* [PATCH 4.8 038/138] powerpc/mm/radix: Use tlbiel only if we ever ran on the current cpu
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Aneesh Kumar K.V, Michael Ellerman
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
commit bd77c4498616e27d5725b5959d880ce2272fefa9 upstream.
Before this patch, we used tlbiel, if we ever ran only on this core.
That was mostly derived from the nohash usage of the same. But it is
incorrect; the ISA 3.0 clarifies tlbiel such that:
"All TLB entries that have all of the following properties are made
invalid on the thread executing the tlbiel instruction"
ie. tlbiel only invalidates TLB entries on the current thread. So if the
mm has been used on any other thread (aka. cpu) then we must broadcast
the invalidate.
This bug could lead to invalid TLB entries if a program runs on multiple
threads of a core.
Hence use tlbiel, if we only ever ran on only the current cpu.
Fixes: 1a472c9dba6b ("powerpc/mm/radix: Add tlbflush routines")
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/tlb.h | 12 ++++++++++++
arch/powerpc/mm/tlb-radix.c | 8 ++++----
2 files changed, 16 insertions(+), 4 deletions(-)
--- a/arch/powerpc/include/asm/tlb.h
+++ b/arch/powerpc/include/asm/tlb.h
@@ -52,11 +52,23 @@ static inline int mm_is_core_local(struc
return cpumask_subset(mm_cpumask(mm),
topology_sibling_cpumask(smp_processor_id()));
}
+
+static inline int mm_is_thread_local(struct mm_struct *mm)
+{
+ return cpumask_equal(mm_cpumask(mm),
+ cpumask_of(smp_processor_id()));
+}
+
#else
static inline int mm_is_core_local(struct mm_struct *mm)
{
return 1;
}
+
+static inline int mm_is_thread_local(struct mm_struct *mm)
+{
+ return 1;
+}
#endif
#endif /* __KERNEL__ */
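Review bot: the first (pre-#else) definition of mm_is_thread_local() calls smp_processor_id(), so its answer is only stable while the caller has preemption disabled, and nothing in the header says so. A short comment above the helper stating that requirement, and that it exists because tlbiel only invalidates entries on the executing thread while mm_is_core_local() tests the whole sibling mask, would keep the two predicates from being confused again.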
--- a/arch/powerpc/mm/tlb-radix.c
+++ b/arch/powerpc/mm/tlb-radix.c
@@ -175,7 +175,7 @@ void radix__flush_tlb_mm(struct mm_struc
if (unlikely(pid == MMU_NO_CONTEXT))
goto no_context;
- if (!mm_is_core_local(mm)) {
+ if (!mm_is_thread_local(mm)) {
int lock_tlbie = !mmu_has_feature(MMU_FTR_LOCKLESS_TLBIE);
if (lock_tlbie)
@@ -201,7 +201,7 @@ void radix__flush_tlb_pwc(struct mmu_gat
if (unlikely(pid == MMU_NO_CONTEXT))
goto no_context;
- if (!mm_is_core_local(mm)) {
+ if (!mm_is_thread_local(mm)) {
int lock_tlbie = !mmu_has_feature(MMU_FTR_LOCKLESS_TLBIE);
if (lock_tlbie)
@@ -226,7 +226,7 @@ void radix__flush_tlb_page_psize(struct
pid = mm ? mm->context.id : 0;
if (unlikely(pid == MMU_NO_CONTEXT))
goto bail;
- if (!mm_is_core_local(mm)) {
+ if (!mm_is_thread_local(mm)) {
int lock_tlbie = !mmu_has_feature(MMU_FTR_LOCKLESS_TLBIE);
if (lock_tlbie)
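Review bot: `pid = mm ? mm->context.id : 0;` treats mm as possibly NULL, yet the changed line passes mm straight to mm_is_thread_local(), which evaluates mm_cpumask(mm). Either drop the NULL handling if mm can never be NULL here, or guard the locality test, for example `if (!mm || !mm_is_thread_local(mm))`; the replaced mm_is_core_local() call had the same exposure, so this is a good moment to settle it.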
@@ -321,7 +321,7 @@ void radix__flush_tlb_range_psize(struct
{
unsigned long pid;
unsigned long addr;
- int local = mm_is_core_local(mm);
+ int local = mm_is_thread_local(mm);
unsigned long ap = mmu_get_ap(psize);
int lock_tlbie = !mmu_has_feature(MMU_FTR_LOCKLESS_TLBIE);
unsigned long page_size = 1UL << mmu_psize_defs[psize].shift;
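Review bot: `int local = mm_is_thread_local(mm);` is evaluated in the declaration block, ahead of anything in the function body, so it reads smp_processor_id() before the function can have disabled preemption itself. With an exact single-cpu comparison, a migration after this line makes `local` describe the wrong thread; suggest declaring `local` without an initialiser and assigning it once preemption is disabled, or documenting that callers must already have it disabled.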
^ permalink raw reply
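The stale-entry scenario from the tlbiel commit message above, as an added C model that is not part of the original thread or of the kernel. Per-thread TLBs are plain arrays, `model_core_local()` and `model_thread_local()` are hypothetical stand-ins for the two predicates, and the 8-thread, 4-per-core topology is an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed toy topology: 8 hardware threads ("cpus"), 4 per core. */
#define NR_CPUS          8
#define THREADS_PER_CORE 4
#define TLB_SLOTS        4
#define NO_PID           0u
#define TEST_PID         42u   /* constructed sample context id */

/* One software "TLB" per hardware thread; each slot caches a PID. */
static uint32_t tlb[NR_CPUS][TLB_SLOTS];

/* Bitmask of all threads that share a core with 'cpu'. */
static uint32_t sibling_mask(int cpu)
{
    int first = cpu - (cpu % THREADS_PER_CORE);
    return ((1u << THREADS_PER_CORE) - 1u) << first;
}

/* Pre-patch test: every cpu the mm ran on is a thread of this core. */
static bool model_core_local(uint32_t mm_cpumask, int cpu)
{
    return (mm_cpumask & ~sibling_mask(cpu)) == 0;
}

/* Post-patch test: the mm ran on exactly this one thread. */
static bool model_thread_local(uint32_t mm_cpumask, int cpu)
{
    return mm_cpumask == (1u << cpu);
}

/* Models tlbiel: only the executing thread's entries are dropped. */
static void invalidate_local(int cpu, uint32_t pid)
{
    for (int s = 0; s < TLB_SLOTS; s++)
        if (tlb[cpu][s] == pid)
            tlb[cpu][s] = NO_PID;
}

/* Models the broadcast invalidate: every thread drops its entries. */
static void invalidate_broadcast(uint32_t pid)
{
    for (int c = 0; c < NR_CPUS; c++)
        invalidate_local(c, pid);
}

typedef bool (*local_pred)(uint32_t mm_cpumask, int cpu);

/*
 * Let the mm run (and cache a translation) on every cpu in run_mask,
 * flush from flushing_cpu using the given predicate, and return how
 * many TLB slots anywhere still hold the PID afterwards.
 */
static int stale_after_flush(uint32_t run_mask, int flushing_cpu,
                             local_pred is_local)
{
    int stale = 0;

    memset(tlb, 0, sizeof(tlb));
    for (int c = 0; c < NR_CPUS; c++)
        if (run_mask & (1u << c))
            tlb[c][0] = TEST_PID;

    if (is_local(run_mask, flushing_cpu))
        invalidate_local(flushing_cpu, TEST_PID);
    else
        invalidate_broadcast(TEST_PID);

    for (int c = 0; c < NR_CPUS; c++)
        for (int s = 0; s < TLB_SLOTS; s++)
            if (tlb[c][s] == TEST_PID)
                stale++;
    return stale;
}

int stale_with_core_local(uint32_t run_mask, int cpu)
{
    return stale_after_flush(run_mask, cpu, model_core_local);
}

int stale_with_thread_local(uint32_t run_mask, int cpu)
{
    return stale_after_flush(run_mask, cpu, model_thread_local);
}

int main(void)
{
    /* mm ran on cpu 0 and cpu 1: two threads of the same core. */
    uint32_t same_core = (1u << 0) | (1u << 1);

    printf("core-local predicate:   %d stale slot(s)\n",
           stale_with_core_local(same_core, 0));
    printf("thread-local predicate: %d stale slot(s)\n",
           stale_with_thread_local(same_core, 0));
    return 0;
}
```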
* [PATCH 4.8 037/138] powerpc: Convert cmp to cmpd in idle enter sequence
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Vaidyanathan Srinivasan,
Segher Boessenkool, Michael Ellerman
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Segher Boessenkool <segher@kernel.crashing.org>
commit 80f23935cadb1c654e81951f5a8b7ceae0acc1b4 upstream.
PowerPC's "cmp" instruction has four operands. Normally people write
"cmpw" or "cmpd" for the second cmp operand 0 or 1. But, frequently
people forget, and write "cmp" with just three operands.
With older binutils this is silently accepted as if this was "cmpw",
while often "cmpd" is wanted. With newer binutils GAS will complain
about this for 64-bit code. For 32-bit code it still silently assumes
"cmpw" is what is meant.
In this instance the code comes directly from ISA v2.07, including the
cmp, but cmpd is correct. Backport to stable so that new toolchains can
build old kernels.
Fixes: 948cf67c4726 ("powerpc: Add NAP mode support on Power7 in HV mode")
Reviewed-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Signed-off-by: Segher Boessenkool <segher@kernel.crashing.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/include/asm/cpuidle.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/include/asm/cpuidle.h
+++ b/arch/powerpc/include/asm/cpuidle.h
@@ -26,7 +26,7 @@ extern u64 pnv_first_deep_stop_state;
std r0,0(r1); \
ptesync; \
ld r0,0(r1); \
-1: cmp cr0,r0,r0; \
+1: cmpd cr0,r0,r0; \
bne 1b; \
IDLE_INST; \
b .
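Review bot: `cmpd cr0,r0,r0` on the `1:` line compares r0 with itself, so the `bne 1b` after it can never branch on the result, and the macro carries no comment explaining why the pair is there. Since the commit message says the sequence comes from ISA v2.07, a one-line comment that the compare and branch exist as a dependency on the preceding `ld` would stop someone from deleting them as dead code.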
^ permalink raw reply
* [PATCH v5 0/3] cpuid: Support AVX512_4VNNIW and AVX512_4FMAPS for KVM guest
From: He Chen @ 2016-11-09 11:05 UTC (permalink / raw)
To: kvm
Cc: linux-kernel, x86, Paolo Bonzini, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H . Peter Anvin, Luwei Kang,
Piotr Luc, Borislav Petkov
This patch series is going to add two new AVX512 features to KVM guest.
Since these two features are defined as scattered features in kernel,
some extra modification in kernel is included.
---
Changes in v5:
* divide the whole patchset into 3 parts.
* refine commit messages.
Changes in v4:
* divide patch into 2 parts, including modification in scattered.c and
support new AVX512 instructions for KVM.
* coding style.
* refine commit message.
Changes in v3:
* add a helper in scattered.c to get scattered leaf.
Changes in v2:
* add new macros for new AVX512 scattered features.
* add a cpuid_count_edx function to processor.h
He Chen (3):
cpuid: cleanup cpuid_regs definitions
cpuid: Add a helper in scattered.c to return cpuid
cpuid: add AVX512_4VNNIW and AVX512_4FMAPS instructions support
arch/x86/events/intel/pt.c | 45 ++++++++++++++-----------------
arch/x86/include/asm/processor.h | 14 ++++++++++
arch/x86/kernel/cpu/scattered.c | 57 ++++++++++++++++++++++++++--------------
arch/x86/kernel/cpuid.c | 4 ---
arch/x86/kvm/cpuid.c | 14 +++++++++-
5 files changed, 84 insertions(+), 50 deletions(-)
--
2.7.4
^ permalink raw reply
* [PATCH 4.8 035/138] cxl: Fix leaking pid refs in some error paths
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andrew Donnellan, Frederic Barrat,
Vaibhav Jain, Michael Ellerman
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
commit a05b82d5149dfeef05254a11c3636a89a854520a upstream.
In some error paths in functions cxl_start_context and
afu_ioctl_start_work pid references to the current & group-leader tasks
can leak after they are taken. This patch fixes these error paths to
release these pid references before exiting the error path.
Fixes: 7b8ad495d592 ("cxl: Fix DSI misses when the context owning task exits")
Reviewed-by: Andrew Donnellan <andrew.donnellan@au1.ibm.com>
Reported-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Signed-off-by: Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
Acked-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/misc/cxl/api.c | 2 ++
drivers/misc/cxl/file.c | 22 +++++++++++++---------
2 files changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/misc/cxl/api.c
+++ b/drivers/misc/cxl/api.c
@@ -247,7 +247,9 @@ int cxl_start_context(struct cxl_context
cxl_ctx_get();
if ((rc = cxl_ops->attach_process(ctx, kernel, wed, 0))) {
+ put_pid(ctx->glpid);
put_pid(ctx->pid);
+ ctx->glpid = ctx->pid = NULL;
cxl_adapter_context_put(ctx->afu->adapter);
cxl_ctx_put();
goto out;
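Review bot: the release sequence added to this attach_process() failure branch (`put_pid(ctx->glpid); put_pid(ctx->pid); ctx->glpid = ctx->pid = NULL;`) is open-coded here and again in afu_ioctl_start_work(). A small helper that drops both references and clears both pointers would keep the two error paths in step.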
--- a/drivers/misc/cxl/file.c
+++ b/drivers/misc/cxl/file.c
@@ -194,6 +194,16 @@ static long afu_ioctl_start_work(struct
ctx->mmio_err_ff = !!(work.flags & CXL_START_WORK_ERR_FF);
/*
+ * Increment the mapped context count for adapter. This also checks
+ * if adapter_context_lock is taken.
+ */
+ rc = cxl_adapter_context_get(ctx->afu->adapter);
+ if (rc) {
+ afu_release_irqs(ctx, ctx);
+ goto out;
+ }
+
+ /*
* We grab the PID here and not in the file open to allow for the case
* where a process (master, some daemon, etc) has opened the chardev on
* behalf of another process, so the AFU's mm gets bound to the process
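Review bot: the `if (rc)` branch of the moved cxl_adapter_context_get() block releases only the IRQs before `goto out`, which is correct solely because the block now sits above the get_task_pid() calls. The comment on the block should say that this ordering is deliberate (there is nothing pid-related to undo yet), so a later reshuffle does not reintroduce the leak.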
@@ -205,15 +215,6 @@ static long afu_ioctl_start_work(struct
ctx->pid = get_task_pid(current, PIDTYPE_PID);
ctx->glpid = get_task_pid(current->group_leader, PIDTYPE_PID);
- /*
- * Increment the mapped context count for adapter. This also checks
- * if adapter_context_lock is taken.
- */
- rc = cxl_adapter_context_get(ctx->afu->adapter);
- if (rc) {
- afu_release_irqs(ctx, ctx);
- goto out;
- }
trace_cxl_attach(ctx, work.work_element_descriptor, work.num_interrupts, amr);
@@ -221,6 +222,9 @@ static long afu_ioctl_start_work(struct
amr))) {
afu_release_irqs(ctx, ctx);
cxl_adapter_context_put(ctx->afu->adapter);
+ put_pid(ctx->glpid);
+ put_pid(ctx->pid);
+ ctx->glpid = ctx->pid = NULL;
goto out;
}
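Review bot: in this failure branch the pid references are dropped after cxl_adapter_context_put(), whereas acquisition after this patch takes the adapter context first and the pids second. Putting the two put_pid() calls ahead of cxl_adapter_context_put() would mirror the acquisition order and make the unwind easier to check by eye.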
^ permalink raw reply
* [PATCH 4.8 000/138] 4.8.7-stable review
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah.kh, patches,
ben.hutchings, stable
This is the start of the stable review cycle for the 4.8.7 release.
There are 138 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri Nov 11 10:28:05 UTC 2016.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.8.7-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.8.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 4.8.7-rc1
Oliver Neukum <oneukum@suse.com>
HID: usbhid: add ATEN CS962 to list of quirky devices
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
cpufreq: intel_pstate: Set P-state upfront in performance mode
Boris Brezillon <boris.brezillon@free-electrons.com>
ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap()
Goldwyn Rodrigues <rgoldwyn@suse.com>
btrfs: qgroup: Prevent qgroup->reserved from going subzero
Owen Hofmann <osh@google.com>
kvm: x86: Check memopp before dereference (CVE-2016-8630)
Russell King <rmk+kernel@armlinux.org.uk>
ARM: fix oops when using older ARMv4T CPUs
Jiri Slaby <jslaby@suse.cz>
tty: vt, fix bogus division in csi_J
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
v4l: vsp1: Prevent pipelines from running when not streaming
Tony Lindgren <tony@atomide.com>
usb: musb: Fix hardirq-safe hardirq-unsafe lock order error
Stefan Wahren <stefan.wahren@i2se.com>
usb: chipidea: host: fix NULL ptr dereference during shutdown
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
usb: dwc3: Fix size used in dma_free_coherent()
David Hsu <davidhsu@google.com>
pwm: Unexport children before chip removal
Wei Yongjun <weiyongjun1@huawei.com>
omapfb: fix return value check in dsi_bind()
Dan Carpenter <dan.carpenter@oracle.com>
video: fbdev: pxafb: potential NULL dereference on error
Emilio López <emilio.lopez@collabora.co.uk>
uapi: add missing install of sync_file.h
Boris Brezillon <boris.brezillon@free-electrons.com>
UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
Liping Zhang <liping.zhang@spreadtrum.com>
netfilter: xt_NFLOG: fix unexpected truncated packet
Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
i2c: mark device nodes only in case of successful instantiation
Daniel Stone <daniels@collabora.com>
drm: i915: Wait for fences on new fb, not old
Paulo Zanoni <paulo.r.zanoni@intel.com>
drm/i915/fbc: fix CFB size calculation for gen8+
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Clean up DDI DDC/AUX CH sanitation
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Respect alternate_aux_channel for all DDI ports
Felix Monninger <felix.monninger@gmail.com>
drm: Release reference from blob lookup after replacing property
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/dp/mst: Check peer device type before attempting EDID read
Paulo Zanoni <paulo.r.zanoni@intel.com>
drm/i915/gen9: fix watermarks when using the pipe scaler
Paulo Zanoni <paulo.r.zanoni@intel.com>
drm/i915/gen9: fix DDB partitioning for multi-screen cases
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/fb-helper: Keep references for the current set of used connectors
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/fb-helper: Fix connector ref leak on error
Takashi Iwai <tiwai@suse.de>
drm/fb-helper: Don't call dirty callback for untouched clips
Peter Wu <peter@lekensteyn.nl>
drm/nouveau/acpi: fix check for power resources support
Lucas Stach <dev@lynxeye.de>
drm/radeon: drop register readback in cayman_cp_int_cntl_setup
Alex Deucher <alexander.deucher@amd.com>
drm/radeon/si_dpm: workaround for SI kickers
Tom St Denis <tom.stdenis@amd.com>
drm/radeon/si_dpm: Limit clocks on HD86xx part
Liu Ying <gnuiyl@gmail.com>
drm/imx: ipuv3-plane: Access old u/vbo properly in ->atomic_check for YU12/YV12
Liu Ying <gnuiyl@gmail.com>
drm/imx: ipuv3-plane: Switch EBA buffer only when we don't need modeset
Michel Dänzer <michel.daenzer@amd.com>
Revert "drm/radeon: fix DP link training issue with second 4K monitor"
NeilBrown <neilb@suse.com>
md: be careful not lot leak internal curr_resync value into metadata. -- (all)
Shaohua Li <shli@fb.com>
RAID10: ignore discard error
Shaohua Li <shli@fb.com>
RAID1: ignore discard error
Jaehoon Chung <jh80.chung@samsung.com>
mmc: dw_mmc-pltfm: fix the potential NULL pointer dereference
Ching Huang <ching2048@areca.com.tw>
scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
Ewan D. Milne <emilne@redhat.com>
scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
Marty Faltesek <mfaltesek@google.com>
ath10k: cache calibration data when the core is stopped
Felix Fietkau <nbd@nbd.name>
Revert "ath9k_hw: implement temperature compensation support for AR9003+"
Johannes Berg <johannes.berg@intel.com>
mac80211: discard multicast and 4-addr A-MSDUs
Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: net: fix fragmented datagram_size off-by-one
Stefan Richter <stefanr@s5r6.in-berlin.de>
firewire: net: guard against rx buffer overflows
Patrick Scheuring <patrick.scheuring.dev@gmail.com>
Input: i8042 - add XMG C504 to keyboard reset table
Jes Sorensen <Jes.Sorensen@redhat.com>
rtl8xxxu: Fix rtl8723bu driver reload issue
Jes Sorensen <Jes.Sorensen@redhat.com>
rtl8xxxu: Fix big-endian problem reporting mactime
Jes Sorensen <Jes.Sorensen@redhat.com>
rtl8xxxu: Fix memory leak in handling rxdesc16 packets
Heinz Mauelshagen <heinzm@redhat.com>
dm raid: fix activation of existing raid4/10 devices
Andy Whitcroft <apw@canonical.com>
dm raid: fix compat_features validation
Mike Snitzer <snitzer@redhat.com>
dm rq: clear kworker_task if kthread_run() returned an error
tang.junhui <tang.junhui@zte.com.cn>
dm table: fix missing dm_put_target_type() in dm_table_add_target()
Heinz Mauelshagen <heinzm@redhat.com>
dm mirror: fix read error on recovery after default leg failure
Matt Redfearn <matt.redfearn@imgtec.com>
virtio: console: Unlock vqs while freeing buffers
Will Deacon <will.deacon@arm.com>
virtio_pci: Limit DMA mask to 44 bits for legacy virtio devices
Ladi Prosek <lprosek@redhat.com>
virtio_ring: Make interrupt suppression spec compliant
John David Anglin <dave.anglin@bell.net>
parisc: Ensure consistent state when switching to kernel stack at syscall entry
Miklos Szeredi <mszeredi@redhat.com>
ovl: fsync after copy-up
Miklos Szeredi <mszeredi@redhat.com>
ovl: update S_ISGID when setting posix ACLs
Miklos Szeredi <mszeredi@redhat.com>
ovl: fix get_acl() on tmpfs
Matt Redfearn <matt.redfearn@imgtec.com>
MIPS: KASLR: Fix handling of NULL FDT
Chuck Lever <chuck.lever@oracle.com>
nfsd: Fix general protection fault in release_lock_stateid()
Linus Walleij <linus.walleij@linaro.org>
ARM: dts: fix the SD card on the Snowball
Gregory CLEMENT <gregory.clement@free-electrons.com>
ARM: mvebu: Select corediv clk for all mvebu v7 SoC
James Hogan <james.hogan@imgtec.com>
KVM: MIPS: Precalculate MMIO load resume PC
James Hogan <james.hogan@imgtec.com>
KVM: MIPS: Make ERET handle ERL before EXL
Janosch Frank <frankja@linux.vnet.ibm.com>
KVM: s390: Fix STHYI buffer alignment for diag224
Ido Yariv <ido@wizery.com>
KVM: x86: fix wbinvd_dirty_mask use-after-free
Tahsin Erdogan <tahsin@google.com>
dm: free io_barrier after blk_cleanup_queue call
Aditya Shankar <Aditya.Shankar@microchip.com>
Staging: wilc1000: Fix kernel Oops on opening the device
Sandhya Bankar <bankarsandhya512@gmail.com>
iio:chemical:atlas-ph-sensor: Fix use of 32 bit int to hold 16 bit big endian value
Marcin Wojtas <mw@semihalf.com>
arm64: dts: marvell: fix clocksource for CP110 master SPI0
Dmitry Vyukov <dvyukov@google.com>
tty: limit terminal size to 4M chars
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: workaround for hosts missing CAS bit
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: add restart quirk for Intel Wildcatpoint PCH
Long Li <longli@microsoft.com>
hv: do not lose pending heartbeat vmbus packets
Scot Doyle <lkml14@scotdoyle.com>
vt: clear selection before resizing
Thomas Gleixner <tglx@linutronix.de>
x86/smpboot: Init apic mapping before usage
Gerald Schaefer <gerald.schaefer@de.ibm.com>
GenWQE: Fix bad page access during abort of resource allocation
Bryan Paluch <bryanpaluch@gmail.com>
usb: increase ohci watchdog delay to 275 msec
Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
usb: renesas_usbhs: add wait after initialization for R-Car Gen3
Mathias Nyman <mathias.nyman@linux.intel.com>
xhci: use default USB_RESUME_TIMEOUT when resuming ports.
Stefan Tauner <stefan.tauner@technikum-wien.at>
USB: serial: ftdi_sio: add support for Infineon TriBoard TC2X7
Johan Hovold <johan@kernel.org>
USB: serial: cp210x: fix tiocmget error handling
Johan Hovold <johan@kernel.org>
USB: serial: fix potential NULL-dereference at probe
Felipe Balbi <felipe.balbi@linux.intel.com>
usb: gadget: function: u_ether: don't starve tx request queue
Alexandre Belloni <alexandre.belloni@free-electrons.com>
usb: gadget: udc: atmel: fix endpoint name
Alexander Usyskin <alexander.usyskin@intel.com>
mei: txe: don't clean an unprocessed interrupt cause.
Richard Weinberger <richard@nod.at>
ubifs: Fix regression in ubifs_readdir()
Richard Weinberger <richard@nod.at>
ubifs: Abort readdir upon error
Thomas Gleixner <tglx@linutronix.de>
timers: Lock base for same bucket optimization
Thomas Gleixner <tglx@linutronix.de>
timers: Plug locking race vs. timer migration
Thomas Gleixner <tglx@linutronix.de>
timers: Prevent base clock corruption when forwarding
Thomas Gleixner <tglx@linutronix.de>
timers: Prevent base clock rewind when forwarding clock
Borislav Petkov <bp@suse.de>
x86/microcode/AMD: Fix more fallout from CONFIG_RANDOMIZE_MEMORY=y
Paul Mackerras <paulus@ozlabs.org>
powerpc/64: Fix race condition in setting lock bit in idle/wakeup code
Paul Mackerras <paulus@ozlabs.org>
powerpc/64: Re-fix race condition between going idle and entering guest
Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
powerpc/mm/radix: Use tlbiel only if we ever ran on the current cpu
Segher Boessenkool <segher@kernel.crashing.org>
powerpc: Convert cmp to cmpd in idle enter sequence
Chris Mason <clm@fb.com>
btrfs: fix races on root_log_ctx lists
Vaibhav Jain <vaibhav@linux.vnet.ibm.com>
cxl: Fix leaking pid refs in some error paths
Arve Hjønnevåg <arve@android.com>
ANDROID: binder: Clear binder and cookie when setting handle in flat binder struct
Arve Hjønnevåg <arve@android.com>
ANDROID: binder: Add strong ref checks
Hui Wang <hui.wang@canonical.com>
ALSA: hda - Fix headset mic detection problem for two Dell laptops
Takashi Iwai <tiwai@suse.de>
ALSA: hda - Fix surround output pins for ASRock B150M mobo
Hui Wang <hui.wang@canonical.com>
ALSA: hda - Adding a new group of pin cfg into ALC295 pin quirk table
Ard Biesheuvel <ard.biesheuvel@linaro.org>
ALSA: hda - allow 40 bit DMA mask for NVidia devices
Takashi Iwai <tiwai@suse.de>
ALSA: seq: Fix time account regression
Marcel Hasler <mahasler@gmail.com>
ALSA: usb-audio: Add quirk for Syntek STK1160
Dan Williams <dan.j.williams@intel.com>
device-dax: fix percpu_ref_exit ordering
Artem Savkov <asavkov@redhat.com>
security/keys: make BIG_KEYS dependent on stdrng.
David Howells <dhowells@redhat.com>
KEYS: Sort out big_key initialisation
David Howells <dhowells@redhat.com>
KEYS: Fix short sprintf buffer in /proc/keys show function
Eric Ernst <eric.ernst@linux.intel.com>
thermal/powerclamp: correct cpu support check
Johannes Weiner <hannes@cmpxchg.org>
mm: memcontrol: do not recurse in direct reclaim
Joonsoo Kim <iamjoonsoo.kim@lge.com>
mm/slab: fix kmemcg cache creation delayed issue
Alexander Polakov <apolyakov@beget.ru>
mm/list_lru.c: avoid error-path NULL pointer deref
Darrick J. Wong <darrick.wong@oracle.com>
libxfs: clean up _calc_dquots_per_chunk
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_LINE{HANDLE,EVENT}_IOCTL: Fix file descriptor leak
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix another information leak
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_LINEEVENT_IOCTL: Reject invalid line and event flags
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_LINEHANDLE_IOCTL: Reject invalid line flags
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_LINEEVENT_IOCTL: Validate line offset
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix information leak
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_LINEHANDLE_IOCTL: Validate line offset
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_CHIPINFO_IOCTL: Fix information leak
Lars-Peter Clausen <lars@metafoo.de>
gpio: GPIO_GET_CHIPINFO_IOCTL: Fix line offset validation
David Arcari <darcari@redhat.com>
gpio / ACPI: fix returned error from acpi_dev_gpio_irq_get()
Mark Rutland <mark.rutland@arm.com>
h8300: fix syscall restarting
Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
spi: mark device nodes only in case of successful instantiation
Arnd Bergmann <arnd@arndb.de>
spi: fsl-espi: avoid processing uninitalized data on error
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/dp/mst: Clear port->pdt when tearing down the i2c adapter
Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
i2c: core: fix NULL pointer dereference under race condition
Hoan Tran <hotran@apm.com>
i2c: xgene: Avoid dma_buffer overrun
David Wu <david.wu@rock-chips.com>
i2c: rk3x: Give the tuning value 0 during rk3x_i2c_v0_calc_timings
-------------
Diffstat:
Documentation/device-mapper/dm-raid.txt | 1 +
Makefile | 4 +-
arch/arm/boot/dts/ste-snowball.dts | 15 ++-
arch/arm/mach-mvebu/Kconfig | 4 +-
arch/arm/mm/abort-lv4t.S | 34 ++++--
.../boot/dts/marvell/armada-cp110-master.dtsi | 2 +-
arch/h8300/include/asm/thread_info.h | 4 -
arch/h8300/kernel/signal.c | 2 +-
arch/mips/include/asm/kvm_host.h | 7 +-
arch/mips/kernel/relocate.c | 2 +-
arch/mips/kvm/emulate.c | 32 +++---
arch/parisc/kernel/syscall.S | 11 +-
arch/powerpc/include/asm/cpuidle.h | 2 +-
arch/powerpc/include/asm/tlb.h | 12 ++
arch/powerpc/kernel/idle_book3s.S | 35 +++++-
arch/powerpc/mm/tlb-radix.c | 8 +-
arch/s390/kvm/sthyi.c | 4 +-
arch/x86/kernel/cpu/microcode/amd.c | 2 +-
arch/x86/kernel/setup.c | 7 +-
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/x86.c | 4 +-
drivers/android/binder.c | 35 ++++--
drivers/char/virtio_console.c | 22 +++-
drivers/cpufreq/intel_pstate.c | 29 ++++-
drivers/dax/pmem.c | 2 +-
drivers/firewire/net.c | 59 ++++++----
drivers/gpio/gpiolib-acpi.c | 7 +-
drivers/gpio/gpiolib.c | 99 ++++++++++++++---
drivers/gpu/drm/drm_atomic.c | 9 +-
drivers/gpu/drm/drm_dp_mst_topology.c | 6 +-
drivers/gpu/drm/drm_fb_helper.c | 68 +++++++-----
drivers/gpu/drm/i915/intel_bios.c | 122 +++++++++++++--------
drivers/gpu/drm/i915/intel_display.c | 2 +-
drivers/gpu/drm/i915/intel_dp.c | 71 ++++++------
drivers/gpu/drm/i915/intel_fbc.c | 4 +-
drivers/gpu/drm/i915/intel_pm.c | 24 ++--
drivers/gpu/drm/imx/ipuv3-plane.c | 7 +-
drivers/gpu/drm/nouveau/nouveau_acpi.c | 3 +-
drivers/gpu/drm/radeon/ni.c | 4 +-
drivers/gpu/drm/radeon/radeon_dp_auxch.c | 2 +-
drivers/gpu/drm/radeon/si_dpm.c | 53 +++++++--
drivers/hid/hid-ids.h | 1 +
drivers/hid/usbhid/hid-quirks.c | 1 +
drivers/hv/hv_util.c | 10 +-
drivers/i2c/busses/i2c-rk3x.c | 2 +
drivers/i2c/busses/i2c-xgene-slimpro.c | 2 +-
drivers/i2c/i2c-core.c | 13 ++-
drivers/iio/chemical/atlas-ph-sensor.c | 7 +-
drivers/input/serio/i8042-x86ia64io.h | 7 ++
drivers/md/dm-raid.c | 15 ++-
drivers/md/dm-raid1.c | 1 +
drivers/md/dm-rq.c | 7 +-
drivers/md/dm-table.c | 24 ++--
drivers/md/dm.c | 4 +-
drivers/md/md.c | 4 +-
drivers/md/raid1.c | 7 +-
drivers/md/raid10.c | 7 +-
drivers/media/platform/vsp1/vsp1_video.c | 7 ++
drivers/misc/cxl/api.c | 2 +
drivers/misc/cxl/file.c | 22 ++--
drivers/misc/genwqe/card_utils.c | 12 +-
drivers/misc/mei/hw-txe.c | 6 +-
drivers/mmc/host/dw_mmc-pltfm.c | 5 +-
drivers/mtd/ubi/fastmap.c | 17 +--
drivers/net/wireless/ath/ath10k/core.h | 1 +
drivers/net/wireless/ath/ath10k/debug.c | 75 +++++++------
drivers/net/wireless/ath/ath9k/ar9003_calib.c | 25 +----
drivers/net/wireless/ath/ath9k/hw.h | 1 -
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 4 +-
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_8723b.c | 4 +
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 11 +-
drivers/pwm/core.c | 2 +
drivers/pwm/sysfs.c | 18 +++
drivers/scsi/arcmsr/arcmsr_hba.c | 9 --
drivers/scsi/scsi_debug.c | 1 +
drivers/spi/spi-fsl-espi.c | 2 +-
drivers/spi/spi.c | 5 +-
drivers/staging/wilc1000/host_interface.c | 1 -
drivers/thermal/intel_powerclamp.c | 14 +--
drivers/tty/vt/vt.c | 7 +-
drivers/usb/chipidea/host.c | 2 +
drivers/usb/dwc3/gadget.c | 4 +-
drivers/usb/gadget/function/u_ether.c | 5 +-
drivers/usb/gadget/udc/atmel_usba_udc.c | 2 +-
drivers/usb/host/ohci-hcd.c | 2 +-
drivers/usb/host/xhci-hub.c | 41 ++++++-
drivers/usb/host/xhci-pci.c | 10 +-
drivers/usb/host/xhci.h | 3 +
drivers/usb/musb/omap2430.c | 7 +-
drivers/usb/renesas_usbhs/rcar3.c | 8 +-
drivers/usb/serial/cp210x.c | 4 +-
drivers/usb/serial/ftdi_sio.c | 3 +-
drivers/usb/serial/ftdi_sio_ids.h | 5 +-
drivers/usb/serial/usb-serial.c | 3 +-
drivers/video/fbdev/omap2/omapfb/dss/dsi.c | 4 +-
drivers/video/fbdev/pxafb.c | 2 +-
drivers/virtio/virtio_pci_legacy.c | 16 ++-
drivers/virtio/virtio_ring.c | 14 ++-
fs/btrfs/inode.c | 9 +-
fs/btrfs/tree-log.c | 20 +---
fs/nfsd/nfs4state.c | 10 +-
fs/overlayfs/copy_up.c | 2 +
fs/overlayfs/inode.c | 3 -
fs/overlayfs/super.c | 15 +++
fs/ubifs/dir.c | 16 ++-
fs/xfs/libxfs/xfs_dquot_buf.c | 3 +-
include/linux/pwm.h | 5 +
include/uapi/linux/Kbuild | 1 +
kernel/time/timer.c | 74 ++++++++-----
mm/list_lru.c | 2 +
mm/memcontrol.c | 9 ++
mm/slab.c | 2 +-
mm/vmscan.c | 2 +
net/mac80211/rx.c | 24 ++--
net/netfilter/xt_NFLOG.c | 1 +
security/keys/Kconfig | 2 +-
security/keys/big_key.c | 59 +++++-----
security/keys/proc.c | 2 +-
sound/core/seq/seq_timer.c | 4 +-
sound/pci/hda/hda_intel.c | 7 +-
sound/pci/hda/patch_realtek.c | 30 ++++-
sound/usb/quirks-table.h | 17 +++
122 files changed, 1097 insertions(+), 542 deletions(-)
^ permalink raw reply
* [PATCH 4.8 009/138] gpio: GPIO_GET_CHIPINFO_IOCTL: Fix line offset validation
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 1f1cc4566bd9dd8d3cf19965a4b6392143618536 upstream.
The current line offset validation is off by one. Depending on the data
stored behind the descs array this can either cause undefined behavior or
disclose arbitrary, potentially sensitive, memory to the issuing userspace
application.
Make sure that offset is within the bounds of the desc array.
Fixes: 521a2ad6f862 ("gpio: add userspace ABI for GPIO line information")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -837,7 +837,7 @@ static long gpio_ioctl(struct file *filp
if (copy_from_user(&lineinfo, ip, sizeof(lineinfo)))
return -EFAULT;
- if (lineinfo.line_offset > gdev->ngpio)
+ if (lineinfo.line_offset >= gdev->ngpio)
return -EINVAL;
desc = &gdev->descs[lineinfo.line_offset];
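Review bot: `lineinfo.line_offset` arrives via copy_from_user() and indexes `gdev->descs` on the very next statement, so this comparison is the only thing between userspace and the array; the `>=` is right, but nothing pins it. Suggest a selftest that issues the ioctl with line_offset equal to ngpio and expects -EINVAL, and a shared bounds helper if other ioctls in gpio_ioctl() index descs with a user-supplied offset.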
^ permalink raw reply
* [PATCH 4.8 008/138] gpio / ACPI: fix returned error from acpi_dev_gpio_irq_get()
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Arcari, Benjamin Tissoires,
Mika Westerberg, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Arcari <darcari@redhat.com>
commit 67bf5156edc4f58241fd7c119ae145c552adddd6 upstream.
acpi_dev_gpio_irq_get() currently ignores the error returned
by acpi_get_gpiod_by_index() and overwrites it with -ENOENT.
Problem is this error can be -EPROBE_DEFER, which just blows
up some drivers when the module ordering is not correct.
Signed-off-by: David Arcari <darcari@redhat.com>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -602,14 +602,17 @@ int acpi_dev_gpio_irq_get(struct acpi_de
{
int idx, i;
unsigned int irq_flags;
+ int ret = -ENOENT;
for (i = 0, idx = 0; idx <= index; i++) {
struct acpi_gpio_info info;
struct gpio_desc *desc;
desc = acpi_get_gpiod_by_index(adev, NULL, i, &info);
- if (IS_ERR(desc))
+ if (IS_ERR(desc)) {
+ ret = PTR_ERR(desc);
break;
+ }
if (info.gpioint && idx++ == index) {
int irq = gpiod_to_irq(desc);
@@ -628,7 +631,7 @@ int acpi_dev_gpio_irq_get(struct acpi_de
}
}
- return -ENOENT;
+ return ret;
}
EXPORT_SYMBOL_GPL(acpi_dev_gpio_irq_get);
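Review bot: with `return ret;` the function now hands back whatever acpi_get_gpiod_by_index() returned when the loop broke, and -ENOENT only if that initial value was never overwritten. The kernel-doc for acpi_dev_gpio_irq_get() should list -EPROBE_DEFER and other passed-through errors as possible results, since callers that tested specifically for -ENOENT will now see other codes.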
^ permalink raw reply
* [PATCH 4.8 006/138] spi: mark device nodes only in case of successful instantiation
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ralf Ramsauer, Geert Uytterhoeven,
Pantelis Antoniou, Mark Brown
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
commit e0af98a7e025a7263ae7e50264f6f79ed29642a7 upstream.
Instantiated SPI device nodes are marked with OF_POPULATE. This was
introduced in bd6c164. On unloading, loaded device nodes will of course
be unmarked. The problem is nodes that fail during initialisation: If a
node fails, it won't be unloaded and hence not be unmarked.
If a SPI driver module is unloaded and reloaded, it will skip nodes that
failed before.
Skip device nodes that are already populated and mark them only in case
of success.
Note that the same issue exists for I2C.
Fixes: bd6c164 ("spi: Mark instantiated device nodes with OF_POPULATE")
Signed-off-by: Ralf Ramsauer <ralf@ramses-pyramidenbau.de>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Pantelis Antoniou <pantelis.antoniou@konsulko.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/spi/spi.c
+++ b/drivers/spi/spi.c
@@ -1607,9 +1607,11 @@ static void of_register_spi_devices(stru
if (of_node_test_and_set_flag(nc, OF_POPULATED))
continue;
spi = of_register_spi_device(master, nc);
- if (IS_ERR(spi))
+ if (IS_ERR(spi)) {
dev_warn(&master->dev, "Failed to create SPI device for %s\n",
nc->full_name);
+ of_node_clear_flag(nc, OF_POPULATED);
+ }
}
}
#else
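Review bot: the flag is still set by of_node_test_and_set_flag() before of_register_spi_device() runs and is only cleared afterwards in the IS_ERR(spi) branch, so the node reads as populated for the duration of a registration that may fail. That ordering keeps the test-and-set atomic, but it deserves a one-line comment next to of_node_clear_flag(nc, OF_POPULATED) so a later cleanup does not move the marking after the call.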
@@ -3120,6 +3122,7 @@ static int of_spi_notify(struct notifier
if (IS_ERR(spi)) {
pr_err("%s: failed to create for '%s'\n",
__func__, rd->dn->full_name);
+ of_node_clear_flag(rd->dn, OF_POPULATED);
return notifier_from_errno(PTR_ERR(spi));
}
break;
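Review bot: of_node_clear_flag(rd->dn, OF_POPULATED) here is the second hand-written copy of the clear-on-failure step from of_register_spi_devices(), so every future caller has to remember it as well. A small helper that registers the device and clears the flag on error would keep the two paths from diverging.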
* [PATCH 4.8 005/138] spi: fsl-espi: avoid processing uninitalized data on error
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Mark Brown
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 5c0ba57744b1422d528f19430dd66d6803cea86f upstream.
When we get a spurious interrupt in fsl_espi_irq, we end up
processing four uninitialized bytes of data, as shown in this
warning message:
drivers/spi/spi-fsl-espi.c: In function 'fsl_espi_irq':
drivers/spi/spi-fsl-espi.c:462:4: warning: 'rx_data' may be used uninitialized in this function [-Wmaybe-uninitialized]
This adds another check so we skip the data in this case.
Fixes: 6319a68011b8 ("spi/fsl-espi: avoid infinite loops on fsl_espi_cpu_irq()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-fsl-espi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/spi/spi-fsl-espi.c
+++ b/drivers/spi/spi-fsl-espi.c
@@ -581,7 +581,7 @@ void fsl_espi_cpu_irq(struct mpc8xxx_spi
mspi->len -= rx_nr_bytes;
- if (mspi->rx)
+ if (rx_nr_bytes && mspi->rx)
mspi->get_rx(rx_data, mspi);
}
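Review bot: the new "rx_nr_bytes &&" test keeps get_rx() away from rx_data when nothing was read, but rx_data itself stays uninitialized on that path, so the fix depends on every later use carrying the same guard. Initializing rx_data where it is declared would remove the -Wmaybe-uninitialized warning quoted in the commit message at its source.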
* [PATCH 4.8 021/138] mm: memcontrol: do not recurse in direct reclaim
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Johannes Weiner, Michal Hocko,
Vladimir Davydov, Tejun Heo, Andrew Morton, Linus Torvalds
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Weiner <hannes@cmpxchg.org>
commit 89a2848381b5fcd9c4d9c0cd97680e3b28730e31 upstream.
On 4.0, we saw a stack corruption from a page fault entering direct
memory cgroup reclaim, calling into btrfs_releasepage(), which then
tried to allocate an extent and recursed back into a kmem charge ad
nauseam:
[...]
btrfs_releasepage+0x2c/0x30
try_to_release_page+0x32/0x50
shrink_page_list+0x6da/0x7a0
shrink_inactive_list+0x1e5/0x510
shrink_lruvec+0x605/0x7f0
shrink_zone+0xee/0x320
do_try_to_free_pages+0x174/0x440
try_to_free_mem_cgroup_pages+0xa7/0x130
try_charge+0x17b/0x830
memcg_charge_kmem+0x40/0x80
new_slab+0x2d9/0x5a0
__slab_alloc+0x2fd/0x44f
kmem_cache_alloc+0x193/0x1e0
alloc_extent_state+0x21/0xc0
__clear_extent_bit+0x2b5/0x400
try_release_extent_mapping+0x1a3/0x220
__btrfs_releasepage+0x31/0x70
btrfs_releasepage+0x2c/0x30
try_to_release_page+0x32/0x50
shrink_page_list+0x6da/0x7a0
shrink_inactive_list+0x1e5/0x510
shrink_lruvec+0x605/0x7f0
shrink_zone+0xee/0x320
do_try_to_free_pages+0x174/0x440
try_to_free_mem_cgroup_pages+0xa7/0x130
try_charge+0x17b/0x830
mem_cgroup_try_charge+0x65/0x1c0
handle_mm_fault+0x117f/0x1510
__do_page_fault+0x177/0x420
do_page_fault+0xc/0x10
page_fault+0x22/0x30
On later kernels, kmem charging is opt-in rather than opt-out, and that
particular kmem allocation in btrfs_releasepage() is no longer being
charged and won't recurse and overrun the stack anymore.
But it's not impossible for an accounted allocation to happen from the
memcg direct reclaim context, and we needed to reproduce this crash many
times before we even got a useful stack trace out of it.
Like other direct reclaimers, mark tasks in memcg reclaim PF_MEMALLOC to
avoid recursing into any other form of direct reclaim. Then let
recursive charges from PF_MEMALLOC contexts bypass the cgroup limit.
Link: http://lkml.kernel.org/r/20161025141050.GA13019@cmpxchg.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/memcontrol.c | 9 +++++++++
mm/vmscan.c | 2 ++
2 files changed, 11 insertions(+)
--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -1947,6 +1947,15 @@ retry:
current->flags & PF_EXITING))
goto force;
+ /*
+ * Prevent unbounded recursion when reclaim operations need to
+ * allocate memory. This might exceed the limits temporarily,
+ * but we prefer facilitating memory reclaim and getting back
+ * under the limit over triggering OOM kills in these cases.
+ */
+ if (unlikely(current->flags & PF_MEMALLOC))
+ goto force;
+
if (unlikely(task_in_memcg_oom(current)))
goto nomem;
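Review bot: the "current->flags & PF_MEMALLOC" test sends every task with that flag to "force", whoever set it, so any charge made from such a context now bypasses the limit. The comment above the check names reclaim as the reason; it should also state that the bypass applies to all PF_MEMALLOC contexts so the scope of the over-limit window is clear to the next reader.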
--- a/mm/vmscan.c
+++ b/mm/vmscan.c
@@ -3048,7 +3048,9 @@ unsigned long try_to_free_mem_cgroup_pag
sc.gfp_mask,
sc.reclaim_idx);
+ current->flags |= PF_MEMALLOC;
nr_reclaimed = do_try_to_free_pages(zonelist, &sc);
+ current->flags &= ~PF_MEMALLOC;
trace_mm_vmscan_memcg_reclaim_end(nr_reclaimed);
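Review bot: "current->flags &= ~PF_MEMALLOC" after do_try_to_free_pages() clears the flag unconditionally, so a caller that entered try_to_free_mem_cgroup_pages() with PF_MEMALLOC already set would leave without it. Saving the previous state of the bit before the "|=" and restoring that, rather than always clearing, makes the pair safe to nest.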
* [PATCH 4.8 020/138] mm/slab: fix kmemcg cache creation delayed issue
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Doug Smythies, Joonsoo Kim,
Christoph Lameter, Pekka Enberg, David Rientjes, Andrew Morton,
Linus Torvalds
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joonsoo Kim <iamjoonsoo.kim@lge.com>
commit 86d9f48534e800e4d62cdc1b5aaf539f4c1d47d6 upstream.
There is a bug report that SLAB makes extreme load average due to over
2000 kworker threads.
https://bugzilla.kernel.org/show_bug.cgi?id=172981
This issue is caused by kmemcg feature that tries to create new set of
kmem_caches for each memcg. Recently, kmem_cache creation is slowed by
synchronize_sched() and further kmem_cache creation is also delayed since
kmem_cache creation is synchronized by a global slab_mutex lock. So,
the number of kworkers that try to create kmem_cache increases quietly.
synchronize_sched() is for lockless access to node's shared array but
it's not needed when a new kmem_cache is created. So, this patch rules
out that case.
Fixes: 801faf0db894 ("mm/slab: lockless decision to grow cache")
Link: http://lkml.kernel.org/r/1475734855-4837-1-git-send-email-iamjoonsoo.kim@lge.com
Reported-by: Doug Smythies <dsmythies@telus.net>
Tested-by: Doug Smythies <dsmythies@telus.net>
Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slab.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/mm/slab.c
+++ b/mm/slab.c
@@ -964,7 +964,7 @@ static int setup_kmem_cache_node(struct
* guaranteed to be valid until irq is re-enabled, because it will be
* freed after synchronize_sched().
*/
- if (force_change)
+ if (old_shared && force_change)
synchronize_sched();
fail:
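Review bot: the comment directly above the changed condition still explains synchronize_sched() only in terms of freeing the old array, and nothing says why the call may be skipped when old_shared is NULL. Add a sentence there stating that there is no old shared array to protect in that case, which is the reasoning the commit message gives for a newly created kmem_cache.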
* [PATCH 4.8 002/138] i2c: xgene: Avoid dma_buffer overrun
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Phil Endecott, Hoan Tran,
Wolfram Sang
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hoan Tran <hotran@apm.com>
commit 603616017c35f4d0fbdbcace72adf9bf949c4a65 upstream.
SMBus block command uses the first byte of buffer for the data length.
The dma_buffer should be increased by 1 to avoid the overrun issue.
Reported-by: Phil Endecott <phil_gjouf_endecott@chezphil.org>
Signed-off-by: Hoan Tran <hotran@apm.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-xgene-slimpro.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-xgene-slimpro.c
+++ b/drivers/i2c/busses/i2c-xgene-slimpro.c
@@ -105,7 +105,7 @@ struct slimpro_i2c_dev {
struct mbox_chan *mbox_chan;
struct mbox_client mbox_client;
struct completion rd_complete;
- u8 dma_buffer[I2C_SMBUS_BLOCK_MAX];
+ u8 dma_buffer[I2C_SMBUS_BLOCK_MAX + 1]; /* dma_buffer[0] is used for length */
u32 *resp_msg;
};
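Review bot: the "+ 1" in dma_buffer[I2C_SMBUS_BLOCK_MAX + 1] fixes the size at the declaration, but the code that copies block data into the buffer is outside this hunk and has to agree with it. Bounding that copy by sizeof() of the buffer, rather than by I2C_SMBUS_BLOCK_MAX, would keep the two from drifting apart again.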
* [PATCH v5 3/3] cpuid: add AVX512_4VNNIW and AVX512_4FMAPS instructions support
From: He Chen @ 2016-11-09 11:05 UTC (permalink / raw)
To: kvm
Cc: linux-kernel, x86, Paolo Bonzini, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H . Peter Anvin, Luwei Kang,
Piotr Luc, Borislav Petkov
In-Reply-To: <1478689528-444-1-git-send-email-he.chen@linux.intel.com>
Add two new AVX512 instructions support for KVM guest.
AVX512_4VNNIW:
Vector instructions for deep learning enhanced word variable precision.
AVX512_4FMAPS:
Vector instructions for deep learning floating-point single precision.
Signed-off-by: Luwei Kang <luwei.kang@intel.com>
Signed-off-by: He Chen <he.chen@linux.intel.com>
---
arch/x86/kvm/cpuid.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
index afa7bbb..ddcdf7c 100644
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -16,6 +16,7 @@
#include <linux/export.h>
#include <linux/vmalloc.h>
#include <linux/uaccess.h>
+#include <asm/processor.h>
#include <asm/fpu/internal.h> /* For use_eager_fpu. Ugh! */
#include <asm/user.h>
#include <asm/fpu/xstate.h>
@@ -65,6 +66,11 @@ u64 kvm_supported_xcr0(void)
#define F(x) bit(X86_FEATURE_##x)
+/* These are scattered features in cpufeatures.h. */
+#define KVM_CPUID_BIT_AVX512_4VNNIW 2
+#define KVM_CPUID_BIT_AVX512_4FMAPS 3
+#define KF(x) bit(KVM_CPUID_BIT_##x)
+
int kvm_update_cpuid(struct kvm_vcpu *vcpu)
{
struct kvm_cpuid_entry2 *best;
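Review bot: KVM_CPUID_BIT_AVX512_4VNNIW (2) and KVM_CPUID_BIT_AVX512_4FMAPS (3) repeat the bit positions that patch 2/3 already carries in the cpuid_bits[] table in scattered.c, so the same hardware fact now lives in two files. The comment should name that table as the place these values must match, or the positions should be derived from one shared definition.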
@@ -376,6 +382,10 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
/* cpuid 7.0.ecx*/
const u32 kvm_cpuid_7_0_ecx_x86_features = F(PKU) | 0 /*OSPKE*/;
+ /* cpuid 7.0.edx*/
+ const u32 kvm_cpuid_7_0_edx_x86_features =
+ KF(AVX512_4VNNIW) | KF(AVX512_4FMAPS);
+
/* all calls to cpuid_count() should be made on the same cpu */
get_cpu();
@@ -458,12 +468,14 @@ static inline int __do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 function,
/* PKU is not yet implemented for shadow paging. */
if (!tdp_enabled)
entry->ecx &= ~F(PKU);
+ entry->edx &= kvm_cpuid_7_0_edx_x86_features;
+ entry->edx &= get_scattered_cpuid_leaf(7, 0, CPUID_EDX);
} else {
entry->ebx = 0;
entry->ecx = 0;
+ entry->edx = 0;
}
entry->eax = 0;
- entry->edx = 0;
break;
}
case 9:
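Review bot: the two "entry->edx &=" lines follow the "if (!tdp_enabled)" PKU statement directly, with no blank line or comment, so they read as part of the PKU handling although they apply to a different register. Separate them and add a comment saying why EDX is masked twice, once with kvm_cpuid_7_0_edx_x86_features and once with get_scattered_cpuid_leaf(7, 0, CPUID_EDX).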
--
2.7.4
* [PATCH v5 2/3] cpuid: Add a helper in scattered.c to return cpuid
From: He Chen @ 2016-11-09 11:05 UTC (permalink / raw)
To: kvm
Cc: linux-kernel, x86, Paolo Bonzini, Radim Krčmář,
Thomas Gleixner, Ingo Molnar, H . Peter Anvin, Luwei Kang,
Piotr Luc, Borislav Petkov
In-Reply-To: <1478689528-444-1-git-send-email-he.chen@linux.intel.com>
Some sparse CPUID leafs are gathered in a fake leaf to save size of
x86_capability array in current code, but sometimes, kernel or other
modules (e.g. KVM cpuid enumeration) may need actual hardware leaf
information.
This patch adds a helper get_scattered_cpuid_leaf() to rebuild actual
CPUID leaf, and it can be called outside by modules.
Signed-off-by: He Chen <he.chen@linux.intel.com>
---
arch/x86/include/asm/processor.h | 3 +++
arch/x86/kernel/cpu/scattered.c | 49 ++++++++++++++++++++++++++++++----------
2 files changed, 40 insertions(+), 12 deletions(-)
diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
index 8f6ac5b..e7f8c62 100644
--- a/arch/x86/include/asm/processor.h
+++ b/arch/x86/include/asm/processor.h
@@ -189,6 +189,9 @@ extern void identify_secondary_cpu(struct cpuinfo_x86 *);
extern void print_cpu_info(struct cpuinfo_x86 *);
void print_cpu_msr(struct cpuinfo_x86 *);
extern void init_scattered_cpuid_features(struct cpuinfo_x86 *c);
+extern u32 get_scattered_cpuid_leaf(unsigned int level,
+ unsigned int sub_leaf,
+ enum cpuid_regs_idx reg);
extern unsigned int init_intel_cacheinfo(struct cpuinfo_x86 *c);
extern void init_amd_cacheinfo(struct cpuinfo_x86 *c);
diff --git a/arch/x86/kernel/cpu/scattered.c b/arch/x86/kernel/cpu/scattered.c
index 5dbdd0b..d1316f9 100644
--- a/arch/x86/kernel/cpu/scattered.c
+++ b/arch/x86/kernel/cpu/scattered.c
@@ -17,24 +17,25 @@ struct cpuid_bit {
u32 sub_leaf;
};
+/* Please keep the leaf sorted by cpuid_bit.level for faster search. */
+static const struct cpuid_bit cpuid_bits[] = {
+ { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 },
+ { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 },
+ { X86_FEATURE_INTEL_PT, CPUID_EBX, 25, 0x00000007, 0 },
+ { X86_FEATURE_AVX512_4VNNIW, CPUID_EDX, 2, 0x00000007, 0 },
+ { X86_FEATURE_AVX512_4FMAPS, CPUID_EDX, 3, 0x00000007, 0 },
+ { X86_FEATURE_HW_PSTATE, CPUID_EDX, 7, 0x80000007, 0 },
+ { X86_FEATURE_CPB, CPUID_EDX, 9, 0x80000007, 0 },
+ { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX, 11, 0x80000007, 0 },
+ { 0, 0, 0, 0, 0 }
+};
+
void init_scattered_cpuid_features(struct cpuinfo_x86 *c)
{
u32 max_level;
u32 regs[4];
const struct cpuid_bit *cb;
- static const struct cpuid_bit cpuid_bits[] = {
- { X86_FEATURE_INTEL_PT, CPUID_EBX,25, 0x00000007, 0 },
- { X86_FEATURE_AVX512_4VNNIW, CPUID_EDX, 2, 0x00000007, 0 },
- { X86_FEATURE_AVX512_4FMAPS, CPUID_EDX, 3, 0x00000007, 0 },
- { X86_FEATURE_APERFMPERF, CPUID_ECX, 0, 0x00000006, 0 },
- { X86_FEATURE_EPB, CPUID_ECX, 3, 0x00000006, 0 },
- { X86_FEATURE_HW_PSTATE, CPUID_EDX, 7, 0x80000007, 0 },
- { X86_FEATURE_CPB, CPUID_EDX, 9, 0x80000007, 0 },
- { X86_FEATURE_PROC_FEEDBACK, CPUID_EDX,11, 0x80000007, 0 },
- { 0, 0, 0, 0, 0 }
- };
-
for (cb = cpuid_bits; cb->feature; cb++) {
/* Verify that the level is valid */
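Review bot: the new comment asks for cpuid_bits[] to be kept sorted by level "for faster search", but get_scattered_cpuid_leaf(), added later in this patch, stops at the first entry where "level < cb->level", so an entry placed out of order is silently skipped. Word the comment as a correctness requirement, not a speed hint.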
@@ -51,3 +52,27 @@ void init_scattered_cpuid_features(struct cpuinfo_x86 *c)
set_cpu_cap(c, cb->feature);
}
}
+
+u32 get_scattered_cpuid_leaf(unsigned int level, unsigned int sub_leaf,
+ enum cpuid_regs_idx reg)
+{
+ const struct cpuid_bit *cb;
+ u32 cpuid_val = 0;
+
+ for (cb = cpuid_bits; cb->feature; cb++) {
+
+ if (level > cb->level)
+ continue;
+
+ if (level < cb->level)
+ break;
+
+ if (reg == cb->reg && sub_leaf == cb->sub_leaf) {
+ if (cpu_has(&boot_cpu_data, cb->feature))
+ cpuid_val |= BIT(cb->bit);
+ }
+ }
+
+ return cpuid_val;
+}
+EXPORT_SYMBOL_GPL(get_scattered_cpuid_leaf);
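Review bot: the returned mask is assembled from cpu_has(&boot_cpu_data, cb->feature), that is, from the kernel's capability bits for the boot CPU, not from a fresh CPUID read. The commit message describes the result as the actual hardware leaf; a comment on the function should state that it reflects boot_cpu_data, and that bits with no cpuid_bits[] entry are always returned as 0.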
--
2.7.4
* [PATCH 4.8 018/138] libxfs: clean up _calc_dquots_per_chunk
From: Greg Kroah-Hartman @ 2016-11-09 10:45 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Darrick J. Wong, Eric Sandeen,
Dave Chinner
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <darrick.wong@oracle.com>
commit 58d789678546d46d7bbd809dd7dab417c0f23655 upstream.
The function xfs_calc_dquots_per_chunk takes a parameter in units
of basic blocks. The kernel seems to get the units wrong, but
userspace got 'fixed' by commenting out the unnecessary conversion.
Fix both.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/xfs/libxfs/xfs_dquot_buf.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/xfs/libxfs/xfs_dquot_buf.c
+++ b/fs/xfs/libxfs/xfs_dquot_buf.c
@@ -191,8 +191,7 @@ xfs_dquot_buf_verify_crc(
if (mp->m_quotainfo)
ndquots = mp->m_quotainfo->qi_dqperchunk;
else
- ndquots = xfs_calc_dquots_per_chunk(
- XFS_BB_TO_FSB(mp, bp->b_length));
+ ndquots = xfs_calc_dquots_per_chunk(bp->b_length);
for (i = 0; i < ndquots; i++, d++) {
if (!xfs_verify_cksum((char *)d, sizeof(struct xfs_dqblk),
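Review bot: the call now passes bp->b_length straight through, and the commit message says the parameter is in basic blocks, but nothing at this call site records that unit. Since ndquots bounds the checksum loop that follows, a short comment naming the unit here would guard against the conversion being reintroduced.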
* [PATCH 4.8 016/138] gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix another information leak
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit d82aa4a8f2e8df9673ddb099262355da4c9b99b1 upstream.
The GPIOHANDLE_GET_LINE_VALUES_IOCTL handler allocates a gpiohandle_data
struct on the stack and then passes it to copy_to_user(). But only the
first element of the values array in the struct is set, which leaves the
struct partially initialized.
This exposes the previous, potentially sensitive, stack content to the
issuing userspace application. To avoid this make sure that the struct is
fully initialized.
Cc: stable@vger.kernel.org
Fixes: 61f922db7221 ("gpio: userspace ABI for reading GPIO line events")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -645,6 +645,8 @@ static long lineevent_ioctl(struct file
if (cmd == GPIOHANDLE_GET_LINE_VALUES_IOCTL) {
int val;
+ memset(&ghd, 0, sizeof(ghd));
+
val = gpiod_get_value_cansleep(le->desc);
if (val < 0)
return val;
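Review bot: the memset() is placed inside the GPIOHANDLE_GET_LINE_VALUES_IOCTL branch, so it protects only this command. Zeroing ghd where it is declared would also cover any branch added later that copies the struct to userspace.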
* [PATCH 4.8 014/138] gpio: GPIO_GET_LINEHANDLE_IOCTL: Reject invalid line flags
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit e3e847c7f15a27c80f526b2a7a8d4dd7ce0960a0 upstream.
The GPIO_GET_LINEHANDLE_IOCTL currently ignores unknown or undefined
linehandle flags. From a backwards and forwards compatibility viewpoint it
is highly desirable to reject unknown flags though.
On one hand an application that is using newer flags and is running on
an older kernel has no way to detect if the new flags were handled
correctly if they are silently discarded.
On the other hand an application that (accidentally) passes undefined flags
will run fine on an older kernel, but may break on a newer kernel when
these flags get defined.
Ensure that requests that have undefined flags set are rejected with an
error, rather than silently discarding the undefined flags.
Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -331,6 +331,13 @@ struct linehandle_state {
u32 numdescs;
};
+#define GPIOHANDLE_REQUEST_VALID_FLAGS \
+ (GPIOHANDLE_REQUEST_INPUT | \
+ GPIOHANDLE_REQUEST_OUTPUT | \
+ GPIOHANDLE_REQUEST_ACTIVE_LOW | \
+ GPIOHANDLE_REQUEST_OPEN_DRAIN | \
+ GPIOHANDLE_REQUEST_OPEN_SOURCE)
+
static long linehandle_ioctl(struct file *filep, unsigned int cmd,
unsigned long arg)
{
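Review bot: GPIOHANDLE_REQUEST_VALID_FLAGS is defined here, apart from the GPIOHANDLE_REQUEST_* definitions it enumerates, so a flag added later is rejected with -EINVAL until someone remembers to extend this mask. A comment on the macro saying that it must be updated together with the flag definitions would make that dependency visible.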
@@ -448,6 +455,12 @@ static int linehandle_create(struct gpio
ret = -EINVAL;
goto out_free_descs;
}
+
+ /* Return an error if a unknown flag is set */
+ if (lflags & ~GPIOHANDLE_REQUEST_VALID_FLAGS) {
+ ret = -EINVAL;
+ goto out_free_descs;
+ }
desc = &gdev->descs[offset];
ret = gpiod_request(desc, lh->label);
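Review bot: the new test sits next to the per-line "desc = &gdev->descs[offset]" lookup, although "lflags & ~GPIOHANDLE_REQUEST_VALID_FLAGS" does not depend on offset. If lflags is the same for the whole request, testing it once before any descriptor is requested would avoid the out_free_descs unwind for a request that can never succeed. The added comment should also read "an unknown flag".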
* [PATCH 4.8 012/138] gpio: GPIOHANDLE_GET_LINE_VALUES_IOCTL: Fix information leak
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 3eded5d83bf4e36ad78775c7ceb44a45480b0abd upstream.
The GPIOHANDLE_GET_LINE_VALUES_IOCTL handler allocates a gpiohandle_data
struct on the stack and then passes it to copy_to_user(). But depending on
the number of requested line handles the struct is only partially
initialized.
This exposes the previous, potentially sensitive, stack content to the
issuing userspace application. To avoid this make sure that the struct is
fully initialized.
Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -342,6 +342,8 @@ static long linehandle_ioctl(struct file
if (cmd == GPIOHANDLE_GET_LINE_VALUES_IOCTL) {
int val;
+ memset(&ghd, 0, sizeof(ghd));
+
/* TODO: check if descriptors are really input */
for (i = 0; i < lh->numdescs; i++) {
val = gpiod_get_value_cansleep(lh->descs[i]);
* [PATCH 4.8 010/138] gpio: GPIO_GET_CHIPINFO_IOCTL: Fix information leak
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Lars-Peter Clausen, Linus Walleij
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lars-Peter Clausen <lars@metafoo.de>
commit 0f4bbb233743bdfd51d47688b0bc2561f310488b upstream.
The GPIO_GET_CHIPINFO_IOCTL handler allocates a gpiochip_info struct on the
stack and then passes it to copy_to_user(). But depending on the length of
the GPIO chip name and label the struct is only partially initialized.
This exposes the previous, potentially sensitive, stack content to the
issuing userspace application. To avoid this make sure that the struct is
fully initialized.
Fixes: 521a2ad6f862 ("gpio: add userspace ABI for GPIO line information")
Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -821,6 +821,8 @@ static long gpio_ioctl(struct file *filp
if (cmd == GPIO_GET_CHIPINFO_IOCTL) {
struct gpiochip_info chipinfo;
+ memset(&chipinfo, 0, sizeof(chipinfo));
+
strncpy(chipinfo.name, dev_name(&gdev->dev),
sizeof(chipinfo.name));
chipinfo.name[sizeof(chipinfo.name)-1] = '\0';
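Review bot: strncpy() already zero-fills chipinfo.name up to sizeof(chipinfo.name), so in the visible lines the name field is fully written even without the memset(). It would help to note, in the commit message or a comment, which members or padding bytes of struct gpiochip_info the memset() is there to cover.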
* [PATCH 4.8 001/138] i2c: rk3x: Give the tuning value 0 during rk3x_i2c_v0_calc_timings
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, David Wu, Andy Yan, Douglas Anderson,
Wolfram Sang
In-Reply-To: <20161109102844.808685475@linuxfoundation.org>
4.8-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Wu <david.wu@rock-chips.com>
commit 399c168ab5ab5e12ed55b6c91d61c24eb84c9164 upstream.
We found a bug that i2c transfer sometimes failed on 3066a board with
stable-4.8, the con register would be updated by uninitialized tuning
value, it made the i2c transfer fail.
So give the tuning value to be zero during rk3x_i2c_v0_calc_timings.
Signed-off-by: David Wu <david.wu@rock-chips.com>
Tested-by: Andy Yan <andy.yan@rock-chips.com>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-rk3x.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/i2c/busses/i2c-rk3x.c
+++ b/drivers/i2c/busses/i2c-rk3x.c
@@ -694,6 +694,8 @@ static int rk3x_i2c_v0_calc_timings(unsi
t_calc->div_low--;
t_calc->div_high--;
+ /* Give the tuning value 0, that would not update con register */
+ t_calc->tuning = 0;
/* Maximum divider supported by hw is 0xffff */
if (t_calc->div_low > 0xffff) {
t_calc->div_low = 0xffff;
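Review bot: t_calc->tuning is zeroed between the divider decrement and the 0xffff clamp, which hides the initialization in the middle of unrelated arithmetic. Set it at the top of rk3x_i2c_v0_calc_timings(), or have the caller zero the whole structure, so that the field has a known value on every path out of the function and any field added later starts from zero as well.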
* [PATCH 4.4 67/69] kvm: x86: Check memopp before dereference (CVE-2016-8630)
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Owen Hofmann, Paolo Bonzini
In-Reply-To: <20161109102901.127641653@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Owen Hofmann <osh@google.com>
commit d9092f52d7e61dd1557f2db2400ddb430e85937e upstream.
Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a
check for non-NULL under incorrect assumptions. An undefined instruction
with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt
to dereference a null pointer here.
Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5
Message-Id: <1477592752-126650-2-git-send-email-osh@google.com>
Signed-off-by: Owen Hofmann <osh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/emulate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -5033,7 +5033,7 @@ done_prefixes:
/* Decode and fetch the destination operand: register or memory. */
rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask);
- if (ctxt->rip_relative)
+ if (ctxt->rip_relative && likely(ctxt->memopp))
ctxt->memopp->addr.mem.ea = address_mask(ctxt,
ctxt->memopp->addr.mem.ea + ctxt->_eip);
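Review bot: the added "likely(ctxt->memopp)" guards a pointer that guest-supplied instruction bytes can leave NULL (the commit message gives 0xc7 0x15), yet the line carries no comment explaining how rip_relative can be set without a memory operand. Add that explanation above the test so the check is not removed again, as the commit message says happened in 41061cdb98.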
* [PATCH 4.4 68/69] ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap()
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Boris Brezillon,
Sheng Yong, Richard Weinberger
In-Reply-To: <20161109102901.127641653@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Boris Brezillon <boris.brezillon@free-electrons.com>
commit 40b6e61ac72e99672e47cdb99c8d7d226004169b upstream.
Commit e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already
exists") introduced a bug by changing the possible error codes returned
by add_vol():
- this function no longer returns NULL in case of allocation failure
but returns ERR_PTR(-ENOMEM)
- when a duplicate entry in the volume RB tree is found it returns
ERR_PTR(-EEXIST) instead of ERR_PTR(-EINVAL)
Fix the tests done on add_vol() return val to match this new behavior.
Fixes: e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already exists")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Acked-by: Sheng Yong <shengyong1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/ubi/fastmap.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/mtd/ubi/fastmap.c
+++ b/drivers/mtd/ubi/fastmap.c
@@ -749,11 +749,11 @@ static int ubi_attach_fastmap(struct ubi
fmvhdr->vol_type,
be32_to_cpu(fmvhdr->last_eb_bytes));
- if (!av)
- goto fail_bad;
- if (PTR_ERR(av) == -EINVAL) {
- ubi_err(ubi, "volume (ID %i) already exists",
- fmvhdr->vol_id);
+ if (IS_ERR(av)) {
+ if (PTR_ERR(av) == -EEXIST)
+ ubi_err(ubi, "volume (ID %i) already exists",
+ fmvhdr->vol_id);
+
goto fail_bad;
}
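Review bot: every IS_ERR(av) result now takes "goto fail_bad", but only -EEXIST is logged, so the ERR_PTR(-ENOMEM) case named in the commit message fails without a message and is handled like a bad fastmap. Consider logging the other error codes too, or passing PTR_ERR(av) back to the caller for the allocation failure.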
* [PATCH 4.4 36/69] ovl: fsync after copy-up
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi
In-Reply-To: <20161109102901.127641653@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miklos Szeredi <mszeredi@redhat.com>
commit 641089c1549d8d3df0b047b5de7e9a111362cdce upstream.
Make sure the copied up file hits the disk before renaming to the final
destination. If this is not done then the copy-up may corrupt the data in
the file in case of a crash.
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/copy_up.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -139,6 +139,8 @@ static int ovl_copy_up_data(struct path
len -= bytes;
}
+ if (!error)
+ error = vfs_fsync(new_file, 0);
fput(new_file);
out_fput:
fput(old_file);
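Review bot: vfs_fsync(new_file, 0) is added without a comment, and the reason it must run before the rename is stated only in the commit message. A one-line comment above the call would keep it from being dropped later as an apparent performance cost; it is also worth confirming that a failure stored in "error" here stops the caller from doing the rename.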
* [PATCH 4.4 42/69] firewire: net: guard against rx buffer overflows
From: Greg Kroah-Hartman @ 2016-11-09 10:44 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eyal Itkin, Stefan Richter
In-Reply-To: <20161109102901.127641653@linuxfoundation.org>
4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Richter <stefanr@s5r6.in-berlin.de>
commit 667121ace9dbafb368618dbabcf07901c962ddac upstream.
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams. A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.
So, drop any packets carrying a fragment with offset + length larger
than datagram_size.
In addition, ensure that
- GASP header, unfragmented encapsulation header, or fragment
encapsulation header actually exists before we access it,
- the encapsulated datagram or fragment is of nonzero size.
Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firewire/net.c | 51 +++++++++++++++++++++++++++++++++----------------
1 file changed, 35 insertions(+), 16 deletions(-)
--- a/drivers/firewire/net.c
+++ b/drivers/firewire/net.c
@@ -578,6 +578,9 @@ static int fwnet_incoming_packet(struct
int retval;
u16 ether_type;
+ if (len <= RFC2374_UNFRAG_HDR_SIZE)
+ return 0;
+
hdr.w0 = be32_to_cpu(buf[0]);
lf = fwnet_get_hdr_lf(&hdr);
if (lf == RFC2374_HDR_UNFRAG) {
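Review bot: "if (len <= RFC2374_UNFRAG_HDR_SIZE) return 0;" drops the packet, returns 0 and records nothing, so truncated or malformed input leaves no trace. Counting the drop as a receive error, or emitting a rate-limited debug message, would let an operator notice a peer that keeps sending such packets.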
@@ -602,7 +605,12 @@ static int fwnet_incoming_packet(struct
return fwnet_finish_incoming_packet(net, skb, source_node_id,
is_broadcast, ether_type);
}
+
/* A datagram fragment has been received, now the fun begins. */
+
+ if (len <= RFC2374_FRAG_HDR_SIZE)
+ return 0;
+
hdr.w1 = ntohl(buf[1]);
buf += 2;
len -= RFC2374_FRAG_HDR_SIZE;
@@ -616,6 +624,9 @@ static int fwnet_incoming_packet(struct
datagram_label = fwnet_get_hdr_dgl(&hdr);
dg_size = fwnet_get_hdr_dg_size(&hdr); /* ??? + 1 */
+ if (fg_off + len > dg_size)
+ return 0;
+
spin_lock_irqsave(&dev->lock, flags);
peer = fwnet_peer_find_by_node_id(dev, source_node_id, generation);
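Review bot: the bound `fg_off + len > dg_size` is only as correct as `dg_size`, and the line directly above it still carries the open question `/* ??? + 1 */`. If the header field turns out to encode the datagram size minus one, this check drops the final fragment of every valid datagram; if not, the comment is stale and should go. Either way the question needs an answer in this patch, because the new test is what the memcpy safety now rests on. The declarations of `fg_off` and `len` are not visible in this hunk, so please also confirm the sum cannot wrap; writing the test as a range check on `fg_off` followed by `len > dg_size - fg_off` removes the doubt.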
@@ -722,6 +733,22 @@ static void fwnet_receive_packet(struct
fw_send_response(card, r, rcode);
}
+static int gasp_source_id(__be32 *p)
+{
+ return be32_to_cpu(p[0]) >> 16;
+}
+
+static u32 gasp_specifier_id(__be32 *p)
+{
+ return (be32_to_cpu(p[0]) & 0xffff) << 8 |
+ (be32_to_cpu(p[1]) & 0xff000000) >> 24;
+}
+
+static u32 gasp_version(__be32 *p)
+{
+ return be32_to_cpu(p[1]) & 0xffffff;
+}
+
static void fwnet_receive_broadcast(struct fw_iso_context *context,
u32 cycle, size_t header_length, void *header, void *data)
{
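Review bot: gasp_source_id() returns `int` while the variable it replaces was `u16 source_node_id` and the two sibling helpers return `u32`; a `u16` return type would match the value, which is the top 16 bits of `p[0]`. All three helpers read `p[0]` or `p[1]` with no length argument, so they depend on the caller having already established that a full GASP header is present. A short comment stating that precondition, and `const __be32 *p` in the signatures since nothing is written, would make the contract explicit.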
@@ -731,9 +758,6 @@ static void fwnet_receive_broadcast(stru
__be32 *buf_ptr;
int retval;
u32 length;
- u16 source_node_id;
- u32 specifier_id;
- u32 ver;
unsigned long offset;
unsigned long flags;
@@ -750,22 +774,17 @@ static void fwnet_receive_broadcast(stru
spin_unlock_irqrestore(&dev->lock, flags);
- specifier_id = (be32_to_cpu(buf_ptr[0]) & 0xffff) << 8
- | (be32_to_cpu(buf_ptr[1]) & 0xff000000) >> 24;
- ver = be32_to_cpu(buf_ptr[1]) & 0xffffff;
- source_node_id = be32_to_cpu(buf_ptr[0]) >> 16;
-
- if (specifier_id == IANA_SPECIFIER_ID &&
- (ver == RFC2734_SW_VERSION
+ if (length > IEEE1394_GASP_HDR_SIZE &&
+ gasp_specifier_id(buf_ptr) == IANA_SPECIFIER_ID &&
+ (gasp_version(buf_ptr) == RFC2734_SW_VERSION
#if IS_ENABLED(CONFIG_IPV6)
- || ver == RFC3146_SW_VERSION
+ || gasp_version(buf_ptr) == RFC3146_SW_VERSION
#endif
- )) {
- buf_ptr += 2;
- length -= IEEE1394_GASP_HDR_SIZE;
- fwnet_incoming_packet(dev, buf_ptr, length, source_node_id,
+ ))
+ fwnet_incoming_packet(dev, buf_ptr + 2,
+ length - IEEE1394_GASP_HDR_SIZE,
+ gasp_source_id(buf_ptr),
context->card->generation, true);
- }
packet.payload_length = dev->rcv_buffer_size;
packet.interrupt = 1;
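Review bot: dropping the braces here leaves a four-line fwnet_incoming_packet() call as the unbraced body of an `if` whose condition already spans an `#if IS_ENABLED(CONFIG_IPV6)` block, so the closing `))` sits alone on a line right above the body and is easy to misread. Keeping `{ }` around the call costs two lines and avoids that. The ordering of the condition is right and worth preserving: `length > IEEE1394_GASP_HDR_SIZE` is evaluated before gasp_specifier_id() and gasp_version() touch `buf_ptr[0]` and `buf_ptr[1]`, and it also guarantees that `length - IEEE1394_GASP_HDR_SIZE` is at least 1.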
* Re: [PATCH v10 4/7] x86/syscalls/32: Wire up arch_prctl on x86-32
From: Borislav Petkov @ 2016-11-09 11:04 UTC (permalink / raw)
To: Kyle Huey
Cc: Robert O'Callahan, Thomas Gleixner, Andy Lutomirski,
Ingo Molnar, H. Peter Anvin, x86, Paolo Bonzini,
Radim Krčmář, Jeff Dike, Richard Weinberger,
Alexander Viro, Shuah Khan, Dave Hansen, Peter Zijlstra,
Boris Ostrovsky, Len Brown, Rafael J. Wysocki, Dmitry Safonov,
David Matlack, linux-kernel
In-Reply-To: <20161108183956.4521-5-khuey@kylehuey.com>
On Tue, Nov 08, 2016 at 10:39:53AM -0800, Kyle Huey wrote:
> Hook up arch_prctl to call do_arch_prctl on x86-32, and in 32 bit compat
> mode on x86-64. This allows us to have arch_prctls that are not specific to
function_name()
> 64 bits.
>
> On UML, simply stub out this syscall.
>
> Signed-off-by: Kyle Huey <khuey@kylehuey.com>
...
--
Regards/Gruss,
Boris.
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
--