4 years ago[media] dvb-usb-firmware: don't do DMA on stack
Stefan Brüns [Sun, 12 Feb 2017 15:02:13 +0000 (13:02 -0200)]
[media] dvb-usb-firmware: don't do DMA on stack

The buffer allocation for the firmware data was changed in
commit 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load")
but the same applies for the reset value.

Fixes: 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load")
Signed-off-by: Stefan Brüns <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] staging: omap4iss: fix coding style issue
Avraham Shukron [Thu, 9 Feb 2017 17:01:57 +0000 (15:01 -0200)]
[media] staging: omap4iss: fix coding style issue

Broke argument list so that it won't exceed 80 characters

Signed-off-by: Avraham Shukron <>
Acked-by: Laurent Pinchart <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] staging: omap4iss: fix multiline comment style
Avraham Shukron [Thu, 9 Feb 2017 16:57:55 +0000 (14:57 -0200)]
[media] staging: omap4iss: fix multiline comment style

Fixed multi-line comments to their preferred style (First line empty)

Signed-off-by: Avraham Shukron <>
Acked-by: Laurent Pinchart <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] dvb-usb-cxusb: Geniatech T230C support
Evgeny Plehov [Tue, 7 Feb 2017 21:37:01 +0000 (19:37 -0200)]
[media] dvb-usb-cxusb: Geniatech T230C support

Updated Geniatech DVB-T/T2 stick support.

Signed-off-by: Evgeny Plehov <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] si2157: Si2141/2151 tuner support
Evgeny Plehov [Tue, 7 Feb 2017 21:35:46 +0000 (19:35 -0200)]
[media] si2157: Si2141/2151 tuner support

Support for new tuner version.

Signed-off-by: Evgeny Plehov <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] si2168: Si2168-D60 support
Evgeny Plehov [Tue, 7 Feb 2017 21:33:47 +0000 (19:33 -0200)]
[media] si2168: Si2168-D60 support

Support for new demod version.

Signed-off-by: Evgeny Plehov <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] vcodec: mediatek: Add Maintainers entry for Mediatek JPEG driver
Rick Chang [Wed, 14 Dec 2016 08:04:50 +0000 (06:04 -0200)]
[media] vcodec: mediatek: Add Maintainers entry for Mediatek JPEG driver

Signed-off-by: Rick Chang <>
Signed-off-by: Minghsiu Tsai <>
Signed-off-by: Bin Liu <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver
Rick Chang [Wed, 14 Dec 2016 08:04:48 +0000 (06:04 -0200)]
[media] vcodec: mediatek: Add Mediatek JPEG Decoder Driver

Add v4l2 driver for Mediatek JPEG Decoder

Signed-off-by: Rick Chang <>
Signed-off-by: Minghsiu Tsai <>
Reviewed-by: Ricky Liang <>
Tested-by: Ricky Liang <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] dt-bindings: mediatek: Add a binding for Mediatek JPEG Decoder
Rick Chang [Wed, 14 Dec 2016 08:04:47 +0000 (06:04 -0200)]
[media] dt-bindings: mediatek: Add a binding for Mediatek JPEG Decoder

Add a DT binding documentation for Mediatek JPEG Decoder of
MT2701 SoC.

Signed-off-by: Rick Chang <>
Signed-off-by: Minghsiu Tsai <>
Acked-by: Rob Herring <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] exynos-gsc: Add support for NV{16,21,61}M pixel formats
Thibault Saunier [Wed, 1 Feb 2017 20:05:22 +0000 (18:05 -0200)]
[media] exynos-gsc: Add support for NV{16,21,61}M pixel formats

Those are useful formats that should be handled.

Signed-off-by: Thibault Saunier <>
Signed-off-by: Javier Martinez Canillas <>
Acked-by: Sylwester Nawrocki <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] exynos-gsc: Do not swap cb/cr for semi planar formats
Thibault Saunier [Wed, 1 Feb 2017 20:05:21 +0000 (18:05 -0200)]
[media] exynos-gsc: Do not swap cb/cr for semi planar formats

In the case of semi planar formats cb and cr are in the same plane
in memory, meaning that will be set to 'cb' whatever the format is,
and whatever the (packed) order of those components are.

Suggested-by: Nicolas Dufresne <>
Signed-off-by: Thibault Saunier <>
Signed-off-by: Javier Martinez Canillas <>
Acked-by: Sylwester Nawrocki <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] tveeprom: get rid of unused arg on tveeprom_hauppauge_analog()
Mauro Carvalho Chehab [Fri, 3 Mar 2017 10:28:29 +0000 (07:28 -0300)]
[media] tveeprom: get rid of unused arg on tveeprom_hauppauge_analog()

tveeprom_hauppauge_analog() used to need the I2C adapter in
order to print debug messages. As it now uses pr_foo() facilities
since commit 6037b3ca28f4 ("[media] tveeprom: print log messages
using pr_foo()"), the first argument of the function is not
needed anymore.

So, get rid of it.

Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] vidioc-g-dv-timings.rst: update v4l2_bt_timings struct
Hans Verkuil [Fri, 10 Feb 2017 08:19:14 +0000 (06:19 -0200)]
[media] vidioc-g-dv-timings.rst: update v4l2_bt_timings struct

The new picture_aspect, cea861_vic and hdmi_vic fields were not documented,
even though the corresponding flags were.

Add documentation for these new fields.

Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] cec.h: small typo fix
Hans Verkuil [Thu, 9 Feb 2017 15:14:13 +0000 (13:14 -0200)]
[media] cec.h: small typo fix

ad -> as

It won't bring about world peace, but every little bit helps :-)

Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] coda/imx-vdoa: platform_driver should not be const
Arnd Bergmann [Thu, 9 Feb 2017 15:09:08 +0000 (13:09 -0200)]
[media] coda/imx-vdoa: platform_driver should not be const

The device driver platform is actually written to during registration,
for setting the owner field, so platform_driver_register() does not
take a const pointer:

drivers/media/platform/coda/imx-vdoa.c: In function 'vdoa_driver_init':
drivers/media/platform/coda/imx-vdoa.c:333:213: error: passing argument 1 of '__platform_driver_register' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
In file included from drivers/media/platform/coda/imx-vdoa.c:22:0:
include/linux/platform_device.h:199:12: note: expected 'struct platform_driver *' but argument is of type 'const struct platform_driver *'
 extern int __platform_driver_register(struct platform_driver *,
drivers/media/platform/coda/imx-vdoa.c: In function 'vdoa_driver_exit':
drivers/media/platform/coda/imx-vdoa.c:333:626: error: passing argument 1 of 'platform_driver_unregister' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]

Remove the modifier again.

Fixes: d2fe28feaebb ("[media] coda/imx-vdoa: constify structs")

Signed-off-by: Arnd Bergmann <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] tc358743: fix register i2c_rd/wr functions
Arnd Bergmann [Wed, 8 Feb 2017 21:14:13 +0000 (19:14 -0200)]
[media] tc358743: fix register i2c_rd/wr functions

While testing with CONFIG_UBSAN, I got this warning:

drivers/media/i2c/tc358743.c: In function 'tc358743_probe':
drivers/media/i2c/tc358743.c:1930:1: error: the frame size of 2480 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]

The problem is that the i2c_rd8/wr8/rd16/... functions in this driver pass
a pointer to a local variable into a common function, and each call to one
of them adds another variable plus redzone to the stack.

I also noticed that the way this is done is broken on big-endian machines,
as we copy the registers in CPU byte order.

To address both those problems, I'm adding two helper functions for reading
a register of up to 32 bits with correct endianess and change all other
functions to use that instead. Just to be sure we don't get the problem
back with changed optimizations in gcc, I'm also marking the new functions
as 'noinline', although my tests with gcc-7 don't require that.

Signed-off-by: Arnd Bergmann <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] mxl111sf: reduce stack usage in init function
Arnd Bergmann [Thu, 2 Feb 2017 14:53:07 +0000 (12:53 -0200)]
[media] mxl111sf: reduce stack usage in init function

mxl111sf uses a lot of kernel stack memory as it puts an i2c_client
structure on the stack:

drivers/media/usb/dvb-usb-v2/mxl111sf.c: In function 'mxl111sf_init':
drivers/media/usb/dvb-usb-v2/mxl111sf.c:953:1: error: the frame size of 1248 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]

We can avoid doing this by open-coding the call to i2c_transfer()
instead of calling tveeprom_read(), and not passing an i2c_client
pointer to tveeprom_hauppauge_analog(), which would ignore that

Signed-off-by: Arnd Bergmann <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] cx231xx-i2c: reduce stack size in bus scan
Arnd Bergmann [Thu, 2 Feb 2017 14:53:06 +0000 (12:53 -0200)]
[media] cx231xx-i2c: reduce stack size in bus scan

The cx231xx_do_i2c_scan function needs a lot of stack because
it puts an i2c_client structure on it:

drivers/media/usb/cx231xx/cx231xx-i2c.c: In function 'cx231xx_do_i2c_scan':
drivers/media/usb/cx231xx/cx231xx-i2c.c:518:1: error: the frame size of 1248 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]

This changes it to call i2c_transfer() directly instead, avoiding the
need for the structure.

Signed-off-by: Arnd Bergmann <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()
Arnd Bergmann [Thu, 2 Feb 2017 14:53:04 +0000 (12:53 -0200)]
[media] pvrusb2: reduce stack usage pvr2_eeprom_analyze()

The driver uses a relatively large data structure on the stack, which
showed up on my radar as we get a warning with the "latent entropy"
GCC plugin:

drivers/media/usb/pvrusb2/pvrusb2-eeprom.c:153:1: error: the frame size of 1376 bytes is larger than 1152 bytes [-Werror=frame-larger-than=]

The warning is usually hidden as we raise the warning limit to 2048
when the plugin is enabled, but I'd like to lower that again in the
future, and making this function smaller helps to do that without
build regressions.

Further analysis shows that putting an 'i2c_client' structure on
the stack is not really supported, as the embedded 'struct device'
is not initialized here, and we are only saved by the fact that
the function that is called here does not use the pointer at all.

Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18")

Signed-off-by: Arnd Bergmann <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] vivid: support for contiguous DMA buffers
Vincent ABRIOU [Mon, 12 Sep 2016 08:47:27 +0000 (05:47 -0300)]
[media] vivid: support for contiguous DMA buffers

It allows to simulate the behavior of hardware with such limitations or
to connect vivid to real hardware with such limitations.

Add the "allocators" module parameter option to let vivid use the
dma-contig instead of vmalloc.

Signed-off-by: Philipp Zabel <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Vincent Abriou <>
Reviewed-by: Javier Martinez Canillas <>
Tested-by: Javier Martinez Canillas <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] atmel-isc: add the isc pipeline function
Songjun Wu [Tue, 24 Jan 2017 08:05:57 +0000 (06:05 -0200)]
[media] atmel-isc: add the isc pipeline function

Image Sensor Controller has an internal image processor.
It can convert raw format to the other formats, like
RGB565, YUV420P. A module parameter 'sensor_preferred'
is used to enable or disable the pipeline function.
Some v4l2 controls are added to tuning the image when
the pipeline function is enabled.

Signed-off-by: Songjun Wu <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] staging: Replaced BUG_ON with warnings
Shilpa P [Sat, 3 Dec 2016 07:02:01 +0000 (05:02 -0200)]
[media] staging: Replaced BUG_ON with warnings

Don't crash the Kernel for driver errors

Signed-off-by: Shilpa P <>
Acked-by: Allen Pais <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years ago[media] bdisp: Clean up file handle in open() error path
Shailendra Verma [Fri, 2 Dec 2016 04:48:01 +0000 (02:48 -0200)]
[media] bdisp: Clean up file handle in open() error path

The File handle is not yet added in the vdev list.So no need to call
v4l2_fh_del(&ctx->fh)if it fails to create control.

Signed-off-by: Shailendra Verma <>
Reviewed-by: Fabien Dessenne <>
Signed-off-by: Hans Verkuil <>
Signed-off-by: Mauro Carvalho Chehab <>
4 years agoMerge tag 'v4.10' into patchwork
Mauro Carvalho Chehab [Wed, 22 Feb 2017 10:44:15 +0000 (07:44 -0300)]
Merge tag 'v4.10' into patchwork

Linux 4.10

* tag 'v4.10': (1558 commits)
  Linux 4.10
  Fix missing sanity check in /dev/sg
  scsi: don't BUG_ON() empty DMA transfers
  ipv6: release dst on error in ip6_dst_lookup_tail
  printk: use rcuidle console tracepoint
  ARM: multi_v7_defconfig: enable Qualcomm RPMCC
  irda: Fix lockdep annotations in hashbin_delete().
  vxlan: fix oops in dev_fill_metadata_dst
  dccp: fix freeing skb too early for IPV6_RECVPKTINFO
  dpaa_eth: small leak on error
  packet: Do not call fanout_release from atomic contexts
  reset: fix shared reset triggered_count decrement on error
  ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly
  ntb_transport: Pick an unused queue
  ntb: ntb_perf missing dmaengine_unmap_put
  NTB: ntb_transport: fix debugfs_remove_recursive
  Revert "nohz: Fix collision between tick and other hrtimers"
  vfs: fix uninitialized flags in splice_to_pipe()
  drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
  ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()

4 years agoLinux 4.10 v4.10
Linus Torvalds [Sun, 19 Feb 2017 22:34:00 +0000 (14:34 -0800)]
Linux 4.10

4 years agoFix missing sanity check in /dev/sg
Al Viro [Sun, 19 Feb 2017 07:15:27 +0000 (07:15 +0000)]
Fix missing sanity check in /dev/sg

What happens is that a write to /dev/sg is given a request with non-zero
->iovec_count combined with zero ->dxfer_len.  Or with ->dxferp pointing
to an array full of empty iovecs.

Having write permission to /dev/sg shouldn't be equivalent to the
ability to trigger BUG_ON() while holding spinlocks...

Found by Dmitry Vyukov and syzkaller.

[ The BUG_ON() got changed to a WARN_ON_ONCE(), but this fixes the
  underlying issue.  - Linus ]

Signed-off-by: Al Viro <>
Reported-by: Dmitry Vyukov <>
Reviewed-by: Christoph Hellwig <>
Signed-off-by: Linus Torvalds <>
4 years agoscsi: don't BUG_ON() empty DMA transfers
Johannes Thumshirn [Tue, 31 Jan 2017 09:16:00 +0000 (10:16 +0100)]
scsi: don't BUG_ON() empty DMA transfers

Don't crash the machine just because of an empty transfer. Use WARN_ON()
combined with returning an error.

Found by Dmitry Vyukov and syzkaller.

[ Changed to "WARN_ON_ONCE()". Al has a patch that should fix the root
  cause, but a BUG_ON() is not acceptable in any case, and a WARN_ON()
  might still be a cause of excessive log spamming.

  NOTE! If this warning ever triggers, we may end up leaking resources,
  since this doesn't bother to try to clean the command up. So this
  WARN_ON_ONCE() triggering does imply real problems. But BUG_ON() is
  much worse.

  People really need to stop using BUG_ON() for "this shouldn't ever
  happen". It makes pretty much any bug worse.     - Linus ]

Signed-off-by: Johannes Thumshirn <>
Reported-by: Dmitry Vyukov <>
Cc: James Bottomley <>
Cc: Al Viro <>
Signed-off-by: Linus Torvalds <>
4 years agoipv6: release dst on error in ip6_dst_lookup_tail
Willem de Bruijn [Sun, 19 Feb 2017 00:00:45 +0000 (19:00 -0500)]
ipv6: release dst on error in ip6_dst_lookup_tail

If ip6_dst_lookup_tail has acquired a dst and fails the IPv4-mapped
check, release the dst before returning an error.

Fixes: ec5e3b0a1d41 ("ipv6: Inhibit IPv4-mapped src address on the wire.")
Signed-off-by: Willem de Bruijn <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
4 years agoMerge tag 'fixes-for-linus' of git://
Linus Torvalds [Sun, 19 Feb 2017 01:38:09 +0000 (17:38 -0800)]
Merge tag 'fixes-for-linus' of git://git./linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Arnd Bergmann:
 "Two more bugfixes that came in during this week:

   - a defconfig change to enable a vital driver used on some Qualcomm
     based phones. This was already queued for 4.11, but the maintainer
     asked to have it in 4.10 after all.

   - a regression fix for the reset controller framework, this got
     broken by a typo in the 4.10 merge window"

* tag 'fixes-for-linus' of git://
  ARM: multi_v7_defconfig: enable Qualcomm RPMCC
  reset: fix shared reset triggered_count decrement on error

4 years agoMerge branch 'fixes' of git://
Linus Torvalds [Sun, 19 Feb 2017 01:36:15 +0000 (17:36 -0800)]
Merge branch 'fixes' of git://

Pull ARM fixes from Russell King:
 "A couple of fixes from Kees concerning problems he spotted with our
  user access support"

* 'fixes' of git://
  ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
  ARM: 8657/1: uaccess: consistently check object sizes

4 years agoMerge branch 'x86-urgent-for-linus' of git://
Linus Torvalds [Sun, 19 Feb 2017 01:34:56 +0000 (17:34 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull x86 fix from Thomas Gleixner:
 "Make the build clean by working around yet another GCC stupidity"

* 'x86-urgent-for-linus' of git://
  x86/vm86: Fix unused variable warning if THP is disabled

4 years agoMerge branch 'locking-urgent-for-linus' of git://
Linus Torvalds [Sun, 19 Feb 2017 01:33:17 +0000 (17:33 -0800)]
Merge branch 'locking-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull locking fix from Thomas Gleixner:
 "Move the futex init function to core initcall so user mode helper does
  not run into an uninitialized futex syscall"

* 'locking-urgent-for-linus' of git://
  futex: Move futex_init() to core_initcall

4 years agoMerge branch 'timers-urgent-for-linus' of git://
Linus Torvalds [Sun, 19 Feb 2017 01:30:36 +0000 (17:30 -0800)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip

Pull timer fixes from Thomas Gleixner:
 "Two small fixes::

   - Prevent deadlock on the tick broadcast lock. Found and fixed by

   - Stop using printk() in the timekeeping debug code to prevent a
     deadlock against the scheduler"

* 'timers-urgent-for-linus' of git://
  timekeeping: Use deferred printk() in debug code
  tick/broadcast: Prevent deadlock on tick_broadcast_lock

4 years agoMerge git://
Linus Torvalds [Sun, 19 Feb 2017 01:29:00 +0000 (17:29 -0800)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix leak in dpaa_eth error paths, from Dan Carpenter.

 2) Use after free when using IPV6_RECVPKTINFO, from Andrey Konovalov.

 3) fanout_release() cannot be invoked from atomic contexts, from Anoob

 4) Fix bogus attempt at lockdep annotation in IRDA.

 5) dev_fill_metadata_dst() can OOP on a NULL dst cache pointer, from
    Paolo Abeni.

* git://
  irda: Fix lockdep annotations in hashbin_delete().
  vxlan: fix oops in dev_fill_metadata_dst
  dccp: fix freeing skb too early for IPV6_RECVPKTINFO
  dpaa_eth: small leak on error
  packet: Do not call fanout_release from atomic contexts

4 years agoprintk: use rcuidle console tracepoint
Sergey Senozhatsky [Sat, 18 Feb 2017 11:42:54 +0000 (03:42 -0800)]
printk: use rcuidle console tracepoint

Use rcuidle console tracepoint because, apparently, it may be issued
from an idle CPU:

  hw-breakpoint: Failed to enable monitor mode on CPU 0.
  hw-breakpoint: CPU 0 failed to disable vector catch

  [ ERR: suspicious RCU usage.  ]
  4.10.0-rc8-next-20170215+ #119 Not tainted
  ./include/trace/events/printk.h:32 suspicious rcu_dereference_check() usage!

  other info that might help us debug this:

  RCU used illegally from idle CPU!
  rcu_scheduler_active = 2, debug_locks = 0
  RCU used illegally from extended quiescent state!
  2 locks held by swapper/0/0:
   #0:  (cpu_pm_notifier_lock){......}, at: [<c0237e2c>] cpu_pm_exit+0x10/0x54
   #1:  (console_lock){+.+.+.}, at: [<c01ab350>] vprintk_emit+0x264/0x474

  stack backtrace:
  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.10.0-rc8-next-20170215+ #119
  Hardware name: Generic OMAP4 (Flattened Device Tree)

This RCU warning, however, is suppressed by lockdep_off() in printk().
lockdep_off() increments the ->lockdep_recursion counter and thus
disables RCU_LOCKDEP_WARN() and debug_lockdep_rcu_enabled(), which want
lockdep to be enabled "current->lockdep_recursion == 0".

Signed-off-by: Sergey Senozhatsky <>
Reported-by: Tony Lindgren <>
Tested-by: Tony Lindgren <>
Acked-by: Paul E. McKenney <>
Acked-by: Steven Rostedt (VMware) <>
Cc: Petr Mladek <>
Cc: Peter Zijlstra <>
Cc: Thomas Gleixner <>
Cc: Tony Lindgren <>
Cc: Russell King <>
Cc: <> [3.4+]
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
4 years agoARM: multi_v7_defconfig: enable Qualcomm RPMCC
Andy Gross [Mon, 2 Jan 2017 20:35:05 +0000 (14:35 -0600)]
ARM: multi_v7_defconfig: enable Qualcomm RPMCC

This patch enables the Qualcomm RPM based Clock Controller present on
A-family boards.

Signed-off-by: Andy Gross <>
Acked-by: Bjorn Andersson <>
Signed-off-by: Olof Johansson <>
Signed-off-by: Arnd Bergmann <>
4 years agoirda: Fix lockdep annotations in hashbin_delete().
David S. Miller [Fri, 17 Feb 2017 21:19:39 +0000 (16:19 -0500)]
irda: Fix lockdep annotations in hashbin_delete().

A nested lock depth was added to the hasbin_delete() code but it
doesn't actually work some well and results in tons of lockdep splats.

Fix the code instead to properly drop the lock around the operation
and just keep peeking the head of the hashbin queue.

Reported-by: Dmitry Vyukov <>
Tested-by: Dmitry Vyukov <>
Signed-off-by: David S. Miller <>
4 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 17 Feb 2017 21:01:58 +0000 (13:01 -0800)]
Merge branch 'for-linus' of git://

Pull block layer fix from Jens Axboe:
 "A single fix for a lockdep splat reported by Thomas and Gabriel"

* 'for-linus' of git://
  cfq-iosched: don't call wbt_disable_default() with IRQs disabled

4 years agovxlan: fix oops in dev_fill_metadata_dst
Paolo Abeni [Fri, 17 Feb 2017 18:14:27 +0000 (19:14 +0100)]
vxlan: fix oops in dev_fill_metadata_dst

Since the commit 0c1d70af924b ("net: use dst_cache for vxlan device")
vxlan_fill_metadata_dst() calls vxlan_get_route() passing a NULL
dst_cache pointer, so the latter should explicitly check for
valid dst_cache ptr. Unfortunately the commit d71785ffc7e7 ("net: add
dst_cache to ovs vxlan lwtunnel") removed said check.

As a result is possible to trigger a null pointer access calling
vxlan_fill_metadata_dst(), e.g. with:

ovs-vsctl add-br ovs-br0
ovs-vsctl add-port ovs-br0 vxlan0 -- set interface vxlan0 \
type=vxlan options:remote_ip= \
options:key=1234 options:dst_port=4789 ofport_request=10
ip address add dev ovs-br0
ovs-vsctl set Bridge ovs-br0 ipfix=@i -- --id=@i create IPFIX \
targets=\"\" sampling=1
iperf -c -u -l 1000 -b 10M -t 1 -p 1234

This commit addresses the issue passing to vxlan_get_route() the
dst_cache already available into the lwt info processed by

Fixes: d71785ffc7e7 ("net: add dst_cache to ovs vxlan lwtunnel")
Signed-off-by: Paolo Abeni <>
Acked-by: Jiri Benc <>
Signed-off-by: David S. Miller <>
4 years agodccp: fix freeing skb too early for IPV6_RECVPKTINFO
Andrey Konovalov [Thu, 16 Feb 2017 16:22:46 +0000 (17:22 +0100)]
dccp: fix freeing skb too early for IPV6_RECVPKTINFO

In the current DCCP implementation an skb for a DCCP_PKT_REQUEST packet
is forcibly freed via __kfree_skb in dccp_rcv_state_process if
dccp_v6_conn_request successfully returns.

However, if IPV6_RECVPKTINFO is set on a socket, the address of the skb
is saved to ireq->pktopts and the ref count for skb is incremented in
dccp_v6_conn_request, so skb is still in use. Nevertheless, it gets freed
in dccp_rcv_state_process.

Fix by calling consume_skb instead of doing goto discard and therefore
calling __kfree_skb.

Similar fixes for TCP:

fb7e2399ec17f1004c0e0ccfd17439f8759ede01 [TCP]: skb is unexpectedly freed.
0aea76d35c9651d55bbaf746e7914e5f9ae5a25d tcp: SYN packets are now
simply consumed

Signed-off-by: Andrey Konovalov <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
4 years agoMerge tag 'powerpc-4.10-5' of git://
Linus Torvalds [Fri, 17 Feb 2017 17:58:32 +0000 (09:58 -0800)]
Merge tag 'powerpc-4.10-5' of git://git./linux/kernel/git/powerpc/linux

Pull powerpc fix from Michael Ellerman:
 "One fix from Paul: we can not use the radix MMU under a hypervisor for

  Although the code checked if the processor supports radix, that is not

* tag 'powerpc-4.10-5' of git://
  powerpc/64: Disable use of radix under a hypervisor

4 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Fri, 17 Feb 2017 17:56:34 +0000 (09:56 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

Pull input fix from Dmitry Torokhov:
 "Just a single change to Elan touchpad driver to recognize a new ACPI

* 'for-linus' of git://
  Input: elan_i2c - add ELAN0605 to the ACPI table

4 years agoMerge branch 'i2c/for-current' of git://
Linus Torvalds [Fri, 17 Feb 2017 17:53:59 +0000 (09:53 -0800)]
Merge branch 'i2c/for-current' of git://git./linux/kernel/git/wsa/linux

Pull i2c fix from Wolfram Sang:
 "I2C has a revert to fix a regression"

* 'i2c/for-current' of git://
  Revert "i2c: designware: detect when dynamic tar update is possible"

4 years agoMerge tag 'mmc-v4.10-rc8' of git://
Linus Torvalds [Fri, 17 Feb 2017 17:52:33 +0000 (09:52 -0800)]
Merge tag 'mmc-v4.10-rc8' of git://git./linux/kernel/git/ulfh/mmc

Pull MMC fix from Ulf Hansson:
 "Fix multi-bit bus width without high-speed mode for MMC"

* tag 'mmc-v4.10-rc8' of git://
  mmc: core: fix multi-bit bus width without high-speed mode

4 years agoMerge tag 'ntb-4.10-bugfixes' of git://
Linus Torvalds [Fri, 17 Feb 2017 17:51:05 +0000 (09:51 -0800)]
Merge tag 'ntb-4.10-bugfixes' of git://

Pull NTB bugfixes frfom Jon Mason:
 "NTB bug fixes to address a crash when unloading the ntb module, a DMA
  engine unmap leak, allowing the proper queue choice, and clearing the
  SKX irq bit"

* tag 'ntb-4.10-bugfixes' of git://
  ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly
  ntb_transport: Pick an unused queue
  ntb: ntb_perf missing dmaengine_unmap_put
  NTB: ntb_transport: fix debugfs_remove_recursive

4 years agodpaa_eth: small leak on error
Dan Carpenter [Thu, 16 Feb 2017 09:56:10 +0000 (12:56 +0300)]
dpaa_eth: small leak on error

This should be >= instead of > here.  It means that we don't increment
the free count enough so it becomes off by one.

Fixes: 9ad1a3749333 ("dpaa_eth: add support for DPAA Ethernet")
Signed-off-by: Dan Carpenter <>
Signed-off-by: David S. Miller <>
4 years agoMerge tag 'reset-for-4.10-fixes' of into...
Arnd Bergmann [Fri, 17 Feb 2017 16:25:15 +0000 (17:25 +0100)]
Merge tag 'reset-for-4.10-fixes' of into fixes

Pull "Reset controller fixes for v4.10" from Philipp Zabel:

- Remove erroneous negation of the error check of the reset function
  to decrement trigger_count in the error case, not on success. This
  fixes shared resets to actually only trigger once, as intended.

* tag 'reset-for-4.10-fixes' of
  reset: fix shared reset triggered_count decrement on error

4 years agopacket: Do not call fanout_release from atomic contexts
Anoob Soman [Wed, 15 Feb 2017 20:25:39 +0000 (20:25 +0000)]
packet: Do not call fanout_release from atomic contexts

Commit 6664498280cf ("packet: call fanout_release, while UNREGISTERING a
netdev"), unfortunately, introduced the following issues.

1. calling mutex_lock(&fanout_mutex) (fanout_release()) from inside
rcu_read-side critical section. rcu_read_lock disables preemption, most often,
which prohibits calling sleeping functions.

[  ] include/linux/rcupdate.h:560 Illegal context switch in RCU read-side critical section!
[  ]
[  ] rcu_scheduler_active = 1, debug_locks = 0
[  ] 4 locks held by ovs-vswitchd/1969:
[  ]  #0:  (cb_lock){++++++}, at: [<ffffffff8158a6c9>] genl_rcv+0x19/0x40
[  ]  #1:  (ovs_mutex){+.+.+.}, at: [<ffffffffa04878ca>] ovs_vport_cmd_del+0x4a/0x100 [openvswitch]
[  ]  #2:  (rtnl_mutex){+.+.+.}, at: [<ffffffff81564157>] rtnl_lock+0x17/0x20
[  ]  #3:  (rcu_read_lock){......}, at: [<ffffffff81614165>] packet_notifier+0x5/0x3f0
[  ]
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810c9077>] lockdep_rcu_suspicious+0x107/0x110
[  ]  [<ffffffff810a2da7>] ___might_sleep+0x57/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff810de93f>] ? vprintk_default+0x1f/0x30
[  ]  [<ffffffff81186e88>] ? printk+0x4d/0x4f
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

2. calling mutex_lock(&fanout_mutex) inside spin_lock(&po->bind_lock).
"sleeping function called from invalid context"

[  ] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
[  ] in_atomic(): 1, irqs_disabled(): 0, pid: 1969, name: ovs-vswitchd
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff810a2f52>] ___might_sleep+0x202/0x210
[  ]  [<ffffffff810a2fd0>] __might_sleep+0x70/0x90
[  ]  [<ffffffff8162e80c>] mutex_lock_nested+0x3c/0x3a0
[  ]  [<ffffffff816106dd>] fanout_release+0x1d/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

3. calling dev_remove_pack(&fanout->prot_hook), from inside
spin_lock(&po->bind_lock) or rcu_read-side critical-section. dev_remove_pack()
-> synchronize_net(), which might sleep.

[  ] BUG: scheduling while atomic: ovs-vswitchd/1969/0x00000002
[  ] INFO: lockdep is turned off.
[  ] Call Trace:
[  ]  [<ffffffff813770c1>] dump_stack+0x85/0xc4
[  ]  [<ffffffff81186274>] __schedule_bug+0x64/0x73
[  ]  [<ffffffff8162b8cb>] __schedule+0x6b/0xd10
[  ]  [<ffffffff8162c5db>] schedule+0x6b/0x80
[  ]  [<ffffffff81630b1d>] schedule_timeout+0x38d/0x410
[  ]  [<ffffffff810ea3fd>] synchronize_sched_expedited+0x53d/0x810
[  ]  [<ffffffff810ea6de>] synchronize_rcu_expedited+0xe/0x10
[  ]  [<ffffffff8154eab5>] synchronize_net+0x35/0x50
[  ]  [<ffffffff8154eae3>] dev_remove_pack+0x13/0x20
[  ]  [<ffffffff8161077e>] fanout_release+0xbe/0xe0
[  ]  [<ffffffff81614459>] packet_notifier+0x2f9/0x3f0

4. fanout_release() races with calls from different CPU.

To fix the above problems, remove the call to fanout_release() under
rcu_read_lock(). Instead, call __dev_remove_pack(&fanout->prot_hook) and
netdev_run_todo will be happy that &dev->ptype_specific list is empty. In order
to achieve this, I moved dev_{add,remove}_pack() out of fanout_{add,release} to
__fanout_{link,unlink}. So, call to {,__}unregister_prot_hook() will make sure
fanout->prot_hook is removed as well.

Fixes: 6664498280cf ("packet: call fanout_release, while UNREGISTERING a netdev")
Reported-by: Eric Dumazet <>
Signed-off-by: Anoob Soman <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
4 years agoreset: fix shared reset triggered_count decrement on error
Jerome Brunet [Wed, 15 Feb 2017 18:15:51 +0000 (19:15 +0100)]
reset: fix shared reset triggered_count decrement on error

For a shared reset, when the reset is successful, the triggered_count is
incremented when trying to call the reset callback, so that another device
sharing the same reset line won't trigger it again. If the reset has not
been triggered successfully, the trigger_count should be decremented.

The code does the opposite, and decrements the trigger_count on success.
As a consequence, another device sharing the reset will be able to trigger
it again.

Fixed be removing negation in from of the error code of the reset function.

Fixes: 7da33a37b48f ("reset: allow using reset_control_reset with shared reset")

Signed-off-by: Jerome Brunet <>
Acked-by: Martin Blumenstingl <>
Signed-off-by: Philipp Zabel <>
4 years agontb: ntb_hw_intel: link_poll isn't clearing the pending status properly
Dave Jiang [Thu, 16 Feb 2017 23:22:36 +0000 (16:22 -0700)]
ntb: ntb_hw_intel: link_poll isn't clearing the pending status properly

On Skylake hardware, the link_poll isn't clearing the pending interrupt
bit.  Adding a new function for SKX that handles clearing of status bit the
right way.

Signed-off-by: Dave Jiang <>
Fixes: 783dfa6c ("ntb: Adding Skylake Xeon NTB support")
Signed-off-by: Jon Mason <>
4 years agontb_transport: Pick an unused queue
Thomas VanSelus [Mon, 13 Feb 2017 22:46:26 +0000 (16:46 -0600)]
ntb_transport: Pick an unused queue

Fix typo causing ntb_transport_create_queue to select the first
queue every time, instead of using the next free queue.

Signed-off-by: Thomas VanSelus <>
Signed-off-by: Aaron Sierra <>
Acked-by: Allen Hubbe <>
Fixes: fce8a7bb5 ("PCI-Express Non-Transparent Bridge Support")
Signed-off-by: Jon Mason <>
4 years agontb: ntb_perf missing dmaengine_unmap_put
Dave Jiang [Mon, 30 Jan 2017 21:21:17 +0000 (14:21 -0700)]
ntb: ntb_perf missing dmaengine_unmap_put

In the normal I/O execution path, ntb_perf is missing a call to
dmaengine_unmap_put() after submission. That causes us to leak
unmap objects.

Signed-off-by: Dave Jiang <>
Fixes: 8a7b6a77 ("ntb: ntb perf tool")
Signed-off-by: Jon Mason <>
4 years agoNTB: ntb_transport: fix debugfs_remove_recursive
Allen Hubbe [Tue, 27 Dec 2016 22:57:04 +0000 (17:57 -0500)]
NTB: ntb_transport: fix debugfs_remove_recursive

The call to debugfs_remove_recursive(qp->debugfs_dir) of the sub-level
directory must not be later than
debugfs_remove_recursive(nt_debugfs_dir) of the top-level directory.
Otherwise, the sub-level directory will not exist, and it would be
invalid (panic) to attempt to remove it.  This removes the top-level
directory last, after sub-level directories have been cleaned up.

Signed-off-by: Allen Hubbe <>
Fixes: e26a5843f ("NTB: Split ntb_hw_intel and ntb_transport drivers")
Signed-off-by: Jon Mason <>
4 years agoMerge tag 'drm-fixes-for-v4.10-final' of git://
Linus Torvalds [Fri, 17 Feb 2017 02:44:38 +0000 (18:44 -0800)]
Merge tag 'drm-fixes-for-v4.10-final' of git://

Pull drm fixes from Dave Airlie:
 "Just two last minute fixes, one for DP MST oopses and one for a radeon

* tag 'drm-fixes-for-v4.10-final' of git://
  drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
  drm/dp/mst: fix kernel oops when turning off secondary monitor

4 years agoMerge branch 'drm-fixes-4.10' of git:// into drm...
Dave Airlie [Fri, 17 Feb 2017 01:13:17 +0000 (11:13 +1000)]
Merge branch 'drm-fixes-4.10' of git:// into drm-fixes

One regression fix for interlaced modes on radeon

* 'drm-fixes-4.10' of git://
  drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor

4 years agoRevert "nohz: Fix collision between tick and other hrtimers"
Linus Torvalds [Thu, 16 Feb 2017 20:19:18 +0000 (12:19 -0800)]
Revert "nohz: Fix collision between tick and other hrtimers"

This reverts commit 24b91e360ef521a2808771633d76ebc68bd5604b and commit
7bdb59f1ad47 ("tick/nohz: Fix possible missing clock reprog after tick
soft restart") that depends on it,

Pavel reports that it causes occasional boot hangs for him that seem to
depend on just how the machine was booted.  In particular, his machine
hangs at around the PCI fixups of the EHCI USB host controller, but only
hangs from cold boot, not from a warm boot.

Thomas Gleixner suspecs it's a CPU hotplug interaction, particularly
since Pavel also saw suspend/resume issues that seem to be related.
We're reverting for now while trying to figure out the root cause.

Reported-bisected-and-tested-by: Pavel Machek <>
Acked-by: Frederic Weisbecker <>
Cc: Wanpeng Li <>
Cc: Peter Zijlstra <>
Cc: Rik van Riel <>
Cc: Thomas Gleixner <>
Cc: # reverted commits were marked for stable
Signed-off-by: Linus Torvalds <>
4 years agoMerge tag 'media/v4.10-5' of git://
Linus Torvalds [Thu, 16 Feb 2017 18:22:41 +0000 (10:22 -0800)]
Merge tag 'media/v4.10-5' of git://git./linux/kernel/git/mchehab/linux-media

Pull media fix from Mauro Carvalho Chehab:
 "A regression fix that makes the Siano driver to work again after the

* tag 'media/v4.10-5' of git://
  [media] siano: make it work again with CONFIG_VMAP_STACK

4 years agovfs: fix uninitialized flags in splice_to_pipe()
Miklos Szeredi [Thu, 16 Feb 2017 16:49:02 +0000 (17:49 +0100)]
vfs: fix uninitialized flags in splice_to_pipe()

Flags (PIPE_BUF_FLAG_PACKET, PIPE_BUF_FLAG_GIFT) could remain on the
unused part of the pipe ring buffer.  Previously splice_to_pipe() left
the flags value alone, which could result in incorrect behavior.

Uninitialized flags appears to have been there from the introduction of
the splice syscall.

Signed-off-by: Miklos Szeredi <>
Cc: <> # 2.6.17+
Signed-off-by: Linus Torvalds <>
4 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Thu, 16 Feb 2017 17:05:34 +0000 (09:05 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mszeredi/fuse

Pull fuse fixes from Miklos Szeredi:
 "Fix a use after free bug introduced in 4.2 and using an uninitialized
  value introduced in 4.9"

* 'for-linus' of git://
  fuse: fix uninitialized flags in pipe_buffer
  fuse: fix use after free issue in fuse_dev_do_read()

4 years agoMerge tag 'pci-v4.10-fixes-4' of git://
Linus Torvalds [Thu, 16 Feb 2017 17:03:37 +0000 (09:03 -0800)]
Merge tag 'pci-v4.10-fixes-4' of git://git./linux/kernel/git/helgaas/pci

Pull PCI fix from Bjorn Helgaas:
 "Add back pcie_pme_remove() so we free the IRQ when removing PCIe port
  devices; previously the leaked IRQ caused an MSI BUG_ON"

* tag 'pci-v4.10-fixes-4' of git://
  PCI/PME: Restore pcie_pme_driver.remove

4 years agoMerge git://
Linus Torvalds [Thu, 16 Feb 2017 16:37:18 +0000 (08:37 -0800)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) In order to avoid problems in the future, make cgroup bpf overriding
    explicit using BPF_F_ALLOW_OVERRIDE. From Alexei Staovoitov.

 2) LLC sets skb->sk without proper skb->destructor and this explodes,
    fix from Eric Dumazet.

 3) Make sure when we have an ipv4 mapped source address, the
    destination is either also an ipv4 mapped address or
    ipv6_addr_any(). Fix from Jonathan T. Leighton.

 4) Avoid packet loss in fec driver by programming the multicast filter
    more intelligently. From Rui Sousa.

 5) Handle multiple threads invoking fanout_add(), fix from Eric

 6) Since we can invoke the TCP input path in process context, without
    BH being disabled, we have to accomodate that in the locking of the
    TCP probe. Also from Eric Dumazet.

 7) Fix erroneous emission of NETEVENT_DELAY_PROBE_TIME_UPDATE when we
    aren't even updating that sysctl value. From Marcus Huewe.

 8) Fix endian bugs in ibmvnic driver, from Thomas Falcon.

[ This is the second version of the pull that reverts the nested
  rhashtable changes that looked a bit too scary for this late in the
  release  - Linus ]

* git:// (27 commits)
  rhashtable: Revert nested table changes.
  ibmvnic: Fix endian errors in error reporting output
  ibmvnic: Fix endian error when requesting device capabilities
  net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification
  net: xilinx_emaclite: fix freezes due to unordered I/O
  net: xilinx_emaclite: fix receive buffer overflow
  bpf: kernel header files need to be copied into the tools directory
  tcp: tcp_probe: use spin_lock_bh()
  uapi: fix linux/if_pppol2tp.h userspace compilation errors
  packet: fix races in fanout_add()
  ibmvnic: Fix initial MTU settings
  net: ethernet: ti: cpsw: fix cpsw assignment in resume
  kcm: fix a null pointer dereference in kcm_sendmsg()
  net: fec: fix multicast filtering hardware setup
  ipv6: Handle IPv4-mapped src to in6addr_any dst.
  ipv6: Inhibit IPv4-mapped src address on the wire.
  net/mlx5e: Disable preemption when doing TC statistics upcall
  rhashtable: Add nested tables
  tipc: Fix tipc_sk_reinit race conditions
  gfs2: Use rhashtable walk interface in glock_hash_walk

4 years agodrm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor
Michel Dänzer [Wed, 15 Feb 2017 02:28:45 +0000 (11:28 +0900)]
drm/radeon: Use mode h/vdisplay fields to hide out of bounds HW cursor

The crtc_h/vdisplay fields may not match the CRTC viewport dimensions
with special modes such as interlaced ones.

Fixes the HW cursor disappearing in the bottom half of the screen with
interlaced modes.

Fixes: 6b16cf7785a4 ("drm/radeon: Hide the HW cursor while it's out of bounds")
Reported-by: Ashutosh Kumar <>
Tested-by: Sonny Jiang <>
Reviewed-by: Alex Deucher <>
Signed-off-by: Michel Dänzer <>
Signed-off-by: Alex Deucher <>
4 years agoARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()
Kees Cook [Thu, 16 Feb 2017 00:44:37 +0000 (01:44 +0100)]
ARM: 8658/1: uaccess: fix zeroing of 64-bit get_user()

The 64-bit get_user() wasn't clearing the high word due to a typo in the
error handler. The exception handler entry was already correct, though.
Noticed during recent usercopy test additions in lib/test_user_copy.c.

Signed-off-by: Kees Cook <>
Signed-off-by: Russell King <>
4 years agoARM: 8657/1: uaccess: consistently check object sizes
Kees Cook [Thu, 16 Feb 2017 00:43:58 +0000 (01:43 +0100)]
ARM: 8657/1: uaccess: consistently check object sizes

In commit 76624175dcae ("arm64: uaccess: consistently check object sizes"),
the object size checks are moved outside the access_ok() so that bad
destinations are detected before hitting the "memset(dest, 0, size)" in the
copy_from_user() failure path.

This makes the same change for arm, with attention given to possibly
extracting the uaccess routines into a common header file for all
architectures in the future.

Suggested-by: Mark Rutland <>
Signed-off-by: Kees Cook <>
Signed-off-by: Russell King <>
4 years agocfq-iosched: don't call wbt_disable_default() with IRQs disabled
Jens Axboe [Thu, 16 Feb 2017 14:57:33 +0000 (07:57 -0700)]
cfq-iosched: don't call wbt_disable_default() with IRQs disabled

wbt_disable_default() calls del_timer_sync() to wait for the wbt
timer to finish before disabling throttling. We can't do this with
IRQs disable. This fixes a lockdep splat on boot, if non-root
cgroups are used.

Reported-by: Gabriel C <>
Fixes: 87760e5eef35 ("block: hook up writeback throttling")
Signed-off-by: Jens Axboe <>
4 years agofuse: fix uninitialized flags in pipe_buffer
Miklos Szeredi [Thu, 16 Feb 2017 14:08:20 +0000 (15:08 +0100)]
fuse: fix uninitialized flags in pipe_buffer

Signed-off-by: Miklos Szeredi <>
Fixes: d82718e348fe ("fuse_dev_splice_read(): switch to add_to_pipe()")
Cc: <> # 4.9+
4 years agorhashtable: Revert nested table changes.
David S. Miller [Thu, 16 Feb 2017 03:29:51 +0000 (22:29 -0500)]
rhashtable: Revert nested table changes.

This reverts commits:


It's too risky to put in this late in the release
cycle.  We'll put these changes into the next merge
window instead.

Signed-off-by: David S. Miller <>
4 years agoMerge tag 'drm-misc-fixes-2017-02-15' of git://
Dave Airlie [Thu, 16 Feb 2017 03:26:41 +0000 (13:26 +1000)]
Merge tag 'drm-misc-fixes-2017-02-15' of git:// into drm-fixes

dp/mst oops fix for v4.10

* tag 'drm-misc-fixes-2017-02-15' of git://
  drm/dp/mst: fix kernel oops when turning off secondary monitor

4 years agopowerpc/64: Disable use of radix under a hypervisor
Paul Mackerras [Thu, 16 Feb 2017 02:49:21 +0000 (13:49 +1100)]
powerpc/64: Disable use of radix under a hypervisor

Currently, if the kernel is running on a POWER9 processor under a
hypervisor, it may try to use the radix MMU even though it doesn't have
the necessary code to do so (it doesn't negotiate use of radix, and it
doesn't do the H_REGISTER_PROC_TBL hcall).  If the hypervisor supports
both radix and HPT, then it will set up the guest to use HPT (since the
guest doesn't request radix in the CAS call), but if the radix feature
bit is set in the ibm,pa-features property (which is valid, since
ibm,pa-features is defined to represent the capabilities of the
processor) the guest will try to use radix, resulting in a crash when
it turns the MMU on.

This makes the minimal fix for the current code, which is to disable
radix unless we are running in hypervisor mode.

Fixes: 2bfd65e45e87 ("powerpc/mm/radix: Add radix callbacks for early init routines")
Cc: # v4.7+
Signed-off-by: Paul Mackerras <>
Signed-off-by: Michael Ellerman <>
4 years agoibmvnic: Fix endian errors in error reporting output
Thomas Falcon [Wed, 15 Feb 2017 16:33:33 +0000 (10:33 -0600)]
ibmvnic: Fix endian errors in error reporting output

Error reports received from firmware were not being converted from
big endian values, leading to bogus error codes reported on little
endian systems.

Signed-off-by: Thomas Falcon <>
Signed-off-by: David S. Miller <>
4 years agoibmvnic: Fix endian error when requesting device capabilities
Thomas Falcon [Wed, 15 Feb 2017 16:32:11 +0000 (10:32 -0600)]
ibmvnic: Fix endian error when requesting device capabilities

When a vNIC client driver requests a faulty device setting, the
server returns an acceptable value for the client to request.
This 64 bit value was incorrectly being swapped as a 32 bit value,
resulting in loss of data. This patch corrects that by using
the 64 bit swap function.

Signed-off-by: Thomas Falcon <>
Signed-off-by: David S. Miller <>
4 years agonet: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification
Marcus Huewe [Wed, 15 Feb 2017 00:00:36 +0000 (01:00 +0100)]
net: neigh: Fix netevent NETEVENT_DELAY_PROBE_TIME_UPDATE notification

When setting a neigh related sysctl parameter, we always send a
NETEVENT_DELAY_PROBE_TIME_UPDATE netevent. For instance, when

sysctl net.ipv6.neigh.wlp3s0.retrans_time_ms=2000

a NETEVENT_DELAY_PROBE_TIME_UPDATE netevent is generated.

This is caused by commit 2a4501ae18b5 ("neigh: Send a
notification when DELAY_PROBE_TIME changes"). According to the
commit's description, it was intended to generate such an event
when setting the "delay_first_probe_time" sysctl parameter.

In order to fix this, only generate this event when actually
setting the "delay_first_probe_time" sysctl parameter. This fix
should not have any unintended side-effects, because all but one
registered netevent callbacks check for other netevent event
types (the registered callbacks were obtained by grepping for
"register_netevent_notifier"). The only callback that uses the
mlxsw_sp_router_netevent_event() (in
drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c): in case
of this event, it only accesses the DELAY_PROBE_TIME of the
passed neigh_parms.

Fixes: 2a4501ae18b5 ("neigh: Send a notification when DELAY_PROBE_TIME changes")
Signed-off-by: Marcus Huewe <>
Reviewed-by: Ido Schimmel <>
Signed-off-by: David S. Miller <>
4 years agonet: xilinx_emaclite: fix freezes due to unordered I/O
Anssi Hannula [Tue, 14 Feb 2017 17:11:45 +0000 (19:11 +0200)]
net: xilinx_emaclite: fix freezes due to unordered I/O

The xilinx_emaclite uses __raw_writel and __raw_readl for register
accesses. Those functions do not imply any kind of memory barriers and
they may be reordered.

The driver does not seem to take that into account, though, and the
driver does not satisfy the ordering requirements of the hardware.
For clear examples, see xemaclite_mdio_write() and xemaclite_mdio_read()
which try to set MDIO address before initiating the transaction.

I'm seeing system freezes with the driver with GCC 5.4 and current
Linux kernels on Zynq-7000 SoC immediately when trying to use the

In commit 123c1407af87 ("net: emaclite: Do not use microblaze and ppc
IO functions") the driver was switched from non-generic
in_be32/out_be32 (memory barriers, big endian) to
__raw_readl/__raw_writel (no memory barriers, native endian), so
apparently the device follows system endianness and the driver was
originally written with the assumption of memory barriers.

Rather than try to hunt for each case of missing barrier, just switch
the driver to use iowrite32/ioread32/iowrite32be/ioread32be depending
on endianness instead.

Tested on little-endian Zynq-7000 ARM SoC FPGA.

Signed-off-by: Anssi Hannula <>
Fixes: 123c1407af87 ("net: emaclite: Do not use microblaze and ppc IO
Signed-off-by: David S. Miller <>
4 years agonet: xilinx_emaclite: fix receive buffer overflow
Anssi Hannula [Tue, 14 Feb 2017 17:11:44 +0000 (19:11 +0200)]
net: xilinx_emaclite: fix receive buffer overflow

xilinx_emaclite looks at the received data to try to determine the
Ethernet packet length but does not properly clamp it if
proto_type == ETH_P_IP or 1500 < proto_type <= 1518, causing a buffer
overflow and a panic via skb_panic() as the length exceeds the allocated
skb size.

Fix those cases.

Also add an additional unconditional check with WARN_ON() at the end.

Signed-off-by: Anssi Hannula <>
Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver")
Signed-off-by: David S. Miller <>
4 years agoPCI/PME: Restore pcie_pme_driver.remove
Yinghai Lu [Wed, 15 Feb 2017 05:17:48 +0000 (21:17 -0800)]
PCI/PME: Restore pcie_pme_driver.remove

In addition to making PME non-modular, d7def2040077 ("PCI/PME: Make
explicitly non-modular") removed the pcie_pme_driver .remove() method,

pcie_pme_remove() freed the PME IRQ that was requested in pci_pme_probe().
The fact that we don't free the IRQ after d7def2040077 causes the following
crash when removing a PCIe port device via /sys:

  ------------[ cut here ]------------
  kernel BUG at drivers/pci/msi.c:370!
  invalid opcode: 0000 [#1] SMP
  Modules linked in:
  CPU: 1 PID: 14509 Comm: sh Tainted: G    W  4.8.0-rc1-yh-00012-gd29438d
  RIP: 0010:[<ffffffff9758bbf5>]  free_msi_irqs+0x65/0x190
  Call Trace:
   [<ffffffff9758cda4>] pci_disable_msi+0x34/0x40
   [<ffffffff97583817>] cleanup_service_irqs+0x27/0x30
   [<ffffffff97583e9a>] pcie_port_device_remove+0x2a/0x40
   [<ffffffff97584250>] pcie_portdrv_remove+0x40/0x50
   [<ffffffff97576d7b>] pci_device_remove+0x4b/0xc0
   [<ffffffff9785ebe6>] __device_release_driver+0xb6/0x150
   [<ffffffff9785eca5>] device_release_driver+0x25/0x40
   [<ffffffff975702e4>] pci_stop_bus_device+0x74/0xa0
   [<ffffffff975704ea>] pci_stop_and_remove_bus_device_locked+0x1a/0x30
   [<ffffffff97578810>] remove_store+0x50/0x70
   [<ffffffff9785a378>] dev_attr_store+0x18/0x30
   [<ffffffff97260b64>] sysfs_kf_write+0x44/0x60
   [<ffffffff9725feae>] kernfs_fop_write+0x10e/0x190
   [<ffffffff971e13f8>] __vfs_write+0x28/0x110
   [<ffffffff970b0fa4>] ? percpu_down_read+0x44/0x80
   [<ffffffff971e53a7>] ? __sb_start_write+0xa7/0xe0
   [<ffffffff971e53a7>] ? __sb_start_write+0xa7/0xe0
   [<ffffffff971e1f04>] vfs_write+0xc4/0x180
   [<ffffffff971e3089>] SyS_write+0x49/0xa0
   [<ffffffff97001a46>] do_syscall_64+0xa6/0x1b0
   [<ffffffff9819201e>] entry_SYSCALL64_slow_path+0x25/0x25
   RIP  [<ffffffff9758bbf5>] free_msi_irqs+0x65/0x190
   RSP <ffff89ad3085bc48>
  ---[ end trace f4505e1dac5b95d3 ]---
  Segmentation fault

Restore pcie_pme_remove().

[bhelgaas: changelog]
Fixes: d7def2040077 ("PCI/PME: Make explicitly non-modular")
Signed-off-by: Yinghai Lu <>
Signed-off-by: Bjorn Helgaas <>
Acked-by: Rafael J. Wysocki <>
CC: # v4.9+
4 years agotimekeeping: Use deferred printk() in debug code
Sergey Senozhatsky [Wed, 15 Feb 2017 04:43:32 +0000 (13:43 +0900)]
timekeeping: Use deferred printk() in debug code

We cannot do printk() from tk_debug_account_sleep_time(), because
tk_debug_account_sleep_time() is called under tk_core seq lock.
The reason why printk() is unsafe there is that console_sem may
invoke scheduler (up()->wake_up_process()->activate_task()), which,
in turn, can return back to timekeeping code, for instance, via
get_time()->ktime_get(), deadlocking the system on tk_core seq lock.

[   48.950592] ======================================================
[   48.950622] [ INFO: possible circular locking dependency detected ]
[   48.950622] 4.10.0-rc7-next-20170213+ #101 Not tainted
[   48.950622] -------------------------------------------------------
[   48.950622] kworker/0:0/3 is trying to acquire lock:
[   48.950653]  (tk_core){----..}, at: [<c01cc624>] retrigger_next_event+0x4c/0x90
[   48.950683]
               but task is already holding lock:
[   48.950683]  (hrtimer_bases.lock){-.-...}, at: [<c01cc610>] retrigger_next_event+0x38/0x90
[   48.950714]
               which lock already depends on the new lock.

[   48.950714]
               the existing dependency chain (in reverse order) is:
[   48.950714]
               -> #5 (hrtimer_bases.lock){-.-...}:
[   48.950744]        _raw_spin_lock_irqsave+0x50/0x64
[   48.950775]        lock_hrtimer_base+0x28/0x58
[   48.950775]        hrtimer_start_range_ns+0x20/0x5c8
[   48.950775]        __enqueue_rt_entity+0x320/0x360
[   48.950805]        enqueue_rt_entity+0x2c/0x44
[   48.950805]        enqueue_task_rt+0x24/0x94
[   48.950836]        ttwu_do_activate+0x54/0xc0
[   48.950836]        try_to_wake_up+0x248/0x5c8
[   48.950836]        __setup_irq+0x420/0x5f0
[   48.950836]        request_threaded_irq+0xdc/0x184
[   48.950866]        devm_request_threaded_irq+0x58/0xa4
[   48.950866]        omap_i2c_probe+0x530/0x6a0
[   48.950897]        platform_drv_probe+0x50/0xb0
[   48.950897]        driver_probe_device+0x1f8/0x2cc
[   48.950897]        __driver_attach+0xc0/0xc4
[   48.950927]        bus_for_each_dev+0x6c/0xa0
[   48.950927]        bus_add_driver+0x100/0x210
[   48.950927]        driver_register+0x78/0xf4
[   48.950958]        do_one_initcall+0x3c/0x16c
[   48.950958]        kernel_init_freeable+0x20c/0x2d8
[   48.950958]        kernel_init+0x8/0x110
[   48.950988]        ret_from_fork+0x14/0x24
[   48.950988]
               -> #4 (&rt_b->rt_runtime_lock){-.-...}:
[   48.951019]        _raw_spin_lock+0x40/0x50
[   48.951019]        rq_offline_rt+0x9c/0x2bc
[   48.951019]        set_rq_offline.part.2+0x2c/0x58
[   48.951049]        rq_attach_root+0x134/0x144
[   48.951049]        cpu_attach_domain+0x18c/0x6f4
[   48.951049]        build_sched_domains+0xba4/0xd80
[   48.951080]        sched_init_smp+0x68/0x10c
[   48.951080]        kernel_init_freeable+0x160/0x2d8
[   48.951080]        kernel_init+0x8/0x110
[   48.951080]        ret_from_fork+0x14/0x24
[   48.951110]
               -> #3 (&rq->lock){-.-.-.}:
[   48.951110]        _raw_spin_lock+0x40/0x50
[   48.951141]        task_fork_fair+0x30/0x124
[   48.951141]        sched_fork+0x194/0x2e0
[   48.951141]        copy_process.part.5+0x448/0x1a20
[   48.951171]        _do_fork+0x98/0x7e8
[   48.951171]        kernel_thread+0x2c/0x34
[   48.951171]        rest_init+0x1c/0x18c
[   48.951202]        start_kernel+0x35c/0x3d4
[   48.951202]        0x8000807c
[   48.951202]
               -> #2 (&p->pi_lock){-.-.-.}:
[   48.951232]        _raw_spin_lock_irqsave+0x50/0x64
[   48.951232]        try_to_wake_up+0x30/0x5c8
[   48.951232]        up+0x4c/0x60
[   48.951263]        __up_console_sem+0x2c/0x58
[   48.951263]        console_unlock+0x3b4/0x650
[   48.951263]        vprintk_emit+0x270/0x474
[   48.951293]        vprintk_default+0x20/0x28
[   48.951293]        printk+0x20/0x30
[   48.951324]        kauditd_hold_skb+0x94/0xb8
[   48.951324]        kauditd_thread+0x1a4/0x56c
[   48.951324]        kthread+0x104/0x148
[   48.951354]        ret_from_fork+0x14/0x24
[   48.951354]
               -> #1 ((console_sem).lock){-.....}:
[   48.951385]        _raw_spin_lock_irqsave+0x50/0x64
[   48.951385]        down_trylock+0xc/0x2c
[   48.951385]        __down_trylock_console_sem+0x24/0x80
[   48.951385]        console_trylock+0x10/0x8c
[   48.951416]        vprintk_emit+0x264/0x474
[   48.951416]        vprintk_default+0x20/0x28
[   48.951416]        printk+0x20/0x30
[   48.951446]        tk_debug_account_sleep_time+0x5c/0x70
[   48.951446]        __timekeeping_inject_sleeptime.constprop.3+0x170/0x1a0
[   48.951446]        timekeeping_resume+0x218/0x23c
[   48.951477]        syscore_resume+0x94/0x42c
[   48.951477]        suspend_enter+0x554/0x9b4
[   48.951477]        suspend_devices_and_enter+0xd8/0x4b4
[   48.951507]        enter_state+0x934/0xbd4
[   48.951507]        pm_suspend+0x14/0x70
[   48.951507]        state_store+0x68/0xc8
[   48.951538]        kernfs_fop_write+0xf4/0x1f8
[   48.951538]        __vfs_write+0x1c/0x114
[   48.951538]        vfs_write+0xa0/0x168
[   48.951568]        SyS_write+0x3c/0x90
[   48.951568]        __sys_trace_return+0x0/0x10
[   48.951568]
               -> #0 (tk_core){----..}:
[   48.951599]        lock_acquire+0xe0/0x294
[   48.951599]        ktime_get_update_offsets_now+0x5c/0x1d4
[   48.951629]        retrigger_next_event+0x4c/0x90
[   48.951629]        on_each_cpu+0x40/0x7c
[   48.951629]        clock_was_set_work+0x14/0x20
[   48.951660]        process_one_work+0x2b4/0x808
[   48.951660]        worker_thread+0x3c/0x550
[   48.951660]        kthread+0x104/0x148
[   48.951690]        ret_from_fork+0x14/0x24
[   48.951690]
               other info that might help us debug this:

[   48.951690] Chain exists of:
                 tk_core --> &rt_b->rt_runtime_lock --> hrtimer_bases.lock

[   48.951721]  Possible unsafe locking scenario:

[   48.951721]        CPU0                    CPU1
[   48.951721]        ----                    ----
[   48.951721]   lock(hrtimer_bases.lock);
[   48.951751]                                lock(&rt_b->rt_runtime_lock);
[   48.951751]                                lock(hrtimer_bases.lock);
[   48.951751]   lock(tk_core);
[   48.951782]
                *** DEADLOCK ***

[   48.951782] 3 locks held by kworker/0:0/3:
[   48.951782]  #0:  ("events"){.+.+.+}, at: [<c0156590>] process_one_work+0x1f8/0x808
[   48.951812]  #1:  (hrtimer_work){+.+...}, at: [<c0156590>] process_one_work+0x1f8/0x808
[   48.951843]  #2:  (hrtimer_bases.lock){-.-...}, at: [<c01cc610>] retrigger_next_event+0x38/0x90
[   48.951843]   stack backtrace:
[   48.951873] CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.10.0-rc7-next-20170213+
[   48.951904] Workqueue: events clock_was_set_work
[   48.951904] [<c0110208>] (unwind_backtrace) from [<c010c224>] (show_stack+0x10/0x14)
[   48.951934] [<c010c224>] (show_stack) from [<c04ca6c0>] (dump_stack+0xac/0xe0)
[   48.951934] [<c04ca6c0>] (dump_stack) from [<c019b5cc>] (print_circular_bug+0x1d0/0x308)
[   48.951965] [<c019b5cc>] (print_circular_bug) from [<c019d2a8>] (validate_chain+0xf50/0x1324)
[   48.951965] [<c019d2a8>] (validate_chain) from [<c019ec18>] (__lock_acquire+0x468/0x7e8)
[   48.951995] [<c019ec18>] (__lock_acquire) from [<c019f634>] (lock_acquire+0xe0/0x294)
[   48.951995] [<c019f634>] (lock_acquire) from [<c01d0ea0>] (ktime_get_update_offsets_now+0x5c/0x1d4)
[   48.952026] [<c01d0ea0>] (ktime_get_update_offsets_now) from [<c01cc624>] (retrigger_next_event+0x4c/0x90)
[   48.952026] [<c01cc624>] (retrigger_next_event) from [<c01e4e24>] (on_each_cpu+0x40/0x7c)
[   48.952056] [<c01e4e24>] (on_each_cpu) from [<c01cafc4>] (clock_was_set_work+0x14/0x20)
[   48.952056] [<c01cafc4>] (clock_was_set_work) from [<c015664c>] (process_one_work+0x2b4/0x808)
[   48.952087] [<c015664c>] (process_one_work) from [<c0157774>] (worker_thread+0x3c/0x550)
[   48.952087] [<c0157774>] (worker_thread) from [<c015d644>] (kthread+0x104/0x148)
[   48.952087] [<c015d644>] (kthread) from [<c0107830>] (ret_from_fork+0x14/0x24)

Replace printk() with printk_deferred(), which does not call into
the scheduler.

Fixes: 0bf43f15db85 ("timekeeping: Prints the amounts of time spent during suspend")
Reported-and-tested-by: Tony Lindgren <>
Signed-off-by: Sergey Senozhatsky <>
Cc: Petr Mladek <>
Cc: Sergey Senozhatsky <>
Cc: Peter Zijlstra <>
Cc: "Rafael J . Wysocki" <>
Cc: Steven Rostedt <>
Cc: John Stultz <>
Cc: "[4.9+]" <>
Signed-off-by: Thomas Gleixner <>
4 years agodrm/dp/mst: fix kernel oops when turning off secondary monitor
Pierre-Louis Bossart [Tue, 14 Feb 2017 12:49:21 +0000 (14:49 +0200)]
drm/dp/mst: fix kernel oops when turning off secondary monitor

100% reproducible issue found on SKL SkullCanyon NUC with two external
DP daisy-chained monitors in DP/MST mode. When turning off or changing
the input of the second monitor the machine stops with a kernel
oops. This issue happened with 4.8.8 as well as drm/drm-intel-nightly.

This issue is traced to an inconsistent control flow in
drm_dp_update_payload_part1(): the 'port' pointer is set to NULL at the
same time as 'req_payload.num_slots' is set to zero, but the pointer is
dereferenced even when req_payload.num_slot is zero.

The problematic dereference was introduced in commit dfda0df34
("drm/mst: rework payload table allocation to conform better") and may
impact all versions since v3.18

The fix suggested by Chris Wilson removes the kernel oops and was found to
work well after 10mn of monkey-testing with the second monitor power and
input buttons

Fixes: dfda0df34264 ("drm/mst: rework payload table allocation to conform better.")
Cc: Dave Airlie <>
Cc: Chris Wilson <>
Cc: Nathan D Ciobanu <>
Cc: Dhinakaran Pandiyan <>
Cc: Sean Paul <>
Cc: <> # v3.18+
Tested-by: Nathan D Ciobanu <>
Reviewed-by: Dhinakaran Pandiyan <>
Signed-off-by: Pierre-Louis Bossart <>
Signed-off-by: Jani Nikula <>
4 years agofuse: fix use after free issue in fuse_dev_do_read()
Sahitya Tummala [Wed, 8 Feb 2017 15:00:56 +0000 (20:30 +0530)]
fuse: fix use after free issue in fuse_dev_do_read()

There is a potential race between fuse_dev_do_write()
and request_wait_answer() contexts as shown below:

       |--if (test_bit(FR_SENT, &req->flags))
       <gets pre-empted after it is validated true>
                                   TASK 2:
                                     |--clears bit FR_SENT,
                                        |--sets bit FR_FINISHED
       <request gets queued to interrupts list>
       <as FR_FINISHED is set, it returns and then
       the caller frees this request>

Now, the next fuse_dev_do_read(), see interrupts list is not empty
and then calls fuse_read_interrupt() which tries to access the request
which is already free'd and gets the below crash:

[11432.401266] Unable to handle kernel paging request at virtual address
[11432.418518] Kernel BUG at ffffff80083720e0
[11432.456168] PC is at __list_del_entry+0x6c/0xc4
[11432.463573] LR is at fuse_dev_do_read+0x1ac/0x474
[11432.679999] [<ffffff80083720e0>] __list_del_entry+0x6c/0xc4
[11432.687794] [<ffffff80082c65e0>] fuse_dev_do_read+0x1ac/0x474
[11432.693180] [<ffffff80082c6b14>] fuse_dev_read+0x6c/0x78
[11432.699082] [<ffffff80081d5638>] __vfs_read+0xc0/0xe8
[11432.704459] [<ffffff80081d5efc>] vfs_read+0x90/0x108
[11432.709406] [<ffffff80081d67f0>] SyS_read+0x58/0x94

As FR_FINISHED bit is set before deleting the intr_entry with input
queue lock in request completion path, do the testing of this flag and
queueing atomically with the same lock in queue_interrupt().

Signed-off-by: Sahitya Tummala <>
Signed-off-by: Miklos Szeredi <>
Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts")
Cc: <> # 4.2+
4 years agobpf: kernel header files need to be copied into the tools directory
Stephen Rothwell [Mon, 13 Feb 2017 21:22:20 +0000 (08:22 +1100)]
bpf: kernel header files need to be copied into the tools directory

Signed-off-by: Stephen Rothwell <>
Acked-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>
4 years agotcp: tcp_probe: use spin_lock_bh()
Eric Dumazet [Wed, 15 Feb 2017 01:11:14 +0000 (17:11 -0800)]
tcp: tcp_probe: use spin_lock_bh()

tcp_rcv_established() can now run in process context.

We need to disable BH while acquiring tcp probe spinlock,
or risk a deadlock.

Fixes: 5413d1babe8f ("net: do not block BH while processing socket backlog")
Signed-off-by: Eric Dumazet <>
Reported-by: Ricardo Nabinger Sanchez <>
Signed-off-by: David S. Miller <>
4 years agouapi: fix linux/if_pppol2tp.h userspace compilation errors
Dmitry V. Levin [Wed, 15 Feb 2017 02:23:26 +0000 (05:23 +0300)]
uapi: fix linux/if_pppol2tp.h userspace compilation errors

Because of <linux/libc-compat.h> interface limitations, <netinet/in.h>
provided by libc cannot be included after <linux/in.h>, therefore any
header that includes <netinet/in.h> cannot be included after <linux/in.h>.

Change uapi/linux/l2tp.h, the last uapi header that includes
<netinet/in.h>, to include <linux/in.h> and <linux/in6.h> instead of
<netinet/in.h> and use __SOCK_SIZE__ instead of sizeof(struct sockaddr)
the same way as uapi/linux/in.h does, to fix linux/if_pppol2tp.h userspace
compilation errors like this:

In file included from /usr/include/linux/l2tp.h:12:0,
                 from /usr/include/linux/if_pppol2tp.h:21,
/usr/include/netinet/in.h:31:8: error: redefinition of 'struct in_addr'

Fixes: 47c3e7783be4 ("net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_*")
Signed-off-by: Dmitry V. Levin <>
Signed-off-by: David S. Miller <>
4 years agoRevert "i2c: designware: detect when dynamic tar update is possible"
Jarkko Nikula [Mon, 13 Feb 2017 09:18:19 +0000 (11:18 +0200)]
Revert "i2c: designware: detect when dynamic tar update is possible"

This reverts commit 63d0f0a6952a1a02bc4f116b7da7c7887e46efa3.

It caused a regression on platforms where I2C controller is synthesized
with dynamic TAR update disabled. Detection code is testing is bit
DW_IC_CON_10BITADDR_MASTER in register DW_IC_CON read-only but fails to
restore original value in case bit is read-write.

Instead of fixing this we revert the commit since it was preparation for
the commit 0317e6c0f1dc ("i2c: designware: do not disable adapter after
transfer") which was also reverted.

Reported-by: Shah Nehal-Bakulchandra <>
Reported-by: Suravee Suthikulpanit <>
Acked-By: Lucas De Marchi <>
Cc: <> # v4.9+
Fixes: 63d0f0a6952a ("i2c: designware: detect when dynamic tar update is possible")
Signed-off-by: Jarkko Nikula <>
Signed-off-by: Wolfram Sang <>
4 years ago[media] siano: make it work again with CONFIG_VMAP_STACK
Mauro Carvalho Chehab [Tue, 14 Feb 2017 19:47:57 +0000 (17:47 -0200)]
[media] siano: make it work again with CONFIG_VMAP_STACK

Reported as a Kaffeine bug:

The USB control messages require DMA to work. We cannot pass
a stack-allocated buffer, as it is not warranted that the
stack would be into a DMA enabled area.

On Kernel 4.9, the default is to not accept DMA on stack anymore
on x86 architecture. On other architectures, this has been a
requirement since Kernel 2.2. So, after this patch, this driver
should likely work fine on all archs.

Tested with USB ID 2040:5510: Hauppauge Windham

Signed-off-by: Mauro Carvalho Chehab <>
4 years agopacket: fix races in fanout_add()
Eric Dumazet [Tue, 14 Feb 2017 17:03:51 +0000 (09:03 -0800)]
packet: fix races in fanout_add()

Multiple threads can call fanout_add() at the same time.

We need to grab fanout_mutex earlier to avoid races that could
lead to one thread freeing po->rollover that was set by another thread.

Do the same in fanout_release(), for peace of mind, and to help us
finding lockdep issues earlier.

Fixes: dc99f600698d ("packet: Add fanout support.")
Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Signed-off-by: Eric Dumazet <>
Cc: Willem de Bruijn <>
Signed-off-by: David S. Miller <>
4 years agoibmvnic: Fix initial MTU settings
Thomas Falcon [Tue, 14 Feb 2017 16:22:59 +0000 (10:22 -0600)]
ibmvnic: Fix initial MTU settings

In the current driver, the MTU is set to the maximum value
capable for the backing device. This decision turned out to
be a mistake as it led to confusion among users. The expected
initial MTU value used for other IBM vNIC capable operating
systems is 1500, with the maximum value (9000) reserved for
when Jumbo frames are enabled. This patch sets the MTU to
the default value for a net device.

It also corrects a discrepancy between MTU values received from
firmware, which includes the ethernet header length, and net
device MTU values.

Finally, it removes redundant min/max MTU assignments after device

Signed-off-by: Thomas Falcon <>
Signed-off-by: David S. Miller <>
4 years agonet: ethernet: ti: cpsw: fix cpsw assignment in resume
Ivan Khoronzhuk [Tue, 14 Feb 2017 12:42:15 +0000 (14:42 +0200)]
net: ethernet: ti: cpsw: fix cpsw assignment in resume

There is a copy-paste error, which hides breaking of resume
for CPSW driver: there was replaced netdev_priv() to ndev_to_cpsw(ndev)
in suspend, but left it unchanged in resume.

Fixes: 606f39939595a4d4540406bfc11f265b2036af6d
(ti: cpsw: move platform data and slaves info to cpsw_common)

Reported-by: Alexey Starikovskiy <>
Signed-off-by: Ivan Khoronzhuk <>
Signed-off-by: David S. Miller <>
4 years agokcm: fix a null pointer dereference in kcm_sendmsg()
WANG Cong [Mon, 13 Feb 2017 19:13:16 +0000 (11:13 -0800)]
kcm: fix a null pointer dereference in kcm_sendmsg()

In commit 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
I tried to avoid skb allocation for 0-length case, but missed
a check for NULL pointer in the non EOR case.

Fixes: 98e3862ca2b1 ("kcm: fix 0-length case for kcm_sendmsg()")
Reported-by: Dmitry Vyukov <>
Cc: Tom Herbert <>
Signed-off-by: Cong Wang <>
Acked-by: Tom Herbert <>
Signed-off-by: David S. Miller <>
4 years agonet: fec: fix multicast filtering hardware setup
Rui Sousa [Mon, 13 Feb 2017 02:01:25 +0000 (10:01 +0800)]
net: fec: fix multicast filtering hardware setup

Fix hardware setup of multicast address hash:
- Never clear the hardware hash (to avoid packet loss)
- Construct the hash register values in software and then write once
to hardware

Signed-off-by: Rui Sousa <>
Signed-off-by: Fugang Duan <>
Signed-off-by: David S. Miller <>
4 years agoMerge branch 'ipv6-v4mapped'
David S. Miller [Tue, 14 Feb 2017 17:13:52 +0000 (12:13 -0500)]
Merge branch 'ipv6-v4mapped'

Jonathan T. Leighton says:

IPv4-mapped on wire, :: dst address issue

Under some circumstances IPv6 datagrams are sent with IPv4-mapped IPv6
addresses as the source. Given an IPv6 socket bound to an IPv4-mapped
IPv6 address, and an IPv6 destination address, both TCP and UDP will
will send packets using the IPv4-mapped IPv6 address as the source. Per
RFC 6890 (Table 20), IPv4-mapped IPv6 source addresses are not allowed
in an IP datagram. The problem can be observed by attempting to
connect() either a TCP or UDP socket, or by using sendmsg() with a UDP
socket. The patch is intended to correct this issue for all socket

linux follows the BSD convention that an IPv6 destination address
specified as in6addr_any is converted to the loopback address.
Currently, neither TCP nor UDP consider the possibility that the source
address is an IPv4-mapped IPv6 address, and assume that the appropriate
loopback address is ::1. The patch adds a check on whether or not the
source address is an IPv4-mapped IPv6 address and then sets the
destination address to either ::ffff: or ::1, as appropriate.

Signed-off-by: David S. Miller <>
4 years agoipv6: Handle IPv4-mapped src to in6addr_any dst.
Jonathan T. Leighton [Sun, 12 Feb 2017 22:26:07 +0000 (17:26 -0500)]
ipv6: Handle IPv4-mapped src to in6addr_any dst.

This patch adds a check on the type of the source address for the case
where the destination address is in6addr_any. If the source is an
IPv4-mapped IPv6 source address, the destination is changed to
::ffff:, and otherwise the destination is changed to ::1. This
is done in three locations to handle UDP calls to either connect() or
sendmsg() and TCP calls to connect(). Note that udpv6_sendmsg() delays
handling an in6addr_any destination until very late, so the patch only
needs to handle the case where the source is an IPv4-mapped IPv6

Signed-off-by: Jonathan T. Leighton <>
Signed-off-by: David S. Miller <>
4 years agoipv6: Inhibit IPv4-mapped src address on the wire.
Jonathan T. Leighton [Sun, 12 Feb 2017 22:26:06 +0000 (17:26 -0500)]
ipv6: Inhibit IPv4-mapped src address on the wire.

This patch adds a check for the problematic case of an IPv4-mapped IPv6
source address and a destination address that is neither an IPv4-mapped
IPv6 address nor in6addr_any, and returns an appropriate error. The
check in done before returning from looking up the route.

Signed-off-by: Jonathan T. Leighton <>
Signed-off-by: David S. Miller <>
4 years agonet/mlx5e: Disable preemption when doing TC statistics upcall
Or Gerlitz [Sun, 12 Feb 2017 09:21:31 +0000 (11:21 +0200)]
net/mlx5e: Disable preemption when doing TC statistics upcall

When called by HW offloading drivers, the TC action (e.g
net/sched/act_mirred.c) code uses this_cpu logic, e.g

 _bstats_cpu_update(this_cpu_ptr(a->cpu_bstats), bytes, packets)

per the kernel documention, preemption should be disabled, add that.

Before the fix, when running with CONFIG_PREEMPT set, we get a

BUG: using smp_processor_id() in preemptible [00000000] code: tc/3793

asserion from the TC action (mirred) stats_update callback.

Fixes: aad7e08d39bd ('net/mlx5e: Hardware offloaded flower filter statistics support')
Signed-off-by: Or Gerlitz <>
Signed-off-by: David S. Miller <>
4 years agoMerge tag 'media/v4.10-4' of git://
Linus Torvalds [Tue, 14 Feb 2017 14:29:21 +0000 (06:29 -0800)]
Merge tag 'media/v4.10-4' of git://git./linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:
 "A colorspace regression fix in V4L2 core and a CEC core bug that makes
  it discard valid messages"

* tag 'media/v4.10-4' of git://
  [media] cec: initiator should be the same as the destination for, poll
  [media] videodev2.h: go back to limited range Y'CbCr for SRGB and, ADOBERGB

4 years agommc: core: fix multi-bit bus width without high-speed mode
Anssi Hannula [Mon, 13 Feb 2017 11:46:41 +0000 (13:46 +0200)]
mmc: core: fix multi-bit bus width without high-speed mode

Commit 577fb13199b1 ("mmc: rework selection of bus speed mode")
refactored bus width selection code to mmc_select_bus_width().

However, it also altered the behavior to not call the selection code in
non-high-speed modes anymore.

This causes 1-bit mode to always be used when the high-speed mode is not
enabled, even though 4-bit and 8-bit bus are valid bus widths in the
backwards-compatibility (legacy) mode as well (see e.g. 5.3.2 Bus Speed
Modes in JEDEC 84-B50). This results in a significant regression in
transfer speeds.

Fix the code to allow 4-bit and 8-bit widths even without high-speed
mode, as before.

Tested with a Zynq-7000 PicoZed 7020 board.

Fixes: 577fb13199b1 ("mmc: rework selection of bus speed mode")
Signed-off-by: Anssi Hannula <>
Cc: <>
Signed-off-by: Ulf Hansson <>
4 years agoMerge branch 'rhashtable-allocation-failure-during-insertion'
David S. Miller [Tue, 14 Feb 2017 03:17:06 +0000 (22:17 -0500)]
Merge branch 'rhashtable-allocation-failure-during-insertion'

Herbert Xu says:

rhashtable: Handle table allocation failure during insertion

v2 -

Added Ack to patch 2.
Fixed RCU annotation in code path executed by rehasher by using

v1 -

This series tackles the problem of table allocation failures during
insertion.  The issue is that we cannot vmalloc during insertion.
This series deals with this by introducing nested tables.

The first two patches removes manual hash table walks which cannot
work on a nested table.

The final patch introduces nested tables.

I've tested this with test_rhashtable and it appears to work.

Signed-off-by: David S. Miller <>
4 years agorhashtable: Add nested tables
Herbert Xu [Sat, 11 Feb 2017 11:26:47 +0000 (19:26 +0800)]
rhashtable: Add nested tables

This patch adds code that handles GFP_ATOMIC kmalloc failure on
insertion.  As we cannot use vmalloc, we solve it by making our
hash table nested.  That is, we allocate single pages at each level
and reach our desired table size by nesting them.

When a nested table is created, only a single page is allocated
at the top-level.  Lower levels are allocated on demand during
insertion.  Therefore for each insertion to succeed, only two
(non-consecutive) pages are needed.

After a nested table is created, a rehash will be scheduled in
order to switch to a vmalloced table as soon as possible.  Also,
the rehash code will never rehash into a nested table.  If we
detect a nested table during a rehash, the rehash will be aborted
and a new rehash will be scheduled.

Signed-off-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
4 years agotipc: Fix tipc_sk_reinit race conditions
Herbert Xu [Sat, 11 Feb 2017 11:26:46 +0000 (19:26 +0800)]
tipc: Fix tipc_sk_reinit race conditions

There are two problems with the function tipc_sk_reinit.  Firstly
it's doing a manual walk over an rhashtable.  This is broken as
an rhashtable can be resized and if you manually walk over it
during a resize then you may miss entries.

Secondly it's missing memory barriers as previously the code used
spinlocks which provide the barriers implicitly.

This patch fixes both problems.

Fixes: 07f6c4bc048a ("tipc: convert tipc reference table to...")
Signed-off-by: Herbert Xu <>
Acked-by: Ying Xue <>
Signed-off-by: David S. Miller <>
4 years agogfs2: Use rhashtable walk interface in glock_hash_walk
Herbert Xu [Sat, 11 Feb 2017 11:26:45 +0000 (19:26 +0800)]
gfs2: Use rhashtable walk interface in glock_hash_walk

The function glock_hash_walk walks the rhashtable by hand.  This
is broken because if it catches the hash table in the middle of
a rehash, then it will miss entries.

This patch replaces the manual walk by using the rhashtable walk

Fixes: 88ffbf3e037e ("GFS2: Use resizable hash table for glocks")
Signed-off-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
4 years agoNET: Fix /proc/net/arp for AX.25
Ralf Baechle [Fri, 10 Feb 2017 23:38:57 +0000 (00:38 +0100)]
NET: Fix /proc/net/arp for AX.25

When sending ARP requests over AX.25 links the hwaddress in the neighbour
cache are not getting initialized.  For such an incomplete arp entry
ax2asc2 will generate an empty string resulting in /proc/net/arp output
like the following:

$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device    0x1         0x2         52:54:00:00:5d:5f     *        ens3      0x3         0x0              *        bpq0

The missing field will confuse the procfs parsing of arp(8) resulting in
incorrect output for the device such as the following:

$ arp
Address                  HWtype  HWaddress           Flags Mask            Iface
gateway                  ether   52:54:00:00:5d:5f   C                     ens3                      (incomplete)                              ens3

This changes the content of /proc/net/arp to:

$ cat /proc/net/arp
IP address       HW type     Flags       HW address            Mask     Device      0x3         0x0         *                     *        bpq0    0x1         0x2         52:54:00:00:5d:5f     *        ens3

To do so it change ax2asc to put the string "*" in buf for a NULL address
argument.  Finally the HW address field is left aligned in a 17 character
field (the length of an ethernet HW address in the usual hex notation) for

Signed-off-by: Ralf Baechle <>
Signed-off-by: David S. Miller <>
4 years agoxen-netback: vif counters from int/long to u64
Mart van Santen [Fri, 10 Feb 2017 12:02:18 +0000 (12:02 +0000)]
xen-netback: vif counters from int/long to u64

This patch fixes an issue where the type of counters in the queue(s)
and interface are not in sync (queue counters are int, interface
counters are long), causing incorrect reporting of tx/rx values
of the vif interface and unclear counter overflows.
This patch sets both counters to the u64 type.

Signed-off-by: Mart van Santen <>
Reviewed-by: Paul Durrant <>
Signed-off-by: David S. Miller <>