What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len. Or with ->dxferp pointing
to an array full of empty iovecs.
Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...
Found by Dmitry Vyukov and syzkaller.
[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
underlying issue. - Linus ]
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Don't crash the machine just because of an empty transfer. Use WARN_ON()
combined with returning an error.
Found by Dmitry Vyukov and syzkaller.
[ Changed to "WARN_ON_ONCE()". Al has a patch that should fix the root
cause, but a BUG_ON() is not acceptable in any case, and a WARN_ON()
might still be a cause of excessive log spamming.
NOTE! If this warning ever triggers, we may end up leaking resources,
since this doesn't bother to try to clean the command up. So this
WARN_ON_ONCE() triggering does imply real problems. But BUG_ON() is
much worse.
People really need to stop using BUG_ON() for "this shouldn't ever
happen". It makes pretty much any bug worse. - Linus ]
Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: James Bottomley <jejb@linux.vnet.ibm.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
If ip6_dst_lookup_tail has acquired a dst and fails the IPv4-mapped
check, release the dst before returning an error.
Fixes: ec5e3b0a1d ("ipv6: Inhibit IPv4-mapped src address on the wire.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Two more bugfixes that came in during this week:
- one defconfig change to enable a vital driver used on some Qualcomm
based phones. This was already queued for 4.11, but the maintainer
asked to have it in 4.10 after all.
- One regression fix for the reset controller framework, this got
broken by a typo in the 4.10 merge window.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUAWKi+0mCrR//JCVInAQKQeA//T3CvNEB5ubRhYMV3G3rML0iEkjSlLkeS
QaUEhRAUzjs5X29u2n0Dn/FQsnkE1ZtBVfZfh6Ai8CWkBP7qHR6HRuHCtXlIeT44
NFihuJx15iIPK9PoPMEQcX+vUmAURJ2+ordRGKcHRO35X/3Z/B587ETtJ5cvSp14
b7lrG3sWGq8lFQM2yYjaDyOWL6WaVRAkzarPvGxfsBijSC4AbUwkK2z2HQd8CfyL
0CQ4H/PA/XqbQidL38NQZgV5tgq9CQXdoILDcDrDWQ8GtfoD5kkuOIAYhYrpdrkx
Tjbwkro9RA+3VlkIKh0r8WzOpBn4nFW6Awluui1I2S4/rgzJYorZagM6AsAJtFGh
hT7J5Tiahbe1QtEiWpBSB+lXZDjSEoQDxVgCliJcGjIIAnv9CbAYFvYeNYk6bPAg
LDND8lMZPnXfaV1LIi3Hq5NO2DQjiL0YM5lLcMXU0N9ritVm/GppGnS+HUZf/u2G
l8erWezCshLaWLvPSOOO4gPSJHzOeNfL596EQ+WeD2nFLVp6xRsKZCwHzj6u3hG8
2BiK12q4cFBTiSG2uVBajCNbxgF68l03wF3d3FCxQm0V1I746EuLQIfybB3z680s
YjkUoPf5ApWjTnR912ay5u8o4/aWvPXJvOVoouDAHtDeDYxKfLO+kynd6vs4xvkw
OluDShz/IC8=
=M6/8
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"Two more bugfixes that came in during this week:
- a defconfig change to enable a vital driver used on some Qualcomm
based phones. This was already queued for 4.11, but the maintainer
asked to have it in 4.10 after all.
- a regression fix for the reset controller framework, this got
broken by a typo in the 4.10 merge window"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: multi_v7_defconfig: enable Qualcomm RPMCC
reset: fix shared reset triggered_count decrement on error
Pull ARM fixes from Russell King:
"A couple of fixes from Kees concerning problems he spotted with our
user access support"
* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
ARM: 8657/1: uaccess: consistently check object sizes
Pull x86 fix from Thomas Gleixner:
"Make the build clean by working around yet another GCC stupidity"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/vm86: Fix unused variable warning if THP is disabled
Pull locking fix from Thomas Gleixner:
"Move the futex init function to core initcall so user mode helper does
not run into an uninitialized futex syscall"
* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Move futex_init() to core_initcall
Pull timer fixes from Thomas Gleixner:
"Two small fixes::
- Prevent deadlock on the tick broadcast lock. Found and fixed by
Mike.
- Stop using printk() in the timekeeping debug code to prevent a
deadlock against the scheduler"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
timekeeping: Use deferred printk() in debug code
tick/broadcast: Prevent deadlock on tick_broadcast_lock
Pull networking fixes from David Miller:
1) Fix leak in dpaa_eth error paths, from Dan Carpenter.
2) Use after free when using IPV6_RECVPKTINFO, from Andrey Konovalov.
3) fanout_release() cannot be invoked from atomic contexts, from Anoob
Soman.
4) Fix bogus attempt at lockdep annotation in IRDA.
5) dev_fill_metadata_dst() can OOP on a NULL dst cache pointer, from
Paolo Abeni.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
irda: Fix lockdep annotations in hashbin_delete().
vxlan: fix oops in dev_fill_metadata_dst
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
dpaa_eth: small leak on error
packet: Do not call fanout_release from atomic contexts
Use rcuidle console tracepoint because, apparently, it may be issued
from an idle CPU:
hw-breakpoint: Failed to enable monitor mode on CPU 0.
hw-breakpoint: CPU 0 failed to disable vector catch
===============================
[ ERR: suspicious RCU usage. ]
4.10.0-rc8-next-20170215+ #119 Not tainted
-------------------------------
./include/trace/events/printk.h:32 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
RCU used illegally from idle CPU!
rcu_scheduler_active = 2, debug_locks = 0
RCU used illegally from extended quiescent state!
2 locks held by swapper/0/0:
#0: (cpu_pm_notifier_lock){......}, at: [<c0237e2c>] cpu_pm_exit+0x10/0x54
#1: (console_lock){+.+.+.}, at: [<c01ab350>] vprintk_emit+0x264/0x474
stack backtrace:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-rc8-next-20170215+ #119
Hardware name: Generic OMAP4 (Flattened Device Tree)
console_unlock
vprintk_emit
vprintk_default
printk
reset_ctrl_regs
dbg_cpu_pm_notify
notifier_call_chain
cpu_pm_exit
omap_enter_idle_coupled
cpuidle_enter_state
cpuidle_enter_state_coupled
do_idle
cpu_startup_entry
start_kernel
This RCU warning, however, is suppressed by lockdep_off() in printk().
lockdep_off() increments the ->lockdep_recursion counter and thus
disables RCU_LOCKDEP_WARN() and debug_lockdep_rcu_enabled(), which want
lockdep to be enabled "current->lockdep_recursion == 0".
Link: http://lkml.kernel.org/r/20170217015932.11898-1-sergey.senozhatsky@gmail.com
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reported-by: Tony Lindgren <tony@atomide.com>
Tested-by: Tony Lindgren <tony@atomide.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: Petr Mladek <pmladek@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Tony Lindgren <tony@atomide.com>
Cc: Russell King <rmk@armlinux.org.uk>
Cc: <stable@vger.kernel.org> [3.4+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch enables the Qualcomm RPM based Clock Controller present on
A-family boards.
Signed-off-by: Andy Gross <andy.gross@linaro.org>
Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
A nested lock depth was added to the hasbin_delete() code but it
doesn't actually work some well and results in tons of lockdep splats.
Fix the code instead to properly drop the lock around the operation
and just keep peeking the head of the hashbin queue.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull block layer fix from Jens Axboe:
"A single fix for a lockdep splat reported by Thomas and Gabriel"
* 'for-linus' of git://git.kernel.dk/linux-block:
cfq-iosched: don't call wbt_disable_default() with IRQs disabled
Since the commit 0c1d70af92 ("net: use dst_cache for vxlan device")
vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL
dst_cache pointer, so the latter should explicitly check for
valid dst_cache ptr. Unfortunately the commit d71785ffc7 ("net: add
dst_cache to ovs vxlan lwtunnel") removed said check.
As a result is possible to trigger a null pointer access calling
vxlan_fill_metadata_dst(), e.g. with:
ovs-vsctl add-br ovs-br0
ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 \
type=vxlan options:remote_ip=192.168.1.1 \
options:key=1234 options:dst_port=4789 ofport_request=10
ip address add dev ovs-br0 172.16.1.2/24
ovs-vsctl set Bridge ovs-br0 ipfix=@i -- --id=@i create IPFIX \
targets=\"172.16.1.1:1234\" sampling=1
iperf -c 172.16.1.1 -u -l 1000 -b 10M -t 1 -p 1234
This commit addresses the issue passing to vxlan_get_route() the
dst_cache already available into the lwt info processed by
vxlan_fill_metadata_dst().
Fixes: d71785ffc7 ("net: add dst_cache to ovs vxlan lwtunnel")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.
However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.
Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.
Similar fixes for TCP:
fb7e2399ec [TCP]: skb is unexpectedly freed.
0aea76d35c tcp: SYN packets are now
simply consumed
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
One fix from Paul, we can not use the radix MMU under a hypervisor for now.
Although the current code checks if the processor supports radix, that is not
sufficient.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJYpukgAAoJEFHr6jzI4aWA17UP/jKOZX9G7GcjNAM5VUkL1MZK
pAwZ4heCGeXDT3BhM6UPhwOXPJ/HTpoo9r1hAwAcRAHjvLEbY4WIdwr89s7kGiSD
uO3AfORSpvVNXzJkiD3vyllavkeg0diB+M5G6BktTuV473Ssn3lq3HjS4fjKEWt3
Rfnn4uGx7/KTsAsjEa20bau9lbz48M9csIfvIRs5osYi+PlpEN/3ES0cKWshkgOo
E5doX5jnNxGcySXIFEDhmBQu3jBjVUGIgEambpZExAKHZkIODrhUS3WBKCbTO4U6
kqgP662F8N2Q5jchYWtqbTiJHQJ3dKCcsSzluTrW2BkEE955XSzLxG7+jXQjA2OV
2bIFi/tswKFXDrTbfkHWe8gO4VGeTjmBIFOyfutFrum/F88cxw3eRcgm/n77J8BN
APicI6RVEEXi9s/PbWPOBtw/nPUvsrITDQBz2sC6bUZ+ruk+WgTpo6uSNaqudmFy
3s47M6unX8j9JHHt1xtqPDE6wKYQSum5xQiC1J3xSTGugfakqmuXaMtikm63GK7V
sv9EFX9NZ4pdS8E/mxfnaVVqLNSwpxgpmU1Hxu38IOvTwrKceMpUpRK3R4Z5uqss
XVePIhOllpufZo7yE1WsdVSWd0xViSplrKqlvY6XHjCNeiEdBeCoYpMG3ECJtoKC
qiBro6VMAIfA1BP0vLu+
=Q1P7
-----END PGP SIGNATURE-----
Merge tag 'powerpc-4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc fix from Michael Ellerman:
"One fix from Paul: we can not use the radix MMU under a hypervisor for
now.
Although the code checked if the processor supports radix, that is not
sufficient"
* tag 'powerpc-4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/64: Disable use of radix under a hypervisor
Pull input fix from Dmitry Torokhov:
"Just a single change to Elan touchpad driver to recognize a new ACPI
ID"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: elan_i2c - add ELAN0605 to the ACPI table
Pull i2c fix from Wolfram Sang:
"I2C has a revert to fix a regression"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
Revert "i2c: designware: detect when dynamic tar update is possible"
This should be >= instead of > here. It means that we don't increment
the free count enough so it becomes off by one.
Fixes: 9ad1a37493 ("dpaa_eth: add support for DPAA Ethernet")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- Remove erroneous negation of the error check of the reset function
to decrement trigger_count in the error case, not on success. This
fixes shared resets to actually only trigger once, as intended.
-----BEGIN PGP SIGNATURE-----
iQJLBAABCAA1FiEEBsBxhV1FaKwXuCOBUMKIHHCeYOsFAlimo3EXHHAuemFiZWxA
cGVuZ3V0cm9uaXguZGUACgkQUMKIHHCeYOvihRAA3JEDtX3UEJ5uc9eOTjN/46+A
dqTfZwoxSuky++zdnuPDmJRzD11WlcrBCtMDBVwKrKyRpzev7EjbFjHvoFRly3yb
CqAhSzo6x3rFaNZAt6SfWYq5IRxgCw6RgQTpjiyBmut4k/ut41M8rFjABqgWR0dH
X0WNDsi4tPP2C3lXyCH3JIlPyws36YVOqhE8OppUAfitUM7eiNehFykuUYkI0rHv
/t50+C+sMr/x59YGc3ghluqo8O2wJGnohtLTGt8qFdMOngrkos+aE1iuCefuIFee
ZUtcFrUtAnUQzWI/PNHwoqBXb1Oc7VMIpuYaFRJqb35K21seGdcG2PMFqCGPKMoH
Xw2V6Ssqy8l436FaWLkVnQPZMKheC+1YvfScmhRrTOlayt+wO8+RpJeM3ei5NoFu
3zY0UGkQI4ksQSPk8Pdn6e/n0GK0O3qK6QUpjuHD3E7x5jHRw96ARJBk3ngoM2qT
Hh9IJmbik3PqVnHdoUGdXEeBIN4qHm5Pp0KkXzszpk2IQF1H3wrbxaZ7SYbx54wE
1m/BwZ03YwN626gGilR+W3LqjRPAJ90y9jEMJbzGec2wHl/eEmHLJ7QESJAfKMOE
RM5zYeZCtU8xnNm1HcmQF29nydXx4TRNbxKQIJAvDW/89T2i/1erBkTlYTrKL545
u7KwAZdHQIWj9hItcbk=
=o2ta
-----END PGP SIGNATURE-----
Merge tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux into fixes
Pull "Reset controller fixes for v4.10" from Philipp Zabel:
- Remove erroneous negation of the error check of the reset function
to decrement trigger_count in the error case, not on success. This
fixes shared resets to actually only trigger once, as intended.
* tag 'reset-for-4.10-fixes' of https://git.pengutronix.de/git/pza/linux:
reset: fix shared reset triggered_count decrement on error
For a shared reset, when the reset is successful, the triggered_count is
incremented when trying to call the reset callback, so that another device
sharing the same reset line won't trigger it again. If the reset has not
been triggered successfully, the trigger_count should be decremented.
The code does the opposite, and decrements the trigger_count on success.
As a consequence, another device sharing the reset will be able to trigger
it again.
Fixed be removing negation in from of the error code of the reset function.
Fixes: 7da33a37b4 ("reset: allow using reset_control_reset with shared reset")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
On Skylake hardware, the link_poll isn't clearing the pending interrupt
bit. Adding a new function for SKX that handles clearing of status bit the
right way.
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Fixes: 783dfa6c ("ntb: Adding Skylake Xeon NTB support")
Signed-off-by: Jon Mason <jdmason@kudzu.us>
Fix typo causing ntb_transport_create_queue to select the first
queue every time, instead of using the next free queue.
Signed-off-by: Thomas VanSelus <tvanselus@xes-inc.com>
Signed-off-by: Aaron Sierra <asierra@xes-inc.com>
Acked-by: Allen Hubbe <Allen.Hubbe@dell.com>
Fixes: fce8a7bb5 ("PCI-Express Non-Transparent Bridge Support")
Signed-off-by: Jon Mason <jdmason@kudzu.us>
In the normal I/O execution path, ntb_perf is missing a call to
dmaengine_unmap_put() after submission. That causes us to leak
unmap objects.
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Fixes: 8a7b6a77 ("ntb: ntb perf tool")
Signed-off-by: Jon Mason <jdmason@kudzu.us>
The call to debugfs_remove_recursive(qp->debugfs_dir) of the sub-level
directory must not be later than
debugfs_remove_recursive(nt_debugfs_dir) of the top-level directory.
Otherwise, the sub-level directory will not exist, and it would be
invalid (panic) to attempt to remove it. This removes the top-level
directory last, after sub-level directories have been cleaned up.
Signed-off-by: Allen Hubbe <Allen.Hubbe@dell.com>
Fixes: e26a5843f ("NTB: Split ntb_hw_intel and ntb_transport drivers")
Signed-off-by: Jon Mason <jdmason@kudzu.us>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJYpmMNAAoJEAx081l5xIa+rkQP/iKaA6ue5GOY0Y5HVc5k9sGw
Sa7014iQYhU893JzOtMl1mFUQIyUIvI3qM5ea/FBO4LsBQF0BAvqkEALslN9PLhr
pJ0+ocEeWsdGdbOY4XSBxBpYoH38XNEF4z2t8k/INKqODREWh5E4Jqj5M1jAEgIq
aTAiwfnxyTxF+1Oqt051+4cydfFP8TNgoiSWvkd0lgsGaE4mb/YiisqxI8AfeVwj
hHJq8NlY1ZSYHgf1RLI+176HcKZm4DuTsOM6u+j6lCITW66phX17A60Vhh4qLSTV
fYxz4Qm+fHb4JUdGp42ddT4gAYW/luznajm3ta4ESW7qTiYTVaula5avmrCdze0O
RyACh9Dc/DlC+3C5CgVE/Uezylg3f7GfTswEcbt0D6d2Dn+xW+jNlf8KJDS8JKLJ
7zWYvhkZ9JmraL1x7gYploEK2jKI80qevZJxjwYwtJT4tBezBUAtKXDD5WE8Y0U3
tctBnVXvXrdIP7vaMcwwXN17akMLUepxfGCKv/WmMtUbEBkXoEfzSipRmhPTIQu8
BWSJW20T0lg7TDahLVkcLh+vlbNcq3W2VmBvAJN9442OiFZzvJ/ewvP+Fxz2jE7+
UJMFCFXHX6cfdBQo8Qr9SWxZZCI4Gxw9r4IE53ZXmRf8zPd5dtQDFBALWI2iak8d
/nt4ih276yCSrFLF28HQ
=csQz
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-for-v4.10-final' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Just two last minute fixes, one for DP MST oopses and one for a radeon
regression"
* tag 'drm-fixes-for-v4.10-final' of git://people.freedesktop.org/~airlied/linux:
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
drm/dp/mst: fix kernel oops when turning off secondary monitor
One regression fix for interlaced modes on radeon
* 'drm-fixes-4.10' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
This reverts commit 24b91e360e and commit
7bdb59f1ad ("tick/nohz: Fix possible missing clock reprog after tick
soft restart") that depends on it,
Pavel reports that it causes occasional boot hangs for him that seem to
depend on just how the machine was booted. In particular, his machine
hangs at around the PCI fixups of the EHCI USB host controller, but only
hangs from cold boot, not from a warm boot.
Thomas Gleixner suspecs it's a CPU hotplug interaction, particularly
since Pavel also saw suspend/resume issues that seem to be related.
We're reverting for now while trying to figure out the root cause.
Reported-bisected-and-tested-by: Pavel Machek <pavel@ucw.cz>
Acked-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Rik van Riel <riel@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org # reverted commits were marked for stable
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJYpefcAAoJEAhfPr2O5OEVeswP/RgA7lHk9cVl0f2srK/7rTcc
kd8IIfrHhQmHTRJOllVKdz5Rwl9Eih3FHs7xukfHzP3nr4ZfkEoj8ZEPnF6C1W0v
TivhxBJyyhKIx3g/oIl6OOXJeBLRgRCENrwoKjbRVDtuDcxpfm8d2P2NjdoPDN+6
zSDkMgqw4QW/8fqhoVpoEdtIjS0/BBS/Qob0QIpDpzSk1QtNsv0Ra83sYEGNHX/5
f+jw25XQZiYZJFw8cNCEmmOTlan5yuCKS9gjjMm7le07jFLjS/nKL+e9zwrm7WXN
4tuoxwcNCtKRzjdXyPG4up5LN0PTckQeZ/ust4w9N9wh+/ssr1n6p4qGMieVWQpE
vXgekn/1mjOpZ9VNY+ciq4IZXNLjqeWPODQiNrgyfrbGN5oN6PKoIYW8ubGd8YvA
86FEA7zJq6/I+Yne1PqvlLo3tWXquV7tVEGsZnatWe2ZnfvadsVMkGPi/KzgGjNj
PPg/lBm/8uuPjlHrAZmo0VvT/To1BQLRjKZGbb1TnC6bZU/pEJpdRy4b5mGQAyOP
ZkXeuGae3JaxWgyYVzzbjANcfxZcc4qNp7FHdG/7yKXU3w8qsZgNgiWKyPw2Xw/F
0Xx7wH0MI1Q+KlbuQi6TNGjMigX8VpqZXv2ql8r8KsUlg33FwMFNF0pe8ofPPc+8
BP0WVM1iUInBVd5jxIYi
=aXBS
-----END PGP SIGNATURE-----
Merge tag 'media/v4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media
Pull media fix from Mauro Carvalho Chehab:
"A regression fix that makes the Siano driver to work again after the
CONFIG_VMAP_STACK change"
* tag 'media/v4.10-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
[media] siano: make it work again with CONFIG_VMAP_STACK
Flags (PIPE_BUF_FLAG_PACKET, PIPE_BUF_FLAG_GIFT) could remain on the
unused part of the pipe ring buffer. Previously splice_to_pipe() left
the flags value alone, which could result in incorrect behavior.
Uninitialized flags appears to have been there from the introduction of
the splice syscall.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Cc: <stable@vger.kernel.org> # 2.6.17+
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Pull fuse fixes from Miklos Szeredi:
"Fix a use after free bug introduced in 4.2 and using an uninitialized
value introduced in 4.9"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
fuse: fix uninitialized flags in pipe_buffer
fuse: fix use after free issue in fuse_dev_do_read()
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJYpbp5AAoJEFmIoMA60/r8zZkP/2FlVvsdjF+khX/pWndPiFcW
tm1IN0rt/2Y+eizK+w7pmkcXSH6IO/djLdqxtZngaVmN5Ov+2+IezCPP88YQi8Rm
NbEVP6tRe7EjTYi9qTCdu88W2cmHyv+xHruZPtTUVPiR1waMo5ewgNJZhvFvGho0
fuB6CyQ6H7NfV9oviTfRYbos0qVIFmje/DA16SvI1vhmGrBxRraIpNpjVnKEgPLC
d5e5Pj6HquF6AtrI+HjCgkckH77lAAmlSkvxxdxlv4tOVhgYQjFoHgztwzNApYs7
h6vSxfrPfSvwbUgHDaNzosOtc1lhnyXr0s4nql0ffhTvw01YkJeetWy9HYfhFCBC
2neWaTOW0AShap22a92JfBFmKOu+712qIA2BW0mkfTjGK4iZIbRhI6z49VPQO+Fx
liymiDDRdjZUEHdKfa5AUIAX4hBRn1C9UUi8Pfi3QHg8uYPH68238qcrZoxfpTBZ
kZk4T/kEhVsTZu7Bn7Yl7WzSwnLMJsDPDzqInJuABrGZUtlxyDT+gUu4hU3LfPjI
S9DreCZp9K062j5Xw/EszDlcFjEbFDf0CgX1444mYEW1fNAgSJ7p0j26bktyYDCs
cxmA9GMcqEtrxFJeV19kcVGgw63aiDNitbIg+Gz0ap3GP2ybtEzQzWdyHuej39yX
PYbSvJZbeprFhmowQuhp
=+P65
-----END PGP SIGNATURE-----
Merge tag 'pci-v4.10-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fix from Bjorn Helgaas:
"Add back pcie_pme_remove() so we free the IRQ when removing PCIe port
devices; previously the leaked IRQ caused an MSI BUG_ON"
* tag 'pci-v4.10-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI/PME: Restore pcie_pme_driver.remove
Pull networking fixes from David Miller:
1) In order to avoid problems in the future, make cgroup bpf overriding
explicit using BPF_F_ALLOW_OVERRIDE. From Alexei Staovoitov.
2) LLC sets skb->sk without proper skb->destructor and this explodes,
fix from Eric Dumazet.
3) Make sure when we have an ipv4 mapped source address, the
destination is either also an ipv4 mapped address or
ipv6_addr_any(). Fix from Jonathan T. Leighton.
4) Avoid packet loss in fec driver by programming the multicast filter
more intelligently. From Rui Sousa.
5) Handle multiple threads invoking fanout_add(), fix from Eric
Dumazet.
6) Since we can invoke the TCP input path in process context, without
BH being disabled, we have to accomodate that in the locking of the
TCP probe. Also from Eric Dumazet.
7) Fix erroneous emission of NETEVENT_DELAY_PROBE_TIME_UPDATE when we
aren't even updating that sysctl value. From Marcus Huewe.
8) Fix endian bugs in ibmvnic driver, from Thomas Falcon.
[ This is the second version of the pull that reverts the nested
rhashtable changes that looked a bit too scary for this late in the
release - Linus ]
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (27 commits)
rhashtable: Revert nested table changes.
ibmvnic: Fix endian errors in error reporting output
ibmvnic: Fix endian error when requesting device capabilities
net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification
net: xilinx_emaclite: fix freezes due to unordered I/O
net: xilinx_emaclite: fix receive buffer overflow
bpf: kernel header files need to be copied into the tools directory
tcp: tcp_probe: use spin_lock_bh()
uapi: fix linux/if_pppol2tp.h userspace compilation errors
packet: fix races in fanout_add()
ibmvnic: Fix initial MTU settings
net: ethernet: ti: cpsw: fix cpsw assignment in resume
kcm: fix a null pointer dereference in kcm_sendmsg()
net: fec: fix multicast filtering hardware setup
ipv6: Handle IPv4-mapped src to in6addr_any dst.
ipv6: Inhibit IPv4-mapped src address on the wire.
net/mlx5e: Disable preemption when doing TC statistics upcall
rhashtable: Add nested tables
tipc: Fix tipc_sk_reinit race conditions
gfs2: Use rhashtable walk interface in glock_hash_walk
...
The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
with special modes such as interlaced ones.
Fixes the HW cursor disappearing in the bottom half of the screen with
interlaced modes.
Fixes: 6b16cf7785 ("drm/radeon: Hide the HW cursor while it's out of bounds")
Cc: stable@vger.kernel.org
Reported-by: Ashutosh Kumar <ashutosh.kumar@amd.com>
Tested-by: Sonny Jiang <sonny.jiang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
The 64-bit get_user() wasn't clearing the high word due to a typo in the
error handler. The exception handler entry was already correct, though.
Noticed during recent usercopy test additions in lib/test_user_copy.c.
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
In commit 76624175dc ("arm64: uaccess: consistently check object sizes"),
the object size checks are moved outside the access_ok() so that bad
destinations are detected before hitting the "memset(dest, 0, size)" in the
copy_from_user() failure path.
This makes the same change for arm, with attention given to possibly
extracting the uaccess routines into a common header file for all
architectures in the future.
Suggested-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
wbt_disable_default() calls del_timer_sync() to wait for the wbt
timer to finish before disabling throttling. We can't do this with
IRQs disable. This fixes a lockdep splat on boot, if non-root
cgroups are used.
Reported-by: Gabriel C <nix.or.die@gmail.com>
Fixes: 87760e5eef ("block: hook up writeback throttling")
Signed-off-by: Jens Axboe <axboe@fb.com>
This reverts commits:
6a254780779dbbfb0ab640137906c5
It's too risky to put in this late in the release
cycle. We'll put these changes into the next merge
window instead.
Signed-off-by: David S. Miller <davem@davemloft.net>
dp/mst oops fix for v4.10
* tag 'drm-misc-fixes-2017-02-15' of git://anongit.freedesktop.org/git/drm-misc:
drm/dp/mst: fix kernel oops when turning off secondary monitor
Currently, if the kernel is running on a POWER9 processor under a
hypervisor, it may try to use the radix MMU even though it doesn't have
the necessary code to do so (it doesn't negotiate use of radix, and it
doesn't do the H_REGISTER_PROC_TBL hcall). If the hypervisor supports
both radix and HPT, then it will set up the guest to use HPT (since the
guest doesn't request radix in the CAS call), but if the radix feature
bit is set in the ibm,pa-features property (which is valid, since
ibm,pa-features is defined to represent the capabilities of the
processor) the guest will try to use radix, resulting in a crash when
it turns the MMU on.
This makes the minimal fix for the current code, which is to disable
radix unless we are running in hypervisor mode.
Fixes: 2bfd65e45e ("powerpc/mm/radix: Add radix callbacks for early init routines")
Cc: stable@vger.kernel.org # v4.7+
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Error reports received from firmware were not being converted from
big endian values, leading to bogus error codes reported on little
endian systems.
Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When a vNIC client driver requests a faulty device setting, the
server returns an acceptable value for the client to request.
This 64 bit value was incorrectly being swapped as a 32 bit value,
resulting in loss of data. This patch corrects that by using
the 64 bit swap function.
Signed-off-by: Thomas Falcon <tlfalcon@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When setting a neigh related sysctl parameter, we always send a
NETEVENT_DELAY_PROBE_TIME_UPDATE netevent. For instance, when
executing
sysctl net.ipv6.neigh.wlp3s0.retrans_time_ms=2000
a NETEVENT_DELAY_PROBE_TIME_UPDATE netevent is generated.
This is caused by commit 2a4501ae18 ("neigh: Send a
notification when DELAY_PROBE_TIME changes"). According to the
commit's description, it was intended to generate such an event
when setting the "delay_first_probe_time" sysctl parameter.
In order to fix this, only generate this event when actually
setting the "delay_first_probe_time" sysctl parameter. This fix
should not have any unintended side-effects, because all but one
registered netevent callbacks check for other netevent event
types (the registered callbacks were obtained by grepping for
"register_netevent_notifier"). The only callback that uses the
NETEVENT_DELAY_PROBE_TIME_UPDATE event is
mlxsw_sp_router_netevent_event() (in
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c): in case
of this event, it only accesses the DELAY_PROBE_TIME of the
passed neigh_parms.
Fixes: 2a4501ae18 ("neigh: Send a notification when DELAY_PROBE_TIME changes")
Signed-off-by: Marcus Huewe <suse-tux@gmx.de>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The xilinx_emaclite uses __raw_writel and __raw_readl for register
accesses. Those functions do not imply any kind of memory barriers and
they may be reordered.
The driver does not seem to take that into account, though, and the
driver does not satisfy the ordering requirements of the hardware.
For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
which try to set MDIO address before initiating the transaction.
I'm seeing system freezes with the driver with GCC 5.4 and current
Linux kernels on Zynq-7000 SoC immediately when trying to use the
interface.
In commit 123c1407af ("net: emaclite: Do not use microblaze and ppc
IO functions") the driver was switched from non-generic
in_be32/out_be32 (memory barriers, big endian) to
__raw_readl/__raw_writel (no memory barriers, native endian), so
apparently the device follows system endianness and the driver was
originally written with the assumption of memory barriers.
Rather than try to hunt for each case of missing barrier, just switch
the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
on endianness instead.
Tested on little-endian Zynq-7000 ARM SoC FPGA.
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Fixes: 123c1407af ("net: emaclite: Do not use microblaze and ppc IO
functions")
Signed-off-by: David S. Miller <davem@davemloft.net>