Commit Graph

603538 Commits

Author SHA1 Message Date
Josh Poimboeuf fc18822510 perf/x86: Fix 32-bit perf user callgraph collection
A basic perf callgraph record operation causes an immediate panic on a
32-bit kernel compiled with CONFIG_CC_STACKPROTECTOR=y:

  $ perf record -g ls
  Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c0404fbd

  CPU: 0 PID: 998 Comm: ls Not tainted 4.7.0-rc5+ #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
   c0dd5967 ff7afe1c 00000086 f41dbc2c c07445a0 464c457f f41dbca8 f41dbc44
   c05646f4 f41dbca8 464c457f f41dbca8 464c457f f41dbc54 c04625be c0ce56fc
   c0404fbd f41dbc88 c0404fbd b74668f0 f41dc000 00000000 c0000000 00000000
  Call Trace:
   [<c07445a0>] dump_stack+0x58/0x78
   [<c05646f4>] panic+0x8e/0x1c6
   [<c04625be>] __stack_chk_fail+0x1e/0x30
   [<c0404fbd>] ? perf_callchain_user+0x22d/0x230
   [<c0404fbd>] perf_callchain_user+0x22d/0x230
   [<c055f89f>] get_perf_callchain+0x1ff/0x270
   [<c055f988>] perf_callchain+0x78/0x90
   [<c055c7eb>] perf_prepare_sample+0x24b/0x370
   [<c055c934>] perf_event_output_forward+0x24/0x70
   [<c05531c0>] __perf_event_overflow+0xa0/0x210
   [<c0550a93>] ? cpu_clock_event_read+0x43/0x50
   [<c0553431>] perf_swevent_hrtimer+0x101/0x180
   [<c0456235>] ? kmap_atomic_prot+0x35/0x140
   [<c056dc69>] ? get_page_from_freelist+0x279/0x950
   [<c058fdd8>] ? vma_interval_tree_remove+0x158/0x230
   [<c05939f4>] ? wp_page_copy.isra.82+0x2f4/0x630
   [<c05a050d>] ? page_add_file_rmap+0x1d/0x50
   [<c0565611>] ? unlock_page+0x61/0x80
   [<c0566755>] ? filemap_map_pages+0x305/0x320
   [<c059769f>] ? handle_mm_fault+0xb7f/0x1560
   [<c074cbeb>] ? timerqueue_del+0x1b/0x70
   [<c04cfefe>] ? __remove_hrtimer+0x2e/0x60
   [<c04d017b>] __hrtimer_run_queues+0xcb/0x2a0
   [<c0553330>] ? __perf_event_overflow+0x210/0x210
   [<c04d0a2a>] hrtimer_interrupt+0x8a/0x180
   [<c043ecc2>] local_apic_timer_interrupt+0x32/0x60
   [<c043f643>] smp_apic_timer_interrupt+0x33/0x50
   [<c0b0cd38>] apic_timer_interrupt+0x34/0x3c
  Kernel Offset: disabled
  ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c0404fbd

The panic is caused by the fact that perf_callchain_user() mistakenly
assumes it's 64-bit only and ends up corrupting the stack.

Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: stable@vger.kernel.org # v4.5+
Fixes: 75925e1ad7 ("perf/x86: Optimize stack walk user accesses")
Link: http://lkml.kernel.org/r/1a547f5077ec30f75f9b57074837c3c80df86e5e.1467432113.git.jpoimboe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-03 10:43:00 +02:00
Stephane Eranian 9010ae4a8d perf/x86/intel: Update event constraints when HT is off
This patch updates the event constraints for non-PEBS mode for
Intel Broadwell and Skylake processors. When HT is off, each
CPU gets 8 generic counters. However, not all events can be
programmed on any of the 8 counters.  This patch adds the
constraints for the MEM_* events which can only be measured on the
bottom 4 counters. The constraints are also valid when HT is off
because, then, there are only 4 generic counters and they are the
bottom counters.

Signed-off-by: Stephane Eranian <eranian@google.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: kan.liang@intel.com
Link: http://lkml.kernel.org/r/1467411742-13245-1-git-send-email-eranian@google.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-03 10:39:53 +02:00
Vivek Goyal e7c0b5991d ovl: warn instead of error if d_type is not supported
overlay needs underlying fs to support d_type. Recently I put in a
patch in to detect this condition and started failing mount if
underlying fs did not support d_type.

But this breaks existing configurations over kernel upgrade. Those who
are running docker (partially broken configuration) with xfs not
supporting d_type, are surprised that after kernel upgrade docker does
not run anymore.

https://github.com/docker/docker/issues/22937#issuecomment-229881315

So instead of erroring out, detect broken configuration and warn
about it. This should allow existing docker setups to continue
working after kernel upgrade.

Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 45aebeaf4f ("ovl: Ensure upper filesystem supports d_type")
Cc: <stable@vger.kernel.org> 4.6
2016-07-03 09:39:31 +02:00
Linus Torvalds 4f302921c1 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fix from Ralf Baechle:
 "Only a single fix for 4.7 pending at this point.  It fixes an issue
  that may lead to corruption of the cache mode bits in the page table"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: Fix possible corruption of cache mode by mprotect.
2016-07-02 19:10:21 -07:00
Linus Torvalds 70bd68d7f7 powerpc fixes for 4.7 #5
- tm: Always reclaim in start_thread() for exec() class syscalls from Cyril Bur
  - tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 from Michael Neuling
  - eeh: Fix wrong argument passed to eeh_rmv_device() from Gavin Shan
  - Initialise pci_io_base as early as possible from Darren Stevens
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXeEmsAAoJEFHr6jzI4aWAwMMQAKs/u9rwB3gpOkNJSHajN1Dd
 kdqDufzLxLDwbWnMfqM1+bcO2EOjPhKbtpbzhG6oeiET8undRRoLsjHS5rZeYK5h
 cviRPEJ/Yz8ZWaIgFGI8+02gXwU0MJhuTY8NPexXmsh4FRdKYwEuCIJShl30lg22
 P7UrJ2SCNM+H/uZyS07B7thiwBeAKSp6VkLTpuW/QDz2j1ra/F22dTh7c0Agdahd
 INAMAnh9nYeuMVYn4XjOOlQ07JnBTuf1/W5Wxlw4i/86rVq+Hy8zh5r1X52oysR5
 lZl63B9q3agKG9cc9lSN2ibTDVerlFMwB2QysX2a6Uy7+y2SB3hS7VS1RTXCh3hg
 /omApGGVW3Hh+E2CuKfFLQySU55NRpLAoTGravGr/KsH4wZP/n/fkrctldCrqm7P
 sTPT52+t+iJQk4fiskRY3yQ7DTTnt3rTC8MJRGqvLuCheolLll4NQaWOF75AJP+7
 WFWtC4QHOTPERMkhqLnZDG2vNuDg1H8chuZ2+PxtIs6G1vuOEun+MTZAYh4u6XWE
 bAIT9rV3xBdE17bzYOQz7lU1y7yNVtP7xkm0HIOAHlU4gUrjQp5u8F3TnPW3/M0m
 8GeaZdrPjhsaNg31YZODAeM8Ddf+N9d2a2VPIr/fzytURhMe0ss3Z/MdMoYRATab
 Lh1o+G3gDo9MVaphoJ3w
 =oEAY
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.7-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:

 - tm: Always reclaim in start_thread() for exec() class syscalls from
   Cyril Bur

 - tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0 from Michael
   Neuling

 - eeh: Fix wrong argument passed to eeh_rmv_device() from Gavin Shan

 - Initialise pci_io_base as early as possible from Darren Stevens

* tag 'powerpc-4.7-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc: Initialise pci_io_base as early as possible
  powerpc/tm: Avoid SLB faults in treclaim/trecheckpoint when RI=0
  powerpc/eeh: Fix wrong argument passed to eeh_rmv_device()
  powerpc/tm: Always reclaim in start_thread() for exec() class syscalls
2016-07-02 17:47:54 -07:00
Stefan Hauser b291c41817 net: phy: dp83867: Fix initialization of PHYCR register
When initializing the PHY control register, the FIFO depth bits are
written without reading the previous register value, i.e. all other
bits are overwritten with zero. This disables automatic MDI-X
configuration, which is enabled by default. Fix initialization by doing
a read/modify/write operation.

Signed-off-by: Stefan Hauser <stefan@shauser.net>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-02 14:48:58 -04:00
Sergio Valverde 373819ec39 enc28j60: Fix race condition in enc28j60 driver
The interrupt worker code for the enc28j60 relies only on the TXIF flag to
determinate if the packet transmission was completed. However the datasheet
specifies in section 12.1.3 that TXERIF will clear the TXRTS after a
transmit abort. Also in section 12.1.4 that TXIF will be set
when TXRTS transitions from '1' to '0'. Therefore the TXIF flag is enabled
during transmission errors.

This causes a race condition, since the worker code will invoke
enc28j60_tx_clear() -> netif_wake_queue(), potentially invoking the
ndo_start_xmit function to send a new packet. The enc28j60_send_packet function
uses a workqueue that invokes enc28j60_hw_tx(). In between this function is
called, the worker from the interrupt handler will enter the path for error
handler because of the TXERIF flag, causing to invoke enc28j60_tx_clear() again
and releasing the packet scheduled for transmission, causing a kernel crash with
due a NULL pointer.

These crashes due a NULL pointer were observed under stress conditions of the
device. A BUG_ON() sequence was used to validate the issue was fixed, and has
been running without problems for 2 years now.

Signed-off-by: Diego Dompe <dompe@hpe.com>
Acked-by: Sergio Valverde <sergio.valverde@hpe.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-02 14:48:14 -04:00
Matt Corallo a8b7d7709d net: stmmac: Fix null-function call in ISR on stmmac1000
(resent due to overhelpful mail client corrupting patch)

At least on Meson GXBB, the CORE_IRQ_MTL_RX_OVERFLOW interrupt is thrown
with the stmmac1000 driver, which does not support set_rx_tail_ptr. With
this patch and the clock fixes, 1G ethernet works on ODROID-C2.

Signed-off-by: Matt Corallo <git@bluematt.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-02 14:36:18 -04:00
Linus Torvalds 99b0f54e6a Merge tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes frlm Dave Airlie:
 "Just some AMD and Intel fixes, the AMD ones are further production
  Polaris fixes, and the Intel ones fix some early timeouts, some PCI ID
  changes and a couple of other fixes.

  Still a bit Internet challenged here, hopefully end of next week will
  solve it"

* tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux:
  drm/i915: Fix missing unlock on error in i915_ppgtt_info()
  drm/amd/powerplay: workaround for UVD clock issue
  drm/amdgpu: add ACLK_CNTL setting for polaris10
  drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
  drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
  drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
  drm/i915: Add more Kabylake PCI IDs.
  drm/i915: Avoid early timeout during AUX transfers
  drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
  drm/i915/lpt: Avoid early timeout during FDI PHY reset
  drm/i915/bxt: Avoid early timeout during PLL enable
  drm/i915: Refresh cached DP port register value on resume
  drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
  drm/amd/powerplay: disable FFC.
  drm/amd/powerplay: add some definition for FFC feature on polaris.
2016-07-02 09:41:28 -07:00
Linus Torvalds 467ce7693f spi: Fixes for v4.7
A few small driver-specific fixes for SPI, all in the normal important
 if you hit them category especially the rockchip driver fix which
 addresses a race which has been exposed more frequently with some recent
 performance improvements.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXd4PmAAoJECTWi3JdVIfQ0A4H/1D1m/bsdAY0FS12YQteV1GQ
 JYUvj/CWNiuV1MSqIU0WWrlMFO9EwtsojytLIfmGNPXUvPMSpW/Q3IJqhRrQWhmN
 Zl1FUUUIz+sGBsqwq6nZbDJxJhpT6/Tb7YDFR6Oi4l7VeB4Sisv5ax6Ay+uwa/mp
 cvrb/ULILLCHAv0v+6rSjIkZlvD1Yc+08SbbUrTPtVdcY0TDbJEkZ+U2IviCsxmP
 PuqdPUgFIEy7j+hnbEib24f5BNZ/m1a0DY012+es7fSkD5DVa2h71kxS54RC6QYn
 BkkMdK7moflBpbipKlI/eBPz73eePO9SxBwUZFLSUzG4DJEJE2mKKRVyU2LHpGA=
 =uU1M
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A few small driver-specific fixes for SPI, all in the normal important
  if you hit them category especially the rockchip driver fix which
  addresses a race which has been exposed more frequently with some
  recent performance improvements"

* tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: sunxi: fix transfer timeout
  spi: sun4i: fix FIFO limit
  spi: rockchip: Signal unfinished DMA transfers
  spi: spi-ti-qspi: Suspend the queue before removing the device
2016-07-02 09:40:11 -07:00
Linus Torvalds a2b0db5b55 regulator: Fixes for v4.7
Two small fixes for the regulator subsystem - one fixing a crash with
 one of the devices supported by the max77620 driver, another fixing
 startup for the anatop regulator when it starts up with the regulator in
 bypass mode.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXd4GeAAoJECTWi3JdVIfQ+g8H/jpOOKEri6SVaatEbk2J33oA
 YD6EpSV4BRVGQRRLSY11tz3Md45xPLhe47kRpT1antgplKVEAJYARGYGVLmCovGz
 nFXqbQzeTvxs6o6UdrkJlFLDmn4yZgrL4MqhjfxLUzX+Yz/3neQZq6KhESCWKphT
 WPBrNa90s0j+nBCGJV0LxcuoZiKt6th/GUjr0gngepckrg3gIxJJyRVvtE9iVyip
 JYdVTfHt/aYJihIdKAPnXa4M9Ky5KY8ZNTySYcyUaXT3VLDK/UNFFO25q4Nw6F5a
 6XgcjwcFYDpZitf7pQYYfoobDbgTJ1XllPujEP82rIafruAvAKtfORHnvVJfRlU=
 =ZA94
 -----END PGP SIGNATURE-----

Merge tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "Two small fixes for the regulator subsystem - one fixing a crash with
  one of the devices supported by the max77620 driver, another fixing
  startup for the anatop regulator when it starts up with the regulator
  in bypass mode"

* tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: max77620: check for valid regulator info
  regulator: anatop: allow regulator to be in bypass mode
2016-07-02 09:39:03 -07:00
Linus Torvalds 4438512005 A small fix for the newly added oxnas clk driver and a handful of
rockchip clk driver fixes for newly added rk3399 support.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJXdwP4AAoJEK0CiJfG5JUlG8oP/R+kfW2OBvwrJ4ubGnl68obU
 PoLqATqi9S3Zq7nEd4B04+SQT4OBgj63YnCAEwJY9D7KSCoJNYL9nML9FzB/MCiC
 R2Yune3PIsaEuZFZObnURGO5eRxyZqSJEGgzck1LXwrX/BCyrVHGYsJ0EWm2exZo
 zp8YPpM73oILwwCJGivVATNWXFT9HtQ1nfxAmH/e288t6nNuCnXPJf7PLm1t6ERF
 fjQiPRILodQqB3OtKEYvEv2z682RC0Zivwv6O/dd0FEG33aXB2VgAlCz8Ttp/brf
 fFV5L+i7XjDGDyBcZR2dYCOGwx42XYFOKvUpK+ePnbD0x23V3MSjwFU4yeItZlnD
 3PKO0lIJgbRjMtL4a03iWLzcaxDEbMb+/RVPMUtUWoGyId9l2S+cUblB7NuzTfLL
 RnTu6ttUSh3IY81eiAkrDRjafdAkswOf3lJweg+Rx2OZhzaKX0UcpDBaeUdzdqx6
 lxZ8chv8zYnfjgYUEu2jYvIIM/0VoHZgDmvarNRMreATPaOYqDMTfwsGZeTYcvNU
 qZhpNmue3c1cKGAYwzO3elB3KwhuB+83DVXGJu+6/RabbSk3OTMhaGwIH1NSQeCj
 nStb6C9h+Mog9ZTFukUlx7js6d0O8GmjlT4crlWxJ4QGdDvS2j7/hT53e8uK7SLl
 N5WzJrO9szvkZ8ZC9/LI
 =fAAu
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "A small fix for the newly added oxnas clk driver and a handful of
  rockchip clk driver fixes for newly added rk3399 support"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: Fix return value check in oxnas_stdclk_probe()
  clk: rockchip: release io resource when failing to init clk on rk3399
  clk: rockchip: fix cpuclk registration error handling
  clk: rockchip: Revert "clk: rockchip: reset init state before mmc card initialization"
  clk: rockchip: fix incorrect parent for rk3399's {c,g}pll_aclk_perihp_src
  clk: rockchip: mark rk3399 GIC clocks as critical
  clk: rockchip: initialize flags of clk_init_data in mmc-phase clock
2016-07-02 09:36:49 -07:00
Takashi Iwai 046e9ceefa ASoC: Fixes for v4.7
A small clutch of hardware specific fixes for various ASoC devices, all
 small individually and important if you have that device but not
 otherwise.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJXd39qAAoJECTWi3JdVIfQFPEH/0EkO4NyV5Lwe6vgiLL/MBxF
 Quo7Q9qG7c5TGob1Jsqs1xnacxR194xSs6hnIKD3E7QqtdHMBXpOdUnphniD7/I6
 NFP0/b+/leFabXN9DH/Bd8+1csC1mAeYbqzvjRYKU1obag6MrF5+YNiK0QaUyVY2
 nqCrdD6O8Ko3LCdsriWv0vj+cSekVsz5KlCB2Ob0RuPu+v/1GmYcjBcy8ILl2y41
 KL+s4H5K/H5gG+WAFBict94pa4Ag4BFDJc22/wAeAjCGPA1tlN6SJicqYTFDpzRA
 9Wr6kAPN3JaHqDZVeRpDt8z0QyTLpvYB68D3PNw3vCFcbBnCsjDSGw7Fmfyj1AI=
 =/0YH
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v4.7

A small clutch of hardware specific fixes for various ASoC devices, all
small individually and important if you have that device but not
otherwise.
2016-07-02 10:50:45 +02:00
Dave Airlie 88c087109b Merge tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel into drm-fixes
here's a batch of i915 fixes for 4.7.

* tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Fix missing unlock on error in i915_ppgtt_info()
  drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
  drm/i915: Add more Kabylake PCI IDs.
  drm/i915: Avoid early timeout during AUX transfers
  drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
  drm/i915/lpt: Avoid early timeout during FDI PHY reset
  drm/i915/bxt: Avoid early timeout during PLL enable
  drm/i915: Refresh cached DP port register value on resume
2016-07-02 15:50:41 +10:00
Dave Airlie 40793e85d2 Merge branch 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Just a few more late fixes for Polaris cards.

* 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux:
  drm/amd/powerplay: workaround for UVD clock issue
  drm/amdgpu: add ACLK_CNTL setting for polaris10
  drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
  drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
  drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
  drm/amd/powerplay: disable FFC.
  drm/amd/powerplay: add some definition for FFC feature on polaris.
2016-07-02 15:48:33 +10:00
Ralf Baechle 6d037de90a MIPS: Fix possible corruption of cache mode by mprotect.
The following testcase may result in a page table entries with a invalid
CCA field being generated:

static void *bindstack;

static int sysrqfd;

static void protect_low(int protect)
{
	mprotect(bindstack, BINDSTACK_SIZE, protect);
}

static void sigbus_handler(int signal, siginfo_t * info, void *context)
{
	void *addr = info->si_addr;

	write(sysrqfd, "x", 1);

	printf("sigbus, fault address %p (should not happen, but might)\n",
	       addr);
	abort();
}

static void run_bind_test(void)
{
	unsigned int *p = bindstack;

	p[0] = 0xf001f001;

	write(sysrqfd, "x", 1);

	/* Set trap on access to p[0] */
	protect_low(PROT_NONE);

	write(sysrqfd, "x", 1);

	/* Clear trap on access to p[0] */
	protect_low(PROT_READ | PROT_WRITE | PROT_EXEC);

	write(sysrqfd, "x", 1);

	/* Check the contents of p[0] */
	if (p[0] != 0xf001f001) {
		write(sysrqfd, "x", 1);

		/* Reached, but shouldn't be */
		printf("badness, shouldn't happen but does\n");
		abort();
	}
}

int main(void)
{
	struct sigaction sa;

	sysrqfd = open("/proc/sysrq-trigger", O_WRONLY);

	if (sigprocmask(SIG_BLOCK, NULL, &sa.sa_mask)) {
		perror("sigprocmask");
		return 0;
	}

	sa.sa_sigaction = sigbus_handler;
	sa.sa_flags = SA_SIGINFO | SA_NODEFER | SA_RESTART;
	if (sigaction(SIGBUS, &sa, NULL)) {
		perror("sigaction");
		return 0;
	}

	bindstack = mmap(NULL,
			 BINDSTACK_SIZE,
			 PROT_READ | PROT_WRITE | PROT_EXEC,
			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (bindstack == MAP_FAILED) {
		perror("mmap bindstack");
		return 0;
	}

	printf("bindstack: %p\n", bindstack);

	run_bind_test();

	printf("done\n");

	return 0;
}

There are multiple ingredients for this:

 1) PAGE_NONE is defined to _CACHE_CACHABLE_NONCOHERENT, which is CCA 3
    on all platforms except SB1 where it's CCA 5.
 2) _page_cachable_default must have bits set which are not set
    _CACHE_CACHABLE_NONCOHERENT.
 3) Either the defective version of pte_modify for XPA or the standard
    version must be in used.  However pte_modify for the 36 bit address
    space support is no affected.

In that case additional bits in the final CCA mode may generate an invalid
value for the CCA field.  On the R10000 system where this was tracked
down for example a CCA 7 has been observed, which is Uncached Accelerated.

Fixed by:

 1) Using the proper CCA mode for PAGE_NONE just like for all the other
    PAGE_* pte/pmd bits.
 2) Fix the two affected variants of pte_modify.

Further code inspection also shows the same issue to exist in pmd_modify
which would affect huge page systems.

Issue in pte_modify tracked down by Alastair Bridgewater, PAGE_NONE
and pmd_modify issue found by me.

The history of this goes back beyond Linus' git history.  Chris Dearman's
commit 351336929c ("[MIPS] Allow setting of
the cache attribute at run time.") missed the opportunity to fix this
but it was originally introduced in lmo commit
d523832cf12007b3242e50bb77d0c9e63e0b6518 ("Missing from last commit.")
and 32cc38229ac7538f2346918a09e75413e8861f87 ("New configuration option
CONFIG_MIPS_UNCACHED.")

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Reported-by: Alastair Bridgewater <alastair.bridgewater@gmail.com>
2016-07-02 01:51:39 +02:00
Sinan Kaya f7eca374f0 ACPI,PCI,IRQ: separate ISA penalty calculation
Since commit 103544d869 (ACPI,PCI,IRQ: reduce resource requirements)
the penalty values are calculated on the fly rather than at boot time.

This works fine for PCI interrupts but not so well for ISA interrupts.

The information on whether or not an ISA interrupt is in use is not
available to the pci_link.c code directly.  That information is
obtained from the outside via acpi_penalize_isa_irq().  [If its
"active" argument is true, then the IRQ is in use by ISA.]

Since the current code relies on PCI Link objects for determination
of penalties, we are factoring in the PCI penalty twice after
acpi_penalize_isa_irq() function is called.

To avoid that, limit the newly added functionality to just PCI
interrupts so that old behavior is still maintained.

Fixes: 103544d869 (ACPI,PCI,IRQ: reduce resource requirements)
Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
Tested-by: Wim Osterholt <wim@djo.tudelft.nl>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2016-07-02 01:38:34 +02:00
Sinan Kaya 487cf917ed Revert "ACPI, PCI, IRQ: remove redundant code in acpi_irq_penalty_init()"
Trying to make the ISA and PCI init functionality common turned out
to be a bad idea, because the ISA path depends on external
functionality.

Restore the previous behavior and limit the refactoring to PCI
interrupts only.

Fixes: 1fcb6a813c "ACPI,PCI,IRQ: remove redundant code in acpi_irq_penalty_init()"
Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
Tested-by: Wim Osterholt <wim@djo.tudelft.nl>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2016-07-02 01:38:34 +02:00
Sinan Kaya 4a6e68bf96 ACPI,PCI,IRQ: factor in PCI possible
The change introduced in commit 103544d869 (ACPI,PCI,IRQ: reduce
resource requirements) omitted the initially applied PCI_POSSIBLE
penalty when the IRQ is active.

Incorrect calculation of the penalty leads the ACPI code to assigning
a wrong interrupt number to a PCI INTx interrupt.

This would not be as bad as it sounds in theory.  It would just cause
the interrupts to be shared and result in performance penalty.

However, some drivers (like the parallel port driver) don't like
interrupt sharing and in the above case they will causes all of
the PCI drivers wanting to share the interrupt to be unable to
request it.

The issue has not been caught in testing because the behavior is
platform-specific and depends on the peripherals ending up sharing
the IRQ and their drivers.

Before the above commit the code would add the PCI_POSSIBLE value
divided by the number of possible IRQ users to the IRQ penalty
during initialization.

Later in that code path, if the IRQ is chosen as the active IRQ or
if it is used by ISA; additional penalties are added.

Fixes: 103544d869 (ACPI,PCI,IRQ: reduce resource requirements)
Signed-off-by: Sinan Kaya <okaya@codeaurora.org>
Tested-by: Wim Osterholt <wim@djo.tudelft.nl>
[ rjw: Changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2016-07-02 01:38:34 +02:00
Linus Torvalds dbdc3bb74f ACPI fix for v4.7-rc6
Fix an expression in the ACPI PCI IRQ management code added by a
 recent commit that overlooked missing parens in it, so the result
 of the computation is incorrect in some cases (Sinan Kaya).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJXdtScAAoJEILEb/54YlRx5r4P/AwWjfh3wPsDCXCajSkiqR7b
 raPnXYXvVhEC4ZfqLpuID1sk/DzQL/MZmkFpB8PUYkf1onOKXcd9MDsyiVdOuJi/
 gqP64yzGI+n79qq4u+vhUlujsDH11X8WtKxNQoZWWdHoLR5o/qhYA4c3kZ0yjzim
 uD/3GWtXsmbPMyBMJjOIFJLFpj3DgizxER3PUL0WdX1XB8YXX/e16WT4+8IkHVru
 mM8Mk389+iQoKfDgWAL9ImOcfY9xXh0IPkKF/kHT2D0CG4qHfjGWUfu124hu83Fp
 YGIhcmX0De5cwb3PchQ4Uga2U4KbzKgAhW574RFD+pCmY5EX/fjYDaPPCU4Gctzf
 RNTG3JIS+mpR2maC+t73lJUanQSxS4GahXtEGfJ7ci3q85sIXuX5GSqd9CkXScCZ
 /0Ww+xjiXyeo1EE/PFC0rXZT7h5bzCdpqWbUUhcSDnFKj8TLz/LjiNd6vCFZAVUF
 G/7p9rY2n+Nid8j7DVITKcYS6HuaucKOTGKbPp7P3HBXc5N3d5vqrSrVcwQ/Yi+g
 hwaoDle506BUvTgIwrjCEPBRFRmFz8uRHOMMbpugzYZm2Kn5UUF3Za358NqI6pYR
 LiosgEiCXYFQScDeFOV5QD9hRGRoWaL6C54po1d459MGjqgwDt4lolbOhy7BIWXj
 pJMmdHbczB0VT6KRyYxs
 =r8BR
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "Fix an expression in the ACPI PCI IRQ management code added by a
  recent commit that overlooked missing parens in it, so the result of
  the computation is incorrect in some cases (Sinan Kaya)"

* tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI,PCI,IRQ: correct operator precedence
2016-07-01 15:31:48 -07:00
Linus Torvalds 81dbd6f59d Power management fixes for v4.7-rc6
- Fix a recent intel_pstate regression that caused the number of
    wakeups to increase significantly on an idle system in some cases
    due to excessive synchronize_sched() invocations (Rafael Wysocki).
 
  - Fix unnecessary invocations of WARN_ON() in the cpufreq core
    after cpufreq has been suspended introduced during the 4.6 cycla
    (Rafael Wysocki).
 
  - Fix an error code path in the cpufreq-dt-platdev driver that
    forgets to drop a reference to a DT node (Masahiro Yamada).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJXdtQFAAoJEILEb/54YlRxZEkQAKHFWVRGwIGRT4mF6Tx8P6PN
 mg+9fQbTKAKNFnNZZp6xGhch97s1sIWf5GPRTS72zZkP8oHLERNphVhh7ucPslk7
 XicBaawxmwIAlalcB8S8I/i8hGZqwYpTgpPx0DsDxA8E9XJLnELmiJpiB520FoQp
 Ym+PzbE5LHHPdxZrNhzMejfOvi5X1svFvRQRxTnHF638kfOJswmABX0WRGyYjtHP
 FDasdVv+S7JbJhCP/nOTVW50/Scao67nL8GqtiovYjWPBq85+WYAo63qHK46XwlG
 NgOMIqVfdb89e7aoPmlHW/FS9QAqQYOsK+pZv+fimRCAMottu1XEXLSzBzQYQSqU
 RYW3cJkyf06F4Vk+7Jpgdujia4Fv2OBU1qQKmvvlXyPLZVhssTfTECx/kkEiQtrK
 Id8rzlyYaPIDRdpG1cOWH3my8Ypv75EWvuDnBlBojweiq+1twcncLbIBRmY0HMCB
 QAcnxZTqNHq5lacgyixwOPKIkSRoXT0dFt6hnGX0CE9NdiplhSltQ/uBmDNz6Asi
 nRq2A+3Bwv6uc5PlHr4IfA4xZ7f8oAxj42dybAOgAM0dU89LjmOtaLCtYDxH6mSk
 xQBTe3R6tLbFK++lI5XBgjRRxbrwixXIZFwK6bdJnESVf8+UH4I1SbkwoXf0cxtx
 jTQ1C2XLx5oxdvTE2J60
 =+apA
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "Three cpufreq fixes, one in the core (stable-candidate) and two in
  drivers (intel_pstate and cpufreq-dt).

  Specifics:

   - Fix a recent intel_pstate regression that caused the number of
     wakeups to increase significantly on an idle system in some cases
     due to excessive synchronize_sched() invocations (Rafael Wysocki).

   - Fix unnecessary invocations of WARN_ON() in the cpufreq core after
     cpufreq has been suspended introduced during the 4.6 cycla (Rafael
     Wysocki).

   - Fix an error code path in the cpufreq-dt-platdev driver that
     forgets to drop a reference to a DT node (Masahiro Yamada)"

* tag 'pm-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy()
  cpufreq: dt: call of_node_put() before error out
  intel_pstate: Do not clear utilization update hooks on policy changes
2016-07-01 15:28:22 -07:00
Linus Torvalds 48c4565ed6 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
 "Tmpfs readdir throughput regression fix (this cycle) + some -stable
  fodder all over the place.

  One missing bit is Miklos' tonight locks.c fix - NFS folks had already
  grabbed that one by the time I woke up ;-)"

[ The locks.c fix came through the nfsd tree just moments ago ]

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  namespace: update event counter when umounting a deleted dentry
  9p: use file_dentry()
  ceph: fix d_obtain_alias() misuses
  lockless next_positive()
  libfs.c: new helper - next_positive()
  dcache_{readdir,dir_lseek}(): don't bother with nested ->d_lock
2016-07-01 15:20:11 -07:00
Linus Torvalds 2728c57fda One fix for lockd soft lookups in an error path, and one fix for file
leases on overlayfs.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJXdr1UAAoJECebzXlCjuG+QlsQAJiZTmio6k9tupN5+iKsZNL3
 m919ooj8GYsXxlC0OTFfi09dUi1yeF8MEE3j9egk/+qxEtsdmKdEOIy0RVdcLSfd
 HeGjXgLh79hVcGxgyBP+pdax2XhZ3RVisg8F5gTw2GPo+FPFZfrEuO5h7ctn+t45
 MCQ+4yqYqzEhYnoPyo5XKh5Aj6wBWiaTzg3/jSe6uSuSfuBfyaMaBPq7l7ayGra/
 5El+tu61o/SrJ41N2EayWSj/bOFJE92LIuGOh8NdfANuuP70JhxlwgVSldah3CCQ
 6PymXAVcjw0+gJ00mokzKfTJW5FPfasxckMHaOvcFsSONy4rlmrwwqUr9C2AFzTE
 wQGIzibCDYOSI8uF+//Oe+dh8JWp2TF8rfJcmKLyJMIcCq/Xl6cNx1qrq/oSWvuk
 WKOv1otJrPeT31h/s5iLjr/E/Po1eX+d2ySJdvUHYu/5aZwFgWPnVXwJk0s9bLow
 auZU85tPnuz+tbS2pWEK+el7LMgDBdzraVRogMdH1c+m3+G9pr53EzmpYovkZ2X8
 duVJ2Leslyya347TnJAgEY47Fbeu26JaoeIChGVhKcEyCENlcqAJWaGVECrxvs3y
 p/Y2MYMkO8YrCz5wQXPiLFiG4rAc+jSIn1Q+vRGl2Pkel0y7AgJNNMFtANjMCSIO
 pg6BqUjOyKt8cXVy4UW7
 =K0mr
 -----END PGP SIGNATURE-----

Merge tag 'nfsd-4.7-3' of git://linux-nfs.org/~bfields/linux

Pull lockd/locks fixes from Bruce Fields:
 "One fix for lockd soft lookups in an error path, and one fix for file
  leases on overlayfs"

* tag 'nfsd-4.7-3' of git://linux-nfs.org/~bfields/linux:
  locks: use file_inode()
  lockd: unregister notifier blocks if the service fails to come up completely
2016-07-01 15:18:49 -07:00
Linus Torvalds 0d064a7b9c - Final patches fixing Reset API change
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJXdkJCAAoJEFGvii+H/Hdh4fIP/0U47cICszk6AkV2P3q3yRc6
 RyIfjBddVxAnNnUQoJAkyDnZmZnCH33wMa3NG8BlXCrtPUSMoUkG78RIN6mWjgp6
 pooaXBylqIiU4ZoyQVXvxTQZhM7u/ox+2InrXOeZXirkJvRY4GzwsNWtdhzclHq2
 iM86K1cfaIPdJ4d3y7WF6/5DOsdMiYQUvmtxLEYTKgJgGvkgM/9I7Ws8vk3R0lXk
 wO8EItxIZecAIEwfwI8HgYCoyPctevMSnXMTWAJTF+5m3Wprhhv0lEjCTEBHbmJb
 kkrAr86tNj4nNVG9pQCDYL/XX0Zpub0vTA4+mPL5/WTrVpI/RRYlJXKIlR25vvlN
 wlYRrY4mE4gKFJh7t6DhQiHdrrQcoWPymKZ7CSF2GZvc65xwBa0u3ZkeLhurgj0N
 C8Zj7QRIqHfP4O8JDMRvuToWJWtc8sfSvh2Y9szkevwNjZjO9INSM/hStfJZ1S0E
 EnZIcHSKehjdiLHiMgyWGRB3Fq24u41u8aVAGvCfCsSe7CZKYKzyAHEQSC7solSJ
 GmbJ6F2gB65v62rNReZeP9NCc25fex7ZkdYMr6XYqrSh7GoxtF+9VPHEvYXs5BVK
 +rVVCOvuvqSy4+oQ+N/0grLHIThqSVbAusXBSLFPykHO7R4Z30f3wIiSPTq8m2VW
 c5qwGR4ceOBRrX8fQw0c
 =PpU9
 -----END PGP SIGNATURE-----

Merge tag 'mfd-fixes-4.7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd

Pull more MFD fixes from Lee Jones:
 "Apologies for missing these from the first pull request.

  Final patches fixing Reset API change"

* tag 'mfd-fixes-4.7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
  usb: dwc3: st: Use explicit reset_control_get_exclusive() API
  phy: phy-stih407-usb: Use explicit reset_control_get_exclusive() API
  phy: miphy28lp: Inform the reset framework that our reset line may be shared
2016-07-01 15:17:16 -07:00
Linus Torvalds f3683ccd12 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull libnvdimm fixes from Dan Williams:
 "1/ Two regression fixes since v4.6: one for the byte order of a sysfs
     attribute (bz121161) and another for QEMU 2.6's NVDIMM _DSM (ACPI
     Device Specific Method) implementation that gets tripped up by new
     auto-probing behavior in the NFIT driver.

  2/ A fix tagged for -stable that stops the kernel from
     clobbering/ignoring changes to the configuration of a 'pfn'
     instance ("struct page" driver).  For example changing the
     alignment from 2M to 1G may silently revert to 2M if that value is
     currently stored on media.

  3/ A fix from Eric for an xfstests failure in dax.  It is not
     currently tagged for -stable since it requires an 8-exabyte file
     system to trigger, and there appear to be no user visible side
     effects"

* 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  nfit: fix format interface code byte order
  dax: fix offset overflow in dax_io
  acpi, nfit: fix acpi_check_dsm() vs zero functions implemented
  libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment
2016-07-01 15:15:03 -07:00
Richard Alpe 55e77a3e82 tipc: fix nl compat regression for link statistics
Fix incorrect use of nla_strlcpy() where the first NLA_HDRLEN bytes
of the link name where left out.

Making the output of tipc-config -ls look something like:
Link statistics:
dcast-link
1:data0-1.1.2:data0
1:data0-1.1.3:data0

Also, for the record, the patch that introduce this regression
claims "Sending the whole object out can cause a leak". Which isn't
very likely as this is a compat layer, where the data we are parsing
is generated by us and we know the string to be NULL terminated. But
you can of course never be to secure.

Fixes: 5d2be1422e (tipc: fix an infoleak in tipc_nl_compat_link_dump)
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 16:47:38 -04:00
Florian Fainelli 016eb55157 net: bcmsysport: Device stats are unsigned long
On 64bits kernels, device stats are 64bits wide, not 32bits.

Fixes: 80105befdb ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 16:37:43 -04:00
Daniel Borkmann 79c62220d7 macsec: set actual real device for xmit when !protect_frames
Avoid recursions of dev_queue_xmit() to the wrong net device when
frames are unprotected, since at that time skb->dev still points to
our own macsec dev and unlike macsec_encrypt_finish() dev pointer
doesn't get updated to real underlying device.

Fixes: c09440f7dc ("macsec: introduce IEEE 802.1AE driver")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 16:35:56 -04:00
WANG Cong 82a31b9231 net_sched: fix mirrored packets checksum
Similar to commit 9b368814b3 ("net: fix bridge multicast packet checksum validation")
we need to fixup the checksum for CHECKSUM_COMPLETE when
pushing skb on RX path. Otherwise we get similar splats.

Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 16:19:34 -04:00
David S. Miller eb70db8756 packet: Use symmetric hash for PACKET_FANOUT_HASH.
People who use PACKET_FANOUT_HASH want a symmetric hash, meaning that
they want packets going in both directions on a flow to hash to the
same bucket.

The core kernel SKB hash became non-symmetric when the ipv6 flow label
and other entities were incorporated into the standard flow hash order
to increase entropy.

But there are no users of PACKET_FANOUT_HASH who want an assymetric
hash, they all want a symmetric one.

Therefore, use the flow dissector to compute a flat symmetric hash
over only the protocol, addresses and ports.  This hash does not get
installed into and override the normal skb hash, so this change has
no effect whatsoever on the rest of the stack.

Reported-by: Eric Leblond <eric@regit.org>
Tested-by: Eric Leblond <eric@regit.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 16:07:50 -04:00
Linus Torvalds 6e5c4f13a5 Staging/IIO fixes for 4.7-rc6
Here are a few small staging and iio driver fixes for 4.7-rc6.
 
 Nothing major here, just a number of small fixes, all have been in
 linux-next for a while, and the full details are in the shortlog.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iFYEABECABYFAld2lKYPHGdyZWdAa3JvYWguY29tAAoJEDFH1A3bLfsp7EkAn2tK
 KAXXdlnEs9jud1JteSphbTwFAJ4zqSIZXrNMS1vsBgujQiLP6r1xXA==
 =eYY6
 -----END PGP SIGNATURE-----

Merge tag 'staging-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging and IIO fixes from Greg KH:
 "Here are a few small staging and iio driver fixes for 4.7-rc6.

  Nothing major here, just a number of small fixes, all have been in
  linux-next for a while, and the full details are in the shortlog"

* tag 'staging-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  iio:ad7266: Fix probe deferral for vref
  iio:ad7266: Fix support for optional regulators
  iio:ad7266: Fix broken regulator error handling
  iio: accel: kxsd9: fix the usage of spi_w8r8()
  staging: iio: accel: fix error check
  staging: iio: ad5933: fix order of cycle conditions
  staging: iio: fix ad7606_spi regression
  iio: inv_mpu6050: Fix use-after-free in ACPI code
2016-07-01 09:21:34 -07:00
Linus Torvalds 756c0aeca3 tty fixes for 4.7-rc6
Here are two tty fixes for some reported issues.  One resolves a crash
 in devpts, and the other resolves a problem with the fbcon cursor blink
 causing lockups.
 
 Both have been in linux-next with no reported problems.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iFYEABECABYFAld2lcUPHGdyZWdAa3JvYWguY29tAAoJEDFH1A3bLfspo5MAnjdF
 aMlMp7JeHrv9KoEa+lP6rOT6AJ4rrc/tQ0zHCksxMqEDLPNwjnVPbg==
 =iFXo
 -----END PGP SIGNATURE-----

Merge tag 'tty-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty

Pull tty fixes from Greg KH:
 "Here are two tty fixes for some reported issues.  One resolves a crash
  in devpts, and the other resolves a problem with the fbcon cursor
  blink causing lockups.

  Both have been in linux-next with no reported problems"

* tag 'tty-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
  devpts: fix null pointer dereference on failed memory allocation
  tty: vt: Fix soft lockup in fbcon cursor blink timer.
2016-07-01 09:20:12 -07:00
Linus Torvalds 0232b23d08 USB and PHY fixes for 4.7-rc6
Here are a number of small USB and PHY driver fixes for 4.7-rc6.
 
 Nothing major here, all are described in the shortlog below.  All have
 been in linux-next with no reported issues.
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iFYEABECABYFAld2ljcPHGdyZWdAa3JvYWguY29tAAoJEDFH1A3bLfspN+sAn28Z
 +GbDzyY5XwZ7Qs5/5uPYoGONAKCObDpgZr1A+/EMvDd57gfHWmFqTw==
 =uYl3
 -----END PGP SIGNATURE-----

Merge tag 'usb-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB and PHY fixes from Greg KH:
 "Here are a number of small USB and PHY driver fixes for 4.7-rc6.

  Nothing major here, all are described in the shortlog below.  All have
  been in linux-next with no reported issues"

* tag 'usb-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
  USB: don't free bandwidth_mutex too early
  USB: EHCI: declare hostpc register as zero-length array
  phy-sun4i-usb: Fix irq free conditions to match request conditions
  phy: bcm-ns-usb2: checking the wrong variable
  phy-sun4i-usb: fix missing __iomem *
  phy: phy-sun4i-usb: Fix optional gpios failing probe
  phy: rockchip-dp: fix return value check in rockchip_dp_phy_probe()
  phy: rcar-gen3-usb2: fix unexpected repeat interrupts of VBUS change
  usb: common: otg-fsm: add license to usb-otg-fsm
2016-07-01 09:18:17 -07:00
Linus Torvalds aa7a6c8e52 IOMMU Fixes for Linux v4.7-rc5
Three fixes:
 
 	* Fix use of smp_processor_id() in preemptible code in the IOVA
 	  allocation code. This got introduced with the scalability
 	  improvements in this release cycle.
 
 	* A VT-d fix for out-of-bounds access of the iommu->domains
 	  array. The bug showed during suspend/resume.
 
 	* AMD IOMMU fix to print the correct device id in the ACPI
 	  parsing code.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJXdoyGAAoJECvwRC2XARrj4s4QANfX5U108HnHvSNZL7dOhQlQ
 RkghYuAgK3Bzgo89WNoNOVat+Q0t+sdqz+4aktbEydrHXgn+8EOLfId1ixzBb0+O
 SWQ1myTtfCMM0quQTG8KMPZli18aEFyWY0P+K/OGZd8YXU9u6xoKArlz8AyBxfIF
 DBuHbYdc646aO763MpkX1WSjnagBEBT/bp90k26smHGoqJNBroXXAo5KEhFdXxNB
 CARM99R9PjatnggU/xSXaUXv3oC+J2Qo1MgWxrARQOIJPkIXuAzS8fgItvUgcxnx
 NZeUpSRBRRe+za0H3vFC7K6D8HlTQ7lhlODzP82gTzzRyG7N5A4+n7zu9p1qeT8w
 fi7Hak7tjp+xQsYp2xDVcKsL3ghLVjqmDrjCBLKGRX/7CeEOIG7eTKV9hsxVUO+q
 Bvjx+Lc+XKuDdLJmhGCueFxZDfBJJBLDSP7HBFRHdhVuovvhxvALik5Hd3pgC+iz
 08zcHzyiLVYKI58t3K3q1OTKo0cIlsk6SWPJHFUR/B3ghcGT9eLgQjXVQIC+jaAD
 RK2/6yl/zfg1mZv5tyX7kGBGB2FfUXQ48eCR/TZnzh2AmEK1P10kc6XJUXfj/hrV
 eJkKnuh1FaRG/PnHzxic/T20aAYhFjp8fmKDqUgoJla8q6h73LZSOfRqgoAknDTa
 0+EASaDbIsU9nHtHxEz8
 =ogRx
 -----END PGP SIGNATURE-----

Merge tag 'iommu-fixes-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu

Pull IOMMU fixes from Joerg Roedel:
 "Three fixes:

   - Fix use of smp_processor_id() in preemptible code in the IOVA
     allocation code.  This got introduced with the scalability
     improvements in this release cycle.

   - A VT-d fix for out-of-bounds access of the iommu->domains array.
     The bug showed during suspend/resume.

   - AMD IOMMU fix to print the correct device id in the ACPI parsing
     code"

* tag 'iommu-fixes-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
  iommu/amd: Initialize devid variable before using it
  iommu/vt-d: Fix overflow of iommu->domains array
  iommu/iova: Disable preemption around use of this_cpu_ptr()
2016-07-01 09:13:31 -07:00
Mark Brown a29a36f265 Merge remote-tracking branches 'regulator/fix/anatop' and 'regulator/fix/max77620' into regulator-linus 2016-07-01 18:06:48 +02:00
Mark Brown 7c5eec4edf Merge remote-tracking branches 'asoc/fix/rcar', 'asoc/fix/rt5670' and 'asoc/fix/wm8940' into asoc-linus 2016-07-01 18:05:34 +02:00
Mark Brown af5fb67877 Merge remote-tracking branches 'asoc/fix/ak4613', 'asoc/fix/arizona', 'asoc/fix/cx20442', 'asoc/fix/davinci', 'asoc/fix/fsl-ssi' and 'asoc/fix/hdmi' into asoc-linus 2016-07-01 18:05:31 +02:00
Mark Brown 9d3146c401 Merge remote-tracking branch 'asoc/fix/rt5645' into asoc-linus 2016-07-01 18:05:30 +02:00
Mark Brown de07bb5b11 Merge remote-tracking branch 'asoc/fix/intel' into asoc-linus 2016-07-01 18:05:30 +02:00
Omar Sandoval 8ba8682107 block: fix use-after-free in sys_ioprio_get()
get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#define _GNU_SOURCE
#include <assert.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
	pid_t pid, child;
	long nproc, i;

	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
	syscall(SYS_ioprio_set, 1, 0, 0x6000);

	nproc = sysconf(_SC_NPROCESSORS_ONLN);

	for (i = 0; i < nproc; i++) {
		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				pid = fork();
				assert(pid != -1);
				if (pid == 0) {
					_exit(0);
				} else {
					child = wait(NULL);
					assert(child == pid);
				}
			}
		}

		pid = fork();
		assert(pid != -1);
		if (pid == 0) {
			for (;;) {
				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
				syscall(SYS_ioprio_get, 2, 0);
			}
		}
	}

	for (;;) {
		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
		syscall(SYS_ioprio_get, 2, 0);
	}

	return 0;
}

This gets us KASAN dumps like this:

[   35.526914] ==================================================================
[   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[   35.530009] Read of size 2 by task ioprio-gpf/363
[   35.530009] =============================================================================
[   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[   35.530009] -----------------------------------------------------------------------------

[   35.530009] Disabling lock debugging due to kernel taint
[   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[   35.530009] 	___slab_alloc+0x55d/0x5a0
[   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
[   35.530009] 	kmem_cache_alloc_node+0x84/0x200
[   35.530009] 	create_task_io_context+0x2b/0x370
[   35.530009] 	get_task_io_context+0x92/0xb0
[   35.530009] 	copy_process.part.8+0x5029/0x5660
[   35.530009] 	_do_fork+0x155/0x7e0
[   35.530009] 	SyS_clone+0x19/0x20
[   35.530009] 	do_syscall_64+0x195/0x3a0
[   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
[   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[   35.530009] 	__slab_free+0x27b/0x3d0
[   35.530009] 	kmem_cache_free+0x1fb/0x220
[   35.530009] 	put_io_context+0xe7/0x120
[   35.530009] 	put_io_context_active+0x238/0x380
[   35.530009] 	exit_io_context+0x66/0x80
[   35.530009] 	do_exit+0x158e/0x2b90
[   35.530009] 	do_group_exit+0xe5/0x2b0
[   35.530009] 	SyS_exit_group+0x1d/0x20
[   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
[   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[   35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Cc: stable@vger.kernel.org
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2016-07-01 08:39:24 -06:00
Miklos Szeredi 6343a21208 locks: use file_inode()
(Another one for the f_path debacle.)

ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.

The reason is that generic_add_lease() used filp->f_path.dentry->inode
while all the others use file_inode().  This makes a difference for files
opened on overlayfs since the former will point to the overlay inode the
latter to the underlying inode.

So generic_add_lease() added the lease to the overlay inode and
generic_delete_lease() removed it from the underlying inode.  When the file
was released the lease remained on the overlay inode's lock list, resulting
in use after free.

Reported-by: Eryu Guan <eguan@redhat.com>
Fixes: 4bacc9c923 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
Cc: <stable@vger.kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2016-07-01 10:24:18 -04:00
Ingo Molnar 0de7611a10 timers/nohz: Capitalize 'CPU' consistently
While reviewing another patch I noticed that kernel/time/tick-sched.c
had a charmingly (confusingly, annoyingly) rich set of variants for
spelling 'CPU':

  cpu
  cpus
  CPU
  CPUs
  per CPU
  per-CPU
  per cpu

... sometimes these were mixed even within the same comment block!

Compress these variants down to a single consistent set of:

  CPU
  CPUs
  per-CPU

Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-01 12:45:34 +02:00
Wei Jiangang 6168f8ed01 timers/nohz: Fix several typos
Signed-off-by: Wei Jiangang <weijg.fnst@cn.fujitsu.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: fenghua.yu@intel.com
Link: http://lkml.kernel.org/r/1467175910-2966-2-git-send-email-weijg.fnst@cn.fujitsu.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-07-01 12:39:22 +02:00
David S. Miller 08df7bc500 Merge branch 'mlx5-fixes'
Saeed Mahameed says:

====================
Mellanox 100G mlx5 resiliency and xmit path fixes

This series provides two set of fixes to the mlx5 driver:
	- Resiliency fixes for reset flow and internal pci errors
	- xmit path fixes

Please consider queuing those patches for -stable (4.6).

Reset flow fixes for core driver:
	- Add more commands to the list of error simulated commands
	  when pci errors occur
	- Avoid calling sleeping function by the health poll thread
	- Fix incorrect page count when in internal error
	- Fix timeout in wait vital for VFs
	- Deadlock fix and Timeout handling in commands interface

Reset flow and resiliency fixes for mlx5e netdev driver:
	- Handle RQ flush in error cases
	- Implement ndo_tx_timeout callback
	- Timeout if SQ doesn't flush during close
	- Log link state changes
	- Validate BW weight values of ETS

xmit path fixes:
	- Fix wrong fallback assumption in select queue callback
	- Account for all L2 headers when copying headers into inline segment
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:12 -04:00
Shaker Daibes 87424ad52d net/mlx5e: Log link state changes
Add Link UP/Down prints to kernel log when link state changes

Signed-off-by: Shaker Daibes <shakerd@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:04 -04:00
Rana Shahout cdcf11212b net/mlx5e: Validate BW weight values of ETS
Valid weight assigned to ETS TClass values are 1-100

Fixes: 08fb1dacdd ('net/mlx5e: Support DCBNL IEEE ETS')
Signed-off-by: Rana Shahout <ranas@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:04 -04:00
Rana Shahout 7ccdd0841b net/mlx5e: Fix select queue callback
The default fallback function used by mlx5e select queue can return
any TX queues in range [0..dev->num_real_tx_queues).

The current implementation assumes that the fallback function returns
a number in the range [0.. number of channels).  Actually
dev->num_real_tx_queues = (number of channels) * dev->num_tc;
which is more than the expected range if num_tc is configured and could
lead to crashes.

To fix this we test if num_tc is not configured we can safely return the
fallback suggestion, if not we will reciprocal_scale the fallback
result and normalize it to the desired range.

Fixes: 08fb1dacdd ('net/mlx5e: Support DCBNL IEEE ETS')
Signed-off-by: Rana Shahout <ranas@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Reported-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:04 -04:00
Matthew Finlay e3a19b53cb net/mlx5e: Copy all L2 headers into inline segment
ConnectX4-Lx uses an inline wqe mode that currently defaults to
requiring the entire L2 header be included in the wqe.
This patch fixes mlx5e_get_inline_hdr_size() to account for
all L2 headers (VLAN, QinQ, etc) using skb_network_offset(skb).

Fixes: e586b3b0ba ("net/mlx5: Ethernet Datapath files")
Signed-off-by: Matthew Finlay <matt@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:04 -04:00
Daniel Jurgens 6cd392a082 net/mlx5e: Handle RQ flush in error cases
Add a timeout to avoid an infinite loop waiting for RQ's to flush. This
occurs during AER/EEH and will also happen if the device stops posting
completions due to internal error or reset, or if moving the RQ to the
error state fails. Also cleanup posted receive resources when closing
the RQ.

Fixes: f62b8bb8f2 ('net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality')
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:03 -04:00
Daniel Jurgens 3947ca1859 net/mlx5e: Implement ndo_tx_timeout callback
Add callback to handle TX timeouts.

Fixes: f62b8bb8f2 ('net/mlx5: Extend mlx5_core to support ConnectX-4 Ethernet functionality')
Signed-off-by: Daniel Jurgens <danielj@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-07-01 06:12:03 -04:00