OSDN Git Service
Johan Hovold [Thu, 16 Mar 2017 18:35:12 +0000 (11:35 -0700)]
Input: cm109 - validate number of endpoints before using them
commit
ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes:
c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 16 Mar 2017 18:37:01 +0000 (11:37 -0700)]
Input: yealink - validate number of endpoints before using them
commit
5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes:
aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 16 Mar 2017 18:39:29 +0000 (11:39 -0700)]
Input: hanwang - validate number of endpoints before using them
commit
ba340d7b83703768ce566f53f857543359aa1b98 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes:
bba5394ad3bd ("Input: add support for Hanwang tablets")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 16 Mar 2017 18:36:13 +0000 (11:36 -0700)]
Input: ims-pcu - validate number of endpoints before using them
commit
1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack control-interface endpoints.
Fixes:
628329d52474 ("Input: add IMS Passenger Control Unit driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Thu, 16 Mar 2017 18:34:02 +0000 (11:34 -0700)]
Input: iforce - validate number of endpoints before using them
commit
59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer or accessing memory that lie beyond the end of the endpoint
array should a malicious device lack the expected endpoints.
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kai-Heng Feng [Tue, 7 Mar 2017 17:31:29 +0000 (09:31 -0800)]
Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
commit
45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
The aux port does not get detected without noloop quirk, so external PS/2
mouse cannot work as result.
The PS/2 mouse can work with this quirk.
BugLink: https://bugs.launchpad.net/bugs/1591053
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matjaz Hegedic [Fri, 10 Mar 2017 22:33:09 +0000 (14:33 -0800)]
Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
commit
92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream.
EeeBook X205TA is yet another ASUS device with a special touchpad
firmware that needs to be accounted for during initialization, or
else the touchpad will go into an invalid state upon suspend/resume.
Adding the appropriate ic_type and product_id check fixes the problem.
Signed-off-by: Matjaz Hegedic <matjaz.hegedic@gmail.com>
Acked-by: KT Liao <kt.liao@emc.com.tw>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Wed, 22 Mar 2017 15:10:21 +0000 (08:10 -0700)]
tcp: initialize icsk_ack.lrcvtime at session start time
[ Upstream commit
15bb7745e94a665caf42bfaabf0ce062845b533b ]
icsk_ack.lrcvtime has a 0 value at socket creation time.
tcpi_last_data_recv can have bogus value if no payload is ever received.
This patch initializes icsk_ack.lrcvtime for active sessions
in tcp_finish_connect(), and for passive sessions in
tcp_create_openreq_child()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel Borkmann [Wed, 22 Mar 2017 12:08:08 +0000 (13:08 +0100)]
socket, bpf: fix sk_filter use after free in sk_clone_lock
[ Upstream commit
a97e50cc4cb67e1e7bff56f6b41cda62ca832336 ]
In sk_clone_lock(), we create a new socket and inherit most of the
parent's members via sock_copy() which memcpy()'s various sections.
Now, in case the parent socket had a BPF socket filter attached,
then newsk->sk_filter points to the same instance as the original
sk->sk_filter.
sk_filter_charge() is then called on the newsk->sk_filter to take a
reference and should that fail due to hitting max optmem, we bail
out and release the newsk instance.
The issue is that commit
278571baca2a ("net: filter: simplify socket
charging") wrongly combined the dismantle path with the failure path
of xfrm_sk_clone_policy(). This means, even when charging failed, we
call sk_free_unlock_clone() on the newsk, which then still points to
the same sk_filter as the original sk.
Thus, sk_free_unlock_clone() calls into __sk_destruct() eventually
where it tests for present sk_filter and calls sk_filter_uncharge()
on it, which potentially lets sk_omem_alloc wrap around and releases
the eBPF prog and sk_filter structure from the (still intact) parent.
Fix it by making sure that when sk_filter_charge() failed, we reset
newsk->sk_filter back to NULL before passing to sk_free_unlock_clone(),
so that we don't mess with the parents sk_filter.
Only if xfrm_sk_clone_policy() fails, we did reach the point where
either the parent's filter was NULL and as a result newsk's as well
or where we previously had a successful sk_filter_charge(), thus for
that case, we do need sk_filter_uncharge() to release the prior taken
reference on sk_filter.
Fixes:
278571baca2a ("net: filter: simplify socket charging")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Wed, 22 Mar 2017 02:22:28 +0000 (19:22 -0700)]
ipv4: provide stronger user input validation in nl_fib_input()
[ Upstream commit
c64c0b3cac4c5b8cb093727d2c19743ea3965c0b ]
Alexander reported a KMSAN splat caused by reads of uninitialized
field (tb_id_in) from user provided struct fib_result_nl
It turns out nl_fib_input() sanity tests on user input is a bit
wrong :
User can pretend nlh->nlmsg_len is big enough, but provide
at sendmsg() time a too small buffer.
Reported-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Doug Berger [Tue, 21 Mar 2017 21:01:06 +0000 (14:01 -0700)]
net: bcmgenet: remove bcmgenet_internal_phy_setup()
[ Upstream commit
31739eae738ccbe8b9d627c3f2251017ca03f4d2 ]
Commit
6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
removed the bcmgenet_mii_reset() function from bcmgenet_power_up() and
bcmgenet_internal_phy_setup() functions. In so doing it broke the reset
of the internal PHY devices used by the GENETv1-GENETv3 which required
this reset before the UniMAC was enabled. It also broke the internal
GPHY devices used by the GENETv4 because the config_init that installed
the AFE workaround was no longer occurring after the reset of the GPHY
performed by bcmgenet_phy_power_set() in bcmgenet_internal_phy_setup().
In addition the code in bcmgenet_internal_phy_setup() related to the
"enable APD" comment goes with the bcmgenet_mii_reset() so it should
have also been removed.
Commit
bd4060a6108b ("net: bcmgenet: Power on integrated GPHY in
bcmgenet_power_up()") moved the bcmgenet_phy_power_set() call to the
bcmgenet_power_up() function, but failed to remove it from the
bcmgenet_internal_phy_setup() function. Had it done so, the
bcmgenet_internal_phy_setup() function would have been empty and could
have been removed at that time.
Commit
5dbebbb44a6a ("net: bcmgenet: Software reset EPHY after power on")
was submitted to correct the functional problems introduced by
commit
6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset"). It
was included in v4.4 and made available on 4.3-stable. Unfortunately,
it didn't fully revert the commit because this bcmgenet_mii_reset()
doesn't apply the soft reset to the internal GPHY used by GENETv4 like
the previous one did. This prevents the restoration of the AFE work-
arounds for internal GPHY devices after the bcmgenet_phy_power_set() in
bcmgenet_internal_phy_setup().
This commit takes the alternate approach of removing the unnecessary
bcmgenet_internal_phy_setup() function which shouldn't have been in v4.3
so that when bcmgenet_mii_reset() was restored it should have only gone
into bcmgenet_power_up(). This will avoid the problems while also
removing the redundancy (and hopefully some of the confusion).
Fixes:
6ac3ce8295e6 ("net: bcmgenet: Remove excessive PHY reset")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gal Pressman [Tue, 21 Mar 2017 13:59:19 +0000 (15:59 +0200)]
net/mlx5e: Count LRO packets correctly
[ Upstream commit
8ab7e2ae15d84ba758b2c8c6f4075722e9bd2a08 ]
RX packets statistics ('rx_packets' counter) used to count LRO packets
as one, even though it contains multiple segments.
This patch will increment the counter by the number of segments, and
align the driver with the behavior of other drivers in the stack.
Note that no information is lost in this patch due to 'rx_lro_packets'
counter existence.
Before, ethtool showed:
$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
rx_packets: 435277
rx_lro_packets: 35847
rx_packets_phy:
1935066
Now, we will see the more logical statistics:
$ ethtool -S ens6 | egrep "rx_packets|rx_lro_packets"
rx_packets:
1935066
rx_lro_packets: 35847
rx_packets_phy:
1935066
Fixes:
e586b3b0baee ("net/mlx5: Ethernet Datapath files")
Signed-off-by: Gal Pressman <galp@mellanox.com>
Cc: kernel-team@fb.com
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Maor Gottlieb [Tue, 21 Mar 2017 13:59:17 +0000 (15:59 +0200)]
net/mlx5: Increase number of max QPs in default profile
[ Upstream commit
5f40b4ed975c26016cf41953b7510fe90718e21c ]
With ConnectX-4 sharing SRQs from the same space as QPs, we hit a
limit preventing some applications to allocate needed QPs amount.
Double the size to 256K.
Fixes:
e126ba97dba9e ('mlx5: Add driver for Mellanox Connect-IB adapters')
Signed-off-by: Maor Gottlieb <maorg@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrey Ulanov [Wed, 15 Mar 2017 03:16:42 +0000 (20:16 -0700)]
net: unix: properly re-increment inflight counter of GC discarded candidates
[ Upstream commit
7df9c24625b9981779afb8fcdbe2bb4765e61147 ]
Dmitry has reported that a BUG_ON() condition in unix_notinflight()
may be triggered by a simple code that forwards unix socket in an
SCM_RIGHTS message.
That is caused by incorrect unix socket GC implementation in unix_gc().
The GC first collects list of candidates, then (a) decrements their
"children's" inflight counter, (b) checks which inflight counters are
now 0, and then (c) increments all inflight counters back.
(a) and (c) are done by calling scan_children() with inc_inflight or
dec_inflight as the second argument.
Commit
6209344f5a37 ("net: unix: fix inflight counting bug in garbage
collector") changed scan_children() such that it no longer considers
sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
of code that that unsets this flag _before_ invoking
scan_children(, dec_iflight, ). This may lead to incorrect inflight
counters for some sockets.
This change fixes this bug by changing order of operations:
UNIX_GC_CANDIDATE is now unset only after all inflight counters are
restored to the original state.
kernel BUG at net/unix/garbage.c:149!
RIP: 0010:[<
ffffffff8717ebf4>] [<
ffffffff8717ebf4>]
unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
Call Trace:
[<
ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
[<
ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
[<
ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
[<
ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
[<
ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
[<
ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
[<
ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
[<
ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
[<
ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
[<
ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
[<
ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
[<
ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
[<
ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
[< inline >] exit_task_work include/linux/task_work.h:21
[<
ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
[<
ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
[<
ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
[<
ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
[<
ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
arch/x86/entry/common.c:156
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[<
ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
arch/x86/entry/common.c:259
[<
ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Link: https://lkml.org/lkml/2017/3/6/252
Signed-off-by: Andrey Ulanov <andreyu@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes:
6209344 ("net: unix: fix inflight counting bug in garbage collector")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lendacky, Thomas [Wed, 15 Mar 2017 20:11:23 +0000 (15:11 -0500)]
amd-xgbe: Fix jumbo MTU processing on newer hardware
[ Upstream commit
622c36f143fc9566ba49d7cec994c2da1182d9e2 ]
Newer hardware does not provide a cumulative payload length when multiple
descriptors are needed to handle the data. Once the MTU increases beyond
the size that can be handled by a single descriptor, the SKB does not get
built properly by the driver.
The driver will now calculate the size of the data buffers used by the
hardware. The first buffer of the first descriptor is for packet headers
or packet headers and data when the headers can't be split. Subsequent
descriptors in a multi-descriptor chain will not use the first buffer. The
second buffer is used by all the descriptors in the chain for payload data.
Based on whether the driver is processing the first, intermediate, or last
descriptor it can calculate the buffer usage and build the SKB properly.
Tested and verified on both old and new hardware.
Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Wed, 15 Mar 2017 20:21:28 +0000 (13:21 -0700)]
net: properly release sk_frag.page
[ Upstream commit
22a0e18eac7a9e986fec76c60fa4a2926d1291e2 ]
I mistakenly added the code to release sk->sk_frag in
sk_common_release() instead of sk_destruct()
TCP sockets using sk->sk_allocation == GFP_ATOMIC do no call
sk_common_release() at close time, thus leaking one (order-3) page.
iSCSI is using such sockets.
Fixes:
5640f7685831 ("net: use a per task frag allocator")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Florian Fainelli [Wed, 15 Mar 2017 19:57:21 +0000 (12:57 -0700)]
net: bcmgenet: Do not suspend PHY if Wake-on-LAN is enabled
[ Upstream commit
5371bbf4b295eea334ed453efa286afa2c3ccff3 ]
Suspending the PHY would be putting it in a low power state where it
may no longer allow us to do Wake-on-LAN.
Fixes:
cc013fb48898 ("net: bcmgenet: correctly suspend and resume PHY device")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Or Gerlitz [Wed, 15 Mar 2017 16:10:47 +0000 (18:10 +0200)]
net/openvswitch: Set the ipv6 source tunnel key address attribute correctly
[ Upstream commit
3d20f1f7bd575d147ffa75621fa560eea0aec690 ]
When dealing with ipv6 source tunnel key address attribute
(OVS_TUNNEL_KEY_ATTR_IPV6_SRC) we are wrongly setting the tunnel
dst ip, fix that.
Fixes:
6b26ba3a7d95 ('openvswitch: netlink attributes for IPv6 tunneling')
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reported-by: Paul Blakey <paulb@mellanox.com>
Acked-by: Jiri Benc <jbenc@redhat.com>
Acked-by: Joe Stringer <joe@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Wed, 29 Mar 2017 11:53:50 +0000 (13:53 +0200)]
Merge 4.4.57 to android-4.4
Changes in 4.4.57:
usb: core: hub: hub_port_init lock controller instead of bus
USB: don't free bandwidth_mutex too early
crypto: ghash-clmulni - Fix load failure
crypto: cryptd - Assign statesize properly
crypto: mcryptd - Fix load failure
cxlflash: Increase cmd_per_lun for better throughput
ACPI / video: skip evaluating _DOD when it does not exist
pinctrl: cherryview: Do not mask all interrupts in probe
Drivers: hv: balloon: don't crash when memory is added in non-sorted order
Drivers: hv: avoid vfree() on crash
xen/qspinlock: Don't kick CPU if IRQ is not initialized
KVM: PPC: Book3S PR: Fix illegal opcode emulation
s390/pci: fix use after free in dma_init
drm/amdgpu: add missing irq.h include
tpm_tis: Use devm_free_irq not free_irq
hv_netvsc: use skb_get_hash() instead of a homegrown implementation
kernek/fork.c: allocate idle task for a CPU always on its local node
give up on gcc ilog2() constant optimizations
perf/core: Fix event inheritance on fork()
cpufreq: Fix and clean up show_cpuinfo_cur_freq()
powerpc/boot: Fix zImage TOC alignment
md/raid1/10: fix potential deadlock
target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
scsi: lpfc: Add shutdown method for kexec
scsi: libiscsi: add lock around task lists to fix list corruption regression
target: Fix VERIFY_16 handling in sbc_parse_cdb
isdn/gigaset: fix NULL-deref at probe
gfs2: Avoid alignment hole in struct lm_lockname
percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
ext4: fix fencepost in s_first_meta_bg validation
Linux 4.4.57
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman [Sun, 26 Mar 2017 10:13:55 +0000 (12:13 +0200)]
Linux 4.4.57
Theodore Ts'o [Wed, 15 Feb 2017 06:26:39 +0000 (01:26 -0500)]
ext4: fix fencepost in s_first_meta_bg validation
commit
2ba3e6e8afc9b6188b471f27cf2b5e3cf34e7af2 upstream.
It is OK for s_first_meta_bg to be equal to the number of block group
descriptor blocks. (It rarely happens, but it shouldn't cause any
problems.)
https://bugzilla.kernel.org/show_bug.cgi?id=194567
Fixes:
3a4b77cd47bb837b8557595ec7425f281f2ca1fe
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tahsin Erdogan [Sat, 25 Feb 2017 21:00:19 +0000 (13:00 -0800)]
percpu: acquire pcpu_lock when updating pcpu_nr_empty_pop_pages
commit
320661b08dd6f1746d5c7ab4eb435ec64b97cd45 upstream.
Update to pcpu_nr_empty_pop_pages in pcpu_alloc() is currently done
without holding pcpu_lock. This can lead to bad updates to the variable.
Add missing lock calls.
Fixes:
b539b87fed37 ("percpu: implmeent pcpu_nr_empty_pop_pages and chunk->nr_populated")
Signed-off-by: Tahsin Erdogan <tahsin@google.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andreas Gruenbacher [Mon, 6 Mar 2017 17:58:42 +0000 (12:58 -0500)]
gfs2: Avoid alignment hole in struct lm_lockname
commit
28ea06c46fbcab63fd9a55531387b7928a18a590 upstream.
Commit
88ffbf3e03 switches to using rhashtables for glocks, hashing over
the entire struct lm_lockname instead of its individual fields. On some
architectures, struct lm_lockname contains a hole of uninitialized
memory due to alignment rules, which now leads to incorrect hash values.
Get rid of that hole.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Johan Hovold [Mon, 13 Mar 2017 12:39:01 +0000 (13:39 +0100)]
isdn/gigaset: fix NULL-deref at probe
commit
68c32f9c2a36d410aa242e661506e5b2c2764179 upstream.
Make sure to check the number of endpoints to avoid dereferencing a
NULL-pointer should a malicious device lack endpoints.
Fixes:
cf7776dc05b8 ("[PATCH] isdn4linux: Siemens Gigaset drivers - direct USB connection")
Cc: Hansjoerg Lipp <hjlipp@web.de>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Max Lohrmann [Wed, 8 Mar 2017 06:09:56 +0000 (22:09 -0800)]
target: Fix VERIFY_16 handling in sbc_parse_cdb
commit
13603685c1f12c67a7a2427f00b63f39a2b6f7c9 upstream.
As reported by Max, the Windows 2008 R2 chkdsk utility expects
VERIFY_16 to be supported, and does not handle the returned
CHECK_CONDITION properly, resulting in an infinite loop.
The kernel will log huge amounts of this error:
kernel: TARGET_CORE[iSCSI]: Unsupported SCSI Opcode 0x8f, sending
CHECK_CONDITION.
Signed-off-by: Max Lohrmann <post@wickenrode.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Leech [Tue, 28 Feb 2017 00:58:36 +0000 (16:58 -0800)]
scsi: libiscsi: add lock around task lists to fix list corruption regression
commit
6f8830f5bbab16e54f261de187f3df4644a5b977 upstream.
There's a rather long standing regression from the commit "libiscsi:
Reduce locking contention in fast path"
Depending on iSCSI target behavior, it's possible to hit the case in
iscsi_complete_task where the task is still on a pending list
(!list_empty(&task->running)). When that happens the task is removed
from the list while holding the session back_lock, but other task list
modification occur under the frwd_lock. That leads to linked list
corruption and eventually a panicked system.
Rather than back out the session lock split entirely, in order to try
and keep some of the performance gains this patch adds another lock to
maintain the task lists integrity.
Major enterprise supported kernels have been backing out the lock split
for while now, thanks to the efforts at IBM where a lab setup has the
most reliable reproducer I've seen on this issue. This patch has been
tested there successfully.
Signed-off-by: Chris Leech <cleech@redhat.com>
Fixes:
659743b02c41 ("[SCSI] libiscsi: Reduce locking contention in fast path")
Reported-by: Prashantha Subbarao <psubbara@us.ibm.com>
Reviewed-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Anton Blanchard [Sun, 12 Feb 2017 21:49:20 +0000 (08:49 +1100)]
scsi: lpfc: Add shutdown method for kexec
commit
85e8a23936ab3442de0c42da97d53b29f004ece1 upstream.
We see lpfc devices regularly fail during kexec. Fix this by adding a
shutdown method which mirrors the remove method.
Signed-off-by: Anton Blanchard <anton@samba.org>
Reviewed-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicholas Bellinger [Fri, 4 Nov 2016 06:06:53 +0000 (23:06 -0700)]
target/pscsi: Fix TYPE_TAPE + TYPE_MEDIMUM_CHANGER export
commit
a04e54f2c35823ca32d56afcd5cea5b783e2f51a upstream.
The following fixes a divide by zero OOPs with TYPE_TAPE
due to pscsi_tape_read_blocksize() failing causing a zero
sd->sector_size being propigated up via dev_attrib.hw_block_size.
It also fixes another long-standing bug where TYPE_TAPE and
TYPE_MEDIMUM_CHANGER where using pscsi_create_type_other(),
which does not call scsi_device_get() to take the device
reference. Instead, rename pscsi_create_type_rom() to
pscsi_create_type_nondisk() and use it for all cases.
Finally, also drop a dump_stack() in pscsi_get_blocks() for
non TYPE_DISK, which in modern target-core can get invoked
via target_sense_desc_format() during CHECK_CONDITION.
Reported-by: Malcolm Haak <insanemal@gmail.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Shaohua Li [Tue, 28 Feb 2017 21:00:20 +0000 (13:00 -0800)]
md/raid1/10: fix potential deadlock
commit
61eb2b43b99ebdc9bc6bc83d9792257b243e7cb3 upstream.
Neil Brown pointed out a potential deadlock in raid 10 code with
bio_split/chain. The raid1 code could have the same issue, but recent
barrier rework makes it less likely to happen. The deadlock happens in
below sequence:
1. generic_make_request(bio), this will set current->bio_list
2. raid10_make_request will split bio to bio1 and bio2
3. __make_request(bio1), wait_barrer, add underlayer disk bio to
current->bio_list
4. __make_request(bio2), wait_barrer
If raise_barrier happens between 3 & 4, since wait_barrier runs at 3,
raise_barrier waits for IO completion from 3. And since raise_barrier
sets barrier, 4 waits for raise_barrier. But IO from 3 can't be
dispatched because raid10_make_request() doesn't finished yet.
The solution is to adjust the IO ordering. Quotes from Neil:
"
It is much safer to:
if (need to split) {
split = bio_split(bio, ...)
bio_chain(...)
make_request_fn(split);
generic_make_request(bio);
} else
make_request_fn(mddev, bio);
This way we first process the initial section of the bio (in 'split')
which will queue some requests to the underlying devices. These
requests will be queued in generic_make_request.
Then we queue the remainder of the bio, which will be added to the end
of the generic_make_request queue.
Then we return.
generic_make_request() will pop the lower-level device requests off the
queue and handle them first. Then it will process the remainder
of the original bio once the first section has been fully processed.
"
Note, this only happens in read path. In write path, the bio is flushed to
underlaying disks either by blk flush (from schedule) or offladed to raid1/10d.
It's queued in current->bio_list.
Cc: Coly Li <colyli@suse.de>
Suggested-by: NeilBrown <neilb@suse.com>
Reviewed-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michael Ellerman [Tue, 7 Mar 2017 05:14:49 +0000 (16:14 +1100)]
powerpc/boot: Fix zImage TOC alignment
commit
97ee351b50a49717543533cfb85b4bf9d88c9680 upstream.
Recent toolchains force the TOC to be 256 byte aligned. We need to
enforce this alignment in the zImage linker script, otherwise pointers
to our TOC variables (__toc_start) could be incorrect. If the actual
start of the TOC and __toc_start don't have the same value we crash
early in the zImage wrapper.
Suggested-by: Alan Modra <amodra@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rafael J. Wysocki [Tue, 14 Mar 2017 23:12:16 +0000 (00:12 +0100)]
cpufreq: Fix and clean up show_cpuinfo_cur_freq()
commit
9b4f603e7a9f4282aec451063ffbbb8bb410dcd9 upstream.
There is a missing newline in show_cpuinfo_cur_freq(), so add it,
but while at it clean that function up somewhat too.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Zijlstra [Thu, 16 Mar 2017 12:47:49 +0000 (13:47 +0100)]
perf/core: Fix event inheritance on fork()
commit
e7cc4865f0f31698ef2f7aac01a50e78968985b7 upstream.
While hunting for clues to a use-after-free, Oleg spotted that
perf_event_init_context() can loose an error value with the result
that fork() can succeed even though we did not fully inherit the perf
event context.
Spotted-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Cc: oleg@redhat.com
Fixes:
889ff0150661 ("perf/core: Split context's event group list into pinned and non-pinned lists")
Link: http://lkml.kernel.org/r/20170316125823.190342547@infradead.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linus Torvalds [Thu, 2 Mar 2017 20:17:22 +0000 (12:17 -0800)]
give up on gcc ilog2() constant optimizations
commit
474c90156c8dcc2fa815e6716cc9394d7930cb9c upstream.
gcc-7 has an "optimization" pass that completely screws up, and
generates the code expansion for the (impossible) case of calling
ilog2() with a zero constant, even when the code gcc compiles does not
actually have a zero constant.
And we try to generate a compile-time error for anybody doing ilog2() on
a constant where that doesn't make sense (be it zero or negative). So
now gcc7 will fail the build due to our sanity checking, because it
created that constant-zero case that didn't actually exist in the source
code.
There's a whole long discussion on the kernel mailing about how to work
around this gcc bug. The gcc people themselevs have discussed their
"feature" in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=72785
but it's all water under the bridge, because while it looked at one
point like it would be solved by the time gcc7 was released, that was
not to be.
So now we have to deal with this compiler braindamage.
And the only simple approach seems to be to just delete the code that
tries to warn about bad uses of ilog2().
So now "ilog2()" will just return 0 not just for the value 1, but for
any non-positive value too.
It's not like I can recall anybody having ever actually tried to use
this function on any invalid value, but maybe the sanity check just
meant that such code never made it out in public.
Reported-by: Laura Abbott <labbott@redhat.com>
Cc: John Stultz <john.stultz@linaro.org>,
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andi Kleen [Mon, 23 May 2016 23:24:05 +0000 (16:24 -0700)]
kernek/fork.c: allocate idle task for a CPU always on its local node
commit
725fc629ff2545b061407305ae51016c9f928fce upstream.
Linux preallocates the task structs of the idle tasks for all possible
CPUs. This currently means they all end up on node 0. This also
implies that the cache line of MWAIT, which is around the flags field in
the task struct, are all located in node 0.
We see a noticeable performance improvement on Knights Landing CPUs when
the cache lines used for MWAIT are located in the local nodes of the
CPUs using them. I would expect this to give a (likely slight)
improvement on other systems too.
The patch implements placing the idle task in the node of its CPUs, by
passing the right target node to copy_process()
[akpm@linux-foundation.org: use NUMA_NO_NODE, not a bare -1]
Link: http://lkml.kernel.org/r/1463492694-15833-1-git-send-email-andi@firstfloor.org
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vitaly Kuznetsov [Mon, 25 Jan 2016 15:00:41 +0000 (16:00 +0100)]
hv_netvsc: use skb_get_hash() instead of a homegrown implementation
commit
757647e10e55c01fb7a9c4356529442e316a7c72 upstream.
Recent changes to 'struct flow_keys' (e.g commit
d34af823ff40 ("net: Add
VLAN ID to flow_keys")) introduced a performance regression in netvsc
driver. Is problem is, however, not the above mentioned commit but the
fact that netvsc_set_hash() function did some assumptions on the struct
flow_keys data layout and this is wrong.
Get rid of netvsc_set_hash() by switching to skb_get_hash(). This change
will also imply switching to Jenkins hash from the currently used Toeplitz
but it seems there is no good excuse for Toeplitz to stay.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason Gunthorpe [Wed, 25 Nov 2015 21:05:30 +0000 (14:05 -0700)]
tpm_tis: Use devm_free_irq not free_irq
commit
727f28b8ca24a581c7bd868326b8cea1058c720a upstream.
The interrupt is always allocated with devm_request_irq so it
must always be freed with devm_free_irq.
Fixes:
448e9c55c12d ("tpm_tis: verify interrupt during init")
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Acked-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Tested-by: Martin Wilck <Martin.Wilck@ts.fujitsu.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Acked-by: Peter Huewe <peterhuewe@gmx.de>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Airlie [Wed, 13 Jan 2016 22:07:55 +0000 (08:07 +1000)]
drm/amdgpu: add missing irq.h include
commit
e9c5e7402dad6f4f04c2430db6f283512bcd4392 upstream.
this fixes the build on arm.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sebastian Ott [Fri, 15 Apr 2016 07:41:35 +0000 (09:41 +0200)]
s390/pci: fix use after free in dma_init
commit
dba599091c191d209b1499511a524ad9657c0e5a upstream.
After a failure during registration of the dma_table (because of the
function being in error state) we free its memory but don't reset the
associated pointer to zero.
When we then receive a notification from firmware (about the function
being in error state) we'll try to walk and free the dma_table again.
Fix this by resetting the dma_table pointer. In addition to that make
sure that we free the iommu_bitmap when appropriate.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
Reviewed-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Thomas Huth [Wed, 18 May 2016 19:01:20 +0000 (21:01 +0200)]
KVM: PPC: Book3S PR: Fix illegal opcode emulation
commit
708e75a3ee750dce1072134e630d66c4e6eaf63c upstream.
If kvmppc_handle_exit_pr() calls kvmppc_emulate_instruction() to emulate
one instruction (in the BOOK3S_INTERRUPT_H_EMUL_ASSIST case), it calls
kvmppc_core_queue_program() afterwards if kvmppc_emulate_instruction()
returned EMULATE_FAIL, so the guest gets an program interrupt for the
illegal opcode.
However, the kvmppc_emulate_instruction() also tried to inject a
program exception for this already, so the program interrupt gets
injected twice and the return address in srr0 gets destroyed.
All other callers of kvmppc_emulate_instruction() are also injecting
a program interrupt, and since the callers have the right knowledge
about the srr1 flags that should be used, it is the function
kvmppc_emulate_instruction() that should _not_ inject program
interrupts, so remove the kvmppc_core_queue_program() here.
This fixes the issue discovered by Laurent Vivier with kvm-unit-tests
where the logs are filled with these messages when the test tries
to execute an illegal instruction:
Couldn't emulate instruction 0x00000000 (op 0 xop 0)
kvmppc_handle_exit_pr: emulation at 700 failed (
00000000)
Signed-off-by: Thomas Huth <thuth@redhat.com>
Reviewed-by: Alexander Graf <agraf@suse.de>
Tested-by: Laurent Vivier <lvivier@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ross Lagerwall [Fri, 22 Apr 2016 12:05:31 +0000 (13:05 +0100)]
xen/qspinlock: Don't kick CPU if IRQ is not initialized
commit
707e59ba494372a90d245f18b0c78982caa88e48 upstream.
The following commit:
1fb3a8b2cfb2 ("xen/spinlock: Fix locking path engaging too soon under PVHVM.")
... moved the initalization of the kicker interrupt until after
native_cpu_up() is called.
However, when using qspinlocks, a CPU may try to kick another CPU that is
spinning (because it has not yet initialized its kicker interrupt), resulting
in the following crash during boot:
kernel BUG at /build/linux-Ay7j_C/linux-4.4.0/drivers/xen/events/events_base.c:1210!
invalid opcode: 0000 [#1] SMP
...
RIP: 0010:[<
ffffffff814c97c9>] [<
ffffffff814c97c9>] xen_send_IPI_one+0x59/0x60
...
Call Trace:
[<
ffffffff8102be9e>] xen_qlock_kick+0xe/0x10
[<
ffffffff810cabc2>] __pv_queued_spin_unlock+0xb2/0xf0
[<
ffffffff810ca6d1>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
[<
ffffffff81052936>] ? check_tsc_warp+0x76/0x150
[<
ffffffff81052aa6>] check_tsc_sync_source+0x96/0x160
[<
ffffffff81051e28>] native_cpu_up+0x3d8/0x9f0
[<
ffffffff8102b315>] xen_hvm_cpu_up+0x35/0x80
[<
ffffffff8108198c>] _cpu_up+0x13c/0x180
[<
ffffffff81081a4a>] cpu_up+0x7a/0xa0
[<
ffffffff81f80dfc>] smp_init+0x7f/0x81
[<
ffffffff81f5a121>] kernel_init_freeable+0xef/0x212
[<
ffffffff81817f30>] ? rest_init+0x80/0x80
[<
ffffffff81817f3e>] kernel_init+0xe/0xe0
[<
ffffffff8182488f>] ret_from_fork+0x3f/0x70
[<
ffffffff81817f30>] ? rest_init+0x80/0x80
To fix this, only send the kick if the target CPU's interrupt has been
initialized. This check isn't racy, because the target is waiting for
the spinlock, so it won't have initialized the interrupt in the
meantime.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: David Vrabel <david.vrabel@citrix.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-kernel@vger.kernel.org
Cc: xen-devel@lists.xenproject.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vitaly Kuznetsov [Sat, 4 Jun 2016 00:09:22 +0000 (17:09 -0700)]
Drivers: hv: avoid vfree() on crash
commit
a9f61ca793becabdefab03b77568d6c6f8c1bc79 upstream.
When we crash from NMI context (e.g. after NMI injection from host when
'sysctl -w kernel.unknown_nmi_panic=1' is set) we hit
kernel BUG at mm/vmalloc.c:1530!
as vfree() is denied. While the issue could be solved with in_nmi() check
instead I opted for skipping vfree on all sorts of crashes to reduce the
amount of work which can cause consequent crashes. We don't really need to
free anything on crash.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vitaly Kuznetsov [Sun, 1 May 2016 02:21:35 +0000 (19:21 -0700)]
Drivers: hv: balloon: don't crash when memory is added in non-sorted order
commit
77c0c9735bc0ba5898e637a3a20d6bcb50e3f67d upstream.
When we iterate through all HA regions in handle_pg_range() we have an
assumption that all these regions are sorted in the list and the
'start_pfn >= has->end_pfn' check is enough to find the proper region.
Unfortunately it's not the case with WS2016 where host can hot-add regions
in a different order. We end up modifying the wrong HA region and crashing
later on pages online. Modify the check to make sure we found the region
we were searching for while iterating. Fix the same check in pfn_covered()
as well.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mika Westerberg [Mon, 22 Aug 2016 11:42:52 +0000 (14:42 +0300)]
pinctrl: cherryview: Do not mask all interrupts in probe
commit
bcb48cca23ec9852739e4a464307fa29515bbe48 upstream.
The Cherryview GPIO controller has 8 or 16 wires connected to the I/O-APIC
which can be used directly by the platform/BIOS or drivers. One such wire
is used as SCI (System Control Interrupt) which ACPI depends on to be able
to trigger GPEs (General Purpose Events).
The pinctrl driver itself uses another IRQ resource which is wire OR of all
the 8 (or 16) wires and follows what BIOS has programmed to the IntSel
register of each pin.
Currently the driver masks all interrupts at probe time and this prevents
these direct interrupts from working as expected. The reason for this is
that some early stage prototypes had some pins misconfigured causing lots
of spurious interrupts.
We fix this by leaving the interrupt mask untouched. This allows SCI and
other direct interrupts work properly. What comes to the possible spurious
interrupts we switch the default handler to be handle_bad_irq() instead of
handle_simple_irq() (which was not correct anyway).
Reported-by: Yu C Chen <yu.c.chen@intel.com>
Reported-by: Anisse Astier <anisse@astier.eu>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alex Hung [Fri, 27 May 2016 07:47:06 +0000 (15:47 +0800)]
ACPI / video: skip evaluating _DOD when it does not exist
commit
e34fbbac669de0b7fb7803929d0477f35f6e2833 upstream.
Some system supports hybrid graphics and its discrete VGA
does not have any connectors and therefore has no _DOD method.
Signed-off-by: Alex Hung <alex.hung@canonical.com>
Reviewed-by: Aaron Lu <aaron.lu@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Manoj N. Kumar [Fri, 4 Mar 2016 21:55:20 +0000 (15:55 -0600)]
cxlflash: Increase cmd_per_lun for better throughput
commit
83430833b4d4a9c9b23964babbeb1f36450f8136 upstream.
With the current value of cmd_per_lun at 16, the throughput
over a single adapter is limited to around 150kIOPS.
Increase the value of cmd_per_lun to 256 to improve
throughput. With this change a single adapter is able to
attain close to the maximum throughput (380kIOPS).
Also change the number of RRQ entries that can be queued.
Signed-off-by: Manoj N. Kumar <manoj@linux.vnet.ibm.com>
Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
Reviewed-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang, Rui Y [Wed, 27 Jan 2016 09:08:36 +0000 (17:08 +0800)]
crypto: mcryptd - Fix load failure
commit
ddef482420b1ba8ec45e6123a7e8d3f67b21e5e3 upstream.
mcryptd_create_hash() fails by returning -EINVAL, causing any
driver using mcryptd to fail to load. It is because it needs
to set its statesize properly.
Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang, Rui Y [Sun, 29 Nov 2015 14:45:34 +0000 (22:45 +0800)]
crypto: cryptd - Assign statesize properly
commit
1a07834024dfca5c4bed5de8f8714306e0a11836 upstream.
cryptd_create_hash() fails by returning -EINVAL. It is because after
8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
drivers must have a non-zero statesize.
This patch fixes the problem by properly assigning the statesize.
Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Wang, Rui Y [Sun, 29 Nov 2015 14:45:33 +0000 (22:45 +0800)]
crypto: ghash-clmulni - Fix load failure
commit
3a020a723c65eb8ffa7c237faca26521a024e582 upstream.
ghash_clmulni_intel fails to load on Linux 4.3+ with the following message:
"modprobe: ERROR: could not insert 'ghash_clmulni_intel': Invalid argument"
After
8996eafdc ("crypto: ahash - ensure statesize is non-zero") all ahash
drivers are required to implement import()/export(), and must have a non-
zero statesize.
This patch has been tested with the algif_hash interface. The calculated
digest values, after several rounds of import()s and export()s, match those
calculated by tcrypt.
Signed-off-by: Rui Wang <rui.y.wang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alan Stern [Mon, 27 Jun 2016 14:23:10 +0000 (10:23 -0400)]
USB: don't free bandwidth_mutex too early
commit
ab2a4bf83902c170d29ba130a8abb5f9d90559e1 upstream.
The USB core contains a bug that can show up when a USB-3 host
controller is removed. If the primary (USB-2) hcd structure is
released before the shared (USB-3) hcd, the core will try to do a
double-free of the common bandwidth_mutex.
The problem was described in graphical form by Chung-Geol Kim, who
first reported it:
=================================================
At *remove USB(3.0) Storage
sequence <1> --> <5> ((Problem Case))
=================================================
VOLD
------------------------------------|------------
(uevent)
________|_________
|<1> |
|dwc3_otg_sm_work |
|usb_put_hcd |
|peer_hcd(kref=2)|
|__________________|
________|_________
|<2> |
|New USB BUS #2 |
| |
|peer_hcd(kref=1) |
| |
--(Link)-bandXX_mutex|
| |__________________|
|
___________________ |
|<3> | |
|dwc3_otg_sm_work | |
|usb_put_hcd | |
|primary_hcd(kref=1)| |
|___________________| |
_________|_________ |
|<4> | |
|New USB BUS #1 | |
|hcd_release | |
|primary_hcd(kref=0)| |
| | |
|bandXX_mutex(free) |<-
|___________________|
(( VOLD ))
______|___________
|<5> |
| SCSI |
|usb_put_hcd |
|peer_hcd(kref=0) |
|*hcd_release |
|bandXX_mutex(free*)|<- double free
|__________________|
=================================================
This happens because hcd_release() frees the bandwidth_mutex whenever
it sees a primary hcd being released (which is not a very good idea
in any case), but in the course of releasing the primary hcd, it
changes the pointers in the shared hcd in such a way that the shared
hcd will appear to be primary when it gets released.
This patch fixes the problem by changing hcd_release() so that it
deallocates the bandwidth_mutex only when the _last_ hcd structure
referencing it is released. The patch also removes an unnecessary
test, so that when an hcd is released, both the shared_hcd and
primary_hcd pointers in the hcd's peer will be cleared.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
Tested-by: Chung-Geol Kim <chunggeol.kim@samsung.com>
Cc: Sumit Semwal <sumit.semwal@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Bainbridge [Mon, 25 Apr 2016 12:48:38 +0000 (13:48 +0100)]
usb: core: hub: hub_port_init lock controller instead of bus
commit
feb26ac31a2a5cb88d86680d9a94916a6343e9e6 upstream.
The XHCI controller presents two USB buses to the system - one for USB2
and one for USB3. The hub init code (hub_port_init) is reentrant but
only locks one bus per thread, leading to a race condition failure when
two threads attempt to simultaneously initialise a USB2 and USB3 device:
[ 8.034843] xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
[ 13.183701] usb 3-3: device descriptor read/all, error -110
On a test system this failure occurred on 6% of all boots.
The call traces at the point of failure are:
Call Trace:
[<
ffffffff81b9bab7>] schedule+0x37/0x90
[<
ffffffff817da7cd>] usb_kill_urb+0x8d/0xd0
[<
ffffffff8111e5e0>] ? wake_up_atomic_t+0x30/0x30
[<
ffffffff817dafbe>] usb_start_wait_urb+0xbe/0x150
[<
ffffffff817db10c>] usb_control_msg+0xbc/0xf0
[<
ffffffff817d07de>] hub_port_init+0x51e/0xb70
[<
ffffffff817d4697>] hub_event+0x817/0x1570
[<
ffffffff810f3e6f>] process_one_work+0x1ff/0x620
[<
ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
[<
ffffffff810f4684>] worker_thread+0x64/0x4b0
[<
ffffffff810f4620>] ? rescuer_thread+0x390/0x390
[<
ffffffff810fa7f5>] kthread+0x105/0x120
[<
ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
[<
ffffffff81ba183f>] ret_from_fork+0x3f/0x70
[<
ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
Call Trace:
[<
ffffffff817fd36d>] xhci_setup_device+0x53d/0xa40
[<
ffffffff817fd87e>] xhci_address_device+0xe/0x10
[<
ffffffff817d047f>] hub_port_init+0x1bf/0xb70
[<
ffffffff811247ed>] ? trace_hardirqs_on+0xd/0x10
[<
ffffffff817d4697>] hub_event+0x817/0x1570
[<
ffffffff810f3e6f>] process_one_work+0x1ff/0x620
[<
ffffffff810f3dcf>] ? process_one_work+0x15f/0x620
[<
ffffffff810f4684>] worker_thread+0x64/0x4b0
[<
ffffffff810f4620>] ? rescuer_thread+0x390/0x390
[<
ffffffff810fa7f5>] kthread+0x105/0x120
[<
ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
[<
ffffffff81ba183f>] ret_from_fork+0x3f/0x70
[<
ffffffff810fa6f0>] ? kthread_create_on_node+0x200/0x200
Which results from the two call chains:
hub_port_init
usb_get_device_descriptor
usb_get_descriptor
usb_control_msg
usb_internal_control_msg
usb_start_wait_urb
usb_submit_urb / wait_for_completion_timeout / usb_kill_urb
hub_port_init
hub_set_address
xhci_address_device
xhci_setup_device
Mathias Nyman explains the current behaviour violates the XHCI spec:
hub_port_reset() will end up moving the corresponding xhci device slot
to default state.
As hub_port_reset() is called several times in hub_port_init() it
sounds reasonable that we could end up with two threads having their
xhci device slots in default state at the same time, which according to
xhci 4.5.3 specs still is a big no no:
"Note: Software shall not transition more than one Device Slot to the
Default State at a time"
So both threads fail at their next task after this.
One fails to read the descriptor, and the other fails addressing the
device.
Fix this in hub_port_init by locking the USB controller (instead of an
individual bus) to prevent simultaneous initialisation of both buses.
Fixes:
638139eb95d2 ("usb: hub: allow to process more usb hub events in parallel")
Link: https://lkml.org/lkml/2016/2/8/312
Link: https://lkml.org/lkml/2016/2/4/748
Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
Cc: stable <stable@vger.kernel.org>
Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Sumit Semwal <sumit.semwal@linaro.org>
[sumits: minor merge conflict resolution for linux-4.4.y]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel Rosenberg [Wed, 22 Mar 2017 02:11:38 +0000 (19:11 -0700)]
ANDROID: sdcardfs: Fix style issues in macros
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: I89c4035029dc2236081a7685c55cac595d9e7ebf
Daniel Rosenberg [Wed, 22 Mar 2017 00:27:40 +0000 (17:27 -0700)]
ANDROID: sdcardfs: Use seq_puts over seq_printf
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: I3795ec61ce61e324738815b1ce3b0e09b25d723f
Daniel Rosenberg [Fri, 17 Mar 2017 02:32:59 +0000 (19:32 -0700)]
ANDROID: sdcardfs: Use to kstrout
Switch from deprecated simple_strtoul to kstrout
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: If18bd133b4d2877f71e58b58fc31371ff6613ed5
Daniel Rosenberg [Fri, 17 Mar 2017 00:46:13 +0000 (17:46 -0700)]
ANDROID: sdcardfs: Use pr_[...] instead of printk
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: Ibc635ec865750530d32b87067779f681fe58a003
Daniel Rosenberg [Tue, 21 Mar 2017 23:29:13 +0000 (16:29 -0700)]
ANDROID: sdcardfs: remove unneeded null check
As pointed out by checkpatch, these functions already
handle null inputs, so the checks are not needed.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: I189342f032dfcefee36b27648bb512488ad61d20
Daniel Rosenberg [Fri, 17 Mar 2017 02:33:35 +0000 (19:33 -0700)]
ANDROID: sdcardfs: Fix style issues with comments
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: I8791ef7eac527645ecb9407908e7e5ece35b8f80
Daniel Rosenberg [Fri, 17 Mar 2017 00:42:58 +0000 (17:42 -0700)]
ANDROID: sdcardfs: Fix formatting
This fixes various spacing and bracket related issues
pointed out by checkpatch.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: I6e248833a7a04e3899f3ae9462d765cfcaa70c96
Daniel Rosenberg [Tue, 21 Mar 2017 23:28:27 +0000 (16:28 -0700)]
ANDROID: sdcardfs: correct order of descriptors
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug:
35331000
Change-Id: Ia6d16b19c8c911f41231d2a12be0740057edfacf
Chenbo Feng [Thu, 23 Mar 2017 20:51:24 +0000 (13:51 -0700)]
fix the deadlock in xt_qtaguid when enable DDEBUG
When DDEBUG is enabled, the prdebug_full_state() function will try to
recursively aquire the spinlock of sock_tag_list and causing deadlock. A
check statement is added before it aquire the spinlock to differentiate
the behavior depend on the caller of the function.
Bug:
36559739
Test: Compile and run test under system/extra/test/iptables/
Change-Id: Ie3397fbaa207e14fe214d47aaf5e8ca1f4a712ee
Signed-off-by: Chenbo Feng <fengc@google.com>
Chih-Wei Huang [Thu, 23 Mar 2017 18:01:46 +0000 (02:01 +0800)]
Merge remote-tracking branch 'aosp/android-4.4' into kernel-4.4
Conflicts:
drivers/misc/Kconfig
Chih-Wei Huang [Thu, 23 Mar 2017 17:37:38 +0000 (01:37 +0800)]
Revert "Squashfs: optimize reading uncompressed data"
This reverts commit
d9aa8ddc51cbd7d3bc68d664f9b71548a04447e9.
Povilas Staniulis [Thu, 23 Mar 2017 13:33:24 +0000 (21:33 +0800)]
HID: multitouch: add ids of Uiworks
Joel Scherpelz [Wed, 22 Mar 2017 09:19:04 +0000 (18:19 +0900)]
net: ipv6: Add sysctl for minimum prefix len acceptable in RIOs.
This commit adds a new sysctl accept_ra_rt_info_min_plen that
defines the minimum acceptable prefix length of Route Information
Options. The new sysctl is intended to be used together with
accept_ra_rt_info_max_plen to configure a range of acceptable
prefix lengths. It is useful to prevent misconfigurations from
unintentionally blackholing too much of the IPv6 address space
(e.g., home routers announcing RIOs for fc00::/7, which is
incorrect).
[backport of net-next
bbea124bc99df968011e76eba105fe964a4eceab]
Bug:
33333670
Test: net_test passes
Signed-off-by: Joel Scherpelz <jscherpelz@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Greg Kroah-Hartman [Wed, 22 Mar 2017 11:32:56 +0000 (11:32 +0000)]
Linux 4.4.56
am:
0136bca4e0
Change-Id: I222649f657066fe86bc7f8380b869e5e9c8a23f3
Peter Zijlstra [Wed, 22 Mar 2017 11:32:47 +0000 (11:32 +0000)]
futex: Add missing error handling to FUTEX_REQUEUE_PI
am:
99d403faba
Change-Id: I7d99bd76a3d1cd329295b157eb179fc194029c5d
Peter Zijlstra [Wed, 22 Mar 2017 11:32:38 +0000 (11:32 +0000)]
futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
am:
44854c191e
Change-Id: I361f387f34ccb2a497290c3f1f33803cc899b7da
Andy Lutomirski [Wed, 22 Mar 2017 11:32:30 +0000 (11:32 +0000)]
x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
am:
62f57041fb
Change-Id: I49a7e668ab62da72a19802ed047bb925a7fb14f0
Andrey Ryabinin [Wed, 22 Mar 2017 11:32:20 +0000 (11:32 +0000)]
x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
am:
8e0ec20539
Change-Id: I232544f0d96384f70c58b37f41f524ff4bc808fe
Eric Biggers [Wed, 22 Mar 2017 11:32:11 +0000 (11:32 +0000)]
fscrypto: lock inode while setting encryption policy
am:
3a19419c50
Change-Id: I3926f8d43c5d7f4c3648460bc103f24d05b6f3ee
Eric Biggers [Wed, 22 Mar 2017 11:32:00 +0000 (11:32 +0000)]
fscrypt: fix renaming and linking special files
am:
fd74e8d258
Change-Id: I899984b06cce168a62c3ca6f2df05a6c19fdfc28
Roman Mashak [Wed, 22 Mar 2017 11:31:51 +0000 (11:31 +0000)]
net sched actions: decrement module reference count after table flush.
am:
c10ffe988f
Change-Id: Ie90a3e257c06baeb2c1e8b190da986990a5c2e7c
Hannes Frederic Sowa [Wed, 22 Mar 2017 11:31:41 +0000 (11:31 +0000)]
dccp: fix memory leak during tear-down of unsuccessful connection request
am:
676fe97852
Change-Id: Ibf191dd00ac72ee187beff00a46be207778ea912
Jon Maxwell [Wed, 22 Mar 2017 11:31:33 +0000 (11:31 +0000)]
dccp/tcp: fix routing redirect race
am:
4ab956b561
Change-Id: I9cb352108500198e4d94eb8e08b53065e29e31d4
Florian Westphal [Wed, 22 Mar 2017 11:31:22 +0000 (11:31 +0000)]
bridge: drop netfilter fake rtable unconditionally
am:
56f9b9502f
Change-Id: I286db307416cce649790533419ec6a735bbcbb3d
Florian Westphal [Wed, 22 Mar 2017 11:31:13 +0000 (11:31 +0000)]
ipv6: avoid write to a possibly cloned skb
am:
aed728c38c
Change-Id: I7bbff2dcff94ea2804d3f21cd0341379332a47e6
Sabrina Dubroca [Wed, 22 Mar 2017 11:31:04 +0000 (11:31 +0000)]
ipv6: make ECMP route replacement less greedy
am:
5f8bc3856e
Change-Id: I6abea1ee369e3ae901dbb615991a112621da03f9
David Ahern [Wed, 22 Mar 2017 11:30:56 +0000 (11:30 +0000)]
mpls: Send route delete notifications when router module is unloaded
am:
b57955ea30
Change-Id: Ica14abfb917ddcf236459f3e6886234a9daac40b
Etienne Noss [Wed, 22 Mar 2017 11:30:47 +0000 (11:30 +0000)]
act_connmark: avoid crashing on malformed nlattrs with null parms
am:
710fbeb3f5
Change-Id: Ie14c5fad2baf06f9d7669ef68b16023bd165af17
Dmitry V. Levin [Wed, 22 Mar 2017 11:30:38 +0000 (11:30 +0000)]
uapi: fix linux/packet_diag.h userspace compilation error
am:
6c72458ab4
Change-Id: I107c3b445b4f92b52be422542062a0d6e147cc3d
David Ahern [Wed, 22 Mar 2017 11:30:30 +0000 (11:30 +0000)]
vrf: Fix use-after-free in vrf_xmit
am:
e671f1cc58
Change-Id: I9252af147439040890edc2f612d4868806c2324a
Eric Dumazet [Wed, 22 Mar 2017 11:30:21 +0000 (11:30 +0000)]
dccp: fix use-after-free in dccp_feat_activate_values
am:
d0ebde92fb
Change-Id: I80863cbb814b1486069ee311e3f8543c7d34b74a
Eric Dumazet [Wed, 22 Mar 2017 11:30:11 +0000 (11:30 +0000)]
net: fix socket refcounting in skb_complete_tx_timestamp()
am:
ec4d8692b7
Change-Id: Idc05607ffe99175575d7f07e3138e2f4496a5110
Eric Dumazet [Wed, 22 Mar 2017 11:30:01 +0000 (11:30 +0000)]
net: fix socket refcounting in skb_complete_wifi_ack()
am:
9e7683301b
Change-Id: I00fea5d105075ad526ca753b463f91bcd5db30d0
Eric Dumazet [Wed, 22 Mar 2017 11:29:50 +0000 (11:29 +0000)]
tcp: fix various issues for sockets morphing to listen state
am:
2681a7853a
Change-Id: I9dd8b9c075e54c8b5fbff08ff06dcd74c7e56d4a
Arnaldo Carvalho de Melo [Wed, 22 Mar 2017 11:29:41 +0000 (11:29 +0000)]
dccp: Unlock sock before calling sk_free()
am:
9216632bf4
Change-Id: Id3dda6def7939123cc232d10fefcd0bb2b020ccc
Eric Dumazet [Wed, 22 Mar 2017 11:29:30 +0000 (11:29 +0000)]
net: net_enable_timestamp() can be called from irq contexts
am:
a70c328597
Change-Id: I79a15d07b95126c554366c5b9c266cdb73e8f823
Alexander Potapenko [Wed, 22 Mar 2017 11:29:19 +0000 (11:29 +0000)]
net: don't call strlen() on the user buffer in packet_bind_spkt()
am:
f331d6445a
Change-Id: If72ad0b49abc6132a8e67dede206504aa3985da9
Paul Hber [Wed, 22 Mar 2017 11:29:11 +0000 (11:29 +0000)]
l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv
am:
2cd0afc64e
Change-Id: Ib7bcb274c63e13807b1e25f74b6018866e2d8eb1
Julian Anastasov [Wed, 22 Mar 2017 11:29:01 +0000 (11:29 +0000)]
ipv4: mask tos for input route
am:
354f79125f
Change-Id: I39b7ce23fe7319187421d3e6f0cdd91b16d1fb8c
David Forster [Wed, 22 Mar 2017 11:28:51 +0000 (11:28 +0000)]
vti6: return GRE_KEY for vti6
am:
f1b3aae1f1
Change-Id: I62e249897c31124ca45296c2563c9e3d665e49fb
Matthias Schiffer [Wed, 22 Mar 2017 11:28:41 +0000 (11:28 +0000)]
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
am:
51a219a137
Change-Id: Ibe33b8e55a3c7625b7b985260b38b443ffbfadc9
Florian Westphal [Wed, 22 Mar 2017 11:28:31 +0000 (11:28 +0000)]
netlink: remove mmapped netlink support
am:
0c0be310ba
Change-Id: I85d714d9cc491fd7cb3d1af553864f22c4f1e8fb
Greg Kroah-Hartman [Wed, 22 Mar 2017 11:17:51 +0000 (12:17 +0100)]
Linux 4.4.56
Peter Zijlstra [Sat, 4 Mar 2017 09:27:19 +0000 (10:27 +0100)]
futex: Add missing error handling to FUTEX_REQUEUE_PI
commit
9bbb25afeb182502ca4f2c4f3f88af0681b34cae upstream.
Thomas spotted that fixup_pi_state_owner() can return errors and we
fail to unlock the rt_mutex in that case.
Reported-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170304093558.867401760@infradead.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Zijlstra [Sat, 4 Mar 2017 09:27:18 +0000 (10:27 +0100)]
futex: Fix potential use-after-free in FUTEX_REQUEUE_PI
commit
c236c8e95a3d395b0494e7108f0d41cf36ec107c upstream.
While working on the futex code, I stumbled over this potential
use-after-free scenario. Dmitry triggered it later with syzkaller.
pi_mutex is a pointer into pi_state, which we drop the reference on in
unqueue_me_pi(). So any access to that pointer after that is bad.
Since other sites already do rt_mutex_unlock() with hb->lock held, see
for example futex_lock_pi(), simply move the unlock before
unqueue_me_pi().
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Cc: juri.lelli@arm.com
Cc: bigeasy@linutronix.de
Cc: xlpang@redhat.com
Cc: rostedt@goodmis.org
Cc: mathieu.desnoyers@efficios.com
Cc: jdesfossez@efficios.com
Cc: dvhart@infradead.org
Cc: bristot@redhat.com
Link: http://lkml.kernel.org/r/20170304093558.801744246@infradead.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andy Lutomirski [Thu, 16 Mar 2017 19:59:39 +0000 (12:59 -0700)]
x86/perf: Fix CR4.PCE propagation to use active_mm instead of mm
commit
5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream.
If one thread mmaps a perf event while another thread in the same mm
is in some context where active_mm != mm (which can happen in the
scheduler, for example), refresh_pce() would write the wrong value
to CR4.PCE. This broke some PAPI tests.
Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bpetkov@suse.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Fixes:
7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped")
Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrey Ryabinin [Mon, 13 Mar 2017 16:33:37 +0000 (19:33 +0300)]
x86/kasan: Fix boot with KASAN=y and PROFILE_ANNOTATED_BRANCHES=y
commit
be3606ff739d1c1be36389f8737c577ad87e1f57 upstream.
The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y
options selected. With branch profiling enabled we end up calling
ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is
built with KASAN instrumentation, so calling it before kasan has been
initialized leads to crash.
Use DISABLE_BRANCH_PROFILING define to make sure that we don't call
ftrace_likely_update() from early code before kasan_early_init().
Fixes:
ef7f0d6a6ca8 ("x86_64: add KASan support")
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: kasan-dev@googlegroups.com
Cc: Alexander Potapenko <glider@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: lkp@01.org
Cc: Dmitry Vyukov <dvyukov@google.com>
Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Sat, 15 Oct 2016 13:48:50 +0000 (09:48 -0400)]
fscrypto: lock inode while setting encryption policy
commit
8906a8223ad4909b391c5628f7991ebceda30e52 upstream.
i_rwsem needs to be acquired while setting an encryption policy so that
concurrent calls to FS_IOC_SET_ENCRYPTION_POLICY are correctly
serialized (especially the ->get_context() + ->set_context() pair), and
so that new files cannot be created in the directory during or after the
->empty_dir() check.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Richard Weinberger <richard@nod.at>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Biggers [Mon, 19 Dec 2016 22:20:13 +0000 (14:20 -0800)]
fscrypt: fix renaming and linking special files
commit
42d97eb0ade31e1bc537d086842f5d6e766d9d51 upstream.
Attempting to link a device node, named pipe, or socket file into an
encrypted directory through rename(2) or link(2) always failed with
EPERM. This happened because fscrypt_has_permitted_context() saw that
the file was unencrypted and forbid creating the link. This behavior
was unexpected because such files are never encrypted; only regular
files, directories, and symlinks can be encrypted.
To fix this, make fscrypt_has_permitted_context() always return true on
special files.
This will be covered by a test in my encryption xfstests patchset.
Fixes:
9bd8212f981e ("ext4 crypto: add encryption policy and password salt support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Roman Mashak [Fri, 24 Feb 2017 16:00:32 +0000 (11:00 -0500)]
net sched actions: decrement module reference count after table flush.
[ Upstream commit
edb9d1bff4bbe19b8ae0e71b1f38732591a9eeb2 ]
When tc actions are loaded as a module and no actions have been installed,
flushing them would result in actions removed from the memory, but modules
reference count not being decremented, so that the modules would not be
unloaded.
Following is example with GACT action:
% sudo modprobe act_gact
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions ls action gact
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 1
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 2
% sudo rmmod act_gact
rmmod: ERROR: Module act_gact is in use
....
After the fix:
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions add action pass index 1
% sudo tc actions add action pass index 2
% sudo tc actions add action pass index 3
% lsmod
Module Size Used by
act_gact 16384 3
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 0
%
% sudo tc actions flush action gact
% lsmod
Module Size Used by
act_gact 16384 0
% sudo rmmod act_gact
% lsmod
Module Size Used by
%
Fixes:
f97017cdefef ("net-sched: Fix actions flushing")
Signed-off-by: Roman Mashak <mrv@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
OSDN Git Service
