Commit Graph

481024 Commits

Author SHA1 Message Date
Ander Conselvan de Oliveira
6e2cc0963a drm/i915: Replace some loop through encoders with intel_pipe_has_type()
In the ironlake mode set code, there were two instances of a loop through
encoders to find out if one of them has INTEL_OUTPUT_LVDS type. Simplify
the code by deleting some lines and use intel_pipe_has_type() instead.

Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:04 +02:00
Daniel Vetter
3436738180 drm/i915: Document that mmap forwarding is discouraged
Too many new drm driver writers seem to look at i915 for inspiration.
But we have two ways to do mmap, so discourage readers from the old,
ugly version. In a new driver we'd just expose two mmap offsets per
object, one for the gtt map and the other for the cpu map.

v2: Make it clear that i915 does cpu mmaps this way for past
cluelessness^W^W historical reasons. Asked for by Jani.

Cc: "Cheng, Yao" <yao.cheng@intel.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:04 +02:00
Rodrigo Vivi
101b376d35 drm/i915/bdw: Remove BDW preproduction W/As until C stepping.
Let's clean this a bit

v2: Rebase after other Mika's patch that removed some BDW production workarounds.
v3: Removed stepping info.

Reviewed-by: Mika Kuoppala <mika.kuoppala@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:03 +02:00
Chris Wilson
f2fbc690ae drm/i915: Convert a couple more INTEL_INFO-esque macros to be pointer agnostic
Just a couple more macros that assume that they were being passed a
struct drm_device when they want a struct drm_i915_private. Use our
magic macro to ease transitioning over to using drm_i915_privates

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:03 +02:00
Sonika Jindal
1447dde094 drm/i915/skl: Add 180 degree HW rotation support
Add support for 180 degree rotation for primary and sprite planes

Signed-off-by: Sonika Jindal <sonika.jindal@intel.com>
Reviewed-by: Damien Lespiau <damien.lespiau@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:02 +02:00
Chris Wilson
bb9059d3a0 drm/i915: Suppress no action noise from oom shrinker
If we are not able to free anything (the shrinker leaves nothing on the
global object lists), do not log anything. This is useful when other
subsystems are being stress-tested for their oom behaviour and i915.ko
is shouting into the logs about doing nothing.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:02 +02:00
Chris Wilson
005445c5fb drm/i915: Report the current number of bytes freed during oom
The shrinker reports the number of pages freed, but we try to log the
number of bytes - which leads to some nonsense values being reportedly
freed during oom.

Reported-by: Maarten Lankhorst <maarten.lankhorst@canonical.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:01 +02:00
Ville Syrjälä
43dc52c3b4 drm/i915: Add missing '\n' to cdclk debug message
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:01 +02:00
Rodrigo Vivi
58abf1daae drm/i915: Do not export RC6p and RC6pp if they don't exist
Avoid exposing RC6 and RC6pp to the platforms that don't support them.
So powertop can be changed to show RC6p and RC6pp only on the platforms
they are available.

v2: Simplify by merging RC6p and RC6pp groups and respect the spec that
mentions deep and deepest RC6 on SNB and IVB although they keep disabled
by default.

v3: Remove unnecessary space.

v4: RC6p and RC6pp is only for SNB and IVB; unify debug msg and use
    has_rc6p() on sanitize options instead of is gen 6 and ivb.

v5: yet another fix on has_rc6p macro. final is_gen6 or is_ivb! To make sure
    we are excluding hsw and baytrail.

References: https://bugs.freedesktop.org/show_bug.cgi?id=84524
Cc: Josh Triplett <josh.triplett@intel.com>
Cc: Paulo Zanoni <paulo.r.zanoni@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:00 +02:00
Gustavo Padovan
e391ea882b drm/i915: Fix not checking cursor and object sizes
Even if the fb is the same we should still check if the sizes are
valid to be set.

Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:34:00 +02:00
Gustavo Padovan
757f9a3e5b drm/i915: move check of intel_crtc_cursor_set_obj() out
Move check inside intel_crtc_cursor_set_obj() to
intel_check_cursor_plane(), we only use it there so move them out to
make the merge of intel_crtc_cursor_set_obj() into
intel_check_cursor_plane() easier.

This is another step toward the atomic modesetting support and unification
of plane operations such as pin/unpin of fb objects on i915.

v2: take Ville's comment: move crtc_{w,h} assignment a bit down in the
code
v3: take Ville's comment: kept only the restructuring changes, the rest of
the code was moved to a separated patch since it is a bug fix (we weren't
checking sizes when the fb was the same)

Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
[danvet: Fixup commit message mixup.]
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:59 +02:00
Gustavo Padovan
5ee4463839 drm/i915: remove leftover from pre-universal planes days
Now that universal planes are in place we don't need this plane unref on
failures.

Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:59 +02:00
Gustavo Padovan
ccc759dc2a drm/i915: Merge of visible and !visible paths for primary planes
Fold intel_pipe_set_base() in the update primary plane path merging
pieces of code that are common to both paths.

Basically the pin/unpin procedures are the same for both paths
and some checks can also be shared (some of them were moved to the
check() stage)

v2: take Ville's comments:
	- remove unnecessary plane check
	- move mutex lock to inside the conditional
	- make the pin fail message a debug one
	- add a fixme for the fastboot hack
	- call intel_frontbuffer_flip() after FBC update

v3: take more Ville's comments:
	- fold update code under if (intel_crtc->active), and do the
	visible/!visible split inside.
	- check ret inside the same conditional we assign it

v4: don't use intel_enable_primary_hw_plane(), the primary_enabled
check inside will break page flips

v5: take more Ville's comments:
	- set primary_enabled to true and add BDW hack
	- unify if (old_fb) and if (old_fb != fb)

v6: take more Ville's comments:
	- make was_primary bool and fix its check
	- add the BDW vblank wait comment

Suggested-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:59 +02:00
Damien Lespiau
d68a08af3d drm/i915: Remove IS_ULT()
As stated in the few previous commits, IS_ULT/ULX() is better
per-platform as it has different consequences depending on the platform.

We now can get rid of it.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:58 +02:00
Damien Lespiau
fa4dca2cce drm/i915/skl: Don't check for ULT/ULX when detecting the PCH
IS_ULT() wasn't taking into account SKL so we had a warn with SPT-LP.

We don't really need those checks here, and as we don't need to introduce
IS_SKL_ULT/ULX() at the moment, let's just drop them.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:58 +02:00
Damien Lespiau
95626e7caa drm/i915: Use IS_HSW_ULT() in HSW CDCLK clock read-out
hsw_get_cdclk_freq() is really just HSW, so we can use IS_HSW_ULT()
instead of IS_ULT() there.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:57 +02:00
Damien Lespiau
cf404ce4b1 drm/i915: Spell out IS_HSW/BDW_ULT() in intel_crt_present()
The quality of being a ULT or ULX package doesn't tell anything across
generations and so a global IS_ULT() macro doesn't make much sense, esp.
as we're adding new products.

So, spell out which ULT/ULX SKUs we are talking about here, namely HSW
and BDW.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:57 +02:00
Damien Lespiau
dbf7786efa drm/i915: Use IS_HSW_ULT() in HAS_IPS()
HAS_IPS() has a '|| IS_BROADWELL()', no need to check for IS_BDW_ULT().

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:56 +02:00
Damien Lespiau
bcef6d5aa5 drm/i915: Use IS_HSW_ULT() in a HSW specific code path
No need to add the BDW pci ULT/ULX checks inside a if (IS_HASWELL(dev))
code path.

Signed-off-by: Damien Lespiau <damien.lespiau@intel.com>
Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:56 +02:00
Daniel Vetter
ef07388e88 drm/i915: kerneldoc for intel_fifo_underrun.c
v2: Fix spelling fail.

Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2014-10-24 16:33:55 +02:00
Daniel Vetter
0f239f4cb1 drm/i915: Filter gmch fifo underruns in the shared handler
This simplifies the code in the vlv irq handler. Also this now
means that we correctly filter underruns on gen2-4.

And as the real upshot I need to document one less function for
the fifo underrun code.

v2: Shorten one long line.

Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:55 +02:00
Daniel Vetter
1f7247c01c drm/i915: Add wrappers to handle fifo underrun interrupts
Way too much copypasta all over. And this also clarifies a bit what's
going on since it separates the "do we have an underrun irq" from the
"should we report the underrun" check.

v2: Fix excessively long lines.

Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2014-10-24 16:33:54 +02:00
Daniel Vetter
a72e4c9f9a drm/i915: Use dev_priv in public intel_fifo_underrun.c functions
It's the new rule!

Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
2014-10-24 16:33:54 +02:00
Daniel Vetter
47339cd9ff drm/i915: Extract intel_fifo_underrun.c
Prep work for some nice documentation. Requires that we export the
display irq enable/disable functions on ilk/ibx. But we already export
them for vlv/i915. So not more inconsistency.

v2: Rebase on top of skl stage 1.

Reviewed-by: Paulo Zanoni <paulo.r.zanoni@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2014-10-24 16:33:53 +02:00
Daniel Vetter
cacc6c837b Revert "drm/i915: Enable full PPGTT on gen7"
This reverts commit 8c50f10d73.

It's not yet solid and Dave objected to pulling the tree in its
current state.

Cc: Michel Thierry <michel.thierry@intel.com>
Cc: Dave Airlie <airlied@gmail.com>
Cc: Chris Wilson <chris@chris-wilson.co.uk>
References: http://mid.mail-archive.com/CAPM=9ty2r1MLE=wzC-_vNSUzXVqAyXiGgocpSV9qOp0gzpK3xA@mail.gmail.com
References: http://lists.freedesktop.org/archives/intel-gfx/2014-October/053926.html
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
2014-10-24 16:30:14 +02:00
Ralf Baechle
4846f11816 MIPS: SEAD3: Fix I2C device registration.
This isn't a module and shouldn't be one.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-10-24 13:34:42 +02:00
Wanpeng Li
571ee1b685 kvm: vfio: fix unregister kvm_device_ops of vfio
After commit 80ce163 (KVM: VFIO: register kvm_device_ops dynamically),
kvm_device_ops of vfio can be registered dynamically. Commit 3c3c29fd
(kvm-vfio: do not use module_init) moved the dynamic register invoked by
kvm_init in order to fix broken unloading of the kvm module. However,
kvm_device_ops of vfio is unregistered after rmmod kvm-intel module
which leads to a device type collision detection warning after kvm-intel
module reinsmod.

    WARNING: CPU: 1 PID: 10358 at /root/cathy/kvm/arch/x86/kvm/../../../virt/kvm/kvm_main.c:3289 kvm_init+0x234/0x282 [kvm]()
    Modules linked in: kvm_intel(O+) kvm(O) nfsv3 nfs_acl auth_rpcgss oid_registry nfsv4 dns_resolver nfs fscache lockd sunrpc pci_stub bridge stp llc autofs4 8021q cpufreq_ondemand ipv6 joydev microcode pcspkr igb i2c_algo_bit ehci_pci ehci_hcd e1000e i2c_i801 ixgbe ptp pps_core hwmon mdio tpm_tis tpm ipmi_si ipmi_msghandler acpi_cpufreq isci libsas scsi_transport_sas button dm_mirror dm_region_hash dm_log dm_mod [last unloaded: kvm_intel]
    CPU: 1 PID: 10358 Comm: insmod Tainted: G        W  O   3.17.0-rc1 #2
    Hardware name: Intel Corporation S2600CP/S2600CP, BIOS RMLSDP.86I.00.29.D696.1311111329 11/11/2013
     0000000000000cd9 ffff880ff08cfd18 ffffffff814a61d9 0000000000000cd9
     0000000000000000 ffff880ff08cfd58 ffffffff810417b7 ffff880ff08cfd48
     ffffffffa045bcac ffffffffa049c420 0000000000000040 00000000000000ff
    Call Trace:
     [<ffffffff814a61d9>] dump_stack+0x49/0x60
     [<ffffffff810417b7>] warn_slowpath_common+0x7c/0x96
     [<ffffffffa045bcac>] ? kvm_init+0x234/0x282 [kvm]
     [<ffffffff810417e6>] warn_slowpath_null+0x15/0x17
     [<ffffffffa045bcac>] kvm_init+0x234/0x282 [kvm]
     [<ffffffffa016e995>] vmx_init+0x1bf/0x42a [kvm_intel]
     [<ffffffffa016e7d6>] ? vmx_check_processor_compat+0x64/0x64 [kvm_intel]
     [<ffffffff810002ab>] do_one_initcall+0xe3/0x170
     [<ffffffff811168a9>] ? __vunmap+0xad/0xb8
     [<ffffffff8109c58f>] do_init_module+0x2b/0x174
     [<ffffffff8109d414>] load_module+0x43e/0x569
     [<ffffffff8109c6d8>] ? do_init_module+0x174/0x174
     [<ffffffff8109c75a>] ? copy_module_from_user+0x39/0x82
     [<ffffffff8109b7dd>] ? module_sect_show+0x20/0x20
     [<ffffffff8109d65f>] SyS_init_module+0x54/0x81
     [<ffffffff814a9a12>] system_call_fastpath+0x16/0x1b
    ---[ end trace 0626f4a3ddea56f3 ]---

The bug can be reproduced by:

    rmmod kvm_intel.ko
    insmod kvm_intel.ko

without rmmod/insmod kvm.ko
This patch fixes the bug by unregistering kvm_device_ops of vfio when the
kvm-intel module is removed.

Reported-by: Liu Rongrong <rongrongx.liu@intel.com>
Fixes: 3c3c29fd0d
Signed-off-by: Wanpeng Li <wanpeng.li@linux.intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:47 +02:00
Nadav Amit
1715d0dcb0 KVM: x86: Wrong assertion on paging_tmpl.h
Even after the recent fix, the assertion on paging_tmpl.h is triggered.
Apparently, the assertion wants to check that the PAE is always set on
long-mode, but does it in an incorrect way.  Note that the assertion is not
enabled unless the code is debugged by defining MMU_DEBUG.

Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:37 +02:00
Quentin Casasnovas
3d32e4dbe7 kvm: fix excessive pages un-pinning in kvm_iommu_map error path.
The third parameter of kvm_unpin_pages() when called from
kvm_iommu_map_pages() is wrong, it should be the number of pages to un-pin
and not the page size.

This error was facilitated with an inconsistent API: kvm_pin_pages() takes
a size, but kvm_unpin_pages() takes a number of pages, so fix the problem
by matching the two.

This was introduced by commit 350b8bd ("kvm: iommu: fix the third parameter
of kvm_iommu_put_pages (CVE-2014-3601)"), which fixes the lack of
un-pinning for pages intended to be un-pinned (i.e. memory leak) but
unfortunately potentially aggravated the number of pages we un-pin that
should have stayed pinned. As far as I understand though, the same
practical mitigations apply.

This issue was found during review of Red Hat 6.6 patches to prepare
Ksplice rebootless updates.

Thanks to Vegard for his time on a late Friday evening to help me in
understanding this code.

Fixes: 350b8bd ("kvm: iommu: fix the third parameter of... (CVE-2014-3601)")
Cc: stable@vger.kernel.org
Signed-off-by: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jamie Iles <jamie.iles@oracle.com>
Reviewed-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:37 +02:00
Nadav Amit
3f6f1480d8 KVM: x86: PREFETCH and HINT_NOP should have SrcMem flag
The decode phase of the x86 emulator assumes that every instruction with the
ModRM flag, and which can be used with RIP-relative addressing, has either
SrcMem or DstMem.  This is not the case for several instructions - prefetch,
hint-nop and clflush.

Adding SrcMem|NoAccess for prefetch and hint-nop and SrcMem for clflush.

This fixes CVE-2014-8480.

Fixes: 41061cdb98
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:36 +02:00
Nadav Amit
13e457e0ee KVM: x86: Emulator does not decode clflush well
Currently, all group15 instructions are decoded as clflush (e.g., mfence,
xsave).  In addition, the clflush instruction requires no prefix (66/f2/f3)
would exist. If prefix exists it may encode a different instruction (e.g.,
clflushopt).

Creating a group for clflush, and different group for each prefix.

This has been the case forever, but the next patch needs the clflush group
in order to fix a bug introduced in 3.17.

Fixes: 41061cdb98
Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:36 +02:00
Paolo Bonzini
a430c91663 KVM: emulate: avoid accessing NULL ctxt->memopp
A failure to decode the instruction can cause a NULL pointer access.
This is fixed simply by moving the "done" label as close as possible
to the return.

This fixes CVE-2014-8481.

Reported-by: Andy Lutomirski <luto@amacapital.net>
Cc: stable@vger.kernel.org
Fixes: 41061cdb98
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:30:35 +02:00
Ralf Baechle
cc08d25a88 MIPS: SEAD3: Nuke PIC32 I2C driver.
A platform driver for which nothing ever registers the corresponding
platform device.

Also it was driving the same hardware as sead3-i2c-drv.c so redundant
anyway and couldn't co-exist with that driver because each of them was
using a private spinlock to protect access to the same hardware
resources.

This also fixes a randconfig problem:

arch/mips/mti-sead3/sead3-pic32-i2c-drv.c: In function 'i2c_platform_probe':
arch/mips/mti-sead3/sead3-pic32-i2c-drv.c:345:2: error: implicit declaration of
function 'i2c_add_numbered_adapter' [-Werror=implicit-function-declaration]
  ret = i2c_add_numbered_adapter(&priv->adap);
    ^
arch/mips/mti-sead3/sead3-pic32-i2c-drv.c: In function
'i2c_platform_remove':
arch/mips/mti-sead3/sead3-pic32-i2c-drv.c:361:2: error: implicit declaration
of function 'i2c_del_adapter' [-Werror=implicit-function-declaration]
i2c_del_adapter(&priv->adap);

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-10-24 13:27:37 +02:00
Nadav Amit
08da44aedb KVM: x86: Decoding guest instructions which cross page boundary may fail
Once an instruction crosses a page boundary, the size read from the second page
disregards the common case that part of the operand resides on the first page.
As a result, fetch of long instructions may fail, and thereby cause the
decoding to fail as well.

Cc: stable@vger.kernel.org
Fixes: 5cfc7e0f5e
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:18 +02:00
Michael S. Tsirkin
2bc19dc375 kvm: x86: don't kill guest on unknown exit reason
KVM_EXIT_UNKNOWN is a kvm bug, we don't really know whether it was
triggered by a privileged application.  Let's not kill the guest: WARN
and inject #UD instead.

Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:17 +02:00
Petr Matousek
a642fc3050 kvm: vmx: handle invvpid vm exit gracefully
On systems with invvpid instruction support (corresponding bit in
IA32_VMX_EPT_VPID_CAP MSR is set) guest invocation of invvpid
causes vm exit, which is currently not handled and results in
propagation of unknown exit to userspace.

Fix this by installing an invvpid vm exit handler.

This is CVE-2014-3646.

Cc: stable@vger.kernel.org
Signed-off-by: Petr Matousek <pmatouse@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:17 +02:00
Nadav Amit
d1442d85cc KVM: x86: Handle errors when RIP is set during far jumps
Far jmp/call/ret may fault while loading a new RIP.  Currently KVM does not
handle this case, and may result in failed vm-entry once the assignment is
done.  The tricky part of doing so is that loading the new CS affects the
VMCS/VMCB state, so if we fail during loading the new RIP, we are left in
inconsistent state.  Therefore, this patch saves on 64-bit the old CS
descriptor and restores it if loading RIP failed.

This fixes CVE-2014-3647.

Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:16 +02:00
Nadav Amit
234f3ce485 KVM: x86: Emulator fixes for eip canonical checks on near branches
Before changing rip (during jmp, call, ret, etc.) the target should be asserted
to be canonical one, as real CPUs do.  During sysret, both target rsp and rip
should be canonical. If any of these values is noncanonical, a #GP exception
should occur.  The exception to this rule are syscall and sysenter instructions
in which the assigned rip is checked during the assignment to the relevant
MSRs.

This patch fixes the emulator to behave as real CPUs do for near branches.
Far branches are handled by the next patch.

This fixes CVE-2014-3647.

Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:16 +02:00
Nadav Amit
05c83ec9b7 KVM: x86: Fix wrong masking on relative jump/call
Relative jumps and calls do the masking according to the operand size, and not
according to the address size as the KVM emulator does today.

This patch fixes KVM behavior.

Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:15 +02:00
Andy Honig
2febc83913 KVM: x86: Improve thread safety in pit
There's a race condition in the PIT emulation code in KVM.  In
__kvm_migrate_pit_timer the pit_timer object is accessed without
synchronization.  If the race condition occurs at the wrong time this
can crash the host kernel.

This fixes CVE-2014-3611.

Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:14 +02:00
Andy Honig
8b3c3104c3 KVM: x86: Prevent host from panicking on shared MSR writes.
The previous patch blocked invalid writes directly when the MSR
is written.  As a precaution, prevent future similar mistakes by
gracefully handling GPs caused by writes to shared MSRs.

Cc: stable@vger.kernel.org
Signed-off-by: Andrew Honig <ahonig@google.com>
[Remove parts obsoleted by Nadav's patch. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:08 +02:00
Nadav Amit
854e8bb1aa KVM: x86: Check non-canonical addresses upon WRMSR
Upon WRMSR, the CPU should inject #GP if a non-canonical value (address) is
written to certain MSRs. The behavior is "almost" identical for AMD and Intel
(ignoring MSRs that are not implemented in either architecture since they would
anyhow #GP). However, IA32_SYSENTER_ESP and IA32_SYSENTER_EIP cause #GP if
non-canonical address is written on Intel but not on AMD (which ignores the top
32-bits).

Accordingly, this patch injects a #GP on the MSRs which behave identically on
Intel and AMD.  To eliminate the differences between the architectures, the
value which is written to IA32_SYSENTER_ESP and IA32_SYSENTER_EIP is turned to
canonical value before writing instead of injecting a #GP.

Some references from Intel and AMD manuals:

According to Intel SDM description of WRMSR instruction #GP is expected on
WRMSR "If the source register contains a non-canonical address and ECX
specifies one of the following MSRs: IA32_DS_AREA, IA32_FS_BASE, IA32_GS_BASE,
IA32_KERNEL_GS_BASE, IA32_LSTAR, IA32_SYSENTER_EIP, IA32_SYSENTER_ESP."

According to AMD manual instruction manual:
LSTAR/CSTAR (SYSCALL): "The WRMSR instruction loads the target RIP into the
LSTAR and CSTAR registers.  If an RIP written by WRMSR is not in canonical
form, a general-protection exception (#GP) occurs."
IA32_GS_BASE and IA32_FS_BASE (WRFSBASE/WRGSBASE): "The address written to the
base field must be in canonical form or a #GP fault will occur."
IA32_KERNEL_GS_BASE (SWAPGS): "The address stored in the KernelGSbase MSR must
be in canonical form."

This patch fixes CVE-2014-3610.

Cc: stable@vger.kernel.org
Signed-off-by: Nadav Amit <namit@cs.technion.ac.il>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2014-10-24 13:21:08 +02:00
David Henningsson
fb54a645b2 ALSA: hda - Add missing terminating entry to SND_HDA_PIN_QUIRK macro
Without this terminating entry, the pin matching would continue
across random memory until a zero or a non-matching entry was found.

The result being that in some cases, the pin quirk would not be
applied correctly.

Cc: stable@vger.kernel.org
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-10-24 10:04:29 +02:00
Olof Johansson
4fbc400cfc SOCFPGA fixes for 3.18
These patches fix an SMP and SDMMC driver hang during boot up on the
 SOCFPGA platform.
 
 Patch "arm: socfpga: fix fetching cpu1start_addr for SMP" fixes the SMP
 trampoline code in order for CPU1 to correctly fetch its cpu1start_addr.
 
 Patch "ARM: dts: socfpga: rename gpio nodes" renames that GPIO node in order
 to allow a standard way of specifying status="okay" in the board DTS file.
 
 Patch "ARM: dts: socfpga: Fix SD card detect" fixes a SDMMC driver hang
 during boot. The reason for the hang was the deferred probe of the SDMMC
 driver was waiting for the GPIO resource that would never come.
 
 Patch "ARM: dts: socfpga: Add a 3.3V fixed regulator node" adds a fixed
 regulator node for the SDMMC driver to use.

Merge tag 'socfpga_fixes_for_3.18' of git://git.rocketboards.org/linux-socfpga-next into fixes

Merge "SOCFPGA fixes for 3.18" from Dinh Nguyen:

These patches fix an SMP and SDMMC driver hang during boot up on the
SOCFPGA platform.

Patch "arm: socfpga: fix fetching cpu1start_addr for SMP" fixes the SMP
trampoline code in order for CPU1 to correctly fetch its cpu1start_addr.

Patch "ARM: dts: socfpga: rename gpio nodes" renames that GPIO node in order
to allow a standard way of specifying status="okay" in the board DTS file.

Patch "ARM: dts: socfpga: Fix SD card detect" fixes a SDMMC driver hang
during boot. The reason for the hang was the deferred probe of the SDMMC
driver was waiting for the GPIO resource that would never come.

Patch "ARM: dts: socfpga: Add a 3.3V fixed regulator node" adds a fixed
regulator node for the SDMMC driver to use.

* tag 'socfpga_fixes_for_3.18' of git://git.rocketboards.org/linux-socfpga-next:
  ARM: dts: socfpga: Add a 3.3V fixed regulator node
  ARM: dts: socfpga: Fix SD card detect
  ARM: dts: socfpga: rename gpio nodes
  arm: socfpga: fix fetching cpu1start_addr for SMP

Signed-off-by: Olof Johansson <olof@lixom.net>
2014-10-23 21:05:45 -07:00
Olof Johansson
184f84d9b9 First AT91 fixes for 3.18:
- one more MAINTAINERS entry for the SSC driver
 - a fix for the newly introduced power/reset driver
 - a fix on at91sam9263 USB due to PLLB misconfiguration

Merge tag 'at91-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91 into fixes

Merge "at91: fixes for v3.18 #1" from Nicholas Ferre:

First AT91 fixes for 3.18:
- one more MAINTAINERS entry for the SSC driver
- a fix for the newly introduced power/reset driver
- a fix on at91sam9263 USB due to PLLB misconfiguration

* tag 'at91-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nferre/linux-at91:
  ARM: at91/dt: sam9263: fix PLLB frequencies
  power: reset: at91-reset: fix power down register
  MAINTAINERS: add atmel ssc driver maintainer entry

Signed-off-by: Olof Johansson <olof@lixom.net>
2014-10-23 21:02:49 -07:00
Olof Johansson
bcd09f17cb arm: Xilinx Zynq DT fixes for v3.18
- Fix gem register size
 - Fix OPP
 - Add missing references
 - Trivial cleanup

Merge tag 'zynq-dt-fixes-for-3.18' of https://github.com/Xilinx/linux-xlnx into fixes

Merge "Xilinx Zynq dt fixes for v3.18" from Michal Simek:

arm: Xilinx Zynq DT fixes for v3.18
- Fix gem register size
- Fix OPP
- Add missing references
- Trivial cleanup

* tag 'zynq-dt-fixes-for-3.18' of https://github.com/Xilinx/linux-xlnx:
  ARM: zynq: DT: trivial: Fix mc node
  ARM: zynq: DT: Add cadence watchdog node
  ARM: zynq: DT: Add missing reference for memory-controller
  ARM: zynq: DT: Add missing reference for ADC
  ARM: zynq: DT: Add missing address for L2 pl310
  ARM: zynq: DT: Remove 222 MHz OPP
  ARM: zynq: DT: Fix GEM register area size

Signed-off-by: Olof Johansson <olof@lixom.net>
2014-10-23 21:01:02 -07:00
Olof Johansson
90f0845ce6 ARM: multi_v7_defconfig: enable CONFIG_MMC_DW_ROCKCHIP
Allows booting from SD/MMC on RK3288 and other platforms. Added here so I
can enable the board in the boot farm.

Signed-off-by: Olof Johansson <olof@lixom.net>
2014-10-23 21:00:52 -07:00
Olof Johansson
3e10dccc82 ARM: sunxi_defconfig: enable CONFIG_REGULATOR_FIXED_VOLTAGE
I missed in 9a2ad529ed that REGULATOR_FIXED_VOLTAGE had also gotten
deselected, so it needs to be added back as an explicit option.

Signed-off-by: Olof Johansson <olof@lixom.net>
2014-10-23 21:00:52 -07:00
Al Viro
1be47b387a Merge branch 'overlayfs.v25' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs into for-linus
2014-10-23 22:52:55 -04:00
Al Viro
51486b900e fix inode leaks on d_splice_alias() failure exits
d_splice_alias() callers expect it to either stash the inode reference
into a new alias, or drop the inode reference.  That makes it possible
to just return d_splice_alias() result from ->lookup() instance, without
any extra housekeeping required.

Unfortunately, that should include the failure exits.  If d_splice_alias()
returns an error, it leaves the dentry it has been given negative and
thus it *must* drop the inode reference.  Easily fixed, but it goes way
back and will need backporting.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-10-23 22:30:18 -04:00