1. 16 Mar, 2018 11 commits
  2. 15 Mar, 2018 8 commits
    • Eric W. Biederman's avatar
      fs: Teach path_connected to handle nfs filesystems with multiple roots. · 95dd7758
      Eric W. Biederman authored
      On nfsv2 and nfsv3 the nfs server can export subsets of the same
      filesystem and report the same filesystem identifier, so that the nfs
      client can know they are the same filesystem.  The subsets can be from
      disjoint directory trees.  The nfsv2 and nfsv3 filesystems provides no
      way to find the common root of all directory trees exported form the
      server with the same filesystem identifier.
      
      The practical result is that in struct super s_root for nfs s_root is
      not necessarily the root of the filesystem.  The nfs mount code sets
      s_root to the root of the first subset of the nfs filesystem that the
      kernel mounts.
      
      This effects the dcache invalidation code in generic_shutdown_super
      currently called shrunk_dcache_for_umount and that code for years
      has gone through an additional list of dentries that might be dentry
      trees that need to be freed to accomodate nfs.
      
      When I wrote path_connected I did not realize nfs was so special, and
      it's hueristic for avoiding calling is_subdir can fail.
      
      The practical case where this fails is when there is a move of a
      directory from the subtree exposed by one nfs mount to the subtree
      exposed by another nfs mount.  This move can happen either locally or
      remotely.  With the remote case requiring that the move directory be cached
      before the move and that after the move someone walks the path
      to where the move directory now exists and in so doing causes the
      already cached directory to be moved in the dcache through the magic
      of d_splice_alias.
      
      If someone whose working directory is in the move directory or a
      subdirectory and now starts calling .. from the initial mount of nfs
      (where s_root == mnt_root), then path_connected as a heuristic will
      not bother with the is_subdir check.  As s_root really is not the root
      of the nfs filesystem this heuristic is wrong, and the path may
      actually not be connected and path_connected can fail.
      
      The is_subdir function might be cheap enough that we can call it
      unconditionally.  Verifying that will take some benchmarking and
      the result may not be the same on all kernels this fix needs
      to be backported to.  So I am avoiding that for now.
      
      Filesystems with snapshots such as nilfs and btrfs do something
      similar.  But as the directory tree of the snapshots are disjoint
      from one another and from the main directory tree rename won't move
      things between them and this problem will not occur.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
      Fixes: 397d425d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      95dd7758
    • Rodrigo Vivi's avatar
      Merge tag 'gvt-fixes-2018-03-15' of https://github.com/intel/gvt-linux into drm-intel-fixes · 05b429a8
      Rodrigo Vivi authored
      gvt-fixes-2018-03-15
      
      - Two warnings fix for runtime pm and usr copy (Xiong, Zhenyu)
      - OA context fix for vGPU profiling (Min)
      - privilege batch buffer reloc fix (Fred)
      Signed-off-by: default avatarRodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20180315100023.5n5a74afky6qinoh@zhen-hp.sh.intel.com
      05b429a8
    • David S. Miller's avatar
      sparc64: Fix regression in pmdp_invalidate(). · cfb61b5e
      David S. Miller authored
      pmdp_invalidate() was changed to update the pmd atomically
      (to not lose dirty/access bits) and return the original pmd
      value.
      
      However, in doing so, we lost a lot of the essential work that
      set_pmd_at() does, namely to update hugepage mapping counts and
      queuing up the batched TLB flush entry.
      
      Thus we were not flushing entries out of the TLB when making
      such PMD changes.
      
      Fix this by abstracting the accounting work of set_pmd_at() out into a
      separate function, and call it from pmdp_establish().
      
      Fixes: a8e654f0 ("sparc64: update pmdp_invalidate() to return old pmd value")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cfb61b5e
    • Linus Torvalds's avatar
      Merge tag 'sound-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · e2c15aff
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A series of small fixes in ASoC, HD-audio and core stuff:
      
         - a UAF fix in ALSA PCM core
      
         - yet more hardening for ALSA sequencer
      
         - a regression fix for the previous HD-audio power_save option change
      
         - various ASoC codec fixes (sgtl5000, rt5651, hdmi-codec, wm_adsp)
      
         - minor ASoC platform fixes (AMD ACP, sun4i)"
      
      * tag 'sound-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Revert power_save option default value
        ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
        ALSA: seq: Clear client entry before deleting else at closing
        ALSA: seq: Fix possible UAF in snd_seq_check_queue()
        ASoC: amd: 16bit resolution support for i2s sp instance
        ASoC: wm_adsp: For TLV controls only register TLV get/set
        ASoC: sun4i-i2s: Fix RX slot number of SUN8I
        ASoC: hdmi-codec: Fix module unloading caused kernel crash
        ASoC: rt5651: Fix regcache sync errors on resume
        ASoC: sgtl5000: Fix suspend/resume
        MAINTAINERS: Add myself as sgtl5000 maintainer
        ASoC: samsung: Add the DT binding files entry to MAINTAINERS
        sgtl5000: change digital_mute policy
      e2c15aff
    • Linus Torvalds's avatar
      Merge tag 'for-4.16/dm-fixes-3' of... · 667058ae
      Linus Torvalds authored
      Merge tag 'for-4.16/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
      
      Pull device mapper fixes from Mike Snitzer:
      
       - a stable DM multipath fix to restore ability to pass integrity data
      
       - two DM multipath fixes for a fix that was merged into 4.16-rc5
      
      * tag 'for-4.16/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
        dm mpath: fix passing integrity data
        dm mpath: eliminate need to use scsi_device_from_queue
        dm mpath: fix uninitialized 'pg_init_wait' waitqueue_head NULL pointer
      667058ae
    • Zhenyu Wang's avatar
      drm/i915/gvt: fix user copy warning by whitelist workload rb_tail field · 850555d1
      Zhenyu Wang authored
      This is to fix warning got as:
      
      [ 6730.476938] ------------[ cut here ]------------
      [ 6730.476979] Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLAB object 'gvt-g_vgpu_workload' (offset 120, size 4)!
      [ 6730.477021] WARNING: CPU: 2 PID: 441 at mm/usercopy.c:81 usercopy_warn+0x7e/0xa0
      [ 6730.477042] Modules linked in: tun(E) bridge(E) stp(E) llc(E) kvmgt(E) x86_pkg_temp_thermal(E) vfio_mdev(E) intel_powerclamp(E) mdev(E) coretemp(E) vfio_iommu_type1(E) vfio(E) kvm_intel(E) kvm(E) hid_generic(E) irqbypass(E) crct10dif_pclmul(E) crc32_pclmul(E) usbhid(E) i915(E) crc32c_intel(E) hid(E) ghash_clmulni_intel(E) pcbc(E) aesni_intel(E) aes_x86_64(E) crypto_simd(E) cryptd(E) glue_helper(E) intel_cstate(E) idma64(E) evdev(E) virt_dma(E) iTCO_wdt(E) intel_uncore(E) intel_rapl_perf(E) intel_lpss_pci(E) sg(E) shpchp(E) mei_me(E) pcspkr(E) iTCO_vendor_support(E) intel_lpss(E) intel_pch_thermal(E) prime_numbers(E) mei(E) mfd_core(E) video(E) acpi_pad(E) button(E) binfmt_misc(E) ip_tables(E) x_tables(E) autofs4(E) ext4(E) crc16(E) mbcache(E) jbd2(E) fscrypto(E) sd_mod(E) e1000e(E) xhci_pci(E) sdhci_pci(E)
      [ 6730.477244]  ptp(E) cqhci(E) xhci_hcd(E) pps_core(E) sdhci(E) mmc_core(E) i2c_i801(E) usbcore(E) thermal(E) fan(E)
      [ 6730.477276] CPU: 2 PID: 441 Comm: gvt workload 0 Tainted: G            E    4.16.0-rc1-gvt-staging-0213+ #127
      [ 6730.477303] Hardware name:  /NUC6i5SYB, BIOS SYSKLi35.86A.0039.2016.0316.1747 03/16/2016
      [ 6730.477326] RIP: 0010:usercopy_warn+0x7e/0xa0
      [ 6730.477340] RSP: 0018:ffffba6301223d18 EFLAGS: 00010286
      [ 6730.477355] RAX: 0000000000000000 RBX: ffff8f41caae9838 RCX: 0000000000000006
      [ 6730.477375] RDX: 0000000000000007 RSI: 0000000000000082 RDI: ffff8f41dad166f0
      [ 6730.477395] RBP: 0000000000000004 R08: 0000000000000576 R09: 0000000000000000
      [ 6730.477415] R10: ffffffffb1293fb2 R11: 00000000ffffffff R12: 0000000000000001
      [ 6730.477447] R13: ffff8f41caae983c R14: ffff8f41caae9838 R15: 00007f183ca2b000
      [ 6730.477467] FS:  0000000000000000(0000) GS:ffff8f41dad00000(0000) knlGS:0000000000000000
      [ 6730.477489] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 6730.477506] CR2: 0000559462817291 CR3: 000000028b46c006 CR4: 00000000003626e0
      [ 6730.477526] Call Trace:
      [ 6730.477537]  __check_object_size+0x9c/0x1a0
      [ 6730.477562]  __kvm_write_guest_page+0x45/0x90 [kvm]
      [ 6730.477585]  kvm_write_guest+0x46/0x80 [kvm]
      [ 6730.477599]  kvmgt_rw_gpa+0x9b/0xf0 [kvmgt]
      [ 6730.477642]  workload_thread+0xa38/0x1040 [i915]
      [ 6730.477659]  ? do_wait_intr_irq+0xc0/0xc0
      [ 6730.477673]  ? finish_wait+0x80/0x80
      [ 6730.477707]  ? clean_workloads+0x120/0x120 [i915]
      [ 6730.477722]  kthread+0x111/0x130
      [ 6730.477733]  ? _kthread_create_worker_on_cpu+0x60/0x60
      [ 6730.477750]  ? exit_to_usermode_loop+0x6f/0xb0
      [ 6730.477766]  ret_from_fork+0x35/0x40
      [ 6730.477777] Code: 48 c7 c0 20 e3 25 b1 48 0f 44 c2 41 50 51 41 51 48 89 f9 49 89 f1 4d 89 d8 4c 89 d2 48 89 c6 48 c7 c7 78 e3 25 b1 e8 b2 bc e4 ff <0f> ff 48 83 c4 18 c3 48 c7 c6 09 d0 26 b1 49 89 f1 49 89 f3 eb
      [ 6730.477849] ---[ end trace cae869c1c323e45a ]---
      
      By whitelist guest page write from workload struct allocated from kmem cache.
      Reviewed-by: default avatarHang Yuan <hang.yuan@linux.intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      (cherry picked from commit 5627705406874df57fdfad3b4e0c9aedd3b007df)
      850555d1
    • fred gao's avatar
      drm/i915/gvt: Correct the privilege shadow batch buffer address · ef75c685
      fred gao authored
      Once the ring buffer is copied to ring_scan_buffer and scanned,
      the shadow batch buffer start address is only updated into
      ring_scan_buffer, not the real ring address allocated through
      intel_ring_begin in later copy_workload_to_ring_buffer.
      
      This patch is only to set the right shadow batch buffer address
      from Ring buffer, not include the shadow_wa_ctx.
      
      v2:
      - refine some comments. (Zhenyu)
      v3:
      - fix typo in title. (Zhenyu)
      v4:
      - remove the unnecessary comments. (Zhenyu)
      - add comments in bb_start_cmd_va update. (Zhenyu)
      
      Fixes: 0a53bc07 ("drm/i915/gvt: Separate cmd scan from request allocation")
      Cc: stable@vger.kernel.org  # v4.15
      Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
      Cc: Yulei Zhang <yulei.zhang@intel.com>
      Signed-off-by: default avatarfred gao <fred.gao@intel.com>
      Signed-off-by: default avatarZhenyu Wang <zhenyuw@linux.intel.com>
      ef75c685
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 0aa3fdb8
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is four patches, consisting of one regression from the merge
        window (qla2xxx), one long-standing memory leak (sd_zbc), one event
        queue mislabelling which we want to eliminate to discourage the
        pattern (mpt3sas), and one behaviour change because re-reading the
        partition table shouldn't clear the ro flag"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: sd: Keep disk read-only when re-reading partition
        scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
        scsi: sd_zbc: Fix potential memory leak
        scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
      0aa3fdb8
  3. 14 Mar, 2018 20 commits
    • Joern Engel's avatar
      btree: avoid variable-length allocations · 8df3aaaf
      Joern Engel authored
      geo->keylen cannot be larger than 4.  So we might as well make
      fixed-size allocations.
      
      Given the one remaining user, geo->keylen cannot even be larger than 1.
      Logfs used to have 64bit and 128bit keys, tcm_qla2xxx only has 32bit
      keys.  But let's not break the code if we don't have to.
      Signed-off-by: default avatarJoern Engel <joern@purestorage.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      8df3aaaf
    • Linus Torvalds's avatar
      Merge branch 'percpu_ref-rcu-audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/misc · fed8f509
      Linus Torvalds authored
      Pull percpu_ref rcu fixes from Tejun Heo:
       "Jann Horn found that aio was depending on the internal RCU grace
        periods of percpu-ref and that it's broken because aio uses regular
        RCU while percpu_ref uses sched-RCU.
      
        Depending on percpu_ref's internal grace periods isn't a good idea
        because
      
         - The RCU type might not match.
      
         - percpu_ref's grace periods are used to switch to atomic mode. They
           aren't between the last put and the invocation of the last release.
           This is easy to get confused about and can lead to subtle bugs.
      
         - percpu_ref might not have grace periods at all depending on its
           current operation mode.
      
        This patchset audits and fixes percpu_ref users for their RCU usages"
      
      [ There's a continuation of this series that clarifies percpu_ref
        documentation that the internal grace periods must not be depended
        upon, and introduces rcu_work to simplify bouncing to a workqueue
        after an RCU grace period.
      
        That will go in for 4.17 - this is just the minimal set with the fixes
        that are tagged for -stable ]
      
      * 'percpu_ref-rcu-audit-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/misc:
        RDMAVT: Fix synchronization around percpu_ref
        fs/aio: Use RCU accessors for kioctx_table->table[]
        fs/aio: Add explicit RCU grace period when freeing kioctx
      fed8f509
    • Ard Biesheuvel's avatar
      Revert "mm/page_alloc: fix memmap_init_zone pageblock alignment" · 3e04040d
      Ard Biesheuvel authored
      This reverts commit 864b75f9.
      
      Commit 864b75f9 ("mm/page_alloc: fix memmap_init_zone pageblock
      alignment") modified the logic in memmap_init_zone() to initialize
      struct pages associated with invalid PFNs, to appease a VM_BUG_ON()
      in move_freepages(), which is redundant by its own admission, and
      dereferences struct page fields to obtain the zone without checking
      whether the struct pages in question are valid to begin with.
      
      Commit 864b75f9 only makes it worse, since the rounding it does
      may cause pfn assume the same value it had in a prior iteration of
      the loop, resulting in an infinite loop and a hang very early in the
      boot. Also, since it doesn't perform the same rounding on start_pfn
      itself but only on intermediate values following an invalid PFN, we
      may still hit the same VM_BUG_ON() as before.
      
      So instead, let's fix this at the core, and ensure that the BUG
      check doesn't dereference struct page fields of invalid pages.
      
      Fixes: 864b75f9 ("mm/page_alloc: fix memmap_init_zone pageblock alignment")
      Tested-by: default avatarJan Glauber <jglauber@cavium.com>
      Tested-by: default avatarShanker Donthineni <shankerd@codeaurora.org>
      Cc: Daniel Vacek <neelx@redhat.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Paul Burton <paul.burton@imgtec.com>
      Cc: Pavel Tatashin <pasha.tatashin@oracle.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3e04040d
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2018-03-14' of... · 67f19766
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2018-03-14' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - 1 display fix for bxt
      - 1 gem fix for fences
      - 1 gem/pm fix for rps freq
      
      * tag 'drm-intel-fixes-2018-03-14' of git://anongit.freedesktop.org/drm/drm-intel:
        drm/i915: Kick the rps worker when changing the boost frequency
        drm/i915: Only prune fences after wait-for-all
        drm/i915: Enable VBT based BL control for DP
      67f19766
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.16' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 4cdc8f12
      Dave Airlie authored
      A few fixes for 4.16:
      - Fix a backlight S/R regression on amdgpu
      - Fix prime teardown on radeon and amdgpu
      - DP fix for amdgpu
      
      * 'drm-fixes-4.16' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu/dce: Don't turn off DP sink when disconnected
        drm/amdgpu: save/restore backlight level in legacy dce code
        drm/radeon: fix prime teardown order
        drm/amdgpu: fix prime teardown order
      4cdc8f12
    • Michel Dänzer's avatar
      drm/amdgpu/dce: Don't turn off DP sink when disconnected · 7d617264
      Michel Dänzer authored
      Turning off the sink in this case causes various issues, because
      userspace expects it to stay on until it turns it off explicitly.
      
      Instead, turn the sink off and back on when a display is connected
      again. This dance seems necessary for link training to work correctly.
      
      Bugzilla: https://bugs.freedesktop.org/105308
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      7d617264
    • Alex Deucher's avatar
      drm/amdgpu: save/restore backlight level in legacy dce code · b5e32413
      Alex Deucher authored
      Save/restore the backlight level scratch register in S3/S4 so the
      backlight level comes back at the previously requested level.
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=199047
      Fixes: 4ec6ecf4 (drm/amdgpu: drop scratch regs save and restore from S3/S4 handling)
      Acked-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      Reviewed-by: default avatarHarry Wentland <harry.wentland@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      b5e32413
    • Christian König's avatar
      drm/radeon: fix prime teardown order · 0f4f715b
      Christian König authored
      We unmapped imported DMA-bufs when the GEM handle was dropped, not when the
      hardware was done with the buffere.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      0f4f715b
    • Christian König's avatar
      drm/amdgpu: fix prime teardown order · 342038d9
      Christian König authored
      We unmapped imported DMA-bufs when the GEM handle was dropped, not when the
      hardware was done with the buffere.
      Signed-off-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarMichel Dänzer <michel.daenzer@amd.com>
      CC: stable@vger.kernel.org
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      342038d9
    • Linus Torvalds's avatar
      Merge tag 'platform-drivers-x86-v4.16-7' of git://git.infradead.org/linux-platform-drivers-x86 · 274a1ff0
      Linus Torvalds authored
      Pull x86 platform drives fixes from Darren Hart:
      
       - DELL_SMBIOS conditionally depends on ACPI_WMI in the same way it
         depends on DCDBAS, update the Kconfig accordingly.
      
       - fix the dell driver init order to ensure that the driver dependencies
         are met, avoiding race conditions resulting in boot failure on
         certain systems when the drivers are built-in.
      
      * tag 'platform-drivers-x86-v4.16-7' of git://git.infradead.org/linux-platform-drivers-x86:
        platform/x86: Fix dell driver init order
        platform/x86: dell-smbios: Resolve dependency error on ACPI_WMI
      274a1ff0
    • Steffen Maier's avatar
      dm mpath: fix passing integrity data · 8c5c1473
      Steffen Maier authored
      After v4.12 commit e2460f2a ("dm: mark targets that pass integrity
      data"), dm-multipath, e.g. on DIF+DIX SCSI disk paths, does not support
      block integrity any more. So add it to the whitelist.
      
      This is also a pre-requisite to use block integrity with other dm layer(s)
      on top of multipath, such as kpartx partitions (dm-linear) or LVM.
      
      Also, bump target version to reflect this fix.
      
      Fixes: e2460f2a ("dm: mark targets that pass integrity data")
      Cc: <stable@vger.kernel.org> #4.12+
      Bisected-by: default avatarFedor Loshakov <loshakov@linux.vnet.ibm.com>
      Signed-off-by: default avatarSteffen Maier <maier@linux.vnet.ibm.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      8c5c1473
    • Tejun Heo's avatar
      RDMAVT: Fix synchronization around percpu_ref · 74b44bbe
      Tejun Heo authored
      rvt_mregion uses percpu_ref for reference counting and RCU to protect
      accesses from lkey_table.  When a rvt_mregion needs to be freed, it
      first gets unregistered from lkey_table and then rvt_check_refs() is
      called to wait for in-flight usages before the rvt_mregion is freed.
      
      rvt_check_refs() seems to have a couple issues.
      
      * It has a fast exit path which tests percpu_ref_is_zero().  However,
        a percpu_ref reading zero doesn't mean that the object can be
        released.  In fact, the ->release() callback might not even have
        started executing yet.  Proceeding with freeing can lead to
        use-after-free.
      
      * lkey_table is RCU protected but there is no RCU grace period in the
        free path.  percpu_ref uses RCU internally but it's sched-RCU whose
        grace periods are different from regular RCU.  Also, it generally
        isn't a good idea to depend on internal behaviors like this.
      
      To address the above issues, this patch removes the fast exit and adds
      an explicit synchronize_rcu().
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Cc: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Cc: linux-rdma@vger.kernel.org
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      74b44bbe
    • Tejun Heo's avatar
      fs/aio: Use RCU accessors for kioctx_table->table[] · d0264c01
      Tejun Heo authored
      While converting ioctx index from a list to a table, db446a08
      ("aio: convert the ioctx list to table lookup v3") missed tagging
      kioctx_table->table[] as an array of RCU pointers and using the
      appropriate RCU accessors.  This introduces a small window in the
      lookup path where init and access may race.
      
      Mark kioctx_table->table[] with __rcu and use the approriate RCU
      accessors when using the field.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: db446a08 ("aio: convert the ioctx list to table lookup v3")
      Cc: Benjamin LaHaise <bcrl@kvack.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.12+
      d0264c01
    • Tejun Heo's avatar
      fs/aio: Add explicit RCU grace period when freeing kioctx · a6d7cff4
      Tejun Heo authored
      While fixing refcounting, e34ecee2 ("aio: Fix a trinity splat")
      incorrectly removed explicit RCU grace period before freeing kioctx.
      The intention seems to be depending on the internal RCU grace periods
      of percpu_ref; however, percpu_ref uses a different flavor of RCU,
      sched-RCU.  This can lead to kioctx being freed while RCU read
      protected dereferences are still in progress.
      
      Fix it by updating free_ioctx() to go through call_rcu() explicitly.
      
      v2: Comment added to explain double bouncing.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: e34ecee2 ("aio: Fix a trinity splat")
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: stable@vger.kernel.org # v3.13+
      a6d7cff4
    • Darren Hart (VMware)'s avatar
      platform/x86: Fix dell driver init order · 49368c13
      Darren Hart (VMware) authored
      Update the initcall ordering to satisfy the following dependency
      ordering:
      
      1. DCDBAS, ACPI_WMI
      2. DELL_SMBIOS, DELL_RBTN
      3. DELL_LAPTOP, DELL_WMI
      
      By assigning them to the following initcall levels:
      
      subsys_initcall: DCDBAS, ACPI_WMI
      module_init: DELL_SMBIOS, DELL_RBTN
      late_initcall: DELL_LAPTOP, DELL_WMI
      
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Cc: Mario.Limonciello@dell.com
      Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
      49368c13
    • Darren Hart's avatar
      platform/x86: dell-smbios: Resolve dependency error on ACPI_WMI · 75073a64
      Darren Hart authored
      Similarly to DCDBAS for DELL_SMBIOS_SMM, if DELL_SMBIOS_WMI is enabled,
      DELL_SMBIOS becomes dependent on ACPI_WMI. Update the depends lines to
      prevent a configuration where DELL_SMBIOS=y and either backend
      dependency =m. Update the comment accordingly.
      
      Cc: Mario Limonciello <mario.limonciello@dell.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Dominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarDarren Hart (VMware) <dvhart@infradead.org>
      75073a64
    • Linus Torvalds's avatar
      Merge tag 'usb-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 3032f8c5
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a small clump of USB fixes for 4.16-rc6.
      
        Nothing major, just a number of fixes in lots of different drivers, as
        well as a PHY driver fix that snuck into this tree. Full details are
        in the shortlog.
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'usb-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (22 commits)
        usb: musb: Fix external abort in musb_remove on omap2430
        phy: qcom-ufs: add MODULE_LICENSE tag
        usb: typec: tcpm: fusb302: Do not log an error on -EPROBE_DEFER
        USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
        usbip: vudc: fix null pointer dereference on udc->lock
        xhci: Fix front USB ports on ASUS PRIME B350M-A
        usb: host: xhci-plat: revert "usb: host: xhci-plat: enable clk in resume timing"
        usb: usbmon: Read text within supplied buffer size
        usb: host: xhci-rcar: add support for r8a77965
        USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
        usb: xhci: dbc: Fix lockdep warning
        xhci: fix endpoint context tracer output
        Revert "typec: tcpm: Only request matching pdos"
        usb: musb: call pm_runtime_{get,put}_sync before reading vbus registers
        usb: quirks: add control message delay for 1b1c:1b20
        uas: fix comparison for error code
        usb: gadget: udc: renesas_usb3: add binging for r8a77965
        usb: renesas_usbhs: add binding for r8a77965
        usb: dwc2: fix STM32F7 USB OTG HS compatible
        dt-bindings: usb: fix the STM32F7 DWC2 OTG HS core binding
        ...
      3032f8c5
    • Linus Torvalds's avatar
      Merge tag 'tty-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 6560ca4a
      Linus Torvalds authored
      Pull tty/serial driver fixes from Greg KH:
       "Here are some small tty core and serial driver fixes for 4.16-rc6.
      
        They resolve some newly reported bugs, as well as some very old ones,
        which is always nice to see. There is also a new device id added in
        here for good measure.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'tty-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: imx: fix bogus dev_err
        serial: sh-sci: prevent lockup on full TTY buffers
        serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
        earlycon: add reg-offset to physical address before mapping
        serial: core: mark port as initialized in autoconfig
        serial: 8250_pci: Don't fail on multiport card class
        tty/serial: atmel: add new version check for usart
        tty: make n_tty_read() always abort if hangup is in progress
      6560ca4a
    • Linus Torvalds's avatar
      Merge tag 'staging-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 5e15d39f
      Linus Torvalds authored
      Pull staging fixes from Greg KH:
       "Here are three staging driver fixes for 4.16-rc6
      
        Two of them are lockdep fixes for the ashmem driver that have been
        reported by a number of people recently. The last one is a fix for the
        comedi driver core.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-4.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
        staging: comedi: fix comedi_nsamples_left.
        staging: android: ashmem: Fix lockdep issue during llseek
      5e15d39f
    • Linus Torvalds's avatar
      Merge tag 'auxdisplay-for-linus-v4.16-rc6' of git://github.com/ojeda/linux · 1a7f7496
      Linus Torvalds authored
      Pull auxdisplay fixes from Miguel Ojeda:
       "Silence a few warnings in auxdisplay.
      
         - a couple of uninitialized warnings reported by the build service
      
         - a doc comment warning under W=1
      
         - three fall-through comments not recognized under W=1"
      
      * tag 'auxdisplay-for-linus-v4.16-rc6' of git://github.com/ojeda/linux:
        auxdisplay: img-ascii-lcd: Silence 2 uninitialized warnings
        auxdisplay: img-ascii-lcd: Fix doc comment to silence warnings
        auxdisplay: panel: Change comments to silence fallthrough warnings
      1a7f7496
  4. 13 Mar, 2018 1 commit
    • Mike Snitzer's avatar
      dm mpath: eliminate need to use scsi_device_from_queue · e8f74a0f
      Mike Snitzer authored
      Instead of scsi_device_from_queue(), use scsi_dh_attached_handler_name()
      -- whose implementation uses scsi_device_from_queue() to avoid trying to
      access SCSI-specific resources from non-SCSI devices.
      
      Fixes buildbot reported issue when CONFIG_SCSI isn't set:
       ERROR: "scsi_device_from_queue" [drivers/md/dm-multipath.ko] undefined!
      
      Fixes: 8d47e659 ("dm mpath: remove unnecessary NVMe branching in favor of scsi_dh checks")
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      e8f74a0f