Commit d523ad4f authored May 26, 2017 by Kyle Yan

Merge remote-tracking branch '4.9/tmp-951d823c' into msm-4.9



* 4.9/tmp-951d823c:
  Linux 4.9.30
  drm/i915/gvt: Disable access to stolen memory as a guest
  drivers: char: mem: Check for address space wraparound with mmap()
  nfsd: encoders mustn't use unitialized values in error cases
  nfsd: fix undefined behavior in nfsd4_layout_verify
  NFS: Use GFP_NOIO for two allocations in writeback
  NFS: Fix use after free in write error path
  NFSv4: Fix a hang in OPEN related to server reboot
  drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2
  mtd: nand: add ooblayout for old hamming layout
  mtd: nand: omap2: Fix partition creation via cmdline mtdparts
  mtd: nand: orion: fix clk handling
  PCI: Freeze PME scan before suspending devices
  PCI: Only allow WC mmap on prefetchable resources
  PCI: Fix another sanity check bug in /proc/pci mmap
  PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms
  PCI: hv: Specify CPU_AFFINITY_ALL for MSI affinity when >= 32 CPUs
  PCI: hv: Allocate interrupt descriptors with GFP_ATOMIC
  tracing/kprobes: Enforce kprobes teardown after testing
  um: Fix to call read_initrd after init_bootmem
  osf_wait4(): fix infoleak
  MIPS: Loongson-3: Select MIPS_L1_CACHE_SHIFT_6
  nvme: unmap CMB and remove sysfs file in reset path
  genirq: Fix chained interrupt data ordering
  uwb: fix device quirk on big-endian hosts
  stackprotector: Increase the per-task stack canary's random range from 32 bits to 64 bits on 64-bit platforms
  metag/uaccess: Check access_ok in strncpy_from_user
  metag/uaccess: Fix access_ok()
  iommu/vt-d: Flush the IOTLB to get rid of the initial kdump mappings
  staging: rtl8192e: GetTs Fix invalid TID 7 warning.
  staging: rtl8192e: rtl92e_get_eeprom_size Fix read size of EPROM_CMD.
  staging: rtl8192e: fix 2 byte alignment of register BSSIDR.
  staging: rtl8192e: rtl92e_fill_tx_desc fix write to mapped out memory.
  arm64: documentation: document tagged pointer stack constraints
  arm64: uaccess: ensure extension of access_ok() addr
  arm64: armv8_deprecated: ensure extension of addr
  arm64: ensure extension of smp_store_release value
  arm64: xchg: hazard against entire exchange variable
  arm64: dts: hi6220: Reset the mmc hosts
  ARM: dts: imx6sx-sdb: Remove OPP override
  ARM: dts: at91: sama5d3_xplained: not all ADC channels are available
  ARM: dts: at91: sama5d3_xplained: fix ADC vref
  ARM: 8670/1: V7M: Do not corrupt vector table around v7m_invalidate_l1 call
  ARM: 8662/1: module: split core and init PLT sections
  KVM: arm: plug potential guest hardware debug leakage
  arm: KVM: Do not use stack-protector to compile HYP code
  arm64: KVM: Do not use stack-protector to compile EL2 code
  powerpc/tm: Fix FP and VMX register corruption
  powerpc/64e: Fix hang when debugging programs with relocated kernel
  powerpc/iommu: Do not call PageTransHuge() on tail pages
  powerpc/pseries: Fix of_node_put() underflow during DLPAR remove
  powerpc/book3s/mce: Move add_taint() later in virtual mode
  powerpc/eeh: Avoid use after free in eeh_handle_special_event()
  powerpc/mm: Ensure IRQs are off in switch_mm()
  cx231xx-cards: fix NULL-deref at probe
  cx231xx-audio: fix NULL-deref at probe
  cx231xx-audio: fix init error path
  dw2102: limit messages to buffer size
  digitv: limit messages to buffer size
  dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops
  zr364xx: enforce minimum size when reading header
  dib0700: fix NULL-deref at probe
  s5p-mfc: Fix unbalanced call to clock management
  gspca: konica: add missing endpoint sanity check
  s5p-mfc: Fix race between interrupt routine and device functions
  iio: hid-sensor: Store restore poll and hysteresis on S3
  iio: proximity: as3935: fix as3935_write
  ipx: call ipxitf_put() in ioctl error path
  USB: hub: fix non-SS hub-descriptor handling
  USB: hub: fix SS hub-descriptor handling
  USB: serial: io_ti: fix div-by-zero in set_termios
  USB: serial: mct_u232: fix big-endian baud-rate handling
  USB: serial: qcserial: add more Lenovo EM74xx device IDs
  usb: serial: option: add Telit ME910 support
  USB: iowarrior: fix info ioctl on big-endian hosts
  usb: musb: Fix trying to suspend while active for OTG configurations
  usb: musb: tusb6010_omap: Do not reset the other direction's packet size
  usb: dwc3: gadget: Prevent losing events in event cache
  dvb-usb-dibusb-mc-common: Add MODULE_LICENSE
  ttusb2: limit messages to buffer size
  mceusb: fix NULL-deref at probe
  usbvision: fix NULL-deref at probe
  net: irda: irda-usb: fix firmware name on big-endian hosts
  usb: host: xhci-mem: allocate zeroed Scratchpad Buffer
  xhci: apply PME_STUCK_QUIRK and MISSING_CAS quirk for Denverton
  usb: host: xhci-plat: propagate return value of platform_get_irq()
  xhci: remove GFP_DMA flag from allocation
  libnvdimm: fix clear length of nvdimm_forget_poison()
  fscrypt: avoid collisions when presenting long encrypted filenames
  f2fs: check entire encrypted bigname when finding a dentry
  USB: chaoskey: fix Alea quirk on big-endian hosts
  USB: serial: ftdi_sio: add Olimex ARM-USB-TINY(H) PIDs
  USB: serial: ftdi_sio: fix setting latency for unprivileged users
  pid_ns: Fix race between setns'ed fork() and zap_pid_ns_processes()
  pid_ns: Sleep in TASK_INTERRUPTIBLE in zap_pid_ns_processes
  IB/hfi1: Fix a subcontext memory leak
  IB/hfi1: Return an error on memory allocation failure
  IIO: bmp280-core.c: fix error in humidity calculation
  iio: dac: ad7303: fix channel description
  ibmvscsis: Do not send aborted task response
  of: fdt: add missing allocation-failure check
  of: fix "/cpus" reference leak in of_numa_parse_cpu_nodes()
  of: fix sparse warning in of_pci_range_parser_one
  proc: Fix unbalanced hard link numbers
  cxl: Route eeh events to all drivers in cxl_pci_error_detected()
  cxl: Force context lock during EEH flow
  ohci-pci: add qemu quirk
  cdc-acm: fix possible invalid access when processing notification
  gpio: omap: return error if requested debounce time is not possible
  drm/nouveau/tmr: handle races with hw when updating the next alarm time
  drm/nouveau/tmr: avoid processing completed alarms when adding a new one
  drm/nouveau/tmr: fix corruption of the pending list when rescheduling an alarm
  drm/nouveau/tmr: ack interrupt before processing alarms
  drm/nouveau/therm: remove ineffective workarounds for alarm bugs
  drm/amdgpu: Add missing lb_vblank_lead_lines setup to DCE-6 path.
  drm/amdgpu: Avoid overflows/divide-by-zero in latency_watermark calculations.
  drm/amdgpu: Make display watermark calculations more accurate
  ath9k_htc: fix NULL-deref at probe
  ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device
  s390/cputime: fix incorrect system time
  s390/kdump: Add final note
  regulator: tps65023: Fix inverted core enable logic.
  regulator: rk808: Fix RK818 LDO2
  x86: fix 32-bit case of __get_user_asm_u64()
  KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation
  KVM: x86: Fix potential preemption when get the current kvmclock timestamp
  KVM: x86: Fix load damaged SSEx MXCSR register
  ima: accept previously set IMA_NEW_FILE
  mwifiex: pcie: fix cmd_buf use-after-free in remove/reset
  mwifiex: MAC randomization should not be persistent
  rtlwifi: rtl8821ae: setup 8812ae RFE according to device type
  md: MD_CLOSING needs to be cleared after called md_set_readonly or do_md_stop
  md: update slab_cache before releasing new stripes when stripes resizing
  dm space map disk: fix some book keeping in the disk space map
  dm thin metadata: call precommit before saving the roots
  dm bufio: make the parameter "retain_bytes" unsigned long
  dm cache metadata: fail operations if fail_io mode has been established
  dm mpath: split and rename activate_path() to prepare for its expanded use
  dm bufio: check new buffer allocation watermark every 30 seconds
  dm bufio: avoid a possible ABBA deadlock
  dm raid: select the Kconfig option CONFIG_MD_RAID0
  dm btree: fix for dm_btree_find_lowest_key()
  infiniband: call ipv6 route lookup via the stub interface
  mlx5: Fix mlx5_ib_map_mr_sg mr length
  ASoC: cs4271: configure reset GPIO as output
  tpm_crb: check for bad response size
  tpm: add sleep only for retry in i2c_nuvoton_write_status()
  tpm: msleep() delays - replace with usleep_range() in i2c nuvoton driver
  tpm_tis_spi: Add small delay after last transfer
  tpm_tis_spi: Remove limitation of transfers to MAX_SPI_FRAMESIZE bytes
  tpm_tis_spi: Check correct byte for wait state indicator
  tpm_tis_spi: Abort transfer when too many wait states are signaled
  tpm_tis_spi: Use single function to transfer data
  fanotify: don't expose EOPENSTALE to userspace
  ARM: tegra: paz00: Mark panel regulator as enabled on boot
  ALSA: hda: Fix cpu lockup when stopping the cmd dmas
  tpm_tis_core: Choose appropriate timeout for reading burstcount
  USB: core: replace %p with %pK
  char: lp: fix possible integer overflow in lp_setup()
  watchdog: pcwd_usb: fix NULL-deref at probe
  USB: ene_usb6250: fix DMA to the stack
  usb: misc: legousbtower: Fix memory leak
  usb: misc: legousbtower: Fix buffers on stack
  UPSTREAM: drm/fb_cma_helper: Add missing forward declaration
  ANDROID: uid_sys_stats: defer io stats calulation for dead tasks
  BACKPORT: drm/fence: fix memory overwrite when setting out_fence fd
  BACKPORT: drm/fence: add drm_crtc_create_fence()
  UPSTREAM: drm/fences: add DOC: for explicit fencing
  UPSTREAM: drm/atomic: Fix double free in drm_atomic_state_default_clear
  BACKPORT: drm/fence: add out-fences support
  BACKPORT: drm/fence: add fence timeline to drm_crtc
  BACKPORT: drm/fence: add in-fences support
  BACKPORT: dma-buf: Use fence_get_rcu_safe() for retrieving the exclusive fence
  BACKPORT: drm/fb_cma_helper: Add drm_fb_cma_prepare_fb() helper
  BACKPORT: drm/atomic: add drm_atomic_set_fence_for_plane()
  UPSTREAM: dma-buf: Update kerneldoc for sync_file_create
  UPSTREAM: Revert "dma-buf/sync-file: Avoid enable fence signaling if poll(.timeout=0)"
  UPSTREAM: reservation: revert "wait only with non-zero timeout specified (v3)" v2
  BACKPORT: dma-buf/fence: revert "don't wait when specified timeout is zero" (v2)
  UPSTREAM: dma-buf/sw_sync: put fence reference from the fence creation
  UPSTREAM: dma-buf/fence: add an lockdep_assert_held()
  UPSTREAM: dma-buf/sync_file: hold reference to fence when creating sync_file
  UPSTREAM: drm/fence: release fence reference when canceling event
  UPSTREAM: dma-buf: Restart reservation_object_test_signaled_rcu() after writes
  UPSTREAM: dma-buf: Restart reservation_object_wait_timeout_rcu() after writes
  UPSTREAM: dma-buf: Restart reservation_object_get_fences_rcu() after writes
  UPSTREAM: dma-buf: Introduce fence_get_rcu_safe()
  ANDROID: sdcardfs: Check for NULL in revalidate
  ANDROID: Add CGROUP_BPF to android base config
  BACKPORT: UPSTREAM: bpf: pass sk to helper functions
  BACKPORT: UPSTREAM: Add a eBPF helper function to retrieve socket uid
  BACKPORT: UPSTREAM: Add a helper function to get socket cookie in eBPF
  ANDROID: Fix missing uapi headers
  UPSTREAM: cgroup: Fix CGROUP_BPF config
  UPSTREAM: samples: bpf: add userspace example for attaching eBPF programs to cgroups
  UPSTREAM: net: ipv4, ipv6: run cgroup eBPF egress programs
  UPSTREAM: net: filter: run cgroup eBPF ingress programs
  UPSTREAM: bpf: add BPF_PROG_ATTACH and BPF_PROG_DETACH commands
  UPSTREAM: cgroup: add support for eBPF programs
  UPSTREAM: bpf: add new prog type for cgroup socket filtering

Change-Id: Ic92b4df2a2fd08d1ec4bbcf6a5d6e100acfa5b61
Signed-off-by: Kyle Yan <kyan@codeaurora.org>

parents ea5149e3 951d823c

Documentation/arm64/tagged-pointers.txt

+47 −15

Original line number	Diff line number	Diff line
		@@ -11,24 +11,56 @@ in AArch64 Linux.
		The kernel configures the translation tables so that translations made
		via TTBR0 (i.e. userspace mappings) have the top byte (bits 63:56) of
		the virtual address ignored by the translation hardware. This frees up
		this byte for application use, with the following caveats:
		this byte for application use.

		(1) The kernel requires that all user addresses passed to EL1
		are tagged with tag 0x00. This means that any syscall
		parameters containing user virtual addresses must have
		their top byte cleared before trapping to the kernel.

		(2) Non-zero tags are not preserved when delivering signals.
		This means that signal handlers in applications making use
		of tags cannot rely on the tag information for user virtual
		addresses being maintained for fields inside siginfo_t.
		One exception to this rule is for signals raised in response
		to watchpoint debug exceptions, where the tag information
		will be preserved.
		Passing tagged addresses to the kernel
		--------------------------------------

		(3) Special care should be taken when using tagged pointers,
		since it is likely that C compilers will not hazard two
		virtual addresses differing only in the upper byte.
		All interpretation of userspace memory addresses by the kernel assumes
		an address tag of 0x00.

		This includes, but is not limited to, addresses found in:

		- pointer arguments to system calls, including pointers in structures
		passed to system calls,

		- the stack pointer (sp), e.g. when interpreting it to deliver a
		signal,

		- the frame pointer (x29) and frame records, e.g. when interpreting
		them to generate a backtrace or call graph.

		Using non-zero address tags in any of these locations may result in an
		error code being returned, a (fatal) signal being raised, or other modes
		of failure.

		For these reasons, passing non-zero address tags to the kernel via
		system calls is forbidden, and using a non-zero address tag for sp is
		strongly discouraged.

		Programs maintaining a frame pointer and frame records that use non-zero
		address tags may suffer impaired or inaccurate debug and profiling
		visibility.


		Preserving tags
		---------------

		Non-zero tags are not preserved when delivering signals. This means that
		signal handlers in applications making use of tags cannot rely on the
		tag information for user virtual addresses being maintained for fields
		inside siginfo_t. One exception to this rule is for signals raised in
		response to watchpoint debug exceptions, where the tag information will
		be preserved.

		The architecture prevents the use of a tagged PC, so the upper byte will
		be set to a sign-extension of bit 55 on exception return.


		Other considerations
		--------------------

		Special care should be taken when using tagged pointers, since it is
		likely that C compilers will not hazard two virtual addresses differing
		only in the upper byte.

Documentation/gpu/drm-kms.rst

+6 −0

Original line number	Diff line number	Diff line
		@@ -308,6 +308,12 @@ Color Management Properties
		.. kernel-doc:: drivers/gpu/drm/drm_color_mgmt.c
		:export:

		Explicit Fencing Properties
		---------------------------

		.. kernel-doc:: drivers/gpu/drm/drm_atomic.c
		:doc: explicit fencing properties

		Existing KMS Properties
		-----------------------

Makefile

+1 −1

Original line number	Diff line number	Diff line
		VERSION = 4
		PATCHLEVEL = 9
		SUBLEVEL = 29
		SUBLEVEL = 30
		EXTRAVERSION =
		NAME = Roaring Lionus

arch/alpha/kernel/osf_sys.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -1188,8 +1188,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options,
		if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
		return -EFAULT;

		err = 0;
		err \|= put_user(status, ustatus);
		err = put_user(status, ustatus);
		if (ret < 0)
		return err ? err : ret;

		err \|= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
		err \|= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
		err \|= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);

arch/arm/boot/dts/at91-sama5d3_xplained.dts

+2 −3

Original line number	Diff line number	Diff line
		@@ -162,9 +162,10 @@
		};

		adc0: adc@f8018000 {
		atmel,adc-vref = <3300>;
		atmel,adc-channels-used = <0xfe>;
		pinctrl-0 = <
		&pinctrl_adc0_adtrg
		&pinctrl_adc0_ad0
		&pinctrl_adc0_ad1
		&pinctrl_adc0_ad2
		&pinctrl_adc0_ad3
		@@ -172,8 +173,6 @@
		&pinctrl_adc0_ad5
		&pinctrl_adc0_ad6
		&pinctrl_adc0_ad7
		&pinctrl_adc0_ad8
		&pinctrl_adc0_ad9
		>;
		status = "okay";
		};