1. 26 Nov, 2016 4 commits
    • Linus Torvalds's avatar
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 30e2b7cf
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
      
       - Fix a crash that occurs at driver initialization if the memory region
         is already busy (request_mem_region() fails).
      
       - Fix a vma validation check that mistakenly allows a private device-
         dax mapping to be established. Device-dax explicitly forbids private
         mappings so it can guarantee a given fault granularity and backing
         memory type.
      
       Both of these fixes have soaked in -next and are tagged for -stable.
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        device-dax: fail all private mapping attempts
        device-dax: check devm_nsio_enable() return value
      30e2b7cf
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · fc13ca19
      Linus Torvalds authored
      Pull KVM fixes from Radim Krčmář:
       "Four fixes for bugs found by syzkaller on x86, all for stable"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: x86: check for pic and ioapic presence before use
        KVM: x86: fix out-of-bounds accesses of rtc_eoi map
        KVM: x86: drop error recovery in em_jmp_far and em_ret_far
        KVM: x86: fix out-of-bounds access in lapic
      fc13ca19
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 39c15737
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "Fixes marked for stable:
         - Set missing wakeup bit in LPCR on POWER9
         - Fix the early OPAL console wrappers
         - Fixup kernel read only mapping
      
        Fixes for code merged this cycle:
         - Fix missing CRCs, add more asm-prototypes.h declarations"
      
      * tag 'powerpc-4.9-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/mm: Fixup kernel read only mapping
        powerpc/boot: Fix the early OPAL console wrappers
        powerpc: Fix missing CRCs, add more asm-prototypes.h declarations
        powerpc: Set missing wakeup bit in LPCR on POWER9
      39c15737
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 3ad0e83c
      Linus Torvalds authored
      Pull parisc fixes from Helge Deller:
       "On parisc we were still seeing occasional random segmentation faults
        and memory corruption on SMP machines. Dave Anglin then looked again
        at the TLB related code and found two issues in the PCI DMA and
        generic TLB flush functions.
      
        Then, in our startup code we had some timing of the cache and TLB
        functions to calculate a threshold when to use a complete TLB/cache
        flush or just to flush a specific range. This code produced a race
        with newly started CPUs and thus lead to occasional kernel crashes
        (due to stale TLB/cache entries). The patch by Dave fixes this issue
        by flushing the local caches before starting secondary CPUs and by
        removing the race.
      
        The last problem fixed by this series is that we quite often suffered
        from hung tasks and self-detected stalls on the CPUs. It was somehow
        clear that this was related to the (in v4.7) newly introduced cr16
        clocksource and the own implementation of sched_clock(). I replaced
        the open-coded sched_clock() function and switched to the generic
        sched_clock() implementation which seems to have fixed this isse as
        well.
      
        All patches have been sucessfully tested on a variety of machines,
        including our debian buildd servers.
      
        All patches (beside the small pr_cont fix) are tagged for stable
        releases"
      
      * 'parisc-4.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Also flush data TLB in flush_icache_page_asm
        parisc: Fix race in pci-dma.c
        parisc: Switch to generic sched_clock implementation
        parisc: Fix races in parisc_setup_cache_timing()
        parisc: Fix printk continuations in system detection
      3ad0e83c
  2. 25 Nov, 2016 19 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security · 86b01b54
      Linus Torvalds authored
      Pull keys fixes from James Morris:
       "From David:
      
         - Fix mpi_powm()'s handling of a number with a zero exponent
           [CVE-2016-8650].
      
           Integrate my and Andrey's patches for mpi_powm() and use
           mpi_resize() instead of RESIZE_IF_NEEDED() - the latter adds a
           duplicate check into the execution path of a trivial case we
           don't normally expect to be taken.
      
         - Fix double free in X.509 error handling"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
        mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
        X.509: Fix double free in x509_cert_parse() [ver #3]
      86b01b54
    • Linus Torvalds's avatar
      Fix subtle CONFIG_MODVERSIONS problems · cd3caefb
      Linus Torvalds authored
      CONFIG_MODVERSIONS has been broken for pretty much the whole 4.9 series,
      and quite frankly, nobody has cared very deeply.  We absolutely know how
      to fix it, and it's not _complicated_, but it's not exactly pretty
      either.
      
      This oneliner fixes it without the ugliness, and allows for further
      future cleanups.
      
        "We've secretly replaced their regular MODVERSIONS with nothing at
         all, let's see if they notice"
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cd3caefb
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · beb53e4b
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "Two ACPI fixes for 4.9-rc7.
      
        One of them reverts a recent ACPI commit that attempted to improve
        reboot/power-off on some systems, but introduced problems elsewhere,
        and the other one fixes kernel builds with the new WDAT watchdog
        driver enabled in some configurations.
      
        Specifics:
      
         - Revert the recent commit that caused the ACPI _PTS method to be
           executed in the power-off/reboot code path (as per the
           specification) in an attempt to improve things on some systems
           (apparently expecting _PTS to be executed in that code path), but
           broke power-off/reboot on at least one other machine (Rafael
           Wysocki).
      
         - Fix kernel builds with the new WDAT watchdog driver enabled in some
           configurations by explicitly selecting WATCHDOG_CORE when enabling
           the WDAT watchdog driver (Mika Westerberg)"
      
      * tag 'acpi-4.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        watchdog: wdat_wdt: Select WATCHDOG_CORE
        Revert "ACPI: Execute _PTS before system reboot"
      beb53e4b
    • Rafael J. Wysocki's avatar
      MAINTAINERS: Add bug tracking system location entry type · 68656443
      Rafael J. Wysocki authored
      Following the kernel Bugzilla discussion during the Kernel Summit
      (https://lwn.net/Articles/705245/), add bug tracking system location
      entry type (B) to MAINTAINERS and populate it for several subsystems
      known to be using the kernel BZ actively (and add the upstream BZ for
      ACPICA too).
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      68656443
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-sleep-fixes' and 'acpi-wdat-fixes' · 7e5c07af
      Rafael J. Wysocki authored
      * acpi-sleep-fixes:
        Revert "ACPI: Execute _PTS before system reboot"
      
      * acpi-wdat-fixes:
        watchdog: wdat_wdt: Select WATCHDOG_CORE
      7e5c07af
    • Linus Torvalds's avatar
      Merge tag 'mfd-fixes-4.9.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · f2051f8f
      Linus Torvalds authored
      Pull MFD fixes from Lee Jones:
       "Received a copule of last minute fixes for v4.9.
      
        The patches from Viresh are fixing issues displayed in KernelCI"
      
      * tag 'mfd-fixes-4.9.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        mfd: wm8994-core: Don't use managed regulator bulk get API
        mfd: wm8994-core: Disable regulators before removing them
        mfd: syscon: Support native-endian regmaps
      f2051f8f
    • Linus Torvalds's avatar
      Merge tag 'media/v4.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · ea9ea6c6
      Linus Torvalds authored
      Pull media fix from Mauro Carvalho Chehab:
       "Fix for the firmware load logic of the tuner-xc2028 driver"
      
      * tag 'media/v4.9-4' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        xc2028: Fix use-after-free bug properly
      ea9ea6c6
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.9-rc7' of git://people.freedesktop.org/~airlied/linux · 6006d6e7
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Seems to be quietening down nicely, a few mediatek, one exynos and one
        hdlcd fix, along with two amd fixes"
      
      * tag 'drm-fixes-for-v4.9-rc7' of git://people.freedesktop.org/~airlied/linux:
        gpu/drm/exynos/exynos_hdmi - Unmap region obtained by of_iomap
        drm/mediatek: fix null pointer dereference
        drm/mediatek: fixed the calc method of data rate per lane
        drm/mediatek: fix a typo of DISP_OD_CFG to OD_RELAYMODE
        drm/radeon: fix power state when port pm is unavailable (v2)
        drm/amdgpu: fix power state when port pm is unavailable
        drm/arm: hdlcd: fix plane base address update
        drm/amd/powerplay: avoid out of bounds access on array ps.
      6006d6e7
    • John David Anglin's avatar
      parisc: Also flush data TLB in flush_icache_page_asm · 5035b230
      John David Anglin authored
      This is the second issue I noticed in reviewing the parisc TLB code.
      
      The fic instruction may use either the instruction or data TLB in
      flushing the instruction cache.  Thus, on machines with a split TLB, we
      should also flush the data TLB after setting up the temporary alias
      registers.
      
      Although this has no functional impact, I changed the pdtlb and pitlb
      instructions to consistently use the index register %r0.  These
      instructions do not support integer displacements.
      
      Tested on rp3440 and c8000.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      5035b230
    • John David Anglin's avatar
      parisc: Fix race in pci-dma.c · c0452fb9
      John David Anglin authored
      We are still troubled by occasional random segmentation faults and
      memory memory corruption on SMP machines.  The causes quite a few
      package builds to fail on the Debian buildd machines for parisc.  When
      gcc-6 failed to build three times in a row, I looked again at the TLB
      related code.  I found a couple of issues.  This is the first.
      
      In general, we need to ensure page table updates and corresponding TLB
      purges are atomic.  The attached patch fixes an instance in pci-dma.c
      where the page table update was not guarded by the TLB lock.
      
      Tested on rp3440 and c8000.  So far, no further random segmentation
      faults have been observed.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      c0452fb9
    • Helge Deller's avatar
      parisc: Switch to generic sched_clock implementation · 43b1f6ab
      Helge Deller authored
      Drop the open-coded sched_clock() function and replace it by the provided
      GENERIC_SCHED_CLOCK implementation.  We have seen quite some hung tasks in the
      past, which seem to be fixed by this patch.
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      Cc: <stable@vger.kernel.org> # v4.7+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      43b1f6ab
    • John David Anglin's avatar
      parisc: Fix races in parisc_setup_cache_timing() · 741dc7bf
      John David Anglin authored
      Helge reported to me the following startup crash:
      
      [    0.000000] Linux version 4.8.0-1-parisc64-smp (debian-kernel@lists.debian.org) (gcc version 5.4.1 20161019 (GCC) ) #1 SMP Debian 4.8.7-1 (2016-11-13)
      [    0.000000] The 64-bit Kernel has started...
      [    0.000000] Kernel default page size is 4 KB. Huge pages enabled with 1 MB physical and 2 MB virtual size.
      [    0.000000] Determining PDC firmware type: System Map.
      [    0.000000] model 9000/785/J5000
      [    0.000000] Total Memory: 2048 MB
      [    0.000000] Memory: 2018528K/2097152K available (9272K kernel code, 3053K rwdata, 1319K rodata, 1024K init, 840K bss, 78624K reserved, 0K cma-reserved)
      [    0.000000] virtual kernel memory layout:
      [    0.000000]     vmalloc : 0x0000000000008000 - 0x000000003f000000   (1007 MB)
      [    0.000000]     memory  : 0x0000000040000000 - 0x00000000c0000000   (2048 MB)
      [    0.000000]       .init : 0x0000000040100000 - 0x0000000040200000   (1024 kB)
      [    0.000000]       .data : 0x0000000040b0e000 - 0x0000000040f533e0   (4372 kB)
      [    0.000000]       .text : 0x0000000040200000 - 0x0000000040b0e000   (9272 kB)
      [    0.768910] Brought up 1 CPUs
      [    0.992465] NET: Registered protocol family 16
      [    2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
      [    2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
      [    2.726692] Setting cache flush threshold to 1024 kB
      [    2.729932] Not-handled unaligned insn 0x43ffff80
      [    2.798114] Setting TLB flush threshold to 140 kB
      [    2.928039] Unaligned handler failed, ret = -1
      [    3.000419]       _______________________________
      [    3.000419]      < Your System ate a SPARC! Gah! >
      [    3.000419]       -------------------------------
      [    3.000419]              \   ^__^
      [    3.000419]                  (__)\       )\/\
      [    3.000419]                   U  ||----w |
      [    3.000419]                      ||     ||
      [    9.340055] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
      [    9.448082] task: 00000000bfd48060 task.stack: 00000000bfd50000
      [    9.528040]
      [   10.760029] IASQ: 0000000000000000 0000000000000000 IAOQ: 000000004025d154 000000004025d158
      [   10.868052]  IIR: 43ffff80    ISR: 0000000000340000  IOR: 000001ff54150960
      [   10.960029]  CPU:        1   CR30: 00000000bfd50000 CR31: 0000000011111111
      [   11.052057]  ORIG_R28: 000000004021e3b4
      [   11.100045]  IAOQ[0]: irq_exit+0x94/0x120
      [   11.152062]  IAOQ[1]: irq_exit+0x98/0x120
      [   11.208031]  RP(r2): irq_exit+0xb8/0x120
      [   11.256074] Backtrace:
      [   11.288067]  [<00000000402cd944>] cpu_startup_entry+0x1e4/0x598
      [   11.368058]  [<0000000040109528>] smp_callin+0x2c0/0x2f0
      [   11.436308]  [<00000000402b53fc>] update_curr+0x18c/0x2d0
      [   11.508055]  [<00000000402b73b8>] dequeue_entity+0x2c0/0x1030
      [   11.584040]  [<00000000402b3cc0>] set_next_entity+0x80/0xd30
      [   11.660069]  [<00000000402c1594>] pick_next_task_fair+0x614/0x720
      [   11.740085]  [<000000004020dd34>] __schedule+0x394/0xa60
      [   11.808054]  [<000000004020e488>] schedule+0x88/0x118
      [   11.876039]  [<0000000040283d3c>] rescuer_thread+0x4d4/0x5b0
      [   11.948090]  [<000000004028fc4c>] kthread+0x1ec/0x248
      [   12.016053]  [<0000000040205020>] end_fault_vector+0x20/0xc0
      [   12.092239]  [<00000000402050c0>] _switch_to_ret+0x0/0xf40
      [   12.164044]
      [   12.184036] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.8.0-1-parisc64-smp #1 Debian 4.8.7-1
      [   12.244040] Backtrace:
      [   12.244040]  [<000000004021c480>] show_stack+0x68/0x80
      [   12.244040]  [<00000000406f332c>] dump_stack+0xec/0x168
      [   12.244040]  [<000000004021c74c>] die_if_kernel+0x25c/0x430
      [   12.244040]  [<000000004022d320>] handle_unaligned+0xb48/0xb50
      [   12.244040]
      [   12.632066] ---[ end trace 9ca05a7215c7bbb2 ]---
      [   12.692036] Kernel panic - not syncing: Attempted to kill the idle task!
      
      We have the insn 0x43ffff80 in IIR but from IAOQ we should have:
         4025d150:   0f f3 20 df     ldd,s r19(r31),r31
         4025d154:   0f 9f 00 9c     ldw r31(ret0),ret0
         4025d158:   bf 80 20 58     cmpb,*<> r0,ret0,4025d18c <irq_exit+0xcc>
      
      Cpu0 has just completed running parisc_setup_cache_timing:
      
      [    2.429981] Releasing cpu 1 now, hpa=fffffffffffa2000
      [    2.635751] CPU(s): 2 out of 2 PA8500 (PCX-W) at 440.000000 MHz online
      [    2.726692] Setting cache flush threshold to 1024 kB
      [    2.729932] Not-handled unaligned insn 0x43ffff80
      [    2.798114] Setting TLB flush threshold to 140 kB
      [    2.928039] Unaligned handler failed, ret = -1
      
      From the backtrace, cpu1 is in smp_callin:
      
      void __init smp_callin(void)
      {
             int slave_id = cpu_now_booting;
      
             smp_cpu_init(slave_id);
             preempt_disable();
      
             flush_cache_all_local(); /* start with known state */
             flush_tlb_all_local(NULL);
      
             local_irq_enable();  /* Interrupts have been off until now */
      
             cpu_startup_entry(CPUHP_AP_ONLINE_IDLE);
      
      So, it has just flushed its caches and the TLB. It would seem either the
      flushes in parisc_setup_cache_timing or smp_callin have corrupted kernel
      memory.
      
      The attached patch reworks parisc_setup_cache_timing to remove the races
      in setting the cache and TLB flush thresholds. It also corrects the
      number of bytes flushed in the TLB calculation.
      
      The patch flushes the cache and TLB on cpu0 before starting the
      secondary processors so that they are started from a known state.
      
      Tested with a few reboots on c8000.
      Signed-off-by: default avatarJohn David Anglin  <dave.anglin@bell.net>
      Cc: <stable@vger.kernel.org> # v3.18+
      Signed-off-by: default avatarHelge Deller <deller@gmx.de>
      741dc7bf
    • Viresh Kumar's avatar
      mfd: wm8994-core: Don't use managed regulator bulk get API · 1a41741f
      Viresh Kumar authored
      The kernel WARNs and then crashes today if wm8994_device_init() fails
      after calling devm_regulator_bulk_get().
      
      That happens because there are multiple devices involved here and the
      order in which managed resources are freed isn't correct.
      
      The regulators are added as children of wm8994->dev.  Whereas,
      devm_regulator_bulk_get() receives wm8994->dev as the device, though it
      gets the same regulators which were added as children of wm8994->dev
      earlier.
      
      During failures, the children are removed first and the core eventually
      calls regulator_unregister() for them. As regulator_put() was never done
      for them (opposite of devm_regulator_bulk_get()), the kernel WARNs at
      
      	WARN_ON(rdev->open_count);
      
      And eventually it crashes from debugfs_remove_recursive().
      
      --------x------------------x----------------
      
       wm8994 3-001a: Device is not a WM8994, ID is 0
       ------------[ cut here ]------------
       WARNING: CPU: 0 PID: 1 at /mnt/ssd/all/work/repos/devel/linux/drivers/regulator/core.c:4072 regulator_unregister+0xc8/0xd0
       Modules linked in:
       CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.8.0-rc6-00154-g54fe84cbd50b #41
       Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
       [<c010e24c>] (unwind_backtrace) from [<c010af38>] (show_stack+0x10/0x14)
       [<c010af38>] (show_stack) from [<c032a1c4>] (dump_stack+0x88/0x9c)
       [<c032a1c4>] (dump_stack) from [<c011a98c>] (__warn+0xe8/0x100)
       [<c011a98c>] (__warn) from [<c011aa54>] (warn_slowpath_null+0x20/0x28)
       [<c011aa54>] (warn_slowpath_null) from [<c0384a0c>] (regulator_unregister+0xc8/0xd0)
       [<c0384a0c>] (regulator_unregister) from [<c0406434>] (release_nodes+0x16c/0x1dc)
       [<c0406434>] (release_nodes) from [<c04039c4>] (__device_release_driver+0x8c/0x110)
       [<c04039c4>] (__device_release_driver) from [<c0403a64>] (device_release_driver+0x1c/0x28)
       [<c0403a64>] (device_release_driver) from [<c0402b24>] (bus_remove_device+0xd8/0x104)
       [<c0402b24>] (bus_remove_device) from [<c03ffcd8>] (device_del+0x10c/0x218)
       [<c03ffcd8>] (device_del) from [<c0404e4c>] (platform_device_del+0x1c/0x88)
       [<c0404e4c>] (platform_device_del) from [<c0404ec4>] (platform_device_unregister+0xc/0x20)
       [<c0404ec4>] (platform_device_unregister) from [<c0428bc0>] (mfd_remove_devices_fn+0x5c/0x64)
       [<c0428bc0>] (mfd_remove_devices_fn) from [<c03ff9d8>] (device_for_each_child_reverse+0x4c/0x78)
       [<c03ff9d8>] (device_for_each_child_reverse) from [<c04288c4>] (mfd_remove_devices+0x20/0x30)
       [<c04288c4>] (mfd_remove_devices) from [<c042758c>] (wm8994_device_init+0x2ac/0x7f0)
       [<c042758c>] (wm8994_device_init) from [<c04f14a8>] (i2c_device_probe+0x178/0x1fc)
       [<c04f14a8>] (i2c_device_probe) from [<c04036fc>] (driver_probe_device+0x214/0x2c0)
       [<c04036fc>] (driver_probe_device) from [<c0403854>] (__driver_attach+0xac/0xb0)
       [<c0403854>] (__driver_attach) from [<c0401a74>] (bus_for_each_dev+0x68/0x9c)
       [<c0401a74>] (bus_for_each_dev) from [<c0402cf0>] (bus_add_driver+0x1a0/0x218)
       [<c0402cf0>] (bus_add_driver) from [<c040406c>] (driver_register+0x78/0xf8)
       [<c040406c>] (driver_register) from [<c04f20a0>] (i2c_register_driver+0x34/0x84)
       [<c04f20a0>] (i2c_register_driver) from [<c01017d0>] (do_one_initcall+0x40/0x170)
       [<c01017d0>] (do_one_initcall) from [<c0a00dbc>] (kernel_init_freeable+0x15c/0x1fc)
       [<c0a00dbc>] (kernel_init_freeable) from [<c06e07b0>] (kernel_init+0x8/0x114)
       [<c06e07b0>] (kernel_init) from [<c0107978>] (ret_from_fork+0x14/0x3c)
       ---[ end trace 0919d3d0bc998260 ]---
      
       [snip..]
      
       Unable to handle kernel NULL pointer dereference at virtual address 00000078
       pgd = c0004000
       [00000078] *pgd=00000000
       Internal error: Oops: 5 [#1] PREEMPT SMP ARM
       Modules linked in:
       CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W       4.8.0-rc6-00154-g54fe84cbd50b #41
       Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
       task: ee874000 task.stack: ee878000
       PC is at down_write+0x14/0x54
       LR is at debugfs_remove_recursive+0x30/0x150
      
       [snip..]
      
       [<c06e489c>] (down_write) from [<c02e9954>] (debugfs_remove_recursive+0x30/0x150)
       [<c02e9954>] (debugfs_remove_recursive) from [<c0382b78>] (_regulator_put+0x24/0xac)
       [<c0382b78>] (_regulator_put) from [<c0382c1c>] (regulator_put+0x1c/0x2c)
       [<c0382c1c>] (regulator_put) from [<c0406434>] (release_nodes+0x16c/0x1dc)
       [<c0406434>] (release_nodes) from [<c04035d4>] (driver_probe_device+0xec/0x2c0)
       [<c04035d4>] (driver_probe_device) from [<c0403854>] (__driver_attach+0xac/0xb0)
       [<c0403854>] (__driver_attach) from [<c0401a74>] (bus_for_each_dev+0x68/0x9c)
       [<c0401a74>] (bus_for_each_dev) from [<c0402cf0>] (bus_add_driver+0x1a0/0x218)
       [<c0402cf0>] (bus_add_driver) from [<c040406c>] (driver_register+0x78/0xf8)
       [<c040406c>] (driver_register) from [<c04f20a0>] (i2c_register_driver+0x34/0x84)
       [<c04f20a0>] (i2c_register_driver) from [<c01017d0>] (do_one_initcall+0x40/0x170)
       [<c01017d0>] (do_one_initcall) from [<c0a00dbc>] (kernel_init_freeable+0x15c/0x1fc)
       [<c0a00dbc>] (kernel_init_freeable) from [<c06e07b0>] (kernel_init+0x8/0x114)
       [<c06e07b0>] (kernel_init) from [<c0107978>] (ret_from_fork+0x14/0x3c)
       Code: e1a04000 f590f000 e3a03001 e34f3fff (e1902f9f)
       ---[ end trace 0919d3d0bc998262 ]---
      
      --------x------------------x----------------
      
      Fix the kernel warnings and crashes by using regulator_bulk_get()
      instead of devm_regulator_bulk_get() and explicitly freeing the supplies
      in exit paths.
      
      Tested on Exynos 5250, dual core ARM A15 machine.
      Signed-off-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      1a41741f
    • Viresh Kumar's avatar
      mfd: wm8994-core: Disable regulators before removing them · 3cfc43df
      Viresh Kumar authored
      The order in which resources were freed in wm8994_device_exit() isn't
      correct. The regulators are removed before they are disabled.
      
      Fix it by reordering code a bit, which makes it exact opposite of
      wm8994_device_init() as well.
      Signed-off-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Acked-by: default avatarCharles Keepax <ckeepax@opensource.wolfsonmicro.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      3cfc43df
    • Paul Burton's avatar
      mfd: syscon: Support native-endian regmaps · d29ccdb3
      Paul Burton authored
      The regmap devicetree binding documentation states that a native-endian
      property should be supported as well as big-endian & little-endian,
      however syscon in its duplication of the parsing of these properties
      omits support for native-endian. Fix this by setting
      REGMAP_ENDIAN_NATIVE when a native-endian property is found.
      Signed-off-by: default avatarPaul Burton <paul.burton@imgtec.com>
      Cc: Lee Jones <lee.jones@linaro.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      d29ccdb3
    • Dave Airlie's avatar
      Merge branch 'mediatek-drm-fixes-2016-11-24' of... · 9704668e
      Dave Airlie authored
      Merge branch 'mediatek-drm-fixes-2016-11-24' of https://github.com/ckhu-mediatek/linux.git-tags into drm-fixes
      
      This branch include patches of fixing a typo, accurate dsi frame rate,
      and fixing null pointer dereference.
      
      * 'mediatek-drm-fixes-2016-11-24' of https://github.com/ckhu-mediatek/linux.git-tags:
        drm/mediatek: fix null pointer dereference
        drm/mediatek: fixed the calc method of data rate per lane
        drm/mediatek: fix a typo of DISP_OD_CFG to OD_RELAYMODE
      9704668e
    • Aneesh Kumar K.V's avatar
      powerpc/mm: Fixup kernel read only mapping · 984d7a1e
      Aneesh Kumar K.V authored
      With commit e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO") we
      started using the ppp value 0b110 to map kernel readonly. But that
      facility was only added as part of ISA 2.04. For earlier ISA version
      only supported ppp bit value for readonly mapping is 0b011. (This
      implies both user and kernel get mapped using the same ppp bit value for
      readonly mapping.).
      Update the code such that for earlier architecture version we use ppp
      value 0b011 for readonly mapping. We don't differentiate between power5+
      and power5 here and apply the new ppp bits only from power6 (ISA 2.05).
      This keep the changes minimal.
      
      This fixes issue with PS3 spu usage reported at
      https://lkml.kernel.org/r/rep.1421449714.geoff@infradead.org
      
      Fixes: e58e87ad ("powerpc/mm: Update _PAGE_KERNEL_RO")
      Cc: stable@vger.kernel.org # v4.7+
      Tested-by: default avatarGeoff Levand <geoff@infradead.org>
      Signed-off-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      984d7a1e
    • Andrey Ryabinin's avatar
      mpi: Fix NULL ptr dereference in mpi_powm() [ver #3] · f5527fff
      Andrey Ryabinin authored
      This fixes CVE-2016-8650.
      
      If mpi_powm() is given a zero exponent, it wants to immediately return
      either 1 or 0, depending on the modulus.  However, if the result was
      initalised with zero limb space, no limbs space is allocated and a
      NULL-pointer exception ensues.
      
      Fix this by allocating a minimal amount of limb space for the result when
      the 0-exponent case when the result is 1 and not touching the limb space
      when the result is 0.
      
      This affects the use of RSA keys and X.509 certificates that carry them.
      
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      PGD 0
      Oops: 0002 [#1] SMP
      Modules linked in:
      CPU: 3 PID: 3014 Comm: keyctl Not tainted 4.9.0-rc6-fscache+ #278
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      task: ffff8804011944c0 task.stack: ffff880401294000
      RIP: 0010:[<ffffffff8138ce5d>]  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
      RSP: 0018:ffff880401297ad8  EFLAGS: 00010212
      RAX: 0000000000000000 RBX: ffff88040868bec0 RCX: ffff88040868bba0
      RDX: ffff88040868b260 RSI: ffff88040868bec0 RDI: ffff88040868bee0
      RBP: ffff880401297ba8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000047 R11: ffffffff8183b210 R12: 0000000000000000
      R13: ffff8804087c7600 R14: 000000000000001f R15: ffff880401297c50
      FS:  00007f7a7918c700(0000) GS:ffff88041fb80000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000000 CR3: 0000000401250000 CR4: 00000000001406e0
      Stack:
       ffff88040868bec0 0000000000000020 ffff880401297b00 ffffffff81376cd4
       0000000000000100 ffff880401297b10 ffffffff81376d12 ffff880401297b30
       ffffffff81376f37 0000000000000100 0000000000000000 ffff880401297ba8
      Call Trace:
       [<ffffffff81376cd4>] ? __sg_page_iter_next+0x43/0x66
       [<ffffffff81376d12>] ? sg_miter_get_next_page+0x1b/0x5d
       [<ffffffff81376f37>] ? sg_miter_next+0x17/0xbd
       [<ffffffff8138ba3a>] ? mpi_read_raw_from_sgl+0xf2/0x146
       [<ffffffff8132a95c>] rsa_verify+0x9d/0xee
       [<ffffffff8132acca>] ? pkcs1pad_sg_set_buf+0x2e/0xbb
       [<ffffffff8132af40>] pkcs1pad_verify+0xc0/0xe1
       [<ffffffff8133cb5e>] public_key_verify_signature+0x1b0/0x228
       [<ffffffff8133d974>] x509_check_for_self_signed+0xa1/0xc4
       [<ffffffff8133cdde>] x509_cert_parse+0x167/0x1a1
       [<ffffffff8133d609>] x509_key_preparse+0x21/0x1a1
       [<ffffffff8133c3d7>] asymmetric_key_preparse+0x34/0x61
       [<ffffffff812fc9f3>] key_create_or_update+0x145/0x399
       [<ffffffff812fe227>] SyS_add_key+0x154/0x19e
       [<ffffffff81001c2b>] do_syscall_64+0x80/0x191
       [<ffffffff816825e4>] entry_SYSCALL64_slow_path+0x25/0x25
      Code: 56 41 55 41 54 53 48 81 ec a8 00 00 00 44 8b 71 04 8b 42 04 4c 8b 67 18 45 85 f6 89 45 80 0f 84 b4 06 00 00 85 c0 75 2f 41 ff ce <49> c7 04 24 01 00 00 00 b0 01 75 0b 48 8b 41 18 48 83 38 01 0f
      RIP  [<ffffffff8138ce5d>] mpi_powm+0x32/0x7e6
       RSP <ffff880401297ad8>
      CR2: 0000000000000000
      ---[ end trace d82015255d4a5d8d ]---
      
      Basically, this is a backport of a libgcrypt patch:
      
      	http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=patch;h=6e1adb05d290aeeb1c230c763970695f4a538526
      
      Fixes: cdec9cb5 ("crypto: GnuPG based MPI lib - source files (part 1)")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
      cc: linux-ima-devel@lists.sourceforge.net
      cc: stable@vger.kernel.org
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      f5527fff
    • Andrey Ryabinin's avatar
      X.509: Fix double free in x509_cert_parse() [ver #3] · 2b95fda2
      Andrey Ryabinin authored
      We shouldn't free cert->pub->key in x509_cert_parse() because
      x509_free_certificate() also does this:
      	BUG: Double free or freeing an invalid pointer
      	...
      	Call Trace:
      	 [<ffffffff81896c20>] dump_stack+0x63/0x83
      	 [<ffffffff81356571>] kasan_object_err+0x21/0x70
      	 [<ffffffff81356ed9>] kasan_report_double_free+0x49/0x60
      	 [<ffffffff813561ad>] kasan_slab_free+0x9d/0xc0
      	 [<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	 [<ffffffff81844fbf>] public_key_free+0x1f/0x30
      	 [<ffffffff818455d4>] x509_free_certificate+0x24/0x90
      	 [<ffffffff818460bc>] x509_cert_parse+0x2bc/0x300
      	 [<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	 [<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	 [<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	 [<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	 [<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      	Object at ffff880110bd1900, in cache kmalloc-512 size: 512
      	....
      	Freed:
      	PID = 2579
      	[<ffffffff8104283b>] save_stack_trace+0x1b/0x20
      	[<ffffffff813558f6>] save_stack+0x46/0xd0
      	[<ffffffff81356183>] kasan_slab_free+0x73/0xc0
      	[<ffffffff81350b7a>] kfree+0x8a/0x1a0
      	[<ffffffff818460a3>] x509_cert_parse+0x2a3/0x300
      	[<ffffffff81846cae>] x509_key_preparse+0x3e/0x330
      	[<ffffffff818444cf>] asymmetric_key_preparse+0x6f/0x100
      	[<ffffffff8178bec0>] key_create_or_update+0x260/0x5f0
      	[<ffffffff8178e6d9>] SyS_add_key+0x199/0x2a0
      	[<ffffffff821d823b>] entry_SYSCALL_64_fastpath+0x1e/0xad
      
      Fixes: db6c43bd ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      2b95fda2
  3. 24 Nov, 2016 15 commits
    • Arvind Yadav's avatar
      gpu/drm/exynos/exynos_hdmi - Unmap region obtained by of_iomap · d7420002
      Arvind Yadav authored
      Free memory mapping, if hdmi_probe is not successful.
      Signed-off-by: default avatarArvind Yadav <arvind.yadav.cs@gmail.com>
      Signed-off-by: default avatarInki Dae <inki.dae@samsung.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      d7420002
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 16ae16c6
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "MMC host:
      
         - sdhci-of-esdhc: Fix card detection
         - dw_mmc: Fix DMA error path"
      
      * tag 'mmc-v4.9-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: dw_mmc: fix the error handling for dma operation
        mmc: sdhci-of-esdhc: fixup PRESENT_STATE read
      16ae16c6
    • Linus Torvalds's avatar
      Merge tag 'usb-4.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · bae73e80
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a few small USB fixes and new device ids for 4.9-rc7.
      
        The majority of these fixes are in the musb driver, fixing a number of
        regressions that have been reported but took a while to resolve. The
        other fixes are all small ones, to resolve other reported minor
        issues.
      
        All have been in linux-next for a while with no reported issues"
      
      * tag 'usb-4.9-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        usb: gadget: f_fs: fix wrong parenthesis in ffs_func_req_match()
        phy: twl4030-usb: Fix for musb session bit based PM
        usb: musb: Drop pointless PM runtime code for dsps glue
        usb: musb: Add missing pm_runtime_disable and drop 2430 PM timeout
        usb: musb: Fix PM for hub disconnect
        usb: musb: Fix sleeping function called from invalid context for hdrc glue
        usb: musb: Fix broken use of static variable for multiple instances
        USB: serial: cp210x: add ID for the Zone DPMX
        usb: chipidea: move the lock initialization to core file
        Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y
        USB: serial: ftdi_sio: add support for TI CC3200 LaunchPad
      bae73e80
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · e2b6535d
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - DMA-on-stack fixes for a couple drivers, from Benjamin Tissoires
      
       - small memory sanitization fix for sensor-hub driver, from Song
         Hongyan
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: hid-sensor-hub: clear memory to avoid random data
        HID: rmi: make transfer buffers DMA capable
        HID: magicmouse: make transfer buffers DMA capable
        HID: lg: make transfer buffers DMA capable
        HID: cp2112: make transfer buffers DMA capable
      e2b6535d
    • Radim Krčmář's avatar
      KVM: x86: check for pic and ioapic presence before use · df492896
      Radim Krčmář authored
      Split irqchip allows pic and ioapic routes to be used without them being
      created, which results in NULL access.  Check for NULL and avoid it.
      (The setup is too racy for a nicer solutions.)
      
      Found by syzkaller:
      
        general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
        Dumping ftrace buffer:
           (ftrace buffer empty)
        Modules linked in:
        CPU: 3 PID: 11923 Comm: kworker/3:2 Not tainted 4.9.0-rc5+ #27
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        Workqueue: events irqfd_inject
        task: ffff88006a06c7c0 task.stack: ffff880068638000
        RIP: 0010:[...]  [...] __lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
        RSP: 0000:ffff88006863ea20  EFLAGS: 00010006
        RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
        RDX: 0000000000000039 RSI: 0000000000000000 RDI: 1ffff1000d0c7d9e
        RBP: ffff88006863ef58 R08: 0000000000000001 R09: 0000000000000000
        R10: 00000000000001c8 R11: 0000000000000000 R12: ffff88006a06c7c0
        R13: 0000000000000001 R14: ffffffff8baab1a0 R15: 0000000000000001
        FS:  0000000000000000(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00000000004abdd0 CR3: 000000003e2f2000 CR4: 00000000000026e0
        Stack:
         ffffffff894d0098 1ffff1000d0c7d56 ffff88006863ecd0 dffffc0000000000
         ffff88006a06c7c0 0000000000000000 ffff88006863ecf8 0000000000000082
         0000000000000000 ffffffff815dd7c1 ffffffff00000000 ffffffff00000000
        Call Trace:
         [...] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
         [...] __raw_spin_lock include/linux/spinlock_api_smp.h:144
         [...] _raw_spin_lock+0x38/0x50 kernel/locking/spinlock.c:151
         [...] spin_lock include/linux/spinlock.h:302
         [...] kvm_ioapic_set_irq+0x4c/0x100 arch/x86/kvm/ioapic.c:379
         [...] kvm_set_ioapic_irq+0x8f/0xc0 arch/x86/kvm/irq_comm.c:52
         [...] kvm_set_irq+0x239/0x640 arch/x86/kvm/../../../virt/kvm/irqchip.c:101
         [...] irqfd_inject+0xb4/0x150 arch/x86/kvm/../../../virt/kvm/eventfd.c:60
         [...] process_one_work+0xb40/0x1ba0 kernel/workqueue.c:2096
         [...] worker_thread+0x214/0x18a0 kernel/workqueue.c:2230
         [...] kthread+0x328/0x3e0 kernel/kthread.c:209
         [...] ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:433
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: 49df6397 ("KVM: x86: Split the APIC from the rest of IRQCHIP.")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      df492896
    • Radim Krčmář's avatar
      KVM: x86: fix out-of-bounds accesses of rtc_eoi map · 81cdb259
      Radim Krčmář authored
      KVM was using arrays of size KVM_MAX_VCPUS with vcpu_id, but ID can be
      bigger that the maximal number of VCPUs, resulting in out-of-bounds
      access.
      
      Found by syzkaller:
      
        BUG: KASAN: slab-out-of-bounds in __apic_accept_irq+0xb33/0xb50 at addr [...]
        Write of size 1 by task a.out/27101
        CPU: 1 PID: 27101 Comm: a.out Not tainted 4.9.0-rc5+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __apic_accept_irq+0xb33/0xb50 arch/x86/kvm/lapic.c:905
         [...] kvm_apic_set_irq+0x10e/0x180 arch/x86/kvm/lapic.c:495
         [...] kvm_irq_delivery_to_apic+0x732/0xc10 arch/x86/kvm/irq_comm.c:86
         [...] ioapic_service+0x41d/0x760 arch/x86/kvm/ioapic.c:360
         [...] ioapic_set_irq+0x275/0x6c0 arch/x86/kvm/ioapic.c:222
         [...] kvm_ioapic_inject_all arch/x86/kvm/ioapic.c:235
         [...] kvm_set_ioapic+0x223/0x310 arch/x86/kvm/ioapic.c:670
         [...] kvm_vm_ioctl_set_irqchip arch/x86/kvm/x86.c:3668
         [...] kvm_arch_vm_ioctl+0x1a08/0x23c0 arch/x86/kvm/x86.c:3999
         [...] kvm_vm_ioctl+0x1fa/0x1a70 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3099
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: af1bae54 ("KVM: x86: bump KVM_MAX_VCPU_ID to 1023")
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      81cdb259
    • Radim Krčmář's avatar
      KVM: x86: drop error recovery in em_jmp_far and em_ret_far · 2117d539
      Radim Krčmář authored
      em_jmp_far and em_ret_far assumed that setting IP can only fail in 64
      bit mode, but syzkaller proved otherwise (and SDM agrees).
      Code segment was restored upon failure, but it was left uninitialized
      outside of long mode, which could lead to a leak of host kernel stack.
      We could have fixed that by always saving and restoring the CS, but we
      take a simpler approach and just break any guest that manages to fail
      as the error recovery is error-prone and modern CPUs don't need emulator
      for this.
      
      Found by syzkaller:
      
        WARNING: CPU: 2 PID: 3668 at arch/x86/kvm/emulate.c:2217 em_ret_far+0x428/0x480
        Kernel panic - not syncing: panic_on_warn set ...
      
        CPU: 2 PID: 3668 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __dump_stack lib/dump_stack.c:15
         [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
         [...] panic+0x1b7/0x3a3 kernel/panic.c:179
         [...] __warn+0x1c4/0x1e0 kernel/panic.c:542
         [...] warn_slowpath_null+0x2c/0x40 kernel/panic.c:585
         [...] em_ret_far+0x428/0x480 arch/x86/kvm/emulate.c:2217
         [...] em_ret_far_imm+0x17/0x70 arch/x86/kvm/emulate.c:2227
         [...] x86_emulate_insn+0x87a/0x3730 arch/x86/kvm/emulate.c:5294
         [...] x86_emulate_instruction+0x520/0x1ba0 arch/x86/kvm/x86.c:5545
         [...] emulate_instruction arch/x86/include/asm/kvm_host.h:1116
         [...] complete_emulated_io arch/x86/kvm/x86.c:6870
         [...] complete_emulated_mmio+0x4e9/0x710 arch/x86/kvm/x86.c:6934
         [...] kvm_arch_vcpu_ioctl_run+0x3b7a/0x5a90 arch/x86/kvm/x86.c:6978
         [...] kvm_vcpu_ioctl+0x61e/0xdd0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:2557
         [...] vfs_ioctl fs/ioctl.c:43
         [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
         [...] SYSC_ioctl fs/ioctl.c:694
         [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
         [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: d1442d85 ("KVM: x86: Handle errors when RIP is set during far jumps")
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      2117d539
    • Radim Krčmář's avatar
      KVM: x86: fix out-of-bounds access in lapic · 444fdad8
      Radim Krčmář authored
      Cluster xAPIC delivery incorrectly assumed that dest_id <= 0xff.
      With enabled KVM_X2APIC_API_USE_32BIT_IDS in KVM_CAP_X2APIC_API, a
      userspace can send an interrupt with dest_id that results in
      out-of-bounds access.
      
      Found by syzkaller:
      
        BUG: KASAN: slab-out-of-bounds in kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 at addr ffff88003d9ca750
        Read of size 8 by task syz-executor/22923
        CPU: 0 PID: 22923 Comm: syz-executor Not tainted 4.9.0-rc4+ #49
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
         [...]
        Call Trace:
         [...] __dump_stack lib/dump_stack.c:15
         [...] dump_stack+0xb3/0x118 lib/dump_stack.c:51
         [...] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
         [...] print_address_description mm/kasan/report.c:194
         [...] kasan_report_error mm/kasan/report.c:283
         [...] kasan_report+0x231/0x500 mm/kasan/report.c:303
         [...] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:329
         [...] kvm_irq_delivery_to_apic_fast+0x11fa/0x1210 arch/x86/kvm/lapic.c:824
         [...] kvm_irq_delivery_to_apic+0x132/0x9a0 arch/x86/kvm/irq_comm.c:72
         [...] kvm_set_msi+0x111/0x160 arch/x86/kvm/irq_comm.c:157
         [...] kvm_send_userspace_msi+0x201/0x280 arch/x86/kvm/../../../virt/kvm/irqchip.c:74
         [...] kvm_vm_ioctl+0xba5/0x1670 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3015
         [...] vfs_ioctl fs/ioctl.c:43
         [...] do_vfs_ioctl+0x18c/0x1040 fs/ioctl.c:679
         [...] SYSC_ioctl fs/ioctl.c:694
         [...] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:685
         [...] entry_SYSCALL_64_fastpath+0x1f/0xc2
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: stable@vger.kernel.org
      Fixes: e45115b6 ("KVM: x86: use physical LAPIC array for logical x2APIC")
      Reviewed-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarRadim Krčmář <rkrcmar@redhat.com>
      444fdad8
    • Nicolas Schichan's avatar
      init: use pr_cont() when displaying rotator during ramdisk loading. · 18594e9b
      Nicolas Schichan authored
      Otherwise each individual rotator char would be printed in a new line:
      
      (...)
      [    0.642350] -
      [    0.644374] |
      [    0.646367] -
      (...)
      Signed-off-by: default avatarNicolas Schichan <nicolas.schichan@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      18594e9b
    • Matthias Brugger's avatar
      drm/mediatek: fix null pointer dereference · 5ad45307
      Matthias Brugger authored
      The probe function requests the interrupt before initializing
      the ddp component. Which leads to a null pointer dereference at boot.
      Fix this by requesting the interrput after all components got
      initialized properly.
      
      Fixes: 119f5173 ("drm/mediatek: Add DRM Driver for Mediatek SoC
      MT8173.")
      Signed-off-by: default avatarMatthias Brugger <matthias.bgg@gmail.com>
      
      Change-Id: I57193a7ab554dfb37c35a455900689333adf511c
      5ad45307
    • Jitao Shi's avatar
      drm/mediatek: fixed the calc method of data rate per lane · f6c87239
      Jitao Shi authored
      Tune dsi frame rate by pixel clock, dsi add some extra signal (i.e.
      Tlpx, Ths-prepare, Ths-zero, Ths-trail,Ths-exit) when enter and exit LP
      mode, those signals will cause h-time larger than normal and reduce FPS.
      So need to multiply a coefficient to offset the extra signal's effect.
        coefficient = ((htotal*bpp/lane_number)+Tlpx+Ths_prep+Ths_zero+
      		 Ths_trail+Ths_exit)/(htotal*bpp/lane_number)
      Signed-off-by: default avatarJitao Shi <jitao.shi@mediatek.com>
      Reviewed-by: default avatarDaniel Kurtz <djkurtz@chromium.org>
      f6c87239
    • Bibby Hsieh's avatar
      drm/mediatek: fix a typo of DISP_OD_CFG to OD_RELAYMODE · 1ee6f347
      Bibby Hsieh authored
      If we want to set the hardware OD to relay mode,
      we have to set DISP_OD_CFG register rather than
      OD_RELAYMODE; otherwise, the system will access
      the wrong address.
      
      Change-Id: Ifb9bb4caa63df906437d48b5d5326b6d04ea332a
      Fixes: 72164364 ("drm/mediatek: set mt8173 dithering function")
      Cc: stable@vger.kernel.org # v4.9+
      Signed-off-by: default avatarBibby Hsieh <bibby.hsieh@mediatek.com>
      Acked-by: default avatarCK Hu <ck.hu@mediatek.com>
      1ee6f347
    • Oliver O'Halloran's avatar
      powerpc/boot: Fix the early OPAL console wrappers · a1ff5741
      Oliver O'Halloran authored
      When configured with CONFIG_PPC_EARLY_DEBUG_OPAL=y the kernel expects
      the OPAL entry and base addresses to be passed in r8 and r9
      respectively. Currently the wrapper does not attempt to restore these
      values before entering the decompressed kernel which causes the kernel
      to branch into whatever happens to be in r9 when doing a write to the
      OPAL console in early boot.
      
      This patch adds a platform_ops hook that can be used to branch into the
      new kernel. The OPAL console driver patches this at runtime so that if
      the console is used it will be restored just prior to entering the
      kernel.
      
      Fixes: 656ad58e ("powerpc/boot: Add OPAL console to epapr wrappers")
      Cc: stable@vger.kernel.org # v4.8+
      Signed-off-by: default avatarOliver O'Halloran <oohall@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      a1ff5741
    • Dave Airlie's avatar
      Merge branch 'for-upstream/hdlcd' of git://linux-arm.org/linux-ld into drm-fixes · 855f6529
      Dave Airlie authored
      A late issue discovered by Russell King while testing his setup on Juno.
      
      * 'for-upstream/hdlcd' of git://linux-arm.org/linux-ld:
        drm/arm: hdlcd: fix plane base address update
      855f6529
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.9' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 7ad54c99
      Dave Airlie authored
      one small powerplay fix and one regression fix for older PX systems and d3cold
      
      * 'drm-fixes-4.9' of git://people.freedesktop.org/~agd5f/linux:
        drm/radeon: fix power state when port pm is unavailable (v2)
        drm/amdgpu: fix power state when port pm is unavailable
        drm/amd/powerplay: avoid out of bounds access on array ps.
      7ad54c99
  4. 23 Nov, 2016 2 commits
    • Takashi Iwai's avatar
      xc2028: Fix use-after-free bug properly · 22a1e778
      Takashi Iwai authored
      The commit 8dfbcc43 ("[media] xc2028: avoid use after free") tried
      to address the reported use-after-free by clearing the reference.
      
      However, it's clearing the wrong pointer; it sets NULL to
      priv->ctrl.fname, but it's anyway overwritten by the next line
      memcpy(&priv->ctrl, p, sizeof(priv->ctrl)).
      
      OTOH, the actual code accessing the freed string is the strcmp() call
      with priv->fname:
      	if (!firmware_name[0] && p->fname &&
      	    priv->fname && strcmp(p->fname, priv->fname))
      		free_firmware(priv);
      
      where priv->fname points to the previous file name, and this was
      already freed by kfree().
      
      For fixing the bug properly, this patch does the following:
      
      - Keep the copy of firmware file name in only priv->fname,
        priv->ctrl.fname isn't changed;
      - The allocation is done only when the firmware gets loaded;
      - The kfree() is called in free_firmware() commonly
      
      Fixes: commit 8dfbcc43 ('[media] xc2028: avoid use after free')
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      22a1e778
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.9-4' of git://git.linux-nfs.org/projects/anna/linux-nfs · 10b9dd56
      Linus Torvalds authored
      Pull NFS client bugfixes from Anna Schumaker:
       "Most of these fix regressions or races, but there is one patch for
        stable that Arnd sent me
      
        Stable bugfix:
         - Hide array-bounds warning
      
        Bugfixes:
         - Keep a reference on lock states while checking
         - Handle NFS4ERR_OLD_STATEID in nfs4_reclaim_open_state
         - Don't call close if the open stateid has already been cleared
         - Fix CLOSE rases with OPEN
         - Fix a regression in DELEGRETURN"
      
      * tag 'nfs-for-4.9-4' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        NFSv4.x: hide array-bounds warning
        NFSv4.1: Keep a reference on lock states while checking
        NFSv4.1: Handle NFS4ERR_OLD_STATEID in nfs4_reclaim_open_state
        NFSv4: Don't call close if the open stateid has already been cleared
        NFSv4: Fix CLOSE races with OPEN
        NFSv4.1: Fix a regression in DELEGRETURN
      10b9dd56