1. 11 Feb, 2019 3 commits
    • Sergei Trofimovich's avatar
      alpha: fix page fault handling for r16-r18 targets · 491af60f
      Sergei Trofimovich authored
      Fix page fault handling code to fixup r16-r18 registers.
      Before the patch code had off-by-two registers bug.
      This bug caused overwriting of ps,pc,gp registers instead
      of fixing intended r16,r17,r18 (see `struct pt_regs`).
      
      More details:
      
      Initially Dmitry noticed a kernel bug as a failure
      on strace test suite. Test passes unmapped userspace
      pointer to io_submit:
      
      ```c
          #include <err.h>
          #include <unistd.h>
          #include <sys/mman.h>
          #include <asm/unistd.h>
          int main(void)
          {
              unsigned long ctx = 0;
              if (syscall(__NR_io_setup, 1, &ctx))
                  err(1, "io_setup");
              const size_t page_size = sysconf(_SC_PAGESIZE);
              const size_t size = page_size * 2;
              void *ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
              if (MAP_FAILED == ptr)
                  err(1, "mmap(%zu)", size);
              if (munmap(ptr, size))
                  err(1, "munmap");
              syscall(__NR_io_submit, ctx, 1, ptr + page_size);
              syscall(__NR_io_destroy, ctx);
              return 0;
          }
      ```
      
      Running this test causes kernel to crash when handling page fault:
      
      ```
          Unable to handle kernel paging request at virtual address ffffffffffff9468
          CPU 3
          aio(26027): Oops 0
          pc = [<fffffc00004eddf8>]  ra = [<fffffc00004edd5c>]  ps = 0000    Not tainted
          pc is at sys_io_submit+0x108/0x200
          ra is at sys_io_submit+0x6c/0x200
          v0 = fffffc00c58e6300  t0 = fffffffffffffff2  t1 = 000002000025e000
          t2 = fffffc01f159fef8  t3 = fffffc0001009640  t4 = fffffc0000e0f6e0
          t5 = 0000020001002e9e  t6 = 4c41564e49452031  t7 = fffffc01f159c000
          s0 = 0000000000000002  s1 = 000002000025e000  s2 = 0000000000000000
          s3 = 0000000000000000  s4 = 0000000000000000  s5 = fffffffffffffff2
          s6 = fffffc00c58e6300
          a0 = fffffc00c58e6300  a1 = 0000000000000000  a2 = 000002000025e000
          a3 = 00000200001ac260  a4 = 00000200001ac1e8  a5 = 0000000000000001
          t8 = 0000000000000008  t9 = 000000011f8bce30  t10= 00000200001ac440
          t11= 0000000000000000  pv = fffffc00006fd320  at = 0000000000000000
          gp = 0000000000000000  sp = 00000000265fd174
          Disabling lock debugging due to kernel taint
          Trace:
          [<fffffc0000311404>] entSys+0xa4/0xc0
      ```
      
      Here `gp` has invalid value. `gp is s overwritten by a fixup for the
      following page fault handler in `io_submit` syscall handler:
      
      ```
          __se_sys_io_submit
          ...
              ldq     a1,0(t1)
              bne     t0,4280 <__se_sys_io_submit+0x180>
      ```
      
      After a page fault `t0` should contain -EFALUT and `a1` is 0.
      Instead `gp` was overwritten in place of `a1`.
      
      This happens due to a off-by-two bug in `dpf_reg()` for `r16-r18`
      (aka `a0-a2`).
      
      I think the bug went unnoticed for a long time as `gp` is one
      of scratch registers. Any kernel function call would re-calculate `gp`.
      
      Dmitry tracked down the bug origin back to 2.1.32 kernel version
      where trap_a{0,1,2} fields were inserted into struct pt_regs.
      And even before that `dpf_reg()` contained off-by-one error.
      
      Cc: Richard Henderson <rth@twiddle.net>
      Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
      Cc: linux-alpha@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reported-and-reviewed-by: default avatar"Dmitry V. Levin" <ldv@altlinux.org>
      Cc: stable@vger.kernel.org # v2.1.32+
      Bug: https://bugs.gentoo.org/672040Signed-off-by: default avatarSergei Trofimovich <slyfox@gentoo.org>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      491af60f
    • Meelis Roos's avatar
      alpha: Fix Eiger NR_IRQS to 128 · bfc91368
      Meelis Roos authored
      Eiger machine vector definition has nr_irqs 128, and working 2.6.26
      boot shows SCSI getting IRQ-s 64 and 65. Current kernel boot fails
      because Symbios SCSI fails to request IRQ-s and does not find the disks.
      It has been broken at least since 3.18 - the earliest I could test with
      my gcc-5.
      
      The headers have moved around and possibly another order of defines has
      worked in the past - but since 128 seems to be correct and used, fix
      arch/alpha/include/asm/irq.h to have NR_IRQS=128 for Eiger.
      
      This fixes 4.19-rc7 boot on my Force Flexor A264 (Eiger subarch).
      
      Cc: stable@vger.kernel.org # v3.18+
      Signed-off-by: default avatarMeelis Roos <mroos@linux.ee>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      bfc91368
    • Bob Tracy's avatar
      tools uapi: fix Alpha support · 842fc0f5
      Bob Tracy authored
      Cc: stable@vger.kernel.org # v4.18+
      Signed-off-by: default avatarBob Tracy <rct@frus.com>
      Signed-off-by: default avatarMatt Turner <mattst88@gmail.com>
      842fc0f5
  2. 10 Feb, 2019 7 commits
  3. 09 Feb, 2019 9 commits
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · df3865f8
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "One PM related driver bugfix and a MAINTAINERS update"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        MAINTAINERS: Update the ocores i2c bus driver maintainer, etc
        i2c: omap: Use noirq system sleep pm ops to idle device for suspend
      df3865f8
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.0_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · e8b50608
      Linus Torvalds authored
      Pull MIPS fixes from Paul Burton:
       "A batch of MIPS fixes for 5.0, nothing too scary.
      
         - A workaround for a Loongson 3 CPU bug is the biggest change, but
           still fairly straightforward. It adds extra memory barriers (sync
           instructions) around atomics to avoid a CPU bug that can break
           atomicity.
      
         - Loongson64 also sees a fix for powering off some systems which
           would incorrectly reboot rather than waiting for the power down
           sequence to complete.
      
         - We have DT fixes for the Ingenic JZ4740 SoC & the JZ4780-based Ci20
           board, and a DT warning fix for the Nexsys4/MIPSfpga board.
      
         - The Cavium Octeon platform sees a further fix to the behaviour of
           the pcie_disable command line argument that was introduced in v3.3.
      
         - The VDSO, introduced in v4.4, sees build fixes for configurations
           of GCC that were built using the --with-fp-32= flag to specify a
           default 32-bit floating point ABI.
      
         - get_frame_info() sees a fix for configurations with
           CONFIG_KALLSYMS=n, for which it previously always returned an
           error.
      
         - If the MIPS Coherence Manager (CM) reports an error then we'll now
           clear that error correctly so that the GCR_ERROR_CAUSE register
           will be updated with information about any future errors"
      
      * tag 'mips_fixes_5.0_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        mips: cm: reprime error cause
        mips: loongson64: remove unreachable(), fix loongson_poweroff().
        MIPS: Remove function size check in get_frame_info()
        MIPS: Use lower case for addresses in nexys4ddr.dts
        MIPS: Loongson: Introduce and use loongson_llsc_mb()
        MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
        MIPS: VDSO: Use same -m%-float cflag as the kernel proper
        MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
        DTS: CI20: Fix bugs in ci20's device tree.
        MIPS: DTS: jz4740: Correct interrupt number of DMA core
      e8b50608
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20190209' of git://git.kernel.dk/linux-block · e5a8a116
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - NVMe pull request from Christoph, fixing namespace locking when
         dealing with the effects log, and a rapid add/remove issue (Keith)
      
       - blktrace tweak, ensuring requests with -1 sectors are shown (Jan)
      
       - link power management quirk for a Smasung SSD (Hans)
      
       - m68k nfblock dynamic major number fix (Chengguang)
      
       - series fixing blk-iolatency inflight counter issue (Liu)
      
       - ensure that we clear ->private when setting up the aio kiocb (Mike)
      
       - __find_get_block_slow() rate limit print (Tetsuo)
      
      * tag 'for-linus-20190209' of git://git.kernel.dk/linux-block:
        blk-mq: remove duplicated definition of blk_mq_freeze_queue
        Blk-iolatency: warn on negative inflight IO counter
        blk-iolatency: fix IO hang due to negative inflight counter
        blktrace: Show requests without sector
        fs: ratelimit __find_get_block_slow() failure message.
        m68k: set proper major_num when specifying module param major_num
        libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
        nvme-pci: fix rapid add remove sequence
        nvme: lock NS list changes while handling command effects
        aio: initialize kiocb private in case any filesystems expect it.
      e5a8a116
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.0-rc6' of git://git.infradead.org/linux-mtd · 5610789a
      Linus Torvalds authored
      Pull mtd fixes from Boris Brezillon:
      
       - Fix a problem with the imx28 ECC engine
      
       - Remove a debug trace introduced in 2b6f0090 ("mtd: Check
         add_mtd_device() ret code")
      
       - Make sure partitions of size 0 can be registered
      
       - Fix kernel-doc warning in the rawnand core
      
       - Fix the error path of spinand_init() (missing manufacturer cleanup in
         a few places)
      
       - Address a problem with the SPI NAND PROGRAM LOAD operation which does
         not work as expected on some parts.
      
      * tag 'mtd/fixes-for-5.0-rc6' of git://git.infradead.org/linux-mtd:
        mtd: rawnand: gpmi: fix MX28 bus master lockup problem
        mtd: Make sure mtd->erasesize is valid even if the partition is of size 0
        mtd: Remove a debug trace in mtdpart.c
        mtd: rawnand: fix kernel-doc warnings
        mtd: spinand: Fix the error/cleanup path in spinand_init()
        mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache
      5610789a
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.0-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 3e5e692f
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
       "Two very minor fixes: one remove of a #include for an unused header
        and a fix of the xen ML address in MAINTAINERS"
      
      * tag 'for-linus-5.0-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        MAINTAINERS: unify reference to xen-devel list
        arch/arm/xen: Remove duplicate header
      3e5e692f
    • Ingo Molnar's avatar
      Merge tag 'perf-urgent-for-mingo-5.0-20190205' of... · 3bb26006
      Ingo Molnar authored
      Merge tag 'perf-urgent-for-mingo-5.0-20190205' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent
      
      Pull perf/urgent fixes from Arnaldo Carvalho de Melo:
      
      perf trace:
      
        Arnaldo Carvalho de Melo:
      
          Fix handling of probe:vfs_getname when the probed routine is
          inlined in multiple places, fixing the collection of the 'filename'
          parameter in open syscalls.
      
      perf test:
      
        Gustavo A. R. Silva:
      
          Fix bitwise operator usage in evsel-tp-sched test, which made tat
          test always detect fields as signed.
      
        Jiri Olsa:
      
          Filter out hidden symbols from labels, added in systems where the
          annobin plugin is used, such as RHEL8, which, if left in place make
          the DWARF unwind 'perf test' to fail on PPC.
      
        Tony Jones:
      
          Fix 'perf_event_attr' tests when building with python3.
      
      perf mem/c2c:
      
        Ravi Bangoria:
      
          Fix perf_mem_events on PowerPC.
      
      tools headers UAPI:
      
        Arnaldo Carvalho de Melo:
      
          Sync linux/in.h copy from the kernel sources, silencing a perf build warning.
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      3bb26006
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 46c291e2
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "This is a bit larger than normal, as we had not managed to send out a
        pull request before traveling for a week without my signing key.
      
        There are multiple code fixes for older bugs, all of which should get
        backported into stable kernels:
      
         - tango: one fix for multiplatform configurations broken on other
           platforms when tango is enabled
      
         - arm_scmi: device unregistration fix
      
         - iop32x: fix kernel oops from extraneous __init annotation
      
         - pxa: remove a double kfree
      
         - fsl qbman: close an interrupt clearing race
      
        The rest is the usual collection of smaller fixes for device tree
        files, on the renesas, allwinner, meson, omap, davinci, qualcomm and
        imx platforms.
      
        Some of these are for compile-time warnings, most are for board
        specific functionality that fails to work because of incorrect
        settings"
      
      * tag 'armsoc-fixes-5.0' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (30 commits)
        ARM: tango: Improve ARCH_MULTIPLATFORM compatibility
        firmware: arm_scmi: provide the mandatory device release callback
        ARM: iop32x/n2100: fix PCI IRQ mapping
        arm64: dts: add msm8996 compatible to gicv3
        ARM: dts: am335x-shc.dts: fix wrong cd pin level
        ARM: dts: n900: fix mmc1 card detect gpio polarity
        ARM: dts: omap3-gta04: Fix graph_port warning
        ARM: pxa: ssp: unneeded to free devm_ allocated data
        ARM: dts: r8a7743: Convert to new LVDS DT bindings
        soc: fsl: qbman: avoid race in clearing QMan interrupt
        arm64: dts: renesas: r8a77965: Enable DMA for SCIF2
        arm64: dts: renesas: r8a7796: Enable DMA for SCIF2
        arm64: dts: renesas: r8a774a1: Enable DMA for SCIF2
        ARM: dts: da850: fix interrupt numbers for clocksource
        dt-bindings: imx8mq: Number clocks consecutively
        arm64: dts: meson: Fix mmc cd-gpios polarity
        ARM: dts: imx6sx: correct backward compatible of gpt
        ARM: dts: imx: replace gpio-key,wakeup with wakeup-source property
        ARM: dts: vf610-bk4: fix incorrect #address-cells for dspi3
        ARM: dts: meson8m2: mxiii-plus: mark the SD card detection GPIO active-low
        ...
      46c291e2
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 5bb513ed
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "Two arm64 fixes for -rc6. They resolve a kernel NULL dereference in
        kexec and bogus kernel page table dumping when userspace is configured
        for 52-bit virtual addressing.
      
        Summary:
      
         - Fix kernel oops when attemping kexec_file() with a NULL cmdline
      
         - Fix page table output in debugfs when ARM64_USER_VA_BITS_52=y"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: kexec_file: handle empty command-line
        arm64: ptdump: Don't iterate kernel page tables using PTRS_PER_PXX
      5bb513ed
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 820828bf
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Just two fixes, both going to stable.
      
         - Our support for split pmd page table lock had a bug which could
           lead to a crash on mremap() when using the Radix MMU (Power9 only).
      
         - A fix for the PAPR SCM driver (nvdimm) we added last release, which
           had a bug where we might mis-handle a hypervisor response leading
           to us failing to attach the memory region.
      
        Thanks to: Aneesh Kumar K.V, Oliver O'Halloran"
      
      * tag 'powerpc-5.0-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/papr_scm: Use the correct bind address
        powerpc/radix: Fix kernel crash with mremap()
      820828bf
  4. 08 Feb, 2019 21 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · 6b2912ce
      Linus Torvalds authored
      Pull signal fixes from Eric Biederman:
       "This contains four small fixes for signal handling. A missing range
        check, a regression fix, prioritizing signals we have already started
        a signal group exit for, and better detection of synchronous signals.
      
        The confused decision of which signals to handle failed spectacularly
        when a timer was pointed at SIGBUS and the stack overflowed. Resulting
        in an unkillable process in an infinite loop instead of a SIGSEGV and
        core dump"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        signal: Better detection of synchronous signals
        signal: Always notice exiting tasks
        signal: Always attempt to allocate siginfo for SIGSTOP
        signal: Make siginmask safe when passed a signal of 0
      6b2912ce
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 3b6e8204
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is a set of five minor fixes (although, tecnhincally, the aicxxx
        fix is for a major problem in that the driver won't load without it,
        but I think the fact it's taken us since 4.10 to discover this
        indicates that the user base for these things has declined)"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: cxlflash: Prevent deadlock when adapter probe fails
        Revert "scsi: libfc: Add WARN_ON() when deleting rports"
        scsi: sd_zbc: Fix zone information messages
        scsi: target: make the pi_prot_format ConfigFS path readable
        scsi: aic94xx: fix module loading
      3b6e8204
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 2e277fa0
      Linus Torvalds authored
      Pull IOMMU fix from Joerg Roedel:
       "Intel decided to leave the newly added Scalable Mode Feature
        default-disabled for now. The patch here accomplishes that"
      
      * tag 'iommu-fixes-v5.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/vt-d: Leave scalable mode default off
      2e277fa0
    • Linus Torvalds's avatar
      Merge tag 'pci-v5.0-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 70be9ac2
      Linus Torvalds authored
      Pull PCI fix from Bjorn Helgaas:
       "Work around Synopsys duplicate Device ID (HAPS USB3, NXP i.MX) that
        breaks PCIe on I.MX SoCs (Thinh Nguyen)"
      
      * tag 'pci-v5.0-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Work around Synopsys duplicate Device ID (HAPS USB3, NXP i.MX)
      70be9ac2
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · e2dac603
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "This prevents excessive ACPI debug messages from being printed to the
        kernel log, which has started to happen after one of the recent ACPICA
        commits (Erik Schmauss)"
      
      * tag 'acpi-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: Set debug output flags independent of ACPICA
      e2dac603
    • Andrew Lunn's avatar
      MAINTAINERS: Update the ocores i2c bus driver maintainer, etc · 13c80dda
      Andrew Lunn authored
      The listed maintainer has not been responding to emails for a while.
      Add myself as a second maintainer.
      
      Add the platform data include file, which was not listed.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      13c80dda
    • Liu Bo's avatar
      blk-mq: remove duplicated definition of blk_mq_freeze_queue · 26984841
      Liu Bo authored
      As the prototype has been defined in "include/linux/blk-mq.h", the one
      in "block/blk-mq.h" can be removed then.
      Signed-off-by: default avatarLiu Bo <bo.liu@linux.alibaba.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      26984841
    • Liu Bo's avatar
      Blk-iolatency: warn on negative inflight IO counter · 391f552a
      Liu Bo authored
      This is to catch any unexpected negative value of inflight IO counter.
      Signed-off-by: default avatarLiu Bo <bo.liu@linux.alibaba.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      391f552a
    • Liu Bo's avatar
      blk-iolatency: fix IO hang due to negative inflight counter · 8c772a9b
      Liu Bo authored
      Our test reported the following stack, and vmcore showed that
      ->inflight counter is -1.
      
      [ffffc9003fcc38d0] __schedule at ffffffff8173d95d
      [ffffc9003fcc3958] schedule at ffffffff8173de26
      [ffffc9003fcc3970] io_schedule at ffffffff810bb6b6
      [ffffc9003fcc3988] blkcg_iolatency_throttle at ffffffff813911cb
      [ffffc9003fcc3a20] rq_qos_throttle at ffffffff813847f3
      [ffffc9003fcc3a48] blk_mq_make_request at ffffffff8137468a
      [ffffc9003fcc3b08] generic_make_request at ffffffff81368b49
      [ffffc9003fcc3b68] submit_bio at ffffffff81368d7d
      [ffffc9003fcc3bb8] ext4_io_submit at ffffffffa031be00 [ext4]
      [ffffc9003fcc3c00] ext4_writepages at ffffffffa03163de [ext4]
      [ffffc9003fcc3d68] do_writepages at ffffffff811c49ae
      [ffffc9003fcc3d78] __filemap_fdatawrite_range at ffffffff811b6188
      [ffffc9003fcc3e30] filemap_write_and_wait_range at ffffffff811b6301
      [ffffc9003fcc3e60] ext4_sync_file at ffffffffa030cee8 [ext4]
      [ffffc9003fcc3ea8] vfs_fsync_range at ffffffff8128594b
      [ffffc9003fcc3ee8] do_fsync at ffffffff81285abd
      [ffffc9003fcc3f18] sys_fsync at ffffffff81285d50
      [ffffc9003fcc3f28] do_syscall_64 at ffffffff81003c04
      [ffffc9003fcc3f50] entry_SYSCALL_64_after_swapgs at ffffffff81742b8e
      
      The ->inflight counter may be negative (-1) if
      
      1) blk-iolatency was disabled when the IO was issued,
      
      2) blk-iolatency was enabled before this IO reached its endio,
      
      3) the ->inflight counter is decreased from 0 to -1 in endio()
      
      In fact the hang can be easily reproduced by the below script,
      
      H=/sys/fs/cgroup/unified/
      P=/sys/fs/cgroup/unified/test
      
      echo "+io" > $H/cgroup.subtree_control
      mkdir -p $P
      
      echo $$ > $P/cgroup.procs
      
      xfs_io -f -d -c "pwrite 0 4k" /dev/sdg
      
      echo "`cat /sys/block/sdg/dev` target=1000000" > $P/io.latency
      
      xfs_io -f -d -c "pwrite 0 4k" /dev/sdg
      
      This fixes the problem by freezing the queue so that while
      enabling/disabling iolatency, there is no inflight rq running.
      
      Note that quiesce_queue is not needed as this only updating iolatency
      configuration about which dispatching request_queue doesn't care.
      Signed-off-by: default avatarLiu Bo <bo.liu@linux.alibaba.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      8c772a9b
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 27b4ad62
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "This pull request is dedicated to the upcoming snowpocalypse parts 2
        and 3 in the Pacific Northwest:
      
         1) Drop profiles are broken because some drivers use dev_kfree_skb*
            instead of dev_consume_skb*, from Yang Wei.
      
         2) Fix IWLWIFI kconfig deps, from Luca Coelho.
      
         3) Fix percpu maps updating in bpftool, from Paolo Abeni.
      
         4) Missing station release in batman-adv, from Felix Fietkau.
      
         5) Fix some networking compat ioctl bugs, from Johannes Berg.
      
         6) ucc_geth must reset the BQL queue state when stopping the device,
            from Mathias Thore.
      
         7) Several XDP bug fixes in virtio_net from Toshiaki Makita.
      
         8) TSO packets must be sent always on queue 0 in stmmac, from Jose
            Abreu.
      
         9) Fix socket refcounting bug in RDS, from Eric Dumazet.
      
        10) Handle sparse cpu allocations in bpf selftests, from Martynas
            Pumputis.
      
        11) Make sure mgmt frames have enough tailroom in mac80211, from Felix
            Feitkau.
      
        12) Use safe list walking in sctp_sendmsg() asoc list traversal, from
            Greg Kroah-Hartman.
      
        13) Make DCCP's ccid_hc_[rt]x_parse_options always check for NULL
            ccid, from Eric Dumazet.
      
        14) Need to reload WoL password into bcmsysport device after deep
            sleeps, from Florian Fainelli.
      
        15) Remove filter from mask before freeing in cls_flower, from Petr
            Machata.
      
        16) Missing release and use after free in error paths of s390 qeth
            code, from Julian Wiedmann.
      
        17) Fix lockdep false positive in dsa code, from Marc Zyngier.
      
        18) Fix counting of ATU violations in mv88e6xxx, from Andrew Lunn.
      
        19) Fix EQ firmware assert in qed driver, from Manish Chopra.
      
        20) Don't default Caivum PTP to Y in kconfig, from Bjorn Helgaas"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (116 commits)
        net: dsa: b53: Fix for failure when irq is not defined in dt
        sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
        geneve: should not call rt6_lookup() when ipv6 was disabled
        net: Don't default Cavium PTP driver to 'y'
        net: broadcom: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: via-velocity: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: tehuti: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: sun: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: fsl_ucc_hdlc: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: fec_mpc52xx: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: smsc: epic100: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: dscc4: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: tulip: de2104x: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net: defxx: replace dev_kfree_skb_irq by dev_consume_skb_irq for drop profiles
        net/mlx5e: Don't overwrite pedit action when multiple pedit used
        net/mlx5e: Update hw flows when encap source mac changed
        qed*: Advance drivers version to 8.37.0.20
        qed: Change verbosity for coalescing message.
        qede: Fix system crash on configuring channels.
        qed: Consider TX tcs while deriving the max num_queues for PF.
        ...
      27b4ad62
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 68090543
      Linus Torvalds authored
      Pull char/misc fixes from Greg KH:
       "Here are some small char and misc driver fixes for 5.0-rc6.
      
        Nothing huge here, some more binderfs fixups found as people use it,
        and there is a "large" selftest added to validate the binderfs code,
        which makes up the majority of this pull request.
      
        There's also some small mei and mic fixes to resolve some reported
        issues.
      
        All of these have been in linux-next for over a week with no reported
        issues"
      
      * tag 'char-misc-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        mic: vop: Fix crash on remove
        mic: vop: Fix use-after-free on remove
        binderfs: remove separate device_initcall()
        fpga: stratix10-soc: fix wrong of_node_put() in init function
        mic: vop: Fix broken virtqueues
        mei: free read cb on ctrl_wr list flush
        samples: mei: use /dev/mei0 instead of /dev/mei
        mei: me: add ice lake point device id.
        binderfs: respect limit on binder control creation
        binder: fix CONFIG_ANDROID_BINDER_DEVICES
        selftests: add binderfs selftests
      68090543
    • Linus Torvalds's avatar
      Merge tag 'driver-core-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core · 8c8e62cc
      Linus Torvalds authored
      Pull driver core fixes from Greg KH:
       "Here are some driver core fixes for 5.0-rc6.
      
        Well, not so much "driver core" as "debugfs". There's a lot of
        outstanding debugfs cleanup patches coming in through different
        subsystem trees, and in that process the debugfs core was found that
        it really should return errors when something bad happens, to prevent
        random files from showing up in the root of debugfs afterward. So
        debugfs was fixed up to handle this properly, and then two fixes for
        the relay and blk-mq code was needed as it was making invalid
        assumptions about debugfs return values.
      
        There's also a cacheinfo fix in here that resolves a tiny issue.
      
        All of these have been in linux-next for over a week with no reported
        problems"
      
      * tag 'driver-core-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
        blk-mq: protect debugfs_create_files() from failures
        relay: check return of create_buf_file() properly
        debugfs: debugfs_lookup() should return NULL if not found
        debugfs: return error values, not NULL
        debugfs: fix debugfs_rename parameter checking
        cacheinfo: Keep the old value if of_property_read_u32 fails
      8c8e62cc
    • Linus Torvalds's avatar
      Merge tag 'staging-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · e464f50c
      Linus Torvalds authored
      Pull staging/IIO driver fixes from Greg KH:
       "Here are some small iio and staging driver fixes for 5.0-rc6.
      
        Nothing big, just resolve some reported IIO driver issues, and one
        staging driver bug. One staging driver patch was added and then
        reverted as well.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        Revert "staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()"
        staging: erofs: keep corrupted fs from crashing kernel in erofs_namei()
        staging: octeon: fix broken phylib usage
        iio: ti-ads8688: Update buffer allocation for timestamps
        tools: iio: iio_generic_buffer: make num_loops signed
        iio: adc: axp288: Fix TS-pin handling
        iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
      e464f50c
    • Linus Torvalds's avatar
      Merge tag 'tty-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · e22a15d1
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are some small tty and serial fixes for 5.0-rc6.
      
        Nothing huge, just a few small fixes for reported issues. The speakup
        fix is in here as it is a tty operation issue.
      
        All of these have been in linux-next for a while with no reported
        problems"
      
      * tag 'tty-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: fix race between flush_to_ldisc and tty_open
        staging: speakup: fix tty-operation NULL derefs
        serial: sh-sci: Do not free irqs that have already been freed
        serial: 8250_pci: Make PCI class test non fatal
        tty: serial: 8250_mtk: Fix potential NULL pointer dereference
      e22a15d1
    • Linus Torvalds's avatar
      Merge tag 'usb-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 00a159a0
      Linus Torvalds authored
      Pull USB fixes from Grek KH:
       "Here are some small USB fixes for 5.0-rc6.
      
        Nothing huge, the normal amount of USB gadget fixes as well as some
        USB phy fixes. There's also a typec fix as well. Full details are in
        the shortlog.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'usb-5.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: typec: tcpm: Correct the PPS out_volt calculation
        usb: gadget: musb: fix short isoc packets with inventra dma
        usb: phy: am335x: fix race condition in _probe
        usb: dwc3: exynos: Fix error handling of clk_prepare_enable
        usb: phy: fix link errors
        usb: gadget: udc: net2272: Fix bitwise and boolean operations
        usb: dwc3: gadget: Handle 0 xfer length for OUT EP
      00a159a0
    • Linus Torvalds's avatar
      Merge tag 'xfs-5.0-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · bd5ff862
      Linus Torvalds authored
      Pull xfs fixes from Darrick Wong:
       "Here are a handful of XFS fixes to fix a data corruption problem, a
        crasher bug, and a deadlock.
      
        Summary:
      
         - Fix cache coherency problem with writeback mappings
      
         - Fix buffer deadlock when shutting fs down
      
         - Fix a null pointer dereference when running online repair"
      
      * tag 'xfs-5.0-fixes-1' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: set buffer ops when repair probes for btree type
        xfs: end sync buffer I/O properly on shutdown error
        xfs: eof trim writeback mapping as soon as it is cached
      bd5ff862
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-02-08' of git://anongit.freedesktop.org/drm/drm · adcbc921
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Missed fixes last week as had nothing until amdgpu showed up on
        Saturday. Other stuff has since rolled in along with some more amdgpu
        fixes, so we have two weeks of those, and some i915, vmwgfx, sun4i,
        rockchip and omap fixes.
      
        amdgpu/radeon:
         - fix crash on passthrough for SI
         - fencing fix for shared buffers
         - APU hwmon fix
         - API powerplay fix
         - eDP freesync fix
         - PASID mgr locking fix
         - KFD warning fix
         - DC/powerplay fix
         - raven revision ids fix
         - vega20 doorbell fix
      
        i915:
         - SNB display fix
         - SKL srckey mask fix
         - ICL DDI clock selection fix
      
        vmwgfx:
         - DMA API fix
         - IOMMU detection fix
         - display fixes
      
        sun4i:
         - tcon clock fix
      
        rockchip:
         - SPDX identifier fix
      
        omap:
         - DSI fixes"
      
      * tag 'drm-fixes-2019-02-08' of git://anongit.freedesktop.org/drm/drm: (28 commits)
        drm/omap: dsi: Hack-fix DSI bus flags
        drm/omap: dsi: Fix OF platform depopulate
        drm/omap: dsi: Fix crash in DSI debug dumps
        drm/i915: Try to sanitize bogus DPLL state left over by broken SNB BIOSen
        drm/amd/display: Attach VRR properties for eDP connectors
        drm/amdkfd: Fix if preprocessor statement above kfd_fill_iolink_info_for_cpu
        drm/amdgpu: use spin_lock_irqsave to protect vm_manager.pasid_idr
        drm/i915: always return something on DDI clock selection
        drm/i915: Fix skl srckey mask bits
        drm/vmwgfx: Improve on IOMMU detection
        drm/vmwgfx: Fix setting of dma masks
        drm/vmwgfx: Also check for crtc status while checking for DU active
        drm/vmwgfx: Fix an uninitialized fence handle value
        drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
        drm/sun4i: tcon: Prepare and enable TCON channel 0 clock at init
        drm/amdgpu: fix the incorrect external id for raven series
        drm/amdgpu: Implement doorbell self-ring for NBIO 7.4
        drm/amd/display: Fix fclk idle state
        drm/amdgpu: Transfer fences to dmabuf importer
        drm/amd/powerplay: Fix missing break in switch
        ...
      adcbc921
    • Lukas Bulwahn's avatar
      MAINTAINERS: unify reference to xen-devel list · 9ab7d228
      Lukas Bulwahn authored
      In the linux kernel MAINTAINERS file, largely
        "xen-devel@lists.xenproject.org (moderated for non-subscribers)"
      is used to refer to the xen-devel mailing list.
      
      The DRM DRIVERS FOR XEN section entry mentions
      xen-devel@lists.xen.org instead, but that is just the same
      mailing list as the mailing list above.
      Signed-off-by: default avatarLukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      9ab7d228
    • Peter Zijlstra's avatar
      x86/mm/cpa: Fix set_mce_nospec() · 0521e8be
      Peter Zijlstra authored
      The recent commit fe0937b2 ("x86/mm/cpa: Fold cpa_flush_range() and
      cpa_flush_array() into a single cpa_flush() function") accidentally made
      the call to make_addr_canonical_again() go away, which breaks
      set_mce_nospec().
      
      Re-instate the call to convert the address back into canonical form right
      before invoking either CLFLUSH or INVLPG. Rename the function while at it
      to be shorter (and less MAGA).
      
      Fixes: fe0937b2 ("x86/mm/cpa: Fold cpa_flush_range() and cpa_flush_array() into a single cpa_flush() function")
      Reported-by: default avatarTony Luck <tony.luck@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarTony Luck <tony.luck@intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Rik van Riel <riel@surriel.com>
      Link: https://lkml.kernel.org/r/20190208120859.GH32511@hirez.programming.kicks-ass.net
      0521e8be
    • Thomas Gleixner's avatar
      futex: Handle early deadlock return correctly · 1a1fb985
      Thomas Gleixner authored
      commit 56222b21 ("futex: Drop hb->lock before enqueueing on the
      rtmutex") changed the locking rules in the futex code so that the hash
      bucket lock is not longer held while the waiter is enqueued into the
      rtmutex wait list. This made the lock and the unlock path symmetric, but
      unfortunately the possible early exit from __rt_mutex_proxy_start() due to
      a detected deadlock was not updated accordingly. That allows a concurrent
      unlocker to observe inconsitent state which triggers the warning in the
      unlock path.
      
      futex_lock_pi()                         futex_unlock_pi()
        lock(hb->lock)
        queue(hb_waiter)				lock(hb->lock)
        lock(rtmutex->wait_lock)
        unlock(hb->lock)
                                              // acquired hb->lock
                                              hb_waiter = futex_top_waiter()
                                              lock(rtmutex->wait_lock)
        __rt_mutex_proxy_start()
           ---> fail
                remove(rtmutex_waiter);
           ---> returns -EDEADLOCK
        unlock(rtmutex->wait_lock)
                                              // acquired wait_lock
                                              wake_futex_pi()
                                              rt_mutex_next_owner()
      					  --> returns NULL
                                                --> WARN
      
        lock(hb->lock)
        unqueue(hb_waiter)
      
      The problem is caused by the remove(rtmutex_waiter) in the failure case of
      __rt_mutex_proxy_start() as this lets the unlocker observe a waiter in the
      hash bucket but no waiter on the rtmutex, i.e. inconsistent state.
      
      The original commit handles this correctly for the other early return cases
      (timeout, signal) by delaying the removal of the rtmutex waiter until the
      returning task reacquired the hash bucket lock.
      
      Treat the failure case of __rt_mutex_proxy_start() in the same way and let
      the existing cleanup code handle the eventual handover of the rtmutex
      gracefully. The regular rt_mutex_proxy_start() gains the rtmutex waiter
      removal for the failure case, so that the other callsites are still
      operating correctly.
      
      Add proper comments to the code so all these details are fully documented.
      
      Thanks to Peter for helping with the analysis and writing the really
      valuable code comments.
      
      Fixes: 56222b21 ("futex: Drop hb->lock before enqueueing on the rtmutex")
      Reported-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Co-developed-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: linux-s390@vger.kernel.org
      Cc: Stefan Liebler <stli@linux.ibm.com>
      Cc: Sebastian Sewior <bigeasy@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1901292311410.1950@nanos.tec.linutronix.de
      1a1fb985
    • Davidlohr Bueso's avatar
      futex: Fix barrier comment · 6f568ebe
      Davidlohr Bueso authored
      The current comment for the barrier that guarantees that waiter increment
      is always before taking the hb spinlock (barrier (A)) needs to be fixed as
      it is misplaced.
      
      This is obviously referring to hb_waiters_inc, which is a full barrier.
      Reported-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20190206185602.949-1-dave@stgolabs.net
      6f568ebe