1. 03 3月, 2018 1 次提交
    • M
      signals: Move put_compat_sigset to compat.h to silence hardened usercopy · fde9fc76
      Matt Redfearn 提交于
      Since commit afcc90f8 ("usercopy: WARN() on slab cache usercopy
      region violations"), MIPS systems booting with a compat root filesystem
      emit a warning when copying compat siginfo to userspace:
      
      WARNING: CPU: 0 PID: 953 at mm/usercopy.c:81 usercopy_warn+0x98/0xe8
      Bad or missing usercopy whitelist? Kernel memory exposure attempt
      detected from SLAB object 'task_struct' (offset 1432, size 16)!
      Modules linked in:
      CPU: 0 PID: 953 Comm: S01logging Not tainted 4.16.0-rc2 #10
      Stack : ffffffff808c0000 0000000000000000 0000000000000001 65ac85163f3bdc4a
      	65ac85163f3bdc4a 0000000000000000 90000000ff667ab8 ffffffff808c0000
      	00000000000003f8 ffffffff808d0000 00000000000000d1 0000000000000000
      	000000000000003c 0000000000000000 ffffffff808c8ca8 ffffffff808d0000
      	ffffffff808d0000 ffffffff80810000 fffffc0000000000 ffffffff80785c30
      	0000000000000009 0000000000000051 90000000ff667eb0 90000000ff667db0
      	000000007fe0d938 0000000000000018 ffffffff80449958 0000000020052798
      	ffffffff808c0000 90000000ff664000 90000000ff667ab0 00000000100c0000
      	ffffffff80698810 0000000000000000 0000000000000000 0000000000000000
      	0000000000000000 0000000000000000 ffffffff8010d02c 65ac85163f3bdc4a
      	...
      Call Trace:
      [<ffffffff8010d02c>] show_stack+0x9c/0x130
      [<ffffffff80698810>] dump_stack+0x90/0xd0
      [<ffffffff80137b78>] __warn+0x100/0x118
      [<ffffffff80137bdc>] warn_slowpath_fmt+0x4c/0x70
      [<ffffffff8021e4a8>] usercopy_warn+0x98/0xe8
      [<ffffffff8021e68c>] __check_object_size+0xfc/0x250
      [<ffffffff801bbfb8>] put_compat_sigset+0x30/0x88
      [<ffffffff8011af24>] setup_rt_frame_n32+0xc4/0x160
      [<ffffffff8010b8b4>] do_signal+0x19c/0x230
      [<ffffffff8010c408>] do_notify_resume+0x60/0x78
      [<ffffffff80106f50>] work_notifysig+0x10/0x18
      ---[ end trace 88fffbf69147f48a ]---
      
      Commit 5905429a ("fork: Provide usercopy whitelisting for
      task_struct") noted that:
      
      "While the blocked and saved_sigmask fields of task_struct are copied to
      userspace (via sigmask_to_save() and setup_rt_frame()), it is always
      copied with a static length (i.e. sizeof(sigset_t))."
      
      However, this is not true in the case of compat signals, whose sigset
      is copied by put_compat_sigset and receives size as an argument.
      
      At most call sites, put_compat_sigset is copying a sigset from the
      current task_struct. This triggers a warning when
      CONFIG_HARDENED_USERCOPY is active. However, by marking this function as
      static inline, the warning can be avoided because in all of these cases
      the size is constant at compile time, which is allowed. The only site
      where this is not the case is handling the rt_sigpending syscall, but
      there the copy is being made from a stack local variable so does not
      trigger the warning.
      
      Move put_compat_sigset to compat.h, and mark it static inline. This
      fixes the WARN on MIPS.
      
      Fixes: afcc90f8 ("usercopy: WARN() on slab cache usercopy region violations")
      Signed-off-by: NMatt Redfearn <matt.redfearn@mips.com>
      Acked-by: NKees Cook <keescook@chromium.org>
      Cc: "Dmitry V . Levin" <ldv@altlinux.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: kernel-hardening@lists.openwall.com
      Cc: linux-mips@linux-mips.org
      Patchwork: https://patchwork.linux-mips.org/patch/18639/Signed-off-by: NJames Hogan <jhogan@kernel.org>
      fde9fc76
  2. 23 2月, 2018 2 次提交
  3. 20 2月, 2018 1 次提交
    • J
      MIPS: Drop spurious __unused in struct compat_flock · 6ae1756f
      James Hogan 提交于
      MIPS' struct compat_flock doesn't match the 32-bit struct flock, as it
      has an extra short __unused before pad[4], which combined with alignment
      increases the size to 40 bytes compared with struct flock's 36 bytes.
      
      Since commit 8c6657cb ("Switch flock copyin/copyout primitives to
      copy_{from,to}_user()"), put_compat_flock() writes the full compat_flock
      struct to userland, which results in corruption of the userland word
      after the struct flock when running 32-bit userlands on 64-bit kernels.
      
      This was observed to cause a bus error exception when starting Firefox
      on Debian 8 (Jessie).
      Reported-by: NPeter Mamonov <pmamonov@gmail.com>
      Signed-off-by: NJames Hogan <jhogan@kernel.org>
      Tested-by: NPeter Mamonov <pmamonov@gmail.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 4.13+
      Patchwork: https://patchwork.linux-mips.org/patch/18646/
      6ae1756f
  4. 19 2月, 2018 5 次提交
    • L
      Linux 4.16-rc2 · 91ab883e
      Linus Torvalds 提交于
      91ab883e
    • L
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 0e06fb5b
      Linus Torvalds 提交于
      Pull x86 Kconfig fixes from Thomas Gleixner:
       "Three patchlets to correct HIGHMEM64G and CMPXCHG64 dependencies in
        Kconfig when CPU selections are explicitely set to M586 or M686"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/Kconfig: Explicitly enumerate i686-class CPUs in Kconfig
        x86/Kconfig: Exclude i586-class CPUs lacking PAE support from the HIGHMEM64G Kconfig group
        x86/Kconfig: Add missing i586-class CPUs to the X86_CMPXCHG64 Kconfig group
      0e06fb5b
    • L
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9ca2c16f
      Linus Torvalds 提交于
      Pull perf updates from Thomas Gleixner:
       "Perf tool updates and kprobe fixes:
      
         - perf_mmap overwrite mode fixes/overhaul, prep work to get 'perf
           top' using it, making it bearable to use it in large core count
           systems such as Knights Landing/Mill Intel systems (Kan Liang)
      
         - s/390 now uses syscall.tbl, just like x86-64 to generate the
           syscall table id -> string tables used by 'perf trace' (Hendrik
           Brueckner)
      
         - Use strtoull() instead of home grown function (Andy Shevchenko)
      
         - Synchronize kernel ABI headers, v4.16-rc1 (Ingo Molnar)
      
         - Document missing 'perf data --force' option (Sangwon Hong)
      
         - Add perf vendor JSON metrics for ARM Cortex-A53 Processor (William
           Cohen)
      
         - Improve error handling and error propagation of ftrace based
           kprobes so failures when installing kprobes are not silently
           ignored and create disfunctional tracepoints"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (27 commits)
        kprobes: Propagate error from disarm_kprobe_ftrace()
        kprobes: Propagate error from arm_kprobe_ftrace()
        Revert "tools include s390: Grab a copy of arch/s390/include/uapi/asm/unistd.h"
        perf s390: Rework system call table creation by using syscall.tbl
        perf s390: Grab a copy of arch/s390/kernel/syscall/syscall.tbl
        tools/headers: Synchronize kernel ABI headers, v4.16-rc1
        perf test: Fix test trace+probe_libc_inet_pton.sh for s390x
        perf data: Document missing --force option
        perf tools: Substitute yet another strtoull()
        perf top: Check the latency of perf_top__mmap_read()
        perf top: Switch default mode to overwrite mode
        perf top: Remove lost events checking
        perf hists browser: Add parameter to disable lost event warning
        perf top: Add overwrite fall back
        perf evsel: Expose the perf_missing_features struct
        perf top: Check per-event overwrite term
        perf mmap: Discard legacy interface for mmap read
        perf test: Update mmap read functions for backward-ring-buffer test
        perf mmap: Introduce perf_mmap__read_event()
        perf mmap: Introduce perf_mmap__read_done()
        ...
      9ca2c16f
    • L
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 2d6c4e40
      Linus Torvalds 提交于
      Pull irq updates from Thomas Gleixner:
       "A small set of updates mostly for irq chip drivers:
      
         - MIPS GIC fix for spurious, masked interrupts
      
         - fix for a subtle IPI bug in GICv3
      
         - do not probe GICv3 ITSs that are marked as disabled
      
         - multi-MSI support for GICv2m
      
         - various small cleanups"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqdomain: Re-use DEFINE_SHOW_ATTRIBUTE() macro
        irqchip/bcm: Remove hashed address printing
        irqchip/gic-v2m: Add PCI Multi-MSI support
        irqchip/gic-v3: Ignore disabled ITS nodes
        irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
        irqchip/gic-v3: Change pr_debug message to pr_devel
        irqchip/mips-gic: Avoid spuriously handling masked interrupts
      2d6c4e40
    • L
      Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 59e47215
      Linus Torvalds 提交于
      Pull core fix from Thomas Gleixner:
       "A small fix which adds the missing for_each_cpu_wrap() stub for the UP
        case to avoid build failures"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        cpumask: Make for_each_cpu_wrap() available on UP as well
      59e47215
  5. 18 2月, 2018 6 次提交
    • L
      Merge tag 'for-linus-20180217' of git://git.kernel.dk/linux-block · c786427f
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request from Keith, with fixes all over the map for nvme.
         From various folks.
      
       - Classic polling fix, that avoids a latency issue where we still end
         up waiting for an interrupt in some cases. From Nitesh Shetty.
      
       - Comment typo fix from Minwoo Im.
      
      * tag 'for-linus-20180217' of git://git.kernel.dk/linux-block:
        block: fix a typo in comment of BLK_MQ_POLL_STATS_BKTS
        nvme-rdma: fix sysfs invoked reset_ctrl error flow
        nvmet: Change return code of discard command if not supported
        nvme-pci: Fix timeouts in connecting state
        nvme-pci: Remap CMB SQ entries on every controller reset
        nvme: fix the deadlock in nvme_update_formats
        blk: optimization for classic polling
        nvme: Don't use a stack buffer for keep-alive command
        nvme_fc: cleanup io completion
        nvme_fc: correct abort race condition on resets
        nvme: Fix discard buffer overrun
        nvme: delete NVME_CTRL_LIVE --> NVME_CTRL_CONNECTING transition
        nvme-rdma: use NVME_CTRL_CONNECTING state to mark init process
        nvme: rename NVME_CTRL_RECONNECTING state to NVME_CTRL_CONNECTING
      c786427f
    • L
      Merge tag 'mmc-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · fa2139ef
      Linus Torvalds 提交于
      Pull MMC fixes from Ulf Hansson:
      
       - meson-gx: Revert to earlier tuning process
      
       - bcm2835: Don't overwrite max frequency unconditionally
      
      * tag 'mmc-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: bcm2835: Don't overwrite max frequency unconditionally
        Revert "mmc: meson-gx: include tx phase in the tuning process"
      fa2139ef
    • L
      Merge tag 'mtd/fixes-for-4.16-rc2' of git://git.infradead.org/linux-mtd · 4b6415f9
      Linus Torvalds 提交于
      Pull mtd fixes from Boris Brezillon:
      
       - add missing dependency to NAND_MARVELL Kconfig entry
      
       - use the appropriate OOB layout in the VF610 driver
      
      * tag 'mtd/fixes-for-4.16-rc2' of git://git.infradead.org/linux-mtd:
        mtd: nand: MTD_NAND_MARVELL should depend on HAS_DMA
        mtd: nand: vf610: set correct ooblayout
      4b6415f9
    • L
      Merge tag 'powerpc-4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · ee78ad78
      Linus Torvalds 提交于
      Pull powerpc fixes from Michael Ellerman:
       "The main attraction is a fix for a bug in the new drmem code, which
        was causing an oops on boot on some versions of Qemu.
      
        There's also a fix for XIVE (Power9 interrupt controller) on KVM, as
        well as a few other minor fixes.
      
        Thanks to: Corentin Labbe, Cyril Bur, Cédric Le Goater, Daniel Black,
        Nathan Fontenot, Nicholas Piggin"
      
      * tag 'powerpc-4.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/pseries: Check for zero filled ibm,dynamic-memory property
        powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
        powerpc/powernv: IMC fix out of bounds memory access at shutdown
        powerpc/xive: Use hw CPU ids when configuring the CPU queues
        powerpc: Expose TSCR via sysfs only on powernv
      ee78ad78
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 74688a02
      Linus Torvalds 提交于
      Pull arm64 fixes from Catalin Marinas:
       "The bulk of this is the pte accessors annotation to READ/WRITE_ONCE
        (we tried to avoid pushing this during the merge window to avoid
        conflicts)
      
         - Updated the page table accessors to use READ/WRITE_ONCE and prevent
           compiler transformation that could lead to an apparent loss of
           coherency
      
         - Enabled branch predictor hardening for the Falkor CPU
      
         - Fix interaction between kpti enabling and KASan causing the
           recursive page table walking to take a significant time
      
         - Fix some sparse warnings"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: cputype: Silence Sparse warnings
        arm64: mm: Use READ_ONCE/WRITE_ONCE when accessing page tables
        arm64: proc: Set PTE_NG for table entries to avoid traversing them twice
        arm64: Add missing Falkor part number for branch predictor hardening
      74688a02
    • L
      Merge tag 'for-linus-4.16a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · f73f047d
      Linus Torvalds 提交于
      Pull xen fixes from Juergen Gross:
      
       - fixes for the Xen pvcalls frontend driver
      
       - fix for booting Xen pv domains
      
       - fix for the xenbus driver user interface
      
      * tag 'for-linus-4.16a-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        pvcalls-front: wait for other operations to return when release passive sockets
        pvcalls-front: introduce a per sock_mapping refcount
        x86/xen: Calculate __max_logical_packages on PV domains
        xenbus: track caller request id
      f73f047d
  6. 17 2月, 2018 14 次提交
    • S
      pvcalls-front: wait for other operations to return when release passive sockets · d1a75e08
      Stefano Stabellini 提交于
      Passive sockets can have ongoing operations on them, specifically, we
      have two wait_event_interruptable calls in pvcalls_front_accept.
      
      Add two wake_up calls in pvcalls_front_release, then wait for the
      potential waiters to return and release the sock_mapping refcount.
      Signed-off-by: NStefano Stabellini <stefano@aporeto.com>
      Acked-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      d1a75e08
    • S
      pvcalls-front: introduce a per sock_mapping refcount · 64d68718
      Stefano Stabellini 提交于
      Introduce a per sock_mapping refcount, in addition to the existing
      global refcount. Thanks to the sock_mapping refcount, we can safely wait
      for it to be 1 in pvcalls_front_release before freeing an active socket,
      instead of waiting for the global refcount to be 1.
      Signed-off-by: NStefano Stabellini <stefano@aporeto.com>
      Acked-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      64d68718
    • P
      x86/xen: Calculate __max_logical_packages on PV domains · 63e708f8
      Prarit Bhargava 提交于
      The kernel panics on PV domains because native_smp_cpus_done() is
      only called for HVM domains.
      
      Calculate __max_logical_packages for PV domains.
      
      Fixes: b4c0a732 ("x86/smpboot: Fix __max_logical_packages estimate")
      Signed-off-by: NPrarit Bhargava <prarit@redhat.com>
      Tested-and-reported-by: NSimon Gaiser <simon@invisiblethingslab.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: x86@kernel.org
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Cc: Juergen Gross <jgross@suse.com>
      Cc: Dou Liyang <douly.fnst@cn.fujitsu.com>
      Cc: Prarit Bhargava <prarit@redhat.com>
      Cc: Kate Stewart <kstewart@linuxfoundation.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Vitaly Kuznetsov <vkuznets@redhat.com>
      Cc: xen-devel@lists.xenproject.org
      Reviewed-by: NBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      63e708f8
    • J
      xenbus: track caller request id · 29fee6ee
      Joao Martins 提交于
      Commit fd8aa909 ("xen: optimize xenbus driver for multiple concurrent
      xenstore accesses") optimized xenbus concurrent accesses but in doing so
      broke UABI of /dev/xen/xenbus. Through /dev/xen/xenbus applications are in
      charge of xenbus message exchange with the correct header and body. Now,
      after the mentioned commit the replies received by application will no
      longer have the header req_id echoed back as it was on request (see
      specification below for reference), because that particular field is being
      overwritten by kernel.
      
      struct xsd_sockmsg
      {
        uint32_t type;  /* XS_??? */
        uint32_t req_id;/* Request identifier, echoed in daemon's response.  */
        uint32_t tx_id; /* Transaction id (0 if not related to a transaction). */
        uint32_t len;   /* Length of data following this. */
      
        /* Generally followed by nul-terminated string(s). */
      };
      
      Before there was only one request at a time so req_id could simply be
      forwarded back and forth. To allow simultaneous requests we need a
      different req_id for each message thus kernel keeps a monotonic increasing
      counter for this field and is written on every request irrespective of
      userspace value.
      
      Forwarding again the req_id on userspace requests is not a solution because
      we would open the possibility of userspace-generated req_id colliding with
      kernel ones. So this patch instead takes another route which is to
      artificially keep user req_id while keeping the xenbus logic as is. We do
      that by saving the original req_id before xs_send(), use the private kernel
      counter as req_id and then once reply comes and was validated, we restore
      back the original req_id.
      
      Cc: <stable@vger.kernel.org> # 4.11
      Fixes: fd8aa909 ("xen: optimize xenbus driver for multiple concurrent xenstore accesses")
      Reported-by: NBhavesh Davda <bhavesh.davda@oracle.com>
      Signed-off-by: NJoao Martins <joao.m.martins@oracle.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      29fee6ee
    • R
      arm64: cputype: Silence Sparse warnings · e1a50de3
      Robin Murphy 提交于
      Sparse makes a fair bit of noise about our MPIDR mask being implicitly
      long - let's explicitly describe it as such rather than just relying on
      the value forcing automatic promotion.
      Signed-off-by: NRobin Murphy <robin.murphy@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      e1a50de3
    • L
      Merge tag 'dma-mapping-4.16-2' of git://git.infradead.org/users/hch/dma-mapping · 1e3510b2
      Linus Torvalds 提交于
      Pull dma-mapping fixes from Christoph Hellwig:
       "A few dma-mapping fixes for the fallout from the changes in rc1"
      
      * tag 'dma-mapping-4.16-2' of git://git.infradead.org/users/hch/dma-mapping:
        powerpc/macio: set a proper dma_coherent_mask
        dma-mapping: fix a comment typo
        dma-direct: comment the dma_direct_free calling convention
        dma-direct: mark as is_phys
        ia64: fix build failure with CONFIG_SWIOTLB
      1e3510b2
    • W
      arm64: mm: Use READ_ONCE/WRITE_ONCE when accessing page tables · 20a004e7
      Will Deacon 提交于
      In many cases, page tables can be accessed concurrently by either another
      CPU (due to things like fast gup) or by the hardware page table walker
      itself, which may set access/dirty bits. In such cases, it is important
      to use READ_ONCE/WRITE_ONCE when accessing page table entries so that
      entries cannot be torn, merged or subject to apparent loss of coherence
      due to compiler transformations.
      
      Whilst there are some scenarios where this cannot happen (e.g. pinned
      kernel mappings for the linear region), the overhead of using READ_ONCE
      /WRITE_ONCE everywhere is minimal and makes the code an awful lot easier
      to reason about. This patch consistently uses these macros in the arch
      code, as well as explicitly namespacing pointers to page table entries
      from the entries themselves by using adopting a 'p' suffix for the former
      (as is sometimes used elsewhere in the kernel source).
      Tested-by: NYury Norov <ynorov@caviumnetworks.com>
      Tested-by: NRichard Ruigrok <rruigrok@codeaurora.org>
      Reviewed-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      20a004e7
    • A
      mm: hide a #warning for COMPILE_TEST · af27d940
      Arnd Bergmann 提交于
      We get a warning about some slow configurations in randconfig kernels:
      
        mm/memory.c:83:2: error: #warning Unfortunate NUMA and NUMA Balancing config, growing page-frame for last_cpupid. [-Werror=cpp]
      
      The warning is reasonable by itself, but gets in the way of randconfig
      build testing, so I'm hiding it whenever CONFIG_COMPILE_TEST is set.
      
      The warning was added in 2013 in commit 75980e97 ("mm: fold
      page->_last_nid into page->flags where possible").
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      af27d940
    • L
      Merge tag 'mips_fixes_4.16_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 78352f18
      Linus Torvalds 提交于
      Pull MIPS fixes from James Hogan:
       "A few fixes for outstanding MIPS issues:
      
         - an __init section mismatch warning when brcmstb_pm is enabled
      
         - a regression handling multiple mem=X@Y arguments (4.11)
      
         - a USB Kconfig select warning, and related sparc cleanup (4.16)"
      
      * tag 'mips_fixes_4.16_2' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        sparc,leon: Select USB_UHCI_BIG_ENDIAN_{MMIO,DESC}
        usb: Move USB_UHCI_BIG_ENDIAN_* out of USB_SUPPORT
        MIPS: Fix incorrect mem=X@Y handling
        MIPS: BMIPS: Fix section mismatch warning
      78352f18
    • L
      Merge tag 'for-4.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · da370f1d
      Linus Torvalds 提交于
      Pull btrfs fixes from David Sterba:
       "We have a few assorted fixes, some of them show up during fstests so I
        gave them more testing"
      
      * tag 'for-4.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
        Btrfs: fix null pointer dereference when replacing missing device
        btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
        btrfs: Ignore errors from btrfs_qgroup_trace_extent_post
        Btrfs: fix unexpected -EEXIST when creating new inode
        Btrfs: fix use-after-free on root->orphan_block_rsv
        Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
        Btrfs: fix extent state leak from tree log
        Btrfs: fix crash due to not cleaning up tree log block's dirty bits
        Btrfs: fix deadlock in run_delalloc_nocow
      da370f1d
    • L
      Merge tag 'for-4.16/dm-chained-bios-fix' of... · c85b0b14
      Linus Torvalds 提交于
      Merge tag 'for-4.16/dm-chained-bios-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fix from Mike Snitzer:
       "Fix for DM core to properly propagate errors (avoids overriding
        non-zero error with 0). This is particularly important given DM core's
        increased use of chained bios"
      
      * tag 'for-4.16/dm-chained-bios-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm: correctly handle chained bios in dec_pending()
      c85b0b14
    • L
      Merge tag 'platform-drivers-x86-v4.16-4' of git://git.infradead.org/linux-platform-drivers-x86 · 5e8639b7
      Linus Torvalds 提交于
      Pull x86 platform driver fixes from Andy Shevchenko:
      
       - regression fix in keyboard support for Dell laptops
      
       - prevent out-of-boundary write in WMI bus driver
      
       - increase timeout to read functional key status on Lenovo laptops
      
      * tag 'platform-drivers-x86-v4.16-4' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: dell-laptop: Removed duplicates in DMI whitelist
        platform/x86: dell-laptop: fix kbd_get_state's request value
        platform/x86: ideapad-laptop: Increase timeout to wait for EC answer
        platform/x86: wmi: fix off-by-one write in wmi_dev_probe()
      5e8639b7
    • L
      Merge tag 'sound-4.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1a2a7d3e
      Linus Torvalds 提交于
      Pull sound fixes from Takashi Iwai:
       "A collection of usual suspects:
      
         - a handful USB-audio and HD-audio device-specific quirks
      
         - some trivial fixes for the new AC97 bus stuff
      
         - another race fix in ALSA sequencer core"
      
      * tag 'sound-4.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek: PCI quirk for Fujitsu U7x7
        ALSA: seq: Fix racy pool initializations
        ALSA: usb: add more device quirks for USB DSD devices
        ALSA: usb-audio: Fix UAC2 get_ctl request with a RANGE attribute
        ALSA: ac97: Fix copy and paste typo in documentation
        ALSA: usb-audio: add implicit fb quirk for Behringer UFX1204
        ALSA: ac97: kconfig: Remove select of undefined symbol AC97
        ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform
        ALSA: hda/realtek - Add headset mode support for Dell laptop
        ALSA: hda - Fix headset mic detection problem for two Dell machines
      1a2a7d3e
    • L
      Merge tag 'drm-fixes-for-v4.16-rc2' of git://people.freedesktop.org/~airlied/linux · bad57539
      Linus Torvalds 提交于
      Pull drm fixes from Dave Airlie:
       "One nouveau regression fix, one AMD quirk and a full set of i915
        fixes.
      
        The i915 fixes are mostly for things caught by their CI system, main
        ones being DSI panel fixes and GEM fixes"
      
      * tag 'drm-fixes-for-v4.16-rc2' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau: Make clock gate support conditional
        drm/i915: Fix DSI panels with v1 MIPI sequences without a DEASSERT sequence v3
        drm/i915: Free memdup-ed DSI VBT data structures on driver_unload
        drm/i915: Add intel_bios_cleanup() function
        drm/i915/vlv: Add cdclk workaround for DSI
        drm/i915/gvt: fix one typo of render_mmio trace
        drm/i915/gvt: Support BAR0 8-byte reads/writes
        drm/i915/gvt: add 0xe4f0 into gen9 render list
        drm/i915/pmu: Fix building without CONFIG_PM
        drm/i915/pmu: Fix sleep under atomic in RC6 readout
        drm/i915/pmu: Fix PMU enable vs execlists tasklet race
        drm/i915: Lock out execlist tasklet while peeking inside for busy-stats
        drm/i915/breadcrumbs: Ignore unsubmitted signalers
        drm/i915: Don't wake the device up to check if the engine is asleep
        drm/i915: Avoid truncation before clamping userspace's priority value
        drm/i915/perf: Fix compiler warning for string truncation
        drm/i915/perf: Fix compiler warning for string truncation
        drm/amdgpu: add new device to use atpx quirk
      bad57539
  7. 16 2月, 2018 11 次提交
    • N
      dm: correctly handle chained bios in dec_pending() · 8dd601fa
      NeilBrown 提交于
      dec_pending() is given an error status (possibly 0) to be recorded
      against a bio.  It can be called several times on the one 'struct
      dm_io', and it is careful to only assign a non-zero error to
      io->status.  However when it then assigned io->status to bio->bi_status,
      it is not careful and could overwrite a genuine error status with 0.
      
      This can happen when chained bios are in use.  If a bio is chained
      beneath the bio that this dm_io is handling, the child bio might
      complete and set bio->bi_status before the dm_io completes.
      
      This has been possible since chained bios were introduced in 3.14, and
      has become a lot easier to trigger with commit 18a25da8 ("dm: ensure
      bio submission follows a depth-first tree walk") as that commit caused
      dm to start using chained bios itself.
      
      A particular failure mode is that if a bio spans an 'error' target and a
      working target, the 'error' fragment will complete instantly and set the
      ->bi_status, and the other fragment will normally complete a little
      later, and will clear ->bi_status.
      
      The fix is simply to only assign io_error to bio->bi_status when
      io_error is not zero.
      Reported-and-tested-by: NMilan Broz <gmazyland@gmail.com>
      Cc: stable@vger.kernel.org (v3.14+)
      Signed-off-by: NNeilBrown <neilb@suse.com>
      Signed-off-by: NMike Snitzer <snitzer@redhat.com>
      8dd601fa
    • T
      Merge tag 'irqchip-4.16-2' of... · 6dee6ae9
      Thomas Gleixner 提交于
      Merge tag 'irqchip-4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent
      
      Pull irqchip updates for 4.16-rc2 from Marc Zyngier
      
       - A MIPS GIC fix for spurious, masked interrupts
       - A fix for a subtle IPI bug in GICv3
       - Do not probe GICv3 ITSs that are marked as disabled
       - Multi-MSI support for GICv2m
       - Various cleanups
      6dee6ae9
    • A
      irqdomain: Re-use DEFINE_SHOW_ATTRIBUTE() macro · 0b24a0bb
      Andy Shevchenko 提交于
      ...instead of open coding file operations followed by custom ->open()
      callbacks per each attribute.
      Signed-off-by: NAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      0b24a0bb
    • J
      irqchip/bcm: Remove hashed address printing · 2d02424e
      Jaedon Shin 提交于
      Since commit ad67b74d ("printk: hash addresses printed with %p")
      pointers are being hashed when printed. Displaying the virtual memory at
      bootup time is not helpful. so delete the prints.
      Acked-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NJaedon Shin <jaedon.shin@gmail.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      2d02424e
    • M
      irqchip/gic-v2m: Add PCI Multi-MSI support · de337ee3
      Marc Zyngier 提交于
      We'd never implemented Multi-MSI support with GICv2m, because
      it is weird and clunky, and you'd think people would rather use
      MSI-X.
      
      Turns out there is still plenty of devices out there that rely
      on Multi-MSI. Oh well, let's teach that trick to the v2m widget,
      it is not a big deal anyway.
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      de337ee3
    • S
      irqchip/gic-v3: Ignore disabled ITS nodes · 95a25625
      Stephen Boyd 提交于
      On some platforms there's an ITS available but it's not enabled
      because reading or writing the registers is denied by the
      firmware. In fact, reading or writing them will cause the system
      to reset. We could remove the node from DT in such a case, but
      it's better to skip nodes that are marked as "disabled" in DT so
      that we can describe the hardware that exists and use the status
      property to indicate how the firmware has configured things.
      
      Cc: Stuart Yoder <stuyoder@gmail.com>
      Cc: Laurentiu Tudor <laurentiu.tudor@nxp.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Rajendra Nayak <rnayak@codeaurora.org>
      Signed-off-by: NStephen Boyd <sboyd@codeaurora.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      95a25625
    • S
      irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq() · 21ec30c0
      Shanker Donthineni 提交于
      A DMB instruction can be used to ensure the relative order of only
      memory accesses before and after the barrier. Since writes to system
      registers are not memory operations, barrier DMB is not sufficient
      for observability of memory accesses that occur before ICC_SGI1R_EL1
      writes.
      
      A DSB instruction ensures that no instructions that appear in program
      order after the DSB instruction, can execute until the DSB instruction
      has completed.
      
      Cc: stable@vger.kernel.org
      Acked-by: Will Deacon <will.deacon@arm.com>,
      Signed-off-by: NShanker Donthineni <shankerd@codeaurora.org>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      21ec30c0
    • M
      irqchip/gic-v3: Change pr_debug message to pr_devel · b6dd4d83
      Mark Salter 提交于
      The pr_debug() in gic-v3 gic_send_sgi() can trigger a circular locking
      warning:
      
       GICv3: CPU10: ICC_SGI1R_EL1 5000400
       ======================================================
       WARNING: possible circular locking dependency detected
       4.15.0+ #1 Tainted: G        W
       ------------------------------------------------------
       dynamic_debug01/1873 is trying to acquire lock:
        ((console_sem).lock){-...}, at: [<0000000099c891ec>] down_trylock+0x20/0x4c
      
       but task is already holding lock:
        (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc
      
       which lock already depends on the new lock.
      
       the existing dependency chain (in reverse order) is:
      
       -> #2 (&rq->lock){-.-.}:
              __lock_acquire+0x3b4/0x6e0
              lock_acquire+0xf4/0x2a8
              _raw_spin_lock+0x4c/0x60
              task_fork_fair+0x3c/0x148
              sched_fork+0x10c/0x214
              copy_process.isra.32.part.33+0x4e8/0x14f0
              _do_fork+0xe8/0x78c
              kernel_thread+0x48/0x54
              rest_init+0x34/0x2a4
              start_kernel+0x45c/0x488
      
       -> #1 (&p->pi_lock){-.-.}:
              __lock_acquire+0x3b4/0x6e0
              lock_acquire+0xf4/0x2a8
              _raw_spin_lock_irqsave+0x58/0x70
              try_to_wake_up+0x48/0x600
              wake_up_process+0x28/0x34
              __up.isra.0+0x60/0x6c
              up+0x60/0x68
              __up_console_sem+0x4c/0x7c
              console_unlock+0x328/0x634
              vprintk_emit+0x25c/0x390
              dev_vprintk_emit+0xc4/0x1fc
              dev_printk_emit+0x88/0xa8
              __dev_printk+0x58/0x9c
              _dev_info+0x84/0xa8
              usb_new_device+0x100/0x474
              hub_port_connect+0x280/0x92c
              hub_event+0x740/0xa84
              process_one_work+0x240/0x70c
              worker_thread+0x60/0x400
              kthread+0x110/0x13c
              ret_from_fork+0x10/0x18
      
       -> #0 ((console_sem).lock){-...}:
              validate_chain.isra.34+0x6e4/0xa20
              __lock_acquire+0x3b4/0x6e0
              lock_acquire+0xf4/0x2a8
              _raw_spin_lock_irqsave+0x58/0x70
              down_trylock+0x20/0x4c
              __down_trylock_console_sem+0x3c/0x9c
              console_trylock+0x20/0xb0
              vprintk_emit+0x254/0x390
              vprintk_default+0x58/0x90
              vprintk_func+0xbc/0x164
              printk+0x80/0xa0
              __dynamic_pr_debug+0x84/0xac
              gic_raise_softirq+0x184/0x18c
              smp_cross_call+0xac/0x218
              smp_send_reschedule+0x3c/0x48
              resched_curr+0x60/0x9c
              check_preempt_curr+0x70/0xdc
              wake_up_new_task+0x310/0x470
              _do_fork+0x188/0x78c
              SyS_clone+0x44/0x50
              __sys_trace_return+0x0/0x4
      
       other info that might help us debug this:
      
       Chain exists of:
         (console_sem).lock --> &p->pi_lock --> &rq->lock
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(&rq->lock);
                                      lock(&p->pi_lock);
                                      lock(&rq->lock);
         lock((console_sem).lock);
      
        *** DEADLOCK ***
      
       2 locks held by dynamic_debug01/1873:
        #0:  (&p->pi_lock){-.-.}, at: [<000000001366df53>] wake_up_new_task+0x40/0x470
        #1:  (&rq->lock){-.-.}, at: [<00000000842e1587>] __task_rq_lock+0x54/0xdc
      
       stack backtrace:
       CPU: 10 PID: 1873 Comm: dynamic_debug01 Tainted: G        W        4.15.0+ #1
       Hardware name: GIGABYTE R120-T34-00/MT30-GS2-00, BIOS T48 10/02/2017
       Call trace:
        dump_backtrace+0x0/0x188
        show_stack+0x24/0x2c
        dump_stack+0xa4/0xe0
        print_circular_bug.isra.31+0x29c/0x2b8
        check_prev_add.constprop.39+0x6c8/0x6dc
        validate_chain.isra.34+0x6e4/0xa20
        __lock_acquire+0x3b4/0x6e0
        lock_acquire+0xf4/0x2a8
        _raw_spin_lock_irqsave+0x58/0x70
        down_trylock+0x20/0x4c
        __down_trylock_console_sem+0x3c/0x9c
        console_trylock+0x20/0xb0
        vprintk_emit+0x254/0x390
        vprintk_default+0x58/0x90
        vprintk_func+0xbc/0x164
        printk+0x80/0xa0
        __dynamic_pr_debug+0x84/0xac
        gic_raise_softirq+0x184/0x18c
        smp_cross_call+0xac/0x218
        smp_send_reschedule+0x3c/0x48
        resched_curr+0x60/0x9c
        check_preempt_curr+0x70/0xdc
        wake_up_new_task+0x310/0x470
        _do_fork+0x188/0x78c
        SyS_clone+0x44/0x50
        __sys_trace_return+0x0/0x4
       GICv3: CPU0: ICC_SGI1R_EL1 12000
      
      This could be fixed with printk_deferred() but that might lessen its
      usefulness for debugging. So change it to pr_devel to keep it out of
      production kernels. Developers working on gic-v3 can enable it as
      needed in their kernels.
      Signed-off-by: NMark Salter <msalter@redhat.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      b6dd4d83
    • M
      irqchip/mips-gic: Avoid spuriously handling masked interrupts · 285cb4f6
      Matt Redfearn 提交于
      Commit 7778c4b2 ("irqchip: mips-gic: Use pcpu_masks to avoid reading
      GIC_SH_MASK*") removed the read of the hardware mask register when
      handling shared interrupts, instead using the driver's shadow pcpu_masks
      entry as the effective mask. Unfortunately this did not take account of
      the write to pcpu_masks during gic_shared_irq_domain_map, which
      effectively unmasks the interrupt early. If an interrupt is asserted,
      gic_handle_shared_int decodes and processes the interrupt even though it
      has not yet been unmasked via gic_unmask_irq, which also sets the
      appropriate bit in pcpu_masks.
      
      On the MIPS Boston board, when a console command line of
      "console=ttyS0,115200n8r" is passed, the modem status IRQ is enabled in
      the UART, which is immediately raised to the GIC. The interrupt has been
      mapped, but no handler has yet been registered, nor is it expected to be
      unmasked. However, the write to pcpu_masks in gic_shared_irq_domain_map
      has effectively unmasked it, resulting in endless reports of:
      
      [    5.058454] irq 13, desc: ffffffff80a7ad80, depth: 1, count: 0, unhandled: 0
      [    5.062057] ->handle_irq():  ffffffff801b1838,
      [    5.062175] handle_bad_irq+0x0/0x2c0
      
      Where IRQ 13 is the UART interrupt.
      
      To fix this, just remove the write to pcpu_masks in
      gic_shared_irq_domain_map. The existing write in gic_unmask_irq is the
      correct place for what is now the effective unmasking.
      
      Cc: stable@vger.kernel.org
      Fixes: 7778c4b2 ("irqchip: mips-gic: Use pcpu_masks to avoid reading GIC_SH_MASK*")
      Signed-off-by: NMatt Redfearn <matt.redfearn@mips.com>
      Reviewed-by: NPaul Burton <paul.burton@mips.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      285cb4f6
    • N
      powerpc/pseries: Check for zero filled ibm,dynamic-memory property · 2c10636a
      Nathan Fontenot 提交于
      Some versions of QEMU will produce an ibm,dynamic-reconfiguration-memory
      node with a ibm,dynamic-memory property that is zero-filled. This
      causes the drmem code to oops trying to parse this property.
      
      The fix for this is to validate that the property does contain LMB
      entries before trying to parse it and bail if the count is zero.
      
        Oops: Kernel access of bad area, sig: 11 [#1]
        DAR: 0000000000000010
        NIP read_drconf_v1_cell+0x54/0x9c
        LR  read_drconf_v1_cell+0x48/0x9c
        Call Trace:
          __param_initcall_debug+0x0/0x28 (unreliable)
          drmem_init+0x144/0x2f8
          do_one_initcall+0x64/0x1d0
          kernel_init_freeable+0x298/0x38c
          kernel_init+0x24/0x160
          ret_from_kernel_thread+0x5c/0xb4
      
      The ibm,dynamic-reconfiguration-memory device tree property generated
      that causes this:
      
        ibm,dynamic-reconfiguration-memory {
                ibm,lmb-size = <0x0 0x10000000>;
                ibm,memory-flags-mask = <0xff>;
                ibm,dynamic-memory = <0x0 0x0 0x0 0x0 0x0 0x0>;
                linux,phandle = <0x7e57eed8>;
                ibm,associativity-lookup-arrays = <0x1 0x4 0x0 0x0 0x0 0x0>;
                ibm,memory-preservation-time = <0x0>;
        };
      Signed-off-by: NNathan Fontenot <nfont@linux.vnet.ibm.com>
      Reviewed-by: NCyril Bur <cyrilbur@gmail.com>
      Tested-by: NDaniel Black <daniel@linux.vnet.ibm.com>
      [mpe: Trim oops report]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      2c10636a
    • M
      cpumask: Make for_each_cpu_wrap() available on UP as well · d207af2e
      Michael Kelley 提交于
      for_each_cpu_wrap() was originally added in the #else half of a
      large "#if NR_CPUS == 1" statement, but was omitted in the #if
      half.  This patch adds the missing #if half to prevent compile
      errors when NR_CPUS is 1.
      Reported-by: Nkbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: NMichael Kelley <mhkelley@outlook.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: kys@microsoft.com
      Cc: martin.petersen@oracle.com
      Cc: mikelley@microsoft.com
      Fixes: c743f0a5 ("sched/fair, cpumask: Export for_each_cpu_wrap()")
      Link: http://lkml.kernel.org/r/SN6PR1901MB2045F087F59450507D4FCC17CBF50@SN6PR1901MB2045.namprd19.prod.outlook.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      d207af2e