- 13 Apr, 2015 3 commits
-
-
Vineet Gupta authored
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-
Vineet Gupta authored
* There was obvious bit rot due to lack of use * Old naming was confusing since BCR are read only Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-
Mischa Jonker authored
Signed-off-by: Mischa Jonker <mjonker@synopsys.com>
-
- 31 Mar, 2015 1 commit
-
-
Alex Dowad authored
The 'arg' argument to copy_thread() is only ever used when forking a new kernel thread. Hence, rename it to 'kthread_arg' for clarity. Signed-off-by: Alex Dowad <alexinbeijing@gmail.com> Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-
- 29 Mar, 2015 7 commits
-
-
Linus Torvalds authored
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-socLinus Torvalds authored
Pull ARM SoC fixes from Olof Johansson: "The latest and greatest fixes for ARM platform code. Worth pointing out are: - Lines-wise, largest is a PXA fix for dealing with interrupts on DT that was quite broken. It's still newish code so while we could have held this off, it seemed appropriate to include now - Some GPIO fixes for OMAP platforms added a few lines. This was also fixes for code recently added (this release). - Small OMAP timer fix to behave better with partially upstreamed platforms, which is quite welcome. - Allwinner fixes about operating point control, reducing overclocking in some cases for better stability. plus a handful of other smaller fixes across the map" * tag 'armsoc-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: arm64: juno: Fix misleading name of UART reference clock ARM: dts: sunxi: Remove overclocked/overvoltaged OPP ARM: dts: sun4i: a10-lime: Override and remove 1008MHz OPP setting ARM: socfpga: dts: fix spi1 interrupt ARM: dts: Fix gpio interrupts for dm816x ARM: dts: dra7: remove ti,hwmod property from pcie phy ARM: OMAP: dmtimer: disable pm runtime on remove ARM: OMAP: dmtimer: check for pm_runtime_get_sync() failure ARM: OMAP2+: Fix socbus family info for AM33xx devices ARM: dts: omap3: Add missing dmas for crypto ARM: dts: rockchip: disable gmac by default in rk3288.dtsi MAINTAINERS: add rockchip regexp to the ARM/Rockchip entry ARM: pxa: fix pxa interrupts handling in DT ARM: pxa: Fix typo in zeus.c ARM: sunxi: Have ARCH_SUNXI select RESET_CONTROLLER for clock driver usage
-
Olof Johansson authored
Merge tag 'sunxi-fixes-for-4.0' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into fixes Allwinner fixes for 4.0 There's a few fixes to merge for 4.0, one to add a select in the machine Kconfig option to fix a potential build failure, and two fixing cpufreq related issues. * tag 'sunxi-fixes-for-4.0' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux: ARM: dts: sunxi: Remove overclocked/overvoltaged OPP ARM: dts: sun4i: a10-lime: Override and remove 1008MHz OPP setting ARM: sunxi: Have ARCH_SUNXI select RESET_CONTROLLER for clock driver usage Signed-off-by: Olof Johansson <olof@lixom.net>
-
Olof Johansson authored
Merge tag 'fixes-v4.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into fixes Fixes for omaps for the -rc cycle: - Fix a device tree based booting vs legacy booting regression for omap3 crypto hardware by adding the missing DMA channels. - Fix /sys/bus/soc/devices/soc0/family for am33xx devices. - Fix two timer issues that can cause hangs if the timer related hwmod data is missing like it often initially is for new SoCs. - Remove pcie hwmods entry from dts as that causes runtime PM to fail for the PHYs. - A paper bag type dts configuration fix for dm816x GPIO interrupts that I just noticed. This is most of the changes diffstat wise, but as it's a basic feature for connecting devices and things work otherwise, it should be fixed. * tag 'fixes-v4.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: Fix gpio interrupts for dm816x ARM: dts: dra7: remove ti,hwmod property from pcie phy ARM: OMAP: dmtimer: disable pm runtime on remove ARM: OMAP: dmtimer: check for pm_runtime_get_sync() failure ARM: OMAP2+: Fix socbus family info for AM33xx devices ARM: dts: omap3: Add missing dmas for crypto Signed-off-by: Olof Johansson <olof@lixom.net>
-
git://git.rocketboards.org/linux-socfpga-nextOlof Johansson authored
Late fix for v4.0 on the SoCFPGA platform: - Fix interrupt number for SPI1 interface * tag 'socfpga_fix_for_v4.0_2' of git://git.rocketboards.org/linux-socfpga-next: ARM: socfpga: dts: fix spi1 interrupt Signed-off-by: Olof Johansson <olof@lixom.net>
-
Dave Martin authored
The UART reference clock speed is 7273.8 kHz, not 72738 kHz. Dots aren't usually used in node names even though ePAPR permits them. However, this can easily be avoided by expressing the frequency in Hz, not kHz. This patch changes the name to refclk7273800hz, reflecting the actual clock speed. Signed-off-by: Dave Martin <Dave.Martin@arm.com> Acked-by: Liviu Dudau <Liviu.Dudau@arm.com> Signed-off-by: Olof Johansson <olof@lixom.net>
-
https://github.com/rjarzmik/linuxOlof Johansson authored
arm: pxa: fixes for v4.0-rc5 There are only 2 fixes, one for the zeus board about the regulator changes, where a typo prevented the zeus board from having a working can regulator, and one regression triggered by the interrupts IRQ shift of 16 affecting all boards. * tag 'fixes-for-v4.0-rc5' of https://github.com/rjarzmik/linux: ARM: pxa: fix pxa interrupts handling in DT ARM: pxa: Fix typo in zeus.c Signed-off-by: Olof Johansson <olof@lixom.net>
-
- 28 Mar, 2015 9 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull x86 fix from Ingo Molnar: "Fix x86 syscall exit code bug that resulted in spurious non-execution of TIF-driven user-return worklets, causing big trouble for things like KVM that rely on user notifiers for correctness of their vcpu model, causing crashes like double faults" * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/asm/entry: Check for syscall exit work with IRQs disabled
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull timer fixes from Ingo Molnar: "Two clocksource driver fixes, and an idle loop RCU warning fix" * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: clocksource/drivers/sun5i: Fix cpufreq interaction with sched_clock() clocksource/drivers: Fix various !CONFIG_HAS_IOMEM build errors timers/tick/broadcast-hrtimer: Fix suspicious RCU usage in idle loop
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull scheduler fix from Ingo Molnar: "A single sched/rt corner case fix for RLIMIT_RTIME correctness" * 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched: Fix RLIMIT_RTTIME when PI-boosting to RT
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull perf fix from Ingo Molnar: "A perf kernel side fix for a fuzzer triggered lockup" * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf: Fix irq_work 'tail' recursion
-
git://git.kernel.org/pub/scm/linux/kernel/git/tip/tipLinus Torvalds authored
Pull locking fix from Ingo Molnar: "A module unload lockdep race fix" * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: lockdep: Fix the module unload key range freeing logic
-
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linuxLinus Torvalds authored
Pull parsic fixes from Helge Deller: "One patch from Mikulas fixes a bug on parisc by artifically incrementing the counter in pmd_free when the kernel tries to free the preallocated pmd. Other than that we now prevent that syscalls gets added without incrementing __NR_Linux_syscalls and fix the initial pmd setup code if a default page size greater than 4k has been selected" * 'parisc-4.0-1' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix pmd code to depend on PT_NLEVELS value, not on CONFIG_64BIT parisc: mm: don't count preallocated pmds parisc: Add compile-time check when adding new syscalls
-
git://git.kernel.org/pub/scm/virt/kvm/kvmLinus Torvalds authored
Pull kvm ppc bugfixes from Marcelo Tosatti. * git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: PPC: Book3S HV: Fix instruction emulation KVM: PPC: Book3S HV: Endian fix for accessing VPA yield count KVM: PPC: Book3S HV: Fix spinlock/mutex ordering issue in kvmppc_set_lpcr()
-
git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arcLinus Torvalds authored
Pull ARC fixes from Vineet Gupta: "We found some issues with signal handling taking down the system. I know its late, but these are important and all marked for stable. ARC signal handling related fixes uncovered during recent testing of NPTL tools" * tag 'arc-4.0-fixes-part-2' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: signal handling robustify ARC: SA_SIGINFO ucontext regs off-by-one
-
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-securityLinus Torvalds authored
Pull selinux bugfix from James Morris. Fix broken return value. * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: selinux: fix sel_write_enforce broken return value
-
- 27 Mar, 2015 6 commits
-
-
git://www.linux-watchdog.org/linux-watchdogLinus Torvalds authored
Pull watchdog fixes from Wim Van Sebroeck: - mtk_wdt: signedness bug in mtk_wdt_start() - imgpdc: Fix NULL pointer dereference during probe and fix the default heartbeat * git://www.linux-watchdog.org/linux-watchdog: watchdog: imgpdc: Fix default heartbeat watchdog: imgpdc: Fix probe NULL pointer dereference watchdog: mtk_wdt: signedness bug in mtk_wdt_start()
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "Three trivial oneliner fixes for HD-audio. Two are device-specific quirks while one is a generic fix for recent Realtek codecs" * tag 'sound-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda - Add one more node in the EAPD supporting candidate list ALSA: hda_intel: apply the Seperate stream_tag for Sunrise Point ALSA: hda - Add dock support for Thinkpad T450s (17aa:5036)
-
-
James Hogan authored
The IMG PDC watchdog driver heartbeat module parameter has no default so it is initialised to zero. This results in the following warning during probe: imgpdc-wdt 2006000.wdt: Initial timeout out of range! setting max timeout The module parameter description implies that the default value should be PDC_WDT_DEF_TIMEOUT, which isn't yet used, so initialise it to that. Also tweak the heartbeat module parameter description for consistency. Fixes: 93937669 ("watchdog: ImgTec PDC Watchdog Timer Driver") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Ezequiel Garcia <ezequiel.garcia@imgtec.com> Cc: Naidu Tellapati <Naidu.Tellapati@imgtec.com> Cc: Jude Abraham <Jude.Abraham@imgtec.com> Cc: linux-watchdog@vger.kernel.org Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
-
James Hogan authored
The IMG PDC watchdog probe function calls pdc_wdt_stop() prior to watchdog_set_drvdata(), causing a NULL pointer dereference when pdc_wdt_stop() retrieves the struct pdc_wdt_dev pointer using watchdog_get_drvdata() and reads the register base address through it. Fix by moving the watchdog_set_drvdata() call earlier, to where various other pdc_wdt->wdt_dev fields are initialised. Fixes: 93937669 ("watchdog: ImgTec PDC Watchdog Timer Driver") Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Ezequiel Garcia <ezequiel.garcia@imgtec.com> Cc: Naidu Tellapati <Naidu.Tellapati@imgtec.com> Cc: Jude Abraham <Jude.Abraham@imgtec.com> Cc: linux-watchdog@vger.kernel.org Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
-
Dan Carpenter authored
"ret" should be signed for the error handling to work correctly. This doesn't matter much in real life since mtk_wdt_set_timeout() always succeeds. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Matthias Brugger <matthias.bgg@gmail.com> Reviewed-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
-
- 26 Mar, 2015 14 commits
-
-
git://people.freedesktop.org/~airlied/linuxLinus Torvalds authored
Pull drm refcounting fixes from Dave Airlie: "Here is the complete set of i915 bug/warn/refcounting fixes" * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: drm/i915: Fixup legacy plane->crtc link for initial fb config drm/i915: Fix atomic state when reusing the firmware fb drm/i915: Keep ring->active_list and ring->requests_list consistent drm/i915: Don't try to reference the fb in get_initial_plane_config() drm: Fixup racy refcounting in plane_force_disable
-
git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dmLinus Torvalds authored
Pull device mapper fix from Mike Snitzer: "Fix DM core device cleanup regression -- due to a latent race that was exposed by the bdi changes that were introduced during the 4.0 merge" * tag 'dm-4.0-fix-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm: fix add_disk() NULL pointer due to race with free_dev()
-
Linus Torvalds authored
Merge tag 'linux-kselftest-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kselftest fix from Shuah Khan. * tag 'linux-kselftest-4.0-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests: Fix build failures when invoked from kselftest target
-
git://anongit.freedesktop.org/drm-intelDave Airlie authored
This should cover the final warnings in -rc5 with two more backports from our development branch (drm-intel-next-queued). They're the ones from Daniel and Damien, with references to the reports. This is on top of drm-fixes because of the dependency on the two earlier fixes not yet in Linus' tree. There's an additional regression fix from Chris. * tag 'drm-intel-fixes-2015-03-26' of git://anongit.freedesktop.org/drm-intel: drm/i915: Fixup legacy plane->crtc link for initial fb config drm/i915: Fix atomic state when reusing the firmware fb drm/i915: Keep ring->active_list and ring->requests_list consistent
-
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linuxLinus Torvalds authored
Pull s390 fixes from Martin Schwidefsky: "A couple of bug fixes for s390. The ftrace comile fix is quite large for a -rc6 release, but it would be nice to have it in 4.0" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/smp: reenable smt after resume s390/mm: limit STACK_RND_MASK for compat tasks s390/ftrace: fix compile error if CONFIG_KPROBES is disabled s390/cpum_sf: add diagnostic sampling event only if it is authorized
-
Daniel Vetter authored
This is a very similar bug in the load detect code fixed in commit 9128b040 Author: Daniel Vetter <daniel.vetter@ffwll.ch> Date: Tue Mar 3 17:31:21 2015 +0100 drm/i915: Fix modeset state confusion in the load detect code But this time around it was the initial fb code that forgot to update the plane->crtc pointer. Otherwise it's the exact same bug, with the exact same restrains (any set_config call/ioctl that doesn't disable the pipe papers over the bug for free, so fairly hard to hit in normal testing). So if you want the full explanation just go read that one over there - it's rather long ... Cc: Matt Roper <matthew.d.roper@intel.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Chris Wilson <chris@chris-wilson.co.uk> Cc: Josh Boyer <jwboyer@fedoraproject.org> Cc: Jani Nikula <jani.nikula@linux.intel.com> Reported-and-tested-by: Josh Boyer <jwboyer@fedoraproject.org> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> [Jani: backported to drm-intel-fixes for v4.0-rc] Reference: http://mid.gmane.org/CA+5PVA7ChbtJrknqws1qvZcbrg1CW2pQAFkSMURWWgyASRyGXg@mail.gmail.comSigned-off-by: Jani Nikula <jani.nikula@intel.com>
-
Damien Lespiau authored
Right now, we get a warning when taking over the firmware fb: [drm:drm_atomic_plane_check] FB set but no CRTC with the following backtrace: [<ffffffffa010339d>] drm_atomic_check_only+0x35d/0x510 [drm] [<ffffffffa0103567>] drm_atomic_commit+0x17/0x60 [drm] [<ffffffffa00a6ccd>] drm_atomic_helper_plane_set_property+0x8d/0xd0 [drm_kms_helper] [<ffffffffa00f1fed>] drm_mode_plane_set_obj_prop+0x2d/0x90 [drm] [<ffffffffa00a8a1b>] restore_fbdev_mode+0x6b/0xf0 [drm_kms_helper] [<ffffffffa00aa969>] drm_fb_helper_restore_fbdev_mode_unlocked+0x29/0x80 [drm_kms_helper] [<ffffffffa00aa9e2>] drm_fb_helper_set_par+0x22/0x50 [drm_kms_helper] [<ffffffffa050a71a>] intel_fbdev_set_par+0x1a/0x60 [i915] [<ffffffff813ad444>] fbcon_init+0x4f4/0x580 That's because we update the plane state with the fb from the firmware, but we never associate the plane to that CRTC. We don't quite have the full DRM take over from HW state just yet, so fake enough of the plane atomic state to pass the checks. v2: Fix the state on which we set the CRTC in the case we're sharing the initial fb with another pipe. (Matt) Signed-off-by: Damien Lespiau <damien.lespiau@intel.com> Reviewed-by: Matt Roper <matthew.d.roper@intel.com> Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch> [Jani: backported to drm-intel-fixes for v4.0-rc] Reference: http://mid.gmane.org/CA+5PVA7yXH=U757w8V=Zj2U1URG4nYNav20NpjtQ4svVueyPNw@mail.gmail.com Reference: http://lkml.kernel.org/r/CA+55aFweWR=nDzc2Y=rCtL_H8JfdprQiCimN5dwc+TgyD4Bjsg@mail.gmail.comSigned-off-by: Jani Nikula <jani.nikula@intel.com>
-
Hui Wang authored
We have a HP machine which use the codec node 0x17 connecting the internal speaker, and from the node capability, we saw the EAPD, if we don't set the EAPD on for this node, the internal speaker can't output any sound. Cc: <stable@vger.kernel.org> BugLink: https://bugs.launchpad.net/bugs/1436745Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Maxime Ripard authored
The sun5i timer is used as the sched-clock on certain systems, and ever since we started using cpufreq, the cpu clock (that is one of the timer's clock indirect parent) now changes as well, along with the actual sched_clock() rate. This is not accurate and not desirable. We can safely remove the sun5i sched-clock on those systems, since we have other reliable sched_clock() sources in the system. Tested-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com> Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> [ Improved the changelog. ] Cc: richard@nod.at Link: http://lkml.kernel.org/r/1427362029-6511-4-git-send-email-daniel.lezcano@linaro.orgSigned-off-by: Ingo Molnar <mingo@kernel.org>
-
Richard Weinberger authored
Fix !CONFIG_HAS_IOMEM related build failures in three clocksource drivers. The build failures have the pattern of: drivers/clocksource/sh_cmt.c: In function ‘sh_cmt_map_memory’: drivers/clocksource/sh_cmt.c:920:2: error: implicit declaration of function ‘ioremap_nocache’ [-Werror=implicit-function-declaration] cmt->mapbase = ioremap_nocache(mem->start, resource_size(mem)); Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org> Acked-by: Geert Uytterhoeven <geert+renesas@glider.be> Cc: maxime.ripard@free-electrons.com Link: http://lkml.kernel.org/r/1427362029-6511-1-git-send-email-daniel.lezcano@linaro.orgSigned-off-by: Ingo Molnar <mingo@kernel.org>
-
Chris Wilson authored
If we retire requests last, we may use a later seqno and so clear the requests lists without clearing the active list, leading to confusion. Hence we should retire requests first for consistency with the early return. The order used to be important as the lifecycle for the object on the active list was determined by request->seqno. However, the requests themselves are now reference counted removing the constraint from the order of retirement. Fixes regression from commit 1b5a433a Author: John Harrison <John.C.Harrison@Intel.com> Date: Mon Nov 24 18:49:42 2014 +0000 drm/i915: Convert 'i915_seqno_passed' calls into 'i915_gem_request_completed ' and a WARNING: CPU: 0 PID: 1383 at drivers/gpu/drm/i915/i915_gem_evict.c:279 i915_gem_evict_vm+0x10c/0x140() WARN_ON(!list_empty(&vm->active_list)) Identified by updating WATCH_LISTS: [drm:i915_verify_lists] *ERROR* blitter ring: active list not empty, but no requests WARNING: CPU: 0 PID: 681 at drivers/gpu/drm/i915/i915_gem.c:2751 i915_gem_retire_requests_ring+0x149/0x230() WARN_ON(i915_verify_lists(ring->dev)) Note that this is only a problem in evict_vm where the following happens after a retire_request has cleaned out all requests, but not all active bo: - intel_ring_idle called from i915_gpu_idle notices that no requests are outstanding and immediately returns. - i915_gem_retire_requests_ring called from i915_gem_retire_requests also immediately returns when there's no request, still leaving the bo on the active list. - evict_vm hits the WARN_ON(!list_empty(&vm->active_list)) after evicting all active objects that there's still stuff left that shouldn't be there. Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> Cc: John Harrison <John.C.Harrison@Intel.com> Cc: Daniel Vetter <daniel.vetter@ffwll.ch> Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by: Jani Nikula <jani.nikula@intel.com>
-
Libin Yang authored
The total stream number of Sunrise Point's input and output stream exceeds 15, which will cause some streams do not work because of the overflow on SDxCTL.STRM field if using the legacy stream tag allocation method. This patch uses the new stream tag allocation method by add the flag AZX_DCAPS_SEPARATE_STREAM_TAG for Skylake platform. Signed-off-by: Libin Yang <libin.yang@intel.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
-
Vineet Gupta authored
A malicious signal handler / restorer can DOS the system by fudging the user regs saved on stack, causing weird things such as sigreturn returning to user mode PC but cpu state still being kernel mode.... Ensure that in sigreturn path status32 always has U bit; any other bogosity (gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms. Reproducer signal handler: void handle_sig(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); regs->scratch.status32 = 0; } Before the fix, kernel would go off to weeds like below: --------->8----------- [ARCLinux]$ ./signal-test Path: /signal-test CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65 task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000 [ECR ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698 [EFA ]: 0x00000010 [BLINK ]: 0x2007c1ee [ERET ]: 0x10698 [STAT32]: 0x00000000 : <-------- BTA: 0x00010680 SP: 0x5ffe7e48 FP: 0x00000000 LPS: 0x20003c6c LPE: 0x20003c70 LPC: 0x00000000 ... --------->8----------- Reported-by: Alexey Brodkin <abrodkin@synopsys.com> Cc: <stable@vger.kernel.org> Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-
Vineet Gupta authored
The regfile provided to SA_SIGINFO signal handler as ucontext was off by one due to pt_regs gutter cleanups in 2013. Before handling signal, user pt_regs are copied onto user_regs_struct and copied back later. Both structs are binary compatible. This was all fine until commit 2fa91904 (ARC: pt_regs update #2) which removed the empty stack slot at top of pt_regs (corresponding to first pad) and made the corresponding fixup in struct user_regs_struct (the pad in there was moved out of @scratch - not removed altogether as it is part of ptrace ABI) struct user_regs_struct { + long pad; struct { - long pad; long bta, lp_start, lp_end,.... } scratch; ... } This meant that now user_regs_struct was off by 1 reg w.r.t pt_regs and signal code needs to user_regs_struct.scratch to reflect it as pt_regs, which is what this commit does. This problem was hidden for 2 years, because both save/restore, despite using wrong location, were using the same location. Only an interim inspection (reproducer below) exposed the issue. void handle_segv(int signo, siginfo_t *info, void *context) { ucontext_t *uc = context; struct user_regs_struct *regs = &(uc->uc_mcontext.regs); printf("regs %x %x\n", <=== prints 7 8 (vs. 8 9) regs->scratch.r8, regs->scratch.r9); } int main() { struct sigaction sa; sa.sa_sigaction = handle_segv; sa.sa_flags = SA_SIGINFO; sigemptyset(&sa.sa_mask); sigaction(SIGSEGV, &sa, NULL); asm volatile( "mov r7, 7 \n" "mov r8, 8 \n" "mov r9, 9 \n" "mov r10, 10 \n" :::"r7","r8","r9","r10"); *((unsigned int*)0x10) = 0; } Fixes: 2fa91904 "ARC: pt_regs update #2: Remove unused gutter at start of pt_regs" CC: <stable@vger.kernel.org> Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
-