1. 09 Sep, 2016 7 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · f4a9c169
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "I'm not proud of how long it took me to track down that one liner in
        btrfs_sync_log(), but the good news is the patches I was trying to
        blame for these problems were actually fine (sorry Filipe)"
      
      * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        btrfs: introduce tickets_id to determine whether asynchronous metadata reclaim work makes progress
        btrfs: remove root_log_ctx from ctx list before btrfs_sync_log returns
        btrfs: do not decrease bytes_may_use when replaying extents
      f4a9c169
    • Linus Torvalds's avatar
      Merge tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 067c2f47
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "We've got quite a few fixes at this time, and all are stable patches.
      
        syzkaller strikes back again (episode 19 or so), and we had to plug
        some holes in ALSA core part (mostly timer).
      
        In addition, a couple of FireWire audio fixes for the invalid copy
        user calls in locks, and a few quirks for HD-audio and USB-audio as
        usual are included"
      
      * tag 'sound-4.8-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: rawmidi: Fix possible deadlock with virmidi registration
        ALSA: timer: Fix zero-division by continue of uninitialized instance
        ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
        ALSA: fireworks: accessing to user space outside spinlock
        ALSA: firewire-tascam: accessing to user space outside spinlock
        ALSA: hda - Enable subwoofer on Dell Inspiron 7559
        ALSA: hda - Add headset mic quirk for Dell Inspiron 5468
        ALSA: usb-audio: Add sample rate inquiry quirk for B850V3 CP2114
        ALSA: timer: fix NULL pointer dereference on memory allocation failure
        ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
      067c2f47
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · e45eeb43
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - smp_mb__before_spinlock() changed to smp_mb() on arm64 since the
         generic definition to smp_wmb() is not sufficient
      
       - avoid a recursive loop with the graph tracer by using using
         preempt_(enable|disable)_notrace in _percpu_(read|write)
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: use preempt_disable_notrace in _percpu_read/write
        arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
      e45eeb43
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 2771fc8e
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Fixes marked for stable:
         - Don't alias user region to other regions below PAGE_OFFSET from
           Paul Mackerras
         - Fix again csum_partial_copy_generic() on 32-bit from Christophe
           Leroy
         - Fix corrupted PE allocation bitmap on releasing PE from Gavin Shan
      
        Fixes for code merged this cycle:
         - Fix crash on releasing compound PE from Gavin Shan
         - Fix processor numbers in OPAL ICP from Benjamin Herrenschmidt
         - Fix little endian build with CONFIG_KEXEC=n from Thiago Jung
           Bauermann"
      
      * tag 'powerpc-4.8-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
        powerpc/32: Fix again csum_partial_copy_generic()
        powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE
        powerpc/powernv: Fix crash on releasing compound PE
        powerpc/xics/opal: Fix processor numbers in OPAL ICP
        powerpc/pseries: Fix little endian build with CONFIG_KEXEC=n
      2771fc8e
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 53d5f1dc
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A few ARM fixes:
      
         - Robin Murphy noticed that the non-secure privileged entry was
           relying on undefined behaviour, which needed to be fixed.
      
         - Vladimir Murzin noticed that prov-v7 fails to build for MMUless
           configurations because a required header file wasn't included.
      
         - A bunch of fixes for StrongARM regressions found while testing
           4.8-rc on such platforms"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: sa1100: clear reset status prior to reboot
        ARM: 8600/1: Enforce some NS-SVC initialisation
        ARM: 8599/1: mm: pull asm/memory.h explicitly
        ARM: sa1100: register clocks early
        ARM: sa1100: fix 3.6864MHz clock
      53d5f1dc
    • Chunyan Zhang's avatar
      arm64: use preempt_disable_notrace in _percpu_read/write · 2b974344
      Chunyan Zhang authored
      When debug preempt or preempt tracer is enabled, preempt_count_add/sub()
      can be traced by function and function graph tracing, and
      preempt_disable/enable() would call preempt_count_add/sub(), so in Ftrace
      subsystem we should use preempt_disable/enable_notrace instead.
      
      In the commit 345ddcc8 ("ftrace: Have set_ftrace_pid use the bitmap
      like events do") the function this_cpu_read() was added to
      trace_graph_entry(), and if this_cpu_read() calls preempt_disable(), graph
      tracer will go into a recursive loop, even if the tracing_on is
      disabled.
      
      So this patch change to use preempt_enable/disable_notrace instead in
      this_cpu_read().
      
      Since Yonghui Yang helped a lot to find the root cause of this problem,
      so also add his SOB.
      Signed-off-by: default avatarYonghui Yang <mark.yang@spreadtrum.com>
      Signed-off-by: default avatarChunyan Zhang <zhang.chunyan@linaro.org>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      2b974344
    • Will Deacon's avatar
      arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb() · 872c63fb
      Will Deacon authored
      smp_mb__before_spinlock() is intended to upgrade a spin_lock() operation
      to a full barrier, such that prior stores are ordered with respect to
      loads and stores occuring inside the critical section.
      
      Unfortunately, the core code defines the barrier as smp_wmb(), which
      is insufficient to provide the required ordering guarantees when used in
      conjunction with our load-acquire-based spinlock implementation.
      
      This patch overrides the arm64 definition of smp_mb__before_spinlock()
      to map to a full smp_mb().
      
      Cc: <stable@vger.kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Reported-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      872c63fb
  2. 08 Sep, 2016 14 commits
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client · 711bef65
      Linus Torvalds authored
      Pull ceph fix from Ilya Dryomov:
       "A fix for a 4.7 performance regression, caused by a typo in an if
        condition"
      
      * tag 'ceph-for-4.8-rc6' of git://github.com/ceph/ceph-client:
        ceph: do not modify fi->frag in need_reset_readdir()
      711bef65
    • Linus Torvalds's avatar
      Merge branch 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging · acdfffb5
      Linus Torvalds authored
      Pull dmi fix from Jean Delvare.
      
      * 'dmi-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
        dmi-id: don't free dev structure after calling device_register
      acdfffb5
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · e8b3b45d
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "This is a slightly larger batch of fixes that we've been sitting on a
        few -rcs.  Most of them are simple oneliners, but there are two sets
        that are slightly larger and worth pointing out:
      
         - A set of patches to OMAP to deal with hwmod for RTC on am33xx
           (beaglebone SoC, among others).  It's the only clock that ever has
           a valid offset of 0, so a new flag needed introduction once this
           problem was discovered.
      
         - A collection of CCI fixes for performance counters discovered once
           people started using it on X-Gene CPUs"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (37 commits)
        arm-cci: pmu: Fix typo in event name
        Revert "ARM: tegra: fix erroneous address in dts"
        ARM: dts: imx6qdl: Fix SPDIF regression
        ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
        ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name
        ARM: dts: kirkwood: Fix PCIe label on OpenRD
        ARM: kirkwood: ib62x0: fix size of u-boot environment partition
        bus: arm-ccn: make event groups reliable
        bus: arm-ccn: fix hrtimer registration
        bus: arm-ccn: fix PMU interrupt flags
        ARM: tegra: Correct polarity for Tegra114 PMIC interrupt
        MAINTAINERS: add tree entry for ARM/UniPhier architecture
        ARM: sun5i: Fix typo in trip point temperature
        MAINTAINERS: Switch to kernel.org account for Krzysztof Kozlowski
        ARM: imx6ul: populates platform device at .init_machine
        bus: arm-ccn: Add missing event attribute exclusions for host/guest
        bus: arm-ccn: Correct required arguments for XP PMU events
        bus: arm-ccn: Fix XP watchpoint settings bitmask
        bus: arm-ccn: Do not attempt to configure XPs for cycle counter
        bus: arm-ccn: Fix PMU handling of MN
        ...
      e8b3b45d
    • Takashi Iwai's avatar
      ALSA: rawmidi: Fix possible deadlock with virmidi registration · 816f318b
      Takashi Iwai authored
      When a seq-virmidi driver is initialized, it registers a rawmidi
      instance with its callback to create an associated seq kernel client.
      Currently it's done throughly in rawmidi's register_mutex context.
      Recently it was found that this may lead to a deadlock another rawmidi
      device that is being attached with the sequencer is accessed, as both
      open with the same register_mutex.  This was actually triggered by
      syzkaller, as Dmitry Vyukov reported:
      
      ======================================================
       [ INFO: possible circular locking dependency detected ]
       4.8.0-rc1+ #11 Not tainted
       -------------------------------------------------------
       syz-executor/7154 is trying to acquire lock:
        (register_mutex#5){+.+.+.}, at: [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
      
       but task is already holding lock:
        (&grp->list_mutex){++++.+}, at: [<ffffffff850138bb>] check_and_subscribe_port+0x5b/0x5c0 sound/core/seq/seq_ports.c:495
      
       which lock already depends on the new lock.
      
       the existing dependency chain (in reverse order) is:
      
       -> #1 (&grp->list_mutex){++++.+}:
          [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
          [<ffffffff863f6199>] down_read+0x49/0xc0 kernel/locking/rwsem.c:22
          [<     inline     >] deliver_to_subscribers sound/core/seq/seq_clientmgr.c:681
          [<ffffffff85005c5e>] snd_seq_deliver_event+0x35e/0x890 sound/core/seq/seq_clientmgr.c:822
          [<ffffffff85006e96>] > snd_seq_kernel_client_dispatch+0x126/0x170 sound/core/seq/seq_clientmgr.c:2418
          [<ffffffff85012c52>] snd_seq_system_broadcast+0xb2/0xf0 sound/core/seq/seq_system.c:101
          [<ffffffff84fff70a>] snd_seq_create_kernel_client+0x24a/0x330 sound/core/seq/seq_clientmgr.c:2297
          [<     inline     >] snd_virmidi_dev_attach_seq sound/core/seq/seq_virmidi.c:383
          [<ffffffff8502d29f>] snd_virmidi_dev_register+0x29f/0x750 sound/core/seq/seq_virmidi.c:450
          [<ffffffff84fd208c>] snd_rawmidi_dev_register+0x30c/0xd40 sound/core/rawmidi.c:1645
          [<ffffffff84f816d3>] __snd_device_register.part.0+0x63/0xc0 sound/core/device.c:164
          [<     inline     >] __snd_device_register sound/core/device.c:162
          [<ffffffff84f8235d>] snd_device_register_all+0xad/0x110 sound/core/device.c:212
          [<ffffffff84f7546f>] snd_card_register+0xef/0x6c0 sound/core/init.c:749
          [<ffffffff85040b7f>] snd_virmidi_probe+0x3ef/0x590 sound/drivers/virmidi.c:123
          [<ffffffff833ebf7b>] platform_drv_probe+0x8b/0x170 drivers/base/platform.c:564
          ......
      
       -> #0 (register_mutex#5){+.+.+.}:
          [<     inline     >] check_prev_add kernel/locking/lockdep.c:1829
          [<     inline     >] check_prevs_add kernel/locking/lockdep.c:1939
          [<     inline     >] validate_chain kernel/locking/lockdep.c:2266
          [<ffffffff814791f4>] __lock_acquire+0x4d44/0x4d80 kernel/locking/lockdep.c:3335
          [<ffffffff8147a3a8>] lock_acquire+0x208/0x430 kernel/locking/lockdep.c:3746
          [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
          [<ffffffff863f0ef1>] mutex_lock_nested+0xb1/0xa20 kernel/locking/mutex.c:621
          [<ffffffff84fd6d4b>] snd_rawmidi_kernel_open+0x4b/0x260 sound/core/rawmidi.c:341
          [<ffffffff8502e7c7>] midisynth_subscribe+0xf7/0x350 sound/core/seq/seq_midi.c:188
          [<     inline     >] subscribe_port sound/core/seq/seq_ports.c:427
          [<ffffffff85013cc7>] check_and_subscribe_port+0x467/0x5c0 sound/core/seq/seq_ports.c:510
          [<ffffffff85015da9>] snd_seq_port_connect+0x2c9/0x500 sound/core/seq/seq_ports.c:579
          [<ffffffff850079b8>] snd_seq_ioctl_subscribe_port+0x1d8/0x2b0 sound/core/seq/seq_clientmgr.c:1480
          [<ffffffff84ffe9e4>] snd_seq_do_ioctl+0x184/0x1e0 sound/core/seq/seq_clientmgr.c:2225
          [<ffffffff84ffeae8>] snd_seq_kernel_client_ctl+0xa8/0x110 sound/core/seq/seq_clientmgr.c:2440
          [<ffffffff85027664>] snd_seq_oss_midi_open+0x3b4/0x610 sound/core/seq/oss/seq_oss_midi.c:375
          [<ffffffff85023d67>] snd_seq_oss_synth_setup_midi+0x107/0x4c0 sound/core/seq/oss/seq_oss_synth.c:281
          [<ffffffff8501b0a8>] snd_seq_oss_open+0x748/0x8d0 sound/core/seq/oss/seq_oss_init.c:274
          [<ffffffff85019d8a>] odev_open+0x6a/0x90 sound/core/seq/oss/seq_oss.c:138
          [<ffffffff84f7040f>] soundcore_open+0x30f/0x640 sound/sound_core.c:639
          ......
      
       other info that might help us debug this:
      
       Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(&grp->list_mutex);
                                      lock(register_mutex#5);
                                      lock(&grp->list_mutex);
         lock(register_mutex#5);
      
       *** DEADLOCK ***
      ======================================================
      
      The fix is to simply move the registration parts in
      snd_rawmidi_dev_register() to the outside of the register_mutex lock.
      The lock is needed only to manage the linked list, and it's not
      necessarily to cover the whole initialization process.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      816f318b
    • Takashi Iwai's avatar
      ALSA: timer: Fix zero-division by continue of uninitialized instance · 9f8a7658
      Takashi Iwai authored
      When a user timer instance is continued without the explicit start
      beforehand, the system gets eventually zero-division error like:
      
        divide error: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
        CPU: 1 PID: 27320 Comm: syz-executor Not tainted 4.8.0-rc3-next-20160825+ #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         task: ffff88003c9b2280 task.stack: ffff880027280000
         RIP: 0010:[<ffffffff858e1a6c>]  [<     inline     >] ktime_divns include/linux/ktime.h:195
         RIP: 0010:[<ffffffff858e1a6c>]  [<ffffffff858e1a6c>] snd_hrtimer_callback+0x1bc/0x3c0 sound/core/hrtimer.c:62
        Call Trace:
         <IRQ>
         [<     inline     >] __run_hrtimer kernel/time/hrtimer.c:1238
         [<ffffffff81504335>] __hrtimer_run_queues+0x325/0xe70 kernel/time/hrtimer.c:1302
         [<ffffffff81506ceb>] hrtimer_interrupt+0x18b/0x420 kernel/time/hrtimer.c:1336
         [<ffffffff8126d8df>] local_apic_timer_interrupt+0x6f/0xe0 arch/x86/kernel/apic/apic.c:933
         [<ffffffff86e13056>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:957
         [<ffffffff86e1210c>] apic_timer_interrupt+0x8c/0xa0 arch/x86/entry/entry_64.S:487
         <EOI>
         .....
      
      Although a similar issue was spotted and a fix patch was merged in
      commit [6b760bb2: ALSA: timer: fix division by zero after
      SNDRV_TIMER_IOCTL_CONTINUE], it seems covering only a part of
      iceberg.
      
      In this patch, we fix the issue a bit more drastically.  Basically the
      continue of an uninitialized timer is supposed to be a fresh start, so
      we do it for user timers.  For the direct snd_timer_continue() call,
      there is no way to pass the initial tick value, so we kick out for the
      uninitialized case.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      9f8a7658
    • Allen Hung's avatar
      dmi-id: don't free dev structure after calling device_register · 9b41b92b
      Allen Hung authored
      dmi_dev is freed in error exit code but, according to the document
      of device_register, it should never directly free device structure
      after calling this function, even if it returned an error! Use
      put_device() instead.
      Signed-off-by: default avatarAllen Hung <allen_hung@dell.com>
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      9b41b92b
    • Linus Torvalds's avatar
      Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux · d71f0586
      Linus Torvalds authored
      Pull thermal fix from Zhang Rui:
       "Only one patch this time, which fixes a crash in rcar_thermal driver.
        From Dirk Behme"
      
      * 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
        thermal: rcar_thermal: Fix priv->zone error handling
      d71f0586
    • Olof Johansson's avatar
      Merge tag 'sunxi-fixes-for-4.8' of... · 95390e32
      Olof Johansson authored
      Merge tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into fixes
      
      Allwinner fixes for 4.8
      
      A single patch fixing a typo in the temperature trip points in the A13
      DTSI.
      
      * tag 'sunxi-fixes-for-4.8' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
        ARM: sun5i: Fix typo in trip point temperature
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      95390e32
    • Suzuki K Poulose's avatar
      arm-cci: pmu: Fix typo in event name · 1d3ef9c2
      Suzuki K Poulose authored
      For one of the CCI events exposed under sysfs, "snoop" was typo'd as
      "snopp". Correct this such that users see the expected event name when
      enumerating events via sysfs.
      
      Cc: arm@kernel.org
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarSuzuki K Poulose <suzuki.poulose@arm.com>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      1d3ef9c2
    • Olof Johansson's avatar
      Merge tag 'imx-fixes-4.8-2' of... · 28fa9917
      Olof Johansson authored
      Merge tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes
      
      i.MX fixes for 4.8, 2nd round:
       - Fix misspelled "ti,x-plate-ohms" property name of touchscreen
         controller for imx7d-sdb DTS.
       - Add missing BM_CLPCR_BYPASS_PMIC_READY setting for i.MX6SX to get
         suspend/resume work properly.
       - Fix SPDIF regression on imx6qdl which caused by a clock update on
         spdif device node.
      
      * tag 'imx-fixes-4.8-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux:
        ARM: dts: imx6qdl: Fix SPDIF regression
        ARM: imx6: add missing BM_CLPCR_BYPASS_PMIC_READY setting for imx6sx
        ARM: dts: imx7d-sdb: fix ti,x-plate-ohms property name
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      28fa9917
    • Olof Johansson's avatar
      Revert "ARM: tegra: fix erroneous address in dts" · d8b795f5
      Olof Johansson authored
      This reverts commit b5c86b74.
      
      This is no longer needed due to other changes going into 4.8 to rename
      the unit addresses on a large number of device nodes. So it was picked up
      for v4.8-rc1 in error.
      Reported-by: default avatarRalf Ramsauer <ralf@ramses-pyramidenbau.de>
      Signed-off-by: default avatarOlof Johansson <olof@lixom.net>
      d8b795f5
    • Paul Mackerras's avatar
      powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET · f077aaf0
      Paul Mackerras authored
      In commit c60ac569 ("powerpc: Update kernel VSID range", 2013-03-13)
      we lost a check on the region number (the top four bits of the effective
      address) for addresses below PAGE_OFFSET.  That commit replaced a check
      that the top 18 bits were all zero with a check that bits 46 - 59 were
      zero (performed for all addresses, not just user addresses).
      
      This means that userspace can access an address like 0x1000_0xxx_xxxx_xxxx
      and we will insert a valid SLB entry for it.  The VSID used will be the
      same as if the top 4 bits were 0, but the page size will be some random
      value obtained by indexing beyond the end of the mm_ctx_high_slices_psize
      array in the paca.  If that page size is the same as would be used for
      region 0, then userspace just has an alias of the region 0 space.  If the
      page size is different, then no HPTE will be found for the access, and
      the process will get a SIGSEGV (since hash_page_mm() will refuse to create
      a HPTE for the bogus address).
      
      The access beyond the end of the mm_ctx_high_slices_psize can be at most
      5.5MB past the array, and so will be in RAM somewhere.  Since the access
      is a load performed in real mode, it won't fault or crash the kernel.
      At most this bug could perhaps leak a little bit of information about
      blocks of 32 bytes of memory located at offsets of i * 512kB past the
      paca->mm_ctx_high_slices_psize array, for 1 <= i <= 11.
      
      Fixes: c60ac569 ("powerpc: Update kernel VSID range")
      Cc: stable@vger.kernel.org # v3.9+
      Signed-off-by: default avatarPaul Mackerras <paulus@ozlabs.org>
      Reviewed-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      f077aaf0
    • Christophe Leroy's avatar
      powerpc/32: Fix again csum_partial_copy_generic() · 8540571e
      Christophe Leroy authored
      Commit 7aef4136 ("powerpc32: rewrite csum_partial_copy_generic()
      based on copy_tofrom_user()") introduced a bug when destination address
      is odd and len is lower than cacheline size.
      
      In that case the resulting csum value doesn't have to be rotated one
      byte because the cache-aligned copy part is skipped so no alignment
      is performed.
      
      Fixes: 7aef4136 ("powerpc32: rewrite csum_partial_copy_generic() based on copy_tofrom_user()")
      Cc: stable@vger.kernel.org # v4.6+
      Reported-by: default avatarAlessio Igor Bogani <alessio.bogani@elettra.eu>
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Tested-by: default avatarAlessio Igor Bogani <alessio.bogani@elettra.eu>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      8540571e
    • Gavin Shan's avatar
      powerpc/powernv: Fix corrupted PE allocation bitmap on releasing PE · caa58f80
      Gavin Shan authored
      In pnv_ioda_free_pe(), the PE object (including the associated PE
      number) is cleared before resetting the corresponding bit in the
      PE allocation bitmap. It means PE#0 is always released to the bitmap
      wrongly.
      
      This fixes above issue by caching the PE number before the PE object
      is cleared.
      
      Fixes: 1e916772 ("powerpc/powernv: Use PE instead of number during setup and release"
      Cc: stable@vger.kernel.org # v4.7+
      Signed-off-by: default avatarGavin Shan <gwshan@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      caa58f80
  3. 07 Sep, 2016 9 commits
  4. 06 Sep, 2016 10 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · d060e0f6
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "This is the second pull request for the rdma subsystem.  Most of the
        patches are small and obvious.  I took two patches in that are larger
        than I wanted this late in the cycle.
      
        The first is the hfi1 patch that implements a work queue to test the
        QSFP read state.  I originally rejected the first patch for this
        (which would have place up to 20 seconds worth of udelays in their
        probe routine).  They then rewrote it the way I wanted (use delayed
        work tasks to wait asynchronously up to 20 seconds for the QSFP to
        come alive), so I can't really complain about the size of getting what
        I asked for :-/.
      
        The second is large because it switches the rcu locking in the debugfs
        code.  Since a locking change like this is done all at once, the size
        it what it is.  It resolves a litany of debug messages from the
        kernel, so I pulled it in for -rc.
      
        The rest are all typical -rc worthy patches I think.
      
        There will still be a third -rc pull request from the rdma subsystem
        this release.  I hope to have that one ready to go by the end of this
        week or early next.
      
        Summary:
      
         - a smattering of small fixes across the core, ipoib, i40iw, isert,
           cxgb4, and mlx4
      
         - a slightly larger group of fixes to each of mlx5 and hfi1"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        IB/hfi1: Rework debugfs to use SRCU
        IB/hfi1: Make n_krcvqs be an unsigned long integer
        IB/hfi1: Add QSFP sanity pre-check
        IB/hfi1: Fix AHG KDETH Intr shift
        IB/hfi1: Fix SGE length for misaligned PIO copy
        IB/mlx5: Don't return errors from poll_cq
        IB/mlx5: Use TIR number based on selector
        IB/mlx5: Simplify code by removing return variable
        IB/mlx5: Return EINVAL when caller specifies too many SGEs
        IB/mlx4: Don't return errors from poll_cq
        Revert "IB/mlx4: Return EAGAIN for any error in mlx4_ib_poll_one"
        IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
        IB/core: Fix use after free in send_leave function
        IB/cxgb4: Make _free_qp static to silence build warning
        IB/isert: Properly release resources on DEVICE_REMOVAL
        IB/hfi1: Fix the size parameter to find_first_bit
        IB/mlx5: Fix the size parameter to find_first_bit
        IB/hfi1: Clean up type used and casting
        i40iw: Receive notification events correctly
        i40iw: Update hw_iwarp_state
      d060e0f6
    • Kees Cook's avatar
      lkdtm: adjust usercopy tests to bypass const checks · 3c17648c
      Kees Cook authored
      The hardened usercopy is now consistently avoiding checks against const
      sizes, since we really only want to perform runtime bounds checking
      on lengths that weren't known at build time. To test the hardened usercopy
      code, we must force the length arguments to be seen as non-const.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      3c17648c
    • Kees Cook's avatar
      usercopy: fold builtin_const check into inline function · 81409e9e
      Kees Cook authored
      Instead of having each caller of check_object_size() need to remember to
      check for a const size parameter, move the check into check_object_size()
      itself. This actually matches the original implementation in PaX, though
      this commit cleans up the now-redundant builtin_const() calls in the
      various architectures.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      81409e9e
    • Kees Cook's avatar
      x86/uaccess: force copy_*_user() to be inlined · e6971009
      Kees Cook authored
      As already done with __copy_*_user(), mark copy_*_user() as __always_inline.
      Without this, the checks for things like __builtin_const_p() won't work
      consistently in either hardened usercopy nor the recent adjustments for
      detecting usercopy overflows at compile time.
      
      The change in kernel text size is detectable, but very small:
      
       text      data     bss     dec      hex     filename
      12118735  5768608 14229504 32116847 1ea106f vmlinux.before
      12120207  5768608 14229504 32118319 1ea162f vmlinux.after
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      e6971009
    • Linus Torvalds's avatar
      Merge branch 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration · 46738ab3
      Linus Torvalds authored
      Pull mailbox fixes from Jassi Brar:
       "Misc fixes for BCM mailbox driver
      
         - Fix build warnings by making static functions used within the file.
         - Check for potential NULL before dereferencing
         - Fix link error by defining HAS_DMA dependency"
      
      * 'mailbox-devel' of git://git.linaro.org/landing-teams/working/fujitsu/integration:
        fix:mailbox:bcm-pdc-mailbox:mark symbols static where possible
        mailbox: bcm-pdc: potential NULL dereference in pdc_shutdown()
        mailbox: Add HAS_DMA Kconfig dependency to BCM_PDC_MBOX
      46738ab3
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 6296c412
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is really three fixes, but the SES one comes in a bundle of three
        (making the replacement API available properly, using it and removing
        the non-working one).  The SES problem causes an oops on hpsa devices
        because they attach virtual disks to the host which aren't SAS
        attached (the replacement API ignores them).
      
        The other two fixes are fairly minor: the sense key one means we
        actually resolve a newly added sense key and the RDAC device
        blacklisting is needed to prevent us annoying the universal XPORT lun
        of various RDAC arrays"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sas: remove is_sas_attached()
        scsi: ses: use scsi_is_sas_rphy instead of is_sas_attached
        scsi: sas: provide stub implementation for scsi_is_sas_rphy
        scsi: blacklist all RDAC devices for BLIST_NO_ULD_ATTACH
        scsi: fix upper bounds check of sense key in scsi_sense_key_string()
      6296c412
    • Linus Torvalds's avatar
      Merge tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap · ec9a03d4
      Linus Torvalds authored
      Pull regmap fixes from Mark Brown:
       "Several fixes here, the main one being the change from Lars-Peter
        which I'd been letting soak in -next since the merge window in case it
        uncovered further issues as it's a minimal fix rather than a change
        addressing the root cause of the problems (which would've been too
        invasive for -rc):
      
         - The biggest change is a fix from Lars-Peter to ensure that we don't
           create overlapping rbtree nodes which in turn avoids returning
           corrupt cache values to users, fixing some issues that were exposed
           by some recent optimisations with certain access patterns but had
           been present for a long time.
      
         - A fix from Elaine Zhang to stop us updating the cache if we get an
           I/O error when writing to the hardware.
      
         - A fix fromm Maarten ter Huurne to avoid uninitialized defaults in
           cases where we have non-readable registers but are initializing the
           cache by reading from the device"
      
      * tag 'regmap-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
        regmap: drop cache if the bus transfer error
        regmap: rbtree: Avoid overlapping nodes
        regmap: cache: Fix num_reg_defaults computation from reg_defaults_raw
      ec9a03d4
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 8ded8f00
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "As well as the usual driver fixes there's a couple of non-trivial core
        fixes in here:
      
         - Fixes for issues reported by Julia Lawall in the changes that were
           sent last time to fix interaction between the bus lock and the
           locking done for the SPI thread.  I'd let this one cook for a while
           to make sure nothing else came up in testing.
      
         - A fix from Sien Wu for arithmetic overflows when calculating the
           timeout for larger transfers (espcially common with slow buses with
           flashes on them)"
      
      * tag 'spi-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: Prevent unexpected SPI time out due to arithmetic overflow
        spi: pxa2xx-pci: fix ACPI-based enumeration of SPI devices
        MAINTAINERS: add myself as Samsung SPI maintainer
        spi: Drop io_mutex in error paths
        spi: sh-msiof: Avoid invalid clock generator parameters
        spi: img-spfi: Remove spi_master_put in img_spfi_remove()
        spi: mediatek: remove spi_master_put in mtk_spi_remove()
        spi: qup: Remove spi_master_put in spi_qup_remove()
      8ded8f00
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v4.8-rc5' of... · 8fa5729d
      Linus Torvalds authored
      Merge tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "Two things here, one an e-mail update for Krzysztof Kozlowski and the
        other a couple of fixes for issues with incorrectly described voltages
        in a couple of the Qualcomm regulator drivers that were breaking MMC
        on some platforms"
      
      * tag 'regulator-fix-v4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: Change Krzysztof Kozlowski's email to kernel.org
        regulator: qcom_smd: Fix voltage ranges for pma8084 ftsmps and pldo
        regulator: qcom_smd: Fix voltage ranges for pm8x41
      8fa5729d
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 4c601e0d
      Linus Torvalds authored
      Pull pin control fixes from Linus Walleij:
       "Nothing special at all, just three SoC-specific driver fixes:
      
         - Fix routing problems in pistachio (Imagination) and sunxi
           (AllWinner)
      
         - Fix an interrupt problem in the Cherryview (Intel)"
      
      * tag 'pinctrl-v4.8-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: sunxi: fix uart1 CTS/RTS pins at PG on A23/A33
        pinctrl: cherryview: Do not mask all interrupts in probe
        pinctrl: pistachio: fix mfio pll_lock pinmux
      4c601e0d