Commit graph

605488 commits

Author SHA1 Message Date
E V Ravi
26e111f650 msm: v4l2loopback: to enable 4l2loopback in kernel defconfigs
Enabling v4l2loopback modules in kernel defconfigs
to create virtual video devices.

Change-Id: I96432310f24874effa5080620340325f97719d3a
Signed-off-by: E V Ravi <evenka@codeaurora.org>
2019-04-03 22:02:58 -07:00
Linux Build Service Account
ef1fab24b2 Merge "fbdev: msm: remove check for rgb source format" 2019-04-03 05:15:03 -07:00
Linux Build Service Account
4594ebbba3 Merge "drm/msm: adjust HDMI DDC speed configuration" 2019-04-03 05:15:01 -07:00
Linux Build Service Account
e124f48789 Merge "drm/msm/sde: add post_disable stage for phys encoder" 2019-04-03 05:14:59 -07:00
Linux Build Service Account
74a50c62c4 Merge "msm: v4l2loopback: to create V4L2 loopback devices" 2019-04-02 12:20:05 -07:00
Gerrit - the friendly Code Review server
023eab95f9 Merge changes into msm-4.4 2019-04-02 12:09:32 -07:00
Linux Build Service Account
6a214b82af Merge "Merge android-4.4.177 (0c3b8c4) into msm-4.4" 2019-04-02 03:57:43 -07:00
Linux Build Service Account
6e016ebde6 Merge "Scsi: ufs: fix issue of task tag in used" 2019-03-31 20:13:22 -07:00
Shadab Naseem
1dca5a048f scripts: gcc-wrapper: Route the GCC errors to stderr
The GCC wrapper writes any error message from GCC to stdout
along with the messages from the wrapper itself. This is okay
for most case, but when GCC is used with -print-xxx flags,
the stdout output is supposed to be taken as input to some
other build command, so putting error messages in there is
pretty bad. Fix this by writing error messages to stderr.

Change-Id: I4656033f11ba5212fdcc884cc588f8b9d2c23419
Signed-off-by: Shadab Naseem <snaseem@codeaurora.org>
2019-03-29 04:31:05 -07:00
Ziqi Chen
11306d8c05 Scsi: ufs: fix issue of task tag in used
Fix a coding error that lrb_in_use bitmap is cleared twice after its
corresponding request is completed. Otherwise, a tag, which is assigned
to a new request, get released from lrb_in_use in the first clear shall
be cleared again even before the new request is actually completed. Fix
this error by removing the second clear.

CRs-Fixed: 2417820
Change-Id: I4216fa32073d2a0f0f15c0979e4dd0ad542ce684
Signed-off-by: Ziqi Chen <ziqichen@codeaurora.org>
2019-03-29 11:12:40 +08:00
Linux Build Service Account
2fe82d10f2 Merge "msm: asm: validate ADSP data before access" 2019-03-28 04:23:56 -07:00
Linux Build Service Account
337623ba25 Merge "soc: qcom: subsystem_notif_virt: Add waitqueue support for SSR" 2019-03-28 04:23:52 -07:00
E V Ravi
3ad287e4ef msm: v4l2loopback: to create V4L2 loopback devices
This module allows to create "virtual video devices".
Normal (v4l2) applications will read these devices as
if they were ordinary video devices.

Signed-off-by: E V Ravi <evenka@codeaurora.org>
Git-commit:541e3bc7aaf46dc9a21f92c7f527397fce03dfd8
Git-repo: https://github.com/umlaeute/v4l2loopback
Revision: v0.12.1
Change-Id: I294a02ee282404ae84e0d7dc62373a172b4f0c23
2019-03-28 12:04:27 +05:30
Xiaowen Wu
af3c190374 drm/msm/sde: add post_disable stage for phys encoder
add post_disable stage for each phys encoder to clear ctl_top

Change-Id: Ib34059546b6ddf7bbd2c60fd8321a7f820b97986
Signed-off-by: Xiaowen Wu <wxiaowen@codeaurora.org>
2019-03-27 22:04:52 -07:00
Linux Build Service Account
daaf0eeb1c Merge "usb: gadget: f_fs: Queue request after setting is_busy flag" 2019-03-27 16:34:41 -07:00
Anant Goel
ab9f5d8837 soc: qcom: subsystem_notif_virt: Add waitqueue support for SSR
Add blocking support for SSR on the GHS platform. SSR will
block until receiving acknowledgment.

Change-Id: I549908f702318fc9e9dca5cdb12ad353881b6991
Signed-off-by: Anant Goel <anantg@codeaurora.org>
2019-03-27 11:07:47 -07:00
Linux Build Service Account
bff3c3db6b Merge "drivers: soc: qcom: Added check to avoid opening multiple instance" 2019-03-27 08:15:07 -07:00
Linux Build Service Account
a7aa04bc70 Merge "msm: vidc: Disable DCVS in DTSI" 2019-03-27 08:14:53 -07:00
Linux Build Service Account
184af681d4 Merge "msm: vidc: Add common Boot KPI marker" 2019-03-27 08:14:50 -07:00
Linux Build Service Account
10ea8a72f6 Merge "drm/msm: read V' only for non-zero device count repeater" 2019-03-26 22:47:18 -07:00
Ajay Agarwal
1c738b6a5f usb: gadget: f_fs: Queue request after setting is_busy flag
Currently the driver queues OUT EP request after ensuring that
is_busy flag is false, and then sets it true. It might be
possible that the queued request is completed before the
execution reaches next line to set is_busy to true. As a result,
is_busy remains true even after successful completion and no
further request is queued.
Fix this by first setting is_busy to true and then queueing the
request.

Change-Id: I87fce4e2cc94be8e6b6fb63fb1fc9afb9cf0d005
Signed-off-by: Ajay Agarwal <ajaya@codeaurora.org>
2019-03-27 09:42:46 +05:30
Vignesh Kulothungan
108157a551 msm: asm: validate ADSP data before access
Validate buffer index obtained from ADSP token before using it.

CRs-Fixed: 2372302
Change-Id: I5c3b1634bd08b516844638dd67f726a882edfc17
Signed-off-by: Vignesh Kulothungan <vigneshk@codeaurora.org>
2019-03-26 19:46:09 -07:00
Abhinav Kumar
1b1e63b1a7 drm/msm: adjust HDMI DDC speed configuration
HDMI 2.0 compliance E-DDC test requires the DDC
signal timings to meet a minimum threshold to pass
the compliance test. Current DDC settings were not
matching the requirement.

Adjust the DDC settings to meet the threshold and
also make sure to leave the remaining bits of DDC
speed register untouched.

Change-Id: I1eb9304f219906e48f8dec988cd818b879911e71
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
2019-03-26 16:18:20 -07:00
Abhinav Kumar
38e93647f7 drm/msm: read V' only for non-zero device count repeater
For repeaters having zero device count, the HDCP CTS expects
the device under test to either read V' and perform full
authentication or not read V' and re-authenticate.

Current HDCP driver reads V' and also re-authenticates causing
a failure of zero device count repeater test cases.

Fix this issue by implementing the correct sequence
in case of zero downstream devices.

Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>
Change-Id: Idc36b4bc08091e23c23503aed815e19f459a62d2
2019-03-26 16:17:53 -07:00
Linux Build Service Account
83fc1fe435 Merge "icnss: Add Api to Block/Unblock modem shutdown" 2019-03-26 15:26:06 -07:00
Suprith Malligere Shankaregowda
5ac9e067c5 msm: vidc: Disable DCVS in DTSI
DCVS is not required for automotive and it is causing significant
frame drops for some clips. Hence disable it for automotive, adding
an entry in DTSI so that this can be made platform-specific.

Change-Id: I02e7ec16c7024bbc82cae93aa3e27ca8a46bb503
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
2019-03-27 00:28:18 +05:30
Suprith Malligere Shankaregowda
5219134535 msm: vidc: Add common Boot KPI marker
Add a boot marker to indicate the time when video
driver probe is completed and the device is ready.

Change-Id: Ic9deb35cabbfa1cc7ad079656bde711014d3529e
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>
2019-03-26 22:28:29 +05:30
Linux Build Service Account
90059640cc Merge "cnss2: Initialize plat_priv during bus_init" 2019-03-26 07:12:51 -07:00
Linux Build Service Account
6a53afbc7e Merge "icnss: Defer modem graceful shutdown until probe complete" 2019-03-26 07:12:49 -07:00
Anurag Chouhan
8846ee70c3 icnss: Add Api to Block/Unblock modem shutdown
Add API to Block/Unblock modem graceful shutdown.

Change-Id: I69b061fc7d25762b2c36d9590802addfc170f91f
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-26 14:41:37 +05:30
Anurag Chouhan
1174076aa2 icnss: Defer modem graceful shutdown until probe complete
In case WLAN driver probe is in progress and modem graceful
shutdown occurs and if modem shutdown request is sent just
before the mode on request sent to firmware, firmware may end up
in illegal memory access.
To address this issue, modem notifier needs to be blocked needs for
probe to complete or max 5 seconds timeout.

CRs-Fixed: 2381846
Change-Id: I9e13a11c56059cb29e161c34df11de484f87ac5e
Signed-off-by: Sandeep Singh <sandsing@codeaurora.org>
2019-03-26 14:22:06 +05:30
Jayachandran Sreekumaran
a7370a6289 cnss2: Initialize plat_priv during bus_init
cnss_usb_data structure member plat_priv remains uninitialized till
the function invoke of cnss_usb_probe. This leads to the access of
uninitialized pointer plat_priv if CLD gets loaded prior to
firmware download completion. Hence initialize the plat_priv
in cnss_usb_data structure during cnss_usb_init.

Change-Id: Ic471eacf22b112aaffe61458e22c7a9102470467
Signed-off-by: Jayachandran Sreekumaran <jsreekum@codeaurora.org>
2019-03-26 12:27:47 +05:30
Rajasekaran Kalidoss
9ccdcef087 cnss2: Add QCN7605 USB for cold boot cal via fs_ready
For triggering cold boot via fs_ready, the device ID
and bus type of QCN7605 USB was added in fs_ready and
cold boot cal start and done handlers.

Change-Id: I28801207c7833af18a09819cd9ab07ede556ac87
Signed-off-by: Rajasekaran Kalidoss <rkalidos@codeaurora.org>
2019-03-25 20:33:25 -07:00
Linux Build Service Account
6543b0a4ad Merge "diag: Add protection while accessing usb_info's buffer table" 2019-03-25 06:22:50 -07:00
Hardik Arya
c739d9858b diag: Add protection while accessing usb_info's buffer table
Currently there a possibility of NULL pointer dereference while
accessing usb_info's buffer table due to missing proper protection.
The patch adds protection for the same.

Change-Id: I974a70a48e7ac47b42bc237aac4db1b9e47be6be
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2019-03-25 02:03:47 -07:00
Hardik Arya
875833b037 diag: Free usb buffer's entry after removing from list
Currently, there is possibility of memory leak due to not
freeing allocated memory for usb buffer's entry after
removing it from list. The patch handle this by freeing
the entry.

Change-Id: Idb08ecad859749e6ab1b09184362de38de4a9836
Signed-off-by: Hardik Arya <harya@codeaurora.org>
2019-03-25 01:44:15 -07:00
Srinivasarao P
19342ee004 Merge android-4.4.177 (0c3b8c4) into msm-4.4
* refs/heads/tmp-0c3b8c4
  Linux 4.4.177
  KVM: X86: Fix residual mmio emulation request to userspace
  KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
  KVM: nVMX: Sign extend displacements of VMX instr's mem operands
  drm/radeon/evergreen_cs: fix missing break in switch statement
  media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
  rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
  PM / wakeup: Rework wakeup source timer cancellation
  nfsd: fix wrong check in write_v4_end_grace()
  nfsd: fix memory corruption caused by readdir
  NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
  NFS: Fix an I/O request leakage in nfs_do_recoalesce
  md: Fix failed allocation of md_register_thread
  perf intel-pt: Fix overlap calculation for padding
  perf auxtrace: Define auxtrace record alignment
  perf intel-pt: Fix CYC timestamp calculation after OVF
  NFS41: pop some layoutget errors to application
  dm: fix to_sector() for 32bit
  ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
  powerpc/83xx: Also save/restore SPRG4-7 during suspend
  powerpc/powernv: Make opal log only readable by root
  powerpc/wii: properly disable use of BATs when requested.
  powerpc/32: Clear on-stack exception marker upon exception return
  jbd2: fix compile warning when using JBUFFER_TRACE
  jbd2: clear dirty flag when revoking a buffer from an older transaction
  serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
  serial: 8250_pci: Fix number of ports for ACCES serial cards
  perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
  i2c: tegra: fix maximum transfer size
  parport_pc: fix find_superio io compare code, should use equal test.
  intel_th: Don't reference unassigned outputs
  kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
  mm/vmalloc: fix size check for remap_vmalloc_range_partial()
  dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
  clk: ingenic: Fix round_rate misbehaving with non-integer dividers
  ext2: Fix underflow in ext2_max_size()
  ext4: fix crash during online resizing
  cpufreq: pxa2xx: remove incorrect __init annotation
  cpufreq: tegra124: add missing of_node_put()
  crypto: pcbc - remove bogus memcpy()s with src == dest
  Btrfs: fix corruption reading shared and compressed extents after hole punching
  btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
  m68k: Add -ffreestanding to CFLAGS
  scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
  scsi: virtio_scsi: don't send sc payload with tmfs
  s390/virtio: handle find on invalid queue gracefully
  clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
  clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
  regulator: s2mpa01: Fix step values for some LDOs
  regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
  ACPI / device_sysfs: Avoid OF modalias creation for removed device
  tracing: Do not free iter->trace in fail path of tracing_open_pipe()
  CIFS: Fix read after write for files with read caching
  crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
  stm class: Prevent division by zero
  tmpfs: fix uninitialized return value in shmem_link
  net: set static variable an initial value in atl2_probe()
  mac80211_hwsim: propagate genlmsg_reply return code
  phonet: fix building with clang
  ARC: uacces: remove lp_start, lp_end from clobber list
  tmpfs: fix link accounting when a tmpfile is linked in
  arm64: Relax GIC version check during early boot
  ASoC: topology: free created components in tplg load error
  net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
  pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
  net: systemport: Fix reception of BPDUs
  scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
  assoc_array: Fix shortcut creation
  ARM: 8824/1: fix a migrating irq bug when hotplug cpu
  Input: st-keyscan - fix potential zalloc NULL dereference
  i2c: cadence: Fix the hold bit setting
  Input: matrix_keypad - use flush_delayed_work()
  ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
  s390/dasd: fix using offset into zero size array error
  gpu: ipu-v3: Fix CSI offsets for imx53
  gpu: ipu-v3: Fix i.MX51 CSI control registers offset
  crypto: ahash - fix another early termination in hash walk
  crypto: caam - fixed handling of sg list
  stm class: Fix an endless loop in channel allocation
  ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
  9p/net: fix memory leak in p9_client_create
  9p: use inode->i_lock to protect i_size_write() under 32-bit
  media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
  It's wrong to add len to sector_nr in raid10 reshape twice
  fs/9p: use fscache mutex rather than spinlock
  ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
  tcp/dccp: remove reqsk_put() from inet_child_forget()
  gro_cells: make sure device is up in gro_cells_receive()
  net/hsr: fix possible crash in add_timer()
  vxlan: Fix GRO cells race condition between receive and link delete
  vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
  ipvlan: disallow userns cap_net_admin to change global mode/flags
  missing barriers in some of unix_sock ->addr and ->path accesses
  net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
  mdio_bus: Fix use-after-free on device_register fails
  net/x25: fix a race in x25_bind()
  net/mlx4_core: Fix qp mtt size calculation
  net/mlx4_core: Fix reset flow when in command polling mode
  tcp: handle inet_csk_reqsk_queue_add() failures
  route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
  ravb: Decrease TxFIFO depth of Q3 and Q2 to one
  pptp: dst_release sk_dst_cache in pptp_sock_destruct
  net/x25: reset state in x25_connect()
  net/x25: fix use-after-free in x25_device_event()
  net: sit: fix UBSAN Undefined behaviour in check_6rd
  net: hsr: fix memory leak in hsr_dev_finalize()
  l2tp: fix infoleak in l2tp_ip6_recvmsg()
  KEYS: restrict /proc/keys by credentials at open time
  netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
  netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
  netfilter: nfnetlink_log: just returns error for unknown command
  netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
  udplite: call proper backlog handlers
  ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420
  Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls"
  ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
  futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
  iscsi_ibft: Fix missing break in switch statement
  Input: elan_i2c - add id for touchpad found in Lenovo s21e-20
  Input: wacom_serial4 - add support for Wacom ArtPad II tablet
  MIPS: Remove function size check in get_frame_info()
  perf symbols: Filter out hidden symbols from labels
  s390/qeth: fix use-after-free in error path
  dmaengine: dmatest: Abort test in case of mapping error
  dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
  irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
  ARM: pxa: ssp: unneeded to free devm_ allocated data
  autofs: fix error return in autofs_fill_super()
  autofs: drop dentry reference only when it is never used
  fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
  mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
  mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone
  x86_64: increase stack size for KASAN_EXTRA
  x86/kexec: Don't setup EFI info if EFI runtime is not enabled
  cifs: fix computation for MAX_SMB2_HDR_SIZE
  platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
  scsi: libfc: free skb when receiving invalid flogi resp
  nfs: Fix NULL pointer dereference of dev_name
  gpio: vf610: Mask all GPIO interrupts
  net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
  net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
  net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
  xtensa: SMP: limit number of possible CPUs by NR_CPUS
  xtensa: SMP: mark each possible CPU as present
  xtensa: smp_lx200_defconfig: fix vectors clash
  xtensa: SMP: fix secondary CPU initialization
  xtensa: SMP: fix ccount_timer_shutdown
  iommu/amd: Fix IOMMU page flush when detach device from a domain
  ipvs: Fix signed integer overflow when setsockopt timeout
  IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
  perf tools: Handle TOPOLOGY headers with no CPU
  vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
  media: uvcvideo: Fix 'type' check leading to overflow
  ip6mr: Do not call __IP6_INC_STATS() from preemptible context
  net: dsa: mv88e6xxx: Fix u64 statistics
  netlabel: fix out-of-bounds memory accesses
  hugetlbfs: fix races and page leaks during migration
  MIPS: irq: Allocate accurate order pages for irq stack
  applicom: Fix potential Spectre v1 vulnerabilities
  x86/CPU/AMD: Set the CPB bit unconditionally on F17h
  net: phy: Micrel KSZ8061: link failure after cable connect
  net: avoid use IPCB in cipso_v4_error
  net: Add __icmp_send helper.
  xen-netback: fix occasional leak of grant ref mappings under memory pressure
  net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
  bnxt_en: Drop oversize TX packets to prevent errors.
  team: Free BPF filter when unregistering netdev
  sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
  net-sysfs: Fix mem leak in netdev_register_kobject
  staging: lustre: fix buffer overflow of string buffer
  isdn: isdn_tty: fix build warning of strncpy
  ncpfs: fix build warning of strncpy
  sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
  cpufreq: Use struct kobj_attribute instead of struct global_attr
  USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
  USB: serial: cp210x: add ID for Ingenico 3070
  USB: serial: option: add Telit ME910 ECM composition
  x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
  mm: enforce min addr even if capable() in expand_downwards()
  mmc: spi: Fix card detection during probe
  powerpc: Always initialize input array when calling epapr_hypercall()
  KVM: arm/arm64: Fix MMIO emulation data handling
  arm/arm64: KVM: Feed initialized memory to MMIO accesses
  KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
  cfg80211: extend range deviation for DMG
  mac80211: don't initiate TDLS connection if station is not associated to AP
  ibmveth: Do not process frames after calling napi_reschedule
  net: altera_tse: fix connect_local_phy error path
  scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
  serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
  mac80211: fix miscounting of ttl-dropped frames
  ARC: fix __ffs return value to avoid build warnings
  ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
  ASoC: dapm: change snprintf to scnprintf for possible overflow
  usb: gadget: Potential NULL dereference on allocation error
  usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
  thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
  ALSA: compress: prevent potential divide by zero bugs
  ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
  drm/msm: Unblock writer if reader closes file
  scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
  libceph: handle an empty authorize reply
  Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
  ARCv2: Enable unaligned access in early ASM code
  net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
  sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
  team: avoid complex list operations in team_nl_cmd_options_set()
  net/packet: fix 4gb buffer limit due to overflow check
  batman-adv: fix uninit-value in batadv_interface_tx()
  KEYS: always initialize keyring_index_key::desc_len
  KEYS: user: Align the payload buffer
  RDMA/srp: Rework SCSI device reset handling
  isdn: avm: Fix string plus integer warning from Clang
  leds: lp5523: fix a missing check of return value of lp55xx_read
  atm: he: fix sign-extension overflow on large shift
  isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
  MIPS: jazz: fix 64bit build
  scsi: isci: initialize shost fully before calling scsi_add_host()
  scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
  MIPS: ath79: Enable OF serial ports in the default config
  net: hns: Fix use after free identified by SLUB debug
  mfd: mc13xxx: Fix a missing check of a register-read failure
  mfd: wm5110: Add missing ASRC rate register
  mfd: qcom_rpm: write fw_version to CTRL_REG
  mfd: ab8500-core: Return zero in get_register_interruptible()
  mfd: db8500-prcmu: Fix some section annotations
  mfd: twl-core: Fix section annotations on {,un}protect_pm_master
  mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
  KEYS: allow reaching the keys quotas exactly
  numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
  ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
  Revert "ANDROID: arm: process: Add display of memory around registers when displaying regs."
  ANDROID: mnt: Propagate remount correctly
  ANDROID: cuttlefish_defconfig: Add support for AC97 audio
  ANDROID: overlayfs: override_creds=off option bypass creator_cred
  FROMGIT: binder: create node flag to request sender's security context

Conflicts:
	arch/arm/kernel/irq.c
	drivers/media/v4l2-core/videobuf2-v4l2.c
	sound/core/compress_offload.c

Change-Id: I998f8d53b0c5b8a7102816034452b1779a3b69a3
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2019-03-25 12:49:05 +05:30
Greg Kroah-Hartman
0c3b8c4866 This is the 4.4.177 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlyV4+kACgkQONu9yGCS
 aT5T2RAAn9hyo4LmxMvxab61d+PSEfn9TKhNjEtF8vFKNiYb+W+vI0ALHYSWcT1Z
 O5T4d1TeSeMrs9G1McL/D80vMJFIzcg0a9QIYuFObFAB21VpDiiGcVc74d+6fHtH
 m6loPE1d2GCpzwJ7VOCvdC9DR8C9SK0IVANyMJApXUL8mkNRo2H6vY/NGt65+5zb
 vioEbGbXZQJl1GvvwquM6cX9ABH4nyAU1yTX9r2CHMFCBQ0JDkpY4yxClY1NBZ02
 1Rc1NpJCR6OJUPvQUpyHuY5rkkPfM12Iz9dxFHARXvtTsmzm3AFdkev5GEMlR5e1
 hNXs6ZPyTADJL/fKO8nmeKwKf30xTaWObgMw9A3d8FOFSmDXAW6FLKAmIz+yZBGc
 27Tta1pGkZscC1iajEX2dcp5Zjkwr4y/HA5EJJ3jCCwrfTPDL5u8N900GbKMx4Lk
 EgPB3byZUAn/9k1m5HEA8RS08LqsNTAEA2Q6nZZhuhmqGJQPRtbBPG7tib9bvhUy
 KBLQdqJ8ubi9T1EopHu8xZdpZbbB/uCS+FB6NIkXuWR1IHkAGdEPheHrv3tuR5rf
 8/2OU970h63ztE5qHFsBci2uC4htiZFY62NULiPbI7HjeEUdym0AGK4JzGnn0lnX
 8McOBeOKwQwR5XuHZcMKWrsstt4mv9zo5QOdCJ1XDxFv628G2dQ=
 =eGAC
 -----END PGP SIGNATURE-----

Merge 4.4.177 into android-4.4

Changes in 4.4.177
	ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
	numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
	KEYS: allow reaching the keys quotas exactly
	mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
	mfd: twl-core: Fix section annotations on {,un}protect_pm_master
	mfd: db8500-prcmu: Fix some section annotations
	mfd: ab8500-core: Return zero in get_register_interruptible()
	mfd: qcom_rpm: write fw_version to CTRL_REG
	mfd: wm5110: Add missing ASRC rate register
	mfd: mc13xxx: Fix a missing check of a register-read failure
	net: hns: Fix use after free identified by SLUB debug
	MIPS: ath79: Enable OF serial ports in the default config
	scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
	scsi: isci: initialize shost fully before calling scsi_add_host()
	MIPS: jazz: fix 64bit build
	isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
	atm: he: fix sign-extension overflow on large shift
	leds: lp5523: fix a missing check of return value of lp55xx_read
	isdn: avm: Fix string plus integer warning from Clang
	RDMA/srp: Rework SCSI device reset handling
	KEYS: user: Align the payload buffer
	KEYS: always initialize keyring_index_key::desc_len
	batman-adv: fix uninit-value in batadv_interface_tx()
	net/packet: fix 4gb buffer limit due to overflow check
	team: avoid complex list operations in team_nl_cmd_options_set()
	sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
	net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
	ARCv2: Enable unaligned access in early ASM code
	Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
	libceph: handle an empty authorize reply
	scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
	drm/msm: Unblock writer if reader closes file
	ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
	ALSA: compress: prevent potential divide by zero bugs
	thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
	usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
	usb: gadget: Potential NULL dereference on allocation error
	ASoC: dapm: change snprintf to scnprintf for possible overflow
	ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
	ARC: fix __ffs return value to avoid build warnings
	mac80211: fix miscounting of ttl-dropped frames
	serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
	scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
	net: altera_tse: fix connect_local_phy error path
	ibmveth: Do not process frames after calling napi_reschedule
	mac80211: don't initiate TDLS connection if station is not associated to AP
	cfg80211: extend range deviation for DMG
	KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
	arm/arm64: KVM: Feed initialized memory to MMIO accesses
	KVM: arm/arm64: Fix MMIO emulation data handling
	powerpc: Always initialize input array when calling epapr_hypercall()
	mmc: spi: Fix card detection during probe
	mm: enforce min addr even if capable() in expand_downwards()
	x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
	USB: serial: option: add Telit ME910 ECM composition
	USB: serial: cp210x: add ID for Ingenico 3070
	USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
	cpufreq: Use struct kobj_attribute instead of struct global_attr
	sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
	ncpfs: fix build warning of strncpy
	isdn: isdn_tty: fix build warning of strncpy
	staging: lustre: fix buffer overflow of string buffer
	net-sysfs: Fix mem leak in netdev_register_kobject
	sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
	team: Free BPF filter when unregistering netdev
	bnxt_en: Drop oversize TX packets to prevent errors.
	net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
	xen-netback: fix occasional leak of grant ref mappings under memory pressure
	net: Add __icmp_send helper.
	net: avoid use IPCB in cipso_v4_error
	net: phy: Micrel KSZ8061: link failure after cable connect
	x86/CPU/AMD: Set the CPB bit unconditionally on F17h
	applicom: Fix potential Spectre v1 vulnerabilities
	MIPS: irq: Allocate accurate order pages for irq stack
	hugetlbfs: fix races and page leaks during migration
	netlabel: fix out-of-bounds memory accesses
	net: dsa: mv88e6xxx: Fix u64 statistics
	ip6mr: Do not call __IP6_INC_STATS() from preemptible context
	media: uvcvideo: Fix 'type' check leading to overflow
	vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
	perf tools: Handle TOPOLOGY headers with no CPU
	IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
	ipvs: Fix signed integer overflow when setsockopt timeout
	iommu/amd: Fix IOMMU page flush when detach device from a domain
	xtensa: SMP: fix ccount_timer_shutdown
	xtensa: SMP: fix secondary CPU initialization
	xtensa: smp_lx200_defconfig: fix vectors clash
	xtensa: SMP: mark each possible CPU as present
	xtensa: SMP: limit number of possible CPUs by NR_CPUS
	net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
	net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
	net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
	gpio: vf610: Mask all GPIO interrupts
	nfs: Fix NULL pointer dereference of dev_name
	scsi: libfc: free skb when receiving invalid flogi resp
	platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
	cifs: fix computation for MAX_SMB2_HDR_SIZE
	x86/kexec: Don't setup EFI info if EFI runtime is not enabled
	x86_64: increase stack size for KASAN_EXTRA
	mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone
	mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
	fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
	autofs: drop dentry reference only when it is never used
	autofs: fix error return in autofs_fill_super()
	ARM: pxa: ssp: unneeded to free devm_ allocated data
	irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
	dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
	dmaengine: dmatest: Abort test in case of mapping error
	s390/qeth: fix use-after-free in error path
	perf symbols: Filter out hidden symbols from labels
	MIPS: Remove function size check in get_frame_info()
	Input: wacom_serial4 - add support for Wacom ArtPad II tablet
	Input: elan_i2c - add id for touchpad found in Lenovo s21e-20
	iscsi_ibft: Fix missing break in switch statement
	futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
	ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
	Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls"
	ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420
	udplite: call proper backlog handlers
	netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
	netfilter: nfnetlink_log: just returns error for unknown command
	netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
	netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
	KEYS: restrict /proc/keys by credentials at open time
	l2tp: fix infoleak in l2tp_ip6_recvmsg()
	net: hsr: fix memory leak in hsr_dev_finalize()
	net: sit: fix UBSAN Undefined behaviour in check_6rd
	net/x25: fix use-after-free in x25_device_event()
	net/x25: reset state in x25_connect()
	pptp: dst_release sk_dst_cache in pptp_sock_destruct
	ravb: Decrease TxFIFO depth of Q3 and Q2 to one
	route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
	tcp: handle inet_csk_reqsk_queue_add() failures
	net/mlx4_core: Fix reset flow when in command polling mode
	net/mlx4_core: Fix qp mtt size calculation
	net/x25: fix a race in x25_bind()
	mdio_bus: Fix use-after-free on device_register fails
	net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
	missing barriers in some of unix_sock ->addr and ->path accesses
	ipvlan: disallow userns cap_net_admin to change global mode/flags
	vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
	vxlan: Fix GRO cells race condition between receive and link delete
	net/hsr: fix possible crash in add_timer()
	gro_cells: make sure device is up in gro_cells_receive()
	tcp/dccp: remove reqsk_put() from inet_child_forget()
	ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
	fs/9p: use fscache mutex rather than spinlock
	It's wrong to add len to sector_nr in raid10 reshape twice
	media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
	9p: use inode->i_lock to protect i_size_write() under 32-bit
	9p/net: fix memory leak in p9_client_create
	ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
	stm class: Fix an endless loop in channel allocation
	crypto: caam - fixed handling of sg list
	crypto: ahash - fix another early termination in hash walk
	gpu: ipu-v3: Fix i.MX51 CSI control registers offset
	gpu: ipu-v3: Fix CSI offsets for imx53
	s390/dasd: fix using offset into zero size array error
	ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
	Input: matrix_keypad - use flush_delayed_work()
	i2c: cadence: Fix the hold bit setting
	Input: st-keyscan - fix potential zalloc NULL dereference
	ARM: 8824/1: fix a migrating irq bug when hotplug cpu
	assoc_array: Fix shortcut creation
	scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
	net: systemport: Fix reception of BPDUs
	pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
	net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
	ASoC: topology: free created components in tplg load error
	arm64: Relax GIC version check during early boot
	tmpfs: fix link accounting when a tmpfile is linked in
	ARC: uacces: remove lp_start, lp_end from clobber list
	phonet: fix building with clang
	mac80211_hwsim: propagate genlmsg_reply return code
	net: set static variable an initial value in atl2_probe()
	tmpfs: fix uninitialized return value in shmem_link
	stm class: Prevent division by zero
	crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
	CIFS: Fix read after write for files with read caching
	tracing: Do not free iter->trace in fail path of tracing_open_pipe()
	ACPI / device_sysfs: Avoid OF modalias creation for removed device
	regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
	regulator: s2mpa01: Fix step values for some LDOs
	clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
	clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
	s390/virtio: handle find on invalid queue gracefully
	scsi: virtio_scsi: don't send sc payload with tmfs
	scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
	m68k: Add -ffreestanding to CFLAGS
	btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
	Btrfs: fix corruption reading shared and compressed extents after hole punching
	crypto: pcbc - remove bogus memcpy()s with src == dest
	cpufreq: tegra124: add missing of_node_put()
	cpufreq: pxa2xx: remove incorrect __init annotation
	ext4: fix crash during online resizing
	ext2: Fix underflow in ext2_max_size()
	clk: ingenic: Fix round_rate misbehaving with non-integer dividers
	dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
	mm/vmalloc: fix size check for remap_vmalloc_range_partial()
	kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
	intel_th: Don't reference unassigned outputs
	parport_pc: fix find_superio io compare code, should use equal test.
	i2c: tegra: fix maximum transfer size
	perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
	serial: 8250_pci: Fix number of ports for ACCES serial cards
	serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
	jbd2: clear dirty flag when revoking a buffer from an older transaction
	jbd2: fix compile warning when using JBUFFER_TRACE
	powerpc/32: Clear on-stack exception marker upon exception return
	powerpc/wii: properly disable use of BATs when requested.
	powerpc/powernv: Make opal log only readable by root
	powerpc/83xx: Also save/restore SPRG4-7 during suspend
	ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
	dm: fix to_sector() for 32bit
	NFS41: pop some layoutget errors to application
	perf intel-pt: Fix CYC timestamp calculation after OVF
	perf auxtrace: Define auxtrace record alignment
	perf intel-pt: Fix overlap calculation for padding
	md: Fix failed allocation of md_register_thread
	NFS: Fix an I/O request leakage in nfs_do_recoalesce
	NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
	nfsd: fix memory corruption caused by readdir
	nfsd: fix wrong check in write_v4_end_grace()
	PM / wakeup: Rework wakeup source timer cancellation
	rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
	media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
	drm/radeon/evergreen_cs: fix missing break in switch statement
	KVM: nVMX: Sign extend displacements of VMX instr's mem operands
	KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
	KVM: X86: Fix residual mmio emulation request to userspace
	Linux 4.4.177

Change-Id: Ide9813404248e6d7f9dc4024ac244dc1fbdd21b6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-03-23 08:59:43 +01:00
Greg Kroah-Hartman
6b50202a4d Linux 4.4.177 2019-03-23 08:44:40 +01:00
Wanpeng Li
5d8f03acc1 KVM: X86: Fix residual mmio emulation request to userspace
commit bbeac2830f4de270bb48141681cb730aadf8dce1 upstream.

Reported by syzkaller:

The kvm-intel.unrestricted_guest=0

   WARNING: CPU: 5 PID: 1014 at /home/kernel/data/kvm/arch/x86/kvm//x86.c:7227 kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
   CPU: 5 PID: 1014 Comm: warn_test Tainted: G        W  OE   4.13.0-rc3+ #8
   RIP: 0010:kvm_arch_vcpu_ioctl_run+0x38b/0x1be0 [kvm]
   Call Trace:
    ? put_pid+0x3a/0x50
    ? rcu_read_lock_sched_held+0x79/0x80
    ? kmem_cache_free+0x2f2/0x350
    kvm_vcpu_ioctl+0x340/0x700 [kvm]
    ? kvm_vcpu_ioctl+0x340/0x700 [kvm]
    ? __fget+0xfc/0x210
    do_vfs_ioctl+0xa4/0x6a0
    ? __fget+0x11d/0x210
    SyS_ioctl+0x79/0x90
    entry_SYSCALL_64_fastpath+0x23/0xc2
    ? __this_cpu_preempt_check+0x13/0x20

The syszkaller folks reported a residual mmio emulation request to userspace
due to vm86 fails to emulate inject real mode interrupt(fails to read CS) and
incurs a triple fault. The vCPU returns to userspace with vcpu->mmio_needed == true
and KVM_EXIT_SHUTDOWN exit reason. However, the syszkaller testcase constructs
several threads to launch the same vCPU, the thread which lauch this vCPU after
the thread whichs get the vcpu->mmio_needed == true and KVM_EXIT_SHUTDOWN will
trigger the warning.

   #define _GNU_SOURCE
   #include <pthread.h>
   #include <stdio.h>
   #include <stdlib.h>
   #include <string.h>
   #include <sys/wait.h>
   #include <sys/types.h>
   #include <sys/stat.h>
   #include <sys/mman.h>
   #include <fcntl.h>
   #include <unistd.h>
   #include <linux/kvm.h>
   #include <stdio.h>

   int kvmcpu;
   struct kvm_run *run;

   void* thr(void* arg)
   {
     int res;
     res = ioctl(kvmcpu, KVM_RUN, 0);
     printf("ret1=%d exit_reason=%d suberror=%d\n",
         res, run->exit_reason, run->internal.suberror);
     return 0;
   }

   void test()
   {
     int i, kvm, kvmvm;
     pthread_t th[4];

     kvm = open("/dev/kvm", O_RDWR);
     kvmvm = ioctl(kvm, KVM_CREATE_VM, 0);
     kvmcpu = ioctl(kvmvm, KVM_CREATE_VCPU, 0);
     run = (struct kvm_run*)mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, kvmcpu, 0);
     srand(getpid());
     for (i = 0; i < 4; i++) {
       pthread_create(&th[i], 0, thr, 0);
       usleep(rand() % 10000);
     }
     for (i = 0; i < 4; i++)
       pthread_join(th[i], 0);
   }

   int main()
   {
     for (;;) {
       int pid = fork();
       if (pid < 0)
         exit(1);
       if (pid == 0) {
         test();
         exit(0);
       }
       int status;
       while (waitpid(pid, &status, __WALL) != pid) {}
     }
     return 0;
   }

This patch fixes it by resetting the vcpu->mmio_needed once we receive
the triple fault to avoid the residue.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim Krčmář <rkrcmar@redhat.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Cc: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:40 +01:00
Sean Christopherson
8c7543e3b8 KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
commit 34333cc6c2cb021662fd32e24e618d1b86de95bf upstream.

Regarding segments with a limit==0xffffffff, the SDM officially states:

    When the effective limit is FFFFFFFFH (4 GBytes), these accesses may
    or may not cause the indicated exceptions.  Behavior is
    implementation-specific and may vary from one execution to another.

In practice, all CPUs that support VMX ignore limit checks for "flat
segments", i.e. an expand-up data or code segment with base=0 and
limit=0xffffffff.  This is subtly different than wrapping the effective
address calculation based on the address size, as the flat segment
behavior also applies to accesses that would wrap the 4g boundary, e.g.
a 4-byte access starting at 0xffffffff will access linear addresses
0xffffffff, 0x0, 0x1 and 0x2.

Fixes: f9eb4af67c ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:40 +01:00
Sean Christopherson
2866808ffc KVM: nVMX: Sign extend displacements of VMX instr's mem operands
commit 946c522b603f281195af1df91837a1d4d1eb3bc9 upstream.

The VMCS.EXIT_QUALIFCATION field reports the displacements of memory
operands for various instructions, including VMX instructions, as a
naturally sized unsigned value, but masks the value by the addr size,
e.g. given a ModRM encoded as -0x28(%ebp), the -0x28 displacement is
reported as 0xffffffd8 for a 32-bit address size.  Despite some weird
wording regarding sign extension, the SDM explicitly states that bits
beyond the instructions address size are undefined:

    In all cases, bits of this field beyond the instruction’s address
    size are undefined.

Failure to sign extend the displacement results in KVM incorrectly
treating a negative displacement as a large positive displacement when
the address size of the VMX instruction is smaller than KVM's native
size, e.g. a 32-bit address size on a 64-bit KVM.

The very original decoding, added by commit 064aea7747 ("KVM: nVMX:
Decoding memory operands of VMX instructions"), sort of modeled sign
extension by truncating the final virtual/linear address for a 32-bit
address size.  I.e. it messed up the effective address but made it work
by adjusting the final address.

When segmentation checks were added, the truncation logic was kept
as-is and no sign extension logic was introduced.  In other words, it
kept calculating the wrong effective address while mostly generating
the correct virtual/linear address.  As the effective address is what's
used in the segment limit checks, this results in KVM incorreclty
injecting #GP/#SS faults due to non-existent segment violations when
a nested VMM uses negative displacements with an address size smaller
than KVM's native address size.

Using the -0x28(%ebp) example, an EBP value of 0x1000 will result in
KVM using 0x100000fd8 as the effective address when checking for a
segment limit violation.  This causes a 100% failure rate when running
a 32-bit KVM build as L1 on top of a 64-bit KVM L0.

Fixes: f9eb4af67c ("KVM: nVMX: VMX instructions: add checks for #GP/#SS exceptions")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:40 +01:00
Gustavo A. R. Silva
71e005f009 drm/radeon/evergreen_cs: fix missing break in switch statement
commit cc5034a5d293dd620484d1d836aa16c6764a1c8c upstream.

Add missing break statement in order to prevent the code from falling
through to case CB_TARGET_MASK.

This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.

Fixes: dd220a00e8 ("drm/radeon/kms: add support for streamout v7")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:40 +01:00
Sakari Ailus
e4de142d0a media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
commit 9dd0627d8d62a7ddb001a75f63942d92b5336561 upstream.

The UVC video driver converts the timestamp from hardware specific unit
to one known by the kernel at the time when the buffer is dequeued. This
is fine in general, but the streamoff operation consists of the
following steps (among other things):

1. uvc_video_clock_cleanup --- the hardware clock sample array is
   released and the pointer to the array is set to NULL,

2. buffers in active state are returned to the user and

3. buf_finish callback is called on buffers that are prepared.
   buf_finish includes calling uvc_video_clock_update that accesses the
   hardware clock sample array.

The above is serialised by a queue specific mutex. Address the problem
by skipping the clock conversion if the hardware clock sample array is
already released.

Fixes: 9c0863b1cc ("[media] vb2: call buf_finish from __queue_cancel")

Reported-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Tested-by: Chiranjeevi Rapolu <chiranjeevi.rapolu@intel.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:40 +01:00
Zhang, Jun
25c4c45193 rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
commit 1d1f898df6586c5ea9aeaf349f13089c6fa37903 upstream.

The rcu_gp_kthread_wake() function is invoked when it might be necessary
to wake the RCU grace-period kthread.  Because self-wakeups are normally
a useless waste of CPU cycles, if rcu_gp_kthread_wake() is invoked from
this kthread, it naturally refuses to do the wakeup.

Unfortunately, natural though it might be, this heuristic fails when
rcu_gp_kthread_wake() is invoked from an interrupt or softirq handler
that interrupted the grace-period kthread just after the final check of
the wait-event condition but just before the schedule() call.  In this
case, a wakeup is required, even though the call to rcu_gp_kthread_wake()
is within the RCU grace-period kthread's context.  Failing to provide
this wakeup can result in grace periods failing to start, which in turn
results in out-of-memory conditions.

This race window is quite narrow, but it actually did happen during real
testing.  It would of course need to be fixed even if it was strictly
theoretical in nature.

This patch does not Cc stable because it does not apply cleanly to
earlier kernel versions.

Fixes: 48a7639ce8 ("rcu: Make callers awaken grace-period kthread")
Reported-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "Zhang, Jun" <jun.zhang@intel.com>
Co-developed-by: "He, Bo" <bo.he@intel.com>
Co-developed-by: "xiao, jin" <jin.xiao@intel.com>
Co-developed-by: Bai, Jie A <jie.a.bai@intel.com>
Signed-off: "Zhang, Jun" <jun.zhang@intel.com>
Signed-off: "He, Bo" <bo.he@intel.com>
Signed-off: "xiao, jin" <jin.xiao@intel.com>
Signed-off: Bai, Jie A <jie.a.bai@intel.com>
Signed-off-by: "Zhang, Jun" <jun.zhang@intel.com>
[ paulmck: Switch from !in_softirq() to "!in_interrupt() &&
  !in_serving_softirq() to avoid redundant wakeups and to also handle the
  interrupt-handler scenario as well as the softirq-handler scenario that
  actually occurred in testing. ]
Signed-off-by: Paul E. McKenney <paulmck@linux.ibm.com>
Link: https://lkml.kernel.org/r/CD6925E8781EFD4D8E11882D20FC406D52A11F61@SHSMSX104.ccr.corp.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00
Viresh Kumar
06a7cc29d1 PM / wakeup: Rework wakeup source timer cancellation
commit 1fad17fb1bbcd73159c2b992668a6957ecc5af8a upstream.

If wakeup_source_add() is called right after wakeup_source_remove()
for the same wakeup source, timer_setup() may be called for a
potentially scheduled timer which is incorrect.

To avoid that, move the wakeup source timer cancellation from
wakeup_source_drop() to wakeup_source_remove().

Moreover, make wakeup_source_remove() clear the timer function after
canceling the timer to let wakeup_source_not_registered() treat
unregistered wakeup sources in the same way as the ones that have
never been registered.

Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Cc: 4.4+ <stable@vger.kernel.org> # 4.4+
[ rjw: Subject, changelog, merged two patches together ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00
Yihao Wu
d18bcfe455 nfsd: fix wrong check in write_v4_end_grace()
commit dd838821f0a29781b185cd8fb8e48d5c177bd838 upstream.

Commit 62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before
nfsd startup" is trying to fix a NULL dereference issue, but it
mistakenly checks if the nfsd server is started. So fix it.

Fixes: 62a063b8e7d1 "nfsd4: fix crash on writing v4_end_grace before nfsd startup"
Cc: stable@vger.kernel.org
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00
NeilBrown
d2f777c50b nfsd: fix memory corruption caused by readdir
commit b602345da6cbb135ba68cf042df8ec9a73da7981 upstream.

If the result of an NFSv3 readdir{,plus} request results in the
"offset" on one entry having to be split across 2 pages, and is sized
so that the next directory entry doesn't fit in the requested size,
then memory corruption can happen.

When encode_entry() is called after encoding the last entry that fits,
it notices that ->offset and ->offset1 are set, and so stores the
offset value in the two pages as required.  It clears ->offset1 but
*does not* clear ->offset.

Normally this omission doesn't matter as encode_entry_baggage() will
be called, and will set ->offset to a suitable value (not on a page
boundary).
But in the case where cd->buflen < elen and nfserr_toosmall is
returned, ->offset is not reset.

This means that nfsd3proc_readdirplus will see ->offset with a value 4
bytes before the end of a page, and ->offset1 set to NULL.
It will try to write 8bytes to ->offset.
If we are lucky, the next page will be read-only, and the system will
  BUG: unable to handle kernel paging request at...

If we are unlucky, some innocent page will have the first 4 bytes
corrupted.

nfsd3proc_readdir() doesn't even check for ->offset1, it just blindly
writes 8 bytes to the offset wherever it is.

Fix this by clearing ->offset after it is used, and copying the
->offset handling code from nfsd3_proc_readdirplus into
nfsd3_proc_readdir.

(Note that the commit hash in the Fixes tag is from the 'history'
 tree - this bug predates git).

Fixes: 0b1d57cf7654 ("[PATCH] kNFSd: Fix nfs3 dentry encoding")
Fixes-URL: https://git.kernel.org/pub/scm/linux/kernel/git/history/history.git/commit/?id=0b1d57cf7654
Cc: stable@vger.kernel.org (v2.6.12+)
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00
Trond Myklebust
295aac3a5a NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
commit 8127d82705998568b52ac724e28e00941538083d upstream.

If the I/O completion failed with a fatal error, then we should just
exit nfs_pageio_complete_mirror() rather than try to recoalesce.

Fixes: a7d42ddb30 ("nfs: add mirroring support to pgio layer")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00
Trond Myklebust
a853de72ab NFS: Fix an I/O request leakage in nfs_do_recoalesce
commit 4d91969ed4dbcefd0e78f77494f0cb8fada9048a upstream.

Whether we need to exit early, or just reprocess the list, we
must not lost track of the request which failed to get recoalesced.

Fixes: 03d5eb65b5 ("NFS: Fix a memory leak in nfs_do_recoalesce")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: stable@vger.kernel.org # v4.0+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-03-23 08:44:39 +01:00