Commit Graph

782550 Commits

Author SHA1 Message Date
Linus Torvalds
f8f65382c9 KVM fixes for 4.19-rc3
ARM:
  - Fix a VFP corruption in 32-bit guest
  - Add missing cache invalidation for CoW pages
  - Two small cleanups
 
 s390:
  - Fallout from the hugetlbfs support: pfmf interpretion and locking
  - VSIE: fix keywrapping for nested guests
 
 PPC:
  - Fix a bug where pages might not get marked dirty, causing
    guest memory corruption on migration,
  - Fix a bug causing reads from guest memory to use the wrong guest
    real address for very large HPT guests (>256G of memory), leading to
    failures in instruction emulation.
 
 x86:
  - Fix out of bound access from malicious pv ipi hypercalls (introduced
    in rc1)
  - Fix delivery of pending interrupts when entering a nested guest,
    preventing arbitrarily late injection
  - Sanitize kvm_stat output after destroying a guest
  - Fix infinite loop when emulating a nested guest page fault
    and improve the surrounding emulation code
  - Two minor cleanups
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABCAAGBQJbk5gAAAoJEED/6hsPKofoS0UH/1clCzg/8x3jhpDcKKp6tDm7
 9XHOOQ6XmydT0HXYJNqZepGNqU99ip+2u4x8E9LCT5MTvTMZ1BcNM6PmenjJVULY
 GMJtwZhjqoklrOcNkXGqIye4Ec+I0pBuMmt0AN0N85CcHO8VUBpMzsdxgJLuxcRm
 UT6OZnCLyJsock6BqkZmqVsJj/gemFnI9MpudnrU8cCFk60roXmQWJ66fMIFfKjt
 q0R61t8nmbapQKE8pjqBNgbCsuotVOtU1zgMkeM5LkaYEfc65ZPdgt3sdpyG8Guq
 WA7Vt6HEvmNrcQxHFX5P0GxTVM9lOVCUx1bKXE4+57CMZOYl/8hDaTudlcacutg=
 =FyuN
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Radim Krčmář:
 "ARM:
   - Fix a VFP corruption in 32-bit guest
   - Add missing cache invalidation for CoW pages
   - Two small cleanups

  s390:
   - Fallout from the hugetlbfs support: pfmf interpretion and locking
   - VSIE: fix keywrapping for nested guests

  PPC:
   - Fix a bug where pages might not get marked dirty, causing guest
     memory corruption on migration
   - Fix a bug causing reads from guest memory to use the wrong guest
     real address for very large HPT guests (>256G of memory), leading
     to failures in instruction emulation.

  x86:
   - Fix out of bound access from malicious pv ipi hypercalls
     (introduced in rc1)
   - Fix delivery of pending interrupts when entering a nested guest,
     preventing arbitrarily late injection
   - Sanitize kvm_stat output after destroying a guest
   - Fix infinite loop when emulating a nested guest page fault and
     improve the surrounding emulation code
   - Two minor cleanups"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (28 commits)
  KVM: LAPIC: Fix pv ipis out-of-bounds access
  KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2
  arm64: KVM: Remove pgd_lock
  KVM: Remove obsolete kvm_unmap_hva notifier backend
  arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
  KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW
  KVM: s390: Properly lock mm context allow_gmap_hpage_1m setting
  KVM: s390: vsie: copy wrapping keys to right place
  KVM: s390: Fix pfmf and conditional skey emulation
  tools/kvm_stat: re-animate display of dead guests
  tools/kvm_stat: indicate dead guests as such
  tools/kvm_stat: handle guest removals more gracefully
  tools/kvm_stat: don't reset stats when setting PID filter for debugfs
  tools/kvm_stat: fix updates for dead guests
  tools/kvm_stat: fix handling of invalid paths in debugfs provider
  tools/kvm_stat: fix python3 issues
  KVM: x86: Unexport x86_emulate_instruction()
  KVM: x86: Rename emulate_instruction() to kvm_emulate_instruction()
  KVM: x86: Do not re-{try,execute} after failed emulation in L2
  KVM: x86: Default to not allowing emulation retry in kvm_mmu_page_fault
  ...
2018-09-08 15:52:45 -07:00
Linus Torvalds
0f3aa48ad4 ARM: SoC fixes
A few more fixes who have trickled in:
  - MMC bus width fixup for some Allwinner platforms
  - Fix for NULL deref in ti-aemif when no platform data is passed in
  - Fix div by 0 in SCMI code
  - Add a missing module alias in a new RPi driver
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAluUAp0PHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx3+6YP/2T9NuOUTjssbVBho92lF9dV58Y5xOgDv9wX
 mFT7gePXovTPQrgrpDi4RWrv0wAkjMa3grJfL2RGZXSZtsgkyHstb3mXf1O6sbnF
 Ry1yc4ByJ0+JKJRq2tBxhQmLpBVFNXiav4vhIdPNZRdtZid7WzZaqF0JrCj6iyNf
 CDhiGFRAZC9NcaCdOvI0aHFVC47Cp/Uacbh3PzZmdRWJJ2rCGO9X4vwQoMai/1cq
 vVuiOBOs2ArXQQvvDoVixb3sCcdblCsDoS57lArJ5jKrHFm8iu6Z2+6UGhi2QEhc
 9PKp5tySctWVqitOn0Ueixq+nKCXF3/dVAqjMVViSfC7G0Pt2XIAeqZU+2Ou3Zkj
 nFcHqTZAXfSs6I1hnXqJYQ9Me3JzwQ+pRFJY8/+tbq2eGv7eZzUuzUppr13eF62s
 NeBzJiGiI7ab9sGJknhmoXVDyuB7ctuZXA8JgO/kZvL8dfuWcF3GNocs2p9916JD
 uWGwnfXiTLMhbxKkYrjaOClaVyx2bf996M3Z4NqxBQ9XGNXyh+V/6bzUh9DGPSL0
 +9W7YcRFT08v4I1Zh7/P5zXVAOyqj3awWeD6gpg7PAsmKPdN/f17EEqk6KH7rOVZ
 Vvw3/w+Ef9u4onGpbpE/IyCco75vXrv1GtkHMX7VlMjLe0eAv5Cpw7UwLDO2tVnu
 pEJFkk45
 =oZbn
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Olof Johansson:
 "A few more fixes who have trickled in:

   - MMC bus width fixup for some Allwinner platforms

   - Fix for NULL deref in ti-aemif when no platform data is passed in

   - Fix div by 0 in SCMI code

   - Add a missing module alias in a new RPi driver"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  memory: ti-aemif: fix a potential NULL-pointer dereference
  firmware: arm_scmi: fix divide by zero when sustained_perf_level is zero
  hwmon: rpi: add module alias to raspberrypi-hwmon
  arm64: allwinner: dts: h6: fix Pine H64 MMC bus width
2018-09-08 15:38:57 -07:00
Olof Johansson
a132bb9041 Allwinner fixes for 4.19
Just one fix for H6 mmc on the Pine H64: the mmc bus width was missing
 from the device tree. This was added in 4.19-rc1.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCgAsFiEE2nN1m/hhnkhOWjtHOJpUIZwPJDAFAluQmz0OHHdlbnNAY3Np
 ZS5vcmcACgkQOJpUIZwPJDD01RAApxHO0v7/7y9w/8pGGpjpTYpliF9lndaQYD3o
 +Xc/Y7bcy2+Iy4Lz0TbkOObjIVUoLsQcpGKvttHa/gIsjbgd9xBpxd5X2PVBRmWx
 /ERA5HdMG4RvznLD3P7X0JOAL/3w1ad/4DarOHOibqYk3KqX+iG6kphIRx326INt
 SSqPZNNub/LXmHSUnyprQ+ccfKs87uiy9dT1LrSTxXGjh9tdXXmkGmDCOSX+oCKm
 EXeFIK1uTmyGyE8OXa2NbCktwNylw6c4XwcaWLIPQeJTEW6oVh95IkewBphi+nFw
 rU82W2aqCGqP2EYHJwzD7zx53V7cGAJVkb/u3ENXSXgE/kyTdmoFukxWRb7upfEb
 9bjgQUMQ+6RG1f5lDYIHSVNXdk81AshMc1Y7qKG5EoCfJUIcG0gyyQYpO+lKji7V
 nvTeiA0882a/PMYYkGU7vWGD7oIuPHEWEmnSZDWUNsqcKXaX5b3km/BsoLfTii9a
 45MDQ9Wo2B26PL6zflN78BrDfuX+UgmX1bbxY0b+rOal4CKuz+VqwEnQIumu1SYE
 9GaMHFKGMh2JCQ/U8o4AGdomEUjX79dgZbwz7W4KBnaS7K4iKrQfxcKLFXcXLtI9
 EaA4nNsHeIe6ByE5z4FNVUPHEcLkfqlpqdFBRdd/xt+MfDYQaorh73NQfGvN4s0x
 3pGu1fI=
 =WbHO
 -----END PGP SIGNATURE-----

Merge tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into fixes

Allwinner fixes for 4.19

Just one fix for H6 mmc on the Pine H64: the mmc bus width was missing
from the device tree. This was added in 4.19-rc1.

* tag 'sunxi-fixes-for-4.19' of https://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux:
  arm64: allwinner: dts: h6: fix Pine H64 MMC bus width

Signed-off-by: Olof Johansson <olof@lixom.net>
2018-09-08 10:04:37 -07:00
Nadav Amit
9bc4f28af7 x86/mm: Use WRITE_ONCE() when setting PTEs
When page-table entries are set, the compiler might optimize their
assignment by using multiple instructions to set the PTE. This might
turn into a security hazard if the user somehow manages to use the
interim PTE. L1TF does not make our lives easier, making even an interim
non-present PTE a security hazard.

Using WRITE_ONCE() to set PTEs and friends should prevent this potential
security hazard.

I skimmed the differences in the binary with and without this patch. The
differences are (obviously) greater when CONFIG_PARAVIRT=n as more
code optimizations are possible. For better and worse, the impact on the
binary with this patch is pretty small. Skimming the code did not cause
anything to jump out as a security hazard, but it seems that at least
move_soft_dirty_pte() caused set_pte_at() to use multiple writes.

Signed-off-by: Nadav Amit <namit@vmware.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Dave Hansen <dave.hansen@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Sean Christopherson <sean.j.christopherson@intel.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20180902181451.80520-1-namit@vmware.com
2018-09-08 12:30:36 +02:00
Thomas Gleixner
47b7360ce5 x86/apic/vector: Make error return value negative
activate_managed() returns EINVAL instead of -EINVAL in case of
error. While this is unlikely to happen, the positive return value would
cause further malfunction at the call site.

Fixes: 2db1f959d9 ("x86/vector: Handle managed interrupts proper")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
2018-09-08 12:12:40 +02:00
Vincent Whitchurch
5cf4a8532c tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
According to the documentation in msg_zerocopy.rst, the SO_ZEROCOPY
flag was introduced because send(2) ignores unknown message flags and
any legacy application which was accidentally passing the equivalent of
MSG_ZEROCOPY earlier should not see any new behaviour.

Before commit f214f915e7 ("tcp: enable MSG_ZEROCOPY"), a send(2) call
which passed the equivalent of MSG_ZEROCOPY without setting SO_ZEROCOPY
would succeed.  However, after that commit, it fails with -ENOBUFS.  So
it appears that the SO_ZEROCOPY flag fails to fulfill its intended
purpose.  Fix it.

Fixes: f214f915e7 ("tcp: enable MSG_ZEROCOPY")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-07 23:11:06 -07:00
Cong Wang
a162c35114 net_sched: properly cancel netlink dump on failure
When nla_put*() fails after nla_nest_start(), we need
to call nla_nest_cancel() to cancel the message, otherwise
we end up calling nla_nest_end() like a success.

Fixes: 0ed5269f9e ("net/sched: add tunnel option support to act_tunnel_key")
Cc: Davide Caratti <dcaratti@redhat.com>
Cc: Simon Horman <simon.horman@netronome.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-07 23:05:07 -07:00
Juergen Gross
8edfe2e992 xen/netfront: fix waiting for xenbus state change
Commit 822fb18a82 ("xen-netfront: wait xenbus state change when load
module manually") added a new wait queue to wait on for a state change
when the module is loaded manually. Unfortunately there is no wakeup
anywhere to stop that waiting.

Instead of introducing a new wait queue rename the existing
module_unload_q to module_wq and use it for both purposes (loading and
unloading).

As any state change of the backend might be intended to stop waiting
do the wake_up_all() in any case when netback_changed() is called.

Fixes: 822fb18a82 ("xen-netfront: wait xenbus state change when load module manually")
Cc: <stable@vger.kernel.org> #4.18
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-07 23:03:16 -07:00
Linus Torvalds
d7b686ebf7 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:

 - bugfixes for uniphier, i801, and xiic drivers

 - ID removal (never produced) for imx

 - one MAINTAINER addition

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: xiic: Record xilinx i2c with Zynq fragment
  i2c: xiic: Make the start and the byte count write atomic
  i2c: i801: fix DNV's SMBCTRL register offset
  i2c: imx-lpi2c: Remove mx8dv compatible entry
  dt-bindings: imx-lpi2c: Remove mx8dv compatible entry
  i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
  i2c: uniphier: issue STOP only for last message or I2C_M_STOP
2018-09-07 17:30:40 -07:00
Linus Torvalds
2c34a0e041 ARC updates for 4.19-rc3
- For for atomic_fetch_#op  [Will Deacon]
 
  - Enabling per device IOC [Eugeniy Paltsev]
 
  - Remove redundany gcc version checks [Masahiro Yamada]
 
  - Miscll platform config/DT updates [Alexey Brodkin]
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbks/0AAoJEGnX8d3iisJeV4YP+wXcZwaxeviYoy+sdfNqUNz2
 ET7gVkQNvl/LP/nEI/NCiHKirT5iyn/Ln629TOt9YNyWKyNnMJY3sTDYvHAsI0tB
 UEUDLW4E6QJnw7bcvfdtOdJfjyTzB6/FBhgPCcGdi5yg3ClN1U39aqW6eepTa5XX
 6GenRoi+K8Mcve51R9+pOK+P54UYstADog7AjQssu2jHOzGsKwcc9C3NaqZjbDSl
 CFjQwRgfqsPYRqtPYNRkqyN6YO6oJRVxjEz/0dz7ncBK4nZRj0xdgj5yKApioBvX
 Vy9s/L03vAzaR044GiQph/xaNm0eXteYxGoASNSMVICi4p9smTq2Rqk2cHAJTL3g
 f1f/DD7EWFbchxsMfFk9dbjVhsCyr/IxQSeOOGbicWc1ItUKvkYjzimqpXH3Crdj
 de0Ja708paa3UKfIRr2UnbrXwbt9XkUR19zsH9HKHIFHRl7MOHJIr5E1JWY8h7FE
 AxlqXt2fIVQJxvTjwApphTIxix3thfaE1kJrUu1bENB9kL2CTkP2j04oHJMi71zb
 W08Aw8OahUd5O/Qxg2eT3+Cq7u+sjaNVEYVsRFcW38i+DvaIJv5/FSGIyFEt2yYG
 TC4Gg68kE5yNlOdO6b6+uDC/lsq0cZkRYaIM1+10yV4w3qZeSrbWV+VQbXInLqnP
 6p0qFt6hyHQm7XP5meEF
 =pb89
 -----END PGP SIGNATURE-----

Merge tag 'arc-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc

Pull ARC updates from Vineet Gupta:

 - Fix for atomic_fetch_#op  [Will Deacon]

 - Enable per device IOC [Eugeniy Paltsev]

 - Remove redundant gcc version checks [Masahiro Yamada]

 - Miscll platform config/DT updates [Alexey Brodkin]

* tag 'arc-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARC: don't check for HIGHMEM pages in arch_dma_alloc
  ARC: IOC: panic if both IOC and ZONE_HIGHMEM enabled
  ARC: dma [IOC] Enable per device io coherency
  ARC: dma [IOC]: mark DMA devices connected as dma-coherent
  ARC: atomics: unbork atomic_fetch_##op()
  arc: remove redundant GCC version checks
  ARC: sort Kconfig
  ARC: cleanup show_faulting_vma()
  ARC: [plat-axs*]: Enable SWAP
  ARC: [plat-axs*/plat-hsdk]: Allow U-Boot to pass MAC-address to the kernel
  ARC: configs: cleanup
2018-09-07 16:45:32 -07:00
David Howells
ecfe951f0c afs: Fix cell specification to permit an empty address list
Fix the cell specification mechanism to allow cells to be pre-created
without having to specify at least one address (the addresses will be
upcalled for).

This allows the cell information preload service to avoid the need to issue
loads of DNS lookups during boot to get the addresses for each cell (500+
lookups for the 'standard' cell list[*]).  The lookups can be done later as
each cell is accessed through the filesystem.

Also remove the print statement that prints a line every time a new cell is
added.

[*] There are 144 cells in the list.  Each cell is first looked up for an
    SRV record, and if that fails, for an AFSDB record.  These get a list
    of server names, each of which then has to be looked up to get the
    addresses for that server.  E.g.:

	dig srv _afs3-vlserver._udp.grand.central.org

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-09-07 16:39:44 -07:00
Maciej S. Szmigiero
f74dd480cf r8169: set TxConfig register after TX / RX is enabled, just like RxConfig
Commit 3559d81e76 ("r8169: simplify rtl_hw_start_8169") changed order of
two register writes:
1) Caused RxConfig to be written before TX / RX is enabled,
2) Caused TxConfig to be written before TX / RX is enabled.

At least on XIDs 10000000 ("RTL8169sb/8110sb") and
18000000 ("RTL8169sc/8110sc") such writes are ignored by the chip, leaving
values in these registers intact.

Change 1) was reverted by
commit 05212ba813 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices"),
however change 2) wasn't.

In practice, this caused TxConfig's "InterFrameGap time" and "Max DMA Burst
Size per Tx DMA Burst" bits to be zero dramatically reducing TX performance
(in my tests it dropped from around 500Mbps to around 50Mbps).

This patch fixes the issue by moving TxConfig register write a bit later in
the code so it happens after TX / RX is already enabled.

Fixes: 05212ba813 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices")
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-07 14:52:23 -07:00
Linus Torvalds
3d0e7a9e00 Merge tag 'md/4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
Pull MD fixes from Shaohua Li:

 - Fix a locking issue for md-cluster (Guoqing)

 - Fix a sync crash for raid10 (Ni)

 - Fix a reshape bug with raid5 cache enabled (me)

* tag 'md/4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
  md-cluster: release RESYNC lock after the last resync message
  RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
  md/raid5-cache: disable reshape completely
2018-09-07 12:15:37 -07:00
Linus Torvalds
a12ed06ba2 Two rbd patches to complete support for images within namespaces that
went into -rc1 and a use-after-free fix.
 
 The rbd changes have been sitting in a branch for quite a while but
 couldn't be included into the -rc1 pull request because of a pending
 wire protocol backwards compatibility fixup that only got committed
 early this week.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEydHwtzie9C7TfviiSn/eOAIR84sFAluSrJYTHGlkcnlvbW92
 QGdtYWlsLmNvbQAKCRBKf944AhHzi/N8B/4sZzRCJMCejvU/yRq91NlaPDrxbVHh
 nfICZ/8Fsy/fmvK8NWNyHcCIWx+nWrbCvCJMj0fxWMhk/1t75yC+TdyCJnyuhsQU
 V/CPTs9BTdwrSUiTB83/n/ukGL6mpESk0CQ1er/l1EO6FnNOXvgzHDnCqUQZLdzU
 1aRcx5JQWWo/QlCmzt2KWENhfQRMvLAtf04F5cUuR+JTrMjwWia6MAuRGuOhVQkW
 XIlFNakBKab89Vod1pmA7BrG/+sHXCpVGX6sjAp9vQUWO3WWKBRnNtVwo9dPSHah
 hBR8IzOkihw7HfTlINWVpiR69nTfM80PQHXJkFSp36E6Sfq8EShRpFIZ
 =pga5
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client

Pull ceph fixes from Ilya Dryomov:
 "Two rbd patches to complete support for images within namespaces that
  went into -rc1 and a use-after-free fix.

  The rbd changes have been sitting in a branch for quite a while but
  couldn't be included into the -rc1 pull request because of a pending
  wire protocol backwards compatibility fixup that only got committed
  early this week"

* tag 'ceph-for-4.19-rc3' of https://github.com/ceph/ceph-client:
  rbd: support cloning across namespaces
  rbd: factor out get_parent_info()
  ceph: avoid a use-after-free in ceph_destroy_options()
2018-09-07 10:57:59 -07:00
Linus Torvalds
d042a240a8 \n
-----BEGIN PGP SIGNATURE-----
 
 iQEzBAABCAAdFiEEq1nRK9aeMoq1VSgcnJ2qBz9kQNkFAluSNfQACgkQnJ2qBz9k
 QNloSAf/RpsqUnmQvJKK7hQUVNMCQP/Kf3KND5iN5RfMbhU9r7tzERkNvqhdA6QZ
 uoPi8dEecI+ihY5F8ddyw1Chaou4MToWKdNz4ojwJXVrN6bb+pq+xj0hTvT5FjFh
 iM1JXHtSEk6W+CnXPE5CycrZppIHxJfJxeaWg7av5Zyc4nkTesxtG8PycMBxROW8
 detUcJt15VGBswi19udztf7XY/lwDwUQ9LwC0W5B+o8pKIwuN3ENMVVOeAriAyoy
 hXTpPA8twBhM7i8D/1eppDCkYLTr08bquNsDpn8kUEf2RxcxiFJuDLOeXiH3sQRq
 BZmf/QIIRA8R+SPeFiuxY/795FDC6Q==
 =CWu1
 -----END PGP SIGNATURE-----

Merge tag 'for_v4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs

Pull fsnotify fix from Jan Kara:
 "A small fsnotify fix from Amir"

* tag 'for_v4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  fsnotify: fix ignore mask logic in fsnotify()
2018-09-07 10:54:46 -07:00
Linus Torvalds
4ff8a142bd arm64 fix
- Remove accidental VM_WARN_ON
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCgAGBQJbkorgAAoJELescNyEwWM0my8IAKsVsc5heKBeL/0Ep5gfXJLS
 H3kjkToFKfOeVADLfZXfTkPzlx9f1NrEP4+b/hQYgqGqXQcvCIwEXzpTMFg4pT4/
 ERhYtq9qYBNQmg4AZnTHl2cKSRFt+s7knTZMoTEwNk1NxdBQAtbIZa9HB9Ly2mSn
 xK6UP7zsZvRcY02BlyDQ0A/QBjzQAi3I83FRLizxjPYaSUhF0QqhrzTr0ANoKEjv
 DnX04nJEMYqLEjSKWTn3rzot2PgLVDcMEjXKwMB3XB6LML3KLRUsvnTpxED5c+dW
 tv+wzKKdaFeHWmfFxUgYZXSd4igh0IKf3OZDohRKz+lNOhKrTYUE35dtFyyw04I=
 =xYN8
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fix from Will Deacon:
 "Just one small fix here, preventing a VM_WARN_ON when a !present
  PMD/PUD is "freed" as part of a huge ioremap() operation.

  The correct behaviour is to skip the free silently in this case, which
  is a little weird (the function is a bit of a misnomer), but it
  follows the x86 implementation"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64: fix erroneous warnings in page freeing functions
2018-09-07 10:37:23 -07:00
Linus Torvalds
5393734014 ACPI fixes for 4.19-rc3
- Fix a power management regression in the ACPI driver for Intel
    SoCs (LPSS) introduced by a system-wide suspend/resume fix during
    the 4.18 cycle (Zhang Rui).
 
  - Prevent dmi_check_system() from being called on non-x86 systems in
    the ACPI core (Jean Delvare).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJbkjqmAAoJEILEb/54YlRxUn0QAKNCccsWcBnli0OkFKQNvgHN
 cSq8sBLi6PoBULbkOKXgUPxjOajoeJ4I4YyZUIKD8sj4MJyLjGFQY+eDGHqjIetO
 8MmAtSPlmu9xwO3T9OAhnRFI/zMYXHoT1PP7fGfQr8Ok0CpPlfIVZBGzy/9G8PeR
 wgEYSIEcHpD6KphOG0FcUsA2aJdQf9pFe+OPBnNJpj8s7d6nsNhcYqoxQS4R7auz
 2jJkh7khSwuY9EK8+mTLxnx9KUK3E39sTpgFbaixuujUEMnH5hVe1WpH38SC1ufZ
 tGmXA19wZ9xzH02TA5tymx4dViDWMAQBNjoQ7uyqqLWM20oELE0MLbORyIqrUORP
 wf6A+45xNxoVfQieqr8JJMjj0uPeCjKD1kLfPw6xerAI1+xXU7RRGcnaca1UoTVa
 BmKrmReuC+7vpPJ6kZgR0m+LsaIyDF+b4/glgSJH28KoZwv6ZePxvd1tNZsdgYon
 P5lBwLAMXvXvIrEkyx7MAz211EXM0AfJ4Vlt+How9vJt0g6y7cOETsP8hcguYTSb
 KNUiCTL2/+lGMnPYPsWpRFRYYtWMI2gFs97/HO+Ay2MdH3NjQS0CkZ9sNphlixMV
 5dhVidswOwP1lQomps0PZkE2ZW38WedHXuGtQSl3imYhJbWLkoo8PINBt2vwh6cm
 YP+/eFIk4D/hvPFESjvA
 =R0It
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "These fix a regression from the 4.18 cycle in the ACPI driver for
  Intel SoCs (LPSS) and prevent dmi_check_system() from being called on
  non-x86 systems in the ACPI core.

  Specifics:

   - Fix a power management regression in the ACPI driver for Intel SoCs
     (LPSS) introduced by a system-wide suspend/resume fix during the
     4.18 cycle (Zhang Rui).

   - Prevent dmi_check_system() from being called on non-x86 systems in
     the ACPI core (Jean Delvare)"

* tag 'acpi-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / LPSS: Force LPSS quirks on boot
  ACPI / bus: Only call dmi_check_system() on X86
2018-09-07 10:25:26 -07:00
Linus Torvalds
69ddce94e3 sound fixes for 4.19-rc3
Just a few small fixes:
 - a fix for the recursive work cancellation in a specific HD-audio
   operation mode
 - a fix for potentially uninitialized memory access via rawmidi
 - the register bit access fixes for ASoC HD-audio
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAluRUPIOHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE+Ocg/+IyPtFzekuBO5zqp9PtDAz0stpvYiUerRYzUL
 PUZzKq4RoIpcZb5wk5wNATAlVGXhQEDzPdjYHQCW639Osj9s6429EufoKXqL9U29
 UrKDMJBCmha3CAe6GJsBTNC/Lt8Zp60nV9HYfT9EU0LPRhQ9kw+gX2I7HyFxE5aw
 7Ik5jOpiC+cR7gSuROL0ZzPQ4mG3YWSe6OWXYpoefuuDRQ7NpG4GIn/KQlJMoUlx
 41GABCvLu2PIApczXzgZUGhTq4C+/0xZuYF4qf4iM5bDFhPxOC1u2eQftiXL5jGI
 +ZWnCjw7005FmH3Yvwrc3S1vpdI26Kzd7Zg5F4xb5vSOybRLmajbnGq1jzqm7bDh
 TcyET4VnX2gkL3DYq5fgwI5gqJPqkd8K8NC1L+YtqzAMb1GN2qDj/0FebGnY1Jpn
 Zufu25bnX+3JKAYB37c/TSzdkKFch6w0Z2TtsmlYjpmTz0m1AyiwdyQ2HcTr+KBx
 a1b1YU5+pvgRFpmgQUpGgXgyoG6+51np4oYf7Memc3gR1Fq8vht18hStgCP0qpuP
 b4uvgOtSKMxJVDxflAbOHE+nhX1O9RciXR7Mep4haDtOTm8bW931L+GlkH1mRRYg
 e4PAo4TmfzcQCyRATWMaA9i4l2hwRyhpndjAP81lyCVba3WBZa7xnLPaDLFFmSuT
 b0h9hi4=
 =nuWw
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Just a few small fixes:

   - a fix for the recursive work cancellation in a specific HD-audio
     operation mode

   - a fix for potentially uninitialized memory access via rawmidi

   - the register bit access fixes for ASoC HD-audio"

* tag 'sound-4.19-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda: Fix several mismatch for register mask and value
  ALSA: rawmidi: Initialize allocated buffers
  ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
2018-09-07 10:20:31 -07:00
Wanpeng Li
bdf7ffc899 KVM: LAPIC: Fix pv ipis out-of-bounds access
Dan Carpenter reported that the untrusted data returns from kvm_register_read()
results in the following static checker warning:
  arch/x86/kvm/lapic.c:576 kvm_pv_send_ipi()
  error: buffer underflow 'map->phys_map' 's32min-s32max'

KVM guest can easily trigger this by executing the following assembly sequence
in Ring0:

mov $10, %rax
mov $0xFFFFFFFF, %rbx
mov $0xFFFFFFFF, %rdx
mov $0, %rsi
vmcall

As this will cause KVM to execute the following code-path:
vmx_handle_exit() -> handle_vmcall() -> kvm_emulate_hypercall() -> kvm_pv_send_ipi()
which will reach out-of-bounds access.

This patch fixes it by adding a check to kvm_pv_send_ipi() against map->max_apic_id,
ignoring destinations that are not present and delivering the rest. We also check
whether or not map->phys_map[min + i] is NULL since the max_apic_id is set to the
max apic id, some phys_map maybe NULL when apic id is sparse, especially kvm
unconditionally set max_apic_id to 255 to reserve enough space for any xAPIC ID.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Liran Alon <liran.alon@oracle.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Wanpeng Li <wanpengli@tencent.com>
[Add second "if (min > map->max_apic_id)" to complete the fix. -Radim]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2018-09-07 18:38:43 +02:00
Liran Alon
b5861e5cf2 KVM: nVMX: Fix loss of pending IRQ/NMI before entering L2
Consider the case L1 had a IRQ/NMI event until it executed
VMLAUNCH/VMRESUME which wasn't delivered because it was disallowed
(e.g. interrupts disabled). When L1 executes VMLAUNCH/VMRESUME,
L0 needs to evaluate if this pending event should cause an exit from
L2 to L1 or delivered directly to L2 (e.g. In case L1 don't intercept
EXTERNAL_INTERRUPT).

Usually this would be handled by L0 requesting a IRQ/NMI window
by setting VMCS accordingly. However, this setting was done on
VMCS01 and now VMCS02 is active instead. Thus, when L1 executes
VMLAUNCH/VMRESUME we force L0 to perform pending event evaluation by
requesting a KVM_REQ_EVENT.

Note that above scenario exists when L1 KVM is about to enter L2 but
requests an "immediate-exit". As in this case, L1 will
disable-interrupts and then send a self-IPI before entering L2.

Reviewed-by: Nikita Leshchenko <nikita.leshchenko@oracle.com>
Co-developed-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Liran Alon <liran.alon@oracle.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2018-09-07 18:38:42 +02:00
Radim Krčmář
564ad0aa85 Fixes for KVM/ARM for Linux v4.19 v2:
- Fix a VFP corruption in 32-bit guest
  - Add missing cache invalidation for CoW pages
  - Two small cleanups
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJbkngmAAoJEEtpOizt6ddyeaoH/15bbGHlwWf23tGjSoDzhyD4
 zAXfy+SJdm4cR8K7jEkVrNffkEMAby7Zl28hTHKB9jsY1K8DD+EuCE3Nd4kkVAsc
 iHJwV4aiHil/zC5SyE0MqMzELeS8UhsxESYebG6yNF0ElQDQ0SG+QAFr47/OBN9S
 u4I7x0rhyJP6Kg8z9U4KtEX0hM6C7VVunGWu44/xZSAecTaMuJnItCIM4UMdEkSs
 xpAoI59lwM6BWrXLvEunekAkxEXoR7AVpQER2PDINoLK2I0i0oavhPim9Xdt2ZXs
 rqQqfmwmPOVvYbexDp97JtfWo3/psGLqvgoK1tq9bzF3u6Y3ylnUK5IspyVYwuQ=
 =TK8A
 -----END PGP SIGNATURE-----

Merge tag 'kvm-arm-fixes-for-v4.19-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm

Fixes for KVM/ARM for Linux v4.19 v2:

 - Fix a VFP corruption in 32-bit guest
 - Add missing cache invalidation for CoW pages
 - Two small cleanups
2018-09-07 18:38:25 +02:00
Radim Krčmář
ed2ef29100 KVM: s390: Fixes for 4.19
- Fallout from the hugetlbfs support: pfmf interpretion and locking
 - VSIE: fix keywrapping for nested guests
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJbj40sAAoJEBF7vIC1phx8MIYQAK6TtogzCUok4nvRJZGl34Ac
 HvJP2OTSNcJO8MA/DkmXk6LNVgrjgLqc4Y0MCMqaz9EzM1FVM0A5cQ4Tiiwk6dlG
 395Q5SbkrmVIpmxG7dSQbrj3HlMTUCz7jtAUrDS57zaWYdKhqX+AUuW45u+TPfAo
 DL00wS+WJxiTWB06cr0gHpHcXyctn5hK0cYUZQokMn2a1pAjLrS4TEpvoGOcu2d6
 lULY6uYWCwCnma8eieiC8ssLzB8opDPedLrewBnaZFziEZZrPybYvT8uMffNfygA
 tj7og1/+iqnUmyAG20Fb8oM0MMcjRWhLGHVFpv1W1ph7624oDUb3Tzd7rV8bzTMC
 NoqHeIv+oQyhRJCsuPTe2jUcpKc/eJzA8o3ZUdu3LeDBXxNzNOIh08iRHvyFC9iM
 91/YkyYcDW2cukxqYjIwPf+y/dVHRqNAmcs9+hvu8AiNeUJPGUYsmlTBABEg0V9H
 gubV7m/Gl5Yx95UyrlQ4UkuvkOzmtwFYsnFKE0KnqT99bbFFf2na3CZyYBJFBVOj
 knSl3lS9W5LLrZ3s2VaJ/4/bPc4oGjW1ADEamQCYa4K3XQoMrnqGdL0VVuALJ2dZ
 RVIz2DP+P6HBCoRWD0cOA0Q+MvP5hl6TrGDdpCbza3ASSF1f/eSASvHs4P4JQPqY
 dWQ3uIByc3wDXuErkcT5
 =kgjR
 -----END PGP SIGNATURE-----

Merge tag 'kvm-s390-master-4.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux

KVM: s390: Fixes for 4.19

- Fallout from the hugetlbfs support: pfmf interpretion and locking
- VSIE: fix keywrapping for nested guests
2018-09-07 18:30:47 +02:00
Steven Price
df3190e220 arm64: KVM: Remove pgd_lock
The lock has never been used and the page tables are protected by
mmu_lock in struct kvm.

Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
2018-09-07 15:06:03 +02:00
Marc Zyngier
a35381e10d KVM: Remove obsolete kvm_unmap_hva notifier backend
kvm_unmap_hva is long gone, and we only have kvm_unmap_hva_range to
deal with. Drop the now obsolete code.

Fixes: fb1522e099 ("KVM: update to new mmu_notifier semantic v2")
Cc: James Hogan <jhogan@kernel.org>
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
2018-09-07 15:06:02 +02:00
Marc Zyngier
7d14919c0d arm64: KVM: Only force FPEXC32_EL2.EN if trapping FPSIMD
If trapping FPSIMD in the context of an AArch32 guest, it is critical
to set FPEXC32_EL2.EN to 1 so that the trapping is taken to EL2 and
not EL1.

Conversely, it is just as critical *not* to set FPEXC32_EL2.EN to 1
if we're not going to trap FPSIMD, as we then corrupt the existing
VFP state.

Moving the call to __activate_traps_fpsimd32 to the point where we
know for sure that we are going to trap ensures that we don't set that
bit spuriously.

Fixes: e6b673b741 ("KVM: arm64: Optimise FPSIMD handling to reduce guest/host thrashing")
Cc: stable@vger.kernel.org # v4.18
Cc: Dave Martin <dave.martin@arm.com>
Reported-by: Alexander Graf <agraf@suse.de>
Tested-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
2018-09-07 15:05:50 +02:00
Marc Zyngier
694556d54f KVM: arm/arm64: Clean dcache to PoC when changing PTE due to CoW
When triggering a CoW, we unmap the RO page via an MMU notifier
(invalidate_range_start), and then populate the new PTE using another
one (change_pte). In the meantime, we'll have copied the old page
into the new one.

The problem is that the data for the new page is sitting in the
cache, and should the guest have an uncached mapping to that page
(or its MMU off), following accesses will bypass the cache.

In a way, this is similar to what happens on a translation fault:
We need to clean the page to the PoC before mapping it. So let's just
do that.

This fixes a KVM unit test regression observed on a HiSilicon platform,
and subsequently reproduced on Seattle.

Fixes: a9c0e12ebe ("KVM: arm/arm64: Only clean the dcache on translation fault")
Cc: stable@vger.kernel.org # v4.16+
Reported-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Christoffer Dall <christoffer.dall@arm.com>
2018-09-07 15:05:40 +02:00
Michal Simek
da4dfaf842 i2c: xiic: Record xilinx i2c with Zynq fragment
Include xilinx soft i2c controller to Zynq fragment to make clear who is
responsible for it.

Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
2018-09-07 13:04:45 +02:00
Rafael J. Wysocki
a6b7eb3b41 Merge branch 'acpi-bus'
Merge ACPI core fix to avoid calling dmi_check_system() on non-x86.

* acpi-bus:
  ACPI / bus: Only call dmi_check_system() on X86
2018-09-07 10:05:20 +02:00
Cong Wang
8f5c5fcf35 tipc: call start and done ops directly in __tipc_nl_compat_dumpit()
__tipc_nl_compat_dumpit() uses a netlink_callback on stack,
so the only way to align it with other ->dumpit() call path
is calling tipc_dump_start() and tipc_dump_done() directly
inside it. Otherwise ->dumpit() would always get NULL from
cb->args[].

But tipc_dump_start() uses sock_net(cb->skb->sk) to retrieve
net pointer, the cb->skb here doesn't set skb->sk, the net pointer
is saved in msg->net instead, so introduce a helper function
__tipc_dump_start() to pass in msg->net.

Ying pointed out cb->args[0...3] are already used by other
callbacks on this call path, so we can't use cb->args[0] any
more, use cb->args[4] instead.

Fixes: 9a07efa9ae ("tipc: switch to rhashtable iterator")
Reported-and-tested-by: syzbot+e93a2c41f91b8e2c7d9b@syzkaller.appspotmail.com
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-06 21:49:18 -07:00
Linus Torvalds
a49a9dcce8 i915 fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbkdySAAoJEAx081l5xIa+35IP/2jlHwU/EABqktSYl2hiG41c
 gN/4r83Oj+Wg61mrwfNgKlGHmBclMwPFk+ZI/wUOCP/rfUPVSKQhOt6gtVL053JG
 GUTK1zLqzbHAyubdVdEXe43llGf9iawcsyY5Iv8qdN3l+Y+LzasOCnfi25UUUZTO
 MrB4hB+26ukymZr6yXjvmGzP617XSH5JyXwqyeNWr4/D6t15bQGsfymnexBYAn92
 Jik6Y0B5g2wksUFx3Cp9JABp+zXz7geP2LbfehFEa2tmyyik+I/eTGO3OFOHHK9G
 DCW7Hd+7+KLd6IuyD7GLTeIGuFyMeWH6vbsu51bm/Cqb6LA2lCzbkTWHKAPBVik3
 GAbYTC58HOElp1p+ttvFNAHmf6BbiOLjX28kFLbwaieyduKbJ2Hd41/rFuvRBuIy
 npcc7O/NUhEtklpOkueKi4J6En9Bz1pT4wbZgzJEfTeWcqNZn6tRe75ncEqAg/g3
 HafK7g5Y9ZlnvBCYV5759SBLjEEOACO5/usxR8MtCPcrrMbJKUdhCzYL2CXhhP7w
 YoBk97uTBqFkQd8VAMM+RU2/aELxySAntUxXk5q75uAY711CrRoAjWWCOjS5ilhQ
 dXWfKhwYZXbx7lemziC9Nbn1qPczvVsAohot0ETBLHFHing8AfTW8hCHYHTkj/F2
 F81nD908CG9lL1lYq/K/
 =722Y
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-09-07' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Seems to have been overly quiet this week so I expect next week will
  be more stuff, just one pull from Rodrigo with i915 fixes in it.

  Quoting Rodrigo:

    'The critical fix here on display side is the DP MST regression one.

     But this pull also include fixes for DP SST, small VDSC register
     fix and GVT's bucked with "BXT fixes, two guest warning fixes,
     dmabuf format mod fix and one for recent multiple VM timeout
     failure'."

* tag 'drm-fixes-2018-09-07' of git://anongit.freedesktop.org/drm/drm:
  drm/i915/dp_mst: Fix enabling pipe clock for all streams
  drm/i915/dsc: Fix PPS register definition macros for 2nd VDSC engine
  drm/i915: Re-apply "Perform link quality check, unconditionally during long pulse"
  drm/i915/gvt: Give new born vGPU higher scheduling chance
  drm/i915/gvt: Fix drm_format_mod value for vGPU plane
  drm/i915/gvt: move intel_runtime_pm_get out of spin_lock in stop_schedule
  drm/i915/gvt: Handle GEN9_WM_CHICKEN3 with F_CMD_ACCESS.
  drm/i915/gvt: Make correct handling to vreg BXT_PHY_CTL_FAMILY
  drm/i915/gvt: emulate gen9 dbuf ctl register access
2018-09-06 20:19:57 -07:00
Linus Torvalds
631267f6ad Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Pull m68knommu fix from Greg Ungerer:
 "A single change to fix booting on ColdFire platforms that have RAM
  starting at a non-0 address"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
  m68k: fix early memory reservation for ColdFire MMU systems
2018-09-06 19:35:30 -07:00
Dave Airlie
67c6ed7cf9 The critical fix here on display side is the DP MST regression one.
But this pull also include fixes for DP SST, small VDSC register fix
 and GVT's bucked with "BXT fixes, two guest warning fixes, dmabuf
 format mod fix and one for recent multiple VM timeout failure."
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJbkCCZAAoJEPpiX2QO6xPKmhgIAIX+VmEMS+dP6YOP9ghTbBrI
 rNa6iAss17EvxQ3DXxS3dPEQHFiyIGfnZo1Kc/BCIs00qUUU10DlsszQkDurnfAp
 18w8aDH6CRZmDeq6CA4g0K1DjkHJYhnPutrLUHpnZwZE1W6avAXjo4kM5pXKehza
 IPKQK063DacNOcjN1hhzLoPM7FJTBof4X62bv8lGuhv44N8ei1v3bTqii2YQrakg
 h6PdF4uGpjrXeGs+1VFD5gGbYFWkNwTVVkFZg2yKF91axPZrtSAo/CroEiKDsrfM
 iPMRll5Hm5fgOJM3wCd2NUp/10NXO/BX9h+87w988lsDeExwqVJel/OdX9B3n1c=
 =xY7e
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2018-09-05' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

The critical fix here on display side is the DP MST regression one.
But this pull also include fixes for DP SST, small VDSC register fix
and GVT's bucked with "BXT fixes, two guest warning fixes, dmabuf
format mod fix and one for recent multiple VM timeout failure."

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180905183000.GA2151@intel.com
2018-09-07 11:07:03 +10:00
Linus Torvalds
2601dd392d A single fix for v4.19-rc3, resolving a problem with our VDSO data page
for systems with dcache aliasing. Those systems could previously observe
 stale data, causing clock_gettime() & gettimeofday() to return incorrect
 values.
 -----BEGIN PGP SIGNATURE-----
 
 iIsEABYIADMWIQRgLjeFAZEXQzy86/s+p5+stXUA3QUCW5GjkhUccGF1bC5idXJ0
 b25AbWlwcy5jb20ACgkQPqefrLV1AN3LmgEA3bCpFJNpj6Ep4ffwHx6bLOgHzr3T
 1CPx6UWPktIBZIgBAMmOWzCC5U/fqp3974lwohEG0orAzOfpuLn6uX9X0m4O
 =TEC0
 -----END PGP SIGNATURE-----

Merge tag 'mips_fixes_4.19_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux

Pull MIPS fix from Paul Burton:
 "A single fix for v4.19-rc3, resolving a problem with our VDSO data
  page for systems with dcache aliasing. Those systems could previously
  observe stale data, causing clock_gettime() & gettimeofday() to return
  incorrect values"

* tag 'mips_fixes_4.19_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
  MIPS: VDSO: Match data page cache colouring when D$ aliases
2018-09-06 15:42:10 -07:00
Linus Torvalds
c6ff25ce35 four small SMB3 fixes, three for stable, and one minor debug clarification
-----BEGIN PGP SIGNATURE-----
 
 iQGzBAABCgAdFiEE6fsu8pdIjtWE/DpLiiy9cAdyT1EFAluRb84ACgkQiiy9cAdy
 T1GBuAv/ZkXC5cxNpE84dRLii4ey+Y0u5ip3VIyzxwburDDxQh99zWTs8FdyYe1f
 5CYD4PKcNajVceNUg1EdfkNC4ss21I2HcxujquCo8gZJqrt5lHvZXELJ31d8ovXG
 Y2MRl5+KZKLx1sBgzsGJf3aZOneObp7EEAnL/bjeziX7caD6uO/F52MXcMgWrpoM
 krvWSMzS5iY+jRltvPLhTzUmfbaPoS86FRNIHHOiA8AgQLvx3CT4lL+kJOHv1bHX
 haZc9zKy1iUU+yK05vnNLOHVlPeZDa8j/Q8lcEfTrDVa0J/je4DkI9HsB1X54vz0
 65JluAf4G4vaSYU/hnLaWt4PZ7owjTr7fJlu0c8TE6aPqAZEYYoVhjbrdXg7OI4j
 9nUsoEY1hyBH2X5qStvpb9GiZbhR19bhcvnvOAgZ7p4VnyKfexe7o2QHTCPPAxaP
 uYf8OeHjmnYF3MQI0s6rA0TPdZxc77acgrZQWUoOMPN/bwkyP1bSfA1aURJAsx/k
 OodjAog1
 =WRXo
 -----END PGP SIGNATURE-----

Merge tag '4.19-rc2-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Four small SMB3 fixes, three for stable, and one minor debug
  clarification"

* tag '4.19-rc2-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: connect to servername instead of IP for IPC$ share
  smb3: check for and properly advertise directory lease support
  smb3: minor debugging clarifications in rfc1001 len processing
  SMB3: Backup intent flag missing for directory opens with backupuid mounts
  fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
2018-09-06 15:39:11 -07:00
Peter Zijlstra
e2c631ba75 clocksource: Revert "Remove kthread"
I turns out that the silly spawn kthread from worker was actually needed.

clocksource_watchdog_kthread() cannot be called directly from
clocksource_watchdog_work(), because clocksource_select() calls
timekeeping_notify() which uses stop_machine(). One cannot use
stop_machine() from a workqueue() due lock inversions wrt CPU hotplug.

Revert the patch but add a comment that explain why we jump through such
apparently silly hoops.

Fixes: 7197e77abc ("clocksource: Remove kthread")
Reported-by: Siegfried Metz <frame@mailbox.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Niklas Cassel <niklas.cassel@linaro.org>
Tested-by: Kevin Shanahan <kevin@shanahan.id.au>
Tested-by: viktor_jaegerskuepper@freenet.de
Tested-by: Siegfried Metz <frame@mailbox.org>
Cc: rafael.j.wysocki@intel.com
Cc: len.brown@intel.com
Cc: diego.viola@gmail.com
Cc: rui.zhang@intel.com
Cc: bjorn.andersson@linaro.org
Link: https://lkml.kernel.org/r/20180905084158.GR24124@hirez.programming.kicks-ass.net
2018-09-06 23:38:35 +02:00
Heinz Mauelshagen
5380c05b68 dm raid: bump target version, update comments and documentation
Bump target version to reflect the documented fixes are available.
Also fix some code comments (typos and clarity).

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-09-06 17:07:58 -04:00
Heinz Mauelshagen
36a240a706 dm raid: fix RAID leg rebuild errors
On fast devices such as NVMe, a flaw in rs_get_progress() results in
false target status output when userspace lvm2 requests leg rebuilds
(symptom of the failure is device health chars 'aaaaaaaa' instead of
expected 'aAaAAAAA' causing lvm2 to fail).

The correct sync action state definitions already exist in
decipher_sync_action() so fix rs_get_progress() to use it.

Change decipher_sync_action() to return an enum rather than a string for
the sync states and call it from rs_get_progress().  Introduce
sync_str() to translate from enum to the string that is needed by
raid_status().

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-09-06 17:07:56 -04:00
Heinz Mauelshagen
c44a5ee803 dm raid: fix rebuild of specific devices by updating superblock
Update superblock when particular devices are requested via rebuild
(e.g. lvconvert --replace ...) to avoid spurious failure with the "New
device injected into existing raid set without 'delta_disks' or
'rebuild' parameter specified" error message.

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-09-06 17:07:56 -04:00
Heinz Mauelshagen
644e2537fd dm raid: fix stripe adding reshape deadlock
When initiating a stripe adding reshape, a deadlock between
md_stop_writes() waiting for the sync thread to stop and the running
sync thread waiting for inactive stripes occurs (this frequently happens
on single-core but rarely on multi-core systems).

Fix this deadlock by setting MD_RECOVERY_WAIT to have the main MD
resynchronization thread worker (md_do_sync()) bail out when initiating
the reshape via constructor arguments.

Signed-off-by: Heinz Mauelshagen <heinzm@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
2018-09-06 17:07:50 -04:00
Linus Torvalds
ca16eb342e for-linus-20180906
-----BEGIN PGP SIGNATURE-----
 
 iQJEBAABCAAuFiEEwPw5LcreJtl1+l5K99NY+ylx4KYFAluRkywQHGF4Ym9lQGtl
 cm5lbC5kawAKCRD301j7KXHgpm8uEAC8vBFb5tzZ2dOeRbGQ6LaPTToBmRrLtOcP
 kDRnfZIw0raNStOpn1dkGLz8IOSjwOGftx9Q4pJed25vynTEq5lYmmLVUlJQ6cJ7
 oNpYiCdPxJvbKz5fChGG2nHHa1RLer1d728NZtkeZU/ChPmw56EO5ORghE7zPG7K
 Z/0qHYsgwS427o8pUDsymmt6I62IJGrjzqJdC0pqBy6RePQWtlwkmtd7CIgFiffY
 tDnk6RSwcihnIalMMLvFXeGf6cSaZvuH4oK1QNdfojAyS8kWeA6gHtjRS8UcuuUY
 t6o+hU0vki8bghoNoI40RrLgAmV91BVv1/Voo79dQvDWAigyie51HwFFkqdWzJxJ
 g4MCZYpys26w/VUGBFCku0hiRIAhZFO8Sun5zbVCJpyt8hTXF0RrG3CpwmCF7Lc0
 m+h8tJanEMCesfYMztTD31L1BOFhJeOgBJr4a5QURy0LbIvC0V52IKiOQ0475E8E
 H10rQaRw/7Am+mZugedMUGMgYD/eN33NQoRuTWZdck/58big2SU78zGpR/GqTmy3
 w9v2I8ksBTivzEayBV0G4Z5Gxu7QYA7NMsO5RS/wuGfUX8D/1QtQU9Ejh5TESbek
 R3WUyhXJJ2S+DWTUlmX7TgPxYxG3sXatQbSAgFJiucxyIRdpdqfeoXmOHvPrWZEq
 O3VDm0D6pw==
 =qhv7
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20180906' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "Small collection of fixes that should go into this release. This
  contains:

   - Small series that fixes a race between blkcg teardown and writeback
     (Dennis Zhou)

   - Fix disallowing invalid block size settings from the nbd ioctl (me)

   - BFQ fix for a use-after-free on last release of a bfqg (Konstantin
     Khlebnikov)

   - Fix for the "don't warn for flush" fix (Mikulas)"

* tag 'for-linus-20180906' of git://git.kernel.dk/linux-block:
  block: bfq: swap puts in bfqg_and_blkg_put
  block: don't warn when doing fsync on read-only devices
  nbd: don't allow invalid blocksize settings
  blkcg: use tryget logic when associating a blkg with a bio
  blkcg: delay blkg destruction until after writeback has finished
  Revert "blk-throttle: fix race between blkcg_bio_issue_check() and cgroup_rmdir()"
2018-09-06 14:01:15 -07:00
Ben Skeggs
53b0cc46f2 drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
Fixes eDP backlight issues on more recent laptops.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
e04cfdc9b7 drm/nouveau/disp: fix DP disable race
If a HPD pulse signalling the need to retrain the link occurs between
the KMS driver releasing the output and the supervisor interrupt that
finishes the teardown, it was possible get a NULL-ptr deref.

Avoid this by marking the link as inactive earlier.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
f6d52b2172 drm/nouveau/disp: move eDP panel power handling
We need to do this earlier to prevent aux channel timeouts in resume
paths on certain systems.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
606557708f drm/nouveau/disp: remove unused struct member
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
0a6986c659 drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
This Falcon application doesn't appear to be present on some newer
systems, so let's not fail init if we can't find it.

TBD: is there a way to determine whether it *should* be there?

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
51ed833c88 drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
Fixes oopses in certain failure paths.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:28 +10:00
Ben Skeggs
a43b16dda2 drm/nouveau: fix oops in client init failure path
The NV_ERROR macro requires drm->client to be initialised, which it may not
be at this stage of the init process.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:27 +10:00
Lyude Paul
d5986a1c4d drm/nouveau: Fix nouveau_connector_ddc_detect()
It looks like that when we moved over to using
drm_connector_for_each_possible_encoder() in nouveau, that one rather
important part of this function got dropped by accident:

	/*          Right   v   here */
	for (i = 0; nv_encoder = NULL, i < DRM_CONNECTOR_MAX_ENCODER; i++) {
		int id = connector->encoder_ids[i];
		if (id == 0)
			break;

Since it's rather difficult to notice: the conditional in this loop is
actually:

	nv_encoder = NULL, i < DRM_CONNECTOR_MAX_ENCODER

Meaning that all early breaks result in nv_encoder keeping it's value,
otherwise nv_encoder = NULL. Ugh.

Since this got dropped, nouveau_connector_ddc_detect() now returns an
encoder for every single connector, regardless of whether or not it's
detected:

    [ 1780.056185] nouveau 0000:01:00.0: DRM: DDC responded, but no EDID for DP-2

So: fix this to ensure we only return an encoder if we actually found
one, and clean up the rest of the function while we're at it since it's
nearly impossible to read properly.

Changes since v1:
- Don't skip ddc probing for LVDS if we can't switch DDC through
  vga-switcheroo, just do the DDC probing without calling
  vga_switcheroo_lock_ddc() - skeggsb

Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Fixes: ddba766dd0 ("drm/nouveau: Use drm_connector_for_each_possible_encoder()")
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:27 +10:00
Lyude Paul
2f7ca781fd drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
Currently, there's nothing in nouveau that actually cancels this work
struct. So, cancel it on suspend/unload. Otherwise, if we're unlucky
enough hpd_work might try to keep running up until the system is
suspended.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:27 +10:00
Lyude Paul
79e765ad66 drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
On most systems with ACPI hotplugging support, it seems that we always
receive a hotplug event once we re-enable EC interrupts even if the GPU
hasn't even been resumed yet.

This can cause problems since even though we schedule hpd_work to handle
connector reprobing for us, hpd_work synchronizes on
pm_runtime_get_sync() to wait until the device is ready to perform
reprobing. Since runtime suspend/resume callbacks are disabled before
the PM core calls ->suspend(), any calls to pm_runtime_get_sync() during
this period will grab a runtime PM ref and return immediately with
-EACCES. Because we schedule hpd_work from our ACPI HPD handler, and
hpd_work synchronizes on pm_runtime_get_sync(), this causes us to launch
a connector reprobe immediately even if the GPU isn't actually resumed
just yet. This causes various warnings in dmesg and occasionally, also
prevents some displays connected to the dedicated GPU from coming back
up after suspend. Example:

usb 1-4: USB disconnect, device number 14
usb 1-4.1: USB disconnect, device number 15
WARNING: CPU: 0 PID: 838 at drivers/gpu/drm/nouveau/include/nvkm/subdev/i2c.h:170 nouveau_dp_detect+0x17e/0x370 [nouveau]
CPU: 0 PID: 838 Comm: kworker/0:6 Not tainted 4.17.14-201.Lyude.bz1477182.V3.fc28.x86_64 #1
Hardware name: LENOVO 20EQS64N00/20EQS64N00, BIOS N1EET77W (1.50 ) 03/28/2018
Workqueue: events nouveau_display_hpd_work [nouveau]
RIP: 0010:nouveau_dp_detect+0x17e/0x370 [nouveau]
RSP: 0018:ffffa15143933cf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff8cb4f656c400 RCX: 0000000000000000
RDX: ffffa1514500e4e4 RSI: ffffa1514500e4e4 RDI: 0000000001009002
RBP: ffff8cb4f4a8a800 R08: ffffa15143933cfd R09: ffffa15143933cfc
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8cb4fb57a000
R13: ffff8cb4fb57a000 R14: ffff8cb4f4a8f800 R15: ffff8cb4f656c418
FS:  0000000000000000(0000) GS:ffff8cb51f400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f78ec938000 CR3: 000000073720a003 CR4: 00000000003606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ? _cond_resched+0x15/0x30
 nouveau_connector_detect+0x2ce/0x520 [nouveau]
 ? _cond_resched+0x15/0x30
 ? ww_mutex_lock+0x12/0x40
 drm_helper_probe_detect_ctx+0x8b/0xe0 [drm_kms_helper]
 drm_helper_hpd_irq_event+0xa8/0x120 [drm_kms_helper]
 nouveau_display_hpd_work+0x2a/0x60 [nouveau]
 process_one_work+0x187/0x340
 worker_thread+0x2e/0x380
 ? pwq_unbound_release_workfn+0xd0/0xd0
 kthread+0x112/0x130
 ? kthread_create_worker_on_cpu+0x70/0x70
 ret_from_fork+0x35/0x40
Code: 4c 8d 44 24 0d b9 00 05 00 00 48 89 ef ba 09 00 00 00 be 01 00 00 00 e8 e1 09 f8 ff 85 c0 0f 85 b2 01 00 00 80 7c 24 0c 03 74 02 <0f> 0b 48 89 ef e8 b8 07 f8 ff f6 05 51 1b c8 ff 02 0f 84 72 ff
---[ end trace 55d811b38fc8e71a ]---

So, to fix this we attempt to grab a runtime PM reference in the ACPI
handler itself asynchronously. If the GPU is already awake (it will have
normal hotplugging at this point) or runtime PM callbacks are currently
disabled on the device, we drop our reference without updating the
autosuspend delay. We only schedule connector reprobes when we
successfully managed to queue up a resume request with our asynchronous
PM ref.

This also has the added benefit of preventing redundant connector
reprobes from ACPI while the GPU is runtime resumed!

Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Cc: Karol Herbst <kherbst@redhat.com>
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1477182#c41
Signed-off-by: Lyude Paul <lyude@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-07 06:54:27 +10:00