Commit Graph

634531 Commits

Author SHA1 Message Date
Linus Torvalds f7df76e6ac Merge branch 'parisc-4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux
Pull parisc updates from Helge Deller:
 "The first three patches are trivial and add some required KERN_CONT,
  ignore the new pkey syscalls on parisc and use the LINUX_GATEWAY_ADDR
  define instead of hardcoded values.

  The two patches from Dave Anglin are important.

  The first one avoids trashing the sr2 and sr3 space registers in the
  Light-weight syscall path. Especially the usage of sr3 is critical
  since it may get trashed by the interrupt handler.

  The second patch is even more important and tagged for stable series.
  It protects one critical section in the syscall entry path by
  disabling local interrupts. Without disabling interrupts, the sr7
  space register may not be in sync with the current stack setup and
  thus an incoming hardware interrupt may destroy memory in random
  userspace areas"

* 'parisc-4.9-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc: Ignore the pkey system calls for now
  parisc: Use LINUX_GATEWAY_ADDR define instead of hardcoded value
  parisc: Ensure consistent state when switching to kernel stack at syscall entry
  parisc: Avoid trashing sr2 and sr3 in LWS code
  parisc: use KERN_CONT when printing device inventory
2016-11-04 13:01:13 -07:00
Vladimir Zapolskiy 147b36d5b7 i2c: core: fix NULL pointer dereference under race condition
Race condition between registering an I2C device driver and
deregistering an I2C adapter device which is assumed to manage that
I2C device may lead to a NULL pointer dereference due to the
uninitialized list head of driver clients.

The root cause of the issue is that the I2C bus may know about the
registered device driver and thus it is matched by bus_for_each_drv(),
but the list of clients is not initialized and commonly it is NULL,
because I2C device drivers define struct i2c_driver as static and
clients field is expected to be initialized by I2C core:

  i2c_register_driver()             i2c_del_adapter()
    driver_register()                 ...
      bus_add_driver()                ...
        ...                           bus_for_each_drv(..., __process_removed_adapter)
      ...                               i2c_do_del_adapter()
    ...                                   list_for_each_entry_safe(..., &driver->clients, ...)
    INIT_LIST_HEAD(&driver->clients);

To solve the problem it is sufficient to do clients list head
initialization before calling driver_register().

The problem was found while using an I2C device driver with a sluggish
registration routine on a bus provided by a physically detachable I2C
master controller, but practically the oops may be reproduced under
the race between arbitraty I2C device driver registration and managing
I2C bus device removal e.g. by unbinding the latter over sysfs:

% echo 21a4000.i2c > /sys/bus/platform/drivers/imx-i2c/unbind
  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  Internal error: Oops: 17 [#1] SMP ARM
  CPU: 2 PID: 533 Comm: sh Not tainted 4.9.0-rc3+ #61
  Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
  task: e5ada400 task.stack: e4936000
  PC is at i2c_do_del_adapter+0x20/0xcc
  LR is at __process_removed_adapter+0x14/0x1c
  Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
  Control: 10c5387d  Table: 35bd004a  DAC: 00000051
  Process sh (pid: 533, stack limit = 0xe4936210)
  Stack: (0xe4937d28 to 0xe4938000)
  Backtrace:
  [<c0667be0>] (i2c_do_del_adapter) from [<c0667cc0>] (__process_removed_adapter+0x14/0x1c)
  [<c0667cac>] (__process_removed_adapter) from [<c0516998>] (bus_for_each_drv+0x6c/0xa0)
  [<c051692c>] (bus_for_each_drv) from [<c06685ec>] (i2c_del_adapter+0xbc/0x284)
  [<c0668530>] (i2c_del_adapter) from [<bf0110ec>] (i2c_imx_remove+0x44/0x164 [i2c_imx])
  [<bf0110a8>] (i2c_imx_remove [i2c_imx]) from [<c051a838>] (platform_drv_remove+0x2c/0x44)
  [<c051a80c>] (platform_drv_remove) from [<c05183d8>] (__device_release_driver+0x90/0x12c)
  [<c0518348>] (__device_release_driver) from [<c051849c>] (device_release_driver+0x28/0x34)
  [<c0518474>] (device_release_driver) from [<c0517150>] (unbind_store+0x80/0x104)
  [<c05170d0>] (unbind_store) from [<c0516520>] (drv_attr_store+0x28/0x34)
  [<c05164f8>] (drv_attr_store) from [<c0298acc>] (sysfs_kf_write+0x50/0x54)
  [<c0298a7c>] (sysfs_kf_write) from [<c029801c>] (kernfs_fop_write+0x100/0x214)
  [<c0297f1c>] (kernfs_fop_write) from [<c0220130>] (__vfs_write+0x34/0x120)
  [<c02200fc>] (__vfs_write) from [<c0221088>] (vfs_write+0xa8/0x170)
  [<c0220fe0>] (vfs_write) from [<c0221e74>] (SyS_write+0x4c/0xa8)
  [<c0221e28>] (SyS_write) from [<c0108a20>] (ret_fast_syscall+0x0/0x1c)

Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
2016-11-04 20:36:58 +01:00
Mark Brown 0b203d699e Merge remote-tracking branch 'asoc/fix/topology-abi' into asoc-linus 2016-11-04 12:34:05 -06:00
Mark Brown 3dfd2b682b Merge remote-tracking branches 'asoc/fix/rt5663', 'asoc/fix/samsung', 'asoc/fix/sti', 'asoc/fix/sti-codec', 'asoc/fix/sunxi' and 'asoc/fix/tas571x' into asoc-linus 2016-11-04 12:33:56 -06:00
Mark Brown 74d01b140f Merge remote-tracking branches 'asoc/fix/cs4270', 'asoc/fix/da7219', 'asoc/fix/hdmi-codec', 'asoc/fix/pxa', 'asoc/fix/qcom' and 'asoc/fix/rt298' into asoc-linus 2016-11-04 12:33:48 -06:00
Mark Brown 56eba7a15b Merge remote-tracking branch 'asoc/fix/intel' into asoc-linus 2016-11-04 12:33:45 -06:00
Archit Taneja 16976085a1 drm/msm: Fix error handling crashes seen when VRAM allocation fails
If VRAM allocation fails, the error handling path crashes in
msm_drm_uninit(). The following changes are made to fix this:

msm_gem_shrinker_cleanup() is fixed to unregister the shrinker only
if it was init-ed in the first place.

Before calling kms->funcs->destroy(), we check if kms->funcs is also
non-NULL. This is needed for MDP5, since during msm_drm_int(), priv->kms
becomes non-NULL early, but msm_kms_init() is called on it only later
in mdp5_kms_init().

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Andy Gross <andy.gross@linaro.org>
2016-11-04 11:51:37 -04:00
James Hogan 16a767ec63 MIPS: Fix max_low_pfn with disabled highmem
When low memory doesn't reach HIGHMEM_START (e.g. up to 256MB at PA=0 is
common) and highmem is present above HIGHMEM_START (e.g. on Malta the
RAM overlayed by the IO region is aliased at PA=0x90000000), max_low_pfn
will be initially calculated very large and then clipped down to
HIGHMEM_START.

This causes crashes when reading /sys/kernel/mm/page_idle/bitmap
(i.e. CONFIG_IDLE_PAGE_TRACKING=y) when highmem is disabled. pfn_valid()
will compare against max_mapnr which is derived from max_low_pfn when
there is no highend_pfn set up, and will return true for PFNs right up
to HIGHMEM_START, even though they are beyond the end of low memory and
no page structs will actually exist for these PFNs.

This is fixed by skipping high memory regions when initially calculating
max_low_pfn if highmem is disabled, so it doesn't get clipped too high.
We also clip regions which overlap the highmem boundary when highmem is
disabled, so that max_pfn doesn't extend into highmem either.

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14490/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:45:22 +01:00
Maciej W. Rozycki f92722dc45 MIPS: Correct MIPS I FP sigcontext layout
Complement commit 80cbfad790 ("MIPS: Correct MIPS I FP context
layout") and correct the way Floating Point General registers are stored
in a signal context with MIPS I hardware.

Use the S.D and L.D assembly macros to have pairs of SWC1 instructions
and pairs of LWC1 instructions produced, respectively, in an arrangement
which makes the memory representation of floating-point data passed
compatible with that used by hardware SDC1 and LDC1 instructions, where
available, regardless of the hardware endianness used.  This matches the
layout used by r4k_fpu.S, ensuring run-time compatibility for MIPS I
software across all o32 hardware platforms.

Define an EX2 macro to handle exceptions from both hardware instructions
implicitly produced from S.D and L.D assembly macros.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14477/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:39:23 +01:00
Maciej W. Rozycki 758ef0a939 MIPS: Fix ISA I/II FP signal context offsets
Fix a regression introduced with commit 2db9ca0a35 ("MIPS: Use struct
mips_abi offsets to save FP context") for MIPS I/I FP signal contexts,
by converting save/restore code to the updated internal API.  Start FGR
offsets from 0 rather than SC_FPREGS from $a0 and use $a1 rather than
the offset of SC_FPC_CSR from $a0 for the Floating Point Control/Status
Register (FCSR).

Document the new internal API and adjust assembly code formatting for
consistency.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14476/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:52 +01:00
Maciej W. Rozycki 6daaa3266d MIPS: Remove FIR from ISA I FP signal context
Complement commit e50c0a8fa6 ("Support the MIPS32 / MIPS64 DSP ASE.")
and remove the Floating Point Implementation Register (FIR) from the FP
register set recorded in a signal context with MIPS I processors too, in
line with the change applied to r4k_fpu.S.

The `sc_fpc_eir' slot is unused according to our current ABI and the FIR
register is read-only and always directly accessible from user software.

[ralf@linux-mips.org: This is also required because the next commit depends
on it.]

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14475/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:50 +01:00
Maciej W. Rozycki 35938a00ba MIPS: Fix ISA I FP sigcontext access violation handling
Complement commit 0ae8dceaebe3 ("Merge with 2.3.10.") and use the local
`fault' handler to recover from FP sigcontext access violation faults,
like corresponding code does in r4k_fpu.S.  The `bad_stack' handler is
in syscall.c and is not suitable here as we want to propagate the error
condition up through the caller rather than killing the thread outright.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14474/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:38:41 +01:00
Maciej W. Rozycki 5a1aca4469 MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
Sanitize FCSR Cause bit handling, following a trail of past attempts:

* commit 4249548454 ("MIPS: ptrace: Fix FP context restoration FCSR
regression"),

* commit 443c44032a ("MIPS: Always clear FCSR cause bits after
emulation"),

* commit 64bedffe49 ("MIPS: Clear [MSA]FPE CSR.Cause after
notify_die()"),

* commit b1442d39fa ("MIPS: Prevent user from setting FCSR cause
bits"),

* commit b54d2901517d ("Properly handle branch delay slots in connection
with signals.").

Specifically do not mask these bits out in ptrace(2) processing and send
a SIGFPE signal instead whenever a matching pair of an FCSR Cause and
Enable bit is seen as execution of an affected context is about to
resume.  Only then clear Cause bits, and even then do not clear any bits
that are set but masked with the respective Enable bits.  Adjust Cause
bit clearing throughout code likewise, except within the FPU emulator
proper where they are set according to IEEE 754 exceptions raised as the
operation emulated executed.  Do so so that any IEEE 754 exceptions
subject to their default handling are recorded like with operations
executed by FPU hardware.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14460/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:28:41 +01:00
Maciej W. Rozycki c9e5603974 MIPS: ptrace: Also initialize the FP context on individual FCSR writes
Complement commit ac9ad83bc3 ("MIPS: prevent FP context set via ptrace
being discarded") and also initialize the FP context whenever FCSR alone
is written with a PTRACE_POKEUSR request addressing FPC_CSR, rather than
along with the full FPU register set in the case of the PTRACE_SETFPREGS
request.

Signed-off-by: Maciej W. Rozycki <macro@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14459/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:28:17 +01:00
James Hogan 8a98495c70 MIPS: dump_tlb: Fix printk continuations
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from TLB dumps on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Continuation is also used for the second line of each TLB entry printed
in dump_tlb.c even though it has a newline, since it is a continuation
of the interpretation of the same TLB entry. For example:

[   46.371884] Index:  0 pgmask=16kb va=77654000 asid=73 gid=00
        [ri=0 xi=0 pa=ffc18000 c=5 d=0 v=1 g=0] [ri=0 xi=0 pa=ffc1c000 c=5 d=0 v=1 g=0]
[   46.385380] Index: 12 pgmask=16kb va=004b4000 asid=73 gid=00
        [ri=0 xi=0 pa=00000000 c=0 d=0 v=0 g=0] [ri=0 xi=0 pa=ffb00000 c=5 d=1 v=1 g=0]

Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14444/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:04:32 +01:00
Paul Burton 752f549982 MIPS: Fix __show_regs() output
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from __show_regs() on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected register output.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14432/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:01:20 +01:00
Matt Redfearn 41000c5819 MIPS: traps: Fix output of show_code
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_code on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14431/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 01:00:49 +01:00
Matt Redfearn fe4e09e701 MIPS: traps: Fix output of show_stacktrace
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_stacktrace on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output. Also
start a new line with printk such that the presence of timing
information does not interfere with output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14430/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:58:57 +01:00
Matt Redfearn bcf084de5d MIPS: traps: Fix output of show_backtrace
Since commit 4bcc595ccd ("printk: reinstate KERN_CONT for printing
continuation lines") the output from show_backtrace on MIPS has been
pretty unreadable due to the lack of KERN_CONT markers. Use pr_cont to
provide the appropriate markers & restore the expected output.

Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: Maciej W. Rozycki <macro@imgtec.com>
Cc: James Hogan <james.hogan@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14429/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:57:51 +01:00
Matt Redfearn 818f38c5b7 MIPS: Fix build of compressed image
Changes introduced to arch/mips/Makefile for the generic kernel resulted
in build errors when making a compressed image if platform-y has multiple
values, like this:

make[2]: *** No rule to make target `alchemy/'.
make[1]: *** [vmlinuz] Error 2
make[1]: Target `_all' not remade because of errors.
make: *** [sub-make] Error 2
make: Target `_all' not remade because of errors.

Fix this by quoting $(platform-y) as it is passed to the Makefile in
arch/mips/boot/compressed/Makefile

Reported-by: kernelci.org bot <bot@kernelci.org>
Link: https://storage.kernelci.org/next/next-20161017/mips-gpr_defconfig/build.log
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14405/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:37:15 +01:00
Matt Redfearn 9a59061cfd MIPS: generic: Fix KASLR for generic kernel.
The KASLR code requires that the plat_get_fdt() function return the
address of the device tree, and it must be available early in the boot,
before prom_init() is called. Move the code determining the address of
the device tree into plat_get_fdt, and call that from prom_init().

The fdt pointer will be set up by plat_get_fdt() called from
relocate_kernel initially and once the relocated kernel has started,
prom_init() will use it again to determine the address in the relocated
image.

Fixes: eed0eabd12 ("MIPS: generic: Introduce generic DT-based board support")
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Reviewed-by: Paul Burton <paul.burton@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14415/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:32:06 +01:00
Matt Redfearn 4736697963 MIPS: KASLR: Fix handling of NULL FDT
If platform code returns a NULL pointer to the FDT, initial_boot_params
will not get set to a valid pointer and attempting to find the /chosen
node in it will cause a NULL pointer dereference and the kernel to crash
immediately on startup - with no output to the console.

Fix this by checking that initial_boot_params is valid before using it.

Fixes: 405bc8fd12 ("MIPS: Kernel: Implement KASLR using CONFIG_RELOCATABLE")
Cc: stable@vger.kernel.org # 4.7+
Signed-off-by: Matt Redfearn <matt.redfearn@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: linux-kernel@vger.kernel.org
Patchwork: https://patchwork.linux-mips.org/patch/14414/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:30:49 +01:00
Paul Burton 93032e31a5 MIPS: Malta: Fixup reboot
Commit 10b6ea0959 ("MIPS: Malta: Use syscon-reboot driver to reboot")
converted the Malta board to use the generic syscon-reboot driver to
handle reboots, but incorrectly used the value 0x4d rather than 0x42 as
the magic to write to the reboot register.

I also incorrectly believed that syscon/regmap would default to native
endianness, but this isn't the case. Force this by specifying with a
native-endian property in the devicetree.

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Fixes: 10b6ea0959 ("MIPS: Malta: Use syscon-reboot driver to reboot")
Reported-by: Guenter Roeck <linux@roeck-us.net>
Cc: linux-mips@linux-mips.org
Tested-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Maciej W. Rozycki <macro@imgtec.com>
Patchwork: https://patchwork.linux-mips.org/patch/14396/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:27:27 +01:00
Paul Burton 682c1e5221 MIPS: CPC: Provide default mips_cpc_default_phys_base to ignore CPC
Provide a default implementation of mips_cpc_default_phys_base() which
simply returns 0, and adjust mips_cpc_phys_base() to allow for
mips_cpc_default_phys_base() returning 0. This allows kernels which
include CPC support to be built without platform code & simply ignore
the CPC if it wasn't already enabled by the bootloader.

This fixes link failures such as the following from generic defconfigs:

   arch/mips/built-in.o: In function `mips_cpc_phys_base':
   arch/mips/kernel/mips-cpc.c:47: undefined reference to `mips_cpc_default_phys_base'

[ralf@linux-mips.org: changed prototype for coding style compliance.]

Signed-off-by: Paul Burton <paul.burton@imgtec.com>
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/14401/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2016-11-04 00:17:46 +01:00
Oliver Neukum cf0ea4da4c HID: usbhid: add ATEN CS962 to list of quirky devices
Like many similar devices it needs a quirk to work.
Issuing the request gets the device into an irrecoverable state.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
CC: stable@vger.kernel.org
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-11-03 12:23:01 -06:00
Borislav Petkov 1793e1c521 HID: intel-ish-hid: Fix !CONFIG_PM build warning
Fix

  drivers/hid/intel-ish-hid/ipc/pci-ish.c:247:12: warning: ‘ish_suspend’ defined but not used [-Wunused-function]
   static int ish_suspend(struct device *device)
              ^
  drivers/hid/intel-ish-hid/ipc/pci-ish.c:282:12: warning: ‘ish_resume’ defined but not used [-Wunused-function]
   static int ish_resume(struct device *device)
            ^
by sticking them in the CONFIG_PM range too.

Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: Wei Yongjun <weiyongjun1@huawei.com>
Cc: linux-input@vger.kernel.org
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-11-03 12:12:09 -06:00
Srinivas Pandruvada 5459ada2b3 HID: sensor-hub: Fix packing of result buffer for feature report
When report count is more than one and report size is not 4 bytes, then we
need some packing into result buffer from the caller of function
sensor_hub_get_feature.
By default the value extracted from a field is 4 bytes from hid core
(using hid_hw_request(hsdev->hdev, report, HID_REQ_GET_REPORT)), even
if report size if less than 4 byte. So when we copy data to user buffer in
sensor_hub_get_feature, we need to only copy report size bytes even
when report count is more than 1. This is
not an issue for most of the sensor hub fields as report count will be 1
where we already copy only report size bytes, but some string fields
like description, it is a problem as the report count will be more than 1.
For example:
    Field(6)
      Physical(Sensor.OtherCustom)
      Application(Sensor.Sensor)
      Usage(11)
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
        Sensor.0306
      Report Size(16)
      Report Count(11)

Here since the report size is 2 bytes, we will have 2 additional bytes of
0s copied into user buffer, if we directly copy to user buffer from
report->field[]->value

This change will copy report size bytes into the buffer of caller for each
usage report->field[]->value. So for example without this change, the
data displayed for a custom sensor field "sensor-model":

76 00 101 00 110 00 111 00 118 00 111
(truncated to report count of 11)

With change

76 101 110 111 118 111 32 89 111 103 97
("Lenovo Yoga" in ASCII )

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2016-11-03 12:08:43 -06:00
Alexey Brodkin a79a812131 arc: Implement arch-specific dma_map_ops.mmap
We used to use generic implementation of dma_map_ops.mmap which is
dma_common_mmap() but that only worked for simpler cached mappings when
vaddr = paddr.

If a driver requests uncached DMA buffer kernel maps it to virtual
address so that MMU gets involved and page uncached status takes into
account. In that case usage of dma_common_mmap() lead to mapping of
vaddr to vaddr for user-space which is obviously wrong. For more detals
please refer to verbose explanation here [1].

So here we implement our own version of mmap() which always deals
with dma_addr and maps underlying memory to user-space properly
(note that DMA buffer mapped to user-space is always uncached
because there's no way to properly manage cache from user-space).

[1] https://lkml.org/lkml/2016/10/26/973

Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Cc: <stable@vger.kernel.org>  #4.5+
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
2016-11-03 10:01:07 -07:00
Stefan Richter e9300a4b7b firewire: net: fix fragmented datagram_size off-by-one
RFC 2734 defines the datagram_size field in fragment encapsulation
headers thus:

    datagram_size:  The encoded size of the entire IP datagram.  The
    value of datagram_size [...] SHALL be one less than the value of
    Total Length in the datagram's IP header (see STD 5, RFC 791).

Accordingly, the eth1394 driver of Linux 2.6.36 and older set and got
this field with a -/+1 offset:

    ether1394_tx() /* transmit */
        ether1394_encapsulate_prep()
            hdr->ff.dg_size = dg_size - 1;

    ether1394_data_handler() /* receive */
        if (hdr->common.lf == ETH1394_HDR_LF_FF)
            dg_size = hdr->ff.dg_size + 1;
        else
            dg_size = hdr->sf.dg_size + 1;

Likewise, I observe OS X 10.4 and Windows XP Pro SP3 to transmit 1500
byte sized datagrams in fragments with datagram_size=1499 if link
fragmentation is required.

Only firewire-net sets and gets datagram_size without this offset.  The
result is lacking interoperability of firewire-net with OS X, Windows
XP, and presumably Linux' eth1394.  (I did not test with the latter.)
For example, FTP data transfers to a Linux firewire-net box with max_rec
smaller than the 1500 bytes MTU
  - from OS X fail entirely,
  - from Win XP start out with a bunch of fragmented datagrams which
    time out, then continue with unfragmented datagrams because Win XP
    temporarily reduces the MTU to 576 bytes.

So let's fix firewire-net's datagram_size accessors.

Note that firewire-net thereby loses interoperability with unpatched
firewire-net, but only if link fragmentation is employed.  (This happens
with large broadcast datagrams, and with large datagrams on several
FireWire CardBus cards with smaller max_rec than equivalent PCI cards,
and it can be worked around by setting a small enough MTU.)

Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2016-11-03 14:46:39 +01:00
Stefan Richter 667121ace9 firewire: net: guard against rx buffer overflows
The IP-over-1394 driver firewire-net lacked input validation when
handling incoming fragmented datagrams.  A maliciously formed fragment
with a respectively large datagram_offset would cause a memcpy past the
datagram buffer.

So, drop any packets carrying a fragment with offset + length larger
than datagram_size.

In addition, ensure that
  - GASP header, unfragmented encapsulation header, or fragment
    encapsulation header actually exists before we access it,
  - the encapsulated datagram or fragment is of nonzero size.

Reported-by: Eyal Itkin <eyal.itkin@gmail.com>
Reviewed-by: Eyal Itkin <eyal.itkin@gmail.com>
Fixes: CVE 2016-8633
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
2016-11-03 14:46:39 +01:00
Linus Torvalds 8243d55977 sched/core: Remove pointless printout in sched_show_task()
In sched_show_task() we print out a useless hex number, not even a
symbol, and there's a big question mark whether this even makes sense
anyway, I suspect we should just remove it all.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: bp@alien8.de
Cc: brgerst@gmail.com
Cc: jann@thejh.net
Cc: keescook@chromium.org
Cc: linux-api@vger.kernel.org
Cc: tycho.andersen@canonical.com
Link: http://lkml.kernel.org/r/CA+55aFzphURPFzAvU4z6Moy7ZmimcwPuUdYU8bj9z0J+S8X1rw@mail.gmail.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-11-03 07:31:34 +01:00
Tetsuo Handa 382005027f sched/core: Fix oops in sched_show_task()
When CONFIG_THREAD_INFO_IN_TASK=y, it is possible that an exited thread
remains in the task list after its stack pointer was already set to NULL.

Therefore, thread_saved_pc() and stack_not_used() in sched_show_task()
will trigger NULL pointer dereference if an attempt to dump such thread's
traces (e.g. SysRq-t, khungtaskd) is made.

Since show_stack() in sched_show_task() calls try_get_task_stack() and
sched_show_task() is called from interrupt context, calling
try_get_task_stack() from sched_show_task() will be safe as well.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Andy Lutomirski <luto@kernel.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: bp@alien8.de
Cc: brgerst@gmail.com
Cc: jann@thejh.net
Cc: keescook@chromium.org
Cc: linux-api@vger.kernel.org
Cc: tycho.andersen@canonical.com
Link: http://lkml.kernel.org/r/201611021950.FEJ34368.HFFJOOMLtQOVSF@I-love.SAKURA.ne.jp
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2016-11-03 07:27:34 +01:00
Dave Airlie 7ec30fca2c Merge tag 'drm-intel-fixes-2016-11-01' of git://anongit.freedesktop.org/drm-intel into drm-fixes
batch of scattered i915 fixes.

* tag 'drm-intel-fixes-2016-11-01' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: Fix SKL+ 90/270 degree rotated plane coordinate computation
  drm/i915: Remove two invalid warns
  drm/i915: Rotated view does not need a fence
  drm/i915/fbc: fix CFB size calculation for gen8+
  drm: i915: Wait for fences on new fb, not old
  drm/i915: Clean up DDI DDC/AUX CH sanitation
  drm/i915: Respect alternate_aux_channel for all DDI ports
  drm/i915/gen9: fix watermarks when using the pipe scaler
  drm/i915: Fix mismatched INIT power domain disabling during suspend
  drm/i915: fix a read size argument
  drm/i915: Use fence_write() from rpm resume
  drm/i915/gen9: fix DDB partitioning for multi-screen cases
  drm/i915: workaround sparse warning on variable length arrays
  drm/i915: keep declarations in i915_drv.h
2016-11-03 10:18:20 +10:00
Dave Airlie e676717a12 imx-drm plane, build warning, and error handling fixes
- some fixes for active plane reconfiguration support
 - hide unused label in case of disabled CONFIG_DRM_FBDEV_EMULATION,
   which caused a build warning
 - fixed error handling in imx_drm_bind
 - disallow odd x/y plane offsets for chroma subsampled formats
 - disable local alpha when switching from a format with alpha
   channel to an opaque format
 -----BEGIN PGP SIGNATURE-----
 
 iQI0BAABCAAeBQJYCbk/FxxwLnphYmVsQHBlbmd1dHJvbml4LmRlAAoJEFDCiBxw
 nmDrGMYQAJMx6LoCTJ7hfr59R4IvmST0tRcVTKO4Grux8JPfu7WtDaFNhfew4ltA
 Nt38lbawzBBJ3jmbayGzpHmeEDdZh8T0LbYqzqWNRjergQ5V0qCXcxLKuvrRW9NC
 H0QmJmbiZm9EDani7Xh1yOF51n1g37FVq7+qROr9J7oHz/xjJw523XwSiLAR9pgs
 QMmw5zrPNqu93pRCLtm5/4puVMOYQfHmE8l8WYV2zIvjck1D+rkRFv5+DJwpDZjO
 jpvq3ZrHSFHM12wk0S5jsLUwFs2cqHb16ETitGP9gB7MnkPZ7qwgTTfio3JDpuL8
 orKpTcjDPVxPfVmbS5Hv/iNNq8YMz1VrJNp7y/ZCgTqNl/877f9nmeHKXdolMWMc
 xN5gDrd0atzHJKhsxp6bOYDhp861C1Nm+gtuNs2lRHsKANUa9SKh+gcyEC+CfqaU
 PdKx0E0lQcjjWjW2UYseQmjePjIclPzgCw1V6PHJOkOFBz8wQm8EHH4BcqBsx2zP
 v/ew3s/dk00IWi6e6/M7/hDM2vgXGIvw1AV8FHqMcBgSs/4GqVbGxJF+HIDqTX5s
 257nDdm+23eA8yvg+XbtYqlP0G7r7XV1KQLiMoFNJEj8+OjFfHPotphhX0kh8eWu
 quhY4yKlrOrzrm7wrCEOXhfwSfKhO4BF1lgh3jzqKzfWYtckgXOh
 =lgaf
 -----END PGP SIGNATURE-----

Merge tag 'imx-drm-fixes-20161021' of git://git.pengutronix.de/pza/linux into drm-fixes

imx-drm plane, build warning, and error handling fixes

- some fixes for active plane reconfiguration support
- hide unused label in case of disabled CONFIG_DRM_FBDEV_EMULATION,
  which caused a build warning
- fixed error handling in imx_drm_bind
- disallow odd x/y plane offsets for chroma subsampled formats
- disable local alpha when switching from a format with alpha
  channel to an opaque format

* tag 'imx-drm-fixes-20161021' of git://git.pengutronix.de/pza/linux:
  drm/imx: ipuv3-plane: disable local alpha for planes without alpha channel
  drm/imx: ipuv3-plane: make sure x/y offsets are even in case of chroma subsampling
  drm/imx: ipuv3-plane: Access old u/vbo properly in ->atomic_check for YU12/YV12
  drm/imx: drm_dev_alloc() returns error pointers
  drm/imx: ipuv3-plane: Skip setting u/vbo only when we don't need modeset
  drm/imx: ipuv3-plane: Switch EBA buffer only when we don't need modeset
  gpu: ipu-v3: Use ERR_CAST instead of ERR_PTR(PTR_ERR())
  drm/imx: hide an unused label
2016-11-03 10:17:50 +10:00
Gerd Hoffmann eed6f0eda0 virtio-gpu: fix vblank events
virtio-gpu sends vblank events in virtio_gpu_crtc_atomic_flush, and
because of that it must be called for disabled planes too.  Ask
drm_atomic_helper_commit_planes to do that.

v2: update to use new drm_atomic_helper_commit_planes() API.

Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2016-11-03 10:14:19 +10:00
Helge Deller 18088db042 parisc: Ignore the pkey system calls for now
Signed-off-by: Helge Deller <deller@gmx.de>
2016-11-02 23:07:14 +01:00
Helge Deller 6a6e2a14bb parisc: Use LINUX_GATEWAY_ADDR define instead of hardcoded value
LINUX_GATEWAY_ADDR is defined in unistd.h. Let's use it.

Signed-off-by: Helge Deller <deller@gmx.de>
2016-11-02 23:06:38 +01:00
John David Anglin 6ed518328d parisc: Ensure consistent state when switching to kernel stack at syscall entry
We have one critical section in the syscall entry path in which we switch from
the userspace stack to kernel stack. In the event of an external interrupt, the
interrupt code distinguishes between those two states by analyzing the value of
sr7. If sr7 is zero, it uses the kernel stack. Therefore it's important, that
the value of sr7 is in sync with the currently enabled stack.

This patch now disables interrupts while executing the critical section.  This
prevents the interrupt handler to possibly see an inconsistent state which in
the worst case can lead to crashes.

Interestingly, in the syscall exit path interrupts were already disabled in the
critical section which switches back to the userspace stack.

Cc: <stable@vger.kernel.org>
Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
2016-11-02 23:05:30 +01:00
John David Anglin f4125cfdb3 parisc: Avoid trashing sr2 and sr3 in LWS code
There is no need to trash sr2 and sr3 in the Light-weight syscall (LWS).  sr2
already points to kernel space (it's zero in userspace, otherwise syscalls
wouldn't work), and since the LWS code is executed in userspace, we can simply
ignore to preload sr3.

Signed-off-by: John David Anglin <dave.anglin@bell.net>
Signed-off-by: Helge Deller <deller@gmx.de>
2016-11-02 23:05:11 +01:00
Helge Deller 6f63d0f6be parisc: use KERN_CONT when printing device inventory
Recent changes to printk require KERN_CONT uses to continue logging messages.
So add KERN_CONT to output of device inventory.

Signed-off-by: Helge Deller <deller@gmx.de>
2016-11-02 23:04:46 +01:00
Owen Hofmann d9092f52d7 kvm: x86: Check memopp before dereference (CVE-2016-8630)
Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a
check for non-NULL under incorrect assumptions. An undefined instruction
with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt
to dereference a null pointer here.

Fixes: 41061cdb98
Message-Id: <1477592752-126650-2-git-send-email-osh@google.com>
Signed-off-by: Owen Hofmann <osh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-11-02 21:31:53 +01:00
Jim Mattson 355f4fb140 kvm: nVMX: VMCLEAR an active shadow VMCS after last use
After a successful VM-entry with the "VMCS shadowing" VM-execution
control set, the shadow VMCS referenced by the VMCS link pointer field
in the current VMCS becomes active on the logical processor.

A VMCS that is made active on more than one logical processor may become
corrupted. Therefore, before an active VMCS can be migrated to another
logical processor, the first logical processor must execute a VMCLEAR
for the active VMCS. VMCLEAR both ensures that all VMCS data are written
to memory and makes the VMCS inactive.

Signed-off-by: Jim Mattson <jmattson@google.com>
Reviewed-By: David Matlack <dmatlack@google.com>
Message-Id: <1477668579-22555-1-git-send-email-jmattson@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-11-02 20:03:17 +01:00
Paolo Bonzini ea26e4ec08 KVM: x86: drop TSC offsetting kvm_x86_ops to fix KVM_GET/SET_CLOCK
Since commit a545ab6a00 ("kvm: x86: add tsc_offset field to struct
kvm_vcpu_arch", 2016-09-07) the offset between host and L1 TSC is
cached and need not be fished out of the VMCS or VMCB.  This means
that we can implement adjust_tsc_offset_guest and read_l1_tsc
entirely in generic code.  The simplification is particularly
significant for VMX code, where vmx->nested.vmcs01_tsc_offset
was duplicating what is now in vcpu->arch.tsc_offset.  Therefore
the vmcs01_tsc_offset can be dropped completely.

More importantly, this fixes KVM_GET_CLOCK/KVM_SET_CLOCK
which, after commit 108b249c45 ("KVM: x86: introduce get_kvmclock_ns",
2016-09-01) called read_l1_tsc while the VMCS was not loaded.
It thus returned bogus values on Intel CPUs.

Fixes: 108b249c45
Reported-by: Roman Kagan <rkagan@virtuozzo.com>
Reviewed-by: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2016-11-02 20:03:07 +01:00
Sylwester Nawrocki a451332042 ASoC: samsung: spdif: Fix DMA filter initialization
This patch fixes issues introduced in commit 73f5dfc683
"ASoC: samsung: get access to DMA engine early to defer probe properly"
and indicated by a following compilation warning:

  CC [M]  sound/soc/samsung/spdif.o
sound/soc/samsung/spdif.c: In function ‘spdif_probe’:
sound/soc/samsung/spdif.c:419:6: warning: ‘filter’ may be used uninitialized
in this function [-Wuninitialized]

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
2016-11-02 09:15:27 -06:00
Rob Clark 67cba0fbb4 drm/msm/mdp5: 8x16 actually has 8 mixer stages
Signed-off-by: Rob Clark <robdclark@gmail.com>
2016-11-02 10:50:10 -04:00
Rob Clark 07cd2e3626 drm/msm/mdp5: no scaling support on RGBn pipes for 8x16
Looks like cut/paste error from the other device cfgs (which do support
scaling on RGBn pipes).

Signed-off-by: Rob Clark <robdclark@gmail.com>
2016-11-02 10:49:43 -04:00
Rob Clark 31e4801aa2 drm/msm/mdp5: handle non-fullscreen base plane case
If the bottom-most layer is not fullscreen, we need to use the BASE
mixer stage for solid fill (ie. MDP5_CTL_BLEND_OP_FLAG_BORDER_OUT).  The
blend_setup() code pretty much handled this already, we just had to
figure this out in _atomic_check() and assign the stages appropriately.

Also fix the case where there are zero enabled planes, where we also
need to enable BORDER_OUT.

Signed-off-by: Rob Clark <robdclark@gmail.com>
2016-11-02 10:49:33 -04:00
Archit Taneja 73b65b1970 drm/msm: Set CLK_IGNORE_UNUSED flag for PLL clocks
The DSI/HDMI PLLs in MSM require resources like interface clocks, power
domains to be enabled before we can access their registers.

The clock framework doesn't have a mechanism at the moment where we can
tie such resources to a clock, so we make sure that the KMS driver enables
these resources whenever a PLL is expected to be in use.

One place where we can't ensure the resource dependencies are met is when
the clock framework tries to disable unused clocks. The KMS driver doesn't
know when the clock framework calls the is_enabled clk_op, and hence can't
enable interface clocks/power domains beforehand.

We set the CLK_IGNORE_UNUSED flag for PLL clocks for now. This needs to be
revisited, since bootloaders can enable display, and we would want to
disable the PLL clocks if there isn't a display driver using them.

Cc: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Acked-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2016-11-02 10:48:09 -04:00
Archit Taneja 8d23ea4030 drm/msm/dsi: Queue HPD helper work in attach/detach callbacks
The msm/dsi host drivers calls drm_helper_hpd_irq_event in the
mipi_dsi_host attach/detatch callbacks.

mipi_dsi_attach()/mipi_dsi_detach() from a panel/bridge
driver could be called from a context where the drm_device's
mode_config.mutex is already held, resulting in a deadlock.
Queue it as work instead.

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2016-11-02 10:48:09 -04:00
Johan Hovold ceb75787bc PM / sleep: fix device reference leak in test_suspend
Make sure to drop the reference taken by class_find_device() after
opening the RTC device.

Fixes: 77437fd4e6 (pm: boot time suspend selftest)
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
2016-11-02 05:10:04 +01:00