firefly-linux-kernel-4.4.55.git
7 years agoarm64: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS
Huang, Tao [Sat, 6 May 2017 09:50:17 +0000 (17:50 +0800)]
arm64: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS

2ea16502ca00 ("ANDROID: uid_sys_stats: rename uid_cputime.c to uid_sys_stats.c")

Change-Id: I11ad23129722f87111a5c6f3881b4bdcc5626f66
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: enable ARM64_SW_TTBR0_PAN
Huang, Tao [Sat, 6 May 2017 09:56:21 +0000 (17:56 +0800)]
arm64: rockchip_defconfig: enable ARM64_SW_TTBR0_PAN

536bf705c5fd ("ANDROID: configs: CONFIG_ARM64_SW_TTBR0_PAN=y")

Change-Id: I49f562d81d8f354dfbeb545618bc6c907256d60b
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: enable MODVERSIONS
Huang, Tao [Sat, 6 May 2017 09:29:27 +0000 (17:29 +0800)]
ARM: rockchip_defconfig: enable MODVERSIONS

353a964727cf ("ANDROID: android-base.cfg: add CONFIG_MODULES option")

Change-Id: Ia85709d1dc711f1ed8632e6299f121b4e6fbedc2
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: enable CONFIG_IKCONFIG
Huang, Tao [Sat, 6 May 2017 09:28:01 +0000 (17:28 +0800)]
ARM: rockchip_defconfig: enable CONFIG_IKCONFIG

6286b142aeb2 ("ANDROID: android-base.cfg: add CONFIG_IKCONFIG option")

Change-Id: I4d0369b990f9f9d707b672c6959e668307be700b
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: disable CONFIG_USELIB
Huang, Tao [Sat, 6 May 2017 09:26:09 +0000 (17:26 +0800)]
ARM: rockchip_defconfig: disable CONFIG_USELIB

1c634ee26be1 ("config: disable CONFIG_USELIB and CONFIG_FHANDLE")

Change-Id: I617db2524c604e732d9d3f4eae0b8566efd82e98
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS
Huang, Tao [Sat, 6 May 2017 09:23:51 +0000 (17:23 +0800)]
ARM: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS

2ea16502ca00 ("ANDROID: uid_sys_stats: rename uid_cputime.c to uid_sys_stats.c")

Change-Id: I345f44e510cb0168e9816f7d9adecf5772cdb092
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoMerge branch 'linux-linaro-lsk-v4.4-android' of git://git.linaro.org/kernel/linux...
Huang, Tao [Sat, 6 May 2017 06:23:00 +0000 (14:23 +0800)]
Merge branch 'linux-linaro-lsk-v4.4-android' of git://git.linaro.org/kernel/linux-linaro-stable.git

* linux-linaro-lsk-v4.4-android: (521 commits)
  Linux 4.4.66
  ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
  ARCv2: save r30 on kernel entry as gcc uses it for code-gen
  nfsd: check for oversized NFSv2/v3 arguments
  Input: i8042 - add Clevo P650RS to the i8042 reset list
  p9_client_readdir() fix
  MIPS: Avoid BUG warning in arch_check_elf
  MIPS: KGDB: Use kernel context for sleeping threads
  ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
  ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
  ipv6: check raw payload size correctly in ioctl
  ipv6: check skb->protocol before lookup for nexthop
  macvlan: Fix device ref leak when purging bc_queue
  ip6mr: fix notification device destruction
  netpoll: Check for skb->queue_mapping
  net: ipv6: RTF_PCPU should not be settable from userspace
  dp83640: don't recieve time stamps twice
  tcp: clear saved_syn in tcp_disconnect()
  sctp: listen on the sock only when it's state is listening or closed
  net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
  ...

Conflicts:
drivers/usb/dwc3/gadget.c
include/linux/usb/quirks.h

Change-Id: I490f766b9a530b10da3107e20709538e4536a99d

7 years agoARM: rockchip_defconfig: update by savedefconfig
Huang, Tao [Sat, 6 May 2017 06:20:20 +0000 (14:20 +0800)]
ARM: rockchip_defconfig: update by savedefconfig

Change-Id: I96ee84cfa4b40b10f5fb273044a81b22f20f4efb
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: update by savedefconfig
Huang, Tao [Sat, 6 May 2017 06:17:39 +0000 (14:17 +0800)]
arm64: rockchip_defconfig: update by savedefconfig

Change-Id: I4aa6538762060d62da3da56065abee4d42134da2
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agocamera: rockchip: camsys driver disable debug
Xu Jianqun [Thu, 4 May 2017 07:09:06 +0000 (15:09 +0800)]
camera: rockchip: camsys driver disable debug

Change-Id: I1a4b3d1ab0e96bbc4ff482b8f3a3f8aa98b4529d
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoarm64: dts: rk3368: add rockchip-suspend node
XiaoDong Huang [Fri, 5 May 2017 01:14:58 +0000 (09:14 +0800)]
arm64: dts: rk3368: add rockchip-suspend node

Change-Id: I68f8068c795e87ffa3cbea4b23ba5df56a70218d
Signed-off-by: XiaoDong Huang <derrick.huang@rock-chips.com>
7 years agosoc: rockchip: support rk3368 pm config
XiaoDong Huang [Wed, 26 Apr 2017 11:06:08 +0000 (19:06 +0800)]
soc: rockchip: support rk3368 pm config

Change-Id: I69e823d397a411c1b1395563870fca6485dfb936
Signed-off-by: XiaoDong Huang <derrick.huang@rock-chips.com>
7 years agoarm: dts: assigned host vbus regulator for rk3229-evb board
Frank Wang [Thu, 4 May 2017 07:20:14 +0000 (15:20 +0800)]
arm: dts: assigned host vbus regulator for rk3229-evb board

Change-Id: I86608300c600db0ece0120ce3fba0f541953910e
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: assigned host vbus regulator for rk3229-echo-v10 board
Frank Wang [Thu, 4 May 2017 07:16:32 +0000 (15:16 +0800)]
arm: dts: assigned host vbus regulator for rk3229-echo-v10 board

Change-Id: Ia4cd6a915750d933886b217d2c4818d4f66d31c9
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: enable all usb phy and usb host for rk322x SoC
Frank Wang [Thu, 4 May 2017 10:58:16 +0000 (18:58 +0800)]
arm: dts: enable all usb phy and usb host for rk322x SoC

Change-Id: Ia69914348eee190aea0cd0f1a380a4ce569f1cdf
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: add usb-phy and usb2.0 host nodes for rk322x SoC
Frank Wang [Thu, 4 May 2017 06:35:36 +0000 (14:35 +0800)]
arm: dts: add usb-phy and usb2.0 host nodes for rk322x SoC

This patch adds usb2.0 host and usb-phy related nodes for rk322x SoC.

Change-Id: Ib1c5375f81c8d7b55608b1b1793c27be012a8c6e
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agophy: rockchip-inno-usb2: add host-port support for rk322x SoC
Frank Wang [Thu, 4 May 2017 06:11:34 +0000 (14:11 +0800)]
phy: rockchip-inno-usb2: add host-port support for rk322x SoC

This adds support host-port on rk322x SoC and amend phy Documentation.

Change-Id: I440adc10e25c98cbe220275fecd12774c08d24d1
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agovideo: rockchip: vpu: support VDPU at RK3328
Randy Li [Wed, 12 Apr 2017 05:41:41 +0000 (13:41 +0800)]
video: rockchip: vpu: support VDPU at RK3328

The VDPU at RK3328 is a standalone decoder IP without
encoder. Also there is the other AVS+ decoder IP,
working as the combo IP.

I introduce the following commit from develop-3.10,
commit ee2f9f6912fb ("rk322xh/vcodec: bugfix, avoid combo device overwrite irq status")
commit 568dabeb12ef ("rockchip/vcodec: bugfix, inconsistence power on/off operation")

The following patches have not been introduced,
it would effect RKV device:
commit b8a2ce7e5b60 ("rockchip/vcodec: disable power-save optimization for hw defeat")
commit 046faf9ba20a ("rk322xh/vcodec: bugfix, probe failed when ion cma heap undefined")
commit beaeb230cbf2 ("rk322xh/vcodec: revise for rk322xh feature")

Change-Id: Ifc14daa84b692f8fcfbd4f6690ed66dd56bbbe29
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agovideo: rockchip: vpu: add avs decoder table
Randy Li [Mon, 17 Apr 2017 02:22:13 +0000 (10:22 +0800)]
video: rockchip: vpu: add avs decoder table

This table would be used for both AVS and AVS+ decoder.

Change-Id: I9557a3d170943a3b544d97b6c63f02679bd7b532
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agovideo: rockchip: vpu: only use the dev_mode for combo
Randy Li [Tue, 25 Apr 2017 03:06:06 +0000 (11:06 +0800)]
video: rockchip: vpu: only use the dev_mode for combo

The most of device can get this its running type from the
compatible. This property becomes unnecessary.

Change-Id: I40ec41b130fac2cadd47d92332d27c58a8c2c9f7
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: add mutex lock for pmu register
Finley Xiao [Tue, 2 May 2017 12:30:13 +0000 (20:30 +0800)]
PM / devfreq: rockchip_dmc: add mutex lock for pmu register

As dmc may also assess register PMU_BUS_IDLE_REQ, we should prevent
pd driver and dmc driver assessing this register at the same time.

Change-Id: I546033536c87dcf497774cbc6c8f36a3e651ff07
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agosoc: rockchip: power-domain: export rockchip_pm_register_notify_to_dmc
Finley Xiao [Tue, 2 May 2017 07:15:26 +0000 (15:15 +0800)]
soc: rockchip: power-domain: export rockchip_pm_register_notify_to_dmc

This function registers a notifier to dmc devfreq, it will lock the mutex
of pmu when scaling frequency, so that pd driver and dmc driver will not
assess register PMU_BUS_IDLE_REQ at the same time.

Change-Id: I0ba96599d9050d11924d032146e6b4d415629614
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agodmaengine: pl330: fix error message to dev_err_ratelimited
Xu Jianqun [Thu, 4 May 2017 03:57:33 +0000 (11:57 +0800)]
dmaengine: pl330: fix error message to dev_err_ratelimited

Change-Id: I4d1191f5b7d330c2786eaac42213b4d255b05db8
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoARM64: dts: rk3368-p9: enable route mipi
Zorro Liu [Thu, 4 May 2017 03:10:45 +0000 (11:10 +0800)]
ARM64: dts: rk3368-p9: enable route mipi

Change-Id: Ib93918524c173bce1283b0001e0f8ca91594dc6f
Signed-off-by: Zorro Liu <lyx@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: set polling_ms to 50
Finley Xiao [Tue, 2 May 2017 12:13:18 +0000 (20:13 +0800)]
PM / devfreq: rockchip_dmc: set polling_ms to 50

In order to scaling frequency more timely, reduce the polling_ms.

Change-Id: Icbee5552396fa0552fb514d92ea77687228c3e28
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: add support for rk3368
Finley Xiao [Tue, 2 May 2017 11:56:03 +0000 (19:56 +0800)]
PM / devfreq: rockchip_dmc: add support for rk3368

This adds the necessary data for handling dmcfreq on the rk3368.

Change-Id: Ie202cbaa3b27e52b22a5efc57c6e108fbd03a20a
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoMerge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Thu, 4 May 2017 04:01:39 +0000 (12:01 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

7 years ago Merge tag 'v4.4.66' into linux-linaro-lsk-v4.4
Alex Shi [Thu, 4 May 2017 04:01:37 +0000 (12:01 +0800)]
 Merge tag 'v4.4.66' into linux-linaro-lsk-v4.4

 This is the 4.4.66 stable release

7 years agoPM / devfreq: rockchip_dmc: separate the initialized code of dram
Finley Xiao [Tue, 2 May 2017 09:31:30 +0000 (17:31 +0800)]
PM / devfreq: rockchip_dmc: separate the initialized code of dram

It will be easy to compatible with more rockchip platforms,
if move the initialized code of dram into a separated function.

Change-Id: Iad8738b2c0995712723a8e3e84f12ae6b9b2aa91
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agocamera: rockchip: camsys_drv: 0.0x21.0xe
dalong.zhang [Tue, 2 May 2017 13:58:55 +0000 (21:58 +0800)]
camera: rockchip: camsys_drv: 0.0x21.0xe

1) correct mipiphy_hsfreqrange of 3368.
2) add csi-phy timing setting for 3368.

Change-Id: Ia5203dcd8f01bc8989d5bb41a1b2af71bb91f607
Signed-off-by: dalong.zhang <dalon.zhang@rock-chips.com>
7 years agoarm64: dts: rockchip: fix uart3 pinctrl error of rk3368
Zorro Liu [Thu, 4 May 2017 01:25:09 +0000 (09:25 +0800)]
arm64: dts: rockchip: fix uart3 pinctrl error of rk3368

Change-Id: Ie62fd4c6cf1a9c38a1793c9ccd0085c91f38f438
Signed-off-by: Zorro Liu <lyx@rock-chips.com>
7 years agodrm/rockchip: rga: use DMA_BIDIRECTIONAL
Jacob Chen [Tue, 2 May 2017 03:25:31 +0000 (11:25 +0800)]
drm/rockchip: rga: use DMA_BIDIRECTIONAL

In some cases, we need to read data from RGA
and DMA_TO_DEVICE are not a proper flag
So change to DMA_BIDIRECTIONAL

Change-Id: I9d421e8a15f948fcb6643addab558803247ea161
Signed-off-by: Jacob Chen <jacob2.chen@rock-chips.com>
7 years agoarm: dts: rk3288: remove assinged parent for NPLL/GPLL
Xu Jianqun [Thu, 4 May 2017 01:08:30 +0000 (09:08 +0800)]
arm: dts: rk3288: remove assinged parent for NPLL/GPLL

Change-Id: I6ab7dff4d886a776677331f370d9632363abaa87
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoarm: dts: add the basic dt file for rk3229-echo-v10
Frank Wang [Tue, 25 Apr 2017 09:19:11 +0000 (17:19 +0800)]
arm: dts: add the basic dt file for rk3229-echo-v10

Initial support for rk3229-echo board.

Change-Id: I7587d333f296f66727bf1c686911cfca2f3c5619
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: add android dtsi for rk322x SoC
Frank Wang [Tue, 2 May 2017 09:28:35 +0000 (17:28 +0800)]
arm: dts: add android dtsi for rk322x SoC

Change-Id: I400ab97db9d333d53474978bb339ce2ed8a99ed4
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoclk: rockchip: rk3228: fix up the clk cpu setting
Elaine Zhang [Thu, 27 Apr 2017 07:24:46 +0000 (15:24 +0800)]
clk: rockchip: rk3228: fix up the clk cpu setting

support more cpu freq
add armcore div setting

Change-Id: I46ab974da763bab2e887377848be1d9049a1568f
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoarm: dts: rk3228: add some assigned-clocks
Elaine Zhang [Thu, 27 Apr 2017 06:40:57 +0000 (14:40 +0800)]
arm: dts: rk3228: add some assigned-clocks

Change-Id: I257bbfe5ccea74245a6fe3269a896ab968a34c4f
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoclk: rockchip: rk3228: Perfect clock description
Elaine Zhang [Thu, 27 Apr 2017 06:37:34 +0000 (14:37 +0800)]
clk: rockchip: rk3228: Perfect clock description

1 Add some necessary clk ID.
2 some clks add CLK_IGNORE_UNUSED flag
3 add some critical clk

Change-Id: If52699b4d5f430413b06084b7d21fb1afd4539dd
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoclk: rockchip: rk3288: add ddrc clock support
Finley Xiao [Thu, 6 Apr 2017 03:40:01 +0000 (11:40 +0800)]
clk: rockchip: rk3288: add ddrc clock support

Add a ddrc clock into clk branches, so we can do ddr frequency
scaling on rk3288 platform in future.

Change-Id: Ia6c93e5ce82fa30475eddf051bc9ea2512b0cc07
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoclk: rockchip: add SCLK_DDRCLK id for rk3288 ddrc
Finley Xiao [Thu, 6 Apr 2017 03:33:40 +0000 (11:33 +0800)]
clk: rockchip: add SCLK_DDRCLK id for rk3288 ddrc

Add the needed id for the ddr clock.

Change-Id: I9578decd2348a35a6e9c4cc3527375d4d02a2af6
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoarm64: dts: rockchip: Rename OPP nodes as opp-<opp-hz>
Finley Xiao [Wed, 3 May 2017 03:35:50 +0000 (11:35 +0800)]
arm64: dts: rockchip: Rename OPP nodes as opp-<opp-hz>

Compiling the DT file with W=1, DTC warns like follows:

Warning (unit_address_vs_reg): Node /opp_table0/opp@1000000000 has a
unit name, but no reg property

Fix this by replacing '@' with '-' as the OPP nodes will never have a
"reg" property.

Change-Id: I5748be7888db149633c3980c3f5e9715cd256a52
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoARM: dts: rk3288: Rename OPP nodes as opp-<opp-hz>
Finley Xiao [Wed, 3 May 2017 03:34:18 +0000 (11:34 +0800)]
ARM: dts: rk3288: Rename OPP nodes as opp-<opp-hz>

Compiling the DT file with W=1, DTC warns like follows:

Warning (unit_address_vs_reg): Node /opp_table0/opp@1000000000 has a
unit name, but no reg property

Fix this by replacing '@' with '-' as the OPP nodes will never have a
"reg" property.

Change-Id: Id239f49618a818ad87bb77e99f52b52a5ee2dbc6
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoLinux 4.4.66
Greg Kroah-Hartman [Wed, 3 May 2017 04:20:09 +0000 (21:20 -0700)]
Linux 4.4.66

7 years agoftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
Josh Poimboeuf [Thu, 13 Apr 2017 22:53:55 +0000 (17:53 -0500)]
ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram

commit 34a477e5297cbaa6ecc6e17c042a866e1cbe80d6 upstream.

On x86-32, with CONFIG_FIRMWARE and multiple CPUs, if you enable function
graph tracing and then suspend to RAM, it will triple fault and reboot when
it resumes.

The first fault happens when booting a secondary CPU:

startup_32_smp()
  load_ucode_ap()
    prepare_ftrace_return()
      ftrace_graph_is_dead()
        (accesses 'kill_ftrace_graph')

The early head_32.S code calls into load_ucode_ap(), which has an an
ftrace hook, so it calls prepare_ftrace_return(), which calls
ftrace_graph_is_dead(), which tries to access the global
'kill_ftrace_graph' variable with a virtual address, causing a fault
because the CPU is still in real mode.

The fix is to add a check in prepare_ftrace_return() to make sure it's
running in protected mode before continuing.  The check makes sure the
stack pointer is a virtual kernel address.  It's a bit of a hack, but
it's not very intrusive and it works well enough.

For reference, here are a few other (more difficult) ways this could
have potentially been fixed:

- Move startup_32_smp()'s call to load_ucode_ap() down to *after* paging
  is enabled.  (No idea what that would break.)

- Track down load_ucode_ap()'s entire callee tree and mark all the
  functions 'notrace'.  (Probably not realistic.)

- Pause graph tracing in ftrace_suspend_notifier_call() or bringup_cpu()
  or __cpu_up(), and ensure that the pause facility can be queried from
  real mode.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net>
Cc: linux-acpi@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Cc: Len Brown <lenb@kernel.org>
Link: http://lkml.kernel.org/r/5c1272269a580660703ed2eccf44308e790c7a98.1492123841.git.jpoimboe@redhat.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoARCv2: save r30 on kernel entry as gcc uses it for code-gen
Vineet Gupta [Mon, 9 Jan 2017 03:45:48 +0000 (19:45 -0800)]
ARCv2: save r30 on kernel entry as gcc uses it for code-gen

commit ecd43afdbe72017aefe48080631eb625e177ef4d upstream.

This is not exposed to userspace debugers yet, which can be done
independently as a seperate patch !

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonfsd: check for oversized NFSv2/v3 arguments
J. Bruce Fields [Fri, 21 Apr 2017 20:10:18 +0000 (16:10 -0400)]
nfsd: check for oversized NFSv2/v3 arguments

commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoInput: i8042 - add Clevo P650RS to the i8042 reset list
Dmitry Torokhov [Thu, 13 Apr 2017 22:36:31 +0000 (15:36 -0700)]
Input: i8042 - add Clevo P650RS to the i8042 reset list

commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream.

Clevo P650RS and other similar devices require i8042 to be reset in order
to detect Synaptics touchpad.

Reported-by: Paweł Bylica <chfast@gmail.com>
Tested-by: Ed Bordin <edbordin@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agop9_client_readdir() fix
Al Viro [Fri, 14 Apr 2017 21:22:18 +0000 (17:22 -0400)]
p9_client_readdir() fix

commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream.

Don't assume that server is sane and won't return more data than
asked for.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: Avoid BUG warning in arch_check_elf
James Cowgill [Tue, 11 Apr 2017 12:51:07 +0000 (13:51 +0100)]
MIPS: Avoid BUG warning in arch_check_elf

commit c46f59e90226fa5bfcc83650edebe84ae47d454b upstream.

arch_check_elf contains a usage of current_cpu_data that will call
smp_processor_id() with preemption enabled and therefore triggers a
"BUG: using smp_processor_id() in preemptible" warning when an fpxx
executable is loaded.

As a follow-up to commit b244614a60ab ("MIPS: Avoid a BUG warning during
prctl(PR_SET_FP_MODE, ...)"), apply the same fix to arch_check_elf by
using raw_current_cpu_data instead. The rationale quoted from the previous
commit:

"It is assumed throughout the kernel that if any CPU has an FPU, then
all CPUs would have an FPU as well, so it is safe to perform the check
with preemption enabled - change the code to use raw_ variant of the
check to avoid the warning."

Fixes: 46490b572544 ("MIPS: kernel: elf: Improve the overall ABI and FPU mode checks")
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15951/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: KGDB: Use kernel context for sleeping threads
James Hogan [Thu, 30 Mar 2017 15:06:02 +0000 (16:06 +0100)]
MIPS: KGDB: Use kernel context for sleeping threads

commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream.

KGDB is a kernel debug stub and it can't be used to debug userland as it
can only safely access kernel memory.

On MIPS however KGDB has always got the register state of sleeping
processes from the userland register context at the beginning of the
kernel stack. This is meaningless for kernel threads (which never enter
userland), and for user threads it prevents the user seeing what it is
doing while in the kernel:

(gdb) info threads
  Id   Target Id         Frame
  ...
  3    Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
  2    Thread 1 (init)   0x000000007705c4b4 in ?? ()
  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201

Get the register state instead from the (partial) kernel register
context stored in the task's thread_struct for resume() to restore. All
threads now correctly appear to be in context_switch():

(gdb) info threads
  Id   Target Id         Frame
  ...
  3    Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
  2    Thread 1 (init)   context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201

Call clobbered registers which aren't saved and exception registers
(BadVAddr & Cause) which can't be easily determined without stack
unwinding are reported as 0. The PC is taken from the return address,
such that the state presented matches that found immediately after
returning from resume().

Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15829/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoALSA: seq: Don't break snd_use_lock_sync() loop by timeout
Takashi Iwai [Sun, 9 Apr 2017 08:41:27 +0000 (10:41 +0200)]
ALSA: seq: Don't break snd_use_lock_sync() loop by timeout

commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream.

The snd_use_lock_sync() (thus its implementation
snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
the sync loop.  It was introduced from the beginning, just to be
"safer", in terms of avoiding the stupid bugs.

However, as Ben Hutchings suggested, this timeout rather introduces a
potential leak or use-after-free that was apparently fixed by the
commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"):
for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
copy_from_user() could block for a long time, and snd_use_lock_sync()
goes timeout and still leaves the cell at releasing the pool.

For fixing such a problem, we remove the break by the timeout while
still keeping the warning.

Suggested-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
Takashi Sakamoto [Fri, 14 Apr 2017 03:43:01 +0000 (12:43 +0900)]
ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type

commit dfb00a56935186171abb5280b3407c3f910011f1 upstream.

An abstraction of asynchronous transaction for transmission of MIDI
messages was introduced in Linux v4.4. Each driver can utilize this
abstraction to transfer MIDI messages via fixed-length payload of
transaction to a certain unit address. Filling payload of the transaction
is done by callback. In this callback, each driver can return negative
error code, however current implementation assigns the return value to
unsigned variable.

This commit changes type of the variable to fix the bug.

Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
Fixes: 585d7cba5e1f ("ALSA: firewire-lib: add helper functions for asynchronous transactions to transfer MIDI messages")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoipv6: check raw payload size correctly in ioctl
Jamie Bainbridge [Wed, 26 Apr 2017 00:43:27 +0000 (10:43 +1000)]
ipv6: check raw payload size correctly in ioctl

[ Upstream commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 ]

In situations where an skb is paged, the transport header pointer and
tail pointer can be the same because the skb contents are in frags.

This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
length of 0 when the length to receive is actually greater than zero.

skb->len is already correctly set in ip6_input_finish() with
pskb_pull(), so use skb->len as it always returns the correct result
for both linear and paged data.

Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoipv6: check skb->protocol before lookup for nexthop
WANG Cong [Tue, 25 Apr 2017 21:37:15 +0000 (14:37 -0700)]
ipv6: check skb->protocol before lookup for nexthop

[ Upstream commit 199ab00f3cdb6f154ea93fa76fd80192861a821d ]

Andrey reported a out-of-bound access in ip6_tnl_xmit(), this
is because we use an ipv4 dst in ip6_tnl_xmit() and cast an IPv4
neigh key as an IPv6 address:

        neigh = dst_neigh_lookup(skb_dst(skb),
                                 &ipv6_hdr(skb)->daddr);
        if (!neigh)
                goto tx_err_link_failure;

        addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
        addr_type = ipv6_addr_type(addr6);

        if (addr_type == IPV6_ADDR_ANY)
                addr6 = &ipv6_hdr(skb)->daddr;

        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));

Also the network header of the skb at this point should be still IPv4
for 4in6 tunnels, we shold not just use it as IPv6 header.

This patch fixes it by checking if skb->protocol is ETH_P_IPV6: if it
is, we are safe to do the nexthop lookup using skb_dst() and
ipv6_hdr(skb)->daddr; if not (aka IPv4), we have no clue about which
dest address we can pick here, we have to rely on callers to fill it
from tunnel config, so just fall to ip6_route_output() to make the
decision.

Fixes: ea3dc9601bda ("ip6_tunnel: Add support for wildcard tunnel endpoints.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomacvlan: Fix device ref leak when purging bc_queue
Herbert Xu [Thu, 20 Apr 2017 12:55:12 +0000 (20:55 +0800)]
macvlan: Fix device ref leak when purging bc_queue

[ Upstream commit f6478218e6edc2a587b8f132f66373baa7b2497c ]

When a parent macvlan device is destroyed we end up purging its
broadcast queue without dropping the device reference count on
the packet source device.  This causes the source device to linger.

This patch drops that reference count.

Fixes: 260916dfb48c ("macvlan: Fix potential use-after free for...")
Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoip6mr: fix notification device destruction
Nikolay Aleksandrov [Fri, 21 Apr 2017 17:42:16 +0000 (20:42 +0300)]
ip6mr: fix notification device destruction

[ Upstream commit 723b929ca0f79c0796f160c2eeda4597ee98d2b8 ]

Andrey Konovalov reported a BUG caused by the ip6mr code which is caused
because we call unregister_netdevice_many for a device that is already
being destroyed. In IPv4's ipmr that has been resolved by two commits
long time ago by introducing the "notify" parameter to the delete
function and avoiding the unregister when called from a notifier, so
let's do the same for ip6mr.

The trace from Andrey:
------------[ cut here ]------------
kernel BUG at net/core/dev.c:6813!
invalid opcode: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 1165 Comm: kworker/u4:3 Not tainted 4.11.0-rc7+ #251
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
Workqueue: netns cleanup_net
task: ffff880069208000 task.stack: ffff8800692d8000
RIP: 0010:rollback_registered_many+0x348/0xeb0 net/core/dev.c:6813
RSP: 0018:ffff8800692de7f0 EFLAGS: 00010297
RAX: ffff880069208000 RBX: 0000000000000002 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006af90569
RBP: ffff8800692de9f0 R08: ffff8800692dec60 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff88006af90070
R13: ffff8800692debf0 R14: dffffc0000000000 R15: ffff88006af90000
FS:  0000000000000000(0000) GS:ffff88006cb00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe7e897d870 CR3: 00000000657e7000 CR4: 00000000000006e0
Call Trace:
 unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
 unregister_netdevice_many+0xc8/0x120 net/core/dev.c:7880
 ip6mr_device_event+0x362/0x3f0 net/ipv6/ip6mr.c:1346
 notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
 call_netdevice_notifiers net/core/dev.c:1663
 rollback_registered_many+0x919/0xeb0 net/core/dev.c:6841
 unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
 unregister_netdevice_many net/core/dev.c:7880
 default_device_exit_batch+0x4fa/0x640 net/core/dev.c:8333
 ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:144
 cleanup_net+0x5a8/0xb40 net/core/net_namespace.c:463
 process_one_work+0xc04/0x1c10 kernel/workqueue.c:2097
 worker_thread+0x223/0x19c0 kernel/workqueue.c:2231
 kthread+0x35e/0x430 kernel/kthread.c:231
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Code: 3c 32 00 0f 85 70 0b 00 00 48 b8 00 02 00 00 00 00 ad de 49 89
47 78 e9 93 fe ff ff 49 8d 57 70 49 8d 5f 78 eb 9e e8 88 7a 14 fe <0f>
0b 48 8b 9d 28 fe ff ff e8 7a 7a 14 fe 48 b8 00 00 00 00 00
RIP: rollback_registered_many+0x348/0xeb0 RSP: ffff8800692de7f0
---[ end trace e0b29c57e9b3292c ]---

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonetpoll: Check for skb->queue_mapping
Tushar Dave [Thu, 20 Apr 2017 22:57:31 +0000 (15:57 -0700)]
netpoll: Check for skb->queue_mapping

[ Upstream commit c70b17b775edb21280e9de7531acf6db3b365274 ]

Reducing real_num_tx_queues needs to be in sync with skb queue_mapping
otherwise skbs with queue_mapping greater than real_num_tx_queues
can be sent to the underlying driver and can result in kernel panic.

One such event is running netconsole and enabling VF on the same
device. Or running netconsole and changing number of tx queues via
ethtool on same device.

e.g.
Unable to handle kernel NULL pointer dereference
tsk->{mm,active_mm}->context = 0000000000001525
tsk->{mm,active_mm}->pgd = fff800130ff9a000
              \|/ ____ \|/
              "@'/ .. \`@"
              /_| \__/ |_\
                 \__U_/
kworker/48:1(475): Oops [#1]
CPU: 48 PID: 475 Comm: kworker/48:1 Tainted: G           OE
4.11.0-rc3-davem-net+ #7
Workqueue: events queue_process
task: fff80013113299c0 task.stack: fff800131132c000
TSTATE: 0000004480e01600 TPC: 00000000103f9e3c TNPC: 00000000103f9e40 Y:
00000000    Tainted: G           OE
TPC: <ixgbe_xmit_frame_ring+0x7c/0x6c0 [ixgbe]>
g0: 0000000000000000 g1: 0000000000003fff g2: 0000000000000000 g3:
0000000000000001
g4: fff80013113299c0 g5: fff8001fa6808000 g6: fff800131132c000 g7:
00000000000000c0
o0: fff8001fa760c460 o1: fff8001311329a50 o2: fff8001fa7607504 o3:
0000000000000003
o4: fff8001f96e63a40 o5: fff8001311d77ec0 sp: fff800131132f0e1 ret_pc:
000000000049ed94
RPC: <set_next_entity+0x34/0xb80>
l0: 0000000000000000 l1: 0000000000000800 l2: 0000000000000000 l3:
0000000000000000
l4: 000b2aa30e34b10d l5: 0000000000000000 l6: 0000000000000000 l7:
fff8001fa7605028
i0: fff80013111a8a00 i1: fff80013155a0780 i2: 0000000000000000 i3:
0000000000000000
i4: 0000000000000000 i5: 0000000000100000 i6: fff800131132f1a1 i7:
00000000103fa4b0
I7: <ixgbe_xmit_frame+0x30/0xa0 [ixgbe]>
Call Trace:
 [00000000103fa4b0] ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
 [0000000000998c74] netpoll_start_xmit+0xf4/0x200
 [0000000000998e10] queue_process+0x90/0x160
 [0000000000485fa8] process_one_work+0x188/0x480
 [0000000000486410] worker_thread+0x170/0x4c0
 [000000000048c6b8] kthread+0xd8/0x120
 [0000000000406064] ret_from_fork+0x1c/0x2c
 [0000000000000000]           (null)
Disabling lock debugging due to kernel taint
Caller[00000000103fa4b0]: ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
Caller[0000000000998c74]: netpoll_start_xmit+0xf4/0x200
Caller[0000000000998e10]: queue_process+0x90/0x160
Caller[0000000000485fa8]: process_one_work+0x188/0x480
Caller[0000000000486410]: worker_thread+0x170/0x4c0
Caller[000000000048c6b8]: kthread+0xd8/0x120
Caller[0000000000406064]: ret_from_fork+0x1c/0x2c
Caller[0000000000000000]:           (null)

Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: ipv6: RTF_PCPU should not be settable from userspace
David Ahern [Wed, 19 Apr 2017 21:19:43 +0000 (14:19 -0700)]
net: ipv6: RTF_PCPU should not be settable from userspace

[ Upstream commit 557c44be917c322860665be3d28376afa84aa936 ]

Andrey reported a fault in the IPv6 route code:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880069809600 task.stack: ffff880062dc8000
RIP: 0010:ip6_rt_cache_alloc+0xa6/0x560 net/ipv6/route.c:975
RSP: 0018:ffff880062dced30 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800670561c0 RCX: 0000000000000006
RDX: 0000000000000003 RSI: ffff880062dcfb28 RDI: 0000000000000018
RBP: ffff880062dced68 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880062dcfb28 R14: dffffc0000000000 R15: 0000000000000000
FS:  00007feebe37e7c0(0000) GS:ffff88006cb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205a0fe4 CR3: 000000006b5c9000 CR4: 00000000000006e0
Call Trace:
 ip6_pol_route+0x1512/0x1f20 net/ipv6/route.c:1128
 ip6_pol_route_output+0x4c/0x60 net/ipv6/route.c:1212
...

Andrey's syzkaller program passes rtmsg.rtmsg_flags with the RTF_PCPU bit
set. Flags passed to the kernel are blindly copied to the allocated
rt6_info by ip6_route_info_create making a newly inserted route appear
as though it is a per-cpu route. ip6_rt_cache_alloc sees the flag set
and expects rt->dst.from to be set - which it is not since it is not
really a per-cpu copy. The subsequent call to __ip6_dst_alloc then
generates the fault.

Fix by checking for the flag and failing with EINVAL.

Fixes: d52d3997f843f ("ipv6: Create percpu rt6_info")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodp83640: don't recieve time stamps twice
Dan Carpenter [Tue, 18 Apr 2017 19:14:26 +0000 (22:14 +0300)]
dp83640: don't recieve time stamps twice

[ Upstream commit 9d386cd9a755c8293e8916264d4d053878a7c9c7 ]

This patch is prompted by a static checker warning about a potential
use after free.  The concern is that netif_rx_ni() can free "skb" and we
call it twice.

When I look at the commit that added this, it looks like some stray
lines were added accidentally.  It doesn't make sense to me that we
would recieve the same data two times.  I asked the author but never
recieved a response.

I can't test this code, but I'm pretty sure my patch is correct.

Fixes: 4b063258ab93 ("dp83640: Delay scheduled work.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotcp: clear saved_syn in tcp_disconnect()
Eric Dumazet [Sat, 8 Apr 2017 15:07:33 +0000 (08:07 -0700)]
tcp: clear saved_syn in tcp_disconnect()

[ Upstream commit 17c3060b1701fc69daedb4c90be6325d3d9fca8e ]

In the (very unlikely) case a passive socket becomes a listener,
we do not want to duplicate its saved SYN headers.

This would lead to double frees, use after free, and please hackers and
various fuzzers

Tested:
    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
   +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

   +0 bind(3, ..., ...) = 0
   +0 listen(3, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257
   +0 accept(3, ..., ...) = 4

   +0 connect(4, AF_UNSPEC, ...) = 0
   +0 close(3) = 0
   +0 bind(4, ..., ...) = 0
   +0 listen(4, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257

Fixes: cd8ae85299d5 ("tcp: provide SYN headers for passive connections")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosctp: listen on the sock only when it's state is listening or closed
Xin Long [Thu, 6 Apr 2017 05:10:52 +0000 (13:10 +0800)]
sctp: listen on the sock only when it's state is listening or closed

[ Upstream commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee ]

Now sctp doesn't check sock's state before listening on it. It could
even cause changing a sock with any state to become a listening sock
when doing sctp_listen.

This patch is to fix it by checking sock's state in sctp_listen, so
that it will listen on the sock with right state.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
Florian Larysch [Mon, 3 Apr 2017 14:46:09 +0000 (16:46 +0200)]
net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given

[ Upstream commit a8801799c6975601fd58ae62f48964caec2eb83f ]

inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
ip_route_input when iif is given. If a multipath route is present for
the designated destination, ip_multipath_icmp_hash ends up being called,
which uses the source/destination addresses within the skb to calculate
a hash. However, those are not set in the synthetic skb, causing it to
return an arbitrary and incorrect result.

Instead, use UDP, which gets no such special treatment.

Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: fix PPP pseudo-wire auto-loading
Guillaume Nault [Mon, 3 Apr 2017 11:23:15 +0000 (13:23 +0200)]
l2tp: fix PPP pseudo-wire auto-loading

[ Upstream commit 249ee819e24c180909f43c1173c8ef6724d21faf ]

PPP pseudo-wire type is 7 (11 is L2TP_PWTYPE_IP).

Fixes: f1f39f911027 ("l2tp: auto load type modules")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: take reference on sessions being dumped
Guillaume Nault [Mon, 3 Apr 2017 10:03:13 +0000 (12:03 +0200)]
l2tp: take reference on sessions being dumped

[ Upstream commit e08293a4ccbcc993ded0fdc46f1e57926b833d63 ]

Take a reference on the sessions returned by l2tp_session_find_nth()
(and rename it l2tp_session_get_nth() to reflect this change), so that
caller is assured that the session isn't going to disappear while
processing it.

For procfs and debugfs handlers, the session is held in the .start()
callback and dropped in .show(). Given that pppol2tp_seq_session_show()
dereferences the associated PPPoL2TP socket and that
l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
call the session's .ref() callback to prevent the socket from going
away from under us.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info")
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet/packet: fix overflow in check for tp_reserve
Andrey Konovalov [Wed, 29 Mar 2017 14:11:22 +0000 (16:11 +0200)]
net/packet: fix overflow in check for tp_reserve

[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ]

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet/packet: fix overflow in check for tp_frame_nr
Andrey Konovalov [Wed, 29 Mar 2017 14:11:21 +0000 (16:11 +0200)]
net/packet: fix overflow in check for tp_frame_nr

[ Upstream commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b ]

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: purge socket queues in the .destruct() callback
Guillaume Nault [Wed, 29 Mar 2017 06:45:29 +0000 (08:45 +0200)]
l2tp: purge socket queues in the .destruct() callback

[ Upstream commit e91793bb615cf6cdd59c0b6749fe173687bb0947 ]

The Rx path may grab the socket right before pppol2tp_release(), but
nothing guarantees that it will enqueue packets before
skb_queue_purge(). Therefore, the socket can be destroyed without its
queues fully purged.

Fix this by purging queues in pppol2tp_session_destruct() where we're
guaranteed nothing is still referencing the socket.

Fixes: 9e9cb6221aa7 ("l2tp: fix userspace reception on plain L2TP sockets")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: phy: handle state correctly in phy_stop_machine
Nathan Sullivan [Wed, 22 Mar 2017 20:27:01 +0000 (15:27 -0500)]
net: phy: handle state correctly in phy_stop_machine

[ Upstream commit 49d52e8108a21749dc2114b924c907db43358984 ]

If the PHY is halted on stop, then do not set the state to PHY_UP.  This
ensures the phy will be restarted later in phy_start when the machine is
started again.

Fixes: 00db8189d984 ("This patch adds a PHY Abstraction Layer to the Linux Kernel, enabling ethernet drivers to remain as ignorant as is reasonable of the connected PHY's design and operation details.")
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: Brad Mouring <brad.mouring@ni.com>
Acked-by: Xander Huff <xander.huff@ni.com>
Acked-by: Kyle Roeschley <kyle.roeschley@ni.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: neigh: guard against NULL solicit() method
Eric Dumazet [Thu, 23 Mar 2017 19:39:21 +0000 (12:39 -0700)]
net: neigh: guard against NULL solicit() method

[ Upstream commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f ]

Dmitry posted a nice reproducer of a bug triggering in neigh_probe()
when dereferencing a NULL neigh->ops->solicit method.

This can happen for arp_direct_ops/ndisc_direct_ops and similar,
which can be used for NUD_NOARP neighbours (created when dev->header_ops
is NULL). Admin can then force changing nud_state to some other state
that would fire neigh timer.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()
Tom Hromatka [Fri, 31 Mar 2017 22:31:42 +0000 (16:31 -0600)]
sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()

[ Upstream commit 9ae34dbd8afd790cb5f52467e4f816434379eafa ]

This commit moves sparc64's prototype of pmd_write() outside
of the CONFIG_TRANSPARENT_HUGEPAGE ifdef.

In 2013, commit a7b9403f0e6d ("sparc64: Encode huge PMDs using PTE
encoding.") exposed a path where pmd_write() could be called without
CONFIG_TRANSPARENT_HUGEPAGE defined.  This can result in the panic below.

The diff is awkward to read, but the changes are straightforward.
pmd_write() was moved outside of #ifdef CONFIG_TRANSPARENT_HUGEPAGE.
Also, __HAVE_ARCH_PMD_WRITE was defined.

kernel BUG at include/asm-generic/pgtable.h:576!
              \|/ ____ \|/
              "@'/ .. \`@"
              /_| \__/ |_\
                 \__U_/
oracle_8114_cdb(8114): Kernel bad sw trap 5 [#1]
CPU: 120 PID: 8114 Comm: oracle_8114_cdb Not tainted
4.1.12-61.7.1.el6uek.rc1.sparc64 #1
task: fff8400700a24d60 ti: fff8400700bc4000 task.ti: fff8400700bc4000
TSTATE: 0000004411e01607 TPC: 00000000004609f8 TNPC: 00000000004609fc Y:
00000005    Not tainted
TPC: <gup_huge_pmd+0x198/0x1e0>
g0: 000000000001c000 g1: 0000000000ef3954 g2: 0000000000000000 g3: 0000000000000001
g4: fff8400700a24d60 g5: fff8001fa5c10000 g6: fff8400700bc4000 g7: 0000000000000720
o0: 0000000000bc5058 o1: 0000000000000240 o2: 0000000000006000 o3: 0000000000001c00
o4: 0000000000000000 o5: 0000048000080000 sp: fff8400700bc6ab1 ret_pc: 00000000004609f0
RPC: <gup_huge_pmd+0x190/0x1e0>
l0: fff8400700bc74fc l1: 0000000000020000 l2: 0000000000002000 l3: 0000000000000000
l4: fff8001f93250950 l5: 000000000113f800 l6: 0000000000000004 l7: 0000000000000000
i0: fff8400700ca46a0 i1: bd0000085e800453 i2: 000000026a0c4000 i3: 000000026a0c6000
i4: 0000000000000001 i5: fff800070c958de8 i6: fff8400700bc6b61 i7: 0000000000460dd0
I7: <gup_pud_range+0x170/0x1a0>
Call Trace:
 [0000000000460dd0] gup_pud_range+0x170/0x1a0
 [0000000000460e84] get_user_pages_fast+0x84/0x120
 [00000000006f5a18] iov_iter_get_pages+0x98/0x240
 [00000000005fa744] do_direct_IO+0xf64/0x1e00
 [00000000005fbbc0] __blockdev_direct_IO+0x360/0x15a0
 [00000000101f74fc] ext4_ind_direct_IO+0xdc/0x400 [ext4]
 [00000000101af690] ext4_ext_direct_IO+0x1d0/0x2c0 [ext4]
 [00000000101af86c] ext4_direct_IO+0xec/0x220 [ext4]
 [0000000000553bd4] generic_file_read_iter+0x114/0x140
 [00000000005bdc2c] __vfs_read+0xac/0x100
 [00000000005bf254] vfs_read+0x54/0x100
 [00000000005bf368] SyS_pread64+0x68/0x80

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosparc64: kern_addr_valid regression
bob picco [Fri, 10 Mar 2017 19:31:19 +0000 (14:31 -0500)]
sparc64: kern_addr_valid regression

[ Upstream commit adfae8a5d833fa2b46577a8081f350e408851f5b ]

I encountered this bug when using /proc/kcore to examine the kernel. Plus a
coworker inquired about debugging tools. We computed pa but did
not use it during the maximum physical address bits test. Instead we used
the identity mapped virtual address which will always fail this test.

I believe the defect came in here:
[bpicco@zareason linus.git]$ git describe --contains bb4e6e85daa52
v3.18-rc1~87^2~4
.

Signed-off-by: Bob Picco <bob.picco@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoxen/x86: don't lose event interrupts
Stefano Stabellini [Sat, 16 Apr 2016 01:23:00 +0000 (18:23 -0700)]
xen/x86: don't lose event interrupts

commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream.

On slow platforms with unreliable TSC, such as QEMU emulated machines,
it is possible for the kernel to request the next event in the past. In
that case, in the current implementation of xen_vcpuop_clockevent, we
simply return -ETIME. To be precise the Xen returns -ETIME and we pass
it on. However the result of this is a missed event, which simply causes
the kernel to hang.

Instead it is better to always ask the hypervisor for a timer event,
even if the timeout is in the past. That way there are no lost
interrupts and the kernel survives. To do that, remove the
VCPU_SSHOTTMR_future flag.

Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agousb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
Felipe F. Tonello [Wed, 9 Mar 2016 19:39:30 +0000 (19:39 +0000)]
usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize

commit 03d27ade4941076b34c823d63d91dc895731a595 upstream.

buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed
devices.

That caused the OUT endpoint to freeze if the host send any data packet of
length greater than 256 bytes.

This is an example dump of what happended on that enpoint:
HOST:   [DATA][Length=260][...]
DEVICE: [NAK]
HOST:   [PING]
DEVICE: [NAK]
HOST:   [PING]
DEVICE: [NAK]
...
HOST:   [PING]
DEVICE: [NAK]

This patch fixes this problem by setting the minimum usb_request's buffer size
for the OUT endpoint as its wMaxPacketSize.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoregulator: core: Clear the supply pointer if enabling fails
Jon Hunter [Thu, 21 Apr 2016 16:11:58 +0000 (17:11 +0100)]
regulator: core: Clear the supply pointer if enabling fails

commit 8e5356a73604f53da6a1e0756727cb8f9f7bba17 upstream.

During the resolution of a regulator's supply, we may attempt to enable
the supply if the regulator itself is already enabled. If enabling the
supply fails, then we will call _regulator_put() for the supply.
However, the pointer to the supply has not been cleared for the
regulator and this will cause a crash if we then unregister the
regulator and attempt to call regulator_put() a second time for the
supply. Fix this by clearing the supply pointer if enabling the supply
after fails when resolving the supply for a regulator.

Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoRDS: Fix the atomicity for congestion map update
santosh.shilimkar@oracle.com [Thu, 14 Apr 2016 17:43:27 +0000 (10:43 -0700)]
RDS: Fix the atomicity for congestion map update

commit e47db94e10447fc467777a40302f2b393e9af2fa upstream.

Two different threads with different rds sockets may be in
rds_recv_rcvbuf_delta() via receive path. If their ports
both map to the same word in the congestion map, then
using non-atomic ops to update it could cause the map to
be incorrect. Lets use atomics to avoid such an issue.

Full credit to Wengang <wen.gang.wang@oracle.com> for
finding the issue, analysing it and also pointing out
to offending code with spin lock based fix.

Reviewed-by: Leon Romanovsky <leon@leon.nu>
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet_sched: close another race condition in tcf_mirred_release()
WANG Cong [Mon, 16 May 2016 22:11:18 +0000 (15:11 -0700)]
net_sched: close another race condition in tcf_mirred_release()

commit dc327f8931cb9d66191f489eb9a852fc04530546 upstream.

We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata
Florian Fainelli [Fri, 15 Jul 2016 23:42:16 +0000 (16:42 -0700)]
net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata

commit 8e6ce7ebeb34f0992f56de078c3744fb383657fa upstream.

The label lio_xmit_failed is used 3 times through liquidio_xmit() but it
always makes a call to dma_unmap_single() using potentially
uninitialized variables from "ndata" variable. Out of the 3 gotos, 2 run
after ndata has been initialized, and had a prior dma_map_single() call.

Fix this by adding a new error label: lio_xmit_dma_failed which does
this dma_unmap_single() and then processed with the lio_xmit_failed
fallthrough.

Fixes: f21fb3ed364bb ("Add support of Cavium Liquidio ethernet adapters")
Reported-by: coverity (CID 1309740)
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: Fix crash registers on non-crashing CPUs
Corey Minyard [Mon, 11 Apr 2016 14:10:19 +0000 (09:10 -0500)]
MIPS: Fix crash registers on non-crashing CPUs

commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream.

As part of handling a crash on an SMP system, an IPI is send to
all other CPUs to save their current registers and stop.  It was
using task_pt_regs(current) to get the registers, but that will
only be accurate if the CPU was interrupted running in userland.
Instead allow the architecture to pass in the registers (all
pass NULL now, but allow for the future) and then use get_irq_regs()
which should be accurate as we are in an interrupt.  Fall back to
task_pt_regs(current) if nothing else is available.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: David Daney <ddaney@caviumnetworks.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13050/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomd:raid1: fix a dead loop when read from a WriteMostly disk
Wei Fang [Mon, 21 Mar 2016 11:18:32 +0000 (19:18 +0800)]
md:raid1: fix a dead loop when read from a WriteMostly disk

commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream.

If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.

Since we can't get data from this disk in this case, so
continue for another disk.

Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
Theodore Ts'o [Tue, 22 Mar 2016 20:13:15 +0000 (16:13 -0400)]
ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()

commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.

We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.

This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodrm/amdgpu: fix array out of bounds
tom will [Mon, 16 May 2016 14:31:07 +0000 (10:31 -0400)]
drm/amdgpu: fix array out of bounds

commit 484f689fc9d4eb91c68f53e97dc355b1b06c3edb upstream.

When the initial value of i is greater than zero,
it may cause endless loop, resulting in array out
of bounds, fix it.

This is a port of the radeon fix to amdgpu.

Signed-off-by: tom will <os@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agocrypto: testmgr - fix out of bound read in __test_aead()
Jerome Marchand [Wed, 3 Feb 2016 12:58:12 +0000 (13:58 +0100)]
crypto: testmgr - fix out of bound read in __test_aead()

commit abfa7f4357e3640fdee87dfc276fd0f379fb5ae6 upstream.

__test_aead() reads MAX_IVLEN bytes from template[i].iv, but the
actual length of the initialisation vector can be shorter.
The length of the IV is already calculated earlier in the
function. Let's just reuses that. Also the IV length is currently
calculated several time for no reason. Let's fix that too.
This fix an out-of-bound error detected by KASan.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoclk: sunxi: Add apb0 gates for H3
Krzysztof Adamski [Mon, 22 Feb 2016 13:03:25 +0000 (14:03 +0100)]
clk: sunxi: Add apb0 gates for H3

commit 6e17b4181603d183d20c73f4535529ddf2a2a020 upstream.

This patch adds support for APB0 in H3. It seems to be compatible with
earlier SOCs. apb0 gates controls R_ block peripherals (R_PIO, R_IR,
etc).

Since this gates behave just like any Allwinner clock gate, add a generic
compatible that can be reused if we don't have any clock to protect.

Signed-off-by: Krzysztof Adamski <k@japko.eu>
[Maxime: Removed the H3 compatible from the simple-gates driver, reworked
         the commit log a bit]
Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoARM: OMAP2+: timer: add probe for clocksources
Tero Kristo [Thu, 16 Jun 2016 12:25:18 +0000 (15:25 +0300)]
ARM: OMAP2+: timer: add probe for clocksources

commit 970f9091d25df14e9540ec7ff48a2f709e284cd1 upstream.

A few platforms are currently missing clocksource_probe() completely
in their time_init functionality. On OMAP3430 for example, this is
causing cpuidle to be pretty much dead, as the counter32k is not
going to be registered and instead a gptimer is used as a clocksource.
This will tick in periodic mode, preventing any deeper idle states.

While here, also drop one unnecessary check for populated DT before
existing clocksource_probe() call.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoxc2028: unlock on error in xc2028_set_config()
Dan Carpenter [Wed, 3 Feb 2016 15:34:00 +0000 (13:34 -0200)]
xc2028: unlock on error in xc2028_set_config()

commit 210bd104c6acd31c3c6b8b075b3f12d4a9f6b60d upstream.

We have to unlock before returning -ENOMEM.

Fixes: 8dfbcc4351a0 ('[media] xc2028: avoid use after free')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agof2fs: do more integrity verification for superblock
Chao Yu [Tue, 15 Dec 2015 01:58:18 +0000 (09:58 +0800)]
f2fs: do more integrity verification for superblock

commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e upstream.

Do more sanity check for superblock during ->mount.

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoiio: adc: remove unused rockchip_adc driver
Huang, Tao [Wed, 3 May 2017 03:28:38 +0000 (11:28 +0800)]
iio: adc: remove unused rockchip_adc driver

replaced by rockchip_saradc from upstream.

Change-Id: I1a0a54240cd4b6f647a84597c739669b7c829157
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agodrm/rockchip: vop: fix update timeout to 1000 ms
Xu Jianqun [Tue, 2 May 2017 06:34:52 +0000 (14:34 +0800)]
drm/rockchip: vop: fix update timeout to 1000 ms

Extend timeout value from 100 jiffies to 1000 millisecond.

Change-Id: I4941bb487051a73cf348f72799226e17d4b60e49
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agocamera: rockchip: camsys driver 0.0x21.d
dalong.zhang [Tue, 2 May 2017 08:44:24 +0000 (16:44 +0800)]
camera: rockchip: camsys driver 0.0x21.d

modify mipiphy_hsfreqrange for 3368

Change-Id: I4a9d2d6a28202e734e900f3bb761190842c2948e
Signed-off-by: dalong.zhang <dalon.zhang@rock-chips.com>
7 years agodrm/rockchip: vop: fix NV12 video display error
Mark Yao [Tue, 2 May 2017 07:22:43 +0000 (15:22 +0800)]
drm/rockchip: vop: fix NV12 video display error

fixup the scale calculation formula on the case
src_height == (dst_height/2).

Change-Id: I620a4646232c016ff1547b5b6469ed2eedeacfed
Signed-off-by: Mark Yao <mark.yao@rock-chips.com>
7 years agodrm: bridge: dw-hdmi: Reorder HDMI Initialization Step
Zheng Yang [Fri, 28 Apr 2017 03:21:34 +0000 (11:21 +0800)]
drm: bridge: dw-hdmi: Reorder HDMI Initialization Step

There is a bug of pll lock detection in previous code.

/* Wait for PHY PLL lock */
msec = 5;
do {
val = hdmi_readb(hdmi, HDMI_PHY_STAT0) & HDMI_PHY_TX_PHY_LOCK;
if (!val)
break;
...
} while (1)

while is break if pll is not lock yet, the real lock status may
be after the dw_hdmi_enable_video_path.

This bug is fixed in commit <a479fa5417b12fdf7aef8e41fdb99393e1c28581>
(FROMLIST: drm: bridge: dw-hdmi: Fix the PHY power up sequence)

But it introduced an new bug: hdmi output timing may be not stable,
the format shown on some TV is not a standard hdmi timing. For example,
1080P will be shown as 1922x1080 on LEADSTAR LD-1088.

After reorder the HDMI Initialization Step, phy initialization is
moved after the dw_hdmi_enable_video_path, this bug is fixed.

Change-Id: Id996978ceabcf1cce4bf83ddb84528c04fbb7583
Signed-off-by: Zheng Yang <zhengyang@rock-chips.com>
7 years agodrm: bridge: dw-hdmi: remove the function is_rockchip
Zheng Yang [Fri, 28 Apr 2017 03:06:48 +0000 (11:06 +0800)]
drm: bridge: dw-hdmi: remove the function is_rockchip

The function is_rockchip isn't used any more now that phy reset
operation is performed based on detected phy type.

Change-Id: I58e7a222bc1e1578f0d5d2fcd884b17171fb9601
Signed-off-by: Zheng Yang <zhengyang@rock-chips.com>
7 years agodrm: bridge: dw-hdmi: add default phy function for DW_HDMI_PHY_DWC_HDMI20_TX_PHY
Zheng Yang [Fri, 28 Apr 2017 02:59:31 +0000 (10:59 +0800)]
drm: bridge: dw-hdmi: add default phy function for DW_HDMI_PHY_DWC_HDMI20_TX_PHY

DWC HDMI 2.0 TX PHY has the same register layout with DWC HDMI
MHL TX PHY, so we use hdmi_phy_configure_dwc_hdmi_3d_tx as
DW_HDMI_PHY_DWC_HDMI20_TX_PHY default configuration function.

Change-Id: Ib50464b9eef87707a8597493cc05e61a1ecde240
Signed-off-by: Zheng Yang <zhengyang@rock-chips.com>
7 years agoFROMLIST: drm: bridge: dw-hdmi: Add support for custom PHY configuration
Kieran Bingham [Fri, 3 Mar 2017 17:20:04 +0000 (19:20 +0200)]
FROMLIST: drm: bridge: dw-hdmi: Add support for custom PHY configuration

The DWC HDMI TX controller interfaces with a companion PHY. While
Synopsys provides multiple standard PHYs, SoC vendors can also integrate
a custom PHY.

Modularize PHY configuration to support vendor PHYs through platform
data. The existing PHY configuration code was originally written to
support the DWC HDMI 3D TX PHY, and seems to be compatible with the DWC
MLP PHY. The HDMI 2.0 PHY will require a separate configuration
function.

Signed-off-by: Kieran Bingham <kieran.bingham+renesas@ideasonboard.com>
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Tested-by: Neil Armstrong <narmstrong@baylibre.com>
Reviewed-by: Jose Abreu <Jose.Abreu@synopsys.com>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Link: http://patchwork.freedesktop.org/patch/msgid/20170303172007.26541-8-laurent.pinchart+renesas@ideasonboard.com
Change-Id: I7527e77fd8679434379161a6bf3daa1639d081b8
Signed-off-by: Zheng Yang <zhengyang@rock-chips.com>
(am from https://patchwork.kernel.org/patch/9603303/)

7 years agofiq_debugger: use __handle_sysrq instead of handle_sysrq
Huibin Hong [Tue, 2 May 2017 02:46:41 +0000 (10:46 +0800)]
fiq_debugger: use __handle_sysrq instead of handle_sysrq

Because init.rc does the following operation, handle_sysrq
will do nothing. If we want to use sysrq, __handle_sysrq
can work.
write /proc/sys/kernel/sysrq 0

Change-Id: Ia51debd92f393326f183736e405e25dc4d6a2abc
Signed-off-by: Huibin Hong <huibin.hong@rock-chips.com>
7 years agoANDROID: uid_sys_stats: fix access of task_uid(task)
Ganesh Mahendran [Tue, 25 Apr 2017 10:07:43 +0000 (18:07 +0800)]
ANDROID: uid_sys_stats: fix access of task_uid(task)

struct task_struct *task should be proteced by tasklist_lock.

Change-Id: Iefcd13442a9b9d855a2bbcde9fd838a4132fee58
Signed-off-by: Ganesh Mahendran <opensource.ganesh@gmail.com>
7 years agoBACKPORT: f2fs: sanity check log_blocks_per_seg
Jin Qian [Tue, 25 Apr 2017 01:20:52 +0000 (18:20 -0700)]
BACKPORT: f2fs: sanity check log_blocks_per_seg

f2fs currently only supports 4KB block size and 2MB segment size.
Sanity check log_blocks_per_seg == 9, i.e. 2MB/4KB = (1 << 9)

Partially
(cherry-picked from commit 9a59b62fd88196844cee5fff851bee2cfd7afb6e)

f2fs: do more integrity verification for superblock

Do more sanity check for superblock during ->mount.

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Bug: 36817013
Change-Id: I0be52e54fba82083068337ceb9f7ad985a87319f
Signed-off-by: Jin Qian <jinqian@google.com>
7 years agoANDROID: sdcardfs: Call lower fs's revalidate
Daniel Rosenberg [Tue, 25 Apr 2017 02:49:02 +0000 (19:49 -0700)]
ANDROID: sdcardfs: Call lower fs's revalidate

We should be calling the lower filesystem's revalidate
inside of sdcardfs's revalidate, as wrapfs does.

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 35766959
Change-Id: I939d1c4192fafc1e21678aeab43fe3d588b8e2f4

7 years agoANDROID: sdcardfs: Avoid setting GIDs outside of valid ranges
Daniel Rosenberg [Mon, 24 Apr 2017 23:11:03 +0000 (16:11 -0700)]
ANDROID: sdcardfs: Avoid setting GIDs outside of valid ranges

When setting up the ownership of files on the lower filesystem,
ensure that these values are in reasonable ranges for apps. If
they aren't, default to AID_MEDIA_RW

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 37516160
Change-Id: I0bec76a61ac72aff0b993ab1ad04be8382178a00

7 years agoANDROID: sdcardfs: Copy meta-data from lower inode
Daniel Rosenberg [Mon, 24 Apr 2017 23:10:21 +0000 (16:10 -0700)]
ANDROID: sdcardfs: Copy meta-data from lower inode

From wrapfs commit 3ee9b365e38c ("Wrapfs: properly copy meta-data after
AIO operations from lower inode")

Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 35766959
Change-Id: I9a789222e27a17b8d85ce61c45397d1839f9a675