Date: Fri, 24 Feb 2017 11:00:32 -0500
Subject: [PATCH 095/251] net sched actions: decrement module reference count
after table flush.
+Status: RO
Content-Length: 2407
Lines: 90
--
2.12.2
-From 8e0ec20539f8c626463ae43fcaeb218e3b2b5dc4 Mon Sep 17 00:00:00 2001
-From: Andrey Ryabinin <aryabinin@virtuozzo.com>
-Date: Mon, 13 Mar 2017 19:33:37 +0300
-Subject: [PATCH 098/251] x86/kasan: Fix boot with KASAN=y and
- PROFILE_ANNOTATED_BRANCHES=y
-Content-Length: 1839
-Lines: 50
-
-commit be3606ff739d1c1be36389f8737c577ad87e1f57 upstream.
-
-The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y
-options selected. With branch profiling enabled we end up calling
-ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is
-built with KASAN instrumentation, so calling it before kasan has been
-initialized leads to crash.
-
-Use DISABLE_BRANCH_PROFILING define to make sure that we don't call
-ftrace_likely_update() from early code before kasan_early_init().
-
-Fixes: ef7f0d6a6ca8 ("x86_64: add KASan support")
-Reported-by: Fengguang Wu <fengguang.wu@intel.com>
-Signed-off-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
-Cc: kasan-dev@googlegroups.com
-Cc: Alexander Potapenko <glider@google.com>
-Cc: Andrew Morton <akpm@linux-foundation.org>
-Cc: lkp@01.org
-Cc: Dmitry Vyukov <dvyukov@google.com>
-Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com
-Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/head64.c | 1 +
- arch/x86/mm/kasan_init_64.c | 1 +
- 2 files changed, 2 insertions(+)
-
-diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
-index f129a9af6357..b6b0077da1af 100644
---- a/arch/x86/kernel/head64.c
-+++ b/arch/x86/kernel/head64.c
-@@ -4,6 +4,7 @@
- * Copyright (C) 2000 Andrea Arcangeli <andrea@suse.de> SuSE
- */
-
-+#define DISABLE_BRANCH_PROFILING
- #include <linux/init.h>
- #include <linux/linkage.h>
- #include <linux/types.h>
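Review bot: The new `#define DISABLE_BRANCH_PROFILING` at the top of head64.c has no comment saying why it is there or that it has to stay ahead of the first `#include`. A one-line comment, for example that this early code runs before kasan_early_init() and must not call the instrumented ftrace_likely_update(), would keep a later include reshuffle from silently undoing the fix.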
-diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c
-index d470cf219a2d..4e5ac46adc9d 100644
---- a/arch/x86/mm/kasan_init_64.c
-+++ b/arch/x86/mm/kasan_init_64.c
-@@ -1,3 +1,4 @@
-+#define DISABLE_BRANCH_PROFILING
- #define pr_fmt(fmt) "kasan: " fmt
- #include <linux/bootmem.h>
- #include <linux/kasan.h>
---
-2.12.2
-
-From 62f57041fbdf15db6336542384a4b36f1f387299 Mon Sep 17 00:00:00 2001
-From: Andy Lutomirski <luto@kernel.org>
-Date: Thu, 16 Mar 2017 12:59:39 -0700
-Subject: [PATCH 099/251] x86/perf: Fix CR4.PCE propagation to use active_mm
- instead of mm
-Content-Length: 1726
-Lines: 44
-
-commit 5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream.
-
-If one thread mmaps a perf event while another thread in the same mm
-is in some context where active_mm != mm (which can happen in the
-scheduler, for example), refresh_pce() would write the wrong value
-to CR4.PCE. This broke some PAPI tests.
-
-Reported-and-tested-by: Vince Weaver <vincent.weaver@maine.edu>
-Signed-off-by: Andy Lutomirski <luto@kernel.org>
-Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
-Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
-Cc: Borislav Petkov <bpetkov@suse.de>
-Cc: H. Peter Anvin <hpa@zytor.com>
-Cc: Jiri Olsa <jolsa@redhat.com>
-Cc: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Peter Zijlstra <peterz@infradead.org>
-Cc: Stephane Eranian <eranian@google.com>
-Cc: Thomas Gleixner <tglx@linutronix.de>
-Cc: stable@vger.kernel.org
-Fixes: 7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped")
-Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org
-Signed-off-by: Ingo Molnar <mingo@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/x86/kernel/cpu/perf_event.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
-index 1a8256dd6729..5b2f2306fbcc 100644
---- a/arch/x86/kernel/cpu/perf_event.c
-+++ b/arch/x86/kernel/cpu/perf_event.c
-@@ -1996,8 +1996,8 @@ static int x86_pmu_event_init(struct perf_event *event)
-
- static void refresh_pce(void *ignored)
- {
-- if (current->mm)
-- load_mm_cr4(current->mm);
-+ if (current->active_mm)
-+ load_mm_cr4(current->active_mm);
- }
-
- static void x86_pmu_event_mapped(struct perf_event *event)
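Review bot: The switch to `current->active_mm` in refresh_pce() is not explained in the code, and to anyone who has not read the changelog the two new lines look like a typo for `current->mm`. Add a short comment that this function can run where active_mm != mm and that CR4.PCE has to follow the mm that is actually loaded.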
---
-2.12.2
-
From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 22 Mar 2017 12:17:51 +0100
--
2.12.2
-From 12e1a3cd11ea373143e957cf9698a26a4e43f4a6 Mon Sep 17 00:00:00 2001
-From: "Manoj N. Kumar" <manoj@linux.vnet.ibm.com>
-Date: Fri, 4 Mar 2016 15:55:20 -0600
-Subject: [PATCH 108/251] cxlflash: Increase cmd_per_lun for better throughput
-Content-Length: 2593
-Lines: 71
-
-commit 83430833b4d4a9c9b23964babbeb1f36450f8136 upstream.
-
-With the current value of cmd_per_lun at 16, the throughput
-over a single adapter is limited to around 150kIOPS.
-
-Increase the value of cmd_per_lun to 256 to improve
-throughput. With this change a single adapter is able to
-attain close to the maximum throughput (380kIOPS).
-Also change the number of RRQ entries that can be queued.
-
-Signed-off-by: Manoj N. Kumar <manoj@linux.vnet.ibm.com>
-Acked-by: Matthew R. Ochs <mrochs@linux.vnet.ibm.com>
-Reviewed-by: Uma Krishnan <ukrishn@linux.vnet.ibm.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/scsi/cxlflash/common.h | 8 +++++---
- drivers/scsi/cxlflash/main.c | 2 +-
- 2 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/drivers/scsi/cxlflash/common.h b/drivers/scsi/cxlflash/common.h
-index 5ada9268a450..a8ac4c0a1493 100644
---- a/drivers/scsi/cxlflash/common.h
-+++ b/drivers/scsi/cxlflash/common.h
-@@ -34,7 +34,6 @@ extern const struct file_operations cxlflash_cxl_fops;
- sectors
- */
-
--#define NUM_RRQ_ENTRY 16 /* for master issued cmds */
- #define MAX_RHT_PER_CONTEXT (PAGE_SIZE / sizeof(struct sisl_rht_entry))
-
- /* AFU command retry limit */
-@@ -48,9 +47,12 @@ extern const struct file_operations cxlflash_cxl_fops;
- index derivation
- */
-
--#define CXLFLASH_MAX_CMDS 16
-+#define CXLFLASH_MAX_CMDS 256
- #define CXLFLASH_MAX_CMDS_PER_LUN CXLFLASH_MAX_CMDS
-
-+/* RRQ for master issued cmds */
-+#define NUM_RRQ_ENTRY CXLFLASH_MAX_CMDS
-+
-
- static inline void check_sizes(void)
- {
-@@ -149,7 +151,7 @@ struct afu_cmd {
- struct afu {
- /* Stuff requiring alignment go first. */
-
-- u64 rrq_entry[NUM_RRQ_ENTRY]; /* 128B RRQ */
-+ u64 rrq_entry[NUM_RRQ_ENTRY]; /* 2K RRQ */
- /*
- * Command & data for AFU commands.
- */
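Review bot: The `/* 2K RRQ */` comment on rrq_entry hard-codes a size that is now derived from CXLFLASH_MAX_CMDS through NUM_RRQ_ENTRY, so it goes stale the next time that constant changes, just as `128B RRQ` did here. Drop the literal size or express it in terms of NUM_RRQ_ENTRY. Since the struct comment says members requiring alignment go first, it is also worth stating in the changelog that growing this array sixteen-fold was checked against that layout.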
-diff --git a/drivers/scsi/cxlflash/main.c b/drivers/scsi/cxlflash/main.c
-index c86847c68448..2882bcac918a 100644
---- a/drivers/scsi/cxlflash/main.c
-+++ b/drivers/scsi/cxlflash/main.c
-@@ -2305,7 +2305,7 @@ static struct scsi_host_template driver_template = {
- .eh_device_reset_handler = cxlflash_eh_device_reset_handler,
- .eh_host_reset_handler = cxlflash_eh_host_reset_handler,
- .change_queue_depth = cxlflash_change_queue_depth,
-- .cmd_per_lun = 16,
-+ .cmd_per_lun = CXLFLASH_MAX_CMDS_PER_LUN,
- .can_queue = CXLFLASH_MAX_CMDS,
- .this_id = -1,
- .sg_tablesize = SG_NONE, /* No scatter gather support */
---
-2.12.2
-
-From 962c66c74184b1c7927f5906c9848e605fe8b236 Mon Sep 17 00:00:00 2001
-From: Alex Hung <alex.hung@canonical.com>
-Date: Fri, 27 May 2016 15:47:06 +0800
-Subject: [PATCH 109/251] ACPI / video: skip evaluating _DOD when it does not
- exist
-Content-Length: 1067
-Lines: 30
-
-commit e34fbbac669de0b7fb7803929d0477f35f6e2833 upstream.
-
-Some system supports hybrid graphics and its discrete VGA
-does not have any connectors and therefore has no _DOD method.
-
-Signed-off-by: Alex Hung <alex.hung@canonical.com>
-Reviewed-by: Aaron Lu <aaron.lu@intel.com>
-Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/acpi/acpi_video.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
-index 5fdac394207a..549cdbed7b0e 100644
---- a/drivers/acpi/acpi_video.c
-+++ b/drivers/acpi/acpi_video.c
-@@ -1211,6 +1211,9 @@ static int acpi_video_device_enumerate(struct acpi_video_bus *video)
- union acpi_object *dod = NULL;
- union acpi_object *obj;
-
-+ if (!video->cap._DOD)
-+ return AE_NOT_EXIST;
-+
- status = acpi_evaluate_object(video->device->handle, "_DOD", NULL, &buffer);
- if (!ACPI_SUCCESS(status)) {
- ACPI_EXCEPTION((AE_INFO, status, "Evaluating _DOD"));
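Review bot: `return AE_NOT_EXIST;` in the added check returns an ACPI status code from acpi_video_device_enumerate(), which is declared `static int`. A caller that tests the result for a negative errno will not treat this value as a failure. Return a negative errno such as -ENOENT here, or confirm that every caller interprets the return value as an ACPI status.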
---
-2.12.2
-
-From 3787a071d145055a89442cf614ceec39c315bc9f Mon Sep 17 00:00:00 2001
-From: Mika Westerberg <mika.westerberg@linux.intel.com>
-Date: Mon, 22 Aug 2016 14:42:52 +0300
-Subject: [PATCH 110/251] pinctrl: cherryview: Do not mask all interrupts in
- probe
-Content-Length: 2194
-Lines: 52
-
-commit bcb48cca23ec9852739e4a464307fa29515bbe48 upstream.
-
-The Cherryview GPIO controller has 8 or 16 wires connected to the I/O-APIC
-which can be used directly by the platform/BIOS or drivers. One such wire
-is used as SCI (System Control Interrupt) which ACPI depends on to be able
-to trigger GPEs (General Purpose Events).
-
-The pinctrl driver itself uses another IRQ resource which is wire OR of all
-the 8 (or 16) wires and follows what BIOS has programmed to the IntSel
-register of each pin.
-
-Currently the driver masks all interrupts at probe time and this prevents
-these direct interrupts from working as expected. The reason for this is
-that some early stage prototypes had some pins misconfigured causing lots
-of spurious interrupts.
-
-We fix this by leaving the interrupt mask untouched. This allows SCI and
-other direct interrupts work properly. What comes to the possible spurious
-interrupts we switch the default handler to be handle_bad_irq() instead of
-handle_simple_irq() (which was not correct anyway).
-
-Reported-by: Yu C Chen <yu.c.chen@intel.com>
-Reported-by: Anisse Astier <anisse@astier.eu>
-Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/pinctrl/intel/pinctrl-cherryview.c | 5 ++---
- 1 file changed, 2 insertions(+), 3 deletions(-)
-
-diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c
-index a009ae34c5ef..930f0f25c1ce 100644
---- a/drivers/pinctrl/intel/pinctrl-cherryview.c
-+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c
-@@ -1466,12 +1466,11 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq)
- offset += range->npins;
- }
-
-- /* Mask and clear all interrupts */
-- chv_writel(0, pctrl->regs + CHV_INTMASK);
-+ /* Clear all interrupts */
- chv_writel(0xffff, pctrl->regs + CHV_INTSTAT);
-
- ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, 0,
-- handle_simple_irq, IRQ_TYPE_NONE);
-+ handle_bad_irq, IRQ_TYPE_NONE);
- if (ret) {
- dev_err(pctrl->dev, "failed to add IRQ chip\n");
- goto fail;
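Review bot: With the `chv_writel(0, pctrl->regs + CHV_INTMASK)` line removed, probe now trusts whatever mask the firmware left behind, and the remaining comment `/* Clear all interrupts */` does not say so. Extend the comment to note that CHV_INTMASK is deliberately left as programmed by the BIOS so direct interrupts such as SCI keep working, and that handle_bad_irq is the default handler so an interrupt arriving on a pin nobody has set up is flagged rather than quietly handled.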
---
-2.12.2
-
-From 0a2512768f1683514ef964e2e0767458baef14de Mon Sep 17 00:00:00 2001
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-Date: Sat, 30 Apr 2016 19:21:35 -0700
-Subject: [PATCH 111/251] Drivers: hv: balloon: don't crash when memory is
- added in non-sorted order
-Content-Length: 1762
-Lines: 43
-
-commit 77c0c9735bc0ba5898e637a3a20d6bcb50e3f67d upstream.
-
-When we iterate through all HA regions in handle_pg_range() we have an
-assumption that all these regions are sorted in the list and the
-'start_pfn >= has->end_pfn' check is enough to find the proper region.
-Unfortunately it's not the case with WS2016 where host can hot-add regions
-in a different order. We end up modifying the wrong HA region and crashing
-later on pages online. Modify the check to make sure we found the region
-we were searching for while iterating. Fix the same check in pfn_covered()
-as well.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
-Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hv/hv_balloon.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
-index b853b4b083bd..43af91362be5 100644
---- a/drivers/hv/hv_balloon.c
-+++ b/drivers/hv/hv_balloon.c
-@@ -714,7 +714,7 @@ static bool pfn_covered(unsigned long start_pfn, unsigned long pfn_cnt)
- * If the pfn range we are dealing with is not in the current
- * "hot add block", move on.
- */
-- if ((start_pfn >= has->end_pfn))
-+ if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn)
- continue;
- /*
- * If the current hot add-request extends beyond
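Review bot: The new condition `start_pfn < has->start_pfn || start_pfn >= has->end_pfn` in pfn_covered() is repeated verbatim in handle_pg_range(), so the two copies can drift apart again. Consider a small helper that tests whether a pfn lies inside a hot-add region and call it from both loops. The comment above the check still speaks of the whole pfn range while the test only looks at start_pfn, so its wording should be tightened as well.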
-@@ -768,7 +768,7 @@ static unsigned long handle_pg_range(unsigned long pg_start,
- * If the pfn range we are dealing with is not in the current
- * "hot add block", move on.
- */
-- if ((start_pfn >= has->end_pfn))
-+ if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn)
- continue;
-
- old_covered_state = has->covered_end_pfn;
---
-2.12.2
-
-From b1a0f744f8e63fbef10dc84029e9d213e03a3a18 Mon Sep 17 00:00:00 2001
-From: Vitaly Kuznetsov <vkuznets@redhat.com>
-Date: Fri, 3 Jun 2016 17:09:22 -0700
-Subject: [PATCH 112/251] Drivers: hv: avoid vfree() on crash
-Content-Length: 3254
-Lines: 110
-
-commit a9f61ca793becabdefab03b77568d6c6f8c1bc79 upstream.
-
-When we crash from NMI context (e.g. after NMI injection from host when
-'sysctl -w kernel.unknown_nmi_panic=1' is set) we hit
-
- kernel BUG at mm/vmalloc.c:1530!
-
-as vfree() is denied. While the issue could be solved with in_nmi() check
-instead I opted for skipping vfree on all sorts of crashes to reduce the
-amount of work which can cause consequent crashes. We don't really need to
-free anything on crash.
-
-Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
-Signed-off-by: K. Y. Srinivasan <kys@microsoft.com>
-Cc: Sumit Semwal <sumit.semwal@linaro.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/hv/hv.c | 8 +++++---
- drivers/hv/hyperv_vmbus.h | 2 +-
- drivers/hv/vmbus_drv.c | 8 ++++----
- 3 files changed, 10 insertions(+), 8 deletions(-)
-
-diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
-index 57c191798699..ddbf7e7e0d98 100644
---- a/drivers/hv/hv.c
-+++ b/drivers/hv/hv.c
-@@ -274,7 +274,7 @@ cleanup:
- *
- * This routine is called normally during driver unloading or exiting.
- */
--void hv_cleanup(void)
-+void hv_cleanup(bool crash)
- {
- union hv_x64_msr_hypercall_contents hypercall_msr;
-
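Review bot: The comment block above `void hv_cleanup(bool crash)` still reads "This routine is called normally during driver unloading or exiting" and says nothing about the new parameter. Document `crash` there, including that the vfree() calls are skipped when it is true and the pages are intentionally left allocated.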
-@@ -284,7 +284,8 @@ void hv_cleanup(void)
- if (hv_context.hypercall_page) {
- hypercall_msr.as_uint64 = 0;
- wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
-- vfree(hv_context.hypercall_page);
-+ if (!crash)
-+ vfree(hv_context.hypercall_page);
- hv_context.hypercall_page = NULL;
- }
-
-@@ -304,7 +305,8 @@ void hv_cleanup(void)
-
- hypercall_msr.as_uint64 = 0;
- wrmsrl(HV_X64_MSR_REFERENCE_TSC, hypercall_msr.as_uint64);
-- vfree(hv_context.tsc_page);
-+ if (!crash)
-+ vfree(hv_context.tsc_page);
- hv_context.tsc_page = NULL;
- }
- #endif
-diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
-index 12156db2e88e..75e383e6d03d 100644
---- a/drivers/hv/hyperv_vmbus.h
-+++ b/drivers/hv/hyperv_vmbus.h
-@@ -581,7 +581,7 @@ struct hv_ring_buffer_debug_info {
-
- extern int hv_init(void);
-
--extern void hv_cleanup(void);
-+extern void hv_cleanup(bool crash);
-
- extern int hv_post_message(union hv_connection_id connection_id,
- enum hv_message_type message_type,
-diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c
-index 509ed9731630..802dcb409030 100644
---- a/drivers/hv/vmbus_drv.c
-+++ b/drivers/hv/vmbus_drv.c
-@@ -889,7 +889,7 @@ err_alloc:
- bus_unregister(&hv_bus);
-
- err_cleanup:
-- hv_cleanup();
-+ hv_cleanup(false);
-
- return ret;
- }
-@@ -1254,7 +1254,7 @@ static void hv_kexec_handler(void)
- vmbus_initiate_unload();
- for_each_online_cpu(cpu)
- smp_call_function_single(cpu, hv_synic_cleanup, NULL, 1);
-- hv_cleanup();
-+ hv_cleanup(false);
- };
-
- static void hv_crash_handler(struct pt_regs *regs)
-@@ -1266,7 +1266,7 @@ static void hv_crash_handler(struct pt_regs *regs)
- * for kdump.
- */
- hv_synic_cleanup(NULL);
-- hv_cleanup();
-+ hv_cleanup(true);
- };
-
- static int __init hv_acpi_init(void)
-@@ -1330,7 +1330,7 @@ static void __exit vmbus_exit(void)
- &hyperv_panic_block);
- }
- bus_unregister(&hv_bus);
-- hv_cleanup();
-+ hv_cleanup(false);
- for_each_online_cpu(cpu) {
- tasklet_kill(hv_context.event_dpc[cpu]);
- smp_call_function_single(cpu, hv_synic_cleanup, NULL, 1);
---
-2.12.2
-
From e2d9577854f5a5469bcf7a3d1b17ca5e9b9ba673 Mon Sep 17 00:00:00 2001
From: Ross Lagerwall <ross.lagerwall@citrix.com>
Date: Fri, 22 Apr 2016 13:05:31 +0100
From: Linus Torvalds <torvalds@linux-foundation.org>
Date: Thu, 2 Mar 2017 12:17:22 -0800
Subject: [PATCH 120/251] give up on gcc ilog2() constant optimizations
+Status: RO
Content-Length: 4200
Lines: 125
--
2.12.2
-From b24473976b985fd1c1d57a9ea934f9792bf654cc Mon Sep 17 00:00:00 2001
-From: Michael Ellerman <mpe@ellerman.id.au>
-Date: Tue, 7 Mar 2017 16:14:49 +1100
-Subject: [PATCH 123/251] powerpc/boot: Fix zImage TOC alignment
-Content-Length: 925
-Lines: 29
-
-commit 97ee351b50a49717543533cfb85b4bf9d88c9680 upstream.
-
-Recent toolchains force the TOC to be 256 byte aligned. We need to
-enforce this alignment in the zImage linker script, otherwise pointers
-to our TOC variables (__toc_start) could be incorrect. If the actual
-start of the TOC and __toc_start don't have the same value we crash
-early in the zImage wrapper.
-
-Suggested-by: Alan Modra <amodra@gmail.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/boot/zImage.lds.S | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/arch/powerpc/boot/zImage.lds.S b/arch/powerpc/boot/zImage.lds.S
-index 861e72109df2..f080abfc2f83 100644
---- a/arch/powerpc/boot/zImage.lds.S
-+++ b/arch/powerpc/boot/zImage.lds.S
-@@ -68,6 +68,7 @@ SECTIONS
- }
-
- #ifdef CONFIG_PPC64_BOOT_WRAPPER
-+ . = ALIGN(256);
- .got :
- {
- __toc_start = .;
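Review bot: `. = ALIGN(256);` ahead of `.got` is a bare magic number in the linker script. Add a comment saying that the toolchain requires the TOC to be 256-byte aligned and that __toc_start must equal the real start of the TOC, so the alignment is not dropped in a later cleanup.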
---
-2.12.2
-
From 582f548924cdda2dadf842020075f6b2525421d2 Mon Sep 17 00:00:00 2001
From: Shaohua Li <shli@fb.com>
Date: Tue, 28 Feb 2017 13:00:20 -0800
--
2.12.2
-From b55ffcb1bc8a9c40db928f568ef61016ac681c29 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Tue, 21 Mar 2017 13:56:04 +0100
-Subject: [PATCH 154/251] ALSA: seq: Fix racy cell insertions during
- snd_seq_pool_done()
-Content-Length: 3599
-Lines: 105
-
-commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream.
-
-When snd_seq_pool_done() is called, it marks the closing flag to
-refuse the further cell insertions. But snd_seq_pool_done() itself
-doesn't clear the cells but just waits until all cells are cleared by
-the caller side. That is, it's racy, and this leads to the endless
-stall as syzkaller spotted.
-
-This patch addresses the racy by splitting the setup of pool->closing
-flag out of snd_seq_pool_done(), and calling it properly before
-snd_seq_pool_done().
-
-BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com
-Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/core/seq/seq_clientmgr.c | 1 +
- sound/core/seq/seq_fifo.c | 3 +++
- sound/core/seq/seq_memory.c | 17 +++++++++++++----
- sound/core/seq/seq_memory.h | 1 +
- 4 files changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c
-index 58e79e02f217..c67f9c212dd1 100644
---- a/sound/core/seq/seq_clientmgr.c
-+++ b/sound/core/seq/seq_clientmgr.c
-@@ -1921,6 +1921,7 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client,
- info.output_pool != client->pool->size)) {
- if (snd_seq_write_pool_allocated(client)) {
- /* remove all existing cells */
-+ snd_seq_pool_mark_closing(client->pool);
- snd_seq_queue_client_leave_cells(client->number);
- snd_seq_pool_done(client->pool);
- }
-diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
-index 86240d02b530..3f4efcb85df5 100644
---- a/sound/core/seq/seq_fifo.c
-+++ b/sound/core/seq/seq_fifo.c
-@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_fifo **fifo)
- return;
- *fifo = NULL;
-
-+ if (f->pool)
-+ snd_seq_pool_mark_closing(f->pool);
-+
- snd_seq_fifo_clear(f);
-
- /* wake up clients if any */
-diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c
-index dfa5156f3585..5847c4475bf3 100644
---- a/sound/core/seq/seq_memory.c
-+++ b/sound/core/seq/seq_memory.c
-@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_pool *pool)
- return 0;
- }
-
-+/* refuse the further insertion to the pool */
-+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool)
-+{
-+ unsigned long flags;
-+
-+ if (snd_BUG_ON(!pool))
-+ return;
-+ spin_lock_irqsave(&pool->lock, flags);
-+ pool->closing = 1;
-+ spin_unlock_irqrestore(&pool->lock, flags);
-+}
-+
- /* remove events */
- int snd_seq_pool_done(struct snd_seq_pool *pool)
- {
-@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool)
- return -EINVAL;
-
- /* wait for closing all threads */
-- spin_lock_irqsave(&pool->lock, flags);
-- pool->closing = 1;
-- spin_unlock_irqrestore(&pool->lock, flags);
--
- if (waitqueue_active(&pool->output_sleep))
- wake_up(&pool->output_sleep);
-
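Review bot: After this removal snd_seq_pool_done() no longer sets `pool->closing` itself, yet the retained comment `/* wait for closing all threads */` and the wake-up that follows depend on a caller having run snd_seq_pool_mark_closing() first, and nothing enforces that. Document the precondition on the function, or add a check such as snd_BUG_ON(!pool->closing), so a future caller that forgets the mark does not reintroduce the stall.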
-@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_pool **ppool)
- *ppool = NULL;
- if (pool == NULL)
- return 0;
-+ snd_seq_pool_mark_closing(pool);
- snd_seq_pool_done(pool);
- kfree(pool);
- return 0;
-diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h
-index 4a2ec779b8a7..32f959c17786 100644
---- a/sound/core/seq/seq_memory.h
-+++ b/sound/core/seq/seq_memory.h
-@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(struct snd_seq_pool *pool)
- int snd_seq_pool_init(struct snd_seq_pool *pool);
-
- /* done pool - free events */
-+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool);
- int snd_seq_pool_done(struct snd_seq_pool *pool);
-
- /* create pool */
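Review bot: The prototype for snd_seq_pool_mark_closing() was inserted directly under `/* done pool - free events */`, so that comment now labels the wrong function. Give the new declaration its own comment (seq_memory.c uses `/* refuse the further insertion to the pool */`) and keep the existing one immediately above snd_seq_pool_done().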
---
-2.12.2
-
-From ed00b613bbcb7af32fbdd87e3c985c00e2c9c5a3 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Mon, 20 Mar 2017 10:08:19 +0100
-Subject: [PATCH 155/251] ALSA: ctxfi: Fix the incorrect check of
- dma_set_mask() call
-Content-Length: 1225
-Lines: 32
-
-commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream.
-
-In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit],
-I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while
-cthw20k2.c is OK). This patch fixes that obvious bug.
-
-(As a side note: although the original commit was completely wrong,
- it's still working for most of machines, as it sets to 32bit DMA mask
- in the end. So the bug severity is low.)
-
-Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit")
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/pci/ctxfi/cthw20k1.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/pci/ctxfi/cthw20k1.c b/sound/pci/ctxfi/cthw20k1.c
-index ab4cdab5cfa5..79edd88d5cd0 100644
---- a/sound/pci/ctxfi/cthw20k1.c
-+++ b/sound/pci/ctxfi/cthw20k1.c
-@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw)
- return err;
-
- /* Set DMA transfer mask */
-- if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
-+ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
- dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
- } else {
- dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
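Review bot: The fallback branch still ignores the return value of `dma_set_mask(&pci->dev, DMA_BIT_MASK(32))`, and the success branch ignores the result of dma_set_coherent_mask(), so a device that cannot satisfy either mask carries on as if it had. Check both results and return the error from hw_card_start() if the 32-bit fallback is refused.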
---
-2.12.2
-
-From 1ea551eec703102af8db2c2dcc99fc660baa3602 Mon Sep 17 00:00:00 2001
-From: Hui Wang <hui.wang@canonical.com>
-Date: Thu, 23 Mar 2017 10:00:25 +0800
-Subject: [PATCH 156/251] ALSA: hda - Adding a group of pin definition to fix
- headset problem
-Content-Length: 1089
-Lines: 28
-
-commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream.
-
-A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to
-fix the headset problem, and the pin definiton of this machine is not
-in the pin quirk table yet, now adding it to the table.
-
-Signed-off-by: Hui Wang <hui.wang@canonical.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/pci/hda/patch_realtek.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index cf0785ddbd14..1d4f34379f56 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -6040,6 +6040,8 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = {
- ALC295_STANDARD_PINS,
- {0x17, 0x21014040},
- {0x18, 0x21a19050}),
-+ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
-+ ALC295_STANDARD_PINS),
- SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
- ALC298_STANDARD_PINS,
- {0x17, 0x90170110}),
---
-2.12.2
-
From 8f0f081647cc1c7e7ce6bea99a3b2ebb3604b1f1 Mon Sep 17 00:00:00 2001
From: Dan Williams <dcbw@redhat.com>
Date: Thu, 9 Mar 2017 11:32:28 -0600
--
2.12.2
-From 2705b183263bd6e2969a648d2c7353716ca1d7a8 Mon Sep 17 00:00:00 2001
-From: Nicolas Ferre <nicolas.ferre@microchip.com>
-Date: Tue, 14 Mar 2017 09:38:04 +0100
-Subject: [PATCH 178/251] ARM: at91: pm: cpu_idle: switch DDR to power-down
- mode
-Content-Length: 2385
-Lines: 64
-
-commit 60b89f1928af80b546b5c3fd8714a62f6f4b8844 upstream.
-
-On some DDR controllers, compatible with the sama5d3 one,
-the sequence to enter/exit/re-enter the self-refresh mode adds
-more constrains than what is currently written in the at91_idle
-driver. An actual access to the DDR chip is needed between exit
-and re-enter of this mode which is somehow difficult to implement.
-This sequence can completely hang the SoC. It is particularly
-experienced on parts which embed a L2 cache if the code run
-between IDLE calls fits in it...
-
-Moreover, as the intention is to enter and exit pretty rapidly
-from IDLE, the power-down mode is a good candidate.
-
-So now we use power-down instead of self-refresh. As we can
-simplify the code for sama5d3 compatible DDR controllers,
-we instantiate a new sama5d3_ddr_standby() function.
-
-Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
-Fixes: 017b5522d5e3 ("ARM: at91: Add new binding for sama5d3-ddramc")
-Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/mach-at91/pm.c | 18 +++++++++++++++++-
- 1 file changed, 17 insertions(+), 1 deletion(-)
-
-diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c
-index 23726fb31741..d687f860a2da 100644
---- a/arch/arm/mach-at91/pm.c
-+++ b/arch/arm/mach-at91/pm.c
-@@ -286,6 +286,22 @@ static void at91_ddr_standby(void)
- at91_ramc_write(1, AT91_DDRSDRC_LPR, saved_lpr1);
- }
-
-+static void sama5d3_ddr_standby(void)
-+{
-+ u32 lpr0;
-+ u32 saved_lpr0;
-+
-+ saved_lpr0 = at91_ramc_read(0, AT91_DDRSDRC_LPR);
-+ lpr0 = saved_lpr0 & ~AT91_DDRSDRC_LPCB;
-+ lpr0 |= AT91_DDRSDRC_LPCB_POWER_DOWN;
-+
-+ at91_ramc_write(0, AT91_DDRSDRC_LPR, lpr0);
-+
-+ cpu_do_idle();
-+
-+ at91_ramc_write(0, AT91_DDRSDRC_LPR, saved_lpr0);
-+}
-+
- /* We manage both DDRAM/SDRAM controllers, we need more than one value to
- * remember.
- */
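Review bot: sama5d3_ddr_standby() has no comment explaining why it programs AT91_DDRSDRC_LPCB_POWER_DOWN rather than self-refresh, or why it touches only controller 0 while at91_ddr_standby() just above also restores controller 1. A short header comment giving the reason (the self-refresh exit and re-enter sequence can hang the SoC on these controllers) would stop the two functions from being merged back together later.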
-@@ -320,7 +336,7 @@ static const struct of_device_id const ramc_ids[] __initconst = {
- { .compatible = "atmel,at91rm9200-sdramc", .data = at91rm9200_standby },
- { .compatible = "atmel,at91sam9260-sdramc", .data = at91sam9_sdram_standby },
- { .compatible = "atmel,at91sam9g45-ddramc", .data = at91_ddr_standby },
-- { .compatible = "atmel,sama5d3-ddramc", .data = at91_ddr_standby },
-+ { .compatible = "atmel,sama5d3-ddramc", .data = sama5d3_ddr_standby },
- { /*sentinel*/ }
- };
-
---
-2.12.2
-
-From e1af444e52ce1b08cd6534e61f8da7aa55b31880 Mon Sep 17 00:00:00 2001
-From: Nicolas Ferre <nicolas.ferre@atmel.com>
-Date: Tue, 26 Jan 2016 17:30:18 +0100
-Subject: [PATCH 179/251] ARM: dts: at91: sama5d2: add dma properties to UART
- nodes
-Content-Length: 3124
-Lines: 89
-
-commit b1708b72a0959a032cd2eebb77fa9086ea3e0c84 upstream.
-
-The dmas/dma-names properties are added to the UART nodes. Note that additional
-properties are needed to enable them at the board level: check bindings for
-details.
-
-Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
-Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/boot/dts/sama5d2.dtsi | 35 +++++++++++++++++++++++++++++++++++
- 1 file changed, 35 insertions(+)
-
-diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi
-index 4dfca8fc49b3..1bc61ece2589 100644
---- a/arch/arm/boot/dts/sama5d2.dtsi
-+++ b/arch/arm/boot/dts/sama5d2.dtsi
-@@ -856,6 +856,13 @@
- compatible = "atmel,at91sam9260-usart";
- reg = <0xf801c000 0x100>;
- interrupts = <24 IRQ_TYPE_LEVEL_HIGH 7>;
-+ dmas = <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(35))>,
-+ <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(36))>;
-+ dma-names = "tx", "rx";
- clocks = <&uart0_clk>;
- clock-names = "usart";
- status = "disabled";
-@@ -865,6 +872,13 @@
- compatible = "atmel,at91sam9260-usart";
- reg = <0xf8020000 0x100>;
- interrupts = <25 IRQ_TYPE_LEVEL_HIGH 7>;
-+ dmas = <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(37))>,
-+ <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(38))>;
-+ dma-names = "tx", "rx";
- clocks = <&uart1_clk>;
- clock-names = "usart";
- status = "disabled";
-@@ -874,6 +888,13 @@
- compatible = "atmel,at91sam9260-usart";
- reg = <0xf8024000 0x100>;
- interrupts = <26 IRQ_TYPE_LEVEL_HIGH 7>;
-+ dmas = <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(39))>,
-+ <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(40))>;
-+ dma-names = "tx", "rx";
- clocks = <&uart2_clk>;
- clock-names = "usart";
- status = "disabled";
-@@ -985,6 +1006,13 @@
- compatible = "atmel,at91sam9260-usart";
- reg = <0xfc008000 0x100>;
- interrupts = <27 IRQ_TYPE_LEVEL_HIGH 7>;
-+ dmas = <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(41))>,
-+ <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(42))>;
-+ dma-names = "tx", "rx";
- clocks = <&uart3_clk>;
- clock-names = "usart";
- status = "disabled";
-@@ -993,6 +1021,13 @@
- uart4: serial@fc00c000 {
- compatible = "atmel,at91sam9260-usart";
- reg = <0xfc00c000 0x100>;
-+ dmas = <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(43))>,
-+ <&dma0
-+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) |
-+ AT91_XDMAC_DT_PERID(44))>;
-+ dma-names = "tx", "rx";
- interrupts = <28 IRQ_TYPE_LEVEL_HIGH 7>;
- clocks = <&uart4_clk>;
- clock-names = "usart";
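Review bot: In the uart4 node the new `dmas` and `dma-names` properties are placed before `interrupts`, whereas the other four nodes touched by this patch put them after it. Move them below the `interrupts` line so all five UART nodes keep the same property order.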
---
-2.12.2
-
From 17503963206584333b674740ba75b5079ea7e196 Mon Sep 17 00:00:00 2001
From: Viresh Kumar <viresh.kumar@linaro.org>
Date: Tue, 21 Mar 2017 11:36:06 +0530
--
2.12.2
-From 6e174bbd0631865acc193804fa4043852f3198c5 Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:53 +0100
-Subject: [PATCH 215/251] c6x/ptrace: Remove useless PTRACE_SETREGSET
- implementation
-Content-Length: 2142
-Lines: 78
-
-commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream.
-
-gpr_set won't work correctly and can never have been tested, and the
-correct behaviour is not clear due to the endianness-dependent task
-layout.
-
-So, just remove it. The core code will now return -EOPNOTSUPPORT when
-trying to set NT_PRSTATUS on this architecture until/unless a correct
-implementation is supplied.
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/c6x/kernel/ptrace.c | 41 -----------------------------------------
- 1 file changed, 41 deletions(-)
-
-diff --git a/arch/c6x/kernel/ptrace.c b/arch/c6x/kernel/ptrace.c
-index 3c494e84444d..a511ac16a8e3 100644
---- a/arch/c6x/kernel/ptrace.c
-+++ b/arch/c6x/kernel/ptrace.c
-@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *target,
- 0, sizeof(*regs));
- }
-
--static int gpr_set(struct task_struct *target,
-- const struct user_regset *regset,
-- unsigned int pos, unsigned int count,
-- const void *kbuf, const void __user *ubuf)
--{
-- int ret;
-- struct pt_regs *regs = task_pt_regs(target);
--
-- /* Don't copyin TSR or CSR */
-- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-- ®s,
-- 0, PT_TSR * sizeof(long));
-- if (ret)
-- return ret;
--
-- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
-- PT_TSR * sizeof(long),
-- (PT_TSR + 1) * sizeof(long));
-- if (ret)
-- return ret;
--
-- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-- ®s,
-- (PT_TSR + 1) * sizeof(long),
-- PT_CSR * sizeof(long));
-- if (ret)
-- return ret;
--
-- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
-- PT_CSR * sizeof(long),
-- (PT_CSR + 1) * sizeof(long));
-- if (ret)
-- return ret;
--
-- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-- ®s,
-- (PT_CSR + 1) * sizeof(long), -1);
-- return ret;
--}
--
- enum c6x_regset {
- REGSET_GPR,
- };
-@@ -120,7 +80,6 @@ static const struct user_regset c6x_regsets[] = {
- .size = sizeof(u32),
- .align = sizeof(u32),
- .get = gpr_get,
-- .set = gpr_set
- },
- };
-
---
-2.12.2
-
-From e1dc8904b33b8c01f22d904fed4cb5f2060f5da3 Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:54 +0100
-Subject: [PATCH 216/251] h8300/ptrace: Fix incorrect register transfer count
-Content-Length: 1903
-Lines: 51
-
-commit 502585c7555083d4a949c08350306b9ec196779e upstream.
-
-regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
-if CONFIG_CPU_H8S is set, since this adds an extra entry to
-register_offset[] but not to user_regs_struct.
-
-So, iterate over user_regs_struct based on its actual size, not based on
-the length of register_offset[].
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/h8300/kernel/ptrace.c | 8 +++++---
- 1 file changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/arch/h8300/kernel/ptrace.c b/arch/h8300/kernel/ptrace.c
-index 92075544a19a..0dc1c8f622bc 100644
---- a/arch/h8300/kernel/ptrace.c
-+++ b/arch/h8300/kernel/ptrace.c
-@@ -95,7 +95,8 @@ static int regs_get(struct task_struct *target,
- long *reg = (long *)®s;
-
- /* build user regs in buffer */
-- for (r = 0; r < ARRAY_SIZE(register_offset); r++)
-+ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0);
-+ for (r = 0; r < sizeof(regs) / sizeof(long); r++)
- *reg++ = h8300_get_reg(target, r);
-
- return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
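Review bot: the new loop bound sizeof(regs) / sizeof(long) in regs_get() is checked only for divisibility; nothing in the hunk asserts that it stays within the table that h8300_get_reg(target, r) consults for index r. The commit message says register_offset[] and user_regs_struct already differ in length under CONFIG_CPU_H8S, so if h8300_get_reg() indexes register_offset[], a second BUILD_BUG_ON that the count does not exceed ARRAY_SIZE(register_offset) would turn any future drift in the other direction into a build failure rather than an out-of-bounds access. The same expression is repeated in three loops in this patch; one named constant would keep them in step.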
-@@ -113,7 +114,8 @@ static int regs_set(struct task_struct *target,
- long *reg;
-
- /* build user regs in buffer */
-- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++)
-+ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0);
-+ for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++)
- *reg++ = h8300_get_reg(target, r);
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
-@@ -122,7 +124,7 @@ static int regs_set(struct task_struct *target,
- return ret;
-
- /* write back to pt_regs */
-- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++)
-+ for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++)
- h8300_put_reg(target, r, *reg++);
- return 0;
- }
---
-2.12.2
-
-From c8693666856c0db4a1e07235d98ce0b3bde98d9e Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:58 +0100
-Subject: [PATCH 217/251] mips/ptrace: Preserve previous registers for short
- regset write
-Content-Length: 1082
-Lines: 28
-
-commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream.
-
-Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
-to fill all the registers, the thread's old registers are preserved.
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/mips/kernel/ptrace.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
-index 74d581569778..c95bf18260f8 100644
---- a/arch/mips/kernel/ptrace.c
-+++ b/arch/mips/kernel/ptrace.c
-@@ -485,7 +485,8 @@ static int fpr_set(struct task_struct *target,
- &target->thread.fpu,
- 0, sizeof(elf_fpregset_t));
-
-- for (i = 0; i < NUM_FPU_REGS; i++) {
-+ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
-+ for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
- err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &fpr_val, i * sizeof(elf_fpreg_t),
- (i + 1) * sizeof(elf_fpreg_t));
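Review bot: with "count >= sizeof(elf_fpreg_t)" added to the loop condition in fpr_set(), a write whose length is not a whole number of registers leaves a tail shorter than one elf_fpreg_t unconsumed, and the visible lines do not show whether the caller gets an error or a silent success for it. State the intended behaviour in a comment above the loop, and if a partial final register should be rejected, test count after the loop. The BUILD_BUG_ON on sizeof(fpr_val) is a sound guard for the per-register copy.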
---
-2.12.2
-
-From 962b95a88574359b081e24815fae6aba92fff98d Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:59 +0100
-Subject: [PATCH 218/251] sparc/ptrace: Preserve previous registers for short
- regset write
-Content-Length: 923
-Lines: 28
-
-commit d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream.
-
-Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
-to fill all the registers, the thread's old registers are preserved.
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Acked-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/sparc/kernel/ptrace_64.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
-index 9ddc4928a089..c1566170964f 100644
---- a/arch/sparc/kernel/ptrace_64.c
-+++ b/arch/sparc/kernel/ptrace_64.c
-@@ -311,7 +311,7 @@ static int genregs64_set(struct task_struct *target,
- }
-
- if (!ret) {
-- unsigned long y;
-+ unsigned long y = regs->y;
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &y,
---
-2.12.2
-
-From 2d9bc3695012f1ef7465f56302c1e60c48dccde8 Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:55 +0100
-Subject: [PATCH 219/251] metag/ptrace: Preserve previous registers for short
- regset write
-Content-Length: 976
-Lines: 28
-
-commit a78ce80d2c9178351b34d78fec805140c29c193e upstream.
-
-Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
-to fill all the registers, the thread's old registers are preserved.
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Acked-by: James Hogan <james.hogan@imgtec.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/metag/kernel/ptrace.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
-index 7563628822bd..ae659ba61948 100644
---- a/arch/metag/kernel/ptrace.c
-+++ b/arch/metag/kernel/ptrace.c
-@@ -303,7 +303,7 @@ static int metag_tls_set(struct task_struct *target,
- const void *kbuf, const void __user *ubuf)
- {
- int ret;
-- void __user *tls;
-+ void __user *tls = target->thread.tls_ptr;
-
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1);
- if (ret)
---
-2.12.2
-
-From e441102d8c074d63d44329a59f3278573cdc1477 Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:56 +0100
-Subject: [PATCH 220/251] metag/ptrace: Provide default TXSTATUS for short
- NT_PRSTATUS
-Content-Length: 1755
-Lines: 56
-
-commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream.
-
-Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
-to fill TXSTATUS, a well-defined default value is used, based on the
-task's current value.
-
-Suggested-by: James Hogan <james.hogan@imgtec.com>
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/metag/kernel/ptrace.c | 15 ++++++++++++---
- 1 file changed, 12 insertions(+), 3 deletions(-)
-
-diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
-index ae659ba61948..2e4dfc15abd3 100644
---- a/arch/metag/kernel/ptrace.c
-+++ b/arch/metag/kernel/ptrace.c
-@@ -24,6 +24,16 @@
- * user_regset definitions.
- */
-
-+static unsigned long user_txstatus(const struct pt_regs *regs)
-+{
-+ unsigned long data = (unsigned long)regs->ctx.Flags;
-+
-+ if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
-+ data |= USER_GP_REGS_STATUS_CATCH_BIT;
-+
-+ return data;
-+}
-+
- int metag_gp_regs_copyout(const struct pt_regs *regs,
- unsigned int pos, unsigned int count,
- void *kbuf, void __user *ubuf)
-@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct pt_regs *regs,
- if (ret)
- goto out;
- /* TXSTATUS */
-- data = (unsigned long)regs->ctx.Flags;
-- if (regs->ctx.SaveMask & TBICTX_CBUF_BIT)
-- data |= USER_GP_REGS_STATUS_CATCH_BIT;
-+ data = user_txstatus(regs);
- ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
- &data, 4*25, 4*26);
- if (ret)
-@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs *regs,
- if (ret)
- goto out;
- /* TXSTATUS */
-+ data = user_txstatus(regs);
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &data, 4*25, 4*26);
- if (ret)
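Review bot: in metag_gp_regs_copyin() the new "data = user_txstatus(regs);" exists only so that a short write leaves TXSTATUS at the task's current value, but nothing next to it says so and the line reads as a dead store that the following copyin overwrites. A one-line comment saying it is the default for a short NT_PRSTATUS write would stop it being removed later. The default can carry USER_GP_REGS_STATUS_CATCH_BIT (set when TBICTX_CBUF_BIT is in SaveMask), so it is worth confirming that the code after the copyin handles that bit when it comes from the default rather than from userspace.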
---
-2.12.2
-
-From 573341eba9c44b0b2198373cb453bbbb5b3f066a Mon Sep 17 00:00:00 2001
-From: Dave Martin <Dave.Martin@arm.com>
-Date: Mon, 27 Mar 2017 15:10:57 +0100
-Subject: [PATCH 221/251] metag/ptrace: Reject partial NT_METAG_RPIPE writes
-Content-Length: 1069
-Lines: 31
-
-commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream.
-
-It's not clear what behaviour is sensible when doing partial write of
-NT_METAG_RPIPE, so just don't bother.
-
-This patch assumes that userspace will never rely on a partial SETREGSET
-in this case, since it's not clear what should happen anyway.
-
-Signed-off-by: Dave Martin <Dave.Martin@arm.com>
-Acked-by: James Hogan <james.hogan@imgtec.com>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/metag/kernel/ptrace.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c
-index 2e4dfc15abd3..5e2dc7defd2c 100644
---- a/arch/metag/kernel/ptrace.c
-+++ b/arch/metag/kernel/ptrace.c
-@@ -253,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs *regs,
- unsigned long long *ptr;
- int ret, i;
-
-+ if (count < 4*13)
-+ return -EINVAL;
- /* Read the entire pipeline before making any changes */
- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
- &rp, 0, 4*13);
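Review bot: the new guard in metag_rp_state_copyin() tests count alone, so it only guarantees a full pipeline when the write starts at offset 0; the visible lines do not constrain pos, and a nonzero pos with count >= 4*13 would still reach user_regset_copyin() for the 0..4*13 window with less than a full pipeline. Either reject pos != 0 here as well or state in a comment that callers always pass 0. The literal 4*13 now appears in both the check and the copy; a named constant (or sizeof(rp), if rp is exactly that size) would tie the check to the buffer it protects.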
---
-2.12.2
-
-From 7a5202190810dde1467718235c1f650fcf57592a Mon Sep 17 00:00:00 2001
-From: Eric Biggers <ebiggers@google.com>
-Date: Tue, 21 Feb 2017 15:07:11 -0800
-Subject: [PATCH 222/251] fscrypt: remove broken support for detecting keyring
- key revocation
-Content-Length: 10256
-Lines: 300
+From 7a5202190810dde1467718235c1f650fcf57592a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 21 Feb 2017 15:07:11 -0800
+Subject: [PATCH 222/251] fscrypt: remove broken support for detecting keyring
+ key revocation
+Content-Length: 10256
+Lines: 300
commit 1b53cf9815bb4744958d41f3795d5d5a1d365e2d upstream.
--
2.12.2
-From a90d7447e4a154ad26e3b9e09a0878680be49339 Mon Sep 17 00:00:00 2001
-From: Takashi Iwai <tiwai@suse.de>
-Date: Fri, 24 Mar 2017 17:07:57 +0100
-Subject: [PATCH 230/251] ALSA: seq: Fix race during FIFO resize
-Content-Length: 1200
-Lines: 34
-
-commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream.
-
-When a new event is queued while processing to resize the FIFO in
-snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
-that is being queued gets removed. For avoiding this race, we need to
-close the pool to be deleted and sync its usage before actually
-deleting it.
-
-The issue was spotted by syzkaller.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/core/seq/seq_fifo.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c
-index 3f4efcb85df5..3490d21ab9e7 100644
---- a/sound/core/seq/seq_fifo.c
-+++ b/sound/core/seq/seq_fifo.c
-@@ -265,6 +265,10 @@ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize)
- /* NOTE: overflow flag is not cleared */
- spin_unlock_irqrestore(&f->lock, flags);
-
-+ /* close the old pool and wait until all users are gone */
-+ snd_seq_pool_mark_closing(oldpool);
-+ snd_use_lock_sync(&f->use_lock);
-+
- /* release cells in old pool */
- for (cell = oldhead; cell; cell = next) {
- next = cell->next;
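Review bot: the commit message places the race in snd_seq_fifo_clear(), but the hunk changes snd_seq_fifo_resize(); the message should name the function that is actually patched so the fix can be found from the log. In the code, snd_seq_pool_mark_closing(oldpool) runs after spin_unlock_irqrestore(), so the new comment should also say what keeps a new event from picking up oldpool in that window (presumably the pool pointer was already swapped under f->lock, which the hunk does not show).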
---
-2.12.2
-
-From ce3dcfdbff04bab023806ef7a342c657ec08915d Mon Sep 17 00:00:00 2001
-From: Hui Wang <hui.wang@canonical.com>
-Date: Fri, 31 Mar 2017 10:31:40 +0800
-Subject: [PATCH 231/251] ALSA: hda - fix a problem for lineout on a Dell AIO
- machine
-Content-Length: 2380
-Lines: 64
-
-commit 2f726aec19a9d2c63bec9a8a53a3910ffdcd09f8 upstream.
-
-On this Dell AIO machine, the lineout jack does not work.
-
-We found the pin 0x1a is assigned to lineout on this machine, and in
-the past, we applied ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to fix the
-heaset-set mic problem for this machine, this fixup will redefine
-the pin 0x1a to headphone-mic, as a result the lineout doesn't
-work anymore.
-
-After consulting with Dell, they told us this machine doesn't support
-microphone via headset jack, so we add a new fixup which only defines
-the pin 0x18 as the headset-mic.
-
-[rearranged the fixup insertion position by tiwai in order to make the
- merge with other branches easier -- tiwai]
-
-Fixes: 59ec4b57bcae ("ALSA: hda - Fix headset mic detection problem for two dell machines")
-Signed-off-by: Hui Wang <hui.wang@canonical.com>
-Signed-off-by: Takashi Iwai <tiwai@suse.de>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/pci/hda/patch_realtek.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
-index 1d4f34379f56..46a34039ecdc 100644
---- a/sound/pci/hda/patch_realtek.c
-+++ b/sound/pci/hda/patch_realtek.c
-@@ -4831,6 +4831,7 @@ enum {
- ALC292_FIXUP_DISABLE_AAMIX,
- ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK,
- ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
-+ ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
- ALC275_FIXUP_DELL_XPS,
- ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE,
- ALC293_FIXUP_LENOVO_SPK_NOISE,
-@@ -5429,6 +5430,15 @@ static const struct hda_fixup alc269_fixups[] = {
- .chained = true,
- .chain_id = ALC269_FIXUP_HEADSET_MODE
- },
-+ [ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE] = {
-+ .type = HDA_FIXUP_PINS,
-+ .v.pins = (const struct hda_pintbl[]) {
-+ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */
-+ { }
-+ },
-+ .chained = true,
-+ .chain_id = ALC269_FIXUP_HEADSET_MODE
-+ },
- [ALC275_FIXUP_DELL_XPS] = {
- .type = HDA_FIXUP_VERBS,
- .v.verbs = (const struct hda_verb[]) {
-@@ -5501,7 +5511,7 @@ static const struct hda_fixup alc269_fixups[] = {
- .type = HDA_FIXUP_FUNC,
- .v.func = alc298_fixup_speaker_volume,
- .chained = true,
-- .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
-+ .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE,
- },
- [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = {
- .type = HDA_FIXUP_PINS,
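Review bot: this hunk repoints the chain_id of the existing alc298_fixup_speaker_volume entry from ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to the new ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, which changes the pin setup for every machine whose quirk selects that entry, not only the Dell AIO named in the commit message. The hunk does not show which quirk entries use it; list them in the commit message, or confirm that none of them relied on the pin 0x1a headphone-mic configuration that the old chain applied.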
---
-2.12.2
-
-From ab48ab614b8c83f3a3b0f83f7882b1d2766962d3 Mon Sep 17 00:00:00 2001
-From: Songjun Wu <songjun.wu@microchip.com>
-Date: Fri, 24 Feb 2017 15:10:43 +0800
-Subject: [PATCH 232/251] ASoC: atmel-classd: fix audio clock rate
-Content-Length: 994
-Lines: 28
-
-commit cd3ac9affc43b44f49d7af70d275f0bd426ba643 upstream.
-
-Fix the audio clock rate according to the datasheet.
-
-Reported-by: Dushara Jayasinghe <dushara@successful.com.au>
-Signed-off-by: Songjun Wu <songjun.wu@microchip.com>
-Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
-Signed-off-by: Mark Brown <broonie@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- sound/soc/atmel/atmel-classd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/sound/soc/atmel/atmel-classd.c b/sound/soc/atmel/atmel-classd.c
-index 8276675730ef..78a985629607 100644
---- a/sound/soc/atmel/atmel-classd.c
-+++ b/sound/soc/atmel/atmel-classd.c
-@@ -343,7 +343,7 @@ static int atmel_classd_codec_dai_digital_mute(struct snd_soc_dai *codec_dai,
- }
-
- #define CLASSD_ACLK_RATE_11M2896_MPY_8 (112896 * 100 * 8)
--#define CLASSD_ACLK_RATE_12M288_MPY_8 (12228 * 1000 * 8)
-+#define CLASSD_ACLK_RATE_12M288_MPY_8 (12288 * 1000 * 8)
-
- static struct {
- int rate;
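Review bot: the two rate macros spell their frequencies in different forms ("112896 * 100 * 8" and "12288 * 1000 * 8"), and the transposed digit fixed here is the kind of slip that form invites. Writing both as the full value in Hz, for example "11289600 * 8" and "12288000 * 8", makes each checkable against its macro name at a glance.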
---
-2.12.2
-
From 3342857ac074768e14e361392ac09fbbd70d840e Mon Sep 17 00:00:00 2001
From: Josh Poimboeuf <jpoimboe@redhat.com>
Date: Thu, 16 Mar 2017 08:56:28 -0500
--
2.12.2
-From b3ed3864912e8809e228ddea259e8e0fa1deadf5 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
-Date: Sat, 2 Jul 2016 17:28:08 +0200
-Subject: [PATCH 242/251] rtc: s35390a: fix reading out alarm
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 3107
-Lines: 91
+From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001
+From: David Hildenbrand <david@redhat.com>
+Date: Thu, 23 Mar 2017 18:24:19 +0100
+Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail
+Content-Length: 5392
+Lines: 167
-commit f87e904ddd8f0ef120e46045b0addeb1cc88354e upstream.
+commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
-There are several issues fixed in this patch:
+No caller currently checks the return value of
+kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
+freeing their device. A stale reference will remain in the io_bus,
+getting at least used again, when the iobus gets teared down on
+kvm_destroy_vm() - leading to use after free errors.
- - When alarm isn't enabled, set .enabled to zero instead of returning
- -EINVAL.
- - Ignore how IRQ1 is configured when determining if IRQ2 is on.
- - The three alarm registers have an enable flag which must be
- evaluated.
- - The chip always triggers when the seconds register gets 0.
+There is nothing the callers could do, except retrying over and over
+again.
-Note that the rtc framework however doesn't handle the result correctly
-because it doesn't check wday being initialized and so interprets an
-alarm being set for 10:00 AM in three days as 10:00 AM tomorrow (or
-today if that's not over yet).
+So let's simply remove the bus altogether, print an error and make
+sure no one can access this broken bus again (returning -ENOMEM on any
+attempt to access it).
-Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
-Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
+Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
+Signed-off-by: David Hildenbrand <david@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- drivers/rtc/rtc-s35390a.c | 40 +++++++++++++++++++++++++++++++---------
- 1 file changed, 31 insertions(+), 9 deletions(-)
+ include/linux/kvm_host.h | 4 ++--
+ virt/kvm/eventfd.c | 3 ++-
+ virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++-----------------
+ 3 files changed, 27 insertions(+), 20 deletions(-)
-diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
-index f40afdd0e5f5..6507a01cf9ad 100644
---- a/drivers/rtc/rtc-s35390a.c
-+++ b/drivers/rtc/rtc-s35390a.c
-@@ -242,6 +242,8 @@ static int s35390a_set_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
-
- if (alm->time.tm_wday != -1)
- buf[S35390A_ALRM_BYTE_WDAY] = bin2bcd(alm->time.tm_wday) | 0x80;
-+ else
-+ buf[S35390A_ALRM_BYTE_WDAY] = 0;
-
- buf[S35390A_ALRM_BYTE_HOURS] = s35390a_hr2reg(s35390a,
- alm->time.tm_hour) | 0x80;
-@@ -269,23 +271,43 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
- if (err < 0)
- return err;
-
-- if (bitrev8(sts) != S35390A_INT2_MODE_ALARM)
-- return -EINVAL;
-+ if ((bitrev8(sts) & S35390A_INT2_MODE_MASK) != S35390A_INT2_MODE_ALARM) {
-+ /*
-+ * When the alarm isn't enabled, the register to configure
-+ * the alarm time isn't accessible.
-+ */
-+ alm->enabled = 0;
-+ return 0;
-+ } else {
-+ alm->enabled = 1;
-+ }
-
- err = s35390a_get_reg(s35390a, S35390A_CMD_INT2_REG1, buf, sizeof(buf));
- if (err < 0)
- return err;
+diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
+index c923350ca20a..d7ce4e3280db 100644
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
+ int len, void *val);
+ int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
+ int len, struct kvm_io_device *dev);
+-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
+- struct kvm_io_device *dev);
++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
++ struct kvm_io_device *dev);
- /* This chip returns the bits of each byte in reverse order */
-- for (i = 0; i < 3; ++i) {
-+ for (i = 0; i < 3; ++i)
- buf[i] = bitrev8(buf[i]);
-- buf[i] &= ~0x80;
-- }
-
-- alm->time.tm_wday = bcd2bin(buf[S35390A_ALRM_BYTE_WDAY]);
-- alm->time.tm_hour = s35390a_reg2hr(s35390a,
-- buf[S35390A_ALRM_BYTE_HOURS]);
-- alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS]);
-+ /*
-+ * B0 of the three matching registers is an enable flag. Iff it is set
-+ * the configured value is used for matching.
-+ */
-+ if (buf[S35390A_ALRM_BYTE_WDAY] & 0x80)
-+ alm->time.tm_wday =
-+ bcd2bin(buf[S35390A_ALRM_BYTE_WDAY] & ~0x80);
-+
-+ if (buf[S35390A_ALRM_BYTE_HOURS] & 0x80)
-+ alm->time.tm_hour =
-+ s35390a_reg2hr(s35390a,
-+ buf[S35390A_ALRM_BYTE_HOURS] & ~0x80);
-+
-+ if (buf[S35390A_ALRM_BYTE_MINS] & 0x80)
-+ alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS] & ~0x80);
-+
-+ /* alarm triggers always at s=0 */
-+ alm->time.tm_sec = 0;
-
- dev_dbg(&client->dev, "%s: alm is mins=%d, hours=%d, wday=%d\n",
- __func__, alm->time.tm_min, alm->time.tm_hour,
---
-2.12.2
-
-From fdd4bc9313e59a1757cfc8ac5836cff55ec03eeb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
-Date: Mon, 3 Apr 2017 23:32:38 +0200
-Subject: [PATCH 243/251] rtc: s35390a: make sure all members in the output are
- set
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 1582
-Lines: 45
-
-The rtc core calls the .read_alarm with all fields initialized to 0. As
-the s35390a driver doesn't touch some fields the returned date is
-interpreted as a date in January 1900. So make sure all fields are set
-to -1; some of them are then overwritten with the right data depending
-on the hardware state.
-
-In mainline this is done by commit d68778b80dd7 ("rtc: initialize output
-parameter for read alarm to "uninitialized"") in the core. This is
-considered to dangerous for stable as it might have side effects for
-other rtc drivers that might for example rely on alarm->time.tm_sec
-being initialized to 0.
-
-Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/rtc/rtc-s35390a.c | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
-index 6507a01cf9ad..47b88bbe4ce7 100644
---- a/drivers/rtc/rtc-s35390a.c
-+++ b/drivers/rtc/rtc-s35390a.c
-@@ -267,6 +267,20 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm)
- char buf[3], sts;
- int i, err;
-
-+ /*
-+ * initialize all members to -1 to signal the core that they are not
-+ * defined by the hardware.
-+ */
-+ alm->time.tm_sec = -1;
-+ alm->time.tm_min = -1;
-+ alm->time.tm_hour = -1;
-+ alm->time.tm_mday = -1;
-+ alm->time.tm_mon = -1;
-+ alm->time.tm_year = -1;
-+ alm->time.tm_wday = -1;
-+ alm->time.tm_yday = -1;
-+ alm->time.tm_isdst = -1;
-+
- err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS2, &sts, sizeof(sts));
- if (err < 0)
- return err;
---
-2.12.2
-
-From a55ae9d1937b0bf4004e5416cfa15750cd6d2b22 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
-Date: Sat, 2 Jul 2016 17:28:09 +0200
-Subject: [PATCH 244/251] rtc: s35390a: implement reset routine as suggested by
- the reference
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 3792
-Lines: 124
-
-commit 8e6583f1b5d1f5f129b873f1428b7e414263d847 upstream.
-
-There were two deviations from the reference manual: you have to wait
-half a second when POC is active and you might have to repeat
-initialization when POC or BLD are still set after the sequence.
-
-Note however that as POC and BLD are cleared by read the driver might
-not be able to detect that a reset is necessary. I don't have a good
-idea how to fix this.
-
-Additionally report the value read from STATUS1 to the caller. This
-prepares the next patch.
-
-Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
-Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/rtc/rtc-s35390a.c | 65 +++++++++++++++++++++++++++++++++++++++--------
- 1 file changed, 55 insertions(+), 10 deletions(-)
-
-diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
-index 47b88bbe4ce7..c7c1fce69635 100644
---- a/drivers/rtc/rtc-s35390a.c
-+++ b/drivers/rtc/rtc-s35390a.c
-@@ -15,6 +15,7 @@
- #include <linux/bitrev.h>
- #include <linux/bcd.h>
- #include <linux/slab.h>
-+#include <linux/delay.h>
-
- #define S35390A_CMD_STATUS1 0
- #define S35390A_CMD_STATUS2 1
-@@ -94,19 +95,63 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len)
- return 0;
- }
-
--static int s35390a_reset(struct s35390a *s35390a)
-+/*
-+ * Returns <0 on error, 0 if rtc is setup fine and 1 if the chip was reset.
-+ * To keep the information if an irq is pending, pass the value read from
-+ * STATUS1 to the caller.
-+ */
-+static int s35390a_reset(struct s35390a *s35390a, char *status1)
- {
-- char buf[1];
-+ char buf;
-+ int ret;
-+ unsigned initcount = 0;
-
-- if (s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf)) < 0)
-- return -EIO;
-+ ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, status1, 1);
-+ if (ret < 0)
-+ return ret;
-
-- if (!(buf[0] & (S35390A_FLAG_POC | S35390A_FLAG_BLD)))
-+ if (*status1 & S35390A_FLAG_POC)
-+ /*
-+ * Do not communicate for 0.5 seconds since the power-on
-+ * detection circuit is in operation.
-+ */
-+ msleep(500);
-+ else if (!(*status1 & S35390A_FLAG_BLD))
-+ /*
-+ * If both POC and BLD are unset everything is fine.
-+ */
- return 0;
-
-- buf[0] |= (S35390A_FLAG_RESET | S35390A_FLAG_24H);
-- buf[0] &= 0xf0;
-- return s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf));
-+ /*
-+ * At least one of POC and BLD are set, so reinitialise chip. Keeping
-+ * this information in the hardware to know later that the time isn't
-+ * valid is unfortunately not possible because POC and BLD are cleared
-+ * on read. So the reset is best done now.
-+ *
-+ * The 24H bit is kept over reset, so set it already here.
-+ */
-+initialize:
-+ *status1 = S35390A_FLAG_24H;
-+ buf = S35390A_FLAG_RESET | S35390A_FLAG_24H;
-+ ret = s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1);
-+
-+ if (ret < 0)
-+ return ret;
-+
-+ ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1);
-+ if (ret < 0)
-+ return ret;
-+
-+ if (buf & (S35390A_FLAG_POC | S35390A_FLAG_BLD)) {
-+ /* Try up to five times to reset the chip */
-+ if (initcount < 5) {
-+ ++initcount;
-+ goto initialize;
-+ } else
-+ return -EIO;
-+ }
-+
-+ return 1;
- }
-
- static int s35390a_disable_test_mode(struct s35390a *s35390a)
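Review bot: the retry comment in s35390a_reset() says "Try up to five times to reset the chip", but initcount starts at 0 and the "initcount < 5" test is made after the first write, so the reset sequence can run six times before -EIO is returned. Change either the bound or the comment, and consider replacing the backward "goto initialize" with a bounded for loop so the attempt count is visible in one place. The retries also go back to the chip immediately; if the 0.5 second wait for POC matters on the first pass, say why it is not needed between attempts.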
-@@ -367,7 +412,7 @@ static int s35390a_probe(struct i2c_client *client,
- unsigned int i;
- struct s35390a *s35390a;
- struct rtc_time tm;
-- char buf[1];
-+ char buf[1], status1;
-
- if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
- err = -ENODEV;
-@@ -396,7 +441,7 @@ static int s35390a_probe(struct i2c_client *client,
- }
- }
-
-- err = s35390a_reset(s35390a);
-+ err = s35390a_reset(s35390a, &status1);
- if (err < 0) {
- dev_err(&client->dev, "error resetting chip\n");
- goto exit_dummy;
---
-2.12.2
-
-From 3a1246b46df5210164ee43d4c5c560d0dc9ed2ce Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <uwe@kleine-koenig.org>
-Date: Sat, 2 Jul 2016 17:28:10 +0200
-Subject: [PATCH 245/251] rtc: s35390a: improve irq handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-Content-Length: 3693
-Lines: 120
-
-commit 3bd32722c827d00eafe8e6d5b83e9f3148ea7c7e upstream.
-
-On some QNAP NAS devices the rtc can wake the machine. Several people
-noticed that once the machine was woken this way it fails to shut down.
-That's because the driver fails to acknowledge the interrupt and so it
-keeps active and restarts the machine immediatly after shutdown. See
-https://bugs.debian.org/794266 for a bug report.
-
-Doing this correctly requires to interpret the INT2 flag of the first read
-of the STATUS1 register because this bit is cleared by read.
-
-Note this is not maximally robust though because a pending irq isn't
-detected when the STATUS1 register was already read (and so INT2 is not
-set) but the irq was not disabled. But that is a hardware imposed problem
-that cannot easily be fixed by software.
-
-Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
-Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/rtc/rtc-s35390a.c | 48 ++++++++++++++++++++++++++++++-----------------
- 1 file changed, 31 insertions(+), 17 deletions(-)
-
-diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c
-index c7c1fce69635..00662dd28d66 100644
---- a/drivers/rtc/rtc-s35390a.c
-+++ b/drivers/rtc/rtc-s35390a.c
-@@ -35,10 +35,14 @@
- #define S35390A_ALRM_BYTE_HOURS 1
- #define S35390A_ALRM_BYTE_MINS 2
-
-+/* flags for STATUS1 */
- #define S35390A_FLAG_POC 0x01
- #define S35390A_FLAG_BLD 0x02
-+#define S35390A_FLAG_INT2 0x04
- #define S35390A_FLAG_24H 0x40
- #define S35390A_FLAG_RESET 0x80
-+
-+/* flag for STATUS2 */
- #define S35390A_FLAG_TEST 0x01
-
- #define S35390A_INT2_MODE_MASK 0xF0
-@@ -408,11 +412,11 @@ static struct i2c_driver s35390a_driver;
- static int s35390a_probe(struct i2c_client *client,
- const struct i2c_device_id *id)
- {
-- int err;
-+ int err, err_reset;
- unsigned int i;
- struct s35390a *s35390a;
- struct rtc_time tm;
-- char buf[1], status1;
-+ char buf, status1;
-
- if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) {
- err = -ENODEV;
-@@ -441,29 +445,35 @@ static int s35390a_probe(struct i2c_client *client,
- }
- }
-
-- err = s35390a_reset(s35390a, &status1);
-- if (err < 0) {
-+ err_reset = s35390a_reset(s35390a, &status1);
-+ if (err_reset < 0) {
-+ err = err_reset;
- dev_err(&client->dev, "error resetting chip\n");
- goto exit_dummy;
- }
-
-- err = s35390a_disable_test_mode(s35390a);
-- if (err < 0) {
-- dev_err(&client->dev, "error disabling test mode\n");
-- goto exit_dummy;
-- }
--
-- err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf));
-- if (err < 0) {
-- dev_err(&client->dev, "error checking 12/24 hour mode\n");
-- goto exit_dummy;
-- }
-- if (buf[0] & S35390A_FLAG_24H)
-+ if (status1 & S35390A_FLAG_24H)
- s35390a->twentyfourhour = 1;
- else
- s35390a->twentyfourhour = 0;
-
-- if (s35390a_get_datetime(client, &tm) < 0)
-+ if (status1 & S35390A_FLAG_INT2) {
-+ /* disable alarm (and maybe test mode) */
-+ buf = 0;
-+ err = s35390a_set_reg(s35390a, S35390A_CMD_STATUS2, &buf, 1);
-+ if (err < 0) {
-+ dev_err(&client->dev, "error disabling alarm");
-+ goto exit_dummy;
-+ }
-+ } else {
-+ err = s35390a_disable_test_mode(s35390a);
-+ if (err < 0) {
-+ dev_err(&client->dev, "error disabling test mode\n");
-+ goto exit_dummy;
-+ }
-+ }
-+
-+ if (err_reset > 0 || s35390a_get_datetime(client, &tm) < 0)
- dev_warn(&client->dev, "clock needs to be set\n");
-
- device_set_wakeup_capable(&client->dev, 1);
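Review bot: The new dev_err() call in the INT2 branch, "error disabling alarm", lacks the trailing "\n" that the other messages in this probe function carry ("error resetting chip\n", "error disabling test mode\n"); add it so the log line is terminated. The comment "disable alarm (and maybe test mode)" could also say why a single write of 0 to STATUS2 is enough here, since it replaces the s35390a_disable_test_mode() call on this path.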
-@@ -476,6 +486,10 @@ static int s35390a_probe(struct i2c_client *client,
- err = PTR_ERR(s35390a->rtc);
- goto exit_dummy;
- }
-+
-+ if (status1 & S35390A_FLAG_INT2)
-+ rtc_update_irq(s35390a->rtc, 1, RTC_AF);
-+
- return 0;
-
- exit_dummy:
---
-2.12.2
-
-From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001
-From: David Hildenbrand <david@redhat.com>
-Date: Thu, 23 Mar 2017 18:24:19 +0100
-Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail
-Content-Length: 5392
-Lines: 167
-
-commit 90db10434b163e46da413d34db8d0e77404cc645 upstream.
-
-No caller currently checks the return value of
-kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
-freeing their device. A stale reference will remain in the io_bus,
-getting at least used again, when the iobus gets teared down on
-kvm_destroy_vm() - leading to use after free errors.
-
-There is nothing the callers could do, except retrying over and over
-again.
-
-So let's simply remove the bus altogether, print an error and make
-sure no one can access this broken bus again (returning -ENOMEM on any
-attempt to access it).
-
-Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU")
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
-Signed-off-by: David Hildenbrand <david@redhat.com>
-Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- include/linux/kvm_host.h | 4 ++--
- virt/kvm/eventfd.c | 3 ++-
- virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++-----------------
- 3 files changed, 27 insertions(+), 20 deletions(-)
-
-diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
-index c923350ca20a..d7ce4e3280db 100644
---- a/include/linux/kvm_host.h
-+++ b/include/linux/kvm_host.h
-@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr,
- int len, void *val);
- int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr,
- int len, struct kvm_io_device *dev);
--int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-- struct kvm_io_device *dev);
-+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx,
-+ struct kvm_io_device *dev);
-
- #ifdef CONFIG_KVM_ASYNC_PF
- struct kvm_async_pf {
-diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
-index 46dbc0a7dfc1..49001fa84ead 100644
---- a/virt/kvm/eventfd.c
-+++ b/virt/kvm/eventfd.c
-@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
- continue;
+ #ifdef CONFIG_KVM_ASYNC_PF
+ struct kvm_async_pf {
+diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c
+index 46dbc0a7dfc1..49001fa84ead 100644
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx,
+ continue;
kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev);
- kvm->buses[bus_idx]->ioeventfd_count--;
--
2.12.2
-From 0f5d17253b2868a3e75d623dcb2514e305bc7447 Mon Sep 17 00:00:00 2001
-From: Heiko Carstens <heiko.carstens@de.ibm.com>
-Date: Mon, 27 Mar 2017 09:48:04 +0200
-Subject: [PATCH 26/52] s390/uaccess: get_user() should zero on failure (again)
-Content-Length: 1611
-Lines: 40
-
-commit d09c5373e8e4eaaa09233552cbf75dc4c4f21203 upstream.
-
-Commit fd2d2b191fe7 ("s390: get_user() should zero on failure")
-intended to fix s390's get_user() implementation which did not zero
-the target operand if the read from user space faulted. Unfortunately
-the patch has no effect: the corresponding inline assembly specifies
-that the operand is only written to ("=") and the previous value is
-discarded.
-
-Therefore the compiler is free to and actually does omit the zero
-initialization.
-
-To fix this simply change the contraint modifier to "+", so the
-compiler cannot omit the initialization anymore.
-
-Fixes: c9ca78415ac1 ("s390/uaccess: provide inline variants of get_user/put_user")
-Fixes: fd2d2b191fe7 ("s390: get_user() should zero on failure")
-Cc: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/include/asm/uaccess.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
-index 5c7381c5ad7f..c8d837f0fbbc 100644
---- a/arch/s390/include/asm/uaccess.h
-+++ b/arch/s390/include/asm/uaccess.h
-@@ -150,7 +150,7 @@ unsigned long __must_check __copy_to_user(void __user *to, const void *from,
- " jg 2b\n" \
- ".popsection\n" \
- EX_TABLE(0b,3b) EX_TABLE(1b,3b) \
-- : "=d" (__rc), "=Q" (*(to)) \
-+ : "=d" (__rc), "+Q" (*(to)) \
- : "d" (size), "Q" (*(from)), \
- "d" (__reg0), "K" (-EFAULT) \
- : "cc"); \
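Review bot: The change from "=Q" to "+Q" on *(to) is a one-character fix with nothing at the site explaining why it matters. Add a short comment next to the output operand list noting that the read-write constraint stops the compiler from dropping the earlier zero initialisation, so that a later cleanup does not turn it back into "=".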
---
-2.12.2
-
-From 765ee8ce4e3d059378aefc40666b024e4cd494f2 Mon Sep 17 00:00:00 2001
-From: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-Date: Mon, 13 Mar 2017 12:14:58 -0300
-Subject: [PATCH 25/52] s390/decompressor: fix initrd corruption caused by bss
- clear
-Content-Length: 3239
-Lines: 81
-
-commit d82c0d12c92705ef468683c9b7a8298dd61ed191 upstream.
-
-Reorder the operations in decompress_kernel() to ensure initrd is moved
-to a safe location before the bss section is zeroed.
-
-During decompression bss can overlap with the initrd and this can
-corrupt the initrd contents depending on the size of the compressed
-kernel (which affects where the initrd is placed by the bootloader) and
-the size of the bss section of the decompressor.
-
-Also use the correct initrd size when checking for overlaps with
-parmblock.
-
-Fixes: 06c0dd72aea3 ([S390] fix boot failures with compressed kernels)
-Reviewed-by: Joy Latten <joy.latten@canonical.com>
-Reviewed-by: Vineetha HariPai <vineetha.hari.pai@canonical.com>
-Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
-Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
-Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/s390/boot/compressed/misc.c | 35 +++++++++++++++++++----------------
- 1 file changed, 19 insertions(+), 16 deletions(-)
-
-diff --git a/arch/s390/boot/compressed/misc.c b/arch/s390/boot/compressed/misc.c
-index 4da604ebf6fd..ca15613eaaa4 100644
---- a/arch/s390/boot/compressed/misc.c
-+++ b/arch/s390/boot/compressed/misc.c
-@@ -141,31 +141,34 @@ static void check_ipl_parmblock(void *start, unsigned long size)
-
- unsigned long decompress_kernel(void)
- {
-- unsigned long output_addr;
-- unsigned char *output;
-+ void *output, *kernel_end;
-
-- output_addr = ((unsigned long) &_end + HEAP_SIZE + 4095UL) & -4096UL;
-- check_ipl_parmblock((void *) 0, output_addr + SZ__bss_start);
-- memset(&_bss, 0, &_ebss - &_bss);
-- free_mem_ptr = (unsigned long)&_end;
-- free_mem_end_ptr = free_mem_ptr + HEAP_SIZE;
-- output = (unsigned char *) output_addr;
-+ output = (void *) ALIGN((unsigned long) &_end + HEAP_SIZE, PAGE_SIZE);
-+ kernel_end = output + SZ__bss_start;
-+ check_ipl_parmblock((void *) 0, (unsigned long) kernel_end);
-
- #ifdef CONFIG_BLK_DEV_INITRD
- /*
- * Move the initrd right behind the end of the decompressed
-- * kernel image.
-+ * kernel image. This also prevents initrd corruption caused by
-+ * bss clearing since kernel_end will always be located behind the
-+ * current bss section..
- */
-- if (INITRD_START && INITRD_SIZE &&
-- INITRD_START < (unsigned long) output + SZ__bss_start) {
-- check_ipl_parmblock(output + SZ__bss_start,
-- INITRD_START + INITRD_SIZE);
-- memmove(output + SZ__bss_start,
-- (void *) INITRD_START, INITRD_SIZE);
-- INITRD_START = (unsigned long) output + SZ__bss_start;
-+ if (INITRD_START && INITRD_SIZE && kernel_end > (void *) INITRD_START) {
-+ check_ipl_parmblock(kernel_end, INITRD_SIZE);
-+ memmove(kernel_end, (void *) INITRD_START, INITRD_SIZE);
-+ INITRD_START = (unsigned long) kernel_end;
- }
- #endif
-
-+ /*
-+ * Clear bss section. free_mem_ptr and free_mem_end_ptr need to be
-+ * initialized afterwards since they reside in bss.
-+ */
-+ memset(&_bss, 0, &_ebss - &_bss);
-+ free_mem_ptr = (unsigned long) &_end;
-+ free_mem_end_ptr = free_mem_ptr + HEAP_SIZE;
-+
- puts("Uncompressing Linux... ");
- __decompress(input_data, input_len, NULL, NULL, output, 0, NULL, error);
- puts("Ok, booting the kernel.\n");
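Review bot: The rewritten comment above the initrd move ends with a doubled period ("current bss section.."); drop one. The same hunk changes the second argument of the initrd check_ipl_parmblock() call from INITRD_START + INITRD_SIZE to INITRD_SIZE; since the prototype in the hunk header is (void *start, unsigned long size), a word in the comment that this argument is a size and not an end address would make that part of the fix self-explanatory.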
---
-2.12.2
-
-From 1c47303355dc970d692f3625839da43f6b969622 Mon Sep 17 00:00:00 2001
-From: Tobias Klauser <tklauser@distanz.ch>
-Date: Sun, 2 Apr 2017 20:08:04 -0700
-Subject: [PATCH 24/52] nios2: reserve boot memory for device tree
-Content-Length: 2379
-Lines: 69
-
-commit 921d701e6f31e1ffaca3560416af1aa04edb4c4f upstream.
-
-Make sure to reserve the boot memory for the flattened device tree.
-Otherwise it might get overwritten, e.g. when initial_boot_params is
-copied, leading to a corrupted FDT and a boot hang/crash:
-
- bootconsole [early0] enabled
- Early console on uart16650 initialized at 0xf8001600
- OF: fdt: Error -11 processing FDT
- Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!
-
- ---[ end Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!
-
-Guenter Roeck says:
-
-> I think I found the problem. In unflatten_and_copy_device_tree(), with added
-> debug information:
->
-> OF: fdt: initial_boot_params=c861e400, dt=c861f000 size=28874 (0x70ca)
->
-> ... and then initial_boot_params is copied to dt, which results in corrupted
-> fdt since the memory overlaps. Looks like the initial_boot_params memory
-> is not reserved and (re-)allocated by early_init_dt_alloc_memory_arch().
-
-Reported-by: Guenter Roeck <linux@roeck-us.net>
-Reference: http://lkml.kernel.org/r/20170226210338.GA19476@roeck-us.net
-Tested-by: Guenter Roeck <linux@roeck-us.net>
-Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
-Acked-by: Ley Foon Tan <ley.foon.tan@intel.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/nios2/kernel/prom.c | 7 +++++++
- arch/nios2/kernel/setup.c | 3 +++
- 2 files changed, 10 insertions(+)
-
-diff --git a/arch/nios2/kernel/prom.c b/arch/nios2/kernel/prom.c
-index 718dd197909f..de73beb36910 100644
---- a/arch/nios2/kernel/prom.c
-+++ b/arch/nios2/kernel/prom.c
-@@ -48,6 +48,13 @@ void * __init early_init_dt_alloc_memory_arch(u64 size, u64 align)
- return alloc_bootmem_align(size, align);
- }
-
-+int __init early_init_dt_reserve_memory_arch(phys_addr_t base, phys_addr_t size,
-+ bool nomap)
-+{
-+ reserve_bootmem(base, size, BOOTMEM_DEFAULT);
-+ return 0;
-+}
-+
- void __init early_init_devtree(void *params)
- {
- __be32 *dtb = (u32 *)__dtb_start;
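Review bot: In early_init_dt_reserve_memory_arch() the result of reserve_bootmem() is discarded and the function returns 0 unconditionally, so a failed reservation is reported to the caller as success; consider "return reserve_bootmem(base, size, BOOTMEM_DEFAULT);" instead. The nomap argument is also ignored without comment; if nios2 cannot honour it, say so in a comment or reject the request.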
-diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c
-index a4ff86d58d5c..6c4e351a7930 100644
---- a/arch/nios2/kernel/setup.c
-+++ b/arch/nios2/kernel/setup.c
-@@ -195,6 +195,9 @@ void __init setup_arch(char **cmdline_p)
- }
- #endif /* CONFIG_BLK_DEV_INITRD */
-
-+ early_init_fdt_reserve_self();
-+ early_init_fdt_scan_reserved_mem();
-+
- unflatten_and_copy_device_tree();
-
- setup_cpuinfo();
---
-2.12.2
-
-From ca9bd55235b346da89dadc1821e37bb4ec22b7eb Mon Sep 17 00:00:00 2001
-From: Paul Mackerras <paulus@ozlabs.org>
-Date: Tue, 4 Apr 2017 14:56:05 +1000
-Subject: [PATCH 23/52] powerpc: Don't try to fix up misaligned
- load-with-reservation instructions
-Content-Length: 2443
-Lines: 67
-
-commit 48fe9e9488743eec9b7c1addd3c93f12f2123d54 upstream.
-
-In the past, there was only one load-with-reservation instruction,
-lwarx, and if a program attempted a lwarx on a misaligned address, it
-would take an alignment interrupt and the kernel handler would emulate
-it as though it was lwzx, which was not really correct, but benign since
-it is loading the right amount of data, and the lwarx should be paired
-with a stwcx. to the same address, which would also cause an alignment
-interrupt which would result in a SIGBUS being delivered to the process.
-
-We now have 5 different sizes of load-with-reservation instruction. Of
-those, lharx and ldarx cause an immediate SIGBUS by luck since their
-entries in aligninfo[] overlap instructions which were not fixed up, but
-lqarx overlaps with lhz and will be emulated as such. lbarx can never
-generate an alignment interrupt since it only operates on 1 byte.
-
-To straighten this out and fix the lqarx case, this adds code to detect
-the l[hwdq]arx instructions and return without fixing them up, resulting
-in a SIGBUS being delivered to the process.
-
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/kernel/align.c | 27 +++++++++++++++++++--------
- 1 file changed, 19 insertions(+), 8 deletions(-)
-
-diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c
-index 86150fbb42c3..91e5c1758b5c 100644
---- a/arch/powerpc/kernel/align.c
-+++ b/arch/powerpc/kernel/align.c
-@@ -808,14 +808,25 @@ int fix_alignment(struct pt_regs *regs)
- nb = aligninfo[instr].len;
- flags = aligninfo[instr].flags;
-
-- /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
-- if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
-- nb = 8;
-- flags = LD+SW;
-- } else if (IS_XFORM(instruction) &&
-- ((instruction >> 1) & 0x3ff) == 660) {
-- nb = 8;
-- flags = ST+SW;
-+ /*
-+ * Handle some cases which give overlaps in the DSISR values.
-+ */
-+ if (IS_XFORM(instruction)) {
-+ switch (get_xop(instruction)) {
-+ case 532: /* ldbrx */
-+ nb = 8;
-+ flags = LD+SW;
-+ break;
-+ case 660: /* stdbrx */
-+ nb = 8;
-+ flags = ST+SW;
-+ break;
-+ case 20: /* lwarx */
-+ case 84: /* ldarx */
-+ case 116: /* lharx */
-+ case 276: /* lqarx */
-+ return 0; /* not emulated ever */
-+ }
- }
-
- /* Byteswap little endian loads and stores */
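Review bot: The l[hwdq]arx cases return 0 with only the comment "not emulated ever", which does not tell the reader what the caller does with 0; state in the comment that the access is left unfixed and the process gets SIGBUS, as the commit message describes. A note that lbarx is deliberately absent because a 1-byte access cannot raise an alignment interrupt would also save the next reader a lookup.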
---
-2.12.2
-
-From a67004a3896eacd109a0138b5526957381fe4337 Mon Sep 17 00:00:00 2001
-From: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
-Date: Wed, 29 Mar 2017 19:19:42 +0200
-Subject: [PATCH 22/52] powerpc/mm: Add missing global TLB invalidate if cxl is
- active
-Content-Length: 1830
-Lines: 48
-
-commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a upstream.
-
-Commit 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl") converted local
-TLB invalidates to global if the cxl driver is active. This is necessary
-because the CAPP snoops invalidations to forward them to the PSL on the
-cxl adapter. However one path was forgotten. native_flush_hash_range()
-still does local TLB invalidates, as found out the hard way recently.
-
-This patch fixes it by following the same logic as previously: if the
-cxl driver is active, the local TLB invalidates are 'upgraded' to
-global.
-
-Fixes: 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl")
-Signed-off-by: Frederic Barrat <fbarrat@linux.vnet.ibm.com>
-Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
-Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/powerpc/mm/hash_native_64.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/arch/powerpc/mm/hash_native_64.c b/arch/powerpc/mm/hash_native_64.c
-index c8822af10a58..19d9b2d2d212 100644
---- a/arch/powerpc/mm/hash_native_64.c
-+++ b/arch/powerpc/mm/hash_native_64.c
-@@ -645,6 +645,10 @@ static void native_flush_hash_range(unsigned long number, int local)
- unsigned long psize = batch->psize;
- int ssize = batch->ssize;
- int i;
-+ unsigned int use_local;
-+
-+ use_local = local && mmu_has_feature(MMU_FTR_TLBIEL) &&
-+ mmu_psize_defs[psize].tlbiel && !cxl_ctx_in_use();
-
- local_irq_save(flags);
-
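Review bot: use_local is declared unsigned int but only ever holds the truth value of an && chain; bool would state the intent. The !cxl_ctx_in_use() term is the whole point of the fix and deserves a one-line comment at the assignment saying that an active cxl context forces global invalidates.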
-@@ -671,8 +675,7 @@ static void native_flush_hash_range(unsigned long number, int local)
- } pte_iterate_hashed_end();
- }
-
-- if (mmu_has_feature(MMU_FTR_TLBIEL) &&
-- mmu_psize_defs[psize].tlbiel && local) {
-+ if (use_local) {
- asm volatile("ptesync":::"memory");
- for (i = 0; i < number; i++) {
- vpn = batch->vpn[i];
---
-2.12.2
-
From 435cc436a88652046b9ca89fb56acf3a4b1a44b8 Mon Sep 17 00:00:00 2001
From: James Hogan <james.hogan@imgtec.com>
Date: Tue, 4 Apr 2017 08:51:34 +0100
--
2.12.2
-From 926e1ed2b8ce683f137ea8e0683ac4f6d27c8afb Mon Sep 17 00:00:00 2001
-From: "bsegall@google.com" <bsegall@google.com>
-Date: Fri, 7 Apr 2017 16:04:51 -0700
-Subject: [PATCH 13/52] ptrace: fix PTRACE_LISTEN race corrupting task->state
-Content-Length: 2204
-Lines: 57
-
-commit 5402e97af667e35e54177af8f6575518bf251d51 upstream.
-
-In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against
-__TASK_TRACED. If this races with the ptrace_unfreeze_traced at the end
-of a PTRACE_LISTEN, this can wake the task /after/ the check against
-__TASK_TRACED, but before the reset of state to TASK_TRACED. This
-causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup
-against TRACED while the task is still on the rq wake_list, corrupting
-it.
-
-Oleg said:
- "The kernel can crash or this can lead to other hard-to-debug problems.
- In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced()
- assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the
- contract. Obviusly it is very wrong to manipulate task->state if this
- task is already running, or WAKING, or it sleeps again"
-
-[akpm@linux-foundation.org: coding-style fixes]
-Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL")
-Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com
-Signed-off-by: Ben Segall <bsegall@google.com>
-Acked-by: Oleg Nesterov <oleg@redhat.com>
-Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/ptrace.c | 14 ++++++++++----
- 1 file changed, 10 insertions(+), 4 deletions(-)
-
-diff --git a/kernel/ptrace.c b/kernel/ptrace.c
-index a46c40bfb5f6..c7e8ed99c953 100644
---- a/kernel/ptrace.c
-+++ b/kernel/ptrace.c
-@@ -151,11 +151,17 @@ static void ptrace_unfreeze_traced(struct task_struct *task)
-
- WARN_ON(!task->ptrace || task->parent != current);
-
-+ /*
-+ * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely.
-+ * Recheck state under the lock to close this race.
-+ */
- spin_lock_irq(&task->sighand->siglock);
-- if (__fatal_signal_pending(task))
-- wake_up_state(task, __TASK_TRACED);
-- else
-- task->state = TASK_TRACED;
-+ if (task->state == __TASK_TRACED) {
-+ if (__fatal_signal_pending(task))
-+ wake_up_state(task, __TASK_TRACED);
-+ else
-+ task->state = TASK_TRACED;
-+ }
- spin_unlock_irq(&task->sighand->siglock);
- }
-
---
-2.12.2
-
-From 5a69c2b268ed938d44011274e6bc87562542ef94 Mon Sep 17 00:00:00 2001
-From: Jan-Marek Glogowski <glogow@fbihome.de>
-Date: Mon, 20 Feb 2017 12:25:58 +0100
-Subject: [PATCH 12/52] Reset TreeId to zero on SMB2 TREE_CONNECT
-Content-Length: 1105
-Lines: 34
-
-commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream.
-
-Currently the cifs module breaks the CIFS specs on reconnect as
-described in http://msdn.microsoft.com/en-us/library/cc246529.aspx:
-
-"TreeId (4 bytes): Uniquely identifies the tree connect for the
-command. This MUST be 0 for the SMB2 TREE_CONNECT Request."
-
-Signed-off-by: Jan-Marek Glogowski <glogow@fbihome.de>
-Reviewed-by: Aurelien Aptel <aaptel@suse.com>
-Tested-by: Aurelien Aptel <aaptel@suse.com>
-Signed-off-by: Steve French <smfrench@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/cifs/smb2pdu.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
-index 2fa754c5fd62..6cb5c4b30e78 100644
---- a/fs/cifs/smb2pdu.c
-+++ b/fs/cifs/smb2pdu.c
-@@ -952,6 +952,10 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree,
- return -EINVAL;
- }
-
-+ /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */
-+ if (tcon)
-+ tcon->tid = 0;
-+
- rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req);
- if (rc) {
- kfree(unc_path);
---
-2.12.2
-
-From 8ff7eb4bc8b8cf0416e0746dcdb1545fc6869e98 Mon Sep 17 00:00:00 2001
-From: Quentin Schulz <quentin.schulz@free-electrons.com>
-Date: Tue, 21 Mar 2017 16:52:14 +0100
-Subject: [PATCH 11/52] iio: bmg160: reset chip when probing
-Content-Length: 1865
-Lines: 59
-
-commit 4bdc9029685ac03be50b320b29691766d2326c2b upstream.
-
-The gyroscope chip might need to be reset to be used.
-
-Without the chip being reset, the driver stopped at the first
-regmap_read (to get the CHIP_ID) and failed to probe.
-
-The datasheet of the gyroscope says that a minimum wait of 30ms after
-the reset has to be done.
-
-This patch has been checked on a BMX055 and the datasheet of the BMG160
-and the BMI055 give the same reset register and bits.
-
-Signed-off-by: Quentin Schulz <quentin.schulz@free-electrons.com>
-Signed-off-by: Jonathan Cameron <jic23@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/iio/gyro/bmg160_core.c | 12 ++++++++++++
- 1 file changed, 12 insertions(+)
-
-diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c
-index acb3b303d800..90841abd3ce4 100644
---- a/drivers/iio/gyro/bmg160_core.c
-+++ b/drivers/iio/gyro/bmg160_core.c
-@@ -28,6 +28,7 @@
- #include <linux/iio/trigger_consumer.h>
- #include <linux/iio/triggered_buffer.h>
- #include <linux/regmap.h>
-+#include <linux/delay.h>
- #include "bmg160.h"
-
- #define BMG160_IRQ_NAME "bmg160_event"
-@@ -53,6 +54,9 @@
- #define BMG160_NO_FILTER 0
- #define BMG160_DEF_BW 100
-
-+#define BMG160_GYRO_REG_RESET 0x14
-+#define BMG160_GYRO_RESET_VAL 0xb6
-+
- #define BMG160_REG_INT_MAP_0 0x17
- #define BMG160_INT_MAP_0_BIT_ANY BIT(1)
-
-@@ -186,6 +190,14 @@ static int bmg160_chip_init(struct bmg160_data *data)
- int ret;
- unsigned int val;
-
-+ /*
-+ * Reset chip to get it in a known good state. A delay of 30ms after
-+ * reset is required according to the datasheet.
-+ */
-+ regmap_write(data->regmap, BMG160_GYRO_REG_RESET,
-+ BMG160_GYRO_RESET_VAL);
-+ usleep_range(30000, 30700);
-+
- ret = regmap_read(data->regmap, BMG160_REG_CHIP_ID, &val);
- if (ret < 0) {
- dev_err(data->dev, "Error reading reg_chip_id\n");
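Review bot: The return value of the regmap_write() that issues the reset is ignored, so a failed bus write is followed by the 30 ms sleep and is only noticed, if at all, at the regmap_read() of the chip id; assign it to ret and bail out on error, as the regmap_read() just below already does.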
---
-2.12.2
-
From d4ad442b9982fba9eab0f9003c8cd185a1afeff6 Mon Sep 17 00:00:00 2001
From: Marc Zyngier <marc.zyngier@arm.com>
Date: Thu, 16 Mar 2017 18:20:50 +0000
Subject: [PATCH 10/52] arm/arm64: KVM: Take mmap_sem in
kvm_arch_prepare_memory_region
+Status: RO
Content-Length: 2022
Lines: 62
--
2.12.2
-From 8e88806117e4868bc459a3042e55f8bf06c0b9e0 Mon Sep 17 00:00:00 2001
-From: Marc Zyngier <marc.zyngier@arm.com>
-Date: Thu, 16 Mar 2017 18:20:49 +0000
-Subject: [PATCH 09/52] arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm
-Content-Length: 1130
-Lines: 37
-
-commit 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb upstream.
-
-We don't hold the mmap_sem while searching for the VMAs when
-we try to unmap each memslot for a VM. Fix this properly to
-avoid unexpected results.
-
-Fixes: commit 957db105c997 ("arm/arm64: KVM: Introduce stage2_unmap_vm")
-Reviewed-by: Christoffer Dall <cdall@linaro.org>
-Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
-Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- arch/arm/kvm/mmu.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c
-index 11b6595c2672..5366a736151e 100644
---- a/arch/arm/kvm/mmu.c
-+++ b/arch/arm/kvm/mmu.c
-@@ -796,6 +796,7 @@ void stage2_unmap_vm(struct kvm *kvm)
- int idx;
-
- idx = srcu_read_lock(&kvm->srcu);
-+ down_read(¤t->mm->mmap_sem);
- spin_lock(&kvm->mmu_lock);
-
- slots = kvm_memslots(kvm);
-@@ -803,6 +804,7 @@ void stage2_unmap_vm(struct kvm *kvm)
- stage2_unmap_memslot(kvm, memslot);
-
- spin_unlock(&kvm->mmu_lock);
-+ up_read(¤t->mm->mmap_sem);
- srcu_read_unlock(&kvm->srcu, idx);
- }
-
---
-2.12.2
-
-From 193b590c71cd4c1fd54f4b4cab1ba73b6212c073 Mon Sep 17 00:00:00 2001
-From: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
-Date: Thu, 6 Apr 2017 22:30:29 +0800
-Subject: [PATCH 08/52] staging: android: ashmem: lseek failed due to no
- FMODE_LSEEK.
-Content-Length: 1274
-Lines: 35
-
-commit 97fbfef6bd597888485b653175fb846c6998b60c upstream.
-
-vfs_llseek will check whether the file mode has
-FMODE_LSEEK, no return failure. But ashmem can be
-lseek, so add FMODE_LSEEK to ashmem file.
-
-Comment From Greg Hackmann:
- ashmem_llseek() passes the llseek() call through to the backing
- shmem file. 91360b02ab48 ("ashmem: use vfs_llseek()") changed
- this from directly calling the file's llseek() op into a VFS
- layer call. This also adds a check for the FMODE_LSEEK bit, so
- without that bit ashmem_llseek() now always fails with -ESPIPE.
-
-Fixes: 91360b02ab48 ("ashmem: use vfs_llseek()")
-Signed-off-by: Shuxiao Zhang <zhangshuxiao@xiaomi.com>
-Tested-by: Greg Hackmann <ghackmann@google.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/staging/android/ashmem.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c
-index 3f2a3d611e4b..9c6357c03905 100644
---- a/drivers/staging/android/ashmem.c
-+++ b/drivers/staging/android/ashmem.c
-@@ -392,6 +392,7 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma)
- ret = PTR_ERR(vmfile);
- goto out;
- }
-+ vmfile->f_mode |= FMODE_LSEEK;
- asma->file = vmfile;
- }
- get_file(asma->file);
---
-2.12.2
-
-From 69d8d58bf50d9cd1bb6f000bbdf54026e74717a3 Mon Sep 17 00:00:00 2001
-From: NeilBrown <neilb@suse.com>
-Date: Mon, 3 Apr 2017 11:30:34 +1000
-Subject: [PATCH 07/52] sysfs: be careful of error returns from ops->show()
-Content-Length: 2847
-Lines: 76
-
-commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream.
-
-ops->show() can return a negative error code.
-Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
-(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors
-would look like large numbers.
-As a result, if an error is returned, sysfs_kf_read() will return the
-value of 'count', typically 4096.
-
-Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
-(in v4.8) extended this error to use the unsigned large 'len' as a size for
-memmove().
-Consequently, if ->show returns an error, then the first read() on the
-sysfs file will return 4096 and could return uninitialized memory to
-user-space.
-If the application performs a subsequent read, this will trigger a memmove()
-with extremely large count, and is likely to crash the machine is bizarre ways.
-
-This bug can currently only be triggered by reading from an md
-sysfs attribute declared with __ATTR_PREALLOC() during the
-brief period between when mddev_put() deletes an mddev from
-the ->all_mddevs list, and when mddev_delayed_delete() - which is
-scheduled on a workqueue - completes.
-Before this, an error won't be returned by the ->show()
-After this, the ->show() won't be called.
-
-I can reproduce it reliably only by putting delay like
- usleep_range(500000,700000);
-early in mddev_delayed_delete(). Then after creating an
-md device md0 run
- echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state
-
-The bug can be triggered without the usleep.
-
-Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
-Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
-Signed-off-by: NeilBrown <neilb@suse.com>
-Acked-by: Tejun Heo <tj@kernel.org>
-Reported-and-tested-by: Miroslav Benes <mbenes@suse.cz>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- fs/sysfs/file.c | 6 ++++--
- 1 file changed, 4 insertions(+), 2 deletions(-)
-
-diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c
-index b803213d1307..39c75a86c67f 100644
---- a/fs/sysfs/file.c
-+++ b/fs/sysfs/file.c
-@@ -108,7 +108,7 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf,
- {
- const struct sysfs_ops *ops = sysfs_file_ops(of->kn);
- struct kobject *kobj = of->kn->parent->priv;
-- size_t len;
-+ ssize_t len;
-
- /*
- * If buf != of->prealloc_buf, we don't know how
-@@ -117,13 +117,15 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf,
- if (WARN_ON_ONCE(buf != of->prealloc_buf))
- return 0;
- len = ops->show(kobj, of->kn->priv, buf);
-+ if (len < 0)
-+ return len;
- if (pos) {
- if (len <= pos)
- return 0;
- len -= pos;
- memmove(buf, buf + pos, len);
- }
-- return min(count, len);
-+ return min_t(ssize_t, count, len);
- }
-
- /* kernfs write callback for regular sysfs files */
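Review bot: In the final return, min_t(ssize_t, count, len) casts the size_t count to a signed type. len is already known to be non-negative at that point because of the new "if (len < 0) return len;" check, so min_t(size_t, count, len) would avoid the signed cast of a caller-supplied length. A short comment on the early return noting that ->show() may return a negative errno would also document why len had to become ssize_t.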
---
-2.12.2
-
-From c21636bd64c511160846bdf87ef4c7ff48680c99 Mon Sep 17 00:00:00 2001
-From: Li Qiang <liq3ea@gmail.com>
-Date: Mon, 27 Mar 2017 20:10:53 -0700
-Subject: [PATCH 06/52] drm/vmwgfx: fix integer overflow in
- vmw_surface_define_ioctl()
-Content-Length: 1355
-Lines: 35
-
-commit e7e11f99564222d82f0ce84bd521e57d78a6b678 upstream.
-
-In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the
-'req->mip_levels' array. This array can be assigned any value from
-the user space. As both the 'num_sizes' and the array is uint32_t,
-it is easy to make 'num_sizes' overflow. The later 'mip_levels' is
-used as the loop count. This can lead an oob write. Add the check of
-'req->mip_levels' to avoid this.
-
-Signed-off-by: Li Qiang <liqiang6-s@360.cn>
-Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 79f78a68d92d..c9c04ccccdd9 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -715,8 +715,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- 128;
-
- num_sizes = 0;
-- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
-+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) {
-+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS)
-+ return -EINVAL;
- num_sizes += req->mip_levels[i];
-+ }
-
- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
- num_sizes == 0)
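Review bot: With each req->mip_levels[i] now rejected above DRM_VMW_MAX_MIP_LEVELS inside the loop, the upper-bound half of the following test, num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS, can no longer be true; only num_sizes == 0 still does work. Either drop the dead comparison or mark it as a deliberate second check, and add a comment on the new per-face test saying that it keeps the uint32_t sum from wrapping.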
---
-2.12.2
-
-From 235e914069bd501be22597e6c0176f16b477ae37 Mon Sep 17 00:00:00 2001
-From: Thomas Hellstrom <thellstrom@vmware.com>
-Date: Mon, 27 Mar 2017 13:06:05 +0200
-Subject: [PATCH 05/52] drm/vmwgfx: Remove getparam error message
-Content-Length: 963
-Lines: 29
-
-commit 53e16798b0864464c5444a204e1bb93ae246c429 upstream.
-
-The mesa winsys sometimes uses unimplemented parameter requests to
-check for features. Remove the error message to avoid bloating the
-kernel log.
-
-Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
-Reviewed-by: Brian Paul <brianp@vmware.com>
-Reviewed-by: Sinclair Yeh <syeh@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 2 --
- 1 file changed, 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-index 1802d0e7fab8..5ec24fd801cd 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-@@ -114,8 +114,6 @@ int vmw_getparam_ioctl(struct drm_device *dev, void *data,
- param->value = dev_priv->has_dx;
- break;
- default:
-- DRM_ERROR("Illegal vmwgfx get param request: %d\n",
-- param->param);
- return -EINVAL;
- }
-
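Review bot: the 'default:' case now returns -EINVAL with no trace at all, which also hides real mistakes in a caller's parameter id. If log volume is the only concern, a debug-level message (DRM_DEBUG) in place of the removed DRM_ERROR would keep the request value available when debugging is enabled without bloating the kernel log.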
---
-2.12.2
-
-From ad4ae2feef4f65b860f139e0d8455e2a16efb93c Mon Sep 17 00:00:00 2001
-From: Thomas Hellstrom <thellstrom@vmware.com>
-Date: Mon, 27 Mar 2017 11:21:25 +0200
-Subject: [PATCH 04/52] drm/ttm, drm/vmwgfx: Relax permission checking when
- opening surfaces
-Content-Length: 6721
-Lines: 176
-
-commit fe25deb7737ce6c0879ccf79c99fa1221d428bf2 upstream.
-
-Previously, when a surface was opened using a legacy (non prime) handle,
-it was verified to have been created by a client in the same master realm.
-Relax this so that opening is also allowed recursively if the client
-already has the surface open.
-
-This works around a regression in svga mesa where opening of a shared
-surface is used recursively to obtain surface information.
-
-Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
-Reviewed-by: Sinclair Yeh <syeh@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/ttm/ttm_object.c | 10 +++++++---
- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 6 ++----
- drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 4 ++--
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 22 +++++++++-------------
- include/drm/ttm/ttm_object.h | 5 ++++-
- 5 files changed, 24 insertions(+), 23 deletions(-)
-
-diff --git a/drivers/gpu/drm/ttm/ttm_object.c b/drivers/gpu/drm/ttm/ttm_object.c
-index 4f5fa8d65fe9..144367c0c28f 100644
---- a/drivers/gpu/drm/ttm/ttm_object.c
-+++ b/drivers/gpu/drm/ttm/ttm_object.c
-@@ -179,7 +179,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile,
- if (unlikely(ret != 0))
- goto out_err0;
-
-- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL);
-+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL, false);
- if (unlikely(ret != 0))
- goto out_err1;
-
-@@ -318,7 +318,8 @@ EXPORT_SYMBOL(ttm_ref_object_exists);
-
- int ttm_ref_object_add(struct ttm_object_file *tfile,
- struct ttm_base_object *base,
-- enum ttm_ref_type ref_type, bool *existed)
-+ enum ttm_ref_type ref_type, bool *existed,
-+ bool require_existed)
- {
- struct drm_open_hash *ht = &tfile->ref_hash[ref_type];
- struct ttm_ref_object *ref;
-@@ -345,6 +346,9 @@ int ttm_ref_object_add(struct ttm_object_file *tfile,
- }
-
- rcu_read_unlock();
-+ if (require_existed)
-+ return -EPERM;
-+
- ret = ttm_mem_global_alloc(mem_glob, sizeof(*ref),
- false, false);
- if (unlikely(ret != 0))
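Review bot: the early 'return -EPERM' after rcu_read_unlock() is only correct because reaching this point means the lookup above found no matching ref object, and nothing in the hunk says so. A one-line comment above 'if (require_existed)' stating that no existing reference was found would make the permission decision readable on its own, and it is worth checking that no reference or accounting has been taken before this return.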
-@@ -635,7 +639,7 @@ int ttm_prime_fd_to_handle(struct ttm_object_file *tfile,
- prime = (struct ttm_prime_object *) dma_buf->priv;
- base = &prime->base;
- *handle = base->hash.key;
-- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL);
-+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL, false);
-
- dma_buf_put(dma_buf);
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-index b2f329917eda..6c649f7b5929 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-@@ -1144,10 +1144,8 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- (void) vmw_fence_obj_reference(fence);
-
- if (user_fence_rep != NULL) {
-- bool existed;
--
-- ret = ttm_ref_object_add(tfile, base,
-- TTM_REF_USAGE, &existed);
-+ ret = ttm_ref_object_add(vmw_fp->tfile, base,
-+ TTM_REF_USAGE, NULL, false);
- if (unlikely(ret != 0)) {
- DRM_ERROR("Failed to reference a fence "
- "object.\n");
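Review bot: the first argument of ttm_ref_object_add() changes from 'tfile' to 'vmw_fp->tfile' here, which is unrelated to adding the 'require_existed' parameter and is not mentioned in the commit message. If the local 'tfile' is still declared in this function, keep using it so the hunk only removes 'existed' and appends 'false'; otherwise say in the changelog why the local went away.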
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-index e57667ca7557..dbca128a9aa6 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c
-@@ -591,7 +591,7 @@ static int vmw_user_dmabuf_synccpu_grab(struct vmw_user_dma_buffer *user_bo,
- return ret;
-
- ret = ttm_ref_object_add(tfile, &user_bo->prime.base,
-- TTM_REF_SYNCCPU_WRITE, &existed);
-+ TTM_REF_SYNCCPU_WRITE, &existed, false);
- if (ret != 0 || existed)
- ttm_bo_synccpu_write_release(&user_bo->dma.base);
-
-@@ -775,7 +775,7 @@ int vmw_user_dmabuf_reference(struct ttm_object_file *tfile,
-
- *handle = user_bo->prime.base.hash.key;
- return ttm_ref_object_add(tfile, &user_bo->prime.base,
-- TTM_REF_USAGE, NULL);
-+ TTM_REF_USAGE, NULL, false);
- }
-
- /*
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index b363f0be6512..79f78a68d92d 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -904,17 +904,16 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
- uint32_t handle;
- struct ttm_base_object *base;
- int ret;
-+ bool require_exist = false;
-
- if (handle_type == DRM_VMW_HANDLE_PRIME) {
- ret = ttm_prime_fd_to_handle(tfile, u_handle, &handle);
- if (unlikely(ret != 0))
- return ret;
- } else {
-- if (unlikely(drm_is_render_client(file_priv))) {
-- DRM_ERROR("Render client refused legacy "
-- "surface reference.\n");
-- return -EACCES;
-- }
-+ if (unlikely(drm_is_render_client(file_priv)))
-+ require_exist = true;
-+
- if (ACCESS_ONCE(vmw_fpriv(file_priv)->locked_master)) {
- DRM_ERROR("Locked master refused legacy "
- "surface reference.\n");
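Review bot: the render-client branch used to refuse a legacy handle outright with -EACCES and now only sets 'require_exist = true', which is a second relaxation the commit message does not describe (it only talks about the same-master check). Please state in the changelog that render clients may now open a legacy handle they already hold a reference to, and confirm that this is intended rather than a side effect of reusing the flag.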
-@@ -942,17 +941,14 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv,
-
- /*
- * Make sure the surface creator has the same
-- * authenticating master.
-+ * authenticating master, or is already registered with us.
- */
- if (drm_is_primary_client(file_priv) &&
-- user_srf->master != file_priv->master) {
-- DRM_ERROR("Trying to reference surface outside of"
-- " master domain.\n");
-- ret = -EACCES;
-- goto out_bad_resource;
-- }
-+ user_srf->master != file_priv->master)
-+ require_exist = true;
-
-- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL);
-+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL,
-+ require_exist);
- if (unlikely(ret != 0)) {
- DRM_ERROR("Could not add a reference to a surface.\n");
- goto out_bad_resource;
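Review bot: a primary client outside the creator's master domain used to get -EACCES and the message "Trying to reference surface outside of master domain."; after this hunk the refusal comes back as the -EPERM from ttm_ref_object_add() and is logged as the generic "Could not add a reference to a surface.". That is a user-visible errno change and it makes a permission denial indistinguishable from an allocation failure in the log. Consider mapping the require_exist failure back to -EACCES here, or documenting the new errno. The local is also spelled 'require_exist' while the parameter it feeds is 'require_existed'; one spelling would be easier to grep.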
-diff --git a/include/drm/ttm/ttm_object.h b/include/drm/ttm/ttm_object.h
-index ed953f98f0e1..1487011fe057 100644
---- a/include/drm/ttm/ttm_object.h
-+++ b/include/drm/ttm/ttm_object.h
-@@ -229,6 +229,8 @@ extern void ttm_base_object_unref(struct ttm_base_object **p_base);
- * @ref_type: The type of reference.
- * @existed: Upon completion, indicates that an identical reference object
- * already existed, and the refcount was upped on that object instead.
-+ * @require_existed: Fail with -EPERM if an identical ref object didn't
-+ * already exist.
- *
- * Checks that the base object is shareable and adds a ref object to it.
- *
-@@ -243,7 +245,8 @@ extern void ttm_base_object_unref(struct ttm_base_object **p_base);
- */
- extern int ttm_ref_object_add(struct ttm_object_file *tfile,
- struct ttm_base_object *base,
-- enum ttm_ref_type ref_type, bool *existed);
-+ enum ttm_ref_type ref_type, bool *existed,
-+ bool require_existed);
-
- extern bool ttm_ref_object_exists(struct ttm_object_file *tfile,
- struct ttm_base_object *base);
---
-2.12.2
-
-From 0e075f266749ea6507758123f553fece6664e4e2 Mon Sep 17 00:00:00 2001
-From: Murray McAllister <murray.mcallister@insomniasec.com>
-Date: Mon, 27 Mar 2017 11:15:12 +0200
-Subject: [PATCH 03/52] drm/vmwgfx: avoid calling vzalloc with a 0 size in
- vmw_get_cap_3d_ioctl()
-Content-Length: 1144
-Lines: 30
-
-commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 upstream.
-
-In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
-used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
-which can leak useful addresses to dmesg.
-
-Add check to avoid a size of 0.
-
-Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-index b8c6a03c8c54..1802d0e7fab8 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-@@ -186,7 +186,7 @@ int vmw_get_cap_3d_ioctl(struct drm_device *dev, void *data,
- bool gb_objects = !!(dev_priv->capabilities & SVGA_CAP_GBOBJECTS);
- struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
-
-- if (unlikely(arg->pad64 != 0)) {
-+ if (unlikely(arg->pad64 != 0 || arg->max_size == 0)) {
- DRM_ERROR("Illegal GET_3D_CAP argument.\n");
- return -EINVAL;
- }
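Review bot: the added 'arg->max_size == 0' test has no comment, and folded into the 'pad64' check it reads like ordinary argument validation rather than a guard against a specific problem. A short comment above the condition saying that a zero size must not reach vzalloc() because the resulting allocation warning dumps a stack to dmesg would keep the check from being dropped in a later cleanup.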
---
-2.12.2
-
-From b26629453c7b2a6c82000b36fbd1cfc4d9101808 Mon Sep 17 00:00:00 2001
-From: Murray McAllister <murray.mcallister@insomniasec.com>
-Date: Mon, 27 Mar 2017 11:12:53 +0200
-Subject: [PATCH 02/52] drm/vmwgfx: NULL pointer dereference in
- vmw_surface_define_ioctl()
-Content-Length: 1176
-Lines: 32
-
-commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream.
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Signed-off-by: Murray McAllister <murray.mcallister@insomniasec.com>
-Reviewed-by: Sinclair Yeh <syeh@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 7d620e82e000..b363f0be6512 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -718,8 +718,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+ num_sizes == 0)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
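Review bot: the new 'num_sizes == 0' test is applied to the sum, but the loop in the leading context adds each user-supplied 'req->mip_levels[i]' with no per-element bound, so the sum itself can wrap. A wrapped sum can land inside the accepted range and pass both halves of this condition while the individual 'mip_levels' values are still far larger than DRM_VMW_MAX_MIP_LEVELS. Bound each 'req->mip_levels[i]' inside the loop before accumulating, then keep the zero check on the result.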
---
-2.12.2
-
-From ed528923541afc1228c5a66e98845148aca51e24 Mon Sep 17 00:00:00 2001
-From: Thomas Hellstrom <thellstrom@vmware.com>
-Date: Mon, 27 Mar 2017 11:09:08 +0200
-Subject: [PATCH 01/52] drm/vmwgfx: Type-check lookups of fence objects
-Content-Length: 5168
-Lines: 154
-
-commit f7652afa8eadb416b23eb57dec6f158529942041 upstream.
-
-A malicious caller could otherwise hand over handles to other objects
-causing all sorts of interesting problems.
-
-Testing done: Ran a Fedora 25 desktop using both Xorg and
-gnome-shell/Wayland.
-
-Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
-Reviewed-by: Sinclair Yeh <syeh@vmware.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 77 +++++++++++++++++++++++------------
- 1 file changed, 50 insertions(+), 27 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-index 8e689b439890..b2f329917eda 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-@@ -539,7 +539,7 @@ int vmw_fence_create(struct vmw_fence_manager *fman,
- struct vmw_fence_obj **p_fence)
- {
- struct vmw_fence_obj *fence;
-- int ret;
-+ int ret;
-
- fence = kzalloc(sizeof(*fence), GFP_KERNEL);
- if (unlikely(fence == NULL))
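Review bot: the only changed line in this hunk is 'int ret;', which reads the same before and after, so this is a whitespace-only edit in vmw_fence_create() that has nothing to do with type-checking fence lookups. Drop it from this patch or send it separately, so the security fix stays minimal and easy to backport.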
-@@ -702,6 +702,41 @@ void vmw_fence_fifo_up(struct vmw_fence_manager *fman)
- }
-
-
-+/**
-+ * vmw_fence_obj_lookup - Look up a user-space fence object
-+ *
-+ * @tfile: A struct ttm_object_file identifying the caller.
-+ * @handle: A handle identifying the fence object.
-+ * @return: A struct vmw_user_fence base ttm object on success or
-+ * an error pointer on failure.
-+ *
-+ * The fence object is looked up and type-checked. The caller needs
-+ * to have opened the fence object first, but since that happens on
-+ * creation and fence objects aren't shareable, that's not an
-+ * issue currently.
-+ */
-+static struct ttm_base_object *
-+vmw_fence_obj_lookup(struct ttm_object_file *tfile, u32 handle)
-+{
-+ struct ttm_base_object *base = ttm_base_object_lookup(tfile, handle);
-+
-+ if (!base) {
-+ pr_err("Invalid fence object handle 0x%08lx.\n",
-+ (unsigned long)handle);
-+ return ERR_PTR(-EINVAL);
-+ }
-+
-+ if (base->refcount_release != vmw_user_fence_base_release) {
-+ pr_err("Invalid fence object handle 0x%08lx.\n",
-+ (unsigned long)handle);
-+ ttm_base_object_unref(&base);
-+ return ERR_PTR(-EINVAL);
-+ }
-+
-+ return base;
-+}
-+
-+
- int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data,
- struct drm_file *file_priv)
- {
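Review bot: both failure paths in vmw_fence_obj_lookup() call pr_err() with the same text, "Invalid fence object handle 0x%08lx.", and both are reached with a handle value chosen by the ioctl caller. That lets any client with access to the device write error-level lines to the kernel log at will, and it hides whether the handle was unknown or referred to an object of another type. Use a rate-limited or debug-level print and give the type-mismatch path its own message. The kernel-doc also says callers must have opened the fence first; a sentence noting that the type check is done by comparing 'base->refcount_release' against vmw_user_fence_base_release would explain why that comparison is a valid type tag.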
-@@ -727,13 +762,9 @@ int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data,
- arg->kernel_cookie = jiffies + wait_timeout;
- }
-
-- base = ttm_base_object_lookup(tfile, arg->handle);
-- if (unlikely(base == NULL)) {
-- printk(KERN_ERR "Wait invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ base = vmw_fence_obj_lookup(tfile, arg->handle);
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-
- fence = &(container_of(base, struct vmw_user_fence, base)->fence);
-
-@@ -772,13 +803,9 @@ int vmw_fence_obj_signaled_ioctl(struct drm_device *dev, void *data,
- struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
- struct vmw_private *dev_priv = vmw_priv(dev);
-
-- base = ttm_base_object_lookup(tfile, arg->handle);
-- if (unlikely(base == NULL)) {
-- printk(KERN_ERR "Fence signaled invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ base = vmw_fence_obj_lookup(tfile, arg->handle);
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-
- fence = &(container_of(base, struct vmw_user_fence, base)->fence);
- fman = fman_from_fence(fence);
-@@ -1093,6 +1120,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- (struct drm_vmw_fence_event_arg *) data;
- struct vmw_fence_obj *fence = NULL;
- struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
-+ struct ttm_object_file *tfile = vmw_fp->tfile;
- struct drm_vmw_fence_rep __user *user_fence_rep =
- (struct drm_vmw_fence_rep __user *)(unsigned long)
- arg->fence_rep;
-@@ -1106,15 +1134,11 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- */
- if (arg->handle) {
- struct ttm_base_object *base =
-- ttm_base_object_lookup_for_ref(dev_priv->tdev,
-- arg->handle);
--
-- if (unlikely(base == NULL)) {
-- DRM_ERROR("Fence event invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ vmw_fence_obj_lookup(tfile, arg->handle);
-+
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-+
- fence = &(container_of(base, struct vmw_user_fence,
- base)->fence);
- (void) vmw_fence_obj_reference(fence);
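Review bot: besides adding the type check, this hunk replaces ttm_base_object_lookup_for_ref(dev_priv->tdev, ...) with a lookup through the caller's own 'tfile', so the fence event ioctl now only accepts handles the calling file already has open rather than any handle known to the device. The commit message mentions only the type check; please call out the narrower lookup scope there as well, since it is a behaviour change for callers that pass a handle they did not create.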
-@@ -1122,7 +1146,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- if (user_fence_rep != NULL) {
- bool existed;
-
-- ret = ttm_ref_object_add(vmw_fp->tfile, base,
-+ ret = ttm_ref_object_add(tfile, base,
- TTM_REF_USAGE, &existed);
- if (unlikely(ret != 0)) {
- DRM_ERROR("Failed to reference a fence "
-@@ -1166,8 +1190,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- return 0;
- out_no_create:
- if (user_fence_rep != NULL)
-- ttm_ref_object_base_unref(vmw_fpriv(file_priv)->tfile,
-- handle, TTM_REF_USAGE);
-+ ttm_ref_object_base_unref(tfile, handle, TTM_REF_USAGE);
- out_no_ref_obj:
- vmw_fence_obj_unreference(&fence);
- return ret;
---
-2.12.2
-