1. 31 Aug, 2016 12 commits
  2. 28 Aug, 2016 7 commits
    • Linus Torvalds's avatar
      Linux 4.8-rc4 · 3eab887a
      Linus Torvalds authored
      3eab887a
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux · 25d0d91a
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A bunch of fixes covering i915, amdgpu, one tegra and some core DRM
        ones.  Nothing too strange at this point"
      
      * tag 'drm-fixes-for-4.8-rc4' of git://people.freedesktop.org/~airlied/linux: (21 commits)
        drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates.
        drm: Protect fb_defio in drivers with CONFIG_KMS_FBDEV_EMULATION
        drm/amdgpu: skip TV/CV in display parsing
        drm/amdgpu: avoid a possible array overflow
        drm/amdgpu: fix lru size grouping v2
        drm/tegra: dsi: Enhance runtime power management
        drm/i915: Fix botched merge that downgrades CSR versions.
        drm/i915/skl: Ensure pipes with changed wms get added to the state
        drm/i915/gen9: Only copy WM results for changed pipes to skl_hw
        drm/i915/skl: Add support for the SAGV, fix underrun hangs
        drm/i915/gen6+: Interpret mailbox error flags
        drm/i915: Reattach comment, complete type specification
        drm/i915: Unconditionally flush any chipset buffers before execbuf
        drm/i915/gen9: Drop invalid WARN() during data rate calculation
        drm/i915/gen9: Initialize intel_state->active_crtcs during WM sanitization (v2)
        drm: Reject page_flip for !DRIVER_MODESET
        drm/amdgpu: fix timeout value check in amd_sched_job_recovery
        drm/amdgpu: fix sdma_v2_4_ring_test_ib
        drm/amdgpu: fix amdgpu_move_blit on 32bit systems
        drm/radeon: fix radeon_move_blit on 32bit systems
        ...
      25d0d91a
    • Mario Kleiner's avatar
      drm/atomic: Don't potentially reset color_mgmt_changed on successive property updates. · add1fa75
      Mario Kleiner authored
      Due to assigning the 'replaced' value instead of or'ing it,
      if drm_atomic_crtc_set_property() gets called multiple times,
      the last call will define the color_mgmt_changed flag, so
      a non-updating call to a property can reset the flag and
      prevent actual hw state updates required by preceding
      property updates.
      Signed-off-by: default avatarMario Kleiner <mario.kleiner.de@gmail.com>
      Cc: Daniel Vetter <daniel.vetter@intel.com>
      Cc: <stable@vger.kernel.org> # v4.6+
      Reviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      add1fa75
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 908e373f
      Linus Torvalds authored
      Pull perf fixes from Thomas Gleixner:
       "A few fixes from the perf departement
      
         - prevent a imbalanced preemption disable in the events teardown code
         - prevent out of bound acces in perf userspace
         - make perf tools compile with UCLIBC again
         - a fix for the userspace unwinder utility"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Use this_cpu_ptr() when stopping AUX events
        perf evsel: Do not access outside hw cache name arrays
        tools lib: Reinstate strlcpy() header guard with __UCLIBC__
        perf unwind: Use addr_location::addr instead of ip for entries
      908e373f
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 5d84ee79
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "A single bugfix to prevent irq remapping when the ioapic is disabled"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/apic: Do not init irq remapping if ioapic is disabled
      5d84ee79
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4340393e
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "This lot provides:
      
         - plug a hotplug race in the new affinity infrastructure
         - a fix for the trigger type of chained interrupts
         - plug a potential memory leak in the core code
         - a few fixes for ARM and MIPS GICs"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/mips-gic: Implement activate op for device domain
        irqchip/mips-gic: Cleanup chip and handler setup
        genirq/affinity: Use get/put_online_cpus around cpumask operations
        genirq: Fix potential memleak when failing to get irq pm
        irqchip/gicv3-its: Disable the ITS before initializing it
        irqchip/gicv3: Remove disabling redistributor and group1 non-secure interrupts
        irqchip/gic: Allow self-SGIs for SMP on UP configurations
        genirq: Correctly configure the trigger on chained interrupts
      4340393e
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 037d2405
      Linus Torvalds authored
      Pull timer fixes from Thomas Gleixner:
       "A few updates for timers & co:
      
         - prevent a livelock in the timekeeping code when debugging is
           enabled
      
         - prevent out of bounds access in the timekeeping debug code
      
         - various fixes in clocksource drivers
      
         - a new maintainers entry"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource/drivers/sun4i: Clear interrupts after stopping timer in probe function
        drivers/clocksource/pistachio: Fix memory corruption in init
        clocksource/drivers/timer-atmel-pit: Enable mck clock
        clocksource/drivers/pxa: Fix include files for compilation
        MAINTAINERS: Add ARM ARCHITECTED TIMER entry
        timekeeping: Cap array access in timekeeping_debug
        timekeeping: Avoid taking lock in NMI path with CONFIG_DEBUG_TIMEKEEPING
      037d2405
  3. 27 Aug, 2016 21 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · af56ff27
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "ARM:
         - fixes for ITS init issues, error handling, IRQ leakage, race
           conditions
         - an erratum workaround for timers
         - some removal of misleading use of errors and comments
         - a fix for GICv3 on 32-bit guests
      
        MIPS:
         - fix for where the guest could wrongly map the first page of
           physical memory
      
        x86:
         - nested virtualization fixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        MIPS: KVM: Check for pfn noslot case
        kvm: nVMX: fix nested tsc scaling
        KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
        KVM: nVMX: fix msr bitmaps to prevent L2 from accessing L0 x2APIC
        arm64: KVM: report configured SRE value to 32-bit world
        arm64: KVM: remove misleading comment on pmu status
        KVM: arm/arm64: timer: Workaround misconfigured timer interrupt
        arm64: Document workaround for Cortex-A72 erratum #853709
        KVM: arm/arm64: Change misleading use of is_error_pfn
        KVM: arm64: ITS: avoid re-mapping LPIs
        KVM: arm64: check for ITS device on MSI injection
        KVM: arm64: ITS: move ITS registration into first VCPU run
        KVM: arm64: vgic-its: Make updates to propbaser/pendbaser atomic
        KVM: arm64: vgic-its: Plug race in vgic_put_irq
        KVM: arm64: vgic-its: Handle errors from vgic_add_lpi
        KVM: arm64: ITS: return 1 on successful MSI injection
      af56ff27
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 5e608a02
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "11 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm: silently skip readahead for DAX inodes
        dax: fix device-dax region base
        fs/seq_file: fix out-of-bounds read
        mm: memcontrol: avoid unused function warning
        mm: clarify COMPACTION Kconfig text
        treewide: replace config_enabled() with IS_ENABLED() (2nd round)
        printk: fix parsing of "brl=" option
        soft_dirty: fix soft_dirty during THP split
        sysctl: handle error writing UINT_MAX to u32 fields
        get_maintainer: quiet noisy implicit -f vcs_file_exists checking
        byteswap: don't use __builtin_bswap*() with sparse
      5e608a02
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 65fc7d54
      Linus Torvalds authored
      Pull ARM64 fix from Catalin Marinas:
       "ARM64 fix to avoid potential TLB conflict when CONFIG_RANDOMIZE_BASE
        is enabled"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: avoid TLB conflict with CONFIG_RANDOMIZE_BASE
      65fc7d54
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · a3d34698
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "Round one of 4.8 rc fixes.
      
        This should be the bulk of the -rc fixes for 4.8.  I only have a few
        things that are still outstanding (two ipoib bugs for which the
        solution is not yet fully known, and a few queued items that came in
        after my last push and I didn't want to delay this pull request for
        late comers again).
      
        Even though the patch count is kind of high, everything is minor fixes
        so the overall churn is pretty low.
      
        Summary:
      
         - minor fixes to cxgb4
         - minor fixes to mlx4
         - one minor fix each to core, rxe, isert, srpt, mlx5, ocrdma, and usnic
         - six or so fixes to i40iw fixes
         - the rest are hfi1 fixes"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (34 commits)
        i40iw: Send last streaming mode message for loopback connections
        IB/srpt: Update sport->port_guid with each port refresh
        RDMA/ocrdma: Fix the max_sge reported from FW
        i40iw: Avoid writing to freed memory
        i40iw: Fix double free of allocated_buffer
        IB/mlx5: Remove superfluous include of io-mapping.h
        i40iw: Do not set self-referencing pointer to NULL after kfree
        i40iw: Add missing NULL check for MPA private data
        iw_cxgb4: Fix cxgb4 arm CQ logic w/IB_CQ_REPORT_MISSED_EVENTS
        i40iw: Add missing check for interface already open
        i40iw: Protect req_resource_num update
        i40iw: Change mem_resources pointer to a u8
        IB/core: Use memdup_user() rather than duplicating its implementation
        IB/qib: Use memdup_user() rather than duplicating its implementation
        iw_cxgb4: use the MPA initiator's IRD if < our ORD
        iw_cxgb4: limit IRD/ORD advertised to ULP by device max.
        IB/hfi1: Fix mm_struct use after free
        IB/rdmvat: Fix double vfree() in rvt_create_qp() error path
        IB/hfi1: Improve J_KEY generation
        IB/hfi1: Return invalid field for non-QSFP CableInfo queries
        ...
      a3d34698
    • Linus Torvalds's avatar
      Merge tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 03cef710
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are a bunch of fixes as you can see in diffstat.
      
        One core change in ASoC is about the unexpected unbinding error, and
        another about debugfs cleanup.
      
        The rest are wide-spread driver-specific fixes: a series of LINE6 USB
        fixes, a HD-audio quirk, and various ASoC fixes including OMAP boot
        fixes and Intel SKL fixes"
      
      * tag 'sound-4.8-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (22 commits)
        ALSA: hda/realtek - fix headset mic detection for MSI MS-B120
        ASoC: omap-mcpdm: Fix irq resource handling
        ASoC: max98371: Add terminate entry for i2c_device_id tables
        ALSA: line6: Fix POD sysfs attributes segfault
        ALSA: line6: Give up on the lock while URBs are released.
        ALSA: line6: Remove double line6_pcm_release() after failed acquire.
        ASoC: omap-abe-twl6040: Correct dmic-codec device registration
        ASoC: core: Clean up DAPM before the card debugfs
        ASoC: omap-mcpdm: Drop pdmclk clock handling
        ASoC: atmel_ssc_dai: Don't unconditionally reset SSC on stream startup
        ASoC: compress: Fix leak of a widget list in soc_compr_open_fe
        ASoC: Intel: Skylake: Fix error return code in skl_probe()
        ASoC: wm2000: Fix return of uninitialised varible
        ASoC: Fix leak of rtd in soc_bind_dai_link
        ASoC: da7213: Default to 64 BCLKs per WCLK to support all formats
        ASoC: nau8825: fix static check error about semaphone control
        ASoC: nau8825: fix bug in playback when suspend
        ASoC: samsung: Fix clock handling in S3C24XX_UDA134X card
        ASoC: simple-card-utils: add missing MODULE_xxx()
        ASoC: Intel: Skylake: Check list empty while getting module info
        ...
      03cef710
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 28687b93
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "We've queued up a few different fixes in here.  These range from
        enospc corners to fsync and quota fixes, and a few targeted at error
        handling for corrupt metadata/fuzzing"
      
      * 'for-linus-4.8' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        Btrfs: fix lockdep warning on deadlock against an inode's log mutex
        Btrfs: detect corruption when non-root leaf has zero item
        Btrfs: check btree node's nritems
        btrfs: don't create or leak aliased root while cleaning up orphans
        Btrfs: fix em leak in find_first_block_group
        btrfs: do not background blkdev_put()
        Btrfs: clarify do_chunk_alloc()'s return value
        btrfs: fix fsfreeze hang caused by delayed iputs deal
        btrfs: update btrfs_space_info's bytes_may_use timely
        btrfs: divide btrfs_update_reserved_bytes() into two functions
        btrfs: use correct offset for reloc_inode in prealloc_file_extent_cluster()
        btrfs: qgroup: Fix qgroup incorrectness caused by log replay
        btrfs: relocation: Fix leaking qgroups numbers on data extents
        btrfs: qgroup: Refactor btrfs_qgroup_insert_dirty_extent()
        btrfs: waiting on qgroup rescan should not always be interruptible
        btrfs: properly track when rescan worker is running
        btrfs: flush_space: treat return value of do_chunk_alloc properly
        Btrfs: add ASSERT for block group's memory leak
        btrfs: backref: Fix soft lockup in __merge_refs function
        Btrfs: fix memory leak of reloc_root
      28687b93
    • Linus Torvalds's avatar
      Merge tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm · 370f6017
      Linus Torvalds authored
      Pull dlm fix from David Teigland:
       "This fixes a bug introduced by recent debugfs cleanup"
      
      * tag 'dlm-4.8-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/linux-dlm:
        dlm: fix malfunction of dlm_tool caused by debugfs changes
      370f6017
    • Linus Torvalds's avatar
      Merge tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm · 6ec675ed
      Linus Torvalds authored
      Pull device mapper fixes from Mike Snitzer:
      
       - another stable fix for DM flakey (that tweaks the previous fix that
         didn't factor in expected 'drop_writes' behavior for read IO).
      
       - a dm-log bio operation flags fix for the broader block changes that
         were merged during the 4.8 merge window.
      
      * tag 'dm-4.8-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm log: fix unitialized bio operation flags
        dm flakey: fix reads to be issued if drop_writes configured
      6ec675ed
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 67a8c7d6
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Fixes from Will Deacon:
      
         - fix a couple of thinkos in the CMDQ error handling and
           short-descriptor page table code that have been there since day one
      
         - disable stalling faults, since they may result in hardware deadlock
      
         - fix an accidental BUG() when passing disable_bypass=1 on the
           cmdline"
      
      * tag 'iommu-fixes-v4.8-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/arm-smmu: Don't BUG() if we find aborting STEs with disable_bypass
        iommu/arm-smmu: Disable stalling faults for all endpoints
        iommu/arm-smmu: Fix CMDQ error handling
        iommu/io-pgtable-arm-v7s: Fix attributes when splitting blocks
      67a8c7d6
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · fd1ae514
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "Here's a set of block fixes for the current 4.8-rc release.  This
        contains:
      
         - a fix for a secure erase regression, from Adrian.
      
         - a fix for an mmc use-after-free bug regression, also from Adrian.
      
         - potential zero pointer deference in bdev freezing, from Andrey.
      
         - a race fix for blk_set_queue_dying() from Bart.
      
         - a set of xen blkfront fixes from Bob Liu.
      
         - three small fixes for bcache, from Eric and Kent.
      
         - a fix for a potential invalid NVMe state transition, from Gabriel.
      
         - blk-mq CPU offline fix, preventing us from issuing and completing a
           request on the wrong queue.  From me.
      
         - revert two previous floppy changes, since they caused a user
           visibile regression.  A better fix is in the works.
      
         - ensure that we don't send down bios that have more than 256
           elements in them.  Fixes a crash with bcache, for example.  From
           Ming.
      
         - a fix for deferencing an error pointer with cgroup writeback.
           Fixes a regression.  From Vegard"
      
      * 'for-linus' of git://git.kernel.dk/linux-block:
        mmc: fix use-after-free of struct request
        Revert "floppy: refactor open() flags handling"
        Revert "floppy: fix open(O_ACCMODE) for ioctl-only open"
        fs/block_dev: fix potential NULL ptr deref in freeze_bdev()
        blk-mq: improve warning for running a queue on the wrong CPU
        blk-mq: don't overwrite rq->mq_ctx
        block: make sure a big bio is split into at most 256 bvecs
        nvme: Fix nvme_get/set_features() with a NULL result pointer
        bdev: fix NULL pointer dereference
        xen-blkfront: free resources if xlvbd_alloc_gendisk fails
        xen-blkfront: introduce blkif_set_queue_limits()
        xen-blkfront: fix places not updated after introducing 64KB page granularity
        bcache: pr_err: more meaningful error message when nr_stripes is invalid
        bcache: RESERVE_PRIO is too small by one when prio_buckets() is a power of two.
        bcache: register_bcache(): call blkdev_put() when cache_alloc() fails
        block: Fix race triggered by blk_set_queue_dying()
        block: Fix secure erase
        nvme: Prevent controller state invalid transition
      fd1ae514
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · b09c412a
      Linus Torvalds authored
      Pull input subsystem fixes from Dmitry Torokhov:
       "Simply small driver fixups"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: ads7846 - remove redundant regulator_disable call
        Input: synaptics-rmi4 - fix register descriptor subpacket map construction
        Input: tegra-kbc - fix inverted reset logic
        Input: silead - use devm_gpiod_get
        Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
      b09c412a
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 219c04ce
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
       "Resource management:
         - Update "pci=resource_alignment" documentation (Mathias Koehrer)
      
        MSI:
         - Use positive flags in pci_alloc_irq_vectors() (Christoph Hellwig)
         - Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors() (Christoph Hellwig)
      
        Intel VMD host bridge driver:
         - Fix infinite loop executing irq's (Keith Busch)"
      
      * tag 'pci-v4.8-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        x86/PCI: VMD: Fix infinite loop executing irq's
        PCI: Call pci_intx() when using legacy interrupts in pci_alloc_irq_vectors()
        PCI: Use positive flags in pci_alloc_irq_vectors()
        PCI: Update "pci=resource_alignment" documentation
      219c04ce
    • Ross Zwisler's avatar
      mm: silently skip readahead for DAX inodes · 11bd969f
      Ross Zwisler authored
      For DAX inodes we need to be careful to never have page cache pages in
      the mapping->page_tree.  This radix tree should be composed only of DAX
      exceptional entries and zero pages.
      
      ltp's readahead02 test was triggering a warning because we were trying
      to insert a DAX exceptional entry but found that a page cache page had
      already been inserted into the tree.  This page was being inserted into
      the radix tree in response to a readahead(2) call.
      
      Readahead doesn't make sense for DAX inodes, but we don't want it to
      report a failure either.  Instead, we just return success and don't do
      any work.
      
      Link: http://lkml.kernel.org/r/20160824221429.21158-1-ross.zwisler@linux.intel.comSigned-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Reported-by: default avatarJeff Moyer <jmoyer@redhat.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Chinner <david@fromorbit.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Jan Kara <jack@suse.com>
      Cc: <stable@vger.kernel.org>	[4.5+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      11bd969f
    • Dan Williams's avatar
      dax: fix device-dax region base · d0e58455
      Dan Williams authored
      The data offset for a dax region needs to account for a reservation in
      the resource range.  Otherwise, device-dax is allowing mappings directly
      into the memmap or device-info-block area with crash signatures like the
      following:
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
       IP: get_zone_device_page+0x11/0x30
       Call Trace:
         follow_devmap_pmd+0x298/0x2c0
         follow_page_mask+0x275/0x530
         __get_user_pages+0xe3/0x750
         __gfn_to_pfn_memslot+0x1b2/0x450 [kvm]
         tdp_page_fault+0x130/0x280 [kvm]
         kvm_mmu_page_fault+0x5f/0xf0 [kvm]
         handle_ept_violation+0x94/0x180 [kvm_intel]
         vmx_handle_exit+0x1d3/0x1440 [kvm_intel]
         kvm_arch_vcpu_ioctl_run+0x81d/0x16a0 [kvm]
         kvm_vcpu_ioctl+0x33c/0x620 [kvm]
         do_vfs_ioctl+0xa2/0x5d0
         SyS_ioctl+0x79/0x90
         entry_SYSCALL_64_fastpath+0x1a/0xa4
      
      Fixes: ab68f262 ("/dev/dax, pmem: direct access to persistent memory")
      Link: http://lkml.kernel.org/r/147205536732.1606.8994275381938837346.stgit@dwillia2-desk3.amr.corp.intel.comSigned-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Reported-by: default avatarAbhilash Kumar Mulumudi <m.abhilash-kumar@hpe.com>
      Reported-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Tested-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      d0e58455
    • Vegard Nossum's avatar
      fs/seq_file: fix out-of-bounds read · 088bf2ff
      Vegard Nossum authored
      seq_read() is a nasty piece of work, not to mention buggy.
      
      It has (I think) an old bug which allows unprivileged userspace to read
      beyond the end of m->buf.
      
      I was getting these:
      
          BUG: KASAN: slab-out-of-bounds in seq_read+0xcd2/0x1480 at addr ffff880116889880
          Read of size 2713 by task trinity-c2/1329
          CPU: 2 PID: 1329 Comm: trinity-c2 Not tainted 4.8.0-rc1+ #96
          Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
          Call Trace:
            kasan_object_err+0x1c/0x80
            kasan_report_error+0x2cb/0x7e0
            kasan_report+0x4e/0x80
            check_memory_region+0x13e/0x1a0
            kasan_check_read+0x11/0x20
            seq_read+0xcd2/0x1480
            proc_reg_read+0x10b/0x260
            do_loop_readv_writev.part.5+0x140/0x2c0
            do_readv_writev+0x589/0x860
            vfs_readv+0x7b/0xd0
            do_readv+0xd8/0x2c0
            SyS_readv+0xb/0x10
            do_syscall_64+0x1b3/0x4b0
            entry_SYSCALL64_slow_path+0x25/0x25
          Object at ffff880116889100, in cache kmalloc-4096 size: 4096
          Allocated:
          PID = 1329
            save_stack_trace+0x26/0x80
            save_stack+0x46/0xd0
            kasan_kmalloc+0xad/0xe0
            __kmalloc+0x1aa/0x4a0
            seq_buf_alloc+0x35/0x40
            seq_read+0x7d8/0x1480
            proc_reg_read+0x10b/0x260
            do_loop_readv_writev.part.5+0x140/0x2c0
            do_readv_writev+0x589/0x860
            vfs_readv+0x7b/0xd0
            do_readv+0xd8/0x2c0
            SyS_readv+0xb/0x10
            do_syscall_64+0x1b3/0x4b0
            return_from_SYSCALL_64+0x0/0x6a
          Freed:
          PID = 0
          (stack is not available)
          Memory state around the buggy address:
           ffff88011688a000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
           ffff88011688a080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          >ffff88011688a100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      		       ^
           ffff88011688a180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
           ffff88011688a200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
          ==================================================================
          Disabling lock debugging due to kernel taint
      
      This seems to be the same thing that Dave Jones was seeing here:
      
        https://lkml.org/lkml/2016/8/12/334
      
      There are multiple issues here:
      
        1) If we enter the function with a non-empty buffer, there is an attempt
           to flush it. But it was not clearing m->from after doing so, which
           means that if we try to do this flush twice in a row without any call
           to traverse() in between, we are going to be reading from the wrong
           place -- the splat above, fixed by this patch.
      
        2) If there's a short write to userspace because of page faults, the
           buffer may already contain multiple lines (i.e. pos has advanced by
           more than 1), but we don't save the progress that was made so the
           next call will output what we've already returned previously. Since
           that is a much less serious issue (and I have a headache after
           staring at seq_read() for the past 8 hours), I'll leave that for now.
      
      Link: http://lkml.kernel.org/r/1471447270-32093-1-git-send-email-vegard.nossum@oracle.comSigned-off-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      088bf2ff
    • Arnd Bergmann's avatar
      mm: memcontrol: avoid unused function warning · 358c07fc
      Arnd Bergmann authored
      A bugfix in v4.8-rc2 introduced a harmless warning when
      CONFIG_MEMCG_SWAP is disabled but CONFIG_MEMCG is enabled:
      
        mm/memcontrol.c:4085:27: error: 'mem_cgroup_id_get_online' defined but not used [-Werror=unused-function]
         static struct mem_cgroup *mem_cgroup_id_get_online(struct mem_cgroup *memcg)
      
      This moves the function inside of the #ifdef block that hides the
      calling function, to avoid the warning.
      
      Fixes: 1f47b61f ("mm: memcontrol: fix swap counter leak on swapout from offline cgroup")
      Link: http://lkml.kernel.org/r/20160824113733.2776701-1-arnd@arndb.deSigned-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarVladimir Davydov <vdavydov@virtuozzo.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      358c07fc
    • Michal Hocko's avatar
      mm: clarify COMPACTION Kconfig text · b32eaf71
      Michal Hocko authored
      The current wording of the COMPACTION Kconfig help text doesn't
      emphasise that disabling COMPACTION might cripple the page allocator
      which relies on the compaction quite heavily for high order requests and
      an unexpected OOM can happen with the lack of compaction.  Make sure we
      are vocal about that.
      
      Link: http://lkml.kernel.org/r/20160823091726.GK23577@dhcp22.suse.czSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
      Cc: Mel Gorman <mgorman@suse.de>
      Cc: Joonsoo Kim <js1304@gmail.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b32eaf71
    • Masahiro Yamada's avatar
      treewide: replace config_enabled() with IS_ENABLED() (2nd round) · a5ff1b34
      Masahiro Yamada authored
      Commit 97f2645f ("tree-wide: replace config_enabled() with
      IS_ENABLED()") mostly killed config_enabled(), but some new users have
      appeared for v4.8-rc1.  They are all used for a boolean option, so can
      be replaced with IS_ENABLED() safely.
      
      Link: http://lkml.kernel.org/r/1471970749-24867-1-git-send-email-yamada.masahiro@socionext.comSigned-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarPeter Oberparleiter <oberpar@linux.vnet.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a5ff1b34
    • Nicolas Iooss's avatar
      printk: fix parsing of "brl=" option · ae6c33ba
      Nicolas Iooss authored
      Commit bbeddf52 ("printk: move braille console support into separate
      braille.[ch] files") moved the parsing of braille-related options into
      _braille_console_setup(), changing the type of variable str from char*
      to char**.  In this commit, memcmp(str, "brl,", 4) was correctly updated
      to memcmp(*str, "brl,", 4) but not memcmp(str, "brl=", 4).
      
      Update the code to make "brl=" option work again and replace memcmp()
      with strncmp() to make the compiler able to detect such an issue.
      
      Fixes: bbeddf52 ("printk: move braille console support into separate braille.[ch] files")
      Link: http://lkml.kernel.org/r/20160823165700.28952-1-nicolas.iooss_linux@m4x.orgSigned-off-by: default avatarNicolas Iooss <nicolas.iooss_linux@m4x.org>
      Cc: Joe Perches <joe@perches.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ae6c33ba
    • Andrea Arcangeli's avatar
      soft_dirty: fix soft_dirty during THP split · 804dd150
      Andrea Arcangeli authored
      While adding proper userfaultfd_wp support with bits in pagetable and
      swap entry to avoid false positives WP userfaults through swap/fork/
      KSM/etc, I've been adding a framework that mostly mirrors soft dirty.
      
      So I noticed in one place I had to add uffd_wp support to the pagetables
      that wasn't covered by soft_dirty and I think it should have.
      
      Example: in the THP migration code migrate_misplaced_transhuge_page()
      pmd_mkdirty is called unconditionally after mk_huge_pmd.
      
      	entry = mk_huge_pmd(new_page, vma->vm_page_prot);
      	entry = maybe_pmd_mkwrite(pmd_mkdirty(entry), vma);
      
      That sets soft dirty too (it's a false positive for soft dirty, the soft
      dirty bit could be more finegrained and transfer the bit like uffd_wp
      will do..  pmd/pte_uffd_wp() enforces the invariant that when it's set
      pmd/pte_write is not set).
      
      However in the THP split there's no unconditional pmd_mkdirty after
      mk_huge_pmd and pte_swp_mksoft_dirty isn't called after the migration
      entry is created.  The code sets the dirty bit in the struct page
      instead of setting it in the pagetable (which is fully equivalent as far
      as the real dirty bit is concerned, as the whole point of pagetable bits
      is to be eventually flushed out of to the page, but that is not
      equivalent for the soft-dirty bit that gets lost in translation).
      
      This was found by code review only and totally untested as I'm working
      to actually replace soft dirty and I don't have time to test potential
      soft dirty bugfixes as well :).
      
      Transfer the soft_dirty from pmd to pte during THP splits.
      
      This fix avoids losing the soft_dirty bit and avoids userland memory
      corruption in the checkpoint.
      
      Fixes: eef1b3ba ("thp: implement split_huge_pmd()")
      Link: http://lkml.kernel.org/r/1471610515-30229-2-git-send-email-aarcange@redhat.comSigned-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Acked-by: default avatarPavel Emelyanov <xemul@virtuozzo.com>
      Cc: "Kirill A. Shutemov" <kirill@shutemov.name>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      804dd150
    • Subash Abhinov Kasiviswanathan's avatar
      sysctl: handle error writing UINT_MAX to u32 fields · e7d316a0
      Subash Abhinov Kasiviswanathan authored
      We have scripts which write to certain fields on 3.18 kernels but this
      seems to be failing on 4.4 kernels.  An entry which we write to here is
      xfrm_aevent_rseqth which is u32.
      
        echo 4294967295  > /proc/sys/net/core/xfrm_aevent_rseqth
      
      Commit 230633d1 ("kernel/sysctl.c: detect overflows when converting
      to int") prevented writing to sysctl entries when integer overflow
      occurs.  However, this does not apply to unsigned integers.
      
      Heinrich suggested that we introduce a new option to handle 64 bit
      limits and set min as 0 and max as UINT_MAX.  This might not work as it
      leads to issues similar to __do_proc_doulongvec_minmax.  Alternatively,
      we would need to change the datatype of the entry to 64 bit.
      
        static int __do_proc_doulongvec_minmax(void *data, struct ctl_table
        {
            i = (unsigned long *) data;   //This cast is causing to read beyond the size of data (u32)
            vleft = table->maxlen / sizeof(unsigned long); //vleft is 0 because maxlen is sizeof(u32) which is lesser than sizeof(unsigned long) on x86_64.
      
      Introduce a new proc handler proc_douintvec.  Individual proc entries
      will need to be updated to use the new handler.
      
      [akpm@linux-foundation.org: coding-style fixes]
      Fixes: 230633d1 ("kernel/sysctl.c:detect overflows when converting to int")
      Link: http://lkml.kernel.org/r/1471479806-5252-1-git-send-email-subashab@codeaurora.orgSigned-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Cc: Heinrich Schuchardt <xypron.glpk@gmx.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Ingo Molnar <mingo@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      e7d316a0