1. 14 Oct, 2017 21 commits
  2. 13 Oct, 2017 14 commits
    • iommu/amd: Finish TLB flush in amd_iommu_unmap() · ce76353f
      Joerg Roedel authored
      The function only sends the flush command to the IOMMU(s),
      but does not wait for its completion when it returns. Fix
      that.
      
      Fixes: 601367d7 ('x86/amd-iommu: Remove iommu_flush_domain function')
      Cc: stable@vger.kernel.org # >= 2.6.33
      Signed-off-by: Joerg Roedel <jroedel@suse.de>
    • powerpc/perf: Fix IMC initialization crash · 0d8ba162
      Anju T Sudhakar authored
      Panic observed with latest firmware, and upstream kernel:
      
       NIP init_imc_pmu+0x8c/0xcf0
       LR  init_imc_pmu+0x2f8/0xcf0
       Call Trace:
         init_imc_pmu+0x2c8/0xcf0 (unreliable)
         opal_imc_counters_probe+0x300/0x400
         platform_drv_probe+0x64/0x110
         driver_probe_device+0x3d8/0x580
         __driver_attach+0x14c/0x1a0
         bus_for_each_dev+0x8c/0xf0
         driver_attach+0x34/0x50
         bus_add_driver+0x298/0x350
         driver_register+0x9c/0x180
         __platform_driver_register+0x5c/0x70
         opal_imc_driver_init+0x2c/0x40
         do_one_initcall+0x64/0x1d0
         kernel_init_freeable+0x280/0x374
         kernel_init+0x24/0x160
         ret_from_kernel_thread+0x5c/0x74
      
      While registering nest imc at init, cpu-hotplug callback
      nest_pmu_cpumask_init() makes an OPAL call to stop the engine. And if
      the OPAL call fails, imc_common_cpuhp_mem_free() is invoked to cleanup
      memory and cpuhotplug setup.
      
      But when cleaning up the attribute group, we are dereferencing the
      attribute element array without checking whether the backing element
      is not NULL. This causes the kernel panic.
      
      Add a check for the backing element prior to dereferencing the
      attribute element, to handle the failing case gracefully.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
      [mpe: Trim change log]
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • Merge tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 3d788276
      Linus Torvalds authored
      Pull device properties framework fixes from Rafael Wysocki:
       "These fix an issue related to device removal introduced during the 4.9
        cycle and fix up new functionality added recently.
      
        Specifics:
      
         - Fix a device properties management issue, introduced during the 4.9
           cycle, that causes device properties associated with a parent
           device to go away on a removal of its child in some cases (Jarkko
           Nikula).
      
         - Fix inconsistencies in error codes returned by a new function
           helper in the device properties framework depending on the
           underlying low-level firmware interface, DT or ACPI, by making the
           meaning of error codes returned in the ACPI case agree with the
           meaning of DT error codes in analogous situations (Sakari Ailus)"
      
      * tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: properties: Fix __acpi_node_get_property_reference() return codes
        ACPI: properties: Align return codes of __acpi_node_get_property_reference()
        device property: Track owner device of device property
    • Merge tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 8ff0b97c
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
      
       - Fix a stale kernel memory exposure when logging inodes.
      
       - Fix some build problems with CONFIG_XFS_RT=n
      
       - Don't change inode mode if the acl write fails, leaving the file
         totally inaccessible.
      
       - Fix a dangling pointer problem when removing an attr fork under
         memory pressure.
      
       - Don't crash while trying to invalidate a null buffer associated with
         a corrupt metadata pointer.
      
      * tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: handle error if xfs_btree_get_bufs fails
        xfs: reinit btree pointer on attr tree inactivation walk
        xfs: Fix bool initialization/comparison
        xfs: don't change inode mode if ACL update fails
        xfs: move more RT specific code under CONFIG_XFS_RT
        xfs: Don't log uninitialised fields in inode structures
    • scripts: fix faddr2line to work on last symbol · 2aab9c3c
      NeilBrown authored
      If faddr2line is given a function name which is the last one listed by
      "nm -n", it will fail because it never finds the next symbol.
      
      So teach the awk script to catch that possibility, and use 'size' to
      provide the end point of the last function.
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 3206e7d5
      Linus Torvalds authored
      Pull quota fix from Jan Kara:
       "A fix for a regression in handling of quota grace times and warnings"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        quota: Generate warnings for DQUOT_SPACE_NOFAIL allocations
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · cbaff876
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Another latent bug related to PCID, an out-of-bounds access, and a
        submaintainer change being finally made official"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
        KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
        KVM: MMU: always terminate page walks at level 1
        KVM: nVMX: update last_nonleaf_level when initializing nested EPT
    • device property: preserve usecount for node passed to of_fwnode_graph_get_port_parent() · 3314c6bd
      Niklas Söderlund authored
      Using CONFIG_OF_DYNAMIC=y uncovered an imbalance in the usecount of the
      node being passed to of_fwnode_graph_get_port_parent(). Preserve the
      usecount by using of_get_parent() instead of of_get_next_parent() which
      doesn't decrement the usecount of the node passed to it.
      
      Fixes: 3b27d00e ("device property: Move fwnode graph ops to firmware specific locations")
      Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
      Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: Rob Herring <robh@kernel.org>
    • drivers: of: increase MAX_RESERVED_REGIONS to 32 · 22f8cc6e
      Stewart Smith authored
      There are two types of memory reservations firmware can ask the kernel
      to make in the device tree: static and dynamic.
      See Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt
      
      If you have greater than 16 entries in /reserved-memory (as we do on
      POWER9 systems) you would get this scary looking error message:
       [    0.000000] OF: reserved mem: not enough space all defined regions.
      
      This is harmless if all your reservations are static (which with OPAL on
      POWER9, they are).
      
      It is not harmless if you have any dynamic reservations after the 16th.
      
      In the first pass over the fdt to find reservations, the child nodes of
      /reserved-memory are added to a static array in of_reserved_mem.c so that
      memory can be reserved in a 2nd pass. The array has 16 entries. This is why,
      on my dual socket POWER9 system, I get that error 4 times with 20 static
      reservations.
      
      We don't have a problem on ppc though, as in arch/powerpc/kernel/prom.c
      we look at the new style /reserved-ranges property to do reservations,
      and this logic was introduced in 0962e800 (well before any powernv
      system shipped).
      
      A Google search shows up no occurrences of that exact error message, so we're
      probably safe in that no machine that people use has memory not being reserved
      when it should be.
      
      The simple fix is to bump the length of the array to 32 which "should be
      enough for everyone(TM)". The simple fix of not recording static allocations
      in the array would cause problems for devices with "memory-region" properties.
      A more future-proof fix is likely possible, although more invasive and this
      simple fix is perfectly suitable in the meantime while a more future-proof
      fix is developed.
      Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
      Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
      Signed-off-by: Rob Herring <robh@kernel.org>
    • of: do not leak console options · db179e0d
      Sergey Senozhatsky authored
      Do not strdup() console options. It seems that the only reason for
      it to be strdup()-ed was a compilation warning: printk, UART and
      console drivers, for some reason, expect char pointer instead of
      const char pointer. So we can just pass `of_stdout_options', but
      need to cast it to char pointer. A better fix would be to change
      printk, console drivers and UART to accept const char `options';
      but that will take time - there are lots of drivers to update.
      
      The patch also fixes a possible memory leak: add_preferred_console()
      can fail, but we don't kfree() options.
      Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Reviewed-by: Petr Mladek <pmladek@suse.com>
      Signed-off-by: Rob Herring <robh@kernel.org>
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 73a752cc
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
      
       - fix crashes in skcipher/shash from zero-length input.
      
       - fix softirq GFP_KERNEL allocation in shash_setkey_unaligned.
      
       - error path bug fix in xts create function.
      
       - fix compiler warning regressions in axis and stm32
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: shash - Fix zero-length shash ahash digest crash
        crypto: skcipher - Fix crash on zero-length input
        crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
        crypto: xts - Fix an error handling path in 'create()'
        crypto: stm32 - Try to fix hash padding
        crypto: axis - hide an unused variable
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching · 0de50ea7
      Linus Torvalds authored
      Pull livepatching fix from Jiri Kosina:
      
       - bugfix for handling of coming modules (incorrect handling of failure)
         from Joe Lawrence
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
        livepatch: unpatch all klp_objects if klp_module_coming fails
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · be7484ac
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - fix for potential out-of-bounds memory access (found by fuzzing,
         likely requires specially crafted device to trigger) by Jaejoong Kim
      
       - two new device IDs for elecom driver from Alex Manoussakis
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: hid-elecom: extend to fix descriptor for HUGE trackball
        HID: usbhid: fix out-of-bounds bug
    • Merge tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 7702f476
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "It's been a busy week for defending the attacks from fuzzer people.
      
        This contains various USB-audio driver fixes and sequencer core fixes
        spotted by syzkaller and other fuzzer, as well as one quirk for a
        Plantronics USB audio device"
      
      * tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: caiaq: Fix stray URB at probe error path
        ALSA: seq: Fix use-after-free at creating a port
        ALSA: usb-audio: Kill stray URB at exiting
        ALSA: line6: Fix leftover URB at error-path during probe
        ALSA: line6: Fix NULL dereference at podhd_disconnect()
        ALSA: line6: Fix missing initialization before error path
        ALSA: seq: Fix copy_from_user() call inside lock
        ALSA: usb-audio: Add sample rate quirk for Plantronics P610
  3. 12 Oct, 2017 5 commits
    • Merge branch 'waitid-fix' · 467251c6
      Linus Torvalds authored
      Merge waitid() fix from Kees Cook.
      
      I'd have hoped that the unsafe_{get|put}_user() naming would have
      avoided these kinds of stupid bugs, but no such luck.
      
      * waitid-fix:
        waitid(): Add missing access_ok() checks
    • powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node() · cd4f2b30
      Anju T Sudhakar authored
      Stack trace output during a stress test:
       [    4.310049] Freeing initrd memory: 22592K
      [    4.310646] rtas_flash: no firmware flash support
      [    4.313341] cpuhp/64: page allocation failure: order:0, mode:0x14480c0(GFP_KERNEL|__GFP_ZERO|__GFP_THISNODE), nodemask=(null)
      [    4.313465] cpuhp/64 cpuset=/ mems_allowed=0
      [    4.313521] CPU: 64 PID: 392 Comm: cpuhp/64 Not tainted 4.11.0-39.el7a.ppc64le #1
      [    4.313588] Call Trace:
      [    4.313622] [c000000f1fb1b8e0] [c000000000c09388] dump_stack+0xb0/0xf0 (unreliable)
      [    4.313694] [c000000f1fb1b920] [c00000000030ef6c] warn_alloc+0x12c/0x1c0
      [    4.313753] [c000000f1fb1b9c0] [c00000000030ff68] __alloc_pages_nodemask+0xea8/0x1000
      [    4.313823] [c000000f1fb1bbb0] [c000000000113a8c] core_imc_mem_init+0xbc/0x1c0
      [    4.313892] [c000000f1fb1bc00] [c000000000113cdc] ppc_core_imc_cpu_online+0x14c/0x170
      [    4.313962] [c000000f1fb1bc90] [c000000000125758] cpuhp_invoke_callback+0x198/0x5d0
      [    4.314031] [c000000f1fb1bd00] [c00000000012782c] cpuhp_thread_fun+0x8c/0x3d0
      [    4.314101] [c000000f1fb1bd60] [c0000000001678d0] smpboot_thread_fn+0x290/0x2a0
      [    4.314169] [c000000f1fb1bdc0] [c00000000015ee78] kthread+0x168/0x1b0
      [    4.314229] [c000000f1fb1be30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74
      [    4.314313] Mem-Info:
      [    4.314356] active_anon:0 inactive_anon:0 isolated_anon:0
      
      core_imc_mem_init() at system boot uses alloc_pages_node() to get memory
      and alloc_pages_node() throws this stack dump when it tries to allocate
      memory from a node which has no memory behind it. Add a ___GFP_NOWARN
      flag in allocation request as a fix.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reported-by: Michael Ellerman <mpe@ellerman.id.au>
      Reported-by: Venkat R.B <venkatb3@in.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • powerpc/perf: Fix for core/nest imc call trace on cpuhotplug · 0d923820
      Anju T Sudhakar authored
      Nest/core pmu units are enabled only when it is used. A reference count is
      maintained for the events which uses the nest/core pmu units. Currently in
      *_imc_counters_release function a WARN() is used for notification of any
      underflow of ref count.
      
      The case where event ref count hit a negative value is, when perf session is
      started, followed by offlining of all cpus in a given core.
      i.e. in cpuhotplug offline path ppc_core_imc_cpu_offline() function set the
      ref->count to zero, if the current cpu which is about to offline is the last
      cpu in a given core and make an OPAL call to disable the engine in that core.
      And on perf session termination, perf->destroy (core_imc_counters_release) will
      first decrement the ref->count for this core and based on the ref->count value
      an opal call is made to disable the core-imc engine.
      Now, since cpuhotplug path already clears the ref->count for core and disabled
      the engine, perf->destroy() decrementing again at event termination make it
      negative which in turn fires the WARN_ON. The same happens for nest units.
      
      Add a check to see if the reference count is already zero, before decrementing
      the count, so that the ref count will not hit a negative value.
      Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
      Reviewed-by: Santosh Sivaraj <santosh@fossix.org>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
    • MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc · 8a60aea6
      Thomas Huth authored
      Paul is handling almost all of the powerpc related KVM patches nowadays,
      so he should be mentioned in the MAINTAINERS file accordingly.
      Signed-off-by: Thomas Huth <thuth@redhat.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
    • KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit · 8eb3f87d
      Haozhong Zhang authored
      When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
      guest CR4. Before this CR4 loading, the guest CR4 refers to L2
      CR4. Because these two CR4's are in different levels of guest, we
      should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
      is used to handle guest writes to its CR4, checks the guest change to
      CR4 and may fail if the change is invalid.
      
      The failure may cause trouble. Consider we start
        a L1 guest with non-zero L1 PCID in use,
           (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
      and
        a L2 guest with L2 PCID disabled,
           (i.e. L2 CR4.PCIDE == 0)
      and following events may happen:
      
      1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
         into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
         of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
         vcpu->arch.cr4) is left to the value of L2 CR4.
      
      2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
         kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
         because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
         CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
      
      Fixes: 4704d0be ("KVM: nVMX: Exiting from L2 to L1")
      Cc: qemu-stable@nongnu.org
      Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>