git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

drm/msm/hdmi: add rgb flag for HDMI customized mode

Add rgb flag to make sure HDMI customized mode pass
the format check.

Change-Id: I2d1df731bef493e15f83dac569673589e2408c68
Signed-off-by: Yunyun Cao <yunyunc@codeaurora.org>

Merge changes into msm-4.4

Merge "nl80211: nl80211_update_ft_ies to validate NL80211_ATTR_IE"

nl80211: nl80211_update_ft_ies to validate NL80211_ATTR_IE

Current nl80211_update_ft_ies doesn't validate NL80211_ATTR_IE
before dereferencing it, which leads to a null pointer exception
if not passed.
This commit validates this attribute too.

Change-Id: Ia40b02fc218bc26a07bc6b2153f425b8cae3bd82
CRs-Fixed: 2261685
Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>

Merge "net: Include additional rmnet header in flow_dissector"

net: Include additional rmnet header in flow_dissector

Add an additional header in flow_dissector since it
provides some structs that are needed for it.

Change-Id: I654ce9838f704c71b5c5015ef30d88a01a528f0b
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>

diag: Only include MHI headers if it is enabled

Only include the MHI header file if CONFIG_MSM_MHI
is enabled, avoid compilation errors if the platform
does not support MHI.

Change-Id: Ic2d84a8bbd066d0d8e50711a7499ae9a959a0b71
Signed-off-by: Gustavo Solaira <gustavos@codeaurora.org>

Merge "asoc : msm: Fix zero size pointer issue"

Merge "net: hns: Fix a skb used after free bug"

asoc : msm: Fix zero size pointer issue

APPS crashes randomly due to invalid memory allocation
in q6asm_audio_client_buf_free_contiguous.
Added check to return error if memory allocation size is 0.

Change-Id: I40f49aa147d513b29b56224a5ee77ccbb2dcc110
CRs-Fixed: 2285272
Signed-off-by: Soumya Managoli <smanag@codeaurora.org>

net: hns: Fix a skb used after free bug

skb maybe freed in hns_nic_net_xmit_hw() and return NETDEV_TX_OK,
which cause hns_nic_net_xmit to use a freed skb.

BUG: KASAN: use-after-free in hns_nic_net_xmit_hw+0x62c/0x940...
[17659.112635]      alloc_debug_processing+0x18c/0x1a0
[17659.117208]      __slab_alloc+0x52c/0x560
[17659.120909]      kmem_cache_alloc_node+0xac/0x2c0
[17659.125309]      __alloc_skb+0x6c/0x260
[17659.128837]      tcp_send_ack+0x8c/0x280
[17659.132449]      __tcp_ack_snd_check+0x9c/0xf0
[17659.136587]      tcp_rcv_established+0x5a4/0xa70
[17659.140899]      tcp_v4_do_rcv+0x27c/0x620
[17659.144687]      tcp_prequeue_process+0x108/0x170
[17659.149085]      tcp_recvmsg+0x940/0x1020
[17659.152787]      inet_recvmsg+0x124/0x180
[17659.156488]      sock_recvmsg+0x64/0x80
[17659.160012]      SyS_recvfrom+0xd8/0x180
[17659.163626]      __sys_trace_return+0x0/0x4
[17659.167506] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=23 cpu=1 pid=13
[17659.174000]      free_debug_processing+0x1d4/0x2c0
[17659.178486]      __slab_free+0x240/0x390
[17659.182100]      kmem_cache_free+0x24c/0x270
[17659.186062]      kfree_skbmem+0xa0/0xb0
[17659.189587]      __kfree_skb+0x28/0x40
[17659.193025]      napi_gro_receive+0x168/0x1c0
[17659.197074]      hns_nic_rx_up_pro+0x58/0x90
[17659.201038]      hns_nic_rx_poll_one+0x518/0xbc0
[17659.205352]      hns_nic_common_poll+0x94/0x140
[17659.209576]      net_rx_action+0x458/0x5e0
[17659.213363]      __do_softirq+0x1b8/0x480
[17659.217062]      run_ksoftirqd+0x64/0x80
[17659.220679]      smpboot_thread_fn+0x224/0x310
[17659.224821]      kthread+0x150/0x170
[17659.228084]      ret_from_fork+0x10/0x40

BUG: KASAN: use-after-free in hns_nic_net_xmit+0x8c/0xc0...
[17751.080490]      __slab_alloc+0x52c/0x560
[17751.084188]      kmem_cache_alloc+0x244/0x280
[17751.088238]      __build_skb+0x40/0x150
[17751.091764]      build_skb+0x28/0x100
[17751.095115]      __alloc_rx_skb+0x94/0x150
[17751.098900]      __napi_alloc_skb+0x34/0x90
[17751.102776]      hns_nic_rx_poll_one+0x180/0xbc0
[17751.107097]      hns_nic_common_poll+0x94/0x140
[17751.111333]      net_rx_action+0x458/0x5e0
[17751.115123]      __do_softirq+0x1b8/0x480
[17751.118823]      run_ksoftirqd+0x64/0x80
[17751.122437]      smpboot_thread_fn+0x224/0x310
[17751.126575]      kthread+0x150/0x170
[17751.129838]      ret_from_fork+0x10/0x40
[17751.133454] INFO: Freed in kfree_skbmem+0xa0/0xb0 age=19 cpu=7 pid=43
[17751.139951]      free_debug_processing+0x1d4/0x2c0
[17751.144436]      __slab_free+0x240/0x390
[17751.148051]      kmem_cache_free+0x24c/0x270
[17751.152014]      kfree_skbmem+0xa0/0xb0
[17751.155543]      __kfree_skb+0x28/0x40
[17751.159022]      napi_gro_receive+0x168/0x1c0
[17751.163074]      hns_nic_rx_up_pro+0x58/0x90
[17751.167041]      hns_nic_rx_poll_one+0x518/0xbc0
[17751.171358]      hns_nic_common_poll+0x94/0x140
[17751.175585]      net_rx_action+0x458/0x5e0
[17751.179373]      __do_softirq+0x1b8/0x480
[17751.183076]      run_ksoftirqd+0x64/0x80
[17751.186691]      smpboot_thread_fn+0x224/0x310
[17751.190826]      kthread+0x150/0x170
[17751.194093]      ret_from_fork+0x10/0x40

Change-Id: I5fbdea5d0264c79dbcc91f8519cda1004b667866
Fixes: 13ac695e7ea1 ("net:hns: Add support of Hip06 SoC to the Hislicon Network Subsystem")
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: lipeng <lipeng321@huawei.com>
Reported-by: Jun He <hjat2005@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Git-commit: 27463ad99f738ed93c7c8b3e2e5bc8c4853a2ff2
Signed-off-by: Dennis Cagle <dcagle@codeaurora.org>
Acked-By: Chinmay Agarwal <chinagar@qti.qualcomm.com>
[ tejaswit@codeaurora.org : resolved minor conflicts ]
Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org>

msm: kgsl: Replace scm call api with its atomic version

scm_call2() API can block indefinitely if another client is using
this API. This is due to a mutex in this API to serialize calls to
the TZ. This blocks the GPU wake up which in turn can result in
kgsl fence timeouts. Since CPZ register programing is handled at
the hypervisor, we can safely avoid this serialization by using
scm_call2_atomic() API which doesn't block.

Change-Id: I48ba3e1a682e1027463a1c6b067e6cfcb4a0e8bc
Signed-off-by: Akhil P Oommen <akhilpo@codeaurora.org>

Merge "ARM: dts: msm: Add 8GB DDR device tree for msm8996 ivi vplatform"

Merge "drm: Pass CRTC ID in userspace vblank events"

Merge "cnss: Use the nosync API in cnss when disabling irq"

Merge "diag: Add protection before accessing md_session_map"

Merge "drm: msm: sde: Fix SMMU fault during DRM test"

Merge "Merge android-4.4.150 (5541782) into msm-4.4"

Merge "icnss: Add a flag to indicare FW rejuvenate"

Merge "msm:ais:Handling bigger value than upper bound in msm_cpp_irq api"

Merge "USB: core: only clean up what we allocated"

icnss: Add a flag to indicare FW rejuvenate

Add a flag to maintain fw rejuvenate state,
set if fw rejuvenate happens and reset at fw ready.
export an API to the wlan host driver to distinguish the
case of ssr or pdr with the FW rejuventae.

Change-Id: I7a01cc4996f68f78aa13eacf36648331a701882a
Signed-off-by: Anurag Chouhan <achouhan@codeaurora.org>

Merge "Revert "power: wakeup_reason: send uevent to user space""

ARM: dts: msm: Add 8GB DDR device tree for msm8996 ivi vplatform

Add a new device tree to support 8GB DDR target for msm8996 IVI
virtual platform.

Change-Id: Ia3be942de1c3064aecc59560743849335e8ff60d
Signed-off-by: Anant Goel <anantg@codeaurora.org>
Signed-off-by: Zhiqiang Tu <ztu@codeaurora.org>

Merge "msm: ipa3: Add mutex to prevent race condition"

Merge "msm:ipa: Prevent NAT table deletion only if public ip is not assigned"

msm: ipa3: Add mutex to prevent race condition

There is a race condition between ipa3_nat_init_cmd
and ipa_read_nat4. The two thread will R/W the critical
global variables. This will result in race conditions
and possibly buffer overread/ overwrite issues. Add code
to prevent this race condition.

Change-Id: I6bf9a837ae941cf3ad9413da6e44821916acf196
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

Merge "defconfig : Enable Hibernation support for msm8996AU."

defconfig : Enable Hibernation support for msm8996AU.

Add support to Hibernation for msm8996AU based auto
platform.

Change-Id: I6db195dbf33a146c01b3d097ef9b34cb11019f60
Signed-off-by: Atul Raut <araut@codeaurora.org>

Merge "diag: Update msg mask's ranges properly"

Merge "msm: ipa: Validate routing rule id"

msm:ipa: Prevent NAT table deletion only if public ip is not assigned

Currnetly NAT table is not deleted even if public ip is assigned to
NAT table. Add check to prevent deletion only if public ip is not assigned.

Change-Id: I4855b21472d3f6bf541d07733b18592e9e677ce6
Acked-by: Pooja Kumari <kumarip@qti.qualcomm.com>
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

diag: Update msg mask's ranges properly

There is a possibility of out-of-bound read if msg mask
ranges received from peripheral are more than max ssid per
range. Cap msg mask's ssid ranges to MAX_SSID_PER_RANGE if
ranges received from peripheral are greater than the same.

Change-Id: I886692ad223e16678bfaecbe381c62fdf3503cb5
Signed-off-by: Hardik Arya <harya@codeaurora.org>

Merge android-4.4.150 (5541782) into msm-4.4

* refs/heads/tmp-5541782
  Linux 4.4.150
  x86/speculation/l1tf: Exempt zeroed PTEs from inversion
  Linux 4.4.149
  x86/mm: Add TLB purge to free pmd/pte page interfaces
  ioremap: Update pgtable free interfaces with addr
  Bluetooth: hidp: buffer overflow in hidp_process_report
  ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization
  crypto: ablkcipher - fix crash flushing dcache in error path
  crypto: blkcipher - fix crash flushing dcache in error path
  crypto: vmac - separate tfm and request context
  crypto: vmac - require a block cipher with 128-bit block size
  kbuild: verify that $DEPMOD is installed
  i2c: ismt: fix wrong device address when unmap the data buffer
  kasan: don't emit builtin calls when sanitization is off
  tcp: Fix missing range_truesize enlargement in the backport
  x86/mm: Disable ioremap free page handling on x86-PAE

Conflicts:
Makefile

Change-Id: I9cbfedbeb3bdb1df021d4f192a2a7392010cd627
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

Merge "soc: qcom: subsystem_notif_virt: Added support for virtual subsystems"

Merge "diag: Prevent out of bound access while initializing msg mask"

Merge "defconfig: msm: Disable configs for GVM platforms"

Merge "diag: Fix HSIC read complete work function"

Merge "ARM: dts: msm: Modify subsys notif virtualization on msm8996 vplatform"

Merge "net: memset smsg to avoid the padding data"

Merge "drm: msm: remove hdcp related error messages"

msm: ipa: Validate routing rule id

IPA driver expose routing rule id IOCTL's to user space.
There is a chance of getting invalid routing rule-id.
Validate it before committing it to IPA hardware.

Change-Id: If80b94d3a055f9212d25aff9a57d1b45001ba586
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org>

msm:ais:Handling bigger value than upper bound in msm_cpp_irq api

In msm_cpp_irq function, tx_level is read using msm_carmera_io_r(),
However, this value is never verified to lower than
MSM_CPP_TX_FIFO_LEVEL (16), As tx_level is used as the upper bound
for the following loop, any value bigger than 16 will result in a
buffer overflow. Hence handling this case as error with error log.

Change-Id: I13222b315c3c9ee46bedb8b4e8e161179fea321d
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>

soc: qcom: subsystem_notif_virt: Added support for virtual subsystems

The driver is modified to allow communication between a virtual
subsystem, and its native clients.

Change-Id: I40854327431f3691f76df9d781dbd0a24090594e
Signed-off-by: Anant Goel <anantg@codeaurora.org>

defconfig: msm: Disable configs for GVM platforms

Remove configs for SMD, SMEM and SMP2P. These configs
are not required for the GVM platform.

Change-Id: I93d154085c6f249cd26949b40a953e66f010e72b
Signed-off-by: Anant Goel <anantg@codeaurora.org>

Merge "drm/msm: check HDMI HFVSDB block before adding formats"

Merge "msm: ais: Fix out-of-bounds read in string class name"

Merge "ARM: dts: msm: Add a reset gpio for ethernet on msm8996 CV2X boards"

Merge "cfg80211: never ignore user regulatory hint"

Merge "Merge android-4.4.148 (f057ff9) into msm-4.4"

Merge "icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case"

Merge "msm: ais: change csid to avoid overflow"

ARM: dts: msm: Modify subsys notif virtualization on msm8996 vplatform

Modify subsys_notif_virt device to enable communication between
subsystems and their registered clients.

Change-Id: Id44081a391c55f1326082e6b629e69b7de5dbb9e
Signed-off-by: Anant Goel <anantg@codeaurora.org>

diag: Prevent out of bound access while initializing msg mask

Move the mask_info mutex initialization outside mask structure
to facilitate prevention of out of bound access while initializing
msg mask during md session creation. Use separate msg_mask_tbl_count
for ODL session msg mask and regular msg mask to prevent out of
bound access in a possible race condition of accessing mask ranges.

Change-Id: I87497c67daff8cc1797a1266d50456bdbd3a9c23
Signed-off-by: Manoj Prabhu B <bmanoj@codeaurora.org>

ARM: dts: msm: Add a reset gpio for ethernet on msm8996 CV2X boards

Enable reset gpio for Neutrino ethernet for
msm8996 CV2X boards

Change-Id: I6b00a76640184d34feee382cd1c6de1427464719
Signed-off-by: Aditya Mathur <aditmath@codeaurora.org>

icnss: Clear ICNSS_MSA0_ASSIGNED flag in cap failure case

During capability qmi message failure ICNSS_MSA0_ASSIGNED
flag is not getting clear. Due to this after PDR/SSR next
time it is not configuring the MSA0 permission to q6 which
result into NOC error as q6 is not having access permission.

To address above issue clear ICNSS_MSA0_ASSIGNED bit in
failure case.

CRs-Fixed: 2300877
Change-Id: I6aeaedb5a394b843c4f1c8ef1e0be47a6947b331
Signed-off-by: Hardik Kantilal Patel <hkpatel@codeaurora.org>

Merge "soc: qcom: hab: fix the incompatible pointer initialization warning"

Merge "defconfig: gvm: enable TCPMSS and RPFILTER"

Merge "ARM: dts: msm: Enable upscaling on Sharp Dual DSI panel"

cfg80211: never ignore user regulatory hint

Currently user regulatory hint is ignored if all wiphys
in the system are self managed. But the hint is not ignored
if there is no wiphy in the system. This affects the global
regulatory setting. Global regulatory setting needs to be
maintained so that it can be applied to a new wiphy entering
the system. Therefore, do not ignore user regulatory setting
even if all wiphys in the system are self managed.

Signed-off-by: Amar Singhal <asinghal@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: I468fcd3403259b03369e011fa41b003e8ff33d3c
CRs-Fixed: 2276224
Git-commit: e31f6456c01c76f154e1b25cd54df97809a49edb
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Signed-off-by: Amar Singhal <asinghal@codeaurora.org>

Merge android-4.4.148 (f057ff9) into msm-4.4

* refs/heads/tmp-f057ff9
  Linux 4.4.148
  x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures
  x86/init: fix build with CONFIG_SWAP=n
  x86/speculation/l1tf: Fix up CPU feature flags
  x86/mm/kmmio: Make the tracer robust against L1TF
  x86/mm/pat: Make set_memory_np() L1TF safe
  x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
  x86/speculation/l1tf: Invert all not present mappings
  x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
  x86/speculation/l1tf: Protect PAE swap entries against L1TF
  x86/cpufeatures: Add detection of L1D cache flush support.
  x86/speculation/l1tf: Extend 64bit swap file size limit
  x86/bugs: Move the l1tf function and define pr_fmt properly
  x86/speculation/l1tf: Limit swap file size to MAX_PA/2
  x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
  mm: fix cache mode tracking in vm_insert_mixed()
  mm: Add vm_insert_pfn_prot()
  x86/speculation/l1tf: Add sysfs reporting for l1tf
  x86/speculation/l1tf: Make sure the first page is always reserved
  x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
  x86/speculation/l1tf: Protect swap entries against L1TF
  x86/speculation/l1tf: Change order of offset/type in swap entry
  mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
  x86/mm: Fix swap entry comment and macro
  x86/mm: Move swap offset/type up in PTE to work around erratum
  x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
  x86/irqflags: Provide a declaration for native_save_fl
  kprobes/x86: Fix %p uses in error messages
  x86/speculation: Protect against userspace-userspace spectreRSB
  x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
  ARM: dts: imx6sx: fix irq for pcie bridge
  IB/ocrdma: fix out of bounds access to local buffer
  IB/mlx4: Mark user MR as writable if actual virtual memory is writable
  IB/core: Make testing MR flags for writability a static inline function
  fix __legitimize_mnt()/mntput() race
  fix mntput/mntput race
  root dentries need RCU-delayed freeing
  scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
  ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
  xen/netfront: don't cache skb_shinfo()
  parisc: Define mb() and add memory barriers to assembler unlock sequences
  parisc: Enable CONFIG_MLONGCALLS by default
  fork: unconditionally clear stack on fork
  ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
  tpm: fix race condition in tpm_common_write()
  ext4: fix check to prevent initializing reserved inodes
  Linux 4.4.147
  jfs: Fix inconsistency between memory allocation and ea_buf->max_size
  i2c: imx: Fix reinit_completion() use
  ring_buffer: tracing: Inherit the tracing setting to next ring buffer
  ACPI / PCI: Bail early in acpi_pci_add_bus() if there is no ACPI handle
  ext4: fix false negatives *and* false positives in ext4_check_descriptors()
  netlink: Don't shift on 64 for ngroups
  netlink: Don't shift with UB on nlk->ngroups
  netlink: Do not subscribe to non-existent groups
  nohz: Fix local_timer_softirq_pending()
  genirq: Make force irq threading setup more robust
  scsi: qla2xxx: Return error when TMF returns
  scsi: qla2xxx: Fix ISP recovery on unload

Conflicts:
include/linux/swapfile.h

Removed CONFIG_CRYPTO_ECHAINIV from defconfig files since this upmerge is
adding this config to Kconfig file.

Change-Id: Ide96c29f919d76590c2bdccf356d1d464a892fd7
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>

net: memset smsg to avoid the padding data

memset smsg to avoid the padding data of kernel to be shared
with user space. Fix is to set fields event to all "0", but there is
actually 6 bytes padding between "sktype" and "skflags", so memset was
done to set all the padding bits to 0.

CRs-Fixed: 2287852

Change-Id: I435486b80ad19c5fa54b098680623e7a4f080198
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
Acked-by: Chinmay Agarwal <chinagar@qti.qualcomm.com>

soc: qcom: hab: fix the incompatible pointer initialization warning

Such warning of "initialization from incompatible pointer type"
is found in the build time, and it's good to fix it.

Change-Id: Iaf820ae7ec4a7851185febbdebaaab3706fb2402
Signed-off-by: Yong Ding <yongding@codeaurora.org>

defconfig: gvm: enable TCPMSS and RPFILTER

wlan tether function depends on these

Change-Id: Ia00c752b46b23e9e4955e09bb9d69231a3b6cabc
Signed-off-by: Nijun Gong <ngong@codeaurora.org>

drm/msm: check HDMI HFVSDB block before adding formats

Currently, the EDID parser adds the formats based on the
parsing of the Video data blocks and other CTA blocks.

However, there is no input validation based on the
HDMI HFVSDB block to check whether the mode advertised
by the sink actually falls in the TMDS char rate limits.

Add this check in the EDID parser to make sure invalid
formats are not added to the list.

Change-Id: I9a8e8f023924421710cf27402be98150554d0271
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>

drm: Pass CRTC ID in userspace vblank events

With the atomic API, it is possible that a single commit affects
multiple crtcs. If the user requests an event with that commit, one
event will be sent for each CRTC, but it is not possible to distinguish
which crtc an event is for in user space. To solve this, the reserved
field in struct drm_vblank_event is repurposed to include the crtc_id
which the event is for.

The DRM_CAP_CRTC_IN_VBLANK_EVENT is added to allow userspace to query if
the crtc field will be set properly.

[daniels: Rebased, using Maarten's forward-port.]

Change-Id: I48b6b3ab4c97b20b79ebff0cb367acb1f53e95cc
Signed-off-by: Ander Conselvan de Oliveira <ander.conselvan.de.oliveira@intel.com>
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Maarten Lankhorst <maarten.lankhorst@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170404165221.28240-2-daniels@collabora.com
[abhinavk@codeaurora.org: resolved trivial merge conflicts]
Git-commit: 5db06a8a98f515f67446a69c57577c4c363ec65d
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Signed-off-by: Abhinav Kumar <abhinavk@codeaurora.org>

Merge "iommu/arm-smmu: Add Hibernation support"

iommu/arm-smmu: Add Hibernation support

This adds support for saving the arm-smmu client's context
just before going into hibernation. This context is restored
on the subesequent hibernate restore.
Also, invalidate the TLB during the restore phase to avoid
wrong translations post-resume.

Change-Id: Idd8d12bb4d13f8a62bd51e0adaad82bd92f658ee
Signed-off-by: vkakani <vkakani@codeaurora.org>
Signed-off-by: Arun KS <arunks@codeaurora.org>
Signed-off-by: Atul Raut <araut@codeaurora.org>
Signed-off-by: Siddhartha Agrawal <agrawals@codeaurora.org>

msm: ais: change csid to avoid overflow

Check the cid number to be less than MAX_CID in csid.

Change-Id: I16777dc8e8c72e01dc10490cd4c205c939adb7b5
Signed-off-by: Chunhuan Zhan <zhanc@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>

msm: ais: Fix out-of-bounds read in string class name

jpeg driver is calling class_create with stack variable, which
can be overwritten by other stack variables.

Change-Id: I92ccd4629cef8a06b7715b8483cf53a9607bd22f
Signed-off-by: Deepak Shankar <dees@codeaurora.org>
Signed-off-by: Rahul Sharma <rahsha@codeaurora.org>

Revert "usb: phy: dual-role: update sysfs attrs when changed"

This reverts commit 563b2f7a6bed72d34560df5f4358e948eb52a43f.

The previous approach of dynamically updating the writeable
permission bits of the power/data_role attributes only works
if the userspace application has root permission since the
call to sysfs_update_group() removes and re-adds the files. If
they had previously been chown/chgrp'ed, the ownership would be
reset. On the other hand, if there was a ueventd rule to
dynamically update the ownership, then the mode would always
be overridden with the static umask given in the ueventd rule,
contradicting the driver's determination of writeability.

Hence, the more comprehensive fix should be done in userspace
to not rely solely on writeability. Still, this change needs
to be reverted since it can still cause a race between ueventd
and the userspace service trying to check writability.

Change-Id: Ic667a97f2bae41e5a86ee45565518b06db959b36
Signed-off-by: Jack Pham <jackp@codeaurora.org>

Merge "platform: msm: resolve NULL pointer dereference issue"

Merge "msm: adsprpc: DSP device node to provide restricted access to ADSP/SLPI"

Merge 4.4.150 into android-4.4

Changes in 4.4.150
x86/speculation/l1tf: Exempt zeroed PTEs from inversion
Linux 4.4.150

Change-Id: I2dfd6e160998ae2f55f3b7621df62e96a4511f7c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Linux 4.4.150

x86/speculation/l1tf: Exempt zeroed PTEs from inversion

commit f19f5c49bbc3ffcc9126cc245fc1b24cc29f4a37 upstream.

It turns out that we should *not* invert all not-present mappings,
because the all zeroes case is obviously special.

clear_page() does not undergo the XOR logic to invert the address bits,
i.e. PTE, PMD and PUD entries that have not been individually written
will have val=0 and so will trigger __pte_needs_invert(). As a result,
{pte,pmd,pud}_pfn() will return the wrong PFN value, i.e. all ones
(adjusted by the max PFN mask) instead of zero. A zeroed entry is ok
because the page at physical address 0 is reserved early in boot
specifically to mitigate L1TF, so explicitly exempt them from the
inversion when reading the PFN.

Manifested as an unexpected mprotect(..., PROT_NONE) failure when called
on a VMA that has VM_PFNMAP and was mmap'd to as something other than
PROT_NONE but never used. mprotect() sends the PROT_NONE request down
prot_none_walk(), which walks the PTEs to check the PFNs.
prot_none_pte_entry() gets the bogus PFN from pte_pfn() and returns
-EACCES because it thinks mprotect() is trying to adjust a high MMIO
address.

[ This is a very modified version of Sean's original patch, but all
  credit goes to Sean for doing this and also pointing out that
  sometimes the __pte_needs_invert() function only gets the protection
  bits, not the full eventual pte.  But zero remains special even in
  just protection bits, so that's ok.   - Linus ]

Fixes: f22cc87f6c1f ("x86/speculation/l1tf: Invert all not present mappings")
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Acked-by: Andi Kleen <ak@linux.intel.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Dave Hansen <dave.hansen@intel.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge 4.4.149 into android-4.4

Changes in 4.4.149
x86/mm: Disable ioremap free page handling on x86-PAE
tcp: Fix missing range_truesize enlargement in the backport
kasan: don't emit builtin calls when sanitization is off
i2c: ismt: fix wrong device address when unmap the data buffer
kbuild: verify that $DEPMOD is installed
crypto: vmac - require a block cipher with 128-bit block size
crypto: vmac - separate tfm and request context
crypto: blkcipher - fix crash flushing dcache in error path
crypto: ablkcipher - fix crash flushing dcache in error path
ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization
Bluetooth: hidp: buffer overflow in hidp_process_report
ioremap: Update pgtable free interfaces with addr
x86/mm: Add TLB purge to free pmd/pte page interfaces
Linux 4.4.149

Change-Id: I1e23095dd229992359341bda5c05e9b5b59fec45
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Linux 4.4.149

x86/mm: Add TLB purge to free pmd/pte page interfaces

commit 5e0fb5df2ee871b841f96f9cb6a7f2784e96aa4e upstream.

ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
a pud / pmd map.  The following preconditions are met at their entry.
- All pte entries for a target pud/pmd address range have been cleared.
- System-wide TLB purges have been peformed for a target pud/pmd address
   range.

The preconditions assure that there is no stale TLB entry for the range.
Speculation may not cache TLB entries since it requires all levels of page
entries, including ptes, to have P & A-bits set for an associated address.
However, speculation may cache pud/pmd entries (paging-structure caches)
when they have P-bit set.

Add a system-wide TLB purge (INVLPG) to a single page after clearing
pud/pmd entry's P-bit.

SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches,
states that:
  INVLPG invalidates all paging-structure caches associated with the
  current PCID regardless of the liner addresses to which they correspond.

Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: cpandya@codeaurora.org
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: Joerg Roedel <joro@8bytes.org>
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ioremap: Update pgtable free interfaces with addr

commit 785a19f9d1dd8a4ab2d0633be4656653bd3de1fc upstream.

The following kernel panic was observed on ARM64 platform due to a stale
TLB entry.

1. ioremap with 4K size, a valid pte page table is set.
2. iounmap it, its pte entry is set to 0.
3. ioremap the same address with 2M size, update its pmd entry with
a new value.
4. CPU may hit an exception because the old pmd entry is still in TLB,
which leads to a kernel panic.

Commit b6bdb7517c3d ("mm/vmalloc: add interfaces to free unmapped page
table") has addressed this panic by falling to pte mappings in the above
case on ARM64.

To support pmd mappings in all cases, TLB purge needs to be performed
in this case on ARM64.

Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page()
so that TLB purge can be added later in seprate patches.

[toshi.kani@hpe.com: merge changes, rewrite patch description]
Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Signed-off-by: Chintan Pandya <cpandya@codeaurora.org>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: Will Deacon <will.deacon@arm.com>
Cc: Joerg Roedel <joro@8bytes.org>
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-3-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Bluetooth: hidp: buffer overflow in hidp_process_report

commit 7992c18810e568b95c869b227137a2215702a805 upstream.

CVE-2018-9363

The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.

This affects 3.18 and newer kernels.

Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b514b276f0f31efe02388a9c2836728 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization

commit 3bbda5a38601f7675a214be2044e41d7749e6c7b upstream.

If the ts3a227e audio accessory detection hardware is present and its
driver probed, the jack needs to be created before enabling jack
detection in the ts3a227e driver. With this patch, the jack is
instantiated in the max98090 headset init function if the ts3a227e is
present. This fixes a null pointer dereference as the jack detection
enabling function in the ts3a driver was called before the jack is
created.

[minor correction to keep error handling on jack creation the same
as before by Pierre Bossart]

Signed-off-by: Thierry Escande <thierry.escande@collabora.com>
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Acked-By: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: ablkcipher - fix crash flushing dcache in error path

commit 318abdfbe708aaaa652c79fb500e9bd60521f9dc upstream.

Like the skcipher_walk and blkcipher_walk cases:

scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.

Fix it by reorganizing ablkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.

Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: bf06099db18a ("crypto: skcipher - Add ablkcipher_walk interfaces")
Cc: <stable@vger.kernel.org> # v2.6.35+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: blkcipher - fix crash flushing dcache in error path

commit 0868def3e4100591e7a1fdbf3eed1439cc8f7ca3 upstream.

Like the skcipher_walk case:

scatterwalk_done() is only meant to be called after a nonzero number of
bytes have been processed, since scatterwalk_pagedone() will flush the
dcache of the *previous* page. But in the error case of
blkcipher_walk_done(), e.g. if the input wasn't an integer number of
blocks, scatterwalk_done() was actually called after advancing 0 bytes.
This caused a crash ("BUG: unable to handle kernel paging request")
during '!PageSlab(page)' on architectures like arm and arm64 that define
ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
page-aligned as in that case walk->offset == 0.

Fix it by reorganizing blkcipher_walk_done() to skip the
scatterwalk_advance() and scatterwalk_done() if an error has occurred.

This bug was found by syzkaller fuzzing.

Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:

#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
struct sockaddr_alg addr = {
.salg_type = "skcipher",
.salg_name = "ecb(aes-generic)",
};
char buffer[4096] __attribute__((aligned(4096))) = { 0 };
int fd;

fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
fd = accept(fd, NULL, NULL);
write(fd, buffer, 15);
read(fd, buffer, 15);
}

Reported-by: Liu Chao <liuchao741@huawei.com>
Fixes: 5cde0af2a982 ("[CRYPTO] cipher: Added block cipher type")
Cc: <stable@vger.kernel.org> # v2.6.19+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: vmac - separate tfm and request context

commit bb29648102335586e9a66289a1d98a0cb392b6e5 upstream.

syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG.  The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context.  That's wrong.

Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad.  Therefore, only the first
VMAC invocation with a given key calculates the correct digest.

Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.

Reproducer for the crash:

    #include <linux/if_alg.h>
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
            int fd;
            struct sockaddr_alg addr = {
                    .salg_type = "hash",
                    .salg_name = "vmac(aes)",
            };
            char buf[256] = { 0 };

            fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
            bind(fd, (void *)&addr, sizeof(addr));
            setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
            fork();
            fd = accept(fd, NULL, NULL);
            for (;;)
                    write(fd, buf, 256);
    }

The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.

Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

crypto: vmac - require a block cipher with 128-bit block size

commit 73bf20ef3df262026c3470241ae4ac8196943ffa upstream.

The VMAC template assumes the block cipher has a 128-bit block size, but
it failed to check for that. Thus it was possible to instantiate it
using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
uninitialized memory to be used.

Add the needed check when instantiating the template.

Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: <stable@vger.kernel.org> # v2.6.32+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

kbuild: verify that $DEPMOD is installed

commit 934193a654c1f4d0643ddbf4b2529b508cae926e upstream.

Verify that 'depmod' ($DEPMOD) is installed.
This is a partial revert of commit 620c231c7a7f
("kbuild: do not check for ancient modutils tools").

Also update Documentation/process/changes.rst to refer to
kmod instead of module-init-tools.

Fixes kernel bugzilla #198965:
https://bugzilla.kernel.org/show_bug.cgi?id=198965

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Jessica Yu <jeyu@kernel.org>
Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
Cc: stable@vger.kernel.org # any kernel since 2012
Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

i2c: ismt: fix wrong device address when unmap the data buffer

commit 17e83549e199d89aace7788a9f11c108671eecf5 upstream.

Fix the following kernel bug:

kernel BUG at drivers/iommu/intel-iommu.c:3260!
invalid opcode: 0000 [#5] PREEMPT SMP
Hardware name: Intel Corp. Harcuvar/Server, BIOS HAVLCRB0.X64.0013.D39.1608311820 08/31/2016
task: ffff880175389950 ti: ffff880176bec000 task.ti: ffff880176bec000
RIP: 0010:[<ffffffff8150a83b>]  [<ffffffff8150a83b>] intel_unmap+0x25b/0x260
RSP: 0018:ffff880176bef5e8  EFLAGS: 00010296
RAX: 0000000000000024 RBX: ffff8800773c7c88 RCX: 000000000000ce04
RDX: 0000000080000000 RSI: 0000000000000000 RDI: 0000000000000009
RBP: ffff880176bef638 R08: 0000000000000010 R09: 0000000000000004
R10: ffff880175389c78 R11: 0000000000000a4f R12: ffff8800773c7868
R13: 00000000ffffac88 R14: ffff8800773c7818 R15: 0000000000000001
FS:  00007fef21258700(0000) GS:ffff88017b5c0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000066d6d8 CR3: 000000007118c000 CR4: 00000000003406e0
Stack:
00000000ffffac88 ffffffff8199867f ffff880176bef5f8 ffff880100000030
ffff880176bef668 ffff8800773c7c88 ffff880178288098 ffff8800772c0010
ffff8800773c7818 0000000000000001 ffff880176bef648 ffffffff8150a86e
Call Trace:
[<ffffffff8199867f>] ? printk+0x46/0x48
[<ffffffff8150a86e>] intel_unmap_page+0xe/0x10
[<ffffffffa039d99b>] ismt_access+0x27b/0x8fa [i2c_ismt]
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
[<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
[<ffffffff8143dfd0>] ? pci_bus_read_dev_vendor_id+0xf0/0xf0
[<ffffffff8172b36c>] i2c_smbus_xfer+0xec/0x4b0
[<ffffffff810aa4d5>] ? vprintk_emit+0x345/0x530
[<ffffffffa038936b>] i2cdev_ioctl_smbus+0x12b/0x240 [i2c_dev]
[<ffffffff810aa829>] ? vprintk_default+0x29/0x40
[<ffffffffa0389b33>] i2cdev_ioctl+0x63/0x1ec [i2c_dev]
[<ffffffff811b04c8>] do_vfs_ioctl+0x328/0x5d0
[<ffffffff8119d8ec>] ? vfs_write+0x11c/0x190
[<ffffffff8109d449>] ? rt_up_read+0x19/0x20
[<ffffffff811b07f1>] SyS_ioctl+0x81/0xa0
[<ffffffff819a351b>] system_call_fastpath+0x16/0x6e

This happen When run "i2cdetect -y 0" detect SMBus iSMT adapter.

After finished I2C block read/write, when unmap the data buffer,
a wrong device address was pass to dma_unmap_single().

To fix this, give dma_unmap_single() the "dev" parameter, just like
what dma_map_single() does, then unmap can find the right devices.

Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
Signed-off-by: Liwei Song <liwei.song@windriver.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

kasan: don't emit builtin calls when sanitization is off

commit 0e410e158e5baa1300bdf678cea4f4e0cf9d8b94 upstream.

With KASAN enabled the kernel has two different memset() functions, one
with KASAN checks (memset) and one without (__memset).  KASAN uses some
macro tricks to use the proper version where required.  For example
memset() calls in mm/slub.c are without KASAN checks, since they operate
on poisoned slab object metadata.

The issue is that clang emits memset() calls even when there is no
memset() in the source code.  They get linked with improper memset()
implementation and the kernel fails to boot due to a huge amount of KASAN
reports during early boot stages.

The solution is to add -fno-builtin flag for files with KASAN_SANITIZE :=
n marker.

Link: http://lkml.kernel.org/r/8ffecfffe04088c52c42b92739c2bd8a0bcb3f5e.1516384594.git.andreyknvl@google.com
Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
Cc: Michal Marek <michal.lkml@markovi.net>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[ Nick : Backported to 4.4 avoiding KUBSAN ]
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

tcp: Fix missing range_truesize enlargement in the backport

The 4.4.y stable backport dc6ae4dffd65 for the upstream commit
3d4bf93ac120 ("tcp: detect malicious patterns in
tcp_collapse_ofo_queue()") missed a line that enlarges the
range_truesize value, which broke the whole check.

Fixes: dc6ae4dffd65 ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Cc: Michal Kubecek <mkubecek@suse.cz>

x86/mm: Disable ioremap free page handling on x86-PAE

commit f967db0b9ed44ec3057a28f3b28efc51df51b835 upstream.

ioremap() supports pmd mappings on x86-PAE.  However, kernel's pmd
tables are not shared among processes on x86-PAE.  Therefore, any
update to sync'd pmd entries need re-syncing.  Freeing a pte page
also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one().

Disable free page handling on x86-PAE.  pud_free_pmd_page() and
pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present.
This assures that ioremap() does not update sync'd pmd entries at the
cost of falling back to pte mappings.

Fixes: 28ee90fe6048 ("x86/mm: implement free pmd/pte page interfaces")
Reported-by: Joerg Roedel <joro@8bytes.org>
Signed-off-by: Toshi Kani <toshi.kani@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: mhocko@suse.com
Cc: akpm@linux-foundation.org
Cc: hpa@zytor.com
Cc: cpandya@codeaurora.org
Cc: linux-mm@kvack.org
Cc: linux-arm-kernel@lists.infradead.org
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20180627141348.21777-2-toshi.kani@hpe.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge "drm: msm: update dsi state context when splash is on"

drm: msm: sde: Fix SMMU fault during DRM test

This change is done to detach all pipes first before the first commit
proceed, Kernel will have to do the pipe detach when kernel got the first
valid frame and we want to detach all the splash pipes after the LK is
being notified to stop.

Change-Id: I3a599a102286596333a35273e27d8a363f2134b7
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>

drm: msm: remove hdcp related error messages

HDMI display on auto boards has disabled pluggable function
and hardcoded 1080p mode for output. So ddc related function
should also be skipped. Otherwise, some HDCP related error
messages are printed during boot up when accessing ddc.

Change-Id: I0fea0470dd11cc599bc7eb86d7fe3fb4ccf96693
Signed-off-by: Suprith Malligere Shankaregowda <supgow@codeaurora.org>

ARM: dts: msm: set qcom,guard-memory property for rmtfs on sdm660

This is needed to address the XPU limitation, so that the
shared memory is not contiguous with other memory allocations
that may happen from other clients in the system.

Change-Id: Ibc9961245f32ecc63892007a3d12b7956cf63e67
Signed-off-by: Ankit Jain <jankit@codeaurora.org>

uio: msm_sharedmem: add guard page around shared memory

If guard_memory dtsi property is set, then the shared memory
region will be guarded by SZ_4K at the start and at the end.
This is needed to overcome the XPU limitation on few MSM HW,
so as to make this memory not contiguous with other allocations
that may possibly happen from other clients in the system.

Change-Id: I57637619cea8fe7f0f7254624e07177ea4a4fce0
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>

cnss: Use the nosync API in cnss when disabling irq

The disable_irq API will wait for IRQ handler completion
when pcie link down, this will cause system error. Use
the nosync API to disable irq.

Change-Id: Ib8e1c160cb748c2007bd24089e09b0ee6694d04d
CRs-Fixed: 2157312
Signed-off-by: Guisen Yang <guiseny@codeaurora.org>

platform: msm: resolve NULL pointer dereference issue

Fix some null pointer dereference flaw and parameter not init issues.

change-Id: I0ed5f3f62c3794775bf97d353c4e50dd8ceb32da
Signed-off-by: Yao Jiang <yaojia@codeaurora.org>

Merge 4.4.148 into android-4.4

Changes in 4.4.148
ext4: fix check to prevent initializing reserved inodes
tpm: fix race condition in tpm_common_write()
ipv4+ipv6: Make INET*_ESP select CRYPTO_ECHAINIV
fork: unconditionally clear stack on fork
parisc: Enable CONFIG_MLONGCALLS by default
parisc: Define mb() and add memory barriers to assembler unlock sequences
xen/netfront: don't cache skb_shinfo()
ACPI / LPSS: Add missing prv_offset setting for byt/cht PWM devices
scsi: sr: Avoid that opening a CD-ROM hangs with runtime power management enabled
root dentries need RCU-delayed freeing
fix mntput/mntput race
fix __legitimize_mnt()/mntput() race
IB/core: Make testing MR flags for writability a static inline function
IB/mlx4: Mark user MR as writable if actual virtual memory is writable
IB/ocrdma: fix out of bounds access to local buffer
ARM: dts: imx6sx: fix irq for pcie bridge
x86/paravirt: Fix spectre-v2 mitigations for paravirt guests
x86/speculation: Protect against userspace-userspace spectreRSB
kprobes/x86: Fix %p uses in error messages
x86/irqflags: Provide a declaration for native_save_fl
x86/speculation/l1tf: Increase 32bit PAE __PHYSICAL_PAGE_SHIFT
x86/mm: Move swap offset/type up in PTE to work around erratum
x86/mm: Fix swap entry comment and macro
mm: x86: move _PAGE_SWP_SOFT_DIRTY from bit 7 to bit 1
x86/speculation/l1tf: Change order of offset/type in swap entry
x86/speculation/l1tf: Protect swap entries against L1TF
x86/speculation/l1tf: Protect PROT_NONE PTEs against speculation
x86/speculation/l1tf: Make sure the first page is always reserved
x86/speculation/l1tf: Add sysfs reporting for l1tf
mm: Add vm_insert_pfn_prot()
mm: fix cache mode tracking in vm_insert_mixed()
x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings
x86/speculation/l1tf: Limit swap file size to MAX_PA/2
x86/bugs: Move the l1tf function and define pr_fmt properly
x86/speculation/l1tf: Extend 64bit swap file size limit
x86/cpufeatures: Add detection of L1D cache flush support.
x86/speculation/l1tf: Protect PAE swap entries against L1TF
x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
x86/speculation/l1tf: Invert all not present mappings
x86/speculation/l1tf: Make pmd/pud_mknotpresent() invert
x86/mm/pat: Make set_memory_np() L1TF safe
x86/mm/kmmio: Make the tracer robust against L1TF
x86/speculation/l1tf: Fix up CPU feature flags
x86/init: fix build with CONFIG_SWAP=n
x86/speculation/l1tf: Unbreak !__HAVE_ARCH_PFN_MODIFY_ALLOWED architectures
Linux 4.4.148

Change-Id: I83c857d9d9d74ee47e61d15eb411f276f057ba3d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

Linux 4.4.148