linux-toradex.git/drivers, branch v4.18-rc7 Linux kernel for Apalis and Colibri modules Merge tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random 2018-07-29T02:40:06+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-29T02:40:06+00:00 a26fb01c2879ed7026e6cbd78bb701912d249eef Pull random fixes from Ted Ts'o: "In reaction to the fixes to address CVE-2018-1108, some Linux distributions that have certain systemd versions in some cases combined with patches to libcrypt for FIPS/FEDRAMP compliance, have led to boot-time stalls for some hardware. The reaction by some distros and Linux sysadmins has been to install packages that try to do complicated things with the CPU and hope that leads to randomness. To mitigate this, if RDRAND is available, mix it into entropy provided by userspace. It won't hurt, and it will probably help" * tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random: random: mix rdrand with entropy sent in from userspace 
Pull random fixes from Ted Ts'o:
 "In reaction to the fixes to address CVE-2018-1108, some Linux
  distributions that have certain systemd versions in some cases
  combined with patches to libcrypt for FIPS/FEDRAMP compliance, have
  led to boot-time stalls for some hardware.

  The reaction by some distros and Linux sysadmins has been to install
  packages that try to do complicated things with the CPU and hope that
  leads to randomness.

  To mitigate this, if RDRAND is available, mix it into entropy provided
  by userspace. It won't hurt, and it will probably help"

* tag 'random_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random:
  random: mix rdrand with entropy sent in from userspace
Merge tag 'gpio-v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio 2018-07-28T22:43:14+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-28T22:43:14+00:00 2ffb57dfa793ca2932c524a1e91d403b28bd84b9 Pull GPIO fixes from Linus Walleij: "Just a smallish OF fix and a driver fix: - OF flag fix for special regulator flags - fix up the Uniphier IRQ callback" * tag 'gpio-v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: uniphier: set legitimate irq trigger type in .to_irq hook gpio: of: Handle fixed regulator flags properly 
Pull GPIO fixes from Linus Walleij:
 "Just a smallish OF fix and a driver fix:

   - OF flag fix for special regulator flags

   - fix up the Uniphier IRQ callback"

* tag 'gpio-v4.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  gpio: uniphier: set legitimate irq trigger type in .to_irq hook
  gpio: of: Handle fixed regulator flags properly
Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux 2018-07-28T17:04:40+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-28T17:04:40+00:00 dd63bf22fccd68913e3088c5ed5de3bf406a7546 Pull i2c fixes from Wolfram Sang: "Some driver bugfixes" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: imx: use open drain for recovery GPIO i2c: rcar: handle RXDMA HW behaviour on Gen3 i2c: imx: Fix reinit_completion() use i2c: davinci: Avoid zero value of CLKH 
Pull i2c fixes from Wolfram Sang:
 "Some driver bugfixes"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: imx: use open drain for recovery GPIO
  i2c: rcar: handle RXDMA HW behaviour on Gen3
  i2c: imx: Fix reinit_completion() use
  i2c: davinci: Avoid zero value of CLKH
Merge tag 'for-linus-20180727' of git://git.kernel.dk/linux-block 2018-07-27T19:51:00+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-27T19:51:00+00:00 eb181a814c98255b32d30b383baca00e6ebec72e Pull block fixes from Jens Axboe: "Bigger than usual at this time, mostly due to the O_DIRECT corruption issue and the fact that I was on vacation last week. This contains: - NVMe pull request with two fixes for the FC code, and two target fixes (Christoph) - a DIF bio reset iteration fix (Greg Edwards) - two nbd reply and requeue fixes (Josef) - SCSI timeout fixup (Keith) - a small series that fixes an issue with bio_iov_iter_get_pages(), which ended up causing corruption for larger sized O_DIRECT writes that ended up racing with buffered writes (Martin Wilck)" * tag 'for-linus-20180727' of git://git.kernel.dk/linux-block: block: reset bi_iter.bi_done after splitting bio block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs blkdev: __blkdev_direct_IO_simple: fix leak in error case block: bio_iov_iter_get_pages: fix size of last iovec nvmet: only check for filebacking on -ENOTBLK nvmet: fixup crash on NULL device path scsi: set timed out out mq requests to complete blk-mq: export setting request completion state nvme: if_ready checks to fail io to deleting controller nvmet-fc: fix target sgl list on large transfers nbd: handle unexpected replies better nbd: don't requeue the same request twice. 
Pull block fixes from Jens Axboe:
 "Bigger than usual at this time, mostly due to the O_DIRECT corruption
  issue and the fact that I was on vacation last week. This contains:

   - NVMe pull request with two fixes for the FC code, and two target
     fixes (Christoph)

   - a DIF bio reset iteration fix (Greg Edwards)

   - two nbd reply and requeue fixes (Josef)

   - SCSI timeout fixup (Keith)

   - a small series that fixes an issue with bio_iov_iter_get_pages(),
     which ended up causing corruption for larger sized O_DIRECT writes
     that ended up racing with buffered writes (Martin Wilck)"

* tag 'for-linus-20180727' of git://git.kernel.dk/linux-block:
  block: reset bi_iter.bi_done after splitting bio
  block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs
  blkdev: __blkdev_direct_IO_simple: fix leak in error case
  block: bio_iov_iter_get_pages: fix size of last iovec
  nvmet: only check for filebacking on -ENOTBLK
  nvmet: fixup crash on NULL device path
  scsi: set timed out out mq requests to complete
  blk-mq: export setting request completion state
  nvme: if_ready checks to fail io to deleting controller
  nvmet-fc: fix target sgl list on large transfers
  nbd: handle unexpected replies better
  nbd: don't requeue the same request twice.
Merge branch 'akpm' (patches from Andrew) 2018-07-27T17:30:47+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-27T17:30:47+00:00 864af0d40cdc82b705e3ca79cf2a57be900954b1 Merge misc fixes from Andrew Morton: "11 fixes" * emailed patches from Andrew Morton <akpm@linux-foundation.org>: kvm, mm: account shadow page tables to kmemcg zswap: re-check zswap_is_full() after do zswap_shrink() include/linux/eventfd.h: include linux/errno.h mm: fix vma_is_anonymous() false-positives mm: use vma_init() to initialize VMAs on stack and data segments mm: introduce vma_init() mm: fix exports that inadvertently make put_page() EXPORT_SYMBOL_GPL ipc/sem.c: prevent queue.status tearing in semop mm: disallow mappings that conflict for devm_memremap_pages() kasan: only select SLUB_DEBUG with SYSFS=y delayacct: fix crash in delayacct_blkio_end() after delayacct init failure 
Merge misc fixes from Andrew Morton:
 "11 fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  kvm, mm: account shadow page tables to kmemcg
  zswap: re-check zswap_is_full() after do zswap_shrink()
  include/linux/eventfd.h: include linux/errno.h
  mm: fix vma_is_anonymous() false-positives
  mm: use vma_init() to initialize VMAs on stack and data segments
  mm: introduce vma_init()
  mm: fix exports that inadvertently make put_page() EXPORT_SYMBOL_GPL
  ipc/sem.c: prevent queue.status tearing in semop
  mm: disallow mappings that conflict for devm_memremap_pages()
  kasan: only select SLUB_DEBUG with SYSFS=y
  delayacct: fix crash in delayacct_blkio_end() after delayacct init failure
Merge tag 'pci-v4.18-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci 2018-07-27T17:28:51+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-27T17:28:51+00:00 1a3d8691fd2ae95f5443b2d57f91f28f6ff4700d Pull PCI fix from Bjorn Helgaas: "Fix a use-after-free error in fatal error recovery (Thomas Tai)" * tag 'pci-v4.18-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci: PCI/AER: Work around use-after-free in pcie_do_fatal_recovery() 
Pull PCI fix from Bjorn Helgaas:
 "Fix a use-after-free error in fatal error recovery (Thomas Tai)"

* tag 'pci-v4.18-fixes-4' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI/AER: Work around use-after-free in pcie_do_fatal_recovery()
Merge tag 'drm-fixes-2018-07-27' of git://anongit.freedesktop.org/drm/drm 2018-07-27T17:03:08+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-27T17:03:08+00:00 3c9fdefe516f350469ac105943fb1bc22e3e8196 Pull drm fixes from Dave Airlie: "Not much happening this week which is good: two imx display fixes and one i915 quirk addition" * tag 'drm-fixes-2018-07-27' of git://anongit.freedesktop.org/drm/drm: drm/i915/glk: Add Quirk for GLK NUC HDMI port issues. gpu: ipu-csi: Check for field type alternate drm/imx: imx-ldb: check if channel is enabled before printing warning drm/imx: imx-ldb: disable LDB on driver bind 
Pull drm fixes from Dave Airlie:
 "Not much happening this week which is good: two imx display fixes and
  one i915 quirk addition"

* tag 'drm-fixes-2018-07-27' of git://anongit.freedesktop.org/drm/drm:
  drm/i915/glk: Add Quirk for GLK NUC HDMI port issues.
  gpu: ipu-csi: Check for field type alternate
  drm/imx: imx-ldb: check if channel is enabled before printing warning
  drm/imx: imx-ldb: disable LDB on driver bind
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input 2018-07-27T16:53:45+00:00 Linus Torvalds torvalds@linux-foundation.org 2018-07-27T16:53:45+00:00 49b1622bdb0be9b1cb20d36c64a635bcc5981c4b Pull input fixes from Dmitry Torokhov: - a couple of new device IDs added to Elan i2c touchpad controller driver - another entry in i8042 reset quirk list * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: i8042 - add Lenovo LaVie Z to the i8042 reset list Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST MAINTAINERS: Add file patterns for serio device tree bindings Input: elan_i2c - add ACPI ID for lenovo ideapad 330 
Pull input fixes from Dmitry Torokhov:

 - a couple of new device IDs added to Elan i2c touchpad controller
   driver

 - another entry in i8042 reset quirk list

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
  Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
  MAINTAINERS: Add file patterns for serio device tree bindings
  Input: elan_i2c - add ACPI ID for lenovo ideapad 330
mm: fix vma_is_anonymous() false-positives 2018-07-27T02:38:03+00:00 Kirill A. Shutemov kirill.shutemov@linux.intel.com 2018-07-26T23:37:35+00:00 bfd40eaff5abb9f62c8ef94ca13ed0d94a560f10 vma_is_anonymous() relies on ->vm_ops being NULL to detect anonymous VMA. This is unreliable as ->mmap may not set ->vm_ops. False-positive vma_is_anonymous() may lead to crashes: next ffff8801ce5e7040 prev ffff8801d20eca50 mm ffff88019c1e13c0 prot 27 anon_vma ffff88019680cdd8 vm_ops 0000000000000000 pgoff 0 file ffff8801b2ec2d00 private_data 0000000000000000 flags: 0xff(read|write|exec|shared|mayread|maywrite|mayexec|mayshare) ------------[ cut here ]------------ kernel BUG at mm/memory.c:1422! invalid opcode: 0000 [#1] SMP KASAN CPU: 0 PID: 18486 Comm: syz-executor3 Not tainted 4.18.0-rc3+ #136 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:zap_pmd_range mm/memory.c:1421 [inline] RIP: 0010:zap_pud_range mm/memory.c:1466 [inline] RIP: 0010:zap_p4d_range mm/memory.c:1487 [inline] RIP: 0010:unmap_page_range+0x1c18/0x2220 mm/memory.c:1508 Call Trace: unmap_single_vma+0x1a0/0x310 mm/memory.c:1553 zap_page_range_single+0x3cc/0x580 mm/memory.c:1644 unmap_mapping_range_vma mm/memory.c:2792 [inline] unmap_mapping_range_tree mm/memory.c:2813 [inline] unmap_mapping_pages+0x3a7/0x5b0 mm/memory.c:2845 unmap_mapping_range+0x48/0x60 mm/memory.c:2880 truncate_pagecache+0x54/0x90 mm/truncate.c:800 truncate_setsize+0x70/0xb0 mm/truncate.c:826 simple_setattr+0xe9/0x110 fs/libfs.c:409 notify_change+0xf13/0x10f0 fs/attr.c:335 do_truncate+0x1ac/0x2b0 fs/open.c:63 do_sys_ftruncate+0x492/0x560 fs/open.c:205 __do_sys_ftruncate fs/open.c:215 [inline] __se_sys_ftruncate fs/open.c:213 [inline] __x64_sys_ftruncate+0x59/0x80 fs/open.c:213 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Reproducer: #include <stdio.h> #include <stddef.h> #include <stdint.h> #include <stdlib.h> #include <string.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/ioctl.h> #include <sys/mman.h> #include <unistd.h> #include <fcntl.h> #define KCOV_INIT_TRACE _IOR('c', 1, unsigned long) #define KCOV_ENABLE _IO('c', 100) #define KCOV_DISABLE _IO('c', 101) #define COVER_SIZE (1024<<10) #define KCOV_TRACE_PC 0 #define KCOV_TRACE_CMP 1 int main(int argc, char **argv) { int fd; unsigned long *cover; system("mount -t debugfs none /sys/kernel/debug"); fd = open("/sys/kernel/debug/kcov", O_RDWR); ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE); cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long), PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); munmap(cover, COVER_SIZE * sizeof(unsigned long)); cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long), PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); memset(cover, 0, COVER_SIZE * sizeof(unsigned long)); ftruncate(fd, 3UL << 20); return 0; } This can be fixed by assigning anonymous VMAs own vm_ops and not relying on it being NULL. If ->mmap() failed to set ->vm_ops, mmap_region() will set it to dummy_vm_ops. This way we will have non-NULL ->vm_ops for all VMAs. Link: http://lkml.kernel.org/r/20180724121139.62570-4-kirill.shutemov@linux.intel.com Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com> Reported-by: syzbot+3f84280d52be9b7083cc@syzkaller.appspotmail.com Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: Andrew Morton <akpm@linux-foundation.org> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
vma_is_anonymous() relies on ->vm_ops being NULL to detect anonymous
VMA.  This is unreliable as ->mmap may not set ->vm_ops.

False-positive vma_is_anonymous() may lead to crashes:

	next ffff8801ce5e7040 prev ffff8801d20eca50 mm ffff88019c1e13c0
	prot 27 anon_vma ffff88019680cdd8 vm_ops 0000000000000000
	pgoff 0 file ffff8801b2ec2d00 private_data 0000000000000000
	flags: 0xff(read|write|exec|shared|mayread|maywrite|mayexec|mayshare)
	------------[ cut here ]------------
	kernel BUG at mm/memory.c:1422!
	invalid opcode: 0000 [#1] SMP KASAN
	CPU: 0 PID: 18486 Comm: syz-executor3 Not tainted 4.18.0-rc3+ #136
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
	01/01/2011
	RIP: 0010:zap_pmd_range mm/memory.c:1421 [inline]
	RIP: 0010:zap_pud_range mm/memory.c:1466 [inline]
	RIP: 0010:zap_p4d_range mm/memory.c:1487 [inline]
	RIP: 0010:unmap_page_range+0x1c18/0x2220 mm/memory.c:1508
	Call Trace:
	 unmap_single_vma+0x1a0/0x310 mm/memory.c:1553
	 zap_page_range_single+0x3cc/0x580 mm/memory.c:1644
	 unmap_mapping_range_vma mm/memory.c:2792 [inline]
	 unmap_mapping_range_tree mm/memory.c:2813 [inline]
	 unmap_mapping_pages+0x3a7/0x5b0 mm/memory.c:2845
	 unmap_mapping_range+0x48/0x60 mm/memory.c:2880
	 truncate_pagecache+0x54/0x90 mm/truncate.c:800
	 truncate_setsize+0x70/0xb0 mm/truncate.c:826
	 simple_setattr+0xe9/0x110 fs/libfs.c:409
	 notify_change+0xf13/0x10f0 fs/attr.c:335
	 do_truncate+0x1ac/0x2b0 fs/open.c:63
	 do_sys_ftruncate+0x492/0x560 fs/open.c:205
	 __do_sys_ftruncate fs/open.c:215 [inline]
	 __se_sys_ftruncate fs/open.c:213 [inline]
	 __x64_sys_ftruncate+0x59/0x80 fs/open.c:213
	 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
	 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Reproducer:

	#include <stdio.h>
	#include <stddef.h>
	#include <stdint.h>
	#include <stdlib.h>
	#include <string.h>
	#include <sys/types.h>
	#include <sys/stat.h>
	#include <sys/ioctl.h>
	#include <sys/mman.h>
	#include <unistd.h>
	#include <fcntl.h>

	#define KCOV_INIT_TRACE			_IOR('c', 1, unsigned long)
	#define KCOV_ENABLE			_IO('c', 100)
	#define KCOV_DISABLE			_IO('c', 101)
	#define COVER_SIZE			(1024<<10)

	#define KCOV_TRACE_PC  0
	#define KCOV_TRACE_CMP 1

	int main(int argc, char **argv)
	{
		int fd;
		unsigned long *cover;

		system("mount -t debugfs none /sys/kernel/debug");
		fd = open("/sys/kernel/debug/kcov", O_RDWR);
		ioctl(fd, KCOV_INIT_TRACE, COVER_SIZE);
		cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
				PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
		munmap(cover, COVER_SIZE * sizeof(unsigned long));
		cover = mmap(NULL, COVER_SIZE * sizeof(unsigned long),
				PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
		memset(cover, 0, COVER_SIZE * sizeof(unsigned long));
		ftruncate(fd, 3UL << 20);
		return 0;
	}

This can be fixed by assigning anonymous VMAs own vm_ops and not relying
on it being NULL.

If ->mmap() failed to set ->vm_ops, mmap_region() will set it to
dummy_vm_ops.  This way we will have non-NULL ->vm_ops for all VMAs.

Link: http://lkml.kernel.org/r/20180724121139.62570-4-kirill.shutemov@linux.intel.com
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: syzbot+3f84280d52be9b7083cc@syzkaller.appspotmail.com
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Merge tag 'imx-drm-fixes-2018-07-20' of git://git.pengutronix.de/git/pza/linux into drm-fixes 2018-07-27T02:17:31+00:00 Dave Airlie airlied@redhat.com 2018-07-27T02:16:34+00:00 050d2a5533af362932553cb47fd5db9a3476074e drm/imx: imx-drm ldb and ipu-v3 csi fixes - Disable the LVDS Display Bridge (LDB) on driver bind. This is necessary to guarantee correct LVDS signals in case the bootloader left the LVDS output active. - Remove false positive warning about disabled second LVDS channel in dual-channel mode. In this mode, the second LVDS channel can not be used separately. If the second channel is correctly described as disabled in the device tree, the driver warned about this anyway. - Fix the CSI confiuration to not only enable interlaced capture mode for V4L2_FIELD_SEQ_BT and V4L2_FIELD_SEQ_TB, but also for the V4L2_FIELD_ALTERNATE interlacing mode. Before, it incorrectly tried to capture progressive frames in that case. Signed-off-by: Dave Airlie <airlied@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/1532100423.3438.8.camel@pengutronix.de 
drm/imx: imx-drm ldb and ipu-v3 csi fixes

- Disable the LVDS Display Bridge (LDB) on driver bind. This is
  necessary to guarantee correct LVDS signals in case the bootloader
  left the LVDS output active.
- Remove false positive warning about disabled second LVDS channel in
  dual-channel mode. In this mode, the second LVDS channel can not be
  used separately. If the second channel is correctly described as
  disabled in the device tree, the driver warned about this anyway.
- Fix the CSI confiuration to not only enable interlaced capture mode
  for V4L2_FIELD_SEQ_BT and V4L2_FIELD_SEQ_TB, but also for the
  V4L2_FIELD_ALTERNATE interlacing mode. Before, it incorrectly tried
  to capture progressive frames in that case.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/1532100423.3438.8.camel@pengutronix.de