1. 11 Jul, 2016 40 commits
    • Jaroslav Kysela's avatar
    • Hui Wang's avatar
      ALSA: hda - remove one pin from ALC292_STANDARD_PINS · 65f6fab1
      Hui Wang authored
      [ Upstream commit 21e9d017 ]
      
      One more Dell laptop with alc293 codec needs
      ALC293_FIXUP_DELL1_MIC_NO_PRESENCE, but the pin 0x1e does not match
      the corresponding one in the ALC292_STANDARD_PINS. To use this macro
      for this machine, we need to remove pin 0x1e from it.
      
      BugLink: https://bugs.launchpad.net/bugs/1476888
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      65f6fab1
    • Scott Bauer's avatar
      HID: hiddev: validate num_values for HIDIOCGUSAGES, HIDIOCSUSAGES commands · f67b6920
      Scott Bauer authored
      [ Upstream commit 93a2001b ]
      
      This patch validates the num_values parameter from userland during the
      HIDIOCGUSAGES and HIDIOCSUSAGES commands. Previously, if the report id was set
      to HID_REPORT_ID_UNKNOWN, we would fail to validate the num_values parameter
      leading to a heap overflow.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarScott Bauer <sbauer@plzdonthack.me>
      Signed-off-by: default avatarJiri Kosina <jkosina@suse.cz>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f67b6920
    • Jerome Marchand's avatar
      cifs: dynamic allocation of ntlmssp blob · 32dc059d
      Jerome Marchand authored
      [ Upstream commit b8da344b ]
      
      In sess_auth_rawntlmssp_authenticate(), the ntlmssp blob is allocated
      statically and its size is an "empirical" 5*sizeof(struct
      _AUTHENTICATE_MESSAGE) (320B on x86_64). I don't know where this value
      comes from or if it was ever appropriate, but it is currently
      insufficient: the user and domain name in UTF16 could take 1kB by
      themselves. Because of that, build_ntlmssp_auth_blob() might corrupt
      memory (out-of-bounds write). The size of ntlmssp_blob in
      SMB2_sess_setup() is too small too (sizeof(struct _NEGOTIATE_MESSAGE)
      + 500).
      
      This patch allocates the blob dynamically in
      build_ntlmssp_auth_blob().
      Signed-off-by: default avatarJerome Marchand <jmarchan@redhat.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      32dc059d
    • Sinclair Yeh's avatar
      Input: vmmouse - remove port reservation · 60243e67
      Sinclair Yeh authored
      [ Upstream commit 60842ef8 ]
      
      The VMWare EFI BIOS will expose port 0x5658 as an ACPI resource.  This
      causes the port to be reserved by the APCI module as the system comes up,
      making it unavailable to be reserved again by other drivers, thus
      preserving this VMWare port for special use in a VMWare guest.
      
      This port is designed to be shared among multiple VMWare services, such as
      the VMMOUSE.  Because of this, VMMOUSE should not try to reserve this port
      on its own.
      
      The VMWare non-EFI BIOS does not do this to preserve compatibility with
      existing/legacy VMs.  It is known that there is small chance a VM may be
      configured such that these ports get reserved by other non-VMWare devices,
      and if this ever happens, the result is undefined.
      Signed-off-by: default avatarSinclair Yeh <syeh@vmware.com>
      Reviewed-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Cc: <stable@vger.kernel.org> # 4.1-
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      60243e67
    • Dmitrii Tcvetkov's avatar
      drm/nouveau: fix for disabled fbdev emulation · 6a2f1585
      Dmitrii Tcvetkov authored
      [ Upstream commit 52dfcc5c ]
      
      Hello,
      
      after this commit:
      
      commit f045f459
      Author: Ben Skeggs <bskeggs@redhat.com>
      Date:   Thu Jun 2 12:23:31 2016 +1000
          drm/nouveau/fbcon: fix out-of-bounds memory accesses
      
      kernel started to oops when loading nouveau module when using GTX 780 Ti
      video adapter. This patch fixes the problem.
      
      Bug report: https://bugzilla.kernel.org/show_bug.cgi?id=120591Signed-off-by: default avatarDmitrii Tcvetkov <demfloro@demfloro.ru>
      Suggested-by: default avatarIlia Mirkin <imirkin@alum.mit.edu>
      Fixes: f045f459 ("nouveau_fbcon_init()")
      Signed-off-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6a2f1585
    • Dmitry Torokhov's avatar
      Input: elantech - add more IC body types to the list · 97e2a929
      Dmitry Torokhov authored
      [ Upstream commit 226ba707 ]
      
      The touchpad in HP Pavilion 14-ab057ca reports it's version as 12 and
      according to Elan both 11 and 12 are valid IC types and should be
      identified as hw_version 4.
      Reported-by: default avatarPatrick Lessard <Patrick.Lessard@cogeco.com>
      Tested-by: default avatarPatrick Lessard <Patrick.Lessard@cogeco.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      97e2a929
    • Ping Cheng's avatar
      Input: wacom_w8001 - w8001_MAX_LENGTH should be 13 · 37d925d2
      Ping Cheng authored
      [ Upstream commit 12afb344 ]
      
      Somehow the patch that added two-finger touch support forgot to update
      W8001_MAX_LENGTH from 11 to 13.
      Signed-off-by: default avatarPing Cheng <pingc@wacom.com>
      Reviewed-by: default avatarPeter Hutterer <peter.hutterer@who-t.net>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      37d925d2
    • Andrey Grodzovsky's avatar
      xen/pciback: Fix conf_space read/write overlap check. · 90a12c57
      Andrey Grodzovsky authored
      [ Upstream commit 02ef871e ]
      
      Current overlap check is evaluating to false a case where a filter
      field is fully contained (proper subset) of a r/w request.  This
      change applies classical overlap check instead to include all the
      scenarios.
      
      More specifically, for (Hilscher GmbH CIFX 50E-DP(M/S)) device driver
      the logic is such that the entire confspace is read and written in 4
      byte chunks. In this case as an example, CACHE_LINE_SIZE,
      LATENCY_TIMER and PCI_BIST are arriving together in one call to
      xen_pcibk_config_write() with offset == 0xc and size == 4.  With the
      exsisting overlap check the LATENCY_TIMER field (offset == 0xd, length
      == 1) is fully contained in the write request and hence is excluded
      from write, which is incorrect.
      Signed-off-by: default avatarAndrey Grodzovsky <andrey2805@gmail.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: default avatarJan Beulich <JBeulich@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      90a12c57
    • Oliver Hartkopp's avatar
      can: fix oops caused by wrong rtnl dellink usage · 760102cd
      Oliver Hartkopp authored
      [ Upstream commit 25e1ed6e ]
      
      For 'real' hardware CAN devices the netlink interface is used to set CAN
      specific communication parameters. Real CAN hardware can not be created nor
      removed with the ip tool ...
      
      This patch adds a private dellink function for the CAN device driver interface
      that does just nothing.
      
      It's a follow up to commit 993e6f2f ("can: fix oops caused by wrong rtnl
      newlink usage") but for dellink.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      760102cd
    • Oliver Hartkopp's avatar
      can: fix handling of unmodifiable configuration options fix · 488ba7c5
      Oliver Hartkopp authored
      [ Upstream commit bce271f2 ]
      
      With upstream commit bb208f14 (can: fix handling of unmodifiable
      configuration options) a new can_validate() function was introduced.
      
      When invoking 'ip link set can0 type can' without any configuration data
      can_validate() tries to validate the content without taking into account that
      there's totally no content. This patch adds a check for missing content.
      Reported-by: default avatarajneu <ajneu1@gmail.com>
      Signed-off-by: default avatarOliver Hartkopp <socketcan@hartkopp.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      488ba7c5
    • Kirill A. Shutemov's avatar
      UBIFS: Implement ->migratepage() · f3d1ae6f
      Kirill A. Shutemov authored
      [ Upstream commit 4ac1c17b ]
      
      During page migrations UBIFS might get confused
      and the following assert triggers:
      [  213.480000] UBIFS assert failed in ubifs_set_page_dirty at 1451 (pid 436)
      [  213.490000] CPU: 0 PID: 436 Comm: drm-stress-test Not tainted 4.4.4-00176-geaa802524636-dirty #1008
      [  213.490000] Hardware name: Allwinner sun4i/sun5i Families
      [  213.490000] [<c0015e70>] (unwind_backtrace) from [<c0012cdc>] (show_stack+0x10/0x14)
      [  213.490000] [<c0012cdc>] (show_stack) from [<c02ad834>] (dump_stack+0x8c/0xa0)
      [  213.490000] [<c02ad834>] (dump_stack) from [<c0236ee8>] (ubifs_set_page_dirty+0x44/0x50)
      [  213.490000] [<c0236ee8>] (ubifs_set_page_dirty) from [<c00fa0bc>] (try_to_unmap_one+0x10c/0x3a8)
      [  213.490000] [<c00fa0bc>] (try_to_unmap_one) from [<c00fadb4>] (rmap_walk+0xb4/0x290)
      [  213.490000] [<c00fadb4>] (rmap_walk) from [<c00fb1bc>] (try_to_unmap+0x64/0x80)
      [  213.490000] [<c00fb1bc>] (try_to_unmap) from [<c010dc28>] (migrate_pages+0x328/0x7a0)
      [  213.490000] [<c010dc28>] (migrate_pages) from [<c00d0cb0>] (alloc_contig_range+0x168/0x2f4)
      [  213.490000] [<c00d0cb0>] (alloc_contig_range) from [<c010ec00>] (cma_alloc+0x170/0x2c0)
      [  213.490000] [<c010ec00>] (cma_alloc) from [<c001a958>] (__alloc_from_contiguous+0x38/0xd8)
      [  213.490000] [<c001a958>] (__alloc_from_contiguous) from [<c001ad44>] (__dma_alloc+0x23c/0x274)
      [  213.490000] [<c001ad44>] (__dma_alloc) from [<c001ae08>] (arm_dma_alloc+0x54/0x5c)
      [  213.490000] [<c001ae08>] (arm_dma_alloc) from [<c035cecc>] (drm_gem_cma_create+0xb8/0xf0)
      [  213.490000] [<c035cecc>] (drm_gem_cma_create) from [<c035cf20>] (drm_gem_cma_create_with_handle+0x1c/0xe8)
      [  213.490000] [<c035cf20>] (drm_gem_cma_create_with_handle) from [<c035d088>] (drm_gem_cma_dumb_create+0x3c/0x48)
      [  213.490000] [<c035d088>] (drm_gem_cma_dumb_create) from [<c0341ed8>] (drm_ioctl+0x12c/0x444)
      [  213.490000] [<c0341ed8>] (drm_ioctl) from [<c0121adc>] (do_vfs_ioctl+0x3f4/0x614)
      [  213.490000] [<c0121adc>] (do_vfs_ioctl) from [<c0121d30>] (SyS_ioctl+0x34/0x5c)
      [  213.490000] [<c0121d30>] (SyS_ioctl) from [<c000f2c0>] (ret_fast_syscall+0x0/0x34)
      
      UBIFS is using PagePrivate() which can have different meanings across
      filesystems. Therefore the generic page migration code cannot handle this
      case correctly.
      We have to implement our own migration function which basically does a
      plain copy but also duplicates the page private flag.
      UBIFS is not a block device filesystem and cannot use buffer_migrate_page().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      [rw: Massaged changelog, build fixes, etc...]
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Acked-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f3d1ae6f
    • Richard Weinberger's avatar
      mm: Export migrate_page_move_mapping and migrate_page_copy · a13b0f0a
      Richard Weinberger authored
      [ Upstream commit 1118dce7 ]
      
      Export these symbols such that UBIFS can implement
      ->migratepage.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Acked-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a13b0f0a
    • Richard Weinberger's avatar
      ubi: Make recover_peb power cut aware · 59523335
      Richard Weinberger authored
      [ Upstream commit 972228d8 ]
      
      recover_peb() was never power cut aware,
      if a power cut happened right after writing the VID header
      upon next attach UBI would blindly use the new partial written
      PEB and all data from the old PEB is lost.
      
      In order to make recover_peb() power cut aware, write the new
      VID with a proper crc and copy_flag set such that the UBI attach
      process will detect whether the new PEB is completely written
      or not.
      We cannot directly use ubi_eba_atomic_leb_change() since we'd
      have to unlock the LEB which is facing a write error.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarJörg Pfähler <pfaehler@isse.de>
      Reviewed-by: default avatarJörg Pfähler <pfaehler@isse.de>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      59523335
    • Tony Lindgren's avatar
      pinctrl: single: Fix missing flush of posted write for a wakeirq · 0e16f4fb
      Tony Lindgren authored
      [ Upstream commit 0ac3c0a4 ]
      
      With many repeated suspend resume cycles, the pin specific wakeirq
      may not always work on omaps. This is because the write to enable the
      pin interrupt may not have reached the device over the interconnect
      before suspend happens.
      
      Let's fix the issue with a flush of posted write with a readback.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarNishanth Menon <nm@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0e16f4fb
    • Alexander Shiyan's avatar
      pinctrl: imx: Do not treat a PIN without MUX register as an error · 65c68fd8
      Alexander Shiyan authored
      [ Upstream commit ba562d5e ]
      
      Some PINs do not have a MUX register, it is not an error.
      It is necessary to allow the continuation of the PINs configuration,
      otherwise the whole PIN-group will be configured incorrectly.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAlexander Shiyan <shc_work@mail.ru>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      65c68fd8
    • Shaokun Zhang's avatar
      arm64: mm: remove page_mapping check in __sync_icache_dcache · 32bab075
      Shaokun Zhang authored
      [ Upstream commit 20c27a42 ]
      
      __sync_icache_dcache unconditionally skips the cache maintenance for
      anonymous pages, under the assumption that flushing is only required in
      the presence of D-side aliases [see 7249b79f ("arm64: Do not flush
      the D-cache for anonymous pages")].
      
      Unfortunately, this breaks migration of anonymous pages holding
      self-modifying code, where userspace cannot be reasonably expected to
      reissue maintenance instructions in response to a migration.
      
      This patch fixes the problem by removing the broken page_mapping(page)
      check from the cache syncing code, otherwise we may end up fetching and
      executing stale instructions from the PoU.
      
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: <stable@vger.kernel.org>
      Reviewed-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarShaokun Zhang <zhangshaokun@hisilicon.com>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      32bab075
    • Boris Brezillon's avatar
      drm: atmel-hlcdc: actually disable scaling when no scaling is required · 78016458
      Boris Brezillon authored
      [ Upstream commit 1b7e38b9 ]
      
      The driver is only enabling scaling, but never disabling it, thus, if you
      enable the scaling feature once it stays enabled forever.
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Reported-by: default avatarAlex Vazquez <avazquez.dev@gmail.com>
      Reviewed-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Fixes: 1a396789 ("drm: add Atmel HLCDC Display Controller support")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      78016458
    • Steven Rostedt (Red Hat)'s avatar
      tracing: Handle NULL formats in hold_module_trace_bprintk_format() · 335f166e
      Steven Rostedt (Red Hat) authored
      [ Upstream commit 70c8217a ]
      
      If a task uses a non constant string for the format parameter in
      trace_printk(), then the trace_printk_fmt variable is set to NULL. This
      variable is then saved in the __trace_printk_fmt section.
      
      The function hold_module_trace_bprintk_format() checks to see if duplicate
      formats are used by modules, and reuses them if so (saves them to the list
      if it is new). But this function calls lookup_format() that does a strcmp()
      to the value (which is now NULL) and can cause a kernel oops.
      
      This wasn't an issue till 3debb0a9 ("tracing: Fix trace_printk() to print
      when not using bprintk()") which added "__used" to the trace_printk_fmt
      variable, and before that, the kernel simply optimized it out (no NULL value
      was saved).
      
      The fix is simply to handle the NULL pointer in lookup_format() and have the
      caller ignore the value if it was NULL.
      
      Link: http://lkml.kernel.org/r/1464769870-18344-1-git-send-email-zhengjun.xing@intel.comReported-by: default avatarxingzhen <zhengjun.xing@intel.com>
      Acked-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Fixes: 3debb0a9 ("tracing: Fix trace_printk() to print when not using bprintk()")
      Cc: stable@vger.kernel.org # v3.5+
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      335f166e
    • Wolfgang Grandegger's avatar
      can: at91_can: RX queue could get stuck at high bus load · 1105110d
      Wolfgang Grandegger authored
      [ Upstream commit 43200a44 ]
      
      At high bus load it could happen that "at91_poll()" enters with all RX
      message boxes filled up. If then at the end the "quota" is exceeded as
      well, "rx_next" will not be reset to the first RX mailbox and hence the
      interrupts remain disabled.
      Signed-off-by: default avatarWolfgang Grandegger <wg@grandegger.com>
      Tested-by: default avatarAmr Bekhit <amrbekhit@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1105110d
    • Thor Thayer's avatar
      can: c_can: Update D_CAN TX and RX functions to 32 bit - fix Altera Cyclone access · 293745be
      Thor Thayer authored
      [ Upstream commit 427460c8 ]
      
      When testing CAN write floods on Altera's CycloneV, the first 2 bytes
      are sometimes 0x00, 0x00 or corrupted instead of the values sent. Also
      observed bytes 4 & 5 were corrupted in some cases.
      
      The D_CAN Data registers are 32 bits and changing from 16 bit writes to
      32 bit writes fixes the problem.
      
      Testing performed on Altera CycloneV (D_CAN).  Requesting tests on other
      C_CAN & D_CAN platforms.
      Reported-by: default avatarRichard Andrysek <richard.andrysek@gomtec.de>
      Signed-off-by: default avatarThor Thayer <tthayer@opensource.altera.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      293745be
    • Jason Gunthorpe's avatar
      IB/mlx4: Properly initialize GRH TClass and FlowLabel in AHs · 0764832c
      Jason Gunthorpe authored
      [ Upstream commit 8c5122e4 ]
      
      When this code was reworked for IBoE support the order of assignments
      for the sl_tclass_flowlabel got flipped around resulting in
      TClass & FlowLabel being permanently set to 0 in the packet headers.
      
      This breaks IB routers that rely on these headers, but only affects
      kernel users - libmlx4 does this properly for user space.
      
      Cc: stable@vger.kernel.org
      Fixes: fa417f7b ("IB/mlx4: Add support for IBoE")
      Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0764832c
    • Jeff Mahoney's avatar
      btrfs: account for non-CoW'd blocks in btrfs_abort_transaction · efe098c3
      Jeff Mahoney authored
      [ Upstream commit 64c12921 ]
      
      The test for !trans->blocks_used in btrfs_abort_transaction is
      insufficient to determine whether it's safe to drop the transaction
      handle on the floor.  btrfs_cow_block, informed by should_cow_block,
      can return blocks that have already been CoW'd in the current
      transaction.  trans->blocks_used is only incremented for new block
      allocations. If an operation overlaps the blocks in the current
      transaction entirely and must abort the transaction, we'll happily
      let it clean up the trans handle even though it may have modified
      the blocks and will commit an incomplete operation.
      
      In the long-term, I'd like to do closer tracking of when the fs
      is actually modified so we can still recover as gracefully as possible,
      but that approach will need some discussion.  In the short term,
      since this is the only code using trans->blocks_used, let's just
      switch it to a bool indicating whether any blocks were used and set
      it when should_cow_block returns false.
      
      Cc: stable@vger.kernel.org # 3.4+
      Signed-off-by: default avatarJeff Mahoney <jeffm@suse.com>
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      efe098c3
    • Jaroslav Kysela's avatar
      ALSA: hdac_regmap - fix the register access for runtime PM · 0b1ca750
      Jaroslav Kysela authored
      [ Upstream commit 8198868f ]
      
      Call path:
      
        1) snd_hdac_power_up_pm()
        2) snd_hdac_power_up()
        3) pm_runtime_get_sync()
        4) __pm_runtime_resume()
        5) rpm_resume()
      
      The rpm_resume() returns 1 when the device is already active.
      Because the return value is unmodified, the hdac regmap read/write
      functions should allow this value for the retry I/O operation, too.
      Signed-off-by: default avatarJaroslav Kysela <perex@perex.cz>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0b1ca750
    • Takashi Iwai's avatar
      ALSA: hda - Fix possible race on regmap bypass flip · ec3e7322
      Takashi Iwai authored
      [ Upstream commit 3194ed49 ]
      
      HD-audio driver uses regmap cache bypass feature for reading a raw
      value without the cache.  But this is racy since both the cached and
      the uncached reads may occur concurrently.  The former is done via the
      normal control API access while the latter comes from the proc file
      read.
      
      Even though the regmap itself has the protection against the
      concurrent accesses, the flag set/reset is done without the
      protection, so it may lead to inconsistent state of bypass flag that
      doesn't match with the current read and occasionally result in a
      kernel WARNING like:
        WARNING: CPU: 3 PID: 2731 at drivers/base/regmap/regcache.c:499 regcache_cache_only+0x78/0x93
      
      One way to work around such a problem is to wrap with a mutex.  But in
      this case, the solution is simpler: for the uncached read, we just
      skip the regmap and directly calls its accessor.  The verb execution
      there is protected by itself, so basically it's safe to call
      individually.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=116171Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      ec3e7322
    • Dan Carpenter's avatar
      KEYS: potential uninitialized variable · c262505c
      Dan Carpenter authored
      [ Upstream commit 38327424 ]
      
      If __key_link_begin() failed then "edit" would be uninitialized.  I've
      added a check to fix that.
      
      This allows a random user to crash the kernel, though it's quite
      difficult to achieve.  There are three ways it can be done as the user
      would have to cause an error to occur in __key_link():
      
       (1) Cause the kernel to run out of memory.  In practice, this is difficult
           to achieve without ENOMEM cropping up elsewhere and aborting the
           attempt.
      
       (2) Revoke the destination keyring between the keyring ID being looked up
           and it being tested for revocation.  In practice, this is difficult to
           time correctly because the KEYCTL_REJECT function can only be used
           from the request-key upcall process.  Further, users can only make use
           of what's in /sbin/request-key.conf, though this does including a
           rejection debugging test - which means that the destination keyring
           has to be the caller's session keyring in practice.
      
       (3) Have just enough key quota available to create a key, a new session
           keyring for the upcall and a link in the session keyring, but not then
           sufficient quota to create a link in the nominated destination keyring
           so that it fails with EDQUOT.
      
      The bug can be triggered using option (3) above using something like the
      following:
      
      	echo 80 >/proc/sys/kernel/keys/root_maxbytes
      	keyctl request2 user debug:fred negate @t
      
      The above sets the quota to something much lower (80) to make the bug
      easier to trigger, but this is dependent on the system.  Note also that
      the name of the keyring created contains a random number that may be
      between 1 and 10 characters in size, so may throw the test off by
      changing the amount of quota used.
      
      Assuming the failure occurs, something like the following will be seen:
      
      	kfree_debugcheck: out of range ptr 6b6b6b6b6b6b6b68h
      	------------[ cut here ]------------
      	kernel BUG at ../mm/slab.c:2821!
      	...
      	RIP: 0010:[<ffffffff811600f9>] kfree_debugcheck+0x20/0x25
      	RSP: 0018:ffff8804014a7de8  EFLAGS: 00010092
      	RAX: 0000000000000034 RBX: 6b6b6b6b6b6b6b68 RCX: 0000000000000000
      	RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
      	RBP: ffff8804014a7df0 R08: 0000000000000001 R09: 0000000000000000
      	R10: ffff8804014a7e68 R11: 0000000000000054 R12: 0000000000000202
      	R13: ffffffff81318a66 R14: 0000000000000000 R15: 0000000000000001
      	...
      	Call Trace:
      	  kfree+0xde/0x1bc
      	  assoc_array_cancel_edit+0x1f/0x36
      	  __key_link_end+0x55/0x63
      	  key_reject_and_link+0x124/0x155
      	  keyctl_reject_key+0xb6/0xe0
      	  keyctl_negate_key+0x10/0x12
      	  SyS_keyctl+0x9f/0xe7
      	  do_syscall_64+0x63/0x13a
      	  entry_SYSCALL64_slow_path+0x25/0x25
      
      Fixes: f70e2e06 ('KEYS: Do preallocation for __key_link()')
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c262505c
    • Tejun Heo's avatar
      cgroup: set css->id to -1 during init · 0356b95f
      Tejun Heo authored
      [ Upstream commit 8fa3b8d6 ]
      
      If percpu_ref initialization fails during css_create(), the free path
      can end up trying to free css->id of zero.  As ID 0 is unused, it
      doesn't cause a critical breakage but it does trigger a warning
      message.  Fix it by setting css->id to -1 from init_and_link_css().
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: Wenwei Tao <ww.tao0320@gmail.com>
      Fixes: 01e58659 ("cgroup: release css->id after css_free")
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0356b95f
    • Ocquidant, Sebastien's avatar
      memory: omap-gpmc: Fix omap gpmc EXTRADELAY timing · 4c9b1064
      Ocquidant, Sebastien authored
      [ Upstream commit 8f50b8e5 ]
      
      In the omap gpmc driver it can be noticed that GPMC_CONFIG4_OEEXTRADELAY
      is overwritten by the WEEXTRADELAY value from the device tree and
      GPMC_CONFIG4_WEEXTRADELAY is not updated by the value from the device
      tree.
      
      As a consequence, the memory accesses cannot be configured properly when
      the extra delay are needed for OE and WE.
      
      Fix the update of GPMC_CONFIG4_WEEXTRADELAY with the value from the
      device tree file and prevents GPMC_CONFIG4_OEXTRADELAY
      being overwritten by the WEXTRADELAY value from the device tree.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarOcquidant, Sebastien <sebastienocquidant@eaton.com>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4c9b1064
    • Xiubo Li's avatar
      kvm: Fix irq route entries exceeding KVM_MAX_IRQ_ROUTES · 31651598
      Xiubo Li authored
      [ Upstream commit caf1ff26 ]
      
      These days, we experienced one guest crash with 8 cores and 3 disks,
      with qemu error logs as bellow:
      
      qemu-system-x86_64: /build/qemu-2.0.0/kvm-all.c:984:
      kvm_irqchip_commit_routes: Assertion `ret == 0' failed.
      
      And then we found one patch(bdf026317d) in qemu tree, which said
      could fix this bug.
      
      Execute the following script will reproduce the BUG quickly:
      
      irq_affinity.sh
      ========================================================================
      
      vda_irq_num=25
      vdb_irq_num=27
      while [ 1 ]
      do
          for irq in {1,2,4,8,10,20,40,80}
              do
                  echo $irq > /proc/irq/$vda_irq_num/smp_affinity
                  echo $irq > /proc/irq/$vdb_irq_num/smp_affinity
                  dd if=/dev/vda of=/dev/zero bs=4K count=100 iflag=direct
                  dd if=/dev/vdb of=/dev/zero bs=4K count=100 iflag=direct
              done
      done
      ========================================================================
      
      The following qemu log is added in the qemu code and is displayed when
      this bug reproduced:
      
      kvm_irqchip_commit_routes: max gsi: 1008, nr_allocated_irq_routes: 1024,
      irq_routes->nr: 1024, gsi_count: 1024.
      
      That's to say when irq_routes->nr == 1024, there are 1024 routing entries,
      but in the kernel code when routes->nr >= 1024, will just return -EINVAL;
      
      The nr is the number of the routing entries which is in of
      [1 ~ KVM_MAX_IRQ_ROUTES], not the index in [0 ~ KVM_MAX_IRQ_ROUTES - 1].
      
      This patch fix the BUG above.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarXiubo Li <lixiubo@cmss.chinamobile.com>
      Signed-off-by: default avatarWei Tang <tangwei@cmss.chinamobile.com>
      Signed-off-by: default avatarZhang Zhuoyu <zhangzhuoyu@cmss.chinamobile.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      31651598
    • Jiri Slaby's avatar
      base: make module_create_drivers_dir race-free · aec2ddb9
      Jiri Slaby authored
      [ Upstream commit 7e1b1fc4 ]
      
      Modules which register drivers via standard path (driver_register) in
      parallel can cause a warning:
      WARNING: CPU: 2 PID: 3492 at ../fs/sysfs/dir.c:31 sysfs_warn_dup+0x62/0x80
      sysfs: cannot create duplicate filename '/module/saa7146/drivers'
      Modules linked in: hexium_gemini(+) mxb(+) ...
      ...
      Call Trace:
      ...
       [<ffffffff812e63a2>] sysfs_warn_dup+0x62/0x80
       [<ffffffff812e6487>] sysfs_create_dir_ns+0x77/0x90
       [<ffffffff8140f2c4>] kobject_add_internal+0xb4/0x340
       [<ffffffff8140f5b8>] kobject_add+0x68/0xb0
       [<ffffffff8140f631>] kobject_create_and_add+0x31/0x70
       [<ffffffff8157a703>] module_add_driver+0xc3/0xd0
       [<ffffffff8155e5d4>] bus_add_driver+0x154/0x280
       [<ffffffff815604c0>] driver_register+0x60/0xe0
       [<ffffffff8145bed0>] __pci_register_driver+0x60/0x70
       [<ffffffffa0273e14>] saa7146_register_extension+0x64/0x90 [saa7146]
       [<ffffffffa0033011>] hexium_init_module+0x11/0x1000 [hexium_gemini]
      ...
      
      As can be (mostly) seen, driver_register causes this call sequence:
        -> bus_add_driver
          -> module_add_driver
            -> module_create_drivers_dir
      The last one creates "drivers" directory in /sys/module/<...>. When
      this is done in parallel, the directory is attempted to be created
      twice at the same time.
      
      This can be easily reproduced by loading mxb and hexium_gemini in
      parallel:
      while :; do
        modprobe mxb &
        modprobe hexium_gemini
        wait
        rmmod mxb hexium_gemini saa7146_vv saa7146
      done
      
      saa7146 calls pci_register_driver for both mxb and hexium_gemini,
      which means /sys/module/saa7146/drivers is to be created for both of
      them.
      
      Fix this by a new mutex in module_create_drivers_dir which makes the
      test-and-create "drivers" dir atomic.
      
      I inverted the condition and removed 'return' to avoid multiple
      unlocks or a goto.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Fixes: fe480a26 (Modules: only add drivers/ direcory if needed)
      Cc: v2.6.21+ <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      aec2ddb9
    • J. Bruce Fields's avatar
      nfsd4/rpc: move backchannel create logic into rpc code · c2edadb9
      J. Bruce Fields authored
      [ Upstream commit d50039ea ]
      
      Also simplify the logic a bit.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Acked-by: default avatarTrond Myklebust <trondmy@primarydata.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c2edadb9
    • Andrey Grodzovsky's avatar
      drm/dp/mst: Always clear proposed vcpi table for port. · 040ad2a3
      Andrey Grodzovsky authored
      [ Upstream commit fd2d2bac ]
      
      Not clearing mst manager's proposed vcpis table for destroyed connectors when the manager is stopped leaves it pointing to unrefernced memory, this causes pagefault when the manager is restarted when plugging back a branch.
      
      Fixes: 91a25e46 ("drm/dp/mst: deallocate payload on port destruction")
      Signed-off-by: default avatarAndrey Grodzovsky <Andrey.Grodzovsky@amd.com>
      Reviewed-by: default avatarLyude <cpaul@redhat.com>
      Cc: stable@vger.kernel.org
      Cc: Mykola Lysenko <Mykola.Lysenko@amd.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      040ad2a3
    • Lyude's avatar
      drm/i915/ilk: Don't disable SSC source if it's in use · 5a6c735c
      Lyude authored
      [ Upstream commit 476490a9 ]
      
      Thanks to Ville Syrjälä for pointing me towards the cause of this issue.
      
      Unfortunately one of the sideaffects of having the refclk for a DPLL set
      to SSC is that as long as it's set to SSC, the GPU will prevent us from
      powering down any of the pipes or transcoders using it. A couple of
      BIOSes enable SSC in both PCH_DREF_CONTROL and in the DPLL
      configurations. This causes issues on the first modeset, since we don't
      expect SSC to be left on and as a result, can't successfully power down
      the pipes or the transcoders using it. Here's an example from this Dell
      OptiPlex 990:
      
      [drm:intel_modeset_init] SSC enabled by BIOS, overriding VBT which says disabled
      [drm:intel_modeset_init] 2 display pipes available.
      [drm:intel_update_cdclk] Current CD clock rate: 400000 kHz
      [drm:intel_update_max_cdclk] Max CD clock rate: 400000 kHz
      [drm:intel_update_max_cdclk] Max dotclock rate: 360000 kHz
      vgaarb: device changed decodes: PCI:0000:00:02.0,olddecodes=io+mem,decodes=io+mem:owns=io+mem
      [drm:intel_crt_reset] crt adpa set to 0xf40000
      [drm:intel_dp_init_connector] Adding DP connector on port C
      [drm:intel_dp_aux_init] registering DPDDC-C bus for card0-DP-1
      [drm:ironlake_init_pch_refclk] has_panel 0 has_lvds 0 has_ck505 0
      [drm:ironlake_init_pch_refclk] Disabling SSC entirely
      … later we try committing the first modeset …
      [drm:intel_dump_pipe_config] [CRTC:26][modeset] config ffff88041b02e800 for pipe A
      [drm:intel_dump_pipe_config] cpu_transcoder: A
      …
      [drm:intel_dump_pipe_config] dpll_hw_state: dpll: 0xc4016001, dpll_md: 0x0, fp0: 0x20e08, fp1: 0x30d07
      [drm:intel_dump_pipe_config] planes on this crtc
      [drm:intel_dump_pipe_config] STANDARD PLANE:23 plane: 0.0 idx: 0 enabled
      [drm:intel_dump_pipe_config]     FB:42, fb = 800x600 format = 0x34325258
      [drm:intel_dump_pipe_config]     scaler:0 src (0, 0) 800x600 dst (0, 0) 800x600
      [drm:intel_dump_pipe_config] CURSOR PLANE:25 plane: 0.1 idx: 1 disabled, scaler_id = 0
      [drm:intel_dump_pipe_config] STANDARD PLANE:27 plane: 0.1 idx: 2 disabled, scaler_id = 0
      [drm:intel_get_shared_dpll] CRTC:26 allocated PCH DPLL A
      [drm:intel_get_shared_dpll] using PCH DPLL A for pipe A
      [drm:ilk_audio_codec_disable] Disable audio codec on port C, pipe A
      [drm:intel_disable_pipe] disabling pipe A
      ------------[ cut here ]------------
      WARNING: CPU: 1 PID: 130 at drivers/gpu/drm/i915/intel_display.c:1146 intel_disable_pipe+0x297/0x2d0 [i915]
      pipe_off wait timed out
      …
      ---[ end trace 94fc8aa03ae139e8 ]---
      [drm:intel_dp_link_down]
      [drm:ironlake_crtc_disable [i915]] *ERROR* failed to disable transcoder A
      
      Later modesets succeed since they reset the DPLL's configuration anyway,
      but this is enough to get stuck with a big fat warning in dmesg.
      
      A better solution would be to add refcounts for the SSC source, but for
      now leaving the source clock on should suffice.
      
      Changes since v4:
       - Fix calculation of final for systems with LVDS panels (fixes BUG() on
         CI test suite)
      Changes since v3:
       - Move temp variable into loop
       - Move checks for using_ssc_source to after we've figured out has_ck505
       - Add using_ssc_source to debug output
      Changes since v2:
       - Fix debug output for when we disable the CPU source
      Changes since v1:
       - Leave the SSC source clock on instead of just shutting it off on all
         of the DPLL configurations.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Signed-off-by: default avatarLyude <cpaul@redhat.com>
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: http://patchwork.freedesktop.org/patch/msgid/1465916649-10228-1-git-send-email-cpaul@redhat.comSigned-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5a6c735c
    • Rhyland Klein's avatar
      power_supply: power_supply_read_temp only if use_cnt > 0 · 260c505e
      Rhyland Klein authored
      [ Upstream commit 5bc28b93 ]
      
      Change power_supply_read_temp() to use power_supply_get_property()
      so that it will check the use_cnt and ensure it is > 0. The use_cnt
      will be incremented at the end of __power_supply_register, so this
      will block to case where get_property can be called before the supply
      is fully registered. This fixes the issue show in the stack below:
      
      [    1.452598] power_supply_read_temp+0x78/0x80
      [    1.458680] thermal_zone_get_temp+0x5c/0x11c
      [    1.464765] thermal_zone_device_update+0x34/0xb4
      [    1.471195] thermal_zone_device_register+0x87c/0x8cc
      [    1.477974] __power_supply_register+0x364/0x424
      [    1.484317] power_supply_register_no_ws+0x10/0x18
      [    1.490833] bq27xxx_battery_setup+0x10c/0x164
      [    1.497003] bq27xxx_battery_i2c_probe+0xd0/0x1b0
      [    1.503435] i2c_device_probe+0x174/0x240
      [    1.509172] driver_probe_device+0x1fc/0x29c
      [    1.515167] __driver_attach+0xa4/0xa8
      [    1.520643] bus_for_each_dev+0x58/0x98
      [    1.526204] driver_attach+0x20/0x28
      [    1.531505] bus_add_driver+0x1c8/0x22c
      [    1.537067] driver_register+0x68/0x108
      [    1.542630] i2c_register_driver+0x38/0x7c
      [    1.548457] bq27xxx_battery_i2c_driver_init+0x18/0x20
      [    1.555321] do_one_initcall+0x38/0x12c
      [    1.560886] kernel_init_freeable+0x148/0x1ec
      [    1.566972] kernel_init+0x10/0xfc
      [    1.572101] ret_from_fork+0x10/0x40
      
      Also make the same change to ps_get_max_charge_cntl_limit() and
      ps_get_cur_chrage_cntl_limit() to be safe. Lastly, change the return
      value of power_supply_get_property() to -EAGAIN from -ENODEV if
      use_cnt <= 0.
      
      Fixes: 297d716f ("power_supply: Change ownership from driver to core")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarRhyland Klein <rklein@nvidia.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarSebastian Reichel <sre@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      260c505e
    • Andrey Ryabinin's avatar
      kernel/sysrq, watchdog, sched/core: Reset watchdog on all CPUs while processing sysrq-w · 9f67dcf6
      Andrey Ryabinin authored
      [ Upstream commit 57675cb9 ]
      
      Lengthy output of sysrq-w may take a lot of time on slow serial console.
      
      Currently we reset NMI-watchdog on the current CPU to avoid spurious
      lockup messages. Sometimes this doesn't work since softlockup watchdog
      might trigger on another CPU which is waiting for an IPI to proceed.
      We reset softlockup watchdogs on all CPUs, but we do this only after
      listing all tasks, and this may be too late on a busy system.
      
      So, reset watchdogs CPUs earlier, in for_each_process_thread() loop.
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/1465474805-14641-1-git-send-email-aryabinin@virtuozzo.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      9f67dcf6
    • Masami Hiramatsu's avatar
      kprobes/x86: Clear TF bit in fault on single-stepping · c5ffc99b
      Masami Hiramatsu authored
      [ Upstream commit dcfc4724 ]
      
      Fix kprobe_fault_handler() to clear the TF (trap flag) bit of
      the flags register in the case of a fault fixup on single-stepping.
      
      If we put a kprobe on the instruction which caused a
      page fault (e.g. actual mov instructions in copy_user_*),
      that fault happens on the single-stepping buffer. In this
      case, kprobes resets running instance so that the CPU can
      retry execution on the original ip address.
      
      However, current code forgets to reset the TF bit. Since this
      fault happens with TF bit set for enabling single-stepping,
      when it retries, it causes a debug exception and kprobes
      can not handle it because it already reset itself.
      
      On the most of x86-64 platform, it can be easily reproduced
      by using kprobe tracer. E.g.
      
        # cd /sys/kernel/debug/tracing
        # echo p copy_user_enhanced_fast_string+5 > kprobe_events
        # echo 1 > events/kprobes/enable
      
      And you'll see a kernel panic on do_debug(), since the debug
      trap is not handled by kprobes.
      
      To fix this problem, we just need to clear the TF bit when
      resetting running kprobe.
      Signed-off-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Reviewed-by: default avatarAnanth N Mavinakayanahalli <ananth@linux.vnet.ibm.com>
      Acked-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Brian Gerst <brgerst@gmail.com>
      Cc: Denys Vlasenko <dvlasenk@redhat.com>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: systemtap@sourceware.org
      Cc: stable@vger.kernel.org # All the way back to ancient kernels
      Link: http://lkml.kernel.org/r/20160611140648.25885.37482.stgit@devbox
      [ Updated the comments. ]
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c5ffc99b
    • Michal Suchanek's avatar
      spi: sunxi: fix transfer timeout · 01c93ba6
      Michal Suchanek authored
      [ Upstream commit 719bd654 ]
      
      The trasfer timeout is fixed at 1000 ms. Reading a 4Mbyte flash over
      1MHz SPI bus takes way longer than that. Calculate the timeout from the
      actual time the transfer is supposed to take and multiply by 2 for good
      measure.
      Signed-off-by: default avatarMichal Suchanek <hramrach@gmail.com>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      01c93ba6
    • Michal Suchanek's avatar
      spi: sun4i: fix FIFO limit · fcc5d265
      Michal Suchanek authored
      [ Upstream commit 6d9fe44b ]
      
      When testing SPI without DMA I noticed that filling the FIFO on the
      spi controller causes timeout.
      
      Always leave room for one byte in the FIFO.
      Signed-off-by: default avatarMichal Suchanek <hramrach@gmail.com>
      Acked-by: default avatarMaxime Ripard <maxime.ripard@free-electrons.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fcc5d265
    • James Hogan's avatar
      MIPS: KVM: Fix modular KVM under QEMU · d1c7fc1c
      James Hogan authored
      [ Upstream commit 797179bc ]
      
      Copy __kvm_mips_vcpu_run() into unmapped memory, so that we can never
      get a TLB refill exception in it when KVM is built as a module.
      
      This was observed to happen with the host MIPS kernel running under
      QEMU, due to a not entirely transparent optimisation in the QEMU TLB
      handling where TLB entries replaced with TLBWR are copied to a separate
      part of the TLB array. Code in those pages continue to be executable,
      but those mappings persist only until the next ASID switch, even if they
      are marked global.
      
      An ASID switch happens in __kvm_mips_vcpu_run() at exception level after
      switching to the guest exception base. Subsequent TLB mapped kernel
      instructions just prior to switching to the guest trigger a TLB refill
      exception, which enters the guest exception handlers without updating
      EPC. This appears as a guest triggered TLB refill on a host kernel
      mapped (host KSeg2) address, which is not handled correctly as user
      (guest) mode accesses to kernel (host) segments always generate address
      error exceptions.
      Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: kvm@vger.kernel.org
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.10.x-
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      d1c7fc1c
    • Oscar's avatar
      usb: common: otg-fsm: add license to usb-otg-fsm · 505291af
      Oscar authored
      [ Upstream commit ea1d39a3 ]
      
      Fix warning about tainted kernel because usb-otg-fsm has no license.
      WARNING: with this patch usb-otg-fsm module can be loaded
      but then the kernel will hang. Tested with a udoo quad board.
      
      Cc: <stable@vger.kernel.org> #v4.1+
      Signed-off-by: default avatarOscar <oscar@naiandei.net>
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      505291af