1. 05 Sep, 2016 1 commit
    • Balbir Singh's avatar
      sched/core: Fix a race between try_to_wake_up() and a woken up task · 135e8c92
      Balbir Singh authored
      The origin of the issue I've seen is related to
      a missing memory barrier between check for task->state and
      the check for task->on_rq.
      
      The task being woken up is already awake from a schedule()
      and is doing the following:
      
      	do {
      		schedule()
      		set_current_state(TASK_(UN)INTERRUPTIBLE);
      	} while (!cond);
      
      The waker, actually gets stuck doing the following in
      try_to_wake_up():
      
      	while (p->on_cpu)
      		cpu_relax();
      
      Analysis:
      
      The instance I've seen involves the following race:
      
       CPU1					CPU2
      
       while () {
         if (cond)
           break;
         do {
           schedule();
           set_current_state(TASK_UN..)
         } while (!cond);
      					wakeup_routine()
      					  spin_lock_irqsave(wait_lock)
         raw_spin_lock_irqsave(wait_lock)	  wake_up_process()
       }					  try_to_wake_up()
       set_current_state(TASK_RUNNING);	  ..
       list_del(&waiter.list);
      
      CPU2 wakes up CPU1, but before it can get the wait_lock and set
      current state to TASK_RUNNING the following occurs:
      
       CPU3
       wakeup_routine()
       raw_spin_lock_irqsave(wait_lock)
       if (!list_empty)
         wake_up_process()
         try_to_wake_up()
         raw_spin_lock_irqsave(p->pi_lock)
         ..
         if (p->on_rq && ttwu_wakeup())
         ..
         while (p->on_cpu)
           cpu_relax()
         ..
      
      CPU3 tries to wake up the task on CPU1 again since it finds
      it on the wait_queue, CPU1 is spinning on wait_lock, but immediately
      after CPU2, CPU3 got it.
      
      CPU3 checks the state of p on CPU1, it is TASK_UNINTERRUPTIBLE and
      the task is spinning on the wait_lock. Interestingly since p->on_rq
      is checked under pi_lock, I've noticed that try_to_wake_up() finds
      p->on_rq to be 0. This was the most confusing bit of the analysis,
      but p->on_rq is changed under runqueue lock, rq_lock, the p->on_rq
      check is not reliable without this fix IMHO. The race is visible
      (based on the analysis) only when ttwu_queue() does a remote wakeup
      via ttwu_queue_remote. In which case the p->on_rq change is not
      done uder the pi_lock.
      
      The result is that after a while the entire system locks up on
      the raw_spin_irqlock_save(wait_lock) and the holder spins infintely
      
      Reproduction of the issue:
      
      The issue can be reproduced after a long run on my system with 80
      threads and having to tweak available memory to very low and running
      memory stress-ng mmapfork test. It usually takes a long time to
      reproduce. I am trying to work on a test case that can reproduce
      the issue faster, but thats work in progress. I am still testing the
      changes on my still in a loop and the tests seem OK thus far.
      
      Big thanks to Benjamin and Nick for helping debug this as well.
      Ben helped catch the missing barrier, Nick caught every missing
      bit in my theory.
      Signed-off-by: default avatarBalbir Singh <bsingharora@gmail.com>
      [ Updated comment to clarify matching barriers. Many
        architectures do not have a full barrier in switch_to()
        so that cannot be relied upon. ]
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: default avatarBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Alexey Kardashevskiy <aik@ozlabs.ru>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Nicholas Piggin <nicholas.piggin@gmail.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/e02cce7b-d9ca-1ad0-7a61-ea97c7582b37@gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      135e8c92
  2. 04 Sep, 2016 4 commits
  3. 03 Sep, 2016 9 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 4b30b6d1
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "I'm still prepping a set of fixes for btrfs fsync, just nailing down a
        hard to trigger memory corruption.  For now, these are tested and ready."
      
      * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        btrfs: fix one bug that process may endlessly wait for ticket in wait_reserve_ticket()
        Btrfs: fix endless loop in balancing block groups
        Btrfs: kill invalid ASSERT() in process_all_refs()
      4b30b6d1
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 2bece1a0
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       "arm64 and arm/perf fixes:
      
         - arm64 fix: debug exception unmasking on the CPU resume path
      
         - ARM PMU fixes: memory leak on error path and NULL pointer
           dereference"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1
        drivers/perf: arm_pmu: Fix NULL pointer dereference during probe
        drivers/perf: arm_pmu: Fix leak in error path
      2bece1a0
    • Linus Torvalds's avatar
      Merge tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 593ee4ed
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a number of small driver fixes for 4.8-rc5.
      
        The largest thing here is deleting an obsolete driver,
        drivers/misc/bh1780gli.c, as the functionality of it was replaced by
        an iio driver a while ago.
      
        The other fixes are things that have been reported, or reverts of
        broken stuff (the binder change).  All of these changes have been in
        linux-next for a while with no reported issues"
      
      * tag 'char-misc-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        thunderbolt: Don't declare Falcon Ridge unsupported
        thunderbolt: Add support for INTEL_FALCON_RIDGE_2C controller.
        thunderbolt: Fix resume quirk for Falcon Ridge 4C.
        lkdtm: Mark lkdtm_rodata_do_nothing() notrace
        mei: me: disable driver on SPT SPS firmware
        Revert "android: binder: fix dangling pointer comparison"
        drivers/iio/light/Kconfig: SENSORS_BH1780 cleanup
        android: binder: fix dangling pointer comparison
        misc: delete bh1780 driver
      593ee4ed
    • Linus Torvalds's avatar
      Merge tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 41488202
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here are three small fixes for 4.8-rc5.
      
        One for sysfs, one for kernfs, and one documentation fix, all for
        reported issues.  All of these have been in linux-next for a while"
      
      * tag 'driver-core-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        sysfs: correctly handle read offset on PREALLOC attrs
        documentation: drivers/core/of: fix name of of_node symlink
        kernfs: don't depend on d_find_any_alias() when generating notifications
      41488202
    • Linus Torvalds's avatar
      Merge tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 018c81b8
      Linus Torvalds authored
      Pull staging/IIO driver fixes from Greg KH:
       "Here are a number of small fixes for staging and IIO drivers that
        resolve reported problems.
      
        Full details are in the shortlog.  All of these have been in
        linux-next with no reported issues"
      
      * tag 'staging-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (35 commits)
        arm: dts: rockchip: add reset node for the exist saradc SoCs
        arm64: dts: rockchip: add reset saradc node for rk3368 SoCs
        iio: adc: rockchip_saradc: reset saradc controller before programming it
        iio: accel: kxsd9: Fix raw read return
        iio: adc: ti_am335x_adc: Increase timeout value waiting for ADC sample
        iio: adc: ti_am335x_adc: Protect FIFO1 from concurrent access
        include/linux: fix excess fence.h kernel-doc notation
        staging: wilc1000: correctly check if associatedsta has not been found
        staging: wilc1000: NULL dereference on error
        staging: wilc1000: txq_event: Fix coding error
        MAINTAINERS: Add file patterns for ion device tree bindings
        MAINTAINERS: Update maintainer entry for wilc1000
        iio: chemical: atlas-ph-sensor: fix typo in val assignment
        iio: fix sched WARNING "do not call blocking ops when !TASK_RUNNING"
        staging: comedi: ni_mio_common: fix AO inttrig backwards compatibility
        staging: comedi: dt2811: fix a precedence bug
        staging: comedi: adv_pci1760: Do not return EINVAL for CMDF_ROUND_DOWN.
        staging: comedi: ni_mio_common: fix wrong insn_write handler
        staging: comedi: comedi_test: fix timer race conditions
        staging: comedi: daqboard2000: bug fix board type matching code
        ...
      018c81b8
    • Linus Torvalds's avatar
      Merge tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 39da979c
      Linus Torvalds authored
      Pull serial driver fixes from Greg KH:
       "Here are some small serial driver fixes for 4.8-rc5.  One fixes an
        oft-reported build issue with the fintek driver, another reverts a
        patch that was causing problems, one fixes a crash, and some new
        device ids were added.
      
        All of these have been in linux-next for a while"
      
      * tag 'tty-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: 8250: added acces i/o products quad and octal serial cards
        serial: 8250_mid: fix divide error bug if baud rate is 0
        Revert "tty/serial/8250: use mctrl_gpio helpers"
        8250/fintek: rename IRQ_MODE macro
      39da979c
    • Linus Torvalds's avatar
      Merge tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 70dad499
      Linus Torvalds authored
      Pull USB/PHY fixes from Greg KH:
       "Here are some USB and PHY driver fixes for 4.8-rc5
      
        Nothing major, lots of little fixes for reported bugs, and a build fix
        for a missing .h file that the phy drivers needed.  All of these have
        been in linux-next for a while with no reported issues"
      
      * tag 'usb-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (24 commits)
        usb: musb: Fix locking errors for host only mode
        usb: dwc3: gadget: always decrement by 1
        usb: dwc3: debug: fix ep name on trace output
        usb: gadget: udc: core: don't starve DMA resources
        USB: serial: option: add WeTelecom 0x6802 and 0x6803 products
        USB: avoid left shift by -1
        USB: fix typo in wMaxPacketSize validation
        usb: gadget: Add the gserial port checking in gs_start_tx()
        usb: dwc3: gadget: don't rely on jiffies while holding spinlock
        usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
        usb: gadget: function: f_rndis: socket buffer may be NULL
        usb: gadget: function: f_eem: socket buffer may be NULL
        usb: renesas_usbhs: gadget: fix return value check in usbhs_mod_gadget_probe()
        usb: dwc2: Add reset control to dwc2
        usb: dwc3: core: allow device to runtime_suspend several times
        usb: dwc3: pci: runtime_resume child device
        USB: serial: option: add WeTelecom WM-D200
        usb: chipidea: udc: don't touch DP when controller is in host mode
        USB: serial: mos7840: fix non-atomic allocation in write path
        USB: serial: mos7720: fix non-atomic allocation in write path
        ...
      70dad499
    • Linus Torvalds's avatar
      devpts: return NULL pts 'priv' entry for non-devpts nodes · 3e423945
      Linus Torvalds authored
      In commit 8ead9dd5 ("devpts: more pty driver interface cleanups") I
      made devpts_get_priv() just return the dentry->fs_data directly.  And
      because I thought it wouldn't happen, I added a warning if you ever saw
      a pts node that wasn't on devpts.
      
      And no, that warning never triggered under any actual real use, but you
      can trigger it by creating nonsensical pts nodes by hand.
      
      So just revert the warning, and make devpts_get_priv() return NULL for
      that case like it used to.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org # 4.6+
      Cc: Eric W Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3e423945
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 0141af18
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes for the nvme over fabrics code"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        nvme-rdma: Get rid of redundant defines
        nvme-rdma: Get rid of duplicate variable
        nvme: fabrics drivers don't need the nvme-pci driver
        nvme-fabrics: get a reference when reusing a nvme_host structure
        nvme-fabrics: change NQN UUID to big-endian format
        nvme-loop: set sqsize to 0-based value, per spec
        nvme-rdma: fix sqsize/hsqsize per spec
        fabrics: define admin sqsize min default, per spec
        nvmet-rdma: +1 to *queue_size from hsqsize/hrqsize
        nvmet-rdma: Fix use after free
        nvme-rdma: initialize ret to zero to avoid returning garbage
      0141af18
  4. 02 Sep, 2016 26 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 0ddc9e5a
      Linus Torvalds authored
      Pull TPM bugfix from James Morris.
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        tpm: invalid self test error message
      0ddc9e5a
    • Jarkko Sakkinen's avatar
      tpm: invalid self test error message · 4a29b348
      Jarkko Sakkinen authored
      The driver emits invalid self test error message even though the init
      succeeds.
      Signed-off-by: default avatarJarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
      Fixes: cae8b441 ("tpm: Factor out common startup code")
      Reviewed-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      4a29b348
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 601b5869
      Linus Torvalds authored
      Pull ACPI fixes ffrom Rafael Wysocki:
       "Two stable-candidate fixes for the ACPI early device probing code
        added during the 4.4 cycle, one fixing a typo in a stub macro used
        when CONFIG_ACPI is unset and one that prevents sleeping functions
        from being called under a spinlock (Lorenzo Pieralisi)"
      
      * tag 'acpi-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / drivers: replace acpi_probe_lock spinlock with mutex
        ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro
      601b5869
    • Linus Torvalds's avatar
      Merge tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 9a0bcc8f
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "This includes a stable-candidate cpufreq-dt driver problem fix and
        annotations of tracepoints in the runtime PM framework.
      
        Specifics:
      
         - Fix the definition of the cpufreq-dt driver's machines table
           introduced during the 4.7 cycle that should be NULL-terminated, but
           the termination entry is missing from it (Wei Yongjun).
      
         - Annotate tracepoints in the runtime PM framework's core so as to
           allow the functions containing them to be called from the idle code
           path without causing RCU to complain about illegal usage (Paul
           McKenney)"
      
      * tag 'pm-4.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle
        PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle
        cpufreq: dt: Add terminate entry for of_device_id tables
      9a0bcc8f
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-cpufreq-fixes' and 'pm-core-fixes' · b654c62e
      Rafael J. Wysocki authored
      * pm-cpufreq-fixes:
        cpufreq: dt: Add terminate entry for of_device_id tables
      
      * pm-core-fixes:
        PM / runtime: Add _rcuidle suffix to allow rpm_idle() use from idle
        PM / runtime: Add _rcuidle suffix to allow rpm_resume() to be called from idle
      b654c62e
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: replace acpi_probe_lock spinlock with mutex · 5331d9ca
      Lorenzo Pieralisi authored
      Commit e647b532 ("ACPI: Add early device probing infrastructure")
      introduced code that allows inserting driver specific
      struct acpi_probe_entry probe entries into ACPI linker sections
      (one per-subsystem, eg irqchip, clocksource) that are then walked
      to retrieve the data and function hooks required to probe the
      respective kernel components.
      
      Probing for all entries in a section is triggered through
      the __acpi_probe_device_table() function, that in turn, according
      to the table ID a given probe entry reports parses the table
      with the function retrieved from the respective section structures
      (ie struct acpi_probe_entry). Owing to the current ACPI table
      parsing implementation, the __acpi_probe_device_table() function
      has to share global variables with the acpi_match_madt() function, so
      in order to guarantee mutual exclusion locking is required
      between the two functions.
      
      Current kernel code implements the locking through the acpi_probe_lock
      spinlock; this has the side effect of requiring all code called
      within the lock (ie struct acpi_probe_entry.probe_{table/subtbl} hooks)
      not to sleep.
      
      However, kernel subsystems that make use of the early probing
      infrastructure are relying on kernel APIs that may sleep (eg
      irq_domain_alloc_fwnode(), among others) in the function calls
      pointed at by struct acpi_probe_entry.{probe_table/subtbl} entries
      (eg gic_v2_acpi_init()), which is a bug.
      
      Since __acpi_probe_device_table() is called from context
      that is allowed to sleep the acpi_probe_lock spinlock can be replaced
      with a mutex; this fixes the issue whilst still guaranteeing
      mutual exclusion.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Cc: 4.4+ <stable@vger.kernel.org> # 4.4+
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      5331d9ca
    • Lorenzo Pieralisi's avatar
      ACPI / drivers: fix typo in ACPI_DECLARE_PROBE_ENTRY macro · 3feab13c
      Lorenzo Pieralisi authored
      When the ACPI_DECLARE_PROBE_ENTRY macro was added in
      commit e647b532 ("ACPI: Add early device probing infrastructure"),
      a stub macro adding an unused entry was added for the !CONFIG_ACPI
      Kconfig option case to make sure kernel code making use of the
      macro did not require to be guarded within CONFIG_ACPI in order to
      be compiled.
      
      The stub macro was never used since all kernel code that defines
      ACPI_DECLARE_PROBE_ENTRY entries is currently guarded within
      CONFIG_ACPI; it contains a typo that should be nonetheless fixed.
      
      Fix the typo in the stub (ie !CONFIG_ACPI) ACPI_DECLARE_PROBE_ENTRY()
      macro so that it can actually be used if needed.
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: e647b532 (ACPI: Add early device probing infrastructure)
      Cc: 4.4+ <stable@vger.kernel.org> # 4.4+
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      3feab13c
    • Emanuel Czirai's avatar
      x86/AMD: Apply erratum 665 on machines without a BIOS fix · d1992996
      Emanuel Czirai authored
      AMD F12h machines have an erratum which can cause DIV/IDIV to behave
      unpredictably. The workaround is to set MSRC001_1029[31] but sometimes
      there is no BIOS update containing that workaround so let's do it
      ourselves unconditionally. It is simple enough.
      
      [ Borislav: Wrote commit message. ]
      Signed-off-by: default avatarEmanuel Czirai <icanrealizeum@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Yaowu Xu <yaowu@google.com>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/20160902053550.18097-1-bp@alien8.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      d1992996
    • Steven Rostedt's avatar
      x86/paravirt: Do not trace _paravirt_ident_*() functions · 15301a57
      Steven Rostedt authored
      Łukasz Daniluk reported that on a RHEL kernel that his machine would lock up
      after enabling function tracer. I asked him to bisect the functions within
      available_filter_functions, which he did and it came down to three:
      
        _paravirt_nop(), _paravirt_ident_32() and _paravirt_ident_64()
      
      It was found that this is only an issue when noreplace-paravirt is added
      to the kernel command line.
      
      This means that those functions are most likely called within critical
      sections of the funtion tracer, and must not be traced.
      
      In newer kenels _paravirt_nop() is defined within gcc asm(), and is no
      longer an issue.  But both _paravirt_ident_{32,64}() causes the
      following splat when they are traced:
      
       mm/pgtable-generic.c:33: bad pmd ffff8800d2435150(0000000001d00054)
       mm/pgtable-generic.c:33: bad pmd ffff8800d3624190(0000000001d00070)
       mm/pgtable-generic.c:33: bad pmd ffff8800d36a5110(0000000001d00054)
       mm/pgtable-generic.c:33: bad pmd ffff880118eb1450(0000000001d00054)
       NMI watchdog: BUG: soft lockup - CPU#2 stuck for 22s! [systemd-journal:469]
       Modules linked in: e1000e
       CPU: 2 PID: 469 Comm: systemd-journal Not tainted 4.6.0-rc4-test+ #513
       Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012
       task: ffff880118f740c0 ti: ffff8800d4aec000 task.ti: ffff8800d4aec000
       RIP: 0010:[<ffffffff81134148>]  [<ffffffff81134148>] queued_spin_lock_slowpath+0x118/0x1a0
       RSP: 0018:ffff8800d4aefb90  EFLAGS: 00000246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011eb16d40
       RDX: ffffffff82485760 RSI: 000000001f288820 RDI: ffffea0000008030
       RBP: ffff8800d4aefb90 R08: 00000000000c0000 R09: 0000000000000000
       R10: ffffffff821c8e0e R11: 0000000000000000 R12: ffff880000200fb8
       R13: 00007f7a4e3f7000 R14: ffffea000303f600 R15: ffff8800d4b562e0
       FS:  00007f7a4e3d7840(0000) GS:ffff88011eb00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 00007f7a4e3f7000 CR3: 00000000d3e71000 CR4: 00000000001406e0
       Call Trace:
         _raw_spin_lock+0x27/0x30
         handle_pte_fault+0x13db/0x16b0
         handle_mm_fault+0x312/0x670
         __do_page_fault+0x1b1/0x4e0
         do_page_fault+0x22/0x30
         page_fault+0x28/0x30
         __vfs_read+0x28/0xe0
         vfs_read+0x86/0x130
         SyS_read+0x46/0xa0
         entry_SYSCALL_64_fastpath+0x1e/0xa8
       Code: 12 48 c1 ea 0c 83 e8 01 83 e2 30 48 98 48 81 c2 40 6d 01 00 48 03 14 c5 80 6a 5d 82 48 89 0a 8b 41 08 85 c0 75 09 f3 90 8b 41 08 <85> c0 74 f7 4c 8b 09 4d 85 c9 74 08 41 0f 18 09 eb 02 f3 90 8b
      Reported-by: default avatarŁukasz Daniluk <lukasz.daniluk@intel.com>
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      15301a57
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · f28929ba
      Linus Torvalds authored
      Pull overlayfs fixes from Miklos Szeredi:
       "Most of this is regression fixes for posix acl behavior introduced in
        4.8-rc1 (these were caught by the pjd-fstest suite).  The are also
        miscellaneous fixes marked as stable material and cleanups.
      
        Other than overlayfs code, it touches <linux/fs.h> to add a constant
        with which to disable posix acl caching.  No changes needed to the
        actual caching code, it automatically does the right thing, although
        later we may want to optimize this case.
      
        I'm now testing overlayfs with the following test suites to catch
        regressions:
      
         - unionmount-testsuite
         - xfstests
         - pjd-fstest"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
        ovl: update doc
        ovl: listxattr: use strnlen()
        ovl: Switch to generic_getxattr
        ovl: copyattr after setting POSIX ACL
        ovl: Switch to generic_removexattr
        ovl: Get rid of ovl_xattr_noacl_handlers array
        ovl: Fix OVL_XATTR_PREFIX
        ovl: fix spelling mistake: "directries" -> "directories"
        ovl: don't cache acl on overlay layer
        ovl: use cached acl on underlying layer
        ovl: proper cleanup of workdir
        ovl: remove posix_acl_default from workdir
        ovl: handle umask and posix_acl_default correctly on creation
        ovl: don't copy up opaqueness
      f28929ba
    • James Morse's avatar
      arm64: kernel: Fix unmasked debug exceptions when restoring mdscr_el1 · 744c6c37
      James Morse authored
      Changes to make the resume from cpu_suspend() code behave more like
      secondary boot caused debug exceptions to be unmasked early by
      __cpu_setup(). We then go on to restore mdscr_el1 in cpu_do_resume(),
      potentially taking break or watch points based on uninitialised registers.
      
      Mask debug exceptions in cpu_do_resume(), which is specific to resume
      from cpu_suspend(). Debug exceptions will be restored to their original
      state by local_dbg_restore() in cpu_suspend(), which runs after
      hw_breakpoint_restore() has re-initialised the other registers.
      Reported-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Fixes: cabe1c81 ("arm64: Change cpu_resume() to enable mmu early then access sleep_sp by va")
      Cc: <stable@vger.kernel.org> # 4.7+
      Signed-off-by: default avatarJames Morse <james.morse@arm.com>
      Acked-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      744c6c37
    • Stefan Wahren's avatar
      drivers/perf: arm_pmu: Fix NULL pointer dereference during probe · 63fb0a95
      Stefan Wahren authored
      Patch 7f1d642f ("drivers/perf: arm-pmu: Fix handling of SPI lacking
      interrupt-affinity property") unintended also fixes perf_event support
      for bcm2835 which doesn't have PMU interrupts. Unfortunately this change
      introduce a NULL pointer dereference on bcm2835, because irq_is_percpu
      always expected to be called with a valid IRQ. So fix this regression
      by validating the IRQ before.
      Tested-by: default avatarKevin Hilman <khilman@baylibre.com>
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: 7f1d642f ("drivers/perf: arm-pmu: Fix handling of SPI lacking "interrupt-affinity" property")
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      63fb0a95
    • Stefan Wahren's avatar
      drivers/perf: arm_pmu: Fix leak in error path · 75324684
      Stefan Wahren authored
      In case of a IRQ type mismatch in of_pmu_irq_cfg() the
      device node for interrupt affinity isn't freed. So fix this
      issue by calling of_node_put().
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: fa8ad788 ("arm: perf: factor arm_pmu core out to drivers")
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      75324684
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma · ac810384
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "The fixes this time are all in drivers:
      
         - possible NULL dereference in img-mdc
         - correct device identity for free_irq in at_xdmac
         - missing of_node_put() in fsl probe
         - fix debug log and hotchain corner case for pxa-dma
         - fix checking hardware bits in isr in usb dmac"
      
      * tag 'dmaengine-fix-4.8-rc5' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: img-mdc: fix a possible NULL dereference
        dmaengine: at_xdmac: fix to pass correct device identity to free_irq()
        dmaengine: fsl_raid: add missing of_node_put() in fsl_re_probe()
        dmaengine: pxa_dma: fix debug message
        dmaengine: pxa_dma: fix hotchain corner case
        dmaengine: usb-dmac: check CHCR.DE bit in usb_dmac_isr_channel()
      ac810384
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux · b0be76bf
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Contains fixes for imx, amdgpu, vc4, msm and one nouveau ACPI fix"
      
      * tag 'drm-fixes-for-4.8-rc5' of git://people.freedesktop.org/~airlied/linux:
        drm/amdgpu: record error code when ring test failed
        drm/amd/amdgpu: compute ring test fail during S4 on CI
        drm/amd/amdgpu: sdma resume fail during S4 on CI
        drm/nouveau/acpi: use DSM if bridge does not support D3cold
        drm/imx: fix crtc vblank state regression
        drm/imx: Add active plane reconfiguration support
        drm/msm: protect against faults from copy_from_user() in submit ioctl
        drm/msm: fix use of copy_from_user() while holding spinlock
        drm/vc4: Fix oops when userspace hands in a bad BO.
        drm/vc4: Fix overflow mem unreferencing when the binner runs dry.
        drm/vc4: Free hang state before destroying BO cache.
        drm/vc4: Fix handling of a pm_runtime_get_sync() success case.
        drm/vc4: Use drm_malloc_ab to fix large rendering jobs.
        drm/vc4: Use drm_free_large() on handles to match its allocation.
      b0be76bf
    • Wanpeng Li's avatar
      tick/nohz: Fix softlockup on scheduler stalls in kvm guest · 08d07259
      Wanpeng Li authored
      tick_nohz_start_idle() is prevented to be called if the idle tick can't 
      be stopped since commit 1f3b0f82 ("tick/nohz: Optimize nohz idle 
      enter"). As a result, after suspend/resume the host machine, full dynticks 
      kvm guest will softlockup:
      
       NMI watchdog: BUG: soft lockup - CPU#0 stuck for 26s! [swapper/0:0]
       Call Trace:
        default_idle+0x31/0x1a0
        arch_cpu_idle+0xf/0x20
        default_idle_call+0x2a/0x50
        cpu_startup_entry+0x39b/0x4d0
        rest_init+0x138/0x140
        ? rest_init+0x5/0x140
        start_kernel+0x4c1/0x4ce
        ? set_init_arg+0x55/0x55
        ? early_idt_handler_array+0x120/0x120
        x86_64_start_reservations+0x24/0x26
        x86_64_start_kernel+0x142/0x14f
      
      In addition, cat /proc/stat | grep cpu in guest or host:
      
      cpu  398 16 5049 15754 5490 0 1 46 0 0
      cpu0 206 5 450 0 0 0 1 14 0 0
      cpu1 81 0 3937 3149 1514 0 0 9 0 0
      cpu2 45 6 332 6052 2243 0 0 11 0 0
      cpu3 65 2 328 6552 1732 0 0 11 0 0
      
      The idle and iowait states are weird 0 for cpu0(housekeeping). 
      
      The bug is present in both guest and host kernels, and they both have 
      cpu0's idle and iowait states issue, however, host kernel's suspend/resume 
      path etc will touch watchdog to avoid the softlockup.
      
      - The watchdog will not be touched in tick_nohz_stop_idle path (need be 
        touched since the scheduler stall is expected) if idle_active flags are 
        not detected.
      - The idle and iowait states will not be accounted when exit idle loop 
        (resched or interrupt) if idle start time and idle_active flags are 
        not set. 
      
      This patch fixes it by reverting commit 1f3b0f82 since can't stop 
      idle tick doesn't mean can't be idle.
      
      Fixes: 1f3b0f82 ("tick/nohz: Optimize nohz idle enter")
      Signed-off-by: default avatarWanpeng Li <wanpeng.li@hotmail.com>
      Cc: Sanjeev Yadav<sanjeev.yadav@spreadtrum.com>
      Cc: Gaurav Jindal<gaurav.jindal@spreadtrum.com>
      Cc: stable@vger.kernel.org
      Cc: kvm@vger.kernel.org
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Link: http://lkml.kernel.org/r/1472798303-4154-1-git-send-email-wanpeng.li@hotmail.comSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      08d07259
    • Dave Airlie's avatar
      Merge tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux into drm-fixes · 603f2c9f
      Dave Airlie authored
      This pull request brings in fixes for VC4 3D in 4.8, most of which are
      covered by testcases.
      
      * tag 'drm-vc4-fixes-2016-08-29' of https://github.com/anholt/linux:
        drm/vc4: Fix oops when userspace hands in a bad BO.
        drm/vc4: Fix overflow mem unreferencing when the binner runs dry.
        drm/vc4: Free hang state before destroying BO cache.
        drm/vc4: Fix handling of a pm_runtime_get_sync() success case.
        drm/vc4: Use drm_malloc_ab to fix large rendering jobs.
        drm/vc4: Use drm_free_large() on handles to match its allocation.
      603f2c9f
    • Dave Airlie's avatar
      Merge tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux into drm-fixes · 53229425
      Dave Airlie authored
      imx-drm atomic modeset regression fixes
      
      - add active plane reconfiguration support
      - add back crtc vblank state reporting
      
      * tag 'imx-drm-fixes-2016-08-30' of git://git.pengutronix.de/git/pza/linux:
        drm/imx: fix crtc vblank state regression
        drm/imx: Add active plane reconfiguration support
      53229425
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · cc4163da
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A collection of small fixes for various SoC vendor clk drivers"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: rockchip: mark aclk_emmc_noc as a critical clock on rk3399
        clk: tegra: remove TEGRA_PLL_USE_LOCK for PLLD/PLLD2
        clk: rockchip: fix incorrect GATE bits for {c, g}pll_aclk_perihp_src on rk3399
        clk: rockchip: fix incorrect aclk_emmc source gate bits on rk3399
        clk: renesas: r8a7795: Fix SD clocks
        clk: rockchip: fix rk3399 aclk_vio gate bit
        clk: sunxi-ng: Fix inverted test condition in ccu_helper_wait_for_lock
      cc4163da
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · b9677faf
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "14 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        rapidio/tsi721: fix incorrect detection of address translation condition
        rapidio/documentation/mport_cdev: add missing parameter description
        kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
        MAINTAINERS: Vladimir has moved
        mm, mempolicy: task->mempolicy must be NULL before dropping final reference
        printk/nmi: avoid direct printk()-s from __printk_nmi_flush()
        treewide: remove references to the now unnecessary DEFINE_PCI_DEVICE_TABLE
        drivers/scsi/wd719x.c: remove last declaration using DEFINE_PCI_DEVICE_TABLE
        mm, vmscan: only allocate and reclaim from zones with pages managed by the buddy allocator
        lib/test_hash.c: fix warning in preprocessor symbol evaluation
        lib/test_hash.c: fix warning in two-dimensional array init
        kconfig: tinyconfig: provide whole choice blocks to avoid warnings
        kexec: fix double-free when failing to relocate the purgatory
        mm, oom: prevent premature OOM killer invocation for high order request
      b9677faf
    • Alexandre Bounine's avatar
      rapidio/tsi721: fix incorrect detection of address translation condition · b3006929
      Alexandre Bounine authored
      Fix incorrect condition to identify involvment of a address translation
      mechanism.
      
      This bug results in NULL pointer kernel crash dump in cases when mapping
      of inbound RapidIO address range is requested within existing aprture.
      
      Link: http://lkml.kernel.org/r/20160901173144.2983-1-alexandre.bounine@idt.comSigned-off-by: default avatarAlexandre Bounine <alexandre.bounine@idt.com>
      Cc: Matt Porter <mporter@kernel.crashing.org>
      Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
      Cc: Barry Wood <barry.wood@idt.com>
      Cc: <stable@vger.kernel.org>	[4.6+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b3006929
    • Alexandre Bounine's avatar
      rapidio/documentation/mport_cdev: add missing parameter description · 1e1011af
      Alexandre Bounine authored
      Add missing description for rio_mport_cdev driver parameter
      'dma_timeout'.
      
      This patch is applicable to kernel versions starting from v4.6.
      
      Link: http://lkml.kernel.org/r/20160901173104.2928-1-alexandre.bounine@idt.comSigned-off-by: default avatarAlexandre Bounine <alexandre.bounine@idt.com>
      Cc: Matt Porter <mporter@kernel.crashing.org>
      Cc: Andre van Herk <andre.van.herk@prodrive-technologies.com>
      Cc: Barry Wood <barry.wood@idt.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1e1011af
    • Michal Hocko's avatar
      kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd · 735f2770
      Michal Hocko authored
      Commit fec1d011 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal
      exit") has caused a subtle regression in nscd which uses
      CLONE_CHILD_CLEARTID to clear the nscd_certainly_running flag in the
      shared databases, so that the clients are notified when nscd is
      restarted.  Now, when nscd uses a non-persistent database, clients that
      have it mapped keep thinking the database is being updated by nscd, when
      in fact nscd has created a new (anonymous) one (for non-persistent
      databases it uses an unlinked file as backend).
      
      The original proposal for the CLONE_CHILD_CLEARTID change claimed
      (https://lkml.org/lkml/2006/10/25/233):
      
      : The NPTL library uses the CLONE_CHILD_CLEARTID flag on clone() syscalls
      : on behalf of pthread_create() library calls.  This feature is used to
      : request that the kernel clear the thread-id in user space (at an address
      : provided in the syscall) when the thread disassociates itself from the
      : address space, which is done in mm_release().
      :
      : Unfortunately, when a multi-threaded process incurs a core dump (such as
      : from a SIGSEGV), the core-dumping thread sends SIGKILL signals to all of
      : the other threads, which then proceed to clear their user-space tids
      : before synchronizing in exit_mm() with the start of core dumping.  This
      : misrepresents the state of process's address space at the time of the
      : SIGSEGV and makes it more difficult for someone to debug NPTL and glibc
      : problems (misleading him/her to conclude that the threads had gone away
      : before the fault).
      :
      : The fix below is to simply avoid the CLONE_CHILD_CLEARTID action if a
      : core dump has been initiated.
      
      The resulting patch from Roland (https://lkml.org/lkml/2006/10/26/269)
      seems to have a larger scope than the original patch asked for.  It
      seems that limitting the scope of the check to core dumping should work
      for SIGSEGV issue describe above.
      
      [Changelog partly based on Andreas' description]
      Fixes: fec1d011 ("[PATCH] Disable CLONE_CHILD_CLEARTID for abnormal exit")
      Link: http://lkml.kernel.org/r/1471968749-26173-1-git-send-email-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Tested-by: default avatarWilliam Preston <wpreston@suse.com>
      Acked-by: default avatarOleg Nesterov <oleg@redhat.com>
      Cc: Roland McGrath <roland@hack.frob.com>
      Cc: Andreas Schwab <schwab@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      735f2770
    • Vladimir Davydov's avatar
      MAINTAINERS: Vladimir has moved · c4e29738
      Vladimir Davydov authored
      vdavydov@{parallels,virtuozzo}.com will bounce from now on.
      
      Link: http://lkml.kernel.org/r/20160831180752.GB10353@esperanzaSigned-off-by: default avatarVladimir Davydov <vdavydov.dev@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c4e29738
    • David Rientjes's avatar
      mm, mempolicy: task->mempolicy must be NULL before dropping final reference · c11600e4
      David Rientjes authored
      KASAN allocates memory from the page allocator as part of
      kmem_cache_free(), and that can reference current->mempolicy through any
      number of allocation functions.  It needs to be NULL'd out before the
      final reference is dropped to prevent a use-after-free bug:
      
      	BUG: KASAN: use-after-free in alloc_pages_current+0x363/0x370 at addr ffff88010b48102c
      	CPU: 0 PID: 15425 Comm: trinity-c2 Not tainted 4.8.0-rc2+ #140
      	...
      	Call Trace:
      		dump_stack
      		kasan_object_err
      		kasan_report_error
      		__asan_report_load2_noabort
      		alloc_pages_current	<-- use after free
      		depot_save_stack
      		save_stack
      		kasan_slab_free
      		kmem_cache_free
      		__mpol_put		<-- free
      		do_exit
      
      This patch sets current->mempolicy to NULL before dropping the final
      reference.
      
      Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1608301442180.63329@chino.kir.corp.google.com
      Fixes: cd11016e ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Acked-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>	[4.6+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c11600e4
    • Sergey Senozhatsky's avatar
      printk/nmi: avoid direct printk()-s from __printk_nmi_flush() · 19feeff1
      Sergey Senozhatsky authored
      __printk_nmi_flush() can be called from nmi_panic(), therefore it has to
      test whether it's executed in NMI context and thus must route the
      messages through deferred printk() or via direct printk().
      
      This is to avoid potential deadlocks, as described in commit
      cf9b1106 ("printk/nmi: flush NMI messages on the system panic").
      
      However there remain two places where __printk_nmi_flush() does
      unconditional direct printk() calls:
      
       - pr_err("printk_nmi_flush: internal error ...")
       - pr_cont("\n")
      
      Factor out print_nmi_seq_line() parts into a new printk_nmi_flush_line()
      function, which takes care of in_nmi(), and use it in
      __printk_nmi_flush() for printing and error-reporting.
      
      Link: http://lkml.kernel.org/r/20160830161354.581-1-sergey.senozhatsky@gmail.comSigned-off-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Jan Kara <jack@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      19feeff1