When EVA is in use, __copy_from_user() was unconditionally using the EVA
instructions to read the user address space, however this can also be
used for kernel access. If the address isn't a valid user address it
will cause an address error or TLB exception, and if it is then user
memory may be read instead of kernel memory.
For example in the following stack trace from Linux v3.10 (changes since
then will prevent this particular one still happening) kernel_sendmsg()
set the user address limit to KERNEL_DS, and tcp_sendmsg() goes on to
use __copy_from_user() with a kernel address in KSeg0.
[<8002d434>] __copy_fromuser_common+0x10c/0x254
[<805710e0>] tcp_sendmsg+0x5f4/0xf00
[<804e8e3c>] sock_sendmsg+0x78/0xa0
[<804e8f28>] kernel_sendmsg+0x24/0x38
[<804ee0f8>] sock_no_sendpage+0x70/0x7c
[<8017c820>] pipe_to_sendpage+0x80/0x98
[<8017c6b0>] splice_from_pipe_feed+0xa8/0x198
[<8017cc54>] __splice_from_pipe+0x4c/0x8c
[<8017e844>] splice_from_pipe+0x58/0x78
[<8017e884>] generic_splice_sendpage+0x20/0x2c
[<8017d690>] do_splice_from+0xb4/0x110
[<8017d710>] direct_splice_actor+0x24/0x30
[<8017d394>] splice_direct_to_actor+0xd8/0x208
[<8017d51c>] do_splice_direct+0x58/0x7c
[<8014eaf4>] do_sendfile+0x1dc/0x39c
[<8014f82c>] SyS_sendfile+0x90/0xf8
Add the eva_kernel_access() check in __copy_from_user() like the one in
copy_from_user().
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/10843/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
The busywait in __i915_spin_request() does not respect pending signals
and so may consume the entire timeslice for the task instead of
returning to userspace to handle the signal.
In the worst case this could cause a delay in signal processing of 20ms,
which would be a noticeable jitter in cursor tracking. If a higher
resolution signal was being used, for example to provide fairness of a
server timeslices between clients, we could expect to detect some
unfairness between clients (i.e. some windows not updating as fast as
others). This issue was noticed when inspecting a report of poor
interactivity resulting from excessively high __i915_spin_request usage.
Fixes regression from
commit 2def4ad99b [v4.2]
Author: Chris Wilson <chris@chris-wilson.co.uk>
Date: Tue Apr 7 16:20:41 2015 +0100
drm/i915: Optimistically spin for the request completion
v2: Try to assess the impact of the bug
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: Jens Axboe <axboe@kernel.dk>
Cc; "Rogozhkin, Dmitry V" <dmitry.v.rogozhkin@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Tvrtko Ursulin <tvrtko.ursulin@linux.intel.com>
Cc: Eero Tamminen <eero.t.tamminen@intel.com>
Cc: "Rantala, Valtteri" <valtteri.rantala@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1449833608-22125-2-git-send-email-chris@chris-wilson.co.uk
(cherry picked from commit 91b0c352ac)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
The strlen_user() function calls __strlen_kernel_asm in both branches of
the eva_kernel_access() conditional. For EVA it should be calling
__strlen_user_eva for user accesses, otherwise it will load from the
kernel address space instead of the user address space, and the access
checking will likely be ineffective at preventing it due to EVA's
overlapping user and kernel address spaces.
This was found after extending the test_user_copy module to cover user
string access functions, which gave the following error with EVA:
test_user_copy: illegal strlen_user passed
Fortunately the use of strlen_user() has been all but eradicated from
the mainline kernel, so only out of tree modules could be affected.
Fixes: e3a9b07a9c ("MIPS: asm: uaccess: Add EVA support for str*_user operations")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Markos Chandras <markos.chandras@imgtec.com>
Cc: Paul Burton <paul.burton@imgtec.com>
Cc: Leonid Yegoshin <leonid.yegoshin@imgtec.com>
Cc: linux-mips@linux-mips.org
Cc: <stable@vger.kernel.org> # 3.15.x-
Patchwork: https://patchwork.linux-mips.org/patch/10842/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
If we fail to reconstruct the BIOS fb (e.g., because the FB is too
large), we'll be left with plane state that indicates the primary plane
is visible yet has a NULL fb. This mismatch causes problems later on
(e.g., for the watermark code). Since we've failed to reconstruct the
BIOS FB, the best solution is to just disable the primary plane and
pretend the BIOS never had it enabled.
v2: Add intel_pre_disable_primary() call (Maarten)
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: Ville Syrjälä <ville.syrjala@intel.com>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: drm-intel-fixes@lists.freedesktop.org
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Reviewed-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1449171462-30763-2-git-send-email-matthew.d.roper@intel.com
(cherry picked from commit 200757f5d7)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
As we mark the preallocated objects as bound, we should also flag them
correctly as being map-and-fenceable (if appropriate!) so that later
users do not get confused and try and rebind the pinned vma in order to
get a map-and-fenceable binding.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: "Goel, Akash" <akash.goel@intel.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: drm-intel-fixes@lists.freedesktop.org
Link: http://patchwork.freedesktop.org/patch/msgid/1448029000-10616-1-git-send-email-chris@chris-wilson.co.uk
Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
(cherry picked from commit d0710abbcd)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
The cursor code tries to treat base==0 to mean disabled. That fails
when the cursor bo gets bound at ggtt offset 0, and the user is left
looking at an invisible cursor.
We lose the disabled->disabled optimization, but that seems like
something better handled at a slightly higher level.
Cc: drm-intel-fixes@lists.freedesktop.org
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Jani Nikula <jani.nikula@linux.intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1450091808-32607-3-git-send-email-ville.syrjala@linux.intel.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
(cherry picked from commit 663f3122d0)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Without this patch, internal speaker and line-out work,
but front headphone output jack stays silent on the
Mac Pro 4,1.
This code path also gets executed on the MacPro 5,1 due
to identical codec SSID, but i don't know if it has any
positive or adverse effects there or not.
(v2) Implement feedback from Takashi Iwai: Reuse
alc889_fixup_mbp_vref and just add a new nid
0x19 for the MacPro 4,1.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Eryu Guan reported that loading scsi_debug would fail. This turned out
to be caused by scsi_debug reporting an optimal I/O size of 32KB which
is smaller than the 64KB page size on the PowerPC system in question.
Add a check to ensure that we only use the device-reported OPTIMAL
TRANSFER LENGTH if it is bigger than or equal to the page cache size.
Reported-by: Eryu Guan <guaneryu@gmail.com>
Reported-by: Ming Lei <tom.leiming@gmail.com>
Reviewed-by: Douglas Gilbert <dgilbert@interlog.com>
Reviewed-by: Ewan Milne <emilne@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Daniele Palmas says:
====================
net: usb: cdc_ncm: Adding support for two new Dell devices
This patch series add support in the cdc_ncm driver for two devices
based on the same platform, that are different only for carrier
customization.
V2: Added comment for highlighting FLAG_NOARP usage for those devices
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Unlike DW5550, Dell DW5813 is a mobile broadband card with no ARP
capabilities: the patch makes this device to use wwan_noarp_info struct
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Unlike DW5550, Dell DW5812 is a mobile broadband card with no ARP
capabilities: the patch makes this device to use wwan_noarp_info struct
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
It turns out that some Android versions hardcode the SYSENTER
calling convention. This is buggy and will cause problems no
matter what the kernel does. Nonetheless, we should try to
support it.
Credit goes to Linus for pointing out a clean way to handle
the SYSENTER/SYSCALL clobber differences while preserving
straightforward DWARF annotations.
I believe that the original offending Android commit was:
https://android.googlesource.com/platform%2Fbionic/+/7dc3684d7a2587e43e6d2a8e0e3f39bf759bd535
Reported-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-and-tested-by: Borislav Petkov <bp@alien8.de>
Cc: <mark.gross@intel.com>
Cc: Su Tao <tao.su@intel.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: <frank.wang@intel.com>
Cc: <borun.fu@intel.com>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Mingwei Shi <mingwei.shi@intel.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
On parisc syscalls which are interrupted by signals sometimes failed to
restart and instead returned -ENOSYS which in the worst case lead to
userspace crashes.
A similiar problem existed on MIPS and was fixed by commit e967ef02
("MIPS: Fix restart of indirect syscalls").
On parisc the current syscall restart code assumes that all syscall
callers load the syscall number in the delay slot of the ble
instruction. That's how it is e.g. done in the unistd.h header file:
ble 0x100(%sr2, %r0)
ldi #syscall_nr, %r20
Because of that assumption the current code never restored %r20 before
returning to userspace.
This assumption is at least not true for code which uses the glibc
syscall() function, which instead uses this syntax:
ble 0x100(%sr2, %r0)
copy regX, %r20
where regX depend on how the compiler optimizes the code and register
usage.
This patch fixes this problem by adding code to analyze how the syscall
number is loaded in the delay branch and - if needed - copy the syscall
number to regX prior returning to userspace for the syscall restart.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Blingly ignoring CIE.version != 1 was a bad idea.
It still leaves "desirability" when running perf with callgraphing where libgcc
symbols might show in hotspot.
More importantly, basic CIE.version == 3 support already exists in code:
|
| retAddrReg = state.version <= 1 ? *ptr++ : get_uleb128(&ptr, end);
|
Next commit with simply add continue-not-bail for CIE.version != 1
This reverts commit 323f41f9e7.
At -Os, ARC gcc generates millicode thunk for function prologue/epilogue,
which are served by libgcc.
Modules historically are NOT linked with libgcc to avoid code bloat, reducing
runtime relocation fixups etc. I even once tried doing that but got lost
in makefile intricacies.
This means modules at -Os don't get the millicode thunks, causing build
failures below:
| MODPOST 5 modules
| ERROR: "__ld_r13_to_r18" [crypto/sha256_generic.ko] undefined!
| ERROR: "__ld_r13_to_r18_ret" [crypto/sha256_generic.ko] undefined!
| ERROR: "__st_r13_to_r18" [crypto/sha256_generic.ko] undefined!
| ERROR: "__ld_r13_to_r17_ret" [crypto/sha256_generic.ko] undefined!
| ERROR: "__st_r13_to_r17" [crypto/sha256_generic.ko] undefined!
| ERROR: "__ld_r13_to_r16_ret" [crypto/sha256_generic.ko] undefined!
| ERROR: "__st_r13_to_r16" [crypto/sha256_generic.ko] undefined!
|....
|....
Workaround that by inhibiting millicode thunks for loadable modules
Fixes STAR 9000641864:
("Linux built with optimizations for size emits errors for modules")
Reported-by: Anton Kolesov <akolesov@synosys.com>
Cc: Michal Marek <mmarek@suse.cz>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
ARC700 cores with MMU v2 don't have IC_PTAG AUX register and so we only
define ARC_REG_IC_PTAG for MMU versions >= 3.
But current implementation of cache_line_loop_vX() routines assumes
availability of all of them (v2, v3 and v4) simultaneously.
And given undefined ARC_REG_IC_PTAG if CONFIG_MMU_VER=2 we're seeing
compilation problem:
---------------------------------->8-------------------------------
CC arch/arc/mm/cache.o
arch/arc/mm/cache.c: In function '__cache_line_loop_v3':
arch/arc/mm/cache.c:270:13: error: 'ARC_REG_IC_PTAG' undeclared (first use in this function)
aux_tag = ARC_REG_IC_PTAG;
^
arch/arc/mm/cache.c:270:13: note: each undeclared identifier is reported only once for each function it appears in
scripts/Makefile.build:258: recipe for target 'arch/arc/mm/cache.o' failed
---------------------------------->8-------------------------------
The simples fix is to have ARC_REG_IC_PTAG defined regardless MMU
version being used.
We don't use it in cache_line_loop_v2() anyways so who cares.
Signed-off-by: Alexey Brodkin <abrodkin@synopsys.com>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
| WARNING: vmlinux.o(.text+0xd6c2): Section mismatch in reference from the function alloc_kmap_pgtable() to the function
| .init.text:__alloc_bootmem_low()
The function alloc_kmap_pgtable() references the function __init __alloc_bootmem_low().
This is often because alloc_kmap_pgtable lacks a __init annotation or the annotation of __alloc_bootmem_low is wrong.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
The processor cooling device is no longer present for passive thermal
control.
Commit 239708a3af ("ACPI: Split out ACPI PSS from ACPI Processor driver")
moved the processing to a new function acpi_pss_perf_init(), but
missed "return 0" after successful creation. This causes the error
handling functions to be called, which will delete the previously
created processor cooling device.
Fixes: 239708a3af (ACPI: Split out ACPI PSS from ACPI Processor driver)
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Cc: 4.3+ <stable@vger.kernel.org> # 4.3+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
md currently doesn't allow a 'sync_action' such as 'reshape' to be set
while MD_RECOVERY_NEEDED is set.
This s a problem, particularly since commit 738a273806 as that can
cause ->check_shape to call mddev_resume() which sets
MD_RECOVERY_NEEDED. So by the time we come to start 'reshape' it is
very likely that MD_RECOVERY_NEEDED is still set.
Testing for this flag is not really needed and is in any case very
racy as it can be set at any moment - asynchronously. Any race
between setting a sync_action and setting MD_RECOVERY_NEEDED must
already be handled properly in some locked code, probably
md_check_recovery(), so remove the test here.
The test on MD_RECOVERY_RUNNING is also racy in the 'reshape' case
so we should test it again after getting mddev_lock().
As this fixes a race and a regression which can cause 'reshape' to
fail, it is suitable for -stable kernels since 4.1
Reported-by: Xiao Ni <xni@redhat.com>
Fixes: 738a273806 ("md/raid5: fix allocation of 'scribble' array.")
Cc: stable@vger.kernel.org (v4.1+)
Signed-off-by: NeilBrown <neilb@suse.com>
A fix for a nasty hardware bug in rk808 and a initialization reordering in
da9063 to fix a possible crash.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABCAAGBQJWdqZXAAoJEKbNnwlvZCyzbAcQAIC7LKRmsaMJW3a4vswqQTXr
2wUknLbrQaWYd/bJXENTZj8rLDmyjlgYJWJOPtrYkmbgd0jfhel5VIvPYgbvqMLe
7Ta+4bhGZcSDbzi5FXvgJkt42qxSBQQenl+SUbb9rjCmPbVEexHyyhd7VRSR7jMm
8PlntP30ZoyHh7QB/JQfGwq0VS3TGgwJCZ5zro+zrlq71U0m0162fJ37+xuQ2dQR
kL7XkRjDZQ/7KGgtqc37WzuP0k2PjtEDYiDxqpITqT/oPdY+JS2TiIitJyTyxIQS
Q88DF6N0tONBddSAehc8zlCo43wAWdsV7OOCjHvyzJnqHD979Grk3qkESF6KEEIK
kfLeCFLPKfh+NZWYH/k7000EMgFNt3Z/xBAECEoSev37+33+G9+SRzCXOQCd5C2k
Azkw04KymHUQr4JS74pcjvFvSn1sNE3woYKfMEoZGdsSofRRLkCmKl5h0w6qPDZI
3oKiDu7QyHI1HdXLZe814PhkneLIok0/P+NOkf89MJtlCZDlT6w6dNG+mfJP3Du9
ra2flC5R+S8EK23YLj1mFDkLpilpUWXOnMGznRdgPbkTMgHusiwvfcrUIcXzat3I
rUEGV73qIX3HaP3lYkuAyJ5tp3cX69pqPR9tWwqZggQt+r/IxJ2jBuE8PDY1cn3K
pa0kYQ4ojSZvmLHC+pBP
=xXh7
-----END PGP SIGNATURE-----
Merge tag 'rtc-4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux
Pull RTC fixes from Alexandre Belloni:
"Late fixes for the RTC subsystem for 4.4:
A fix for a nasty hardware bug in rk808 and an initialization
reordering in da9063 to fix a possible crash"
* tag 'rtc-4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/abelloni/linux:
rtc: da9063: fix access ordering error during RTC interrupt at system power on
rtc: rk808: Compensate for Rockchip calendar deviation on November 31st
This fix alters the ordering of the IRQ and device registrations in the RTC
driver probe function. This change will apply to the RTC driver that supports
both DA9063 and DA9062 PMICs.
A problem could occur with the existing RTC driver if:
A system is started from a cold boot using the PMIC RTC IRQ to initiate a
power on operation. For instance, if an RTC alarm is used to start a
platform from power off.
The existing driver IRQ is requested before the device has been properly
registered.
i.e.
ret = devm_request_threaded_irq()
comes before
rtc->rtc_dev = devm_rtc_device_register();
In this case, the interrupt can be called before the device has been
registered and the handler can be called immediately. The IRQ handler
da9063_alarm_event() contains the function call
rtc_update_irq(rtc->rtc_dev, 1, RTC_IRQF | RTC_AF);
which in turn tries to access the unavailable rtc->rtc_dev.
The fix is to reorder the functions inside the RTC probe. The IRQ is
requested after the RTC device resource has been registered so that
get_irq_byname is the last thing to happen.
Signed-off-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
In A.D. 1582 Pope Gregory XIII found that the existing Julian calendar
insufficiently represented reality, and changed the rules about
calculating leap years to account for this. Similarly, in A.D. 2013
Rockchip hardware engineers found that the new Gregorian calendar still
contained flaws, and that the month of November should be counted up to
31 days instead. Unfortunately it takes a long time for calendar changes
to gain widespread adoption, and just like more than 300 years went by
before the last Protestant nation implemented Greg's proposal, we will
have to wait a while until all religions and operating system kernels
acknowledge the inherent advantages of the Rockchip system. Until then
we need to translate dates read from (and written to) Rockchip hardware
back to the Gregorian format.
This patch works by defining Jan 1st, 2016 as the arbitrary anchor date
on which Rockchip and Gregorian calendars are in sync. From that we can
translate arbitrary later dates back and forth by counting the number
of November/December transitons since the anchor date to determine the
offset between the calendars. We choose this method (rather than trying
to regularly "correct" the date stored in hardware) since it's the only
way to ensure perfect time-keeping even if the system may be shut down
for an unknown number of years. The drawback is that other software
reading the same hardware (e.g. mainboard firmware) must use the same
translation convention (including the same anchor date) to be able to
read and write correct timestamps from/to the RTC.
Signed-off-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Here are some tty/serial driver fixes for 4.4-rc6 that resolve some
reported problems. All of these have been in linux-next. The details
are in the shortlog.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEABECAAYFAlZ19rAACgkQMUfUDdst+ykBQQCeKSU7YZFKPTEFbGKS2UfFgMJd
EokAoIJp4lXqhLHKtI7TNwVFlMQAaDYj
=2I3R
-----END PGP SIGNATURE-----
Merge tag 'tty-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some tty/serial driver fixes for 4.4-rc6 that resolve some
reported problems. All of these have been in linux-next. The details
are in the shortlog"
* tag 'tty-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: Fix GPF in flush_to_ldisc()
serial: earlycon: Add missing spinlock initialization
serial: sh-sci: Fix length of scatterlist
n_tty: Fix poll() after buffer-limited eof push read
serial: 8250_uniphier: fix dl_read and dl_write functions
Here are some USB and PHY fixes for 4.4-rc6. All of them resolve some
reported problems. Full details in the shortlog.
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iEYEABECAAYFAlZ1+CoACgkQMUfUDdst+yksSQCg1MuW8nVyz7eUHcZnd/r4dSPa
fy8An0J0aKi8IhUMSIAIFcoM4/40ulCE
=ycut
-----END PGP SIGNATURE-----
Merge tag 'usb-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some USB and PHY fixes for 4.4-rc6. All of them resolve some
reported problems. Full details in the shortlog"
* tag 'usb-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
USB: fix invalid memory access in hub_activate()
USB: ipaq.c: fix a timeout loop
phy: core: Get a refcount to phy in devm_of_phy_get_by_index()
phy: cygnus: pcie: add missing of_node_put
phy: miphy365x: add missing of_node_put
phy: miphy28lp: add missing of_node_put
phy: rockchip-usb: add missing of_node_put
phy: berlin-sata: add missing of_node_put
phy: mt65xx-usb3: add missing of_node_put
phy: brcmstb-sata: add missing of_node_put
phy: sun9i-usb: add USB dependency
- 2 recently introduced regressions fixed.
- one older bug in RAID10 - tagged for -stable since 4.2
- one minor sysfs api improvement.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWddZIAAoJEDnsnt1WYoG5L/AQAMBmdj4kQiqVq/y4q26+V79d
W4AVgmGJLRuya1Xy1yN58TIrG7TLWRciH7q/P21g9AIFEso3wU42PNwvDjYG4xRN
XzovJA91xmRkz2RSxaDs45kxpaOCB2ED+VgdMn4+VLAl23I0oI/gdGxJfs/OBuWI
OoG09gNCJXhuZETFRqtlH9BZb+QAfYWdJOKbHXvrXDJlevWmz1Oav+QO+V3rAWRu
nnupsrlLL9GxvS51oSV7PmRcFFNa03AHDNelUPxdlPrQosi5CgH27SVlxygJtFBP
djyq4NKFXAD0sTsqeleJ9Ib7D0HZ/P84GC68NNILEDbjdu8kMGWeC8FZ4rXuxRCf
VARBF+H/647uxfjZfKUwqTZsYYPPANkr6gK8jKgiuo0gc8V1lgF53OsokeWkCPZN
nvDpS9MYrhKB8m7VO3KL1cIgu9fee2vnJLjf8wsNh2N9SDkBCz+7vENjbfbAyKAz
V2H97Mgw1UQSnOcsvfVv0r4TmMFUcCslujFyjQu7A83NTWZ/ICGkRVUKP7tK8pc6
fQ6MG1vIdPzhVduOrTjlTr9eT/4Sk1ofl1LOFC7gnN6vHhubzOfcuwrDWgnqVGiE
0BY0NVsa7f6tzjA6h9pDjnFjdF6uM4QGEgfnLBmRJ8ehwvXBwH6CJUbIBhDWHhj1
rrm2LYiEuA1nWfWEpD8x
=nHNn
-----END PGP SIGNATURE-----
Merge tag 'md/4.4-rc5-fixes' of git://neil.brown.name/md
Pull md fixes from Neil Brown:
"Four fixes for md:
- two recently introduced regressions fixed.
- one older bug in RAID10 - tagged for -stable since 4.2
- one minor sysfs api improvement"
* tag 'md/4.4-rc5-fixes' of git://neil.brown.name/md:
Fix remove_and_add_spares removes drive added as spare in slot_store
md: fix bug due to nested suspend
MD: change journal disk role to disk 0
md/raid10: fix data corruption and crash during resync
- Partial revert of "powerpc: Individual System V IPC system calls"
- pr_warn_once on unsupported OPAL_MSG type from Stewart
- Fix deadlock in opal-irqchip introduced by "Fix double endian conversion" from Alistair
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWdTe9AAoJEFHr6jzI4aWANO4QAJwqS2Zhga0v/JSqMUpKgrlM
aFMLp6nM25wHkFmRBbIgJbkQAqG+2Sl43OARuJ4y4b3J9fqjKBXxzymgPQ+Y1OlR
xd+psLmfRf5r/cge45UgILhxE5LFckVIVg/uYkeI5zfRq9TqYes1Ys+7nGpV7IdB
zWXseulscE/KcEbDHlBexN9/FujONZk6DU6m17TzJbkiptn+7CA0AahbWsK9t05g
jXCppDPvGYvYGYQ4Y0G8Qnp3jELDlmPhwYWGLw7gruGTHSfbMQxhFokembk/HDcx
tSetmTBzGt384h7dVJD6HF89VuwgqECBIL8hl0cajFkjkzgdIieDuEGWM1yov4+R
7Tv05aO/5xYUy5vTk5qkMfywH+TQOwVjr3p3KZgGdj8ddYu7Sk4rRwKK/4cN1M7W
/RrRzeSOJ2RkTedzu1/sd0h49r2o7tUtgC0rKosDBkibCk135yNa3pe7FKHyR8NW
a/B57u6+wFvf374TUVMavcSeRvIa4cQ3YuMPcM8ykrEUJWB+QVEXPNiTNG5rux4Z
4+VX9n0/LhsEu+dGMrdWkpEUSCXi4p6AQHKpTDocWSfEiGNU77b1vF7va06T34fN
nbp6O0dXFnTgX6IJ8jEQzc8bELElFNw0gfgH6vHpgh6dkFEyL/ew0mJqQJ17bJLF
HUxdt4/OgNVj5htfeKDI
=58wA
-----END PGP SIGNATURE-----
Merge tag 'powerpc-4.4-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc fixes from Michael Ellerman:
- Partial revert of "powerpc: Individual System V IPC system calls"
- pr_warn_once on unsupported OPAL_MSG type from Stewart
- Fix deadlock in opal-irqchip introduced by "Fix double endian
conversion" from Alistair
* tag 'powerpc-4.4-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/opal-irqchip: Fix deadlock introduced by "Fix double endian conversion"
powerpc/powernv: pr_warn_once on unsupported OPAL_MSG type
Partial revert of "powerpc: Individual System V IPC system calls"
just one regression fix.
* 'exynos-drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
drm/exynos: atomic check only enabled crtc states
Adding the rtc platform device in non-privileged Xen PV guests causes
an IRQ conflict because these guests do not have legacy PIC and may
allocate irqs in the legacy range.
In a single VCPU Xen PV guest we should have:
/proc/interrupts:
CPU0
0: 4934 xen-percpu-virq timer0
1: 0 xen-percpu-ipi spinlock0
2: 0 xen-percpu-ipi resched0
3: 0 xen-percpu-ipi callfunc0
4: 0 xen-percpu-virq debug0
5: 0 xen-percpu-ipi callfuncsingle0
6: 0 xen-percpu-ipi irqwork0
7: 321 xen-dyn-event xenbus
8: 90 xen-dyn-event hvc_console
...
But hvc_console cannot get its interrupt because it is already in use
by rtc0 and the console does not work.
genirq: Flags mismatch irq 8. 00000000 (hvc_console) vs. 00000000 (rtc0)
We can avoid this problem by realizing that unprivileged PV guests (both
Xen and lguests) are not supposed to have rtc_cmos device and so
adding it is not necessary.
Privileged guests (i.e. Xen's dom0) do use it but they should not have
irq conflicts since they allocate irqs above legacy range (above
gsi_top, in fact).
Instead of explicitly testing whether the guest is privileged we can
extend pv_info structure to include information about guest's RTC
support.
Reported-and-tested-by: Sander Eikelenboom <linux@eikelenboom.it>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Cc: vkuznets@redhat.com
Cc: xen-devel@lists.xenproject.org
Cc: konrad.wilk@oracle.com
Cc: stable@vger.kernel.org # 4.2+
Link: http://lkml.kernel.org/r/1449842873-2613-1-git-send-email-boris.ostrovsky@oracle.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
A couple of reference counting bugs here, one in spidev and one with
holding an extra reference in the core that we never freed if we removed
a device, plus a driver specific fix. Both of the refcounting bugs are
very old but they've only been found by observation so hopefully their
impact has been low.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJWdUKcAAoJECTWi3JdVIfQO1EH/3aQKNFu1Z5cEaKiBtQ0aZZD
1E/w+OPqmKdaFDlXvwXO+W4UY5m0w0Kg5FPg4wMgpjDJQTiELtLJ3c4BiKp1Du8p
8RHnpqrYtggCZOK2r6iJNonIdIDDIDZMxxu1KHaKl+Wsqh9/1xUsQg7X9xi5Iaiv
fVd+QlhmCfC42lU92urBboPmON31XxaITTM8qNhGvQO77L4FdZHiVMP/bmyephV7
Mr4G7MFZHDZljGqEUhAlamhEiBxmCtQAm0eDhWmbYwN6S3U8L5VSqrkBDbNR08C+
4qnek2PS2/HlkQwMTpgGZpLrLyk04oWgsFMVZQ2275vR9qZlQTgnlEu50roBBD0=
=DMO9
-----END PGP SIGNATURE-----
Merge tag 'spi-fix-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi fixes from Mark Brown:
"A couple of reference counting bugs here, one in spidev and one with
holding an extra reference in the core that we never freed if we
removed a device, plus a driver specific fix. Both of the refcounting
bugs are very old but they've only been found by observation so
hopefully their impact has been low"
* tag 'spi-fix-v4.4-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: fix parent-device reference leak
spi: spidev: Hold spi_lock over all defererences of spi in release()
spi-fsl-dspi: Fix CTAR Register access
- Revert the error number propagation from the .get() vtable
entry temporarily, until we make the proper fixes to all drivers.
- Fix the clamping behaviour in the generic GPIO driver.
- Driver fix for the ath79 driver
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJWdUHfAAoJEEEQszewGV1zN3IP/1t/w6sOIugibcyLTq5EpL1X
0fndqaqoRunZdFpeauTujq4hXXhRDtZdqzcSNWMg5Xelq0ROHIRLeEcX1GEQlROM
t9IfNmsxbso0N02ii4NC5F+jaKitnqeV+ZSzGekQjvTxvF3zJ0EaL/I0dNoImXEl
K6gX36R31DEoxSabRXJrwfUfJFEfDjtriP4m8GTxt/Nd51QcE1WRpDusXK8smuga
UaiZsnb0VzuM4QzZ1BvSFafBk6UpYU0245H1pYlPPcQRIkabZTuBQsEWrcLHAtDX
AjuSqBy/PNYXGEzOVVnv2LETYAhC9KR+t2xXpT9QOXIiAD1XSk1n+UV0doJY22ZW
x02ZTZiurllby/uuTOH7s3ZZ/NNmwoZK16d4F65qrU74fRvuc/9NeODKiizHXn3a
+Z9s1dmRedHe8Q2eN/GLUCOHWZBHGj8kJVEgh1Oi1kaFVnP3GXBAeEEEnmZyrRJR
BRKCQa8LWpXusJPhMsIrPK1M4FyAMFG1EFdq10cvag7UOamIpbK6q3/CIsSD8e1N
FYcBGAOBMhdtyjAd3DXJXUsDqQ8aRL/LZ8hH1epsATiIvrkzHC10/erxSzA2cWtB
URe+oatMGXgS8fQCaqyXZiA7gzxUNePXV3QBPvwWEo/OysnO49280owndACYnCMT
de1R0SvltXC9GzXYVT5t
=bPar
-----END PGP SIGNATURE-----
Merge tag 'gpio-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
"Some GPIO fixes for the v4.4 series. Most prominent: I revert the
error propagation from the .get() function until we can fix up all the
drivers properly for v4.5.
- Revert the error number propagation from the .get() vtable entry
temporarily, until we make the proper fixes to all drivers.
- Fix the clamping behaviour in the generic GPIO driver.
- Driver fix for the ath79 driver"
* tag 'gpio-v4.4-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: revert get() to non-errorprogating behaviour
gpio: generic: clamp values from bgpio_get_set()
gpio: ath79: Fix the logic to clear offset bit of AR71XX_GPIO_REG_OE register
refill_rx() and start_tx() do not check if mapping dma memory succeed.
The patch adds the checks and failure handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull i2c fixes from Wolfram Sang:
"A set of 'usual' driver bugfixes for the I2C subsystem"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: rcar: disable runtime PM correctly in slave mode
i2c: designware: Keep pm_runtime_enable/_disable calls in sync
i2c: designware: fix IO timeout issue for AMD controller
i2c: imx: init bus recovery info before adding i2c adapter
i2c: do not use 0x in front of %pa
i2c: davinci: Increase module clock frequency
i2c: mv64xxx: The n clockdiv factor is 0 based on sunxi SoCs
i2c: rk3x: populate correct variable for sda_falling_time
Since atomic check is called also for disabled crtcs it should skip
mode checking as it can be uninitialized. The patch fixes it.
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Tested-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
When we also are I2C slave, we need to disable runtime PM because the
address detection mechanism needs to be active all the time. However, we
can reenable runtime PM once the slave instance was unregistered. So,
use pm_runtime_get_sync/put to achieve this, since it has proper
refcounting. pm_runtime_allow/forbid is like a global knob controllable
from userspace which is unsuitable here.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
After 32-bit syscall rewrite, and specifically after commit:
5f310f739b ("x86/entry/32: Re-implement SYSENTER using the new C path")
... the stack frame that is passed to xen_sysexit is no longer a
"standard" one (i.e. it's not pt_regs).
Since we end up calling xen_iret from xen_sysexit we don't need
to fix up the stack and instead follow entry_SYSENTER_32's IRET
path directly to xen_iret.
We can do the same thing for compat mode even though stack does
not need to be fixed. This will allow us to drop usergs_sysret32
paravirt op (in the subsequent patch)
Suggested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Reviewed-by: Borislav Petkov <bp@suse.de>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: david.vrabel@citrix.com
Cc: konrad.wilk@oracle.com
Cc: virtualization@lists.linux-foundation.org
Cc: xen-devel@lists.xenproject.org
Link: http://lkml.kernel.org/r/1447970147-1733-2-git-send-email-boris.ostrovsky@oracle.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Intel's MCA implementation broadcasts MCEs to all CPUs on the
node. This poses a problem for offlined CPUs which cannot
participate in the rendezvous process:
Kernel panic - not syncing: Timeout: Not all CPUs entered broadcast exception handler
Kernel Offset: disabled
Rebooting in 100 seconds..
More specifically, Linux does a soft offline of a CPU when
writing a 0 to /sys/devices/system/cpu/cpuX/online, which
doesn't prevent the #MC exception from being broadcasted to that
CPU.
Ensure that offline CPUs don't participate in the MCE rendezvous
and clear the RIP valid status bit so that a second MCE won't
cause a shutdown.
Without the patch, mce_start() will increment mce_callin and
wait for all CPUs. Offlined CPUs should avoid participating in
the rendezvous process altogether.
Signed-off-by: Ashok Raj <ashok.raj@intel.com>
[ Massage commit message. ]
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Tony Luck <tony.luck@intel.com>
Cc: <stable@vger.kernel.org>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-edac <linux-edac@vger.kernel.org>
Link: http://lkml.kernel.org/r/1449742346-21470-2-git-send-email-bp@alien8.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
- Fix a potential regression in the generic power domains
framework introduced during the 4.3 development cycle that
may lead to spurious failures of system suspend in certain
situations (Ulf Hansson).
- Fix a problem in the power capping RAPL (Running Average
Power Limits) driver that causes it to initialize successfully
on some systems where it is not supposed to do that which is
due to an incorrect check in an initialization routine (Prarit
Bhargava).
- Fix a build problem in the cpufreq Tegra driver that depends
on the regulator framework, but that dependency is not reflected
in Kconfig (Arnd Bergmann).
- Fix a recent mistake in the intel_pstate driver where a numeric
constant is used directly instead of a symbol defined specifically
for the case in question (Prarit Bhargava).
/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQIcBAABCAAGBQJWdNhOAAoJEILEb/54YlRxFBUP/0KwbDo7BLdIjUjyi7y3IG39
oxcb4volIE69Z7e332Mm6y+hG/CXcfOwTde16+WIYOZfmmHfP1c6bamOoJOwcFI8
RAU9UmMtsXJaEjtiYx6+J97hLh3pmORZdXPnJqLPICIq0/kG356nqoPDEoTDaXGp
JRbt4h6mcTFX/rErI1hpk4/QXQMOSKSQUbz4bzTfozgn4y1j0DJhr+TBOoCZJdjE
r9h6Uk4y1E4f9kHy/25wgKlEB3LPqBm5IcFF1lxzndYIyGQJV829FYo+CuVoLMpj
tlM1yFhdqSZ9ejCPkAac75i92trWaxADuO9WT/RNhSGEyvpzh43IvGZKbJzKoXIf
svHkMwCCOcI4x6f6ZXpINSAmk8Vl+QzlBy35f8U9F5JX1ZPN21MsQRX1+QfzKFO/
TnsGW/GXPIH0cooucBqMS+NieN61R3AKYWsc4Tka7aXWGpdzvr/hvwaEoItxtTti
WXNn21PxOrQxcSjb46Mwikeniyhw2sLveZJRW2jCgwkYSLOOB3+gz+yu+q2yYlXh
rzr+ObihVMq0DUte2JfFSUYL2hJDIkwTIa/Rqmq2PJShDBDUmw38RIXZ2EcnxdiA
g32cboGtS5QvsSQzM2tr9fbioxl7n0zva0p64fSUq97fuX0em7y4kMR4m3y7WOE4
Nlpb0/dyECRpCvFBuuin
=da89
-----END PGP SIGNATURE-----
Merge tag 'pm+acpi-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix a potential regression introduced during the 4.3 cycle
(generic power domains framework), a nasty bug that has been present
forever (power capping RAPL driver), a build issue (Tegra cpufreq
driver) and a minor ugliness introduced recently (intel_pstate).
Specifics:
- Fix a potential regression in the generic power domains framework
introduced during the 4.3 development cycle that may lead to
spurious failures of system suspend in certain situations (Ulf
Hansson).
- Fix a problem in the power capping RAPL (Running Average Power
Limits) driver that causes it to initialize successfully on some
systems where it is not supposed to do that which is due to an
incorrect check in an initialization routine (Prarit Bhargava).
- Fix a build problem in the cpufreq Tegra driver that depends on the
regulator framework, but that dependency is not reflected in
Kconfig (Arnd Bergmann).
- Fix a recent mistake in the intel_pstate driver where a numeric
constant is used directly instead of a symbol defined specifically
for the case in question (Prarit Bhargava)"
* tag 'pm+acpi-4.4-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
powercap / RAPL: fix BIOS lock check
cpufreq: intel_pstate: Minor cleanup for FRAC_BITS
cpufreq: tegra: add regulator dependency for T124
PM / Domains: Allow runtime PM callbacks to be re-used during system PM
The commit c6ff526829 ("rhashtable:
Fix walker list corruption") causes a suspicious RCU usage warning
because we no longer hold ht->mutex when we dereference ht->tbl.
However, this is a false positive because we now hold ht->lock
which also guarantees that ht->tbl won't disppear from under us.
This patch kills the warning by using rcu_dereference_protected.
Reported-by: kernel test robot <ying.huang@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Three fixes this time, two in SES picked up by KASAN for various types of
buffer overrun. The first is a USB array which returns page 8 whatever is
asked for and causes us to overrun with incorrect data format assumptions and
the second is an invalid iteration of page 10 (the additional information
page). The final one is a reversion of a NULL deref fix which caused
suspend/resume not to be called in pairs leading to incorrect device operation
(Jens has queued a more proper fix for the problem in block).
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAABAgAGBQJWdLxTAAoJEDeqqVYsXL0MwOYH+wYb27NxfyA7+q7z/dFz+LhQ
B9RlUfnEw57vVz7KEwleqJ9uA2jprCQndMqRoelmWtxeu5CVUBbq/1ONDWvPX2ha
Prr3wVp+SbqbtzmvGQrQ8If7o4iS47fXtwUe5RRDBdfKMUfXs7LeVBgQrpZsqlkE
va6LNKVqzYW4sneC+CfWcwwyedLGeaphNBYygKtCm7SfEkbnfH5+zhWH9JWwtYXf
r8VCCUnmF69ocx4a7MZLnSAJuXfzaJl45c0nhRiHTiokW7KYuylJm0Zd1PYkhwhV
rQr53otJsdPTyZUjmeCdS6PBlGp/HVdYIOyKt5b4Ti2S71ij9R52YPY6BdtIWeQ=
=6New
-----END PGP SIGNATURE-----
Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Three fixes this time, two in SES picked up by KASAN for various types
of buffer overrun. The first is a USB array which returns page 8
whatever is asked for and causes us to overrun with incorrect data
format assumptions and the second is an invalid iteration of page 10
(the additional information page).
The final fix is a reversion of a NULL deref fix which caused
suspend/resume not to be called in pairs leading to incorrect device
operation (Jens has queued a more proper fix for the problem in
block)"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
ses: fix additional element traversal bug
Revert "SCSI: Fix NULL pointer dereference in runtime PM"
ses: Fix problems with simple enclosures
Just one important fix for amdgpu to avoid possible memory corruption.
* 'drm-fixes-4.4' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu: fix user fence handling
This fixes CVE-2015-7550.
There's a race between keyctl_read() and keyctl_revoke(). If the revoke
happens between keyctl_read() checking the validity of a key and the key's
semaphore being taken, then the key type read method will see a revoked key.
This causes a problem for the user-defined key type because it assumes in
its read method that there will always be a payload in a non-revoked key
and doesn't check for a NULL pointer.
Fix this by making keyctl_read() check the validity of a key after taking
semaphore instead of before.
I think the bug was introduced with the original keyrings code.
This was discovered by a multithreaded test program generated by syzkaller
(http://github.com/google/syzkaller). Here's a cleaned up version:
#include <sys/types.h>
#include <keyutils.h>
#include <pthread.h>
void *thr0(void *arg)
{
key_serial_t key = (unsigned long)arg;
keyctl_revoke(key);
return 0;
}
void *thr1(void *arg)
{
key_serial_t key = (unsigned long)arg;
char buffer[16];
keyctl_read(key, buffer, 16);
return 0;
}
int main()
{
key_serial_t key = add_key("user", "%", "foo", 3, KEY_SPEC_USER_KEYRING);
pthread_t th[5];
pthread_create(&th[0], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[1], 0, thr1, (void *)(unsigned long)key);
pthread_create(&th[2], 0, thr0, (void *)(unsigned long)key);
pthread_create(&th[3], 0, thr1, (void *)(unsigned long)key);
pthread_join(th[0], 0);
pthread_join(th[1], 0);
pthread_join(th[2], 0);
pthread_join(th[3], 0);
return 0;
}
Build as:
cc -o keyctl-race keyctl-race.c -lkeyutils -lpthread
Run as:
while keyctl-race; do :; done
as it may need several iterations to crash the kernel. The crash can be
summarised as:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: [<ffffffff81279b08>] user_read+0x56/0xa3
...
Call Trace:
[<ffffffff81276aa9>] keyctl_read_key+0xb6/0xd7
[<ffffffff81277815>] SyS_keyctl+0x83/0xe0
[<ffffffff815dbb97>] entry_SYSCALL_64_fastpath+0x12/0x6f
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: James Morris <james.l.morris@oracle.com>
Looks like we're missing the wakeirq for the console uart for
duovero parlor. Let's add that as without it console acess just
hangs with PM enabled.
Cc: Arun Bharadwaj <arun@gumstix.com>
Cc: Ash Charles <ash@gumstix.com>
Cc: Florian Vaussard <florian.vaussard@epfl.ch>
Signed-off-by: Tony Lindgren <tony@atomide.com>
When sending "SLEEP" command to the controller it ceases scanning
completely and is unable to wake the system up from sleep, so if it is
configured as a wakeup source we should simply configure interrupt for
wakeup and rely on idle logic within the controller to reduce power
consumption while it is not used.
Signed-off-by: James Chen <james.chen@emc.com.tw>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>