1. 12 May, 2016 10 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · a2ccb68b
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "4 fixes"
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm: thp: calculate the mapcount correctly for THP pages during WP faults
        ksm: fix conflict between mmput and scan_get_next_rmap_item
        ocfs2: fix posix_acl_create deadlock
        ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
    • Andrea Arcangeli's avatar
      mm: thp: calculate the mapcount correctly for THP pages during WP faults · 6d0a07ed
      Andrea Arcangeli authored
      This will provide fully accuracy to the mapcount calculation in the
      write protect faults, so page pinning will not get broken by false
      positive copy-on-writes.
      total_mapcount() isn't the right calculation needed in
      reuse_swap_page(), so this introduces a page_trans_huge_mapcount()
      that is effectively the full accurate return value for page_mapcount()
      if dealing with Transparent Hugepages, however we only use the
      page_trans_huge_mapcount() during COW faults where it strictly needed,
      due to its higher runtime cost.
      This also provide at practical zero cost the total_mapcount
      information which is needed to know if we can still relocate the page
      anon_vma to the local vma. If page_trans_huge_mapcount() returns 1 we
      can reuse the page no matter if it's a pte or a pmd_trans_huge
      triggering the fault, but we can only relocate the page anon_vma to
      the local vma->anon_vma if we're sure it's only this "vma" mapping the
      whole THP physical range.
      Kirill A. Shutemov discovered the problem with moving the page
      anon_vma to the local vma->anon_vma in a previous version of this
      patch and another problem in the way page_move_anon_rmap() was called.
      Andrew Morton discovered that CONFIG_SWAP=n wouldn't build in a
      previous version, because reuse_swap_page must be a macro to call
      page_trans_huge_mapcount from swap.h, so this uses a macro again
      instead of an inline function. With this change at least it's a less
      dangerous usage than it was before, because "page" is used only once
      now, while with the previous code reuse_swap_page(page++) would have
      called page_mapcount on page+1 and it would have increased page twice
      instead of just once.
      Dean Luick noticed an uninitialized variable that could result in a
      rmap inefficiency for the non-THP case in a previous version.
      Mike Marciniszyn said:
      : Our RDMA tests are seeing an issue with memory locking that bisects to
      : commit 61f5d698 ("mm: re-enable THP")
      : The test program registers two rather large MRs (512M) and RDMA
      : writes data to a passive peer using the first and RDMA reads it back
      : into the second MR and compares that data.  The sizes are chosen randomly
      : between 0 and 1024 bytes.
      : The test will get through a few (<= 4 iterations) and then gets a
      : compare error.
      : Tracing indicates the kernel logical addresses associated with the individual
      : pages at registration ARE correct , the data in the "RDMA read response only"
      : packets ARE correct.
      : The "corruption" occurs when the packet crosse two pages that are not physically
      : contiguous.   The second page reads back as zero in the program.
      : It looks like the user VA at the point of the compare error no longer points to
      : the same physical address as was registered.
      : This patch totally resolves the issue!
      Link: http://lkml.kernel.org/r/1462547040-1737-2-git-send-email-aarcange@redhat.comSigned-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Reviewed-by: default avatar"Kirill A. Shutemov" <kirill@shutemov.name>
      Reviewed-by: default avatarDean Luick <dean.luick@intel.com>
      Tested-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Tested-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Tested-by: default avatarJosh Collier <josh.d.collier@intel.com>
      Cc: Marc Haber <mh+linux-kernel@zugschlus.de>
      Cc: <stable@vger.kernel.org>	[4.5]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Zhou Chengming's avatar
      ksm: fix conflict between mmput and scan_get_next_rmap_item · 7496fea9
      Zhou Chengming authored
      A concurrency issue about KSM in the function scan_get_next_rmap_item.
      task A (ksmd):				|task B (the mm's task):
      mm = slot->mm;				|
      down_read(&mm->mmap_sem);		|
      ...					|
      spin_lock(&ksm_mmlist_lock);		|
      ksm_scan.mm_slot go to the next slot;	|
      spin_unlock(&ksm_mmlist_lock);		|
      					|mmput() ->
      					|	ksm_exit():
      					|if (mm_slot && ksm_scan.mm_slot != mm_slot) {
      					|	if (!mm_slot->rmap_list) {
      					|		easy_to_free = 1;
      					|		...
      					|if (easy_to_free) {
      					|	mmdrop(mm);
      					|	...
      					|So this mm_struct may be freed in the mmput().
      up_read(&mm->mmap_sem);			|
      As we can see above, the ksmd thread may access a mm_struct that already
      been freed to the kmem_cache.  Suppose a fork will get this mm_struct from
      the kmem_cache, the ksmd thread then call up_read(&mm->mmap_sem), will
      cause mmap_sem.count to become -1.
      As suggested by Andrea Arcangeli, unmerge_and_remove_all_rmap_items has
      the same SMP race condition, so fix it too.  My prev fix in function
      scan_get_next_rmap_item will introduce a different SMP race condition, so
      just invert the up_read/spin_unlock order as Andrea Arcangeli said.
      Link: http://lkml.kernel.org/r/1462708815-31301-1-git-send-email-zhouchengming1@huawei.comSigned-off-by: default avatarZhou Chengming <zhouchengming1@huawei.com>
      Suggested-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Reviewed-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Cc: Hugh Dickins <hughd@google.com>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Geliang Tang <geliangtang@163.com>
      Cc: Minchan Kim <minchan@kernel.org>
      Cc: Hanjun Guo <guohanjun@huawei.com>
      Cc: Ding Tianhong <dingtianhong@huawei.com>
      Cc: Li Bin <huawei.libin@huawei.com>
      Cc: Zhen Lei <thunder.leizhen@huawei.com>
      Cc: Xishi Qiu <qiuxishi@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Junxiao Bi's avatar
      ocfs2: fix posix_acl_create deadlock · c25a1e06
      Junxiao Bi authored
      Commit 702e5bc6 ("ocfs2: use generic posix ACL infrastructure")
      refactored code to use posix_acl_create.  The problem with this function
      is that it is not mindful of the cluster wide inode lock making it
      unsuitable for use with ocfs2 inode creation with ACLs.  For example,
      when used in ocfs2_mknod, this function can cause deadlock as follows.
      The parent dir inode lock is taken when calling posix_acl_create ->
      get_acl -> ocfs2_iop_get_acl which takes the inode lock again.  This can
      cause deadlock if there is a blocked remote lock request waiting for the
      lock to be downconverted.  And same deadlock happened in ocfs2_reflink.
      This fix is to revert back using ocfs2_init_acl.
      Fixes: 702e5bc6 ("ocfs2: use generic posix ACL infrastructure")
      Signed-off-by: default avatarTariq Saeed <tariq.x.saeed@oracle.com>
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Junxiao Bi's avatar
      ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang · 5ee0fbd5
      Junxiao Bi authored
      Commit 743b5f14 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
      introduced this issue.  ocfs2_setattr called by chmod command holds
      cluster wide inode lock when calling posix_acl_chmod.  This latter
      function in turn calls ocfs2_iop_get_acl and ocfs2_iop_set_acl.  These
      two are also called directly from vfs layer for getfacl/setfacl commands
      and therefore acquire the cluster wide inode lock.  If a remote
      conversion request comes after the first inode lock in ocfs2_setattr,
      OCFS2_LOCK_BLOCKED will be set.  And this will cause the second call to
      inode lock from the ocfs2_iop_get_acl() to block indefinetly.
      The deleted version of ocfs2_acl_chmod() calls __posix_acl_chmod() which
      does not call back into the filesystem.  Therefore, we restore
      ocfs2_acl_chmod(), modify it slightly for locking as needed, and use that
      Fixes: 743b5f14 ("ocfs2: take inode lock in ocfs2_iop_set/get_acl()")
      Signed-off-by: default avatarTariq Saeed <tariq.x.saeed@oracle.com>
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Cc: Mark Fasheh <mfasheh@suse.de>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <joseph.qi@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs · 02c9c0e9
      Linus Torvalds authored
      Pull keyring fix from David Howells:
       "Fix ASN.1 indefinite length object parsing"
      * tag 'keys-fixes-20160512' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        KEYS: Fix ASN.1 indefinite length object parsing
    • Linus Torvalds's avatar
      Merge tag 'sound-4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · e5ad8b6d
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This is a pretty boring pull request as you wish: including a few
        small and trivial HD-audio and USB-audio quirks and a couple of small
        regression fixes in HD-audio"
      * tag 'sound-4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: usb-audio: Yet another Phoneix Audio device quirk
        ALSA: hda - Fix regression on ATI HDMI audio
        ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
        ALSA: hda - Fix broken reconfig
        ALSA: hda - Fix white noise on Asus UX501VW headset
        ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · ed1e33dd
      Linus Torvalds authored
      Pull input subsystem fixes from Dmitry Torokhov.
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: twl6040-vibra - fix DT node memory management
        Input: max8997-haptic - fix NULL pointer dereference
        Input: byd - update copyright header
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 422ce5a9
      Linus Torvalds authored
      Pull pinctrl fix from Linus Walleij:
       "A single last pin control fix for v4.6.  t's tagged for stable and
        only hits a single driver with two added lines so should be safe.
        Tested in linux-next.
         - The pull up/down logic for the AT91 PIO4 controller was tilted: we
           need to mask the reverse pull when unmasking a pull direction.
           Setting both pull up & pull down is illegal and makes no sense"
      * tag 'pinctrl-v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: at91-pio4: fix pull-up/down logic
    • David Howells's avatar
      KEYS: Fix ASN.1 indefinite length object parsing · 23c8a812
      David Howells authored
      This fixes CVE-2016-0758.
      In the ASN.1 decoder, when the length field of an ASN.1 value is extracted,
      it isn't validated against the remaining amount of data before being added
      to the cursor.  With a sufficiently large size indicated, the check:
      	datalen - dp < 2
      may then fail due to integer overflow.
      Fix this by checking the length indicated against the amount of remaining
      data in both places a definite length is determined.
      Whilst we're at it, make the following changes:
       (1) Check the maximum size of extended length does not exceed the capacity
           of the variable it's being stored in (len) rather than the type that
           variable is assumed to be (size_t).
       (2) Compare the EOC tag to the symbolic constant ASN1_EOC rather than the
           integer 0.
       (3) To reduce confusion, move the initialisation of len outside of:
      	for (len = 0; n > 0; n--) {
           since it doesn't have anything to do with the loop counter n.
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMimi Zohar <zohar@linux.vnet.ibm.com>
      Acked-by: default avatarDavid Woodhouse <David.Woodhouse@intel.com>
      Acked-by: default avatarPeter Jones <pjones@redhat.com>
  2. 11 May, 2016 9 commits
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 685764b1
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a couple of small fixes: one is a potential uninitialised
        error variable in the alua code, potentially causing spurious failures
        and the other is a problem caused by the conversion of SCSI to
        hostwide tags which resulted in the qla1280 driver always failing in
        host initialisation"
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        qla1280: Don't allocate 512kb of host tags
        scsi_dh_alua: uninitialized variable in alua_rtpg()
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4d8bbbff
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Hopefully the last round of fixes this release, fingers crossed :)
         1) Initialize static nf_conntrack_locks_all_lock properly, from
            Florian Westphal.
         2) Need to cancel pending work when destroying IDLETIMER entries,
            from Liping Zhang.
         3) Fix TX param usage when sending TSO over iwlwifi devices, from
            Emmanuel Grumbach.
         4) NFACCT quota params not validated properly, from Phil Turnbull.
         5) Resolve more glibc vs.  kernel header conflicts, from Mikko
         6) Missing IRQ free in ravb_close(), from Geert Uytterhoeven.
         7) Fix infoleak in x25, from Kangjie Lu.
         8) Similarly in thunderx driver, from Heinrich Schuchardt.
         9) tc_ife.h uapi header not exported properly, from Jamal Hadi Salim.
        10) Don't reenable PHY interreupts if device is in polling mode, from
            Shaohui Xie.
        11) Packet scheduler actions late binding was not being handled
            properly at all, from Jamal Hadi Salim.
        12) Fix binding of conntrack entries to helpers in openvswitch, from
            Joe Stringer"
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (21 commits)
        gre: do not keep the GRE header around in collect medata mode
        openvswitch: Fix cached ct with helper.
        net sched: ife action fix late binding
        net sched: skbedit action fix late binding
        net sched: simple action fix late binding
        net sched: mirred action fix late binding
        net sched: ipt action fix late binding
        net sched: vlan action fix late binding
        net: phylib: fix interrupts re-enablement in phy_start
        tcp: refresh skb timestamp at retransmit time
        net: nps_enet: bug fix - handle lost tx interrupts
        net: nps_enet: Tx handler synchronization
        export tc ife uapi header
        net: thunderx: avoid exposing kernel stack
        net: fix a kernel infoleak in x25 module
        ravb: Add missing free_irq() call to ravb_close()
        uapi glibc compat: fix compile errors when glibc net/if.h included before linux/if.h
        netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter
        iwlwifi: mvm: don't override the rate with the AMSDU len
        netfilter: IDLETIMER: fix race condition when destroy the target
    • Jiri Benc's avatar
      gre: do not keep the GRE header around in collect medata mode · e271c7b4
      Jiri Benc authored
      For ipgre interface in collect metadata mode, it doesn't make sense for the
      interface to be of ARPHRD_IPGRE type. The outer header of received packets
      is not needed, as all the information from it is present in metadata_dst. We
      already don't set ipgre_header_ops for collect metadata interfaces, which is
      the only consumer of mac_header pointing to the outer IP header.
      Just set the interface type to ARPHRD_NONE in collect metadata mode for
      ipgre (not gretap, that still correctly stays ARPHRD_ETHER) and reset
      Fixes: a64b04d8 ("gre: do not assign header_ops in collect metadata mode")
      Fixes: 2e15ea39 ("ip_gre: Add support to collect tunnel metadata.")
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Joe Stringer's avatar
      openvswitch: Fix cached ct with helper. · 16ec3d4f
      Joe Stringer authored
      When using conntrack helpers from OVS, a common configuration is to
      perform a lookup without specifying a helper, then go through a
      firewalling policy, only to decide to attach a helper afterwards.
      In this case, the initial lookup will cause a ct entry to be attached to
      the skb, then the later commit with helper should attach the helper and
      confirm the connection. However, the helper attachment has been missing.
      If the user has enabled automatic helper attachment, then this issue
      will be masked as it will be applied in init_conntrack(). It is also
      masked if the action is executed from ovs_packet_cmd_execute() as that
      will construct a fresh skb.
      This patch fixes the issue by making an explicit call to try to assign
      the helper if there is a discrepancy between the action's helper and the
      current skb->nfct.
      Fixes: cae3a262 ("openvswitch: Allow attaching helpers to ct action")
      Signed-off-by: default avatarJoe Stringer <joe@ovn.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    • Mathias Krause's avatar
      x86/extable: ensure entries are swapped completely when sorting · 50c73890
      Mathias Krause authored
      The x86 exception table sorting was changed in commit 29934b0f
      ("x86/extable: use generic search and sort routines") to use the arch
      independent code in lib/extable.c.  However, the patch was mangled
      somehow on its way into the kernel from the last version posted at [1].
      The committed version kind of attempted to incorporate the changes of
      commit 548acf19 ("x86/mm: Expand the exception table logic to allow
      new handling options") as in _completely_ _ignoring_ the x86 specific
      'handler' member of struct exception_table_entry.  This effectively
      broke the sorting as entries will only partly be swapped now.
      Fortunately, the x86 Kconfig selects BUILDTIME_EXTABLE_SORT, so the
      exception table doesn't need to be sorted at runtime. However, in case
      that ever changes, we better not break the exception table sorting just
      because of that.
      [ Ard Biesheuvel points out that BUILDTIME_EXTABLE_SORT applies to the
        core image only, but we still rely on the sorting routines for modules
        in that case - Linus ]
      Fix this by providing a swap_ex_entry_fixup() macro that takes care of
      the 'handler' member.
      [1] https://lkml.org/lkml/2016/1/27/232Signed-off-by: default avatarMathias Krause <minipli@googlemail.com>
      Fixes: 29934b0f ("x86/extable: use generic search and sort routines")
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@suse.de>
      Cc: H. Peter Anvin <hpa@linux.intel.com>
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v4.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · e0d09e32
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A bunch of small driver specific fixes that have come up, none of them
        remarkable in themselves.  One fixes a regression introduced in the
        merge window and another two are targetted at stable"
      * tag 'spi-fix-v4.6-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: pxa2xx: Do not detect number of enabled chip selects on Intel SPT
        spi: spi-ti-qspi: Handle truncated frames properly
        spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is overridden
        spi: omap2-mcspi: Undo broken fix for dma transfer of vmalloced buffer
        spi: spi-fsl-dspi: Fix cs_change handling in message transfer
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · d32917ee
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Two small x86 patches, improving "make kvmconfig" and fixing an
        objtool warning for CONFIG_PROFILE_ALL_BRANCHES"
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvmconfig: add more virtio drivers
        x86/kvm: Add stack frame dependency to fastop() inline asm
    • Takashi Iwai's avatar
      ALSA: usb-audio: Yet another Phoneix Audio device quirk · 84add303
      Takashi Iwai authored
      Phoenix Audio has yet another device with another id (even a different
      vendor id, 0556:0014) that requires the same quirk for the sample
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=110221
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
    • Takashi Iwai's avatar
      ALSA: hda - Fix regression on ATI HDMI audio · 39669225
      Takashi Iwai authored
      The HDMI/DP audio output on ATI/AMD chips got broken due to the recent
      restructuring of chmap.  Fortunately, Daniel Exner could bisect, and
      pointed the culprit commit [739ffee9: ALSA: hda - Add hdmi chmap
      verb programming ops to chmap object].
      This commit moved some ops from hdmi_ops to chmap_ops, and reassigned
      the ops in the embedded chmap object in hdmi_spec instead.
      Unfortunately, the reassignment of these ops in patch_atihdmi() were
      moved into an if block that is performed only for old chips.  Thus, on
      newer chips, the generic ops is still used, which doesn't work for
      such ATI/AMD chips.
      This patch addresses the regression, simply by moving the assignment
      of chmap ops to the right place.
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114981
      Fixes: 739ffee9 ('ALSA: hda - Add hdmi chmap verb programming ops to chmap object')
      Reported-and-tested-by: default avatarDaniel Exner <dex@dragonslave.de>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
  3. 10 May, 2016 21 commits