed-off-by: Ralf Baechle arch/mips/mm/c-r4k.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 28b89b9e6f7b6c8fef7b3af39828722bca20cfee Author: Joonwoo Park Date: Sun Sep 11 21:14:58 2016 -0700 cpuset: handle race between CPU hotplug and cpuset_hotplug_work A discrepancy between cpu_online_mask and cpuset's effective_cpus mask is inevitable during hotplug since cpuset defers updating of effective_cpus mask using a workqueue, during which time nothing prevents the system from more hotplug operations. For that reason guarantee_online_cpus() walks up the cpuset hierarchy until it finds an intersection under the assumption that top cpuset's effective_cpus mask intersects with cpu_online_mask even with such a race occurring. However a sequence of CPU hotplugs can open a time window, during which none of the effective CPUs in the top cpuset intersect with cpu_online_mask. For example when there are 4 possible CPUs 0-3 and only CPU0 is online: ======================== =========================== cpu_online_mask top_cpuset.effective_cpus ======================== =========================== echo 1 > cpu2/online. CPU hotplug notifier woke up hotplug work but not yet scheduled. [0,2] [0] echo 0 > cpu0/online. The workqueue is still runnable. [2] [0] ======================== =========================== Now there is no intersection between cpu_online_mask and top_cpuset.effective_cpus. Thus invoking sys_sched_setaffinity() at this moment can cause following: Unable to handle kernel NULL pointer dereference at virtual address 000000d0 ------------[ cut here ]------------ Kernel BUG at ffffffc0001389b0 [verbose debug info unavailable] Internal error: Oops - BUG: 96000005 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 1420 Comm: taskset Tainted: G W 4.4.8+ #98 task: ffffffc06a5c4880 ti: ffffffc06e124000 task.ti: ffffffc06e124000 PC is at guarantee_online_cpus+0x2c/0x58 LR is at cpuset_cpus_allowed+0x4c/0x6c Process taskset (pid: 1420, stack limit = 0xffffffc06e124020) Call trace: [] guarantee_online_cpus+0x2c/0x58 [] cpuset_cpus_allowed+0x4c/0x6c [] sched_setaffinity+0xc0/0x1ac [] SyS_sched_setaffinity+0x98/0xac [] el0_svc_naked+0x24/0x28 The top cpuset's effective_cpus are guaranteed to be identical to cpu_online_mask eventually. Hence fall back to cpu_online_mask when there is no intersection between top cpuset's effective_cpus and cpu_online_mask. Signed-off-by: Joonwoo Park Acked-by: Li Zefan Cc: Tejun Heo Cc: cgroups@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: # 3.17+ Signed-off-by: Tejun Heo kernel/cpuset.c | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) commit 3cbc6fc9c99f1709203711f125bc3b79487aba06 Author: Huacai Chen Date: Mon Sep 5 08:48:03 2016 +0800 MIPS: Add a missing ".set pop" in an early commit Commit 842dfc11ea9a21 ("MIPS: Fix build with binutils 2.24.51+") missing a ".set pop" in macro fpu_restore_16even, so add it. Signed-off-by: Huacai Chen Acked-by: Manuel Lauss Cc: Steven J . Hill Cc: Fuxin Zhang Cc: Zhangjin Wu Cc: linux-mips@linux-mips.org Cc: stable@vger.kernel.org # 3.18+ Patchwork: https://patchwork.linux-mips.org/patch/14210/ Signed-off-by: Ralf Baechle arch/mips/include/asm/asmmacro.h | 1 + 1 file changed, 1 insertion(+) commit 3e1be7ad2d38c6bd6aeef96df9bd0a7822f4e51c Author: Baoquan He Date: Fri Sep 9 22:43:12 2016 +0800 bnx2: Reset device during driver initialization When system enters into kdump kernel because of kernel panic, it won't shutdown devices. On-flight DMA will continue transferring data until device driver initializes. All devices are supposed to reset during driver initialization. And this property is used to fix the kdump failure in system with intel iommu. Other systems with hardware iommu should be similar. Please check commit 091d42e ("iommu/vt-d: Copy translation tables from old kernel") and those commits around. But bnx2 driver doesn't reset device during driver initialization. The device resetting is deferred to net device up stage. This will cause hardware iommu handling failure on bnx2 device. And its resetting relies on firmware. So in this patch move the firmware requesting code to earlier bnx2_init_one(), then next call bnx2_reset_chip to reset device. Signed-off-by: Baoquan He Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 67b9f0b737a41b8e10bcc3568830d546e6b9a68f Merge: da499f8 4440a2a Author: David S. Miller Date: Tue Sep 13 11:17:24 2016 -0400 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree, they are: 1) Endianess fix for the new nf_tables netlink trace infrastructure, NFTA_TRACE_POLICY endianess was not correct, patch from Liping Zhang. 2) Fix broken re-route after userspace queueing in nf_tables route chain. This patch is large but it is simple since it is just getting this code in sync with iptable_mangle. Also from Liping. 3) NAT mangling via ctnetlink lies to userspace when nf_nat_setup_info() fails to setup the NAT conntrack extension. This problem has been there since the beginning, but it can now show up after rhashtable conversion. 4) Fix possible NULL pointer dereference due to failures in allocating the synproxy and seqadj conntrack extensions, from Gao feng. ==================== Signed-off-by: David S. Miller commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Author: Boris Brezillon Date: Tue Sep 13 15:58:29 2016 +0200 irqchip/atmel-aic: Fix potential deadlock in ->xlate() aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip lock without disabling interrupts, which can lead to a deadlock if an interrupt occurs while the lock is held in one of these functions. Replace irq_gc_{lock,unlock}() calls by irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from happening. Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") Signed-off-by: Boris Brezillon Acked-by: Marc Zyngier Cc: Jason Cooper Cc: Nicolas Ferre Cc: stable@vger.kernel.org Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner drivers/irqchip/irq-atmel-aic.c | 5 +++-- drivers/irqchip/irq-atmel-aic5.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) commit ebf9ff753c041b296241990aef76163bbb2cc9c8 Author: Boris Brezillon Date: Tue Sep 13 15:58:28 2016 +0200 genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers Some irqchip drivers need to take the generic chip lock outside of the irq context. Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow one to disable irqs while entering a critical section protected by gc->lock. Note that we do not provide optimized version of these helpers for !SMP, because they are not called from the hot-path. [ tglx: Added a comment when these helpers should be [not] used ] Signed-off-by: Boris Brezillon Cc: Jason Cooper Cc: Marc Zyngier Cc: Nicolas Ferre Cc: stable@vger.kernel.org Cc: Alexandre Belloni Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com Signed-off-by: Thomas Gleixner include/linux/irq.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 951c39cd3bc0aedf67fbd8fb4b9380287e6205d1 Author: Matt Redfearn Date: Mon Sep 5 15:43:40 2016 +0100 MIPS: paravirt: Fix undefined reference to smp_bootstrap If the paravirt machine is compiles without CONFIG_SMP, the following linker error occurs arch/mips/kernel/head.o: In function `kernel_entry': (.ref.text+0x10): undefined reference to `smp_bootstrap' due to the kernel entry macro always including SMP startup code. Wrap this code in CONFIG_SMP to fix the error. Signed-off-by: Matt Redfearn Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Cc: stable@vger.kernel.org # 3.16+ Patchwork: https://patchwork.linux-mips.org/patch/14212/ Signed-off-by: Ralf Baechle arch/mips/include/asm/mach-paravirt/kernel-entry-init.h | 2 ++ 1 file changed, 2 insertions(+) commit 3bc42f3f0ef13a8239138a4c00a0b782f029f23d Merge: 015282c 2cfe199 Author: Jens Axboe Date: Tue Sep 13 07:58:34 2016 -0600 Merge branch 'nvmf-4.8-rc' of git://git.infradead.org/nvme-fabrics into for-linus Sagi writes: Here we have: - Kconfig dependencies fix from Arnd - nvme-rdma device removal fixes from Steve - possible bad deref fix from Colin commit b03c1e3b8eed9026733c473071d1f528358a0e50 Author: Paul Burton Date: Mon Sep 12 10:58:06 2016 +0100 MIPS: Remove compact branch policy Kconfig entries Commit c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed") added Kconfig entries allowing for the compact branch policy used by the compiler for MIPSr6 kernels to be specified. This can be useful for debugging, particularly in systems where compact branches have recently been introduced. Unfortunately mainline gcc 5.x supports MIPSr6 but not the -mcompact-branches compiler flag, leading to MIPSr6 kernels failing to build with gcc 5.x with errors such as: mipsel-linux-gnu-gcc: error: unrecognized command line option '-mcompact-branches=optimal' make[2]: *** [kernel/bounds.s] Error 1 Fixing this by hiding the Kconfig entry behind another seems to be more hassle than it's worth, as MIPSr6 & compact branches have been around for a while now and if policy does need to be set for debug it can be done easily enough with KCFLAGS. Therefore remove the compact branch policy Kconfig entries & their handling in the Makefile. This reverts commit c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed"). Signed-off-by: Paul Burton Reported-by: kbuild test robot Fixes: c1a0e9bc885d ("MIPS: Allow compact branch policy to be changed") Cc: stable # v4.4+ Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14241/ Signed-off-by: Ralf Baechle arch/mips/Kconfig.debug | 36 ------------------------------------ arch/mips/Makefile | 4 ---- 2 files changed, 40 deletions(-) commit ac7e385f2bf1c39615cf58f7e58246fdd9da5bb9 Author: James Hogan Date: Tue Aug 9 13:21:49 2016 +0100 MIPS: MAAR: Fix address alignment The alignment of MIPS MAAR region addresses isn't quite right. - It rounds an already 64 KiB aligned start address up to the next 64 KiB boundary, e.g. 0x80000000 is rounded up to 0x80010000. - It assumes the end address is already on a 64 KiB boundary and doesn't round it down. Should that not be the case it will hit the second BUG_ON() in write_maar_pair(). Both cases are addressed by rounding up and down to 64 KiB boundaries in the more traditional way of adding 0xffff (for rounding up) and masking off the low 16 bits. Signed-off-by: James Hogan Cc: Paul Burton Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13858/ Signed-off-by: Ralf Baechle arch/mips/mm/init.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) commit 58cae9b0f0c1d9cc55de018d927e65549b24cf5b Author: James Hogan Date: Tue Aug 9 13:21:48 2016 +0100 MIPS: Fix memory regions reaching top of physical Memory regions added with add_memory_region() at the top of the physical address space will have their end address overflow to 0. This causes them to be rejected as invalid, and would cause various other issues later on. This causes issues on Malta and Boston platforms when wanting to use all 2GB of RAM on a 32-bit kernel, either via highmem (using physical addresses 0x90000000..0xFFFFFFFF), or with the Malta Enhanced Virtual Addressing (EVA) layout which exposes the whole 0x80000000..0xFFFFFFFF physical address range to kernel mode at 0x00000000..0x7FFFFFFF. Due to the abundance of these non-overflow assumptions and the fact that memblock already avoids the arithmetic overflow by limiting the size of new memory regions without the arch code knowing it (in particular mem_init_free_highmem() will trigger a page dump due to nonzero mapcount on the last page), it is simpler and safer to just limit the size of the region in a similar way to memblock but at the arch level to allow most of the RAM to be used without arithmetic overflows. Therefore we detect this case specifically and reduce the size of the region slightly to avoid the arithmetic overflows and cause the last page to be ignored. Signed-off-by: James Hogan Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13857/ Signed-off-by: Ralf Baechle arch/mips/kernel/setup.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 2809328f6ef2139115665dda1b83ee9303c52431 Author: Marcin Nowakowski Date: Thu Aug 11 09:02:30 2016 +0200 MIPS: uprobes: fix incorrect uprobe brk handling When a uprobe-replacement breakpoint instruction is handled, a notifier is called with DIE_UPROBE argument, but a corresponding exception notify handler for MIPS attempts to handle DIE_BREAK instead. As a result the breakpoint instruction isn't handled by the uprobe code and the probed application terminates with SIGTRAP. Fix this by changing arch_uprobe_exception_notify code to handle DIE_UPROBE as a pre-singlestep condition instead of DIE_BREAK. Signed-off-by: Marcin Nowakowski Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/13884/ Signed-off-by: Ralf Baechle arch/mips/kernel/uprobes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e3b23148fd8af277fd55068183ed3ce4c8f51aa5 Author: Amitoj Kaur Chawla Date: Fri Aug 12 08:36:54 2016 +0530 MIPS: ath79: Fix test for error return of clk_register_fixed_factor(). clk_register_fixed_factor returns an ERR_PTR in case of an error and should have an IS_ERR check instead of a null check. The Coccinelle semantic patch used to find this issue is as follows: @@ expression e; statement S; @@ *e = clk_register_fixed_factor(...); if (!e) S Signed-off-by: Amitoj Kaur Chawla Cc: julia.lawall@lip6.fr Cc: linux-mips@linux-mips.org Cc: linux-kernel@vger.kernel.org Patchwork: https://patchwork.linux-mips.org/patch/13894/ Signed-off-by: Ralf Baechle arch/mips/ath79/clock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2db34e78f126c6001d79d3b66ab1abb482dc7caa Author: Ard Biesheuvel Date: Tue Sep 13 09:48:53 2016 +0100 crypto: arm64/aes-ctr - fix NULL dereference in tail processing The AES-CTR glue code avoids calling into the blkcipher API for the tail portion of the walk, by comparing the remainder of walk.nbytes modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight into the tail processing block if they are equal. This tail processing block checks whether nbytes != 0, and does nothing otherwise. However, in case of an allocation failure in the blkcipher layer, we may enter this code with walk.nbytes == 0, while nbytes > 0. In this case, we should not dereference the source and destination pointers, since they may be NULL. So instead of checking for nbytes != 0, check for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in non-error conditions. Fixes: 49788fe2a128 ("arm64/crypto: AES-ECB/CBC/CTR/XTS using ARMv8 NEON and Crypto Extensions") Cc: stable@vger.kernel.org Reported-by: xiakaixu Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu arch/arm64/crypto/aes-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f82e90b28654804ab72881d577d87c3d5c65e2bc Author: Ard Biesheuvel Date: Tue Sep 13 09:48:52 2016 +0100 crypto: arm/aes-ctr - fix NULL dereference in tail processing The AES-CTR glue code avoids calling into the blkcipher API for the tail portion of the walk, by comparing the remainder of walk.nbytes modulo AES_BLOCK_SIZE with the residual nbytes, and jumping straight into the tail processing block if they are equal. This tail processing block checks whether nbytes != 0, and does nothing otherwise. However, in case of an allocation failure in the blkcipher layer, we may enter this code with walk.nbytes == 0, while nbytes > 0. In this case, we should not dereference the source and destination pointers, since they may be NULL. So instead of checking for nbytes != 0, check for (walk.nbytes % AES_BLOCK_SIZE) != 0, which implies the former in non-error conditions. Fixes: 86464859cc77 ("crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions") Cc: stable@vger.kernel.org Reported-by: xiakaixu Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu arch/arm/crypto/aes-ce-glue.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit acdb04d0b36769b3e05990c488dc74d8b7ac8060 Author: Herbert Xu Date: Tue Sep 13 14:43:29 2016 +0800 crypto: skcipher - Fix blkcipher walk OOM crash When we need to allocate a temporary blkcipher_walk_next and it fails, the code is supposed to take the slow path of processing the data block by block. However, due to an unrelated change we instead end up dereferencing the NULL pointer. This patch fixes it by moving the unrelated bsize setting out of the way so that we enter the slow path as inteded. Fixes: 7607bd8ff03b ("[CRYPTO] blkcipher: Added blkcipher_walk_virt_block") Cc: stable@vger.kernel.org Reported-by: xiakaixu Reported-by: Ard Biesheuvel Signed-off-by: Herbert Xu Tested-by: Ard Biesheuvel crypto/blkcipher.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 53a5d5ddccf849dbc27a8c1bba0b43c3a45fb792 Author: Herbert Xu Date: Wed Sep 7 18:42:08 2016 +0800 crypto: echainiv - Replace chaining with multiplication The current implementation uses a global per-cpu array to store data which are used to derive the next IV. This is insecure as the attacker may change the stored data. This patch removes all traces of chaining and replaces it with multiplication of the salt and the sequence number. Fixes: a10f554fa7e0 ("crypto: echainiv - Add encrypted chain IV...") Cc: stable@vger.kernel.org Reported-by: Mathias Krause Signed-off-by: Herbert Xu crypto/echainiv.c | 115 ++++++++++++------------------------------------------ 1 file changed, 24 insertions(+), 91 deletions(-) commit 4440a2ab3b9f40dddbe006331ef0659c76859296 Author: Gao Feng Date: Tue Sep 13 08:49:18 2016 +0800 netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions When memory is exhausted, nfct_seqadj_ext_add may fail to add the synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't check if get valid seqadj pointer by the nfct_seqadj. Now drop the packet directly when fail to add seqadj extension to avoid dereference NULL pointer in nf_ct_seqadj_init from init_conntrack(). Signed-off-by: Gao Feng Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nf_conntrack_synproxy.h | 14 ++++++++++++++ net/netfilter/nf_conntrack_core.c | 6 +++--- net/netfilter/nf_nat_core.c | 3 ++- 3 files changed, 19 insertions(+), 4 deletions(-) commit 7eebfba5c48f89e1729022459cde2b256696ba2a Merge: 062f531 1ba7db0 Author: Dave Airlie Date: Tue Sep 13 10:18:02 2016 +1000 Merge tag 'drm/atmel-hlcdc/4.8-fixes' of github.com:bbrezillon/linux-at91 into drm-fixes Two fixes for 4.8: - missing static specifier on atmel_hlcdc_crtc_reset() - bug in the hardware scaling logic * tag 'drm/atmel-hlcdc/4.8-fixes' of github.com:bbrezillon/linux-at91: drm/atmel-hlcdc: Make ->reset() implementation static drm: atmel-hlcdc: Fix vertical scaling commit 062f531ab2e959a2236ae76523be0881ade7058d Merge: 603f2c9 fc2780b Author: Dave Airlie Date: Tue Sep 13 10:17:31 2016 +1000 Merge tag 'drm-intel-fixes-2016-09-08' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes from Jani. * tag 'drm-intel-fixes-2016-09-08' of git://anongit.freedesktop.org/drm-intel: drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB drm/i915: disable 48bit full PPGTT when vGPU is active drm/i915: enable vGPU detection for all drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() commit e8988e0550b040265b8cdab82c553b5d6be627fb Merge: ac059c4 e4abe2b Author: Linus Torvalds Date: Mon Sep 12 14:49:21 2016 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Some small fixes for the new sunxi clk driver introduced this merge window" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: sunxi-ng: Fix wrong reset register offsets clk: sunxi-ng: nk: Make ccu_nk_find_best static clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock clk: sunxi: Fix return value check in sun8i_a23_mbus_setup() clk: sunxi: pll2: Fix return value check in sun4i_pll2_setup() commit ac059c4fa78ff548ad7b2ecbad491e46bfbc6d2d Merge: 2c937eb 27bd44e Author: Linus Torvalds Date: Mon Sep 12 14:30:14 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: - s390: nested virt fixes (new 4.8 feature) - x86: fixes for 4.8 regressions - ARM: two small bugfixes * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: kvm-arm: Unmap shadow pagetables properly x86, clock: Fix kvm guest tsc initialization arm: KVM: Fix idmap overlap detection when the kernel is idmap'ed KVM: lapic: adjust preemption timer correctly when goes TSC backward KVM: s390: vsie: fix riccbd KVM: s390: don't use current->thread.fpu.* when accessing registers commit 2c937eb4ddca946bb74936cf63aba0f94aa0efb3 Merge: da499f8 b519d40 Author: Linus Torvalds Date: Mon Sep 12 14:13:45 2016 -0700 Merge tag 'nfs-for-4.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Highlights include: Stable patches: - We must serialise LAYOUTGET and LAYOUTRETURN to ensure correct state accounting - Fix the CREATE_SESSION slot number Bugfixes: - sunrpc: fix a UDP memory accounting regression - NFS: Fix an error reporting regression in nfs_file_write() - pNFS: Fix further layout stateid issues - RPC/rdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") - RPC/rdma: Fix receive buffer accounting" * tag 'nfs-for-4.8-4' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFSv4.1: Fix the CREATE_SESSION slot number accounting xprtrdma: Fix receive buffer accounting xprtrdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") pNFS: Don't forget the layout stateid if there are outstanding LAYOUTGETs pNFS: Clear out all layout segments if the server unsets lrp->res.lrs_present pNFS: Fix pnfs_set_layout_stateid() to clear NFS_LAYOUT_INVALID_STID pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised NFS: Fix error reporting in nfs_file_write() sunrpc: fix UDP memory accounting commit bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb Author: Chuck Lever Date: Thu Sep 1 10:50:38 2016 -0400 svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") rsc_lookup steals the passed-in memory to avoid doing an allocation of its own, so we can't just pass in a pointer to memory that someone else is using. If we really want to avoid allocation there then maybe we should preallocate somwhere, or reference count these handles. For now we should revert. On occasion I see this on my server: kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851! kernel: invalid opcode: 0000 [#1] SMP kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15 kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 kernel: Workqueue: events do_cache_clean [sunrpc] kernel: task: ffff8808541d8000 task.stack: ffff880854344000 kernel: RIP: 0010:[] [] kfree+0x155/0x180 kernel: RSP: 0018:ffff880854347d70 EFLAGS: 00010246 kernel: RAX: ffffea0020fe7660 RBX: ffff88083f9db064 RCX: 146ff0f9d5ec5600 kernel: RDX: 000077ff80000000 RSI: ffff880853f01500 RDI: ffff88083f9db064 kernel: RBP: ffff880854347d88 R08: ffff8808594ee000 R09: ffff88087fdd8780 kernel: R10: 0000000000000000 R11: ffffea0020fe76c0 R12: ffff880853f01500 kernel: R13: ffffffffa013cf76 R14: ffffffffa013cff0 R15: ffffffffa04253a0 kernel: FS: 0000000000000000(0000) GS:ffff88087fdc0000(0000) knlGS:0000000000000000 kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 kernel: CR2: 00007fed60b020c3 CR3: 0000000001c06000 CR4: 00000000001406e0 kernel: Stack: kernel: ffff8808589f2f00 ffff880853f01500 0000000000000001 ffff880854347da0 kernel: ffffffffa013cf76 ffff8808589f2f00 ffff880854347db8 ffffffffa013d006 kernel: ffff8808589f2f20 ffff880854347e00 ffffffffa0406f60 0000000057c7044f kernel: Call Trace: kernel: [] rsc_free+0x16/0x90 [auth_rpcgss] kernel: [] rsc_put+0x16/0x30 [auth_rpcgss] kernel: [] cache_clean+0x2e0/0x300 [sunrpc] kernel: [] do_cache_clean+0xe/0x70 [sunrpc] kernel: [] process_one_work+0x1ff/0x3b0 kernel: [] worker_thread+0x2bc/0x4a0 kernel: [] ? rescuer_thread+0x3a0/0x3a0 kernel: [] kthread+0xe4/0xf0 kernel: [] ret_from_fork+0x1f/0x40 kernel: [] ? kthread_stop+0x110/0x110 kernel: Code: f7 ff ff eb 3b 65 8b 05 da 30 e2 7e 89 c0 48 0f a3 05 a0 38 b8 00 0f 92 c0 84 c0 0f 85 d1 fe ff ff 0f 1f 44 00 00 e9 f5 fe ff ff <0f> 0b 49 8b 03 31 f6 f6 c4 40 0f 85 62 ff ff ff e9 61 ff ff ff kernel: RIP [] kfree+0x155/0x180 kernel: RSP kernel: ---[ end trace 3fdec044969def26 ]--- It seems to be most common after a server reboot where a client has been using a Kerberos mount, and reconnects to continue its workload. Signed-off-by: Chuck Lever Cc: stable@vger.kernel.org Signed-off-by: J. Bruce Fields net/sunrpc/auth_gss/svcauth_gss.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 2cfe199ca5a8816ee80fe15bcf202dd1020aaea0 Author: Arnd Bergmann Date: Tue Sep 6 14:58:06 2016 +0200 nvme-rdma: add back dependency on CONFIG_BLOCK A recent change removed the dependency on BLK_DEV_NVME, which implies the dependency on PCI and BLOCK. We don't need CONFIG_PCI, but without CONFIG_BLOCK we get tons of build errors, e.g. In file included from drivers/nvme/host/core.c:16:0: linux/blk-mq.h:182:33: error: 'struct gendisk' declared inside parameter list will not be visible outside of this definition or declaration [-Werror] drivers/nvme/host/core.c: In function 'nvme_setup_rw': drivers/nvme/host/core.c:295:21: error: implicit declaration of function 'rq_data_dir' [-Werror=implicit-function-declaration] drivers/nvme/host/nvme.h: In function 'nvme_map_len': drivers/nvme/host/nvme.h:217:6: error: implicit declaration of function 'req_op' [-Werror=implicit-function-declaration] drivers/nvme/host/scsi.c: In function 'nvme_trans_bdev_limits_page': drivers/nvme/host/scsi.c:768:85: error: implicit declaration of function 'queue_max_hw_sectors' [-Werror=implicit-function-declaration] This adds back the specific CONFIG_BLOCK dependency to avoid broken configurations. Signed-off-by: Arnd Bergmann Fixes: aa71987472a9 ("nvme: fabrics drivers don't need the nvme-pci driver") Signed-off-by: Sagi Grimberg drivers/nvme/host/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 1bda18de8f15a611a61d1a935b679db2e153338a Author: Colin Ian King Date: Mon Sep 5 16:24:38 2016 +0100 nvme-rdma: fix null pointer dereference on req->mr If there is an error on req->mr, req->mr is set to null, however the following statement sets req->mr->need_inval causing a null pointer dereference. Fix this by bailing out to label 'out' to immediately return and hence skip over the offending null pointer dereference. Fixes: f5b7b559e1488 ("nvme-rdma: Get rid of duplicate variable") Signed-off-by: Colin Ian King Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 1 + 1 file changed, 1 insertion(+) commit e87a911fed07e368c6f97e75152e6297a7dfba48 Author: Steve Wise Date: Fri Sep 2 09:01:54 2016 -0700 nvme-rdma: use ib_client API to detect device removal Change nvme-rdma to use the IB Client API to detect device removal. This has the wonderful benefit of being able to blow away all the ib/rdma_cm resources for the device being removed. No craziness about not destroying the cm_id handling the event. No deadlocks due to broken iw_cm/rdma_cm/iwarp dependencies. And no need to have a bound cm_id around during controller recovery/reconnect to catch device removal events. We don't use the device_add aspect of the ib_client service since we only want to create resources for an IB device if we have a target utilizing that device. Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 108 ++++++++++++++++++----------------------------- 1 file changed, 40 insertions(+), 68 deletions(-) commit e89ca58f9c901c8c4cfb09f96d879b186bb01492 Author: Sagi Grimberg Date: Fri Sep 2 09:01:54 2016 -0700 nvme-rdma: add DELETING queue flag When we get a surprise disconnect from the target we queue a periodic reconnect (which is the sane thing to do...). We only move the queues out of CONNECTED when we retry to reconnect (after 10 seconds in the default case) but we stop the blk queues immediately so we are not bothered with traffic from now on. If delete() is kicking off in this period the queues are still in CONNECTED state. Part of the delete sequence is trying to issue ctrl shutdown if the admin queue is CONNECTED (which it is!). This request is issued but stuck in blk-mq waiting for the queues to start again. This might be the one preventing us from forward progress... The patch separates the queue flags to CONNECTED and DELETING. Now we will move out of CONNECTED as soon as error recovery kicks in (before stopping the queues) and DELETING is on when we start the queue deletion. Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit ecfcdfec7e0cc64215a194044305f02a5a836e6d Author: Pablo Neira Ayuso Date: Fri Sep 9 15:38:12 2016 +0200 netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup() nf_nat_setup_info() returns NF_* verdicts, so convert them to error codes that is what ctnelink expects. This has passed overlook without having any impact since this nf_nat_setup_info() has always returned NF_ACCEPT so far. Since 870190a9ec90 ("netfilter: nat: convert nat bysrc hash to rhashtable"), this is problem. Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_nat_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit da499f8f5385c181e29978fdaab15a58de185302 Merge: 9395452 373df31 Author: Linus Torvalds Date: Mon Sep 12 07:56:06 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: "Mostly small sets of driver fixes scattered all over the place. 1) Mediatek driver fixes from Sean Wang. Forward port not written correctly during TX map, missed handling of EPROBE_DEFER, and mistaken use of put_page() instead of skb_free_frag(). 2) Fix socket double-free in KCM code, from WANG Cong. 3) QED driver fixes from Sudarsana Reddy Kalluru, including a fix for using the dcbx buffers before initializing them. 4) Mellanox Switch driver fixes from Jiri Pirko, including a fix for double fib removals and an error handling fix in mlxsw_sp_module_init(). 5) Fix kernel panic when enabling LLDP in i40e driver, from Dave Ertman. 6) Fix padding of TSO packets in thunderx driver, from Sunil Goutham. 7) TCP's rcv_wup not initialized properly when using fastopen, from Neal Cardwell. 8) Don't use uninitialized flow keys in flow dissector, from Gao Feng. 9) Use after free in l2tp module unload, from Sabrina Dubroca. 10) Fix interrupt registry ordering issues in smsc911x driver, from Jeremy Linton. 11) Fix crashes in bonding having to do with enslaving and rx_handler, from Mahesh Bandewar. 12) AF_UNIX deadlock fixes from Linus. 13) In mlx5 driver, don't read skb->xmit_mode after it might have been freed from the TX reclaim path. From Tariq Toukan. 14) Fix a bug from 2015 in TCP Yeah where the congestion window does not increase, from Artem Germanov. 15) Don't pad frames on receive in NFP driver, from Jakub Kicinski. 16) Fix chunk fragmenting in SCTP wrt. GSO, from Marcelo Ricardo Leitner. 17) Fix deletion of VRF routes, from Mark Tomlinson. 18) Fix device refcount leak when DAD fails in ipv6, from Wei Yongjun" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (101 commits) net/mlx4_en: Fix panic on xmit while port is down net/mlx4_en: Fixes for DCBX net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state() net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_all() net: ethernet: renesas: sh_eth: add POST registers for rz drivers: net: phy: mdio-xgene: Add hardware dependency dwc_eth_qos: do not register semi-initialized device sctp: identify chunks that need to be fragmented at IP level mlxsw: spectrum: Set port type before setting its address mlxsw: spectrum_router: Fix error path in mlxsw_sp_router_init nfp: don't pad frames on receive nfp: drop support for old firmware ABIs nfp: remove linux/version.h includes tcp: cwnd does not increase in TCP YeAH net/mlx5e: Fix parsing of vlan packets when updating lro header net/mlx5e: Fix global PFC counters replication net/mlx5e: Prevent casting overflow net/mlx5e: Move an_disable_cap bit to a new position net/mlx5e: Fix xmit_more counter race issue tcp: fastopen: avoid negative sk_forward_alloc ... commit 1a57c286d8ced1e4144c6201a19bbb70827edee6 Author: Russell King Date: Sun Sep 4 21:45:56 2016 +0100 ARM: pxa/lubbock: add pcmcia clock Add the required PCMCIA clock for the SA1111 "1800" device. This clock is used to compute timing information for the PCMCIA interface in the SoC device, rather than the SA1111. Hence, the provision of this clock is a convenience for the driver and does not reflect the hardware, so this must not be copied into DT. Acked-by: Robert Jarzmik Tested-by: Robert Jarzmik Signed-off-by: Russell King arch/arm/mach-pxa/lubbock.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit 07f56e6646228da27122e81d5a5a232fdf3d3a50 Author: Russell King Date: Fri Sep 2 22:08:45 2016 +0100 ARM: locomo: fix locomo irq handling Accidentally booting Collie on Assabet reveals that the locomo driver incorrectly overwrites gpio-sa1100's chip data for its parent interrupt, leading to oops in sa1100_gpio_unmask() and sa1100_update_edge_regs() when "gpio: sa1100: convert to use IO accessors" is applied. Fix locomo to use the handler data rather than chip data for its parent interrupt. Signed-off-by: Russell King arch/arm/common/locomo.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 6b3142b2b852cd5e3216d1aa800a0a49377e6e1c Author: Stefan Agner Date: Wed Sep 7 21:56:09 2016 +0100 ARM: 8612/1: LPAE: initialize cache policy correctly The cachepolicy variable gets initialized using a masked pmd value. So far, the pmd has been masked with flags valid for the 2-page table format, but the 3-page table format requires a different mask. On LPAE, this lead to a wrong assumption of what initial cache policy has been used. Later a check forces the cache policy to writealloc and prints the following warning: Forcing write-allocate cache policy for SMP This patch introduces a new definition PMD_SECT_CACHE_MASK for both page table formats which masks in all cache flags in both cases. Signed-off-by: Stefan Agner Signed-off-by: Russell King arch/arm/include/asm/pgtable-2level-hwdef.h | 1 + arch/arm/include/asm/pgtable-3level-hwdef.h | 1 + arch/arm/mm/mmu.c | 2 +- 3 files changed, 3 insertions(+), 1 deletion(-) commit 5df20f2141eadb5430caaad20eceac61cfe0f139 Author: Pedersen, Thomas Date: Tue Sep 6 11:59:00 2016 -0700 mac80211: make mpath path fixing more robust A fixed mpath was not quite being treated as such: 1) if a PERR frame was received, a fixed mpath was deactivated. 2) queued path discovery for fixed mpath was potentially being considered, changing mpath state. 3) other mpath flags were potentially being inherited when fixing the mpath. Just assign PATH_FIXED and SN_VALID. This solves several issues when fixing a mesh path in one direction. The reverse direction mpath should probably also be fixed, or root announcements at least be enabled. Signed-off-by: Thomas Pedersen Signed-off-by: Johannes Berg net/mac80211/mesh_hwmp.c | 3 ++- net/mac80211/mesh_pathtbl.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) commit 1feafd64cbc31b75b7b08ab3ca0305311c3f6246 Merge: 817ed57 87d5dd6 Author: Russell King Date: Mon Sep 12 11:19:04 2016 +0100 Merge branches 'fixes-pcmcia' and 'fixes-sa1111' into fixes commit 87d5dd62c07f90ed2b0d6718f5c666f69e7d39b0 Author: Russell King Date: Tue Sep 6 16:09:17 2016 +0100 ARM: sa1111: fix missing clk_disable() SA1111 forgets to call clk_disable() in the probe error cleanup path. Add the necessary call. Signed-off-by: Russell King arch/arm/common/sa1111.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 06dfe5cc0cc684e735cb0232fdb756d30780b05d Author: Russell King Date: Tue Sep 6 14:34:05 2016 +0100 ARM: sa1111: fix pcmcia suspend/resume SA1111 PCMCIA was broken when PCMCIA switched to using dev_pm_ops for the PCMCIA socket class. PCMCIA used to handle suspend/resume via the socket hosting device, which happened at normal device suspend/resume time. However, the referenced commit changed this: much of the resume now happens much earlier, in the noirq resume handler of dev_pm_ops. However, on SA1111, the PCMCIA device is not accessible as the SA1111 has not been resumed at _noirq time. It's slightly worse than that, because the SA1111 has already been put to sleep at _noirq time, so suspend doesn't work properly. Fix this by converting the core SA1111 code to use dev_pm_ops as well, and performing its own suspend/resume at noirq time. This fixes these errors in the kernel log: pcmcia_socket pcmcia_socket0: time out after reset pcmcia_socket pcmcia_socket1: time out after reset and the resulting lack of PCMCIA cards after a S2RAM cycle. Fixes: d7646f7632549 ("pcmcia: use dev_pm_ops for class pcmcia_socket_class") Signed-off-by: Russell King arch/arm/common/sa1111.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) commit 7c0091eceab231b59e51b80bbcf5a2205a0fa905 Author: Russell King Date: Tue Sep 6 14:21:46 2016 +0100 ARM: sa1111: fix pcmcia interrupt mask polarity The polarity of the high IRQs was being calculated using SA1111_IRQMASK_HI(), but this assumes a Linux interrupt number, not a hardware interrupt number. Hence, the resulting mask was incorrect. Fix this. Signed-off-by: Russell King arch/arm/common/sa1111.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit cb034407ec3f816540f359300cda1122faabdbbd Author: Russell King Date: Sat Sep 3 10:21:51 2016 +0100 ARM: sa1111: fix error code propagation in sa1111_probe() Ensure that we propagate the platform_get_irq() error code out of the probe function. This allows probe deferrals to work correctly should platform_get_irq() not be able to resolve the interrupt in a DT environment at probe time. Signed-off-by: Russell King arch/arm/common/sa1111.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 817ed5748e40bbc5b5f2aa0c3094c4a7adfb8881 Author: Robert Jarzmik Date: Thu Sep 1 08:31:08 2016 +0200 pcmcia: lubbock: fix sockets configuration On lubbock board, the probe of the driver crashes by dereferencing very early a platform_data structure which is not set, in pxa2xx_configure_sockets(). The stack fixed is : [ 0.244353] SA1111 Microprocessor Companion Chip: silicon revision 1, metal revision 1 [ 0.256321] sa1111 sa1111: Providing IRQ336-390 [ 0.340899] clocksource: Switched to clocksource oscr0 [ 0.472263] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 0.480469] pgd = c0004000 [ 0.483432] [00000004] *pgd=00000000 [ 0.487105] Internal error: Oops: f5 [#1] ARM [ 0.491497] Modules linked in: [ 0.494650] CPU: 0 PID: 1 Comm: swapper Not tainted 4.8.0-rc3-00080-g1aaa68426f0c-dirty #2068 [ 0.503229] Hardware name: Intel DBPXA250 Development Platform (aka Lubbock) [ 0.510344] task: c3e42000 task.stack: c3e44000 [ 0.514984] PC is at pxa2xx_configure_sockets+0x4/0x24 (drivers/pcmcia/pxa2xx_base.c:227) [ 0.520193] LR is at pcmcia_lubbock_init+0x1c/0x38 [ 0.525079] pc : [] lr : [] psr: a0000053 [ 0.525079] sp : c3e45e70 ip : 100019ff fp : 00000000 [ 0.536651] r10: c0828900 r9 : c0434838 r8 : 00000000 [ 0.541953] r7 : c0820700 r6 : c0857b30 r5 : c3ec1400 r4 : c0820758 [ 0.548549] r3 : 00000000 r2 : 0000000c r1 : c3c09c40 r0 : c3ec1400 [ 0.555154] Flags: NzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none [ 0.562450] Control: 0000397f Table: a0004000 DAC: 00000053 [ 0.568257] Process swapper (pid: 1, stack limit = 0xc3e44190) [ 0.574154] Stack: (0xc3e45e70 to 0xc3e46000) [ 0.578610] 5e60: c4849800 00000000 c3ec1400 c024769c [ 0.586928] 5e80: 00000000 c3ec140c c3c0ee0c c3ec1400 c3ec1434 c020c410 c3ec1400 c3ec1434 [ 0.595244] 5ea0: c0820700 c080b408 c0828900 c020c5f8 00000000 c0820700 c020c578 c020ac5c [ 0.603560] 5ec0: c3e687cc c3e71e10 c0820700 00000000 c3c02de0 c020bae4 c03c62f7 c03c62f7 [ 0.611872] 5ee0: c3e68780 c0820700 c042e034 00000000 c043c440 c020cdec c080b408 00000005 [ 0.620188] 5f00: c042e034 c00096c0 c0034440 c01c730c 20000053 ffffffff 00000000 00000000 [ 0.628502] 5f20: 00000000 c3ffcb87 c3ffcb90 c00346ac c3e66ba0 c03f7914 00000092 00000005 [ 0.636811] 5f40: 00000005 c03f847c 00000091 c03f847c 00000000 00000005 c0434828 00000005 [ 0.645125] 5f60: c043482c 00000092 c043c440 c0828900 c0434838 c0418d2c 00000005 00000005 [ 0.653430] 5f80: 00000000 c041858c 00000000 c032e9f0 00000000 00000000 00000000 00000000 [ 0.661729] 5fa0: 00000000 c032e9f8 00000000 c000f0f0 00000000 00000000 00000000 00000000 [ 0.670020] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 0.678311] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [ 0.686673] (pxa2xx_configure_sockets) from pcmcia_lubbock_init (/drivers/pcmcia/sa1111_lubbock.c:161) [ 0.696026] (pcmcia_lubbock_init) from pcmcia_probe (/drivers/pcmcia/sa1111_generic.c:213) [ 0.704358] (pcmcia_probe) from driver_probe_device (/drivers/base/dd.c:378 /drivers/base/dd.c:499) [ 0.712848] (driver_probe_device) from __driver_attach (/./include/linux/device.h:983 /drivers/base/dd.c:733) [ 0.721414] (__driver_attach) from bus_for_each_dev (/drivers/base/bus.c:313) [ 0.729723] (bus_for_each_dev) from bus_add_driver (/drivers/base/bus.c:708) [ 0.738036] (bus_add_driver) from driver_register (/drivers/base/driver.c:169) [ 0.746185] (driver_register) from do_one_initcall (/init/main.c:778) [ 0.754561] (do_one_initcall) from kernel_init_freeable (/init/main.c:843 /init/main.c:851 /init/main.c:869 /init/main.c:1016) [ 0.763409] (kernel_init_freeable) from kernel_init (/init/main.c:944) [ 0.771660] (kernel_init) from ret_from_fork (/arch/arm/kernel/entry-common.S:119) [ 0.779347] Code: c03c6305 c03c631e c03c632e e5903048 (e993000c) All code ======== 0: c03c6305 eorsgt r6, ip, r5, lsl #6 4: c03c631e eorsgt r6, ip, lr, lsl r3 8: c03c632e eorsgt r6, ip, lr, lsr #6 c: e5903048 ldr r3, [r0, #72] ; 0x48 10:* e993000c ldmib r3, {r2, r3} <-- trapping instruction Signed-off-by: Robert Jarzmik Signed-off-by: Russell King drivers/pcmcia/pxa2xx_base.c | 9 +++++---- drivers/pcmcia/pxa2xx_base.h | 2 +- drivers/pcmcia/sa1111_lubbock.c | 2 +- 3 files changed, 7 insertions(+), 6 deletions(-) commit 3f8df892b2312011f2ba73aedc0a192d70b8844e Author: Russell King Date: Fri Sep 2 10:14:20 2016 +0100 pcmcia: sa1111: fix propagation of lowlevel board init return code When testing Lubbock, it was noticed that the sa1111 pcmcia driver bound but was not functional due to no sockets being registered. This is because the return code from the lowlevel board initialisation was not being propagated out of the probe function. Fix this. Tested-by: Robert Jarzmik Signed-off-by: Russell King drivers/pcmcia/sa1111_badge4.c | 22 ++++++++-------------- drivers/pcmcia/sa1111_generic.c | 22 +++++++++++++++++----- drivers/pcmcia/sa1111_jornada720.c | 25 ++++++++++--------------- drivers/pcmcia/sa1111_lubbock.c | 32 +++++++++++++------------------- drivers/pcmcia/sa1111_neponset.c | 26 ++++++++++---------------- 5 files changed, 58 insertions(+), 69 deletions(-) commit a466ebd2fc6a793e55f028a008b9f094d7d30fe3 Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: soc_common: fix SS_STSCHG polarity SS_STSCHG should be set for an IO card when the BVD1 signal is asserted low, not high. Signed-off-by: Russell King drivers/pcmcia/soc_common.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cbd5a16820e576d26bf985ad62b8c4cdf792fb45 Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: sa11xx_base: add units to the timing information Add units to the timing information, so we know that the numbers are nanoseconds. The output changes from: I/O : 165 (172) attribute: 300 (316) common : 300 (316) to: I/O : 165ns (172ns) attribute: 300ns (316ns) common : 300ns (316ns) Signed-off-by: Russell King drivers/pcmcia/sa11xx_base.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 6dec04e8f30a8cf1e782500244d8601c1f8505ad Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: sa11xx_base: fix reporting of timing information Fix the reporting of the currently programmed timing information. These entries have been showing zero due to the clock rate being a factor of 1000 too big. With this change, we go from: I/O : 165 (0) attribute: 300 (0) common : 300 (0) to: I/O : 165 (172) attribute: 300 (316) common : 300 (316) Signed-off-by: Russell King drivers/pcmcia/sa11xx_base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ad8d52b897a14711e026889053befbbee7fd51ba Author: Russell King Date: Wed Aug 31 08:49:43 2016 +0100 pcmcia: ds: fix suspend/resume PCMCIA suspend/resume no longer works since the commit mentioned below, as the callbacks are no longer made. Convert the driver to the new dev_pm_ops, which restores the suspend/resume functionality. Tested on the arm arch Assabet platform. Fixes: aa8e54b559479 ("PM / sleep: Go direct_complete if driver has no callbacks") Signed-off-by: Russell King drivers/pcmcia/ds.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit df6ef5d8a87ace995d5c10a7bd684be05911a321 Author: Felix Fietkau Date: Sun Sep 4 18:00:59 2016 +0200 mac80211: fix sequence number assignment for PS response frames When using intermediate queues, sequence number allocation is deferred until dequeue. This doesn't work for PS response frames, which bypass those queues. Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg net/mac80211/tx.c | 65 ++++++++++++++++++++++++++++--------------------------- 1 file changed, 33 insertions(+), 32 deletions(-) commit 83843c80dcf11a78995d167255b03072a1e49c2c Author: Felix Fietkau Date: Sun Aug 28 13:10:37 2016 +0200 mac80211: fix tim recalculation after PS response Handle the case where the mac80211 intermediate queues are empty and the driver has buffered frames Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation") Signed-off-by: Felix Fietkau Signed-off-by: Johannes Berg net/mac80211/sta_info.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 3ae50f4512ce831e8b63eb54ad969417ff30ada7 Author: Lee Jones Date: Thu Sep 8 11:11:36 2016 +0200 mmc: sdhci-st: Handle interconnect clock Some ST platforms contain interconnect (ICN) clocks which must be handed correctly in order to obtain full functionality of a given IP. In this case, if the ICN clocks are not handled properly by the ST SDHCI driver MMC will break and the following output can be observed: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. A decent point was raised about minimising the use of a local variable that we 'could' do without. I've chosen consistency over the possibility of reducing the local variable count by 1. Thinking that it's more important for the code to be grouped and authoured in a similar manner/style for greater maintainability/readability. Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Signed-off-by: Ulf Hansson drivers/mmc/host/sdhci-st.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) commit 981b178964d03f6f8e6cca01568c17d1dbafdf0e Author: Lee Jones Date: Thu Sep 8 11:11:35 2016 +0200 dt-bindings: mmc: sdhci-st: Mention the discretionary "icn" clock The interconnect (ICN) clock is required for functional working of MMC on some ST platforms. When not supplied it can result in broken MMC and the following output: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. Signed-off-by: Lee Jones Signed-off-by: Ulf Hansson Documentation/devicetree/bindings/mmc/sdhci-st.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f190fd92458da3e869b4e2c6289e2c617490ae53 Author: Daniele Palmas Date: Fri Sep 2 10:37:56 2016 +0200 USB: serial: simple: add support for another Infineon flashloader This patch adds support for Infineon flashloader 0x8087/0x0801. The flashloader is used in Telit LE940B modem family with Telit flashing application. Signed-off-by: Daniele Palmas Cc: stable Signed-off-by: Johan Hovold drivers/usb/serial/usb-serial-simple.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9395452b4aab7bc2475ef8935b4a4fb99d778d70 Author: Linus Torvalds Date: Sun Sep 11 20:02:25 2016 -0700 Linux 4.8-rc6 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ffed15d3ce3f710b94e6f402e1ca2318f7d7c0e2 Author: Michael Ellerman Date: Mon Sep 12 12:48:28 2016 +1000 powerpc/kernel: Fix size of NUM_CPU_FTR_KEYS on 32-bit The number of CPU feature keys is meant to map 1:1 to the number of CPU feature flags defined in cputable.h, and the latter must fit in an unsigned long. In commit 4db7327194db ("powerpc: Add option to use jump label for cpu_has_feature()"), I incorrectly defined NUM_CPU_FTR_KEYS to 64. There should be no real adverse consequences of this bug, other than us allocating too many keys. Fix it by using BITS_PER_LONG. Fixes: 4db7327194db ("powerpc: Add option to use jump label for cpu_has_feature()") Tested-by: Meelis Roos Signed-off-by: Michael Ellerman arch/powerpc/include/asm/cpu_has_feature.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit bd00a240dc52e28706fbbe3aceda63e6c291b433 Author: Gautham R. Shenoy Date: Wed Sep 7 10:46:30 2016 +0530 powerpc/powernv: Fix restore of SPRs upon wake up from hypervisor state loss pnv_wakeup_tb_loss() currently expects cr4 to be "eq" if the CPU is waking up from a complete hypervisor state loss. Hence, it currently restores the SPR contents only if cr4 is "eq". However, after commit bcef83a00dc4 ("powerpc/powernv: Add platform support for stop instruction"), on ISA v3.0 CPUs, the function pnv_restore_hyp_resource() sets cr4 to contain the result of the comparison between the state the CPU has woken up from and the first deep stop state before calling pnv_wakeup_tb_loss(). Thus if the CPU woke up from a state that is deeper than the first deep stop state, cr4 will have "gt" set and hence, pnv_wakeup_tb_loss() will fail to restore the SPRs on waking up from such a state. Fix the code in pnv_wakeup_tb_loss() to restore the SPR states when cr4 is "eq" or "gt". Fixes: bcef83a00dc4 ("powerpc/powernv: Add platform support for stop instruction") Signed-off-by: Gautham R. Shenoy Reviewed-by: Shreyas B. Prabhu Signed-off-by: Michael Ellerman arch/powerpc/kernel/idle_book3s.S | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 373df3131aa83bd3e0ea7cd15be92d942d75fc72 Merge: e148788 7a61fc8 Author: David S. Miller Date: Sun Sep 11 19:40:26 2016 -0700 Merge branch 'mlx4-fixes' Tariq Toukan says: ==================== mlx4 fixes This patchset contains several bug fixes from the team to the mlx4 Eth driver. Series generated against net commit: c2f57fb97da5 "drivers: net: phy: mdio-xgene: Add hardware dependency" v2: * excluded some cleanup patches. ==================== Signed-off-by: David S. Miller commit 7a61fc86af4a0c957c5b8c5777ab21d5cc286748 Author: Moshe Shemesh Date: Sun Sep 11 10:56:20 2016 +0300 net/mlx4_en: Fix panic on xmit while port is down When port is down, tx drop counter update is not needed. Updating the counter in this case can cause a kernel panic as when the port is down, ring can be NULL. Fixes: 63a664b7e92b ("net/mlx4_en: fix tx_dropped bug") Signed-off-by: Moshe Shemesh Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_tx.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 564ed9b187082da79726a2f25bb88a58ebeec7e8 Author: Tariq Toukan Date: Sun Sep 11 10:56:19 2016 +0300 net/mlx4_en: Fixes for DCBX This patch adds a capability check before enabling DCBX. In addition, it re-organizes the relevant data structures, and fixes a typo in a define. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 31 +++++++++++++------------- drivers/net/ethernet/mellanox/mlx4/en_netdev.c | 21 +++++++---------- drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 15 +++---------- drivers/net/ethernet/mellanox/mlx4/port.c | 4 ++-- 4 files changed, 28 insertions(+), 43 deletions(-) commit c677071741343381f4f555867c04af7ec4a90869 Author: Kamal Heib Date: Sun Sep 11 10:56:18 2016 +0300 net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_state() mlx4_en_dcbnl_set_state() returns u8, the return value from mlx4_en_setup_tc() could be negative in case of failure, so fix that. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Kamal Heib Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 74a9e9054456658f047bf71d9108844defde793d Author: Kamal Heib Date: Sun Sep 11 10:56:17 2016 +0300 net/mlx4_en: Fix the return value of mlx4_en_dcbnl_set_all() mlx4_en_dcbnl_set_all() returns u8, so return value can't be negative in case of failure. Fixes: af7d51852631 ("net/mlx4_en: Add DCB PFC support through CEE netlink commands") Signed-off-by: Kamal Heib Signed-off-by: Rana Shahout Reported-by: Dan Carpenter Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx4/en_dcb_nl.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) commit bd0b841fee49de421f615cc173ccff063303672f Author: Linus Torvalds Date: Sun Sep 11 14:41:49 2016 -0700 nvme: make NVME_RDMA depend on BLOCK Commit aa71987472a9 ("nvme: fabrics drivers don't need the nvme-pci driver") removed the dependency on BLK_DEV_NVME, but the cdoe does depend on the block layer (which used to be an implicit dependency through BLK_DEV_NVME). Otherwise you get various errors from the kbuild test robot random config testing when that happens to hit a configuration with BLOCK device support disabled. Cc: Christoph Hellwig Cc: Jay Freyensee Cc: Sagi Grimberg Signed-off-by: Linus Torvalds drivers/nvme/host/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2afe669acdcea66d95b94bbcdc1412210ea218d6 Merge: 61c3dae 72d508a Author: Linus Torvalds Date: Sun Sep 11 14:23:48 2016 -0700 Merge tag 'staging-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull IIO fixes from Greg KH: "Here are a few small IIO fixes for 4.8-rc6. Nothing major, full details are in the shortlog, all of these have been in linux-next with no reported issues" * tag 'staging-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: iio:core: fix IIO_VAL_FRACTIONAL sign handling iio: ensure ret is initialized to zero before entering do loop iio: accel: kxsd9: Fix scaling bug iio: accel: bmc150: reset chip at init time iio: fix pressure data output unit in hid-sensor-attributes tools:iio:iio_generic_buffer: fix trigger-less mode commit 61c3dae670436131647c2f05a9ba3571503b79ff Merge: 98ac9a6 6b98174 Author: Linus Torvalds Date: Sun Sep 11 14:10:29 2016 -0700 Merge tag 'usb-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB gadget, phy, and xhci fixes for 4.8-rc6. All of these resolve minor issues that have been reported, and all have been in linux-next with no reported issues" * tag 'usb-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase xhci: fix null pointer dereference in stop command timeout function usb: dwc3: pci: fix build warning on !PM_SLEEP usb: gadget: prevent potenial null pointer dereference on skb->len usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition usb: phy: phy-generic: Check clk_prepare_enable() error usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON Revert "usb: dwc3: gadget: always decrement by 1" commit b519d408ea32040b1c7e10b155a3ee9a36660947 Author: Trond Myklebust Date: Sun Sep 11 14:50:01 2016 -0400 NFSv4.1: Fix the CREATE_SESSION slot number accounting Ensure that we conform to the algorithm described in RFC5661, section 18.36.4 for when to bump the sequence id. In essence we do it for all cases except when the RPC call timed out, or in case of the server returning NFS4ERR_DELAY or NFS4ERR_STALE_CLIENTID. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org fs/nfs/nfs4proc.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) commit e1487888eccc83e9eb5a3659955f79b039dc7945 Author: Chris Brandt Date: Wed Sep 7 14:57:09 2016 -0400 net: ethernet: renesas: sh_eth: add POST registers for rz Due to a mistake in the hardware manual, the FWSLC and POST1-4 registers were not documented and left out of the driver for RZ/A making the CAM feature non-operational. Additionally, when the offset values for POST1-4 are left blank, the driver attempts to set them using an offset of 0xFFFF which can cause a memory corruption or panic. This patch fixes the panic and properly enables CAM. Reported-by: Daniel Palmer Signed-off-by: Chris Brandt Acked-by: Sergei Shtylyov Signed-off-by: David S. Miller drivers/net/ethernet/renesas/sh_eth.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 4af2ff91ec3f42b538a65cf12df5f9faf6aaa914 Author: Hans de Goede Date: Wed Sep 7 19:32:14 2016 -0700 Input: silead_gsl1680 - use "silead/" prefix for firmware loading The silead touch-controller ICs use a different firmware per digitizer / tablet model. So there are going to be quite a few of then and they really should be under a separate subdir. This commit prefixes the default firmware names with "silead/" just like we are already doing for devicetree specified firmware names. Signed-off-by: Hans de Goede Signed-off-by: Dmitry Torokhov drivers/input/touchscreen/silead.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) commit 43ba588346455dcc984dc98a49af1c2eb1e9aa75 Author: Hans de Goede Date: Wed Sep 7 19:25:37 2016 -0700 Input: silead_gsl1680 - document firmware-name, fix implementation The driver has supported touchscreen-fw-name to specify the firmware to load since it has been merged, but this was omitted from the dt-binding documentation. During review of adding touchscreen-fw-name to the binding documentation it was brought up that there is a standard property name called "firmware-name" for this, which should be used. Since there are no users of touchscreen-fw-name yet, this commit adds documentation of "firmware-name" to the dt-binding documentation and switches the driver over to use this. This commit also makes the driver add a "silead/" prefix to the firmware name from dt before calling request_firmware. That the firmware files are stored under /lib/firmware/silead under Linux is an implementation detail and does not belong in devicetree. Signed-off-by: Hans de Goede Acked-by: Rob Herring Signed-off-by: Dmitry Torokhov .../devicetree/bindings/input/touchscreen/silead_gsl1680.txt | 1 + drivers/input/touchscreen/silead.c | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) commit 98ac9a608dc79ba8a20cee77fe959a6dfccdaa63 Merge: b8db371 1e8b8d9 Author: Linus Torvalds Date: Sat Sep 10 09:58:52 2016 -0700 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: "nvdimm fixes for v4.8, two of them are tagged for -stable: - Fix devm_memremap_pages() to use track_pfn_insert(). Otherwise, DAX pmd mappings end up with an uncached pgprot, and unusable performance for the device-dax interface. The device-dax interface appeared in 4.7 so this is tagged for -stable. - Fix a couple VM_BUG_ON() checks in the show_smaps() path to understand DAX pmd entries. This fix is tagged for -stable. - Fix a mis-merge of the nfit machine-check handler to flip the polarity of an if() to match the final version of the patch that Vishal sent for 4.8-rc1. Without this the nfit machine check handler never detects / inserts new 'badblocks' entries which applications use to identify lost portions of files. - For test purposes, fix the nvdimm_clear_poison() path to operate on legacy / simulated nvdimm memory ranges. Without this fix a test can set badblocks, but never clear them on these ranges. - Fix the range checking done by dax_dev_pmd_fault(). This is not tagged for -stable since this problem is mitigated by specifying aligned resources at device-dax setup time. These patches have appeared in a next release over the past week. The recent rebase you can see in the timestamps was to drop an invalid fix as identified by the updated device-dax unit tests [1]. The -mm touches have an ack from Andrew" [1]: "[ndctl PATCH 0/3] device-dax test for recent kernel bugs" https://lists.01.org/pipermail/linux-nvdimm/2016-September/006855.html * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: libnvdimm: allow legacy (e820) pmem region to clear bad blocks nfit, mce: Fix SPA matching logic in MCE handler mm: fix cache mode of dax pmd mappings mm: fix show_smap() for zone_device-pmd ranges dax: fix mapping size check commit b8db3714d7479881e23de20735f60f1733723241 Merge: 6905732 cbfff43 Author: Linus Torvalds Date: Sat Sep 10 09:43:10 2016 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "Mostly driver bugfixes, but also a few cleanups which are nice to have out of the way" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: rk3x: Restore clock settings at resume time i2c: Spelling s/acknowedge/acknowledge/ i2c: designware: save the preset value of DW_IC_SDA_HOLD Documentation: i2c: slave-interface: add note for driver development i2c: mux: demux-pinctrl: run properly with multiple instances i2c: bcm-kona: fix inconsistent indenting i2c: rcar: use proper device with dma_mapping_error i2c: sh_mobile: use proper device with dma_mapping_error i2c: mux: demux-pinctrl: invalidate properly when switching fails commit 6905732c80bc7f85602abbe27f7bdc3fe81f56d0 Merge: d0acc7d ba63f23 Author: Linus Torvalds Date: Sat Sep 10 09:18:33 2016 -0700 Merge tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull fscrypto fixes fromTed Ts'o: "Fix some brown-paper-bag bugs for fscrypto, including one one which allows a malicious user to set an encryption policy on an empty directory which they do not own" * tag 'for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: fscrypto: require write access to mount to set encryption policy fscrypto: only allow setting encryption policy on directories fscrypto: add authorization check for setting encryption policy commit 8ef9b8455a2a3049efa9e46e8a6402b972a3eb41 Author: Peter Zijlstra Date: Wed Sep 7 14:42:55 2016 +0200 perf/x86/intel: Fix PEBSv3 record drain Alexander hit the WARN_ON_ONCE(!event) on his Skylake while running the perf fuzzer. This means the PEBSv3 record included a status bit for an inactive event, something that _should_ not happen. Move the code that filters the status bits against our known PEBS events up a spot to guarantee we only deal with events we know about. Further add "continue" statements to the WARN_ON_ONCE()s such that we'll not die nor generate silly events in case we ever do hit them again. Reported-by: Alexander Shishkin Tested-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Kan Liang Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: stable@vger.kernel.org Fixes: a3d86542de88 ("perf/x86/intel/pebs: Add PEBSv3 decoding") Signed-off-by: Ingo Molnar arch/x86/events/intel/ds.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) commit ef9ef3befa0d76008e988a9ed9fe439e803351b9 Author: Alexander Shishkin Date: Tue Sep 6 16:23:53 2016 +0300 perf/x86/intel/bts: Kill a silly warning At the moment, intel_bts will WARN() out if there is more than one event writing to the same ring buffer, via SET_OUTPUT, and will only send data from one event to a buffer. There is no reason to have this warning in, so kill it. Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-6-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 2 -- 1 file changed, 2 deletions(-) commit 4d4c474124649198d9b0a065c06f9362cf18e14e Author: Alexander Shishkin Date: Tue Sep 6 16:23:52 2016 +0300 perf/x86/intel/bts: Fix BTS PMI detection Since BTS doesn't have a dedicated PMI status bit, the driver needs to take extra care to check for the condition that triggers it to avoid spurious NMI warnings. Regardless of the local BTS context state, the only way of knowing that the NMI is ours is to compare the write pointer against the interrupt threshold. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-5-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit a9a94401c2b5805c71e39427b1af1bf1b9f67cd0 Author: Alexander Shishkin Date: Tue Sep 6 16:23:51 2016 +0300 perf/x86/intel/bts: Fix confused ordering of PMU callbacks The intel_bts driver is using a CPU-local 'started' variable to order callbacks and PMIs and make sure that AUX transactions don't get messed up. However, the ordering rules in regard to this variable is a complete mess, which recently resulted in perf_fuzzer-triggered warnings and panics. The general ordering rule that is patch is enforcing is that this cpu-local variable be set only when the cpu-local AUX transaction is active; consequently, this variable is to be checked before the AUX related bits can be touched. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-4-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar arch/x86/events/intel/bts.c | 104 ++++++++++++++++++++++++++++++++++---------- 1 file changed, 80 insertions(+), 24 deletions(-) commit b79ccadd6bb10e72cf784a298ca6dc1398eb9a24 Author: Alexander Shishkin Date: Tue Sep 6 16:23:50 2016 +0300 perf/core: Fix aux_mmap_count vs aux_refcount order The order of accesses to ring buffer's aux_mmap_count and aux_refcount has to be preserved across the users, namely perf_mmap_close() and perf_aux_output_begin(), otherwise the inversion can result in the latter holding the last reference to the aux buffer and subsequently free'ing it in atomic context, triggering a warning. > ------------[ cut here ]------------ > WARNING: CPU: 0 PID: 257 at kernel/events/ring_buffer.c:541 __rb_free_aux+0x11a/0x130 > CPU: 0 PID: 257 Comm: stopbug Not tainted 4.8.0-rc1+ #2596 > Call Trace: > [] __warn+0xcb/0xf0 > [] warn_slowpath_null+0x1d/0x20 > [] __rb_free_aux+0x11a/0x130 > [] rb_free_aux+0x18/0x20 > [] perf_aux_output_begin+0x163/0x1e0 > [] bts_event_start+0x3a/0xd0 > [] bts_event_add+0x5d/0x80 > [] event_sched_in.isra.104+0xf6/0x2f0 > [] group_sched_in+0x6e/0x190 > [] ctx_sched_in+0x2fe/0x5f0 > [] perf_event_sched_in+0x60/0x80 > [] ctx_resched+0x5b/0x90 > [] __perf_event_enable+0x1e1/0x240 > [] event_function+0xa9/0x180 > [] ? perf_cgroup_attach+0x70/0x70 > [] remote_function+0x3f/0x50 > [] flush_smp_call_function_queue+0x83/0x150 > [] generic_smp_call_function_single_interrupt+0x13/0x60 > [] smp_call_function_single_interrupt+0x27/0x40 > [] call_function_single_interrupt+0x89/0x90 > [] finish_task_switch+0xa6/0x210 > [] ? finish_task_switch+0x67/0x210 > [] __schedule+0x3dd/0xb50 > [] schedule+0x35/0x80 > [] sys_sched_yield+0x61/0x70 > [] entry_SYSCALL_64_fastpath+0x18/0xa8 > ---[ end trace 6235f556f5ea83a9 ]--- This patch puts the checks in perf_aux_output_begin() in the same order as that of perf_mmap_close(). Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-3-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/ring_buffer.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit 767ae08678c2c796bcd7f582ee457aee20a28a1e Author: Alexander Shishkin Date: Tue Sep 6 16:23:49 2016 +0300 perf/core: Fix a race between mmap_close() and set_output() of AUX events In the mmap_close() path we need to stop all the AUX events that are writing data to the AUX area that we are unmapping, before we can safely free the pages. To determine if an event needs to be stopped, we're comparing its ->rb against the one that's getting unmapped. However, a SET_OUTPUT ioctl may turn up inside an AUX transaction and swizzle event::rb to some other ring buffer, but the transaction will keep writing data to the old ring buffer until the event gets scheduled out. At this point, mmap_close() will skip over such an event and will proceed to free the AUX area, while it's still being used by this event, which will set off a warning in the mmap_close() path and cause a memory corruption. To avoid this, always stop an AUX event before its ->rb is updated; this will release the (potentially) last reference on the AUX area of the buffer. If the event gets restarted, its new ring buffer will be used. If another SET_OUTPUT comes and switches it back to the old ring buffer that's getting unmapped, it's also fine: this ring buffer's aux_mmap_count will be zero and AUX transactions won't start any more. Reported-by: Vince Weaver Signed-off-by: Alexander Shishkin Signed-off-by: Peter Zijlstra (Intel) Cc: Arnaldo Carvalho de Melo Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: vince@deater.net Link: http://lkml.kernel.org/r/20160906132353.19887-2-alexander.shishkin@linux.intel.com Signed-off-by: Ingo Molnar kernel/events/core.c | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) commit ba63f23d69a3a10e7e527a02702023da68ef8a6d Author: Eric Biggers Date: Thu Sep 8 14:20:38 2016 -0700 fscrypto: require write access to mount to set encryption policy Since setting an encryption policy requires writing metadata to the filesystem, it should be guarded by mnt_want_write/mnt_drop_write. Otherwise, a user could cause a write to a frozen or readonly filesystem. This was handled correctly by f2fs but not by ext4. Make fscrypt_process_policy() handle it rather than relying on the filesystem to get it right. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs} Signed-off-by: Theodore Ts'o Acked-by: Jaegeuk Kim fs/crypto/policy.c | 38 +++++++++++++++++++++++++------------- fs/ext4/ioctl.c | 2 +- fs/f2fs/file.c | 9 +-------- include/linux/fscrypto.h | 5 ++--- 4 files changed, 29 insertions(+), 25 deletions(-) commit 348c1bfa84dfc47da1f1234b7f2bf09fa798edea Author: Sachin Prabhu Date: Fri Jul 29 22:38:21 2016 +0100 Move check for prefix path to within cifs_get_root() Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/cifsfs.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) commit c1d8b24d18192764fe82067ec6aa8d4c3bf094e0 Author: Sachin Prabhu Date: Fri Jul 29 22:38:20 2016 +0100 Compare prepaths when comparing superblocks The patch fs/cifs: make share unaccessible at root level mountable makes use of prepaths when any component of the underlying path is inaccessible. When mounting 2 separate shares having different prepaths but are other wise similar in other respects, we end up sharing superblocks when we shouldn't be doing so. Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/connect.c | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) commit 4214ebf4654798309364d0c678b799e402f38288 Author: Sachin Prabhu Date: Fri Jul 29 22:38:19 2016 +0100 Fix memory leaks in cifs_do_mount() Fix memory leaks introduced by the patch fs/cifs: make share unaccessible at root level mountable Also move allocation of cifs_sb->prepath to cifs_setup_cifs_sb(). Signed-off-by: Sachin Prabhu Tested-by: Aurelien Aptel Signed-off-by: Steve French fs/cifs/cifsfs.c | 20 ++++++++------------ fs/cifs/cifsproto.h | 2 +- fs/cifs/connect.c | 10 +++++++++- 3 files changed, 18 insertions(+), 14 deletions(-) commit 002ced4be6429918800ce3e41d5cbc2d7c01822c Author: Eric Biggers Date: Thu Sep 8 11:36:39 2016 -0700 fscrypto: only allow setting encryption policy on directories The FS_IOC_SET_ENCRYPTION_POLICY ioctl allowed setting an encryption policy on nondirectory files. This was unintentional, and in the case of nonempty regular files did not behave as expected because existing data was not actually encrypted by the ioctl. In the case of ext4, the user could also trigger filesystem errors in ->empty_dir(), e.g. due to mismatched "directory" checksums when the kernel incorrectly tried to interpret a regular file as a directory. This bug affected ext4 with kernels v4.8-rc1 or later and f2fs with kernels v4.6 and later. It appears that older kernels only permitted directories and that the check was accidentally lost during the refactoring to share the file encryption code between ext4 and f2fs. This patch restores the !S_ISDIR() check that was present in older kernels. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org Signed-off-by: Theodore Ts'o fs/crypto/policy.c | 2 ++ 1 file changed, 2 insertions(+) commit 163ae1c6ad6299b19e22b4a35d5ab24a89791a98 Author: Eric Biggers Date: Thu Sep 8 10:57:08 2016 -0700 fscrypto: add authorization check for setting encryption policy On an ext4 or f2fs filesystem with file encryption supported, a user could set an encryption policy on any empty directory(*) to which they had readonly access. This is obviously problematic, since such a directory might be owned by another user and the new encryption policy would prevent that other user from creating files in their own directory (for example). Fix this by requiring inode_owner_or_capable() permission to set an encryption policy. This means that either the caller must own the file, or the caller must have the capability CAP_FOWNER. (*) Or also on any regular file, for f2fs v4.6 and later and ext4 v4.8-rc1 and later; a separate bug fix is coming for that. Signed-off-by: Eric Biggers Cc: stable@vger.kernel.org # 4.1+; check fs/{ext4,f2fs} Signed-off-by: Theodore Ts'o fs/crypto/policy.c | 3 +++ 1 file changed, 3 insertions(+) commit f6d7c1b5598b6407c3f1da795dd54acf99c1990c Author: Karl Beldan Date: Mon Aug 29 07:45:49 2016 +0000 mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl This fixes subpage writes when using 4-bit HW ECC. There has been numerous reports about ECC errors with devices using this driver for a while. Also the 4-bit ECC has been reported as broken with subpages in [1] and with 16 bits NANDs in the driver and in mach* board files both in mainline and in the vendor BSPs. What I saw with 4-bit ECC on a 16bits NAND (on an LCDK) which got me to try reinitializing the ECC engine: - R/W on whole pages properly generates/checks RS code - try writing the 1st subpage only of a blank page, the subpage is well written and the RS code properly generated, re-reading the same page the HW detects some ECC error, reading the same page again no ECC error is detected Note that the ECC engine is already reinitialized in the 1-bit case. Tested on my LCDK with UBI+UBIFS using subpages. This could potentially get rid of the issue workarounded in [1]. [1] 28c015a9daab ("mtd: davinci-nand: disable subpage write for keystone-nand") Fixes: 6a4123e581b3 ("mtd: nand: davinci_nand, 4-bit ECC for smallpage") Cc: Signed-off-by: Karl Beldan Acked-by: Boris Brezillon Signed-off-by: Brian Norris drivers/mtd/nand/davinci_nand.c | 3 +++ 1 file changed, 3 insertions(+) commit c2f57fb97da5730509a50e316f353d3da17f6c25 Author: Jean Delvare Date: Thu Sep 8 16:25:15 2016 +0200 drivers: net: phy: mdio-xgene: Add hardware dependency The mdio-xgene driver is only useful on X-Gene SoC. Signed-off-by: Jean Delvare Cc: Iyappan Subramanian Cc: David S. Miller Acked-by: Iyappan Subramanian Signed-off-by: David S. Miller drivers/net/phy/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 0808a29a20322873fbfd3f7b4093ae92d0018e65 Merge: 47b02f7 a071412 Author: David S. Miller Date: Fri Sep 9 19:21:07 2016 -0700 Merge tag 'wireless-drivers-for-davem-2016-09-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 iwlwifi * fix P2P dump trigger * prevent a potential null dereference in iwlmvm * prevent an uninitialized value from being returned in iwlmvm * advertise support for channel width change in AP mode ath10k * fix racy rx status retrieval from htt context * QCA9887 support is not experimental anymore, remove the warning message ath9k * fix regression with led GPIOs * fix AR5416 GPIO access warning brcmfmac * avoid potential stack overflow in brcmf_cfg80211_start_ap() ==================== Signed-off-by: David S. Miller commit 47b02f7294a483387772a46931da942b2ca9d845 Author: Lars Persson Date: Thu Sep 8 13:24:21 2016 +0200 dwc_eth_qos: do not register semi-initialized device We move register_netdev() to the end of dwceqos_probe() to close any races where the netdev callbacks are called before the initialization has finished. Reported-by: Pavel Andrianov Signed-off-by: Lars Persson Signed-off-by: David S. Miller drivers/net/ethernet/synopsys/dwc_eth_qos.c | 38 ++++++++++++++--------------- 1 file changed, 18 insertions(+), 20 deletions(-) commit 7303a1475008bee5c3e82a06a282568415690d72 Author: Marcelo Ricardo Leitner Date: Thu Sep 8 17:54:11 2016 +0800 sctp: identify chunks that need to be fragmented at IP level Previously, without GSO, it was easy to identify it: if the chunk didn't fit and there was no data chunk in the packet yet, we could fragment at IP level. So if there was an auth chunk and we were bundling a big data chunk, it would fragment regardless of the size of the auth chunk. This also works for the context of PMTU reductions. But with GSO, we cannot distinguish such PMTU events anymore, as the packet is allowed to exceed PMTU. So we need another check: to ensure that the chunk that we are adding, actually fits the current PMTU. If it doesn't, trigger a flush and let it be fragmented at IP level in the next round. Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller net/sctp/output.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) commit 1e8b8d9619f9476e94f32eb20cab000d50d236aa Author: Dave Jiang Date: Fri Sep 9 09:10:08 2016 -0700 libnvdimm: allow legacy (e820) pmem region to clear bad blocks Bad blocks can be injected via /sys/block/pmemN/badblocks. In a situation where legacy pmem is being used or a pmem region created by using memmap kernel parameter, the injected bad blocks are not cleared due to nvdimm_clear_poison() failing from lack of ndctl function pointer. In this case we need to just return as handled and allow the bad blocks to be cleared rather than fail. Reviewed-by: Vishal Verma Signed-off-by: Dave Jiang Signed-off-by: Dan Williams drivers/nvdimm/bus.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 2e21807d4b131dfd4a8e5c82116a85b62f28aeec Author: Vishal Verma Date: Fri Sep 2 17:27:30 2016 -0600 nfit, mce: Fix SPA matching logic in MCE handler The check for a 'pmem' type SPA in the MCE handler was inverted due to a merge/rebase error. Fixes: 6839a6d nfit: do an ARS scrub on hitting a latent media error Cc: linux-acpi@vger.kernel.org Cc: Dan Williams Signed-off-by: Vishal Verma Signed-off-by: Dan Williams drivers/acpi/nfit/mce.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9049771f7d5490a302589976984810064c83ab40 Author: Dan Williams Date: Wed Sep 7 08:51:21 2016 -0700 mm: fix cache mode of dax pmd mappings track_pfn_insert() in vmf_insert_pfn_pmd() is marking dax mappings as uncacheable rendering them impractical for application usage. DAX-pte mappings are cached and the goal of establishing DAX-pmd mappings is to attain more performance, not dramatically less (3 orders of magnitude). track_pfn_insert() relies on a previous call to reserve_memtype() to establish the expected page_cache_mode for the range. While memremap() arranges for reserve_memtype() to be called, devm_memremap_pages() does not. So, teach track_pfn_insert() and untrack_pfn() how to handle tracking without a vma, and arrange for devm_memremap_pages() to establish the write-back-cache reservation in the memtype tree. Cc: Cc: Matthew Wilcox Cc: Ross Zwisler Cc: Nilesh Choudhury Cc: Kirill A. Shutemov Reported-by: Toshi Kani Reported-by: Kai Zhang Acked-by: Andrew Morton Signed-off-by: Dan Williams arch/x86/mm/pat.c | 17 ++++++++++------- kernel/memremap.c | 9 +++++++++ 2 files changed, 19 insertions(+), 7 deletions(-) commit ca120cf688874f4423e579e7cc5ddf7244aeca45 Author: Dan Williams Date: Sat Sep 3 10:38:03 2016 -0700 mm: fix show_smap() for zone_device-pmd ranges Attempting to dump /proc//smaps for a process with pmd dax mappings currently results in the following VM_BUG_ONs: kernel BUG at mm/huge_memory.c:1105! task: ffff88045f16b140 task.stack: ffff88045be14000 RIP: 0010:[] [] follow_trans_huge_pmd+0x2cb/0x340 [..] Call Trace: [] smaps_pte_range+0xa0/0x4b0 [] ? vsnprintf+0x255/0x4c0 [] __walk_page_range+0x1fe/0x4d0 [] walk_page_vma+0x62/0x80 [] show_smap+0xa6/0x2b0 kernel BUG at fs/proc/task_mmu.c:585! RIP: 0010:[] [] smaps_pte_range+0x499/0x4b0 Call Trace: [] ? vsnprintf+0x255/0x4c0 [] __walk_page_range+0x1fe/0x4d0 [] walk_page_vma+0x62/0x80 [] show_smap+0xa6/0x2b0 These locations are sanity checking page flags that must be set for an anonymous transparent huge page, but are not set for the zone_device pages associated with dax mappings. Cc: Ross Zwisler Cc: Kirill A. Shutemov Acked-by: Andrew Morton Signed-off-by: Dan Williams fs/proc/task_mmu.c | 2 ++ mm/huge_memory.c | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) commit 1b672f5fefa80bfcb8d11df1d7ee1cb1bb4f4fb4 Merge: 2c2c8e3 3247ff2 Author: David S. Miller Date: Fri Sep 9 16:56:54 2016 -0700 Merge branch 'mlxsw-fixes' Jiri Pirko says: ==================== mlxsw: couple of fixes Couple of fixes from Ido and myself. ==================== Signed-off-by: David S. Miller commit 3247ff2b318f3eeaaf32163ce39ddaac23e9a6f9 Author: Ido Schimmel Date: Thu Sep 8 08:16:02 2016 +0200 mlxsw: spectrum: Set port type before setting its address During port init, we currently set the port's type to Ethernet after setting its MAC address. However, the hardware documentation states this should be the other way around. Align the driver with the hardware documentation and set the port's MAC address after setting its type. Fixes: 56ade8fe3fe1 ("mlxsw: spectrum: Add initial support for Spectrum ASIC") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) commit 40d259045500c6431633f215516c1f94bac8c62f Author: Jiri Pirko Date: Thu Sep 8 08:16:01 2016 +0200 mlxsw: spectrum_router: Fix error path in mlxsw_sp_router_init When neigh_init fails, we have to do proper cleanup including router_fini call. Fixes: 6cf3c971dc84cb ("mlxsw: spectrum_router: Add private neigh table") Signed-off-by: Jiri Pirko Acked-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 Author: Al Viro Date: Wed Aug 17 16:36:37 2016 -0400 asm-generic: make copy_from_user() zero the destination properly ... in all cases, including the failing access_ok() Note that some architectures using asm-generic/uaccess.h have __copy_from_user() not zeroing the tail on failure halfway through. This variant works either way. Cc: stable@vger.kernel.org Signed-off-by: Al Viro include/asm-generic/uaccess.h | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 2561d309dfd1555e781484af757ed0115035ddb3 Author: Al Viro Date: Wed Aug 17 16:02:32 2016 -0400 alpha: fix copy_from_user() it should clear the destination even when access_ok() fails. Cc: stable@vger.kernel.org Signed-off-by: Al Viro arch/alpha/include/asm/uaccess.h | 19 ++++++++----------- 1 file changed, 8 insertions(+), 11 deletions(-) commit 7d762e49c2117d3829eb3355f2617aea080ed3a7 Author: Sebastian Andrzej Siewior Date: Fri Sep 9 18:08:23 2016 +0200 perf/x86/amd/uncore: Prevent use after free The resent conversion of the cpu hotplug support in the uncore driver introduced a regression due to the way the callbacks are invoked at initialization time. The old code called the prepare/starting/online function on each online cpu as a block. The new code registers the hotplug callbacks in the core for each state. The core invokes the callbacks at each registration on all online cpus. The code implicitely relied on the prepare/starting/online callbacks being called as combo on a particular cpu, which was not obvious and completely undocumented. The resulting subtle wreckage happens due to the way how the uncore code manages shared data structures for cpus which share an uncore resource in hardware. The sharing is determined in the cpu starting callback, but the prepare callback allocates per cpu data for the upcoming cpu because potential sharing is unknown at this point. If the starting callback finds a online cpu which shares the hardware resource it takes a refcount on the percpu data of that cpu and puts the own data structure into a 'free_at_online' pointer of that shared data structure. The online callback frees that. With the old model this worked because in a starting callback only one non unused structure (the one of the starting cpu) was available. The new code allocates the data structures for all cpus when the prepare callback is registered. Now the starting function iterates through all online cpus and looks for a data structure (skipping its own) which has a matching hardware id. The id member of the data structure is initialized to 0, but the hardware id can be 0 as well. The resulting wreckage is: CPU0 finds a matching id on CPU1, takes a refcount on CPU1 data and puts its own data structure into CPU1s data structure to be freed. CPU1 skips CPU0 because the data structure is its allegedly unsued own. It finds a matching id on CPU2, takes a refcount on CPU1 data and puts its own data structure into CPU2s data structure to be freed. .... Now the online callbacks are invoked. CPU0 has a pointer to CPU1s data and frees the original CPU0 data. So far so good. CPU1 has a pointer to CPU2s data and frees the original CPU1 data, which is still referenced by CPU0 ---> Booom So there are two issues to be solved here: 1) The id field must be initialized at allocation time to a value which cannot be a valid hardware id, i.e. -1 This prevents the above scenario, but now CPU1 and CPU2 both stick their own data structure into the free_at_online pointer of CPU0. So we leak CPU1s data structure. 2) Fix the memory leak described in #1 Instead of having a single pointer, use a hlist to enqueue the superflous data structures which are then freed by the first cpu invoking the online callback. Ideally we should know the sharing _before_ invoking the prepare callback, but that's way beyond the scope of this bug fix. [ tglx: Rewrote changelog ] Fixes: 96b2bd3866a0 ("perf/x86/amd/uncore: Convert to hotplug state machine") Reported-and-tested-by: Eric Sandeen Signed-off-by: Sebastian Andrzej Siewior Cc: Borislav Petkov Link: http://lkml.kernel.org/r/20160909160822.lowgmkdwms2dheyv@linutronix.de Signed-off-by: Thomas Gleixner arch/x86/events/amd/uncore.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) commit d0acc7dfd90eb97e90ccd42a567034017ec60fb8 Merge: daf6b9b 5e59d9a Author: Linus Torvalds Date: Fri Sep 9 14:52:05 2016 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "This includes a couple of bugfixs for virtio. The virtio console patch is actually also in x86/tip targeting 4.9 because it helps vmap stacks, but it also fixes IOMMU_PLATFORM which was added in 4.8, and it seems important not to ship that in a broken configuration" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: virtio_console: Stop doing DMA on the stack virtio: mark vring_dma_dev() static commit daf6b9b68fca57effe3fcf74a8528f17516c420f Merge: c4a6c70 8a2a835 Author: Linus Torvalds Date: Fri Sep 9 14:47:41 2016 -0700 Merge tag 'pm-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "This includes a PM QoS framework fix from Tejun to prevent interrupts from being enabled unexpectedly during early boot and a cpufreq documentation fix. Specifics: - If the PM QoS framework invokes cancel_delayed_work_sync() during early boot, it will enable interrupts which is not expected at that point, so prevent it from happening (Tejun Heo) - Fix cpufreq statistic documentation to follow a recent change in behavior that forgot to update it as appropriate (Jean Delvare)" * tag 'pm-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq-stats: Minor documentation fix PM / QoS: avoid calling cancel_delayed_work_sync() during early boot commit 8a2a835bbcaa6af0ec659606d3eabc23ccaaab80 Merge: c86d06b 3732b30 Author: Rafael J. Wysocki Date: Fri Sep 9 22:34:16 2016 +0200 Merge branches 'pm-core-fixes' and 'pm-cpufreq-fixes' * pm-core-fixes: PM / QoS: avoid calling cancel_delayed_work_sync() during early boot * pm-cpufreq-fixes: cpufreq-stats: Minor documentation fix commit c4a6c70f93638821519047ba751b0145f7a9f90b Merge: 6dc728c 56beac9 Author: Linus Torvalds Date: Fri Sep 9 13:09:50 2016 -0700 Merge tag 'gpio-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Some GPIO fixes that have been boiling the last two weeks or so. Nothing special, I'm trying to sort out some Kconfig business and Russell needs a fix in for -his SA1100 rework. Summary: - Revert a pointless attempt to add an include to solve the UM allyes compilation problem. - Make the mcp23s08 depend on OF_GPIO as it uses it and doesn't compile properly without it. - Fix a probing problem for ucb1x00" * tag 'gpio-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: sa1100: fix irq probing for ucb1x00 gpio: mcp23s08: make driver depend on OF_GPIO Revert "gpio: include in gpiolib-of" commit 6dc728ccd3c9db64d5a1fd2930ccb9bcfdf20f67 Merge: 5c44ad6 8fba54a Author: Linus Torvalds Date: Fri Sep 9 13:00:41 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse Pull fuse fix from Miklos Szeredi: "This fixes a deadlock when fuse, direct I/O and loop device are combined" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse: fuse: direct-io: don't dirty ITER_BVEC pages commit 5c44ad6a35a9818039e301be289a1bb7ae77613e Merge: f4a9c16 e1ff3dd Author: Linus Torvalds Date: Fri Sep 9 12:56:28 2016 -0700 Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fix from Miklos Szeredi: "This fixes a regression caused by the last pull request" * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: fix workdir creation commit f4a9c169c29efea31b22aec0012ad29df6cf84d4 Merge: 067c2f4 b7f3c7d Author: Linus Torvalds Date: Fri Sep 9 12:52:31 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "I'm not proud of how long it took me to track down that one liner in btrfs_sync_log(), but the good news is the patches I was trying to blame for these problems were actually fine (sorry Filipe)" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns btrfs: do not decrease bytes_may_use when replaying extents commit ea90383837334bcebe842e719ad4d8c966f4ef51 Author: Baoyou Xie Date: Thu Sep 8 19:03:20 2016 +0800 drm/vc4: mark vc4_bo_cache_purge() static We get 1 warning when building kernel with W=1: drivers/gpu/drm/vc4/vc4_bo.c:147:6: warning: no previous prototype for 'vc4_bo_cache_purge' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. So this patch marks it 'static'. Signed-off-by: Baoyou Xie Signed-off-by: Eric Anholt drivers/gpu/drm/vc4/vc4_bo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 067c2f472d81b8b235176ce8e2cb221c4edc1a9e Merge: e45eeb4 816f318 Author: Linus Torvalds Date: Fri Sep 9 12:02:46 2016 -0700 Merge tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "We've got quite a few fixes at this time, and all are stable patches. syzkaller strikes back again (episode 19 or so), and we had to plug some holes in ALSA core part (mostly timer). In addition, a couple of FireWire audio fixes for the invalid copy user calls in locks, and a few quirks for HD-audio and USB-audio as usual are included" * tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: rawmidi: Fix possible deadlock with virmidi registration ALSA: timer: Fix zero-division by continue of uninitialized instance ALSA: timer: fix NULL pointer dereference in read()/ioctl() race ALSA: fireworks: accessing to user space outside spinlock ALSA: firewire-tascam: accessing to user space outside spinlock ALSA: hda - Enable subwoofer on Dell Inspiron 7559 ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 ALSA: timer: fix NULL pointer dereference on memory allocation failure ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE commit 5e59d9a1aed26abcc79abe78af5cfd34e53cbe7f Author: Andy Lutomirski Date: Tue Aug 30 08:04:15 2016 -0700 virtio_console: Stop doing DMA on the stack virtio_console uses a small DMA buffer for control requests. Move that buffer into heap memory. Doing virtio DMA on the stack is normally okay on non-DMA-API virtio systems (which is currently most of them), but it breaks completely if the stack is virtually mapped. Tested by typing both directions using picocom aimed at /dev/hvc0. Signed-off-by: Andy Lutomirski Signed-off-by: Michael S. Tsirkin Reviewed-by: Amit Shah drivers/char/virtio_console.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) commit af7c1beccfd98bad752644dc14ea93805d65b2c9 Author: Baoyou Xie Date: Thu Sep 1 19:02:57 2016 +0800 virtio: mark vring_dma_dev() static We get 1 warning when building kernel with W=1: drivers/virtio/virtio_ring.c:170:16: warning: no previous prototype for 'vring_dma_dev' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. so this patch marks this function with 'static'. Signed-off-by: Baoyou Xie Acked-by: Arnd Bergmann Signed-off-by: Michael S. Tsirkin drivers/virtio/virtio_ring.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c94455558337eece474eebb6a16b905f98930418 Author: Shaohua Li Date: Thu Sep 8 10:43:58 2016 -0700 raid5: fix a small race condition commit 5f9d1fde7d54a5(raid5: fix memory leak of bio integrity data) moves bio_reset to bio_endio. But it introduces a small race condition. It does bio_reset after raid5_release_stripe, which could make the stripe reusable and hence reuse the bio just before bio_reset. Moving bio_reset before raid5_release_stripe is called should fix the race. Reported-and-tested-by: Stefan Priebe - Profihost AG Signed-off-by: Shaohua Li drivers/md/raid5.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit e45eeb43e67669f130c270a325383769d5fd73e2 Merge: 2771fc8 2b97434 Author: Linus Torvalds Date: Fri Sep 9 10:54:29 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - smp_mb__before_spinlock() changed to smp_mb() on arm64 since the generic definition to smp_wmb() is not sufficient - avoid a recursive loop with the graph tracer by using using preempt_(enable|disable)_notrace in _percpu_(read|write) * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: use preempt_disable_notrace in _percpu_read/write arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() commit 56fe27beeb158e2046c10df0d5eb8292ecaf78c0 Merge: d31449a 78567f1 Author: Arnd Bergmann Date: Fri Sep 9 17:58:40 2016 +0200 Merge tag 'sti-dt-fixes-for-v4.8-rcs' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti into fixes Pull "Handle STiH410 interconnect clock required for EHCI/OHCI and SDHCI" from Patrice Chotard: With the introduction of critical-clock support in v4.8, our developers' default configuration is to run with 'clk_ignore_unused' removed. This patch-set ensures they can achieve successful boot when a) booting from an SD Card and when b) booting using USB->Eth adaptors for NFS booting. * tag 'sti-dt-fixes-for-v4.8-rcs' of git://git.kernel.org/pub/scm/linux/kernel/git/pchotard/sti: ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) commit d31449a59aa3da72639ff24f8a4fde2d10af8898 Merge: 76aa759 c2f3211 Author: Arnd Bergmann Date: Fri Sep 9 17:56:40 2016 +0200 Merge tag 'renesas-fixes-for-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas into fixes Merge "Renesas ARM Based SoC Fixes for v4.8" from Simon Horman: * Correct R-Car Gen2 regulator quirk * tag 'renesas-fixes-for-v4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/horms/renesas: ARM: shmobile: fix regulator quirk for Gen2 commit 76aa7591688001839ec9ca838041f2d55d49ab92 Author: Ian Campbell Date: Wed Aug 3 15:12:45 2016 +0100 ARM64: dts: bcm: Use a symlink to R-Pi dtsi files from arch=arm The ../../../arm... style cross-references added by commit 9d56c22a7861 ("ARM: bcm2835: Add devicetree for the Raspberry Pi 3.") do not work in the context of the split device-tree repository[0] (where the directory structure differs). As with commit 8ee57b8182c4 ("ARM64: dts: vexpress: Use a symlink to vexpress-v2m-rs1.dtsi from arch=arm") use symlinks instead. [0] https://git.kernel.org/cgit/linux/kernel/git/devicetree/devicetree-rebasing.git/ Signed-off-by: Ian Campbell Acked-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: Rob Herring Cc: Frank Rowand Cc: Eric Anholt Cc: Stephen Warren Cc: Lee Jones Cc: Gerd Hoffmann Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-rpi-kernel@lists.infradead.org Cc: arm@kernel.org Signed-off-by: Arnd Bergmann arch/arm64/boot/dts/broadcom/bcm2835-rpi.dtsi | 1 + arch/arm64/boot/dts/broadcom/bcm2837-rpi-3-b.dts | 4 ++-- arch/arm64/boot/dts/broadcom/bcm2837.dtsi | 2 +- arch/arm64/boot/dts/broadcom/bcm283x-rpi-smsc9514.dtsi | 1 + arch/arm64/boot/dts/broadcom/bcm283x.dtsi | 1 + 5 files changed, 6 insertions(+), 3 deletions(-) commit 6b7b554d34fdbc5dc9fae9d4ca9dd37f6346be3d Author: Ian Campbell Date: Wed Aug 3 15:12:44 2016 +0100 ARM: dts: Remove use of skeleton.dtsi from bcm283x.dtsi This file is included from DTS files under arch/arm64 too (via broadcom/bcm2837-rpi-3-b.dts and broadcom/bcm2837.dtsi). There is a desire not to have skeleton.dtsi for ARM64. See commit 3ebee5a2e141 ("arm64: dts: kill skeleton.dtsi") for rationale for its removal. As well as the addition of #*-cells also requires adding the device_type to the rpi memory node explicitly. Note that this change results in the removal of an empty /aliases node from bcm2835-rpi-a.dtb and bcm2835-rpi-a-plus.dtb. I have no hardware to check if this is a problem or not. It also results in some reordering of the nodes in the DTBs (the /aliases and /memory nodes come later). This isn't supposed to matter but, again, I've no hardware to check if it is true in this particular case. Signed-off-by: Ian Campbell Acked-by: Mark Rutland Tested-by: Stefan Wahren Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Cc: Rob Herring Cc: Frank Rowand Cc: Eric Anholt Cc: Stephen Warren Cc: Lee Jones Cc: Gerd Hoffmann Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org Cc: linux-rpi-kernel@lists.infradead.org Cc: arm@kernel.org Signed-off-by: Arnd Bergmann arch/arm/boot/dts/bcm2835-rpi.dtsi | 1 + arch/arm/boot/dts/bcm283x.dtsi | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) commit 27bd44e06cf4e6c51b985810e7c56147bc8d94d5 Merge: a4497a8 293f293 Author: Paolo Bonzini Date: Fri Sep 9 17:45:56 2016 +0200 Merge tag 'kvm-arm-fixes-for-v4.8-round2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm-master KVM/ARM Fixes for v4.8, round 2 Fixes an idmap issue on 32-bit KVM on ARM, and fixes a memory unmapping issue that we've had forever. commit 2771fc8ed60e43a0148a2f2c672a55b8f565f418 Merge: 53d5f1d f077aaf Author: Linus Torvalds Date: Fri Sep 9 08:43:42 2016 -0700 Merge tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Fixes marked for stable: - Don't alias user region to other regions below PAGE_OFFSET from Paul Mackerras - Fix again csum_partial_copy_generic() on 32-bit from Christophe Leroy - Fix corrupted PE allocation bitmap on releasing PE from Gavin Shan Fixes for code merged this cycle: - Fix crash on releasing compound PE from Gavin Shan - Fix processor numbers in OPAL ICP from Benjamin Herrenschmidt - Fix little endian build with CONFIG_KEXEC=n from Thiago Jung Bauermann" * tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET powerpc/32: Fix again csum_partial_copy_generic() powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE powerpc/powernv: Fix crash on releasing compound PE powerpc/xics/opal: Fix processor numbers in OPAL ICP powerpc/pseries: Fix little endian build with CONFIG_KEXEC=n commit 53d5f1dcd1f41a0deb2015724f4466f7dc138aed Merge: 711bef6 da60626 Author: Linus Torvalds Date: Fri Sep 9 08:32:10 2016 -0700 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: "A few ARM fixes: - Robin Murphy noticed that the non-secure privileged entry was relying on undefined behaviour, which needed to be fixed. - Vladimir Murzin noticed that prov-v7 fails to build for MMUless configurations because a required header file wasn't included. - A bunch of fixes for StrongARM regressions found while testing 4.8-rc on such platforms" * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: sa1100: clear reset status prior to reboot ARM: 8600/1: Enforce some NS-SVC initialisation ARM: 8599/1: mm: pull asm/memory.h explicitly ARM: sa1100: register clocks early ARM: sa1100: fix 3.6864MHz clock commit 60815d4a78204915f5cdf79a536bc96d5d23ae5f Author: Hans Verkuil Date: Wed Aug 24 07:17:22 2016 -0300 [media] cec: fix ioctl return code when not registered Don't return the confusing -EIO error code when the device is not registered, instead return -ENODEV which is the proper thing to do in this situation. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a179b69359feb26ddb148bb6a2c0c53a8d1dc5be Author: Hans Verkuil Date: Wed Aug 24 05:36:53 2016 -0300 [media] cec: don't Feature Abort broadcast msgs when unregistered If the adapter is configured as 'Unregistered', then cec_receive_notify incorrectly thinks that broadcast messages are directed messages. The destination for broadcast messages is 0xf, and the logical address assigned to Unregistered devices is also 0xf and the logic didn't handle that correctly. Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab drivers/staging/media/cec/cec-adap.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 6b98174b957ce87e0efe7c675d6cfd9e4c7a1912 Merge: 1b49dae 696118c Author: Greg Kroah-Hartman Date: Fri Sep 9 15:11:35 2016 +0200 Merge tag 'fixes-for-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: usb: fixes for v4.8-rc6 Unfortunately we have a bogus dwc3 patch leaked through the cracks and got merged into Linus' HEAD. That patch ended up causing off-by-1 error in our TRB accounting logic. Thankfully John Youn found out the problem and we provided a revert to the bogus dwc3 patch in no time. Apart from this off-by-1 error, we have two fixes to the Renesas drivers, a small fix to our generic phy driver, a NULL pointer dereference fix for f_eem and a build warning fix in dwc3. commit 1b49dae1ca65cd38221b28911ba08954627a2760 Merge: bcf42aa 6f3c4fb Author: Greg Kroah-Hartman Date: Fri Sep 9 13:47:20 2016 +0200 Merge tag 'usb-ci-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus Peter writes: Fix the possible kernel panic when the hardware signal is bad for chipidea udc. commit 72d508ad488a63678396cf1039fc5a65e04caa9e Merge: c693593 171c009 Author: Greg Kroah-Hartman Date: Fri Sep 9 13:44:37 2016 +0200 Merge tag 'iio-fixes-for-4.8b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: Second set of IIO fixes for the 4.8 cycle. We have a big rework of the kxsd9 driver queued up behind the fix below and a fix for a recent fix that was marked for stable. Hence this fix series is perhaps a little more urgent than average for IIO. * core - a fix for a fix in the last set. The recent fix for blocking ops when ! task running left a path (unlikely one) in which the function return value was not set - so initialise it to 0. - The IIO_TYPE_FRACTIONAL code previously didn't cope with negative fractions. Turned out a fix for this was in Analog's tree but hadn't made it upstream. * bmc150 - reset chip at init time. At least one board out there ends up coming up in an unstable state due to noise during power up. The reset does no harm on other boards. * kxsd9 - Fix a bug in the reported scaling due to failing to set the integer part to 0. * hid-sensors-pressure - Output was in the wrong units to comply with the IIO ABI. * tools - iio_generic_buffer: Fix the trigger-less mode by ensuring we don't fault out for having no trigger when we explicitly said we didn't want to have one. commit 2b9743441a312e0b0a2d87deae363eccbe9d0f00 Author: Chunyan Zhang Date: Thu Sep 8 20:46:42 2016 +0800 arm64: use preempt_disable_notrace in _percpu_read/write When debug preempt or preempt tracer is enabled, preempt_count_add/sub() can be traced by function and function graph tracing, and preempt_disable/enable() would call preempt_count_add/sub(), so in Ftrace subsystem we should use preempt_disable/enable_notrace instead. In the commit 345ddcc882d8 ("ftrace: Have set_ftrace_pid use the bitmap like events do") the function this_cpu_read() was added to trace_graph_entry(), and if this_cpu_read() calls preempt_disable(), graph tracer will go into a recursive loop, even if the tracing_on is disabled. So this patch change to use preempt_enable/disable_notrace instead in this_cpu_read(). Since Yonghui Yang helped a lot to find the root cause of this problem, so also add his SOB. Signed-off-by: Yonghui Yang Signed-off-by: Chunyan Zhang Acked-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/include/asm/percpu.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 872c63fbf9e153146b07f0cece4da0d70b283eeb Author: Will Deacon Date: Mon Sep 5 11:56:05 2016 +0100 arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation to a full barrier, such that prior stores are ordered with respect to loads and stores occuring inside the critical section. Unfortunately, the core code defines the barrier as smp_wmb(), which is insufficient to provide the required ordering guarantees when used in conjunction with our load-acquire-based spinlock implementation. This patch overrides the arm64 definition of smp_mb__before_spinlock() to map to a full smp_mb(). Cc: Cc: Peter Zijlstra Reported-by: Alan Stern Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/include/asm/spinlock.h | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 293f293637b55db4f9f522a5a72514e98a541076 Author: Suzuki K Poulose Date: Thu Sep 8 16:25:49 2016 +0100 kvm-arm: Unmap shadow pagetables properly On arm/arm64, we depend on the kvm_unmap_hva* callbacks (via mmu_notifiers::invalidate_*) to unmap the stage2 pagetables when the userspace buffer gets unmapped. However, when the Hypervisor process exits without explicit unmap of the guest buffers, the only notifier we get is kvm_arch_flush_shadow_all() (via mmu_notifier::release ) which does nothing on arm. Later this causes us to access pages that were already released [via exit_mmap() -> unmap_vmas()] when we actually get to unmap the stage2 pagetable [via kvm_arch_destroy_vm() -> kvm_free_stage2_pgd()]. This triggers crashes with CONFIG_DEBUG_PAGEALLOC, which unmaps any free'd pages from the linear map. [ 757.644120] Unable to handle kernel paging request at virtual address ffff800661e00000 [ 757.652046] pgd = ffff20000b1a2000 [ 757.655471] [ffff800661e00000] *pgd=00000047fffe3003, *pud=00000047fcd8c003, *pmd=00000047fcc7c003, *pte=00e8004661e00712 [ 757.666492] Internal error: Oops: 96000147 [#3] PREEMPT SMP [ 757.672041] Modules linked in: [ 757.675100] CPU: 7 PID: 3630 Comm: qemu-system-aar Tainted: G D 4.8.0-rc1 #3 [ 757.683240] Hardware name: AppliedMicro X-Gene Mustang Board/X-Gene Mustang Board, BIOS 3.06.15 Aug 19 2016 [ 757.692938] task: ffff80069cdd3580 task.stack: ffff8006adb7c000 [ 757.698840] PC is at __flush_dcache_area+0x1c/0x40 [ 757.703613] LR is at kvm_flush_dcache_pmd+0x60/0x70 [ 757.708469] pc : [] lr : [] pstate: 20000145 ... [ 758.357249] [] __flush_dcache_area+0x1c/0x40 [ 758.363059] [] unmap_stage2_range+0x458/0x5f0 [ 758.368954] [] kvm_free_stage2_pgd+0x34/0x60 [ 758.374761] [] kvm_arch_destroy_vm+0x20/0x68 [ 758.380570] [] kvm_put_kvm+0x210/0x358 [ 758.385860] [] kvm_vm_release+0x2c/0x40 [ 758.391239] [] __fput+0x114/0x2e8 [ 758.396096] [] ____fput+0xc/0x18 [ 758.400869] [] task_work_run+0x108/0x138 [ 758.406332] [] do_exit+0x48c/0x10e8 [ 758.411363] [] do_group_exit+0x6c/0x130 [ 758.416739] [] get_signal+0x284/0xa18 [ 758.421943] [] do_signal+0x158/0x860 [ 758.427060] [] do_notify_resume+0x6c/0x88 [ 758.432608] [] work_pending+0x10/0x14 [ 758.437812] Code: 9ac32042 8b010001 d1000443 8a230000 (d50b7e20) This patch fixes the issue by moving the kvm_free_stage2_pgd() to kvm_arch_flush_shadow_all(). Cc: # 3.9+ Tested-by: Itaru Kitayama Reported-by: Itaru Kitayama Reported-by: James Morse Cc: Marc Zyngier Cc: Catalin Marinas Cc: Christoffer Dall Signed-off-by: Suzuki K Poulose Signed-off-by: Christoffer Dall arch/arm/kvm/arm.c | 2 -- arch/arm/kvm/mmu.c | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) commit 6f3c4fb6d05e63c9c6d8968302491c3a5457be61 Author: Clemens Gruber Date: Mon Sep 5 19:29:58 2016 +0200 usb: chipidea: udc: fix NULL ptr dereference in isr_setup_status_phase Problems with the signal integrity of the high speed USB data lines or noise on reference ground lines can cause the i.MX6 USB controller to violate USB specs and exhibit unexpected behavior. It was observed that USBi_UI interrupts were triggered first and when isr_setup_status_phase was called, ci->status was NULL, which lead to a NULL pointer dereference kernel panic. This patch fixes the kernel panic, emits a warning once and returns -EPIPE to halt the device and let the host get stalled. It also adds a comment to point people, who are experiencing this issue, to their USB hardware design. Cc: #4.1+ Signed-off-by: Clemens Gruber Signed-off-by: Peter Chen drivers/usb/chipidea/udc.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 1fb81e09d487656aa23f2acb1232c7f56b4c2367 Author: thomas.zeitlhofer+lkml@ze-it.at Date: Wed Sep 7 20:40:38 2016 +0200 vti: use right inner_mode for inbound inter address family policy checks In case of inter address family tunneling (IPv6 over vti4 or IPv4 over vti6), the inbound policy checks in vti_rcv_cb() and vti6_rcv_cb() are using the wrong address family. As a result, all inbound inter address family traffic is dropped. Use the xfrm_ip2inner_mode() helper, as done in xfrm_input() (i.e., also increment LINUX_MIB_XFRMINSTATEMODEERROR in case of error), to select the inner_mode that contains the right address family for the inbound policy checks. Signed-off-by: Thomas Zeitlhofer Signed-off-by: Steffen Klassert net/ipv4/ip_vti.c | 15 ++++++++++++++- net/ipv6/ip6_vti.c | 15 ++++++++++++++- 2 files changed, 28 insertions(+), 2 deletions(-) commit 2f30ea5090cbc57ea573cdc66421264b3de3fb0a Author: Mathias Krause Date: Thu Sep 8 18:09:57 2016 +0200 xfrm_user: propagate sec ctx allocation errors When we fail to attach the security context in xfrm_state_construct() we'll return 0 as error value which, in turn, will wrongly claim success to userland when, in fact, we won't be adding / updating the XFRM state. This is a regression introduced by commit fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl(), attach_sec_ctx(), and attach_one_addr()"). Fix it by propagating the error returned by security_xfrm_state_alloc() in this case. Fixes: fd21150a0fe1 ("[XFRM] netlink: Inline attach_encap_tmpl()...") Signed-off-by: Mathias Krause Cc: Thomas Graf Signed-off-by: Steffen Klassert net/xfrm/xfrm_user.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 2c2c8e33e4aa6e46f19ef7bba8e559759a74a4db Merge: db7196a ebecefc Author: David S. Miller Date: Thu Sep 8 17:18:42 2016 -0700 Merge branch 'nfp-fixes' Jakub Kicinski says: ==================== nfp: fixes and trivial cleanup First patch drops unnecessary version.h includes. Second one drops support for pre-release versions of FW ABI. Removing FW ABI 0.0 from supported set is particularly good since 0 could just be uninitialized memory. Last but not least I drop unnecessary padding of frames on RX which makes us count bytes incorrectly for the VF2VF traffic. ==================== Signed-off-by: David S. Miller commit ebecefc820ec791a216382a68b937577bb69d3f7 Author: Jakub Kicinski Date: Wed Sep 7 19:45:37 2016 +0100 nfp: don't pad frames on receive There is no need to pad frames to ETH_ZLEN on RX. Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 4 ---- 1 file changed, 4 deletions(-) commit 313b345cbff566340022c82267a377e1e493ef90 Author: Jakub Kicinski Date: Wed Sep 7 19:45:36 2016 +0100 nfp: drop support for old firmware ABIs Be more strict about FW versions. Drop support for old transitional revisions which were never used in production. Dropping support for FW ABI version 0.0.0.0 is particularly useful because 0 could just be uninitialized memory. Signed-off-by: Jakub Kicinski Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit 312fada1f9f87fb55ace4b5a55a70a9eea5100fd Author: Jakub Kicinski Date: Wed Sep 7 19:45:35 2016 +0100 nfp: remove linux/version.h includes Remove unnecessary version.h includes. Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Reviewed-by: Dinan Gunawardena Signed-off-by: David S. Miller drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 1 - drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 1 - drivers/net/ethernet/netronome/nfp/nfp_netvf_main.c | 1 - 3 files changed, 3 deletions(-) commit db7196a0d0984b933ccf2cd6a60e26abf466e8a3 Author: Artem Germanov Date: Wed Sep 7 10:49:36 2016 -0700 tcp: cwnd does not increase in TCP YeAH Commit 76174004a0f19785a328f40388e87e982bbf69b9 (tcp: do not slow start when cwnd equals ssthresh ) introduced regression in TCP YeAH. Using 100ms delay 1% loss virtual ethernet link kernel 4.2 shows bandwidth ~500KB/s for single TCP connection and kernel 4.3 and above (including 4.8-rc4) shows bandwidth ~100KB/s. That is caused by stalled cwnd when cwnd equals ssthresh. This patch fixes it by proper increasing cwnd in this case. Signed-off-by: Artem Germanov Acked-by: Dmitry Adamushko Signed-off-by: David S. Miller net/ipv4/tcp_yeah.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 81d1a366ff814211f3169e6b3e2c9eea682a679e Merge: 76061f6 cd17d23 Author: David S. Miller Date: Thu Sep 8 16:15:29 2016 -0700 Merge branch 'mlx5-fixes' Saeed Mahameed says: ==================== Mellanox 100G mlx5 fixes 2016-09-07 The following series contains bug fixes for the mlx5e driver. from Gal, - Static code checker cleanup (casting overflow) - Fix global PFC counter statistics reading - Fix HW LRO when vlan stripping is off From Bodong, - Deprecate old autoneg capability bit and use new one. From Tariq, - Fix xmit more counter race condition ==================== Signed-off-by: David S. Miller commit cd17d230dd060a12f7451c0caeedb3fd5158eaf9 Author: Gal Pressman Date: Wed Sep 7 19:08:01 2016 +0300 net/mlx5e: Fix parsing of vlan packets when updating lro header Currently vlan tagged packets were not parsed correctly and assumed to be regular IPv4/IPv6 packets. We should check for 802.1Q/802.1ad tags and update the lro header accordingly. This fixes the use case where LRO is on and rxvlan is off (vlan stripping is off). Fixes: e586b3b0baee ('net/mlx5: Ethernet Datapath files') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) commit 4e39883d9c7426f8246ef86a32dc6a6f06f5aace Author: Gal Pressman Date: Wed Sep 7 19:08:00 2016 +0300 net/mlx5e: Fix global PFC counters replication Currently when reading global PFC statistics we left the counter iterator out of the equation and we ended up reading the same counter over and over again. Instead of reading the counter at index 0 on every iteration we now read the counter at index (i). Fixes: e989d5a532ce ('net/mlx5e: Expose flow control counters to ethtool') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 7abc2110779b133e54ce681a4d0be3d89304eda1 Author: Gal Pressman Date: Wed Sep 7 19:07:59 2016 +0300 net/mlx5e: Prevent casting overflow On 64 bits architectures unsigned long is longer than u32, casting to unsigned long will result in overflow. We need to first allocate an unsigned long variable, then assign the wanted value. Fixes: 665bc53969d7 ('net/mlx5e: Use new ethtool get/set link ksettings API') Signed-off-by: Gal Pressman Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit e7e31ca43d6bedf1c551b1f9c7e78d51c9a45790 Author: Bodong Wang Date: Wed Sep 7 19:07:58 2016 +0300 net/mlx5e: Move an_disable_cap bit to a new position Previous an_disable_cap position bit31 is deprecated to be use in driver with newer firmware. New firmware will advertise the same capability in bit29. Old capability didn't allow setting more than one protocol for a specific speed when autoneg is off, while newer firmware will allow this and it is indicated in the new capability location. Signed-off-by: Bodong Wang Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller include/linux/mlx5/mlx5_ifc.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 0dbf657c3993a269fa0cd7dabbb9c02741d4aefa Author: Tariq Toukan Date: Wed Sep 7 19:07:57 2016 +0300 net/mlx5e: Fix xmit_more counter race issue Update the xmit_more counter before notifying the HW, to prevent a possible use-after-free of the skb. Fixes: c8cf78fe100b ("net/mlx5e: Add ethtool counter for TX xmit_more") Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 76061f631c2ea4ab9c4d66f3a96ecc5737f5aaf7 Author: Eric Dumazet Date: Wed Sep 7 08:34:11 2016 -0700 tcp: fastopen: avoid negative sk_forward_alloc When DATA and/or FIN are carried in a SYN/ACK message or SYN message, we append an skb in socket receive queue, but we forget to call sk_forced_mem_schedule(). Effect is that the socket has a negative sk->sk_forward_alloc as long as the message is not read by the application. Josh Hunt fixed a similar issue in commit d22e15371811 ("tcp: fix tcp fin memory accounting") Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: Eric Dumazet Reviewed-by: Josh Hunt Signed-off-by: David S. Miller net/ipv4/tcp_fastopen.c | 1 + 1 file changed, 1 insertion(+) commit 3732b30a7d88dc32bef76e117067fb397e811703 Author: Jean Delvare Date: Thu Sep 8 23:05:07 2016 +0200 cpufreq-stats: Minor documentation fix The cpufreq-stats code can no longer be built as a module, so it now appears with square brackets in menuconfig. Signed-off-by: Jean Delvare Fixes: 1aefc75b2449 (cpufreq: stats: Make the stats code non-modular) Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Documentation/cpu-freq/cpufreq-stats.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit cbfff439c54f37fc363b1d365183fa61af43585c Author: Doug Anderson Date: Mon Aug 29 14:22:36 2016 -0700 i2c: rk3x: Restore clock settings at resume time Depending on a number of factors including: - Which exact Rockchip SoC we're working with - How deep we suspend - Which i2c port we're on We might lose the state of the i2c registers at suspend time. Specifically we've found that on rk3399 the i2c ports that are not in the PMU power domain lose their state with the current suspend depth configured by ARM Tursted Firmware. Note that there are very few actual i2c registers that aren't configured per transfer anyway so all we actually need to re-configure are the clock config registers. We'll just add a call to rk3x_i2c_adapt_div() at resume time and be done with it. NOTE: On rk3399 on ports whose power was lost, I put printouts in at resume time. I saw things like: before: con=0x00010300, div=0x00060006 after: con=0x00010200, div=0x00180025 Signed-off-by: Douglas Anderson Reviewed-by: David Wu Tested-by: David Wu [wsa: removed duplicate const] Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-rk3x.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit e0603c8dd298171bd64227c65c6bbd6a861e1a78 Author: Geert Uytterhoeven Date: Wed Aug 31 11:38:48 2016 +0200 i2c: Spelling s/acknowedge/acknowledge/ Signed-off-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-cadence.c | 2 +- drivers/i2c/busses/i2c-rk3x.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) commit 664d58bf4d3406dc4404e29bcb8c89fd22589d57 Author: Zhuo-hao Lee Date: Sat Aug 27 15:39:30 2016 +0800 i2c: designware: save the preset value of DW_IC_SDA_HOLD There are several ways to set the SDA hold time for i2c controller, including: Device Tree, built-in device properties and ACPI. However, if the SDA hold time is not specified by above method, we should read the value, where it is preset by firmware, and save it to sda_hold_time. This is needed because when i2c controller enters runtime suspend, the DW_IC_SDA_HOLD value will be reset to chipset default value. And during runtime resume, i2c_dw_init will be called to reconfigure i2c controller. If sda_hold_time is zero, the chipset default hold time will be used, that will be too short for some platforms. Therefore, to have a better tolerance, the DW_IC_SDA_HOLD value should be kept by sda_hold_time. Signed-off-by: Zhuo-hao Lee Reviewed-by: Andy Shevchenko Acked-by: Jarkko Nikula Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-designware-core.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) commit 40e3012e6ea715e957347477a980145210735267 Merge: 9dd4aaef 11d7a0b Author: David S. Miller Date: Thu Sep 8 13:12:37 2016 -0700 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== ipsec 2016-09-08 1) Fix a crash when xfrm_dump_sa returns an error. From Vegard Nossum. 2) Remove some incorrect WARN() on normal error handling. From Vegard Nossum. 3) Ignore socket policies when rebuilding hash tables, socket policies are not inserted into the hash tables. From Tobias Brunner. 4) Initialize and check tunnel pointers properly before we use it. From Alexey Kodanev. 5) Fix l3mdev oif setting on xfrm dst lookups. From David Ahern. ==================== Signed-off-by: David S. Miller commit e4abe2b9ab3ac79537d99dfceff7302739a586bc Merge: dc7066c 6654674 Author: Stephen Boyd Date: Thu Sep 8 12:54:24 2016 -0700 Merge tag 'sunxi-clk-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into clk-fixes Clock Fixes for the Allwinner SoCs, 4.8 Edition The usual bunch of fixes to the our clock drivers, mostly targetted to the brand new sunxi-ng drivers. * tag 'sunxi-clk-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: clk: sunxi-ng: Fix wrong reset register offsets clk: sunxi-ng: nk: Make ccu_nk_find_best static clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock clk: sunxi: Fix return value check in sun8i_a23_mbus_setup() clk: sunxi: pll2: Fix return value check in sun4i_pll2_setup() commit 711bef65e91d2a06730bf8c64bb00ecab48815a1 Merge: acdfffb 0f5aa88 Author: Linus Torvalds Date: Thu Sep 8 12:23:13 2016 -0700 Merge tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client Pull ceph fix from Ilya Dryomov: "A fix for a 4.7 performance regression, caused by a typo in an if condition" * tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client: ceph: do not modify fi->frag in need_reset_readdir() commit acdfffb5e003858e0f4a70525101f584e393323e Merge: e8b3b45 9b41b92 Author: Linus Torvalds Date: Thu Sep 8 12:19:24 2016 -0700 Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging Pull dmi fix from Jean Delvare. * 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging: dmi-id: don't free dev structure after calling device_register commit e8b3b45de89117729cdc1a6b29da85500e4af7db Merge: d71f058 95390e3 Author: Linus Torvalds Date: Thu Sep 8 12:05:15 2016 -0700 Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc Pull ARM SoC fixes from Olof Johansson: "This is a slightly larger batch of fixes that we've been sitting on a few -rcs. Most of them are simple oneliners, but there are two sets that are slightly larger and worth pointing out: - A set of patches to OMAP to deal with hwmod for RTC on am33xx (beaglebone SoC, among others). It's the only clock that ever has a valid offset of 0, so a new flag needed introduction once this problem was discovered. - A collection of CCI fixes for performance counters discovered once people started using it on X-Gene CPUs" * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits) arm-cci: pmu: Fix typo in event name Revert "ARM: tegra: fix erroneous address in dts" ARM: dts: imx6qdl: Fix SPDIF regression ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name ARM: dts: kirkwood: Fix PCIe label on OpenRD ARM: kirkwood: ib62x0: fix size of u-boot environment partition bus: arm-ccn: make event groups reliable bus: arm-ccn: fix hrtimer registration bus: arm-ccn: fix PMU interrupt flags ARM: tegra: Correct polarity for Tegra114 PMIC interrupt MAINTAINERS: add tree entry for ARM/UniPhier architecture ARM: sun5i: Fix typo in trip point temperature MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski ARM: imx6ul: populates platform device at .init_machine bus: arm-ccn: Add missing event attribute exclusions for host/guest bus: arm-ccn: Correct required arguments for XP PMU events bus: arm-ccn: Fix XP watchpoint settings bitmask bus: arm-ccn: Do not attempt to configure XPs for cycle counter bus: arm-ccn: Fix PMU handling of MN ... commit 47a7b0d8888c04c9746812820b6e60553cc77bbc Author: Guoqing Jiang Date: Sun Sep 4 22:17:28 2016 -0400 md-cluster: make md-cluster also can work when compiled into kernel The md-cluster is compiled as module by default, if it is compiled by built-in way, then we can't make md-cluster works. [64782.630008] md/raid1:md127: active with 2 out of 2 mirrors [64782.630528] md-cluster module not found. [64782.630530] md127: Could not setup cluster service (-2) Fixes: edb39c9 ("Introduce md_cluster_operations to handle cluster functions") Cc: stable@vger.kernel.org (v4.1+) Reported-by: Marc Smith Reviewed-by: NeilBrown Signed-off-by: Guoqing Jiang Signed-off-by: Shaohua Li drivers/md/md.c | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) commit 015282c9eb6da05bfad6ff009078f91e06c0c98f Author: Wenbo Wang Date: Thu Sep 8 12:12:11 2016 -0400 nvme/quirk: Add a delay before checking device ready for memblaze device Signed-off-by: Wenbo Wang Signed-off-by: Jens Axboe drivers/nvme/host/pci.c | 2 ++ 1 file changed, 2 insertions(+) commit 30851a7c2155d0b321485e66386ea99191d8b3f5 Author: Wolfram Sang Date: Thu Aug 25 19:27:40 2016 +0200 Documentation: i2c: slave-interface: add note for driver development Make it clear that adding slave support shall not disable master functionality. We can have both, so we should. Signed-off-by: Wolfram Sang Documentation/i2c/slave-interface | 5 +++++ 1 file changed, 5 insertions(+) commit e35478eac030990e23a56bf11dc074c5a069124a Author: Wolfram Sang Date: Tue Aug 23 17:28:03 2016 +0200 i2c: mux: demux-pinctrl: run properly with multiple instances We can't use a static property for all the changesets, so we now create dynamic ones for each changeset. Signed-off-by: Wolfram Sang Fixes: 50a5ba87690814 ("i2c: mux: demux-pinctrl: add driver") Signed-off-by: Wolfram Sang drivers/i2c/muxes/i2c-demux-pinctrl.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) commit a4497a86fb9b855c5ac8503fdc959393b00bb643 Author: Prarit Bhargava Date: Thu Sep 8 10:15:28 2016 -0400 x86, clock: Fix kvm guest tsc initialization When booting a kvm guest on AMD with the latest kernel the following messages are displayed in the boot log: tsc: Unable to calibrate against PIT tsc: HPET/PMTIMER calibration failed aa297292d708 ("x86/tsc: Enumerate SKL cpu_khz and tsc_khz via CPUID") introduced a change to account for a difference in cpu and tsc frequencies for Intel SKL processors. Before this change the native tsc set x86_platform.calibrate_tsc to native_calibrate_tsc() which is a hardware calibration of the tsc, and in tsc_init() executed tsc_khz = x86_platform.calibrate_tsc(); cpu_khz = tsc_khz; The kvm code changed x86_platform.calibrate_tsc to kvm_get_tsc_khz() and executed the same tsc_init() function. This meant that KVM guests did not execute the native hardware calibration function. After aa297292d708, there are separate native calibrations for cpu_khz and tsc_khz. The code sets x86_platform.calibrate_tsc to native_calibrate_tsc() which is now an Intel specific calibration function, and x86_platform.calibrate_cpu to native_calibrate_cpu() which is the "old" native_calibrate_tsc() function (ie, the native hardware calibration function). tsc_init() now does cpu_khz = x86_platform.calibrate_cpu(); tsc_khz = x86_platform.calibrate_tsc(); if (tsc_khz == 0) tsc_khz = cpu_khz; else if (abs(cpu_khz - tsc_khz) * 10 > tsc_khz) cpu_khz = tsc_khz; The kvm code should not call the hardware initialization in native_calibrate_cpu(), as it isn't applicable for kvm and it didn't do that prior to aa297292d708. This patch resolves this issue by setting x86_platform.calibrate_cpu to kvm_get_tsc_khz(). v2: I had originally set x86_platform.calibrate_cpu to cpu_khz_from_cpuid(), however, pbonzini pointed out that the CPUID leaf in that function is not available in KVM. I have changed the function pointer to kvm_get_tsc_khz(). Fixes: aa297292d708 ("x86/tsc: Enumerate SKL cpu_khz and tsc_khz via CPUID") Signed-off-by: Prarit Bhargava Cc: Paolo Bonzini Cc: Radim Krčmář Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: x86@kernel.org Cc: Len Brown Cc: "Peter Zijlstra (Intel)" Cc: Borislav Petkov Cc: Adrian Hunter Cc: "Christopher S. Hall" Cc: David Woodhouse Cc: kvm@vger.kernel.org Signed-off-by: Paolo Bonzini arch/x86/kernel/kvmclock.c | 1 + 1 file changed, 1 insertion(+) commit 78567f135d9bbbaf4538f63656d3e4d957c35fe9 Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH407-family: Provide interconnect clock for consumption in ST SDHCI The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If these clocks aren't handled correctly by ST's SDHCI driver MMC will break and the following output can be observed: [ 13.916949] mmc0: Timeout waiting for hardware interrupt. [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 [ 13.992252] sdhci: Host ctl2: 0x00000000 [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 [ 14.001990] sdhci: =========================================== [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard arch/arm/boot/dts/stih407-family.dtsi | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 7e9d2850a8db4e0d85a20bb692198bf2cc4be3b7 Author: Lee Jones Date: Thu Sep 8 11:11:00 2016 +0200 ARM: dts: STiH410: Handle interconnect clock required by EHCI/OHCI (USB) The STiH4{07,10} platform contains some interconnect clocks which are used by various IPs. If this clock isn't handled correctly by ST's EHCI/OHCI drivers, their hub won't be found, the following error be shown and the result will be non-working USB: [ 97.221963] hub 2-1:1.0: hub_ext_port_status failed (err = -110) Cc: stable@vger.kernel.org Tested-by: Peter Griffin Signed-off-by: Lee Jones Acked-by: Patrice Chotard arch/arm/boot/dts/stih410.dtsi | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 816f318b2364262a51024096da7ca3b84e78e3b5 Author: Takashi Iwai Date: Tue Aug 30 14:45:46 2016 +0200 ALSA: rawmidi: Fix possible deadlock with virmidi registration When a seq-virmidi driver is initialized, it registers a rawmidi instance with its callback to create an associated seq kernel client. Currently it's done throughly in rawmidi's register_mutex context. Recently it was found that this may lead to a deadlock another rawmidi device that is being attached with the sequencer is accessed, as both open with the same register_mutex. This was actually triggered by syzkaller, as Dmitry Vyukov reported: ====================================================== [ INFO: possible circular locking dependency detected ] 4.8.0-rc1+ #11 Not tainted ------------------------------------------------------- syz-executor/7154 is trying to acquire lock: (register_mutex#5){+.+.+.}, at: [] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 but task is already holding lock: (&grp->list_mutex){++++.+}, at: [] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&grp->list_mutex){++++.+}: [] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [] down_read+0x49/0xc0 kernel/locking/rwsem.c:22 [< inline >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681 [] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822 [] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418 [] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101 [] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297 [< inline >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383 [] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450 [] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645 [] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164 [< inline >] __snd_device_register sound/core/device.c:162 [] snd_device_register_all+0xad/0x110 sound/core/device.c:212 [] snd_card_register+0xef/0x6c0 sound/core/init.c:749 [] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123 [] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564 ...... -> #0 (register_mutex#5){+.+.+.}: [< inline >] check_prev_add kernel/locking/lockdep.c:1829 [< inline >] check_prevs_add kernel/locking/lockdep.c:1939 [< inline >] validate_chain kernel/locking/lockdep.c:2266 [] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335 [] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521 [] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621 [] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341 [] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188 [< inline >] subscribe_port sound/core/seq/seq_ports.c:427 [] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510 [] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579 [] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480 [] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225 [] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440 [] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375 [] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281 [] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274 [] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138 [] soundcore_open+0x30f/0x640 sound/sound_core.c:639 ...... other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&grp->list_mutex); lock(register_mutex#5); lock(&grp->list_mutex); lock(register_mutex#5); *** DEADLOCK *** ====================================================== The fix is to simply move the registration parts in snd_rawmidi_dev_register() to the outside of the register_mutex lock. The lock is needed only to manage the linked list, and it's not necessarily to cover the whole initialization process. Reported-by: Dmitry Vyukov Cc: Signed-off-by: Takashi Iwai sound/core/rawmidi.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 9f8a7658bcafb2a7853f7a2eae8a94e87e6e695b Author: Takashi Iwai Date: Wed Sep 7 15:45:31 2016 +0200 ALSA: timer: Fix zero-division by continue of uninitialized instance When a user timer instance is continued without the explicit start beforehand, the system gets eventually zero-division error like: divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 task: ffff88003c9b2280 task.stack: ffff880027280000 RIP: 0010:[] [< inline >] ktime_divns include/linux/ktime.h:195 RIP: 0010:[] [] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62 Call Trace: [< inline >] __run_hrtimer kernel/time/hrtimer.c:1238 [] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302 [] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336 [] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933 [] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957 [] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487 ..... Although a similar issue was spotted and a fix patch was merged in commit [6b760bb2c63a: ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of iceberg. In this patch, we fix the issue a bit more drastically. Basically the continue of an uninitialized timer is supposed to be a fresh start, so we do it for user timers. For the direct snd_timer_continue() call, there is no way to pass the initial tick value, so we kick out for the uninitialized case. Reported-by: Dmitry Vyukov Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) commit 9b41b92bbae6a4d3e1f3adde87864fd481037814 Author: Allen Hung Date: Fri Jul 15 17:42:22 2016 +0800 dmi-id: don't free dev structure after calling device_register dmi_dev is freed in error exit code but, according to the document of device_register, it should never directly free device structure after calling this function, even if it returned an error! Use put_device() instead. Signed-off-by: Allen Hung Signed-off-by: Jean Delvare drivers/firmware/dmi-id.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit bcf42aa60c2832510b9be0f30c090bfd35bb172d Author: Mathias Nyman Date: Wed Sep 7 17:26:33 2016 +0300 xhci: fix null pointer dereference in stop command timeout function The stop endpoint command has its own 5 second timeout timer. If the timeout function is triggered between USB3 and USB2 host removal it will try to call usb_hc_died(xhci_to_hcd(xhci)->primary_hcd) the ->primary_hcd will be set to NULL at USB3 hcd removal. Fix this by first checking if the PCI host is being removed, and also by using only xhci_to_hcd() as it will always return the primary hcd. CC: Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman drivers/usb/host/xhci-ring.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit c291b015158577be533dd5a959dfc09bab119eed Author: Dou Liyang Date: Wed Sep 7 10:21:33 2016 +0800 x86/apic: Fix num_processors value in case of failure If the topology package map check of the APIC ID and the CPU is a failure, we don't generate the processor info for that APIC ID yet we increase disabled_cpus by one - which is buggy. Only increase num_processors once we are sure we don't fail. Signed-off-by: Dou Liyang Acked-by: David Rientjes Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: http://lkml.kernel.org/r/1473214893-16481-1-git-send-email-douly.fnst@cn.fujitsu.com [ Rewrote the changelog. ] Signed-off-by: Ingo Molnar arch/x86/kernel/apic/apic.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit db91e2370e087967cb6b6425c092188767fb5e00 Author: Daniel Baluta Date: Wed Sep 7 19:49:34 2016 +0930 tools/lguest: Don't bork the terminal in case of wrong args Running lguest without arguments or with a wrong argument name borks the terminal, because the cleanup handler is set up too late in the initialization process. Signed-off-by: Daniel Baluta Signed-off-by: Rusty Russell Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Brian Gerst Cc: Denys Vlasenko Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Signed-off-by: Ingo Molnar tools/lguest/lguest.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d71f058617564750261b673ea9b3352382b9cde4 Merge: 80a7704 87260d3 Author: Linus Torvalds Date: Wed Sep 7 21:28:26 2016 -0700 Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux Pull thermal fix from Zhang Rui: "Only one patch this time, which fixes a crash in rcar_thermal driver. From Dirk Behme" * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux: thermal: rcar_thermal: Fix priv->zone error handling commit 95390e3290e8bf69091116e0d91b9754c0e93a24 Merge: 1d3ef9c 539d5c4 Author: Olof Johansson Date: Wed Sep 7 21:25:08 2016 -0700 Merge tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into fixes Allwinner fixes for 4.8 A single patch fixing a typo in the temperature trip points in the A13 DTSI. * tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: ARM: sun5i: Fix typo in trip point temperature Signed-off-by: Olof Johansson commit 1d3ef9c2dc699fcc09320a4b642e84eb3c038f26 Author: Suzuki K Poulose Date: Mon Sep 5 16:27:53 2016 +0100 arm-cci: pmu: Fix typo in event name For one of the CCI events exposed under sysfs, "snoop" was typo'd as "snopp". Correct this such that users see the expected event name when enumerating events via sysfs. Cc: arm@kernel.org Acked-by: Mark Rutland Signed-off-by: Suzuki K Poulose Signed-off-by: Olof Johansson drivers/bus/arm-cci.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 28fa9917368978e8272407f2d7f8829b17f024ea Merge: d8b795f f065e9e Author: Olof Johansson Date: Wed Sep 7 21:24:22 2016 -0700 Merge tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes i.MX fixes for 4.8, 2nd round: - Fix misspelled "ti,x-plate-ohms" property name of touchscreen controller for imx7d-sdb DTS. - Add missing BM_CLPCR_BYPASS_PMIC_READY setting for i.MX6SX to get suspend/resume work properly. - Fix SPDIF regression on imx6qdl which caused by a clock update on spdif device node. * tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx6qdl: Fix SPDIF regression ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name Signed-off-by: Olof Johansson commit d8b795f5e3a3f81e0635919b3c9cd746631a6a76 Author: Olof Johansson Date: Wed Sep 7 21:16:40 2016 -0700 Revert "ARM: tegra: fix erroneous address in dts" This reverts commit b5c86b7496d74f6e454bcab5166efa023e1f0459. This is no longer needed due to other changes going into 4.8 to rename the unit addresses on a large number of device nodes. So it was picked up for v4.8-rc1 in error. Reported-by: Ralf Ramsauer Signed-off-by: Olof Johansson arch/arm/boot/dts/tegra124-jetson-tk1.dts | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f077aaf0754bcba0fffdbd925bc12f09cd1e38aa Author: Paul Mackerras Date: Fri Sep 2 21:47:59 2016 +1000 powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET In commit c60ac5693c47 ("powerpc: Update kernel VSID range", 2013-03-13) we lost a check on the region number (the top four bits of the effective address) for addresses below PAGE_OFFSET. That commit replaced a check that the top 18 bits were all zero with a check that bits 46 - 59 were zero (performed for all addresses, not just user addresses). This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx and we will insert a valid SLB entry for it. The VSID used will be the same as if the top 4 bits were 0, but the page size will be some random value obtained by indexing beyond the end of the mm_ctx_high_slices_psize array in the paca. If that page size is the same as would be used for region 0, then userspace just has an alias of the region 0 space. If the page size is different, then no HPTE will be found for the access, and the process will get a SIGSEGV (since hash_page_mm() will refuse to create a HPTE for the bogus address). The access beyond the end of the mm_ctx_high_slices_psize can be at most 5.5MB past the array, and so will be in RAM somewhere. Since the access is a load performed in real mode, it won't fault or crash the kernel. At most this bug could perhaps leak a little bit of information about blocks of 32 bytes of memory located at offsets of i * 512kB past the paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11. Fixes: c60ac5693c47 ("powerpc: Update kernel VSID range") Cc: stable@vger.kernel.org # v3.9+ Signed-off-by: Paul Mackerras Reviewed-by: Aneesh Kumar K.V Signed-off-by: Michael Ellerman arch/powerpc/mm/slb_low.S | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 8540571e01f973d321b0821f4f32ed6e9ae8263c Author: Christophe Leroy Date: Fri Aug 26 16:45:13 2016 +0200 powerpc/32: Fix again csum_partial_copy_generic() Commit 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()") introduced a bug when destination address is odd and len is lower than cacheline size. In that case the resulting csum value doesn't have to be rotated one byte because the cache-aligned copy part is skipped so no alignment is performed. Fixes: 7aef4136566b0 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()") Cc: stable@vger.kernel.org # v4.6+ Reported-by: Alessio Igor Bogani Signed-off-by: Christophe Leroy Tested-by: Alessio Igor Bogani Signed-off-by: Michael Ellerman arch/powerpc/lib/checksum_32.S | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit caa58f808834fca9a4443233fd09df5ab639690d Author: Gavin Shan Date: Tue Sep 6 14:17:18 2016 +1000 powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE In pnv_ioda_free_pe(), the PE object (including the associated PE number) is cleared before resetting the corresponding bit in the PE allocation bitmap. It means PE#0 is always released to the bitmap wrongly. This fixes above issue by caching the PE number before the PE object is cleared. Fixes: 1e9167726c41 ("powerpc/powernv: Use PE instead of number during setup and release" Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9dd4aaef194e45d96c2d0b6232a9cbc5430ad789 Author: Florian Fainelli Date: Tue Sep 6 20:22:21 2016 -0700 MAINTAINERS: Update CPMAC email address Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 56beac95cb88c188d2a885825a5da131edb41fe3 Author: Russell King Date: Mon Aug 29 11:24:10 2016 +0100 gpio: sa1100: fix irq probing for ucb1x00 ucb1x00 has used IRQ probing since it's dawn to find the GPIO interrupt that it's connected to. However, commit 23393d49fb75 ("gpio: kill off set_irq_flags usage") broke this by disabling IRQ probing on GPIO interrupts. Fix this. Fixes: 23393d49fb75 ("gpio: kill off set_irq_flags usage") Signed-off-by: Russell King Signed-off-by: Linus Walleij drivers/gpio/gpio-sa1100.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 60f749f8e4cfdfffa5f29c966050ed680eeedac2 Author: Linus Walleij Date: Wed Sep 7 23:13:20 2016 +0200 gpio: mcp23s08: make driver depend on OF_GPIO The MCP23S08 driver certainly accesses fields inside the struct gpio_chip that are only available under CONFIG_OF_GPIO not just CONFIG_OF, so update the Kconfig and driver to reflect this. Cc: Alexander Stein Cc: Phil Reid Reported-by: kbuild test robot Signed-off-by: Linus Walleij drivers/gpio/Kconfig | 1 + drivers/gpio/gpio-mcp23s08.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) commit c6c864993d9a20f8d7cacb4feaac5c46a2f2e4db Author: Linus Walleij Date: Wed Aug 24 13:51:33 2016 +0200 Revert "gpio: include in gpiolib-of" This reverts commit 7d4defe21c682c934a19fce1ba8b54b7bde61b08. The commit was pointless, manically trembling in the dark for a solution. The real fixes are: commit 048c28c91e56 ("gpio: make any OF dependent driver depend on OF_GPIO") commit 2527ecc9195e ("gpio: Fix OF build problem on UM") Reported-by: Chris Wilson Signed-off-by: Linus Walleij drivers/gpio/gpiolib-of.c | 1 - 1 file changed, 1 deletion(-) commit 80a77045daacc660659093b312ca0708b53ed558 Merge: ab29b33 8e1f74e Author: Linus Torvalds Date: Wed Sep 7 14:03:49 2016 -0700 Merge tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull more hardened usercopyfixes from Kees Cook: - force check_object_size() to be inline too - move page-spanning check behind a CONFIG since it's triggering false positives [ Changed the page-spanning config option to depend on EXPERT in the merge. That way it still gets build testing, and you can enable it if you want to, but is never enabled for "normal" configurations ] * tag 'usercopy-v4.8-rc6-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: usercopy: remove page-spanning test for now usercopy: force check_object_size() inline commit b7f3c7d345f72240055efcdf4111fb2e0d01be99 Merge: cbd60aa ce12965 Author: Chris Mason Date: Wed Sep 7 12:55:36 2016 -0700 Merge branch 'for-chris' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.8 commit 8e1f74ea02cf4562404c48c6882214821552c13f Author: Kees Cook Date: Wed Sep 7 09:54:34 2016 -0700 usercopy: remove page-spanning test for now A custom allocator without __GFP_COMP that copies to userspace has been found in vmw_execbuf_process[1], so this disables the page-span checker by placing it behind a CONFIG for future work where such things can be tracked down later. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1373326 Reported-by: Vinson Lee Fixes: f5509cc18daa ("mm: Hardened usercopy") Signed-off-by: Kees Cook mm/usercopy.c | 61 ++++++++++++++++++++++++++++++++------------------------ security/Kconfig | 11 ++++++++++ 2 files changed, 46 insertions(+), 26 deletions(-) commit a85d6b8242dc78ef3f4542a0f979aebcbe77fc4e Author: Kees Cook Date: Wed Sep 7 09:39:32 2016 -0700 usercopy: force check_object_size() inline Just for good measure, make sure that check_object_size() is always inlined too, as already done for copy_*_user() and __copy_*_user(). Suggested-by: Linus Torvalds Signed-off-by: Kees Cook include/linux/thread_info.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit ab29b33a84f6910ebf01a32f69a370886a4283dd Merge: 08411a7 4fadd04 Author: Linus Torvalds Date: Wed Sep 7 10:46:06 2016 -0700 Merge tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fixes from Kees Cook: "Fix UM seccomp vs ptrace, after reordering landed" * tag 'seccomp-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Remove 2-phase API documentation um/ptrace: Fix the syscall number update after a ptrace um/ptrace: Fix the syscall_trace_leave call commit a0714125d11bcf21599b08b25fdaf384c0db6712 Merge: ded8991 e34f2ff Author: Kalle Valo Date: Wed Sep 7 20:16:37 2016 +0300 Merge ath-current from ath.git ath.git fixes for 4.8. Major changes: ath10k * fix racy rx status retrieval from htt context * QCA9887 support is not experimental anymore, remove the warning message ath9k * fix regression with led GPIOs * fix AR5416 GPIO access warning commit 08411a7554248009f26e85635f445a209604bfb5 Merge: d060e0f 3c17648 Author: Linus Torvalds Date: Wed Sep 7 09:29:36 2016 -0700 Merge tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull hardened usercopy fixes from Kees Cook: - inline copy_*_user() for correct use of __builtin_const_p() for hardened usercopy and the recent compile-time checks. - switch hardened usercopy to only check non-const size arguments to avoid meaningless checks on likely-sane const values. - update lkdtm usercopy tests to compenstate for the const checking. * tag 'usercopy-v4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: lkdtm: adjust usercopy tests to bypass const checks usercopy: fold builtin_const check into inline function x86/uaccess: force copy_*_user() to be inlined commit 4fadd04d504a82f7f1fdeaddc144a9c396d1285e Author: Mickaël Salaün Date: Mon Aug 1 23:01:57 2016 +0200 seccomp: Remove 2-phase API documentation Fixes: 8112c4f140fa ("seccomp: remove 2-phase API") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Andy Lutomirski Cc: James Morris Signed-off-by: James Morris Signed-off-by: Kees Cook arch/Kconfig | 11 ----------- 1 file changed, 11 deletions(-) commit ce29856a5e1aabe52e18b2c60db1490769a6ab55 Author: Mickaël Salaün Date: Mon Aug 1 23:01:56 2016 +0200 um/ptrace: Fix the syscall number update after a ptrace Update the syscall number after each PTRACE_SETREGS on ORIG_*AX. This is needed to get the potentially altered syscall number in the seccomp filters after RET_TRACE. This fix four seccomp_bpf tests: > [ RUN ] TRACE_syscall.skip_after_RET_TRACE > seccomp_bpf.c:1560:TRACE_syscall.skip_after_RET_TRACE:Expected -1 (18446744073709551615) == syscall(39) (26) > seccomp_bpf.c:1561:TRACE_syscall.skip_after_RET_TRACE:Expected 1 (1) == (*__errno_location ()) (22) > [ FAIL ] TRACE_syscall.skip_after_RET_TRACE > [ RUN ] TRACE_syscall.kill_after_RET_TRACE > TRACE_syscall.kill_after_RET_TRACE: Test exited normally instead of by signal (code: 1) > [ FAIL ] TRACE_syscall.kill_after_RET_TRACE > [ RUN ] TRACE_syscall.skip_after_ptrace > seccomp_bpf.c:1622:TRACE_syscall.skip_after_ptrace:Expected -1 (18446744073709551615) == syscall(39) (26) > seccomp_bpf.c:1623:TRACE_syscall.skip_after_ptrace:Expected 1 (1) == (*__errno_location ()) (22) > [ FAIL ] TRACE_syscall.skip_after_ptrace > [ RUN ] TRACE_syscall.kill_after_ptrace > TRACE_syscall.kill_after_ptrace: Test exited normally instead of by signal (code: 1) > [ FAIL ] TRACE_syscall.kill_after_ptrace Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Jeff Dike Cc: Richard Weinberger Cc: James Morris Cc: user-mode-linux-devel@lists.sourceforge.net Signed-off-by: James Morris Signed-off-by: Kees Cook arch/um/kernel/skas/syscall.c | 5 ----- arch/x86/um/ptrace_32.c | 3 +++ arch/x86/um/ptrace_64.c | 4 ++++ 3 files changed, 7 insertions(+), 5 deletions(-) commit 972939e28592ec61e2e8334786152be2c80de677 Author: Mickaël Salaün Date: Mon Aug 1 23:01:55 2016 +0200 um/ptrace: Fix the syscall_trace_leave call Keep the same semantic as before the commit 26703c636c1f: deallocate audit context and fake a proper syscall exit. This fix a kernel panic triggered by the seccomp_bpf test: > [ RUN ] global.ERRNO_valid > BUG: failure at kernel/auditsc.c:1504/__audit_syscall_entry()! > Kernel panic - not syncing: BUG! Fixes: 26703c636c1f ("um/ptrace: run seccomp after ptrace") Signed-off-by: Mickaël Salaün Acked-by: Kees Cook Cc: Jeff Dike Cc: Richard Weinberger Cc: James Morris Cc: user-mode-linux-devel@lists.sourceforge.net Signed-off-by: James Morris Signed-off-by: Kees Cook arch/um/kernel/skas/syscall.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 82469c59d222f839ded5cd282172258e026f9112 Author: Gabriel Krisman Bertazi Date: Tue Sep 6 17:39:13 2016 -0300 nvme: Don't suspend admin queue that wasn't created This fixes a regression in my previous commit c21377f8366c ("nvme: Suspend all queues before deletion"), which provoked an Oops in the removal path when removing a device that became IO incapable very early at probe (i.e. after a failed EEH recovery). Turns out, if the error occurred very early at the probe path, before even configuring the admin queue, we might try to suspend the uninitialized admin queue, accessing bad memory. Fixes: c21377f8366c ("nvme: Suspend all queues before deletion") Signed-off-by: Gabriel Krisman Bertazi Reviewed-by: Jay Freyensee Signed-off-by: Jens Axboe drivers/nvme/host/pci.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit fc2780b66b15092ac68272644a522c1624c48547 Author: Chris Wilson Date: Fri Aug 26 11:59:26 2016 +0100 drm/i915: Add GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE to SNB According to the CI test machines, SNB also uses the GEN7_PCODE_MIN_FREQ_TABLE_GT_RATIO_OUT_OF_RANGE value to report a bad GEN6_PCODE_MIN_FREQ_TABLE request. [ 157.744641] WARNING: CPU: 5 PID: 9238 at drivers/gpu/drm/i915/intel_pm.c:7760 sandybridge_pcode_write+0x141/0x200 [i915] [ 157.744642] Missing switch case (16) in gen6_check_mailbox_status [ 157.744642] Modules linked in: snd_hda_intel i915 ax88179_178a usbnet mii x86_pkg_temp_thermal intel_powerclamp coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic snd_hda_codec snd_hwdep snd_hda_core mei_me lpc_ich snd_pcm mei broadcom bcm_phy_lib tg3 ptp pps_core [last unloaded: vgem] [ 157.744658] CPU: 5 PID: 9238 Comm: drv_hangman Tainted: G U W 4.8.0-rc3-CI-CI_DRM_1589+ #1 [ 157.744658] Hardware name: Dell Inc. XPS 8300 /0Y2MRG, BIOS A06 10/17/2011 [ 157.744659] 0000000000000000 ffff88011f093a98 ffffffff81426415 ffff88011f093ae8 [ 157.744662] 0000000000000000 ffff88011f093ad8 ffffffff8107d2a6 00001e50810d3c9f [ 157.744663] ffff880128680000 0000000000000008 0000000000000000 ffff88012868a650 [ 157.744665] Call Trace: [ 157.744669] [] dump_stack+0x67/0x92 [ 157.744672] [] __warn+0xc6/0xe0 [ 157.744673] [] warn_slowpath_fmt+0x4a/0x50 [ 157.744685] [] sandybridge_pcode_write+0x141/0x200 [i915] [ 157.744697] [] intel_enable_gt_powersave+0x64a/0x1330 [i915] [ 157.744712] [] ? i9xx_emit_request+0x1b/0x80 [i915] [ 157.744725] [] __i915_add_request+0x1e3/0x370 [i915] [ 157.744738] [] i915_gem_do_execbuffer.isra.16+0xced/0x1b80 [i915] [ 157.744740] [] ? __might_fault+0x3e/0x90 [ 157.744752] [] i915_gem_execbuffer2+0xc2/0x2a0 [i915] [ 157.744753] [] drm_ioctl+0x207/0x4c0 [ 157.744765] [] ? i915_gem_execbuffer+0x360/0x360 [i915] [ 157.744767] [] ? debug_lockdep_rcu_enabled+0x1d/0x20 [ 157.744769] [] do_vfs_ioctl+0x8e/0x680 [ 157.744770] [] ? __might_fault+0x87/0x90 [ 157.744771] [] ? __might_fault+0x3e/0x90 [ 157.744773] [] ? trace_hardirqs_on_caller+0x122/0x1b0 [ 157.744774] [] SyS_ioctl+0x3c/0x70 [ 157.744776] [] entry_SYSCALL_64_fastpath+0x1c/0xac Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97491 Fixes: 87660502f1a4 ("drm/i915/gen6+: Interpret mailbox error flags") Signed-off-by: Chris Wilson Cc: Lyude Cc: Matt Roper Cc: Maarten Lankhorst Cc: Daniel Vetter Cc: Ville Syrjälä Cc: stable@vger.kernel.org Link: http://patchwork.freedesktop.org/patch/msgid/20160826105926.3413-1-chris@chris-wilson.co.uk Acked-by: Mika Kuoppala (cherry picked from commit 7850d1c35344c7bd6a357240f2f9f60fc2c097b5) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/intel_pm.c | 1 + 1 file changed, 1 insertion(+) commit ded89912156b1a47d940a0c954c43afbabd0c42c Author: Arend Van Spriel Date: Mon Sep 5 10:45:47 2016 +0100 brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap() User-space can choose to omit NL80211_ATTR_SSID and only provide raw IE TLV data. When doing so it can provide SSID IE with length exceeding the allowed size. The driver further processes this IE copying it into a local variable without checking the length. Hence stack can be corrupted and used as exploit. Cc: stable@vger.kernel.org # v4.7 Reported-by: Daxing Guo Reviewed-by: Hante Meuleman Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Franky Lin Signed-off-by: Arend van Spriel Signed-off-by: Kalle Valo drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e34f2ff40e0339f6a379e1ecf49e8f2759056453 Author: Giedrius Statkevičius Date: Thu Sep 1 20:47:02 2016 +0300 ath9k: bring back direction setting in ath9k_{start_stop} A regression was introduced in commit id 79d4db1214a ("ath9k: cleanup led_pin initial") that broken the WLAN status led on my laptop with AR9287 after suspending and resuming. Steps to reproduce: * Suspend (laptop) * Resume (laptop) * Observe that the WLAN led no longer turns ON/OFF depending on the status and is always red Even though for my case it only needs to be set to OUT in ath9k_start but for consistency bring back the IN direction setting as well. Fixes: 79d4db1214a0 ("ath9k: cleanup led_pin initial") Cc: Miaoqing Pan Cc: Kalle Valo Cc: # 4.7+ Link: https://bugzilla.kernel.org/show_bug.cgi?id=151711 Signed-off-by: Giedrius Statkevičius [kvalo@qca.qualcomm.com: improve commit log] Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/main.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 0bd2223594a4dcddc1e34b15774a3a4776f7749e Author: Ard Biesheuvel Date: Thu Sep 1 14:25:43 2016 +0100 crypto: cryptd - initialize child shash_desc on import When calling .import() on a cryptd ahash_request, the structure members that describe the child transform in the shash_desc need to be initialized like they are when calling .init() Cc: stable@vger.kernel.org Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu crypto/cryptd.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit 696118c016dd5f5caaa05360f13f8acd8fb9d1a7 Author: Felipe Balbi Date: Wed Sep 7 13:39:37 2016 +0300 usb: dwc3: pci: fix build warning on !PM_SLEEP When building a kernel with CONFIG_PM_SLEEP=n, we get the following warning: drivers/usb/dwc3/dwc3-pci.c:253:12: warning: 'dwc3_pci_pm_dummy' defined but not used In order to fix this, we should only define dwc3_pci_pm_dummy() when CONFIG_PM_SLEEP is defined. Fixes: f6c274e11e3b ("usb: dwc3: pci: runtime_resume child device") Reported-by: Arnd Bergmann Acked-by: Arnd Bergmann Signed-off-by: Felipe Balbi drivers/usb/dwc3/dwc3-pci.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 751eb6b6042a596b0080967c1a529a9fe98dac1d Author: Wei Yongjun Date: Mon Sep 5 16:06:31 2016 +0800 ipv6: addrconf: fix dev refcont leak when DAD failed In general, when DAD detected IPv6 duplicate address, ifp->state will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a delayed work, the call tree should be like this: ndisc_recv_ns -> addrconf_dad_failure <- missing ifp put -> addrconf_mod_dad_work -> schedule addrconf_dad_work() -> addrconf_dad_stop() <- missing ifp hold before call it addrconf_dad_failure() called with ifp refcont holding but not put. addrconf_dad_work() call addrconf_dad_stop() without extra holding refcount. This will not cause any issue normally. But the race between addrconf_dad_failure() and addrconf_dad_work() may cause ifp refcount leak and netdevice can not be unregister, dmesg show the following messages: IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected! ... unregister_netdevice: waiting for eth0 to become free. Usage count = 1 Cc: stable@vger.kernel.org Fixes: c15b1ccadb32 ("ipv6: move DAD and addrconf_verify processing to workqueue") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/ipv6/addrconf.c | 2 ++ 1 file changed, 2 insertions(+) commit 9d13744bb75078175ab49408f2abb980e4dbccc9 Author: Michael Chan Date: Mon Sep 5 01:57:35 2016 -0400 bnxt_en: Fix TX push operation on ARM64. There is a code path where we are calling __iowrite64_copy() on an address that is not 64-bit aligned. This causes an exception on some architectures such as arm64. Fix that code path by using __iowrite32_copy(). Reported-by: JD Zheng Signed-off-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnxt/bnxt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 5a56a0b3a45dd0cc5b2f7bec6afd053a474ed9f5 Author: Mark Tomlinson Date: Mon Sep 5 10:20:20 2016 +1200 net: Don't delete routes in different VRFs When deleting an IP address from an interface, there is a clean-up of routes which refer to this local address. However, there was no check to see that the VRF matched. This meant that deletion wasn't confined to the VRF it should have been. To solve this, a new field has been added to fib_info to hold a table id. When removing fib entries corresponding to a local ip address, this table id is also used in the comparison. The table id is populated when the fib_info is created. This was already done in some places, but not in ip_rt_ioctl(). This has now been fixed. Fixes: 021dd3b8a142 ("net: Add routes to the table associated with the device") Acked-by: David Ahern Tested-by: David Ahern Signed-off-by: Mark Tomlinson Signed-off-by: David S. Miller include/net/ip_fib.h | 3 ++- net/ipv4/fib_frontend.c | 3 ++- net/ipv4/fib_semantics.c | 8 ++++++-- 3 files changed, 10 insertions(+), 4 deletions(-) commit daa7ee8dfa64233789221685e73a6ef8159f80de Author: Sudip Mukherjee Date: Sun Sep 4 23:02:21 2016 +0530 net: smsc: remove build warning of duplicate definition The build of m32r was giving warning: In file included from drivers/net/ethernet/smsc/smc91x.c:92:0: drivers/net/ethernet/smsc/smc91x.h:448:0: warning: "SMC_inb" redefined #define SMC_inb(ioaddr, reg) ({ BUG(); 0; }) drivers/net/ethernet/smsc/smc91x.h:106:0: note: this is the location of the previous definition #define SMC_inb(a, r) inb(((u32)a) + (r)) drivers/net/ethernet/smsc/smc91x.h:449:0: warning: "SMC_outb" redefined #define SMC_outb(x, ioaddr, reg) BUG() drivers/net/ethernet/smsc/smc91x.h:108:0: note: this is the location of the previous definition #define SMC_outb(v, a, r) outb(v, ((u32)a) + (r)) Signed-off-by: Sudip Mukherjee Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smc91x.h | 2 ++ 1 file changed, 2 insertions(+) commit 007e4ba3ee137f4700f39aa6dbaf01a71047c5f6 Author: Helmut Buchsbaum Date: Sun Sep 4 18:09:47 2016 +0200 net: macb: initialize checksum when using checksum offloading I'm still struggling to get this fix right.. Changes since v2: - do not blindly modify SKB contents according to Dave's legitimate objection Changes since v1: - dropped disabling HW checksum offload for Zynq - initialize checksum similar to net/ethernet/freescale/fec_main.c -- >8 -- MACB/GEM needs the checksum field initialized to 0 to get correct results on transmit in all cases, e.g. on Zynq, UDP packets with payload <= 2 otherwise contain a wrong checksums. Signed-off-by: Helmut Buchsbaum Signed-off-by: David S. Miller drivers/net/ethernet/cadence/macb.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) commit 05c974669ecec510a85d8534099bb75404e82c41 Author: Chuck Lever Date: Tue Sep 6 11:22:58 2016 -0400 xprtrdma: Fix receive buffer accounting An RPC can terminate before its reply arrives, if a credential problem or a soft timeout occurs. After this happens, xprtrdma reports it is out of Receive buffers. A Receive buffer is posted before each RPC is sent, and returned to the buffer pool when a reply is received. If no reply is received for an RPC, that Receive buffer remains posted. But xprtrdma tries to post another when the next RPC is sent. If this happens a few dozen times, there are no receive buffers left to be posted at send time. I don't see a way for a transport connection to recover at that point, and it will spit warnings and unnecessarily delay RPCs on occasion for its remaining lifetime. Commit 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays") removed a little bit of logic to detect this case and not provide a Receive buffer so no more buffers are posted, and then transport operation continues correctly. We didn't understand what that logic did, and it wasn't commented, so it was removed as part of the overhaul to support backchannel requests. Restore it, but be wary of the need to keep extra Receives posted to deal with backchannel requests. Fixes: 1e465fd4ff47 ("xprtrdma: Replace send and receive arrays") Signed-off-by: Chuck Lever Reviewed-by: Anna Schumaker Signed-off-by: Trond Myklebust net/sunrpc/xprtrdma/verbs.c | 41 +++++++++++++++++++++++++++++------------ net/sunrpc/xprtrdma/xprt_rdma.h | 1 + 2 files changed, 30 insertions(+), 12 deletions(-) commit 78d506e1b7071b24850fd5ac22b896c459b0a04c Author: Chuck Lever Date: Tue Sep 6 11:22:49 2016 -0400 xprtrdma: Revert 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion...") Receive buffer exhaustion, if it were to actually occur, would be catastrophic. However, when there are no reply buffers to post, that means all of them have already been posted and are waiting for incoming replies. By design, there can never be more RPCs in flight than there are available receive buffers. A receive buffer can be left posted after an RPC exits without a received reply; say, due to a credential problem or a soft timeout. This does not result in fewer posted receive buffers than there are pending RPCs, and there is already logic in xprtrdma to deal appropriately with this case. It also looks like the "+ 2" that was removed was accidentally accommodating the number of extra receive buffers needed for receiving backchannel requests. That will need to be addressed by another patch. Fixes: 3d4cf35bd4fa ("xprtrdma: Reply buffer exhaustion can be...") Signed-off-by: Chuck Lever Reviewed-by: Anna Schumaker Signed-off-by: Trond Myklebust net/sunrpc/xprtrdma/verbs.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit 03c2778a938aaba0893f6d6cdc29511d91a79848 Author: Dave Jones Date: Fri Sep 2 14:39:50 2016 -0400 ipv6: release dst in ping_v6_sendmsg Neither the failure or success paths of ping_v6_sendmsg release the dst it acquires. This leads to a flood of warnings from "net/core/dst.c:288 dst_release" on older kernels that don't have 8bf4ada2e21378816b28205427ee6b0e1ca4c5f1 backported. That patch optimistically hoped this had been fixed post 3.10, but it seems at least one case wasn't, where I've seen this triggered a lot from machines doing unprivileged icmp sockets. Cc: Martin Lau Signed-off-by: Dave Jones Acked-by: Martin KaFai Lau Signed-off-by: David S. Miller net/ipv6/ping.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit d060e0f603a4156087813d221d818bb39ec91429 Merge: 46738ab 16170d9 Author: Linus Torvalds Date: Tue Sep 6 12:33:12 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "This is the second pull request for the rdma subsystem. Most of the patches are small and obvious. I took two patches in that are larger than I wanted this late in the cycle. The first is the hfi1 patch that implements a work queue to test the QSFP read state. I originally rejected the first patch for this (which would have place up to 20 seconds worth of udelays in their probe routine). They then rewrote it the way I wanted (use delayed work tasks to wait asynchronously up to 20 seconds for the QSFP to come alive), so I can't really complain about the size of getting what I asked for :-/. The second is large because it switches the rcu locking in the debugfs code. Since a locking change like this is done all at once, the size it what it is. It resolves a litany of debug messages from the kernel, so I pulled it in for -rc. The rest are all typical -rc worthy patches I think. There will still be a third -rc pull request from the rdma subsystem this release. I hope to have that one ready to go by the end of this week or early next. Summary: - a smattering of small fixes across the core, ipoib, i40iw, isert, cxgb4, and mlx4 - a slightly larger group of fixes to each of mlx5 and hfi1" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: IB/hfi1: Rework debugfs to use SRCU IB/hfi1: Make n_krcvqs be an unsigned long integer IB/hfi1: Add QSFP sanity pre-check IB/hfi1: Fix AHG KDETH Intr shift IB/hfi1: Fix SGE length for misaligned PIO copy IB/mlx5: Don't return errors from poll_cq IB/mlx5: Use TIR number based on selector IB/mlx5: Simplify code by removing return variable IB/mlx5: Return EINVAL when caller specifies too many SGEs IB/mlx4: Don't return errors from poll_cq Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one" IB/ipoib: Fix memory corruption in ipoib cm mode connect flow IB/core: Fix use after free in send_leave function IB/cxgb4: Make _free_qp static to silence build warning IB/isert: Properly release resources on DEVICE_REMOVAL IB/hfi1: Fix the size parameter to find_first_bit IB/mlx5: Fix the size parameter to find_first_bit IB/hfi1: Clean up type used and casting i40iw: Receive notification events correctly i40iw: Update hw_iwarp_state commit 3c17648c2816f6d28bd2be9293032a2901994a36 Author: Kees Cook Date: Tue Sep 6 11:26:12 2016 -0700 lkdtm: adjust usercopy tests to bypass const checks The hardened usercopy is now consistently avoiding checks against const sizes, since we really only want to perform runtime bounds checking on lengths that weren't known at build time. To test the hardened usercopy code, we must force the length arguments to be seen as non-const. Signed-off-by: Kees Cook drivers/misc/lkdtm_usercopy.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) commit 81409e9e28058811c9ea865345e1753f8f677e44 Author: Kees Cook Date: Wed Aug 31 16:04:21 2016 -0700 usercopy: fold builtin_const check into inline function Instead of having each caller of check_object_size() need to remember to check for a const size parameter, move the check into check_object_size() itself. This actually matches the original implementation in PaX, though this commit cleans up the now-redundant builtin_const() calls in the various architectures. Signed-off-by: Kees Cook arch/ia64/include/asm/uaccess.h | 12 ++++-------- arch/powerpc/include/asm/uaccess.h | 19 +++++++------------ arch/sparc/include/asm/uaccess_32.h | 9 +++------ arch/sparc/include/asm/uaccess_64.h | 7 +++---- include/linux/thread_info.h | 3 ++- 5 files changed, 19 insertions(+), 31 deletions(-) commit e6971009a95a74f28c58bbae415c40effad1226c Author: Kees Cook Date: Tue Sep 6 11:56:01 2016 -0700 x86/uaccess: force copy_*_user() to be inlined As already done with __copy_*_user(), mark copy_*_user() as __always_inline. Without this, the checks for things like __builtin_const_p() won't work consistently in either hardened usercopy nor the recent adjustments for detecting usercopy overflows at compile time. The change in kernel text size is detectable, but very small: text data bss dec hex filename 12118735 5768608 14229504 32116847 1ea106f vmlinux.before 12120207 5768608 14229504 32118319 1ea162f vmlinux.after Signed-off-by: Kees Cook arch/x86/include/asm/uaccess.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 46738ab31fe668ea1d4413dd459af2632f6fef8d Merge: 6296c41 a75e4a8 Author: Linus Torvalds Date: Tue Sep 6 11:15:07 2016 -0700 Merge branch 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration Pull mailbox fixes from Jassi Brar: "Misc fixes for BCM mailbox driver - Fix build warnings by making static functions used within the file. - Check for potential NULL before dereferencing - Fix link error by defining HAS_DMA dependency" * 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration: fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown() mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX commit 6296c41259af263780a976d9e2db6bb581709d45 Merge: ec9a03d 14a5916 Author: Linus Torvalds Date: Tue Sep 6 11:06:52 2016 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "This is really three fixes, but the SES one comes in a bundle of three (making the replacement API available properly, using it and removing the non-working one). The SES problem causes an oops on hpsa devices because they attach virtual disks to the host which aren't SAS attached (the replacement API ignores them). The other two fixes are fairly minor: the sense key one means we actually resolve a newly added sense key and the RDAC device blacklisting is needed to prevent us annoying the universal XPORT lun of various RDAC arrays" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: sas: remove is_sas_attached() scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached scsi: sas: provide stub implementation for scsi_is_sas_rphy scsi: blacklist all RDAC devices for BLIST_NO_ULD_ATTACH scsi: fix upper bounds check of sense key in scsi_sense_key_string() commit ec9a03d47ed71364501c54ce3845af0bd81ff2f6 Merge: 8ded8f0 787ad90 Author: Linus Torvalds Date: Tue Sep 6 11:02:36 2016 -0700 Merge tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Pull regmap fixes from Mark Brown: "Several fixes here, the main one being the change from Lars-Peter which I'd been letting soak in -next since the merge window in case it uncovered further issues as it's a minimal fix rather than a change addressing the root cause of the problems (which would've been too invasive for -rc): - The biggest change is a fix from Lars-Peter to ensure that we don't create overlapping rbtree nodes which in turn avoids returning corrupt cache values to users, fixing some issues that were exposed by some recent optimisations with certain access patterns but had been present for a long time. - A fix from Elaine Zhang to stop us updating the cache if we get an I/O error when writing to the hardware. - A fix fromm Maarten ter Huurne to avoid uninitialized defaults in cases where we have non-readable registers but are initializing the cache by reading from the device" * tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: drop cache if the bus transfer error regmap: rbtree: Avoid overlapping nodes regmap: cache: Fix num_reg_defaults computation from reg_defaults_raw commit 8ded8f0030b9b44e9dcf48ce2421f9502cece39b Merge: 8fa5729 ae4860b Author: Linus Torvalds Date: Tue Sep 6 10:59:44 2016 -0700 Merge tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi Pull spi fixes from Mark Brown: "As well as the usual driver fixes there's a couple of non-trivial core fixes in here: - Fixes for issues reported by Julia Lawall in the changes that were sent last time to fix interaction between the bus lock and the locking done for the SPI thread. I'd let this one cook for a while to make sure nothing else came up in testing. - A fix from Sien Wu for arithmetic overflows when calculating the timeout for larger transfers (espcially common with slow buses with flashes on them)" * tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: Prevent unexpected SPI time out due to arithmetic overflow spi: pxa2xx-pci: fix ACPI-based enumeration of SPI devices MAINTAINERS: add myself as Samsung SPI maintainer spi: Drop io_mutex in error paths spi: sh-msiof: Avoid invalid clock generator parameters spi: img-spfi: Remove spi_master_put in img_spfi_remove() spi: mediatek: remove spi_master_put in mtk_spi_remove() spi: qup: Remove spi_master_put in spi_qup_remove() commit 8fa5729dc294af34968451a8dc558ac36ed8d7d8 Merge: 4c601e0 78cefcb Author: Linus Torvalds Date: Tue Sep 6 10:43:54 2016 -0700 Merge tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "Two things here, one an e-mail update for Krzysztof Kozlowski and the other a couple of fixes for issues with incorrectly described voltages in a couple of the Qualcomm regulator drivers that were breaking MMC on some platforms" * tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: Change Krzysztof Kozlowski's email to kernel.org regulator: qcom_smd: Fix voltage ranges for pma8084 ftsmps and pldo regulator: qcom_smd: Fix voltage ranges for pm8x41 commit 4c601e0df765482ad338e8b98f35accd5f1b87a7 Merge: bc4dee5 486095f Author: Linus Torvalds Date: Tue Sep 6 10:36:12 2016 -0700 Merge tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Nothing special at all, just three SoC-specific driver fixes: - Fix routing problems in pistachio (Imagination) and sunxi (AllWinner) - Fix an interrupt problem in the Cherryview (Intel)" * tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33 pinctrl: cherryview: Do not mask all interrupts in probe pinctrl: pistachio: fix mfio pll_lock pinmux commit d1a6cba576fc7c43e476538fe5aa72fe04bd80e1 Author: Liping Zhang Date: Tue Sep 6 22:31:02 2016 +0800 netfilter: nft_chain_route: re-route before skb is queued to userspace Imagine such situation, user add the following nft rules, and queue the packets to userspace for further check: # ip rule add fwmark 0x0/0x1 lookup eth0 # ip rule add fwmark 0x1/0x1 lookup eth1 # nft add table filter # nft add chain filter output {type route hook output priority 0 \;} # nft add rule filter output mark set 0x1 # nft add rule filter output queue num 0 But after we reinject the skbuff, the packet will be sent via the wrong route, i.e. in this case, the packet will be routed via eth0 table, not eth1 table. Because we skip to do re-route when verdict is NF_QUEUE, even if the mark was changed. Acctually, we should not touch sk_buff if verdict is NF_DROP or NF_STOLEN, and when re-route fails, return NF_DROP with error code. This is consistent with the mangle table in iptables. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/ipv4/netfilter/nft_chain_route_ipv4.c | 11 +++++++---- net/ipv6/netfilter/nft_chain_route_ipv6.c | 10 +++++++--- 2 files changed, 14 insertions(+), 7 deletions(-) commit ce129655c9d9aaa7b3bcc46529db1b36693575ed Author: Wang Xiaoguang Date: Fri Sep 2 10:58:46 2016 +0800 btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress In btrfs_async_reclaim_metadata_space(), we use ticket's address to determine whether asynchronous metadata reclaim work is making progress. ticket = list_first_entry(&space_info->tickets, struct reserve_ticket, list); if (last_ticket == ticket) { flush_state++; } else { last_ticket = ticket; flush_state = FLUSH_DELAYED_ITEMS_NR; if (commit_cycles) commit_cycles--; } But indeed it's wrong, we should not rely on local variable's address to do this check, because addresses may be same. In my test environment, I dd one 168MB file in a 256MB fs, found that for this file, every time wait_reserve_ticket() called, local variable ticket's address is same, For above codes, assume a previous ticket's address is addrA, last_ticket is addrA. Btrfs_async_reclaim_metadata_space() finished this ticket and wake up it, then another ticket is added, but with the same address addrA, now last_ticket will be same to current ticket, then current ticket's flush work will start from current flush_state, not initial FLUSH_DELAYED_ITEMS_NR, which may result in some enospc issues(I have seen this in my test machine). Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/ctree.h | 1 + fs/btrfs/extent-tree.c | 11 ++++++----- 2 files changed, 7 insertions(+), 5 deletions(-) commit 557b1a8cae25e36ac2f125d93f003e60a7d0d014 Author: Zhi Wang Date: Tue Sep 6 12:04:12 2016 +0800 drm/i915: disable 48bit full PPGTT when vGPU is active Disable 48bit full PPGTT on vGPU too for now. Signed-off-by: Zhi Wang Signed-off-by: Zhenyu Wang Reviewed-by: Joonas Lahtinen Acked-by: Chris Wilson Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-3-zhenyuw@linux.intel.com (cherry picked from commit e320d40022128845dfff900422ea9fd69f576c98) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_gem_gtt.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit cd28e716c6869d2f06e64bcd679d0a45dd8a6295 Author: Ping Gao Date: Tue Sep 6 12:04:11 2016 +0800 drm/i915: enable vGPU detection for all vGPU capability is handled by GVT-g host driver, not needed to put extra HW check for vGPU detection. And we'll actually support vGPU from BDW. Signed-off-by: Ping Gao Signed-off-by: Zhenyu Wang Reviewed-by: Joonas Lahtinen Acked-by: Chris Wilson Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160906040412.1274-2-zhenyuw@linux.intel.com (cherry picked from commit 8ef89995c735f978d5dfcb3ca6bce70d41728c91) Signed-off-by: Jani Nikula drivers/gpu/drm/i915/i915_vgpu.c | 3 --- 1 file changed, 3 deletions(-) commit cbd60aa7cd17d81a434234268c55192862147439 Author: Chris Mason Date: Tue Sep 6 05:37:40 2016 -0700 Btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns We use a btrfs_log_ctx structure to pass information into the tree log commit, and get error values out. It gets added to a per log-transaction list which we walk when things go bad. Commit d1433debe added an optimization to skip waiting for the log commit, but didn't take root_log_ctx out of the list. This patch makes sure we remove things before exiting. Signed-off-by: Chris Mason Fixes: d1433debe7f4346cf9fc0dafc71c3137d2a97bc4 cc: stable@vger.kernel.org # 3.15+ fs/btrfs/tree-log.c | 1 + 1 file changed, 1 insertion(+) commit 1ba7db07ccc2825669d6e376632316813a072887 Author: Thierry Reding Date: Mon Jul 11 12:19:40 2016 +0200 drm/atmel-hlcdc: Make ->reset() implementation static The atmel_hlcdc_crtc_reset() function is never used outside the file and can be static. This avoids a warning from sparse. Signed-off-by: Thierry Reding drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_crtc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d31ed3f05763644840c654a384eaefa94c097ba2 Author: Jan Leupold Date: Wed Jul 6 13:22:35 2016 +0200 drm: atmel-hlcdc: Fix vertical scaling The code is applying the same scaling for the X and Y components, thus making the scaling feature only functional when both components have the same scaling factor. Do the s/_w/_h/ replacement where appropriate to fix vertical scaling. Signed-off-by: Jan Leupold Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support") Cc: Signed-off-by: Boris Brezillon drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 87260d3f7aecba9a5fadc6886c338b2a8fccfca9 Author: Dirk Behme Date: Thu Apr 21 12:24:55 2016 +0200 thermal: rcar_thermal: Fix priv->zone error handling In case thermal_zone_xxx_register() returns an error, priv->zone isn't NULL any more, but contains the error code. This is passed to thermal_zone_device_unregister(), then. This checks for priv->zone being NULL, but the error code is != NULL. So it works with the error code as a pointer. Crashing immediately. To fix this, reset priv->zone to NULL before entering rcar_gen3_thermal_remove(). Signed-off-by: Dirk Behme Reviewed-by: Geert Uytterhoeven Signed-off-by: Zhang Rui drivers/thermal/rcar_thermal.c | 1 + 1 file changed, 1 insertion(+) commit ae4860b5333586b60ca1798f3f83b8b37520904c Merge: c693593 764f216 2e365a7 2932c28 b70cd2d c3ccf35 d0716dd Author: Mark Brown Date: Tue Sep 6 12:32:09 2016 +0100 Merge remote-tracking branches 'spi/fix/lock', 'spi/fix/maintainers', 'spi/fix/put', 'spi/fix/pxa2xx', 'spi/fix/sh-msiof' and 'spi/fix/timeout' into spi-linus commit 78cefcbe60de8069c7382bcc15570873ba01f489 Merge: c693593 cea8aa3 c488f00 Author: Mark Brown Date: Tue Sep 6 12:31:34 2016 +0100 Merge remote-tracking branches 'regulator/fix/email' and 'regulator/fix/qcom-smd' into regulator-linus commit d2896d4b55b2e32b423072a4124d7da4dc1e6cb1 Author: Marc Zyngier Date: Mon Aug 22 09:01:17 2016 +0100 arm: KVM: Fix idmap overlap detection when the kernel is idmap'ed We're trying hard to detect when the HYP idmap overlaps with the HYP va, as it makes the teardown of a cpu dangerous. But there is one case where an overlap is completely safe, which is when the whole of the kernel is idmap'ed, which is likely to happen on 32bit when RAM is at 0x8000000 and we're using a 2G/2G VA split. In that case, we can proceed safely. Reported-by: Christoffer Dall Signed-off-by: Marc Zyngier Signed-off-by: Christoffer Dall arch/arm/kvm/mmu.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 79d102cbfd2e9d94257fcc7c82807ef1cdf80322 Author: Jiri Olsa Date: Mon Sep 5 17:30:07 2016 +0200 perf/x86/intel/cqm: Check cqm/mbm enabled state in event init Yanqiu Zhang reported kernel panic when using mbm event on system where CQM is detected but without mbm event support, like with perf: # perf stat -e 'intel_cqm/event=3/' -a BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 IP: [] update_sample+0xbc/0xe0 ... [] __intel_mbm_event_init+0x18/0x20 [] flush_smp_call_function_queue+0x7b/0x160 [] generic_smp_call_function_single_interrupt+0x13/0x60 [] smp_call_function_interrupt+0x27/0x40 [] call_function_interrupt+0x8c/0xa0 ... The reason is that we currently allow to init mbm event even if mbm support is not detected. Adding checks for both cqm and mbm events and support into cqm's event_init. Fixes: 33c3cc7acfd9 ("perf/x86/mbm: Add Intel Memory B/W Monitoring enumeration and init") Reported-by: Yanqiu Zhang Signed-off-by: Jiri Olsa Acked-by: Peter Zijlstra Cc: Vikas Shivappa Cc: Tony Luck Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/1473089407-21857-1-git-send-email-jolsa@kernel.org Signed-off-by: Thomas Gleixner arch/x86/events/intel/cqm.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit 3ff488ab6000f1338684b227c499450317519cc1 Author: Colin Ian King Date: Mon Sep 5 16:37:12 2016 +0100 usb: gadget: prevent potenial null pointer dereference on skb->len An earlier fix partially fixed the null pointer dereference on skb->len by moving the assignment of len after the check on skb being non-null, however it failed to remove the erroneous dereference when assigning len. Correctly fix this by removing the initialisation of len as was originally intended. Fixes: 70237dc8efd092 ("usb: gadget: function: f_eem: socket buffer may be NULL") Acked-by: Peter Chen Signed-off-by: Colin Ian King Signed-off-by: Felipe Balbi drivers/usb/gadget/function/f_eem.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b314427a52fd8daa1215d30e56de01e32edec531 Author: Gavin Shan Date: Tue Sep 6 14:16:44 2016 +1000 powerpc/powernv: Fix crash on releasing compound PE The compound PE is created to accommodate the devices attached to one specific PCI bus that consume multiple M64 segments. The compound PE is made up of one master PE and possibly multiple slave PEs. The slave PEs should be destroyed when releasing the master PE. A kernel crash happens when derferencing @pe->pdev on releasing the slave PE in pnv_ioda_deconfigure_pe(). # echo 0 > /sys/bus/pci/slots/C7/power iommu: Removing device 0000:01:00.1 from group 0 iommu: Removing device 0000:01:00.0 from group 0 Unable to handle kernel paging request for data at address 0x00000010 Faulting instruction address: 0xc00000000005d898 cpu 0x1: Vector: 300 (Data Access) at [c000000fe8217620] pc: c00000000005d898: pnv_ioda_release_pe+0x288/0x610 lr: c00000000005dbdc: pnv_ioda_release_pe+0x5cc/0x610 sp: c000000fe82178a0 msr: 9000000000009033 dar: 10 dsisr: 40000000 current = 0xc000000fe815ab80 paca = 0xc00000000ff00400 softe: 0 irq_happened: 0x01 pid = 2709, comm = sh Linux version 4.8.0-rc5-gavin-00006-g745efdb (gwshan@gwshan) \ (gcc version 4.9.3 (Buildroot 2016.02-rc2-00093-g5ea3bce) ) #586 SMP \ Tue Sep 6 13:37:29 AEST 2016 enter ? for help [c000000fe8217940] c00000000005d684 pnv_ioda_release_pe+0x74/0x610 [c000000fe82179e0] c000000000034460 pcibios_release_device+0x50/0x70 [c000000fe8217a10] c0000000004aba80 pci_release_dev+0x50/0xa0 [c000000fe8217a40] c000000000704898 device_release+0x58/0xf0 [c000000fe8217ac0] c000000000470510 kobject_release+0x80/0xf0 [c000000fe8217b00] c000000000704dd4 put_device+0x24/0x40 [c000000fe8217b20] c0000000004af94c pci_remove_bus_device+0x12c/0x150 [c000000fe8217b60] c000000000034244 pci_hp_remove_devices+0x94/0xd0 [c000000fe8217ba0] c0000000004ca444 pnv_php_disable_slot+0x64/0xb0 [c000000fe8217bd0] c0000000004c88c0 power_write_file+0xa0/0x190 [c000000fe8217c50] c0000000004c248c pci_slot_attr_store+0x3c/0x60 [c000000fe8217c70] c0000000002d6494 sysfs_kf_write+0x94/0xc0 [c000000fe8217cb0] c0000000002d50f0 kernfs_fop_write+0x180/0x260 [c000000fe8217d00] c0000000002334a0 __vfs_write+0x40/0x190 [c000000fe8217d90] c000000000234738 vfs_write+0xc8/0x240 [c000000fe8217de0] c000000000236250 SyS_write+0x60/0x110 [c000000fe8217e30] c000000000009524 system_call+0x38/0x108 It fixes the kernel crash by bypassing releasing resources (DMA, IO and memory segments, PELTM) because there are no resources assigned to the slave PE. Fixes: c5f7700bbd2e ("powerpc/powernv: Dynamically release PE") Reported-by: Frederic Barrat Signed-off-by: Gavin Shan Signed-off-by: Michael Ellerman arch/powerpc/platforms/powernv/pci-ioda.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) commit f8e33475b0da98c4bffc91017a3fbbfb443a7bdb Author: Benjamin Herrenschmidt Date: Tue Sep 6 13:43:45 2016 +1000 powerpc/xics/opal: Fix processor numbers in OPAL ICP When using the OPAL ICP backend we incorrectly pass Linux CPU numbers rather than HW CPU numbers to OPAL. Fixes: d74361881f0d ("powerpc/xics: Add ICP OPAL backend") Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Michael Ellerman arch/powerpc/sysdev/xics/icp-opal.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) commit d81d8258218228d3137055afe8acf981c3ebed46 Author: Thiago Jung Bauermann Date: Tue Aug 23 19:57:39 2016 -0300 powerpc/pseries: Fix little endian build with CONFIG_KEXEC=n On ppc64le, builds with CONFIG_KEXEC=n fail with: arch/powerpc/platforms/pseries/setup.c: In function ‘pseries_big_endian_exceptions’: arch/powerpc/platforms/pseries/setup.c:403:13: error: implicit declaration of function ‘kdump_in_progress’ if (rc && !kdump_in_progress()) This is because pseries/setup.c includes , but kdump_in_progress() is defined in . This is a problem because the former only includes the latter if CONFIG_KEXEC_CORE=y. Fix it by including directly, as is done in powernv/setup.c. Fixes: d3cbff1b5a90 ("powerpc: Put exception configuration in a common place") Signed-off-by: Thiago Jung Bauermann Signed-off-by: Michael Ellerman arch/powerpc/platforms/pseries/setup.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 171c0091837c81ed5c949fec6966bb5afff2d1cf Author: Gregor Boirie Date: Fri Sep 2 20:27:46 2016 +0200 iio:core: fix IIO_VAL_FRACTIONAL sign handling 7985e7c100 ("iio: Introduce a new fractional value type") introduced a new IIO_VAL_FRACTIONAL value type meant to represent rational type numbers expressed by a numerator and denominator combination. Formating of IIO_VAL_FRACTIONAL values relies upon do_div() usage. This fails handling negative values properly since parameters are reevaluated as unsigned values. Fix this by using div_s64_rem() instead. Computed integer part will carry properly signed value. Formatted fractional part will always be positive. Fixes: 7985e7c100 ("iio: Introduce a new fractional value type") Signed-off-by: Gregor Boirie Reviewed-by: Lars-Peter Clausen Cc: Signed-off-by: Jonathan Cameron drivers/iio/industrialio-core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) commit 5dba4b14bafe801083d01e1f400816df7e5a8f2e Author: Colin Ian King Date: Mon Sep 5 15:39:06 2016 +0100 iio: ensure ret is initialized to zero before entering do loop A recent fix to iio_buffer_read_first_n_outer removed ret from being set by a return from wait_event_interruptible and also added a continue in a loop which causes the variable ret to not be set when it reaches the end of the loop. Fix this by initializing ret to zero. Also remove extraneous white space at the end of the loop. Fixes: fcf68f3c0bb2a5 ("fix sched WARNING "do not call blocking ops when !TASK_RUNNING") Signed-off-by: Colin Ian King Cc: Signed-off-by: Jonathan Cameron drivers/iio/industrialio-buffer.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bc4dee5aa72723632a1f83fd0d3720066c93b433 Merge: 56291b2 8b18e23 Author: Linus Torvalds Date: Mon Sep 5 11:10:00 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a regression in the cryptd code that breaks certain accelerated AED algorithms as well as an older regression in the caam driver that breaks IPsec" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: caam - fix IV loading for authenc (giv)decryption crypto: cryptd - Use correct tfm object for AEAD tracking commit 56291b271be032057c782e357ca728b27d89ff70 Merge: c693593 d3e2773 Author: Linus Torvalds Date: Mon Sep 5 10:55:55 2016 -0700 Merge branch 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild Pull kbuild fix from Michal Marek: "Fix for 'make deb-pkg'. The bug got introduced in v4.8-rc1" * 'rc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild: builddeb: Skip gcc-plugins when not configured commit 5210d393ef84e5d2a4854671a9af2d97fd1b8dd4 Author: Liping Zhang Date: Fri Sep 2 20:49:12 2016 +0800 netfilter: nf_tables_trace: fix endiness when dump chain policy NFTA_TRACE_POLICY attribute is big endian, but we forget to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_trace.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ed7a6948394305b810d0c6203268648715e5006f Author: Wang Xiaoguang Date: Fri Aug 26 11:33:14 2016 +0800 btrfs: do not decrease bytes_may_use when replaying extents When replaying extents, there is no need to update bytes_may_use in btrfs_alloc_logged_file_extent(), otherwise it'll trigger a WARN_ON about bytes_may_use. Fixes: ("btrfs: update btrfs_space_info's bytes_may_use timely") Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/extent-tree.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit cbf2f8a99a2337894c3592c9ac2170e8c1f8f73f Merge: fa8410b d649340 Author: Thomas Gleixner Date: Mon Sep 5 17:14:17 2016 +0200 Merge tag 'efi-urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into efi/urgent * Make for_each_efi_memory_desc_in_map() safe on Xen and prevent an infinte loop - Jan Beulich * Fix boot error on arm64 Qualcomm platforms by refactoring and improving the ExitBootServices() hack we already for x86 and moving it to the libstub - Jeffrey Hugo * Use correct return data type for of_get_flat_dt_subnode_by_name() so that we correctly handle errors - Andrzej Hajda commit 20218b86ad8adb4bf71db9425bb59680f345eafd Merge: e12c8f3 4d21cef Author: Paolo Bonzini Date: Mon Sep 5 16:15:22 2016 +0200 Merge tag 'kvm-s390-master-4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master A bugfix for the vsie code (setting the wrong field). commit e12c8f36f3f7a60d55938c5aed5999278fa92bcb Author: Wanpeng Li Date: Tue Aug 30 16:14:00 2016 +0800 KVM: lapic: adjust preemption timer correctly when goes TSC backward TSC_OFFSET will be adjusted if discovers TSC backward during vCPU load. The preemption timer, which relies on the guest tsc to reprogram its preemption timer value, is also reprogrammed if vCPU is scheded in to a different pCPU. However, the current implementation reprogram preemption timer before TSC_OFFSET is adjusted to the right value, resulting in the preemption timer firing prematurely. This patch fix it by adjusting TSC_OFFSET before reprogramming preemption timer if TSC backward. Cc: Paolo Bonzini Cc: Radim Krċmář Cc: Yunhong Jiang Signed-off-by: Wanpeng Li Signed-off-by: Paolo Bonzini arch/x86/kvm/x86.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit c86d06ba2818c5126078cb0cf4e0175ec381045b Author: Tejun Heo Date: Mon Sep 5 08:38:13 2016 -0400 PM / QoS: avoid calling cancel_delayed_work_sync() during early boot of_clk_init() ends up calling into pm_qos_update_request() very early during boot where irq is expected to stay disabled. pm_qos_update_request() uses cancel_delayed_work_sync() which correctly assumes that irq is enabled on invocation and unconditionally disables and re-enables it. Gate cancel_delayed_work_sync() invocation with kevented_up() to avoid enabling irq unexpectedly during early boot. Signed-off-by: Tejun Heo Reported-and-tested-by: Qiao Zhou Link: http://lkml.kernel.org/r/d2501c4c-8e7b-bea3-1b01-000b36b5dfe9@asrmicro.com Signed-off-by: Rafael J. Wysocki kernel/power/qos.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 0f5aa88a7bb28b73253fb42b3df8202142769f39 Author: Nicolas Iooss Date: Sun Aug 28 18:47:12 2016 +0200 ceph: do not modify fi->frag in need_reset_readdir() Commit f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset") modified "if (fpos_frag(new_pos) != fi->frag)" to "if (fi->frag |= fpos_frag(new_pos))" in need_reset_readdir(), thus replacing a comparison operator with an assignment one. This looks like a typo which is reported by clang when building the kernel with some warning flags: fs/ceph/dir.c:600:22: error: using the result of an assignment as a condition without parentheses [-Werror,-Wparentheses] } else if (fi->frag |= fpos_frag(new_pos)) { ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~ fs/ceph/dir.c:600:22: note: place parentheses around the assignment to silence this warning } else if (fi->frag |= fpos_frag(new_pos)) { ^ ( ) fs/ceph/dir.c:600:22: note: use '!=' to turn this compound assignment into an inequality comparison } else if (fi->frag |= fpos_frag(new_pos)) { ^~ != Fixes: f3c4ebe65ea1 ("ceph: using hash value to compose dentry offset") Signed-off-by: Nicolas Iooss Signed-off-by: Ilya Dryomov fs/ceph/dir.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit e1ff3dd1ae52cef5b5373c8cc4ad949c2c25a71c Author: Miklos Szeredi Date: Mon Sep 5 13:55:20 2016 +0200 ovl: fix workdir creation Workdir creation fails in latest kernel. Fix by allowing EOPNOTSUPP as a valid return value from vfs_removexattr(XATTR_NAME_POSIX_ACL_*). Upper filesystem may not support ACL and still be perfectly able to support overlayfs. Reported-by: Martin Ziegler Signed-off-by: Miklos Szeredi Fixes: c11b9fdd6a61 ("ovl: remove posix_acl_default from workdir") Cc: fs/overlayfs/super.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 4d21cef3ea00ba3ac508eb61fb8db70e3e31df67 Author: David Hildenbrand Date: Fri Sep 2 12:33:49 2016 +0200 KVM: s390: vsie: fix riccbd We store the address of riccbd at the wrong location, overwriting gvrd. This means that our nested guest will not be able to use runtime instrumentation. Also, a memory leak, if our KVM guest actually sets gvrd. Not noticed until now, as KVM guests never make use of gvrd and runtime instrumentation wasn't completely tested yet. Reported-by: Fan Zhang Reviewed-by: Cornelia Huck Signed-off-by: David Hildenbrand Signed-off-by: Cornelia Huck arch/s390/kvm/vsie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d64934019f6cc39202e2f78063709f61ca5cb364 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:54 2016 -0600 x86/efi: Use efi_exit_boot_services() The eboot code directly calls ExitBootServices. This is inadvisable as the UEFI spec details a complex set of errors, race conditions, and API interactions that the caller of ExitBootServices must get correct. The eboot code attempts allocations after calling ExitBootSerives which is not permitted per the spec. Call the efi_exit_boot_services() helper intead, which handles the allocation scenario properly. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming arch/x86/boot/compressed/eboot.c | 136 +++++++++++++++++++-------------------- 1 file changed, 67 insertions(+), 69 deletions(-) commit ed9cc156c42ff0c0bf9b1d09df48a12bf0873473 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:53 2016 -0600 efi/libstub: Use efi_exit_boot_services() in FDT The FDT code directly calls ExitBootServices. This is inadvisable as the UEFI spec details a complex set of errors, race conditions, and API interactions that the caller of ExitBootServices must get correct. The FDT code does not handle EFI_INVALID_PARAMETER as required by the spec, which causes intermittent boot failures on the Qualcomm Technologies QDF2432. Call the efi_exit_boot_services() helper intead, which handles the EFI_INVALID_PARAMETER scenario properly. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/libstub/fdt.c | 37 +++++++++++++++++++++++++++---------- 1 file changed, 27 insertions(+), 10 deletions(-) commit fc07716ba803483be91bc4b2344f9c84985e6f07 Author: Jeffrey Hugo Date: Mon Aug 29 14:38:52 2016 -0600 efi/libstub: Introduce ExitBootServices helper The spec allows ExitBootServices to fail with EFI_INVALID_PARAMETER if a race condition has occurred where the EFI has updated the memory map after the stub grabbed a reference to the map. The spec defines a retry proceedure with specific requirements to handle this scenario. This scenario was previously observed on x86 - commit d3768d885c6c ("x86, efi: retry ExitBootServices() on failure") but the current fix is not spec compliant and the scenario is now observed on the Qualcomm Technologies QDF2432 via the FDT stub which does not handle the error and thus causes boot failures. The user will notice the boot failure as the kernel is not executed and the system may drop back to a UEFI shell, but will be unresponsive to input and the system will require a power cycle to recover. Add a helper to the stub library that correctly adheres to the spec in the case of EFI_INVALID_PARAMETER from ExitBootServices and can be universally used across all stub implementations. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/libstub/efi-stub-helper.c | 73 ++++++++++++++++++++++++++ include/linux/efi.h | 10 ++++ 2 files changed, 83 insertions(+) commit dadb57abc37499f565b23933dbf49b435c3ba8af Author: Jeffrey Hugo Date: Mon Aug 29 14:38:51 2016 -0600 efi/libstub: Allocate headspace in efi_get_memory_map() efi_get_memory_map() allocates a buffer to store the memory map that it retrieves. This buffer may need to be reused by the client after ExitBootServices() is called, at which point allocations are not longer permitted. To support this usecase, provide the allocated buffer size back to the client, and allocate some additional headroom to account for any reasonable growth in the map that is likely to happen between the call to efi_get_memory_map() and the client reusing the buffer. Signed-off-by: Jeffrey Hugo Cc: Ard Biesheuvel Cc: Mark Rutland Cc: Leif Lindholm Cc: Ingo Molnar Cc: Signed-off-by: Matt Fleming arch/x86/boot/compressed/eboot.c | 20 ++++-- drivers/firmware/efi/libstub/efi-stub-helper.c | 96 ++++++++++++++++++-------- drivers/firmware/efi/libstub/fdt.c | 17 +++-- drivers/firmware/efi/libstub/random.c | 12 +++- include/linux/efi.h | 15 ++-- 5 files changed, 111 insertions(+), 49 deletions(-) commit 519d8bd4b5d3d82c413eac5bb42b106bb4b9ec15 Author: Yoshihiro Shimoda Date: Mon Aug 29 18:00:38 2016 +0900 usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition The previous driver is possible to stop the transfer wrongly. For example: 1) An interrupt happens, but not BRDY interruption. 2) Read INTSTS0. And than state->intsts0 is not set to BRDY. 3) BRDY is set to 1 here. 4) Read BRDYSTS. 5) Clear the BRDYSTS. And then. the BRDY is cleared wrongly. Remarks: - The INTSTS0.BRDY is read only. - If any bits of BRDYSTS are set to 1, the BRDY is set to 1. - If BRDYSTS is 0, the BRDY is set to 0. So, this patch adds condition to avoid such situation. (And about NRDYSTS, this is not used for now. But, avoiding any side effects, this patch doesn't touch it.) Fixes: d5c6a1e024dd ("usb: renesas_usbhs: fixup interrupt status clear method") Cc: # v3.8+ Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi drivers/usb/renesas_usbhs/mod.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) commit 7c113f7df710df2aed63709815e518608dbd338c Author: Fabio Estevam Date: Mon Aug 22 22:45:36 2016 -0300 usb: phy: phy-generic: Check clk_prepare_enable() error clk_prepare_enable() may fail, so we should better check its return value and propagate it in the case of failure. Signed-off-by: Fabio Estevam Signed-off-by: Felipe Balbi drivers/usb/phy/phy-generic.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit b2f1eaaee564c5593c303f4d15d827924cb6d20d Author: Yoshihiro Shimoda Date: Tue Aug 23 21:11:13 2016 +0900 usb: gadget: udc: renesas-usb3: clear VBOUT bit in DRD_CON This driver should clear the bit. Otherwise, the VBUS will output wrongly if the usb port on a board has VBUS output capability. Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") Cc: # v4.5+ Signed-off-by: Yoshihiro Shimoda Signed-off-by: Felipe Balbi drivers/usb/gadget/udc/renesas_usb3.c | 2 ++ 1 file changed, 2 insertions(+) commit 9d7aba7786b6c9eec6d083e43fd639228c400c3a Author: John Youn Date: Fri Aug 26 18:43:01 2016 -0700 Revert "usb: dwc3: gadget: always decrement by 1" This reverts commit 6f8245b4e37c ("usb: dwc3: gadget: always decrement by 1"). We can't always decrement this value. We should decrement only if the calculation of free slots results in a LINK TRB being among one of the free slots (dequeue < enqueue). Otherwise, if the LINK TRB is not among the free slots then it should not be decremented. Signed-off-by: John Youn Signed-off-by: Felipe Balbi drivers/usb/dwc3/gadget.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 4af9ed578a50cd331a725322cfd9d555251ce788 Author: Andrzej Hajda Date: Tue Aug 30 12:41:37 2016 +0200 efi: Fix handling error value in fdt_find_uefi_params of_get_flat_dt_subnode_by_name can return negative value in case of error. Assigning the result to unsigned variable and checking if the variable is lesser than zero is incorrect and always false. The patch fixes it by using signed variable to check the result. The problem has been detected using semantic patch scripts/coccinelle/tests/unsigned_lesser_than_zero.cocci Signed-off-by: Andrzej Hajda Cc: Bartlomiej Zolnierkiewicz Cc: Marek Szyprowski Cc: Ingo Molnar Cc: Thomas Gleixner Cc: "H. Peter Anvin" Cc: Shawn Lin Cc: Mark Rutland Cc: Signed-off-by: Matt Fleming drivers/firmware/efi/efi.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) commit d4c4fed08f31f3746000c46cb1b20bed2959547a Author: Jan Beulich Date: Mon Aug 15 09:05:45 2016 -0600 efi: Make for_each_efi_memory_desc_in_map() cope with running on Xen While commit 55f1ea15216 ("efi: Fix for_each_efi_memory_desc_in_map() for empty memmaps") made an attempt to deal with empty memory maps, it didn't address the case where the map field never gets set, as is apparently the case when running under Xen. Reported-by: Tested-by: Cc: Vitaly Kuznetsov Cc: Jiri Slaby Cc: Mark Rutland Cc: # v4.7+ Signed-off-by: Jan Beulich [ Guard the loop with a NULL check instead of pointer underflow ] Signed-off-by: Matt Fleming include/linux/efi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 135e8c9250dd5c8c9aae5984fde6f230d0cbfeaf Author: Balbir Singh Date: Mon Sep 5 13:16:40 2016 +1000 sched/core: Fix a race between try_to_wake_up() and a woken up task The origin of the issue I've seen is related to a missing memory barrier between check for task->state and the check for task->on_rq. The task being woken up is already awake from a schedule() and is doing the following: do { schedule() set_current_state(TASK_(UN)INTERRUPTIBLE); } while (!cond); The waker, actually gets stuck doing the following in try_to_wake_up(): while (p->on_cpu) cpu_relax(); Analysis: The instance I've seen involves the following race: CPU1 CPU2 while () { if (cond) break; do { schedule(); set_current_state(TASK_UN..) } while (!cond); wakeup_routine() spin_lock_irqsave(wait_lock) raw_spin_lock_irqsave(wait_lock) wake_up_process() } try_to_wake_up() set_current_state(TASK_RUNNING); .. list_del(&waiter.list); CPU2 wakes up CPU1, but before it can get the wait_lock and set current state to TASK_RUNNING the following occurs: CPU3 wakeup_routine() raw_spin_lock_irqsave(wait_lock) if (!list_empty) wake_up_process() try_to_wake_up() raw_spin_lock_irqsave(p->pi_lock) .. if (p->on_rq && ttwu_wakeup()) .. while (p->on_cpu) cpu_relax() .. CPU3 tries to wake up the task on CPU1 again since it finds it on the wait_queue, CPU1 is spinning on wait_lock, but immediately after CPU2, CPU3 got it. CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and the task is spinning on the wait_lock. Interestingly since p->on_rq is checked under pi_lock, I've noticed that try_to_wake_up() finds p->on_rq to be 0. This was the most confusing bit of the analysis, but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq check is not reliable without this fix IMHO. The race is visible (based on the analysis) only when ttwu_queue() does a remote wakeup via ttwu_queue_remote. In which case the p->on_rq change is not done uder the pi_lock. The result is that after a while the entire system locks up on the raw_spin_irqlock_save(wait_lock) and the holder spins infintely Reproduction of the issue: The issue can be reproduced after a long run on my system with 80 threads and having to tweak available memory to very low and running memory stress-ng mmapfork test. It usually takes a long time to reproduce. I am trying to work on a test case that can reproduce the issue faster, but thats work in progress. I am still testing the changes on my still in a loop and the tests seem OK thus far. Big thanks to Benjamin and Nick for helping debug this as well. Ben helped catch the missing barrier, Nick caught every missing bit in my theory. Signed-off-by: Balbir Singh [ Updated comment to clarify matching barriers. Many architectures do not have a full barrier in switch_to() so that cannot be relied upon. ] Signed-off-by: Peter Zijlstra (Intel) Acked-by: Benjamin Herrenschmidt Cc: Alexey Kardashevskiy Cc: Linus Torvalds Cc: Nicholas Piggin Cc: Nicholas Piggin Cc: Oleg Nesterov Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.com Signed-off-by: Ingo Molnar kernel/sched/core.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) commit 58763148758057ffc447bf990321d3ea86d199a0 Author: Peter Zijlstra Date: Tue Aug 30 10:15:03 2016 +0200 perf/core: Remove WARN from perf_event_read() This effectively reverts commit: 71e7bc2bab77 ("perf/core: Check return value of the perf_event_read() IPI") ... and puts in a comment explaining why we ignore the return value. Reported-by: Vegard Nossum Signed-off-by: Peter Zijlstra (Intel) Cc: David Carrillo-Cisneros Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 71e7bc2bab77 ("perf/core: Check return value of the perf_event_read() IPI") Signed-off-by: Ingo Molnar kernel/events/core.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) commit d7127b5e5fa0551be21b86640f1648b224e36d43 Author: Johannes Berg Date: Fri Aug 26 08:16:00 2016 +0200 locking/barriers: Don't use sizeof(void) in lockless_dereference() My previous commit: 112dc0c8069e ("locking/barriers: Suppress sparse warnings in lockless_dereference()") caused sparse to complain that (in radix-tree.h) we use sizeof(void) since that rcu_dereference()s a void *. Really, all we need is to have the expression *p in here somewhere to make sure p is a pointer type, and sizeof(*p) was the thing that came to my mind first to make sure that's done without really doing anything at runtime. Another thing I had considered was using typeof(*p), but obviously we can't just declare a typeof(*p) variable either, since that may end up being void. Declaring a variable as typeof(*p)* gets around that, and still checks that typeof(*p) is valid, so do that. This type construction can't be done for _________p1 because that will actually be used and causes sparse address space warnings, so keep a separate unused variable for it. Reported-by: Fengguang Wu Signed-off-by: Johannes Berg Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Paul E . McKenney Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: kbuild-all@01.org Fixes: 112dc0c8069e ("locking/barriers: Suppress sparse warnings in lockless_dereference()") Link: http://lkml.kernel.org/r/1472192160-4049-1-git-send-email-johannes@sipsolutions.net Signed-off-by: Ingo Molnar include/linux/compiler.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit cc2187a6e037bc64404f63c6d650ff263c2200c0 Author: Borislav Petkov Date: Sun Sep 4 11:37:36 2016 +0200 x86/microcode/AMD: Fix load of builtin microcode with randomized memory We do not need to add the randomization offset when the microcode is built in. Reported-and-tested-by: Emanuel Czirai Signed-off-by: Borislav Petkov Link: http://lkml.kernel.org/r/20160904093736.GA11939@pd.tnic Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/microcode/amd.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) commit f065e9e4addd75c21bb976bb2558648bf4f61de6 Author: Fabio Estevam Date: Wed Aug 31 10:56:48 2016 -0300 ARM: dts: imx6qdl: Fix SPDIF regression Commit 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") changed many more clocks than only the SPDIF core clock as stated in the commit message. The MLB clock has been added and this causes SPDIF regression as reported by Xavi Drudis Ferran and also in this forum post: https://forum.digikey.com/thread/34240 The MX6Q Reference Manual does not mention that MLB is a clock related to SPDIF, so change it back to a dummy clock to restore SPDIF functionality. Thanks to Ambika for providing the fix at: https://community.nxp.com/thread/387131 Fixes: 833f2cbf7091 ("ARM: dts: imx6: change the core clock of spdif") Cc: # 4.4.x Reported-by: Xavi Drudis Ferran Signed-off-by: Fabio Estevam Tested-by: Xavi Drudis Ferran Signed-off-by: Shawn Guo arch/arm/boot/dts/imx6qdl.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c6935931c1894ff857616ff8549b61236a19148f Author: Linus Torvalds Date: Sun Sep 4 14:31:46 2016 -0700 Linux 4.8-rc5 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc Author: Linus Torvalds Date: Thu Sep 1 14:43:53 2016 -0700 af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' Right now we use the 'readlock' both for protecting some of the af_unix IO path and for making the bind be single-threaded. The two are independent, but using the same lock makes for a nasty deadlock due to ordering with regards to filesystem locking. The bind locking would want to nest outside the VSF pathname locking, but the IO locking wants to nest inside some of those same locks. We tried to fix this earlier with commit c845acb324aa ("af_unix: Fix splice-bind deadlock") which moved the readlock inside the vfs locks, but that caused problems with overlayfs that will then call back into filesystem routines that take the lock in the wrong order anyway. Splitting the locks means that we can go back to having the bind lock be the outermost lock, and we don't have any deadlocks with lock ordering. Acked-by: Rainer Weikusat Acked-by: Al Viro Signed-off-by: Linus Torvalds Acked-by: Hannes Frederic Sowa Signed-off-by: David S. Miller include/net/af_unix.h | 2 +- net/unix/af_unix.c | 45 +++++++++++++++++++++++---------------------- 2 files changed, 24 insertions(+), 23 deletions(-) commit 38f7bd94a97b542de86a2be9229289717e33a7a4 Author: Linus Torvalds Date: Thu Sep 1 14:56:49 2016 -0700 Revert "af_unix: Fix splice-bind deadlock" This reverts commit c845acb324aa85a39650a14e7696982ceea75dc1. It turns out that it just replaces one deadlock with another one: we can still get the wrong lock ordering with the readlock due to overlayfs calling back into the filesystem layer and still taking the vfs locks after the readlock. The proper solution ends up being to just split the readlock into two pieces: the bind lock (taken *outside* the vfs locks) and the IO lock (taken *inside* the filesystem locks). The two locks are independent anyway. Signed-off-by: Linus Torvalds Reviewed-by: Shmulik Ladkani Signed-off-by: David S. Miller net/unix/af_unix.c | 66 +++++++++++++++++++++--------------------------------- 1 file changed, 26 insertions(+), 40 deletions(-) commit 2f83a53a81f5695b0f13635d411cd78367e547d6 Merge: 24b27fc 3555621 Author: David S. Miller Date: Sun Sep 4 11:42:57 2016 -0700 Merge branch 'vxlan-fixes' Jiri Benc says: ==================== vxlan: fix error reporting This patchset improves checking for invalid configuration in VXLAN and fixes problems with duplicated and inappropriate error messages. ==================== Signed-off-by: David S. Miller commit 3555621de7fcceb79c4850f3d07d1ae4f652acf6 Author: Jiri Benc Date: Fri Sep 2 13:37:12 2016 +0200 vxlan: fix duplicated and wrong error messages vxlan_dev_configure outputs error messages before returning, no need to print again the same mesages in vxlan_newlink. Also, vxlan_dev_configure may return a particular error code for a different reason than vxlan_newlink thinks. Move the remaining error messages into vxlan_dev_configure and let vxlan_newlink just pass on the error code. Signed-off-by: Jiri Benc Signed-off-by: David S. Miller drivers/net/vxlan.c | 35 +++++++++-------------------------- 1 file changed, 9 insertions(+), 26 deletions(-) commit 9b4cdd516dadc1b68c55ba24520194a06adff10c Author: Jiri Benc Date: Fri Sep 2 13:37:11 2016 +0200 vxlan: reject multicast destination without an interface Currently, kernel accepts configurations such as: ip l a type vxlan dstport 4789 id 1 group 239.192.0.1 ip l a type vxlan dstport 4789 id 1 group ff0e::110 However, neither of those really works. In the IPv4 case, the interface cannot be brought up ("RTNETLINK answers: No such device"). This is because multicast join will be rejected without the interface being specified. In the IPv6 case, multicast wil be joined on the first interface found. This is not what the user wants as it depends on random factors (order of interfaces). Note that it's possible to add a local address but it doesn't solve anything. For IPv4, it's not considered in the multicast join (thus the same error as above is returned on ifup). This could be added but it wouldn't help for IPv6 anyway. For IPv6, we do need the interface. Just reject a configuration that sets multicast address and does not provide an interface. Nobody can depend on the previous behavior as it never worked. Signed-off-by: Jiri Benc Signed-off-by: David S. Miller drivers/net/vxlan.c | 3 +++ 1 file changed, 3 insertions(+) commit 24b27fc4cdf9e10c5e79e5923b6b7c2c5c95096c Author: Mahesh Bandewar Date: Thu Sep 1 22:18:34 2016 -0700 bonding: Fix bonding crash Following few steps will crash kernel - (a) Create bonding master > modprobe bonding miimon=50 (b) Create macvlan bridge on eth2 > ip link add link eth2 dev mvl0 address aa:0:0:0:0:01 \ type macvlan (c) Now try adding eth2 into the bond > echo +eth2 > /sys/class/net/bond0/bonding/slaves Bonding does lots of things before checking if the device enslaved is busy or not. In this case when the notifier call-chain sends notifications, the bond_netdev_event() assumes that the rx_handler /rx_handler_data is registered while the bond_enslave() hasn't progressed far enough to register rx_handler for the new slave. This patch adds a rx_handler check that can be performed right at the beginning of the enslave code to avoid getting into this situation. Signed-off-by: Mahesh Bandewar Acked-by: Eric Dumazet Signed-off-by: David S. Miller drivers/net/bonding/bond_main.c | 7 ++++--- include/linux/netdevice.h | 1 + net/core/dev.c | 16 ++++++++++++++++ 3 files changed, 21 insertions(+), 3 deletions(-) commit 334a8f37115bf35e38617315a360a91ac4f2b2c6 Author: Trond Myklebust Date: Sun Sep 4 12:46:35 2016 -0400 pNFS: Don't forget the layout stateid if there are outstanding LAYOUTGETs If there are outstanding LAYOUTGET rpc calls, then we want to ensure that we keep the layout stateid around so we that don't inadvertently pick up an old/misordered sequence id. The race is as follows: Client Server ====== ====== LAYOUTGET(seqid) LAYOUTGET(seqid) return LAYOUTGET(seqid+1) return LAYOUTGET(seqid+2) process LAYOUTGET(seqid+2) forget layout process LAYOUTGET(seqid+1) If it forgets the layout stateid before processing seqid+1, then the client will not check the layout->plh_barrier, and so will set the stateid with seqid+1. Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 9ca581b50dab6103183396852cc08e440fcda18e Merge: 1c33336 d199299 Author: Linus Torvalds Date: Sun Sep 4 08:45:41 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "A single fix for an AMD erratum so machines without a BIOS fix work" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/AMD: Apply erratum 665 on machines without a BIOS fix commit 1c3333600b0ebca94edffb3bb431c78687dc3d36 Merge: 28e6815 08d07259 Author: Linus Torvalds Date: Sun Sep 4 08:43:45 2016 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "Two fixlet from the timers departement: - A fix for scheduler stalls in the tick idle code affecting NOHZ_FULL kernels - A trivial compile fix" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tick/nohz: Fix softlockup on scheduler stalls in kvm guest clocksource/drivers/atmel-pit: Fix compilation error commit f361e5a01ed35c0f9a00816d76a910d8a5cb4547 Author: Steve Wise Date: Fri Sep 2 09:01:27 2016 -0700 nvme-rdma: destroy nvme queue rdma resources on connect failure After address resolution, the nvme_rdma_queue rdma resources are allocated. If rdma route resolution or the connect fails, or the controller reconnect times out and gives up, then the rdma resources need to be freed. Otherwise, rdma resources are leaked. Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) commit cdbecc8d24b642b67ae79a0acc2ff18d3d0e677e Author: Steve Wise Date: Thu Sep 1 09:12:25 2016 -0700 nvme_rdma: keep a ref on the ctrl during delete/flush Reviewed-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/nvme/host/rdma.c | 26 ++++++++++++++++++-------- 1 file changed, 18 insertions(+), 8 deletions(-) commit 37eb816c0867b1b0db273d22b530780a0a083980 Author: Steve Wise Date: Thu Sep 1 06:44:52 2016 -0700 iw_cxgb4: block module unload until all ep resources are released Otherwise an endpoint can be still closing down causing a touch after free crash. Also WARN_ON if ulps have failed to destroy various resources during device removal. Fixes: ad61a4c7a9b7 ("iw_cxgb4: don't block in destroy_qp awaiting the last deref") Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/infiniband/hw/cxgb4/cm.c | 2 ++ drivers/infiniband/hw/cxgb4/device.c | 5 +++++ drivers/infiniband/hw/cxgb4/iw_cxgb4.h | 1 + 3 files changed, 8 insertions(+) commit 609e941a6bcd7ceb1cbb561941c997f6465e8698 Author: Steve Wise Date: Thu Sep 1 06:43:46 2016 -0700 iw_cxgb4: call dev_put() on l2t allocation failure Reviewed-by: Sagi Grimberg Reviewed-by: Christoph Hellwig Signed-off-by: Steve Wise Signed-off-by: Sagi Grimberg drivers/infiniband/hw/cxgb4/cm.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 28e68154c5e2793123b248d38cf17b34dcb16d87 Merge: 4b30b6d edd1ea2 Author: Linus Torvalds Date: Sat Sep 3 17:29:58 2016 -0700 Merge tag 'dm-4.8-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - a stable fix in both DM crypt and DM log-writes for too large bios (as generated by bcache) - two other stable fixes for DM log-writes - a stable fix for a DM crypt bug that could result in freeing pointers from uninitialized memory in the tfm allocation error path - a DM bufio cleanup to discontinue using create_singlethread_workqueue() * tag 'dm-4.8-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm bufio: remove use of deprecated create_singlethread_workqueue() dm crypt: fix free of bad values after tfm allocation failure dm crypt: fix error with too large bios dm log writes: fix check of kthread_run() return value dm log writes: fix bug with too large bios dm log writes: move IO accounting earlier to fix error path commit 4b30b6d126ca8b23b319f5329570f6855736a095 Merge: 2bece1a cb88708 Author: Linus Torvalds Date: Sat Sep 3 12:40:45 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "I'm still prepping a set of fixes for btrfs fsync, just nailing down a hard to trigger memory corruption. For now, these are tested and ready." * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket() Btrfs: fix endless loop in balancing block groups Btrfs: kill invalid ASSERT() in process_all_refs() commit 2bece1a0106497d065fb7db77abc525d32d3bf04 Merge: 593ee4e 744c6c3 Author: Linus Torvalds Date: Sat Sep 3 12:31:37 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: "arm64 and arm/perf fixes: - arm64 fix: debug exception unmasking on the CPU resume path - ARM PMU fixes: memory leak on error path and NULL pointer dereference" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1 drivers/perf: arm_pmu: Fix NULL pointer dereference during probe drivers/perf: arm_pmu: Fix leak in error path commit 593ee4edc51d99fadda9f6eea8c0201c59452de7 Merge: 4148820 ccdf3b8 Author: Linus Torvalds Date: Sat Sep 3 11:38:43 2016 -0700 Merge tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a number of small driver fixes for 4.8-rc5. The largest thing here is deleting an obsolete driver, drivers/misc/bh1780gli.c, as the functionality of it was replaced by an iio driver a while ago. The other fixes are things that have been reported, or reverts of broken stuff (the binder change). All of these changes have been in linux-next for a while with no reported issues" * tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: thunderbolt: Don't declare Falcon Ridge unsupported thunderbolt: Add support for INTEL_FALCON_RIDGE_2C controller. thunderbolt: Fix resume quirk for Falcon Ridge 4C. lkdtm: Mark lkdtm_rodata_do_nothing() notrace mei: me: disable driver on SPT SPS firmware Revert "android: binder: fix dangling pointer comparison" drivers/iio/light/Kconfig: SENSORS_BH1780 cleanup android: binder: fix dangling pointer comparison misc: delete bh1780 driver commit 41488202f1afac2e7425cc4d4a3b4208c3e2cc8c Merge: 018c81b8 17d0774 Author: Linus Torvalds Date: Sat Sep 3 11:36:55 2016 -0700 Merge tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "Here are three small fixes for 4.8-rc5. One for sysfs, one for kernfs, and one documentation fix, all for reported issues. All of these have been in linux-next for a while" * tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: sysfs: correctly handle read offset on PREALLOC attrs documentation: drivers/core/of: fix name of of_node symlink kernfs: don't depend on d_find_any_alias() when generating notifications commit 018c81b827563c4d64ad79f9b90ea985a65bff4d Merge: 39da979 eafe5cf Author: Linus Torvalds Date: Sat Sep 3 11:33:33 2016 -0700 Merge tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/IIO driver fixes from Greg KH: "Here are a number of small fixes for staging and IIO drivers that resolve reported problems. Full details are in the shortlog. All of these have been in linux-next with no reported issues" * tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (35 commits) arm: dts: rockchip: add reset node for the exist saradc SoCs arm64: dts: rockchip: add reset saradc node for rk3368 SoCs iio: adc: rockchip_saradc: reset saradc controller before programming it iio: accel: kxsd9: Fix raw read return iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access include/linux: fix excess fence.h kernel-doc notation staging: wilc1000: correctly check if associatedsta has not been found staging: wilc1000: NULL dereference on error staging: wilc1000: txq_event: Fix coding error MAINTAINERS: Add file patterns for ion device tree bindings MAINTAINERS: Update maintainer entry for wilc1000 iio: chemical: atlas-ph-sensor: fix typo in val assignment iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING" staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility staging: comedi: dt2811: fix a precedence bug staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN. staging: comedi: ni_mio_common: fix wrong insn_write handler staging: comedi: comedi_test: fix timer race conditions staging: comedi: daqboard2000: bug fix board type matching code ... commit 39da979c98cf7516bc7b2c648ee4aed528eb1f36 Merge: 70dad49 c8d1924 Author: Linus Torvalds Date: Sat Sep 3 11:29:31 2016 -0700 Merge tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull serial driver fixes from Greg KH: "Here are some small serial driver fixes for 4.8-rc5. One fixes an oft-reported build issue with the fintek driver, another reverts a patch that was causing problems, one fixes a crash, and some new device ids were added. All of these have been in linux-next for a while" * tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: serial: 8250: added acces i/o products quad and octal serial cards serial: 8250_mid: fix divide error bug if baud rate is 0 Revert "tty/serial/8250: use mctrl_gpio helpers" 8250/fintek: rename IRQ_MODE macro commit 70dad4998ee482f08c85c5956765ea6c31da8734 Merge: 3e42394 2c55754 Author: Linus Torvalds Date: Sat Sep 3 11:24:23 2016 -0700 Merge tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB/PHY fixes from Greg KH: "Here are some USB and PHY driver fixes for 4.8-rc5 Nothing major, lots of little fixes for reported bugs, and a build fix for a missing .h file that the phy drivers needed. All of these have been in linux-next for a while with no reported issues" * tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (24 commits) usb: musb: Fix locking errors for host only mode usb: dwc3: gadget: always decrement by 1 usb: dwc3: debug: fix ep name on trace output usb: gadget: udc: core: don't starve DMA resources USB: serial: option: add WeTelecom 0x6802 and 0x6803 products USB: avoid left shift by -1 USB: fix typo in wMaxPacketSize validation usb: gadget: Add the gserial port checking in gs_start_tx() usb: dwc3: gadget: don't rely on jiffies while holding spinlock usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame() usb: gadget: function: f_rndis: socket buffer may be NULL usb: gadget: function: f_eem: socket buffer may be NULL usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe() usb: dwc2: Add reset control to dwc2 usb: dwc3: core: allow device to runtime_suspend several times usb: dwc3: pci: runtime_resume child device USB: serial: option: add WeTelecom WM-D200 usb: chipidea: udc: don't touch DP when controller is in host mode USB: serial: mos7840: fix non-atomic allocation in write path USB: serial: mos7720: fix non-atomic allocation in write path ... commit 3e423945ea94412283eaba8bfbe9d6e0a80b434f Author: Linus Torvalds Date: Sat Sep 3 11:02:50 2016 -0700 devpts: return NULL pts 'priv' entry for non-devpts nodes In commit 8ead9dd54716 ("devpts: more pty driver interface cleanups") I made devpts_get_priv() just return the dentry->fs_data directly. And because I thought it wouldn't happen, I added a warning if you ever saw a pts node that wasn't on devpts. And no, that warning never triggered under any actual real use, but you can trigger it by creating nonsensical pts nodes by hand. So just revert the warning, and make devpts_get_priv() return NULL for that case like it used to. Reported-by: Dmitry Vyukov Cc: stable@vger.kernel.org # 4.6+ Cc: Eric W Biederman" Signed-off-by: Linus Torvalds fs/devpts/inode.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 4c3cb6e9a9d94d1553807854a565cd27ff4c22aa Author: Dan Williams Date: Sat Sep 3 10:36:00 2016 -0700 dax: fix mapping size check pgoff_to_phys() validates that both the starting address and the length of the mapping against the resource list. We need to check for a mapping size of PMD_SIZE not PAGE_SIZE in the pmd fault path. Signed-off-by: Dan Williams drivers/dax/dax.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 307fe9dd11ae44d4f8881ee449a7cbac36e1f5de Author: Linus Walleij Date: Thu Sep 1 11:44:35 2016 +0200 iio: accel: kxsd9: Fix scaling bug All the scaling of the KXSD9 involves multiplication with a fraction number < 1. However the scaling value returned from IIO_INFO_SCALE was unpredictable as only the micros of the value was assigned, and not the integer part, resulting in scaling like this: $cat in_accel_scale -1057462640.011978 Fix this by assigning zero to the integer part. Cc: stable@vger.kernel.org Tested-by: Jonathan Cameron Signed-off-by: Linus Walleij Signed-off-by: Jonathan Cameron drivers/iio/accel/kxsd9.c | 1 + 1 file changed, 1 insertion(+) commit 1c500840934a138bd6b13556c210516e9301fbee Author: Olof Johansson Date: Thu Aug 25 09:45:33 2016 -0700 iio: accel: bmc150: reset chip at init time In at least one known setup, the chip comes up in a state where reading the chip ID returns garbage unless it's been reset, due to noise on the wires during system boot. All supported chips have the same reset method, and based on the datasheets they all need 1.3 or 1.8ms to recover after reset. So, do the conservative thing here and always reset the chip. Signed-off-by: Olof Johansson Reviewed-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron drivers/iio/accel/bmc150-accel-core.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit 52ec7be2e27392201adf77892ba883f68df88c99 Author: Trond Myklebust Date: Sat Sep 3 11:05:28 2016 -0400 pNFS: Clear out all layout segments if the server unsets lrp->res.lrs_present If the server fails to set lrp->res.lrs_present in the LAYOUTRETURN reply, then that means it believes the client holds no more layout state for that file, and that the layout stateid is now invalid. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) commit 2a59a0411671ef9daf17ba21da57809c696f4119 Author: Trond Myklebust Date: Sat Sep 3 11:20:04 2016 -0400 pNFS: Fix pnfs_set_layout_stateid() to clear NFS_LAYOUT_INVALID_STID If the layout was marked as invalid, we want to ensure to initialise the layout header fields correctly. Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) commit bf0291dd2267a2b9a4cd74d65249553d11bb45d6 Author: Trond Myklebust Date: Sat Sep 3 10:39:51 2016 -0400 pNFS: Ensure LAYOUTGET and LAYOUTRETURN are properly serialised According to RFC5661, the client is responsible for serialising LAYOUTGET and LAYOUTRETURN to avoid ambiguity. Consider the case where we send both in parallel. Client Server ====== ====== LAYOUTGET(seqid=X) LAYOUTRETURN(seqid=X) LAYOUTGET return seqid=X+1 LAYOUTRETURN return seqid=X+2 Process LAYOUTRETURN Forget layout stateid Process LAYOUTGET Set seqid=X+1 The client processes the layoutget/layoutreturn in the wrong order, and since the result of the layoutreturn was to clear the only existing layout segment, the client forgets the layout stateid. When the LAYOUTGET comes in, it is treated as having a completely new stateid, and so the client sets the wrong sequence id... Fix is to check if there are outstanding LAYOUTGET requests before we send the LAYOUTRETURN (note that LAYOUGET will already wait if it sees an outstanding LAYOUTRETURN). Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Trond Myklebust fs/nfs/pnfs.c | 3 +++ 1 file changed, 3 insertions(+) commit c49edecd513693ea7530ab18efbd7d6d5b7cbf90 Author: Trond Myklebust Date: Sat Sep 3 12:05:31 2016 -0400 NFS: Fix error reporting in nfs_file_write() When doing O_DSYNC writes, the actual write errors are reported through generic_write_sync(), so we must test the result. Reported-by: J. R. Okajima Fixes: 18290650b1c8 ("NFS: Move buffered I/O locking into nfs_file_write()") Signed-off-by: Trond Myklebust fs/nfs/file.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 36afb176d3c9580651d7f410ed7f000ec48b5137 Author: Kweh, Hock Leong Date: Mon Aug 29 18:50:56 2016 +0800 iio: fix pressure data output unit in hid-sensor-attributes According to IIO ABI definition, IIO_PRESSURE data output unit is kilopascal: http://lxr.free-electrons.com/source/Documentation/ABI/testing/sysfs-bus-iio This patch fix output unit of HID pressure sensor IIO driver from pascal to kilopascal to follow IIO ABI definition. Signed-off-by: Kweh, Hock Leong Reviewed-by: Srinivas Pandruvada Cc: Signed-off-by: Jonathan Cameron drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a41bd25ae67d3e4052c7f00ee9f2b4ba9219309e Author: Paolo Abeni Date: Thu Aug 25 18:42:35 2016 +0200 sunrpc: fix UDP memory accounting The commit f9b2ee714c5c ("SUNRPC: Move UDP receive data path into a workqueue context"), as a side effect, moved the skb_free_datagram() call outside the scope of the related socket lock, but UDP sockets require such lock to be held for proper memory accounting. Fix it by replacing skb_free_datagram() with skb_free_datagram_locked(). Fixes: f9b2ee714c5c ("SUNRPC: Move UDP receive data path into a workqueue context") Reported-and-tested-by: Jan Stancek Signed-off-by: Paolo Abeni Cc: stable@vger.kernel.org # 4.4+ Signed-off-by: Trond Myklebust net/sunrpc/xprtsock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 787ad90332b3573d502a6c1aff52f708ca141976 Merge: f735aa2 1bc8da4 Author: Mark Brown Date: Sat Sep 3 12:10:09 2016 +0100 Merge remote-tracking branch 'regmap/fix/rbtree' into regmap-linus commit f735aa279021149ef600febe07333ad218783d79 Merge: 3eab887 815806e Author: Mark Brown Date: Sat Sep 3 12:10:08 2016 +0100 Merge remote-tracking branch 'regmap/fix/cache' into regmap-linus commit d0716dde375eb6bff332763bb2137302120d263d Author: Sien Wu Date: Thu Sep 1 18:24:29 2016 -0500 spi: Prevent unexpected SPI time out due to arithmetic overflow When reading SPI flash as MTD device, the transfer length is directly passed to the spi driver. If the requested data size exceeds 512KB, it will cause the time out calculation to overflow since transfer length is 32-bit unsigned integer. This issue is resolved by using 64-bit unsigned integer to perform the arithmetic. Signed-off-by: Sien Wu Acked-by: Brad Keryan Acked-by: Gratian Crisan Acked-by: Brad Mouring Natinst-ReviewBoard-ID 150232 Signed-off-by: Mark Brown drivers/spi/spi.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit 0141af184adc7f6ea9bd2f9631a15704d0806f8b Merge: 0ddc9e5 d8d8d9d Author: Linus Torvalds Date: Fri Sep 2 21:05:38 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "A collection of fixes for the nvme over fabrics code" * 'for-linus' of git://git.kernel.dk/linux-block: nvme-rdma: Get rid of redundant defines nvme-rdma: Get rid of duplicate variable nvme: fabrics drivers don't need the nvme-pci driver nvme-fabrics: get a reference when reusing a nvme_host structure nvme-fabrics: change NQN UUID to big-endian format nvme-loop: set sqsize to 0-based value, per spec nvme-rdma: fix sqsize/hsqsize per spec fabrics: define admin sqsize min default, per spec nvmet-rdma: +1 to *queue_size from hsqsize/hrqsize nvmet-rdma: Fix use after free nvme-rdma: initialize ret to zero to avoid returning garbage commit 312565a0c38ab12275b6ca5ec75d21f3f3ace844 Merge: 2f86953 f252974 Author: David S. Miller Date: Fri Sep 2 17:28:34 2016 -0700 Merge branch 'smsc911x-fixes' Jeremy Linton says: ==================== net: smsc911x: Move phy and interrupt config v2-v3: Move error handing into separate patch, replace a couple cases of fixed errors with the errors being returned from the failing functions. Hoist irq handler. The smsc911x driver is doing a number of things in its probe routine that should be delayed until the interface is started. Because of this, the module cannot be unloaded, the phy states are incorrect/stale if the interface isn't running, open's unnecessarily fail causing network configuration problems, and the /proc/irq nodes are incorrectly named. Clean up a number of these problems by moving the mdio and interrupt configuration into the smsc911x_open routine. ==================== Signed-off-by: David S. Miller commit f252974eaa64f64b940894f24bfa162a8e7f6b0d Author: Jeremy Linton Date: Thu Sep 1 15:15:09 2016 -0500 net: smsc911x: Move interrupt allocation to open/stop The /proc/irq/xx information is incorrect for smsc911x because the request_irq is happening before the register_netdev has the proper device name. Moving it to the open also fixes the case of when the device is renamed. Reported-by: Will Deacon Signed-off-by: Jeremy Linton Tested-by: Will Deacon Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 47 ++++++++++++++---------------------- 1 file changed, 18 insertions(+), 29 deletions(-) commit a85f00c36ef53ea3cb5ebf3dee4ce9cc6726671f Author: Jeremy Linton Date: Thu Sep 1 15:15:08 2016 -0500 net: smsc911x: Move interrupt handler before open In preparation for the allocating/enabling interrupts in the ndo_open routine move the irq handler before it. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 122 +++++++++++++++++------------------ 1 file changed, 61 insertions(+), 61 deletions(-) commit aea95dd52db436f406f3f45a455a710774a3a210 Author: Jeremy Linton Date: Thu Sep 1 15:15:07 2016 -0500 net: smsc911x: Fix register_netdev, phy startup, driver unload ordering Move phy startup/shutdown into the smsc911x_open/stop routines. This allows the module to be unloaded because phy_connect_direct is no longer always holding the module use count. This one change also resolves a number of other problems. The link status of a downed interface no longer reflects a stale state. Errors caused by the net device being opened before the mdio/phy was configured. There is also a potential power savings as the phy's don't remain powered when the interface isn't running. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 48 ++++++++++++++++++------------------ 1 file changed, 24 insertions(+), 24 deletions(-) commit 1358bd5a7477b346dfb6b502051d61f29b11a200 Author: Jeremy Linton Date: Thu Sep 1 15:15:06 2016 -0500 net: smsc911x: Remove multiple exit points from smsc911x_open Rework the error handling in smsc911x open in preparation for the mdio startup being moved here. Signed-off-by: Jeremy Linton Signed-off-by: David S. Miller drivers/net/ethernet/smsc/smsc911x.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) commit 0ddc9e5a112489e1703143ad75b44fc57f9ac25a Merge: 601b586 4a29b34 Author: Linus Torvalds Date: Fri Sep 2 15:33:54 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull TPM bugfix from James Morris. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: tpm: invalid self test error message commit 4a29b3484f857ff350f203a2d9bf3b428c9e0bf2 Author: Jarkko Sakkinen Date: Fri Sep 2 02:36:58 2016 +0300 tpm: invalid self test error message The driver emits invalid self test error message even though the init succeeds. Signed-off-by: Jarkko Sakkinen Fixes: cae8b441fc20 ("tpm: Factor out common startup code") Reviewed-by: James Morris Signed-off-by: James Morris drivers/char/tpm/tpm2-cmd.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit 601b58699440b421756e5a2b8f3f2211879dd94d Merge: 9a0bcc8 5331d9c Author: Linus Torvalds Date: Fri Sep 2 15:16:04 2016 -0700 Merge tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes ffrom Rafael Wysocki: "Two stable-candidate fixes for the ACPI early device probing code added during the 4.4 cycle, one fixing a typo in a stub macro used when CONFIG_ACPI is unset and one that prevents sleeping functions from being called under a spinlock (Lorenzo Pieralisi)" * tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI / drivers: replace acpi_probe_lock spinlock with mutex ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro commit 9a0bcc8fe701bb6e05e622c19b5815e949c9b7c5 Merge: 15301a5 b654c62 Author: Linus Torvalds Date: Fri Sep 2 15:07:41 2016 -0700 Merge tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "This includes a stable-candidate cpufreq-dt driver problem fix and annotations of tracepoints in the runtime PM framework. Specifics: - Fix the definition of the cpufreq-dt driver's machines table introduced during the 4.7 cycle that should be NULL-terminated, but the termination entry is missing from it (Wei Yongjun). - Annotate tracepoints in the runtime PM framework's core so as to allow the functions containing them to be called from the idle code path without causing RCU to complain about illegal usage (Paul McKenney)" * tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle cpufreq: dt: Add terminate entry for of_device_id tables commit b654c62e7734cdcd507a5751cd940077be2ad373 Merge: bd37e02 d7737ce Author: Rafael J. Wysocki Date: Fri Sep 2 22:38:30 2016 +0200 Merge branches 'pm-cpufreq-fixes' and 'pm-core-fixes' * pm-cpufreq-fixes: cpufreq: dt: Add terminate entry for of_device_id tables * pm-core-fixes: PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle commit 5331d9cab32ef640b4cd38a43b0858874fbb7168 Author: Lorenzo Pieralisi Date: Tue Aug 16 16:59:53 2016 +0100 ACPI / drivers: replace acpi_probe_lock spinlock with mutex Commit e647b532275b ("ACPI: Add early device probing infrastructure") introduced code that allows inserting driver specific struct acpi_probe_entry probe entries into ACPI linker sections (one per-subsystem, eg irqchip, clocksource) that are then walked to retrieve the data and function hooks required to probe the respective kernel components. Probing for all entries in a section is triggered through the __acpi_probe_device_table() function, that in turn, according to the table ID a given probe entry reports parses the table with the function retrieved from the respective section structures (ie struct acpi_probe_entry). Owing to the current ACPI table parsing implementation, the __acpi_probe_device_table() function has to share global variables with the acpi_match_madt() function, so in order to guarantee mutual exclusion locking is required between the two functions. Current kernel code implements the locking through the acpi_probe_lock spinlock; this has the side effect of requiring all code called within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks) not to sleep. However, kernel subsystems that make use of the early probing infrastructure are relying on kernel APIs that may sleep (eg irq_domain_alloc_fwnode(), among others) in the function calls pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries (eg gic_v2_acpi_init()), which is a bug. Since __acpi_probe_device_table() is called from context that is allowed to sleep the acpi_probe_lock spinlock can be replaced with a mutex; this fixes the issue whilst still guaranteeing mutual exclusion. Signed-off-by: Lorenzo Pieralisi Fixes: e647b532275b (ACPI: Add early device probing infrastructure) Cc: 4.4+ # 4.4+ Signed-off-by: Rafael J. Wysocki drivers/acpi/scan.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 3feab13c919f99b0a17d0ca22ae00cf90f5d3fd1 Author: Lorenzo Pieralisi Date: Tue Aug 16 16:59:52 2016 +0100 ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro When the ACPI_DECLARE_PROBE_ENTRY macro was added in commit e647b532275b ("ACPI: Add early device probing infrastructure"), a stub macro adding an unused entry was added for the !CONFIG_ACPI Kconfig option case to make sure kernel code making use of the macro did not require to be guarded within CONFIG_ACPI in order to be compiled. The stub macro was never used since all kernel code that defines ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within CONFIG_ACPI; it contains a typo that should be nonetheless fixed. Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY() macro so that it can actually be used if needed. Signed-off-by: Lorenzo Pieralisi Fixes: e647b532275b (ACPI: Add early device probing infrastructure) Cc: 4.4+ # 4.4+ Signed-off-by: Rafael J. Wysocki include/linux/acpi.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2f86953e7436c9b9a4690909c5e2db24799e173b Author: Sabrina Dubroca Date: Fri Sep 2 10:22:54 2016 +0200 l2tp: fix use-after-free during module unload Tunnel deletion is delayed by both a workqueue (l2tp_tunnel_delete -> wq -> l2tp_tunnel_del_work) and RCU (sk_destruct -> RCU -> l2tp_tunnel_destruct). By the time l2tp_tunnel_destruct() runs to destroy the tunnel and finish destroying the socket, the private data reserved via the net_generic mechanism has already been freed, but l2tp_tunnel_destruct() actually uses this data. Make sure tunnel deletion for the netns has completed before returning from l2tp_exit_net() by first flushing the tunnel removal workqueue, and then waiting for RCU callbacks to complete. Fixes: 167eb17e0b17 ("l2tp: create tunnel sockets in the right namespace") Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller net/l2tp/l2tp_core.c | 3 +++ 1 file changed, 3 insertions(+) commit d1992996753132e2dafe955cccb2fb0714d3cfc4 Author: Emanuel Czirai Date: Fri Sep 2 07:35:50 2016 +0200 x86/AMD: Apply erratum 665 on machines without a BIOS fix AMD F12h machines have an erratum which can cause DIV/IDIV to behave unpredictably. The workaround is to set MSRC001_1029[31] but sometimes there is no BIOS update containing that workaround so let's do it ourselves unconditionally. It is simple enough. [ Borislav: Wrote commit message. ] Signed-off-by: Emanuel Czirai Signed-off-by: Borislav Petkov Cc: Yaowu Xu Cc: stable@vger.kernel.org Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.de Signed-off-by: Thomas Gleixner arch/x86/kernel/cpu/amd.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit 16170d9c102764f76c58aad244e947f4e3f44590 Author: Mike Marciniszyn Date: Wed Aug 31 07:24:46 2016 -0700 IB/hfi1: Rework debugfs to use SRCU The debugfs RCU trips many debug kernel warnings because of potential sleeps with an RCU read lock held. This includes both user copy calls and slab allocations throughout the file. This patch switches the RCU to use SRCU for file remove/access race protection. In one case, the SRCU is implicit in the use of the raw debugfs file object and just works. In the seq_file case, a wrapper around seq_read() and seq_lseek() is used to enforce the SRCU using the debugfs supplied functions debugfs_use_file_start() and debugfs_use_file_stop(). The sychronize_rcu() is deleted since the SRCU prevents the remove access race. The RCU locking is kept for qp_stats since the QP hash list is protected using the non-sleepable RCU. Reviewed-by: Sebastian Sanchez Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/debugfs.c | 132 ++++++++++++++--------------------- 1 file changed, 52 insertions(+), 80 deletions(-) commit 429b6a721727d49d8565b50a6bc0dc42432383a9 Author: Harish Chegondi Date: Wed Aug 31 07:24:40 2016 -0700 IB/hfi1: Make n_krcvqs be an unsigned long integer The global variable n_krcvqs stores the sum of the number of kernel receive queues of VLs 0-7 which the user can pass to the driver through the module parameter array krcvqs which is of type unsigned integer. If the user passes large value(s) into krcvqs parameter array, it can cause an arithmetic overflow while calculating n_krcvqs which is also of type unsigned int. The overflow results in an incorrect value of n_krcvqs which can lead to kernel crash while loading the driver. Fix by changing the data type of n_krcvqs to unsigned long. This patch also changes the data type of other variables that get their values from n_krcvqs. Reviewed-by: Dennis Dalessandro Signed-off-by: Harish Chegondi Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/chip.c | 6 +++--- drivers/infiniband/hw/hfi1/hfi.h | 2 +- drivers/infiniband/hw/hfi1/init.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) commit 673b975f1fbad5382f76afdb987e7513c5f4b71b Author: Dean Luick Date: Wed Aug 31 07:24:33 2016 -0700 IB/hfi1: Add QSFP sanity pre-check Sometimes a QSFP device does not respond in the expected time after a power-on. Add a read pre-check/retry when starting the link on driver load. Reviewed-by: Easwar Hariharan Signed-off-by: Dean Luick Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/chip.c | 86 +++++++++++++++++++++++++++++++++++---- drivers/infiniband/hw/hfi1/chip.h | 1 + drivers/infiniband/hw/hfi1/hfi.h | 2 + drivers/infiniband/hw/hfi1/init.c | 1 + 4 files changed, 82 insertions(+), 8 deletions(-) commit af53493916693343955930556aaa83f875b8436a Author: Jubin John Date: Wed Aug 31 07:24:27 2016 -0700 IB/hfi1: Fix AHG KDETH Intr shift In the set_txreq_header_ahg(), The KDETH Intr bit is obtained from the header in the user sdma request using a KDETH_GET shift and mask macro. This value is then futher right shifted by 16 causing us to lose the value i.e it is shifted to zero, leading to the following smatch warning: drivers/infiniband/hw/hfi1/user_sdma.c:1482 set_txreq_header_ahg() warn: mask and shift to zero The Intr bit should be left shifted into its correct position in the KDETH header before the AHG update. Reported-by: Dan Carpenter Reviewed-by: Mitko Haralanov Reviewed-by: Harish Chegondi Signed-off-by: Jubin John Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/user_sdma.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit 3e6c3b0fd5d071ed17bf91586aae35a6cfb8cdb3 Author: Sebastian Sanchez Date: Wed Aug 31 07:24:20 2016 -0700 IB/hfi1: Fix SGE length for misaligned PIO copy When trying to align the source pointer and there's a byte carry in an SGE copy, bytes are borrowed from the next quad-word X to complete the required quad-word copy. Then, the SGE length is reduced by the number of borrowed bytes. After this, if the remaining number of bytes from quad-word X (extra bytes) is greater than the new SGE length, the number of extra bytes needs to be updated to the new SGE length. Otherwise, when the SGE length gets updated again after the extra bytes are read to create the new byte carry, it goes negative, which then becomes a very large number as the SGE length is an unsigned integer. This causes SGE buffer to be over-read. Reviewed-by: Dean Luick Signed-off-by: Sebastian Sanchez Signed-off-by: Dennis Dalessandro Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/pio_copy.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) commit dbdf7d4e7f911f79ceb08365a756bbf6eecac81c Author: Leon Romanovsky Date: Sun Aug 28 10:58:38 2016 +0300 IB/mlx5: Don't return errors from poll_cq Remove returning errors from mlx5 poll_cq function. Polling CQ operation in kernel never fails by Mellanox HCA architecture and respective driver design. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/cq.c | 22 ++-------------------- 1 file changed, 2 insertions(+), 20 deletions(-) commit d9f88e5ab9a73058ebdde589219c0d37da250f06 Author: Yishai Hadas Date: Sun Aug 28 10:58:37 2016 +0300 IB/mlx5: Use TIR number based on selector Use TIR number based on selector, it should be done to differentiate between RSS QP to RAW one. Reported-by: Sagi Grimberg Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Tested-by: Sagi Grimberg Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/main.c | 6 +++++- drivers/infiniband/hw/mlx5/mlx5_ib.h | 1 + drivers/infiniband/hw/mlx5/qp.c | 1 + 3 files changed, 7 insertions(+), 1 deletion(-) commit b2a232d21f301d600b02c6f9ccbc9f977331bb39 Author: Leon Romanovsky Date: Sun Aug 28 10:58:35 2016 +0300 IB/mlx5: Simplify code by removing return variable Return variable was set in a line before the actual return was called in begin_wqe function. This patch removes such variable and simplifies the code. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/qp.c | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) commit 24be409beede1a7cbe95b1740c4cdade3b6a8187 Author: Chuck Lever Date: Sun Aug 28 10:58:34 2016 +0300 IB/mlx5: Return EINVAL when caller specifies too many SGEs The returned value should be EINVAL, because it is caused by wrong caller and not by internal overflow event. Signed-off-by: Chuck Lever Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 20697434b6ea9c6d895ebc5217a46f18850a109f Author: Leon Romanovsky Date: Sun Aug 28 10:58:33 2016 +0300 IB/mlx4: Don't return errors from poll_cq Remove returning errors from mlx4 poll_cq function. Polling CQ operation in kernel never fails by Mellanox HCA architecture and respective driver design. Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 26 ++------------------------ 1 file changed, 2 insertions(+), 24 deletions(-) commit 25b64fc5f2c0779b53ec155d69cc06b7cdc6e99f Author: Leon Romanovsky Date: Sun Aug 28 10:58:32 2016 +0300 Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one" By Mellanox HW design and SW implementation, poll_cq never fails and returns errors, so all these printks are to catch ULP bugs. In case of such bug, the reverted patch will cause reentry of the function, resulting in a printk storm. This reverts commit 5412352fcd8f ("IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one") Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx4/cq.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 546481c2816ea3c061ee9d5658eb48070f69212e Author: Erez Shitrit Date: Sun Aug 28 10:58:31 2016 +0300 IB/ipoib: Fix memory corruption in ipoib cm mode connect flow When a new CM connection is being requested, ipoib driver copies data from the path pointer in the CM/tx object, the path object might be invalid at the point and memory corruption will happened later when now the CM driver will try using that data. The next scenario demonstrates it: neigh_add_path --> ipoib_cm_create_tx --> queue_work (pointer to path is in the cm/tx struct) #while the work is still in the queue, #the port goes down and causes the ipoib_flush_paths: ipoib_flush_paths --> path_free --> kfree(path) #at this point the work scheduled starts. ipoib_cm_tx_start --> copy from the (invalid)path pointer: (memcpy(&pathrec, &p->path->pathrec, sizeof pathrec);) -> memory corruption. To fix that the driver now starts the CM/tx connection only if that specific path exists in the general paths database. This check is protected with the relevant locks, and uses the gid from the neigh member in the CM/tx object which is valid according to the ref count that was taken by the CM/tx. Fixes: 839fcaba35 ('IPoIB: Connected mode experimental support') Signed-off-by: Erez Shitrit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/ulp/ipoib/ipoib.h | 1 + drivers/infiniband/ulp/ipoib/ipoib_cm.c | 16 ++++++++++++++++ drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +- 3 files changed, 18 insertions(+), 1 deletion(-) commit 68c6bcdd8bd00394c234b915ab9b97c74104130c Author: Erez Shitrit Date: Sun Aug 28 10:58:30 2016 +0300 IB/core: Fix use after free in send_leave function The function send_leave sets the member: group->query_id (group->query_id = ret) after calling the sa_query, but leave_handler can be executed before the setting and it might delete the group object, and will get a memory corruption. Additionally, this patch gets rid of group->query_id variable which is not used. Fixes: faec2f7b96b5 ('IB/sa: Track multicast join/leave requests') Signed-off-by: Erez Shitrit Signed-off-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/core/multicast.c | 13 ++----------- 1 file changed, 2 insertions(+), 11 deletions(-) commit 656aacea6c90ce8e15c2bdef4f89b74b73e2e34a Author: Baoyou Xie Date: Sun Aug 28 22:57:11 2016 +0800 IB/cxgb4: Make _free_qp static to silence build warning We get 1 warning when build kernel with W=1: drivers/infiniband/hw/cxgb4/qp.c:686:6: warning: no previous prototype for '_free_qp' [-Wmissing-prototypes] In fact, this function is only used in the file in which it is declared and don't need a declaration, but can be made static. so this patch marks it 'static'. Signed-off-by: Baoyou Xie Reviewed-by: Yuval Shaia Reviewed-by: Leon Romanovsky Acked-by: Steve Wise Signed-off-by: Doug Ledford drivers/infiniband/hw/cxgb4/qp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 63b268d232b869dfbc92e49c77f7e0648e1d039c Author: Raju Rangoju Date: Mon Aug 29 17:15:49 2016 +0530 IB/isert: Properly release resources on DEVICE_REMOVAL When the low level driver exercises the hot unplug they would call rdma_cm cma_remove_one which would fire DEVICE_REMOVAL event to all cma consumers. Now, if consumer doesn't make sure they destroy all IB objects created on that IB device instance prior to finalizing all processing of DEVICE_REMOVAL callback, rdma_cm will let the lld to de-register with IB core and destroy the IB device instance. And if the consumer calls (say) ib_dereg_mr(), it will crash since that dev object is NULL. In the current implementation, iser-target just initiates the cleanup and returns from DEVICE_REMOVAL callback. This deferred work creates a race between iser-target cleaning IB objects(say MR) and lld destroying IB device instance. This patch includes the following fixes -> make sure that consumer frees all IB objects associated with device instance -> return non-zero from the callback to destroy the rdma_cm id Signed-off-by: Raju Rangoju Acked-by: Sagi Grimberg Signed-off-by: Doug Ledford drivers/infiniband/ulp/isert/ib_isert.c | 23 ++++++++++++++++++++--- drivers/infiniband/ulp/isert/ib_isert.h | 2 ++ 2 files changed, 22 insertions(+), 3 deletions(-) commit 6aaa382f1267644072f288916476879684502f73 Author: Christophe Jaillet Date: Fri Aug 26 06:49:09 2016 +0200 IB/hfi1: Fix the size parameter to find_first_bit The 2nd parameter of 'find_first_bit' is the number of bits to search. In this case, we are passing 'sizeof(u64)' which is 8. It is likely that the number of bits of 'port_mask' was expected here. Use sizeof() * 8 to get the correct number. It has been spotted by the following coccinelle script: @@ expression ret, x; @@ * ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...)); Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/mad.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit fffd68734dc685e208e86d8c5f6522cd695a8d60 Author: Christophe Jaillet Date: Fri Aug 26 07:16:17 2016 +0200 IB/mlx5: Fix the size parameter to find_first_bit The 2nd parameter of 'find_first_bit' is the number of bits to search. In this case, we are passing 'sizeof(tmp)' which is likely to be 4 or 8 because 'tmp' is an 'unsigned long'. It is likely that the number of bits of 'tmp' was expected here. So use BITS_PER_LONG instead. It has been spotted by the following coccinelle script: @@ expression ret, x; @@ * ret = \(find_first_bit \| find_first_zero_bit\) (x, sizeof(...)); Signed-off-by: Christophe JAILLET Acked-by: Majd Dibbiny Acked-by: Leon Romanovsky Signed-off-by: Doug Ledford drivers/infiniband/hw/mlx5/mem.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit 15301a570754c7af60335d094dd2d1808b0641a5 Author: Steven Rostedt Date: Wed May 25 13:47:26 2016 -0400 x86/paravirt: Do not trace _paravirt_ident_*() functions Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up after enabling function tracer. I asked him to bisect the functions within available_filter_functions, which he did and it came down to three: _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64() It was found that this is only an issue when noreplace-paravirt is added to the kernel command line. This means that those functions are most likely called within critical sections of the funtion tracer, and must not be traced. In newer kenels _paravirt_nop() is defined within gcc asm(), and is no longer an issue. But both _paravirt_ident_{32,64}() causes the following splat when they are traced: mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070) mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054) mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054) NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469] Modules linked in: e1000e CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513 Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000 RIP: 0010:[] [] queued_spin_lock_slowpath+0x118/0x1a0 RSP: 0018:ffff8800d4aefb90 EFLAGS: 00000246 RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40 RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030 RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000 R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8 R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0 FS: 00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0 Call Trace: _raw_spin_lock+0x27/0x30 handle_pte_fault+0x13db/0x16b0 handle_mm_fault+0x312/0x670 __do_page_fault+0x1b1/0x4e0 do_page_fault+0x22/0x30 page_fault+0x28/0x30 __vfs_read+0x28/0xe0 vfs_read+0x86/0x130 SyS_read+0x46/0xa0 entry_SYSCALL_64_fastpath+0x1e/0xa8 Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b Reported-by: Łukasz Daniluk Signed-off-by: Steven Rostedt Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds arch/x86/kernel/paravirt.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit f28929ba36b7b35feffd3f282ba17fbc0c4cc83e Merge: ac81038 026e5e0 Author: Linus Torvalds Date: Fri Sep 2 09:32:15 2016 -0700 Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Most of this is regression fixes for posix acl behavior introduced in 4.8-rc1 (these were caught by the pjd-fstest suite). The are also miscellaneous fixes marked as stable material and cleanups. Other than overlayfs code, it touches to add a constant with which to disable posix acl caching. No changes needed to the actual caching code, it automatically does the right thing, although later we may want to optimize this case. I'm now testing overlayfs with the following test suites to catch regressions: - unionmount-testsuite - xfstests - pjd-fstest" * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: update doc ovl: listxattr: use strnlen() ovl: Switch to generic_getxattr ovl: copyattr after setting POSIX ACL ovl: Switch to generic_removexattr ovl: Get rid of ovl_xattr_noacl_handlers array ovl: Fix OVL_XATTR_PREFIX ovl: fix spelling mistake: "directries" -> "directories" ovl: don't cache acl on overlay layer ovl: use cached acl on underlying layer ovl: proper cleanup of workdir ovl: remove posix_acl_default from workdir ovl: handle umask and posix_acl_default correctly on creation ovl: don't copy up opaqueness commit db7b542e4a789156a4fb61278f2074795fe2eb9c Author: Miaoqing Pan Date: Thu Aug 4 15:48:34 2016 +0800 ath9k: fix AR5416 access GPIO warning The warning was seen on AR5416 chip, which invoke ath9k_hw_gio_get() before the GPIO initialized correctly. WARNING: CPU: 1 PID: 1159 at ~/drivers/net/wireless/ath/ath9k/hw.c:2776 ath9k_hw_gpio_get+0x148/0x1a0 [ath9k_hw] ... CPU: 1 PID: 1159 Comm: systemd-udevd Not tainted 4.7.0-rc7-aptosid-amd64 #1 aptosid 4.7~rc7-1~git92.slh.3 Hardware name: /DH67CL, BIOS BLH6710H.86A.0160.2012.1204.1156 12/04/2012 0000000000000286 00000000f912d633 ffffffff81290fd3 0000000000000000 0000000000000000 ffffffff81063fd4 ffff88040c6dc018 0000000000000000 0000000000000002 0000000000000000 0000000000000100 ffff88040c6dc018 Call Trace: [] ? dump_stack+0x5c/0x79 [] ? __warn+0xb4/0xd0 [] ? ath9k_hw_gpio_get+0x148/0x1a0 [ath9k_hw] Signed-off-by: Miaoqing Pan Reported-by: Stefan Lippers-Hollmann Tested-by: Stefan Lippers-Hollmann Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath9k/hw.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 744c6c37cc18705d19e179622f927f5b781fe9cc Author: James Morse Date: Fri Aug 26 16:03:42 2016 +0100 arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1 Changes to make the resume from cpu_suspend() code behave more like secondary boot caused debug exceptions to be unmasked early by __cpu_setup(). We then go on to restore mdscr_el1 in cpu_do_resume(), potentially taking break or watch points based on uninitialised registers. Mask debug exceptions in cpu_do_resume(), which is specific to resume from cpu_suspend(). Debug exceptions will be restored to their original state by local_dbg_restore() in cpu_suspend(), which runs after hw_breakpoint_restore() has re-initialised the other registers. Reported-by: Lorenzo Pieralisi Fixes: cabe1c81ea5b ("arm64: Change cpu_resume() to enable mmu early then access sleep_sp by va") Cc: # 4.7+ Signed-off-by: James Morse Acked-by: Will Deacon Signed-off-by: Catalin Marinas arch/arm64/mm/proc.S | 9 +++++++++ 1 file changed, 9 insertions(+) commit 63fb0a9516b2c4e23293d7253c14c40aa9c2b7d1 Author: Stefan Wahren Date: Sat Aug 27 16:19:50 2016 +0000 drivers/perf: arm_pmu: Fix NULL pointer dereference during probe Patch 7f1d642fbb5c ("drivers/perf: arm-pmu: Fix handling of SPI lacking interrupt-affinity property") unintended also fixes perf_event support for bcm2835 which doesn't have PMU interrupts. Unfortunately this change introduce a NULL pointer dereference on bcm2835, because irq_is_percpu always expected to be called with a valid IRQ. So fix this regression by validating the IRQ before. Tested-by: Kevin Hilman Signed-off-by: Stefan Wahren Fixes: 7f1d642fbb5c ("drivers/perf: arm-pmu: Fix handling of SPI lacking "interrupt-affinity" property") Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas drivers/perf/arm_pmu.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 753246840d012ae34ea80a1d40bc1546c62fb957 Author: Stefan Wahren Date: Sat Aug 27 16:19:49 2016 +0000 drivers/perf: arm_pmu: Fix leak in error path In case of a IRQ type mismatch in of_pmu_irq_cfg() the device node for interrupt affinity isn't freed. So fix this issue by calling of_node_put(). Signed-off-by: Stefan Wahren Fixes: fa8ad7889d83 ("arm: perf: factor arm_pmu core out to drivers") Signed-off-by: Will Deacon Signed-off-by: Catalin Marinas drivers/perf/arm_pmu.c | 1 + 1 file changed, 1 insertion(+) commit ac8103840b7bf9cca48b437fd5a8cb8b14b6bd02 Merge: b0be76b 32e8082 Author: Linus Torvalds Date: Fri Sep 2 07:58:31 2016 -0700 Merge tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fixes from Vinod Koul: "The fixes this time are all in drivers: - possible NULL dereference in img-mdc - correct device identity for free_irq in at_xdmac - missing of_node_put() in fsl probe - fix debug log and hotchain corner case for pxa-dma - fix checking hardware bits in isr in usb dmac" * tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: img-mdc: fix a possible NULL dereference dmaengine: at_xdmac: fix to pass correct device identity to free_irq() dmaengine: fsl_raid: add missing of_node_put() in fsl_re_probe() dmaengine: pxa_dma: fix debug message dmaengine: pxa_dma: fix hotchain corner case dmaengine: usb-dmac: check CHCR.DE bit in usb_dmac_isr_channel() commit b0be76bf54cbc1a002b266e35544eefb3a5417cf Merge: cc4163d 603f2c9 Author: Linus Torvalds Date: Fri Sep 2 07:53:00 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "Contains fixes for imx, amdgpu, vc4, msm and one nouveau ACPI fix" * tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux: drm/amdgpu: record error code when ring test failed drm/amd/amdgpu: compute ring test fail during S4 on CI drm/amd/amdgpu: sdma resume fail during S4 on CI drm/nouveau/acpi: use DSM if bridge does not support D3cold drm/imx: fix crtc vblank state regression drm/imx: Add active plane reconfiguration support drm/msm: protect against faults from copy_from_user() in submit ioctl drm/msm: fix use of copy_from_user() while holding spinlock drm/vc4: Fix oops when userspace hands in a bad BO. drm/vc4: Fix overflow mem unreferencing when the binner runs dry. drm/vc4: Free hang state before destroying BO cache. drm/vc4: Fix handling of a pm_runtime_get_sync() success case. drm/vc4: Use drm_malloc_ab to fix large rendering jobs. drm/vc4: Use drm_free_large() on handles to match its allocation. commit 7064f623c4cc8c8537745b5cdd21d9896100445c Merge: 982098a d662ed2e Author: Arnd Bergmann Date: Fri Sep 2 16:11:14 2016 +0200 Merge tag 'ccn/fixes-for-4.8-v2' of git://git.linaro.org/people/pawel.moll/linux into fixes Merge "bus: ARM CCN PMU driver updates" from Paweł Moll: - Fixes and improvements for XP watchpoint and events handling - Added missing condition checks for KVM-related exclusions - Improved interrupt affinity handling - Fix for hrtimer use in polling mode - Event grouping implementation improvement * tag 'ccn/fixes-for-4.8-v2' of git://git.linaro.org/people/pawel.moll/linux: bus: arm-ccn: make event groups reliable bus: arm-ccn: fix hrtimer registration bus: arm-ccn: fix PMU interrupt flags bus: arm-ccn: Add missing event attribute exclusions for host/guest bus: arm-ccn: Correct required arguments for XP PMU events bus: arm-ccn: Fix XP watchpoint settings bitmask bus: arm-ccn: Do not attempt to configure XPs for cycle counter bus: arm-ccn: Fix PMU handling of MN commit 982098a9f7e2391e735e639a6816715da8dda3b9 Merge: 0a10e85 c721da1 Author: Arnd Bergmann Date: Fri Sep 2 16:02:01 2016 +0200 Merge tag 'mvebu-fixes-4.8-2' of git://git.infradead.org/linux-mvebu into fixes Merge "mvebu fixes for 4.8 (part 1)" from Gregory CLEMENT: Few device tree fix on kirkwood: - enable PCIe on OpenRD - use correct u-boot environment partition size on ib62x0 * tag 'mvebu-fixes-4.8-2' of git://git.infradead.org/linux-mvebu: ARM: dts: kirkwood: Fix PCIe label on OpenRD ARM: kirkwood: ib62x0: fix size of u-boot environment partition commit 11749e086b2766cccf6217a527ef5c5604ba069c Author: Vegard Nossum Date: Sun Aug 28 10:13:07 2016 +0200 ALSA: timer: fix NULL pointer dereference in read()/ioctl() race I got this with syzkaller: ================================================================== BUG: KASAN: null-ptr-deref on address 0000000000000020 Read of size 32 by task syz-executor/22519 CPU: 1 PID: 22519 Comm: syz-executor Not tainted 4.8.0-rc2+ #169 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2 014 0000000000000001 ffff880111a17a00 ffffffff81f9f141 ffff880111a17a90 ffff880111a17c50 ffff880114584a58 ffff880114584a10 ffff880111a17a80 ffffffff8161fe3f ffff880100000000 ffff880118d74a48 ffff880118d74a68 Call Trace: [] dump_stack+0x83/0xb2 [] kasan_report_error+0x41f/0x4c0 [] kasan_report+0x34/0x40 [] ? snd_timer_user_read+0x554/0x790 [] check_memory_region+0x13e/0x1a0 [] kasan_check_read+0x11/0x20 [] snd_timer_user_read+0x554/0x790 [] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [] ? proc_fault_inject_write+0x1c1/0x250 [] ? next_tgid+0x2a0/0x2a0 [] ? do_group_exit+0x108/0x330 [] ? fsnotify+0x72a/0xca0 [] __vfs_read+0x10e/0x550 [] ? snd_timer_user_info_compat.isra.5+0x2b0/0x2b0 [] ? do_sendfile+0xc50/0xc50 [] ? __fsnotify_update_child_dentry_flags+0x60/0x60 [] ? kcov_ioctl+0x56/0x190 [] ? common_file_perm+0x2e2/0x380 [] ? __fsnotify_parent+0x5e/0x2b0 [] ? security_file_permission+0x86/0x1e0 [] ? rw_verify_area+0xe5/0x2b0 [] vfs_read+0x115/0x330 [] SyS_read+0xd1/0x1a0 [] ? vfs_write+0x4b0/0x4b0 [] ? __this_cpu_preempt_check+0x1c/0x20 [] ? __context_tracking_exit.part.4+0x3a/0x1e0 [] ? vfs_write+0x4b0/0x4b0 [] do_syscall_64+0x1c4/0x4e0 [] ? syscall_return_slowpath+0x16c/0x1d0 [] entry_SYSCALL64_slow_path+0x25/0x25 ================================================================== There are a couple of problems that I can see: - ioctl(SNDRV_TIMER_IOCTL_SELECT), which potentially sets tu->queue/tu->tqueue to NULL on memory allocation failure, so read() would get a NULL pointer dereference like the above splat - the same ioctl() can free tu->queue/to->tqueue which means read() could potentially see (and dereference) the freed pointer We can fix both by taking the ioctl_lock mutex when dereferencing ->queue/->tqueue, since that's always held over all the ioctl() code. Just looking at the code I find it likely that there are more problems here such as tu->qhead pointing outside the buffer if the size is changed concurrently using SNDRV_TIMER_IOCTL_PARAMS. Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 2 ++ 1 file changed, 2 insertions(+) commit 08d072599234c959b0b82b63fa252c129225a899 Author: Wanpeng Li Date: Fri Sep 2 14:38:23 2016 +0800 tick/nohz: Fix softlockup on scheduler stalls in kvm guest tick_nohz_start_idle() is prevented to be called if the idle tick can't be stopped since commit 1f3b0f8243cb934 ("tick/nohz: Optimize nohz idle enter"). As a result, after suspend/resume the host machine, full dynticks kvm guest will softlockup: NMI watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:0] Call Trace: default_idle+0x31/0x1a0 arch_cpu_idle+0xf/0x20 default_idle_call+0x2a/0x50 cpu_startup_entry+0x39b/0x4d0 rest_init+0x138/0x140 ? rest_init+0x5/0x140 start_kernel+0x4c1/0x4ce ? set_init_arg+0x55/0x55 ? early_idt_handler_array+0x120/0x120 x86_64_start_reservations+0x24/0x26 x86_64_start_kernel+0x142/0x14f In addition, cat /proc/stat | grep cpu in guest or host: cpu 398 16 5049 15754 5490 0 1 46 0 0 cpu0 206 5 450 0 0 0 1 14 0 0 cpu1 81 0 3937 3149 1514 0 0 9 0 0 cpu2 45 6 332 6052 2243 0 0 11 0 0 cpu3 65 2 328 6552 1732 0 0 11 0 0 The idle and iowait states are weird 0 for cpu0(housekeeping). The bug is present in both guest and host kernels, and they both have cpu0's idle and iowait states issue, however, host kernel's suspend/resume path etc will touch watchdog to avoid the softlockup. - The watchdog will not be touched in tick_nohz_stop_idle path (need be touched since the scheduler stall is expected) if idle_active flags are not detected. - The idle and iowait states will not be accounted when exit idle loop (resched or interrupt) if idle start time and idle_active flags are not set. This patch fixes it by reverting commit 1f3b0f8243cb934 since can't stop idle tick doesn't mean can't be idle. Fixes: 1f3b0f8243cb934 ("tick/nohz: Optimize nohz idle enter") Signed-off-by: Wanpeng Li Cc: Sanjeev Yadav Cc: Gaurav Jindal Cc: stable@vger.kernel.org Cc: kvm@vger.kernel.org Cc: Radim Krčmář Cc: Peter Zijlstra Cc: Paolo Bonzini Link: http://lkml.kernel.org/r/1472798303-4154-1-git-send-email-wanpeng.li@hotmail.com Signed-off-by: Thomas Gleixner kernel/time/tick-sched.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c2f321126e31cd69365e65ecd4a7c774e4fc71d2 Author: Wolfram Sang Date: Tue Aug 30 21:50:22 2016 +0200 ARM: shmobile: fix regulator quirk for Gen2 The current implementation only works if the da9xxx devices are added before their drivers are registered. Only then it can apply the fixes to both devices. Otherwise, the driver for the first device gets probed before the fix for the second device can be applied. This is what fails when using the IP core switcher or when having the i2c master driver as a module. So, we need to disable both da9xxx once we detected one of them. We now use i2c_transfer with hardcoded i2c_messages and device addresses, so we don't need the da9xxx client devices to be instantiated. Because the fixup is used on specific boards only, the addresses are not going to change. Fixes: 663fbb52159cca ("ARM: shmobile: R-Car Gen2: Add da9063/da9210 regulator quirk") Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Tested-by: Geert Uytterhoeven (r8a7791/koelsch) Tested-by: Kuninori Morimoto Signed-off-by: Simon Horman arch/arm/mach-shmobile/regulator-quirk-rcar-gen2.c | 62 +++++++++------------- 1 file changed, 26 insertions(+), 36 deletions(-) commit ab34380162cbc9b5172afdadf5136643c687bb73 Author: Eli Cooper Date: Fri Aug 26 23:52:29 2016 +0800 ipv6: Don't unset flowi6_proto in ipxip6_tnl_xmit() Commit 8eb30be0352d0916 ("ipv6: Create ip6_tnl_xmit") unsets flowi6_proto in ip4ip6_tnl_xmit() and ip6ip6_tnl_xmit(). Since xfrm_selector_match() relies on this info, IPv6 packets sent by an ip6tunnel cannot be properly selected by their protocols after removing it. This patch puts flowi6_proto back. Cc: stable@vger.kernel.org Fixes: 8eb30be0352d ("ipv6: Create ip6_tnl_xmit") Signed-off-by: Eli Cooper Signed-off-by: David S. Miller net/ipv6/ip6_tunnel.c | 2 ++ 1 file changed, 2 insertions(+) commit 603f2c9f45c6620afd65b60ec084c1ea7c36b2ec Merge: 5322942 552416c Author: Dave Airlie Date: Fri Sep 2 15:55:15 2016 +1000 Merge tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux into drm-fixes This pull request brings in fixes for VC4 3D in 4.8, most of which are covered by testcases. * tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux: drm/vc4: Fix oops when userspace hands in a bad BO. drm/vc4: Fix overflow mem unreferencing when the binner runs dry. drm/vc4: Free hang state before destroying BO cache. drm/vc4: Fix handling of a pm_runtime_get_sync() success case. drm/vc4: Use drm_malloc_ab to fix large rendering jobs. drm/vc4: Use drm_free_large() on handles to match its allocation. commit b44e108b6f322eb5f20aa6eba39b468a1ffc10ff Author: Guilherme G. Piccoli Date: Wed Aug 31 12:11:57 2016 -0300 bnx2x: don't reset chip on cleanup if PCI function is offline When PCI error is detected, in some architectures (like PowerPC) a slot reset is performed - the driver's error handlers are in charge of "disable" device before the reset, and re-enable it after a successful slot reset. There are two cases though that another path is taken on the code: if the slot reset is not successful or if too many errors already happened in the specific adapter (meaning that possibly the device is experiencing a HW failure that slot reset is not able to solve), the core PCI error mechanism (called EEH in PowerPC) will remove the adapter from the system, since it will consider this as a permanent failure on device. In this case, a path is taken that leads to bnx2x_chip_cleanup() calling bnx2x_reset_hw(), which then tries to perform a HW reset on chip. This reset won't succeed since the HW is in a fault state, which can be seen by multiple messages on kernel log like below: bnx2x: [bnx2x_issue_dmae_with_comp:552(eth1)]DMAE timeout! bnx2x: [bnx2x_write_dmae:600(eth1)]DMAE returned failure -1 After some time, the PCI error mechanism gives up on waiting the driver's correct removal procedure and forcibly remove the adapter from the system. We can see soft lockup while core PCI error mechanism is waiting for driver to accomplish the right removal process. This patch adds a verification to avoid a chip reset whenever the function is in PCI error state - since this case is only reached when we have a device being removed because of a permanent failure, the HW chip reset is not expected to work fine neither is necessary. Also, as a minor improvement in error path, we avoid the MCP information dump in case of non-recoverable PCI error (when adapter is about to be removed), since it will certainly fail. Reported-by: Harsha Thyagaraja Signed-off-by: Guilherme G. Piccoli Acked-By: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/bnx2x/bnx2x_main.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) commit 5322942527156178874eec3d3108a4fae148d87d Merge: 27dd735 a474478 Author: Dave Airlie Date: Fri Sep 2 15:48:38 2016 +1000 Merge tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux into drm-fixes imx-drm atomic modeset regression fixes - add active plane reconfiguration support - add back crtc vblank state reporting * tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux: drm/imx: fix crtc vblank state regression drm/imx: Add active plane reconfiguration support commit 635c223cfa05af9523146b2f37e119d945f449ae Author: Gao Feng Date: Wed Aug 31 14:15:05 2016 +0800 rps: flow_dissector: Fix uninitialized flow_keys used in __skb_get_hash possibly The original codes depend on that the function parameters are evaluated from left to right. But the parameter's evaluation order is not defined in C standard actually. When flow_keys_have_l4(&keys) is invoked before ___skb_get_hash(skb, &keys, hashrnd) with some compilers or environment, the keys passed to flow_keys_have_l4 is not initialized. Fixes: 6db61d79c1e1 ("flow_dissector: Ignore flow dissector return value from ___skb_get_hash") Acked-by: Eric Dumazet Signed-off-by: Gao Feng Signed-off-by: David S. Miller net/core/flow_dissector.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit cc4163daaaa1eb0a4ce0396a7d1da4a47b3e526a Merge: b9677fa dc7066c Author: Linus Torvalds Date: Thu Sep 1 20:32:18 2016 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "A collection of small fixes for various SoC vendor clk drivers" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399 clk: tegra: remove TEGRA_PLL_USE_LOCK for PLLD/PLLD2 clk: rockchip: fix incorrect GATE bits for {c, g}pll_aclk_perihp_src on rk3399 clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399 clk: renesas: r8a7795: Fix SD clocks clk: rockchip: fix rk3399 aclk_vio gate bit clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock commit b9677faf45bcf4c63431b62758bfd895404f0f3f Merge: 511a8cd b300692 Author: Linus Torvalds Date: Thu Sep 1 18:23:22 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "14 fixes" * emailed patches from Andrew Morton : rapidio/tsi721: fix incorrect detection of address translation condition rapidio/documentation/mport_cdev: add missing parameter description kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd MAINTAINERS: Vladimir has moved mm, mempolicy: task->mempolicy must be NULL before dropping final reference printk/nmi: avoid direct printk()-s from __printk_nmi_flush() treewide: remove references to the now unnecessary DEFINE_PCI_DEVICE_TABLE drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator lib/test_hash.c: fix warning in preprocessor symbol evaluation lib/test_hash.c: fix warning in two-dimensional array init kconfig: tinyconfig: provide whole choice blocks to avoid warnings kexec: fix double-free when failing to relocate the purgatory mm, oom: prevent premature OOM killer invocation for high order request commit b30069291dc7f9b9a073c33d619818fe4a8e50de Author: Alexandre Bounine Date: Thu Sep 1 16:15:18 2016 -0700 rapidio/tsi721: fix incorrect detection of address translation condition Fix incorrect condition to identify involvment of a address translation mechanism. This bug results in NULL pointer kernel crash dump in cases when mapping of inbound RapidIO address range is requested within existing aprture. Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Cc: Matt Porter Cc: Andre van Herk Cc: Barry Wood Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/rapidio/devices/tsi721.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e1011af7a5725141aa4c8d30132acd93fe3da4e Author: Alexandre Bounine Date: Thu Sep 1 16:15:15 2016 -0700 rapidio/documentation/mport_cdev: add missing parameter description Add missing description for rio_mport_cdev driver parameter 'dma_timeout'. This patch is applicable to kernel versions starting from v4.6. Link: http://lkml.kernel.org/r/20160901173104.2928-1-alexandre.bounine@idt.com Signed-off-by: Alexandre Bounine Cc: Matt Porter Cc: Andre van Herk Cc: Barry Wood Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Documentation/rapidio/mport_cdev.txt | 4 ++++ 1 file changed, 4 insertions(+) commit 735f2770a770156100f534646158cb58cb8b2939 Author: Michal Hocko Date: Thu Sep 1 16:15:13 2016 -0700 kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd Commit fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit") has caused a subtle regression in nscd which uses CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the shared databases, so that the clients are notified when nscd is restarted. Now, when nscd uses a non-persistent database, clients that have it mapped keep thinking the database is being updated by nscd, when in fact nscd has created a new (anonymous) one (for non-persistent databases it uses an unlinked file as backend). The original proposal for the CLONE_CHILD_CLEARTID change claimed (https://lkml.org/lkml/2006/10/25/233): : The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls : on behalf of pthread_create() library calls. This feature is used to : request that the kernel clear the thread-id in user space (at an address : provided in the syscall) when the thread disassociates itself from the : address space, which is done in mm_release(). : : Unfortunately, when a multi-threaded process incurs a core dump (such as : from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of : the other threads, which then proceed to clear their user-space tids : before synchronizing in exit_mm() with the start of core dumping. This : misrepresents the state of process's address space at the time of the : SIGSEGV and makes it more difficult for someone to debug NPTL and glibc : problems (misleading him/her to conclude that the threads had gone away : before the fault). : : The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a : core dump has been initiated. The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269) seems to have a larger scope than the original patch asked for. It seems that limitting the scope of the check to core dumping should work for SIGSEGV issue describe above. [Changelog partly based on Andreas' description] Fixes: fec1d0115240 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit") Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.org Signed-off-by: Michal Hocko Tested-by: William Preston Acked-by: Oleg Nesterov Cc: Roland McGrath Cc: Andreas Schwab Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/fork.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) commit c4e297386bd1621b83f6f7d58a729fb770597a91 Author: Vladimir Davydov Date: Thu Sep 1 16:15:09 2016 -0700 MAINTAINERS: Vladimir has moved vdavydov@{parallels,virtuozzo}.com will bounce from now on. Link: http://lkml.kernel.org/r/20160831180752.GB10353@esperanza Signed-off-by: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds .mailmap | 2 ++ MAINTAINERS | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) commit c11600e4fed67ae4cd6a8096936afd445410e8ed Author: David Rientjes Date: Thu Sep 1 16:15:07 2016 -0700 mm, mempolicy: task->mempolicy must be NULL before dropping final reference KASAN allocates memory from the page allocator as part of kmem_cache_free(), and that can reference current->mempolicy through any number of allocation functions. It needs to be NULL'd out before the final reference is dropped to prevent a use-after-free bug: BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140 ... Call Trace: dump_stack kasan_object_err kasan_report_error __asan_report_load2_noabort alloc_pages_current <-- use after free depot_save_stack save_stack kasan_slab_free kmem_cache_free __mpol_put <-- free do_exit This patch sets current->mempolicy to NULL before dropping the final reference. Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com Fixes: cd11016e5f52 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") Signed-off-by: David Rientjes Reported-by: Vegard Nossum Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: [4.6+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/mempolicy.h | 4 ++++ kernel/exit.c | 7 +------ mm/mempolicy.c | 17 +++++++++++++++++ 3 files changed, 22 insertions(+), 6 deletions(-) commit 19feeff18bbfde659baa58c2346f15a24d7c405e Author: Sergey Senozhatsky Date: Thu Sep 1 16:15:04 2016 -0700 printk/nmi: avoid direct printk()-s from __printk_nmi_flush() __printk_nmi_flush() can be called from nmi_panic(), therefore it has to test whether it's executed in NMI context and thus must route the messages through deferred printk() or via direct printk(). This is to avoid potential deadlocks, as described in commit cf9b1106c81c ("printk/nmi: flush NMI messages on the system panic"). However there remain two places where __printk_nmi_flush() does unconditional direct printk() calls: - pr_err("printk_nmi_flush: internal error ...") - pr_cont("\n") Factor out print_nmi_seq_line() parts into a new printk_nmi_flush_line() function, which takes care of in_nmi(), and use it in __printk_nmi_flush() for printing and error-reporting. Link: http://lkml.kernel.org/r/20160830161354.581-1-sergey.senozhatsky@gmail.com Signed-off-by: Sergey Senozhatsky Cc: Petr Mladek Cc: Jan Kara Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/printk/nmi.c | 38 +++++++++++++++++++++++--------------- 1 file changed, 23 insertions(+), 15 deletions(-) commit 7e932159901183283cd82d797bc9a7c681e48e9c Author: Joe Perches Date: Thu Sep 1 16:15:01 2016 -0700 treewide: remove references to the now unnecessary DEFINE_PCI_DEVICE_TABLE It's been eliminated from the sources, remove it from everywhere else. Link: http://lkml.kernel.org/r/076eff466fd7edb550c25c8b25d76924ca0eba62.1472660229.git.joe@perches.com Signed-off-by: Joe Perches Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: Bjorn Helgaas Cc: Andy Whitcroft Cc: Jonathan Corbet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Documentation/PCI/pci.txt | 1 - include/linux/pci.h | 9 --------- scripts/checkpatch.pl | 9 --------- scripts/tags.sh | 1 - 4 files changed, 20 deletions(-) commit 8a793bea2745d9876030f892a84fc8be180f2e78 Author: Joe Perches Date: Thu Sep 1 16:14:58 2016 -0700 drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE Convert it to the preferred const struct pci_device_id instead. Link: http://lkml.kernel.org/r/95c5e4100c3cd4eda643624f5b70e8d7abceb86c.1472660229.git.joe@perches.com Signed-off-by: Joe Perches Reviewed-by: Bart Van Assche Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/scsi/wd719x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 6aa303defb7454a2520c4ddcdf6b081f62a15890 Author: Mel Gorman Date: Thu Sep 1 16:14:55 2016 -0700 mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator Firmware Assisted Dump (FA_DUMP) on ppc64 reserves substantial amounts of memory when booting a secondary kernel. Srikar Dronamraju reported that multiple nodes may have no memory managed by the buddy allocator but still return true for populated_zone(). Commit 1d82de618ddd ("mm, vmscan: make kswapd reclaim in terms of nodes") was reported to cause kswapd to spin at 100% CPU usage when fadump was enabled. The old code happened to deal with the situation of a populated node with zero free pages by co-incidence but the current code tries to reclaim populated zones without realising that is impossible. We cannot just convert populated_zone() as many existing users really need to check for present_pages. This patch introduces a managed_zone() helper and uses it in the few cases where it is critical that the check is made for managed pages -- zonelist construction and page reclaim. Link: http://lkml.kernel.org/r/20160831195104.GB8119@techsingularity.net Signed-off-by: Mel Gorman Reported-by: Srikar Dronamraju Tested-by: Srikar Dronamraju Acked-by: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/mmzone.h | 16 ++++++++++++++-- mm/page_alloc.c | 4 ++-- mm/vmscan.c | 22 +++++++++++----------- 3 files changed, 27 insertions(+), 15 deletions(-) commit e6173ba42bbdba05fd4f3021c0beda0506271507 Author: Geert Uytterhoeven Date: Thu Sep 1 16:14:53 2016 -0700 lib/test_hash.c: fix warning in preprocessor symbol evaluation Some versions of gcc don't like tests for the value of an undefined preprocessor symbol, even in the #else branch of an #ifndef: lib/test_hash.c:224:7: warning: "HAVE_ARCH__HASH_32" is not defined [-Wundef] #elif HAVE_ARCH__HASH_32 != 1 ^ lib/test_hash.c:229:7: warning: "HAVE_ARCH_HASH_32" is not defined [-Wundef] #elif HAVE_ARCH_HASH_32 != 1 ^ lib/test_hash.c:234:7: warning: "HAVE_ARCH_HASH_64" is not defined [-Wundef] #elif HAVE_ARCH_HASH_64 != 1 ^ Seen with gcc 4.9, not seen with 4.1.2. Change the logic to only check the value inside an #ifdef to fix this. Fixes: 468a9428521e7d00 (": Add support for architecture-specific functions") Link: http://lkml.kernel.org/r/20160829214952.1334674-4-arnd@arndb.de Signed-off-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann Acked-by: George Spelvin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/test_hash.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) commit ed76b7a131f41c91b0c725d472f9b969d75ce888 Author: Geert Uytterhoeven Date: Thu Sep 1 16:14:50 2016 -0700 lib/test_hash.c: fix warning in two-dimensional array init lib/test_hash.c: In function 'test_hash_init': lib/test_hash.c:146:2: warning: missing braces around initializer [-Wmissing-braces] Fixes: 468a9428521e7d00 (": Add support for architecture-specific functions") Link: http://lkml.kernel.org/r/20160829214952.1334674-3-arnd@arndb.de Signed-off-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann Acked-by: George Spelvin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds lib/test_hash.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 236dec051078a8691950f56949612b4b74107e48 Author: Arnd Bergmann Date: Thu Sep 1 16:14:47 2016 -0700 kconfig: tinyconfig: provide whole choice blocks to avoid warnings Using "make tinyconfig" produces a couple of annoying warnings that show up for build test machines all the time: .config:966:warning: override: NOHIGHMEM changes choice state .config:965:warning: override: SLOB changes choice state .config:963:warning: override: KERNEL_XZ changes choice state .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:933:warning: override: SLOB changes choice state .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state .config:870:warning: override: SLOB changes choice state .config:868:warning: override: KERNEL_XZ changes choice state .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state I've made a previous attempt at fixing them and we discussed a number of alternatives. I tried changing the Makefile to use "merge_config.sh -n $(fragment-list)" but couldn't get that to work properly. This is yet another approach, based on the observation that we do want to see a warning for conflicting 'choice' options, and that we can simply make them non-conflicting by listing all other options as disabled. This is a trivial patch that we can apply independent of plans for other changes. Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log https://patchwork.kernel.org/patch/9212749/ Signed-off-by: Arnd Bergmann Reviewed-by: Josh Triplett Reviewed-by: Masahiro Yamada Acked-by: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/x86/configs/tiny.config | 2 ++ kernel/configs/tiny.config | 8 ++++++++ 2 files changed, 10 insertions(+) commit 070c43eea5043e950daa423707ae3c77e2f48edb Author: Thiago Jung Bauermann Date: Thu Sep 1 16:14:44 2016 -0700 kexec: fix double-free when failing to relocate the purgatory If kexec_apply_relocations fails, kexec_load_purgatory frees pi->sechdrs and pi->purgatory_buf. This is redundant, because in case of error kimage_file_prepare_segments calls kimage_file_post_load_cleanup, which will also free those buffers. This causes two warnings like the following, one for pi->sechdrs and the other for pi->purgatory_buf: kexec-bzImage64: Loading purgatory failed ------------[ cut here ]------------ WARNING: CPU: 1 PID: 2119 at mm/vmalloc.c:1490 __vunmap+0xc1/0xd0 Trying to vfree() nonexistent vm area (ffffc90000e91000) Modules linked in: CPU: 1 PID: 2119 Comm: kexec Not tainted 4.8.0-rc3+ #5 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0x4d/0x65 __warn+0xcb/0xf0 warn_slowpath_fmt+0x4f/0x60 ? find_vmap_area+0x19/0x70 ? kimage_file_post_load_cleanup+0x47/0xb0 __vunmap+0xc1/0xd0 vfree+0x2e/0x70 kimage_file_post_load_cleanup+0x5e/0xb0 SyS_kexec_file_load+0x448/0x680 ? putname+0x54/0x60 ? do_sys_open+0x190/0x1f0 entry_SYSCALL_64_fastpath+0x13/0x8f ---[ end trace 158bb74f5950ca2b ]--- Fix by setting pi->sechdrs an pi->purgatory_buf to NULL, since vfree won't try to free a NULL pointer. Link: http://lkml.kernel.org/r/1472083546-23683-1-git-send-email-bauerman@linux.vnet.ibm.com Signed-off-by: Thiago Jung Bauermann Acked-by: Baoquan He Cc: "Eric W. Biederman" Cc: Vivek Goyal Cc: Dave Young Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/kexec_file.c | 3 +++ 1 file changed, 3 insertions(+) commit 6b4e3181d7bd5ca5ab6f45929e4a5ffa7ab4ab7f Author: Michal Hocko Date: Thu Sep 1 16:14:41 2016 -0700 mm, oom: prevent premature OOM killer invocation for high order request There have been several reports about pre-mature OOM killer invocation in 4.7 kernel when order-2 allocation request (for the kernel stack) invoked OOM killer even during basic workloads (light IO or even kernel compile on some filesystems). In all reported cases the memory is fragmented and there are no order-2+ pages available. There is usually a large amount of slab memory (usually dentries/inodes) and further debugging has shown that there are way too many unmovable blocks which are skipped during the compaction. Multiple reporters have confirmed that the current linux-next which includes [1] and [2] helped and OOMs are not reproducible anymore. A simpler fix for the late rc and stable is to simply ignore the compaction feedback and retry as long as there is a reclaim progress and we are not getting OOM for order-0 pages. We already do that for CONFING_COMPACTION=n so let's reuse the same code when compaction is enabled as well. [1] http://lkml.kernel.org/r/20160810091226.6709-1-vbabka@suse.cz [2] http://lkml.kernel.org/r/f7a9ea9d-bb88-bfd6-e340-3a933559305a@suse.cz Fixes: 0a0337e0d1d1 ("mm, oom: rework oom detection") Link: http://lkml.kernel.org/r/20160823074339.GB23577@dhcp22.suse.cz Signed-off-by: Michal Hocko Tested-by: Olaf Hering Tested-by: Ralf-Peter Rohbeck Cc: Markus Trippelsdorf Cc: Arkadiusz Miskiewicz Cc: Ralf-Peter Rohbeck Cc: Jiri Slaby Cc: Vlastimil Babka Cc: Joonsoo Kim Cc: Tetsuo Handa Cc: David Rientjes Cc: [4.7.x] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/page_alloc.c | 51 ++------------------------------------------------- 1 file changed, 2 insertions(+), 49 deletions(-) commit cb887083d084d74421ae7bb18acca40568da791f Merge: 28a2359 e0af248 Author: Chris Mason Date: Thu Sep 1 17:29:34 2016 -0700 Merge tag 'for-chris' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux into for-linus-4.8 commit 28b346cbc0715ae45b2814d857f1d8a7e6817ed8 Author: Neal Cardwell Date: Tue Aug 30 11:55:23 2016 -0400 tcp: fastopen: fix rcv_wup initialization for TFO server on SYN/data Yuchung noticed that on the first TFO server data packet sent after the (TFO) handshake, the server echoed the TCP timestamp value in the SYN/data instead of the timestamp value in the final ACK of the handshake. This problem did not happen on regular opens. The tcp_replace_ts_recent() logic that decides whether to remember an incoming TS value needs tp->rcv_wup to hold the latest receive sequence number that we have ACKed (latest tp->rcv_nxt we have ACKed). This commit fixes this issue by ensuring that a TFO server properly updates tp->rcv_wup to match tp->rcv_nxt at the time it sends a SYN/ACK for the SYN/data. Reported-by: Yuchung Cheng Signed-off-by: Neal Cardwell Signed-off-by: Yuchung Cheng Signed-off-by: Eric Dumazet Signed-off-by: Soheil Hassas Yeganeh Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") Signed-off-by: David S. Miller net/ipv4/tcp_fastopen.c | 1 + 1 file changed, 1 insertion(+) commit 85a3d4a9356b595d5440c3f1bf07ee7cecca1567 Author: Nikolay Aleksandrov Date: Tue Aug 30 17:44:29 2016 +0200 net: bridge: don't increment tx_dropped in br_do_proxy_arp pskb_may_pull may fail due to various reasons (e.g. alloc failure), but the skb isn't changed/dropped and processing continues so we shouldn't increment tx_dropped. CC: Kyeyoon Park CC: Roopa Prabhu CC: Stephen Hemminger CC: bridge@lists.linux-foundation.org Fixes: 958501163ddd ("bridge: Add support for IEEE 802.11 Proxy ARP") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David S. Miller net/bridge/br_input.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) commit 511a8cdb650544b7efd1bbccf7967d3153aee5f6 Merge: 7d1ce60 5efc244 Author: Linus Torvalds Date: Thu Sep 1 15:55:56 2016 -0700 Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit Pull audit fixes from Paul Moore: "Two small patches to fix some bugs with the audit-by-executable functionality we introduced back in v4.3 (both patches are marked for the stable folks)" * 'stable-4.8' of git://git.infradead.org/users/pcmoore/audit: audit: fix exe_file access in audit_exe_compare mm: introduce get_task_exe_file commit 7d1ce606a37922879cbe40a6122047827105a332 Merge: 071e31e ea78d80 Author: Linus Torvalds Date: Thu Sep 1 15:33:16 2016 -0700 Merge tag 'xfs-iomap-for-linus-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs Pull xfs and iomap fixes from Dave Chinner: "Most of these changes are small regression fixes that address problems introduced in the 4.8-rc1 window. The two fixes that aren't (IO completion fix and superblock inprogress check) are fixes for problems introduced some time ago and need to be pushed back to stable kernels. Changes in this update: - iomap FIEMAP_EXTENT_MERGED usage fix - additional mount-time feature restrictions - rmap btree query fixes - freeze/unmount io completion workqueue fix - memory corruption fix for deferred operations handling" * tag 'xfs-iomap-for-linus-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs: xfs: track log done items directly in the deferred pending work item iomap: don't set FIEMAP_EXTENT_MERGED for extent based filesystems xfs: prevent dropping ioend completions during buftarg wait xfs: fix superblock inprogress check xfs: simple btree query range should look right if LE lookup fails xfs: fix some key handling problems in _btree_simple_query_range xfs: don't log the entire end of the AGF xfs: disallow mounting of realtime + rmap filesystems xfs: don't perform lookups on zero-height btrees commit 29c994e361009142ec0bca6493cc8f7b0d3c561a Author: Nicolas Dichtel Date: Tue Aug 30 10:09:22 2016 +0200 netconf: add a notif when settings are created All changes are notified, but the initial state was missing. Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller net/ipv4/devinet.c | 11 +++++++---- net/ipv6/addrconf.c | 9 ++++++++- 2 files changed, 15 insertions(+), 5 deletions(-) commit d26c638c16cb54f6fb1507e27df93ede692db572 Author: Nicolas Dichtel Date: Tue Aug 30 10:09:21 2016 +0200 ipv6: add missing netconf notif when 'all' is updated The 'default' value was not advertised. Fixes: f3a1bfb11ccb ("rtnl/ipv6: use netconf msg to advertise forwarding status") Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller net/ipv6/addrconf.c | 7 +++++++ 1 file changed, 7 insertions(+) commit d3ebc88efe464d93585e66ffa0cd402cd55a033d Merge: a036244 7ceb8a1 Author: David S. Miller Date: Thu Sep 1 14:50:47 2016 -0700 Merge branch 'thunderx-fixes' Sunil Goutham says: ==================== net: thunderx: Fixes for TSO offload issues This patch series fixes couple of issues w.r.t HW TSO offload ==================== Signed-off-by: David S. Miller commit 7ceb8a1319ec64954459d474dd4a8c3c60ff0999 Author: Sunil Goutham Date: Tue Aug 30 11:36:27 2016 +0530 net: thunderx: Fix for issues with multiple CQEs posted for a TSO packet On ThunderX 88xx pass 2.x chips when TSO is offloaded to HW, HW posts a CQE for every TSO segment transmitted. Current code does handles this, but is prone to issues when segment sizes are small resulting in SW processing too many CQEs and also at times frees a SKB which is not yet transmitted. This patch handles the errata in a different way and eliminates issues with earlier approach, TSO packet is submitted to HW with post_cqe=0, so that no CQE is posted upon completion of transmission of TSO packet but a additional HDR + IMMEDIATE descriptors are added to SQ due to which a CQE is posted and will have required info to be used while cleanup in napi. This way only one CQE is posted for a TSO packet. Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller drivers/net/ethernet/cavium/thunder/nic.h | 1 + drivers/net/ethernet/cavium/thunder/nicvf_main.c | 20 +++++-- drivers/net/ethernet/cavium/thunder/nicvf_queues.c | 64 +++++++++++++++++++--- 3 files changed, 73 insertions(+), 12 deletions(-) commit 57e81d44b0e1aa4dcb479ff8de8fc34cf635d0e8 Author: Sunil Goutham Date: Tue Aug 30 11:36:26 2016 +0530 net: thunderx: Fix for HW issue while padding TSO packet There is a issue in HW where-in while sending GSO sized pkts as part of TSO, if pkt len falls below configured min packet size i.e 60, NIC will zero PAD packet and also updates IP total length. Hence set this value to lessthan min pkt size of MAC + IP + TCP headers, BGX will anyway do the padding to transmit 64 byte pkt including FCS. Signed-off-by: Sunil Goutham Signed-off-by: David S. Miller drivers/net/ethernet/cavium/thunder/nic_main.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) commit a036244c068612a43fa8c0f33a0eb4daa4d8dba0 Author: Dave Ertman Date: Mon Aug 29 17:38:26 2016 -0700 i40e: Fix kernel panic on enable/disable LLDP If DCB is configured on the link partner switch with an unsupported traffic class configuration (e.g. non-contiguous TCs), the driver is flagging DCB as disabled. But, for future DCB LLDPDUs, the driver was checking if the interface was DCB capable instead of enabled. This was causing a kernel panic when LLDP was enabled/disabled on the link partner switch. This patch corrects the situation by having the LLDP event handler check the correct flag in the pf structure. It also cleans up the setting and clearing of the enabled flag for other checks. Signed-off-by: Dave Ertman Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/i40e/i40e_main.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) commit da29838dcbde86b3bdf3b5702abb5937b4c31d18 Author: Andy Gospodarek Date: Mon Aug 29 16:51:30 2016 -0400 MAINTAINERS: update to working email address Signed-off-by: Andy Gospodarek Signed-off-by: David S. Miller MAINTAINERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a0d4a992f259703fe4ed5c42f1fa3100f2573911 Merge: d2f394d bb87f02 Author: David S. Miller Date: Thu Sep 1 14:11:11 2016 -0700 Merge tag 'wireless-drivers-for-davem-2016-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for 4.8 ath9k * fix regression in client mode beacon configuration * fix a station pointer which resulted in spurious crashes mwifiex * fix large amsdu packets causing firmware hang brcmfmac * fix deadlock when removing interface * fix use of mutex in atomic context ==================== Signed-off-by: David S. Miller commit d2f394dc4816b7bd1b44981d83509f18f19c53f0 Author: Parthasarathy Bhuvaragan Date: Thu Sep 1 16:22:16 2016 +0200 tipc: fix random link resets while adding a second bearer In a dual bearer configuration, if the second tipc link becomes active while the first link still has pending nametable "bulk" updates, it randomly leads to reset of the second link. When a link is established, the function named_distribute(), fills the skb based on node mtu (allows room for TUNNEL_PROTOCOL) with NAME_DISTRIBUTOR message for each PUBLICATION. However, the function named_distribute() allocates the buffer by increasing the node mtu by INT_H_SIZE (to insert NAME_DISTRIBUTOR). This consumes the space allocated for TUNNEL_PROTOCOL. When establishing the second link, the link shall tunnel all the messages in the first link queue including the "bulk" update. As size of the NAME_DISTRIBUTOR messages while tunnelling, exceeds the link mtu the transmission fails (-EMSGSIZE). Thus, the synch point based on the message count of the tunnel packets is never reached leading to link timeout. In this commit, we adjust the size of name distributor message so that they can be tunnelled. Reviewed-by: Jon Maloy Signed-off-by: Parthasarathy Bhuvaragan Signed-off-by: David S. Miller net/tipc/name_distr.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit aabdd09d535073c35f746e46c3a5d3286088be3a Author: Ivan Vecera Date: Thu Sep 1 11:28:59 2016 +0200 tg3: Fix for disallow tx coalescing time to be 0 The recent commit 087d7a8c9174 "tg3: Fix for diasllow rx coalescing time to be 0" disallow to set Rx coalescing time to be 0 as this stops generating interrupts for the incoming packets. I found the zero Tx coalescing time stops generating interrupts for outgoing packets as well and fires Tx watchdog later. To avoid this, don't allow to set Tx coalescing time to 0 and also remove subsequent checks that become senseless. Cc: satish.baddipadige@broadcom.com Cc: siva.kallam@broadcom.com Cc: michael.chan@broadcom.com Signed-off-by: Ivan Vecera Acked-by: Siva Reddy Kallam Acked-by: Michael Chan Signed-off-by: David S. Miller drivers/net/ethernet/broadcom/tg3.c | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) commit 561ed23331dfefea4c8eec616463ee4d0c8fa4b7 Author: Wu Fengguang Date: Thu Sep 1 14:45:12 2016 +0800 qed: fix kzalloc-simple.cocci warnings drivers/net/ethernet/qlogic/qed/qed_dcbx.c:1230:13-20: WARNING: kzalloc should be used for dcbx_info, instead of kmalloc/memset drivers/net/ethernet/qlogic/qed/qed_dcbx.c:1192:13-20: WARNING: kzalloc should be used for dcbx_info, instead of kmalloc/memset Use kzalloc rather than kmalloc followed by memset with 0 This considers some simple cases that are common and easy to validate Note in particular that there are no ...s in the rule, so all of the matched code has to be contiguous Generated by: scripts/coccinelle/api/alloc/kzalloc-simple.cocci CC: Sudarsana Reddy Kalluru Signed-off-by: Fengguang Wu Acked-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) commit cb849e3041e4238d2593b2a565a24757736b79fc Merge: c380428 aad8b6b Author: David S. Miller Date: Thu Sep 1 09:44:57 2016 -0700 Merge branch 'mlxsw-fixes' Jiri Pirko says: ==================== mlxsw: couple of fixes Couple of fixes from Ido and myself. ==================== Signed-off-by: David S. Miller commit aad8b6bae7c63fcf860c4c7ce693cb8ac5d4a511 Author: Ido Schimmel Date: Thu Sep 1 10:37:45 2016 +0200 mlxsw: spectrum: Use existing flood setup when adding VLANs When a VLAN is added on a bridge port we should use the existing unicast flood configuration of the port instead of assuming it's enabled. Fixes: 0293038e0c36 ("mlxsw: spectrum: Add support for flood control") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller .../ethernet/mellanox/mlxsw/spectrum_switchdev.c | 25 ++++++++-------------- 1 file changed, 9 insertions(+), 16 deletions(-) commit f1de7a28d53cfde8fa290d6c535eb690a4e1b5d5 Author: Ido Schimmel Date: Thu Sep 1 10:37:44 2016 +0200 mlxsw: spectrum: Don't take multiple references on a FID In commit 14d39461b3f4 ("mlxsw: spectrum: Use per-FID struct for the VLAN-aware bridge") I added a per-FID struct, which member ports can take a reference on upon VLAN membership configuration. However, sometimes only the VLAN flags (e.g. egress untagged) are toggled without changing the VLAN membership. In these cases we shouldn't take another reference on the FID. Fixes: 14d39461b3f4 ("mlxsw: spectrum: Use per-FID struct for the VLAN-aware bridge") Signed-off-by: Ido Schimmel Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_switchdev.c | 3 +++ 1 file changed, 3 insertions(+) commit e73226384948e9b35823150cadd9a3ea4ca9fc97 Author: Jiri Pirko Date: Thu Sep 1 10:37:43 2016 +0200 mlxsw: spectrum_router: Fix netevent notifier registration Currently the notifier is registered for every asic instance, however the same block. Fix this by moving the registration to module init. Fixes: c723c735fa6b ("mlxsw: spectrum_router: Periodically update the kernel's neigh table") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 9 +++++++++ drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 2 ++ drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 17 ++--------------- 3 files changed, 13 insertions(+), 15 deletions(-) commit de7d62952b01755f9885bbe945b141d9d4338e55 Author: Jiri Pirko Date: Thu Sep 1 10:37:42 2016 +0200 mlxsw: spectrum: Fix error path in mlxsw_sp_module_init Add forgotten notifier unregister. Fixes: 99724c18fc66 ("mlxsw: spectrum: Introduce support for router interfaces") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 1 + 1 file changed, 1 insertion(+) commit 7146da31817aa21b19d7a01e95b94686c3f4bd97 Author: Jiri Pirko Date: Thu Sep 1 10:37:41 2016 +0200 mlxsw: spectrum_router: Fix fib entry update path Originally, I expected that there would be needed to call update operation in case RALUE record action is changed. However, that is not needed since write operation takes care of that nicely. Remove prepared construct and always call the write operation. Fixes: 61c503f976b5 ("mlxsw: spectrum_router: Implement fib4 add/del switchdev obj ops") Signed-off-by: Jiri Pirko Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit 5b004412e2b7894105ea6043d380b7ab21f244ef Author: Jiri Pirko Date: Thu Sep 1 10:37:40 2016 +0200 mlxsw: spectrum_router: Fix failure caused by double fib removal from HW In mlxsw we squash tables 254 and 255 together into HW. Kernel adds/dels /32 ip to/from both 254 and 255. On del path, that causes the same prefix being removed twice. Fix this by introducing reference counting for private mlxsw fib entries. That required a bit of code reshuffle. Also put dev into fib entry key so the same prefix could be represented once per every router interface. Fixes: 61c503f976b5 ("mlxsw: spectrum_router: Implement fib4 add/del switchdev obj ops") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller .../net/ethernet/mellanox/mlxsw/spectrum_router.c | 126 +++++++++++++++------ 1 file changed, 92 insertions(+), 34 deletions(-) commit e0af24849efb0eea572cf22d22bb65d164cb8a6f Author: Wang Xiaoguang Date: Wed Aug 31 19:46:16 2016 +0800 btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket() If can_overcommit() in btrfs_calc_reclaim_metadata_size() returns true, btrfs_async_reclaim_metadata_space() will not reclaim metadata space, just return directly and also forget to wake up process which are waiting for their tickets, so these processes will wait endlessly. Fstests case generic/172 with mount option "-o compress=lzo" have revealed this bug in my test machine. Here if we have tickets to handle, we must handle them first. Signed-off-by: Wang Xiaoguang Reviewed-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/extent-tree.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit a9b1fc851db054ddec703dc7951ed00620600b26 Author: Liu Bo Date: Wed Aug 31 16:43:33 2016 -0700 Btrfs: fix endless loop in balancing block groups Qgroup function may overwrite the saved error 'err' with 0 in case quota is not enabled, and this ends up with a endless loop in balance because we keep going back to balance the same block group. It really should use 'ret' instead. Signed-off-by: Liu Bo Reviewed-by: Qu Wenruo Signed-off-by: David Sterba fs/btrfs/relocation.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit 3dc09ec895f098cedd789a620c90ff1bf7f779a1 Author: Josef Bacik Date: Wed Aug 24 11:57:52 2016 -0400 Btrfs: kill invalid ASSERT() in process_all_refs() Suppose you have the following tree in snap1 on a file system mounted with -o inode_cache so that inode numbers are recycled └── [ 258] a └── [ 257] b and then you remove b, rename a to c, and then re-create b in c so you have the following tree └── [ 258] c └── [ 257] b and then you try to do an incremental send you will hit ASSERT(pending_move == 0); in process_all_refs(). This is because we assume that any recycling of inodes will not have a pending change in our path, which isn't the case. This is the case for the DELETE side, since we want to remove the old file using the old path, but on the create side we could have a pending move and need to do the normal pending rename dance. So remove this ASSERT() and put a comment about why we ignore pending_move. Thanks, Signed-off-by: Josef Bacik Signed-off-by: David Sterba fs/btrfs/send.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit a9840c46ff9bb845d62d6f9592ab76c0e531c8f4 Merge: bb87f02 a904a08 Author: Kalle Valo Date: Thu Sep 1 17:11:42 2016 +0300 Merge tag 'iwlwifi-for-kalle-2016-08-29' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes * Fix P2P dump trigger * Prevent a potential null dereference in iwlmvm * Prevent an uninitialized value from being returned in iwlmvm * Advertise support for channel width change in AP mode commit 6af7e4f77259ee946103387372cb159f2e99a6d4 Author: Bjorn Helgaas Date: Thu Sep 1 08:52:29 2016 -0500 PCI: Mark Haswell Power Control Unit as having non-compliant BARs The Haswell Power Control Unit has a non-PCI register (CONFIG_TDP_NOMINAL) where BAR 0 is supposed to be. This is erratum HSE43 in the spec update referenced below: The PCIe* Base Specification indicates that Configuration Space Headers have a base address register at offset 0x10. Due to this erratum, the Power Control Unit's CONFIG_TDP_NOMINAL CSR (Bus 1; Device 30; Function 3; Offset 0x10) is located where a base register is expected. Mark the PCU as having non-compliant BARs so we don't try to probe any of them. There are no other BARs on this device. Rename the quirk so it's not Broadwell-specific. Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-spec-update.html Link: http://www.intel.com/content/www/us/en/processors/xeon/xeon-e5-v3-datasheet-vol-2.html (section 5.4, Device 30 Function 3) Link: https://bugzilla.kernel.org/show_bug.cgi?id=153881 Reported-by: Paul Menzel Tested-by: Prarit Bhargava Signed-off-by: Bjorn Helgaas Acked-by: Myron Stowe arch/x86/pci/fixup.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) commit 026e5e0cc12474495515275d9c176ef823238c70 Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: update doc Some of the documented quirks no longer apply. Signed-off-by: Miklos Szeredi Documentation/filesystems/overlayfs.txt | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 7cb35119d067191ce9ebc380a599db0b03cbd9d9 Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: listxattr: use strnlen() Be defensive about what underlying fs provides us in the returned xattr list buffer. If it's not properly null terminated, bail out with a warning insead of BUG. Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/inode.c | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) commit 0eb45fc3bb7a2cf9c9c93d9e95986a841e5f4625 Author: Andreas Gruenbacher Date: Mon Aug 22 17:52:55 2016 +0200 ovl: Switch to generic_getxattr Now that overlayfs has xattr handlers for iop->{set,remove}xattr, use those same handlers for iop->getxattr as well. Signed-off-by: Andreas Gruenbacher Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 2 +- fs/overlayfs/inode.c | 11 ++++------- fs/overlayfs/overlayfs.h | 4 ++-- fs/overlayfs/super.c | 26 ++++++++++++++++++++++++++ 4 files changed, 33 insertions(+), 10 deletions(-) commit ce31513a9114f74fe3e9caa6534d201bdac7238d Author: Miklos Szeredi Date: Thu Sep 1 11:12:00 2016 +0200 ovl: copyattr after setting POSIX ACL Setting POSIX acl may also modify the file mode, so need to copy that up to the overlay inode. Reported-by: Eryu Guan Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) commit 0e585ccc13b3edbb187fb4f1b7cc9397f17d64a9 Author: Andreas Gruenbacher Date: Mon Aug 22 17:22:11 2016 +0200 ovl: Switch to generic_removexattr Commit d837a49bd57f ("ovl: fix POSIX ACL setting") switches from iop->setxattr from ovl_setxattr to generic_setxattr, so switch from ovl_removexattr to generic_removexattr as well. As far as permission checking goes, the same rules should apply in either case. While doing that, rename ovl_setxattr to ovl_xattr_set to indicate that this is not an iop->setxattr implementation and remove the unused inode argument. Move ovl_other_xattr_set above ovl_own_xattr_set so that they match the order of handlers in ovl_xattr_handlers. Signed-off-by: Andreas Gruenbacher Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 2 +- fs/overlayfs/inode.c | 65 ++++++++++++++++-------------------------------- fs/overlayfs/overlayfs.h | 6 ++--- fs/overlayfs/super.c | 18 +++++++------- 4 files changed, 33 insertions(+), 58 deletions(-) commit 0c97be22f928b85110504c4bbb8574facb4bd0c0 Author: Andreas Gruenbacher Date: Mon Aug 22 16:36:49 2016 +0200 ovl: Get rid of ovl_xattr_noacl_handlers array Use an ordinary #ifdef to conditionally include the POSIX ACL handlers in ovl_xattr_handlers, like the other filesystems do. Flag the code that is now only used conditionally with __maybe_unused. Signed-off-by: Andreas Gruenbacher Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) commit fe2b75952347762a21f67d9df1199137ae5988b2 Author: Andreas Gruenbacher Date: Mon Aug 22 17:59:22 2016 +0200 ovl: Fix OVL_XATTR_PREFIX Make sure ovl_own_xattr_handler only matches attribute names starting with "overlay.", not "overlayXXX". Signed-off-by: Andreas Gruenbacher Fixes: d837a49bd57f ("ovl: fix POSIX ACL setting") Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 5 ++--- fs/overlayfs/overlayfs.h | 4 ++-- 2 files changed, 4 insertions(+), 5 deletions(-) commit fd36570a8805f39b40a0ebde19b08603aa201d17 Author: Colin Ian King Date: Thu Aug 18 16:58:35 2016 +0100 ovl: fix spelling mistake: "directries" -> "directories" Trivial fix to spelling mistake in pr_err message. Signed-off-by: Colin Ian King Signed-off-by: Miklos Szeredi fs/overlayfs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 2a3a2a3f35249412e35fbb48b743348c40373409 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: don't cache acl on overlay layer Some operations (setxattr/chmod) can make the cached acl stale. We either need to clear overlay's acl cache for the affected inode or prevent acl caching on the overlay altogether. Preventing caching has the following advantages: - no double caching, less memory used - overlay cache doesn't go stale when fs clears it's own cache Possible disadvantage is performance loss. If that becomes a problem get_acl() can be optimized for overlayfs. This patch disables caching by pre setting i_*acl to a value that - has bit 0 set, so is_uncached_acl() will return true - is not equal to ACL_NOT_CACHED, so get_acl() will not overwrite it The constant -3 was chosen for this purpose. Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes") Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 3 +++ include/linux/fs.h | 1 + 2 files changed, 4 insertions(+) commit 5201dc449e4b6b6d7e92f7f974269b11681f98b5 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: use cached acl on underlying layer Instead of calling ->get_acl() directly, use get_acl() to get the cached value. We will have the acl cached on the underlying inode anyway, because we do permission checking on the both the overlay and the underlying fs. So, since we already have double caching, this improves performance without any cost. Signed-off-by: Miklos Szeredi fs/overlayfs/inode.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit eea2fb4851e9dcbab6b991aaf47e2e024f1f55a0 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: proper cleanup of workdir When mounting overlayfs it needs a clean "work" directory under the supplied workdir. Previously the mount code removed this directory if it already existed and created a new one. If the removal failed (e.g. directory was not empty) then it fell back to a read-only mount not using the workdir. While this has never been reported, it is possible to get a non-empty "work" dir from a previous mount of overlayfs in case of crash in the middle of an operation using the work directory. In this case the left over state should be discarded and the overlay filesystem will be consistent, guaranteed by the atomicity of operations on moving to/from the workdir to the upper layer. This patch implements cleaning out any files left in workdir. It is implemented using real recursion for simplicity, but the depth is limited to 2, because the worst case is that of a directory containing whiteouts under "work". Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/overlayfs.h | 2 ++ fs/overlayfs/readdir.c | 63 +++++++++++++++++++++++++++++++++++++++++++++++- fs/overlayfs/super.c | 2 +- 3 files changed, 65 insertions(+), 2 deletions(-) commit c11b9fdd6a612f376a5e886505f1c54c16d8c380 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: remove posix_acl_default from workdir Clear out posix acl xattrs on workdir and also reset the mode after creation so that an inherited sgid bit is cleared. Signed-off-by: Miklos Szeredi Cc: fs/overlayfs/super.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) commit 38b256973ea90fc7c2b7e1b734fa0e8b83538d50 Author: Miklos Szeredi Date: Thu Sep 1 11:11:59 2016 +0200 ovl: handle umask and posix_acl_default correctly on creation Setting MS_POSIXACL in sb->s_flags has the side effect of passing mode to create functions without masking against umask. Another problem when creating over a whiteout is that the default posix acl is not inherited from the parent dir (because the real parent dir at the time of creation is the work directory). Fix these problems by: a) If upper fs does not have MS_POSIXACL, then mask mode with umask. b) If creating over a whiteout, call posix_acl_create() to get the inherited acls. After creation (but before moving to the final destination) set these acls on the created file. posix_acl_create() also updates the file creation mode as appropriate. Fixes: 39a25b2b3762 ("ovl: define ->get_acl() for overlay inodes") Signed-off-by: Miklos Szeredi fs/overlayfs/dir.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) commit c3804289c90c1c88e447991c4c06cff6acdee7bc Merge: c0338af c5e801d Author: David S. Miller Date: Wed Aug 31 21:03:47 2016 -0700 Merge branch 'qed-fixes' Sudarsana Reddy Kalluru says: ==================== qed*: dcbx fix series. The series contains several small fixes for qed* dcbx module. ==================== Signed-off-by: David S. Miller commit c5e801dac4daff972013613ae3edae6668b2aa7c Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:54 2016 -0400 qed: Clear dcbx memory buffers before the usage. This patch takes care of clearing the uninitialized buffer before using it. 1. pfc pri-enable bitmap need to be cleared before setting the requested enable bits. Without this, the un-touched values will be merged with requested values and sent to MFW. 2. The data in app-entry field need to be cleared before using it. 3. Clear the output data buffer used in qed_dcbx_query_params(). Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 ++++ 1 file changed, 4 insertions(+) commit 5ec5dfa4d29448002bb05018ba12620e7fafffd1 Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:53 2016 -0400 qed: Set selection-field while configuring the app entry in ieee mode. Management firmware requires the selection-field (SF) to be set for configuring the application/protocol entry in IEEE mode. Without this setting, the app entry will be configured incorrectly in MFW. Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) commit 5fe118c9fd6b8e129788c88a10ac0af82b255f81 Author: Sudarsana Reddy Kalluru Date: Mon Aug 29 08:29:52 2016 -0400 qed*: Disallow dcbx configuration for VF interfaces. Dcbx configuration is not supported for VF interfaces. Hence don't populate the callbacks for VFs and also fail the dcbx-query for VFs. Signed-off-by: Sudarsana Reddy Kalluru Signed-off-by: Yuval Mintz Signed-off-by: David S. Miller drivers/net/ethernet/qlogic/qed/qed_dcbx.c | 4 ++++ drivers/net/ethernet/qlogic/qede/qede_main.c | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) commit c0338aff2260ea6c092806312dbb154cec07a242 Author: WANG Cong Date: Sun Aug 28 21:28:26 2016 -0700 kcm: fix a socket double free Dmitry reported a double free on kcm socket, which could be easily reproduced by: #include #include int main() { int fd = syscall(SYS_socket, 0x29ul, 0x5ul, 0x0ul, 0, 0, 0); syscall(SYS_ioctl, fd, 0x89e2ul, 0x20a98000ul, 0, 0, 0); return 0; } This is because on the error path, after we install the new socket file, we call sock_release() to clean up the socket, which leaves the fd pointing to a freed socket. Fix this by calling sys_close() on that fd directly. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Reported-by: Dmitry Vyukov Cc: Tom Herbert Signed-off-by: Cong Wang Signed-off-by: David S. Miller net/kcm/kcmsock.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3b631e52f7c741a1813b6fc631acca25591972a4 Merge: 9264251 aa6e8a5 Author: David S. Miller Date: Wed Aug 31 20:53:49 2016 -0700 Merge branch 'mediatek-fixes' Sean Wang says: ==================== net: ethernet: mediatek: a couple of fixes a couple of fixes come out from integrating with linux-4.8 rc1 they all are verified and workable on linux-4.8 rc1 Changes since v1: - usage of loops to work out if all required clock are ready instead of tedious coding - remove redundant pinctrl setup that is already done by core driver thanks for careful and patient reviewing by Andrew Lunn - splitting distinct changes into the separate patches - change variable naming from err to ret for readable coding Changes since v2: - restore to original clock disabling sequence that is changed accidentally in the last version - refine the commit log that would cause misunderstanding what has been done in the changes - refine the commit log that would cause footnote losing due to improper delimiter use Changes since v3: - fix git rejects caused by mixing a change from net-next, so remake the patch set based on the current net branch again. ==================== Signed-off-by: David S. Miller commit aa6e8a54f653daaf34ff7fdceb2d992d714eea7c Author: Sean Wang Date: Thu Sep 1 10:47:35 2016 +0800 net: ethernet: mediatek: fix error handling inside mtk_mdio_init Return -ENODEV if the MDIO bus is disabled in the device tree. Signed-off-by: Sean Wang Acked-by: John Crispin Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1e515b7fdbaeef29b1025c09b50ebbb132a39208 Author: Sean Wang Date: Thu Sep 1 10:47:34 2016 +0800 net: ethernet: mediatek: use devm_mdiobus_alloc instead of mdiobus_alloc inside mtk_mdio_init a lot of parts in the driver uses devm_* APIs to gain benefits from the device resource management, so devm_mdiobus_alloc is also used instead of mdiobus_alloc to have more elegant code flow. Using common code provided by the devm_* helps to 1) have simplified the code flow as [1] says 2) decrease the risk of incorrect error handling by human 3) only a few drivers used it since it was proposed on linux 3.16, so just hope to promote for this. Ref: [1] https://patchwork.ozlabs.org/patch/344093/ Signed-off-by: Sean Wang Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 23 ++++++----------------- 1 file changed, 6 insertions(+), 17 deletions(-) commit b5776f01bf1f36a6c89c6dc407dda6509002e0d7 Author: Sean Wang Date: Thu Sep 1 10:47:33 2016 +0800 net: ethernet: mediatek: fix the missing of_node_put() after node is used done inside mtk_mdio_init This patch adds the missing of_node_put() after finishing the usage of of_get_child_by_name. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 1 + 1 file changed, 1 insertion(+) commit 79e9a41438527a4cc2b426a2dfb92cd0825d7d29 Author: Sean Wang Date: Thu Sep 1 10:47:32 2016 +0800 net: ethernet: mediatek: fix issue of driver removal with interface is up mtk_stop() must be called to stop for freeing DMA resources acquired and restoring state changed by mtk_open() firstly when module removal. Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 8 ++++++++ 1 file changed, 8 insertions(+) commit 7c6b0d76fa02213393815e3b6d5e4a415bf3f0e2 Author: Sean Wang Date: Thu Sep 1 10:47:31 2016 +0800 net: ethernet: mediatek: fix logic unbalance between probe and remove original mdio_cleanup is not in the symmetric place against where mdio_init is, so relocate mdio_cleanup to the right one. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d3bd1ce4db8e843dce421e2f8f123e5251a9c7d3 Author: Sean Wang Date: Thu Sep 1 10:47:30 2016 +0800 net: ethernet: mediatek: remove redundant free_irq for devm_request_irq allocated irq these irqs are not used for shared irq and disabled during ethernet stops. irq requested by devm_request_irq is safe to be freed automatically on driver detach. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 -- 1 file changed, 2 deletions(-) commit 1b43079906367d4d6e1ad00f04fff525a32e26c4 Author: Sean Wang Date: Thu Sep 1 10:47:29 2016 +0800 net: ethernet: mediatek: fix API usage with skb_free_frag use skb_free_frag() instead of legacy put_page() Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 549e5495467ac2a76489f1304e2b4a7ad85e1644 Author: Sean Wang Date: Thu Sep 1 10:47:28 2016 +0800 net: ethernet: mediatek: fix incorrect return value of devm_clk_get with EPROBE_DEFER 1) If the return value of devm_clk_get is EPROBE_DEFER, we should defer probing the driver. The change is verified and works based on 4.8-rc1 staying with the latest clk-next code for MT7623. 2) Changing with the usage of loops to work out if all clocks required are fine Signed-off-by: Sean Wang Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 39 ++++++++++++++++------------- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 22 ++++++++++------ 2 files changed, 36 insertions(+), 25 deletions(-) commit c6f1dc4d9ce275c1bd9d90b5630f36ca6abccc97 Author: Sean Wang Date: Thu Sep 1 10:47:27 2016 +0800 net: ethernet: mediatek: fix fails from TX housekeeping due to incorrect port setup which net device the SKB is complete for depends on the forward port on txd4 on the corresponding TX descriptor, but the information isn't set up well in case of SKB fragments that would lead to watchdog timeout from the upper layer, so fix it up. Signed-off-by: Sean Wang Acked-by: John Crispin Signed-off-by: David S. Miller drivers/net/ethernet/mediatek/mtk_eth_soc.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 27dd73503f690ee3593a2e73a1b1864860e7f7b0 Merge: 8509eb1 d78d383 Author: Dave Airlie Date: Thu Sep 1 06:34:09 2016 +1000 Merge branch 'msm-fixes-4.8' of git://people.freedesktop.org/~robclark/linux into drm-fixes copy from user fixes. * 'msm-fixes-4.8' of git://people.freedesktop.org/~robclark/linux: drm/msm: protect against faults from copy_from_user() in submit ioctl drm/msm: fix use of copy_from_user() while holding spinlock commit 5efc244346f9f338765da3d592f7947b0afdc4b5 Author: Mateusz Guzik Date: Tue Aug 23 16:20:39 2016 +0200 audit: fix exe_file access in audit_exe_compare Prior to the change the function would blindly deference mm, exe_file and exe_file->f_inode, each of which could have been NULL or freed. Use get_task_exe_file to safely obtain stable exe_file. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Cc: # 4.3.x Signed-off-by: Paul Moore kernel/audit_watch.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) commit cd81a9170e69e018bbaba547c1fd85a585f5697a Author: Mateusz Guzik Date: Tue Aug 23 16:20:38 2016 +0200 mm: introduce get_task_exe_file For more convenient access if one has a pointer to the task. As a minor nit take advantage of the fact that only task lock + rcu are needed to safely grab ->exe_file. This saves mm refcount dance. Use the helper in proc_exe_link. Signed-off-by: Mateusz Guzik Acked-by: Konstantin Khlebnikov Acked-by: Richard Guy Briggs Cc: # 4.3.x Signed-off-by: Paul Moore fs/proc/base.c | 7 +------ include/linux/mm.h | 1 + kernel/fork.c | 23 +++++++++++++++++++++++ 3 files changed, 25 insertions(+), 6 deletions(-) commit 8509eb19618c050b017a3da7f6dd3180106cdf32 Merge: 279cf3f 1f703e6 Author: Dave Airlie Date: Thu Sep 1 06:03:35 2016 +1000 Merge branch 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux into drm-fixes Fixes for 4.8: - 2 CI S4 fixes - error handling fix * 'drm-fixes-4.8' of git://people.freedesktop.org/~agd5f/linux: drm/amdgpu: record error code when ring test failed drm/amd/amdgpu: compute ring test fail during S4 on CI drm/amd/amdgpu: sdma resume fail during S4 on CI commit 1f703e6679f373f5bba4efe7093aa82e91af4037 Author: Chunming Zhou Date: Tue Aug 30 17:59:11 2016 +0800 drm/amdgpu: record error code when ring test failed Otherwise we may miss errors. Signed-off-by: Chunming Zhou Reviewed-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/amdgpu_ib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 53960b4f89db58bc155d6f8aa0a44ccc59ccb26f Author: jimqu Date: Tue Aug 30 09:03:16 2016 +0800 drm/amd/amdgpu: compute ring test fail during S4 on CI unhalt Instrction Fetch Unit after all rings are inited. Signed-off-by: JimQu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/gfx_v7_0.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) commit 10ea9434065e56fe14287f89258ecf2fb684ed1a Author: jimqu Date: Tue Aug 30 08:59:42 2016 +0800 drm/amd/amdgpu: sdma resume fail during S4 on CI SDMA could be fail in the thaw() and restore() processes, do software reset if each SDMA engine is busy. Signed-off-by: JimQu Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org drivers/gpu/drm/amd/amdgpu/cik_sdma.c | 3 +++ 1 file changed, 3 insertions(+) commit 071e31e254e0e0c438eecba3dba1d6e2d0da36c2 Merge: 9f834ec 901d3d4 Author: Linus Torvalds Date: Wed Aug 31 09:42:14 2016 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes the following issues: - Kconfig problem that prevented mxc-rnga from being enabled - bogus key sizes in qat aes-xts - buggy aes-xts code in vmx" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: vmx - fix null dereference in p8_aes_xts_crypt crypto: qat - fix aes-xts key sizes hwrng: mxc-rnga - Fix Kconfig dependency commit 9264251ee2a55bce8fb93826b3f581fb9eb7e2c2 Author: Davide Caratti Date: Wed Aug 31 14:16:44 2016 +0200 bridge: re-introduce 'fix parsing of MLDv2 reports' commit bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") seems to have accidentally reverted commit 47cc84ce0c2f ("bridge: fix parsing of MLDv2 reports"). This commit brings back a change to br_ip6_multicast_mld2_report() where parsing of MLDv2 reports stops when the first group is successfully added to the MDB cache. Fixes: bc8c20acaea1 ("bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave") Signed-off-by: Davide Caratti Acked-by: Nikolay Aleksandrov Acked-by: Thadeu Lima de Souza Cascardo Signed-off-by: David S. Miller net/bridge/br_multicast.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9f834ec18defc369d73ccf9e87a2790bfa05bf46 Author: Linus Torvalds Date: Mon Aug 22 16:41:46 2016 -0700 binfmt_elf: switch to new creds when switching to new mm We used to delay switching to the new credentials until after we had mapped the executable (and possible elf interpreter). That was kind of odd to begin with, since the new executable will actually then _run_ with the new creds, but whatever. The bigger problem was that we also want to make sure that we turn off prof events and tracing before we start mapping the new executable state. So while this is a cleanup, it's also a fix for a possible information leak. Reported-by: Robert Święcki Tested-by: Peter Zijlstra Acked-by: David Howells Acked-by: Oleg Nesterov Acked-by: Andy Lutomirski Acked-by: Eric W. Biederman Cc: Willy Tarreau Cc: Kees Cook Cc: Al Viro Signed-off-by: Linus Torvalds fs/binfmt_elf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit ad5b0f7685dbfc4730987cd16af3c5ebe8133f10 Author: Shaohua Li Date: Tue Aug 30 10:29:33 2016 -0700 raid5: guarantee enough stripes to avoid reshape hang If there aren't enough stripes, reshape will hang. We have a check for this in new reshape, but miss it for reshape resume, hence we could see hang in reshape resume. This patch forces enough stripes existed if reshape resumes. Reviewed-by: NeilBrown Signed-off-by: Shaohua Li drivers/md/raid5.c | 10 ++++++++++ 1 file changed, 10 insertions(+) commit 8e018c21da3febb558586b48c8db0d6d66cb6593 Author: Shaohua Li Date: Thu Aug 25 10:09:39 2016 -0700 raid5-cache: fix a deadlock in superblock write There is a potential deadlock in superblock write. Discard could zero data, so before discard we must make sure superblock is updated to new log tail. Updating superblock (either directly call md_update_sb() or depend on md thread) must hold reconfig mutex. On the other hand, raid5_quiesce is called with reconfig_mutex hold. The first step of raid5_quiesce() is waitting for all IO finish, hence waitting for reclaim thread, while reclaim thread is calling this function and waitting for reconfig mutex. So there is a deadlock. We workaround this issue with a trylock. The downside of the solution is we could miss discard if we can't take reconfig mutex. But this should happen rarely (mainly in raid array stop), so miss discard shouldn't be a big problem. Cc: NeilBrown Signed-off-by: Shaohua Li drivers/md/raid5-cache.c | 46 +++++++++++++++------------------------------- 1 file changed, 15 insertions(+), 31 deletions(-) commit 8b18e2359aff2ab810aba84cebffc9da07fef78f Author: Horia Geantă Date: Mon Aug 29 14:52:14 2016 +0300 crypto: caam - fix IV loading for authenc (giv)decryption For algorithms that implement IV generators before the crypto ops, the IV needed for decryption is initially located in req->src scatterlist, not in req->iv. Avoid copying the IV into req->iv by modifying the (givdecrypt) descriptors to load it directly from req->src. aead_givdecrypt() is no longer needed and goes away. Cc: # 4.3+ Fixes: 479bcc7c5b9e ("crypto: caam - Convert authenc to new AEAD interface") Signed-off-by: Horia Geantă Signed-off-by: Herbert Xu drivers/crypto/caam/caamalg.c | 77 +++++++++++++++++++++---------------------- 1 file changed, 37 insertions(+), 40 deletions(-) commit 31bd44e7687be8a70e1e744e5cb84974b798d568 Author: Herbert Xu Date: Thu Aug 25 16:49:51 2016 +0800 crypto: cryptd - Use correct tfm object for AEAD tracking The AEAD code path incorrectly uses the child tfm to track the cryptd refcnt, and then potentially frees the child tfm. Fixes: 81760ea6a95a ("crypto: cryptd - Add helpers to check...") Reported-by: Sowmini Varadhan Signed-off-by: Herbert Xu crypto/cryptd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit c8d192428f52f244130b84650ad616df09f2b1e1 Author: Jimi Damon Date: Wed Jul 20 17:00:40 2016 -0700 serial: 8250: added acces i/o products quad and octal serial cards Added devices ids for acces i/o products quad and octal serial cards that make use of existing Pericom PI7C9X7954 and PI7C9X7958 configurations . Signed-off-by: Jimi Damon Cc: stable Signed-off-by: Greg Kroah-Hartman drivers/tty/serial/8250/8250_pci.c | 139 +++++++++++++++++++++++++++++++++++++ 1 file changed, 139 insertions(+) commit 6b1ca4bcadf9ef077cc5f03c6822ba276ed14902 Author: Takashi Sakamoto Date: Wed Aug 31 22:58:42 2016 +0900 ALSA: fireworks: accessing to user space outside spinlock In hwdep interface of fireworks driver, accessing to user space is in a critical section with disabled local interrupt. Depending on architecture, accessing to user space can cause page fault exception. Then local processor stores machine status and handles the synchronous event. A handler corresponding to the event can call task scheduler to wait for preparing pages. In a case of usage of single core processor, the state to disable local interrupt is worse because it don't handle usual interrupts from hardware. This commit fixes this bug, performing the accessing outside spinlock. This commit also gives up counting the number of queued response messages to simplify ring-buffer management. Reported-by: Vaishali Thakkar Cc: stable@vger.kernel.org Fixes: 555e8a8f7f14('ALSA: fireworks: Add command/response functionality into hwdep interface') Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai sound/firewire/fireworks/fireworks.h | 1 - sound/firewire/fireworks/fireworks_hwdep.c | 71 +++++++++++++++++------- sound/firewire/fireworks/fireworks_proc.c | 4 +- sound/firewire/fireworks/fireworks_transaction.c | 5 +- 4 files changed, 56 insertions(+), 25 deletions(-) commit 47b34d2ef266e2c283b514d65c8963c2ccd42474 Author: Andy Shevchenko Date: Fri Jul 1 17:21:49 2016 +0300 serial: 8250_mid: fix divide error bug if baud rate is 0 Since the commit c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID"), the 8250 driver crashes in the byt_set_termios() function with a divide error. This is caused by the fact that a baud rate of 0 (B0) is not handled properly. Fix it by falling back to B9600 in this case. Reported-by: "Mendez Salinas, Fernando" Fixes: c1a67b48f6a5 ("serial: 8250_pci: replace switch-case by formula for Intel MID") Cc: stable@vger.kernel.org Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman drivers/tty/serial/8250/8250_mid.c | 3 +++ 1 file changed, 3 insertions(+) commit 5db4f7f80d165fc9725f356e99feec409e446baa Author: Andy Shevchenko Date: Tue Aug 16 15:06:54 2016 +0300 Revert "tty/serial/8250: use mctrl_gpio helpers" Serial console is broken in v4.8-rcX. Mika and I independently bisected down to commit 4ef03d328769 ("tty/serial/8250: use mctrl_gpio helpers"). Since neither author nor anyone else didn't propose a solution we better revert it for now. This reverts commit 4ef03d328769eddbfeca1f1c958fdb181a69c341. Link: https://lkml.kernel.org/r/20160809130229.GN1729@lahna.fi.intel.com Signed-off-by: Andy Shevchenko Tested-by: Heikki Krogerus Tested-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman Documentation/devicetree/bindings/serial/8250.txt | 19 ------------ drivers/tty/serial/8250/8250.h | 35 +---------------------- drivers/tty/serial/8250/8250_core.c | 9 ------ drivers/tty/serial/8250/8250_omap.c | 31 +++++++++----------- drivers/tty/serial/8250/8250_port.c | 7 +---- drivers/tty/serial/8250/Kconfig | 1 - include/linux/serial_8250.h | 1 - 7 files changed, 15 insertions(+), 88 deletions(-) commit 17d0774f80681020eccc9638d925a23f1fc4f671 Author: Konstantin Khlebnikov Date: Wed Jun 22 21:42:16 2016 +0300 sysfs: correctly handle read offset on PREALLOC attrs Attributes declared with __ATTR_PREALLOC use sysfs_kf_read() which returns zero bytes for non-zero offset. This breaks script checkarray in mdadm tool in debian where /bin/sh is 'dash' because its builtin 'read' reads only one byte at a time. Script gets 'i' instead of 'idle' when reads current action from /sys/block/$dev/md/sync_action and as a result does nothing. This patch adds trivial implementation of partial read: generate whole string and move required part into buffer head. Signed-off-by: Konstantin Khlebnikov Fixes: 4ef67a8c95f3 ("sysfs/kernfs: make read requests on pre-alloc files use the buffer.") Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787950 Cc: Stable # v3.19+ Acked-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman fs/sysfs/file.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) commit 96b0af4b729cabd44e237c5a6b9bd4e0ea4ed457 Author: Martin Fuzzey Date: Fri May 20 14:23:38 2016 +0200 documentation: drivers/core/of: fix name of of_node symlink commit 5590f3196b29 ("drivers/core/of: Add symlink to device-tree from devices with an OF node") added a symlink called "of_node" to sysfs however the documentation describes it as "of_path". Fix the documentation to match what the code actually does. Signed-off-by: Martin Fuzzey Acked-by: Rob Herring Signed-off-by: Greg Kroah-Hartman Documentation/ABI/stable/sysfs-devices | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit df6a58c5c5aa8ecb1e088ecead3fa33ae70181f1 Author: Tejun Heo Date: Fri Jun 17 17:51:17 2016 -0400 kernfs: don't depend on d_find_any_alias() when generating notifications kernfs_notify_workfn() sends out file modified events for the scheduled kernfs_nodes. Because the modifications aren't from userland, it doesn't have the matching file struct at hand and can't use fsnotify_modify(). Instead, it looked up the inode and then used d_find_any_alias() to find the dentry and used fsnotify_parent() and fsnotify() directly to generate notifications. The assumption was that the relevant dentries would have been pinned if there are listeners, which isn't true as inotify doesn't pin dentries at all and watching the parent doesn't pin the child dentries even for dnotify. This led to, for example, inotify watchers not getting notifications if the system is under memory pressure and the matching dentries got reclaimed. It can also be triggered through /proc/sys/vm/drop_caches or a remount attempt which involves shrinking dcache. fsnotify_parent() only uses the dentry to access the parent inode, which kernfs can do easily. Update kernfs_notify_workfn() so that it uses fsnotify() directly for both the parent and target inodes without going through d_find_any_alias(). While at it, supply the target file name to fsnotify() from kernfs_node->name. Signed-off-by: Tejun Heo Reported-by: Evgeny Vereshchagin Fixes: d911d9874801 ("kernfs: make kernfs_notify() trigger inotify events too") Cc: John McCutchan Cc: Robert Love Cc: Eric Paris Cc: stable@vger.kernel.org # v3.16+ Signed-off-by: Greg Kroah-Hartman fs/kernfs/file.c | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) commit 04b2d9c9c319277ad4fbbb71855c256a9f4d5f98 Author: Takashi Sakamoto Date: Wed Aug 31 20:15:32 2016 +0900 ALSA: firewire-tascam: accessing to user space outside spinlock In hwdep interface of firewire-tascam driver, accessing to user space is in a critical section with disabled local interrupt. Depending on architecture, accessing to user space can cause page fault exception. Then local processor stores machine status and handle the synchronous event. A handler corresponding to the event can call task scheduler to wait for preparing pages. In a case of usage of single core processor, the state to disable local interrupt is worse because it doesn't handle usual interrupts from hardware. This commit fixes this bug, by performing the accessing outside spinlock. Reported-by: Vaishali Thakkar Cc: stable@vger.kernel.org Fixes: e5e0c3dd257b('ALSA: firewire-tascam: add hwdep interface') Signed-off-by: Takashi Sakamoto Signed-off-by: Takashi Iwai sound/firewire/tascam/tascam-hwdep.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) commit ccdf3b888d87df1b914fedde91ed1848f0651c65 Author: Lukas Wunner Date: Wed Aug 3 10:44:12 2016 +0200 thunderbolt: Don't declare Falcon Ridge unsupported Falcon Ridge 4C has been supported by the driver from the beginning, Falcon Ridge 2C support was just added. Don't irritate users with a warning declaring the opposite. Signed-off-by: Lukas Wunner Signed-off-by: Andreas Noever Signed-off-by: Greg Kroah-Hartman drivers/thunderbolt/switch.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 82a6a81c2a38aa7a7813a0c532637877773c50ae Author: Xavier Gnata Date: Tue Jul 26 18:40:38 2016 +0200 thunderbolt: Add support for INTEL_FALCON_RIDGE_2C controller. From: Xavier Gnata Add support to INTEL_FALCON_RIDGE_2C controller and corresponding quirk to support suspend/resume. Tested against 4.7 master on a MacBook Air 11" 2015. Signed-off-by: Andreas Noever Reviewed-by: Lukas Wunner Signed-off-by: Greg Kroah-Hartman drivers/pci/quirks.c | 4 ++++ drivers/thunderbolt/nhi.c | 6 ++++++ 2 files changed, 10 insertions(+) commit 25eb7e5c7454c9e8407c5382b9fe32d3b45fe163 Author: Andreas Noever Date: Tue Jul 26 18:40:37 2016 +0200 thunderbolt: Fix resume quirk for Falcon Ridge 4C. The quirk 'quirk_apple_wait_for_thunderbolt' did not fire on Falcon Ridge 4C controllers with subdevice/subvendor set to zero. This lead to lost pci devices on system resume. Older thunderbolt controllers (pre Falcon Ridge) used the same device id for bridges and for the controller. On Apple hardware the subvendor- & subdevice-ids were set for the controller, but not for bridges. So that is what was used to differentiate between the two. Starting with Falcon Ridge bridges and controllers received different device ids. Additionally on some MacBookPro models (but not all) the subvendor/subdevice was zeroed. Starting with a42fb351c (thunderbolt: Allow loading of module on recent Apple MacBooks with thunderbolt 2 controller) the thunderbolt driver binds to all Falcon Ridge 4C controllers (irregardless of subvendor/subdevice). The corresponding quirk was not updated. This commit changes the quirk to check the device class instead of its subvendor-/subdeviceids. This works for all generations of Thunderbolt controllers. Signed-off-by: Andreas Noever Reviewed-by: Lukas Wunner Signed-off-by: Greg Kroah-Hartman drivers/pci/quirks.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) commit c012268b37db6b10b59dac9b7f45956cb9a8bcb2 Author: Michael Ellerman Date: Fri Aug 5 14:25:53 2016 -0700 lkdtm: Mark lkdtm_rodata_do_nothing() notrace lkdtm_rodata_do_nothing() is an empty function which is generated in order to test the non-executability of rodata. Currently if function tracing is enabled then an mcount callsite will be generated for lkdtm_rodata_do_nothing(), and it will appear in the list of available functions for function tracing (available_filter_functions). Given it's purpose purely as a test function, it seems preferable for lkdtm_rodata_do_nothing() to be marked notrace, so it doesn't appear as traceable. This also avoids triggering a linker bug on powerpc: https://sourceware.org/bugzilla/show_bug.cgi?id=20428 When the linker sees code that needs to generate a call stub, eg. a branch to mcount(), it assumes the section is executable and dereferences a NULL pointer leading to a linker segfault. Marking lkdtm_rodata_do_nothing() notrace avoids triggering the bug because the function contains no other function calls. Signed-off-by: Michael Ellerman Signed-off-by: Kees Cook Signed-off-by: Greg Kroah-Hartman drivers/misc/lkdtm_rodata.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4e80ffab0e722911842b59299dbf8033709673e5 Author: Mohammed Shafi Shajakhan Date: Fri Aug 19 13:37:37 2016 +0300 ath10k: Remove driver log suggesting QCA9887 support is experimental Support for QCA9887 is no longer experimental and if there are any issues we need to address them Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath10k/pci.c | 1 - 1 file changed, 1 deletion(-) commit 237e15dfd5d651868726111c3a9d828bec700490 Author: Ashok Raj Nagarajan Date: Fri Aug 19 13:37:37 2016 +0300 ath10k: fix get rx_status from htt context On handling amsdu on rx path, get the rx_status from htt context. Without this fix, we are seeing warnings when running DBDC traffic like this. WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4105 ieee80211_rx_napi+0x88/0x7d8 [mac80211]() [ 1715.878248] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 3.18.21 #1 [ 1715.878273] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 1715.878293] [] (show_stack) from [] (dump_stack+0x70/0xbc) [ 1715.878315] [] (dump_stack) from [] (warn_slowpath_common+0x64/0x88) [ 1715.878339] [] (warn_slowpath_common) from [] (warn_slowpath_null+0x18/0x20) [ 1715.878395] [] (warn_slowpath_null) from [] (ieee80211_rx_napi+0x88/0x7d8 [mac80211]) [ 1715.878474] [] (ieee80211_rx_napi [mac80211]) from [] (ath10k_htt_t2h_msg_handler+0xb48/0xbfc [ath10k_core]) [ 1715.878535] [] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_t2h_msg_handler+0xbf8/0xbfc [ath10k_core]) [ 1715.878597] [] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [] (ath10k_htt_txrx_compl_task+0xa54/0x1170 [ath10k_core]) [ 1715.878639] [] (ath10k_htt_txrx_compl_task [ath10k_core]) from [] (tasklet_action+0xb4/0x130) [ 1715.878659] [] (tasklet_action) from [] (__do_softirq+0xe0/0x210) [ 1715.878678] [] (__do_softirq) from [] (irq_exit+0x84/0xe0) [ 1715.878700] [] (irq_exit) from [] (__handle_domain_irq+0x98/0xd0) [ 1715.878722] [] (__handle_domain_irq) from [] (gic_handle_irq+0x38/0x5c) [ 1715.878741] [] (gic_handle_irq) from [] (__irq_svc+0x40/0x74) [ 1715.878753] Exception stack(0xc05f9f50 to 0xc05f9f98) [ 1715.878767] 9f40: ffffffed 00000000 00399e1e c000a220 [ 1715.878786] 9f60: 00000000 c05f6780 c05f8000 00000000 c05f5db8 ffffffed c05f8000 c04d1980 [ 1715.878802] 9f80: 00000000 c05f9f98 c0018110 c0018114 60000013 ffffffff [ 1715.878822] [] (__irq_svc) from [] (arch_cpu_idle+0x2c/0x50) [ 1715.878844] [] (arch_cpu_idle) from [] (cpu_startup_entry+0x108/0x234) [ 1715.878866] [] (cpu_startup_entry) from [] (start_kernel+0x33c/0x3b8) [ 1715.878879] ---[ end trace 6d5e1cc0fef8ed6a ]--- [ 1715.878899] ------------[ cut here ]------------ Fixes: 18235664e7f9 ("ath10k: cleanup amsdu processing for rx indication") Signed-off-by: Ashok Raj Nagarajan Signed-off-by: Kalle Valo drivers/net/wireless/ath/ath10k/htt_rx.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) commit 279cf3f23870f7eb8ca071115e06d3d5ca0a2b9e Author: Peter Wu Date: Fri Aug 26 01:00:54 2016 +0200 drm/nouveau/acpi: use DSM if bridge does not support D3cold Even if PR3 support is available on the bridge, it will not be used if the PCI layer considers it unavailable (i.e. on all laptops from 2013 and 2014). Ensure that this condition is checked to allow a fallback to the Optimus DSM for device poweroff. Initially I wanted to call pci_d3cold_enable before checking bridge_d3 (in case the user changed d3cold_allowed), but that is such an unlikely case and likely fragile anyway. The current patch is suggested by Mika in http://www.spinics.net/lists/linux-pci/msg52599.html Cc: Mika Westerberg Signed-off-by: Peter Wu Reviewed-by: Mika Westerberg Signed-off-by: Dave Airlie drivers/gpu/drm/nouveau/nouveau_acpi.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit 2df5d103a646998c672a34db74d15613cf7a716d Merge: 1554369 c73c248 Author: David S. Miller Date: Tue Aug 30 22:02:09 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree, they are: 1) Allow nf_tables reject expression from input, forward and output hooks, since only there the routing information is available, otherwise we crash. 2) Fix unsafe list iteration when flushing timeout and accouting objects. 3) Fix refcount leak on timeout policy parsing failure. 4) Unlink timeout object for unconfirmed conntracks too 5) Missing validation of pkttype mangling from bridge family. 6) Fix refcount leak on ebtables on second lookup for the specific bridge match extension, this patch from Sabrina Dubroca. 7) Remove unnecessary ip_hdr() in nf_tables_netdev family. Patches from 1-5 and 7 from Liping Zhang. ==================== Signed-off-by: David S. Miller commit 15543692a010192b4264ade0d45390e8bb3dc639 Merge: e4e98c4 61aaa0e Author: David S. Miller Date: Tue Aug 30 21:34:48 2016 -0700 Merge tag 'mac80211-for-davem-2016-08-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== Three little fixes: * revert a recent wext patch, which Ben Hutchings noticed was wrong, and it turns out not to be necessary for any driver * fix an infinite loop that can occur under certain conditions in mac80211's TDLS code (depending on regulatory information) * add a cfg80211_get_station() static inline when cfg80211 isn't built, to allow other modules to not have to depend on it for it ==================== Signed-off-by: David S. Miller commit d7737ce964d944dd07e25b0f569edcd550ede18c Author: Paul E. McKenney Date: Tue Apr 26 13:03:51 2016 -0700 PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle This commit appends a few _rcuidle suffixes to fix the following RCU-used-from-idle bug: > =============================== > [ INFO: suspicious RCU usage. ] > 4.6.0-rc5-next-20160426+ #1116 Not tainted > ------------------------------- > include/trace/events/rpm.h:95 suspicious rcu_dereference_check() usage! > > other info that might help us debug this: > > > RCU used illegally from idle CPU! > rcu_scheduler_active = 1, debug_locks = 0 > RCU used illegally from extended quiescent state! > 1 lock held by swapper/0/0: > #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __rpm_callback+0x58/0x60 > > stack backtrace: > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1116 > Hardware name: Generic OMAP36xx (Flattened Device Tree) > [] (unwind_backtrace) from [] (show_stack+0x10/0x14) > [] (show_stack) from [] (dump_stack+0xb0/0xe4) > [] (dump_stack) from [] (rpm_suspend+0x580/0x768) > [] (rpm_suspend) from [] (__pm_runtime_suspend+0x64/0x84) > [] (__pm_runtime_suspend) from [] (omap2_gpio_prepare_for_idle+0x5c/0x70) > [] (omap2_gpio_prepare_for_idle) from [] (omap_sram_idle+0x140/0x244) > [] (omap_sram_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) > [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) > [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) > [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) > [] (start_kernel) from [<8000807c>] (0x8000807c) In the immortal words of Steven Rostedt, "*Whack* *Whack* *Whack*!!!" Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck WhACKED-by: Steven Rostedt Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d44c950e9398e639e124014e5872480a37b67259 Author: Paul E. McKenney Date: Tue Apr 26 13:38:55 2016 -0700 PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle This commit applies another _rcuidle suffix to fix an RCU use from idle. > =============================== > [ INFO: suspicious RCU usage. ] > 4.6.0-rc5-next-20160426+ #1122 Not tainted > ------------------------------- > include/trace/events/rpm.h:69 suspicious rcu_dereference_check() usage! > > other info that might help us debug this: > > > RCU used illegally from idle CPU! > rcu_scheduler_active = 1, debug_locks = 0 > RCU used illegally from extended quiescent state! > 1 lock held by swapper/0/0: > #0: (&(&dev->power.lock)->rlock){-.-...}, at: [] __pm_runtime_resume+0x3c/0x64 > > stack backtrace: > CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.6.0-rc5-next-20160426+ #1122 > Hardware name: Generic OMAP36xx (Flattened Device Tree) > [] (unwind_backtrace) from [] (show_stack+0x10/0x14) > [] (show_stack) from [] (dump_stack+0xb0/0xe4) > [] (dump_stack) from [] (rpm_resume+0x5cc/0x7f4) > [] (rpm_resume) from [] (__pm_runtime_resume+0x4c/0x64) > [] (__pm_runtime_resume) from [] (omap2_gpio_resume_after_idle+0x54/0x68) > [] (omap2_gpio_resume_after_idle) from [] (omap3_enter_idle_bm+0xfc/0x1ec) > [] (omap3_enter_idle_bm) from [] (cpuidle_enter_state+0x80/0x3d4) > [] (cpuidle_enter_state) from [] (cpu_startup_entry+0x198/0x3a0) > [] (cpu_startup_entry) from [] (start_kernel+0x354/0x3c8) > [] (start_kernel) from [<8000807c>] (0x8000807c) Reported-by: Tony Lindgren Signed-off-by: Paul E. McKenney Tested-by: Tony Lindgren Tested-by: Guenter Roeck Signed-off-by: Rafael J. Wysocki drivers/base/power/runtime.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit bd37e022e334757a5dc1dae41baa29e16befe4ec Author: Wei Yongjun Date: Sun Aug 21 15:41:44 2016 +0000 cpufreq: dt: Add terminate entry for of_device_id tables Make sure of_device_id tables are NULL terminated. Signed-off-by: Wei Yongjun Acked-by: Viresh Kumar Fixes: f56aad1d98f1 (cpufreq: dt: Add generic platform-device creation support) CC: 4.7+ # 4.7+ Signed-off-by: Rafael J. Wysocki drivers/cpufreq/cpufreq-dt-platdev.c | 2 ++ 1 file changed, 2 insertions(+) commit edd1ea2a8a2549e4fe58e817d539445729491ecf Author: Bhaktipriya Shridhar Date: Tue Aug 30 22:19:11 2016 +0530 dm bufio: remove use of deprecated create_singlethread_workqueue() The workqueue "dm_bufio_wq" queues a single work item &dm_bufio_work so it doesn't require execution ordering. Hence, alloc_workqueue() has been used to replace the deprecated create_singlethread_workqueue(). The WQ_MEM_RECLAIM flag has been set since DM requires forward progress under memory pressure. Since there are fixed number of work items, explicit concurrency limit is unnecessary here. Signed-off-by: Bhaktipriya Shridhar Signed-off-by: Mike Snitzer drivers/md/dm-bufio.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 5d0be84ec0cacfc7a6d6ea548afdd07d481324cd Author: Eric Biggers Date: Tue Aug 30 09:51:44 2016 -0700 dm crypt: fix free of bad values after tfm allocation failure If crypt_alloc_tfms() had to allocate multiple tfms and it failed before the last allocation, then it would call crypt_free_tfms() and could free pointers from uninitialized memory -- due to the crypt_free_tfms() check for non-zero cc->tfms[i]. Fix by allocating zeroed memory. Signed-off-by: Eric Biggers Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-crypt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 4e870e948fbabf62b78e8410f04c67703e7c816b Author: Mikulas Patocka Date: Tue Aug 30 16:38:42 2016 -0400 dm crypt: fix error with too large bios When dm-crypt processes writes, it allocates a new bio in crypt_alloc_buffer(). The bio is allocated from a bio set and it can have at most BIO_MAX_PAGES vector entries, however the incoming bio can be larger (e.g. if it was allocated by bcache). If the incoming bio is larger, bio_alloc_bioset() fails and an error is returned. To avoid the error, we test for a too large bio in the function crypt_map() and use dm_accept_partial_bio() to split the bio. dm_accept_partial_bio() trims the current bio to the desired size and asks DM core to send another bio with the rest of the data. Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org # v3.16+ drivers/md/dm-crypt.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 91e630d9ae6de6f740ef7c8176736eb55366833e Author: Vladimir Zapolskiy Date: Thu Mar 10 01:22:19 2016 +0200 dm log writes: fix check of kthread_run() return value The kthread_run() function returns either a valid task_struct or ERR_PTR() value, check for NULL is invalid. This change fixes potential for oops, e.g. in OOM situation. Signed-off-by: Vladimir Zapolskiy Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-log-writes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 61b5ebd6ffc3099618a2e79903e5ee0577c10799 Merge: 86a1679 485a252 Author: Linus Torvalds Date: Tue Aug 30 16:25:57 2016 -0700 Merge tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull seccomp fix from Kees Cook: "Fix fatal signal delivery after ptrace reordering" * tag 'seccomp-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: seccomp: Fix tracer exit notifications during fatal signals commit 485a252a5559b45d7df04c819ec91177c62c270b Author: Kees Cook Date: Wed Aug 10 16:28:09 2016 -0700 seccomp: Fix tracer exit notifications during fatal signals This fixes a ptrace vs fatal pending signals bug as manifested in seccomp now that seccomp was reordered to happen after ptrace. The short version is that seccomp should not attempt to call do_exit() while fatal signals are pending under a tracer. The existing code was trying to be as defensively paranoid as possible, but it now ends up confusing ptrace. Instead, the syscall can just be skipped (which solves the original concern that the do_exit() was addressing) and normal signal handling, tracer notification, and process death can happen. Paraphrasing from the original bug report: If a tracee task is in a PTRACE_EVENT_SECCOMP trap, or has been resumed after such a trap but not yet been scheduled, and another task in the thread-group calls exit_group(), then the tracee task exits without the ptracer receiving a PTRACE_EVENT_EXIT notification. Test case here: https://gist.github.com/khuey/3c43ac247c72cef8c956ca73281c9be7 The bug happens because when __seccomp_filter() detects fatal_signal_pending(), it calls do_exit() without dequeuing the fatal signal. When do_exit() sends the PTRACE_EVENT_EXIT notification and that task is descheduled, __schedule() notices that there is a fatal signal pending and changes its state from TASK_TRACED to TASK_RUNNING. That prevents the ptracer's waitpid() from returning the ptrace event. A more detailed analysis is here: https://github.com/mozilla/rr/issues/1762#issuecomment-237396255. Reported-by: Robert O'Callahan Reported-by: Kyle Huey Tested-by: Kyle Huey Fixes: 93e35efb8de4 ("x86/ptrace: run seccomp after ptrace") Signed-off-by: Kees Cook Acked-by: Oleg Nesterov Acked-by: James Morris kernel/seccomp.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) commit 313a61d30761217ce4383018de1cc0d5d503a376 Author: Eric Anholt Date: Tue Aug 30 13:57:38 2016 -0700 drm/vc4: Allow some more signals to be packed with uniform resets. The intent was to make sure people don't sneak in a small immediate or something to change the interpretation of the uniform update args, but these signals are just fine. Fixes a validation failure in the current X server on some Render operation. Signed-off-by: Eric Anholt drivers/gpu/drm/vc4/vc4_validate_shaders.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) commit 7efb367320f56fc4d549875b6f3a6940018ef2e5 Author: Mikulas Patocka Date: Tue Aug 30 16:20:55 2016 -0400 dm log writes: fix bug with too large bios bio_alloc() can allocate a bio with at most BIO_MAX_PAGES (256) vector entries. However, the incoming bio may have more vector entries if it was allocated by other means. For example, bcache submits bios with more than BIO_MAX_PAGES entries. This results in bio_alloc() failure. To avoid the failure, change the code so that it allocates bio with at most BIO_MAX_PAGES entries. If the incoming bio has more entries, bio_add_page() will fail and a new bio will be allocated - the code that handles bio_add_page() failure already exists in the dm-log-writes target. Signed-off-by: Mikulas Patocka Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org # v4.1+ drivers/md/dm-log-writes.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit a5d60783df61fbb67b7596b8a0f6b4b2e05251d5 Author: Mikulas Patocka Date: Tue Aug 30 16:11:53 2016 -0400 dm log writes: move IO accounting earlier to fix error path Move log_one_block()'s atomic_inc(&lc->io_blocks) before bio_alloc() to fix a bug that the target hangs if bio_alloc() fails. The error path does put_io_block(lc), so atomic_inc(&lc->io_blocks) must occur before invoking the error path to avoid underflow of lc->io_blocks. Signed-off-by: Mikulas Patocka Reviewed-by: Josef Bacik Signed-off-by: Mike Snitzer Cc: stable@vger.kernel.org drivers/md/dm-log-writes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 86a1679860babbacd61fc1e8c0c0f43641d5860d Merge: 0cf21c6 45c91d8 Author: Linus Torvalds Date: Tue Aug 30 11:24:04 2016 -0700 Merge tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md Pull MD fixes from Shaohua Li: "This includes several bug fixes: - Alexey Obitotskiy fixed a hang for faulty raid5 array with external management - Song Liu fixed two raid5 journal related bugs - Tomasz Majchrzak fixed a bad block recording issue and an accounting issue for raid10 - ZhengYuan Liu fixed an accounting issue for raid5 - I fixed a potential race condition and memory leak with DIF/DIX enabled - other trival fixes" * tag 'md/4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md: raid5: avoid unnecessary bio data set raid5: fix memory leak of bio integrity data raid10: record correct address of bad block md-cluster: fix error return code in join() r5cache: set MD_JOURNAL_CLEAN correctly md: don't print the same repeated messages about delayed sync operation md: remove obsolete ret in md_start_sync md: do not count journal as spare in GET_ARRAY_INFO md: Prevent IO hold during accessing to faulty raid5 array MD: hold mddev lock to change bitmap location raid5: fix incorrectly counter of conf->empty_inactive_list_nr raid10: increment write counter after bio is split commit 0cf21c6609c582690a9407bddb72aec2732c6178 Merge: 0d025d2 98b0f80 Author: Linus Torvalds Date: Tue Aug 30 11:14:02 2016 -0700 Merge tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Highlights include: Stable patches: - Fix a refcount leak in nfs_callback_up_net - Fix an Oopsable condition when the flexfile pNFS driver connection to the DS fails - Fix an Oopsable condition in NFSv4.1 server callback races - Ensure pNFS clients stop doing I/O to the DS if their lease has expired, as required by the NFSv4.1 protocol Bugfixes: - Fix potential looping in the NFSv4.x migration code - Patch series to close callback races for OPEN, LAYOUTGET and LAYOUTRETURN - Silence WARN_ON when NFSv4.1 over RDMA is in use - Fix a LAYOUTCOMMIT race in the pNFS/blocks client - Fix pNFS timeout issues when the DS fails" * tag 'nfs-for-4.8-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFSv4.x: Fix a refcount leak in nfs_callback_up_net NFS4: Avoid migration loops pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails NFSv4.1: Remove obsolete and incorrrect assignment in nfs4_callback_sequence NFSv4.1: Close callback races for OPEN, LAYOUTGET and LAYOUTRETURN NFSv4.1: Defer bumping the slot sequence number until we free the slot NFSv4.1: Delay callback processing when there are referring triples NFSv4.1: Fix Oopsable condition in server callback races SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use pnfs/blocklayout: update last_write_offset atomically with extents pNFS: The client must not do I/O to the DS if it's lease has expired pNFS: Handle NFS4ERR_OLD_STATEID correctly in LAYOUTSTAT calls pNFS/flexfiles: Set reasonable default retrans values for the data channel NFS: Allow the mount option retrans=0 pNFS/flexfiles: Fix layoutstat periodic reporting commit 0d025d271e55f3de21f0aaaf54b42d20404d2b23 Author: Josh Poimboeuf Date: Tue Aug 30 08:04:16 2016 -0500 mm/usercopy: get rid of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS There are three usercopy warnings which are currently being silenced for gcc 4.6 and newer: 1) "copy_from_user() buffer size is too small" compile warning/error This is a static warning which happens when object size and copy size are both const, and copy size > object size. I didn't see any false positives for this one. So the function warning attribute seems to be working fine here. Note this scenario is always a bug and so I think it should be changed to *always* be an error, regardless of CONFIG_DEBUG_STRICT_USER_COPY_CHECKS. 2) "copy_from_user() buffer size is not provably correct" compile warning This is another static warning which happens when I enable __compiletime_object_size() for new compilers (and CONFIG_DEBUG_STRICT_USER_COPY_CHECKS). It happens when object size is const, but copy size is *not*. In this case there's no way to compare the two at build time, so it gives the warning. (Note the warning is a byproduct of the fact that gcc has no way of knowing whether the overflow function will be called, so the call isn't dead code and the warning attribute is activated.) So this warning seems to only indicate "this is an unusual pattern, maybe you should check it out" rather than "this is a bug". I get 102(!) of these warnings with allyesconfig and the __compiletime_object_size() gcc check removed. I don't know if there are any real bugs hiding in there, but from looking at a small sample, I didn't see any. According to Kees, it does sometimes find real bugs. But the false positive rate seems high. 3) "Buffer overflow detected" runtime warning This is a runtime warning where object size is const, and copy size > object size. All three warnings (both static and runtime) were completely disabled for gcc 4.6 with the following commit: 2fb0815c9ee6 ("gcc4: disable __compiletime_object_size for GCC 4.6+") That commit mistakenly assumed that the false positives were caused by a gcc bug in __compiletime_object_size(). But in fact, __compiletime_object_size() seems to be working fine. The false positives were instead triggered by #2 above. (Though I don't have an explanation for why the warnings supposedly only started showing up in gcc 4.6.) So remove warning #2 to get rid of all the false positives, and re-enable warnings #1 and #3 by reverting the above commit. Furthermore, since #1 is a real bug which is detected at compile time, upgrade it to always be an error. Having done all that, CONFIG_DEBUG_STRICT_USER_COPY_CHECKS is no longer needed. Signed-off-by: Josh Poimboeuf Cc: Kees Cook Cc: Thomas Gleixner Cc: Ingo Molnar Cc: "H . Peter Anvin" Cc: Andy Lutomirski Cc: Steven Rostedt Cc: Brian Gerst Cc: Peter Zijlstra Cc: Frederic Weisbecker Cc: Byungchul Park Cc: Nilay Vaish Signed-off-by: Linus Torvalds arch/parisc/Kconfig | 1 - arch/parisc/configs/c8000_defconfig | 1 - arch/parisc/configs/generic-64bit_defconfig | 1 - arch/parisc/include/asm/uaccess.h | 22 ++++----- arch/s390/Kconfig | 1 - arch/s390/configs/default_defconfig | 1 - arch/s390/configs/gcov_defconfig | 1 - arch/s390/configs/performance_defconfig | 1 - arch/s390/defconfig | 1 - arch/s390/include/asm/uaccess.h | 19 +++++--- arch/tile/Kconfig | 1 - arch/tile/include/asm/uaccess.h | 22 +++++---- arch/x86/Kconfig | 1 - arch/x86/include/asm/uaccess.h | 69 ++++------------------------- include/asm-generic/uaccess.h | 1 + include/linux/compiler-gcc.h | 2 +- lib/Kconfig.debug | 18 -------- lib/Makefile | 1 - lib/usercopy.c | 9 ---- 19 files changed, 45 insertions(+), 128 deletions(-) commit d8dc020cac1d5335cab3ffadb1964ad83c2f8729 Merge: 748e7fc 9ebae9e Author: Linus Torvalds Date: Tue Aug 30 09:44:11 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata Pull libata fixes from Tejun Heo: "Two libata driver specific fixes for v4.8-rc4. Nothing too scary" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: pata_ninja32: Avoid corrupting status flags ahci: disable correct irq for dummy ports commit 748e7fc20983fccd742e93c5b6a38ece1f71f80f Merge: e4e98c4 568ac88 Author: Linus Torvalds Date: Tue Aug 30 09:31:59 2016 -0700 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: "Two fixes for cgroup. - There still was a hole in enforcing cpuset rules, fixed by Li. - The recent switch to global percpu_rwseom for threadgroup locking revealed a couple issues in how percpu_rwsem is implemented and used by cgroup. Balbir found that the read locking section was too wide unnecessarily including operations which can often depend on IOs. With percpu_rwsem updates (coming through a different tree) and reduction of read locking section, all the reported locking latency issues, including the android one, are resolved. It looks like we can keep global percpu_rwsem locking for now. If there actually are cases which can't be resolved, we can go back to more complex per-signal_struct locking" * 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork cpuset: make sure new tasks conform to the current config of the cpuset commit 9ebae9e4bcd7dff22536af8a969d8f66e6f23900 Author: Alan Cox Date: Tue Aug 30 16:47:02 2016 +0100 pata_ninja32: Avoid corrupting status flags Ninja32 needs to set some flags to indicate it does 32bit IO. However it currently assigns this which loses the initializing flag and causes a warning spew. Fix it to use a logical or as is intended. Signed-off-by: Alan Cox Tested-by: Ellmar Stelnberger Signed-off-by: Tejun Heo drivers/ata/pata_ninja32.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 98b0f80c2396224bbbed81792b526e6c72ba9efa Author: Trond Myklebust Date: Mon Aug 29 11:15:36 2016 -0400 NFSv4.x: Fix a refcount leak in nfs_callback_up_net On error, the callers expect us to return without bumping nn->cb_users[]. Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v3.7+ fs/nfs/callback.c | 1 + 1 file changed, 1 insertion(+) commit 52442f9b11b7e5d4a38d99143011831fd171f8d9 Author: Benjamin Coddington Date: Tue Aug 30 09:20:32 2016 -0400 NFS4: Avoid migration loops If a server returns itself as a location while migrating, the client may end up getting stuck attempting to migrate twice to the same server. Catch this by checking if the nfs_client found is the same as the existing client. For the other two callers to nfs4_set_client, the nfs_client will always be ERR_PTR(-EINVAL). Signed-off-by: Benjamin Coddington Signed-off-by: Trond Myklebust fs/nfs/nfs4client.c | 5 +++++ 1 file changed, 5 insertions(+) commit 8c57cac1457f3125a5d13dc03635c0708c61bff0 Author: Tomas Winkler Date: Wed Jul 20 10:24:02 2016 +0300 mei: me: disable driver on SPT SPS firmware Sunrise Point PCH with SPS Firmware doesn't expose working MEI interface, we need to quirk it out. The SPS Firmware is identifiable only on the first PCI function of the device. Cc: #4.6+ Tested-by: Sujith Pandel Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman drivers/misc/mei/hw-me.c | 10 ++++++++-- drivers/misc/mei/pci-me.c | 4 ++-- 2 files changed, 10 insertions(+), 4 deletions(-) commit 2c5575401e34de3d2fc90af1c95bc73435784093 Author: Tony Lindgren Date: Fri Aug 26 16:28:39 2016 -0500 usb: musb: Fix locking errors for host only mode If we have USB gadgets disabled and USB_MUSB_HOST set, we get errors "possible irq lock inverssion dependency detected" errors during boot. Let's fix the issue by adding start_musb flag and start the controller after we're out of the spinlock protected section. Reported-by: Ladislav Michl Tested-by: Ladislav Michl Signed-off-by: Tony Lindgren Signed-off-by: Bin Liu Signed-off-by: Greg Kroah-Hartman drivers/usb/musb/musb_virthub.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit 20b8f9e2dde171c69da4a79c34fccdc2a8492797 Merge: 3eab887 a7d4b8f Author: Paolo Bonzini Date: Tue Aug 30 14:11:33 2016 +0200 Merge tag 'kvm-s390-master-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master KVM: s390: Fix for fpu register errors since 4.7 This fixes a regression that was introduced by a semantic change in commit 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct"). Symptoms are broken host userspace fpu registers if the old FPU set/get ioctls are used. commit 3fa2a81e6e77f4308b4a3860aab2a1885a127f47 Merge: 83b4a3d 017300d Author: Greg Kroah-Hartman Date: Tue Aug 30 14:10:51 2016 +0200 Merge tag 'phy-for-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-linus Kishon writes: phy: for 4.8 -rc *) Fix to get host-only mode working in sun4i *) Fix a compilation error because of missing header file *) Other minor fixes Signed-off-by: Kishon Vijay Abraham I commit 83b4a3d79efb291c17cd9b2182e187c1217f8276 Merge: d1228f4 c4e9417 Author: Greg Kroah-Hartman Date: Tue Aug 30 14:07:01 2016 +0200 Merge tag 'usb-ci-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus Peter writes: Fix one bug that host can't work after insmod gadget module at dual-role mode, the root cause of this issue is the usbcmd.rs is cleared by chipidea udc code. commit 8aade778f787305fdbfd3c1d54e6b583601b5902 Author: Anson Huang Date: Mon Aug 22 23:53:25 2016 +0800 ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx i.MX6SX has bypass PMIC ready function, as this function is normally NOT enabled on the board design, so we need to bypass the PMIC ready pin check during DSM mode resume flow, otherwise, the internal DSM resume logic will be waiting for this signal to be ready forever and cause resume fail. Signed-off-by: Anson Huang Fixes: ff843d621bfc ("ARM: imx: add suspend support for i.mx6sx") Cc: Tested-by: Peter Chen Signed-off-by: Shawn Guo arch/arm/mach-imx/pm-imx6.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c73c2484901139c28383b58eabcbf4d613e91518 Author: Liping Zhang Date: Sun Aug 28 16:59:52 2016 +0800 netfilter: nf_tables_netdev: remove redundant ip_hdr assignment We have already use skb_header_pointer to get the ip header pointer, so there's no need to use ip_hdr again. Moreover, in NETDEV INGRESS hook, ip header maybe not linear, so use ip_hdr is not appropriate, remove it. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nf_tables_netdev.c | 1 - 1 file changed, 1 deletion(-) commit b030485220caf862c71db6fb8b8ad016ce7f7565 Author: Javier Martinez Canillas Date: Sun Aug 21 03:27:45 2016 -0400 ARM: EXYNOS: Clear OF_POPULATED flag from PMU node in IRQ init callback The Exynos PMU node is an interrupt, clock and PMU (Power Management Unit) controller, and these functionalities are supported by different drivers that matches the same compatible strings. Since commit 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") the OF core flags interrupt controllers registered with the IRQCHIP_DECLARE() macro as OF_POPULATED, so platform devices with the same compatible string as the interrupt controller will not be registered. This prevents the PMU platform device to be registered so the Exynos PMU driver is never probed. This breaks (among other things) Suspend-to-RAM. Fix this by clearing the OF_POPULATED flag in the PMU IRQ init callback, to allow the Exynos PMU platform driver to be probed. The patch is based on Philipp Zabel's "ARM: imx6: mark GPC node as not populated after irq init to probe pm domain driver". Fixes: 15cc2ed6dcf9 ("of/irq: Mark initialised interrupt controllers as populated") Signed-off-by: Javier Martinez Canillas Signed-off-by: Krzysztof Kozlowski arch/arm/mach-exynos/suspend.c | 6 ++++++ 1 file changed, 6 insertions(+) commit fd06c77eb9200b53d421da5fffe0dcd894b5d72a Author: Kai-Heng Feng Date: Tue Aug 30 15:36:34 2016 +0800 ALSA: hda - Enable subwoofer on Dell Inspiron 7559 The subwoofer on Inspiron 7559 was disabled originally. Applying a pin fixup to node 0x1b can enable it and make it work. Old pin: 0x411111f0 New pin: 0x90170151 Signed-off-by: Kai-Heng Feng Cc: Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 11 +++++++++++ 1 file changed, 11 insertions(+) commit a474478642d57641ea06645104a15acc0420f01a Author: Lucas Stach Date: Mon Aug 29 17:51:24 2016 +0200 drm/imx: fix crtc vblank state regression The atomic conversion lost the notification to let the DRM core know about the current state of the CRTC vblank interrupts. This regressed the ability of the core to reject page flip attempts on currently disabled CRTCs. Add back the notifications. Signed-off-by: Lucas Stach Signed-off-by: Philipp Zabel drivers/gpu/drm/imx/ipuv3-crtc.c | 4 ++++ 1 file changed, 4 insertions(+) commit 61aaa0e8c1c15d9e045f0577f046be50f2f571ab Author: Linus Lüssing Date: Fri Aug 19 22:02:48 2016 +0200 cfg80211: Add stub for cfg80211_get_station() This allows modules using this function (currently: batman-adv) to compile even if cfg80211 is not built at all, thus relaxing dependencies. Signed-off-by: Linus Lüssing Signed-off-by: Johannes Berg include/net/cfg80211.h | 9 +++++++++ 1 file changed, 9 insertions(+) commit 554d072e7bc3e56de5893c8181110a547b2062c9 Author: Arik Nemtsov Date: Mon Aug 29 12:37:35 2016 +0300 mac80211: TDLS: don't require beaconing for AP BW Stop downgrading TDLS chandef when reaching the AP BW. The AP provides the necessary regulatory protection in this case. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=153961, which reported an infinite loop here. Reported-by: Kamil Toman Signed-off-by: Arik Nemtsov Signed-off-by: Johannes Berg net/mac80211/tdls.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit 311042d1b67d9a1856a8e1294e7729fb86f64014 Author: Shrirang Bagul Date: Mon Aug 29 15:19:27 2016 +0800 ALSA: hda - Add headset mic quirk for Dell Inspiron 5468 This patch enables headset microphone on some variants of Dell Inspiron 5468. (Dell SSID 0x07ad) BugLink: https://bugs.launchpad.net/bugs/1617900 Signed-off-by: Shrirang Bagul Cc: Signed-off-by: Takashi Iwai sound/pci/hda/patch_realtek.c | 4 ++++ 1 file changed, 4 insertions(+) commit ea78d80866ce375defb2fdd1c8a3aafec95e0f85 Author: Darrick J. Wong Date: Tue Aug 30 13:51:39 2016 +1000 xfs: track log done items directly in the deferred pending work item Christoph reports slab corruption when a deferred refcount update aborts during _defer_finish(). The cause of this was broken log item state tracking in xfs_defer_pending -- upon an abort, _defer_trans_abort() will call abort_intent on all intent items, including the ones that have already had a done item attached. This is incorrect because each intent item has 2 refcount: the first is released when the intent item is committed to the log; and the second is released when the _done_ item is committed to the log, or by the intent creator if there is no done item. In other words, once we log the done item, responsibility for releasing the intent item's second refcount is transferred to the done item and /must not/ be performed by anything else. The dfp_committed flag should have been tracking whether or not we had a done item so that _defer_trans_abort could decide if it needs to abort the intent item, but due to a thinko this was not the case. Rip it out and track the done item directly so that we do the right thing w.r.t. intent item freeing. Signed-off-by: Darrick J. Wong Reported-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_defer.c | 17 ++++------------- fs/xfs/libxfs/xfs_defer.h | 2 +- fs/xfs/xfs_trace.h | 2 +- 3 files changed, 6 insertions(+), 15 deletions(-) commit e4e98c460ad38c78498622a164fd5ef09a2dc9cb Merge: b892772 3c32926 Author: Linus Torvalds Date: Mon Aug 29 19:12:35 2016 -0700 Merge tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fix from Guenter Roeck: "Add missing sysfs attribute group terminator to it87 driver" * tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (it87) Add missing sysfs attribute group terminator commit dc7066c54107255f5f9a11bf3f82417c9b1aef51 Merge: af7c388 a45f9d4 Author: Stephen Boyd Date: Mon Aug 29 17:08:35 2016 -0700 Merge tag 'v4.8-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into clk-fixes Some fixes for rk3399 register errors that revealed themself during actual use. * tag 'v4.8-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399 clk: rockchip: fix incorrect GATE bits for {c, g}pll_aclk_perihp_src on rk3399 clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399 clk: rockchip: fix rk3399 aclk_vio gate bit commit a93295a7e118b5c58391906e47183775b1eb7cb1 Author: Roger Quadros Date: Mon Aug 15 10:47:39 2016 +0300 mtd: nand: omap2: Don't call dma_release_channel() if dma_request_chan() failed dma_request_chan() can fail returning an error pointer. In this case prevent calling dma_release_channel() to prevent a ERR_PTR() dereference. As error path can be called even with no DMA configuration, info->dma can be NULL so don't call dma_release_channel() for that case either. Fixes: de3bfc4a1616: ("mtd: nand: omap2: fix return value check in omap_nand_probe()") Reported-by: Dan Carpenter Signed-off-by: Roger Quadros Acked-by: Boris Brezillon Signed-off-by: Brian Norris drivers/mtd/nand/omap2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b8927721ae9d5ac0582d29d7b8c267d465ad5f00 Merge: 1f6a563 2e81a4e Author: Linus Torvalds Date: Mon Aug 29 12:37:11 2016 -0700 Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Fix bugs that could cause kernel deadlocks or file system corruption while moving xattrs to expand the extended inode. Also add some sanity checks to the block group descriptors to make sure we don't end up overwriting the superblock" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: avoid deadlock when expanding inode size ext4: properly align shifted xattrs when expanding inodes ext4: fix xattr shifting when expanding inodes part 2 ext4: fix xattr shifting when expanding inodes ext4: validate that metadata blocks do not overlap superblock ext4: reserve xattr index for the Hurd commit 1f6a563ee0cd577a9292940eee389482db306765 Merge: cf4d377 b99b43b Author: Linus Torvalds Date: Mon Aug 29 12:29:13 2016 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net Pull networking fixes from David Miller: 1) Segregate namespaces properly in conntrack dumps, from Liping Zhang. 2) tcp listener refcount fix in netfilter tproxy, from Eric Dumazet. 3) Fix timeouts in qed driver due to xmit_more, from Yuval Mintz. 4) Fix use-after-free in tcp_xmit_retransmit_queue(). 5) Userspace header fixups (use of __u32, missing includes, etc.) from Mikko Rapeli. 6) Further refinements to fragmentation wrt gso and tunnels, from Shmulik Ladkani. 7) Trigger poll correctly for zero length UDP packets, from Eric Dumazet. 8) TCP window scaling fix, also from Eric Dumazet. 9) SLAB_DESTROY_BY_RCU is not relevant any more for UDP sockets. 10) Module refcount leak in qdisc_create_dflt(), from Eric Dumazet. 11) Fix deadlock in cp_rx_poll() of 8139cp driver, from Gao Feng. 12) Memory leak in rhashtable's alloc_bucket_locks(), from Eric Dumazet. 13) Add new device ID to alx driver, from Owen Lin. * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits) Add Killer E2500 device ID in alx driver. net: smc91x: fix SMC accesses Documentation: networking: dsa: Remove platform device TODO net/mlx5: Increase number of ethtool steering priorities net/mlx5: Add error prints when validate ETS failed net/mlx5e: Fix memory leak if refreshing TIRs fails net/mlx5e: Add ethtool counter for TX xmit_more net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ net/mlx5e: Don't wait for SQ completions on close net/mlx5e: Don't post fragmented MPWQE when RQ is disabled net/mlx5e: Don't wait for RQ completions on close net/mlx5e: Limit UMR length to the device's limitation rhashtable: fix a memory leak in alloc_bucket_locks() sfc: fix potential stack corruption from running past stat bitmask team: loadbalance: push lacpdus to exact delivery net: hns: dereference ppe_cb->ppe_common_cb if it is non-null 8139cp: Fix one possible deadloop in cp_rx_poll i40e: Change some init flow for the client Revert "phy: IRQ cannot be shared" net: dsa: bcm_sf2: Fix race condition while unmasking interrupts ... commit a904a08b5fee5317ff0f7b8212aa5d0776795a52 Author: Peer, Ilan Date: Wed Aug 10 13:48:35 2016 +0300 iwlwifi: mvm: Advertise support for AP channel width change The iwlmvm driver supports channel width change in AP mode. Add the proper flag. Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 1 + 1 file changed, 1 insertion(+) commit ff6e58e648ed5f3cc43891767811d5c3c88bbd41 Author: Emmanuel Grumbach Date: Wed Aug 3 22:06:43 2016 +0300 iwlwifi: mvm: don't use ret when not initialised fw-dbg code return ret but that variable was either 0 or not initialised. Return 0 always. Signed-off-by: Emmanuel Grumbach Fixes: 6a95126763fb ("iwlwifi: mvm: send dbg config hcmds to fw if set in tlv") Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit bdc98b13716eafc454457e068d6c8aaffaaa71e4 Author: Sharon Dvir Date: Mon Jul 25 16:11:05 2016 +0300 iwlwifi: mvm: check if vif is NULL before using it wdev_to_ieee80211_vif() might return NULL. Check that vif != NULL before dereferencing it. Signed-off-by: Sharon Dvir Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/mvm.h | 2 ++ 1 file changed, 2 insertions(+) commit 360647959323ec066cc55d82133df73e30530824 Author: Emmanuel Grumbach Date: Mon Jul 11 09:25:45 2016 +0300 iwlwifi: mvm: consider P2p device type for firmware dump triggers When the user really wanted a dump on P2P Client, he coudln't get it because we checked vif->type but didn't take vif->p2p into account. Fix that. Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho drivers/net/wireless/intel/iwlwifi/mvm/fw-dbg.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 3dc147359e3dcdf0648f1e2c11f62cfae3160df0 Author: Trond Myklebust Date: Mon Aug 29 15:12:54 2016 -0400 pNFS/flexfiles: Fix an Oopsable condition when connection to the DS fails If the attempt to connect to a DS fails inside ff_layout_pg_init_read or ff_layout_pg_init_write, then we currently end up clearing the layout segment carried by the struct nfs_pageio_descriptor, causing an Oops when we later call into ff_layout_read_pagelist/ff_layout_write_pagelist. The fix is to ensure we return the layout and then retry. Fixes: 446ca2195303 ("pNFS/flexfiles: When initing reads or writes, we...") Cc: stable@vger.kernel.org # v4.7+ Signed-off-by: Trond Myklebust fs/nfs/flexfilelayout/flexfilelayout.c | 37 +++++++++++++++---------------- fs/nfs/flexfilelayout/flexfilelayoutdev.c | 19 ++++++++-------- 2 files changed, 28 insertions(+), 28 deletions(-) commit cf4d3779e5ccfc2886e1e4ca19adaf59636f963d Merge: 2a90309 da43bf0 Author: Linus Torvalds Date: Mon Aug 29 12:20:22 2016 -0700 Merge tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86 Pull x86 platform driver fixes from Darren Hart: "Remove module related code from two drivers that are only configurable as built-in: intel_pmic_gpio and platform/olpc" * tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86: intel_pmic_gpio: Make explicitly non-modular platform/olpc: Make ec explicitly non-modular commit 2a90309e062382ca0bd10bc2004abcab8fa0944b Merge: 3eab887 78a3e88 Author: Linus Torvalds Date: Mon Aug 29 12:12:15 2016 -0700 Merge tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Ben Herrenschmidt: "This was meant to be sent early last week, but I has a change pending on one of the fixes and other things made me forget all about. Ugh. We have some misc fixes for powerpc 4.8. Some trivial bits and some regressions, and a trivial cleanup or two that I saw no point in letting rot in patchwork" * tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc: signals: Discard transaction state from signal frames powerpc/powernv : Drop reference added by kset_find_obj() powerpc/tm: do not use r13 for tabort_syscall powerpc: move hmi.c to arch/powerpc/kvm/ powerpc: sysdev: cpm: fix gpio save_regs functions powerpc/pseries: PACA save area fix for MCE vs MCE powerpc/pseries: PACA save area fix for general exception vs MCE powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support powerpc, hotplug: Avoid to touch non-existent cpumasks. powerpc: migrate exception table users off module.h and onto extable.h powerpc/powernv/pci: fix iterator signedness powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb) cxl: use pcibios_free_controller_deferred() when removing vPHBs powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner" powerpc/512x: Delete unnecessary assignment for the field "owner" drivers/macintosh: Delete owner assignment powerpc: cputhreads: Add missing include file commit bb87f02b7e4ccdb614a83cbf840524de81e9b321 Merge: b64abcb 7711aaf0 Author: Kalle Valo Date: Mon Aug 29 21:39:04 2016 +0300 Merge ath-current from ath.git ath.git fixes for 4.8. Major changes: ath9k * fix regression in client mode beacon configuration * fix a station pointer which resulted in spurious crashes commit f8e81d7e496ea89f377c6935b92022032bed62e5 Author: Gregor Boirie Date: Wed Aug 24 15:28:27 2016 +0200 tools:iio:iio_generic_buffer: fix trigger-less mode Passing the trigger-less mode option on the command line causes iio_generic_buffer to fail searching for an IIO trigger. Fix this by skipping trigger initialization if trigger-less mode is requested. Technically it actually fixes: 7c7e9dad70 where the bug was introduced but as the window to the patch below that changes the context was very small let's mark it with that. Signed-off-by: Gregor Boirie Fixes: deb4d1fdcb5af ("iio: generic_buffer: Fix --trigger-num option") Signed-off-by: Jonathan Cameron tools/iio/iio_generic_buffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 83d9956b7e6b310c1062df7894257251c625b22e Author: Ken Lin Date: Fri Aug 12 14:08:47 2016 -0400 ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114 Avoid getting sample rate on B850V3 CP2114 as it is unsupported and causes noisy "current rate is different from the runtime rate" messages when playback starts. Signed-off-by: Ken Lin Signed-off-by: Akshay Bhat Cc: Signed-off-by: Takashi Iwai sound/usb/quirks.c | 1 + 1 file changed, 1 insertion(+) commit d8d8d9d789097f91edaeee65b77523079fa8cf3f Merge: 3eab887 4d8c6a7 Author: Jens Axboe Date: Mon Aug 29 08:39:22 2016 -0600 Merge branch 'nvmf-4.8-rc' of git://git.infradead.org/nvme-fabrics into for-linus Sagi writes: Mostly stability fixes and cleanups: - NQN endianess fix from Daniel - possible use-after-free fix from Vincent - nvme-rdma connect semantics fixes from Jay - Remove redundant variables in rdma driver - Kbuild fix from Christoph - nvmf_host referencing fix from Christoph - uninit variable fix from Colin commit c6c1f9bc798bee7cfc2e172cd2c9b48187d801a7 Author: Liu Ying Date: Mon Aug 15 16:41:13 2016 +0800 drm/imx: Add active plane reconfiguration support We don't support configuring active plane on-the-fly for imx-drm. The relevant CRTC should be disabled before the plane configuration. Of course, the plane itself should be disabled as well. This patch adds active plane reconfiguration support by forcing CRTC mode change and disabling-enabling plane in plane's ->atomic_update callback. Suggested-by: Daniel Vetter Cc: Philipp Zabel Cc: David Airlie Cc: Russell King Cc: Daniel Vetter Cc: Peter Senna Tschudin Signed-off-by: Liu Ying Tested-by: Peter Senna Tschudin Tested-by: Lucas Stach Signed-off-by: Philipp Zabel drivers/gpu/drm/imx/imx-drm-core.c | 26 +++++++++++++++++++++++++- drivers/gpu/drm/imx/ipuv3-plane.c | 21 ++++++++++++++------- 2 files changed, 39 insertions(+), 8 deletions(-) commit f7d3586f2dbe330a84f8d0d02c39ddb3fbde67d3 Author: Vladimir Zapolskiy Date: Mon Aug 29 04:41:50 2016 +0300 ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name Fix misspelled "ti,x-plate-ohms" property name of TI TSC2046 touchscreen controller. Fixes: d09e6beafa23 ("ARM: dts: imx7d-sdb: Add support for touchscreen") Signed-off-by: Vladimir Zapolskiy Signed-off-by: Shawn Guo arch/arm/boot/dts/imx7d-sdb.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit a75e4a85f49e7f5d71cf0e425bc009c15ad3b5c4 Author: Baoyou Xie Date: Sun Aug 28 01:15:24 2016 +0800 fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible We get 2 warnings when biuld kernel with W=1: drivers/mailbox/bcm-pdc-mailbox.c:472:6: warning: no previous prototype for 'pdc_setup_debugfs' [-Wmissing-prototypes] drivers/mailbox/bcm-pdc-mailbox.c:488:6: warning: no previous prototype for 'pdc_free_debugfs' [-Wmissing-prototypes] In fact, these functions are only used in the file in which they are declared and don't need a declaration, but can be made static. so this patch marks these functions with 'static'. Signed-off-by: Baoyou Xie Acked-by: Arnd Bergmann Signed-off-by: Jassi Brar drivers/mailbox/bcm-pdc-mailbox.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 068cf29eca4ef25556496635b978143b170b862c Author: Dan Carpenter Date: Thu Aug 4 08:30:31 2016 +0300 mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown() We can't pass NULL pointers to pdc_ring_free() so I moved the check for NULL. Signed-off-by: Dan Carpenter Signed-off-by: Jassi Brar drivers/mailbox/bcm-pdc-mailbox.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit e0c6fba45ab730afc22fa01ac1c42459893252ec Author: Rob Rice Date: Mon Aug 1 13:03:41 2016 -0400 mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX to avoid link error on some platforms. Reported-by: Fengguang Wu Signed-off-by: Rob Rice Acked-by: Geert Uytterhoeven Signed-off-by: Jassi Brar drivers/mailbox/Kconfig | 1 + 1 file changed, 1 insertion(+) commit 3c3292634fc2de1ab97b6aa3222fee647f737adb Author: Jean Delvare Date: Mon Aug 29 13:18:23 2016 +0200 hwmon: (it87) Add missing sysfs attribute group terminator Attribute array it87_attributes_in lacks its NULL terminator, causing random behavior when operating on the attribute group. Fixes: 52929715634a ("hwmon: (it87) Use is_visible for voltage sensors") Signed-off-by: Jean Delvare Cc: Martin Blumenstingl Cc: Guenter Roeck Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck drivers/hwmon/it87.c | 1 + 1 file changed, 1 insertion(+) commit 8a07fed44b126f48020f122b9e6bf05d8c48f281 Author: Chris Wilson Date: Tue Aug 23 10:25:58 2016 +0100 drm/i915/dvo: Remove dangling call to drm_encoder_cleanup() If we hit the error path, we have never called drm_encoder_init() and so have nothing to cleanup. Doing so hits a null dereference: [ 10.066261] BUG: unable to handle kernel NULL pointer dereference at 00000104 [ 10.066273] IP: [] mutex_lock+0xa/0x15 [ 10.066287] *pde = 00000000 [ 10.066295] Oops: 0002 [#1] [ 10.066302] Modules linked in: i915(+) video i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm iTCO_wdt iTCO_vendor_support ppdev evdev snd_intel8x0 snd_ac97_codec ac97_bus psmouse snd_pcm snd_timer snd pcspkr uhci_hcd ehci_pci soundcore sr_mod ehci_hcd serio_raw i2c_i801 usbcore i2c_smbus cdrom lpc_ich mfd_core rng_core e100 mii floppy parport_pc parport acpi_cpufreq button processor usb_common eeprom lm85 hwmon_vid autofs4 [ 10.066378] CPU: 0 PID: 132 Comm: systemd-udevd Not tainted 4.8.0-rc3-00013-gef0e1ea #34 [ 10.066389] Hardware name: MicroLink /D865GLC , BIOS BF86510A.86A.0077.P25.0508040031 08/04/2005 [ 10.066401] task: f62db800 task.stack: f5970000 [ 10.066409] EIP: 0060:[] EFLAGS: 00010286 CPU: 0 [ 10.066417] EIP is at mutex_lock+0xa/0x15 [ 10.066424] EAX: 00000104 EBX: 00000104 ECX: 00000000 EDX: 80000000 [ 10.066432] ESI: 00000000 EDI: 00000104 EBP: f5be8000 ESP: f5971b58 [ 10.066439] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 [ 10.066446] CR0: 80050033 CR2: 00000104 CR3: 35945000 CR4: 000006d0 [ 10.066453] Stack: [ 10.066459] f503d740 f824dddf 00000000 f61170c0 f61170c0 f82371ae f850f40e 00000001 [ 10.066476] f61170c0 f5971bcc f5be8000 f9c2d401 00000001 f8236fcc 00000001 00000000 [ 10.066491] f5144014 f5be8104 00000008 f9c5267c 00000007 f61170c0 f5144400 f9c4ff00 [ 10.066507] Call Trace: [ 10.066526] [] ? drm_modeset_lock_all+0x27/0xb3 [drm] [ 10.066545] [] ? drm_encoder_cleanup+0x1a/0x132 [drm] [ 10.066559] [] ? drm_atomic_helper_connector_reset+0x3f/0x5c [drm_kms_helper] [ 10.066644] [] ? intel_dvo_init+0x569/0x788 [i915] [ 10.066663] [] ? drm_encoder_init+0x43/0x20b [drm] [ 10.066734] [] ? intel_modeset_init+0x1436/0x17dd [i915] [ 10.066791] [] ? i915_driver_load+0x85a/0x15d3 [i915] [ 10.066846] [] ? i915_driver_open+0x5/0x5 [i915] [ 10.066857] [] ? firmware_map_add_entry.part.2+0xc/0xc [ 10.066868] [] ? pci_device_probe+0x8e/0x11c [ 10.066878] [] ? driver_probe_device+0x1db/0x62e [ 10.066888] [] ? kernfs_new_node+0x29/0x9c [ 10.066897] [] ? pci_match_device+0xd9/0x161 [ 10.066905] [] ? kernfs_create_dir_ns+0x42/0x88 [ 10.066914] [] ? __driver_attach+0xe6/0x11b [ 10.066924] [] ? kobject_add_internal+0x1bb/0x44f [ 10.066933] [] ? driver_probe_device+0x62e/0x62e [ 10.066941] [] ? bus_for_each_dev+0x46/0x7f [ 10.066950] [] ? driver_attach+0x1a/0x34 [ 10.066958] [] ? driver_probe_device+0x62e/0x62e [ 10.066966] [] ? bus_add_driver+0x217/0x32a [ 10.066975] [] ? 0xf8403000 [ 10.066982] [] ? driver_register+0x5f/0x108 [ 10.066991] [] ? do_one_initcall+0x49/0x1f6 [ 10.067000] [] ? pick_next_task_fair+0x14b/0x2a3 [ 10.067008] [] ? __schedule+0x15c/0x4fe [ 10.067016] [] ? preempt_schedule_common+0x19/0x3c [ 10.067027] [] ? do_init_module+0x17/0x230 [ 10.067035] [] ? _cond_resched+0x12/0x1a [ 10.067044] [] ? kmem_cache_alloc+0x8f/0x11f [ 10.067052] [] ? do_init_module+0x17/0x230 [ 10.067060] [] ? kfree+0x137/0x203 [ 10.067068] [] ? do_init_module+0x76/0x230 [ 10.067078] [] ? load_module+0x2a39/0x333f [ 10.067087] [] ? SyS_finit_module+0x96/0xd5 [ 10.067096] [] ? vm_mmap_pgoff+0x79/0xa0 [ 10.067105] [] ? do_fast_syscall_32+0xb5/0x1b0 [ 10.067114] [] ? sysenter_past_esp+0x47/0x75 [ 10.067121] Code: c8 f7 76 c1 e8 8e cc d2 ff e9 45 fe ff ff 66 90 66 90 66 90 66 90 90 ff 00 7f 05 e8 4e 0c 00 00 c3 53 89 c3 e8 75 ec ff ff 89 d8 08 79 05 e8 fa 0a 00 00 5b c3 53 89 c3 85 c0 74 1b 8b 03 83 [ 10.067180] EIP: [] mutex_lock+0xa/0x15 SS:ESP 0068:f5971b58 [ 10.067190] CR2: 0000000000000104 [ 10.067222] ---[ end trace 049f1f09da45a856 ]--- Reported-by: Meelis Roos Fixes: 580d8ed522e0 ("drm/i915: Give encoders useful names") Reviewed-by: David Weinehall Signed-off-by: Chris Wilson Cc: Ville Syrjälä Cc: drm-intel-fixes@lists.freedesktop.org Signed-off-by: Jani Nikula Link: http://patchwork.freedesktop.org/patch/msgid/20160823092558.14931-1-chris@chris-wilson.co.uk (cherry picked from commit 8f76aa0ebe0b7787afe768d9df80031e832d2520) drivers/gpu/drm/i915/intel_dvo.c | 1 - 1 file changed, 1 deletion(-) commit 98744b408c757901df57fa50cbd5826245dc3a1f Author: Daniel Lezcano Date: Mon Aug 29 08:44:03 2016 +0200 clocksource/drivers/atmel-pit: Fix compilation error The previous fix introduced a check against the ret variable which is not defined, hence producing a compilation error: linux/drivers/clocksource/timer-atmel-pit.c: In function ‘at91sam926x_pit_dt_init’: linux/drivers/clocksource/timer-atmel-pit.c:264:2: error: ‘ret’ undeclared (first use in this function) ret = clk_prepare_enable(data->mck); ^ linux/drivers/clocksource/timer-atmel-pit.c:264:2: note: each undeclared identifier is reported only once for each function it appears in Add the missing the variable 'ret'. Fixes: 504f34c9e45c "clocksource/drivers/atmel-pit: Convert init function to return error" Signed-off-by: Daniel Lezcano Cc: alexandre.belloni@free-electrons.com Cc: motobud@gmail.com Cc: realbright@lgcns.com Link: http://lkml.kernel.org/r/1472453043-24287-1-git-send-email-daniel.lezcano@linaro.org Signed-off-by: Thomas Gleixner drivers/clocksource/timer-atmel-pit.c | 1 + 1 file changed, 1 insertion(+) commit 8ddc05638ee42b18ba4fe99b5fb647fa3ad20456 Author: Vegard Nossum Date: Mon Aug 29 00:33:51 2016 +0200 ALSA: timer: fix NULL pointer dereference on memory allocation failure I hit this with syzkaller: kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 0 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #190 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff88011278d600 task.stack: ffff8801120c0000 RIP: 0010:[] [] snd_hrtimer_start+0x77/0x100 RSP: 0018:ffff8801120c7a60 EFLAGS: 00010006 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000007 RDX: 0000000000000009 RSI: 1ffff10023483091 RDI: 0000000000000048 RBP: ffff8801120c7a78 R08: ffff88011a5cf768 R09: ffff88011a5ba790 R10: 0000000000000002 R11: ffffed00234b9ef1 R12: ffff880114843980 R13: ffffffff84213c00 R14: ffff880114843ab0 R15: 0000000000000286 FS: 00007f72958f3700(0000) GS:ffff88011aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000603001 CR3: 00000001126ab000 CR4: 00000000000006f0 Stack: ffff880114843980 ffff880111eb2dc0 ffff880114843a34 ffff8801120c7ad0 ffffffff82c81ab1 0000000000000000 ffffffff842138e0 0000000100000000 ffff880111eb2dd0 ffff880111eb2dc0 0000000000000001 ffff880111eb2dc0 Call Trace: [] snd_timer_start1+0x331/0x670 [] snd_timer_start+0x5d/0xa0 [] snd_timer_user_ioctl+0x88e/0x2830 [] ? __follow_pte.isra.49+0x430/0x430 [] ? snd_timer_pause+0x80/0x80 [] ? do_wp_page+0x3aa/0x1c90 [] ? put_prev_entity+0x108f/0x21a0 [] ? snd_timer_pause+0x80/0x80 [] do_vfs_ioctl+0x193/0x1050 [] ? cpuacct_account_field+0x12f/0x1a0 [] ? ioctl_preallocate+0x200/0x200 [] ? syscall_trace_enter+0x3cf/0xdb0 [] ? __context_tracking_exit.part.4+0x9a/0x1e0 [] ? exit_to_usermode_loop+0x190/0x190 [] ? check_preemption_disabled+0x37/0x1e0 [] ? security_file_ioctl+0x89/0xb0 [] SyS_ioctl+0x8f/0xc0 [] ? do_vfs_ioctl+0x1050/0x1050 [] do_syscall_64+0x1c4/0x4e0 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: c7 c7 c4 b9 c8 82 48 89 d9 4c 89 ee e8 63 88 7f fe e8 7e 46 7b fe 48 8d 7b 48 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 04 84 c0 7e 65 80 7b 48 00 74 0e e8 52 46 RIP [] snd_hrtimer_start+0x77/0x100 RSP ---[ end trace 5955b08db7f2b029 ]--- This can happen if snd_hrtimer_open() fails to allocate memory and returns an error, which is currently not checked by snd_timer_open(): ioctl(SNDRV_TIMER_IOCTL_SELECT) - snd_timer_user_tselect() - snd_timer_close() - snd_hrtimer_close() - (struct snd_timer *) t->private_data = NULL - snd_timer_open() - snd_hrtimer_open() - kzalloc() fails; t->private_data is still NULL ioctl(SNDRV_TIMER_IOCTL_START) - snd_timer_user_start() - snd_timer_start() - snd_timer_start1() - snd_hrtimer_start() - t->private_data == NULL // boom Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) commit 6b760bb2c63a9e322c0e4a0b5daf335ad93d5a33 Author: Vegard Nossum Date: Mon Aug 29 00:33:50 2016 +0200 ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE I got this: divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 1327 Comm: a.out Not tainted 4.8.0-rc2+ #189 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 task: ffff8801120a9580 task.stack: ffff8801120b0000 RIP: 0010:[] [] snd_hrtimer_callback+0x1da/0x3f0 RSP: 0018:ffff88011aa87da8 EFLAGS: 00010006 RAX: 0000000000004f76 RBX: ffff880112655e88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff880112655ea0 RDI: 0000000000000001 RBP: ffff88011aa87e00 R08: ffff88013fff905c R09: ffff88013fff9048 R10: ffff88013fff9050 R11: 00000001050a7b8c R12: ffff880114778a00 R13: ffff880114778ab4 R14: ffff880114778b30 R15: 0000000000000000 FS: 00007f071647c700(0000) GS:ffff88011aa80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000603001 CR3: 0000000112021000 CR4: 00000000000006e0 Stack: 0000000000000000 ffff880114778ab8 ffff880112655ea0 0000000000004f76 ffff880112655ec8 ffff880112655e80 ffff880112655e88 ffff88011aa98fc0 00000000b97ccf2b dffffc0000000000 ffff88011aa98fc0 ffff88011aa87ef0 Call Trace: [] __hrtimer_run_queues+0x347/0xa00 [] ? snd_hrtimer_close+0x130/0x130 [] ? retrigger_next_event+0x1b0/0x1b0 [] ? hrtimer_interrupt+0x136/0x4b0 [] hrtimer_interrupt+0x1b0/0x4b0 [] local_apic_timer_interrupt+0x6e/0xf0 [] ? kvm_guest_apic_eoi_write+0x13/0xc0 [] smp_apic_timer_interrupt+0x76/0xa0 [] apic_timer_interrupt+0x8c/0xa0 [] ? _raw_spin_unlock_irqrestore+0x2c/0x60 [] snd_timer_start1+0xdd/0x670 [] snd_timer_continue+0x45/0x80 [] snd_timer_user_ioctl+0x1030/0x2830 [] ? __follow_pte.isra.49+0x430/0x430 [] ? snd_timer_pause+0x80/0x80 [] ? do_wp_page+0x3aa/0x1c90 [] ? handle_mm_fault+0xbc8/0x27f0 [] ? __pmd_alloc+0x370/0x370 [] ? snd_timer_pause+0x80/0x80 [] do_vfs_ioctl+0x193/0x1050 [] ? ioctl_preallocate+0x200/0x200 [] ? syscall_trace_enter+0x3cf/0xdb0 [] ? __context_tracking_exit.part.4+0x9a/0x1e0 [] ? exit_to_usermode_loop+0x190/0x190 [] ? check_preemption_disabled+0x37/0x1e0 [] ? security_file_ioctl+0x89/0xb0 [] SyS_ioctl+0x8f/0xc0 [] ? do_vfs_ioctl+0x1050/0x1050 [] do_syscall_64+0x1c4/0x4e0 [] entry_SYSCALL64_slow_path+0x25/0x25 Code: e8 fc 42 7b fe 8b 0d 06 8a 50 03 49 0f af cf 48 85 c9 0f 88 7c 01 00 00 48 89 4d a8 e8 e0 42 7b fe 48 8b 45 c0 48 8b 4d a8 48 99 <48> f7 f9 49 01 c7 e8 cb 42 7b fe 48 8b 55 d0 48 b8 00 00 00 00 RIP [] snd_hrtimer_callback+0x1da/0x3f0 RSP ---[ end trace 6aa380f756a21074 ]--- The problem happens when you call ioctl(SNDRV_TIMER_IOCTL_CONTINUE) on a completely new/unused timer -- it will have ->sticks == 0, which causes a divide by 0 in snd_hrtimer_callback(). Signed-off-by: Vegard Nossum Cc: Signed-off-by: Takashi Iwai sound/core/timer.c | 1 + 1 file changed, 1 insertion(+) commit 6654674cb7b5953ac04fc9d7f5f511676ae97e29 Author: Jorik Jonker Date: Sat Aug 27 21:04:33 2016 +0200 clk: sunxi-ng: Fix wrong reset register offsets The reset register offsets for UART*, I2C* and SCR were off by a few bytes. Signed-off-by: Jorik Jonker Signed-off-by: Maxime Ripard drivers/clk/sunxi-ng/ccu-sun8i-h3.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) commit da43bf0c21e57fff0221da5de0a9a388ec0d27cd Author: Paul Gortmaker Date: Mon Aug 15 18:24:59 2016 -0400 intel_pmic_gpio: Make explicitly non-modular The Kconfig entry controlling compilation of this code is: drivers/platform/x86/Kconfig:config GPIO_INTEL_PMIC drivers/platform/x86/Kconfig: bool "Intel PMIC GPIO support" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple traces of modular infrastructure use, so that when reading the driver there is no doubt it is builtin-only. We delete the MODULE_LICENSE tag etc. since all that information was (or is now) contained at the top of the file in the comments. We don't replace module.h with init.h since the file already has that. Cc: Alek Du Cc: platform-driver-x86@vger.kernel.org Signed-off-by: Paul Gortmaker Signed-off-by: Darren Hart drivers/platform/x86/intel_pmic_gpio.c | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) commit f48d1496b8537d75776478c6942dd87f34d7f270 Author: Paul Gortmaker Date: Mon Aug 15 18:25:17 2016 -0400 platform/olpc: Make ec explicitly non-modular The Kconfig entry controlling compilation of this code is: arch/x86/Kconfig:config OLPC arch/x86/Kconfig: bool "One Laptop Per Child support" ...meaning that it currently is not being built as a module by anyone. Lets remove the couple traces of modular infrastructure use, so that when reading the driver there is no doubt it is builtin-only. We delete the MODULE_LICENSE tag etc. since all that information was (or is now) contained at the top of the file in the comments. Cc: platform-driver-x86@vger.kernel.org Signed-off-by: Paul Gortmaker Acked-by: Andres Salomon Signed-off-by: Darren Hart drivers/platform/olpc/olpc-ec.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit b99b43bb4bdf1d361f7487cf03d803082bbf9101 Author: Owen Lin Date: Fri Aug 26 13:49:09 2016 +0800 Add Killer E2500 device ID in alx driver. Signed-off-by: David S. Miller drivers/net/ethernet/atheros/alx/main.c | 2 ++ drivers/net/ethernet/atheros/alx/reg.h | 1 + 2 files changed, 3 insertions(+) commit 2fb04fdf30192ff1e2b5834e9b7745889ea8bbcb Author: Russell King Date: Sat Aug 27 17:33:03 2016 +0100 net: smc91x: fix SMC accesses Commit b70661c70830 ("net: smc91x: use run-time configuration on all ARM machines") broke some ARM platforms through several mistakes. Firstly, the access size must correspond to the following rule: (a) at least one of 16-bit or 8-bit access size must be supported (b) 32-bit accesses are optional, and may be enabled in addition to the above. Secondly, it provides no emulation of 16-bit accesses, instead blindly making 16-bit accesses even when the platform specifies that only 8-bit is supported. Reorganise smc91x.h so we can make use of the existing 16-bit access emulation already provided - if 16-bit accesses are supported, use 16-bit accesses directly, otherwise if 8-bit accesses are supported, use the provided 16-bit access emulation. If neither, BUG(). This exactly reflects the driver behaviour prior to the commit being fixed. Since the conversion incorrectly cut down the available access sizes on several platforms, we also need to go through every platform and fix up the overly-restrictive access size: Arnd assumed that if a platform can perform 32-bit, 16-bit and 8-bit accesses, then only a 32-bit access size needed to be specified - not so, all available access sizes must be specified. This likely fixes some performance regressions in doing this: if a platform does not support 8-bit accesses, 8-bit accesses have been emulated by performing a 16-bit read-modify-write access. Tested on the Intel Assabet/Neponset platform, which supports only 8-bit accesses, which was broken by the original commit. Fixes: b70661c70830 ("net: smc91x: use run-time configuration on all ARM machines") Signed-off-by: Russell King Tested-by: Robert Jarzmik Signed-off-by: David S. Miller arch/arm/mach-pxa/idp.c | 3 +- arch/arm/mach-pxa/xcep.c | 3 +- arch/arm/mach-realview/core.c | 3 +- arch/arm/mach-sa1100/pleb.c | 2 +- arch/blackfin/mach-bf561/boards/cm_bf561.c | 3 +- arch/blackfin/mach-bf561/boards/ezkit.c | 3 +- drivers/net/ethernet/smsc/smc91x.c | 7 ++++ drivers/net/ethernet/smsc/smc91x.h | 65 +++++++++++++++++++++--------- include/linux/smc91x.h | 10 +++++ 9 files changed, 73 insertions(+), 26 deletions(-) commit 7d13eca09ed5e477f6ecfd97a35058762228b5e4 Author: Florian Fainelli Date: Sat Aug 27 15:34:20 2016 -0700 Documentation: networking: dsa: Remove platform device TODO Since commit 83c0afaec7b7 ("net: dsa: Add new binding implementation"), the shortcomings of the dsa platform device have been addressed, remove that TODO item. Signed-off-by: Florian Fainelli Acked-by: Andrew Lunn Signed-off-by: David S. Miller Documentation/networking/dsa/dsa.txt | 20 -------------------- 1 file changed, 20 deletions(-) commit e4d986a878e0eb9e46f851a564189f8204cc677f Merge: 9dbeea7 e5835f2 Author: David S. Miller Date: Sun Aug 28 23:24:24 2016 -0400 Merge branch 'mlx5-series' Saeed Mahameed says: ==================== Mellanox 100G mlx5 fixes 2016-08-29 This series contains some bug fixes for the mlx5 core and mlx5 ethernet driver. From Saeed, Fix UMR to consider hardware translation table field size limitation when calculating the maximum number of MTTs required by the driver. Three patches to speed-up netdevice close time by serializing channel (SQs & RQs) destruction rather than issuing and waiting for hardware interrupts to free them. From Eran, Fix ethtool ring parameter reporting for striding RQ layout. Add error prints on ETS validation failure. From Kamal, Fix memory leak on error flow. From Maor, Fix ethtool steering priorities number. ==================== Signed-off-by: David S. Miller commit e5835f2833b12808c53aa621d1d3aa085706b5b3 Author: Maor Gottlieb Date: Mon Aug 29 01:13:50 2016 +0300 net/mlx5: Increase number of ethtool steering priorities Ethtool has 11 flow tables, each flow table has its own priority. Increase the number of priorities to be aligned with the number of flow tables. Fixes: 1174fce8d141 ('net/mlx5e: Support l3/l4 flow type specs in ethtool flow steering') Signed-off-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/fs_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 1722b9694ecfbc602865017c3fa6da0e3ec234d8 Author: Eran Ben Elisha Date: Mon Aug 29 01:13:49 2016 +0300 net/mlx5: Add error prints when validate ETS failed Upon set ETS failure due to user invalid input, add error prints to specify the exact error to the user. Fixes: cdcf11212b22 ('net/mlx5e: Validate BW weight values of ETS') Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_dcbnl.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) commit bf50082c15eb2bc47d1922e70f424c57f36646d5 Author: Kamal Heib Date: Mon Aug 29 01:13:48 2016 +0300 net/mlx5e: Fix memory leak if refreshing TIRs fails Free 'in' command object also when mlx5_core_modify_tir fails. Fixes: 724b2aa15126 ("net/mlx5e: TIRs management refactoring") Signed-off-by: Kamal Heib Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_common.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit c8cf78fe100b0d152a1932327c24cefc0ba4bdbe Author: Tariq Toukan Date: Mon Aug 29 01:13:47 2016 +0300 net/mlx5e: Add ethtool counter for TX xmit_more Add a counter in ethtool for the number of times that TX xmit_more was used. Signed-off-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 1 + drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 4 ++++ drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 + 3 files changed, 6 insertions(+) commit cc8e9ebf952699cb6870f1366a4920d05b036e31 Author: Eran Ben Elisha Date: Mon Aug 29 01:13:46 2016 +0300 net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ The driver RQ has two possible configurations: striding RQ and non-striding RQ. Until this patch, the driver always reported the number of hardware WQEs (ring descriptors). For non striding RQ configuration, this was OK since we have one WQE per pending packet For striding RQ, multiple packets can fit into one WQE. For better user experience we normalize the rx_pending parameter (size of wqe/mtu) as the average ring size in case of striding RQ. Fixes: 461017cb006a ('net/mlx5e: Support RX multi-packet WQE ...') Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller .../net/ethernet/mellanox/mlx5/core/en_ethtool.c | 76 +++++++++++++++++++--- 1 file changed, 67 insertions(+), 9 deletions(-) commit 6e8dd6d6f4bd2fd6fefdbf2e73bf251e36db59af Author: Saeed Mahameed Date: Mon Aug 29 01:13:45 2016 +0300 net/mlx5e: Don't wait for SQ completions on close Instead of asking the firmware to flush the SQ (Send Queue) via asynchronous completions when moved to error, we handle SQ flush manually (mlx5e_free_tx_descs) same as we did when SQ flush got timed out or on tx_timeout. This will reduce SQs flush time and speedup interface down procedure. Moved mlx5e_free_tx_descs to the end of en_tx.c for tx critical code locality. Fixes: 29429f3300a3 ('net/mlx5e: Timeout if SQ doesn't flush during close') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 3 +- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 38 ++----------- drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 67 +++++++++++------------ drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c | 6 +- 4 files changed, 44 insertions(+), 70 deletions(-) commit 8484f9ed13b26043be80ff5774506024956eae8f Author: Saeed Mahameed Date: Mon Aug 29 01:13:44 2016 +0300 net/mlx5e: Don't post fragmented MPWQE when RQ is disabled ICO (Internal control operations) SQ (Send Queue) is closed/disabled after RQ (Receive Queue). After RQ is closed an ICO SQ completion might post a fragmented MPWQE (Multi Packet Work Queue Element) into that RQ. As on regular RQ post, check if we are allowed to post to that RQ (RQ is enabled). Cleanup in-progress UMR MPWQE on mlx5e_free_rx_descs if needed. Fixes: bc77b240b3c5 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 4 ++++ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 6 ++++++ 2 files changed, 10 insertions(+) commit f2fde18c52a7367a8f6cf6855e2a7174e601c8ee Author: Saeed Mahameed Date: Mon Aug 29 01:13:43 2016 +0300 net/mlx5e: Don't wait for RQ completions on close This will significantly reduce receive queue flush time on interface down. Instead of asking the firmware to flush the RQ (Receive Queue) via asynchronous completions when moved to error, we handle RQ flush manually (mlx5e_free_rx_descs) same as we did when RQ flush got timed out. This will reduce RQs flush time and speedup interface down procedure (ifconfig down) from 6 sec to 0.3 sec on a 48 cores system. Moved mlx5e_free_rx_descs en_main.c where it is needed, to keep en_rx.c free form non critical data path code for better code locality. Fixes: 6cd392a082de ('net/mlx5e: Handle RQ flush in error cases') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 4 +-- drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 37 +++++++++++------------ drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 23 ++------------ 3 files changed, 22 insertions(+), 42 deletions(-) commit fe4c988bdd1cc60402a4e3ca3976a686ea991b5a Author: Saeed Mahameed Date: Mon Aug 29 01:13:42 2016 +0300 net/mlx5e: Limit UMR length to the device's limitation ConnectX-4 UMR (User Memory Region) MTT translation table offset in WQE is limited to U16_MAX, before this patch we ignored that limitation and requested the maximum possible UMR translation length that the netdev might need (MAX channels * MAX pages per channel). In case of a system with #cores > 32 and when linear WQE allocation fails, falling back to using UMR WQEs will cause the RQ (Receive Queue) to get stuck. Here we limit UMR length to min(U16_MAX, max required pages) (while considering the required alignments) on driver load, by default U16_MAX is sufficient since the default RX rings value guarantees that we are in range, dynamically (on set_ringparam/set_channels) we will check if the new required UMR length (num mtts) is still in range, if not, fail the request. Fixes: bc77b240b3c5 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE') Signed-off-by: Saeed Mahameed Signed-off-by: David S. Miller drivers/net/ethernet/mellanox/mlx5/core/en.h | 14 +++++++------- drivers/net/ethernet/mellanox/mlx5/core/en_ethtool.c | 19 +++++++++++++++++++ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 11 ++++++++--- drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 12 ++++++------ 4 files changed, 40 insertions(+), 16 deletions(-) commit 78a3e8889b4b6b99775ed954696ff3e017f5d19b Author: Cyril Bur Date: Tue Aug 23 10:46:17 2016 +1000 powerpc: signals: Discard transaction state from signal frames Userspace can begin and suspend a transaction within the signal handler which means they might enter sys_rt_sigreturn() with the processor in suspended state. sys_rt_sigreturn() wants to restore process context (which may have been in a transaction before signal delivery). To do this it must restore TM SPRS. To achieve this, any transaction initiated within the signal frame must be discarded in order to be able to restore TM SPRs as TM SPRs can only be manipulated non-transactionally.. >From the PowerPC ISA: TM Bad Thing Exception [Category: Transactional Memory] An attempt is made to execute a mtspr targeting a TM register in other than Non-transactional state. Not doing so results in a TM Bad Thing: [12045.221359] Kernel BUG at c000000000050a40 [verbose debug info unavailable] [12045.221470] Unexpected TM Bad Thing exception at c000000000050a40 (msr 0x201033) [12045.221540] Oops: Unrecoverable exception, sig: 6 [#1] [12045.221586] SMP NR_CPUS=2048 NUMA PowerNV [12045.221634] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables kvm_hv kvm uio_pdrv_genirq ipmi_powernv uio powernv_rng ipmi_msghandler autofs4 ses enclosure scsi_transport_sas bnx2x ipr mdio libcrc32c [12045.222167] CPU: 68 PID: 6178 Comm: sigreturnpanic Not tainted 4.7.0 #34 [12045.222224] task: c0000000fce38600 ti: c0000000fceb4000 task.ti: c0000000fceb4000 [12045.222293] NIP: c000000000050a40 LR: c0000000000163bc CTR: 0000000000000000 [12045.222361] REGS: c0000000fceb7ac0 TRAP: 0700 Not tainted (4.7.0) [12045.222418] MSR: 9000000300201033 CR: 28444280 XER: 20000000 [12045.222625] CFAR: c0000000000163b8 SOFTE: 0 PACATMSCRATCH: 900000014280f033 GPR00: 01100000b8000001 c0000000fceb7d40 c00000000139c100 c0000000fce390d0 GPR04: 900000034280f033 0000000000000000 0000000000000000 0000000000000000 GPR08: 0000000000000000 b000000000001033 0000000000000001 0000000000000000 GPR12: 0000000000000000 c000000002926400 0000000000000000 0000000000000000 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR24: 0000000000000000 00003ffff98cadd0 00003ffff98cb470 0000000000000000 GPR28: 900000034280f033 c0000000fceb7ea0 0000000000000001 c0000000fce390d0 [12045.223535] NIP [c000000000050a40] tm_restore_sprs+0xc/0x1c [12045.223584] LR [c0000000000163bc] tm_recheckpoint+0x5c/0xa0 [12045.223630] Call Trace: [12045.223655] [c0000000fceb7d80] [c000000000026e74] sys_rt_sigreturn+0x494/0x6c0 [12045.223738] [c0000000fceb7e30] [c0000000000092e0] system_call+0x38/0x108 [12045.223806] Instruction dump: [12045.223841] 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8 [12045.223955] 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020 [12045.224074] ---[ end trace cb8002ee240bae76 ]--- It isn't clear exactly if there is really a use case for userspace returning with a suspended transaction, however, doing so doesn't (on its own) constitute a bad frame. As such, this patch simply discards the transactional state of the context calling the sigreturn and continues. Reported-by: Laurent Dufour Signed-off-by: Cyril Bur Tested-by: Laurent Dufour Reviewed-by: Laurent Dufour Acked-by: Simon Guo Signed-off-by: Benjamin Herrenschmidt Documentation/powerpc/transactional_memory.txt | 2 ++ arch/powerpc/kernel/signal_32.c | 14 ++++++++++++++ arch/powerpc/kernel/signal_64.c | 14 ++++++++++++++ 3 files changed, 30 insertions(+) commit a9cbf0b2195b695cbeeeecaa4e2770948c212e9a Author: Mukesh Ojha Date: Mon Aug 22 12:17:44 2016 +0530 powerpc/powernv : Drop reference added by kset_find_obj() In a situation, where Linux kernel gets notified about duplicate error log from OPAL, it is been observed that kernel fails to remove sysfs entries (/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because, we currently search the error log/dump kobject in the kset list via 'kset_find_obj()' routine. Which eventually increment the reference count by one, once it founds the kobject. So, unless we decrement the reference count by one after it found the kobject, we would not be able to release the kobject properly later. This patch adds the 'kobject_put()' which was missing earlier. Signed-off-by: Mukesh Ojha Cc: stable@vger.kernel.org Reviewed-by: Vasant Hegde Signed-off-by: Benjamin Herrenschmidt arch/powerpc/platforms/powernv/opal-dump.c | 7 ++++++- arch/powerpc/platforms/powernv/opal-elog.c | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) commit cc7786d3ee7e3c979799db834b528db2c0834c2e Author: Nicholas Piggin Date: Mon Jul 25 14:26:51 2016 +1000 powerpc/tm: do not use r13 for tabort_syscall tabort_syscall runs with RI=1, so a nested recoverable machine check will load the paca into r13 and overwrite what we loaded it with, because exceptions returning to privileged mode do not restore r13. Fixes: b4b56f9ecab4 (powerpc/tm: Abort syscalls in active transactions) Cc: stable@vger.kernel.org Signed-off-by: Nick Piggin Signed-off-by: Benjamin Herrenschmidt arch/powerpc/kernel/entry_64.S | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) commit 17de0a9ff3df8f54f2f47746d118112d4e61d973 Author: Christoph Hellwig Date: Mon Aug 29 11:33:58 2016 +1000 iomap: don't set FIEMAP_EXTENT_MERGED for extent based filesystems Filesystems like XFS that use extents should not set the FIEMAP_EXTENT_MERGED flag in the fiemap extent structures. To allow for both behaviors for the upcoming gfs2 usage split the iomap type field into type and flags, and only set FIEMAP_EXTENT_MERGED if the IOMAP_F_MERGED flag is set. The flags field will also come in handy for future features such as shared extents on reflink-enabled file systems. Reported-by: Andreas Gruenbacher Signed-off-by: Christoph Hellwig Acked-by: Darrick J. Wong Signed-off-by: Dave Chinner fs/iomap.c | 5 ++++- include/linux/iomap.h | 8 +++++++- 2 files changed, 11 insertions(+), 2 deletions(-) commit 3eab887a55424fc2c27553b7bfe32330df83f7b8 Author: Linus Torvalds Date: Sun Aug 28 15:04:33 2016 -0700 Linux 4.8-rc4 Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 25d0d91af77089ddf378568fd858b22612c52aff Merge: 908e373 add1fa7 Author: Linus Torvalds Date: Sun Aug 28 14:31:36 2016 -0700 Merge tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux Pull drm fixes from Dave Airlie: "A bunch of fixes covering i915, amdgpu, one tegra and some core DRM ones. Nothing too strange at this point" * tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux: (21 commits) drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates. drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION drm/amdgpu: skip TV/CV in display parsing drm/amdgpu: avoid a possible array overflow drm/amdgpu: fix lru size grouping v2 drm/tegra: dsi: Enhance runtime power management drm/i915: Fix botched merge that downgrades CSR versions. drm/i915/skl: Ensure pipes with changed wms get added to the state drm/i915/gen9: Only copy WM results for changed pipes to skl_hw drm/i915/skl: Add support for the SAGV, fix underrun hangs drm/i915/gen6+: Interpret mailbox error flags drm/i915: Reattach comment, complete type specification drm/i915: Unconditionally flush any chipset buffers before execbuf drm/i915/gen9: Drop invalid WARN() during data rate calculation drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2) drm: Reject page_flip for !DRIVER_MODESET drm/amdgpu: fix timeout value check in amd_sched_job_recovery drm/amdgpu: fix sdma_v2_4_ring_test_ib drm/amdgpu: fix amdgpu_move_blit on 32bit systems drm/radeon: fix radeon_move_blit on 32bit systems ... commit add1fa75101263ab4d74240f93000998d4325624 Author: Mario Kleiner Date: Sat Aug 27 01:02:28 2016 +0200 drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates. Due to assigning the 'replaced' value instead of or'ing it, if drm_atomic_crtc_set_property() gets called multiple times, the last call will define the color_mgmt_changed flag, so a non-updating call to a property can reset the flag and prevent actual hw state updates required by preceding property updates. Signed-off-by: Mario Kleiner Cc: Daniel Vetter Cc: # v4.6+ Reviewed-by: Daniel Vetter Signed-off-by: Dave Airlie drivers/gpu/drm/drm_atomic.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) commit d138027a8256a3e9d7657c8d0dae84c08ef2cfe1 Author: Trond Myklebust Date: Sun Aug 28 12:19:04 2016 -0400 NFSv4.1: Remove obsolete and incorrrect assignment in nfs4_callback_sequence Signed-off-by: Trond Myklebust fs/nfs/callback_proc.c | 1 - 1 file changed, 1 deletion(-) commit 2e80dbe7ac51a911e8a828407b1a48c5ba938cd2 Author: Trond Myklebust Date: Sun Aug 28 11:50:26 2016 -0400 NFSv4.1: Close callback races for OPEN, LAYOUTGET and LAYOUTRETURN Defer freeing the slot until after we have processed the results from OPEN and LAYOUTGET. This means that the server can rely on the mechanism in RFC5661 Section 2.10.6.3 to ensure that replies to an OPEN or LAYOUTGET/RETURN RPC call don't race with the callbacks that apply to them. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 78 +++++++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 65 insertions(+), 13 deletions(-) commit 07e8dcbda71ef87e9cbdc42b5bb16a44c1ab839b Author: Trond Myklebust Date: Sun Aug 28 10:28:25 2016 -0400 NFSv4.1: Defer bumping the slot sequence number until we free the slot For operations like OPEN or LAYOUTGET, which return recallable state (i.e. delegations and layouts) we want to enable the mechanism for resolving recall races in RFC5661 Section 2.10.6.3. To do so, we will want to defer bumping the slot's sequence number until we have finished processing the RPC results. Signed-off-by: Trond Myklebust fs/nfs/nfs4proc.c | 9 +++++++-- fs/nfs/nfs4session.h | 3 ++- 2 files changed, 9 insertions(+), 3 deletions(-) commit 045d2a6d076a2ecd7043ea543ea198af943f8b16 Author: Trond Myklebust Date: Sun Aug 28 13:25:43 2016 -0400 NFSv4.1: Delay callback processing when there are referring triples If CB_SEQUENCE tells us that the processing of this request depends on the completion of one or more referring triples (see RFC 5661 Section 2.10.6.3), delay the callback processing until after the RPC requests being referred to have completed. If we end up delaying for more than 1/2 second, then fall back to returning NFS4ERR_DELAY in reply to the callback. Signed-off-by: Trond Myklebust fs/nfs/callback_proc.c | 4 ++-- fs/nfs/nfs4proc.c | 2 ++ fs/nfs/nfs4session.c | 22 +++++++++++++++++++++- fs/nfs/nfs4session.h | 5 ++++- 4 files changed, 29 insertions(+), 4 deletions(-) commit e09c978aae5bedfdb379be80363b024b7d82638b Author: Trond Myklebust Date: Sat Aug 27 23:44:04 2016 -0400 NFSv4.1: Fix Oopsable condition in server callback races The slot table hasn't been an array since v3.7. Ensure that we use nfs4_lookup_slot() to access the slot correctly. Fixes: 87dda67e7386 ("NFSv4.1: Allow SEQUENCE to resize the slot table...") Signed-off-by: Trond Myklebust Cc: stable@vger.kernel.org # v3.8+ fs/nfs/callback_proc.c | 5 +---- fs/nfs/nfs4session.c | 33 +++++++++++++++++++++++++++++++++ fs/nfs/nfs4session.h | 1 + 3 files changed, 35 insertions(+), 4 deletions(-) commit 908e373f1c8102505d13cdb61ad56c1686d6a583 Merge: 5d84ee7 8b6a3fe Author: Linus Torvalds Date: Sun Aug 28 10:02:23 2016 -0700 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Thomas Gleixner: "A few fixes from the perf departement - prevent a imbalanced preemption disable in the events teardown code - prevent out of bound acces in perf userspace - make perf tools compile with UCLIBC again - a fix for the userspace unwinder utility" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/core: Use this_cpu_ptr() when stopping AUX events perf evsel: Do not access outside hw cache name arrays tools lib: Reinstate strlcpy() header guard with __UCLIBC__ perf unwind: Use addr_location::addr instead of ip for entries commit 5d84ee7964489acea418122edf54d55f980a0383 Merge: 4340393 2e63ad4 Author: Linus Torvalds Date: Sun Aug 28 10:00:21 2016 -0700 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Thomas Gleixner: "A single bugfix to prevent irq remapping when the ioapic is disabled" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/apic: Do not init irq remapping if ioapic is disabled commit 4340393e5a507a9a91bf807a03c73407a1344e20 Merge: 037d240 2564970 Author: Linus Torvalds Date: Sun Aug 28 09:52:40 2016 -0700 Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fixes from Thomas Gleixner: "This lot provides: - plug a hotplug race in the new affinity infrastructure - a fix for the trigger type of chained interrupts - plug a potential memory leak in the core code - a few fixes for ARM and MIPS GICs" * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: irqchip/mips-gic: Implement activate op for device domain irqchip/mips-gic: Cleanup chip and handler setup genirq/affinity: Use get/put_online_cpus around cpumask operations genirq: Fix potential memleak when failing to get irq pm irqchip/gicv3-its: Disable the ITS before initializing it irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts irqchip/gic: Allow self-SGIs for SMP on UP configurations genirq: Correctly configure the trigger on chained interrupts commit d78d383ab354b0b9e1d23404ae0d9fbdeb9aa035 Author: Rob Clark Date: Mon Aug 22 15:28:38 2016 -0400 drm/msm: protect against faults from copy_from_user() in submit ioctl An evil userspace could try to cause deadlock by passing an unfaulted-in GEM bo as submit->bos (or submit->cmds) table. Which will trigger msm_gem_fault() while we already hold struct_mutex. See: https://github.com/freedreno/msmtest/blob/master/evilsubmittest.c Cc: stable@vger.kernel.org Signed-off-by: Rob Clark drivers/gpu/drm/msm/msm_drv.h | 6 ++++++ drivers/gpu/drm/msm/msm_gem.c | 9 +++++++++ drivers/gpu/drm/msm/msm_gem_submit.c | 3 +++ 3 files changed, 18 insertions(+) commit 89f82cbb0d5c0ab768c8d02914188aa2211cd2e3 Author: Rob Clark Date: Mon Aug 22 15:15:23 2016 -0400 drm/msm: fix use of copy_from_user() while holding spinlock Use instead __copy_from_user_inatomic() and fallback to slow-path where we drop and re-aquire the lock in case of fault. Cc: stable@vger.kernel.org Reported-by: Vaishali Thakkar Signed-off-by: Rob Clark drivers/gpu/drm/msm/msm_gem_submit.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) commit 037d2405d0ca0d276c481e40b98fb40e5d0360b8 Merge: af56ff2 b53e7d0 Author: Linus Torvalds Date: Sun Aug 28 09:03:05 2016 -0700 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull timer fixes from Thomas Gleixner: "A few updates for timers & co: - prevent a livelock in the timekeeping code when debugging is enabled - prevent out of bounds access in the timekeeping debug code - various fixes in clocksource drivers - a new maintainers entry" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function drivers/clocksource/pistachio: Fix memory corruption in init clocksource/drivers/timer-atmel-pit: Enable mck clock clocksource/drivers/pxa: Fix include files for compilation MAINTAINERS: Add ARM ARCHITECTED TIMER entry timekeeping: Cap array access in timekeeping_debug timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING commit 4d8c6a7946d53648d9ed0e3852a1c81ce07d40db Author: Sagi Grimberg Date: Fri Aug 26 00:37:52 2016 +0300 nvme-rdma: Get rid of redundant defines Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig drivers/nvme/host/rdma.c | 4 ---- 1 file changed, 4 deletions(-) commit f5b7b559e14881b27d76f9c97817ec82bfc48827 Author: Sagi Grimberg Date: Wed Aug 24 12:25:56 2016 +0300 nvme-rdma: Get rid of duplicate variable We already have need_inval in ib_mr, lets use that instead. Signed-off-by: Sagi Grimberg Reviewed-by: Christoph Hellwig drivers/nvme/host/rdma.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) commit af56ff27eba54fceee5f5643e79bf6531f2e1739 Merge: 5e608a0 ba913e4 Author: Linus Torvalds Date: Sat Aug 27 15:51:50 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull KVM fixes from Paolo Bonzini: "ARM: - fixes for ITS init issues, error handling, IRQ leakage, race conditions - an erratum workaround for timers - some removal of misleading use of errors and comments - a fix for GICv3 on 32-bit guests MIPS: - fix for where the guest could wrongly map the first page of physical memory x86: - nested virtualization fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: MIPS: KVM: Check for pfn noslot case kvm: nVMX: fix nested tsc scaling KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC arm64: KVM: report configured SRE value to 32-bit world arm64: KVM: remove misleading comment on pmu status KVM: arm/arm64: timer: Workaround misconfigured timer interrupt arm64: Document workaround for Cortex-A72 erratum #853709 KVM: arm/arm64: Change misleading use of is_error_pfn KVM: arm64: ITS: avoid re-mapping LPIs KVM: arm64: check for ITS device on MSI injection KVM: arm64: ITS: move ITS registration into first VCPU run KVM: arm64: vgic-its: Make updates to propbaser/pendbaser atomic KVM: arm64: vgic-its: Plug race in vgic_put_irq KVM: arm64: vgic-its: Handle errors from vgic_add_lpi KVM: arm64: ITS: return 1 on successful MSI injection commit 5e608a027082ae426e100a582031e0ff40becc83 Merge: 65fc7d5 11bd969 Author: Linus Torvalds Date: Fri Aug 26 23:12:12 2016 -0700 Merge branch 'akpm' (patches from Andrew) Merge fixes from Andrew Morton: "11 fixes" * emailed patches from Andrew Morton : mm: silently skip readahead for DAX inodes dax: fix device-dax region base fs/seq_file: fix out-of-bounds read mm: memcontrol: avoid unused function warning mm: clarify COMPACTION Kconfig text treewide: replace config_enabled() with IS_ENABLED() (2nd round) printk: fix parsing of "brl=" option soft_dirty: fix soft_dirty during THP split sysctl: handle error writing UINT_MAX to u32 fields get_maintainer: quiet noisy implicit -f vcs_file_exists checking byteswap: don't use __builtin_bswap*() with sparse commit 65fc7d54efb6b03dcf61d98aa0fd68fe968c211c Merge: a3d3469 fd363bd Author: Linus Torvalds Date: Fri Aug 26 23:05:19 2016 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull ARM64 fix from Catalin Marinas: "ARM64 fix to avoid potential TLB conflict when CONFIG_RANDOMIZE_BASE is enabled" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: avoid TLB conflict with CONFIG_RANDOMIZE_BASE commit a3d34698086aec78ca9169b338468e3ce9bd4b3c Merge: 03cef71 049b1e7 Author: Linus Torvalds Date: Fri Aug 26 23:01:09 2016 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma Pull rdma fixes from Doug Ledford: "Round one of 4.8 rc fixes. This should be the bulk of the -rc fixes for 4.8. I only have a few things that are still outstanding (two ipoib bugs for which the solution is not yet fully known, and a few queued items that came in after my last push and I didn't want to delay this pull request for late comers again). Even though the patch count is kind of high, everything is minor fixes so the overall churn is pretty low. Summary: - minor fixes to cxgb4 - minor fixes to mlx4 - one minor fix each to core, rxe, isert, srpt, mlx5, ocrdma, and usnic - six or so fixes to i40iw fixes - the rest are hfi1 fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (34 commits) i40iw: Send last streaming mode message for loopback connections IB/srpt: Update sport->port_guid with each port refresh RDMA/ocrdma: Fix the max_sge reported from FW i40iw: Avoid writing to freed memory i40iw: Fix double free of allocated_buffer IB/mlx5: Remove superfluous include of io-mapping.h i40iw: Do not set self-referencing pointer to NULL after kfree i40iw: Add missing NULL check for MPA private data iw_cxgb4: Fix cxgb4 arm CQ logic w/IB_CQ_REPORT_MISSED_EVENTS i40iw: Add missing check for interface already open i40iw: Protect req_resource_num update i40iw: Change mem_resources pointer to a u8 IB/core: Use memdup_user() rather than duplicating its implementation IB/qib: Use memdup_user() rather than duplicating its implementation iw_cxgb4: use the MPA initiator's IRD if < our ORD iw_cxgb4: limit IRD/ORD advertised to ULP by device max. IB/hfi1: Fix mm_struct use after free IB/rdmvat: Fix double vfree() in rvt_create_qp() error path IB/hfi1: Improve J_KEY generation IB/hfi1: Return invalid field for non-QSFP CableInfo queries ... commit 03cef71062cf185e95d588d90406f27bad740b3c Merge: 28687b9 a820cd3 Author: Linus Torvalds Date: Fri Aug 26 22:53:21 2016 -0700 Merge tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Here are a bunch of fixes as you can see in diffstat. One core change in ASoC is about the unexpected unbinding error, and another about debugfs cleanup. The rest are wide-spread driver-specific fixes: a series of LINE6 USB fixes, a HD-audio quirk, and various ASoC fixes including OMAP boot fixes and Intel SKL fixes" * tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (22 commits) ALSA: hda/realtek - fix headset mic detection for MSI MS-B120 ASoC: omap-mcpdm: Fix irq resource handling ASoC: max98371: Add terminate entry for i2c_device_id tables ALSA: line6: Fix POD sysfs attributes segfault ALSA: line6: Give up on the lock while URBs are released. ALSA: line6: Remove double line6_pcm_release() after failed acquire. ASoC: omap-abe-twl6040: Correct dmic-codec device registration ASoC: core: Clean up DAPM before the card debugfs ASoC: omap-mcpdm: Drop pdmclk clock handling ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup ASoC: compress: Fix leak of a widget list in soc_compr_open_fe ASoC: Intel: Skylake: Fix error return code in skl_probe() ASoC: wm2000: Fix return of uninitialised varible ASoC: Fix leak of rtd in soc_bind_dai_link ASoC: da7213: Default to 64 BCLKs per WCLK to support all formats ASoC: nau8825: fix static check error about semaphone control ASoC: nau8825: fix bug in playback when suspend ASoC: samsung: Fix clock handling in S3C24XX_UDA134X card ASoC: simple-card-utils: add missing MODULE_xxx() ASoC: Intel: Skylake: Check list empty while getting module info ... commit 9dbeea7f08f3784b152d9fb3b86beb34aad77c72 Author: Eric Dumazet Date: Fri Aug 26 08:51:39 2016 -0700 rhashtable: fix a memory leak in alloc_bucket_locks() If vmalloc() was successful, do not attempt a kmalloc_array() Fixes: 4cf0b354d92e ("rhashtable: avoid large lock-array allocations") Reported-by: CAI Qian Signed-off-by: Eric Dumazet Cc: Florian Westphal Acked-by: Herbert Xu Tested-by: CAI Qian Signed-off-by: David S. Miller lib/rhashtable.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) commit e70c70c38d7a5ced76fc8b1c4a7ccee76e9c2911 Author: Andrew Rybchenko Date: Fri Aug 26 11:19:34 2016 +0100 sfc: fix potential stack corruption from running past stat bitmask On 32-bit systems, mask is only an array of 3 longs, not 4, so don't try to write to mask[3]. Also include build-time checks in case the size of the bitmask changes. Fixes: 3c36a2aded8c ("sfc: display vadaptor statistics for all interfaces") Signed-off-by: Edward Cree Signed-off-by: David S. Miller drivers/net/ethernet/sfc/ef10.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 5c1f5b457b86a263d0e21c8f3ebe83d515e7bcce Merge: c15e07b 4f34228 Author: David S. Miller Date: Fri Aug 26 21:09:17 2016 -0700 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth Johan Hedberg says: ==================== pull request: bluetooth 2016-08-25 Here are a couple of important Bluetooth fixes for the 4.8 kernel: - Memory leak fix for HCI requests - Fix sk_filter handling with L2CAP - Fix sock_recvmsg behavior when MSG_TRUNC is not set Please let me know if there are any issues pulling. Thanks. ==================== Signed-off-by: David S. Miller commit 28687b935e93a9041a485b9ecdcab0e335f8eda5 Merge: 370f601 28a2359 Author: Linus Torvalds Date: Fri Aug 26 20:22:01 2016 -0700 Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs Pull btrfs fixes from Chris Mason: "We've queued up a few different fixes in here. These range from enospc corners to fsync and quota fixes, and a few targeted at error handling for corrupt metadata/fuzzing" * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs: Btrfs: fix lockdep warning on deadlock against an inode's log mutex Btrfs: detect corruption when non-root leaf has zero item Btrfs: check btree node's nritems btrfs: don't create or leak aliased root while cleaning up orphans Btrfs: fix em leak in find_first_block_group btrfs: do not background blkdev_put() Btrfs: clarify do_chunk_alloc()'s return value btrfs: fix fsfreeze hang caused by delayed iputs deal btrfs: update btrfs_space_info's bytes_may_use timely btrfs: divide btrfs_update_reserved_bytes() into two functions btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster() btrfs: qgroup: Fix qgroup incorrectness caused by log replay btrfs: relocation: Fix leaking qgroups numbers on data extents btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent() btrfs: waiting on qgroup rescan should not always be interruptible btrfs: properly track when rescan worker is running btrfs: flush_space: treat return value of do_chunk_alloc properly Btrfs: add ASSERT for block group's memory leak btrfs: backref: Fix soft lockup in __merge_refs function Btrfs: fix memory leak of reloc_root commit 370f6017295da81189d9aaed24e68c36e68a8947 Merge: 6ec675e 079d37d Author: Linus Torvalds Date: Fri Aug 26 20:18:49 2016 -0700 Merge tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm Pull dlm fix from David Teigland: "This fixes a bug introduced by recent debugfs cleanup" * tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm: dlm: fix malfunction of dlm_tool caused by debugfs changes commit 6ec675ede9d810f162da019db626f1ced63c3093 Merge: 67a8c7d 9c5a559 Author: Linus Torvalds Date: Fri Aug 26 20:15:32 2016 -0700 Merge tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - another stable fix for DM flakey (that tweaks the previous fix that didn't factor in expected 'drop_writes' behavior for read IO). - a dm-log bio operation flags fix for the broader block changes that were merged during the 4.8 merge window. * tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm log: fix unitialized bio operation flags dm flakey: fix reads to be issued if drop_writes configured commit 67a8c7d636886ee05cc139833b8f1aef0e685c2c Merge: fd1ae51 4df3618 Author: Linus Torvalds Date: Fri Aug 26 20:12:35 2016 -0700 Merge tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull IOMMU fixes from Joerg Roedel: "Fixes from Will Deacon: - fix a couple of thinkos in the CMDQ error handling and short-descriptor page table code that have been there since day one - disable stalling faults, since they may result in hardware deadlock - fix an accidental BUG() when passing disable_bypass=1 on the cmdline" * tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass iommu/arm-smmu: Disable stalling faults for all endpoints iommu/arm-smmu: Fix CMDQ error handling iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks commit fd1ae514528bfa7136640301523f646f396134e2 Merge: b09c412 869c554 Author: Linus Torvalds Date: Fri Aug 26 18:50:07 2016 -0700 Merge branch 'for-linus' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Here's a set of block fixes for the current 4.8-rc release. This contains: - a fix for a secure erase regression, from Adrian. - a fix for an mmc use-after-free bug regression, also from Adrian. - potential zero pointer deference in bdev freezing, from Andrey. - a race fix for blk_set_queue_dying() from Bart. - a set of xen blkfront fixes from Bob Liu. - three small fixes for bcache, from Eric and Kent. - a fix for a potential invalid NVMe state transition, from Gabriel. - blk-mq CPU offline fix, preventing us from issuing and completing a request on the wrong queue. From me. - revert two previous floppy changes, since they caused a user visibile regression. A better fix is in the works. - ensure that we don't send down bios that have more than 256 elements in them. Fixes a crash with bcache, for example. From Ming. - a fix for deferencing an error pointer with cgroup writeback. Fixes a regression. From Vegard" * 'for-linus' of git://git.kernel.dk/linux-block: mmc: fix use-after-free of struct request Revert "floppy: refactor open() flags handling" Revert "floppy: fix open(O_ACCMODE) for ioctl-only open" fs/block_dev: fix potential NULL ptr deref in freeze_bdev() blk-mq: improve warning for running a queue on the wrong CPU blk-mq: don't overwrite rq->mq_ctx block: make sure a big bio is split into at most 256 bvecs nvme: Fix nvme_get/set_features() with a NULL result pointer bdev: fix NULL pointer dereference xen-blkfront: free resources if xlvbd_alloc_gendisk fails xen-blkfront: introduce blkif_set_queue_limits() xen-blkfront: fix places not updated after introducing 64KB page granularity bcache: pr_err: more meaningful error message when nr_stripes is invalid bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two. bcache: register_bcache(): call blkdev_put() when cache_alloc() fails block: Fix race triggered by blk_set_queue_dying() block: Fix secure erase nvme: Prevent controller state invalid transition commit b09c412aa4540d13b677a9f4af05f59048b78949 Merge: 219c04c e3a888a Author: Linus Torvalds Date: Fri Aug 26 18:36:23 2016 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input subsystem fixes from Dmitry Torokhov: "Simply small driver fixups" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: ads7846 - remove redundant regulator_disable call Input: synaptics-rmi4 - fix register descriptor subpacket map construction Input: tegra-kbc - fix inverted reset logic Input: silead - use devm_gpiod_get Input: i8042 - set up shared ps2_cmd_mutex for AUX ports commit 219c04cea3f17a6e3ab11d257af741f527c16195 Merge: 61c0457 21c80c9 Author: Linus Torvalds Date: Fri Aug 26 18:26:07 2016 -0700 Merge tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci Pull PCI fixes from Bjorn Helgaas: "Resource management: - Update "pci=resource_alignment" documentation (Mathias Koehrer) MSI: - Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig) - Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig) Intel VMD host bridge driver: - Fix infinite loop executing irq's (Keith Busch)" * tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: x86/PCI: VMD: Fix infinite loop executing irq's PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() PCI: Use positive flags in pci_alloc_irq_vectors() PCI: Update "pci=resource_alignment" documentation commit 11bd969fdefea3ac0cb9791224f1e09784e21e58 Author: Ross Zwisler Date: Thu Aug 25 15:17:17 2016 -0700 mm: silently skip readahead for DAX inodes For DAX inodes we need to be careful to never have page cache pages in the mapping->page_tree. This radix tree should be composed only of DAX exceptional entries and zero pages. ltp's readahead02 test was triggering a warning because we were trying to insert a DAX exceptional entry but found that a page cache page had already been inserted into the tree. This page was being inserted into the radix tree in response to a readahead(2) call. Readahead doesn't make sense for DAX inodes, but we don't want it to report a failure either. Instead, we just return success and don't do any work. Link: http://lkml.kernel.org/r/20160824221429.21158-1-ross.zwisler@linux.intel.com Signed-off-by: Ross Zwisler Reported-by: Jeff Moyer Cc: Dan Williams Cc: Dave Chinner Cc: Dave Hansen Cc: Jan Kara Cc: [4.5+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/readahead.c | 9 +++++++++ 1 file changed, 9 insertions(+) commit d0e5845561c238619de9f5b77e0d763f4c331ca5 Author: Dan Williams Date: Thu Aug 25 15:17:14 2016 -0700 dax: fix device-dax region base The data offset for a dax region needs to account for a reservation in the resource range. Otherwise, device-dax is allowing mappings directly into the memmap or device-info-block area with crash signatures like the following: BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 IP: get_zone_device_page+0x11/0x30 Call Trace: follow_devmap_pmd+0x298/0x2c0 follow_page_mask+0x275/0x530 __get_user_pages+0xe3/0x750 __gfn_to_pfn_memslot+0x1b2/0x450 [kvm] tdp_page_fault+0x130/0x280 [kvm] kvm_mmu_page_fault+0x5f/0xf0 [kvm] handle_ept_violation+0x94/0x180 [kvm_intel] vmx_handle_exit+0x1d3/0x1440 [kvm_intel] kvm_arch_vcpu_ioctl_run+0x81d/0x16a0 [kvm] kvm_vcpu_ioctl+0x33c/0x620 [kvm] do_vfs_ioctl+0xa2/0x5d0 SyS_ioctl+0x79/0x90 entry_SYSCALL_64_fastpath+0x1a/0xa4 Fixes: ab68f2622136 ("/dev/dax, pmem: direct access to persistent memory") Link: http://lkml.kernel.org/r/147205536732.1606.8994275381938837346.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Reported-by: Abhilash Kumar Mulumudi Reported-by: Toshi Kani Tested-by: Toshi Kani Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds drivers/dax/pmem.c | 3 +++ 1 file changed, 3 insertions(+) commit 088bf2ff5d12e2e32ee52a4024fec26e582f44d3 Author: Vegard Nossum Date: Thu Aug 25 15:17:11 2016 -0700 fs/seq_file: fix out-of-bounds read seq_read() is a nasty piece of work, not to mention buggy. It has (I think) an old bug which allows unprivileged userspace to read beyond the end of m->buf. I was getting these: BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880 Read of size 2713 by task trinity-c2/1329 CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 Call Trace: kasan_object_err+0x1c/0x80 kasan_report_error+0x2cb/0x7e0 kasan_report+0x4e/0x80 check_memory_region+0x13e/0x1a0 kasan_check_read+0x11/0x20 seq_read+0xcd2/0x1480 proc_reg_read+0x10b/0x260 do_loop_readv_writev.part.5+0x140/0x2c0 do_readv_writev+0x589/0x860 vfs_readv+0x7b/0xd0 do_readv+0xd8/0x2c0 SyS_readv+0xb/0x10 do_syscall_64+0x1b3/0x4b0 entry_SYSCALL64_slow_path+0x25/0x25 Object at ffff880116889100, in cache kmalloc-4096 size: 4096 Allocated: PID = 1329 save_stack_trace+0x26/0x80 save_stack+0x46/0xd0 kasan_kmalloc+0xad/0xe0 __kmalloc+0x1aa/0x4a0 seq_buf_alloc+0x35/0x40 seq_read+0x7d8/0x1480 proc_reg_read+0x10b/0x260 do_loop_readv_writev.part.5+0x140/0x2c0 do_readv_writev+0x589/0x860 vfs_readv+0x7b/0xd0 do_readv+0xd8/0x2c0 SyS_readv+0xb/0x10 do_syscall_64+0x1b3/0x4b0 return_from_SYSCALL_64+0x0/0x6a Freed: PID = 0 (stack is not available) Memory state around the buggy address: ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Disabling lock debugging due to kernel taint This seems to be the same thing that Dave Jones was seeing here: https://lkml.org/lkml/2016/8/12/334 There are multiple issues here: 1) If we enter the function with a non-empty buffer, there is an attempt to flush it. But it was not clearing m->from after doing so, which means that if we try to do this flush twice in a row without any call to traverse() in between, we are going to be reading from the wrong place -- the splat above, fixed by this patch. 2) If there's a short write to userspace because of page faults, the buffer may already contain multiple lines (i.e. pos has advanced by more than 1), but we don't save the progress that was made so the next call will output what we've already returned previously. Since that is a much less serious issue (and I have a headache after staring at seq_read() for the past 8 hours), I'll leave that for now. Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com Signed-off-by: Vegard Nossum Reported-by: Dave Jones Cc: Al Viro Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds fs/seq_file.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 358c07fcc3b60ab08d77f1684de8bd81bcf49a1a Author: Arnd Bergmann Date: Thu Aug 25 15:17:08 2016 -0700 mm: memcontrol: avoid unused function warning A bugfix in v4.8-rc2 introduced a harmless warning when CONFIG_MEMCG_SWAP is disabled but CONFIG_MEMCG is enabled: mm/memcontrol.c:4085:27: error: 'mem_cgroup_id_get_online' defined but not used [-Werror=unused-function] static struct mem_cgroup *mem_cgroup_id_get_online(struct mem_cgroup *memcg) This moves the function inside of the #ifdef block that hides the calling function, to avoid the warning. Fixes: 1f47b61fb407 ("mm: memcontrol: fix swap counter leak on swapout from offline cgroup") Link: http://lkml.kernel.org/r/20160824113733.2776701-1-arnd@arndb.de Signed-off-by: Arnd Bergmann Acked-by: Michal Hocko Acked-by: Vladimir Davydov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/memcontrol.c | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) commit b32eaf71db6085f2ba54cf3ddf688bfc858219d0 Author: Michal Hocko Date: Thu Aug 25 15:17:05 2016 -0700 mm: clarify COMPACTION Kconfig text The current wording of the COMPACTION Kconfig help text doesn't emphasise that disabling COMPACTION might cripple the page allocator which relies on the compaction quite heavily for high order requests and an unexpected OOM can happen with the lack of compaction. Make sure we are vocal about that. Link: http://lkml.kernel.org/r/20160823091726.GK23577@dhcp22.suse.cz Signed-off-by: Michal Hocko Cc: Markus Trippelsdorf Cc: Mel Gorman Cc: Joonsoo Kim Cc: Vlastimil Babka Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/Kconfig | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit a5ff1b34e16c203397542d98c49c5c7783193946 Author: Masahiro Yamada Date: Thu Aug 25 15:17:02 2016 -0700 treewide: replace config_enabled() with IS_ENABLED() (2nd round) Commit 97f2645f358b ("tree-wide: replace config_enabled() with IS_ENABLED()") mostly killed config_enabled(), but some new users have appeared for v4.8-rc1. They are all used for a boolean option, so can be replaced with IS_ENABLED() safely. Link: http://lkml.kernel.org/r/1471970749-24867-1-git-send-email-yamada.masahiro@socionext.com Signed-off-by: Masahiro Yamada Acked-by: Kees Cook Acked-by: Peter Oberparleiter Cc: Martin Schwidefsky Cc: Heiko Carstens Cc: Ralf Baechle Cc: Ingo Molnar Cc: "H. Peter Anvin" Cc: Thomas Gleixner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds arch/mips/include/asm/page.h | 4 ++-- arch/s390/kernel/setup.c | 6 ++---- arch/x86/mm/kaslr.c | 2 +- 3 files changed, 5 insertions(+), 7 deletions(-) commit ae6c33ba6e37eea3012fe2640b22400ef3f2d0f3 Author: Nicolas Iooss Date: Thu Aug 25 15:17:00 2016 -0700 printk: fix parsing of "brl=" option Commit bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files") moved the parsing of braille-related options into _braille_console_setup(), changing the type of variable str from char* to char**. In this commit, memcmp(str, "brl,", 4) was correctly updated to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4). Update the code to make "brl=" option work again and replace memcmp() with strncmp() to make the compiler able to detect such an issue. Fixes: bbeddf52adc1 ("printk: move braille console support into separate braille.[ch] files") Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.org Signed-off-by: Nicolas Iooss Cc: Joe Perches Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds kernel/printk/braille.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit 804dd150468cfd920d92d4b3cf00536fedef3902 Author: Andrea Arcangeli Date: Thu Aug 25 15:16:57 2016 -0700 soft_dirty: fix soft_dirty during THP split While adding proper userfaultfd_wp support with bits in pagetable and swap entry to avoid false positives WP userfaults through swap/fork/ KSM/etc, I've been adding a framework that mostly mirrors soft dirty. So I noticed in one place I had to add uffd_wp support to the pagetables that wasn't covered by soft_dirty and I think it should have. Example: in the THP migration code migrate_misplaced_transhuge_page() pmd_mkdirty is called unconditionally after mk_huge_pmd. entry = mk_huge_pmd(new_page, vma->vm_page_prot); entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma); That sets soft dirty too (it's a false positive for soft dirty, the soft dirty bit could be more finegrained and transfer the bit like uffd_wp will do.. pmd/pte_uffd_wp() enforces the invariant that when it's set pmd/pte_write is not set). However in the THP split there's no unconditional pmd_mkdirty after mk_huge_pmd and pte_swp_mksoft_dirty isn't called after the migration entry is created. The code sets the dirty bit in the struct page instead of setting it in the pagetable (which is fully equivalent as far as the real dirty bit is concerned, as the whole point of pagetable bits is to be eventually flushed out of to the page, but that is not equivalent for the soft-dirty bit that gets lost in translation). This was found by code review only and totally untested as I'm working to actually replace soft dirty and I don't have time to test potential soft dirty bugfixes as well :). Transfer the soft_dirty from pmd to pte during THP splits. This fix avoids losing the soft_dirty bit and avoids userland memory corruption in the checkpoint. Fixes: eef1b3ba053aa6 ("thp: implement split_huge_pmd()") Link: http://lkml.kernel.org/r/1471610515-30229-2-git-send-email-aarcange@redhat.com Signed-off-by: Andrea Arcangeli Acked-by: Pavel Emelyanov Cc: "Kirill A. Shutemov" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds mm/huge_memory.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) commit e7d316a02f683864a12389f8808570e37fb90aa3 Author: Subash Abhinov Kasiviswanathan Date: Thu Aug 25 15:16:51 2016 -0700 sysctl: handle error writing UINT_MAX to u32 fields We have scripts which write to certain fields on 3.18 kernels but this seems to be failing on 4.4 kernels. An entry which we write to here is xfrm_aevent_rseqth which is u32. echo 4294967295 > /proc/sys/net/core/xfrm_aevent_rseqth Commit 230633d109e3 ("kernel/sysctl.c: detect overflows when converting to int") prevented writing to sysctl entries when integer overflow occurs. However, this does not apply to unsigned integers. Heinrich suggested that we introduce a new option to handle 64 bit limits and set min as 0 and max as UINT_MAX. This might not work as it leads to issues similar to __do_proc_doulongvec_minmax. Alternatively, we would need to change the datatype of the entry to 64 bit. static int __do_proc_doulongvec_minmax(void *data, struct ctl_table { i = (unsigned long *) data; //This cast is causing to read beyond the size of data (u32) vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64. Introduce a new proc handler proc_douintvec. Individual proc entries will need to be updated to use the new handler. [akpm@linux-foundation.org: coding-style fixes] Fixes: 230633d109e3 ("kernel/sysctl.c:detect overflows when converting to int") Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.org Signed-off-by: Subash Abhinov Kasiviswanathan Cc: Heinrich Schuchardt Cc: Kees Cook Cc: "David S. Miller" Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/sysctl.h | 2 ++ kernel/sysctl.c | 45 +++++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 45 insertions(+), 2 deletions(-) commit 8582fb59f7ee012f2b8118c2bb95168c1622a4c5 Author: Joe Perches Date: Thu Aug 25 15:16:48 2016 -0700 get_maintainer: quiet noisy implicit -f vcs_file_exists checking Checking command line filenames that are outside the git tree can emit a noisy and confusing message. Quiet that message by redirecting stderr. Verify that the command was executed successfully. Fixes: 4cad35a7ca69 ("get_maintainer.pl: reduce need for command-line option -f") Link: http://lkml.kernel.org/r/1970a1d2fecb258e384e2e4fdaacdc9ccf3e30a4.1470955439.git.joe@perches.com Signed-off-by: Joe Perches Reported-by: Wolfram Sang Tested-by: Wolfram Sang Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds scripts/get_maintainer.pl | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) commit 101b29a204f87c99377faa53bd378f101ebb1824 Author: Johannes Berg Date: Thu Aug 25 15:16:45 2016 -0700 byteswap: don't use __builtin_bswap*() with sparse Although sparse declares __builtin_bswap*(), it can't actually do constant folding inside them (yet). As such, things like switch (protocol) { case htons(ETH_P_IP): break; } which we do all over the place cause sparse to warn that it expects a constant instead of a function call. Disable __HAVE_BUILTIN_BSWAP*__ if __CHECKER__ is defined to avoid this. Fixes: 7322dd755e7d ("byteswap: try to avoid __builtin_constant_p gcc bug") Link: http://lkml.kernel.org/r/1470914102-26389-1-git-send-email-johannes@sipsolutions.net Signed-off-by: Johannes Berg Acked-by: Arnd Bergmann Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds include/linux/compiler-gcc.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) commit c15e07b02bf0450bc8e60f2cc51cb42daa371417 Author: Jiri Pirko Date: Thu Aug 25 18:30:52 2016 +0200 team: loadbalance: push lacpdus to exact delivery When team is in bridge and LACP is utilized, LACPDU packets are pushed to userspace using raw socket and there they are processed. However, since 8626c56c8279b, LACPDU skbs are dropped by bridge rx_handler so they never reach packet handlers in rx path. Fix this by explicity treat LACPDUs to be pushed to exact delivery in team rx_handler. Reported-by: Ido Schimmel Fixes: 8626c56c8279b ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict") Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller drivers/net/team/team_mode_loadbalance.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) commit c234af5875ffeab39d5a2c4230a477a35987a484 Author: Colin Ian King Date: Thu Aug 25 07:51:10 2016 +0100 net: hns: dereference ppe_cb->ppe_common_cb if it is non-null ppe_cb->ppe_common_cb is being dereferenced before a null check is being made on it. If ppe_cb->ppe_common_cb is null then we end up with a null pointer dereference when assigning dsaf_dev. Fix this by moving the initialisation of dsaf_dev once we know ppe_cb->ppe_common_cb is OK to dereference. Signed-off-by: Colin Ian King Acked-by: Yisen Zhuang Signed-off-by: David S. Miller drivers/net/ethernet/hisilicon/hns/hns_dsaf_ppe.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 079d37df3397d48aab0f014986c1b0a1ca6256aa Author: Eric Ren Date: Thu Aug 25 17:20:59 2016 +0800 dlm: fix malfunction of dlm_tool caused by debugfs changes With the current kernel, `dlm_tool lockdebug` fails as below: "dlm_tool lockdebug ED0BD86DCE724393918A1AE8FDBF1EE3 can't open /sys/kernel/debug/dlm/ED0BD86DCE724393918A1AE8FDBF1EE3: Operation not permitted" This is because table_open() depends on file->f_op to tell which seq_file ops should be passed down. But, the original file ops in file->f_op is replaced by "debugfs_full_proxy_file_operations" with commit 49d200deaa68 ("debugfs: prevent access to removed files' private data"). Currently, I can think up 2 solutions: 1st, replace debugfs_create_file() with debugfs_create_file_unsafe(); 2nd, make different table_open#() accordingly. The 1st one is neat, but I don't thoroughly understand its risk. Maybe someone has a better one. Signed-off-by: Eric Ren Signed-off-by: David Teigland fs/dlm/debug_fs.c | 62 ++++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 48 insertions(+), 14 deletions(-) commit 29617e1cfc2aa869154f5ed2580b756ec2c3cb28 Author: Javier Martinez Canillas Date: Thu Aug 25 10:56:48 2016 -0400 MAINTAINERS: Add myself as reviewer for Samsung Exynos support I've been helping reviewing and testing Exynos SoC support patches for the last couple of years. But it would be easier for me if I'm cc'ed for patches, so I'm adding myself as reviewer for this entry. Signed-off-by: Javier Martinez Canillas Acked-by: Kukjin Kim Acked-by: Sylwester Nawrocki Signed-off-by: Krzysztof Kozlowski MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit da60626e7d02a4f385cae80e450afc8b07035368 Author: Russell King Date: Fri Aug 19 16:34:45 2016 +0100 ARM: sa1100: clear reset status prior to reboot Clear the current reset status prior to rebooting the platform. This adds the bit missing from 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage"). Fixes: 04fef228fb00 ("[ARM] pxa: introduce reset_status and clear_reset_status for driver's usage") Signed-off-by: Russell King arch/arm/mach-sa1100/generic.c | 3 +++ 1 file changed, 3 insertions(+) commit 61a28d2b690a8b6c383a075a12d62d711850f9d7 Author: Christophe Jaillet Date: Fri Aug 26 06:49:25 2016 +0200 IB/hfi1: Clean up type used and casting In all other places in this file where 'find_first_bit' is called, port_num is defined as a 'u8' and no casting is done. Do the same here in order to be more consistent. Signed-off-by: Christophe JAILLET Signed-off-by: Doug Ledford drivers/infiniband/hw/hfi1/mad.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) commit b71121b4b70a995c0b794026e84c880c4f26c361 Author: Shiraz Saleem Date: Thu Aug 25 11:53:24 2016 -0500 i40iw: Receive notification events correctly Device notifications are not received after the first interface is closed; since there is an unregister for notifications on every interface close. Correct this by unregistering for device notifications only when the last interface is closed. Also, make all operations on the i40iw_notifiers_registered atomic as it can be read/modified concurrently. Fixes: 8e06af711bf2 ("i40iw: add main, hdr, status") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_main.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) commit 866e0f4d73390ee6f5cd68aa92cf74eef3a2b0f2 Author: Mustafa Ismail Date: Thu Aug 25 11:52:47 2016 -0500 i40iw: Update hw_iwarp_state Update iwqp->hw_iwarp_state to reflect the new state of the CQP modify QP operation. This avoids reissuing a CQP operation to modify a QP to a state that it is already in. Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Reported-by: Stefan Assmann Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_hw.c | 1 + 1 file changed, 1 insertion(+) commit b53e7d000d9e6e9fd2c6eb6b82d2783c67fd599e Author: Chen-Yu Tsai Date: Thu Aug 25 14:26:59 2016 +0800 clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function The bootloader (U-boot) sometimes uses this timer for various delays. It uses it as a ongoing counter, and does comparisons on the current counter value. The timer counter is never stopped. In some cases when the user interacts with the bootloader, or lets it idle for some time before loading Linux, the timer may expire, and an interrupt will be pending. This results in an unexpected interrupt when the timer interrupt is enabled by the kernel, at which point the event_handler isn't set yet. This results in a NULL pointer dereference exception, panic, and no way to reboot. Clear any pending interrupts after we stop the timer in the probe function to avoid this. Cc: stable@vger.kernel.org Signed-off-by: Chen-Yu Tsai Signed-off-by: Daniel Lezcano Acked-by: Maxime Ripard drivers/clocksource/sun4i_timer.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit 4d0e701659aa869a445823149e172e23faa6edac Author: Marcin Nowakowski Date: Wed Aug 17 12:22:33 2016 +0200 drivers/clocksource/pistachio: Fix memory corruption in init Driver init code incorrectly uses the block base address and as a result clears clocksource structure's fields instead of the hardware registers. Commit 09a998201649 ("timekeeping: Lift clocksource cacheline restriction") has changed the offsets within pistachio_clocksource structure and what has previously gone unnoticed now leads to a kernel panic during boot. Signed-off-by: Marcin Nowakowski Signed-off-by: Daniel Lezcano drivers/clocksource/time-pistachio.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) commit 699e36e5b8e9f77b2be4c23f0b309e53be4b2880 Author: Alexandre Belloni Date: Tue Aug 23 10:44:02 2016 +0200 clocksource/drivers/timer-atmel-pit: Enable mck clock mck is needed to get the PIT working. Explicitly prepare_enable it instead of assuming it is enabled. This solves an issue where the system is freezing when the ETM/ETB drivers are enabled. Reported-by: Olivier Schonken Reviewed-by: Boris Brezillon Acked-by: Nicolas Ferre Signed-off-by: Alexandre Belloni Signed-off-by: Daniel Lezcano drivers/clocksource/timer-atmel-pit.c | 6 ++++++ 1 file changed, 6 insertions(+) commit 1e5d343b8f23770e8ac5d31f5c439826bdb35148 Author: Linus Lüssing Date: Tue Aug 23 03:13:03 2016 +0200 batman-adv: fix elp packet data reservation The skb_reserve() call only reserved headroom for the mac header, but not the elp packet header itself. Fixing this by using skb_put()'ing towards the skb tail instead of skb_push()'ing towards the skb head. Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure") Signed-off-by: Linus Lüssing Signed-off-by: Marek Lindner Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich net/batman-adv/bat_v_elp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 936523441bb64cdc9a5b263e8fd2782e70313a57 Author: Sven Eckelmann Date: Sat Aug 6 15:50:52 2016 +0200 batman-adv: Add missing refcnt for last_candidate batadv_find_router dereferences last_bonding_candidate from orig_node without making sure that it has a valid reference. This reference has to be retrieved by increasing the reference counter while holding neigh_list_lock. The lock is required to avoid that batadv_last_bonding_replace removes the current last_bonding_candidate, reduces the reference counter and maybe destroys the object in this process. Fixes: f3b3d9018975 ("batman-adv: add bonding again") Signed-off-by: Sven Eckelmann Signed-off-by: Marek Lindner Signed-off-by: Simon Wunderlich net/batman-adv/routing.c | 28 +++++++++++++++++++++++++++- 1 file changed, 27 insertions(+), 1 deletion(-) commit c721da1d05760ad0b4e7670896dae31b6b07d8d6 Author: Gregory CLEMENT Date: Mon Aug 22 18:09:36 2016 +0200 ARM: dts: kirkwood: Fix PCIe label on OpenRD While converting PCIe node on kirkwood by using label, the following commit eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") introduced a regression on the OpenRD boards: the PCIe didn't work anymore. As reported by Aaro Koskinen, the display/framebuffer was lost. This commit adds the forgotten label. Reported-by: Aaro Koskinen Tested-by: Aaro Koskinen Fixes: eb13cf8345e9 ("ARM: dts: kirkwood: Fixup pcie DT warnings") Cc: stable@vger.kernel.org Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT arch/arm/boot/dts/kirkwood-openrd.dtsi | 4 ++++ 1 file changed, 4 insertions(+) commit a778937888867aac17a33887d1c429120790fbc2 Author: Simon Baatz Date: Fri Aug 12 19:12:50 2016 +0200 ARM: kirkwood: ib62x0: fix size of u-boot environment partition Commit 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") split the "u-boot" partition into "u-boot" and "u-boot environment". However, instead of the size of the environment, an offset was given, resulting in overlapping partitions. Signed-off-by: Simon Baatz Fixes: 148c274ea644 ("ARM: kirkwood: ib62x0: add u-boot environment partition") Cc: Jason Cooper Cc: Andrew Lunn Cc: Gregory Clement Cc: Sebastian Hesselbarth Cc: Luka Perkov Cc: stable@vger.kernel.org # 3.13+ Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT arch/arm/boot/dts/kirkwood-ib62x0.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit d662ed2e50c9dab1d4c25e80fa3e01ebe257bd65 Author: Mark Rutland Date: Thu Aug 11 10:50:43 2016 +0100 bus: arm-ccn: make event groups reliable The CCN PMU driver leaves the counting logic always enabled, and thus events are enabled while groups are manipulated. As each event is stopped and read individually, this leads to arbitrary skew across event groups, which can be seen if counting several identical events. To avoid this, implement pmu_{enable,disable} callbacks to stop and start all counters atomically around event manipulation. As the counters are now stopped, we cannot poll the cycle counter to wait for events to drain from the bus. However, as the counters are stopped and the events will not be read regardless, we can simply allow the bus to drain naturally. Signed-off-by: Mark Rutland Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) commit 5b1e01f3ce15d3a8f2af5d38cc31f0d5c3c11dae Author: Mark Rutland Date: Thu Aug 11 10:50:42 2016 +0100 bus: arm-ccn: fix hrtimer registration The CCN PMU driver has a single hrtimer, used to simulate a periodic interrupt on systems where the overflow interrupt is not possible to use. The hrtimer is started when any event is started, and cancelled when any event is stopped. Thus, stopping a single event is sufficient to disable to hrtimer, and overflows (of other events) may be lost. To avoid this, this patch reworks the hrtimer start/cancel to only occur when the first event is added to a PMU, and the last event removed, making use of the existing bitmap counting active events. Signed-off-by: Mark Rutland Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 33 +++++++++++++++++++++------------ 1 file changed, 21 insertions(+), 12 deletions(-) commit 0811ef7e2f5470833a353426a6fbe0b845aea926 Author: Mark Rutland Date: Thu Aug 11 10:50:41 2016 +0100 bus: arm-ccn: fix PMU interrupt flags Currently the IRQ core is permitted to make the CCN PMU IRQ handler threaded, and will allow userspace to change the CPU affinity of the interrupt behind our back. Both of these could violate our synchronisation requirements with the core perf code, which relies upon strict CPU affinity and disabling of interrupts to guarantee mutual exclusion in some cases. As with the CPU PMU drivers, we should request the interrupt with IRQF_NOBALANCING and IRQF_NO_THREAD, to avoid these issues. Signed-off-by: Mark Rutland Acked-by: Pawel Moll Reviewed-by: Will Deacon Signed-off-by: Pawel Moll drivers/bus/arm-ccn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) commit 800b2694f890cc35a1bda63501fc71c94389d517 Author: Brian Foster Date: Fri Aug 26 16:01:59 2016 +1000 xfs: prevent dropping ioend completions during buftarg wait xfs_wait_buftarg() waits for all pending I/O, drains the ioend completion workqueue and walks the LRU until all buffers in the cache have been released. This is traditionally an unmount operation` but the mechanism is also reused during filesystem freeze. xfs_wait_buftarg() invokes drain_workqueue() as part of the quiesce, which is intended more for a shutdown sequence in that it indicates to the queue that new operations are not expected once the drain has begun. New work jobs after this point result in a WARN_ON_ONCE() and are otherwise dropped. With filesystem freeze, however, read operations are allowed and can proceed during or after the workqueue drain. If such a read occurs during the drain sequence, the workqueue infrastructure complains about the queued ioend completion work item and drops it on the floor. As a result, the buffer remains on the LRU and the freeze never completes. Despite the fact that the overall buffer cache cleanup is not necessary during freeze, fix up this operation such that it is safe to invoke during non-unmount quiesce operations. Replace the drain_workqueue() call with flush_workqueue(), which runs a similar serialization on pending workqueue jobs without causing new jobs to be dropped. This is safe for unmount as unmount independently locks out new operations by the time xfs_wait_buftarg() is invoked. cc: Signed-off-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/xfs_buf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit f3d7ebdeb2c297bd26272384e955033493ca291c Author: Dave Chinner Date: Fri Aug 26 16:01:30 2016 +1000 xfs: fix superblock inprogress check From inspection, the superblock sb_inprogress check is done in the verifier and triggered only for the primary superblock via a "bp->b_bn == XFS_SB_DADDR" check. Unfortunately, the primary superblock is an uncached buffer, and hence it is configured by xfs_buf_read_uncached() with: bp->b_bn = XFS_BUF_DADDR_NULL; /* always null for uncached buffers */ And so this check never triggers. Fix it. cc: Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_sb.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 5b5c2dbd3c9bcfa89fba9709c12ecc0a445c6e40 Author: Darrick J. Wong Date: Fri Aug 26 16:00:10 2016 +1000 xfs: simple btree query range should look right if LE lookup fails If the initial LOOKUP_LE in the simple query range fails to find anything, we should attempt to increment the btree cursor to see if there actually /are/ records for what we're trying to find. Without this patch, a bnobt range query of (0, $agsize) returns no results because the leftmost record never has a startblock of zero. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 7 +++++++ 1 file changed, 7 insertions(+) commit 722278997bc964349e23e7061d541f8df3133a04 Author: Darrick J. Wong Date: Fri Aug 26 15:59:50 2016 +1000 xfs: fix some key handling problems in _btree_simple_query_range We only need the record's high key for the first record that we look at; for all records, we /definitely/ need the regular record key. Therefore, fix how the simple range query function gets its keys. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit da1f039d6947b1a49f13b39a6de0df2a3e9e1ed1 Author: Darrick J. Wong Date: Fri Aug 26 15:59:31 2016 +1000 xfs: don't log the entire end of the AGF When we're logging the last non-spare field in the AGF, we don't need to log the spare fields, so plumb in a new AGF logging flag to help us avoid that. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_alloc.c | 2 ++ fs/xfs/libxfs/xfs_format.h | 6 ++++-- 2 files changed, 6 insertions(+), 2 deletions(-) commit 738f57c16a2bb527c705641f0fc1c68ff8cba72a Author: Darrick J. Wong Date: Fri Aug 26 15:59:19 2016 +1000 xfs: disallow mounting of realtime + rmap filesystems Since the kernel doesn't currently support the realtime rmapbt, don't allow such filesystems to be mounted. Support will appear in a future release. Signed-off-by: Darrick J. Wong Reviewed-by: Carlos Maiolino Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/xfs_super.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) commit ed150e1a5cf20c04cf0b2d2c34e498fc1d6519be Author: Darrick J. Wong Date: Fri Aug 26 15:58:40 2016 +1000 xfs: don't perform lookups on zero-height btrees If the caller passes in a cursor to a zero-height btree (which is impossible), we never set block to anything but NULL, which causes the later dereference of it to crash. Instead, just return -EFSCORRUPTED. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Dave Chinner fs/xfs/libxfs/xfs_btree.c | 4 ++++ 1 file changed, 4 insertions(+) commit 0a10e85b6c546c2f34ee257b955f33dbb4ece746 Author: Jon Hunter Date: Wed Aug 24 15:14:38 2016 +0200 ARM: tegra: Correct polarity for Tegra114 PMIC interrupt The ARM GIC only supports interrupts with either level-high or rising-edge types for SPIs. The interrupt type for the Palmas PMIC used for Tegra114 boards is specified as level-low which is invalid for the GIC. This has gone undetected because until recently, failures to set the interrupt type when the interrupts are mapped via firmware (such as device-tree) have not been reported. Since commits 4b357daed698 ("genirq: Look-up trigger type if not specified by caller") and 1e2a7d78499e ("irqdomain: Don't set type when mapping an IRQ"), failure to set the interrupt type will cause the requesting of the interrupt to fail and exposing incorrectly configured interrupts. Please note that although the interrupt type was never being set for the Palmas PMIC, it was still working fine, because the default type setting for the interrupt, 'level-high', happen to match the correct type for the interrupt. Finally, it should be noted that the Palmas interrupt from the PMIC is actually 'level-low', however, this interrupt signal is inverted by the Tegra PMC and so the GIC actually sees a 'level-high' interrupt which is what should be specified in the device-tree interrupt specifier. Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Olof Johansson arch/arm/boot/dts/tegra114-dalmore.dts | 2 +- arch/arm/boot/dts/tegra114-roth.dts | 2 +- arch/arm/boot/dts/tegra114-tn7.dts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) commit 633af91ddb9133d65da6f3a77bb8908cdbf6aced Merge: 1ce3b12 326dce0 Author: Olof Johansson Date: Thu Aug 25 17:29:32 2016 -0700 Merge tag 'samsung-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux into fixes Fix for v4.8-rc1: 1. Select proper eMMC HighSpeed mode on Odroid XU. DTS was mixing "samsung,exynos5250-dw-mshc" compatible (with HS200 as fastest mode) with a property "mmc-hs400-1_8v" thus leading to failures during probe. 2. Update Krzysztof Kozlowski's email address in maintainers. * tag 'samsung-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/krzk/linux: MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski ARM: dts: exynos: Properly select eMMC HighSpeed mode on Odroid XU Signed-off-by: Olof Johansson commit 1ce3b12f43558d8f73dab57d58a89fdcdaaff997 Merge: becc8d3 cfee6b58 Author: Olof Johansson Date: Thu Aug 25 17:21:37 2016 -0700 Merge tag 'imx-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes The i.MX fixes for 4.8: - Fix typo in imx6sx-sabreauto board wakeup property - Fix i.MX6UL suspend-to-standby support by adding the BM_CLPCR_BYP_MMDC_CH0_LPM_HS handling - Fix a i.MX6UL regression on suspend support, which is caused by commit 850bea2335e4 ("arm: Remove unnecessary of_platform_populate with default match table") * tag 'imx-fixes-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: imx6ul: populates platform device at .init_machine ARM: imx6: add missing BM_CLPCR_BYP_MMDC_CH0_LPM_HS setting for imx6ul ARM: dts: imx6sx-sabreauto: Fix misspelled property Signed-off-by: Olof Johansson commit becc8d3ccdcfa746fc4302092da11ad763bc9e49 Author: Masahiro Yamada Date: Thu Aug 18 03:08:22 2016 +0900 MAINTAINERS: add tree entry for ARM/UniPhier architecture Add T: entry for a new git tree, which I expect UniPhier SoC updates will be pulled from. Signed-off-by: Masahiro Yamada Signed-off-by: Olof Johansson MAINTAINERS | 1 + 1 file changed, 1 insertion(+) commit fd0381979799b4adcbf0eac74029e9804737cadb Merge: 8184a34 7391218 Author: Olof Johansson Date: Thu Aug 25 17:12:23 2016 -0700 Merge tag 'omap-for-v4.8/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omaps for v4.8-rc cycle, mostly a series of four fixes for am335x RTC zero offset for clkctrl register. Also few other fixes: - Add missing sysc information for DSI as at least n950 needs it for the working display - Fix old elm-id properties that cause nand boot to not work - Fix overo gpmc nand cs0 range - FIx overo gpmc nand on boards with ethernet - Fix logicpd torpedo nand ready pin nand interrupt configuration * tag 'omap-for-v4.8/fixes-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: logicpd-somlv: Fix NAND device nodes ARM: dts: logicpd-torpedo-som: Provide NAND ready pin ARM: dts: overo: fix gpmc nand on boards with ethernet ARM: dts: overo: fix gpmc nand cs0 range ARM: dts: am335x: Update elm phandle binding ARM: OMAP4+: CM: Remove redundant checks for clkctrl_offs of zero ARM: OMAP4+: Have _omap4_wait_target_* check for valid clkctrl_offs ARM: OMAP2+: AM33XX: Add HWMOD_OMAP4_ZERO_CLKCTRL_OFFSET flag to rtc hwmod ARM: OMAP4+: hwmod: Add hwmod flag for HWMOD_OMAP4_ZERO_CLKCTRL_OFFSET ARM: OMAP3: hwmod data: Add sysc information for DSI Signed-off-by: Olof Johansson commit b628d611a2a53858263fc419dba552f32431dba4 Author: Gao Feng Date: Thu Aug 25 09:45:39 2016 +0800 8139cp: Fix one possible deadloop in cp_rx_poll When cp_rx_poll does not get enough packet, it will check the rx interrupt status again. If so, it will jumpt to rx_status_loop again. But the goto jump resets the rx variable as zero too. As a result, it causes one possible deadloop. Assume this case, rx_status_loop only gets the packet count which is less than budget, and (cpr16(IntrStatus) & cp_rx_intr_mask) condition is always true. It causes the deadloop happens and system is blocked. Signed-off-by: Gao Feng Signed-off-by: David S. Miller drivers/net/ethernet/realtek/8139cp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 8184a34f1124c6529611c3e77e361f087ce2ee1c Merge: 84ba04f b079bd5 Author: Olof Johansson Date: Thu Aug 25 17:00:10 2016 -0700 Merge tag 'vexpress-fixes-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux into fixes SCPI/Vexpress fixes for v4.8-rc Couple of minor fixes to add missing of_node_put after calling of_parse_phandle in SCPI and vexpress-config bus drivers(Peter Chen) * tag 'vexpress-fixes-4.8-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/sudeep.holla/linux: firmware: arm_scpi: add missing of_node_put after calling of_parse_phandle bus: vexpress-config: add missing of_node_put after calling of_parse_phandle Signed-off-by: Olof Johansson commit f38ff2ee7727994685494bcc4d7c274b35b5418a Author: Anjali Singhai Jain Date: Wed Aug 24 17:51:53 2016 -0700 i40e: Change some init flow for the client This change makes a common flow for Client instance open during init and reset path. The Client subtask can handle both the cases instead of making a separate notify_client_of_open call. Also it may fix a bug during reset where the service task was leaking some memory and causing issues. Change-Id: I7232a32fd52b82e863abb54266fa83122f80a0cd Signed-off-by: Anjali Singhai Jain Tested-by: Andrew Bowers Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller drivers/net/ethernet/intel/i40e/i40e_client.c | 41 ++++++++++++++++++++------- drivers/net/ethernet/intel/i40e/i40e_main.c | 1 - 2 files changed, 30 insertions(+), 12 deletions(-) commit 84ba04f26d20d2f91516cd9078e5035f2c8c6087 Merge: 2586d61 23540d6 Author: Olof Johansson Date: Thu Aug 25 16:54:16 2016 -0700 Merge tag 'gpmc-omap-v4.8-rc1' of https://github.com/rogerq/linux into fixes OMAP-GPMC: fixes for v4.8-rc1 Allow other children of GPMC to probe even if any child fails. This fixes problem on Overo boards where networking device child doesn't probe due to broken NAND child. * tag 'gpmc-omap-v4.8-rc1' of https://github.com/rogerq/linux: memory: omap-gpmc: allow probe of child nodes to fail Signed-off-by: Olof Johansson commit c3e70edd7c2eed6acd234627a6007627f5c76e8e Author: Xander Huff Date: Wed Aug 24 16:47:53 2016 -0500 Revert "phy: IRQ cannot be shared" This reverts: commit 33c133cc7598 ("phy: IRQ cannot be shared") On hardware with multiple PHY devices hooked up to the same IRQ line, allow them to share it. Sergei Shtylyov says: "I'm not sure now what was the reason I concluded that the IRQ sharing was impossible... most probably I thought that the kernel IRQ handling code exited the loop over the IRQ actions once IRQ_HANDLED was returned -- which is obviously not so in reality..." Signed-off-by: Xander Huff Signed-off-by: Nathan Sullivan Signed-off-by: David S. Miller drivers/net/phy/phy.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) commit 2586d61f81ea4d84e325cbde2b316c9a8ca43e38 Merge: fa8410b d9fd3c9 Author: Olof Johansson Date: Thu Aug 25 16:52:29 2016 -0700 Merge tag 'mvebu-fixes-4.8-1' of git://git.infradead.org/linux-mvebu into fixes mvebu fixes for 4.8 (part 1) Fix lan numbering for the Armada 388 clearfog board * tag 'mvebu-fixes-4.8-1' of git://git.infradead.org/linux-mvebu: ARM: dts: armada-388-clearfog: number LAN ports properly Signed-off-by: Olof Johansson commit 4f101c47791cdcb831b3ef1f831b1cc51e4fe03c Author: Florian Fainelli Date: Wed Aug 24 11:01:20 2016 -0700 net: dsa: bcm_sf2: Fix race condition while unmasking interrupts We kept shadow copies of which interrupt sources we have enabled and disabled, but due to an order bug in how intrl2_mask_clear was defined, we could run into the following scenario: CPU0 CPU1 intrl2_1_mask_clear(..) sets INTRL2_CPU_MASK_CLEAR bcm_sf2_switch_1_isr read INTRL2_CPU_STATUS and masks with stale irq1_mask value updates irq1_mask value Which would make us loop again and again trying to process and interrupt we are not clearing since our copy of whether it was enabled before still indicates it was not. Fix this by updating the shadow copy first, and then unasking at the HW level. Fixes: 246d7f773c13 ("net: dsa: add Broadcom SF2 switch driver") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller drivers/net/dsa/bcm_sf2.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 166ee5b87866de07a3e56c1b757f2b5cabba72a5 Author: Eric Dumazet Date: Wed Aug 24 09:39:02 2016 -0700 qdisc: fix a module refcount leak in qdisc_create_dflt() Should qdisc_alloc() fail, we must release the module refcount we got right before. Fixes: 6da7c8fcbcbd ("qdisc: allow setting default queuing discipline") Signed-off-by: Eric Dumazet Acked-by: John Fastabend Acked-by: John Fastabend Signed-off-by: David S. Miller net/sched/sch_generic.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) commit a5de125dd46c851fc962806135953c1bd0a0f0df Author: Wei Yongjun Date: Wed Aug 24 13:32:19 2016 +0000 tipc: fix the error handling in tipc_udp_enable() Fix to return a negative error code in enable_mcast() error handling case, and release udp socket when necessary. Fixes: d0f91938bede ("tipc: add ip/udp media type") Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller net/tipc/udp_media.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) commit d1228f4ff3e7c257788ba86ed02a22f5266552ea Merge: 368907d 40d9c32 Author: Greg Kroah-Hartman Date: Thu Aug 25 17:00:01 2016 -0400 Merge tag 'usb-serial-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for v4.8-rc4 Here are a couple of fixes for non-atomic allocations in write paths, and some new option device ids. Signed-off-by: Johan Hovold commit 869c554808ccf7ddd25be5317073b88ceddb8507 Author: Adrian Hunter Date: Thu Aug 25 14:11:43 2016 -0600 mmc: fix use-after-free of struct request We call mmc_req_is_special() after having processed a request, but it could be freed after that. Check that ahead of time, and use the cached value. Reported-by: Hans de Goede Tested-by: Hans de Goede Fixes: c2df40dfb8c0 ("drivers: use req op accessor") Signed-off-by: Jens Axboe drivers/mmc/card/block.c | 4 ++-- drivers/mmc/card/queue.c | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) commit 969af80f770a86e65bf8be1f72b218b5f8556b56 Merge: 2b721f2 177d91a Author: Dave Airlie Date: Fri Aug 26 05:18:40 2016 +1000 Merge tag 'drm-intel-fixes-2016-08-25' of git://anongit.freedesktop.org/drm-intel into drm-fixes i915 fixes queue. * tag 'drm-intel-fixes-2016-08-25' of git://anongit.freedesktop.org/drm-intel: drm/i915: Fix botched merge that downgrades CSR versions. drm/i915/skl: Ensure pipes with changed wms get added to the state drm/i915/gen9: Only copy WM results for changed pipes to skl_hw drm/i915/skl: Add support for the SAGV, fix underrun hangs drm/i915/gen6+: Interpret mailbox error flags drm/i915: Reattach comment, complete type specification drm/i915: Unconditionally flush any chipset buffers before execbuf drm/i915/gen9: Drop invalid WARN() during data rate calculation drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2) commit 2b721f20770ccbca4d3dad58e1bd44aa570efb3f Author: Daniel Vetter Date: Wed Aug 10 18:52:38 2016 +0200 drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION For reasons that entirely elude me fb.h exposes all the structures, even when it is not enabled. Except for special stuff like fb_defio. Which means all the drivers which haven't yet switched over to the defio support in the helpers and still roll their own, will fail to compile when fbdev emulation is disabled. Protect just those bits, as a gnarly reminder that conversion to the core defio helpers would be good. Reviewed-by: Alex Deucher Signed-off-by: Daniel Vetter Link: http://patchwork.freedesktop.org/patch/msgid/1470847958-28465-6-git-send-email-daniel.vetter@ffwll.ch Signed-off-by: Dave Airlie drivers/gpu/drm/qxl/qxl_fb.c | 4 ++++ drivers/gpu/drm/udl/udl_fb.c | 4 ++++ 2 files changed, 8 insertions(+) commit 4f34228b67246ae3b3ab1dc33b980c77c0650ef4 Author: Luiz Augusto von Dentz Date: Mon Aug 15 16:02:20 2016 +0300 Bluetooth: Fix hci_sock_recvmsg when MSG_TRUNC is not set Similar to bt_sock_recvmsg MSG_TRUNC shall be checked using the original flags not msg_flags. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann net/bluetooth/hci_sock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 90a56f72edb088c678083c32d05936c7c8d9a948 Author: Luiz Augusto von Dentz Date: Fri Aug 12 15:11:28 2016 +0300 Bluetooth: Fix bt_sock_recvmsg when MSG_TRUNC is not set Commit b5f34f9420b50c9b5876b9a2b68e96be6d629054 attempt to introduce proper handling for MSG_TRUNC but recv and variants should still work as read if no flag is passed, but because the code may set MSG_TRUNC to msg->msg_flags that shall not be used as it may cause it to be behave as if MSG_TRUNC is always, so instead of using it this changes the code to use the flags parameter which shall contain the original flags. Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann net/bluetooth/af_bluetooth.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit b31cc4b37e8e33e84e9f990d0d84387f37ef01a1 Author: Wolfram Sang Date: Mon Aug 15 00:47:22 2016 +0200 i2c: bcm-kona: fix inconsistent indenting smatch rightfully says: drivers/i2c/busses/i2c-bcm-kona.c:646 bcm_kona_i2c_xfer() warn: inconsistent indenting Signed-off-by: Wolfram Sang Reviewed-by: Tim Kryger drivers/i2c/busses/i2c-bcm-kona.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit c13c29186c59b056d6ec141b5967c2ca3efc0c16 Author: Wolfram Sang Date: Wed Aug 24 11:19:29 2016 +0200 i2c: rcar: use proper device with dma_mapping_error We must use the same device we used for mapping. Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-rcar.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 488d69ea72457c7566b36eb0d484d579f19963c5 Author: Wolfram Sang Date: Wed Aug 24 11:19:28 2016 +0200 i2c: sh_mobile: use proper device with dma_mapping_error We must use the same device we used for mapping. Signed-off-by: Wolfram Sang Reviewed-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang drivers/i2c/busses/i2c-sh_mobile.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) commit 9a5382e8ffe86412f442f6a34fde43f94aae530b Author: Wolfram Sang Date: Mon Aug 22 16:52:21 2016 +0200 i2c: mux: demux-pinctrl: invalidate properly when switching fails Make sure the index to the active channel is invalidated when switching fails. Signed-off-by: Wolfram Sang Signed-off-by: Wolfram Sang drivers/i2c/muxes/i2c-demux-pinctrl.c | 1 + 1 file changed, 1 insertion(+) commit a820cd3d25c2891028b5f296a8a871ce6dd92c0d Merge: abaa227 cfb89f2 Author: Takashi Iwai Date: Thu Aug 25 17:56:09 2016 +0200 Merge tag 'asoc-fix-v4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v4.8 A clutch of fixes for v4.8. These are mainly driver specific, the most notable ones being those for OMAP which fix a series of issues that broke boot on some platforms there when deferred probe kicked in. There's also one core fix for an issue when unbinding a card which for some reason had managed to not manifest until recently. commit a7d4b8f2565ad0dfdff9a222d1d87990c73b36e8 Author: David Hildenbrand Date: Tue Aug 16 14:38:24 2016 +0200 KVM: s390: don't use current->thread.fpu.* when accessing registers As the meaning of these variables and pointers seems to change more frequently, let's directly access our save area, instead of going via current->thread. Right now, this is broken for set/get_fpu. They simply overwrite the host registers, as the pointers to the current save area were turned into the static host save area. Cc: stable@vger.kernel.org # 4.7 Fixes: 3f6813b9a5e0 ("s390/fpu: allocate 'struct fpu' with the task_struct") Reported-by: Hao QingFeng Signed-off-by: David Hildenbrand Signed-off-by: Christian Borntraeger arch/s390/kvm/kvm-s390.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) commit 049b1e7c7e5c21bbb64dc3fc10bb0c53f30b0b70 Merge: 716b076b 07c72d7 Author: Doug Ledford Date: Thu Aug 25 11:17:10 2016 -0400 Merge branch 'misc-fixes' into k.o/for-4.8-rc commit 07c72d7d54d138eb2ca37709a5a3d55fbcc01536 Author: Tatyana Nikolova Date: Wed Aug 24 13:59:17 2016 -0500 i40iw: Send last streaming mode message for loopback connections Send a zero length last streaming mode message for loopback connections to synchronize between accepting QP and connecting QP. This avoids data transfer to start on the accepting QP before the connecting QP is in RTS. Also remove function i40iw_loopback_nop() as it is no longer used. Fixes: f27b4746f378 ("i40iw: add connection management code") Signed-off-by: Tatyana Nikolova Signed-off-by: Shiraz Saleem Signed-off-by: Doug Ledford drivers/infiniband/hw/i40iw/i40iw_cm.c | 22 +--------------------- 1 file changed, 1 insertion(+), 21 deletions(-) commit f2791e7eadf437633f30faa51b30878cf15650be Author: Jens Axboe Date: Thu Aug 25 08:56:51 2016 -0600 Revert "floppy: refactor open() flags handling" This reverts commit 09954bad448791ef01202351d437abdd9497a804. drivers/block/floppy.c | 34 +++++++++++++++------------------- 1 file changed, 15 insertions(+), 19 deletions(-) commit 468c298ad3ed3f0d94a65f8ca00f6bfc6c2b4e33 Author: Jens Axboe Date: Thu Aug 25 08:56:44 2016 -0600 Revert "floppy: fix open(O_ACCMODE) for ioctl-only open" This reverts commit ff06db1efb2ad6db06eb5b99b88a0c15a9cc9b0e. drivers/block/floppy.c | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) commit 5bb53c0fb8e0fc2e34287d5d0fcadc784de913e1 Author: Andrey Ryabinin Date: Tue Aug 23 18:55:31 2016 +0300 fs/block_dev: fix potential NULL ptr deref in freeze_bdev() Calling freeze_bdev() twice on the same block device without mounted filesystem get_super() will return NULL, which will lead to NULL-ptr dereference later in drop_super(). Check get_super() result to fix that. Note, that this is a purely theoretical issue. We have only 3 freeze_bdev() callers. 2 of them are in filesystem code and used on a device with mounted fs. The third one in lock_fs() has protection in upper-layer code against freezing block device the second time without thawing it first. Signed-off-by: Andrey Ryabinin Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe fs/block_dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) commit 368907ddb2eda418e9fde6b772d1ed864666a296 Merge: 53e5f36 6f8245b Author: Greg Kroah-Hartman Date: Thu Aug 25 08:54:13 2016 -0400 Merge tag 'fixes-for-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: usb: fixes for v4.8-rc3 Few fixes on dwc3 again, the most important being a fix for pm_runtime to make it work with current intel platforms. Other than that, there's a signedness bug fix in fsl udc and some other minor fixes. commit 4249fc1f023a2106170bbf715e2e1a0ebc2d5b1f Author: Sabrina Dubroca Date: Tue Aug 23 10:20:31 2016 +0200 netfilter: ebtables: put module reference when an incorrect extension is found commit bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") added a second lookup in case the extension that was found during the first lookup matched another extension with the same name, but didn't release the reference on the incorrect module. Fixes: bcf493428840 ("netfilter: ebtables: Fix extension lookup with identical name") Signed-off-by: Sabrina Dubroca Acked-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso net/bridge/netfilter/ebtables.c | 2 ++ 1 file changed, 2 insertions(+) commit 960fa72f67f1be6891d63a5518860d1ae4e14b88 Author: Liping Zhang Date: Mon Aug 22 22:57:56 2016 +0800 netfilter: nft_meta: improve the validity check of pkttype set expr "meta pkttype set" is only supported on prerouting chain with bridge family and ingress chain with netdev family. But the validate check is incomplete, and the user can add the nft rules on input chain with bridge family, for example: # nft add table bridge filter # nft add chain bridge filter input {type filter hook input \ priority 0 \;} # nft add chain bridge filter test # nft add rule bridge filter test meta pkttype set unicast # nft add rule bridge filter input jump test This patch fixes the problem. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso include/net/netfilter/nft_meta.h | 4 ++++ net/bridge/netfilter/nft_meta_bridge.c | 1 + net/netfilter/nft_meta.c | 17 +++++++++++++---- 3 files changed, 18 insertions(+), 4 deletions(-) commit 533e33009897c7dd1b0424c0d4b3331b222d5681 Author: Liping Zhang Date: Mon Aug 22 21:58:18 2016 +0800 netfilter: cttimeout: unlink timeout objs in the unconfirmed ct lists KASAN reported this bug: BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at addr ffff880002db08c8 Read of size 4 by task lt-nf-queue/19041 Call Trace: [] dump_stack+0x63/0x88 [] kasan_report_error+0x528/0x560 [] kasan_report+0x58/0x60 [] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [] __asan_load4+0x61/0x80 [] icmp_packet+0x25/0x50 [nf_conntrack_ipv4] [] nf_conntrack_in+0x550/0x980 [nf_conntrack] [] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack] [ ... ] The main reason is that we missed to unlink the timeout objects in the unconfirmed ct lists, so we will access the timeout objects that have already been freed. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_cttimeout.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) commit 23aaba5ad55547db62bada5066c8fb6412d5b1c2 Author: Liping Zhang Date: Mon Aug 22 21:58:17 2016 +0800 netfilter: cttimeout: put back l4proto when replacing timeout policy We forget to call nf_ct_l4proto_put when replacing the existing timeout policy. Acctually, there's no need to get ct l4proto before doing replace, so we can move it to a later position. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso net/netfilter/nfnetlink_cttimeout.c | 33 +++++++++++++++------------------ 1 file changed, 15 insertions(+), 18 deletions(-) commit 93fac10b99d78eb2c50a739cba2e590c7332d539 Author: Liping Zhang Date: Mon Aug 22 21:58:16 2016 +0800 netfilter: nfnetlink: use list_for_each_entry_safe to delete all objects cttimeout and acct objects are deleted from the list while traversing it, so use list_for_each_entry is unsafe here. Signed-off-by: Liping Zhang