Sync up with Linus #57

dabrace · 2015-04-14T17:50:40Z

No description provided.

Fix using the bare number to set the 'bDescriptorType' field of the Hub Descriptor while the value is #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix using the bare numbers to set the 'bDescriptorType' field of the Hub Descriptors while the values are #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix using the bare number to set the 'bDescriptorType' field of the Hub Descriptor while the value is #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix using the bare numbers to set the 'bHubCharacteristics' field of the Hub Descriptor while the values are #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fix using the bare number to set the 'bDescriptorType' field of the Hub Descriptor while the value is #define'd in <linux/usb/ch11.h>. Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Commit 3e45737 ("usb: musb: Fix fifo reads for dm816x with musb_dsps") fixed a USB error on dm816x, but introduced a new build error on i386 when COMPILE_TEST is set: drivers/usb/musb/musb_dsps.c: In function ‘dsps_read_fifo32’: drivers/usb/musb/musb_dsps.c:624:3: error: implicit declaration of function ‘readsl’ [-Werror=implicit-function-declaration] readsl(fifo, dst, len >> 2); Let's fix this by using ioread32_rep() instead of readsl() as that's more portable. Fixes: 3e45737 ("usb: musb: Fix fifo reads for dm816x with musb_dsps") Reported-by: Fengguang Wu <fengguang.wu@intel.com> Cc: Bin Liu <binmlist@gmail.com> Cc: Brian Hutchinson <b.hutchman@gmail.com> Cc: George Cherian <george.cherian@ti.com> Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com> Signed-off-by: Tony Lindgren <tony@atomide.com> Signed-off-by: Felipe Balbi <balbi@ti.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

This reverts commit 6ad6b5e. It added a file that should not be in the kernel source tree. Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Quentin caught a corner case with the generation of instruction padding in the ALTERNATIVE_2 macro: if len(orig_insn) < len(alt1) < len(alt2), then not enough padding gets added and that is not good(tm) as we could overwrite the beginning of the next instruction. Luckily, at the time of this writing, we don't have ALTERNATIVE_2() invocations which have that problem and even if we did, a simple fix would be to prepend the instructions with enough prefixes so that that corner case doesn't happen. However, best it would be if we fixed it properly. See below for a simple, abstracted example of what we're doing. So what we ended up doing is, we compute the max(len(alt1), len(alt2)) - len(orig_insn) and feed that value to the .skip gas directive. The max() cannot have conditionals due to gas limitations, thus the fancy integer math. With this patch, all ALTERNATIVE_2 sites get padded correctly; generating obscure test cases pass too: #define alt_max_short(a, b) ((a) ^ (((a) ^ (b)) & -(-((a) < (b))))) #define gen_skip(orig, alt1, alt2, marker) \ .skip -((alt_max_short(alt1, alt2) - (orig)) > 0) * \ (alt_max_short(alt1, alt2) - (orig)),marker .pushsection .text, "ax" .globl main main: gen_skip(1, 2, 4, 0x09) gen_skip(4, 1, 2, 0x10) ... .popsection Thanks to Quentin for catching it and double-checking the fix! Reported-by: Quentin Casasnovas <quentin.casasnovas@oracle.com> Signed-off-by: Borislav Petkov <bp@suse.de> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/20150404133443.GE21152@pd.tnic Signed-off-by: Ingo Molnar <mingo@kernel.org>

Return a negative error code on failure. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ identifier ret; expression e1,e2; @@ ( if ($ret < 0\|ret != 0$) { ... return ret; } | ret = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Sebastian Reichel <sre@kernel.org>

On chips with newer PWM control, the PWM frequency divider is 256 instead of 128. Since the base PWM frequency remained the same, the actual PWM frequency is half of what it used to be with the older PWM control mechanism. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

ITE chips may have 'E', 'F', or both 'E' and 'F' suffixes. Introduce suffic configuration to the it87_devices structure to simplify adding new chips. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

On some chips, in7 is always an internal voltage sensor. Introduce feature flag to reflect this condition to simplify adding support for new chips. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

IT8790E is a super-IO chip with three fan tachometers. It is mostly compatible to IT8728F, but only supports three fan tachometers instead of five. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

IT8620E is mostly compatible to IT7828F. Add generic support for it. IT8620E supports up to 6 fan tachometers and 6 pwm controls. Support for the 6th tachometer and for the additional pwm controls are addded in separate patches. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

IT8620E supports up to 6 fan tachometers. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

Sparse reports: drivers/staging/lustre/lustre/obdclass/obd_mount.c:1284:6: warning: symbol 'lustre_kill_super' was not declared. Should it be static? Fix this warning by making lustre_kill_super static. It is not used outside this file. Signed-off-by: Tal Shorer <tal.shorer@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Return a negative error code on failure. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ identifier ret; expression e1,e2; @@ ( if ($ret < 0\|ret != 0$) { ... return ret; } | ret = 0 ) ... when != ret = e1 when != &ret *if(...) { ... when != ret = e2 when forall return ret; } // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

…ux/kernel/git/tip/tip Pull x86 vdso changes from Ingo Molnar: "Misc vDSO updates" * 'x86-vdso-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/vdso: Remove x32 intermediates during 'make clean' x86/vdso: Teach 'make clean' to remove generated vdso-image-*.c files x86/vdso32/syscall.S: Do not load __USER32_DS to %ss x86/vdso: Fix the x86 vdso2c tool includes

…/git/geert/linux-m68k Pull m68k updates from Geert Uytterhoeven. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/linux-m68k: m68k/mac: Fix out-of-bounds array index in OSS IRQ source initialization m68k/pci: Remove a superflous KERN_ERR m68k/defconfig: Update defconfigs for v4.0-rc1 m68k/q40: Make NE2000 builtin instead of modular m68k: Remove FSF address

…/git/egtvedt/linux-avr32 Pull avr32 fix from Hans-Christian Egtvedt. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/egtvedt/linux-avr32: avr32: fix integer overflow in ELF_ET_DYN_BASE

…x/kernel/git/groeck/linux-staging Pull hwmon updates from Guenter Roeck: "Support for new chips: - add support for IT8620E, IT8781F, IT8786E, and IT8790E to it87 driver - add driver for NCT7904 Functional improvements: - support for new devicetree structure in ibmpowernv driver - register pwm-fan and gpio-fan drivers as thermal cooling devices - various minor cleanup and improvements to it87, nct6775, jc42, ibmpex, and coretemp drivers" * tag 'hwmon-for-linus-v4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: (43 commits) hwmon: (pwm-fan) Update the duty cycle inorder to control the pwm-fan hwmon: (it87) Use feature macros on sio_data hwmon: (ibmpowernv) Fix build error seen for some configurations hwmon: (gpio-fan) Move the thermal registration after registration is complete hwmon: (ibmpowernv) pretty print labels hwmon: (ibmpowernv) add a label attribute hwmon: (ibmpowernv) add support for the new device tree hwmon: (ibmpowernv) add a helper routine create_hwmon_attr hwmon: (it87) Add support for 6th fan of IT8620E hwmon: (it87) Add support for IT8620E hwmon: (it87) Add support for IT8790E hwmon: (it87) Introduce feature flag to reflect internal in7 sensor hwmon: (it87) Introduce configuration field for chip suffix hwmon: (it87) Fix PWM frequency display for chips with newer PWM control hwmon: (it87) Fix pwm sysfs attribute removal hwmon: (ibmpowernv) do not use the OPAL index for hwmon attribute names hwmon: (ibmpowernv) change create_hwmon_attr_name() prototype hwmon: (ibmpowernv) add a convert_opal_attr_name() routine hwmon: (ibmpowernv) add a get_sensor_type() routine hwmon: (ibmpowernv) replace AMBIENT_TEMP by TEMP ...

…/git/bp/bp Pull EDAC updates from Borislav Petkov: - convert a bunch of drivers to static attribute groups (Takashi Iwai) - misc cleanups * tag 'edac_for_4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp: EDAC: Constify of_device_id array EDAC, i82443bxgx: Don't export static symbol EDAC, amd64_edac: Get rid of per-node driver instances EDAC: Properly unwind on failure path in edac_init() EDAC: highbank: Use static attribute groups for sysfs entries EDAC: octeon: Use static attribute groups for sysfs entries EDAC: mpc85xx: Use static attribute groups for sysfs entries EDAC: i7core: Use static attribute groups for sysfs entries EDAC: i7core: Return proper error codes for kzalloc() errors EDAC: amd64: Use static attribute groups EDAC: Allow to pass driver-specific attribute groups EDAC: Use static attribute groups for managing sysfs entries EDAC: Delete unnecessary checks before pci_dev_put()

Pull MMC updates from Ulf Hansson: "MMC core: - Add support for marking HPI as broken through devicetree - Enable runtime PM management of host devices - Remove the ->enable|disable() callbacks - Restructure code and cleanups - Refreshed some of the MMC sections in MAINTAINERS MMC host: - dw_mmc: HS400 mode support - dw_mmc: Add the cmd11 timer to detect a timeout - dw_mmc: Endian agnostic IO accessors - dw_mmc: Bugfixes - sh_mmcif: Add exclusion between cmd and interrupt - omap_hsmmc: Hibernation support - omap_hsmmc: Rework and simplify cover/card detect - omap_hsmmc: Stop using ->enable|disable() callbacks - atmel-mci: Endian agnostic IO - sunxi: Enable MMC_CAP_SDIO_IRQ - sdhci-st: Add support for the stih407 family silicon - sdhci-st: UHS card support in SDR104 mode - sdhci-st: HS200 mode support - sdhci-esdhc-imx: Use common mmc DT parser - sdhci-of-arasan: Use common mmc DT parser - sdhci-iproc: Add new driver for Broadcom IPROC SDHCI controller - sdhci-tegra: Convert to GPIO descriptors - sdhci-tegra: Optmize write_w path for tegra114 and later - sdhci-sirf: Update tuning procedure - sdhci: Fix card presence logic - sdhci: Cleanups and consolidation" * tag 'mmc-v4.1' of git://git.linaro.org/people/ulf.hansson/mmc: (79 commits) mmc: sdhci-st: Update ST SDHCI binding documentation. mmc: sdhci-st: Update the quirks for this controller. mmc: sdhci-st: Add sdhci_st_set_uhs_signaling function. mmc: sdhci-st: Add st_mmcss_cconfig function to configure mmcss glue registers. mmc: sdhci-st: Add delay management functions for top registers (eMMC). mmc: sdhci-st: Add support for de-asserting reset signal and top regs resource mmc: sdhci-st: Add macros for register offsets and bitfields for mmcss glue regs mmc: sdhci-esdhc-imx: Call mmc_of_parse() mmc: dw_mmc: Add locking around cmd11 timer mmc: dw_mmc: Add a return in an unexpected cmd11 timeout mmc: dw_mmc: Increase cmd11 timeout to 500ms mmc: dw_mmc: fix fifo ordering in big endian mmc: dw_mmc: change idmac descriptor files to __le32 mmc: dw_mmc: make IO accessors endian agnostic mmc: core: Convert the error field in struct mmc_command|data into an int mmc: sdhci-of-arasan: Call OF parsing for MMC mmc: sdhci-pci: fix 64 BIT DMA quirks for rtsx mmc: Add support for marking hpi as broken through devicetree mmc: sdhci-tegra: convert to use GPIO descriptors mmc: omap_hsmmc: use generic slot-gpio isr to manage card detect pin ...

…git/broonie/regmap Pull regmap update from Mark Brown: "Just one patch for regmap this time around, a change from Steven Rostedt to prettify the way we're making the regmap internal header available to the trace events (it turns out that the trace subsystem doesn't actually need to be in trace/events)" * tag 'regmap-v4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap: regmap: Move tracing header into drivers/base/regmap

…/broonie/spi Pull spi updates from Mark Brown: "Only one framework update this time around, a change from Lars-Peter to move full to pm_ops and remove the legacy bus PM ops. Otherwise it's all driver updates: - make the spidev driver complain loudly if registered as spidev with DT rather than with a compatible string, hopefully helping people avoid making that mistake. - error handling and robustness fixes for the Designware and Intel MID drivers from Andy Shevchenko. - substantial performance improvements for the Raspberry Pi driver from Martin Sperl. - several new features for spidev_test from Adrian Remonda and Ian Abbott" * tag 'spi-v4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: (75 commits) spi: bcm2835: enabling polling mode for transfers shorter than 30us spi: bcm2835: transform native-cs to gpio-cs on first spi_setup spi: img-spfi: Control CS lines with GPIO spi: img-spfi: Reset controller after each message spi: img-spfi: Implement a handle_err() callback spi: img-spfi: Setup TRANSACTION register before CONTROL register spi: Make master->handle_err() callback optional to avoid crashes spi: img-spfi: Limit bit clock to 1/4th of input clock spi: img-spfi: Implement a prepare_message() callback spi: fsl-dspi: Add ~50ns delay between cs and sck spi: fsl-dspi: Add cs-sck delays spi: fsl-dspi: Fix clock rate scale values spi: signedness bug in qspi_trigger_transfer_out_int() spi: imx: read back the RX/TX watermark levels earlier spi: spi-bfin5xx: Initialize cr_width in bfin_spi_pump_transfers() spi: bitbang: only toggle bitchanges spi: pxa2xx: missing break in pxa2xx_ssp_get_clk_div() spi: fsl-dspi: Fix clock rate scale values spi: Using Trigger number to transmit/receive data spi: bcm2835: fill FIFO before enabling interrupts to reduce interrupts/message ...

…el/git/broonie/regulator Pull regulator updates from Mark Brown: "Another release, another set of regulator updates. Not much of it is showing up in the code yet but there's been a lot of discussion going on about how to enhance the regulator API to work better with modern SoCs which have a microcontroller sitting between Linux and the hardware. I'm hopeful that'll start to come through into mainline for v4.2 but it's not quite there for v4.1 - what we do have (along with the usual small updates is) is: - work from Bjorn Andersson on refactoring the configuration of regulator loading interfaces to be useful for use with microcontrollers, the existing interfaces were never actually useful for anything as-is since nobody was willing to put enough data into public code. - a summary tree display in debugfs from Heiko Stübner. - support for act6000 regulators" * tag 'regulator-v4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: (34 commits) regulator: max8660: Handle empty regulator data regulator: output current-limit for all regulators in summary regulator: add a summary tree in debugfs regulator: qcom: Tidy up probe() regulator: qcom: Rework to single platform device regulator: qcom: Refactor of-parsing code regulator: qcom: Don't enable DRMS in driver regulator: max8660: fix assignment of pdata to data that becomes dead regulator: Defer lookup of supply to regulator_get mfd: max77693: Remove unused structures regulator: max77693: Let core parse DT and drop board files support regulator: Ensure unique regulator debugfs directory names regulator: stw481x: Remove unused fields from struct stw481x regulator: palmas: Add has_regen3 check for TPS659038 regulator: constify of_device_id array regulator: fixes for regulator_set_optimum_mode name change regulator: Drop temporary regulator_set_optimum_mode wrapper usb: phy: phy-msm-usb: Rename regulator_set_optimum_mode usb: phy: ab8500-usb: Rename regulator_set_optimum_mode ufs: Rename of regulator_set_optimum_mode ...

Pull power supply and reset changes from Sebastian Reichel: - new API for safe access of power supply function attrs - devres support for power supply (un)registration - new drivers / chips: - generic syscon based poweroff driver - iio & charger driver for da9150 - fuel gauge driver for axp288 - bq27x00: add support for bq27510 - bq2415x: add support for bq24157s - twl4030-madc-battery: convert to iio consumer - misc fixes * tag 'for-v4.1' of git://git.infradead.org/battery-2.6: (66 commits) power: twl4030_madc_battery: Add missing MODULE_ALIAS power: twl4030-madc-battery: Convert to iio consumer. dt: power: Add docs for generic SYSCON poweroff driver. power: reset: Add generic SYSCON register mapped poweroff. power: max17042_battery: add missed blank power: max17042_battery: Use reg type instead of chip type power/reset: at91: big endian fixes for atsama5d3x power_supply: charger-manager: Fix dereferencing of ERR_PTR HID: input: Fix NULL pointer dereference when power_supply_register fails power: constify of_device_id array power/reset/rmobile-reset.c: Fix !HAS_IOMEM build power_supply: 88pm860x_charger: Fix possible NULL pointer dereference and use of initialized variable arm: mach-pxa: Decrement the power supply's device reference counter mfd: ab8500: Decrement the power supply's device reference counter power_supply: bq2415x_charger: Decrement the power supply's device reference counter power_supply: 88pm860x_charger: Decrement the power supply's device reference counter x86/olpc/xo15/sci: Use newly added power_supply_put API x86/olpc/xo1/sci: Use newly added power_supply_put API power_supply: charger-manager: Decrement the power supply's device reference counter power_supply: Increment power supply use counter when obtaining references ...

…git/sre/linux-hsi Pull HSI changes from Sebastian Reichel: - nokia-modem: support speech data - misc fixes * tag 'hsi-for-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/sre/linux-hsi: HSI: cmt_speech: fix error return code HSI: nokia-modem: Add cmt-speech support HSI: cmt_speech: Add cmt-speech driver HSI: nokia-modem: fix error return code

…rnel/git/helgaas/pci Pull PCI changes from Bjorn Helgaas: "Enumeration - Read capability list as dwords, not bytes (Sean O. Stalley) Resource management - Don't check for PNP overlaps with unassigned PCI BARs (Bjorn Helgaas) - Mark invalid BARs as unassigned (Bjorn Helgaas) - Show driver, BAR#, and resource on pci_ioremap_bar() failure (Bjorn Helgaas) - Fail pci_ioremap_bar() on unassigned resources (Bjorn Helgaas) - Assign resources before drivers claim devices (Yijing Wang) - Claim bus resources before pci_bus_add_devices() (Yijing Wang) Power management - Optimize device state transition delays (Aaron Lu) - Don't clear ASPM bits when the FADT declares it's unsupported (Matthew Garrett) Virtualization - Add ACS quirks for Intel 1G NICs (Alex Williamson) IOMMU - Add ptr to OF node arg to of_iommu_configure() (Murali Karicheri) - Move of_dma_configure() to device.c to help re-use (Murali Karicheri) - Fix size when dma-range is not used (Murali Karicheri) - Add helper functions pci_get[put]_host_bridge_device() (Murali Karicheri) - Add of_pci_dma_configure() to update DMA configuration (Murali Karicheri) - Update DMA configuration from DT (Murali Karicheri) - dma-mapping: limit IOMMU mapping size (Murali Karicheri) - Calculate device DMA masks based on DT dma-range size (Murali Karicheri) ARM Versatile host bridge driver - Check for devm_ioremap_resource() failures (Jisheng Zhang) Broadcom iProc host bridge driver - Add Broadcom iProc PCIe driver (Ray Jui) Marvell MVEBU host bridge driver - Add suspend/resume support (Thomas Petazzoni) Renesas R-Car host bridge driver - Fix position of MSI enable bit (Nobuhiro Iwamatsu) - Write zeroes to reserved PCIEPARL bits (Nobuhiro Iwamatsu) - Change PCIEPARL and PCIEPARH to PCIEPALR and PCIEPAUR (Nobuhiro Iwamatsu) - Verify that mem_res is 64K-aligned (Nobuhiro Iwamatsu) Samsung Exynos host bridge driver - Fix INTx enablement statement termination error (Jaehoon Chung) Miscellaneous - Make a shareable UUID for PCI firmware ACPI _DSM (Aaron Lu) - Clarify policy for vendor IDs in pci.txt (Michael S. Tsirkin)" * tag 'pci-v4.1-changes' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: (36 commits) PCI: Read capability list as dwords, not bytes PCI: layerscape: Simplify platform_get_resource_byname() failure checking PCI: keystone: Don't dereference possible NULL pointer PCI: versatile: Check for devm_ioremap_resource() failures PCI: Don't clear ASPM bits when the FADT declares it's unsupported PCI: Clarify policy for vendor IDs in pci.txt PCI/ACPI: Optimize device state transition delays PCI: Export pci_find_host_bridge() for use inside PCI core PCI: Make a shareable UUID for PCI firmware ACPI _DSM PCI: Fix typo in Thunderbolt kernel message PCI: exynos: Fix INTx enablement statement termination error PCI: iproc: Add Broadcom iProc PCIe support PCI: iproc: Add DT docs for Broadcom iProc PCIe driver PCI: Export symbols required for loadable host driver modules PCI: Add ACS quirks for Intel 1G NICs PCI: mvebu: Add suspend/resume support PCI: Cleanup control flow sparc/PCI: Claim bus resources before pci_bus_add_devices() PCI: Assign resources before drivers claim devices (pci_scan_root_bus()) PCI: Fail pci_ioremap_bar() on unassigned resources ...

…ux/kernel/git/tip/tip Pull irq core updates from Thomas Gleixner: "Managerial summary: Core code: - final removal of IRQF_DISABLED - new state save/restore functions for virtualization support - wakeup support for stacked irqdomains - new function to solve the netpoll synchronization problem irqchips: - new driver for STi based devices - new driver for Vybrid MSCM - massive cleanup of the GIC driver by moving the GIC-addons to stacked irqdomains - the usual pile of fixes and updates to the various chip drivers" * 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (44 commits) irqchip: GICv3: Add support for irq_[get, set]_irqchip_state() irqchip: GIC: Add support for irq_[get, set]_irqchip_state() genirq: Allow the irqchip state of an IRQ to be save/restored genirq: MSI: Fix freeing of unallocated MSI irqchip: renesas-irqc: Add wake-up support irqchip: armada-370-xp: Allow using wakeup source irqchip: mips-gic: Add new functions to start/stop the GIC counter irqchip: tegra: Add Tegra210 support irqchip: digicolor: Move digicolor_set_gc to init section irqchip: renesas-irqc: Add functional clock to bindings irqchip: renesas-irqc: Add minimal runtime PM support irqchip: renesas-irqc: Add more register documentation DT: exynos: update PMU binding ARM: exynos4/5: convert pmu wakeup to stacked domains irqchip: gic: Don't complain in gic_get_cpumask() if UP system ARM: zynq: switch from gic_arch_extn to gic_set_irqchip_flags ARM: ux500: switch from gic_arch_extn to gic_set_irqchip_flags ARM: shmobile: remove use of gic_arch_extn.irq_set_wake irqchip: gic: Add an entry point to set up irqchip flags ARM: omap: convert wakeupgen to stacked domains ...

…it/tj/wq Pull workqueue updates from Tejun Heo: "Workqueue now prints debug information at the end of sysrq-t which should be helpful when tracking down suspected workqueue stalls. It only prints out the ones with something currently going on so it shouldn't add much output in most cases" * 'for-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue: Reorder sysfs code percpu: Fix trivial typos in comments workqueue: dump workqueues on sysrq-t workqueue: keep track of the flushing task and pool manager workqueue: make the workqueues list RCU walkable

…it/tj/libata Pull libata updates from Tejun Heo: - Hannes's patchset implements support for better error reporting introduced by the new ATA command spec. - the deperecated pci_ dma API usages have been replaced by dma_ ones. - a bunch of hardware specific updates and some cleanups. * 'for-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata: ata: remove deprecated use of pci api ahci: st: st_configure_oob must be called after IP is clocked. ahci: st: Update the ahci_st DT documentation ahci: st: Update the DT example for how to obtain the PHY. sata_dwc_460ex: indent an if statement libata: Add tracepoints libata-eh: Set 'information' field for autosense libata: Implement support for sense data reporting libata: Implement NCQ autosense libata: use status bit definitions in ata_dump_status() ide,ata: Rename ATA_IDX to ATA_SENSE libata: whitespace fixes in ata_to_sense_error() libata: whitespace cleanup in ata_get_cmd_descript() libata: use READ_LOG_DMA_EXT libata: remove ATA_FLAG_LOWTAG sata_dwc_460ex: re-use hsdev->dev instead of dwc_dev sata_dwc_460ex: move to generic DMA driver sata_dwc_460ex: join messages back sata: xgene: add ACPI support for APM X-Gene SATA ports ata: sata_mv: add proper definitions for LP_PHY_CTL register values

…it/tj/cgroup Pull cgroup updates from Tejun Heo: "Nothing too interesting. Rik made cpuset cooperate better with isolcpus and there are several other cleanup patches" * 'for-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: cpuset, isolcpus: document relationship between cpusets & isolcpus cpusets, isolcpus: exclude isolcpus from load balancing in cpusets sched, isolcpu: make cpu_isolated_map visible outside scheduler cpuset: initialize cpuset a bit early cgroup: Use kvfree in pidlist_free() cgroup: call cgroup_subsys->bind on cgroup subsys initialization

…git/gregkh/usb Pull USB driver updates from Greg KH: "Here's the big USB (and PHY) driver patchset for 4.1-rc1. Everything here has been in linux-next, and the full details are below in the shortlog. Nothing major, just the normal round of new drivers,api updates, and other changes, mostly in the USB gadget area, as usual" * tag 'usb-4.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (252 commits) drivers/usb/core: devio.c: Removed an uneeded space before tab usb: dwc2: host: sleep USB_RESUME_TIMEOUT during resume usb: chipidea: debug: add low power mode check before print registers usb: chipidea: udc: bypass pullup DP when gadget connect in OTG fsm mode usb: core: hub: use new USB_RESUME_TIMEOUT usb: isp1760: hcd: use new USB_RESUME_TIMEOUT usb: dwc2: hcd: use new USB_RESUME_TIMEOUT usb: host: sl811: use new USB_RESUME_TIMEOUT usb: host: r8a66597: use new USB_RESUME_TIMEOUT usb: host: oxu210hp: use new USB_RESUME_TIMEOUT usb: host: fusbh200: use new USB_RESUME_TIMEOUT usb: host: fotg210: use new USB_RESUME_TIMEOUT usb: host: isp116x: use new USB_RESUME_TIMEOUT usb: musb: use new USB_RESUME_TIMEOUT usb: host: uhci: use new USB_RESUME_TIMEOUT usb: host: ehci: use new USB_RESUME_TIMEOUT usb: host: xhci: use new USB_RESUME_TIMEOUT usb: define a generic USB_RESUME_TIMEOUT macro usb: musb: dsps: fix build on i386 when COMPILE_TEST is set ehci-hub: use USB_DT_HUB ...

…/kernel/git/gregkh/driver-core Pull driver core updates from Greg KH: "Here's the driver-core / kobject / lz4 tree update for 4.1-rc1. Everything here has been in linux-next for a while with no reported issues. It's mostly just coding style cleanups, with other minor changes in here as well, nothing big" * tag 'driver-core-4.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: (32 commits) debugfs: allow bad parent pointers to be passed in stable_kernel_rules: Add clause about specification of kernel versions to patch. kobject: WARN as tip when call kobject_get() to a kobject not initialized lib/lz4: Pull out constant tables drivers: platform: parse IRQ flags from resources driver core: Make probe deferral more quiet drivers/core/of: Add symlink to device-tree from devices with an OF node device: Add dev_of_node() accessor drivers: base: fw: fix ret value when loading fw firmware: Avoid manual device_create_file() calls drivers/base: cacheinfo: validate device node for all the caches drivers/base: use tabs where possible in code indentation driver core: add missing blank line after declaration drivers: base: node: Delete space after pointer declaration drivers: base: memory: Use tabs instead of spaces firmware_class: Fix whitespace and indentation drivers: base: dma-mapping: Erase blank space after pointer drivers: base: class: Add a blank line after declarations attribute_container: fix missing blank lines after declarations drivers: base: memory: Fix switch indent ...

…nel/git/gregkh/staging Pull staging driver updates from Greg KH: "Here's the big staging driver patchset for 4.1-rc1. There's a lot of patches here, the Outreachy application period happened during this development cycle, so that means that there was a lot of cleanup patches accepted. Other than the normal coding style and sparse fixes here, there are some driver updates and work toward making some of the drivers into "mergable" shape (like the Unisys drivers.) All of these have been in linux-next for a while" * tag 'staging-4.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: (1214 commits) staging: lustre: orthography & coding style staging: lustre: lnet: lnet: fix error return code staging: lustre: fix sparse warning Revert "Staging: sm750fb: Fix C99 Comments" Staging: rtl8192u: use correct array for debug output staging: rtl8192e: Remove dead code staging: rtl8192e: Comment cleanup (style/format) staging: rtl8192e: Fix indentation in rtllib_rx_auth_resp() staging: rtl8192e: Decrease nesting of rtllib_rx_auth_resp() staging: rtl8192e: Divide rtllib_rx_auth() staging: rtl8192e: Fix PRINTK_WITHOUT_KERN_LEVEL warnings staging: rtl8192e: Fix DO_WHILE_MACRO_WITH_TRAILING_SEMICOLON warning staging: rtl8192e: Fix BRACES warning staging: rtl8192e: Fix LINE_CONTINUATIONS warning staging: rtl8192e: Fix UNNECESSARY_PARENTHESES warnings staging: rtl8192e: remove unused EXPORT_SYMBOL_RSL macro staging: rtl8192e: Fix RETURN_VOID warnings staging: rtl8192e: Fix UNNECESSARY_ELSE warning staging: rtl8723au: Remove unneeded comments staging: rtl8723au: Use __func__ in trace logs ...

Commit 297d716 ("power_supply: Change ownership from driver to core") inverted the logic in battery_notify(). As an effect already present battery was re-added on each system suspend or hibernation. WARNING: CPU: 0 PID: 303 at ../fs/sysfs/dir.c:31 sysfs_warn_dup+0x68/0x80() sysfs: cannot create duplicate filename '/devices/LNXSYSTM:00/LNXSYBUS:00/PNP0A03:00/PNP0C0A:00/power_supply/BAT0' CPU: 0 PID: 303 Comm: rtcwake Not tainted 4.0.0-ARCH-02621-g07e6253af953 #48 Call Trace: sysfs_create_dir_ns+0x8d/0xa0 kobject_add_internal+0xb6/0x370 kobject_add+0x6f/0xd0 device_add+0x120/0x6c0 __power_supply_register+0x145/0x290 power_supply_register_no_ws+0x10/0x20 sysfs_add_battery+0x84/0xc5 [battery] battery_notify+0x45/0x6b [battery] notifier_call_chain+0x4f/0x80 __blocking_notifier_call_chain+0x4b/0x70 blocking_notifier_call_chain+0x16/0x20 pm_notifier_call_chain+0x1a/0x40 pm_suspend+0x3ed/0x4e0 Signed-off-by: Krzysztof Kozlowski <k.kozlowski.k@gmail.com> Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Reviewed-By: Sebastian Reichel <sre@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Sync up with Linus

The perf core implicitly rejects events spanning multiple HW PMUs, as in these cases the event->ctx will differ. However this validation is performed after pmu::event_init() is called in perf_init_event(), and thus pmu::event_init() may be called with a group leader from a different HW PMU. The ARM PMU driver does not take this fact into account, and when validating groups assumes that it can call to_arm_pmu(event->pmu) for any HW event. When the event in question is from another HW PMU this is wrong, and results in dereferencing garbage. This patch updates the ARM PMU driver to first test for and reject events from other PMUs, moving the to_arm_pmu and related logic after this test. Fixes a crash triggered by perf_fuzzer on Linux-4.0-rc2, with a CCI PMU present: --- CPU: 0 PID: 1527 Comm: perf_fuzzer Not tainted 4.0.0-rc2 #57 Hardware name: ARM-Versatile Express task: bd8484c0 ti: be676000 task.ti: be676000 PC is at 0xbf1bbc90 LR is at validate_event+0x34/0x5c pc : [<bf1bbc90>] lr : [<80016060>] psr: 00000013 ... [<80016060>] (validate_event) from [<80016198>] (validate_group+0x28/0x90) [<80016198>] (validate_group) from [<80016398>] (armpmu_event_init+0x150/0x218) [<80016398>] (armpmu_event_init) from [<800882e4>] (perf_try_init_event+0x30/0x48) [<800882e4>] (perf_try_init_event) from [<8008f544>] (perf_init_event+0x5c/0xf4) [<8008f544>] (perf_init_event) from [<8008f8a8>] (perf_event_alloc+0x2cc/0x35c) [<8008f8a8>] (perf_event_alloc) from [<8009015c>] (SyS_perf_event_open+0x498/0xa70) [<8009015c>] (SyS_perf_event_open) from [<8000e420>] (ret_fast_syscall+0x0/0x34) Code: bf1be000 bf1bb380 802a2664 00000000 (00000002) ---[ end trace 01aff0ff00926a0a ]--- Also cleans up the code to use the arm_pmu only when we know that we are dealing with an arm pmu event. Cc: Will Deacon <will.deacon@arm.com> Acked-by: Mark Rutland <mark.rutland@arm.com> Acked-by: Peter Ziljstra (Intel) <peterz@infradead.org> Signed-off-by: Suzuki K. Poulose <suzuki.poulose@arm.com> Signed-off-by: Will Deacon <will.deacon@arm.com>

Draining the transfers in terminate_all callback happens with IRQs disabled, therefore induces huge latency: irqsoff latency trace v1.1.5 on 4.11.0 -------------------------------------------------------------------- latency: 39770 us, #57/57, CPU#0 | (M:preempt VP:0, KP:0, SP:0 HP:0) ----------------- | task: process-129 (uid:0 nice:0 policy:2 rt_prio:50) ----------------- => started at: _snd_pcm_stream_lock_irqsave => ended at: snd_pcm_stream_unlock_irqrestore _------=> CPU# / _-----=> irqs-off | / _----=> need-resched || / _---=> hardirq/softirq ||| / _--=> preempt-depth |||| / delay cmd pid ||||| time | caller \ / ||||| \ | / process-129 0d.s. 3us : _snd_pcm_stream_lock_irqsave process-129 0d.s1 9us : snd_pcm_stream_lock <-_snd_pcm_stream_lock_irqsave process-129 0d.s1 15us : preempt_count_add <-snd_pcm_stream_lock process-129 0d.s2 22us : preempt_count_add <-snd_pcm_stream_lock process-129 0d.s3 32us : snd_pcm_update_hw_ptr0 <-snd_pcm_period_elapsed process-129 0d.s3 41us : soc_pcm_pointer <-snd_pcm_update_hw_ptr0 process-129 0d.s3 50us : dmaengine_pcm_pointer <-soc_pcm_pointer process-129 0d.s3 58us+: snd_dmaengine_pcm_pointer_no_residue <-dmaengine_pcm_pointer process-129 0d.s3 96us : update_audio_tstamp <-snd_pcm_update_hw_ptr0 process-129 0d.s3 103us : snd_pcm_update_state <-snd_pcm_update_hw_ptr0 process-129 0d.s3 112us : xrun <-snd_pcm_update_state process-129 0d.s3 119us : snd_pcm_stop <-xrun process-129 0d.s3 126us : snd_pcm_action <-snd_pcm_stop process-129 0d.s3 134us : snd_pcm_action_single <-snd_pcm_action process-129 0d.s3 141us : snd_pcm_pre_stop <-snd_pcm_action_single process-129 0d.s3 150us : snd_pcm_do_stop <-snd_pcm_action_single process-129 0d.s3 157us : soc_pcm_trigger <-snd_pcm_do_stop process-129 0d.s3 166us : snd_dmaengine_pcm_trigger <-soc_pcm_trigger process-129 0d.s3 175us : ep93xx_dma_terminate_all <-snd_dmaengine_pcm_trigger process-129 0d.s3 182us : preempt_count_add <-ep93xx_dma_terminate_all process-129 0d.s4 189us*: m2p_hw_shutdown <-ep93xx_dma_terminate_all process-129 0d.s4 39472us : m2p_hw_setup <-ep93xx_dma_terminate_all ... rest skipped... process-129 0d.s. 40080us : <stack trace> => ep93xx_dma_tasklet => tasklet_action => __do_softirq => irq_exit => __handle_domain_irq => vic_handle_irq => __irq_usr => 0xb66c6668 Just abort the transfers and warn if the HW state is not what we expect. Move draining into device_synchronize callback. Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Vinod Koul <vinod.koul@intel.com>

If sch_hhf fails in its ->init() function (either due to wrong user-space arguments as below or memory alloc failure of hh_flows) it will do a null pointer deref of q->hh_flows in its ->destroy() function. To reproduce the crash: $ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000 Crash log: [ 690.654882] BUG: unable to handle kernel NULL pointer dereference at (null) [ 690.655565] IP: hhf_destroy+0x48/0xbc [ 690.655944] PGD 37345067 [ 690.655948] P4D 37345067 [ 690.656252] PUD 58402067 [ 690.656554] PMD 0 [ 690.656857] [ 690.657362] Oops: 0000 [#1] SMP [ 690.657696] Modules linked in: [ 690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57 [ 690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 690.659255] task: ffff880058578000 task.stack: ffff88005acbc000 [ 690.659747] RIP: 0010:hhf_destroy+0x48/0xbc [ 690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246 [ 690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000 [ 690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0 [ 690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000 [ 690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea [ 690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000 [ 690.663769] FS: 00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000 [ 690.667069] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0 [ 690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 690.671003] Call Trace: [ 690.671743] qdisc_create+0x377/0x3fd [ 690.672534] tc_modify_qdisc+0x4d2/0x4fd [ 690.673324] rtnetlink_rcv_msg+0x188/0x197 [ 690.674204] ? rcu_read_unlock+0x3e/0x5f [ 690.675091] ? rtnl_newlink+0x729/0x729 [ 690.675877] netlink_rcv_skb+0x6c/0xce [ 690.676648] rtnetlink_rcv+0x23/0x2a [ 690.677405] netlink_unicast+0x103/0x181 [ 690.678179] netlink_sendmsg+0x326/0x337 [ 690.678958] sock_sendmsg_nosec+0x14/0x3f [ 690.679743] sock_sendmsg+0x29/0x2e [ 690.680506] ___sys_sendmsg+0x209/0x28b [ 690.681283] ? __handle_mm_fault+0xc7d/0xdb1 [ 690.681915] ? check_chain_key+0xb0/0xfd [ 690.682449] __sys_sendmsg+0x45/0x63 [ 690.682954] ? __sys_sendmsg+0x45/0x63 [ 690.683471] SyS_sendmsg+0x19/0x1b [ 690.683974] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 690.684516] RIP: 0033:0x7f8ae529d690 [ 690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690 [ 690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003 [ 690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000 [ 690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002 [ 690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000 [ 690.688475] ? trace_hardirqs_off_caller+0xa7/0xcf [ 690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83 c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02 00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1 [ 690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0 [ 690.690636] CR2: 0000000000000000 Fixes: 87b60cf ("net_sched: fix error recovery at qdisc creation") Fixes: 10239ed ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc") Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>

syzbot reported a splat: xfrm_policy_inexact_list_reinsert+0x625/0x6e0 net/xfrm/xfrm_policy.c:877 CPU: 1 PID: 6756 Comm: syz-executor.1 Not tainted 5.3.0-rc2+ #57 Call Trace: xfrm_policy_inexact_node_reinsert net/xfrm/xfrm_policy.c:922 [inline] xfrm_policy_inexact_node_merge net/xfrm/xfrm_policy.c:958 [inline] xfrm_policy_inexact_insert_node+0x537/0xb50 net/xfrm/xfrm_policy.c:1023 xfrm_policy_inexact_alloc_chain+0x62b/0xbd0 net/xfrm/xfrm_policy.c:1139 xfrm_policy_inexact_insert+0xe8/0x1540 net/xfrm/xfrm_policy.c:1182 xfrm_policy_insert+0xdf/0xce0 net/xfrm/xfrm_policy.c:1574 xfrm_add_policy+0x4cf/0x9b0 net/xfrm/xfrm_user.c:1670 xfrm_user_rcv_msg+0x46b/0x720 net/xfrm/xfrm_user.c:2676 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2477 xfrm_netlink_rcv+0x74/0x90 net/xfrm/xfrm_user.c:2684 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x809/0x9a0 net/netlink/af_netlink.c:1328 netlink_sendmsg+0xa70/0xd30 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg net/socket.c:657 [inline] There is no reproducer, however, the warning can be reproduced by adding rules with ever smaller prefixes. The sanity check ("does the policy match the node") uses the prefix value of the node before its updated to the smaller value. To fix this, update the prefix earlier. The bug has no impact on tree correctness, this is only to prevent a false warning. Reported-by: syzbot+8cc27ace5f6972910b31@syzkaller.appspotmail.com Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

Hangbin Liu says: ==================== fix dev null pointer dereference when send packets larger than mtu in collect_md mode When we send a packet larger than PMTU, we need to reply with icmp_send(ICMP_FRAG_NEEDED) or icmpv6_send(ICMPV6_PKT_TOOBIG). But with collect_md mode, kernel will crash while accessing the dst dev as __metadata_dst_init() init dst->dev to NULL by default. Here is what the code path looks like, for GRE: - ip6gre_tunnel_xmit - ip6gre_xmit_ipv4 - __gre6_xmit - ip6_tnl_xmit - if skb->len - t->tun_hlen - eth_hlen > mtu; return -EMSGSIZE - icmp_send - net = dev_net(rt->dst.dev); <-- here - ip6gre_xmit_ipv6 - __gre6_xmit - ip6_tnl_xmit - if skb->len - t->tun_hlen - eth_hlen > mtu; return -EMSGSIZE - icmpv6_send ... - decode_session4 - oif = skb_dst(skb)->dev->ifindex; <-- here - decode_session6 - oif = skb_dst(skb)->dev->ifindex; <-- here We could not fix it in __metadata_dst_init() as there is no dev supplied. Look in to the __icmp_send()/decode_session{4,6} code we could find the dst dev is actually not needed. In __icmp_send(), we could get the net by skb->dev. For decode_session{4,6}, as it was called by xfrm_decode_session_reverse() in this scenario, the oif is not used by fl4->flowi4_oif = reverse ? skb->skb_iif : oif; The reproducer is easy: ovs-vsctl add-br br0 ip link set br0 up ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=$dst_addr ip link set gre0 up ip addr add ${local_gre6}/64 dev br0 ping6 $remote_gre6 -s 1500 The kernel will crash like [40595.821651] BUG: kernel NULL pointer dereference, address: 0000000000000108 [40595.822411] #PF: supervisor read access in kernel mode [40595.822949] #PF: error_code(0x0000) - not-present page [40595.823492] PGD 0 P4D 0 [40595.823767] Oops: 0000 [#1] SMP PTI [40595.824139] CPU: 0 PID: 2831 Comm: handler12 Not tainted 5.2.0 #57 [40595.824788] Hardware name: Red Hat KVM, BIOS 1.11.1-3.module+el8.1.0+2983+b2ae9c0a 04/01/2014 [40595.825680] RIP: 0010:__xfrm_decode_session+0x6b/0x930 [40595.826219] Code: b7 c0 00 00 00 b8 06 00 00 00 66 85 d2 0f b7 ca 48 0f 45 c1 44 0f b6 2c 06 48 8b 47 58 48 83 e0 fe 0f 84 f4 04 00 00 48 8b 00 <44> 8b 80 08 01 00 00 41 f6 c4 01 4c 89 e7 ba 58 00 00 00 0f 85 47 [40595.828155] RSP: 0018:ffffc90000a73438 EFLAGS: 00010286 [40595.828705] RAX: 0000000000000000 RBX: ffff8881329d7100 RCX: 0000000000000000 [40595.829450] RDX: 0000000000000000 RSI: ffff8881339e70ce RDI: ffff8881329d7100 [40595.830191] RBP: ffffc90000a73470 R08: 0000000000000000 R09: 000000000000000a [40595.830936] R10: 0000000000000000 R11: 0000000000000000 R12: ffffc90000a73490 [40595.831682] R13: 000000000000002c R14: ffff888132ff1301 R15: ffff8881329d7100 [40595.832427] FS: 00007f5bfcfd6700(0000) GS:ffff88813ba00000(0000) knlGS:0000000000000000 [40595.833266] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [40595.833883] CR2: 0000000000000108 CR3: 000000013a368000 CR4: 00000000000006f0 [40595.834633] Call Trace: [40595.835392] ? rt6_multipath_hash+0x4c/0x390 [40595.835853] icmpv6_route_lookup+0xcb/0x1d0 [40595.836296] ? icmpv6_xrlim_allow+0x3e/0x140 [40595.836751] icmp6_send+0x537/0x840 [40595.837125] icmpv6_send+0x20/0x30 [40595.837494] tnl_update_pmtu.isra.27+0x19d/0x2a0 [ip_tunnel] [40595.838088] ip_md_tunnel_xmit+0x1b6/0x510 [ip_tunnel] [40595.838633] gre_tap_xmit+0x10c/0x160 [ip_gre] [40595.839103] dev_hard_start_xmit+0x93/0x200 [40595.839551] sch_direct_xmit+0x101/0x2d0 [40595.839967] __dev_queue_xmit+0x69f/0x9c0 [40595.840399] do_execute_actions+0x1717/0x1910 [openvswitch] [40595.840987] ? validate_set.isra.12+0x2f5/0x3d0 [openvswitch] [40595.841596] ? reserve_sfa_size+0x31/0x130 [openvswitch] [40595.842154] ? __ovs_nla_copy_actions+0x1b4/0xad0 [openvswitch] [40595.842778] ? __kmalloc_reserve.isra.50+0x2e/0x80 [40595.843285] ? should_failslab+0xa/0x20 [40595.843696] ? __kmalloc+0x188/0x220 [40595.844078] ? __alloc_skb+0x97/0x270 [40595.844472] ovs_execute_actions+0x47/0x120 [openvswitch] [40595.845041] ovs_packet_cmd_execute+0x27d/0x2b0 [openvswitch] [40595.845648] genl_family_rcv_msg+0x3a8/0x430 [40595.846101] genl_rcv_msg+0x47/0x90 [40595.846476] ? __alloc_skb+0x83/0x270 [40595.846866] ? genl_family_rcv_msg+0x430/0x430 [40595.847335] netlink_rcv_skb+0xcb/0x100 [40595.847777] genl_rcv+0x24/0x40 [40595.848113] netlink_unicast+0x17f/0x230 [40595.848535] netlink_sendmsg+0x2ed/0x3e0 [40595.848951] sock_sendmsg+0x4f/0x60 [40595.849323] ___sys_sendmsg+0x2bd/0x2e0 [40595.849733] ? sock_poll+0x6f/0xb0 [40595.850098] ? ep_scan_ready_list.isra.14+0x20b/0x240 [40595.850634] ? _cond_resched+0x15/0x30 [40595.851032] ? ep_poll+0x11b/0x440 [40595.851401] ? _copy_to_user+0x22/0x30 [40595.851799] __sys_sendmsg+0x58/0xa0 [40595.852180] do_syscall_64+0x5b/0x190 [40595.852574] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [40595.853105] RIP: 0033:0x7f5c00038c7d [40595.853489] Code: c7 20 00 00 75 10 b8 2e 00 00 00 0f 05 48 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8 8e f7 ff ff 48 89 04 24 b8 2e 00 00 00 0f 05 <48> 8b 3c 24 48 89 c2 e8 d7 f7 ff ff 48 89 d0 48 83 c4 08 48 3d 01 [40595.855443] RSP: 002b:00007f5bfcf73c00 EFLAGS: 00003293 ORIG_RAX: 000000000000002e [40595.856244] RAX: ffffffffffffffda RBX: 00007f5bfcf74a60 RCX: 00007f5c00038c7d [40595.856990] RDX: 0000000000000000 RSI: 00007f5bfcf73c60 RDI: 0000000000000015 [40595.857736] RBP: 0000000000000004 R08: 0000000000000b7c R09: 0000000000000110 [40595.858613] R10: 0001000800050004 R11: 0000000000003293 R12: 000055c2d8329da0 [40595.859401] R13: 00007f5bfcf74120 R14: 0000000000000347 R15: 00007f5bfcf73c60 [40595.860185] Modules linked in: ip_gre ip_tunnel gre openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 sunrpc bochs_drm ttm drm_kms_helper drm pcspkr joydev i2c_piix4 qemu_fw_cfg xfs libcrc32c virtio_net net_failover serio_raw failover ata_generic virtio_blk pata_acpi floppy [40595.863155] CR2: 0000000000000108 [40595.863551] ---[ end trace 22209bbcacb4addd ]--- v4: Julian Anastasov remind skb->dev also could be NULL in icmp_send. We'd better still use dst.dev and do a check to avoid crash. v3: only replace pkg to packets in cover letter. So I didn't update the version info in the follow up patches. v2: fix it in __icmp_send() and decode_session{4,6} separately instead of updating shared dst dev in {ip_md, ip6}_tunnel_xmit. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>

This patch implements CONFIG_DEBUG_VIRTUAL to do additional checks on virt_to_phys and __pa_symbol calls. virt_to_phys used for linear mapping check, and __pa_symbol used for kernel symbol check. In current RISC-V, kernel image maps to linear mapping area. If CONFIG_DEBUG_VIRTUAL is disable, these two functions calculate the offset on the address feded directly without any checks. The result of test_debug_virtual as follows: [ 0.358456] ------------[ cut here ]------------ [ 0.358738] virt_to_phys used for non-linear address: (____ptrval____) (0xffffffd000000000) [ 0.359174] WARNING: CPU: 0 PID: 1 at arch/riscv/mm/physaddr.c:16 __virt_to_phys+0x3c/0x50 [ 0.359409] Modules linked in: [ 0.359630] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.5.0-rc3-00002-g5133c5c0ca13 #57 [ 0.359861] epc: ffffffe000253d1a ra : ffffffe000253d1a sp : ffffffe03aa87da0 [ 0.360019] gp : ffffffe000ae03b0 tp : ffffffe03aa88000 t0 : ffffffe000af2660 [ 0.360175] t1 : 0000000000000064 t2 : 00000000000000b7 s0 : ffffffe03aa87dc0 [ 0.360330] s1 : ffffffd000000000 a0 : 000000000000004f a1 : 0000000000000000 [ 0.360492] a2 : 0000000000000000 a3 : 0000000000000000 a4 : ffffffe000a84358 [ 0.360672] a5 : 0000000000000000 a6 : 0000000000000000 a7 : 0000000000000000 [ 0.360876] s2 : ffffffe000ae0600 s3 : ffffffe00000fc7c s4 : ffffffe0000224b0 [ 0.361067] s5 : ffffffe000030890 s6 : ffffffe000022470 s7 : 0000000000000008 [ 0.361267] s8 : ffffffe0000002c4 s9 : ffffffe000ae0640 s10: ffffffe000ae0630 [ 0.361453] s11: 0000000000000000 t3 : 0000000000000000 t4 : 000000000001e6d0 [ 0.361636] t5 : ffffffe000ae0a18 t6 : ffffffe000aee54e [ 0.361806] status: 0000000000000120 badaddr: 0000000000000000 cause: 0000000000000003 [ 0.362056] ---[ end trace aec0bf78d4978122 ]--- [ 0.362404] PA: 0xfffffff080200000 for VA: 0xffffffd000000000 [ 0.362607] PA: 0x00000000baddd2d0 for VA: 0xffffffe03abdd2d0 Signed-off-by: Zong Li <zong.li@sifive.com> Reviewed-by: Paul Walmsley <paul.walmsley@sifive.com> Tested-by: Paul Walmsley <paul.walmsley@sifive.com> Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>

Here's the KASAN report: BUG: KASAN: use-after-free in skcipher_crypt_done+0xe8/0x1a8 Read of size 1 at addr ffff00002304001c by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc1-00162-gfcb90d5 #57 Hardware name: LS1046A RDB Board (DT) Call trace: dump_backtrace+0x0/0x260 show_stack+0x14/0x20 dump_stack+0xe8/0x144 print_address_description.isra.11+0x64/0x348 __kasan_report+0x11c/0x230 kasan_report+0xc/0x18 __asan_load1+0x5c/0x68 skcipher_crypt_done+0xe8/0x1a8 caam_jr_dequeue+0x390/0x608 tasklet_action_common.isra.13+0x1ec/0x230 tasklet_action+0x24/0x30 efi_header_end+0x1a4/0x370 irq_exit+0x114/0x128 __handle_domain_irq+0x80/0xe0 gic_handle_irq+0x50/0xa0 el1_irq+0xb8/0x180 _raw_spin_unlock_irq+0x2c/0x78 finish_task_switch+0xa4/0x2f8 __schedule+0x3a4/0x890 schedule_idle+0x28/0x50 do_idle+0x22c/0x338 cpu_startup_entry+0x24/0x40 rest_init+0xf8/0x10c arch_call_rest_init+0xc/0x14 start_kernel+0x774/0x7b4 Allocated by task 263: save_stack+0x24/0xb0 __kasan_kmalloc.isra.10+0xc4/0xe0 kasan_kmalloc+0xc/0x18 __kmalloc+0x178/0x2b8 skcipher_edesc_alloc+0x21c/0x1018 skcipher_encrypt+0x84/0x150 crypto_skcipher_encrypt+0x50/0x68 test_skcipher_vec_cfg+0x4d4/0xc10 test_skcipher_vec+0xf8/0x1d8 alg_test_skcipher+0xec/0x230 alg_test.part.44+0x114/0x4a0 alg_test+0x1c/0x60 cryptomgr_test+0x34/0x58 kthread+0x1b8/0x1c0 ret_from_fork+0x10/0x18 Freed by task 0: save_stack+0x24/0xb0 __kasan_slab_free+0x10c/0x188 kasan_slab_free+0x10/0x18 kfree+0x7c/0x298 skcipher_crypt_done+0xe0/0x1a8 caam_jr_dequeue+0x390/0x608 tasklet_action_common.isra.13+0x1ec/0x230 tasklet_action+0x24/0x30 efi_header_end+0x1a4/0x370 The buggy address belongs to the object at ffff000023040000 which belongs to the cache dma-kmalloc-512 of size 512 The buggy address is located 28 bytes inside of 512-byte region [ffff000023040000, ffff000023040200) The buggy address belongs to the page: page:fffffe00006c1000 refcount:1 mapcount:0 mapping:ffff00093200c400 index:0x0 compound_mapcount: 0 flags: 0xffff00000010200(slab|head) raw: 0ffff00000010200 dead000000000100 dead000000000122 ffff00093200c400 raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff00002303ff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff00002303ff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff >ffff000023040000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff000023040080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff000023040100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: ee38767 ("crypto: caam - support crypto_engine framework for SKCIPHER algorithms") Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

…le_activate In case if isi.nr_pages is 0, we are making sis->pages (which is unsigned int) a huge value in iomap_swapfile_activate() by assigning -1. This could cause a kernel crash in kernel v4.18 (with below signature). Or could lead to unknown issues on latest kernel if the fake big swap gets used. Fix this issue by returning -EINVAL in case of nr_pages is 0, since it is anyway a invalid swapfile. Looks like this issue will be hit when we have pagesize < blocksize type of configuration. I was able to hit the issue in case of a tiny swap file with below test script. https://raw.githubusercontent.com/riteshharjani/LinuxStudy/master/scripts/swap-issue.sh kernel crash analysis on v4.18 ============================== On v4.18 kernel, it causes a kernel panic, since sis->pages becomes a huge value and isi.nr_extents is 0. When 0 is returned it is considered as a swapfile over NFS and SWP_FILE is set (sis->flags |= SWP_FILE). Then when swapoff was getting called it was calling a_ops->swap_deactivate() if (sis->flags & SWP_FILE) is true. Since a_ops->swap_deactivate() is NULL in case of XFS, it causes below panic. Panic signature on v4.18 kernel: ======================================= root@qemu:/home/qemu# [ 8291.723351] XFS (loop2): Unmounting Filesystem [ 8292.123104] XFS (loop2): Mounting V5 Filesystem [ 8292.132451] XFS (loop2): Ending clean mount [ 8292.263362] Adding 4294967232k swap on /mnt1/test/swapfile. Priority:-2 extents:1 across:274877906880k [ 8292.277834] Unable to handle kernel paging request for instruction fetch [ 8292.278677] Faulting instruction address: 0x00000000 cpu 0x19: Vector: 400 (Instruction Access) at [c0000009dd5b7ad0] pc: 0000000000000000 lr: c0000000003eb9dc: destroy_swap_extents+0xfc/0x120 sp: c0000009dd5b7d50 msr: 8000000040009033 current = 0xc0000009b6710080 paca = 0xc00000003ffcb280 irqmask: 0x03 irq_happened: 0x01 pid = 5604, comm = swapoff Linux version 4.18.0 (riteshh@xxxxxxx) (gcc version 8.4.0 (Ubuntu 8.4.0-1ubuntu1~18.04)) #57 SMP Wed Mar 3 01:33:04 CST 2021 enter ? for help [link register ] c0000000003eb9dc destroy_swap_extents+0xfc/0x120 [c0000009dd5b7d50] c0000000025a7058 proc_poll_event+0x0/0x4 (unreliable) [c0000009dd5b7da0] c0000000003f0498 sys_swapoff+0x3f8/0x910 [c0000009dd5b7e30] c00000000000bbe4 system_call+0x5c/0x70 Exception: c01 (System Call) at 00007ffff7d208d8 Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com> [djwong: rework the comment to provide more details] Reviewed-by: Darrick J. Wong <djwong@kernel.org> Signed-off-by: Darrick J. Wong <djwong@kernel.org> Reviewed-by: Christoph Hellwig <hch@lst.de>

Sergei Shtylyov and others added 30 commits April 3, 2015 19:03

Revert "Staging: sm750fb: Fix C99 Comments"

97498bb

This reverts commit 6ad6b5e. It added a file that should not be in the kernel source tree. Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

hwmon: (it87) Add support for IT8790E

4ee0715

IT8790E is a super-IO chip with three fan tachometers. It is mostly compatible to IT8728F, but only supports three fan tachometers instead of five. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

hwmon: (it87) Add support for 6th fan of IT8620E

fa3f70d

IT8620E supports up to 6 fan tachometers. Reviewed-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: Guenter Roeck <linux@roeck-us.net>

torvalds and others added 20 commits April 13, 2015 13:36

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel…

cb0fc55

…/git/egtvedt/linux-avr32 Pull avr32 fix from Hans-Christian Egtvedt. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/egtvedt/linux-avr32: avr32: fix integer overflow in ELF_ET_DYN_BASE

dabrace added a commit that referenced this pull request Apr 14, 2015

Merge pull request #57 from torvalds/master

72fb676

Sync up with Linus

dabrace merged commit 72fb676 into dabrace:master Apr 14, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Sync up with Linus #57

Sync up with Linus #57

dabrace commented Apr 14, 2015

Sync up with Linus #57

Sync up with Linus #57

Conversation

dabrace commented Apr 14, 2015