[PATCH 4.6 13/96] fs/nilfs2: fix potential underflow in call to crc32

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mauro Carvalho Chehab <mch...@s-opensource.com>

commit 12cb22bb8ae9aff9d72a9c0a234f26d641b20eb6 upstream.

This header contains the userspace API for lirc.

This is a fixup for commit b7be755733dc ("[media] bz#75751: Move
internal header file lirc.h to uapi/"). It moved the header to the
right place, but it forgot to add it at Kbuild. So, despite being at
uapi, it is not copied to the right place.

Fixes: b7be755733dc44c72 ("[media] bz#75751: Move internal header file lirc.h to uapi/")
Link: http://lkml.kernel.org/r/320c765d32bfc82c582e336d52ffe10...@s-opensource.com
Signed-off-by: Mauro Carvalho Chehab <mch...@s-opensource.com>
Cc: Alec Leamas <leama...@gmail.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

include/uapi/linux/Kbuild | 1 +

1 file changed, 1 insertion(+)

--- a/include/uapi/linux/Kbuild
+++ b/include/uapi/linux/Kbuild
@@ -244,6 +244,7 @@ endif
header-y += hw_breakpoint.h
header-y += l2tp.h
header-y += libc-compat.h
+header-y += lirc.h
header-y += limits.h
header-y += llc.h
header-y += loop.h

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:20:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <t...@kernel.org>

commit d93c4130a7d049b234b5d5a15808eaf5406f2789 upstream.

mem_cgroup_migrate() uses local_irq_disable/enable() but can be called
with irq disabled from migrate_page_copy(). This ends up enabling irq
while holding a irq context lock triggering the following lockdep
warning. Fix it by using irq_save/restore instead.

=================================
[ INFO: inconsistent lock state ]
4.7.0-rc1+ #52 Tainted: G W
---------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
kcompactd0/151 [HC0[0]:SC0[0]:HE1:SE1] takes:
(&(&ctx->completion_lock)->rlock){+.?.-.}, at: [<000000000038fd96>] aio_migratepage+0x156/0x1e8
{IN-SOFTIRQ-W} state was registered at:
__lock_acquire+0x5b6/0x1930
lock_acquire+0xee/0x270
_raw_spin_lock_irqsave+0x66/0xb0
aio_complete+0x98/0x328
dio_complete+0xe4/0x1e0
blk_update_request+0xd4/0x450
scsi_end_request+0x48/0x1c8
scsi_io_completion+0x272/0x698
blk_done_softirq+0xca/0xe8
__do_softirq+0xc8/0x518
irq_exit+0xee/0x110
do_IRQ+0x6a/0x88
io_int_handler+0x11a/0x25c
__mutex_unlock_slowpath+0x144/0x1d8
__mutex_unlock_slowpath+0x140/0x1d8
kernfs_iop_permission+0x64/0x80
__inode_permission+0x9e/0xf0
link_path_walk+0x6e/0x510
path_lookupat+0xc4/0x1a8
filename_lookup+0x9c/0x160
user_path_at_empty+0x5c/0x70
SyS_readlinkat+0x68/0x140
system_call+0xd6/0x270
irq event stamp: 971410
hardirqs last enabled at (971409): migrate_page_move_mapping+0x3ea/0x588
hardirqs last disabled at (971410): _raw_spin_lock_irqsave+0x3c/0xb0
softirqs last enabled at (970526): __do_softirq+0x460/0x518
softirqs last disabled at (970519): irq_exit+0xee/0x110

other info that might help us debug this:
Possible unsafe locking scenario:

CPU0
----
lock(&(&ctx->completion_lock)->rlock);
<Interrupt>
lock(&(&ctx->completion_lock)->rlock);

*** DEADLOCK ***

3 locks held by kcompactd0/151:
#0: (&(&mapping->private_lock)->rlock){+.+.-.}, at: aio_migratepage+0x42/0x1e8
#1: (&ctx->ring_lock){+.+.+.}, at: aio_migratepage+0x5a/0x1e8
#2: (&(&ctx->completion_lock)->rlock){+.?.-.}, at: aio_migratepage+0x156/0x1e8

stack backtrace:
CPU: 20 PID: 151 Comm: kcompactd0 Tainted: G W 4.7.0-rc1+ #52
Call Trace:
show_trace+0xea/0xf0
show_stack+0x72/0xf0
dump_stack+0x9a/0xd8
print_usage_bug.part.27+0x2d4/0x2e8
mark_lock+0x17e/0x758
mark_held_locks+0xa2/0xd0
trace_hardirqs_on_caller+0x140/0x1c0
mem_cgroup_migrate+0x266/0x370
aio_migratepage+0x16a/0x1e8
move_to_new_page+0xb0/0x260
migrate_pages+0x8f4/0x9f0
compact_zone+0x4dc/0xdc8
kcompactd_do_work+0x1aa/0x358
kcompactd+0xba/0x2c8
kthread+0x10a/0x110
kernel_thread_starter+0x6/0xc
kernel_thread_starter+0x0/0xc
INFO: lockdep is turned off.

Link: http://lkml.kernel.org/r/2016062018...@mtj.duckdns.org
Link: http://lkml.kernel.org/g/5767CFE5...@de.ibm.com
Fixes: 74485cf2bc85 ("mm: migrate: consolidate mem_cgroup_migrate() calls")
Signed-off-by: Tejun Heo <t...@kernel.org>
Reported-by: Christian Borntraeger <bornt...@de.ibm.com>
Acked-by: Johannes Weiner <han...@cmpxchg.org>
Acked-by: Michal Hocko <mho...@suse.com>
Reviewed-by: Vladimir Davydov <vdav...@virtuozzo.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/memcontrol.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -5524,6 +5524,7 @@ void mem_cgroup_migrate(struct page *old
struct mem_cgroup *memcg;
unsigned int nr_pages;
bool compound;
+ unsigned long flags;

VM_BUG_ON_PAGE(!PageLocked(oldpage), oldpage);
VM_BUG_ON_PAGE(!PageLocked(newpage), newpage);
@@ -5554,10 +5555,10 @@ void mem_cgroup_migrate(struct page *old

commit_charge(newpage, memcg, false);

- local_irq_disable();
+ local_irq_save(flags);
mem_cgroup_charge_statistics(memcg, newpage, compound, nr_pages);
memcg_check_events(memcg, newpage);
- local_irq_enable();
+ local_irq_restore(flags);
}

DEFINE_STATIC_KEY_FALSE(memcg_sockets_enabled_key);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:20:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeu...@suse.com>

commit 0beef634b86a1350c31da5fcc2992f0d7c8a622b upstream.

Inability to locate a user mode specified transaction ID should not
lead to a kernel crash. For other than XS_TRANSACTION_START also
don't issue anything to xenbus if the specified ID doesn't match that
of any active transaction.

Signed-off-by: Jan Beulich <jbeu...@suse.com>
Signed-off-by: David Vrabel <david....@citrix.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/xen/xenbus/xenbus_dev_frontend.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/xen/xenbus/xenbus_dev_frontend.c
+++ b/drivers/xen/xenbus/xenbus_dev_frontend.c
@@ -316,11 +316,18 @@ static int xenbus_write_transaction(unsi
rc = -ENOMEM;
goto out;
}
+ } else {
+ list_for_each_entry(trans, &u->transactions, list)
+ if (trans->handle.id == u->u.msg.tx_id)
+ break;
+ if (&trans->list == &u->transactions)
+ return -ESRCH;
}

reply = xenbus_dev_request_and_reply(&u->u.msg);
if (IS_ERR(reply)) {
- kfree(trans);
+ if (msg_type == XS_TRANSACTION_START)
+ kfree(trans);
rc = PTR_ERR(reply);
goto out;
}
@@ -333,12 +340,7 @@ static int xenbus_write_transaction(unsi
list_add(&trans->list, &u->transactions);
}
} else if (u->u.msg.type == XS_TRANSACTION_END) {
- list_for_each_entry(trans, &u->transactions, list)
- if (trans->handle.id == u->u.msg.tx_id)
- break;
- BUG_ON(&trans->list == &u->transactions);
list_del(&trans->list);
-
kfree(trans);
}

unread,

Aug 8, 2016, 3:20:13 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Rientjes <rien...@google.com>

commit a4f04f2c6955aff5e2c08dcb40aca247ff4d7370 upstream.

If the memory compaction free scanner cannot successfully split a free
page (only possible due to per-zone low watermark), terminate the free
scanner rather than continuing to scan memory needlessly. If the
watermark is insufficient for a free page of order <= cc->order, then
terminate the scanner since all future splits will also likely fail.

This prevents the compaction freeing scanner from scanning all memory on
very large zones (very noticeable for zones > 128GB, for instance) when
all splits will likely fail while holding zone->lock.

compaction_alloc() iterating a 128GB zone has been benchmarked to take
over 400ms on some systems whereas any free page isolated and ready to
be split ends up failing in split_free_page() because of the low
watermark check and thus the iteration continues.

The next time compaction occurs, the freeing scanner will likely start
at the end of the zone again since no success was made previously and we
get the same lengthy iteration until the zone is brought above the low
watermark. All thp page faults can take >400ms in such a state without
this fix.

Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1...@chino.kir.corp.google.com
Signed-off-by: David Rientjes <rien...@google.com>
Acked-by: Vlastimil Babka <vba...@suse.cz>
Cc: Minchan Kim <min...@kernel.org>
Cc: Joonsoo Kim <iamjoon...@lge.com>
Cc: Mel Gorman <mgo...@techsingularity.net>
Cc: Hugh Dickins <hu...@google.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/compaction.c | 39 +++++++++++++++++++++------------------
1 file changed, 21 insertions(+), 18 deletions(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -436,25 +436,23 @@ static unsigned long isolate_freepages_b

/* Found a free page, break it into order-0 pages */
isolated = split_free_page(page);
+ if (!isolated)
+ break;
+
total_isolated += isolated;
+ cc->nr_freepages += isolated;
for (i = 0; i < isolated; i++) {
list_add(&page->lru, freelist);
page++;
}
-
- /* If a page was split, advance to the end of it */
- if (isolated) {
- cc->nr_freepages += isolated;
- if (!strict &&
- cc->nr_migratepages <= cc->nr_freepages) {
- blockpfn += isolated;
- break;
- }
-
- blockpfn += isolated - 1;
- cursor += isolated - 1;
- continue;
+ if (!strict && cc->nr_migratepages <= cc->nr_freepages) {
+ blockpfn += isolated;
+ break;
}
+ /* Advance to the end of split page */
+ blockpfn += isolated - 1;
+ cursor += isolated - 1;
+ continue;

isolate_fail:
if (strict)
@@ -464,6 +462,9 @@ isolate_fail:

}

+ if (locked)
+ spin_unlock_irqrestore(&cc->zone->lock, flags);
+
/*
* There is a tiny chance that we have read bogus compound_order(),
* so be careful to not go outside of the pageblock.
@@ -485,9 +486,6 @@ isolate_fail:
if (strict && blockpfn < end_pfn)
total_isolated = 0;

- if (locked)
- spin_unlock_irqrestore(&cc->zone->lock, flags);
-
/* Update the pageblock-skip if the whole pageblock was scanned */
if (blockpfn == end_pfn)
update_pageblock_skip(cc, valid_page, total_isolated, false);
@@ -938,6 +936,7 @@ static void isolate_freepages(struct com
block_end_pfn = block_start_pfn,
block_start_pfn -= pageblock_nr_pages,
isolate_start_pfn = block_start_pfn) {
+ unsigned long isolated;

/*
* This can iterate a massively long zone without finding any
@@ -962,8 +961,12 @@ static void isolate_freepages(struct com
continue;

/* Found a block suitable for isolating free pages from. */
- isolate_freepages_block(cc, &isolate_start_pfn,
- block_end_pfn, freelist, false);
+ isolated = isolate_freepages_block(cc, &isolate_start_pfn,
+ block_end_pfn, freelist, false);
+ /* If isolation failed early, do not continue needlessly */
+ if (!isolated && isolate_start_pfn < block_end_pfn &&
+ cc->nr_migratepages > cc->nr_freepages)
+ break;

/*
* If we isolated enough freepages, or aborted due to async

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:20:13 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Grodzovsky <andre...@gmail.com>

commit 02ef871ecac290919ea0c783d05da7eedeffc10e upstream.

Current overlap check is evaluating to false a case where a filter
field is fully contained (proper subset) of a r/w request. This
change applies classical overlap check instead to include all the
scenarios.

More specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver
the logic is such that the entire confspace is read and written in 4
byte chunks. In this case as an example, CACHE_LINE_SIZE,
LATENCY_TIMER and PCI_BIST are arriving together in one call to
xen_pcibk_config_write() with offset == 0xc and size == 4. With the
exsisting overlap check the LATENCY_TIMER field (offset == 0xd, length
== 1) is fully contained in the write request and hence is excluded
from write, which is incorrect.

Signed-off-by: Andrey Grodzovsky <andre...@gmail.com>
Reviewed-by: Boris Ostrovsky <boris.o...@oracle.com>
Reviewed-by: Jan Beulich <JBeu...@suse.com>
Signed-off-by: David Vrabel <david....@citrix.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/xen/xen-pciback/conf_space.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/xen/xen-pciback/conf_space.c
+++ b/drivers/xen/xen-pciback/conf_space.c
@@ -183,8 +183,7 @@ int xen_pcibk_config_read(struct pci_dev
field_start = OFFSET(cfg_entry);
field_end = OFFSET(cfg_entry) + field->size;

- if ((req_start >= field_start && req_start < field_end)
- || (req_end > field_start && req_end <= field_end)) {
+ if (req_end > field_start && field_end > req_start) {
err = conf_space_read(dev, cfg_entry, field_start,
&tmp_val);
if (err)
@@ -230,8 +229,7 @@ int xen_pcibk_config_write(struct pci_de
field_start = OFFSET(cfg_entry);
field_end = OFFSET(cfg_entry) + field->size;

- if ((req_start >= field_start && req_start < field_end)
- || (req_end > field_start && req_end <= field_end)) {
+ if (req_end > field_start && field_end > req_start) {
tmp_val = 0;

err = xen_pcibk_config_read(dev, field_start,

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:20:14 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bob Liu <bob...@oracle.com>

commit 7b427a59538a98161321aa46c13f4ea81b43f4eb upstream.

Uncompleted reqs used to be 'saved and resubmitted' in blkfront_recover() during
migration, but that's too late after multi-queue was introduced.

After a migrate to another host (which may not have multiqueue support), the
number of rings (block hardware queues) may be changed and the ring and shadow
structure will also be reallocated.

The blkfront_recover() then can't 'save and resubmit' the real
uncompleted reqs because shadow structure have been reallocated.

This patch fixes this issue by moving the 'save' logic out of
blkfront_recover() to earlier place in blkfront_resume().

The 'resubmit' is not changed and still in blkfront_recover().

Signed-off-by: Bob Liu <bob...@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/block/xen-blkfront.c | 91 ++++++++++++++++++-------------------------
1 file changed, 40 insertions(+), 51 deletions(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -207,6 +207,9 @@ struct blkfront_info
struct blk_mq_tag_set tag_set;
struct blkfront_ring_info *rinfo;
unsigned int nr_rings;
+ /* Save uncomplete reqs and bios for migration. */
+ struct list_head requests;
+ struct bio_list bio_list;
};

static unsigned int nr_minors;
@@ -2007,69 +2010,22 @@ static int blkif_recover(struct blkfront
{
unsigned int i, r_index;
struct request *req, *n;
- struct blk_shadow *copy;
int rc;
struct bio *bio, *cloned_bio;
- struct bio_list bio_list, merge_bio;
unsigned int segs, offset;
int pending, size;
struct split_bio *split_bio;
- struct list_head requests;

blkfront_gather_backend_features(info);
segs = info->max_indirect_segments ? : BLKIF_MAX_SEGMENTS_PER_REQUEST;
blk_queue_max_segments(info->rq, segs);
- bio_list_init(&bio_list);
- INIT_LIST_HEAD(&requests);

for (r_index = 0; r_index < info->nr_rings; r_index++) {
- struct blkfront_ring_info *rinfo;
-
- rinfo = &info->rinfo[r_index];
- /* Stage 1: Make a safe copy of the shadow state. */
- copy = kmemdup(rinfo->shadow, sizeof(rinfo->shadow),
- GFP_NOIO | __GFP_REPEAT | __GFP_HIGH);
- if (!copy)
- return -ENOMEM;
-
- /* Stage 2: Set up free list. */
- memset(&rinfo->shadow, 0, sizeof(rinfo->shadow));
- for (i = 0; i < BLK_RING_SIZE(info); i++)
- rinfo->shadow[i].req.u.rw.id = i+1;
- rinfo->shadow_free = rinfo->ring.req_prod_pvt;
- rinfo->shadow[BLK_RING_SIZE(info)-1].req.u.rw.id = 0x0fffffff;
+ struct blkfront_ring_info *rinfo = &info->rinfo[r_index];

rc = blkfront_setup_indirect(rinfo);
- if (rc) {
- kfree(copy);
+ if (rc)
return rc;
- }
-
- for (i = 0; i < BLK_RING_SIZE(info); i++) {
- /* Not in use? */
- if (!copy[i].request)
- continue;
-
- /*
- * Get the bios in the request so we can re-queue them.
- */
- if (copy[i].request->cmd_flags &
- (REQ_FLUSH | REQ_FUA | REQ_DISCARD | REQ_SECURE)) {
- /*
- * Flush operations don't contain bios, so
- * we need to requeue the whole request
- */
- list_add(&copy[i].request->queuelist, &requests);
- continue;
- }
- merge_bio.head = copy[i].request->bio;
- merge_bio.tail = copy[i].request->biotail;
- bio_list_merge(&bio_list, &merge_bio);
- copy[i].request->bio = NULL;
- blk_end_request_all(copy[i].request, 0);
- }
-
- kfree(copy);
}
xenbus_switch_state(info->xbdev, XenbusStateConnected);

@@ -2084,7 +2040,7 @@ static int blkif_recover(struct blkfront
kick_pending_request_queues(rinfo);
}

- list_for_each_entry_safe(req, n, &requests, queuelist) {
+ list_for_each_entry_safe(req, n, &info->requests, queuelist) {
/* Requeue pending requests (flush or discard) */
list_del_init(&req->queuelist);
BUG_ON(req->nr_phys_segments > segs);
@@ -2092,7 +2048,7 @@ static int blkif_recover(struct blkfront
}
blk_mq_kick_requeue_list(info->rq);

- while ((bio = bio_list_pop(&bio_list)) != NULL) {
+ while ((bio = bio_list_pop(&info->bio_list)) != NULL) {
/* Traverse the list of pending bios and re-queue them */
if (bio_segments(bio) > segs) {
/*
@@ -2138,9 +2094,42 @@ static int blkfront_resume(struct xenbus
{
struct blkfront_info *info = dev_get_drvdata(&dev->dev);
int err = 0;
+ unsigned int i, j;

dev_dbg(&dev->dev, "blkfront_resume: %s\n", dev->nodename);

+ bio_list_init(&info->bio_list);
+ INIT_LIST_HEAD(&info->requests);
+ for (i = 0; i < info->nr_rings; i++) {
+ struct blkfront_ring_info *rinfo = &info->rinfo[i];
+ struct bio_list merge_bio;
+ struct blk_shadow *shadow = rinfo->shadow;
+
+ for (j = 0; j < BLK_RING_SIZE(info); j++) {
+ /* Not in use? */
+ if (!shadow[j].request)
+ continue;
+
+ /*
+ * Get the bios in the request so we can re-queue them.
+ */
+ if (shadow[j].request->cmd_flags &
+ (REQ_FLUSH | REQ_FUA | REQ_DISCARD | REQ_SECURE)) {
+ /*
+ * Flush operations don't contain bios, so
+ * we need to requeue the whole request
+ */
+ list_add(&shadow[j].request->queuelist, &info->requests);
+ continue;
+ }
+ merge_bio.head = shadow[j].request->bio;
+ merge_bio.tail = shadow[j].request->biotail;
+ bio_list_merge(&info->bio_list, &merge_bio);
+ shadow[j].request->bio = NULL;
+ blk_mq_end_request(shadow[j].request, 0);
+ }
+ }
+
blkif_free(info, info->connected == BLKIF_STATE_CONNECTED);

err = negotiate_mq(info);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:20:14 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Michal Suchanek <hram...@gmail.com>

commit 719bd6542044efd9b338a53dba1bef45f40ca169 upstream.

The trasfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over
1MHz SPI bus takes way longer than that. Calculate the timeout from the
actual time the transfer is supposed to take and multiply by 2 for good
measure.

Signed-off-by: Michal Suchanek <hram...@gmail.com>
Acked-by: Maxime Ripard <maxime...@free-electrons.com>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/spi/spi-sun4i.c | 10 +++++++++-
drivers/spi/spi-sun6i.c | 10 +++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -173,6 +173,7 @@ static int sun4i_spi_transfer_one(struct
{
struct sun4i_spi *sspi = spi_master_get_devdata(master);
unsigned int mclk_rate, div, timeout;
+ unsigned int start, end, tx_time;
unsigned int tx_len = 0;
int ret = 0;
u32 reg;
@@ -279,9 +280,16 @@ static int sun4i_spi_transfer_one(struct
reg = sun4i_spi_read(sspi, SUN4I_CTL_REG);
sun4i_spi_write(sspi, SUN4I_CTL_REG, reg | SUN4I_CTL_XCH);

+ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+ start = jiffies;
timeout = wait_for_completion_timeout(&sspi->done,
- msecs_to_jiffies(1000));
+ msecs_to_jiffies(tx_time));
+ end = jiffies;
if (!timeout) {
+ dev_warn(&master->dev,
+ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+ dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+ jiffies_to_msecs(end - start), tx_time);
ret = -ETIMEDOUT;
goto out;
}
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -160,6 +160,7 @@ static int sun6i_spi_transfer_one(struct
{
struct sun6i_spi *sspi = spi_master_get_devdata(master);
unsigned int mclk_rate, div, timeout;
+ unsigned int start, end, tx_time;
unsigned int tx_len = 0;
int ret = 0;
u32 reg;
@@ -269,9 +270,16 @@ static int sun6i_spi_transfer_one(struct
reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG);
sun6i_spi_write(sspi, SUN6I_TFR_CTL_REG, reg | SUN6I_TFR_CTL_XCH);

+ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+ start = jiffies;
timeout = wait_for_completion_timeout(&sspi->done,
- msecs_to_jiffies(1000));
+ msecs_to_jiffies(tx_time));
+ end = jiffies;
if (!timeout) {
+ dev_warn(&master->dev,
+ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+ dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+ jiffies_to_msecs(end - start), tx_time);
ret = -ETIMEDOUT;
goto out;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:06 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Minfei Huang <mng...@gmail.com>

commit 749d088b8e7f4b9826ede02b9a043e417fa84aa1 upstream.

Protocol for the "version" fields is: hypervisor raises it (making it
uneven) before it starts updating the fields and raises it again (making
it even) when it is done. Thus the guest can make sure the time values
it got are consistent by checking the version before and after reading
them.

Add CPU barries after getting version value just like what function
vread_pvclock does, because all of callees in this function is inline.

Fixes: 502dfeff239e8313bfbe906ca0a1a6827ac8481b
Signed-off-by: Minfei Huang <mng...@gmail.com>
Signed-off-by: Paolo Bonzini <pbon...@redhat.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/x86/include/asm/pvclock.h | 2 ++
arch/x86/kernel/pvclock.c | 4 ++++
2 files changed, 6 insertions(+)

--- a/arch/x86/include/asm/pvclock.h
+++ b/arch/x86/include/asm/pvclock.h
@@ -85,6 +85,8 @@ unsigned __pvclock_read_cycles(const str
u8 ret_flags;

version = src->version;
+ /* Make the latest version visible */
+ smp_rmb();

offset = pvclock_get_nsec_offset(src);
ret = src->system_time + offset;
--- a/arch/x86/kernel/pvclock.c
+++ b/arch/x86/kernel/pvclock.c
@@ -66,6 +66,8 @@ u8 pvclock_read_flags(struct pvclock_vcp

do {
version = __pvclock_read_cycles(src, &ret, &flags);
+ /* Make sure that the version double-check is last. */
+ smp_rmb();
} while ((src->version & 1) || version != src->version);

return flags & valid_flags;
@@ -80,6 +82,8 @@ cycle_t pvclock_clocksource_read(struct

do {
version = __pvclock_read_cycles(src, &ret, &flags);
+ /* Make sure that the version double-check is last. */
+ smp_rmb();
} while ((src->version & 1) || version != src->version);

if (unlikely((flags & PVCLOCK_GUEST_STOPPED) != 0)) {

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:06 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Scott Bauer <sba...@plzdonthack.me>

commit 10eec60ce79187686e052092e5383c99b4420a20 upstream.

This prevents a double-fetch from user space that can lead to to an
undersized allocation and heap overflow.

Fixes: 54dbc1517237 ("vfs: hoist the btrfs deduplication ioctl to the vfs")
Signed-off-by: Scott Bauer <sba...@plzdonthack.me>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/ioctl.c | 1 +

1 file changed, 1 insertion(+)

--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -590,6 +590,7 @@ static long ioctl_file_dedupe_range(stru
goto out;
}

+ same->dest_count = count;
ret = vfs_dedupe_file_range(file, same);
if (ret)
goto out;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:06 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Scott Mayhew <sma...@redhat.com>

commit cb7d224f82e41d82518e7f9ea271d215d4d08e6e upstream.

If the lockd service fails to start up then we need to be sure that the
notifier blocks are not registered, otherwise a subsequent start of the
service could cause the same notifier to be registered twice, leading to
soft lockups.

Signed-off-by: Scott Mayhew <sma...@redhat.com>
Fixes: 0751ddf77b6a "lockd: Register callbacks on the inetaddr_chain..."
Signed-off-by: J. Bruce Fields <bfi...@redhat.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/lockd/svc.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)

--- a/fs/lockd/svc.c
+++ b/fs/lockd/svc.c
@@ -335,12 +335,17 @@ static struct notifier_block lockd_inet6
};
#endif

-static void lockd_svc_exit_thread(void)
+static void lockd_unregister_notifiers(void)
{
unregister_inetaddr_notifier(&lockd_inetaddr_notifier);
#if IS_ENABLED(CONFIG_IPV6)
unregister_inet6addr_notifier(&lockd_inet6addr_notifier);
#endif
+}
+
+static void lockd_svc_exit_thread(void)
+{
+ lockd_unregister_notifiers();
svc_exit_thread(nlmsvc_rqst);
}

@@ -462,7 +467,7 @@ int lockd_up(struct net *net)
* Note: svc_serv structures have an initial use count of 1,
* so we exit through here on both success and failure.
*/
-err_net:
+err_put:
svc_destroy(serv);
err_create:
mutex_unlock(&nlmsvc_mutex);
@@ -470,7 +475,9 @@ err_create:

err_start:
lockd_down_net(serv, net);
- goto err_net;
+err_net:
+ lockd_unregister_notifiers();
+ goto err_put;
}
EXPORT_SYMBOL_GPL(lockd_up);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:06 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osa...@fb.com>

commit 8ba8682107ee2ca3347354e018865d8e1967c5f4 upstream.

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#define _GNU_SOURCE
#include <assert.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;

/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);

nproc = sysconf(_SC_NPROCESSORS_ONLN);

for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}

pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}

for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}

return 0;
}

This gets us KASAN dumps like this:

[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------

[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Omar Sandoval <osa...@fb.com>
Signed-off-by: Jens Axboe <ax...@fb.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

block/ioprio.c | 2 ++
1 file changed, 2 insertions(+)

--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -150,8 +150,10 @@ static int get_task_ioprio(struct task_s
if (ret)
goto out;
ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+ task_lock(p);
if (p->io_context)
ret = p->io_context->ioprio;
+ task_unlock(p);
out:
return ret;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ping Cheng <ping...@gmail.com>

commit 12afb34400eb2b301f06b2aa3535497d14faee59 upstream.

Somehow the patch that added two-finger touch support forgot to update
W8001_MAX_LENGTH from 11 to 13.

Signed-off-by: Ping Cheng <pi...@wacom.com>
Reviewed-by: Peter Hutterer <peter.h...@who-t.net>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/input/touchscreen/wacom_w8001.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/wacom_w8001.c
+++ b/drivers/input/touchscreen/wacom_w8001.c
@@ -27,7 +27,7 @@ MODULE_AUTHOR("Jaya Kumar <jayakumar.lkm
MODULE_DESCRIPTION(DRIVER_DESC);
MODULE_LICENSE("GPL");

-#define W8001_MAX_LENGTH 11
+#define W8001_MAX_LENGTH 13
#define W8001_LEAD_MASK 0x80
#define W8001_LEAD_BYTE 0x80
#define W8001_TAB_MASK 0x40

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Taras Kondratiuk <tako...@cisco.com>

commit f68381a70bb2b26c31b13fdaf67c778f92fd32b4 upstream.

The code that fills packed command header assumes that CPU runs in
little-endian mode. Hence the header is malformed in big-endian mode
and causes MMC data transfer errors:

[ 563.200828] mmcblk0: error -110 transferring data, sector 2048, nr 8, cmd response 0x900, card status 0xc40
[ 563.219647] mmcblk0: packed cmd failed, nr 2, sectors 16, failure index: -1

Convert header data to LE.

Signed-off-by: Taras Kondratiuk <tako...@cisco.com>
Fixes: ce39f9d17c14 ("mmc: support packed write command for eMMC4.5 devices")
Signed-off-by: Ulf Hansson <ulf.h...@linaro.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/mmc/card/block.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/mmc/card/block.c
+++ b/drivers/mmc/card/block.c
@@ -1762,8 +1762,8 @@ static void mmc_blk_packed_hdr_wrq_prep(

packed_cmd_hdr = packed->cmd_hdr;
memset(packed_cmd_hdr, 0, sizeof(packed->cmd_hdr));
- packed_cmd_hdr[0] = (packed->nr_entries << 16) |
- (PACKED_CMD_WR << 8) | PACKED_CMD_VER;
+ packed_cmd_hdr[0] = cpu_to_le32((packed->nr_entries << 16) |
+ (PACKED_CMD_WR << 8) | PACKED_CMD_VER);
hdr_blocks = mmc_large_sector(card) ? 8 : 1;

/*
@@ -1777,14 +1777,14 @@ static void mmc_blk_packed_hdr_wrq_prep(
((brq->data.blocks * brq->data.blksz) >=
card->ext_csd.data_tag_unit_size);
/* Argument of CMD23 */
- packed_cmd_hdr[(i * 2)] =
+ packed_cmd_hdr[(i * 2)] = cpu_to_le32(
(do_rel_wr ? MMC_CMD23_ARG_REL_WR : 0) |
(do_data_tag ? MMC_CMD23_ARG_TAG_REQ : 0) |
- blk_rq_sectors(prq);
+ blk_rq_sectors(prq));
/* Argument of CMD18 or CMD25 */
- packed_cmd_hdr[((i * 2)) + 1] =
+ packed_cmd_hdr[((i * 2)) + 1] = cpu_to_le32(
mmc_card_blockaddr(card) ?
- blk_rq_pos(prq) : blk_rq_pos(prq) << 9;
+ blk_rq_pos(prq) : blk_rq_pos(prq) << 9);
packed->blocks += blk_rq_sectors(prq);
i++;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Peter Zijlstra <pet...@infradead.org>

commit 7dd4912594daf769a46744848b05bd5bc6d62469 upstream.

Starting with the following commit:

fde7d22e01aa ("sched/fair: Fix overly small weight for interactive group entities")

calc_tg_weight() doesn't compute the right value as expected by effective_load().

The difference is in the 'correction' term. In order to ensure \Sum
rw_j >= rw_i we cannot use tg->load_avg directly, since that might be
lagging a correction on the current cfs_rq->avg.load_avg value.
Therefore we use tg->load_avg - cfs_rq->tg_load_avg_contrib +
cfs_rq->avg.load_avg.

Now, per the referenced commit, calc_tg_weight() doesn't use
cfs_rq->avg.load_avg, as is later used in @w, but uses
cfs_rq->load.weight instead.

So stop using calc_tg_weight() and do it explicitly.

The effects of this bug are wake_affine() making randomly
poor choices in cgroup-intense workloads.

Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org>

Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>

Fixes: fde7d22e01aa ("sched/fair: Fix overly small weight for interactive group entities")
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

unread,

Aug 8, 2016, 3:30:08 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <sock...@hartkopp.net>

commit bce271f255dae8335dc4d2ee2c4531e09cc67f5a upstream.

With upstream commit bb208f144cf3f59 (can: fix handling of unmodifiable
configuration options) a new can_validate() function was introduced.

When invoking 'ip link set can0 type can' without any configuration data
can_validate() tries to validate the content without taking into account that
there's totally no content. This patch adds a check for missing content.

Reported-by: ajneu <ajn...@gmail.com>
Signed-off-by: Oliver Hartkopp <sock...@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/net/can/dev.c | 3 +++
1 file changed, 3 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -798,6 +798,9 @@ static int can_validate(struct nlattr *t
* - control mode with CAN_CTRLMODE_FD set
*/

+ if (!data)
+ return 0;
+
if (data[IFLA_CAN_CTRLMODE]) {
struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:08 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Miklos Szeredi <msze...@redhat.com>

commit c1892c37769cf89c7e7ba57528ae2ccb5d153c9b upstream.

file_remove_privs() is called with inode lock on file_inode(), which
proceeds to calling notify_change() on file->f_path.dentry. Which triggers
the WARN_ON_ONCE(!inode_is_locked(inode)) in addition to deadlocking later
when ovl_setattr tries to lock the underlying inode again.

Fix this mess by not mixing the layers, but doing everything on underlying
dentry/inode.

Signed-off-by: Miklos Szeredi <msze...@redhat.com>
Fixes: 07a2daab49c5 ("ovl: Copy up underlying inode's ->i_mode to overlay inode")

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/inode.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/inode.c
+++ b/fs/inode.c
@@ -1739,8 +1739,8 @@ static int __remove_privs(struct dentry
*/
int file_remove_privs(struct file *file)
{
- struct dentry *dentry = file->f_path.dentry;
- struct inode *inode = d_inode(dentry);
+ struct dentry *dentry = file_dentry(file);
+ struct inode *inode = file_inode(file);
int kill;
int error = 0;

@@ -1748,7 +1748,7 @@ int file_remove_privs(struct file *file)
if (IS_NOSEC(inode))
return 0;

- kill = file_needs_remove_privs(file);
+ kill = dentry_needs_remove_privs(dentry);
if (kill < 0)
return kill;
if (kill)

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:09 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <t...@kernel.org>

commit 1488a1e3828d60d74c9b802a05e24c0487babe4e upstream.

Since 34b48db66e08 ("block: remove artifical max_hw_sectors cap"),
max_sectors is no longer limited to BLK_DEF_MAX_SECTORS and LITE-ON
CX1-JB256-HP keeps timing out with higher max_sectors. Revert it to
the previous value.

Signed-off-by: Tejun Heo <t...@kernel.org>
Reported-by: dgera...@gmail.com
Link: https://bugzilla.kernel.org/show_bug.cgi?id=121671
Fixes: 34b48db66e08 ("block: remove artifical max_hw_sectors cap")
Signed-off-by: Tejun Heo <t...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/ata/libata-core.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -4141,6 +4141,12 @@ static const struct ata_blacklist_entry
*/
{ "ST380013AS", "3.20", ATA_HORKAGE_MAX_SEC_1024 },

+ /*
+ * Device times out with higher max sects.
+ * https://bugzilla.kernel.org/show_bug.cgi?id=121671
+ */
+ { "LITEON CX1-JB256-HP", NULL, ATA_HORKAGE_MAX_SEC_1024 },
+
/* Devices we expect to fail diagnostics */

/* Devices where NCQ should be avoided */

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:09 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexander Shishkin <alexander...@linux.intel.com>

commit 7a1a47ce35821b40f5b2ce46379ba14393bc3873 upstream.

This adds Intel(R) Trace Hub PCI ID for Kaby Lake PCH-H.

Signed-off-by: Alexander Shishkin <alexander...@linux.intel.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/hwtracing/intel_th/pci.c | 5 +++++
1 file changed, 5 insertions(+)

--- a/drivers/hwtracing/intel_th/pci.c
+++ b/drivers/hwtracing/intel_th/pci.c
@@ -75,6 +75,11 @@ static const struct pci_device_id intel_
PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x0a80),
.driver_data = (kernel_ulong_t)0,
},
+ {
+ /* Kaby Lake PCH-H */
+ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0xa2a6),
+ .driver_data = (kernel_ulong_t)0,
+ },
{ 0 },
};

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sinclair Yeh <sy...@vmware.com>

commit 60842ef8128e7bf58c024814cd0dc14319232b6c upstream.

The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource. This
causes the port to be reserved by the APCI module as the system comes up,
making it unavailable to be reserved again by other drivers, thus
preserving this VMWare port for special use in a VMWare guest.

This port is designed to be shared among multiple VMWare services, such as
the VMMOUSE. Because of this, VMMOUSE should not try to reserve this port
on its own.

The VMWare non-EFI BIOS does not do this to preserve compatibility with
existing/legacy VMs. It is known that there is small chance a VM may be
configured such that these ports get reserved by other non-VMWare devices,
and if this ever happens, the result is undefined.

Signed-off-by: Sinclair Yeh <sy...@vmware.com>
Reviewed-by: Thomas Hellstrom <thell...@vmware.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/input/mouse/vmmouse.c | 22 ++--------------------
1 file changed, 2 insertions(+), 20 deletions(-)

--- a/drivers/input/mouse/vmmouse.c
+++ b/drivers/input/mouse/vmmouse.c
@@ -355,18 +355,11 @@ int vmmouse_detect(struct psmouse *psmou
return -ENXIO;
}

- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
- psmouse_dbg(psmouse, "VMMouse port in use.\n");
- return -EBUSY;
- }
-
/* Check if the device is present */
response = ~VMMOUSE_PROTO_MAGIC;
VMMOUSE_CMD(GETVERSION, 0, version, response, dummy1, dummy2);
- if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU) {
- release_region(VMMOUSE_PROTO_PORT, 4);
+ if (response != VMMOUSE_PROTO_MAGIC || version == 0xffffffffU)
return -ENXIO;
- }

if (set_properties) {
psmouse->vendor = VMMOUSE_VENDOR;
@@ -374,8 +367,6 @@ int vmmouse_detect(struct psmouse *psmou
psmouse->model = version;
}

- release_region(VMMOUSE_PROTO_PORT, 4);
-
return 0;
}

@@ -394,7 +385,6 @@ static void vmmouse_disconnect(struct ps
psmouse_reset(psmouse);
input_unregister_device(priv->abs_dev);
kfree(priv);
- release_region(VMMOUSE_PROTO_PORT, 4);
}

/**
@@ -438,15 +428,10 @@ int vmmouse_init(struct psmouse *psmouse
struct input_dev *rel_dev = psmouse->dev, *abs_dev;
int error;

- if (!request_region(VMMOUSE_PROTO_PORT, 4, "vmmouse")) {
- psmouse_dbg(psmouse, "VMMouse port in use.\n");
- return -EBUSY;
- }
-
psmouse_reset(psmouse);
error = vmmouse_enable(psmouse);
if (error)
- goto release_region;
+ return error;

priv = kzalloc(sizeof(*priv), GFP_KERNEL);
abs_dev = input_allocate_device();
@@ -502,8 +487,5 @@ init_fail:
kfree(priv);
psmouse->private = NULL;

-release_region:
- release_region(VMMOUSE_PROTO_PORT, 4);
-
return error;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Vegard Nossum <vegard...@oracle.com>

commit 3dad5424adfb346c871847d467f97dcdca64ea97 upstream.

If register_pernet_subsys() fails, we shouldn't try to call
unregister_pernet_subsys().

Fixes: 467fa15356 ("RDS-TCP: Support multiple RDS-TCP listen endpoints, one per netns.")
Cc: Sowmini Varadhan <sowmini....@oracle.com>
Cc: David S. Miller <da...@davemloft.net>
Signed-off-by: Vegard Nossum <vegard...@oracle.com>
Acked-by: Sowmini Varadhan <sowmini....@oracle.com>
Acked-by: Santosh Shilimkar <santosh....@oracle.com>
Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

net/rds/tcp.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

--- a/net/rds/tcp.c
+++ b/net/rds/tcp.c
@@ -544,7 +544,7 @@ static int rds_tcp_init(void)

ret = rds_tcp_recv_init();
if (ret)
- goto out_slab;
+ goto out_pernet;

ret = rds_trans_register(&rds_tcp_transport);
if (ret)
@@ -556,8 +556,9 @@ static int rds_tcp_init(void)

out_recv:
rds_tcp_recv_exit();
-out_slab:
+out_pernet:
unregister_pernet_subsys(&rds_tcp_net_ops);
+out_slab:
kmem_cache_destroy(rds_tcp_conn_slab);
out:
return ret;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Oliver Hartkopp <sock...@hartkopp.net>

commit 25e1ed6e64f52a692ba3191c4fde650aab3ecc07 upstream.

For 'real' hardware CAN devices the netlink interface is used to set CAN
specific communication parameters. Real CAN hardware can not be created nor
removed with the ip tool ...

This patch adds a private dellink function for the CAN device driver interface
that does just nothing.

It's a follow up to commit 993e6f2fd ("can: fix oops caused by wrong rtnl
newlink usage") but for dellink.

Reported-by: ajneu <ajn...@gmail.com>
Signed-off-by: Oliver Hartkopp <sock...@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <m...@pengutronix.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/net/can/dev.c | 6 ++++++

1 file changed, 6 insertions(+)

--- a/drivers/net/can/dev.c
+++ b/drivers/net/can/dev.c
@@ -1011,6 +1011,11 @@ static int can_newlink(struct net *src_n
return -EOPNOTSUPP;
}

+static void can_dellink(struct net_device *dev, struct list_head *head)
+{
+ return;
+}
+
static struct rtnl_link_ops can_link_ops __read_mostly = {
.kind = "can",
.maxtype = IFLA_CAN_MAX,
@@ -1019,6 +1024,7 @@ static struct rtnl_link_ops can_link_ops
.validate = can_validate,
.newlink = can_newlink,
.changelink = can_changelink,
+ .dellink = can_dellink,
.get_size = can_get_size,
.fill_info = can_fill_info,
.get_xstats_size = can_get_xstats_size,

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ursula Braun <ubr...@linux.vnet.ibm.com>

commit 7831b4ff0d926e0deeaabef9db8800ed069a2757 upstream.

A qeth_card contains a napi_struct linked to the net_device during
device probing. This struct must be deleted when removing the qeth
device, otherwise Panic on oops can occur when qeth devices are
repeatedly removed and added.

Fixes: a1c3ed4c9ca ("qeth: NAPI support for l2 and l3 discipline")
Signed-off-by: Ursula Braun <ubr...@linux.vnet.ibm.com>
Tested-by: Alexander Klein <AL...@de.ibm.com>

Signed-off-by: David S. Miller <da...@davemloft.net>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/s390/net/qeth_l2_main.c | 1 +
drivers/s390/net/qeth_l3_main.c | 1 +
2 files changed, 2 insertions(+)

--- a/drivers/s390/net/qeth_l2_main.c
+++ b/drivers/s390/net/qeth_l2_main.c
@@ -1051,6 +1051,7 @@ static void qeth_l2_remove_device(struct
qeth_l2_set_offline(cgdev);

if (card->dev) {
+ netif_napi_del(&card->napi);
unregister_netdev(card->dev);
card->dev = NULL;
}
--- a/drivers/s390/net/qeth_l3_main.c
+++ b/drivers/s390/net/qeth_l3_main.c
@@ -3226,6 +3226,7 @@ static void qeth_l3_remove_device(struct
qeth_l3_set_offline(cgdev);

if (card->dev) {
+ netif_napi_del(&card->napi);
unregister_netdev(card->dev);
card->dev = NULL;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Randy Dunlap <rdu...@infradead.org>

commit 076501ff6ba265a473689c112eda9f1f34f620b5 upstream.

The "expert" menu was broken (split) such that all entries in it after
KALLSYMS were displayed in the "General setup" area instead of in the
"Expert users" area. Fix this by adding one kconfig dependency.

Yes, the Expert users menu is fragile. Problems like this have happened
several times in the past. I will attempt to isolate the Expert users
menu if there is interest in that.

Fixes: 4d5d5664c900 ("x86: kallsyms: disable absolute percpu symbols on !SMP")
Signed-off-by: Randy Dunlap <rdu...@infradead.org>
Cc: Ard Biesheuvel <ard.bie...@linaro.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

init/Kconfig | 1 +

1 file changed, 1 insertion(+)

--- a/init/Kconfig
+++ b/init/Kconfig
@@ -1423,6 +1423,7 @@ config KALLSYMS_ALL

config KALLSYMS_ABSOLUTE_PERCPU
bool
+ depends on KALLSYMS
default X86_64 && SMP

config KALLSYMS_BASE_RELATIVE

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Ping Cheng <ping...@gmail.com>

commit 9e72ac7492149a229ce9039c680849cb682d7092 upstream.

ThinkPad X60 Tablet PC (pen only device) sometime posts
packets that are larger than W8001_PKTLEN_TPCPEN.

Reported-by: Chris J Arges <christop...@gmail.com>
Tested-by: Chris J Arges <christop...@gmail.com>

Signed-off-by: Ping Cheng <pi...@wacom.com>
Reviewed-by: Peter Hutterer <peter.h...@who-t.net>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/input/touchscreen/wacom_w8001.c | 9 +++++++++
1 file changed, 9 insertions(+)

--- a/drivers/input/touchscreen/wacom_w8001.c
+++ b/drivers/input/touchscreen/wacom_w8001.c
@@ -339,6 +339,15 @@ static irqreturn_t w8001_interrupt(struc
w8001->idx = 0;
parse_multi_touch(w8001);
break;
+
+ default:
+ /*
+ * ThinkPad X60 Tablet PC (pen only device) sometimes
+ * sends invalid data packets that are larger than
+ * W8001_PKTLEN_TPCPEN. Let's start over again.
+ */
+ if (!w8001->touch_dev && w8001->idx > W8001_PKTLEN_TPCPEN - 1)
+ w8001->idx = 0;
}

return IRQ_HANDLED;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Paul Burton <paul....@imgtec.com>

commit 547aefc4db877e65245c3d95fcce703701bf3a0c upstream.

Commit fbde2d7d8290 ("MIPS: Add generic SMP IPI support") introduced
code which calls irq_find_matching_host with a NULL node parameter in
order to discover IPI IRQ domains which are not associated with the DT
root node's interrupt parent. This suggests that implementations of IPI
IRQ domains should effectively ignore the node parameter if it is NULL
and search purely based upon the bus token. Commit 2af70a962070
("irqchip/mips-gic: Add a IPI hierarchy domain") did not do this when
implementing the GIC IPI IRQ domain, and on MIPS Boston boards this
leads to no IPI domain being discovered and a NULL pointer dereference
when attempting to send an IPI:

CPU 0 Unable to handle kernel paging request at virtual address 0000000000000040, epc == ffffffff8016e70c, ra == ffffffff8010ff5c
Oops[#1]:
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.7.0-rc6-00223-gad0d1b6 #945
task: a8000000ff066fc0 ti: a8000000ff068000 task.ti: a8000000ff068000
$ 0 : 0000000000000000 0000000000000001 ffffffff80730000 0000000000000003
$ 4 : 0000000000000000 ffffffff8057e5b0 a800000001e3ee00 0000000000000000
$ 8 : 0000000000000000 0000000000000023 0000000000000001 0000000000000001
$12 : 0000000000000000 ffffffff803323d0 0000000000000000 0000000000000000
$16 : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
$20 : 0000000000000000 ffffffff8057e5b0 0000000000000001 0000000000000000
$24 : 0000000000000000 ffffffff8012de28
$28 : a8000000ff068000 a8000000ff06fbc0 0000000000000000 ffffffff8010ff5c
Hi : ffffffff8014c174
Lo : a800000001e1e140
epc : ffffffff8016e70c __ipi_send_mask+0x24/0x11c
ra : ffffffff8010ff5c mips_smp_send_ipi_mask+0x68/0x178
Status: 140084e2 KX SX UX KERNEL EXL
Cause : 00800008 (ExcCode 02)
BadVA : 0000000000000040
PrId : 0001a920 (MIPS I6400)
Process swapper/0 (pid: 1, threadinfo=a8000000ff068000, task=a8000000ff066fc0, tls=0000000000000000)
Stack : 0000000000000000 0000000000000000 0000000000000001 ffffffff801108fc
0000000000000000 ffffffff8057e5b0 0000000000000001 ffffffff8010ff5c
0000000000000001 0000000000000020 0000000000000000 0000000000000000
0000000000000000 ffffffff801108fc 0000000000000000 0000000000000001
0000000000000001 0000000000000000 0000000000000000 ffffffff801865e8
a8000000ff0c7500 a8000000ff06fc90 0000000000000001 0000000000000002
ffffffff801108fc ffffffff801868b8 0000000000000000 ffffffff801108fc
0000000000000000 0000000000000003 ffffffff8068c700 0000000000000001
ffffffff80730000 0000000000000001 a8000000ff00a290 ffffffff80110c50
0000000000000003 a800000001e48308 0000000000000003 0000000000000008
...
Call Trace:
[<ffffffff8016e70c>] __ipi_send_mask+0x24/0x11c
[<ffffffff8010ff5c>] mips_smp_send_ipi_mask+0x68/0x178
[<ffffffff801865e8>] generic_exec_single+0x150/0x170
[<ffffffff801868b8>] smp_call_function_single+0x108/0x160
[<ffffffff80110c50>] cps_boot_secondary+0x328/0x394
[<ffffffff80110534>] __cpu_up+0x38/0x90
[<ffffffff8012de4c>] bringup_cpu+0x24/0xac
[<ffffffff8012df40>] cpuhp_up_callbacks+0x58/0xdc
[<ffffffff8012e648>] cpu_up+0x118/0x18c
[<ffffffff806dc158>] smp_init+0xbc/0xe8
[<ffffffff806d4c18>] kernel_init_freeable+0xa0/0x228
[<ffffffff8056c908>] kernel_init+0x10/0xf0
[<ffffffff80105098>] ret_from_kernel_thread+0x14/0x1c

Fix this by allowing the GIC IPI IRQ domain to match purely based upon
the bus token if the node provided is NULL.

Fixes: 2af70a962070 ("irqchip/mips-gic: Add a IPI hierarchy domain")
Signed-off-by: Paul Burton <paul....@imgtec.com>
Cc: linux...@linux-mips.org
Cc: Jason Cooper <ja...@lakedaemon.net>
Cc: Qais Yousef <qsyo...@gmail.com>
Cc: Ralf Baechle <ra...@linux-mips.org>
Cc: Marc Zyngier <marc.z...@arm.com>
Link: http://lkml.kernel.org/r/20160705132600.27...@imgtec.com
Signed-off-by: Thomas Gleixner <tg...@linutronix.de>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/irqchip/irq-mips-gic.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/irqchip/irq-mips-gic.c
+++ b/drivers/irqchip/irq-mips-gic.c
@@ -947,7 +947,7 @@ int gic_ipi_domain_match(struct irq_doma
switch (bus_token) {
case DOMAIN_BUS_IPI:
is_ipi = d->bus_token == bus_token;
- return to_of_node(d->fwnode) == node && is_ipi;
+ return (!node || to_of_node(d->fwnode) == node) && is_ipi;
break;
default:
return 0;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: James Patrick-Evans <ja...@jmp-e.com>

commit aa93d1fee85c890a34f2510a310e55ee76a27848 upstream.

Fix a memory leak on probe error of the airspy usb device driver.

The problem is triggered when more than 64 usb devices register with
v4l2 of type VFL_TYPE_SDR or VFL_TYPE_SUBDEV.

The memory leak is caused by the probe function of the airspy driver
mishandeling errors and not freeing the corresponding control structures
when an error occours registering the device to v4l2 core.

A badusb device can emulate 64 of these devices, and then through
continual emulated connect/disconnect of the 65th device, cause the
kernel to run out of RAM and crash the kernel, thus causing a local DOS
vulnerability.

Fixes CVE-2016-5400

Signed-off-by: James Patrick-Evans <ja...@jmp-e.com>
Reviewed-by: Kees Cook <kees...@chromium.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/media/usb/airspy/airspy.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/media/usb/airspy/airspy.c
+++ b/drivers/media/usb/airspy/airspy.c
@@ -1072,7 +1072,7 @@ static int airspy_probe(struct usb_inter
if (ret) {
dev_err(s->dev, "Failed to register as video device (%d)\n",
ret);
- goto err_unregister_v4l2_dev;
+ goto err_free_controls;
}
dev_info(s->dev, "Registered as %s\n",
video_device_node_name(&s->vdev));
@@ -1081,7 +1081,6 @@ static int airspy_probe(struct usb_inter

err_free_controls:
v4l2_ctrl_handler_free(&s->hdl);
-err_unregister_v4l2_dev:
v4l2_device_unregister(&s->v4l2_dev);
err_free_mem:
kfree(s);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:11 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Ulanov <and...@google.com>

commit e06b933e6ded42384164d28a2060b7f89243b895 upstream.

- m_start() in fs/namespace.c expects that ns->event is incremented each
time a mount added or removed from ns->list.
- umount_tree() removes items from the list but does not increment event
counter, expecting that it's done before the function is called.
- There are some codepaths that call umount_tree() without updating
"event" counter. e.g. from __detach_mounts().
- When this happens m_start may reuse a cached mount structure that no
longer belongs to ns->list (i.e. use after free which usually leads
to infinite loop).

This change fixes the above problem by incrementing global event counter
before invoking umount_tree().

Change-Id: I622c8e84dcb9fb63542372c5dbf0178ee86bb589
Signed-off-by: Andrey Ulanov <and...@google.com>
Signed-off-by: Al Viro <vi...@zeniv.linux.org.uk>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

fs/namespace.c | 1 +

1 file changed, 1 insertion(+)

--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -1562,6 +1562,7 @@ void __detach_mounts(struct dentry *dent
goto out_unlock;

lock_mount_hash();
+ event++;
while (!hlist_empty(&mp->m_list)) {
mnt = hlist_entry(mp->m_list.first, struct mount, mnt_mp_list);
if (mnt->mnt.mnt_flags & MNT_UMOUNT) {

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:12 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alan Stern <st...@rowland.harvard.edu>

commit 5e7ff2ca7f2da55fe777167849d0c93403bd0dc8 upstream.

Commit b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching")
changed the way vendor- and model-string matching was carried out in the
routine that looks up entries in a SCSI devinfo list. The new matching
code failed to take into account the case of a maximum-length string; in
such cases it could end up testing for a terminating '\0' byte beyond
the end of the memory allocated to the string. This out-of-bounds bug
was detected by UBSAN.

I don't know if anybody has actually encountered this bug. The symptom
would be that a device entry in the blacklist might not be matched
properly if it contained an 8-character vendor name or a 16-character
model name. Such entries certainly exist in scsi_static_device_list.

This patch fixes the problem by adding a check for a maximum-length
string before the '\0' test.

Signed-off-by: Alan Stern <st...@rowland.harvard.edu>
Fixes: b704f70ce200 ("SCSI: fix bug in scsi_dev_info_list matching")
Tested-by: Wilfried Klaebe <linux-...@lebenslange-mailadresse.de>

Signed-off-by: Martin K. Petersen <martin....@oracle.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/scsi/scsi_devinfo.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/scsi/scsi_devinfo.c
+++ b/drivers/scsi/scsi_devinfo.c
@@ -429,7 +429,7 @@ static struct scsi_dev_info_list *scsi_d
* here, and we don't know what device it is
* trying to work with, leave it as-is.
*/
- vmax = 8; /* max length of vendor */
+ vmax = sizeof(devinfo->vendor);
vskip = vendor;
while (vmax > 0 && *vskip == ' ') {
vmax--;
@@ -439,7 +439,7 @@ static struct scsi_dev_info_list *scsi_d
while (vmax > 0 && vskip[vmax - 1] == ' ')
--vmax;

- mmax = 16; /* max length of model */
+ mmax = sizeof(devinfo->model);
mskip = model;
while (mmax > 0 && *mskip == ' ') {
mmax--;
@@ -455,10 +455,12 @@ static struct scsi_dev_info_list *scsi_d
* Behave like the older version of get_device_flags.
*/
if (memcmp(devinfo->vendor, vskip, vmax) ||
- devinfo->vendor[vmax])
+ (vmax < sizeof(devinfo->vendor) &&
+ devinfo->vendor[vmax]))
continue;
if (memcmp(devinfo->model, mskip, mmax) ||
- devinfo->model[mmax])
+ (mmax < sizeof(devinfo->model) &&
+ devinfo->model[mmax]))
continue;
return devinfo;
} else {

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:30:12 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Cameron Gutman <aicom...@gmail.com>

commit caca925fca4fb30c67be88cacbe908eec6721e43 upstream.

This prevents a malicious USB device from causing an oops.

Signed-off-by: Cameron Gutman <aicom...@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/input/joystick/xpad.c | 3 +++

1 file changed, 3 insertions(+)

--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -1421,6 +1421,9 @@ static int xpad_probe(struct usb_interfa
int ep_irq_in_idx;
int i, error;

+ if (intf->cur_altsetting->desc.bNumEndpoints != 2)
+ return -ENODEV;
+
for (i = 0; xpad_device[i].idVendor; i++) {
if ((le16_to_cpu(udev->descriptor.idVendor) == xpad_device[i].idVendor) &&
(le16_to_cpu(udev->descriptor.idProduct) == xpad_device[i].idProduct))

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:40:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Wenwei Tao <ww.ta...@gmail.com>

commit b00c52dae6d9ee8d0f2407118ef6544ae5524781 upstream.

When create css failed, before call css_free_rcu_fn, we remove the css
id and exit the percpu_ref, but we will do these again in
css_free_work_fn, so they are redundant. Especially the css id, that
would cause problem if we remove it twice, since it may be assigned to
another css after the first remove.

tj: This was broken by two commits updating the free path without
synchronizing the creation failure path. This can be easily
triggered by trying to create more than 64k memory cgroups.

Signed-off-by: Wenwei Tao <ww.ta...@gmail.com>
Signed-off-by: Tejun Heo <t...@kernel.org>
Cc: Vladimir Davydov <vdav...@parallels.com>
Fixes: 9a1049da9bd2 ("percpu-refcount: require percpu_ref to be exited explicitly")
Fixes: 01e586598b22 ("cgroup: release css->id after css_free")

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

kernel/cgroup.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)

--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5150,7 +5150,7 @@ static struct cgroup_subsys_state *css_c

err = cgroup_idr_alloc(&ss->css_idr, NULL, 2, 0, GFP_KERNEL);
if (err < 0)
- goto err_free_percpu_ref;
+ goto err_free_css;
css->id = err;

/* @css is ready to be brought online now, make it visible */
@@ -5174,9 +5174,6 @@ static struct cgroup_subsys_state *css_c

err_list_del:
list_del_rcu(&css->sibling);
- cgroup_idr_remove(&ss->css_idr, css->id);
-err_free_percpu_ref:
- percpu_ref_exit(&css->refcnt);
err_free_css:
call_rcu(&css->rcu_head, css_free_rcu_fn);
return ERR_PTR(err);

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:40:08 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jan Beulich <JBeu...@suse.com>

commit 7469be95a487319514adce2304ad2af3553d2fc9 upstream.

xenbus_dev_request_and_reply() needs to track whether a transaction is
open. For XS_TRANSACTION_START messages it calls transaction_start()
and for XS_TRANSACTION_END messages it calls transaction_end().

If sending an XS_TRANSACTION_START message fails or responds with an
an error, the transaction is not open and transaction_end() must be
called.

If sending an XS_TRANSACTION_END message fails, the transaction is
still open, but if an error response is returned the transaction is
closed.

Commit 027bd7e89906 ("xen/xenbus: Avoid synchronous wait on XenBus
stalling shutdown/restart") introduced a regression where failed
XS_TRANSACTION_START messages were leaving the transaction open. This
can cause problems with suspend (and migration) as all transactions
must be closed before suspending.

It appears that the problematic change was added accidentally, so just
remove it.

Signed-off-by: Jan Beulich <jbeu...@suse.com>
Cc: Konrad Rzeszutek Wilk <konra...@oracle.com>
Signed-off-by: David Vrabel <david....@citrix.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

unread,

Aug 8, 2016, 3:40:20 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <Alexey....@synopsys.com>

commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.

If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
gets called following message gets printed in debug console:
----------------->8---------------
CONFIG_ARC_DW2_UNWIND needs to be enabled
----------------->8---------------

That message makes sense if user indeed wants to see a backtrace or
get nice function call-graphs in perf but what if user disabled
unwinder for the purpose? Why pollute his debug console?

So instead we'll warn user about possibly missing feature once and
let him decide if that was what he or she really wanted.

Signed-off-by: Alexey Brodkin <abro...@synopsys.com>
Signed-off-by: Vineet Gupta <vgu...@synopsys.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/arc/kernel/stacktrace.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -142,7 +142,7 @@ arc_unwind_core(struct task_struct *tsk,
* prelogue is setup (callee regs saved and then fp set and not other
* way around
*/
- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
+ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
return 0;

#endif

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:40:44 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Bob Liu <bob...@oracle.com>

commit 2a6f71ad99cabe436e70c3f5fcf58072cb3bc07f upstream.

After a migrate to another host (which may not have multiqueue
support), the number of rings (block hardware queues)
may be changed and the ring info structure will also be reallocated.

This patch fixes two related bugs:
* call blk_mq_update_nr_hw_queues() to make blk-core know the number
of hardware queues have been changed.
* Don't store rinfo pointer to hctx->driver_data, because rinfo may be
reallocated so use hctx->queue_num to get the rinfo structure instead.

Signed-off-by: Bob Liu <bob...@oracle.com>
Signed-off-by: Konrad Rzeszutek Wilk <konra...@oracle.com>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/block/xen-blkfront.c | 20 ++++++++------------
1 file changed, 8 insertions(+), 12 deletions(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -877,8 +877,12 @@ static int blkif_queue_rq(struct blk_mq_
const struct blk_mq_queue_data *qd)
{
unsigned long flags;
- struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)hctx->driver_data;
+ int qid = hctx->queue_num;
+ struct blkfront_info *info = hctx->queue->queuedata;
+ struct blkfront_ring_info *rinfo = NULL;

+ BUG_ON(info->nr_rings <= qid);
+ rinfo = &info->rinfo[qid];
blk_mq_start_request(qd->rq);
spin_lock_irqsave(&rinfo->ring_lock, flags);
if (RING_FULL(&rinfo->ring))
@@ -904,20 +908,9 @@ out_busy:
return BLK_MQ_RQ_QUEUE_BUSY;
}

-static int blk_mq_init_hctx(struct blk_mq_hw_ctx *hctx, void *data,
- unsigned int index)
-{
- struct blkfront_info *info = (struct blkfront_info *)data;
-
- BUG_ON(info->nr_rings <= index);
- hctx->driver_data = &info->rinfo[index];
- return 0;
-}
-
static struct blk_mq_ops blkfront_mq_ops = {
.queue_rq = blkif_queue_rq,
.map_queue = blk_mq_map_queue,
- .init_hctx = blk_mq_init_hctx,
};

static int xlvbd_init_blk_queue(struct gendisk *gd, u16 sector_size,
@@ -953,6 +946,7 @@ static int xlvbd_init_blk_queue(struct g
return PTR_ERR(rq);
}

+ rq->queuedata = info;
queue_flag_set_unlocked(QUEUE_FLAG_VIRT, rq);

if (info->feature_discard) {
@@ -2137,6 +2131,8 @@ static int blkfront_resume(struct xenbus
return err;

err = talk_to_blkback(dev, info);
+ if (!err)
+ blk_mq_update_nr_hw_queues(&info->tag_set, info->nr_rings);

/*
* We have to wait for the backend to switch to

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:06 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Andrey Ryabinin <arya...@virtuozzo.com>

commit 3cb9185c67304b2a7ea9be73e7d13df6fb2793a1 upstream.

radix_tree_iter_retry() resets slot to NULL, but it doesn't reset tags.
Then NULL slot and non-zero iter.tags passed to radix_tree_next_slot()
leading to crash:

RIP: radix_tree_next_slot include/linux/radix-tree.h:473
find_get_pages_tag+0x334/0x930 mm/filemap.c:1452
....
Call Trace:
pagevec_lookup_tag+0x3a/0x80 mm/swap.c:960
mpage_prepare_extent_to_map+0x321/0xa90 fs/ext4/inode.c:2516
ext4_writepages+0x10be/0x2b20 fs/ext4/inode.c:2736
do_writepages+0x97/0x100 mm/page-writeback.c:2364
__filemap_fdatawrite_range+0x248/0x2e0 mm/filemap.c:300
filemap_write_and_wait_range+0x121/0x1b0 mm/filemap.c:490
ext4_sync_file+0x34d/0xdb0 fs/ext4/fsync.c:115
vfs_fsync_range+0x10a/0x250 fs/sync.c:195
vfs_fsync fs/sync.c:209
do_fsync+0x42/0x70 fs/sync.c:219
SYSC_fdatasync fs/sync.c:232
SyS_fdatasync+0x19/0x20 fs/sync.c:230
entry_SYSCALL_64_fastpath+0x23/0xc1 arch/x86/entry/entry_64.S:207

We must reset iterator's tags to bail out from radix_tree_next_slot()
and go to the slow-path in radix_tree_next_chunk().

Fixes: 46437f9a554f ("radix-tree: fix race in gang lookup")
Link: http://lkml.kernel.org/r/1468495196-10604-1-gi...@virtuozzo.com
Signed-off-by: Andrey Ryabinin <arya...@virtuozzo.com>
Reported-by: Dmitry Vyukov <dvy...@google.com>
Acked-by: Konstantin Khlebnikov <koc...@gmail.com>
Cc: Matthew Wilcox <wi...@linux.intel.com>
Cc: Hugh Dickins <hu...@google.com>
Cc: Ross Zwisler <ross.z...@linux.intel.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

include/linux/radix-tree.h | 1 +

1 file changed, 1 insertion(+)

--- a/include/linux/radix-tree.h
+++ b/include/linux/radix-tree.h
@@ -399,6 +399,7 @@ static inline __must_check
void **radix_tree_iter_retry(struct radix_tree_iter *iter)
{
iter->next_index = iter->index;
+ iter->tags = 0;
return NULL;
}

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Jiri Slaby <jsl...@suse.cz>

commit 368301f2fe4b07e5fb71dba3cc566bc59eb6705f upstream.

With this command sequence:

modprobe plip
modprobe pps_parport
rmmod pps_parport

the partport_pps modules causes this crash:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: parport_detach+0x1d/0x60 [pps_parport]
Oops: 0000 [#1] SMP
...
Call Trace:
parport_unregister_driver+0x65/0xc0 [parport]
SyS_delete_module+0x187/0x210

The sequence that builds up to this is:

1) plip is loaded and takes the parport device for exclusive use:

plip0: Parallel port at 0x378, using IRQ 7.

2) pps_parport then fails to grab the device:

pps_parport: parallel port PPS client
parport0: cannot grant exclusive access for device pps_parport
pps_parport: couldn't register with parport0

3) rmmod of pps_parport is then killed because it tries to access
pardev->name, but pardev (taken from port->cad) is NULL.

So add a check for NULL in the test there too.

Link: http://lkml.kernel.org/r/20160714115245...@suse.cz
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
Acked-by: Rodolfo Giometti <giom...@enneenne.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

drivers/pps/clients/pps_parport.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pps/clients/pps_parport.c
+++ b/drivers/pps/clients/pps_parport.c
@@ -195,7 +195,7 @@ static void parport_detach(struct parpor
struct pps_client_pp *device;

/* FIXME: oooh, this is ugly! */
- if (strcmp(pardev->name, KBUILD_MODNAME))
+ if (!pardev || strcmp(pardev->name, KBUILD_MODNAME))
/* not our port */
return;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Wunner <lu...@wunner.de>

commit 447d29d1d3aed839e74c2401ef63387780ac51ed upstream.

Since the following commit:

8659c406ade3 ("x86: only scan the root bus in early PCI quirks")

... early quirks are only applied to devices on the root bus.

The motivation was to prevent application of the nvidia_bugs quirk on
secondary buses.

We're about to reintroduce scanning of secondary buses for a quirk to
reset the Broadcom 4331 wireless card on 2011/2012 Macs. To prevent
regressions, open code the requirement to apply nvidia_bugs only on the
root bus.

Signed-off-by: Lukas Wunner <lu...@wunner.de>
Cc: Andy Lutomirski <lu...@kernel.org>
Cc: Bjorn Helgaas <bhel...@google.com>
Cc: Borislav Petkov <b...@alien8.de>
Cc: Brian Gerst <brg...@gmail.com>
Cc: Denys Vlasenko <dvla...@redhat.com>
Cc: H. Peter Anvin <h...@zytor.com>
Cc: Josh Poimboeuf <jpoi...@redhat.com>
Cc: Linus Torvalds <torv...@linux-foundation.org>
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Thomas Gleixner <tg...@linutronix.de>
Cc: Yinghai Lu <yin...@kernel.org>
Link: http://lkml.kernel.org/r/4d5477c1d76b2f0387a780f2142bbc...@wunner.de
Signed-off-by: Ingo Molnar <mi...@kernel.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

arch/x86/kernel/early-quirks.c | 7 +++++++
1 file changed, 7 insertions(+)

--- a/arch/x86/kernel/early-quirks.c
+++ b/arch/x86/kernel/early-quirks.c
@@ -76,6 +76,13 @@ static void __init nvidia_bugs(int num,
#ifdef CONFIG_ACPI
#ifdef CONFIG_X86_IO_APIC
/*
+ * Only applies to Nvidia root ports (bus 0) and not to
+ * Nvidia graphics cards with PCI ports on secondary buses.
+ */
+ if (num)
+ return;
+
+ /*
* All timer overrides on Nvidia are
* wrong unless HPET is enabled.
* Unfortunately that's not true on many Asus boards.

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:07 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mel Gorman <mgo...@techsingularity.net>

commit e4568d3803852d00effd41dcdd489e726b998879 upstream.

early_pfn_to_nid can return node 0 if a PFN is invalid on machines that
has no node 0. A machine with only node 1 was observed to crash with
the following message:

BUG: unable to handle kernel paging request at 000000000002a3c8
PGD 0
Modules linked in:
Hardware name: Supermicro H8DSP-8/H8DSP-8, BIOS 080011 06/30/2006
task: ffffffff81c0d500 ti: ffffffff81c00000 task.ti: ffffffff81c00000
RIP: reserve_bootmem_region+0x6a/0xef
CR2: 000000000002a3c8 CR3: 0000000001c06000 CR4: 00000000000006b0
Call Trace:
free_all_bootmem+0x4b/0x12a
mem_init+0x70/0xa3
start_kernel+0x25b/0x49b

The problem is that early_page_uninitialised uses the early_pfn_to_nid
helper which returns node 0 for invalid PFNs. No caller of
early_pfn_to_nid cares except early_page_uninitialised. This patch has
early_pfn_to_nid always return a valid node.

Link: http://lkml.kernel.org/r/1468008031-3848-3-gi...@techsingularity.net
Signed-off-by: Mel Gorman <mgo...@techsingularity.net>
Acked-by: David Rientjes <rien...@google.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>

Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/page_alloc.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1110,7 +1110,7 @@ int __meminit early_pfn_to_nid(unsigned
spin_lock(&early_pfn_lock);
nid = __early_pfn_to_nid(pfn, &early_pfnnid_cache);
if (nid < 0)
- nid = 0;
+ nid = first_online_node;
spin_unlock(&early_pfn_lock);

return nid;

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:07 PM8/8/16

to

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Mel Gorman <mgo...@techsingularity.net>

commit e838a45f9392a5bd2be1cd3ab0b16ae85857461c upstream.

Commit d0164adc89f6 ("mm, page_alloc: distinguish between being unable
to sleep, unwilling to sleep and avoiding waking kswapd") modified
__GFP_WAIT to explicitly identify the difference between atomic callers
and those that were unwilling to sleep. Later the definition was
removed entirely.

The GFP_RECLAIM_MASK is the set of flags that affect watermark checking
and reclaim behaviour but __GFP_ATOMIC was never added. Without it,
atomic users of the slab allocator strip the __GFP_ATOMIC flag and
cannot access the page allocator atomic reserves. This patch addresses
the problem.

The user-visible impact depends on the workload but potentially atomic
allocations unnecessarily fail without this path.

Link: http://lkml.kernel.org/r/2016061009...@techsingularity.net
Signed-off-by: Mel Gorman <mgo...@techsingularity.net>
Reported-by: Marcin Wojtas <m...@semihalf.com>
Acked-by: Vlastimil Babka <vba...@suse.cz>
Acked-by: Michal Hocko <mho...@suse.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/internal.h | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/mm/internal.h
+++ b/mm/internal.h

@@ -22,7 +22,8 @@

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:09 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Vyukov <dvy...@google.com>

commit e41f501d391265ff568f3e49d6128cc30856a36f upstream.

If CONFIG_KASAN is enabled and gcc is configured with
--disable-initfini-array and/or gold linker is used, gcc emits
.ctors/.dtors and .text.startup/.text.exit sections instead of
.init_array/.fini_array. .dtors section is not explicitly accounted in
the linker script and messes vvar/percpu layout.

We want:
ffffffff822bfd80 D _edata
ffffffff822c0000 D __vvar_beginning_hack
ffffffff822c0000 A __vvar_page
ffffffff822c0080 0000000000000098 D vsyscall_gtod_data
ffffffff822c1000 A __init_begin
ffffffff822c1000 D init_per_cpu__irq_stack_union
ffffffff822c1000 A __per_cpu_load
ffffffff822d3000 D init_per_cpu__gdt_page

We got:
ffffffff8279a600 D _edata
ffffffff8279b000 A __vvar_page
ffffffff8279c000 A __init_begin
ffffffff8279c000 D init_per_cpu__irq_stack_union
ffffffff8279c000 A __per_cpu_load
ffffffff8279e000 D __vvar_beginning_hack
ffffffff8279e080 0000000000000098 D vsyscall_gtod_data
ffffffff827ae000 D init_per_cpu__gdt_page

This happens because __vvar_page and .vvar get different addresses in
arch/x86/kernel/vmlinux.lds.S:

. = ALIGN(PAGE_SIZE);
__vvar_page = .;

.vvar : AT(ADDR(.vvar) - LOAD_OFFSET) {
/* work around gold bug 13023 */
__vvar_beginning_hack = .;

Discard .dtors/.fini_array/.text.exit, since we don't call dtors.
Merge .text.startup into init text.

Link: http://lkml.kernel.org/r/1467386363-120030-1-g...@google.com
Signed-off-by: Dmitry Vyukov <dvy...@google.com>
Reviewed-by: Andrey Ryabinin <arya...@virtuozzo.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

include/asm-generic/vmlinux.lds.h | 4 ++++

1 file changed, 4 insertions(+)

--- a/include/asm-generic/vmlinux.lds.h
+++ b/include/asm-generic/vmlinux.lds.h
@@ -540,15 +540,19 @@

#define INIT_TEXT \
*(.init.text) \
+ *(.text.startup) \
MEM_DISCARD(init.text)

#define EXIT_DATA \
*(.exit.data) \
+ *(.fini_array) \
+ *(.dtors) \
MEM_DISCARD(exit.data) \
MEM_DISCARD(exit.rodata)

#define EXIT_TEXT \
*(.exit.text) \
+ *(.text.exit) \
MEM_DISCARD(exit.text)

#define EXIT_CALL \

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:10 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: Tejun Heo <t...@kernel.org>

commit ea3a9645866e12d2b198434f03df3c3e96fb86ce upstream.

mem_cgroup_css_alloc() was returning NULL on failure while cgroup core
expected it to return an ERR_PTR value leading to the following NULL
deref after a css allocation failure. Fix it by return
ERR_PTR(-ENOMEM) instead. I'll also update cgroup core so that it
can handle NULL returns.

mkdir: page allocation failure: order:6, mode:0x240c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO)
CPU: 0 PID: 8738 Comm: mkdir Not tainted 4.7.0-rc3+ #123
...
Call Trace:
dump_stack+0x68/0xa1
warn_alloc_failed+0xd6/0x130
__alloc_pages_nodemask+0x4c6/0xf20
alloc_pages_current+0x66/0xe0
alloc_kmem_pages+0x14/0x80
kmalloc_order_trace+0x2a/0x1a0
__kmalloc+0x291/0x310
memcg_update_all_caches+0x6c/0x130
mem_cgroup_css_alloc+0x590/0x610
cgroup_apply_control_enable+0x18b/0x370
cgroup_mkdir+0x1de/0x2e0
kernfs_iop_mkdir+0x55/0x80
vfs_mkdir+0xb9/0x150
SyS_mkdir+0x66/0xd0
do_syscall_64+0x53/0x120
entry_SYSCALL64_slow_path+0x25/0x25
...
BUG: unable to handle kernel NULL pointer dereference at 00000000000000d0
IP: init_and_link_css+0x37/0x220
PGD 34b1e067 PUD 3a109067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in:
CPU: 0 PID: 8738 Comm: mkdir Not tainted 4.7.0-rc3+ #123
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.2-20160422_131301-anatol 04/01/2014
task: ffff88007cbc5200 ti: ffff8800666d4000 task.ti: ffff8800666d4000
RIP: 0010:[<ffffffff810f2ca7>] [<ffffffff810f2ca7>] init_and_link_css+0x37/0x220
RSP: 0018:ffff8800666d7d90 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffffffff810f2499 RSI: 0000000000000000 RDI: 0000000000000008
RBP: ffff8800666d7db8 R08: 0000000000000003 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffff88005a5fb400
R13: ffffffff81f0f8a0 R14: ffff88005a5fb400 R15: 0000000000000010
FS: 00007fc944689700(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f3aed0d2b80 CR3: 000000003a1e8000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
cgroup_apply_control_enable+0x1ac/0x370
cgroup_mkdir+0x1de/0x2e0
kernfs_iop_mkdir+0x55/0x80
vfs_mkdir+0xb9/0x150
SyS_mkdir+0x66/0xd0
do_syscall_64+0x53/0x120
entry_SYSCALL64_slow_path+0x25/0x25
Code: 89 f5 48 89 fb 49 89 d4 48 83 ec 08 8b 05 72 3b d8 00 85 c0 0f 85 60 01 00 00 4c 89 e7 e8 72 f7 ff ff 48 8d 7b 08 48 89 d9 31 c0 <48> c7 83 d0 00 00 00 00 00 00 00 48 83 e7 f8 48 29 f9 81 c1 d8
RIP init_and_link_css+0x37/0x220
RSP <ffff8800666d7d90>
CR2: 00000000000000d0
---[ end trace a2d8836ae1e852d1 ]---

Link: http://lkml.kernel.org/r/2016062116...@mtj.duckdns.org
Signed-off-by: Tejun Heo <t...@kernel.org>
Reported-by: Johannes Weiner <han...@cmpxchg.org>
Reviewed-by: Vladimir Davydov <vdav...@virtuozzo.com>
Acked-by: Johannes Weiner <han...@cmpxchg.org>
Acked-by: Michal Hocko <mho...@suse.com>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/memcontrol.c | 2 +-

1 file changed, 1 insertion(+), 1 deletion(-)

--- a/mm/memcontrol.c
+++ b/mm/memcontrol.c
@@ -4184,7 +4184,7 @@ mem_cgroup_css_alloc(struct cgroup_subsy
return &memcg->css;
fail:
mem_cgroup_free(memcg);
- return NULL;
+ return ERR_PTR(-ENOMEM);
}

static int

Greg Kroah-Hartman

unread,

Aug 8, 2016, 3:50:53 PM8/8/16

to

4.6-stable review patch. If anyone has any objections, please let me know.

------------------

From: David Rientjes <rien...@google.com>

commit a46cbf3bc53b6a93fb84a5ffb288c354fa807954 upstream.

It's possible to isolate some freepages in a pageblock and then fail
split_free_page() due to the low watermark check. In this case, we hit
VM_BUG_ON() because the freeing scanner terminated early without a
contended lock or enough freepages.

This should never have been a VM_BUG_ON() since it's not a fatal
condition. It should have been a VM_WARN_ON() at best, or even handled
gracefully.

Regardless, we need to terminate anytime the full pageblock scan was not
done. The logic belongs in isolate_freepages_block(), so handle its
state gracefully by terminating the pageblock loop and making a note to
restart at the same pageblock next time since it was not possible to
complete the scan this time.

[rien...@google.com: don't rescan pages in a pageblock]
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.1...@chino.kir.corp.google.com
Link: http://lkml.kernel.org/r/alpine.DEB.2.10.16...@chino.kir.corp.google.com
Signed-off-by: David Rientjes <rien...@google.com>
Reported-by: Minchan Kim <min...@kernel.org>
Tested-by: Minchan Kim <min...@kernel.org>
Cc: Joonsoo Kim <iamjoon...@lge.com>
Cc: Hugh Dickins <hu...@google.com>
Cc: Mel Gorman <mgo...@techsingularity.net>
Cc: Vlastimil Babka <vba...@suse.cz>

Signed-off-by: Andrew Morton <ak...@linux-foundation.org>
Signed-off-by: Linus Torvalds <torv...@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org>

---

mm/compaction.c | 36 ++++++++++++++----------------------
1 file changed, 14 insertions(+), 22 deletions(-)

--- a/mm/compaction.c
+++ b/mm/compaction.c
@@ -936,8 +936,6 @@ static void isolate_freepages(struct com
block_end_pfn = block_start_pfn,
block_start_pfn -= pageblock_nr_pages,
isolate_start_pfn = block_start_pfn) {
- unsigned long isolated;
-
/*
* This can iterate a massively long zone without finding any
* suitable migration targets, so periodically check if we need
@@ -961,36 +959,30 @@ static void isolate_freepages(struct com
continue;

/* Found a block suitable for isolating free pages from. */
- isolated = isolate_freepages_block(cc, &isolate_start_pfn,
- block_end_pfn, freelist, false);
- /* If isolation failed early, do not continue needlessly */
- if (!isolated && isolate_start_pfn < block_end_pfn &&
- cc->nr_migratepages > cc->nr_freepages)
- break;
+ isolate_freepages_block(cc, &isolate_start_pfn, block_end_pfn,
+ freelist, false);

/*
- * If we isolated enough freepages, or aborted due to async
- * compaction being contended, terminate the loop.
- * Remember where the free scanner should restart next time,
- * which is where isolate_freepages_block() left off.
- * But if it scanned the whole pageblock, isolate_start_pfn
- * now points at block_end_pfn, which is the start of the next
- * pageblock.
- * In that case we will however want to restart at the start
- * of the previous pageblock.
+ * If we isolated enough freepages, or aborted due to lock
+ * contention, terminate.
*/
if ((cc->nr_freepages >= cc->nr_migratepages)
|| cc->contended) {
- if (isolate_start_pfn >= block_end_pfn)
+ if (isolate_start_pfn >= block_end_pfn) {
+ /*
+ * Restart at previous pageblock if more
+ * freepages can be isolated next time.
+ */
isolate_start_pfn =
block_start_pfn - pageblock_nr_pages;
+ }
break;
- } else {
+ } else if (isolate_start_pfn < block_end_pfn) {
/*
- * isolate_freepages_block() should not terminate
- * prematurely unless contended, or isolated enough
+ * If isolation failed early, do not continue
+ * needlessly.
*/
- VM_BUG_ON(isolate_start_pfn < block_end_pfn);
+ break;
}
}

Guenter Roeck

unread,

Aug 9, 2016, 1:10:05 AM8/9/16

to

On 08/08/2016 12:10 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.6.6 release.
> There are 96 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Aug 10 18:02:27 UTC 2016.
> Anything received after that time might be too late.
>

Build results:
total: 148 pass: 146 fail: 2
Failed builds:
unicore32:defconfig
unicore32:allnoconfig

Qemu test results:
total: 107 pass: 103 fail: 4
Failed tests:
mips:malta_defconfig:nosmp
mips64:malta_defconfig:nosmp
mipsel:malta_defconfig:nosmp
mipsel64:malta_defconfig:nosmp

The unicore32 build error is still not fixed in mainline.

mips:

Building mips:malta_defconfig:nosmp ... failed
------------
Error log:
drivers/built-in.o: In function `gic_shared_irq_domain_map.isra.0':
irq-mips-gic.c:(.text+0x1d58): undefined reference to `smp_num_siblings'
irq-mips-gic.c:(.text+0x1d5c): undefined reference to `smp_num_siblings'
irq-mips-gic.c:(.text+0x1de0): undefined reference to `smp_num_siblings'
irq-mips-gic.c:(.text+0x1de8): undefined reference to `smp_num_siblings'

Only seen with non-SMP builds. Tricky one, required bisect.

# bad: [0353fa20cb40ea75a7e3b7293b533bde4fa013e9] Linux 4.6.6-rc1
# good: [bed4c611a3b80fae04d75b9f85fcaf174bac1b06] Linux 4.6.5
git bisect start 'HEAD' 'v4.6.5'
# good: [8d3b41c18cff2db7ccea71243b945a33610b8cb5] cgroup: remove redundant cleanup in css_create
git bisect good 8d3b41c18cff2db7ccea71243b945a33610b8cb583c9f9e994f5c963fc652a52befc120699dcc591
# good: [3a255979bc75ffcc263928045df4b5f46df8a8ca] sched/fair: Fix effective_load() to consistently use smoothed load
git bisect good 3a255979bc75ffcc263928045df4b5f46df8a8ca
# bad: [6eafb1f777de375b52c8a83d262da2885a28579a] posix_cpu_timer: Exit early when process has been reaped
git bisect bad 6eafb1f777de375b52c8a83d262da2885a28579a
# bad: [83c9f9e994f5c963fc652a52befc120699dcc591] irqchip/mips-gic: Map to VPs using HW VPNum
git bisect bad 83c9f9e994f5c963fc652a52befc120699dcc591
# good: [3a1e9944db1570f9b654b7a187f13898e5c59529] can: fix handling of unmodifiable configuration options fix
git bisect good 3a1e9944db1570f9b654b7a187f13898e5c59529
# good: [f06b9b8071ae6e383931795e2a459d6abc0bc7bd] RDS: fix rds_tcp_init() error path
git bisect good f06b9b8071ae6e383931795e2a459d6abc0bc7bd
# first bad commit: [83c9f9e994f5c963fc652a52befc120699dcc591] irqchip/mips-gic: Map to VPs using HW VPNum

Reverting 83c9f9e994f5c963fc652a52befc120699dcc591 fixes the problem.
Its description suggests that it fixes a real bug, though, so copying Paul for input.

Guenter

Greg Kroah-Hartman

unread,

Aug 9, 2016, 4:30:06 AM8/9/16

to

Thanks for the bisection and report.

Paul, any ideas? Why doesn't this also fail in 4.7?

thanks,

greg k-h

Paul Burton

unread,

Aug 9, 2016, 4:40:05 AM8/9/16

to

Hi Greg, Guenter,

The easiest way to fix this is likely to backport a60ae81e5e59 ("MIPS:
CM: Fix mips_cm_max_vp_width for UP kernels") which went into mainline
in the 4.7 cycle. Apologies for overlooking the need for that one in stable.

Thanks,
Paul

Greg Kroah-Hartman

unread,

Aug 9, 2016, 4:40:06 AM8/9/16

to

No problem, now added to the 4.6 queue, thanks.

greg k-h

Shuah Khan

unread,

Aug 9, 2016, 11:20:06 AM8/9/16

to

On 08/08/2016 01:10 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.6.6 release.
> There are 96 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed Aug 10 18:02:27 UTC 2016.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.6.6-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.6.y
> and the diffstat can be found below.
>

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah

--
Shuah Khan
Sr. Linux Kernel Developer
Open Source Innovation Group
Samsung Research America(Silicon Valley)
shua...@samsung.com

Guenter Roeck

unread,

Aug 9, 2016, 12:20:06 PM8/9/16

to

Can you push it into the -rc repository ? I see the patch in the queue,
but not in the repository.

Thanks,
Guenter

Greg Kroah-Hartman

unread,

Aug 9, 2016, 1:30:15 PM8/9/16

to

On Tue, Aug 09, 2016 at 09:10:58AM -0600, Shuah Khan wrote:
> On 08/08/2016 01:10 PM, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 4.6.6 release.
> > There are 96 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Wed Aug 10 18:02:27 UTC 2016.
> > Anything received after that time might be too late.
> >
> > The whole patch series can be found in one patch at:
> > kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.6.6-rc1.gz
> > or in the git tree and branch at:
> > git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.6.y
> > and the diffstat can be found below.
> >
>
> Compiled and booted on my test system. No dmesg regressions.

thanks for testing all of these and letting me know.

greg k-h

Greg Kroah-Hartman

unread,

Aug 9, 2016, 1:30:15 PM8/9/16

to

Sorry about that, now regenerated.

greg k-h

Guenter Roeck

unread,

Aug 9, 2016, 9:30:06 PM8/9/16

to

On Tue, Aug 09, 2016 at 07:22:21PM +0200, Greg Kroah-Hartman wrote:
> > Can you push it into the -rc repository ? I see the patch in the queue,
> > but not in the repository.
>
> Sorry about that, now regenerated.
>

All but the unicore32 build problems are now fixed.

Guenter

Ben Hutchings

unread,

Aug 14, 2016, 6:40:27 AM8/14/16

to

3.2.82-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Dmitry Torokhov <dmitry....@gmail.com>

commit 226ba707744a51acb4244724e09caacb1d96aed9 upstream.

The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and
according to Elan both 11 and 12 are valid IC types and should be
identified as hw_version 4.

Reported-by: Patrick Lessard <Patrick...@cogeco.com>
Tested-by: Patrick Lessard <Patrick...@cogeco.com>
Signed-off-by: Dmitry Torokhov <dmitry....@gmail.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>

---
drivers/input/mouse/elantech.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)

--- a/drivers/input/mouse/elantech.c
+++ b/drivers/input/mouse/elantech.c

@@ -1284,13 +1284,7 @@ static int elantech_set_properties(struc

Ben Hutchings

unread,

Aug 14, 2016, 7:00:05 AM8/14/16

to

3.16.37-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Michal Suchanek <hram...@gmail.com>

commit 719bd6542044efd9b338a53dba1bef45f40ca169 upstream.

The trasfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over
1MHz SPI bus takes way longer than that. Calculate the timeout from the
actual time the transfer is supposed to take and multiply by 2 for good
measure.

Signed-off-by: Michal Suchanek <hram...@gmail.com>
Acked-by: Maxime Ripard <maxime...@free-electrons.com>
Signed-off-by: Mark Brown <bro...@kernel.org>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

drivers/spi/spi-sun4i.c | 10 +++++++++-
drivers/spi/spi-sun6i.c | 10 +++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)

--- a/drivers/spi/spi-sun4i.c
+++ b/drivers/spi/spi-sun4i.c
@@ -170,6 +170,7 @@ static int sun4i_spi_transfer_one(struct
{
struct sun4i_spi *sspi = spi_master_get_devdata(master);
unsigned int mclk_rate, div, timeout;
+ unsigned int start, end, tx_time;
unsigned int tx_len = 0;
int ret = 0;
u32 reg;
@@ -286,9 +287,16 @@ static int sun4i_spi_transfer_one(struct
reg = sun4i_spi_read(sspi, SUN4I_CTL_REG);
sun4i_spi_write(sspi, SUN4I_CTL_REG, reg | SUN4I_CTL_XCH);

+ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+ start = jiffies;
timeout = wait_for_completion_timeout(&sspi->done,
- msecs_to_jiffies(1000));
+ msecs_to_jiffies(tx_time));
+ end = jiffies;
if (!timeout) {
+ dev_warn(&master->dev,
+ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+ dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+ jiffies_to_msecs(end - start), tx_time);
ret = -ETIMEDOUT;
goto out;
}
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -160,6 +160,7 @@ static int sun6i_spi_transfer_one(struct
{
struct sun6i_spi *sspi = spi_master_get_devdata(master);
unsigned int mclk_rate, div, timeout;
+ unsigned int start, end, tx_time;
unsigned int tx_len = 0;
int ret = 0;
u32 reg;
@@ -269,9 +270,16 @@ static int sun6i_spi_transfer_one(struct
reg = sun6i_spi_read(sspi, SUN6I_TFR_CTL_REG);
sun6i_spi_write(sspi, SUN6I_TFR_CTL_REG, reg | SUN6I_TFR_CTL_XCH);

+ tx_time = max(tfr->len * 8 * 2 / (tfr->speed_hz / 1000), 100U);
+ start = jiffies;
timeout = wait_for_completion_timeout(&sspi->done,
- msecs_to_jiffies(1000));
+ msecs_to_jiffies(tx_time));
+ end = jiffies;
if (!timeout) {
+ dev_warn(&master->dev,
+ "%s: timeout transferring %u bytes@%iHz for %i(%i)ms",
+ dev_name(&spi->dev), tfr->len, tfr->speed_hz,
+ jiffies_to_msecs(end - start), tx_time);
ret = -ETIMEDOUT;
goto out;
}

Ben Hutchings

unread,

Aug 14, 2016, 7:10:08 AM8/14/16

to

3.16.37-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Omar Sandoval <osa...@fb.com>

commit 8ba8682107ee2ca3347354e018865d8e1967c5f4 upstream.

get_task_ioprio() accesses the task->io_context without holding the task
lock and thus can race with exit_io_context(), leading to a
use-after-free. The reproducer below hits this within a few seconds on
my 4-core QEMU VM:

#define _GNU_SOURCE
#include <assert.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>

int main(int argc, char **argv)
{
pid_t pid, child;
long nproc, i;

/* ioprio_set(IOPRIO_WHO_PROCESS, 0, IOPRIO_PRIO_VALUE(IOPRIO_CLASS_IDLE, 0)); */
syscall(SYS_ioprio_set, 1, 0, 0x6000);

nproc = sysconf(_SC_NPROCESSORS_ONLN);

for (i = 0; i < nproc; i++) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
pid = fork();
assert(pid != -1);
if (pid == 0) {
_exit(0);
} else {
child = wait(NULL);
assert(child == pid);
}
}
}

pid = fork();
assert(pid != -1);
if (pid == 0) {
for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}
}
}

for (;;) {
/* ioprio_get(IOPRIO_WHO_PGRP, 0); */
syscall(SYS_ioprio_get, 2, 0);
}

return 0;
}

This gets us KASAN dumps like this:

[ 35.526914] ==================================================================
[ 35.530009] BUG: KASAN: out-of-bounds in get_task_ioprio+0x7b/0x90 at addr ffff880066f34e6c
[ 35.530009] Read of size 2 by task ioprio-gpf/363
[ 35.530009] =============================================================================
[ 35.530009] BUG blkdev_ioc (Not tainted): kasan: bad access detected
[ 35.530009] -----------------------------------------------------------------------------

[ 35.530009] Disabling lock debugging due to kernel taint
[ 35.530009] INFO: Allocated in create_task_io_context+0x2b/0x370 age=0 cpu=0 pid=360
[ 35.530009] ___slab_alloc+0x55d/0x5a0
[ 35.530009] __slab_alloc.isra.20+0x2b/0x40
[ 35.530009] kmem_cache_alloc_node+0x84/0x200
[ 35.530009] create_task_io_context+0x2b/0x370
[ 35.530009] get_task_io_context+0x92/0xb0
[ 35.530009] copy_process.part.8+0x5029/0x5660
[ 35.530009] _do_fork+0x155/0x7e0
[ 35.530009] SyS_clone+0x19/0x20
[ 35.530009] do_syscall_64+0x195/0x3a0
[ 35.530009] return_from_SYSCALL_64+0x0/0x6a
[ 35.530009] INFO: Freed in put_io_context+0xe7/0x120 age=0 cpu=0 pid=1060
[ 35.530009] __slab_free+0x27b/0x3d0
[ 35.530009] kmem_cache_free+0x1fb/0x220
[ 35.530009] put_io_context+0xe7/0x120
[ 35.530009] put_io_context_active+0x238/0x380
[ 35.530009] exit_io_context+0x66/0x80
[ 35.530009] do_exit+0x158e/0x2b90
[ 35.530009] do_group_exit+0xe5/0x2b0
[ 35.530009] SyS_exit_group+0x1d/0x20
[ 35.530009] entry_SYSCALL_64_fastpath+0x1a/0xa4
[ 35.530009] INFO: Slab 0xffffea00019bcd00 objects=20 used=4 fp=0xffff880066f34ff0 flags=0x1fffe0000004080
[ 35.530009] INFO: Object 0xffff880066f34e58 @offset=3672 fp=0x0000000000000001
[ 35.530009] ==================================================================

Fix it by grabbing the task lock while we poke at the io_context.

Reported-by: Dmitry Vyukov <dvy...@google.com>
Signed-off-by: Omar Sandoval <osa...@fb.com>
Signed-off-by: Jens Axboe <ax...@fb.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

block/ioprio.c | 2 ++
1 file changed, 2 insertions(+)

--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -149,8 +149,10 @@ static int get_task_ioprio(struct task_s
if (ret)
goto out;
ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+ task_lock(p);
if (p->io_context)
ret = p->io_context->ioprio;
+ task_unlock(p);
out:
return ret;
}

Ben Hutchings

unread,

Aug 14, 2016, 7:16:03 AM8/14/16

to

3.16.37-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Alexey Brodkin <Alexey....@synopsys.com>

commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.

If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
gets called following message gets printed in debug console:
----------------->8---------------
CONFIG_ARC_DW2_UNWIND needs to be enabled
----------------->8---------------

That message makes sense if user indeed wants to see a backtrace or
get nice function call-graphs in perf but what if user disabled
unwinder for the purpose? Why pollute his debug console?

So instead we'll warn user about possibly missing feature once and
let him decide if that was what he or she really wanted.

Signed-off-by: Alexey Brodkin <abro...@synopsys.com>
Signed-off-by: Vineet Gupta <vgu...@synopsys.com>

Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---

arch/arc/kernel/stacktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c

@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk,

Jiri Slaby

unread,

Aug 19, 2016, 3:30:06 AM8/19/16

to

From: Alexey Brodkin <Alexey....@synopsys.com>

3.12-stable review patch. If anyone has any objections, please let me know.

===============

commit 9bd54517ee86cb164c734f72ea95aeba4804f10b upstream.

If CONFIG_ARC_DW2_UNWIND is disabled every time arc_unwind_core()
gets called following message gets printed in debug console:
----------------->8---------------
CONFIG_ARC_DW2_UNWIND needs to be enabled
----------------->8---------------

That message makes sense if user indeed wants to see a backtrace or
get nice function call-graphs in perf but what if user disabled
unwinder for the purpose? Why pollute his debug console?

So instead we'll warn user about possibly missing feature once and
let him decide if that was what he or she really wanted.

Signed-off-by: Alexey Brodkin <abro...@synopsys.com>
Signed-off-by: Vineet Gupta <vgu...@synopsys.com>

Signed-off-by: Jiri Slaby <jsl...@suse.cz>

---
arch/arc/kernel/stacktrace.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arc/kernel/stacktrace.c b/arch/arc/kernel/stacktrace.c
index 9c9e1d3ec5fe..0ebb921e8786 100644
--- a/arch/arc/kernel/stacktrace.c
+++ b/arch/arc/kernel/stacktrace.c
@@ -131,7 +131,7 @@ arc_unwind_core(struct task_struct *tsk, struct pt_regs *regs,

* prelogue is setup (callee regs saved and then fp set and not other
* way around
*/
- pr_warn("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
+ pr_warn_once("CONFIG_ARC_DW2_UNWIND needs to be enabled\n");
return 0;

#endif

--
2.9.3

[PATCH 4.6 13/96] fs/nilfs2: fix potential underflow in call to crc32_le

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Greg Kroah-Hartman

Guenter Roeck

Greg Kroah-Hartman

Paul Burton

Greg Kroah-Hartman

Shuah Khan

Guenter Roeck

Greg Kroah-Hartman

Greg Kroah-Hartman

Guenter Roeck

Ben Hutchings

Ben Hutchings

Ben Hutchings

Ben Hutchings

Jiri Slaby