Commit Graph

707285 Commits

Author SHA1 Message Date
Jeffy Chen 7827912725 drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume()
Kmemleak reported memory leak after suspend and resume:
unreferenced object 0xffffffc0e31d8880 (size 128):
  comm "bash", pid 181, jiffies 4294763583 (age 24.694s)
  hex dump (first 32 bytes):
    01 00 00 00 00 00 00 00 00 20 a2 eb c0 ff ff ff  ......... ......
    01 00 00 00 00 00 00 00 80 87 1d e3 c0 ff ff ff  ................
  backtrace:
    [<ffffffc00034bb64>] __save_stack_trace+0x48/0x6c
    [<ffffffc00034c244>] create_object+0x138/0x254
    [<ffffffc0009dd218>] kmemleak_alloc+0x58/0x8c
    [<ffffffc000346de4>] kmem_cache_alloc_trace+0x188/0x254
    [<ffffffc0005af4c0>] drm_atomic_state_alloc+0x3c/0x88
    [<ffffffc000591f0c>] drm_atomic_helper_duplicate_state+0x28/0x158
    [<ffffffc000592098>] drm_atomic_helper_suspend+0x5c/0xf0

Problem here is that we are duplicating the drm_atomic_state in
drm_atomic_helper_suspend(), but not unreference it in the resume path.

Fixes: 1494276000 ("drm/atomic-helper: Implement subsystem-level suspend/resume")
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171009064641.15174-1-jeffy.chen@rock-chips.com
Fixes: 0853695c3b ("drm: Add reference counting to drm_atomic_state")
Cc: <stable@vger.kernel.org> # v4.10+
(cherry picked from commit 6d281b1f79)
2017-10-09 14:26:45 +02:00
Takashi Iwai 5803b02388 ALSA: seq: Fix copy_from_user() call inside lock
The event handler in the virmidi sequencer code takes a read-lock for
the linked list traverse, while it's calling snd_seq_dump_var_event()
in the loop.  The latter function may expand the user-space data
depending on the event type.  It eventually invokes copy_from_user(),
which might be a potential dead-lock.

The sequencer core guarantees that the user-space data is passed only
with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
and always takes read-lock().  For avoiding the problem above, this
patch introduces rwsem for non-atomic case, while keeping rwlock for
atomic case.

Also while we're at it: the superfluous irq flags is dropped in
snd_virmidi_input_open().

Reported-by: Jia-Ju Bai <baijiaju1990@163.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:13 +02:00
Kai-Heng Feng c247487c0d ALSA: usb-audio: Add sample rate quirk for Plantronics P610
Like other Plantronics devices, P610 does not support sample
rate reading. Apply sample rate quirk to it.

BugLink: https://bugs.launchpad.net/bugs/1719853

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-10-09 14:10:11 +02:00
Thomas Gleixner e43b3b5854 genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs
Managed interrupts can end up in a stale state on CPU hotplug. If the
interrupt is not targeting a single CPU, i.e. the affinity mask spawns
multiple CPUs then the following can happen:

After boot:

dstate:   0x01601200
            IRQD_ACTIVATED
            IRQD_IRQ_STARTED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_SET
            IRQD_AFFINITY_MANAGED
node:     0
affinity: 24-31
effectiv: 24
pending:  0

After offlining CPU 31 - 24

dstate:   0x01a31000
            IRQD_IRQ_DISABLED
            IRQD_IRQ_MASKED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_SET
            IRQD_AFFINITY_MANAGED
            IRQD_MANAGED_SHUTDOWN
node:     0
affinity: 24-31
effectiv: 24
pending:  0

Now CPU 25 gets onlined again, so it should get the effective interrupt
affinity for this interruopt, but due to the x86 interrupt affinity setter
restrictions this ends up after restarting the interrupt with:

dstate:   0x01601300
            IRQD_ACTIVATED
            IRQD_IRQ_STARTED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_SET
            IRQD_SETAFFINITY_PENDING
            IRQD_AFFINITY_MANAGED
node:     0
affinity: 24-31
effectiv: 24
pending:  24-31

So the interrupt is still affine to CPU 24, which was the last CPU to go
offline of that affinity set and the move to an online CPU within 24-31,
in this case 25, is pending. This mechanism is x86/ia64 specific as those
architectures cannot move interrupts from thread context and do this when
an interrupt is actually handled. So the move is set to pending.

Whats worse is that offlining CPU 25 again results in:

dstate:   0x01601300
            IRQD_ACTIVATED
            IRQD_IRQ_STARTED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_SET
            IRQD_SETAFFINITY_PENDING
            IRQD_AFFINITY_MANAGED
node:     0
affinity: 24-31
effectiv: 24
pending:  24-31

This means the interrupt has not been shut down, because the outgoing CPU
is not in the effective affinity mask, but of course nothing notices that
the effective affinity mask is pointing at an offline CPU.

In the case of restarting a managed interrupt the move restriction does not
apply, so the affinity setting can be made unconditional. This needs to be
done _before_ the interrupt is started up as otherwise the condition for
moving it from thread context would not longer be fulfilled.

With that change applied onlining CPU 25 after offlining 31-24 results in:

dstate:   0x01600200
            IRQD_ACTIVATED
            IRQD_IRQ_STARTED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_MANAGED
node:     0
affinity: 24-31
effectiv: 25
pending:  

And after offlining CPU 25:

dstate:   0x01a30000
            IRQD_IRQ_DISABLED
            IRQD_IRQ_MASKED
            IRQD_SINGLE_TARGET
            IRQD_AFFINITY_MANAGED
            IRQD_MANAGED_SHUTDOWN
node:     0
affinity: 24-31
effectiv: 25
pending:  

which is the correct and expected result.

Fixes: 761ea388e8 ("genirq: Handle managed irqs gracefully in irq_startup()")
Reported-by: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: axboe@kernel.dk
Cc: linux-scsi@vger.kernel.org
Cc: Sumit Saxena <sumit.saxena@broadcom.com>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: mpe@ellerman.id.au
Cc: Shivasharan Srikanteshwara <shivasharan.srikanteshwara@broadcom.com>
Cc: Kashyap Desai <kashyap.desai@broadcom.com>
Cc: keith.busch@intel.com
Cc: peterz@infradead.org
Cc: Hannes Reinecke <hare@suse.de>
Cc: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos
2017-10-09 13:26:48 +02:00
Thomas Gleixner 60b09c51bb genirq/cpuhotplug: Add sanity check for effective affinity mask
The effective affinity mask handling has no safety net when the mask is not
updated by the interrupt chip or the mask contains offline CPUs.

If that happens the CPU unplug code fails to migrate interrupts.

Add sanity checks and emit a warning when the mask contains only offline
CPUs.

Fixes: 415fcf1a22 ("genirq/cpuhotplug: Use effective affinity mask")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos
2017-10-09 13:26:48 +02:00
Thomas Gleixner 19e1d4e947 genirq: Warn when effective affinity is not updated
Emit a one time warning when the effective affinity mask is enabled in
Kconfig, but the interrupt chip does not update the mask in its
irq_set_affinity() callback,

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <marc.zyngier@arm.com>
Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos
2017-10-09 13:26:48 +02:00
Lin Zhang 49f817d793 netfilter: SYNPROXY: skip non-tcp packet in {ipv4, ipv6}_synproxy_hook
In function {ipv4,ipv6}_synproxy_hook we expect a normal tcp packet, but
the real server maybe reply an icmp error packet related to the exist
tcp conntrack, so we will access wrong tcp data.

Fix it by checking for the protocol field and only process tcp traffic.

Signed-off-by: Lin Zhang <xiaolou4617@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-10-09 13:08:39 +02:00
Jon Maloy a9e2971b8c tipc: Unclone message at secondary destination lookup
When a bundling message is received, the function tipc_link_input()
calls function tipc_msg_extract() to unbundle all inner messages of
the bundling message before adding them to input queue.

The function tipc_msg_extract() just clones all inner skb for all
inner messagges from the bundling skb. This means that the skb
headroom of an inner message overlaps with the data part of the
preceding message in the bundle.

If the message in question is a name addressed message, it may be
subject to a secondary destination lookup, and eventually be sent out
on one of the interfaces again. But, since what is perceived as headroom
by the device driver in reality is the last bytes of the preceding
message in the bundle, the latter will be overwritten by the MAC
addresses of the L2 header. If the preceding message has not yet been
consumed by the user, it will evenually be delivered with corrupted
contents.

This commit fixes this by uncloning all messages passing through the
function tipc_msg_lookup_dest(), hence ensuring that the headroom
is always valid when the message is passed on.

Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-08 21:13:23 -07:00
Jon Maloy 3382605fd8 tipc: correct initialization of skb list
We change the initialization of the skb transmit buffer queues
in the functions tipc_bcast_xmit() and tipc_rcast_xmit() to also
initialize their spinlocks. This is needed because we may, during
error conditions, need to call skb_queue_purge() on those queues
further down the stack.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-08 21:13:23 -07:00
Linus Torvalds 8a5776a5f4 Linux 4.14-rc4 2017-10-08 20:53:29 -07:00
Alexey Kodanev 3d0241d57c gso: fix payload length when gso_size is zero
When gso_size reset to zero for the tail segment in skb_segment(), later
in ipv6_gso_segment(), __skb_udp_tunnel_segment() and gre_gso_segment()
we will get incorrect results (payload length, pcsum) for that segment.
inet_gso_segment() already has a check for gso_size before calculating
payload.

The issue was found with LTP vxlan & gre tests over ixgbe NIC.

Fixes: 07b26c9454 ("gso: Support partial splitting at the frag_list pointer")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-08 10:12:15 -07:00
Ido Schimmel a69518cf0b mlxsw: spectrum_router: Avoid expensive lookup during route removal
In commit fc922bb0dd ("mlxsw: spectrum_router: Use one LPM tree for
all virtual routers") I increased the scale of supported VRFs by having
all of them share the same LPM tree.

In order to avoid look-ups for prefix lengths that don't exist, each
route removal would trigger an aggregation across all the active virtual
routers to see which prefix lengths are in use and which aren't and
structure the tree accordingly.

With the way the data structures are currently laid out, this is a very
expensive operation. When preformed repeatedly - due to the invocation
of the abort mechanism - and with enough VRFs, this can result in a hung
task.

For now, avoid this optimization until it can be properly re-added in
net-next.

Fixes: fc922bb0dd ("mlxsw: spectrum_router: Use one LPM tree for all virtual routers")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: David Ahern <dsa@cumulusnetworks.com>
Tested-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-08 10:05:27 -07:00
Grygorii Strashko 845e405e5e pinctrl: cherryview: fix issues caused by dynamic gpio irqs mapping
New GPIO IRQs are allocated and mapped dynamically by default when
GPIO IRQ infrastructure is used by cherryview-pinctrl driver.
This causes issues on some Intel platforms [1][2] with broken BIOS which
hardcodes Linux IRQ numbers in their ACPI tables.

On such platforms cherryview-pinctrl driver should allocate and map all
GPIO IRQs at probe time.
Side effect - "Cannot allocate irq_descs @ IRQ%d, assuming pre-allocated\n"
can be seen at boot log.

NOTE. It still may fail if boot sequence will changed and some interrupt
controller will be probed before cherryview-pinctrl which will shift Linux IRQ
numbering (expected with CONFIG_SPARCE_IRQ enabled).

[1] https://bugzilla.kernel.org/show_bug.cgi?id=194945
[2] https://lkml.org/lkml/2017/9/28/153
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: Chris Gorman <chrisjohgorman@gmail.com>
Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Reported-by: Chris Gorman <chrisjohgorman@gmail.com>
Reported-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Tested-by: Chris Gorman <chrisjohgorman@gmail.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2017-10-08 02:32:59 +02:00
Alexei Starovoitov 8fe2d6ccd5 bpf: fix liveness marking
while processing Rx = Ry instruction the verifier does
regs[insn->dst_reg] = regs[insn->src_reg]
which often clears write mark (when Ry doesn't have it)
that was just set by check_reg_arg(Rx) prior to the assignment.
That causes mark_reg_read() to keep marking Rx in this block as
REG_LIVE_READ (since the logic incorrectly misses that it's
screened by the write) and in many of its parents (until lucky
write into the same Rx or beginning of the program).
That causes is_state_visited() logic to miss many pruning opportunities.

Furthermore mark_reg_read() logic propagates the read mark
for BPF_REG_FP as well (though it's readonly) which causes
harmless but unnecssary work during is_state_visited().
Note that do_propagate_liveness() skips FP correctly,
so do the same in mark_reg_read() as well.
It saves 0.2 seconds for the test below

program               before  after
bpf_lb-DLB_L3.o       2604    2304
bpf_lb-DLB_L4.o       11159   3723
bpf_lb-DUNKNOWN.o     1116    1110
bpf_lxc-DDROP_ALL.o   34566   28004
bpf_lxc-DUNKNOWN.o    53267   39026
bpf_netdev.o          17843   16943
bpf_overlay.o         8672    7929
time                  ~11 sec  ~4 sec

Fixes: dc503a8ad9 ("bpf/verifier: track liveness for pruning")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Edward Cree <ecree@solarflare.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-07 23:25:17 +01:00
Axel Beckert 00a534e5ea doc: Fix typo "8023.ad" in bonding documentation
Should be "802.3ad" like everywhere else in the document.

Signed-off-by: Axel Beckert <abe@deuxchevaux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-07 23:19:13 +01:00
Matteo Croce a2d3f3e338 ipv6: fix net.ipv6.conf.all.accept_dad behaviour for real
Commit 35e015e1f5 ("ipv6: fix net.ipv6.conf.all interface DAD handlers")
was intended to affect accept_dad flag handling in such a way that
DAD operation and mode on a given interface would be selected
according to the maximum value of conf/{all,interface}/accept_dad.

However, addrconf_dad_begin() checks for particular cases in which we
need to skip DAD, and this check was modified in the wrong way.

Namely, it was modified so that, if the accept_dad flag is 0 for the
given interface *or* for all interfaces, DAD would be skipped.

We have instead to skip DAD if accept_dad is 0 for the given interface
*and* for all interfaces.

Fixes: 35e015e1f5 ("ipv6: fix net.ipv6.conf.all interface DAD handlers")
Acked-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Reported-by: Erik Kline <ek@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-07 23:10:05 +01:00
Linus Torvalds 85b1bb2480 SCSI fixes on 20171007
A couple of serious fixes (use after free and blacklist for WRITE
 SAME).  One error leg fix (write_pending failure) and one user
 experience problem (do not override max_sectors_kb) and one minor
 unused function removal.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZ2P68AAoJEAVr7HOZEZN48hEP/0d7RH77AjV1smqQHJpel7b8
 WFh7zWHfhyHEmDMf1xtepqw1RAsrkXfRy12wOOc3ppnaozBIh1GIvjHRWXtaEIaA
 qsTJkROWro3XskxfKL8n0CqeATuk6EjfE+ehRFyXQ9F9yhIB4FxaYROzGUfM9rON
 ScD2vHH0sE4PIUiavizjxSk6G4KNvGyqM/xtgUIymH7Dcd7MorOq1WBvGXp7etkG
 QSCV1tvB63yg2jcqatANTLO0LuI9N023VGA/QrTLzpu6M54QZwMGAmVwZfkQ1/nO
 RLGWTj6jrB4RSF690NN1QLRnf58GYEyIEa37Dlwp/bLyHv4Y9NxO3KB/M0MIf/x2
 PJ5FmUw7IwPVzAk6WmGoUIvscDnrDplzVL0fMZKlnW3+8mQav+IIev7sBvPjMkMw
 HA7PLNXrEpR1tOBhr9je2V2Jz9KxARZFRUqm238Rq03W6kjYQQbSG+dC06A7o2DQ
 UYuXCWp+CZhbBSG29qPf8wzNbdndpkmXatwLrwVmmRn+/eo3BGF5/SfOKu0M8PTu
 M4apqkZTZdMAzPckIe0lg6RIJ+F5lWPPX454CZqivM8MFNyjHbf2VJAvQbU9dNhM
 dfrPsLogZNgCop13H06xAFS6m3dIP5YqUEo/yWXciC6hnvCP7z6ZkiqHTHJIIJMm
 vwQJLkkB2Ex4NscJcZfw
 =X/MK
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:

 - a couple of serious fixes: use after free and blacklist for WRITE
   SAME

 - one error leg fix: write_pending failure

 - one user experience problem: do not override max_sectors_kb

 - one minor unused function removal

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: ibmvscsis: Fix write_pending failure path
  scsi: libiscsi: Remove iscsi_destroy_session
  scsi: libiscsi: Fix use-after-free race during iscsi_session_teardown
  scsi: sd: Do not override max_sectors_kb sysfs setting
  scsi: sd: Implement blacklist option for WRITE SAME w/ UNMAP
2017-10-07 12:34:16 -07:00
Linus Torvalds 67936a41e5 Merge branch 'i2c/for-current-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "I2C has three driver fixes for the newly introduced drivers and one ID
  addition for the i801 driver"

* 'i2c/for-current-4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: i2c-stm32f7: make structure stm32f7_setup static const
  i2c: ensure termination of *_device_id tables
  i2c: i801: Add support for Intel Cedar Fork
  i2c: stm32f7: fix setup structure
2017-10-07 10:07:51 -07:00
Linus Torvalds 031b814030 MMC core:
- Fix driver strength selection when selecting hs400es
  - Delete bounce buffer handling:
    This change fixes a problem related to how bounce buffers are being
    allocated. However, instead of trying to fix that, let's just remove
    the mmc bounce buffer code altogether, as it has practically no use.
 
 MMC host:
  - meson-gx: A couple of fixes related to clock/phase/tuning
  - sdhci-xenon: Fix clock resource by adding an optional bus clock
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ2IGlAAoJEP4mhCVzWIwpi5gP/2dyF4FOK02BS24iV5LjElVV
 TkwpfNWDYguU9eBwCSrDZnCBsfeKgRobpTlre5qtNqGK2YqAwEO9n5lsZQL8HG/6
 8LyVKSy9a7DWbuiK58dvswHKabjeZXZo1JdBx1JONTSfezNGGL5ZvyiDS7mHWv10
 MsX+VukX31kFmS1HOd85Ayhdz9NlYZjnNSfmUN8UMuGMMysV007icwp8QX1uwW1s
 2uPS0DFdtOlCoSs1ln6cyQMSoRZjRJ5Dm/SUFvRec4X7LC3ORxVbBXtbxtDGO8dS
 6TIZHPILMpTHJcah/ONAk1LTXHO5Wt+x5o6vkca6uaEQEnvyUhKqK2NpwXCINRit
 OW+eJkAPv4J1a6/geZ99C7V+SDCCMsHeRrzfWxO1wkj/2ptu2OKtLPPJst2lLYgU
 QEXTgW920SxSWvWQaXcBmgkGZ67cyw3h2pI09QsmZJ9M4jmQpyZVIGWHgfsMFRkj
 iwtzuRL15qqnQqrs62eWJN383/b+BYfKzTnilVWExs+ozcpjYMYxYTGFTOKC1YV1
 yeV+qL60gaK41HobWMJnbv0ckaPTLGZ1oOgB6F9OX6fGZz0LBh1yiOjYG1j66fwb
 KgDzN5sX4Ab/gDOT8zH1G8fGLYGBLDZMciuXrZfYf+mzJF8rpTI0he8BUwJm6KGC
 YJ+kW1MnnWATW+U63hRs
 =0WJ+
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC fixes from Ulf Hansson:
 "MMC core:

   - Fix driver strength selection when selecting hs400es

   - Delete bounce buffer handling:

     This change fixes a problem related to how bounce buffers are being
     allocated. However, instead of trying to fix that, let's just
     remove the mmc bounce buffer code altogether, as it has practically
     no use.

  MMC host:

   - meson-gx: A couple of fixes related to clock/phase/tuning

   - sdhci-xenon: Fix clock resource by adding an optional bus clock"

* tag 'mmc-v4.14-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: sdhci-xenon: Fix clock resource by adding an optional bus clock
  mmc: meson-gx: include tx phase in the tuning process
  mmc: meson-gx: fix rx phase reset
  mmc: meson-gx: make sure the clock is rounded down
  mmc: Delete bounce buffer handling
  mmc: core: add driver strength selection when selecting hs400es
2017-10-07 10:03:03 -07:00
Grygorii Strashko 80ac93c274 gpio: omap: Fix lost edge interrupts
Now acking of edge irqs happens the following way:
- omap_gpio_irq_handler
  - "isr" = read irq status
  - omap_clear_gpio_irqbank(bank, isr_saved & ~level_mask);
	^ clear edge status, so irq can be accepted
  - loop while "isr"
	generic_handle_irq()
	 - handle_edge_irq()
	    - desc->irq_data.chip->irq_ack(&desc->irq_data);
		- omap_gpio_ack_irq()
it might be that at this moment edge IRQ was triggered again and it will be
cleared and IRQ will be lost.

Use handle_simple_irq and clear edge interrupts early without disabling them in
omap_gpio_irq_handler to avoid loosing interrupts.

[1] https://marc.info/?l=linux-omap&m=149004465313534&w=2
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2017-10-07 13:17:07 +02:00
Herbert Xu 0cabf2af6f crypto: skcipher - Fix crash on zero-length input
The skcipher walk interface doesn't handle zero-length input
properly as the old blkcipher walk interface did.  This is due
to the fact that the length check is done too late.

This patch moves the length check forward so that it does the
right thing.

Fixes: b286d8b1a6 ("crypto: skcipher - Add skcipher walk...")
Cc: <stable@vger.kernel.org>
Reported-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:32 +08:00
Jia-Ju Bai 9039f3ef44 crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
The SCTP program may sleep under a spinlock, and the function call path is:
sctp_generate_t3_rtx_event (acquire the spinlock)
  sctp_do_sm
    sctp_side_effects
      sctp_cmd_interpreter
        sctp_make_init_ack
          sctp_pack_cookie
            crypto_shash_setkey
              shash_setkey_unaligned
                kmalloc(GFP_KERNEL)

For the same reason, the orinoco driver may sleep in interrupt handler,
and the function call path is:
orinoco_rx_isr_tasklet
  orinoco_rx
    orinoco_mic
      crypto_shash_setkey
        shash_setkey_unaligned
          kmalloc(GFP_KERNEL)

To fix it, GFP_KERNEL is replaced with GFP_ATOMIC.
This bug is found by my static analysis tool and my code review.

Signed-off-by: Jia-Ju Bai <baijiaju1990@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:32 +08:00
Christophe Jaillet 5125e4e867 crypto: xts - Fix an error handling path in 'create()'
All error handling paths 'goto err_drop_spawn' except this one.
In order to avoid some resources leak, we should do it as well here.

Fixes: f1c131b454 ("crypto: xts - Convert to skcipher")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:31 +08:00
Arnd Bergmann 532f419cde crypto: stm32 - Try to fix hash padding
gcc warns that the length for the extra unaligned data in the hash
function may be used unaligned. In theory this could happen if
we pass a zero-length sg_list, or if sg_is_last() was never true:

In file included from drivers/crypto/stm32/stm32-hash.c:23:
drivers/crypto/stm32/stm32-hash.c: In function 'stm32_hash_one_request':
include/uapi/linux/kernel.h:12:49: error: 'ncp' may be used uninitialized in this function [-Werror=maybe-uninitialized]
 #define __KERNEL_DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

Neither of these can happen in practice, so the warning is harmless.

However while trying to suppress the warning, I noticed multiple
problems with that code:

- On big-endian kernels, we byte-swap the data like we do for
  register accesses, however this is a data stream and almost
  certainly needs to use a single writesl() instead of series
  of writel() to give the correct hash.

- If the length is not a multiple of four bytes, we skip the
  last word entirely, since we write the truncated length
  using stm32_hash_set_nblw().

- If we change the code to round the length up rather than
  down, the last bytes contain stale data, so it needs some
  form of padding.

This tries to address all four problems, by correctly
initializing the length to zero, using endian-safe copy
functions, adding zero-padding and passing the padded length.

I have done no testing on this patch, so please review
carefully and if possible test with an unaligned length
and big-endian kernel builds.

Fixes: 8a1012d3f2 ("crypto: stm32 - Support for STM32 HASH module")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-10-07 12:04:31 +08:00
Linus Torvalds 1c86f2e4c8 Fix up error path in xgene driver
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ2CTPAAoJEMsfJm/On5mBIV0P/3iM6i9Vnp35Q0Q2NI7GaNZb
 TK//TOyjJRNQHOoVPkbD4inX8O5ZSnkk1Eky1A5jzfoue48QZsT2ROwTsLWhMo+Q
 ITlZLTEWoSUcN7QiFanC40xM206Cfo3aJhMFFyuiFHPhKAPjD1bO8AErTdnFOGEm
 EwS86g5Cf8DceEl39+6scm+WPxQfBUngKBgSnKS2wtwpfFDK0zOoJnevPitkGlMO
 UVdK9xECQWQJUHGGhhJgURoL30MxgLz4UdgbuXkKNFxusINNsCHvnn3rPvZaM/cS
 pSuabxENYzpoEY9EaTdFfRj5+3t/4DPKBkM7LrEpkoQQkHIkuI53oaTMLGqO7cc1
 F+6Vz+ZUPg3zYuEHbxo1/YI/4yxd8Sgl0rGvwaI+VqkrZacqSNNo90BmiwFo0FuM
 j7UgI0Izu8fGSvOhaSnAKUI70NiSRf6hTi94krDl4XTQXSpky+nnWT23H8PZjDLE
 u7v3W72h2jeVIqOAeRDppIRKD8TI7lb+8JMwK+xndcIGY6vFZDIOg9abQD54oyp6
 0d79J99bm9FimuIW9Dvrl2NvAC5fh5h02TcYwSlOreY60CqAqxd2rl0Taqy/BuK5
 OHRnqnZVqG0mC/69PBCayoCebiVzJnPWNrPHW7IJoK+Anku0S4MeLpnlMSLsOFOi
 fren+nO00BOFiBb+6eCI
 =TFNX
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fix from Guenter Roeck:
 "Fix up error path in xgene driver"

* tag 'hwmon-for-linus-v4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (xgene) Fix up error handling path mixup in 'xgene_hwmon_probe()'
2017-10-06 17:59:32 -07:00
Linus Torvalds dbeb1a8ff5 - Build fix to export the clk_bulk_prepare() symbol
- Suspend fix for Samsung Exynos SoCs where we need to keep clks on
    across suspend
 
  - Two critical clk markings for clks that shouldn't ever turn off on
    Rockchip SoCs
 
  - A fix for a copy-paste mistake on Rockchip rk3128 causing some clks to
    touch the same bit and trample over one another
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJZ2A7QAAoJEK0CiJfG5JUlbeMQAJZ6rty/oz0mMSt0V621pQ+0
 FJo9Kv+mmWfdZ/WMUgfmqhvty5S5BYW69dQFZuwB4eWVZ8rFa8ZLDi85sAxmd8Q2
 mTnhwz1QhCiXbllTHTAx024h2CvTe/fScw0+SEXoTTCDnHVnnNwLcElb8YdBNUKF
 dm1fd26hmZpqrW9vRKYuxa96+aSfRzS1DnrRyn9a+KSmA4XTTJkfU8W2qxCEn2Em
 rkIBVdWlRGA4Xk/e2pct9Ov/CMiMMNWE3pHGdzS3FtLUd+c0ocs9XO/2NVvBJQ7R
 AIiWmkdUTLEkRwos/u1JqvtPxXx+qouEV3hsdWfJQL65Hz0clOcbyh6DtytOu7vi
 I7QxF92fkOl1kQhUSWkzdKCVnZklUSEJQkkibyDksiVENgk+UASWyVTE+INR12tT
 7jO+aj/u1nMRlZ0lgTjvh0uWioZyL/+6DWSphuh0W6xcRsG4T2kTQDt463WHBkxM
 YjZQurtUZN2SKnCzTNInHAjJ0agqkD3rR67yZTxSOFJM6Coeu2faoe/Jke7in7lV
 HAMWpxonvRHt9P+wu8CNwuyR1z9ZdlUTrOLkB2tBoXF8WpEUCdK4yIbTD940uQvG
 Od3ltW4HzyCRXl4tlcklDyGj08McxL4Cv8OYf4PjVq2XSWaxlVDhoXbZJG8OfFnN
 CJgJVOw4JWB7tEMhpL9U
 =jV1S
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:

 - build fix to export the clk_bulk_prepare() symbol

 - suspend fix for Samsung Exynos SoCs where we need to keep clks on
   across suspend

 - two critical clk markings for clks that shouldn't ever turn off on
   Rockchip SoCs

 - a fix for a copy-paste mistake on Rockchip rk3128 causing some clks
   to touch the same bit and trample over one another

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: samsung: exynos4: Enable VPLL and EPLL clocks for suspend/resume cycle
  clk: Export clk_bulk_prepare()
  clk: rockchip: add sclk_timer5 as critical clock on rk3128
  clk: rockchip: fix up rk3128 pvtm and mipi_24m gate regs error
  clk: rockchip: add pclk_pmu as critical clock on rk3128
2017-10-06 16:25:08 -07:00
Linus Torvalds ed0f72f4ea ARC udpates for 4.14-rc4
- Updates for various platforms
 
  - boot log updates for upcoming HS48 family of cores (dual issue)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ1/PLAAoJEGnX8d3iisJehiAP/jBOk2hPMZHQrD9j2m1oCihb
 LrV/gSPIRHQAKeCCcCSaIO1SSnpCkcoeL6w6LXMtH+og4wFS47KxCe+l7KKp9L3y
 Btkc4JZL7GKa9Sk99KlllBMB7ysC+CzCCGpcuQC7AxCdFEBmkYvP8se7cVWVOMAV
 ZcCI0K498T5N/3kFkpQEQJ1XcN5V+jNtEcvFUyZzHGyW17pBUaYc44/lQra+fSDP
 iWsDD6a/lWZ6TntLR/JlCxKUWXo18ZgQUxe0c9mFO0cv27vvuWGLonts9PY6U9v0
 M7Tc3AtxkUc4tHwzkOPrJDiLEtFHhYkpD2P2CIwwi/16ysA2XCYXsdkChTbTSQFs
 +kjOs7QtG5NXT7LUp4lSLnOgVtkH88pAcfeujHNDwqJ5bOQRtxtb4XJP2zsYnVr8
 ec1BLf1BRrq4W06/v5J1VmNP0CBVB7bZkJU0d+Q4OJMn11nFJmg1/7VT3EpB6T87
 heQkXnTU8OuVYE/KYN7EIhqcrR7+rQL95BghJmevdtPkkQkuR+yoJCIJEsG/WDu9
 OzS+gmGgeuAgIRaewGKlZsNN+TCAELdK8ZiKjaDDsyxrExQcEYgGRYh/IOR4ny0P
 VDUwr3FrEr+jrt8mtaUrG9DalLXPxfFBrQO8QNJUfHTF197EIyuZiAZF9++pkyxb
 QEk7uPIYOPujUXc25vkY
 =Lcdb
 -----END PGP SIGNATURE-----

Merge tag 'arc-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc

Pull ARC udpates from Vineet Gupta:

 - updates for various platforms

 - boot log updates for upcoming HS48 family of cores (dual issue)

* tag 'arc-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARC: [plat-hsdk]: Add reset controller node to manage ethernet reset
  ARC: [plat-hsdk]: Temporary fix to set CPU frequency to 1GHz
  ARC: fix allnoconfig build warning
  ARCv2: boot log: identify HS48 cores (dual issue)
  ARC: boot log: decontaminate ARCv2 ISA_CONFIG register
  arc: remove redundant UTS_MACHINE define in arch/arc/Makefile
  ARC: [plat-eznps] Update platform maintainer as Noam left
  ARC: [plat-hsdk] use actual clk driver to manage cpu clk
  ARC: [*defconfig] Reenable soft lock-up detector
  ARC: [plat-axs10x] sdio: Temporary fix of sdio ciu frequency
  ARC: [plat-hsdk] sdio: Temporary fix of sdio ciu frequency
  ARC: [plat-axs103] Add temporary quirk to reset ethernet IP
2017-10-06 15:57:08 -07:00
Linus Torvalds eab26ad197 Changes since last update:
- fix a race between overlapping copy on write aio
 - fix cow fork swapping when we defragment reflinked files
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJZ1/WPAAoJEPh/dxk0SrTrk8AP/0rV3Cb6tknRTwNPHWC2KG+v
 UPP2KmN9tGPrqbrDTzMYdQC4/UNE4Je7+hMevF+A61Q7rug/4xofGP3Bl+vxWV22
 Y2lDA2jGHDnA20tvHvNUNJ+8aWbiHXXkzYCbohrlTHteDMaB+diHLp7jtePPrgzu
 ++qBM2X2noXhC3B6MB/GzEDUyTwHgEySsfx2IJDHs7LkQR5qV9UF8f1SSLbr9o7u
 N7JJ6CXUW5Dfb6Sxk8WJGEBHxTzf14vdPeTOmnsx1OwW9FFidVtcr8/YdY6Cv1F+
 LjpDuR/pWwJM0Ig1BB03jIcKNoG6Q6V1AJjNdZkq0hoEYc4Z8mNdyHPPSyvgMqqS
 733eMJI7q1Cu546XBP2NKmzUBJr4wVNPxTVbxZnbqrL1ybODTzKuDRkgpkoE8Hrg
 gSKXi4gnXJkR4/N5DPN+dP3cLMRl81QJ6widiZdpvxWzJGaOM1Ynu/o9mmo0yj7K
 rlHQ6tgex2TyuTys+jyPgRb489rf6eKnNTxu2I4F4nNbHsNOiNa8eVUc7FLP1SxL
 SfL2PUmUgcI1FcLl3yMZ2wZ3zP+PMV005aZB2q9KW08COF/ASXOX87efsQ91WaUy
 rEzOZoBxZvfc0DA0G5Tmlb+MbGtlfdjDfidPygmDeBrSRPJpUyxTh7xoRk/an8wL
 B4QtpX77Pj/qQNbuThkv
 =oDmt
 -----END PGP SIGNATURE-----

Merge tag 'xfs-4.14-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Darrick Wong:

 - fix a race between overlapping copy on write aio

 - fix cow fork swapping when we defragment reflinked files

* tag 'xfs-4.14-fixes-4' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: handle racy AIO in xfs_reflink_end_cow
  xfs: always swap the cow forks when swapping extents
2017-10-06 15:53:36 -07:00
Linus Torvalds 17d084c8d1 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
 "A collection of fixes for this series. This contains:

   - NVMe pull request from Christoph, one uuid attribute fix, and one
     fix for the controller memory buffer address for remapped BARs.

   - use-after-free fix for bsg, from Benjamin Block.

   - bcache race/use-after-free fix for a list traversal, fixing a
     regression in this merge window. From Coly Li.

   - null_blk change configfs dependency change from a 'depends' to a
     'select'. This is a change from this merge window as well. From me.

   - nbd signal fix from Josef, fixing a regression introduced with the
     status code changes.

   - nbd MAINTAINERS mailing list entry update.

   - blk-throttle stall fix from Joseph Qi.

   - blk-mq-debugfs fix from Omar, fixing an issue where we don't
     register the IO scheduler debugfs directory, if the driver is
     loaded with it. Only shows up if you switch through the sysfs
     interface"

* 'for-linus' of git://git.kernel.dk/linux-block:
  bsg-lib: fix use-after-free under memory-pressure
  nvme-pci: Use PCI bus address for data/queues in CMB
  blk-mq-debugfs: fix device sched directory for default scheduler
  null_blk: change configfs dependency to select
  blk-throttle: fix possible io stall when upgrade to max
  MAINTAINERS: update list for NBD
  nbd: fix -ERESTARTSYS handling
  nvme: fix visibility of "uuid" ns attribute
  bcache: use llist_for_each_entry_safe() in __closure_wake_up()
2017-10-06 12:13:50 -07:00
Linus Torvalds 80cf1f8c16 pci-v4.14-fixes-4
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ18l8AAoJEFmIoMA60/r8lrIP/i0fNFaf6gc1vvoizwPhwGU8
 0pN6LyDXDCRwaUKXK8BhEgGb2CdtoBl5bU5BJFKdmRFQqDEUmhkGD1a150E89zbm
 Ty4k93Ym+EpfYra/gUriT+jR21v/TVIFhx9V4PgjJY/4UIulNKDyHnFrOM2HCRC9
 yMv6QDmkSaAhTJAQL+2isP0m1jfSwWD1K5b4anP7+93S81uwm68DkLsQLZhvsJY/
 HtWXEo5EQFP0Sz0Q17etRZyvh1DmCHSd/6lPYQHatz1t2+7VkvF3tZ3EEw/Mjua2
 hmMMLIVdoZnnRH81JzjENvANCecbT5r+FCDurfUxuI34Z8elmeIZ10lt0Du+VmA7
 onC50eUow9U55RXXOv+at8UWKAGSVKX0HAgGYe2Og/AoRBo4rnNiP6sf2f+Qpj78
 3fh2deLT3xxxF///3P8FZTYPuPclghJKdFyxEyVhwnyArwuJD7hNkJrb2IuOemoF
 9uxleJdSYVyHcwiewP7YdCRFNnTFL60WU/fn+8QPzoNj7of9OBDwovjq0iPKHBUn
 UT8hsG7ZfICj1I+FBS/+tGraEOurXl4ts2hOodZJCPzoLRWnKzGCbAJrjTEVPhLs
 Vy+RegL2B1zJWXxbg2GHLYEV8I8vV8FXo1x2vgAh2vigZNOX8RfECFZ4aigTwkzo
 5j3UGm3xXBfZhn+uHxFe
 =/3Ag
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.14-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:
 "Fix legacy IDE probe issues exposed by recent PCI core IRQ mapping
  changes (Bartlomiej Zolnierkiewicz, Lorenzo Pieralisi)"

* tag 'pci-v4.14-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  ide: fix IRQ assignment for PCI bus order probing
  ide: pci: free PCI BARs on initialization failure
  ide: free hwif->portdev on hwif_init() failure
2017-10-06 12:07:09 -07:00
Linus Torvalds 275490680c arm64 fixes:
- Bring initialisation of user space undefined instruction handling
   early (core_initcall) since late_initcall() happens after modprobe in
   initramfs is invoked. Similar fix for fpsimd initialisation
 
 - Increase the kernel stack when KASAN is enabled
 
 - Bring the PCI ACS enabling earlier via the
   iort_init_platform_devices()
 
 - Fix misleading data abort address printing (decimal vs hex)
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE5RElWfyWxS+3PLO2a9axLQDIXvEFAlnXpvoACgkQa9axLQDI
 XvFQmhAArl+ckCtEkroPlX1HVcf5CkOItv0bwzWDXcLMI3nW2mUKJ9tmd+U5uEvA
 43FYfqdgbetEMvpaBBwH8oT8VrJ8o+ZaawWcZAwholXCd+aT3Uuku1eqL4dtGdPT
 HsgsmDb2ywkGA2kOHUNqbTZpOg3rq4Yyolr3UV4xv5xBlcqdWlIMFDAkDGggEGq4
 5H/hQWcKON1d96mBfNh0wReQNggUXtWAxnb3RkLwevQcXPVq+KOG8tNsVIC/MbrS
 VrD+2x95IkNs+QycTuSAWY17Bl2VvxyeJeb+gmgw7J5coY+M/5tEcVTVhdwoNXYN
 KkOP9kO+n6K9tNBgpo5QU4htVcebcv+/mqh50t9nLWpLMV0Que+gigmyiCdYgJpg
 mnvy5g3rGiaGr0QTQSWDJdoD1fAEecdRyu4hxnSJJv2Ol0CVsPkOtIOgNTrnNVCc
 nB9zuhIIsDyhWVgmDPbVihWViTbs3W0EcOymiCC/5c/Dj36emtNfNSqqpJ+ZAPWx
 GQMH67UnYRD1Jy2dxS4AXpaXfuN4zQdm8zOmIEw3uQespF6TWm7Sn94X0KfnOZU7
 5PFKnlufLgbisGCVPbwTiNtfIzstQ1uZu3yLoqxJTDQRqTlPZ14FePS6bb9HqKCB
 yCdSDUwwDzxnB4O5WkiDtshHGK8hFKjEpLHWmptpG5b56zpM3Bo=
 =Iu63
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Catalin Marinas:

 - Bring initialisation of user space undefined instruction handling
   early (core_initcall) since late_initcall() happens after modprobe in
   initramfs is invoked. Similar fix for fpsimd initialisation

 - Increase the kernel stack when KASAN is enabled

 - Bring the PCI ACS enabling earlier via the
   iort_init_platform_devices()

 - Fix misleading data abort address printing (decimal vs hex)

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: Ensure fpsimd support is ready before userspace is active
  arm64: Ensure the instruction emulation is ready for userspace
  arm64: Use larger stacks when KASAN is selected
  ACPI/IORT: Fix PCI ACS enablement
  arm64: fix misleading data abort decoding
2017-10-06 11:31:46 -07:00
Linus Torvalds 8d473320ee KVM fixes for v4.14-rc4
- fix PPC XIVE interrupt delivery
 - fix x86 RCU breakage from asynchronous page faults when built without
   PREEMPT_COUNT
 - fix x86 build with -frecord-gcc-switches
 - fix x86 build without X86_LOCAL_APIC
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABCAAGBQJZ18AmAAoJEED/6hsPKofoPEwH+waDVIeS+s38G8HkiB8PoVww
 bAhAV6Aj3muOI49KtwBt+qyC8nOQHpwPCNqjmagOv1GEYSwJ4gKKoJ6Xl9rOsxau
 GT0xDgVDbrzIb/PTFL+7bDjsyMxf89utIfoBL8i37uznzB35+QFlvy4mLgKntAh0
 1/tYDzgrQxuxH5RF4DbFstoPFjw1kdxpXRzHdngsV13bS87PAG9j7A0l7orLtXZg
 qxlTh2SvCSr4B0hOZGG/Pc0aIAxLh8kRD6NaU05raKgzQLJa5sxJ0Yr+RbskfqQb
 7B98X1Ygb1BjBOFxy+Je5IamKt4ICTY1B0v1ivs0qZ+mgxG59FWuQlR0pww/8Ug=
 =ay5S
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:

 - fix PPC XIVE interrupt delivery

 - fix x86 RCU breakage from asynchronous page faults when built without
   PREEMPT_COUNT

 - fix x86 build with -frecord-gcc-switches

 - fix x86 build without X86_LOCAL_APIC

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: add X86_LOCAL_APIC dependency
  x86/kvm: Move kvm_fastop_exception to .fixup section
  kvm/x86: Avoid async PF preempting the kernel incorrectly
  KVM: PPC: Book3S: Fix server always zero from kvmppc_xive_get_xive()
2017-10-06 11:28:34 -07:00
Linus Torvalds d109d83fc8 Third -rc update for 4.14 kernel
- a fix for iwpm netlink usage
 - a fix for error unwinding in mlx5
 - two fixes to vlan handling in qedr
 - a couple small i40iw fixes
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJZ1TaBAAoJELgmozMOVy/durcP/3RIEcW35nLwvy5ZZD8a9OUQ
 AaW5o4fbQmlwqXPtE6DRe8QalnS0aSMM6c7M7I2ckX+Q2X0qtvGRvTVQGhQCEDkx
 v+pHZH5Lkjyf8mcIIIxOnuWOLTb4lekZ8MZPNRnd1MKGEKg83PUNFf/7/soKi8Dd
 V/sB8/czbrb5Wu5RdHHUXDw3iWhF2gu4UdqbvaKKM1E/lXi7nv09h/fe/1csBTPF
 VCI8pkkSzj1Z514uwFBTb/ORfiWMSr/ylmvA8cuUUiNvJfoqQZHbaV0LXkta91RZ
 HOFt9wtYWL92Ef5nOlPjTZ6oW6U9DdpO7z8cVKk3heouyd+0vSdF6v6U78sc58a8
 iafg5B1Ej/LZOQJRuk4FF+JcZYxC0NnxRFSgZukZQ0E7mWPCz76v/cK6j987HPXZ
 4YDqDBJ4dnPFWIAWOpIKbsYFE2GzUGZ0c6Rqe4ZRn24Od0w+tGXCQnhFF4CTdaem
 IbJr3OL0mDL4ceQEwdXo7ph49vHCW02ha+ehIdgSW1Sm/yXV1dOll/PUFsQ5SXO3
 5HpxH724AqJa89LYCeyjTCJ80BZzvWKqM6UIKaxg42ki7gojXHeQw+aMcnNAeWAV
 DYHRQrZCcREdOdFK7IB7Ja2Bp5TYHouPnV8zLyutJHp2zCTP1OSadwXHEOpsS+rk
 Zpy3A5IpRtIW++WZ1/++
 =17J/
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma

Pull rdma fixes from Doug Ledford:
 "This is a pretty small pull request. Only 6 patches in total. There
  are no outstanding -rc patches on the mailing list after this pull
  request, so only if some new issues are discovered in the remainder of
  the rc cycles will you hear from me again.

  Summary:
   - a fix for iwpm netlink usage
   - a fix for error unwinding in mlx5
   - two fixes to vlan handling in qedr
   - a couple small i40iw fixes"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  i40iw: Fix port number for query QP
  i40iw: Add missing memory barriers
  RDMA/qedr: Parse vlan priority as sl
  RDMA/qedr: Parse VLAN ID correctly and ignore the value of zero
  IB/mlx5: Fix label order in error path handling
  RDMA/iwpm: Properly mark end of NL messages
2017-10-06 11:25:55 -07:00
Guillaume Nault 6151b8b37b ppp: fix race in ppp device destruction
ppp_release() tries to ensure that netdevices are unregistered before
decrementing the unit refcount and running ppp_destroy_interface().

This is all fine as long as the the device is unregistered by
ppp_release(): the unregister_netdevice() call, followed by
rtnl_unlock(), guarantee that the unregistration process completes
before rtnl_unlock() returns.

However, the device may be unregistered by other means (like
ppp_nl_dellink()). If this happens right before ppp_release() calling
rtnl_lock(), then ppp_release() has to wait for the concurrent
unregistration code to release the lock.
But rtnl_unlock() releases the lock before completing the device
unregistration process. This allows ppp_release() to proceed and
eventually call ppp_destroy_interface() before the unregistration
process completes. Calling free_netdev() on this partially unregistered
device will BUG():

 ------------[ cut here ]------------
 kernel BUG at net/core/dev.c:8141!
 invalid opcode: 0000 [#1] SMP

 CPU: 1 PID: 1557 Comm: pppd Not tainted 4.14.0-rc2+ #4
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc26 04/01/2014

 Call Trace:
  ppp_destroy_interface+0xd8/0xe0 [ppp_generic]
  ppp_disconnect_channel+0xda/0x110 [ppp_generic]
  ppp_unregister_channel+0x5e/0x110 [ppp_generic]
  pppox_unbind_sock+0x23/0x30 [pppox]
  pppoe_connect+0x130/0x440 [pppoe]
  SYSC_connect+0x98/0x110
  ? do_fcntl+0x2c0/0x5d0
  SyS_connect+0xe/0x10
  entry_SYSCALL_64_fastpath+0x1a/0xa5

 RIP: free_netdev+0x107/0x110 RSP: ffffc28a40573d88
 ---[ end trace ed294ff0cc40eeff ]---

We could set the ->needs_free_netdev flag on PPP devices and move the
ppp_destroy_interface() logic in the ->priv_destructor() callback. But
that'd be quite intrusive as we'd first need to unlink from the other
channels and units that depend on the device (the ones that used the
PPPIOCCONNECT and PPPIOCATTACH ioctls).

Instead, we can just let the netdevice hold a reference on its
ppp_file. This reference is dropped in ->priv_destructor(), at the very
end of the unregistration process, so that neither ppp_release() nor
ppp_disconnect_channel() can call ppp_destroy_interface() in the interim.

Reported-by: Beniamino Galvani <bgalvani@redhat.com>
Fixes: 8cb775bc0a ("ppp: fix device unregistration upon netns deletion")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-06 10:16:34 -07:00
Linus Torvalds bf2db0b9f5 Merge branch 'for-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
Pull btrfs fixes from David Sterba:
 "Two more fixes for bugs introduced in 4.13.

  The sector_t problem with 32bit architecture and !LBDAF config seems
  serious but the number of affected deployments is hopefully low.

  The clashing status bits could lead to a confusing in-memory state of
  the whole-filesystem operations if used with the quota override sysfs
  knob"

* 'for-4.14-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
  Btrfs: fix overlap of fs_info::flags values
  btrfs: avoid overflow when sector_t is 32 bit
2017-10-06 09:03:08 -07:00
Linus Torvalds b77779b93d Two fixups for CephFS snapshot-handling patches in -rc1.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJZ142+AAoJEEp/3jgCEfOLPdQH/0wFtTLG7sKhEBVndsDUG8u0
 RUtLBE4dXFJU7IlLQOuAkD4GvC4XqttLIJs7bkUwSUu7Vk3+2OKk0JvUq2qKFl03
 tM5sWIqX5FkL9nenivV28YI6rOPHyghVXttVw/4xy5QYLJ1G3OoJpGPJOE44v5v9
 w96guw+EEaPWyn8+/SBhEkfpVAR2fRXe4UDKiLzGYLqYNYiGSSd90j/7F8I4uaNG
 hpQ6aJVJOzNoTQtfmsGyZ0DHuBD8/CSQOIumXdICegDk7stEVGaxSlkBX2ZwwR2q
 jwxIRj6ItM+jDORSgaVAhQ6NJktCxs+scfNFgu8MlQ+RaTOSnEkcvigA7DIVMrw=
 =h2CQ
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-4.14-rc4' of git://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "Two fixups for CephFS snapshot-handling patches in -rc1"

* tag 'ceph-for-4.14-rc4' of git://github.com/ceph/ceph-client:
  ceph: fix __choose_mds() for LSSNAP request
  ceph: properly queue cap snap for newly created snap realm
2017-10-06 09:01:45 -07:00
Eugeniy Paltsev ab8eb7db1d ARC: [plat-hsdk]: Add reset controller node to manage ethernet reset
DW ethernet controller on HSDK hangs sometimes after SW reset, so
add reset node to make possible to reset DW ethernet controller HW.

Signed-off-by: Eugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
2017-10-06 08:59:54 -07:00
Linus Torvalds 8d4ef4e15e Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs
Pull overlayfs fixes from Miklos Szeredi:
 "Fix a regression in 4.14 and one in 4.13. The latter is a case when
  Docker is doing something it really shouldn't and gets away with it.
  We now print a warning instead of erroring out.

  There are also fixes to several error paths"

* 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  ovl: fix regression caused by exclusive upper/work dir protection
  ovl: fix missing unlock_rename() in ovl_do_copy_up()
  ovl: fix dentry leak in ovl_indexdir_cleanup()
  ovl: fix dput() of ERR_PTR in ovl_cleanup_index()
  ovl: fix error value printed in ovl_lookup_index()
  ovl: fix may_write_real() for overlayfs directories
2017-10-06 08:52:53 -07:00
Linus Torvalds 1249b571ba powerpc fixes for 4.14 #4
Nine small fixes, really nothing that stands out.
 
 A work around for a spurious MCE on Power9. A CXL fault handling fix, some fixes
 to the new XIVE code, and a fix to the new 32-bit STRICT_KERNEL_RWX code.
 
 Fixes for old code/stable: an fix to an incorrect TLB flush on boot but not on
 any current machines, a compile error on 4xx and a fix to memory hotplug when
 using radix (Power9).
 
 Thanks to:
   Anton Blanchard, Cédric Le Goater, Christian Lamparter, Christophe Leroy,
   Christophe Lombard, Guenter Roeck, Jeremy Kerr, Michael Neuling, Nicholas
   Piggin.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ11/yAAoJEFHr6jzI4aWAooYQAKjOKamLyxRotFGSqBfrfOMN
 UfWKAmfeoF/gi4z03x8JdhcMQ1CMh5c/cQmrwzkzDosQ2m83CEWzNbk0gFV0Tpld
 2qDTrEnBfTC4TRhCwWuOlaQC8LFeqxwpsCS6iXGpYoTY2NzmsbliPIQaruCIqj3f
 F+7etfTqGJ+gCCkGfT0s7m96QO+daaT32nXL1VM8i/rOOpwZ23oj6kR3/ZSTWxBc
 eyzvUcTLLhLp8hJoF0kU4f1VQtYijnpqK6ULr3wSfxYqjB9S4dsGyiF537aw5bKX
 UPUCoMgkttVy8Jh35dtvKLuMqlfjHGqoe6UcezSG9a6wxeUnQRzsVmXihNDSkyEt
 EawmPS6R5YaXXu9NKsleKBZDAdU4+EkcX24Wwn/lZy3wTKc1Lys+wH9hXuzzGNiH
 JYEcMacXvpM1yFYNT+ouyLtoT86VWVCdwihueBMV74lyV87Wr55zS65XP6Z+Bb8/
 aPL906sOAvnJW1JhHbYq/UxLfvs0enHNHpyR0xM4/oXi+RoGfhbM/MC1uJxv4w9z
 12n1hbrpaRxHSSnJr1gahCrDoNUXLjkO2+0Ur3iXP4tfMMhwDs8qCILeaKpNmzkC
 sO1ehOmXSSYqJLNiPmSIxs/QEzjFrvQdNwZOIav+3Tsc5ofR6wsauDCmfK5br2Mg
 BdhW7LXtqL77cmOzN95e
 =etbe
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:
 "Nine small fixes, really nothing that stands out.

  A work-around for a spurious MCE on Power9. A CXL fault handling fix,
  some fixes to the new XIVE code, and a fix to the new 32-bit
  STRICT_KERNEL_RWX code.

  Fixes for old code/stable: an fix to an incorrect TLB flush on boot
  but not on any current machines, a compile error on 4xx and a fix to
  memory hotplug when using radix (Power9).

  Thanks to: Anton Blanchard, Cédric Le Goater, Christian Lamparter,
  Christophe Leroy, Christophe Lombard, Guenter Roeck, Jeremy Kerr,
  Michael Neuling, Nicholas Piggin"

* tag 'powerpc-4.14-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/powernv: Increase memory block size to 1GB on radix
  powerpc/mm: Call flush_tlb_kernel_range with interrupts enabled
  powerpc/xive: Clear XIVE internal structures when a CPU is removed
  powerpc/xive: Fix IPI reset
  powerpc/4xx: Fix compile error with 64K pages on 40x, 44x
  powerpc: Fix action argument for cpufeatures-based TLB flush
  cxl: Fix memory page not handled
  powerpc: Fix workaround for spurious MCE on POWER9
  powerpc: Handle MCE on POWER9 with only DSISR bit 30 set
2017-10-06 08:47:21 -07:00
Linus Torvalds 9c0c1adab6 i915 and sun4i fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJZ1uMDAAoJEAx081l5xIa+qBsP/iL+nL1Sq0/fFLXS/PXPBb6Z
 9bWI1/pXMSNNhPJg6u8l4urC5fwv1jeLJGfNnuQAF0sVw8uxd1lBeAVg69511Pym
 XdefFgSqy3mwIEbserRim3n4D5QdxS+qAObtmjf6Ocdb0EIWfyrqLspDoRnGQm74
 nnZ2VG2Lg9SLyV95iGxbVYX/ua52+QTKtrO9RqC0aPFn5E4SC8v+uTUlJVUR3BGQ
 ls+Oi64Naj8mHtaa4F978xv8sYGFvurD3/uiSfvSXTiMu5+BhXM8TUtv4wmu8olw
 QMKfaF3vw6SEbd6MLt/D44l/BzqXWnGQw6cYpne8/0bnS80JuPb2rE3aACe1gjlF
 XgM4iaHVye67UeHtfnmtIGoyUG/mmXHjIdbjQ7y265qihkJ9/qFscpEe1uWqr3b1
 qpd+IUPbHsG9PRcf9PT8aqfHSV7E4xMwhZes2qEkyDsjkb1mOQHmbWQe5HtWaCn8
 by5hSIossBBevlcQ3AwQ3tfl5iYvu0Y53G/J4wH1b52DTLfbYFMrcCVM+r9L/HLR
 EokbpIqj1N+skP55iDf6avX9av5kLoII/hA8WHkWUmsksIKfRUJt5adBicO29y23
 WjyYy7Rczr5iePw/PxZG/NjnRCXHx8VOhwy2AFZILjPEwrEAF0CQ6ZYC19if5jCI
 BWRNqbZtle8ZO9rBEzVb
 =mn3h
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.14-rc4' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Some i915 fixes from the last two weeks (as they were on a strange
  base and I just waited for rc3), also a single sun4i hdmi fix"

* tag 'drm-fixes-for-v4.14-rc4' of git://people.freedesktop.org/~airlied/linux:
  drm/i915/glk: Fix DMC/DC state idleness calculation
  drm/i915/cnl: Reprogram DMC firmware after S3/S4 resume
  drm/i915: Fix DDI PHY init if it was already on
  drm/sun4i: hdmi: Disable clks in bind function error path and unbind function
  drm/i915/bios: ignore HDMI on port A
  drm/i915: remove redundant variable hw_check
  drm/i915: always update ELD connector type after get modes
2017-10-06 08:42:06 -07:00
Linus Torvalds 27efed3e83 Merge branch 'core-watchdog-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull watchddog clean-up and fixes from Thomas Gleixner:
 "The watchdog (hard/softlockup detector) code is pretty much broken in
  its current state. The patch series addresses this by removing all
  duct tape and refactoring it into a workable state.

  The reasons why I ask for inclusion that late in the cycle are:

   1) The code causes lockdep splats vs. hotplug locking which get
      reported over and over. Unfortunately there is no easy fix.

   2) The risk of breakage is minimal because it's already broken

   3) As 4.14 is a long term stable kernel, I prefer to have working
      watchdog code in that and the lockdep issues resolved. I wouldn't
      ask you to pull if 4.14 wouldn't be a LTS kernel or if the
      solution would be easy to backport.

   4) The series was around before the merge window opened, but then got
      delayed due to the UP failure caused by the for_each_cpu()
      surprise which we discussed recently.

  Changes vs. V1:

   - Addressed your review points

   - Addressed the warning in the powerpc code which was discovered late

   - Changed two function names which made sense up to a certain point
     in the series. Now they match what they do in the end.

   - Fixed a 'unused variable' warning, which got not detected by the
     intel robot. I triggered it when trying all possible related config
     combinations manually. Randconfig testing seems not random enough.

  The changes have been tested by and reviewed by Don Zickus and tested
  and acked by Micheal Ellerman for powerpc"

* 'core-watchdog-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (36 commits)
  watchdog/core: Put softlockup_threads_initialized under ifdef guard
  watchdog/core: Rename some softlockup_* functions
  powerpc/watchdog: Make use of watchdog_nmi_probe()
  watchdog/core, powerpc: Lock cpus across reconfiguration
  watchdog/core, powerpc: Replace watchdog_nmi_reconfigure()
  watchdog/hardlockup/perf: Fix spelling mistake: "permanetely" -> "permanently"
  watchdog/hardlockup/perf: Cure UP damage
  watchdog/hardlockup: Clean up hotplug locking mess
  watchdog/hardlockup/perf: Simplify deferred event destroy
  watchdog/hardlockup/perf: Use new perf CPU enable mechanism
  watchdog/hardlockup/perf: Implement CPU enable replacement
  watchdog/hardlockup/perf: Implement init time detection of perf
  watchdog/hardlockup/perf: Implement init time perf validation
  watchdog/core: Get rid of the racy update loop
  watchdog/core, powerpc: Make watchdog_nmi_reconfigure() two stage
  watchdog/sysctl: Clean up sysctl variable name space
  watchdog/sysctl: Get rid of the #ifdeffery
  watchdog/core: Clean up header mess
  watchdog/core: Further simplify sysctl handling
  watchdog/core: Get rid of the thread teardown/setup dance
  ...
2017-10-06 08:36:41 -07:00
Suzuki K Poulose ae2e972dae arm64: Ensure fpsimd support is ready before userspace is active
We register the pm/hotplug callbacks for FPSIMD as late_initcall,
which happens after the userspace is active (from initramfs via
populate_rootfs, a rootfs_initcall). Make sure we are ready even
before the userspace could potentially use it, by promoting to
a core_initcall.

Cc: Will Deacon <will.deacon@arm.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Dave Martin <dave.martin@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2017-10-06 16:35:25 +01:00
Suzuki K Poulose c0d8832e78 arm64: Ensure the instruction emulation is ready for userspace
We trap and emulate some instructions (e.g, mrs, deprecated instructions)
for the userspace. However the handlers for these are registered as
late_initcalls and the userspace could be up and running from the initramfs
by that time (with populate_rootfs, which is a rootfs_initcall()). This
could cause problems for the early applications ending up in failure
like :

[   11.152061] modprobe[93]: undefined instruction: pc=0000ffff8ca48ff4

This patch promotes the specific calls to core_initcalls, which are
guaranteed to be completed before we hit userspace.

Cc: stable@vger.kernel.org
Cc: Dave Martin <dave.martin@arm.com>
Cc: Matthias Brugger <mbrugger@suse.com>
Cc: James Morse <james.morse@arm.com>
Reported-by: Matwey V. Kornilov <matwey.kornilov@gmail.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2017-10-06 16:35:21 +01:00
Eric Dumazet e466af75c0 netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
syzkaller reports an out of bound read in strlcpy(), triggered
by xt_copy_counters_from_user()

Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.

Fixes: d7591f0c41 ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-10-06 15:04:05 +02:00
Pablo Neira Ayuso 5f9bfe0ef6 netfilter: nf_tables: do not dump chain counters if not enabled
Chain counters are only enabled on demand since 9f08ea8481, skip them
when dumping them via netlink.

Fixes: 9f08ea8481 ("netfilter: nf_tables: keep chain counters away from hot path")
Reported-by: Johny Mattsson <johny.mattsson+kernel@gmail.com>
Tested-by: Johny Mattsson <johny.mattsson+kernel@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-10-06 14:49:19 +02:00
Gustavo Romero 044215d145 powerpc/tm: Fix illegal TM state in signal handler
Currently it's possible that on returning from the signal handler
through the restore_tm_sigcontexts() code path (e.g. from a signal
caught due to a `trap` instruction executed in the middle of an HTM
block, or a deliberately constructed sigframe) an illegal TM state
(like TS=10 TM=0, i.e. "T0") is set in SRR1 and when `rfid` sets
implicitly the MSR register from SRR1 register on return to userspace
it causes a TM Bad Thing exception.

That illegal state can be set (a) by a malicious user that disables
the TM bit by tweaking the bits in uc_mcontext before returning from
the signal handler or (b) by a sufficient number of context switches
occurring such that the load_tm counter overflows and TM is disabled
whilst in the signal handler.

This commit fixes the illegal TM state by ensuring that TM bit is
always enabled before we return from restore_tm_sigcontexts(). A small
comment correction is made as well.

Fixes: 5d176f751e ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-06 22:12:55 +11:00
Cyril Bur 265e60a170 powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
When using transactional memory (TM), the CPU can be in one of six
states as far as TM is concerned, encoded in the Machine State
Register (MSR). Certain state transitions are illegal and if attempted
trigger a "TM Bad Thing" type program check exception.

If we ever hit one of these exceptions it's treated as a bug, ie. we
oops, and kill the process and/or panic, depending on configuration.

One case where we can trigger a TM Bad Thing, is when returning to
userspace after a system call or interrupt, using RFID. When this
happens the CPU first restores the user register state, in particular
r1 (the stack pointer) and then attempts to update the MSR. However
the MSR update is not allowed and so we take the program check with
the user register state, but the kernel MSR.

This tricks the exception entry code into thinking we have a bad
kernel stack pointer, because the MSR says we're coming from the
kernel, but r1 is pointing to userspace.

To avoid this we instead always switch to the emergency stack if we
take a TM Bad Thing from the kernel. That way none of the user
register values are used, other than for printing in the oops message.

This is the fix for CVE-2017-1000255.

Fixes: 5d176f751e ("powerpc: tm: Enable transactional memory (TM) lazily for userspace")
Cc: stable@vger.kernel.org # v4.9+
Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
[mpe: Rewrite change log & comments, tweak asm slightly]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-06 22:12:16 +11:00
Anton Blanchard 53ecde0b91 powerpc/powernv: Increase memory block size to 1GB on radix
Memory hot unplug on PowerNV radix hosts is broken. Our memory block
size is 256MB but since we map the linear region with very large
pages, each pte we tear down maps 1GB.

A hot unplug of one 256MB memory block results in 768MB of memory
getting unintentionally unmapped. At this point we are likely to oops.

Fix this by increasing our memory block size to 1GB on PowerNV radix
hosts.

Fixes: 4b5d62ca17 ("powerpc/mm: add radix__remove_section_mapping()")
Cc: stable@vger.kernel.org # v4.11+
Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-06 15:50:45 +11:00
Dan Carpenter 1561b3266e selftests/net: rxtimestamp: Fix an off by one
The > should be >= so that we don't write one element beyond the end of
the array.

Fixes: 16e7812241 ("selftests/net: Add a test to validate behavior of rx timestamps")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-05 21:28:53 -07:00
Dave Airlie baf7c1f7e8 Merge tag 'drm-misc-fixes-2017-10-05' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes
One bugfix in sun4i for 4.14

* tag 'drm-misc-fixes-2017-10-05' of git://anongit.freedesktop.org/git/drm-misc:
  drm/sun4i: hdmi: Disable clks in bind function error path and unbind function
2017-10-06 11:09:47 +10:00