1. 14 Jul, 2016 5 commits
    • Paolo Bonzini's avatar
      Revert "KVM: release anon file in failure path of vm creation" · 7964218c
      Paolo Bonzini authored
      This reverts commit 77ecc085fed1af1000ca719522977b960aa6da52.
      
      Al Viro colorfully says: "You should *NEVER* use sys_close() on failure
      exit paths like that.  Moreover, this kvm_put_kvm() becomes a double-put,
      since closing the damn file will drop that reference to kvm.  Please,
      revert.  anon_inode_getfd() should be used only when there's no possible
      failures past its call".
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      7964218c
    • Liu Shuo's avatar
      KVM: release anon file in failure path of vm creation · 2be5b3f6
      Liu Shuo authored
      The failure of create debugfs of VM will return directly without release
      the anon file. It will leak memory and file descriptors, even through
      be not serious.
      Signed-off-by: default avatarLiu Shuo <shuo.a.liu@intel.com>
      Fixes: 536a6f88Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      2be5b3f6
    • Jim Mattson's avatar
      KVM: nVMX: Fix memory corruption when using VMCS shadowing · 2f1fe811
      Jim Mattson authored
      When freeing the nested resources of a vcpu, there is an assumption that
      the vcpu's vmcs01 is the current VMCS on the CPU that executes
      nested_release_vmcs12(). If this assumption is violated, the vcpu's
      vmcs01 may be made active on multiple CPUs at the same time, in
      violation of Intel's specification. Moreover, since the vcpu's vmcs01 is
      not VMCLEARed on every CPU on which it is active, it can linger in a
      CPU's VMCS cache after it has been freed and potentially
      repurposed. Subsequent eviction from the CPU's VMCS cache on a capacity
      miss can result in memory corruption.
      
      It is not sufficient for vmx_free_vcpu() to call vmx_load_vmcs01(). If
      the vcpu in question was last loaded on a different CPU, it must be
      migrated to the current CPU before calling vmx_load_vmcs01().
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      2f1fe811
    • Peter Feiner's avatar
      kvm: vmx: ensure VMCS is current while enabling PML · 4e59516a
      Peter Feiner authored
      Between loading the new VMCS and enabling PML, the CPU was unpinned.
      If the vCPU thread were migrated to another CPU in the interim (e.g.,
      due to preemption or sleeping alloc_page), then the VMWRITEs to enable
      PML would target the wrong VMCS -- or no VMCS at all:
      
        [ 2087.266950] vmwrite error: reg 200e value 3fe1d52000 (err -506126336)
        [ 2087.267062] vmwrite error: reg 812 value 1ff (err 511)
        [ 2087.267125] vmwrite error: reg 401e value 12229c00 (err 304258048)
      
      This patch ensures that the VMCS remains current while enabling PML by
      doing the VMWRITEs while the CPU is pinned. Allocation of the PML buffer
      is hoisted out of the critical section.
      Signed-off-by: default avatarPeter Feiner <pfeiner@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      4e59516a
    • Paolo Bonzini's avatar
      KVM: SVM: fix trashing of MSR_TSC_AUX · 9770404a
      Paolo Bonzini authored
      I don't know what I was thinking when I wrote commit 46896c73 ("KVM:
      svm: add support for RDTSCP", 2015-11-12); I missed write_rdtscp_aux which
      obviously uses MSR_TSC_AUX.
      
      Therefore we do need to save/restore MSR_TSC_AUX in svm_vcpu_run.
      
      Cc: stable@vger.kernel.org
      Cc: Borislav Petkov <bp@alien8.de>
      Fixes: 46896c73 ("KVM: svm: add support for RDTSCP")
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      9770404a
  2. 05 Jul, 2016 1 commit
    • Alexis Dambricourt's avatar
      KVM: MTRR: fix kvm_mtrr_check_gfn_range_consistency page fault · 30b072ce
      Alexis Dambricourt authored
      The following #PF may occurs:
      [ 1403.317041] BUG: unable to handle kernel paging request at 0000000200000068
      [ 1403.317045] IP: [<ffffffffc04c20b0>] __mtrr_lookup_var_next+0x10/0xa0 [kvm]
      
      [ 1403.317123] Call Trace:
      [ 1403.317134]  [<ffffffffc04c2a65>] ? kvm_mtrr_check_gfn_range_consistency+0xc5/0x120 [kvm]
      [ 1403.317143]  [<ffffffffc04ac11f>] ? tdp_page_fault+0x9f/0x2c0 [kvm]
      [ 1403.317152]  [<ffffffffc0498128>] ? kvm_set_msr_common+0x858/0xc00 [kvm]
      [ 1403.317161]  [<ffffffffc04b8883>] ? x86_emulate_insn+0x273/0xd30 [kvm]
      [ 1403.317171]  [<ffffffffc04c04e4>] ? kvm_cpuid+0x34/0x190 [kvm]
      [ 1403.317180]  [<ffffffffc04a5bb9>] ? kvm_mmu_page_fault+0x59/0xe0 [kvm]
      [ 1403.317183]  [<ffffffffc0d729e1>] ? vmx_handle_exit+0x1d1/0x14a0 [kvm_intel]
      [ 1403.317185]  [<ffffffffc0d75f3f>] ? atomic_switch_perf_msrs+0x6f/0xa0 [kvm_intel]
      [ 1403.317187]  [<ffffffffc0d7621d>] ? vmx_vcpu_run+0x2ad/0x420 [kvm_intel]
      [ 1403.317196]  [<ffffffffc04a0962>] ? kvm_arch_vcpu_ioctl_run+0x622/0x1550 [kvm]
      [ 1403.317204]  [<ffffffffc049abb9>] ? kvm_arch_vcpu_load+0x59/0x210 [kvm]
      [ 1403.317206]  [<ffffffff81036245>] ? __kernel_fpu_end+0x35/0x100
      [ 1403.317213]  [<ffffffffc0487eb6>] ? kvm_vcpu_ioctl+0x316/0x5d0 [kvm]
      [ 1403.317215]  [<ffffffff81088225>] ? do_sigtimedwait+0xd5/0x220
      [ 1403.317217]  [<ffffffff811f84dd>] ? do_vfs_ioctl+0x9d/0x5c0
      [ 1403.317224]  [<ffffffffc04928ae>] ? kvm_on_user_return+0x3e/0x70 [kvm]
      [ 1403.317225]  [<ffffffff811f8a74>] ? SyS_ioctl+0x74/0x80
      [ 1403.317227]  [<ffffffff815bf0b6>] ? entry_SYSCALL_64_fastpath+0x1e/0xa8
      [ 1403.317242] RIP  [<ffffffffc04c20b0>] __mtrr_lookup_var_next+0x10/0xa0 [kvm]
      
      At mtrr_lookup_fixed_next(), when the condition
      'if (iter->index >= ARRAY_SIZE(iter->mtrr_state->fixed_ranges))' becomes true,
      mtrr_lookup_var_start() is called with iter->range with gargabe values from the
      fixed MTRR union field. Then, list_prepare_entry() do not call list_entry()
      initialization, keeping a garbage pointer in iter->range which is accessed in
      the following __mtrr_lookup_var_next() call.
      
      Fixes: f571c097Signed-off-by: default avatarAlexis Dambricourt <alexis@blade-group.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      30b072ce
  3. 04 Jul, 2016 1 commit
  4. 03 Jul, 2016 5 commits
  5. 02 Jul, 2016 6 commits
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux · 99b0f54e
      Linus Torvalds authored
      Pull drm fixes frlm Dave Airlie:
       "Just some AMD and Intel fixes, the AMD ones are further production
        Polaris fixes, and the Intel ones fix some early timeouts, some PCI ID
        changes and a couple of other fixes.
      
        Still a bit Internet challenged here, hopefully end of next week will
        solve it"
      
      * tag 'drm-fixes-for-v4.7-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/i915: Fix missing unlock on error in i915_ppgtt_info()
        drm/amd/powerplay: workaround for UVD clock issue
        drm/amdgpu: add ACLK_CNTL setting for polaris10
        drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
        drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
        drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
        drm/i915: Add more Kabylake PCI IDs.
        drm/i915: Avoid early timeout during AUX transfers
        drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
        drm/i915/lpt: Avoid early timeout during FDI PHY reset
        drm/i915/bxt: Avoid early timeout during PLL enable
        drm/i915: Refresh cached DP port register value on resume
        drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
        drm/amd/powerplay: disable FFC.
        drm/amd/powerplay: add some definition for FFC feature on polaris.
      99b0f54e
    • Linus Torvalds's avatar
      Merge tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 467ce769
      Linus Torvalds authored
      Pull spi fixes from Mark Brown:
       "A few small driver-specific fixes for SPI, all in the normal important
        if you hit them category especially the rockchip driver fix which
        addresses a race which has been exposed more frequently with some
        recent performance improvements"
      
      * tag 'spi-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: sunxi: fix transfer timeout
        spi: sun4i: fix FIFO limit
        spi: rockchip: Signal unfinished DMA transfers
        spi: spi-ti-qspi: Suspend the queue before removing the device
      467ce769
    • Linus Torvalds's avatar
      Merge tag 'regulator-fix-v4.7-rc5' of... · a2b0db5b
      Linus Torvalds authored
      Merge tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
      
      Pull regulator fixes from Mark Brown:
       "Two small fixes for the regulator subsystem - one fixing a crash with
        one of the devices supported by the max77620 driver, another fixing
        startup for the anatop regulator when it starts up with the regulator
        in bypass mode"
      
      * tag 'regulator-fix-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: max77620: check for valid regulator info
        regulator: anatop: allow regulator to be in bypass mode
      a2b0db5b
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · 44385120
      Linus Torvalds authored
      Pull clk fixes from Stephen Boyd:
       "A small fix for the newly added oxnas clk driver and a handful of
        rockchip clk driver fixes for newly added rk3399 support"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: Fix return value check in oxnas_stdclk_probe()
        clk: rockchip: release io resource when failing to init clk on rk3399
        clk: rockchip: fix cpuclk registration error handling
        clk: rockchip: Revert "clk: rockchip: reset init state before mmc card initialization"
        clk: rockchip: fix incorrect parent for rk3399's {c,g}pll_aclk_perihp_src
        clk: rockchip: mark rk3399 GIC clocks as critical
        clk: rockchip: initialize flags of clk_init_data in mmc-phase clock
      44385120
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel into drm-fixes · 88c08710
      Dave Airlie authored
      here's a batch of i915 fixes for 4.7.
      
      * tag 'drm-intel-fixes-2016-06-30' of git://anongit.freedesktop.org/drm-intel:
        drm/i915: Fix missing unlock on error in i915_ppgtt_info()
        drm/i915: Removing PCI IDs that are no longer listed as Kabylake.
        drm/i915: Add more Kabylake PCI IDs.
        drm/i915: Avoid early timeout during AUX transfers
        drm/i915/hsw: Avoid early timeout during LCPLL disable/restore
        drm/i915/lpt: Avoid early timeout during FDI PHY reset
        drm/i915/bxt: Avoid early timeout during PLL enable
        drm/i915: Refresh cached DP port register value on resume
      88c08710
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · 40793e85
      Dave Airlie authored
      Just a few more late fixes for Polaris cards.
      
      * 'drm-fixes-4.7' of git://people.freedesktop.org/~agd5f/linux:
        drm/amd/powerplay: workaround for UVD clock issue
        drm/amdgpu: add ACLK_CNTL setting for polaris10
        drm/amd/powerplay: fix issue uvd dpm can't enabled on Polaris11.
        drm/amd/powerplay: Workaround for Memory EDC Error on Polaris10.
        drm/amd/powerplay: Update CKS on/ CKS off voltage offset calculation
        drm/amd/powerplay: disable FFC.
        drm/amd/powerplay: add some definition for FFC feature on polaris.
      40793e85
  6. 01 Jul, 2016 18 commits
    • Ralf Baechle's avatar
      MIPS: Fix possible corruption of cache mode by mprotect. · 6d037de9
      Ralf Baechle authored
      The following testcase may result in a page table entries with a invalid
      CCA field being generated:
      
      static void *bindstack;
      
      static int sysrqfd;
      
      static void protect_low(int protect)
      {
      	mprotect(bindstack, BINDSTACK_SIZE, protect);
      }
      
      static void sigbus_handler(int signal, siginfo_t * info, void *context)
      {
      	void *addr = info->si_addr;
      
      	write(sysrqfd, "x", 1);
      
      	printf("sigbus, fault address %p (should not happen, but might)\n",
      	       addr);
      	abort();
      }
      
      static void run_bind_test(void)
      {
      	unsigned int *p = bindstack;
      
      	p[0] = 0xf001f001;
      
      	write(sysrqfd, "x", 1);
      
      	/* Set trap on access to p[0] */
      	protect_low(PROT_NONE);
      
      	write(sysrqfd, "x", 1);
      
      	/* Clear trap on access to p[0] */
      	protect_low(PROT_READ | PROT_WRITE | PROT_EXEC);
      
      	write(sysrqfd, "x", 1);
      
      	/* Check the contents of p[0] */
      	if (p[0] != 0xf001f001) {
      		write(sysrqfd, "x", 1);
      
      		/* Reached, but shouldn't be */
      		printf("badness, shouldn't happen but does\n");
      		abort();
      	}
      }
      
      int main(void)
      {
      	struct sigaction sa;
      
      	sysrqfd = open("/proc/sysrq-trigger", O_WRONLY);
      
      	if (sigprocmask(SIG_BLOCK, NULL, &sa.sa_mask)) {
      		perror("sigprocmask");
      		return 0;
      	}
      
      	sa.sa_sigaction = sigbus_handler;
      	sa.sa_flags = SA_SIGINFO | SA_NODEFER | SA_RESTART;
      	if (sigaction(SIGBUS, &sa, NULL)) {
      		perror("sigaction");
      		return 0;
      	}
      
      	bindstack = mmap(NULL,
      			 BINDSTACK_SIZE,
      			 PROT_READ | PROT_WRITE | PROT_EXEC,
      			 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
      	if (bindstack == MAP_FAILED) {
      		perror("mmap bindstack");
      		return 0;
      	}
      
      	printf("bindstack: %p\n", bindstack);
      
      	run_bind_test();
      
      	printf("done\n");
      
      	return 0;
      }
      
      There are multiple ingredients for this:
      
       1) PAGE_NONE is defined to _CACHE_CACHABLE_NONCOHERENT, which is CCA 3
          on all platforms except SB1 where it's CCA 5.
       2) _page_cachable_default must have bits set which are not set
          _CACHE_CACHABLE_NONCOHERENT.
       3) Either the defective version of pte_modify for XPA or the standard
          version must be in used.  However pte_modify for the 36 bit address
          space support is no affected.
      
      In that case additional bits in the final CCA mode may generate an invalid
      value for the CCA field.  On the R10000 system where this was tracked
      down for example a CCA 7 has been observed, which is Uncached Accelerated.
      
      Fixed by:
      
       1) Using the proper CCA mode for PAGE_NONE just like for all the other
          PAGE_* pte/pmd bits.
       2) Fix the two affected variants of pte_modify.
      
      Further code inspection also shows the same issue to exist in pmd_modify
      which would affect huge page systems.
      
      Issue in pte_modify tracked down by Alastair Bridgewater, PAGE_NONE
      and pmd_modify issue found by me.
      
      The history of this goes back beyond Linus' git history.  Chris Dearman's
      commit 35133692 ("[MIPS] Allow setting of
      the cache attribute at run time.") missed the opportunity to fix this
      but it was originally introduced in lmo commit
      d523832cf12007b3242e50bb77d0c9e63e0b6518 ("Missing from last commit.")
      and 32cc38229ac7538f2346918a09e75413e8861f87 ("New configuration option
      CONFIG_MIPS_UNCACHED.")
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Reported-by: default avatarAlastair Bridgewater <alastair.bridgewater@gmail.com>
      6d037de9
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · dbdc3bb7
      Linus Torvalds authored
      Pull ACPI fix from Rafael Wysocki:
       "Fix an expression in the ACPI PCI IRQ management code added by a
        recent commit that overlooked missing parens in it, so the result of
        the computation is incorrect in some cases (Sinan Kaya)"
      
      * tag 'acpi-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI,PCI,IRQ: correct operator precedence
      dbdc3bb7
    • Linus Torvalds's avatar
      Merge tag 'pm-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 81dbd6f5
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "Three cpufreq fixes, one in the core (stable-candidate) and two in
        drivers (intel_pstate and cpufreq-dt).
      
        Specifics:
      
         - Fix a recent intel_pstate regression that caused the number of
           wakeups to increase significantly on an idle system in some cases
           due to excessive synchronize_sched() invocations (Rafael Wysocki).
      
         - Fix unnecessary invocations of WARN_ON() in the cpufreq core after
           cpufreq has been suspended introduced during the 4.6 cycla (Rafael
           Wysocki).
      
         - Fix an error code path in the cpufreq-dt-platdev driver that
           forgets to drop a reference to a DT node (Masahiro Yamada)"
      
      * tag 'pm-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: Avoid false-positive WARN_ON()s in cpufreq_update_policy()
        cpufreq: dt: call of_node_put() before error out
        intel_pstate: Do not clear utilization update hooks on policy changes
      81dbd6f5
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs · 48c4565e
      Linus Torvalds authored
      Pull vfs fixes from Al Viro:
       "Tmpfs readdir throughput regression fix (this cycle) + some -stable
        fodder all over the place.
      
        One missing bit is Miklos' tonight locks.c fix - NFS folks had already
        grabbed that one by the time I woke up ;-)"
      
      [ The locks.c fix came through the nfsd tree just moments ago ]
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
        namespace: update event counter when umounting a deleted dentry
        9p: use file_dentry()
        ceph: fix d_obtain_alias() misuses
        lockless next_positive()
        libfs.c: new helper - next_positive()
        dcache_{readdir,dir_lseek}(): don't bother with nested ->d_lock
      48c4565e
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.7-3' of git://linux-nfs.org/~bfields/linux · 2728c57f
      Linus Torvalds authored
      Pull lockd/locks fixes from Bruce Fields:
       "One fix for lockd soft lookups in an error path, and one fix for file
        leases on overlayfs"
      
      * tag 'nfsd-4.7-3' of git://linux-nfs.org/~bfields/linux:
        locks: use file_inode()
        lockd: unregister notifier blocks if the service fails to come up completely
      2728c57f
    • Linus Torvalds's avatar
      Merge tag 'mfd-fixes-4.7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd · 0d064a7b
      Linus Torvalds authored
      Pull more MFD fixes from Lee Jones:
       "Apologies for missing these from the first pull request.
      
        Final patches fixing Reset API change"
      
      * tag 'mfd-fixes-4.7.1' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
        usb: dwc3: st: Use explicit reset_control_get_exclusive() API
        phy: phy-stih407-usb: Use explicit reset_control_get_exclusive() API
        phy: miphy28lp: Inform the reset framework that our reset line may be shared
      0d064a7b
    • Linus Torvalds's avatar
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · f3683ccd
      Linus Torvalds authored
      Pull libnvdimm fixes from Dan Williams:
       "1/ Two regression fixes since v4.6: one for the byte order of a sysfs
           attribute (bz121161) and another for QEMU 2.6's NVDIMM _DSM (ACPI
           Device Specific Method) implementation that gets tripped up by new
           auto-probing behavior in the NFIT driver.
      
        2/ A fix tagged for -stable that stops the kernel from
           clobbering/ignoring changes to the configuration of a 'pfn'
           instance ("struct page" driver).  For example changing the
           alignment from 2M to 1G may silently revert to 2M if that value is
           currently stored on media.
      
        3/ A fix from Eric for an xfstests failure in dax.  It is not
           currently tagged for -stable since it requires an 8-exabyte file
           system to trigger, and there appear to be no user visible side
           effects"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        nfit: fix format interface code byte order
        dax: fix offset overflow in dax_io
        acpi, nfit: fix acpi_check_dsm() vs zero functions implemented
        libnvdimm, pfn, dax: fix initialization vs autodetect for mode + alignment
      f3683ccd
    • Linus Torvalds's avatar
      Merge tag 'staging-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 6e5c4f13
      Linus Torvalds authored
      Pull staging and IIO fixes from Greg KH:
       "Here are a few small staging and iio driver fixes for 4.7-rc6.
      
        Nothing major here, just a number of small fixes, all have been in
        linux-next for a while, and the full details are in the shortlog"
      
      * tag 'staging-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        iio:ad7266: Fix probe deferral for vref
        iio:ad7266: Fix support for optional regulators
        iio:ad7266: Fix broken regulator error handling
        iio: accel: kxsd9: fix the usage of spi_w8r8()
        staging: iio: accel: fix error check
        staging: iio: ad5933: fix order of cycle conditions
        staging: iio: fix ad7606_spi regression
        iio: inv_mpu6050: Fix use-after-free in ACPI code
      6e5c4f13
    • Linus Torvalds's avatar
      Merge tag 'tty-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 756c0aec
      Linus Torvalds authored
      Pull tty fixes from Greg KH:
       "Here are two tty fixes for some reported issues.  One resolves a crash
        in devpts, and the other resolves a problem with the fbcon cursor
        blink causing lockups.
      
        Both have been in linux-next with no reported problems"
      
      * tag 'tty-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        devpts: fix null pointer dereference on failed memory allocation
        tty: vt: Fix soft lockup in fbcon cursor blink timer.
      756c0aec
    • Linus Torvalds's avatar
      Merge tag 'usb-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 0232b23d
      Linus Torvalds authored
      Pull USB and PHY fixes from Greg KH:
       "Here are a number of small USB and PHY driver fixes for 4.7-rc6.
      
        Nothing major here, all are described in the shortlog below.  All have
        been in linux-next with no reported issues"
      
      * tag 'usb-4.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: don't free bandwidth_mutex too early
        USB: EHCI: declare hostpc register as zero-length array
        phy-sun4i-usb: Fix irq free conditions to match request conditions
        phy: bcm-ns-usb2: checking the wrong variable
        phy-sun4i-usb: fix missing __iomem *
        phy: phy-sun4i-usb: Fix optional gpios failing probe
        phy: rockchip-dp: fix return value check in rockchip_dp_phy_probe()
        phy: rcar-gen3-usb2: fix unexpected repeat interrupts of VBUS change
        usb: common: otg-fsm: add license to usb-otg-fsm
      0232b23d
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · aa7a6c8e
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Three fixes:
      
         - Fix use of smp_processor_id() in preemptible code in the IOVA
           allocation code.  This got introduced with the scalability
           improvements in this release cycle.
      
         - A VT-d fix for out-of-bounds access of the iommu->domains array.
           The bug showed during suspend/resume.
      
         - AMD IOMMU fix to print the correct device id in the ACPI parsing
           code"
      
      * tag 'iommu-fixes-v4.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Initialize devid variable before using it
        iommu/vt-d: Fix overflow of iommu->domains array
        iommu/iova: Disable preemption around use of this_cpu_ptr()
      aa7a6c8e
    • Mark Brown's avatar
      Merge remote-tracking branches 'regulator/fix/anatop' and... · a29a36f2
      Mark Brown authored
      Merge remote-tracking branches 'regulator/fix/anatop' and 'regulator/fix/max77620' into regulator-linus
      a29a36f2
    • Miklos Szeredi's avatar
      locks: use file_inode() · 6343a212
      Miklos Szeredi authored
      (Another one for the f_path debacle.)
      
      ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.
      
      The reason is that generic_add_lease() used filp->f_path.dentry->inode
      while all the others use file_inode().  This makes a difference for files
      opened on overlayfs since the former will point to the overlay inode the
      latter to the underlying inode.
      
      So generic_add_lease() added the lease to the overlay inode and
      generic_delete_lease() removed it from the underlying inode.  When the file
      was released the lease remained on the overlay inode's lock list, resulting
      in use after free.
      Reported-by: default avatarEryu Guan <eguan@redhat.com>
      Fixes: 4bacc9c9 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      6343a212
    • Lee Jones's avatar
      usb: dwc3: st: Use explicit reset_control_get_exclusive() API · 5baaf3b9
      Lee Jones authored
      We're making all reset line users specify whether their lines are
      shared with other IP or they operate them exclusively.  In this case
      the line is exclusively used only by this IP, so use the *_exclusive()
      API accordingly.
      Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      5baaf3b9
    • Lee Jones's avatar
      phy: phy-stih407-usb: Use explicit reset_control_get_exclusive() API · f5f35830
      Lee Jones authored
      We're making all reset line users specify whether their lines are
      shared with other IP or they operate them exclusively.  In this case
      the line is exclusively used only by this IP, so use the *_exclusive()
      API accordingly.
      Acked-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      f5f35830
    • Lee Jones's avatar
      phy: miphy28lp: Inform the reset framework that our reset line may be shared · 8293c8a3
      Lee Jones authored
      On the STiH410 B2120 development board the MiPHY28lp shares its reset
      line with the Synopsys DWC3 SuperSpeed (SS) USB 3.0 Dual-Role-Device
      (DRD).  New functionality in the reset subsystems forces consumers to
      be explicit when requesting shared/exclusive reset lines.
      Acked-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      8293c8a3
    • Andrey Ulanov's avatar
      namespace: update event counter when umounting a deleted dentry · e06b933e
      Andrey Ulanov authored
      - m_start() in fs/namespace.c expects that ns->event is incremented each
        time a mount added or removed from ns->list.
      - umount_tree() removes items from the list but does not increment event
        counter, expecting that it's done before the function is called.
      - There are some codepaths that call umount_tree() without updating
        "event" counter. e.g. from __detach_mounts().
      - When this happens m_start may reuse a cached mount structure that no
        longer belongs to ns->list (i.e. use after free which usually leads
        to infinite loop).
      
      This change fixes the above problem by incrementing global event counter
      before invoking umount_tree().
      
      Change-Id: I622c8e84dcb9fb63542372c5dbf0178ee86bb589
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndrey Ulanov <andreyu@google.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      e06b933e
    • Miklos Szeredi's avatar
      9p: use file_dentry() · b403f0e3
      Miklos Szeredi authored
      v9fs may be used as lower layer of overlayfs and accessing f_path.dentry
      can lead to a crash.  In this case it's a NULL pointer dereference in
      p9_fid_create().
      
      Fix by replacing direct access of file->f_path.dentry with the
      file_dentry() accessor, which will always return a native object.
      Reported-by: default avatarAlessio Igor Bogani <alessioigorbogani@gmail.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Tested-by: default avatarAlessio Igor Bogani <alessioigorbogani@gmail.com>
      Fixes: 4bacc9c9 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b403f0e3
  7. 30 Jun, 2016 4 commits