Once pm_runtime_set_active() gets called, the kernel assumes that given
device has already enabled runtime pm and will call pm_runtime_suspend()
without matching pm_runtime_resume(). In case of DRM FIMC IPP driver,
this will result in calling clk_disable() without respective call to
clk_enable(). This patch removes call to pm_runtime_set_active() to
ensure that pm_runtime_suspend/resume calls will match.
drm/exynos: gsc: fix wrong bitwise operation for swap detection
The bits for rotation are not used as exclusively. So GSC_IN_ROT_270 can
not be used for swap detection. The definition of it is same with
GSC_IN_ROT_MASK. It is enough to check GSC_IN_ROT_90 bit is set or not to
check whether width / height size swapping is needed.
Eric Dumazet [Mon, 10 Aug 2015 22:07:34 +0000 (15:07 -0700)]
inet: fix possible request socket leak
In commit b357a364c57c9 ("inet: fix possible panic in
reqsk_queue_unlink()"), I missed fact that tcp_check_req()
can return the listener socket in one case, and that we must
release the request socket refcount or we leak it.
Tested:
Following packetdrill test template shows the issue
+0 < S 0:0(0) win 2920 <mss 1460,sackOK,nop,nop>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK>
+.002 < . 1:1(0) ack 21 win 2920
+0 > R 21:21(0)
Fixes: b357a364c57c9 ("inet: fix possible panic in reqsk_queue_unlink()") Signed-off-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Eric Dumazet [Mon, 10 Aug 2015 16:09:13 +0000 (09:09 -0700)]
inet: fix races with reqsk timers
reqsk_queue_destroy() and reqsk_queue_unlink() should use
del_timer_sync() instead of del_timer() before calling reqsk_put(),
otherwise we could free a req still used by another cpu.
But before doing so, reqsk_queue_destroy() must release syn_wait_lock
spinlock or risk a dead lock, as reqsk_timer_handler() might
need to take this same spinlock from reqsk_queue_unlink() (called from
inet_csk_reqsk_queue_drop())
Fixes: fa76ce7328b2 ("inet: get rid of central tcp/dccp listener timer") Signed-off-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]>
The following patchset contains five Netfilter fixes for your net tree,
they are:
1) Silence a warning on falling back to vmalloc(). Since 88eab472ec21, we can
easily hit this warning message, that gets users confused. So let's get rid
of it.
2) Recently when porting the template object allocation on top of kmalloc to
fix the netns dependencies between x_tables and conntrack, the error
checks where left unchanged. Remove IS_ERR() and check for NULL instead.
Patch from Dan Carpenter.
3) Don't ignore gfp_flags in the new nf_ct_tmpl_alloc() function, from
Joe Stringer.
4) Fix a crash due to NULL pointer dereference in ip6t_SYNPROXY, patch from
Phil Sutter.
5) The sequence number of the Syn+ack that is sent from SYNPROXY to clients is
not adjusted through our NAT infrastructure, as a result the client may
ignore this TCP packet and TCP flow hangs until the client probes us. Also
from Phil Sutter.
====================
Linus Torvalds [Mon, 10 Aug 2015 22:16:48 +0000 (15:16 -0700)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:
- fix for bounds limit calculation in uclogic driver, by Dan Carpenter
- fix for use-after-free during device removal, by Krzysztof Kozlowski
- fix for userspace regression (that became apparent only with shiny
new libinput, so it's not that bad, but I still consider it 4.2
material), in wacom driver, by Jason Gerecke
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: wacom: Report correct device resolution when using the wireless adapater
HID: hid-input: Fix accessing freed memory during device disconnect
HID: uclogic: fix limit in uclogic_tablet_enable()
Jason Gerecke [Wed, 5 Aug 2015 22:44:53 +0000 (15:44 -0700)]
HID: wacom: Report correct device resolution when using the wireless adapater
The 'wacom_wireless_work' function does not recalculate the tablet's
resolution, causing the value contained in the 'features' struct to
always be reported to userspace. This value is valid only for the pen
interface, meaning that the value will be incorrect for the touchpad (if
present). This in particular causes problems for libinput which relies
on the reported resolution being correct.
This patch adds the necessary calls to recalculate the resolution for
each interface. This requires a little bit of code shuffling since both
the 'wacom_set_default_phy' and 'wacom_calculate_res' are declared below
their new first point of use in 'wacom_wireless_work'.
Yuval Mintz [Mon, 10 Aug 2015 09:49:36 +0000 (12:49 +0300)]
bnx2x: Free NVRAM lock at end of each page
Writing each 4Kb page into flash might take up-to ~100 miliseconds,
during which time management firmware cannot acces the nvram for its
own uses.
Firmware upgrade utility use the ethtool API to burn new flash images
for the device via the ethtool API, doing so by writing several page-worth
of data on each command. Such action might create problems for the
management firmware, as the nvram might not be accessible for a long time.
This patch changes the write implementation, releasing the nvram lock on
the completion of each page, allowing the management firmware time to
claim it and perform its own required actions.
Dan Carpenter [Sat, 8 Aug 2015 19:15:25 +0000 (22:15 +0300)]
cxgb4: missing curly braces in t4_setup_debugfs()
There were missing curly braces so it means we call add_debugfs_mem()
unintentionally.
Fixes: 3ccc6cf74d8c ('cxgb4: Adds support for T6 adapter') Signed-off-by: Dan Carpenter <[email protected]> Signed-off-by: David S. Miller <[email protected]>
After "62bccb8 net-timestamp: Make the clone operation stand-alone from phy
timestamping" the hwtstamps parameter of skb_complete_tx_timestamp() may no
longer be NULL.
It seems so far plausible that the recursive call into rtnetlink_rcv()
looks suspicious. One way, where this could trigger is that the senders
NETLINK_CB(skb).portid was wrongly 0 (which is rtnetlink socket), so
the rtnl_getlink() request's answer would be sent to the kernel instead
to the actual user process, thus grabbing rtnl_mutex() twice.
One theory would be that netlink_autobind() triggered via netlink_sendmsg()
internally overwrites the -EBUSY error to 0, but where it is wrongly
originating from __netlink_insert() instead. That would reset the
socket's portid to 0, which is then filled into NETLINK_CB(skb).portid
later on. As commit d470e3b483dc ("[NETLINK]: Fix two socket hashing bugs.")
also puts it, -EBUSY should not be propagated from netlink_insert().
It looks like it's very unlikely to reproduce. We need to trigger the
rhashtable_insert_rehash() handler under a situation where rehashing
currently occurs (one /rare/ way would be to hit ht->elasticity limits
while not filled enough to expand the hashtable, but that would rather
require a specifically crafted bind() sequence with knowledge about
destination slots, seems unlikely). It probably makes sense to guard
__netlink_insert() in any case and remap that error. It was suggested
that EOVERFLOW might be better than an already overloaded ENOMEM.
Ivan Vecera [Thu, 6 Aug 2015 20:48:23 +0000 (22:48 +0200)]
bna: fix interrupts storm caused by erroneous packets
The commit "e29aa33 bna: Enable Multi Buffer RX" moved packets counter
increment from the beginning of the NAPI processing loop after the check
for erroneous packets so they are never accounted. This counter is used
to inform firmware about number of processed completions (packets).
As these packets are never acked the firmware fires IRQs for them again
and again.
David S. Miller [Mon, 10 Aug 2015 17:57:01 +0000 (10:57 -0700)]
Merge branch 'mvpp2-fixes'
Marcin Wojtas says:
====================
Fixes for the network driver of Marvell Armada 375 SoC
This is a set of three patches that fix long-lasting problems implemented in
the initial support for the Armada 375 network controller.
Due to an inappropriate concept of handling the per-CPU sent packets'
processing on TX path the driver numerous problems occured, such as RCU
stalls. Those have been fixed, of which details you can find in the commit
logs. The patches were intensively tested on top of v4.2-rc5.
I'm looking forward to any comments or remarks.
====================
Marcin Wojtas [Thu, 6 Aug 2015 17:00:30 +0000 (19:00 +0200)]
net: mvpp2: replace TX coalescing interrupts with hrtimer
The PP2 controller is capable of per-CPU TX processing, which means there are
per-CPU banked register sets and queues. Current version of the driver supports
TX packet coalescing - once on given CPU sent packets amount reaches a threshold
value, an IRQ occurs. However, there is a single interrupt line responsible for
CPU0/1 TX and RX events (the latter is not per-CPU, the hardware does not
support RSS).
When the top-half executes the interrupt cause is not known. This is why in
NAPI poll function, along with RX processing, IRQ cause register on both
CPU's is accessed in order to determine on which of them the TX coalescing
threshold might have been reached. Thus the egress processing and releasing the
buffers is able to take place on the corresponding CPU. Hitherto approach lead
to an illegal usage of on_each_cpu function in softirq context.
The problem is solved by resigning from TX coalescing interrupts and separating
egress finalization from NAPI processing. For that purpose a method of using
hrtimer is introduced. In main transmit function (mvpp2_tx) buffers are released
once a software coalescing threshold is reached. In case not all the data is
processed a timer is set on this CPU - in its interrupt context a tasklet is
scheduled in which all queues are processed. At once only one timer per-CPU can
be running, which is controlled by a dedicated flag.
This commit removes TX processing from NAPI polling function, disables hardware
coalescing and enables hrtimer with tasklet, using new per-CPU port structure
(mvpp2_port_pcpu).
mvpp2 driver allows usage of per-CPU TX processing. Once the packets are
prepared independetly on each CPU, the hardware enqueues the descriptors in
common TX queue. After they are sent, the buffers and associated sk_buffs
should be released on the corresponding CPU.
This is why a special index is maintained in order to point to the right data to
be released after transmission takes place. Each per-CPU TX queue comprise an
array of sent sk_buffs, freed in mvpp2_txq_bufs_free function. However, the
index was used there also for obtaining a descriptor (and therefore a buffer to
be DMA-unmapped) from common TX queue, which was wrong, because it was not
referring to the current CPU.
This commit enables proper unmapping of sent data buffers by indexing them in
per-CPU queues using a dedicated array for keeping their physical addresses.
Marcin Wojtas [Thu, 6 Aug 2015 17:00:28 +0000 (19:00 +0200)]
net: mvpp2: remove excessive spinlocks from driver initialization
Using spinlocks protection during one-time driver initialization is not
necessary. Moreover it resulted in invalid GFP_KERNEL allocation under the lock.
This commit removes redundant spinlocks from buffer manager part of mvpp2
initialization.
Linus Torvalds [Mon, 10 Aug 2015 17:48:11 +0000 (10:48 -0700)]
Merge tag 'mfd-fixes-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd
Pull MFD fixes from Lee Jones:
- fix dependency issues on ChromeOS platforms
- fix runtime PM issues on Arizona
- fix IRQ/suspend race on Arizona
* tag 'mfd-fixes-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
mfd: Remove MFD_CROS_EC_SPI depends on OF
platform/chrome: Don't make CHROME_PLATFORMS depends on X86 || ARM
mfd: arizona: Fix initialisation of the PM runtime
mfd: arizona: Fix race between runtime suspend and IRQs
Linus Torvalds [Mon, 10 Aug 2015 17:38:42 +0000 (10:38 -0700)]
Merge tag 'ntb-4.2-rc7' of git://github.com/jonmason/ntb
Pull NTB bugfixes from Jon Mason:
"NTB bug fixes to address transport receive issues, stats, link
negotiation issues, and string formatting"
* tag 'ntb-4.2-rc7' of git://github.com/jonmason/ntb:
ntb: avoid format string in dev_set_name
NTB: Fix dereference before check
NTB: Fix zero size or integer overflow in ntb_set_mw
NTB: Schedule to receive on QP link up
NTB: Fix oops in debugfs when transport is half-up
NTB: ntb_netdev not covering all receive errors
NTB: Fix transport stats for multiple devices
NTB: Fix ntb_transport out-of-order RX update
This should help to fix the following issue in Docker:
https://github.com/opencontainers/runc/issues/133
In some conditions, a Docker container needs to be started twice in
order to work.
Herbert Xu [Fri, 7 Aug 2015 08:00:04 +0000 (16:00 +0800)]
crypto: authencesn - Fix breakage with new ESP code
The ESP code has been updated to generate a completely linear
AD SG list. This unfortunately broke authencesn which expects
the AD to be divided into at least three parts.
This patch fixes it to cope with the new format. Later we will
fix it properly to accept arbitrary input and not rely on the
input being linear as part of the AEAD conversion.
Fixes: 7021b2e1cddd ("esp4: Switch to new AEAD interface") Signed-off-by: Herbert Xu <[email protected]>
Since 906c55579a63 ("timekeeping: Copy the shadow-timekeeper over the
real timekeeper last") it has become possible on arm64 to:
- Obtain a CLOCK_MONOTONIC_COARSE or CLOCK_REALTIME_COARSE timestamp
via syscall.
- Subsequently obtain a timestamp for the same clock ID via VDSO which
predates the first timestamp (by one jiffy).
This is because arm64's update_vsyscall is deriving the coarse time
using the __current_kernel_time interface, when it should really be
using the timekeeper object provided to it by the timekeeping core.
It happened to work before only because __current_kernel_time would
access the same timekeeper object which had been passed to
update_vsyscall. This is no longer the case.
x86/xen: build "Xen PV" APIC driver for domU as well
It turns out that a PV domU also requires the "Xen PV" APIC
driver. Otherwise, the flat driver is used and we get stuck in busy
loops that never exit, such as in this stack trace:
(gdb) target remote localhost:9999
Remote debugging using localhost:9999
__xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
56 while (native_apic_mem_read(APIC_ICR) & APIC_ICR_BUSY)
(gdb) bt
#0 __xapic_wait_icr_idle () at ./arch/x86/include/asm/ipi.h:56
#1 __default_send_IPI_shortcut (shortcut=<optimized out>,
dest=<optimized out>, vector=<optimized out>) at
./arch/x86/include/asm/ipi.h:75
#2 apic_send_IPI_self (vector=246) at arch/x86/kernel/apic/probe_64.c:54
#3 0xffffffff81011336 in arch_irq_work_raise () at
arch/x86/kernel/irq_work.c:47
#4 0xffffffff8114990c in irq_work_queue (work=0xffff88000fc0e400) at
kernel/irq_work.c:100
#5 0xffffffff8110c29d in wake_up_klogd () at kernel/printk/printk.c:2633
#6 0xffffffff8110ca60 in vprintk_emit (facility=0, level=<optimized
out>, dict=0x0 <irq_stack_union>, dictlen=<optimized out>,
fmt=<optimized out>, args=<optimized out>)
at kernel/printk/printk.c:1778
#7 0xffffffff816010c8 in printk (fmt=<optimized out>) at
kernel/printk/printk.c:1868
#8 0xffffffffc00013ea in ?? ()
#9 0x0000000000000000 in ?? ()
A sun7i-a20-olinuxino-micro fails to boot when kernel parameter
vt.global_cursor_default=0. The value is copied to vc->vc_deccm
causing the initialization of ops->cur_blink_jiffies to be skipped.
Unconditionally initialize it.
In case videomode_from_timings() fails in function of_get_videomode(), the
allocated display timing data is not freed in the exit path. Make sure that
display_timings_release() is called in any case. Detected by Coverity CID 1309681.
Phil Sutter [Mon, 27 Jul 2015 22:53:26 +0000 (00:53 +0200)]
netfilter: SYNPROXY: fix sending window update to client
Upon receipt of SYNACK from the server, ipt_SYNPROXY first sends back an ACK to
finish the server handshake, then calls nf_ct_seqadj_init() to initiate
sequence number adjustment of forwarded packets to the client and finally sends
a window update to the client to unblock it's TX queue.
Since synproxy_send_client_ack() does not set synproxy_send_tcp()'s nfct
parameter, no sequence number adjustment happens and the client receives the
window update with incorrect sequence number. Depending on client TCP
implementation, this leads to a significant delay (until a window probe is
being sent).
[media] vb2: Fix compilation breakage when !CONFIG_BUG
Commit 77a3c6fd90c9 ("[media] vb2: Don't WARN when v4l2_buffer.bytesused
is 0 for multiplanar buffers") uses the __WARN() macro which isn't
defined when CONFIG_BUG isn't set. This introduces a compilation
breakage. Fix it by using WARN_ON() instead.
The commit was also broken in that it merged v1 of the patch while a new
v2 version had been submitted, reviewed and acked. Fix it by
incorporating the changes from v1 to v2.
Fixes: 77a3c6fd90c9 ("[media] vb2: Don't WARN when v4l2_buffer.bytesused is 0 for multiplanar buffers") Signed-off-by: Laurent Pinchart <[email protected]> Acked-by: Larry Finger <[email protected]> Signed-off-by: Hans Verkuil <[email protected]> Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Jyri Sarha [Fri, 7 Aug 2015 11:04:30 +0000 (14:04 +0300)]
OMAPDSS: Fix omap_dss_find_output_by_port_node() port refcount decrement
Fix omap_dss_find_output_by_port_node() port parameter refcount
decrementation. The only user of dss_of_port_get_parent_device()
function is omap_dss_find_output_by_port_node() and it assumes the
refcount of the port parameter is not decremented by the call.
fbdev: select versatile helpers for the integrator
Commit 11c32d7b6274cb0f554943d65bd4a126c4a86dcd
"video: move Versatile CLCD helpers" missed the fact
that the Integrator/CP is also using the helper, and
as a result the platform got only stubs and no graphics.
Add this as a default selection to Kconfig so we have
graphics again.
Dave Jiang [Mon, 13 Jul 2015 12:07:11 +0000 (08:07 -0400)]
NTB: Fix oops in debugfs when transport is half-up
When the remote side is not up, we do not have all the context for the
transport, and that causes NULL ptr access. Have the debugfs reads check
to see if transport is up before we make access.
Dave Jiang [Mon, 13 Jul 2015 12:07:09 +0000 (08:07 -0400)]
NTB: Fix transport stats for multiple devices
Currently the debugfs does not have files for all NTB transport queue
pairs. When there are multiple NTBs present in a system, the QP names
of the last transport clobber the names of previously added transport
QPs. Only the last added QPs can be observed via debugfs.
Create a directory per NTB transport to associate the QPs with that
transport. Name the directory the same as the PCI device.
Allen Hubbe [Mon, 13 Jul 2015 12:07:08 +0000 (08:07 -0400)]
NTB: Fix ntb_transport out-of-order RX update
It was possible for a synchronous update of the RX index in the error
case to get ahead of the asynchronous RX index update in the normal
case. Change the RX processing to preserve an RX completion order.
There were two error cases. First, if a buffer is not present to
receive data, there would be no queue entry to preserve the RX
completion order. Instead of dropping the RX frame, leave the RX frame
in the ring. Schedule RX processing when RX entries are enqueued, in
case there are RX frames waiting in the ring to be received.
Second, if a buffer is too small to receive data, drop the frame in the
ring, mark the RX entry as done, and indicate the error in the RX entry
length. Check for a negative length in the receive callback in
ntb_netdev, and count occurrences as rx_length_errors.
Linus Torvalds [Sun, 9 Aug 2015 07:38:42 +0000 (09:38 +0200)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input subsystem fixes from Dmitry Torokhov:
"Just small ALPS and Elan touchpads, and other driver fixups"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: elantech - add special check for fw_version 0x470f01 touchpad
Input: twl4030-vibra - fix ERROR: Bad of_node_put() warning
Input: alps - only Dell laptops have separate button bits for v2 dualpoint sticks
Input: axp20x-pek - add module alias
Input: turbografx - fix potential out of bound access
Linus Torvalds [Sun, 9 Aug 2015 02:59:21 +0000 (05:59 +0300)]
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Another round of MIPS fixes for 4.2. No area does particularly stand
out but we have a two unpleasant ones:
- Kernel ptes are marked with a global bit which allows the kernel to
share kernel TLB entries between all processes. For this to work
both entries of an adjacent even/odd pte pair need to have the
global bit set. There has been a subtle race in setting the other
entry's global bit since ~ 2000 but it take particularly
pathological workloads that essentially do mostly vmalloc/vfree to
trigger this.
This pull request fixes the 64-bit case but leaves the case of 32
bit CPUs with 64 bit ptes unsolved for now. The unfixed cases
affect hardware that is not available in the field yet.
- Instruction emulation requires loading instructions from user space
but the current fast but simplistic approach will fail on pages
that are PROT_EXEC but !PROT_READ. For this reason we temporarily
do not permit this permission and will map pages with PROT_EXEC |
PROT_READ.
The remainder of this pull request is more or less across the field
and the short log explains them well"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Make set_pte() SMP safe.
MIPS: Replace add and sub instructions in relocate_kernel.S with addiu
MIPS: Flush RPS on kernel entry with EVA
Revert "MIPS: BCM63xx: Provide a plat_post_dma_flush hook"
MIPS: BMIPS: Delete unused Kconfig symbol
MIPS: Export get_c0_perfcount_int()
MIPS: show_stack: Fix stack trace with EVA
MIPS: do_mcheck: Fix kernel code dump with EVA
MIPS: SMP: Don't increment irq_count multiple times for call function IPIs
MIPS: Partially disable RIXI support.
MIPS: Handle page faults of executable but unreadable pages correctly.
MIPS: Malta: Don't reinitialise RTC
MIPS: unaligned: Fix build error on big endian R6 kernels
MIPS: Fix sched_getaffinity with MT FPAFF enabled
MIPS: Fix build with CONFIG_OF=y for non OF-enabled targets
CPUFREQ: Loongson2: Fix broken build due to incorrect include.
Linus Torvalds [Sun, 9 Aug 2015 02:56:31 +0000 (05:56 +0300)]
Merge branch 'for-linus-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fix from Chris Mason:
"We have a btrfs quota regression fix.
I merged this one on Thursday and have run it through tests against
current master.
Normally I wouldn't have sent this while you were finalizing rc6, but
I'm feeding mosquitoes in the adirondacks next week, so I wanted to
get this one out before leaving. I'll leave longer tests running and
check on things during the week, but I don't expect any problems"
* 'for-linus-4.2' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
btrfs: qgroup: Fix a regression in qgroup reserved space.
Linus Torvalds [Sun, 9 Aug 2015 02:54:27 +0000 (05:54 +0300)]
Merge branch 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Pull thermal management fixes from Zhang Rui:
"Specifics:
- fix an error that "weight_attr" sysfs attribute is not removed
while unbinding. From: Viresh Kumar.
- fix power allocator governor tracing to return the real request.
From Javi Merino.
- remove redundant owner assignment of hisi platform thermal driver.
From Krzysztof Kozlowski.
- a couple of small fixes of Exynos thermal driver. From Krzysztof
Kozlowski and Chanwoo Choi"
* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
thermal: Drop owner assignment from platform_driver
thermal: exynos: Remove unused code related to platform_data on probe()
thermal: exynos: Add the dependency of CONFIG_THERMAL_OF instead of CONFIG_OF
thermal: exynos: Disable the regulator on probe failure
thermal: power_allocator: trace the real requested power
thermal: remove dangling 'weight_attr' device file
clockevents/drivers/sh_cmt: Only perform clocksource suspend/resume if enabled
Currently the sh_cmt clocksource timer is disabled or enabled
unconditionally on clocksource suspend resp. resume, even if a
better clocksource is present (e.g. arch_sys_counter) and the
sh_cmt clocksource is not enabled.
As sh_cmt is a syscore device when its timer is enabled, this
may lead to a genpd.prepared_count imbalance in the presence of
PM Domains, which may cause a lock-up during reboot after s2ram.
During suspend:
- pm_genpd_prepare() is called for all non-syscore devices (incl.
sh_cmt), increasing genpd.prepared_count for each device,
- clocksource.suspend() is called for all clocksource devices,
- sh_cmt_clocksource_suspend() calls sh_cmt_stop(), which is a no-op
as the clocksource was not enabled.
During resume:
- clocksource.resume() is called for all clocksource devices,
- sh_cmt_clocksource_resume() calls sh_cmt_start(), which enables the
clocksource timer, and turns sh_cmt into a syscore device,
- pm_genpd_complete() is called for all non-syscore devices (excl.
sh_cmt now!), decreasing genpd.prepared_count for each device but
sh_cmt.
Now genpd.prepared_count of the PM Domain containing sh_cmt is
still 1 instead of zero. On subsequent suspend/resume cycles,
sh_cmt is still a syscore device, hence it's skipped for
pm_genpd_{prepare,complete}(), keeping the imbalance of
genpd.prepared_count at 1.
During reboot:
- platform_drv_shutdown() is called for any platform device that has
a driver with a .shutdown() method (only rcar-dmac on R-Car Gen2),
- platform_drv_shutdown() calls dev_pm_domain_detach(), which
calls genpd_dev_pm_detach(),
- genpd_dev_pm_detach() keeps calling pm_genpd_remove_device() until
it doesn't return -EAGAIN[*],
- If the device is part of the same PM Domain as sh_cmt,
pm_genpd_remove_device() always fails with -EAGAIN due to
genpd.prepared_count > 0.
- Infinite loop in genpd_dev_pm_detach()[*].
[*] Commit 93af5e9354432828 ("PM / Domains: Avoid infinite loops in
attach/detach code") already limited the number of loop iterations,
avoiding the lock-up.
To fix this, only disable or enable the clocksource timer on
clocksource suspend resp. resume if the clocksource was enabled.
This was tested on r8a7791/koelsch with the CPG Clock Domain:
- using arch_sys_counter as the clocksource, which is the default, and
which showed the problem,
- using sh_cmt as a clocksource ("echo ffca0000.timer > \
/sys/devices/system/clocksource/clocksource0/current_clocksource"),
which behaves the same as before.
Linus Torvalds [Sat, 8 Aug 2015 01:38:00 +0000 (04:38 +0300)]
Merge tag 'arc-v4.2-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
Pull ARC fixes from Vineet Gupta:
"Here's a late pull request for accumulated ARC fixes which came out of
extended testing of the new ARCv2 port with LTP etc. llock/scond
livelock workaround has been reviewed by PeterZ. The changes look a
lot but I've crafted them into finer grained patches for better
tracking later.
I have some more fixes (ARC Futex backend) ready to go but those will
have to wait for tglx to return from vacation.
Summary:
- Enable a reduced config of HS38 (w/o div-rem, ll64...)
- Add software workaround for LLOCK/SCOND livelock
- Fallout of a recent pt_regs update"
* tag 'arc-v4.2-rc6-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARCv2: spinlock/rwlock/atomics: reduce 1 instruction in exponential backoff
ARC: Make pt_regs regs unsigned
ARCv2: spinlock/rwlock: Reset retry delay when starting a new spin-wait cycle
ARCv2: spinlock/rwlock/atomics: Delayed retry of failed SCOND with exponential backoff
ARC: LLOCK/SCOND based rwlock
ARC: LLOCK/SCOND based spin_lock
ARC: refactor atomic inline asm operands with symbolic names
Revert "ARCv2: STAR 9000837815 workaround hardware exclusive transactions livelock"
ARCv2: [axs103_smp] Reduce clk for Quad FPGA configs
ARCv2: Fix the peripheral address space detection
ARCv2: allow selection of page size for MMUv4
ARCv2: lib: memset: Don't assume 64-bit load/stores
ARCv2: lib: memcpy: Missing PREFETCHW
ARCv2: add knob for DIV_REV in Kconfig
ARC/time: Migrate to new 'set-state' interface
Linus Torvalds [Sat, 8 Aug 2015 01:36:40 +0000 (04:36 +0300)]
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Pull virtio fix from Michael Tsirkin:
"A last minute fix for the new virtio input driver. It seems pretty
obvious, and the problem it's fixing would be quite hard to debug"
* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
virtio-input: reset device and detach unused during remove
Linus Torvalds [Sat, 8 Aug 2015 01:35:14 +0000 (04:35 +0300)]
Merge tag 'dm-4.2-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mike Snitzer:
- stable fix for a dm_merge_bvec() regression on 32 bit Fedora systems.
- fix for a 4.2 DM thinp discard regression due to inability to
properly delete a range of blocks in a data mapping btree.
* tag 'dm-4.2-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm btree remove: fix bug in remove_one()
dm: fix dm_merge_bvec regression on 32 bit systems
Linus Torvalds [Sat, 8 Aug 2015 01:33:35 +0000 (04:33 +0300)]
Merge tag 'sound-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"The only bulk changes in this request is ABI updates for ASoC topology
API. It's a new API that was introduced in 4.2, and we'd like to
avoid ABI change after the release, so it's taken now. As there is no
real in-tree user for this API, it should be fairly safe.
Other than that, the usual small fixes are found in various drivers:
ASoC cs4265, rt5645, intel-sst, firewire, oxygen and HD-audio"
* tag 'sound-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ASoC: topology: Add private data type and bump ABI version to 3
ASoC: topology: Add ops support to byte controls UAPI
ASoC: topology: Update TLV support so we can support more TLV types
ASoC: topology: add private data to manifest
ASoC: topology: Add subsequence in topology
ALSA: hda - one Dell machine needs the headphone white noise fixup
ALSA: fireworks/firewire-lib: add support for recent firmware quirk
Revert "ALSA: fireworks: add support for AudioFire2 quirk"
ASoC: topology: fix typo in soc_tplg_kcontrol_bind_io()
ALSA: HDA: Dont check return for snd_hdac_chip_readl
ALSA: HDA: Fix stream assignment for host in decoupled mode
ASoC: rt5645: Fix lost pin setting for DMIC1
ALSA: oxygen: Fix logical-not-parentheses warning
ASoC: Intel: sst_byt: fix initialize 'NULL device *' issue
ASoC: Intel: haswell: fix initialize 'NULL device *' issue
ASoC: cs4265: Fix setting dai format for Left/Right Justified
Linus Torvalds [Sat, 8 Aug 2015 01:30:37 +0000 (04:30 +0300)]
Merge tag 'hwmon-for-linus-v4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging
Pull hwmon fixes from Guenter Roeck:
- Export module alias information in g762 and nct7904 to support
auto-loading.
- Blacklist Dell Studio XPS 8100 in dell-smm to fix fan control
problems.
* tag 'hwmon-for-linus-v4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
hwmon: (g762) Export OF module alias information
hwmon: (nct7904) Export I2C module alias information
hwmon: (dell-smm) Blacklist Dell Studio XPS 8100
Linus Torvalds [Sat, 8 Aug 2015 01:27:51 +0000 (04:27 +0300)]
Merge tag 'usb-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some USB and PHY fixes for 4.2-rc6 that resolve some reported
issues.
All of these have been in the linux-next tree for a while, full
details on the patches are in the shortlog below"
* tag 'usb-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
ARM: dts: dra7: Add syscon-pllreset syscon to SATA PHY
drivers/usb: Delete XHCI command timer if necessary
xhci: fix off by one error in TRB DMA address boundary check
usb: udc: core: add device_del() call to error pathway
phy: ti-pipe3: i783 workaround for SATA lockup after dpll unlock/relock
phy-sun4i-usb: Add missing EXPORT_SYMBOL_GPL for sun4i_usb_phy_set_squelch_detect
USB: sierra: add 1199:68AB device ID
usb: gadget: f_printer: actually limit the number of instances
usb: gadget: f_hid: actually limit the number of instances
usb: gadget: f_uac2: fix calculation of uac2->p_interval
usb: gadget: bdc: fix a driver crash on disconnect
usb: chipidea: ehci_init_driver is intended to call one time
USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
Linus Torvalds [Sat, 8 Aug 2015 01:26:31 +0000 (04:26 +0300)]
Merge tag 'staging-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver fixes from Greg KH:
"Here are three bugfixes for some staging driver issues that have been
reported. All have been in the linux-next tree for a while"
* tag 'staging-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: lustre: Include unaligned.h instead of access_ok.h
staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
staging: comedi: das1800: add missing break in switch
Linus Torvalds [Sat, 8 Aug 2015 01:25:10 +0000 (04:25 +0300)]
Merge tag 'char-misc-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc
Pull char/misc fixes from Greg KH:
"Here are some extcon fixes for 4.2-rc6 that resolve some reported
problems.
All have been in linux-next for a while"
* tag 'char-misc-4.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
extcon: Fix extcon_cable_get_state() from getting old state after notification
extcon: Fix hang and extcon_get/set_cable_state().
extcon: palmas: Fix NULL pointer error
Linus Torvalds [Sat, 8 Aug 2015 01:18:14 +0000 (04:18 +0300)]
Merge tag 'drm-intel-fixes-2015-08-07' of git://anongit.freedesktop.org/drm-intel
Pull drm fixes from Daniel Vetter:
"One i915 regression fix and a drm core one since Dave's not around,
both introduced in 4.2 so not cc: stable.
The fix for the warning Ted reported isn't in here yet since he didn't
yet supply a tested-by and I can't repro this one myself (it's in
fixup code that needs firmware doing something i915 wouldn't do)"
* tag 'drm-intel-fixes-2015-08-07' of git://anongit.freedesktop.org/drm-intel:
drm/vblank: Use u32 consistently for vblank counters
drm/i915: Allow parsing of variable size child device entries from VBT
Robert Jarzmik [Tue, 4 Aug 2015 06:21:33 +0000 (08:21 +0200)]
clk: pxa: pxa3xx: fix CKEN register access
Clocks 0 to 31 are on CKENA, and not CKENB. The clock register names
were inadequately inverted. As a consequence, all clock operations were
happening on CKENB, because almost all but 2 clocks are on CKENA.
As the clocks were activated by the bootloader in the former tests, it
escaped the testing that the wrong clock gate was manipulated. The error
was revealed by changing the pxa3xx-nand driver to a module, where upon
unloading, the wrong clock was disabled in CKENB.
Fixes: 9bbb8a338fb2 ("clk: pxa: add pxa3xx clock driver") Signed-off-by: Robert Jarzmik <[email protected]> Signed-off-by: Stephen Boyd <[email protected]>
Carol L Soto [Wed, 5 Aug 2015 16:05:32 +0000 (11:05 -0500)]
net/mlx5_core: Set log_uar_page_sz for non 4K page size architecture
failed to configure the page size for architectures with page size
different than 4K.
Fixes: 938fe83 ("net/mlx5_core: New device capabilities handling") Signed-off-by: Carol L Soto <[email protected]> Acked-by: Amir Vadai <[email protected]> Signed-off-by: David S. Miller <[email protected]>
David S. Miller [Fri, 7 Aug 2015 22:51:10 +0000 (15:51 -0700)]
Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge
Antonio Quartulli says:
====================
Included changes:
- prevent DAT from replying on behalf of local clients and confuse L2
bridges
- fix crash on double list removal of TT objects (tt_local_entry)
- fix crash due to missing NULL checks
- initialize bw values for new GWs objects to prevent memory leak
====================
Drew Richardson [Thu, 6 Aug 2015 17:50:27 +0000 (18:50 +0100)]
ARM: 8409/1: Mark ret_fast_syscall as a function
ret_fast_syscall runs when user space makes a syscall. However it
needs to be marked as such so the ELF information is correct. Before
it was:
101: 8000f300 0 NOTYPE LOCAL DEFAULT 2 ret_fast_syscall
But with this change it correctly shows as:
101: 8000f300 96 FUNC LOCAL DEFAULT 2 ret_fast_syscall
I see this function when using perf to unwind call stacks from kernel
space to user space. Without this change I would need to add some
special case logic when using the vmlinux ELF information.
Gregory CLEMENT [Thu, 6 Aug 2015 14:07:04 +0000 (15:07 +0100)]
ARM: 8408/1: Fix the secondary_startup function in Big Endian case
Since the commit "b2c3e38a5471 ARM: redo TTBR setup code for LPAE",
the setup code had been reworked. As a result the secondary CPUs
failed to come online in Big Endian.
As explained by Russell, the new code expected the value in r4/r5 to
be the least significant 32bits in r4 and the most significant 32bits
in r5. However, in the secondary code, we load this using ldrd, which
on BE reverses that.
This patch swap r4/r5 after the ldrd. It is done using the xor
instructions in order to not use a temporary register.
David S. Miller [Fri, 7 Aug 2015 18:53:06 +0000 (11:53 -0700)]
Merge branch 'be2net-fixes'
Sathya Perla says:
====================
be2net: patch set
This patch set contains 2 driver fixes to a Lancer HW issue and a fix
to a double free bug. Pls apply to the "net" tree. Thanks!
Patch 1 now enables filters only after creating RXQs. This is done as
HW issues were observed on Lancer adapters if filters
(flags, mac addrs etc) are enabled *before* creating RXQs. This patch
changes the driver design by enabling filters in be_open() --
instead of be_setup() -- after RXQs are created and buffers posted.
Patch 2 fixes an RX stall issue that was seen on Lancer adapters when
RXQs are destroyed while they are in an "out of buffer" state.
This patch fixes this issue by posting 64 buffers to each RXQ before
destroying them in the close path. This is done after ensuring that no
more new packets are selected for transfer to the RXQs by disabling
interface filters.
Patch 3 protects eqo->affinity_mask variable from being freed twice and
resulting in a crash. It's now freed only when EQs haven't yet been
destroyed.
====================
Kalesh AP [Wed, 5 Aug 2015 07:27:50 +0000 (03:27 -0400)]
be2net: protect eqo->affinity_mask from getting freed twice
There are paths in the driver such as an unrecoverable error (UE) detection
followed by a driver unload wherein be_clear() is invoked twice.
Individual data structures are reset so that they are not cleaned/freed
twice. This patch does the same for eqo->affinity_mask. It is freed only
if EQs haven't yet been destroyed. This fixes a possible crash when
affinity_mask is freed twice.
Kalesh AP [Wed, 5 Aug 2015 07:27:49 +0000 (03:27 -0400)]
be2net: post buffers before destroying RXQs in Lancer
An RX stall issue was seen on Lancer adapters, when RXQs are destroyed
while they are in an "out of buffer" state. This patch fixes this issue
by posting 64 buffers to each RXQ before destroying them in the close path.
This is done after ensuring that no more new packets are selected for
transfer to the RXQs by disabling interface filters.
Kalesh AP [Wed, 5 Aug 2015 07:27:48 +0000 (03:27 -0400)]
be2net: enable IFACE filters only after creating RXQs
HW issues were observed on Lancer adapters if IFACE filters
(flags, mac addrs etc) are enabled *before* creating RXQs. This patch
changes the driver design by enabling filters in be_open() --
instead of be_setup() -- after RXQs are created and buffers posted.
Two new wrapper functions, be_enable_if_filters() and
be_disable_if_filters() are introduced to enable/disable IFACE filters in
be_open()/be_close() respectively. In be_setup() the IFACE is now created
only with the RSS flag.
Joe Thornber [Fri, 7 Aug 2015 15:33:01 +0000 (16:33 +0100)]
dm btree remove: fix bug in remove_one()
remove_one() was not incrementing the key for the beginning of the
range, so not all entries were being removed. This resulted in
discards that were not unmapping all blocks.
Fixes: 4ec331c3ea ("dm btree: add dm_btree_remove_leaves()") Signed-off-by: Joe Thornber <[email protected]> Signed-off-by: Mike Snitzer <[email protected]>
drm/vblank: Fixup and document timestamp update/read barriers
I've switched vblank->count from atomic_t to unsigned long and
accidentally created an integer comparison bug in
drm_vblank_count_and_time since vblanke->count might overflow the u32
local copy and hence the retry loop never succeed.
Takashi Iwai [Fri, 7 Aug 2015 11:53:41 +0000 (13:53 +0200)]
Merge tag 'asoc-fix-v4.2-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.2
There are a couple of small driver specific fixes here but the
overwhelming bulk of these changes are fixes to the topology ABI that
has been newly introduced in v4.2. Once this makes it into a release we
will have to firm this up but for now getting enhancements in before
they've made it into a release is the most expedient thing.
Haozhong Zhang [Fri, 7 Aug 2015 03:24:32 +0000 (11:24 +0800)]
KVM: x86: Use adjustment in guest cycles when handling MSR_IA32_TSC_ADJUST
When kvm_set_msr_common() handles a guest's write to
MSR_IA32_TSC_ADJUST, it will calcuate an adjustment based on the data
written by guest and then use it to adjust TSC offset by calling a
call-back adjust_tsc_offset(). The 3rd parameter of adjust_tsc_offset()
indicates whether the adjustment is in host TSC cycles or in guest TSC
cycles. If SVM TSC scaling is enabled, adjust_tsc_offset()
[i.e. svm_adjust_tsc_offset()] will first scale the adjustment;
otherwise, it will just use the unscaled one. As the MSR write here
comes from the guest, the adjustment is in guest TSC cycles. However,
the current kvm_set_msr_common() uses it as a value in host TSC
cycles (by using true as the 3rd parameter of adjust_tsc_offset()),
which can result in an incorrect adjustment of TSC offset if SVM TSC
scaling is enabled. This patch fixes this problem.
Paolo Bonzini [Fri, 7 Aug 2015 10:27:54 +0000 (12:27 +0200)]
KVM: x86: zero IDT limit on entry to SMM
The recent BlackHat 2015 presentation "The Memory Sinkhole"
mentions that the IDT limit is zeroed on entry to SMM.
This is not documented, and must have changed some time after 2010
(see http://www.ssi.gouv.fr/uploads/IMG/pdf/IT_Defense_2010_final.pdf).
KVM was not doing it, but the fix is easy.
The NSS_COMMON_CLK_SRC_CTRL_OFFSET macro is used once as an offset, and
once as a mask, which is a bug indeed. We'll fix it by defining the
offset as the real offset value and computing the mask from it when
required.
Prior to this patch, rx buffer size for each rx queue
of an interface is configurable through dts bindings.
But for an interface, the first rx queue's rx buffer
size is always the usual MTU size (plus usual overhead)
and page size for the remaining rx queues (if they are
enabled by specifying a non-zero rx queue depth dts
binding of the corresponding interface). This patch
removes the rx buffer size configuration capability.
Ian Campbell [Tue, 4 Aug 2015 19:25:55 +0000 (20:25 +0100)]
net: thunderx: remove effective "default y" from Kconfig if ARCH_THUNDER=y
As well as for kernels built only for ThunderX ARCH_THUNDERX is also enabled
for kernels which support multiple platforms (such as distro kernels). Thus
"default ARCH_THUNDER" is inappropriate.
I believe default m is equally frowned upon, so remove the line completely
rather than "default m if ARCH_THUNDER".
Ivan Vecera [Tue, 4 Aug 2015 20:11:43 +0000 (22:11 +0200)]
r8169: enforce RX_MULTI_EN on rtl8168ep/8111ep chips
Enforcing this flag in RxConfig for the mentioned chips fixes netdev
watchdog issues prepended with AMD IOMMU message(s) like:
AMD-Vi: Event logged [IO_PAGE_FAULT device=01:00.0 domain=0x001d address=0x0000000000003000 flags=0x0050]
Note that this flag is also set in Realtek's own driver for these chips.
bridge: netlink: account for the IFLA_BRPORT_PROXYARP_WIFI attribute size and policy
The attribute size wasn't accounted for in the get_slave_size() callback
(br_port_get_slave_size) when it was introduced, so fix it now. Also add
a policy entry for it in br_port_policy.
Signed-off-by: Nikolay Aleksandrov <[email protected]> Fixes: 842a9ae08a25 ("bridge: Extend Proxy ARP design to allow optional rules for Wi-Fi") Signed-off-by: David S. Miller <[email protected]>
bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy
The attribute size wasn't accounted for in the get_slave_size() callback
(br_port_get_slave_size) when it was introduced, so fix it now. Also add
a policy entry for it in br_port_policy.
Signed-off-by: Nikolay Aleksandrov <[email protected]> Fixes: 958501163ddd ("bridge: Add support for IEEE 802.11 Proxy ARP") Signed-off-by: David S. Miller <[email protected]>
David S. Miller [Fri, 7 Aug 2015 06:53:34 +0000 (23:53 -0700)]
Merge tag 'wireless-drivers-for-davem-2015-08-04' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
iwlwifi:
* a fix for the stuck TFD queue mechanism - it was producing
noisy false alarms
* a fix for the NIC prepare flow that prevented the driver
from being able to access the device on certain systems
* a fix for the scan prority handling which allows the
regular scan to run even if a scheduled scan is already
running
rsi:
* fix firmware load DMA regression
b43:
* fix extpa_gain check for 2GHz
rtlwifi:
* fix NULL dereference when PCI driver used as an AP
* add missing module parameter declaration for rtl8723be_mod_params.msi_support
====================
Oleg Nesterov [Tue, 4 Aug 2015 16:33:34 +0000 (18:33 +0200)]
net: pktgen: don't abuse current->state in pktgen_thread_worker()
Commit 1fbe4b46caca "net: pktgen: kill the Wait for kthread_stop
code in pktgen_thread_worker()" removed (in particular) the final
__set_current_state(TASK_RUNNING) and I didn't notice the previous
set_current_state(TASK_INTERRUPTIBLE). This triggers the warning
in __might_sleep() after return.
Afaics, we can simply remove both set_current_state()'s, and we
could do this a long ago right after ef87979c273a2 "pktgen: better
scheduler friendliness" which changed pktgen_thread_worker() to
use wait_event_interruptible_timeout().
Ross Lagerwall [Tue, 4 Aug 2015 14:40:59 +0000 (15:40 +0100)]
xen/netback: Wake dealloc thread after completing zerocopy work
Waking the dealloc thread before decrementing inflight_packets is racy
because it means the thread may go to sleep before inflight_packets is
decremented. If kthread_stop() has already been called, the dealloc
thread may wait forever with nothing to wake it. Instead, wake the
thread only after decrementing inflight_packets.
Herbert Xu [Tue, 4 Aug 2015 07:42:47 +0000 (15:42 +0800)]
net: Fix skb_set_peeked use-after-free bug
The commit 738ac1ebb96d02e0d23bc320302a6ea94c612dec ("net: Clone
skb before setting peeked flag") introduced a use-after-free bug
in skb_recv_datagram. This is because skb_set_peeked may create
a new skb and free the existing one. As it stands the caller will
continue to use the old freed skb.
This patch fixes it by making skb_set_peeked return the new skb
(or the old one if unchanged).
Linus Torvalds [Fri, 7 Aug 2015 02:20:40 +0000 (05:20 +0300)]
Merge branch 'akpm' (patches from Andrew)
Merge fixes from Andrew Morton:
"21 fixes"
* emailed patches from Andrew Morton <[email protected]>: (21 commits)
writeback: fix initial dirty limit
mm/memory-failure: set PageHWPoison before migrate_pages()
mm: check __PG_HWPOISON separately from PAGE_FLAGS_CHECK_AT_*
mm/memory-failure: give up error handling for non-tail-refcounted thp
mm/memory-failure: fix race in counting num_poisoned_pages
mm/memory-failure: unlock_page before put_page
ipc: use private shmem or hugetlbfs inodes for shm segments.
mm: initialize hotplugged pages as reserved
ocfs2: fix shift left overflow
kthread: export kthread functions
fsnotify: fix oops in fsnotify_clear_marks_by_group_flags()
lib/iommu-common.c: do not use 0xffffffffffffffffl for computing align_mask
mm/slub: allow merging when SLAB_DEBUG_FREE is set
signalfd: fix information leak in signalfd_copyinfo
signal: fix information leak in copy_siginfo_to_user
signal: fix information leak in copy_siginfo_from_user32
ocfs2: fix BUG in ocfs2_downconvert_thread_do_work()
fs, file table: reinit files_stat.max_files after deferred memory initialisation
mm, meminit: replace rwsem with completion
mm, meminit: allow early_pfn_to_nid to be used during runtime
...
David S. Miller [Fri, 7 Aug 2015 02:13:25 +0000 (19:13 -0700)]
sparc64: Fix userspace FPU register corruptions.
If we have a series of events from userpsace, with %fprs=FPRS_FEF,
like follows:
ETRAP
ETRAP
VIS_ENTRY(fprs=0x4)
VIS_EXIT
RTRAP (kernel FPU restore with fpu_saved=0x4)
RTRAP
We will not restore the user registers that were clobbered by the FPU
using kernel code in the inner-most trap.
Traps allocate FPU save slots in the thread struct, and FPU using
sequences save the "dirty" FPU registers only.
This works at the initial trap level because all of the registers
get recorded into the top-level FPU save area, and we'll return
to userspace with the FPU disabled so that any FPU use by the user
will take an FPU disabled trap wherein we'll load the registers
back up properly.
But this is not how trap returns from kernel to kernel operate.
The simplest fix for this bug is to always save all FPU register state
for anything other than the top-most FPU save area.
Getting rid of the optimized inner-slot FPU saving code ends up
making VISEntryHalf degenerate into plain VISEntry.
Longer term we need to do something smarter to reinstate the partial
save optimizations. Perhaps the fundament error is having trap entry
and exit allocate FPU save slots and restore register state. Instead,
the VISEntry et al. calls should be doing that work.
Lucas Stach [Mon, 3 Aug 2015 15:50:11 +0000 (17:50 +0200)]
net: fec: fix initial runtime PM refcount
The clocks are initially active and thus the device is marked active.
This still keeps the PM refcount at 0, the pm_runtime_put_autosuspend()
call at the end of probe then leaves us with an invalid refcount of -1,
which in turn leads to the device staying in suspended state even though
netdev open had been called.
Fix this by initializing the refcount to be coherent with the initial
device status.
Fixes: 8fff755e9f8 (net: fec: Ensure clocks are enabled while using mdio bus)
Linus Torvalds [Fri, 7 Aug 2015 01:51:14 +0000 (04:51 +0300)]
Merge branch 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux
Pull amdgpu fixes from Alex Deucher:
"Just a few amdgpu fixes to make sure we report the proper firmware
information and number of render buffers to userspace and a typo in a
debugging function"
[ Pulling directly from Alex since Dave Airlie is on vacation - Linus ]
* 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu: set fw_version and feature_version for smu fw loading
drm/amdgpu: add feature version for SDMA ucode
drm/amdgpu: add feature version for RLC and MEC v2
drm/amdgpu: increment queue when iterating on this variable.
drm/amdgpu: fix rb setting for CZ
Linus Torvalds [Fri, 7 Aug 2015 01:48:46 +0000 (04:48 +0300)]
Merge branch 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull TDA998x i2c driver fixes from Russell King:
"This fixes the double-checksumming of the AVI infoframe which was
resulting in the checksum always being zero. It went unnoticed as
none of my HDMI devices had a problem with this"
[ Pulling directly from rmk since Dave Airlie is on vacation - Linus ]
* 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
drm/i2c: tda998x: fix bad checksum of the HDMI AVI infoframe
Naoya Horiguchi [Thu, 6 Aug 2015 22:47:11 +0000 (15:47 -0700)]
mm/memory-failure: set PageHWPoison before migrate_pages()
Now page freeing code doesn't consider PageHWPoison as a bad page, so by
setting it before completing the page containment, we can prevent the
error page from being reused just after successful page migration.
I added TTU_IGNORE_HWPOISON for try_to_unmap() to make sure that the
page table entry is transformed into migration entry, not to hwpoison
entry.
projects / linux.git / log