1. 22 11月, 2016 13 次提交
  2. 21 11月, 2016 4 次提交
  3. 20 11月, 2016 23 次提交
    • J
      tipc: eliminate obsolete socket locking policy description · 51b9a31c
      Jon Paul Maloy 提交于
      The comment block in socket.c describing the locking policy is
      obsolete, and does not reflect current reality. We remove it in this
      commit.
      
      Since the current locking policy is much simpler and follows a
      mainstream approach, we see no need to add a new description.
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      51b9a31c
    • Z
      rtnl: fix the loop index update error in rtnl_dump_ifinfo() · 3f0ae05d
      Zhang Shengju 提交于
      If the link is filtered out, loop index should also be updated. If not,
      loop index will not be correct.
      
      Fixes: dc599f76 ("net: Add support for filtering link dump by master device and kind")
      Signed-off-by: NZhang Shengju <zhangshengju@cmss.chinamobile.com>
      Acked-by: NDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3f0ae05d
    • G
      l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind() · 32c23116
      Guillaume Nault 提交于
      Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
      Without lock, a concurrent call could modify the socket flags between
      the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
      a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
      would then leave a stale pointer there, generating use-after-free
      errors when walking through the list or modifying adjacent entries.
      
      BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
      Write of size 8 by task syz-executor/10987
      CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
       ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
       ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
      Call Trace:
       [<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
       [<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
       [<     inline     >] print_address_description mm/kasan/report.c:194
       [<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
       [<     inline     >] kasan_report mm/kasan/report.c:303
       [<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
       [<     inline     >] __write_once_size ./include/linux/compiler.h:249
       [<     inline     >] __hlist_del ./include/linux/list.h:622
       [<     inline     >] hlist_del_init ./include/linux/list.h:637
       [<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
       [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
       [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
       [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
       [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
       [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
       [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
       [<ffffffff813774f9>] task_work_run+0xf9/0x170
       [<ffffffff81324aae>] do_exit+0x85e/0x2a00
       [<ffffffff81326dc8>] do_group_exit+0x108/0x330
       [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
       [<ffffffff811b49af>] do_signal+0x7f/0x18f0
       [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
       [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
       [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
       [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
      Allocated:
      PID = 10987
       [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
       [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
       [ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
       [ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
       [ 1116.897025] [<     inline     >] slab_post_alloc_hook mm/slab.h:417
       [ 1116.897025] [<     inline     >] slab_alloc_node mm/slub.c:2708
       [ 1116.897025] [<     inline     >] slab_alloc mm/slub.c:2716
       [ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
       [ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
       [ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
       [ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
       [ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
       [ 1116.897025] [<     inline     >] sock_create net/socket.c:1193
       [ 1116.897025] [<     inline     >] SYSC_socket net/socket.c:1223
       [ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
       [ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
      Freed:
      PID = 10987
       [ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
       [ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
       [ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
       [ 1116.897025] [<     inline     >] slab_free_hook mm/slub.c:1352
       [ 1116.897025] [<     inline     >] slab_free_freelist_hook mm/slub.c:1374
       [ 1116.897025] [<     inline     >] slab_free mm/slub.c:2951
       [ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
       [ 1116.897025] [<     inline     >] sk_prot_free net/core/sock.c:1369
       [ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
       [ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
       [ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
       [ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
       [ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
       [ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
       [ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
       [ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
       [ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
       [ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
       [ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
       [ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
       [ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
       [ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
       [ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
       [ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
       [ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
       [ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
       [ 1116.897025] [<     inline     >] prepare_exit_to_usermode arch/x86/entry/common.c:190
       [ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
       [ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
      Memory state around the buggy address:
       ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                          ^
       ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      ==================================================================
      
      The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
      
      Fixes: c51ce497 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
      Reported-by: NBaozeng Ding <sploving1@gmail.com>
      Reported-by: NAndrey Konovalov <andreyknvl@google.com>
      Tested-by: NBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: NGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      32c23116
    • L
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 77079b13
      Linus Torvalds 提交于
      Pull ARM SoC fixes from Olof Johansson:
       "Again a set of smaller fixes across several platforms (OMAP, Marvell,
        Allwinner, i.MX, etc).
      
        A handful of typo fixes and smaller missing contents from device
        trees, with some tweaks to OMAP mach files to deal with CPU feature
        print misformatting, potential NULL ptr dereference and one setup
        issue with UARTs"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ipmi/bt-bmc: change compatible node to 'aspeed, ast2400-ibt-bmc'
        ARM: dts: STiH410-b2260: Fix typo in spi0 chipselect definition
        ARM: dts: omap5: board-common: fix wrong SMPS6 (VDD-DDR3) voltage
        ARM: omap3: Add missing memory node in SOM-LV
        arm64: dts: marvell: add unique identifiers for Armada A8k SPI controllers
        arm64: dts: marvell: fix clocksource for CP110 slave SPI0
        arm64: dts: marvell: Fix typo in label name on Armada 37xx
        ASoC: omap-abe-twl6040: fix typo in bindings documentation
        dts: omap5: board-common: enable twl6040 headset jack detection
        dts: omap5: board-common: add phandle to reference Palmas gpadc
        ARM: OMAP2+: avoid NULL pointer dereference
        ARM: OMAP2+: PRM: initialize en_uart4_mask and grpsel_uart4_mask
        ARM: dts: omap3: Fix memory node in Torpedo board
        ARM: AM43XX: Select OMAP_INTERCONNECT in Kconfig
        ARM: OMAP3: Fix formatting of features printed
        ARM: dts: imx53-qsb: Fix regulator constraints
        ARM: dts: sun8i: fix the pinmux for UART1
      77079b13
    • L
      Merge tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 · d117b9ac
      Linus Torvalds 提交于
      Pull ext4 fixes from Ted Ts'o:
       "A security fix (so a maliciously corrupted file system image won't
        panic the kernel) and some fixes for CONFIG_VMAP_STACK"
      
      * tag 'ext4_for_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
        ext4: sanity check the block and cluster size at mount time
        fscrypto: don't use on-stack buffer for key derivation
        fscrypto: don't use on-stack buffer for filename encryption
      d117b9ac
    • T
      ext4: sanity check the block and cluster size at mount time · 8cdf3372
      Theodore Ts'o 提交于
      If the block size or cluster size is insane, reject the mount.  This
      is important for security reasons (although we shouldn't be just
      depending on this check).
      
      Ref: http://www.securityfocus.com/archive/1/539661
      Ref: https://bugzilla.redhat.com/show_bug.cgi?id=1332506Reported-by: NBorislav Petkov <bp@alien8.de>
      Reported-by: NNikolay Borisov <kernel@kyup.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      Cc: stable@vger.kernel.org
      8cdf3372
    • E
      fscrypto: don't use on-stack buffer for key derivation · 0f0909e2
      Eric Biggers 提交于
      With the new (in 4.9) option to use a virtually-mapped stack
      (CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
      the scatterlist crypto API because they may not be directly mappable to
      struct page.  get_crypt_info() was using a stack buffer to hold the
      output from the encryption operation used to derive the per-file key.
      Fix it by using a heap buffer.
      
      This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
      because this allowed the BUG in sg_set_buf() to be triggered.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      0f0909e2
    • E
      fscrypto: don't use on-stack buffer for filename encryption · 3c7018eb
      Eric Biggers 提交于
      With the new (in 4.9) option to use a virtually-mapped stack
      (CONFIG_VMAP_STACK), stack buffers cannot be used as input/output for
      the scatterlist crypto API because they may not be directly mappable to
      struct page.  For short filenames, fname_encrypt() was encrypting a
      stack buffer holding the padded filename.  Fix it by encrypting the
      filename in-place in the output buffer, thereby making the temporary
      buffer unnecessary.
      
      This bug could most easily be observed in a CONFIG_DEBUG_SG kernel
      because this allowed the BUG in sg_set_buf() to be triggered.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NTheodore Ts'o <tytso@mit.edu>
      3c7018eb
    • L
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 50d438fb
      Linus Torvalds 提交于
      Pull i2c fixes from Wolfram Sang:
       "Some I2C driver bugfixes (and one documentation fix)"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: i2c-mux-pca954x: fix deselect enabling for device-tree
        i2c: digicolor: use clk_disable_unprepare instead of clk_unprepare
        i2c: mux: fix up dependencies
        i2c: Documentation: i2c-topology: fix minor whitespace nit
        i2c: mux: demux-pinctrl: make drivers with no pinctrl work again
      50d438fb
    • L
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · dce9ce36
      Linus Torvalds 提交于
      Pull KVM fixes from Radim Krčmář:
       "ARM:
         - Fix handling of the 32bit cycle counter
         - Fix cycle counter filtering
      
        x86:
         - Fix a race leading to double unregistering of user notifiers
         - Amend oversight in kvm_arch_set_irq that turned Hyper-V code dead
         - Use SRCU around kvm_lapic_set_vapic_addr
         - Avoid recursive flushing of asynchronous page faults
         - Do not rely on deferred update in KVM_GET_CLOCK, which fixes #GP
         - Let userspace know that KVM_GET_CLOCK is useful with master clock;
           4.9 changed the return value to better match the guest clock, but
           didn't provide means to let guests take advantage of it"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvm: x86: merge kvm_arch_set_irq and kvm_arch_set_irq_inatomic
        KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr
        KVM: async_pf: avoid recursive flushing of work items
        kvm: kvmclock: let KVM_GET_CLOCK return whether the master clock is in use
        KVM: Disable irq while unregistering user notifier
        KVM: x86: do not go through vcpu in __get_kvmclock_ns
        KVM: arm64: Fix the issues when guest PMCCFILTR is configured
        arm64: KVM: pmu: Fix AArch32 cycle counter access
      dce9ce36
    • A
      i2c: i2c-mux-pca954x: fix deselect enabling for device-tree · ad092de6
      Alex Hemme 提交于
      Deselect functionality can be ignored for device-trees with
      "i2c-mux-idle-disconnect" entries if no platform_data is available.
      By enabling the deselect functionality outside the platform_data
      block the logic works as it did in previous kernels.
      
      Fixes: 7fcac980 ("i2c: i2c-mux-pca954x: convert to use an explicit i2c mux core")
      Cc: <stable@vger.kernel.org> # v4.7+
      Signed-off-by: NAlex Hemme <ahemme@cisco.com>
      Signed-off-by: NZiyang Wu <ziywu@cisco.com>
      [touched up a few minor issues /peda]
      Signed-off-by: NPeter Rosin <peda@axentia.se>
      Signed-off-by: NWolfram Sang <wsa@the-dreams.de>
      ad092de6
    • L
      Merge tag 'powerpc-4.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · f6918382
      Linus Torvalds 提交于
      Pull powerpc fixes from Michael Ellerman:
       "Fixes marked for stable:
         - fix system reset interrupt winkle wakeups
         - fix setting of AIL in hypervisor mode
      
        Fixes for code merged this cycle:
         - fix exception vector build with 2.23 era binutils
         - fix missing update of HID register on secondary CPUs
      
        Other:
         - fix missing pr_cont()s
         - invalidate ERAT on tlbiel for POWER9 DD1"
      
      * tag 'powerpc-4.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm: Fix missing update of HID register on secondary CPUs
        powerpc/mm/radix: Invalidate ERAT on tlbiel for POWER9 DD1
        powerpc/64: Fix setting of AIL in hypervisor mode
        powerpc/oops: Fix missing pr_cont()s in instruction dump
        powerpc/oops: Fix missing pr_cont()s in show_regs()
        powerpc/oops: Fix missing pr_cont()s in print_msr_bits() et. al.
        powerpc/oops: Fix missing pr_cont()s in show_stack()
        powerpc: Fix exception vector build with 2.23 era binutils
        powerpc/64s: Fix system reset interrupt winkle wakeups
      f6918382
    • L
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 384b0dc4
      Linus Torvalds 提交于
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Compiler warning in caam driver that was the last one remaining
      
         - Do not register aes-xts in caam drivers on unsupported platforms
      
         - Regression in algif_hash interface that may lead to an oops"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: algif_hash - Fix NULL hash crash with shash
        crypto: caam - fix type mismatch warning
        crypto: caam - do not register AES-XTS mode on LP units
      384b0dc4
    • L
      Merge tag 'leds_4.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds · 67418976
      Linus Torvalds 提交于
      Pull LED subsystem update from Jacek Anaszewski:
       "I'd like to announce a new co-maintainer - Pavel Machek"
      
      * tag 'leds_4.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        MAINTAINERS: Add LED subsystem co-maintainer
      67418976
    • L
      Merge tag 'dmaengine-fix-4.9-rc6' of git://git.infradead.org/users/vkoul/slave-dma · eab8d4bc
      Linus Torvalds 提交于
      Pull dmaengine fixes from Vinod Koul:
       "Some driver fixes which we pending in my tree:
      
         - return error code fix in edma driver
         - Kconfig fix for genric allocator in mmp_tdma
         - fix uninitialized value in sun6i
         - Runtime pm fixes for cppi"
      
      * tag 'dmaengine-fix-4.9-rc6' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: cppi41: More PM runtime fixes
        dmaengine: cpp41: Fix handling of error path
        dmaengine: cppi41: Fix unpaired pm runtime when only a USB hub is connected
        dmaengine: cppi41: Fix list not empty warning on module removal
        dmaengine: sun6i: fix the uninitialized value for v_lli
        dmaengine: mmp_tdma: add missing select GENERIC_ALLOCATOR in Kconfig
        dmaengine: edma: Fix error return code in edma_alloc_chan_resources()
      eab8d4bc
    • P
      kvm: x86: merge kvm_arch_set_irq and kvm_arch_set_irq_inatomic · a2b07739
      Paolo Bonzini 提交于
      kvm_arch_set_irq is unused since commit b97e6de9.  Merge
      its functionality with kvm_arch_set_irq_inatomic.
      Reported-by: NJiang Biao <jiang.biao2@zte.com.cn>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: NDavid Hildenbrand <david@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      a2b07739
    • P
      KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr · 7301d6ab
      Paolo Bonzini 提交于
      Reported by syzkaller:
      
          [ INFO: suspicious RCU usage. ]
          4.9.0-rc4+ #47 Not tainted
          -------------------------------
          ./include/linux/kvm_host.h:536 suspicious rcu_dereference_check() usage!
      
          stack backtrace:
          CPU: 1 PID: 6679 Comm: syz-executor Not tainted 4.9.0-rc4+ #47
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
           ffff880039e2f6d0 ffffffff81c2e46b ffff88003e3a5b40 0000000000000000
           0000000000000001 ffffffff83215600 ffff880039e2f700 ffffffff81334ea9
           ffffc9000730b000 0000000000000004 ffff88003c4f8420 ffff88003d3f8000
          Call Trace:
           [<     inline     >] __dump_stack lib/dump_stack.c:15
           [<ffffffff81c2e46b>] dump_stack+0xb3/0x118 lib/dump_stack.c:51
           [<ffffffff81334ea9>] lockdep_rcu_suspicious+0x139/0x180 kernel/locking/lockdep.c:4445
           [<     inline     >] __kvm_memslots include/linux/kvm_host.h:534
           [<     inline     >] kvm_memslots include/linux/kvm_host.h:541
           [<ffffffff8105d6ae>] kvm_gfn_to_hva_cache_init+0xa1e/0xce0 virt/kvm/kvm_main.c:1941
           [<ffffffff8112685d>] kvm_lapic_set_vapic_addr+0xed/0x140 arch/x86/kvm/lapic.c:2217
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Fixes: fda4e2e8
      Cc: Andrew Honig <ahonig@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: NDavid Hildenbrand <david@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      7301d6ab
    • P
      KVM: async_pf: avoid recursive flushing of work items · 22583f0d
      Paolo Bonzini 提交于
      This was reported by syzkaller:
      
          [ INFO: possible recursive locking detected ]
          4.9.0-rc4+ #49 Not tainted
          ---------------------------------------------
          kworker/2:1/5658 is trying to acquire lock:
           ([ 1644.769018] (&work->work)
          [<     inline     >] list_empty include/linux/compiler.h:243
          [<ffffffff8128dd60>] flush_work+0x0/0x660 kernel/workqueue.c:1511
      
          but task is already holding lock:
           ([ 1644.769018] (&work->work)
          [<ffffffff812916ab>] process_one_work+0x94b/0x1900 kernel/workqueue.c:2093
      
          stack backtrace:
          CPU: 2 PID: 5658 Comm: kworker/2:1 Not tainted 4.9.0-rc4+ #49
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
          Workqueue: events async_pf_execute
           ffff8800676ff630 ffffffff81c2e46b ffffffff8485b930 ffff88006b1fc480
           0000000000000000 ffffffff8485b930 ffff8800676ff7e0 ffffffff81339b27
           ffff8800676ff7e8 0000000000000046 ffff88006b1fcce8 ffff88006b1fccf0
          Call Trace:
          ...
          [<ffffffff8128ddf3>] flush_work+0x93/0x660 kernel/workqueue.c:2846
          [<ffffffff812954ea>] __cancel_work_timer+0x17a/0x410 kernel/workqueue.c:2916
          [<ffffffff81295797>] cancel_work_sync+0x17/0x20 kernel/workqueue.c:2951
          [<ffffffff81073037>] kvm_clear_async_pf_completion_queue+0xd7/0x400 virt/kvm/async_pf.c:126
          [<     inline     >] kvm_free_vcpus arch/x86/kvm/x86.c:7841
          [<ffffffff810b728d>] kvm_arch_destroy_vm+0x23d/0x620 arch/x86/kvm/x86.c:7946
          [<     inline     >] kvm_destroy_vm virt/kvm/kvm_main.c:731
          [<ffffffff8105914e>] kvm_put_kvm+0x40e/0x790 virt/kvm/kvm_main.c:752
          [<ffffffff81072b3d>] async_pf_execute+0x23d/0x4f0 virt/kvm/async_pf.c:111
          [<ffffffff8129175c>] process_one_work+0x9fc/0x1900 kernel/workqueue.c:2096
          [<ffffffff8129274f>] worker_thread+0xef/0x1480 kernel/workqueue.c:2230
          [<ffffffff812a5a94>] kthread+0x244/0x2d0 kernel/kthread.c:209
          [<ffffffff831f102a>] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
      
      The reason is that kvm_put_kvm is causing the destruction of the VM, but
      the page fault is still on the ->queue list.  The ->queue list is owned
      by the VCPU, not by the work items, so we cannot just add list_del to
      the work item.
      
      Instead, use work->vcpu to note async page faults that have been resolved
      and will be processed through the done list.  There is no need to flush
      those.
      
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      22583f0d
    • P
      kvm: kvmclock: let KVM_GET_CLOCK return whether the master clock is in use · e3fd9a93
      Paolo Bonzini 提交于
      Userspace can read the exact value of kvmclock by reading the TSC
      and fetching the timekeeping parameters out of guest memory.  This
      however is brittle and not necessary anymore with KVM 4.11.  Provide
      a mechanism that lets userspace know if the new KVM_GET_CLOCK
      semantics are in effect, and---since we are at it---if the clock
      is stable across all VCPUs.
      
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Marcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      e3fd9a93
    • I
      KVM: Disable irq while unregistering user notifier · 1650b4eb
      Ignacio Alvarado 提交于
      Function user_notifier_unregister should be called only once for each
      registered user notifier.
      
      Function kvm_arch_hardware_disable can be executed from an IPI context
      which could cause a race condition with a VCPU returning to user mode
      and attempting to unregister the notifier.
      Signed-off-by: NIgnacio Alvarado <ikalvarado@google.com>
      Cc: stable@vger.kernel.org
      Fixes: 18863bdd ("KVM: x86 shared msr infrastructure")
      Reviewed-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      1650b4eb
    • P
      KVM: x86: do not go through vcpu in __get_kvmclock_ns · 8b953440
      Paolo Bonzini 提交于
      Going through the first VCPU is wrong if you follow a KVM_SET_CLOCK with
      a KVM_GET_CLOCK immediately after, without letting the VCPU run and
      call kvm_guest_time_update.
      
      To fix this, compute the kvmclock value ourselves, using the master
      clock (tsc, nsec) pair as the base and the host CPU frequency as
      the scale.
      Reported-by: NMarcelo Tosatti <mtosatti@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      8b953440
    • R
      Merge tag 'kvm-arm-for-4.9-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm · e5dbc4bf
      Radim Krčmář 提交于
      KVM/ARM updates for v4.9-rc6
      
      - Fix handling of the 32bit cycle counter
      - Fix cycle counter filtering
      e5dbc4bf
    • D
      Merge tag 'batadv-net-for-davem-20161119' of git://git.open-mesh.org/linux-merge · adda3067
      David S. Miller 提交于
      Simon Wunderlich says:
      
      ====================
      Here are two batman-adv bugfix patches:
      
       - Revert a splat on disabling interface which created another problem,
         by Sven Eckelmann
      
       - Fix error handling when the primary interface disappears during a
         throughput meter test, by Sven Eckelmann
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      adda3067