Al Viro [Fri, 18 Mar 2016 20:07:38 +0000 (16:07 -0400)]
Merge branches 'work.lookups', 'work.misc' and 'work.preadv2' into for-next
Rabin Vincent [Thu, 10 Mar 2016 20:19:06 +0000 (21:19 +0100)]
splice: handle zero nr_pages in splice_to_pipe()
Running the following command:
busybox cat /sys/kernel/debug/tracing/trace_pipe > /dev/null
with any tracing enabled pretty very quickly leads to various NULL
pointer dereferences and VM BUG_ON()s, such as these:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
IP: [<
ffffffff8119df6c>] generic_pipe_buf_release+0xc/0x40
Call Trace:
[<
ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<
ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<
ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<
ffffffff81196869>] do_sendfile+0x199/0x380
[<
ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<
ffffffff8192cbee>] entry_SYSCALL_64_fastpath+0x12/0x6d
page dumped because: VM_BUG_ON_PAGE(atomic_read(&page->_count) == 0)
kernel BUG at include/linux/mm.h:367!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
RIP: [<
ffffffff8119df9c>] generic_pipe_buf_release+0x3c/0x40
Call Trace:
[<
ffffffff811c48a3>] splice_direct_to_actor+0x143/0x1e0
[<
ffffffff811c42e0>] ? generic_pipe_buf_nosteal+0x10/0x10
[<
ffffffff811c49cf>] do_splice_direct+0x8f/0xb0
[<
ffffffff81196869>] do_sendfile+0x199/0x380
[<
ffffffff81197600>] SyS_sendfile64+0x90/0xa0
[<
ffffffff8192cd1e>] tracesys_phase2+0x84/0x89
(busybox's cat uses sendfile(2), unlike the coreutils version)
This is because tracing_splice_read_pipe() can call splice_to_pipe()
with spd->nr_pages == 0. spd_pages underflows in splice_to_pipe() and
we fill the page pointers and the other fields of the pipe_buffers with
garbage.
All other callers of splice_to_pipe() avoid calling it when nr_pages ==
0, and we could make tracing_splice_read_pipe() do that too, but it
seems reasonable to have splice_to_page() handle this condition
gracefully.
Cc: stable@vger.kernel.org
Signed-off-by: Rabin Vincent <rabin@rab.in>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Dmitry V. Levin [Thu, 19 Mar 2015 11:10:54 +0000 (11:10 +0000)]
vfs: show_vfsstat: do not ignore errors from show_devname method
Explicitly check show_devname method return code and bail out in case
of an error. This fixes regression introduced by commit
9d4d65748a5c.
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Thu, 10 Mar 2016 00:52:39 +0000 (19:52 -0500)]
dcache.c: new helper: __d_add()
d_add() with inode->i_lock already held; common to d_add() and
d_splice_alias(). All ->lookup() instances that end up hashing
the dentry they are given will hash it here.
This almost completes the preparations to parallel lookups
proper - the only remaining bit is taking security_d_instantiate()
past d_rehash() and doing rehashing without dropping ->d_lock.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 9 Mar 2016 23:05:42 +0000 (18:05 -0500)]
don't bother with __d_instantiate(dentry, NULL)
it's a no-op - bumping ->d_seq is pointless there.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 9 Mar 2016 22:58:49 +0000 (17:58 -0500)]
untangle fsnotify_d_instantiate() a bit
First of all, don't bother calling it if inode is NULL -
that makes inode argument unused. Moreover, do it *before*
dropping ->d_lock, not right after that (and don't bother
grabbing ->d_lock in it, of course).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 9 Mar 2016 02:01:03 +0000 (21:01 -0500)]
uninline d_add()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 17:44:17 +0000 (12:44 -0500)]
replace d_add_unique() with saner primitive
new primitive: d_exact_alias(dentry, inode). If there is an unhashed
dentry with the same name/parent and given inode, rehash, grab and
return it. Otherwise, return NULL. The only caller of d_add_unique()
switched to d_exact_alias() + d_splice_alias().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 04:27:22 +0000 (23:27 -0500)]
quota: use lookup_one_len_unlocked()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 04:20:44 +0000 (23:20 -0500)]
cifs_get_root(): use lookup_one_len_unlocked()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 03:40:43 +0000 (22:40 -0500)]
nfs_lookup: don't bother with d_instantiate(dentry, NULL)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 1 Mar 2016 20:35:06 +0000 (15:35 -0500)]
kill dentry_unhash()
the last user is gone
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 7 Mar 2016 20:11:43 +0000 (15:11 -0500)]
ceph_fill_trace(): don't bother with d_instantiate(dn, NULL)
... and use d_add(dn, NULL) in case we need to hash a negative
unhashed rather than using d_rehash() directly.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 7 Mar 2016 20:10:45 +0000 (15:10 -0500)]
autofs4: don't bother with d_instantiate(dentry, NULL) in ->lookup()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 7 Mar 2016 19:25:46 +0000 (14:25 -0500)]
configfs: move d_rehash() into configfs_create() for regular files
... and turn it into d_add in there
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 7 Mar 2016 01:42:16 +0000 (20:42 -0500)]
ceph: don't bother with d_rehash() in splice_dentry()
d_splice_alias() guarantees that it'll be always hashed
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 19:20:52 +0000 (14:20 -0500)]
namei: teach lookup_slow() to skip revalidate
... and make mountpoint_last() use it. That makes all
candidates for lookup with parent locked shared go
through lookup_slow().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 19:03:27 +0000 (14:03 -0500)]
namei: massage lookup_slow() to be usable by lookup_one_len_unlocked()
Return dentry and don't pass nameidata or path; lift crossing mountpoints
into the caller.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 03:31:50 +0000 (22:31 -0500)]
lookup_one_len_unlocked(): use lookup_dcache()
No need to lock parent just because of ->d_revalidate() on child;
contrary to the stale comment, lookup_dcache() *can* be used without
locking the parent. Result can be moved as soon as we return, of
course, but the same is true for lookup_one_len_unlocked() itself.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 03:37:46 +0000 (22:37 -0500)]
namei: simplify invalidation logics in lookup_dcache()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 03:04:59 +0000 (22:04 -0500)]
namei: change calling conventions for lookup_{fast,slow} and follow_managed()
Have lookup_fast() return 1 on success and 0 on "need to fall back";
lookup_slow() and follow_managed() return positive (1) on success.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 02:32:53 +0000 (21:32 -0500)]
namei: untanlge lookup_fast()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 04:07:10 +0000 (23:07 -0500)]
jffs2: reduce the breakage on recovery from halfway failed rename()
d_instantiate(new_dentry, old_inode) is absolutely wrong thing to
do - it will oops if new_dentry used to be positive, for starters.
What we need is d_invalidate() the target and be done with that.
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 8 Mar 2016 03:17:07 +0000 (22:17 -0500)]
ncpfs: fix a braino in OOM handling in ncp_fill_cache()
Failing to allocate an inode for child means that cache for *parent* is
incompletely populated. So it's parent directory inode ('dir') that
needs NCPI_DIR_CACHE flag removed, *not* the child inode ('inode', which
is what we'd failed to allocate in the first place).
Fucked-up-in: commit
5e993e25 ("ncpfs: get rid of d_validate() nonsense")
Fucked-up-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org # v3.19
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 6 Mar 2016 01:09:32 +0000 (20:09 -0500)]
lookup_dcache(): lift d_alloc() into callers
... and kill need_lookup thing
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sat, 5 Mar 2016 23:14:03 +0000 (18:14 -0500)]
do_last(): reorder and simplify a bit
bugger off on negatives a bit earlier, simplify the tests
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sat, 5 Mar 2016 23:10:51 +0000 (18:10 -0500)]
Merge branch 'for-linus' into work.lookups
for the sake of namei.c fixes
Christoph Hellwig [Thu, 3 Mar 2016 15:04:03 +0000 (16:04 +0100)]
blk-mq: enable polling support by default
Now that applications need to explicitly ask for polling we can enable it
by default in blk-mq drivers. Note that this will only have an affect
on driver that supply a poll function, which currently only includes nvme.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Christoph Hellwig [Thu, 3 Mar 2016 15:04:02 +0000 (16:04 +0100)]
direct-io: only use block polling if explicitly requested
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Christoph Hellwig [Thu, 3 Mar 2016 15:04:01 +0000 (16:04 +0100)]
vfs: add the RWF_HIPRI flag for preadv2/pwritev2
This adds a flag that tells the file system that this is a high priority
request for which it's worth to poll the hardware. The flag is purely
advisory and can be ignored if not supported.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Christoph Hellwig [Thu, 3 Mar 2016 15:04:00 +0000 (16:04 +0100)]
x86: wire up preadv2 and pwritev2
Signed-off-by: Milosz Tanski <milosz@adfin.com>
[hch: rebased due to newly added syscalls]
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Milosz Tanski [Thu, 3 Mar 2016 15:03:59 +0000 (16:03 +0100)]
vfs: vfs: Define new syscalls preadv2,pwritev2
New syscalls that take an flag argument. No flags are added yet in this
patch.
Signed-off-by: Milosz Tanski <milosz@adfin.com>
[hch: rebased on top of my kiocb changes]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Christoph Hellwig [Thu, 3 Mar 2016 15:03:58 +0000 (16:03 +0100)]
vfs: pass a flags argument to vfs_readv/vfs_writev
This way we can set kiocb flags also from the sync read/write path for
the read_iter/write_iter operations. For now there is no way to pass
flags to plain read/write operations as there is no real need for that,
and all flags passed are explicitly rejected for these files.
Signed-off-by: Milosz Tanski <milosz@adfin.com>
[hch: rebased on top of my kiocb changes]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Stephen Bates <stephen.bates@pmcs.com>
Tested-by: Stephen Bates <stephen.bates@pmcs.com>
Acked-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 29 Feb 2016 17:12:46 +0000 (12:12 -0500)]
use ->d_seq to get coherency between ->d_inode and ->d_flags
Games with ordering and barriers are way too brittle. Just
bump ->d_seq before and after updating ->d_inode and ->d_flags
type bits, so that verifying ->d_seq would guarantee they are
coherent.
Cc: stable@vger.kernel.org # v3.13+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 28 Feb 2016 00:37:37 +0000 (19:37 -0500)]
do_last(): ELOOP failure exit should be done after leaving RCU mode
... or we risk seeing a bogus value of d_is_symlink() there.
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 28 Feb 2016 00:31:01 +0000 (19:31 -0500)]
should_follow_link(): validate ->d_seq after having decided to follow
... otherwise d_is_symlink() above might have nothing to do with
the inode value we've got.
Cc: stable@vger.kernel.org # v4.2+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 28 Feb 2016 00:23:16 +0000 (19:23 -0500)]
namei: ->d_inode of a pinned dentry is stable only for positives
both do_last() and walk_component() risk picking a NULL inode out
of dentry about to become positive, *then* checking its flags and
seeing that it's not negative anymore and using (already stale by
then) value they'd fetched earlier. Usually ends up oopsing soon
after that...
Cc: stable@vger.kernel.org # v3.13+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Sun, 28 Feb 2016 00:17:33 +0000 (19:17 -0500)]
do_last(): don't let a bogus return value from ->open() et.al. to confuse us
... into returning a positive to path_openat(), which would interpret that
as "symlink had been encountered" and proceed to corrupt memory, etc.
It can only happen due to a bug in some ->open() instance or in some LSM
hook, etc., so we report any such event *and* make sure it doesn't trick
us into further unpleasantness.
Cc: stable@vger.kernel.org # v3.6+, at least
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Christoph Hellwig [Fri, 26 Feb 2016 17:53:12 +0000 (18:53 +0100)]
fs: return -EOPNOTSUPP if clone is not supported
-EBADF is a rather confusing error if an operations is not supported,
and nfsd gets rather upset about it.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Mikulas Patocka [Thu, 25 Feb 2016 17:17:38 +0000 (18:17 +0100)]
hpfs: don't truncate the file when delete fails
The delete opration can allocate additional space on the HPFS filesystem
due to btree split. The HPFS driver checks in advance if there is
available space, so that it won't corrupt the btree if we run out of space
during splitting.
If there is not enough available space, the HPFS driver attempted to
truncate the file, but this results in a deadlock since the commit
7dd29d8d865efdb00c0542a5d2c87af8c52ea6c7 ("HPFS: Introduce a global mutex
and lock it on every callback from VFS").
This patch removes the code that tries to truncate the file and -ENOSPC is
returned instead. If the user hits -ENOSPC on delete, he should try to
delete other files (that are stored in a leaf btree node), so that the
delete operation will make some space for deleting the file stored in
non-leaf btree node.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Mikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Cc: stable@vger.kernel.org # 2.6.39+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 22 Feb 2016 23:14:25 +0000 (18:14 -0500)]
ecryptfs_encrypt_and_encode_filename(): drop unused argument
the last time it was getting something other than NULL as
crypt_stat had been back in 2009...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Mon, 22 Feb 2016 22:48:19 +0000 (17:48 -0500)]
ecryptfs_lookup(): use lookup_one_len_unlocked()
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Maxim Patlasov [Tue, 16 Feb 2016 19:45:33 +0000 (11:45 -0800)]
fs/pnode.c: treat zero mnt_group_id-s as unequal
propagate_one(m) calculates "type" argument for copy_tree() like this:
> if (m->mnt_group_id == last_dest->mnt_group_id) {
> type = CL_MAKE_SHARED;
> } else {
> type = CL_SLAVE;
> if (IS_MNT_SHARED(m))
> type |= CL_MAKE_SHARED;
> }
The "type" argument then governs clone_mnt() behavior with respect to flags
and mnt_master of new mount. When we iterate through a slave group, it is
possible that both current "m" and "last_dest" are not shared (although,
both are slaves, i.e. have non-NULL mnt_master-s). Then the comparison
above erroneously makes new mount shared and sets its mnt_master to
last_source->mnt_master. The patch fixes the problem by handling zero
mnt_group_id-s as though they are unequal.
The similar problem exists in the implementation of "else" clause above
when we have to ascend upward in the master/slave tree by calling:
> last_source = last_source->mnt_master;
> last_dest = last_source->mnt_parent;
proper number of times. The last step is governed by
"n->mnt_group_id != last_dest->mnt_group_id" condition that may lie if
both are zero. The patch fixes this case in the same way as the former one.
[AV: don't open-code an obvious helper...]
Signed-off-by: Maxim Patlasov <mpatlasov@virtuozzo.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Tue, 2 Feb 2016 02:28:05 +0000 (02:28 +0000)]
affs_do_readpage_ofs(): just use kmap_atomic() around memcpy()
It forgets kunmap() on a failure exit, but there's really no point keeping
the page kmapped at all - after all, what we are doing is a bunch of memcpy()
into the parts of page, so kmap_atomic()/kunmap_atomic() just around those
memcpy() is enough.
Spotted-by: Insu Yun <wuninsu@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Mateusz Guzik [Thu, 4 Feb 2016 01:56:30 +0000 (02:56 +0100)]
xattr handlers: plug a lock leak in simple_xattr_list
The code could leak xattrs->lock on error.
Problem introduced with
786534b92f3ce68f4 "tmpfs: listxattr should
include POSIX ACL xattrs".
Signed-off-by: Mateusz Guzik <mguzik@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Wouter van Kesteren [Tue, 16 Feb 2016 21:20:59 +0000 (22:20 +0100)]
fs: allow no_seek_end_llseek to actually seek
The user-visible impact of the issue is for example that without this
patch sensors-detect breaks when trying to seek in /dev/cpu/0/cpuid.
'~0ULL' is a 'unsigned long long' that when converted to a loff_t,
which is signed, gets turned into -1. later in vfs_setpos we have
'if (offset > maxsize)', which makes it always return EINVAL.
Fixes:
b25472f9b961 ("new helpers: no_seek_end_llseek{,_size}()")
Signed-off-by: Wouter van Kesteren <woutershep@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Linus Torvalds [Sun, 14 Feb 2016 21:05:20 +0000 (13:05 -0800)]
Linux 4.5-rc4
Linus Torvalds [Sun, 14 Feb 2016 20:47:45 +0000 (12:47 -0800)]
Merge tag 'char-misc-4.5-rc4' of git://git./linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"Here are 3 fixes for some reported issues. Two nvmem driver fixes,
and one mei fix. All have been in linux-next just fine"
* tag 'char-misc-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
nvmem: qfprom: Specify LE device endianness
nvmem: core: return error for non word aligned access
mei: validate request value in client notify request ioctl
Linus Torvalds [Sun, 14 Feb 2016 20:34:53 +0000 (12:34 -0800)]
Merge tag 'driver-core-4.5-rc4' of git://git./linux/kernel/git/gregkh/driver-core
Pull driver core fix from Greg KH:
"Here is one driver core, well klist, fix for 4.5-rc4.
It fixes a problem found in the scsi device list traversal that
probably also could be triggered by other subsystems.
The fix has been in linux-next for a while with no reported problems"
* tag 'driver-core-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
klist: fix starting point removed bug in klist iterators
Linus Torvalds [Sun, 14 Feb 2016 20:29:59 +0000 (12:29 -0800)]
Merge tag 'tty-4.5-rc4' of git://git./linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are a number of small tty and serial driver fixes for 4.5-rc4
that resolve some reported issues.
One of them got reverted as it wasn't correct based on testing, and
all have been in linux-next for a while"
* tag 'tty-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
Revert "8250: uniphier: allow modular build with 8250 console"
pty: make sure super_block is still valid in final /dev/tty close
pty: fix possible use after free of tty->driver_data
tty: Add support for PCIe WCH382 2S multi-IO card
serial/omap: mark wait_for_xmitr as __maybe_unused
serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
8250: uniphier: allow modular build with 8250 console
tty: Drop krefs for interrupted tty lock
Linus Torvalds [Sun, 14 Feb 2016 20:24:28 +0000 (12:24 -0800)]
Merge tag 'usb-4.5-rc4' of git://git./linux/kernel/git/gregkh/usb
Pull PHY fixes from Greg KH:
"Here are a couple of PHY driver fixes for 4.5-rc4.
A few small phy issues. All have been in linux-next with no reported
issues"
* tag 'usb-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
phy: twl4030-usb: Fix unbalanced pm_runtime_enable on module reload
phy: twl4030-usb: Relase usb phy on unload
phy: core: fix wrong err handle for phy_power_on
phy: Restrict phy-hi6220-usb to HiSilicon arm64
Linus Torvalds [Sun, 14 Feb 2016 20:07:55 +0000 (12:07 -0800)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull perf tooling fixes from Thomas Gleixner:
"Another round of fixes for the perf tooling side:
- Prevent a NULL pointer dereference in tracepoint error handling
- Fix a thread handling bug in the intel_pt error handling code
- Search both .eh_frame and .debug_frame sections as toolchains seem
to have random choices of storing the CFI information
- Fix the perf state interval output values, which got broken when
fixing the overall output"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf stat: Fix interval output values
perf probe: Search both .eh_frame and .debug_frame sections for probe location
perf tools: Fix thread lifetime related segfaut in intel_pt
perf tools: tracepoint_error() can receive e=NULL, robustify it
Linus Torvalds [Sun, 14 Feb 2016 20:02:05 +0000 (12:02 -0800)]
Merge branch 'locking-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull lockdep fix from Thomas Gleixner:
"A single fix for the stack trace caching logic in lockdep, where the
duplicate avoidance managed to store no back trace at all"
* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
locking/lockdep: Fix stack trace caching logic
Linus Torvalds [Sun, 14 Feb 2016 19:57:24 +0000 (11:57 -0800)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
"A single fix preventing a 32bit overflow in timespec/val to cputime
conversions on 32bit machines"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
Linus Torvalds [Sun, 14 Feb 2016 19:49:30 +0000 (11:49 -0800)]
Merge branch 'irq-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull irqchip fixes from Thomas Gleixner:
"Another set of ARM SoC related irqchip fixes:
- Plug a memory leak in gicv3-its
- Limit features to the root gic interrupt controller
- Add a missing barrier in the gic-v3 IAR access
- Another compile test fix for sun4i"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/gic-v3: Make sure read from ICC_IAR1_EL1 is visible on redestributor
irqchip/gic: Only set the EOImodeNS bit for the root controller
irqchip/gic: Only populate set_affinity for the root controller
irqchip/gicv3-its: Fix memory leak in its_free_tables()
irqchip/sun4i: Fix compilation outside of arch/arm
Linus Torvalds [Sun, 14 Feb 2016 18:50:26 +0000 (10:50 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
"Two small fixlets for x86:
- Prevent a KASAN false positive in thread_saved_pc()
- Fix a 32-bit truncation problem in the x86 numa code"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mm/numa: Fix 32-bit memblock range truncation bug on 32-bit NUMA kernels
x86: Fix KASAN false positives in thread_saved_pc()
Linus Torvalds [Sun, 14 Feb 2016 18:49:01 +0000 (10:49 -0800)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Here's the first round of MIPS fixes after the merge window:
- Detect Octeon III's PCI correctly.
- Fix return value of the MT7620 probing function.
- Wire up the copy_file_range syscall.
- Fix 64k page support on 32 bit kernels.
- Fix the early Coherency Manager probe.
- Allow only hardware-supported page sizes to be selected for R6000.
- Fix corner cases for the RDHWR nstruction emulation on old hardware.
- Fix FPU handling corner cases.
- Remove stale entry for BCM33xx from the MAINTAINERS file.
- 32 and 64 bit ELF headers are different, handle them correctly"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
mips: Differentiate between 32 and 64 bit ELF header
MIPS: Octeon: Update OCTEON_FEATURE_PCIE for Octeon III
MIPS: pci-mt7620: Fix return value check in mt7620_pci_probe()
MIPS: Fix early CM probing
MIPS: Wire up copy_file_range syscall.
MIPS: Fix 64k page support for 32 bit kernels.
MIPS: R6000: Don't allow 64k pages for R6000.
MIPS: traps.c: Correct microMIPS RDHWR emulation
MIPS: traps.c: Don't emulate RDHWR in the CpU #0 exception handler
MAINTAINERS: Remove stale entry for BCM33xx chips
MIPS: Fix FPU disable with preemption
MIPS: Properly disable FPU in start_thread()
MIPS: Fix buffer overflow in syscall_get_arguments()
Linus Torvalds [Sun, 14 Feb 2016 18:46:47 +0000 (10:46 -0800)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull ARM fixes from Russell King:
"A couple of ARM fixes from Linus for the ICST clock generator code"
[ "Linus" here is Linus Walleij. Name-stealer.
Linus "there can be only one" Torvalds ]
* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
ARM: 8519/1: ICST: try other dividends than 1
ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
Linus Torvalds [Sun, 14 Feb 2016 18:40:21 +0000 (10:40 -0800)]
Merge branch 'component' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull component helper fixes from Russell King:
"A few fixes for problems people have encountered with the recent
update to the component helpers"
* 'component' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
component: remove device from master match list on failed add
component: Detach components when deleting master struct
component: fix crash on x86_64 with hda audio drivers
Linus Torvalds [Sun, 14 Feb 2016 01:35:23 +0000 (17:35 -0800)]
Merge tag 'for-linus' of git://git./linux/kernel/git/dledford/rdma
Pull more rdma fixes from Doug Ledford:
"I think we are getting pretty close to done now. There are four
one-off fixes in this update:
- fix ipoib multicast joins
- fix mlx4 error handling
- fix mlx5 size computation
- fix a thinko in core code"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
IB/mlx5: Fix RC transport send queue overhead computation
IB/ipoib: fix for rare multicast join race condition
IB/core: Fix reading capability mask of the port info class
net/mlx4: fix some error handling in mlx4_multi_func_init()
Linus Torvalds [Sun, 14 Feb 2016 00:39:27 +0000 (16:39 -0800)]
Merge git://git./linux/kernel/git/nab/target-pending
Pull SCSI target fixes from Nicholas Bellinger:
"This includes the long awaited series to address a set of bugs around
active I/O remote-port LUN_RESET, as well as properly handling this
same case with concurrent fabric driver session disconnect ->
reconnect.
Note this set of LUN_RESET bug-fixes has been surviving extended
testing on both v4.5-rc1 and v3.14.y code over the last weeks, and is
CC'ed for stable as it's something folks using multiple ESX connected
hosts with slow backends can certainly trigger.
The highlights also include:
- Fix WRITE_SAME/DISCARD emulation 4k sector conversion in
target/iblock (Mike Christie)
- Fix TMR abort interaction and AIO type TMR response in qla2xxx
target (Quinn Tran + Swapnil Nagle)
- Fix >= v3.17 stale descriptor pointer regression in qla2xxx target
(Quinn Tran)
- Fix >= v4.5-rc1 return regression with unmap_zeros_data_store new
configfs store handler (nab)
- Add CPU affinity flag + convert qla2xxx to use bit (Quinn + HCH +
Bart)"
* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
qla2xxx: use TARGET_SCF_USE_CPUID flag to indiate CPU Affinity
target/transport: add flag to indicate CPU Affinity is observed
target: Fix incorrect unmap_zeroes_data_store return
qla2xxx: Use ATIO type to send correct tmr response
qla2xxx: Fix stale pointer access.
target/user: Fix cast from pointer to phys_addr_t
target: Drop legacy se_cmd->task_stop_comp + REQUEST_STOP usage
target: Fix race with SCF_SEND_DELAYED_TAS handling
target: Fix remote-port TMR ABORT + se_cmd fabric stop
target: Fix TAS handling for multi-session se_node_acls
target: Fix LUN_RESET active TMR descriptor handling
target: Fix LUN_RESET active I/O handling for ACK_KREF
qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM
qla2xxx: Fix warning reported by static checker
target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
Linus Torvalds [Sat, 13 Feb 2016 21:05:56 +0000 (13:05 -0800)]
Merge branch 'fixes' of git://git./linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal management fixes from Eduardo Valentin:
"Specifics in this pull request:
- Compilation fixes on SPEAR, and U8500 thermal drivers.
- RCAR thermal driver now recognizes OF-thermal based thermal zones.
- Small code rework on OF-thermal.
- These change have been CI tested using KernelCI bot [1,2]. \o/
I am taking over on Rui's behalf while he is out. Happy New Chinese
Year!
[1] - https://kernelci.org/build/evalenti/kernel/
v4.5-rc3-16-ga53b8394ec3c/
[2] - https://kernelci.org/boot/all/job/evalenti/kernel/
v4.5-rc3-16-ga53b8394ec3c/"
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
thermal: cpu_cooling: fix out of bounds access in time_in_idle
thermal: allow u8500-thermal driver to be a module
thermal: allow spear-thermal driver to be a module
thermal: spear: use __maybe_unused for PM functions
thermal: rcar: enable to use thermal-zone on DT
thermal: of: use for_each_available_child_of_node for child iterator
Linus Torvalds [Sat, 13 Feb 2016 21:04:47 +0000 (13:04 -0800)]
Merge tag 'sound-fix-4.5-rc4' of git://git./linux/kernel/git/tiwai/sound
Pull another sound fix from Takashi Iwai:
"This contains a fix for the double-free of usb-audio MIDI device at
probe failure"
* tag 'sound-fix-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: usb-audio: avoid freeing umidi object twice
Linus Torvalds [Sat, 13 Feb 2016 16:18:21 +0000 (08:18 -0800)]
Merge tag 'arc-4.5-fixes' of git://git./linux/kernel/git/vgupta/arc
Pull ARC fixes from Vineet Gupta:
"I've been sitting on some of these fixes for a while.
- Corner case of returning to delay slot from interrupt
- Changing default interrupt prioiry level
- Kconfig'ize support for super pages
- Other minor fixes"
* tag 'arc-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARC: mm: Introduce explicit super page size support
ARCv2: intc: Allow interruption by lowest priority interrupt
ARCv2: Check for LL-SC livelock only if LLSC is enabled
ARC: shrink cpuinfo by not saving full timer BCR
ARCv2: clocksource: Rename GRTC -> GFRC ...
ARCv2: STAR
9000950267: Handle return from intr to Delay Slot #2
Andrey Konovalov [Sat, 13 Feb 2016 08:08:06 +0000 (11:08 +0300)]
ALSA: usb-audio: avoid freeing umidi object twice
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.
Found by KASAN.
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Linus Torvalds [Fri, 12 Feb 2016 23:31:22 +0000 (15:31 -0800)]
Merge tag 'pci-v4.5-fixes-1' of git://git./linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"These are some Renesas binding updates for PCI host controllers, a
Broadcom fix for a regression we added in v4.5-rc1, and a fix for an
AER use-after-free problem that can cause memory corruption.
Summary:
AER:
Flush workqueue on device remove to avoid use-after-free (Sebastian Andrzej Siewior)
Broadcom iProc host bridge driver:
Allow multiple devices except on PAXC (Ray Jui)
Renesas R-Car host bridge driver:
Add gen2 device tree support for r8a7793 (Simon Horman)
Add device tree support for r8a7793 (Simon Horman)"
* tag 'pci-v4.5-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: rcar: Add device tree support for r8a7793
PCI: rcar: Add gen2 device tree support for r8a7793
PCI: iproc: Allow multiple devices except on PAXC
PCI/AER: Flush workqueue on device remove to avoid use-after-free
Linus Torvalds [Fri, 12 Feb 2016 21:12:27 +0000 (13:12 -0800)]
Merge branch 'akpm'(patches from Andrew)
Merge fixes from Andrew Morton:
"10 fixes"
The lockdep hlist conversion is in the locking tree too, waiting for the
next merge window. Andrew thought it should go in now. I'll take it,
since it fixes a real problem and looks trivially correct (famous last
words).
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
arch/x86/Kconfig: CONFIG_X86_UV should depend on CONFIG_EFI
mm: fix pfn_t vs highmem
kernel/locking/lockdep.c: convert hash tables to hlists
mm,thp: fix spellos in describing __HAVE_ARCH_FLUSH_PMD_TLB_RANGE
mm,thp: khugepaged: call pte flush at the time of collapse
mm/backing-dev.c: fix error path in wb_init()
mm, dax: check for pmd_none() after split_huge_pmd()
vsprintf: kptr_restrict is okay in IRQ when 2
mm: fix filemap.c kernel doc warning
ubsan: cosmetic fix to Kconfig text
Leon Romanovsky [Thu, 11 Feb 2016 19:09:57 +0000 (21:09 +0200)]
IB/mlx5: Fix RC transport send queue overhead computation
Fix the RC QPs send queue overhead computation to take into account
two additional segments in the WQE which are needed for registration
operations.
The ATOMIC and UMR segments can't coexist together, so chose maximum out
of them.
The commit
9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead
computation") was intended to update RC transport as commit messages
states, but added the code to UC transport.
Fixes:
9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead computation")
Signed-off-by: Kamal Heib <kamalh@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Alex Estrin [Thu, 11 Feb 2016 21:30:51 +0000 (16:30 -0500)]
IB/ipoib: fix for rare multicast join race condition
A narrow window for race condition still exist between
multicast join thread and *dev_flush workers.
A kernel crash caused by prolong erratic link state changes
was observed (most likely a faulty cabling):
[167275.656270] BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
[167275.665973] IP: [<
ffffffffa05f8f2e>] ipoib_mcast_join+0xae/0x1d0 [ib_ipoib]
[167275.674443] PGD 0
[167275.677373] Oops: 0000 [#1] SMP
...
[167275.977530] Call Trace:
[167275.982225] [<
ffffffffa05f92f0>] ? ipoib_mcast_free+0x200/0x200 [ib_ipoib]
[167275.992024] [<
ffffffffa05fa1b7>] ipoib_mcast_join_task+0x2a7/0x490
[ib_ipoib]
[167276.002149] [<
ffffffff8109d5fb>] process_one_work+0x17b/0x470
[167276.010754] [<
ffffffff8109e3cb>] worker_thread+0x11b/0x400
[167276.019088] [<
ffffffff8109e2b0>] ? rescuer_thread+0x400/0x400
[167276.027737] [<
ffffffff810a5aef>] kthread+0xcf/0xe0
Here was a hit spot:
ipoib_mcast_join() {
..............
rec.qkey = priv->broadcast->mcmember.qkey;
^^^^^^^
.....
}
Proposed patch should prevent multicast join task to continue
if link state change is detected.
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Changes from v4:
- as suggested by Doug Ledford, optimized spinlock usage,
i.e. ipoib_mcast_join() is called with lock held.
Changes from v3:
- sync with priv->lock before flag check.
Chages from v2:
- Move check for OPER_UP flag state to mcast_join() to
ensure no event worker is in progress.
- minor style fixes.
Changes from v1:
- No need to lock again if error detected.
Signed-off-by: Doug Ledford <dledford@redhat.com>
Linus Torvalds [Fri, 12 Feb 2016 17:48:55 +0000 (09:48 -0800)]
Merge tag 'mmc-v4.5-rc2' of git://git.linaro.org/people/ulf.hansson/mmc
Pull MMC fixes from Ulf Hansson:
"Here are some mmc fixes intended for v4.5 rc4.
MMC core:
- Fix an sysfs ABI regression
- Return an error in a specific error path dealing with mmc ioctls
MMC host:
- sdhci-pci|acpi: Fix card detect race for Intel BXT/APL
- sh_mmcif: Correct TX DMA channel allocation
- mmc_spi: Fix error handling for dma mapping errors
- sdhci-of-at91: Fix an unbalance issue for the runtime PM usage count
- pxamci: Fix the device-tree probe deferral path
- pxamci: Fix read-only GPIO polarity"
* tag 'mmc-v4.5-rc2' of git://git.linaro.org/people/ulf.hansson/mmc:
Revert "mmc: block: don't use parameter prefix if built as module"
mmc: sdhci-acpi: Fix card detect race for Intel BXT/APL
mmc: sdhci-pci: Fix card detect race for Intel BXT/APL
mmc: sdhci: Allow override of get_cd() called from sdhci_request()
mmc: sdhci: Allow override of mmc host operations
mmc: sh_mmcif: Correct TX DMA channel allocation
mmc: block: return error on failed mmc_blk_get()
mmc: pxamci: fix the device-tree probe deferral path
mmc: mmc_spi: add checks for dma mapping error
mmc: sdhci-of-at91: fix pm runtime unbalanced issue in error path
mmc: pxamci: fix again read-only gpio detection polarity
Linus Torvalds [Fri, 12 Feb 2016 17:42:05 +0000 (09:42 -0800)]
Merge tag 'sound-4.5-rc4' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"In this rc, we've got more volume than previous rc, unsurprisingly;
the majority of updates in ASoC are about Intel drivers, and another
major changes are the continued plumbing of ALSA timer bugs revealed
by syzkaller fuzzer. Hopefully both settle down now.
Other than that, HD-audio received a couple of code fixes as well as
the usual quirks, and various small fixes are found for FireWire
devices, ASoC codecs and drivers"
* tag 'sound-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (50 commits)
ASoC: arizona: fref must be limited in pseudo-fractional mode
ASoC: sigmadsp: Fix missleading return value
ALSA: timer: Fix race at concurrent reads
ALSA: firewire-digi00x: Drop bogus const type qualifier on dot_scrt()
ALSA: hda - Fix bad dereference of jack object
ALSA: timer: Fix race between stop and interrupt
ALSA: timer: Fix wrong instance passed to slave callbacks
ASoC: Intel: Add module tags for common match module
ASoC: Intel: Load the atom DPCM driver only
ASoC: Intel: Create independent acpi match module
ASoC: Intel: Revert "ASoC: Intel: fix ACPI probe regression with Atom DPCM driver"
ALSA: dummy: Implement timer backend switching more safely
ALSA: hda - Fix speaker output from VAIO AiO machines
Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
ALSA: firewire-tascam: remove needless member for control and status message
ALSA: firewire-tascam: remove a flag for controller
ALSA: firewire-tascam: add support for FW-1804
ALSA: firewire-tascam: fix NULL pointer dereference when model identification fails
ALSA: hda - Fix static checker warning in patch_hdmi.c
ASoC: Intel: Skylake: Remove autosuspend delay
...
Linus Torvalds [Fri, 12 Feb 2016 17:39:34 +0000 (09:39 -0800)]
Merge tag 'fbdev-fixes-4.5' of git://git./linux/kernel/git/tomba/linux
Pull fbdev fixes from Tomi Valkeinen:
- fix omap2plus_defconfig to enable omapfb as it was in v4.4
- ocfb: fix timings for margins
- s6e8ax0, da8xx-fb: fix compile warnings
- mmp: fix build failure caused by bad printk parameters
- imxfb: fix clock issue which kept the display off
* tag 'fbdev-fixes-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
video: fbdev: imxfb: Provide a reset mechanism
fbdev: mmp: print IRQ resource using %pR format string
fbdev: da8xx-fb: remove incorrect type cast
fbdev: s6e8ax0: avoid unused function warnings
ocfb: fix tgdel and tvdel timing parameters
ARM: omap2plus_defconfig: update display configs
Linus Torvalds [Fri, 12 Feb 2016 17:32:37 +0000 (09:32 -0800)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"A set of seven fixes:
Two regressions in the new hisi_sas arm driver, a blacklist entry for
the marvell console which was causing a reset cascade without it, a
race fix in the WRITE_SAME/DISCARD routines, a retry fix for the rdac
driver, without which, it would prematurely return EIO and a couple of
fixes for the hyper-v storvsc driver"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
block/sd: Return -EREMOTEIO when WRITE SAME and DISCARD are disabled
SCSI: Add Marvell Console to VPD blacklist
scsi_dh_rdac: always retry MODE SELECT on command lock violation
storvsc: Use the specified target ID in device lookup
storvsc: Install the storvsc specific timeout handler for FC devices
hisi_sas: fix v1 hw check for slot error
hisi_sas: add dependency for HAS_IOMEM
Linus Torvalds [Fri, 12 Feb 2016 17:27:31 +0000 (09:27 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm amd fixes from Dave Airlie:
"Been pretty quiet.
This is an amdgpu fixes pull from AMD, a bunch of powerplay stability
fixes, race fix, hibernate fix, and a possible circular locking fix"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (21 commits)
drm/amdgpu: fix issue with overlapping userptrs
drm/radeon: hold reference to fences in radeon_sa_bo_new
drm/amdgpu: remove unnecessary forward declaration
drm/amdgpu: hold reference to fences in amdgpu_sa_bo_new (v2)
drm/amdgpu: fix s4 resume
drm/amdgpu/cz: plumb pg flags through to powerplay
drm/amdgpu/tonga: plumb pg flags through to powerplay
drma/dmgpu: move cg and pg flags into shared headers
drm/amdgpu: remove unused cg defines
drm/amdgpu: add a cgs interface to fetch cg and pg flags
drm/amd/powerplay/tonga: disable vce pg
drm/amd/powerplay/tonga: disable uvd pg
drm/amd/powerplay/cz: disable vce pg
drm/amd/powerplay/cz: disable uvd pg
drm/amdgpu: be consistent with uvd cg flags
drm/amdgpu: clean up vce pg flags for cz/st
drm/amdgpu: handle vce pg flags properly
drm/amdgpu: handle uvd pg flags properly
drm/amdgpu/dpm/ci: switch over to the common pcie caps interface
drm/amdgpu/cik: don't mess with aspm if gpu is root bus
...
Linus Torvalds [Fri, 12 Feb 2016 17:24:48 +0000 (09:24 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/linux-security
Pull crypto fix from James Morris.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
EVM: Use crypto_memneq() for digest comparisons
Linus Torvalds [Fri, 12 Feb 2016 17:21:28 +0000 (09:21 -0800)]
Merge branch 'for-linus-4.5' of git://git./linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
"This has a few fixes from Filipe, along with a readdir fix from Dave
that we've been testing for some time"
* 'for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
btrfs: properly set the termination value of ctx->pos in readdir
Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
Btrfs: remove no longer used function extent_read_full_page_nolock()
Btrfs: fix page reading in extent_same ioctl leading to csum errors
Btrfs: fix invalid page accesses in extent_same (dedup) ioctl
Linus Torvalds [Fri, 12 Feb 2016 17:17:03 +0000 (09:17 -0800)]
Merge tag 'xfs-fixes-for-linus-4.5' of git://git./linux/kernel/git/dgc/linux-xfs
Pull xfs fix from Dve Chinner:
"This contains a fix for an endian conversion issue in new CRC
validation in log recovery that was discovered on a ppc64 platform"
* tag 'xfs-fixes-for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs:
xfs: fix endianness error when checking log block crc on big endian platforms
Takashi Iwai [Fri, 12 Feb 2016 08:48:51 +0000 (09:48 +0100)]
Merge tag 'asoc-fix-v4.5-rc4' of git://git./linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.5
A rather large batch of fixes here, almost all in the Intel driver.
The changes that got merged in this merge window for Skylake were rather
large and as well as issues that you'd expect in a large block of new
code there were some problems created for older processors which needed
fixing up. Things are largely settling down now hopefully.
Ryan Ware [Thu, 11 Feb 2016 23:58:44 +0000 (15:58 -0800)]
EVM: Use crypto_memneq() for digest comparisons
This patch fixes vulnerability CVE-2016-2085. The problem exists
because the vm_verify_hmac() function includes a use of memcmp().
Unfortunately, this allows timing side channel attacks; specifically
a MAC forgery complexity drop from 2^128 to 2^12. This patch changes
the memcmp() to the cryptographically safe crypto_memneq().
Reported-by: Xiaofei Rex Guo <xiaofei.rex.guo@intel.com>
Signed-off-by: Ryan Ware <ware@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Vineet Gupta [Wed, 10 Feb 2016 01:22:07 +0000 (06:52 +0530)]
ARC: mm: Introduce explicit super page size support
MMUv4 supports 2 concurrent page sizes: Normal and Super [4K to 16M]
So far Linux supported a single super page size for a given Normal page,
depending on the software page walking address split.
e.g. we had 11:8:13 address split for 8K page, which meant super page
was 2 ^(8+13) = 2M (given that THP size has to be PMD_SHIFT)
Now we turn this around, by allowing multiple Super Pages in Kconfig
(currently 2M and 16M only) and forcing page walker address split to
PGDIR_SHIFT and PAGE_SHIFT
For configs without Super page, things are same as before and
PGDIR_SHIFT can be hacked to get non default address split
The motivation for this change is a customer who needs 16M super page
and a 8K Normal page combo.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Greg Kroah-Hartman [Fri, 12 Feb 2016 04:10:58 +0000 (20:10 -0800)]
Merge tag 'phy-for-4.5-rc' of git://git./linux/kernel/git/kishon/linux-phy into usb-linus
Kishon writes:
phy: for 4.5-rc
*) Fix error handling code in phy core [phy_power_on()]
*) phy-twl4030-usb fixes for unloading the module
*) Restrict phy-hi6220-usb to HiSilicon arm64
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Andrew Morton [Fri, 12 Feb 2016 00:13:20 +0000 (16:13 -0800)]
arch/x86/Kconfig: CONFIG_X86_UV should depend on CONFIG_EFI
arch/x86/built-in.o: In function `uv_bios_call':
(.text+0xeba00): undefined reference to `efi_call'
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Suggested-by: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
Acked-by: Alex Thorlton <athorlton@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dan Williams [Fri, 12 Feb 2016 00:13:17 +0000 (16:13 -0800)]
mm: fix pfn_t vs highmem
The pfn_t type uses an unsigned long to store a pfn + flags value. On a
64-bit platform the upper 12 bits of an unsigned long are never used for
storing the value of a pfn. However, this is not true on highmem
platforms, all 32-bits of a pfn value are used to address a 44-bit
physical address space. A pfn_t needs to store a 64-bit value.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=112211
Fixes:
01c8f1c44b83 ("mm, dax, gpu: convert vm_insert_mixed to pfn_t")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reported-by: Stuart Foster <smf.linux@ntlworld.com>
Reported-by: Julian Margetson <runaway@candw.ms>
Tested-by: Julian Margetson <runaway@candw.ms>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Fri, 12 Feb 2016 00:13:14 +0000 (16:13 -0800)]
kernel/locking/lockdep.c: convert hash tables to hlists
Mike said:
: CONFIG_UBSAN_ALIGNMENT breaks x86-64 kernel with lockdep enabled, i. e
: kernel with CONFIG_UBSAN_ALIGNMENT fails to load without even any error
: message.
:
: The problem is that ubsan callbacks use spinlocks and might be called
: before lockdep is initialized. Particularly this line in the
: reserve_ebda_region function causes problem:
:
: lowmem = *(unsigned short *)__va(BIOS_LOWMEM_KILOBYTES);
:
: If i put lockdep_init() before reserve_ebda_region call in
: x86_64_start_reservations kernel loads well.
Fix this ordering issue permanently: change lockdep so that it uses
hlists for the hash tables. Unlike a list_head, an hlist_head is in its
initialized state when it is all-zeroes, so lockdep is ready for
operation immediately upon boot - lockdep_init() need not have run.
The patch will also save some memory.
lockdep_init() and lockdep_initialized can be done away with now - a 4.6
patch has been prepared to do this.
Reported-by: Mike Krinkin <krinkin.m.u@gmail.com>
Suggested-by: Mike Krinkin <krinkin.m.u@gmail.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vineet Gupta [Fri, 12 Feb 2016 00:13:11 +0000 (16:13 -0800)]
mm,thp: fix spellos in describing __HAVE_ARCH_FLUSH_PMD_TLB_RANGE
[akpm@linux-foundation.org: s/threshhold/threshold/]
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vineet Gupta [Fri, 12 Feb 2016 00:13:09 +0000 (16:13 -0800)]
mm,thp: khugepaged: call pte flush at the time of collapse
This showed up on ARC when running LMBench bw_mem tests as Overlapping
TLB Machine Check Exception triggered due to STLB entry (2M pages)
overlapping some NTLB entry (regular 8K page).
bw_mem 2m touches a large chunk of vaddr creating NTLB entries. In the
interim khugepaged kicks in, collapsing the contiguous ptes into a
single pmd. pmdp_collapse_flush()->flush_pmd_tlb_range() is called to
flush out NTLB entries for the ptes. This for ARC (by design) can only
shootdown STLB entries (for pmd). The stray NTLB entries cause the
overlap with the subsequent STLB entry for collapsed page. So make
pmdp_collapse_flush() call pte flush interface not pmd flush.
Note that originally all thp flush call sites in generic code called
flush_tlb_range() leaving it to architecture to implement the flush for
pte and/or pmd. Commit
12ebc1581ad11454 changed this by calling a new
opt-in API flush_pmd_tlb_range() which made the semantics more explicit
but failed to distinguish the pte vs pmd flush in generic code, which is
what this patch fixes.
Note that ARC can fixed w/o touching the generic pmdp_collapse_flush()
by defining a ARC version, but that defeats the purpose of generic
version, plus sementically this is the right thing to do.
Fixes STAR
9000961194: LMBench on AXS103 triggering duplicate TLB
exceptions with super pages
Fixes:
12ebc1581ad11454 ("mm,thp: introduce flush_pmd_tlb_range")
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org> [4.4]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Rasmus Villemoes [Fri, 12 Feb 2016 00:13:06 +0000 (16:13 -0800)]
mm/backing-dev.c: fix error path in wb_init()
We need to use post-decrement to get percpu_counter_destroy() called on
&wb->stat[0]. Moreover, the pre-decremebt would cause infinite
out-of-bounds accesses if the setup code failed at i==0.
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kirill A. Shutemov [Fri, 12 Feb 2016 00:13:03 +0000 (16:13 -0800)]
mm, dax: check for pmd_none() after split_huge_pmd()
DAX implements split_huge_pmd() by clearing pmd. This simple approach
reduces memory overhead, as we don't need to deposit page table on huge
page mapping to make split_huge_pmd() never-fail. PTE table can be
allocated and populated later on page fault from backing store.
But one side effect is that have to check if pmd is pmd_none() after
split_huge_pmd(). In most places we do this already to deal with
parallel MADV_DONTNEED.
But I found two call sites which is not affected by MADV_DONTNEED (due
down_write(mmap_sem)), but need to have the check to work with DAX
properly.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jason A. Donenfeld [Fri, 12 Feb 2016 00:13:00 +0000 (16:13 -0800)]
vsprintf: kptr_restrict is okay in IRQ when 2
The kptr_restrict flag, when set to 1, only prints the kernel address
when the user has CAP_SYSLOG. When it is set to 2, the kernel address
is always printed as zero. When set to 1, this needs to check whether
or not we're in IRQ.
However, when set to 2, this check is unneccessary, and produces
confusing results in dmesg. Thus, only make sure we're not in IRQ when
mode 1 is used, but not mode 2.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Randy Dunlap [Fri, 12 Feb 2016 00:12:58 +0000 (16:12 -0800)]
mm: fix filemap.c kernel doc warning
Add missing kernel-doc notation for function parameter 'gfp_mask' to fix
kernel-doc warning.
mm/filemap.c:1898: warning: No description found for parameter 'gfp_mask'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Yang Shi [Fri, 12 Feb 2016 00:12:55 +0000 (16:12 -0800)]
ubsan: cosmetic fix to Kconfig text
When enabling UBSAN_SANITIZE_ALL, the kernel image size gets increased
significantly (~3x). So, it sounds better to have some note in Kconfig.
And, fixed a typo.
Signed-off-by: Yang Shi <yang.shi@linaro.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 11 Feb 2016 19:25:55 +0000 (11:25 -0800)]
Merge tag 'gpio-v4.5-2' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
- Probe errorpath fix for the Altera
- irqchip ofnode pointer added to the DaVinci driver
- controller instance number correction for DaVinci
* tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: davinci: Fix the number of controllers allocated
gpio: davinci: Add the missing of-node pointer
gpio: gpio-altera: Remove gpiochip on probe failure.
Linus Torvalds [Thu, 11 Feb 2016 19:17:19 +0000 (11:17 -0800)]
Merge tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
Pull x86 platform driver fixes from Darren Hart:
"Just two small fixes for the 4.5-rc cycle:
intel_scu_ipcutil:
- underflow in scu_reg_access()
intel-hid:
- fix incorrect entries in intel_hid_keymap"
* tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
intel_scu_ipcutil: underflow in scu_reg_access()
intel-hid: fix incorrect entries in intel_hid_keymap
Linus Torvalds [Thu, 11 Feb 2016 19:00:34 +0000 (11:00 -0800)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix BPF handling of branch offset adjustmnets on backjumps, from
Daniel Borkmann.
2) Make sure selinux knows about SOCK_DESTROY netlink messages, from
Lorenzo Colitti.
3) Fix openvswitch tunnel mtu regression, from David Wragg.
4) Fix ICMP handling of TCP sockets in syn_recv state, from Eric
Dumazet.
5) Fix SCTP user hmacid byte ordering bug, from Xin Long.
6) Fix recursive locking in ipv6 addrconf, from Subash Abhinov
Kasiviswanathan.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
bpf: fix branch offset adjustment on backjumps after patching ctx expansion
vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
geneve: Relax MTU constraints
vxlan: Relax MTU constraints
flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
of: of_mdio: Add marvell,
88e1145 to whitelist of PHY compatibilities.
selinux: nlmsgtab: add SOCK_DESTROY to the netlink mapping tables
sctp: translate network order to host order when users get a hmacid
enic: increment devcmd2 result ring in case of timeout
tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
net:Add sysctl_max_skb_frags
tcp: do not drop syn_recv on all icmp reports
ipv6: fix a lockdep splat
unix: correctly track in-flight fds in sending process user_struct
update be2net maintainers' email addresses
dwc_eth_qos: Reset hardware before PHY start
ipv6: addrconf: Fix recursive spin lock call
Eran Ben Elisha [Thu, 11 Feb 2016 08:24:42 +0000 (10:24 +0200)]
IB/core: Fix reading capability mask of the port info class
When checking specific attribute from a bit mask, need to use bitwise
AND and not logical AND, fixed that.
Fixes:
145d9c541032 ('IB/core: Display extended counter set if
available')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Matan Barak <matanb@mellanox.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Rasmus Villemoes [Tue, 9 Feb 2016 20:11:14 +0000 (21:11 +0100)]
net/mlx4: fix some error handling in mlx4_multi_func_init()
The while loop after err_slaves should use post-decrement; otherwise
we'll fail to do the kfrees for i==0, and will run into out-of-bounds
accesses if the setup above failed already at i==0.
[I'm not sure why one even bothers populating the ->vlan_filter array:
mlx4.h isn't #included by anything outside
drivers/net/ethernet/mellanox/mlx4/, and "git grep -C2 -w vlan_filter
drivers/net/ethernet/mellanox/mlx4/" seems to suggest that the
vlan_filter elements aren't used at all.]
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Ulf Hansson [Thu, 11 Feb 2016 15:42:58 +0000 (16:42 +0100)]
Revert "mmc: block: don't use parameter prefix if built as module"
This reverts commit
829b6962f7e3cfc06f7c5c26269fd47ad48cf503.
Revert this change as it causes a sysfs path to change and therefore
introduces and ABI regression. More precisely Android's vold is not being
able to access /sys/module/mmcblk/parameters/perdev_minors any more, since
the path becomes changed to: "/sys/module/mmc_block/..."
Fixes:
829b6962f7e3 ("mmc: block: don't use parameter prefix if built as
module")
Reported-by: John Stultz <john.stultz@linaro.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Javi Merino [Thu, 11 Feb 2016 12:00:51 +0000 (12:00 +0000)]
thermal: cpu_cooling: fix out of bounds access in time_in_idle
In __cpufreq_cooling_register() we allocate the arrays for time_in_idle
and time_in_idle_timestamp to be as big as the number of cpus in this
cpufreq device. However, in get_load() we access this array using the
cpu number as index, which can result in an out of bound access.
Index time_in_idle{,_timestamp} using the index in the cpufreq_device's
allowed_cpus mask, as we do for the load_cpu array in
cpufreq_get_requested_power()
Reported-by: Nicolas Boichat <drinkcat@chromium.org>
Cc: Amit Daniel Kachhap <amit.kachhap@gmail.com>
Cc: Zhang Rui <rui.zhang@intel.com>
Cc: Eduardo Valentin <edubezval@gmail.com>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Javi Merino <javi.merino@arm.com>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
David Sterba [Fri, 13 Nov 2015 12:44:28 +0000 (13:44 +0100)]
btrfs: properly set the termination value of ctx->pos in readdir
The value of ctx->pos in the last readdir call is supposed to be set to
INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
larger value, then it's LLONG_MAX.
There's a report from PaX SIZE_OVERFLOW plugin that "ctx->pos++"
overflows (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284), on a
64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
the increment.
We can get to that situation like that:
* emit all regular readdir entries
* still in the same call to readdir, bump the last pos to INT_MAX
* next call to readdir will not emit any entries, but will reach the
bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX
Normally this is not a problem, but if we call readdir again, we'll find
'pos' set to LLONG_MAX and the unconditional increment will overflow.
The report from Victor at
(http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
print shows that pattern:
Overflow: e
Overflow:
7fffffff
Overflow:
7fffffffffffffff
PAX: size overflow detected in function btrfs_real_readdir
fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
context: dir_context;
CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
Call Trace:
[<
ffffffff81742f0f>] dump_stack+0x4c/0x7f
[<
ffffffff811cb706>] report_size_overflow+0x36/0x40
[<
ffffffff812ef0bc>] btrfs_real_readdir+0x69c/0x6d0
[<
ffffffff811dafc8>] iterate_dir+0xa8/0x150
[<
ffffffff811e6d8d>] ? __fget_light+0x2d/0x70
[<
ffffffff811dba3a>] SyS_getdents+0xba/0x1c0
Overflow: 1a
[<
ffffffff811db070>] ? iterate_dir+0x150/0x150
[<
ffffffff81749b69>] entry_SYSCALL_64_fastpath+0x12/0x83
The jump from
7fffffff to
7fffffffffffffff happens when new dir entries
are not yet synced and are processed from the delayed list. Then the code
could go to the bump section again even though it might not emit any new
dir entries from the delayed list.
The fix avoids entering the "bump" section again once we've finished
emitting the entries, both for synced and delayed entries.
References: https://forums.grsecurity.net/viewtopic.php?f=1&t=4284
Reported-by: Victor <services@swwu.com>
CC: stable@vger.kernel.org
Signed-off-by: David Sterba <dsterba@suse.com>
Tested-by: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
Signed-off-by: Chris Mason <clm@fb.com>
Linus Walleij [Wed, 10 Feb 2016 08:25:17 +0000 (09:25 +0100)]
ARM: 8519/1: ICST: try other dividends than 1
Since the dawn of time the ICST code has only supported divide
by one or hang in an eternal loop. Luckily we were always dividing
by one because the reference frequency for the systems using
the ICSTs is 24MHz and the [min,max] values for the PLL input
if [10,320] MHz for ICST307 and [6,200] for ICST525, so the loop
will always terminate immediately without assigning any divisor
for the reference frequency.
But for the code to make sense, let's insert the missing i++
Reported-by: David Binderman <dcb314@hotmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>