Pull crypto fixes from Herbert Xu:
"This fixes the following issues:
- memory corruption when kmalloc fails in xts/lrw
- mark some CCP DMA channels as private
- fix reordering race in padata
- regression in omap-rng DT description"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: xts,lrw - fix out-of-bounds write after kmalloc failure
crypto: ccp - Make some CCP DMA channels private
padata: avoid race in reordering
dt-bindings: rng: clocks property on omap_rng not always mandatory
At this time, most of changes are for ASoC, while we got one fix for
yet another race of ALSA sequencer core and a usual HD-audio quirk.
The ASoC changes are mostly small and device-specific fixes. A
slightly large volume is seen in sun8i-codec, which is a new code in
4.11, and we'd like to fix user-visible stuff before the official 4.1
release.
-----BEGIN PGP SIGNATURE-----
iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAljeLGMOHHRpd2FpQHN1
c2UuZGUACgkQbDGAVD0pKaSqhhAArkaOfZ/5Dz+ejvjhvYO/usH0eTEmi6KaE/Ra
5Vl7WrnixcpXvIu6MwDJCcgCMuayJ83K3GC3PoER9FPXSJJAiowzmDRRuTfUzyQP
JzgR9DPuRrbk+ErOn/gK1P1PHVQjMXB5U+L67oV+FTbcqdATQGVQqDqaQH+jX9MD
ymMzrd0hR6gFbxKFCO5Pg+BQIyIo7ZzrD8hYHsvFKA5i/NIxQFHvnae2NzBytn8Q
NnXbBN6Cnf3h6M/+oYnW5FQ4Ik6jhH4iuXe2XrGY03NoN5t2eXe1247bK3ty/9i+
OCBwuFDadOnfkABr0xDMZGaCrbdMdUlh78SLEapszcuTvNrnW3zbul9WXIrDO/tn
MfRJwfAcoc7FzhmrFSGlicNAqUFMU5HkO7atQyu/FafN3Q5vUhV1+yVZKZsXbJm/
pOxOSdt2PCQeA8WZhT5GoP8uPTyu+EW4wU93Gy1Fj1YjmkYh65kmDQRCHTZu6l7u
T/hZtBrQDkalExxGVGkrIG6P3Fi+g/ztBIM70XkxAIVLclKOru+ghwNt0ru0ltOb
ayr01QdLlSAx1MCvHnWvQmNIyPvKJKAOz8geBtY0fEXdrivnYv9nSXbXyq+SXYfk
4sTDbgo9+VUHv8LO3K/BDUqcpaES4bgHIFbS7IO3hqL7t6xdR5+QtwDr+GAJV27e
P5NHP4s=
=qutY
-----END PGP SIGNATURE-----
Merge tag 'sound-4.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"At this time, most of changes are for ASoC, while we got one fix for
yet another race of ALSA sequencer core and a usual HD-audio quirk.
The ASoC changes are mostly small and device-specific fixes. A
slightly large volume is seen in sun8i-codec, which is a new code in
4.11, and we'd like to fix user-visible stuff before the official 4.1
release"
* tag 'sound-4.11-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (27 commits)
ALSA: hda - fix a problem for lineout on a Dell AIO machine
ASoC: simple-card: fix simple_dai clk lookup
ASoC: STI: Fix reader substream pointer set
ALSA: seq: Fix race during FIFO resize
ARM: dts: sun8i: Update audio-routing with renamed widgets
ASoC: sun8i-codec: Convert to use SND_SOC_DAPM_AIF_IN
ASoC: sun8i-codec: Fix space on audio-routing widget
ASoC: sun8i-codec: Update mixer to use SOC_DAPM_DOUBLE
ASoC: sun8i-codec: Remove analog "HP" widget
ASoC: rt5665: fix wrong shift rt5665_if2_1_adc_in_enum
ASoC: rt5665: fix define of RT5665_HP_DRIVER_5X
ASoC: rcar: dma: remove unnecessary "volatile"
ASoC: rcar: clear DE bit only in PDMACHCR when it stops
ASoC: rsnd: fix sound route path when using SRC6/SRC9
ASoC: don't dereference NULL pcm_{new,free}
ASoC: rt5665: CLKDET is also a power of ASRC
ASoC: rt5665: Vref3 is necessary for Mono Amp
ASoC: rt5665: increase LDO level
ASoC: rt5665: fix getting wrong work handler container
ASoC: atmel-classd: fix audio clock rate
...
Pull HID fixes from Jiri Kosina:
- Wacom regression fixes, from Aaron Armstrong Skomra
- new device ID addition by Peter Stein
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: wacom: call _query_tablet_data() for BAMBOO_TOUCH
HID: wacom: Don't add ghost interface as shared data
HID: xinmo: fix for out of range for THT 2P arcade controller.
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJY3gYlAAoJEAx081l5xIa+aCIP/0IaulWIRbmE4qj6A5RA9X2z
sMx0L8Ok25s+Q2bzoH4KOZqt9DJW01EllLAi1jUtZpLQ6rI4JX6PiNKs160HadkU
vH0/5m4w+PxFu/g4QapUacsUxUqrrZLkR5dmQGILTXl06Vj6mcHPeou4VpEydH/1
BfQcIC2JF9lG8Xmo02C9OnCbslXIZE+aLnjIWCQJ0Ms6yHFQc4fjAwCsIMygjyxS
KLOgK3UOcQ38cOXnunq6sCx+zrcEMO/1pNGsi/qVFzzoEZ5ZV4Awdb6NFspmfPGJ
n2JjnKZWttVYRhZnnNiUcU0a9vPCx23NZD1gDo8IK0PtOZLJTzxNlLjjdv2LEfto
FsXrfi5GQe3kdCp3g/8jiDjH4PpmmZ+n7AdKUfLM+iO0xj2K/Xd6z/PkDcqxXqam
AuQF3C4SoCtbQ9LE4zb0Ja55uPE6NiX8hIM4IJYwO2ZgALuSgOTyGY+3npewcKJE
wFgaEamd7TG2id+jcbzVZXWsFgZCD5Y9kJfnUhFDH4SOxCs6dPgPw3BMBfL1H/2b
2uzrkDxsOqNl1JHUjDoW60T3yl2YwMxId1t8qNmNESvCrw9P2SwB3aG2Ir2IFEc4
pK9WBKj1pOXH/lSRMAQCQh8Lnb1UP311kFMz8scjhVxPOL+IlyfXWukNMj5ULi78
OeYCnnBc0+wdZ9jUX26E
=Hq4M
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-for-v4.11-rc5' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"Seems to be quietening down, which means someone will make a liar of
me for rc6.
Just one vc4, one etnvaiv, one radeon, and a few i915 GVT fixes, and
one i915 normal fixes"
* tag 'drm-fixes-for-v4.11-rc5' of git://people.freedesktop.org/~airlied/linux:
drm/vc4: Allocate the right amount of space for boot-time CRTC state.
drm/etnaviv: (re-)protect fence allocation with GPU mutex
drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
drm/i915: Restore marking context objects as dirty on pinning
drm/i915/gvt: Use force single submit flag to distinguish gvt request from i915 request
drm/i915/gvt: set shadow entry to scratch page while p2m failed
drm/i915/gvt: Fix guest fail to read EDID leading to black guest console issue.
drm/i915/gvt: fix wrong offset when loading RCS mocs
drm/i915/gvt: add write handler for mmio mbctl
drm/i915/kvmgt: Hold struct kvm reference
On this Dell AIO machine, the lineout jack does not work.
We found the pin 0x1a is assigned to lineout on this machine, and in
the past, we applied ALC298_FIXUP_DELL1_MIC_NO_PRESENCE to fix the
heaset-set mic problem for this machine, this fixup will redefine
the pin 0x1a to headphone-mic, as a result the lineout doesn't
work anymore.
After consulting with Dell, they told us this machine doesn't support
microphone via headset jack, so we add a new fixup which only defines
the pin 0x18 as the headset-mic.
[rearranged the fixup insertion position by tiwai in order to make the
merge with other branches easier -- tiwai]
Fixes: 59ec4b57bc ("ALSA: hda - Fix headset mic detection problem for two dell machines")
Cc: <stable@vger.kernel.org>
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Just one vc4 fix from Eric, cc: stable
* tag 'drm-misc-fixes-2017-03-31' of git://anongit.freedesktop.org/git/drm-misc:
drm/vc4: Allocate the right amount of space for boot-time CRTC state.
drm/i915 fixes for v4.11-rc5
* tag 'drm-intel-fixes-2017-03-29' of git://anongit.freedesktop.org/git/drm-intel:
drm/i915: Restore marking context objects as dirty on pinning
drm/i915/gvt: Use force single submit flag to distinguish gvt request from i915 request
drm/i915/gvt: set shadow entry to scratch page while p2m failed
drm/i915/gvt: Fix guest fail to read EDID leading to black guest console issue.
drm/i915/gvt: fix wrong offset when loading RCS mocs
drm/i915/gvt: add write handler for mmio mbctl
drm/i915/kvmgt: Hold struct kvm reference
One small fix for radeon.
* 'drm-fixes-4.11' of git://people.freedesktop.org/~agd5f/linux:
drm/radeon: Override fpfn for all VRAM placements in radeon_evict_flags
a single fix to keep fence seqnos of completed jobs monotonically
increasing, as expected in various locations of the driver code. Also
tagged for stable.
* 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux:
drm/etnaviv: (re-)protect fence allocation with GPU mutex
The controller has different timings for MMC_TIMING_UHS_DDR50 and
MMC_TIMING_MMC_DDR52. Configuring the controller with SDHCI_CTRL_UHS_DDR50,
when MMC_TIMING_MMC_DDR52 timings are requested, is not correct and can
lead to unexpected behavior.
Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Fixes: bb5f8ea4d5 ("mmc: sdhci-of-at91: introduce driver for the Atmel SDMMC")
Cc: <stable@vger.kernel.org> # 4.4+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
SDIO cards may need clock to send the card interrupt to the host.
On a cherrytrail tablet with a RTL8723BS wifi chip, without this patch
pinging the tablet results in:
PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=78.6 ms
64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1760 ms
64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=753 ms
64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=3.88 ms
64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=795 ms
64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1841 ms
64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=810 ms
64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1860 ms
64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=812 ms
64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=48.6 ms
Where as with this patch I get:
PING 192.168.1.14 (192.168.1.14) 56(84) bytes of data.
64 bytes from 192.168.1.14: icmp_seq=1 ttl=64 time=3.96 ms
64 bytes from 192.168.1.14: icmp_seq=2 ttl=64 time=1.97 ms
64 bytes from 192.168.1.14: icmp_seq=3 ttl=64 time=17.2 ms
64 bytes from 192.168.1.14: icmp_seq=4 ttl=64 time=2.46 ms
64 bytes from 192.168.1.14: icmp_seq=5 ttl=64 time=2.83 ms
64 bytes from 192.168.1.14: icmp_seq=6 ttl=64 time=1.40 ms
64 bytes from 192.168.1.14: icmp_seq=7 ttl=64 time=2.10 ms
64 bytes from 192.168.1.14: icmp_seq=8 ttl=64 time=1.40 ms
64 bytes from 192.168.1.14: icmp_seq=9 ttl=64 time=2.04 ms
64 bytes from 192.168.1.14: icmp_seq=10 ttl=64 time=1.40 ms
Cc: Dong Aisheng <b29396@freescale.com>
Cc: Ian W MORRISON <ianwmorrison@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Acked-by: Dong Aisheng <aisheng.dong@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
A relatively large pile of fixes for mainline, the first since the merge
window. The biggest block of changes here by volume is the sun8i-codec
set, the driver was newly added in the merge window but it was realized
that renaming some of the user visible controls was required so these
are being pushed for v4.11 to avoid the original code appearing in a
release. Otherwise it's all fairly standard bugfix stuff.
-----BEGIN PGP SIGNATURE-----
iQFHBAABCAAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAljdNc0THGJyb29uaWVA
a2VybmVsLm9yZwAKCRAk1otyXVSH0IgMB/9SGwZvXPsI0w2q/f7pP4Q7SntvmywP
o+gyktSaC/nLDpdPkdOBMekzhpkzvEgJsg/07iop/J/qsYSgmRoT+UkGB5KMBYxS
aFse8ya9NavulcuCksINMr+kPrd9bMGzev0Y2v9p6nOAZ0Yhqoi0cK/JNeLH8WBE
amgWI7MbZ3vAR5jviKINw57crXsqeJcH7u1IkFNznhUb5MfzO7MdAby2nYnlFiTs
D7XeA/OV/cffwdsI5fylrD0zCd6DekZImjrv31nGi36DIZ275V4uDiN/XQFel069
cQc4CYLgMWXiXGZaRmxjqPZ/Om14VY6i17VsoriNhU8e5CtQlynOogV/
=k725
-----END PGP SIGNATURE-----
Merge tag 'asoc-fix-v4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.11
A relatively large pile of fixes for mainline, the first since the merge
window. The biggest block of changes here by volume is the sun8i-codec
set, the driver was newly added in the merge window but it was realized
that renaming some of the user visible controls was required so these
are being pushed for v4.11 to avoid the original code appearing in a
release. Otherwise it's all fairly standard bugfix stuff.
Without this, the first modeset would dereference past the allocation
when trying to free the mm node.
Signed-off-by: Eric Anholt <eric@anholt.net>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170328201343.4884-1-eric@anholt.net
Fixes: d8dbf44f13 ("drm/vc4: Make the CRTCs cooperate on allocating display lists.")
Cc: <stable@vger.kernel.org> # v4.6+
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Commit a544c619a5 ("HID: wacom: do not attempt to switch mode
while in probe") introduces delayed work for querying (setting the
mode) on all tablets. Bamboo Touch (056a:00d0) has a ghost
interface which claims to be a pen device. Though this device can
be removed, we have to set the mode on the ghost pen interface
before we remove it. After the aforementioned delay was introduced
the device was being removed before the mode setting could be
executed.
Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
A previous commit (below) adds a check for already probed interfaces to
Wacom's matching heuristic. Unfortunately this causes the Bamboo Pen
(CTL-460) to match itself to its 'ghost' touch interface. After
subsequent changes to the driver this match to the ghost causes the
kernel to crash. This patch avoids calling wacom_add_shared_data()
for the BAMBOO_PEN's ghost touch interface.
Fixes: 41372d5d40 ("HID: wacom: Augment 'oVid' and 'oPid' with heuristics for HID_GENERIC")
Cc: stable <stable@vger.kernel.org> # 4.9
Signed-off-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Pull thermal management fixes from Zhang Rui:
- Fix a potential deadlock in cpu_cooling driver, which was introduced
in 4.11-rc1. (Matthew Wilcox)
- Fix the cpu_cooling and devfreq_cooling code to handle possible error
return value from OPP calls, together with three minor fixes in the
same patch series. (Viresh Kumar)
* 'for-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
thermal: cpu_cooling: Check OPP for errors
thermal: cpu_cooling: Replace dev_warn with dev_err
thermal: devfreq: Check OPP for errors
thermal: devfreq_cooling: Replace dev_warn with dev_err
thermal: devfreq: Simplify expression
thermal: Fix potential deadlock in cpu_cooling
Pull block fixes from Jens Axboe:
"Five fixes for this series:
- a fix from me to ensure that blk-mq drivers that terminate IO in
their ->queue_rq() handler by returning QUEUE_ERROR don't stall
with a scheduler enabled.
- four nbd fixes from Josef and Ratna, fixing various problems that
are critical enough to go in for this cycle. They have been well
tested"
* 'for-linus' of git://git.kernel.dk/linux-block:
nbd: replace kill_bdev() with __invalidate_device()
nbd: set queue timeout properly
nbd: set rq->errors to actual error code
nbd: handle ERESTARTSYS properly
blk-mq: include errors in did_work calculation
Merge xfrm_user validation fixes from Andy Whitcroft:
"Two patches we are applying to Ubuntu for XFRM_MSG_NEWAE validation
issue reported by ZDI.
The first of these is the primary fix, and the second is for a more
theoretical issue that Kees pointed out when reviewing the first"
* emailed patches from Andy Whitcroft <apw@canonical.com>:
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
Merge PTRACE_SETREGSET leakage fixes from Dave Martin:
"This series is the collection of fixes I proposed on this topic, that
have not yet appeared upstream or in the stable branches,
The issue can leak kernel stack, but doesn't appear to allow userspace
to attack the kernel directly. The affected architectures are c6x,
h8300, metag, mips and sparc.
[ Mark Salter points out that c6x has no MMU or other mechanism to
prevent userspace access to kernel code or data on c6x, but it
doesn't hurt to clean that case up too. ]
The bugs arise from use of user_regset_copyin(). Users of
user_regset_copyin() can work in one of two ways:
1) Copy directly to thread_struct or equivalent. (This seems to be
the design assumption of the regset API, and is the most common
approach.)
2) Copy to a local variable and then transfer to thread_struct. (A
significant minority of cases.)
Buggy code typically involves approach 2"
* emailed patches from Dave Martin <Dave.Martin@arm.com>:
sparc/ptrace: Preserve previous registers for short regset write
mips/ptrace: Preserve previous registers for short regset write
metag/ptrace: Reject partial NT_METAG_RPIPE writes
metag/ptrace: Provide default TXSTATUS for short NT_PRSTATUS
metag/ptrace: Preserve previous registers for short regset write
h8300/ptrace: Fix incorrect register transfer count
c6x/ptrace: Remove useless PTRACE_SETREGSET implementation
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
It's not clear what behaviour is sensible when doing partial write of
NT_METAG_RPIPE, so just don't bother.
This patch assumes that userspace will never rely on a partial SETREGSET
in this case, since it's not clear what should happen anyway.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill TXSTATUS, a well-defined default value is used, based on the
task's current value.
Suggested-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Ensure that if userspace supplies insufficient data to PTRACE_SETREGSET
to fill all the registers, the thread's old registers are preserved.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Acked-by: James Hogan <james.hogan@imgtec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
regs_set() and regs_get() are vulnerable to an off-by-1 buffer overrun
if CONFIG_CPU_H8S is set, since this adds an extra entry to
register_offset[] but not to user_regs_struct.
So, iterate over user_regs_struct based on its actual size, not based on
the length of register_offset[].
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
gpr_set won't work correctly and can never have been tested, and the
correct behaviour is not clear due to the endianness-dependent task
layout.
So, just remove it. The core code will now return -EOPNOTSUPPORT when
trying to set NT_PRSTATUS on this architecture until/unless a correct
implementation is supplied.
Signed-off-by: Dave Martin <Dave.Martin@arm.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kees Cook has pointed out that xfrm_replay_state_esn_len() is subject to
wrapping issues. To ensure we are correctly ensuring that the two ESN
structures are the same size compare both the overall size as reported
by xfrm_replay_state_esn_len() and the internal length are the same.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When a new xfrm state is created during an XFRM_MSG_NEWSA call we
validate the user supplied replay_esn to ensure that the size is valid
and to ensure that the replay_window size is within the allocated
buffer. However later it is possible to update this replay_esn via a
XFRM_MSG_NEWAE call. There we again validate the size of the supplied
buffer matches the existing state and if so inject the contents. We do
not at this point check that the replay_window is within the allocated
memory. This leads to out-of-bounds reads and writes triggered by
netlink packets. This leads to memory corruption and the potential for
priviledge escalation.
We already attempt to validate the incoming replay information in
xfrm_new_ae() via xfrm_replay_verify_len(). This confirms that the user
is not trying to change the size of the replay state buffer which
includes the replay_esn. It however does not check the replay_window
remains within that buffer. Add validation of the contained
replay_window.
CVE-2017-7184
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The fence allocation needs to be protected by the GPU mutex, otherwise
the fence seqnos of concurrent submits might not match the insertion order
of the jobs in the kernel ring. This breaks the assumption that jobs
complete with monotonically increasing fence seqnos.
Fixes: d985349017 (drm/etnaviv: take GPU lock later in the submit process)
CC: stable@vger.kernel.org #4.9+
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Fixes to multiple issues in virtio. Most notably
a regression fix for crashes reported by Fedora users.
Hybernate is still reportedly broken, working on it.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJY2qEcAAoJECgfDbjSjVRpM/oH/3GPZOh9/tMzDFDaDljqtWQy
PGVb74/3+O55xOOq9nyyS3+6BlCXmiUcynxg61QUOUqUuHPPdH/OntyyPgG0pYkx
271W81C1yc2xFp/qkOiMWKiPmsbJ7ykVg37NWtxm7Phf4RgX3wgymq87hWr4Td1G
q9k6oyMCmvJUECJVxOVHjPt+oYQ7zQkFBNB8kSNlj67gbe533jkPt46MMlXbX7fQ
lPdJTnLXN/GQxnVtw5AAiWF87z0wNVUefrLe9sHW3KOeGBdne4NXblvz3WF/iPq4
N96thgm7QOP3NgAqbaUa7Fb0+jxyi2DNYFrVPxnf+nOOQy/AVUX6GRZJ2Tu6gF0=
=oSO5
-----END PGP SIGNATURE-----
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
Pull virtio fixes from Michael Tsirkin:
"Fixes to multiple issues in virtio.
Most notably a regression fix for crashes reported by Fedora users.
Hibernate is still reportedly broken, working on it"
* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
virtio_balloon: prevent uninitialized variable use
virtio-balloon: use actual number of stats for stats queue buffers
virtio_balloon: init 1st buffer in stats vq
virtio_pci: fix out of bound access for msix_names
The latest gcc-7.0.1 snapshot reports a new warning:
virtio/virtio_balloon.c: In function 'update_balloon_stats':
virtio/virtio_balloon.c:258:26: error: 'events[2]' is used uninitialized in this function [-Werror=uninitialized]
virtio/virtio_balloon.c:260:26: error: 'events[3]' is used uninitialized in this function [-Werror=uninitialized]
virtio/virtio_balloon.c:261:56: error: 'events[18]' is used uninitialized in this function [-Werror=uninitialized]
virtio/virtio_balloon.c:262:56: error: 'events[17]' is used uninitialized in this function [-Werror=uninitialized]
This seems absolutely right, so we should add an extra check to
prevent copying uninitialized stack data into the statistics.
>From all I can tell, this has been broken since the statistics code
was originally added in 2.6.34.
Fixes: 9564e138b1 ("virtio: Add memory statistics reporting to the balloon driver (V4)")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
The virtio balloon driver contained a not-so-obvious invariant that
update_balloon_stats has to update exactly VIRTIO_BALLOON_S_NR counters
in order to send valid stats to the host. This commit fixes it by having
update_balloon_stats return the actual number of counters, and its
callers use it when pushing buffers to the stats virtqueue.
Note that it is still out of spec to change the number of counters
at run-time. "Driver MUST supply the same subset of statistics in all
buffers submitted to the statsq."
Suggested-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
When init_vqs runs, virtio_balloon.stats is either uninitialized or
contains stale values. The host updates its state with garbage data
because it has no way of knowing that this is just a marker buffer
used for signaling.
This patch updates the stats before pushing the initial buffer.
Alternative fixes:
* Push an empty buffer in init_vqs. Not easily done with the current
virtio implementation and violates the spec "Driver MUST supply the
same subset of statistics in all buffers submitted to the statsq".
* Push a buffer with invalid tags in init_vqs. Violates the same
spec clause, plus "invalid tag" is not really defined.
Note: the spec says:
When using the legacy interface, the device SHOULD ignore all values in
the first buffer in the statsq supplied by the driver after device
initialization. Note: Historically, drivers supplied an uninitialized
buffer in the first buffer.
Unfortunately QEMU does not seem to implement the recommendation
even for the legacy interface.
Cc: stable@vger.kernel.org
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fedora has received multiple reports of crashes when running
4.11 as a guest
https://bugzilla.redhat.com/show_bug.cgi?id=1430297https://bugzilla.redhat.com/show_bug.cgi?id=1434462https://bugzilla.kernel.org/show_bug.cgi?id=194911https://bugzilla.redhat.com/show_bug.cgi?id=1433899
The crashes are not always consistent but they are generally
some flavor of oops or GPF in virtio related code. Multiple people
have done bisections (Thank you Thorsten Leemhuis and
Richard W.M. Jones) and found this commit to be at fault
07ec51480b is the first bad commit
commit 07ec51480b
Author: Christoph Hellwig <hch@lst.de>
Date: Sun Feb 5 18:15:19 2017 +0100
virtio_pci: use shared interrupts for virtqueues
The issue seems to be an out of bounds access to the msix_names
array corrupting kernel memory.
Fixes: 07ec51480b ("virtio_pci: use shared interrupts for virtqueues")
Reported-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Tested-by: Richard W.M. Jones <rjones@redhat.com>
Tested-by: Thorsten Leemhuis <linux@leemhuis.info>
SRCU uses a delayed work item. Skip cleaning it up, and
the result is use-after-free in the work item callbacks.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Suggested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Fixes: 0eb05bf290
Reviewed-by: Xiao Guangrong <xiaoguangrong.eric@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
The nested_ept_enabled flag introduced in commit 7ca29de213 was not
computed correctly. We are interested only in L1's EPT state, not the
the combined L0+L1 value.
In particular, if L0 uses EPT but L1 does not, nested_ept_enabled must
be false to make sure that PDPSTRs are loaded based on CR3 as usual,
because the special case described in 26.3.2.4 Loading Page-Directory-
Pointer-Table Entries does not apply.
Fixes: 7ca29de213 ("KVM: nVMX: fix CR3 load if L2 uses PAE paging and EPT")
Cc: qemu-stable@nongnu.org
Reported-by: Wanpeng Li <wanpeng.li@hotmail.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
or VM memory are not put thus leaked in kvm_iommu_unmap_memslots() when
destroy VM.
This is consistent with current vfio implementation.
Signed-off-by: herongguang <herongguang.he@huawei.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
We were accidentally only overriding the first VRAM placement. For BOs
with the RADEON_GEM_NO_CPU_ACCESS flag set,
radeon_ttm_placement_from_domain creates a second VRAM placment with
fpfn == 0. If VRAM is almost full, the first VRAM placement with
fpfn > 0 may not work, but the second one with fpfn == 0 always will
(the BO's current location trivially satisfies it). Because "moving"
the BO to its current location puts it back on the LRU list, this
results in an infinite loop.
Fixes: 2a85aedd11 ("drm/radeon: Try evicting from CPU accessible to
inaccessible VRAM first")
Reported-by: Zachary Michaels <zmichaels@oblong.com>
Reported-and-Tested-by: Julien Isorce <jisorce@oblong.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Michel Dänzer <michel.daenzer@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Intel Apollo Lake platform and the Denverton microserver.
+ small fixlets.
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEzv7L6UO9uDPlPSfHEsHwGGHeVUoFAljYz4cACgkQEsHwGGHe
VUpdaBAAh/ak8ZHt5p+vdeUeDWXDFsJeCd7mecDLsGP0AwnsWJIh3aLVxkDjJdLd
FKR08f777btKRq/idlTA8uCx7g1pNgk4vqAK0pGAsH5bb/JRH8XT+r4X3ZwC38LM
N2yLubuh1mf/wYkDbDXrmDc4/YV/0Bkwo2atvZC9IZmrZHSBLVBletU+N0jlOpP8
y9R5/WF1YypFojDLpaPHw4ucvBQ/FBMUCob42Se0xaAQKpQaiR0WcfTG6xnBjNDT
1brmVC1dD95a3yqfU4zvlYNhxCzOfb/ACln0f0rUlwt0S3VexUeWfdt6c7QxJ3cV
WRTaiGmcLE67kuiIDgtnkVx6d9Lg/BUkRco4aDwnRwrRokPV7LXHUwcvw6fKz+Tg
gBaJ+4Iotiz95j0M/KPaPcko7LcPOa0qvI95pRZBUpfYxJgieoBdEjmQyf/abWXF
1wV9IrFwyoNoT1/XwRIRZz9kixBglFEairKnPRc1EJrjnjdTKmFZam1kDbZFvf18
AdJxivtoNzd51DylpD2z2+TT0wGHUQbjUdwVPh7e9VPGjYWz1Yh7DEeldRSemRzI
nQW2CEun0IcdpxqNQ0nPWDXDx9N0D34jJbZm8GJIUEZBCZGc/lWKCAa5hahV4jOT
GAGPuqLV+gI8Fz0iuHg9oPiWs7bdI1q66JdK7DEOIj1FfI++uu4=
=aftN
-----END PGP SIGNATURE-----
Merge tag 'edac_for_4.11_2' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp
Pull EDAC updates from Borislav Petkov:
"A new EDAC driver for the Pondicherry2 memory controller IP found in
the Intel Apollo Lake platform and the Denverton microserver.
Plus small fixlets.
Normally I had this queued for 4.12 but Tony requested for the
pnd2_edac driver to possibly land in 4.11 therefore I'm sending it to
you now.
It is a driver for new hardware which people don't have yet so it
shouldn't cause any regressions.
The couple of patches ontop of it show that Qiuxu actually did test it
on the hardware he has access to :)"
* tag 'edac_for_4.11_2' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
EDAC, pnd2_edac: Fix reported DIMM number
EDAC, pnd2_edac: Fix !EDAC_DEBUG build
EDAC: Select DEBUG_FS
EDAC, pnd2_edac: Add new EDAC driver for Intel SoC platforms
EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
EDAC, xgene: Fix wrongly spelled "procesing"
- Kconfig fixup for the TI IOdelay pinctrl-single add-on.
- Fix up a typo in the meson i2c ao groups.
- Switch a remapping back to use devm_ioremap() as
devm_ioremap_resource() does not allow for sharing memory
regions.
- Do not clear the Qualcomm irq status bit in irq_unmask(),
as this can lead to missing interrupts while the irq handler
is executing.
- Add irq_request/release_resources() on the ST driver.
- Add a bunch of mysteriously missing pingroups for high
numbered pins in the Qualcomm ipq4019 driver.
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJY2MAtAAoJEEEQszewGV1zjGEQAJjwAQ0Guht7s5WJdrw4330z
Cy1ln5PSXQrIj8ZNrNdgJy/CfwFYG/2x7DEG393wIeiEhXscV+LqHUrfe0M9rN7z
zgqA+nlAwzcsWp8tvASmCjYXIjIEGjAh4qBsJbW7kWMToct3+UfBAnmL+T88P36z
30MJ9eFPaS5J5660wkqgPu3hjUuPebReVFkyrH4xd2ky6CIuLxal0h0tQCBFEK8j
9jN6LO41ScririvrB+Z0wpDVz74DCxqlspOmHSnHYEXwoMfhG/Zp1WMo94YOIXg2
/Ob8xSeN5YhyGszYjXXnMhHR9tiI2rlXcoJA63CTZsJ83V91v7QJpqDNPFmS1t11
+RFd4B49Q5th7/fNMtqFK+Y9zlSUpinkigAvCAImic42X9kYgV4kNmlW6TX/Um22
5e0KbvS4U1YeCxY4y8fbJ9eHv+Yjv5K7c/4wFEhHq1KfFZ/yyFcqzXcCIKKZ74+u
DaU+rSPkSNWrsAunfNg1EnrExWOzl5YXzl6SUb/fSYdXY0BNm6jsAzsiSOkqs7VV
aQgGAN5VJ88Ho5cn14qAZw9IlpPKAzf9twna//CgJLUBD/TEs4SiPeBq9vwdjB5a
3m0smorY+jXnziLe5GCdiZRvvJAgeKV9wB7i87BugCsQbB4W98MO0aJg24X1z+zK
nsf+0ff7+UCSOHjx9Lxw
=0sa2
-----END PGP SIGNATURE-----
Merge tag 'pinctrl-v4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl
Pull more pin control fixes from Linus Walleij:
"Here is a bunch of pin control fixes again
A bit more than I'd like for this subsystem at this point, but what
can I do. They are all driver fixes for hardware issues, as like "we
forgot", "we didn't think of the fact that this could happen", "oops
that one goes there" etc
- Kconfig fixup for the TI IOdelay pinctrl-single add-on
- fix up a typo in the meson i2c ao groups
- switch a remapping back to use devm_ioremap() as
devm_ioremap_resource() does not allow for sharing memory regions
- do not clear the Qualcomm irq status bit in irq_unmask(), as this
can lead to missing interrupts while the irq handler is executing
- add irq_request/release_resources() on the ST driver
- add a bunch of mysteriously missing pingroups for high numbered
pins in the Qualcomm ipq4019 driver"
* tag 'pinctrl-v4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
pinctrl: qcom: ipq4019: add missing pingroups for pins > 70
pinctrl: st: add irq_request/release_resources callbacks
pinctrl: qcom: Don't clear status bit on irq_unmask
pinctrl: samsung: Fix memory mapping code
pinctrl: meson-gxbb: Fix typo in i2c ao groups
pinctrl: ti: The IODelay driver is a DRA7xxx feature so depend on that SoC
Commit e8a9c58fcd ("drm/i915: Unify active context tracking between
legacy/execlists/guc") converted the legacy intel_ringbuffer submission
to the same context pinning mechanism as execlists - that is to pin the
context until the subsequent request is retired. Previously it used the
vma retirement of the context object to keep itself pinned until the
next request (after i915_vma_move_to_active()). In the conversion, I
missed that the vma retirement was also responsible for marking the
object as dirty. Mark the context object as dirty when pinning
(equivalent to execlists) which ensures that if the context is swapped
out due to mempressure or suspend/hibernation, when it is loaded back in
it does so with the previous state (and not all zero).
Fixes: e8a9c58fcd ("drm/i915: Unify active context tracking between legacy/execlists/guc")
Reported-by: Dennis Gilmore <dennis@ausil.us>
Reported-by: Mathieu Marquer <mathieu.marquer@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99993
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100181
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Cc: <drm-intel-fixes@lists.freedesktop.org> # v4.11-rc1
Link: http://patchwork.freedesktop.org/patch/msgid/20170322205930.12762-1-chris@chris-wilson.co.uk
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
(cherry picked from commit 5d4bac5503)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Linus Torvalds