-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3gA+IACgkQONu9yGCS
aT4A1g/9GUv2ZqnuffYjkV/89P+ueu5iG/XvI7EZixVtFNe8/ZV/MDqVw98TiGck
q9ZY4fg1Zn0VmBreSruDGBTa+NJ5RGlkcUqRO9CjeyPN2P3T9haN+JiRNpB2vjgW
xLOF0+JiZ/KZFB4QY39imcX+58BdCvl4I40wv2frP8r/QcM2eXP3f80UAb2bAjTO
mVKm538Btd/bSKbnzShmUree4lqExOZtxvoYjlGEwyJJz+uT2E2/HiE/mAoh4eIz
NtAAo9QH5xDye6dHLxxjM5ks3hyFipbNKzdIKXl/5Z2bF3wcG99M19BpbwoGmfv6
ndNl1Cbvvm1iBLK9+EKhEFpsoZ2emLf53l/cgmTHYAul/ookMwyqxogC9REH7pSL
YQVhoADQ7lqFmO5P09PKILx+P88Xn5FRTO/XcivKcmodKnaiQsxisRbem5LzGoDd
PhNQV/y7pVTwi1Q/FeD0rl3gPVaKLRyWFtEVkn/CI/2Y7CXCy0pLvkjso37REGt7
wNaE5/6yPuW1wQ+Sker767SwDN8C3PFQCNaPYTShEJ52H/g4vYtC5y3AtwVj0Mu8
itAw/vcwoEpY6clsCKq6qmptS8hNrP6bkOi6Ev4wPC/YS0iDnH/r/SGI+T3sEzBL
9FzBMerRJtRj8f2Iq6t2qp3sv4921iCLratrjVS+S5wSbCfYhrc=
=o3eX
-----END PGP SIGNATURE-----
Merge 4.9.204 into android-4.9-q
Changes in 4.9.204
net/mlx4_en: fix mlx4 ethtool -N insertion
net: rtnetlink: prevent underflows in do_setvfinfo()
sfc: Only cancel the PPS workqueue if it exists
net/mlx5e: Fix set vf link state error flow
net/sched: act_pedit: fix WARN() in the traffic path
gpio: max77620: Fixup debounce delays
tools: gpio: Correctly add make dependencies for gpio_utils
Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
platform/x86: asus-nb-wmi: Support ALS on the Zenbook UX430UQ
platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi
mwifiex: Fix NL80211_TX_POWER_LIMITED
ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback
printk: fix integer overflow in setup_log_buf()
gfs2: Fix marking bitmaps non-full
synclink_gt(): fix compat_ioctl()
powerpc: Fix signedness bug in update_flash_db()
powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
brcmsmac: AP mode: update beacon when TIM changes
ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem
spi: sh-msiof: fix deferred probing
mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail
btrfs: handle error of get_old_root
gsmi: Fix bug in append_to_eventlog sysfs handler
misc: mic: fix a DMA pool free failure
m68k: fix command-line parsing when passed from u-boot
amiflop: clean up on errors during setup
scsi: ips: fix missing break in switch
KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
scsi: isci: Change sci_controller_start_task's return type to sci_status
scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
ASoC: tegra_sgtl5000: fix device_node refcounting
scsi: dc395x: fix dma API usage in srb_done
scsi: dc395x: fix DMA API usage in sg_update_list
net: fix warning in af_unix
net: ena: Fix Kconfig dependency on X86
xfs: fix use-after-free race in xfs_buf_rele
kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack
ALSA: i2c/cs8427: Fix int to char conversion
macintosh/windfarm_smu_sat: Fix debug output
USB: misc: appledisplay: fix backlight update_status return code
usbip: tools: fix atoi() on non-null terminated string
SUNRPC: Fix a compile warning for cmpxchg64()
sunrpc: safely reallow resvport min/max inversion
atm: zatm: Fix empty body Clang warnings
s390/perf: Return error when debug_register fails
spi: omap2-mcspi: Set FIFO DMA trigger level to word length
sparc: Fix parport build warnings.
ceph: fix dentry leak in ceph_readdir_prepopulate
rtc: s35390a: Change buf's type to u8 in s35390a_init
f2fs: fix to spread clear_cold_data()
mISDN: Fix type of switch control variable in ctrl_teimanager
qlcnic: fix a return in qlcnic_dcb_get_capability()
net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode
mfd: arizona: Correct calling of runtime_put_sync
mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
mfd: max8997: Enale irq-wakeup unconditionally
selftests/ftrace: Fix to test kprobe $comm arg only if available
thermal: rcar_thermal: Prevent hardware access during system suspend
powerpc/process: Fix flush_all_to_thread for SPE
sparc64: Rework xchg() definition to avoid warnings.
fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()
mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock
macsec: update operstate when lower device changes
macsec: let the administrator set UP state even if lowerdev is down
um: Make line/tty semantics use true write IRQ
linux/bitmap.h: handle constant zero-size bitmaps correctly
linux/bitmap.h: fix type of nbits in bitmap_shift_right()
hfsplus: fix BUG on bnode parent update
hfs: fix BUG on bnode parent update
hfsplus: prevent btree data loss on ENOSPC
hfs: prevent btree data loss on ENOSPC
hfsplus: fix return value of hfsplus_get_block()
hfs: fix return value of hfs_get_block()
hfsplus: update timestamps on truncate()
hfs: update timestamp on truncate()
fs/hfs/extent.c: fix array out of bounds read of array extent
mm/memory_hotplug: make add_memory() take the device_hotplug_lock
igb: shorten maximum PHC timecounter update interval
ntb_netdev: fix sleep time mismatch
ntb: intel: fix return value for ndev_vec_mask()
arm64: makefile fix build of .i file in external module case
ocfs2: don't put and assigning null to bh allocated outside
ocfs2: fix clusters leak in ocfs2_defrag_extent()
net: do not abort bulk send on BQL status
sched/fair: Don't increase sd->balance_interval on newidle balance
audit: print empty EXECVE args
wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()'
rtl8xxxu: Fix missing break in switch
brcmsmac: never log "tid x is not agg'able" by default
wireless: airo: potential buffer overflow in sprintf()
rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
scsi: mpt3sas: Fix Sync cache command failure during driver unload
scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11
scsi: megaraid_sas: Fix msleep granularity
scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
dlm: fix invalid free
dlm: don't leak kernel pointer to userspace
ACPICA: Use %d for signed int print formatting instead of %u
net: bcmgenet: return correct value 'ret' from bcmgenet_power_down
sock: Reset dst when changing sk_mark via setsockopt
pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT
pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
PCI: keystone: Use quirk to limit MRRS for K2G
spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock
Bluetooth: Fix invalid-free in bcsp_close()
KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
ath9k_hw: fix uninitialized variable data
dm: use blk_set_queue_dying() in __dm_destroy()
arm64: fix for bad_mode() handler to always result in panic
cpufreq: Skip cpufreq resume if it's not suspended
ocfs2: remove ocfs2_is_o2cb_active()
ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary
ARC: perf: Accommodate big-endian CPU
x86/insn: Fix awk regexp warnings
x86/speculation: Fix incorrect MDS/TAA mitigation status
x86/speculation: Fix redundant MDS mitigation message
nfc: port100: handle command failure cleanly
l2tp: don't use l2tp_tunnel_find() in l2tp_ip and l2tp_ip6
media: vivid: Set vid_cap_streaming and vid_out_streaming to true
media: vivid: Fix wrong locking that causes race conditions on streaming stop
media: usbvision: Fix races among open, close, and disconnect
cpufreq: Add NULL checks to show() and store() methods of cpufreq
media: uvcvideo: Fix error path in control parsing failure
media: b2c2-flexcop-usb: add sanity checking
media: cxusb: detect cxusb_ctrl_msg error in query
media: imon: invalid dereference in imon_touch_event
virtio_console: reset on out of memory
virtio_console: don't tie bufs to a vq
virtio_console: allocate inbufs in add_port() only if it is needed
virtio_ring: fix return code on DMA mapping fails
virtio_console: fix uninitialized variable use
virtio_console: drop custom control queue cleanup
virtio_console: move removal code
usbip: tools: fix fd leakage in the function of read_attr_usbip_status
usb-serial: cp201x: support Mark-10 digital force gauge
USB: chaoskey: fix error case of a timeout
appledisplay: fix error handling in the scheduled work
USB: serial: mos7840: add USB ID to support Moxa UPort 2210
USB: serial: mos7720: fix remote wakeup
USB: serial: mos7840: fix remote wakeup
USB: serial: option: add support for DW5821e with eSIM support
USB: serial: option: add support for Foxconn T77W968 LTE modules
staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
powerpc/64s: support nospectre_v2 cmdline option
powerpc/book3s64: Fix link stack flush on context switch
KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
Linux 4.9.204
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 8df1d0e4a265f25dc1e7e7624ccdbcb4a6630c89 ]
add_memory() currently does not take the device_hotplug_lock, however
is aleady called under the lock from
arch/powerpc/platforms/pseries/hotplug-memory.c
drivers/acpi/acpi_memhotplug.c
to synchronize against CPU hot-remove and similar.
In general, we should hold the device_hotplug_lock when adding memory to
synchronize against online/offline request (e.g. from user space) - which
already resulted in lock inversions due to device_lock() and
mem_hotplug_lock - see 30467e0b3b ("mm, hotplug: fix concurrent memory
hot-add deadlock"). add_memory()/add_memory_resource() will create memory
block devices, so this really feels like the right thing to do.
Holding the device_hotplug_lock makes sure that a memory block device
can really only be accessed (e.g. via .online/.state) from user space,
once the memory has been fully added to the system.
The lock is not held yet in
drivers/xen/balloon.c
arch/powerpc/platforms/powernv/memtrace.c
drivers/s390/char/sclp_cmd.c
drivers/hv/hv_balloon.c
So, let's either use the locked variants or take the lock.
Don't export add_memory_resource(), as it once was exported to be used by
XEN, which is never built as a module. If somebody requires it, we also
have to export a locked variant (as device_hotplug_lock is never
exported).
Link: http://lkml.kernel.org/r/20180925091457.28651-3-david@redhat.com
Signed-off-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Pavel Tatashin <pavel.tatashin@microsoft.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Rashmica Gupta <rashmica.g@gmail.com>
Reviewed-by: Oscar Salvador <osalvador@suse.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: "Rafael J. Wysocki" <rjw@rjwysocki.net>
Cc: Len Brown <lenb@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: Juergen Gross <jgross@suse.com>
Cc: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Cc: John Allen <jallen@linux.vnet.ibm.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Mathieu Malaterre <malat@debian.org>
Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
Cc: YASUAKI ISHIMATSU <yasu.isimatu@gmail.com>
Cc: Balbir Singh <bsingharora@gmail.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Kate Stewart <kstewart@linuxfoundation.org>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Michael Neuling <mikey@neuling.org>
Cc: Philippe Ombredanne <pombredanne@nexb.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 64081362e8ff4587b4554087f3cfc73d3e0a4cd7 ]
We've recently seen a workload on XFS filesystems with a repeatable
deadlock between background writeback and a multi-process application
doing concurrent writes and fsyncs to a small range of a file.
range_cyclic
writeback Process 1 Process 2
xfs_vm_writepages
write_cache_pages
writeback_index = 2
cycled = 0
....
find page 2 dirty
lock Page 2
->writepage
page 2 writeback
page 2 clean
page 2 added to bio
no more pages
write()
locks page 1
dirties page 1
locks page 2
dirties page 1
fsync()
....
xfs_vm_writepages
write_cache_pages
start index 0
find page 1 towrite
lock Page 1
->writepage
page 1 writeback
page 1 clean
page 1 added to bio
find page 2 towrite
lock Page 2
page 2 is writeback
<blocks>
write()
locks page 1
dirties page 1
fsync()
....
xfs_vm_writepages
write_cache_pages
start index 0
!done && !cycled
sets index to 0, restarts lookup
find page 1 dirty
find page 1 towrite
lock Page 1
page 1 is writeback
<blocks>
lock Page 1
<blocks>
DEADLOCK because:
- process 1 needs page 2 writeback to complete to make
enough progress to issue IO pending for page 1
- writeback needs page 1 writeback to complete so process 2
can progress and unlock the page it is blocked on, then it
can issue the IO pending for page 2
- process 2 can't make progress until process 1 issues IO
for page 1
The underlying cause of the problem here is that range_cyclic writeback is
processing pages in descending index order as we hold higher index pages
in a structure controlled from above write_cache_pages(). The
write_cache_pages() caller needs to be able to submit these pages for IO
before write_cache_pages restarts writeback at mapping index 0 to avoid
wcp inverting the page lock/writeback wait order.
generic_writepages() is not susceptible to this bug as it has no private
context held across write_cache_pages() - filesystems using this
infrastructure always submit pages in ->writepage immediately and so there
is no problem with range_cyclic going back to mapping index 0.
However:
mpage_writepages() has a private bio context,
exofs_writepages() has page_collect
fuse_writepages() has fuse_fill_wb_data
nfs_writepages() has nfs_pageio_descriptor
xfs_vm_writepages() has xfs_writepage_ctx
All of these ->writepages implementations can hold pages under writeback
in their private structures until write_cache_pages() returns, and hence
they are all susceptible to this deadlock.
Also worth noting is that ext4 has it's own bastardised version of
write_cache_pages() and so it /may/ have an equivalent deadlock. I looked
at the code long enough to understand that it has a similar retry loop for
range_cyclic writeback reaching the end of the file and then promptly ran
away before my eyes bled too much. I'll leave it for the ext4 developers
to determine if their code is actually has this deadlock and how to fix it
if it has.
There's a few ways I can see avoid this deadlock. There's probably more,
but these are the first I've though of:
1. get rid of range_cyclic altogether
2. range_cyclic always stops at EOF, and we start again from
writeback index 0 on the next call into write_cache_pages()
2a. wcp also returns EAGAIN to ->writepages implementations to
indicate range cyclic has hit EOF. writepages implementations can
then flush the current context and call wpc again to continue. i.e.
lift the retry into the ->writepages implementation
3. range_cyclic uses trylock_page() rather than lock_page(), and it
skips pages it can't lock without blocking. It will already do this
for pages under writeback, so this seems like a no-brainer
3a. all non-WB_SYNC_ALL writeback uses trylock_page() to avoid
blocking as per pages under writeback.
I don't think #1 is an option - range_cyclic prevents frequently
dirtied lower file offset from starving background writeback of
rarely touched higher file offsets.
#2 is simple, and I don't think it will have any impact on
performance as going back to the start of the file implies an
immediate seek. We'll have exactly the same number of seeks if we
switch writeback to another inode, and then come back to this one
later and restart from index 0.
#2a is pretty much "status quo without the deadlock". Moving the
retry loop up into the wcp caller means we can issue IO on the
pending pages before calling wcp again, and so avoid locking or
waiting on pages in the wrong order. I'm not convinced we need to do
this given that we get the same thing from #2 on the next writeback
call from the writeback infrastructure.
#3 is really just a band-aid - it doesn't fix the access/wait
inversion problem, just prevents it from becoming a deadlock
situation. I'd prefer we fix the inversion, not sweep it under the
carpet like this.
#3a is really an optimisation that just so happens to include the
band-aid fix of #3.
So it seems that the simplest way to fix this issue is to implement
solution #2
Link: http://lkml.kernel.org/r/20181005054526.21507-1-david@fromorbit.com
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Jan Kara <jack@suse.de>
Cc: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 9a63236f1ad82d71a98aa80320b6cb618fb32f44 upstream.
It's possible to hit the WARN_ON_ONCE(page_mapped(page)) in
remove_stable_node() when it races with __mmput() and squeezes in
between ksm_exit() and exit_mmap().
WARNING: CPU: 0 PID: 3295 at mm/ksm.c:888 remove_stable_node+0x10c/0x150
Call Trace:
remove_all_stable_nodes+0x12b/0x330
run_store+0x4ef/0x7b0
kernfs_fop_write+0x200/0x420
vfs_write+0x154/0x450
ksys_write+0xf9/0x1d0
do_syscall_64+0x99/0x510
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Remove the warning as there is nothing scary going on.
Link: http://lkml.kernel.org/r/20191119131850.5675-1-aryabinin@virtuozzo.com
Fixes: cbf86cfe04 ("ksm: remove old stable nodes more thoroughly")
Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3blr8ACgkQONu9yGCS
aT5BrQ//bhVt4Fy5NPJ/QlzpslU7XrwTYtGH0foNbUVvUeeJjiTYZj4XrRDE1VhC
dQJNYRs8wqxG1EhNV4ydpCyLZgG+iLFW0pJc+k47WL+KJAChN0gQT0lGRkZ90GUJ
1+FAM9/QJ5T5Z5T3sMfigp+nUDDoWgWrXl4RBxxbROmYu+xgOOa5agWxqzJDh3CU
bjMF9heQEbpK26NyCqpaumL/nBaj86c/Qspq9PHeHwQDF3Sv+XEDgx8S94t8Zc1K
DJojA3Nyl87FQOpdR/1UFCjge7GcdMP2xozRYGzMXqUwNCHjm6crKoM2EaGqHf2a
HrFDUKL+tC6pE0YrPnrsaQkEFauZEB4Zm9zegwuIqxEovM3o+VkjiTi4XI4VdrZT
t5VVE2tirlvNEAIN1BSbMqZnlE+c+8PpObABLhQtpmNAJP+PNXVeze600uissLbp
grAU7hVvC89uzhPTbfhUyAginAAlqftDaO/YvdPlHXYCv4bLGcF1PYyEH2WfzAPp
fpFJwyVE5tUev5WT4Xm1tAzK5EsW0aUZ69y0+RqwC1mKXTvcHQy9A0u+5ccmQTl9
KSoR2Z/y2qvzfUAB0umAsXQohLUhZYtE4cCyj1us0WDy/0DI3HiJK5rDmJElM3DQ
4PcGN4QtH2PZUogtPaHdwOnL9WS7kwFv+RKDdV3Mjw8bTZPiZg0=
=TWjb
-----END PGP SIGNATURE-----
Merge 4.9.203 into android-4.9-q
Changes in 4.9.203
ax88172a: fix information leak on short answers
slip: Fix memory leak in slip_open error path
ALSA: usb-audio: Fix missing error check at mixer resolution test
ALSA: usb-audio: not submit urb for stopped endpoint
Input: ff-memless - kill timer in destroy()
Input: synaptics-rmi4 - fix video buffer size
Input: synaptics-rmi4 - clear IRQ enables for F54
Input: synaptics-rmi4 - destroy F54 poller workqueue when removing
IB/hfi1: Ensure full Gen3 speed in a Gen4 system
ecryptfs_lookup_interpose(): lower_dentry->d_inode is not stable
ecryptfs_lookup_interpose(): lower_dentry->d_parent is not stable either
iommu/vt-d: Fix QI_DEV_IOTLB_PFSID and QI_DEV_EIOTLB_PFSID macros
mm: memcg: switch to css_tryget() in get_mem_cgroup_from_mm()
mm: hugetlb: switch to css_tryget() in hugetlb_cgroup_charge_cgroup()
mmc: sdhci-of-at91: fix quirk2 overwrite
ath10k: fix kernel panic by moving pci flush after napi_disable
iio: dac: mcp4922: fix error handling in mcp4922_write_raw
ALSA: pcm: signedness bug in snd_pcm_plug_alloc()
arm64: dts: tegra210-p2180: Correct sdmmc4 vqmmc-supply
ARM: dts: at91/trivial: Fix USART1 definition for at91sam9g45
cfg80211: Avoid regulatory restore when COUNTRY_IE_IGNORE is set
ALSA: seq: Do error checks at creating system ports
ath9k: fix tx99 with monitor mode interface
gfs2: Don't set GFS2_RDF_UPTODATE when the lvb is updated
ASoC: dpcm: Properly initialise hw->rate_max
MIPS: BCM47XX: Enable USB power on Netgear WNDR3400v3
ARM: dts: exynos: Fix sound in Snow-rev5 Chromebook
ARM: dts: exynos: Fix regulators configuration on Peach Pi/Pit Chromebooks
i40e: use correct length for strncpy
i40e: hold the rtnl lock on clearing interrupt scheme
i40e: Prevent deleting MAC address from VF when set by PF
IB/rxe: fixes for rdma read retry
iwlwifi: mvm: avoid sending too many BARs
ARM: dts: pxa: fix power i2c base address
rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument
net: lan78xx: Bail out if lan78xx_get_endpoints fails
ASoC: sgtl5000: avoid division by zero if lo_vag is zero
ARM: dts: exynos: Disable pull control for S5M8767 PMIC
ath10k: wmi: disable softirq's while calling ieee80211_rx
mips: txx9: fix iounmap related issue
ASoC: Intel: hdac_hdmi: Limit sampling rates at dai creation
of: make PowerMac cache node search conditional on CONFIG_PPC_PMAC
ARM: dts: omap3-gta04: give spi_lcd node a label so that we can overwrite in other DTS files
ARM: dts: omap3-gta04: fixes for tvout / venc
ARM: dts: omap3-gta04: tvout: enable as display1 alias
ARM: dts: omap3-gta04: fix touchscreen tsc2007
ARM: dts: omap3-gta04: make NAND partitions compatible with recent U-Boot
ARM: dts: omap3-gta04: keep vpll2 always on
dmaengine: dma-jz4780: Don't depend on MACH_JZ4780
dmaengine: dma-jz4780: Further residue status fix
ath9k: add back support for using active monitor interfaces for tx99
signal: Always ignore SIGKILL and SIGSTOP sent to the global init
signal: Properly deliver SIGILL from uprobes
signal: Properly deliver SIGSEGV from x86 uprobes
f2fs: fix memory leak of percpu counter in fill_super()
scsi: sym53c8xx: fix NULL pointer dereference panic in sym_int_sir()
ARM: imx6: register pm_power_off handler if "fsl,pmic-stby-poweroff" is set
scsi: pm80xx: Corrected dma_unmap_sg() parameter
scsi: pm80xx: Fixed system hang issue during kexec boot
kprobes: Don't call BUG_ON() if there is a kprobe in use on free list
nvmem: core: return error code instead of NULL from nvmem_device_get
media: fix: media: pci: meye: validate offset to avoid arbitrary access
media: dvb: fix compat ioctl translation
ALSA: intel8x0m: Register irq handler after register initializations
pinctrl: at91-pio4: fix has_config check in atmel_pctl_dt_subnode_to_map()
llc: avoid blocking in llc_sap_close()
ARM: dts: qcom: ipq4019: fix cpu0's qcom,saw2 reg value
powerpc/vdso: Correct call frame information
ARM: dts: socfpga: Fix I2C bus unit-address error
pinctrl: at91: don't use the same irqchip with multiple gpiochips
cxgb4: Fix endianness issue in t4_fwcache()
power: supply: ab8500_fg: silence uninitialized variable warnings
power: reset: at91-poweroff: do not procede if at91_shdwc is allocated
power: supply: max8998-charger: Fix platform data retrieval
component: fix loop condition to call unbind() if bind() fails
kernfs: Fix range checks in kernfs_get_target_path
ip_gre: fix parsing gre header in ipgre_err
ARM: dts: rockchip: Fix erroneous SPI bus dtc warnings on rk3036
ath9k: Fix a locking bug in ath9k_add_interface()
s390/qeth: invoke softirqs after napi_schedule()
PCI/ACPI: Correct error message for ASPM disabling
serial: mxs-auart: Fix potential infinite loop
powerpc/iommu: Avoid derefence before pointer check
powerpc/64s/hash: Fix stab_rr off by one initialization
powerpc/pseries: Disable CPU hotplug across migrations
RDMA/i40iw: Fix incorrect iterator type
libfdt: Ensure INT_MAX is defined in libfdt_env.h
power: supply: twl4030_charger: fix charging current out-of-bounds
power: supply: twl4030_charger: disable eoc interrupt on linear charge
net: toshiba: fix return type of ndo_start_xmit function
net: xilinx: fix return type of ndo_start_xmit function
net: broadcom: fix return type of ndo_start_xmit function
net: amd: fix return type of ndo_start_xmit function
usb: chipidea: imx: enable OTG overcurrent in case USB subsystem is already started
usb: chipidea: Fix otg event handler
mlxsw: spectrum: Init shaper for TCs 8..15
ARM: dts: am335x-evm: fix number of cpsw
f2fs: fix to recover inode's uid/gid during POR
ARM: dts: ux500: Correct SCU unit address
ARM: dts: ux500: Fix LCDA clock line muxing
ARM: dts: ste: Fix SPI controller node names
spi: pic32: Use proper enum in dmaengine_prep_slave_rg
cpufeature: avoid warning when compiling with clang
ARM: dts: marvell: Fix SPI and I2C bus warnings
bnx2x: Ignore bandwidth attention in single function mode
net: micrel: fix return type of ndo_start_xmit function
x86/CPU: Use correct macros for Cyrix calls
MIPS: kexec: Relax memory restriction
media: pci: ivtv: Fix a sleep-in-atomic-context bug in ivtv_yuv_init()
media: au0828: Fix incorrect error messages
media: davinci: Fix implicit enum conversion warning
usb: gadget: uvc: configfs: Drop leaked references to config items
usb: gadget: uvc: configfs: Prevent format changes after linking header
phy: phy-twl4030-usb: fix denied runtime access
usb: gadget: uvc: Factor out video USB request queueing
usb: gadget: uvc: Only halt video streaming endpoint in bulk mode
coresight: Fix handling of sinks
coresight: etm4x: Configure EL2 exception level when kernel is running in HYP
coresight: tmc: Fix byte-address alignment for RRP
misc: kgdbts: Fix restrict error
misc: genwqe: should return proper error value.
vfio/pci: Fix potential memory leak in vfio_msi_cap_len
vfio/pci: Mask buggy SR-IOV VF INTx support
scsi: libsas: always unregister the old device if going to discover new
ARM: dts: tegra30: fix xcvr-setup-use-fuses
ARM: tegra: apalis_t30: fix mmc1 cmd pull-up
ARM: dts: paz00: fix wakeup gpio keycode
net: smsc: fix return type of ndo_start_xmit function
EDAC: Raise the maximum number of memory controllers
ARM: dts: realview: Fix SPI controller node names
Bluetooth: L2CAP: Detect if remote is not able to use the whole MPS
crypto: s5p-sss: Fix Fix argument list alignment
crypto: fix a memory leak in rsa-kcs1pad's encryption mode
scsi: NCR5380: Clear all unissued commands on host reset
scsi: NCR5380: Use DRIVER_SENSE to indicate valid sense data
scsi: NCR5380: Check for invalid reselection target
scsi: NCR5380: Don't clear busy flag when abort fails
scsi: NCR5380: Don't call dsprintk() following reselection interrupt
scsi: NCR5380: Handle BUS FREE during reselection
arm64: dts: amd: Fix SPI bus warnings
arm64: dts: lg: Fix SPI controller node names
ARM: dts: lpc32xx: Fix SPI controller node names
usb: xhci-mtk: fix ISOC error when interval is zero
fuse: use READ_ONCE on congestion_threshold and max_background
IB/iser: Fix possible NULL deref at iser_inv_desc()
memfd: Use radix_tree_deref_slot_protected to avoid the warning.
slcan: Fix memory leak in error path
net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
x86/atomic: Fix smp_mb__{before,after}_atomic()
kprobes/x86: Prohibit probing on exception masking instructions
uprobes/x86: Prohibit probing on MOV SS instruction
fbdev: Ditch fb_edid_add_monspecs
block: introduce blk_rq_is_passthrough
libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
net: ovs: fix return type of ndo_start_xmit function
net: xen-netback: fix return type of ndo_start_xmit function
ARM: dts: omap5: enable OTG role for DWC3 controller
f2fs: return correct errno in f2fs_gc
SUNRPC: Fix priority queue fairness
kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table
arm64/numa: Report correct memblock range for the dummy node
ath10k: fix vdev-start timeout on error
ata: ahci_brcm: Allow using driver or DSL SoCs
ath9k: fix reporting calculated new FFT upper max
usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()
nl80211: Fix a GET_KEY reply attribute
dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction
dmaengine: timb_dma: Use proper enum in td_prep_slave_sg
mei: samples: fix a signedness bug in amt_host_if_call()
cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update
cxgb4: Use proper enum in IEEE_FAUX_SYNC
powerpc/pseries: Fix DTL buffer registration
powerpc/pseries: Fix how we iterate over the DTL entries
mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer
ixgbe: Fix crash with VFs and flow director on interface flap
IB/mthca: Fix error return code in __mthca_init_one()
IB/mlx4: Avoid implicit enumerated type conversion
ACPICA: Never run _REG on system_memory and system_IO
ata: ep93xx: Use proper enums for directions
media: pxa_camera: Fix check for pdev->dev.of_node
ALSA: hda/sigmatel - Disable automute for Elo VuPoint
KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR
USB: serial: cypress_m8: fix interrupt-out transfer length
mtd: physmap_of: Release resources on error
cpu/SMT: State SMT is disabled even with nosmt and without "=force"
brcmfmac: reduce timeout for action frame scan
brcmfmac: fix full timeout waiting for action frame on-channel tx
clk: samsung: Use clk_hw API for calling clk framework from clk notifiers
i2c: brcmstb: Allow enabling the driver on DSL SoCs
NFSv4.x: fix lock recovery during delegation recall
dmaengine: ioat: fix prototype of ioat_enumerate_channels
Input: st1232 - set INPUT_PROP_DIRECT property
Input: silead - try firmware reload after unsuccessful resume
x86/olpc: Fix build error with CONFIG_MFD_CS5535=m
crypto: mxs-dcp - Fix SHA null hashes and output length
crypto: mxs-dcp - Fix AES issues
ACPI / SBS: Fix rare oops when removing modules
iwlwifi: mvm: don't send keys when entering D3
fbdev: sbuslib: use checked version of put_user()
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
reset: Fix potential use-after-free in __of_reset_control_get()
bcache: recal cached_dev_sectors on detach
s390/kasan: avoid vdso instrumentation
proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted()
backlight: lm3639: Unconditionally call led_classdev_unregister
mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable
printk: Give error on attempt to set log buffer length to over 2G
media: isif: fix a NULL pointer dereference bug
GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads
media: cx231xx: fix potential sign-extension overflow on large shift
x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error
gpio: syscon: Fix possible NULL ptr usage
spi: spidev: Fix OF tree warning logic
ARM: 8802/1: Call syscall_trace_exit even when system call skipped
orangefs: rate limit the client not running info message
hwmon: (pwm-fan) Silence error on probe deferral
hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros
misc: cxl: Fix possible null pointer dereference
mac80211: minstrel: fix CCK rate group streams value
spi: rockchip: initialize dma_slave_config properly
ARM: dts: omap5: Fix dual-role mode on Super-Speed port
arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault
Linux 4.9.203
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
The commit 3ce6b467b9 ("memfd: Fix locking when tagging pins")
introduces the following warning messages.
*WARNING: suspicious RCU usage in memfd_wait_for_pins*
It is because we still use radix_tree_deref_slot without read_rcu_lock.
We should use radix_tree_deref_slot_protected instead in the case.
Cc: stable@vger.kernel.org
Fixes: 3ce6b467b9 ("memfd: Fix locking when tagging pins")
Signed-off-by: zhong jiang <zhongjiang@huawei.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0362f326d86c645b5e96b7dbc3ee515986ed019d upstream.
An exiting task might belong to an offline cgroup. In this case an
attempt to grab a cgroup reference from the task can end up with an
infinite loop in hugetlb_cgroup_charge_cgroup(), because neither the
cgroup will become online, neither the task will be migrated to a live
cgroup.
Fix this by switching over to css_tryget(). As css_tryget_online()
can't guarantee that the cgroup won't go offline, in most cases the
check doesn't make sense. In this particular case users of
hugetlb_cgroup_charge_cgroup() are not affected by this change.
A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
css_tryget() instead of css_tryget_online() in task_get_css()").
Link: http://lkml.kernel.org/r/20191106225131.3543616-2-guro@fb.com
Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Shakeel Butt <shakeelb@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 00d484f354d85845991b40141d40ba9e5eb60faf upstream.
We've encountered a rcu stall in get_mem_cgroup_from_mm():
rcu: INFO: rcu_sched self-detected stall on CPU
rcu: 33-....: (21000 ticks this GP) idle=6c6/1/0x4000000000000002 softirq=35441/35441 fqs=5017
(t=21031 jiffies g=324821 q=95837) NMI backtrace for cpu 33
<...>
RIP: 0010:get_mem_cgroup_from_mm+0x2f/0x90
<...>
__memcg_kmem_charge+0x55/0x140
__alloc_pages_nodemask+0x267/0x320
pipe_write+0x1ad/0x400
new_sync_write+0x127/0x1c0
__kernel_write+0x4f/0xf0
dump_emit+0x91/0xc0
writenote+0xa0/0xc0
elf_core_dump+0x11af/0x1430
do_coredump+0xc65/0xee0
get_signal+0x132/0x7c0
do_signal+0x36/0x640
exit_to_usermode_loop+0x61/0xd0
do_syscall_64+0xd4/0x100
entry_SYSCALL_64_after_hwframe+0x44/0xa9
The problem is caused by an exiting task which is associated with an
offline memcg. We're iterating over and over in the do {} while
(!css_tryget_online()) loop, but obviously the memcg won't become online
and the exiting task won't be migrated to a live memcg.
Let's fix it by switching from css_tryget_online() to css_tryget().
As css_tryget_online() cannot guarantee that the memcg won't go offline,
the check is usually useless, except some rare cases when for example it
determines if something should be presented to a user.
A similar problem is described by commit 18fa84a2db0e ("cgroup: Use
css_tryget() instead of css_tryget_online() in task_get_css()").
Johannes:
: The bug aside, it doesn't matter whether the cgroup is online for the
: callers. It used to matter when offlining needed to evacuate all charges
: from the memcg, and so needed to prevent new ones from showing up, but we
: don't care now.
Link: http://lkml.kernel.org/r/20191106225131.3543616-1-guro@fb.com
Signed-off-by: Roman Gushchin <guro@fb.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Tejun Heo <tj@kernel.org>
Reviewed-by: Shakeel Butt <shakeeb@google.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Michal Koutn <mkoutny@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The Android-tuned page block heuristic was accidentally reset in an AU
drop. Fix the heuristic to avoid unnecessary unmovable pageblock
migration over time.
bug 30643938
Bug: 63336523
(cherry-picked from commit 3e19bcf7d08713daaaba888b4d13502e06e38e96)
Change-Id: I59efcd3934f29982b1c9aeb7b0f18eb17e0934b3
Signed-off-by: John Dias <joaodias@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3K9vkACgkQONu9yGCS
aT6fag//aZGV3gVyTHo9ZFFSs1ZO6AW9H/Qyfi+w1Q+pfvMfxvOroFs0Fojk1xoa
VQ9QDpa9O9dvX1GcvCaxwToVR8zte+wWMviDOz5Tae5puFQuT3dkjleMiU/5Gu+E
wWwV7dLoyJ4WMIvRCuxs7djh9NYQDczkOCLZtA1z9IF2SkG12pOJ5yg2ZOOUnovJ
lvSo7phGYv3X/tZHUvWvg6XG8DaAzWYgo4nQ0Ccv0Q3IWiqAlJFZwWH+VDqgzdPS
HKwKKqLqjTo2mfmDbScduVtIton6U9wipXrnOkqVPNxbrMS1OpmNreYfJYRXfCfZ
0WD/pEqa4t9dAkRVXhal91CXjJ0pfl5VPo3T3EXEDSCBb/rvId45dMpKxLO4kLmm
rF7w0NdvcSV9Zo07m6SL8S+ADrgBNts6g2ZopFRCm7HRXxxGXlA0smLR8mUrsMxw
49Lvcr0MtVu8/LgrnPEjyvT1A615Yad5f3n7oJSKsQrm/32abrTb47ZE98U7rUnU
9NEiBrLe83dyq3HTPbPspx7yIAjiCkknQdmCylL+lLIlRaIXeas81D+AO+zO3Wyu
DBjJRy8N+PotluK66PxlKSaJSrkH2YbQsbYUpifU9KZ8JfR2CRmEzmb4cyWgpVOH
2clUBuQg6uEoDK2QsweIdKvHlCO6vHKIE4Gh71NSvS8vxMfg+tA=
=WHB8
-----END PGP SIGNATURE-----
Merge 4.9.201 into android-4.9-q
Changes in 4.9.201
CDC-NCM: handle incomplete transfer of MTU
ipv4: Fix table id reference in fib_sync_down_addr
net: fix data-race in neigh_event_send()
net: usb: qmi_wwan: add support for DW5821e with eSIM support
NFC: fdp: fix incorrect free object
nfc: netlink: fix double device reference drop
NFC: st21nfca: fix double free
qede: fix NULL pointer deref in __qede_remove()
ALSA: timer: Fix incorrectly assigned timer instance
ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series
ALSA: hda/ca0132 - Fix possible workqueue stall
mm: thp: handle page cache THP correctly in PageTransCompoundMap
mm, vmstat: hide /proc/pagetypeinfo from normal users
dump_stack: avoid the livelock of the dump_lock
perf tools: Fix time sorting
drm/radeon: fix si_enable_smc_cac() failed issue
ceph: fix use-after-free in __ceph_remove_cap()
iio: imu: adis16480: make sure provided frequency is positive
netfilter: nf_tables: Align nft_expr private data to 64-bit
netfilter: ipset: Fix an error code in ip_set_sockfn_get()
can: usb_8dev: fix use-after-free on disconnect
can: c_can: c_can_poll(): only read status register after status IRQ
can: peak_usb: fix a potential out-of-sync while decoding packets
can: gs_usb: gs_can_open(): prevent memory leak
can: peak_usb: fix slab info leak
configfs: Fix bool initialization/comparison
configfs: stash the data we need into configfs_buffer at open time
configfs_register_group() shouldn't be (and isn't) called in rmdirable parts
configfs: new object reprsenting tree fragments
configfs: provide exclusion between IO and removals
configfs: fix a deadlock in configfs_symlink()
usbip: stub_rx: fix static checker warning on unnecessary checks
usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c
drivers: usb: usbip: Add missing break statement to switch
PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config
HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring()
scsi: qla2xxx: fixup incorrect usage of host_byte
scsi: lpfc: Honor module parameter lpfc_use_adisc
ipvs: move old_secure_tcp into struct netns_ipvs
bonding: fix unexpected IFF_BONDING bit unset
usb: fsl: Check memory resource before releasing it
usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
usb: gadget: composite: Fix possible double free memory bug
usb: gadget: configfs: fix concurrent issue between composite APIs
usb: dwc3: remove the call trace of USBx_GFLADJ
perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity
perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h)
USB: Skip endpoints with 0 maxpacket length
RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
scsi: qla2xxx: stop timer in shutdown path
fjes: Handle workqueue allocation failure
net: hisilicon: Fix "Trying to free already-free IRQ"
NFSv4: Don't allow a cached open with a revoked delegation
net: ethernet: arc: add the missed clk_disable_unprepare
igb: Fix constant media auto sense switching when no cable is connected
e1000: fix memory leaks
x86/apic: Move pending interrupt check code into it's own function
x86/apic: Drop logical_smp_processor_id() inline
x86/apic/32: Avoid bogus LDR warnings
can: flexcan: disable completely the ECC mechanism
mm/filemap.c: don't initiate writeback if mapping has no dirty pages
cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead
net: prevent load/store tearing on sk->sk_stamp
drm/i915: kick out cmd_parser specific structs from i915_drv.h
drm/i915: cleanup use of INSTR_CLIENT_MASK
drm/i915: return EACCES for check_cmd() failures
drm/i915: don't whitelist oacontrol in cmd parser
drm/i915: Use the precomputed value for whether to enable command parsing
drm/i915/cmdparser: Limit clflush to active cachelines
drm/i915/gtt: Add read only pages to gen8_pte_encode
drm/i915/gtt: Read-only pages for insert_entries on bdw+
drm/i915/gtt: Disable read-only support under GVT
drm/i915: Prevent writing into a read-only object via a GGTT mmap
drm/i915/cmdparser: Check reg_table_count before derefencing.
drm/i915/cmdparser: Do not check past the cmd length.
drm/i915: Silence smatch for cmdparser
drm/i915: Move engine->needs_cmd_parser to engine->flags
drm/i915: Rename gen7 cmdparser tables
drm/i915: Disable Secure Batches for gen6+
drm/i915: Remove Master tables from cmdparser
drm/i915: Add support for mandatory cmdparsing
drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
drm/i915: Allow parsing of unsized batches
drm/i915: Add gen9 BCS cmdparsing
drm/i915/cmdparser: Use explicit goto for error paths
drm/i915/cmdparser: Add support for backward jumps
drm/i915/cmdparser: Ignore Length operands during command matching
drm/i915: Lower RM timeout to avoid DSI hard hangs
drm/i915/gen8+: Add RC6 CTX corruption WA
drm/i915/cmdparser: Fix jump whitelist clearing
Linux 4.9.201
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit c3aab9a0bd91b696a852169479b7db1ece6cbf8c upstream.
Functions like filemap_write_and_wait_range() should do nothing if inode
has no dirty pages or pages currently under writeback. But they anyway
construct struct writeback_control and this does some atomic operations if
CONFIG_CGROUP_WRITEBACK=y - on fast path it locks inode->i_lock and
updates state of writeback ownership, on slow path might be more work.
Current this path is safely avoided only when inode mapping has no pages.
For example generic_file_read_iter() calls filemap_write_and_wait_range()
at each O_DIRECT read - pretty hot path.
This patch skips starting new writeback if mapping has no dirty tags set.
If writeback is already in progress filemap_write_and_wait_range() will
wait for it.
Link: http://lkml.kernel.org/r/156378816804.1087.8607636317907921438.stgit@buzz
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
/proc/pagetypeinfo is a debugging tool to examine internal page
allocator state wrt to fragmentation. It is not very useful for any
other use so normal users really do not need to read this file.
Waiman Long has noticed that reading this file can have negative side
effects because zone->lock is necessary for gathering data and that a)
interferes with the page allocator and its users and b) can lead to hard
lockups on large machines which have very long free_list.
Reduce both issues by simply not exporting the file to regular users.
Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
Fixes: 467c996c1e ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: Waiman Long <longman@redhat.com>
Acked-by: Mel Gorman <mgorman@suse.de>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Waiman Long <longman@redhat.com>
Acked-by: Rafael Aquini <aquini@redhat.com>
Acked-by: David Rientjes <rientjes@google.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: David Hildenbrand <david@redhat.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Roman Gushchin <guro@fb.com>
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Jann Horn <jannh@google.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl239R8ACgkQONu9yGCS
aT6sJg//WrCVVbFVhdEAJHxwPXoJUBDcAV8FG1awsK0q1jfeh3OOuw0EZ1zKreXw
Qt/VOdd5gRboxZYJ9rLTh8BJbL8roVvC8ebh6Tx7hayMdQ/lo8Ljty78+xE4w/Xj
b0yhA+5ke7gn6PMzyVMz7m8xdEqEH+AP6lluwTjZRKQgotrRa+Ccr1DZNYwbqk6x
+9Lv38q4X9J7lxlKu61oEP2UdV7Ph0t7/lJ0hd9ejMxudhWIeS96XTecbRvKxkXW
rpMzXUMVAyHubeyJG01LZvi+QWAIyqamiAeBAUG+oPQuK04YSAAZOpxey7p90IJk
V+bxgQHeT0ysk+sOcchqQ8lqq4/pppYVc8fbMlXeRYG3LjIORObhTvXxvCW3Iyj3
mTgWwYL2xGR+FO4YFVD0FtZGnAZAirMN0IbNBGYfjIvhQB/691mxNmYgm1E1cwmo
rZT1Ncvs4681LUfW/Ne1eau18LrOgfKQGz/7zXEsEg/F7cSjKsiha9NXtIvBN1dp
AgDJzgd1Nc2SJZB3opZUaUOHpu4IYdLesbgI74gXcU96LooNzuXzkyaabz80DqDF
PJiihO6ZpHwKqApvtG/yDR89TPhdvabIFXQxmZFGDDOtCdkWEUMOIMeOo3uqm/y7
GuXad35ziV5yB7YqeIFL1N+YAChroVfR9pig2nCjnaNoGF958E4=
=Pnwf
-----END PGP SIGNATURE-----
Merge 4.9.198 into android-4.9-q
Changes in 4.9.198
scsi: ufs: skip shutdown if hba is not powered
scsi: megaraid: disable device when probe failed after enabled device
scsi: qla2xxx: Fix unbound sleep in fcport delete path.
ARM: OMAP2+: Fix missing reset done flag for am3 and am43
ARM: dts: am4372: Set memory bandwidth limit for DISPC
MIPS: dts: ar9331: fix interrupt-controller size
nl80211: fix null pointer dereference
mac80211: fix txq null pointer dereference
mips: Loongson: Fix the link time qualifier of 'serial_exit()'
net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write()
namespace: fix namespace.pl script to support relative paths
Revert "drm/radeon: Fix EEH during kexec"
ocfs2: fix panic due to ocfs2_wq is null
loop: Add LOOP_SET_DIRECT_IO to compat ioctl
net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3
net: bcmgenet: Set phydev->dev_flags only for internal PHYs
sctp: change sctp_prot .no_autobind with true
net: avoid potential infinite loop in tc_ctl_action()
ipv4: Return -ENETUNREACH if we can't create route but saddr is valid
memfd: Fix locking when tagging pins
USB: legousbtower: fix memleak on disconnect
ALSA: hda/realtek - Add support for ALC711
usb: udc: lpc32xx: fix bad bit shift operation
USB: serial: ti_usb_3410_5052: fix port-close races
USB: ldusb: fix memleak on disconnect
USB: usblp: fix use-after-free on disconnect
USB: ldusb: fix read info leaks
MIPS: tlbex: Fix build_restore_pagemask KScratch restore
staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS
scsi: core: try to get module before removing device
Input: da9063 - fix capability and drop KEY_SLEEP
ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
cfg80211: wext: avoid copying malformed SSIDs
mac80211: Reject malformed SSID elements
drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
scsi: zfcp: fix reaction on bit error threshold notification
mm/slub: fix a deadlock in show_slab_objects()
xtensa: drop EXPORT_SYMBOL for outs*/ins*
parisc: Fix vmap memory leak in ioremap()/iounmap()
CIFS: avoid using MID 0xFFFF
btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group()
memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()'
cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown
xen/netback: fix error path of xenvif_connect_data()
PCI: PM: Fix pci_power_up()
Revert "net: sit: fix memory leak in sit_init_net()"
RDMA/cxgb4: Do not dma memory off of the stack
Linux 4.9.198
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit e4f8e513c3d353c134ad4eef9fd0bba12406c7c8 upstream.
A long time ago we fixed a similar deadlock in show_slab_objects() [1].
However, it is apparently due to the commits like 01fb58bcba63 ("slab:
remove synchronous synchronize_sched() from memcg cache deactivation
path") and 03afc0e25f ("slab: get_online_mems for
kmem_cache_{create,destroy,shrink}"), this kind of deadlock is back by
just reading files in /sys/kernel/slab which will generate a lockdep
splat below.
Since the "mem_hotplug_lock" here is only to obtain a stable online node
mask while racing with NUMA node hotplug, in the worst case, the results
may me miscalculated while doing NUMA node hotplug, but they shall be
corrected by later reads of the same files.
WARNING: possible circular locking dependency detected
------------------------------------------------------
cat/5224 is trying to acquire lock:
ffff900012ac3120 (mem_hotplug_lock.rw_sem){++++}, at:
show_slab_objects+0x94/0x3a8
but task is already holding lock:
b8ff009693eee398 (kn->count#45){++++}, at: kernfs_seq_start+0x44/0xf0
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (kn->count#45){++++}:
lock_acquire+0x31c/0x360
__kernfs_remove+0x290/0x490
kernfs_remove+0x30/0x44
sysfs_remove_dir+0x70/0x88
kobject_del+0x50/0xb0
sysfs_slab_unlink+0x2c/0x38
shutdown_cache+0xa0/0xf0
kmemcg_cache_shutdown_fn+0x1c/0x34
kmemcg_workfn+0x44/0x64
process_one_work+0x4f4/0x950
worker_thread+0x390/0x4bc
kthread+0x1cc/0x1e8
ret_from_fork+0x10/0x18
-> #1 (slab_mutex){+.+.}:
lock_acquire+0x31c/0x360
__mutex_lock_common+0x16c/0xf78
mutex_lock_nested+0x40/0x50
memcg_create_kmem_cache+0x38/0x16c
memcg_kmem_cache_create_func+0x3c/0x70
process_one_work+0x4f4/0x950
worker_thread+0x390/0x4bc
kthread+0x1cc/0x1e8
ret_from_fork+0x10/0x18
-> #0 (mem_hotplug_lock.rw_sem){++++}:
validate_chain+0xd10/0x2bcc
__lock_acquire+0x7f4/0xb8c
lock_acquire+0x31c/0x360
get_online_mems+0x54/0x150
show_slab_objects+0x94/0x3a8
total_objects_show+0x28/0x34
slab_attr_show+0x38/0x54
sysfs_kf_seq_show+0x198/0x2d4
kernfs_seq_show+0xa4/0xcc
seq_read+0x30c/0x8a8
kernfs_fop_read+0xa8/0x314
__vfs_read+0x88/0x20c
vfs_read+0xd8/0x10c
ksys_read+0xb0/0x120
__arm64_sys_read+0x54/0x88
el0_svc_handler+0x170/0x240
el0_svc+0x8/0xc
other info that might help us debug this:
Chain exists of:
mem_hotplug_lock.rw_sem --> slab_mutex --> kn->count#45
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(kn->count#45);
lock(slab_mutex);
lock(kn->count#45);
lock(mem_hotplug_lock.rw_sem);
*** DEADLOCK ***
3 locks held by cat/5224:
#0: 9eff00095b14b2a0 (&p->lock){+.+.}, at: seq_read+0x4c/0x8a8
#1: 0eff008997041480 (&of->mutex){+.+.}, at: kernfs_seq_start+0x34/0xf0
#2: b8ff009693eee398 (kn->count#45){++++}, at:
kernfs_seq_start+0x44/0xf0
stack backtrace:
Call trace:
dump_backtrace+0x0/0x248
show_stack+0x20/0x2c
dump_stack+0xd0/0x140
print_circular_bug+0x368/0x380
check_noncircular+0x248/0x250
validate_chain+0xd10/0x2bcc
__lock_acquire+0x7f4/0xb8c
lock_acquire+0x31c/0x360
get_online_mems+0x54/0x150
show_slab_objects+0x94/0x3a8
total_objects_show+0x28/0x34
slab_attr_show+0x38/0x54
sysfs_kf_seq_show+0x198/0x2d4
kernfs_seq_show+0xa4/0xcc
seq_read+0x30c/0x8a8
kernfs_fop_read+0xa8/0x314
__vfs_read+0x88/0x20c
vfs_read+0xd8/0x10c
ksys_read+0xb0/0x120
__arm64_sys_read+0x54/0x88
el0_svc_handler+0x170/0x240
el0_svc+0x8/0xc
I think it is important to mention that this doesn't expose the
show_slab_objects to use-after-free. There is only a single path that
might really race here and that is the slab hotplug notifier callback
__kmem_cache_shrink (via slab_mem_going_offline_callback) but that path
doesn't really destroy kmem_cache_node data structures.
[1] http://lkml.iu.edu/hypermail/linux/kernel/1101.0/02850.html
[akpm@linux-foundation.org: add comment explaining why we don't need mem_hotplug_lock]
Link: http://lkml.kernel.org/r/1570192309-10132-1-git-send-email-cai@lca.pw
Fixes: 01fb58bcba63 ("slab: remove synchronous synchronize_sched() from memcg cache deactivation path")
Fixes: 03afc0e25f ("slab: get_online_mems for kmem_cache_{create,destroy,shrink}")
Signed-off-by: Qian Cai <cai@lca.pw>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vladimir Davydov <vdavydov.dev@gmail.com>
Cc: Roman Gushchin <guro@fb.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
The RCU lock is insufficient to protect the radix tree iteration as
a deletion from the tree can occur before we take the spinlock to
tag the entry. In 4.19, this has manifested as a bug with the following
trace:
kernel BUG at lib/radix-tree.c:1429!
invalid opcode: 0000 [#1] SMP KASAN PTI
CPU: 7 PID: 6935 Comm: syz-executor.2 Not tainted 4.19.36 #25
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
RIP: 0010:radix_tree_tag_set+0x200/0x2f0 lib/radix-tree.c:1429
Code: 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 44 24 10 e8 a3 29 7e fe 48 8b 44 24 10 48 0f ab 03 e9 d2 fe ff ff e8 90 29 7e fe <0f> 0b 48 c7 c7 e0 5a 87 84 e8 f0 e7 08 ff 4c 89 ef e8 4a ff ac fe
RSP: 0018:ffff88837b13fb60 EFLAGS: 00010016
RAX: 0000000000040000 RBX: ffff8883c5515d58 RCX: ffffffff82cb2ef0
RDX: 0000000000000b72 RSI: ffffc90004cf2000 RDI: ffff8883c5515d98
RBP: ffff88837b13fb98 R08: ffffed106f627f7e R09: ffffed106f627f7e
R10: 0000000000000001 R11: ffffed106f627f7d R12: 0000000000000004
R13: ffffea000d7fea80 R14: 1ffff1106f627f6f R15: 0000000000000002
FS: 00007fa1b8df2700(0000) GS:ffff8883e2fc0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa1b8df1db8 CR3: 000000037d4d2001 CR4: 0000000000160ee0
Call Trace:
memfd_tag_pins mm/memfd.c:51 [inline]
memfd_wait_for_pins+0x2c5/0x12d0 mm/memfd.c:81
memfd_add_seals mm/memfd.c:215 [inline]
memfd_fcntl+0x33d/0x4a0 mm/memfd.c:247
do_fcntl+0x589/0xeb0 fs/fcntl.c:421
__do_sys_fcntl fs/fcntl.c:463 [inline]
__se_sys_fcntl fs/fcntl.c:448 [inline]
__x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:448
do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:293
The problem does not occur in mainline due to the XArray rewrite which
changed the locking to exclude modification of the tree during iteration.
At the time, nobody realised this was a bugfix. Backport the locking
changes to stable.
Cc: stable@vger.kernel.org
Reported-by: zhong jiang <zhongjiang@huawei.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
* refs/heads/tmp-9ca8608:
Linux 4.9.191
mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
x86/ptrace: fix up botched merge of spectrev1 fix
i2c: piix4: Fix port selection for AMD Family 16h Model 30h
KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
mac80211: fix possible sta leak
Revert "cfg80211: fix processing world regdomain when non modular"
VMCI: Release resource if the work is already queued
stm class: Fix a double free of stm_source_device
mmc: core: Fix init of SD cards reporting an invalid VDD range
mmc: sdhci-of-at91: add quirk for broken HS200
uprobes/x86: Fix detection of 32-bit user mode
ptrace,x86: Make user_64bit_mode() available to 32-bit builds
USB: storage: ums-realtek: Whitelist auto-delink support
USB: storage: ums-realtek: Update module parameter description for auto_delink_en
usb: host: xhci: rcar: Fix typo in compatible string matching
usb: host: ohci: fix a race condition between shutdown and irq
usb: chipidea: udc: don't do hardware access if gadget has stopped
USB: cdc-wdm: fix race between write and disconnect due to flag abuse
usb-storage: Add new JMS567 revision to unusual_devs
mm/zsmalloc.c: fix race condition in zs_destroy_pool
x86/apic: Include the LDR when clearing out APIC registers
x86/apic: Do not initialize LDR and DFR for bigsmp
KVM: x86: Don't update RIP or do single-step on faulting emulation
ALSA: seq: Fix potential concurrent access to the deleted pool
ALSA: line6: Fix memory leak at line6_init_pcm() error path
tcp: make sure EPOLLOUT wont be missed
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value
watchdog: bcm2835_wdt: Fix module autoload
tools: hv: fix KVP and VSS daemons exit code
usb: host: fotg2: restart hcd after port reset
i2c: emev2: avoid race when unregistering slave client
xen/blkback: fix memory leaks
usb: gadget: composite: Clear "suspended" on reset/disconnect
iommu/dma: Handle SG length overflow better
dmaengine: ste_dma40: fix unneeded variable warning
x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
Revert "perf test 6: Fix missing kvm module load for s390"
xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
mm, page_owner: handle THP splits correctly
genirq: Properly pair kobject_del() with kobject_add()
dm table: fix invalid memory accesses with too high sector number
dm space map metadata: fix missing store of apply_bops() return value
dm btree: fix order of block initialization in btree_split_beneath
x86/boot: Fix boot regression caused by bootparam sanitizing
x86/boot: Save fields explicitly, zero out everything else
x86/apic: Handle missing global clockevent gracefully
x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
gpiolib: never report open-drain/source lines as 'input' to user-space
Revert "dm bufio: fix deadlock with loop device"
HID: wacom: Correct distance scale for 2nd-gen Intuos devices
HID: wacom: correct misreported EKR ring values
selftests: kvm: Adding config fragments
perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
drm/vmwgfx: fix memory leak when too many retries have occurred
x86/lib/cpu: Address missing prototypes warning
libata: add SG safety checks in SFF pio transfers
net: hisilicon: Fix dma_map_single failed on arm64
net: hisilicon: fix hip04-xmit never return TX_BUSY
net: hisilicon: make hip04_tx_reclaim non-reentrant
net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
HID: input: fix a4tech horizontal wheel custom usage
NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
can: peak_usb: force the string buffer NULL-terminated
can: sja1000: force the string buffer NULL-terminated
perf bench numa: Fix cpu0 binding
isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
net: usb: qmi_wwan: Add the BroadMobi BM818 card
ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
st_nci_hci_connectivity_event_received: null check the allocation
st21nfca_connectivity_event_received: null check the allocation
can: dev: call netif_carrier_off() in register_candev()
bonding: Force slave speed check after link state recovery for 802.3ad
ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
netfilter: ebtables: fix a memory leak bug in compat
MIPS: kernel: only use i8253 clocksource with periodic clockevent
HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
ANDROID: sched: Disallow WALT with CFS bandwidth control
ANDROID: fiq_debugger: remove
ANDROID: Add a tracepoint for mapping inode to full path
Conflicts:
drivers/staging/android/fiq_debugger/fiq_debugger.c
drivers/usb/gadget/composite.c
fs/userfaultfd.c
sound/usb/mixer.c
Change-Id: I1731d5df58f9f2679bfcfa4ecbfaa9a9c273ed77
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
* refs/heads/tmp-476e7ea:
Linux 4.9.190
bonding: Add vlan tx offload to hw_enc_features
team: Add vlan tx offload to hw_enc_features
net/mlx5e: Use flow keys dissector to parse packets for ARFS
net/mlx5e: Only support tx/rx pause setting for port owner
xen/netback: Reset nr_frags before freeing skb
sctp: fix the transport error_count check
net/packet: fix race in tpacket_snd()
bnx2x: Fix VF's VLAN reconfiguration in reload.
iommu/amd: Move iommu_init_pci() to .init section
Input: psmouse - fix build error of multiple definition
netfilter: conntrack: Use consistent ct id hash calculation
arm64: compat: Allow single-byte watchpoints on all addresses
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
asm-generic: fix -Wtype-limits compiler warnings
USB: serial: option: Add Motorola modem UARTs
USB: serial: option: add the BroadMobi BM818 card
USB: serial: option: Add support for ZTE MF871A
USB: serial: option: add D-Link DWM-222 device ID
USB: CDC: fix sanity checks in CDC union parser
usb: cdc-acm: make sure a refcount is taken early enough
USB: core: Fix races in character device registration and deregistraion
staging: comedi: dt3000: Fix rounding up of timer divisor
staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
ocfs2: remove set but not used variable 'last_hash'
IB/mad: Fix use-after-free in ib mad completion handling
IB/core: Add mitigation for Spectre V1
arm64/mm: fix variable 'pud' set but not used
arm64/efi: fix variable 'si' set but not used
kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
ata: libahci: do not complain in case of deferred probe
scsi: hpsa: correct scsi command status issue after reset
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
perf header: Fix use of unitialized value warning
perf header: Fix divide by zero error if f_header.attr_size==0
irqchip/irq-imx-gpcv2: Forward irq type to parent
xen/pciback: remove set but not used variable 'old_state'
net: usb: pegasus: fix improper read if get_registers() fail
Input: iforce - add sanity checks
Input: kbtab - sanity check for endpoint type
HID: hiddev: do cleanup in failure of opening a device
HID: hiddev: avoid opening a disconnected device
HID: holtek: test for sanity of intfdata
ALSA: hda - Let all conexant codec enter D3 when rebooting
ALSA: hda - Add a generic reboot_notify
ALSA: hda - Fix a memory leak bug
xtensa: add missing isync to the cpu_reset TLB code
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
inet: switch IP ID generator to siphash
siphash: implement HalfSipHash1-3 for hash tables
siphash: add cryptographically secure PRF
vhost: scsi: add weight support
vhost_net: fix possible infinite loop
vhost: introduce vhost_exceeds_weight()
vhost_net: introduce vhost_exceeds_weight()
vhost_net: use packet weight for rx handler, too
vhost-net: set packet weight of tx polling to 2 * vq size
bpf: add bpf_jit_limit knob to restrict unpriv allocations
bpf: restrict access to core bpf sysctls
bpf: get rid of pure_initcall dependency to enable jits
mm/memcontrol.c: fix use after free in mem_cgroup_iter()
mm/usercopy: use memory range to be accessed for wraparound check
sh: kernel: hw_breakpoint: Fix missing break in switch statement
scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
iwlwifi: don't unmap as page memory that was mapped as single
mwifiex: fix 802.11n/WPA detection
smb3: send CAP_DFS capability during session setup
SMB3: Fix deadlock in validate negotiate hits reconnect
mac80211: don't WARN on short WMM parameters from AP
ALSA: hda - Don't override global PCM hw info flag
ALSA: firewire: fix a memory leak bug
hwmon: (nct7802) Fix wrong detection of in4 presence
can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
perf/core: Fix creating kernel counters for PMUs that override event->cpu
tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
scsi: ibmvfc: fix WARN_ON during event pool release
scsi: megaraid_sas: fix panic on loading firmware crashdump
ARM: davinci: fix sleep.S build error on ARMv4
ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
drbd: dynamically allocate shash descriptor
perf probe: Avoid calling freeing routine multiple times for same pointer
ALSA: compress: Be more restrictive about when a drain is allowed
ALSA: compress: Don't allow paritial drain operations on capture streams
ALSA: compress: Prevent bypasses of set_params
ALSA: compress: Fix regression on compressed capture streams
s390/qdio: add sanity checks to the fast-requeue path
cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
mac80211: don't warn about CW params when not using them
iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
netfilter: nfnetlink: avoid deadlock due to synchronous request_module
can: peak_usb: fix potential double kfree_skb()
usb: yurex: Fix use-after-free in yurex_delete
perf record: Fix module size on s390
perf db-export: Fix thread__exec_comm()
perf record: Fix wrong size in perf_record_mmap for last kernel module
mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
x86/mm: Sync also unmappings in vmalloc_sync_all()
x86/mm: Check for pfn instead of page in vmalloc_sync_one()
sound: fix a memory leak bug
usb: iowarrior: fix deadlock on disconnect
usb: usbfs: fix double-free of usb memory upon submiturb error
BACKPORT: arch: add pidfd and io_uring syscalls everywhere
ANDROID: arch: add missing pidfd_open definitions for arm32
ANDROID: fix kernelci build-break in lowmemorykiller
f2fs: fix build error on android tracepoints
ANDROID: Avoid taking multiple locks in handle_lmk_event
UPSTREAM: net/ipv6: allow sysctl to change link-local address generation mode
ANDROID: fix binder change in merge of 4.9.188
UPSTREAM: pidfd: fix a poll race when setting exit_state
BACKPORT: arch: wire-up pidfd_open()
BACKPORT: pid: add pidfd_open()
UPSTREAM: pidfd: add polling support
UPSTREAM: signal: improve comments
BACKPORT: fork: do not release lock that wasn't taken
BACKPORT: signal: support CLONE_PIDFD with pidfd_send_signal
BACKPORT: clone: add CLONE_PIDFD
UPSTREAM: Make anon_inodes unconditional
UPSTREAM: signal: use fdget() since we don't allow O_PATH
UPSTREAM: signal: don't silently convert SI_USER signals to non-current pidfd
BACKPORT: signal: add pidfd_send_signal() syscall
Conflicts:
drivers/staging/android/lowmemorykiller.c
include/linux/ipv6.h
net/ipv6/addrconf.c
sound/core/compress_offload.c
Change-Id: I18be309a1a2fd17077b949c7b7113f407a9033a8
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2o0kcACgkQONu9yGCS
aT4nAQ//UOJDaAeVD3HlVI52sv8ZS7lCck8MCrVXeOWfgP5BPgVTcQairhBxtCiz
eiIfQclHWTqoZygCHAf2mGNgSymYT13w0EJ/pnrGIBs66+mWTJcZ/U31iD8ftGo+
LBC8nUL4ocmLN+eNFRhDpFjRksFZnYAcE5L3A3Y+oMat/QplYT/R+T6dgnN08VHI
oBDNen1y8Q+4PG3LnBBtS1PjvnSJMVPxX4MkRfBD+wjSNZdPCDqQ/piuZCmeBSsy
nkkW/fEsWAKbsXT3sybYTmjJpaJZvrhTGi/E/LCFAsAE1iQTawovC4xdT4LwGbID
49qg/Fg9l8485zv7sTJOxjJBQKeePKVWuU0iSuOg9d1lc62ilO0A1NQ61Ys8wqwn
DulsHART0d47sQzTwitMBJxX45iW+z+EUSi4WXTZSi1VpAvi8pIYHsnsPLaAOJXR
k/vJDQJv0zCZD488pHpMIg3CQHCgavYh7V3bpcpkUcjI/YnnBVGjwn1X7ZT88FTh
q9KK3mhz5ZfpNu7ZCrmn7uXdMOa8SL7r6NBhNjUAAoU4bOIg782AxIMOzBYJ9p0w
BqcmgKcIaClBMW+q1zYuDh1l221G2VAPvwjaTr9EZ2jEjr5EyqWwZU+icOvZG+vl
ETfH4NbRy5Zi5BinHkgYu2GRhk4MmJm/9QNpd/fu14sdnOwQUZs=
=rLBB
-----END PGP SIGNATURE-----
Merge 4.9.197 into android-4.9-q
Changes in 4.9.197
KVM: s390: Test for bad access register and size at the start of S390_MEM_OP
s390/topology: avoid firing events before kobjs are created
s390/cio: avoid calling strlen on null pointer
s390/cio: exclude subchannels with no parent from pseudo check
KVM: nVMX: handle page fault in vmread fix
ASoC: Define a set of DAPM pre/post-up events
powerpc/powernv: Restrict OPAL symbol map to only be readable by root
can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
crypto: qat - Silence smp_processor_id() warning
usercopy: Avoid HIGHMEM pfn warning
timer: Read jiffies once when forwarding base clk
watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
ieee802154: atusb: fix use-after-free at disconnect
cfg80211: initialize on-stack chandefs
ima: always return negative code for error
fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
9p: avoid attaching writeback_fid on mmap with type PRIVATE
xen/pci: reserve MCFG areas earlier
ceph: fix directories inode i_blkbits initialization
ceph: reconnect connection if session hang in opening state
drm/amdgpu: Check for valid number of registers to read
thermal: Fix use-after-free when unregistering thermal zone device
fuse: fix memleak in cuse_channel_open
sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()
kernel/elfcore.c: include proper prototypes
tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure
perf tools: Fix segfault in cpu_cache_level__read()
perf stat: Fix a segmentation fault when using repeat forever
perf stat: Reset previous counts on repeat with interval
crypto: caam - fix concurrency issue in givencrypt descriptor
coresight: etm4x: Use explicit barriers on enable/disable
cfg80211: add and use strongly typed element iteration macros
cfg80211: Use const more consistently in for_each_element macros
nl80211: validate beacon head
ASoC: sgtl5000: Improve VAG power and mute control
panic: ensure preemption is disabled during panic()
USB: rio500: Remove Rio 500 kernel driver
USB: yurex: Don't retry on unexpected errors
USB: yurex: fix NULL-derefs on disconnect
USB: usb-skeleton: fix runtime PM after driver unbind
USB: usb-skeleton: fix NULL-deref on disconnect
xhci: Fix false warning message about wrong bounce buffer write length
xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
xhci: Check all endpoints for LPM timeout
usb: xhci: wait for CNR controller not ready bit in xhci resume
xhci: Increase STS_SAVE timeout in xhci_suspend()
USB: adutux: remove redundant variable minor
USB: adutux: fix use-after-free on disconnect
USB: adutux: fix NULL-derefs on disconnect
USB: adutux: fix use-after-free on release
USB: iowarrior: fix use-after-free on disconnect
USB: iowarrior: fix use-after-free on release
USB: iowarrior: fix use-after-free after driver unbind
USB: usblp: fix runtime PM after driver unbind
USB: chaoskey: fix use-after-free on release
USB: ldusb: fix NULL-derefs on driver unbind
serial: uartlite: fix exit path null pointer
USB: serial: keyspan: fix NULL-derefs on open() and write()
USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
USB: serial: option: add Telit FN980 compositions
USB: serial: option: add support for Cinterion CLS8 devices
USB: serial: fix runtime PM after driver unbind
USB: usblcd: fix I/O after disconnect
USB: microtek: fix info-leak at probe
USB: dummy-hcd: fix power budget for SuperSpeed mode
usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}()
usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
USB: legousbtower: fix slab info leak at probe
USB: legousbtower: fix deadlock on disconnect
USB: legousbtower: fix potential NULL-deref on disconnect
USB: legousbtower: fix open after failed reset request
USB: legousbtower: fix use-after-free on release
staging: vt6655: Fix memory leak in vt6655_probe
iio: adc: ad799x: fix probe error handling
iio: light: opt3001: fix mutex unlock race
efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
perf llvm: Don't access out-of-scope array
perf inject jit: Fix JIT_CODE_MOVE filename
CIFS: Gracefully handle QueryInfo errors during open
CIFS: Force revalidate inode when dentry is stale
CIFS: Force reval dentry if LOOKUP_REVAL flag is set
kernel/sysctl.c: do not override max_threads provided by userspace
staging: fbtft: Stop using BL_CORE_DRIVER1
Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
MIPS: Disable Loongson MMI instructions for kernel build
Fix the locking in dcache_readdir() and friends
media: stkwebcam: fix runtime PM after driver unbind
tracing/hwlat: Report total time spent in all NMIs during the sample
tracing/hwlat: Don't ignore outer-loop duration when calculating max_latency
tracing: Get trace_array reference for available_tracers files
x86/asm: Fix MWAITX C-state hint value
xfs: clear sb->s_fs_info on mount failure
Linux 4.9.197
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 314eed30ede02fa925990f535652254b5bad6b65 upstream.
When running on a system with >512MB RAM with a 32-bit kernel built with:
CONFIG_DEBUG_VIRTUAL=y
CONFIG_HIGHMEM=y
CONFIG_HARDENED_USERCOPY=y
all execve()s will fail due to argv copying into kmap()ed pages, and on
usercopy checking the calls ultimately of virt_to_page() will be looking
for "bad" kmap (highmem) pointers due to CONFIG_DEBUG_VIRTUAL=y:
------------[ cut here ]------------
kernel BUG at ../arch/x86/mm/physaddr.c:83!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.3.0-rc8 #6
Hardware name: Dell Inc. Inspiron 1318/0C236D, BIOS A04 01/15/2009
EIP: __phys_addr+0xaf/0x100
...
Call Trace:
__check_object_size+0xaf/0x3c0
? __might_sleep+0x80/0xa0
copy_strings+0x1c2/0x370
copy_strings_kernel+0x2b/0x40
__do_execve_file+0x4ca/0x810
? kmem_cache_alloc+0x1c7/0x370
do_execve+0x1b/0x20
...
The check is from arch/x86/mm/physaddr.c:
VIRTUAL_BUG_ON((phys_addr >> PAGE_SHIFT) > max_low_pfn);
Due to the kmap() in fs/exec.c:
kaddr = kmap(kmapped_page);
...
if (copy_from_user(kaddr+offset, str, bytes_to_copy)) ...
Now we can fetch the correct page to avoid the pfn check. In both cases,
hardened usercopy will need to walk the page-span checker (if enabled)
to do sanity checking.
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Fixes: f5509cc18d ("mm: Hardened usercopy")
Cc: Matthew Wilcox <willy@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Link: https://lore.kernel.org/r/201909171056.7F2FFD17@keescook
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/tmp-d4fff2d:
Linux 4.9.188
x86, mm, gup: prevent get_page() race with munmap in paravirt guest
objtool: Support GCC 9 cold subfunction naming scheme
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
Backport minimal compiler_attributes.h to support GCC 9
eeprom: at24: make spd world-readable again
coredump: fix race condition between collapse_huge_page() and core dumping
infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
drivers/perf: arm_pmu: Fix failure path in PM notifier
s390/dasd: fix endless loop after read unit address configuration
selinux: fix memory leak in policydb_init()
gpiolib: fix incorrect IRQ requesting of an active-low lineevent
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
Btrfs: fix incremental send failure after deduplication
kbuild: initialize CLANG_FLAGS correctly in the top Makefile
x86, boot: Remove multiple copy of static function sanitize_boot_params()
x86/kvm: Don't call kvm_spurious_fault() from .fixup
ipc/mqueue.c: only perform resource calculation if user valid
drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
coda: fix build using bare-metal toolchain
coda: add error handling for fget
mm/cma.c: fail if fixed declaration can't be honored
x86: math-emu: Hide clang warnings for 16-bit overflow
x86/apic: Silence -Wtype-limits compiler warnings
be2net: Signal that the device cannot transmit during reconfiguration
ACPI: fix false-positive -Wuninitialized warning
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ceph: return -ERANGE if virtual xattr value didn't fit in buffer
ceph: fix improper use of smp_mb__before_atomic()
btrfs: fix minimum number of chunk errors for DUP
fs/adfs: super: fix use-after-free bug
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
MIPS: lantiq: Fix bitfield masking
kernel/module.c: Only return -EEXIST for modules that have finished loading
ftrace: Enable trampoline when rec count returns back to one
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
ARM: riscpc: fix DMA
UPSTREAM: net-ipv6-ndisc: add support for RFC7710 RA Captive Portal Identifier
binder: binder: fix possible UAF when freeing buffer
Revert "ANDROID: Revert "f2fs: avoid out-of-range memory access""
ANDROID: fix up 9p filesystem due to CFI non-upstream patches
ANDROID: Revert "f2fs: avoid out-of-range memory access"
Change-Id: I479eae2ad70f75889e4a705648e493fc879bb6b9
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
* refs/heads/tmp-fabc071:
Linux 4.9.187
ceph: hold i_ceph_lock when removing caps for freeing inode
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
sched/fair: Don't free p->numa_faults with concurrent readers
Bluetooth: hci_uart: check for missing tty operations
media: radio-raremono: change devm_k*alloc to k*alloc
media: cpia2_usb: first wake up, then free in disconnect
media: au0828: fix null dereference in error path
ISDN: hfcsusb: checking idx of ep configuration
arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ
i2c: qup: fixed releasing dma without flush operation completion
arm64: dts: marvell: Fix A37xx UART0 register size
tcp: reset sk_send_head in tcp_write_queue_purge
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
access: avoid the RCU grace period for the temporary subjective credentials
powerpc/tm: Fix oops on sigreturn on systems without TM
ALSA: hda - Add a conexant codec entry to let mute led work
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
hpet: Fix division by zero in hpet_time_div()
x86/speculation/mds: Apply more accurate check on hypervisor platform
x86/sysfb_efi: Add quirks for some devices with swapped width and height
usb: pci-quirks: Correct AMD PLL quirk detection
usb: wusbcore: fix unbalanced get/put cluster_id
locking/lockdep: Hide unused 'class' variable
locking/lockdep: Fix lock used or unused stats error
mm/mmu_notifier: use hlist_add_head_rcu()
9p: pass the correct prototype to read_cache_page
mm/kmemleak.c: fix check for softirq context
sh: prevent warnings when using iounmap
powerpc/eeh: Handle hugepages in ioremap space
mailbox: handle failed named mailbox channel request
f2fs: avoid out-of-range memory access
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
kallsyms: exclude kasan local symbols on s390
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
serial: sh-sci: Terminate TX DMA during buffer flushing
RDMA/i40iw: Set queue pair state when being queried
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
um: Silence lockdep complaint about mmap_sem
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
mfd: arizona: Fix undefined behavior
mfd: core: Set fwnode for created devices
recordmcount: Fix spurious mcount entries on powerpc
iio: iio-utils: Fix possible incorrect mask calculation
PCI: xilinx-nwl: Fix Multi MSI data programming
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
PCI: sysfs: Ignore lockdep for remove attribute
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
usb: gadget: Zero ffs_io_data
tty: serial_core: Set port active bit in uart_port_activate
drm/rockchip: Properly adjust to a true clock in adjusted_mode
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/virtio: Add memory barriers for capset cache.
serial: 8250: Fix TX interrupt handling condition
tty: serial: msm_serial: avoid system lockup condition
tty/serial: digicolor: Fix digicolor-usart already registered warning
memstick: Fix error cleanup path of memstick_init
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
drm/bridge: tc358767: read display_props in get_modes()
tty: serial: cpm_uart - fix init when SMC is relocated
pinctrl: rockchip: fix leaked of_node references
tty: max310x: Fix invalid baudrate divisors calculator
usb: core: hub: Disable hub-initiated U1/U2
drm/panel: simple: Fix panel_simple_dsi_probe
nfsd: Fix overflow causing non-working mounts on 1 TB machines
nfsd: fix performance-limiting session calculation
nfsd: give out fewer session slots as limit approaches
nfsd: increase DRC cache limit
NFSv4: Fix open create exclusive when the server reboots
perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id
perf/x86/amd/uncore: Get correct number of cores sharing last level cache
perf/x86/amd/uncore: Rename 'L2' to 'LLC'
net: bridge: stp: don't cache eth dest pointer before skb pull
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
tcp: Reset bytes_acked and bytes_received when disconnecting
bonding: validate ip header before check IPPROTO_IGMP
netrom: hold sock when setting skb->destructor
netrom: fix a memory leak in nr_rx_frame()
macsec: fix checksumming after decryption
macsec: fix use-after-free of skb during RX
vrf: make sure skb->data contains ip header to make routing
sky2: Disable MSI on ASUS P6T
rxrpc: Fix send on a connected, but unbound socket
nfc: fix potential illegal memory access
net: openvswitch: fix csum updates for MPLS actions
net: neigh: fix multiple neigh timer scheduling
net: dsa: mv88e6xxx: wait after reset deactivation
net: bcmgenet: use promisc for unsupported filters
ipv4: don't set IPv6 only flags to IPv4 addresses
igmp: fix memory leak in igmpv3_del_delrec()
caif-hsi: fix possible deadlock in cfhsi_exit_module()
bnx2x: Prevent ptp_task to be rescheduled indefinitely
bnx2x: Prevent load reordering in tx completion processing
ext4: allow directory holes
lib/strscpy: Shut up KASAN false-positives in strscpy()
compiler.h: Add read_word_at_a_time() function.
compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
dm bufio: fix deadlock with loop device
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
intel_th: msu: Fix single mode with disabled IOMMU
eCryptfs: fix a couple type promotion bugs
powerpc/watchpoint: Restore NV GPRs while returning from exception
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
parisc: Ensure userspace privilege for ptraced processes in regset functions
um: Fix FP register size for XSTATE/XSAVE
um: Allow building and running on older hosts
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
PCI: hv: Delete the device earlier from hbus->children for hot-remove
crypto: ccp - Validate the the error value used to index error messages
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
coda: pass the host file in vma->vm_file on mmap
floppy: fix out-of-bounds read in copy_buffer
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in next_valid_format
floppy: fix div-by-zero in setup_format_params
take floppy compat ioctls to sodding floppy.c
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
Btrfs: add missing inode version, ctime and mtime updates when punching hole
PCI: Do not poll for PME if the device is in D3cold
9p/virtio: Add cleanup path in p9_virtio_init
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
drm/nouveau/i2c: Enable i2c pads & busses during preinit
fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
arm64: tegra: Fix AGIC register range
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
media: coda: Remove unbalanced and unneeded mutex unlock
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
ALSA: seq: Break too long mutex context in the write loop
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
NFSv4: Handle the special Linux file open access mode
tracing/snapshot: Resize spare buffer if size changed
iwlwifi: pcie: don't service an interrupt that was masked
arm64: tegra: Update Jetson TX1 GPU regulator timings
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
Input: gtco - bounds check collection indent level
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: ghash - fix unaligned memory access in ghash_setkey()
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
scsi: NCR5380: Always re-enable reselection interrupt
scsi: NCR5380: Reduce goto statements in NCR5380_select()
xen: let alloc_xenballooned_pages() fail if not enough memory free
gtp: fix use-after-free in gtp_newlink()
gtp: fix Illegal context switch in RCU read-side critical section.
Bluetooth: validate BLE connection interval updates
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
net: usb: asix: init MAC address buffers
iwlwifi: mvm: Drop large non sta frames
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
crypto: asymmetric_keys - select CRYPTO_HASH where needed
ixgbe: Check DDM existence in transceiver before access
rslib: Fix handling of of caller provided syndrome
rslib: Fix decoding of shortened codes
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
libata: don't request sense data on !ZAC ATA devices
perf tools: Increase MAX_NR_CPUS and MAX_CACHES
ath10k: fix PCIE device wake up failed
mt7601u: fix possible memory leak when the device is disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: do not schedule rx_tasklet when the device has been disconnected
media: coda: increment sequence offset for the last returned frame
media: coda: fix mpeg2 sequence number handling
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
timer_list: Guard procfs specific code
ntp: Limit TAI-UTC offset
media: i2c: fix warning same module names
ipsec: select crypto ciphers for xfrm_algo
EDAC/sysfs: Fix memory leak when creating a csrow object
ipoib: correcly show a VF hardware address
vhost_net: disable zerocopy by default
perf evsel: Make perf_evsel__name() accept a NULL argument
xfrm: fix sa selector validation
blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
rcu: Force inlining of rcu_read_lock()
bpf: silence warning messages in core
regmap: fix bulk writes on paged registers
gpio: omap: ensure irq is enabled before wakeup
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
perf test 6: Fix missing kvm module load for s390
perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
s390/qdio: handle PENDING state for QEBSM devices
net: axienet: Fix race condition causing TX hang
net: fec: Do not use netdev messages too early
cpupower : frequency-set -r option misses the last cpu in related cpu list
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
locking/lockdep: Fix merging of hlocks with non-zero references
tua6100: Avoid build warnings.
crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
crypto: talitos - properly handle split ICV.
net: phy: Check against net_device being NULL
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
media: mc-device.c: don't memset __user pointer contents
xfrm: Fix xfrm sel prefix length validation
af_key: fix leaks in key_pol_get_resp and dump_sp.
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
net: stmmac: dwmac4/5: Clear unused address entries
net: stmmac: dwmac1000: Clear unused address entries
media: media_device_enum_links32: clean a reserved field
media: vpss: fix a potential NULL pointer dereference
media: marvell-ccic: fix DMA s/g desc number calculation
crypto: talitos - fix skcipher failure due to wrong output IV
media: dvb: usb: fix use after free in dvb_usb_device_exit
batman-adv: fix for leaked TVLV handler.
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
ath6kl: add some bounds checking
ath9k: Check for errors when reading SREV register
ath10k: Do not send probe response template for mesh
dmaengine: imx-sdma: fix use-after-free on probe error path
arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
MIPS: fix build on non-linux hosts
MIPS: ath79: fix ar933x uart parity mode
ext4: remove unused value
f2fs: use EINVAL for superblock with invalid magic
f2fs: fix to read source block before invalidating it
f2fs: remove redundant check from f2fs_setflags_common()
f2fs: use generic checking and prep function for FS_IOC_SETFLAGS
vfs: use READ_ONCE() to access ->i_link
fs, fscrypt: clear DCACHE_ENCRYPTED_NAME when unaliasing directory
ANDROID: enable CONFIG_RTC_DRV_TEST on cuttlefish
ANDROID: xfrm: remove in_compat_syscall() checks
UPSTREAM: binder: Set end of SG buffer area properly.
fscrypt: cache decrypted symlink target in ->i_link
fscrypt: fix race where ->lookup() marks plaintext dentry as ciphertext
ext4: remove unused d_name argument from ext4_search_dir() et al.
fscrypt: only set dentry_operations on ciphertext dentries
fscrypt: fix race allowing rename() and link() of ciphertext dentries
fscrypt: clean up and improve dentry revalidation
fscrypt: use READ_ONCE() to access ->i_crypt_info
fscrypt: remove WARN_ON_ONCE() when decryption fails
fscrypt: drop inode argument from fscrypt_get_ctx()
f2fs: improve print log in f2fs_sanity_check_ckpt()
f2fs: avoid out-of-range memory access
f2fs: fix to avoid long latency during umount
f2fs: allow all the users to pin a file
f2fs: support swap file w/ DIO
f2fs: allocate blocks for pinned file
f2fs: fix is_idle() check for discard type
f2fs: add a rw_sem to cover quota flag changes
f2fs: set SBI_NEED_FSCK for xattr corruption case
f2fs: use generic EFSBADCRC/EFSCORRUPTED
f2fs: Use DIV_ROUND_UP() instead of open-coding
f2fs: print kernel message if filesystem is inconsistent
f2fs: introduce f2fs_<level> macros to wrap f2fs_printk()
f2fs: avoid get_valid_blocks() for cleanup
f2fs: ioctl for removing a range from F2FS
f2fs: only set project inherit bit for directory
f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags
f2fs: Add option to limit required GC for checkpoint=disable
f2fs: Fix accounting for unusable blocks
f2fs: Fix root reserved on remount
f2fs: Lower threshold for disable_cp_again
f2fs: fix sparse warning
f2fs: fix f2fs_show_options to show nodiscard mount option
f2fs: add error prints for debugging mount failure
f2fs: fix to do sanity check on segment bitmap of LFS curseg
f2fs: add missing sysfs entries in documentation
f2fs: fix to avoid deadloop if data_flush is on
f2fs: always assume that the device is idle under gc_urgent
f2fs: add bio cache for IPU
f2fs: allow ssr block allocation during checkpoint=disable period
f2fs: fix to check layout on last valid checkpoint park
Conflicts:
drivers/tty/serial/msm_serial.c
fs/crypto/bio.c
fs/crypto/keyinfo.c
fs/f2fs/data.c
Change-Id: I400b66ca62d751839b3e0499cb6c797f5f70b554
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2YcM0ACgkQONu9yGCS
aT50Bg//curnCC8kpDrnuE3sxgC6eDXMx0FVbepP6CI0cy+kQrytTWy7i3oIq/p+
8j5DXMkyc/Xq2GBcG3NWKZEcpJDWo+RUmgvIX1UlQKD4dJMc/KfGUwnf4hqvK08e
/ZyuELegBKjNhNPS09Vm3vzFthUJKpou8grOJw1ef1PgFGMdol+6j2LwPunEP2yY
fVVnQE4VGhkiZxxtl74rs4vR7XFhc2UX+QoruclWfNhQGmlMxsSeTNyez3xc+zEX
SgIOgf0PQ4x3zCSWcTlbXPKMiQfyRElivCuiqusObl/2JGPE/QJvQUjgCX8wgOqZ
BuX2X68S8S1jwVYngubL0W4lL68tQbm9Jac5E8R455azV0WhhBBv7A4xB3GE0AOY
8CIS9w6Th8NbHlejarSJ8jyqBavAj1qGkhFG4XpAZrq3u6qH4517w/MEVsEUi2wC
rgydLRfeCxiqT/FZCf4w9Mx8lF8nvvanvaGEr1iouAOtDf8EFxmYlr183TxbUE9i
cUW5JTthQropRk7i7U6pWCcLbDBrF5Ef3wl0Bmahq12xJKtE7DE0N+manDnbueu5
bmYuSC+2OfaORfVl8LhqyKEF3JmBZkcZASGqYQCBf7R6u+yLAxt2De/ZxTUHzM/c
PAtbFO/PwJEISzCscz6B+1n26GAs9C2TGpzeTw9E2rj0vnCT0So=
=R4e7
-----END PGP SIGNATURE-----
Merge 4.9.195 into android-4.9-q
Changes in 4.9.195
Revert "Bluetooth: validate BLE connection interval updates"
IB/core: Add an unbound WQ type to the new CQ API
HID: prodikeys: Fix general protection fault during probe
HID: logitech: Fix general protection fault caused by Logitech driver
HID: hidraw: Fix invalid read in hidraw_ioctl
mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword()
crypto: talitos - fix missing break in switch statement
media: tvp5150: fix switch exit in set control handler
ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt()
ALSA: hda - Add laptop imic fixup for ASUS M9V laptop
objtool: Clobber user CFLAGS variable
mac80211: Print text for disassociation reason
mac80211: handle deauthentication/disassociation from TDLS peer
power: supply: sysfs: ratelimit property read error message
locking/lockdep: Add debug_locks check in __lock_downgrade()
irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices
f2fs: check all the data segments against all node ones
Revert "f2fs: avoid out-of-range memory access"
f2fs: fix to do sanity check on segment bitmap of LFS curseg
drm: Flush output polling on shutdown
xfs: don't crash on null attr fork xfs_bmapi_read
Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices
arcnet: provide a buffer big enough to actually receive packets
cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize
macsec: drop skb sk before calling gro_cells_receive
net/phy: fix DP83865 10 Mbps HDX loopback disable function
net: qrtr: Stop rx_worker before freeing node
openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC
ppp: Fix memory leak in ppp_write
sch_netem: fix a divide by zero in tabledist()
skge: fix checksum byte order
usbnet: ignore endpoints with invalid wMaxPacketSize
usbnet: sanity checking of packet sizes and device mtu
mISDN: enforce CAP_NET_RAW for raw sockets
appletalk: enforce CAP_NET_RAW for raw sockets
ax25: enforce CAP_NET_RAW for raw sockets
ieee802154: enforce CAP_NET_RAW for raw sockets
nfc: enforce CAP_NET_RAW for raw sockets
ALSA: hda: Flush interrupts on disabling
regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg
ASoC: sgtl5000: Fix charge pump source assignment
dmaengine: bcm2835: Print error in case setting DMA mask fails
leds: leds-lp5562 allow firmware files up to the maximum length
media: dib0700: fix link error for dibx000_i2c_set_speed
media: exynos4-is: fix leaked of_node references
media: hdpvr: Add device num check and handling
sched/fair: Fix imbalance due to CPU affinity
sched/core: Fix CPU controller for !RT_GROUP_SCHED
x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails
x86/apic: Soft disable APIC before initializing it
ALSA: hda - Show the fatal CORB/RIRB error more clearly
ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls()
media: iguanair: add sanity checks
base: soc: Export soc_device_register/unregister APIs
ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid
ia64:unwind: fix double free for mod->arch.init_unw_table
EDAC/altera: Use the proper type for the IRQ status bits
md: don't call spare_active in md_reap_sync_thread if all member devices can't work
md: don't set In_sync if array is frozen
efi: cper: print AER info of PCIe fatal error
media: gspca: zero usb_buf on error
dmaengine: iop-adma: use correct printk format strings
media: omap3isp: Don't set streaming state on random subdevs
net: lpc-enet: fix printk format strings
ARM: dts: imx7d: cl-som-imx7: make ethernet work again
media: radio/si470x: kill urb on error
media: hdpvr: add terminating 0 at end of string
media: dvb-core: fix a memory leak bug
PM / devfreq: passive: Use non-devm notifiers
PM / devfreq: exynos-bus: Correct clock enable sequence
media: saa7146: add cleanup in hexium_attach()
media: cpia2_usb: fix memory leaks
media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate()
media: ov9650: add a sanity check
ACPI / CPPC: do not require the _PSD method
arm64: kpti: ensure patched kernel text is fetched from PoU
nvmet: fix data units read and written counters in SMART log
iommu/amd: Silence warnings under memory pressure
libtraceevent: Change users plugin directory
ARM: dts: exynos: Mark LDO10 as always-on on Peach Pit/Pi Chromebooks
ACPI: custom_method: fix memory leaks
ACPI / PCI: fix acpi_pci_irq_enable() memory leak
hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap'
md/raid1: fail run raid1 array when active disk less than one
dmaengine: ti: edma: Do not reset reserved paRAM slots
kprobes: Prohibit probing on BUG() and WARN() address
s390/crypto: xts-aes-s390 fix extra run-time crypto self tests finding
ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set
mmc: sdhci: Fix incorrect switch to HS mode
libertas: Add missing sentinel at end of if_usb.c fw_table
e1000e: add workaround for possible stalled packet
drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2)
media: ttusb-dec: Fix info-leak in ttusb_dec_send_command()
ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93
btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type
media: omap3isp: Set device on omap3isp subdevs
PM / devfreq: passive: fix compiler warning
ALSA: firewire-tascam: handle error code when getting current source of clock
ALSA: firewire-tascam: check intermediate state of clock status and retry
IB/hfi1: Define variables as unsigned long to fix KASAN warning
printk: remove games with previous record flags
printk: Do not lose last line in kmsg buffer dump
fuse: fix missing unlock_page in fuse_writepage()
parisc: Disable HP HSC-PCI Cards to prevent kernel crash
KVM: x86: always stop emulation on page fault
KVM: x86: set ctxt->have_exception in x86_decode_insn()
KVM: x86: Manually calculate reserved bits when loading PDPTRS
media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table
ASoC: Intel: NHLT: Fix debug print format
ASoC: Intel: Fix use of potentially uninitialized variable
ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up
alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP
regulator: Defer init completion for a while after late_initcall
memcg, kmem: do not fail __GFP_NOFAIL charges
ovl: filter of trusted xattr results in audit
Btrfs: fix use-after-free when using the tree modification log
btrfs: Relinquish CPUs in btrfs_compare_trees
md/raid6: Set R5_ReadError when there is read failure on parity disk
cfg80211: Purge frame registrations on iftype change
/dev/mem: Bail out upon SIGKILL.
ext4: fix warning inside ext4_convert_unwritten_extents_endio
ext4: fix punch hole for inline_data file systems
quota: fix wrong condition in is_quota_modification()
hwrng: core - don't wait on add_early_randomness()
i2c: riic: Clear NACK in tend isr
CIFS: fix max ea value size
CIFS: Fix oplock handling for SMB 2.1+ protocols
btrfs: qgroup: Drop quota_root and fs_info parameters from update_qgroup_status_item
Btrfs: fix race setting up and completing qgroup rescan workers
Linux 4.9.195
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1yFqoACgkQONu9yGCS
aT6Qhg/9EhDdNA67JIe4Wxns9YRb/yqAKKYGhvGQsUNud1fEYmnIeYOfkwSjPDQv
OCt2gwgPfw1K49r96+zXsw4vywrCBAZShe2OnR7g63Toz9NHGQu1LJy6FyvzBubl
vZ2WQBkY8T/viUfPMQ+xwJcuUsx2mWZ+VqgEzmgrqXxFCEPaxCerXqxgLAN3UhjI
KGqylDKaKlHpNDZYc24GvO8rNoehRZS7FSrKOfjFpDld1bLjHq0ZMNp8ChBp/W99
K+jp3MIeenjdoEiH4K2Hdf8zRRxxOVJf/hcbT9Hi8TKG2HsgAKAMuFz1X6IJtnYZ
02bhYkvPoa+sKVS1wt9tscFzIiwBfAP7CyAROn9nv3A2V3A8ZfXIY/tMWh1yRS+E
y6eVwH6gG9IW7AbjkJmZAlcgxCkYlag6WoTjc1F/s+XdB+fLyQIi8Tls85mKtzwi
GXygbZIC7pKPlcVIfnEK4cMEm9FAZlxqThTXTckzSasteFsxTbQxy4AeflMY7MQE
hn8c32gU4+zXhebF/2vQaEwVar+DkzRNwJUjRN5uLbISwJ1hrEvGWR3mhde2RIZg
JiwGiJ5LmdegSemuLMXBvtOiZ6yTvfoT5p4Wqd5LLhtclrMvDOQ1ye4lBPOHGKFc
gTuC+Hvo50THpNovzVjsJX2tf92z1FtF0jvH8fMEaQ3uPsLwGrA=
=U6+Q
-----END PGP SIGNATURE-----
Merge 4.9.191 into android-4.9
Changes in 4.9.191
HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
MIPS: kernel: only use i8253 clocksource with periodic clockevent
netfilter: ebtables: fix a memory leak bug in compat
ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
bonding: Force slave speed check after link state recovery for 802.3ad
can: dev: call netif_carrier_off() in register_candev()
st21nfca_connectivity_event_received: null check the allocation
st_nci_hci_connectivity_event_received: null check the allocation
ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
net: usb: qmi_wwan: Add the BroadMobi BM818 card
isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
perf bench numa: Fix cpu0 binding
can: sja1000: force the string buffer NULL-terminated
can: peak_usb: force the string buffer NULL-terminated
NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
HID: input: fix a4tech horizontal wheel custom usage
net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
net: hisilicon: make hip04_tx_reclaim non-reentrant
net: hisilicon: fix hip04-xmit never return TX_BUSY
net: hisilicon: Fix dma_map_single failed on arm64
libata: add SG safety checks in SFF pio transfers
x86/lib/cpu: Address missing prototypes warning
drm/vmwgfx: fix memory leak when too many retries have occurred
perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
selftests: kvm: Adding config fragments
HID: wacom: correct misreported EKR ring values
HID: wacom: Correct distance scale for 2nd-gen Intuos devices
Revert "dm bufio: fix deadlock with loop device"
gpiolib: never report open-drain/source lines as 'input' to user-space
userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
x86/apic: Handle missing global clockevent gracefully
x86/boot: Save fields explicitly, zero out everything else
x86/boot: Fix boot regression caused by bootparam sanitizing
dm btree: fix order of block initialization in btree_split_beneath
dm space map metadata: fix missing store of apply_bops() return value
dm table: fix invalid memory accesses with too high sector number
genirq: Properly pair kobject_del() with kobject_add()
mm, page_owner: handle THP splits correctly
mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
Revert "perf test 6: Fix missing kvm module load for s390"
x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
dmaengine: ste_dma40: fix unneeded variable warning
iommu/dma: Handle SG length overflow better
usb: gadget: composite: Clear "suspended" on reset/disconnect
xen/blkback: fix memory leaks
i2c: emev2: avoid race when unregistering slave client
usb: host: fotg2: restart hcd after port reset
tools: hv: fix KVP and VSS daemons exit code
watchdog: bcm2835_wdt: Fix module autoload
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value
tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
tcp: make sure EPOLLOUT wont be missed
ALSA: line6: Fix memory leak at line6_init_pcm() error path
ALSA: seq: Fix potential concurrent access to the deleted pool
KVM: x86: Don't update RIP or do single-step on faulting emulation
x86/apic: Do not initialize LDR and DFR for bigsmp
x86/apic: Include the LDR when clearing out APIC registers
mm/zsmalloc.c: fix race condition in zs_destroy_pool
usb-storage: Add new JMS567 revision to unusual_devs
USB: cdc-wdm: fix race between write and disconnect due to flag abuse
usb: chipidea: udc: don't do hardware access if gadget has stopped
usb: host: ohci: fix a race condition between shutdown and irq
usb: host: xhci: rcar: Fix typo in compatible string matching
USB: storage: ums-realtek: Update module parameter description for auto_delink_en
USB: storage: ums-realtek: Whitelist auto-delink support
ptrace,x86: Make user_64bit_mode() available to 32-bit builds
uprobes/x86: Fix detection of 32-bit user mode
mmc: sdhci-of-at91: add quirk for broken HS200
mmc: core: Fix init of SD cards reporting an invalid VDD range
stm class: Fix a double free of stm_source_device
VMCI: Release resource if the work is already queued
Revert "cfg80211: fix processing world regdomain when non modular"
mac80211: fix possible sta leak
KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
i2c: piix4: Fix port selection for AMD Family 16h Model 30h
x86/ptrace: fix up botched merge of spectrev1 fix
mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
Linux 4.9.191
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1yFqoACgkQONu9yGCS
aT6Qhg/9EhDdNA67JIe4Wxns9YRb/yqAKKYGhvGQsUNud1fEYmnIeYOfkwSjPDQv
OCt2gwgPfw1K49r96+zXsw4vywrCBAZShe2OnR7g63Toz9NHGQu1LJy6FyvzBubl
vZ2WQBkY8T/viUfPMQ+xwJcuUsx2mWZ+VqgEzmgrqXxFCEPaxCerXqxgLAN3UhjI
KGqylDKaKlHpNDZYc24GvO8rNoehRZS7FSrKOfjFpDld1bLjHq0ZMNp8ChBp/W99
K+jp3MIeenjdoEiH4K2Hdf8zRRxxOVJf/hcbT9Hi8TKG2HsgAKAMuFz1X6IJtnYZ
02bhYkvPoa+sKVS1wt9tscFzIiwBfAP7CyAROn9nv3A2V3A8ZfXIY/tMWh1yRS+E
y6eVwH6gG9IW7AbjkJmZAlcgxCkYlag6WoTjc1F/s+XdB+fLyQIi8Tls85mKtzwi
GXygbZIC7pKPlcVIfnEK4cMEm9FAZlxqThTXTckzSasteFsxTbQxy4AeflMY7MQE
hn8c32gU4+zXhebF/2vQaEwVar+DkzRNwJUjRN5uLbISwJ1hrEvGWR3mhde2RIZg
JiwGiJ5LmdegSemuLMXBvtOiZ6yTvfoT5p4Wqd5LLhtclrMvDOQ1ye4lBPOHGKFc
gTuC+Hvo50THpNovzVjsJX2tf92z1FtF0jvH8fMEaQ3uPsLwGrA=
=U6+Q
-----END PGP SIGNATURE-----
Merge 4.9.191 into android-4.9-q
Changes in 4.9.191
HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
MIPS: kernel: only use i8253 clocksource with periodic clockevent
netfilter: ebtables: fix a memory leak bug in compat
ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
bonding: Force slave speed check after link state recovery for 802.3ad
can: dev: call netif_carrier_off() in register_candev()
st21nfca_connectivity_event_received: null check the allocation
st_nci_hci_connectivity_event_received: null check the allocation
ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
net: usb: qmi_wwan: Add the BroadMobi BM818 card
isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain()
isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
perf bench numa: Fix cpu0 binding
can: sja1000: force the string buffer NULL-terminated
can: peak_usb: force the string buffer NULL-terminated
NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
HID: input: fix a4tech horizontal wheel custom usage
net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
net: hisilicon: make hip04_tx_reclaim non-reentrant
net: hisilicon: fix hip04-xmit never return TX_BUSY
net: hisilicon: Fix dma_map_single failed on arm64
libata: add SG safety checks in SFF pio transfers
x86/lib/cpu: Address missing prototypes warning
drm/vmwgfx: fix memory leak when too many retries have occurred
perf pmu-events: Fix missing "cpu_clk_unhalted.core" event
selftests: kvm: Adding config fragments
HID: wacom: correct misreported EKR ring values
HID: wacom: Correct distance scale for 2nd-gen Intuos devices
Revert "dm bufio: fix deadlock with loop device"
gpiolib: never report open-drain/source lines as 'input' to user-space
userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx
x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386
x86/apic: Handle missing global clockevent gracefully
x86/boot: Save fields explicitly, zero out everything else
x86/boot: Fix boot regression caused by bootparam sanitizing
dm btree: fix order of block initialization in btree_split_beneath
dm space map metadata: fix missing store of apply_bops() return value
dm table: fix invalid memory accesses with too high sector number
genirq: Properly pair kobject_del() with kobject_add()
mm, page_owner: handle THP splits correctly
mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely
xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT
Revert "perf test 6: Fix missing kvm module load for s390"
x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h
dmaengine: ste_dma40: fix unneeded variable warning
iommu/dma: Handle SG length overflow better
usb: gadget: composite: Clear "suspended" on reset/disconnect
xen/blkback: fix memory leaks
i2c: emev2: avoid race when unregistering slave client
usb: host: fotg2: restart hcd after port reset
tools: hv: fix KVP and VSS daemons exit code
watchdog: bcm2835_wdt: Fix module autoload
scsi: ufs: Fix RX_TERMINATION_FORCE_ENABLE define value
tcp: fix tcp_rtx_queue_tail in case of empty retransmit queue
ALSA: usb-audio: Fix a stack buffer overflow bug in check_input_term
ALSA: usb-audio: Fix an OOB bug in parse_audio_mixer_unit
tcp: make sure EPOLLOUT wont be missed
ALSA: line6: Fix memory leak at line6_init_pcm() error path
ALSA: seq: Fix potential concurrent access to the deleted pool
KVM: x86: Don't update RIP or do single-step on faulting emulation
x86/apic: Do not initialize LDR and DFR for bigsmp
x86/apic: Include the LDR when clearing out APIC registers
mm/zsmalloc.c: fix race condition in zs_destroy_pool
usb-storage: Add new JMS567 revision to unusual_devs
USB: cdc-wdm: fix race between write and disconnect due to flag abuse
usb: chipidea: udc: don't do hardware access if gadget has stopped
usb: host: ohci: fix a race condition between shutdown and irq
usb: host: xhci: rcar: Fix typo in compatible string matching
USB: storage: ums-realtek: Update module parameter description for auto_delink_en
USB: storage: ums-realtek: Whitelist auto-delink support
ptrace,x86: Make user_64bit_mode() available to 32-bit builds
uprobes/x86: Fix detection of 32-bit user mode
mmc: sdhci-of-at91: add quirk for broken HS200
mmc: core: Fix init of SD cards reporting an invalid VDD range
stm class: Fix a double free of stm_source_device
VMCI: Release resource if the work is already queued
Revert "cfg80211: fix processing world regdomain when non modular"
mac80211: fix possible sta leak
KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
i2c: piix4: Fix port selection for AMD Family 16h Model 30h
x86/ptrace: fix up botched merge of spectrev1 fix
mm/zsmalloc.c: fix build when CONFIG_COMPACTION=n
Linux 4.9.191
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 701d678599d0c1623aaf4139c03eea260a75b027 ]
In zs_destroy_pool() we call flush_work(&pool->free_work). However, we
have no guarantee that migration isn't happening in the background at
that time.
Since migration can't directly free pages, it relies on free_work being
scheduled to free the pages. But there's nothing preventing an
in-progress migrate from queuing the work *after*
zs_unregister_migration() has called flush_work(). Which would mean
pages still pointing at the inode when we free it.
Since we know at destroy time all objects should be free, no new
migrations can come in (since zs_page_isolate() fails for fully-free
zspages). This means it is sufficient to track a "# isolated zspages"
count by class, and have the destroy logic ensure all such pages have
drained before proceeding. Keeping that state under the class spinlock
keeps the logic straightforward.
In this case a memory leak could lead to an eventual crash if compaction
hits the leaked page. This crash would only occur if people are
changing their zswap backend at runtime (which eventually starts
destruction).
Link: http://lkml.kernel.org/r/20190809181751.219326-2-henryburns@google.com
Fixes: 48b4800a1c ("zsmalloc: page migration support")
Signed-off-by: Henry Burns <henryburns@google.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Henry Burns <henrywolfeburns@gmail.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Jonathan Adams <jwadams@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 1a87aa03597efa9641e92875b883c94c7f872ccb upstream.
In zs_page_migrate() we call putback_zspage() after we have finished
migrating all pages in this zspage. However, the return value is
ignored. If a zs_free() races in between zs_page_isolate() and
zs_page_migrate(), freeing the last object in the zspage,
putback_zspage() will leave the page in ZS_EMPTY for potentially an
unbounded amount of time.
To fix this, we need to do the same thing as zs_page_putback() does:
schedule free_work to occur.
To avoid duplicated code, move the sequence to a new
putback_zspage_deferred() function which both zs_page_migrate() and
zs_page_putback() call.
Link: http://lkml.kernel.org/r/20190809181751.219326-1-henryburns@google.com
Fixes: 48b4800a1c ("zsmalloc: page migration support")
Signed-off-by: Henry Burns <henryburns@google.com>
Reviewed-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Cc: Henry Burns <henrywolfeburns@gmail.com>
Cc: Minchan Kim <minchan@kernel.org>
Cc: Shakeel Butt <shakeelb@google.com>
Cc: Jonathan Adams <jwadams@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f7da677bc6e72033f0981b9d58b5c5d409fa641e upstream.
THP splitting path is missing the split_page_owner() call that
split_page() has.
As a result, split THP pages are wrongly reported in the page_owner file
as order-9 pages. Furthermore when the former head page is freed, the
remaining former tail pages are not listed in the page_owner file at
all. This patch fixes that by adding the split_page_owner() call into
__split_huge_page().
Link: http://lkml.kernel.org/r/20190820131828.22684-2-vbabka@suse.cz
Fixes: a9627bc5e3 ("mm/page_owner: introduce split_page_owner and replace manual handling")
Reported-by: Kirill A. Shutemov <kirill@shutemov.name>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1iTCkACgkQONu9yGCS
aT7n5BAAp5eiY3ZNOOsthb4kCnWoJopEbAx4bgKfrHiWYizcPmA8MBjbwGnR0Brh
WQnLWROg/00y7M+DgUhuPk3sLEFsoTDJlEmsp5e0UDh8ZiO0qt1S82LRE9vLUAaK
QW92EbNO0NDOSZbTeLb7P/TVMmBBlUkm1UILfjMEHKMSn+syPJxUpbmjynmTBLE+
2fJ6metOCJrEoiRM0mVeWlewXsy+XF2VYx5sCV2t6fx6GgofWPW3HZkQtJDaz2/R
rj5G5f2A6HVGpwPoSvvXKc+q6cBD3g2efQtQbWu8j+VDbWsw7d5oiGGLs44xiTjo
jC0si9+577y5c3DHo1AvryYD3CXkjpwsV6Y4nbt7j8Rd6LmNoVF3+8ghVuVCzpDE
DSz4MDW7q4aw3o91QIwgZsljpheLnSJNv54ZFlz63ToGESMHNxuRsoTkchrf7+3Y
htF9KZsT+xkbzc+KlhqtQ6ozRwzPY9/zUdItugnYkt2WQWRFfJdmVbupRv9C0Xv+
0PVdj1YYc1NbbD4/R5SRe7aaj+InDMYPGW8LXjyxR9eLZlMj0ReN5dFi/4mvZ/Yu
QegxU9TRLpSvl3s1nH8hwi+85rM0Jw+B/2swqRRRmU52A3b2fW4qaDV+q2LuD0VS
vNRvZ1bBLx2rrYeOw40W9KQKjivj8mGTs1A9aQJZJumHuiSD6Z0=
=zCyG
-----END PGP SIGNATURE-----
Merge 4.9.190 into android-4.9
Changes in 4.9.190
usb: usbfs: fix double-free of usb memory upon submiturb error
usb: iowarrior: fix deadlock on disconnect
sound: fix a memory leak bug
x86/mm: Check for pfn instead of page in vmalloc_sync_one()
x86/mm: Sync also unmappings in vmalloc_sync_all()
mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
perf record: Fix wrong size in perf_record_mmap for last kernel module
perf db-export: Fix thread__exec_comm()
perf record: Fix module size on s390
usb: yurex: Fix use-after-free in yurex_delete
can: peak_usb: fix potential double kfree_skb()
netfilter: nfnetlink: avoid deadlock due to synchronous request_module
iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
mac80211: don't warn about CW params when not using them
hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
s390/qdio: add sanity checks to the fast-requeue path
ALSA: compress: Fix regression on compressed capture streams
ALSA: compress: Prevent bypasses of set_params
ALSA: compress: Don't allow paritial drain operations on capture streams
ALSA: compress: Be more restrictive about when a drain is allowed
perf probe: Avoid calling freeing routine multiple times for same pointer
drbd: dynamically allocate shash descriptor
ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
ARM: davinci: fix sleep.S build error on ARMv4
scsi: megaraid_sas: fix panic on loading firmware crashdump
scsi: ibmvfc: fix WARN_ON during event pool release
scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
perf/core: Fix creating kernel counters for PMUs that override event->cpu
can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
hwmon: (nct7802) Fix wrong detection of in4 presence
ALSA: firewire: fix a memory leak bug
ALSA: hda - Don't override global PCM hw info flag
mac80211: don't WARN on short WMM parameters from AP
SMB3: Fix deadlock in validate negotiate hits reconnect
smb3: send CAP_DFS capability during session setup
mwifiex: fix 802.11n/WPA detection
iwlwifi: don't unmap as page memory that was mapped as single
scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
sh: kernel: hw_breakpoint: Fix missing break in switch statement
mm/usercopy: use memory range to be accessed for wraparound check
mm/memcontrol.c: fix use after free in mem_cgroup_iter()
bpf: get rid of pure_initcall dependency to enable jits
bpf: restrict access to core bpf sysctls
bpf: add bpf_jit_limit knob to restrict unpriv allocations
vhost-net: set packet weight of tx polling to 2 * vq size
vhost_net: use packet weight for rx handler, too
vhost_net: introduce vhost_exceeds_weight()
vhost: introduce vhost_exceeds_weight()
vhost_net: fix possible infinite loop
vhost: scsi: add weight support
siphash: add cryptographically secure PRF
siphash: implement HalfSipHash1-3 for hash tables
inet: switch IP ID generator to siphash
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
xtensa: add missing isync to the cpu_reset TLB code
ALSA: hda - Fix a memory leak bug
ALSA: hda - Add a generic reboot_notify
ALSA: hda - Let all conexant codec enter D3 when rebooting
HID: holtek: test for sanity of intfdata
HID: hiddev: avoid opening a disconnected device
HID: hiddev: do cleanup in failure of opening a device
Input: kbtab - sanity check for endpoint type
Input: iforce - add sanity checks
net: usb: pegasus: fix improper read if get_registers() fail
xen/pciback: remove set but not used variable 'old_state'
irqchip/irq-imx-gpcv2: Forward irq type to parent
perf header: Fix divide by zero error if f_header.attr_size==0
perf header: Fix use of unitialized value warning
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
scsi: hpsa: correct scsi command status issue after reset
ata: libahci: do not complain in case of deferred probe
kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
arm64/efi: fix variable 'si' set but not used
arm64/mm: fix variable 'pud' set but not used
IB/core: Add mitigation for Spectre V1
IB/mad: Fix use-after-free in ib mad completion handling
ocfs2: remove set but not used variable 'last_hash'
staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
staging: comedi: dt3000: Fix rounding up of timer divisor
USB: core: Fix races in character device registration and deregistraion
usb: cdc-acm: make sure a refcount is taken early enough
USB: CDC: fix sanity checks in CDC union parser
USB: serial: option: add D-Link DWM-222 device ID
USB: serial: option: Add support for ZTE MF871A
USB: serial: option: add the BroadMobi BM818 card
USB: serial: option: Add Motorola modem UARTs
asm-generic: fix -Wtype-limits compiler warnings
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
arm64: compat: Allow single-byte watchpoints on all addresses
netfilter: conntrack: Use consistent ct id hash calculation
Input: psmouse - fix build error of multiple definition
iommu/amd: Move iommu_init_pci() to .init section
bnx2x: Fix VF's VLAN reconfiguration in reload.
net/packet: fix race in tpacket_snd()
sctp: fix the transport error_count check
xen/netback: Reset nr_frags before freeing skb
net/mlx5e: Only support tx/rx pause setting for port owner
net/mlx5e: Use flow keys dissector to parse packets for ARFS
team: Add vlan tx offload to hw_enc_features
bonding: Add vlan tx offload to hw_enc_features
Linux 4.9.190
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1iTCkACgkQONu9yGCS
aT7n5BAAp5eiY3ZNOOsthb4kCnWoJopEbAx4bgKfrHiWYizcPmA8MBjbwGnR0Brh
WQnLWROg/00y7M+DgUhuPk3sLEFsoTDJlEmsp5e0UDh8ZiO0qt1S82LRE9vLUAaK
QW92EbNO0NDOSZbTeLb7P/TVMmBBlUkm1UILfjMEHKMSn+syPJxUpbmjynmTBLE+
2fJ6metOCJrEoiRM0mVeWlewXsy+XF2VYx5sCV2t6fx6GgofWPW3HZkQtJDaz2/R
rj5G5f2A6HVGpwPoSvvXKc+q6cBD3g2efQtQbWu8j+VDbWsw7d5oiGGLs44xiTjo
jC0si9+577y5c3DHo1AvryYD3CXkjpwsV6Y4nbt7j8Rd6LmNoVF3+8ghVuVCzpDE
DSz4MDW7q4aw3o91QIwgZsljpheLnSJNv54ZFlz63ToGESMHNxuRsoTkchrf7+3Y
htF9KZsT+xkbzc+KlhqtQ6ozRwzPY9/zUdItugnYkt2WQWRFfJdmVbupRv9C0Xv+
0PVdj1YYc1NbbD4/R5SRe7aaj+InDMYPGW8LXjyxR9eLZlMj0ReN5dFi/4mvZ/Yu
QegxU9TRLpSvl3s1nH8hwi+85rM0Jw+B/2swqRRRmU52A3b2fW4qaDV+q2LuD0VS
vNRvZ1bBLx2rrYeOw40W9KQKjivj8mGTs1A9aQJZJumHuiSD6Z0=
=zCyG
-----END PGP SIGNATURE-----
Merge 4.9.190 into android-4.9-q
Changes in 4.9.190
usb: usbfs: fix double-free of usb memory upon submiturb error
usb: iowarrior: fix deadlock on disconnect
sound: fix a memory leak bug
x86/mm: Check for pfn instead of page in vmalloc_sync_one()
x86/mm: Sync also unmappings in vmalloc_sync_all()
mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy()
perf record: Fix wrong size in perf_record_mmap for last kernel module
perf db-export: Fix thread__exec_comm()
perf record: Fix module size on s390
usb: yurex: Fix use-after-free in yurex_delete
can: peak_usb: fix potential double kfree_skb()
netfilter: nfnetlink: avoid deadlock due to synchronous request_module
iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND
mac80211: don't warn about CW params when not using them
hwmon: (nct6775) Fix register address and added missed tolerance for nct6106
cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init()
s390/qdio: add sanity checks to the fast-requeue path
ALSA: compress: Fix regression on compressed capture streams
ALSA: compress: Prevent bypasses of set_params
ALSA: compress: Don't allow paritial drain operations on capture streams
ALSA: compress: Be more restrictive about when a drain is allowed
perf probe: Avoid calling freeing routine multiple times for same pointer
drbd: dynamically allocate shash descriptor
ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id()
ARM: davinci: fix sleep.S build error on ARMv4
scsi: megaraid_sas: fix panic on loading firmware crashdump
scsi: ibmvfc: fix WARN_ON during event pool release
scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG
tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop
perf/core: Fix creating kernel counters for PMUs that override event->cpu
can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices
can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices
hwmon: (nct7802) Fix wrong detection of in4 presence
ALSA: firewire: fix a memory leak bug
ALSA: hda - Don't override global PCM hw info flag
mac80211: don't WARN on short WMM parameters from AP
SMB3: Fix deadlock in validate negotiate hits reconnect
smb3: send CAP_DFS capability during session setup
mwifiex: fix 802.11n/WPA detection
iwlwifi: don't unmap as page memory that was mapped as single
scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
sh: kernel: hw_breakpoint: Fix missing break in switch statement
mm/usercopy: use memory range to be accessed for wraparound check
mm/memcontrol.c: fix use after free in mem_cgroup_iter()
bpf: get rid of pure_initcall dependency to enable jits
bpf: restrict access to core bpf sysctls
bpf: add bpf_jit_limit knob to restrict unpriv allocations
vhost-net: set packet weight of tx polling to 2 * vq size
vhost_net: use packet weight for rx handler, too
vhost_net: introduce vhost_exceeds_weight()
vhost: introduce vhost_exceeds_weight()
vhost_net: fix possible infinite loop
vhost: scsi: add weight support
siphash: add cryptographically secure PRF
siphash: implement HalfSipHash1-3 for hash tables
inet: switch IP ID generator to siphash
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
xtensa: add missing isync to the cpu_reset TLB code
ALSA: hda - Fix a memory leak bug
ALSA: hda - Add a generic reboot_notify
ALSA: hda - Let all conexant codec enter D3 when rebooting
HID: holtek: test for sanity of intfdata
HID: hiddev: avoid opening a disconnected device
HID: hiddev: do cleanup in failure of opening a device
Input: kbtab - sanity check for endpoint type
Input: iforce - add sanity checks
net: usb: pegasus: fix improper read if get_registers() fail
xen/pciback: remove set but not used variable 'old_state'
irqchip/irq-imx-gpcv2: Forward irq type to parent
perf header: Fix divide by zero error if f_header.attr_size==0
perf header: Fix use of unitialized value warning
libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
scsi: hpsa: correct scsi command status issue after reset
ata: libahci: do not complain in case of deferred probe
kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
arm64/efi: fix variable 'si' set but not used
arm64/mm: fix variable 'pud' set but not used
IB/core: Add mitigation for Spectre V1
IB/mad: Fix use-after-free in ib mad completion handling
ocfs2: remove set but not used variable 'last_hash'
staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
staging: comedi: dt3000: Fix rounding up of timer divisor
USB: core: Fix races in character device registration and deregistraion
usb: cdc-acm: make sure a refcount is taken early enough
USB: CDC: fix sanity checks in CDC union parser
USB: serial: option: add D-Link DWM-222 device ID
USB: serial: option: Add support for ZTE MF871A
USB: serial: option: add the BroadMobi BM818 card
USB: serial: option: Add Motorola modem UARTs
asm-generic: fix -Wtype-limits compiler warnings
bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
arm64: compat: Allow single-byte watchpoints on all addresses
netfilter: conntrack: Use consistent ct id hash calculation
Input: psmouse - fix build error of multiple definition
iommu/amd: Move iommu_init_pci() to .init section
bnx2x: Fix VF's VLAN reconfiguration in reload.
net/packet: fix race in tpacket_snd()
sctp: fix the transport error_count check
xen/netback: Reset nr_frags before freeing skb
net/mlx5e: Only support tx/rx pause setting for port owner
net/mlx5e: Use flow keys dissector to parse packets for ARFS
team: Add vlan tx offload to hw_enc_features
bonding: Add vlan tx offload to hw_enc_features
Linux 4.9.190
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 951531691c4bcaa59f56a316e018bc2ff1ddf855 upstream.
Currently, when checking to see if accessing n bytes starting at address
"ptr" will cause a wraparound in the memory addresses, the check in
check_bogus_address() adds an extra byte, which is incorrect, as the
range of addresses that will be accessed is [ptr, ptr + (n - 1)].
This can lead to incorrectly detecting a wraparound in the memory
address, when trying to read 4 KB from memory that is mapped to the the
last possible page in the virtual address space, when in fact, accessing
that range of memory would not cause a wraparound to occur.
Use the memory range that will actually be accessed when considering if
accessing a certain amount of bytes will cause the memory address to
wrap around.
Link: http://lkml.kernel.org/r/1564509253-23287-1-git-send-email-isaacm@codeaurora.org
Fixes: f5509cc18d ("mm: Hardened usercopy")
Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
Co-developed-by: Prasad Sodagudi <psodagud@codeaurora.org>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Trilok Soni <tsoni@codeaurora.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[kees: backport to v4.9]
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3f8fd02b1bf1d7ba964485a56f2f4b53ae88c167 upstream.
On x86-32 with PTI enabled, parts of the kernel page-tables are not shared
between processes. This can cause mappings in the vmalloc/ioremap area to
persist in some page-tables after the region is unmapped and released.
When the region is re-used the processes with the old mappings do not fault
in the new mappings but still access the old ones.
This causes undefined behavior, in reality often data corruption, kernel
oopses and panics and even spontaneous reboots.
Fix this problem by activly syncing unmaps in the vmalloc/ioremap area to
all page-tables in the system before the regions can be re-used.
References: https://bugzilla.suse.com/show_bug.cgi?id=1118689
Fixes: 5d72b4fba4 ('x86, mm: support huge I/O mapping capability I/F')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
Link: https://lkml.kernel.org/r/20190719184652.11391-4-joro@8bytes.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/tmp-70d52cb:
Linux 4.9.185
arm64: kaslr: keep modules inside module region when KASAN is enabled
dmaengine: imx-sdma: remove BD_INTR for channel0
MIPS: Add missing EHB in mtc0 -> mfc0 sequence.
IB/hfi1: Close PSM sdma_progress sleep window
KVM: LAPIC: Fix pending interrupt in IRR blocked by software disable LAPIC
arm64, vdso: Define vdso_{start,end} as array
tty: rocket: fix incorrect forward declaration of 'rp_init()'
btrfs: Ensure replaced device doesn't have pending chunk allocation
drm/imx: only send event on crtc disable if kept disabled
drm/imx: notify drm core before sending event during crtc disable
lib/mpi: Fix karactx leak in mpi_powm
ALSA: usb-audio: fix sign unintended sign extension on left shifts
ALSA: line6: Fix write on zero-sized buffer
ALSA: firewire-lib/fireworks: fix miss detection of received MIDI messages
ALSA: seq: fix incorrect order of dest_client/dest_ports arguments
crypto: user - prevent operating on larval algorithms
ptrace: Fix ->ptracer_cred handling for PTRACE_TRACEME
MIPS: Workaround GCC __builtin_unreachable reordering bug
drm/i915/dmc: protect against reading random memory
KVM: x86: degrade WARN to pr_warn_ratelimited
clk: sunxi: fix uninitialized access
ARC: handle gcc generated __builtin_trap for older compiler
bug.h: work around GCC PR82365 in BUG()
ARC: fix allnoconfig build warning
mfd: omap-usb-tll: Fix register offsets
MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send()
MIPS: math-emu: do not use bools for arithmetic
mm/mlock.c: change count_mm_mlocked_page_nr return type
scripts/decode_stacktrace.sh: prefix addr2line with $CROSS_COMPILE
scsi: hpsa: correct ioaccel2 chaining
usb: gadget: udc: lpc32xx: allocate descriptor with GFP_ATOMIC
usb: gadget: fusb300_udc: Fix memory leak of fusb300->ep[i]
ASoC: max98090: remove 24-bit format support if RJ is 0
drm/mediatek: fix unbind functions
spi: bitbang: Fix NULL pointer dereference in spi_unregister_master
ASoC: soc-pcm: BE dai needs prepare when pause release after resume
ASoC : cs4265 : readable register too low
Bluetooth: Fix faulty expression for minimum encryption key size check
tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
net: check before dereferencing netdev_ops during busy poll
ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
bonding: Always enable vlan tx offload
team: Always enable vlan tx offload
tun: wake up waitqueues after IFF_UP is set
tipc: check msg->req data len in tipc_nl_compat_bearer_disable
tipc: change to use register_pernet_device
sctp: change to hold sk after auth shkey is created successfully
net: stmmac: fixed new system time seconds value calculation
af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
cpu/speculation: Warn on unsupported mitigations= parameter
NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O
x86/speculation: Allow guests to use SSBD even if host does not
scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck()
mm/page_idle.c: fix oops because end_pfn is larger than max_pfn
fs/binfmt_flat.c: make load_flat_shared_library() work
fs/proc/array.c: allow reporting eip/esp for all coredumping threads
net/9p: include trans_common.h to fix missing prototype warning.
9p: p9dirent_read: check network-provided name length
9p/rdma: remove useless check in cm_event_handler
9p: acl: fix uninitialized iattr access
9p/rdma: do not disconnect on down_interruptible EAGAIN
perf header: Fix unchecked usage of strncpy()
perf help: Remove needless use of strncpy()
perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul
IB/hfi1: Avoid hardlockup with flushlist_lock
mac80211: Do not use stack memory with scatterlist for GMAC
mac80211: drop robust management frames from unknown TA
cfg80211: fix memory leak of wiphy device name
Bluetooth: Fix regression with minimum encryption key size alignment
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
ARM: imx: cpuidle-imx6sx: Restrict the SW2ISO increase to i.MX6SX
powerpc/bpf: use unsigned division instruction for 64-bit operations
can: purge socket error queue on sock destruct
can: flexcan: fix timeout when set small bitrate
btrfs: start readahead also in seed devices
nvme: Fix u32 overflow in the number of namespace list calculation
hwmon: (pmbus/core) Treat parameters as paged if on multiple pages
s390/qeth: fix VLAN attribute in bridge_hostnotify udev event
scsi: ufs: Check that space was properly alloced in copy_query_response
scripts/checkstack.pl: Fix arm64 wrong or unknown architecture
drm/arm/hdlcd: Allow a bit of clock tolerance
net: ethernet: mediatek: Use NET_IP_ALIGN to judge if HW RX_2BYTE_OFFSET is enabled
net: ethernet: mediatek: Use hw_feature to judge if HWLRO is supported
sparc: perf: fix updated event period in response to PERF_EVENT_IOC_PERIOD
net: hns: Fix loopback test failed at copper ports
net: dsa: mv88e6xxx: avoid error message on remove from VLAN 0
MIPS: uprobes: remove set but not used variable 'epc'
IB/{qib, hfi1, rdmavt}: Correct ibv_devinfo max_mr value
IB/hfi1: Insure freeze_work work_struct is canceled on shutdown
IB/rdmavt: Fix alloc_qpn() WARN_ON()
parisc: Fix compiler warnings in float emulation code
parport: Fix mem leak in parport_register_dev_model
ARC: fix build warnings with !CONFIG_KPROBES
apparmor: enforce nullbyte at end of tag string
Input: uinput - add compat ioctl number translation for UI_*_FF_UPLOAD
IB/hfi1: Silence txreq allocation warnings
usb: chipidea: udc: workaround for endpoint conflict issue
scsi: ufs: Avoid runtime suspend possibly being blocked forever
gcc-9: silence 'address-of-packed-member' warning
tracing: Silence GCC 9 array bounds warning
BACKPORT: kheaders: Do not regenerate archive if config is not changed
BACKPORT: kheaders: Move from proc to sysfs
BACKPORT: Provide in-kernel headers to make extending kernel easier
Change-Id: I2fc2e9b2019708f0febb754efbf2a63e47ad5b81
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
* refs/heads/tmp-a80a7ab:
Linux 4.9.183
Abort file_remove_privs() for non-reg. files
mlxsw: spectrum: Prevent force of 56G
scsi: libsas: delete sas port if expander discover failed
scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask
scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu
KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
ia64: fix build errors by exporting paddr_to_nid()
perf record: Fix s390 missing module symbol and warning for non-root users
perf data: Fix 'strncat may truncate' build failure with recent gcc
configfs: Fix use-after-free when accessing sd->s_dentry
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
gpio: fix gpio-adp5588 build errors
perf/ring_buffer: Add ordering to rb->nest increment
perf/ring_buffer: Fix exposing a temporarily decreased data_head
x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
mISDN: make sure device name is NUL terminated
selftests: netfilter: missing error check when setting up veth interface
perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints
Revert "staging: vc04_services: prevent integer overflow in create_pagelist()"
sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
neigh: fix use-after-free read in pneigh_get_next
lapb: fixed leak of control-blocks.
ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
be2net: Fix number of Rx queues used for flow hashing
ax25: fix inconsistent lock state in ax25_destroy_timer
rtc: pcf8523: don't return invalid date when battery is low
USB: serial: option: add Telit 0x1260 and 0x1261 compositions
USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
USB: serial: pl2303: add Allied Telesis VT-Kit3
USB: usb-storage: Add new ID to ums-realtek
USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
usb: dwc2: Fix DMA cache alignment issues
drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
KVM: x86/pmu: do not mask the value that is written to fixed PMUs
usbnet: ipheth: fix racing condition
selftests/timers: Add missing fflush(stdout) calls
scsi: bnx2fc: fix incorrect cast to u64 on shift operation
arm64/mm: Inhibit huge-vmap with ptdump
scsi: lpfc: add check for loss of ndlp when sending RRQ
Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
Revert "ALSA: seq: Protect in-kernel ioctl calls with mutex"
ALSA: seq: Fix race of get-subscription call vs port-delete ioctls
ALSA: seq: Protect in-kernel ioctl calls with mutex
x86/uaccess, kcov: Disable stack protector
ASoC: fsl_asrc: Fix the issue about unsupported rate
ASoC: cs42xx8: Add regcache mask dirty
cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
bcache: fix stack corruption by PRECEDING_KEY()
i2c: acorn: fix i2c warning
media: v4l2-ioctl: clear fields in s_parm
ptrace: restore smp_rmb() in __ptrace_may_access()
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
ALSA: oxfw: allow PCM capture for Stanton SCS.1m
ALSA: seq: Cover unsubscribe_port() in list_mutex
Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
ARM: exynos: Fix undefined instruction during Exynos5422 resume
pwm: Fix deadlock warning when removing PWM device
ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
pwm: tiehrpwm: Update shadow register for disabling PWMs
dmaengine: idma64: Use actual device for DMA transfers
gpio: gpio-omap: add check for off wake capable gpios
PCI: xilinx: Check for __get_free_pages() failure
video: imsttfb: fix potential NULL pointer dereferences
video: hgafb: fix potential NULL pointer dereference
PCI: rcar: Fix 64bit MSI message address handling
PCI: rcar: Fix a potential NULL pointer dereference
platform/x86: intel_pmc_ipc: adding error handling
PCI: rpadlpar: Fix leaked device_node references in add/remove paths
ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
platform/chrome: cros_ec_proto: check for NULL transfer function
x86/PCI: Fix PCI IRQ routing table memory leak
nfsd: allow fh_want_write to be called twice
fuse: retrieve: cap requested size to negotiated max_write
nvmem: core: fix read buffer in place
ALSA: hda - Register irq handler after the chip initialization
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
watchdog: fix compile time error of pretimeout governors
watchdog: imx2_wdt: Fix set_timeout for big timeout values
uml: fix a boot splat wrt use of cpu_all_mask
configfs: fix possible use-after-free in configfs_register_group
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to clear dirty inode in error path of f2fs_iget()
f2fs: fix to avoid panic in do_recover_data()
ntp: Allow TAI-UTC offset to be set to zero
pwm: meson: Use the spin-lock only to protect register modifications
objtool: Don't use ignore flag for fake jumps
drm/bridge: adv7511: Fix low refresh rate selection
perf/x86/intel: Allow PEBS multi-entry in watermark mode
mfd: twl6040: Fix device init errors for ACCCTL register
mfd: intel-lpss: Set the device in reset state when init
mfd: tps65912-spi: Add missing of table registration
drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
mm/slab.c: fix an infinite loop in leaks_show()
mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE
hugetlbfs: on restore reserve error path retain subpool reservation
ARM: prevent tracing IPI_CPU_BACKTRACE
ipc: prevent lockup on alloc_msg and free_msg
sysctl: return -EINVAL if val violates minmax
fs/fat/file.c: issue flush after the writeback of FAT
rapidio: fix a NULL pointer dereference when create_workqueue() fails
ANDROID: kernel: cgroup: cpuset: Clear cpus_requested for empty buf
ANDROID: kernel: cgroup: cpuset: Add missing allocation of cpus_requested in alloc_trial_cpuset
mm: memcontrol: fix NULL pointer crash in test_clear_page_writeback()
Change-Id: I770e617e5d63461d0e9a8ff3a9bc94af8e6a4966
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
This reverts commit d4a742865c.
LTS android-4.9.183 (a80a7ab) has conflicts with the reverted code.
They do the same thing, use LTS solution.
Change-Id: If64be3448dc5d4fdc66cb119aa46b52b341da8fd
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
* refs/heads/tmp-6ccab84:
Linux 4.9.181
ethtool: check the return value of get_regs_len
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
fuse: Add FOPEN_STREAM to use stream_open()
fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
TTY: serial_core, add ->install
drm/i915: Fix I915_EXEC_RING_MASK
drm/radeon: prefer lower reference dividers
drm/gma500/cdv: Check vbt config bits when detecting lvds panels
genwqe: Prevent an integer overflow in the ioctl
Revert "MIPS: perf: ath79: Fix perfcount IRQ assignment"
MIPS: pistachio: Build uImage.gz by default
x86/power: Fix 'nosmt' vs hibernation triple fault during resume
fuse: fallocate: fix return with locked inode
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
rcu: locking and unlocking need to always be at least barriers
Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")"
ipv6: use READ_ONCE() for inet->hdrincl as in ipv4
ipv6: fix EFAULT on sendto with icmpv6 and hdrincl
pktgen: do not sleep with the thread lock held.
net: rds: fix memory leak in rds_ib_flush_mr_pool
net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
ethtool: fix potential userspace buffer overflow
media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
efi/libstub: Unify command line param parsing
Revert "x86/build: Move _etext to actual end of .text"
mm: make page ref count overflow check tighter and more explicit
mm: prevent get_user_pages() from overflowing page refcount
mm, gup: ensure real head page is ref-counted when using hugepages
mm, gup: remove broken VM_BUG_ON_PAGE compound check for hugepages
fs: prevent page refcount overflow in pipe_buf_get
binder: replace "%p" with "%pK"
binder: Replace "%p" with "%pK" for stable
brcmfmac: add subtype check for event handling in data path
brcmfmac: assure SSID length from firmware is limited
brcmfmac: add length checks in scheduled scan result handler
drm/vmwgfx: Don't send drm sysfs hotplug events on initial master set
gcc-plugins: Fix build failures under Darwin host
CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
staging: vc04_services: prevent integer overflow in create_pagelist()
docs: Fix conf.py for Sphinx 2.0
kernel/signal.c: trace_signal_deliver when signal_group_exit
memcg: make it work on sparse non-0-node systems
tty: max310x: Fix external crystal register setup
tty: serial: msm_serial: Fix XON/XOFF
drm/nouveau/i2c: Disable i2c bus access after ->fini()
ALSA: hda/realtek - Set default power save node to 0
powerpc/perf: Fix MMCRA corruption by bhrb_filter
Btrfs: fix race updating log root item during fsync
scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
media: smsusb: better handle optional alignment
media: usb: siano: Fix false-positive "uninitialized variable" warning
media: usb: siano: Fix general protection fault in smsusb
USB: rio500: fix memory leak in close after disconnect
USB: rio500: refuse more than one device at a time
USB: Add LPM quirk for Surface Dock GigE adapter
USB: sisusbvga: fix oops in error path of sisusb_probe
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
usbip: usbip_host: fix stub_dev lock context imbalance regression
usbip: usbip_host: fix BUG: sleeping function called from invalid context
usb: xhci: avoid null pointer deref when bos field is NULL
xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
xhci: Use %zu for printing size_t type
xhci: update bounce buffer with correct sg num
include/linux/bitops.h: sanitize rotate primitives
sparc64: Fix regression in non-hypervisor TLB flush xcall
tipc: fix modprobe tipc failed after switch order of device registration
Revert "tipc: fix modprobe tipc failed after switch order of device registration"
xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
crypto: vmx - ghash: do nosimd fallback manually
net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
net: mvneta: Fix err code path of probe
net: dsa: mv88e6xxx: fix handling of upper half of STATS_TYPE_PORT
ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST
ipv4/igmp: fix another memory leak in igmpv3_del_delrec()
bnxt_en: Fix aggregation buffer leak under OOM condition.
tipc: Avoid copying bytes beyond the supplied data
usbnet: fix kernel crash after disconnect
net: stmmac: fix reset gpio free missing
net-gro: fix use-after-free read in napi_gro_frags()
net: fec: fix the clk mismatch in failed_reset path
llc: fix skb leak in llc_build_and_send_ui_pkt()
ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
Revert "fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied"
Revert "fib_rules: fix error in backport of e9919a24d302 ("fib_rules: return 0...")"
Revert "x86/build: Move _etext to actual end of .text"
Change-Id: I0a273429558465e31453b6f46f4acc74c97d576a
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
* refs/heads/tmp-719bdd9:
Linux 4.9.180
drm: Wake up next in drm_read() chain if we are forced to putback the event
ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
spi: Fix zero length xfer bug
spi: rspi: Fix sequencer reset during initialization
spi : spi-topcliff-pch: Fix to handle empty DMA buffers
scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
media: saa7146: avoid high stack usage with clang
scsi: lpfc: Fix FDMI manufacturer attribute value
media: go7007: avoid clang frame overflow warning with KASAN
media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
dmaengine: tegra210-adma: use devm_clk_*() helpers
scsi: qla4xxx: avoid freeing unallocated dma memory
usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
rcuperf: Fix cleanup path for invalid perf_type strings
rcutorture: Fix cleanup path for invalid torture_type strings
x86/mce: Fix machine_check_poll() tests for error types
tty: ipwireless: fix missing checks for ioremap
virtio_console: initialize vtermno value for ports
media: wl128x: prevent two potential buffer overflows
spi: tegra114: reset controller on probe
cxgb3/l2t: Fix undefined behaviour
ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
HID: core: move Usage Page concatenation to Main item
chardev: add additional check for minor range overlap
x86/ia32: Fix ia32_restore_sigcontext() AC leak
x86/uaccess, signal: Fix AC=1 bloat
arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
scsi: ufs: Avoid configuring regulator with undefined voltage range
scsi: ufs: Fix regulator load and icc-level configuration
brcmfmac: fix Oops when bringing up interface during USB disconnect
brcmfmac: fix race during disconnect when USB completion is in progress
brcmfmac: convert dev_init_lock mutex to completion
b43: shut up clang -Wuninitialized variable warning
brcmfmac: fix missing checks for kmemdup
mwifiex: Fix mem leak in mwifiex_tm_cmd
rtlwifi: fix a potential NULL pointer dereference
iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
iio: hmc5843: fix potential NULL pointer dereferences
iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
x86/build: Keep local relocations with ld.lld
cpufreq: pmac32: fix possible object reference leak
cpufreq/pasemi: fix possible object reference leak
cpufreq: ppc_cbe: fix possible object reference leak
s390: cio: fix cio_irb declaration
extcon: arizona: Disable mic detect if running when driver is removed
PM / core: Propagate dev->power.wakeup_path when no callbacks
mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
mmc: sdhci-of-esdhc: add erratum eSDHC5 support
mmc_spi: add a status check for spi_sync_locked
mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers
scsi: libsas: Do discovery on empty PHY to update PHY info
hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
arm64: vdso: Fix clock_getres() for CLOCK_REALTIME
i40e: don't allow changes to HW VLAN stripping on active port VLANs
x86/irq/64: Limit IST stack overflow check to #DB stack
USB: core: Don't unbind interfaces following device reset failure
sched/core: Handle overflow in cpu_shares_write_u64
sched/core: Check quota and period overflow at usec to nsec conversion
powerpc/numa: improve control of topology updates
media: pvrusb2: Prevent a buffer overflow
media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
audit: fix a memory leak bug
media: ov2659: make S_FMT succeed even if requested format doesn't match
media: au0828: stop video streaming only when last user stops
media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
media: coda: clear error return value before picture run
dmaengine: at_xdmac: remove BUG_ON macro in tasklet
pinctrl: pistachio: fix leaked of_node references
HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
smpboot: Place the __percpu annotation correctly
x86/build: Move _etext to actual end of .text
bcache: avoid clang -Wunintialized warning
bcache: add failure check to run_cache_set() for journal replay
bcache: fix failure in journal relplay
bcache: return error immediately in bch_journal_replay()
crypto: sun4i-ss - Fix invalid calculation of hash end
net: cw1200: fix a NULL pointer dereference
mwifiex: prevent an array overflow
ASoC: fsl_sai: Update is_slave_mode with correct value
mac80211/cfg80211: update bss channel on channel switch
dmaengine: pl330: _stop: clear interrupt status
w1: fix the resume command API
rtc: 88pm860x: prevent use-after-free on device remove
iwlwifi: pcie: don't crash on invalid RX interrupt
scsi: qla2xxx: Fix a qla24xx_enable_msix() error path
sched/cpufreq: Fix kobject memleak
arm64: Fix compiler warning from pte_unmap() with -Wunused-but-set-variable
ARM: vdso: Remove dependency with the arch_timer driver internals
brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
spi: pxa2xx: fix SCR (divisor) calculation
ASoC: imx: fix fiq dependencies
powerpc/boot: Fix missing check of lseek() return value
ASoC: hdmi-codec: unlock the device on startup errors
net: ena: gcc 8: fix compilation warning
dmaengine: tegra210-dma: free dma controller in remove()
mmc: core: Verify SD bus width
cxgb4: Fix error path in cxgb4_init_module
gfs2: Fix lru_count going negative
Revert "btrfs: Honour FITRIM range constraints during free space trim"
tools include: Adopt linux/bits.h
perf tools: No need to include bitops.h in util.h
at76c50x-usb: Don't register led_trigger if usb_register_driver failed
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
media: cpia2: Fix use-after-free in cpia2_exit
fbdev: fix WARNING in __alloc_pages_nodemask bug
hugetlb: use same fault hash key for shared and private mappings
fbdev: fix divide error in fb_var_to_videomode
btrfs: sysfs: don't leak memory when failing add fsid
Btrfs: fix race between ranged fsync and writeback of adjacent ranges
Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path
gfs2: Fix sign extension bug in gfs2_update_stats
arm64: Save and restore OSDLR_EL1 across suspend/resume
libnvdimm/namespace: Fix label tracking error
kvm: svm/avic: fix off-by-one in checking host APIC ID
crypto: vmx - CTR: always increment IV as quadword
Revert "scsi: sd: Keep disk read-only when re-reading partition"
bio: fix improper use of smp_mb__before_atomic()
KVM: x86: fix return value for reserved EFER
ext4: do not delete unlinked inode from orphan list on failed truncate
f2fs: link f2fs quota ops for sysfile
Change-Id: Ief4e371f7f2377222f54fea237408c8bd5dda548
Signed-off-by: jianzhou <jianzhou@codeaurora.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1JqvYACgkQONu9yGCS
aT78HA//TVAfvVC0NqHbLFIIgkkZ1ygQc9A7K0hhkdCvZXcwSQgaxWO3uhHOeVNz
yK2RS5GqxsNQaSnsmO66cfb6+B1YzmnRuXbZsKU9AcA+rs5rhRGZx1Ax+nMxbpeC
zQ6Yi9aATa+R5O/yt3emtxL/Ml7W82sb0kE/o2YGJBDamiOmWEAnf6ROTz9euzZ3
bm2ifHNDiN5EG49J6PgQLXGNca9YqxFmpH6bts+mdNIBmv1M46QyD4nMtke3q4fz
XDLy9RoPXvbUt9i+xRf18Z5lHMSMqdS9+rU7iOK5E3mir9slWqTNLHN6B7dObvH3
lmICvdYUo+CucVHMHlihUNtPWpw4q1Ml5f8gY9p9qNE7WNErbt8Do9hCi7RKEpwL
o1jIVoJcWdeElbTsMMOnqnypOX54JsE4NrValuuuRuC8LqqsFe6AxbOoqouQHzqW
TOuJFw6thJlYXhsZCNciNLSlyD7PbobeBuZ+6DSfeGhqmGR0/5+Aq9bbZmxsLd0p
OMsnwkiboYBhTn/IaC0jpIVwqcI+NvKQG0fwlAR0KqILwLrvbe62WMQS7OxoKxix
4fj5B1tZMHKWKMdE0GPFE0f2bfVMJMMnF+ra8ilgLLI1cuOPGwjXHpT0Nio9Uqtb
UQ2Q9R8MpxUCYkOLy/22U0cNrc29ND9dzp9mkaGpDH0PJUwVg2s=
=i+NY
-----END PGP SIGNATURE-----
Merge 4.9.188 into android-4.9-q
Changes in 4.9.188
ARM: riscpc: fix DMA
ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ftrace: Enable trampoline when rec count returns back to one
kernel/module.c: Only return -EEXIST for modules that have finished loading
MIPS: lantiq: Fix bitfield masking
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
fs/adfs: super: fix use-after-free bug
btrfs: fix minimum number of chunk errors for DUP
ceph: fix improper use of smp_mb__before_atomic()
ceph: return -ERANGE if virtual xattr value didn't fit in buffer
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ACPI: fix false-positive -Wuninitialized warning
be2net: Signal that the device cannot transmit during reconfiguration
x86/apic: Silence -Wtype-limits compiler warnings
x86: math-emu: Hide clang warnings for 16-bit overflow
mm/cma.c: fail if fixed declaration can't be honored
coda: add error handling for fget
coda: fix build using bare-metal toolchain
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
ipc/mqueue.c: only perform resource calculation if user valid
x86/kvm: Don't call kvm_spurious_fault() from .fixup
x86, boot: Remove multiple copy of static function sanitize_boot_params()
kbuild: initialize CLANG_FLAGS correctly in the top Makefile
Btrfs: fix incremental send failure after deduplication
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
gpiolib: fix incorrect IRQ requesting of an active-low lineevent
selinux: fix memory leak in policydb_init()
s390/dasd: fix endless loop after read unit address configuration
drivers/perf: arm_pmu: Fix failure path in PM notifier
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
coredump: fix race condition between collapse_huge_page() and core dumping
eeprom: at24: make spd world-readable again
Backport minimal compiler_attributes.h to support GCC 9
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
objtool: Support GCC 9 cold subfunction naming scheme
x86, mm, gup: prevent get_page() race with munmap in paravirt guest
Linux 4.9.188
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1JqvYACgkQONu9yGCS
aT78HA//TVAfvVC0NqHbLFIIgkkZ1ygQc9A7K0hhkdCvZXcwSQgaxWO3uhHOeVNz
yK2RS5GqxsNQaSnsmO66cfb6+B1YzmnRuXbZsKU9AcA+rs5rhRGZx1Ax+nMxbpeC
zQ6Yi9aATa+R5O/yt3emtxL/Ml7W82sb0kE/o2YGJBDamiOmWEAnf6ROTz9euzZ3
bm2ifHNDiN5EG49J6PgQLXGNca9YqxFmpH6bts+mdNIBmv1M46QyD4nMtke3q4fz
XDLy9RoPXvbUt9i+xRf18Z5lHMSMqdS9+rU7iOK5E3mir9slWqTNLHN6B7dObvH3
lmICvdYUo+CucVHMHlihUNtPWpw4q1Ml5f8gY9p9qNE7WNErbt8Do9hCi7RKEpwL
o1jIVoJcWdeElbTsMMOnqnypOX54JsE4NrValuuuRuC8LqqsFe6AxbOoqouQHzqW
TOuJFw6thJlYXhsZCNciNLSlyD7PbobeBuZ+6DSfeGhqmGR0/5+Aq9bbZmxsLd0p
OMsnwkiboYBhTn/IaC0jpIVwqcI+NvKQG0fwlAR0KqILwLrvbe62WMQS7OxoKxix
4fj5B1tZMHKWKMdE0GPFE0f2bfVMJMMnF+ra8ilgLLI1cuOPGwjXHpT0Nio9Uqtb
UQ2Q9R8MpxUCYkOLy/22U0cNrc29ND9dzp9mkaGpDH0PJUwVg2s=
=i+NY
-----END PGP SIGNATURE-----
Merge 4.9.188 into android-4.9
Changes in 4.9.188
ARM: riscpc: fix DMA
ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ftrace: Enable trampoline when rec count returns back to one
kernel/module.c: Only return -EEXIST for modules that have finished loading
MIPS: lantiq: Fix bitfield masking
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
fs/adfs: super: fix use-after-free bug
btrfs: fix minimum number of chunk errors for DUP
ceph: fix improper use of smp_mb__before_atomic()
ceph: return -ERANGE if virtual xattr value didn't fit in buffer
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
ACPI: fix false-positive -Wuninitialized warning
be2net: Signal that the device cannot transmit during reconfiguration
x86/apic: Silence -Wtype-limits compiler warnings
x86: math-emu: Hide clang warnings for 16-bit overflow
mm/cma.c: fail if fixed declaration can't be honored
coda: add error handling for fget
coda: fix build using bare-metal toolchain
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
ipc/mqueue.c: only perform resource calculation if user valid
x86/kvm: Don't call kvm_spurious_fault() from .fixup
x86, boot: Remove multiple copy of static function sanitize_boot_params()
kbuild: initialize CLANG_FLAGS correctly in the top Makefile
Btrfs: fix incremental send failure after deduplication
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
gpiolib: fix incorrect IRQ requesting of an active-low lineevent
selinux: fix memory leak in policydb_init()
s390/dasd: fix endless loop after read unit address configuration
drivers/perf: arm_pmu: Fix failure path in PM notifier
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
coredump: fix race condition between collapse_huge_page() and core dumping
eeprom: at24: make spd world-readable again
Backport minimal compiler_attributes.h to support GCC 9
include/linux/module.h: copy __init/__exit attrs to init/cleanup_module
objtool: Support GCC 9 cold subfunction naming scheme
x86, mm, gup: prevent get_page() race with munmap in paravirt guest
Linux 4.9.188
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 59ea6d06cfa9247b586a695c21f94afa7183af74 upstream.
When fixing the race conditions between the coredump and the mmap_sem
holders outside the context of the process, we focused on
mmget_not_zero()/get_task_mm() callers in 04f5866e41fb70 ("coredump: fix
race condition between mmget_not_zero()/get_task_mm() and core
dumping"), but those aren't the only cases where the mmap_sem can be
taken outside of the context of the process as Michal Hocko noticed
while backporting that commit to older -stable kernels.
If mmgrab() is called in the context of the process, but then the
mm_count reference is transferred outside the context of the process,
that can also be a problem if the mmap_sem has to be taken for writing
through that mm_count reference.
khugepaged registration calls mmgrab() in the context of the process,
but the mmap_sem for writing is taken later in the context of the
khugepaged kernel thread.
collapse_huge_page() after taking the mmap_sem for writing doesn't
modify any vma, so it's not obvious that it could cause a problem to the
coredump, but it happens to modify the pmd in a way that breaks an
invariant that pmd_trans_huge_lock() relies upon. collapse_huge_page()
needs the mmap_sem for writing just to block concurrent page faults that
call pmd_trans_huge_lock().
Specifically the invariant that "!pmd_trans_huge()" cannot become a
"pmd_trans_huge()" doesn't hold while collapse_huge_page() runs.
The coredump will call __get_user_pages() without mmap_sem for reading,
which eventually can invoke a lockless page fault which will need a
functional pmd_trans_huge_lock().
So collapse_huge_page() needs to use mmget_still_valid() to check it's
not running concurrently with the coredump... as long as the coredump
can invoke page faults without holding the mmap_sem for reading.
This has "Fixes: khugepaged" to facilitate backporting, but in my view
it's more a bug in the coredump code that will eventually have to be
rewritten to stop invoking page faults without the mmap_sem for reading.
So the long term plan is still to drop all mmget_still_valid().
Link: http://lkml.kernel.org/r/20190607161558.32104-1-aarcange@redhat.com
Fixes: ba76149f47 ("thp: khugepaged")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Michal Hocko <mhocko@suse.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Jann Horn <jannh@google.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: Jason Gunthorpe <jgg@mellanox.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[Ajay: Just adjusted to apply on v4.9]
Signed-off-by: Ajay Kaher <akaher@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 04f5866e41fb70690e28397487d8bd8eea7d712a upstream.
The core dumping code has always run without holding the mmap_sem for
writing, despite that is the only way to ensure that the entire vma
layout will not change from under it. Only using some signal
serialization on the processes belonging to the mm is not nearly enough.
This was pointed out earlier. For example in Hugh's post from Jul 2017:
https://lkml.kernel.org/r/alpine.LSU.2.11.1707191716030.2055@eggly.anvils
"Not strictly relevant here, but a related note: I was very surprised
to discover, only quite recently, how handle_mm_fault() may be called
without down_read(mmap_sem) - when core dumping. That seems a
misguided optimization to me, which would also be nice to correct"
In particular because the growsdown and growsup can move the
vm_start/vm_end the various loops the core dump does around the vma will
not be consistent if page faults can happen concurrently.
Pretty much all users calling mmget_not_zero()/get_task_mm() and then
taking the mmap_sem had the potential to introduce unexpected side
effects in the core dumping code.
Adding mmap_sem for writing around the ->core_dump invocation is a
viable long term fix, but it requires removing all copy user and page
faults and to replace them with get_dump_page() for all binary formats
which is not suitable as a short term fix.
For the time being this solution manually covers the places that can
confuse the core dump either by altering the vma layout or the vma flags
while it runs. Once ->core_dump runs under mmap_sem for writing the
function mmget_still_valid() can be dropped.
Allowing mmap_sem protected sections to run in parallel with the
coredump provides some minor parallelism advantage to the swapoff code
(which seems to be safe enough by never mangling any vma field and can
keep doing swapins in parallel to the core dumping) and to some other
corner case.
In order to facilitate the backporting I added "Fixes: 86039bd3b4e6"
however the side effect of this same race condition in /proc/pid/mem
should be reproducible since before 2.6.12-rc2 so I couldn't add any
other "Fixes:" because there's no hash beyond the git genesis commit.
Because find_extend_vma() is the only location outside of the process
context that could modify the "mm" structures under mmap_sem for
reading, by adding the mmget_still_valid() check to it, all other cases
that take the mmap_sem for reading don't need the new check after
mmget_not_zero()/get_task_mm(). The expand_stack() in page fault
context also doesn't need the new check, because all tasks under core
dumping are frozen.
Link: http://lkml.kernel.org/r/20190325224949.11068-1-aarcange@redhat.com
Fixes: 86039bd3b4 ("userfaultfd: add new syscall to provide memory externalization")
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Peter Xu <peterx@redhat.com>
Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Jann Horn <jannh@google.com>
Acked-by: Jason Gunthorpe <jgg@mellanox.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[akaher@vmware.com: stable 4.9 backport
- handle binder_update_page_range - mhocko@suse.com]
Signed-off-by: Ajay Kaher <akaher@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit c633324e311243586675e732249339685e5d6faa ]
The description of cma_declare_contiguous() indicates that if the
'fixed' argument is true the reserved contiguous area must be exactly at
the address of the 'base' argument.
However, the function currently allows the 'base', 'size', and 'limit'
arguments to be silently adjusted to meet alignment constraints. This
commit enforces the documented behavior through explicit checks that
return an error if the region does not fit within a specified region.
Link: http://lkml.kernel.org/r/1561422051-16142-1-git-send-email-opendmb@gmail.com
Fixes: 5ea3b1b2f8 ("cma: add placement specifier for "cma=" kernel parameter")
Signed-off-by: Doug Berger <opendmb@gmail.com>
Acked-by: Michal Nazarewicz <mina86@mina86.com>
Cc: Yue Hu <huyue2@yulong.com>
Cc: Mike Rapoport <rppt@linux.ibm.com>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Peng Fan <peng.fan@nxp.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1GilkACgkQONu9yGCS
aT6ibw//QcoRk+6jjWIzW2R83tvcSpDREIYKF5xDPULqmaUKv7qcbGqdCT4OI0Vf
CySao6jvmN+1V+5OlQHHw1qmithHF/Y4yEVi+eL0CcMgB6qA2tQxeA0ffFu0Fzxe
oKrAIDANAJ2FKymqbIzTJU8AChNuy+Rc+C60L9O0ZhBHykLYvO7/VepTxdO2aMGs
a9tdZyXnOAr/ZgKx+uN1F8Rx2ZorNfFmP2rDxEZ/B8pVrXsOjMAcxWRsZBv+w9mc
zWaMPEL1vIR/kG35L18l2EFwZ++uIGvfGR2HxhNRUlTqN4m/3trATIc0eRn5PyAC
qBlVdcwUeJKavBqK3cgHvK9CzWQdSMxNefk9A0H66ZGpfSuNCiFjw54AXEiRzx3t
OvzUvDjfa36jsKW7yiYXdLbEa52gT14UDzmSIzlAYQLBplEadHikJ0FxCFzAWpFt
C13gG1e4G0ZKEHH8wZMuRdanHbN87c/0Sm4rgTLMwCO6I1PeILcUwIq9El9M4RVL
MmHSXLKduaHbPJWx+Qopl6NxjqTe/VR8paT6q1QnU00/4kP15aIVE08vZSiGSNP+
Gp6xbv12skAx1m1zP7K82oGdwnCVCJUqlC9wafcjsaxcoCVBWvIgPkyMWAzUeFzc
Ub2yIS9iulUeYOxPXBZKWCqgwpl7kovGztf4gwX2Kuy50mXSZQg=
=ozfF
-----END PGP SIGNATURE-----
Merge 4.9.187 into android-4.9-q
Changes in 4.9.187
MIPS: ath79: fix ar933x uart parity mode
MIPS: fix build on non-linux hosts
arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
dmaengine: imx-sdma: fix use-after-free on probe error path
ath10k: Do not send probe response template for mesh
ath9k: Check for errors when reading SREV register
ath6kl: add some bounds checking
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
batman-adv: fix for leaked TVLV handler.
media: dvb: usb: fix use after free in dvb_usb_device_exit
crypto: talitos - fix skcipher failure due to wrong output IV
media: marvell-ccic: fix DMA s/g desc number calculation
media: vpss: fix a potential NULL pointer dereference
media: media_device_enum_links32: clean a reserved field
net: stmmac: dwmac1000: Clear unused address entries
net: stmmac: dwmac4/5: Clear unused address entries
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
af_key: fix leaks in key_pol_get_resp and dump_sp.
xfrm: Fix xfrm sel prefix length validation
media: mc-device.c: don't memset __user pointer contents
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
net: phy: Check against net_device being NULL
crypto: talitos - properly handle split ICV.
crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
tua6100: Avoid build warnings.
locking/lockdep: Fix merging of hlocks with non-zero references
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
cpupower : frequency-set -r option misses the last cpu in related cpu list
net: fec: Do not use netdev messages too early
net: axienet: Fix race condition causing TX hang
s390/qdio: handle PENDING state for QEBSM devices
perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
perf test 6: Fix missing kvm module load for s390
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
gpio: omap: ensure irq is enabled before wakeup
regmap: fix bulk writes on paged registers
bpf: silence warning messages in core
rcu: Force inlining of rcu_read_lock()
blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
xfrm: fix sa selector validation
perf evsel: Make perf_evsel__name() accept a NULL argument
vhost_net: disable zerocopy by default
ipoib: correcly show a VF hardware address
EDAC/sysfs: Fix memory leak when creating a csrow object
ipsec: select crypto ciphers for xfrm_algo
media: i2c: fix warning same module names
ntp: Limit TAI-UTC offset
timer_list: Guard procfs specific code
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
media: coda: fix mpeg2 sequence number handling
media: coda: increment sequence offset for the last returned frame
mt7601u: do not schedule rx_tasklet when the device has been disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: fix possible memory leak when the device is disconnected
ath10k: fix PCIE device wake up failed
perf tools: Increase MAX_NR_CPUS and MAX_CACHES
libata: don't request sense data on !ZAC ATA devices
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
rslib: Fix decoding of shortened codes
rslib: Fix handling of of caller provided syndrome
ixgbe: Check DDM existence in transceiver before access
crypto: asymmetric_keys - select CRYPTO_HASH where needed
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
iwlwifi: mvm: Drop large non sta frames
net: usb: asix: init MAC address buffers
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: validate BLE connection interval updates
gtp: fix Illegal context switch in RCU read-side critical section.
gtp: fix use-after-free in gtp_newlink()
xen: let alloc_xenballooned_pages() fail if not enough memory free
scsi: NCR5380: Reduce goto statements in NCR5380_select()
scsi: NCR5380: Always re-enable reselection interrupt
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
crypto: ghash - fix unaligned memory access in ghash_setkey()
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
Input: gtco - bounds check collection indent level
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
arm64: tegra: Update Jetson TX1 GPU regulator timings
iwlwifi: pcie: don't service an interrupt that was masked
tracing/snapshot: Resize spare buffer if size changed
NFSv4: Handle the special Linux file open access mode
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
ALSA: seq: Break too long mutex context in the write loop
ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
media: coda: Remove unbalanced and unneeded mutex unlock
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
arm64: tegra: Fix AGIC register range
fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
drm/nouveau/i2c: Enable i2c pads & busses during preinit
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
9p/virtio: Add cleanup path in p9_virtio_init
PCI: Do not poll for PME if the device is in D3cold
Btrfs: add missing inode version, ctime and mtime updates when punching hole
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
take floppy compat ioctls to sodding floppy.c
floppy: fix div-by-zero in setup_format_params
floppy: fix out-of-bounds read in next_valid_format
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in copy_buffer
coda: pass the host file in vma->vm_file on mmap
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
crypto: ccp - Validate the the error value used to index error messages
PCI: hv: Delete the device earlier from hbus->children for hot-remove
PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
um: Allow building and running on older hosts
um: Fix FP register size for XSTATE/XSAVE
parisc: Ensure userspace privilege for ptraced processes in regset functions
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
powerpc/watchpoint: Restore NV GPRs while returning from exception
eCryptfs: fix a couple type promotion bugs
intel_th: msu: Fix single mode with disabled IOMMU
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
dm bufio: fix deadlock with loop device
compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
compiler.h: Add read_word_at_a_time() function.
lib/strscpy: Shut up KASAN false-positives in strscpy()
ext4: allow directory holes
bnx2x: Prevent load reordering in tx completion processing
bnx2x: Prevent ptp_task to be rescheduled indefinitely
caif-hsi: fix possible deadlock in cfhsi_exit_module()
igmp: fix memory leak in igmpv3_del_delrec()
ipv4: don't set IPv6 only flags to IPv4 addresses
net: bcmgenet: use promisc for unsupported filters
net: dsa: mv88e6xxx: wait after reset deactivation
net: neigh: fix multiple neigh timer scheduling
net: openvswitch: fix csum updates for MPLS actions
nfc: fix potential illegal memory access
rxrpc: Fix send on a connected, but unbound socket
sky2: Disable MSI on ASUS P6T
vrf: make sure skb->data contains ip header to make routing
macsec: fix use-after-free of skb during RX
macsec: fix checksumming after decryption
netrom: fix a memory leak in nr_rx_frame()
netrom: hold sock when setting skb->destructor
bonding: validate ip header before check IPPROTO_IGMP
tcp: Reset bytes_acked and bytes_received when disconnecting
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: stp: don't cache eth dest pointer before skb pull
perf/x86/amd/uncore: Rename 'L2' to 'LLC'
perf/x86/amd/uncore: Get correct number of cores sharing last level cache
perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id
NFSv4: Fix open create exclusive when the server reboots
nfsd: increase DRC cache limit
nfsd: give out fewer session slots as limit approaches
nfsd: fix performance-limiting session calculation
nfsd: Fix overflow causing non-working mounts on 1 TB machines
drm/panel: simple: Fix panel_simple_dsi_probe
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
drm/bridge: tc358767: read display_props in get_modes()
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
serial: 8250: Fix TX interrupt handling condition
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/rockchip: Properly adjust to a true clock in adjusted_mode
tty: serial_core: Set port active bit in uart_port_activate
usb: gadget: Zero ffs_io_data
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
PCI: sysfs: Ignore lockdep for remove attribute
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
PCI: xilinx-nwl: Fix Multi MSI data programming
iio: iio-utils: Fix possible incorrect mask calculation
recordmcount: Fix spurious mcount entries on powerpc
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
RDMA/i40iw: Set queue pair state when being queried
serial: sh-sci: Terminate TX DMA during buffer flushing
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
kallsyms: exclude kasan local symbols on s390
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
powerpc/eeh: Handle hugepages in ioremap space
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/mmu_notifier: use hlist_add_head_rcu()
locking/lockdep: Fix lock used or unused stats error
locking/lockdep: Hide unused 'class' variable
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
hpet: Fix division by zero in hpet_time_div()
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/tm: Fix oops on sigreturn on systems without TM
access: avoid the RCU grace period for the temporary subjective credentials
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
tcp: reset sk_send_head in tcp_write_queue_purge
arm64: dts: marvell: Fix A37xx UART0 register size
i2c: qup: fixed releasing dma without flush operation completion
arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ
ISDN: hfcsusb: checking idx of ep configuration
media: au0828: fix null dereference in error path
media: cpia2_usb: first wake up, then free in disconnect
media: radio-raremono: change devm_k*alloc to k*alloc
Bluetooth: hci_uart: check for missing tty operations
sched/fair: Don't free p->numa_faults with concurrent readers
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
ceph: hold i_ceph_lock when removing caps for freeing inode
Linux 4.9.187
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1GilkACgkQONu9yGCS
aT6ibw//QcoRk+6jjWIzW2R83tvcSpDREIYKF5xDPULqmaUKv7qcbGqdCT4OI0Vf
CySao6jvmN+1V+5OlQHHw1qmithHF/Y4yEVi+eL0CcMgB6qA2tQxeA0ffFu0Fzxe
oKrAIDANAJ2FKymqbIzTJU8AChNuy+Rc+C60L9O0ZhBHykLYvO7/VepTxdO2aMGs
a9tdZyXnOAr/ZgKx+uN1F8Rx2ZorNfFmP2rDxEZ/B8pVrXsOjMAcxWRsZBv+w9mc
zWaMPEL1vIR/kG35L18l2EFwZ++uIGvfGR2HxhNRUlTqN4m/3trATIc0eRn5PyAC
qBlVdcwUeJKavBqK3cgHvK9CzWQdSMxNefk9A0H66ZGpfSuNCiFjw54AXEiRzx3t
OvzUvDjfa36jsKW7yiYXdLbEa52gT14UDzmSIzlAYQLBplEadHikJ0FxCFzAWpFt
C13gG1e4G0ZKEHH8wZMuRdanHbN87c/0Sm4rgTLMwCO6I1PeILcUwIq9El9M4RVL
MmHSXLKduaHbPJWx+Qopl6NxjqTe/VR8paT6q1QnU00/4kP15aIVE08vZSiGSNP+
Gp6xbv12skAx1m1zP7K82oGdwnCVCJUqlC9wafcjsaxcoCVBWvIgPkyMWAzUeFzc
Ub2yIS9iulUeYOxPXBZKWCqgwpl7kovGztf4gwX2Kuy50mXSZQg=
=ozfF
-----END PGP SIGNATURE-----
Merge 4.9.187 into android-4.9
Changes in 4.9.187
MIPS: ath79: fix ar933x uart parity mode
MIPS: fix build on non-linux hosts
arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
dmaengine: imx-sdma: fix use-after-free on probe error path
ath10k: Do not send probe response template for mesh
ath9k: Check for errors when reading SREV register
ath6kl: add some bounds checking
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
batman-adv: fix for leaked TVLV handler.
media: dvb: usb: fix use after free in dvb_usb_device_exit
crypto: talitos - fix skcipher failure due to wrong output IV
media: marvell-ccic: fix DMA s/g desc number calculation
media: vpss: fix a potential NULL pointer dereference
media: media_device_enum_links32: clean a reserved field
net: stmmac: dwmac1000: Clear unused address entries
net: stmmac: dwmac4/5: Clear unused address entries
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
af_key: fix leaks in key_pol_get_resp and dump_sp.
xfrm: Fix xfrm sel prefix length validation
media: mc-device.c: don't memset __user pointer contents
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
net: phy: Check against net_device being NULL
crypto: talitos - properly handle split ICV.
crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
tua6100: Avoid build warnings.
locking/lockdep: Fix merging of hlocks with non-zero references
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
cpupower : frequency-set -r option misses the last cpu in related cpu list
net: fec: Do not use netdev messages too early
net: axienet: Fix race condition causing TX hang
s390/qdio: handle PENDING state for QEBSM devices
perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
perf test 6: Fix missing kvm module load for s390
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
gpio: omap: ensure irq is enabled before wakeup
regmap: fix bulk writes on paged registers
bpf: silence warning messages in core
rcu: Force inlining of rcu_read_lock()
blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
xfrm: fix sa selector validation
perf evsel: Make perf_evsel__name() accept a NULL argument
vhost_net: disable zerocopy by default
ipoib: correcly show a VF hardware address
EDAC/sysfs: Fix memory leak when creating a csrow object
ipsec: select crypto ciphers for xfrm_algo
media: i2c: fix warning same module names
ntp: Limit TAI-UTC offset
timer_list: Guard procfs specific code
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
media: coda: fix mpeg2 sequence number handling
media: coda: increment sequence offset for the last returned frame
mt7601u: do not schedule rx_tasklet when the device has been disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: fix possible memory leak when the device is disconnected
ath10k: fix PCIE device wake up failed
perf tools: Increase MAX_NR_CPUS and MAX_CACHES
libata: don't request sense data on !ZAC ATA devices
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
rslib: Fix decoding of shortened codes
rslib: Fix handling of of caller provided syndrome
ixgbe: Check DDM existence in transceiver before access
crypto: asymmetric_keys - select CRYPTO_HASH where needed
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
iwlwifi: mvm: Drop large non sta frames
net: usb: asix: init MAC address buffers
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: Check state in l2cap_disconnect_rsp
Bluetooth: validate BLE connection interval updates
gtp: fix Illegal context switch in RCU read-side critical section.
gtp: fix use-after-free in gtp_newlink()
xen: let alloc_xenballooned_pages() fail if not enough memory free
scsi: NCR5380: Reduce goto statements in NCR5380_select()
scsi: NCR5380: Always re-enable reselection interrupt
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
crypto: ghash - fix unaligned memory access in ghash_setkey()
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
Input: gtco - bounds check collection indent level
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
arm64: tegra: Update Jetson TX1 GPU regulator timings
iwlwifi: pcie: don't service an interrupt that was masked
tracing/snapshot: Resize spare buffer if size changed
NFSv4: Handle the special Linux file open access mode
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
ALSA: seq: Break too long mutex context in the write loop
ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
media: coda: Remove unbalanced and unneeded mutex unlock
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
arm64: tegra: Fix AGIC register range
fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
drm/nouveau/i2c: Enable i2c pads & busses during preinit
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
9p/virtio: Add cleanup path in p9_virtio_init
PCI: Do not poll for PME if the device is in D3cold
Btrfs: add missing inode version, ctime and mtime updates when punching hole
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
take floppy compat ioctls to sodding floppy.c
floppy: fix div-by-zero in setup_format_params
floppy: fix out-of-bounds read in next_valid_format
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in copy_buffer
coda: pass the host file in vma->vm_file on mmap
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
crypto: ccp - Validate the the error value used to index error messages
PCI: hv: Delete the device earlier from hbus->children for hot-remove
PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
um: Allow building and running on older hosts
um: Fix FP register size for XSTATE/XSAVE
parisc: Ensure userspace privilege for ptraced processes in regset functions
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
powerpc/watchpoint: Restore NV GPRs while returning from exception
eCryptfs: fix a couple type promotion bugs
intel_th: msu: Fix single mode with disabled IOMMU
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
dm bufio: fix deadlock with loop device
compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
compiler.h: Add read_word_at_a_time() function.
lib/strscpy: Shut up KASAN false-positives in strscpy()
ext4: allow directory holes
bnx2x: Prevent load reordering in tx completion processing
bnx2x: Prevent ptp_task to be rescheduled indefinitely
caif-hsi: fix possible deadlock in cfhsi_exit_module()
igmp: fix memory leak in igmpv3_del_delrec()
ipv4: don't set IPv6 only flags to IPv4 addresses
net: bcmgenet: use promisc for unsupported filters
net: dsa: mv88e6xxx: wait after reset deactivation
net: neigh: fix multiple neigh timer scheduling
net: openvswitch: fix csum updates for MPLS actions
nfc: fix potential illegal memory access
rxrpc: Fix send on a connected, but unbound socket
sky2: Disable MSI on ASUS P6T
vrf: make sure skb->data contains ip header to make routing
macsec: fix use-after-free of skb during RX
macsec: fix checksumming after decryption
netrom: fix a memory leak in nr_rx_frame()
netrom: hold sock when setting skb->destructor
bonding: validate ip header before check IPPROTO_IGMP
tcp: Reset bytes_acked and bytes_received when disconnecting
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: stp: don't cache eth dest pointer before skb pull
perf/x86/amd/uncore: Rename 'L2' to 'LLC'
perf/x86/amd/uncore: Get correct number of cores sharing last level cache
perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id
NFSv4: Fix open create exclusive when the server reboots
nfsd: increase DRC cache limit
nfsd: give out fewer session slots as limit approaches
nfsd: fix performance-limiting session calculation
nfsd: Fix overflow causing non-working mounts on 1 TB machines
drm/panel: simple: Fix panel_simple_dsi_probe
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
drm/bridge: tc358767: read display_props in get_modes()
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
serial: 8250: Fix TX interrupt handling condition
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
drm/rockchip: Properly adjust to a true clock in adjusted_mode
tty: serial_core: Set port active bit in uart_port_activate
usb: gadget: Zero ffs_io_data
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
PCI: sysfs: Ignore lockdep for remove attribute
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
PCI: xilinx-nwl: Fix Multi MSI data programming
iio: iio-utils: Fix possible incorrect mask calculation
recordmcount: Fix spurious mcount entries on powerpc
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
RDMA/i40iw: Set queue pair state when being queried
serial: sh-sci: Terminate TX DMA during buffer flushing
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
kallsyms: exclude kasan local symbols on s390
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
powerpc/eeh: Handle hugepages in ioremap space
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/mmu_notifier: use hlist_add_head_rcu()
locking/lockdep: Fix lock used or unused stats error
locking/lockdep: Hide unused 'class' variable
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
hpet: Fix division by zero in hpet_time_div()
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/tm: Fix oops on sigreturn on systems without TM
access: avoid the RCU grace period for the temporary subjective credentials
ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt
tcp: reset sk_send_head in tcp_write_queue_purge
arm64: dts: marvell: Fix A37xx UART0 register size
i2c: qup: fixed releasing dma without flush operation completion
arm64: compat: Provide definition for COMPAT_SIGMINSTKSZ
ISDN: hfcsusb: checking idx of ep configuration
media: au0828: fix null dereference in error path
media: cpia2_usb: first wake up, then free in disconnect
media: radio-raremono: change devm_k*alloc to k*alloc
Bluetooth: hci_uart: check for missing tty operations
sched/fair: Don't free p->numa_faults with concurrent readers
drivers/pps/pps.c: clear offset flags in PPS_SETPARAMS ioctl
ceph: hold i_ceph_lock when removing caps for freeing inode
Linux 4.9.187
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Bruno Martins