1. 30 Sep, 2016 40 commits
    • James Morse's avatar
      PM / hibernate: Fix rtree_next_node() to avoid walking off list ends · 630acdbb
      James Morse authored
      commit 924d8696 upstream.
      
      rtree_next_node() walks the linked list of leaf nodes to find the next
      block of pages in the struct memory_bitmap. If it walks off the end of
      the list of nodes, it walks the list of memory zones to find the next
      region of memory. If it walks off the end of the list of zones, it
      returns false.
      
      This leaves the struct bm_position's node and zone pointers pointing
      at their respective struct list_heads in struct mem_zone_bm_rtree.
      
      memory_bm_find_bit() uses struct bm_position's node and zone pointers
      to avoid walking lists and trees if the next bit appears in the same
      node/zone. It handles these values being stale.
      
      Swap rtree_next_node()s 'step then test' to 'test-next then step',
      this means if we reach the end of memory we return false and leave
      the node and zone pointers as they were.
      
      This fixes a panic on resume using AMD Seattle with 64K pages:
      [    6.868732] Freezing user space processes ... (elapsed 0.000 seconds) done.
      [    6.875753] Double checking all user space processes after OOM killer disable... (elapsed 0.000 seconds)
      [    6.896453] PM: Using 3 thread(s) for decompression.
      [    6.896453] PM: Loading and decompressing image data (5339 pages)...
      [    7.318890] PM: Image loading progress:   0%
      [    7.323395] Unable to handle kernel paging request at virtual address 00800040
      [    7.330611] pgd = ffff000008df0000
      [    7.334003] [00800040] *pgd=00000083fffe0003, *pud=00000083fffe0003, *pmd=00000083fffd0003, *pte=0000000000000000
      [    7.344266] Internal error: Oops: 96000005 [#1] PREEMPT SMP
      [    7.349825] Modules linked in:
      [    7.352871] CPU: 2 PID: 1 Comm: swapper/0 Tainted: G        W I     4.8.0-rc1 #4737
      [    7.360512] Hardware name: AMD Overdrive/Supercharger/Default string, BIOS ROD1002C 04/08/2016
      [    7.369109] task: ffff8003c0220000 task.stack: ffff8003c0280000
      [    7.375020] PC is at set_bit+0x18/0x30
      [    7.378758] LR is at memory_bm_set_bit+0x24/0x30
      [    7.383362] pc : [<ffff00000835bbc8>] lr : [<ffff0000080faf18>] pstate: 60000045
      [    7.390743] sp : ffff8003c0283b00
      [    7.473551]
      [    7.475031] Process swapper/0 (pid: 1, stack limit = 0xffff8003c0280020)
      [    7.481718] Stack: (0xffff8003c0283b00 to 0xffff8003c0284000)
      [    7.800075] Call trace:
      [    7.887097] [<ffff00000835bbc8>] set_bit+0x18/0x30
      [    7.891876] [<ffff0000080fb038>] duplicate_memory_bitmap.constprop.38+0x54/0x70
      [    7.899172] [<ffff0000080fcc40>] snapshot_write_next+0x22c/0x47c
      [    7.905166] [<ffff0000080fe1b4>] load_image_lzo+0x754/0xa88
      [    7.910725] [<ffff0000080ff0a8>] swsusp_read+0x144/0x230
      [    7.916025] [<ffff0000080fa338>] load_image_and_restore+0x58/0x90
      [    7.922105] [<ffff0000080fa660>] software_resume+0x2f0/0x338
      [    7.927752] [<ffff000008083350>] do_one_initcall+0x38/0x11c
      [    7.933314] [<ffff000008b40cc0>] kernel_init_freeable+0x14c/0x1ec
      [    7.939395] [<ffff0000087ce564>] kernel_init+0x10/0xfc
      [    7.944520] [<ffff000008082e90>] ret_from_fork+0x10/0x40
      [    7.949820] Code: d2800022 8b400c21 f9800031 9ac32043 (c85f7c22)
      [    7.955909] ---[ end trace 0024a5986e6ff323 ]---
      [    7.960529] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Here struct mem_zone_bm_rtree's start_pfn has been returned instead of
      struct rtree_node's addr as the node/zone pointers are corrupt after
      we walked off the end of the lists during mark_unsafe_pages().
      
      This behaviour was exposed by commit 6dbecfd3 ("PM / hibernate:
      Simplify mark_unsafe_pages()"), which caused mark_unsafe_pages() to call
      duplicate_memory_bitmap(), which uses memory_bm_find_bit() after walking
      off the end of the memory bitmap.
      
      Fixes: 3a20cb17 (PM / Hibernate: Implement position keeping in radix tree)
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      [ rjw: Subject ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      630acdbb
    • Thomas Garnier's avatar
      PM / hibernate: Restore processor state before using per-CPU variables · b4707a78
      Thomas Garnier authored
      commit 62822e2e upstream.
      
      Restore the processor state before calling any other functions to
      ensure per-CPU variables can be used with KASLR memory randomization.
      
      Tracing functions use per-CPU variables (GS based on x86) and one was
      called just before restoring the processor state fully. It resulted
      in a double fault when both the tracing & the exception handler
      functions tried to use a per-CPU variable.
      
      Fixes: bb3632c6 (PM / sleep: trace events for suspend/resume)
      Reported-and-tested-by: default avatarBorislav Petkov <bp@suse.de>
      Reported-by: default avatarJiri Kosina <jikos@kernel.org>
      Tested-by: default avatarRafael J. Wysocki <rafael@kernel.org>
      Tested-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarThomas Garnier <thgarnie@google.com>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4707a78
    • Wei Yongjun's avatar
      libceph: fix return value check in alloc_msg_with_page_vector() · dab6c838
      Wei Yongjun authored
      commit c22e853a upstream.
      
      In case of error, the function ceph_alloc_page_vector() returns
      ERR_PTR() and never returns NULL. The NULL test in the return value
      check should be replaced with IS_ERR().
      
      Fixes: 19079203 ('libceph: support for sending notifies')
      Signed-off-by: default avatarWei Yongjun <weiyj.lk@gmail.com>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dab6c838
    • Phil Turnbull's avatar
      ceph: Correctly return NXIO errors from ceph_llseek · 0c157dba
      Phil Turnbull authored
      commit 955818cd upstream.
      
      ceph_llseek does not correctly return NXIO errors because the 'out' path
      always returns 'offset'.
      
      Fixes: 06222e49 ("fs: handle SEEK_HOLE/SEEK_DATA properly in all fs's that define their own llseek")
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarYan, Zheng <zyan@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0c157dba
    • Arnd Bergmann's avatar
      ceph: fix symbol versioning for ceph_monc_do_statfs · 6a8195b9
      Arnd Bergmann authored
      commit a0f2b652 upstream.
      
      The genksyms helper in the kernel cannot parse a type definition
      like "typeof(((type *)0)->keyfld)" that is used in the DEFINE_RB_FUNCS
      helper, causing the following EXPORT_SYMBOL() statement to be ignored
      when computing the crcs, and triggering a warning about this:
      
      WARNING: "ceph_monc_do_statfs" [fs/ceph/ceph.ko] has no CRC
      
      To work around the problem, we can rewrite the type to reference
      an undefined 'extern' symbol instead of a NULL pointer. This is
      evidently ok for genksyms, and it no longer complains about the
      line when calling it with 'genksyms -w'.
      
      I've looked briefly into extending genksyms instead, but it seems
      really hard to do. Jan Beulich introduced basic support for 'typeof'
      a while ago in dc533240 ("genksyms: fix typeof() handling"),
      but that is not sufficient for the expression we have here.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: fcd00b68 ("libceph: DEFINE_RB_FUNCS macro")
      Cc: Jan Beulich <jbeulich@suse.com>
      Cc: Michal Marek <mmarek@suse.cz>
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a8195b9
    • Ilya Dryomov's avatar
      libceph: add an ONSTACK initializer for oids · dcb3f832
      Ilya Dryomov authored
      commit 281dbe5d upstream.
      
      An on-stack oid in ceph_ioctl_get_dataloc() is not initialized,
      resulting in a WARN and a NULL pointer dereference later on.  We will
      have more of these on-stack in the future, so fix it with a convenience
      macro.
      
      Fixes: d30291b9 ("libceph: variable-sized ceph_object_id")
      Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcb3f832
    • Matt Fleming's avatar
      x86/mm/pat: Prevent hang during boot when mapping pages · 453e10c4
      Matt Fleming authored
      commit e535ec08 upstream.
      
      There's a mixture of signed 32-bit and unsigned 32-bit and 64-bit data
      types used for keeping track of how many pages have been mapped.
      
      This leads to hangs during boot when mapping large numbers of pages
      (multiple terabytes, as reported by Waiman) because those values are
      interpreted as being negative.
      
      commit 74256377 ("x86/mm/pat: Avoid truncation when converting
      cpa->numpages to address") fixed one of those bugs, but there is
      another lurking in __change_page_attr_set_clr().
      
      Additionally, the return value type for the populate_*() functions can
      return negative values when a large number of pages have been mapped,
      triggering the error paths even though no error occurred.
      
      Consistently use 64-bit types on 64-bit platforms when counting pages.
      Even in the signed case this gives us room for regions 8PiB
      (pebibytes) in size whilst still allowing the usual negative value
      error checking idiom.
      Reported-by: default avatarWaiman Long <waiman.long@hpe.com>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Scott J Norton <scott.norton@hpe.com>
      Cc: Douglas Hatch <doug.hatch@hpe.com>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      453e10c4
    • Matt Redfearn's avatar
      MIPS: paravirt: Fix undefined reference to smp_bootstrap · 16aef6c2
      Matt Redfearn authored
      commit 951c39cd upstream.
      
      If the paravirt machine is compiles without CONFIG_SMP, the following
      linker error occurs
      
      arch/mips/kernel/head.o: In function `kernel_entry':
      (.ref.text+0x10): undefined reference to `smp_bootstrap'
      
      due to the kernel entry macro always including SMP startup code.
      Wrap this code in CONFIG_SMP to fix the error.
      Signed-off-by: default avatarMatt Redfearn <matt.redfearn@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/14212/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16aef6c2
    • Huacai Chen's avatar
      MIPS: Add a missing ".set pop" in an early commit · 40128587
      Huacai Chen authored
      commit 3cbc6fc9 upstream.
      
      Commit 842dfc11 ("MIPS: Fix build with binutils 2.24.51+") missing
      a ".set pop" in macro fpu_restore_16even, so add it.
      Signed-off-by: default avatarHuacai Chen <chenhc@lemote.com>
      Acked-by: default avatarManuel Lauss <manuel.lauss@gmail.com>
      Cc: Steven J . Hill <Steven.Hill@caviumnetworks.com>
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14210/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40128587
    • Marcin Nowakowski's avatar
      MIPS: Avoid a BUG warning during prctl(PR_SET_FP_MODE, ...) · 519e0ff1
      Marcin Nowakowski authored
      commit b244614a upstream.
      
      cpu_has_fpu macro uses smp_processor_id() and is currently executed
      with preemption enabled, that triggers the warning at runtime.
      
      It is assumed throughout the kernel that if any CPU has an FPU, then all
      CPUs would have an FPU as well, so it is safe to perform the check with
      preemption enabled - change the code to use raw_ variant of the check to
      avoid the warning.
      Signed-off-by: default avatarMarcin Nowakowski <marcin.nowakowski@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14125/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      519e0ff1
    • Paul Burton's avatar
      MIPS: Remove compact branch policy Kconfig entries · 1f13018d
      Paul Burton authored
      commit b03c1e3b upstream.
      
      Commit c1a0e9bc ("MIPS: Allow compact branch policy to be changed")
      added Kconfig entries allowing for the compact branch policy used by the
      compiler for MIPSr6 kernels to be specified. This can be useful for
      debugging, particularly in systems where compact branches have recently
      been introduced.
      
      Unfortunately mainline gcc 5.x supports MIPSr6 but not the
      -mcompact-branches compiler flag, leading to MIPSr6 kernels failing to
      build with gcc 5.x with errors such as:
      
        mipsel-linux-gnu-gcc: error: unrecognized command line option '-mcompact-branches=optimal'
        make[2]: *** [kernel/bounds.s] Error 1
      
      Fixing this by hiding the Kconfig entry behind another seems to be more
      hassle than it's worth, as MIPSr6 & compact branches have been around
      for a while now and if policy does need to be set for debug it can be
      done easily enough with KCFLAGS. Therefore remove the compact branch
      policy Kconfig entries & their handling in the Makefile.
      
      This reverts commit c1a0e9bc ("MIPS: Allow compact branch policy to
      be changed").
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Reported-by: default avatarkbuild test robot <fengguang.wu@intel.com>
      Fixes: c1a0e9bc ("MIPS: Allow compact branch policy to be changed")
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14241/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f13018d
    • James Hogan's avatar
      MIPS: vDSO: Fix Malta EVA mapping to vDSO page structs · 66f93fb3
      James Hogan authored
      commit 554af0c3 upstream.
      
      The page structures associated with the vDSO pages in the kernel image
      are calculated using virt_to_page(), which uses __pa() under the hood to
      find the pfn associated with the virtual address. The vDSO data pointers
      however point to kernel symbols, so __pa_symbol() should really be used
      instead.
      
      Since there is no equivalent to virt_to_page() which uses __pa_symbol(),
      fix init_vdso_image() to work directly with pfns, calculated with
      __phys_to_pfn(__pa_symbol(...)).
      
      This issue broke the Malta Enhanced Virtual Addressing (EVA)
      configuration which has a non-default implementation of __pa_symbol().
      This is because it uses a physical alias so that the kernel executes
      from KSeg0 (VA 0x80000000 -> PA 0x00000000), while RAM is provided to
      the kernel in the KUSeg range (VA 0x00000000 -> PA 0x80000000) which
      uses the same underlying RAM.
      
      Since there are no page structures associated with the low physical
      address region, some arbitrary kernel memory would be interpreted as a
      page structure for the vDSO pages and badness ensues.
      
      Fixes: ebb5e78c ("MIPS: Initial implementation of a VDSO")
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14229/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66f93fb3
    • Matt Redfearn's avatar
      MIPS: SMP: Fix possibility of deadlock when bringing CPUs online · 9ed2d4ac
      Matt Redfearn authored
      commit 8f46cca1 upstream.
      
      This patch fixes the possibility of a deadlock when bringing up
      secondary CPUs.
      The deadlock occurs because the set_cpu_online() is called before
      synchronise_count_slave(). This can cause a deadlock if the boot CPU,
      having scheduled another thread, attempts to send an IPI to the
      secondary CPU, which it sees has been marked online. The secondary is
      blocked in synchronise_count_slave() waiting for the boot CPU to enter
      synchronise_count_master(), but the boot cpu is blocked in
      smp_call_function_many() waiting for the secondary to respond to it's
      IPI request.
      
      Fix this by marking the CPU online in cpu_callin_map and synchronising
      counters before declaring the CPU online and calculating the maps for
      IPIs.
      Signed-off-by: default avatarMatt Redfearn <matt.redfearn@imgtec.com>
      Reported-by: default avatarJustin Chen <justinpopo6@gmail.com>
      Tested-by: default avatarJustin Chen <justinpopo6@gmail.com>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14302/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ed2d4ac
    • Paul Burton's avatar
      MIPS: Fix pre-r6 emulation FPU initialisation · 24a465cc
      Paul Burton authored
      commit 7e956304 upstream.
      
      In the mipsr2_decoder() function, used to emulate pre-MIPSr6
      instructions that were removed in MIPSr6, the init_fpu() function is
      called if a removed pre-MIPSr6 floating point instruction is the first
      floating point instruction used by the task. However, init_fpu()
      performs varous actions that rely upon not being migrated. For example
      in the most basic case it sets the coprocessor 0 Status.CU1 bit to
      enable the FPU & then loads FP register context into the FPU registers.
      If the task were to migrate during this time, it may end up attempting
      to load FP register context on a different CPU where it hasn't set the
      CU1 bit, leading to errors such as:
      
          do_cpu invoked from kernel context![#2]:
          CPU: 2 PID: 7338 Comm: fp-prctl Tainted: G      D         4.7.0-00424-g49b0c82 #2
          task: 838e4000 ti: 88d38000 task.ti: 88d38000
          $ 0   : 00000000 00000001 ffffffff 88d3fef8
          $ 4   : 838e4000 88d38004 00000000 00000001
          $ 8   : 3400fc01 801f8020 808e9100 24000000
          $12   : dbffffff 807b69d8 807b0000 00000000
          $16   : 00000000 80786150 00400fc4 809c0398
          $20   : 809c0338 0040273c 88d3ff28 808e9d30
          $24   : 808e9d30 00400fb4
          $28   : 88d38000 88d3fe88 00000000 8011a2ac
          Hi    : 0040273c
          Lo    : 88d3ff28
          epc   : 80114178 _restore_fp+0x10/0xa0
          ra    : 8011a2ac mipsr2_decoder+0xd5c/0x1660
          Status: 1400fc03	KERNEL EXL IE
          Cause : 1080002c (ExcCode 0b)
          PrId  : 0001a920 (MIPS I6400)
          Modules linked in:
          Process fp-prctl (pid: 7338, threadinfo=88d38000, task=838e4000, tls=766527d0)
          Stack : 00000000 00000000 00000000 88d3fe98 00000000 00000000 809c0398 809c0338
          	  808e9100 00000000 88d3ff28 00400fc4 00400fc4 0040273c 7fb69e18 004a0000
          	  004a0000 004a0000 7664add0 8010de18 00000000 00000000 88d3fef8 88d3ff28
          	  808e9100 00000000 766527d0 8010e534 000c0000 85755000 8181d580 00000000
          	  00000000 00000000 004a0000 00000000 766527d0 7fb69e18 004a0000 80105c20
          	  ...
          Call Trace:
          [<80114178>] _restore_fp+0x10/0xa0
          [<8011a2ac>] mipsr2_decoder+0xd5c/0x1660
          [<8010de18>] do_ri+0x90/0x6b8
          [<80105c20>] ret_from_exception+0x0/0x10
      
      Fix this by disabling preemption around the call to init_fpu(), ensuring
      that it starts & completes on one CPU.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Fixes: b0a668fb ("MIPS: kernel: mips-r2-to-r6-emul: Add R2 emulator for MIPS R6")
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/14305/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24a465cc
    • Sudeep Holla's avatar
      i2c: qup: skip qup_i2c_suspend if the device is already runtime suspended · 4b37b0ca
      Sudeep Holla authored
      commit 331dcf42 upstream.
      
      If the i2c device is already runtime suspended, if qup_i2c_suspend is
      executed during suspend-to-idle or suspend-to-ram it will result in the
      following splat:
      
      WARNING: CPU: 3 PID: 1593 at drivers/clk/clk.c:476 clk_core_unprepare+0x80/0x90
      Modules linked in:
      
      CPU: 3 PID: 1593 Comm: bash Tainted: G        W       4.8.0-rc3 #14
      Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
      PC is at clk_core_unprepare+0x80/0x90
      LR is at clk_unprepare+0x28/0x40
      pc : [<ffff0000086eecf0>] lr : [<ffff0000086f0c58>] pstate: 60000145
      Call trace:
       clk_core_unprepare+0x80/0x90
       qup_i2c_disable_clocks+0x2c/0x68
       qup_i2c_suspend+0x10/0x20
       platform_pm_suspend+0x24/0x68
       ...
      
      This patch fixes the issue by executing qup_i2c_pm_suspend_runtime
      conditionally in qup_i2c_suspend.
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Reviewed-by: default avatarAndy Gross <andy.gross@linaro.org>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b37b0ca
    • Peter Rosin's avatar
      i2c: mux: pca954x: retry updating the mux selection on failure · 9bdb254d
      Peter Rosin authored
      commit 463e8f84 upstream.
      
      The cached value of the last selected channel prevents retries on the
      next call, even on failure to update the selected channel. Fix that.
      Signed-off-by: default avatarPeter Rosin <peda@axentia.se>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bdb254d
    • Yadi.hu's avatar
      i2c-eg20t: fix race between i2c init and interrupt enable · 90cc7b41
      Yadi.hu authored
      commit 371a0153 upstream.
      
      the eg20t driver call request_irq() function before the pch_base_address,
      base address of i2c controller's register, is assigned an effective value.
      
      there is one possible scenario that an interrupt which isn't inside eg20t
      arrives immediately after request_irq() is executed when i2c controller
      shares an interrupt number with others. since the interrupt handler
      pch_i2c_handler() has already active as shared action, it will be called
      and read its own register to determine if this interrupt is from itself.
      
      At that moment, since base address of i2c registers is not remapped
      in kernel space yet,so the INT handler will access an illegal address
      and then a error occurs.
      Signed-off-by: default avatarYadi.hu <yadi.hu@windriver.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90cc7b41
    • Paul Burton's avatar
      irqchip/mips-gic: Fix local interrupts · f8fea9dc
      Paul Burton authored
      commit e875bd66 upstream.
      
      Since the device hierarchy domain was added by commit c98c1822
      ("irqchip/mips-gic: Add device hierarchy domain"), GIC local interrupts
      have been broken.
      
      Users attempting to setup a per-cpu local IRQ, for example the GIC timer
      clock events code in drivers/clocksource/mips-gic-timer.c, the
      setup_percpu_irq function would refuse with -EINVAL because the GIC
      irqchip driver never called irq_set_percpu_devid so the
      IRQ_PER_CPU_DEVID flag was never set for the IRQ. This happens because
      irq_set_percpu_devid was being called from the gic_irq_domain_map
      function which is no longer called.
      
      Doing only that runs into further problems because gic_dev_domain_alloc
      set the struct irq_chip for all interrupts, local or shared, to
      gic_level_irq_controller despite that only being suitable for shared
      interrupts. The typical outcome of this is that gic_level_irq_controller
      callback functions are called for local interrupts, and then hwirq
      number calculations overflow & the driver ends up attempting to access
      some invalid register with an address calculated from an invalid hwirq
      number. Best case scenario is that this then leads to a bus error. This
      is fixed by abstracting the setup of the hwirq & chip to a new function
      gic_setup_dev_chip which is used by both the root GIC IRQ domain & the
      device domain.
      
      Finally, decoding local interrupts failed because gic_dev_domain_alloc
      only called irq_domain_alloc_irqs_parent for shared interrupts. Local
      ones were therefore never associated with hwirqs in the root GIC IRQ
      domain and the virq in gic_handle_local_int would always be 0. This is
      fixed by calling irq_domain_alloc_irqs_parent unconditionally & having
      gic_irq_domain_alloc handle both local & shared interrupts, which is
      easy due to the aforementioned abstraction of chip setup into
      gic_setup_dev_chip.
      
      This fixes use of the MIPS GIC timer for clock events, which has been
      broken since c98c1822 ("irqchip/mips-gic: Add device hierarchy
      domain") but hadn't been noticed due to a silent fallback to the MIPS
      coprocessor 0 count/compare clock events device.
      
      Fixes: c98c1822 ("irqchip/mips-gic: Add device hierarchy domain")
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160913165335.31389-1-paul.burton@imgtec.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f8fea9dc
    • Matt Fleming's avatar
      x86/efi: Only map RAM into EFI page tables if in mixed-mode · 39b47d37
      Matt Fleming authored
      commit 12976670 upstream.
      
      Waiman reported that booting with CONFIG_EFI_MIXED enabled on his
      multi-terabyte HP machine results in boot crashes, because the EFI
      region mapping functions loop forever while trying to map those
      regions describing RAM.
      
      While this patch doesn't fix the underlying hang, there's really no
      reason to map EFI_CONVENTIONAL_MEMORY regions into the EFI page tables
      when mixed-mode is not in use at runtime.
      Reported-by: default avatarWaiman Long <waiman.long@hpe.com>
      Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      CC: Theodore Ts'o <tytso@mit.edu>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Scott J Norton <scott.norton@hpe.com>
      Cc: Douglas Hatch <doug.hatch@hpe.com>
      Signed-off-by: default avatarMatt Fleming <matt@codeblueprint.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39b47d37
    • Jeff Mahoney's avatar
      btrfs: ensure that file descriptor used with subvol ioctls is a dir · eb06045e
      Jeff Mahoney authored
      commit 325c50e3 upstream.
      
      If the subvol/snapshot create/destroy ioctls are passed a regular file
      with execute permissions set, we'll eventually Oops while trying to do
      inode->i_op->lookup via lookup_one_len.
      
      This patch ensures that the file descriptor refers to a directory.
      
      Fixes: cb8e7090 (Btrfs: Fix subvolume creation locking rules)
      Fixes: 76dda93c (Btrfs: add snapshot/subvolume destroy ioctl)
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Signed-off-by: default avatarChris Mason <clm@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eb06045e
    • Johannes Berg's avatar
      nl80211: validate number of probe response CSA counters · e402ffde
      Johannes Berg authored
      commit ad5987b4 upstream.
      
      Due to an apparent copy/paste bug, the number of counters for the
      beacon configuration were checked twice, instead of checking the
      number of probe response counters. Fix this to check the number of
      probe response counters before parsing those.
      
      Fixes: 9a774c78 ("cfg80211: Support multiple CSA counters")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e402ffde
    • Beni Lev's avatar
      iwlwifi: mvm: update TX queue before making a copy of the skb · 29adc609
      Beni Lev authored
      commit 54c5ef2e upstream.
      
      Off-channel action frames (such as ANQP frames) must be sent either on
      the AUX queue or on the offchannel queue, otherwise the firmware will
      cause a SYSASSERT.
      
      In the current implementation, the queue to be used is correctly set in
      the original skb, but this is done after it is copied.  Thus the copy
      remains with the original, incorrect queue.
      
      Fix this by setting the queue in the original skb before copying it.
      
      Fixes: commit 5c08b0f5 ("iwlwifi: mvm: don't override the rate with the AMSDU len")
      Signed-off-by: default avatarBeni Lev <beni.lev@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29adc609
    • Marek Vasut's avatar
      net: can: ifi: Configure transmitter delay · 8c48d21d
      Marek Vasut authored
      commit 8d58790b upstream.
      
      Configure the transmitter delay register at +0x1c to correctly handle
      the CAN FD bitrate switch (BRS). This moves the SSP (secondary sample
      point) to a proper offset, so that the TDC mechanism works and won't
      generate error frames on the CAN link.
      Signed-off-by: default avatarMarek Vasut <marex@denx.de>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8c48d21d
    • Fabio Estevam's avatar
      can: flexcan: fix resume function · 68e864b4
      Fabio Estevam authored
      commit 4de349e7 upstream.
      
      On a imx6ul-pico board the following error is seen during system suspend:
      
      dpm_run_callback(): platform_pm_resume+0x0/0x54 returns -110
      PM: Device 2090000.flexcan failed to resume: error -110
      
      The reason for this suspend error is because when the CAN interface is not
      active the clocks are disabled and then flexcan_chip_enable() will
      always fail due to a timeout error.
      
      In order to fix this issue, only call flexcan_chip_enable/disable()
      when the CAN interface is active.
      
      Based on a patch from Dong Aisheng in the NXP kernel.
      Signed-off-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      68e864b4
    • Hugh Dickins's avatar
      mm: delete unnecessary and unsafe init_tlb_ubc() · 1d5617bf
      Hugh Dickins authored
      commit b385d21f upstream.
      
      init_tlb_ubc() looked unnecessary to me: tlb_ubc is statically
      initialized with zeroes in the init_task, and copied from parent to
      child while it is quiescent in arch_dup_task_struct(); so I went to
      delete it.
      
      But inserted temporary debug WARN_ONs in place of init_tlb_ubc() to
      check that it was always empty at that point, and found them firing:
      because memcg reclaim can recurse into global reclaim (when allocating
      biosets for swapout in my case), and arrive back at the init_tlb_ubc()
      in shrink_node_memcg().
      
      Resetting tlb_ubc.flush_required at that point is wrong: if the upper
      level needs a deferred TLB flush, but the lower level turns out not to,
      we miss a TLB flush.  But fortunately, that's the only part of the
      protocol that does not nest: with the initialization removed, cpumask
      collects bits from upper and lower levels, and flushes TLB when needed.
      
      Fixes: 72b252ae ("mm: send one IPI per CPU to TLB flush all entries after unmapping pages")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Acked-by: default avatarMel Gorman <mgorman@techsingularity.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d5617bf
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Move mutex to protect against resetting of seq data · 9092c241
      Steven Rostedt (Red Hat) authored
      commit 1245800c upstream.
      
      The iter->seq can be reset outside the protection of the mutex. So can
      reading of user data. Move the mutex up to the beginning of the function.
      
      Fixes: d7350c3f ("tracing/core: make the read callbacks reentrants")
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9092c241
    • Al Viro's avatar
      fix memory leaks in tracing_buffers_splice_read() · 09ae540c
      Al Viro authored
      commit 1ae2293d upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09ae540c
    • Johannes Berg's avatar
      mac80211: reject TSPEC TIDs (TSIDs) for aggregation · 22f591e2
      Johannes Berg authored
      commit 85d5313e upstream.
      
      Since mac80211 doesn't currently support TSIDs 8-15 which can
      only be used after QoS TSPEC negotiation (and not even after
      WMM negotiation), reject attempts to set up aggregation
      sessions for them, which might confuse drivers. In mac80211
      we do correctly handle that, but the TSIDs should never get
      used anyway, and drivers might not be able to handle it.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22f591e2
    • Arvind Yadav's avatar
      power: reset: hisi-reboot: Unmap region obtained by of_iomap · c11aadb9
      Arvind Yadav authored
      commit bae170ef upstream.
      
      Free memory mapping, if probe is not successful.
      
      Fixes: 4a9b3737 ("power: reset: move hisilicon reboot code")
      Signed-off-by: default avatarArvind Yadav <arvind.yadav.cs@gmail.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c11aadb9
    • Keerthy's avatar
      rtc: ds1307: Fix relying on reset value for weekday · 1c79cde5
      Keerthy authored
      commit e29385fa upstream.
      
      The reset value of weekday is 0x1. This is wrong since
      the reset values of the day/month/year make up to Jan 1 2001.
      When computed weekday comes out to be Monday. On a scale
      of 1-7(Sunday - Saturday) it should be 0x2. So we should not
      be relying on the reset value.
      
      Hence compute the wday using the current date/month/year values.
      Check if reset wday is any different from the computed wday,
      If different then set the wday which we computed using
      date/month/year values.
      
      Document Referred:
      http://ww1.microchip.com/downloads/en/DeviceDoc/20002266F.pdf
      
      Fixes: 1d1945d2 "drivers/rtc/rtc-ds1307.c: add alarm support for mcp7941x chips"
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Signed-off-by: default avatarAlexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c79cde5
    • John Youn's avatar
      reset: Return -ENOTSUPP when not configured · e7c5a957
      John Youn authored
      commit 168d7c4e upstream.
      
      Prior to commit 6c96f05c ("reset: Make [of_]reset_control_get[_foo]
      functions wrappers"), the "optional" functions returned -ENOTSUPP when
      CONFIG_RESET_CONTROLLER was not set.
      
      Revert back to the old behavior by changing the new
      __devm_reset_control_get() and __of_reset_control_get() functions to
      return ERR_PTR(-ENOTSUPP) when compiled without CONFIG_RESET_CONTROLLER.
      
      Otherwise they will return -EINVAL causing users to think that an error
      occurred when CONFIG_RESET_CONTROLLER is not set.
      
      Fixes: 6c96f05c ("reset: Make [of_]reset_control_get[_foo] functions wrappers")
      Signed-off-by: default avatarJohn Youn <johnyoun@synopsys.com>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7c5a957
    • Brian Norris's avatar
      mtd: spi-nor: fix wrong "fully unlocked" test · 16964b31
      Brian Norris authored
      commit 06586204 upstream.
      
      In stm_unlock(), the test to determine whether we've fully unlocked the
      flash checks for the lock length to be equal to the flash size. That is
      a typo/think-o -- the condition actually means the flash is completely
      *locked.* We should be using the inverse condition -- that the lock
      length is 0 (i.e., no protection).
      
      The result of this bug is that we never actually turn off the Status
      Register Write Disable bit, even if the flash is completely unlocked.
      Now we can.
      
      Fixes: 47b8edbf ("mtd: spi-nor: disallow further writes to SR if WP# is low")
      Reported-by: default avatarGiorgio <giorgio.nicole@arcor.de>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Cc: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16964b31
    • Dan Carpenter's avatar
      mtd: pmcmsp-flash: Allocating too much in init_msp_flash() · dc4773f9
      Dan Carpenter authored
      commit 79ad07d4 upstream.
      
      There is a cut and paste issue here.  The bug is that we are allocating
      more memory than necessary for msp_maps.  We should be allocating enough
      space for a map_info struct (144 bytes) but we instead allocate enough
      for an mtd_info struct (1840 bytes).  It's a small waste.
      
      The other part of this is not harmful but when we allocated msp_flash
      then we allocated enough space fro a map_info pointer instead of an
      mtd_info pointer.  But since pointers are the same size it works out
      fine.
      
      Anyway, I decided to clean up all three allocations a bit to make them
      a bit more consistent and clear.
      
      Fixes: 68aa0fa8 ('[MTD] PMC MSP71xx flash/rootfs mappings')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dc4773f9
    • Dan Carpenter's avatar
      mtd: maps: sa1100-flash: potential NULL dereference · 3f98badc
      Dan Carpenter authored
      commit dc01a28d upstream.
      
      We check for NULL but then dereference "info->mtd" on the next line.
      
      Fixes: 72169755 ('mtd: maps: sa1100-flash: show parent device in sysfs')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarBrian Norris <computersforpeace@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f98badc
    • Lothar Waßmann's avatar
      mtd: nand: mxc: fix obiwan error in mxc_nand_v[12]_ooblayout_free() functions · 753de51f
      Lothar Waßmann authored
      commit 38178e7b upstream.
      
      commit a894cf6c ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
      introduced a regression accessing the OOB area from the mxc_nand
      driver due to an Obiwan error in the mxc_nand_v[12]_ooblayout_free()
      functions. They report a bogus oobregion { 64, 7 } which leads to
      errors accessing bogus data when reading the oob area.
      
      Prior to the commit the mtd-oobtest module could be run without any
      errors. With the offending commit, this test fails with results like:
      |Running mtd-oobtest
      |
      |=================================================
      |mtd_oobtest: MTD device: 5
      |mtd_oobtest: MTD device size 524288, eraseblock size 131072, page size 2048, count of eraseblocks 4, pages per eraseblock 64, OOB size 64
      |mtd_test: scanning for bad eraseblocks
      |mtd_test: scanned 4 eraseblocks, 0 are bad
      |mtd_oobtest: test 1 of 5
      |mtd_oobtest: writing OOBs of whole device
      |mtd_oobtest: written up to eraseblock 0
      |mtd_oobtest: written 4 eraseblocks
      |mtd_oobtest: verifying all eraseblocks
      |mtd_oobtest: error @addr[0x0:0x19] 0x9a -> 0x78 diff 0xe2
      |mtd_oobtest: error @addr[0x0:0x1a] 0xcc -> 0x0 diff 0xcc
      |mtd_oobtest: error @addr[0x0:0x1b] 0xe0 -> 0x85 diff 0x65
      |mtd_oobtest: error @addr[0x0:0x1c] 0x60 -> 0x62 diff 0x2
      |mtd_oobtest: error @addr[0x0:0x1d] 0x69 -> 0x45 diff 0x2c
      |mtd_oobtest: error @addr[0x0:0x1e] 0xcd -> 0xa0 diff 0x6d
      |mtd_oobtest: error @addr[0x0:0x1f] 0xf2 -> 0x60 diff 0x92
      |mtd_oobtest: error: verify failed at 0x0
      [...]
      Signed-off-by: default avatarLothar Waßmann <LW@KARO-electronics.de>
      Fixes: a894cf6c ("mtd: nand: mxc: switch to mtd_ooblayout_ops")
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      753de51f
    • Phil Turnbull's avatar
      configfs: Return -EFBIG from configfs_write_bin_file. · 71b4a3c0
      Phil Turnbull authored
      commit 42857cf5 upstream.
      
      The check for writing more than cb_max_size bytes does not 'goto out' so
      it is a no-op which allows users to vmalloc an arbitrary amount.
      
      Fixes: 03607ace ("configfs: implement binary attributes")
      Signed-off-by: default avatarPhil Turnbull <phil.turnbull@oracle.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71b4a3c0
    • David Daney's avatar
      arm64: Call numa_store_cpu_info() earlier. · 84bba4be
      David Daney authored
      commit c18df0ad upstream.
      
      The wq_numa_init() function makes a private CPU to node map by calling
      cpu_to_node() early in the boot process, before the non-boot CPUs are
      brought online.  Since the default implementation of cpu_to_node()
      returns zero for CPUs that have never been brought online, the
      workqueue system's view is that *all* CPUs are on node zero.
      
      When the unbound workqueue for a non-zero node is created, the
      tsk_cpus_allowed() for the worker threads is the empty set because
      there are, in the view of the workqueue system, no CPUs on non-zero
      nodes.  The code in try_to_wake_up() using this empty cpumask ends up
      using the cpumask empty set value of NR_CPUS as an index into the
      per-CPU area pointer array, and gets garbage as it is one past the end
      of the array.  This results in:
      
      [    0.881970] Unable to handle kernel paging request at virtual address fffffb1008b926a4
      [    1.970095] pgd = fffffc00094b0000
      [    1.973530] [fffffb1008b926a4] *pgd=0000000000000000, *pud=0000000000000000, *pmd=0000000000000000
      [    1.982610] Internal error: Oops: 96000004 [#1] SMP
      [    1.987541] Modules linked in:
      [    1.990631] CPU: 48 PID: 295 Comm: cpuhp/48 Tainted: G        W       4.8.0-rc6-preempt-vol+ #9
      [    1.999435] Hardware name: Cavium ThunderX CN88XX board (DT)
      [    2.005159] task: fffffe0fe89cc300 task.stack: fffffe0fe8b8c000
      [    2.011158] PC is at try_to_wake_up+0x194/0x34c
      [    2.015737] LR is at try_to_wake_up+0x150/0x34c
      [    2.020318] pc : [<fffffc00080e7468>] lr : [<fffffc00080e7424>] pstate: 600000c5
      [    2.027803] sp : fffffe0fe8b8fb10
      [    2.031149] x29: fffffe0fe8b8fb10 x28: 0000000000000000
      [    2.036522] x27: fffffc0008c63bc8 x26: 0000000000001000
      [    2.041896] x25: fffffc0008c63c80 x24: fffffc0008bfb200
      [    2.047270] x23: 00000000000000c0 x22: 0000000000000004
      [    2.052642] x21: fffffe0fe89d25bc x20: 0000000000001000
      [    2.058014] x19: fffffe0fe89d1d00 x18: 0000000000000000
      [    2.063386] x17: 0000000000000000 x16: 0000000000000000
      [    2.068760] x15: 0000000000000018 x14: 0000000000000000
      [    2.074133] x13: 0000000000000000 x12: 0000000000000000
      [    2.079505] x11: 0000000000000000 x10: 0000000000000000
      [    2.084879] x9 : 0000000000000000 x8 : 0000000000000000
      [    2.090251] x7 : 0000000000000040 x6 : 0000000000000000
      [    2.095621] x5 : ffffffffffffffff x4 : 0000000000000000
      [    2.100991] x3 : 0000000000000000 x2 : 0000000000000000
      [    2.106364] x1 : fffffc0008be4c24 x0 : ffffff0ffffada80
      [    2.111737]
      [    2.113236] Process cpuhp/48 (pid: 295, stack limit = 0xfffffe0fe8b8c020)
      [    2.120102] Stack: (0xfffffe0fe8b8fb10 to 0xfffffe0fe8b90000)
      [    2.125914] fb00:                                   fffffe0fe8b8fb80 fffffc00080e7648
      .
      .
      .
      [    2.442859] Call trace:
      [    2.445327] Exception stack(0xfffffe0fe8b8f940 to 0xfffffe0fe8b8fa70)
      [    2.451843] f940: fffffe0fe89d1d00 0000040000000000 fffffe0fe8b8fb10 fffffc00080e7468
      [    2.459767] f960: fffffe0fe8b8f980 fffffc00080e4958 ffffff0ff91ab200 fffffc00080e4b64
      [    2.467690] f980: fffffe0fe8b8f9d0 fffffc00080e515c fffffe0fe8b8fa80 0000000000000000
      [    2.475614] f9a0: fffffe0fe8b8f9d0 fffffc00080e58e4 fffffe0fe8b8fa80 0000000000000000
      [    2.483540] f9c0: fffffe0fe8d10000 0000000000000040 fffffe0fe8b8fa50 fffffc00080e5ac4
      [    2.491465] f9e0: ffffff0ffffada80 fffffc0008be4c24 0000000000000000 0000000000000000
      [    2.499387] fa00: 0000000000000000 ffffffffffffffff 0000000000000000 0000000000000040
      [    2.507309] fa20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
      [    2.515233] fa40: 0000000000000000 0000000000000000 0000000000000000 0000000000000018
      [    2.523156] fa60: 0000000000000000 0000000000000000
      [    2.528089] [<fffffc00080e7468>] try_to_wake_up+0x194/0x34c
      [    2.533723] [<fffffc00080e7648>] wake_up_process+0x28/0x34
      [    2.539275] [<fffffc00080d3764>] create_worker+0x110/0x19c
      [    2.544824] [<fffffc00080d69dc>] alloc_unbound_pwq+0x3cc/0x4b0
      [    2.550724] [<fffffc00080d6bcc>] wq_update_unbound_numa+0x10c/0x1e4
      [    2.557066] [<fffffc00080d7d78>] workqueue_online_cpu+0x220/0x28c
      [    2.563234] [<fffffc00080bd288>] cpuhp_invoke_callback+0x6c/0x168
      [    2.569398] [<fffffc00080bdf74>] cpuhp_up_callbacks+0x44/0xe4
      [    2.575210] [<fffffc00080be194>] cpuhp_thread_fun+0x13c/0x148
      [    2.581027] [<fffffc00080dfbac>] smpboot_thread_fn+0x19c/0x1a8
      [    2.586929] [<fffffc00080dbd64>] kthread+0xdc/0xf0
      [    2.591776] [<fffffc0008083380>] ret_from_fork+0x10/0x50
      [    2.597147] Code: b00057e1 91304021 91005021 b8626822 (b8606821)
      [    2.603464] ---[ end trace 58c0cd36b88802bc ]---
      [    2.608138] Kernel panic - not syncing: Fatal exception
      
      Fix by moving call to numa_store_cpu_info() for all CPUs into
      smp_prepare_cpus(), which happens before wq_numa_init().  Since
      smp_store_cpu_info() now contains only a single function call,
      simplify by removing the function and out-lining its contents.
      Suggested-by: default avatarRobert Richter <rric@kernel.org>
      Fixes: 1a2db300 ("arm64, numa: Add NUMA support for arm64 platforms.")
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Reviewed-by: default avatarRobert Richter <rrichter@cavium.com>
      Tested-by: default avatarYisheng Xie <xieyisheng1@huawei.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84bba4be
    • Herbert Xu's avatar
      KEYS: Fix skcipher IV clobbering · f3edd9b2
      Herbert Xu authored
      commit 456bee98 upstream.
      
      The IV must not be modified by the skcipher operation so we need
      to duplicate it.
      
      Fixes: c3917fd9 ("KEYS: Use skcipher")
      Reported-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3edd9b2
    • Al Viro's avatar
      fix fault_in_multipages_...() on architectures with no-op access_ok() · 206d4c6c
      Al Viro authored
      commit e23d4159 upstream.
      
      Switching iov_iter fault-in to multipages variants has exposed an old
      bug in underlying fault_in_multipages_...(); they break if the range
      passed to them wraps around.  Normally access_ok() done by callers will
      prevent such (and it's a guaranteed EFAULT - ERR_PTR() values fall into
      such a range and they should not point to any valid objects).
      
      However, on architectures where userland and kernel live in different
      MMU contexts (e.g. s390) access_ok() is a no-op and on those a range
      with a wraparound can reach fault_in_multipages_...().
      
      Since any wraparound means EFAULT there, the fix is trivial - turn
      those
      
          while (uaddr <= end)
      	    ...
      into
      
          if (unlikely(uaddr > end))
      	    return -EFAULT;
          do
      	    ...
          while (uaddr <= end);
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Tested-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      206d4c6c
    • Johannes Weiner's avatar
      cgroup: duplicate cgroup reference when cloning sockets · 02d35700
      Johannes Weiner authored
      commit d979a39d upstream.
      
      When a socket is cloned, the associated sock_cgroup_data is duplicated
      but not its reference on the cgroup.  As a result, the cgroup reference
      count will underflow when both sockets are destroyed later on.
      
      Fixes: bd1060a1 ("sock, cgroup: add sock->sk_cgroup")
      Link: http://lkml.kernel.org/r/20160914194846.11153-2-hannes@cmpxchg.orgSigned-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Michal Hocko <mhocko@suse.cz>
      Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02d35700