1. 28 Feb, 2018 1 commit
    • Will Deacon's avatar
      arm_pmu: Use disable_irq_nosync when disabling SPI in CPU teardown hook · b08e5fd9
      Will Deacon authored
      Commit 6de3f791 ("arm_pmu: explicitly enable/disable SPIs at hotplug")
      moved all of the arm_pmu IRQ enable/disable calls to the CPU hotplug hooks,
      regardless of whether they are implemented as PPIs or SPIs. This can
      lead to us sleeping from atomic context due to disable_irq blocking:
      
       | BUG: sleeping function called from invalid context at kernel/irq/manage.c:112
       | in_atomic(): 1, irqs_disabled(): 128, pid: 15, name: migration/1
       | no locks held by migration/1/15.
       | irq event stamp: 192
       | hardirqs last  enabled at (191): [<00000000803c2507>]
       | _raw_spin_unlock_irq+0x2c/0x4c
       | hardirqs last disabled at (192): [<000000007f57ad28>] multi_cpu_stop+0x9c/0x140
       | softirqs last  enabled at (0): [<0000000004ee1b58>]
       | copy_process.isra.77.part.78+0x43c/0x1504
       | softirqs last disabled at (0): [<          (null)>]           (null)
       | CPU: 1 PID: 15 Comm: migration/1 Not tainted 4.16.0-rc3-salvator-x #1651
       | Hardware name: Renesas Salvator-X board based on r8a7796 (DT)
       | Call trace:
       |  dump_backtrace+0x0/0x140
       |  show_stack+0x14/0x1c
       |  dump_stack+0xb4/0xf0
       |  ___might_sleep+0x1fc/0x218
       |  __might_sleep+0x70/0x80
       |  synchronize_irq+0x40/0xa8
       |  disable_irq+0x20/0x2c
       |  arm_perf_teardown_cpu+0x80/0xac
      
      Since the interrupt is always CPU-affine and this code is running with
      interrupts disabled, we can just use disable_irq_nosync as we know there
      isn't a concurrent invocation of the handler to worry about.
      
      Fixes: 6de3f791 ("arm_pmu: explicitly enable/disable SPIs at hotplug")
      Reported-by: default avatarGeert Uytterhoeven <[email protected]>
      Tested-by: default avatarGeert Uytterhoeven <[email protected]>
      Acked-by: default avatarMark Rutland <[email protected]>
      Signed-off-by: default avatarWill Deacon <[email protected]>
      Signed-off-by: default avatarCatalin Marinas <[email protected]>
      b08e5fd9
  2. 26 Feb, 2018 7 commits
  3. 25 Feb, 2018 2 commits
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.16-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs · c89be524
      Linus Torvalds authored
      Pull NFS client bugfixes from Trond Myklebust:
      
       - fix a broken cast in nfs4_callback_recallany()
      
       - fix an Oops during NFSv4 migration events
      
       - make struct nlmclnt_fl_close_lock_ops static
      
      * tag 'nfs-for-4.16-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
        NFS: make struct nlmclnt_fl_close_lock_ops static
        nfs: system crashes after NFS4ERR_MOVED recovery
        NFSv4: Fix broken cast in nfs4_callback_recallany()
      c89be524
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 3664ce2d
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
      
       - Add handling for a missing instruction in our 32-bit BPF JIT so that
         it can be used for seccomp filtering.
      
       - Add a missing NULL pointer check before a function call in new EEH
         code.
      
       - Fix an error path in the new ocxl driver to correctly return EFAULT.
      
       - The support for the new ibm,drc-info device tree property turns out
         to need several fixes, so for now we just stop advertising to
         firmware that we support it until the bugs can be ironed out.
      
       - One fix for the new drmem code which was incorrectly modifying the
         device tree in place.
      
       - Finally two fixes for the RFI flush support, so that firmware can
         advertise to us that it should be disabled entirely so as not to
         affect performance.
      
      Thanks to: Bharata B Rao, Frederic Barrat, Juan J. Alvarez, Mark Lord,
      Michael Bringmann.
      
      * tag 'powerpc-4.16-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/powernv: Support firmware disable of RFI flush
        powerpc/pseries: Support firmware disable of RFI flush
        powerpc/mm/drmem: Fix unexpected flag value in ibm,dynamic-memory-v2
        powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access
        powerpc/pseries: Revert support for ibm,drc-info devtree property
        powerpc/pseries: Fix duplicate firmware feature for DRC_INFO
        ocxl: Fix potential bad errno on irq allocation
        powerpc/eeh: Fix crashes in eeh_report_resume()
      3664ce2d
  4. 23 Feb, 2018 30 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 9cb9c07d
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix TTL offset calculation in mac80211 mesh code, from Peter Oh.
      
       2) Fix races with procfs in ipt_CLUSTERIP, from Cong Wang.
      
       3) Memory leak fix in lpm_trie BPF map code, from Yonghong Song.
      
       4) Need to use GFP_ATOMIC in BPF cpumap allocations, from Jason Wang.
      
       5) Fix potential deadlocks in netfilter getsockopt() code paths, from
          Paolo Abeni.
      
       6) Netfilter stackpointer size checks really are needed to validate
          user input, from Florian Westphal.
      
       7) Missing timer init in x_tables, from Paolo Abeni.
      
       8) Don't use WQ_MEM_RECLAIM in mac80211 hwsim, from Johannes Berg.
      
       9) When an ibmvnic device is brought down then back up again, it can be
          sent queue entries from a previous session, handle this properly
          instead of crashing. From Thomas Falcon.
      
      10) Fix TCP checksum on LRO buffers in mlx5e, from Gal Pressman.
      
      11) When we are dumping filters in cls_api, the output SKB is empty, and
          the filter we are dumping is too large for the space in the SKB, we
          should return -EMSGSIZE like other netlink dump operations do.
          Otherwise userland has no signal that is needs to increase the size
          of its read buffer. From Roman Kapl.
      
      12) Several XDP fixes for virtio_net, from Jesper Dangaard Brouer.
      
      13) Module refcount leak in netlink when a dump start fails, from Jason
          Donenfeld.
      
      14) Handle sub-optimal GSO sizes better in TCP BBR congestion control,
          from Eric Dumazet.
      
      15) Releasing bpf per-cpu arraymaps can take a long time, add a
          condtional scheduling point. From Eric Dumazet.
      
      16) Implement retpolines for tail calls in x64 and arm64 bpf JITs. From
          Daniel Borkmann.
      
      17) Fix page leak in gianfar driver, from Andy Spencer.
      
      18) Missed clearing of estimator scratch buffer, from Eric Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (76 commits)
        net_sched: gen_estimator: fix broken estimators based on percpu stats
        gianfar: simplify FCS handling and fix memory leak
        ipv6 sit: work around bogus gcc-8 -Wrestrict warning
        macvlan: fix use-after-free in macvlan_common_newlink()
        bpf, arm64: fix out of bounds access in tail call
        bpf, x64: implement retpoline for tail call
        rxrpc: Fix send in rxrpc_send_data_packet()
        net: aquantia: Fix error handling in aq_pci_probe()
        bpf: fix rcu lockdep warning for lpm_trie map_free callback
        bpf: add schedule points in percpu arrays management
        regulatory: add NUL to request alpha2
        ibmvnic: Fix early release of login buffer
        net/smc9194: Remove bogus CONFIG_MAC reference
        net: ipv4: Set addr_type in hash_keys for forwarded case
        tcp_bbr: better deal with suboptimal GSO
        smsc75xx: fix smsc75xx_set_features()
        netlink: put module reference if dump start fails
        selftests/bpf/test_maps: exit child process without error in ENOMEM case
        selftests/bpf: update gitignore with test_libbpf_open
        selftests/bpf: tcpbpf_kern: use in6_* macros from glibc
        ..
      9cb9c07d
    • Linus Torvalds's avatar
      Merge branch 'fixes-v4.16-rc3' of... · 2eb02aa9
      Linus Torvalds authored
      Merge branch 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
      
      Pull security subsystem fixes from James Morris:
      
       - keys fixes via David Howells:
            "A collection of fixes for Linux keyrings, mostly thanks to Eric
             Biggers:
      
              - Fix some PKCS#7 verification issues.
      
              - Fix handling of unsupported crypto in X.509.
      
              - Fix too-large allocation in big_key"
      
       - Seccomp updates via Kees Cook:
            "These are fixes for the get_metadata interface that landed during
             -rc1. While the new selftest is strictly not a bug fix, I think
             it's in the same spirit of avoiding bugs"
      
       - an IMA build fix from Randy Dunlap
      
      * 'fixes-v4.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        integrity/security: fix digsig.c build error with header file
        KEYS: Use individual pages in big_key for crypto buffers
        X.509: fix NULL dereference when restricting key with unsupported_sig
        X.509: fix BUG_ON() when hash algorithm is unsupported
        PKCS#7: fix direct verification of SignerInfo signature
        PKCS#7: fix certificate blacklisting
        PKCS#7: fix certificate chain verification
        seccomp: add a selftest for get_metadata
        ptrace, seccomp: tweak get_metadata behavior slightly
        seccomp, ptrace: switch get_metadata types to arch independent
      2eb02aa9
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 65738c6b
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
       "arm64 and perf fixes:
      
         - build error when accessing MPIDR_HWID_BITMASK from .S
      
         - fix CTR_EL0 field definitions
      
         - remove/disable some kernel messages on user faults (unhandled
           signals, unimplemented syscalls)
      
         - fix kernel page fault in unwind_frame() with function graph tracing
      
         - fix perf sleeping while atomic errors when booting with ACPI"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: fix unwind_frame() for filtered out fn for function graph tracing
        arm64: Enforce BBM for huge IO/VMAP mappings
        arm64: perf: correct PMUVer probing
        arm_pmu: acpi: request IRQs up-front
        arm_pmu: note IRQs and PMUs per-cpu
        arm_pmu: explicitly enable/disable SPIs at hotplug
        arm_pmu: acpi: check for mismatched PPIs
        arm_pmu: add armpmu_alloc_atomic()
        arm_pmu: fold platform helpers into platform code
        arm_pmu: kill arm_pmu_platdata
        ARM: ux500: remove PMU IRQ bouncer
        arm64: __show_regs: Only resolve kernel symbols when running at EL1
        arm64: Remove unimplemented syscall log message
        arm64: Disable unhandled signal log messages by default
        arm64: cpufeature: Fix CTR_EL0 field definitions
        arm64: uaccess: Formalise types for access_ok()
        arm64: Fix compilation error while accessing MPIDR_HWID_BITMASK from .S files
      65738c6b
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.16_3' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips · 2bd06ce7
      Linus Torvalds authored
      Pull MIPS fix from James Hogan:
       "A single MIPS fix for mismatching struct compat_flock, resulting in
        bus errors starting Firefox on Debian 8 since 4.13"
      
      * tag 'mips_fixes_4.16_3' of git://git.kernel.org/pub/scm/linux/kernel/git/jhogan/mips:
        MIPS: Drop spurious __unused in struct compat_flock
      2bd06ce7
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · 13f514be
      Linus Torvalds authored
      Pull printk fixlet from Petr Mladek:
       "People expect to see the real pointer value for %px.
      
        Let's substitute '(null)' only for the other %p? format modifiers that
        need to deference the pointer"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        vsprintf: avoid misleading "(null)" for %px
      13f514be
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 938e1426
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Two bugfixes, one v4.16 regression fix, and two documentation fixes"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: designware: Consider SCL GPIO optional
        i2c: busses: i2c-sirf: Fix spelling: "formular" -> "formula".
        i2c: bcm2835: Set up the rising/falling edge delays
        i2c: i801: Add missing documentation entries for Braswell and Kaby Lake
        i2c: designware: must wait for enable
      938e1426
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 170e07bf
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "These are mostly fixes for problems with merge window code.
      
        In addition we have one doc update (alua) and two dead code removals
        (aiclib and octogon) a spurious assignment removal (csiostor) and a
        performance improvement for storvsc involving better interrupt
        spreading and increasing the command per lun handling"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla4xxx: skip error recovery in case of register disconnect.
        scsi: aacraid: fix shutdown crash when init fails
        scsi: qedi: Cleanup local str variable
        scsi: qedi: Fix truncation of CHAP name and secret
        scsi: qla2xxx: Fix incorrect handle for abort IOCB
        scsi: qla2xxx: Fix double free bug after firmware timeout
        scsi: storvsc: Increase cmd_per_lun for higher speed devices
        scsi: qla2xxx: Fix a locking imbalance in qlt_24xx_handle_els()
        scsi: scsi_dh: Document alua_rtpg_queue() arguments
        scsi: Remove Makefile entry for oktagon files
        scsi: aic7xxx: remove aiclib.c
        scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
        scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
        scsi: sym53c8xx_2: iterator underflow in sym_getsync()
        scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
        scsi: csiostor: remove redundant assignment to pointer 'ln'
        scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
        scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
        scsi: qla2xxx: Fix memory corruption during hba reset test
        scsi: mpt3sas: fix an out of bound write
      170e07bf
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.16-rc3' of git://people.freedesktop.org/~airlied/linux · 8961ca44
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A bunch of fixes for rc3:
      
        Exynos:
         - fixes for using monotonic timestamps
         - register definitions
         - removal of unused file
      
        ipu-v3L
         - minor changes
         - make some register arrays const+static
         - fix some leaks
      
        meson:
         - fix for vsync
      
        atomic:
         - fix for memory leak
      
        EDID parser:
         - add quirks for some more non-desktop devices
         - 6-bit panel fix.
      
        drm_mm:
         - fix a bug in the core drm mm hole handling
      
        cirrus:
         - fix lut loading regression
      
        Lastly there is a deadlock fix around runtime suspend for secondary
        GPUs.
      
        There was a deadlock between one thread trying to wait for a workqueue
        job to finish in the runtime suspend path, and the workqueue job it
        was waiting for in turn waiting for a runtime_get_sync to return.
      
        The fixes avoids it by not doing the runtime sync in the workqueue as
        then we always wait for all those tasks to complete before we runtime
        suspend"
      
      * tag 'drm-fixes-for-v4.16-rc3' of git://people.freedesktop.org/~airlied/linux: (25 commits)
        drm/tve200: fix kernel-doc documentation comment include
        drm/edid: quirk Sony PlayStation VR headset as non-desktop
        drm/edid: quirk Windows Mixed Reality headsets as non-desktop
        drm/edid: quirk Oculus Rift headsets as non-desktop
        drm/meson: fix vsync buffer update
        drm: Handle unexpected holes in color-eviction
        drm: exynos: Use proper macro definition for HDMI_I2S_PIN_SEL_1
        drm/exynos: remove exynos_drm_rotator.h
        drm/exynos: g2d: Delete an error message for a failed memory allocation in two functions
        drm/exynos: fix comparison to bitshift when dealing with a mask
        drm/exynos: g2d: use monotonic timestamps
        drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
        gpu: ipu-csi: add 10/12-bit grayscale support to mbus_code_to_bus_cfg
        gpu: ipu-cpmem: add 16-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
        gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
        drm/amdgpu: Fix deadlock on runtime suspend
        drm/radeon: Fix deadlock on runtime suspend
        drm/nouveau: Fix deadlock on runtime suspend
        drm: Allow determining if current task is output poll worker
        ...
      8961ca44
    • Eric Dumazet's avatar
      net_sched: gen_estimator: fix broken estimators based on percpu stats · a5f7add3
      Eric Dumazet authored
      pfifo_fast got percpu stats lately, uncovering a bug I introduced last
      year in linux-4.10.
      
      I missed the fact that we have to clear our temporary storage
      before calling __gnet_stats_copy_basic() in the case of percpu stats.
      
      Without this fix, rate estimators (tc qd replace dev xxx root est 1sec
      4sec pfifo_fast) are utterly broken.
      
      Fixes: 1c0d32fd ("net_sched: gen_estimator: complete rewrite of rate estimators")
      Signed-off-by: default avatarEric Dumazet <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      a5f7add3
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 22170094
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2018-02-22
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) two urgent fixes for bpf_tail_call logic for x64 and arm64 JITs, from Daniel.
      
      2) cond_resched points in percpu array alloc/free paths, from Eric.
      
      3) lockdep and other minor fixes, from Yonghong, Arnd, Anders, Li.
      ====================
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      22170094
    • Andy Spencer's avatar
      gianfar: simplify FCS handling and fix memory leak · d903ec77
      Andy Spencer authored
      Previously, buffer descriptors containing only the frame check sequence
      (FCS) were skipped and not added to the skb. However, the page reference
      count was still incremented, leading to a memory leak.
      
      Fixing this inside gfar_add_rx_frag() is difficult due to reserved
      memory handling and page reuse. Instead, move the FCS handling to
      gfar_process_frame() and trim off the FCS before passing the skb up the
      networking stack.
      Signed-off-by: default avatarAndy Spencer <[email protected]>
      Signed-off-by: default avatarJim Gruen <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      d903ec77
    • Arnd Bergmann's avatar
      ipv6 sit: work around bogus gcc-8 -Wrestrict warning · ca79bec2
      Arnd Bergmann authored
      gcc-8 has a new warning that detects overlapping input and output arguments
      in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(),
      which is actually correct:
      
      net/ipv6/sit.c: In function 'sit_init_net':
      net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
      
      The problem here is that the logic detecting the memcpy() arguments finds them
      to be the same, but the conditional that tests for the input and output of
      ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant.
      
      We know that netdev_priv(t->dev) is the same as t for a tunnel device,
      and comparing "dev" directly here lets the compiler figure out as well
      that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so
      it no longer warns.
      
      This code is old, so Cc stable to make sure that we don't get the warning
      for older kernels built with new gcc.
      
      Cc: Martin Sebor <[email protected]>
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456Signed-off-by: default avatarArnd Bergmann <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      ca79bec2
    • Alexey Kodanev's avatar
      macvlan: fix use-after-free in macvlan_common_newlink() · 4e14bf42
      Alexey Kodanev authored
      The following use-after-free was reported by KASan when running
      LTP macvtap01 test on 4.16-rc2:
      
      [10642.528443] BUG: KASAN: use-after-free in
                     macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10642.626607] Read of size 8 at addr ffff880ba49f2100 by task ip/18450
      ...
      [10642.963873] Call Trace:
      [10642.994352]  dump_stack+0x5c/0x7c
      [10643.035325]  print_address_description+0x75/0x290
      [10643.092938]  kasan_report+0x28d/0x390
      [10643.137971]  ? macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10643.207963]  macvlan_common_newlink+0x12ef/0x14a0 [macvlan]
      [10643.275978]  macvtap_newlink+0x171/0x260 [macvtap]
      [10643.334532]  rtnl_newlink+0xd4f/0x1300
      ...
      [10646.256176] Allocated by task 18450:
      [10646.299964]  kasan_kmalloc+0xa6/0xd0
      [10646.343746]  kmem_cache_alloc_trace+0xf1/0x210
      [10646.397826]  macvlan_common_newlink+0x6de/0x14a0 [macvlan]
      [10646.464386]  macvtap_newlink+0x171/0x260 [macvtap]
      [10646.522728]  rtnl_newlink+0xd4f/0x1300
      ...
      [10647.022028] Freed by task 18450:
      [10647.061549]  __kasan_slab_free+0x138/0x180
      [10647.111468]  kfree+0x9e/0x1c0
      [10647.147869]  macvlan_port_destroy+0x3db/0x650 [macvlan]
      [10647.211411]  rollback_registered_many+0x5b9/0xb10
      [10647.268715]  rollback_registered+0xd9/0x190
      [10647.319675]  register_netdevice+0x8eb/0xc70
      [10647.370635]  macvlan_common_newlink+0xe58/0x14a0 [macvlan]
      [10647.437195]  macvtap_newlink+0x171/0x260 [macvtap]
      
      Commit d02fd6e7 ("macvlan: Fix one possible double free") handles
      the case when register_netdevice() invokes ndo_uninit() on error and
      as a result free the port. But 'macvlan_port_get_rtnl(dev))' check
      (returns dev->rx_handler_data), which was added by this commit in order
      to prevent double free, is not quite correct:
      
      * for macvlan it always returns NULL because 'lowerdev' is the one that
        was used to register rx handler (port) in macvlan_port_create() as
        well as to unregister it in macvlan_port_destroy().
      * for macvtap it always returns a valid pointer because macvtap registers
        its own rx handler before macvlan_common_newlink().
      
      Fixes: d02fd6e7 ("macvlan: Fix one possible double free")
      Signed-off-by: default avatarAlexey Kodanev <[email protected]>
      Signed-off-by: default avatarDavid S. Miller <[email protected]>
      4e14bf42
    • Pratyush Anand's avatar
      arm64: fix unwind_frame() for filtered out fn for function graph tracing · 9f416319
      Pratyush Anand authored
      do_task_stat() calls get_wchan(), which further does unwind_frame().
      unwind_frame() restores frame->pc to original value in case function
      graph tracer has modified a return address (LR) in a stack frame to hook
      a function return. However, if function graph tracer has hit a filtered
      function, then we can't unwind it as ftrace_push_return_trace() has
      biased the index(frame->graph) with a 'huge negative'
      offset(-FTRACE_NOTRACE_DEPTH).
      
      Moreover, arm64 stack walker defines index(frame->graph) as unsigned
      int, which can not compare a -ve number.
      
      Similar problem we can have with calling of walk_stackframe() from
      save_stack_trace_tsk() or dump_backtrace().
      
      This patch fixes unwind_frame() to test the index for -ve value and
      restore index accordingly before we can restore frame->pc.
      
      Reproducer:
      
      cd /sys/kernel/debug/tracing/
      echo schedule > set_graph_notrace
      echo 1 > options/display-graph
      echo wakeup > current_tracer
      ps -ef | grep -i agent
      
      Above commands result in:
      Unable to handle kernel paging request at virtual address ffff801bd3d1e000
      pgd = ffff8003cbe97c00
      [ffff801bd3d1e000] *pgd=0000000000000000, *pud=0000000000000000
      Internal error: Oops: 96000006 [#1] SMP
      [...]
      CPU: 5 PID: 11696 Comm: ps Not tainted 4.11.0+ #33
      [...]
      task: ffff8003c21ba000 task.stack: ffff8003cc6c0000
      PC is at unwind_frame+0x12c/0x180
      LR is at get_wchan+0xd4/0x134
      pc : [<ffff00000808892c>] lr : [<ffff0000080860b8>] pstate: 60000145
      sp : ffff8003cc6c3ab0
      x29: ffff8003cc6c3ab0 x28: 0000000000000001
      x27: 0000000000000026 x26: 0000000000000026
      x25: 00000000000012d8 x24: 0000000000000000
      x23: ffff8003c1c04000 x22: ffff000008c83000
      x21: ffff8003c1c00000 x20: 000000000000000f
      x19: ffff8003c1bc0000 x18: 0000fffffc593690
      x17: 0000000000000000 x16: 0000000000000001
      x15: 0000b855670e2b60 x14: 0003e97f22cf1d0f
      x13: 0000000000000001 x12: 0000000000000000
      x11: 00000000e8f4883e x10: 0000000154f47ec8
      x9 : 0000000070f367c0 x8 : 0000000000000000
      x7 : 00008003f7290000 x6 : 0000000000000018
      x5 : 0000000000000000 x4 : ffff8003c1c03cb0
      x3 : ffff8003c1c03ca0 x2 : 00000017ffe80000
      x1 : ffff8003cc6c3af8 x0 : ffff8003d3e9e000
      
      Process ps (pid: 11696, stack limit = 0xffff8003cc6c0000)
      Stack: (0xffff8003cc6c3ab0 to 0xffff8003cc6c4000)
      [...]
      [<ffff00000808892c>] unwind_frame+0x12c/0x180
      [<ffff000008305008>] do_task_stat+0x864/0x870
      [<ffff000008305c44>] proc_tgid_stat+0x3c/0x48
      [<ffff0000082fde0c>] proc_single_show+0x5c/0xb8
      [<ffff0000082b27e0>] seq_read+0x160/0x414
      [<ffff000008289e6c>] __vfs_read+0x58/0x164
      [<ffff00000828b164>] vfs_read+0x88/0x144
      [<ffff00000828c2e8>] SyS_read+0x60/0xc0
      [<ffff0000080834a0>] __sys_trace_return+0x0/0x4
      
      Fixes: 20380bb3 (arm64: ftrace: fix a stack tracer's output under function graph tracer)
      Signed-off-by: default avatarPratyush Anand <[email protected]>
      Signed-off-by: default avatarJerome Marchand <[email protected]>
      [[email protected]: replace WARN_ON with WARN_ON_ONCE]
      Signed-off-by: default avatarCatalin Marinas <[email protected]>
      9f416319
    • Samuel Neves's avatar
      x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations · 45967493
      Samuel Neves authored
      Without this fix, /proc/cpuinfo will display an incorrect amount
      of CPU cores, after bringing them offline and online again, as
      exemplified below:
      
        $ cat /proc/cpuinfo | grep cores
        cpu cores	: 4
        cpu cores	: 8
        cpu cores	: 8
        cpu cores	: 20
        cpu cores	: 4
        cpu cores	: 3
        cpu cores	: 2
        cpu cores	: 2
      
      This patch fixes this by always zeroing the booted_cores variable
      upon turning off a logical CPU.
      Tested-by: default avatarDou Liyang <[email protected]>
      Signed-off-by: default avatarSamuel Neves <[email protected]>
      Cc: Linus Torvalds <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Thomas Gleixner <[email protected]>
      Cc: [email protected]
      Cc: [email protected]
      Cc: [email protected]
      Cc: [email protected]
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      45967493
    • Dou Liyang's avatar
      x86/topology: Fix function name in documentation · 0c52f7c5
      Dou Liyang authored
      topology_sibling_cpumask() is the correct thread-related topology
      function in the kernel:
      
        s/topology_sibling_mask/topology_sibling_cpumask
      Signed-off-by: default avatarDou Liyang <[email protected]>
      Cc: Linus Torvalds <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Thomas Gleixner <[email protected]>
      Cc: [email protected]
      Cc: [email protected]
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      0c52f7c5
    • Andrea Parri's avatar
      locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs · 472e8c55
      Andrea Parri authored
      Successful RMW operations are supposed to be fully ordered, but
      Alpha's xchg() and cmpxchg() do not meet this requirement.
      
      Will Deacon noticed the bug:
      
        > So MP using xchg:
        >
        > WRITE_ONCE(x, 1)
        > xchg(y, 1)
        >
        > smp_load_acquire(y) == 1
        > READ_ONCE(x) == 0
        >
        > would be allowed.
      
      ... which thus violates the above requirement.
      
      Fix it by adding a leading smp_mb() to the xchg() and cmpxchg() implementations.
      Reported-by: default avatarWill Deacon <[email protected]>
      Signed-off-by: default avatarAndrea Parri <[email protected]>
      Acked-by: default avatarPaul E. McKenney <[email protected]>
      Cc: Alan Stern <[email protected]>
      Cc: Andrew Morton <[email protected]>
      Cc: Ivan Kokshaysky <[email protected]>
      Cc: Linus Torvalds <[email protected]>
      Cc: Matt Turner <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Richard Henderson <[email protected]>
      Cc: Thomas Gleixner <[email protected]>
      Cc: [email protected]
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      472e8c55
    • Andrea Parri's avatar
      locking/xchg/alpha: Clean up barrier usage by using smp_mb() in place of __ASM__MB · 79d44246
      Andrea Parri authored
      Replace each occurrence of __ASM__MB with a (trailing) smp_mb() in
      xchg(), cmpxchg(), and remove the now unused __ASM__MB definitions;
      this improves readability, with no additional synchronization cost.
      Suggested-by: default avatarWill Deacon <[email protected]>
      Signed-off-by: default avatarAndrea Parri <[email protected]>
      Acked-by: default avatarPaul E. McKenney <[email protected]>
      Cc: Alan Stern <[email protected]>
      Cc: Andrew Morton <[email protected]>
      Cc: Ivan Kokshaysky <[email protected]>
      Cc: Linus Torvalds <[email protected]>
      Cc: Matt Turner <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Richard Henderson <[email protected]>
      Cc: Thomas Gleixner <[email protected]>
      Cc: [email protected]
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      79d44246
    • hui's avatar
      x86/intel_rdt: Fix incorrect returned value when creating rdgroup... · 36e74d35
      hui authored
      x86/intel_rdt: Fix incorrect returned value when creating rdgroup sub-directory in resctrl file system
      
      If no monitoring feature is detected because all monitoring features are
      disabled during boot time or there is no monitoring feature in hardware,
      creating rdtgroup sub-directory by "mkdir" command reports error:
      
        mkdir: cannot create directory ‘/sys/fs/resctrl/p1’: No such file or directory
      
      But the sub-directory actually is generated and content is correct:
      
        cpus  cpus_list  schemata  tasks
      
      The error is because rdtgroup_mkdir_ctrl_mon() returns non zero value after
      the sub-directory is created and the returned value is reported as an error
      to user.
      
      Clear the returned value to report to user that the sub-directory is
      actually created successfully.
      Signed-off-by: hui's avatarWang Hui <[email protected]>
      Signed-off-by: default avatarZhang Yanfei <[email protected]>
      Signed-off-by: default avatarFenghua Yu <[email protected]>
      Cc: Linus Torvalds <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Ravi V Shankar <[email protected]>
      Cc: Thomas Gleixner <[email protected]>
      Cc: Tony Luck <[email protected]>
      Cc: Vikas <[email protected]>
      Cc: Xiaochen Shen <[email protected]>
      Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      36e74d35
    • Thomas Gleixner's avatar
      x86/apic/vector: Handle vector release on CPU unplug correctly · e84cf6aa
      Thomas Gleixner authored
      When a irq vector is replaced, then the previous vector is normally
      released when the first interrupt happens on the new vector. If the target
      CPU of the previous vector is already offline when the new vector is
      installed, then the previous vector is silently discarded, which leads to
      accounting issues causing suspend failures and other problems.
      
      Adjust the logic so that the previous vector is freed in the underlying
      matrix allocator to ensure that the accounting stays correct.
      
      Fixes: 69cde000 ("x86/vector: Use matrix allocator for vector assignment")
      Reported-by: default avatarYuriy Vostrikov <[email protected]>
      Signed-off-by: default avatarThomas Gleixner <[email protected]>
      Tested-by: default avatarYuriy Vostrikov <[email protected]>
      Cc: Peter Zijlstra <[email protected]>
      Cc: Randy Dunlap <[email protected]>
      Cc: [email protected]
      Link: https://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarIngo Molnar <[email protected]>
      e84cf6aa
    • Michael Ellerman's avatar
      powerpc/powernv: Support firmware disable of RFI flush · eb0a2d26
      Michael Ellerman authored
      Some versions of firmware will have a setting that can be configured
      to disable the RFI flush, add support for it.
      
      Fixes: 6e032b35 ("powerpc/powernv: Check device-tree for RFI flush settings")
      Signed-off-by: Michael Ellerman's avatarMichael Ellerman <[email protected]>
      eb0a2d26
    • Michael Ellerman's avatar
      powerpc/pseries: Support firmware disable of RFI flush · 582605a4
      Michael Ellerman authored
      Some versions of firmware will have a setting that can be configured
      to disable the RFI flush, add support for it.
      
      Fixes: 8989d568 ("powerpc/pseries: Query hypervisor for RFI flush settings")
      Signed-off-by: Michael Ellerman's avatarMichael Ellerman <[email protected]>
      582605a4
    • Bharata B Rao's avatar
      powerpc/mm/drmem: Fix unexpected flag value in ibm,dynamic-memory-v2 · 2f7d03e0
      Bharata B Rao authored
      Memory addtion and removal by count and indexed-count methods
      temporarily mark the LMBs that are being added/removed by a special
      flag value DRMEM_LMB_RESERVED. Accessing flags value directly at a few
      places without proper accessor method is causing two unexpected
      side-effects:
      
      - DRMEM_LMB_RESERVED bit is becoming part of the flags word of
        drconf_cell_v2 entries in ibm,dynamic-memory-v2 DT property.
      - This results in extra drconf_cell entries in ibm,dynamic-memory-v2.
        For example if 1G memory is added, it leads to one entry for 3 LMBs
        and 1 separate entry for the last LMB. All the 4 LMBs should be
        defined by one entry here.
      
      Fix this by always accessing the flags by its accessor method
      drmem_lmb_flags().
      
      Fixes: 2b31e3ae ("powerpc/drmem: Add support for ibm, dynamic-memory-v2 property")
      Signed-off-by: default avatarBharata B Rao <[email protected]>
      Reviewed-by: default avatarNathan Fontenot <[email protected]>
      Signed-off-by: Michael Ellerman's avatarMichael Ellerman <[email protected]>
      2f7d03e0
    • Randy Dunlap's avatar
      integrity/security: fix digsig.c build error with header file · 120f3b11
      Randy Dunlap authored
      security/integrity/digsig.c has build errors on some $ARCH due to a
      missing header file, so add it.
      
        security/integrity/digsig.c:146:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
      Reported-by: Michael Ellerman's avatarMichael Ellerman <[email protected]>
      Signed-off-by: default avatarRandy Dunlap <[email protected]>
      Cc: Mimi Zohar <[email protected]>
      Cc: [email protected]
      Link: http://kisskb.ellerman.id.au/kisskb/head/13396/Signed-off-by: default avatarJames Morris <[email protected]>
      120f3b11
    • James Morris's avatar
      Merge tag 'keys-fixes-20180222-2' of... · 16c4db3b
      James Morris authored
      Merge tag 'keys-fixes-20180222-2' of https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into fixes-v4.16-rc3
      
      Keyrings fixes.
      16c4db3b
    • Dave Airlie's avatar
      Merge tag 'imx-drm-next-2018-02-22' of git://git.pengutronix.de/git/pza/linux into drm-fixes · b17800e9
      Dave Airlie authored
      drm/imx: ipu-v3 fixups and grayscale support
      
      - Make const interrupt register arrays static, reduces object size.
      - Fix device_node leaks in PRE/PRG phandle lookup functions.
      - Add 8-bit and 16-bit grayscale buffer support to ipu_cpmem_set_image,
      - add 10-bit and 12-bit grayscale media bus support to ipu-csi,
        to be used by the imx-media driver.
      
      * tag 'imx-drm-next-2018-02-22' of git://git.pengutronix.de/git/pza/linux:
        gpu: ipu-csi: add 10/12-bit grayscale support to mbus_code_to_bus_cfg
        gpu: ipu-cpmem: add 16-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
        gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
        gpu: ipu-cpmem: add 8-bit grayscale support to ipu_cpmem_set_image
        gpu: ipu-v3: make const arrays int_reg static, shrinks object size
      b17800e9
    • Kees Cook's avatar
      MIPS: boot: Define __ASSEMBLY__ for its.S build · 0f9da844
      Kees Cook authored
      The MIPS %.its.S compiler command did not define __ASSEMBLY__, which meant
      when compiler_types.h was added to kconfig.h, unexpected things appeared
      (e.g. struct declarations) which should not have been present. As done in
      the general %.S compiler command, __ASSEMBLY__ is now included here too.
      
      The failure was:
      
          Error: arch/mips/boot/vmlinux.gz.its:201.1-2 syntax error
          FATAL ERROR: Unable to parse input tree
          /usr/bin/mkimage: Can't read arch/mips/boot/vmlinux.gz.itb.tmp: Invalid argument
          /usr/bin/mkimage Can't add hashes to FIT blob
      Reported-by: default avatarkbuild test robot <[email protected]>
      Fixes: 28128c61 ("kconfig.h: Include compiler types to avoid missed struct attributes")
      Signed-off-by: default avatarKees Cook <[email protected]>
      Signed-off-by: default avatarLinus Torvalds <[email protected]>
      0f9da844
    • Linus Torvalds's avatar
      Merge branch 'siginfo-linus' of... · bae6cfe8
      Linus Torvalds authored
      Merge branch 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace
      
      Pull siginfo fix from Eric Biederman:
       "This fixes a build error that only shows up on blackfin"
      
      * 'siginfo-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        fs/signalfd: fix build error for BUS_MCEERR_AR
      bae6cfe8
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · 0bb78166
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "Fix an oops in the s5p-sss driver when used with ecb(aes)"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
      0bb78166
    • Daniel Borkmann's avatar
      bpf, arm64: fix out of bounds access in tail call · 16338a9b
      Daniel Borkmann authored
      I recently noticed a crash on arm64 when feeding a bogus index
      into BPF tail call helper. The crash would not occur when the
      interpreter is used, but only in case of JIT. Output looks as
      follows:
      
        [  347.007486] Unable to handle kernel paging request at virtual address fffb850e96492510
        [...]
        [  347.043065] [fffb850e96492510] address between user and kernel address ranges
        [  347.050205] Internal error: Oops: 96000004 [#1] SMP
        [...]
        [  347.190829] x13: 0000000000000000 x12: 0000000000000000
        [  347.196128] x11: fffc047ebe782800 x10: ffff808fd7d0fd10
        [  347.201427] x9 : 0000000000000000 x8 : 0000000000000000
        [  347.206726] x7 : 0000000000000000 x6 : 001c991738000000
        [  347.212025] x5 : 0000000000000018 x4 : 000000000000ba5a
        [  347.217325] x3 : 00000000000329c4 x2 : ffff808fd7cf0500
        [  347.222625] x1 : ffff808fd7d0fc00 x0 : ffff808fd7cf0500
        [  347.227926] Process test_verifier (pid: 4548, stack limit = 0x000000007467fa61)
        [  347.235221] Call trace:
        [  347.237656]  0xffff000002f3a4fc
        [  347.240784]  bpf_test_run+0x78/0xf8
        [  347.244260]  bpf_prog_test_run_skb+0x148/0x230
        [  347.248694]  SyS_bpf+0x77c/0x1110
        [  347.251999]  el0_svc_naked+0x30/0x34
        [  347.255564] Code: 9100075a d280220a 8b0a002a d37df04b (f86b694b)
        [...]
      
      In this case the index used in BPF r3 is the same as in r1
      at the time of the call, meaning we fed a pointer as index;
      here, it had the value 0xffff808fd7cf0500 which sits in x2.
      
      While I found tail calls to be working in general (also for
      hitting the error cases), I noticed the following in the code
      emission:
      
        # bpftool p d j i 988
        [...]
        38:   ldr     w10, [x1,x10]
        3c:   cmp     w2, w10
        40:   b.ge    0x000000000000007c              <-- signed cmp
        44:   mov     x10, #0x20                      // #32
        48:   cmp     x26, x10
        4c:   b.gt    0x000000000000007c
        50:   add     x26, x26, #0x1
        54:   mov     x10, #0x110                     // #272
        58:   add     x10, x1, x10
        5c:   lsl     x11, x2, #3
        60:   ldr     x11, [x10,x11]                  <-- faulting insn (f86b694b)
        64:   cbz     x11, 0x000000000000007c
        [...]
      
      Meaning, the tests passed because commit ddb55992 ("arm64:
      bpf: implement bpf_tail_call() helper") was using signed compares
      instead of unsigned which as a result had the test wrongly passing.
      
      Change this but also the tail call count test both into unsigned
      and cap the index as u32. Latter we did as well in 90caccdd
      ("bpf: fix bpf_tail_call() x64 JIT") and is needed in addition here,
      too. Tested on HiSilicon Hi1616.
      
      Result after patch:
      
        # bpftool p d j i 268
        [...]
        38:	ldr	w10, [x1,x10]
        3c:	add	w2, w2, #0x0
        40:	cmp	w2, w10
        44:	b.cs	0x0000000000000080
        48:	mov	x10, #0x20                  	// #32
        4c:	cmp	x26, x10
        50:	b.hi	0x0000000000000080
        54:	add	x26, x26, #0x1
        58:	mov	x10, #0x110                 	// #272
        5c:	add	x10, x1, x10
        60:	lsl	x11, x2, #3
        64:	ldr	x11, [x10,x11]
        68:	cbz	x11, 0x0000000000000080
        [...]
      
      Fixes: ddb55992 ("arm64: bpf: implement bpf_tail_call() helper")
      Signed-off-by: default avatarDaniel Borkmann <[email protected]>
      Signed-off-by: default avatarAlexei Starovoitov <[email protected]>
      16338a9b