Commit Graph

649605 Commits

Author SHA1 Message Date
Linus Torvalds 99378fd268 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
 "A fix for a crash in uinput, and a fix for build errors when HID-RMI
  is built-in but SERIO is a module"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics-rmi4 - select 'SERIO' when needed
  Input: uinput - fix crash when mixing old and new init style
2017-02-09 11:58:05 -08:00
Linus Torvalds 189addce85 VFIO fixes for v4.10
- Fix regression in attaching groups to existing container for
    SPAPR IOMMU backend (Alexey Kardashevskiy)
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.14 (GNU/Linux)
 
 iQIcBAABAgAGBQJYnIsVAAoJECObm247sIsiv7kP/iRZRv46IqmIL4ynKKJL44Bl
 Oz2NO5EPvyb56yE0JZY+Em46yQYsQDuMSNOnuQC7FXKrmrmRj/rD0wPIa344umtZ
 /wxJ1aruR37UJjbYHkXGfZ89F/D7ahiZsAyT95t7LIGKNOwALS2JGBZbpnHxArFL
 SjOs4E8lDZCwBHwWJWYs3JQjPU/VrvCPMiULKaADDzw6sRWvFV+Xpk9uJnJpGMPD
 ggVnSzASFYd3jZjOS8p2YM14m8yudMdYDu112fWHefi0znXL7QgfxnOHD8vRhwYu
 zNOAP8qKW4MvMlHXh0hXWiT8fBQ86GUydBhTtc/Cd7UqJEhmjtununEQhJxyfOJw
 +XSjBjfdTSoQdFEe4XgReFbTntCK6PiiLza9kZ5mEArgUKOl5hkxml1el3PkPZrO
 Efukr0b06ZdJWNKkR4OkFkW7c/WVXeFcuW1FhVQf3OBZOoT9ev4VlAXitK/l1+dl
 s54HP0mpxrOlkYwJsWzA8NKzB8cQcvaMs4loo6YzR5hJ8IOPxBc+jVjjqAz+H72Z
 S7bP6ilTuxWiPQy0s4k3vLoDWaAwWJ9GxjR0Yd+tmG+TafVNPiUr9ZmBQNaCjIjH
 2/hX9CDiAQs5vHYk8R+HgdFNvD2ntH8KD9DQnqnXhZsnCXYGcai9Boja/9jUxGK1
 uELj3AYYa4FubZiSWnMl
 =iCg7
 -----END PGP SIGNATURE-----

Merge tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio

Pull VFIO fix from Alex Williamson:
 "Fix regression in attaching groups to existing container for SPAPR
  IOMMU backend (Alexey Kardashevskiy)"

* tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio:
  vfio/spapr_tce: Set window when adding additional groups to container
2017-02-09 11:34:15 -08:00
Linus Torvalds 59e8f10ac1 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm
Pull ARM fixes from Russell King:
 "A couple more fixes for 4.10:

   - fix addressing the short regset write issue (Dave Martin)

   - fix for LPAE systems which leave a pending imprecise data abort
     before entering the kernel (Alexander Sverdlin)"

* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
  ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
2017-02-09 11:30:56 -08:00
Linus Torvalds d966564fcd Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
This reverts commit 020eb3daab.

Gabriel C reports that it causes his machine to not boot, and we haven't
tracked down the reason for it yet.  Since the bug it fixes has been
around for a longish time, we're better off reverting the fix for now.

Gabriel says:
 "It hangs early and freezes with a lot RCU warnings.

  I bisected it down to :

  > Ruslan Ruslichenko (1):
  >       x86/ioapic: Restore IO-APIC irq_chip retrigger callback

  Reverting this one fixes the problem for me..

  The box is a PRIMERGY TX200 S5 , 2 socket , 2 x E5520 CPU(s) installed"

and Ruslan and Thomas are currently stumped.

Reported-and-bisected-by: Gabriel C <nix.or.die@gmail.com>
Cc: Ruslan Ruslichenko <rruslich@cisco.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org   # for the backport of the original commit
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 18:08:29 -08:00
David Daney 3b802c9455 Revert "hwrng: core - zeroize buffers with random data"
This reverts commit 2cc7515458.

With this commit in place I get on a Cavium ThunderX (arm64) system:

$ if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-bad.txt
1+0 records in
1+0 records out
256 bytes (256 B) copied, 9.1171e-05 s, 2.8 MB/s
$ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-bad.txt
1+0 records in
1+0 records out
256 bytes (256 B) copied, 9.6141e-05 s, 2.7 MB/s
$ cat rng-bad.txt
000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000050 00 00 00 00 37 20 46 ae d0 fc 1c 55 25 6e b0 b8
000060 7c 7e d7 d4 00 0f 6f b2 91 1e 30 a8 fa 3e 52 0e
000070 06 2d 53 30 be a1 20 0f aa 56 6e 0e 44 6e f4 35
000080 b7 6a fe d2 52 70 7e 58 56 02 41 ea d1 9c 6a 6a
000090 d1 bd d8 4c da 35 45 ef 89 55 fc 59 d5 cd 57 ba
0000a0 4e 3e 02 1c 12 76 43 37 23 e1 9f 7a 9f 9e 99 24
0000b0 47 b2 de e3 79 85 f6 55 7e ad 76 13 4f a0 b5 41
0000c0 c6 92 42 01 d9 12 de 8f b4 7b 6e ae d7 24 fc 65
0000d0 4d af 0a aa 36 d9 17 8d 0e 8b 7a 3b b6 5f 96 47
0000e0 46 f7 d8 ce 0b e8 3e c6 13 a6 2c b6 d6 cc 17 26
0000f0 e3 c3 17 8e 9e 45 56 1e 41 ef 29 1a a8 65 c8 3a
000100
000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000050 00 00 00 00 f4 90 65 aa 8b f2 5e 31 01 53 b4 d4
000060 06 c0 23 a2 99 3d 01 e4 b0 c1 b1 55 0f 80 63 cf
000070 33 24 d8 3a 1d 5e cd 2c ba c0 d0 18 6f bc 97 46
000080 1e 19 51 b1 90 15 af 80 5e d1 08 0d eb b0 6c ab
000090 6a b4 fe 62 37 c5 e1 ee 93 c3 58 78 91 2a d5 23
0000a0 63 50 eb 1f 3b 84 35 18 cf b2 a4 b8 46 69 9e cf
0000b0 0c 95 af 03 51 45 a8 42 f1 64 c9 55 fc 69 76 63
0000c0 98 9d 82 fa 76 85 24 da 80 07 29 fe 4e 76 0c 61
0000d0 ff 23 94 4f c8 5c ce 0b 50 e8 31 bc 9d ce f4 ca
0000e0 be ca 28 da e6 fa cc 64 1c ec a8 41 db fe 42 bd
0000f0 a0 e2 4b 32 b4 52 ba 03 70 8e c1 8e d0 50 3a c6
000100

To my untrained mental entropy detector, the first several bytes of
each read from /dev/hwrng seem to not be very random (i.e. all zero).

When I revert the patch (apply this patch), I get back to what we have
in v4.9, which looks like (much more random appearing):

$ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v > rng-good.txt
1+0 records in
1+0 records out
256 bytes (256 B) copied, 0.000252233 s, 1.0 MB/s
$ dd if=/dev/hwrng bs=256 count=1 | od -t x1 -A x -v >> rng-good.txt
1+0 records in
1+0 records out
256 bytes (256 B) copied, 0.000113571 s, 2.3 MB/s
$ cat rng-good.txt
000000 75 d1 2d 19 68 1f d2 26 a1 49 22 61 66 e8 09 e5
000010 e0 4e 10 d0 1a 2c 45 5d 59 04 79 8e e2 b7 2c 2e
000020 e8 ad da 34 d5 56 51 3d 58 29 c7 7a 8e ed 22 67
000030 f9 25 b9 fb c6 b7 9c 35 1f 84 21 35 c1 1d 48 34
000040 45 7c f6 f1 57 63 1a 88 38 e8 81 f0 a9 63 ad 0e
000050 be 5d 3e 74 2e 4e cb 36 c2 01 a8 14 e1 38 e1 bb
000060 23 79 09 56 77 19 ff 98 e8 44 f3 27 eb 6e 0a cb
000070 c9 36 e3 2a 96 13 07 a0 90 3f 3b bd 1d 04 1d 67
000080 be 33 14 f8 02 c2 a4 02 ab 8b 5b 74 86 17 f0 5e
000090 a1 d7 aa ef a6 21 7b 93 d1 85 86 eb 4e 8c d0 4c
0000a0 56 ac e4 45 27 44 84 9f 71 db 36 b9 f7 47 d7 b3
0000b0 f2 9c 62 41 a3 46 2b 5b e3 80 63 a4 35 b5 3c f4
0000c0 bc 1e 3a ad e4 59 4a 98 6c e8 8d ff 1b 16 f8 52
0000d0 05 5c 2f 52 2a 0f 45 5b 51 fb 93 97 a4 49 4f 06
0000e0 f3 a0 d1 1e ba 3d ed a7 60 8f bb 84 2c 21 94 2d
0000f0 b3 66 a6 61 1e 58 30 24 85 f8 c8 18 c3 77 00 22
000100
000000 73 ca cc a1 d9 bb 21 8d c3 5c f3 ab 43 6d a7 a4
000010 4a fd c5 f4 9c ba 4a 0f b1 2e 19 15 4e 84 26 e0
000020 67 c9 f2 52 4d 65 1f 81 b7 8b 6d 2b 56 7b 99 75
000030 2e cd d0 db 08 0c 4b df f3 83 c6 83 00 2e 2b b8
000040 0f af 61 1d f2 02 35 74 b5 a4 6f 28 f3 a1 09 12
000050 f2 53 b5 d2 da 45 01 e5 12 d6 46 f8 0b db ed 51
000060 7b f4 0d 54 e0 63 ea 22 e2 1d d0 d6 d0 e7 7e e0
000070 93 91 fb 87 95 43 41 28 de 3d 8b a3 a8 8f c4 9e
000080 30 95 12 7a b2 27 28 ff 37 04 2e 09 7c dd 7c 12
000090 e1 50 60 fb 6d 5f a8 65 14 40 89 e3 4c d2 87 8f
0000a0 34 76 7e 66 7a 8e 6b a3 fc cf 38 52 2e f9 26 f0
0000b0 98 63 15 06 34 99 b2 88 4f aa d8 14 88 71 f1 81
0000c0 be 51 11 2b f4 7e a0 1e 12 b2 44 2e f6 8d 84 ea
0000d0 63 82 2b 66 b3 9a fd 08 73 5a c2 cc ab 5a af b1
0000e0 88 e3 a6 80 4b fc db ed 71 e0 ae c0 0a a4 8c 35
0000f0 eb 89 f9 8a 4b 52 59 6f 09 7c 01 3f 56 e7 c7 bf
000100

Signed-off-by: David Daney <david.daney@cavium.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 18:06:03 -08:00
Linus Torvalds 507053d23b Merge branch 'akpm' (patches from Andrew)
Merge fixes from Andrew Morton:
 "4 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  mm/slub.c: fix random_seq offset destruction
  cpumask: use nr_cpumask_bits for parsing functions
  mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
  kernel/ucount.c: mark user_header with kmemleak_ignore()
2017-02-08 16:06:10 -08:00
Sean Rees a810007afe mm/slub.c: fix random_seq offset destruction
Commit 210e7a43fa ("mm: SLUB freelist randomization") broke USB hub
initialisation as described in

  https://bugzilla.kernel.org/show_bug.cgi?id=177551.

Bail out early from init_cache_random_seq if s->random_seq is already
initialised.  This prevents destroying the previously computed
random_seq offsets later in the function.

If the offsets are destroyed, then shuffle_freelist will truncate
page->freelist to just the first object (orphaning the rest).

Fixes: 210e7a43fa ("mm: SLUB freelist randomization")
Link: http://lkml.kernel.org/r/20170207140707.20824-1-sean@erifax.org
Signed-off-by: Sean Rees <sean@erifax.org>
Reported-by: <userwithuid@gmail.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Thomas Garnier <thgarnie@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 15:41:43 -08:00
Tejun Heo 4d59b6ccf0 cpumask: use nr_cpumask_bits for parsing functions
Commit 513e3d2d11 ("cpumask: always use nr_cpu_ids in formatting and
parsing functions") converted both cpumask printing and parsing
functions to use nr_cpu_ids instead of nr_cpumask_bits.  While this was
okay for the printing functions as it just picked one of the two output
formats that we were alternating between depending on a kernel config,
doing the same for parsing wasn't okay.

nr_cpumask_bits can be either nr_cpu_ids or NR_CPUS.  We can always use
nr_cpu_ids but that is a variable while NR_CPUS is a constant, so it can
be more efficient to use NR_CPUS when we can get away with it.
Converting the printing functions to nr_cpu_ids makes sense because it
affects how the masks get presented to userspace and doesn't break
anything; however, using nr_cpu_ids for parsing functions can
incorrectly leave the higher bits uninitialized while reading in these
masks from userland.  As all testing and comparison functions use
nr_cpumask_bits which can be larger than nr_cpu_ids, the parsed cpumasks
can erroneously yield false negative results.

This made the taskstats interface incorrectly return -EINVAL even when
the inputs were correct.

Fix it by restoring the parse functions to use nr_cpumask_bits instead
of nr_cpu_ids.

Link: http://lkml.kernel.org/r/20170206182442.GB31078@htj.duckdns.org
Fixes: 513e3d2d11 ("cpumask: always use nr_cpu_ids in formatting and parsing functions")
Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: Martin Steigerwald <martin.steigerwald@teamix.de>
Debugged-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: <stable@vger.kernel.org>	[4.0+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 15:41:43 -08:00
Jan Kara 0911d0041c mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
Some ->page_mkwrite handlers may return VM_FAULT_RETRY as its return
code (GFS2 or Lustre can definitely do this).  However VM_FAULT_RETRY
from ->page_mkwrite is completely unhandled by the mm code and results
in locking and writeably mapping the page which definitely is not what
the caller wanted.

Fix Lustre and block_page_mkwrite_ret() used by other filesystems
(notably GFS2) to return VM_FAULT_NOPAGE instead which results in
bailing out from the fault code, the CPU then retries the access, and we
fault again effectively doing what the handler wanted.

Link: http://lkml.kernel.org/r/20170203150729.15863-1-jack@suse.cz
Signed-off-by: Jan Kara <jack@suse.cz>
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: Jinshan Xiong <jinshan.xiong@intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 15:41:43 -08:00
Luis R. Rodriguez ed5bd7dc88 kernel/ucount.c: mark user_header with kmemleak_ignore()
The user_header gets caught by kmemleak with the following splat as
missing a free:

  unreferenced object 0xffff99667a733d80 (size 96):
  comm "swapper/0", pid 1, jiffies 4294892317 (age 62191.468s)
  hex dump (first 32 bytes):
    a0 b6 92 b4 ff ff ff ff 00 00 00 00 01 00 00 00  ................
    01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
     kmemleak_alloc+0x4a/0xa0
     __kmalloc+0x144/0x260
     __register_sysctl_table+0x54/0x5e0
     register_sysctl+0x1b/0x20
     user_namespace_sysctl_init+0x17/0x34
     do_one_initcall+0x52/0x1a0
     kernel_init_freeable+0x173/0x200
     kernel_init+0xe/0x100
     ret_from_fork+0x2c/0x40

The BUG_ON()s are intended to crash so no need to clean up after
ourselves on error there.  This is also a kernel/ subsys_init() we don't
need a respective exit call here as this is never modular, so just white
list it.

Link: http://lkml.kernel.org/r/20170203211404.31458-1-mcgrof@kernel.org
Signed-off-by: Luis R. Rodriguez <mcgrof@kernel.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Nikolay Borisov <n.borisov.lkml@gmail.com>
Cc: Serge Hallyn <serge@hallyn.com>
Cc: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-08 15:41:43 -08:00
Linus Torvalds be11f436a8 pci-v4.10-fixes-3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYm19aAAoJEFmIoMA60/r8q5AQALuO3zl+fEsUD9k+vf1ernIm
 +Bzvzqe7RbmO/1Mke8ccZEJPigOx2Kyv3dcrVxvwVF/mcK7yjPp4NC040f4OBYeu
 lkeMC3+3x7k99xNHkszZkYG9wg4xEEqkMrQQcxokuE04FYSCQSyUJnVRtlhC3GWh
 I71IH9qHqCMRaIPbnbsOWaHimS2iPBcOIHE0OWlPo0VhUD+hqebQ8tdfTWykFWxU
 3YZX0tcqCFF0uZkKZ6zIiC1D2wL3AZ8QDN/FfwyrCRrCwZAJyshBxSk7jIxkvxL/
 RkA7b/tbNVug2UGtNJyV7zCc11ApruJ0H9sgHfppzdOo6tr2vov7itaCWFY0AA04
 bdEdqvqYnEdQAPXoeIGRbBPovlMjcUXI8qkrNuxZinLdwSya2oB+A+Zn33nkLjnz
 buXzbPni3FcriSDQm0l6brI4n0JXopyij6pfQv+Wq6lW/pF4Z54eksxLstZrw29o
 tQ+8cMUkmL46q++809c7jM2Mb3ZEXUL0EDbMeN96U4zjIsq/llc//pYsJbeogosa
 QSQUhAvKGHprUIhRjizLZ7h1BmYQbQ6oPI2k5wgx6zUNTn0V7MQ+gf2lYC/ogYif
 htiKNg9u/nFSqED9JZtUxsyHnlPtRui2iYr/S0JTo8AwLY7vUuXAcMQeQIw0ywW2
 QqKJgbZIUJyFKnEax1KS
 =uhbh
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - check MSI affinity vs. number of vectors to avoid memory corruption

 - drop runtime power management for PCIe hotplug ports for now to avoid
   regressing hotplug via sysfs

* tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  Revert "PCI: pciehp: Add runtime PM support for PCIe hotplug ports"
  PCI/MSI: Don't apply affinity if there aren't enough vectors left
2017-02-08 12:23:49 -08:00
Linus Torvalds 472ff5be61 ARM: SoC fixes for v4.10
- A relatively large patch restores booting on i.MX platforms that
   failed to boot after a cleanup was merged for v4.10.
 
 - A quirk for USB needs to be enabled on the STi platform
 
 - On the Meson platform, we saw memory corruption with part of
   the memory used by the secure monitor, so we have to stay out
   of that area.
 
 - The same platform also has a problem with ethernet under load,
   which is fixed by disabling EEE negotiation.
 
 - imx6dl has an incorrect pin configuration, which prevents SPI
   from working.
 
 - Two maintainers have lost their access to their email addresses, so
   we should update the MAINTAINERS file before the release
 
 - Renaming one of the orion5x linkstation models to help simplify
   the debian install.
 
 - A couple of fixes for build warnings that were introduced during
   v4.10-rc.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIVAwUAWJtPYGCrR//JCVInAQIrqxAA4XlWN83jn0+zDt1A7OmrXUhtycD8eJFM
 cP0Lc965pa1OVVkcIRRrgvYE9dnILuK6qPit7HbQtQcCSRxb5P2OQ0AyNBjAt6C0
 exBD/R13aImPLWWuGl65/WqBaCWaZ9KnVqzNHDXGt9d51NBsqreM9TdwLMvFMQBl
 tyvoRNK4TbIMGpOtrnLMTwHLkh4yZXik7srkuwSV0jeIVh7HrQUd2eawqWssuX7A
 idkZWBheDhQt2s1tI5wkRf4TFEI6muWpaNaU3NGi9qmQdHpJWc0ivYZtHlE29Fli
 T/nXDWmPptRIhOSIney6TwLdgN1Lg4ztRdaowHEpYXnfieUx+P86QJTXhxxo/3eT
 be30IhWX4WKAWiQkQHAsVCt6zIYRfXE5N8An6S5MfsC3n1dYAvCCf/qpToGUnoc/
 nyZQcbasHaSB3r5YMUmgH1oDowT9FsE/iaOzCr5xymiXgxR/p3gTVxcLn9jgp3Zq
 m1hSNfCACGmGLNcQBR/fz63/1b6sanXV6JOSEEB2TfpcQ0Mi0AaeZjAR9JAfQbNR
 hG/r8LC2Q0cG10zwOe1Iv60Ery7UsfCtdzEU6D3/gwtlDssSOs351cBoIKWtQxnX
 SPcUag9ZHZS1iuaZaSISmOWMyhK7CeCjk12TDFJPBrLolJOhIuHUOW/5cFwydWgp
 DLbhSBwqQKU=
 =zlTb
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Arnd Bergmann:

 - A relatively large patch restores booting on i.MX platforms that
   failed to boot after a cleanup was merged for v4.10.

 - A quirk for USB needs to be enabled on the STi platform

 - On the Meson platform, we saw memory corruption with part of the
   memory used by the secure monitor, so we have to stay out of that
   area.

 - The same platform also has a problem with ethernet under load, which
   is fixed by disabling EEE negotiation.

 - imx6dl has an incorrect pin configuration, which prevents SPI from
   working.

 - Two maintainers have lost their access to their email addresses, so
   we should update the MAINTAINERS file before the release

 - Renaming one of the orion5x linkstation models to help simplify the
   debian install.

 - A couple of fixes for build warnings that were introduced during
   v4.10-rc.

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in
  MAINTAINERS: socfpga: update email for Dinh Nguyen
  ARM: orion5x: fix Makefile for linkstation-lschl.dtb
  ARM: dts: orion5x-lschl: More consistent naming on linkstation series
  ARM: dts: orion5x-lschl: Fix model name
  MAINTAINERS: change email address from atmel to microchip
  MAINTAINERS: at91: change email address
  ARM64: dts: meson-gx: Add firmware reserved memory zones
  ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
  ARM: dts: STiH407-family: set snps,dis_u3_susphy_quirk
  ARM: dts: imx: Pass 'chosen' and 'memory' nodes
  ARM: dts: imx6dl: fix GPIO4 range
  ARM: imx: hide unused variable in #ifdef
2017-02-08 10:01:39 -08:00
Linus Torvalds d3498fbaf3 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull selinux fix from James Morris:
 "Fix off-by-one in setprocattr"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  selinux: fix off-by-one in setprocattr
2017-02-08 09:59:45 -08:00
Linus Torvalds 23fbe2cdc1 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fix from Jens Axboe:
 "A single fix that should go into 4.10, fixing a regression on some
  devices with the WRITE_SAME command"

* 'for-linus' of git://git.kernel.dk/linux-block:
  block: don't try Write Same from __blkdev_issue_zeroout
2017-02-08 09:56:15 -08:00
Stephen Smalley 0c461cb727 selinux: fix off-by-one in setprocattr
SELinux tries to support setting/clearing of /proc/pid/attr attributes
from the shell by ignoring terminating newlines and treating an
attribute value that begins with a NUL or newline as an attempt to
clear the attribute.  However, the test for clearing attributes has
always been wrong; it has an off-by-one error, and this could further
lead to reading past the end of the allocated buffer since commit
bb646cdb12 ("proc_pid_attr_write():
switch to memdup_user()").  Fix the off-by-one error.

Even with this fix, setting and clearing /proc/pid/attr attributes
from the shell is not straightforward since the interface does not
support multiple write() calls (so shells that write the value and
newline separately will set and then immediately clear the attribute,
requiring use of echo -n to set the attribute), whereas trying to use
echo -n "" to clear the attribute causes the shell to skip the
write() call altogether since POSIX says that a zero-length write
causes no side effects. Thus, one must use echo -n to set and echo
without -n to clear, as in the following example:
$ echo -n unconfined_u:object_r:user_home_t:s0 > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate
unconfined_u:object_r:user_home_t:s0
$ echo "" > /proc/$$/attr/fscreate
$ cat /proc/$$/attr/fscreate

Note the use of /proc/$$ rather than /proc/self, as otherwise
the cat command will read its own attribute value, not that of the shell.

There are no users of this facility to my knowledge; possibly we
should just get rid of it.

UPDATE: Upon further investigation it appears that a local process
with the process:setfscreate permission can cause a kernel panic as a
result of this bug.  This patch fixes CVE-2017-2618.

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
[PM: added the update about CVE-2017-2618 to the commit description]
Cc: stable@vger.kernel.org # 3.5: d6ea83ec68
Signed-off-by: Paul Moore <paul@paul-moore.com>

Signed-off-by: James Morris <james.l.morris@oracle.com>
2017-02-08 19:09:53 +11:00
Arnd Bergmann 413d373267 Input: synaptics-rmi4 - select 'SERIO' when needed
With CONFIG_SERIO=m, we get a build error for the rmi4-f03 driver,
added in linux-4.10:

warning: (HID_RMI) selects RMI4_F03 which has unmet direct dependencies (!UML && INPUT && RMI4_CORE && (SERIO=y || RMI4_CORE=SERIO))
drivers/input/built-in.o: In function `rmi_f03_attention':
rmi_f03.c:(.text+0xcfe0): undefined reference to `serio_interrupt'
rmi_f03.c:(.text+0xd055): undefined reference to `serio_interrupt'
drivers/input/built-in.o: In function `rmi_f03_remove':
rmi_f03.c:(.text+0xd115): undefined reference to `serio_unregister_port'
drivers/input/built-in.o: In function `rmi_f03_probe':
rmi_f03.c:(.text+0xd209): undefined reference to `__serio_register_port'

An earlier patch tried to fix this, but missed the HID_RMI driver that
does a 'select' on the F03 backend.

This adds a hidden Kconfig symbol that enforces 'serio' to be enabled
when RMI4-F03 is, which covers all cases.

Fixes: d7ddad0acc ("Input: synaptics-rmi4 - fix F03 build error when serio is module")
Fixes: c5e8848fc9 ("Input: synaptics-rmi4 - add support for F03")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2017-02-07 14:31:45 -08:00
Linus Torvalds 926af6273f Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Load correct firmware in rtl8192ce wireless driver, from Jurij
    Smakov.

 2) Fix leak of tx_ring and tx_cq due to overwriting in mlx4 driver,
    from Martin KaFai Lau.

 3) Need to reference count PHY driver module when it is attached, from
    Mao Wenan.

 4) Don't do zero length vzalloc() in ethtool register dump, from
    Stanislaw Gruszka.

 5) Defer net_disable_timestamp() to a workqueue to get out of locking
    issues, from Eric Dumazet.

 6) We cannot drop the SKB dst when IP options refer to them, fix also
    from Eric Dumazet.

 7) Incorrect packet header offset calculations in ip6_gre, again from
    Eric Dumazet.

 8) Missing tcp_v6_restore_cb() causes use-after-free, from Eric too.

 9) tcp_splice_read() can get into an infinite loop with URG, and hey
    it's from Eric once more.

10) vnet_hdr_sz can change asynchronously, so read it once during
    decision making in macvtap and tun, from Willem de Bruijn.

11) Can't use kernel stack for DMA transfers in USB networking drivers,
    from Ben Hutchings.

12) Handle csum errors properly in UDP by calling the proper destructor,
    from Eric Dumazet.

13) For non-deterministic softirq run when scheduling NAPI from a
    workqueue in mlx4, from Benjamin Poirier.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (28 commits)
  sctp: check af before verify address in sctp_addr_id2transport
  sctp: avoid BUG_ON on sctp_wait_for_sndbuf
  mlx4: Invoke softirqs after napi_reschedule
  udp: properly cope with csum errors
  catc: Use heap buffer for memory size test
  catc: Combine failure cleanup code in catc_probe()
  rtl8150: Use heap buffers for all register access
  pegasus: Use heap buffers for all register access
  macvtap: read vnet_hdr_size once
  tun: read vnet_hdr_sz once
  tcp: avoid infinite loop in tcp_splice_read()
  hns: avoid stack overflow with CONFIG_KASAN
  ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
  ipv6: tcp: add a missing tcp_v6_restore_cb()
  nl80211: Fix mesh HT operation check
  mac80211: Fix adding of mesh vendor IEs
  mac80211: Allocate a sync skcipher explicitly for FILS AEAD
  mac80211: Fix FILS AEAD protection in Association Request frame
  ip6_gre: fix ip6gre_err() invalid reads
  netlabel: out of bound access in cipso_v4_validate()
  ...
2017-02-07 12:10:57 -08:00
Hugh Dickins b6789123bc mm: fix KPF_SWAPCACHE in /proc/kpageflags
Commit 6326fec112 ("mm: Use owner_priv bit for PageSwapCache, valid
when PageSwapBacked") aliased PG_swapcache to PG_owner_priv_1 (and
depending on PageSwapBacked being true).

As a result, the KPF_SWAPCACHE bit in '/proc/kpageflags' should now be
synthesized, instead of being shown on unrelated pages which just happen
to have PG_owner_priv_1 set.

Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-07 12:08:32 -08:00
Xin Long 912964eacb sctp: check af before verify address in sctp_addr_id2transport
Commit 6f29a13061 ("sctp: sctp_addr_id2transport should verify the
addr before looking up assoc") invoked sctp_verify_addr to verify the
addr.

But it didn't check af variable beforehand, once users pass an address
with family = 0 through sockopt, sctp_get_af_specific will return NULL
and NULL pointer dereference will be caused by af->sockaddr_len.

This patch is to fix it by returning NULL if af variable is NULL.

Fixes: 6f29a13061 ("sctp: sctp_addr_id2transport should verify the addr before looking up assoc")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 14:07:23 -05:00
Alexey Kardashevskiy 930a42ded3 vfio/spapr_tce: Set window when adding additional groups to container
If a container already has a group attached, attaching a new group
should just program already created IOMMU tables to the hardware via
the iommu_table_group_ops::set_window() callback.

However commit 6f01cc692a ("vfio/spapr: Add a helper to create
default DMA window") did not just simplify the code but also removed
the set_window() calls in the case of attaching groups to a container
which already has tables so it broke VFIO PCI hotplug.

This reverts set_window() bits in tce_iommu_take_ownership_ddw().

Fixes: 6f01cc692a ("vfio/spapr: Add a helper to create default DMA window")
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Reviewed-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
2017-02-07 11:48:16 -07:00
Vineet Gupta a524c218bc ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
Reported-by: Jo-Philipp Wich <jo@mein.io>
Fixes: 9aed02feae ("ARC: [arcompact] handle unaligned access delay slot")
Cc: linux-kernel@vger.kernel.org
Cc: linux-snps-arc@lists.infradead.org
Cc: stable@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-02-07 10:02:01 -08:00
Marcelo Ricardo Leitner 2dcab59848 sctp: avoid BUG_ON on sctp_wait_for_sndbuf
Alexander Popov reported that an application may trigger a BUG_ON in
sctp_wait_for_sndbuf if the socket tx buffer is full, a thread is
waiting on it to queue more data and meanwhile another thread peels off
the association being used by the first thread.

This patch replaces the BUG_ON call with a proper error handling. It
will return -EPIPE to the original sendmsg call, similarly to what would
have been done if the association wasn't found in the first place.

Acked-by: Alexander Popov <alex.popov@linux.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 12:54:59 -05:00
Benjamin Poirier bd4ce941c8 mlx4: Invoke softirqs after napi_reschedule
mlx4 may schedule napi from a workqueue. Afterwards, softirqs are not run
in a deterministic time frame and the following message may be logged:
NOHZ: local_softirq_pending 08

The problem is the same as what was described in commit ec13ee8014
("virtio_net: invoke softirqs after __napi_schedule") and this patch
applies the same fix to mlx4.

Fixes: 07841f9d94 ("net/mlx4_en: Schedule napi when RX buffers allocation fails")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 12:50:43 -05:00
Eric Dumazet 69629464e0 udp: properly cope with csum errors
Dmitry reported that UDP sockets being destroyed would trigger the
WARN_ON(atomic_read(&sk->sk_rmem_alloc)); in inet_sock_destruct()

It turns out we do not properly destroy skb(s) that have wrong UDP
checksum.

Thanks again to syzkaller team.

Fixes : 7c13f97ffd ("udp: do fwd memory scheduling on dequeue")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 11:19:00 -05:00
David S. Miller 6a413e269b Merge branch 'net-Fix-on-stack-USB-buffers'
Ben Hutchings says:

====================
net: Fix on-stack USB buffers

Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).  This
series fixes all the instances I could find where USB networking
drivers do that.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 10:07:03 -05:00
Ben Hutchings 2d6a0e9de0 catc: Use heap buffer for memory size test
Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 10:07:02 -05:00
Ben Hutchings d41149145f catc: Combine failure cleanup code in catc_probe()
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 10:07:02 -05:00
Ben Hutchings 7926aff5c5 rtl8150: Use heap buffers for all register access
Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 10:07:02 -05:00
Ben Hutchings 5593523f96 pegasus: Use heap buffers for all register access
Allocating USB buffers on the stack is not portable, and no longer
works on x86_64 (with VMAP_STACK enabled as per default).

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
References: https://bugs.debian.org/852556
Reported-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Tested-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-07 10:07:01 -05:00
David S. Miller 432d4f8ab0 Merge branch 'read-vnet_hdr_sz-once'
Willem de Bruijn says:

====================
read vnet_hdr_sz once

Tuntap devices allow concurrent use and update of field vnet_hdr_sz.
Read the field once to avoid TOCTOU.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 22:41:27 -05:00
Willem de Bruijn 837585a537 macvtap: read vnet_hdr_size once
When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Macvtap functions read the value once, but unless READ_ONCE is used,
the compiler may ignore this and read multiple times. Enforce a single
read and locally cached value to avoid updates between test and use.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Suggested-by: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 22:41:27 -05:00
Willem de Bruijn e1edab87fa tun: read vnet_hdr_sz once
When IFF_VNET_HDR is enabled, a virtio_net header must precede data.
Data length is verified to be greater than or equal to expected header
length tun->vnet_hdr_sz before copying.

Read this value once and cache locally, as it can be updated between
the test and use (TOCTOU).

Signed-off-by: Willem de Bruijn <willemb@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
CC: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 22:41:27 -05:00
Eric Dumazet ccf7abb93a tcp: avoid infinite loop in tcp_splice_read()
Splicing from TCP socket is vulnerable when a packet with URG flag is
received and stored into receive queue.

__tcp_splice_read() returns 0, and sk_wait_data() immediately
returns since there is the problematic skb in queue.

This is a nice way to burn cpu (aka infinite loop) and trigger
soft lockups.

Again, this gem was found by syzkaller tool.

Fixes: 9c55e01c0c ("[TCP]: Splice receive support.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov  <dvyukov@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 22:38:55 -05:00
Linus Torvalds 8b1b41ee74 Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull libnvdimm fixes from Dan Williams:
 "None of these are showstoppers for 4.10 and could wait for 4.11 merge
  window, but they are low enough risk for this late in the cycle and
  the fixes have waiting users . They have received a build success
  notification from the 0day robot, pass the latest ndctl unit tests,
  and appeared in next:

   - Fix a crash that can result when SIGINT is sent to a process that
     is awaiting completion of an address range scrub command. We were
     not properly cleaning up the workqueue after
     wait_event_interruptible().

   - Fix a memory hotplug failure condition that results from not
     reserving enough space out of persistent memory for the memmap. By
     default we align to 2M allocations that the memory hotplug code
     assumes, but if the administrator specifies a non-default
     4K-alignment then we can fail to correctly size the reservation.

   - A one line fix to improve the predictability of libnvdimm block
     device names. A common operation is to reconfigure /dev/pmem0 into
     a different mode. For example, a reconfiguration might set a new
     mode that reserves some of the capacity for a struct page memmap
     array. It surprises users if the device name changes to
     "/dev/pmem0.1" after the mode change and then back to /dev/pmem0
     after a reboot.

   - Add 'const' to some function pointer tables"

* 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
  libnvdimm, pfn: fix memmap reservation size versus 4K alignment
  acpi, nfit: fix acpi_nfit_flush_probe() crash
  libnvdimm, namespace: do not delete namespace-id 0
  nvdimm: constify device_type structures
2017-02-06 19:36:04 -08:00
Linus Torvalds f7d6040aa4 Power management fixes for v4.10-rc8
- Add an intel_pstate driver quirk to work around a firmware setting
    that leads to frequency scaling issues on desktop Intel Kaby Lake
    processors in some configurations if the hardware-managed P-states
    (HWP) feature is in use (Srinivas Pandruvada).
 
  - Fix up the recently added brcmstb-avs cpufreq driver: fix a bug
    related to system suspend and change the sysfs interface to match
    the user space expectations (Markus Mayer).
 
  - Modify the runtime PM framework to avoid false-positive warnings
    from the might_sleep_if() assertions in it (Rafael Wysocki).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJYmIOoAAoJEILEb/54YlRx2XgP/AjkxDOBep8mnY3xHNMvx887
 BjWWGkuO3qZiX/xFhkhlBuxx8zLfg3ie7NJiSpn1Lj0192M9ggwn4RrM61V1SBX6
 QTOeP68uueIIA/SCt2dw9DdEpepzyvwSJpUTqRmZubZAAYjcVHN+FLgNa5QzUdMb
 X73zORAXsOu4SAguS4MP3yvPvFfdsOwSexllfsK9IAd+eb5RSZYnNyHuwW+S8EK5
 zVCE+cwJOYU4SFh0speGpvUh7wXtWdYM3CV6mzrkiQqfvS6q29xillrxKWaEIk7Z
 5Y6sReFl6i/zIuFQnx0nKPNM5DUhiOY80ha5uaZzde+vRRR7EM7n6LaIQVp672A7
 mq6d0YxsJD8Z9Gx9r66oID/pfEkviRvRc4ejm0Xb187QN9jZvBhY85WD22X5p3KR
 B0B/mhN1zN8ruaLvitqKwXtTntq4ahLtjfxtsyYoH56kh8J6C5KNlJ985/q2hhLD
 8W1ZAaXPy+vyfODsnxdzfnYvkOgeY/XIg9NQ++QGdhXNwDBb1QZP34zdNsIF/YXR
 8A+usM8BAq4r2dDROFfxtCkIVH6JsMkqWVbrUPkM9hdIL2jF3IpRS9bXKBvDICMc
 ZsbDm4ihz+XtjVG4GxmrB5SZ2C3qPYwbmLBiu1CwfY7L6lN8azF0RmRJ0s2fpvAG
 d4nxEZa5ysPKEZfU6PyE
 =2NdR
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These add a quirk to intel_pstate to work around a firmware setting
  that leads to frequency scaling issues (discovered recently) on some
  Intel Kaby Lake processors, fix up the recently added brcmstb-avs
  cpufreq driver and avoid false-positive warnings from the runtime PM
  framework triggered by recent changes in i915.

  Specifics:

   - Add an intel_pstate driver quirk to work around a firmware setting
     that leads to frequency scaling issues on desktop Intel Kaby Lake
     processors in some configurations if the hardware-managed P-states
     (HWP) feature is in use (Srinivas Pandruvada)

   - Fix up the recently added brcmstb-avs cpufreq driver: fix a bug
     related to system suspend and change the sysfs interface to match
     the user space expectations (Markus Mayer)

   - Modify the runtime PM framework to avoid false-positive warnings
     from the might_sleep_if() assertions in it (Rafael Wysocki)"

* tag 'pm-4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / runtime: Avoid false-positive warnings from might_sleep_if()
  cpufreq: intel_pstate: Disable energy efficiency optimization
  cpufreq: brcmstb-avs-cpufreq: properly retrieve P-state upon suspend
  cpufreq: brcmstb-avs-cpufreq: extend sysfs entry brcm_avs_pmap
2017-02-06 15:11:04 -08:00
Linus Torvalds 50dcb6cdb7 - A fix for a race in .request_fn request-based DM request handling vs
DM device destruction
 
 - An RCU fix for dm-crypt's kernel keyring support that was included in
   4.10-rc1
 
 - A -Wbool-operation warning fix for DM multipath
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJYlKLnAAoJEMUj8QotnQNaUOcH/3OgBjsRuFpNmrW3bzzcpLUQ
 XH6R2YAc1/14BU6rUYY7vLA905n7Jw3VyyJGgl2cJUqaDqA/Qj6uBmwfOve019Fl
 xTzi8rMAas05zqs9b5SrRAtSt2z6eZnbpm8df+QjrFQZjsDzsl2+PLxR+emp9YIQ
 wXLAU4Re35v/jPUccoNB0Be0LARIh0dSPQYWCYPomYqFHBoioHinGBOJpeq8HXFp
 U+JRXPcjrFxs4zjKq8aRE1XhN7lqLt7uZ4gi43sRCgieWXApoOfmo634IINyZtCf
 WIjS92qbFeyZfMk65q+GzfUYM9ZdAvzwXMlHnECYSd+jfbz89DhKv7YOuyCf1CU=
 =RSQc
 -----END PGP SIGNATURE-----

Merge tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - a fix for a race in .request_fn request-based DM request handling vs
   DM device destruction

 - an RCU fix for dm-crypt's kernel keyring support that was included in
   4.10-rc1

 - a -Wbool-operation warning fix for DM multipath

* tag 'dm-4.10-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm crypt: replace RCU read-side section with rwsem
  dm rq: cope with DM device destruction while in dm_old_request_fn()
  dm mpath: cleanup -Wbool-operation warning in choose_pgpath()
2017-02-06 14:42:34 -08:00
Linus Torvalds 72df5eba70 media fixes for v4.10-rc8
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJYmJDxAAoJEAhfPr2O5OEVFtkQAJHHkcc4H139Fdp0ThGLLLf/
 1VWAwQqWb/WmXMqIrE2fIQdEty8za8GvX6gQMsgeDS06GTlxtprnBeH/ZKlwrNR3
 akq/mwQPtJhOUe5uuAmgcGUOrIUIRfO0kmY6hZY+92MyxHbUbmSvpV6YHe81eWV1
 Emkwc4cMrir3RaCAsn2FgRnFRRpB58oi9TCe89LtLI4zzCMuTzEvEfG7O9u5WCcO
 SrhMv05M5XWIvEywoZsKcUW+vBZxZ6QvbG970MY5czW2WRs5GIoOnwskNYpo/bxy
 ttKmcgDXD63Wa2JPuEImLm8imyHhquJMKXCFrCRDvSWVw5p+xKDx5lX56cMhJYmr
 ZHG32Z7dsG2bfVLY5+L/B+4QhnBYqEehhgh/8oDhrR8POw+71L40aWCq5gC9cHp4
 fjNBRxII11i6AEqyMA2Dv+aSyeW3LSYBxV11h5F/Zef5fpa+WMgtHLjKKxRMOnzF
 lt81OC5yg3XWBRb4s/4xXghOOmMPFMPCo8LUbo3wB5wGNBtguBBXssZ2HIolrSCA
 /NAD01Eb29dRhtRXEqQYAhEuSiuob6ETdn+FktbtUeZl5ZUg7JfZ+A5MqTmH1l1u
 Ezl8I42BnkMuSc2gdkWh1eBJfrzNEytiW7EOZO4TMfi00PzlshwusQkXtRTUC5aC
 DG5W41QC2PolZnV8XcXs
 =nEM8
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "A few documentation fixes at CEC (with got promoted from staging for
  4.10), and one fix on its core."

* tag 'media/v4.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
  [media] cec: fix wrong last_la determination
  [media] cec-intro.rst: mention the v4l-utils package and CEC utilities
  [media] cec rst: remove "This API is not yet finalized" notice
2017-02-06 14:37:55 -08:00
Linus Torvalds 396bf4cd83 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:

 - use-after-free in algif_aead

 - modular aesni regression when pcbc is modular but absent

 - bug causing IO page faults in ccp

 - double list add in ccp

 - NULL pointer dereference in qat (two patches)

 - panic in chcr

 - NULL pointer dereference in chcr

 - out-of-bound access in chcr

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: chcr - Fix key length for RFC4106
  crypto: algif_aead - Fix kernel panic on list_del
  crypto: aesni - Fix failure when pcbc module is absent
  crypto: ccp - Fix double add when creating new DMA command
  crypto: ccp - Fix DMA operations when IOMMU is enabled
  crypto: chcr - Check device is allocated before use
  crypto: chcr - Fix panic on dma_unmap_sg
  crypto: qat - zero esram only for DH85x devices
  crypto: qat - fix bar discovery for c62x
2017-02-06 14:16:23 -08:00
Arnd Bergmann b3f2d07f46 hns: avoid stack overflow with CONFIG_KASAN
The use of ACCESS_ONCE() looks like a micro-optimization to force gcc to use
an indexed load for the register address, but it has an absolutely detrimental
effect on builds with gcc-5 and CONFIG_KASAN=y, leading to a very likely
kernel stack overflow aside from very complex object code:

hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_update_stats':
hisilicon/hns/hns_dsaf_gmac.c:419:1: error: the frame size of 2912 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_reset_common':
hisilicon/hns/hns_dsaf_ppe.c:390:1: error: the frame size of 1184 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_ppe.c: In function 'hns_ppe_get_regs':
hisilicon/hns/hns_dsaf_ppe.c:621:1: error: the frame size of 3632 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_common_regs':
hisilicon/hns/hns_dsaf_rcb.c:970:1: error: the frame size of 2784 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_gmac.c: In function 'hns_gmac_get_regs':
hisilicon/hns/hns_dsaf_gmac.c:641:1: error: the frame size of 5728 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_rcb.c: In function 'hns_rcb_get_ring_regs':
hisilicon/hns/hns_dsaf_rcb.c:1021:1: error: the frame size of 2208 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_comm_init':
hisilicon/hns/hns_dsaf_main.c:1209:1: error: the frame size of 1904 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_xgmac.c: In function 'hns_xgmac_get_regs':
hisilicon/hns/hns_dsaf_xgmac.c:748:1: error: the frame size of 4704 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_update_stats':
hisilicon/hns/hns_dsaf_main.c:2420:1: error: the frame size of 1088 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_regs':
hisilicon/hns/hns_dsaf_main.c:2753:1: error: the frame size of 10768 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]

This does not seem to happen any more with gcc-7, but removing the ACCESS_ONCE
seems safe anyway and it avoids a serious issue for some people. I have verified
that with gcc-5.3.1, the object code we get is better in the new version
both with and without CONFIG_KASAN, as we no longer allocate a 1344 byte
stack frame for hns_dsaf_get_regs() but otherwise have practically identical
object code.

With gcc-7.0.0, removing ACCESS_ONCE has no effect, the object code is already
good either way.

This patch is probably not urgent to get into 4.11 as only KASAN=y builds
with certain compilers are affected, but I still think it makes sense to
backport into older kernels.

Cc: stable@vger.kernel.org
Fixes: 511e6bc ("net: add Hisilicon Network Subsystem DSAF support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 12:02:32 -05:00
Linus Lüssing a088d1d73a ipv6: Fix IPv6 packet loss in scenarios involving roaming + snooping switches
When for instance a mobile Linux device roams from one access point to
another with both APs sharing the same broadcast domain and a
multicast snooping switch in between:

1)    (c) <~~~> (AP1) <--[SSW]--> (AP2)

2)              (AP1) <--[SSW]--> (AP2) <~~~> (c)

Then currently IPv6 multicast packets will get lost for (c) until an
MLD Querier sends its next query message. The packet loss occurs
because upon roaming the Linux host so far stayed silent regarding
MLD and the snooping switch will therefore be unaware of the
multicast topology change for a while.

This patch fixes this by always resending MLD reports when an interface
change happens, for instance from NO-CARRIER to CARRIER state.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 11:43:01 -05:00
Arnd Bergmann 5aff1d245e ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in
The symbols can no longer be used as loadable modules, leading to a harmless Kconfig
warning:

arch/arm/configs/imote2_defconfig:60:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
arch/arm/configs/imote2_defconfig:59:warning: symbol value 'm' invalid for NF_CT_PROTO_SCTP
arch/arm/configs/ezx_defconfig:68:warning: symbol value 'm' invalid for NF_CT_PROTO_UDPLITE
arch/arm/configs/ezx_defconfig:67:warning: symbol value 'm' invalid for NF_CT_PROTO_SCTP

Let's make them built-in.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2017-02-06 17:37:42 +01:00
Christoph Hellwig eeeefd4184 block: don't try Write Same from __blkdev_issue_zeroout
Write Same can return an error asynchronously if it turns out the
underlying SCSI device does not support Write Same, which makes a
proper fallback to other methods in __blkdev_issue_zeroout impossible.
Thus only issue a Write Same from blkdev_issue_zeroout an don't try it
at all from __blkdev_issue_zeroout as a non-invasive workaround.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reported-by: Junichi Nomura <j-nomura@ce.jp.nec.com>
Fixes: e73c23ff ("block: add async variant of blkdev_issue_zeroout")
Tested-by: Junichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-02-06 09:34:46 -07:00
Arnd Bergmann a47b3fca62 mvebu fixes for 4.10 (part 1)
More consistent naming for some orion5x based boards helping the
 switch to device tree for debian users.
 -----BEGIN PGP SIGNATURE-----
 
 iIEEABECAEEWIQQYqXDMF3cvSLY+g9cLBhiOFHI71QUCWJNvuSMcZ3JlZ29yeS5j
 bGVtZW50QGZyZWUtZWxlY3Ryb25zLmNvbQAKCRALBhiOFHI71bUAAJ9F2ae0LEvo
 4Fu44238w1Kr6hC6LQCeO16PL46cLMTZj2E/hOy/9eytbM0=
 =IcBG
 -----END PGP SIGNATURE-----

Merge tag 'mvebu-fixes-4.10-1' of git://git.infradead.org/linux-mvebu into fixes

Pull "mvebu fixes for 4.10 (part 1)" from Gregory CLEMENT:

More consistent naming for some orion5x based boards helping the
switch to device tree for debian users.

* tag 'mvebu-fixes-4.10-1' of git://git.infradead.org/linux-mvebu:
  ARM: orion5x: fix Makefile for linkstation-lschl.dtb
  ARM: dts: orion5x-lschl: More consistent naming on linkstation series
  ARM: dts: orion5x-lschl: Fix model name
2017-02-06 17:33:51 +01:00
Dinh Nguyen 08b3b33f3e MAINTAINERS: socfpga: update email for Dinh Nguyen
My opensource.altera.com email will be going away soon.

Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
2017-02-06 17:33:01 +01:00
David S. Miller 62f01db9cf wireless-drivers fixes for 4.10
Only one important fix for rtlwifi which fixes a regression introduced
 in 4.9 and which caused problems for many users.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJYmJChAAoJEG4XJFUm622b+GIIAJCOUqAC67Mk1/jTgyVlUHZc
 4uLocdhupiozZjBTh7z1lClY3EdT38AAkstcPRXIIQLcVMjkU4B9e5nLUQFv3R/u
 Bt7waNd5KixG+fX0iDPiuLj21SeMNYGtBNQ1PYSiiuuYaWXyAwplK4FW00KkUlqA
 i0V2DHt1BZD3psfhPcKAmx/8kAjCjg2jX1HxMoaLHpC4HUkDdNSd87ZjrEJWN37u
 eLihSdtw5+d8HMqHTmbgGXhiQKNRN9GRv7NMX+iUSSmu4oPwJtE5VLMU24VDeDwW
 3rgprba5p/ddz20iBtWAVRytOHdt5GtrnWCInI2jZk3QpjmM4hqEqoOhc9E47Dc=
 =0wO8
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2017-02-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 4.10

Only one important fix for rtlwifi which fixes a regression introduced
in 4.9 and which caused problems for many users.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 11:20:48 -05:00
David S. Miller 89389b4d55 A few simple fixes:
* fix FILS AEAD cipher usage to use the correct AAD vectors
    and to use synchronous algorithms
  * fix using mesh HT operation data from userspace
  * fix adding mesh vendor elements to beacons & plink frames
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJYmCBmAAoJEGt7eEactAAd5BAP/2oPaRDgJv0ByqoFPh0pzKqx
 RwoXOW9xqtp+wWFA8hPTe2niVtNpexwo4ZQ2I2hkjeomFfbw0gwklBFQQ0Vbq5b9
 6UtClEBHp/xW5vdvooBwMAcUBJQMM25wIFt2jwz9xRIUxjiOisZBIp7avLTtoQKC
 +hsNJOWOmyeJYLXdeJVaJM953dANCKdzL590JX3f6tbr8LPpszrg8TmVLJWklTYQ
 Cm2latv0GezxL/d+KcSWbNoX+X+d5D0gVZXHmp5UFWX6yT0FMkNmSURmkHEfuiuD
 z11befXgvXAr3l7cxE/TEtrNCh57pwDoPtJmBqJ9G68aURK8iVb4XB/ZEB8hEvHi
 EchMXompYU/xPiGVbkb/wOFXlBY+xc85uoEwkSL1CZs4eX6r6JawrHG7RUcTKFsv
 V2zAQU0pDO29OcprHbjD+rnjrG2qtZ/pDKO7X5+eIgHvEzwaqZY3yd1YmJK52d67
 J4slSS/jislTg+rbhFi8NrCONuRlp5rixjmHINUWCsilojrKeDh9thMYrVmXWZjT
 qjoOojMmiGH7ekhvSVDciRxoLgP9aIShuIvbub9uOPQAPXsVf3KHquSiY9JOpJI8
 PpY3hPWQS6j2r5Q2pZu/LM345r0rcj5At1BzCzGqcfKxRUH7rbFDQQ1D3Moehzho
 Gqrkv2/p4FAAGFG+4bJ6
 =ZzHl
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2017-02-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
A few simple fixes:
 * fix FILS AEAD cipher usage to use the correct AAD vectors
   and to use synchronous algorithms
 * fix using mesh HT operation data from userspace
 * fix adding mesh vendor elements to beacons & plink frames
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 10:55:08 -05:00
Eric Dumazet ebf6c9cb23 ipv6: tcp: add a missing tcp_v6_restore_cb()
Dmitry reported use-after-free in ip6_datagram_recv_specific_ctl()

A similar bug was fixed in commit 8ce48623f0 ("ipv6: tcp: restore
IP6CB for pktoptions skbs"), but I missed another spot.

tcp_v6_syn_recv_sock() can indeed set np->pktoptions from ireq->pktopts

Fixes: 971f10eca1 ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-06 10:52:45 -05:00
Rafael J. Wysocki cbf304e420 Merge branches 'pm-core-fixes' and 'pm-cpufreq-fixes'
* pm-core-fixes:
  PM / runtime: Avoid false-positive warnings from might_sleep_if()

* pm-cpufreq-fixes:
  cpufreq: intel_pstate: Disable energy efficiency optimization
  cpufreq: brcmstb-avs-cpufreq: properly retrieve P-state upon suspend
  cpufreq: brcmstb-avs-cpufreq: extend sysfs entry brcm_avs_pmap
2017-02-06 14:52:10 +01:00
Masashi Honma fd551bac47 nl80211: Fix mesh HT operation check
A previous change to fix checks for NL80211_MESHCONF_HT_OPMODE
missed setting the flag when replacing FILL_IN_MESH_PARAM_IF_SET
with checking codes. This results in dropping the received HT
operation value when called by nl80211_update_mesh_config(). Fix
this by setting the flag properly.

Fixes: 9757235f45 ("nl80211: correct checks for NL80211_MESHCONF_HT_OPMODE value")
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
[rewrite commit message to use Fixes: line]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-02-06 07:59:07 +01:00
Thorsten Horstmann da7061c82e mac80211: Fix adding of mesh vendor IEs
The function ieee80211_ie_split_vendor doesn't return 0 on errors. Instead
it returns any offset < ielen when WLAN_EID_VENDOR_SPECIFIC is found. The
return value in mesh_add_vendor_ies must therefore be checked against
ifmsh->ie_len and not 0. Otherwise all ifmsh->ie starting with
WLAN_EID_VENDOR_SPECIFIC will be rejected.

Fixes: 082ebb0c25 ("mac80211: fix mesh beacon format")
Signed-off-by: Thorsten Horstmann <thorsten@defutech.de>
Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
[sven@narfation.org: Add commit message]
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-02-06 07:55:44 +01:00