Commit Graph

663041 Commits

Author SHA1 Message Date
Arnd Bergmann
bf3f53089c This pull request contains Broadcom ARM-based SoCs Device Tree fixes for 4.11,
please pull the following:
 
 - Jon fixes a reboot issue on most Northstar Plus platforms by adding the
   "open-source" property to the "gpio-restart" Device Tree nodes
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJY0rfzAAoJEIfQlpxEBwcEzCAQALNT1HOloxI7D+Ki1w5/ANum
 IsZIfzffFV/gJW1tZDhbLnNcPU+H8W9hGi3veAOihlbJSMHkEV5ECYzx9CImwLyg
 0le6H68w4eZwJQ4ZCyyu3qXPjhic6v3Dtzw2nqvWytRAbcyGh8k8z6riVRucCXJU
 wvzjARTga1u2UffvVsQEw6o7MQE0B+1KcqGh+g069IQVQzTjTxPGOvQF2hfqabUt
 45x2w5wlUKGX+SodqweDzFQu1tKErjkt8EH5zvqjeMRGFxHaDFXw4FuRWrkzp9ic
 gE+3d/IuHxYivNsPg90y029e+ihTTxPfT1cLRJkN7kbzBKYngH+/T1HLb7EFJbcO
 /haqnevKaWp3MCwkpH4LDQ3akKIaZvbo16qdxCNvQ80biTwHqOo5e+roMyk9Y9Ka
 vYw22yW0LfeRHPnkQBIBOwS9b31r2D9FePKRrkNFZXy0247w0TW4lSUovvnIdwTq
 awBBBkTS56ovnjmU08/72DVj4JE2/3mwqkYHUfEXls4RA8oYF4maHSEZI/FF16/2
 YiMVE9fBaRjLKXthxuVaMsGUz94QR2W9gaOq8UV5E/ZM9YCckR+J28mhHehV+S2U
 jsDv3iXgLpnYOnBqdoXLbcHr9QFx0OtItgACs3AlYP0SMmUryXrPdzVUY9cQBjJR
 drXgohtIcxX1j0CHxDWf
 =CKev
 -----END PGP SIGNATURE-----

Merge tag 'arm-soc/for-4.11/devicetree-fixes-2' of http://github.com/Broadcom/stblinux into fixes

Pull "Broadcom arm Device Tree fixes for 4.11 (part 2)" from Florian Fainelli:

This pull request contains Broadcom ARM-based SoCs Device Tree fixes for 4.11,
please pull the following:

- Jon fixes a reboot issue on most Northstar Plus platforms by adding the
  "open-source" property to the "gpio-restart" Device Tree nodes

* tag 'arm-soc/for-4.11/devicetree-fixes-2' of http://github.com/Broadcom/stblinux:
  ARM: dts: NSP: GPIO reboot open-source
2017-03-24 17:49:40 +01:00
Takashi Iwai
2d7d54002e ALSA: seq: Fix race during FIFO resize
When a new event is queued while processing to resize the FIFO in
snd_seq_fifo_clear(), it may lead to a use-after-free, as the old pool
that is being queued gets removed.  For avoiding this race, we need to
close the pool to be deleted and sync its usage before actually
deleting it.

The issue was spotted by syzkaller.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2017-03-24 17:11:00 +01:00
Peter Stein
9257821c5a HID: xinmo: fix for out of range for THT 2P arcade controller.
There is a new clone of the XIN MO arcade controller which has same issue with
out of range like the original.  This fix will solve the issue where 2
directions on the joystick are not recognized by the new THT 2P arcade
controller with device ID 0x75e1.  In details the new device ID is added the
hid-id list and the hid-xinmo source code.

Signed-off-by: Peter Stein <peter@stuntstein.dk>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2017-03-24 15:43:03 +01:00
Eric Biggers
9df0eb180c crypto: xts,lrw - fix out-of-bounds write after kmalloc failure
In the generic XTS and LRW algorithms, for input data > 128 bytes, a
temporary buffer is allocated to hold the values to be XOR'ed with the
data before and after encryption or decryption.  If the allocation
fails, the fixed-size buffer embedded in the request buffer is meant to
be used as a fallback --- resulting in more calls to the ECB algorithm,
but still producing the correct result.  However, we weren't correctly
limiting subreq->cryptlen in this case, resulting in pre_crypt()
overrunning the embedded buffer.  Fix this by setting subreq->cryptlen
correctly.

Fixes: f1c131b454 ("crypto: xts - Convert to skcipher")
Fixes: 700cb3f5fe ("crypto: lrw - Convert to skcipher")
Cc: stable@vger.kernel.org # v4.10+
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-03-24 21:51:34 +08:00
Gary R Hook
efc989fce8 crypto: ccp - Make some CCP DMA channels private
The CCP registers its queues as channels capable of handling
general DMA operations. The NTB driver will use DMA if
directed, but as public channels can be reserved for use in
asynchronous operations some channels should be held back
as private. Since the public/private determination is
handled at a device level, reserve the "other" (secondary)
CCP channels as private.

Add a module parameter that allows for override, to be
applied to all channels on all devices.

CC: <stable@vger.kernel.org> # 4.10.x-
Signed-off-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-03-24 21:51:34 +08:00
Jason A. Donenfeld
de5540d088 padata: avoid race in reordering
Under extremely heavy uses of padata, crashes occur, and with list
debugging turned on, this happens instead:

[87487.298728] WARNING: CPU: 1 PID: 882 at lib/list_debug.c:33
__list_add+0xae/0x130
[87487.301868] list_add corruption. prev->next should be next
(ffffb17abfc043d0), but was ffff8dba70872c80. (prev=ffff8dba70872b00).
[87487.339011]  [<ffffffff9a53d075>] dump_stack+0x68/0xa3
[87487.342198]  [<ffffffff99e119a1>] ? console_unlock+0x281/0x6d0
[87487.345364]  [<ffffffff99d6b91f>] __warn+0xff/0x140
[87487.348513]  [<ffffffff99d6b9aa>] warn_slowpath_fmt+0x4a/0x50
[87487.351659]  [<ffffffff9a58b5de>] __list_add+0xae/0x130
[87487.354772]  [<ffffffff9add5094>] ? _raw_spin_lock+0x64/0x70
[87487.357915]  [<ffffffff99eefd66>] padata_reorder+0x1e6/0x420
[87487.361084]  [<ffffffff99ef0055>] padata_do_serial+0xa5/0x120

padata_reorder calls list_add_tail with the list to which its adding
locked, which seems correct:

spin_lock(&squeue->serial.lock);
list_add_tail(&padata->list, &squeue->serial.list);
spin_unlock(&squeue->serial.lock);

This therefore leaves only place where such inconsistency could occur:
if padata->list is added at the same time on two different threads.
This pdata pointer comes from the function call to
padata_get_next(pd), which has in it the following block:

next_queue = per_cpu_ptr(pd->pqueue, cpu);
padata = NULL;
reorder = &next_queue->reorder;
if (!list_empty(&reorder->list)) {
       padata = list_entry(reorder->list.next,
                           struct padata_priv, list);
       spin_lock(&reorder->lock);
       list_del_init(&padata->list);
       atomic_dec(&pd->reorder_objects);
       spin_unlock(&reorder->lock);

       pd->processed++;

       goto out;
}
out:
return padata;

I strongly suspect that the problem here is that two threads can race
on reorder list. Even though the deletion is locked, call to
list_entry is not locked, which means it's feasible that two threads
pick up the same padata object and subsequently call list_add_tail on
them at the same time. The fix is thus be hoist that lock outside of
that block.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-03-24 21:51:33 +08:00
Thomas Petazzoni
74d1cf4897 dt-bindings: rng: clocks property on omap_rng not always mandatory
Commit 52060836f7 ("dt-bindings: omap-rng: Document SafeXcel IP-76
device variant") update the omap_rng Device Tree binding to add support
for the IP-76 variation of the IP. As part of this change, a "clocks"
property was added, but is indicated as "Required", without indicated
it's actually only required for some compatible strings.

This commit fixes that, by explicitly stating that the clocks property
is only required with the inside-secure,safexcel-eip76 compatible
string.

Fixes: 52060836f7 ("dt-bindings: omap-rng: Document SafeXcel IP-76 device variant")
Cc: <stable@vger.kernel.org>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-03-24 21:51:32 +08:00
Philipp Zabel
c3d4fb0fb4 [media] rc: sunxi-cir: simplify optional reset handling
As of commit bb475230b8 ("reset: make optional functions really
optional"), the reset framework API calls use NULL pointers to describe
optional, non-present reset controls.

This allows to return errors from devm_reset_control_get_optional and to
call reset_control_(de)assert unconditionally.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:30:03 -03:00
Philipp Zabel
ec6b0bd54e [media] st_rc: simplify optional reset handling
As of commit bb475230b8 ("reset: make optional functions really
optional"), the reset framework API calls use NULL pointers to describe
optional, non-present reset controls.

This allows to return errors from reset_control_get_optional and to call
reset_control_(de)assert unconditionally.

Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Acked-by: Patrice Chotard <patrice.chotard@st.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:29:27 -03:00
Johan Hovold
03eb2a557e [media] mceusb: fix NULL-deref at probe
Make sure to check for the required out endpoint to avoid dereferencing
a NULL-pointer in mce_request_packet should a malicious device lack such
an endpoint. Note that this path is hit during probe.

Fixes: 66e89522af ("V4L/DVB: IR: add mceusb IR receiver driver")

Cc: stable <stable@vger.kernel.org>	# 2.6.36
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:28:25 -03:00
Sean Young
74c839b2f5 [media] lirc: use refcounting for lirc devices
If a lirc device is unplugged, the struct rc_dev is freed even though
userspace can still have a file descriptor open on the lirc chardev. The
rc_dev structure can be used in a subsequent, or even currently executing
ioctl, read or write.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:27:07 -03:00
Sean Young
069f3b10ae [media] serial_ir: iommap is a memory address, not bool
This has been broken for a long time, so presumably it is not used. I
have no hardware to test this on.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=61401

Fixes: 90ab5ee ("module_param: make bool parameters really bool")

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:25:46 -03:00
Sean Young
b73bc16d08 [media] mce_kbd: add encoder
Split the protocol into two variants, one for keyboard and one for mouse
data.

Note that the mce_kbd protocol cannot be used on the igorplugusb, since
the IR is too long.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:24:41 -03:00
Sean Young
e8f4818895 [media] lirc: advertise LIRC_CAN_GET_REC_RESOLUTION and improve
This feature was never set. The ioctl should fail if no resolution
is set.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:23:18 -03:00
Sean Young
7dc2df1476 [media] rc: lirc keymap no longer makes any sense
The lirc keymap existed once upon a time to select the lirc protocol.
Since '275ddb4 [media] rc-core: remove the LIRC "protocol"', IR is
always passed to the lirc decoder so this keymap is no longer needed.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:22:36 -03:00
Mike Looijmans
dbe4d69d25 i2c: mux: pca954x: Add missing pca9546 definition to chip_desc
The spec for the pca9546 was missing. This chip is the same as the pca9545
except that it lacks interrupt lines. While the i2c_device_id table mapped
the pca9546 to the pca9545 definition the compatible table did not.

Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
Signed-off-by: Peter Rosin <peda@axentia.se>
2017-03-24 12:22:18 +01:00
Sean Young
ee5310e66e [media] gpio-ir: do not allow a timeout of 0
According to the documentation, a timeout of 0 turns off timeouts,
which is not the case.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:21:48 -03:00
Sean Young
ea80fb6d08 [media] winbond: allow timeout to be set
The drivers sets the hardware to idle when a timeout occurs. This can
be any reasonable value.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:21:17 -03:00
Sean Young
bc989391ab [media] lirc: return ENOTTY when device does support ioctl
If timeouts or carrier range is not supported, return proper error.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 08:20:28 -03:00
Sean Young
5c86275869 [media] lirc: return ENOTTY when ioctl is not supported
We shouldn't be using ENOSYS when a feature is not available. I've tested
lirc; nothing is broken as far as I can make out.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 07:44:42 -03:00
Sean Young
a8b875a549 [media] lirc: document lirc modes better
LIRC_MODE_MODE2 and LIRC_MODE_LIRCCODE were not covered at all.

Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 07:43:26 -03:00
Derek Robson
5cd6522c5b [media] staging: lirc: use octal instead of symbolic permission
Changed permissions to octal across whole driver
Found by checkpatch

Signed-off-by: Derek Robson <robsonde@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 07:41:52 -03:00
Sean Young
207c957d9e [media] cxusb: dvico remotes are nec
Adjust the keymap to use the correct nec scancodes, and adjust the
rc driver to output the correct nec scancodes.

Now the keymap can be used with any nec receiver, and the rc device
should work with any nec keymap.

Tested-by: Vincent McIntyre <vincent.mcintyre@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
2017-03-24 07:41:17 -03:00
Baoquan He
a46f60d760 x86/mm/KASLR: Exclude EFI region from KASLR VA space randomization
Currently KASLR is enabled on three regions: the direct mapping of physical
memory, vamlloc and vmemmap. However the EFI region is also mistakenly
included for VA space randomization because of misusing EFI_VA_START macro
and assuming EFI_VA_START < EFI_VA_END.

(This breaks kexec and possibly other things that rely on stable addresses.)

The EFI region is reserved for EFI runtime services virtual mapping which
should not be included in KASLR ranges. In Documentation/x86/x86_64/mm.txt,
we can see:

  ffffffef00000000 - fffffffeffffffff (=64 GB) EFI region mapping space

EFI uses the space from -4G to -64G thus EFI_VA_START > EFI_VA_END,
Here EFI_VA_START = -4G, and EFI_VA_END = -64G.

Changing EFI_VA_START to EFI_VA_END in mm/kaslr.c fixes this problem.

Signed-off-by: Baoquan He <bhe@redhat.com>
Reviewed-by: Bhupesh Sharma <bhsharma@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com>
Acked-by: Thomas Garnier <thgarnie@google.com>
Cc: <stable@vger.kernel.org> #4.8+
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Matt Fleming <matt@codeblueprint.co.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-efi@vger.kernel.org
Link: http://lkml.kernel.org/r/1490331592-31860-1-git-send-email-bhe@redhat.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-03-24 09:04:27 +01:00
Kees Cook
854fbd6e5f lib/syscall: Clear return values when no stack
Commit:

  aa1f1a6396 ("lib/syscall: Pin the task stack in collect_syscall()")

... added logic to handle a process stack not existing, but left sp and pc
uninitialized, which can be later reported via /proc/$pid/syscall for zombie
processes, potentially exposing kernel memory to userspace.

  Zombie /proc/$pid/syscall before:
  -1 0xffffffff9a060100 0xffff92f42d6ad900

  Zombie /proc/$pid/syscall after:
  -1 0x0 0x0

Reported-by: Robert Święcki <robert@swiecki.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org # v4.9+
Fixes: aa1f1a6396 ("lib/syscall: Pin the task stack in collect_syscall()")
Link: http://lkml.kernel.org/r/20170323224616.GA92694@beast
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-03-24 07:43:35 +01:00
Linus Torvalds
ebe64824e9 Power management fixes for v4.11-rc4
- Make intel_pstate use one set of global P-state limits in the
    active mode regardless of the scaling_governor settings for
    individual CPUs instead of switching back and forth between two
    of them in a way that is hard to control (Rafael Wysocki).
 
  - Drop a useless function from intel_pstate to prevent it from
    modifying the maximum supported frequency value unexpectedly
    which may confuse the cpufreq core (Rafael Wysocki).
 
  - Fix the cpufreq core to restore policy limits on CPU online so
    that the limits are not reset over system suspend/resume, among
    other things (Viresh Kumar).
 
  - Fix the initialization of the schedutil cpufreq governor to
    make the IO-wait boosting mechanism in it actually work on
    systems with one CPU per cpufreq policy (Rafael Wysocki).
 
  - Add a sanity check to the cpuidle core to prevent crashes from
    happening if the architecture code initialization fails to set
    up things as expected (Vaidyanathan Srinivasan).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJY1HLGAAoJEILEb/54YlRxjAsQAIFcYfJKosA8IlmKcricR/WH
 CqBMCH9S6Y5YsggrFjcj3lVJbf5P43/h3U++O+/97lJsevfp4inCChpvVSQIWX4v
 xzk2v+5Ms8ROqVSLy34yTaB0ysCC//J5FvdQLsj0Zw9W/8yvi0DosPfeiAD7sYeb
 4qkJK3+yv5sLtZ41FmdVYabhC5KHQSAV6p6X+KOZnFV8cm+8TfOSERhStXASMTGc
 tvDpjIjPA1GLpHYdOK4UQ+Er1Hgwk2fNX7eXrpHh7QCQx4eZEN+g7DAC95Ify9Am
 gkTFc5eUfOFKU5KMshdQh6gnfoNaKi4d3E/ahmnU+KQuyKiy4KMyTNcuUBszSaDM
 ZTm0GooseV0UajaLH08BNbfpqDsiKc2fm1qkCQkXxpGjs80/bYn5gK+fpvkziq9x
 210Wc7XTWf7JfmPs0d3gZekaohHtqJVigCuA4dXH6kvbDvbDcfKOza6rqNmpSFrQ
 ifWH6M12Ut/G5NfwihhTRhoKkeQjqHFgikNC8BjF2Myem20026Vr6MKZrubDAlkq
 VWP7lT2zNSs1btsNqDrA9+wejwK8OwwrpfZOx3hbYL6Q+u/AuljIJ79aRz8ROZcE
 jQZeOKprmlAaDIASdxIM4yjwzSQE0l/CaHteHfKaddmcWTrtKR+CEfU0ODzYWoK0
 dcQwyMF3tOToj7BjWqKM
 =jy4C
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "One of these is an intel_pstate regression fix and it is not a small
  change, but it mostly removes code that shouldn't be there. That code
  was acquired by mistake and has been a source of constant pain since
  then, so the time has come to get rid of it finally. We have not seen
  problems with this change in the lab, so fingers crossed.

  The rest is more usual: one more intel_pstate commit removing useless
  code, a cpufreq core fix to make it restore policy limits on CPU
  online (which prevents the limits from being reset over system
  suspend/resume), a schedutil cpufreq governor initialization fix to
  make it actually work as advertised on all systems and an extra sanity
  check in the cpuidle core to prevent crashes from happening if the
  arch code messes things up.

  Specifics:

   - Make intel_pstate use one set of global P-state limits in the
     active mode regardless of the scaling_governor settings for
     individual CPUs instead of switching back and forth between two of
     them in a way that is hard to control (Rafael Wysocki).

   - Drop a useless function from intel_pstate to prevent it from
     modifying the maximum supported frequency value unexpectedly which
     may confuse the cpufreq core (Rafael Wysocki).

   - Fix the cpufreq core to restore policy limits on CPU online so that
     the limits are not reset over system suspend/resume, among other
     things (Viresh Kumar).

   - Fix the initialization of the schedutil cpufreq governor to make
     the IO-wait boosting mechanism in it actually work on systems with
     one CPU per cpufreq policy (Rafael Wysocki).

   - Add a sanity check to the cpuidle core to prevent crashes from
     happening if the architecture code initialization fails to set up
     things as expected (Vaidyanathan Srinivasan)"

* tag 'pm-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: Restore policy min/max limits on CPU online
  cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
  cpufreq: intel_pstate: Fix policy data management in passive mode
  cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start()
  cpufreq: intel_pstate: One set of global limits in active mode
2017-03-23 20:00:39 -07:00
Linus Torvalds
02a2cad8e8 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Pull input fixes from Dmitry Torokhov:
 "Fixes to various USB drivers to validate existence of endpoints before
  trying to use them, fixes to APLS v8 protocol, and a couple of i8042
  quirks"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: ALPS - fix trackstick button handling on V8 devices
  Input: ALPS - fix V8+ protocol handling (73 03 28)
  Input: sur40 - validate number of endpoints before using them
  Input: kbtab - validate number of endpoints before using them
  Input: hanwang - validate number of endpoints before using them
  Input: yealink - validate number of endpoints before using them
  Input: ims-pcu - validate number of endpoints before using them
  Input: cm109 - validate number of endpoints before using them
  Input: iforce - validate number of endpoints before using them
  Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
  Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
  Input: synaptics-rmi4 - prevent null pointer dereference in f30
  Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
2017-03-23 19:51:06 -07:00
Dave Airlie
d64a04720b Merge branch 'drm-fixes-4.11' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
A few small fixes for 4.11

* 'drm-fixes-4.11' of git://people.freedesktop.org/~agd5f/linux:
  drm/amd/amdgpu: add POLARIS12 PCI ID
  drm/amdgpu: fix the clearing wb size
  drm/amdgpu: reinstate oland workaround for sclk
  drm/radeon: reinstate oland workaround for sclk
2017-03-24 11:05:06 +10:00
Dave Airlie
f505a5c0ec Merge tag 'drm-misc-fixes-2017-03-23' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes
One fbdev regression fix from Michel

* tag 'drm-misc-fixes-2017-03-23' of git://anongit.freedesktop.org/git/drm-misc:
  drm/fb-helper: Allow var->x/yres(_virtual) < fb->width/height again
2017-03-24 11:04:52 +10:00
Dave Airlie
8201f1e86b Merge branch 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes
Just several fixups,
   - fix page fault and vblank timeout issues due to delayed vblank handling.
   - fix panel driver probing to fail without te-gpios property.
   - fix potential security hole by using "%pK" format.
   - fix wrong if statement condition.

   And one cleanup which removes Exynos4415 SoC support which is not supported
   anymore.

* 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
  drm/exynos/dsi: make te-gpios optional
  drm/exynos: Print kernel pointers in a restricted form
  drm/exynos/decon5433: fix software trigger mask
  drm/exynos/fimd: signal frame done interrupt at front porch
  drm/exynos/decon5433: signal frame done interrupt at front porch
  drm/exynos/decon5433: fix vblank event handling
  drm/exynos: move crtc event handling to drivers callbacks
  drm/exynos: Remove support for Exynos4415 (SoC not supported anymore)
  drm/exynos/decon5433: & vs | typo
2017-03-24 11:04:08 +10:00
Rafael J. Wysocki
90ff2b729e Merge branch 'pm-cpuidle-fixes'
* pm-cpuidle-fixes:
  cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
2017-03-24 00:43:46 +01:00
Rafael J. Wysocki
6488294e4a Merge branches 'pm-cpufreq-fixes', 'pm-cpufreq-sched-fixes' and 'intel_pstate-fixes'
* pm-cpufreq-fixes:
  cpufreq: Restore policy min/max limits on CPU online

* pm-cpufreq-sched-fixes:
  cpufreq: schedutil: Fix per-CPU structure initialization in sugov_start()

* intel_pstate-fixes:
  cpufreq: intel_pstate: Fix policy data management in passive mode
  cpufreq: intel_pstate: One set of global limits in active mode
2017-03-24 00:43:26 +01:00
Stephen Boyd
7f0b97d5bb Allwinner clock fixes for 4.11
A few fixes for a bunch of clocks on a few SoCs. The most important one is
 probably one that fixes the NKMP clock frequency calculation and could end
 up with clocking the CPU frequency to out of bounds rates.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJYz6SKAAoJEBx+YmzsjxAgDOwP/RIJDNpZJNr7b2tiqzLCAgr2
 yYJ9+sO/qBQ3gV2MhusE8BApvjWqTaiuOR/SO53tpGiC/5eX30JzlwTRuf4tLcpe
 sug8KYvL1VHgnQISo4oa+zUglWv0TFZYZKBC5IQhRq01OGo9bHhs/+nSyKpYYQA2
 T+NO8UbeVwOaPGGxYsA0edXtbnqAlDlWeZAxq+smZFyk3q95+O2vYLGRAxGNPK7s
 X8V91Q38ysB7RxeTbyKYd2VdyCqrAupF3OMGnybxpvfQ6ndNjUPe54ljvAlVIV4p
 51i7U4Ayr6YeTmgYYq4wsXWKmxoRtaauIeW0ZuGaCaNjTXY28r68qOVUignHTlRU
 XuV0cfhzxUYp8qbSpS0LEXBWc4aL52V1najYfDMY9tKsc42bhogc//kkssha9dI7
 uvPn4FBg7QsmgFZJwnIL9mujCJGByU1pN1+6JR0oSw5n3cnOyqq5LltyEbFHmGAc
 JTt+a03029fVyvxXa1BQYv05W9ANBqnF13puVRoywGmcRL2L2ytyzhrNSQhuOhSB
 /8kos+IOvrkeMgyCMmT0LGCdls4yd3wH0rl6r3ZNqyZHgD4LF9Qm5/L73GJkRHZP
 ymOU6sTonPsBir/T95PT/LYfsl3wF2YpmrqCuTPyF/Lek24d0SU5s5DO3XRSqKxS
 quM4ey2fux1Qre0OjLJk
 =27Fn
 -----END PGP SIGNATURE-----

Merge tag 'sunxi-clk-fixes-for-4.11' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into clk-fixes

Pull Allwinner clock fixes from Maxime Ripard:

A few fixes for a bunch of clocks on a few SoCs. The most important one is
probably one that fixes the NKMP clock frequency calculation and could end
up with clocking the CPU frequency to out of bounds rates.

* tag 'sunxi-clk-fixes-for-4.11' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
  clk: sunxi-ng: fix recalc_rate formula of NKMP clocks
  clk: sunxi-ng: Fix div/mult settings for osc12M on A64
  clk: sunxi-ng: sun6i: Fix enable bit offset for hdmi-ddc module clock
  clk: sunxi: ccu-sun5i needs nkmp
  clk: sunxi-ng: mp: Adjust parent rate for pre-dividers
2017-03-23 16:08:46 -07:00
Tomasz Nowicki
9abb27c759 PCI: thunder-pem: Add legacy firmware support for Cavium ThunderX host controller
During early days of PCI quirks support, ThunderX firmware did not provide
PNP0c02 node with PCI configuration space and PEM-specific register ranges.
This means that for legacy FW we are not reserving these resources and
cannot gather PEM-specific resources for further PEM initialization.

To support already deployed legacy FW, calculate PEM-specific ranges and
provide resources reservation as fallback scenario into PEM driver when we
could not gather PEM reg base from ACPI tables.

Tested-by: Robert Richter <rrichter@cavium.com>
Signed-off-by: Tomasz Nowicki <tn@semihalf.com>
Signed-off-by: Vadim Lomovtsev <Vadim.Lomovtsev@caviumnetworks.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Robert Richter <rrichter@cavium.com>
CC: stable@vger.kernel.org	# v4.10+
2017-03-23 17:11:26 -05:00
Tomasz Nowicki
81caa91b72 PCI: thunder-pem: Use Cavium assigned hardware ID for ThunderX host controller
"CAV" is the only PNP/ACPI hardware ID vendor prefix assigned to Cavium so
fix this as it should be from day one.

Fixes: 44f22bd91e ("PCI: Add MCFG quirks for Cavium ThunderX pass2.x host controller")
Tested-by: Robert Richter <rrichter@cavium.com>
Signed-off-by: Tomasz Nowicki <tn@semihalf.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Robert Richter <rrichter@cavium.com>
CC: stable@vger.kernel.org	# v4.10+
2017-03-23 17:10:10 -05:00
Andy Shevchenko
e88162f9da Revert "i2c: mux: pca954x: Add ACPI support for pca954x"
In ACPI world any ID should be carefully chosen and registered
officially. The commit bbf9d262a1 seems did a wrong assumption because
PCA is the registered PNP ID for "PHILIPS BU ADD ON CARD". I'm pretty
sure this prefix has nothing to do with the driver in question.

Moreover, newer ACPI specification has a support of _DSD method and
special device IDs to allow drivers be enumerated via compatible string.
The slight change to support this kind of enumeration will be added in
sequential patch against pca954x.c.

Revert the commit bbf9d262a1 for good.

Cc: Tin Huynh <tnhuynh@apm.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Peter Rosin <peda@axentia.se>
2017-03-23 22:12:22 +01:00
Greg Kroah-Hartman
fd290e7096 USB-serial fixes for v4.11-rc4
Some more device ids for option and qcserial.
 
 Signed-off-by: Johan Hovold <johan@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEEHszNKQClByu0A+9RQQ3kT97htJUFAljT/WsRHGpvaGFuQGtl
 cm5lbC5vcmcACgkQQQ3kT97htJUsWRAAwtPPUUc5nqUKZ/a+OsWaJBEdTcCHDU9e
 LZdZyVI3qSzATmNzylD/fCSz7kdxzctInq1Ug6doHTatNuiqC79MhEthLRWNRItQ
 okJeF9HYzK6WcOMHxKrNfvQxRKoRhbhA/cwkLsVx7xay6POHkKd2NsTlOf+X678g
 0lcPG0J7DKefS3Fs9IM3L3+BW2JNoBpBPTya93TmZSi8M2HpCOl7gGq6KCMVjCsW
 o0IyOA8hrA14j7gizahL9P7YG9s134vA12S6KSpV2nJl8g1Z8sIDBSVjpJp1voOd
 /ojNy2bfV6hqAASNkscAo9HxtUG0XTWShT67hzHh/FxXFTcHJhbPkV2NCoyRdTKW
 mAS9gALdkH82f60yyY9318EIffJ1WtPcBcGvCTRcTrQmhSBQQCobNuCOQZfrGPTY
 LDTcsPlkc9WCC4Bnl53Mv4hMEKAoxQQwiV06IwvjpZze73Q6vR3sWqUUNIJngBy2
 4whIpijRBNPRBEHT2oUAxDdqvoDqf9DYcDZ5VubYtwfmGOqMuuyM4uFVvjE1OB4L
 ZhFt3uN7Ut2I4yKsk4jEdFJ4sWcYEI63NMjBxIsrYQKYXYmSU4pL1wXrkuCLsvx5
 vwvuYLRzj544ORVOLNChE+XPAOi7u7tMzK8MTX0dIz7aiNoiaXeTlpSjDn9x+pnW
 x8a1pgToBWA=
 =JfAm
 -----END PGP SIGNATURE-----

Merge tag 'usb-serial-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB-serial fixes for v4.11-rc4

Some more device ids for option and qcserial.

Signed-off-by: Johan Hovold <johan@kernel.org>
2017-03-23 22:07:22 +01:00
Greg Kroah-Hartman
5617c05d44 usb: fixes for v4.11-rc4
f_acm got an endianness fix by Oliver Neukum. This has been around for a
 long time but it's finally fixed.
 
 f_hid learned that it should never access hidg->req without first
 grabbing the spinlock.
 
 Roger Quadros fixed two bugs in the f_uvc function driver.
 
 Janusz Dziedzic fixed a very peculiar bug with EP0, one that's rather
 difficult to trigger. When we're dealing with bounced EP0 requests, we
 should delay unmap until after ->complete() is called.
 
 UDC class got a use-after-free fix.
 -----BEGIN PGP SIGNATURE-----
 
 iQJRBAABCAA7FiEElLzh7wn96CXwjh2IzL64meEamQYFAljTv0EdHGZlbGlwZS5i
 YWxiaUBsaW51eC5pbnRlbC5jb20ACgkQzL64meEamQbhehAAvauDyMvvL4S2PpCS
 zkarfhJfF4xOB8jzyewdz8oN57XogoUQIY6KOXFIIj9sWBt5Kx2zfA7uK3FBeflm
 lEaf2Mkbo3qXw9ChkrpUDEzpezYhnLPOpm7rMoXxseiVhew1Jt6AUjyzxMkOSG+I
 ng/bMRFvJY1Crp7V0kIba0PiR/owlVxZNTad5/C5Fi1wJQtpjd6Ry0cH7Pa/Eh1W
 KI5Mrdwgh0gZJUF8u8O1MZehyUXSTzkjvHeNV7lnL4TE19hoSGngQhvTYhnoU5lT
 XdphOntQ3m4p8rvNuEvqcwuS5BT2HQoW+BwyNdJF+FUtbbrNN2gUjbY5KD7ZuQtT
 cb67cLrQD04t0ig5zFo51SEZQiYei3rBfr8y0RXepY0RAqCzpqsSoXHxZJyfp1xb
 XzNnnYinbOe2bU3b/Ovs3mMQ4kfpygTHVDMT9iYsRJZmD7DGBhG9J6AR5jD+44Js
 etY82xW7pXiDazMm9OnQ4kuMii8nse3QDynhURU7H39Jw8ty4AdIgbngHgCjRvZA
 ulAeanjGtNNsDs0bsL9L3Q2gLUGiW/y5Ds+AQXKH6388FrwwoUYqCeqBIH5xI+wF
 LIErvqZyi3+Jd/SkmvKeubix3vTxgPZ72WY4xdO45vWznKWscyUWdj0OzXpdycLx
 gOK1mf6y9vRsyoyJ9l09JZ6CAsc=
 =BWuW
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-v4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

usb: fixes for v4.11-rc4

f_acm got an endianness fix by Oliver Neukum. This has been around for a
long time but it's finally fixed.

f_hid learned that it should never access hidg->req without first
grabbing the spinlock.

Roger Quadros fixed two bugs in the f_uvc function driver.

Janusz Dziedzic fixed a very peculiar bug with EP0, one that's rather
difficult to trigger. When we're dealing with bounced EP0 requests, we
should delay unmap until after ->complete() is called.

UDC class got a use-after-free fix.
2017-03-23 22:05:10 +01:00
Greg Kroah-Hartman
22db87ba6b phy: for 4.11-rc
*) Revert USB3 PHY support for Broadcom NSP SoC
  *) Fix compiler error on qcom-usb-hs when depends on EXTCON
     is not added
  *) Fix error handling in phy-exynos-pcie
 
 Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJY0o46AAoJEA5ceFyATYLZM5wP/ixfO3WBz1l/aUvfraZ60i0M
 J10tRM3vWvbglRy30AMs+FOcSGlNq1eBWlpqjl8CH2YGGYsL9pjom1y5WDvgud+K
 +KIdoUtZzOa5KbMB0uUaiRw+le0Y30zwv8/DrfidANAAdah597qWtXThloQ4tm/r
 RmRF717ZL3SkkaLi7qcMpYUX0OXAZRPNbmmd0cAL7hwAYXk8WbZCeKu76YJfMckc
 DJgcqWzR2cD38vkGpRvR33vX6km/oeG0FLGXzfUSbUtk2uZETOH3mG+8blef8cVY
 9FUo90TN2rxp3D06QEwdCM3nu0WKuUCdXCcZldjYDZpUTMqeh49fk2DCnT89WyDc
 VsqA/t5dt3I9lMBcXeNbIbJsiBpnIS958Vg0GKkEbgPQNBp5jdwlU6vbz+Xwkh+U
 plcGvhm2r+g+oiULJiHTKO2QwksZ/qTBHLsz4TcGWjxpRu5F9xYe6VNxefPoarwE
 9z+lR9RPCztlHPytOKcpUJcAsZJYlBKq+IkM9pEpuv0g9X8QpTMvwpFKX5/uS5mc
 GX0Zw9bK43J8FgApyBMn92NIWgnlsXK1dHy3I9UORQDrWxPOSu32/rOmPnU8UaKO
 iR0FjGxKliC1BIt0iiHktPw/rwHj1PjZSBHUtmD9iS7/dI6ZizsX+raPHgxcRkW8
 /ESBEM7dxKAGQ0LWJYNY
 =AZDi
 -----END PGP SIGNATURE-----

Merge tag 'phy-for-4.11-rc' of git://git.kernel.org/pub/scm/linux/kernel/git/kishon/linux-phy into usb-linus

Kishon writes:

phy: for 4.11-rc

 *) Revert USB3 PHY support for Broadcom NSP SoC
 *) Fix compiler error on qcom-usb-hs when depends on EXTCON
    is not added
 *) Fix error handling in phy-exynos-pcie

Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
2017-03-23 22:04:26 +01:00
Arnd Bergmann
a2125d0244 hwmon: (asus_atk0110) fix uninitialized data access
The latest gcc-7 snapshot adds a warning to point out that when
atk_read_value_old or atk_read_value_new fails, we copy
uninitialized data into sensor->cached_value:

drivers/hwmon/asus_atk0110.c: In function 'atk_input_show':
drivers/hwmon/asus_atk0110.c:651:26: error: 'value' may be used uninitialized in this function [-Werror=maybe-uninitialized]

Adding an error check avoids this. All versions of the driver
are affected.

Fixes: 2c03d07ad5 ("hwmon: Add Asus ATK0110 support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Luca Tettamanti <kronos.it@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
2017-03-23 12:01:57 -07:00
Linus Torvalds
d038e3dcff sound fixes for 4.11-rc4
This contains the collection of small fixes for 4.11 that were pending
 during my vacation:
 - A few HD-audio quirks (more Dell headset support, docking station
   support on HP laptops),
 - A regression fix for the previous ctxfi DMA mask fix,
 - A correction of the new CONFIG_SND_X86 menu entry, and
 - A fix for the races in ALSA sequencer core spotted by syzkaller.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAljTzpwOHHRpd2FpQHN1
 c2UuZGUACgkQbDGAVD0pKaQzKQ//WmOSF098ORabkxxapsEG9k/8Y5cdChOKmRrT
 pmhbZ0APIxYHnBT09sDqWmCMQJB3hpI1fnGRQxz8TSGgYlWHV+PXwWKQz4XUil5b
 Cq6AznbNZsPCT11AgBRQ5G4CBLIhrL/fGFHqKBZbj0i8RtaLtMzhMUVXy7jQZrK4
 /CsZHUPAEH/TG3w3XDmlRQ0JLfAJ5eb1Vxvtq6aSwZ9C8CFuZqVef6gLbs81MSYz
 ZEpyK1/lRzi6Um/xTcq0bZB5lbXAd6d4K9+6dvog2vQni7rXBr4h3ID+li2Hr6SW
 4m3nxESkWAfXUFDKk6Ib8/LgZVXX5PonF3mnZJGrxQ1ZGFyhmXCvUIzhwOPTGEjo
 PyX9yo8Gh9Avj9kX4DsFFVApX4AwtA104DLz/3uZDVKThZKcWOMEOODDYRHidl3i
 MrWKsZvcilGeQ55xNhzvX/dw2G8Fjxq6892QEyIGNICk+lcTWHXeiTAYtd7iju+w
 587AUOx7BOjqUA0PGY1qqp6sqIIes4zxaXHYttZJhpNEB8Ga/9uUcOwnXj8MmiGc
 U1NWRZ0e+oQ+/08gMWq9aqQCaYwWxXXYFJcHKsJFoaqnrHeiX9gHdZlbkx8ZYZDt
 KMyhPeN/aBTRcwMvnGII7g7ah/dziDHCekfwpINbxp7czb93+a81jFEkwDRgHXQt
 POi+/w4=
 =tHT0
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "This contains the collection of small fixes for 4.11 that were pending
  during my vacation:

   - a few HD-audio quirks (more Dell headset support, docking station
     support on HP laptops)

   - a regression fix for the previous ctxfi DMA mask fix

   - a correction of the new CONFIG_SND_X86 menu entry

   - a fix for the races in ALSA sequencer core spotted by syzkaller"

* tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - Adding a group of pin definition to fix headset problem
  ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
  ALSA: x86: Make CONFIG_SND_X86 bool
  ALSA: hda - add support for docking station for HP 840 G3
  ALSA: hda - add support for docking station for HP 820 G2
  ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
2017-03-23 11:58:08 -07:00
Linus Torvalds
131fbf4f9c Merge branch 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
 "Zygo tracked down a very old bug with inline compressed extents.

  I didn't tag this one for stable because I want to do individual
  tested backports. It's a little tricky and I'd rather do some extra
  testing on it along the way"

* 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
  btrfs: add missing memset while reading compressed inline extents
  Btrfs: fix regression in lock_delalloc_pages
  btrfs: remove btrfs_err_str function from uapi/linux/btrfs.h
2017-03-23 11:39:33 -07:00
Linus Torvalds
f341d9f08a Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Several netfilter fixes from Pablo and the crew:
      - Handle fragmented packets properly in netfilter conntrack, from
        Florian Westphal.
      - Fix SCTP ICMP packet handling, from Ying Xue.
      - Fix big-endian bug in nftables, from Liping Zhang.
      - Fix alignment of fake conntrack entry, from Steven Rostedt.

 2) Fix feature flags setting in fjes driver, from Taku Izumi.

 3) Openvswitch ipv6 tunnel source address not set properly, from Or
    Gerlitz.

 4) Fix jumbo MTU handling in amd-xgbe driver, from Thomas Lendacky.

 5) sk->sk_frag.page not released properly in some cases, from Eric
    Dumazet.

 6) Fix RTNL deadlocks in nl80211, from Johannes Berg.

 7) Fix erroneous RTNL lockdep splat in crypto, from Herbert Xu.

 8) Cure improper inflight handling during AF_UNIX GC, from Andrey
    Ulanov.

 9) sch_dsmark doesn't write to packet headers properly, from Eric
    Dumazet.

10) Fix SCM_TIMESTAMPING_OPT_STATS handling in TCP, from Soheil Hassas
    Yeganeh.

11) Add some IDs for Motorola qmi_wwan chips, from Tony Lindgren.

12) Fix nametbl deadlock in tipc, from Ying Xue.

13) GRO and LRO packets not counted correctly in mlx5 driver, from Gal
    Pressman.

14) Fix reset of internal PHYs in bcmgenet, from Doug Berger.

15) Fix hashmap allocation handling, from Alexei Starovoitov.

16) nl_fib_input() needs stronger netlink message length checking, from
    Eric Dumazet.

17) Fix double-free of sk->sk_filter during sock clone, from Daniel
    Borkmann.

18) Fix RX checksum offloading in aquantia driver, from Pavel Belous.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (85 commits)
  net:ethernet:aquantia: Fix for RX checksum offload.
  amd-xgbe: Fix the ECC-related bit position definitions
  sfc: cleanup a condition in efx_udp_tunnel_del()
  Bluetooth: btqcomsmd: fix compile-test dependency
  inet: frag: release spinlock before calling icmp_send()
  tcp: initialize icsk_ack.lrcvtime at session start time
  genetlink: fix counting regression on ctrl_dumpfamily()
  socket, bpf: fix sk_filter use after free in sk_clone_lock
  ipv4: provide stronger user input validation in nl_fib_input()
  bpf: fix hashmap extra_elems logic
  enic: update enic maintainers
  net: bcmgenet: remove bcmgenet_internal_phy_setup()
  ipv6: make sure to initialize sockc.tsflags before first use
  fjes: Do not load fjes driver if extended socket device is not power on.
  fjes: Do not load fjes driver if system does not have extended socket device.
  net/mlx5e: Count LRO packets correctly
  net/mlx5e: Count GSO packets correctly
  net/mlx5: Increase number of max QPs in default profile
  net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps
  net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
  ...
2017-03-23 11:29:49 -07:00
David Hildenbrand
90db10434b KVM: kvm_io_bus_unregister_dev() should never fail
No caller currently checks the return value of
kvm_io_bus_unregister_dev(). This is evil, as all callers silently go on
freeing their device. A stale reference will remain in the io_bus,
getting at least used again, when the iobus gets teared down on
kvm_destroy_vm() - leading to use after free errors.

There is nothing the callers could do, except retrying over and over
again.

So let's simply remove the bus altogether, print an error and make
sure no one can access this broken bus again (returning -ENOMEM on any
attempt to access it).

Fixes: e93f8a0f82 ("KVM: convert io_bus to SRCU")
Cc: stable@vger.kernel.org # 3.4+
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reviewed-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-23 19:02:25 +01:00
Wanpeng Li
08d839c4b1 KVM: VMX: Fix enable VPID conditions
This can be reproduced by running L2 on L1, and disable VPID on L0
if w/o commit "KVM: nVMX: Fix nested VPID vmx exec control", the L2
crash as below:

KVM: entry failed, hardware error 0x7
EAX=00000000 EBX=00000000 ECX=00000000 EDX=000306c3
ESI=00000000 EDI=00000000 EBP=00000000 ESP=00000000
EIP=0000fff0 EFL=00000002 [-------] CPL=0 II=0 A20=1 SMM=0 HLT=0
ES =0000 00000000 0000ffff 00009300
CS =f000 ffff0000 0000ffff 00009b00
SS =0000 00000000 0000ffff 00009300
DS =0000 00000000 0000ffff 00009300
FS =0000 00000000 0000ffff 00009300
GS =0000 00000000 0000ffff 00009300
LDT=0000 00000000 0000ffff 00008200
TR =0000 00000000 0000ffff 00008b00
GDT=     00000000 0000ffff
IDT=     00000000 0000ffff
CR0=60000010 CR2=00000000 CR3=00000000 CR4=00000000
DR0=0000000000000000 DR1=0000000000000000 DR2=0000000000000000 DR3=0000000000000000
DR6=00000000ffff0ff0 DR7=0000000000000400
EFER=0000000000000000

Reference SDM 30.3 INVVPID:

Protected Mode Exceptions
- #UD
  - If not in VMX operation.
  - If the logical processor does not support VPIDs (IA32_VMX_PROCBASED_CTLS2[37]=0).
  - If the logical processor supports VPIDs (IA32_VMX_PROCBASED_CTLS2[37]=1) but does
    not support the INVVPID instruction (IA32_VMX_EPT_VPID_CAP[32]=0).

So we should check both VPID enable bit in vmx exec control and INVVPID support bit
in vmx capability MSRs to enable VPID. This patch adds the guarantee to not enable
VPID if either INVVPID or single-context/all-context invalidation is not exposed in
vmx capability MSRs.

Reviewed-by: David Hildenbrand <david@redhat.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-23 19:02:22 +01:00
Wanpeng Li
63cb6d5f00 KVM: nVMX: Fix nested VPID vmx exec control
This can be reproduced by running kvm-unit-tests/vmx.flat on L0 w/ vpid disabled.

Test suite: VPID
Unhandled exception 6 #UD at ip 00000000004051a6
error_code=0000      rflags=00010047      cs=00000008
rax=0000000000000000 rcx=0000000000000001 rdx=0000000000000047 rbx=0000000000402f79
rbp=0000000000456240 rsi=0000000000000001 rdi=0000000000000000
r8=000000000000000a  r9=00000000000003f8 r10=0000000080010011 r11=0000000000000000
r12=0000000000000003 r13=0000000000000708 r14=0000000000000000 r15=0000000000000000
cr0=0000000080010031 cr2=0000000000000000 cr3=0000000007fff000 cr4=0000000000002020
cr8=0000000000000000
STACK: @4051a6 40523e 400f7f 402059 40028f

We should hide and forbid VPID in L1 if it is disabled on L0. However, nested VPID
enable bit is set unconditionally during setup nested vmx exec controls though VPID
is not exposed through nested VMX capablity. This patch fixes it by don't set nested
VPID enable bit if it is disabled on L0.

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 5c614b3583 (KVM: nVMX: nested VPID emulation)
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-23 19:02:14 +01:00
Wanpeng Li
24dccf83a1 KVM: x86: correct async page present tracepoint
After async pf setup successfully, there is a broadcast wakeup w/ special
token 0xffffffff which tells vCPU that it should wake up all processes
waiting for APFs though there is no real process waiting at the moment.

The async page present tracepoint print prematurely and fails to catch the
special token setup. This patch fixes it by moving the async page present
tracepoint after the special token setup.

Before patch:

qemu-system-x86-8499  [006] ...1  5973.473292: kvm_async_pf_ready: token 0x0 gva 0x0

After patch:

qemu-system-x86-8499  [006] ...1  5973.473292: kvm_async_pf_ready: token 0xffffffff gva 0x0

Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-03-23 19:02:07 +01:00
Jim Mattson
fb6c819843 kvm: vmx: Flush TLB when the APIC-access address changes
Quoting from the Intel SDM, volume 3, section 28.3.3.4: Guidelines for
Use of the INVEPT Instruction:

If EPT was in use on a logical processor at one time with EPTP X, it
is recommended that software use the INVEPT instruction with the
"single-context" INVEPT type and with EPTP X in the INVEPT descriptor
before a VM entry on the same logical processor that enables EPT with
EPTP X and either (a) the "virtualize APIC accesses" VM-execution
control was changed from 0 to 1; or (b) the value of the APIC-access
address was changed.

In the nested case, the burden falls on L1, unless L0 enables EPT in
vmcs02 when L1 doesn't enable EPT in vmcs12.

Signed-off-by: Jim Mattson <jmattson@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2017-03-23 19:02:06 +01:00
Peter Xu
c761159cf8 KVM: x86: use pic/ioapic destructor when destroy vm
We have specific destructors for pic/ioapic, we'd better use them when
destroying the VM as well.

Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2017-03-23 19:02:06 +01:00
Peter Xu
950712eb8e KVM: x86: check existance before destroy
Mostly used for split irqchip mode. In that case, these two things are
not inited at all, so no need to release.

Signed-off-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2017-03-23 19:02:03 +01:00