Commit Graph

815968 Commits

Author SHA1 Message Date
David Rientjes
3f14a89d11 kvm: sev: Fail KVM_SEV_INIT if already initialized
By code inspection, it was found that multiple calls to KVM_SEV_INIT
could deplete asid bits and overwrite kvm_sev_info's regions_list.

Multiple calls to KVM_SVM_INIT are not likely to occur with QEMU, but this
should likely be fixed anyway.

This code is serialized by kvm->lock.

Fixes: 1654efcbc4 ("KVM: SVM: Add KVM_SEV_INIT command")
Reported-by: Cfir Cohen <cfir@google.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2019-01-11 18:38:07 +01:00
Tomas Bortoli
98938aa8ed KVM: validate userspace input in kvm_clear_dirty_log_protect()
The function at issue does not fully validate the content of the
structure pointed by the log parameter, though its content has just been
copied from userspace and lacks validation. Fix that.

Moreover, change the type of n to unsigned long as that is the type
returned by kvm_dirty_bitmap_bytes().

Signed-off-by: Tomas Bortoli <tomasbortoli@gmail.com>
Reported-by: syzbot+028366e52c9ace67deb3@syzkaller.appspotmail.com
[Squashed the fix from Paolo. - Radim.]
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2019-01-11 18:38:07 +01:00
Gustavo A. R. Silva
d14eff1bc5 KVM: x86: Fix bit shifting in update_intel_pt_cfg
ctl_bitmask in pt_desc is of type u64. When an integer like 0xf is
being left shifted more than 32 bits, the behavior is undefined.

Fix this by adding suffix ULL to integer 0xf.

Addresses-Coverity-ID: 1476095 ("Bad bit shift operation")
Fixes: 6c0f0bba85 ("KVM: x86: Introduce a function to initialize the PT configuration")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>
Reviewed-by: Luwei Kang <luwei.kang@intel.com>
Signed-off-by: Radim Krčmář <rkrcmar@redhat.com>
2019-01-11 18:38:07 +01:00
Linus Torvalds
e8af37f3f4 Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
 "A 32-bit build fix, CONFIG_RETPOLINE fixes and rename CONFIG_RESCTRL
  to CONFIG_X86_RESCTRL"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86, modpost: Replace last remnants of RETPOLINE with CONFIG_RETPOLINE
  x86/cache: Rename config option to CONFIG_X86_RESCTRL
  samples/seccomp: Fix 32-bit build
2019-01-11 09:07:19 -08:00
Linus Torvalds
8e1b295b69 ACPI fixes for 5.0-rc2
  - Fix build failures with both CONFIG_NLS and CONFIG_PCI unset that
    can occur since ACPI can be built without PCI now (Sinan Kaya).
 
  - Clean up the handling of duplicate entries in power resource lists
    returned by _PRx evaluation to avoid triggering WARN_ON() on
    attempts to add duplicate symlinks in sysfs (Hans de Goede).
 
  - Fix issues with the TS current-source switching on systems using
    the xpower PMIC by avoiding to update unrelated bits in the TS
    pin-ctrl register and avoiding to unconditionally enable TS
    current-source on systems where it is not used (Hans de Goede).
 
  - Fix addresses in NUMA-related messages on 32-bit with PAE which
    can be truncated due to integer type conversions (Chao Fan).

Merge tag 'acpi-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "Fix a build failure introduced recently, fix the xpower PMIC ACPI
  driver, clean up the handling of duplicate entries in _PRx power
  resource lists and fix addresses in NUMA-related messages on 32-bit
  with PAE.

  Specifics:

   - Fix build failures with both CONFIG_NLS and CONFIG_PCI unset that
     can occur since ACPI can be built without PCI now (Sinan Kaya).

   - Clean up the handling of duplicate entries in power resource lists
     returned by _PRx evaluation to avoid triggering WARN_ON() on
     attempts to add duplicate symlinks in sysfs (Hans de Goede).

   - Fix issues with the TS current-source switching on systems using
     the xpower PMIC by avoiding to update unrelated bits in the TS
     pin-ctrl register and avoiding to unconditionally enable TS
     current-source on systems where it is not used (Hans de Goede).

   - Fix addresses in NUMA-related messages on 32-bit with PAE which can
     be truncated due to integer type conversions (Chao Fan)"

* tag 'acpi-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / PMIC: xpower: Fix TS-pin current-source handling
  ACPI: NUMA: Use correct type for printing addresses on i386-PAE
  ACPI: power: Skip duplicate power resource references in _PRx
  ACPI: Fix build failure when CONFIG_NLS is set to 'n'
2019-01-11 09:04:36 -08:00
Linus Torvalds
f4f31fff32 Power management updates for 5.0-rc2
  - Prevent integer overflows from occurring on 32-bit when
    converting milliseconds to nanoseconds in the runtime PM
    framework and update comments that still refer to jiffies
    in it (Vincent Guittot, Ladislav Michl).
 
  - Fix the SCMI cpufreq driver to always use the same frequency
    units for arch_set_freq_scale() and make the scale-invariant
    load tracking actually work with this driver (Quentin Perret).
 
  - Fix freeing of dynamic OPPs in the SCPI and SCMI cpufreq drivers
    broken during the 4.20 development cycle (Viresh Kumar).
 
  - Prevent the cpufreq core from attempting to return the current
    frequency of offline CPUs (Sudeep Holla).
 
  - Add devfreq suspend and resume hooks (missed previously) to the
    PM core to make the recently added system suspend and resume
    support in devfreq actually work (Lukasz Luba).
 
  - Update MAINTAINERS entries for cpufreq and cpuidle, mostly to add
    references to new/current documentation to them (Rafael Wysocki).
 
  - Fix a recently broken reference to cpuidle documentation (Otto
    Sabart).

Merge tag 'pm-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management updates from Rafael Wysocki:
 "These fix fallout after starting to use hrtimers in the runtime PM
  framework, fix a few cpufreq issues, fix a recently broken reference
  to cpuidle documentation, update MAINTAINERS entries for cpufreq and
  cpuidle and make the recently added system suspend and resume support
  in devfreq actually work.

  Specifics:

   - Prevent integer overflows from occurring on 32-bit when converting
     milliseconds to nanoseconds in the runtime PM framework and update
     comments that still refer to jiffies in it (Vincent Guittot,
     Ladislav Michl).

   - Fix the SCMI cpufreq driver to always use the same frequency units
     for arch_set_freq_scale() and make the scale-invariant load
     tracking actually work with this driver (Quentin Perret).

   - Fix freeing of dynamic OPPs in the SCPI and SCMI cpufreq drivers
     broken during the 4.20 development cycle (Viresh Kumar).

   - Prevent the cpufreq core from attempting to return the current
     frequency of offline CPUs (Sudeep Holla).

   - Add devfreq suspend and resume hooks (missed previously) to the PM
     core to make the recently added system suspend and resume support
     in devfreq actually work (Lukasz Luba).

   - Update MAINTAINERS entries for cpufreq and cpuidle, mostly to add
     references to new/current documentation to them (Rafael Wysocki).

   - Fix a recently broken reference to cpuidle documentation (Otto
     Sabart)"

* tag 'pm-5.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM-runtime: Fix autosuspend_delay on 32bits arch
  PM-runtime: Fix 'jiffies' in comments after switch to hrtimers
  cpufreq: scmi: Fix frequency invariance in slow path
  doc: trace: fix reference to cpuidle documentation file
  cpufreq: check if policy is inactive early in __cpufreq_get()
  cpufreq: scpi/scmi: Fix freeing of dynamic OPPs
  cpuidle / Documentation: Update cpuidle MAINTAINERS entry
  cpufreq / Documentation: Update cpufreq MAINTAINERS entry
  PM: sleep: call devfreq suspend/resume
2019-01-11 09:01:43 -08:00
Linus Torvalds
385c59c7ba drm: amdgpu + tc358767 bridge + amd mst s/r fix

Merge tag 'drm-fixes-2019-01-11' of git://anongit.freedesktop.org/drm/drm

Pull drm fixes from Dave Airlie:
 "Not a huge amount for rc2, assume the usual quiet period, and rc3 will
  be most of it.

  amdgpu:
   - Powerplay fixes
   - Virtual display pinning fixes
   - Golden register updates for Vega
   - Pitch and gem size validation fixes
   - SR-IOV init error fix
   - Pagetables in system RAM disable for some Raven system
   - DP-MST resume fixes

  tc358767 bridge:
   - fix to work with displayport connector"

* tag 'drm-fixes-2019-01-11' of git://anongit.freedesktop.org/drm/drm: (26 commits)
  drm/amdgpu: disable system memory page tables for now
  drm/amdgpu: set WRITE_BURST_LENGTH to 64B to workaround SDMA1 hang
  drm/amdgpu: fix CPDMA hang in PRT mode for VEGA20
  drm/bridge: tc358767: use DP connector if no panel set
  drm/bridge: tc358767: fix output H/V syncs
  drm/bridge: tc358767: reject modes which require too much BW
  drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value
  drm/bridge: tc358767: fix single lane configuration
  drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE
  drm/bridge: tc358767: add bus flags
  drm/dp_mst: Add __must_check to drm_dp_mst_topology_mgr_resume()
  drm/amdgpu: Don't fail resume process if resuming atomic state fails
  drm/amdgpu: Don't ignore rc from drm_dp_mst_topology_mgr_resume()
  drm/amdgpu: validate user GEM object size
  drm/amdgpu: validate user pitch alignment
  drm/amd/powerplay: drop the unnecessary uclk hard min setting
  drm/amd/powerplay: avoid possible buffer overflow
  drm/amd/powerplay: create pp_od_clk_voltage device file under OD support
  drm/amd/powerplay: update OD support flag for SKU with no OD capabilities
  drm/amdgpu: make gfx9 enter into rlc safe mode when set MGCG
  ...
2019-01-11 08:58:02 -08:00
David Hildenbrand
60f1bf29c0 s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
When calling smp_call_ipl_cpu() from the IPL CPU, we will try to read
from pcpu_devices->lowcore. However, due to prefixing, that will result
in reading from absolute address 0 on that CPU. We have to go via the
actual lowcore instead.

This means that right now, we will read lc->nodat_stack == 0 and
therefore work on a very wrong stack.

This BUG essentially broke rebooting under QEMU TCG (which will report
a low address protection exception). And checking under KVM, it is
also broken under KVM. With 1 VCPU it can be easily triggered.

:/# echo 1 > /proc/sys/kernel/sysrq
:/# echo b > /proc/sysrq-trigger
[   28.476745] sysrq: SysRq : Resetting
[   28.476793] Kernel stack overflow.
[   28.476817] CPU: 0 PID: 424 Comm: sh Not tainted 5.0.0-rc1+ #13
[   28.476820] Hardware name: IBM 2964 NE1 716 (KVM/Linux)
[   28.476826] Krnl PSW : 0400c00180000000 0000000000115c0c (pcpu_delegate+0x12c/0x140)
[   28.476861]            R:0 T:1 IO:0 EX:0 Key:0 M:0 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3
[   28.476863] Krnl GPRS: ffffffffffffffff 0000000000000000 000000000010dff8 0000000000000000
[   28.476864]            0000000000000000 0000000000000000 0000000000ab7090 000003e0006efbf0
[   28.476864]            000000000010dff8 0000000000000000 0000000000000000 0000000000000000
[   28.476865]            000000007fffc000 0000000000730408 000003e0006efc58 0000000000000000
[   28.476887] Krnl Code: 0000000000115bfe: 4170f000            la      %r7,0(%r15)
[   28.476887]            0000000000115c02: 41f0a000            la      %r15,0(%r10)
[   28.476887]           #0000000000115c06: e370f0980024        stg     %r7,152(%r15)
[   28.476887]           >0000000000115c0c: c0e5fffff86e        brasl   %r14,114ce8
[   28.476887]            0000000000115c12: 41f07000            la      %r15,0(%r7)
[   28.476887]            0000000000115c16: a7f4ffa8            brc     15,115b66
[   28.476887]            0000000000115c1a: 0707                bcr     0,%r7
[   28.476887]            0000000000115c1c: 0707                bcr     0,%r7
[   28.476901] Call Trace:
[   28.476902] Last Breaking-Event-Address:
[   28.476920]  [<0000000000a01c4a>] arch_call_rest_init+0x22/0x80
[   28.476927] Kernel panic - not syncing: Corrupt kernel stack, can't continue.
[   28.476930] CPU: 0 PID: 424 Comm: sh Not tainted 5.0.0-rc1+ #13
[   28.476932] Hardware name: IBM 2964 NE1 716 (KVM/Linux)
[   28.476932] Call Trace:

Fixes: 2f859d0dad ("s390/smp: reduce size of struct pcpu")
Cc: stable@vger.kernel.org # 4.0+
Reported-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: David Hildenbrand <david@redhat.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-11 17:12:03 +01:00
Vasily Gorbik
190f056fba s390/vdso: correct vdso mapping for compat tasks
While "s390/vdso: avoid 64-bit vdso mapping for compat tasks" fixed
64-bit vdso mapping for compat tasks under gdb it introduced another
problem. "compat_mm" flag is not inherited during fork and when
31-bit process forks a child (but does not perform exec) it ends up
with 64-bit vdso. To address that, init_new_context (which is called
during fork and exec) now initializes compat_mm based on thread TIF_31BIT
flag. Later compat_mm is adjusted in arch_setup_additional_pages, which
is called during exec.

Fixes: d1befa6582 ("s390/vdso: avoid 64-bit vdso mapping for compat tasks")
Reported-by: Stefan Liebler <stli@linux.ibm.com>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: <stable@vger.kernel.org> # v4.20+
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-11 17:12:02 +01:00
Gerald Schaefer
b7cb707c37 s390/smp: fix CPU hotplug deadlock with CPU rescan
smp_rescan_cpus() is called without the device_hotplug_lock, which can lead
to a deadlock when a new CPU is found and immediately set online by a udev
rule.

This was observed on an older kernel version, where the cpu_hotplug_begin()
loop was still present, and it resulted in hanging chcpu and systemd-udev
processes. This specific deadlock will not show on current kernels. However,
there may be other possible deadlocks, and since smp_rescan_cpus() can still
trigger a CPU hotplug operation, the device_hotplug_lock should be held.

For reference, this was the deadlock with the old cpu_hotplug_begin() loop:

        chcpu (rescan)                       systemd-udevd

 echo 1 > /sys/../rescan
 -> smp_rescan_cpus()
 -> (*) get_online_cpus()
    (increases refcount)
 -> smp_add_present_cpu()
    (new CPU found)
 -> register_cpu()
 -> device_add()
 -> udev "add" event triggered -----------> udev rule sets CPU online
                                         -> echo 1 > /sys/.../online
                                         -> lock_device_hotplug_sysfs()
                                            (this is missing in rescan path)
                                         -> device_online()
                                         -> (**) device_lock(new CPU dev)
                                         -> cpu_up()
                                         -> cpu_hotplug_begin()
                                            (loops until refcount == 0)
                                            -> deadlock with (*)
 -> bus_probe_device()
 -> device_attach()
 -> device_lock(new CPU dev)
    -> deadlock with (**)

Fix this by taking the device_hotplug_lock in the CPU rescan path.

Cc: <stable@vger.kernel.org>
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-11 17:12:02 +01:00
Martin Schwidefsky
a38662084c s390/mm: always force a load of the primary ASCE on context switch
The ASCE of an mm_struct can be modified after a task has been created,
e.g. via crst_table_downgrade for a compat process. The active_mm logic
to avoid the switch_mm call if the next task is a kernel thread can
lead to a situation where switch_mm is called where 'prev == next' is
true but 'prev->context.asce == next->context.asce' is not.

This can lead to a situation where a CPU uses the outdated ASCE to run
a task. The result can be a crash, endless loops and really subtle
problem due to TLBs being created with an invalid ASCE.

Cc: stable@kernel.org # v3.15+
Fixes: 53e857f308 ("s390/mm,tlb: race of lazy TLB flush vs. recreation")
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-11 17:12:02 +01:00
Christian Borntraeger
03aa047ef2 s390/early: improve machine detection
Right now the early machine detection code checks stsi 3.2.2 for "KVM"
and sets MACHINE_IS_VM if this is different. As the console detection
uses diagnose 8 if MACHINE_IS_VM returns true this will crash Linux
early for any non z/VM system that sets a different value than KVM.
So instead of assuming z/VM, do not set any of MACHINE_IS_LPAR,
MACHINE_IS_VM, or MACHINE_IS_KVM.

CC: stable@vger.kernel.org
Reviewed-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
2019-01-11 17:12:02 +01:00
Dmitry Safonov
d3736d82e8 tty: Don't hold ldisc lock in tty_reopen() if ldisc present
Try to get reference for ldisc during tty_reopen().
If ldisc present, we don't need to do tty_ldisc_reinit() and lock the
write side for line discipline semaphore.
Effectively, it optimizes fast-path for tty_reopen(), but more
importantly it won't interrupt ongoing IO on the tty as no ldisc change
is needed.
Fixes user-visible issue when tty_reopen() interrupted login process for
user with a long password, observed and reported by Lukas.

Fixes: c96cf923a9 ("tty: Don't block on IO when ldisc change is pending")
Fixes: 83d817f410 ("tty: Hold tty_ldisc_lock() during tty_reopen()")
Cc: Jiri Slaby <jslaby@suse.com>
Reported-by: Lukas F. Hartmann <lukas@mntmn.com>
Tested-by: Lukas F. Hartmann <lukas@mntmn.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Dmitry Safonov <dima@arista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-01-11 17:03:42 +01:00
Greg Kroah-Hartman
411aba3c12 Three bug fixes for different parts of the hyper-v code:
  - Fix for a lockup when changing NIC's MTU from Dexuan.
  - Fix of use of uninitialized memory from Dexuan.
  - Fix for memory corruption caused by ballooning from Vitaly.
 
 All 3 were tested internally.

Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux into char-misc-linus

Sasha writes:

Three bug fixes for different parts of the hyper-v code:

 - Fix for a lockup when changing NIC's MTU from Dexuan.
 - Fix of use of uninitialized memory from Dexuan.
 - Fix for memory corruption caused by ballooning from Vitaly.

All 3 were tested internally.

* tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux:
  vmbus: fix subchannel removal
  hv_balloon: avoid touching uninitialized struct page during tail onlining
  Drivers: hv: vmbus: Check for ring when getting debug info
2019-01-11 15:28:48 +01:00
Martin Blumenstingl
e3e4767bd5 mmc: core: don't override the CD GPIO level when "cd-inverted" is set
Since commit 89a5e15bcb ("gpio/mmc/of: Respect polarity in the device
tree") gpiolib-of parses the "cd-gpios" property and flips the polarity
if "cd-inverted" is also set. This results in the "cd-inverted" property
being evaluated twice, which effectively makes it a no-op:
- first in drivers/gpio/gpiolib-of.c (of_xlate_and_get_gpiod_flags) when
  setting up the CD GPIO
- then again in drivers/mmc/core/slot-gpio.c (mmc_gpio_get_cd) when
  reading the CD GPIO value at runtime

On boards which are using device-tree with the "cd-inverted" property
being set any inserted cards are not detected anymore. This is due to the
MMC core treating the CD GPIO with the wrong polarity.

Disable "override_cd_active_level" for the card detection GPIO which is
parsed using mmc_of_parse. This fixes SD card detection on the boards
which are currently using the "cd-inverted" device-tree property (tested
on Meson8b Odroid-C1 and Meson8b EC-100).

This does not remove the CD GPIO inversion logic from the MMC core
because there's at least one driver (sdhci-pci-core for Intel BayTrail
based boards) which still passes "override_cd_active_level = true" to
mmc_gpiod_request_cd(). Due to lack of hardware for testing this is left
untouched.
In the future the GPIO inversion logic for both, card and read-only
detection can be removed once no driver is using it anymore.

Fixes: 89a5e15bcb ("gpio/mmc/of: Respect polarity in the device tree")
Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Tested-by: Anand Moon <linux.amoon@gmail.com>
Tested-by: Loys Ollivier <loys.ollivier@gmail.com>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2019-01-11 15:27:35 +01:00
Ryder Lee
2d2d478576 pinctrl: mediatek: fix Kconfig build errors for moore core
on i386 or x86_64:

Lots of build errors for drivers/pinctrl/mediatek/pinctrl-moore.c when
CONFIG_OF is not enabled (but COMPILE_TEST is).

first this:
WARNING: unmet direct dependencies detected for PINCTRL_MTK_MOORE
  Depends on [n]: PINCTRL [=y] && (ARCH_MEDIATEK || COMPILE_TEST [=y])
  && OF [=n]
  Selected by [y]:
  - PINCTRL_MT7623 [=y] && PINCTRL [=y] &&
  (ARCH_MEDIATEK || COMPILE_TEST [=y]) && (MACH_MT7623 || COMPILE_TEST [=y])

and then:
../drivers/pinctrl/mediatek/pinctrl-moore.c:22:44: error: array type has
   incomplete element type
   static const struct pinconf_generic_params mtk_custom_bindings[] = {
(etc)

Fixes: b5af33df50 ("pinctrl: mediatek: improve Kconfig dependencies")
Cc: stable@vger.kernel.org
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Acked-by: Sean Wang <sean.wang@kernel.org>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2019-01-11 15:22:49 +01:00
Lorenzo Bianconi
5c9decdfbb mt76: add led support to mt76x0e driver
Move mt76x02 led support in mt76x02-lib module in order to
add tpt led trigger to mt76x0e driver

Tested-by: LGA1150 <dqfext@gmail.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:19 +01:00
Lorenzo Bianconi
3121742915 mt76: use proper name for __MT76x02_H macro
Use proper name for __MT76x02_H macro in mt76x02.h

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:19 +01:00
Lorenzo Bianconi
e76deac6f0 mt76: dma: avoid indirect call in mt76_dma_tx_queue_skb
Call mt76_dma_add_buf routine directly in mt76_dma_tx_queue_skb
and avoid indirect call if not necessary

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:19 +01:00
Colin Ian King
32fb47fd9c mt76: make const array 'data' static, shrinks object size
Don't populate the const array 'data' on the stack but instead
make it static. Makes the object code smaller by 78 bytes:

Before:
   text    data     bss     dec     hex filename
   5438    1080       0    6518    1976 mediatek/mt76/mt76x2/usb_mcu.o

After:
   text    data     bss     dec     hex filename
   5296    1144       0    6440    1928 mediatek/mt76/mt76x2/usb_mcu.o

(gcc version 8.2.0 x86_64)

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:19 +01:00
Lorenzo Bianconi
c1e0d2be0a mt76: mmio: introduce mt76x02_check_tx_hang watchdog
Port mt76x02_check_tx_hang watchdog from vendor driver in order to
perform a device reset when tx mac/dma logic hangs. Tx mac/dma stuck
has been observed when the device is heavy loaded or in a noisy
environment. Moreover introduce wdt delayed work in order to run
tx_hang watchdog. For the moment run mt76x02_check_tx_hang watchdog
just on mt76x2 devices since the issue has not been observed on mt76x0
driver yet

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:19 +01:00
Lorenzo Bianconi
87e86f9019 mt76: dma: do not build skb if reported len does not fit in buf_size
Precompute data length in order to avoid to allocate the related
skb data structure if reported length does not fit in queue buf_size

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:18 +01:00
Lorenzo Bianconi
c09f4d0a1f mt76: mac: minor optimizations in mt76x02_mac_tx_rate_val
Do not set bw variable to zero for legacy rates since it is already
initialized to zero. Moreover set nss to 1 just for legacy rates
since nss will be properly set for VHT/HT rates

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:18 +01:00
Lorenzo Bianconi
f82ce8d9bd mt76: add energy detect CCA support to mt76x{0,2}e drivers
Ported from the reference driver. Should fix compliance with ETSI
regulatories on preventing transmission while energy detect values
are above the threshold.
The code has been tested using an ath9k device running tx99 as
noise generator

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:18 +01:00
Lorenzo Bianconi
3fd612df8a mt76x2: init: set default value for MT_TX_LINK_CFG
Update default value for MT_TX_LINK_CFG according to vendor driver

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:18 +01:00
Lorenzo Bianconi
35c572818c mt76: dfs: run mt76x02_dfs_set_domain atomically
Grab mt76_dev mutex in mt76x02_dfs_set_domain since it runs
concurrently with mt76x{0,2}_set_channel routines

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:17 +01:00
Lorenzo Bianconi
bf349ce16e mt76x2: add static qualifier to mt76x2_init_hardware
Add static qualifier to mt76x2_init_hardware routine since it is
used just in pci_init.c

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:17 +01:00
Stanislaw Gruszka
9bc29420d7 mt76x0: configure MT_VHT_HT_FBK_CFG1
Configure MT_VHT_HT_FBK_CFG1 values similar like vendor driver.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:17 +01:00
Stanislaw Gruszka
26a7b54731 mt76x02: set protection according to ht operation element
Configure protection based on information that are provided to
us either by remote AP or by hostapd via HT operation IE.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:17 +01:00
Stanislaw Gruszka
493d2dfab3 mt76x02: fixup MT_PROT_RATE_* defines
On new mt76 chips, phy mode is configured by last 3 bits
of rate value. Hence OFDM bit is marked by 0x2000
instead of 0x4000.

Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:17 +01:00
Stanislaw Gruszka
20ce270e5a mt76x02: do not set protection on set_rts_threshold callback
Use set_rts_threshold callback to enable/disable threshold only for
legacy traffic.

Protection for HT and VHT traffic is defined by HT operation element
and it's provided by remote AP or by hostapd.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:16 +01:00
Lorenzo Bianconi
b9f81643b6 mt76x0: pci: fix ACS support
Fix Automatic Channel Selection (ACS) support in mt76x0e driver
configuring properly MT_CH_TIME_CFG register

Fixes: 6250318694 ("mt76x0: pci: add get_survey support")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:16 +01:00
Lorenzo Bianconi
e207afa023 mt76: usb: avoid queue/status spinlocks while passing tx status to mac80211
As already done for pcie code in commit 79d1c94c9c ("mt76: avoid
queue/status spinlocks while passing tx status to mac80211") make sure
that no tx related spinlocks are taken during the ieee80211_tx_status call

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:16 +01:00
Lorenzo Bianconi
4989338ed3 mt76: mac: run mt76x02_mac_work routine atomically
Grab mt76_dev mutex in mt76x02_mac_work handler since it runs
concurrently with mt76x{0,2}_set_channel routines

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:16 +01:00
Lorenzo Bianconi
374eb1b555 mt76: fix typo in mt76x02_check_mac_err routine
Reconfigure properly MT_MAC_SYS_CTRL register after mac sw-reset
in mt76x02_check_mac_err routine

Fixes: 73556561ab ("mt76x0: use mt76x02_mac_work as stats handler")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:16 +01:00
Hauke Mehrtens
85b7e2acd3 mt76: Add missing include of linux/module.h
MODULE_FIRMWARE() is used in usb_mcu.c and provided by linux/module.h,
but this header file is not directly included. This causes problems in
backports with some kernel versions.

Add the missing include.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:15 +01:00
Lorenzo Bianconi
0ecf94dc36 mt76: usb: do not build the skb if reported len does not fit in buf_size
Precompute data length in order to avoid allocating the related
skb data structure if reported length does not fit in queue buf_size

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:15 +01:00
Lorenzo Bianconi
4d4b12bc56 mt76: dma: remove napi from mt76_dma_rx_fill signature
Remove napi from mt76_dma_rx_fill routine signature since
it is a leftover of a previous implementation and it is no
longer used

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:15 +01:00
Felix Fietkau
7267a7965d mt76: request tx status for powersave released EOSP packet
Allows mac80211 to keep track of the service period

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:15 +01:00
Felix Fietkau
cbbfd73767 mt76: throttle transmission of buffered multicast packets
Avoids drowning out regular transmissions

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:14 +01:00
Felix Fietkau
9fe3105465 mt76: add size check for additional rx fragments
So far the code only validates the buffer size of the first skb.
Extend this check to cover additional fragments as well, in case the size
is corrupted during a DMA reset.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2019-01-11 15:10:14 +01:00
Rob Herring
00257e0cc5 fbdev: offb: Fix OF node name handling
Commit 5c63e407aa ("fbdev: Convert to using %pOFn instead of
device_node.name") changed how the OF FB driver handles the OF node
name. This missed the case where the node name is passed to
offb_init_palette_hacks(). This results in a NULL ptr dereference
in strncmp and breaks any system except ones using bootx with no display
node.

Fix this by making offb_init_palette_hacks() use the OF node pointer and
use of_node_name_prefix() helper function instead for node name
comparisons. This helps in moving all OF node name accesses to helper
functions in preparation to remove struct device_node.name pointer.

Fixes: 5c63e407aa ("fbdev: Convert to using %pOFn instead of device_node.name")
Reported-by: Mathieu Malaterre <malat@debian.org>
Tested-by: Mathieu Malaterre <malat@debian.org>
Cc: stable@vger.kernel.org # v4.19+
Cc: Elimar Riesebieter <riesebie@lxtec.de>
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2019-01-11 14:34:39 +01:00
Vlad Tsyrklevich
a01421e448 omap2fb: Fix stack memory disclosure
Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
cases could all leak uninitialized stack memory--either due to
uninitialized padding or 'reserved' fields.

Fix them by clearing the shared union used to store copied out data.

[1] https://github.com/vlad902/kernel-uninitialized-memory-checker

Signed-off-by: Vlad Tsyrklevich <vlad@tsyrklevich.net>
Reviewed-by: Kees Cook <keescook@chromium.org>
Fixes: b39a982dde ("OMAP: DSS2: omapfb driver")
Cc: security@kernel.org
[b.zolnierkie: prefix patch subject with "omap2fb: "]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
2019-01-11 14:34:38 +01:00
Steve French
48d2ba6257 cifs: update internal module version number
To 2.16

Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:40 -06:00
Pavel Shilovsky
9a66396f18 CIFS: Fix error paths in writeback code
This patch aims to address writeback code problems related to error
paths. In particular it respects EINTR and related error codes and
stores and returns the first error that occurred during writeback.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:40 -06:00
Pavel Shilovsky
ee258d7915 CIFS: Move credit processing to mid callbacks for SMB3
Currently we account for credits in the thread initiating a request
and waiting for a response. The demultiplex thread receives the response,
wakes up the thread and the latter collects credits from the response
buffer and adds them to the server structure on the client. This approach
is not accurate, because it may race with reconnect events in the
demultiplex thread which resets the number of credits.

Fix this by moving credit processing to new mid callbacks that collect
credits granted by the server from the response in the demultiplex thread.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:40 -06:00
Pavel Shilovsky
8a26f0f781 CIFS: Fix credits calculation for cancelled requests
If a request is cancelled, we can't assume that the server returns
1 credit back. Instead we need to wait for a response and process
the number of credits granted by the server.

Create a separate mid callback for cancelled request, parse the number
of credits in a response buffer and add them to the client's credits.
If we didn't get a response (no response buffer available) assume
0 credits granted. The latter most probably happens together with
session reconnect, so the client's credits are adjusted anyway.

Signed-off-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:40 -06:00
Ross Lagerwall
b9a74cde94 cifs: Fix potential OOB access of lock element array
If maxBuf is small but non-zero, it could result in a zero sized lock
element array which we would then try and access OOB.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org>
2019-01-11 07:14:40 -06:00
Ross Lagerwall
92a8109e4d cifs: Limit memory used by lock request calls to a page
The code tries to allocate a contiguous buffer with a size supplied by
the server (maxBuf). This could fail if memory is fragmented since it
results in high order allocations for commonly used server
implementations. It is also wasteful since there are probably
few locks in the usual case. Limit the buffer to be no larger than a
page to avoid memory allocation failures due to fragmentation.

Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:40 -06:00
Aurelien Aptel
15bc77f94e cifs: move large array from stack to heap
This addresses some compile warnings that you can
see depending on configuration settings.

Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
2019-01-11 07:14:39 -06:00