1. 10 2月, 2017 10 次提交
    • F
      tick/nohz: Fix possible missing clock reprog after tick soft restart · 7bdb59f1
      Frederic Weisbecker 提交于
      ts->next_tick keeps track of the next tick deadline in order to optimize
      clock programmation on irq exit and avoid redundant clock device writes.
      
      Now if ts->next_tick missed an update, we may spuriously miss a clock
      reprog later as the nohz code is fooled by an obsolete next_tick value.
      
      This is what happens here on a specific path: when we observe an
      expired timer from the nohz update code on irq exit, we perform a soft
      tick restart which simply fires the closest possible tick without
      actually exiting the nohz mode and restoring a periodic state. But we
      forget to update ts->next_tick accordingly.
      
      As a result, after the next tick resulting from such soft tick restart,
      the nohz code sees a stale value on ts->next_tick which doesn't match
      the clock deadline that just expired. If that obsolete ts->next_tick
      value happens to collide with the actual next tick deadline to be
      scheduled, we may spuriously bypass the clock reprogramming. In the
      worst case, the tick may never fire again.
      
      Fix this with a ts->next_tick reset on soft tick restart.
      Signed-off-by: NFrederic Weisbecker <fweisbec@gmail.com>
      Reviewed: Wanpeng Li <wanpeng.li@hotmail.com>
      Acked-by: NRik van Riel <riel@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/1486485894-29173-1-git-send-email-fweisbec@gmail.comSigned-off-by: NThomas Gleixner <tglx@linutronix.de>
      7bdb59f1
    • L
      Merge tag 'drm-fixes-for-v4.10-rc8' of git://people.freedesktop.org/~airlied/linux · 3d88460d
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "This should be the final set of drm fixes for 4.10: one vmwgfx boot
        fix, one vc4 fix, and a few i915 fixes:
      
      * tag 'drm-fixes-for-v4.10-rc8' of git://people.freedesktop.org/~airlied/linux:
        drm: vc4: adapt to new behaviour of drm_crtc.c
        drm/i915: Always convert incoming exec offsets to non-canonical
        drm/i915: Remove overzealous fence warn on runtime suspend
        drm/i915/bxt: Add MST support when do DPLL calculation
        drm/i915: don't warn about Skylake CPU - KabyPoint PCH combo
        drm/i915: fix i915 running as dom0 under Xen
        drm/i915: Flush untouched framebuffers before display on !llc
        drm/i915: fix use-after-free in page_flip_completed()
        drm/vmwgfx: Fix depth input into drm_mode_legacy_fb_format
      3d88460d
    • D
      Merge tag 'drm-intel-fixes-2017-02-09' of... · 697d3a21
      Dave Airlie 提交于
      Merge tag 'drm-intel-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes
      
      Hopefully final fixes for v4.10, about half of them stable material.
      
      * tag 'drm-intel-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-intel:
        drm/i915: Always convert incoming exec offsets to non-canonical
        drm/i915: Remove overzealous fence warn on runtime suspend
        drm/i915/bxt: Add MST support when do DPLL calculation
        drm/i915: don't warn about Skylake CPU - KabyPoint PCH combo
        drm/i915: fix i915 running as dom0 under Xen
        drm/i915: Flush untouched framebuffers before display on !llc
        drm/i915: fix use-after-free in page_flip_completed()
      697d3a21
    • D
      Merge tag 'drm-misc-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes · 811b40c8
      Dave Airlie 提交于
      Last-minute vc4 fix for 4.10.
      
      * tag 'drm-misc-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-misc:
        drm: vc4: adapt to new behaviour of drm_crtc.c
      811b40c8
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 55aac6ef
      Linus Torvalds 提交于
      Pull SCSI target fixes from Nicholas Bellinger:
       "This target series for v4.10 contains fixes which address a few
        long-standing bugs that DATERA's QA + automation teams have uncovered
        while putting v4.1.y target code into production usage.
      
        We've been running the top three in our nightly automated regression
        runs for the last two months, and the COMPARE_AND_WRITE fix Mr. Gary
        Guo has been manually verifying against a four node ESX cluster this
        past week.
      
        Note all of them have CC' stable tags.
      
        Summary:
      
         - Fix a bug with ESX EXTENDED_COPY + SAM_STAT_RESERVATION_CONFLICT
           status, where target_core_xcopy.c logic was incorrectly returning
           SAM_STAT_CHECK_CONDITION for all non SAM_STAT_GOOD cases (Nixon
           Vincent)
      
         - Fix a TMR LUN_RESET hung task bug while other in-flight TMRs are
           being aborted, before the new one had been dispatched into tmr_wq
           (Rob Millner)
      
         - Fix a long standing double free OOPs, where a dynamically generated
           'demo-mode' NodeACL has multiple sessions associated with it, and
           the /sys/kernel/config/target/$FABRIC/$WWN/ subsequently disables
           demo-mode, but never converts the dynamic ACL into a explicit ACL
           (Rob Millner)
      
         - Fix a long standing reference leak with ESX VAAI COMPARE_AND_WRITE
           when the second phase WRITE COMMIT command fails, resulting in
           CHECK_CONDITION response never being sent and se_cmd->cmd_kref
           never reaching zero (Gary Guo)
      
        Beyond these items on v4.1.y we've reproduced, fixed, and run through
        our regression test suite using iscsi-target exports, there are two
        additional outstanding list items:
      
         - Remove a >= v4.2 RCU conversion BUG_ON that would trigger when
           dynamic node NodeACLs where being converted to explicit NodeACLs.
           The patch drops the BUG_ON to follow how pre RCU conversion worked
           for this special case (Benjamin Estrabaud)
      
         - Add ibmvscsis target_core_fabric_ops->max_data_sg_nent assignment
           to match what IBM's Virtual SCSI hypervisor is already enforcing at
           transport layer. (Bryant Ly + Steven Royer)"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        ibmvscsis: Add SGL limit
        target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
        target: Fix multi-session dynamic se_node_acl double free OOPs
        target: Fix early transport_generic_handle_tmr abort scenario
        target: Use correct SCSI status during EXTENDED_COPY exception
        target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
      55aac6ef
    • L
      Merge tag 'pstore-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 2b369478
      Linus Torvalds 提交于
      Pull pstore fix from Kees Cook:
       "Fix pstore regression (boot Oops) when ftrace disabled, from Brian
        Norris"
      
      * tag 'pstore-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore: don't OOPS when there are no ftrace zones
      2b369478
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 99378fd2
      Linus Torvalds 提交于
      Pull input fixes from Dmitry Torokhov:
       "A fix for a crash in uinput, and a fix for build errors when HID-RMI
        is built-in but SERIO is a module"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - select 'SERIO' when needed
        Input: uinput - fix crash when mixing old and new init style
      99378fd2
    • B
      pstore: don't OOPS when there are no ftrace zones · 8672aed7
      Brian Norris 提交于
      We'll OOPS in ramoops_get_next_prz() if the platform didn't ask for any
      ftrace zones (i.e., cxt->fprzs will be NULL). Let's just skip this
      entire FTRACE section if there's no 'fprzs'.
      
      Regression seen on a coreboot/depthcharge-based Chromebook.
      
      Fixes: 2fbea82b ("pstore: Merge per-CPU ftrace records into one")
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      8672aed7
    • L
      Merge tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio · 189addce
      Linus Torvalds 提交于
      Pull VFIO fix from Alex Williamson:
       "Fix regression in attaching groups to existing container for SPAPR
        IOMMU backend (Alexey Kardashevskiy)"
      
      * tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio:
        vfio/spapr_tce: Set window when adding additional groups to container
      189addce
    • L
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 59e8f10a
      Linus Torvalds 提交于
      Pull ARM fixes from Russell King:
       "A couple more fixes for 4.10:
      
         - fix addressing the short regset write issue (Dave Martin)
      
         - fix for LPAE systems which leave a pending imprecise data abort
           before entering the kernel (Alexander Sverdlin)"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
        ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
      59e8f10a
  2. 09 2月, 2017 15 次提交
    • L
      Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback" · d966564f
      Linus Torvalds 提交于
      This reverts commit 020eb3da.
      
      Gabriel C reports that it causes his machine to not boot, and we haven't
      tracked down the reason for it yet.  Since the bug it fixes has been
      around for a longish time, we're better off reverting the fix for now.
      
      Gabriel says:
       "It hangs early and freezes with a lot RCU warnings.
      
        I bisected it down to :
      
        > Ruslan Ruslichenko (1):
        >       x86/ioapic: Restore IO-APIC irq_chip retrigger callback
      
        Reverting this one fixes the problem for me..
      
        The box is a PRIMERGY TX200 S5 , 2 socket , 2 x E5520 CPU(s) installed"
      
      and Ruslan and Thomas are currently stumped.
      Reported-and-bisected-by: NGabriel C <nix.or.die@gmail.com>
      Cc: Ruslan Ruslichenko <rruslich@cisco.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: stable@kernel.org   # for the backport of the original commit
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      d966564f
    • D
      Revert "hwrng: core - zeroize buffers with random data" · 3b802c94
      David Daney 提交于
      This reverts commit 2cc75154.
      
      With this commit in place I get on a Cavium ThunderX (arm64) system:
      
      $ if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-bad.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 9.1171e-05 s, 2.8 MB/s
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-bad.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 9.6141e-05 s, 2.7 MB/s
      $ cat rng-bad.txt
      000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000050 00 00 00 00 37 20 46 ae d0 fc 1c 55 25 6e b0 b8
      000060 7c 7e d7 d4 00 0f 6f b2 91 1e 30 a8 fa 3e 52 0e
      000070 06 2d 53 30 be a1 20 0f aa 56 6e 0e 44 6e f4 35
      000080 b7 6a fe d2 52 70 7e 58 56 02 41 ea d1 9c 6a 6a
      000090 d1 bd d8 4c da 35 45 ef 89 55 fc 59 d5 cd 57 ba
      0000a0 4e 3e 02 1c 12 76 43 37 23 e1 9f 7a 9f 9e 99 24
      0000b0 47 b2 de e3 79 85 f6 55 7e ad 76 13 4f a0 b5 41
      0000c0 c6 92 42 01 d9 12 de 8f b4 7b 6e ae d7 24 fc 65
      0000d0 4d af 0a aa 36 d9 17 8d 0e 8b 7a 3b b6 5f 96 47
      0000e0 46 f7 d8 ce 0b e8 3e c6 13 a6 2c b6 d6 cc 17 26
      0000f0 e3 c3 17 8e 9e 45 56 1e 41 ef 29 1a a8 65 c8 3a
      000100
      000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      000050 00 00 00 00 f4 90 65 aa 8b f2 5e 31 01 53 b4 d4
      000060 06 c0 23 a2 99 3d 01 e4 b0 c1 b1 55 0f 80 63 cf
      000070 33 24 d8 3a 1d 5e cd 2c ba c0 d0 18 6f bc 97 46
      000080 1e 19 51 b1 90 15 af 80 5e d1 08 0d eb b0 6c ab
      000090 6a b4 fe 62 37 c5 e1 ee 93 c3 58 78 91 2a d5 23
      0000a0 63 50 eb 1f 3b 84 35 18 cf b2 a4 b8 46 69 9e cf
      0000b0 0c 95 af 03 51 45 a8 42 f1 64 c9 55 fc 69 76 63
      0000c0 98 9d 82 fa 76 85 24 da 80 07 29 fe 4e 76 0c 61
      0000d0 ff 23 94 4f c8 5c ce 0b 50 e8 31 bc 9d ce f4 ca
      0000e0 be ca 28 da e6 fa cc 64 1c ec a8 41 db fe 42 bd
      0000f0 a0 e2 4b 32 b4 52 ba 03 70 8e c1 8e d0 50 3a c6
      000100
      
      To my untrained mental entropy detector, the first several bytes of
      each read from /dev/hwrng seem to not be very random (i.e. all zero).
      
      When I revert the patch (apply this patch), I get back to what we have
      in v4.9, which looks like (much more random appearing):
      
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-good.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 0.000252233 s, 1.0 MB/s
      $ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-good.txt
      1+0 records in
      1+0 records out
      256 bytes (256 B) copied, 0.000113571 s, 2.3 MB/s
      $ cat rng-good.txt
      000000 75 d1 2d 19 68 1f d2 26 a1 49 22 61 66 e8 09 e5
      000010 e0 4e 10 d0 1a 2c 45 5d 59 04 79 8e e2 b7 2c 2e
      000020 e8 ad da 34 d5 56 51 3d 58 29 c7 7a 8e ed 22 67
      000030 f9 25 b9 fb c6 b7 9c 35 1f 84 21 35 c1 1d 48 34
      000040 45 7c f6 f1 57 63 1a 88 38 e8 81 f0 a9 63 ad 0e
      000050 be 5d 3e 74 2e 4e cb 36 c2 01 a8 14 e1 38 e1 bb
      000060 23 79 09 56 77 19 ff 98 e8 44 f3 27 eb 6e 0a cb
      000070 c9 36 e3 2a 96 13 07 a0 90 3f 3b bd 1d 04 1d 67
      000080 be 33 14 f8 02 c2 a4 02 ab 8b 5b 74 86 17 f0 5e
      000090 a1 d7 aa ef a6 21 7b 93 d1 85 86 eb 4e 8c d0 4c
      0000a0 56 ac e4 45 27 44 84 9f 71 db 36 b9 f7 47 d7 b3
      0000b0 f2 9c 62 41 a3 46 2b 5b e3 80 63 a4 35 b5 3c f4
      0000c0 bc 1e 3a ad e4 59 4a 98 6c e8 8d ff 1b 16 f8 52
      0000d0 05 5c 2f 52 2a 0f 45 5b 51 fb 93 97 a4 49 4f 06
      0000e0 f3 a0 d1 1e ba 3d ed a7 60 8f bb 84 2c 21 94 2d
      0000f0 b3 66 a6 61 1e 58 30 24 85 f8 c8 18 c3 77 00 22
      000100
      000000 73 ca cc a1 d9 bb 21 8d c3 5c f3 ab 43 6d a7 a4
      000010 4a fd c5 f4 9c ba 4a 0f b1 2e 19 15 4e 84 26 e0
      000020 67 c9 f2 52 4d 65 1f 81 b7 8b 6d 2b 56 7b 99 75
      000030 2e cd d0 db 08 0c 4b df f3 83 c6 83 00 2e 2b b8
      000040 0f af 61 1d f2 02 35 74 b5 a4 6f 28 f3 a1 09 12
      000050 f2 53 b5 d2 da 45 01 e5 12 d6 46 f8 0b db ed 51
      000060 7b f4 0d 54 e0 63 ea 22 e2 1d d0 d6 d0 e7 7e e0
      000070 93 91 fb 87 95 43 41 28 de 3d 8b a3 a8 8f c4 9e
      000080 30 95 12 7a b2 27 28 ff 37 04 2e 09 7c dd 7c 12
      000090 e1 50 60 fb 6d 5f a8 65 14 40 89 e3 4c d2 87 8f
      0000a0 34 76 7e 66 7a 8e 6b a3 fc cf 38 52 2e f9 26 f0
      0000b0 98 63 15 06 34 99 b2 88 4f aa d8 14 88 71 f1 81
      0000c0 be 51 11 2b f4 7e a0 1e 12 b2 44 2e f6 8d 84 ea
      0000d0 63 82 2b 66 b3 9a fd 08 73 5a c2 cc ab 5a af b1
      0000e0 88 e3 a6 80 4b fc db ed 71 e0 ae c0 0a a4 8c 35
      0000f0 eb 89 f9 8a 4b 52 59 6f 09 7c 01 3f 56 e7 c7 bf
      000100
      Signed-off-by: NDavid Daney <david.daney@cavium.com>
      Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      3b802c94
    • L
      Merge branch 'akpm' (patches from Andrew) · 507053d2
      Linus Torvalds 提交于
      Merge fixes from Andrew Morton:
       "4 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm/slub.c: fix random_seq offset destruction
        cpumask: use nr_cpumask_bits for parsing functions
        mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
        kernel/ucount.c: mark user_header with kmemleak_ignore()
      507053d2
    • S
      mm/slub.c: fix random_seq offset destruction · a810007a
      Sean Rees 提交于
      Commit 210e7a43 ("mm: SLUB freelist randomization") broke USB hub
      initialisation as described in
      
        https://bugzilla.kernel.org/show_bug.cgi?id=177551.
      
      Bail out early from init_cache_random_seq if s->random_seq is already
      initialised.  This prevents destroying the previously computed
      random_seq offsets later in the function.
      
      If the offsets are destroyed, then shuffle_freelist will truncate
      page->freelist to just the first object (orphaning the rest).
      
      Fixes: 210e7a43 ("mm: SLUB freelist randomization")
      Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.orgSigned-off-by: NSean Rees <sean@erifax.org>
      Reported-by: <userwithuid@gmail.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Thomas Garnier <thgarnie@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      a810007a
    • T
      cpumask: use nr_cpumask_bits for parsing functions · 4d59b6cc
      Tejun Heo 提交于
      Commit 513e3d2d ("cpumask: always use nr_cpu_ids in formatting and
      parsing functions") converted both cpumask printing and parsing
      functions to use nr_cpu_ids instead of nr_cpumask_bits.  While this was
      okay for the printing functions as it just picked one of the two output
      formats that we were alternating between depending on a kernel config,
      doing the same for parsing wasn't okay.
      
      nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS.  We can always use
      nr_cpu_ids but that is a variable while NR_CPUS is a constant, so it can
      be more efficient to use NR_CPUS when we can get away with it.
      Converting the printing functions to nr_cpu_ids makes sense because it
      affects how the masks get presented to userspace and doesn't break
      anything; however, using nr_cpu_ids for parsing functions can
      incorrectly leave the higher bits uninitialized while reading in these
      masks from userland.  As all testing and comparison functions use
      nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed cpumasks
      can erroneously yield false negative results.
      
      This made the taskstats interface incorrectly return -EINVAL even when
      the inputs were correct.
      
      Fix it by restoring the parse functions to use nr_cpumask_bits instead
      of nr_cpu_ids.
      
      Link: http://lkml.kernel.org/r/20170206182442.GB31078@htj.duckdns.org
      Fixes: 513e3d2d ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-by: NMartin Steigerwald <martin.steigerwald@teamix.de>
      Debugged-by: NBen Hutchings <ben.hutchings@codethink.co.uk>
      Cc: <stable@vger.kernel.org>	[4.0+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      4d59b6cc
    • J
      mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers · 0911d004
      Jan Kara 提交于
      Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return
      code (GFS2 or Lustre can definitely do this).  However VM_FAULT_RETRY
      from ->page_mkwrite is completely unhandled by the mm code and results
      in locking and writeably mapping the page which definitely is not what
      the caller wanted.
      
      Fix Lustre and block_page_mkwrite_ret() used by other filesystems
      (notably GFS2) to return VM_FAULT_NOPAGE instead which results in
      bailing out from the fault code, the CPU then retries the access, and we
      fault again effectively doing what the handler wanted.
      
      Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.czSigned-off-by: NJan Kara <jack@suse.cz>
      Reported-by: NAl Viro <viro@ZenIV.linux.org.uk>
      Reviewed-by: NJinshan Xiong <jinshan.xiong@intel.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      0911d004
    • L
      kernel/ucount.c: mark user_header with kmemleak_ignore() · ed5bd7dc
      Luis R. Rodriguez 提交于
      The user_header gets caught by kmemleak with the following splat as
      missing a free:
      
        unreferenced object 0xffff99667a733d80 (size 96):
        comm "swapper/0", pid 1, jiffies 4294892317 (age 62191.468s)
        hex dump (first 32 bytes):
          a0 b6 92 b4 ff ff ff ff 00 00 00 00 01 00 00 00  ................
          01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
        backtrace:
           kmemleak_alloc+0x4a/0xa0
           __kmalloc+0x144/0x260
           __register_sysctl_table+0x54/0x5e0
           register_sysctl+0x1b/0x20
           user_namespace_sysctl_init+0x17/0x34
           do_one_initcall+0x52/0x1a0
           kernel_init_freeable+0x173/0x200
           kernel_init+0xe/0x100
           ret_from_fork+0x2c/0x40
      
      The BUG_ON()s are intended to crash so no need to clean up after
      ourselves on error there.  This is also a kernel/ subsys_init() we don't
      need a respective exit call here as this is never modular, so just white
      list it.
      
      Link: http://lkml.kernel.org/r/20170203211404.31458-1-mcgrof@kernel.orgSigned-off-by: NLuis R. Rodriguez <mcgrof@kernel.org>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Nikolay Borisov <n.borisov.lkml@gmail.com>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      ed5bd7dc
    • A
      drm: vc4: adapt to new behaviour of drm_crtc.c · 49d29a07
      Andrzej Pietrasiewicz 提交于
      When drm_crtc_init_with_planes() was orignally added
      (in drm_crtc.c, e13161af
      drm: Add drm_crtc_init_with_planes() (v2)), it only checked for "primary"
      being non-null. If that was the case, it modified primary->possible_crtcs.
      
      Then, when support for cursor planes was added
      (fc1d3e44 drm: Allow drivers to register
      cursor planes with crtc), the same behaviour was implemented for cursor
      planes.
      
      vc4_plane_init() since its inception has passed 0xff as "possible_crtcs"
      parameter to drm_universal_plane_init(). With a change in drm_crtc.c
      (7abc7d47 drm: don't override
      possible_crtcs for primary/cursor planes) passing 0xff results in primary's
      possible_crtcs set to 0xff (cursor was updated manually by vc4_crtc.c).
      Consequently, it would be allowed to use the primary plane from CRTC 1 (for
      example) on CRTC 0, which would result in the overlay and cursors being
      buried.
      Signed-off-by: NAndrzej Pietrasiewicz <andrzej.p@samsung.com>
      Reviewed-by: NEric Anholt <eric@anholt.net>
      Link: http://patchwork.freedesktop.org/patch/msgid/1485941708-27892-1-git-send-email-andrzej.p@samsung.com
      Fixes: 7abc7d47 ("drm: don't override possible_crtcs for primary/cursor planes")
      49d29a07
    • L
      Merge tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · be11f436
      Linus Torvalds 提交于
      Pull PCI fixes from Bjorn Helgaas:
      
       - check MSI affinity vs. number of vectors to avoid memory corruption
      
       - drop runtime power management for PCIe hotplug ports for now to avoid
         regressing hotplug via sysfs
      
      * tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        Revert "PCI: pciehp: Add runtime PM support for PCIe hotplug ports"
        PCI/MSI: Don't apply affinity if there aren't enough vectors left
      be11f436
    • B
      ibmvscsis: Add SGL limit · b22bc278
      Bryant G. Ly 提交于
      This patch adds internal LIO sgl limit since the driver already
      sets a max transfer limit on transport layer of 1MB to the client.
      
      Cc: stable@vger.kernel.org
      Tested-by: NSteven Royer <seroyer@linux.vnet.ibm.com>
      Signed-off-by: NBryant G. Ly <bryantly@linux.vnet.ibm.com>
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      b22bc278
    • L
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 472ff5be
      Linus Torvalds 提交于
      Pull ARM SoC fixes from Arnd Bergmann:
      
       - A relatively large patch restores booting on i.MX platforms that
         failed to boot after a cleanup was merged for v4.10.
      
       - A quirk for USB needs to be enabled on the STi platform
      
       - On the Meson platform, we saw memory corruption with part of the
         memory used by the secure monitor, so we have to stay out of that
         area.
      
       - The same platform also has a problem with ethernet under load, which
         is fixed by disabling EEE negotiation.
      
       - imx6dl has an incorrect pin configuration, which prevents SPI from
         working.
      
       - Two maintainers have lost their access to their email addresses, so
         we should update the MAINTAINERS file before the release
      
       - Renaming one of the orion5x linkstation models to help simplify the
         debian install.
      
       - A couple of fixes for build warnings that were introduced during
         v4.10-rc.
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in
        MAINTAINERS: socfpga: update email for Dinh Nguyen
        ARM: orion5x: fix Makefile for linkstation-lschl.dtb
        ARM: dts: orion5x-lschl: More consistent naming on linkstation series
        ARM: dts: orion5x-lschl: Fix model name
        MAINTAINERS: change email address from atmel to microchip
        MAINTAINERS: at91: change email address
        ARM64: dts: meson-gx: Add firmware reserved memory zones
        ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
        ARM: dts: STiH407-family: set snps,dis_u3_susphy_quirk
        ARM: dts: imx: Pass 'chosen' and 'memory' nodes
        ARM: dts: imx6dl: fix GPIO4 range
        ARM: imx: hide unused variable in #ifdef
      472ff5be
    • L
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · d3498fba
      Linus Torvalds 提交于
      Pull selinux fix from James Morris:
       "Fix off-by-one in setprocattr"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        selinux: fix off-by-one in setprocattr
      d3498fba
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 23fbe2cd
      Linus Torvalds 提交于
      Pull block fix from Jens Axboe:
       "A single fix that should go into 4.10, fixing a regression on some
        devices with the WRITE_SAME command"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        block: don't try Write Same from __blkdev_issue_zeroout
      23fbe2cd
    • N
      target: Fix COMPARE_AND_WRITE ref leak for non GOOD status · 9b2792c3
      Nicholas Bellinger 提交于
      This patch addresses a long standing bug where the commit phase
      of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference
      leak if se_cmd->scsi_status returned non SAM_STAT_GOOD.
      
      This would manifest first as a lost SCSI response, and eventual
      hung task during fabric driver logout or re-login, as existing
      shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref
      to reach zero.
      
      To address this bug, compare_and_write_post() has been changed
      to drop the incorrect !cmd->scsi_status conditional that was
      preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
      status.
      
      This patch has been tested with SAM_STAT_CHECK_CONDITION status
      from normal target_complete_cmd() callback path, as well as the
      incoming __target_execute_cmd() submission failure path when
      se_cmd->execute_cmd() returns non zero status.
      Reported-by: NDonald White <dew@datera.io>
      Cc: Donald White <dew@datera.io>
      Tested-by: NGary Guo <ghg@datera.io>
      Cc: Gary Guo <ghg@datera.io>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: <stable@vger.kernel.org> # v3.12+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      9b2792c3
    • N
      target: Fix multi-session dynamic se_node_acl double free OOPs · 01d4d673
      Nicholas Bellinger 提交于
      This patch addresses a long-standing bug with multi-session
      (eg: iscsi-target + iser-target) se_node_acl dynamic free
      withini transport_deregister_session().
      
      This bug is caused when a storage endpoint is configured with
      demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
      initiators, and initiator login creates a new dynamic node acl
      and attaches two sessions to it.
      
      After that, demo-mode for the storage instance is disabled via
      configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
      the existing dynamic acl is never converted to an explicit ACL.
      
      The end result is dynamic acl resources are released twice when
      the sessions are shutdown in transport_deregister_session().
      
      If the storage instance is not changed to disable demo-mode,
      or the dynamic acl is converted to an explict ACL, or there
      is only a single session associated with the dynamic ACL,
      the bug is not triggered.
      
      To address this big, move the release of dynamic se_node_acl
      memory into target_complete_nacl() so it's only freed once
      when se_node_acl->acl_kref reaches zero.
      
      (Drop unnecessary list_del_init usage - HCH)
      Reported-by: NRob Millner <rlm@daterainc.com>
      Tested-by: NRob Millner <rlm@daterainc.com>
      Cc: Rob Millner <rlm@daterainc.com>
      Cc: stable@vger.kernel.org # 4.1+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      01d4d673
  3. 08 2月, 2017 15 次提交
    • N
      target: Fix early transport_generic_handle_tmr abort scenario · c54eeffb
      Nicholas Bellinger 提交于
      This patch fixes a bug where incoming task management requests
      can be explicitly aborted during an active LUN_RESET, but who's
      struct work_struct are canceled in-flight before execution.
      
      This occurs when core_tmr_drain_tmr_list() invokes cancel_work_sync()
      for the incoming se_tmr_req->task_cmd->work, resulting in cmd->work
      for target_tmr_work() never getting invoked and the aborted TMR
      waiting indefinately within transport_wait_for_tasks().
      
      To address this case, perform a CMD_T_ABORTED check early in
      transport_generic_handle_tmr(), and invoke the normal path via
      transport_cmd_check_stop_to_fabric() to complete any TMR kthreads
      blocked waiting for CMD_T_STOP in transport_wait_for_tasks().
      
      Also, move the TRANSPORT_ISTATE_PROCESSING assignment earlier
      into transport_generic_handle_tmr() so the existing check in
      core_tmr_drain_tmr_list() avoids attempting abort the incoming
      se_tmr_req->task_cmd->work if it has already been queued into
      se_device->tmr_wq.
      Reported-by: NRob Millner <rlm@daterainc.com>
      Tested-by: NRob Millner <rlm@daterainc.com>
      Cc: Rob Millner <rlm@daterainc.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      c54eeffb
    • N
      target: Use correct SCSI status during EXTENDED_COPY exception · 0583c261
      Nicholas Bellinger 提交于
      This patch adds the missing target_complete_cmd() SCSI status
      parameter change in target_xcopy_do_work(), that was originally
      missing in commit 926317de.
      
      It correctly propigates up the correct SCSI status during
      EXTENDED_COPY exception cases, instead of always using the
      hardcoded SAM_STAT_CHECK_CONDITION from original code.
      
      This is required for ESX host environments that expect to
      hit SAM_STAT_RESERVATION_CONFLICT for certain scenarios,
      and SAM_STAT_CHECK_CONDITION results in non-retriable
      status for these cases.
      Reported-by: NNixon Vincent <nixon.vincent@calsoftinc.com>
      Tested-by: NNixon Vincent <nixon.vincent@calsoftinc.com>
      Cc: Nixon Vincent <nixon.vincent@calsoftinc.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org # 3.14+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      0583c261
    • N
      target: Don't BUG_ON during NodeACL dynamic -> explicit conversion · 391e2a6d
      Nicholas Bellinger 提交于
      After the v4.2+ RCU conversion to se_node_acl->lun_entry_hlist,
      a BUG_ON() was added in core_enable_device_list_for_node() to
      detect when the located orig->se_lun_acl contains an existing
      se_lun_acl pointer reference.
      
      However, this scenario can happen when a dynamically generated
      NodeACL is being converted to an explicit NodeACL, when the
      explicit NodeACL contains a different LUN mapping than the
      default provided by the WWN endpoint.
      
      So instead of triggering BUG_ON(), go ahead and fail instead
      following the original pre RCU conversion logic.
      Reported-by: NBenjamin ESTRABAUD <ben.estrabaud@mpstor.com>
      Cc: Benjamin ESTRABAUD <ben.estrabaud@mpstor.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Cc: stable@vger.kernel.org # 4.2+
      Signed-off-by: NNicholas Bellinger <nab@linux-iscsi.org>
      391e2a6d
    • M
      drm/i915: Always convert incoming exec offsets to non-canonical · 6e7eb178
      Michał Winiarski 提交于
      We're using non-canonical addresses in drm_mm, and we're making sure that
      userspace is using canonical addressing - both in case of softpin
      (verifying incoming offset) and when relocating (converting to canonical
      when updating offset returned to userspace).
      Unfortunately when considering the need for relocations, we're comparing
      offset from userspace (in canonical form) with drm_mm node (in
      non-canonical form), and as a result, we end up always relocating if our
      offsets are in the "problematic" range.
      Let's always convert the offsets to avoid the performance impact of
      relocations.
      
      Fixes: a5f0edf6 ("drm/i915: Avoid writing relocs with addresses in non-canonical form")
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Michel Thierry <michel.thierry@intel.com>
      Reported-by: NMichał Pyrzowski <michal.pyrzowski@intel.com>
      Signed-off-by: NMichał Winiarski <michal.winiarski@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170207195559.18798-1-michal.winiarski@intel.comReviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      (cherry picked from commit 038c95a3)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      6e7eb178
    • C
      drm/i915: Remove overzealous fence warn on runtime suspend · 83bf6d55
      Chris Wilson 提交于
      The goal of the WARN was to catch when we are still actively using the
      fence as we go into the runtime suspend. However, the reg->pin_count is
      too coarse as it does not distinguish between exclusive ownership of the
      fence register from activity.
      
      I've not improved on the WARN, nor have we captured this WARN in an
      exact igt, but it is showing up regularly in the wild:
      
      [ 1915.935332] WARNING: CPU: 1 PID: 10861 at drivers/gpu/drm/i915/i915_gem.c:2022 i915_gem_runtime_suspend+0x116/0x130 [i915]
      [ 1915.935383] WARN_ON(reg->pin_count)[ 1915.935399] Modules linked in:
       snd_hda_intel i915 drm_kms_helper vgem netconsole scsi_transport_iscsi fuse vfat fat x86_pkg_temp_thermal coretemp intel_cstate intel_uncore snd_hda_codec_hdmi snd_hda_codec_generic snd_hda_codec snd_hwdep snd_hda_core snd_pcm snd_timer snd mei_me mei serio_raw intel_rapl_perf intel_pch_thermal soundcore wmi acpi_pad i2c_algo_bit syscopyarea sysfillrect sysimgblt fb_sys_fops drm r8169 mii video [last unloaded: drm_kms_helper]
      [ 1915.935785] CPU: 1 PID: 10861 Comm: kworker/1:0 Tainted: G     U  W       4.9.0-rc5+ #170
      [ 1915.935799] Hardware name: LENOVO 80MX/Lenovo E31-80, BIOS DCCN34WW(V2.03) 12/01/2015
      [ 1915.935822] Workqueue: pm pm_runtime_work
      [ 1915.935845]  ffffc900044fbbf0 ffffffffac3220bc ffffc900044fbc40 0000000000000000
      [ 1915.935890]  ffffc900044fbc30 ffffffffac059bcb 000007e6044fbc60 ffff8801626e3198
      [ 1915.935937]  ffff8801626e0000 0000000000000002 ffffffffc05e5d4e 0000000000000000
      [ 1915.935985] Call Trace:
      [ 1915.936013]  [<ffffffffac3220bc>] dump_stack+0x4f/0x73
      [ 1915.936038]  [<ffffffffac059bcb>] __warn+0xcb/0xf0
      [ 1915.936060]  [<ffffffffac059c4f>] warn_slowpath_fmt+0x5f/0x80
      [ 1915.936158]  [<ffffffffc052d916>] i915_gem_runtime_suspend+0x116/0x130 [i915]
      [ 1915.936251]  [<ffffffffc04f1c74>] intel_runtime_suspend+0x64/0x280 [i915]
      [ 1915.936277]  [<ffffffffac0926f1>] ? dequeue_entity+0x241/0xbc0
      [ 1915.936298]  [<ffffffffac36bb85>] pci_pm_runtime_suspend+0x55/0x180
      [ 1915.936317]  [<ffffffffac36bb30>] ? pci_pm_runtime_resume+0xa0/0xa0
      [ 1915.936339]  [<ffffffffac4514e2>] __rpm_callback+0x32/0x70
      [ 1915.936356]  [<ffffffffac451544>] rpm_callback+0x24/0x80
      [ 1915.936375]  [<ffffffffac36bb30>] ? pci_pm_runtime_resume+0xa0/0xa0
      [ 1915.936392]  [<ffffffffac45222d>] rpm_suspend+0x12d/0x680
      [ 1915.936415]  [<ffffffffac69f6d7>] ? _raw_spin_unlock_irq+0x17/0x30
      [ 1915.936435]  [<ffffffffac0810b8>] ? finish_task_switch+0x88/0x220
      [ 1915.936455]  [<ffffffffac4534bf>] pm_runtime_work+0x6f/0xb0
      [ 1915.936477]  [<ffffffffac074353>] process_one_work+0x1f3/0x4d0
      [ 1915.936501]  [<ffffffffac074678>] worker_thread+0x48/0x4e0
      [ 1915.936523]  [<ffffffffac074630>] ? process_one_work+0x4d0/0x4d0
      [ 1915.936542]  [<ffffffffac074630>] ? process_one_work+0x4d0/0x4d0
      [ 1915.936559]  [<ffffffffac07a2c9>] kthread+0xd9/0xf0
      [ 1915.936580]  [<ffffffffac07a1f0>] ? kthread_park+0x60/0x60
      [ 1915.936600]  [<ffffffffac69fe62>] ret_from_fork+0x22/0x30
      
      In the case the register is pinned, it should be present and we will
      need to invalidate them to be restored upon resume as we cannot expect
      the owner of the pin to call get_fence prior to use after resume.
      
      Fixes: 7c108fd8 ("drm/i915: Move fence cancellation to runtime suspend")
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98804Reported-by: NLionel Landwerlin <lionel.g.landwerlin@linux.intel.com>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Imre Deak <imre.deak@linux.intel.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
      Link: http://patchwork.freedesktop.org/patch/msgid/20170203125717.8431-1-chris@chris-wilson.co.ukReviewed-by: NJoonas Lahtinen <joonas.lahtinen@linux.intel.com>
      (cherry picked from commit e0ec3ec6)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      83bf6d55
    • L
      drm/i915/bxt: Add MST support when do DPLL calculation · 789ea125
      Lee, Shawn C 提交于
      Add the missing INTEL_OUTPUT_DP_MST case in bxt_get_dpll()
      to correctly initialize the crtc_state and port plls when
      link training a DP MST monitor on BXT/APL devices.
      
      Fixes: a277ca7d ("drm/i915: Split bxt_ddi_pll_select()")
      Bugs: https://bugs.freedesktop.org/show_bug.cgi?id=99572Reviewed-by: NCooper Chiou <cooper.chiou@intel.com>
      Reviewed-by: NGary C Wang <gary.c.wang@intel.com>
      Reviewed-by: NCiobanu, Nathan D <nathan.d.ciobanu@intel.com>
      Reviewed-by: NHerbert, Marc <marc.herbert@intel.com>
      Reviewed-by: NBride, Jim <jim.bride@intel.com>
      Reviewed-by: NNavare, Manasi D <manasi.d.navare@intel.com>
      Cc: Jani Nikula <jani.nikula@intel.com>
      Cc: <stable@vger.kernel.org> # v4.9+
      Signed-off-by: NLee, Shawn C <shawn.c.lee@intel.com>
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/1486096329-6255-1-git-send-email-shawn.c.lee@intel.com
      (cherry picked from commit 0aab2c72)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      789ea125
    • J
      drm/i915: don't warn about Skylake CPU - KabyPoint PCH combo · 85327748
      Jani Nikula 提交于
      Apparently there are machines out there with Skylake CPU and KabyPoint
      PCH. Judging from our driver code, there doesn't seem to be any code
      paths that would do anything different between SunrisePoint and
      KabyPoint PCHs, so it would seem okay to accept the combo without
      warnings.
      
      Fixes: 22dea0be ("drm/i915: Introduce Kabypoint PCH for Kabylake H/DT.")
      References: https://lists.freedesktop.org/archives/intel-gfx/2017-February/118611.htmlReported-by: NRainer Koenig <Rainer.Koenig@ts.fujitsu.com>
      Cc: Rainer Koenig <Rainer.Koenig@ts.fujitsu.com>
      Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Cc: <stable@vger.kernel.org> # v4.8+
      Reviewed-by: NRodrigo Vivi <rodrigo.vivi@intel.com>
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/1485956769-26015-1-git-send-email-jani.nikula@intel.com
      (cherry picked from commit 3aac4acb)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      85327748
    • J
      drm/i915: fix i915 running as dom0 under Xen · 71521871
      Juergen Gross 提交于
      Commit 920cf419 ("drm/i915: Introduce an internal allocator for
      disposable private objects") introduced a regression for the kernel
      running as Xen dom0: when switching to graphics mode a GPU HANG
      occurred.
      
      Reason seems to be a missing adaption similar to that done in
      commit 7453c549 ("swiotlb: Export swiotlb_max_segment to users")
      to i915_gem_object_get_pages_internal().
      
      So limit the maximum page order to be used according to the maximum
      swiotlb segment size instead to the complete swiotlb size.
      
      Fixes: 920cf419 ("drm/i915: Introduce an internal allocator for disposable private objects")
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170202094711.939-1-jgross@suse.com
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
      Cc: Daniel Vetter <daniel.vetter@intel.com>
      Cc: Jani Nikula <jani.nikula@linux.intel.com>
      Cc: intel-gfx@lists.freedesktop.org
      Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
      Reviewed-by: NTvrtko Ursulin <tvrtko.ursulin@intel.com>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      (cherry picked from commit 5584f1b1)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      71521871
    • C
      drm/i915: Flush untouched framebuffers before display on !llc · e3818697
      Chris Wilson 提交于
      On a non-llc system, the objects are created with .cache_level =
      CACHE_NONE and so the transition to uncached for scanout is a no-op.
      However, if the object was never written to, it will still be in the CPU
      domain (having been zeroed out by shmemfs). Those cachelines need to be
      flushed prior to display.
      
      Reported-and-tested-by: Vito Caputo
      Fixes: a6a7cc4b ("drm/i915: Always flush the dirty CPU cache when pinning the scanout")
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.10-rc1+
      Link: http://patchwork.freedesktop.org/patch/msgid/20170109111932.6342-1-chris@chris-wilson.co.ukReviewed-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      (cherry picked from commit 69aeafea)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      e3818697
    • A
      drm/i915: fix use-after-free in page_flip_completed() · 5351fbb1
      Andrey Ryabinin 提交于
      page_flip_completed() dereferences 'work' variable after executing
      queue_work(). This is not safe as the 'work' item might be already freed
      by queued work:
      
          BUG: KASAN: use-after-free in page_flip_completed+0x3ff/0x490 at addr ffff8803dc010f90
          Call Trace:
           __asan_report_load8_noabort+0x59/0x80
           page_flip_completed+0x3ff/0x490
           intel_finish_page_flip_mmio+0xe3/0x130
           intel_pipe_handle_vblank+0x2d/0x40
           gen8_irq_handler+0x4a7/0xed0
           __handle_irq_event_percpu+0xf6/0x860
           handle_irq_event_percpu+0x6b/0x160
           handle_irq_event+0xc7/0x1b0
           handle_edge_irq+0x1f4/0xa50
           handle_irq+0x41/0x70
           do_IRQ+0x9a/0x200
           common_interrupt+0x89/0x89
      
          Freed:
           kfree+0x113/0x4d0
           intel_unpin_work_fn+0x29a/0x3b0
           process_one_work+0x79e/0x1b70
           worker_thread+0x611/0x1460
           kthread+0x241/0x3a0
           ret_from_fork+0x27/0x40
      
      Move queue_work() after	trace_i915_flip_complete() to fix this.
      
      Fixes: e5510fac ("drm/i915: add tracepoints for flip requests & completions")
      Signed-off-by: NAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: <stable@vger.kernel.org> # v2.6.36+
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: NDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/20170126143211.24013-1-aryabinin@virtuozzo.com
      (cherry picked from commit 05c41f92)
      Signed-off-by: NJani Nikula <jani.nikula@intel.com>
      5351fbb1
    • S
      selinux: fix off-by-one in setprocattr · 0c461cb7
      Stephen Smalley 提交于
      SELinux tries to support setting/clearing of /proc/pid/attr attributes
      from the shell by ignoring terminating newlines and treating an
      attribute value that begins with a NUL or newline as an attempt to
      clear the attribute.  However, the test for clearing attributes has
      always been wrong; it has an off-by-one error, and this could further
      lead to reading past the end of the allocated buffer since commit
      bb646cdb ("proc_pid_attr_write():
      switch to memdup_user()").  Fix the off-by-one error.
      
      Even with this fix, setting and clearing /proc/pid/attr attributes
      from the shell is not straightforward since the interface does not
      support multiple write() calls (so shells that write the value and
      newline separately will set and then immediately clear the attribute,
      requiring use of echo -n to set the attribute), whereas trying to use
      echo -n "" to clear the attribute causes the shell to skip the
      write() call altogether since POSIX says that a zero-length write
      causes no side effects. Thus, one must use echo -n to set and echo
      without -n to clear, as in the following example:
      $ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      unconfined_u:object_r:user_home_t:s0
      $ echo "" > /proc/$$/attr/fscreate
      $ cat /proc/$$/attr/fscreate
      
      Note the use of /proc/$$ rather than /proc/self, as otherwise
      the cat command will read its own attribute value, not that of the shell.
      
      There are no users of this facility to my knowledge; possibly we
      should just get rid of it.
      
      UPDATE: Upon further investigation it appears that a local process
      with the process:setfscreate permission can cause a kernel panic as a
      result of this bug.  This patch fixes CVE-2017-2618.
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      [PM: added the update about CVE-2017-2618 to the commit description]
      Cc: stable@vger.kernel.org # 3.5: d6ea83ecSigned-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NJames Morris <james.l.morris@oracle.com>
      0c461cb7
    • D
      Merge branch 'drm-vmwgfx-fixes-4_10' of... · 5d18a619
      Dave Airlie 提交于
      Merge branch 'drm-vmwgfx-fixes-4_10' of git://people.freedesktop.org/~syeh/repos_linux into drm-fixes
      
      Single vmwgfx boot crasher fix.
      
      * 'drm-vmwgfx-fixes-4_10' of git://people.freedesktop.org/~syeh/repos_linux:
        drm/vmwgfx: Fix depth input into drm_mode_legacy_fb_format
      5d18a619
    • A
      Input: synaptics-rmi4 - select 'SERIO' when needed · 413d3732
      Arnd Bergmann 提交于
      With CONFIG_SERIO=m, we get a build error for the rmi4-f03 driver,
      added in linux-4.10:
      
      warning: (HID_RMI) selects RMI4_F03 which has unmet direct dependencies (!UML && INPUT && RMI4_CORE && (SERIO=y || RMI4_CORE=SERIO))
      drivers/input/built-in.o: In function `rmi_f03_attention':
      rmi_f03.c:(.text+0xcfe0): undefined reference to `serio_interrupt'
      rmi_f03.c:(.text+0xd055): undefined reference to `serio_interrupt'
      drivers/input/built-in.o: In function `rmi_f03_remove':
      rmi_f03.c:(.text+0xd115): undefined reference to `serio_unregister_port'
      drivers/input/built-in.o: In function `rmi_f03_probe':
      rmi_f03.c:(.text+0xd209): undefined reference to `__serio_register_port'
      
      An earlier patch tried to fix this, but missed the HID_RMI driver that
      does a 'select' on the F03 backend.
      
      This adds a hidden Kconfig symbol that enforces 'serio' to be enabled
      when RMI4-F03 is, which covers all cases.
      
      Fixes: d7ddad0a ("Input: synaptics-rmi4 - fix F03 build error when serio is module")
      Fixes: c5e8848f ("Input: synaptics-rmi4 - add support for F03")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      413d3732
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 926af627
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Load correct firmware in rtl8192ce wireless driver, from Jurij
          Smakov.
      
       2) Fix leak of tx_ring and tx_cq due to overwriting in mlx4 driver,
          from Martin KaFai Lau.
      
       3) Need to reference count PHY driver module when it is attached, from
          Mao Wenan.
      
       4) Don't do zero length vzalloc() in ethtool register dump, from
          Stanislaw Gruszka.
      
       5) Defer net_disable_timestamp() to a workqueue to get out of locking
          issues, from Eric Dumazet.
      
       6) We cannot drop the SKB dst when IP options refer to them, fix also
          from Eric Dumazet.
      
       7) Incorrect packet header offset calculations in ip6_gre, again from
          Eric Dumazet.
      
       8) Missing tcp_v6_restore_cb() causes use-after-free, from Eric too.
      
       9) tcp_splice_read() can get into an infinite loop with URG, and hey
          it's from Eric once more.
      
      10) vnet_hdr_sz can change asynchronously, so read it once during
          decision making in macvtap and tun, from Willem de Bruijn.
      
      11) Can't use kernel stack for DMA transfers in USB networking drivers,
          from Ben Hutchings.
      
      12) Handle csum errors properly in UDP by calling the proper destructor,
          from Eric Dumazet.
      
      13) For non-deterministic softirq run when scheduling NAPI from a
          workqueue in mlx4, from Benjamin Poirier.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (28 commits)
        sctp: check af before verify address in sctp_addr_id2transport
        sctp: avoid BUG_ON on sctp_wait_for_sndbuf
        mlx4: Invoke softirqs after napi_reschedule
        udp: properly cope with csum errors
        catc: Use heap buffer for memory size test
        catc: Combine failure cleanup code in catc_probe()
        rtl8150: Use heap buffers for all register access
        pegasus: Use heap buffers for all register access
        macvtap: read vnet_hdr_size once
        tun: read vnet_hdr_sz once
        tcp: avoid infinite loop in tcp_splice_read()
        hns: avoid stack overflow with CONFIG_KASAN
        ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
        ipv6: tcp: add a missing tcp_v6_restore_cb()
        nl80211: Fix mesh HT operation check
        mac80211: Fix adding of mesh vendor IEs
        mac80211: Allocate a sync skcipher explicitly for FILS AEAD
        mac80211: Fix FILS AEAD protection in Association Request frame
        ip6_gre: fix ip6gre_err() invalid reads
        netlabel: out of bound access in cipso_v4_validate()
        ...
      926af627
    • H
      mm: fix KPF_SWAPCACHE in /proc/kpageflags · b6789123
      Hugh Dickins 提交于
      Commit 6326fec1 ("mm: Use owner_priv bit for PageSwapCache, valid
      when PageSwapBacked") aliased PG_swapcache to PG_owner_priv_1 (and
      depending on PageSwapBacked being true).
      
      As a result, the KPF_SWAPCACHE bit in '/proc/kpageflags' should now be
      synthesized, instead of being shown on unrelated pages which just happen
      to have PG_owner_priv_1 set.
      Signed-off-by: NHugh Dickins <hughd@google.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Wu Fengguang <fengguang.wu@intel.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      b6789123