Commit Graph

707690 Commits

Author SHA1 Message Date
David S. Miller
db5972c95d wireless-drivers fixes for 4.14
Nothing really special standing out, all of these are important fixes
 which should go to 4.14.
 
 iwlwifi
 
 * fix support for 3168 device series
 
 * fix a potential crash when using FW debugging recording;
 
 * improve channel flags parsing to avoid warnings on too long traces
 
 * return -ENODATA when the temperature is not available, since the
  -EIO we were returning was causing fatal errors in userspace
 
 * avoid printing too many messages in dmesg when using monitor mode,
   since this can become very noisy and completely flood the logs
 
 brcmsmac
 
 * reduce stack usage to avoid frame size warnings with KASAN
 
 brcmfmac
 
 * add a check to avoid copying uninitialised memory
 
 rtlwifi:
 
 * fix a regression with rtl8821ae starting from v4.11 where
   connections was frequently lost
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJZ4GYHAAoJEG4XJFUm622bXf8H/3DJF5P02OzWIVMK376xUgVI
 feX8tsazK0/cCgxeMfp/K4Nb9umZHFTNd1Zs5mrx8DFJjL1ekXTz93GtfcJ+WFH5
 sPwS+IVOf4IaBrSiNpqskJhln3GHp7A+eFgqbFQ+Is4/eQQBqt/lW6LZoyA5DI6X
 80hOT4eZtHanKNFQHuSgOGHXttAB9AcnEJngvfToZCV1jqadeoPK1GZQ+6Xsot3g
 RU5gYxc4gN+d203KhUxEebzz8buyfCEPG1wFze/mazPcQJ+8IJjMNOl474atKslW
 dsbqak2gtl70weZHeh2PlYkNvTZbAbiWk9feaTGeuwAgwWDms1BJKUKRppfZdqE=
 =RA6K
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2017-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 4.14

Nothing really special standing out, all of these are important fixes
which should go to 4.14.

iwlwifi

* fix support for 3168 device series

* fix a potential crash when using FW debugging recording;

* improve channel flags parsing to avoid warnings on too long traces

* return -ENODATA when the temperature is not available, since the
 -EIO we were returning was causing fatal errors in userspace

* avoid printing too many messages in dmesg when using monitor mode,
  since this can become very noisy and completely flood the logs

brcmsmac

* reduce stack usage to avoid frame size warnings with KASAN

brcmfmac

* add a check to avoid copying uninitialised memory

rtlwifi:

* fix a regression with rtl8821ae starting from v4.11 where
  connections was frequently lost
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-13 08:42:53 -07:00
Joerg Roedel
ce76353f16 iommu/amd: Finish TLB flush in amd_iommu_unmap()
The function only sends the flush command to the IOMMU(s),
but does not wait for its completion when it returns. Fix
that.

Fixes: 601367d76b ('x86/amd-iommu: Remove iommu_flush_domain function')
Cc: stable@vger.kernel.org # >= 2.6.33
Signed-off-by: Joerg Roedel <jroedel@suse.de>
2017-10-13 17:32:19 +02:00
Doug Berger
0d08af35f1 genirq: generic chip: remove irq_gc_mask_disable_reg_and_ack()
Any usage of the irq_gc_mask_disable_reg_and_ack() function has
been replaced with the desired functionality.

The incorrect and ambiguously named function is removed here to
prevent accidental misuse.

Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:31:05 +01:00
Florian Fainelli
16150904d8 irqchip/tango: Use irq_gc_mask_disable_and_ack_set
The only usage of the irq_gc_mask_disable_reg_and_ack() function
is by the Tango irqchip driver. This usage is replaced by the
irq_gc_mask_disable_and_ack_set() function since it provides the
intended functionality.

Fixes: 4bba66899a ("irqchip/tango: Add support for Sigma Designs SMP86xx/SMP87xx interrupt controller")
Acked-by: Mans Rullgard <mans@mansr.com>
Acked-by: Marc Gonzalez <marc_gonzalez@sigmadesigns.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:31:05 +01:00
Doug Berger
20608924cc genirq: generic chip: Add irq_gc_mask_disable_and_ack_set()
The irq_gc_mask_disable_reg_and_ack() function name implies that it
provides the combined functions of irq_gc_mask_disable_reg() and
irq_gc_ack().  However, the implementation does not actually do
that since it writes the mask instead of the disable register. It
also does not maintain the mask cache which makes it inappropriate
to use with other masking functions.

In addition, commit 659fb32d1b ("genirq: replace irq_gc_ack() with
{set,clr}_bit variants (fwd)") effectively renamed irq_gc_ack() to
irq_gc_ack_set_bit() so this function probably should have also been
renamed at that time.

The generic chip code currently provides three functions for use
with the irq_mask member of the irq_chip structure and two functions
for use with the irq_ack member of the irq_chip structure. These
functions could be combined into six functions for use with the
irq_mask_ack member of the irq_chip structure.  However, since only
one of the combinations is currently used, only the function
irq_gc_mask_disable_and_ack_set() is added by this commit.

The '_reg' and '_bit' portions of the base function name were left
out of the new combined function name in an attempt to keep the
function name length manageable with the 80 character source code
line length while still allowing the distinct aspects of each
combination to be captured by the name.

If other combinations are desired in the future please add them to
the irq generic chip library at that time.

Signed-off-by: Doug Berger <opendmb@gmail.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:31:05 +01:00
Shanker Donthineni
30ae9610d2 irqchip/gic-v3-its: Add missing changes to support 52bit physical address
The current ITS driver works fine as long as normal memory and GICR
regions are located within the lower 48bit (>=0 && <2^48) physical
address space. Some of the registers GICR_PEND/PROP, GICR_VPEND/VPROP
and GITS_CBASER are handled properly but not all when configuring
the hardware with 52bit physical address.

This patch does the following changes to support 52bit PA.
  -Handle 52bit PA in GITS_BASERn.
  -Fix ITT_addr width to 52bits, bits[51:8].
  -Fix RDbase width to 52bits, bits[51:16].
  -Fix VPT_addr width to 52bits, bits[51:16].

Definition of the GITS_BASERn register when ITS PageSize is 64KB:
  -Bits[47:16] of the register provide bits[47:16] of the table PA.
  -Bits[15:12] of the register provide bits[51:48] of the table PA.
  -Bits[15:00] of the base physical address are 0.

Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:30:58 +01:00
Shanker Donthineni
32bd44dc19 irqchip/gic-v3-its: Fix the incorrect parsing of VCPU table size
The VCPU table consists of vPE entries, and its size provides the number
of VPEs supported by GICv4 hardware. Unfortunately the maximum size of
the VPE table is not discoverable like Device table. All VLPI commands
limits the number of bits to 16 to hold VPEID, which is index into VCPU
table. Don't apply DEVID bits for VCPU table instead assume maximum bits
to 16.

ITS log messages on QDF2400 without fix:
  allocated 524288 Devices (indirect, esz 8, psz 64K, shr 1)
  allocated 8192 Interrupt Collections (flat, esz 8, psz 64K, shr 1)
  Virtual CPUs Table too large, reduce ids 32->26
  Virtual CPUs too large, reduce ITS pages 8192->256
  allocated 2097152 Virtual CPUs (flat, esz 8, psz 64K, shr 1)

ITS log messages on QDF2400 with fix:
  allocated 524288 Devices (indirect, esz 8, psz 64K, shr 1)
  allocated 8192 Interrupt Collections (flat, esz 8, psz 64K, shr 1)
  allocated 65536 Virtual CPUs (flat, esz 8, psz 64K, shr 1)

Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:30:52 +01:00
Shanker Donthineni
c427a475b6 irqchip/gic-v3-its: Fix the incorrect BUG_ON in its_init_vpe_domain()
The driver probe path hits 'BUG_ON(entries != vpe_proxy.dev->nr_ites)'
on systems where it has VLPI capability, doesn't support direct LPI
feature and boot with a single CPU.

Relax the BUG_ON() condition to fix the issue.

Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 16:30:52 +01:00
Julien Grall
4a40aedec6 DT: arm,gic-v3: Update the ITS size in the examples
Currently, the examples are using 2MB for the ITS size. Per the
specification (section 8.18 in ARM IHI 0069D), the ITS address map is
128KB.

Update the examples to match the specification.

Signed-off-by: Julien Grall <julien.grall@linaro.org>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
2017-10-13 13:43:03 +01:00
Anju T Sudhakar
0d8ba16278 powerpc/perf: Fix IMC initialization crash
Panic observed with latest firmware, and upstream kernel:

 NIP init_imc_pmu+0x8c/0xcf0
 LR  init_imc_pmu+0x2f8/0xcf0
 Call Trace:
   init_imc_pmu+0x2c8/0xcf0 (unreliable)
   opal_imc_counters_probe+0x300/0x400
   platform_drv_probe+0x64/0x110
   driver_probe_device+0x3d8/0x580
   __driver_attach+0x14c/0x1a0
   bus_for_each_dev+0x8c/0xf0
   driver_attach+0x34/0x50
   bus_add_driver+0x298/0x350
   driver_register+0x9c/0x180
   __platform_driver_register+0x5c/0x70
   opal_imc_driver_init+0x2c/0x40
   do_one_initcall+0x64/0x1d0
   kernel_init_freeable+0x280/0x374
   kernel_init+0x24/0x160
   ret_from_kernel_thread+0x5c/0x74

While registering nest imc at init, cpu-hotplug callback
nest_pmu_cpumask_init() makes an OPAL call to stop the engine. And if
the OPAL call fails, imc_common_cpuhp_mem_free() is invoked to cleanup
memory and cpuhotplug setup.

But when cleaning up the attribute group, we are dereferencing the
attribute element array without checking whether the backing element
is not NULL. This causes the kernel panic.

Add a check for the backing element prior to dereferencing the
attribute element, to handle the failing case gracefully.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reported-by: Pridhiviraj Paidipeddi <ppaidipe@linux.vnet.ibm.com>
[mpe: Trim change log]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-13 20:08:40 +11:00
Dave Airlie
a6402e80fa drm/imx: i.MX5 regression fix and i.MX6QP PRE/PRG stability fixes
- Disable channel burst locking on IPUv3EX (i.MX51) and IPUv3M (i.MX53).
   This fixes a regression introduced by commit 790cb4c7c9 ("drm/imx: lock
   scanout transfers for consecutive bursts").
 - Give PRG a head start. Waiting for both double buffers to fill up before
   enabling the IPU improves startup reliability.
 - Avoid PRE control register updates during unsafe window, workaround for
   ERR009624.
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCAA1FiEEBsBxhV1FaKwXuCOBUMKIHHCeYOsFAlnfPc8XHHAuemFiZWxA
 cGVuZ3V0cm9uaXguZGUACgkQUMKIHHCeYOttzRAApPc7BrPKKOr5UZaHqVvLHZSq
 xPAOnyVDRGYRYc9+vyCMLwopjnyAHmvt5GTEThY2kXSmgY9t1tYRkeW6As/3vanc
 1LX/SBGkU/bocxMhWrDMVmKlwWcxtBPDJCvLHlDugSst92053Ox+M4ZKANnfilzr
 Z42zrwsv27B3DhRkl+PjcB+5sCYCf7cbUWQhO5bcJPTmquzm+5rxesfIooj4DPZP
 UISTZAY1peHZfdDSflBw+eOuBurI+foRFFIzhVDvbKsoiZFflNbzjde4jPM0B4ID
 8EzIqv5EHskEzS0jYUy1xGExjz5cZgMLYkIzY8pq/10Poij6/7EIBm/N93J0fTn+
 a46CLgPPT9xqwx3rfb1R1bPW2KmSccrWb8R1iI1slWQbHB5g773BBlDvd4RWt5MP
 CSEYsOLgHDEUjulRMLLcr8PgG8wP7DN0Kwtmc2igbF+7U25f5Cb9TONLpRsaWGG4
 d+GC8nCrQHNlWwOkBuBOFBjbawrcNamguSS1IDwE8RJK/L0iAktH0PCTP+MVawx+
 CxBIx7nnDrBy8NZeAJRbq8xYcnqmQo2FCKm7hLBvhJoUn3gKF6rqWgbP/l66r/hN
 PUqulcLcEtE9PbCaDwL8BkTH/WauPd17+2qrVAvgkawuvi0NojrukG4HriyU2JxU
 cibgIOp5XvnsMu050us=
 =ZPkL
 -----END PGP SIGNATURE-----

Merge tag 'imx-drm-fixes-2017-10-12' of git://git.pengutronix.de/git/pza/linux into drm-fixes

drm/imx: i.MX5 regression fix and i.MX6QP PRE/PRG stability fixes

- Disable channel burst locking on IPUv3EX (i.MX51) and IPUv3M (i.MX53).
  This fixes a regression introduced by commit 790cb4c7c9 ("drm/imx: lock
  scanout transfers for consecutive bursts").
- Give PRG a head start. Waiting for both double buffers to fill up before
  enabling the IPU improves startup reliability.
- Avoid PRE control register updates during unsafe window, workaround for
  ERR009624.

* tag 'imx-drm-fixes-2017-10-12' of git://git.pengutronix.de/git/pza/linux:
  gpu: ipu-v3: pre: implement workaround for ERR009624
  gpu: ipu-v3: prg: wait for double buffers to be filled on channel startup
  gpu: ipu-v3: Allow channel burst locking on i.MX6 only
2017-10-13 17:32:30 +10:00
Dave Airlie
0998077181 Merge branch 'drm-fixes-4.14' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
single amdgpu regression fix.

* 'drm-fixes-4.14' of git://people.freedesktop.org/~agd5f/linux:
  drm/amdgpu: fix placement flags in amdgpu_ttm_bind
2017-10-13 16:23:34 +10:00
Stephen Hemminger
12ed3772b7 ip: update policy routing config help
The kernel config help for policy routing was still pointing at
an ancient document from 2000 that refers to Linux 2.1. Update it
to point to something that is at least occasionally updated.

Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-12 22:57:11 -07:00
Linus Torvalds
3d7882769b Device properties framework fixes for v4.14-rc5
- Fix a device properties management issue, introduced during the
    4.9 cycle, that causes device properties associated with a
    parent device to go away on a removal of its child in some
    cases (Jarkko Nikula).
 
  - Fix inconsistencies in error codes returned by a new function
    helper in the device properties framework depending on the
    underlying low-level firmware interface, DT or ACPI, by making the
    meaning of error codes returned in the ACPI case agree with the
    meaning of DT error codes in analogous situations (Sakari Ailus).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJZ3+/jAAoJEILEb/54YlRxRyIP/1i/tz2SIMIusuIc2gdgdDJn
 OTVQ1jWMl1psn83Ef77WO68yLdopRH2Jv5PT3NoY4IwOfT7jGpuZGqTqoSIHte71
 0KeJTbHwjZMgeMz8bbKLFxWqyA17kj37R/ed8/ki9fb6EKG7CKdOGqvoKnKB9Cha
 ZZHravo3te4tECTuUWWwJNqiqdDpOOfRu4GMfRWJz17MW+0rFCu2aDbP2C0shDVc
 OQuhonBJ2YHykfsRPoQ9lANXn+nQCvo2qVGwmiWh3ooMSu0Q3Yknw5et/bHpbLnH
 xrcAuX/jT9A2FFZvPI5GI1DpF7sYOet7dPFV0KO2kapNN8BQm0sWANPqUUdJuhlg
 hp/qHIMAd3gj4lQLdbq7yDA2NxDI4XghVryktY5Iiyu5clJv/hgK1QoNPL23tbg6
 A+aq1P3z/kFmzHDvVJpY7o3gcxpiwspwQ0azdO50QTqqjhAa70S+O3I+skH/hzFn
 U76oUZS9xcElJbIjFEhj9ZSJZ8fDh5eT5o7xqhyNcX2756GrUdZ4T8mPTl8T4jCK
 TLaErPNfSMgnfkcUPfdJKpVdaYmaqJNSMMCPIHaCE4i0aE6w6SyACqK2VboKCnB9
 RTSZFcC38pSJ9YASU4zC3BOxH8U6VwVEvMRKMCROkNjGf8r0YVRo8niCjuWT9hdP
 bCn8zTAC6Wa1YPDOB530
 =gO65
 -----END PGP SIGNATURE-----

Merge tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull device properties framework fixes from Rafael Wysocki:
 "These fix an issue related to device removal introduced during the 4.9
  cycle and fix up new functionality added recently.

  Specifics:

   - Fix a device properties management issue, introduced during the 4.9
     cycle, that causes device properties associated with a parent
     device to go away on a removal of its child in some cases (Jarkko
     Nikula).

   - Fix inconsistencies in error codes returned by a new function
     helper in the device properties framework depending on the
     underlying low-level firmware interface, DT or ACPI, by making the
     meaning of error codes returned in the ACPI case agree with the
     meaning of DT error codes in analogous situations (Sakari Ailus)"

* tag 'devprop-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: properties: Fix __acpi_node_get_property_reference() return codes
  ACPI: properties: Align return codes of __acpi_node_get_property_reference()
  device property: Track owner device of device property
2017-10-12 17:37:23 -07:00
Linus Torvalds
8ff0b97cf2 Changes since last update:
- Fix a stale kernel memory exposure when logging inodes.
 - Fix some build problems with CONFIG_XFS_RT=n
 - Don't change inode mode if the acl write fails, leaving the file totally
   inaccessible.
 - Fix a dangling pointer problem when removing an attr fork under memory
   pressure.
 - Don't crash while trying to invalidate a null buffer associated with a
   corrupt metadata pointer.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJZ3lPiAAoJEPh/dxk0SrTrfuMP/Axy7VSX71tE/eXPOmzxCVZD
 w4/usqO+OsQj+q8o+rwwuX9hz0VGF8kWZJOdgGdXpYT7pWqPmcf88wbThheTetLF
 fjevusqva0Ds+U4AE7DCNWSKQQRhu2jDgnhQXTv1hdYhWIF59qGwioIijbEvb72I
 0QW+/uV9yXmODjWL6KfRh9zRT9N4npMtszukScONwJr9t0/5ub8H03H/ktv8T9oi
 C3ljEWwyMk5lEYH8p6tpta8EbY0mrIZgo+kj33PU5s9rHvcrTGtyPNqidREUm1fL
 X3+STMytcDQFAcZdBBXHN0nFMwa8ADTrVvKmEgaR8OsXmOmrlcPn7HfVVlWrY31w
 X3awJ0b0+IXUrsbbQOPeqgTo5hIkMDkMOga5AP/rqpx1yCCOrlMHaRPXB2NxNcVw
 dyTj6IpKybhsQ4GkcqmFcgnxPPaogNpYlp6SXV5Dm+8zEJdIQNUuci/EGsNz7UcV
 msxNlJJkxczXOew6JzCyw45wTnJCxduX7Y1xrOTLaDfa9pkWO2zQBXukCJNIqVIq
 35Q4P4JVYtmwQr8XkkX9tiqU0gBWTCTG9KjmTCMm5MYkutEYM0uTNR5Jvyiobl7L
 Nn+RydssVw7ssnNfgsLhzQHPElUivRdYoYFSBa2DQp6ViILrefqQegd5INAjK63W
 7vnHVZyJMHPM0YFoiX8w
 =6Yvh
 -----END PGP SIGNATURE-----

Merge tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fixes from Darrick Wong:

 - Fix a stale kernel memory exposure when logging inodes.

 - Fix some build problems with CONFIG_XFS_RT=n

 - Don't change inode mode if the acl write fails, leaving the file
   totally inaccessible.

 - Fix a dangling pointer problem when removing an attr fork under
   memory pressure.

 - Don't crash while trying to invalidate a null buffer associated with
   a corrupt metadata pointer.

* tag 'xfs-4.14-fixes-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: handle error if xfs_btree_get_bufs fails
  xfs: reinit btree pointer on attr tree inactivation walk
  xfs: Fix bool initialization/comparison
  xfs: don't change inode mode if ACL update fails
  xfs: move more RT specific code under CONFIG_XFS_RT
  xfs: Don't log uninitialised fields in inode structures
2017-10-12 14:51:13 -07:00
NeilBrown
2aab9c3ca4 scripts: fix faddr2line to work on last symbol
If faddr2line is given a function name which is the last one listed by
"nm -n", it will fail because it never finds the next symbol.

So teach the awk script to catch that possibility, and use 'size' to
provide the end point of the last function.

Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-12 12:26:52 -07:00
Rob Clark
06451a3d1d drm/msm: fix _NO_IMPLICIT fencing case
We need to call reservation_object_reserve_shared() in both cases, but
this wasn't happening in the _NO_IMPLICIT submit case.

Fixes: f0a42bb ("drm/msm: submit support for in-fences")
Reported-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 14:21:22 -04:00
Rob Clark
6bd6ae2dfc drm/msm: fix error path cleanup
If we fail to attach iommu, gpu->aspace could be IS_ERR()..

Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 14:19:08 -04:00
Linus Torvalds
3206e7d5e2 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
Pull quota fix from Jan Kara:
 "A fix for a regression in handling of quota grace times and warnings"

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
  quota: Generate warnings for DQUOT_SPACE_NOFAIL allocations
2017-10-12 10:56:06 -07:00
Linus Torvalds
cbaff8763d Another latent bug related to PCID, an out-of-bounds access,
and a submaintainer change being finally made official.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJZ31h8AAoJEL/70l94x66DR74H/jPtBYV77TZw0xMbqXmoFaiQ
 fmq/knkj6uLcQ/i80HqhQZEaoo+McgknzVXBSlAL2JyNPcSRqye7zolIOahq7yya
 tjvbqu0+g1n9YxPIgcPxghb/Ye1cs9VkSRf4xtvInl4BEiOZdmYvI7v87enUAKdO
 PbLaht4VCk3jVpeL/oSEhZYadlP6fRsxCkwiBc6nM+P7Sbo92FHJpaRfbjc4mqw0
 BGKQvSiLWv3cZpf2dw7t+eiFjDamIR/5XI0eJhugYA+8DsG5PiPvqBffkskjNW19
 mfLqiu9/Zl3O0y1oBRj0xLqFsDWH2UNe0HNszr1T/ayDLn07aWvAxH71EEc6Yu0=
 =i1Gv
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull kvm fixes from Paolo Bonzini:
 "Another latent bug related to PCID, an out-of-bounds access, and a
  submaintainer change being finally made official"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
  KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
  KVM: MMU: always terminate page walks at level 1
  KVM: nVMX: update last_nonleaf_level when initializing nested EPT
2017-10-12 10:42:03 -07:00
Niklas Söderlund
3314c6bdd2 device property: preserve usecount for node passed to of_fwnode_graph_get_port_parent()
Using CONFIG_OF_DYNAMIC=y uncovered an imbalance in the usecount of the
node being passed to of_fwnode_graph_get_port_parent(). Preserve the
usecount by using of_get_parent() instead of of_get_next_parent() which
don't decrement the usecount of the node passed to it.

Fixes: 3b27d00e7b ("device property: Move fwnode graph ops to firmware specific locations")
Signed-off-by: Niklas Söderlund <niklas.soderlund+renesas@ragnatech.se>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:26:14 -05:00
Stewart Smith
22f8cc6e33 drivers: of: increase MAX_RESERVED_REGIONS to 32
There are two types of memory reservations firmware can ask the kernel
to make in the device tree: static and dynamic.
See Documentation/devicetree/bindings/reserved-memory/reserved-memory.txt

If you have greater than 16 entries in /reserved-memory (as we do on
POWER9 systems) you would get this scary looking error message:
 [    0.000000] OF: reserved mem: not enough space all defined regions.

This is harmless if all your reservations are static (which with OPAL on
POWER9, they are).

It is not harmless if you have any dynamic reservations after the 16th.

In the first pass over the fdt to find reservations, the child nodes of
/reserved-memory are added to a static array in of_reserved_mem.c so that
memory can be reserved in a 2nd pass. The array has 16 entries. This is why,
on my dual socket POWER9 system, I get that error 4 times with 20 static
reservations.

We don't have a problem on ppc though, as in arch/powerpc/kernel/prom.c
we look at the new style /reserved-ranges property to do reservations,
and this logic was introduced in 0962e8004e (well before any powernv
system shipped).

A Google search shows up no occurances of that exact error message, so we're
probably safe in that no machine that people use has memory not being reserved
when it should be.

The simple fix is to bump the length of the array to 32 which "should be
enough for everyone(TM)". The simple fix of not recording static allocations
in the array would cause problems for devices with "memory-region" properties.
A more future-proof fix is likely possible, although more invasive and this
simple fix is perfectly suitable in the meantime while a more future-proof
fix is developed.

Signed-off-by: Stewart Smith <stewart@linux.vnet.ibm.com>
Tested-by: Mauricio Faria de Oliveira <mauricfo@linux.vnet.ibm.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:23:45 -05:00
Sergey Senozhatsky
db179e0d0d of: do not leak console options
Do not strdup() console options. It seems that the only reason for
it to be strdup()-ed was a compilation warning: printk, UART and
console drivers, for some reason, expect char pointer instead of
const char pointer. So we can just pass `of_stdout_options', but
need to cast it to char pointer. A better fix would be to change
printk, console drivers and UART to accept const char `options';
but that will take time - there are lots of drivers to update.

The patch also fixes a possible memory leak: add_preferred_console()
can fail, but we don't kfree() options.

Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-10-12 12:22:04 -05:00
Archit Taneja
9e4621531e drm/msm/mdp5: Remove extra pm_runtime_put call in mdp5_crtc_cursor_set()
While converting mdp5_enable/disable() calls to pm_runtime_get/put() API,
an extra call to pm_runtime_put_autosuspend() crept in
mdp5_crtc_cursor_set(). This results in calling the suspend handler
twice, and therefore clk_disables twice, which isn't a nice thing to do.

Fixes: d68fe15b18 (drm/msm/mdp5: Use runtime PM get/put API instead ...)

Reported-by: Stanimir Varbanov <stanimir.varbanov@linaro.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 12:59:46 -04:00
Archit Taneja
a18a0ea009 drm/msm/dsi: Use correct pm_runtime_put variant during host_init
The DSI runtime PM suspend/resume callbacks check whether
msm_host->cfg_hnd is non-NULL before trying to enable the bus clocks.
This is done to accommodate early calls to these functions that may
happen before the bus clocks are even initialized.

Calling pm_runtime_put_autosuspend() in dsi_host_init() can result in
racy behaviour since msm_host->cfg_hnd is set very soon after. If the
suspend callback happens too late, we end up trying to disable clocks
that were never enabled, resulting in a bunch of WARN_ON splats.

Use pm_runtime_put_sync() so that the suspend callback is called
immediately.

Reported-by: Nicolas Dechesne <nicolas.dechesne@linaro.org>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 12:59:46 -04:00
Linus Torvalds
73a752cce2 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:

 - fix crashes in skcipher/shash from zero-length input.

 - fix softirq GFP_KERNEL allocation in shash_setkey_unaligned.

 - error path bug fix in xts create function.

 - fix compiler warning regressions in axis and stm32

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: shash - Fix zero-length shash ahash digest crash
  crypto: skcipher - Fix crash on zero-length input
  crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
  crypto: xts - Fix an error handling path in 'create()'
  crypto: stm32 - Try to fix hash padding
  crypto: axis - hide an unused variable
2017-10-12 09:32:53 -07:00
Linus Torvalds
0de50ea7b5 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching
Pull livepatching fix from Jiri Kosina:

 - bugfix for handling of coming modules (incorrect handling of failure)
   from Joe Lawrence

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/livepatching:
  livepatch: unpatch all klp_objects if klp_module_coming fails
2017-10-12 09:21:56 -07:00
Eric Biggers
f66665c09a ecryptfs: fix dereference of NULL user_key_payload
In eCryptfs, we failed to verify that the authentication token keys are
not revoked before dereferencing their payloads, which is problematic
because the payload of a revoked key is NULL.  request_key() *does* skip
revoked keys, but there is still a window where the key can be revoked
before we acquire the key semaphore.

Fix it by updating ecryptfs_get_key_payload_data() to return
-EKEYREVOKED if the key payload is NULL.  For completeness we check this
for "encrypted" keys as well as "user" keys, although encrypted keys
cannot be revoked currently.

Alternatively we could use key_validate(), but since we'll also need to
fix ecryptfs_get_key_payload_data() to validate the payload length, it
seems appropriate to just check the payload pointer.

Fixes: 237fead619 ("[PATCH] ecryptfs: fs/Makefile and fs/Kconfig")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v2.6.19+]
Cc: Michael Halcrow <mhalcrow@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-12 17:16:40 +01:00
Eric Biggers
d60b5b7854 fscrypt: fix dereference of NULL user_key_payload
When an fscrypt-encrypted file is opened, we request the file's master
key from the keyrings service as a logon key, then access its payload.
However, a revoked key has a NULL payload, and we failed to check for
this.  request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 88bd6ccdcd ("ext4 crypto: add encryption key management facilities")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v4.1+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-12 17:16:40 +01:00
Eric Biggers
192cabd6a2 lib/digsig: fix dereference of NULL user_key_payload
digsig_verify() requests a user key, then accesses its payload.
However, a revoked key has a NULL payload, and we failed to check for
this.  request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 051dbb918c ("crypto: digital signature verification support")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v3.3+]
Cc: Dmitry Kasatkin <dmitry.kasatkin@intel.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-12 17:16:40 +01:00
Eric Biggers
d124b2c53c FS-Cache: fix dereference of NULL user_key_payload
When the file /proc/fs/fscache/objects (available with
CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
description "fscache:objlist", then access its payload.  However, a
revoked key has a NULL payload, and we failed to check for this.
request_key() *does* skip revoked keys, but there is still a window
where the key can be revoked before we access its payload.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

Fixes: 4fbf4291aa ("FS-Cache: Allow the current state of all objects to be dumped")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v2.6.32+]
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-12 17:16:40 +01:00
Linus Torvalds
be7484acc6 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid
Pull HID fixes from Jiri Kosina:

 - fix for potential out-of-bounds memory access (found by fuzzing,
   likely requires specially crafted device to trigger) by Jaejoong Kim

 - two new device IDs for elecom driver from Alex Manoussakis

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
  HID: hid-elecom: extend to fix descriptor for HUGE trackball
  HID: usbhid: fix out-of-bounds bug
2017-10-12 09:08:56 -07:00
Linus Torvalds
7702f47623 sound fixes for 4.14-rc5
It's been a busy week for defending the attacks from fuzzer people;
 this pull request contains various USB-audio driver fixes and
 sequencer core fixes spotted by syzkaller and other fuzzer, as well
 as one quirk for a Plantronics USB audio device.
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEECxfAB4MH3rD5mfB6bDGAVD0pKaQFAlnePkwOHHRpd2FpQHN1
 c2UuZGUACgkQbDGAVD0pKaSL3w/+Pc7+JNUwuhoXFbN3aq7/cH3v10+/2RMqfI9m
 TSi/F4u7wyYCSOkJOjK7CetSrMrzi6FVHhTqtTTKB4r9lcqLYuHOWRhE/6R4l8mx
 J8ZJaMiTXjSXl4nDWbNkBoDHxWH+JMN4XTaCTxJPUb/AKrxOYotahKIfTPgbWjAW
 GixnvGRpkmoRAKyAPlJDCFiD2pahDhf9zLFNkkQuYNH7oZH82nuXKS8h73oq9WDY
 7TiGlLxK1afFSTcXFYOFd1njE8czocibVuarBlFA1CLLaCxZAYTo87Hg+WtYp30V
 3nBK6ru/c0lQzhH9vv7uuT4XGzDKX1RfykF9AT8FNllNR/KqORu9O2gk9Zy+3ptq
 xWWPxjoWHUdPlp5igHGsSbjw6Y5MNAL0jc+SmfYzTI2aTrNji5ljwX2f9aNdsLf5
 fW7AWSQk2KEd7i70TJ5TzMs30tF875wggoQYIFjUu+UF4ML728Ri/XvWmDIUaamq
 E+JVaCEAcFQ8HBEmwBGCT4ZL5P0cyZSH6DCnP4okg0nCBVwnsDkGJoWZayBP5lLL
 ts2f3PL1Vo0TdYlzY0HWQfiQvdlYPfJgmMPR5Hm8U1QptxbXZVnPkYAYzW3wGwnS
 tscgHHxW5zUl9/lQrc4VbGbzKCbGsCKlUoyrLbZ67LGN97lkq+u0bvNPf1UCkno/
 3ScZZFo=
 =sl20
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "It's been a busy week for defending the attacks from fuzzer people.

  This contains various USB-audio driver fixes and sequencer core fixes
  spotted by syzkaller and other fuzzer, as well as one quirk for a
  Plantronics USB audio device"

* tag 'sound-4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: caiaq: Fix stray URB at probe error path
  ALSA: seq: Fix use-after-free at creating a port
  ALSA: usb-audio: Kill stray URB at exiting
  ALSA: line6: Fix leftover URB at error-path during probe
  ALSA: line6: Fix NULL dereference at podhd_disconnect()
  ALSA: line6: Fix missing initialization before error path
  ALSA: seq: Fix copy_from_user() call inside lock
  ALSA: usb-audio: Add sample rate quirk for Plantronics P610
2017-10-12 09:01:18 -07:00
Linus Torvalds
467251c69b Merge branch 'waitid-fix'
Merge waitid() fix from Kees Cook.

I'd have hoped that the unsafe_{get|put}_user() naming would have
avoided these kinds of stupid bugs, but no such luck.

* waitid-fix:
  waitid(): Add missing access_ok() checks
2017-10-12 08:36:47 -07:00
Len Brown
616dd5872e x86/apic: Update TSC_DEADLINE quirk with additional SKX stepping
SKX stepping-3 fixed the TSC_DEADLINE issue in a different ucode
version number than stepping-4.  Linux needs to know this stepping-3
specific version number to also enable the TSC_DEADLINE on stepping-3.

The steppings and ucode versions are documented in the SKX BIOS update:
https://downloadmirror.intel.com/26978/eng/ReleaseNotes_R00.01.0004.txt

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Link: https://lkml.kernel.org/r/60f2bbf7cf617e212b522e663f84225bfebc50e5.1507756305.git.len.brown@intel.com
2017-10-12 17:10:11 +02:00
Paolo Bonzini
cc6afe2240 x86/apic: Silence "FW_BUG TSC_DEADLINE disabled due to Errata" on hypervisors
Commit 594a30fb12 ("x86/apic: Silence "FW_BUG TSC_DEADLINE disabled
due to Errata" on CPUs without the feature", 2017-08-30) was also about
silencing the warning on VirtualBox; however, KVM does expose the TSC
deadline timer, and it's virtualized so that it is immune from CPU errata.

Therefore, booting 4.13 with "-cpu Haswell" shows this in the logs:

     [    0.000000] [Firmware Bug]: TSC_DEADLINE disabled due to Errata;
                    please update microcode to version: 0xb2 (or later)

Even if you had a hypervisor that does _not_ virtualize the TSC deadline
and rather exposes the hardware one, it should be the hypervisors task
to update microcode and possibly hide the flag from CPUID.  So just
hide the message when running on _any_ hypervisor, not just those that
do not support the TSC deadline timer.

The older check still makes sense, so keep it.

Fixes: bd9240a18e ("x86/apic: Add TSC_DEADLINE quirk due to errata")
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Hans de Goede <hdegoede@redhat.com>
Cc: kvm@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/1507630377-54471-1-git-send-email-pbonzini@redhat.com
2017-10-12 17:10:10 +02:00
Wei Yongjun
c9811d0fa5 drm/msm: fix return value check in _msm_gem_kernel_new()
In case of error, the function msm_gem_get_vaddr() returns ERR_PTR()
and never returns NULL. The NULL test in the return value check should
be replaced with IS_ERR().

Fixes: 8223286d62 ("drm/msm: Add a helper function for in-kernel
buffer allocations")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 10:59:56 -04:00
Rob Clark
f44001e263 drm/msm: use proper memory barriers for updating tail/head
Fixes intermittent corruption of cmdstream dump.

Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 10:59:11 -04:00
Rob Clark
aa3c2ba1c3 drm/msm/mdp5: add missing max size for 8x74 v1
This should have same max width as v2.

Signed-off-by: Rob Clark <robdclark@gmail.com>
2017-10-12 10:59:10 -04:00
Eric Biggers
13923d0865 KEYS: encrypted: fix dereference of NULL user_key_payload
A key of type "encrypted" references a "master key" which is used to
encrypt and decrypt the encrypted key's payload.  However, when we
accessed the master key's payload, we failed to handle the case where
the master key has been revoked, which sets the payload pointer to NULL.
Note that request_key() *does* skip revoked keys, but there is still a
window where the key can be revoked before we acquire its semaphore.

Fix it by checking for a NULL payload, treating it like a key which was
already revoked at the time it was requested.

This was an issue for master keys of type "user" only.  Master keys can
also be of type "trusted", but those cannot be revoked.

Fixes: 7e70cb4978 ("keys: add new key-type encrypted")
Reviewed-by: James Morris <james.l.morris@oracle.com>
Cc: <stable@vger.kernel.org>    [v2.6.38+]
Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: David Safford <safford@us.ibm.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
2017-10-12 15:55:09 +01:00
Christian König
27b94b4f13 drm/amdgpu: fix placement flags in amdgpu_ttm_bind
Otherwise we lose the NO_EVICT flag and can try to evict pinned BOs.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
2017-10-12 10:34:42 -04:00
Jan Luebbe
2bbbd96357 bus: mbus: fix window size calculation for 4GB windows
At least the Armada XP SoC supports 4GB on a single DRAM window. Because
the size register values contain the actual size - 1, the MSB is set in
that case. For example, the SDRAM window's control register's value is
0xffffffe1 for 4GB (bits 31 to 24 contain the size).

The MBUS driver reads back each window's size from registers and
calculates the actual size as (control_reg | ~DDR_SIZE_MASK) + 1, which
overflows for 32 bit values, resulting in other miscalculations further
on (a bad RAM window for the CESA crypto engine calculated by
mvebu_mbus_setup_cpu_target_nooverlap() in my case).

This patch changes the type in 'struct mbus_dram_window' from u32 to
u64, which allows us to keep using the same register calculation code in
most MBUS-using drivers (which calculate ->size - 1 again).

Fixes: fddddb52a6 ("bus: introduce an Marvell EBU MBus driver")
CC: stable@vger.kernel.org
Signed-off-by: Jan Luebbe <jlu@pengutronix.de>
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
2017-10-12 15:01:30 +02:00
Anju T Sudhakar
cd4f2b30e5 powerpc/perf: Add ___GFP_NOWARN flag to alloc_pages_node()
Stack trace output during a stress test:
 [    4.310049] Freeing initrd memory: 22592K
[    4.310646] rtas_flash: no firmware flash support
[    4.313341] cpuhp/64: page allocation failure: order:0, mode:0x14480c0(GFP_KERNEL|__GFP_ZERO|__GFP_THISNODE), nodemask=(null)
[    4.313465] cpuhp/64 cpuset=/ mems_allowed=0
[    4.313521] CPU: 64 PID: 392 Comm: cpuhp/64 Not tainted 4.11.0-39.el7a.ppc64le #1
[    4.313588] Call Trace:
[    4.313622] [c000000f1fb1b8e0] [c000000000c09388] dump_stack+0xb0/0xf0 (unreliable)
[    4.313694] [c000000f1fb1b920] [c00000000030ef6c] warn_alloc+0x12c/0x1c0
[    4.313753] [c000000f1fb1b9c0] [c00000000030ff68] __alloc_pages_nodemask+0xea8/0x1000
[    4.313823] [c000000f1fb1bbb0] [c000000000113a8c] core_imc_mem_init+0xbc/0x1c0
[    4.313892] [c000000f1fb1bc00] [c000000000113cdc] ppc_core_imc_cpu_online+0x14c/0x170
[    4.313962] [c000000f1fb1bc90] [c000000000125758] cpuhp_invoke_callback+0x198/0x5d0
[    4.314031] [c000000f1fb1bd00] [c00000000012782c] cpuhp_thread_fun+0x8c/0x3d0
[    4.314101] [c000000f1fb1bd60] [c0000000001678d0] smpboot_thread_fn+0x290/0x2a0
[    4.314169] [c000000f1fb1bdc0] [c00000000015ee78] kthread+0x168/0x1b0
[    4.314229] [c000000f1fb1be30] [c00000000000b368] ret_from_kernel_thread+0x5c/0x74
[    4.314313] Mem-Info:
[    4.314356] active_anon:0 inactive_anon:0 isolated_anon:0

core_imc_mem_init() at system boot use alloc_pages_node() to get memory
and alloc_pages_node() throws this stack dump when tried to allocate
memory from a node which has no memory behind it. Add a ___GFP_NOWARN
flag in allocation request as a fix.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reported-by: Michael Ellerman <mpe@ellerman.id.au>
Reported-by: Venkat R.B <venkatb3@in.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-12 23:12:12 +11:00
Anju T Sudhakar
0d923820c6 powerpc/perf: Fix for core/nest imc call trace on cpuhotplug
Nest/core pmu units are enabled only when it is used. A reference count is
maintained for the events which uses the nest/core pmu units. Currently in
*_imc_counters_release function a WARN() is used for notification of any
underflow of ref count.

The case where event ref count hit a negative value is, when perf session is
started, followed by offlining of all cpus in a given core.
i.e. in cpuhotplug offline path ppc_core_imc_cpu_offline() function set the
ref->count to zero, if the current cpu which is about to offline is the last
cpu in a given core and make an OPAL call to disable the engine in that core.
And on perf session termination, perf->destroy (core_imc_counters_release) will
first decrement the ref->count for this core and based on the ref->count value
an opal call is made to disable the core-imc engine.
Now, since cpuhotplug path already clears the ref->count for core and disabled
the engine, perf->destroy() decrementing again at event termination make it
negative which in turn fires the WARN_ON. The same happens for nest units.

Add a check to see if the reference count is alreday zero, before decrementing
the count, so that the ref count will not hit a negative value.

Signed-off-by: Anju T Sudhakar <anju@linux.vnet.ibm.com>
Reviewed-by: Santosh Sivaraj <santosh@fossix.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
2017-10-12 23:11:56 +11:00
Thomas Huth
8a60aea621 MAINTAINERS: Add Paul Mackerras as maintainer for KVM/powerpc
Paul is handling almost all of the powerpc related KVM patches nowadays,
so he should be mentioned in the MAINTAINERS file accordingly.

Signed-off-by: Thomas Huth <thuth@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-10-12 13:55:08 +02:00
Haozhong Zhang
8eb3f87d90 KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
guest CR4. Before this CR4 loading, the guest CR4 refers to L2
CR4. Because these two CR4's are in different levels of guest, we
should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
is used to handle guest writes to its CR4, checks the guest change to
CR4 and may fail if the change is invalid.

The failure may cause trouble. Consider we start
  a L1 guest with non-zero L1 PCID in use,
     (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
and
  a L2 guest with L2 PCID disabled,
     (i.e. L2 CR4.PCIDE == 0)
and following events may happen:

1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
   into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
   of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
   vcpu->arch.cr4) is left to the value of L2 CR4.

2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
   kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
   because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
   CR3.PCID != 0, L0 KVM will inject GP to L1 guest.

Fixes: 4704d0befb ("KVM: nVMX: Exiting from L2 to L1")
Cc: qemu-stable@nongnu.org
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-10-12 13:54:56 +02:00
Nicolas Pitre
ee3eaee6a1 ARM: 8704/1: semihosting: use proper instruction on v7m processors
The svc instruction doesn't exist on v7m processors. Semihosting ops are
invoked with the bkpt instruction instead.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2017-10-12 11:28:29 +01:00
Luc Van Oostenryck II
6042b8c7c0 ARM: 8701/1: fix sparse flags for build on 64bit machines
By default sparse uses the characteristics of the build
machine to infer things like the wordsize.
This is fine when doing native builds but for ARM it's,
I suspect, very rarely the case and if the build are done
on a 64bit machine we get a bunch of warnings like:
  'cast truncates bits from constant value (... becomes ...)'

Fix this by adding the -m32 flags for sparse.

Reported-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Luc Van Oostenryck <luc.vanoostenryck@gmail.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2017-10-12 11:18:19 +01:00
Nicolas Pitre
195320fd6e ARM: 8700/1: nommu: always reserve address 0 away
Some nommu systems have RAM at address 0. When vectors are not located
there, the very beginning of memory remains available for dynamic
allocations. The memblock allocator explicitly skips the first page
but the standard page allocator does not, and while it correctly returns
a non-null struct page pointer for that page, page_address() gives 0
which gets confused with NULL (out of memory) by callers despite having
plenty of free memory left.

Signed-off-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
2017-10-12 11:18:17 +01:00
Greg Kroah-Hartman
2d30408ecf USB: fixes for v4.14-rc5
A deadlock fix in dummy-hcd; Fixing a use-after-free bug in composite;
 Renesas got another fix for DMA programming (this time around a fix
 for receiving ZLP); Tegra PHY got a suspend fix; A memory leak on our
 configfs ABI got plugged.
 
 Other than these, a couple other minor fixes on usbtest.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEElLzh7wn96CXwjh2IzL64meEamQYFAlnfLs4ACgkQzL64meEa
 mQblUQ/9HFiX4p7z908QkU6JhESyE89T3C4N7309E6JbHlr7whjlQWRvYnmaDsN1
 R6EvpsrYuuiuG2peoHeOy9LwrQ2ULTo59X6TYAGxN8+t51lnDkWWZBVMlOACqKMd
 SQExYw/Ik4UJiFQdrD5TDa/+sAC5uZYKFST9cYp7v+Rt0PEqjT41rgdDXHHfRuQc
 cpSfBxDfcZwcmV/xJAn9RLfGmg+SDMHqPHZY1lph7ayrn/xZ4G2eQmkBAOGqJB9y
 O+GQCRVzhX2N5HiFLKvwehx1AvUUrqosE6w8wE7JkefGnfvgjy+JfUqJ71GhbSu3
 tn/zVEBC3hgpr+ccQepzdFtScynQoRnMwa6yuV3W5zlgiy0f3nR6X82nFnNZmpks
 H1gbmTOK/jGIsFq5j5pOsd50Ch157VYG1wMz7el0Jig+derVIaxLcBaRK3ZvNfVO
 qx1s9WztXlJ42XJDaWfBr8ieemWcSSHO0fA+EXQ3NkdN/OR38FS+4RwhrlMKp0lG
 XFWaLhDUOHZ+SAak9L5FjzVLpxC1dmqYziY35oax4Jvm7yrjhdB+be+tnXFiE7yW
 nMXW22bM4jVJhGg9SKjBvW5kiKijYBFbkAGsH9hVswVQLrVtZXUofyfypTgGqI02
 85y/1cN9o5gjQAH3Rc7eH0qmza7ouhi2a/BV+NsQY4I9ZFe2bq0=
 =uGcr
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

USB: fixes for v4.14-rc5

A deadlock fix in dummy-hcd; Fixing a use-after-free bug in composite;
Renesas got another fix for DMA programming (this time around a fix
for receiving ZLP); Tegra PHY got a suspend fix; A memory leak on our
configfs ABI got plugged.

Other than these, a couple other minor fixes on usbtest.
2017-10-12 11:17:34 +02:00