1. 03 6月, 2017 5 次提交
    • M
      include/linux/gfp.h: fix ___GFP_NOLOCKDEP value · 1bde33e0
      Michal Hocko 提交于
      Igor Stoppa has noticed that __GFP_NOLOCKDEP can use a lower bit.  At
      the time commit 7e784422 ("lockdep: allow to disable reclaim lockup
      detection") was written we still had __GFP_OTHER_NODE but I have removed
      it in commit 41b6167e ("mm: get rid of __GFP_OTHER_NODE") and forgot
      to lower the bit value.
      
      The current value is outside of __GFP_BITS_SHIFT so it cannot be used
      actually.
      
      Fixes: 7e784422 ("lockdep: allow to disable reclaim lockup detection")
      Signed-off-by: NMichal Hocko <mhocko@suse.com>
      Reported-by: NIgor Stoppa <igor.stoppa@nokia.com>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      1bde33e0
    • A
      ksm: prevent crash after write_protect_page fails · a7306c34
      Andrea Arcangeli 提交于
      "err" needs to be left set to -EFAULT if split_huge_page succeeds.
      Otherwise if "err" gets clobbered with zero and write_protect_page
      fails, try_to_merge_one_page() will succeed instead of returning -EFAULT
      and then try_to_merge_with_ksm_page() will continue thinking kpage is a
      PageKsm when in fact it's still an anonymous page.  Eventually it'll
      crash in page_add_anon_rmap.
      
      This has been reproduced on Fedora25 kernel but I can reproduce with
      upstream too.
      
      The bug was introduced in commit f765f540 ("ksm: prepare to new THP
      semantics") introduced in v4.5.
      
          page:fffff67546ce1cc0 count:4 mapcount:2 mapping:ffffa094551e36e1 index:0x7f0f46673
          flags: 0x2ffffc0004007c(referenced|uptodate|dirty|lru|active|swapbacked)
          page dumped because: VM_BUG_ON_PAGE(!PageLocked(page))
          page->mem_cgroup:ffffa09674bf0000
          ------------[ cut here ]------------
          kernel BUG at mm/rmap.c:1222!
          CPU: 1 PID: 76 Comm: ksmd Not tainted 4.9.3-200.fc25.x86_64 #1
          RIP: do_page_add_anon_rmap+0x1c4/0x240
          Call Trace:
            page_add_anon_rmap+0x18/0x20
            try_to_merge_with_ksm_page+0x50b/0x780
            ksm_scan_thread+0x1211/0x1410
            ? prepare_to_wait_event+0x100/0x100
            ? try_to_merge_with_ksm_page+0x780/0x780
            kthread+0xd9/0xf0
            ? kthread_park+0x60/0x60
            ret_from_fork+0x25/0x30
      
      Fixes: f765f540 ("ksm: prepare to new THP semantics")
      Link: http://lkml.kernel.org/r/20170513131040.21732-1-aarcange@redhat.comSigned-off-by: NAndrea Arcangeli <aarcange@redhat.com>
      Reported-by: NFederico Simoncelli <fsimonce@redhat.com>
      Acked-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a7306c34
    • L
      Merge tag 'sound-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · c531577b
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "This contains the fixes for a few reported regression for HD-audio and
        USB-audio. All small, trivial, and boring"
      
      * tag 'sound-4.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Fix applying MSI dual-codec mobo quirk
        ALSA: usb: Avoid VLA in mixer_us16x08.c
        ALSA: usb: Fix a typo in Tascam US-16x08 mixer element
        Revert "ALSA: usb-audio: purge needless variable length array"
      c531577b
    • L
      Merge tag 'dmaengine-fix-4.12-rc4' of git://git.infradead.org/users/vkoul/slave-dma · f8e72db3
      Linus Torvalds 提交于
      Pull dmaengine fixes from Vinod Koul:
       "Here is the dmaengine fixes request for 4.12. Fixes bunch of issues in
        the driver, npthing exciting though..
      
         - mv_xor_v2 driver fixes for handling descriptors, tx_submit
           implementation, removing interrupt coalescing and setting DMA mask
           properly
      
         - fix usb-dmac DMAOR AE bit definition
      
         - fix ep93xx start buffer from BASE0 and not drain the transfers in
           terminate_all
      
         - fix rcar-dmac to use right descriptor pointer for residue
           calculation
      
         - pl330 fix warn for irq freeup"
      
      * tag 'dmaengine-fix-4.12-rc4' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: pl330: fix warning in pl330_remove
        rcar-dmac: fixup descriptor pointer for descriptor mode
        dmaengine: ep93xx: Don't drain the transfers in terminate_all()
        dmaengine: ep93xx: Always start from BASE0
        dmaengine: usb-dmac: Fix DMAOR AE bit definition
        dmaengine: mv_xor_v2: set DMA mask to 40 bits
        dmaengine: mv_xor_v2: remove interrupt coalescing
        dmaengine: mv_xor_v2: fix tx_submit() implementation
        dmaengine: mv_xor_v2: enable XOR engine after its configuration
        dmaengine: mv_xor_v2: do not use descriptors not acked by async_tx
        dmaengine: mv_xor_v2: properly handle wrapping in the array of HW descriptors
        dmaengine: mv_xor_v2: handle mv_xor_v2_prep_sw_desc() error properly
      f8e72db3
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · 6df62e79
      Linus Torvalds 提交于
      Pull HID fixes from Jiri Kosina:
      
       - corner-case oops fixes for Asus and Wacom drivers from Carlo Caione
         and Jason Gerecke
      
       - power management fix (reported on SIS0817 touchscreen) for i2c-hid
         devices from Hans de Goede
      
       - device-id-specific fixes and quirks from Hans de Goede, Diego Elio
         Pettenò and Che-Liang Chiou
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: asus: Stop underlying hardware on remove
        HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices
        HID: asus: Add support for T100 keyboard
        HID: elecom: extend to fix the descriptor for DEFT trackballs
        HID: magicmouse: Set multi-touch keybits for Magic Mouse
        HID: wacom: Have wacom_tpc_irq guard against possible NULL dereference
      6df62e79
  2. 02 6月, 2017 10 次提交
  3. 01 6月, 2017 12 次提交
    • I
      Revert "x86/PAT: Fix Xorg regression on CPUs that don't support PAT" · c08d5174
      Ingo Molnar 提交于
      This reverts commit cbed27cd.
      
      As Andy Lutomirski observed:
      
       "I think this patch is bogus. pat_enabled() sure looks like it's
        supposed to return true if PAT is *enabled*, and these days PAT is
        'enabled' even if there's no HW PAT support."
      Reported-by: NBernhard Held <berny156@gmx.de>
      Reported-by: NChris Wilson <chris@chris-wilson.co.uk>
      Acked-by: NAndy Lutomirski <luto@kernel.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Luis R. Rodriguez <mcgrof@suse.com>
      Cc: Mikulas Patocka <mpatocka@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Toshi Kani <toshi.kani@hp.com>
      Cc: stable@vger.kernel.org # v4.2+
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NIngo Molnar <mingo@kernel.org>
      c08d5174
    • Z
      KVM: x86: Fix nmi injection failure when vcpu got blocked · 47a66eed
      ZhuangYanying 提交于
      When spin_lock_irqsave() deadlock occurs inside the guest, vcpu threads,
      other than the lock-holding one, would enter into S state because of
      pvspinlock. Then inject NMI via libvirt API "inject-nmi", the NMI could
      not be injected into vm.
      
      The reason is:
      1 It sets nmi_queued to 1 when calling ioctl KVM_NMI in qemu, and sets
      cpu->kvm_vcpu_dirty to true in do_inject_external_nmi() meanwhile.
      2 It sets nmi_queued to 0 in process_nmi(), before entering guest, because
      cpu->kvm_vcpu_dirty is true.
      
      It's not enough just to check nmi_queued to decide whether to stay in
      vcpu_block() or not. NMI should be injected immediately at any situation.
      Add checking nmi_pending, and testing KVM_REQ_NMI replaces nmi_queued
      in vm_vcpu_has_events().
      
      Do the same change for SMIs.
      Signed-off-by: NZhuang Yanying <ann.zhuangyanying@huawei.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      47a66eed
    • R
      KVM: SVM: do not zero out segment attributes if segment is unusable or not present · d9c1b543
      Roman Pen 提交于
      This is a fix for the problem [1], where VMCB.CPL was set to 0 and interrupt
      was taken on userspace stack.  The root cause lies in the specific AMD CPU
      behaviour which manifests itself as unusable segment attributes on SYSRET.
      The corresponding work around for the kernel is the following:
      
      61f01dd9 ("x86_64, asm: Work around AMD SYSRET SS descriptor attribute issue")
      
      In other turn virtualization side treated unusable segment incorrectly and
      restored CPL from SS attributes, which were zeroed out few lines above.
      
      In current patch it is assured only that P bit is cleared in VMCB.save state
      and segment attributes are not zeroed out if segment is not presented or is
      unusable, therefore CPL can be safely restored from DPL field.
      
      This is only one part of the fix, since QEMU side should be fixed accordingly
      not to zero out attributes on its side.  Corresponding patch will follow.
      
      [1] Message id: CAJrWOzD6Xq==b-zYCDdFLgSRMPM-NkNuTSDFEtX=7MreT45i7Q@mail.gmail.com
      Signed-off-by: NRoman Pen <roman.penyaev@profitbricks.com>
      Signed-off-by: NMikhail Sennikovskii <mikhail.sennikovskii@profitbricks.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim KrÄmář <rkrcmar@redhat.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      d9c1b543
    • T
      ALSA: hda - Fix applying MSI dual-codec mobo quirk · d2c3b14e
      Takashi Iwai 提交于
      The previous commit [63691587: ALSA: hda - Apply dual-codec quirk
      for MSI Z270-Gaming mobo] attempted to apply the existing dual-codec
      quirk for a MSI mobo.  But it turned out that this isn't applied
      properly due to the MSI-vendor quirk before this entry.  I overlooked
      such two MSI entries just because they were put in the wrong position,
      although we have a list ordered by PCI SSID numbers.
      
      This patch fixes it by rearranging the unordered entries.
      
      Fixes: 63691587 ("ALSA: hda - Apply dual-codec quirk for MSI Z270-Gaming mobo")
      Reported-by: NRudolf Schmidt <info@rudolfschmidt.com>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      d2c3b14e
    • L
      Merge tag 'drm-fixes-for-v4.12-rc4' of git://people.freedesktop.org/~airlied/linux · a3748463
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "This is the main set of fixes for rc4, one amdgpu fix, some exynos
        regression fixes, some msm fixes and some i915 and GVT fixes.
      
        I've got a second regression fix for some DP chips that might be a
        bit large, but I think we'd like to land it now, I'll send it along
        tomorrow, once you are happy with this set"
      
      * tag 'drm-fixes-for-v4.12-rc4' of git://people.freedesktop.org/~airlied/linux: (24 commits)
        drm/amdgpu: Program ring for vce instance 1 at its register space
        drm/exynos: clean up description of exynos_drm_crtc
        drm/exynos: dsi: Remove bridge node reference in removal
        drm/exynos: dsi: Fix the parse_dt function
        drm/exynos: Merge pre/postclose hooks
        drm/msm: Fix the check for the command size
        drm/msm: Take the mutex before calling msm_gem_new_impl
        drm/msm: for array in-fences, check if all backing fences are from our own context before waiting
        drm/msm: constify irq_domain_ops
        drm/msm/mdp5: release hwpipe(s) for unused planes
        drm/msm: Reuse dma_fence_release.
        drm/msm: Expose our reservation object when exporting a dmabuf.
        drm/msm/gpu: check legacy clk names in get_clocks()
        drm/msm/mdp5: use __drm_atomic_helper_plane_duplicate_state()
        drm/msm: select PM_OPP
        drm/i915: Stop pretending to mask/unmask LPE audio interrupts
        drm/i915/selftests: Silence compiler warning in igt_ctx_exec
        Revert "drm/i915: Restore lost "Initialized i915" welcome message"
        drm/i915/gvt: clean up unsubmited workloads before destroying kmem cache
        drm/i915/gvt: Disable compression workaround for Gen9
        ...
      a3748463
    • D
      Merge tag 'exynos-drm-fixes-for-v4.12' of... · 400129f0
      Dave Airlie 提交于
      Merge tag 'exynos-drm-fixes-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes
      
      - Fix a regression to description of exynos_drm_crtc
      - Remove preclose hook of Exynos
        . This was a exynos change of the patch series[1] merged already.
      - Fix one dt broken issue
      - Make sure to release bridge_node of Exynos MIPI-DSI driver.
      
      [1] https://lists.freedesktop.org/archives/dri-devel/2017-March/135111.html
      
      * tag 'exynos-drm-fixes-for-v4.12' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
        drm/exynos: clean up description of exynos_drm_crtc
        drm/exynos: dsi: Remove bridge node reference in removal
        drm/exynos: dsi: Fix the parse_dt function
        drm/exynos: Merge pre/postclose hooks
      400129f0
    • D
      Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 8ef6fcc8
      Dave Airlie 提交于
      * 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu: Program ring for vce instance 1 at its register space
      8ef6fcc8
    • D
      Merge branch 'msm-fixes-4.12-rc4' of git://people.freedesktop.org/~robclark/linux into drm-fixes · 58b58f6e
      Dave Airlie 提交于
      a few fixes for 4.12..
      
      * 'msm-fixes-4.12-rc4' of git://people.freedesktop.org/~robclark/linux:
        drm/msm: Fix the check for the command size
        drm/msm: Take the mutex before calling msm_gem_new_impl
        drm/msm: for array in-fences, check if all backing fences are from our own context before waiting
        drm/msm: constify irq_domain_ops
        drm/msm/mdp5: release hwpipe(s) for unused planes
        drm/msm: Reuse dma_fence_release.
        drm/msm: Expose our reservation object when exporting a dmabuf.
        drm/msm/gpu: check legacy clk names in get_clocks()
        drm/msm/mdp5: use __drm_atomic_helper_plane_duplicate_state()
        drm/msm: select PM_OPP
      58b58f6e
    • D
      Merge tag 'drm-intel-fixes-2017-05-29' of... · 25f480e8
      Dave Airlie 提交于
      Merge tag 'drm-intel-fixes-2017-05-29' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes
      
      drm/i915 fixes for v4.12-rc4
      
      * tag 'drm-intel-fixes-2017-05-29' of git://anongit.freedesktop.org/git/drm-intel:
        drm/i915: Stop pretending to mask/unmask LPE audio interrupts
        drm/i915/selftests: Silence compiler warning in igt_ctx_exec
        Revert "drm/i915: Restore lost "Initialized i915" welcome message"
        drm/i915/gvt: clean up unsubmited workloads before destroying kmem cache
        drm/i915/gvt: Disable compression workaround for Gen9
        drm/i915: set initialised only when init_context callback is NULL
        drm/i915: Fix new -Wint-in-bool-context gcc compiler warning
        drm/i915: use vma->size for appgtt allocate_va_range
        drm/i915: Do not sync RCU during shrinking
      25f480e8
    • J
      iscsi-target: Always wait for kthread_should_stop() before kthread exit · 5e0cf5e6
      Jiang Yi 提交于
      There are three timing problems in the kthread usages of iscsi_target_mod:
      
       - np_thread of struct iscsi_np
       - rx_thread and tx_thread of struct iscsi_conn
      
      In iscsit_close_connection(), it calls
      
       send_sig(SIGINT, conn->tx_thread, 1);
       kthread_stop(conn->tx_thread);
      
      In conn->tx_thread, which is iscsi_target_tx_thread(), when it receive
      SIGINT the kthread will exit without checking the return value of
      kthread_should_stop().
      
      So if iscsi_target_tx_thread() exit right between send_sig(SIGINT...)
      and kthread_stop(...), the kthread_stop() will try to stop an already
      stopped kthread.
      
      This is invalid according to the documentation of kthread_stop().
      
      (Fix -ECONNRESET logout handling in iscsi_target_tx_thread and
       early iscsi_target_rx_thread failure case - nab)
      Signed-off-by: NJiang Yi <jiangyilism@gmail.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      5e0cf5e6
    • N
      iscsi-target: Fix initial login PDU asynchronous socket close OOPs · 25cdda95
      Nicholas Bellinger 提交于
      This patch fixes a OOPs originally introduced by:
      
         commit bb048357
         Author: Nicholas Bellinger <nab@linux-iscsi.org>
         Date:   Thu Sep 5 14:54:04 2013 -0700
      
         iscsi-target: Add sk->sk_state_change to cleanup after TCP failure
      
      which would trigger a NULL pointer dereference when a TCP connection
      was closed asynchronously via iscsi_target_sk_state_change(), but only
      when the initial PDU processing in iscsi_target_do_login() from iscsi_np
      process context was blocked waiting for backend I/O to complete.
      
      To address this issue, this patch makes the following changes.
      
      First, it introduces some common helper functions used for checking
      socket closing state, checking login_flags, and atomically checking
      socket closing state + setting login_flags.
      
      Second, it introduces a LOGIN_FLAGS_INITIAL_PDU bit to know when a TCP
      connection has dropped via iscsi_target_sk_state_change(), but the
      initial PDU processing within iscsi_target_do_login() in iscsi_np
      context is still running.  For this case, it sets LOGIN_FLAGS_CLOSED,
      but doesn't invoke schedule_delayed_work().
      
      The original NULL pointer dereference case reported by MNC is now handled
      by iscsi_target_do_login() doing a iscsi_target_sk_check_close() before
      transitioning to FFP to determine when the socket has already closed,
      or iscsi_target_start_negotiation() if the login needs to exchange
      more PDUs (eg: iscsi_target_do_login returned 0) but the socket has
      closed.  For both of these cases, the cleanup up of remaining connection
      resources will occur in iscsi_target_start_negotiation() from iscsi_np
      process context once the failure is detected.
      
      Finally, to handle to case where iscsi_target_sk_state_change() is
      called after the initial PDU procesing is complete, it now invokes
      conn->login_work -> iscsi_target_do_login_rx() to perform cleanup once
      existing iscsi_target_sk_check_close() checks detect connection failure.
      For this case, the cleanup of remaining connection resources will occur
      in iscsi_target_do_login_rx() from delayed workqueue process context
      once the failure is detected.
      Reported-by: NMike Christie <mchristi@redhat.com>
      Reviewed-by: NMike Christie <mchristi@redhat.com>
      Tested-by: NMike Christie <mchristi@redhat.com>
      Cc: Mike Christie <mchristi@redhat.com>
      Reported-by: NHannes Reinecke <hare@suse.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Sagi Grimberg <sagi@grimberg.me>
      Cc: Varun Prakash <varun@chelsio.com>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      25cdda95
    • L
      drm/amdgpu: Program ring for vce instance 1 at its register space · 45cc6586
      Leo Liu 提交于
      We need program ring buffer on instance 1 register space domain,
      when only if instance 1 available, with two instances or instance 0,
      and we need only program instance 0 regsiter space domain for ring.
      Signed-off-by: NLeo Liu <leo.liu@amd.com>
      Reviewed-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      45cc6586
  4. 31 5月, 2017 5 次提交
    • L
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · d602fb68
      Linus Torvalds 提交于
      Pull overlayfs fixes from Miklos Szeredi:
       "Fix regressions:
      
         - missing CONFIG_EXPORTFS dependency
      
         - failure if upper fs doesn't support xattr
      
         - bad error cleanup
      
        This also adds the concept of "impure" directories complementing the
        "origin" marking introduced in -rc1. Together they enable getting
        consistent st_ino and d_ino for directory listings.
      
        And there's a bug fix and a cleanup as well"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: filter trusted xattr for non-admin
        ovl: mark upper merge dir with type origin entries "impure"
        ovl: mark upper dir with type origin entries "impure"
        ovl: remove unused arg from ovl_lookup_temp()
        ovl: handle rename when upper doesn't support xattr
        ovl: don't fail copy-up if upper doesn't support xattr
        ovl: check on mount time if upper fs supports setting xattr
        ovl: fix creds leak in copy up error path
        ovl: select EXPORTFS
      d602fb68
    • T
      ALSA: usb: Avoid VLA in mixer_us16x08.c · e49a14fa
      Takashi Iwai 提交于
      This is another attempt to work around the VLA used in
      mixer_us16x08.c.  Basically the temporary array is used individually
      for two cases, and we can declare locally in each block, instead of
      hackish max() usage.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      e49a14fa
    • T
      ALSA: usb: Fix a typo in Tascam US-16x08 mixer element · 617163fc
      Takashi Iwai 提交于
      A mixer element created in a quirk for Tascam US-16x08 contains a
      typo: it should be "EQ MidLow Q" instead of "EQ MidQLow Q".
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195875
      Fixes: d2bb390a ("ALSA: usb-audio: Tascam US-16x08 DSP mixer quirk")
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      617163fc
    • T
      Revert "ALSA: usb-audio: purge needless variable length array" · 64188cfb
      Takashi Iwai 提交于
      This reverts commit 89b593c3 ("ALSA: usb-audio: purge needless
      variable length array").  The patch turned out to cause a severe
      regression, triggering an Oops at snd_usb_ctl_msg().  It was overseen
      that snd_usb_ctl_msg() writes back the response to the given buffer,
      while the patch changed it to a read-only const buffer.  (One should
      always double-check when an extra pointer cast is present...)
      
      As a simple fix, just revert the affected commit.  It was merely a
      cleanup.  Although it brings VLA again, it's clearer as a fix.  We'll
      address the VLA later in another patch.
      
      Fixes: 89b593c3 ("ALSA: usb-audio: purge needless variable length array")
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195875
      Cc: <stable@vger.kernel.org> # v4.11+
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      64188cfb
    • L
      "Yes, people use FOLL_FORCE ;)" · f511c0b1
      Linus Torvalds 提交于
      This effectively reverts commit 8ee74a91 ("proc: try to remove use
      of FOLL_FORCE entirely")
      
      It turns out that people do depend on FOLL_FORCE for the /proc/<pid>/mem
      case, and we're talking not just debuggers. Talking to the affected people, the use-cases are:
      
      Keno Fischer:
       "We used these semantics as a hardening mechanism in the julia JIT. By
        opening /proc/self/mem and using these semantics, we could avoid
        needing RWX pages, or a dual mapping approach. We do have fallbacks to
        these other methods (though getting EIO here actually causes an assert
        in released versions - we'll updated that to make sure to take the
        fall back in that case).
      
        Nevertheless the /proc/self/mem approach was our favored approach
        because it a) Required an attacker to be able to execute syscalls
        which is a taller order than getting memory write and b) didn't double
        the virtual address space requirements (as a dual mapping approach
        would).
      
        I think in general this feature is very useful for anybody who needs
        to precisely control the execution of some other process. Various
        debuggers (gdb/lldb/rr) certainly fall into that category, but there's
        another class of such processes (wine, various emulators) which may
        want to do that kind of thing.
      
        Now, I suspect most of these will have the other process under ptrace
        control, so maybe allowing (same_mm || ptraced) would be ok, but at
        least for the sandbox/remote-jit use case, it would be perfectly
        reasonable to not have the jit server be a ptracer"
      
      Robert O'Callahan:
       "We write to readonly code and data mappings via /proc/.../mem in lots
        of different situations, particularly when we're adjusting program
        state during replay to match the recorded execution.
      
        Like Julia, we can add workarounds, but they could be expensive."
      
      so not only do people use FOLL_FORCE for both reads and writes, but they
      use it for both the local mm and remote mm.
      
      With these comments in mind, we likely also cannot add the "are we
      actively ptracing" check either, so this keeps the new code organization
      and does not do a real revert that would add back the original comment
      about "Maybe we should limit FOLL_FORCE to actual ptrace users?"
      Reported-by: NKeno Fischer <keno@juliacomputing.com>
      Reported-by: NRobert O'Callahan <robert@ocallahan.org>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Cc: Eric Biederman <ebiederm@xmission.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      f511c0b1
  5. 30 5月, 2017 5 次提交
    • G
      KVM: SVM: ignore type when setting segment registers · 8eae9570
      Gioh Kim 提交于
      Commit 19bca6ab ("KVM: SVM: Fix cross vendor migration issue with
      unusable bit") added checking type when setting unusable.
      So unusable can be set if present is 0 OR type is 0.
      According to the AMD processor manual, long mode ignores the type value
      in segment descriptor. And type can be 0 if it is read-only data segment.
      Therefore type value is not related to unusable flag.
      
      This patch is based on linux-next v4.12.0-rc3.
      Signed-off-by: NGioh Kim <gi-oh.kim@profitbricks.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      8eae9570
    • R
      KVM: nVMX: fix nested_vmx_check_vmptr failure paths under debugging · cbf71279
      Radim Krčmář 提交于
      kvm_skip_emulated_instruction() will return 0 if userspace is
      single-stepping the guest.
      
      kvm_skip_emulated_instruction() uses return status convention of exit
      handler: 0 means "exit to userspace" and 1 means "continue vm entries".
      The problem is that nested_vmx_check_vmptr() return status means
      something else: 0 is ok, 1 is error.
      
      This means we would continue executing after a failure.  Static checker
      noticed it because vmptr was not initialized.
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 6affcbed ("KVM: x86: Add kvm_skip_emulated_instruction and use it.")
      Signed-off-by: NRadim Krčmář <rkrcmar@redhat.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      cbf71279
    • K
      rcar-dmac: fixup descriptor pointer for descriptor mode · 56b17705
      Kuninori Morimoto 提交于
      In descriptor mode, the descriptor running pointer is not maintained
      by the interrupt handler, thus, driver finds the running descriptor
      from the descriptor pointer field in the CHCRB register.
      But, CHCRB::DPTR indicates *next* descriptor pointer, not current.
      Thus, The residue calculation will be missed. This patch fixup it.
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Signed-off-by: NVinod Koul <vinod.koul@intel.com>
      56b17705
    • L
      Merge tag 'pinctrl-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 3f173bde
      Linus Torvalds 提交于
      Pull pin control fixes from Linus Walleij:
       "Here is an overdue pull request for pin control fixes, the most
        prominent feature is to make Intel Chromebooks (and I suspect any
        other Cherryview-based Intel thing) happy again, which we really want
        to see.
      
        There is a patch hitting drivers/firmware/* that I was uncertain to
        who actually manages, but I got Andy Shevchenko's and Dmitry Torokov's
        review tags on it and I trust them both 100% to do the right thing for
        Intel platform drivers.
      
        Summary:
      
         - Make a few Intel Chromebooks with Cherryview DMI firmware work
           smoothly.
      
         - A fix for some bogus allocations in the generic group management
           code.
      
         - Some GPIO descriptor lookup table stubs. Merged through the pin
           control tree for administrative reasons.
      
         - Revert the "bi-directional" and "output-enable" generic properties:
           we need more discussions around this. It seems other SoCs are using
           input/output gate enablement and these terms are not correct.
      
         - Fix mux and drive strength atomically in the MXS driver.
      
         - Fix the SPDIF function on sunxi A83T.
      
         - OF table terminators and other small fixes"
      
      * tag 'pinctrl-v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: sunxi: Fix SPDIF function name for A83T
        pinctrl: mxs: atomically switch mux and drive strength config
        pinctrl: cherryview: Extend the Chromebook DMI quirk to Intel_Strago systems
        firmware: dmi: Add DMI_PRODUCT_FAMILY identification string
        pinctrl: core: Fix warning by removing bogus code
        gpiolib: Add stubs for gpiod lookup table interface
        Revert "pinctrl: generic: Add bi-directional and output-enable"
        pinctrl: cherryview: Add terminate entry for dmi_system_id tables
      3f173bde
    • V
      kthread: fix boot hang (regression) on MIPS/OpenRISC · b0f5a8f3
      Vegard Nossum 提交于
      This fixes a regression in commit 4d6501dc where I didn't notice
      that MIPS and OpenRISC were reinitialising p->{set,clear}_child_tid to
      NULL after our initialisation in copy_process().
      
      We can simply get rid of the arch-specific initialisation here since it
      is now always done in copy_process() before hitting copy_thread{,_tls}().
      
      Review notes:
      
       - As far as I can tell, copy_process() is the only user of
         copy_thread_tls(), which is the only caller of copy_thread() for
         architectures that don't implement copy_thread_tls().
      
       - After this patch, there is no arch-specific code touching
         p->set_child_tid or p->clear_child_tid whatsoever.
      
       - It may look like MIPS/OpenRISC wanted to always have these fields be
         NULL, but that's not true, as copy_process() would unconditionally
         set them again _after_ calling copy_thread_tls() before commit
         4d6501dc.
      
      Fixes: 4d6501dc ("kthread: Fix use-after-free if kthread fork fails")
      Reported-by: NGuenter Roeck <linux@roeck-us.net>
      Tested-by: Guenter Roeck <linux@roeck-us.net> # MIPS only
      Acked-by: NStafford Horne <shorne@gmail.com>
      Acked-by: NOleg Nesterov <oleg@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: Jonas Bonn <jonas@southpole.se>
      Cc: Stefan Kristiansson <stefan.kristiansson@saunalahti.fi>
      Cc: openrisc@lists.librecores.org
      Cc: Jamie Iles <jamie.iles@oracle.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: NVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b0f5a8f3
  6. 29 5月, 2017 3 次提交
    • M
      ovl: filter trusted xattr for non-admin · a082c6f6
      Miklos Szeredi 提交于
      Filesystems filter out extended attributes in the "trusted." domain for
      unprivlieged callers.
      
      Overlay calls underlying filesystem's method with elevated privs, so need
      to do the filtering in overlayfs too.
      Signed-off-by: NMiklos Szeredi <mszeredi@redhat.com>
      a082c6f6
    • H
      HID: i2c: Call acpi_device_fix_up_power for ACPI-enumerated devices · f3d3eab6
      Hans de Goede 提交于
      For ACPI devices which do not have a _PSC method, the ACPI subsys cannot
      query their initial state at boot, so these devices are assumed to have
      been put in D0 by the BIOS, but for touchscreens that is not always true.
      
      This commit adds a call to acpi_device_fix_up_power to explicitly put
      devices without a _PSC method into D0 state (for devices with a _PSC
      method it is a nop). Note we only need to do this on probe, after a
      resume the ACPI subsys knows the device is in D3 and will properly
      put it in D0.
      
      This fixes the SIS0817 i2c-hid touchscreen on a Peaq C1010 2-in-1
      device failing to probe with a "hid_descr_cmd failed" error.
      Acked-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NHans de Goede <hdegoede@redhat.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      f3d3eab6
    • A
      ovl: mark upper merge dir with type origin entries "impure" · f3a15685
      Amir Goldstein 提交于
      An upper dir is marked "impure" to let ovl_iterate() know that this
      directory may contain non pure upper entries whose d_ino may need to be
      read from the origin inode.
      
      We already mark a non-merge dir "impure" when moving a non-pure child
      entry inside it, to let ovl_iterate() know not to iterate the non-merge
      dir directly.
      
      Mark also a merge dir "impure" when moving a non-pure child entry inside
      it and when copying up a child entry inside it.
      
      This can be used to optimize ovl_iterate() to perform a "pure merge" of
      upper and lower directories, merging the content of the directories,
      without having to read d_ino from origin inodes.
      Signed-off-by: NAmir Goldstein <amir73il@gmail.com>
      Signed-off-by: NMiklos Szeredi <mszeredi@redhat.com>
      f3a15685