Commit Graph

617042 Commits

Author SHA1 Message Date
Linus Torvalds
748e7fc209 Merge branch 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
Pull cgroup fixes from Tejun Heo:
 "Two fixes for cgroup.

   - There still was a hole in enforcing cpuset rules, fixed by Li.

   - The recent switch to global percpu_rwseom for threadgroup locking
     revealed a couple issues in how percpu_rwsem is implemented and
     used by cgroup.  Balbir found that the read locking section was too
     wide unnecessarily including operations which can often depend on
     IOs.  With percpu_rwsem updates (coming through a different tree)
     and reduction of read locking section, all the reported locking
     latency issues, including the android one, are resolved.

  It looks like we can keep global percpu_rwsem locking for now.  If
  there actually are cases which can't be resolved, we can go back to
  more complex per-signal_struct locking"

* 'for-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  cgroup: reduce read locked section of cgroup_threadgroup_rwsem during fork
  cpuset: make sure new tasks conform to the current config of the cpuset
2016-08-30 09:31:59 -07:00
Linus Torvalds
e4e98c460a hwmon patch for v4.8-rc5
Add missing sysfs attribute group terminator to it87 driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXxOcJAAoJEMsfJm/On5mBLuMQAIMl/6nPwcZA3TOqg8ACdE61
 CuqhX22uIwR/n+0ni38D+XuVpuAcFeQaC2N+PCkO1dtwSXEqRUxPgXyxElxe1+2V
 o53ALqMBPZv2/MgB95KU/nzo//2KxrnRzLPxU3CPBT8A4LLvqhe2dXdH17ojhoao
 7bYyrbq3YUOB4lvP/SDUtmiaie0xfaTGJnOibtKE1bHqwlbcz7ntuZSY7KrSZXfk
 PE7Vf3coLObijTIwEpfaGOJYr/WRZEEmdUH7bj4EvGF0jw8pG9Ho6c+RY/cPdTrb
 TxfpvfNhTxKdC2TWuCZp0fz4vhb7tVIVM8C9nNFrn5Z8O+GcgM6j2JIwCUBj2fLz
 ACyoogbnYhalN/aw/O0949dgMYkF/+Dmi44qQFudIODxr+LX6U/71pkOLv5GXeWx
 EGwvYP/GUUb0ZSzK//vUdrItEwxtho4ZduLPHKGxi7y/qbjKvkEAXpzLleeWgzqY
 DMw0lf8ffv99R5eAuur6f/VmLSAy8y+HVqqvHFj5vGTNXKsoEMZBjeMhw5/5Z2gD
 zQwTaoAlcfBcO60hnGMGy5fA7iPwfeY5Vv0wBlmCNv1zyCADpmna1benM1i7ehYw
 TClvaDMjLJFIRVGI0W1IaicVKHOIwraN3pAwp46CzBhQu7/LG4xlF854QPBZNLOW
 j86KN9JajF+hHOyKER5e
 =Lb8i
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fix from Guenter Roeck:
 "Add missing sysfs attribute group terminator to it87 driver"

* tag 'hwmon-for-linus-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (it87) Add missing sysfs attribute group terminator
2016-08-29 19:12:35 -07:00
Linus Torvalds
b8927721ae Fix bugs that could cause kernel deadlocks or file system corruption
while moving xattrs to expand the extended inode.  Also add some
 sanity checks to the block group descriptors to make sure we don't end
 up overwriting the superblock.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJXw7i2AAoJEPL5WVaVDYGj96gH/A8rNgx7BoqPx3kanVEamblT
 tM0X9JcEGmKHN4enRts2b78EWbR0/U0SOP92+fg9SSq2MDJ0/kdaKLWmbUwx8jUi
 B7HMEqCprlCdigK7wwt3xF+6edyZRhtzlWy3bhxJ40f0KT5CuriSQbxogr931uKl
 hUKW2h5JtUqHtINzTt4oWjVm8xwrScxuYHYAcpw0G42ZzfO6xQOzQdowcx4m3cE9
 PrtTbU5MwW8/wgsdLiClScQq30MK/GCbHh5heyRt1BcNo9+MDsZDOgdavh9StfnW
 Bl1N6zwRtRBJNcpKWfTfwU4NTIvStCTyA8BJgKgE95YIHDsstJVl4MO7ot25qbM=
 =pXe+
 -----END PGP SIGNATURE-----

Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4

Pull ext4 fixes from Ted Ts'o:
 "Fix bugs that could cause kernel deadlocks or file system corruption
  while moving xattrs to expand the extended inode.

  Also add some sanity checks to the block group descriptors to make
  sure we don't end up overwriting the superblock"

* tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: avoid deadlock when expanding inode size
  ext4: properly align shifted xattrs when expanding inodes
  ext4: fix xattr shifting when expanding inodes part 2
  ext4: fix xattr shifting when expanding inodes
  ext4: validate that metadata blocks do not overlap superblock
  ext4: reserve xattr index for the Hurd
2016-08-29 12:37:11 -07:00
Linus Torvalds
1f6a563ee0 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Segregate namespaces properly in conntrack dumps, from Liping Zhang.

 2) tcp listener refcount fix in netfilter tproxy, from Eric Dumazet.

 3) Fix timeouts in qed driver due to xmit_more, from Yuval Mintz.

 4) Fix use-after-free in tcp_xmit_retransmit_queue().

 5) Userspace header fixups (use of __u32, missing includes, etc.) from
    Mikko Rapeli.

 6) Further refinements to fragmentation wrt gso and tunnels, from
    Shmulik Ladkani.

 7) Trigger poll correctly for zero length UDP packets, from Eric
    Dumazet.

 8) TCP window scaling fix, also from Eric Dumazet.

 9) SLAB_DESTROY_BY_RCU is not relevant any more for UDP sockets.

10) Module refcount leak in qdisc_create_dflt(), from Eric Dumazet.

11) Fix deadlock in cp_rx_poll() of 8139cp driver, from Gao Feng.

12) Memory leak in rhashtable's alloc_bucket_locks(), from Eric Dumazet.

13) Add new device ID to alx driver, from Owen Lin.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (83 commits)
  Add Killer E2500 device ID in alx driver.
  net: smc91x: fix SMC accesses
  Documentation: networking: dsa: Remove platform device TODO
  net/mlx5: Increase number of ethtool steering priorities
  net/mlx5: Add error prints when validate ETS failed
  net/mlx5e: Fix memory leak if refreshing TIRs fails
  net/mlx5e: Add ethtool counter for TX xmit_more
  net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ
  net/mlx5e: Don't wait for SQ completions on close
  net/mlx5e: Don't post fragmented MPWQE when RQ is disabled
  net/mlx5e: Don't wait for RQ completions on close
  net/mlx5e: Limit UMR length to the device's limitation
  rhashtable: fix a memory leak in alloc_bucket_locks()
  sfc: fix potential stack corruption from running past stat bitmask
  team: loadbalance: push lacpdus to exact delivery
  net: hns: dereference ppe_cb->ppe_common_cb if it is non-null
  8139cp: Fix one possible deadloop in cp_rx_poll
  i40e: Change some init flow for the client
  Revert "phy: IRQ cannot be shared"
  net: dsa: bcm_sf2: Fix race condition while unmasking interrupts
  ...
2016-08-29 12:29:13 -07:00
Linus Torvalds
cf4d3779e5 platform-drivers-x86 for 4.8-4
Remove module related code from two drivers that are only configurable as
 built-in.
 
 intel_pmic_gpio:
  - Make explicitly non-modular
 
 platform/olpc:
  - Make ec explicitly non-modular
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXw8nIAAoJEKbMaAwKp364M/gH/iWSc0YIZppWjAF3brN8Vgv/
 PSKzG2BJHiDV/LYsGBBmgPTcT7Y56Oun88MkVCdTx/oKuTYY0CzMd5FE1rpNJoyz
 8kKy8Vi4PIj4qqAZA2//8GSY7iD/wX+9Zm2e42Hjo2gXxGF2RyrbLQue9C9vHrWr
 3WyCZEeN/gaED6G7tKMOdPQnqAJFdqjvAhsvKU/dedWIWcgB9mee6drQUrJBuWfO
 qnLUQrQXVGXQO3xOaPbJmusVhzrbUm4qlhb6cW86S/lNFp6JmN9XmgxULt/cHewE
 TIdhODBDYgbrBDOzViQ4QVXZprq6P2EXzawXK9EWjNswZODJW5hIAgwPOizTgLo=
 =GL9U
 -----END PGP SIGNATURE-----

Merge tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86

Pull x86 platform driver fixes from Darren Hart:
 "Remove module related code from two drivers that are only configurable
  as built-in: intel_pmic_gpio and platform/olpc"

* tag 'platform-drivers-x86-v4.8-4' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
  intel_pmic_gpio: Make explicitly non-modular
  platform/olpc: Make ec explicitly non-modular
2016-08-29 12:20:22 -07:00
Linus Torvalds
2a90309e06 powerpc fixes for 4.8 #4
Andrew Donnellan (1):
       cxl: use pcibios_free_controller_deferred() when removing vPHBs
 
 Andrzej Hajda (1):
       powerpc/powernv/pci: fix iterator signedness
 
 Boqun Feng (1):
       powerpc, hotplug: Avoid to touch non-existent cpumasks.
 
 Christophe Leroy (1):
       powerpc: sysdev: cpm: fix gpio save_regs functions
 
 Cyril Bur (1):
       powerpc: signals: Discard transaction state from signal frames
 
 Guenter Roeck (1):
       powerpc: cputhreads: Add missing include file
 
 Markus Elfring (3):
       drivers/macintosh: Delete owner assignment
       powerpc/512x: Delete unnecessary assignment for the field "owner"
       powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner"
 
 Mauricio Faria de Oliveira (1):
       powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)
 
 Michael Ellerman (1):
       powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
 
 Mukesh Ojha (1):
       powerpc/powernv : Drop reference added by kset_find_obj()
 
 Nicholas Piggin (3):
       powerpc/pseries: PACA save area fix for general exception vs MCE
       powerpc/pseries: PACA save area fix for MCE vs MCE
       powerpc/tm: do not use r13 for tabort_syscall
 
 Paolo Bonzini (1):
       powerpc: move hmi.c to arch/powerpc/kvm/
 
 Paul Gortmaker (1):
       powerpc: migrate exception table users off module.h and onto extable.h
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXw7jmAAoJEHM62YSLdExeu6YP+gMNWkW4CDjvIo8OsVMhYKqX
 RP3c6xa8APcizfdxssKMwX+STP6nfEzRUMCsDMmChSSpb1ZtSNdwM2t2zmlLDe8r
 wKHN7Chqw1EJsnIT6TLa79fvHft03MyGQCTjeRvr54aFcTVJHuAgZnTeuejFBrtN
 hHCsO/pEv+KjgGlDkN+UvEMUs0quI5Ri8kRJpDxO6il1agcPpeYFYB3ksIcgwaVH
 0X/MwLJbzENmiDLhtb3S0jQWGMijmpPbcz5b3z36gIpTxddEPnC9UhYCdc924V/C
 sREuku7rihXDEda6B/qNpk8kOxXxIkE/dh5eWVMyWVDHIXJA6hy4z0zpoF9xe4Ba
 H2/ERyCfsP3LqonOpDOWKs/tkTAmMXOwdfgr+geoc4vDsbR2X8jyjHqb3bdj7J2A
 YtcjmQ/w9HCnzC0weme1+0xR2tfyjUciNOdNoRHP/shLAObzc14xXlpg0IZ3eou2
 oozGqkHnGoA6SrsqezF0UmsAf3884BcVscY1N45p1s8ulMRkyHTgPHM8KnGpHoHq
 1zgUZji2F4VFgjGrMJyMZ82c3usP3/N65d2nkvRv/QzkmdTat4OmXLiB0Qky26Wy
 gW7GsyRpGdEvW/KxhLxuobxPw7xg4mGQ3MdUMWzL3Df17IuRquuFhjljeQIUsQDE
 I7NVfZATWJ7mqJQU2s5L
 =+1I0
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Ben Herrenschmidt:
 "This was meant to be sent early last week, but I has a change pending
  on one of the fixes and other things made me forget all about.  Ugh.

  We have some misc fixes for powerpc 4.8.  Some trivial bits and some
  regressions, and a trivial cleanup or two that I saw no point in
  letting rot in patchwork"

* tag 'powerpc-4.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc: signals: Discard transaction state from signal frames
  powerpc/powernv : Drop reference added by kset_find_obj()
  powerpc/tm: do not use r13 for tabort_syscall
  powerpc: move hmi.c to arch/powerpc/kvm/
  powerpc: sysdev: cpm: fix gpio save_regs functions
  powerpc/pseries: PACA save area fix for MCE vs MCE
  powerpc/pseries: PACA save area fix for general exception vs MCE
  powerpc/prom: Fix sub-processor option passed to ibm, client-architecture-support
  powerpc, hotplug: Avoid to touch non-existent cpumasks.
  powerpc: migrate exception table users off module.h and onto extable.h
  powerpc/powernv/pci: fix iterator signedness
  powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)
  cxl: use pcibios_free_controller_deferred() when removing vPHBs
  powerpc: mpc8349emitx: Delete unnecessary assignment for the field "owner"
  powerpc/512x: Delete unnecessary assignment for the field "owner"
  drivers/macintosh: Delete owner assignment
  powerpc: cputhreads: Add missing include file
2016-08-29 12:12:15 -07:00
Jean Delvare
3c3292634f hwmon: (it87) Add missing sysfs attribute group terminator
Attribute array it87_attributes_in lacks its NULL terminator,
causing random behavior when operating on the attribute group.

Fixes: 5292971563 ("hwmon: (it87) Use is_visible for voltage sensors")
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Cc: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2016-08-29 05:31:31 -07:00
Paul Gortmaker
da43bf0c21 intel_pmic_gpio: Make explicitly non-modular
The Kconfig entry controlling compilation of this code is:

drivers/platform/x86/Kconfig:config GPIO_INTEL_PMIC
drivers/platform/x86/Kconfig:   bool "Intel PMIC GPIO support"

...meaning that it currently is not being built as a module by anyone.

Lets remove the couple traces of modular infrastructure use, so that
when reading the driver there is no doubt it is builtin-only.

We delete the MODULE_LICENSE tag etc. since all that information
was (or is now) contained at the top of the file in the comments.

We don't replace module.h with init.h since the file already has that.

Cc: Alek Du <alek.du@intel.com>
Cc: platform-driver-x86@vger.kernel.org
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
2016-08-28 22:31:52 -07:00
Paul Gortmaker
f48d1496b8 platform/olpc: Make ec explicitly non-modular
The Kconfig entry controlling compilation of this code is:

arch/x86/Kconfig:config OLPC
arch/x86/Kconfig:       bool "One Laptop Per Child support"

...meaning that it currently is not being built as a module by anyone.

Lets remove the couple traces of modular infrastructure use, so that
when reading the driver there is no doubt it is builtin-only.

We delete the MODULE_LICENSE tag etc. since all that information
was (or is now) contained at the top of the file in the comments.

Cc: platform-driver-x86@vger.kernel.org
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Acked-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
2016-08-28 22:31:52 -07:00
Owen Lin
b99b43bb4b Add Killer E2500 device ID in alx driver.
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-29 00:23:50 -04:00
Russell King
2fb04fdf30 net: smc91x: fix SMC accesses
Commit b70661c708 ("net: smc91x: use run-time configuration on all ARM
machines") broke some ARM platforms through several mistakes.  Firstly,
the access size must correspond to the following rule:

(a) at least one of 16-bit or 8-bit access size must be supported
(b) 32-bit accesses are optional, and may be enabled in addition to
    the above.

Secondly, it provides no emulation of 16-bit accesses, instead blindly
making 16-bit accesses even when the platform specifies that only 8-bit
is supported.

Reorganise smc91x.h so we can make use of the existing 16-bit access
emulation already provided - if 16-bit accesses are supported, use
16-bit accesses directly, otherwise if 8-bit accesses are supported,
use the provided 16-bit access emulation.  If neither, BUG().  This
exactly reflects the driver behaviour prior to the commit being fixed.

Since the conversion incorrectly cut down the available access sizes on
several platforms, we also need to go through every platform and fix up
the overly-restrictive access size: Arnd assumed that if a platform can
perform 32-bit, 16-bit and 8-bit accesses, then only a 32-bit access
size needed to be specified - not so, all available access sizes must
be specified.

This likely fixes some performance regressions in doing this: if a
platform does not support 8-bit accesses, 8-bit accesses have been
emulated by performing a 16-bit read-modify-write access.

Tested on the Intel Assabet/Neponset platform, which supports only 8-bit
accesses, which was broken by the original commit.

Fixes: b70661c708 ("net: smc91x: use run-time configuration on all ARM machines")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Tested-by: Robert Jarzmik <robert.jarzmik@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:44:55 -04:00
Florian Fainelli
7d13eca09e Documentation: networking: dsa: Remove platform device TODO
Since commit 83c0afaec7 ("net: dsa: Add new binding implementation"),
the shortcomings of the dsa platform device have been addressed, remove
that TODO item.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:43:06 -04:00
David S. Miller
e4d986a878 Merge branch 'mlx5-series'
Saeed Mahameed says:

====================
Mellanox 100G mlx5 fixes 2016-08-29

This series contains some bug fixes for the mlx5 core and mlx5
ethernet driver.

From Saeed, Fix UMR to consider hardware translation table field
size limitation when calculating the maximum number of MTTs required
by the driver.  Three patches to speed-up netdevice close time by
serializing channel (SQs & RQs) destruction rather than issuing and
waiting for hardware interrupts to free them.

From Eran, Fix ethtool ring parameter reporting for striding RQ layout.
Add error prints on ETS validation failure.

From Kamal, Fix memory leak on error flow.

From Maor, Fix ethtool steering priorities number.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:24 -04:00
Maor Gottlieb
e5835f2833 net/mlx5: Increase number of ethtool steering priorities
Ethtool has 11 flow tables, each flow table has its own priority.
Increase the number of priorities to be aligned with the number of flow
tables.

Fixes: 1174fce8d1 ('net/mlx5e: Support l3/l4 flow type specs in ethtool flow steering')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:16 -04:00
Eran Ben Elisha
1722b9694e net/mlx5: Add error prints when validate ETS failed
Upon set ETS failure due to user invalid input, add error prints to
specify the exact error to the user.

Fixes: cdcf11212b ('net/mlx5e: Validate BW weight values of ETS')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:16 -04:00
Kamal Heib
bf50082c15 net/mlx5e: Fix memory leak if refreshing TIRs fails
Free 'in' command object also when mlx5_core_modify_tir fails.

Fixes: 724b2aa151 ("net/mlx5e: TIRs management refactoring")
Signed-off-by: Kamal Heib <kamalh@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Tariq Toukan
c8cf78fe10 net/mlx5e: Add ethtool counter for TX xmit_more
Add a counter in ethtool for the number of times that
TX xmit_more was used.

Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Eran Ben Elisha
cc8e9ebf95 net/mlx5e: Fix ethtool -g/G rx ring parameter report with striding RQ
The driver RQ has two possible configurations: striding RQ and
non-striding RQ.  Until this patch, the driver always reported the
number of hardware WQEs (ring descriptors). For non striding RQ
configuration, this was OK since we have one WQE per pending packet
For striding RQ, multiple packets can fit into one WQE. For better
user experience we normalize the rx_pending parameter (size of wqe/mtu)
as the average ring size in case of striding RQ.

Fixes: 461017cb00 ('net/mlx5e: Support RX multi-packet WQE ...')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Saeed Mahameed
6e8dd6d6f4 net/mlx5e: Don't wait for SQ completions on close
Instead of asking the firmware to flush the SQ (Send Queue) via
asynchronous completions when moved to error, we handle SQ flush
manually (mlx5e_free_tx_descs) same as we did when SQ flush got
timed out or on tx_timeout.

This will reduce SQs flush time and speedup interface down procedure.

Moved mlx5e_free_tx_descs to the end of en_tx.c for tx
critical code locality.

Fixes: 29429f3300 ('net/mlx5e: Timeout if SQ doesn't flush during close')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Saeed Mahameed
8484f9ed13 net/mlx5e: Don't post fragmented MPWQE when RQ is disabled
ICO (Internal control operations) SQ (Send Queue) is closed/disabled
after RQ (Receive Queue).  After RQ is closed an ICO SQ completion
might post a fragmented MPWQE (Multi Packet Work Queue Element) into
that RQ.

As on regular RQ post, check if we are allowed to post to that
RQ (RQ is enabled). Cleanup in-progress UMR MPWQE on mlx5e_free_rx_descs
if needed.

Fixes: bc77b240b3 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Saeed Mahameed
f2fde18c52 net/mlx5e: Don't wait for RQ completions on close
This will significantly reduce receive queue flush time on interface
down.

Instead of asking the firmware to flush the RQ (Receive Queue) via
asynchronous completions when moved to error, we handle RQ flush
manually (mlx5e_free_rx_descs) same as we did when RQ flush got timed
out.

This will reduce RQs flush time and speedup interface down procedure
(ifconfig down) from 6 sec to 0.3 sec on a 48 cores system.

Moved mlx5e_free_rx_descs en_main.c where it is needed, to keep en_rx.c
free form non critical data path code for better code locality.

Fixes: 6cd392a082 ('net/mlx5e: Handle RQ flush in error cases')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Saeed Mahameed
fe4c988bdd net/mlx5e: Limit UMR length to the device's limitation
ConnectX-4 UMR (User Memory Region) MTT translation table offset in WQE
is limited to U16_MAX, before this patch we ignored that limitation and
requested the maximum possible UMR translation length that the netdev
might need (MAX channels * MAX pages per channel).
In case of a system with #cores > 32 and when linear WQE allocation fails,
falling back to using UMR WQEs will cause the RQ (Receive Queue) to get
stuck.

Here we limit UMR length to min(U16_MAX, max required pages) (while
considering the required alignments) on driver load, by default U16_MAX is
sufficient since the default RX rings value guarantees that we are in
range, dynamically (on set_ringparam/set_channels) we will check if the
new required UMR length (num mtts) is still in range, if not, fail the
request.

Fixes: bc77b240b3 ('net/mlx5e: Add fragmented memory support for RX multi packet WQE')
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-28 23:24:15 -04:00
Cyril Bur
78a3e8889b powerpc: signals: Discard transaction state from signal frames
Userspace can begin and suspend a transaction within the signal
handler which means they might enter sys_rt_sigreturn() with the
processor in suspended state.

sys_rt_sigreturn() wants to restore process context (which may have
been in a transaction before signal delivery). To do this it must
restore TM SPRS. To achieve this, any transaction initiated within the
signal frame must be discarded in order to be able to restore TM SPRs
as TM SPRs can only be manipulated non-transactionally..
>From the PowerPC ISA:
  TM Bad Thing Exception [Category: Transactional Memory]
   An attempt is made to execute a mtspr targeting a TM register in
   other than Non-transactional state.

Not doing so results in a TM Bad Thing:
[12045.221359] Kernel BUG at c000000000050a40 [verbose debug info unavailable]
[12045.221470] Unexpected TM Bad Thing exception at c000000000050a40 (msr 0x201033)
[12045.221540] Oops: Unrecoverable exception, sig: 6 [#1]
[12045.221586] SMP NR_CPUS=2048 NUMA PowerNV
[12045.221634] Modules linked in: xt_CHECKSUM iptable_mangle ipt_MASQUERADE
 nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4
 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 xt_tcpudp bridge stp llc ebtable_filter
 ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables kvm_hv kvm
 uio_pdrv_genirq ipmi_powernv uio powernv_rng ipmi_msghandler autofs4 ses enclosure
 scsi_transport_sas bnx2x ipr mdio libcrc32c
[12045.222167] CPU: 68 PID: 6178 Comm: sigreturnpanic Not tainted 4.7.0 #34
[12045.222224] task: c0000000fce38600 ti: c0000000fceb4000 task.ti: c0000000fceb4000
[12045.222293] NIP: c000000000050a40 LR: c0000000000163bc CTR: 0000000000000000
[12045.222361] REGS: c0000000fceb7ac0 TRAP: 0700   Not tainted (4.7.0)
[12045.222418] MSR: 9000000300201033 <SF,HV,ME,IR,DR,RI,LE,TM[SE]> CR: 28444280  XER: 20000000
[12045.222625] CFAR: c0000000000163b8 SOFTE: 0 PACATMSCRATCH: 900000014280f033
GPR00: 01100000b8000001 c0000000fceb7d40 c00000000139c100 c0000000fce390d0
GPR04: 900000034280f033 0000000000000000 0000000000000000 0000000000000000
GPR08: 0000000000000000 b000000000001033 0000000000000001 0000000000000000
GPR12: 0000000000000000 c000000002926400 0000000000000000 0000000000000000
GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
GPR24: 0000000000000000 00003ffff98cadd0 00003ffff98cb470 0000000000000000
GPR28: 900000034280f033 c0000000fceb7ea0 0000000000000001 c0000000fce390d0
[12045.223535] NIP [c000000000050a40] tm_restore_sprs+0xc/0x1c
[12045.223584] LR [c0000000000163bc] tm_recheckpoint+0x5c/0xa0
[12045.223630] Call Trace:
[12045.223655] [c0000000fceb7d80] [c000000000026e74] sys_rt_sigreturn+0x494/0x6c0
[12045.223738] [c0000000fceb7e30] [c0000000000092e0] system_call+0x38/0x108
[12045.223806] Instruction dump:
[12045.223841] 7c800164 4e800020 7c0022a6 f80304a8 7c0222a6 f80304b0 7c0122a6 f80304b8
[12045.223955] 4e800020 e80304a8 7c0023a6 e80304b0 <7c0223a6> e80304b8 7c0123a6 4e800020
[12045.224074] ---[ end trace cb8002ee240bae76 ]---

It isn't clear exactly if there is really a use case for userspace
returning with a suspended transaction, however, doing so doesn't (on
its own) constitute a bad frame. As such, this patch simply discards
the transactional state of the context calling the sigreturn and
continues.

Reported-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Tested-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Reviewed-by: Laurent Dufour <ldufour@linux.vnet.ibm.com>
Acked-by: Simon Guo <wei.guo.simon@gmail.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2016-08-29 12:48:40 +10:00
Mukesh Ojha
a9cbf0b219 powerpc/powernv : Drop reference added by kset_find_obj()
In a situation, where Linux kernel gets notified about duplicate error log
from OPAL, it is been observed that kernel fails to remove sysfs entries
(/sys/firmware/opal/elog/0xXXXXXXXX) of such error logs. This is because,
we currently search the error log/dump kobject in the kset list via
'kset_find_obj()' routine. Which eventually increment the reference count
by one, once it founds the kobject.

So, unless we decrement the reference count by one after it found the kobject,
we would not be able to release the kobject properly later.

This patch adds the 'kobject_put()' which was missing earlier.

Signed-off-by: Mukesh Ojha <mukesh02@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org
Reviewed-by: Vasant Hegde <hegdevasant@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2016-08-29 12:48:21 +10:00
Nicholas Piggin
cc7786d3ee powerpc/tm: do not use r13 for tabort_syscall
tabort_syscall runs with RI=1, so a nested recoverable machine
check will load the paca into r13 and overwrite what we loaded
it with, because exceptions returning to privileged mode do not
restore r13.

Fixes: b4b56f9eca (powerpc/tm: Abort syscalls in active transactions)
Cc: stable@vger.kernel.org
Signed-off-by: Nick Piggin <npiggin@gmail.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
2016-08-29 12:47:56 +10:00
Linus Torvalds
3eab887a55 Linux 4.8-rc4 2016-08-28 15:04:33 -07:00
Linus Torvalds
25d0d91af7 Merge tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "A bunch of fixes covering i915, amdgpu, one tegra and some core DRM
  ones.  Nothing too strange at this point"

* tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux: (21 commits)
  drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates.
  drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION
  drm/amdgpu: skip TV/CV in display parsing
  drm/amdgpu: avoid a possible array overflow
  drm/amdgpu: fix lru size grouping v2
  drm/tegra: dsi: Enhance runtime power management
  drm/i915: Fix botched merge that downgrades CSR versions.
  drm/i915/skl: Ensure pipes with changed wms get added to the state
  drm/i915/gen9: Only copy WM results for changed pipes to skl_hw
  drm/i915/skl: Add support for the SAGV, fix underrun hangs
  drm/i915/gen6+: Interpret mailbox error flags
  drm/i915: Reattach comment, complete type specification
  drm/i915: Unconditionally flush any chipset buffers before execbuf
  drm/i915/gen9: Drop invalid WARN() during data rate calculation
  drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2)
  drm: Reject page_flip for !DRIVER_MODESET
  drm/amdgpu: fix timeout value check in amd_sched_job_recovery
  drm/amdgpu: fix sdma_v2_4_ring_test_ib
  drm/amdgpu: fix amdgpu_move_blit on 32bit systems
  drm/radeon: fix radeon_move_blit on 32bit systems
  ...
2016-08-28 14:31:36 -07:00
Mario Kleiner
add1fa7510 drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates.
Due to assigning the 'replaced' value instead of or'ing it,
if drm_atomic_crtc_set_property() gets called multiple times,
the last call will define the color_mgmt_changed flag, so
a non-updating call to a property can reset the flag and
prevent actual hw state updates required by preceding
property updates.

Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Daniel Vetter <daniel.vetter@intel.com>
Cc: <stable@vger.kernel.org> # v4.6+
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2016-08-29 06:55:47 +10:00
Linus Torvalds
908e373f1c Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Thomas Gleixner:
 "A few fixes from the perf departement

   - prevent a imbalanced preemption disable in the events teardown code
   - prevent out of bound acces in perf userspace
   - make perf tools compile with UCLIBC again
   - a fix for the userspace unwinder utility"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/core: Use this_cpu_ptr() when stopping AUX events
  perf evsel: Do not access outside hw cache name arrays
  tools lib: Reinstate strlcpy() header guard with __UCLIBC__
  perf unwind: Use addr_location::addr instead of ip for entries
2016-08-28 10:02:23 -07:00
Linus Torvalds
5d84ee7964 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fix from Thomas Gleixner:
 "A single bugfix to prevent irq remapping when the ioapic is disabled"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/apic: Do not init irq remapping if ioapic is disabled
2016-08-28 10:00:21 -07:00
Linus Torvalds
4340393e5a Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fixes from Thomas Gleixner:
 "This lot provides:

   - plug a hotplug race in the new affinity infrastructure
   - a fix for the trigger type of chained interrupts
   - plug a potential memory leak in the core code
   - a few fixes for ARM and MIPS GICs"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/mips-gic: Implement activate op for device domain
  irqchip/mips-gic: Cleanup chip and handler setup
  genirq/affinity: Use get/put_online_cpus around cpumask operations
  genirq: Fix potential memleak when failing to get irq pm
  irqchip/gicv3-its: Disable the ITS before initializing it
  irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts
  irqchip/gic: Allow self-SGIs for SMP on UP configurations
  genirq: Correctly configure the trigger on chained interrupts
2016-08-28 09:52:40 -07:00
Linus Torvalds
037d2405d0 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Thomas Gleixner:
 "A few updates for timers & co:

   - prevent a livelock in the timekeeping code when debugging is
     enabled

   - prevent out of bounds access in the timekeeping debug code

   - various fixes in clocksource drivers

   - a new maintainers entry"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
  drivers/clocksource/pistachio: Fix memory corruption in init
  clocksource/drivers/timer-atmel-pit: Enable mck clock
  clocksource/drivers/pxa: Fix include files for compilation
  MAINTAINERS: Add ARM ARCHITECTED TIMER entry
  timekeeping: Cap array access in timekeeping_debug
  timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING
2016-08-28 09:03:05 -07:00
Linus Torvalds
af56ff27eb * ARM fixes:
** fixes for ITS init issues, error handling, IRQ leakage, race conditions
 ** An erratum workaround for timers
 ** Some removal of misleading use of errors and comments
 ** A fix for GICv3 on 32-bit guests
 * MIPS fix where the guest could wrongly map the first page of physical memory
 * x86 nested virtualization fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJXtyfVAAoJEL/70l94x66Dhe4IAIOGI/OYVWU5IfUQ01oeRgD3
 7wN222OmyC/K0/hSZc7ndRdcQfr5ombgM9XsS/EbkcRacWxAUHDX2FaYMpKgjT2M
 Dnh2tJHuPz/4VtByGQ2fZ4hziK7amn18/MtPFCee+mIj0ya2fcWZ4qHVU8pKC6Ps
 mVVZ0kxXsdV4pw9y6XgBLz/4bTLeASKvhFZrWOnjJoa+GeH2MFwocS0xaEI0HwxP
 HVwcgoRdGXJuKUB9jE9FDWmWOgdoLnCG1bNUOvXKPcE0ZaFQDT4I4dImkBys3rqz
 jbqnhLrpGEY2ZC3Rj+VyD2MOXbYOOSi59GRwYmCkqD96ZarHxSu3PdyCxmIFWzM=
 =+4WK
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "ARM:
   - fixes for ITS init issues, error handling, IRQ leakage, race
     conditions
   - an erratum workaround for timers
   - some removal of misleading use of errors and comments
   - a fix for GICv3 on 32-bit guests

  MIPS:
   - fix for where the guest could wrongly map the first page of
     physical memory

  x86:
   - nested virtualization fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  MIPS: KVM: Check for pfn noslot case
  kvm: nVMX: fix nested tsc scaling
  KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
  KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
  arm64: KVM: report configured SRE value to 32-bit world
  arm64: KVM: remove misleading comment on pmu status
  KVM: arm/arm64: timer: Workaround misconfigured timer interrupt
  arm64: Document workaround for Cortex-A72 erratum #853709
  KVM: arm/arm64: Change misleading use of is_error_pfn
  KVM: arm64: ITS: avoid re-mapping LPIs
  KVM: arm64: check for ITS device on MSI injection
  KVM: arm64: ITS: move ITS registration into first VCPU run
  KVM: arm64: vgic-its: Make updates to propbaser/pendbaser atomic
  KVM: arm64: vgic-its: Plug race in vgic_put_irq
  KVM: arm64: vgic-its: Handle errors from vgic_add_lpi
  KVM: arm64: ITS: return 1 on successful MSI injection
2016-08-27 15:51:50 -07:00
Linus Torvalds
5e608a0270 Merge branch 'akpm' (patches from Andrew)
Merge fixes from Andrew Morton:
 "11 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  mm: silently skip readahead for DAX inodes
  dax: fix device-dax region base
  fs/seq_file: fix out-of-bounds read
  mm: memcontrol: avoid unused function warning
  mm: clarify COMPACTION Kconfig text
  treewide: replace config_enabled() with IS_ENABLED() (2nd round)
  printk: fix parsing of "brl=" option
  soft_dirty: fix soft_dirty during THP split
  sysctl: handle error writing UINT_MAX to u32 fields
  get_maintainer: quiet noisy implicit -f vcs_file_exists checking
  byteswap: don't use __builtin_bswap*() with sparse
2016-08-26 23:12:12 -07:00
Linus Torvalds
65fc7d54ef ARM64 fix to avoid potential TLB conflict when CONFIG_RANDOMIZE_BASE is
enabled.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXwH52AAoJEGvWsS0AyF7xQukP/1c9tMKzvX2tEaEenwv5nIvV
 /fUfYzdPl97+KHl50N8CPY3xomHUo5kR+p/PDMi/yH2wljOCUmOI7alpWOrBizK9
 GbaGGU4rFsfmRlyxWkMfnYWjKkiXdDR4RPGwvW3SOC7sUDnI4od+1Dk9r9O/vomw
 14tggbL6HCR66MpcuH+yDCxBKvDnUuu8YPWoT3CX+VJCEPLXquO+d1GQKo28iYdu
 GxAxGB3NCNFiGyTIifLZk7OdozniCkCblhd+wdwRmMMPPgA75aueuUFsvaOMpo6a
 Tc5DoVTgLHiqAcJN7GWTKvrQeocxOXSJkEns4iTEmYuCVackwokvaLu6cFFxET5P
 zdG4crOjfoGPUvKB2yM3RnbYSRKGKOBkPsL/mqtyu2JgApPCqwLK6EQ6g0fWwouU
 OXvhmVyUGG53VXFYfPu1EzsE/ilRVzevHSlt3hHki9YkwXbKTgGfS7WQWQD6dkUe
 ks8gUpSmLBeW7SRVfB0YRrN3cFCd5dbkelES5S/97zHWkpIJy4ZoFKGQYOV3oj18
 rjHq1miPD40abe2IhbdZSz2mtiYpXjKfRvwuGc/MPySaB+WBIzHYwrGuiDvrqlgm
 nmFAeRMA8ulqq3VM5VklJbyk8I9luC7tHojKKgzWru711awuiRTi38bJaaAG1piJ
 bfvWK/pICaat+BIQp9wh
 =LYZy
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull ARM64 fix from Catalin Marinas:
 "ARM64 fix to avoid potential TLB conflict when CONFIG_RANDOMIZE_BASE
  is enabled"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: avoid TLB conflict with CONFIG_RANDOMIZE_BASE
2016-08-26 23:05:19 -07:00
Linus Torvalds
a3d3469808 Round one of 4.8 rc fixes
- Minor fixes to cxgb4
 - Minor fixes to mlx4
 - One minor fix each to core, rxe, isert, srpt, mlx5, ocrdma, and usnic
 - Six or so fixes to i40iw fixes
 - The rest are hfi1 fixes
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXvwwYAAoJELgmozMOVy/dhuEQAKeRF89w8ghh6+MFPljYcdH8
 XEJGGguImBcwqfLjJwtQTxTxEFLJr64pZiG2CeAH05cuY+gVOfsAGXWqhYNfI8Gn
 pKYO1B5c4Y7ecypAzAd3VI2UBUVSXvTAOAPlh0G6TLhcnyi1m9V8RmNTCfLVh2tJ
 GcfkNZSwH+0Wl4ULI69Ah9K7LIZMge5DbKBlsq25/iikRdPXPuEuMmu8GzM3JkAs
 EdUWrOBuQC1eBG6Cm2nDOjj7PCpVgRNXPzHpiRd8zamj95MRQ265Ten20P82yKu9
 xqJdTBLn8oK+UrNNyO+ue45jPt2XjfnJlMByaAY92D8+Gz7uGoOB9gtvq/SOV/dq
 XoO5VVgTRGKYvAucbyuAr3Cf7x9rcUAVkpvbEjkD7sPz0CndnGT0zNoVNCU8h4Pb
 yjpf9ChuNcz5ynxnIeR31thZJqblh0ixx718NT+QuwPjwgQcWvf2ZZ0qaC2pIXYB
 3otQ1kr9OicUoP/O+tpLirKvtuvkVkbJ2tZf+0RUvdfr6CZYZdYjJg+vI0YXGwjC
 bQantzsSnCQH22ybS8QvIrGOM57+A9N9N63m4zRExwPmgeY7dB3dKpixWp34kMK9
 DqXA1NIsUplYsBJo78fbAhCT7FO1tdjkgm0d6K+P3iq+xdoUq2nwZ790A7ejidYI
 DIkcyG9E3aQpFtC9Gh9e
 =Mdb6
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma

Pull rdma fixes from Doug Ledford:
 "Round one of 4.8 rc fixes.

  This should be the bulk of the -rc fixes for 4.8.  I only have a few
  things that are still outstanding (two ipoib bugs for which the
  solution is not yet fully known, and a few queued items that came in
  after my last push and I didn't want to delay this pull request for
  late comers again).

  Even though the patch count is kind of high, everything is minor fixes
  so the overall churn is pretty low.

  Summary:

   - minor fixes to cxgb4
   - minor fixes to mlx4
   - one minor fix each to core, rxe, isert, srpt, mlx5, ocrdma, and usnic
   - six or so fixes to i40iw fixes
   - the rest are hfi1 fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (34 commits)
  i40iw: Send last streaming mode message for loopback connections
  IB/srpt: Update sport->port_guid with each port refresh
  RDMA/ocrdma: Fix the max_sge reported from FW
  i40iw: Avoid writing to freed memory
  i40iw: Fix double free of allocated_buffer
  IB/mlx5: Remove superfluous include of io-mapping.h
  i40iw: Do not set self-referencing pointer to NULL after kfree
  i40iw: Add missing NULL check for MPA private data
  iw_cxgb4: Fix cxgb4 arm CQ logic w/IB_CQ_REPORT_MISSED_EVENTS
  i40iw: Add missing check for interface already open
  i40iw: Protect req_resource_num update
  i40iw: Change mem_resources pointer to a u8
  IB/core: Use memdup_user() rather than duplicating its implementation
  IB/qib: Use memdup_user() rather than duplicating its implementation
  iw_cxgb4: use the MPA initiator's IRD if < our ORD
  iw_cxgb4: limit IRD/ORD advertised to ULP by device max.
  IB/hfi1: Fix mm_struct use after free
  IB/rdmvat: Fix double vfree() in rvt_create_qp() error path
  IB/hfi1: Improve J_KEY generation
  IB/hfi1: Return invalid field for non-QSFP CableInfo queries
  ...
2016-08-26 23:01:09 -07:00
Linus Torvalds
03cef71062 sound fixes for 4.8-rc4
Here are a bunch of fixes as you can see in diffstat.  One core change
 in ASoC is about the unexpected unbinding error, and   The rest are
 wide-spread driver-specific fixes: a series of LINE6 USB fixes, a
 HD-audio quirk, and various ASoC fixes including OMAP boot fixes and
 Intel SKL fixes.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIrBAABCAAVBQJXwGOgDhx0aXdhaUBzdXNlLmRlAAoJEGwxgFQ9KSmkH5cQALMj
 FZayvYi7MeKuAeUZB0Ocox7ExD4OHE6JCeFFlDHKqmr1FjvRf3+nModKys/0IzfH
 vbavwGCyhxhgTuHoBspHrCigrTXH1mbdDhIfyjiGAQMXpSV5Mpoe371+EUJpt3n7
 r+5L4SX3GH6oJw1Sl0g++61lOztwUX6JCe1ciALAa+NbH7xV2VRmpO5zYCTHYHRY
 wRQYss76y6NLYlDyyAKI6NClgr1GxWBJnRbCtWkOBGkkgwxjYFffX4yTMDPCRzD5
 vLxokhxQIcvHOMnjP1+8zLhYa1Y1nBIAO8dSEdROp9C1Br7Ii35YZMs6HnuAmtQG
 sbArfybpgdYXhvp6DhDcrEfr7rM9QzbGxqwGQuNh9hSdFFi3g8NQxKpF3SX3hzYC
 O2J+EbJSantqa/+6n50Cdhntp/ebDxejgsvIcGYPXD4C6a7LCqogjyIAiJ4FaDzX
 u4Tying8XoY8hPlzdOgWufHozpCd9fEny9FLmUBsMpvI8gjFJyVFsNTcVSC29zBj
 ZyjEt9IIy2b7vetm+3zde3KhgwoX5II2JcKCfGJm1ra9ydorOZnxJ3lBoc1A9qDj
 oqJpA8LfPkBF6GZLfaztg4F6e1psGgrOiomWK7CwUqdBpI5ZU0rhqp8LSLc0PNGV
 ZtNCBEpjczfqQ+FzDYB67FUOQ2iIRpJfsiNLoGqB
 =+EQP
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Here are a bunch of fixes as you can see in diffstat.

  One core change in ASoC is about the unexpected unbinding error, and
  another about debugfs cleanup.

  The rest are wide-spread driver-specific fixes: a series of LINE6 USB
  fixes, a HD-audio quirk, and various ASoC fixes including OMAP boot
  fixes and Intel SKL fixes"

* tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (22 commits)
  ALSA: hda/realtek - fix headset mic detection for MSI MS-B120
  ASoC: omap-mcpdm: Fix irq resource handling
  ASoC: max98371: Add terminate entry for i2c_device_id tables
  ALSA: line6: Fix POD sysfs attributes segfault
  ALSA: line6: Give up on the lock while URBs are released.
  ALSA: line6: Remove double line6_pcm_release() after failed acquire.
  ASoC: omap-abe-twl6040: Correct dmic-codec device registration
  ASoC: core: Clean up DAPM before the card debugfs
  ASoC: omap-mcpdm: Drop pdmclk clock handling
  ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup
  ASoC: compress: Fix leak of a widget list in soc_compr_open_fe
  ASoC: Intel: Skylake: Fix error return code in skl_probe()
  ASoC: wm2000: Fix return of uninitialised varible
  ASoC: Fix leak of rtd in soc_bind_dai_link
  ASoC: da7213: Default to 64 BCLKs per WCLK to support all formats
  ASoC: nau8825: fix static check error about semaphone control
  ASoC: nau8825: fix bug in playback when suspend
  ASoC: samsung: Fix clock handling in S3C24XX_UDA134X card
  ASoC: simple-card-utils: add missing MODULE_xxx()
  ASoC: Intel: Skylake: Check list empty while getting module info
  ...
2016-08-26 22:53:21 -07:00
Eric Dumazet
9dbeea7f08 rhashtable: fix a memory leak in alloc_bucket_locks()
If vmalloc() was successful, do not attempt a kmalloc_array()

Fixes: 4cf0b354d9 ("rhashtable: avoid large lock-array allocations")
Reported-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: CAI Qian <caiqian@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-26 21:59:53 -07:00
Andrew Rybchenko
e70c70c38d sfc: fix potential stack corruption from running past stat bitmask
On 32-bit systems, mask is only an array of 3 longs, not 4, so don't try
to write to mask[3].
Also include build-time checks in case the size of the bitmask changes.

Fixes: 3c36a2aded ("sfc: display vadaptor statistics for all interfaces")
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-26 21:40:44 -07:00
David S. Miller
5c1f5b457b Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says:

====================
pull request: bluetooth 2016-08-25

Here are a couple of important Bluetooth fixes for the 4.8 kernel:

 - Memory leak fix for HCI requests
 - Fix sk_filter handling with L2CAP
 - Fix sock_recvmsg behavior when MSG_TRUNC is not set

Please let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-26 21:09:17 -07:00
Linus Torvalds
28687b935e Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
 "We've queued up a few different fixes in here.  These range from
  enospc corners to fsync and quota fixes, and a few targeted at error
  handling for corrupt metadata/fuzzing"

* 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  Btrfs: fix lockdep warning on deadlock against an inode's log mutex
  Btrfs: detect corruption when non-root leaf has zero item
  Btrfs: check btree node's nritems
  btrfs: don't create or leak aliased root while cleaning up orphans
  Btrfs: fix em leak in find_first_block_group
  btrfs: do not background blkdev_put()
  Btrfs: clarify do_chunk_alloc()'s return value
  btrfs: fix fsfreeze hang caused by delayed iputs deal
  btrfs: update btrfs_space_info's bytes_may_use timely
  btrfs: divide btrfs_update_reserved_bytes() into two functions
  btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster()
  btrfs: qgroup: Fix qgroup incorrectness caused by log replay
  btrfs: relocation: Fix leaking qgroups numbers on data extents
  btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent()
  btrfs: waiting on qgroup rescan should not always be interruptible
  btrfs: properly track when rescan worker is running
  btrfs: flush_space: treat return value of do_chunk_alloc properly
  Btrfs: add ASSERT for block group's memory leak
  btrfs: backref: Fix soft lockup in __merge_refs function
  Btrfs: fix memory leak of reloc_root
2016-08-26 20:22:01 -07:00
Linus Torvalds
370f601729 dlm fixes for 4.8
This fixes a bug introduced by recent debugfs cleanup.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXwJgQAAoJEDgbc8f8gGmqTQcP/1XKsslqYcg9e4xcx3ZAyT3l
 HTzRbygNmIzgIsLxDk4AvlvfrUOMFj/rJwBH/gvM68wD5cUHaTrdTN9riOWaJLFh
 J+EgkMYmKAoYvk3wyvAKbeYACOAB8BjTOLLN7zdEEDCVBMG4A+zq7B54xg3J15bU
 o60XLNnA34m4YPCh+LpGODckek++lKnsNzI/x0H7EQoMMU9Rm7WgVk+gictmnZlT
 Ms8zfE8dy1UPuGUyYN5YGGXoCasNN6FQc3MVLbTYCmw8qPwIa2hdMYjm8er329gL
 bvqp350ElogABbTGrgzN/cmrKJt6k3Y2i2ECs4G7aYBXkFhWJKXIdhPnu5ajiiRG
 DUwnPSqCgFXSDKU/X1Ev3Ro1IgdqZJx18PFgljW2PCPTDx79jCaMJjHgEtK+Q5mu
 VyeEiyXwhRPaFU4Sfc2Tul75ylI0SashufTRHSo80qfobCnhnByYTyOb8/MuCAsM
 v8fcgbSaHBktpiZIMOn9ZOcsaXQ/wkciqr5JKqnVO69F/m2dbz5SX6ySew0y+DSA
 6ZpU9H6VIXKzsd1NCLsUTgyJE5L649nE9T0CzbzBUWYj1EzC+lk/DLu+gzxVuj3M
 T0SDmU0d441qECOsxtyUgkBUOfqKoHQis5WZyU++cXxV9vapBR+s+NFAJjc3MmT+
 iiKm1Qg6nD5BQr8EM8i6
 =9igI
 -----END PGP SIGNATURE-----

Merge tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm

Pull dlm fix from David Teigland:
 "This fixes a bug introduced by recent debugfs cleanup"

* tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm:
  dlm: fix malfunction of dlm_tool caused by debugfs changes
2016-08-26 20:18:49 -07:00
Linus Torvalds
6ec675ede9 - Another stable fix for DM flakey (that tweaks the previous fix that
didn't factor in expected 'drop_writes' behavior for read IO).
 
 - A dm-log bio operation flags fix for the broader block changes that
   were merged during the 4.8 merge window.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXwHX2AAoJEMUj8QotnQNaMdQIAJuCHedIKQxlsCH4BG20thwM
 7+kPh68ZWOB5VYpVlm2sn0aJG0t2c2IsM2+AcQrwwcVsTjVkqu4s5XeqhBhkhvBE
 xrRHdJU21K6ho3IFiMhscZYfhMGvptwddevOxnRLfCgBALTjWpCWCEeQWLe17QCt
 klR0bvGckLp7dJavYmb/8MO7VqIQQufYCDjYqEdq4IQT+lKVf940X1bNx5+RpzAD
 OCgFwmWFb1OWYsVKWnVqxL+QzQcIA84YpBMV+FKQSTDNTLYgDM1mPTxMOxVMCNLO
 neCUh2WNetvoE9s69T/NmPkjzB3hNAmVhbuFT2SBJ7Bnf/lfxT4Zc6WYOeqqWKY=
 =XAfD
 -----END PGP SIGNATURE-----

Merge tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - another stable fix for DM flakey (that tweaks the previous fix that
   didn't factor in expected 'drop_writes' behavior for read IO).

 - a dm-log bio operation flags fix for the broader block changes that
   were merged during the 4.8 merge window.

* tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm log: fix unitialized bio operation flags
  dm flakey: fix reads to be issued if drop_writes configured
2016-08-26 20:15:32 -07:00
Linus Torvalds
67a8c7d636 IOMMU Fixes for Linux v4.8-rc3:
From Will Deacon:
 
 	* Fix a couple of thinkos in the CMDQ error handling and
           short-descriptor page table code that have been there since
           day one
 
 	* Disable stalling faults, since they may result in hardware
           deadlock
 
 	* Fix an accidental BUG() when passing disable_bypass=1 on
           the cmdline
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJXwF/CAAoJECvwRC2XARrjEuAP/1cCyOuG7WuD9TBapWzDp1hf
 rkmruS4SO6Jn+YnQ4ob81cE2kV11KdbwaO6pLcyqeH7d9dUzKMpnShEElC+jSeyO
 kwD2eQnmZeNtcJNQe8cdjHl0YWN3W3Y+9QRI/cZy+PHK4u/SmGWURtp5EDcsHsbF
 RMzF7HzKEA2Uu3CSerCXWY9AHSRFvPTWVJVxbTeeoH8B3NwZihTUj5fJiudG6hqp
 YcSB1Y6kMMinydrn9hEtjgw6MHRp8wUwOZxJlQyMuULp22WDiwU+1sOkFAbR/4MA
 scCptDHZJA7xm7WYc7UShk/feQNY5lbDXEdEuTv+mJR/nVdM2zUyvcGtItPTshG4
 e507pRE4kpXcPvhUatY8pLuCJNGK9rsnRyJLRWeMAGnLodIi2pw2xYsqgPZE8lz/
 DPJ6C66Q7M7O+KsU9AI6/IxfwW/FpmF0AMx6fLsnHYQlIGva+0Bdk9tjksRSkxcI
 ZbmuUdoUmzPvxe+9XQemOqiskycEbYXQgBc8QxogX13ohYiH1h8axzL8hVKsoKy9
 ZsTOf/IuTeO/OXyQZOGfK1m8miFUn9CNe0Ip2D4kpSNnH3Zi5tjXRofaSUwNiPIh
 DsXkC6b+H8ibr5/43QfIAggLhQxMFiYSfQKQmpN2qAvMG5b6aYZac25Ep9P+cOn7
 W93mu7eYz5ROMmPRUusF
 =XLo2
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fixes from Joerg Roedel:
 "Fixes from Will Deacon:

   - fix a couple of thinkos in the CMDQ error handling and
     short-descriptor page table code that have been there since day one

   - disable stalling faults, since they may result in hardware deadlock

   - fix an accidental BUG() when passing disable_bypass=1 on the
     cmdline"

* tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass
  iommu/arm-smmu: Disable stalling faults for all endpoints
  iommu/arm-smmu: Fix CMDQ error handling
  iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks
2016-08-26 20:12:35 -07:00
Linus Torvalds
fd1ae51452 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
 "Here's a set of block fixes for the current 4.8-rc release.  This
  contains:

   - a fix for a secure erase regression, from Adrian.

   - a fix for an mmc use-after-free bug regression, also from Adrian.

   - potential zero pointer deference in bdev freezing, from Andrey.

   - a race fix for blk_set_queue_dying() from Bart.

   - a set of xen blkfront fixes from Bob Liu.

   - three small fixes for bcache, from Eric and Kent.

   - a fix for a potential invalid NVMe state transition, from Gabriel.

   - blk-mq CPU offline fix, preventing us from issuing and completing a
     request on the wrong queue.  From me.

   - revert two previous floppy changes, since they caused a user
     visibile regression.  A better fix is in the works.

   - ensure that we don't send down bios that have more than 256
     elements in them.  Fixes a crash with bcache, for example.  From
     Ming.

   - a fix for deferencing an error pointer with cgroup writeback.
     Fixes a regression.  From Vegard"

* 'for-linus' of git://git.kernel.dk/linux-block:
  mmc: fix use-after-free of struct request
  Revert "floppy: refactor open() flags handling"
  Revert "floppy: fix open(O_ACCMODE) for ioctl-only open"
  fs/block_dev: fix potential NULL ptr deref in freeze_bdev()
  blk-mq: improve warning for running a queue on the wrong CPU
  blk-mq: don't overwrite rq->mq_ctx
  block: make sure a big bio is split into at most 256 bvecs
  nvme: Fix nvme_get/set_features() with a NULL result pointer
  bdev: fix NULL pointer dereference
  xen-blkfront: free resources if xlvbd_alloc_gendisk fails
  xen-blkfront: introduce blkif_set_queue_limits()
  xen-blkfront: fix places not updated after introducing 64KB page granularity
  bcache: pr_err: more meaningful error message when nr_stripes is invalid
  bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
  bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
  block: Fix race triggered by blk_set_queue_dying()
  block: Fix secure erase
  nvme: Prevent controller state invalid transition
2016-08-26 18:50:07 -07:00
Linus Torvalds
b09c412aa4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input subsystem fixes from Dmitry Torokhov:
 "Simply small driver fixups"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ads7846 - remove redundant regulator_disable call
  Input: synaptics-rmi4 - fix register descriptor subpacket map construction
  Input: tegra-kbc - fix inverted reset logic
  Input: silead - use devm_gpiod_get
  Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
2016-08-26 18:36:23 -07:00
Linus Torvalds
219c04cea3 PCI updates for v4.8:
Resource management
     Update "pci=resource_alignment" documentation (Mathias Koehrer)
 
   MSI
     Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig)
     Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig)
 
   Intel VMD host bridge driver
     Fix infinite loop executing irq's (Keith Busch)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXvvHgAAoJEFmIoMA60/r8y+MP/3cXG5FG3fdRB9Pn8q5BvdD4
 hmIgOpuEH859iYFOUJNxVB6haxG73Z+z3aFvNUDKTOh7GXQ7UHzNw1qj1OEmjXS0
 ex45ynjxP2DTBIO3eoyLpTKaRuOCAz03sDIucK9NzSBkrazBGoaxRRYY5gi+V8K9
 CNsbT8pPSGOrfRX6nk2QjiGMHVw+ExurvskbwuQmRYmHGU1Y1nnkmlnT5AMUJsn+
 BgSLOLFkv9UOIfLVY2+/KCnPFfi0nIxspCJHinosLl5BsgULgFPdRFKr6SiY+yhx
 W3d8MKnhDX5wsajtE7V/HurYmETiyimLL1ZBPJOCzGXwNGrwvUrt1rji+83S+1Zx
 LbrPGDRNBLW51prcrxOx1Pr/RDaHT0+/2UrSvaeUnTqniV5xW1daBPvB6h8jbKih
 C+GGqfiHURvJi1sd9QUMP95yVaxVgSBM9BrKfNYAmVYarnCpx3xbdeMv8gA0+QHx
 Ts0QKJ7ph80mcztdk2H0Ov7OK+OGjDhZPDijXiCTSPfKgK0HPsaytDCULt9LcqAv
 M8daeD42nwe36xOlNgcosj++gL+VxVYk/4BAiOWCgwF+k2EDh1ol8/eK6a+hXAqC
 qslLMNNucZP5BSsSIYc5KVGbkEXuHTw8viUNvBhLE2CWD3SY378IlzrF7QxjgKNl
 AawNqjfXY7obX3m5xr9g
 =qJG4
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:
 "Resource management:
   - Update "pci=resource_alignment" documentation (Mathias Koehrer)

  MSI:
   - Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig)
   - Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig)

  Intel VMD host bridge driver:
   - Fix infinite loop executing irq's (Keith Busch)"

* tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  x86/PCI: VMD: Fix infinite loop executing irq's
  PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors()
  PCI: Use positive flags in pci_alloc_irq_vectors()
  PCI: Update "pci=resource_alignment" documentation
2016-08-26 18:26:07 -07:00
Ross Zwisler
11bd969fde mm: silently skip readahead for DAX inodes
For DAX inodes we need to be careful to never have page cache pages in
the mapping->page_tree.  This radix tree should be composed only of DAX
exceptional entries and zero pages.

ltp's readahead02 test was triggering a warning because we were trying
to insert a DAX exceptional entry but found that a page cache page had
already been inserted into the tree.  This page was being inserted into
the radix tree in response to a readahead(2) call.

Readahead doesn't make sense for DAX inodes, but we don't want it to
report a failure either.  Instead, we just return success and don't do
any work.

Link: http://lkml.kernel.org/r/20160824221429.21158-1-ross.zwisler@linux.intel.com
Signed-off-by: Ross Zwisler <ross.zwisler@linux.intel.com>
Reported-by: Jeff Moyer <jmoyer@redhat.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Jan Kara <jack@suse.com>
Cc: <stable@vger.kernel.org>	[4.5+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-26 17:39:35 -07:00
Dan Williams
d0e5845561 dax: fix device-dax region base
The data offset for a dax region needs to account for a reservation in
the resource range.  Otherwise, device-dax is allowing mappings directly
into the memmap or device-info-block area with crash signatures like the
following:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 IP: get_zone_device_page+0x11/0x30
 Call Trace:
   follow_devmap_pmd+0x298/0x2c0
   follow_page_mask+0x275/0x530
   __get_user_pages+0xe3/0x750
   __gfn_to_pfn_memslot+0x1b2/0x450 [kvm]
   tdp_page_fault+0x130/0x280 [kvm]
   kvm_mmu_page_fault+0x5f/0xf0 [kvm]
   handle_ept_violation+0x94/0x180 [kvm_intel]
   vmx_handle_exit+0x1d3/0x1440 [kvm_intel]
   kvm_arch_vcpu_ioctl_run+0x81d/0x16a0 [kvm]
   kvm_vcpu_ioctl+0x33c/0x620 [kvm]
   do_vfs_ioctl+0xa2/0x5d0
   SyS_ioctl+0x79/0x90
   entry_SYSCALL_64_fastpath+0x1a/0xa4

Fixes: ab68f26221 ("/dev/dax, pmem: direct access to persistent memory")
Link: http://lkml.kernel.org/r/147205536732.1606.8994275381938837346.stgit@dwillia2-desk3.amr.corp.intel.com
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reported-by: Abhilash Kumar Mulumudi <m.abhilash-kumar@hpe.com>
Reported-by: Toshi Kani <toshi.kani@hpe.com>
Tested-by: Toshi Kani <toshi.kani@hpe.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-26 17:39:35 -07:00
Vegard Nossum
088bf2ff5d fs/seq_file: fix out-of-bounds read
seq_read() is a nasty piece of work, not to mention buggy.

It has (I think) an old bug which allows unprivileged userspace to read
beyond the end of m->buf.

I was getting these:

    BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
    Read of size 2713 by task trinity-c2/1329
    CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
    Call Trace:
      kasan_object_err+0x1c/0x80
      kasan_report_error+0x2cb/0x7e0
      kasan_report+0x4e/0x80
      check_memory_region+0x13e/0x1a0
      kasan_check_read+0x11/0x20
      seq_read+0xcd2/0x1480
      proc_reg_read+0x10b/0x260
      do_loop_readv_writev.part.5+0x140/0x2c0
      do_readv_writev+0x589/0x860
      vfs_readv+0x7b/0xd0
      do_readv+0xd8/0x2c0
      SyS_readv+0xb/0x10
      do_syscall_64+0x1b3/0x4b0
      entry_SYSCALL64_slow_path+0x25/0x25
    Object at ffff880116889100, in cache kmalloc-4096 size: 4096
    Allocated:
    PID = 1329
      save_stack_trace+0x26/0x80
      save_stack+0x46/0xd0
      kasan_kmalloc+0xad/0xe0
      __kmalloc+0x1aa/0x4a0
      seq_buf_alloc+0x35/0x40
      seq_read+0x7d8/0x1480
      proc_reg_read+0x10b/0x260
      do_loop_readv_writev.part.5+0x140/0x2c0
      do_readv_writev+0x589/0x860
      vfs_readv+0x7b/0xd0
      do_readv+0xd8/0x2c0
      SyS_readv+0xb/0x10
      do_syscall_64+0x1b3/0x4b0
      return_from_SYSCALL_64+0x0/0x6a
    Freed:
    PID = 0
    (stack is not available)
    Memory state around the buggy address:
     ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
		       ^
     ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
     ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    Disabling lock debugging due to kernel taint

This seems to be the same thing that Dave Jones was seeing here:

  https://lkml.org/lkml/2016/8/12/334

There are multiple issues here:

  1) If we enter the function with a non-empty buffer, there is an attempt
     to flush it. But it was not clearing m->from after doing so, which
     means that if we try to do this flush twice in a row without any call
     to traverse() in between, we are going to be reading from the wrong
     place -- the splat above, fixed by this patch.

  2) If there's a short write to userspace because of page faults, the
     buffer may already contain multiple lines (i.e. pos has advanced by
     more than 1), but we don't save the progress that was made so the
     next call will output what we've already returned previously. Since
     that is a much less serious issue (and I have a headache after
     staring at seq_read() for the past 8 hours), I'll leave that for now.

Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.com
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Reported-by: Dave Jones <davej@codemonkey.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-08-26 17:39:35 -07:00