1. 06 Dec, 2016 19 commits
  2. 05 Dec, 2016 9 commits
  3. 04 Dec, 2016 2 commits
    • Linus Torvalds's avatar
      Linux 4.9-rc8 · 3e5de27e
      Linus Torvalds authored
      3e5de27e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.9-rc8' of git://people.freedesktop.org/~airlied/linux · 0cb65c83
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A pretty small pull request: a couple of AMD powerxpress regression
        fixes and a power management fix, a couple of i915 fixes and one hdlcd
        fix, along with one core don't oops because of incorrect API usage fix"
      
      * tag 'drm-fixes-for-v4.9-rc8' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: drop the struct_mutex when wedged or trying to reset
        drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error
        drm: Don't call drm_for_each_crtc with a non-KMS driver
        drm/radeon: fix check for port PM availability
        drm/amdgpu: fix check for port PM availability
        drm/amd/powerplay: initialize the soft_regs offset in struct smu7_hwmgr
        drm: hdlcd: Fix cleanup order
      0cb65c83
  4. 03 Dec, 2016 4 commits
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2016-12-01' of... · ab7cd8d8
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2016-12-01' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes
      
      2 intel fixes.
      
      * tag 'drm-intel-fixes-2016-12-01' of git://anongit.freedesktop.org/git/drm-intel:
        drm/i915: drop the struct_mutex when wedged or trying to reset
        drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error
      ab7cd8d8
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 3c49de52
      Linus Torvalds authored
      Merge more fixes from Andrew Morton:
       "2 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm, vmscan: add cond_resched() into shrink_node_memcg()
        mm: workingset: fix NULL ptr in count_shadow_nodes
      3c49de52
    • Michal Hocko's avatar
      mm, vmscan: add cond_resched() into shrink_node_memcg() · bd041733
      Michal Hocko authored
      Boris Zhmurov has reported RCU stalls during the kswapd reclaim:
      
        INFO: rcu_sched detected stalls on CPUs/tasks:
         23-...: (22 ticks this GP) idle=92f/140000000000000/0 softirq=2638404/2638404 fqs=23
         (detected by 4, t=6389 jiffies, g=786259, c=786258, q=42115)
        Task dump for CPU 23:
        kswapd1         R  running task        0   148      2 0x00000008
        Call Trace:
          shrink_node+0xd2/0x2f0
          kswapd+0x2cb/0x6a0
          mem_cgroup_shrink_node+0x160/0x160
          kthread+0xbd/0xe0
          __switch_to+0x1fa/0x5c0
          ret_from_fork+0x1f/0x40
          kthread_create_on_node+0x180/0x180
      
      a closer code inspection has shown that we might indeed miss all the
      scheduling points in the reclaim path if no pages can be isolated from
      the LRU list.  This is a pathological case but other reports from Donald
      Buczek have shown that we might indeed hit such a path:
      
              clusterd-989   [009] .... 118023.654491: mm_vmscan_direct_reclaim_end: nr_reclaimed=193
               kswapd1-86    [001] dN.. 118023.987475: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239830 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118024.320968: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239844 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118024.654375: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239858 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118024.987036: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239872 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118025.319651: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239886 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118025.652248: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239900 nr_taken=0 file=1
               kswapd1-86    [001] dN.. 118025.984870: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239914 nr_taken=0 file=1
        [...]
               kswapd1-86    [001] dN.. 118084.274403: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4241133 nr_taken=0 file=1
      
      this is minute long snapshot which didn't take a single page from the
      LRU.  It is not entirely clear why only 1303 pages have been scanned
      during that time (maybe there was a heavy IRQ activity interfering).
      
      In any case it looks like we can really hit long periods without
      scheduling on non preemptive kernels so an explicit cond_resched() in
      shrink_node_memcg which is independent on the reclaim operation is due.
      
      Link: http://lkml.kernel.org/r/20161202095841.16648-1-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarBoris Zhmurov <bb@kernelpanic.ru>
      Tested-by: default avatarBoris Zhmurov <bb@kernelpanic.ru>
      Reported-by: default avatarDonald Buczek <buczek@molgen.mpg.de>
      Reported-by: default avatar"Christopher S. Aker" <caker@theshore.net>
      Reported-by: default avatarPaul Menzel <pmenzel@molgen.mpg.de>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      bd041733
    • Michal Hocko's avatar
      mm: workingset: fix NULL ptr in count_shadow_nodes · 20ab67a5
      Michal Hocko authored
      Commit 0a6b76dd ("mm: workingset: make shadow node shrinker memcg
      aware") has made the workingset shadow nodes shrinker memcg aware.  The
      implementation is not correct though because memcg_kmem_enabled() might
      become true while we are doing a global reclaim when the sc->memcg might
      be NULL which is exactly what Marek has seen:
      
        BUG: unable to handle kernel NULL pointer dereference at 0000000000000400
        IP: [<ffffffff8122d520>] mem_cgroup_node_nr_lru_pages+0x20/0x40
        PGD 0
        Oops: 0000 [#1] SMP
        CPU: 0 PID: 60 Comm: kswapd0 Tainted: G           O   4.8.10-12.pvops.qubes.x86_64 #1
        task: ffff880011863b00 task.stack: ffff880011868000
        RIP: mem_cgroup_node_nr_lru_pages+0x20/0x40
        RSP: e02b:ffff88001186bc70  EFLAGS: 00010293
        RAX: 0000000000000000 RBX: ffff88001186bd20 RCX: 0000000000000002
        RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000000
        RBP: ffff88001186bc70 R08: 28f5c28f5c28f5c3 R09: 0000000000000000
        R10: 0000000000006c34 R11: 0000000000000333 R12: 00000000000001f6
        R13: ffffffff81c6f6a0 R14: 0000000000000000 R15: 0000000000000000
        FS:  0000000000000000(0000) GS:ffff880013c00000(0000) knlGS:ffff880013d00000
        CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 0000000000000400 CR3: 00000000122f2000 CR4: 0000000000042660
        Call Trace:
          count_shadow_nodes+0x9a/0xa0
          shrink_slab.part.42+0x119/0x3e0
          shrink_node+0x22c/0x320
          kswapd+0x32c/0x700
          kthread+0xd8/0xf0
          ret_from_fork+0x1f/0x40
        Code: 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 3b 35 dd eb b1 00 55 48 89 e5 73 2c 89 d2 31 c9 31 c0 4c 63 ce 48 0f a3 ca 73 13 <4a> 8b b4 cf 00 04 00 00 41 89 c8 4a 03 84 c6 80 00 00 00 83 c1
        RIP  mem_cgroup_node_nr_lru_pages+0x20/0x40
         RSP <ffff88001186bc70>
        CR2: 0000000000000400
        ---[ end trace 100494b9edbdfc4d ]---
      
      This patch fixes the issue by checking sc->memcg rather than
      memcg_kmem_enabled() which is sufficient because shrink_slab makes sure
      that only memcg aware shrinkers will get non-NULL memcgs and only if
      memcg_kmem_enabled is true.
      
      Fixes: 0a6b76dd ("mm: workingset: make shadow node shrinker memcg aware")
      Link: http://lkml.kernel.org/r/20161201132156.21450-1-mhocko@kernel.orgSigned-off-by: default avatarMichal Hocko <mhocko@suse.com>
      Reported-by: default avatarMarek Marczykowski-Górecki <marmarek@mimuw.edu.pl>
      Tested-by: default avatarMarek Marczykowski-Górecki <marmarek@mimuw.edu.pl>
      Acked-by: default avatarVladimir Davydov <vdavydov.dev@gmail.com>
      Acked-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Cc: <stable@vger.kernel.org>	[4.6+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      20ab67a5
  5. 02 Dec, 2016 6 commits
    • Nicolas Pitre's avatar
      kbuild: fix building bzImage with CONFIG_TRIM_UNUSED_KSYMS enabled · 86556392
      Nicolas Pitre authored
      When building a specific target such as bzImage, modules aren't normally
      built.  However if CONFIG_TRIM_UNUSED_KSYMS is enabled, no built modules
      means none of the exported symbols are used and therefore they will all
      be trimmed away from the final kernel.  A subsequent "make modules" will
      fail because modpost cannot find the needed symbols for those modules in
      the kernel binary.
      
      Let's make sure modules are also built whenever CONFIG_TRIM_UNUSED_KSYMS
      is enabled and that the kernel binary is properly rebuilt accordingly.
      Signed-off-by: default avatarNicolas Pitre <nico@linaro.org>
      Tested-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      86556392
    • Linus Torvalds's avatar
      Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 8dc0f265
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "This should be the last set of bugfixes for arm-soc in v4.9. None of
        these are critical regressions, but it would be nice to still get them
        merged.
      
         - On the Juno platform, the idle latency was described wrong, leading
           to suboptimal cpuidle tuning.
      
         - Also on the same platform, PCI I/O space was set up incorrectly and
           could not work.
      
         - On the sti platform, a syntactically incorrect DT entry caused
           warnings.
      
         - The newly added 'gr8' platform has somewhat confusing file names,
           which we rename for consistency"
      
      * tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
        arm64: dts: juno: Correct PCI IO window
        ARM: dts: STiH407-family: fix i2c nodes
        ARM: gr8: Rename the DTSI and relevant DTS
      8dc0f265
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 8bca927f
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Lots more phydev and probe error path leaks in various drivers by
          Johan Hovold.
      
       2) Fix race in packet_set_ring(), from Philip Pettersson.
      
       3) Use after free in dccp_invalid_packet(), from Eric Dumazet.
      
       4) Signnedness overflow in SO_{SND,RCV}BUFFORCE, also from Eric
          Dumazet.
      
       5) When tunneling between ipv4 and ipv6 we can be left with the wrong
          skb->protocol value as we enter the IPSEC engine and this causes all
          kinds of problems. Set it before the output path does any
          dst_output() calls, from Eli Cooper.
      
       6) bcmgenet uses wrong device struct pointer in DMA API calls, fix from
          Florian Fainelli.
      
       7) Various netfilter nat bug fixes from FLorian Westphal.
      
       8) Fix memory leak in ipvlan_link_new(), from Gao Feng.
      
       9) Locking fixes, particularly wrt. socket lookups, in l2tp from
          Guillaume Nault.
      
      10) Avoid invoking rhash teardowns in atomic context by moving netlink
          cb->done() dump completion from a worker thread. Fix from Herbert
          Xu.
      
      11) Buffer refcount problems in tun and macvtap on errors, from Jason
          Wang.
      
      12) We don't set Kconfig symbol DEFAULT_TCP_CONG properly when the user
          selects BBR. Fix from Julian Wollrath.
      
      13) Fix deadlock in transmit path on altera TSE driver, from Lino
          Sanfilippo.
      
      14) Fix unbalanced reference counting in dsa_switch_tree, from Nikita
          Yushchenko.
      
      15) tc_tunnel_key needs to be properly exported to userspace via uapi,
          fix from Roi Dayan.
      
      16) rds_tcp_init_net() doesn't unregister notifier in error path, fix
          from Sowmini Varadhan.
      
      17) Stale packet header pointer access after pskb_expand_head() in
          genenve driver, fix from Sabrina Dubroca.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (103 commits)
        net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
        geneve: avoid use-after-free of skb->data
        tipc: check minimum bearer MTU
        net: renesas: ravb: unintialized return value
        sh_eth: remove unchecked interrupts for RZ/A1
        net: bcmgenet: Utilize correct struct device for all DMA operations
        NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
        cdc_ether: Fix handling connection notification
        ip6_offload: check segs for NULL in ipv6_gso_segment.
        RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net
        Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
        ipv6: Set skb->protocol properly for local output
        ipv4: Set skb->protocol properly for local output
        packet: fix race condition in packet_set_ring
        net: ethernet: altera: TSE: do not use tx queue lock in tx completion handler
        net: ethernet: altera: TSE: Remove unneeded dma sync for tx buffers
        net: ethernet: stmmac: fix of-node and fixed-link-phydev leaks
        net: ethernet: stmmac: platform: fix outdated function header
        net: ethernet: stmmac: dwmac-meson8b: fix probe error path
        net: ethernet: stmmac: dwmac-generic: fix probe error path
        ...
      8bca927f
    • Eric Dumazet's avatar
      net: avoid signed overflows for SO_{SND|RCV}BUFFORCE · b98b0bc8
      Eric Dumazet authored
      CAP_NET_ADMIN users should not be allowed to set negative
      sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
      corruptions, crashes, OOM...
      
      Note that before commit 82981930 ("net: cleanups in
      sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
      and SO_RCVBUF were vulnerable.
      
      This needs to be backported to all known linux kernels.
      
      Again, many thanks to syzkaller team for discovering this gem.
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b98b0bc8
    • Sabrina Dubroca's avatar
      geneve: avoid use-after-free of skb->data · 5b010147
      Sabrina Dubroca authored
      geneve{,6}_build_skb can end up doing a pskb_expand_head(), which
      makes the ip_hdr(skb) reference we stashed earlier stale. Since it's
      only needed as an argument to ip_tunnel_ecn_encap(), move this
      directly in the function call.
      
      Fixes: 08399efc ("geneve: ensure ECN info is handled properly in all tx/rx paths")
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b010147
    • Michal Kubeček's avatar
      tipc: check minimum bearer MTU · 3de81b75
      Michal Kubeček authored
      Qian Zhang (张谦) reported a potential socket buffer overflow in
      tipc_msg_build() which is also known as CVE-2016-8632: due to
      insufficient checks, a buffer overflow can occur if MTU is too short for
      even tipc headers. As anyone can set device MTU in a user/net namespace,
      this issue can be abused by a regular user.
      
      As agreed in the discussion on Ben Hutchings' original patch, we should
      check the MTU at the moment a bearer is attached rather than for each
      processed packet. We also need to repeat the check when bearer MTU is
      adjusted to new device MTU. UDP case also needs a check to avoid
      overflow when calculating bearer MTU.
      
      Fixes: b97bf3fd ("[TIPC] Initial merge")
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Reported-by: default avatarQian Zhang (张谦) <zhangqian-c@360.cn>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3de81b75