From: Greg Kroah-Hartman Date: Tue, 18 Apr 2017 18:49:19 +0000 (+0200) Subject: 3.18 mbox update X-Git-Tag: v4.4.63~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=abde62630f84e49b127ddd0c72a1960cfcfecfad;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 mbox update --- diff --git a/mbox_todo-3.18 b/mbox_todo-3.18 index bc6f04131e3..f07b14661d8 100644 --- a/mbox_todo-3.18 +++ b/mbox_todo-3.18 @@ -580,6 +580,7 @@ From: Roman Mashak Date: Fri, 24 Feb 2017 11:00:32 -0500 Subject: [PATCH 095/251] net sched actions: decrement module reference count after table flush. +Status: RO Content-Length: 2407 Lines: 90 
@@ -742,118 +743,6 @@ index e504f548b64e..5bbd1989d5e6 100644 -- 2.12.2 -From 8e0ec20539f8c626463ae43fcaeb218e3b2b5dc4 Mon Sep 17 00:00:00 2001 -From: Andrey Ryabinin -Date: Mon, 13 Mar 2017 19:33:37 +0300 -Subject: [PATCH 098/251] x86/kasan: Fix boot with KASAN=y and - PROFILE_ANNOTATED_BRANCHES=y -Content-Length: 1839 -Lines: 50 - -commit be3606ff739d1c1be36389f8737c577ad87e1f57 upstream. - -The kernel doesn't boot with both PROFILE_ANNOTATED_BRANCHES=y and KASAN=y -options selected. With branch profiling enabled we end up calling -ftrace_likely_update() before kasan_early_init(). ftrace_likely_update() is -built with KASAN instrumentation, so calling it before kasan has been -initialized leads to crash. - -Use DISABLE_BRANCH_PROFILING define to make sure that we don't call -ftrace_likely_update() from early code before kasan_early_init(). - -Fixes: ef7f0d6a6ca8 ("x86_64: add KASan support") -Reported-by: Fengguang Wu -Signed-off-by: Andrey Ryabinin -Cc: kasan-dev@googlegroups.com -Cc: Alexander Potapenko -Cc: Andrew Morton -Cc: lkp@01.org -Cc: Dmitry Vyukov -Link: http://lkml.kernel.org/r/20170313163337.1704-1-aryabinin@virtuozzo.com -Signed-off-by: Thomas Gleixner -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/head64.c | 1 + - arch/x86/mm/kasan_init_64.c | 1 + - 2 files changed, 2 insertions(+) - -diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c -index f129a9af6357..b6b0077da1af 100644 ---- a/arch/x86/kernel/head64.c -+++ b/arch/x86/kernel/head64.c -@@ -4,6 +4,7 @@ - * Copyright (C) 2000 Andrea Arcangeli SuSE - */ - -+#define DISABLE_BRANCH_PROFILING - #include - #include - #include -diff --git a/arch/x86/mm/kasan_init_64.c b/arch/x86/mm/kasan_init_64.c -index d470cf219a2d..4e5ac46adc9d 100644 ---- a/arch/x86/mm/kasan_init_64.c -+++ b/arch/x86/mm/kasan_init_64.c -@@ -1,3 +1,4 @@ -+#define DISABLE_BRANCH_PROFILING - #define pr_fmt(fmt) "kasan: " fmt - #include - #include --- -2.12.2 - -From 62f57041fbdf15db6336542384a4b36f1f387299 Mon 
Sep 17 00:00:00 2001 -From: Andy Lutomirski -Date: Thu, 16 Mar 2017 12:59:39 -0700 -Subject: [PATCH 099/251] x86/perf: Fix CR4.PCE propagation to use active_mm - instead of mm -Content-Length: 1726 -Lines: 44 - -commit 5dc855d44c2ad960a86f593c60461f1ae1566b6d upstream. - -If one thread mmaps a perf event while another thread in the same mm -is in some context where active_mm != mm (which can happen in the -scheduler, for example), refresh_pce() would write the wrong value -to CR4.PCE. This broke some PAPI tests. - -Reported-and-tested-by: Vince Weaver -Signed-off-by: Andy Lutomirski -Cc: Alexander Shishkin -Cc: Arnaldo Carvalho de Melo -Cc: Borislav Petkov -Cc: H. Peter Anvin -Cc: Jiri Olsa -Cc: Linus Torvalds -Cc: Peter Zijlstra -Cc: Stephane Eranian -Cc: Thomas Gleixner -Cc: stable@vger.kernel.org -Fixes: 7911d3f7af14 ("perf/x86: Only allow rdpmc if a perf_event is mapped") -Link: http://lkml.kernel.org/r/0c5b38a76ea50e405f9abe07a13dfaef87c173a1.1489694270.git.luto@kernel.org -Signed-off-by: Ingo Molnar -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kernel/cpu/perf_event.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c -index 1a8256dd6729..5b2f2306fbcc 100644 ---- a/arch/x86/kernel/cpu/perf_event.c -+++ b/arch/x86/kernel/cpu/perf_event.c -@@ -1996,8 +1996,8 @@ static int x86_pmu_event_init(struct perf_event *event) - - static void refresh_pce(void *ignored) - { -- if (current->mm) -- load_mm_cr4(current->mm); -+ if (current->active_mm) -+ load_mm_cr4(current->active_mm); - } - - static void x86_pmu_event_mapped(struct perf_event *event) --- -2.12.2 - From 0136bca4e0f65075b0b4716a270f8b04c6c46abc Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 22 Mar 2017 12:17:51 +0100 
@@ -880,355 +769,6 @@ index d9cc21df444d..cf9303a5d621 100644 -- 2.12.2 -From 12e1a3cd11ea373143e957cf9698a26a4e43f4a6 Mon Sep 17 00:00:00 2001 -From: "Manoj N. Kumar" -Date: Fri, 4 Mar 2016 15:55:20 -0600 -Subject: [PATCH 108/251] cxlflash: Increase cmd_per_lun for better throughput -Content-Length: 2593 -Lines: 71 - -commit 83430833b4d4a9c9b23964babbeb1f36450f8136 upstream. - -With the current value of cmd_per_lun at 16, the throughput -over a single adapter is limited to around 150kIOPS. - -Increase the value of cmd_per_lun to 256 to improve -throughput. With this change a single adapter is able to -attain close to the maximum throughput (380kIOPS). -Also change the number of RRQ entries that can be queued. - -Signed-off-by: Manoj N. Kumar -Acked-by: Matthew R. Ochs -Reviewed-by: Uma Krishnan -Signed-off-by: Martin K. Petersen -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/cxlflash/common.h | 8 +++++--- - drivers/scsi/cxlflash/main.c | 2 +- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/drivers/scsi/cxlflash/common.h b/drivers/scsi/cxlflash/common.h -index 5ada9268a450..a8ac4c0a1493 100644 ---- a/drivers/scsi/cxlflash/common.h -+++ b/drivers/scsi/cxlflash/common.h -@@ -34,7 +34,6 @@ extern const struct file_operations cxlflash_cxl_fops; - sectors - */ - --#define NUM_RRQ_ENTRY 16 /* for master issued cmds */ - #define MAX_RHT_PER_CONTEXT (PAGE_SIZE / sizeof(struct sisl_rht_entry)) - - /* AFU command retry limit */ -@@ -48,9 +47,12 @@ extern const struct file_operations cxlflash_cxl_fops; - index derivation - */ - --#define CXLFLASH_MAX_CMDS 16 -+#define CXLFLASH_MAX_CMDS 256 - #define CXLFLASH_MAX_CMDS_PER_LUN CXLFLASH_MAX_CMDS - -+/* RRQ for master issued cmds */ -+#define NUM_RRQ_ENTRY CXLFLASH_MAX_CMDS -+ - - static inline void check_sizes(void) - { -@@ -149,7 +151,7 @@ struct afu_cmd { - struct afu { - /* Stuff requiring alignment go first. 
*/ - -- u64 rrq_entry[NUM_RRQ_ENTRY]; /* 128B RRQ */ -+ u64 rrq_entry[NUM_RRQ_ENTRY]; /* 2K RRQ */ - /* - * Command & data for AFU commands. - */ -diff --git a/drivers/scsi/cxlflash/main.c b/drivers/scsi/cxlflash/main.c -index c86847c68448..2882bcac918a 100644 ---- a/drivers/scsi/cxlflash/main.c -+++ b/drivers/scsi/cxlflash/main.c -@@ -2305,7 +2305,7 @@ static struct scsi_host_template driver_template = { - .eh_device_reset_handler = cxlflash_eh_device_reset_handler, - .eh_host_reset_handler = cxlflash_eh_host_reset_handler, - .change_queue_depth = cxlflash_change_queue_depth, -- .cmd_per_lun = 16, -+ .cmd_per_lun = CXLFLASH_MAX_CMDS_PER_LUN, - .can_queue = CXLFLASH_MAX_CMDS, - .this_id = -1, - .sg_tablesize = SG_NONE, /* No scatter gather support */ --- -2.12.2 - -From 962c66c74184b1c7927f5906c9848e605fe8b236 Mon Sep 17 00:00:00 2001 -From: Alex Hung -Date: Fri, 27 May 2016 15:47:06 +0800 -Subject: [PATCH 109/251] ACPI / video: skip evaluating _DOD when it does not - exist -Content-Length: 1067 -Lines: 30 - -commit e34fbbac669de0b7fb7803929d0477f35f6e2833 upstream. - -Some system supports hybrid graphics and its discrete VGA -does not have any connectors and therefore has no _DOD method. - -Signed-off-by: Alex Hung -Reviewed-by: Aaron Lu -Signed-off-by: Rafael J. 
Wysocki -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/acpi_video.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c -index 5fdac394207a..549cdbed7b0e 100644 ---- a/drivers/acpi/acpi_video.c -+++ b/drivers/acpi/acpi_video.c -@@ -1211,6 +1211,9 @@ static int acpi_video_device_enumerate(struct acpi_video_bus *video) - union acpi_object *dod = NULL; - union acpi_object *obj; - -+ if (!video->cap._DOD) -+ return AE_NOT_EXIST; -+ - status = acpi_evaluate_object(video->device->handle, "_DOD", NULL, &buffer); - if (!ACPI_SUCCESS(status)) { - ACPI_EXCEPTION((AE_INFO, status, "Evaluating _DOD")); --- -2.12.2 - -From 3787a071d145055a89442cf614ceec39c315bc9f Mon Sep 17 00:00:00 2001 -From: Mika Westerberg -Date: Mon, 22 Aug 2016 14:42:52 +0300 -Subject: [PATCH 110/251] pinctrl: cherryview: Do not mask all interrupts in - probe -Content-Length: 2194 -Lines: 52 - -commit bcb48cca23ec9852739e4a464307fa29515bbe48 upstream. - -The Cherryview GPIO controller has 8 or 16 wires connected to the I/O-APIC -which can be used directly by the platform/BIOS or drivers. One such wire -is used as SCI (System Control Interrupt) which ACPI depends on to be able -to trigger GPEs (General Purpose Events). - -The pinctrl driver itself uses another IRQ resource which is wire OR of all -the 8 (or 16) wires and follows what BIOS has programmed to the IntSel -register of each pin. - -Currently the driver masks all interrupts at probe time and this prevents -these direct interrupts from working as expected. The reason for this is -that some early stage prototypes had some pins misconfigured causing lots -of spurious interrupts. - -We fix this by leaving the interrupt mask untouched. This allows SCI and -other direct interrupts work properly. What comes to the possible spurious -interrupts we switch the default handler to be handle_bad_irq() instead of -handle_simple_irq() (which was not correct anyway). 
- -Reported-by: Yu C Chen -Reported-by: Anisse Astier -Signed-off-by: Mika Westerberg -Signed-off-by: Linus Walleij -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/pinctrl/intel/pinctrl-cherryview.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/drivers/pinctrl/intel/pinctrl-cherryview.c b/drivers/pinctrl/intel/pinctrl-cherryview.c -index a009ae34c5ef..930f0f25c1ce 100644 ---- a/drivers/pinctrl/intel/pinctrl-cherryview.c -+++ b/drivers/pinctrl/intel/pinctrl-cherryview.c -@@ -1466,12 +1466,11 @@ static int chv_gpio_probe(struct chv_pinctrl *pctrl, int irq) - offset += range->npins; - } - -- /* Mask and clear all interrupts */ -- chv_writel(0, pctrl->regs + CHV_INTMASK); -+ /* Clear all interrupts */ - chv_writel(0xffff, pctrl->regs + CHV_INTSTAT); - - ret = gpiochip_irqchip_add(chip, &chv_gpio_irqchip, 0, -- handle_simple_irq, IRQ_TYPE_NONE); -+ handle_bad_irq, IRQ_TYPE_NONE); - if (ret) { - dev_err(pctrl->dev, "failed to add IRQ chip\n"); - goto fail; --- -2.12.2 - -From 0a2512768f1683514ef964e2e0767458baef14de Mon Sep 17 00:00:00 2001 -From: Vitaly Kuznetsov -Date: Sat, 30 Apr 2016 19:21:35 -0700 -Subject: [PATCH 111/251] Drivers: hv: balloon: don't crash when memory is - added in non-sorted order -Content-Length: 1762 -Lines: 43 - -commit 77c0c9735bc0ba5898e637a3a20d6bcb50e3f67d upstream. - -When we iterate through all HA regions in handle_pg_range() we have an -assumption that all these regions are sorted in the list and the -'start_pfn >= has->end_pfn' check is enough to find the proper region. -Unfortunately it's not the case with WS2016 where host can hot-add regions -in a different order. We end up modifying the wrong HA region and crashing -later on pages online. Modify the check to make sure we found the region -we were searching for while iterating. Fix the same check in pfn_covered() -as well. - -Signed-off-by: Vitaly Kuznetsov -Signed-off-by: K. Y. 
Srinivasan -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hv/hv_balloon.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c -index b853b4b083bd..43af91362be5 100644 ---- a/drivers/hv/hv_balloon.c -+++ b/drivers/hv/hv_balloon.c -@@ -714,7 +714,7 @@ static bool pfn_covered(unsigned long start_pfn, unsigned long pfn_cnt) - * If the pfn range we are dealing with is not in the current - * "hot add block", move on. - */ -- if ((start_pfn >= has->end_pfn)) -+ if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn) - continue; - /* - * If the current hot add-request extends beyond -@@ -768,7 +768,7 @@ static unsigned long handle_pg_range(unsigned long pg_start, - * If the pfn range we are dealing with is not in the current - * "hot add block", move on. - */ -- if ((start_pfn >= has->end_pfn)) -+ if (start_pfn < has->start_pfn || start_pfn >= has->end_pfn) - continue; - - old_covered_state = has->covered_end_pfn; --- -2.12.2 - -From b1a0f744f8e63fbef10dc84029e9d213e03a3a18 Mon Sep 17 00:00:00 2001 -From: Vitaly Kuznetsov -Date: Fri, 3 Jun 2016 17:09:22 -0700 -Subject: [PATCH 112/251] Drivers: hv: avoid vfree() on crash -Content-Length: 3254 -Lines: 110 - -commit a9f61ca793becabdefab03b77568d6c6f8c1bc79 upstream. - -When we crash from NMI context (e.g. after NMI injection from host when -'sysctl -w kernel.unknown_nmi_panic=1' is set) we hit - - kernel BUG at mm/vmalloc.c:1530! - -as vfree() is denied. While the issue could be solved with in_nmi() check -instead I opted for skipping vfree on all sorts of crashes to reduce the -amount of work which can cause consequent crashes. We don't really need to -free anything on crash. - -Signed-off-by: Vitaly Kuznetsov -Signed-off-by: K. Y. 
Srinivasan -Cc: Sumit Semwal -Signed-off-by: Greg Kroah-Hartman ---- - drivers/hv/hv.c | 8 +++++--- - drivers/hv/hyperv_vmbus.h | 2 +- - drivers/hv/vmbus_drv.c | 8 ++++---- - 3 files changed, 10 insertions(+), 8 deletions(-) - -diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c -index 57c191798699..ddbf7e7e0d98 100644 ---- a/drivers/hv/hv.c -+++ b/drivers/hv/hv.c -@@ -274,7 +274,7 @@ cleanup: - * - * This routine is called normally during driver unloading or exiting. - */ --void hv_cleanup(void) -+void hv_cleanup(bool crash) - { - union hv_x64_msr_hypercall_contents hypercall_msr; - -@@ -284,7 +284,8 @@ void hv_cleanup(void) - if (hv_context.hypercall_page) { - hypercall_msr.as_uint64 = 0; - wrmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64); -- vfree(hv_context.hypercall_page); -+ if (!crash) -+ vfree(hv_context.hypercall_page); - hv_context.hypercall_page = NULL; - } - -@@ -304,7 +305,8 @@ void hv_cleanup(void) - - hypercall_msr.as_uint64 = 0; - wrmsrl(HV_X64_MSR_REFERENCE_TSC, hypercall_msr.as_uint64); -- vfree(hv_context.tsc_page); -+ if (!crash) -+ vfree(hv_context.tsc_page); - hv_context.tsc_page = NULL; - } - #endif -diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h -index 12156db2e88e..75e383e6d03d 100644 ---- a/drivers/hv/hyperv_vmbus.h -+++ b/drivers/hv/hyperv_vmbus.h -@@ -581,7 +581,7 @@ struct hv_ring_buffer_debug_info { - - extern int hv_init(void); - --extern void hv_cleanup(void); -+extern void hv_cleanup(bool crash); - - extern int hv_post_message(union hv_connection_id connection_id, - enum hv_message_type message_type, -diff --git a/drivers/hv/vmbus_drv.c b/drivers/hv/vmbus_drv.c -index 509ed9731630..802dcb409030 100644 ---- a/drivers/hv/vmbus_drv.c -+++ b/drivers/hv/vmbus_drv.c -@@ -889,7 +889,7 @@ err_alloc: - bus_unregister(&hv_bus); - - err_cleanup: -- hv_cleanup(); -+ hv_cleanup(false); - - return ret; - } -@@ -1254,7 +1254,7 @@ static void hv_kexec_handler(void) - vmbus_initiate_unload(); - for_each_online_cpu(cpu) - 
smp_call_function_single(cpu, hv_synic_cleanup, NULL, 1); -- hv_cleanup(); -+ hv_cleanup(false); - }; - - static void hv_crash_handler(struct pt_regs *regs) -@@ -1266,7 +1266,7 @@ static void hv_crash_handler(struct pt_regs *regs) - * for kdump. - */ - hv_synic_cleanup(NULL); -- hv_cleanup(); -+ hv_cleanup(true); - }; - - static int __init hv_acpi_init(void) -@@ -1330,7 +1330,7 @@ static void __exit vmbus_exit(void) - &hyperv_panic_block); - } - bus_unregister(&hv_bus); -- hv_cleanup(); -+ hv_cleanup(false); - for_each_online_cpu(cpu) { - tasklet_kill(hv_context.event_dpc[cpu]); - smp_call_function_single(cpu, hv_synic_cleanup, NULL, 1); --- -2.12.2 - From e2d9577854f5a5469bcf7a3d1b17ca5e9b9ba673 Mon Sep 17 00:00:00 2001 From: Ross Lagerwall Date: Fri, 22 Apr 2016 13:05:31 +0100 @@ -1661,6 +1201,7 @@ From 4cb0c0b73d1c79a8ce260836b3f27650aa1c57f1 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Thu, 2 Mar 2017 12:17:22 -0800 Subject: [PATCH 120/251] give up on gcc ilog2() constant optimizations +Status: RO Content-Length: 4200 Lines: 125 
@@ -1901,43 +1442,6 @@ index 8412ce5f93a7..86fa9fdc8323 100644 -- 2.12.2 -From b24473976b985fd1c1d57a9ea934f9792bf654cc Mon Sep 17 00:00:00 2001 -From: Michael Ellerman -Date: Tue, 7 Mar 2017 16:14:49 +1100 -Subject: [PATCH 123/251] powerpc/boot: Fix zImage TOC alignment -Content-Length: 925 -Lines: 29 - -commit 97ee351b50a49717543533cfb85b4bf9d88c9680 upstream. - -Recent toolchains force the TOC to be 256 byte aligned. We need to -enforce this alignment in the zImage linker script, otherwise pointers -to our TOC variables (__toc_start) could be incorrect. If the actual -start of the TOC and __toc_start don't have the same value we crash -early in the zImage wrapper. - -Suggested-by: Alan Modra -Signed-off-by: Michael Ellerman -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/boot/zImage.lds.S | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/powerpc/boot/zImage.lds.S b/arch/powerpc/boot/zImage.lds.S -index 861e72109df2..f080abfc2f83 100644 ---- a/arch/powerpc/boot/zImage.lds.S -+++ b/arch/powerpc/boot/zImage.lds.S -@@ -68,6 +68,7 @@ SECTIONS - } - - #ifdef CONFIG_PPC64_BOOT_WRAPPER -+ . = ALIGN(256); - .got : - { - __toc_start = .; --- -2.12.2 - From 582f548924cdda2dadf842020075f6b2525421d2 Mon Sep 17 00:00:00 2001 From: Shaohua Li Date: Tue, 28 Feb 2017 13:00:20 -0800 
@@ -3930,198 +3434,6 @@ index 45b466e3bbe8..0146e2c74649 100644 -- 2.12.2 -From b55ffcb1bc8a9c40db928f568ef61016ac681c29 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Tue, 21 Mar 2017 13:56:04 +0100 -Subject: [PATCH 154/251] ALSA: seq: Fix racy cell insertions during - snd_seq_pool_done() -Content-Length: 3599 -Lines: 105 - -commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream. - -When snd_seq_pool_done() is called, it marks the closing flag to -refuse the further cell insertions. But snd_seq_pool_done() itself -doesn't clear the cells but just waits until all cells are cleared by -the caller side. That is, it's racy, and this leads to the endless -stall as syzkaller spotted. - -This patch addresses the racy by splitting the setup of pool->closing -flag out of snd_seq_pool_done(), and calling it properly before -snd_seq_pool_done(). - -BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com -Reported-and-tested-by: Dmitry Vyukov -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/core/seq/seq_clientmgr.c | 1 + - sound/core/seq/seq_fifo.c | 3 +++ - sound/core/seq/seq_memory.c | 17 +++++++++++++---- - sound/core/seq/seq_memory.h | 1 + - 4 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/sound/core/seq/seq_clientmgr.c b/sound/core/seq/seq_clientmgr.c -index 58e79e02f217..c67f9c212dd1 100644 ---- a/sound/core/seq/seq_clientmgr.c -+++ b/sound/core/seq/seq_clientmgr.c -@@ -1921,6 +1921,7 @@ static int snd_seq_ioctl_set_client_pool(struct snd_seq_client *client, - info.output_pool != client->pool->size)) { - if (snd_seq_write_pool_allocated(client)) { - /* remove all existing cells */ -+ snd_seq_pool_mark_closing(client->pool); - snd_seq_queue_client_leave_cells(client->number); - snd_seq_pool_done(client->pool); - } -diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c -index 86240d02b530..3f4efcb85df5 100644 ---- a/sound/core/seq/seq_fifo.c -+++ 
b/sound/core/seq/seq_fifo.c -@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_fifo **fifo) - return; - *fifo = NULL; - -+ if (f->pool) -+ snd_seq_pool_mark_closing(f->pool); -+ - snd_seq_fifo_clear(f); - - /* wake up clients if any */ -diff --git a/sound/core/seq/seq_memory.c b/sound/core/seq/seq_memory.c -index dfa5156f3585..5847c4475bf3 100644 ---- a/sound/core/seq/seq_memory.c -+++ b/sound/core/seq/seq_memory.c -@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_pool *pool) - return 0; - } - -+/* refuse the further insertion to the pool */ -+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool) -+{ -+ unsigned long flags; -+ -+ if (snd_BUG_ON(!pool)) -+ return; -+ spin_lock_irqsave(&pool->lock, flags); -+ pool->closing = 1; -+ spin_unlock_irqrestore(&pool->lock, flags); -+} -+ - /* remove events */ - int snd_seq_pool_done(struct snd_seq_pool *pool) - { -@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_pool *pool) - return -EINVAL; - - /* wait for closing all threads */ -- spin_lock_irqsave(&pool->lock, flags); -- pool->closing = 1; -- spin_unlock_irqrestore(&pool->lock, flags); -- - if (waitqueue_active(&pool->output_sleep)) - wake_up(&pool->output_sleep); - -@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_pool **ppool) - *ppool = NULL; - if (pool == NULL) - return 0; -+ snd_seq_pool_mark_closing(pool); - snd_seq_pool_done(pool); - kfree(pool); - return 0; -diff --git a/sound/core/seq/seq_memory.h b/sound/core/seq/seq_memory.h -index 4a2ec779b8a7..32f959c17786 100644 ---- a/sound/core/seq/seq_memory.h -+++ b/sound/core/seq/seq_memory.h -@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(struct snd_seq_pool *pool) - int snd_seq_pool_init(struct snd_seq_pool *pool); - - /* done pool - free events */ -+void snd_seq_pool_mark_closing(struct snd_seq_pool *pool); - int snd_seq_pool_done(struct snd_seq_pool *pool); - - /* create pool */ --- -2.12.2 - -From ed00b613bbcb7af32fbdd87e3c985c00e2c9c5a3 Mon Sep 17 00:00:00 2001 
-From: Takashi Iwai -Date: Mon, 20 Mar 2017 10:08:19 +0100 -Subject: [PATCH 155/251] ALSA: ctxfi: Fix the incorrect check of - dma_set_mask() call -Content-Length: 1225 -Lines: 32 - -commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream. - -In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit], -I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while -cthw20k2.c is OK). This patch fixes that obvious bug. - -(As a side note: although the original commit was completely wrong, - it's still working for most of machines, as it sets to 32bit DMA mask - in the end. So the bug severity is low.) - -Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit") -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/ctxfi/cthw20k1.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/pci/ctxfi/cthw20k1.c b/sound/pci/ctxfi/cthw20k1.c -index ab4cdab5cfa5..79edd88d5cd0 100644 ---- a/sound/pci/ctxfi/cthw20k1.c -+++ b/sound/pci/ctxfi/cthw20k1.c -@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw) - return err; - - /* Set DMA transfer mask */ -- if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { -+ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { - dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits)); - } else { - dma_set_mask(&pci->dev, DMA_BIT_MASK(32)); --- -2.12.2 - -From 1ea551eec703102af8db2c2dcc99fc660baa3602 Mon Sep 17 00:00:00 2001 -From: Hui Wang -Date: Thu, 23 Mar 2017 10:00:25 +0800 -Subject: [PATCH 156/251] ALSA: hda - Adding a group of pin definition to fix - headset problem -Content-Length: 1089 -Lines: 28 - -commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream. - -A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to -fix the headset problem, and the pin definiton of this machine is not -in the pin quirk table yet, now adding it to the table. 
- -Signed-off-by: Hui Wang -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index cf0785ddbd14..1d4f34379f56 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -6040,6 +6040,8 @@ static const struct snd_hda_pin_quirk alc269_pin_fixup_tbl[] = { - ALC295_STANDARD_PINS, - {0x17, 0x21014040}, - {0x18, 0x21a19050}), -+ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, -+ ALC295_STANDARD_PINS), - SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, - ALC298_STANDARD_PINS, - {0x17, 0x90170110}), --- -2.12.2 - From 8f0f081647cc1c7e7ce6bea99a3b2ebb3604b1f1 Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Thu, 9 Mar 2017 11:32:28 -0600 
@@ -4816,177 +4128,6 @@ index f0fc6f7b5d98..0628372f3591 100644 -- 2.12.2 -From 2705b183263bd6e2969a648d2c7353716ca1d7a8 Mon Sep 17 00:00:00 2001 -From: Nicolas Ferre -Date: Tue, 14 Mar 2017 09:38:04 +0100 -Subject: [PATCH 178/251] ARM: at91: pm: cpu_idle: switch DDR to power-down - mode -Content-Length: 2385 -Lines: 64 - -commit 60b89f1928af80b546b5c3fd8714a62f6f4b8844 upstream. - -On some DDR controllers, compatible with the sama5d3 one, -the sequence to enter/exit/re-enter the self-refresh mode adds -more constrains than what is currently written in the at91_idle -driver. An actual access to the DDR chip is needed between exit -and re-enter of this mode which is somehow difficult to implement. -This sequence can completely hang the SoC. It is particularly -experienced on parts which embed a L2 cache if the code run -between IDLE calls fits in it... - -Moreover, as the intention is to enter and exit pretty rapidly -from IDLE, the power-down mode is a good candidate. - -So now we use power-down instead of self-refresh. As we can -simplify the code for sama5d3 compatible DDR controllers, -we instantiate a new sama5d3_ddr_standby() function. 
- -Signed-off-by: Nicolas Ferre -Fixes: 017b5522d5e3 ("ARM: at91: Add new binding for sama5d3-ddramc") -Signed-off-by: Alexandre Belloni -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/mach-at91/pm.c | 18 +++++++++++++++++- - 1 file changed, 17 insertions(+), 1 deletion(-) - -diff --git a/arch/arm/mach-at91/pm.c b/arch/arm/mach-at91/pm.c -index 23726fb31741..d687f860a2da 100644 ---- a/arch/arm/mach-at91/pm.c -+++ b/arch/arm/mach-at91/pm.c -@@ -286,6 +286,22 @@ static void at91_ddr_standby(void) - at91_ramc_write(1, AT91_DDRSDRC_LPR, saved_lpr1); - } - -+static void sama5d3_ddr_standby(void) -+{ -+ u32 lpr0; -+ u32 saved_lpr0; -+ -+ saved_lpr0 = at91_ramc_read(0, AT91_DDRSDRC_LPR); -+ lpr0 = saved_lpr0 & ~AT91_DDRSDRC_LPCB; -+ lpr0 |= AT91_DDRSDRC_LPCB_POWER_DOWN; -+ -+ at91_ramc_write(0, AT91_DDRSDRC_LPR, lpr0); -+ -+ cpu_do_idle(); -+ -+ at91_ramc_write(0, AT91_DDRSDRC_LPR, saved_lpr0); -+} -+ - /* We manage both DDRAM/SDRAM controllers, we need more than one value to - * remember. - */ -@@ -320,7 +336,7 @@ static const struct of_device_id const ramc_ids[] __initconst = { - { .compatible = "atmel,at91rm9200-sdramc", .data = at91rm9200_standby }, - { .compatible = "atmel,at91sam9260-sdramc", .data = at91sam9_sdram_standby }, - { .compatible = "atmel,at91sam9g45-ddramc", .data = at91_ddr_standby }, -- { .compatible = "atmel,sama5d3-ddramc", .data = at91_ddr_standby }, -+ { .compatible = "atmel,sama5d3-ddramc", .data = sama5d3_ddr_standby }, - { /*sentinel*/ } - }; - --- -2.12.2 - -From e1af444e52ce1b08cd6534e61f8da7aa55b31880 Mon Sep 17 00:00:00 2001 -From: Nicolas Ferre -Date: Tue, 26 Jan 2016 17:30:18 +0100 -Subject: [PATCH 179/251] ARM: dts: at91: sama5d2: add dma properties to UART - nodes -Content-Length: 3124 -Lines: 89 - -commit b1708b72a0959a032cd2eebb77fa9086ea3e0c84 upstream. - -The dmas/dma-names properties are added to the UART nodes. Note that additional -properties are needed to enable them at the board level: check bindings for -details. 
- -Signed-off-by: Nicolas Ferre -Signed-off-by: Alexandre Belloni -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/boot/dts/sama5d2.dtsi | 35 +++++++++++++++++++++++++++++++++++ - 1 file changed, 35 insertions(+) - -diff --git a/arch/arm/boot/dts/sama5d2.dtsi b/arch/arm/boot/dts/sama5d2.dtsi -index 4dfca8fc49b3..1bc61ece2589 100644 ---- a/arch/arm/boot/dts/sama5d2.dtsi -+++ b/arch/arm/boot/dts/sama5d2.dtsi -@@ -856,6 +856,13 @@ - compatible = "atmel,at91sam9260-usart"; - reg = <0xf801c000 0x100>; - interrupts = <24 IRQ_TYPE_LEVEL_HIGH 7>; -+ dmas = <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(35))>, -+ <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(36))>; -+ dma-names = "tx", "rx"; - clocks = <&uart0_clk>; - clock-names = "usart"; - status = "disabled"; -@@ -865,6 +872,13 @@ - compatible = "atmel,at91sam9260-usart"; - reg = <0xf8020000 0x100>; - interrupts = <25 IRQ_TYPE_LEVEL_HIGH 7>; -+ dmas = <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(37))>, -+ <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(38))>; -+ dma-names = "tx", "rx"; - clocks = <&uart1_clk>; - clock-names = "usart"; - status = "disabled"; -@@ -874,6 +888,13 @@ - compatible = "atmel,at91sam9260-usart"; - reg = <0xf8024000 0x100>; - interrupts = <26 IRQ_TYPE_LEVEL_HIGH 7>; -+ dmas = <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(39))>, -+ <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(40))>; -+ dma-names = "tx", "rx"; - clocks = <&uart2_clk>; - clock-names = "usart"; - status = "disabled"; -@@ -985,6 +1006,13 @@ - compatible = "atmel,at91sam9260-usart"; - reg = <0xfc008000 0x100>; - interrupts = <27 IRQ_TYPE_LEVEL_HIGH 7>; -+ dmas = <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(41))>, -+ <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | 
AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(42))>; -+ dma-names = "tx", "rx"; - clocks = <&uart3_clk>; - clock-names = "usart"; - status = "disabled"; -@@ -993,6 +1021,13 @@ - uart4: serial@fc00c000 { - compatible = "atmel,at91sam9260-usart"; - reg = <0xfc00c000 0x100>; -+ dmas = <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(43))>, -+ <&dma0 -+ (AT91_XDMAC_DT_MEM_IF(0) | AT91_XDMAC_DT_PER_IF(1) | -+ AT91_XDMAC_DT_PERID(44))>; -+ dma-names = "tx", "rx"; - interrupts = <28 IRQ_TYPE_LEVEL_HIGH 7>; - clocks = <&uart4_clk>; - clock-names = "usart"; --- -2.12.2 - From 17503963206584333b674740ba75b5079ea7e196 Mon Sep 17 00:00:00 2001 From: Viresh Kumar Date: Tue, 21 Mar 2017 11:36:06 +0530 
@@ -7718,374 +6859,13 @@ index 146264a41ec8..9736f9be5447 100644 -- 2.12.2 -From 6e174bbd0631865acc193804fa4043852f3198c5 Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:53 +0100 -Subject: [PATCH 215/251] c6x/ptrace: Remove useless PTRACE_SETREGSET - implementation -Content-Length: 2142 -Lines: 78 - -commit fb411b837b587a32046dc4f369acb93a10b1def8 upstream. - -gpr_set won't work correctly and can never have been tested, and the -correct behaviour is not clear due to the endianness-dependent task -layout. - -So, just remove it. The core code will now return -EOPNOTSUPPORT when -trying to set NT_PRSTATUS on this architecture until/unless a correct -implementation is supplied. - -Signed-off-by: Dave Martin -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/c6x/kernel/ptrace.c | 41 ----------------------------------------- - 1 file changed, 41 deletions(-) - -diff --git a/arch/c6x/kernel/ptrace.c b/arch/c6x/kernel/ptrace.c -index 3c494e84444d..a511ac16a8e3 100644 ---- a/arch/c6x/kernel/ptrace.c -+++ b/arch/c6x/kernel/ptrace.c -@@ -69,46 +69,6 @@ static int gpr_get(struct task_struct *target, - 0, sizeof(*regs)); - } - --static int gpr_set(struct task_struct *target, -- const struct user_regset *regset, -- unsigned int pos, unsigned int count, -- const void *kbuf, const void __user *ubuf) --{ -- int ret; -- struct pt_regs *regs = task_pt_regs(target); -- -- /* Don't copyin TSR or CSR */ -- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, -- ®s, -- 0, PT_TSR * sizeof(long)); -- if (ret) -- return ret; -- -- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, -- PT_TSR * sizeof(long), -- (PT_TSR + 1) * sizeof(long)); -- if (ret) -- return ret; -- -- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, -- ®s, -- (PT_TSR + 1) * sizeof(long), -- PT_CSR * sizeof(long)); -- if (ret) -- return ret; -- -- ret = user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf, -- PT_CSR * sizeof(long), -- (PT_CSR + 1) * 
sizeof(long)); -- if (ret) -- return ret; -- -- ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, -- ®s, -- (PT_CSR + 1) * sizeof(long), -1); -- return ret; --} -- - enum c6x_regset { - REGSET_GPR, - }; -@@ -120,7 +80,6 @@ static const struct user_regset c6x_regsets[] = { - .size = sizeof(u32), - .align = sizeof(u32), - .get = gpr_get, -- .set = gpr_set - }, - }; - --- -2.12.2 - -From e1dc8904b33b8c01f22d904fed4cb5f2060f5da3 Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:54 +0100 -Subject: [PATCH 216/251] h8300/ptrace: Fix incorrect register transfer count -Content-Length: 1903 -Lines: 51 - -commit 502585c7555083d4a949c08350306b9ec196779e upstream. - -regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun -if CONFIG_CPU_H8S is set, since this adds an extra entry to -register_offset[] but not to user_regs_struct. - -So, iterate over user_regs_struct based on its actual size, not based on -the length of register_offset[]. - -Signed-off-by: Dave Martin -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/h8300/kernel/ptrace.c | 8 +++++--- - 1 file changed, 5 insertions(+), 3 deletions(-) - -diff --git a/arch/h8300/kernel/ptrace.c b/arch/h8300/kernel/ptrace.c -index 92075544a19a..0dc1c8f622bc 100644 ---- a/arch/h8300/kernel/ptrace.c -+++ b/arch/h8300/kernel/ptrace.c -@@ -95,7 +95,8 @@ static int regs_get(struct task_struct *target, - long *reg = (long *)®s; - - /* build user regs in buffer */ -- for (r = 0; r < ARRAY_SIZE(register_offset); r++) -+ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); -+ for (r = 0; r < sizeof(regs) / sizeof(long); r++) - *reg++ = h8300_get_reg(target, r); - - return user_regset_copyout(&pos, &count, &kbuf, &ubuf, -@@ -113,7 +114,8 @@ static int regs_set(struct task_struct *target, - long *reg; - - /* build user regs in buffer */ -- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) -+ BUILD_BUG_ON(sizeof(regs) % sizeof(long) != 0); -+ for (reg = (long 
*)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) - *reg++ = h8300_get_reg(target, r); - - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, -@@ -122,7 +124,7 @@ static int regs_set(struct task_struct *target, - return ret; - - /* write back to pt_regs */ -- for (reg = (long *)®s, r = 0; r < ARRAY_SIZE(register_offset); r++) -+ for (reg = (long *)®s, r = 0; r < sizeof(regs) / sizeof(long); r++) - h8300_put_reg(target, r, *reg++); - return 0; - } --- -2.12.2 - -From c8693666856c0db4a1e07235d98ce0b3bde98d9e Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:58 +0100 -Subject: [PATCH 217/251] mips/ptrace: Preserve previous registers for short - regset write -Content-Length: 1082 -Lines: 28 - -commit d614fd58a2834cfe4efa472c33c8f3ce2338b09b upstream. - -Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET -to fill all the registers, the thread's old registers are preserved. - -Signed-off-by: Dave Martin -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/mips/kernel/ptrace.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c -index 74d581569778..c95bf18260f8 100644 ---- a/arch/mips/kernel/ptrace.c -+++ b/arch/mips/kernel/ptrace.c -@@ -485,7 +485,8 @@ static int fpr_set(struct task_struct *target, - &target->thread.fpu, - 0, sizeof(elf_fpregset_t)); - -- for (i = 0; i < NUM_FPU_REGS; i++) { -+ BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t)); -+ for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) { - err = user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &fpr_val, i * sizeof(elf_fpreg_t), - (i + 1) * sizeof(elf_fpreg_t)); --- -2.12.2 - -From 962b95a88574359b081e24815fae6aba92fff98d Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:59 +0100 -Subject: [PATCH 218/251] sparc/ptrace: Preserve previous registers for short - regset write -Content-Length: 923 -Lines: 28 - -commit 
d3805c546b275c8cc7d40f759d029ae92c7175f2 upstream. - -Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET -to fill all the registers, the thread's old registers are preserved. - -Signed-off-by: Dave Martin -Acked-by: David S. Miller -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/sparc/kernel/ptrace_64.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c -index 9ddc4928a089..c1566170964f 100644 ---- a/arch/sparc/kernel/ptrace_64.c -+++ b/arch/sparc/kernel/ptrace_64.c -@@ -311,7 +311,7 @@ static int genregs64_set(struct task_struct *target, - } - - if (!ret) { -- unsigned long y; -+ unsigned long y = regs->y; - - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &y, --- -2.12.2 - -From 2d9bc3695012f1ef7465f56302c1e60c48dccde8 Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:55 +0100 -Subject: [PATCH 219/251] metag/ptrace: Preserve previous registers for short - regset write -Content-Length: 976 -Lines: 28 - -commit a78ce80d2c9178351b34d78fec805140c29c193e upstream. - -Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET -to fill all the registers, the thread's old registers are preserved. 
- -Signed-off-by: Dave Martin -Acked-by: James Hogan -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/metag/kernel/ptrace.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c -index 7563628822bd..ae659ba61948 100644 ---- a/arch/metag/kernel/ptrace.c -+++ b/arch/metag/kernel/ptrace.c -@@ -303,7 +303,7 @@ static int metag_tls_set(struct task_struct *target, - const void *kbuf, const void __user *ubuf) - { - int ret; -- void __user *tls; -+ void __user *tls = target->thread.tls_ptr; - - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, &tls, 0, -1); - if (ret) --- -2.12.2 - -From e441102d8c074d63d44329a59f3278573cdc1477 Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:56 +0100 -Subject: [PATCH 220/251] metag/ptrace: Provide default TXSTATUS for short - NT_PRSTATUS -Content-Length: 1755 -Lines: 56 - -commit 5fe81fe98123ce41265c65e95d34418d30d005d1 upstream. - -Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET -to fill TXSTATUS, a well-defined default value is used, based on the -task's current value. - -Suggested-by: James Hogan -Signed-off-by: Dave Martin -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/metag/kernel/ptrace.c | 15 ++++++++++++--- - 1 file changed, 12 insertions(+), 3 deletions(-) - -diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c -index ae659ba61948..2e4dfc15abd3 100644 ---- a/arch/metag/kernel/ptrace.c -+++ b/arch/metag/kernel/ptrace.c -@@ -24,6 +24,16 @@ - * user_regset definitions. 
- */ - -+static unsigned long user_txstatus(const struct pt_regs *regs) -+{ -+ unsigned long data = (unsigned long)regs->ctx.Flags; -+ -+ if (regs->ctx.SaveMask & TBICTX_CBUF_BIT) -+ data |= USER_GP_REGS_STATUS_CATCH_BIT; -+ -+ return data; -+} -+ - int metag_gp_regs_copyout(const struct pt_regs *regs, - unsigned int pos, unsigned int count, - void *kbuf, void __user *ubuf) -@@ -62,9 +72,7 @@ int metag_gp_regs_copyout(const struct pt_regs *regs, - if (ret) - goto out; - /* TXSTATUS */ -- data = (unsigned long)regs->ctx.Flags; -- if (regs->ctx.SaveMask & TBICTX_CBUF_BIT) -- data |= USER_GP_REGS_STATUS_CATCH_BIT; -+ data = user_txstatus(regs); - ret = user_regset_copyout(&pos, &count, &kbuf, &ubuf, - &data, 4*25, 4*26); - if (ret) -@@ -119,6 +127,7 @@ int metag_gp_regs_copyin(struct pt_regs *regs, - if (ret) - goto out; - /* TXSTATUS */ -+ data = user_txstatus(regs); - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &data, 4*25, 4*26); - if (ret) --- -2.12.2 - -From 573341eba9c44b0b2198373cb453bbbb5b3f066a Mon Sep 17 00:00:00 2001 -From: Dave Martin -Date: Mon, 27 Mar 2017 15:10:57 +0100 -Subject: [PATCH 221/251] metag/ptrace: Reject partial NT_METAG_RPIPE writes -Content-Length: 1069 -Lines: 31 - -commit 7195ee3120d878259e8d94a5d9f808116f34d5ea upstream. - -It's not clear what behaviour is sensible when doing partial write of -NT_METAG_RPIPE, so just don't bother. - -This patch assumes that userspace will never rely on a partial SETREGSET -in this case, since it's not clear what should happen anyway. 
- -Signed-off-by: Dave Martin -Acked-by: James Hogan -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/metag/kernel/ptrace.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/metag/kernel/ptrace.c b/arch/metag/kernel/ptrace.c -index 2e4dfc15abd3..5e2dc7defd2c 100644 ---- a/arch/metag/kernel/ptrace.c -+++ b/arch/metag/kernel/ptrace.c -@@ -253,6 +253,8 @@ int metag_rp_state_copyin(struct pt_regs *regs, - unsigned long long *ptr; - int ret, i; - -+ if (count < 4*13) -+ return -EINVAL; - /* Read the entire pipeline before making any changes */ - ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, - &rp, 0, 4*13); --- -2.12.2 - -From 7a5202190810dde1467718235c1f650fcf57592a Mon Sep 17 00:00:00 2001 -From: Eric Biggers -Date: Tue, 21 Feb 2017 15:07:11 -0800 -Subject: [PATCH 222/251] fscrypt: remove broken support for detecting keyring - key revocation -Content-Length: 10256 -Lines: 300 +From 7a5202190810dde1467718235c1f650fcf57592a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 21 Feb 2017 15:07:11 -0800 +Subject: [PATCH 222/251] fscrypt: remove broken support for detecting keyring + key revocation +Content-Length: 10256 +Lines: 300 commit 1b53cf9815bb4744958d41f3795d5d5a1d365e2d upstream. 
@@ -8899,157 +7679,6 @@ index 9c706d8c1441..6f5e2720ffad 100644 -- 2.12.2 -From a90d7447e4a154ad26e3b9e09a0878680be49339 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Fri, 24 Mar 2017 17:07:57 +0100 -Subject: [PATCH 230/251] ALSA: seq: Fix race during FIFO resize -Content-Length: 1200 -Lines: 34 - -commit 2d7d54002e396c180db0c800c1046f0a3c471597 upstream. - -When a new event is queued while processing to resize the FIFO in -snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool -that is being queued gets removed. For avoiding this race, we need to -close the pool to be deleted and sync its usage before actually -deleting it. - -The issue was spotted by syzkaller. - -Reported-by: Dmitry Vyukov -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/core/seq/seq_fifo.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/sound/core/seq/seq_fifo.c b/sound/core/seq/seq_fifo.c -index 3f4efcb85df5..3490d21ab9e7 100644 ---- a/sound/core/seq/seq_fifo.c -+++ b/sound/core/seq/seq_fifo.c -@@ -265,6 +265,10 @@ int snd_seq_fifo_resize(struct snd_seq_fifo *f, int poolsize) - /* NOTE: overflow flag is not cleared */ - spin_unlock_irqrestore(&f->lock, flags); - -+ /* close the old pool and wait until all users are gone */ -+ snd_seq_pool_mark_closing(oldpool); -+ snd_use_lock_sync(&f->use_lock); -+ - /* release cells in old pool */ - for (cell = oldhead; cell; cell = next) { - next = cell->next; --- -2.12.2 - -From ce3dcfdbff04bab023806ef7a342c657ec08915d Mon Sep 17 00:00:00 2001 -From: Hui Wang -Date: Fri, 31 Mar 2017 10:31:40 +0800 -Subject: [PATCH 231/251] ALSA: hda - fix a problem for lineout on a Dell AIO - machine -Content-Length: 2380 -Lines: 64 - -commit 2f726aec19a9d2c63bec9a8a53a3910ffdcd09f8 upstream. - -On this Dell AIO machine, the lineout jack does not work. 
- -We found the pin 0x1a is assigned to lineout on this machine, and in -the past, we applied ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to fix the -heaset-set mic problem for this machine, this fixup will redefine -the pin 0x1a to headphone-mic, as a result the lineout doesn't -work anymore. - -After consulting with Dell, they told us this machine doesn't support -microphone via headset jack, so we add a new fixup which only defines -the pin 0x18 as the headset-mic. - -[rearranged the fixup insertion position by tiwai in order to make the - merge with other branches easier -- tiwai] - -Fixes: 59ec4b57bcae ("ALSA: hda - Fix headset mic detection problem for two dell machines") -Signed-off-by: Hui Wang -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/pci/hda/patch_realtek.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 1d4f34379f56..46a34039ecdc 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4831,6 +4831,7 @@ enum { - ALC292_FIXUP_DISABLE_AAMIX, - ALC293_FIXUP_DISABLE_AAMIX_MULTIJACK, - ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, -+ ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, - ALC275_FIXUP_DELL_XPS, - ALC256_FIXUP_DELL_XPS_13_HEADPHONE_NOISE, - ALC293_FIXUP_LENOVO_SPK_NOISE, -@@ -5429,6 +5430,15 @@ static const struct hda_fixup alc269_fixups[] = { - .chained = true, - .chain_id = ALC269_FIXUP_HEADSET_MODE - }, -+ [ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE] = { -+ .type = HDA_FIXUP_PINS, -+ .v.pins = (const struct hda_pintbl[]) { -+ { 0x18, 0x01a1913c }, /* use as headset mic, without its own jack detect */ -+ { } -+ }, -+ .chained = true, -+ .chain_id = ALC269_FIXUP_HEADSET_MODE -+ }, - [ALC275_FIXUP_DELL_XPS] = { - .type = HDA_FIXUP_VERBS, - .v.verbs = (const struct hda_verb[]) { -@@ -5501,7 +5511,7 @@ static const struct hda_fixup alc269_fixups[] = { - .type = HDA_FIXUP_FUNC, - .v.func = alc298_fixup_speaker_volume, 
- .chained = true, -- .chain_id = ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, -+ .chain_id = ALC298_FIXUP_DELL_AIO_MIC_NO_PRESENCE, - }, - [ALC256_FIXUP_DELL_INSPIRON_7559_SUBWOOFER] = { - .type = HDA_FIXUP_PINS, --- -2.12.2 - -From ab48ab614b8c83f3a3b0f83f7882b1d2766962d3 Mon Sep 17 00:00:00 2001 -From: Songjun Wu -Date: Fri, 24 Feb 2017 15:10:43 +0800 -Subject: [PATCH 232/251] ASoC: atmel-classd: fix audio clock rate -Content-Length: 994 -Lines: 28 - -commit cd3ac9affc43b44f49d7af70d275f0bd426ba643 upstream. - -Fix the audio clock rate according to the datasheet. - -Reported-by: Dushara Jayasinghe -Signed-off-by: Songjun Wu -Acked-by: Nicolas Ferre -Signed-off-by: Mark Brown -Signed-off-by: Greg Kroah-Hartman ---- - sound/soc/atmel/atmel-classd.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sound/soc/atmel/atmel-classd.c b/sound/soc/atmel/atmel-classd.c -index 8276675730ef..78a985629607 100644 ---- a/sound/soc/atmel/atmel-classd.c -+++ b/sound/soc/atmel/atmel-classd.c -@@ -343,7 +343,7 @@ static int atmel_classd_codec_dai_digital_mute(struct snd_soc_dai *codec_dai, - } - - #define CLASSD_ACLK_RATE_11M2896_MPY_8 (112896 * 100 * 8) --#define CLASSD_ACLK_RATE_12M288_MPY_8 (12228 * 1000 * 8) -+#define CLASSD_ACLK_RATE_12M288_MPY_8 (12288 * 1000 * 8) - - static struct { - int rate; --- -2.12.2 - From 3342857ac074768e14e361392ac09fbbd70d840e Mon Sep 17 00:00:00 2001 From: Josh Poimboeuf Date: Thu, 16 Mar 2017 08:56:28 -0500 
@@ -9563,487 +8192,61 @@ index 2e7f60c9fc5d..51cdc46a87e2 100644 -- 2.12.2 -From b3ed3864912e8809e228ddea259e8e0fa1deadf5 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= -Date: Sat, 2 Jul 2016 17:28:08 +0200 -Subject: [PATCH 242/251] rtc: s35390a: fix reading out alarm -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 3107 -Lines: 91 +From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001 +From: David Hildenbrand +Date: Thu, 23 Mar 2017 18:24:19 +0100 +Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail +Content-Length: 5392 +Lines: 167 -commit f87e904ddd8f0ef120e46045b0addeb1cc88354e upstream. +commit 90db10434b163e46da413d34db8d0e77404cc645 upstream. -There are several issues fixed in this patch: +No caller currently checks the return value of +kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on +freeing their device. A stale reference will remain in the io_bus, +getting at least used again, when the iobus gets teared down on +kvm_destroy_vm() - leading to use after free errors. - - When alarm isn't enabled, set .enabled to zero instead of returning - -EINVAL. - - Ignore how IRQ1 is configured when determining if IRQ2 is on. - - The three alarm registers have an enable flag which must be - evaluated. - - The chip always triggers when the seconds register gets 0. +There is nothing the callers could do, except retrying over and over +again. -Note that the rtc framework however doesn't handle the result correctly -because it doesn't check wday being initialized and so interprets an -alarm being set for 10:00 AM in three days as 10:00 AM tomorrow (or -today if that's not over yet). +So let's simply remove the bus altogether, print an error and make +sure no one can access this broken bus again (returning -ENOMEM on any +attempt to access it). 
-Signed-off-by: Uwe Kleine-König -Signed-off-by: Alexandre Belloni +Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU") +Reported-by: Dmitry Vyukov +Reviewed-by: Cornelia Huck +Signed-off-by: David Hildenbrand +Signed-off-by: Paolo Bonzini 
Signed-off-by: Greg Kroah-Hartman --- - drivers/rtc/rtc-s35390a.c | 40 +++++++++++++++++++++++++++++++--------- - 1 file changed, 31 insertions(+), 9 deletions(-) + include/linux/kvm_host.h | 4 ++-- + virt/kvm/eventfd.c | 3 ++- + virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++----------------- + 3 files changed, 27 insertions(+), 20 deletions(-) -diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c -index f40afdd0e5f5..6507a01cf9ad 100644 ---- a/drivers/rtc/rtc-s35390a.c -+++ b/drivers/rtc/rtc-s35390a.c -@@ -242,6 +242,8 @@ static int s35390a_set_alarm(struct i2c_client *client, struct rtc_wkalrm *alm) - - if (alm->time.tm_wday != -1) - buf[S35390A_ALRM_BYTE_WDAY] = bin2bcd(alm->time.tm_wday) | 0x80; -+ else -+ buf[S35390A_ALRM_BYTE_WDAY] = 0; - - buf[S35390A_ALRM_BYTE_HOURS] = s35390a_hr2reg(s35390a, - alm->time.tm_hour) | 0x80; -@@ -269,23 +271,43 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm) - if (err < 0) - return err; - -- if (bitrev8(sts) != S35390A_INT2_MODE_ALARM) -- return -EINVAL; -+ if ((bitrev8(sts) & S35390A_INT2_MODE_MASK) != S35390A_INT2_MODE_ALARM) { -+ /* -+ * When the alarm isn't enabled, the register to configure -+ * the alarm time isn't accessible. 
-+ */ -+ alm->enabled = 0; -+ return 0; -+ } else { -+ alm->enabled = 1; -+ } - - err = s35390a_get_reg(s35390a, S35390A_CMD_INT2_REG1, buf, sizeof(buf)); - if (err < 0) - return err; +diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h +index c923350ca20a..d7ce4e3280db 100644 +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr, + int len, void *val); + int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, + int len, struct kvm_io_device *dev); +-int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, +- struct kvm_io_device *dev); ++void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, ++ struct kvm_io_device *dev); - /* This chip returns the bits of each byte in reverse order */ -- for (i = 0; i < 3; ++i) { -+ for (i = 0; i < 3; ++i) - buf[i] = bitrev8(buf[i]); -- buf[i] &= ~0x80; -- } - -- alm->time.tm_wday = bcd2bin(buf[S35390A_ALRM_BYTE_WDAY]); -- alm->time.tm_hour = s35390a_reg2hr(s35390a, -- buf[S35390A_ALRM_BYTE_HOURS]); -- alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS]); -+ /* -+ * B0 of the three matching registers is an enable flag. Iff it is set -+ * the configured value is used for matching. 
-+ */ -+ if (buf[S35390A_ALRM_BYTE_WDAY] & 0x80) -+ alm->time.tm_wday = -+ bcd2bin(buf[S35390A_ALRM_BYTE_WDAY] & ~0x80); -+ -+ if (buf[S35390A_ALRM_BYTE_HOURS] & 0x80) -+ alm->time.tm_hour = -+ s35390a_reg2hr(s35390a, -+ buf[S35390A_ALRM_BYTE_HOURS] & ~0x80); -+ -+ if (buf[S35390A_ALRM_BYTE_MINS] & 0x80) -+ alm->time.tm_min = bcd2bin(buf[S35390A_ALRM_BYTE_MINS] & ~0x80); -+ -+ /* alarm triggers always at s=0 */ -+ alm->time.tm_sec = 0; - - dev_dbg(&client->dev, "%s: alm is mins=%d, hours=%d, wday=%d\n", - __func__, alm->time.tm_min, alm->time.tm_hour, --- -2.12.2 - -From fdd4bc9313e59a1757cfc8ac5836cff55ec03eeb Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= -Date: Mon, 3 Apr 2017 23:32:38 +0200 -Subject: [PATCH 243/251] rtc: s35390a: make sure all members in the output are - set -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 1582 -Lines: 45 - -The rtc core calls the .read_alarm with all fields initialized to 0. As -the s35390a driver doesn't touch some fields the returned date is -interpreted as a date in January 1900. So make sure all fields are set -to -1; some of them are then overwritten with the right data depending -on the hardware state. - -In mainline this is done by commit d68778b80dd7 ("rtc: initialize output -parameter for read alarm to "uninitialized"") in the core. This is -considered to dangerous for stable as it might have side effects for -other rtc drivers that might for example rely on alarm->time.tm_sec -being initialized to 0. 
- -Signed-off-by: Uwe Kleine-König -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/rtc-s35390a.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c -index 6507a01cf9ad..47b88bbe4ce7 100644 ---- a/drivers/rtc/rtc-s35390a.c -+++ b/drivers/rtc/rtc-s35390a.c -@@ -267,6 +267,20 @@ static int s35390a_read_alarm(struct i2c_client *client, struct rtc_wkalrm *alm) - char buf[3], sts; - int i, err; - -+ /* -+ * initialize all members to -1 to signal the core that they are not -+ * defined by the hardware. -+ */ -+ alm->time.tm_sec = -1; -+ alm->time.tm_min = -1; -+ alm->time.tm_hour = -1; -+ alm->time.tm_mday = -1; -+ alm->time.tm_mon = -1; -+ alm->time.tm_year = -1; -+ alm->time.tm_wday = -1; -+ alm->time.tm_yday = -1; -+ alm->time.tm_isdst = -1; -+ - err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS2, &sts, sizeof(sts)); - if (err < 0) - return err; --- -2.12.2 - -From a55ae9d1937b0bf4004e5416cfa15750cd6d2b22 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= -Date: Sat, 2 Jul 2016 17:28:09 +0200 -Subject: [PATCH 244/251] rtc: s35390a: implement reset routine as suggested by - the reference -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 3792 -Lines: 124 - -commit 8e6583f1b5d1f5f129b873f1428b7e414263d847 upstream. - -There were two deviations from the reference manual: you have to wait -half a second when POC is active and you might have to repeat -initialization when POC or BLD are still set after the sequence. - -Note however that as POC and BLD are cleared by read the driver might -not be able to detect that a reset is necessary. I don't have a good -idea how to fix this. - -Additionally report the value read from STATUS1 to the caller. This -prepares the next patch. 
- -Signed-off-by: Uwe Kleine-König -Signed-off-by: Alexandre Belloni -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/rtc-s35390a.c | 65 +++++++++++++++++++++++++++++++++++++++-------- - 1 file changed, 55 insertions(+), 10 deletions(-) - -diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c -index 47b88bbe4ce7..c7c1fce69635 100644 ---- a/drivers/rtc/rtc-s35390a.c -+++ b/drivers/rtc/rtc-s35390a.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - #define S35390A_CMD_STATUS1 0 - #define S35390A_CMD_STATUS2 1 -@@ -94,19 +95,63 @@ static int s35390a_get_reg(struct s35390a *s35390a, int reg, char *buf, int len) - return 0; - } - --static int s35390a_reset(struct s35390a *s35390a) -+/* -+ * Returns <0 on error, 0 if rtc is setup fine and 1 if the chip was reset. -+ * To keep the information if an irq is pending, pass the value read from -+ * STATUS1 to the caller. -+ */ -+static int s35390a_reset(struct s35390a *s35390a, char *status1) - { -- char buf[1]; -+ char buf; -+ int ret; -+ unsigned initcount = 0; - -- if (s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf)) < 0) -- return -EIO; -+ ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, status1, 1); -+ if (ret < 0) -+ return ret; - -- if (!(buf[0] & (S35390A_FLAG_POC | S35390A_FLAG_BLD))) -+ if (*status1 & S35390A_FLAG_POC) -+ /* -+ * Do not communicate for 0.5 seconds since the power-on -+ * detection circuit is in operation. -+ */ -+ msleep(500); -+ else if (!(*status1 & S35390A_FLAG_BLD)) -+ /* -+ * If both POC and BLD are unset everything is fine. -+ */ - return 0; - -- buf[0] |= (S35390A_FLAG_RESET | S35390A_FLAG_24H); -- buf[0] &= 0xf0; -- return s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf)); -+ /* -+ * At least one of POC and BLD are set, so reinitialise chip. Keeping -+ * this information in the hardware to know later that the time isn't -+ * valid is unfortunately not possible because POC and BLD are cleared -+ * on read. 
So the reset is best done now. -+ * -+ * The 24H bit is kept over reset, so set it already here. -+ */ -+initialize: -+ *status1 = S35390A_FLAG_24H; -+ buf = S35390A_FLAG_RESET | S35390A_FLAG_24H; -+ ret = s35390a_set_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1); -+ -+ if (ret < 0) -+ return ret; -+ -+ ret = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, &buf, 1); -+ if (ret < 0) -+ return ret; -+ -+ if (buf & (S35390A_FLAG_POC | S35390A_FLAG_BLD)) { -+ /* Try up to five times to reset the chip */ -+ if (initcount < 5) { -+ ++initcount; -+ goto initialize; -+ } else -+ return -EIO; -+ } -+ -+ return 1; - } - - static int s35390a_disable_test_mode(struct s35390a *s35390a) -@@ -367,7 +412,7 @@ static int s35390a_probe(struct i2c_client *client, - unsigned int i; - struct s35390a *s35390a; - struct rtc_time tm; -- char buf[1]; -+ char buf[1], status1; - - if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { - err = -ENODEV; -@@ -396,7 +441,7 @@ static int s35390a_probe(struct i2c_client *client, - } - } - -- err = s35390a_reset(s35390a); -+ err = s35390a_reset(s35390a, &status1); - if (err < 0) { - dev_err(&client->dev, "error resetting chip\n"); - goto exit_dummy; --- -2.12.2 - -From 3a1246b46df5210164ee43d4c5c560d0dc9ed2ce Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= -Date: Sat, 2 Jul 2016 17:28:10 +0200 -Subject: [PATCH 245/251] rtc: s35390a: improve irq handling -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit -Content-Length: 3693 -Lines: 120 - -commit 3bd32722c827d00eafe8e6d5b83e9f3148ea7c7e upstream. - -On some QNAP NAS devices the rtc can wake the machine. Several people -noticed that once the machine was woken this way it fails to shut down. -That's because the driver fails to acknowledge the interrupt and so it -keeps active and restarts the machine immediatly after shutdown. See -https://bugs.debian.org/794266 for a bug report. 
- -Doing this correctly requires to interpret the INT2 flag of the first read -of the STATUS1 register because this bit is cleared by read. - -Note this is not maximally robust though because a pending irq isn't -detected when the STATUS1 register was already read (and so INT2 is not -set) but the irq was not disabled. But that is a hardware imposed problem -that cannot easily be fixed by software. - -Signed-off-by: Uwe Kleine-König -Signed-off-by: Alexandre Belloni -Signed-off-by: Greg Kroah-Hartman ---- - drivers/rtc/rtc-s35390a.c | 48 ++++++++++++++++++++++++++++++----------------- - 1 file changed, 31 insertions(+), 17 deletions(-) - -diff --git a/drivers/rtc/rtc-s35390a.c b/drivers/rtc/rtc-s35390a.c -index c7c1fce69635..00662dd28d66 100644 ---- a/drivers/rtc/rtc-s35390a.c -+++ b/drivers/rtc/rtc-s35390a.c -@@ -35,10 +35,14 @@ - #define S35390A_ALRM_BYTE_HOURS 1 - #define S35390A_ALRM_BYTE_MINS 2 - -+/* flags for STATUS1 */ - #define S35390A_FLAG_POC 0x01 - #define S35390A_FLAG_BLD 0x02 -+#define S35390A_FLAG_INT2 0x04 - #define S35390A_FLAG_24H 0x40 - #define S35390A_FLAG_RESET 0x80 -+ -+/* flag for STATUS2 */ - #define S35390A_FLAG_TEST 0x01 - - #define S35390A_INT2_MODE_MASK 0xF0 -@@ -408,11 +412,11 @@ static struct i2c_driver s35390a_driver; - static int s35390a_probe(struct i2c_client *client, - const struct i2c_device_id *id) - { -- int err; -+ int err, err_reset; - unsigned int i; - struct s35390a *s35390a; - struct rtc_time tm; -- char buf[1], status1; -+ char buf, status1; - - if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C)) { - err = -ENODEV; -@@ -441,29 +445,35 @@ static int s35390a_probe(struct i2c_client *client, - } - } - -- err = s35390a_reset(s35390a, &status1); -- if (err < 0) { -+ err_reset = s35390a_reset(s35390a, &status1); -+ if (err_reset < 0) { -+ err = err_reset; - dev_err(&client->dev, "error resetting chip\n"); - goto exit_dummy; - } - -- err = s35390a_disable_test_mode(s35390a); -- if (err < 0) { -- dev_err(&client->dev, 
"error disabling test mode\n"); -- goto exit_dummy; -- } -- -- err = s35390a_get_reg(s35390a, S35390A_CMD_STATUS1, buf, sizeof(buf)); -- if (err < 0) { -- dev_err(&client->dev, "error checking 12/24 hour mode\n"); -- goto exit_dummy; -- } -- if (buf[0] & S35390A_FLAG_24H) -+ if (status1 & S35390A_FLAG_24H) - s35390a->twentyfourhour = 1; - else - s35390a->twentyfourhour = 0; - -- if (s35390a_get_datetime(client, &tm) < 0) -+ if (status1 & S35390A_FLAG_INT2) { -+ /* disable alarm (and maybe test mode) */ -+ buf = 0; -+ err = s35390a_set_reg(s35390a, S35390A_CMD_STATUS2, &buf, 1); -+ if (err < 0) { -+ dev_err(&client->dev, "error disabling alarm"); -+ goto exit_dummy; -+ } -+ } else { -+ err = s35390a_disable_test_mode(s35390a); -+ if (err < 0) { -+ dev_err(&client->dev, "error disabling test mode\n"); -+ goto exit_dummy; -+ } -+ } -+ -+ if (err_reset > 0 || s35390a_get_datetime(client, &tm) < 0) - dev_warn(&client->dev, "clock needs to be set\n"); - - device_set_wakeup_capable(&client->dev, 1); -@@ -476,6 +486,10 @@ static int s35390a_probe(struct i2c_client *client, - err = PTR_ERR(s35390a->rtc); - goto exit_dummy; - } -+ -+ if (status1 & S35390A_FLAG_INT2) -+ rtc_update_irq(s35390a->rtc, 1, RTC_AF); -+ - return 0; - - exit_dummy: --- -2.12.2 - -From 42462d23e60b89a3c2f7d8d63f5f4e464ba77727 Mon Sep 17 00:00:00 2001 -From: David Hildenbrand -Date: Thu, 23 Mar 2017 18:24:19 +0100 -Subject: [PATCH 246/251] KVM: kvm_io_bus_unregister_dev() should never fail -Content-Length: 5392 -Lines: 167 - -commit 90db10434b163e46da413d34db8d0e77404cc645 upstream. - -No caller currently checks the return value of -kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on -freeing their device. A stale reference will remain in the io_bus, -getting at least used again, when the iobus gets teared down on -kvm_destroy_vm() - leading to use after free errors. - -There is nothing the callers could do, except retrying over and over -again. 
- -So let's simply remove the bus altogether, print an error and make -sure no one can access this broken bus again (returning -ENOMEM on any -attempt to access it). - -Fixes: e93f8a0f821e ("KVM: convert io_bus to SRCU") -Reported-by: Dmitry Vyukov -Reviewed-by: Cornelia Huck -Signed-off-by: David Hildenbrand -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/kvm_host.h | 4 ++-- - virt/kvm/eventfd.c | 3 ++- - virt/kvm/kvm_main.c | 40 +++++++++++++++++++++++----------------- - 3 files changed, 27 insertions(+), 20 deletions(-) - -diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h -index c923350ca20a..d7ce4e3280db 100644 ---- a/include/linux/kvm_host.h -+++ b/include/linux/kvm_host.h -@@ -182,8 +182,8 @@ int kvm_io_bus_read(struct kvm_vcpu *vcpu, enum kvm_bus bus_idx, gpa_t addr, - int len, void *val); - int kvm_io_bus_register_dev(struct kvm *kvm, enum kvm_bus bus_idx, gpa_t addr, - int len, struct kvm_io_device *dev); --int kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -- struct kvm_io_device *dev); -+void kvm_io_bus_unregister_dev(struct kvm *kvm, enum kvm_bus bus_idx, -+ struct kvm_io_device *dev); - - #ifdef CONFIG_KVM_ASYNC_PF - struct kvm_async_pf { -diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c -index 46dbc0a7dfc1..49001fa84ead 100644 ---- a/virt/kvm/eventfd.c -+++ b/virt/kvm/eventfd.c -@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, - continue; + #ifdef CONFIG_KVM_ASYNC_PF + struct kvm_async_pf { +diff --git a/virt/kvm/eventfd.c b/virt/kvm/eventfd.c +index 46dbc0a7dfc1..49001fa84ead 100644 +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -868,7 +868,8 @@ kvm_deassign_ioeventfd_idx(struct kvm *kvm, enum kvm_bus bus_idx, + continue; kvm_io_bus_unregister_dev(kvm, bus_idx, &p->dev); - kvm->buses[bus_idx]->ioeventfd_count--; 
@@ -12726,354 +10929,6 @@ index db459612de44..75bfca69e418 100644 -- 2.12.2 -From 0f5d17253b2868a3e75d623dcb2514e305bc7447 Mon Sep 17 00:00:00 2001 -From: Heiko Carstens -Date: Mon, 27 Mar 2017 09:48:04 +0200 -Subject: [PATCH 26/52] s390/uaccess: get_user() should zero on failure (again) -Content-Length: 1611 -Lines: 40 - -commit d09c5373e8e4eaaa09233552cbf75dc4c4f21203 upstream. - -Commit fd2d2b191fe7 ("s390: get_user() should zero on failure") -intended to fix s390's get_user() implementation which did not zero -the target operand if the read from user space faulted. Unfortunately -the patch has no effect: the corresponding inline assembly specifies -that the operand is only written to ("=") and the previous value is -discarded. - -Therefore the compiler is free to and actually does omit the zero -initialization. - -To fix this simply change the contraint modifier to "+", so the -compiler cannot omit the initialization anymore. - -Fixes: c9ca78415ac1 ("s390/uaccess: provide inline variants of get_user/put_user") -Fixes: fd2d2b191fe7 ("s390: get_user() should zero on failure") -Cc: Al Viro -Signed-off-by: Heiko Carstens -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/include/asm/uaccess.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h -index 5c7381c5ad7f..c8d837f0fbbc 100644 ---- a/arch/s390/include/asm/uaccess.h -+++ b/arch/s390/include/asm/uaccess.h -@@ -150,7 +150,7 @@ unsigned long __must_check __copy_to_user(void __user *to, const void *from, - " jg 2b\n" \ - ".popsection\n" \ - EX_TABLE(0b,3b) EX_TABLE(1b,3b) \ -- : "=d" (__rc), "=Q" (*(to)) \ -+ : "=d" (__rc), "+Q" (*(to)) \ - : "d" (size), "Q" (*(from)), \ - "d" (__reg0), "K" (-EFAULT) \ - : "cc"); \ --- -2.12.2 - -From 765ee8ce4e3d059378aefc40666b024e4cd494f2 Mon Sep 17 00:00:00 2001 -From: Marcelo Henrique Cerri -Date: Mon, 13 Mar 2017 12:14:58 -0300 -Subject: [PATCH 25/52] 
s390/decompressor: fix initrd corruption caused by bss - clear -Content-Length: 3239 -Lines: 81 - -commit d82c0d12c92705ef468683c9b7a8298dd61ed191 upstream. - -Reorder the operations in decompress_kernel() to ensure initrd is moved -to a safe location before the bss section is zeroed. - -During decompression bss can overlap with the initrd and this can -corrupt the initrd contents depending on the size of the compressed -kernel (which affects where the initrd is placed by the bootloader) and -the size of the bss section of the decompressor. - -Also use the correct initrd size when checking for overlaps with -parmblock. - -Fixes: 06c0dd72aea3 ([S390] fix boot failures with compressed kernels) -Reviewed-by: Joy Latten -Reviewed-by: Vineetha HariPai -Signed-off-by: Marcelo Henrique Cerri -Signed-off-by: Heiko Carstens -Signed-off-by: Martin Schwidefsky -Signed-off-by: Greg Kroah-Hartman ---- - arch/s390/boot/compressed/misc.c | 35 +++++++++++++++++++---------------- - 1 file changed, 19 insertions(+), 16 deletions(-) - -diff --git a/arch/s390/boot/compressed/misc.c b/arch/s390/boot/compressed/misc.c -index 4da604ebf6fd..ca15613eaaa4 100644 ---- a/arch/s390/boot/compressed/misc.c -+++ b/arch/s390/boot/compressed/misc.c -@@ -141,31 +141,34 @@ static void check_ipl_parmblock(void *start, unsigned long size) - - unsigned long decompress_kernel(void) - { -- unsigned long output_addr; -- unsigned char *output; -+ void *output, *kernel_end; - -- output_addr = ((unsigned long) &_end + HEAP_SIZE + 4095UL) & -4096UL; -- check_ipl_parmblock((void *) 0, output_addr + SZ__bss_start); -- memset(&_bss, 0, &_ebss - &_bss); -- free_mem_ptr = (unsigned long)&_end; -- free_mem_end_ptr = free_mem_ptr + HEAP_SIZE; -- output = (unsigned char *) output_addr; -+ output = (void *) ALIGN((unsigned long) &_end + HEAP_SIZE, PAGE_SIZE); -+ kernel_end = output + SZ__bss_start; -+ check_ipl_parmblock((void *) 0, (unsigned long) kernel_end); - - #ifdef CONFIG_BLK_DEV_INITRD - /* - * Move the initrd 
right behind the end of the decompressed -- * kernel image. -+ * kernel image. This also prevents initrd corruption caused by -+ * bss clearing since kernel_end will always be located behind the -+ * current bss section.. - */ -- if (INITRD_START && INITRD_SIZE && -- INITRD_START < (unsigned long) output + SZ__bss_start) { -- check_ipl_parmblock(output + SZ__bss_start, -- INITRD_START + INITRD_SIZE); -- memmove(output + SZ__bss_start, -- (void *) INITRD_START, INITRD_SIZE); -- INITRD_START = (unsigned long) output + SZ__bss_start; -+ if (INITRD_START && INITRD_SIZE && kernel_end > (void *) INITRD_START) { -+ check_ipl_parmblock(kernel_end, INITRD_SIZE); -+ memmove(kernel_end, (void *) INITRD_START, INITRD_SIZE); -+ INITRD_START = (unsigned long) kernel_end; - } - #endif - -+ /* -+ * Clear bss section. free_mem_ptr and free_mem_end_ptr need to be -+ * initialized afterwards since they reside in bss. -+ */ -+ memset(&_bss, 0, &_ebss - &_bss); -+ free_mem_ptr = (unsigned long) &_end; -+ free_mem_end_ptr = free_mem_ptr + HEAP_SIZE; -+ - puts("Uncompressing Linux... "); - __decompress(input_data, input_len, NULL, NULL, output, 0, NULL, error); - puts("Ok, booting the kernel.\n"); --- -2.12.2 - -From 1c47303355dc970d692f3625839da43f6b969622 Mon Sep 17 00:00:00 2001 -From: Tobias Klauser -Date: Sun, 2 Apr 2017 20:08:04 -0700 -Subject: [PATCH 24/52] nios2: reserve boot memory for device tree -Content-Length: 2379 -Lines: 69 - -commit 921d701e6f31e1ffaca3560416af1aa04edb4c4f upstream. - -Make sure to reserve the boot memory for the flattened device tree. -Otherwise it might get overwritten, e.g. when initial_boot_params is -copied, leading to a corrupted FDT and a boot hang/crash: - - bootconsole [early0] enabled - Early console on uart16650 initialized at 0xf8001600 - OF: fdt: Error -11 processing FDT - Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree! - - ---[ end Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree! 
- -Guenter Roeck says: - -> I think I found the problem. In unflatten_and_copy_device_tree(), with added -> debug information: -> -> OF: fdt: initial_boot_params=c861e400, dt=c861f000 size=28874 (0x70ca) -> -> ... and then initial_boot_params is copied to dt, which results in corrupted -> fdt since the memory overlaps. Looks like the initial_boot_params memory -> is not reserved and (re-)allocated by early_init_dt_alloc_memory_arch(). - -Reported-by: Guenter Roeck -Reference: http://lkml.kernel.org/r/20170226210338.GA19476@roeck-us.net -Tested-by: Guenter Roeck -Signed-off-by: Tobias Klauser -Acked-by: Ley Foon Tan -Signed-off-by: Greg Kroah-Hartman ---- - arch/nios2/kernel/prom.c | 7 +++++++ - arch/nios2/kernel/setup.c | 3 +++ - 2 files changed, 10 insertions(+) - -diff --git a/arch/nios2/kernel/prom.c b/arch/nios2/kernel/prom.c -index 718dd197909f..de73beb36910 100644 ---- a/arch/nios2/kernel/prom.c -+++ b/arch/nios2/kernel/prom.c -@@ -48,6 +48,13 @@ void * __init early_init_dt_alloc_memory_arch(u64 size, u64 align) - return alloc_bootmem_align(size, align); - } - -+int __init early_init_dt_reserve_memory_arch(phys_addr_t base, phys_addr_t size, -+ bool nomap) -+{ -+ reserve_bootmem(base, size, BOOTMEM_DEFAULT); -+ return 0; -+} -+ - void __init early_init_devtree(void *params) - { - __be32 *dtb = (u32 *)__dtb_start; -diff --git a/arch/nios2/kernel/setup.c b/arch/nios2/kernel/setup.c -index a4ff86d58d5c..6c4e351a7930 100644 ---- a/arch/nios2/kernel/setup.c -+++ b/arch/nios2/kernel/setup.c -@@ -195,6 +195,9 @@ void __init setup_arch(char **cmdline_p) - } - #endif /* CONFIG_BLK_DEV_INITRD */ - -+ early_init_fdt_reserve_self(); -+ early_init_fdt_scan_reserved_mem(); -+ - unflatten_and_copy_device_tree(); - - setup_cpuinfo(); --- -2.12.2 - -From ca9bd55235b346da89dadc1821e37bb4ec22b7eb Mon Sep 17 00:00:00 2001 -From: Paul Mackerras -Date: Tue, 4 Apr 2017 14:56:05 +1000 -Subject: [PATCH 23/52] powerpc: Don't try to fix up misaligned - load-with-reservation 
instructions -Content-Length: 2443 -Lines: 67 - -commit 48fe9e9488743eec9b7c1addd3c93f12f2123d54 upstream. - -In the past, there was only one load-with-reservation instruction, -lwarx, and if a program attempted a lwarx on a misaligned address, it -would take an alignment interrupt and the kernel handler would emulate -it as though it was lwzx, which was not really correct, but benign since -it is loading the right amount of data, and the lwarx should be paired -with a stwcx. to the same address, which would also cause an alignment -interrupt which would result in a SIGBUS being delivered to the process. - -We now have 5 different sizes of load-with-reservation instruction. Of -those, lharx and ldarx cause an immediate SIGBUS by luck since their -entries in aligninfo[] overlap instructions which were not fixed up, but -lqarx overlaps with lhz and will be emulated as such. lbarx can never -generate an alignment interrupt since it only operates on 1 byte. - -To straighten this out and fix the lqarx case, this adds code to detect -the l[hwdq]arx instructions and return without fixing them up, resulting -in a SIGBUS being delivered to the process. 
- -Signed-off-by: Paul Mackerras -Signed-off-by: Michael Ellerman -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/kernel/align.c | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) - -diff --git a/arch/powerpc/kernel/align.c b/arch/powerpc/kernel/align.c -index 86150fbb42c3..91e5c1758b5c 100644 ---- a/arch/powerpc/kernel/align.c -+++ b/arch/powerpc/kernel/align.c -@@ -808,14 +808,25 @@ int fix_alignment(struct pt_regs *regs) - nb = aligninfo[instr].len; - flags = aligninfo[instr].flags; - -- /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */ -- if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) { -- nb = 8; -- flags = LD+SW; -- } else if (IS_XFORM(instruction) && -- ((instruction >> 1) & 0x3ff) == 660) { -- nb = 8; -- flags = ST+SW; -+ /* -+ * Handle some cases which give overlaps in the DSISR values. -+ */ -+ if (IS_XFORM(instruction)) { -+ switch (get_xop(instruction)) { -+ case 532: /* ldbrx */ -+ nb = 8; -+ flags = LD+SW; -+ break; -+ case 660: /* stdbrx */ -+ nb = 8; -+ flags = ST+SW; -+ break; -+ case 20: /* lwarx */ -+ case 84: /* ldarx */ -+ case 116: /* lharx */ -+ case 276: /* lqarx */ -+ return 0; /* not emulated ever */ -+ } - } - - /* Byteswap little endian loads and stores */ --- -2.12.2 - -From a67004a3896eacd109a0138b5526957381fe4337 Mon Sep 17 00:00:00 2001 -From: Frederic Barrat -Date: Wed, 29 Mar 2017 19:19:42 +0200 -Subject: [PATCH 22/52] powerpc/mm: Add missing global TLB invalidate if cxl is - active -Content-Length: 1830 -Lines: 48 - -commit 88b1bf7268f56887ca88eb09c6fb0f4fc970121a upstream. - -Commit 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl") converted local -TLB invalidates to global if the cxl driver is active. This is necessary -because the CAPP snoops invalidations to forward them to the PSL on the -cxl adapter. However one path was forgotten. native_flush_hash_range() -still does local TLB invalidates, as found out the hard way recently. 
- -This patch fixes it by following the same logic as previously: if the -cxl driver is active, the local TLB invalidates are 'upgraded' to -global. - -Fixes: 4c6d9acce1f4 ("powerpc/mm: Add hooks for cxl") -Signed-off-by: Frederic Barrat -Reviewed-by: Aneesh Kumar K.V -Signed-off-by: Michael Ellerman -Signed-off-by: Greg Kroah-Hartman ---- - arch/powerpc/mm/hash_native_64.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/arch/powerpc/mm/hash_native_64.c b/arch/powerpc/mm/hash_native_64.c -index c8822af10a58..19d9b2d2d212 100644 ---- a/arch/powerpc/mm/hash_native_64.c -+++ b/arch/powerpc/mm/hash_native_64.c -@@ -645,6 +645,10 @@ static void native_flush_hash_range(unsigned long number, int local) - unsigned long psize = batch->psize; - int ssize = batch->ssize; - int i; -+ unsigned int use_local; -+ -+ use_local = local && mmu_has_feature(MMU_FTR_TLBIEL) && -+ mmu_psize_defs[psize].tlbiel && !cxl_ctx_in_use(); - - local_irq_save(flags); - -@@ -671,8 +675,7 @@ static void native_flush_hash_range(unsigned long number, int local) - } pte_iterate_hashed_end(); - } - -- if (mmu_has_feature(MMU_FTR_TLBIEL) && -- mmu_psize_defs[psize].tlbiel && local) { -+ if (use_local) { - asm volatile("ptesync":::"memory"); - for (i = 0; i < number; i++) { - vpn = batch->vpn[i]; --- -2.12.2 - From 435cc436a88652046b9ca89fb56acf3a4b1a44b8 Mon Sep 17 00:00:00 2001 From: James Hogan Date: Tue, 4 Apr 2017 08:51:34 +0100 
@@ -14022,185 +11877,12 @@ index acbb0e73d3a2..7d7f99b0db47 100644 -- 2.12.2 -From 926e1ed2b8ce683f137ea8e0683ac4f6d27c8afb Mon Sep 17 00:00:00 2001 -From: "bsegall@google.com" -Date: Fri, 7 Apr 2017 16:04:51 -0700 -Subject: [PATCH 13/52] ptrace: fix PTRACE_LISTEN race corrupting task->state -Content-Length: 2204 -Lines: 57 - -commit 5402e97af667e35e54177af8f6575518bf251d51 upstream. - -In PT_SEIZED + LISTEN mode STOP/CONT signals cause a wakeup against -__TASK_TRACED. If this races with the ptrace_unfreeze_traced at the end -of a PTRACE_LISTEN, this can wake the task /after/ the check against -__TASK_TRACED, but before the reset of state to TASK_TRACED. This -causes it to instead clobber TASK_WAKING, allowing a subsequent wakeup -against TRACED while the task is still on the rq wake_list, corrupting -it. - -Oleg said: - "The kernel can crash or this can lead to other hard-to-debug problems. - In short, "task->state = TASK_TRACED" in ptrace_unfreeze_traced() - assumes that nobody else can wake it up, but PTRACE_LISTEN breaks the - contract. 
Obviusly it is very wrong to manipulate task->state if this - task is already running, or WAKING, or it sleeps again" - -[akpm@linux-foundation.org: coding-style fixes] -Fixes: 9899d11f ("ptrace: ensure arch_ptrace/ptrace_request can never race with SIGKILL") -Link: http://lkml.kernel.org/r/xm26y3vfhmkp.fsf_-_@bsegall-linux.mtv.corp.google.com -Signed-off-by: Ben Segall -Acked-by: Oleg Nesterov -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - kernel/ptrace.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index a46c40bfb5f6..c7e8ed99c953 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -151,11 +151,17 @@ static void ptrace_unfreeze_traced(struct task_struct *task) - - WARN_ON(!task->ptrace || task->parent != current); - -+ /* -+ * PTRACE_LISTEN can allow ptrace_trap_notify to wake us up remotely. -+ * Recheck state under the lock to close this race. -+ */ - spin_lock_irq(&task->sighand->siglock); -- if (__fatal_signal_pending(task)) -- wake_up_state(task, __TASK_TRACED); -- else -- task->state = TASK_TRACED; -+ if (task->state == __TASK_TRACED) { -+ if (__fatal_signal_pending(task)) -+ wake_up_state(task, __TASK_TRACED); -+ else -+ task->state = TASK_TRACED; -+ } - spin_unlock_irq(&task->sighand->siglock); - } - --- -2.12.2 - -From 5a69c2b268ed938d44011274e6bc87562542ef94 Mon Sep 17 00:00:00 2001 -From: Jan-Marek Glogowski -Date: Mon, 20 Feb 2017 12:25:58 +0100 -Subject: [PATCH 12/52] Reset TreeId to zero on SMB2 TREE_CONNECT -Content-Length: 1105 -Lines: 34 - -commit 806a28efe9b78ffae5e2757e1ee924b8e50c08ab upstream. - -Currently the cifs module breaks the CIFS specs on reconnect as -described in http://msdn.microsoft.com/en-us/library/cc246529.aspx: - -"TreeId (4 bytes): Uniquely identifies the tree connect for the -command. This MUST be 0 for the SMB2 TREE_CONNECT Request." 
- -Signed-off-by: Jan-Marek Glogowski -Reviewed-by: Aurelien Aptel -Tested-by: Aurelien Aptel -Signed-off-by: Steve French -Signed-off-by: Greg Kroah-Hartman ---- - fs/cifs/smb2pdu.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c -index 2fa754c5fd62..6cb5c4b30e78 100644 ---- a/fs/cifs/smb2pdu.c -+++ b/fs/cifs/smb2pdu.c -@@ -952,6 +952,10 @@ SMB2_tcon(const unsigned int xid, struct cifs_ses *ses, const char *tree, - return -EINVAL; - } - -+ /* SMB2 TREE_CONNECT request must be called with TreeId == 0 */ -+ if (tcon) -+ tcon->tid = 0; -+ - rc = small_smb2_init(SMB2_TREE_CONNECT, tcon, (void **) &req); - if (rc) { - kfree(unc_path); --- -2.12.2 - -From 8ff7eb4bc8b8cf0416e0746dcdb1545fc6869e98 Mon Sep 17 00:00:00 2001 -From: Quentin Schulz -Date: Tue, 21 Mar 2017 16:52:14 +0100 -Subject: [PATCH 11/52] iio: bmg160: reset chip when probing -Content-Length: 1865 -Lines: 59 - -commit 4bdc9029685ac03be50b320b29691766d2326c2b upstream. - -The gyroscope chip might need to be reset to be used. - -Without the chip being reset, the driver stopped at the first -regmap_read (to get the CHIP_ID) and failed to probe. - -The datasheet of the gyroscope says that a minimum wait of 30ms after -the reset has to be done. - -This patch has been checked on a BMX055 and the datasheet of the BMG160 -and the BMI055 give the same reset register and bits. 
- -Signed-off-by: Quentin Schulz -Signed-off-by: Jonathan Cameron -Signed-off-by: Greg Kroah-Hartman ---- - drivers/iio/gyro/bmg160_core.c | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/drivers/iio/gyro/bmg160_core.c b/drivers/iio/gyro/bmg160_core.c -index acb3b303d800..90841abd3ce4 100644 ---- a/drivers/iio/gyro/bmg160_core.c -+++ b/drivers/iio/gyro/bmg160_core.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - #include "bmg160.h" - - #define BMG160_IRQ_NAME "bmg160_event" -@@ -53,6 +54,9 @@ - #define BMG160_NO_FILTER 0 - #define BMG160_DEF_BW 100 - -+#define BMG160_GYRO_REG_RESET 0x14 -+#define BMG160_GYRO_RESET_VAL 0xb6 -+ - #define BMG160_REG_INT_MAP_0 0x17 - #define BMG160_INT_MAP_0_BIT_ANY BIT(1) - -@@ -186,6 +190,14 @@ static int bmg160_chip_init(struct bmg160_data *data) - int ret; - unsigned int val; - -+ /* -+ * Reset chip to get it in a known good state. A delay of 30ms after -+ * reset is required according to the datasheet. -+ */ -+ regmap_write(data->regmap, BMG160_GYRO_REG_RESET, -+ BMG160_GYRO_RESET_VAL); -+ usleep_range(30000, 30700); -+ - ret = regmap_read(data->regmap, BMG160_REG_CHIP_ID, &val); - if (ret < 0) { - dev_err(data->dev, "Error reading reg_chip_id\n"); --- -2.12.2 - From d4ad442b9982fba9eab0f9003c8cd185a1afeff6 Mon Sep 17 00:00:00 2001 From: Marc Zyngier Date: Thu, 16 Mar 2017 18:20:50 +0000 Subject: [PATCH 10/52] arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region +Status: RO Content-Length: 2022 Lines: 62 
@@ -14267,684 +11949,3 @@ index 5366a736151e..f91ee2f27b41 100644 -- 2.12.2 -From 8e88806117e4868bc459a3042e55f8bf06c0b9e0 Mon Sep 17 00:00:00 2001 -From: Marc Zyngier -Date: Thu, 16 Mar 2017 18:20:49 +0000 -Subject: [PATCH 09/52] arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm -Content-Length: 1130 -Lines: 37 - -commit 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb upstream. - -We don't hold the mmap_sem while searching for the VMAs when -we try to unmap each memslot for a VM. Fix this properly to -avoid unexpected results. - -Fixes: commit 957db105c997 ("arm/arm64: KVM: Introduce stage2_unmap_vm") -Reviewed-by: Christoffer Dall -Signed-off-by: Suzuki K Poulose -Signed-off-by: Marc Zyngier -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/kvm/mmu.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/arch/arm/kvm/mmu.c b/arch/arm/kvm/mmu.c -index 11b6595c2672..5366a736151e 100644 ---- a/arch/arm/kvm/mmu.c -+++ b/arch/arm/kvm/mmu.c -@@ -796,6 +796,7 @@ void stage2_unmap_vm(struct kvm *kvm) - int idx; - - idx = srcu_read_lock(&kvm->srcu); -+ down_read(¤t->mm->mmap_sem); - spin_lock(&kvm->mmu_lock); - - slots = kvm_memslots(kvm); -@@ -803,6 +804,7 @@ void stage2_unmap_vm(struct kvm *kvm) - stage2_unmap_memslot(kvm, memslot); - - spin_unlock(&kvm->mmu_lock); -+ up_read(¤t->mm->mmap_sem); - srcu_read_unlock(&kvm->srcu, idx); - } - --- -2.12.2 - -From 193b590c71cd4c1fd54f4b4cab1ba73b6212c073 Mon Sep 17 00:00:00 2001 -From: Shuxiao Zhang -Date: Thu, 6 Apr 2017 22:30:29 +0800 -Subject: [PATCH 08/52] staging: android: ashmem: lseek failed due to no - FMODE_LSEEK. -Content-Length: 1274 -Lines: 35 - -commit 97fbfef6bd597888485b653175fb846c6998b60c upstream. - -vfs_llseek will check whether the file mode has -FMODE_LSEEK, no return failure. But ashmem can be -lseek, so add FMODE_LSEEK to ashmem file. - -Comment From Greg Hackmann: - ashmem_llseek() passes the llseek() call through to the backing - shmem file. 
91360b02ab48 ("ashmem: use vfs_llseek()") changed - this from directly calling the file's llseek() op into a VFS - layer call. This also adds a check for the FMODE_LSEEK bit, so - without that bit ashmem_llseek() now always fails with -ESPIPE. - -Fixes: 91360b02ab48 ("ashmem: use vfs_llseek()") -Signed-off-by: Shuxiao Zhang -Tested-by: Greg Hackmann -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/android/ashmem.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c -index 3f2a3d611e4b..9c6357c03905 100644 ---- a/drivers/staging/android/ashmem.c -+++ b/drivers/staging/android/ashmem.c -@@ -392,6 +392,7 @@ static int ashmem_mmap(struct file *file, struct vm_area_struct *vma) - ret = PTR_ERR(vmfile); - goto out; - } -+ vmfile->f_mode |= FMODE_LSEEK; - asma->file = vmfile; - } - get_file(asma->file); --- -2.12.2 - -From 69d8d58bf50d9cd1bb6f000bbdf54026e74717a3 Mon Sep 17 00:00:00 2001 -From: NeilBrown -Date: Mon, 3 Apr 2017 11:30:34 +1000 -Subject: [PATCH 07/52] sysfs: be careful of error returns from ops->show() -Content-Length: 2847 -Lines: 76 - -commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream. - -ops->show() can return a negative error code. -Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.") -(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors -would look like large numbers. -As a result, if an error is returned, sysfs_kf_read() will return the -value of 'count', typically 4096. - -Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs") -(in v4.8) extended this error to use the unsigned large 'len' as a size for -memmove(). -Consequently, if ->show returns an error, then the first read() on the -sysfs file will return 4096 and could return uninitialized memory to -user-space. 
-If the application performs a subsequent read, this will trigger a memmove() -with extremely large count, and is likely to crash the machine is bizarre ways. - -This bug can currently only be triggered by reading from an md -sysfs attribute declared with __ATTR_PREALLOC() during the -brief period between when mddev_put() deletes an mddev from -the ->all_mddevs list, and when mddev_delayed_delete() - which is -scheduled on a workqueue - completes. -Before this, an error won't be returned by the ->show() -After this, the ->show() won't be called. - -I can reproduce it reliably only by putting delay like - usleep_range(500000,700000); -early in mddev_delayed_delete(). Then after creating an -md device md0 run - echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state - -The bug can be triggered without the usleep. - -Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.") -Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs") -Signed-off-by: NeilBrown -Acked-by: Tejun Heo -Reported-and-tested-by: Miroslav Benes -Signed-off-by: Greg Kroah-Hartman ---- - fs/sysfs/file.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/fs/sysfs/file.c b/fs/sysfs/file.c -index b803213d1307..39c75a86c67f 100644 ---- a/fs/sysfs/file.c -+++ b/fs/sysfs/file.c -@@ -108,7 +108,7 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf, - { - const struct sysfs_ops *ops = sysfs_file_ops(of->kn); - struct kobject *kobj = of->kn->parent->priv; -- size_t len; -+ ssize_t len; - - /* - * If buf != of->prealloc_buf, we don't know how -@@ -117,13 +117,15 @@ static ssize_t sysfs_kf_read(struct kernfs_open_file *of, char *buf, - if (WARN_ON_ONCE(buf != of->prealloc_buf)) - return 0; - len = ops->show(kobj, of->kn->priv, buf); -+ if (len < 0) -+ return len; - if (pos) { - if (len <= pos) - return 0; - len -= pos; - memmove(buf, buf + pos, len); - } -- return min(count, len); -+ return 
min_t(ssize_t, count, len); - } - - /* kernfs write callback for regular sysfs files */ --- -2.12.2 - -From c21636bd64c511160846bdf87ef4c7ff48680c99 Mon Sep 17 00:00:00 2001 -From: Li Qiang -Date: Mon, 27 Mar 2017 20:10:53 -0700 -Subject: [PATCH 06/52] drm/vmwgfx: fix integer overflow in - vmw_surface_define_ioctl() -Content-Length: 1355 -Lines: 35 - -commit e7e11f99564222d82f0ce84bd521e57d78a6b678 upstream. - -In vmw_surface_define_ioctl(), the 'num_sizes' is the sum of the -'req->mip_levels' array. This array can be assigned any value from -the user space. As both the 'num_sizes' and the array is uint32_t, -it is easy to make 'num_sizes' overflow. The later 'mip_levels' is -used as the loop count. This can lead an oob write. Add the check of -'req->mip_levels' to avoid this. - -Signed-off-by: Li Qiang -Reviewed-by: Thomas Hellstrom -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -index 79f78a68d92d..c9c04ccccdd9 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -715,8 +715,11 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data, - 128; - - num_sizes = 0; -- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) -+ for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i) { -+ if (req->mip_levels[i] > DRM_VMW_MAX_MIP_LEVELS) -+ return -EINVAL; - num_sizes += req->mip_levels[i]; -+ } - - if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS || - num_sizes == 0) --- -2.12.2 - -From 235e914069bd501be22597e6c0176f16b477ae37 Mon Sep 17 00:00:00 2001 -From: Thomas Hellstrom -Date: Mon, 27 Mar 2017 13:06:05 +0200 -Subject: [PATCH 05/52] drm/vmwgfx: Remove getparam error message -Content-Length: 963 -Lines: 29 - -commit 53e16798b0864464c5444a204e1bb93ae246c429 upstream. 
- -The mesa winsys sometimes uses unimplemented parameter requests to -check for features. Remove the error message to avoid bloating the -kernel log. - -Signed-off-by: Thomas Hellstrom -Reviewed-by: Brian Paul -Reviewed-by: Sinclair Yeh -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c -index 1802d0e7fab8..5ec24fd801cd 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c -@@ -114,8 +114,6 @@ int vmw_getparam_ioctl(struct drm_device *dev, void *data, - param->value = dev_priv->has_dx; - break; - default: -- DRM_ERROR("Illegal vmwgfx get param request: %d\n", -- param->param); - return -EINVAL; - } - --- -2.12.2 - -From ad4ae2feef4f65b860f139e0d8455e2a16efb93c Mon Sep 17 00:00:00 2001 -From: Thomas Hellstrom -Date: Mon, 27 Mar 2017 11:21:25 +0200 -Subject: [PATCH 04/52] drm/ttm, drm/vmwgfx: Relax permission checking when - opening surfaces -Content-Length: 6721 -Lines: 176 - -commit fe25deb7737ce6c0879ccf79c99fa1221d428bf2 upstream. - -Previously, when a surface was opened using a legacy (non prime) handle, -it was verified to have been created by a client in the same master realm. -Relax this so that opening is also allowed recursively if the client -already has the surface open. - -This works around a regression in svga mesa where opening of a shared -surface is used recursively to obtain surface information. 
- -Signed-off-by: Thomas Hellstrom -Reviewed-by: Sinclair Yeh -Signed-off-by: Greg Kroah-Hartman ---- - drivers/gpu/drm/ttm/ttm_object.c | 10 +++++++--- - drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 6 ++---- - drivers/gpu/drm/vmwgfx/vmwgfx_resource.c | 4 ++-- - drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 22 +++++++++------------- - include/drm/ttm/ttm_object.h | 5 ++++- - 5 files changed, 24 insertions(+), 23 deletions(-) - -diff --git a/drivers/gpu/drm/ttm/ttm_object.c b/drivers/gpu/drm/ttm/ttm_object.c -index 4f5fa8d65fe9..144367c0c28f 100644 ---- a/drivers/gpu/drm/ttm/ttm_object.c -+++ b/drivers/gpu/drm/ttm/ttm_object.c -@@ -179,7 +179,7 @@ int ttm_base_object_init(struct ttm_object_file *tfile, - if (unlikely(ret != 0)) - goto out_err0; - -- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); -+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL, false); - if (unlikely(ret != 0)) - goto out_err1; - -@@ -318,7 +318,8 @@ EXPORT_SYMBOL(ttm_ref_object_exists); - - int ttm_ref_object_add(struct ttm_object_file *tfile, - struct ttm_base_object *base, -- enum ttm_ref_type ref_type, bool *existed) -+ enum ttm_ref_type ref_type, bool *existed, -+ bool require_existed) - { - struct drm_open_hash *ht = &tfile->ref_hash[ref_type]; - struct ttm_ref_object *ref; -@@ -345,6 +346,9 @@ int ttm_ref_object_add(struct ttm_object_file *tfile, - } - - rcu_read_unlock(); -+ if (require_existed) -+ return -EPERM; -+ - ret = ttm_mem_global_alloc(mem_glob, sizeof(*ref), - false, false); - if (unlikely(ret != 0)) -@@ -635,7 +639,7 @@ int ttm_prime_fd_to_handle(struct ttm_object_file *tfile, - prime = (struct ttm_prime_object *) dma_buf->priv; - base = &prime->base; - *handle = base->hash.key; -- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); -+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL, false); - - dma_buf_put(dma_buf); - -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c -index b2f329917eda..6c649f7b5929 
100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c -@@ -1144,10 +1144,8 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data, - (void) vmw_fence_obj_reference(fence); - - if (user_fence_rep != NULL) { -- bool existed; -- -- ret = ttm_ref_object_add(tfile, base, -- TTM_REF_USAGE, &existed); -+ ret = ttm_ref_object_add(vmw_fp->tfile, base, -+ TTM_REF_USAGE, NULL, false); - if (unlikely(ret != 0)) { - DRM_ERROR("Failed to reference a fence " - "object.\n"); -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -index e57667ca7557..dbca128a9aa6 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_resource.c -@@ -591,7 +591,7 @@ static int vmw_user_dmabuf_synccpu_grab(struct vmw_user_dma_buffer *user_bo, - return ret; - - ret = ttm_ref_object_add(tfile, &user_bo->prime.base, -- TTM_REF_SYNCCPU_WRITE, &existed); -+ TTM_REF_SYNCCPU_WRITE, &existed, false); - if (ret != 0 || existed) - ttm_bo_synccpu_write_release(&user_bo->dma.base); - -@@ -775,7 +775,7 @@ int vmw_user_dmabuf_reference(struct ttm_object_file *tfile, - - *handle = user_bo->prime.base.hash.key; - return ttm_ref_object_add(tfile, &user_bo->prime.base, -- TTM_REF_USAGE, NULL); -+ TTM_REF_USAGE, NULL, false); - } - - /* -diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -index b363f0be6512..79f78a68d92d 100644 ---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c -@@ -904,17 +904,16 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv, - uint32_t handle; - struct ttm_base_object *base; - int ret; -+ bool require_exist = false; - - if (handle_type == DRM_VMW_HANDLE_PRIME) { - ret = ttm_prime_fd_to_handle(tfile, u_handle, &handle); - if (unlikely(ret != 0)) - return ret; - } else { -- if (unlikely(drm_is_render_client(file_priv))) { -- DRM_ERROR("Render client refused legacy " -- 
"surface reference.\n"); -- return -EACCES; -- } -+ if (unlikely(drm_is_render_client(file_priv))) -+ require_exist = true; -+ - if (ACCESS_ONCE(vmw_fpriv(file_priv)->locked_master)) { - DRM_ERROR("Locked master refused legacy " - "surface reference.\n"); -@@ -942,17 +941,14 @@ vmw_surface_handle_reference(struct vmw_private *dev_priv, - - /* - * Make sure the surface creator has the same -- * authenticating master. -+ * authenticating master, or is already registered with us. - */ - if (drm_is_primary_client(file_priv) && -- user_srf->master != file_priv->master) { -- DRM_ERROR("Trying to reference surface outside of" -- " master domain.\n"); -- ret = -EACCES; -- goto out_bad_resource; -- } -+ user_srf->master != file_priv->master) -+ require_exist = true; - -- ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL); -+ ret = ttm_ref_object_add(tfile, base, TTM_REF_USAGE, NULL, -+ require_exist); - if (unlikely(ret != 0)) { - DRM_ERROR("Could not add a reference to a surface.\n"); - goto out_bad_resource; -diff --git a/include/drm/ttm/ttm_object.h b/include/drm/ttm/ttm_object.h -index ed953f98f0e1..1487011fe057 100644 ---- a/include/drm/ttm/ttm_object.h -+++ b/include/drm/ttm/ttm_object.h -@@ -229,6 +229,8 @@ extern void ttm_base_object_unref(struct ttm_base_object **p_base); - * @ref_type: The type of reference. - * @existed: Upon completion, indicates that an identical reference object - * already existed, and the refcount was upped on that object instead. -+ * @require_existed: Fail with -EPERM if an identical ref object didn't -+ * already exist. - * - * Checks that the base object is shareable and adds a ref object to it. 
- *
-@@ -243,7 +245,8 @@ extern void ttm_base_object_unref(struct ttm_base_object **p_base);
- */
- extern int ttm_ref_object_add(struct ttm_object_file *tfile,
- struct ttm_base_object *base,
-- enum ttm_ref_type ref_type, bool *existed);
-+ enum ttm_ref_type ref_type, bool *existed,
-+ bool require_existed);
-
- extern bool ttm_ref_object_exists(struct ttm_object_file *tfile,
- struct ttm_base_object *base);
---
-2.12.2
-
-From 0e075f266749ea6507758123f553fece6664e4e2 Mon Sep 17 00:00:00 2001
-From: Murray McAllister
-Date: Mon, 27 Mar 2017 11:15:12 +0200
-Subject: [PATCH 03/52] drm/vmwgfx: avoid calling vzalloc with a 0 size in
- vmw_get_cap_3d_ioctl()
-Content-Length: 1144
-Lines: 30
-
-commit 63774069d9527a1aeaa4aa20e929ef5e8e9ecc38 upstream.
-
-In vmw_get_cap_3d_ioctl(), a user can supply 0 for a size that is
-used in vzalloc(). This eventually calls dump_stack() (in warn_alloc()),
-which can leak useful addresses to dmesg.
-
-Add check to avoid a size of 0.
-
-Signed-off-by: Murray McAllister
-Reviewed-by: Sinclair Yeh
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-index b8c6a03c8c54..1802d0e7fab8 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
-@@ -186,7 +186,7 @@ int vmw_get_cap_3d_ioctl(struct drm_device *dev, void *data,
- bool gb_objects = !!(dev_priv->capabilities & SVGA_CAP_GBOBJECTS);
- struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
-
-- if (unlikely(arg->pad64 != 0)) {
-+ if (unlikely(arg->pad64 != 0 || arg->max_size == 0)) {
- DRM_ERROR("Illegal GET_3D_CAP argument.\n");
- return -EINVAL;
- }
---
-2.12.2
-
-From b26629453c7b2a6c82000b36fbd1cfc4d9101808 Mon Sep 17 00:00:00 2001
-From: Murray McAllister
-Date: Mon, 27 Mar 2017 11:12:53 +0200
-Subject: [PATCH 02/52] drm/vmwgfx: NULL pointer dereference in
- vmw_surface_define_ioctl()
-Content-Length: 1176
-Lines: 32
-
-commit 36274ab8c596f1240c606bb514da329add2a1bcd upstream.
-
-Before memory allocations vmw_surface_define_ioctl() checks the
-upper-bounds of a user-supplied size, but does not check if the
-supplied size is 0.
-
-Add check to avoid NULL pointer dereferences.
-
-Signed-off-by: Murray McAllister
-Reviewed-by: Sinclair Yeh
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/gpu/drm/vmwgfx/vmwgfx_surface.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-index 7d620e82e000..b363f0be6512 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_surface.c
-@@ -718,8 +718,8 @@ int vmw_surface_define_ioctl(struct drm_device *dev, void *data,
- for (i = 0; i < DRM_VMW_MAX_SURFACE_FACES; ++i)
- num_sizes += req->mip_levels[i];
-
-- if (num_sizes > DRM_VMW_MAX_SURFACE_FACES *
-- DRM_VMW_MAX_MIP_LEVELS)
-+ if (num_sizes > DRM_VMW_MAX_SURFACE_FACES * DRM_VMW_MAX_MIP_LEVELS ||
-+ num_sizes == 0)
- return -EINVAL;
-
- size = vmw_user_surface_size + 128 +
---
-2.12.2
-
-From ed528923541afc1228c5a66e98845148aca51e24 Mon Sep 17 00:00:00 2001
-From: Thomas Hellstrom
-Date: Mon, 27 Mar 2017 11:09:08 +0200
-Subject: [PATCH 01/52] drm/vmwgfx: Type-check lookups of fence objects
-Content-Length: 5168
-Lines: 154
-
-commit f7652afa8eadb416b23eb57dec6f158529942041 upstream.
-
-A malicious caller could otherwise hand over handles to other objects
-causing all sorts of interesting problems.
-
-Testing done: Ran a Fedora 25 desktop using both Xorg and
-gnome-shell/Wayland.
-
-Signed-off-by: Thomas Hellstrom
-Reviewed-by: Sinclair Yeh
-Signed-off-by: Greg Kroah-Hartman
----
- drivers/gpu/drm/vmwgfx/vmwgfx_fence.c | 77 +++++++++++++++++++++++------------
- 1 file changed, 50 insertions(+), 27 deletions(-)
-
-diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-index 8e689b439890..b2f329917eda 100644
---- a/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fence.c
-@@ -539,7 +539,7 @@ int vmw_fence_create(struct vmw_fence_manager *fman,
- struct vmw_fence_obj **p_fence)
- {
- struct vmw_fence_obj *fence;
-- int ret;
-+ int ret;
-
- fence = kzalloc(sizeof(*fence), GFP_KERNEL);
- if (unlikely(fence == NULL))
-@@ -702,6 +702,41 @@ void vmw_fence_fifo_up(struct vmw_fence_manager *fman)
- }
-
-
-+/**
-+ * vmw_fence_obj_lookup - Look up a user-space fence object
-+ *
-+ * @tfile: A struct ttm_object_file identifying the caller.
-+ * @handle: A handle identifying the fence object.
-+ * @return: A struct vmw_user_fence base ttm object on success or
-+ * an error pointer on failure.
-+ *
-+ * The fence object is looked up and type-checked. The caller needs
-+ * to have opened the fence object first, but since that happens on
-+ * creation and fence objects aren't shareable, that's not an
-+ * issue currently.
-+ */
-+static struct ttm_base_object *
-+vmw_fence_obj_lookup(struct ttm_object_file *tfile, u32 handle)
-+{
-+ struct ttm_base_object *base = ttm_base_object_lookup(tfile, handle);
-+
-+ if (!base) {
-+ pr_err("Invalid fence object handle 0x%08lx.\n",
-+ (unsigned long)handle);
-+ return ERR_PTR(-EINVAL);
-+ }
-+
-+ if (base->refcount_release != vmw_user_fence_base_release) {
-+ pr_err("Invalid fence object handle 0x%08lx.\n",
-+ (unsigned long)handle);
-+ ttm_base_object_unref(&base);
-+ return ERR_PTR(-EINVAL);
-+ }
-+
-+ return base;
-+}
-+
-+
- int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data,
- struct drm_file *file_priv)
- {
-@@ -727,13 +762,9 @@ int vmw_fence_obj_wait_ioctl(struct drm_device *dev, void *data,
- arg->kernel_cookie = jiffies + wait_timeout;
- }
-
-- base = ttm_base_object_lookup(tfile, arg->handle);
-- if (unlikely(base == NULL)) {
-- printk(KERN_ERR "Wait invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ base = vmw_fence_obj_lookup(tfile, arg->handle);
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-
- fence = &(container_of(base, struct vmw_user_fence, base)->fence);
-
-@@ -772,13 +803,9 @@ int vmw_fence_obj_signaled_ioctl(struct drm_device *dev, void *data,
- struct ttm_object_file *tfile = vmw_fpriv(file_priv)->tfile;
- struct vmw_private *dev_priv = vmw_priv(dev);
-
-- base = ttm_base_object_lookup(tfile, arg->handle);
-- if (unlikely(base == NULL)) {
-- printk(KERN_ERR "Fence signaled invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ base = vmw_fence_obj_lookup(tfile, arg->handle);
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-
- fence = &(container_of(base, struct vmw_user_fence, base)->fence);
- fman = fman_from_fence(fence);
-@@ -1093,6 +1120,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- (struct drm_vmw_fence_event_arg *) data;
- struct vmw_fence_obj *fence = NULL;
- struct vmw_fpriv *vmw_fp = vmw_fpriv(file_priv);
-+ struct ttm_object_file *tfile = vmw_fp->tfile;
- struct drm_vmw_fence_rep __user *user_fence_rep =
- (struct drm_vmw_fence_rep __user *)(unsigned long)
- arg->fence_rep;
-@@ -1106,15 +1134,11 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- */
- if (arg->handle) {
- struct ttm_base_object *base =
-- ttm_base_object_lookup_for_ref(dev_priv->tdev,
-- arg->handle);
--
-- if (unlikely(base == NULL)) {
-- DRM_ERROR("Fence event invalid fence object handle "
-- "0x%08lx.\n",
-- (unsigned long)arg->handle);
-- return -EINVAL;
-- }
-+ vmw_fence_obj_lookup(tfile, arg->handle);
-+
-+ if (IS_ERR(base))
-+ return PTR_ERR(base);
-+
- fence = &(container_of(base, struct vmw_user_fence,
- base)->fence);
- (void) vmw_fence_obj_reference(fence);
-@@ -1122,7 +1146,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- if (user_fence_rep != NULL) {
- bool existed;
-
-- ret = ttm_ref_object_add(vmw_fp->tfile, base,
-+ ret = ttm_ref_object_add(tfile, base,
- TTM_REF_USAGE, &existed);
- if (unlikely(ret != 0)) {
- DRM_ERROR("Failed to reference a fence "
-@@ -1166,8 +1190,7 @@ int vmw_fence_event_ioctl(struct drm_device *dev, void *data,
- return 0;
- out_no_create:
- if (user_fence_rep != NULL)
-- ttm_ref_object_base_unref(vmw_fpriv(file_priv)->tfile,
-- handle, TTM_REF_USAGE);
-+ ttm_ref_object_base_unref(tfile, handle, TTM_REF_USAGE);
- out_no_ref_obj:
- vmw_fence_obj_unreference(&fence);
- return ret;
---
-2.12.2
-