1. 02 Oct, 2018 2 commits
    • drm/cma-helper: Fix crash in fbdev error path · 4d4c2d89
      Noralf Trønnes authored
      Sergey Suloev reported a crash happening in drm_client_dev_hotplug()
      when fbdev had failed to register.
      
      [    9.124598] vc4_hdmi 3f902000.hdmi: ASoC: Failed to create component debugfs directory
      [    9.147667] vc4_hdmi 3f902000.hdmi: vc4-hdmi-hifi <-> 3f902000.hdmi mapping ok
      [    9.155184] vc4_hdmi 3f902000.hdmi: ASoC: no DMI vendor name!
      [    9.166544] vc4-drm soc:gpu: bound 3f902000.hdmi (ops vc4_hdmi_ops [vc4])
      [    9.173840] vc4-drm soc:gpu: bound 3f806000.vec (ops vc4_vec_ops [vc4])
      [    9.181029] vc4-drm soc:gpu: bound 3f004000.txp (ops vc4_txp_ops [vc4])
      [    9.188519] vc4-drm soc:gpu: bound 3f400000.hvs (ops vc4_hvs_ops [vc4])
      [    9.195690] vc4-drm soc:gpu: bound 3f206000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.203523] vc4-drm soc:gpu: bound 3f207000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.215032] vc4-drm soc:gpu: bound 3f807000.pixelvalve (ops vc4_crtc_ops [vc4])
      [    9.274785] vc4-drm soc:gpu: bound 3fc00000.v3d (ops vc4_v3d_ops [vc4])
      [    9.290246] [drm] Initialized vc4 0.0.0 20140616 for soc:gpu on minor 0
      [    9.297464] [drm] Supports vblank timestamp caching Rev 2 (21.10.2013).
      [    9.304600] [drm] Driver supports precise vblank timestamp query.
      [    9.382856] vc4-drm soc:gpu: [drm:drm_fb_helper_fbdev_setup [drm_kms_helper]] *ERROR* Failed to set fbdev configuration
      [   10.404937] Unable to handle kernel paging request at virtual address 00330a656369768a
      [   10.441620] [00330a656369768a] address between user and kernel address ranges
      [   10.449087] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [   10.454762] Modules linked in: brcmfmac vc4 drm_kms_helper cfg80211 drm rfkill smsc95xx brcmutil usbnet drm_panel_orientation_quirks raspberrypi_hwmon bcm2835_dma crc32_ce pwm_bcm2835 bcm2835_rng virt_dma rng_core i2c_bcm2835 ip_tables x_tables ipv6
      [   10.477296] CPU: 2 PID: 45 Comm: kworker/2:1 Not tainted 4.19.0-rc5 #3
      [   10.483934] Hardware name: Raspberry Pi 3 Model B Rev 1.2 (DT)
      [   10.489966] Workqueue: events output_poll_execute [drm_kms_helper]
      [   10.596515] Process kworker/2:1 (pid: 45, stack limit = 0x000000007e8924dc)
      [   10.603590] Call trace:
      [   10.606259]  drm_client_dev_hotplug+0x5c/0xb0 [drm]
      [   10.611303]  drm_kms_helper_hotplug_event+0x30/0x40 [drm_kms_helper]
      [   10.617849]  output_poll_execute+0xc4/0x1e0 [drm_kms_helper]
      [   10.623616]  process_one_work+0x1c8/0x318
      [   10.627695]  worker_thread+0x48/0x428
      [   10.631420]  kthread+0xf8/0x128
      [   10.634615]  ret_from_fork+0x10/0x18
      [   10.638255] Code: 54000220 f9401261 aa1303e0 b4000141 (f9400c21)
      [   10.644456] ---[ end trace c75b4a4b0e141908 ]---
      
      The reason for this is that drm_fbdev_cma_init() removes the drm_client
      when fbdev registration fails, but it doesn't remove the client from the
      drm_device client list. So the client list now has a pointer that points
      into the unknown and we have a 'use after free' situation.
      
      Split drm_client_new() into drm_client_init() and drm_client_add() to fix
      removal in the error path.
      
      Fixes: 894a677f ("drm/cma-helper: Use the generic fbdev emulation")
      Reported-by: Sergey Suloev <ssuloev@orpaltech.com>
      Cc: Stefan Wahren <stefan.wahren@i2se.com>
      Cc: Eric Anholt <eric@anholt.net>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Noralf Trønnes <noralf@tronnes.org>
      Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181001194536.57756-1-noralf@tronnes.org
    • drm: fix use-after-free read in drm_mode_create_lease_ioctl() · 12d43deb
      Jann Horn authored
      fd_install() moves the reference given to it into the file descriptor table
      of the current process. If the current process is multithreaded, then
      immediately after fd_install(), another thread can close() the file
      descriptor and cause the file's resources to be cleaned up.
      
      Since the reference to "lessee" is held by the file, we must not access
      "lessee" after the fd_install() call.
      
      As far as I can tell, to reach this codepath, the caller must have an open
      file descriptor to a DRI device in master mode. I'm not sure what the
      requirements for that are.
      Signed-off-by: Jann Horn <jannh@google.com>
      Fixes: 62884cd3 ("drm: Add four ioctls for managing drm mode object leases [v7]")
      Cc: stable@vger.kernel.org
      Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20181001153117.216923-1-jannh@google.com
  2. 30 Sep, 2018 4 commits
  3. 29 Sep, 2018 12 commits
    • Merge tag 'for-linus-20180929' of git://git.kernel.dk/linux-block · 291d0e5d
      Greg Kroah-Hartman authored
      Jens writes:
        "Block fixes for 4.19-rc6
      
         A set of fixes that should go into this release. This pull request
         contains:
      
         - A fix (hopefully) for the persistent grants for xen-blkfront. A
           previous fix from this series wasn't complete, hence reverted, and
           this one should hopefully be it. (Boris Ostrovsky)
      
         - Fix for an elevator drain warning with SMR devices, which is
           triggered when you switch schedulers (Damien)
      
         - bcache deadlock fix (Guoju Fang)
      
         - Fix for the block unplug tracepoint, which has had the
           timer/explicit flag reverted since 4.11 (Ilya)
      
         - Fix a regression in this series where the blk-mq timeout hook is
           invoked with the RCU read lock held, hence preventing it from
           blocking (Keith)
      
         - NVMe pull from Christoph, with a single multipath fix (Susobhan Dey)"
      
      * tag 'for-linus-20180929' of git://git.kernel.dk/linux-block:
        xen/blkfront: correct purging of persistent grants
        Revert "xen/blkfront: When purging persistent grants, keep them in the buffer"
        blk-mq: I/O and timer unplugs are inverted in blktrace
        bcache: add separate workqueue for journal_write to avoid deadlock
        xen/blkfront: When purging persistent grants, keep them in the buffer
        block: fix deadline elevator drain for zoned block devices
        blk-mq: Allow blocking queue tag iter callbacks
        nvme: properly propagate errors in nvme_mpath_init
    • Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e7541773
      Greg Kroah-Hartman authored
      Thomas writes:
        "A single fix for the AMD memory encryption boot code so it does not
         read random garbage instead of the cached encryption bit when a kexec
         kernel is allocated above the 32bit address limit."
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/boot: Fix kexec booting failure in the SEV bit detection code
    • Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · e1ce697d
      Greg Kroah-Hartman authored
      Thomas writes:
        "Three small fixes for clocksource drivers:
         - Proper error handling in the Atmel PIT driver
         - Add CLOCK_SOURCE_SUSPEND_NONSTOP for TI SoCs so suspend works again
         - Fix the next event function for Facebook Backpack-CMM BMC chips so
           usleep(100) doesn't sleep several milliseconds"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        clocksource/drivers/timer-atmel-pit: Properly handle error cases
        clocksource/drivers/fttmr010: Fix set_next_event handler
        clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
    • Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · af17b3aa
      Greg Kroah-Hartman authored
      Thomas writes:
        "A single fix for a missing sanity check when a pinned event is tried
        to be read on the wrong CPU due to a legit event scheduling failure."
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        perf/core: Add sanity check to deal with pinned event failure
    • Merge tag 'pm-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 82ec752c
      Greg Kroah-Hartman authored
      Rafael writes:
        "Power management fix for 4.19-rc6
      
         Fix incorrect __init and __exit annotations in the Qualcomm
         Kryo cpufreq driver (Nathan Chancellor)."
      
      * tag 'pm-4.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: qcom-kryo: Fix section annotations
    • cpufreq: qcom-kryo: Fix section annotations · d51aea13
      Nathan Chancellor authored
      There is currently a warning when building the Kryo cpufreq driver into
      the kernel image:
      
      WARNING: vmlinux.o(.text+0x8aa424): Section mismatch in reference from
      the function qcom_cpufreq_kryo_probe() to the function
      .init.text:qcom_cpufreq_kryo_get_msm_id()
      The function qcom_cpufreq_kryo_probe() references
      the function __init qcom_cpufreq_kryo_get_msm_id().
      This is often because qcom_cpufreq_kryo_probe lacks a __init
      annotation or the annotation of qcom_cpufreq_kryo_get_msm_id is wrong.
      
      Remove the '__init' annotation from qcom_cpufreq_kryo_get_msm_id
      so that there is no more mismatch warning.
      
      Additionally, Nick noticed that the remove function was marked as
      '__init' when it should really be marked as '__exit'.
      
      Fixes: 46e2856b (cpufreq: Add Kryo CPU scaling driver)
      Fixes: 5ad7346b (cpufreq: kryo: Add module remove and exit)
      Reported-by: Nick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
      Cc: 4.18+ <stable@vger.kernel.org> # 4.18+
      Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
    • Merge tag 'dma-mapping-4.19-3' of git://git.infradead.org/users/hch/dma-mapping · 7a6878bb
      Greg Kroah-Hartman authored
      Christoph writes:
        "dma mapping fix for 4.19-rc6
      
         fix a missing Kconfig symbol for commits introduced in 4.19-rc"
      
      * tag 'dma-mapping-4.19-3' of git://git.infradead.org/users/hch/dma-mapping:
        dma-mapping: add the missing ARCH_HAS_SYNC_DMA_FOR_CPU_ALL declaration
    • Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · e704966c
      Greg Kroah-Hartman authored
      Dmitry writes:
        "Input updates for v4.19-rc5
      
         Just a few driver fixes"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: uinput - allow for max == min during input_absinfo validation
        Input: elantech - enable middle button of touchpad on ThinkPad P72
        Input: atakbd - fix Atari CapsLock behaviour
        Input: atakbd - fix Atari keymap
        Input: egalax_ts - add system wakeup support
        Input: gpio-keys - fix a documentation index issue
    • Merge tag 'spi-fix-v4.19-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 2f19e7a7
      Greg Kroah-Hartman authored
      Mark writes:
        "spi: Fixes for v4.19
      
         Quite a few fixes for the Renesas drivers in here, plus a fix for the
         Tegra driver and some documentation fixes for the recently added
         spi-mem code.  The Tegra fix is relatively large but fairly
         straightforward and mechanical, it runs on probe so it's been
         reasonably well covered in -next testing."
      
      * tag 'spi-fix-v4.19-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: spi-mem: Move the DMA-able constraint doc to the kerneldoc header
        spi: spi-mem: Add missing description for data.nbytes field
        spi: rspi: Fix interrupted DMA transfers
        spi: rspi: Fix invalid SPI use during system suspend
        spi: sh-msiof: Fix handling of write value for SISTR register
        spi: sh-msiof: Fix invalid SPI use during system suspend
        spi: gpio: Fix copy-and-paste error
        spi: tegra20-slink: explicitly enable/disable clock
    • Merge tag 'regulator-v4.19-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator · 8f056611
      Greg Kroah-Hartman authored
      Mark writes:
        "regulator: Fixes for 4.19
      
         A collection of fairly minor bug fixes here, a couple of driver
         specific ones plus two core fixes.  There's one fix for the new
         suspend state code which fixes some confusion with constant values
         that are supposed to indicate noop operation and another fixing a
         race condition with the creation of sysfs files on new regulators."
      
      * tag 'regulator-v4.19-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
        regulator: fix crash caused by null driver data
        regulator: Fix 'do-nothing' value for regulators without suspend state
        regulator: da9063: fix DT probing with constraints
        regulator: bd71837: Disable voltage monitoring for LDO3/4
    • Merge tag 'powerpc-4.19-3' of https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · f005de01
      Greg Kroah-Hartman authored
      Michael writes:
        "powerpc fixes for 4.19 #3
      
         A reasonably big batch of fixes due to me being away for a few weeks.
      
         A fix for the TM emulation support on Power9, which could result in
         corrupting the guest r11 when running under KVM.
      
         Two fixes to the TM code which could lead to userspace GPR corruption
         if we take an SLB miss at exactly the wrong time.
      
         Our dynamic patching code had a bug that meant we could patch freed
         __init text, which could lead to corrupting userspace memory.
      
         csum_ipv6_magic() didn't work on little endian platforms since we
         optimised it recently.
      
         A fix for an endian bug when reading a device tree property telling
         us how many storage keys the machine has available.
      
         Fix a crash seen on some configurations of PowerVM when migrating the
         partition from one machine to another.
      
         A fix for a regression in the setup of our CPU to NUMA node mapping
         in KVM guests.
      
         A fix to our selftest Makefiles to make them work since a recent
         change to the shared Makefile logic."
      
      * tag 'powerpc-4.19-3' of https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        selftests/powerpc: Fix Makefiles for headers_install change
        powerpc/numa: Use associativity if VPHN hcall is successful
        powerpc/tm: Avoid possible userspace r1 corruption on reclaim
        powerpc/tm: Fix userspace r13 corruption
        powerpc/pseries: Fix unitialized timer reset on migration
        powerpc/pkeys: Fix reading of ibm, processor-storage-keys property
        powerpc: fix csum_ipv6_magic() on little endian platforms
        powerpc/powernv/ioda2: Reduce upper limit for DMA window size (again)
        powerpc: Avoid code patching freed init sections
        KVM: PPC: Book3S HV: Fix guest r11 corruption with POWER9 TM workarounds
    • Merge tag 'pinctrl-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · 900915f9
      Greg Kroah-Hartman authored
      Linus writes:
        "Pin control fixes for v4.19:
         - Fixes to x86 hardware:
         - AMD interrupt debounce issues
         - Faulty Intel cannonlake register offset
         - Revert pin translation IRQ locking"
      
      * tag 'pinctrl-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        Revert "pinctrl: intel: Do pin translation when lock IRQ"
        pinctrl: cannonlake: Fix HOSTSW_OWN register offset of H variant
        pinctrl/amd: poll InterruptEnable bits in amd_gpio_irq_set_type
  4. 28 Sep, 2018 8 commits
  5. 27 Sep, 2018 14 commits