15 Oct, 2015

1 commit


14 Oct, 2015

1 commit

  • commit 9d67dc5da59d63f746aad8f6ec4fbb86d6486f76 upstream.

    A cleanup of the omap gpio driver introduced a use of the
    handle_bad_irq() function in a device driver that can be
    a loadable module.

    This broke the ARM allmodconfig build:

    ERROR: "handle_bad_irq" [drivers/gpio/gpio-omap.ko] undefined!

    This patch exports the handle_bad_irq symbol in order to
    allow the use in modules.

    Signed-off-by: Arnd Bergmann
    Cc: Grygorii Strashko
    Cc: Santosh Shilimkar
    Cc: Linus Walleij
    Cc: Austin Schuh
    Cc: Tony Lindgren
    Cc: linux-arm-kernel@lists.infradead.org
    Link: http://lkml.kernel.org/r/5847725.4IBopItaOr@wuerfel
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Dan Murphy

    Arnd Bergmann
     

02 Oct, 2015

1 commit

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.9 stable release

    * tag 'v4.1.9' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (160 commits)
    Linux 4.1.9
    cxl: Don't remove AFUs/vPHBs in cxl_reset
    ipv4: off-by-one in continuation handling in /proc/net/route
    net: dsa: Do not override PHY interface if already configured
    inet: fix races with reqsk timers
    inet: fix possible request socket leak
    netlink: make sure -EBUSY won't escape from netlink_insert
    bna: fix interrupts storm caused by erroneous packets
    bridge: netlink: account for the IFLA_BRPORT_PROXYARP_WIFI attribute size and policy
    bridge: netlink: account for the IFLA_BRPORT_PROXYARP attribute size and policy
    udp: fix dst races with multicast early demux
    rds: fix an integer overflow test in rds_info_getsockopt()
    rocker: free netdevice during netdevice removal
    net: sched: fix refcount imbalance in actions
    act_bpf: fix memory leaks when replacing bpf programs
    packet: tpacket_snd(): fix signed/unsigned comparison
    packet: missing dev_put() in packet_do_bind()
    fib_trie: Drop unnecessary calls to leaf_pull_suffix
    net/mlx4_core: Fix wrong index in propagating port change event to VFs
    bridge: netlink: fix slave_changelink/br_setport race conditions
    ...

    Signed-off-by: Dan Murphy <DMurphy@ti.com>

    Conflicts:
    drivers/media/platform/am437x/am437x-vpfe.c

    Dan Murphy
     

30 Sep, 2015

1 commit

  • commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.

    The logic in the initial commit of unshare made creating a new
    thread group for a process contingent upon creating a new memory
    address space for that process. That is wrong. Two separate
    processes in different thread groups can share a memory address space
    and clone allows creation of such processes.

    This is significant because it was observed that mm_users > 1 does not
    mean that a process is multi-threaded, as reading /proc/PID/maps
    temporarily increments mm_users, which allows other processes to
    (accidentally) interfere with unshare() calls.

    Correct the check in check_unshare_flags() to test for
    !thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
    For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
    For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.

    By using the correct checks in unshare this removes the possibility of
    an accidental denial of service attack.

    Additionally using the correct checks in unshare ensures that only an
    explicit unshare(CLONE_VM) can possibly trigger the slow path of
    current_is_single_threaded(). As an explicit unshare(CLONE_VM) is
    pointless it is not expected there are many applications that make
    that call.

    Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
    Reported-by: Ricky Zhou
    Reported-by: Kees Cook
    Reviewed-by: Kees Cook
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: Greg Kroah-Hartman

    Eric W. Biederman
     

26 Sep, 2015

1 commit

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.8 stable release

    * tag 'v4.1.8' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (184 commits)
    Linux 4.1.8
    ARM: rockchip: fix broken build
    fs: create and use seq_show_option for escaping
    hpfs: update ctime and mtime on directory modification
    fs: Set the size of empty dirs to 0.
    drivercore: Fix unregistration path of platform devices
    ACPI, PCI: Penalize legacy IRQ used by ACPI SCI
    ARM: dts: rockchip: fix rk3288 watchdog irq
    ARM: rockchip: fix the CPU soft reset
    ARM: OMAP2+: DRA7: clockdomain: change l4per2_7xx_clkdm to SW_WKUP
    ARM: dts: fix clock-frequency of display timing0 for exynos3250-rinato
    ARM: orion5x: fix legacy orion5x IRQ numbers
    of/address: Don't loop forever in of_find_matching_node_by_address().
    soc/tegra: pmc: Avoid usage of uninitialized variable
    x86/mce: Reenable CMCI banks when swiching back to interrupt mode
    regulator: pbias: Fix broken pbias disable functionality
    auxdisplay: ks0108: fix refcount
    spi/spi-xilinx: Fix mixed poll/irq mode
    spi/spi-xilinx: Fix spurious IRQ ACK on irq mode
    Doc: ABI: testing: configfs-usb-gadget-sourcesink
    ...

    Signed-off-by: Dan Murphy <DMurphy@ti.com>

    Conflicts:
    arch/arm/mm/proc-v7.S

    Dan Murphy
     

22 Sep, 2015

2 commits

  • commit a068acf2ee77693e0bf39d6e07139ba704f461c3 upstream.

    Many file systems that implement the show_options hook fail to correctly
    escape their output which could lead to unescaped characters (e.g. new
    lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
    could lead to confusion, spoofed entries (resulting in things like
    systemd issuing false d-bus "mount" notifications), and who knows what
    else. This looks like it would only be the root user stepping on
    themselves, but it's possible weird things could happen in containers or
    in other situations with delegated mount privileges.

    Here's an example using overlay with setuid fusermount trusting the
    contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use
    of "sudo" is something more sneaky:

    $ BASE="ovl"
    $ MNT="$BASE/mnt"
    $ LOW="$BASE/lower"
    $ UP="$BASE/upper"
    $ WORK="$BASE/work/ 0 0
    none /proc fuse.pwn user_id=1000"
    $ mkdir -p "$LOW" "$UP" "$WORK"
    $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
    $ cat /proc/mounts
    none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
    none /proc fuse.pwn user_id=1000 0 0
    $ fusermount -u /proc
    $ cat /proc/mounts
    cat: /proc/mounts: No such file or directory

    This fixes the problem by adding new seq_show_option and
    seq_show_option_n helpers, and updating the vulnerable show_option
    handlers to use them as needed. Some, like SELinux, need to be open
    coded due to unusual existing escape mechanisms.

    [akpm@linux-foundation.org: add lost chunk, per Kees]
    [keescook@chromium.org: seq_show_option should be using const parameters]
    Signed-off-by: Kees Cook
    Acked-by: Serge Hallyn
    Acked-by: Jan Kara
    Acked-by: Paul Moore
    Cc: J. R. Okajima
    Signed-off-by: Kees Cook
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Kees Cook
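
An added illustration of the escaping fix described in the commit above (userspace C written for this page, not the kernel's seq_show_option code): separator and whitespace bytes in an option name or value are written as octal escapes, so a value carrying a newline stays inside one /proc/mounts record. The function names, the escape sets and the sample workdir string (constructed from the message's own example) are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the workdir value from the example above, with an
 * embedded newline followed by a forged mount record. */
#define SAMPLE_WORKDIR "ovl/work/ 0 0\nnone /proc fuse.pwn user_id=1000"

/* Append src at dst[len], writing each byte found in esc as a backslash
 * plus three octal digits. Returns the new length, or -1 if it does not fit. */
static long append_escaped(char *dst, size_t cap, size_t len,
                           const char *src, const char *esc)
{
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;

        if (strchr(esc, c)) {
            if (len + 4 >= cap)
                return -1;
            len += (size_t)snprintf(dst + len, cap - len, "\\%03o", (unsigned)c);
        } else {
            if (len + 1 >= cap)
                return -1;
            dst[len++] = (char)c;
            dst[len] = '\0';
        }
    }
    return (long)len;
}

/* Escaping hook: emits ",name=value" with both parts escaped. */
static long show_option(char *dst, size_t cap, size_t len,
                        const char *name, const char *value)
{
    long n;

    if (len + 1 >= cap)
        return -1;
    dst[len++] = ',';
    dst[len] = '\0';
    n = append_escaped(dst, cap, len, name, ",= \t\n\\");
    if (n < 0 || (size_t)n + 1 >= cap)
        return -1;
    len = (size_t)n;
    dst[len++] = '=';
    dst[len] = '\0';
    return append_escaped(dst, cap, len, value, ", \t\n\\");
}

/* Raw hook: prints the value exactly as the mounter supplied it. */
static long show_option_raw(char *dst, size_t cap, size_t len,
                            const char *name, const char *value)
{
    int n = snprintf(dst + len, cap - len, ",%s=%s", name, value);

    if (n < 0 || (size_t)n >= cap - len)
        return -1;
    return (long)len + n;
}

/* Build one mount record and return how many lines a line-based reader of
 * /proc/mounts would see in it (-1 if the buffer is too small). */
int render_mount_line(char *out, size_t cap, const char *workdir, int escape)
{
    int lines = 0;
    long len = snprintf(out, cap, "none /mnt overlay rw");

    if (len < 0 || (size_t)len >= cap)
        return -1;
    len = escape ? show_option(out, cap, (size_t)len, "workdir", workdir)
                 : show_option_raw(out, cap, (size_t)len, "workdir", workdir);
    if (len < 0 || (size_t)len + 5 >= cap)
        return -1;
    memcpy(out + len, " 0 0\n", 6);
    for (const char *p = out; *p; p++)
        lines += (*p == '\n');
    return lines;
}

int main(void)
{
    char line[256];

    render_mount_line(line, sizeof(line), SAMPLE_WORKDIR, 0);
    printf("raw hook:\n%s", line);
    render_mount_line(line, sizeof(line), SAMPLE_WORKDIR, 1);
    printf("escaping hook:\n%s", line);
    return 0;
}
```

A consumer that trusts the mount table should see exactly one record per mount; the raw hook yields two for this input, the escaping hook one.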
     
  • commit dd9d3843755da95f63dd3a376f62b3e45c011210 upstream.

    There is a race condition in SMP bootup code, which may result
    in

    WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418
    workqueue_cpu_up_callback()
    or
    kernel BUG at kernel/smpboot.c:135!

    It can be triggered with a bit of luck in Linux guests running
    on busy hosts.

    CPU0                        CPUn
    ====                        ====

    _cpu_up()
      __cpu_up()
                                start_secondary()
                                  set_cpu_online()
                                    cpumask_set_cpu(cpu,
                                      to_cpumask(cpu_online_bits));
      cpu_notify(CPU_ONLINE)

                                    cpumask_set_cpu(cpu,
                                      to_cpumask(cpu_active_bits));

    During the various CPU_ONLINE callbacks CPUn is online but not
    active. Several things can go wrong at that point, depending on
    the scheduling of tasks on CPU0.

    Variant 1:

    cpu_notify(CPU_ONLINE)
    workqueue_cpu_up_callback()
    rebind_workers()
    set_cpus_allowed_ptr()

    This call fails because it requires an active CPU; rebind_workers()
    ends with a warning:

    WARNING: CPU: 0 PID: 1 at kernel/workqueue.c:4418
    workqueue_cpu_up_callback()

    Variant 2:

    cpu_notify(CPU_ONLINE)
    smpboot_thread_call()
    smpboot_unpark_threads()
    ..
    __kthread_unpark()
    __kthread_bind()
    wake_up_state()
    ..
    select_task_rq()
    select_fallback_rq()

    The ->wake_cpu of the unparked thread is not allowed, making a call
    to select_fallback_rq() necessary. Then, select_fallback_rq() cannot
    find an allowed, active CPU and promptly resets the allowed CPUs, so
    that the task in question ends up on CPU0.

    When those unparked tasks are eventually executed, they run
    immediately into a BUG:

    kernel BUG at kernel/smpboot.c:135!

    Just changing the order in which the online/active bits are set
    (and adding some memory barriers), would solve the two issues
    above. However, it would change the order of operations back to
    the one before commit 6acbfb96976f ("sched: Fix hotplug vs.
    set_cpus_allowed_ptr()"), thus, reintroducing that particular
    problem.

    Going further back into history, we have at least the following
    commits touching this topic:
    - commit 2baab4e90495 ("sched: Fix select_fallback_rq() vs cpu_active/cpu_online")
    - commit 5fbd036b552f ("sched: Cleanup cpu_active madness")

    Together, these give us the following non-working solutions:

    - secondary CPU sets active before online, because active is assumed to
    be a subset of online;

    - secondary CPU sets online before active, because the primary CPU
    assumes that an online CPU is also active;

    - secondary CPU sets online and waits for primary CPU to set active,
    because it might deadlock.

    Commit 875ebe940d77 ("powerpc/smp: Wait until secondaries are
    active & online") introduces an arch-specific solution to this
    arch-independent problem.

    Now, go for a more general solution without explicit waiting and
    simply set active twice: once on the secondary CPU after online
    was set and once on the primary CPU after online was seen.

    Signed-off-by: Jan H. Schönherr
    Acked-by: Peter Zijlstra
    Cc: Anton Blanchard
    Cc: Borislav Petkov
    Cc: Joerg Roedel
    Cc: Linus Torvalds
    Cc: Matt Wilson
    Cc: Michael Ellerman
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 6acbfb96976f ("sched: Fix hotplug vs. set_cpus_allowed_ptr()")
    Link: http://lkml.kernel.org/r/1439408156-18840-1-git-send-email-jschoenh@amazon.de
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Jan H. Schönherr
     

14 Sep, 2015

7 commits

  • commit b7560de198222994374c1340a389f12d5efb244a upstream.

    This helper is required for irq chips which do not implement an
    irq_set_type callback and need to call down the irq domain hierarchy
    for the actual trigger type change.

    This helper is required to fix further wreckage caused by the
    conversion of TI OMAP to hierarchical irq domains and therefore tagged
    for stable.

    [ tglx: Massaged changelog ]

    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc: stable@vger.kernel.org # 4.1
    Link: http://lkml.kernel.org/r/1439554830-19502-3-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Grygorii Strashko
     
  • commit 6d4affea7d5aa5ca5ff4c3e5fbf3ee16801cc527 upstream.

    irq_chip_retrigger_hierarchy() returns -ENOSYS if it was not able to
    find at least one .irq_retrigger() callback implemented in the IRQ
    domain hierarchy.

    That's wrong, because check_irq_resend() expects a 0 return value from
    the callback in case that the hardware assisted resend was not
    possible. If the return value is non zero the core code assumes
    hardware resend success and the software resend is not invoked.

    This results in lost interrupts on platforms where none of the parent
    irq chips in the hierarchy implements the retrigger callback.

    This is observable on TI OMAP, where the hierarchy is:

    ARM GIC
    Reviewed-by: Marc Zyngier
    Reviewed-by: Jiang Liu
    Cc: Sudeep Holla
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Link: http://lkml.kernel.org/r/1439554830-19502-2-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Grygorii Strashko
     
  • commit 24ee3cf89bef04e8bc23788aca4e029a3f0f06d9 upstream.

    The comment says it's using trialcs->mems_allowed as a temp variable but
    it didn't match the code. Change the code to match the comment.

    This fixes an issue when writing in cpuset.mems when a sub-directory
    exists: we need to write several times for the information to persist:

    | root@alban:/sys/fs/cgroup/cpuset# mkdir footest9
    | root@alban:/sys/fs/cgroup/cpuset# cd footest9
    | root@alban:/sys/fs/cgroup/cpuset/footest9# mkdir aa
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat cpuset.mems
    | 0
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
    |
    | root@alban:/sys/fs/cgroup/cpuset/footest9# echo 0 > aa/cpuset.mems
    | root@alban:/sys/fs/cgroup/cpuset/footest9# cat aa/cpuset.mems
    | 0
    | root@alban:/sys/fs/cgroup/cpuset/footest9#

    This should help to fix the following issue in Docker:
    https://github.com/opencontainers/runc/issues/133
    In some conditions, a Docker container needs to be started twice in
    order to work.

    Signed-off-by: Alban Crequy
    Tested-by: Iago López Galeiras
    Acked-by: Li Zefan
    Signed-off-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

    Alban Crequy
     
  • commit c7999c6f3fed9e383d3131474588f282ae6d56b9 upstream.

    I ran the perf fuzzer, which triggered some WARN()s which are due to
    trying to stop/restart an event on the wrong CPU.

    Use the normal IPI pattern to ensure we run the code on the correct CPU.

    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Vince Weaver
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: bad7192b842c ("perf: Fix PERF_EVENT_IOC_PERIOD to force-reset the period")
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Peter Zijlstra
     
  • commit ee9397a6fb9bc4e52677f5e33eed4abee0f515e6 upstream.

    If rb->aux_refcount is decremented to zero before rb->refcount,
    __rb_free_aux() may be called twice resulting in a double free of
    rb->aux_pages. Fix this by adding a check to __rb_free_aux().

    Signed-off-by: Ben Hutchings
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Alexander Shishkin
    Cc: Arnaldo Carvalho de Melo
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Fixes: 57ffc5ca679f ("perf: Fix AUX buffer refcounting")
    Link: http://lkml.kernel.org/r/1437953468.12842.17.camel@decadent.org.uk
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Ben Hutchings
     
  • commit 00a2916f7f82c348a2a94dbb572874173bc308a3 upstream.

    A recent fix to the shadow timestamp inadvertently broke the running time
    accounting.

    We must not update the running timestamp if we fail to schedule the
    event, the event will not have run. This can (and did) result in
    negative total runtime because the stopped timestamp was before the
    running timestamp (we 'started' but never stopped the event -- because
    it never really started we didn't have to stop it either).

    Reported-and-Tested-by: Vince Weaver
    Fixes: 72f669c0086f ("perf: Update shadow timestamp before add event")
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Shaohua Li
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Peter Zijlstra
     
  • commit fed66e2cdd4f127a43fd11b8d92a99bdd429528c upstream.

    Vince reported that the fasync signal stuff doesn't work properly for
    inherited events. So fix that.

    Installing fasync allocates memory and sets filp->f_flags |= FASYNC,
    which upon the demise of the file descriptor ensures the allocation is
    freed and state is updated.

    Now for perf, we can have the events stick around for a while after the
    original FD is dead because of references from child events. So we
    cannot copy the fasync pointer around. We can however consistently use
    the parent's fasync, as that will be updated.

    Reported-and-Tested-by: Vince Weaver
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Arnaldo Carvalho de Melo
    Cc: Linus Torvalds
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Cc: eranian@google.com
    Link: http://lkml.kernel.org/r/1434011521.1495.71.camel@twins
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Peter Zijlstra
     

27 Aug, 2015

3 commits

  • …nel/platform-linux-feature-tree into ti-linux-4.1.y

    TI-Feature: platform_base
    TI-Tree: git://git.ti.com/~rrnayak/ti-linux-kernel/platform-linux-feature-tree.git
    TI-Branch: platform-ti-linux-4.1.y

    * 'platform-ti-linux-4.1.y' of git://git.ti.com/~rrnayak/ti-linux-kernel/platform-linux-feature-tree:
    irqchip/crossbar: Restore set_wake functionality
    irqchip/crossbar: Restore the mask on suspend behaviour
    ARM: OMAP: wakeupgen: Restore the irq_set_type() mechanism
    irqchip/crossbar: Restore the irq_set_type() mechanism
    genirq: Introduce irq_chip_set_type_parent() helper
    genirq: Don't return ENOSYS in irq_chip_retrigger_hierarchy
    drivercore: Fix unregistration path of platform devices
    driver core: correct device's shutdown order

    Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>

    Texas Instruments Auto Merger
     
  • commit b7560de198222994374c1340a389f12d5efb244a upstream.

    This helper is required for irq chips which do not implement an
    irq_set_type callback and need to call down the irq domain hierarchy
    for the actual trigger type change.

    This helper is required to fix further wreckage caused by the
    conversion of TI OMAP to hierarchical irq domains and therefore tagged
    for stable.

    [ tglx: Massaged changelog ]

    Signed-off-by: Grygorii Strashko
    Cc: Sudeep Holla
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc: stable@vger.kernel.org # 4.1
    Link: http://lkml.kernel.org/r/1439554830-19502-3-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Grygorii Strashko

    Grygorii Strashko
     
  • commit 6d4affea7d5aa5ca5ff4c3e5fbf3ee16801cc527 upstream.

    irq_chip_retrigger_hierarchy() returns -ENOSYS if it was not able to
    find at least one .irq_retrigger() callback implemented in the IRQ
    domain hierarchy.

    That's wrong, because check_irq_resend() expects a 0 return value from
    the callback in case that the hardware assisted resend was not
    possible. If the return value is non zero the core code assumes
    hardware resend success and the software resend is not invoked.

    This results in lost interrupts on platforms where none of the parent
    irq chips in the hierarchy implements the retrigger callback.

    This is observable on TI OMAP, where the hierarchy is:

    ARM GIC
    Reviewed-by: Marc Zyngier
    Reviewed-by: Jiang Liu
    Cc: Sudeep Holla
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc:
    Cc: stable@vger.kernel.org # 4.1
    Link: http://lkml.kernel.org/r/1439554830-19502-2-git-send-email-grygorii.strashko@ti.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Grygorii Strashko

    Grygorii Strashko
     

17 Aug, 2015

3 commits

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.6 stable release

    * tag 'v4.1.6' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (85 commits)
    Linux 4.1.6
    nfsd: do nfs4_check_fh in nfs4_check_file instead of nfs4_check_olstateid
    nfsd: refactor nfs4_preprocess_stateid_op
    kvm: x86: fix kvm_apic_has_events to check for NULL pointer
    signal: fix information leak in copy_siginfo_from_user32
    signal: fix information leak in copy_siginfo_to_user
    signalfd: fix information leak in signalfd_copyinfo
    mm, vmscan: Do not wait for page writeback for GFP_NOFS allocations
    thermal: exynos: Disable the regulator on probe failure
    Input: alps - only Dell laptops have separate button bits for v2 dualpoint sticks
    mtd: nand: Fix NAND_USE_BOUNCE_BUFFER flag conflict
    USB: qcserial: Add support for Dell Wireless 5809e 4G Modem
    USB: qcserial/option: make AT URCs work for Sierra Wireless MC7305/MC7355
    usb: gadget: f_uac2: fix calculation of uac2->p_interval
    staging: lustre: Include unaligned.h instead of access_ok.h
    staging: vt6655: vnt_bss_info_changed check conf->beacon_rate is not NULL
    dm: fix dm_merge_bvec regression on 32 bit systems
    md/raid1: extend spinlock to protect raid1_end_read_request against inconsistencies
    PCI: Restore PCI_MSIX_FLAGS_BIRMASK definition
    nfsd: Drop BUG_ON and ignore SECLABEL on absent filesystem
    ...

    Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>

    Texas Instruments Auto Merger
     
  • commit 3c00cb5e68dc719f2fc73a33b1b230aadfcb1309 upstream.

    This function can leak kernel stack data when the user siginfo_t has a
    positive si_code value. The top 16 bits of si_code describe which fields
    in the siginfo_t union are active, but they are treated inconsistently
    between copy_siginfo_from_user32, copy_siginfo_to_user32 and
    copy_siginfo_to_user.

    copy_siginfo_from_user32 is called from rt_sigqueueinfo and
    rt_tgsigqueueinfo in which the user has full control over the top 16 bits
    of si_code.

    This fixes the following information leaks:
    x86: 8 bytes leaked when sending a signal from a 32-bit process to
    itself. This leak grows to 16 bytes if the process uses x32.
    (si_code = __SI_CHLD)
    x86: 100 bytes leaked when sending a signal from a 32-bit process to
    a 64-bit process. (si_code = -1)
    sparc: 4 bytes leaked when sending a signal from a 32-bit process to a
    64-bit process. (si_code = any)

    parisc and s390 have similar bugs, but they are not vulnerable because
    rt_[tg]sigqueueinfo have checks that prevent sending a positive si_code
    to a different process. These bugs are also fixed for consistency.

    Signed-off-by: Amanieu d'Antras
    Cc: Oleg Nesterov
    Cc: Ingo Molnar
    Cc: Russell King
    Cc: Ralf Baechle
    Cc: Benjamin Herrenschmidt
    Cc: Chris Metcalf
    Cc: Paul Mackerras
    Cc: Michael Ellerman
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Amanieu d'Antras
     
  • commit 26135022f85105ad725cda103fa069e29e83bd16 upstream.

    This function may copy the si_addr_lsb, si_lower and si_upper fields to
    user mode when they haven't been initialized, which can leak kernel
    stack data to user mode.

    Just checking the value of si_code is insufficient because the same
    si_code value is shared between multiple signals. This is solved by
    checking the value of si_signo in addition to si_code.

    Signed-off-by: Amanieu d'Antras
    Cc: Oleg Nesterov
    Cc: Ingo Molnar
    Cc: Russell King
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Amanieu d'Antras
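
An added illustration of the check described in the commit above (userspace C written for this page, not the kernel's copy_siginfo_to_user): the output record is zeroed first, and signal-specific fields are copied only when si_signo and si_code together say they were filled in. The struct layout, the function names, the `SK_` code numbers and the 0x5A stale-stack pattern are assumptions of this sketch.

```c
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define STALE 0x5A   /* constructed pattern standing in for old stack contents */

/* si_code numbers local to this sketch; the first two collide on purpose. */
enum { SK_SEGV_BNDERR = 3, SK_BUS_OBJERR = 3, SK_BUS_MCEERR_AR = 4 };

struct fault_info {             /* simplified fault record */
    int signo;
    int code;
    unsigned long addr;         /* valid for every fault signal */
    short addr_lsb;             /* valid only for SIGBUS machine-check codes */
    unsigned long lower, upper; /* valid only for SIGSEGV bounds errors */
};

/* Copy a fault record to its consumer. With check_signo == 0 the optional
 * fields are selected by code alone, which the message calls insufficient. */
void copy_fault_out(struct fault_info *to, const struct fault_info *from,
                    int check_signo)
{
    memset(to, 0, sizeof(*to));         /* also clears padding bytes */
    to->signo = from->signo;
    to->code = from->code;
    to->addr = from->addr;

    if ((!check_signo || from->signo == SIGBUS) &&
        from->code == SK_BUS_MCEERR_AR)
        to->addr_lsb = from->addr_lsb;
    if ((!check_signo || from->signo == SIGSEGV) &&
        from->code == SK_SEGV_BNDERR) {
        to->lower = from->lower;
        to->upper = from->upper;
    }
}

/* Count bytes of the copied record that still carry the stale pattern. */
static size_t stale_bytes(const struct fault_info *p)
{
    const unsigned char *b = (const unsigned char *)p;
    size_t n = 0;

    for (size_t i = 0; i < sizeof(*p); i++)
        n += (b[i] == STALE);
    return n;
}

/* A SIGBUS record whose code has the same number as the SIGSEGV bounds
 * code: only signo, code and addr are ever written by the sender. */
size_t leak_demo(int check_signo)
{
    struct fault_info slot, out;

    memset(&slot, STALE, sizeof(slot)); /* uninitialised stack slot */
    slot.signo = SIGBUS;
    slot.code = SK_BUS_OBJERR;
    slot.addr = 0x1000;
    copy_fault_out(&out, &slot, check_signo);
    return stale_bytes(&out);
}

int main(void)
{
    printf("code-only check leaks %zu stale bytes\n", leak_demo(0));
    printf("signo+code check leaks %zu stale bytes\n", leak_demo(1));
    return 0;
}
```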
     

12 Aug, 2015

1 commit

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.5 stable release

    * tag 'v4.1.5' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (124 commits)
    Linux 4.1.5
    perf symbols: Store if there is a filter in place
    xfs: remote attributes need to be considered data
    xfs: remote attribute headers contain an invalid LSN
    drm/nouveau/drm/nv04-nv40/instmem: protect access to priv->heap by mutex
    drm/nouveau: hold mutex when calling nouveau_abi16_fini()
    drm/nouveau/kms/nv50-: guard against enabling cursor on disabled heads
    drm/nouveau/fbcon/nv11-: correctly account for ring space usage
    qla2xxx: kill sessions/log out initiator on RSCN and port down events
    qla2xxx: fix command initialization in target mode.
    qla2xxx: Remove msleep in qlt_send_term_exchange
    qla2xxx: release request queue reservation.
    qla2xxx: Fix hardware lock/unlock issue causing kernel panic.
    intel_pstate: Add get_scaling cpu_defaults param to Knights Landing
    iscsi-target: Fix iser explicit logout TX kthread leak
    iscsi-target: Fix iscsit_start_kthreads failure OOPs
    iscsi-target: Fix use-after-free during TPG session shutdown
    IB/ipoib: Fix CONFIG_INFINIBAND_IPOIB_CM
    NFS: Fix a memory leak in nfs_do_recoalesce
    NFSv4: We must set NFS_OPEN_STATE flag in nfs_resync_open_stateid_locked
    ...

    Signed-off-by: Dan Murphy <DMurphy@ti.com>

    Conflicts:
    arch/arm/boot/dts/dra7-evm.dts
    drivers/mmc/host/omap_hsmmc.c

    Dan Murphy
     

11 Aug, 2015

2 commits

  • commit e3eea1404f5ff7a2ceb7b5e7ba412a6fd94f2935 upstream.

    Commit 4104d326b670 ("ftrace: Remove global function list and call function
    directly") simplified the ftrace code by removing the global_ops list with a
    new design. But this cleanup also broke the filtering of PIDs that are added
    to the set_ftrace_pid file.

    Add back the proper hooks to have pid filtering working once again.

    Reported-by: Matt Fleming
    Reported-by: Richard Weinberger
    Tested-by: Matt Fleming
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt (Red Hat)
     
  • commit 75a06189fc508a2acf470b0b12710362ffb2c4b1 upstream.

    The resend mechanism happily calls the interrupt handler of interrupts
    which are marked IRQ_NESTED_THREAD from softirq context. This can
    result in crashes because the interrupt handler is not the proper way
    to invoke the device handlers. They must be invoked via
    handle_nested_irq.

    Prevent the resend even if the interrupt has no valid parent irq
    set. It's better to have a lost interrupt than a crashing machine.

    Reported-by: Uwe Kleine-König
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

04 Aug, 2015

7 commits

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.4 stable release

    * tag 'v4.1.4' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (270 commits)
    Linux 4.1.4
    x86/mpx: Do not set ->vm_ops on MPX VMAs
    mm: avoid setting up anonymous pages into file mapping
    Fix firmware loader uevent buffer NULL pointer dereference
    hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead
    hpfs: kstrdup() out of memory handling
    ARM: 8397/1: fix vdsomunge not to depend on glibc specific error.h
    ARM: 8393/1: smp: Fix suspicious RCU usage with ipi tracepoints
    perf bench numa: Fix to show proper convergence stats
    arm64: Don't report clear pmds and puds as huge
    arm64: bpf: fix endianness conversion bugs
    arm64: bpf: fix out-of-bounds read in bpf2a64_offset()
    ARM64: smp: Fix suspicious RCU usage with ipi tracepoints
    p9_client_write(): avoid double p9_free_req()
    EDAC, octeon: Fix broken build due to model helper renames
    ARM: dove: fix legacy dove IRQ numbers
    agp/intel: Fix typo in needs_ilk_vtd_wa()
    rbd: use GFP_NOIO in rbd_obj_request_create()
    9p: don't leave a half-initialized inode sitting around
    9p: forgetting to cancel request on interrupted zero-copy RPC
    ...

    Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>

    Texas Instruments Auto Merger
     
  • commit d194e5d666225b04c7754471df0948f645b6ab3a upstream.

    The final version of commit 637241a900cb ("kmsg: honor dmesg_restrict
    sysctl on /dev/kmsg") lost a few hooks; as a result, security_syslog()
    calls are processed incorrectly:

    - open of /dev/kmsg checks syslog access permissions by using
    check_syslog_permissions() where security_syslog() is not called if
    dmesg_restrict is set.

    - syslog syscall and /proc/kmsg calls do_syslog() where security_syslog
    can be executed twice (inside check_syslog_permissions() and then
    directly in do_syslog())

    With this patch security_syslog() is called once only in all
    syslog-related operations regardless of dmesg_restrict value.

    Fixes: 637241a900cb ("kmsg: honor dmesg_restrict sysctl on /dev/kmsg")
    Signed-off-by: Vasily Averin
    Cc: Kees Cook
    Cc: Josh Boyer
    Cc: Eric Paris
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    Vasily Averin
     
  • commit fff3b16d2754a061a3549c4307a186423a0128fd upstream.

    Many harddisks (mostly WD ones) have firmware problems and take too
    long, more than 10 seconds, to resume from suspend. And this often
    exceeds the default DPM watchdog timeout (12 seconds), resulting in a
    kernel panic all of a sudden.

    Since most distros just take the default as is, we should give a
    somewhat safer value. This patch increases the default value from 12
    seconds to one minute, which has been confirmed to be long enough for
    such problematic disks.

    Link: https://bugzilla.kernel.org/show_bug.cgi?id=91921
    Fixes: 70fea60d888d (PM / Sleep: Detect device suspend/resume lockup and log event)
    Signed-off-by: Takashi Iwai
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

    Takashi Iwai
     
  • commit 6224beb12e190ff11f3c7d4bf50cb2922878f600 upstream.

    Fengguang Wu's tests triggered a bug in the branch tracer's start up
    test when CONFIG_DEBUG_PREEMPT is set. This was because that config
    adds some debug logic in the per cpu field, which calls back into
    the branch tracer.

    The branch tracer has its own recursive checks, but uses a per cpu
    variable to implement it. If retrieving the per cpu variable calls
    back into the branch tracer, you can see how things will break.

    Instead of using a per cpu variable, use the trace_recursion field
    of the current task struct. Simply set a bit when entering the
    branch tracing and clear it when leaving. If the bit is set on
    entry, just don't do the tracing.

    There's also the case with lockdep, as the local_irq_save() called
    before the recursion can also trigger code that can call back into
    the function. Changing that to a raw_local_irq_save() will protect
    that as well.

    This prevents the recursion and the inevitable crash that follows.

    Link: http://lkml.kernel.org/r/20150630141803.GA28071@wfg-t540p.sh.intel.com

    Reported-by: Fengguang Wu
    Tested-by: Fengguang Wu
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt (Red Hat)
     
  • commit cc9e4bde03f2b4cfba52406c021364cbd2a4a0f3 upstream.

    The trace.h header when called without CONFIG_EVENT_TRACING enabled
    (seldom done), will not compile because of a typo in the protocol
    of trace_event_enum_update().

    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt (Red Hat)
     
  • commit 6b88f44e161b9ee2a803e5b2b1fbcf4e20e8b980 upstream.

    While debugging a WARN_ON() for filtering, I found that it is possible
    for the filter string to be referenced after its end. With the filter:

    # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter

    The filter_parse() function can call infix_get_op() which calls
    infix_advance() that updates the infix filter pointers for the cnt
    and tail without checking if the filter is already at the end, which
    will put the cnt to zero and the tail beyond the end. The loop then calls
    infix_next() that has

    ps->infix.cnt--;
    return ps->infix.string[ps->infix.tail++];

    The cnt will now be below zero, and the tail that is returned is
    already past the end of the filter string. So far the allocation
    of the filter string usually has some buffer that is zeroed out, but
    if the filter string is of the exact size of the allocated buffer
    there's no guarantee that the character after the nul terminating
    character will be zero.

    Luckily, only root can write to the filter.

    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt (Red Hat)
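The cursor arithmetic that commit message walks through, as an added user-space example (not the kernel's code and not part of the commit). The struct, the arena, the `_unchecked`/`_checked` function names and the choice to start `cnt` at the buffer size are assumptions made for this model; the bounded forms show one way to stop the cursor at the end.

```c
#include <stdio.h>

/* User-space model of the cursor in the commit message. Field names follow
 * the quoted ps->infix.{string,cnt,tail}; everything else is constructed. */
struct infix_model { const char *string; int cnt; int tail; };
struct outcome { char last; int cnt; int tail; };
/* Constructed arena: the filter ">" plus its NUL fills bytes 0..1 exactly;
 * bytes 2..3 stand in for whatever memory follows the allocation. */
static const char arena[4] = { '>', '\0', 'X', 'X' };
#define FILTER_SIZE 2 /* assumption of this model: cnt starts at buffer size */

/* Unchecked forms: the cursor moves no matter how much is left. */
static void advance_unchecked(struct infix_model *m) { m->cnt--; m->tail++; }
static char next_unchecked(struct infix_model *m)
{
    m->cnt--;
    return m->string[m->tail++];
}

/* Bounded forms: once cnt reaches zero the cursor stops and reads nothing. */
static void advance_checked(struct infix_model *m)
{
    if (m->cnt > 0) { m->cnt--; m->tail++; }
}
static char next_checked(struct infix_model *m)
{
    if (m->cnt <= 0)
        return '\0';
    m->cnt--;
    return m->string[m->tail++];
}

/* Replay the sequence from the message: read the operator, advance, read. */
static struct outcome replay(int checked)
{
    struct infix_model m = { arena, FILTER_SIZE, 0 };
    struct outcome o;
    if (checked) { next_checked(&m); advance_checked(&m); o.last = next_checked(&m); }
    else { next_unchecked(&m); advance_unchecked(&m); o.last = next_unchecked(&m); }
    o.cnt = m.cnt; o.tail = m.tail;
    return o;
}

int main(void)
{
    struct outcome u = replay(0), c = replay(1);
    printf("unchecked: last=%d cnt=%d tail=%d\n", u.last, u.cnt, u.tail);
    printf("bounded:   last=%d cnt=%d tail=%d\n", c.last, c.cnt, c.tail);
    return 0;
}
```

In the unchecked replay the last byte returned is the stand-in byte after the NUL and `cnt` ends below zero; in the bounded replay the cursor stops at the buffer size and the parser sees a terminator.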
     
  • commit b4875bbe7e68f139bd3383828ae8e994a0df6d28 upstream.

    When testing the fix for the trace filter, I could not come up with
    a scenario where the operand count goes below zero, so I added a
    WARN_ON_ONCE(cnt < 0) to the logic. But there is a legitimate case
    where it can happen (although the filter would be wrong).

    # echo '>' > /sys/kernel/debug/events/ext4/ext4_truncate_exit/filter

    That is, a single operation without any operands will hit the path
    where the WARN_ON_ONCE() can trigger. Although this is harmless,
    and the filter is reported as an error. But instead of spitting out
    a warning to the kernel dmesg, just fail nicely and report it via
    the proper channels.

    Link: http://lkml.kernel.org/r/558C6082.90608@oracle.com

    Reported-by: Vince Weaver
    Reported-by: Sasha Levin
    Signed-off-by: Steven Rostedt
    Signed-off-by: Greg Kroah-Hartman

    Steven Rostedt (Red Hat)
     

22 Jul, 2015

6 commits

  • …x-stable into ti-linux-4.1.y

    This is the 4.1.3 stable release

    * tag 'v4.1.3' of http://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable: (66 commits)
    Linux 4.1.3
    Input: pixcir_i2c_ts - fix receive error
    of/pci: Fix pci_address_to_pio() conversion of CPU address to I/O port
    PCI: pciehp: Wait for hotplug command completion where necessary
    PCI: Add pci_bus_addr_t
    PCI: Propagate the "ignore hotplug" setting to parent
    mtd: dc21285: use raw spinlock functions for nw_gpio_lock
    mtd: fix: avoid race condition when accessing mtd->usecount
    leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger
    video: mxsfb: Make sure axi clock is enabled when accessing registers
    genirq: devres: Fix testing return value of request_any_context_irq()
    IB/srp: Fix reconnection failure handling
    IB/srp: Fix connection state tracking
    IB/srp: Fix a connection setup race
    IB/srp: Remove an extraneous scsi_host_put() from an error path
    scsi_transport_srp: Fix a race condition
    scsi_transport_srp: Introduce srp_wait_for_queuecommand()
    spi: pl022: Specify 'num-cs' property as required in devicetree binding
    spi: orion: Fix maximum baud rates for Armada 370/XP
    spi: fix race freeing dummy_tx/rx before it is unmapped
    ...

    Signed-off-by: Texas Instruments Auto Merger <lcpd_integration@list.ti.com>

    Texas Instruments Auto Merger
     
  • commit 63781394c540dd9e666a6b21d70b64dd52bce76e upstream.

    request_any_context_irq() returns a negative value on failure.
    It returns either IRQC_IS_HARDIRQ or IRQC_IS_NESTED on success.
    So fix testing return value of request_any_context_irq().

    Also fixup the return value of devm_request_any_context_irq() to make it
    consistent with request_any_context_irq().

    Fixes: 0668d3065128 ("genirq: Add devm_request_any_context_irq()")
    Signed-off-by: Axel Lin
    Reviewed-by: Stephen Boyd
    Link: http://lkml.kernel.org/r/1431334978.17783.4.camel@ingics.com
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Axel Lin
     
  • commit 9a1bd63cdae4b623494c4ebaf723a91c35ec49fb upstream.

    The list of loaded modules is walked through in
    module_kallsyms_on_each_symbol (called by kallsyms_on_each_symbol). The
    module_mutex lock should be acquired to prevent potential corruptions
    in the list.

    This was uncovered with new lockdep asserts in module code introduced by
    the commit 0be964be0d45 ("module: Sanitize RCU usage and locking") in
    recent next- trees.

    Signed-off-by: Miroslav Benes
    Acked-by: Josh Poimboeuf
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

    Miroslav Benes
     
  • commit 6e91f8cb138625be96070b778d9ba71ce520ea7e upstream.

    If, at the time __rcu_process_callbacks() is invoked, there are callbacks
    in Tiny RCU's callback list, but none of them are ready to be invoked,
    the current list-management code will knit the non-ready callbacks out
    of the list. This can result in hangs and possibly worse. This commit
    therefore inserts a check for there being no callbacks that can be
    invoked immediately.

    This bug is unlikely to occur -- you have to get a new callback between
    the time rcu_sched_qs() or rcu_bh_qs() was called, but before we get to
    __rcu_process_callbacks(). It was detected by the addition of RCU-bh
    testing to rcutorture, which in turn was instigated by Iftekhar Ahmed's
    mutation testing. Although this bug was made much more likely by
    915e8a4fe45e (rcu: Remove fastpath from __rcu_process_callbacks()), this
    did not cause the bug, but rather made it much more probable. That
    said, it takes more than 40 hours of rcutorture testing, on average,
    for this bug to appear, so this fix cannot be considered an emergency.

    Signed-off-by: Paul E. McKenney
    Reviewed-by: Josh Triplett
    Signed-off-by: Greg Kroah-Hartman

    Paul E. McKenney
     
  • commit f9bb48825a6b5d02f4cabcc78967c75db903dcdc upstream.

    This allows for better documentation in the code and
    it allows for a simpler and fully correct version of
    fs_fully_visible to be written.

    The mount points converted and their filesystems are:
    /sys/hypervisor/s390/ s390_hypfs
    /sys/kernel/config/ configfs
    /sys/kernel/debug/ debugfs
    /sys/firmware/efi/efivars/ efivarfs
    /sys/fs/fuse/connections/ fusectl
    /sys/fs/pstore/ pstore
    /sys/kernel/tracing/ tracefs
    /sys/fs/cgroup/ cgroup
    /sys/kernel/security/ securityfs
    /sys/fs/selinux/ selinuxfs
    /sys/fs/smackfs/ smackfs

    Acked-by: Greg Kroah-Hartman
    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: Greg Kroah-Hartman

    Eric W. Biederman
     
  • commit f9bd6733d3f11e24f3949becf277507d422ee1eb upstream.

    Add a magic sysctl table sysctl_mount_point that when used to
    create a directory forces that directory to be permanently empty.

    Update the code to use make_empty_dir_inode when accessing permanently
    empty directories.

    Update the code to not allow adding to permanently empty directories.

    Update /proc/sys/fs/binfmt_misc to be a permanently empty directory.

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: Greg Kroah-Hartman

    Eric W. Biederman
     

09 Jul, 2015

2 commits

  • …nel/platform-linux-feature-tree into ti-linux-4.1.y

    TI-Feature: platform_base
    TI-Tree: git://git.ti.com/~rrnayak/ti-linux-kernel/platform-linux-feature-tree.git
    TI-Branch: platform-ti-linux-4.1.y

    * 'platform-ti-linux-4.1.y' of git://git.ti.com/~rrnayak/ti-linux-kernel/platform-linux-feature-tree: (61 commits)
    ti_config_fragments/baseport.cfg: Enable AMx3 power features
    ti_config_fragments/baseport.cfg: Fix incorrect comment for Crypto
    ARM: AM43XX: Add CPU idle support
    ARM: AM33XX: Add CPU idle support
    ARM: OMAP2+: pm33xx: Add base cpuidle support
    ARM: OMAP2+: sleep33xx: Make sleep33xx actions configurable
    soc: ti: wkup_m3_ipc: Add cpuidle support
    sched / idle: Export cpu_idle_poll_ctrl
    ARM: dts: am437x-gp-evm: Enable wkup_m3 control of IO isolation
    ARM: dts: am437x-gp-evm: Add state for ddr3 vtt toggle pin
    ARM: dts: am335x-evmsk: add support for VTT Toggle
    wkup_m3_ipc: Add support for IO Isolation
    wkup_m3_ipc: Add support for toggling VTT regulator
    ARM: OMAP2: pm33xx: Print out wakeup source name during resume
    soc: ti: wkup_m3_ipc: Add wkup_m3_request_wake_src
    soc: ti: wkup_m3_ipc: Adapt to irqless mailbox usage
    ARM: OMAP2+: Hookup amx3xx PM code into OMAP builds
    ARM: OMAP2+: pm33xx: Basic suspend to mem and standby support
    ARM: OMAP2+: Introduce low-level suspend code for AM43XX
    ARM: OMAP2+: AM33XX: Add assembly code for PM operations
    ...

    Signed-off-by: Dan Murphy <DMurphy@ti.com>

    Conflicts:
    arch/arm/boot/dts/am437x-gp-evm.dts

    Dan Murphy
     
  • Export cpu_idle_poll_ctrl so that it can be used in modules.

    Signed-off-by: Dave Gerlach

    Dave Gerlach
     

30 Jun, 2015

1 commit

  • commit 2f993cf093643b98477c421fa2b9a98dcc940323 upstream.

    While looking for other users of get_state/cond_sync, I found
    ring_buffer_attach() and it looks obviously buggy?

    Don't we need to ensure that we have "synchronize" _between_
    list_del() and list_add() ?

    IOW. Suppose that ring_buffer_attach() preempts right after
    get_state_synchronize_rcu() and gp completes before spin_lock().

    In this case cond_synchronize_rcu() does nothing and we reuse
    ->rb_entry without waiting for gp in between?

    It also moves the ->rcu_pending check under "if (rb)", to make it
    more readable imo.

    Signed-off-by: Oleg Nesterov
    Signed-off-by: Peter Zijlstra (Intel)
    Cc: Alexander Shishkin
    Cc: Andrew Morton
    Cc: Andy Lutomirski
    Cc: Borislav Petkov
    Cc: Brian Gerst
    Cc: Denys Vlasenko
    Cc: H. Peter Anvin
    Cc: Linus Torvalds
    Cc: Paul E. McKenney
    Cc: Peter Zijlstra
    Cc: Thomas Gleixner
    Cc: dave@stgolabs.net
    Cc: der.herr@hofr.at
    Cc: josh@joshtriplett.org
    Cc: tj@kernel.org
    Fixes: b69cf53640da ("perf: Fix a race between ring_buffer_detach() and ring_buffer_attach()")
    Link: http://lkml.kernel.org/r/20150530200425.GA15748@redhat.com
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

    Oleg Nesterov
     

18 Jun, 2015

1 commit

  • …l/git/rostedt/linux-trace

    Pull tracing filter fix from Steven Rostedt:
    "Vince Weaver reported a warning when he added perf event filters into
    his fuzzer tests. There's a missing check of balanced operations when
    parentheses are used, and this triggers a WARN_ON() and when reading
    the failure, the filter reports no failure occurred.

    The operands were not being checked if they match, this adds that"

    * tag 'trace-fix-filter-4.1-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
    tracing: Have filter check for balanced ops

    Linus Torvalds