commit 55d64c0b3c15cb5fb4d5a5bdebde9522e4ed52ff Author: Greg Kroah-Hartman Date: Thu Dec 8 07:16:36 2016 +0100 Linux 4.8.13 commit a4edb1a2b04597df75558d9fa6dbab7b28254895 Author: James Morse Date: Tue Oct 18 11:27:48 2016 +0100 arm64: suspend: Reconfigure PSTATE after resume from idle commit d08544127d9fb4505635e3cb6871fd50a42947bd upstream. The suspend/resume path in kernel/sleep.S, as used by cpu-idle, does not save/restore PSTATE. As a result of this cpufeatures that were detected and have bits in PSTATE get lost when we resume from idle. UAO gets set appropriately on the next context switch. PAN will be re-enabled next time we return from user-space, but on a preemptible kernel we may run work accessing user space before this point. Add code to re-enable theses two features in __cpu_suspend_exit(). We re-use uao_thread_switch() passing current. Signed-off-by: James Morse Cc: Lorenzo Pieralisi Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 6353400d91305273452dbe0d26a1dfd3c975ae91 Author: James Morse Date: Tue Oct 18 11:27:47 2016 +0100 arm64: mm: Set PSTATE.PAN from the cpu_enable_pan() call commit 7209c868600bd8926e37c10b9aae83124ccc1dd8 upstream. Commit 338d4f49d6f7 ("arm64: kernel: Add support for Privileged Access Never") enabled PAN by enabling the 'SPAN' feature-bit in SCTLR_EL1. This means the PSTATE.PAN bit won't be set until the next return to the kernel from userspace. On a preemptible kernel we may schedule work that accesses userspace on a CPU before it has done this. Now that cpufeature enable() calls are scheduled via stop_machine(), we can set PSTATE.PAN from the cpu_enable_pan() call. Add WARN_ON_ONCE(in_interrupt()) to check the PSTATE value we updated is not immediately discarded. Reported-by: Tony Thompson Reported-by: Vladimir Murzin Signed-off-by: James Morse [will: fixed typo in comment] Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit b49b1ae6d341f2a0940413338d3c2351c27a7537 Author: James Morse Date: Tue Oct 18 11:27:46 2016 +0100 arm64: cpufeature: Schedule enable() calls instead of calling them via IPI commit 2a6dcb2b5f3e21592ca8dfa198dcce7bec09b020 upstream. The enable() call for a cpufeature/errata is called using on_each_cpu(). This issues a cross-call IPI to get the work done. Implicitly, this stashes the running PSTATE in SPSR when the CPU receives the IPI, and restores it when we return. This means an enable() call can never modify PSTATE. To allow PAN to do this, change the on_each_cpu() call to use stop_machine(). This schedules the work on each CPU which allows us to modify PSTATE. This involves changing the protype of all the enable() functions. enable_cpu_capabilities() is called during boot and enables the feature on all online CPUs. This path now uses stop_machine(). CPU features for hotplug'd CPUs are enabled by verify_local_cpu_features() which only acts on the local CPU, and can already modify the running PSTATE as it is called from secondary_start_kernel(). Reported-by: Tony Thompson Reported-by: Vladimir Murzin Signed-off-by: James Morse Cc: Suzuki K Poulose Signed-off-by: Will Deacon [Removed enable() hunks for A53 workaround] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit e4e77deda20081cdd9b5217dc41b6d00356bf15f Author: Sven Eckelmann Date: Sat Oct 29 09:18:43 2016 +0200 batman-adv: Detect missing primaryif during tp_send as error commit e13258f38e927b61cdb5f4ad25309450d3b127d1 upstream. The throughput meter detects different situations as problems for the current test. It stops the test after these and reports it to userspace. This also has to be done when the primary interface disappeared during the test. Fixes: 33a3bb4a3345 ("batman-adv: throughput meter implementation") Reported-by: Joe Perches Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit f106de5604ddb831df2a1a8f7e4b564a74514d66 Author: Stéphan Rafin Date: Fri Nov 4 00:53:56 2016 +0100 clk: sunxi: Fix M factor computation for APB1 commit ac95330b96376550ae7a533d1396272d675adfa2 upstream. commit cfa636886033 ("clk: sunxi: factors: Consolidate get_factors parameters into a struct") introduced a regression for m factor computation in sun4i_get_apb1_factors function. The old code reassigned the "parent_rate" parameter to the targeted divisor value and was buggy for the returned frequency but not for the computed factors. Now, returned frequency is good but m factor is incorrectly computed (its max value 31 is always set resulting in a significantly slower frequency than the requested one...) This patch simply restores the original proper computation for m while keeping the good changes for returned rate. Fixes: cfa636886033 ("clk: sunxi: factors: Consolidate get_factors parameters into a struct") Signed-off-by: Stéphan Rafin Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman commit 9e2d9e95094a9326b140ac8bd173f3dc07a26c12 Author: Johannes Weiner Date: Tue Nov 22 10:57:42 2016 +0100 perf/x86: Restore TASK_SIZE check on frame pointer commit ae31fe51a3cceaa0cabdb3058f69669ecb47f12e upstream. The following commit: 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses") ... switched from copy_from_user_nmi() to __copy_from_user_nmi() with a manual access_ok() check. Unfortunately, copy_from_user_nmi() does an explicit check against TASK_SIZE, whereas the access_ok() uses whatever the current address limit of the task is. We are getting NMIs when __probe_kernel_read() has switched to KERNEL_DS, and then see vmalloc faults when we access what looks like pointers into vmalloc space: [] WARNING: CPU: 3 PID: 3685731 at arch/x86/mm/fault.c:435 vmalloc_fault+0x289/0x290 [] CPU: 3 PID: 3685731 Comm: sh Tainted: G W 4.6.0-5_fbk1_223_gdbf0f40 #1 [] Call Trace: [] [] dump_stack+0x4d/0x6c [] [] __warn+0xd3/0xf0 [] [] warn_slowpath_null+0x1d/0x20 [] [] vmalloc_fault+0x289/0x290 [] [] __do_page_fault+0x330/0x490 [] [] do_page_fault+0xc/0x10 [] [] page_fault+0x22/0x30 [] [] ? perf_callchain_user+0x100/0x2a0 [] [] get_perf_callchain+0x17f/0x190 [] [] perf_callchain+0x67/0x80 [] [] perf_prepare_sample+0x2a0/0x370 [] [] perf_event_output+0x20/0x60 [] [] ? perf_event_update_userpage+0xc7/0x130 [] [] __perf_event_overflow+0x181/0x1d0 [] [] perf_event_overflow+0x14/0x20 [] [] intel_pmu_handle_irq+0x1d3/0x490 [] [] ? copy_user_enhanced_fast_string+0x7/0x10 [] [] ? vunmap_page_range+0x1a1/0x2f0 [] [] ? unmap_kernel_range_noflush+0x11/0x20 [] [] ? ghes_copy_tofrom_phys+0x116/0x1f0 [] [] ? x2apic_send_IPI_self+0x1d/0x20 [] [] perf_event_nmi_handler+0x2d/0x50 [] [] nmi_handle+0x61/0x110 [] [] default_do_nmi+0x44/0x110 [] [] do_nmi+0xdb/0x150 [] [] end_repeat_nmi+0x1a/0x1e [] [] ? copy_user_enhanced_fast_string+0x7/0x10 [] [] ? copy_user_enhanced_fast_string+0x7/0x10 [] [] ? copy_user_enhanced_fast_string+0x7/0x10 [] <> [] ? __probe_kernel_read+0x3e/0xa0 Fix this by moving the valid_user_frame() check to before the uaccess that loads the return address and the pointer to the next frame. Signed-off-by: Johannes Weiner Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Cc: linux-kernel@vger.kernel.org Fixes: 75925e1ad7f5 ("perf/x86: Optimize stack walk user accesses") Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ab34b429a01f608488016ce207ab7dda1fcdcfe3 Author: Matthias Brugger Date: Fri Nov 18 11:06:10 2016 +0100 drm/mediatek: fix null pointer dereference commit 5ad45307d990020b25a8f7486178b6e033790f70 upstream. The probe function requests the interrupt before initializing the ddp component. Which leads to a null pointer dereference at boot. Fix this by requesting the interrput after all components got initialized properly. Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") Signed-off-by: Matthias Brugger Signed-off-by: Greg Kroah-Hartman Change-Id: I57193a7ab554dfb37c35a455900689333adf511c commit 43b5bb262711e0e81ea348072a01ef1744b157ca Author: Johan Hovold Date: Tue Nov 1 11:46:39 2016 +0100 pwm: Fix device reference leak commit 0e1614ac84f1719d87bed577963bb8140d0c9ce8 upstream. Make sure to drop the reference to the parent device taken by class_find_device() after "unexporting" any children when deregistering a PWM chip. Fixes: 0733424c9ba9 ("pwm: Unexport children before chip removal") Signed-off-by: Johan Hovold Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 6c69476139799ccf8d3e76edfc892c64ced80bc4 Author: Dan Carpenter Date: Wed Nov 30 22:21:05 2016 +0300 KVM: use after free in kvm_ioctl_create_device() commit a0f1d21c1ccb1da66629627a74059dd7f5ac9c61 upstream. We should move the ops->destroy(dev) after the list_del(&dev->vm_node) so that we don't use "dev" after freeing it. Fixes: a28ebea2adc4 ("KVM: Protect device ops->create and list_add with kvm->lock") Signed-off-by: Dan Carpenter Reviewed-by: David Hildenbrand Signed-off-by: Radim Krčmář Signed-off-by: Greg Kroah-Hartman commit ff8b06b4efa608c9d4d78f32df5ec7af8fcc9f0e Author: Sudeep Holla Date: Wed Nov 16 17:31:31 2016 +0000 arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions commit 909e481e2467f202b97d42beef246e8829416a85 upstream. The core and the cluster sleep state entry latencies can't be same as cluster sleep involves more work compared to core level e.g. shared cache maintenance. Experiments have shown on an average about 100us more latency for the cluster sleep state compared to the core level sleep. This patch fixes the entry latency for the cluster sleep state. Fixes: 28e10a8f3a03 ("arm64: dts: juno: Add idle-states to device tree") Cc: Lorenzo Pieralisi Cc: "Jon Medhurst (Tixy)" Reviewed-by: Liviu Dudau Signed-off-by: Sudeep Holla Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit f67b89acdfa14ce83c8101e52f239b31910e8d83 Author: Alex Deucher Date: Mon Nov 28 17:23:40 2016 -0500 drm/radeon: fix check for port PM availability commit bcfdd5d5105087e6f33dfeb08a1ca6b2c0287b61 upstream. The ATPX method does not always exist on the dGPU, it may be located at the iGPU. The parent device of the iGPU is the root port for which bridge_d3 is false. This accidentally enables the legacy PM method which conflicts with port PM and prevented the dGPU from powering on. Ported from amdgpu commit: drm/amdgpu: fix check for port PM availability from Peter Wu. Fixes: d3ac31f3b4bf9fad (drm/radeon: fix power state when port pm is unavailable (v2)) Signed-off-by: Alex Deucher Cc: Peter Wu Signed-off-by: Greg Kroah-Hartman commit 835bb5cd36539d8a5f44a49d32f5e835c6c3f03b Author: Peter Wu Date: Sat Nov 26 15:05:01 2016 +0100 drm/amdgpu: fix check for port PM availability commit 7ac33e47d5769632010e537964c7e45498f8dc26 upstream. The ATPX method does not always exist on the dGPU, it may be located at the iGPU. The parent device of the iGPU is the root port for which bridge_d3 is false. This accidentally enables the legacy PM method which conflicts with port PM and prevented the dGPU from powering on. Fixes: 1db4496f167b ("drm/amdgpu: fix power state when port pm is unavailable") Reported-and-tested-by: Mike Lothian Signed-off-by: Peter Wu Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit 972d595824b65485db7e6a0da5767019b7a50797 Author: Peter Wu Date: Wed Nov 23 02:22:25 2016 +0100 drm/radeon: fix power state when port pm is unavailable (v2) commit d3ac31f3b4bf9fade93d69770cb9c34912e017be upstream. When PCIe port PM is not enabled (system BIOS is pre-2015 or the pcie_port_pm=off parameter is set), legacy ATPX PM should still be marked as supported. Otherwise the GPU can fail to power on after runtime suspend. This affected a Dell Inspiron 5548. Ideally the BIOS date in the PCI core is lowered to 2013 (the first year where hybrid graphics platforms using power resources was introduced), but that seems more risky at this point and would not solve the pcie_port_pm=off issue. v2: agd: fix typo Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98505 Signed-off-by: Peter Wu Signed-off-by: Alex Deucher Reviewed-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit be1b75edf20b721c5439c2378b0a7c779880205e Author: Peter Wu Date: Wed Nov 23 02:22:24 2016 +0100 drm/amdgpu: fix power state when port pm is unavailable commit 1db4496f167bcc7c6541d449355ade2e7d339d52 upstream. When PCIe port PM is not enabled (system BIOS is pre-2015 or the pcie_port_pm=off parameter is set), legacy ATPX PM should still be marked as supported. Otherwise the GPU can fail to power on after runtime suspend. This affected a Dell Inspiron 5548. Ideally the BIOS date in the PCI core is lowered to 2013 (the first year where hybrid graphics platforms using power resources was introduced), but that seems more risky at this point and would not solve the pcie_port_pm=off issue. Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98505 Reported-and-tested-by: Nayan Deshmukh Signed-off-by: Peter Wu Signed-off-by: Alex Deucher Acked-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit bd78c077f8fecf9f4dd86e8fde918dbd9c1bf8ce Author: Matthew Auld Date: Mon Nov 28 10:36:48 2016 +0000 drm/i915: drop the struct_mutex when wedged or trying to reset commit e411072d5740a49cdc9d0713798c30440757e451 upstream. We grab the struct_mutex in intel_crtc_page_flip, but if we are wedged or a reset is in progress we bail early but never seem to actually release the lock. Fixes: 7f1847ebf48b ("drm/i915: Simplify checking of GPU reset_counter in display pageflips") Cc: Chris Wilson Signed-off-by: Matthew Auld Link: http://patchwork.freedesktop.org/patch/msgid/20161128103648.9235-1-matthew.auld@intel.com Reviewed-by: Joonas Lahtinen Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson (cherry picked from commit ddbb271aea87fc6004d3c8bcdb0710e980c7ec85) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5dd86b6e587387b71f01690777d49ae6b240e00a Author: Chris Wilson Date: Mon Nov 14 11:29:30 2016 +0000 drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error commit 2420489bcb8910188578acc0c11c75445c2e4b92 upstream. On the DMA mapping error path, sg may be NULL (it has already been marked as the last scatterlist entry), and we should avoid dereferencing it again. Reported-by: Dan Carpenter Fixes: e227330223a7 ("drm/i915: avoid leaking DMA mappings") Signed-off-by: Chris Wilson Cc: Imre Deak Link: http://patchwork.freedesktop.org/patch/msgid/20161114112930.2033-1-chris@chris-wilson.co.uk Reviewed-by: Matthew Auld (cherry picked from commit b17993b7b29612369270567643bcff814f4b3d7f) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 05abe7452b71c5c30f5f46a9d3f7f73a32671f3e Author: Marc Zyngier Date: Wed Nov 23 10:11:21 2016 +0000 KVM: arm/arm64: vgic: Don't notify EOI for non-SPIs commit 8ca18eec2b2276b449c1dc86b98bf083c5fe4e09 upstream. When we inject a level triggerered interrupt (and unless it is backed by the physical distributor - timer style), we request a maintenance interrupt. Part of the processing for that interrupt is to feed to the rest of KVM (and to the eventfd subsystem) the information that the interrupt has been EOIed. But that notification only makes sense for SPIs, and not PPIs (such as the PMU interrupt). Skip over the notification if the interrupt is not an SPI. Fixes: 140b086dd197 ("KVM: arm/arm64: vgic-new: Add GICv2 world switch backend") Fixes: 59529f69f504 ("KVM: arm/arm64: vgic-new: Add GICv3 world switch backend") Reported-by: Catalin Marinas Tested-by: Catalin Marinas Acked-by: Christoffer Dall Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit ca42bd35d3084fd832cb31152b11d2f7e17aa51a Author: Brian Norris Date: Tue Nov 8 18:28:24 2016 -0800 mwifiex: printk() overflow with 32-byte SSIDs commit fcd2042e8d36cf644bd2d69c26378d17158b17df upstream. SSIDs aren't guaranteed to be 0-terminated. Let's cap the max length when we print them out. This can be easily noticed by connecting to a network with a 32-octet SSID: [ 3903.502925] mwifiex_pcie 0000:01:00.0: info: trying to associate to '0123456789abcdef0123456789abcdef ' bssid xx:xx:xx:xx:xx:xx Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Brian Norris Acked-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit de9ba13ebfdbb79330ea7688063b0168de2cfd1d Author: Johannes Thumshirn Date: Wed Nov 23 10:56:28 2016 -0600 PCI: Set Read Completion Boundary to 128 iff Root Port supports it (_HPX) commit e42010d8207f9d15a605ceb8e321bcd9648071b0 upstream. Per PCIe spec r3.0, sec 2.3.1.1, the Read Completion Boundary (RCB) determines the naturally aligned address boundaries on which a Read Request may be serviced with multiple Completions: - For a Root Complex, RCB is 64 bytes or 128 bytes This value is reported in the Link Control Register Note: Bridges and Endpoints may implement a corresponding command bit which may be set by system software to indicate the RCB value for the Root Complex, allowing the Bridge/Endpoint to optimize its behavior when the Root Complex’s RCB is 128 bytes. - For all other system elements, RCB is 128 bytes Per sec 7.8.7, if a Root Port only supports a 64-byte RCB, the RCB of all downstream devices must be clear, indicating an RCB of 64 bytes. If the Root Port supports a 128-byte RCB, we may optionally set the RCB of downstream devices so they know they can generate larger Completions. Some BIOSes supply an _HPX that tells us to set RCB, even though the Root Port doesn't have RCB set, which may lead to Malformed TLP errors if the Endpoint generates completions larger than the Root Port can handle. The IBM x3850 X6 with BIOS version -[A8E120CUS-1.30]- 08/22/2016 supplies such an _HPX and a Mellanox MT27500 ConnectX-3 device fails to initialize: mlx4_core 0000:41:00.0: command 0xfff timed out (go bit not cleared) mlx4_core 0000:41:00.0: device is going to be reset mlx4_core 0000:41:00.0: Failed to obtain HW semaphore, aborting mlx4_core 0000:41:00.0: Fail to reset HCA ------------[ cut here ]------------ kernel BUG at drivers/net/ethernet/mellanox/mlx4/catas.c:193! After 6cd33649fa83 ("PCI: Add pci_configure_device() during enumeration") and 7a1562d4f2d0 ("PCI: Apply _HPX Link Control settings to all devices with a link"), we apply _HPX settings to *all* devices, not just those hot-added after boot. Before 7a1562d4f2d0, we didn't touch the Mellanox RCB, and the device worked. After 7a1562d4f2d0, we set its RCB to 128, and it failed. Set the RCB to 128 iff the Root Port supports a 128-byte RCB. Otherwise, set RCB to 64 bytes. This effectively ignores what _HPX tells us about RCB. Note that this change only affects _HPX handling. If we have no _HPX, this does nothing with RCB. [bhelgaas: changelog, clear RCB if not set for Root Port] Fixes: 6cd33649fa83 ("PCI: Add pci_configure_device() during enumeration") Fixes: 7a1562d4f2d0 ("PCI: Apply _HPX Link Control settings to all devices with a link") Link: https://bugzilla.kernel.org/show_bug.cgi?id=187781 Tested-by: Frank Danapfel Signed-off-by: Johannes Thumshirn Signed-off-by: Bjorn Helgaas Acked-by: Myron Stowe Signed-off-by: Greg Kroah-Hartman commit 4f4857148b4ae50b2936b0aed991fd18e8c3ba44 Author: Johannes Thumshirn Date: Wed Nov 2 16:35:51 2016 -0600 PCI: Export pcie_find_root_port commit e784930bd645e7df78c66e7872fec282b0620075 upstream. Export pcie_find_root_port() so we can use it outside of PCIe-AER error injection. Signed-off-by: Johannes Thumshirn Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 27dce9bcad4df5a26bb89c21c353b667a32a8972 Author: Michal Hocko Date: Fri Dec 2 17:26:45 2016 -0800 mm: workingset: fix NULL ptr in count_shadow_nodes commit 20ab67a563f5299c09a234164c372aba5a59add8 upstream. Commit 0a6b76dd23fa ("mm: workingset: make shadow node shrinker memcg aware") has made the workingset shadow nodes shrinker memcg aware. The implementation is not correct though because memcg_kmem_enabled() might become true while we are doing a global reclaim when the sc->memcg might be NULL which is exactly what Marek has seen: BUG: unable to handle kernel NULL pointer dereference at 0000000000000400 IP: [] mem_cgroup_node_nr_lru_pages+0x20/0x40 PGD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 60 Comm: kswapd0 Tainted: G O 4.8.10-12.pvops.qubes.x86_64 #1 task: ffff880011863b00 task.stack: ffff880011868000 RIP: mem_cgroup_node_nr_lru_pages+0x20/0x40 RSP: e02b:ffff88001186bc70 EFLAGS: 00010293 RAX: 0000000000000000 RBX: ffff88001186bd20 RCX: 0000000000000002 RDX: 000000000000000c RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffff88001186bc70 R08: 28f5c28f5c28f5c3 R09: 0000000000000000 R10: 0000000000006c34 R11: 0000000000000333 R12: 00000000000001f6 R13: ffffffff81c6f6a0 R14: 0000000000000000 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff880013c00000(0000) knlGS:ffff880013d00000 CS: e033 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000400 CR3: 00000000122f2000 CR4: 0000000000042660 Call Trace: count_shadow_nodes+0x9a/0xa0 shrink_slab.part.42+0x119/0x3e0 shrink_node+0x22c/0x320 kswapd+0x32c/0x700 kthread+0xd8/0xf0 ret_from_fork+0x1f/0x40 Code: 66 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 3b 35 dd eb b1 00 55 48 89 e5 73 2c 89 d2 31 c9 31 c0 4c 63 ce 48 0f a3 ca 73 13 <4a> 8b b4 cf 00 04 00 00 41 89 c8 4a 03 84 c6 80 00 00 00 83 c1 RIP mem_cgroup_node_nr_lru_pages+0x20/0x40 RSP CR2: 0000000000000400 ---[ end trace 100494b9edbdfc4d ]--- This patch fixes the issue by checking sc->memcg rather than memcg_kmem_enabled() which is sufficient because shrink_slab makes sure that only memcg aware shrinkers will get non-NULL memcgs and only if memcg_kmem_enabled is true. Fixes: 0a6b76dd23fa ("mm: workingset: make shadow node shrinker memcg aware") Link: http://lkml.kernel.org/r/20161201132156.21450-1-mhocko@kernel.org Signed-off-by: Michal Hocko Reported-by: Marek Marczykowski-Górecki Tested-by: Marek Marczykowski-Górecki Acked-by: Vladimir Davydov Acked-by: Johannes Weiner Acked-by: Balbir Singh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 60e33689a06e9d39fba8a43adf4e4d912000601a Author: Ding Tianhong Date: Wed Jun 15 15:27:36 2016 +0800 rcu: Fix soft lockup for rcu_nocb_kthread commit bedc1969150d480c462cdac320fa944b694a7162 upstream. Carrying out the following steps results in a softlockup in the RCU callback-offload (rcuo) kthreads: 1. Connect to ixgbevf, and set the speed to 10Gb/s. 2. Use ifconfig to bring the nic up and down repeatedly. [ 317.005148] IPv6: ADDRCONF(NETDEV_CHANGE): eth2: link becomes ready [ 368.106005] BUG: soft lockup - CPU#1 stuck for 22s! [rcuos/1:15] [ 368.106005] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 [ 368.106005] task: ffff88057dd8a220 ti: ffff88057dd9c000 task.ti: ffff88057dd9c000 [ 368.106005] RIP: 0010:[] [] fib_table_lookup+0x14/0x390 [ 368.106005] RSP: 0018:ffff88061fc83ce8 EFLAGS: 00000286 [ 368.106005] RAX: 0000000000000001 RBX: 00000000020155c0 RCX: 0000000000000001 [ 368.106005] RDX: ffff88061fc83d50 RSI: ffff88061fc83d70 RDI: ffff880036d11a00 [ 368.106005] RBP: ffff88061fc83d08 R08: 0000000000000001 R09: 0000000000000000 [ 368.106005] R10: ffff880036d11a00 R11: ffffffff819e0900 R12: ffff88061fc83c58 [ 368.106005] R13: ffffffff816154dd R14: ffff88061fc83d08 R15: 00000000020155c0 [ 368.106005] FS: 0000000000000000(0000) GS:ffff88061fc80000(0000) knlGS:0000000000000000 [ 368.106005] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 368.106005] CR2: 00007f8c2aee9c40 CR3: 000000057b222000 CR4: 00000000000407e0 [ 368.106005] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 368.106005] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 368.106005] Stack: [ 368.106005] 00000000010000c0 ffff88057b766000 ffff8802e380b000 ffff88057af03e00 [ 368.106005] ffff88061fc83dc0 ffffffff815349a6 ffff88061fc83d40 ffffffff814ee146 [ 368.106005] ffff8802e380af00 00000000e380af00 ffffffff819e0900 020155c0010000c0 [ 368.106005] Call Trace: [ 368.106005] [ 368.106005] [ 368.106005] [] ip_route_input_noref+0x516/0xbd0 [ 368.106005] [] ? skb_release_data+0xd6/0x110 [ 368.106005] [] ? kfree_skb+0x3a/0xa0 [ 368.106005] [] ip_rcv_finish+0x29f/0x350 [ 368.106005] [] ip_rcv+0x234/0x380 [ 368.106005] [] __netif_receive_skb_core+0x676/0x870 [ 368.106005] [] __netif_receive_skb+0x18/0x60 [ 368.106005] [] process_backlog+0xae/0x180 [ 368.106005] [] net_rx_action+0x152/0x240 [ 368.106005] [] __do_softirq+0xef/0x280 [ 368.106005] [] call_softirq+0x1c/0x30 [ 368.106005] [ 368.106005] [ 368.106005] [] do_softirq+0x65/0xa0 [ 368.106005] [] local_bh_enable+0x94/0xa0 [ 368.106005] [] rcu_nocb_kthread+0x232/0x370 [ 368.106005] [] ? wake_up_bit+0x30/0x30 [ 368.106005] [] ? rcu_start_gp+0x40/0x40 [ 368.106005] [] kthread+0xcf/0xe0 [ 368.106005] [] ? kthread_create_on_node+0x140/0x140 [ 368.106005] [] ret_from_fork+0x58/0x90 [ 368.106005] [] ? kthread_create_on_node+0x140/0x140 ==================================cut here============================== It turns out that the rcuos callback-offload kthread is busy processing a very large quantity of RCU callbacks, and it is not reliquishing the CPU while doing so. This commit therefore adds an cond_resched_rcu_qs() within the loop to allow other tasks to run. Signed-off-by: Ding Tianhong [ paulmck: Substituted cond_resched_rcu_qs for cond_resched. ] Signed-off-by: Paul E. McKenney Cc: Dhaval Giani Signed-off-by: Greg Kroah-Hartman commit b6f9e236b7efef399bac7819f979e4ecc51f5115 Author: Dmitry Torokhov Date: Sat Nov 12 10:45:48 2016 -0800 Input: psmouse - disable automatic probing of BYD touchpads commit e9fb7cc63801d3dc71b60ca11c4d08f68f879a53 upstream. BYD automatic protocol detection is extremely unreliable and is often triggers false positives on regular mice, Sentelic touchpads, and other devices. BYD has several documents that have recommended detection sequence, but they conflict with each other and, as far as I can see, still would not produce unique enough output to reliably differentiate BYD from other PS/2 devices. OEMs sourcing BYD devices also do not do us any favors by not supplying any reasonable DMI data and instead leaving turds like "To Be Filled By O.E.M." in place of vendor data, or "System Serial Number" as serial number. On top of that BYD is not truly modern multitouch controller, but rather a single-touch transitional device that only reports absolute coordinates at the beginning of finger contact and then reverts to reporting displacements, and thus not very precise; the only benefit from using BYD mode vs the legacy PS/2 mode is possibility of edge scrolling. Given the above, and the fact that BYD devices are somewhat uncommon, let's disable automatic detection of BYD devices. Users who know they have BYD trackpads or want to experiment can attempt to activate BYD protocol via sysfs: echo -n "byd" > /sys/bus/serio/devices/serio1/drvctl Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=151691 Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=175421 Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=120781 Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=121281 Fixes: 98ee37714493 ("Input: byd - add BYD PS/2 touchpad driver") Reviewed-by: Pali Rohár Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 6ca8ab7052c4d16a3ea9b8eb9cea0b41b6ffb562 Author: Ping Cheng Date: Mon Nov 28 13:20:51 2016 -0800 Input: change KEY_DATA from 0x275 to 0x277 commit 2425f1808123bf69a8f66d4ec90e0d0e302c2613 upstream. 0x275 is used by KEY_FASTREVERSE. Fixes: 488326947cd1 ("Input: add HDMI CEC specific keycodes") Signed-off-by: Ping Cheng Acked-by: Hans Verkuil Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 600bec25b855cfa9ae72d17806899bed7e4d5057 Author: Miklos Szeredi Date: Tue Nov 29 10:20:24 2016 +0100 ovl: fix d_real() for stacked fs commit c4fcfc1619ea43a8a89ad2f83ff23905eee088bd upstream. Handling of recursion in d_real() is completely broken. Recursion is only done in the 'inode != NULL' case. But when opening the file we have 'inode == NULL' hence d_real() will return an overlay dentry. This won't work since overlayfs doesn't define its own file operations, so all file ops will fail. Fix by doing the recursion first and the check against the inode second. Bash script to reproduce the issue written by Quentin: - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - tmpdir=$(mktemp -d) pushd ${tmpdir} mkdir -p {upper,lower,work} echo -n 'rocks' > lower/ksplice mount -t overlay level_zero upper -o lowerdir=lower,upperdir=upper,workdir=work cat upper/ksplice tmpdir2=$(mktemp -d) pushd ${tmpdir2} mkdir -p {upper,work} mount -t overlay level_one upper -o lowerdir=${tmpdir}/upper,upperdir=upper,workdir=work ls -l upper/ksplice cat upper/ksplice - 8< - - - - - 8< - - - - - 8< - - - - - 8< - - - - Reported-by: Quentin Casasnovas Signed-off-by: Miklos Szeredi Fixes: 2d902671ce1c ("vfs: merge .d_select_inode() into .d_real()") Signed-off-by: Greg Kroah-Hartman commit 5661a69268715cde3489a668251926b314a59173 Author: Kirill A. Shutemov Date: Wed Nov 30 15:54:19 2016 -0800 mm: fix false-positive WARN_ON() in truncate/invalidate for hugetlb commit 5cbc198ae08d84bd416b672ad8bd1222acd0855c upstream. Hugetlb pages have ->index in size of the huge pages (PMD_SIZE or PUD_SIZE), not in PAGE_SIZE as other types of pages. This means we cannot user page_to_pgoff() to check whether we've got the right page for the radix-tree index. Let's introduce page_to_index() which would return radix-tree index for given page. We will be able to get rid of this once hugetlb will be switched to multi-order entries. Fixes: fc127da085c2 ("truncate: handle file thp") Link: http://lkml.kernel.org/r/20161123093053.mjbnvn5zwxw5e6lk@black.fi.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Doug Nelson Tested-by: Doug Nelson Reviewed-by: Naoya Horiguchi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 48b6b50a2ba5fa74399e9fb0abf3c26982a0048e Author: Dmitry Vyukov Date: Wed Nov 30 15:54:13 2016 -0800 kasan: update kasan_global for gcc 7 commit 045d599a286bc01daa3510d59272440a17b23c2e upstream. kasan_global struct is part of compiler/runtime ABI. gcc revision 241983 has added a new field to kasan_global struct. Update kernel definition of kasan_global struct to include the new field. Without this patch KASAN is broken with gcc 7. Link: http://lkml.kernel.org/r/1479219743-28682-1-git-send-email-dvyukov@google.com Signed-off-by: Dmitry Vyukov Acked-by: Andrey Ryabinin Cc: Alexander Potapenko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit db04d354b7f1ea4f47142174195cada01e9f40b7 Author: Takashi Iwai Date: Wed Nov 30 15:54:08 2016 -0800 zram: fix unbalanced idr management at hot removal commit 529e71e16403830ae0d737a66c55c5f360f3576b upstream. The zram hot removal code calls idr_remove() even when zram_remove() returns an error (typically -EBUSY). This results in a leftover at the device release, eventually leading to a crash when the module is reloaded. As described in the bug report below, the following procedure would cause an Oops with zram: - provision three zram devices via modprobe zram num_devices=3 - configure a size for each device + echo "1G" > /sys/block/$zram_name/disksize - mkfs and mount zram0 only - attempt to hot remove all three devices + echo 2 > /sys/class/zram-control/hot_remove + echo 1 > /sys/class/zram-control/hot_remove + echo 0 > /sys/class/zram-control/hot_remove - zram0 removal fails with EBUSY, as expected - unmount zram0 - try zram0 hot remove again + echo 0 > /sys/class/zram-control/hot_remove - fails with ENODEV (unexpected) - unload zram kernel module + completes successfully - zram0 device node still exists - attempt to mount /dev/zram0 + mount command is killed + following BUG is encountered BUG: unable to handle kernel paging request at ffffffffa0002ba0 IP: get_disk+0x16/0x50 Oops: 0000 [#1] SMP CPU: 0 PID: 252 Comm: mount Not tainted 4.9.0-rc6 #176 Call Trace: exact_lock+0xc/0x20 kobj_lookup+0xdc/0x160 get_gendisk+0x2f/0x110 __blkdev_get+0x10c/0x3c0 blkdev_get+0x19d/0x2e0 blkdev_open+0x56/0x70 do_dentry_open.isra.19+0x1ff/0x310 vfs_open+0x43/0x60 path_openat+0x2c9/0xf30 do_filp_open+0x79/0xd0 do_sys_open+0x114/0x1e0 SyS_open+0x19/0x20 entry_SYSCALL_64_fastpath+0x13/0x94 This patch adds the proper error check in hot_remove_store() not to call idr_remove() unconditionally. Fixes: 17ec4cd98578 ("zram: don't call idr_remove() from zram_remove()") Bugzilla: https://bugzilla.opensuse.org/show_bug.cgi?id=1010970 Link: http://lkml.kernel.org/r/20161121132140.12683-1-tiwai@suse.de Signed-off-by: Takashi Iwai Reviewed-by: David Disseldorp Reported-by: David Disseldorp Tested-by: David Disseldorp Acked-by: Minchan Kim Acked-by: Sergey Senozhatsky Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 010020900006394ffc7b3a3ccde3ec029e1ca61c Author: Kirill A. Shutemov Date: Wed Nov 30 15:54:05 2016 -0800 thp: fix corner case of munlock() of PTE-mapped THPs commit 655548bf6271b212cd1e4c259da9dbe616348d38 upstream. The following program triggers BUG() in munlock_vma_pages_range(): // autogenerated by syzkaller (http://github.com/google/syzkaller) #include int main() { mmap((void*)0x20105000ul, 0xc00000ul, 0x2ul, 0x2172ul, -1, 0); mremap((void*)0x201fd000ul, 0x4000ul, 0xc00000ul, 0x3ul, 0x203f0000ul); return 0; } The test-case constructs the situation when munlock_vma_pages_range() finds PTE-mapped THP-head in the middle of page table and, by mistake, skips HPAGE_PMD_NR pages after that. As result, on the next iteration it hits the middle of PMD-mapped THP and gets upset seeing mlocked tail page. The solution is only skip HPAGE_PMD_NR pages if the THP was mlocked during munlock_vma_page(). It would guarantee that the page is PMD-mapped as we never mlock PTE-mapeed THPs. Fixes: e90309c9f772 ("thp: allow mlocked THP again") Link: http://lkml.kernel.org/r/20161115132703.7s7rrgmwttegcdh4@black.fi.intel.com Signed-off-by: Kirill A. Shutemov Reported-by: Dmitry Vyukov Cc: Konstantin Khlebnikov Cc: Andrey Ryabinin Cc: syzkaller Cc: Andrea Arcangeli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 08fd95de5eee8c32b963fa0551cfc03dca429681 Author: Jérémy Lefaure Date: Wed Nov 30 15:54:02 2016 -0800 mm, thp: propagation of conditional compilation in khugepaged.c commit e1465d125d2189e667029b9fa8a6f455180fbcf2 upstream. Commit b46e756f5e47 ("thp: extract khugepaged from mm/huge_memory.c") moved code from huge_memory.c to khugepaged.c. Some of this code should be compiled only when CONFIG_SYSFS is enabled but the condition around this code was not moved into khugepaged.c. The result is a compilation error when CONFIG_SYSFS is disabled: mm/built-in.o: In function `khugepaged_defrag_store': khugepaged.c:(.text+0x2d095): undefined reference to `single_hugepage_flag_store' mm/built-in.o: In function `khugepaged_defrag_show': khugepaged.c:(.text+0x2d0ab): undefined reference to `single_hugepage_flag_show' This commit adds the #ifdef CONFIG_SYSFS around the code related to sysfs. Link: http://lkml.kernel.org/r/20161114203448.24197-1-jeremy.lefaure@lse.epita.fr Signed-off-by: Jérémy Lefaure Acked-by: Kirill A. Shutemov Acked-by: Hillf Danton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 76e59ecacd5409c8bc500d5ee417d0d57c66e750 Author: Vineet Gupta Date: Wed Nov 23 17:43:17 2016 -0800 ARC: Don't use "+l" inline asm constraint commit 3c7c7a2fc8811bc7097479f69acf2527693d7562 upstream. Apparenty this is coming in the way of gcc fix which inhibits the usage of LP_COUNT as a gpr. Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit b43fb9f6f162ac4bff8cfe836b19a28439291bae Author: Yuriy Kolerov Date: Mon Nov 28 07:07:17 2016 +0300 ARC: mm: PAE40: Fix crash at munmap commit 6a8b2ca702b279bea0e8f0363056439352e2081c upstream. commit 1c3c90930392 broke PAE40. Macro pfn_pte(pfn, prot) creates paddr from pfn, but the page shift was getting truncated to 32 bits since we lost the proper cast to 64 bits (for PAE400 Instead of reverting that commit, use a better helper which is 32/64 bits safe just like ARM implementation. Fixes: 1c3c90930392 ("ARC: mm: fix build breakage with STRICT_MM_TYPECHECKS") Signed-off-by: Yuriy Kolerov [vgupta: massaged changelog] Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 8d1ee7b245ef50b497f1f1f57b74cae3285accf2 Author: Johannes Thumshirn Date: Thu Nov 17 12:50:23 2016 +0100 scsi: libfc: fix seconds_since_last_reset miscalculation commit 208da78e8ec8b6d6ce3747ab0e5c120458e08ae6 upstream. Commit 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation") removed the use of 'struct timespec' from fc_get_host_stats(). This broke the output of 'fcoeadm -s' after kernel 4.8-rc1. Signed-off-by: Johannes Thumshirn Fixes: 540eb1eef0ab ("scsi: libfc: fix seconds_since_last_reset calculation") Acked-by: Arnd Bergmann Reviewed-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 10e2627377b01b5dbfae039573cea2e4fa508483 Author: Hannes Reinecke Date: Thu Nov 17 12:15:56 2016 +0100 scsi: hpsa: use bus '3' for legacy HBA devices commit 7630b3a599e2c6d1c042945d32ff2debc855ad29 upstream. Older controllers use SCSI target id '0' for the first internal disk. As the controllers are now placed on the same bus as the internal disks this leads to a clash with the SCSI target id of controller. This patch checks the SCSI revision, and moves older controller to bus '3' to be compatible with older releases and avoid this problem. [mkp: fixed uninitialized variable] Fixes: 09371d623c9 ("hpsa: Change SAS transport devices to bus 0.") Signed-off-by: Hannes Reinecke Acked-by: Don Brace Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e170c1003c025ae3289a079507f481cf6eaf1e44 Author: Hannes Reinecke Date: Mon Oct 31 21:06:58 2016 +0100 libata-scsi: Fixup ata_gen_passthru_sense() commit e0029dcb5b6e1c23e68f578ce7a3d6c5caba0501 upstream. There's a typo in ata_gen_passthru_sense(), where the first byte would be overwritten incorrectly later on. Reported-by: Charles Machalow Signed-off-by: Hannes Reinecke Fixes: 11093cb1ef56 ("libata-scsi: generate correct ATA pass-through sense") Signed-off-by: Tejun Heo Signed-off-by: Greg Kroah-Hartman