1. 16 Aug, 2016 10 commits
  2. 10 Aug, 2016 30 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.6.6 · 90838e40
      Greg Kroah-Hartman authored
      90838e40
    • Paul Burton's avatar
      MIPS: CM: Fix mips_cm_max_vp_width for UP kernels · 491749fe
      Paul Burton authored
      commit a60ae81e upstream.
      
      Fix mips_cm_max_vp_width for UP kernels where it previously referenced
      smp_num_siblings, which is not declared for UP kernels. This led to
      build errors such as the following:
      
        drivers/built-in.o: In function `$L446':
        irq-mips-gic.c:(.text+0x1994): undefined reference to `smp_num_siblings'
        drivers/built-in.o:irq-mips-gic.c:(.text+0x199c): more undefined references to `smp_num_siblings' follow
      
      On UP kernels simply return 1, leaving the reference to smp_num_siblings
      in place only for SMP kernels.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: Matt Redfearn <matt.redfearn@imgtec.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/12332/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      491749fe
    • Miklos Szeredi's avatar
      vfs: fix deadlock in file_remove_privs() on overlayfs · 42c7aa83
      Miklos Szeredi authored
      commit c1892c37 upstream.
      
      file_remove_privs() is called with inode lock on file_inode(), which
      proceeds to calling notify_change() on file->f_path.dentry.  Which triggers
      the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
      when ovl_setattr tries to lock the underlying inode again.
      
      Fix this mess by not mixing the layers, but doing everything on underlying
      dentry/inode.
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Fixes: 07a2daab ("ovl: Copy up underlying inode's ->i_mode to overlay inode")
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42c7aa83
    • Scott Bauer's avatar
      vfs: ioctl: prevent double-fetch in dedupe ioctl · 04678f55
      Scott Bauer authored
      commit 10eec60c upstream.
      
      This prevents a double-fetch from user space that can lead to to an
      undersized allocation and heap overflow.
      
      Fixes: 54dbc151 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
      Signed-off-by: default avatarScott Bauer <sbauer@plzdonthack.me>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04678f55
    • Alexander Shishkin's avatar
      intel_th: Fix a deadlock in modprobing · 900ac92c
      Alexander Shishkin authored
      commit a36aa80f upstream.
      
      Driver initialization tries to request a hub (GTH) driver module from
      its probe callback, resulting in a deadlock.
      
      This patch solves the problem by adding a deferred work for requesting
      the hub module.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      900ac92c
    • Alexander Shishkin's avatar
      intel_th: pci: Add Kaby Lake PCH-H support · df1abbea
      Alexander Shishkin authored
      commit 7a1a47ce upstream.
      
      This adds Intel(R) Trace Hub PCI ID for Kaby Lake PCH-H.
      Signed-off-by: default avatarAlexander Shishkin <alexander.shishkin@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df1abbea
    • Gregory Greenman's avatar
      cfg80211: handle failed skb allocation · f4cb43e0
      Gregory Greenman authored
      commit 16a910a6 upstream.
      
      Handle the case when dev_alloc_skb returns NULL.
      
      Fixes: 2b67f944 ("cfg80211: reuse existing page fragments in A-MSDU rx")
      Signed-off-by: default avatarGregory Greenman <gregory.greenman@intel.com>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f4cb43e0
    • Dmitri Epshtein's avatar
      net: mvneta: set real interrupt per packet for tx_done · 2f4cf2ec
      Dmitri Epshtein authored
      commit 06708f81 upstream.
      
      Commit aebea2ba ("net: mvneta: fix Tx interrupt delay") intended to
      set coalescing threshold to a value guaranteeing interrupt generation
      per each sent packet, so that buffers can be released with no delay.
      
      In fact setting threshold to '1' was wrong, because it causes interrupt
      every two packets. According to the documentation a reason behind it is
      following - interrupt occurs once sent buffers counter reaches a value,
      which is higher than one specified in MVNETA_TXQ_SIZE_REG(q). This
      behavior was confirmed during tests. Also when testing the SoC working
      as a NAS device, better performance was observed with int-per-packet,
      as it strongly depends on the fact that all transmitted packets are
      released immediately.
      
      This commit enables NETA controller work in interrupt per sent packet mode
      by setting coalescing threshold to 0.
      Signed-off-by: default avatarDmitri Epshtein <dima@marvell.com>
      Signed-off-by: default avatarMarcin Wojtas <mw@semihalf.com>
      Fixes aebea2ba ("net: mvneta: fix Tx interrupt delay")
      Acked-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f4cf2ec
    • Ilya Dryomov's avatar
      libceph: apply new_state before new_up_client on incrementals · 14877928
      Ilya Dryomov authored
      commit 930c5328 upstream.
      
      Currently, osd_weight and osd_state fields are updated in the encoding
      order.  This is wrong, because an incremental map may look like e.g.
      
          new_up_client: { osd=6, addr=... } # set osd_state and addr
          new_state: { osd=6, xorstate=EXISTS } # clear osd_state
      
      Suppose osd6's current osd_state is EXISTS (i.e. osd6 is down).  After
      applying new_up_client, osd_state is changed to EXISTS | UP.  Carrying
      on with the new_state update, we flip EXISTS and leave osd6 in a weird
      "!EXISTS but UP" state.  A non-existent OSD is considered down by the
      mapping code
      
      2087    for (i = 0; i < pg->pg_temp.len; i++) {
      2088            if (ceph_osd_is_down(osdmap, pg->pg_temp.osds[i])) {
      2089                    if (ceph_can_shift_osds(pi))
      2090                            continue;
      2091
      2092                    temp->osds[temp->size++] = CRUSH_ITEM_NONE;
      
      and so requests get directed to the second OSD in the set instead of
      the first, resulting in OSD-side errors like:
      
      [WRN] : client.4239 192.168.122.21:0/2444980242 misdirected client.4239.1:2827 pg 2.5df899f2 to osd.4 not [1,4,6] in e680/680
      
      and hung rbds on the client:
      
      [  493.566367] rbd: rbd0: write 400000 at 11cc00000 (0)
      [  493.566805] rbd: rbd0:   result -6 xferred 400000
      [  493.567011] blk_update_request: I/O error, dev rbd0, sector 9330688
      
      The fix is to decouple application from the decoding and:
      - apply new_weight first
      - apply new_state before new_up_client
      - twiddle osd_state flags if marking in
      - clear out some of the state if osd is destroyed
      
      Fixes: http://tracker.ceph.com/issues/14901Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
      Reviewed-by: default avatarJosh Durgin <jdurgin@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14877928
    • Tejun Heo's avatar
      libata: LITE-ON CX1-JB256-HP needs lower max_sectors · 54d61751
      Tejun Heo authored
      commit 1488a1e3 upstream.
      
      Since 34b48db6 ("block: remove artifical max_hw_sectors cap"),
      max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
      CX1-JB256-HP keeps timing out with higher max_sectors.  Revert it to
      the previous value.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: dgerasimov@gmail.com
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
      Fixes: 34b48db6 ("block: remove artifical max_hw_sectors cap")
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54d61751
    • Lukasz Gemborowski's avatar
      i2c: mux: reg: wrong condition checked for of_address_to_resource return value · ed87c214
      Lukasz Gemborowski authored
      commit 22ebf00e upstream.
      
      of_address_to_resource return 0 on successful call but
      devm_ioremap_resource is called only if it returns non-zero value
      Signed-off-by: default avatarLukasz Gemborowski <lukasz.gemborowski@nokia.com>
      Reviewed-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ed87c214
    • Sricharan R's avatar
      i2c: qup: Fix wrong value of index variable · f5be1dff
      Sricharan R authored
      commit d4f56c77 upstream.
      
      index gets incremented during check to determine if the
      messages can be transferred with dma. But not reset after
      that, resulting in wrong start value in subsequent loop,
      causing failure. Fix it.
      Signed-off-by: default avatarSricharan R <sricharan@codeaurora.org>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5be1dff
    • Laurent Pinchart's avatar
      adv7604: Don't ignore pad number in subdev DV timings pad operations · 9388174e
      Laurent Pinchart authored
      commit 6519c3d7 upstream.
      
      The dv_timings_cap() and enum_dv_timings() pad operations take a pad
      number as an input argument and return the DV timings capabilities and
      list of supported DV timings for that pad.
      
      Commit bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings
      helpers") broke this as it started ignoring the pad number, always
      returning the information associated with the currently selected input.
      Fix it.
      
      Fixes: bd3e275f ("[media] media: i2c: adv7604: Use v4l2-dv-timings helpers")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9388174e
    • Thomas Gleixner's avatar
      cpu/hotplug: Keep enough storage space if SMP=n to avoid array out of bounds scribble · 5e8123b6
      Thomas Gleixner authored
      commit a7c73414 upstream.
      
      Xiaolong Ye reported lock debug warnings triggered by the following commit:
      
        8de4a0066106 ("perf/x86: Convert the core to the hotplug state machine")
      
      The bug is the following: the cpuhp_bp_states[] array is cut short when
      CONFIG_SMP=n, but the dynamically registered callbacks are stored nevertheless
      and happily scribble outside of the array bounds...
      
      We need to store them in case that the state is unregistered so we can invoke
      the teardown function. That's independent of CONFIG_SMP. Make sure the array
      is large enough.
      Reported-by: default avatarkernel test robot <xiaolong.ye@intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Adam Borowski <kilobyte@angband.pl>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Anna-Maria Gleixner <anna-maria@linutronix.de>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kan Liang <kan.liang@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: lkp@01.org
      Cc: tipbuild@zytor.com
      Fixes: cff7d378 "cpu/hotplug: Convert to a state machine for the control processor"
      Link: http://lkml.kernel.org/r/alpine.DEB.2.11.1607122144560.4083@nanosSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8123b6
    • Alexey Dobriyan's avatar
      posix_cpu_timer: Exit early when process has been reaped · 2acf7a3a
      Alexey Dobriyan authored
      commit 2c13ce8f upstream.
      
      Variable "now" seems to be genuinely used unintialized
      if branch
      
      	if (CPUCLOCK_PERTHREAD(timer->it_clock)) {
      
      is not taken and branch
      
      	if (unlikely(sighand == NULL)) {
      
      is taken. In this case the process has been reaped and the timer is marked as
      disarmed anyway. So none of the postprocessing of the sample is
      required. Return right away.
      Signed-off-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Link: http://lkml.kernel.org/r/20160707223911.GA26483@p183.telecom.bySigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2acf7a3a
    • James Patrick-Evans's avatar
      media: fix airspy usb probe error path · 1031db3d
      James Patrick-Evans authored
      commit aa93d1fe upstream.
      
      Fix a memory leak on probe error of the airspy usb device driver.
      
      The problem is triggered when more than 64 usb devices register with
      v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.
      
      The memory leak is caused by the probe function of the airspy driver
      mishandeling errors and not freeing the corresponding control structures
      when an error occours registering the device to v4l2 core.
      
      A badusb device can emulate 64 of these devices, and then through
      continual emulated connect/disconnect of the 65th device, cause the
      kernel to run out of RAM and crash the kernel, thus causing a local DOS
      vulnerability.
      
      Fixes CVE-2016-5400
      Signed-off-by: default avatarJames Patrick-Evans <james@jmp-e.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1031db3d
    • Brian King's avatar
      ipr: Clear interrupt on croc/crocodile when running with LSI · 602efc3c
      Brian King authored
      commit 54e430bb upstream.
      
      If we fall back to using LSI on the Croc or Crocodile chip we need to
      clear the interrupt so we don't hang the system.
      Tested-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarBrian King <brking@linux.vnet.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      602efc3c
    • Alan Stern's avatar
      SCSI: fix new bug in scsi_dev_info_list string matching · 224d3cc7
      Alan Stern authored
      commit 5e7ff2ca upstream.
      
      Commit b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      changed the way vendor- and model-string matching was carried out in the
      routine that looks up entries in a SCSI devinfo list.  The new matching
      code failed to take into account the case of a maximum-length string; in
      such cases it could end up testing for a terminating '\0' byte beyond
      the end of the memory allocated to the string.  This out-of-bounds bug
      was detected by UBSAN.
      
      I don't know if anybody has actually encountered this bug.  The symptom
      would be that a device entry in the blacklist might not be matched
      properly if it contained an 8-character vendor name or a 16-character
      model name.  Such entries certainly exist in scsi_static_device_list.
      
      This patch fixes the problem by adding a check for a maximum-length
      string before the '\0' test.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Fixes: b704f70c ("SCSI: fix bug in scsi_dev_info_list matching")
      Tested-by: default avatarWilfried Klaebe <linux-kernel@lebenslange-mailadresse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      224d3cc7
    • Bruno Prémont's avatar
      qla2xxx: Fix NULL pointer deref in QLA interrupt · ddb2bdc5
      Bruno Prémont authored
      commit 262e2bfd upstream.
      
      In qla24xx_process_response_queue() rsp->msix->cpuid may trigger NULL
      pointer dereference when rsp->msix is NULL:
      
      [    5.622457] NULL pointer dereference at 0000000000000050
      [    5.622457] IP: [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] PGD 0
      [    5.622457] Oops: 0000 [#1] SMP
      [    5.622457] Modules linked in:
      [    5.622457] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.6.3-x86_64 #1
      [    5.622457] Hardware name: HP ProLiant DL360 G5, BIOS P58 05/02/2011
      [    5.622457] task: ffff8801a88f3740 ti: ffff8801a8954000 task.ti: ffff8801a8954000
      [    5.622457] RIP: 0010:[<ffffffff8155e614>]  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457] RSP: 0000:ffff8801afb03de8  EFLAGS: 00010002
      [    5.622457] RAX: 0000000000000000 RBX: 0000000000000032 RCX: 00000000ffffffff
      [    5.622457] RDX: 0000000000000002 RSI: ffff8801a79bf8c8 RDI: ffff8800c8f7e7c0
      [    5.622457] RBP: ffff8801afb03e68 R08: 0000000000000000 R09: 0000000000000000
      [    5.622457] R10: 00000000ffff8c47 R11: 0000000000000002 R12: ffff8801a79bf8c8
      [    5.622457] R13: ffff8800c8f7e7c0 R14: ffff8800c8f60000 R15: 0000000000018013
      [    5.622457] FS:  0000000000000000(0000) GS:ffff8801afb00000(0000) knlGS:0000000000000000
      [    5.622457] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [    5.622457] CR2: 0000000000000050 CR3: 0000000001e07000 CR4: 00000000000006e0
      [    5.622457] Stack:
      [    5.622457]  ffff8801afb03e30 ffffffff810c0f2d 0000000000000086 0000000000000002
      [    5.622457]  ffff8801afb03e28 ffffffff816570e1 ffff8800c8994628 0000000000000002
      [    5.622457]  ffff8801afb03e60 ffffffff816772d4 b47c472ad6955e68 0000000000000032
      [    5.622457] Call Trace:
      [    5.622457]  <IRQ>
      [    5.622457]  [<ffffffff810c0f2d>] ? __wake_up_common+0x4d/0x80
      [    5.622457]  [<ffffffff816570e1>] ? usb_hcd_resume_root_hub+0x51/0x60
      [    5.622457]  [<ffffffff816772d4>] ? uhci_hub_status_data+0x64/0x240
      [    5.622457]  [<ffffffff81560d00>] qla24xx_intr_handler+0xf0/0x2e0
      [    5.622457]  [<ffffffff810d569e>] ? get_next_timer_interrupt+0xce/0x200
      [    5.622457]  [<ffffffff810c89b4>] handle_irq_event_percpu+0x64/0x100
      [    5.622457]  [<ffffffff810c8a77>] handle_irq_event+0x27/0x50
      [    5.622457]  [<ffffffff810cb965>] handle_edge_irq+0x65/0x140
      [    5.622457]  [<ffffffff8101a498>] handle_irq+0x18/0x30
      [    5.622457]  [<ffffffff8101a276>] do_IRQ+0x46/0xd0
      [    5.622457]  [<ffffffff817f8fff>] common_interrupt+0x7f/0x7f
      [    5.622457]  <EOI>
      [    5.622457]  [<ffffffff81020d38>] ? mwait_idle+0x68/0x80
      [    5.622457]  [<ffffffff8102114a>] arch_cpu_idle+0xa/0x10
      [    5.622457]  [<ffffffff810c1b97>] default_idle_call+0x27/0x30
      [    5.622457]  [<ffffffff810c1d3b>] cpu_startup_entry+0x19b/0x230
      [    5.622457]  [<ffffffff810324c6>] start_secondary+0x136/0x140
      [    5.622457] Code: 00 00 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 47 58 a8 02 0f 84 c5 00 00 00 48 8b 46 50 49 89 f4 65 8b 15 34 bb aa 7e <39> 50 50 74 11 89 50 50 48 8b 46 50 8b 40 50 41 89 86 60 8b 00
      [    5.622457] RIP  [<ffffffff8155e614>] qla24xx_process_response_queue+0x44/0x4b0
      [    5.622457]  RSP <ffff8801afb03de8>
      [    5.622457] CR2: 0000000000000050
      [    5.622457] ---[ end trace fa2b19c25106d42b ]---
      [    5.622457] Kernel panic - not syncing: Fatal exception in interrupt
      
      The affected code was introduced by commit cdb898c5
      (qla2xxx: Add irq affinity notification).
      
      Only dereference rsp->msix when it has been set so the machine can boot
      fine. Possibly rsp->msix is unset because:
      [    3.479679] qla2xxx [0000:00:00.0]-0005: : QLogic Fibre Channel HBA Driver: 8.07.00.33-k.
      [    3.481839] qla2xxx [0000:13:00.0]-001d: : Found an ISP2432 irq 17 iobase 0xffffc90000038000.
      [    3.484081] qla2xxx [0000:13:00.0]-0035:0: MSI-X; Unsupported ISP2432 (0x2, 0x3).
      [    3.485804] qla2xxx [0000:13:00.0]-0037:0: Falling back-to MSI mode -258.
      [    3.890145] scsi host0: qla2xxx
      [    3.891956] qla2xxx [0000:13:00.0]-00fb:0: QLogic QLE2460 - PCI-Express Single Channel 4Gb Fibre Channel HBA.
      [    3.894207] qla2xxx [0000:13:00.0]-00fc:0: ISP2432: PCIe (2.5GT/s x4) @ 0000:13:00.0 hdma+ host#=0 fw=7.03.00 (9496).
      [    5.714774] qla2xxx [0000:13:00.0]-500a:0: LOOP UP detected (4 Gbps).
      Signed-off-by: default avatarBruno Prémont <bonbons@linux-vserver.org>
      Acked-by: default avatarQuinn Tran <quinn.tran@qlogic.com>
      Fixes: cdb898c5Signed-off-by: default avatarJames Bottomley <jejb@linux.vnet.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ddb2bdc5
    • Paul Burton's avatar
      irqchip/mips-gic: Match IPI IRQ domain by bus token only · 4406733d
      Paul Burton authored
      commit 547aefc4 upstream.
      
      Commit fbde2d7d ("MIPS: Add generic SMP IPI support") introduced
      code which calls irq_find_matching_host with a NULL node parameter in
      order to discover IPI IRQ domains which are not associated with the DT
      root node's interrupt parent. This suggests that implementations of IPI
      IRQ domains should effectively ignore the node parameter if it is NULL
      and search purely based upon the bus token. Commit 2af70a96
      ("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when
      implementing the GIC IPI IRQ domain, and on MIPS Boston boards this
      leads to no IPI domain being discovered and a NULL pointer dereference
      when attempting to send an IPI:
      
        CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c
        Oops[#1]:
        CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945
        task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000
        $ 0   : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003
        $ 4   : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000
        $ 8   : 0000000000000000 0000000000000023 0000000000000001 0000000000000001
        $12   : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000
        $16   : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
        $20   : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000
        $24   : 0000000000000000 ffffffff8012de28
        $28   : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c
        Hi    : ffffffff8014c174
        Lo    : a800000001e1e140
        epc   : ffffffff8016e70c __ipi_send_mask+0x24/0x11c
        ra    : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178
        Status: 140084e2        KX SX UX KERNEL EXL
        Cause : 00800008 (ExcCode 02)
        BadVA : 0000000000000040
        PrId  : 0001a920 (MIPS I6400)
        Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000)
        Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
                  0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c
                  0000000000000001 0000000000000020 0000000000000000 0000000000000000
                  0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001
                  0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8
                  a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002
                  ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc
                  0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001
                  ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50
                  0000000000000003 a800000001e48308 0000000000000003 0000000000000008
                  ...
        Call Trace:
        [<ffffffff8016e70c>] __ipi_send_mask+0x24/0x11c
        [<ffffffff8010ff5c>] mips_smp_send_ipi_mask+0x68/0x178
        [<ffffffff801865e8>] generic_exec_single+0x150/0x170
        [<ffffffff801868b8>] smp_call_function_single+0x108/0x160
        [<ffffffff80110c50>] cps_boot_secondary+0x328/0x394
        [<ffffffff80110534>] __cpu_up+0x38/0x90
        [<ffffffff8012de4c>] bringup_cpu+0x24/0xac
        [<ffffffff8012df40>] cpuhp_up_callbacks+0x58/0xdc
        [<ffffffff8012e648>] cpu_up+0x118/0x18c
        [<ffffffff806dc158>] smp_init+0xbc/0xe8
        [<ffffffff806d4c18>] kernel_init_freeable+0xa0/0x228
        [<ffffffff8056c908>] kernel_init+0x10/0xf0
        [<ffffffff80105098>] ret_from_kernel_thread+0x14/0x1c
      
      Fix this by allowing the GIC IPI IRQ domain to match purely based upon
      the bus token if the node provided is NULL.
      
      Fixes: 2af70a96 ("irqchip/mips-gic: Add a IPI hierarchy domain")
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160705132600.27730-2-paul.burton@imgtec.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4406733d
    • Paul Burton's avatar
      irqchip/mips-gic: Map to VPs using HW VPNum · 42c33fde
      Paul Burton authored
      commit 99ec8a36 upstream.
      
      When mapping an interrupt to a VP(E) we must use the identifier for the
      VP that the hardware expects, and this does not always match up with the
      Linux CPU number. Commit d46812bb ("irqchip: mips-gic: Use HW IDs
      for VPE_OTHER_ADDR") corrected this for the cases that existed at the
      time it was written, but commit 2af70a96 ("irqchip/mips-gic: Add a
      IPI hierarchy domain") added another case before the former patch was
      merged. This leads to incorrectly using Linux CPU numbers when mapping
      interrupts to VPs, which breaks on certain systems such as those with
      multi-core I6400 CPUs. Fix by adding the appropriate call to
      mips_cm_vp_id() to retrieve the expected VP identifier.
      
      Fixes: d46812bb ("irqchip: mips-gic: Use HW IDs for VPE_OTHER_ADDR")
      Fixes: 2af70a96 ("irqchip/mips-gic: Add a IPI hierarchy domain")
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: linux-mips@linux-mips.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Qais Yousef <qsyousef@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/20160705132600.27730-1-paul.burton@imgtec.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42c33fde
    • Vegard Nossum's avatar
      RDS: fix rds_tcp_init() error path · d71872a9
      Vegard Nossum authored
      commit 3dad5424 upstream.
      
      If register_pernet_subsys() fails, we shouldn't try to call
      unregister_pernet_subsys().
      
      Fixes: 467fa153 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
      Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Acked-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d71872a9
    • Oliver Hartkopp's avatar
      can: fix oops caused by wrong rtnl dellink usage · f3f8ae8b
      Oliver Hartkopp authored
      commit 25e1ed6e upstream.
      
      For 'real' hardware CAN devices the netlink interface is used to set CAN
      specific communication parameters. Real CAN hardware can not be created nor
      removed with the ip tool ...
      
      This patch adds a private dellink function for the CAN device driver interface
      that does just nothing.
      
      It's a follow up to commit 993e6f2f ("can: fix oops caused by wrong rtnl
      newlink usage") but for dellink.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3f8ae8b
    • Oliver Hartkopp's avatar
      can: fix handling of unmodifiable configuration options fix · 171cf1dc
      Oliver Hartkopp authored
      commit bce271f2 upstream.
      
      With upstream commit bb208f14 (can: fix handling of unmodifiable
      configuration options) a new can_validate() function was introduced.
      
      When invoking 'ip link set can0 type can' without any configuration data
      can_validate() tries to validate the content without taking into account that
      there's totally no content. This patch adds a check for missing content.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      171cf1dc
    • Thor Thayer's avatar
      can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access · 07562cc2
      Thor Thayer authored
      commit 427460c8 upstream.
      
      When testing CAN write floods on Altera's CycloneV, the first 2 bytes
      are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also
      observed bytes 4 & 5 were corrupted in some cases.
      
      The D_CAN Data registers are 32 bits and changing from 16 bit writes to
      32 bit writes fixes the problem.
      
      Testing performed on Altera CycloneV (D_CAN).  Requesting tests on other
      C_CAN & D_CAN platforms.
      Reported-by: default avatarRichard Andrysek <richard.andrysek@gomtec.de>
      Signed-off-by: default avatarThor Thayer <tthayer@opensource.altera.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      07562cc2
    • Wolfgang Grandegger's avatar
      can: at91_can: RX queue could get stuck at high bus load · 88e08b41
      Wolfgang Grandegger authored
      commit 43200a44 upstream.
      
      At high bus load it could happen that "at91_poll()" enters with all RX
      message boxes filled up. If then at the end the "quota" is exceeded as
      well, "rx_next" will not be reset to the first RX mailbox and hence the
      interrupts remain disabled.
      Signed-off-by: default avatarWolfgang Grandegger <wg@grandegger.com>
      Tested-by: default avatarAmr Bekhit <amrbekhit@gmail.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88e08b41
    • Peter Zijlstra's avatar
      sched/fair: Fix effective_load() to consistently use smoothed load · 81dc1601
      Peter Zijlstra authored
      commit 7dd49125 upstream.
      
      Starting with the following commit:
      
        fde7d22e ("sched/fair: Fix overly small weight for interactive group entities")
      
      calc_tg_weight() doesn't compute the right value as expected by effective_load().
      
      The difference is in the 'correction' term. In order to ensure \Sum
      rw_j >= rw_i we cannot use tg->load_avg directly, since that might be
      lagging a correction on the current cfs_rq->avg.load_avg value.
      Therefore we use tg->load_avg - cfs_rq->tg_load_avg_contrib +
      cfs_rq->avg.load_avg.
      
      Now, per the referenced commit, calc_tg_weight() doesn't use
      cfs_rq->avg.load_avg, as is later used in @w, but uses
      cfs_rq->load.weight instead.
      
      So stop using calc_tg_weight() and do it explicitly.
      
      The effects of this bug are wake_affine() making randomly
      poor choices in cgroup-intense workloads.
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: fde7d22e ("sched/fair: Fix overly small weight for interactive group entities")
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81dc1601
    • Taras Kondratiuk's avatar
      mmc: block: fix packed command header endianness · 8815298c
      Taras Kondratiuk authored
      commit f68381a7 upstream.
      
      The code that fills packed command header assumes that CPU runs in
      little-endian mode. Hence the header is malformed in big-endian mode
      and causes MMC data transfer errors:
      
      [  563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40
      [  563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1
      
      Convert header data to LE.
      Signed-off-by: default avatarTaras Kondratiuk <takondra@cisco.com>
      Fixes: ce39f9d1 ("mmc: support packed write command for eMMC4.5 devices")
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8815298c
    • Ville Viinikka's avatar
      mmc: block: fix free of uninitialized 'idata->buf' · 5e8087b3
      Ville Viinikka authored
      commit bfe5b1b1 upstream.
      
      Set 'idata->buf' to NULL so that it never gets returned without
      initialization. This fixes a bug where mmc_blk_ioctl_cmd() would
      free both 'idata' and 'idata->buf' but 'idata->buf' was returned
      uninitialized.
      
      Fixes: 1ff8950c ("mmc: block: change to use kmalloc when copy data from userspace")
      Signed-off-by: default avatarVille Viinikka <ville@tuxera.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8087b3
    • Omar Sandoval's avatar
      block: fix use-after-free in sys_ioprio_get() · 5c72cc56
      Omar Sandoval authored
      commit 8ba86821 upstream.
      
      get_task_ioprio() accesses the task->io_context without holding the task
      lock and thus can race with exit_io_context(), leading to a
      use-after-free. The reproducer below hits this within a few seconds on
      my 4-core QEMU VM:
      
      #define _GNU_SOURCE
      #include <assert.h>
      #include <unistd.h>
      #include <sys/syscall.h>
      #include <sys/wait.h>
      
      int main(int argc, char **argv)
      {
      	pid_t pid, child;
      	long nproc, i;
      
      	/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
      	syscall(SYS_ioprio_set, 1, 0, 0x6000);
      
      	nproc = sysconf(_SC_NPROCESSORS_ONLN);
      
      	for (i = 0; i < nproc; i++) {
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				pid = fork();
      				assert(pid != -1);
      				if (pid == 0) {
      					_exit(0);
      				} else {
      					child = wait(NULL);
      					assert(child == pid);
      				}
      			}
      		}
      
      		pid = fork();
      		assert(pid != -1);
      		if (pid == 0) {
      			for (;;) {
      				/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      				syscall(SYS_ioprio_get, 2, 0);
      			}
      		}
      	}
      
      	for (;;) {
      		/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
      		syscall(SYS_ioprio_get, 2, 0);
      	}
      
      	return 0;
      }
      
      This gets us KASAN dumps like this:
      
      [   35.526914] ==================================================================
      [   35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
      [   35.530009] Read of size 2 by task ioprio-gpf/363
      [   35.530009] =============================================================================
      [   35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
      [   35.530009] -----------------------------------------------------------------------------
      
      [   35.530009] Disabling lock debugging due to kernel taint
      [   35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
      [   35.530009] 	___slab_alloc+0x55d/0x5a0
      [   35.530009] 	__slab_alloc.isra.20+0x2b/0x40
      [   35.530009] 	kmem_cache_alloc_node+0x84/0x200
      [   35.530009] 	create_task_io_context+0x2b/0x370
      [   35.530009] 	get_task_io_context+0x92/0xb0
      [   35.530009] 	copy_process.part.8+0x5029/0x5660
      [   35.530009] 	_do_fork+0x155/0x7e0
      [   35.530009] 	SyS_clone+0x19/0x20
      [   35.530009] 	do_syscall_64+0x195/0x3a0
      [   35.530009] 	return_from_SYSCALL_64+0x0/0x6a
      [   35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
      [   35.530009] 	__slab_free+0x27b/0x3d0
      [   35.530009] 	kmem_cache_free+0x1fb/0x220
      [   35.530009] 	put_io_context+0xe7/0x120
      [   35.530009] 	put_io_context_active+0x238/0x380
      [   35.530009] 	exit_io_context+0x66/0x80
      [   35.530009] 	do_exit+0x158e/0x2b90
      [   35.530009] 	do_group_exit+0xe5/0x2b0
      [   35.530009] 	SyS_exit_group+0x1d/0x20
      [   35.530009] 	entry_SYSCALL_64_fastpath+0x1a/0xa4
      [   35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
      [   35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
      [   35.530009] ==================================================================
      
      Fix it by grabbing the task lock while we poke at the io_context.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarOmar Sandoval <osandov@fb.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c72cc56