GitHub/LineageOS/G12/android_kernel_amlogic_linux-4.9.git
7 years agoFROMLIST: binder: fix death race conditions
Martijn Coenen [Mon, 22 May 2017 18:26:23 +0000 (11:26 -0700)]
FROMLIST: binder: fix death race conditions

(from https://patchwork.kernel.org/patch/9817765/)

A race existed where one thread could register
a death notification for a node, while another
thread was cleaning up that node and sending
out death notifications for its references,
causing simultaneous access to ref->death
because different locks were held.

Change-Id: I2392eb8075ac0aee51f1749ac398a663853ef4e6
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoFROMLIST: binder: protect against stale pointers in print_binder_transaction
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against stale pointers in print_binder_transaction

(from https://patchwork.kernel.org/patch/9817761/)

When printing transactions there were several race conditions
that could cause a stale pointer to be deferenced. Fixed by
reading the pointer once and using it if valid (which is
safe). The transaction buffer also needed protection via proc
lock, so it is only printed if we are holding the correct lock.

Change-Id: I9a03129e08eaab4b8a5646eecafaf10e343dbdea
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect binder_ref with outer lock
Todd Kjos [Thu, 20 Oct 2016 23:43:34 +0000 (16:43 -0700)]
FROMLIST: binder: protect binder_ref with outer lock

(from https://patchwork.kernel.org/patch/9817771/)

Use proc->outer_lock to protect the binder_ref structure.
The outer lock allows functions operating on the binder_ref
to do nested acquires of node and inner locks as necessary
to attach refs to nodes atomically.

Binder refs must never be accesssed without holding the
outer lock.

Change-Id: Iffb9ae47fd383b87b70ee6bec344cde9f8d24996
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use inner lock to protect thread accounting
Todd Kjos [Fri, 26 May 2017 00:35:02 +0000 (17:35 -0700)]
FROMLIST: binder: use inner lock to protect thread accounting

(from https://patchwork.kernel.org/patch/9817763/)

Use the inner lock to protect thread accounting fields in
proc structure: max_threads, requested_threads,
requested_threads_started and ready_threads.

Change-Id: I8cf519f40ddfe4fd00d99b82fdb88dc069611787
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect transaction_stack with inner lock.
Martijn Coenen [Fri, 2 Jun 2017 20:36:52 +0000 (13:36 -0700)]
FROMLIST: binder: protect transaction_stack with inner lock.

(from https://patchwork.kernel.org/patch/9817779/)

This makes future changes to priority inheritance
easier, since we want to be able to look at a thread's
transaction stack when selecting a thread to inherit
priority for.

It also allows us to take just a single lock in a
few paths, where we used to take two in succession.

Change-Id: Ie30eaefe9f746577967bab76e64c49069b8a5cfa
Signed-off-by: Martijn Coenen <maco@google.com>
7 years agoFROMLIST: binder: protect proc->threads with inner_lock
Todd Kjos [Thu, 25 May 2017 22:52:17 +0000 (15:52 -0700)]
FROMLIST: binder: protect proc->threads with inner_lock

(from https://patchwork.kernel.org/patch/9817775/)

proc->threads will need to be accessed with higher
locks of other processes held so use proc->inner_lock
to protect it. proc->tmp_ref now needs to be protected
by proc->inner_lock.

Change-Id: Id4cff2c9786d900b7846ec9b1816f7a07655c429
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: protect proc->nodes with inner lock
Todd Kjos [Mon, 12 Jun 2017 19:07:26 +0000 (12:07 -0700)]
FROMLIST: binder: protect proc->nodes with inner lock

(from https://patchwork.kernel.org/patch/9817783/)

When locks for binder_ref handling are added, proc->nodes
will need to be modified while holding the outer lock

Change-Id: I7daf5a51d83cdf6ac31a3728b3ea3e6ab94bf2e7
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add spinlock to protect binder_node
Todd Kjos [Thu, 8 Jun 2017 20:45:59 +0000 (13:45 -0700)]
FROMLIST: binder: add spinlock to protect binder_node

(from https://patchwork.kernel.org/patch/9817769/)

node->node_lock is used to protect elements of node. No
need to acquire for fields that are invariant: debug_id,
ptr, cookie.

Change-Id: I612ecb9db2d69b1319a9f0c450ccfdc85de70c39
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add spinlocks to protect todo lists
Todd Kjos [Thu, 20 Oct 2016 17:33:00 +0000 (10:33 -0700)]
FROMLIST: binder: add spinlocks to protect todo lists

(from https://patchwork.kernel.org/patch/9817769/)

The todo lists in the proc, thread, and node structures
are accessed by other procs/threads to place work
items on the queue.

The todo lists are protected by the new proc->inner_lock.
No locks should ever be nested under these locks. As the
name suggests, an outer lock will be introduced in
a later patch.

Change-Id: Iaf613f317d7c6a1409055de47c5b84cd8147102e
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use inner lock to sync work dq and node counts
Todd Kjos [Tue, 21 Mar 2017 20:06:01 +0000 (13:06 -0700)]
FROMLIST: binder: use inner lock to sync work dq and node counts

(from https://patchwork.kernel.org/patch/9817789/)

For correct behavior we need to hold the inner lock when
dequeuing and processing node work in binder_thread_read.
We now hold the inner lock when we enter the switch statement
and release it after processing anything that might be
affected by other threads.

We also need to hold the inner lock to protect the node
weak/strong ref tracking fields as long as node->proc
is non-NULL (if it is NULL then we are guaranteed that
we don't have any node work queued).

This means that other functions that manipulate these fields
must hold the inner lock. Refactored these functions to use
the inner lock.

Change-Id: I90cb6e39a3fecf4809a0828aa3a4f3199b38b209
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: introduce locking helper functions
Todd Kjos [Mon, 29 May 2017 23:44:24 +0000 (16:44 -0700)]
FROMLIST: binder: introduce locking helper functions

(from https://patchwork.kernel.org/patch/9817791/)

There are 3 main spinlocks which must be acquired in this
order:
1) proc->outer_lock : protects most fields of binder_proc,
binder_thread, and binder_ref structures. binder_proc_lock()
and binder_proc_unlock() are used to acq/rel.
2) node->lock : protects most fields of binder_node.
binder_node_lock() and binder_node_unlock() are
used to acq/rel
3) proc->inner_lock : protects the thread and node lists
(proc->threads, proc->nodes) and all todo lists associated
with the binder_proc (proc->todo, thread->todo,
proc->delivered_death and node->async_todo).
binder_inner_proc_lock() and binder_inner_proc_unlock()
are used to acq/rel

Any lock under procA must never be nested under any lock at the same
level or below on procB.

Functions that require a lock held on entry indicate which lock
in the suffix of the function name:

foo_olocked() : requires node->outer_lock
foo_nlocked() : requires node->lock
foo_ilocked() : requires proc->inner_lock
foo_iolocked(): requires proc->outer_lock and proc->inner_lock
foo_nilocked(): requires node->lock and proc->inner_lock

Change-Id: Ic11bf3bf988e0a901ce0484e2fd9323b176994c3
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use node->tmp_refs to ensure node safety
Todd Kjos [Tue, 9 May 2017 18:08:05 +0000 (11:08 -0700)]
FROMLIST: binder: use node->tmp_refs to ensure node safety

(from https://patchwork.kernel.org/patch/9817795/)

When obtaining a node via binder_get_node(),
binder_get_node_from_ref() or binder_new_node(),
increment node->tmp_refs to take a
temporary reference on the node to ensure the node
persists while being used.  binder_put_node() must
be called to remove the temporary reference.

Change-Id: Idb84fea1ba0ae119a6593ec2dc80b7d4e6d81bce
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor binder ref inc/dec for thread safety
Todd Kjos [Mon, 8 May 2017 16:16:27 +0000 (09:16 -0700)]
FROMLIST: binder: refactor binder ref inc/dec for thread safety

(from https://patchwork.kernel.org/patch/9817781/)

Once locks are added, binder_ref's will only be accessed
safely with the proc lock held. Refactor the inc/dec paths
to make them atomic with the binder_get_ref* paths and
node inc/dec. For example, instead of:

  ref = binder_get_ref(proc, handle, strong);
  ...
  binder_dec_ref(ref, strong);

we now have:

  ret = binder_dec_ref_for_handle(proc, handle, strong, &rdata);

Since the actual ref is no longer exposed to callers, a
new struct binder_ref_data is introduced which can be used
to return a copy of ref state.

Change-Id: I11e6a31963eb18f5788cd52ae6ec9adb4438fa48
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: make sure accesses to proc/thread are safe
Todd Kjos [Fri, 12 May 2017 21:42:55 +0000 (14:42 -0700)]
FROMLIST: binder: make sure accesses to proc/thread are safe

(from https://patchwork.kernel.org/patch/9817787/)

binder_thread and binder_proc may be accessed by other
threads when processing transaction. Therefore they
must be prevented from being freed while a transaction
is in progress that references them.

This is done by introducing a temporary reference
counter for threads and procs that indicates that the
object is in use and must not be freed. binder_thread_dec_tmpref()
and binder_proc_dec_tmpref() are used to decrement
the temporary reference.

It is safe to free a binder_thread if there
is no reference and it has been released
(indicated by thread->is_dead).

It is safe to free a binder_proc if it has no
remaining threads and no reference.

A spinlock is added to the binder_transaction
to safely access and set references for t->from
and for debug code to safely access t->to_thread
and t->to_proc.

Change-Id: Ibab67eacc55e61d00f15a6567e54fb67aef51b3f
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: make sure target_node has strong ref
Todd Kjos [Fri, 26 May 2017 18:56:29 +0000 (11:56 -0700)]
FROMLIST: binder: make sure target_node has strong ref

(from https://patchwork.kernel.org/patch/9817787/)

When initiating a transaction, the target_node must
have a strong ref on it. Then we take a second
strong ref to make sure the node survives until the
transaction is complete.

Change-Id: Ia77b1794a92a8b6b8a564e48b4a4a6b225b5c279
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: guarantee txn complete / errors delivered in-order
Todd Kjos [Sat, 22 Apr 2017 00:35:12 +0000 (17:35 -0700)]
FROMLIST: binder: guarantee txn complete / errors delivered in-order

(from https://patchwork.kernel.org/patch/9817805/)

Since errors are tracked in the return_error/return_error2
fields of the binder_thread object and BR_TRANSACTION_COMPLETEs
can be tracked either in those fields or via the thread todo
work list, it is possible for errors to be reported ahead
of the associated txn complete.

Use the thread todo work list for errors to guarantee
order. Also changed binder_send_failed_reply to pop
the transaction even if it failed to send a reply.

Change-Id: Ibf93b412b6236812d415bc10fec8b43826948eaa
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor binder_pop_transaction
Todd Kjos [Fri, 31 Mar 2017 01:02:13 +0000 (18:02 -0700)]
FROMLIST: binder: refactor binder_pop_transaction

(from https://lkml.org/lkml/2017/6/29/754)

binder_pop_transaction needs to be split into 2 pieces to
to allow the proc lock to be held on entry to dequeue the
transaction stack, but no lock when kfree'ing the transaction.

Split into binder_pop_transaction_locked and binder_free_transaction
(the actual locks are still to be added).

Change-Id: I4b3d21d42ad54031f52cb94ab2b0152812747c38
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: use atomic for transaction_log index
Todd Kjos [Wed, 24 May 2017 20:33:28 +0000 (13:33 -0700)]
FROMLIST: binder: use atomic for transaction_log index

(from https://patchwork.kernel.org/patch/9817807/)

The log->next index for the transaction log was
not protected when incremented. This led to a
case where log->next++ resulted in an index
larger than ARRAY_SIZE(log->entry) and eventually
a bad access to memory.

Fixed by making the log index an atomic64 and
converting to an array by using "% ARRAY_SIZE(log->entry)"

Also added "complete" field to the log entry which is
written last to tell the print code whether the
entry is complete

Change-Id: I539f285fee3406468e7f89de3cd560285bfd9ab1
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add more debug info when allocation fails.
Martijn Coenen [Wed, 15 Mar 2017 17:22:52 +0000 (18:22 +0100)]
FROMLIST: binder: add more debug info when allocation fails.

(from https://patchwork.kernel.org/patch/9817797/)

Display information about allocated/free space whenever
binder buffer allocation fails on synchronous
transactions.

Change-Id: Ia718c897dfbfd50991746232ea3c6c9cfab5d1a3
Signed-off-by: Martijn Coenen <maco@android.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
7 years agoFROMLIST: binder: protect against two threads freeing buffer
Todd Kjos [Fri, 21 Apr 2017 21:32:11 +0000 (14:32 -0700)]
FROMLIST: binder: protect against two threads freeing buffer

(from https://patchwork.kernel.org/patch/9817815/)

Adds protection against malicious user code freeing
the same buffer at the same time which could cause
a crash. Cannot happen under normal use.

Change-Id: I9461229401aaa7f3b5b2477960f79d4d1bd17fee
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: remove dead code in binder_get_ref_for_node
Todd Kjos [Tue, 2 May 2017 00:21:51 +0000 (17:21 -0700)]
FROMLIST: binder: remove dead code in binder_get_ref_for_node

(from https://patchwork.kernel.org/patch/9817819/)

node is always non-NULL in binder_get_ref_for_node so the
conditional and else clause are not needed

Change-Id: I89ca8c3c0a1a263624a0bd5ddb14e9093ae12009
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: don't modify thread->looper from other threads
Todd Kjos [Fri, 6 Jan 2017 22:19:25 +0000 (14:19 -0800)]
FROMLIST: binder: don't modify thread->looper from other threads

(from https://patchwork.kernel.org/patch/9817799/)

The looper member of struct binder_thread is a bitmask
of control bits. All of the existing bits are modified
by the affected thread except for BINDER_LOOPER_STATE_NEED_RETURN
which can be modified in binder_deferred_flush() by
another thread.

To avoid adding a spinlock around all read-mod-writes to
modify a bit, the BINDER_LOOPER_STATE_NEED_RETURN flag
is replaced by a separate field in struct binder_thread.

Change-Id: I92a5d084081e813b6d8c60f970dd58cc031042d6
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: avoid race conditions when enqueuing txn
Todd Kjos [Tue, 9 May 2017 15:31:32 +0000 (08:31 -0700)]
FROMLIST: binder: avoid race conditions when enqueuing txn

(from https://patchwork.kernel.org/patch/9817813/)

Currently, the transaction complete work item is queued
after the transaction. This means that it is possible
for the transaction to be handled and a reply to be
enqueued in the current thread before the transaction
complete is enqueued, which violates the protocol
with userspace who may not expect the transaction
complete. Fixed by always enqueing the transaction
complete first.

Also, once the transaction is enqueued, it is unsafe
to access since it might be freed. Currently,
t->flags is accessed to determine whether a sync
wake is needed. Changed to access tr->flags
instead.

Change-Id: I247f25a66cfeac8a1fcb2ad65c6053d51cafe4f3
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: refactor queue management in binder_thread_read
Todd Kjos [Wed, 24 May 2017 17:51:01 +0000 (10:51 -0700)]
FROMLIST: binder: refactor queue management in binder_thread_read

(from https://patchwork.kernel.org/patch/9817757/)

In binder_thread_read, the BINDER_WORK_NODE command is used
to communicate the references on the node to userspace. It
can take a couple of iterations in the loop to construct
the list of commands for user space. When locking is added,
the lock would need to be release on each iteration which
means the state could change. The work item is not dequeued
during this process which prevents a simpler queue management
that can just dequeue up front and handle the work item.

Fixed by changing the BINDER_WORK_NODE algorithm in
binder_thread_read to determine which commands to send
to userspace atomically in 1 pass so it stays consistent
with the kernel view.

The work item is now dequeued immediately since only
1 pass is needed.

Change-Id: I252990504866e6518cf474a1e0af6d853ac52102
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add log information for binder transaction failures
Todd Kjos [Thu, 23 Mar 2017 00:19:52 +0000 (17:19 -0700)]
FROMLIST: binder: add log information for binder transaction failures

(from https://patchwork.kernel.org/patch/9817751/)

Add additional information to determine the cause of binder
failures. Adds the following to failed transaction log and
kernel messages:
return_error : value returned for transaction
return_error_param : errno returned by binder allocator
return_error_line : line number where error detected

Also, return BR_DEAD_REPLY if an allocation error indicates
a dead proc (-ESRCH)

Change-Id: If9f203dee30036003aa1823aaf3f7098f488a3e6
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: make binder_last_id an atomic
Todd Kjos [Thu, 25 May 2017 17:56:00 +0000 (10:56 -0700)]
FROMLIST: binder: make binder_last_id an atomic

(from https://patchwork.kernel.org/patch/9817809/)

Use an atomic for binder_last_id to avoid locking it

Change-Id: I582c48be4bd04a17d6c96c9a4093c3ade56c47cd
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: change binder_stats to atomics
Badhri Jagan Sridharan [Thu, 13 Oct 2016 23:36:15 +0000 (16:36 -0700)]
FROMLIST: binder: change binder_stats to atomics

(from https://patchwork.kernel.org/patch/9817755/)

Use atomics for stats to avoid needing to lock for
increments/decrements

Change-Id: I7e29cdab7aaa2dd5516bfe6b6c9926824955a4b3
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: add protection for non-perf cases
Todd Kjos [Mon, 17 Oct 2016 19:33:15 +0000 (12:33 -0700)]
FROMLIST: binder: add protection for non-perf cases

(from https://patchwork.kernel.org/patch/9817749/)

Add binder_dead_nodes_lock, binder_procs_lock, and
binder_context_mgr_node_lock to protect the associated global lists

Change-Id: Iaa47e52fcd7950e227abbe5d35fc9109f6a27d2f
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: remove binder_debug_no_lock mechanism
Todd Kjos [Wed, 24 May 2017 18:53:13 +0000 (11:53 -0700)]
FROMLIST: binder: remove binder_debug_no_lock mechanism

(from https://patchwork.kernel.org/patch/9817811/)

With the global lock, there was a mechanism to access
binder driver debugging information with the global
lock disabled to debug deadlocks or other issues.
This mechanism is rarely (if ever) used anymore
and wasn't needed during the development of
fine-grained locking in the binder driver.
Removing it.

Change-Id: I6f4061ddb04fbdcf1e067e7a5eeee730f14d4c01
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: move binder_alloc to separate file
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: move binder_alloc to separate file

(from https://patchwork.kernel.org/patch/9817753/)

Move the binder allocator functionality to its own file

Continuation of splitting the binder allocator from the binder
driver. Split binder_alloc functions from normal binder functions.

Add kernel doc comments to functions declared extern in
binder_alloc.h

Change-Id: I6a10138d003632ebcb1589f22c7437f2bec8bff6
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: separate out binder_alloc functions
Todd Kjos [Mon, 10 Oct 2016 17:40:53 +0000 (10:40 -0700)]
FROMLIST: binder: separate out binder_alloc functions

(from https://patchwork.kernel.org/patch/9817753/)

Continuation of splitting the binder allocator from the binder
driver. Separate binder_alloc functions from normal binder
functions. Protect the allocator with a separate mutex.

Change-Id: I119b05b4d0573fc965f863f34fa2ebfae40426f7
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: remove unneeded cleanup code
Todd Kjos [Fri, 21 Apr 2017 18:18:12 +0000 (11:18 -0700)]
FROMLIST: binder: remove unneeded cleanup code

(from https://patchwork.kernel.org/patch/9817817/)

The buffer's transaction has already been freed before
binder_deferred_release. No need to do it again.

Change-Id: I2451a22aee72796d7ca1fc6c1406e22a706200c5
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: separate binder allocator structure from binder proc
Todd Kjos [Mon, 10 Oct 2016 17:39:59 +0000 (10:39 -0700)]
FROMLIST: binder: separate binder allocator structure from binder proc

(from https://patchwork.kernel.org/patch/9817745/)

The binder allocator is logically separate from the rest
of the binder drivers. Separating the data structures
to prepare for splitting into separate file with separate
locking.

Change-Id: Ia97d9347eaad953dc3a34bbd6fda23834dd6cef4
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoFROMLIST: binder: Use wake up hint for synchronous transactions.
Riley Andrews [Tue, 1 Sep 2015 19:42:07 +0000 (12:42 -0700)]
FROMLIST: binder: Use wake up hint for synchronous transactions.

(from https://patchwork.kernel.org/patch/9817747)

Use wake_up_interruptible_sync() to hint to the scheduler binder
transactions are synchronous wakeups. Disable preemption while waking
to avoid ping-ponging on the binder lock.

Change-Id: I041dd798f3d0c4c15aa461e4e6d71dc270e1ca86
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Omprakash Dhyade <odhyade@codeaurora.org>
7 years agoRevert "android: binder: Sanity check at binder ioctl"
Todd Kjos [Tue, 27 Jun 2017 22:18:51 +0000 (15:18 -0700)]
Revert "android: binder: Sanity check at binder ioctl"

This reverts commit a906d6931f3ccaf7de805643190765ddd7378e27.

The patch introduced a race in the binder driver. An attempt to fix the
race was submitted in "[PATCH v2] android: binder: fix dangling pointer
comparison", however the conclusion in the discussion for that patch
was that the original patch should be reverted.

The reversion is being done as part of the fine-grained locking
patchset since the patch would need to be refactored when
proc->vmm_vm_mm is removed from struct binder_proc and added
in the binder allocator.

Also needs reversion in 4.9 LTS

Change-Id: I9777ece955c07ac30432187bb968f87cf73271d8
Signed-off-by: Todd Kjos <tkjos@google.com>
7 years agoMerge 4.9.37 into android-4.9
Greg Kroah-Hartman [Wed, 12 Jul 2017 15:07:29 +0000 (17:07 +0200)]
Merge 4.9.37 into android-4.9

Changes in 4.9.37
fs: add a VALID_OPEN_FLAGS
fs: completely ignore unknown open flags
driver core: platform: fix race condition with driver_override
ceph: choose readdir frag based on previous readdir reply
tracing/kprobes: Allow to create probe with a module name starting with a digit
media: entity: Fix stream count check
drm/virtio: don't leak bo on drm_gem_object_init failure
usb: dwc3: replace %p with %pK
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
Add USB quirk for HVR-950q to avoid intermittent device resets
usb: usbip: set buffer pointers to NULL after free
usb: Fix typo in the definition of Endpoint[out]Request
USB: core: fix device node leak
mac80211_hwsim: Replace bogus hrtimer clockid
sysctl: don't print negative flag for proc_douintvec
sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again
pinctrl: sh-pfc: r8a7794: Swap ATA signals
pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
pinctrl: meson: meson8b: fix the NAND DQS pins
pinctrl: stm32: Fix bad function call
pinctrl: sunxi: Fix SPDIF function name for A83T
pinctrl: cherryview: Add terminate entry for dmi_system_id tables
pinctrl: mxs: atomically switch mux and drive strength config
pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
pinctrl: sh-pfc: Update info pointer after SoC-specific init
USB: serial: option: add two Longcheer device ids
USB: serial: qcserial: new Sierra Wireless EM7305 device ID
xhci: Limit USB2 port wake support for AMD Promontory hosts
gfs2: Fix glock rhashtable rcu bug
tpm: fix a kernel memory leak in tpm-sysfs.c
x86/tools: Fix gcc-7 warning in relocs.c
x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
ath10k: override CE5 config for QCA9377
KEYS: Fix an error code in request_master_key()
crypto: drbg - Fixes panic in wait_for_completion call
RDMA/uverbs: Check port number supplied by user verbs cmds
rt286: add Thinkpad Helix 2 to force_combo_jack_table
Linux 4.9.37

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
7 years agoLinux 4.9.37
Greg Kroah-Hartman [Wed, 12 Jul 2017 13:42:41 +0000 (15:42 +0200)]
Linux 4.9.37

7 years agort286: add Thinkpad Helix 2 to force_combo_jack_table
Yifeng Li [Wed, 3 May 2017 17:34:14 +0000 (01:34 +0800)]
rt286: add Thinkpad Helix 2 to force_combo_jack_table

commit fe0dfd6358a17c79bd7d6996af7512ba452a7059 upstream.

Thinkpad Helix 2 is a tablet PC, the audio is powered by Core M
broadwell-audio and rt286 codec. For all versions of Linux kernel,
the stereo output doesn't work properly when earphones are plugged
in, the sound was coming out from both channels even if the audio
contains only the left or right channel. Furthermore, if a music
recorded in stereo is played, the two channels cancle out each other
out, as a result, no voice but only distorted background music can be
heard, like a sound card with builtin a Karaoke sount effect.

Apparently this tablet uses a combo jack with polarity incorrectly
set by rt286 driver. This patch adds DMI information of Thinkpad Helix 2
to force_combo_jack_table[] and the issue is resolved. The microphone
input doesn't work regardless to the presence of this patch and still
needs help from other developers to investigate.

This is my first patch to LKML directly, sorry for CC-ing too many
people here.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=93841
Signed-off-by: Yifeng Li <tomli@tomli.me>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoRDMA/uverbs: Check port number supplied by user verbs cmds
Boris Pismenny [Tue, 27 Jun 2017 12:09:13 +0000 (15:09 +0300)]
RDMA/uverbs: Check port number supplied by user verbs cmds

commit 5ecce4c9b17bed4dc9cb58bfb10447307569b77b upstream.

The ib_uverbs_create_ah() ind ib_uverbs_modify_qp() calls receive
the port number from user input as part of its attributes and assumes
it is valid. Down on the stack, that parameter is used to access kernel
data structures.  If the value is invalid, the kernel accesses memory
it should not.  To prevent this, verify the port number before using it.

BUG: KASAN: use-after-free in ib_uverbs_create_ah+0x6d5/0x7b0
Read of size 4 at addr ffff880018d67ab8 by task syz-executor/313

BUG: KASAN: slab-out-of-bounds in modify_qp.isra.4+0x19d0/0x1ef0
Read of size 4 at addr ffff88006c40ec58 by task syz-executor/819

Fixes: 67cdb40ca444 ("[IB] uverbs: Implement more commands")
Cc: Yevgeny Kliteynik <kliteyn@mellanox.com>
Cc: Tziporet Koren <tziporet@mellanox.com>
Cc: Alex Polak <alexpo@mellanox.com>
Signed-off-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agocrypto: drbg - Fixes panic in wait_for_completion call
Stephan Mueller [Fri, 26 May 2017 10:11:31 +0000 (12:11 +0200)]
crypto: drbg - Fixes panic in wait_for_completion call

commit b61929c654f2e725644935737c4c1ea9c741e2f8 upstream.

Initialise ctr_completion variable before use.

Cc: <stable@vger.kernel.org>
Signed-off-by: Harsh Jain <harshjain.prof@gmail.com>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoKEYS: Fix an error code in request_master_key()
Dan Carpenter [Thu, 9 Feb 2017 17:17:52 +0000 (17:17 +0000)]
KEYS: Fix an error code in request_master_key()

commit 57cb17e764ba0aaa169d07796acce54ccfbc6cae upstream.

This function has two callers and neither are able to handle a NULL
return.  Really, -EINVAL is the correct thing return here anyway.  This
fixes some static checker warnings like:

security/keys/encrypted-keys/encrypted.c:709 encrypted_key_decrypt()
error: uninitialized symbol 'master_key'.

Fixes: 7e70cb497850 ("keys: add new key-type encrypted")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoath10k: override CE5 config for QCA9377
Bartosz Markowski [Thu, 15 Dec 2016 09:23:22 +0000 (11:23 +0200)]
ath10k: override CE5 config for QCA9377

commit b08b5b53a1ed2bd7a883f8fd29232c8f03604671 upstream.

Similarly to QCA6174, QCA9377 requires the CE5 configuration to be
available for other feature. Use the ath10k_pci_override_ce_config()
for it as well.

This is required for TF2.0 firmware. Previous FW revisions were
working fine without this patch.

Fixes: a70587b3389a ("ath10k: configure copy engine 5 for HTT messages")
Signed-off-by: Bartosz Markowski <bartosz.markowski@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agox86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings
Paolo Abeni [Thu, 29 Jun 2017 13:55:58 +0000 (15:55 +0200)]
x86/uaccess: Optimize copy_user_enhanced_fast_string() for short strings

commit 236222d39347e0e486010f10c1493e83dbbdfba8 upstream.

According to the Intel datasheet, the REP MOVSB instruction
exposes a pretty heavy setup cost (50 ticks), which hurts
short string copy operations.

This change tries to avoid this cost by calling the explicit
loop available in the unrolled code for strings shorter
than 64 bytes.

The 64 bytes cutoff value is arbitrary from the code logic
point of view - it has been selected based on measurements,
as the largest value that still ensures a measurable gain.

Micro benchmarks of the __copy_from_user() function with
lengths in the [0-63] range show this performance gain
(shorter the string, larger the gain):

 - in the [55%-4%] range on Intel Xeon(R) CPU E5-2690 v4
 - in the [72%-9%] range on Intel Core i7-4810MQ

Other tested CPUs - namely Intel Atom S1260 and AMD Opteron
8216 - show no difference, because they do not expose the
ERMS feature bit.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Link: http://lkml.kernel.org/r/4533a1d101fd460f80e21329a34928fad521c1d4.1498744345.git.pabeni@redhat.com
[ Clarified the changelog. ]
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
7 years agox86/tools: Fix gcc-7 warning in relocs.c
Markus Trippelsdorf [Thu, 15 Dec 2016 12:45:13 +0000 (13:45 +0100)]
x86/tools: Fix gcc-7 warning in relocs.c

commit 7ebb916782949621ff6819acf373a06902df7679 upstream.

gcc-7 warns:

In file included from arch/x86/tools/relocs_64.c:17:0:
arch/x86/tools/relocs.c: In function ‘process_64’:
arch/x86/tools/relocs.c:953:2: warning: argument 1 null where non-null expected [-Wnonnull]
  qsort(r->offset, r->count, sizeof(r->offset[0]), cmp_relocs);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from arch/x86/tools/relocs.h:6:0,
                 from arch/x86/tools/relocs_64.c:1:
/usr/include/stdlib.h:741:13: note: in a call to function ‘qsort’ declared here
 extern void qsort

This happens because relocs16 is not used for ELF_BITS == 64,
so there is no point in trying to sort it.

Make the sort_relocs(&relocs16) call 32bit only.

Signed-off-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Link: http://lkml.kernel.org/r/20161215124513.GA289@x4
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotpm: fix a kernel memory leak in tpm-sysfs.c
Jarkko Sakkinen [Tue, 20 Jun 2017 09:38:02 +0000 (11:38 +0200)]
tpm: fix a kernel memory leak in tpm-sysfs.c

commit 13b47cfcfc60495cde216eef4c01040d76174cbe upstream.

While cleaning up sysfs callback that prints EK we discovered a kernel
memory leak. This commit fixes the issue by zeroing the buffer used for
TPM command/response.

The leak happen when we use either tpm_vtpm_proxy, tpm_ibmvtpm or
xen-tpmfront.

Fixes: 0883743825e3 ("TPM: sysfs functions consolidation")
Reported-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Tested-by: Stefan Berger <stefanb@linux.vnet.ibm.com>
Signed-off-by: Jarkko Sakkinen <jarkko.sakkinen@linux.intel.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agogfs2: Fix glock rhashtable rcu bug
Andreas Gruenbacher [Fri, 7 Jul 2017 18:22:05 +0000 (13:22 -0500)]
gfs2: Fix glock rhashtable rcu bug

commit 961ae1d83d055a4b9ebbfb4cc8ca62ec1a7a3b74 upstream.

Before commit 88ffbf3e03 "GFS2: Use resizable hash table for glocks",
glocks were freed via call_rcu to allow reading the glock hashtable
locklessly using rcu.  This was then changed to free glocks immediately,
which made reading the glock hashtable unsafe.  Bring back the original
code for freeing glocks via call_rcu.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoxhci: Limit USB2 port wake support for AMD Promontory hosts
Jiahau Chang [Mon, 19 Jun 2017 10:08:30 +0000 (13:08 +0300)]
xhci: Limit USB2 port wake support for AMD Promontory hosts

commit dec08194ffeccfa1cf085906b53d301930eae18f upstream.

For AMD Promontory xHCI host, although you can disable USB 2.0 ports in
BIOS settings, those ports will be enabled anyway after you remove a
device on that port and re-plug it in again. It's a known limitation of
the chip. As a workaround we can clear the PORT_WAKE_BITS.

This will disable wake on connect, disconnect and overcurrent on
AMD Promontory USB2 ports

[checkpatch cleanup and commit message reword -Mathias]
Cc: Tsai Nicholas <nicholas.tsai@amd.com>
Signed-off-by: Jiahau Chang <Lars_Chang@asmedia.com.tw>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoUSB: serial: qcserial: new Sierra Wireless EM7305 device ID
Bjørn Mork [Tue, 13 Jun 2017 17:11:42 +0000 (19:11 +0200)]
USB: serial: qcserial: new Sierra Wireless EM7305 device ID

commit 996fab55d864ed604158f71724ff52db1c2454a3 upstream.

A new Sierra Wireless EM7305 device ID used in a Toshiba laptop.

Reported-by: Petr Kloc <petr_kloc@yahoo.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoUSB: serial: option: add two Longcheer device ids
Johan Hovold [Mon, 12 Jun 2017 14:30:16 +0000 (16:30 +0200)]
USB: serial: option: add two Longcheer device ids

commit 8fb060da715ad10fe956d7c0077b2fb0c12bb9d7 upstream.

Add two Longcheer device-id entries which specifically enables a
Telewell TW-3G HSPA+ branded modem (0x9801).

Reported-by: Teemu Likonen <tlikonen@iki.fi>
Reported-by: Bjørn Mork <bjorn@mork.no>
Reported-by: Lars Melin <larsm17@gmail.com>
Tested-by: Teemu Likonen <tlikonen@iki.fi>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: Update info pointer after SoC-specific init
Geert Uytterhoeven [Thu, 9 Mar 2017 18:20:48 +0000 (19:20 +0100)]
pinctrl: sh-pfc: Update info pointer after SoC-specific init

commit 3091ae775fae17084013021d01513bc1ad274e6a upstream.

Update the sh_pfc_soc_info pointer after calling the SoC-specific
initialization function, as it may have been updated to e.g. handle
different SoC revisions.  This makes sure the correct subdriver name is
printed later.

Fixes: 0c151062f32c9db8 ("sh-pfc: Add support for SoC-specific initialization")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data
Sergei Shtylyov [Wed, 29 Mar 2017 18:36:50 +0000 (21:36 +0300)]
pinctrl: sh-pfc: r8a7791: Add missing HSCIF1 pinmux data

commit da7a692fbbab07f4e9798b5b52798f6e3256dd8f upstream.

The R8A7791 PFC driver  was apparently based on the preliminary revisions
of  the  user's manual, which  omitted the HSCIF1 group E signals in  the
IPSR4 register description. This would cause HSCIF1's probe  to fail with
the messages like below:

sh-pfc e6060000.pfc: cannot locate data/mark enum_id for mark 1989
sh-sci e62c8000.serial: Error applying setting, reverse things back
sh-sci: probe of e62c8000.serial failed with error -22

Add the neceassary PINMUX_IPSR_MSEL() invocations for the HSCK1_E,
HCTS1#_E, and HRTS1#_E signals...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: mxs: atomically switch mux and drive strength config
Uwe Kleine-König [Thu, 18 May 2017 09:23:55 +0000 (11:23 +0200)]
pinctrl: mxs: atomically switch mux and drive strength config

commit da6c2addf66d7ff7d0b090d6267d4292f951e4e6 upstream.

To set the mux mode of a pin two bits must be set. Up to now this is
implemented using the following idiom:

writel(mask, reg + CLR);
writel(value, reg + SET);

. This however results in the mux mode being 0 between the two writes.

On my machine there is an IC's reset pin connected to LCD_D20. The
bootloader configures this pin as GPIO output-high (i.e. not holding the
IC in reset). When Linux reconfigures the pin to GPIO the short time
LCD_D20 is muxed as LCD_D20 instead of GPIO_1_20 is enough to confuse
the connected IC.

The same problem is present for the pin's drive strength setting which is
reset to low drive strength before using the right value.

So instead of relying on the hardware to modify the register setting
using two writes implement the bit toggling using read-modify-write.

Fixes: 17723111e64f ("pinctrl: add pinctrl-mxs support")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: cherryview: Add terminate entry for dmi_system_id tables
Wei Yongjun [Tue, 25 Apr 2017 06:22:05 +0000 (06:22 +0000)]
pinctrl: cherryview: Add terminate entry for dmi_system_id tables

commit a9de080bbcd5c4e213a3d7bbb1e314d60980e943 upstream.

Make sure dmi_system_id tables are NULL terminated.

Fixes: 703650278372 ("pinctrl: cherryview: Add a quirk to make Acer
Chromebook keyboard work again")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sunxi: Fix SPDIF function name for A83T
Chen-Yu Tsai [Mon, 22 May 2017 06:25:49 +0000 (14:25 +0800)]
pinctrl: sunxi: Fix SPDIF function name for A83T

commit 7903d4f5e1dec53963cba9b1bc472a76a3532e07 upstream.

We use well known standard names for functions that have name, such as
I2C, SPI, SPDIF, etc..

Fix the function name of SPDIF, which was named OWA (One Wire Audio)
based on Allwinner datasheets.

Fixes: 4730f33f0d82 ("pinctrl: sunxi: add allwinner A83T PIO controller
      support")
Signed-off-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: stm32: Fix bad function call
Alexandre TORGUE [Tue, 30 May 2017 14:43:04 +0000 (16:43 +0200)]
pinctrl: stm32: Fix bad function call

commit b7c747d4627462f25b3daabf49c18895a6722faa upstream.

In stm32_pconf_parse_conf function, stm32_pmx_gpio_set_direction is
called with wrong parameter value. Indeed, using NULL value for range
will raise an oops.

Fixes: aceb16dc2da5 ("pinctrl: Add STM32 MCUs support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexandre TORGUE <alexandre.torgue@st.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: meson: meson8b: fix the NAND DQS pins
Martin Blumenstingl [Sat, 1 Apr 2017 13:59:21 +0000 (15:59 +0200)]
pinctrl: meson: meson8b: fix the NAND DQS pins

commit 97ba26b8a9343008504d4e3a87d212bc07b05212 upstream.

The nand_groups table uses different names for the NAND DQS pins than
the GROUP() definition in meson8b_cbus_groups (nand_dqs_0 vs nand_dqs0).
This prevents using the NAND DQS pins in the devicetree.

Fix this by ensuring that the GROUP() definition and the
meson8b_cbus_groups use the same name for these pins.

Fixes: 0fefcb6876d0 ("pinctrl: Add support for Meson8b")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Acked-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl
Geert Uytterhoeven [Sat, 11 Mar 2017 11:26:09 +0000 (12:26 +0100)]
pinctrl: sh-pfc: r8a7795: Fix hscif2_clk_b and hscif4_ctrl

commit 4324b6084f45b9faebda8d6563d8625d22b4b5df upstream.

Fix typos in hscif2_clk_b_mux[] and hscif4_ctrl_mux[].

Fixes: a56069c46c102710 ("pinctrl: sh-pfc: r8a7795: Add HSCIF pins, groups, and functions")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal
Sergei Shtylyov [Wed, 29 Mar 2017 18:36:51 +0000 (21:36 +0300)]
pinctrl: sh-pfc: r8a7791: Add missing DVC_MUTE signal

commit 3908632fb829d73317c64c3d04f584b49f62e4ae upstream.

The R8A7791 PFC driver  was apparently based on the preliminary revisions
of  the user's  manual, which  omitted the DVC_MUTE signal  altogether in
the PFC section. The modern manual has the signal described,  so just add
the necassary data to the driver...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data
Sergei Shtylyov [Thu, 30 Mar 2017 20:20:48 +0000 (23:20 +0300)]
pinctrl: sh-pfc: r8a7791: Fix SCIF2 pinmux data

commit 58439280f84e6b39fd7d61f25ab30489c1aaf0a9 upstream.

PINMUX_IPSR_MSEL() macro invocation for the TX2 signal has apparently wrong
1st argument -- most probably a result of cut&paste programming...

Fixes: 508845196238 ("pinctrl: sh-pfc: r8a7791 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: sh-pfc: r8a7794: Swap ATA signals
Sergei Shtylyov [Tue, 4 Apr 2017 20:20:16 +0000 (23:20 +0300)]
pinctrl: sh-pfc: r8a7794: Swap ATA signals

commit 5f4c8cafe1148f8a91287072815df8f0b66f0e5c upstream.

All R8A7794 manuals I have here (0.50 and 1.10) agree that the PFC driver
has ATAG0# and ATAWR0# signals in IPSR12 swapped -- fix this.

Fixes: 43c4436e2f18 ("pinctrl: sh-pfc: add R8A7794 PFC support")
Signed-off-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again
Mika Westerberg [Mon, 10 Apr 2017 10:16:33 +0000 (13:16 +0300)]
pinctrl: cherryview: Add a quirk to make Acer Chromebook keyboard work again

commit 7036502783729c2aaf7a3c24c89087c58721430f upstream.

After commit 47c950d10202 ("pinctrl: cherryview: Do not add all
southwest and north GPIOs to IRQ domain") the driver does not add all
GPIOs to the irqdomain. The reason for that is that those GPIOs cannot
generate IRQs at all, only GPEs (General Purpose Events). This causes
Linux virtual IRQ numbering to change.

However, it seems some CYAN Chromebooks, including Acer Chromebook
hardcodes these Linux IRQ numbers in the ACPI tables of the machine.
Since the numbering is different now, the IRQ meant for keyboard does
not match the Linux virtual IRQ number anymore making the keyboard
non-functional.

Work this around by adding special quirk just for these machines where
we add back all GPIOs to the irqdomain. Rest of the Cherryview/Braswell
based machines will not be affected by the change.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=194945
Fixes: 47c950d10202 ("pinctrl: cherryview: Do not add all southwest and north GPIOs to IRQ domain")
Reported-by: Adam S Levy <theadamlevy@gmail.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agopinctrl: qcom: ipq4019: add missing pingroups for pins > 70
Christian Lamparter [Thu, 16 Mar 2017 20:36:07 +0000 (21:36 +0100)]
pinctrl: qcom: ipq4019: add missing pingroups for pins > 70

commit d7402de48efae57bbb0072e53d3800c30de57ea5 upstream.

This patch adds the missing PINGROUP for GPIO70-99.
This fixes a crash that happens in pinctrl-msm, if any
of the GPIO70-99 are accessed.

Fixes: 5303f7827fcd41d ("pinctrl: qcom: ipq4019: set ngpios to correct value")
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec
Liping Zhang [Fri, 7 Apr 2017 15:51:07 +0000 (23:51 +0800)]
sysctl: report EINVAL if value is larger than UINT_MAX for proc_douintvec

commit 425fffd886bae3d127a08fa6a17f2e31e24ed7ff upstream.

Currently, inputting the following command will succeed but actually the
value will be truncated:

  # echo 0x12ffffffff > /proc/sys/net/ipv4/tcp_notsent_lowat

This is not friendly to the user, so instead, we should report error
when the value is larger than UINT_MAX.

Fixes: e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosysctl: don't print negative flag for proc_douintvec
Liping Zhang [Fri, 7 Apr 2017 15:51:06 +0000 (23:51 +0800)]
sysctl: don't print negative flag for proc_douintvec

commit 5380e5644afbba9e3d229c36771134976f05c91e upstream.

I saw some very confusing sysctl output on my system:
  # cat /proc/sys/net/core/xfrm_aevent_rseqth
  -2
  # cat /proc/sys/net/core/xfrm_aevent_etime
  -10
  # cat /proc/sys/net/ipv4/tcp_notsent_lowat
  -4294967295

Because we forget to set the *negp flag in proc_douintvec, so it will
become a garbage value.

Since the value related to proc_douintvec is always an unsigned integer,
so we can set *negp to false explictily to fix this issue.

Fixes: e7d316a02f68 ("sysctl: handle error writing UINT_MAX to u32 fields")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomac80211_hwsim: Replace bogus hrtimer clockid
Thomas Gleixner [Sat, 25 Feb 2017 10:27:37 +0000 (10:27 +0000)]
mac80211_hwsim: Replace bogus hrtimer clockid

commit 8fbcfeb8a9cc803464d6c166e7991913711c612c upstream.

mac80211_hwsim initializes a hrtimer with clockid
CLOCK_MONOTONIC_RAW. That's not supported.

Use CLOCK_MONOTONIC instead.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoUSB: core: fix device node leak
Johan Hovold [Tue, 6 Jun 2017 15:58:58 +0000 (17:58 +0200)]
USB: core: fix device node leak

commit e271b2c909a22a2c13b2d5f77f2ce0091b74540c upstream.

Make sure to release any OF device-node reference taken when creating
the USB device.

Note that we currently do not hold a reference to the root hub
device-tree node (i.e. the parent controller node).

Fixes: 69bec7259853 ("USB: core: let USB device know device node")
Acked-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agousb: Fix typo in the definition of Endpoint[out]Request
Benjamin Herrenschmidt [Tue, 13 Jun 2017 06:01:13 +0000 (16:01 +1000)]
usb: Fix typo in the definition of Endpoint[out]Request

commit 7cf916bd639bd26db7214f2205bccdb4b9306256 upstream.

The current definition is wrong. This breaks my upcoming
Aspeed virtual hub driver.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agousb: usbip: set buffer pointers to NULL after free
Michael Grzeschik [Mon, 22 May 2017 11:02:44 +0000 (13:02 +0200)]
usb: usbip: set buffer pointers to NULL after free

commit b3b51417d0af63fb9a06662dc292200aed9ea53f upstream.

The usbip stack dynamically allocates the transfer_buffer and
setup_packet of each urb that got generated by the tcp to usb stub code.
As these pointers are always used only once we will set them to NULL
after use. This is done likewise to the free_urb code in vudc_dev.c.
This patch fixes double kfree situations where the usbip remote side
added the URB_FREE_BUFFER.

Signed-off-by: Michael Grzeschik <m.grzeschik@pengutronix.de>
Acked-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoAdd USB quirk for HVR-950q to avoid intermittent device resets
Devin Heitmueller [Tue, 27 Jun 2017 17:08:51 +0000 (13:08 -0400)]
Add USB quirk for HVR-950q to avoid intermittent device resets

commit 6836796de4019944f4ba4c99a360e8250fd2e735 upstream.

The USB core and sysfs will attempt to enumerate certain parameters
which are unsupported by the au0828 - causing inconsistent behavior
and sometimes causing the chip to reset.  Avoid making these calls.

This problem manifested as intermittent cases where the au8522 would
be reset on analog video startup, in particular when starting up ALSA
audio streaming in parallel - the sysfs entries created by
snd-usb-audio on streaming startup would result in unsupported control
messages being sent during tuning which would put the chip into an
unknown state.

Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoUSB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
Jeremie Rapin [Wed, 28 Jun 2017 16:23:25 +0000 (18:23 +0200)]
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick

commit fd90f73a9925f248d696bde1cfc836d9fda5570d upstream.

Added the USB serial device ID for the CEL ZigBee EM3588
radio stick.

Signed-off-by: Jeremie Rapin <rapinj@gmail.com>
Acked-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agousb: dwc3: replace %p with %pK
Felipe Balbi [Wed, 17 May 2017 12:57:45 +0000 (15:57 +0300)]
usb: dwc3: replace %p with %pK

commit 04fb365c453e14ff9e8a28f1c46050d920a27a4a upstream.

%p will leak kernel pointers, so let's not expose the information on
dmesg and instead use %pK. %pK will only show the actual addresses if
explicitly enabled under /proc/sys/kernel/kptr_restrict.

Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodrm/virtio: don't leak bo on drm_gem_object_init failure
Gerd Hoffmann [Thu, 6 Apr 2017 15:59:40 +0000 (17:59 +0200)]
drm/virtio: don't leak bo on drm_gem_object_init failure

commit 385aee965b4e4c36551c362a334378d2985b722a upstream.

Reported-by: 李强 <liqiang6-s@360.cn>
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170406155941.458-1-kraxel@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomedia: entity: Fix stream count check
Sakari Ailus [Wed, 20 Jul 2016 11:32:49 +0000 (08:32 -0300)]
media: entity: Fix stream count check

commit 41387a59c8fd55975c6a26cc12fc5c9ca61fcc0f upstream.

There's a sanity check for the stream count remaining positive or zero on
error path, but instead of performing the check on the traversed entity it
is performed on the entity where traversal ends. Fix this.

Fixes: commit 3801bc7d1b8d ("[media] media: Media Controller fix to not let stream_count go negative")

Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotracing/kprobes: Allow to create probe with a module name starting with a digit
Sabrina Dubroca [Thu, 22 Jun 2017 09:24:42 +0000 (11:24 +0200)]
tracing/kprobes: Allow to create probe with a module name starting with a digit

commit 9e52b32567126fe146f198971364f68d3bc5233f upstream.

Always try to parse an address, since kstrtoul() will safely fail when
given a symbol as input. If that fails (which will be the case for a
symbol), try to parse a symbol instead.

This allows creating a probe such as:

    p:probe/vlan_gro_receive 8021q:vlan_gro_receive+0

Which is necessary for this command to work:

    perf probe -m 8021q -a vlan_gro_receive

Link: http://lkml.kernel.org/r/fd72d666f45b114e2c5b9cf7e27b91de1ec966f1.1498122881.git.sd@queasysnail.net
Fixes: 413d37d1e ("tracing: Add kprobe-based event tracer")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoceph: choose readdir frag based on previous readdir reply
Yan, Zheng [Mon, 24 Apr 2017 03:56:50 +0000 (11:56 +0800)]
ceph: choose readdir frag based on previous readdir reply

commit b50c2de51e611da90cf3cf04c058f7e9bbe79e93 upstream.

The dirfragtree is lazily updated, it's not always accurate. Infinite
loops happens in following circumstance.

- client send request to read frag A
- frag A has been fragmented into frag B and C. So mds fills the reply
  with contents of frag B
- client wants to read next frag C. ceph_choose_frag(frag value of C)
  return frag A.

The fix is using previous readdir reply to calculate next readdir frag
when possible.

Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodriver core: platform: fix race condition with driver_override
Adrian Salido [Tue, 25 Apr 2017 23:55:26 +0000 (16:55 -0700)]
driver core: platform: fix race condition with driver_override

commit 6265539776a0810b7ce6398c27866ddb9c6bd154 upstream.

The driver_override implementation is susceptible to race condition when
different threads are reading vs storing a different driver override.
Add locking to avoid race condition.

Fixes: 3d713e0e382e ("driver core: platform: add device binding path 'driver_override'")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Salido <salidoa@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agofs: completely ignore unknown open flags
Christoph Hellwig [Thu, 27 Apr 2017 07:42:25 +0000 (09:42 +0200)]
fs: completely ignore unknown open flags

commit 629e014bb8349fcf7c1e4df19a842652ece1c945 upstream.

Currently we just stash anything we got into file->f_flags, and the
report it in fcntl(F_GETFD).  This patch just clears out all unknown
flags so that we don't pass them to the fs or report them.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agofs: add a VALID_OPEN_FLAGS
Christoph Hellwig [Thu, 27 Apr 2017 07:42:24 +0000 (09:42 +0200)]
fs: add a VALID_OPEN_FLAGS

commit 80f18379a7c350c011d30332658aa15fe49a8fa5 upstream.

Add a central define for all valid open flags, and use it in the uniqueness
check.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoANDROID: android-base.cfg: remove CONFIG_CGROUP_DEBUG
Steve Muckle [Tue, 11 Jul 2017 17:06:37 +0000 (10:06 -0700)]
ANDROID: android-base.cfg: remove CONFIG_CGROUP_DEBUG

This config option is not required by Android.

Bug: 63578267
Change-Id: I163fa19183734a1a343d525e885a000a495c242e
Signed-off-by: Steve Muckle <smuckle@google.com>
7 years agoANDROID: sdcardfs: use mount_nodev and fix a issue in sdcardfs_kill_sb
Gao Xiang [Tue, 9 May 2017 04:30:56 +0000 (12:30 +0800)]
ANDROID: sdcardfs: use mount_nodev and fix a issue in sdcardfs_kill_sb

Use the VFS mount_nodev instead of customized mount_nodev_with_options
and fix generic_shutdown_super to kill_anon_super because of set_anon_super

Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Change-Id: Ibe46647aa2ce49d79291aa9d0295e9625cfccd80

7 years agoMerge 4.9.36 into android-4.9
Greg Kroah-Hartman [Wed, 5 Jul 2017 14:18:14 +0000 (16:18 +0200)]
Merge 4.9.36 into android-4.9

Changes in 4.9.36
ipv6: release dst on error in ip6_dst_lookup_tail
net: don't call strlen on non-terminated string in dev_set_alias()
decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
net: Zero ifla_vf_info in rtnl_fill_vfinfo()
net: vrf: Make add_fib_rules per network namespace flag
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
Fix an intermittent pr_emerg warning about lo becoming free.
sctp: disable BH in sctp_for_each_endpoint
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
net/mlx5e: Added BW check for DIM decision mechanism
net/mlx5e: Fix wrong indications in DIM due to counter wraparound
proc: snmp6: Use correct type in memset
igmp: acquire pmc lock for ip_mc_clear_src()
igmp: add a missing spin_lock_init()
ipv6: fix calling in6_ifa_hold incorrectly for dad work
sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
net/mlx5: Wait for FW readiness before initializing command interface
net/mlx5e: Fix timestamping capabilities reporting
decnet: always not take dst->__refcnt when inserting dst into hash table
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
sfc: provide dummy definitions of vswitch functions
ipv6: Do not leak throw route references
rtnetlink: add IFLA_GROUP to ifla_policy
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
netfilter: synproxy: fix conntrackd interaction
NFSv4: fix a reference leak caused WARNING messages
NFSv4.x/callback: Create the callback service through svc_create_pooled
xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
drm/ast: Handle configuration without P2A bridge
mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
MIPS: head: Reorder instructions missing a delay slot
MIPS: Avoid accidental raw backtrace
MIPS: pm-cps: Drop manual cache-line alignment of ready_count
MIPS: Fix IRQ tracing & lockdep when rescheduling
ALSA: hda - Fix endless loop of codec configure
ALSA: hda - set input_path bitmap to zero after moving it to new place
NFSv4.1: Fix a race in nfs4_proc_layoutget
gpiolib: fix filtering out unwanted events
drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
dm thin: do not queue freed thin mapping for next stage processing
x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds()
usb: gadget: f_fs: Fix possibe deadlock
l2tp: fix race in l2tp_recv_common()
l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
l2tp: fix duplicate session creation
l2tp: hold session while sending creation notifications
l2tp: take a reference on sessions used in genetlink handlers
mm: numa: avoid waiting on freed migrated pages
sparc64: Handle PIO & MEM non-resumable errors.
sparc64: Zero pages on allocation for mondo and error queues.
net: ethtool: add support for 2500BaseT and 5000BaseT link modes
net: phy: add an option to disable EEE advertisement
dt-bindings: net: add EEE capability constants
net: phy: fix sign type error in genphy_config_eee_advert
net: phy: use boolean dt properties for eee broken modes
dt: bindings: net: use boolean dt properties for eee broken modes
ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
xen/blkback: don't free be structure too early
KVM: x86: fix fixing of hypercalls
scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
stmmac: add missing of_node_put
scsi: lpfc: Set elsiocb contexts to NULL after freeing it
qla2xxx: Terminate exchange if corrupted
qla2xxx: Fix erroneous invalid handle message
drm/amdgpu: fix program vce instance logic error.
drm/amdgpu: add support for new hainan variants
net: phy: dp83848: add DP83620 PHY support
perf/x86/intel: Handle exclusive threadid correctly on CPU hotplug
net: korina: Fix NAPI versus resources freeing
powerpc/eeh: Enable IO path on permanent error
net: ethtool: Initialize buffer when querying device channel settings
xen-netback: fix memory leaks on XenBus disconnect
xen-netback: protect resource cleaning on XenBus disconnect
bnxt_en: Fix "uninitialized variable" bug in TPA code path.
bpf: don't trigger OOM killer under pressure with map alloc
objtool: Fix IRET's opcode
gianfar: Do not reuse pages from emergency reserve
Btrfs: Fix deadlock between direct IO and fast fsync
Btrfs: fix truncate down when no_holes feature is enabled
virtio_console: fix a crash in config_work_handler
swiotlb-xen: update dev_addr after swapping pages
xen-netfront: Fix Rx stall during network stress and OOM
scsi: virtio_scsi: Reject commands when virtqueue is broken
iwlwifi: fix kernel crash when unregistering thermal zone
platform/x86: ideapad-laptop: handle ACPI event 1
amd-xgbe: Check xgbe_init() return code
net: dsa: Check return value of phy_connect_direct()
drm/amdgpu: check ring being ready before using
vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
mlxsw: spectrum_router: Correctly reallocate adjacency entries
virtio_net: fix PAGE_SIZE > 64k
ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
vxlan: do not age static remote mac entries
ibmveth: Add a proper check for the availability of the checksum features
kernel/panic.c: add missing \n
Documentation: devicetree: change the mediatek ethernet compatible string
drm/etnaviv: trick drm_mm into giving out a low IOVA
perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code
pinctrl: intel: Set pin direction properly
net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
mac80211: recalculate min channel width on VHT opmode changes
perf/x86/intel: Use ULL constant to prevent undefined shift behaviour
HID: i2c-hid: Add sleep between POWER ON and RESET
scsi: lpfc: avoid double free of resource identifiers
spi: davinci: use dma_mapping_error()
arm64: assembler: make adr_l work in modules under KASLR
net: thunderx: acpi: fix LMAC initialization
drm/radeon/si: load special ucode for certain MC configs
drm/amd/powerplay: fix vce cg logic error on CZ/St.
drm/amd/powerplay: refine vce dpm update code on Cz.
pmem: return EIO on read_pmem() failure
mac80211: initialize SMPS field in HT capabilities
x86/tsc: Add the Intel Denverton Processor to native_calibrate_tsc()
x86/mpx: Use compatible types in comparison to fix sparse error
perf/core: Fix sys_perf_event_open() vs. hotplug
perf/x86: Reject non sampling events with precise_ip
aio: fix lock dep warning
coredump: Ensure proper size of sparse core files
swiotlb: ensure that page-sized mappings are page-aligned
s390/ctl_reg: make __ctl_load a full memory barrier
usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
be2net: fix status check in be_cmd_pmac_add()
be2net: don't delete MAC on close on unprivileged BE3 VFs
be2net: fix MAC addr setting on privileged BE3 VFs
perf probe: Fix to show correct locations for events on modules
net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types
tipc: allocate user memory with GFP_KERNEL flag
perf probe: Fix to probe on gcc generated functions in modules
net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
sctp: check af before verify address in sctp_addr_id2transport
ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets
ravb: Fix use-after-free on `ifconfig eth0 down`
mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
xfrm: NULL dereference on allocation failure
xfrm: Oops on error in pfkey_msg2xfrm_state()
netfilter: use skb_to_full_sk in ip_route_me_harder
watchdog: bcm281xx: Fix use of uninitialized spinlock.
sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
spi: When no dma_chan map buffers with spi_master's parent
spi: fix device-node leaks
regulator: tps65086: Fix expected switch DT node names
regulator: tps65086: Fix DT node referencing in of_parse_cb
ARM: OMAP2+: omap_device: Sync omap_device and pm_runtime after probe defer
ARM: dts: OMAP3: Fix MFG ID EEPROM
ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
ARM: 8685/1: ensure memblock-limit is pmd-aligned
tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel
x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
x86/mm: Fix flush_tlb_page() on Xen
ocfs2: o2hb: revert hb threshold to keep compatible
iommu/vt-d: Don't over-free page table directories
iommu: Handle default domain attach failure
iommu/dma: Don't reserve PCI I/O windows
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
iommu/amd: Fix interrupt remapping when disable guest_mode
cpufreq: s3c2416: double free on driver init error path
clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled
objtool: Fix another GCC jump table detection issue
infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data
brcmfmac: avoid writing channel out of allocated array
i2c: brcmstb: Fix START and STOP conditions
mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
arm64: fix NULL dereference in have_cpu_die()
KVM: x86: fix emulation of RSM and IRET instructions
KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
KVM: x86: zero base3 of unusable segments
KVM: nVMX: Fix exception injection
Linux 4.9.36

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
7 years agoLinux 4.9.36
Greg Kroah-Hartman [Wed, 5 Jul 2017 12:40:44 +0000 (14:40 +0200)]
Linux 4.9.36

7 years agoKVM: nVMX: Fix exception injection
Wanpeng Li [Mon, 5 Jun 2017 12:19:09 +0000 (05:19 -0700)]
KVM: nVMX: Fix exception injection

commit d4912215d1031e4fb3d1038d2e1857218dba0d0a upstream.

 WARNING: CPU: 3 PID: 2840 at arch/x86/kvm/vmx.c:10966 nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
 CPU: 3 PID: 2840 Comm: qemu-system-x86 Tainted: G           OE   4.12.0-rc3+ #23
 RIP: 0010:nested_vmx_vmexit+0xdcd/0xde0 [kvm_intel]
 Call Trace:
  ? kvm_check_async_pf_completion+0xef/0x120 [kvm]
  ? rcu_read_lock_sched_held+0x79/0x80
  vmx_queue_exception+0x104/0x160 [kvm_intel]
  ? vmx_queue_exception+0x104/0x160 [kvm_intel]
  kvm_arch_vcpu_ioctl_run+0x1171/0x1ce0 [kvm]
  ? kvm_arch_vcpu_load+0x47/0x240 [kvm]
  ? kvm_arch_vcpu_load+0x62/0x240 [kvm]
  kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
  ? kvm_vcpu_ioctl+0x384/0x7b0 [kvm]
  ? __fget+0xf3/0x210
  do_vfs_ioctl+0xa4/0x700
  ? __fget+0x114/0x210
  SyS_ioctl+0x79/0x90
  do_syscall_64+0x81/0x220
  entry_SYSCALL64_slow_path+0x25/0x25

This is triggered occasionally by running both win7 and win2016 in L2, in
addition, EPT is disabled on both L1 and L2. It can't be reproduced easily.

Commit 0b6ac343fc (KVM: nVMX: Correct handling of exception injection) mentioned
that "KVM wants to inject page-faults which it got to the guest. This function
assumes it is called with the exit reason in vmcs02 being a #PF exception".
Commit e011c663 (KVM: nVMX: Check all exceptions for intercept during delivery to
L2) allows to check all exceptions for intercept during delivery to L2. However,
there is no guarantee the exit reason is exception currently, when there is an
external interrupt occurred on host, maybe a time interrupt for host which should
not be injected to guest, and somewhere queues an exception, then the function
nested_vmx_check_exception() will be called and the vmexit emulation codes will
try to emulate the "Acknowledge interrupt on exit" behavior, the warning is
triggered.

Reusing the exit reason from the L2->L0 vmexit is wrong in this case,
the reason must always be EXCEPTION_NMI when injecting an exception into
L1 as a nested vmexit.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Fixes: e011c663b9c7 ("KVM: nVMX: Check all exceptions for intercept during delivery to L2")
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoKVM: x86: zero base3 of unusable segments
Radim Krčmář [Thu, 18 May 2017 17:37:30 +0000 (19:37 +0200)]
KVM: x86: zero base3 of unusable segments

commit f0367ee1d64d27fa08be2407df5c125442e885e3 upstream.

Static checker noticed that base3 could be used uninitialized if the
segment was not present (useable).  Random stack values probably would
not pass VMCS entry checks.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 1aa366163b8b ("KVM: x86 emulator: consolidate segment accessors")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoKVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
Radim Krčmář [Thu, 18 May 2017 17:37:31 +0000 (19:37 +0200)]
KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()

commit 34b0dadbdf698f9b277a31b2747b625b9a75ea1f upstream.

Static analysis noticed that pmu->nr_arch_gp_counters can be 32
(INTEL_PMC_MAX_GENERIC) and therefore cannot be used to shift 'int'.

I didn't add BUILD_BUG_ON for it as we have a better checker.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 25462f7f5295 ("KVM: x86/vPMU: Define kvm_pmu_ops to support vPMU function dispatch")
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoKVM: x86: fix emulation of RSM and IRET instructions
Ladi Prosek [Tue, 25 Apr 2017 14:42:44 +0000 (16:42 +0200)]
KVM: x86: fix emulation of RSM and IRET instructions

commit 6ed071f051e12cf7baa1b69d3becb8f232fdfb7b upstream.

On AMD, the effect of set_nmi_mask called by emulate_iret_real and em_rsm
on hflags is reverted later on in x86_emulate_instruction where hflags are
overwritten with ctxt->emul_flags (the kvm_set_hflags call). This manifests
as a hang when rebooting Windows VMs with QEMU, OVMF, and >1 vcpu.

Instead of trying to merge ctxt->emul_flags into vcpu->arch.hflags after
an instruction is emulated, this commit deletes emul_flags altogether and
makes the emulator access vcpu->arch.hflags using two new accessors. This
way all changes, on the emulator side as well as in functions called from
the emulator and accessing vcpu state with emul_to_vcpu, are preserved.

More details on the bug and its manifestation with Windows and OVMF:

  It's a KVM bug in the interaction between SMI/SMM and NMI, specific to AMD.
  I believe that the SMM part explains why we started seeing this only with
  OVMF.

  KVM masks and unmasks NMI when entering and leaving SMM. When KVM emulates
  the RSM instruction in em_rsm, the set_nmi_mask call doesn't stick because
  later on in x86_emulate_instruction we overwrite arch.hflags with
  ctxt->emul_flags, effectively reverting the effect of the set_nmi_mask call.
  The AMD-specific hflag of interest here is HF_NMI_MASK.

  When rebooting the system, Windows sends an NMI IPI to all but the current
  cpu to shut them down. Only after all of them are parked in HLT will the
  initiating cpu finish the restart. If NMI is masked, other cpus never get
  the memo and the initiating cpu spins forever, waiting for
  hal!HalpInterruptProcessorsStarted to drop. That's the symptom we observe.

Fixes: a584539b24b8 ("KVM: x86: pass the whole hflags field to emulator and back")
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoarm64: fix NULL dereference in have_cpu_die()
Mark Salter [Fri, 24 Mar 2017 13:53:56 +0000 (09:53 -0400)]
arm64: fix NULL dereference in have_cpu_die()

commit 335d2c2d192266358c5dfa64953a4c162f46e464 upstream.

Commit 5c492c3f5255 ("arm64: smp: Add function to determine if cpus are
stuck in the kernel") added a helper function to determine if die() is
supported in cpu_ops. This function assumes a cpu will have a valid
cpu_ops entry, but that may not be the case for cpu0 is spin-table or
parking protocol is used to boot secondary cpus. In that case, there
is a NULL dereference if have_cpu_die() is called by cpu0. So add a
check for a valid cpu_ops before dereferencing it.

Fixes: 5c492c3f5255 ("arm64: smp: Add function to determine if cpus are stuck in the kernel")
Signed-off-by: Mark Salter <msalter@redhat.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
Kamal Dasu [Fri, 3 Mar 2017 21:16:53 +0000 (16:16 -0500)]
mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program

commit 9d2ee0a60b8bd9bef2a0082c533736d6a7b39873 upstream.

On brcmnand controller v6.x and v7.x, the #WP pin is controlled through
the NAND_WP bit in CS_SELECT register.

The driver currently assumes that toggling the #WP pin is
instantaneously enabling/disabling write-protection, but it actually
takes some time to propagate the new state to the internal NAND chip
logic. This behavior is sometime causing data corruptions when an
erase/program operation is executed before write-protection has really
been disabled.

Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
Signed-off-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoi2c: brcmstb: Fix START and STOP conditions
Jaedon Shin [Fri, 3 Mar 2017 01:55:03 +0000 (10:55 +0900)]
i2c: brcmstb: Fix START and STOP conditions

commit 2de3ec4f1d4ba6ee380478055104eb918bd50cce upstream.

The BSC data buffers to send and receive data are each of size 32 bytes
or 8 bytes 'xfersz' depending on SoC. The problem observed for all the
combined message transfer was if length of data transfer was a multiple
of 'xfersz' a repeated START was being transmitted by BSC driver. Fixed
this by appropriately setting START/STOP conditions for such transfers.

Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver")
Signed-off-by: Jaedon Shin <jaedon.shin@gmail.com>
Acked-by: Kamal Dasu <kdasu.kdev@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agobrcmfmac: avoid writing channel out of allocated array
Rafał Miłecki [Wed, 4 Jan 2017 11:09:41 +0000 (12:09 +0100)]
brcmfmac: avoid writing channel out of allocated array

commit 77c0d0cd10e793989d1e8b835a9a09694182cb39 upstream.

Our code was assigning number of channels to the index variable by
default. If firmware reported channel we didn't predict this would
result in using that initial index value and writing out of array. This
never happened so far (we got a complete list of supported channels) but
it means possible memory corruption so we should handle it anyway.

This patch simply detects unexpected channel and ignores it.

As we don't try to create new entry now, it's also safe to drop hw_value
and center_freq assignment. For known channels we have these set anyway.

I decided to fix this issue by assigning NULL or a target channel to the
channel variable. This was one of possible ways, I prefefred this one as
it also avoids using channel[index] over and over.

Fixes: 58de92d2f95e ("brcmfmac: use static superset of channels for wiphy bands")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoinfiniband: hns: avoid gcc-7.0.1 warning for uninitialized data
Arnd Bergmann [Fri, 24 Mar 2017 22:02:48 +0000 (23:02 +0100)]
infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data

commit 5b0ff9a00755d4d9c209033a77f1ed8f3186fe5c upstream.

hns_roce_v1_cq_set_ci() calls roce_set_bit() on an uninitialized field,
which will then change only a few of its bits, causing a warning with
the latest gcc:

infiniband/hw/hns/hns_roce_hw_v1.c: In function 'hns_roce_v1_cq_set_ci':
infiniband/hw/hns/hns_roce_hw_v1.c:1854:23: error: 'doorbell[1]' is used uninitialized in this function [-Werror=uninitialized]
  roce_set_bit(doorbell[1], ROCEE_DB_OTHERS_H_ROCEE_DB_OTH_HW_SYNS_S, 1);

The code is actually correct since we always set all bits of the
port_vlan field, but gcc correctly points out that the first
access does contain uninitialized data.

This initializes the field to zero first before setting the
individual bits.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoobjtool: Fix another GCC jump table detection issue
Josh Poimboeuf [Thu, 2 Mar 2017 22:57:23 +0000 (16:57 -0600)]
objtool: Fix another GCC jump table detection issue

commit 5c51f4ae84df0f9df33ac08aa5be50061a8b4242 upstream.

Arnd Bergmann reported a (false positive) objtool warning:

  drivers/infiniband/sw/rxe/rxe_resp.o: warning: objtool: rxe_responder()+0xfe: sibling call from callable instruction with changed frame pointer

The issue is in find_switch_table().  It tries to find a switch
statement's jump table by walking backwards from an indirect jump
instruction, looking for a relocation to the .rodata section.  In this
case it stopped walking prematurely: the first .rodata relocation it
encountered was for a variable (resp_state_name) instead of a jump
table, so it just assumed there wasn't a jump table.

The fix is to ignore any .rodata relocation which refers to an ELF
object symbol.  This works because the jump tables are anonymous and
have no symbols associated with them.

Reported-by: Arnd Bergmann <arnd@arndb.de>
Tested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Fixes: 3732710ff6f2 ("objtool: Improve rare switch jump table pattern detection")
Link: http://lkml.kernel.org/r/20170302225723.3ndbsnl4hkqbne7a@treble
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoclk: scpi: don't add cpufreq device if the scpi dvfs node is disabled
Sudeep Holla [Fri, 6 Jan 2017 12:34:30 +0000 (12:34 +0000)]
clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled

commit 67bcc2c5f1da8c5bb58e72354274ea5c59a3950a upstream.

Currently we add the virtual cpufreq device unconditionally even when
the SCPI DVFS clock provider node is disabled. This will cause cpufreq
driver to throw errors when it gets initailised on boot/modprobe and
also when the CPUs are hot-plugged back in.

This patch fixes the issue by adding the virtual cpufreq device only if
the SCPI DVFS clock provider is available and registered.

Fixes: 9490f01e2471 ("clk: scpi: add support for cpufreq virtual device")
Reported-by: Michał Zegan <webczat_200@poczta.onet.pl>
Cc: Neil Armstrong <narmstrong@baylibre.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Tested-by: Michał Zegan <webczat_200@poczta.onet.pl>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agocpufreq: s3c2416: double free on driver init error path
Dan Carpenter [Tue, 7 Feb 2017 13:19:06 +0000 (16:19 +0300)]
cpufreq: s3c2416: double free on driver init error path

commit a69261e4470d680185a15f748d9cdafb37c57a33 upstream.

The "goto err_armclk;" error path already does a clk_put(s3c_freq->hclk);
so this is a double free.

Fixes: 34ee55075265 ([CPUFREQ] Add S3C2416/S3C2450 cpufreq driver)
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiommu/amd: Fix interrupt remapping when disable guest_mode
Suravee Suthikulpanit [Mon, 26 Jun 2017 09:28:04 +0000 (04:28 -0500)]
iommu/amd: Fix interrupt remapping when disable guest_mode

commit 84a21dbdef0b96d773599c33c2afbb002198d303 upstream.

Pass-through devices to VM guest can get updated IRQ affinity
information via irq_set_affinity() when not running in guest mode.
Currently, AMD IOMMU driver in GA mode ignores the updated information
if the pass-through device is setup to use vAPIC regardless of guest_mode.
This could cause invalid interrupt remapping.

Also, the guest_mode bit should be set and cleared only when
SVM updates posted-interrupt interrupt remapping information.

Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Cc: Joerg Roedel <jroedel@suse.de>
Fixes: d98de49a53e48 ('iommu/amd: Enable vAPIC interrupt remapping mode by default')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
Pan Bian [Sun, 23 Apr 2017 10:23:21 +0000 (18:23 +0800)]
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()

commit 73dbd4a4230216b6a5540a362edceae0c9b4876b upstream.

In function amd_iommu_bind_pasid(), the control flow jumps
to label out_free when pasid_state->mm and mm is NULL. And
mmput(mm) is called.  In function mmput(mm), mm is
referenced without validation. This will result in a NULL
dereference bug. This patch fixes the bug.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Fixes: f0aac63b873b ('iommu/amd: Don't hold a reference to mm_struct')
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiommu/dma: Don't reserve PCI I/O windows
Robin Murphy [Thu, 16 Mar 2017 17:00:17 +0000 (17:00 +0000)]
iommu/dma: Don't reserve PCI I/O windows

commit 938f1bbe35e3a7cb07e1fa7c512e2ef8bb866bdf upstream.

Even if a host controller's CPU-side MMIO windows into PCI I/O space do
happen to leak into PCI memory space such that it might treat them as
peer addresses, trying to reserve the corresponding I/O space addresses
doesn't do anything to help solve that problem. Stop doing a silly thing.

Fixes: fade1ec055dc ("iommu/dma: Avoid PCI host bridge windows")
Reviewed-by: Eric Auger <eric.auger@redhat.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiommu: Handle default domain attach failure
Robin Murphy [Mon, 16 Jan 2017 12:58:07 +0000 (12:58 +0000)]
iommu: Handle default domain attach failure

commit 797a8b4d768c58caac58ee3e8cb36a164d1b7751 upstream.

We wouldn't normally expect ops->attach_dev() to fail, but on IOMMUs
with limited hardware resources, or generally misconfigured systems,
it is certainly possible. We report failure correctly from the external
iommu_attach_device() interface, but do not do so in iommu_group_add()
when attaching to the default domain. The result of failure there is
that the device, group and domain all get left in a broken,
part-configured state which leads to weird errors and misbehaviour down
the line when IOMMU API calls sort-of-but-don't-quite work.

Check the return value of __iommu_attach_device() on the default domain,
and refactor the error handling paths to cope with its failure and clean
up correctly in such cases.

Fixes: e39cb8a3aa98 ("iommu: Make sure a device is always attached to a domain")
Reported-by: Punit Agrawal <punit.agrawal@arm.com>
Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiommu/vt-d: Don't over-free page table directories
David Dillow [Tue, 31 Jan 2017 03:11:11 +0000 (19:11 -0800)]
iommu/vt-d: Don't over-free page table directories

commit f7116e115acdd74bc75a4daf6492b11d43505125 upstream.

dma_pte_free_level() recurses down the IOMMU page tables and frees
directory pages that are entirely contained in the given PFN range.
Unfortunately, it incorrectly calculates the starting address covered
by the PTE under consideration, which can lead to it clearing an entry
that is still in use.

This occurs if we have a scatterlist with an entry that has a length
greater than 1026 MB and is aligned to 2 MB for both the IOMMU and
physical addresses. For example, if __domain_mapping() is asked to map a
two-entry scatterlist with 2 MB and 1028 MB segments to PFN 0xffff80000,
it will ask if dma_pte_free_pagetable() is asked to PFNs from
0xffff80200 to 0xffffc05ff, it will also incorrectly clear the PFNs from
0xffff80000 to 0xffff801ff because of this issue. The current code will
set level_pfn to 0xffff80200, and 0xffff80200-0xffffc01ff fits inside
the range being cleared. Properly setting the level_pfn for the current
level under consideration catches that this PTE is outside of the range
being cleared.

This patch also changes the value passed into dma_pte_free_level() when
it recurses. This only affects the first PTE of the range being cleared,
and is handled by the existing code that ensures we start our cursor no
lower than start_pfn.

This was found when using dma_map_sg() to map large chunks of contiguous
memory, which immediatedly led to faults on the first access of the
erroneously-deleted mappings.

Fixes: 3269ee0bd668 ("intel-iommu: Fix leaks in pagetable freeing")
Reviewed-by: Benjamin Serebrin <serebrin@google.com>
Signed-off-by: David Dillow <dillow@google.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoocfs2: o2hb: revert hb threshold to keep compatible
Junxiao Bi [Wed, 3 May 2017 21:51:41 +0000 (14:51 -0700)]
ocfs2: o2hb: revert hb threshold to keep compatible

commit 33496c3c3d7b88dcbe5e55aa01288b05646c6aca upstream.

Configfs is the interface for ocfs2-tools to set configure to kernel and
$configfs_dir/cluster/$clustername/heartbeat/dead_threshold is the one
used to configure heartbeat dead threshold.  Kernel has a default value
of it but user can set O2CB_HEARTBEAT_THRESHOLD in /etc/sysconfig/o2cb
to override it.

Commit 45b997737a80 ("ocfs2/cluster: use per-attribute show and store
methods") changed heartbeat dead threshold name while ocfs2-tools did
not, so ocfs2-tools won't set this configurable and the default value is
always used.  So revert it.

Fixes: 45b997737a80 ("ocfs2/cluster: use per-attribute show and store methods")
Link: http://lkml.kernel.org/r/1490665245-15374-1-git-send-email-junxiao.bi@oracle.com
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Acked-by: Joseph Qi <jiangqi903@gmail.com>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>