1. 21 Mar, 2018 1 commit
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 303851e1
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Not much exciting here, almost entirely syzkaller fixes.
      
        This is going to be an ongoing theme for some time, I think. Both
        Google and Mellanox are now running syzkaller on different parts of
        the user API.
      
        Summary:
      
         - Many bug fixes related to syzkaller from Leon Romanovsky. These are
           still for the mlx driver and ucma interface.
      
         - Fix a situation with port reuse for iWarp, discovered during
           scale-up testing
      
         - Bug fixes for the profile and restrack patches accepted during this
           merge window
      
         - Compile warning cleanups from Arnd, this is apparently the last
           warning to make 32 bit builds quiet"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/ucma: Ensure that CM_ID exists prior to access it
        RDMA/verbs: Remove restrack entry from XRCD structure
        RDMA/ucma: Fix use-after-free access in ucma_close
        RDMA/ucma: Check AF family prior resolving address
        infiniband: bnxt_re: use BIT_ULL() for 64-bit bit masks
        infiniband: qplib_fp: fix pointer cast
        IB/mlx5: Fix cleanup order on unload
        RDMA/ucma: Don't allow join attempts for unsupported AF family
        RDMA/ucma: Fix access to non-initialized CM_ID object
        RDMA/core: Do not use invalid destination in determining port reuse
        RDMA/mlx5: Fix crash while accessing garbage pointer and freed memory
        IB/mlx5: Fix integer overflows in mlx5_ib_create_srq
        IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq
  2. 20 Mar, 2018 4 commits
    • Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 76c0b6a3
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
      
       - one driver patch (qla2xxx) which fixes a problem caused by an
         existing regression fix (FCP discovery is failing)
      
       - one generic fix to a longstanding bug in libsas that causes I/O
         eventually to hang to the device in the face of ATA error recovery.
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: qla2xxx: Remove FC_NO_LOOP_ID for FCP and FC-NVMe Discovery
        scsi: libsas: defer ata device eh commands to libata
    • Merge tag 'nfsd-4.16-1' of git://linux-nfs.org/~bfields/linux · 645102ea
      Linus Torvalds authored
      Pull nfsd fix from Bruce Fields:
       "Just one fix for an occasional panic from Jeff Layton"
      
      * tag 'nfsd-4.16-1' of git://linux-nfs.org/~bfields/linux:
        nfsd: remove blocked locks on client teardown
    • kvm/x86: fix icebp instruction handling · 32d43cd3
      Linus Torvalds authored
      The undocumented 'icebp' instruction (aka 'int1') works pretty much like
      'int3' in the absence of in-circuit probing equipment (except,
      obviously, that it raises #DB instead of raising #BP), and is used by
      some validation test-suites as such.
      
      But Andy Lutomirski noticed that his test suite acted differently in kvm
      than on bare hardware.
      
      The reason is that kvm used an inexact test for the icebp instruction:
      it just assumed that an all-zero VM exit qualification value meant that
      the VM exit was due to icebp.
      
      That is not unlike the guess that do_debug() does for the actual
      exception handling case, but it's purely a heuristic, not an absolute
      rule.  do_debug() does it because it wants to ascribe _some_ reasons to
      the #DB that happened, and an empty %dr6 value means that 'icebp' is the
      most likely cause and we have no better information.
      
      But kvm can just do it right, because unlike the do_debug() case, kvm
      actually sees the real reason for the #DB in the VM-exit interruption
      information field.
      
      So instead of relying on an inexact heuristic, just use the actual VM
      exit information that says "it was 'icebp'".
      
      Right now the 'icebp' instruction isn't technically documented by Intel,
      but that will hopefully change.  The special "privileged software
      exception" information _is_ actually mentioned in the Intel SDM, even
      though the cause of it isn't enumerated.
      Reported-by: Andy Lutomirski <luto@kernel.org>
      Tested-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • RDMA/ucma: Ensure that CM_ID exists prior to access it · e8980d67
      Leon Romanovsky authored
      Prior to accessing UCMA commands, the context should be initialized
      and connected to CM_ID with ucma_create_id(). In case the user skips
      this step, he can provide a non-valid ctx without CM_ID and cause
      multiple NULL dereferences.
      
      Also, there are situations where create_id can race with
      other user access; ensure that the context is only shared with
      other threads once it is fully initialized, to avoid the races.
      
      [  109.088108] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
      [  109.090315] IP: ucma_connect+0x138/0x1d0
      [  109.092595] PGD 80000001dc02d067 P4D 80000001dc02d067 PUD 1da9ef067 PMD 0
      [  109.095384] Oops: 0000 [#1] SMP KASAN PTI
      [  109.097834] CPU: 0 PID: 663 Comm: uclose Tainted: G    B 4.16.0-rc1-00062-g2975d5de #45
      [  109.100816] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [  109.105943] RIP: 0010:ucma_connect+0x138/0x1d0
      [  109.108850] RSP: 0018:ffff8801c8567a80 EFLAGS: 00010246
      [  109.111484] RAX: 0000000000000000 RBX: 1ffff100390acf50 RCX: ffffffff9d7812e2
      [  109.114496] RDX: 1ffffffff3f507a5 RSI: 0000000000000297 RDI: 0000000000000297
      [  109.117490] RBP: ffff8801daa15600 R08: 0000000000000000 R09: ffffed00390aceeb
      [  109.120429] R10: 0000000000000001 R11: ffffed00390aceea R12: 0000000000000000
      [  109.123318] R13: 0000000000000120 R14: ffff8801de6459c0 R15: 0000000000000118
      [  109.126221] FS:  00007fabb68d6700(0000) GS:ffff8801e5c00000(0000) knlGS:0000000000000000
      [  109.129468] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  109.132523] CR2: 0000000000000020 CR3: 00000001d45d8003 CR4: 00000000003606b0
      [  109.135573] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  109.138716] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  109.142057] Call Trace:
      [  109.144160]  ? ucma_listen+0x110/0x110
      [  109.146386]  ? wake_up_q+0x59/0x90
      [  109.148853]  ? futex_wake+0x10b/0x2a0
      [  109.151297]  ? save_stack+0x89/0xb0
      [  109.153489]  ? _copy_from_user+0x5e/0x90
      [  109.155500]  ucma_write+0x174/0x1f0
      [  109.157933]  ? ucma_resolve_route+0xf0/0xf0
      [  109.160389]  ? __mod_node_page_state+0x1d/0x80
      [  109.162706]  __vfs_write+0xc4/0x350
      [  109.164911]  ? kernel_read+0xa0/0xa0
      [  109.167121]  ? path_openat+0x1b10/0x1b10
      [  109.169355]  ? fsnotify+0x899/0x8f0
      [  109.171567]  ? fsnotify_unmount_inodes+0x170/0x170
      [  109.174145]  ? __fget+0xa8/0xf0
      [  109.177110]  vfs_write+0xf7/0x280
      [  109.179532]  SyS_write+0xa1/0x120
      [  109.181885]  ? SyS_read+0x120/0x120
      [  109.184482]  ? compat_start_thread+0x60/0x60
      [  109.187124]  ? SyS_read+0x120/0x120
      [  109.189548]  do_syscall_64+0xeb/0x250
      [  109.192178]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [  109.194725] RIP: 0033:0x7fabb61ebe99
      [  109.197040] RSP: 002b:00007fabb68d5e98 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
      [  109.200294] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fabb61ebe99
      [  109.203399] RDX: 0000000000000120 RSI: 00000000200001c0 RDI: 0000000000000004
      [  109.206548] RBP: 00007fabb68d5ec0 R08: 0000000000000000 R09: 0000000000000000
      [  109.209902] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fabb68d5fc0
      [  109.213327] R13: 0000000000000000 R14: 00007fff40ab2430 R15: 00007fabb68d69c0
      [  109.216613] Code: 88 44 24 2c 0f b6 84 24 6e 01 00 00 88 44 24 2d 0f
      b6 84 24 69 01 00 00 88 44 24 2e 8b 44 24 60 89 44 24 30 e8 da f6 06 ff
      31 c0 <66> 41 83 7c 24 20 1b 75 04 8b 44 24 64 48 8d 74 24 20 4c 89 e7
      [  109.223602] RIP: ucma_connect+0x138/0x1d0 RSP: ffff8801c8567a80
      [  109.226256] CR2: 0000000000000020
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Reported-by: <syzbot+36712f50b0552615bf59@syzkaller.appspotmail.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
  3. 19 Mar, 2018 14 commits
    • Merge branch 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 1b5f3ba4
      Linus Torvalds authored
      Pull cgroup fixes from Tejun Heo:
       "Two commits to fix the following subtle cgroup2 behavior bugs:
      
         - cpu.max was rejecting config when it shouldn't
      
         - thread mode enable was allowed when it shouldn't"
      
      * 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: fix rule checking for threaded mode switching
        sched, cgroup: Don't reject lower cpu.max on ancestors
    • Merge branch 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq · c6256ca9
      Linus Torvalds authored
      Pull workqueue fixes from Tejun Heo:
       "Two low-impact workqueue commits.
      
        One fixes workqueue creation error path and the other removes the
        unused cancel_work()"
      
      * 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq:
        workqueue: remove unused cancel_work()
        workqueue: use put_device() instead of kfree()
    • Merge branch 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu · 0d707a2f
      Linus Torvalds authored
      Pull percpu fixes from Tejun Heo:
       "Late percpu pull request for v4.16-rc6.
      
         - percpu allocator pool replenishing no longer triggers OOM or
           warning messages.
      
           Also, the alloc interface now understands __GFP_NORETRY and
           __GFP_NOWARN. This is to allow avoiding OOMs from userland
           triggered actions like bpf map creation.
      
           Also added cond_resched() in alloc loop.
      
         - percpu allocation now can be interrupted by kill sigs to avoid
           deadlocking OOM killer.
      
         - Added Dennis Zhou as a co-maintainer.
      
           He has rewritten the area map allocator, understands most of the
           code base and has been responsive for all bug reports"
      
      * 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
        percpu_ref: Update doc to dissuade users from depending on internal RCU grace periods
        mm: Allow to kill tasks doing pcpu_alloc() and waiting for pcpu_balance_workfn()
        percpu: include linux/sched.h for cond_resched()
        percpu: add a schedule point in pcpu_balance_workfn()
        percpu: allow select gfp to be passed to underlying allocators
        percpu: add __GFP_NORETRY semantics to the percpu balancing path
        percpu: match chunk allocator declarations with definitions
        percpu: add Dennis Zhou as a percpu co-maintainer
    • Merge branch 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata · efac2483
      Linus Torvalds authored
      Pull libata fixes from Tejun Heo:
       "I sat on them too long and it's quite a few this late, but nothing has
        a wide blast area. The changes are...
      
         - Fix corner cases in SG command handling.
      
         - Recent introduction of default powersaving mode config option
           exposed several devices with broken powersaving behaviors. A number
           of patches to update the blacklist accordingly.
      
         - Fix a kernel panic on SAS hotplug.
      
         - Other misc and device specific updates"
      
      * 'for-4.16-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
        libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
        libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
        libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
        libata: Enable queued TRIM for Samsung SSD 860
        PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
        ahci: Add PCI-id for the Highpoint Rocketraid 644L card
        ata: do not schedule hot plug if it is a sas host
        libata: disable LPM for Crucial BX100 SSD 500GB drive
        libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
        libata: update documentation for sysfs interfaces
        ata: sata_rcar: Remove unused variable in sata_rcar_init_controller()
        libata: transport: cleanup documentation of sysfs interface
        sata_rcar: Reset SATA PHY when Salvator-X board resumes
        libata: don't try to pass through NCQ commands to non-NCQ devices
        libata: remove WARN() for DMA or PIO command without data
        libata: fix length validation of ATAPI-relayed SCSI commands
        ata: libahci: fix comment indentation
        ahci: Add check for device presence (PCIe hot unplug) in ahci_stop_engine()
        libata: Fix compile warning with ATA_DEBUG enabled
    • nfsd: remove blocked locks on client teardown · 68ef3bc3
      Jeff Layton authored
      We had some reports of panics in nfsd4_lm_notify, and that showed a
      nfs4_lockowner that had outlived its so_client.
      
      Ensure that we walk any leftover lockowners after tearing down all of
      the stateids, and remove any blocked locks that they hold.
      
      With this change, we also don't need to walk the nbl_lru on nfsd_net
      shutdown, as that will happen naturally when we tear down the clients.
      
      Fixes: 76d348fa (nfsd: have nfsd4_lock use blocking locks for v4.1+ locks)
      Reported-by: Frank Sorenson <fsorenso@redhat.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Cc: stable@vger.kernel.org # 4.9
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • RDMA/verbs: Remove restrack entry from XRCD structure · 80cf79ae
      Leon Romanovsky authored
      XRCD object is not implemented in the restrack, so let's remove it.
      
      Fixes: 02d8883f ("RDMA/restrack: Add general infrastructure to track RDMA resources")
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • RDMA/ucma: Fix use-after-free access in ucma_close · ed65a4dc
      Leon Romanovsky authored
      The error in ucma_create_id() left ctx in the list of contexts belonging
      to the ucma file descriptor. The attempt to close this file descriptor causes
      use-after-free accesses while iterating over such list.
      
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Reported-by: <syzbot+dcfd344365a56fbebd0f@syzkaller.appspotmail.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
    • percpu_ref: Update doc to dissuade users from depending on internal RCU grace periods · b3a5d111
      Tejun Heo authored
      percpu_ref internally uses sched-RCU to implement the percpu -> atomic
      mode switching and the documentation suggested that this could be
      depended upon.  This doesn't seem like a good idea.
      
      * percpu_ref uses sched-RCU which has different grace periods than regular
        RCU.  Users may combine percpu_ref with regular RCU usage and
        incorrectly believe that regular RCU grace periods are performed by
        percpu_ref.  This can lead to, for example, use-after-free due to
        premature freeing.
      
      * percpu_ref has a grace period when switching from percpu to atomic
        mode.  It doesn't have one between the last put and release.  This
        distinction is subtle and can lead to surprising bugs.
      
      * percpu_ref allows starting in and switching to atomic mode manually
        for debugging and other purposes.  This means that there may not be
        any grace periods from kill to release.
      
      This patch makes it clear that the grace periods are percpu_ref's
      internal implementation detail and can't be depended upon by the
      users.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Cc: Kent Overstreet <kent.overstreet@gmail.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    • mm: Allow to kill tasks doing pcpu_alloc() and waiting for pcpu_balance_workfn() · f52ba1fe
      Kirill Tkhai authored
      In case of memory deficit and low percpu memory pages,
      pcpu_balance_workfn() takes pcpu_alloc_mutex for a long
      time (as it makes memory allocations itself and waits
      for memory reclaim). If tasks doing pcpu_alloc() are
      chosen by the OOM killer, they can't exit, because they
      are waiting for the mutex.
      
      The patch makes pcpu_alloc() care about killing signals
      and use mutex_lock_killable() when it's allowed by GFP
      flags. This guarantees that a task does not miss SIGKILL
      from the OOM killer.
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    • percpu: include linux/sched.h for cond_resched() · 71546d10
      Tejun Heo authored
      microblaze build broke due to missing declaration of the
      cond_resched() invocation added recently.  Let's include linux/sched.h
      explicitly.
      Signed-off-by: Tejun Heo <tj@kernel.org>
      Reported-by: kbuild test robot <fengguang.wu@intel.com>
    • libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version · d418ff56
      Hans de Goede authored
      When commit 9c7be59f ("libata: Apply NOLPM quirk to Crucial MX100
      512GB SSDs") was added it inherited the ATA_HORKAGE_NO_NCQ_TRIM quirk
      from the existing "Crucial_CT*MX100*" entry, but that entry sets model_rev
      to "MU01", whereas the entry adding the NOLPM quirk sets it to NULL.
      
      This means that after this commit we now apply the NO_NCQ_TRIM quirk to
      all "Crucial_CT512MX100*" SSDs even if they have the fixed "MU02"
      firmware. This commit splits the "Crucial_CT512MX100*" quirk into 2
      quirks, one for the "MU01" firmware and one for all other firmware
      versions, so that we once again only apply the NO_NCQ_TRIM quirk to the
      "MU01" firmware version.
      
      Fixes: 9c7be59f ("libata: Apply NOLPM quirk to ... MX100 512GB SSDs")
      Cc: stable@vger.kernel.org
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    • libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions · 3bf7b5d6
      Hans de Goede authored
      Commit b17e5729 ("libata: disable LPM for Crucial BX100 SSD 500GB
      drive"), introduced an ATA_HORKAGE_NOLPM quirk for Crucial BX100 500GB SSDs
      but limited this to the MU02 firmware version, according to:
      http://www.crucial.com/usa/en/support-ssd-firmware
      
      MU02 is the last version, so there are no newer possibly fixed versions
      and if the MU02 version has broken LPM then the MU01 almost certainly
      also has broken LPM, so this commit changes the quirk to apply to all
      firmware versions.
      
      Fixes: b17e5729 ("libata: disable LPM for Crucial BX100 SSD 500GB...")
      Cc: stable@vger.kernel.org
      Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    • libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs · 62ac3f73
      Hans de Goede authored
      There have been reports of the Crucial M500 480GB model not working
      with LPM set to min_power / med_power_with_dipm level.
      
      It has not been tested with medium_power, but that typically has no
      measurable power-savings.
      
      Note the reporter's Crucial_CT480M500SSD3 has a firmware version of MU03
      and there is a MU05 update available, but that update does not mention any
      LPM fixes in its changelog, so the quirk matches all firmware versions.
      
      In my experience the LPM problems with (older) Crucial SSDs seem to be
      limited to higher capacity versions of the SSDs (different firmware?),
      so this commit adds a NOLPM quirk for the 480 and 960GB versions of the
      M500, to avoid LPM causing issues with these SSDs.
      
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: Martin Steigerwald <martin@lichtvoll.de>
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Tejun Heo <tj@kernel.org>
    • Linux 4.16-rc6 · c698ca52
      Linus Torvalds authored
  4. 18 Mar, 2018 5 commits
    • Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 9e1909b9
      Linus Torvalds authored
      Pull x86/pti updates from Thomas Gleixner:
       "Another set of melted spectrum updates:
      
         - Iron out the last late microcode loading issues by actually
           checking whether new microcode is present and preventing the CPU
           synchronization to run into a timeout induced hang.
      
         - Remove Skylake C2 from the microcode blacklist according to the
           latest Intel documentation
      
         - Fix the VM86 POPF emulation which traps if VIP is set, but VIF is
           not. Enhance the selftests to catch that kind of issue
      
         - Annotate indirect calls/jumps for objtool on 32bit. This is not a
           functional issue, but for consistency's sake it's the right thing to
           do.
      
         - Fix a jump label build warning observed on SPARC64 which uses 32bit
           storage for the code location which is cast to 64 bit pointer w/o
           extending it to 64bit first.
      
         - Add two new cpufeature bits. Not really an urgent issue, but
           provides them for both x86 and x86/kvm work. No impact on the
           current kernel"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/microcode: Fix CPU synchronization routine
        x86/microcode: Attempt late loading only when new microcode is present
        x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
        jump_label: Fix sparc64 warning
        x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
        x86/vm86/32: Fix POPF emulation
        selftests/x86/entry_from_vm86: Add test cases for POPF
        selftests/x86/entry_from_vm86: Exit with 1 if we fail
        x86/cpufeatures: Add Intel PCONFIG cpufeature
        x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · df4fe178
      Linus Torvalds authored
      Pull x86 fix from Thomas Gleixner:
       "A single fix for vmalloc_fault() which uses p*d_huge() unconditionally
        whether CONFIG_HUGETLBFS is set or not. In case of CONFIG_HUGETLBFS=n
        this results in a crash as p*d_huge() returns 0 in that case"
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/mm: Fix vmalloc_fault to use pXd_large
    • Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d2149e13
      Linus Torvalds authored
      Pull irq fixes from Thomas Gleixner:
       "Three fixes for irq chip drivers:
      
         - Make sure the allocations in the GIC-V3 ITS driver are large enough
           to accommodate the interrupt space
      
         - Fix a misplaced __iomem annotation which causes a splat of 26
           sparse warnings
      
         - Remove an unused function in the IMX GPCV2 driver which causes
           build warnings"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/irq-imx-gpcv2: Remove unused function
        irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
        irqchip/gic-v3-its: Fix misplaced __iomem annotations
    • Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 23fe85ae
      Linus Torvalds authored
      Pull EFI fix from Thomas Gleixner:
       "A single fix to prevent partially initialized pointers in mixed mode
        (64bit kernel on 32bit UEFI)"
      
      * 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        efi/libstub/tpm: Initialize pointer variables to zero for mixed mode
    • Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 3cd1d327
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "PPC:
         - fix bug leading to lost IPIs and smp_call_function_many() lockups
           on POWER9
      
        ARM:
         - locking fix
         - reset fix
         - GICv2 multi-source SGI injection fix
         - GICv2-on-v3 MMIO synchronization fix
         - make the console less verbose.
      
        x86:
         - fix device passthrough on AMD SME"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: Fix device passthrough when SME is active
        kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3
        KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid
        KVM: arm/arm64: Reduce verbosity of KVM init log
        KVM: arm/arm64: Reset mapped IRQs on VM reset
        KVM: arm/arm64: Avoid vcpu_load for other vcpu ioctls than KVM_RUN
        KVM: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending
        KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry
  5. 17 Mar, 2018 1 commit
    • parisc: Handle case where flush_cache_range is called with no context · 9ef0f88f
      John David Anglin authored
      Just when I had decided that flush_cache_range() was always called with
      a valid context, Helge reported two cases where the
      "BUG_ON(!vma->vm_mm->context);" was hit on the phantom buildd:
      
       kernel BUG at /mnt/sdb6/linux/linux-4.15.4/arch/parisc/kernel/cache.c:587!
       CPU: 1 PID: 3254 Comm: kworker/1:2 Tainted: G D 4.15.0-1-parisc64-smp #1 Debian 4.15.4-1+b1
       Workqueue: events free_ioctx
        IAOQ[0]: flush_cache_range+0x164/0x168
        IAOQ[1]: flush_cache_page+0x0/0x1c8
        RP(r2): unmap_page_range+0xae8/0xb88
       Backtrace:
        [<00000000404a6980>] unmap_page_range+0xae8/0xb88
        [<00000000404a6ae0>] unmap_single_vma+0xc0/0x188
        [<00000000404a6cdc>] zap_page_range_single+0x134/0x1f8
        [<00000000404a702c>] unmap_mapping_range+0x1cc/0x208
        [<0000000040461518>] truncate_pagecache+0x98/0x108
        [<0000000040461624>] truncate_setsize+0x9c/0xb8
        [<00000000405d7f30>] put_aio_ring_file+0x80/0x100
        [<00000000405d803c>] aio_free_ring+0x8c/0x290
        [<00000000405d82c0>] free_ioctx+0x80/0x180
        [<0000000040284e6c>] process_one_work+0x21c/0x668
        [<00000000402854c4>] worker_thread+0x20c/0x778
        [<0000000040291d44>] kthread+0x2d4/0x2e0
        [<0000000040204020>] end_fault_vector+0x20/0xc0
      
      This indicates that we need to handle the no context case in
      flush_cache_range() as we do in flush_cache_mm().
      
      In thinking about this, I realized that we don't need to flush the TLB
      when there is no context.  So, I added context checks to the large flush
      cases in flush_cache_mm() and flush_cache_range().  The large flush case
      occurs frequently in flush_cache_mm() and the change should improve fork
      performance.
      
      The v2 version of this change removes the BUG_ON from flush_cache_page()
      by skipping the TLB flush when there is no context.  I also added code
      to flush the TLB in flush_cache_mm() and flush_cache_range() when we
      have a context that's not current.  Now all three routines handle TLB
      flushes in a similar manner.
      Signed-off-by: John David Anglin <dave.anglin@bell.net>
      Cc: stable@vger.kernel.org # 4.9+
      Signed-off-by: Helge Deller <deller@gmx.de>
  6. 16 Mar, 2018 15 commits
    • Merge tag 'for-4.16-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 8f5fd927
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "There's an important revert in this pull request that needs to go to
        stable as it causes a corruption on big endian machines.
      
        The other fix is for FIEMAP incorrectly reporting shared extents
        before a sync and one fix for a crash in raid56.
      
        So far we got only one report about the BE corruption, the stable
        kernels were out for like a week, so hopefully the scope of the damage
        is low"
      
      * tag 'for-4.16-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        Revert "btrfs: use proper endianness accessors for super_copy"
        btrfs: add missing initialization in btrfs_check_shared
        btrfs: Fix NULL pointer exception in find_bio_stripe
    • Merge tag 'microblaze-4.16-rc6' of git://git.monstr.eu/linux-2.6-microblaze · 8757ae23
      Linus Torvalds authored
      Pull microblaze fixes from Michal Simek:
      
       - Use NO_BOOTMEM to fix boot issue
      
       - Fix opt lib endian dependencies
      
      * tag 'microblaze-4.16-rc6' of git://git.monstr.eu/linux-2.6-microblaze:
        microblaze: switch to NO_BOOTMEM
        microblaze: remove unused alloc_maybe_bootmem
        microblaze: Setup dependencies for ASM optimized lib functions
      8757ae23
    • Borislav Petkov's avatar
      x86/microcode: Fix CPU synchronization routine · bb8c13d6
      Borislav Petkov authored
      Emanuel reported an issue with a hang during microcode update because my
      dumb idea to use one atomic synchronization variable for both rendezvous
      - before and after update - was simply bollocks:
      
        microcode: microcode_reload_late: late_cpus: 4
        microcode: __reload_late: cpu 2 entered
        microcode: __reload_late: cpu 1 entered
        microcode: __reload_late: cpu 3 entered
        microcode: __reload_late: cpu 0 entered
        microcode: __reload_late: cpu 1 left
        microcode: Timeout while waiting for CPUs rendezvous, remaining: 1
      
      CPU1 above would finish, leave and the others will still spin waiting for
      it to join.
      
      So do two synchronization atomics instead, which makes the code a lot more
      straightforward.
      
      Also, since the update is serialized and it also takes quite some time per
      microcode engine, increase the exit timeout by the number of CPUs on the
      system.
      
      That's ok because the moment all CPUs are done, that timeout will be cut
      short.
      
      Furthermore, panic when some of the CPUs time out when returning from a
      microcode update: we can't allow a system with not all cores updated.
      
      Also, as an optimization, do not do the exit sync if microcode wasn't
      updated.
      Reported-by: Emanuel Czirai <xftroxgpx@protonmail.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Tested-by: Emanuel Czirai <xftroxgpx@protonmail.com>
      Tested-by: Ashok Raj <ashok.raj@intel.com>
      Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
      Link: https://lkml.kernel.org/r/20180314183615.17629-2-bp@alien8.de
      bb8c13d6
    • Borislav Petkov's avatar
      x86/microcode: Attempt late loading only when new microcode is present · 2613f36e
      Borislav Petkov authored
      Return UCODE_NEW from the scanning functions to denote that new microcode
      was found and only then attempt the expensive synchronization dance.
      Reported-by: Emanuel Czirai <xftroxgpx@protonmail.com>
      Signed-off-by: Borislav Petkov <bp@suse.de>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Tested-by: Emanuel Czirai <xftroxgpx@protonmail.com>
      Tested-by: Ashok Raj <ashok.raj@intel.com>
      Tested-by: Tom Lendacky <thomas.lendacky@amd.com>
      Link: https://lkml.kernel.org/r/20180314183615.17629-1-bp@alien8.de
      2613f36e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.16-rc6' of git://people.freedesktop.org/~airlied/linux · 1660a76a
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "i915, amd and nouveau fixes.
      
        i915:
         - backlight fix for some panels
         - pm fix
         - fencing fix
         - some GVT fixes
      
        amdgpu:
         - backlight fix across suspend/resume
         - object destruction ordering issue fix
         - displayport fix
      
        nouveau:
         - two backlight fixes
         - fix for some lockups
      
        Pretty quiet week, seems like everyone was fixing backlights"
      
      * tag 'drm-fixes-for-v4.16-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau/bl: fix backlight regression
        drm/nouveau/bl: Fix oops on driver unbind
        drm/nouveau/mmu: ALIGN_DOWN correct variable
        drm/i915/gvt: fix user copy warning by whitelist workload rb_tail field
        drm/i915/gvt: Correct the privilege shadow batch buffer address
        drm/amdgpu/dce: Don't turn off DP sink when disconnected
        drm/amdgpu: save/restore backlight level in legacy dce code
        drm/radeon: fix prime teardown order
        drm/amdgpu: fix prime teardown order
        drm/i915: Kick the rps worker when changing the boost frequency
        drm/i915: Only prune fences after wait-for-all
        drm/i915: Enable VBT based BL control for DP
        drm/i915/gvt: keep oa config in shadow ctx
        drm/i915/gvt: Add runtime_pm_get/put into gvt_switch_mmio
      1660a76a
    • David Sterba's avatar
      Revert "btrfs: use proper endianness accessors for super_copy" · 093e037c
      David Sterba authored
      This reverts commit 3c181c12.
      
      The offending patch was merged in 4.16-rc4 and was promptly applied to
      stable kernels 4.14.25 and 4.15.8.
      
      The patch causes a corruption in several superblock items on big-endian
      machines because of messed up endianity conversions. The damage is
      manually repairable. A filesystem cannot be mounted again after it has
      been unmounted once.
      
      We do a full revert and not a fixup so stable can pick that patch ASAP.
      
      Fixes: 3c181c12 ("btrfs: use proper endianness accessors for super_copy")
      Link: https://lkml.kernel.org/r/1521139304@msgid.manchmal.in-ulm.de
      CC: stable@vger.kernel.org # 4.14+
      Reported-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
      Signed-off-by: David Sterba <dsterba@suse.com>
      093e037c
    • Tom Lendacky's avatar
      KVM: x86: Fix device passthrough when SME is active · daaf216c
      Tom Lendacky authored
      When using device passthrough with SME active, the MMIO range that is
      mapped for the device should not be mapped encrypted.  Add a check in
      set_spte() to ensure that a page is not mapped encrypted if that page
      is a device MMIO page as indicated by kvm_is_mmio_pfn().
      
      Cc: <stable@vger.kernel.org> # 4.14.x-
      Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      daaf216c
    • Rob Herring's avatar
      microblaze: switch to NO_BOOTMEM · 101646a2
      Rob Herring authored
      Microblaze doesn't set CONFIG_NO_BOOTMEM and so memblock_virt_alloc()
      doesn't work for CONFIG_HAVE_MEMBLOCK && !CONFIG_NO_BOOTMEM.
      
      A similar change was already done by other architectures
      "ARM: mm: Remove bootmem code and switch to NO_BOOTMEM"
      (sha1: 84f452b1)
      or
      "openrisc: Consolidate setup to use memblock instead of bootmem"
      (sha1: 266c7fad)
      or
      "parisc: Drop bootmem and switch to memblock"
      (sha1: 4fe9e1d9)
      or
      "powerpc: Remove bootmem allocator"
      (sha1: 10239733)
      or
      "s390/mm: Convert bootmem to memblock"
      (sha1: 50be6345)
      or
      "sparc64: Convert over to NO_BOOTMEM."
      (sha1: 625d693e)
      or
      "xtensa: drop sysmem and switch to memblock"
      (sha1: 0e46c111)
      
      Issue was introduced by:
      "of/fdt: use memblock_virt_alloc for early alloc"
      (sha1: 0fa1c579)
      Signed-off-by: Rob Herring <robh@kernel.org>
      Tested-by: Alvaro Gamez Machado <alvaro.gamez@hazent.com>
      Tested-by: Michal Simek <michal.simek@xilinx.com>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      101646a2
    • Rob Herring's avatar
      microblaze: remove unused alloc_maybe_bootmem · cd4dfee6
      Rob Herring authored
      alloc_maybe_bootmem is unused, so remove it.
      Signed-off-by: Rob Herring <robh@kernel.org>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      cd4dfee6
    • Michal Simek's avatar
      microblaze: Setup dependencies for ASM optimized lib functions · 18ffc0cc
      Michal Simek authored
      The patch:
      "microblaze: Setup proper dependency for optimized lib functions"
      (sha1: 7b6ce52b)
      didn't set up all dependencies properly.
      Optimized lib functions in C are also present for little endian
      and optimized library functions in assembler are implemented only for
      big endian version.
      Reported-by: kbuild test robot <fengguang.wu@intel.com>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      18ffc0cc
    • Alexander Sergeyev's avatar
      x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist · e3b3121f
      Alexander Sergeyev authored
      In accordance with Intel's microcode revision guidance from March 6, MCU
      rev 0xc2 is cleared on both Skylake H/S and Skylake Xeon E3 processors
      that share CPUID 506E3.
      Signed-off-by: Alexander Sergeyev <sergeev917@gmail.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Cc: Jia Zhang <qianyue.zj@alibaba-inc.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Kyle Huey <me@kylehuey.com>
      Cc: David Woodhouse <dwmw@amazon.co.uk>
      Link: https://lkml.kernel.org/r/20180313193856.GA8580@localhost.localdomain
      e3b3121f
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2018-03-15' of... · 3a1b5de3
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2018-03-15' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      Only GVT fixes:
      - Two warnings fix for runtime pm and usr copy (Xiong, Zhenyu)
      - OA context fix for vGPU profiling (Min)
      - privilege batch buffer reloc fix (Fred)
      
      * tag 'drm-intel-fixes-2018-03-15' of git://anongit.freedesktop.org/drm/drm-intel:
        drm/i915/gvt: fix user copy warning by whitelist workload rb_tail field
        drm/i915/gvt: Correct the privilege shadow batch buffer address
        drm/i915/gvt: keep oa config in shadow ctx
        drm/i915/gvt: Add runtime_pm_get/put into gvt_switch_mmio
      3a1b5de3
    • Leon Romanovsky's avatar
      RDMA/ucma: Check AF family prior resolving address · 2975d5de
      Leon Romanovsky authored
      Garbage supplied by the user will cause the UCMA module to provide zero
      memory size for memcpy(); because it wasn't checked, it will
      produce unpredictable results in rdma_resolve_addr().
      
      [   42.873814] BUG: KASAN: null-ptr-deref in rdma_resolve_addr+0xc8/0xfb0
      [   42.874816] Write of size 28 at addr 00000000000000a0 by task resaddr/1044
      [   42.876765]
      [   42.876960] CPU: 1 PID: 1044 Comm: resaddr Not tainted 4.16.0-rc1-00057-gaa56a5293d7e #34
      [   42.877840] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   42.879691] Call Trace:
      [   42.880236]  dump_stack+0x5c/0x77
      [   42.880664]  kasan_report+0x163/0x380
      [   42.881354]  ? rdma_resolve_addr+0xc8/0xfb0
      [   42.881864]  memcpy+0x34/0x50
      [   42.882692]  rdma_resolve_addr+0xc8/0xfb0
      [   42.883366]  ? deref_stack_reg+0x88/0xd0
      [   42.883856]  ? vsnprintf+0x31a/0x770
      [   42.884686]  ? rdma_bind_addr+0xc40/0xc40
      [   42.885327]  ? num_to_str+0x130/0x130
      [   42.885773]  ? deref_stack_reg+0x88/0xd0
      [   42.886217]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [   42.887698]  ? unwind_get_return_address_ptr+0x50/0x50
      [   42.888302]  ? replace_slot+0x147/0x170
      [   42.889176]  ? delete_node+0x12c/0x340
      [   42.890223]  ? __radix_tree_lookup+0xa9/0x160
      [   42.891196]  ? ucma_resolve_ip+0xb7/0x110
      [   42.891917]  ucma_resolve_ip+0xb7/0x110
      [   42.893003]  ? ucma_resolve_addr+0x190/0x190
      [   42.893531]  ? _copy_from_user+0x5e/0x90
      [   42.894204]  ucma_write+0x174/0x1f0
      [   42.895162]  ? ucma_resolve_route+0xf0/0xf0
      [   42.896309]  ? dequeue_task_fair+0x67e/0xd90
      [   42.897192]  ? put_prev_entity+0x7d/0x170
      [   42.897870]  ? ring_buffer_record_is_on+0xd/0x20
      [   42.898439]  ? tracing_record_taskinfo_skip+0x20/0x50
      [   42.899686]  __vfs_write+0xc4/0x350
      [   42.900142]  ? kernel_read+0xa0/0xa0
      [   42.900602]  ? firmware_map_remove+0xdf/0xdf
      [   42.901135]  ? do_task_dead+0x5d/0x60
      [   42.901598]  ? do_exit+0xcc6/0x1220
      [   42.902789]  ? __fget+0xa8/0xf0
      [   42.903190]  vfs_write+0xf7/0x280
      [   42.903600]  SyS_write+0xa1/0x120
      [   42.904206]  ? SyS_read+0x120/0x120
      [   42.905710]  ? compat_start_thread+0x60/0x60
      [   42.906423]  ? SyS_read+0x120/0x120
      [   42.908716]  do_syscall_64+0xeb/0x250
      [   42.910760]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   42.912735] RIP: 0033:0x7f138b0afe99
      [   42.914734] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   42.917134] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
      [   42.919487] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
      [   42.922393] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
      [   42.925266] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
      [   42.927570] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
      [   42.930047]
      [   42.932681] Disabling lock debugging due to kernel taint
      [   42.934795] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      [   42.936939] IP: memcpy_erms+0x6/0x10
      [   42.938864] PGD 80000001bea92067 P4D 80000001bea92067 PUD 1bea96067 PMD 0
      [   42.941576] Oops: 0002 [#1] SMP KASAN PTI
      [   42.943952] CPU: 1 PID: 1044 Comm: resaddr Tainted: G    B 4.16.0-rc1-00057-gaa56a5293d7e #34
      [   42.946964] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
      [   42.952336] RIP: 0010:memcpy_erms+0x6/0x10
      [   42.954707] RSP: 0018:ffff8801c8b479c8 EFLAGS: 00010286
      [   42.957227] RAX: 00000000000000a0 RBX: ffff8801c8b47ba0 RCX: 000000000000001c
      [   42.960543] RDX: 000000000000001c RSI: ffff8801c8b47bbc RDI: 00000000000000a0
      [   42.963867] RBP: ffff8801c8b47b60 R08: 0000000000000000 R09: ffffed0039168ed1
      [   42.967303] R10: 0000000000000001 R11: ffffed0039168ed0 R12: ffff8801c8b47bbc
      [   42.970685] R13: 00000000000000a0 R14: 1ffff10039168f4a R15: 0000000000000000
      [   42.973631] FS:  00007f138b79a700(0000) GS:ffff8801e5d00000(0000) knlGS:0000000000000000
      [   42.976831] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.979239] CR2: 00000000000000a0 CR3: 00000001be908002 CR4: 00000000003606a0
      [   42.982060] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   42.984877] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   42.988033] Call Trace:
      [   42.990487]  rdma_resolve_addr+0xc8/0xfb0
      [   42.993202]  ? deref_stack_reg+0x88/0xd0
      [   42.996055]  ? vsnprintf+0x31a/0x770
      [   42.998707]  ? rdma_bind_addr+0xc40/0xc40
      [   43.000985]  ? num_to_str+0x130/0x130
      [   43.003410]  ? deref_stack_reg+0x88/0xd0
      [   43.006302]  ? __read_once_size_nocheck.constprop.6+0x10/0x10
      [   43.008780]  ? unwind_get_return_address_ptr+0x50/0x50
      [   43.011178]  ? replace_slot+0x147/0x170
      [   43.013517]  ? delete_node+0x12c/0x340
      [   43.016019]  ? __radix_tree_lookup+0xa9/0x160
      [   43.018755]  ? ucma_resolve_ip+0xb7/0x110
      [   43.021270]  ucma_resolve_ip+0xb7/0x110
      [   43.023968]  ? ucma_resolve_addr+0x190/0x190
      [   43.026312]  ? _copy_from_user+0x5e/0x90
      [   43.029384]  ucma_write+0x174/0x1f0
      [   43.031861]  ? ucma_resolve_route+0xf0/0xf0
      [   43.034782]  ? dequeue_task_fair+0x67e/0xd90
      [   43.037483]  ? put_prev_entity+0x7d/0x170
      [   43.040215]  ? ring_buffer_record_is_on+0xd/0x20
      [   43.042990]  ? tracing_record_taskinfo_skip+0x20/0x50
      [   43.045595]  __vfs_write+0xc4/0x350
      [   43.048624]  ? kernel_read+0xa0/0xa0
      [   43.051604]  ? firmware_map_remove+0xdf/0xdf
      [   43.055379]  ? do_task_dead+0x5d/0x60
      [   43.058000]  ? do_exit+0xcc6/0x1220
      [   43.060783]  ? __fget+0xa8/0xf0
      [   43.063133]  vfs_write+0xf7/0x280
      [   43.065677]  SyS_write+0xa1/0x120
      [   43.068647]  ? SyS_read+0x120/0x120
      [   43.071179]  ? compat_start_thread+0x60/0x60
      [   43.074025]  ? SyS_read+0x120/0x120
      [   43.076705]  do_syscall_64+0xeb/0x250
      [   43.079006]  entry_SYSCALL_64_after_hwframe+0x21/0x86
      [   43.081606] RIP: 0033:0x7f138b0afe99
      [   43.083679] RSP: 002b:00007f138b799e98 EFLAGS: 00000287 ORIG_RAX: 0000000000000001
      [   43.086802] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f138b0afe99
      [   43.089989] RDX: 000000000000002e RSI: 0000000020000c40 RDI: 0000000000000004
      [   43.092866] RBP: 00007f138b799ec0 R08: 00007f138b79a700 R09: 0000000000000000
      [   43.096233] R10: 00007f138b79a700 R11: 0000000000000287 R12: 00007f138b799fc0
      [   43.098913] R13: 0000000000000000 R14: 00007ffdbae757c0 R15: 00007f138b79a9c0
      [   43.101809] Code: 90 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48
      c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48
      89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38
      [   43.107950] RIP: memcpy_erms+0x6/0x10 RSP: ffff8801c8b479c8
      
      Reported-by: <syzbot+1d8c43206853b369d00c@syzkaller.appspotmail.com>
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Reviewed-by: Sean Hefty <sean.hefty@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      2975d5de
    • Dave Airlie's avatar
      Merge branch 'linux-4.16' of git://github.com/skeggsb/linux into drm-fixes · d4487b57
      Dave Airlie authored
      nouveau regression fixes.
      
      * 'linux-4.16' of git://github.com/skeggsb/linux:
        drm/nouveau/bl: fix backlight regression
        drm/nouveau/bl: Fix oops on driver unbind
        drm/nouveau/mmu: ALIGN_DOWN correct variable
      d4487b57
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · df09348f
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
      
       - backport-friendly part of lock_parent() race fix
      
       - a fix for an assumption in the heuristic used by path_connected() that
         is not true on NFS
      
       - livelock fixes for d_alloc_parallel()
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        fs: Teach path_connected to handle nfs filesystems with multiple roots.
        fs: dcache: Use READ_ONCE when accessing i_dir_seq
        fs: dcache: Avoid livelock between d_alloc_parallel and __d_add
        lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
      df09348f