1. 23 Nov, 2016 24 commits
  2. 22 Nov, 2016 12 commits
    • Linus Torvalds's avatar
      Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · 23400ac9
      Linus Torvalds authored
      Pull thermal management fix from Zhang Rui:
       "We only have one urgent fix this time.
      
        Commit 3105f234 ("thermal/powerclamp: correct cpu support check"),
        which is shipped in 4.9-rc3, fixed a problem introduced by commit
        b721ca0d ("thermal/powerclamp: remove cpu whitelist").
      
        But unfortunately, it broke intel_powerclamp driver module auto-
        loading at the same time. Thus we need this change to add back module
        auto-loading for 4.9"
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        thermal/powerclamp: add back module device table
      23400ac9
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · b66c08ba
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two small fixes.
      
        One prevents timeouts on mpt3sas when trying to use the secure erase
        protocol which causes the erase protocol to be aborted. The second is
        a regression in a prior fix which causes all commands to abort during
        PCI extended error recovery, which is incorrect because PCI EEH is
        independent from what's happening on the FC transport"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: do not abort all commands in the adapter during EEH recovery
        scsi: mpt3sas: Fix secure erase premature termination
      b66c08ba
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 57527ed1
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A handful of driver fixes.
      
        The sunxi fixes are for an incorrect clk tree configuration and a bad
        frequency calculation. The other two are fixes for passing the wrong
        pointer in drivers recently converted to clk_hw style registration"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: efm32gg: Pass correct type to hw provider registration
        clk: berlin: Pass correct type to hw provider registration
        clk: sunxi: Fix M factor computation for APB1
        clk: sunxi-ng: sun6i-a31: Force AHB1 clock to use PLL6 as parent
      57527ed1
    • Linus Torvalds's avatar
      Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 000b8949
      Linus Torvalds authored
      Pull scheduler fixes from Ingo Molnar:
       "Two fixes for autogroup scheduling, for races when turning the feature
        on/off via /proc/sys/kernel/sched_autogroup_enabled"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/autogroup: Do not use autogroup->tg in zombie threads
        sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task()
      000b8949
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 7cfc4317
      Linus Torvalds authored
      Pull x86 fixes from Ingo Molnar:
       "Misc fixes:
         - two fixes to make (very) old Intel CPUs boot reliably
         - fix the intel-mid driver and rename it
         - two KASAN false positive fixes
         - an FPU fix
         - two sysfb fixes
         - two build fixes related to new toolchain versions"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/platform/intel-mid: Rename platform_wdt to platform_mrfld_wdt
        x86/build: Build compressed x86 kernels as PIE when !CONFIG_RELOCATABLE as well
        x86/platform/intel-mid: Register watchdog device after SCU
        x86/fpu: Fix invalid FPU ptrace state after execve()
        x86/boot: Fail the boot if !M486 and CPUID is missing
        x86/traps: Ignore high word of regs->cs in early_fixup_exception()
        x86/dumpstack: Prevent KASAN false positive warnings
        x86/unwind: Prevent KASAN false positive warnings in guess unwinder
        x86/boot: Avoid warning for zero-filling .bss
        x86/sysfb: Fix lfb_size calculation
        x86/sysfb: Add support for 64bit EFI lfb_base
      7cfc4317
    • Peter Zijlstra's avatar
      perf/x86/intel/uncore: Allow only a single PMU/box within an events group · 033ac60c
      Peter Zijlstra authored
      Group validation expects all events to be of the same PMU; however
      is_uncore_pmu() is too wide, it matches _all_ uncore events, even
      across PMUs.
      
      This triggers failure when we group different events from different
      uncore PMUs, like:
      
        perf stat -vv -e '{uncore_cbox_0/config=0x0334/,uncore_qpi_0/event=1/}' -a sleep 1
      
      Fix is_uncore_pmu() by only matching events to the box at hand.
      
      Note that generic code; ran after this step; will disallow this
      mixture of PMU events.
      Reported-by: default avatarJiri Olsa <jolsa@redhat.com>
      Tested-by: default avatarJiri Olsa <jolsa@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vince@deater.net>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Link: http://lkml.kernel.org/r/20161118125354.GQ3117@twins.programming.kicks-ass.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      033ac60c
    • Peter Zijlstra's avatar
      perf/x86/intel: Cure bogus unwind from PEBS entries · b8000586
      Peter Zijlstra authored
      Vince Weaver reported that perf_fuzzer + KASAN detects that PEBS event
      unwinds sometimes do 'weird' things. In particular, we seemed to be
      ending up unwinding from random places on the NMI stack.
      
      While it was somewhat expected that the event record BP,SP would not
      match the interrupt BP,SP in that the interrupt is strictly later than
      the record event, it was overlooked that it could be on an already
      overwritten stack.
      
      Therefore, don't copy the recorded BP,SP over the interrupted BP,SP
      when we need stack unwinds.
      
      Note that its still possible the unwind doesn't full match the actual
      event, as its entirely possible to have done an (I)RET between record
      and interrupt, but on average it should still point in the general
      direction of where the event came from. Also, it's the best we can do,
      considering.
      
      The particular scenario that triggered the bogus NMI stack unwind was
      a PEBS event with very short period, upon enabling the event at the
      tail of the PMI handler (FREEZE_ON_PMI is not used), it instantly
      triggers a record (while still on the NMI stack) which in turn
      triggers the next PMI. This then causes back-to-back NMIs and we'll
      try and unwind the stack-frame from the last NMI, which obviously is
      now overwritten by our own.
      Analyzed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Reported-by: default avatarVince Weaver <vincent.weaver@maine.edu>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@gmail.com>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: davej@codemonkey.org.uk <davej@codemonkey.org.uk>
      Cc: dvyukov@google.com <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: ca037701 ("perf, x86: Add PEBS infrastructure")
      Link: http://lkml.kernel.org/r/20161117171731.GV3157@twins.programming.kicks-ass.netSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      b8000586
    • Johannes Weiner's avatar
      perf/x86: Restore TASK_SIZE check on frame pointer · ae31fe51
      Johannes Weiner authored
      The following commit:
      
        75925e1a ("perf/x86: Optimize stack walk user accesses")
      
      ... switched from copy_from_user_nmi() to __copy_from_user_nmi() with a manual
      access_ok() check.
      
      Unfortunately, copy_from_user_nmi() does an explicit check against TASK_SIZE,
      whereas the access_ok() uses whatever the current address limit of the task is.
      
      We are getting NMIs when __probe_kernel_read() has switched to KERNEL_DS, and
      then see vmalloc faults when we access what looks like pointers into vmalloc
      space:
      
        [] WARNING: CPU: 3 PID: 3685731 at arch/x86/mm/fault.c:435 vmalloc_fault+0x289/0x290
        [] CPU: 3 PID: 3685731 Comm: sh Tainted: G        W       4.6.0-5_fbk1_223_gdbf0f40 #1
        [] Call Trace:
        []  <NMI>  [<ffffffff814717d1>] dump_stack+0x4d/0x6c
        []  [<ffffffff81076e43>] __warn+0xd3/0xf0
        []  [<ffffffff81076f2d>] warn_slowpath_null+0x1d/0x20
        []  [<ffffffff8104a899>] vmalloc_fault+0x289/0x290
        []  [<ffffffff8104b5a0>] __do_page_fault+0x330/0x490
        []  [<ffffffff8104b70c>] do_page_fault+0xc/0x10
        []  [<ffffffff81794e82>] page_fault+0x22/0x30
        []  [<ffffffff81006280>] ? perf_callchain_user+0x100/0x2a0
        []  [<ffffffff8115124f>] get_perf_callchain+0x17f/0x190
        []  [<ffffffff811512c7>] perf_callchain+0x67/0x80
        []  [<ffffffff8114e750>] perf_prepare_sample+0x2a0/0x370
        []  [<ffffffff8114e840>] perf_event_output+0x20/0x60
        []  [<ffffffff8114aee7>] ? perf_event_update_userpage+0xc7/0x130
        []  [<ffffffff8114ea01>] __perf_event_overflow+0x181/0x1d0
        []  [<ffffffff8114f484>] perf_event_overflow+0x14/0x20
        []  [<ffffffff8100a6e3>] intel_pmu_handle_irq+0x1d3/0x490
        []  [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
        []  [<ffffffff81197191>] ? vunmap_page_range+0x1a1/0x2f0
        []  [<ffffffff811972f1>] ? unmap_kernel_range_noflush+0x11/0x20
        []  [<ffffffff814f2056>] ? ghes_copy_tofrom_phys+0x116/0x1f0
        []  [<ffffffff81040d1d>] ? x2apic_send_IPI_self+0x1d/0x20
        []  [<ffffffff8100411d>] perf_event_nmi_handler+0x2d/0x50
        []  [<ffffffff8101ea31>] nmi_handle+0x61/0x110
        []  [<ffffffff8101ef94>] default_do_nmi+0x44/0x110
        []  [<ffffffff8101f13b>] do_nmi+0xdb/0x150
        []  [<ffffffff81795187>] end_repeat_nmi+0x1a/0x1e
        []  [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
        []  [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
        []  [<ffffffff8147daf7>] ? copy_user_enhanced_fast_string+0x7/0x10
        []  <<EOE>>  <IRQ>  [<ffffffff8115d05e>] ? __probe_kernel_read+0x3e/0xa0
      
      Fix this by moving the valid_user_frame() check to before the uaccess
      that loads the return address and the pointer to the next frame.
      Signed-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: linux-kernel@vger.kernel.org
      Fixes: 75925e1a ("perf/x86: Optimize stack walk user accesses")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      ae31fe51
    • Oleg Nesterov's avatar
      sched/autogroup: Do not use autogroup->tg in zombie threads · 8e5bfa8c
      Oleg Nesterov authored
      Exactly because for_each_thread() in autogroup_move_group() can't see it
      and update its ->sched_task_group before _put() and possibly free().
      
      So the exiting task needs another sched_move_task() before exit_notify()
      and we need to re-introduce the PF_EXITING (or similar) check removed by
      the previous change for another reason.
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: hartsjc@redhat.com
      Cc: vbendel@redhat.com
      Cc: vlovejoy@redhat.com
      Link: http://lkml.kernel.org/r/20161114184612.GA15968@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      8e5bfa8c
    • Oleg Nesterov's avatar
      sched/autogroup: Fix autogroup_move_group() to never skip sched_move_task() · 18f649ef
      Oleg Nesterov authored
      The PF_EXITING check in task_wants_autogroup() is no longer needed. Remove
      it, but see the next patch.
      
      However the comment is correct in that autogroup_move_group() must always
      change task_group() for every thread so the sysctl_ check is very wrong;
      we can race with cgroups and even sys_setsid() is not safe because a task
      running with task_group() == ag->tg must participate in refcounting:
      
      	int main(void)
      	{
      		int sctl = open("/proc/sys/kernel/sched_autogroup_enabled", O_WRONLY);
      
      		assert(sctl > 0);
      		if (fork()) {
      			wait(NULL); // destroy the child's ag/tg
      			pause();
      		}
      
      		assert(pwrite(sctl, "1\n", 2, 0) == 2);
      		assert(setsid() > 0);
      		if (fork())
      			pause();
      
      		kill(getppid(), SIGKILL);
      		sleep(1);
      
      		// The child has gone, the grandchild runs with kref == 1
      		assert(pwrite(sctl, "0\n", 2, 0) == 2);
      		assert(setsid() > 0);
      
      		// runs with the freed ag/tg
      		for (;;)
      			sleep(1);
      
      		return 0;
      	}
      
      crashes the kernel. It doesn't really need sleep(1), it doesn't matter if
      autogroup_move_group() actually frees the task_group or this happens later.
      Reported-by: default avatarVern Lovejoy <vlovejoy@redhat.com>
      Signed-off-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: hartsjc@redhat.com
      Cc: vbendel@redhat.com
      Link: http://lkml.kernel.org/r/20161114184609.GA15965@redhat.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      18f649ef
    • Herbert Xu's avatar
      crypto: scatterwalk - Remove unnecessary aliasing check in map_and_copy · c8467f7a
      Herbert Xu authored
      The aliasing check in map_and_copy is no longer necessary because
      the IPsec ESP code no longer provides an IV that points into the
      actual request data.  As this check is now triggering BUG checks
      due to the vmalloced stack code, I'm removing it.
      Reported-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c8467f7a
    • Herbert Xu's avatar
      crypto: algif_hash - Fix result clobbering in recvmsg · 8acf7a10
      Herbert Xu authored
      Recently an init call was added to hash_recvmsg so as to reset
      the hash state in case a sendmsg call was never made.
      
      Unfortunately this ended up clobbering the result if the previous
      sendmsg was done with a MSG_MORE flag.  This patch fixes it by
      excluding that case when we make the init call.
      
      Fixes: a8348bca ("algif_hash - Fix NULL hash crash with shash")
      Reported-by: default avatarPatrick Steinhardt <ps@pks.im>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      8acf7a10
  3. 21 Nov, 2016 4 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 3b404a51
      Linus Torvalds authored
      Pull apparmor bugfix from James Morris:
       "This has a fix for a policy replacement bug that is fairly serious for
        apache mod_apparmor users, as it results in the wrong policy being
        applied on an network facing service"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        apparmor: fix change_hat not finding hat after policy replacement
      3b404a51
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · 8d1a2408
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) With modern networking cards we can run out of 32-bit DMA space, so
          support 64-bit DMA addressing when possible on sparc64. From Dave
          Tushar.
      
       2) Some signal frame validation checks are inverted on sparc32, fix
          from Andreas Larsson.
      
       3) Lockdep tables can get too large in some circumstances on sparc64,
          add a way to adjust the size a bit. From Babu Moger.
      
       4) Fix NUMA node probing on some sun4v systems, from Thomas Tai.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc: drop duplicate header scatterlist.h
        lockdep: Limit static allocations if PROVE_LOCKING_SMALL is defined
        config: Adding the new config parameter CONFIG_PROVE_LOCKING_SMALL for sparc
        sunbmac: Fix compiler warning
        sunqe: Fix compiler warnings
        sparc64: Enable 64-bit DMA
        sparc64: Enable sun4v dma ops to use IOMMU v2 APIs
        sparc64: Bind PCIe devices to use IOMMU v2 service
        sparc64: Initialize iommu_map_table and iommu_pool
        sparc64: Add ATU (new IOMMU) support
        sparc64: Add FORCE_MAX_ZONEORDER and default to 13
        sparc64: fix compile warning section mismatch in find_node()
        sparc32: Fix inverted invalid_frame_pointer checks on sigreturns
        sparc64: Fix find_node warning if numa node cannot be found
      8d1a2408
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 27e7ab99
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Clear congestion control state when changing algorithms on an
          existing socket, from Florian Westphal.
      
       2) Fix register bit values in altr_tse_pcs portion of stmmac driver,
          from Jia Jie Ho.
      
       3) Fix PTP handling in stammc driver for GMAC4, from Giuseppe
          CAVALLARO.
      
       4) Fix udplite multicast delivery handling, it ignores the udp_table
          parameter passed into the lookups, from Pablo Neira Ayuso.
      
       5) Synchronize the space estimated by rtnl_vfinfo_size and the space
          actually used by rtnl_fill_vfinfo. From Sabrina Dubroca.
      
       6) Fix memory leak in fib_info when splitting nodes, from Alexander
          Duyck.
      
       7) If a driver does a napi_hash_del() explicitily and not via
          netif_napi_del(), it must perform RCU synchronization as needed. Fix
          this in virtio-net and bnxt drivers, from Eric Dumazet.
      
       8) Likewise, it is not necessary to invoke napi_hash_del() is we are
          also doing neif_napi_del() in the same code path. Remove such calls
          from be2net and cxgb4 drivers, also from Eric Dumazet.
      
       9) Don't allocate an ID in peernet2id_alloc() if the netns is dead,
          from WANG Cong.
      
      10) Fix OF node and device struct leaks in of_mdio, from Johan Hovold.
      
      11) We cannot cache routes in ip6_tunnel when using inherited traffic
          classes, from Paolo Abeni.
      
      12) Fix several crashes and leaks in cpsw driver, from Johan Hovold.
      
      13) Splice operations cannot use freezable blocking calls in AF_UNIX,
          from WANG Cong.
      
      14) Link dump filtering by master device and kind support added an error
          in loop index updates during the dump if we actually do filter, fix
          from Zhang Shengju.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
        tcp: zero ca_priv area when switching cc algorithms
        net: l2tp: Treat NET_XMIT_CN as success in l2tp_eth_dev_xmit
        ethernet: stmmac: make DWMAC_STM32 depend on it's associated SoC
        tipc: eliminate obsolete socket locking policy description
        rtnl: fix the loop index update error in rtnl_dump_ifinfo()
        l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
        net: macb: add check for dma mapping error in start_xmit()
        rtnetlink: fix FDB size computation
        netns: fix get_net_ns_by_fd(int pid) typo
        af_unix: conditionally use freezable blocking calls in read
        net: ethernet: ti: cpsw: fix fixed-link phy probe deferral
        net: ethernet: ti: cpsw: add missing sanity check
        net: ethernet: ti: cpsw: fix secondary-emac probe error path
        net: ethernet: ti: cpsw: fix of_node and phydev leaks
        net: ethernet: ti: cpsw: fix deferred probe
        net: ethernet: ti: cpsw: fix mdio device reference leak
        net: ethernet: ti: cpsw: fix bad register access in probe error path
        net: sky2: Fix shutdown crash
        cfg80211: limit scan results cache size
        net sched filters: pass netlink message flags in event notification
        ...
      27e7ab99
    • Florian Westphal's avatar
      tcp: zero ca_priv area when switching cc algorithms · 7082c5c3
      Florian Westphal authored
      We need to zero out the private data area when application switches
      connection to different algorithm (TCP_CONGESTION setsockopt).
      
      When congestion ops get assigned at connect time everything is already
      zeroed because sk_alloc uses GFP_ZERO flag.  But in the setsockopt case
      this contains whatever previous cc placed there.
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7082c5c3