Commit Graph

455918 Commits

Author SHA1 Message Date
Linus Torvalds
c163b524d2 Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
 "Exynos, i915 and msm fixes and one core fix.

  exynos:
     hdmi power off and mixer issues

  msm:
     iommu, build fixes,

  i915:
     regression races and warning fixes"

* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (22 commits)
  drm/i915: vlv_prepare_pll is only needed in case of non DSI interfaces
  drm: fix NULL pointer access by wrong ioctl
  drm/exynos: enable vsync interrupt while waiting for vblank
  drm/exynos: soft reset mixer before reconfigure after power-on
  drm/exynos: allow multiple layer updates per vsync for mixer
  drm/i915: Hold the table lock whilst walking the file's idr and counting the objects in debugfs
  drm/i915: BDW: Adding Reserved PCI IDs.
  drm/i915: Only mark the ctx as initialised after a SET_CONTEXT operation
  drm/exynos: stop mixer before gating clocks during poweroff
  drm/exynos: set power state variable after enabling clocks and power
  drm/exynos: disable unused windows on apply
  drm/exynos: Fix de-registration ordering
  drm/exynos: change zero to NULL for sparse
  drm/exynos: dpi: Fix NULL pointer dereference with legacy bindings
  drm/exynos: hdmi: fix power order issue
  drm/i915: default to having backlight if VBT not available
  drm/i915: cache hw power well enabled state
  drm/msm: fix IOMMU cleanup for -EPROBE_DEFER
  drm/msm: use PAGE_ALIGNED instead of IS_ALIGNED(PAGE_SIZE)
  drm/msm/hdmi: set hdp clock rate before prepare_enable
  ...
2014-06-27 17:05:39 -07:00
J. Bruce Fields
76f47128f9 nfsd: fix rare symlink decoding bug
An NFS operation that creates a new symlink includes the symlink data,
which is xdr-encoded as a length followed by the data plus 0 to 3 bytes
of zero-padding as required to reach a 4-byte boundary.

The vfs, on the other hand, wants null-terminated data.

The simple way to handle this would be by copying the data into a newly
allocated buffer with space for the final null.

The current nfsd_symlink code tries to be more clever by skipping that
step in the (likely) case where the byte following the string is already
0.

But that assumes that the byte following the string is ours to look at.
In fact, it might be the first byte of a page that we can't read, or of
some object that another task might modify.

Worse, the NFSv4 code tries to fix the problem by actually writing to
that byte.

In the NFSv2/v3 cases this actually appears to be safe:

	- nfs3svc_decode_symlinkargs explicitly null-terminates the data
	  (after first checking its length and copying it to a new
	  page).
	- NFSv2 limits symlinks to 1k.  The buffer holding the rpc
	  request is always at least a page, and the link data (and
	  previous fields) have maximum lengths that prevent the request
	  from reaching the end of a page.

In the NFSv4 case the CREATE op is potentially just one part of a long
compound so can end up on the end of a page if you're unlucky.

The minimal fix here is to copy and null-terminate in the NFSv4 case.
The nfsd_symlink() interface here seems too fragile, though.  It should
really either do the copy itself every time or just require a
null-terminated string.

Reported-by: Jeff Layton <jlayton@primarydata.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2014-06-27 16:10:46 -04:00
Michael S. Tsirkin
ac5ccdba3a iovec: move memcpy_from/toiovecend to lib/iovec.c
ERROR: "memcpy_fromiovecend" [drivers/vhost/vhost_scsi.ko] undefined!

commit 9f977ef7b6
    vhost-scsi: Include prot_bytes into expected data transfer length
in target-pending makes drivers/vhost/scsi.c call memcpy_fromiovecend().
This function is not available when CONFIG_NET is not enabled.

socket.h already includes uio.h, so no callers need updating.

Reported-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27 11:47:58 -07:00
Nicholas Bellinger
97c99b47ac iscsi-target: Avoid rejecting incorrect ITT for Data-Out
This patch changes iscsit_check_dataout_hdr() to dump the incoming
Data-Out payload when the received ITT is not associated with a
WRITE, instead of calling iscsit_reject_cmd() for the non WRITE
ITT descriptor.

This addresses a bug where an initiator sending an Data-Out for
an ITT associated with a READ would end up generating a reject
for the READ, eventually resulting in list corruption.

Reported-by: Santosh Kulkarni <santosh.kulkarni@calsoftinc.com>
Reported-by: Arshad Hussain <arshad.hussain@calsoftinc.com>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-27 11:47:57 -07:00
Greg Kroah-Hartman
4148c1f67a lz4: fix another possible overrun
There is one other possible overrun in the lz4 code as implemented by
Linux at this point in time (which differs from the upstream lz4
codebase, but will get synced at in a future kernel release.)  As
pointed out by Don, we also need to check the overflow in the data
itself.

While we are at it, replace the odd error return value with just a
"simple" -1 value as the return value is never used for anything other
than a basic "did this work or not" check.

Reported-by: "Don A. Bailey" <donb@securitymouse.com>
Reported-by: Willy Tarreau <w@1wt.eu>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-27 11:21:07 -07:00
Greg Kroah-Hartman
8ecd93ab84 USB-serial fixes for v3.16-rc3
Here are some USB-serial updates for v3.16-rc3 that fix a reported
 NULL-pointer dereference and add some new device IDs.
 
 Included is also two changes to MAINTAINERS dropping individual
 maintainership for two small sub-drivers and updating an email address.
 
 Signed-off-by: Johan Hovold <johan@kernel.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABAgAGBQJTqoRqAAoJEEEN5E/e4bSVRiYP/0to8Pt+KyRkfswsSLKmdj7w
 AZY/iYnXPYxDUnB+sD5876yj6ZR2dcSEK6OoURbP6GIcArj4URqKgHNtQlqS5R0C
 H2rjGgffXuqwT1+G5n/W7JeoO4+umi1xsavCihXzN+sWgiyZSqHV42s+tmrSztBs
 VZ5b8Q17AC7TYXazMFoRUZDHovGo+GTKbegccvwQVuzZ3QhjJ3m0kvLMWpFKq8Gy
 Z03KOkRVSAyyUMdflBiBC0ZDtPKoQAksEL4TZw4Fgn1LJ0Y55NdvSxikP207YNge
 /8Uz6HBy3v0/IhFHyQ01wxh5fvbrlcHVepIF5z40RiHAcqJIyp/UoLEY0I28zhu4
 SEkKMj2xoUXEhNcyEUuqdihl8L+cFacYUFBHrPbc8+D1Nr17hm88BVSZ8Wb5XWjh
 ksuYrMDJNWQKid/vqqwJQv/DP9tp+FOitBfcVat4dSdgnAS6QGBop5rVPFwE6Cmr
 h6gpc6w6GA9jL67pYomgC63X5efGNiXW7YIYY4hZHOWTbcwCDJU1Q7xOfm2r1STA
 8AQM349Xj98um6q40SHSNqv5xcXKfmjLacZog4RzRV5LCPHCWebdP+nYyPF7amC0
 Z0Q/h9Cz934gNfzC8ydKShOZ5Yp1RjQuACszxEj0T9rOWQOaG4Ioii0BKdX7lUHR
 4eFD/vVfvC4eusj/4eFZ
 =5xe6
 -----END PGP SIGNATURE-----

Merge tag 'usb-serial-3.16-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus

Johan writes:

USB-serial fixes for v3.16-rc3

Here are some USB-serial updates for v3.16-rc3 that fix a reported
NULL-pointer dereference and add some new device IDs.

Included is also two changes to MAINTAINERS dropping individual
maintainership for two small sub-drivers and updating an email address.

Signed-off-by: Johan Hovold <johan@kernel.org>
2014-06-27 10:42:05 -07:00
Thomas Gleixner
c58d80f523 usb: musb: Ensure that cppi41 timer gets armed on premature DMA TX irq
Some TI chips raise the DMA complete interrupt before the actual
transfer has been completed. The code tries to busy wait for a few
microseconds and if that fails it arms an hrtimer to recheck. So far
so good, but that has the following issue:

CPU 0					CPU1

start_next_transfer(RQ1);

DMA interrupt
  if (premature_irq(RQ1))
    if (!hrtimer_active(timer))
       hrtimer_start(timer);

hrtimer expires
  timer->state = CALLBACK_RUNNING;
  timer->fn()
    cppi41_recheck_tx_req()
      complete_request(RQ1);
      if (requests_pending())
        start_next_transfer(RQ2);

					DMA interrupt
					  if (premature_irq(RQ2))
					    if (!hrtimer_active(timer))
					       hrtimer_start(timer);
  timer->state = INACTIVE;

The premature interrupt of request2 on CPU1 does not arm the timer and
therefor the request completion never happens because it checks for
!hrtimer_active(). hrtimer_active() evaluates:

  timer->state != HRTIMER_STATE_INACTIVE

which of course evaluates to true in the above case as timer->state is
CALLBACK_RUNNING.

That's clearly documented:

 * A timer is active, when it is enqueued into the rbtree or the
 * callback function is running or it's in the state of being migrated
 * to another cpu.

But that's not what the code wants to check. The code wants to check
whether the timer is queued, i.e. whether its armed and waiting for
expiry.

We have a helper function for this: hrtimer_is_queued(). This
evaluates:

  timer->state & HRTIMER_STATE_QUEUED

So in the above case this evaluates to false and therefor forces the
DMA interrupt on CPU1 to call hrtimer_start().

Use hrtimer_is_queued() instead of hrtimer_active() and evrything is
good.

Reported-by: Torben Hohn <torbenh@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-06-27 10:53:37 -05:00
Andreas Larsson
6ee96cc000 usb: gadget: gr_udc: Fix check for invalid number of microframes
The value 0x3 (not 0x11) in the field for additional transaction/microframe
is reserved and should not be let through. Be clear in the error message about
what value caused the error return.

Reported-by: David Binderman <dcb314@hotmail.com>
Signed-off-by: Andreas Larsson <andreas@gaisler.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-06-27 10:53:07 -05:00
Ezequiel Garcia
7adb5c876e usb: musb: Fix panic upon musb_am335x module removal
At probe time, the musb_am335x driver register its childs by
calling of_platform_populate(), which registers all childs in
the devicetree hierarchy recursively.

On the other side, the driver's remove() function uses of_device_unregister()
to remove each child of musb_am335x's.

However, when musb_dsps is loaded, its devices are attached to the musb_am335x
device as musb_am335x childs. Hence, musb_am335x remove() will attempt to
unregister the devices registered by musb_dsps, which produces a kernel panic.

In other words, the childs in the "struct device" hierarchy are not the same
as the childs in the "devicetree" hierarchy.

Ideally, we should enforce the removal of the devices registered by
musb_am335x *only*, instead of all its child devices. However, because of the
recursive nature of of_platform_populate, this doesn't seem possible.

Therefore, as the only solution at hand, this commit disables musb_am335x
driver removal capability, preventing it from being ever removed. This was
originally suggested by Sebastian Siewior:

https://www.mail-archive.com/linux-omap@vger.kernel.org/msg104946.html

And for reference, here's the panic upon module removal:

musb-hdrc musb-hdrc.0.auto: remove, state 4
usb usb1: USB disconnect, device number 1
musb-hdrc musb-hdrc.0.auto: USB bus 1 deregistered
Unable to handle kernel NULL pointer dereference at virtual address 0000008c
pgd = de11c000
[0000008c] *pgd=9e174831, *pte=00000000, *ppte=00000000
Internal error: Oops: 17 [#1] ARM
Modules linked in: musb_am335x(-) musb_dsps musb_hdrc usbcore usb_common
CPU: 0 PID: 623 Comm: modprobe Not tainted 3.15.0-rc4-00001-g24efd13 #69
task: de1b7500 ti: de122000 task.ti: de122000
PC is at am335x_shutdown+0x10/0x28
LR is at am335x_shutdown+0xc/0x28
pc : [<c0327798>]    lr : [<c0327794>]    psr: a0000013
sp : de123df8  ip : 00000004  fp : 00028f00
r10: 00000000  r9 : de122000  r8 : c000e6c4
r7 : de0e3c10  r6 : de0e3800  r5 : de624010  r4 : de1ec750
r3 : de0e3810  r2 : 00000000  r1 : 00000001  r0 : 00000000
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9e11c019  DAC: 00000015
Process modprobe (pid: 623, stack limit = 0xde122240)
Stack: (0xde123df8 to 0xde124000)
3de0:                                                       de0e3810 bf054488
3e00: bf05444c de624010 60000013 bf043650 000012fc de624010 de0e3810 bf043a20
3e20: de0e3810 bf04b240 c0635b88 c02ca37c c02ca364 c02c8db0 de1b7500 de0e3844
3e40: de0e3810 c02c8e28 c0635b88 de02824c de0e3810 c02c884c de0e3800 de0e3810
3e60: de0e3818 c02c5b20 bf05417c de0e3800 de0e3800 c0635b88 de0f2410 c02ca838
3e80: bf05417c de0e3800 bf055438 c02ca8cc de0e3c10 bf054194 de0e3c10 c02ca37c
3ea0: c02ca364 c02c8db0 de1b7500 de0e3c44 de0e3c10 c02c8e28 c0635b88 de02824c
3ec0: de0e3c10 c02c884c de0e3c10 de0e3c10 de0e3c18 c02c5b20 de0e3c10 de0e3c10
3ee0: 00000000 bf059000 a0000013 c02c5bc0 00000000 bf05900c de0e3c10 c02c5c48
3f00: de0dd0c0 de1ec970 de0f2410 bf05929c de0f2444 bf05902c de0f2410 c02ca37c
3f20: c02ca364 c02c8db0 bf05929c de0f2410 bf05929c c02c94c8 bf05929c 00000000
3f40: 00000800 c02c8ab4 bf0592e0 c007fc40 c00dd820 6273756d 336d615f 00783533
3f60: c064a0ac de1b7500 de122000 de1b7500 c000e590 00000001 c000e6c4 c0060160
3f80: 00028e70 00028e70 00028ea4 00000081 60000010 00028e70 00028e70 00028ea4
3fa0: 00000081 c000e500 00028e70 00028e70 00028ea4 00000800 becb59f8 00027608
3fc0: 00028e70 00028e70 00028ea4 00000081 00000001 00000001 00000000 00028f00
3fe0: b6e6b6f0 becb59d4 000160e8 b6e6b6fc 60000010 00028ea4 00000000 00000000
[<c0327798>] (am335x_shutdown) from [<bf054488>] (dsps_musb_exit+0x3c/0x4c [musb_dsps])
[<bf054488>] (dsps_musb_exit [musb_dsps]) from [<bf043650>] (musb_shutdown+0x80/0x90 [musb_hdrc])
[<bf043650>] (musb_shutdown [musb_hdrc]) from [<bf043a20>] (musb_remove+0x24/0x68 [musb_hdrc])
[<bf043a20>] (musb_remove [musb_hdrc]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c8e28>] (device_release_driver+0x20/0x2c)
[<c02c8e28>] (device_release_driver) from [<c02c884c>] (bus_remove_device+0xdc/0x10c)
[<c02c884c>] (bus_remove_device) from [<c02c5b20>] (device_del+0x104/0x198)
[<c02c5b20>] (device_del) from [<c02ca838>] (platform_device_del+0x14/0x9c)
[<c02ca838>] (platform_device_del) from [<c02ca8cc>] (platform_device_unregister+0xc/0x20)
[<c02ca8cc>] (platform_device_unregister) from [<bf054194>] (dsps_remove+0x18/0x38 [musb_dsps])
[<bf054194>] (dsps_remove [musb_dsps]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c8e28>] (device_release_driver+0x20/0x2c)
[<c02c8e28>] (device_release_driver) from [<c02c884c>] (bus_remove_device+0xdc/0x10c)
[<c02c884c>] (bus_remove_device) from [<c02c5b20>] (device_del+0x104/0x198)
[<c02c5b20>] (device_del) from [<c02c5bc0>] (device_unregister+0xc/0x20)
[<c02c5bc0>] (device_unregister) from [<bf05900c>] (of_remove_populated_child+0xc/0x14 [musb_am335x])
[<bf05900c>] (of_remove_populated_child [musb_am335x]) from [<c02c5c48>] (device_for_each_child+0x44/0x70)
[<c02c5c48>] (device_for_each_child) from [<bf05902c>] (am335x_child_remove+0x18/0x30 [musb_am335x])
[<bf05902c>] (am335x_child_remove [musb_am335x]) from [<c02ca37c>] (platform_drv_remove+0x18/0x1c)
[<c02ca37c>] (platform_drv_remove) from [<c02c8db0>] (__device_release_driver+0x70/0xc8)
[<c02c8db0>] (__device_release_driver) from [<c02c94c8>] (driver_detach+0xb4/0xb8)
[<c02c94c8>] (driver_detach) from [<c02c8ab4>] (bus_remove_driver+0x4c/0xa0)
[<c02c8ab4>] (bus_remove_driver) from [<c007fc40>] (SyS_delete_module+0x128/0x1cc)
[<c007fc40>] (SyS_delete_module) from [<c000e500>] (ret_fast_syscall+0x0/0x48)

Fixes: 97238b35d5 ("usb: musb: dsps: use proper child nodes")
Cc: <stable@vger.kernel.org> # v3.12+
Acked-by: George Cherian <george.cherian@ti.com>
Signed-off-by: Ezequiel Garcia <ezequiel@vanguardiasur.com.ar>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-06-27 10:53:06 -05:00
Michal Nazarewicz
0912214178 usb: gadget: f_fs: resurect usb_functionfs_descs_head structure
Even though usb_functionfs_descs_head structure is now deprecated,
it has been used by some user space tools.  Its removel in commit
[ac8dde1: “Add flags to descriptors block”] was an oversight
leading to build breakage for such tools.

Bring it back so that old user space tools can still be build
without problems on newer kernel versions.

Cc: <stable@vger.kernel.org>  # 3.14
Reported-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Reported-by: Krzysztof Opasiak <k.opasiak@samsung.com>
Signed-off-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe Balbi <balbi@ti.com>
2014-06-27 10:41:29 -05:00
Felipe Balbi
9ad7860450 Revert "tools: ffs-test: convert to new descriptor format fixing compilation error"
This reverts commit f2af74123f.

There is a better fix for this build error coming in a following
patch.

Signed-of-by: Felipe Balbi <balbi@ti.com>
2014-06-27 10:41:00 -05:00
H. Peter Anvin
ba3f35c7ce * Fix a few compiler warnings (one being a real bug) in the arm64 EFI
code that lots of people are running into and reporting - Catalin Marinas
 
  * Use a cast to avoid a 32-bit overflow issue when generating pstore
    filenames - Andrzej Zaborowski
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJTrYAHAAoJEC84WcCNIz1VCy8QAKMyeHBhwoQeAZKrV50fe5UW
 LRKpjxZ7ZWxDmObFMM9x9Jlq6MWroL4WBJjA/DYiPbXgLxbReUITY9nzwruxe4ts
 isQlbKPfAI/7Fx3oFPSKz2UrFqRZPNxbNG+Gmu8vBrKQ1p3jd31NTugZWn27F6Yz
 6dkux7vCbJXbaHNmXMRX8JwTTptuPkleNWyeterry6q8HzOGIyRN8wXBrGvanesx
 w8IVZZfgIuCi5JxPXSemJCVaDUmQb/hk7NGTdA4xjl8P4s2uT7cqxEVYx2I4QI/c
 aAj2B6IAauh8/b1GtN8xN3HoweLGFopfpMILifIbL5HvN3urHfOEWYAFHB/d9Iha
 97v5ylb8LwGK6rxosp1pc3/BIhI/ePtP7cRpmyRinXF99mnwe3jmMfM5f0dH4+Xj
 HqFVTTnzzCzYji38UD5y+2JznjH40VSaFwf4FJY0Ssf9mbuoVasSCgTMTFhMOiBT
 6lsRe/raH+rOJ16Sn2MCceglwaZdwqMXdJYd9pBWa7D0oBZy1keTj5CR1O+0xOqx
 NE6tfZx08hATsyZkKW0CoYCQGAjOAoB19VvFL6G8yHuFfbllpZYflvdQUibbO+TM
 c6EYrBsdOGWKFM1bl4GJ61Ju8tksZJNj8scl/Mcr9yoxg6sAhECCr9jNpVqKTwLs
 54PspusLUZEDeQCKP4w6
 =ERxp
 -----END PGP SIGNATURE-----

Merge tag 'efi-urgent' into x86/urgent

 * Fix a few compiler warnings (one being a real bug) in the arm64 EFI
   code that lots of people are running into and reporting - Catalin Marinas

 * Use a cast to avoid a 32-bit overflow issue when generating pstore
   filenames - Andrzej Zaborowski

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
2014-06-27 07:55:24 -07:00
Ville Syrjälä
33c3b0d191 drm/i915: Wait for vblank after enabling the primary plane on BDW
BDW signals the flip done interrupt immediately after the DSPSURF write
when the plane is disabled. This is true even if we've already armed
DSPCNTR to enable the plane at the next vblank. This causes major
problems for our page flip code which relies on the flip done interrupts
happening at vblank time.

So what happens is that we enable the plane, and immediately allow
userspace to submit a page flip. If the plane is still in the process
of being enabled when the page flip is issued, the flip done gets
signalled immediately. Our DSPSURFLIVE check catches this to prevent
premature flip completion, but it also means that we don't get a flip
done interrupt when the plane actually gets enabled, and so the page
flip is never completed.

Work around this by re-introducing blocking vblank waits on BDW
whenever we enable the primary plane.

I removed some of the vblank waits here:
 commit 6304cd91e7
 Author: Ville Syrjälä <ville.syrjala@linux.intel.com>
 Date:   Fri Apr 25 13:30:12 2014 +0300

    drm/i915: Drop the excessive vblank waits from modeset codepaths

To avoid these blocking vblank waits we should start using the vblank
interrupt instead of the flip done interrupt to complete page flips.
But that's material for another patch.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=79354
Tested-by: Guo Jinxian <jinxianx.guo@intel.com>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
2014-06-27 17:36:11 +03:00
Paolo Bonzini
0c2363ffec Fix sie.h header related problems introduced during the 3.16 development
cycle.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.4.11 (GNU/Linux)
 
 iQIcBAABAgAGBQJTq9/fAAoJEN7Pa5PG8C+vJu4P/RSlgHXgihv7VqKueFVrm/kS
 9yEr/m3e32CU2I21LZUDEb/CWdrIgjo0Q29NlG4C9epfKVLxR7aiSjKhrJ6uZyFE
 3+ivsukDN38vaFZGOdK7SsNeKYJAppKmTcUsQJbLhglEd7tAz4hdM88PiYtStl6K
 hQv8u9ZDy+alqQGpZ0squk5KVrk2LtOPKjm62fgx2uMwXM5PgX+z3K8sLrASmOXv
 mjErzd8aXuUjK+7ZxIUn+53KWyX0Q+huFRt3l3Po6NftfUW8vMkLi/SU8O9pe2As
 DUajrYqiZQGiQpdseuAaSG7R8e7xSQM2Lj00HER4YvMiYP/9IgnQetVKzdsk7VF4
 dwZ4aLmwABTZX3IZZZpWKJp3nt6Ay8Nsfb11oLdDeYfSuhywbhBK1s7Bw1r6D3tB
 qxJO5eFsUSSFttxcFBiaiGx6/XIdk6J5IkUtkHz+OADsd+cuwoTgXMon235MwsF/
 AbjObmCCTf013hU5a3CA3MKInWBbToIxGh1QD0PGYYe/HLbrEuOSbJ4Pcg3XST31
 PKXmPNCHxtjyLpai1I32nnhWf+O+a2lNt4lyGIwwiMlsWZaI/Wk9Zyt7ifUAc1bK
 kusxSqcyQCaZaNMwwM/R6yFjA0HvN4pqrki7dYaXGED5F5185zQ26SMASF6BM7UB
 PmdRwl6xNtRau4k8aj0D
 =bgIM
 -----END PGP SIGNATURE-----

Merge tag 'kvms390-20140626' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into kvm-master

Fix sie.h header related problems introduced during the 3.16 development
cycle.
2014-06-27 16:19:39 +02:00
Takashi Iwai
a12137e779 ALSA: hda - Add a fixup for Thinkpad T540p
The similar fixup as T440 is needed for supporting the dock on T540.

Reported-by: Jim Minter <jminter@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-27 12:14:35 +02:00
David Henningsson
e03fdbde8a ALSA: hda - Add another headset pin quirk for some Dell machines
Another quirk to make the headset mic work on some new Dell machines.

Cc: Hui Wang <hui.wang@canonical.com>
BugLink: https://bugs.launchpad.net/bugs/1297581
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-27 12:09:57 +02:00
Andrzej Zaborowski
783ee43118 efi-pstore: Fix an overflow on 32-bit builds
In generic_id the long int timestamp is multiplied by 100000 and needs
an explicit cast to u64.

Without that the id in the resulting pstore filename is wrong and
userspace may have problems parsing it, but more importantly files in
pstore can never be deleted and may fill the EFI flash (brick device?).
This happens because when generic pstore code wants to delete a file,
it passes the id to the EFI backend which reinterpretes it and a wrong
variable name is attempted to be deleted.  There's no error message but
after remounting pstore, deleted files would reappear.

Signed-off-by: Andrew Zaborowski <andrew.zaborowski@intel.com>
Acked-by: David Rientjes <rientjes@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
2014-06-27 07:30:32 +01:00
Olof Johansson
bfda90cbb8 ARM: bcm: Fix bcm and multi_v7 defconfigs
BCM (Kona/capri platform) has regressed in two ways on this release. First,
bcm_defconfig no longer selected the appropriate MMC driver options due to
changes in dependencies. Secondly, the new MFD and regulator drivers were not
enabled on multi_v7_defconfig, so that caused the system to fail probing MMC
there.

Fix by enabling the new options as needed.

Cc: Matt Porter <matt.porter@linaro.org>
Cc: Christian Daudt <bcm@fixthebug.org>
Signed-off-by: Olof Johansson <olof@lixom.net>
2014-06-26 23:26:41 -07:00
Dave Airlie
0fcb70c301 Merge tag 'drm-intel-fixes-2014-06-26' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Fixes for 3.16-rc2; regressions, races, and warns; Broadwell PCI IDs.

* tag 'drm-intel-fixes-2014-06-26' of git://anongit.freedesktop.org/drm-intel:
  drm/i915: vlv_prepare_pll is only needed in case of non DSI interfaces
  drm/i915: Hold the table lock whilst walking the file's idr and counting the objects in debugfs
  drm/i915: BDW: Adding Reserved PCI IDs.
  drm/i915: Only mark the ctx as initialised after a SET_CONTEXT operation
  drm/i915: default to having backlight if VBT not available
  drm/i915: cache hw power well enabled state
2014-06-27 15:04:06 +10:00
Nicholas Bellinger
b43f1886e4 tcm_loop: Fix memory leak in tcm_loop_submission_work error path
This patch fixes a tcm_loop_cmd descriptor memory leak in the
tcm_loop_submission_work() error path, and would result in
warnings about leaked tcm_loop_cmd_cache objects at module
unload time.

Go ahead and invoke kmem_cache_free() to release tl_cmd back to
tcm_loop_cmd_cache before calling sc->scsi_done().

Reported-by: Sebastian Herbszt <herbszt@gmx.de>
Tested-by: Sebastian Herbszt <herbszt@gmx.de>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-26 20:56:49 -07:00
Nicholas Bellinger
683497566d iscsi-target: Explicily clear login response PDU in exception path
This patch adds a explicit memset to the login response PDU
exception path in iscsit_tx_login_rsp().

This addresses a regression bug introduced in commit baa4d64b
where the initiator would end up not receiving the login
response and associated status class + detail, before closing
the login connection.

Reported-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Tested-by: Christophe Vu-Brugier <cvubrugier@yahoo.fr>
Cc: stable@vger.kernel.org # 3.10+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-26 20:56:49 -07:00
Nicholas Bellinger
83ff42fcce target: Fix left-over se_lun->lun_sep pointer OOPs
This patch fixes a left-over se_lun->lun_sep pointer OOPs when one
of the /sys/kernel/config/target/$FABRIC/$WWPN/$TPGT/lun/$LUN/alua*
attributes is accessed after the $DEVICE symlink has been removed.

To address this bug, go ahead and clear se_lun->lun_sep memory in
core_dev_unexport(), so that the existing checks for show/store
ALUA attributes in target_core_fabric_configfs.c work as expected.

Reported-by: Sebastian Herbszt <herbszt@gmx.de>
Tested-by: Sebastian Herbszt <herbszt@gmx.de>
Cc: stable@vger.kernel.org
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-26 20:56:49 -07:00
Nicholas Bellinger
e4fae2318b iscsi-target; Enforce 1024 byte maximum for CHAP_C key value
This patch adds a check in chap_server_compute_md5() to enforce a
1024 byte maximum for the CHAP_C key value following the requirement
in RFC-3720 Section 11.1.4:

   "..., C and R are large-binary-values and their binary length (not
   the length of the character string that represents them in encoded
   form) MUST not exceed 1024 bytes."

Reported-by: rahul.rane <rahul.rane@calsoftinc.com>
Tested-by: rahul.rane <rahul.rane@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-26 20:56:42 -07:00
Nicholas Bellinger
b06eef6eab iscsi-target: Convert chap_server_compute_md5 to use kstrtoul
This patch converts chap_server_compute_md5() from simple_strtoul() to
kstrtoul usage().

This addresses the case where a empty 'CHAP_I=' key value received during
mutual authentication would be converted to a '0' by simple_strtoul(),
instead of failing the login attempt.

Reported-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Tested-by: Tejas Vaykole <tejas.vaykole@calsoftinc.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2014-06-26 20:56:42 -07:00
Suman Anna
ff4f58f0ca staging: tidspbridge: fix an erroneous removal of parentheses
Commit 4a9fdbb (staging: core: tiomap3430.c Fix line over 80 characters.)
erroneously removed the parentheses around the function pointer leading
to the following build error (when enabling the build of TI DSP/Bridge
driver):

drivers/staging/tidspbridge/core/tiomap3430.c: In function 'bridge_brd_monitor':
drivers/staging/tidspbridge/core/tiomap3430.c:283:10: error: invalid type argument of unary '*' (have 'u32')
make[3]: *** [drivers/staging/tidspbridge/core/tiomap3430.o] Error 1

Fix this build error properly.

Fixes: 4a9fdbb (staging: core: tiomap3430.c Fix line over 80 characters.)
Cc: Aybuke Ozdemir <aybuke.147@gmail.com>
Cc: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Cc: Omar Ramirez Luna <omar.ramirez@copitl.com>
Signed-off-by: Suman Anna <s-anna@ti.com>
Cc: stable <stable@vger.kernel.org> # 3.15
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2014-06-26 21:10:31 -04:00
Linus Torvalds
3493860c76 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
 "A small collection of fixes/changes for the current series.  This
  contains:

   - Removal of dead code from Gu Zheng.

   - Revert of two bad fixes that went in earlier in this round, marking
     things as __init that were not purely used from init.

   - A fix for blk_mq_start_hw_queue() using the __blk_mq_run_hw_queue(),
     which could place us wrongly.  Make it use the non __ variant,
     which handles cases where we are called from the wrong CPU set.
     From me.

   - A fix for drbd, which allocates discard requests without room for
     the SCSI payload.  From Lars Ellenberg.

   - A fix for user-after-free in the blkcg code from Tejun.

   - Addition of limiting gaps in SG lists, if the hardware needs it.
     This is the last pre-req patch for blk-mq to enable the full NVMe
     conversion.  Could wait until 3.17, but it's simple enough so would
     be nice to have everything we need for the NVMe port in the 3.17
     release.  From me"

* 'for-linus' of git://git.kernel.dk/linux-block:
  drbd: fix NULL pointer deref in blk_add_request_payload
  blk-mq: blk_mq_start_hw_queue() should use blk_mq_run_hw_queue()
  block: add support for limiting gaps in SG lists
  bio: remove unused macro bip_vec_idx()
  Revert "block: add __init to elv_register"
  Revert "block: add __init to blkcg_policy_register"
  blkcg: fix use-after-free in __blkg_release_rcu() by making blkcg_gq refcnt an atomic_t
  floppy: format block0 read error message properly
2014-06-26 13:06:13 -07:00
Al Viro
0b86dbf675 Fix 32-bit regression in block device read(2)
blkdev_read_iter() wants to cap the iov_iter by the amount of data
remaining to the end of device.  That's what iov_iter_truncate() is for
(trim iter->count if it's above the given limit).  So far, so good, but
the argument of iov_iter_truncate() is size_t, so on 32bit boxen (in
case of a large device) we end up with that upper limit truncated down
to 32 bits *before* comparing it with iter->count.

Easily fixed by making iov_iter_truncate() take 64bit argument - it does
the right thing after such change (we only reach the assignment in there
when the current value of iter->count is greater than the limit, i.e.
for anything that would get truncated we don't reach the assignment at
all) and that argument is not the new value of iter->count - it's an
upper limit for such.

The overhead of passing u64 is not an issue - the thing is inlined, so
callers passing size_t won't pay any penalty.

Reported-and-tested-by: Theodore Tso <tytso@mit.edu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Tested-by: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Tested-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-06-26 13:02:28 -07:00
Jan Kara
a93cd4cf86 ext4: Fix hole punching for files with indirect blocks
Hole punching code for files with indirect blocks wrongly computed
number of blocks which need to be cleared when traversing the indirect
block tree. That could result in punching more blocks than actually
requested and thus effectively cause a data loss. For example:

fallocate -n -p 10240000 4096

will punch the range 10240000 - 12632064 instead of the range 1024000 -
10244096. Fix the calculation.

CC: stable@vger.kernel.org
Fixes: 8bad6fc813
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2014-06-26 12:30:54 -04:00
Jan Kara
77ea2a4ba6 ext4: Fix block zeroing when punching holes in indirect block files
free_holes_block() passed local variable as a block pointer
to ext4_clear_blocks(). Thus ext4_clear_blocks() zeroed out this local
variable instead of proper place in inode / indirect block. We later
zero out proper place in inode / indirect block but don't dirty the
inode / buffer again which can lead to subtle issues (some changes e.g.
to inode can be lost).

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
2014-06-26 12:28:57 -04:00
Laura Abbott
a67a6ed155 of: Check for phys_addr_t overflows in early_init_dt_add_memory_arch
The common early_init_dt_add_memory_arch takes the base and size
of a memory region as u64 types. The function never checks if
the base and size can actually fit in a phys_addr_t which may
be smaller than 64-bits. This may result in incorrect memory
being passed to memblock_add if the memory falls outside the
range of phys_addr_t. Add range checks for the base and size if
phys_addr_t is smaller than u64.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Laura Abbott <lauraa@codeaurora.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Grant Likely <grant.likely@linaro.org>
2014-06-26 17:28:28 +01:00
Namjae Jeon
e43bb4e612 ext4: decrement free clusters/inodes counters when block group declared bad
We should decrement free clusters counter when block bitmap is marked
as corrupt and free inodes counter when the allocation bitmap is
marked as corrupt to avoid misunderstanding due to incorrect available
size in statfs result.  User can get immediately ENOSPC error from
write begin without reaching for the writepages.

Cc: Darrick J. Wong<darrick.wong@oracle.com>
Reported-by: Amit Sahrawat <amit.sahrawat83@gmail.com>
Signed-off-by: Namjae Jeon <namjae.jeon@samsung.com>
Signed-off-by: Ashish Sangwan <a.sangwan@samsung.com>
2014-06-26 10:11:53 -04:00
Mengdong Lin
a07187c992 ALSA: hda - restore BCLK M/N values when resuming HSW/BDW display controller
For Intel Haswell/Broadwell display HD-A controller, the 24MHz HD-A link BCLK
is converted from Core Display Clock (CDCLK): BCLK = CDCLK * M / N
And there are two registers EM4 and EM5 to program M, N value respectively.
The EM4/EM5 values will be lost and when the display power well is disabled.

BIOS programs CDCLK selected by OEM and EM4/EM5, but BIOS has no idea about
display power well on/off at runtime. So the M/N can be wrong if non-default
CDCLK is used when the audio controller resumes, which results in an invalid
BCLK and abnormal audio playback rate. So this patch saves and restores valid
M/N values on controller suspend/resume.

And 'struct hda_intel' is defined to contain standard HD-A 'struct azx' and
Intel specific fields, as Takashi suggested.

Signed-off-by: Mengdong Lin <mengdong.lin@intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2014-06-26 15:47:42 +02:00
Ralf Baechle
16f0bbbc1f MIPS: Lasat: Fix build error if CRC32 is not enabled.
Kconfig doesn't select CRC32 so it's possible to build a Lasat kernel
without CONFIG_CRC32 resulting in a build error:

  LD      vmlinux
arch/mips/built-in.o: In function `lasat_init_board_info':
(.text+0x22c): undefined reference to `crc32_le'
arch/mips/built-in.o: In function `lasat_write_eeprom_info':
(.text+0x7fc): undefined reference to `crc32_le'
make: *** [vmlinux] Error 1

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 14:43:01 +01:00
Grygorii Strashko
7602e05df7 mfd: ab8500: Fix dt irq mapping
The AD8500 defines itself as interrupt-controller in DT,
but it doesn't assign DT node to IRQ domain when creates it.
As result, of_irq_xx() helpers don't work because they can't
find necessary IRQ domain.

Hence, fix it by assigning AD8500 core device DT node to IRQ
domain when it's created.

This patch fixes STE u8500 Snowball boot failure reported by Kevin Hilman
https://lkml.org/lkml/2014/5/27/624

Reported-and-tested-by: Kevin Hilman <khilman@linaro.org>
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
2014-06-26 13:34:15 +01:00
Arnd Bergmann
9e8884872d mfd: davinci: Voicecodec needs regmap_mmio
Without REGMAP_MMIO, building that driver results in a link error:

drivers/built-in.o: In function `davinci_vc_probe':
:(.init.text+0x3c1c): undefined reference to `devm_regmap_init_mmio_clk'

This adds a Kconfig 'select' statement as the usual way to ensure
that REGMAP_MMIO is enabled.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
2014-06-26 13:33:58 +01:00
Arnd Bergmann
f41716dc52 mfd: STw481x: Allow modular build
This driver depends on I2C, which may be a loadable module.
While you'd probably want both to be built-in in practice,
allowing a modular build avoids possible randconfig link
errors.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
2014-06-26 13:33:50 +01:00
Arnd Bergmann
1c93c725d6 mfd: UCB1x00: Enable modular build
The UCB1200 / UCB1300 driver uses the MCP_SA11X0 driver, which
can be a loadable module, but this results in a link error
when UCB1200 itself is built-in:

drivers/built-in.o: In function `ucb1x00_io_set_dir':
:(.text+0x4a364): undefined reference to `mcp_reg_write'
drivers/built-in.o: In function `ucb1x00_io_write':
:(.text+0x4a3dc): undefined reference to `mcp_reg_write'
drivers/built-in.o: In function `ucb1x00_io_read':
:(.text+0x4a400): undefined reference to `mcp_reg_read'
drivers/built-in.o: In function `ucb1x00_adc_enable':
:(.text+0x4a460): undefined reference to `mcp_enable'
...

This can easily be resolved by making CONFIG_MCP_UCB1200 itself
a tristate option, since that causes Kconfig to track the
dependency correctly.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
2014-06-26 13:33:34 +01:00
Sachin Kamat
06f7d79317 video: omapdss: Fix potential null pointer dereference
kmalloc can return null. Add a check to avoid potential null
pointer dereference error when the pointer is accessed later.

Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
2014-06-26 14:40:15 +03:00
Emil Goode
74c0554ac7 video: vt8500lcdfb: Remove kfree call since devm_kzalloc() is used
We use devm_kzalloc() to allocate memory for the struct vt8500lcd_info
pointer fbi, so there is no need to free it in vt8500lcd_remove().

Signed-off-by: Emil Goode <emilgoode@gmail.com>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
2014-06-26 14:40:07 +03:00
Russell King
92fbdfcd7d drm/i2c: tda998x: add some basic mode validation
The TDA998x can't handle modes with clocks above 150MHz, or resolutions
larger than 8192x2048.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-06-26 11:03:25 +01:00
Russell King
713456db17 drm/i2c: tda998x: faster polling for edid
One of Jean-Francois patches changed the EDID polling to once every
10ms for 10 interations, whereas the original code did 1ms for 100
interations.  This appears to cause boot-time detection to take
noticably longer.  Revert this change.

Acked-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-06-26 11:01:51 +01:00
Guido Martínez
2e48cecb55 drm/i2c: tda998x: move drm_i2c_encoder_destroy call
Currently tda998x_encoder_destroy() calls cec_write() and reg_clear(),
as part of the release procedure. Such calls need to access the I2C bus
and therefore, we need to call them before drm_i2c_encoder_destroy()
which unregisters the I2C device.

This commit moves the latter so it's done afterwards.

Signed-off-by: Guido Martínez <guido@vanguardiasur.com.ar>
Signed-off-by: Ezequiel García <ezequiel@vanguardiasur.com.ar>
Cc: <stable@vger.kernel.org> #v3.9+
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2014-06-26 10:52:03 +01:00
Levente Kurusa
5bb7889f44 TC: Handle device_register() errors.
Make the TURBOchannel driver bail out if the call to device_register()
failed.

Signed-off-by: Levente Kurusa <levex@linux.com>
Acked-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Cc: Linux MIPS <linux-mips@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/6673/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:23 +01:00
Markos Chandras
ab6c15bc66 MIPS: MSC: Prevent out-of-bounds writes to MIPS SC ioremap'd region
Previously, the lower limit for the MIPS SC initialization loop was
set incorrectly allowing one extra loop leading to writes
beyond the MSC ioremap'd space. More precisely, the value of the 'imp'
in the last loop increased beyond the msc_irqmap_t boundaries and
as a result of which, the 'n' variable was loaded with an incorrect
value. This value was used later on to calculate the offset in the
MSC01_IC_SUP which led to random crashes like the following one:

CPU 0 Unable to handle kernel paging request at virtual address e75c0200,
epc == 8058dba4, ra == 8058db90
[...]
Call Trace:
[<8058dba4>] init_msc_irqs+0x104/0x154
[<8058b5bc>] arch_init_irq+0xd8/0x154
[<805897b0>] start_kernel+0x220/0x36c

Kernel panic - not syncing: Attempted to kill the idle task!

This patch fixes the problem

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Reviewed-by: James Hogan <james.hogan@imgtec.com>
Cc: stable@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7118/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:23 +01:00
Markos Chandras
d8214ef14a MIPS: bpf: Fix stack space allocation for BPF memwords on MIPS64
When allocating stack space for BPF memwords we need to use the
appropriate 32 or 64-bit instruction to avoid losing the top 32 bits
of the stack pointer.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7135/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:23 +01:00
Markos Chandras
b6a14a9845 MIPS: BPF: Use 32 or 64-bit load instruction to load an address to register
When loading a pointer to register we need to use the appropriate
32 or 64bit instruction to preserve the pointers' top 32bits.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7180/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:22 +01:00
Markos Chandras
b4fe0ec86d MIPS: bpf: Fix PKT_TYPE case for big-endian cores
The skb->pkt_type field is defined as follows:

u8 pkt_type:3,
   fclone:2,
   ipvs_property:1,
   peeked:1,
   nf_trace:1

resulting to the following layout in big-endian systems

[pkt_type][fclone][ipvs_propery][peeked][nf_trace]
^                                                ^
|                                                |
LSB                                             MSB

As a result, the existing code did not work because it was trying to
match pkt_type == 7 whereas in reality it is 7<<5 on big-endian
systems.

This has been fixed in the interpreter in
0dcceabb0c
"net: filter: fix SKF_AD_PKTTYPE extension on big-endian"

The fix is to look for 7<<5 on big-endian systems for the pkt_type
field, and shift by 5 so the packet type will be at the lower 3 bits
of the A register.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7132/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:22 +01:00
Markos Chandras
95782bf434 MIPS: BPF: Prevent kernel fall over for >=32bit shifts
Remove BUG_ON() if the shift immediate is >=32 to avoid kernel crashes
due to malicious user input. If the shift immediate is >= 32,
we simply load the destination register with 0 since only
32-bit instructions are used by JIT so this will do the
correct thing even on MIPS64.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7179/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:22 +01:00
Markos Chandras
e5bb48b055 MIPS: bpf: Drop update_on_xread and always initialize the X register
Previously, update_on_xread() only set the reset flag if SEEN_X hasn't
been set already. However, SEEN_X is used to indicate that X is used
as destination or source register so there are some cases where X
is only used as source register and we really need to make sure that it
has been initialized in time. As a result of which, drop this function and
always set X to zero if it's used in any of the opcodes.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7133/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:22 +01:00
Markos Chandras
10c4d614d2 MIPS: bpf: Fix is_range() semantics
is_range() was meant to check whether the number is within
the s16 range or not. However the return values and consumers expected
the exact opposite. We fix that by inverting the logic in the function
to return 'true' for < s16 and 'false' for > s16.

Signed-off-by: Markos Chandras <markos.chandras@imgtec.com>
Reported-by: Alexei Starovoitov <ast@plumgrid.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Daniel Borkmann <dborkman@redhat.com>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: netdev@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/7131/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2014-06-26 10:48:21 +01:00