1. 04 Sep, 2017 11 commits
    • Merge branch 'core-debugobjects-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · fea15437
      Linus Torvalds committed
      Pull debugobjects fix from Ingo Molnar:
       "A single commit making debugobjects interact better with kmemleak"
      
      * 'core-debugobjects-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        debugobjects: Make kmemleak ignore debug objects
    • Merge branch 'docs-next' of git://git.lwn.net/linux · 81a84ad3
      Linus Torvalds committed
      Pull documentation updates from Jonathan Corbet:
       "After a fair amount of churn in the last couple of cycles, docs are
        taking it easier this time around. Lots of fixes and some new
        documentation, but nothing all that radical. Perhaps the most
        interesting change for many is the scripts/sphinx-pre-install tool
        from Mauro; it will tell you exactly which packages you need to
        install to get a working docs toolchain on your system.
      
        There are two little patches reaching outside of Documentation/; both
        just tweak kerneldoc comments to eliminate warnings and fix some
        dangling doc pointers"
      
      * 'docs-next' of git://git.lwn.net/linux: (52 commits)
        Documentation/sphinx: fix kernel-doc decode for non-utf-8 locale
        genalloc: Fix an incorrect kerneldoc comment
        doc: Add documentation for the genalloc subsystem
        assoc_array: fix path to assoc_array documentation
        kernel-doc parser mishandles declarations split into lines
        docs: ReSTify table of contents in core.rst
        docs: process: drop git snapshots from applying-patches.rst
        Documentation:input: fix typo
        swap: Remove obsolete sentence
        sphinx.rst: Allow Sphinx version 1.6 at the docs
        docs-rst: fix verbatim font size on tables
        Documentation: stable-kernel-rules: fix broken git urls
        rtmutex: update rt-mutex
        rtmutex: update rt-mutex-design
        docs: fix minimal sphinx version in conf.py
        docs: fix nested numbering in the TOC
        NVMEM documentation fix: A minor typo
        docs-rst: pdf: use same vertical margin on all Sphinx versions
        doc: Makefile: if sphinx is not found, run a check script
        docs: Fix paths in security/keys
        ...
    • Merge tag 'hwmon-for-linus-v4.14' of... · fe91f281
      Linus Torvalds committed
      Merge tag 'hwmon-for-linus-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
      
      Pull hwmon updates from Guenter Roeck:
      
       - new drivers:
         - Lantiq CPU temperature sensor
         - IBM CFF power supply
         - TPS53679 PMBus driver
      
       - new support:
         - LM5066I (lm25066 PMBus driver)
         - Intel VID protocol VR13 (PMBus drivers)
         - CAT34TS02C, GT30TS00, GT34TS02, and CAT34TS04 (jc42 driver)
      
       - cleanup and minor improvements in several drivers
      
      * tag 'hwmon-for-linus-v4.14' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: (36 commits)
        hwmon: (ltq-cputemp) add cpu temp sensor driver
        hwmon: (ltq-cputemp) add devicetree bindings documentation
        hwmon: (pmbus) Add support for Texas Instruments tps53679 device
        hwmon: (asc7621) make several arrays static const
        hwmon: (pmbus/lm25066) Add support for TI LM5066I
        hwmon: (pmbus/lm25066) Offset coefficient depends on CL
        hwmon: (pmbus) Add support for Intel VID protocol VR13
        Documentation: hwmon: Document the IBM CFF power supply
        hwmon: (pmbus) Add IBM Common Form Factor (CFF) power supply driver
        dt-bindings: hwmon: Document the IBM CCF power supply version 1
        hwmon: (ftsteutates) constify i2c_device_id
        hwmon: da9052: Add support for TSI channel
        mfd: da9052: Make touchscreen registration optional
        hwmon: da9052: Replace S_IRUGO with 0444
        mfd: da9052: Add register details for TSI
        hwmon: (aspeed-pwm) add THERMAL dependency
        hwmon: (pmbus) Add debugfs for status registers
        hwmon: (aspeed-pwm-tacho) cooling device support.
        Documentation: dt-bindings: aspeed-pwm-tacho cooling device.
        hwmon: (pmbus): Add generic alarm bit for iin and pin
        ...
    • Merge tag 'for-linus-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · aa9d4648
      Linus Torvalds committed
      Pull rdma updates from Doug Ledford:
       "This is a big pull request.
      
        Of note is that I'm sending you the new ioctl API for the rdma
        subsystem. We put it up on linux-api@, but didn't get much response.
        The API is complex, but it solves two different problems in one go:
      
         1) The bi-directional nature of the RDMA file write calls, which
            created the security hole we had to handle (and for which the fix
            is now causing problems for systems in production, we were a bit
            over zealous in the fix and the ability to open a device, then
            fork, then create new queue pairs on the device and use them is
            broken).
      
         2) The bloat caused by different vendors implementing extensions to
            the base verbs API. Each vendor's hardware is slightly different,
            and the hardware might be suitable for one extension but not
            another.
      
            By the time we add generic extensions for all the different ways
            that the different hardware can offload things, the API becomes
            bloated. Things like our completion structs have started to exceed
            a cache line in size because of all the elements needed to support
            this. That in turn shows up heavily in the performance graphs with
            a noticeable drop in performance on 100Gigabit links as our
            completion structs go from occupying one cache line to 1+.
      
            This API makes things like the completion structs modular in a
            very similar way to netlink so that your structs can only include
            the items needed for the offloads/features you are actually using
            on a given queue pair. In that way we support everything, but only
            use what we need, and our structs stay smaller.
      
        The ioctl API is better explained by the posting on linux-api@ than I
        can explain it here, so I'll just leave it at that.
      
        The rest of the pull request is typical stuff.
      
        Updates for 4.14 kernel merge window
      
         - Lots of hfi1 driver updates (mixed with a few qib and core updates
           as well)
      
         - rxe updates
      
         - various mlx updates
      
         - Set default roce type to RoCEv2
      
         - Several larger fixes for bnxt_re that were too big for -rc
      
         - Several larger fixes for qedr that, likewise, were too big for -rc
      
         - Misc core changes
      
         - Make the hns_roce driver compilable on arches other than aarch64 so
           we can more easily debug build issues related to it
      
         - Add rdma-netlink infrastructure updates
      
         - Add automatic IRQ affinity infrastructure
      
         - Add 32bit lid support
      
         - Lots of misc fixes across the subsystem from random people
      
         - Autoloading of RDMA netlink modules
      
         - PCI pool cleanups from Romain Perier
      
         - mlx5 driver feature additions and fixes
      
         - Hardware tag matching feature
      
         - Fix sleeping in atomic when resolving roce ah
      
         - Add experimental ioctl interface as posted to linux-api@"
      
      * tag 'for-linus-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (328 commits)
        IB/core: Expose ioctl interface through experimental Kconfig
        IB/core: Assign root to all drivers
        IB/core: Add completion queue (cq) object actions
        IB/core: Add legacy driver's user-data
        IB/core: Export ioctl enum types to user-space
        IB/core: Explicitly destroy an object while keeping uobject
        IB/core: Add macros for declaring methods and attributes
        IB/core: Add uverbs merge trees functionality
        IB/core: Add DEVICE object and root tree structure
        IB/core: Declare an object instead of declaring only type attributes
        IB/core: Add new ioctl interface
        RDMA/vmw_pvrdma: Fix a signedness
        RDMA/vmw_pvrdma: Report network header type in WC
        IB/core: Add might_sleep() annotation to ib_init_ah_from_wc()
        IB/cm: Fix sleeping in atomic when RoCE is used
        IB/core: Add support to finalize objects in one transaction
        IB/core: Add a generic way to execute an operation on a uobject
        Documentation: Hardware tag matching
        IB/mlx5: Support IB_SRQT_TM
        net/mlx5: Add XRQ support
        ...
    • Merge tag 'drm-for-v4.14' of git://people.freedesktop.org/~airlied/linux · 906dde0f
      Linus Torvalds committed
      Pull drm updates from Dave Airlie:
       "This is the main drm pull request for 4.14 merge window.
      
        I'm sending this early, as my continuing journey into fatherhood is
        occurring really soon now, I'm going to be mostly useless for the next
        couple of weeks, though I may be able to read email, I doubt I'll be
        doing much patch applications or git sending. If anything urgent pops
        up I've asked Daniel/Jani/Alex/Sean to try and direct stuff towards
        you.
      
        Outside drm changes:
      
        Some rcar-du updates that touch the V4L tree, all acks should be in
        place. It adds one export to the radix tree code for new i915 use
        case. There are some minor AGP cleanups (don't see that too often).
        Changes to the vbox driver in staging to avoid breaking compilation.
      
        Summary:
      
        core:
         - Atomic helper fixes
         - Atomic UAPI fixes
         - Add YCBCR 4:2:0 support
         - Drop set_busid hook
         - Refactor fb_helper locking
         - Remove a bunch of internal APIs
         - Add a bunch of better default handlers
         - Format modifier/blob plane property added
         - More internal header refactoring
         - Make more internal API names consistent
         - Enhanced syncobj APIs (wait/signal/reset/create signalled)
      
        bridge:
         - Add Synopsys Designware MIPI DSI host bridge driver
      
        tiny:
         - Add Pervasive Displays RePaper displays
         - Add support for LEGO MINDSTORMS EV3 LCD
      
        i915:
         - Lots of GEN10/CNL  support patches
         - drm syncobj support
         - Skylake+ watermark refactoring
         - GVT vGPU 48-bit ppgtt support
         - GVT performance improvements
         - NOA change ioctl
         - CCS (color compression) scanout support
         - GPU reset improvements
      
        amdgpu:
         - Initial hugepage support
         - BO migration logic rework
         - Vega10 improvements
         - Powerplay fixes
         - Stop reprogramming the MC
         - Fixes for ACP audio on stoney
         - SR-IOV fixes/improvements
         - Command submission overhead improvements
      
        amdkfd:
         - Non-dGPU upstreaming patches
         - Scratch VA ioctl
         - Image tiling modes
         - Update PM4 headers for new firmware
         - Drop all BUG_ONs.
      
        nouveau:
         - GP108 modesetting support.
         - Disable MSI on big endian.
      
        vmwgfx:
         - Add fence fd support.
      
        msm:
         - Runtime PM improvements
      
        exynos:
         - NV12MT support
         - Refactor KMS drivers
      
        imx-drm:
         - Lock scanout channel to improve memory bw
         - Cleanups
      
        etnaviv:
         - GEM object population fixes
      
        tegra:
         - Prep work for Tegra186 support
         - PRIME mmap support
      
        sunxi:
         - HDMI support improvements
         - HDMI CEC support
      
        omapdrm:
         - HDMI hotplug IRQ support
         - Big driver cleanup
         - OMAP5 DSI support
      
        rcar-du:
         - vblank fixes
         - VSP1 updates
      
        arcgpu:
         - Minor fixes
      
        stm:
         - Add STM32 DSI controller driver
      
        dw_hdmi:
         - Add support for Rockchip RK3399
         - HDMI CEC support
      
        atmel-hlcdc:
         - Add 8-bit color support
      
        vc4:
         - Atomic fixes
         - New ioctl to attach a label to a buffer object
         - HDMI CEC support
         - Allow userspace to dictate rendering order on submit ioctl"
      
      * tag 'drm-for-v4.14' of git://people.freedesktop.org/~airlied/linux: (1074 commits)
        drm/syncobj: Add a signal ioctl (v3)
        drm/syncobj: Add a reset ioctl (v3)
        drm/syncobj: Add a syncobj_array_find helper
        drm/syncobj: Allow wait for submit and signal behavior (v5)
        drm/syncobj: Add a CREATE_SIGNALED flag
        drm/syncobj: Add a callback mechanism for replace_fence (v3)
        drm/syncobj: add sync obj wait interface. (v8)
        i915: Use drm_syncobj_fence_get
        drm/syncobj: Add a race-free drm_syncobj_fence_get helper (v2)
        drm/syncobj: Rename fence_get to find_fence
        drm: kirin: Add mode_valid logic to avoid mode clocks we can't generate
        drm/vmwgfx: Bump the version for fence FD support
        drm/vmwgfx: Add export fence to file descriptor support
        drm/vmwgfx: Add support for imported Fence File Descriptor
        drm/vmwgfx: Prepare to support fence fd
        drm/vmwgfx: Fix incorrect command header offset at restart
        drm/vmwgfx: Support the NOP_ERROR command
        drm/vmwgfx: Restart command buffers after errors
        drm/vmwgfx: Move irq bottom half processing to threads
        drm/vmwgfx: Don't use drm_irq_[un]install
        ...
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 69c0067a
      Linus Torvalds committed
      Pull misc fixes from Al Viro:
       "Loose ends and regressions from the last merge window.
      
        Strictly speaking, only binfmt_flat thing is a build regression per
        se - the rest is 'only sparse cares about that' stuff"
      
      [ This came in before the 4.13 release and could have gone there, but it
        was late in the release and nothing seemed critical enough to care, so
        I'm pulling it in the 4.14 merge window instead  - Linus ]
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        binfmt_flat: fix arch/m32r and arch/microblaze flat_put_addr_at_rp()
        compat_hdio_ioctl: Fix a declaration
        <linux/uaccess.h>: Fix copy_in_user() declaration
        annotate RWF_... flags
        teach SYSCALL_DEFINE/COMPAT_SYSCALL_DEFINE to handle __bitwise arguments
    • Linux 4.13 · 569dbb88
      Linus Torvalds committed
    • Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · 5e3b19d8
      Linus Torvalds committed
      Pull MIPS fixes from Ralf Baechle:
       "The two indirect syscall fixes have sat in linux-next for a few days.
        I did check back with a hardware designer to ensure a SYNC is really
        what's required for the GIC fix and so the GIC fix didn't make it into
        linux-next in time for this final pull request.
      
        It builds in local build tests and passes Imagination's test system"
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
        irqchip: mips-gic: SYNC after enabling GIC region
        MIPS: Remove pt_regs adjustments in indirect syscall handler
        MIPS: seccomp: Fix indirect syscall args
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d0fa6ea1
      Linus Torvalds committed
      Pull x86 fixes from Thomas Gleixner:
      
       - Expand the space for uncompressing as the LZ4 worst case does not fit
         into the currently reserved space
      
       - Validate boot parameters more strictly to prevent out of bound access
         in the decompressor/boot code
      
       - Fix off by one errors in get_segment_base()
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot: Prevent faulty bootparams.screeninfo from causing harm
        x86/boot: Provide more slack space during decompression
        x86/ldt: Fix off by one in get_segment_base()
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 3b62dc6c
      Linus Torvalds committed
      Pull timer fix from Thomas Gleixner:
       "A single fix for a thinko in the raw timekeeper update which causes
        clock MONOTONIC_RAW to run with erratically increased frequency"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        time: Fix ktime_get_raw() incorrect base accumulation
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e92d51af
      Linus Torvalds committed
      Pull perf fixes from Thomas Gleixner:
      
       - Prevent a potential inconsistency in the perf user space access which
         might lead to evading sanity checks.
      
       - Prevent perf recording function trace entries twice
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/ftrace: Fix double traces of perf on ftrace:function
        perf/core: Fix potential double-fetch bug
  2. 02 Sep, 2017 15 commits
    • Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 · d0d6ab53
      Linus Torvalds committed
      Pull cifs version warning fix from Steve French:
       "As requested, additional kernel warning messages to clarify the
        default dialect changes"
      
      [ There is still some discussion about exactly which version should be
        the new default.  Longer-term we have auto-negotiation coming, but
        that's not there yet..  - Linus ]
      
      * 'for-next' of git://git.samba.org/sfrench/cifs-2.6:
        Fix warning messages when mounting to older servers
    • Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 54f70f52
      Linus Torvalds committed
      Pull ARM SoC fixes from Olof Johansson:
       "A couple of late-arriving fixes before final 4.13:
      
         - A few reverts of DT bindings on Allwinner for their ethernet
           driver. Discussion didn't converge, and since bindings are
           considered ABI it makes sense to revert instead of having to
           support two bindings long-term.
      
         - A fix to enumerate GPIOs properly on Marvell Armada AP806"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        arm64: dts: marvell: fix number of GPIOs in Armada AP806 description
        arm: dts: sunxi: Revert EMAC changes
        arm64: dts: allwinner: Revert EMAC changes
        dt-bindings: net: Revert sun8i dwmac binding
    • Merge tag 'mvebu-fixes-4.13-3' of git://git.infradead.org/linux-mvebu into fixes · 6f71a925
      Olof Johansson committed
      mvebu fixes for 4.13 (part 3)
      
      Fix number of GPIOs in AP806 description for Armada 7K/8K
      
      * tag 'mvebu-fixes-4.13-3' of git://git.infradead.org/linux-mvebu:
        arm64: dts: marvell: fix number of GPIOs in Armada AP806 description
      Signed-off-by: Olof Johansson <olof@lixom.net>
    • Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · f8c6d724
      Linus Torvalds committed
      Pull i2c fixes from Wolfram Sang:
       "The ismt driver had a problem with a rarely used transaction type and
        the designware driver was made even more robust against non standard
        ACPI tables"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: designware: Round down ACPI provided clk to nearest supported clk
        i2c: ismt: Return EMSGSIZE for block reads with bogus length
        i2c: ismt: Don't duplicate the receive length for block reads
    • epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove() · 138e4ad6
      Oleg Nesterov committed
      The race was introduced by me in commit 971316f0 ("epoll:
      ep_unregister_pollwait() can use the freed pwq->whead").  I did not
      realize that nothing can protect eventpoll after ep_poll_callback() sets
      ->whead = NULL, only whead->lock can save us from the race with
      ep_free() or ep_remove().
      
      Move ->whead = NULL to the end of ep_poll_callback() and add the
      necessary barriers.
      
      TODO: cleanup the ewake/EPOLLEXCLUSIVE logic, it was confusing even
      before this patch.
      
      Hopefully this explains use-after-free reported by syzkaller:
      
      	BUG: KASAN: use-after-free in debug_spin_lock_before
      	...
      	 _raw_spin_lock_irqsave+0x4a/0x60 kernel/locking/spinlock.c:159
      	 ep_poll_callback+0x29f/0xff0 fs/eventpoll.c:1148
      
      this is spin_lock(eventpoll->lock),
      
      	...
      	Freed by task 17774:
      	...
      	 kfree+0xe8/0x2c0 mm/slub.c:3883
      	 ep_free+0x22c/0x2a0 fs/eventpoll.c:865
      
      Fixes: 971316f0 ("epoll: ep_unregister_pollwait() can use the freed pwq->whead")
      Reported-by: 范龙飞 <long7573@126.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Oleg Nesterov <oleg@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8cf9f2a2
      Linus Torvalds committed
      Pull networking fixes from David Miller:
      
       1) Fix handling of pinned BPF map nodes in hash of maps, from Daniel
          Borkmann.
      
       2) IPSEC ESP error paths leak memory, from Steffen Klassert.
      
       3) We need an RCU grace period before freeing fib6_node objects, from
          Wei Wang.
      
       4) Must check skb_put_padto() return value in HSR driver, from Florian
          Fainelli.
      
       5) Fix oops on PHY probe failure in ftgmac100 driver, from Andrew
          Jeffery.
      
       6) Fix infinite loop in UDP queue when using SO_PEEK_OFF, from Eric
          Dumazet.
      
       7) Use after free when tcf_chain_destroy() called multiple times, from
          Jiri Pirko.
      
       8) Fix KSZ DSA tag layer multiple free of SKBS, from Florian Fainelli.
      
       9) Fix leak of uninitialized memory in sctp_get_sctp_info(),
          inet_diag_msg_sctpladdrs_fill() and inet_diag_msg_sctpaddrs_fill().
          From Stefano Brivio.
      
      10) L2TP tunnel refcount fixes from Guillaume Nault.
      
      11) Don't leak UDP secpath in udp_set_dev_scratch(), from Yossi
          Kuperman.
      
      12) Revert a PHY layer change wrt. handling of PHY_HALTED state in
          phy_stop_machine(), it causes regressions for multiple people. From
          Florian Fainelli.
      
      13) When packets are sent out of br0 we have to clear the
          offload_fwd_mark value.
      
      14) Several NULL pointer deref fixes in packet schedulers when their
          ->init() routine fails. From Nikolay Aleksandrov.
      
      15) Aquantium devices cannot checksum offload correctly when the packet
          is <= 60 bytes. From Pavel Belous.
      
      16) Fix vnet header access past end of buffer in AF_PACKET, from
          Benjamin Poirier.
      
      17) Double free in probe error paths of nfp driver, from Dan Carpenter.
      
      18) QOS capability not checked properly in DCB init paths of mlx5
          driver, from Huy Nguyen.
      
      19) Fix conflicts between firmware load failure and health_care timer in
          mlx5, also from Huy Nguyen.
      
      20) Fix dangling page pointer when DMA mapping errors occur in mlx5,
          from Eran Ben Elisha.
      
      21) ->ndo_setup_tc() in bnxt_en driver doesn't count rings properly,
          from Michael Chan.
      
      22) Missing MSIX vector free in bnxt_en, also from Michael Chan.
      
      23) Refcount leak in xfrm layer when using sk_policy, from Lorenzo
          Colitti.
      
      24) Fix copy of uninitialized data in qlge driver, from Arnd Bergmann.
      
      25) bpf_setsockopts() erroneously always returns -EINVAL even on
          success. Fix from Yuchung Cheng.
      
      26) tipc_rcv() needs to linearize the SKB before parsing the inner
          headers, from Parthasarathy Bhuvaragan.
      
      27) Fix deadlock between link status updates and link removal in netvsc
          driver, from Stephen Hemminger.
      
      28) Missed locking of page fragment handling in ESP output, from Steffen
          Klassert.
      
      29) Fix refcnt leak in ebpf congestion control code, from Sabrina
          Dubroca.
      
      30) sxgbe_probe_config_dt() doesn't check devm_kzalloc()'s return value,
          from Christophe Jaillet.
      
      31) Fix missing ipv6 rx_dst_cookie update when rx_dst is updated during
          early demux, from Paolo Abeni.
      
      32) Several info leaks in xfrm_user layer, from Mathias Krause.
      
      33) Fix out of bounds read in cxgb4 driver, from Stefano Brivio.
      
      34) Properly propagate obsolete state of route upwards in ipv6 so that
          upper holders like xfrm can see it. From Xin Long.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (118 commits)
        udp: fix secpath leak
        bridge: switchdev: Clear forward mark when transmitting packet
        mlxsw: spectrum: Forbid linking to devices that have uppers
        wl1251: add a missing spin_lock_init()
        Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
        net: dsa: bcm_sf2: Fix number of CFP entries for BCM7278
        kcm: do not attach PF_KCM sockets to avoid deadlock
        sch_tbf: fix two null pointer dereferences on init failure
        sch_sfq: fix null pointer dereference on init failure
        sch_netem: avoid null pointer deref on init failure
        sch_fq_codel: avoid double free on init failure
        sch_cbq: fix null pointer dereferences on init failure
        sch_hfsc: fix null pointer deref and double free on init failure
        sch_hhf: fix null pointer dereference on init failure
        sch_multiq: fix double free on init failure
        sch_htb: fix crash on init failure
        net/mlx5e: Fix CQ moderation mode not set properly
        net/mlx5e: Fix inline header size for small packets
        net/mlx5: E-Switch, Unload the representors in the correct order
        net/mlx5e: Properly resolve TC offloaded ipv6 vxlan tunnel source address
        ...
    • Merge tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client · b8a78bb4
      Linus Torvalds committed
      Pull ceph fix from Ilya Dryomov:
       "ceph fscache page locking fix from Zheng, marked for stable"
      
      * tag 'ceph-for-4.13-rc8' of git://github.com/ceph/ceph-client:
        ceph: fix readpage from fscache
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 3e1d79c8
      Linus Torvalds committed
      Pull input fixes from Dmitry Torokhov:
       "Just a couple drivers fixes (Synaptics PS/2, Xpad)"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: xpad - fix PowerA init quirk for some gamepad models
        Input: synaptics - fix device info appearing different on reconnect
    • Merge tag 'mmc-v4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · d7e44b86
      Linus Torvalds committed
      Pull two more MMC fixes from Ulf Hansson:
       "MMC core:
         - Fix block status codes
      
        MMC host:
         - sdhci-xenon: Fix SD bus voltage select"
      
      * tag 'mmc-v4.13-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: sdhci-xenon: add set_power callback
        mmc: block: Fix block status codes
    • Merge tag 'sound-4.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 381cce59
      Linus Torvalds committed
      Pull sound fixes from Takashi Iwai:
       "Three regression fixes that should be addressed before the final
        release: a missing mutex call in OSS PCM emulation ioctl, ASoC rt5670
        headset detection breakage, and a regression in simple-card parser
        code"
      
      * tag 'sound-4.13-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: simple_card_utils: fix fallback when "label" property isn't present
        ALSA: pcm: Fix power lock unbalance via OSS emulation
        ASoC: rt5670: Fix GPIO headset detection regression
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · bba2a5b8
      Linus Torvalds committed
      Pull s390 fixes from Martin Schwidefsky:
       "Three more bug fixes for v4.13.
      
        The two memory management related fixes are quite new, they fix kernel
        crashes that can be triggered by user space.
      
        The third commit fixes a bug in the vfio ccw translation code"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390/mm: fix BUG_ON in crst_table_upgrade
        s390/mm: fork vs. 5 level page tabel
        vfio: ccw: fix bad ptr math for TIC cda translation
    • Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · a1c516a6
      Linus Torvalds committed
      Pull crypto fixes from Herbert Xu:
       "This fixes the following issues:
      
         - Regression in chacha20 handling of chunked input
      
         - Crash in algif_skcipher when used with async io
      
         - Potential bogus pointer dereference in lib/mpi"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: algif_skcipher - only call put_page on referenced and used pages
        crypto: testmgr - add chunked test cases for chacha20
        crypto: chacha20 - fix handling of chunked input
        lib/mpi: kunmap after finishing accessing buffer
    • udp: fix secpath leak · e8a732d1
      Yossi Kuperman committed
      After commit dce4551c ("udp: preserve head state for IP_CMSG_PASSSEC")
      we preserve the secpath for the whole skb lifecycle, but we also
      end up leaking a reference to it.
      
      We must clear the head state on skb reception, if secpath is
      present.
      
      Fixes: dce4551c ("udp: preserve head state for IP_CMSG_PASSSEC")
      Signed-off-by: Yossi Kuperman <yossiku@mellanox.com>
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • bridge: switchdev: Clear forward mark when transmitting packet · 79e99bdd
      Ido Schimmel committed
      Commit 6bc506b4 ("bridge: switchdev: Add forward mark support for
      stacked devices") added the 'offload_fwd_mark' bit to the skb in order
      to allow drivers to indicate to the bridge driver that they already
      forwarded the packet in L2.
      
      In case the bit is set, before transmitting the packet from each port,
      the port's mark is compared with the mark stored in the skb's control
      block. If both marks are equal, we know the packet arrived from a switch
      device that already forwarded the packet and it's not re-transmitted.
      
      However, if the packet is transmitted from the bridge device itself
      (e.g., br0), we should clear the 'offload_fwd_mark' bit as the mark
      stored in the skb's control block isn't valid.
      
      This scenario can happen in rare cases where a packet was trapped during
      L3 forwarding and forwarded by the kernel to a bridge device.
      
      Fixes: 6bc506b4 ("bridge: switchdev: Add forward mark support for stacked devices")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Reported-by: Yotam Gigi <yotamg@mellanox.com>
      Tested-by: Yotam Gigi <yotamg@mellanox.com>
      Reviewed-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      79e99bdd
    • I
      mlxsw: spectrum: Forbid linking to devices that have uppers · 25cc72a3
      Ido Schimmel committed
      The mlxsw driver relies on NETDEV_CHANGEUPPER events to configure the
      device in case a port is enslaved to a master netdev such as bridge or
      bond.
      
      Since the driver ignores events unrelated to its ports and their
      uppers, it's possible to engineer situations in which the device's data
      path differs from the kernel's.
      
      One example of such a situation is when a port is enslaved to a bond
      that is already enslaved to a bridge. When the bond was enslaved the
      driver ignored the event - as the bond wasn't one of its uppers - and
      therefore a bridge port instance isn't created in the device.
      
      Until such configurations are supported forbid them by checking that the
      upper device doesn't have uppers of its own.
      
      Fixes: 0d65fc13 ("mlxsw: spectrum: Implement LAG port join/leave")
      Signed-off-by: Ido Schimmel <idosch@mellanox.com>
      Reported-by: Nogah Frankel <nogahf@mellanox.com>
      Tested-by: Nogah Frankel <nogahf@mellanox.com>
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      25cc72a3
  3. 01 Sep, 2017 14 commits
    • F
      hwmon: (ltq-cputemp) add cpu temp sensor driver · 7074d0a9
      Florian Eckert committed
      Add the lantiq cpu temperature sensor support for xrx200.
      Signed-off-by: Florian Eckert <fe@dev.tdt.de>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      7074d0a9
    • F
      hwmon: (ltq-cputemp) add devicetree bindings documentation · 7a3b68b9
      Florian Eckert committed
      Document the devicetree bindings for the ltq-cputemp
      Signed-off-by: Florian Eckert <fe@dev.tdt.de>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      7a3b68b9
    • S
      Fix warning messages when mounting to older servers · 7e682f76
      Steve French committed
      When mounting to older servers, such as Windows XP (or even Windows 7),
      the limited error messages that can be passed back to user space can
      get confusing since the default dialect has changed from SMB1 (CIFS) to
      more secure SMB3 dialect. Log additional information when the user chooses
      to use the default dialects and when the server does not support the
      dialect requested.
      Signed-off-by: Steve French <smfrench@gmail.com>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Acked-by: Pavel Shilovsky <pshilov@microsoft.com>
      7e682f76
    • L
      Merge tag 'cifs-fixes-for-4.13-rc7-and-stable' of git://git.samba.org/sfrench/cifs-2.6 · e89ce1f8
      Linus Torvalds committed
      Pull cifs fixes from Steve French:
       "Two cifs bug fixes for stable"
      
      * tag 'cifs-fixes-for-4.13-rc7-and-stable' of git://git.samba.org/sfrench/cifs-2.6:
        CIFS: remove endian related sparse warning
        CIFS: Fix maximum SMB2 header size
      e89ce1f8
    • L
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 501d9f79
      Linus Torvalds committed
      Pull block fixes from Jens Axboe:
       "Unfortunately a few issues that warrant sending another pull request,
        even if I had hoped to avoid it. This contains:
      
         - A fix for multiqueue xen-blkback, on tear down / disconnect.
      
         - A few fixups for NVMe, including a wrong bit definition, fix for
           host memory buffers, and an nvme rdma page size fix"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nvme: fix the definition of the doorbell buffer config support bit
        nvme-pci: use dma memory for the host memory buffer descriptors
        nvme-rdma: default MR page size to 4k
        xen-blkback: stop blkback thread of every queue in xen_blkif_disconnect
      501d9f79
    • L
      Merge tag 'for-4.13/dm-fixes-2' of... · 73adb8c5
      Linus Torvalds committed
      Merge tag 'for-4.13/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - A couple fixes for bugs introduced as part of the blk_status_t block
         layer changes during the 4.13 merge window
      
       - A printk throttling fix to use discrete rate limiting state for each
         DM log level
      
       - A stable@ fix for DM multipath that delays request requeueing to
         avoid CPU lockup if/when the request queue is "dying"
      
      * tag 'for-4.13/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm mpath: do not lock up a CPU with requeuing activity
        dm: fix printk() rate limiting code
        dm mpath: retry BLK_STS_RESOURCE errors
        dm: fix the second dec_pending() argument in __split_and_process_bio()
      73adb8c5
    • L
      Merge branch 'akpm' (patches from Andrew) · 1b2614f1
      Linus Torvalds committed
      Merge more fixes from Andrew Morton:
       "6 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        scripts/dtc: fix '%zx' warning
        include/linux/compiler.h: don't perform compiletime_assert with -O0
        mm, madvise: ensure poisoned pages are removed from per-cpu lists
        mm, uprobes: fix multiple free of ->uprobes_state.xol_area
        kernel/kthread.c: kthread_worker: don't hog the cpu
        mm,page_alloc: don't call __node_reclaim() with oom_lock held.
      1b2614f1
    • L
      Merge branch 'mmu_notifier_fixes' · ea25c431
      Linus Torvalds committed
      Merge mmu_notifier fixes from Jérôme Glisse:
       "The invalidate_page callback suffered from 2 pitfalls. First it used
        to happen after page table lock was released and thus a new page might
        have been set up for the virtual address before the call to
        invalidate_page().
      
        This is in a weird way fixed by commit c7ab0d2f ("mm: convert
        try_to_unmap_one() to use page_vma_mapped_walk()") which moved the
        callback under the page table lock. Which also broke several existing
        users of the mmu_notifier API that assumed they could sleep inside this
        callback.
      
        The second pitfall was invalidate_page being the only callback not
        taking a range of addresses with respect to invalidation but was giving an
        address and a page. A lot of the callback implementers assumed this could
        never be THP and thus failed to invalidate the appropriate range for
        THP pages.
      
        By killing this callback we unify the mmu_notifier callback API to
        always take a virtual address range as input.
      
        There are now two clear APIs (I am not mentioning the youngess API which
        is seldom used):

         - invalidate_range_start()/end() callbacks (which allow you to sleep)

         - invalidate_range() where you can not sleep but which happens right after
           page table update under page table lock
      
        Note that a lot of existing users feel broken in respect to
        range_start/ range_end. Many users only have a range_start() callback but
        there is nothing preventing them to undo what was invalidated in their
        range_start() callback after it returns but before any CPU page table
        update takes place.
      
        The code pattern used in kvm or umem odp is an example of how to
        properly avoid such race. In a nutshell use some kind of sequence
        number and active range invalidation counter to block anything that
        might undo what the range_start() callback did.
      
        If you do not care about keeping fully in sync with CPU page table (ie
        you can live with CPU page table pointing to new different page for a
        given virtual address) then you can take a reference on the pages
        inside the range_start callback and drop it in range_end or when your
        driver is done with those pages.
      
        Last alternative is to use invalidate_range() if you can do
        invalidation without sleeping as invalidate_range() callback happens
        under the CPU page table spinlock right after the page table is
        updated.
      
        The first two patches convert existing mmu_notifier_invalidate_page()
        calls to mmu_notifier_invalidate_range() and bracket those calls with
        calls to mmu_notifier_invalidate_range_start()/end().
      
        The next ten patches remove existing invalidate_page() callback as it
        can no longer happen.
      
        Finally the last page remove the invalidate_page() callback completely
        so it can RIP.
      
        Changes since v1:
         - remove more dead code in kvm (no testing impact)
         - more accurate end address computation (patch 2) in page_mkclean_one
           and try_to_unmap_one
         - added tested-by/reviewed-by gotten so far"
      
      * emailed patches from Jérôme Glisse <jglisse@redhat.com>:
        mm/mmu_notifier: kill invalidate_page
        KVM: update to new mmu_notifier semantic v2
        xen/gntdev: update to new mmu_notifier semantic
        sgi-gru: update to new mmu_notifier semantic
        misc/mic/scif: update to new mmu_notifier semantic
        iommu/intel: update to new mmu_notifier semantic
        iommu/amd: update to new mmu_notifier semantic
        IB/hfi1: update to new mmu_notifier semantic
        IB/umem: update to new mmu_notifier semantic
        drm/amdgpu: update to new mmu_notifier semantic
        powerpc/powernv: update to new mmu_notifier semantic
        mm/rmap: update to new mmu_notifier semantic v2
        dax: update to new mmu_notifier semantic
      ea25c431
    • D
      jfs should use MAX_LFS_FILESIZE when calculating s_maxbytes · c227390c
      Dave Kleikamp committed
      jfs had previously avoided the use of MAX_LFS_FILESIZE because it hadn't
      accounted for the whole 32-bit index range on 32-bit systems.  That has
      been fixed by commit 0cc3b0ec ("Clarify (and fix) MAX_LFS_FILESIZE
      macros"), so we can simplify the code now.
      
      Suggested by Andreas Dilger.
      Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
      Reviewed-by: Andreas Dilger <adilger@dilger.ca>
      Cc: jfs-discussion@lists.sourceforge.net
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c227390c
    • R
      scripts/dtc: fix '%zx' warning · e6618692
      Russell King committed
      dtc uses an incorrect format specifier for printing a uint64_t value.
      uint64_t may be either 'unsigned long' or 'unsigned long long' depending
      on the host architecture.
      
      Fix this by using %llx and casting to unsigned long long, which ensures
      that we always have a wide enough variable to print 64 bits of hex.
      
          HOSTCC  scripts/dtc/checks.o
        scripts/dtc/checks.c: In function 'check_simple_bus_reg':
        scripts/dtc/checks.c:876:2: warning: format '%zx' expects argument of type 'size_t', but argument 4 has type 'uint64_t' [-Wformat=]
          snprintf(unit_addr, sizeof(unit_addr), "%zx", reg);
          ^
        scripts/dtc/checks.c:876:2: warning: format '%zx' expects argument of type 'size_t', but argument 4 has type 'uint64_t' [-Wformat=]
      
      Link: http://lkml.kernel.org/r/20170829222034.GJ20805@n2100.armlinux.org.uk
      Fixes: 828d4cdd ("dtc: check.c fix compile error")
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: Frank Rowand <frowand.list@gmail.com>
      Cc: Shuah Khan <shuahkh@osg.samsung.com>
      Cc: David Gibson <david@gibson.dropbear.id.au>
      Cc: Michal Marek <mmarek@suse.cz>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      e6618692
    • J
      include/linux/compiler.h: don't perform compiletime_assert with -O0 · c03567a8
      Joe Stringer committed
      Commit c7acec71 ("kernel.h: handle pointers to arrays better in
      container_of()") made use of __compiletime_assert() from container_of()
      thus increasing the usage of this macro, allowing developers to notice
      type conflicts in usage of container_of() at compile time.
      
      However, the implementation of __compiletime_assert relies on compiler
      optimizations to report an error.  This means that if a developer uses
      "-O0" with any code that performs container_of(), the compiler will always
      report an error regardless of whether there is an actual problem in the
      code.
      
      This patch disables compile_time_assert when optimizations are disabled to
      allow such code to compile with CFLAGS="-O0".
      
      Example compilation failure:
      
      ./include/linux/compiler.h:547:38: error: call to `__compiletime_assert_94' declared with attribute error: pointer type mismatch in container_of()
        _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
                                            ^
      ./include/linux/compiler.h:530:4: note: in definition of macro `__compiletime_assert'
          prefix ## suffix();    \
          ^~~~~~
      ./include/linux/compiler.h:547:2: note: in expansion of macro `_compiletime_assert'
        _compiletime_assert(condition, msg, __compiletime_assert_, __LINE__)
        ^~~~~~~~~~~~~~~~~~~
      ./include/linux/build_bug.h:46:37: note: in expansion of macro `compiletime_assert'
       #define BUILD_BUG_ON_MSG(cond, msg) compiletime_assert(!(cond), msg)
                                           ^~~~~~~~~~~~~~~~~~
      ./include/linux/kernel.h:860:2: note: in expansion of macro `BUILD_BUG_ON_MSG'
        BUILD_BUG_ON_MSG(!__same_type(*(ptr), ((type *)0)->member) && \
        ^~~~~~~~~~~~~~~~
      
      [akpm@linux-foundation.org: use do{}while(0), per Michal]
      Link: http://lkml.kernel.org/r/20170829230114.11662-1-joe@ovn.org
      Fixes: c7acec71 ("kernel.h: handle pointers to arrays better in container_of()")
      Signed-off-by: Joe Stringer <joe@ovn.org>
      Cc: Ian Abbott <abbotti@mev.co.uk>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Michal Nazarewicz <mina86@mina86.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c03567a8
    • M
      mm, madvise: ensure poisoned pages are removed from per-cpu lists · c461ad6a
      Mel Gorman committed
      Wendy Wang reported off-list that a RAS HWPOISON-SOFT test case failed
      and bisected it to the commit 479f854a ("mm, page_alloc: defer
      debugging checks of pages allocated from the PCP").
      
      The problem is that a page that was poisoned with madvise() is reused.
      The commit removed a check that would trigger if DEBUG_VM was enabled
      but re-enabling the check only fixes the problem as a side-effect by
      printing a bad_page warning and recovering.
      
      The root of the problem is that an madvise() can leave a poisoned page
      on the per-cpu list.  This patch drains all per-cpu lists after pages
      are poisoned so that they will not be reused.  Wendy reports that the
      test case in question passes with this patch applied.  While this could
      be done in a targeted fashion, it is over-complicated for such a rare
      operation.
      
      Link: http://lkml.kernel.org/r/20170828133414.7qro57jbepdcyz5x@techsingularity.net
      Fixes: 479f854a ("mm, page_alloc: defer debugging checks of pages allocated from the PCP")
      Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
      Reported-by: Wang, Wendy <wendy.wang@intel.com>
      Tested-by: Wang, Wendy <wendy.wang@intel.com>
      Acked-by: David Rientjes <rientjes@google.com>
      Acked-by: Vlastimil Babka <vbabka@suse.cz>
      Cc: "Hansen, Dave" <dave.hansen@intel.com>
      Cc: "Luck, Tony" <tony.luck@intel.com>
      Cc: Naoya Horiguchi <nao.horiguchi@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      c461ad6a
    • E
      mm, uprobes: fix multiple free of ->uprobes_state.xol_area · 355627f5
      Eric Biggers committed
      Commit 7c051267 ("mm, fork: make dup_mmap wait for mmap_sem for
      write killable") made it possible to kill a forking task while it is
      waiting to acquire its ->mmap_sem for write, in dup_mmap().
      
      However, it was overlooked that this introduced a new error path before
      the new mm_struct's ->uprobes_state.xol_area has been set to NULL after
      being copied from the old mm_struct by the memcpy in dup_mm().  For a
      task that has previously hit a uprobe tracepoint, this resulted in the
      'struct xol_area' being freed multiple times if the task was killed at
      just the right time while forking.
      
      Fix it by setting ->uprobes_state.xol_area to NULL in mm_init() rather
      than in uprobe_dup_mmap().
      
      With CONFIG_UPROBE_EVENTS=y, the bug can be reproduced by the same C
      program given by commit 2b7e8665 ("fork: fix incorrect fput of
      ->exe_file causing use-after-free"), provided that a uprobe tracepoint
      has been set on the fork_thread() function.  For example:
      
          $ gcc reproducer.c -o reproducer -lpthread
          $ nm reproducer | grep fork_thread
          0000000000400719 t fork_thread
          $ echo "p $PWD/reproducer:0x719" > /sys/kernel/debug/tracing/uprobe_events
          $ echo 1 > /sys/kernel/debug/tracing/events/uprobes/enable
          $ ./reproducer
      
      Here is the use-after-free reported by KASAN:
      
          BUG: KASAN: use-after-free in uprobe_clear_state+0x1c4/0x200
          Read of size 8 at addr ffff8800320a8b88 by task reproducer/198
      
          CPU: 1 PID: 198 Comm: reproducer Not tainted 4.13.0-rc7-00015-g36fde05f #255
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-20170228_101828-anatol 04/01/2014
          Call Trace:
           dump_stack+0xdb/0x185
           print_address_description+0x7e/0x290
           kasan_report+0x23b/0x350
           __asan_report_load8_noabort+0x19/0x20
           uprobe_clear_state+0x1c4/0x200
           mmput+0xd6/0x360
           do_exit+0x740/0x1670
           do_group_exit+0x13f/0x380
           get_signal+0x597/0x17d0
           do_signal+0x99/0x1df0
           exit_to_usermode_loop+0x166/0x1e0
           syscall_return_slowpath+0x258/0x2c0
           entry_SYSCALL_64_fastpath+0xbc/0xbe
      
          ...
      
          Allocated by task 199:
           save_stack_trace+0x1b/0x20
           kasan_kmalloc+0xfc/0x180
           kmem_cache_alloc_trace+0xf3/0x330
           __create_xol_area+0x10f/0x780
           uprobe_notify_resume+0x1674/0x2210
           exit_to_usermode_loop+0x150/0x1e0
           prepare_exit_to_usermode+0x14b/0x180
           retint_user+0x8/0x20
      
          Freed by task 199:
           save_stack_trace+0x1b/0x20
           kasan_slab_free+0xa8/0x1a0
           kfree+0xba/0x210
           uprobe_clear_state+0x151/0x200
           mmput+0xd6/0x360
           copy_process.part.8+0x605f/0x65d0
           _do_fork+0x1a5/0xbd0
           SyS_clone+0x19/0x20
           do_syscall_64+0x22f/0x660
           return_from_SYSCALL_64+0x0/0x7a
      
      Note: without KASAN, you may instead see a "Bad page state" message, or
      simply a general protection fault.
      
      Link: http://lkml.kernel.org/r/20170830033303.17927-1-ebiggers3@gmail.com
      Fixes: 7c051267 ("mm, fork: make dup_mmap wait for mmap_sem for write killable")
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Reported-by: Oleg Nesterov <oleg@redhat.com>
      Acked-by: Oleg Nesterov <oleg@redhat.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Konstantin Khlebnikov <koct9i@gmail.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: <stable@vger.kernel.org>    [4.7+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      355627f5
    • S
      kernel/kthread.c: kthread_worker: don't hog the cpu · 22cf8bc6
      Shaohua Li committed
      If the worker thread continues getting work, it will hog the cpu and rcu
      stall complains.  Make it a good citizen.  This is triggered in a loop
      block device test.
      
      Link: http://lkml.kernel.org/r/5de0a179b3184e1a2183fc503448b0269f24d75b.1503697127.git.shli@fb.com
      Signed-off-by: Shaohua Li <shli@fb.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      22cf8bc6