Commit Graph

589710 Commits

Author SHA1 Message Date
Steven Rostedt (Red Hat)
59643d1535 ring-buffer: Prevent overflow of size in ring_buffer_resize()
If the size passed to ring_buffer_resize() is greater than MAX_LONG - BUF_PAGE_SIZE
then the DIV_ROUND_UP() will return zero.

Here's the details:

  # echo 18014398509481980 > /sys/kernel/debug/tracing/buffer_size_kb

tracing_entries_write() processes this and converts kb to bytes.

 18014398509481980 << 10 = 18446744073709547520

and this is passed to ring_buffer_resize() as unsigned long size.

 size = DIV_ROUND_UP(size, BUF_PAGE_SIZE);

Where DIV_ROUND_UP(a, b) is (a + b - 1)/b

BUF_PAGE_SIZE is 4080 and here

 18446744073709547520 + 4080 - 1 = 18446744073709551599

where 18446744073709551599 is still smaller than 2^64

 2^64 - 18446744073709551599 = 17

But now 18446744073709551599 / 4080 = 4521260802379792

and size = size * 4080 = 18446744073709551360

This is checked to make sure its still greater than 2 * 4080,
which it is.

Then we convert to the number of buffer pages needed.

 nr_page = DIV_ROUND_UP(size, BUF_PAGE_SIZE)

but this time size is 18446744073709551360 and

 2^64 - (18446744073709551360 + 4080 - 1) = -3823

Thus it overflows and the resulting number is less than 4080, which makes

  3823 / 4080 = 0

an nr_pages is set to this. As we already checked against the minimum that
nr_pages may be, this causes the logic to fail as well, and we crash the
kernel.

There's no reason to have the two DIV_ROUND_UP() (that's just result of
historical code changes), clean up the code and fix this bug.

Cc: stable@vger.kernel.org # 3.5+
Fixes: 83f40318da ("ring-buffer: Make removal of ring buffer pages atomic")
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2016-05-13 16:44:20 -04:00
Steven Rostedt (Red Hat)
9b94a8fba5 ring-buffer: Use long for nr_pages to avoid overflow failures
The size variable to change the ring buffer in ftrace is a long. The
nr_pages used to update the ring buffer based on the size is int. On 64 bit
machines this can cause an overflow problem.

For example, the following will cause the ring buffer to crash:

 # cd /sys/kernel/debug/tracing
 # echo 10 > buffer_size_kb
 # echo 8556384240 > buffer_size_kb

Then you get the warning of:

 WARNING: CPU: 1 PID: 318 at kernel/trace/ring_buffer.c:1527 rb_update_pages+0x22f/0x260

Which is:

  RB_WARN_ON(cpu_buffer, nr_removed);

Note each ring buffer page holds 4080 bytes.

This is because:

 1) 10 causes the ring buffer to have 3 pages.
    (10kb requires 3 * 4080 pages to hold)

 2) (2^31 / 2^10  + 1) * 4080 = 8556384240
    The value written into buffer_size_kb is shifted by 10 and then passed
    to ring_buffer_resize(). 8556384240 * 2^10 = 8761737461760

 3) The size passed to ring_buffer_resize() is then divided by BUF_PAGE_SIZE
    which is 4080. 8761737461760 / 4080 = 2147484672

 4) nr_pages is subtracted from the current nr_pages (3) and we get:
    2147484669. This value is saved in a signed integer nr_pages_to_update

 5) 2147484669 is greater than 2^31 but smaller than 2^32, a signed int
    turns into the value of -2147482627

 6) As the value is a negative number, in update_pages_handler() it is
    negated and passed to rb_remove_pages() and 2147482627 pages will
    be removed, which is much larger than 3 and it causes the warning
    because not all the pages asked to be removed were removed.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=118001

Cc: stable@vger.kernel.org # 2.6.28+
Fixes: 7a8e76a382 ("tracing: unified trace buffer")
Reported-by: Hao Qin <QEver.cn@gmail.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2016-05-13 11:12:20 -04:00
Chunyu Hu
854145e0a8 tracing: Don't display trigger file for events that can't be enabled
Currently register functions for events will be called
through the 'reg' field of event class directly without
any check when seting up triggers.

Triggers for events that don't support register through
debug fs (events under events/ftrace are for trace-cmd to
read event format, and most of them don't have a register
function except events/ftrace/functionx) can't be enabled
at all, and an oops will be hit when setting up trigger
for those events, so just not creating them is an easy way
to avoid the oops.

Link: http://lkml.kernel.org/r/1462275274-3911-1-git-send-email-chuhu@redhat.com

Cc: stable@vger.kernel.org # 3.14+
Fixes: 85f2b08268 ("tracing: Add basic event trigger framework")
Signed-off-by: Chunyu Hu <chuhu@redhat.com>
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
2016-05-03 12:59:30 -04:00
Linus Torvalds
04974df804 Linux 4.6-rc6 2016-05-01 15:52:31 -07:00
Linus Torvalds
da9373d67c Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal fixes from Eduardo Valentin:
 "A couple of minor fixes for the thermal subsystem.

  Specifics in this pull request:

   - Fixes in hisilicon thermal driver
   - More fixes of unsigned to int type change in thermal_core.c"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
  thermal: use %d to print S32 parameters
  thermal: hisilicon: increase temperature resolution
2016-04-30 18:57:42 -07:00
Linus Torvalds
1b46bac627 powerpc fixes for 4.6
- cxl: Keep IRQ mappings on context teardown from Michael Neuling
  - cxl: Poll for outstanding IRQs when detaching a context from Michael Neuling
  - Wire up preadv2 and pwritev2 syscalls from Rui Salvaterra
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXI2HxAAoJEFHr6jzI4aWAfLgP/jxD+kfBtrK6KJXq5BVM+IWr
 aevVTVCgv3F8yOiI0ZPyOSh7B23dP8nBGYcejpTxyQcb8lox20WL6Q+om7H+BleC
 yrb9/sGzvJXIdazqMF77fzDjTHjjAMNizi9f82+8OzrghtQj8GJNogKwydIXe3QB
 +27kZcbkpXhdJZ/V0qmsWCAMV+sdaW0BW3DREQ0jFf0k08I0HMHiyN/zrqwadLjU
 Qx7af0iENdSRXtve1vGI41lflDPTaou39Y4NyUHfar1zGtt2rktrl5z16lmPC9nw
 gio6CsTIKwjsWRZugzrAlPXaToZKGgCGmW634RRfBMkjOnFoEGk0/GN2w0A+wjp4
 +jYq8v+2jss74Ngq12/NmIbB+b8iFsKsN7b0UPZnf91PsAKlprB6iDbCw35KSHgi
 MLB8cOeEGBg+nm+ZSdrylyOa7RSJv3dK7cfEegtpXRAdxGwVAwCpjXvBqA+fdyUi
 dfg2ChHJ91GWs3+ljPd/ee+OTPq3jY+o6PL/lQBaGhC6XuxrFQTsm537pNzlH6wf
 sUZzF5duf1jpRvnpeGgzAMUqYHz7W/NbiHKVV8EC18jSDnc/7BANfVxENBk1Vk+o
 2CdVWS26hDTUkRKdx+JbDRsStD1XxBgmBD37tEaDuD49VvbkqHB5yarjqAphM+zY
 Pf3WwyuXpfsB1ppjrzCM
 =4O+o
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "A few more powerpc fixes for 4.6:

   - cxl: Keep IRQ mappings on context teardown from Michael Neuling

   - cxl: Poll for outstanding IRQs when detaching a context from
     Michael Neuling

   - Wire up preadv2 and pwritev2 syscalls from Rui Salvaterra"

* tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc: wire up preadv2 and pwritev2 syscalls
  cxl: Poll for outstanding IRQs when detaching a context
  cxl: Keep IRQ mappings on context teardown
2016-04-29 18:50:08 -07:00
Linus Torvalds
65c4cbeba7 Make sure sb_edac and i7core_edac do not terminate MCE processing on the
decoding callchain prematurely.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXI47iAAoJEBLB8Bhh3lVKkmIP/3ux+I41Z4Hc1APdevLnB/kE
 /XLFp+ubnrQpjdkQMxFlQMHVToDVsMtFWkb6TqJ3JCiDPn3NIR37tY1REVrKBBwz
 rkofw1N4Xp/jfpTYhqtzS/NlTw0WYr9NymPGwytfBUQUj5JL7KdvYOywgu+Xivt4
 tILK4b0JXO1Q2nL+iewNcgvCcOnJ3nrEAD/S0hlpqBtUuXjMAWRAukFledYSn1dd
 O2g4+SH/VtfutQOg8oGywJtxGIx5dKNMmMWSEoTQLcuvBWS6tV11GTzZFvYdH8jv
 Yhpv3nRnydTqXdgf1BR8Oh5nYMFxXU9MAHNh6Vz3BOGdJiRm5rVz19UApi+CMFCG
 7v0e4wSAz7XwO5jE9vxuBSOcJLBJ9wQG7eCX5ckMh4hK5EZYsS+Mh1EanEVIj+6D
 n9ZScdnGiGvGpGkEGT3Xv4A2U1uXhOFrjvTTEBenHZgGpy+xi3H8RCU7HnruwUyg
 VXngxbV9chzfFlh3YuMVFEZWQJwRN6Jf0GMbMIIsGcwFEVsofQ+Po39gkLihRfv7
 3WeDnyelds0eIqB/94zoYUKhahsa/hiQJwmpeYbUmmffE7fBFLA+48aNy0npjxPr
 IEZ7wgKV8EURLUmjkPR3Bm1AL9Puqj3gkC8lHD4ikmEmdOJZnAwZ19u4PfBMvNcs
 THHoI5h6Qsi4aKALfUSp
 =TlNI
 -----END PGP SIGNATURE-----

Merge tag 'edac_fix_for_4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp

Pull EDAC fix from Borislav Petkov:
 "Make sure sb_edac and i7core_edac do not terminate MCE processing on
  the decoding callchain prematurely"

* tag 'edac_fix_for_4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
  EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
2016-04-29 17:59:26 -07:00
Linus Torvalds
b49a5195e2 Power management fixes for v4.6-rc6
- Revert cpufreq commit that attempted to fix a problem in the
    ondemand/conservative governor code, but did that incorrectly
    and introduced another problem instead (Rafael Wysocki).
 
  - Fix incorrect decoding of MSR contents related to the
    Turbo Activation Ratio (TAR) handling in the intel_pstate
    driver (Srinivas Pandruvada).
 
 /
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJXI1WqAAoJEILEb/54YlRxXW8P/0D+1fn2EWJFVzXqOYjEsmH1
 i8kpfmXHqO2LLt+njPDnpqTMCShOHlLOTJquPt98A5LM8/4Jkk6SDt2A9LKMENrG
 boKWm/U2uFjT2dFdfpsETzM6zENyukb0cpOwxRlz1X81buOwXmEVGvJnKJrLQbT3
 bOLzKRXsT7NPeMeeqOtsUy7kq+17N2dErPzppzHQqlx+510FXGsgC+WibQwtpKVm
 KCPkb0KBTvuYtjPqMfv9LrFAyBIQn9V4sJePtjJbx3lMbCKC2IFZ3O97Fp/UIgOd
 FTkgsvJr+jTogvhqHCxeIBXclySLWpIGNiIO69oWxHjy+Mh6RK+nObE0mW17GAc3
 QxpQSz03ZNbLU4iWQIQ/jAGBp4w/FDxnZ/gVX43T1183ooEIP+/baAdfkb+e5dbJ
 WPoKuWPNrqi6W1lsJ9dLzEUemN14pAyGWF3KGmO0Czj6tGlq5LwUc6UO6+q92j4m
 5lsZkL+fAQOVywhbc9pZ+PylSL9fi4VASg1Pmn4W+0fYGoM6O4NdaY3vIz9L5wgF
 NS+LIOv66YHvAIdLfrWVZcQX0vEM1EmOA0lO4+h9/1G7ZVe42JS0iUPqciX64l3p
 M2703pYq3Jdcy1IL1x905HdJA8dv6yjlgudqj0gOMGsPtNCcN3TOQyK/x+ffhCex
 /Ei1Zx5QN5GQar00HTfu
 =ES0b
 -----END PGP SIGNATURE-----

Merge tag 'pm+acpi-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "One revert of a recent cpufreq commit that introduced a regression and
  a fix for intel_pstate's Turbo Activation Ratio handling code.

  Specifics:

   - Revert cpufreq commit that attempted to fix a problem in the
     ondemand/conservative governor code, but did that incorrectly and
     introduced another problem instead (Rafael Wysocki).

   - Fix incorrect decoding of MSR contents related to the Turbo
     Activation Ratio (TAR) handling in the intel_pstate driver
     (Srinivas Pandruvada)"

* tag 'pm+acpi-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: intel_pstate: Fix processing for turbo activation ratio
  Revert "cpufreq: governor: Fix negative idle_time when configured with CONFIG_HZ_PERIODIC"
2016-04-29 17:39:51 -07:00
Linus Torvalds
a8feb78209 MMC host:
- sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs
  - sunxi: Disable eMMC HS-DDR for Allwinner A80
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXInEdAAoJEP4mhCVzWIwpMIUP/0WLTuK68GJ7/hbx7cFfJUsQ
 R05hc31VQkN8Q8ebunz/BuNo5a80QZqLX8zIpnFpoPWkE56ERwAsFr2Qv7qGhQvA
 Qnh03EiKsdrt9du4ZfPT6rBU+4xcUoyGZauGKBOt/cqvG6m7VQxJ4XTbb3u9m4BV
 QM2K1t4po195b4FsTWetfZ/Uqib4vW+F/ekqmQh4SdQ++RRxuDw/aYtdFd3gp3DS
 5ZQToN3lsS5ibFPbzSOBTY0Emu6b/0DQE3PxtQhmJsp1fHCf9aEMhO9ETL5QuntZ
 xkqBtTbhmR2NcITpgha/m9caLBFtMJNfK1xtAnJOoEenK9u4Dd/p9V/eQ9RUBq+k
 VRfiOKdxjKtYIPogdF9E4XUYBKUT7sIGF0lfNT/Rru5WA+zmlf6moNHlrChvdN8S
 TSq/Tj6+8dU1Vm2+IPKrlsR5EjqGaOq5RYptRDNTnnvT8ni/m3UQETtI+V4VaC/k
 5LxnjyvnyMRYL9hz7cekmuW2xRCVSEcD6cCwRKRa9wQaoazV6Su5ZzrkzBtgExqb
 gR+QAPoWxf8DbiBCWsTT+/X+DVypeHZCrZX0v+sDQrbBHMR0n7ApVD3FzvZNGyZl
 vPvW4GCH0fsRMkfJkjZsfqrO8qFXcnF0NqQ7NM4msYEPJFm+SCg+lcaGa96p7mwM
 v04TgEXKeHIDFoVaHhzW
 =t5At
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.6-rc4' of git://git.linaro.org/people/ulf.hansson/mmc

Pull MMC fixes from Ulf Hansson:
 "Here are a two MMC host fixes:

  - sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs

  - sunxi: Disable eMMC HS-DDR for Allwinner A80"

* tag 'mmc-v4.6-rc4' of git://git.linaro.org/people/ulf.hansson/mmc:
  mmc: sunxi: Disable eMMC HS-DDR (MMC_CAP_1_8V_DDR) for Allwinner A80
  mmc: sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs
2016-04-29 17:32:19 -07:00
Linus Torvalds
b9cc335ffa Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "A few fixes all over the place:

  radeon is probably the biggest standout, it's a fix for screen
  corruption or hung black outputs so I thought it was worth pulling in.

  Otherwise some amdgpu power control fixes, some misc vmwgfx fixes, one
  etnaviv fix, one virtio-gpu fix, two DP MST fixes, and a single TTM
  fix"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
  drm/vmwgfx: Fix order of operation
  drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
  drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
  drm/amdgpu: disable vm interrupts with vm_fault_stop=2
  drm/amdgpu: print a message if ATPX dGPU power control is missing
  Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power control"
  drm/radeon: fix vertical bars appear on monitor (v2)
  drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail
  drm/virtio: send vblank event after crtc updates
  drm/dp/mst: Restore primary hub guid on resume
  drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
  drm/etnaviv: don't move linear memory window on 3D cores without MC2.0
2016-04-29 17:18:55 -07:00
Linus Torvalds
925d96a0c9 Final set of -rc fixes for 4.6
- A number of collected fixes for oopses, memory corruptions, deadlocks,
   etc.  All of these fixes are small (many only 5-10 lines), obvious,
   and tested.
 - Fix for the security issue related to the use of write for
   bi-directional communications.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXIrZVAAoJELgmozMOVy/d/XEP/1A4Ohm7WiZMN09wvlFGSgLe
 2z2tY9ILvFuiAF++VZRfYyRmHorVKHYB1tk0JTsW1Ts1DrkjExgr4LS1/YDLOC42
 q8YlBZw2x7pdnD5W1MJm+HK6oNj7aZVVjEHG7QnfLUIXr57a2rBQIeeWLx24M+OS
 j1yvaY/v39qvf7dwHwVjs07rh2WW9QCZn2c/552G4xz1YDdTkYBTc2WNnl0eng1f
 1NqqMXhnajmNyR+Q+0+Vbcp4YWv551l5E6j9M+5nebehNtPSRb0GEIjxT3KnSGEg
 AjFev3XwnRF9EkQOwgbsg7a784+UHXe15vbr1MvbzGygcQeq4NVzLl04WEHExQe1
 Om0ES/i8zfRs6d5XYB5zMY8pJbdjSVM/20d+h21SQs//4JXXJrN35WVAyy8lgwrX
 M3oY4t21eBQlV7oezfEZQgEEbdtccr8LILfZZmRUWPHd2ymaTWg6e4pZwtn45rlD
 O/Gb11G/UT7SXgw+XiPLBj5xlQk7nRn0kGuaStR7PonkLQ9Zy1wSSptvJeGj0VWE
 W6TEJnIqtv0aiJLhIQn8Ee1pCxE/ds7UPW6wT5O9R8ccEdDeIB3BDgskTNg1xPuS
 I8e1o7iA9752YS3wMDhLA8PifwbmVbkGHxJUQecOBPiDcdukkM0q4/YoNYqXKLCc
 nLDv3fMztpinG1L1T2LM
 =MFdC
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma

Pull rdma fixes from Doug Ledford:
 "Final set of -rc fixes for 4.6.

  I've collected up a number of patches that are all pretty small with
  the exception of only a couple.  The hfi1 driver has a number of
  important patches, and it is what really drives the line count of this
  pull request up.  These are all small and I've got this kernel built
  and running in the test lab (I have most of the hardware, I think nes
  is the only thing in this patch set that I can't say I've personally
  tested and have up and running).

  Summary:

   - A number of collected fixes for oopses, memory corruptions,
     deadlocks, etc.  All of these fixes are small (many only 5-10
     lines), obvious, and tested.

   - Fix for the security issue related to the use of write for
     bi-directional communications"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  RDMA/nes: don't leak skb if carrier down
  IB/security: Restrict use of the write() interface
  IB/hfi1: Use kernel default llseek for ui device
  IB/hfi1: Don't attempt to free resources if initialization failed
  IB/hfi1: Fix missing lock/unlock in verbs drain callback
  IB/rdmavt: Fix send scheduling
  IB/hfi1: Prevent unpinning of wrong pages
  IB/hfi1: Fix deadlock caused by locking with wrong scope
  IB/hfi1: Prevent NULL pointer deferences in caching code
  MAINTAINERS: Update iser/isert maintainer contact info
  IB/mlx5: Expose correct max_sge_rd limit
  RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
  iw_cxgb4: handle draining an idle qp
  iw_cxgb3: initialize ibdev.iwcm->ifname for port mapping
  iw_cxgb4: initialize ibdev.iwcm->ifname for port mapping
  IB/core: Don't drain non-existent rq queue-pair
  IB/core: Fix oops in ib_cache_gid_set_default_gid
2016-04-29 17:07:54 -07:00
Linus Torvalds
1d003af2ef Merge branch 'akpm' (patches from Andrew)
Merge fixes from Andrew Morton:
 "20 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  Documentation/sysctl/vm.txt: update numa_zonelist_order description
  lib/stackdepot.c: allow the stack trace hash to be zero
  rapidio: fix potential NULL pointer dereference
  mm/memory-failure: fix race with compound page split/merge
  ocfs2/dlm: return zero if deref_done message is successfully handled
  Ananth has moved
  kcov: don't profile branches in kcov
  kcov: don't trace the code coverage code
  mm: wake kcompactd before kswapd's short sleep
  .mailmap: add Frank Rowand
  mm/hwpoison: fix wrong num_poisoned_pages accounting
  mm: call swap_slot_free_notify() with page lock held
  mm: vmscan: reclaim highmem zone if buffer_heads is over limit
  numa: fix /proc/<pid>/numa_maps for THP
  mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
  mailmap: fix Krzysztof Kozlowski's misspelled name
  thp: keep huge zero page pinned until tlb flush
  mm: exclude HugeTLB pages from THP page_mapped() logic
  kexec: export OFFSET(page.compound_head) to find out compound tail page
  kexec: update VMCOREINFO for compound_order/dtor
2016-04-29 11:21:22 -07:00
Tony Luck
c4fc1956fa EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
Both of these drivers can return NOTIFY_BAD, but this terminates
processing other callbacks that were registered later on the chain.
Since the driver did nothing to log the error it seems wrong to prevent
other interested parties from seeing it. E.g. neither of them had even
bothered to check the type of the error to see if it was a memory error
before the return NOTIFY_BAD.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Acked-by: Aristeu Rozanski <aris@redhat.com>
Acked-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Cc: linux-edac <linux-edac@vger.kernel.org>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/72937355dd92318d2630979666063f8a2853495b.1461864507.git.tony.luck@intel.com
Signed-off-by: Borislav Petkov <bp@suse.de>
2016-04-29 15:43:10 +02:00
Rafael J. Wysocki
81be193b7e Merge branch 'pm-cpufreq-fixes'
* pm-cpufreq-fixes:
  cpufreq: intel_pstate: Fix processing for turbo activation ratio
  Revert "cpufreq: governor: Fix negative idle_time when configured with CONFIG_HZ_PERIODIC"
2016-04-29 14:22:25 +02:00
Dave Airlie
ea99697814 Merge branch 'drm-fixes-4.6' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
A few fixes for 4.6.
- revert amdgpu PX commit that was previously reverted on the radeon side
- cleaned up version of the NI+ MC update display fix for radeon
- TTM kref fix

* 'drm-fixes-4.6' of git://people.freedesktop.org/~agd5f/linux:
  drm/amdgpu: disable vm interrupts with vm_fault_stop=2
  drm/amdgpu: print a message if ATPX dGPU power control is missing
  Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power control"
  drm/radeon: fix vertical bars appear on monitor (v2)
  drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail
2016-04-29 14:31:44 +10:00
Dave Airlie
d8ba5d60d5 Merge branch 'drm-vmwgfx-fixes' of git://people.freedesktop.org/~syeh/repos_linux into drm-fixes
three misc vmwgfx fixes

* 'drm-vmwgfx-fixes' of git://people.freedesktop.org/~syeh/repos_linux:
  drm/vmwgfx: Fix order of operation
  drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
  drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
2016-04-29 14:27:50 +10:00
Linus Torvalds
92c19ea953 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
 "Two boot crash fixes and an IRQ handling crash fix"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/apic: Handle zero vector gracefully in clear_vector_irq()
  Revert "x86/mm/32: Set NX in __supported_pte_mask before enabling paging"
  xen/qspinlock: Don't kick CPU if IRQ is not initialized
2016-04-28 20:24:27 -07:00
Linus Torvalds
814dd9481d Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "x86 PMU driver fixes plus a core code race fix"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel: Fix incorrect lbr_sel_mask value
  perf/x86/intel/pt: Don't die on VMXON
  perf/core: Fix perf_event_open() vs. execve() race
  perf/x86/amd: Set the size of event map array to PERF_COUNT_HW_MAX
  perf/core: Make sysctl_perf_cpu_time_max_percent conform to documentation
  perf/x86/intel/rapl: Add missing Haswell model
  perf/x86/intel: Add model number for Skylake Server to perf
2016-04-28 20:19:04 -07:00
Linus Torvalds
2113caed87 Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fixes from Ingo Molnar:
 "Two lockdep fixes"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  lockdep: Fix lock_chain::base size
  locking/lockdep: Fix ->irq_context calculation
2016-04-28 19:59:17 -07:00
Linus Torvalds
8f3603a210 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull EFI fix from Ingo Molnar:
 "This fixes a bug in the efivars code"

* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  efi: Fix out-of-bounds read in variable_matches()
2016-04-28 19:54:50 -07:00
Linus Torvalds
ba14e961b4 media fixes for v4.6-rc6
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXIhgfAAoJEAhfPr2O5OEVlY4P/Rw71pT4fJ5MJdwrg11V7Kor
 ev3QxqjKQbeAi2oQEooIaLIlGtvHiGdKApo/jT+VjpvHvdT1y1YDTck0pLYGKTEz
 61dGWWGe3S6WKLXI+jDww7r/MscmdqzYheEGx+qtwB1nvpni6e3szxrIwhKyup70
 wTmh+LO80VhzHOORnYs9E4gUWIlYYOBxtnb1TDeYKzZquly7Mls32gQ+3Uixk4pt
 AFsilvsq8iUU/0LAyxtkPClmmf8ZWoKgLSgAhFBOHZx5TR6Kwa/YwLE+WH6kd4fS
 CQuyD2rvxKwix4PocYjtZJB2YEVGeUU/Ux6VMsKkDrh5aG/V0F3dcqQwCr3iSoTU
 51ieaBh9wFdesT/FnWCznOtVINr4v23wRuOyAHEHd6HrVxXxkLo8R1ADMynwr6HU
 YQMS1Su3icoQcLsdwlYxpQwaJaYvUV4LzDycE5G8weXg9hb2Tfv60svQc1zbXSWc
 Urvw8c7k23vHNLky0h1yYadkgE9K0b567/Am78FXTnFJR1saMpdt9kS7vxqpSJXC
 hoTw+MAaJrmM9jNk+Nmic6ps5xDKAiptjMxZ6YfCzrSK7IHjyYSvay3Lnd9M0zwm
 CKDEaXf9YhDEGEVpaSOIuluo6tcSFumlRY4FFoRysI4n/A779X7X7Ittd6vCrO8Z
 ymL6dhrTgFrnCLEWV9cB
 =REYX
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "Some regression fixes:

   - videobuf2 core: avoid the risk of going past buffer on multi-planes
     and fix rw mode

   - fix support for 4K formats at V4L2 core

   - fix a trouble at davinci_fpe, caused by a bad patch

   - usbvision: revert a patch with a partial fixup.  The fixup patch
     was merged already, and this one has some issues"

* tag 'media/v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] vb2-memops: Fix over allocation of frame vectors
  [media] media: vb2: Fix regression on poll() for RW mode
  [media] v4l2-dv-timings.h: fix polarity for 4k formats
  [media] davinci_vpfe: Revert "staging: media: davinci_vpfe: remove,unnecessary ret variable"
  [media] usbvision: revert commit 588afcc1
  [media] videobuf2-v4l2: Verify planes array in buffer dequeueing
  [media] videobuf2-core: Check user space planes array in dqbuf
2016-04-28 19:44:47 -07:00
Linus Torvalds
e1f14a5469 sound fixes for 4.6-rc6
Usually we get a big collection of fixes for ASoC once during rc.
 And this is it.
 
 At this time, most of fixes are about Intel Skylake ASoC driver, which
 is a new and still on-going development.  Along with it, a slight
 large LOC is seen in legacy HD-audio driver, but it's merely a code
 move to the upper layer.
 
 Other than that, the rest are small or trivial fixes to various
 drivers, in addition to an ASoC dapm debugfs code fix.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXIgKpAAoJEGwxgFQ9KSmkNYQP/1Fzw/1Of+6ONNSO0mhTrFsZ
 KcYkKBlWTXLgzV5KTmcxhtx66QP8Z1S6yUNVxeeW8sWlW+F8CRdpGMhWaXcxpiRl
 uhuOO6qWIa96U0U8huFN3hvcUDjdEUJTS/cyMK2FD253qIWkZlZifSgPJRxeWKg2
 EBfIICz14UKWusk5Frqb/mD3QGmkh9P4wd/Z2y+4p+TNrpCFKGOcHo8LKI4JscXo
 bhQduiQ0LsGWFfNfdzd9KX6G5XAE+pu7hc9VYDE1X89Ih/pMzdJGqwy9dyDBokh6
 ucE+y3E715r/CS19vZ6l9p/4s+b5gUVvXBAk2MjFo/3/HOfoMqCz/ECi3PTfuc7c
 CcmJq8A2KifOgGc7/yi4apajn5THUpQmQuQAharlipB1Y/vWZxKUo4eX7RGjJnaq
 /peXevea96ilpajankQ1Et8LwsvklxzGAQ5J1ONtR7x8pqiOJ7mVL5Cp0GU3Cg1J
 BHIKWPm+Dv5piMtke0/7JSYIbxL5zzgmltqfYY44wnAzEvAcehv4u7zDE/BQdPo8
 l8oLxgTsyAaBj+4YCUtlSWQjCyBifK8kD1OsRqak+jqYg6rl/uug7Cau7qAcpOyG
 IWSnQbLyP3YfcLNagtqyqru35Q4w1F1NRpZFwe2XLNbsG6hM5Ea/y0QKbCUS/ncn
 IkQPkrdx3+h/3PGNLo+P
 =ju49
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Usually we get a big collection of fixes for ASoC once during rc.  And
  this is it.

  At this time, most of fixes are about Intel Skylake ASoC driver, which
  is a new and still on-going development.  Along with it, a slight
  large LOC is seen in legacy HD-audio driver, but it's merely a code
  move to the upper layer.

  Other than that, the rest are small or trivial fixes to various
  drivers, in addition to an ASoC dapm debugfs code fix"

* tag 'sound-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (24 commits)
  ALSA: hda - Update BCLK also at hotplug for i915 HSW/BDW
  ALSA: hda - Add dock support for ThinkPad X260
  ASoC: wm5102: Free compressed IRQ in CODEC remove
  ASoC: arizona: Free speaker thermal IRQs in CODEC remove
  ASoC: Intel: Skylake: Fix ibs/obs calc for non-integral sampling rates
  ASoC: Intel: sst: fix a loop timeout in sst_hsw_stream_reset()
  ASoC: Intel: Skylake: Fix to turn OFF codec power when entering S3
  ASoC: hdac_hdmi: Fix codec power state in S3 during playback
  ASoC: hdac_hdmi: Fix to use dev_pm ops instead soc pm
  ASoC: wm8962: Correct typo when setting DSPCLK rate
  ASoC: nau8825: Fix jack detection across suspend
  ASoC: Intel: Skylake: Fix DSP resource de-allocation
  ASoC: Intel: Skylake: Fix for unloading module only when it is loaded
  ASoC: Intel: Skylake: Fix kbuild dependency
  ASoC: dapm: Make sure we have a card when displaying component widgets
  ASoC: rt5640: Correct the digital interface data select
  ASoC: Intel: Skylake: remove call to pci_dev_put
  ASoC: Intel: Skylake: Call i915 exit last
  ASoC: Intel: Skylake: Unmap the address last
  ASoC: Intel: Skylake: Freeup properly on skl_dsp_free
  ...
2016-04-28 19:38:45 -07:00
Xishi Qiu
7c88a292df Documentation/sysctl/vm.txt: update numa_zonelist_order description
Commit 3193913ce6 ("mm: page_alloc: default node-ordering on 64-bit
NUMA, zone-ordering on 32-bit") changes the default value of
numa_zonelist_order.  Update the document.

Signed-off-by: Xishi Qiu <qiuxishi@huawei.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Kamezawa Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Alexander Potapenko
33334e2576 lib/stackdepot.c: allow the stack trace hash to be zero
Do not bail out from depot_save_stack() if the stack trace has zero hash.
Initially depot_save_stack() silently dropped stack traces with zero
hashes, however there's actually no point in reserving this zero value.

Reported-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Signed-off-by: Alexander Potapenko <glider@google.com>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Vladimir Zapolskiy
99f23c2cde rapidio: fix potential NULL pointer dereference
The change fixes improper check for a returned error value by
class_create() function, which on error returns ERR_PTR() value, thus the
original check always results in a dead code on error path.

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Konstantin Khlebnikov
c2e7e00b71 mm/memory-failure: fix race with compound page split/merge
get_hwpoison_page() must recheck relation between head and tail pages.

n-horiguchi said: without this recheck, the race causes kernel to pin an
irrelevant page, and finally makes kernel crash for refcount mismatch.

Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
xuejiufei
b73413647e ocfs2/dlm: return zero if deref_done message is successfully handled
dlm_deref_lockres_done_handler() should return zero if the message is
successfully handled.

Fixes: 60d663cb52 ("ocfs2/dlm: add DEREF_DONE message").
Signed-off-by: xuejiufei <xuejiufei@huawei.com>
Reviewed-by: Joseph Qi <joseph.qi@huawei.com>
Cc: Mark Fasheh <mfasheh@suse.de>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Ananth N Mavinakayanahalli
a320817c68 Ananth has moved
The current ID is going away soon... update email address

Signed-off-by: Ananth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Andrey Ryabinin
36f05ae8bc kcov: don't profile branches in kcov
Profiling 'if' statements in __sanitizer_cov_trace_pc() leads to
unbound recursion and crash:

	__sanitizer_cov_trace_pc() ->
		ftrace_likely_update ->
			__sanitizer_cov_trace_pc() ...

Define DISABLE_BRANCH_PROFILING to disable this tracer.

Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
James Morse
bdab42dfc9 kcov: don't trace the code coverage code
Kcov causes the compiler to add a call to __sanitizer_cov_trace_pc() in
every basic block.  Ftrace patches in a call to _mcount() to each
function it has annotated.

Letting these mechanisms annotate each other is a bad thing.  Break the
loop by adding 'notrace' to __sanitizer_cov_trace_pc() so that ftrace
won't try to patch this code.

This patch lets arm64 with KCOV and STACK_TRACER boot.

Signed-off-by: James Morse <james.morse@arm.com>
Acked-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Alexander Potapenko <glider@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Vlastimil Babka
fd901c9538 mm: wake kcompactd before kswapd's short sleep
When kswapd goes to sleep it checks if the node is balanced and at first
it sleeps only for HZ/10 time, then rechecks if the node is still
balanced and nobody has woken it during the initial sleep.  Only then it
goes fully sleep until an allocation slowpath wakes it up again.

For higher-order allocations, waking up kcompactd is done only before
the full sleep.  This turns out to be an issue in case another
high-order allocation fails during the initial sleep.  It will wake
kswapd up, however kswapd considers the zone balanced from the order-0
perspective, and will just quickly try to sleep again.  So if there's a
longer stream of high-order allocations hitting the slowpath and waking
up kswapd, it might never actually wake up kcompactd, which may be
considered a regression from kswapd-based compaction.  In the worst
case, it might be that a single allocation that cannot direct
reclaim/compact itself is waking kswapd in the retry loop and preventing
kcompactd from being woken up and unblocking it.

This patch makes sure kcompactd is woken up in such situations by simply
moving the wakeup before the short initial sleep.  More efficient
solution would be to wake kcompactd immediately instead of kswapd if the
node is already order-0 balanced, but in that case we should also move
reset_isolation_suitable() call to kcompactd so it's not adding to the
allocator's latency.  Since it's late in the 4.6 cycle, let's go with
the simpler change for now.

Fixes: accf62422b ("mm, kswapd: replace kswapd compaction with waking up kcompactd")
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: David Rientjes <rientjes@google.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Frank Rowand
eeb68d1d2d .mailmap: add Frank Rowand
Set current email address to replace obsolete email addresses.

Signed-off-by: Frank Rowand <frank.rowand@sonymobile.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Minchan Kim
d7e69488bd mm/hwpoison: fix wrong num_poisoned_pages accounting
Currently, migration code increses num_poisoned_pages on *failed*
migration page as well as successfully migrated one at the trial of
memory-failure.  It will make the stat wrong.  As well, it marks the
page as PG_HWPoison even if the migration trial failed.  It would mean
we cannot recover the corrupted page using memory-failure facility.

This patches fixes it.

Signed-off-by: Minchan Kim <minchan@kernel.org>
Reported-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Minchan Kim
b06bad17c7 mm: call swap_slot_free_notify() with page lock held
Kyeongdon reported below error which is BUG_ON(!PageSwapCache(page)) in
page_swap_info.  The reason is that page_endio in rw_page unlocks the
page if read I/O is completed so we need to hold a PG_lock again to
check PageSwapCache.  Otherwise, the page can be removed from swapcache.

  Kernel BUG at c00f9040 [verbose debug info unavailable]
  Internal error: Oops - BUG: 0 [] PREEMPT SMP ARM
  Modules linked in:
  CPU: 4 PID: 13446 Comm: RenderThread Tainted: G        W 3.10.84-g9f14aec-dirty 
  task: c3b73200 ti: dd192000 task.ti: dd192000
  PC is at page_swap_info+0x10/0x2c
  LR is at swap_slot_free_notify+0x18/0x6c
  pc : [<c00f9040>]    lr : [<c00f5560>]    psr: 400f0113
  sp : dd193d78  ip : c2deb1e4  fp : da015180
  r10: 00000000  r9 : 000200da  r8 : c120fe08
  r7 : 00000000  r6 : 00000000  r5 : c249a6c0  r4 : = c249a6c0
  r3 : 00000000  r2 : 40080009  r1 : 200f0113  r0 : = c249a6c0
  ..<snip> ..
  Call Trace:
    page_swap_info+0x10/0x2c
    swap_slot_free_notify+0x18/0x6c
    swap_readpage+0x90/0x11c
    read_swap_cache_async+0x134/0x1ac
    swapin_readahead+0x70/0xb0
    handle_pte_fault+0x320/0x6fc
    handle_mm_fault+0xc0/0xf0
    do_page_fault+0x11c/0x36c
    do_DataAbort+0x34/0x118

Fixes: 3f2b1a04f4 ("zram: revive swap_slot_free_notify")
Signed-off-by: Minchan Kim <minchan@kernel.org>
Tested-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Minchan Kim
7bf52fb891 mm: vmscan: reclaim highmem zone if buffer_heads is over limit
We have been reclaimed highmem zone if buffer_heads is over limit but
commit 6b4f7799c6 ("mm: vmscan: invoke slab shrinkers from
shrink_zone()") changed the behavior so it doesn't reclaim highmem zone
although buffer_heads is over the limit.  This patch restores the logic.

Fixes: 6b4f7799c6 ("mm: vmscan: invoke slab shrinkers from shrink_zone()")
Signed-off-by: Minchan Kim <minchan@kernel.org>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Gerald Schaefer
28093f9f34 numa: fix /proc/<pid>/numa_maps for THP
In gather_pte_stats() a THP pmd is cast into a pte, which is wrong
because the layouts may differ depending on the architecture.  On s390
this will lead to inaccurate numa_maps accounting in /proc because of
misguided pte_present() and pte_dirty() checks on the fake pte.

On other architectures pte_present() and pte_dirty() may work by chance,
but there may be an issue with direct-access (dax) mappings w/o
underlying struct pages when HAVE_PTE_SPECIAL is set and THP is
available.  In vm_normal_page() the fake pte will be checked with
pte_special() and because there is no "special" bit in a pmd, this will
always return false and the VM_PFNMAP | VM_MIXEDMAP checking will be
skipped.  On dax mappings w/o struct pages, an invalid struct page
pointer would then be returned that can crash the kernel.

This patch fixes the numa_maps THP handling by introducing new "_pmd"
variants of the can_gather_numa_stats() and vm_normal_page() functions.

Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Cc: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Konstantin Khlebnikov <koct9i@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Jerome Marchand <jmarchan@redhat.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Mel Gorman <mgorman@suse.de>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Cc: <stable@vger.kernel.org>	[4.3+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Konstantin Khlebnikov
3486b85a29 mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
Khugepaged detects own VMAs by checking vm_file and vm_ops but this way
it cannot distinguish private /dev/zero mappings from other special
mappings like /dev/hpet which has no vm_ops and popultes PTEs in mmap.

This fixes false-positive VM_BUG_ON and prevents installing THP where
they are not expected.

Link: http://lkml.kernel.org/r/CACT4Y+ZmuZMV5CjSFOeXviwQdABAgT7T+StKfTqan9YDtgEi5g@mail.gmail.com
Fixes: 78f11a2557 ("mm: thp: fix /dev/zero MAP_PRIVATE and vm_flags cleanups")
Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Krzysztof Kozlowski
314e9b75b3 mailmap: fix Krzysztof Kozlowski's misspelled name
Patchwork introduced a garbled Polish character in commit 1e3012d0fd
("crypto: s5p-sss - Use memcpy_toio for iomem annotated memory") so fix
the mail mapping.  Additionally prefer to use kernel.org account for
personal work, instead of my gmail address.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Kirill A. Shutemov
aa88b68c3b thp: keep huge zero page pinned until tlb flush
Andrea has found[1] a race condition on MMU-gather based TLB flush vs
split_huge_page() or shrinker which frees huge zero under us (patch 1/2
and 2/2 respectively).

With new THP refcounting, we don't need patch 1/2: mmu_gather keeps the
page pinned until flush is complete and the pin prevents the page from
being split under us.

We still need patch 2/2.  This is simplified version of Andrea's patch.
We don't need fancy encoding.

[1] http://lkml.kernel.org/r/1447938052-22165-1-git-send-email-aarcange@redhat.com

Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Andrea Arcangeli <aarcange@redhat.com>
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Hugh Dickins <hughd@google.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Steve Capper
66ee95d16a mm: exclude HugeTLB pages from THP page_mapped() logic
HugeTLB pages cannot be split, so we use the compound_mapcount to track
rmaps.

Currently page_mapped() will check the compound_mapcount, but will also
go through the constituent pages of a THP compound page and query the
individual _mapcount's too.

Unfortunately, page_mapped() does not distinguish between HugeTLB and
THP compound pages and assumes that a compound page always needs to have
HPAGE_PMD_NR pages querying.

For most cases when dealing with HugeTLB this is just inefficient, but
for scenarios where the HugeTLB page size is less than the pmd block
size (e.g.  when using contiguous bit on ARM) this can lead to crashes.

This patch adjusts the page_mapped function such that we skip the
unnecessary THP reference checks for HugeTLB pages.

Fixes: e1534ae950 ("mm: differentiate page_mapped() from page_mapcount() for compound pages")
Signed-off-by: Steve Capper <steve.capper@arm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Will Deacon <will.deacon@arm.com>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Atsushi Kumagai
d7f53518f7 kexec: export OFFSET(page.compound_head) to find out compound tail page
PageAnon() always look at head page to check PAGE_MAPPING_ANON and tail
page's page->mapping has just a poisoned data since commit 1c290f6421
("mm: sanitize page->mapping for tail pages").

If makedumpfile checks page->mapping of a compound tail page to
distinguish anonymous page as usual, it must fail in newer kernel.  So
it's necessary to export OFFSET(page.compound_head) to avoid checking
compound tail pages.

The problem is that unnecessary hugepages won't be removed from a dump
file in kernels 4.5.x and later.  This means that extra disk space would
be consumed.  It's a problem, but not critical.

Signed-off-by: Atsushi Kumagai <ats-kumagai@wm.jp.nec.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Atsushi Kumagai
8639a847b0 kexec: update VMCOREINFO for compound_order/dtor
makedumpfile refers page.lru.next to get the order of compound pages for
page filtering.

However, now the order is stored in page.compound_order, hence
VMCOREINFO should be updated to export the offset of
page.compound_order.

The fact is, page.compound_order was introduced already in kernel 4.0,
but the offset of it was the same as page.lru.next until kernel 4.3, so
this was not actual problem.

The above can be said also for page.lru.prev and page.compound_dtor,
it's necessary to detect hugetlbfs pages.  Further, the content was
changed from direct address to the ID which means dtor.

The problem is that unnecessary hugepages won't be removed from a dump
file in kernels 4.4.x and later.  This means that extra disk space would
be consumed.  It's a problem, but not critical.

Signed-off-by: Atsushi Kumagai <ats-kumagai@wm.jp.nec.com>
Acked-by: Dave Young <dyoung@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-04-28 19:34:04 -07:00
Linus Torvalds
6fa9bffbcc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
Pull Ceph fixes from Sage Weil:
 "There is a lifecycle fix in the auth code, a fix for a narrow race
  condition on map, and a helpful message in the log when there is a
  feature mismatch (which happens frequently now that the default
  server-side options have changed)"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client:
  rbd: report unsupported features to syslog
  rbd: fix rbd map vs notify races
  libceph: make authorizer destruction independent of ceph_auth_client
2016-04-28 18:59:24 -07:00
Linus Torvalds
cf681c2ebc Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:
 "Three more bug fixes for 4.6

   - Due to a race in the dynamic page table code a multi-threaded
     program can cause a translation specification exception.  With
     panic_on_oops a user space program can crash the system.

   - An information leak with the /dev/sclp device.

   - A use after free in the s390 PCI code"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/sclp_ctl: fix potential information leak with /dev/sclp
  s390/mm: fix asce_bits handling with dynamic pagetable levels
  s390/pci: fix use after free in dma_init
2016-04-28 18:52:11 -07:00
Florian Westphal
4c8bb95921 RDMA/nes: don't leak skb if carrier down
Alternatively one could free the skb, OTOH I don't think this test is
useful so just remove it.

Cc: <linux-rdma@vger.kernel.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-04-28 21:11:09 -04:00
Sinclair Yeh
7851496a32 drm/vmwgfx: Fix order of operation
mode->hdisplay * (var->bits_per_pixel + 7) gets evaluated before
the division, potentially making the pitch larger than it should
be.

Since the original intention is to do a div-round-up, just use
the macro instead.

Signed-off-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
2016-04-28 11:07:30 -07:00
Charmaine Lee
e02e588431 drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
Instead of calling vmw_cmd_ok, call vmw_cmd_dx_cid_check to
validate the context id for query commands.

Signed-off-by: Charmaine Lee <charmainel@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
2016-04-28 11:07:23 -07:00
Charmaine Lee
1883598d42 drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
Fixes piglit tests nv_conditional_render-* crashes.

Signed-off-by: Charmaine Lee <charmainel@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
2016-04-28 11:07:15 -07:00
Jason Gunthorpe
e6bd18f57a IB/security: Restrict use of the write() interface
The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl().  This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Cc: stable@vger.kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-04-28 12:03:16 -04:00
Dean Luick
7723d8c244 IB/hfi1: Use kernel default llseek for ui device
The ui device llseek had a mistake with SEEK_END and did
not fully follow seek semantics.  Correct all this by
using a kernel supplied function for fixed size devices.

Cc: Al Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Dean Luick <dean.luick@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-04-28 12:00:39 -04:00