1. 19 Feb, 2015 2 commits
    • x86, mm/ASLR: Fix stack randomization on 64-bit systems · 4e7c22d4
      Hector Marco-Gisbert authored
      
      
      The issue is that the stack for processes is not properly randomized on
      64 bit architectures due to an integer overflow.
      
      The affected function is randomize_stack_top() in file
      "fs/binfmt_elf.c":
      
        static unsigned long randomize_stack_top(unsigned long stack_top)
        {
                 unsigned int random_variable = 0;
      
                 if ((current->flags & PF_RANDOMIZE) &&
                         !(current->personality & ADDR_NO_RANDOMIZE)) {
                         random_variable = get_random_int() & STACK_RND_MASK;
                         random_variable <<= PAGE_SHIFT;
                 }
        #ifdef CONFIG_STACK_GROWSUP
                 return PAGE_ALIGN(stack_top) + random_variable;
        #else
                 return PAGE_ALIGN(stack_top) - random_variable;
        #endif
        }
      
      Note that it declares the "random_variable" variable as "unsigned int".
      Since the result of the shifting operation between STACK_RND_MASK (which
      is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64):
      
      	  random_variable <<= PAGE_SHIFT;
      
      then the two leftmost bits are dropped when storing the result in the
      "random_variable". This variable shall be at least 34 bits long to hold
      the (22+12) result.
      
      These two dropped bits have an impact on the entropy of process stack.
      Concretely, the total stack entropy is reduced by four: from 2^28 to
      2^30 (One fourth of expected entropy).
      
      This patch restores back the entropy by correcting the types involved
      in the operations in the functions randomize_stack_top() and
      stack_maxrandom_size().
      
      The successful fix can be tested with:
      
        $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done
        7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0                          [stack]
        7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0                          [stack]
        7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0                          [stack]
        7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0                          [stack]
        ...
      
      Once corrected, the leading bytes should be between 7ffc and 7fff,
      rather than always being 7fff.
      Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
      Signed-off-by: Ismael Ripoll <iripoll@upv.es>
      [ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ]
      Signed-off-by: Kees Cook <keescook@chromium.org>
      Cc: <stable@vger.kernel.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Fixes: CVE-2015-1593
      Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net

      Signed-off-by: Borislav Petkov <bp@suse.de>
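
The truncation described in the commit message above, reproduced in user space as an added example (not code from the kernel or from the commit's authors). STACK_RND_MASK and PAGE_SHIFT are the x86_64 values the message quotes; the stack top constant and all function names are assumptions made for illustration, and only the arithmetic of randomize_stack_top() is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* x86_64 values quoted in the commit message. */
#define STACK_RND_MASK 0x3fffffu      /* 22 random bits */
#define PAGE_SHIFT     12

/* Assumption for illustration: a page-aligned x86_64 user stack top. */
#define STACK_TOP      0x7ffffffff000ULL

/* Signature shared by both variants so the helpers can sweep either one. */
typedef uint64_t (*stack_top_fn)(uint32_t rnd);

/* Pre-fix arithmetic: the offset is kept in a 32-bit "unsigned int". */
static uint64_t stack_top_before(uint32_t rnd)
{
    uint32_t random_variable = rnd & STACK_RND_MASK;

    random_variable <<= PAGE_SHIFT;   /* 34-bit result, top 2 bits lost */
    return STACK_TOP - random_variable;
}

/* Post-fix arithmetic: the offset is kept in a 64-bit "unsigned long". */
static uint64_t stack_top_after(uint32_t rnd)
{
    uint64_t random_variable = rnd & STACK_RND_MASK;

    random_variable <<= PAGE_SHIFT;
    return STACK_TOP - random_variable;
}

/* Number of address bits that can differ between two randomized tops. */
static int varying_bits(stack_top_fn fn)
{
    uint64_t seen = 0;
    int bits = 0;

    for (uint32_t r = 0; r <= STACK_RND_MASK; r++)
        seen |= STACK_TOP - fn(r);    /* OR together every possible offset */
    for (; seen; seen >>= 1)
        bits += (int)(seen & 1);
    return bits;
}

/* Number of distinct leading hex prefixes (address >> 32) that can occur. */
static int distinct_prefixes(stack_top_fn fn)
{
    int seen[4] = {0, 0, 0, 0};
    int count = 0;

    for (uint32_t r = 0; r <= STACK_RND_MASK; r++) {
        uint64_t delta = (STACK_TOP >> 32) - (fn(r) >> 32);

        if (delta < 4)                /* 34-bit offset: at most 4 prefixes */
            seen[delta] = 1;
    }
    for (int i = 0; i < 4; i++)
        count += seen[i];
    return count;
}

int main(void)
{
    printf("lowest stack top, 32-bit offset: %#llx\n",
           (unsigned long long)stack_top_before(STACK_RND_MASK));
    printf("lowest stack top, 64-bit offset: %#llx\n",
           (unsigned long long)stack_top_after(STACK_RND_MASK));
    printf("varying bits:      %d vs %d\n",
           varying_bits(stack_top_before), varying_bits(stack_top_after));
    printf("distinct prefixes: %d vs %d\n",
           distinct_prefixes(stack_top_before),
           distinct_prefixes(stack_top_after));
    return 0;
}
```

The stack mapping shown in /proc/self/maps is placed below this value by further adjustments the sketch does not model, so compare the prefix range rather than exact addresses.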
    • x86/mm/ASLR: Propagate base load address calculation · f47233c2
      Jiri Kosina authored
      Commit:

        e2b32e67 ("x86, kaslr: randomize module base load address")
      
      makes the base address for module to be unconditionally randomized in
      case when CONFIG_RANDOMIZE_BASE is defined and "nokaslr" option isn't
      present on the commandline.
      
      This is not consistent with how choose_kernel_location() decides whether
      it will randomize kernel load base.
      
      Namely, CONFIG_HIBERNATION disables kASLR (unless "kaslr" option is
      explicitly specified on kernel commandline), which makes the state space
      larger than what module loader is looking at. IOW CONFIG_HIBERNATION &&
      CONFIG_RANDOMIZE_BASE is a valid config option, kASLR wouldn't be applied
      by default in that case, but module loader is not aware of that.
      
      Instead of fixing the logic in module.c, this patch takes more generic
      approach. It introduces a new bootparam setup data_type SETUP_KASLR and
      uses that to pass the information whether kaslr has been applied during
      kernel decompression, and sets a global 'kaslr_enabled' variable
      accordingly, so that any kernel code (module loading, livepatching, ...)
      can make decisions based on its value.
      
      x86 module loader is converted to make use of this flag.
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Acked-by: Kees Cook <keescook@chromium.org>
      Cc: "H. Peter Anvin" <hpa@linux.intel.com>
      Link: https://lkml.kernel.org/r/alpine.LNX.2.00.1502101411280.10719@pobox.suse.cz

      [ Always dump correct kaslr status when panicking ]
      Signed-off-by: Borislav Petkov <bp@suse.de>
  2. 09 Feb, 2015 5 commits
    • Linux 3.19 · bfa76d49
      Linus Torvalds authored
    • Merge tag 'nios2-fixes-v3.19-final' of git://git.rocketboards.org/linux-socfpga-next · da2d96d3
      Linus Torvalds authored
      Pull nios2 fix from Ley Foon Tan:
       "This fixes incorrect behavior of some user programs"
      
      * tag 'nios2-fixes-v3.19-final' of git://git.rocketboards.org/linux-socfpga-next:
        nios2: fix unhandled signals
    • Merge git://git.kvack.org/~bcrl/aio-fixes · cdecbb33
      Linus Torvalds authored
      Pull aio nested sleep annotation from Ben LaHaise,
      
      * git://git.kvack.org/~bcrl/aio-fixes:
        aio: annotate aio_read_event_ring for sleep patterns
    • Merge tag 'trace-fixes-v3.19-rc7' of... · 4e02370f
      Linus Torvalds authored
      Merge tag 'trace-fixes-v3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
      
      Pull ftrace fixes from Steven Rostedt:
       "During testing Sedat Dilek hit a "suspicious RCU usage" splat that
        pointed out a real bug.  During suspend and resume the tlb_flush
        tracepoint is called when the CPU is going offline.  As the CPU has
        been noted as offline, RCU is ignoring that CPU, which means that it
        can not use RCU protected locks.  When tracepoints are activated, they
        require RCU locking, and if RCU is ignoring a CPU that runs a
        tracepoint, there is a chance that the tracepoint could cause
        corruption.
      
        The solution was to change the tracepoint into a
        TRACE_EVENT_CONDITION() which allows us to check a condition to
        determine if the tracepoint should be called or not.  If the condition
        is not met, the rcu protected code will not be executed.  By adding
        the condition "cpu_online(smp_processor_id())", this will prevent the
        RCU protected code from being executed if the CPU is marked offline.
      
        After adding this, another bug was discovered.  As RCU checks rcu
        callers, if a rcu call is not done, there is no check (obviously).  We
        found that tracepoints could be added in RCU ignored locations and not
        have lockdep complain until the tracepoint is activated.  This missed
        places where tracepoints were added in places they should not have
        been.  To fix this, code was added in 3.18 that if lockdep is enabled,
        any tracepoint will still call the rcu checks even if the tracepoint
        is not enabled.  The bug here, is that the check does not take the
        CONDITION into account.  As the condition may prevent tracepoints from
        being activated in RCU ignored areas (as the one patch does), we get
        false positives when we enable lockdep and hit a tracepoint that the
        condition prevents it from being called in a RCU ignored location.
      
        The fix for this is to add the CONDITION to the rcu checks, even if
        the tracepoint is not enabled"
      
      * tag 'trace-fixes-v3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        x86/tlb/trace: Do not trace on CPU that is offline
        tracing: Add condition check to RCU lockdep checks
    • nios2: fix unhandled signals · a3248d60
      Chung-Ling Tang authored
      
      
      Follow other architectures for user fault handling.
      Signed-off-by: Chung-Ling Tang <cltang@codesourcery.com>
      Acked-by: Ley Foon Tan <lftan@altera.com>
  3. 08 Feb, 2015 2 commits
    • x86/tlb/trace: Do not trace on CPU that is offline · 6c8465a8
      Steven Rostedt (Red Hat) authored
      When taking a CPU down for suspend and resume, a tracepoint may be called
      when the CPU has been designated offline. As tracepoints require RCU for
      protection, they must not be called if the current CPU is offline.
      
      Unfortunately, trace_tlb_flush() is called in this scenario as was noted
      by LOCKDEP:
      
      ...
      
       Disabling non-boot CPUs ...
       intel_pstate CPU 1 exiting
      
       ===============================
       smpboot: CPU 1 didn't die...
       [ INFO: suspicious RCU usage. ]
       3.19.0-rc7-next-20150204.1-iniza-small #1 Not tainted
       -------------------------------
       include/trace/events/tlb.h:35 suspicious rcu_dereference_check() usage!
      
       other info that might help us debug this:
      
       RCU used illegally from offline CPU!
       rcu_scheduler_active = 1, debug_locks = 0
       no locks held by swapper/1/0.
      
       stack backtrace:
       CPU: 1 PID: 0 Comm: swapper/1 Not tainted 3.19.0-rc7-next-20150204.1-iniza-small #1
       Hardware name: SAMSUNG ELECTRONICS CO., LTD. 530U3BI/530U4BI/530U4BH/530U3BI/530U4BI/530U4BH, BIOS 13XK 03/28/2013
        0000000000000001 ffff88011a44fe18 ffffffff817e370d 0000000000000011
        ffff88011a448290 ffff88011a44fe48 ffffffff810d6847 ffff8800c66b9600
        0000000000000001 ffff88011a44c000 ffffffff81cb3900 ffff88011a44fe78
       Call Trace:
        [<ffffffff817e370d>] dump_stack+0x4c/0x65
        [<ffffffff810d6847>] lockdep_rcu_suspicious+0xe7/0x120
        [<ffffffff810b71a5>] idle_task_exit+0x205/0x2c0
        [<ffffffff81054c4e>] play_dead_common+0xe/0x50
        [<ffffffff81054ca5>] native_play_dead+0x15/0x140
        [<ffffffff8102963f>] arch_cpu_idle_dead+0xf/0x20
        [<ffffffff810cd89e>] cpu_startup_entry+0x37e/0x580
        [<ffffffff81053e20>] start_secondary+0x140/0x150
       intel_pstate CPU 2 exiting
      
      ...
      
      By converting the tlb_flush tracepoint to a TRACE_EVENT_CONDITION where the
      condition is cpu_online(smp_processor_id()), we can avoid calling RCU protected
      code when the CPU is offline.
      
      Link: http://lkml.kernel.org/r/CA+icZUUGiGDoL5NU8RuxKzFjoLjEKRtUWx=JB8B9a0EQv-eGzQ@mail.gmail.com
      
      Cc: stable@vger.kernel.org # 3.17+
      Fixes: d17d8f9d "x86/mm: Add tracepoints for TLB flushes"
      Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
      Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
      Suggested-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
      Acked-by: Dave Hansen <dave@sr71.net>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
    • tracing: Add condition check to RCU lockdep checks · a05d59a5
      Steven Rostedt (Red Hat) authored
      The trace_tlb_flush() tracepoint can be called when a CPU is going offline.
      When a CPU is offline, RCU is no longer watching that CPU and since the
      tracepoint is protected by RCU, it must not be called. To prevent the
      tlb_flush tracepoint from being called when the CPU is offline, it was
      converted to a TRACE_EVENT_CONDITION where the condition checks if the
      CPU is online before calling the tracepoint.
      
      Unfortunately, this was not enough to stop lockdep from complaining about
      it. Even though the RCU protected code of the tracepoint will never be
      called, the condition is hidden within the tracepoint, and even though the
      condition prevents RCU code from being called, the lockdep checks are
      outside the tracepoint (this is to test tracepoints even when they are not
      enabled).
      
      Even though tracepoints should be checked to be RCU safe when they are not
      enabled, the condition should still be considered when checking RCU.
      
      Link: http://lkml.kernel.org/r/CA+icZUUGiGDoL5NU8RuxKzFjoLjEKRtUWx=JB8B9a0EQv-eGzQ@mail.gmail.com
      
      Fixes: 3a630178 "tracing: generate RCU warnings even when tracepoints are disabled"
      Cc: stable@vger.kernel.org # 3.18+
      Acked-by: Dave Hansen <dave@sr71.net>
      Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
      Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
      Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
  4. 07 Feb, 2015 2 commits
  5. 06 Feb, 2015 7 commits
    • Merge branches 'timers-urgent-for-linus' and 'x86-urgent-for-linus' of... · 26cdd1f7
      Linus Torvalds authored
      Merge branches 'timers-urgent-for-linus' and 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
      
      Pull timer and x86 fix from Ingo Molnar:
       "A CLOCK_TAI early expiry fix and an x86 microcode driver oops fix"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        hrtimer: Fix incorrect tai offset calculation for non high-res timer systems
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86, microcode: Return error from driver init code when loader is disabled
    • Merge branch 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 396e9099
      Linus Torvalds authored
      Pull scheduler fixes from Ingo Molnar:
       "Misc fixes"
      
      * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        sched/deadline: Fix deadline parameter modification handling
        sched/wait: Remove might_sleep() from wait_event_cmd()
        sched: Fix crash if cpuset_cpumask_can_shrink() is passed an empty cpumask
        sched/fair: Avoid using uninitialized variable in preferred_group_nid()
    • Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 29f12c48
      Linus Torvalds authored
      Pull core kernel fixes from Ingo Molnar:
       "Two liblockdep fixes and a CPU hotplug race fix"
      
      * 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        tools/liblockdep: don't include host headers
        tools/liblockdep: ignore generated .so file
        smpboot: Add missing get_online_cpus() in smpboot_register_percpu_thread()
    • Merge tag 'sound-3.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 2af613d3
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Hopefully the final pull request for 3.19: this ended up with a
        slightly higher volume than wished, but I put them all as they are
        either stable or 3.19 regression fixes.
      
        Most of commits are from ASoC, and have been stewed for a while in
        linux-next.  The only change in the common code is the regression
        fixes for ASoC AC97 stuff wrt device registrations.  The rest are
        device-specific, mostly small fixes in various ASoC drivers and ak411x
        on ice1724 boards"
      
      * tag 'sound-3.19' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ASoC: Intel: fix sst firmware path for cht-bsw-rt5672
        ARM: dts: Fix I2S1, I2S2 compatible for exynos4 SoCs
        ASoC: sgtl5000: add delay before first I2C access
        MAINTAINERS: ASoC: add maintainer for Intel BDW/HSW ASoC driver
        ASoC: atmel_ssc_dai: fix the setting for DSP mode
        ASoC: sgtl5000: Use shift mask when setting codec mode
        ASoC: tlv320aic3x: Fix data delay configuration
        ALSA: ak411x: Fix stall in work callback
        ASoC: Intel: Used lock version to update shim registers
        ASoC: wm8731: init mutex in i2c init path
        ASoC: atmel_ssc_dai: fix start event for I2S mode
        ASoC: rt5640: Add RT5642 ACPI ID for Intel Baytrail
        ASoC: wm97xx: Reset AC'97 device before registering it
        ASoC: Add support for allocating AC'97 device before registering it
    • Merge branch 'akpm' (patches from Andrew Morton) · 48beb121
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "7 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm/debug_pagealloc: fix build failure on ppc and some other archs
        nilfs2: fix deadlock of segment constructor over I_SYNC flag
        MAINTAINERS: remove SUPERH website
        memcg, shmem: fix shmem migration to use lrucare
        mm: export "high_memory" symbol on !MMU
        .mailmap: update Konstantin Khlebnikov's email address
        mm: pagewalk: call pte_hole() for VM_PFNMAP during walk_page_range
    • Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus · dbf3b7dd
      Linus Torvalds authored
      Pull MIPS fixes from Ralf Baechle:
       "The pending MIPS fixes for 3.19.  All across the field and nothing
        particularly severe or dramatic"
      
      * 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus: (23 commits)
        IRQCHIP: mips-gic: Avoid rerouting timer IRQs for smp-cmp
        MIPS: Fix syscall_get_nr for the syscall exit tracing.
        MIPS: elf2ecoff: Ignore PT_MIPS_ABIFLAGS program headers.
        MIPS: elf2ecoff: Rewrite main processing loop to switch.
        MIPS: fork: Fix MSA/FPU/DSP context duplication race
        MIPS: Fix C0_Pagegrain[IEC] support.
        MIPS: traps: Fix inline asm ctc1 missing .set hardfloat
        MIPS: mipsregs.h: Add write_32bit_cp1_register()
        MIPS: Fix kernel lockup or crash after CPU offline/online
        MIPS: OCTEON: fix kernel crash when offlining a CPU
        MIPS: ARC: Fix build error.
        MIPS: IRQ: Fix disable_irq on CPU IRQs
        MIPS: smp-mt,smp-cmp: Enable all HW IRQs on secondary CPUs
        MIPS: Fix restart of indirect syscalls
        MIPS: ELF: fix loading o32 binaries on 64-bit kernels
        MIPS: mips-cm: Fix sparse warnings
        MIPS: Kconfig: Fix recursive dependency.
        MIPS: Compat: Fix build error if CONFIG_MIPS32_COMPAT but no compat ABI.
        MIPS: JZ4740: Fixup #include's (sparse)
        MIPS: Wire up execveat(2).
        ...
    • Revert "IB/core: Add support for extended query device caps" · 43c61165
      Yann Droneaud authored
      While commit 7e36ef82 ("IB/core: Temporarily disable
      ex_query_device uverb") is correct as it makes the extended
      QUERY_DEVICE uverb (which came as part of commit 5a77abf9
      ("IB/core: Add support for extended query device caps") and commit
      860f10a7 ("IB/core: Add flags for on demand paging support")) not
      available to userspace, it doesn't address the initial issue regarding
      ib_copy_to_udata() [1][2].
      
      Additionally, further discussions around this new uverb seem to
      conclude it would require a different data structure than the one
      currently described in <rdma/ib_user_verbs.h> [3].
      
      Both of these issues require a revert of the changes, so this patch
      partially reverts commit 8cdd312c ("IB/mlx5: Implement the ODP
      capability query verb") and commit 860f10a7 ("IB/core: Add flags
      for on demand paging support") and fully reverts commit 5a77abf9
      ("IB/core: Add support for extended query device caps").
      
      [1] "Re: [PATCH v3 06/17] IB/core: Add support for extended query device caps"
          http://mid.gmane.org/1418733236.2779.26.camel@opteya.com
      
      [2] "Re: [PATCH] IB/core: Temporarily disable ex_query_device uverb"
          http://mid.gmane.org/1423067503.3030.83.camel@opteya.com
      
      [3] "RE: [PATCH v1 1/5] IB/uverbs: ex_query_device: answer must not depend on request's comp_mask"
          http://mid.gmane.org/2807E5FD2F6FDA4886F6618EAC48510E0CC12C30@CRSMSX101.amr.corp.intel.com
      
      
      
      Cc: Eli Cohen <eli@mellanox.com>
      Cc: Haggai Eran <haggaie@mellanox.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Cc: Sagi Grimberg <sagig@mellanox.com>
      Cc: Shachar Raindel <raindel@mellanox.com>
      Signed-off-by: Yann Droneaud <ydroneaud@opteya.com>
      Signed-off-by: Roland Dreier <roland@purestorage.com>
  6. 05 Feb, 2015 22 commits
    • mm/debug_pagealloc: fix build failure on ppc and some other archs · 7b02190c
      Joonsoo Kim authored
      Kim Phillips reported following build failure.
      
        LD      init/built-in.o
        mm/built-in.o: In function `free_pages_prepare':
        mm/page_alloc.c:770: undefined reference to `.kernel_map_pages'
        mm/built-in.o: In function `prep_new_page':
        mm/page_alloc.c:933: undefined reference to `.kernel_map_pages'
        mm/built-in.o: In function `map_pages':
        mm/compaction.c:61: undefined reference to `.kernel_map_pages'
        make: *** [vmlinux] Error 1
      
      Reason for this problem is that commit 031bc574
      ("mm/debug-pagealloc: make debug-pagealloc boottime configurable")
      forgot to remove the old declaration of kernel_map_pages() for some
      architectures.  This patch removes them to fix build failure.
      Reported-by: Kim Phillips <kim.phillips@freescale.com>
      Signed-off-by: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: David Miller <davem@davemloft.net>
      Cc: David Howells <dhowells@redhat.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • nilfs2: fix deadlock of segment constructor over I_SYNC flag · 7ef3ff2f
      Ryusuke Konishi authored
      
      
      Nilfs2 eventually hangs in a stress test with fsstress program.  This
      issue was caused by the following deadlock over I_SYNC flag between
      nilfs_segctor_thread() and writeback_sb_inodes():
      
        nilfs_segctor_thread()
          nilfs_segctor_thread_construct()
            nilfs_segctor_unlock()
              nilfs_dispose_list()
                iput()
                  iput_final()
                    evict()
                      inode_wait_for_writeback()  * wait for I_SYNC flag
      
        writeback_sb_inodes()
           * set I_SYNC flag on inode->i_state
          __writeback_single_inode()
            do_writepages()
              nilfs_writepages()
                nilfs_construct_dsync_segment()
                  nilfs_segctor_sync()
                     * wait for completion of segment constructor
          inode_sync_complete()
             * clear I_SYNC flag after __writeback_single_inode() completed
      
      writeback_sb_inodes() calls do_writepages() for dirty inodes after
      setting I_SYNC flag on inode->i_state.  do_writepages() in turn calls
      nilfs_writepages(), which can run segment constructor and wait for its
      completion.  On the other hand, segment constructor calls iput(), which
      can call evict() and wait for the I_SYNC flag on
      inode_wait_for_writeback().
      
      Since segment constructor doesn't know when I_SYNC will be set, it
      cannot know whether iput() will block or not unless inode->i_nlink has a
      non-zero count.  We can prevent evict() from being called in iput() by
      implementing sop->drop_inode(), but it's not preferable to leave inodes
      with i_nlink == 0 for long periods because it even defers file
      truncation and inode deallocation.  So, this instead resolves the
      deadlock by calling iput() asynchronously with a workqueue for inodes
      with i_nlink == 0.
      Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • MAINTAINERS: remove SUPERH website · 81cca6fb
      Sudip Mukherjee authored
      
      
      The mentioned website only displays information about buying and selling
      domains.
      Signed-off-by: Sudip Mukherjee <sudip@vectorindia.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • memcg, shmem: fix shmem migration to use lrucare · f5e03a49
      Michal Hocko authored
      It has been reported that 965GM might trigger
      
        VM_BUG_ON_PAGE(!lrucare && PageLRU(oldpage), oldpage)
      
      in mem_cgroup_migrate when shmem wants to replace a swap cache page
      because of shmem_should_replace_page (the page is allocated from an
      inappropriate zone).  shmem_replace_page expects that the oldpage is not
      on LRU list and calls mem_cgroup_migrate without lrucare.  This is
      obviously incorrect because swapcache pages might be on the LRU list
      (e.g. swapin readahead page).
      
      Fix this by enabling lrucare for the migration in shmem_replace_page.
      Also clarify that lrucare should be used even if one of the pages might
      be on LRU list.
      
      The BUG_ON will trigger only when CONFIG_DEBUG_VM is enabled but even
      without that the migration code might leave the old page on an
      inappropriate memcg's LRU which is not that critical because the page
      would get removed with its last reference but it is still confusing.
      
      Fixes: 0a31bc97 ("mm: memcontrol: rewrite uncharge API")
      Signed-off-by: Michal Hocko <mhocko@suse.cz>
      Reported-by: Chris Wilson <chris@chris-wilson.co.uk>
      Reported-by: Dave Airlie <airlied@gmail.com>
      Acked-by: Hugh Dickins <hughd@google.com>
      Acked-by: Johannes Weiner <hannes@cmpxchg.org>
      Cc: <stable@vger.kernel.org>	[3.17+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: export "high_memory" symbol on !MMU · 944b6874
      Arnd Bergmann authored
      
      
      The symbol 'high_memory' is provided on both MMU- and NOMMU-kernels, but
      only one of them is exported, which leads to module build errors in
      drivers that work fine built-in:
      
        ERROR: "high_memory" [drivers/net/virtio_net.ko] undefined!
        ERROR: "high_memory" [drivers/net/ppp/ppp_mppe.ko] undefined!
        ERROR: "high_memory" [drivers/mtd/nand/nand.ko] undefined!
        ERROR: "high_memory" [crypto/tcrypt.ko] undefined!
        ERROR: "high_memory" [crypto/cts.ko] undefined!
      
      This exports the symbol to get these to work on NOMMU as well.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Acked-by: Greg Ungerer <gerg@uclinux.org>
      Acked-by: David Rientjes <rientjes@google.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • .mailmap: update Konstantin Khlebnikov's email address · 21d543f2
      Kim Phillips authored
      
      
      get_maintainer.pl returns k.khlebnikov@samsung.com via git history, for
      which emails get rejected:
      
         RCPT TO:<k.khlebnikov@samsung.com>
         550 5.1.1 Recipient address rejected: User unknown
      
      Use his other address that passes vger's mxverify:
      
         RCPT TO:<koct9i@gmail.com>
         250 2.1.5 OK ir10si13843754pbc.62 - gsmtp
      
      and add his old email address in the wrong email address field.
      Signed-off-by: Kim Phillips <kim.phillips@freescale.com>
      Acked-by: Konstantin Khlebnikov <koct9i@gmail.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • mm: pagewalk: call pte_hole() for VM_PFNMAP during walk_page_range · 23aaed66
      Shiraz Hashim authored
      walk_page_range() silently skips vma having VM_PFNMAP set, which leads
      to undesirable behaviour at client end (who called walk_page_range).
      Userspace applications get the wrong data, so the effect is like just
      confusing users (if the applications just display the data) or sometimes
      killing the processes (if the applications do something with
      misunderstanding virtual addresses due to the wrong data.)
      
      For example for pagemap_read, when no callbacks are called against
      VM_PFNMAP vma, pagemap_read may prepare pagemap data for next virtual
      address range at wrong index.
      
      Eventually userspace may get wrong pagemap data for a task.
      Corresponding to a VM_PFNMAP marked vma region, kernel may report
      mappings from subsequent vma regions.  User space in turn may account
      more pages (than really are) to the task.
      
      In my case I was using procmem, procrack (Android utility) which uses
      pagemap interface to account RSS pages of a task.  Due to this bug it
      was giving a wrong picture for vmas (with VM_PFNMAP set).
      
      Fixes: a9ff785e ("mm/pagewalk.c: walk_page_range should avoid VM_PFNMAP areas")
      Signed-off-by: Shiraz Hashim <shashim@codeaurora.org>
      Acked-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: <stable@vger.kernel.org>	[3.10+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    • Merge tag 'asoc-fix-ac97-v3.19-rc7' of... · d2255c01
      Takashi Iwai authored
      Merge tag 'asoc-fix-ac97-v3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: AC'97 fixes
      
      These are rather too large for this late in the release cycle but
      they're clear, well understood and have been tested to fix a regression
      which was introduced for v3.19.  The details are all in Lars' changelog
      and they've been cooking in -next for a while, to a large extent out
      of conservatism about the size.
      d2255c01
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-intel-v3.19-rc7' of... · deb08737
      Takashi Iwai authored
      Merge tag 'asoc-fix-intel-v3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fix for Intel firmware name
      
      Another one liner that arrived after the earlier pull request.  There's
      a trivial conflict with my -next branch, I'll send a pull request with
      that resolution and some other new stuff before Monday.
      deb08737
    • Takashi Iwai's avatar
      Merge tag 'asoc-fix-v3.19-rc7' of... · 08c191de
      Takashi Iwai authored
      Merge tag 'asoc-fix-v3.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v3.19
      
      A few last minute fixes for v3.19, all driver specific.  None of them
      stand out particularly - it's all the standard people who are affected
      will care stuff.
      
      The Samsung fix is a DT only fix for the audio controller, it's being
      merged via the ASoC tree due to process messups (the submitter sent it
      at the end of a tangentially related series rather than separately to the
      ARM folks) in order to make sure that it gets to people sooner.
      08c191de
    • Kevin Strasser's avatar
      ASoC: Intel: fix sst firmware path for cht-bsw-rt5672 · 5c2b0636
      Kevin Strasser authored
      
      
      All sst firmware is provided under the intel directory of the linux-firmware
      tree. By default this directory structure is kept when installing on a target
      system. Change the path to expect a default linux-firmware installation.
      Signed-off-by: Kevin Strasser <kevin.strasser@linux.intel.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      5c2b0636
    • Sylwester Nawrocki's avatar
      ARM: dts: Fix I2S1, I2S2 compatible for exynos4 SoCs · fddcd300
      Sylwester Nawrocki authored
      
      
      I2S1, I2S2 on Exynos4 SoC series have limited functionality compared
      to I2S0, "samsung,s3c6410-i2s" compatible should be used for them.
      Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      fddcd300
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 9d82f5eb
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Stretch ACKs can kill performance with Reno and CUBIC congestion
          control, largely due to LRO and GRO.  Fix from Neal Cardwell.
      
       2) Fix userland breakage because we accidentally emit zero length netlink
          messages from the bridging code.  From Roopa Prabhu.
      
       3) Carry handling in generic csum_tcpudp_nofold is broken, fix from
          Karl Beldan.
      
       4) Remove bogus dev_set_net() calls from CAIF driver, from Nicolas
          Dichtel.
      
       5) Make sure PPP deflation never returns a length greater than the
          output buffer, otherwise we overflow and trigger skb_over_panic().
          Fix from Florian Westphal.
      
       6) COSA driver needs VIRT_TO_BUS Kconfig dependencies, from Arnd
          Bergmann.
      
       7) Don't increase route cached MTU on datagram too big ICMPs.  From Li
          Wei.
      
       8) Fix error path leaks in nf_tables, from Pablo Neira Ayuso.
      
       9) Fix bitmask handling regression in netlink that broke things like
          acpi userland tools.  From Pablo Neira Ayuso.
      
      10) Wrong header pointer passed to param_type2af() in SCTP code, from
          Saran Maruti Ramanara.
      
      11) Stacked vlans not handled correctly by vlan_get_protocol(), from
          Toshiaki Makita.
      
      12) Add missing DMA memory barrier to xgene driver, from Iyappan
          Subramanian.
      
      13) Fix crash in rate estimators, from Eric Dumazet.
      
      14) We've been adding various workarounds, one after another, for the
          change which added the per-net tcp_sock.  It was meant to reduce
          socket contention but added lots of problems.
      
          Reduce this instead to a proper per-cpu socket and that rids us of
          all the daemons.
      
          From Eric Dumazet.
      
      15) Fix memory corruption and OOPS in mlx4 driver, from Jack
          Morgenstein.
      
      16) When we disabled UFO in the virtio_net device, it introduces some
          serious performance regressions.  The original problem was IPV6
          fragment ID generation, so fix that properly instead.  From Vlad
          Yasevich.
      
      17) sr9700 driver build breaks on xtensa because it defines macros with
          the same name as those used by the arch code.  Use more unique
          names.  From Chen Gang.
      
      18) Fix endianness in new virtio 1.0 mode of the vhost net driver, from
          Michael S Tsirkin.
      
      19) Several sysctls were setting the maxlen attribute incorrectly, from
          Sasha Levin.
      
      20) Don't accept an FQ scheduler quantum of zero, that leads to crashes.
          From Kenneth Klette Jonassen.
      
      21) Fix dumping of non-existing actions in the packet scheduler
          classifier.  From Ignacy Gawędzki.
      
      22) Return the write work_done value when doing TX work in the qlcnic
          driver.
      
      23) ip6gre_err accesses the info field with the wrong endianness, from
          Sabrina Dubroca.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        sit: fix some __be16/u16 mismatches
        ipv6: fix sparse errors in ip6_make_flowlabel()
        net: remove some sparse warnings
        flow_keys: n_proto type should be __be16
        ip6_gre: fix endianness errors in ip6gre_err
        qlcnic: Fix NAPI poll routine for Tx completion
        amd-xgbe: Set RSS enablement based on hardware features
        amd-xgbe: Adjust for zero-based traffic class count
        cls_api.c: Fix dumping of non-existing actions' stats.
        pkt_sched: fq: avoid hang when quantum 0
        net: rds: use correct size for max unacked packets and bytes
        vhost/net: fix up num_buffers endian-ness
        gianfar: correct the bad expression while writing bit-pattern
        net: usb: sr9700: Use 'SR_' prefix for the common register macros
        Revert "drivers/net: Disable UFO through virtio"
        Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets"
        ipv6: Select fragment id during UFO segmentation if not set.
        xen-netback: stop the guest rx thread after a fatal error
        net/mlx4_core: Fix kernel Oops (mem corruption) when working with more than 80 VFs
        isdn: off by one in connect_res()
        ...
      9d82f5eb
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 14365ea2
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This patch set is fixing two serious problems which have turned up
        late in the release cycle.
      
        The first fixes a problem with 4k sector disks where the transfer
        length (amount of data sent to the disk) was getting increased every
        time the disk was revalidated leading to potential for overflows.
      
        The other is a regression oops fix for some of our last merge window
        code"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        sd: Fix max transfer length for 4k disks
        scsi: fix device handler detach oops
      14365ea2
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · 42345d63
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Radeon and amdkfd fixes.
      
        Radeon ones mostly for oops in some test/benchmark functions since
        fencing changes, and one regression fix for old GPUs,
      
        There is one cirrus regression fix, the 32bpp broke userspace, so this
        hides it behind a module option for the few users who care.
      
        I'm off for a few days, so this is probably the final pull I have, if
        I see fixes from Intel I'll forward the pull as I should have email"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/cirrus: Limit modes depending on bpp option
        drm/radeon: fix the crash in test functions
        drm/radeon: fix the crash in benchmark functions
        drm/radeon: properly set vm fragment size for TN/RL
        drm/radeon: don't init gpuvm if accel is disabled (v3)
        drm/radeon: fix PLLs on RS880 and older v2
        drm/amdkfd: Don't create BUG due to incorrect user parameter
        drm/amdkfd: max num of queues can't be 0
        drm/amdkfd: Fix bug in accounting of queues
      42345d63