1. 04 Aug, 2017 25 commits
  2. 03 Aug, 2017 15 commits
    • Linus Torvalds's avatar
      Merge tag 'vfio-v4.13-rc4' of git://github.com/awilliam/linux-vfio · 869c058f
      Linus Torvalds authored
      Pull VFIO fixes from Alex Williamson:
      
       - SPAPR/EEH config build fix (Murilo Opsfelder Araujo)
      
       - Fix possible device lock deadlock (Alex Williamson)
      
       - Correctly size integrated endpoint PCIe capabilities (Alex
         Williamson)
      
      * tag 'vfio-v4.13-rc4' of git://github.com/awilliam/linux-vfio:
        vfio/pci: Fix handling of RC integrated endpoint PCIe capability size
        vfio/pci: Use pci_try_reset_function() on initial open
        include/linux/vfio.h: Guard powerpc-specific functions with CONFIG_VFIO_SPAPR_EEH
      869c058f
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 995d03ae
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "15 fixes"
      
      [ This does not merge the "fortify: use WARN instead of BUG for now"
        patch, which needs a bit of extra work to build cleanly with all
        configurations. Arnd is on it.   - Linus ]
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        ocfs2: don't clear SGID when inheriting ACLs
        mm: allow page_cache_get_speculative in interrupt context
        userfaultfd: non-cooperative: flush event_wqh at release time
        ipc: add missing container_of()s for randstruct
        cpuset: fix a deadlock due to incomplete patching of cpusets_enabled()
        userfaultfd_zeropage: return -ENOSPC in case mm has gone
        mm: take memory hotplug lock within numa_zonelist_order_handler()
        mm/page_io.c: fix oops during block io poll in swapin path
        zram: do not free pool->size_class
        kthread: fix documentation build warning
        kasan: avoid -Wmaybe-uninitialized warning
        userfaultfd: non-cooperative: notify about unmap of destination during mremap
        mm, mprotect: flush TLB if potentially racing with a parallel reclaim leaving stale TLB entries
        pid: kill pidhash_size in pidhash_init()
        mm/hugetlb.c: __get_user_pages ignores certain follow_hugetlb_page errors
      995d03ae
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 8d3fe85f
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix two issues in the ACPI SoC drivers (Intel LPSS and AMD APD),
        a crash in the PCC mailbox initialization code and a WDAT watchdog
        initialization failure.
      
        Specifics:
      
         - Fix a device ID of Hisilicon Hip07/08 in the ACPI APD (AMD SoC)
           driver (Hanjun Guo).
      
         - Fix list corruption (introduced during the 4.11 cycle) in the ACPI
           LPSS (Intel SoC) driver (Hans de Goede).
      
         - Fix PCC mailbox handling code crash during initialization when PCCT
           is not present and PCC channel 0 is requested (Hoan Tran).
      
         - Fix a WDAT watchdog initialization issue causing platform device
           creation to fail due to partially overlapping address ranges in
           resources (Ryan Kennedy)"
      
      * tag 'acpi-4.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: APD: Fix HID for Hisilicon Hip07/08
        mailbox: pcc: Fix crash when request PCC channel 0
        ACPI / watchdog: Fix init failure with overlapping register regions
        ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
      8d3fe85f
    • Linus Torvalds's avatar
      Merge tag 'pm-4.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 73784fb7
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix two cpufreq issues, one introduced recently and one related
        to recent changes, fix cpufreq documentation, fix up recently added
        code in the Thunderbolt driver and update runtime PM framework
        documentation.
      
        Specifics:
      
         - Fix the handling of the scaling_cur_freq cpufreq policy attribute
           on x86 systems with the MPERF/APERF registers present to make it
           behave more as expected after recent changes (Rafael Wysocki).
      
         - Drop a leftover callback from the intel_pstate driver which also
           prevents the cpuinfo_cur_freq cpufreq policy attribute from being
           incorrectly exposed when intel_pstate works in the active mode
           (Rafael Wysocki).
      
         - Add a missing piece describing the cpuinfo_cur_freq policy
           attribute to cpufreq documentation (Rafael Wysocki).
      
         - Fix up a recently added part of the Thunderbolt driver to avoid
           aborting system suspends if its mailbox commands time out (Rafael
           Wysocki).
      
         - Update device runtime PM framework documentation to reflect the
           current behavior of the code (Johan Hovold)"
      
      * tag 'pm-4.13-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        thunderbolt: icm: Ignore mailbox errors in icm_suspend()
        cpufreq: x86: Make scaling_cur_freq behave more as expected
        PM / runtime: Document new pm_runtime_set_suspended() constraint
        cpufreq: docs: Add missing cpuinfo_cur_freq description
        cpufreq: intel_pstate: Drop ->get from intel_pstate structure
      73784fb7
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-soc', 'acpi-wdat' and 'acpi-cppc' · 3de559d4
      Rafael J. Wysocki authored
      * acpi-soc:
        ACPI: APD: Fix HID for Hisilicon Hip07/08
        ACPI / LPSS: Only call pwm_add_table() for the first PWM controller
      
      * acpi-wdat:
        ACPI / watchdog: Fix init failure with overlapping register regions
      
      * acpi-cppc:
        mailbox: pcc: Fix crash when request PCC channel 0
      3de559d4
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-core' and 'pm-misc' · 78aa904a
      Rafael J. Wysocki authored
      * pm-core:
        PM / runtime: Document new pm_runtime_set_suspended() constraint
      
      * pm-misc:
        thunderbolt: icm: Ignore mailbox errors in icm_suspend()
      78aa904a
    • Rafael J. Wysocki's avatar
      Merge branches 'pm-cpufreq-x86', 'pm-cpufreq-docs' and 'intel_pstate' · 8a05c311
      Rafael J. Wysocki authored
      * pm-cpufreq-x86:
        cpufreq: x86: Make scaling_cur_freq behave more as expected
      
      * pm-cpufreq-docs:
        cpufreq: docs: Add missing cpuinfo_cur_freq description
      
      * intel_pstate:
        cpufreq: intel_pstate: Drop ->get from intel_pstate structure
      8a05c311
    • Shawn Lin's avatar
      mmc: block: bypass the queue even if usage is present for hotplug · 7c84b8b4
      Shawn Lin authored
      The commit 304419d8 ("mmc: core: Allocate per-request data using the
      block layer core") refactored mechanism of queue handling caused
      mmc_init_request() can be called just after mmc_cleanup_queue() caused null
      pointer dereference.
      
      Another commit bbdc74dc ("mmc: block: Prevent new req entering queue
      after its cleanup") tried to fix the problem. However it actually miss one
      corner case.
      
      We could still reproduce the issue mentioned with these steps:
      (1) insert a SD card and mount it
      (2) hotplug it, so it will leave md->usage still be counted
      (3) reboot the system which will sync data and umount the card
      
      [Unable to handle kernel NULL pointer dereference at virtual address
      00000000
      [user pgtable: 4k pages, 48-bit VAs, pgd = ffff80007bab3000
      [[0000000000000000] *pgd=000000007a828003, *pud=0000000078dce003,
      *pmd=000000007aab6003, *pte=0000000000000000
      [Internal error: Oops: 96000007 [#1] PREEMPT SMP
      [Modules linked in:
      [CPU: 3 PID: 3507 Comm: umount Tainted: G        W
      4.13.0-rc1-next-20170720-00012-g9d9bf45 #33
      [Hardware name: Firefly-RK3399 Board (DT)
      [task: ffff80007a1de200 task.stack: ffff80007a01c000
      [PC is at mmc_init_request+0x14/0xc4
      [LR is at alloc_request_size+0x4c/0x74
      [pc : [<ffff0000087d7150>] lr : [<ffff000008378fe0>] pstate: 600001c5
      [sp : ffff80007a01f8f0
      
      ....
      
      [[<ffff0000087d7150>] mmc_init_request+0x14/0xc4
      [[<ffff000008378fe0>] alloc_request_size+0x4c/0x74
      [[<ffff00000817ac28>] mempool_create_node+0xb8/0x17c
      [[<ffff00000837aadc>] blk_init_rl+0x9c/0x120
      [[<ffff000008396580>] blkg_alloc+0x110/0x234
      [[<ffff000008396ac8>] blkg_create+0x424/0x468
      [[<ffff00000839877c>] blkg_lookup_create+0xd8/0x14c
      [[<ffff0000083796bc>] generic_make_request_checks+0x368/0x3b0
      [[<ffff00000837b050>] generic_make_request+0x1c/0x240
      
      So mmc_blk_put wouldn't calling blk_cleanup_queue which actually the
      QUEUE_FLAG_DYING and QUEUE_FLAG_BYPASS should stay. Block core expect
      blk_queue_bypass_{start, end} internally to bypass/drain the queue before
      actually dying the queue, so it didn't expose API to set the queue bypass.
      I think we should set QUEUE_FLAG_BYPASS whenever queue is removed, although
      the md->usage is still counted, as no dispatch queue could be found then.
      
      Fixes: 304419d8 ("mmc: core: Allocate per-request data using the block layer core")
      Signed-off-by: default avatarShawn Lin <shawn.lin@rock-chips.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      7c84b8b4
    • Ludovic Desroches's avatar
      mmc: sdhci-of-at91: force card detect value for non removable devices · 7a1e3f14
      Ludovic Desroches authored
      When the device is non removable, the card detect signal is often used
      for another purpose i.e. muxed to another SoC peripheral or used as a
      GPIO. It could lead to wrong behaviors depending the default value of
      this signal if not muxed to the SDHCI controller.
      
      Fixes: bb5f8ea4 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
      Signed-off-by: default avatarLudovic Desroches <ludovic.desroches@microchip.com>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      7a1e3f14
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.13-4' of git://git.linux-nfs.org/projects/anna/linux-nfs · 19ec50a4
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "Two fixes from Trond this time, now that he's back from his vacation.
        The first is a stable fix for the EXCHANGE_ID issue on the mailing
        list, and the other fixes a double-free situation that he found at the
        same time.
      
        Stable fix:
         - Fix EXCHANGE_ID corrupt verifier issue
      
        Other fix:
         - Fix double frees in nfs4_test_session_trunk()"
      
      * tag 'nfs-for-4.13-4' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        NFSv4: Fix double frees in nfs4_test_session_trunk()
        NFSv4: Fix EXCHANGE_ID corrupt verifier issue
      19ec50a4
    • Annie Cherkaev's avatar
      isdn/i4l: fix buffer overflow · 9f5af546
      Annie Cherkaev authored
      This fixes a potential buffer overflow in isdn_net.c caused by an
      unbounded strcpy.
      
      [ ISDN seems to be effectively unmaintained, and the I4L driver in
        particular is long deprecated, but in case somebody uses this..
          - Linus ]
      Signed-off-by: default avatarJiten Thakkar <jitenmt@gmail.com>
      Signed-off-by: default avatarAnnie Cherkaev <annie.cherk@gmail.com>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9f5af546
    • Jan Kara's avatar
      ocfs2: don't clear SGID when inheriting ACLs · 19ec8e48
      Jan Kara authored
      When new directory 'DIR1' is created in a directory 'DIR0' with SGID bit
      set, DIR1 is expected to have SGID bit set (and owning group equal to
      the owning group of 'DIR0').  However when 'DIR0' also has some default
      ACLs that 'DIR1' inherits, setting these ACLs will result in SGID bit on
      'DIR1' to get cleared if user is not member of the owning group.
      
      Fix the problem by moving posix_acl_update_mode() out of ocfs2_set_acl()
      into ocfs2_iop_set_acl().  That way the function will not be called when
      inheriting ACLs which is what we want as it prevents SGID bit clearing
      and the mode has been properly set by posix_acl_create() anyway.  Also
      posix_acl_chmod() that is calling ocfs2_set_acl() takes care of updating
      mode itself.
      
      Fixes: 07393101 ("posix_acl: Clear SGID bit when setting file permissions")
      Link: http://lkml.kernel.org/r/20170801141252.19675-3-jack@suse.czSigned-off-by: default avatarJan Kara <jack@suse.cz>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Joseph Qi <jiangqi903@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      19ec8e48
    • Kan Liang's avatar
      mm: allow page_cache_get_speculative in interrupt context · 1ee1c3f5
      Kan Liang authored
      Kernel panic when calling the IRQ-safe __get_user_pages_fast in NMI
      handler.
      
      The bug was introduced by commit 2947ba05 ("x86/mm/gup: Switch GUP
      to the generic get_user_page_fast() implementation").
      
      The original x86 __get_user_page_fast used plain get_page() or
      page_ref_add().  However, the generic __get_user_page_fast uses
      page_cache_get_speculative(), which has VM_BUG_ON(in_interrupt()).
      
      There is no reason to prevent page_cache_get_speculative from using in
      interrupt context.  According to the author, putting a BUG_ON there is
      just because the code is not verifying correctness of interrupt races.
      I did some tests in interrupt context.  There is no issue found.
      
      Removing VM_BUG_ON(in_interrupt()) for page_cache_get_speculative().
      
      Link: http://lkml.kernel.org/r/1501609146-59730-1-git-send-email-kan.liang@intel.com
      Fixes: 2947ba05 ("x86/mm/gup: Switch GUP to the generic get_user_page_fast() implementation")
      Signed-off-by: default avatarKan Liang <kan.liang@intel.com>
      Cc: Jens Axboe <axboe@fb.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Ying Huang <ying.huang@intel.com>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1ee1c3f5
    • Mike Rapoport's avatar
      userfaultfd: non-cooperative: flush event_wqh at release time · 5a18b64e
      Mike Rapoport authored
      There may still be threads waiting on event_wqh at the time the
      userfault file descriptor is closed.  Flush the events wait-queue to
      prevent waiting threads from hanging.
      
      Link: http://lkml.kernel.org/r/1501398127-30419-1-git-send-email-rppt@linux.vnet.ibm.com
      Fixes: 9cd75c3c ("userfaultfd: non-cooperative: add ability to report
      non-PF events from uffd descriptor")
      Signed-off-by: default avatarMike Rapoport <rppt@linux.vnet.ibm.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
      Cc: Pavel Emelyanov <xemul@virtuozzo.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      5a18b64e
    • Kees Cook's avatar
      ipc: add missing container_of()s for randstruct · ade9f91b
      Kees Cook authored
      When building with the randstruct gcc plugin, the layout of the IPC
      structs will be randomized, which requires any sub-structure accesses to
      use container_of().  The proc display handlers were missing the needed
      container_of()s since the iterator is passing in the top-level struct
      kern_ipc_perm.
      
      This would lead to crashes when running the "lsipc" program after the
      system had IPC registered (e.g. after starting up Gnome):
      
        general protection fault: 0000 [#1] PREEMPT SMP
        ...
        RIP: 0010:shm_add_rss_swap.isra.1+0x13/0xa0
        ...
        Call Trace:
          sysvipc_shm_proc_show+0x5e/0x150
          sysvipc_proc_show+0x1a/0x30
          seq_read+0x2e9/0x3f0
        ...
      
      Link: http://lkml.kernel.org/r/20170730205950.GA55841@beast
      Fixes: 3859a271 ("randstruct: Mark various structs for randomization")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reported-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Acked-by: default avatarDavidlohr Bueso <dave@stgolabs.net>
      Acked-by: default avatarManfred Spraul <manfred@colorfullife.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ade9f91b