Alex Shi [Tue, 21 Jun 2016 03:22:43 +0000 (11:22 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Tue, 21 Jun 2016 03:14:16 +0000 (11:14 +0800)]
Merge branch 'v4.4/topic/coresight' into linux-linaro-lsk-v4.4
Mathieu Poirier [Thu, 26 May 2016 16:31:47 +0000 (10:31 -0600)]
cs-etm: associating output packet with CPU they executed on
This patch adds the required mechanic to quickly lookup the CPU number
associated with a traceID. That way the CPU that executed the code
conveyed by a decoded packet can be identified, without having to
do unecessary translations.
Using this new functionality the "cs-trace-disasm.py" script is
enhanced to output the file and CPU number the code has been
executed on:
FILE: /lib/aarch64-linux-gnu/ld-2.21.so CPU: 3
7fab57fd80:
910003e0 mov x0, sp
7fab57fd84:
94000d53 bl
7fab5832d0 <free@plt+0x3790>
FILE: /lib/aarch64-linux-gnu/ld-2.21.so CPU: 3
7fab5832d0:
d11203ff sub sp, sp, #0x480
FILE: /lib/aarch64-linux-gnu/ld-2.21.so CPU: 3
7fab5832d4:
a9ba7bfd stp x29, x30, [sp,#-96]!
7fab5832d8:
910003fd mov x29, sp
7fab5832dc:
a90363f7 stp x23, x24, [sp,#48]
7fab5832e0:
9101e3b7 add x23, x29, #0x78
7fab5832e4:
a90573fb stp x27, x28, [sp,#80]
7fab5832e8:
a90153f3 stp x19, x20, [sp,#16]
7fab5832ec:
aa0003fb mov x27, x0
7fab5832f0:
910a82e1 add x1, x23, #0x2a0
7fab5832f4:
a9025bf5 stp x21, x22, [sp,#32]
7fab5832f8:
a9046bf9 stp x25, x26, [sp,#64]
7fab5832fc:
910102e0 add x0, x23, #0x40
7fab583300:
f800841f str xzr, [x0],#8
7fab583304:
eb01001f cmp x0, x1
7fab583308:
54ffffc1 b.ne
7fab583300 <free@plt+0x37c0>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Fri, 20 May 2016 17:35:25 +0000 (11:35 -0600)]
cs-etm: removing unecessary structure field
Function cs_etm__sample() is called only from cs_etm__run_decoder() where
cs_etm_queue::have_sample is set to 'true'. As such checking the value of
the variable again in cs_etm__sample() is not needed.
Since the variable isn't used anywhere else, also removing it from the
structure definition.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Wed, 18 May 2016 18:58:26 +0000 (12:58 -0600)]
cs-etm: account for each trace buffer in the queue
Function cs_etm__get_trace() picks up a single buffer from the current
queue. As such when multiple buffers are present in the queue several
iteration of the fetch-decode block need to be run in order to process
all the trace data.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Mon, 16 May 2016 22:55:55 +0000 (16:55 -0600)]
cs-etm: avoid casting variable
Because of two's complement reprensentation, casting an int to
and unsigned value doesn't simply get rid of the negative sign.
As such a value of -1 becomes 0xFFFFFFFF, which is clearly not
the desired effect.
This patch deals with cases when @cpu has the value of -1. In
those cases queue '0' is initially selected.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Tue, 3 May 2016 19:45:28 +0000 (13:45 -0600)]
perf tools: fixing Makefile problems
This patch is fixing the ifeq condition to get the debug or release
version of the openCSD libraries. It also fix a naming typo when
release libraries are southg.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Tue, 3 May 2016 19:26:08 +0000 (13:26 -0600)]
perf tools: new naming convention for openCSD
The naming convention for the openCSD API and header files
was changed so that using it was easier. Headers went from
"rctdl_xyz.h" to "opencsd_xyz.h" while internal symbol from
"rctdl_" to "ocsd_".
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
tor-jeremiassen [Wed, 17 Feb 2016 16:58:21 +0000 (10:58 -0600)]
perf scripts: Add python scripts for CoreSight traces
Example scripts for CoreSight trace processing with perf script.
Signed-off-by: Tor Jeremiassen <tor@ti.com>
tor-jeremiassen [Tue, 9 Feb 2016 16:34:51 +0000 (10:34 -0600)]
perf tools: decoding capailitity for CoreSight traces
Added user space perf functionality for CoreSight trace decoding.
tor-jeremiassen [Wed, 17 Feb 2016 14:29:21 +0000 (08:29 -0600)]
perf symbols: Check before overwriting build_id
Added check to see if has_build_id is set before overwriting build_id.
Signed-off-by: Tor Jeremiassen <tor@ti.com>
Mathieu Poirier [Fri, 29 Apr 2016 22:04:48 +0000 (22:04 +0000)]
perf tools: pushing driver configuration down to the kernel
Now that PMU specific driver configuration are queued in
evsel::drv_config_terms, all we need to do is re-use the current
ioctl() mechanism to push down the information to the kernel
driver.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Fri, 29 Apr 2016 21:21:11 +0000 (21:21 +0000)]
perf tools: add infrastructure for PMU specific configuration
This patchset adds PMU driver specific configuration to the parser
infrastructure by preceding any term with the '@' letter. As such
doing something like:
perf -e some_event/@drv1,@drv2=drv_config/ ...
will see 'drv1' and 'drv2=config' being added to the list of evsel config
terms. Token 'drv1' and 'drv2=config' are not processed in user space
and are meant to be interpreted by the PMU driver.
First the lexer/parser are supplemented with the required definitions to
recognise the driver specific configuration. From there they are simply
added to the list of event terms. The bulk of the work is done in
function "parse_events_add_pmu()" where driver config event terms are
added to a new list of driver config terms, which in turn spliced with
the event's new driver configuration list.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Fri, 29 Apr 2016 19:29:12 +0000 (13:29 -0600)]
coresight: etm-perf: incorporating sink definition from the cmd line
Now that PMU specific configuration is available as part of the event,
lookup the sink identified by users from the perf command line and build
a path from source to sink.
With this functionality it is no longer required to select a sink in a
separate step (from sysFS) before a perf trace session can be started.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Fri, 29 Apr 2016 19:22:59 +0000 (13:22 -0600)]
coresight: adding sink parameter to function coresight_build_path()
Up to now function coresight_build_path() was counting on a sink to
have been selected (from sysFS) prior to being called. This patch
adds a string argument so that a sink matching the argument can be
selected.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Thu, 28 Apr 2016 22:26:25 +0000 (16:26 -0600)]
perf: passing struct perf_event to function setup_aux()
Some information, like driver specific configuration, is found
in the perf event structure. As such pass a 'struct perf_event'
to function setup_aux() rather than just the CPU number so that
individual drivers can make the right configuration when setting
up a session.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Tue, 31 May 2016 22:32:55 +0000 (16:32 -0600)]
perf/core: adding PMU driver specific configuration
It is entirely possible that some PMUs need specific configuration
that is currently not found in the perf options before a session
can be setup.
It is the case for the CoreSight PMU where a sink needs to be
provided. That sink doesn't fall in any of the current perf
options.
As such this patch adds the capability to receive driver
specific configuration using the existing ioctl() mechanism.
Once the configuration has been pushed down the kernel PMU
callbacks are used to deal with the information sent from user
space.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Fri, 11 Sep 2015 20:43:39 +0000 (20:43 +0000)]
perf tools: adding coresight etm PMU record capabilities
Coresight ETMs are IP blocks used to perform HW assisted tracing
on a CPU core. This patch introduce the required auxiliary API
functions allowing the perf core to interact with a tracer.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Tue, 20 Oct 2015 16:18:53 +0000 (16:18 +0000)]
perf tools: making coresight PMU listable
Adding the required mechanic allowing 'perf list pmu' to
discover coresight ETM/PTM tracers.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Thu, 10 Dec 2015 18:36:15 +0000 (11:36 -0700)]
coresight: tmc: implementing TMC-ETR AUX space API
This patch implement the AUX area interfaces required to
use the TMC (configured as an ETR) from the Perf sub-system.
The ETR is configured to work with contiguous memory only.
Although not optimal, it allows the IP block to be used
while the scatter-gather mode of operation is being worked
on.
The heuristic is heavily borrowed from the ETB10 and TMC-ETF
implementation.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Mathieu Poirier [Sun, 18 Oct 2015 22:50:48 +0000 (16:50 -0600)]
coresight: Add support for Juno platform
This patch adds support for ARM's juno platform. More
specifically it has definitions for the A53/57 tracers,
the A53/57 cluster funnels, the main funnel and the ETF
in circular buffer mode.
Support for all the other coresight IP blocks is not
addressed.
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Suzuki K Poulose [Fri, 6 May 2016 14:35:50 +0000 (15:35 +0100)]
coresight: Handle build path error
Enabling a component via sysfs (echo 1 > enable_source), would
trigger building a path from the enabled sources to the sink.
If there is an error in the process (e.g, sink not enabled or
the device (CPU corresponding to ETM) is not online), we never report
failure, except for leaving a message in the dmesg.
Do proper error checking for the build path and return the error.
Before:
$ echo 0 > /sys/devices/system/cpu/cpu2/online
$ echo 1 > /sys/devices/cs_etm/cpu2/enable_source
$ echo $?
0
After:
$ echo 0 > /sys/devices/system/cpu/cpu2/online
$ echo 1 > /sys/devices/cs_etm/cpu2/enable_source
-bash: echo: write error: No such device or address
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Acked-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
5014e904681ddbdf663bb20f134eb053ddccb181)
Suzuki K Poulose [Tue, 14 Jun 2016 17:17:14 +0000 (11:17 -0600)]
coresight: Fix erroneous memset in tmc_read_unprepare_etr
At the end of a trace collection, we try to clear the entire buffer
and enable the ETR back if it was already enabled. But, we would have
adjusted the drvdata->buf to point to the beginning of the trace data
in the trace buffer @drvdata->vaddr. So, the following code which
clears the buffer is dangerous and can cause crashes, like below :
memset(drvdata->buf, 0, drvdata->size);
Unable to handle kernel paging request at virtual address
ffffff800a145000
pgd =
ffffffc974726000
*pgd=
00000009f3e91003, *pud=
00000009f3e91003, *pmd=
0000000000000000
PREEMPT SMP
Modules linked in:
CPU: 4 PID: 1692 Comm: dd Not tainted 4.7.0-rc2+ #1721
Hardware name: ARM Juno development board (r0) (DT)
task:
ffffffc9734a0080 ti:
ffffffc974460000 task.ti:
ffffffc974460000
PC is at __memset+0x1ac/0x200
LR is at tmc_read_unprepare_etr+0x144/0x1bc
pc : [<
ffffff80083a05ac>] lr : [<
ffffff800859c984>] pstate:
200001c5
...
[<
ffffff80083a05ac>] __memset+0x1ac/0x200
[<
ffffff800859b2e4>] tmc_release+0x90/0x94
[<
ffffff8008202f58>] __fput+0xa8/0x1ec
[<
ffffff80082030f4>] ____fput+0xc/0x14
[<
ffffff80080c3ef8>] task_work_run+0xb0/0xe4
[<
ffffff8008088bf4>] do_notify_resume+0x64/0x6c
[<
ffffff8008084d5c>] work_pending+0x10/0x14
Code:
91010108 54ffff4a 8b040108 cb050042 (
d50b7428)
Since we clear the buffer anyway in the following call to
tmc_etr_enable_hw(), remove the erroneous memset().
Fixes: commit de5461970b3e9e1 ("coresight: tmc: allocating memory when needed")
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
f3b8172fe15fbed0d0d33d99780e122213e00684)
Suzuki K Poulose [Tue, 14 Jun 2016 17:17:13 +0000 (11:17 -0600)]
coresight: Fix tmc_read_unprepare_etr
At the end of the trace capture, we free the allocated memory,
resetting the drvdata->buf to NULL, to indicate that trace data
was collected and the next trace session should allocate the
memory in tmc_enable_etr_sink_sysfs.
The tmc_enable_etr_sink_sysfs, we only allocate memory if drvdata->vaddr
is not NULL (which is not performed at the end of previous session).
This can cause, drvdata->vaddr getting assigned NULL and later we do
memset() which causes a crash as below :
Unable to handle kernel NULL pointer dereference at virtual
address
00000000
pgd =
ffffffc9747f0000
[
00000000] *pgd=
00000009f402e003, *pud=
00000009f402e003,
*pmd=
0000000000000000
Internal error: Oops:
96000046 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 1592 Comm: bash Not tainted 4.7.0-rc1+ #1712
Hardware name: ARM Juno development board (r0) (DT)
task:
ffffffc078fe0080 ti:
ffffffc974178000 task.ti:
ffffffc974178000
PC is at __memset+0x1ac/0x200
LR is at tmc_enable_etr_sink+0xf8/0x304
pc : [<
ffffff80083a002c>] lr : [<
ffffff800859be44>] pstate:
400001c5
sp :
ffffffc97417bc00
x29:
ffffffc97417bc00 x28:
ffffffc974178000
Call trace:
Exception stack(0xffffffc97417ba40 to 0xffffffc97417bb60)
ba40:
0000000000000001 ffffffc974a5d098 ffffffc97417bc00 ffffff80083a002c
ba60:
ffffffc974a5d118 0000000000000000 0000000000000000 0000000000000000
ba80:
0000000000000001 0000000000000000 ffffff800859bdec 0000000000000040
baa0:
ffffff8008b45b58 00000000000001c0 ffffffc97417baf0 ffffff80080eddb4
bac0:
0000000000000003 ffffffc078fe0080 ffffffc078fe0960 ffffffc078fe0940
bae0:
0000000000000000 0000000000000000 00000000007fffc0 0000000000000004
bb00:
0000000000000000 0000000000000040 000000000000003f 0000000000000000
bb20:
0000000000000000 0000000000000000 0000000000000000 0000000000000001
bb40:
ffffffc078fe0960 0000000000000018 ffffffffffffffff 0008669628000000
[<
ffffff80083a002c>] __memset+0x1ac/0x200
[<
ffffff8008599814>] coresight_enable_path+0xa8/0x1dc
[<
ffffff8008599b10>] coresight_enable+0x88/0x1b8
[<
ffffff8008599d88>] enable_source_store+0x3c/0x6c
[<
ffffff800845eaf4>] dev_attr_store+0x18/0x28
[<
ffffff80082829e8>] sysfs_kf_write+0x54/0x64
[<
ffffff8008281c30>] kernfs_fop_write+0x148/0x1d8
[<
ffffff8008200128>] __vfs_write+0x28/0x110
[<
ffffff8008200e88>] vfs_write+0xa0/0x198
[<
ffffff80082021b0>] SyS_write+0x44/0xa0
[<
ffffff8008084e70>] el0_svc_naked+0x24/0x28
Code:
91010108 54ffff4a 8b040108 cb050042 (
d50b7428)
This patch fixes the issue by clearing the drvdata->vaddr while we free
the allocated buffer at the end of a session, so that we allocate the
memory again.
Cc: mathieu.poirier@linaro.org
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
8e215298a15d5b93c6fa22895c406da538769bca)
Suzuki K Poulose [Tue, 14 Jun 2016 17:17:12 +0000 (11:17 -0600)]
coresight: Fix NULL pointer dereference in _coresight_build_path
_coresight_build_path assumes that all the connections of a csdev
has the child_dev initialised. This may not be true if the particular
component is not supported by the kernel config(e.g TPIU) but is
present in the DT. In which case, building a path can cause a crash like this :
Unable to handle kernel NULL pointer dereference at virtual address
00000010
pgd =
ffffffc9750dd000
[
00000010] *pgd=
00000009f5e90003, *pud=
00000009f5e90003, *pmd=
0000000000000000
Internal error: Oops:
96000006 [#1] PREEMPT SMP
Modules linked in:
CPU: 4 PID: 1348 Comm: bash Not tainted 4.6.0-next-
20160517 #1646
Hardware name: ARM Juno development board (r0) (DT)
task:
ffffffc97517a280 ti:
ffffffc9762c4000 task.ti:
ffffffc9762c4000
PC is at _coresight_build_path+0x18/0xe4
LR is at _coresight_build_path+0xc0/0xe4
pc : [<
ffffff80083d5130>] lr : [<
ffffff80083d51d8>] pstate:
20000145
sp :
ffffffc9762c7ba0
[<
ffffff80083d5130>] _coresight_build_path+0x18/0xe4
[<
ffffff80083d51d8>] _coresight_build_path+0xc0/0xe4
[<
ffffff80083d51d8>] _coresight_build_path+0xc0/0xe4
[<
ffffff80083d51d8>] _coresight_build_path+0xc0/0xe4
[<
ffffff80083d51d8>] _coresight_build_path+0xc0/0xe4
[<
ffffff80083d51d8>] _coresight_build_path+0xc0/0xe4
[<
ffffff80083d5cdc>] coresight_build_path+0x40/0x68
[<
ffffff80083d5e14>] coresight_enable+0x74/0x1bc
[<
ffffff80083d60a0>] enable_source_store+0x3c/0x6c
[<
ffffff800830b17c>] dev_attr_store+0x18/0x28
[<
ffffff80081ca9c4>] sysfs_kf_write+0x40/0x50
[<
ffffff80081c9e38>] kernfs_fop_write+0x140/0x1cc
[<
ffffff8008163ec8>] __vfs_write+0x28/0x110
[<
ffffff8008164bf0>] vfs_write+0xa0/0x174
[<
ffffff8008165d18>] SyS_write+0x44/0xa0
[<
ffffff8008084e70>] el0_svc_naked+0x24/0x28
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
ec48a1d981fe90ecb5bcfaaf1ae2c69d842cbbbc)
Sami Tolvanen [Fri, 3 Jun 2016 21:22:46 +0000 (14:22 -0700)]
ANDROID: dm verity fec: add missing release from fec_ktype
Add a release function to allow destroying the dm-verity device.
Bug:
27928374
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Change-Id: Ic0f7c17e4889c5580d70b52d9a709a37165a5747
(cherry picked from commit
0039ccf47c8f99888f7b71b2a36a68a027fbe357)
Sami Tolvanen [Fri, 3 Jun 2016 21:06:14 +0000 (14:06 -0700)]
ANDROID: dm verity fec: limit error correction recursion
If verity tree itself is sufficiently corrupted in addition to data
blocks, it's possible for error correction to end up in a deep recursive
error correction loop that eventually causes a kernel panic as follows:
[ 14.728962] [<
ffffffc0008c1a14>] verity_fec_decode+0xa8/0x138
[ 14.734691] [<
ffffffc0008c3ee0>] verity_verify_level+0x11c/0x180
[ 14.740681] [<
ffffffc0008c482c>] verity_hash_for_block+0x88/0xe0
[ 14.746671] [<
ffffffc0008c1508>] fec_decode_rsb+0x318/0x75c
[ 14.752226] [<
ffffffc0008c1a14>] verity_fec_decode+0xa8/0x138
[ 14.757956] [<
ffffffc0008c3ee0>] verity_verify_level+0x11c/0x180
[ 14.763944] [<
ffffffc0008c482c>] verity_hash_for_block+0x88/0xe0
This change limits the recursion to a reasonable level during a single
I/O operation.
Bug:
28943429
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Change-Id: I0a7ebff331d259c59a5e03c81918cc1613c3a766
(cherry picked from commit
f4b9e40597e73942d2286a73463c55f26f61bfa7)
Jeff Vander Stoep [Wed, 1 Jun 2016 20:44:47 +0000 (13:44 -0700)]
ANDROID: restrict access to perf events
Add:
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
to android-base.cfg
The kernel.perf_event_paranoid sysctl is set to 3 by default.
No unprivileged use of the perf_event_open syscall will be
permitted unless it is changed.
Bug:
29054680
Change-Id: Ie7512259150e146d8e382dc64d40e8faaa438917
Jeff Vander Stoep [Sun, 29 May 2016 21:22:32 +0000 (14:22 -0700)]
FROMLIST: security,perf: Allow further restriction of perf_event_open
When kernel.perf_event_open is set to 3 (or greater), disallow all
access to performance events by users without CAP_SYS_ADMIN.
Add a Kconfig symbol CONFIG_SECURITY_PERF_EVENTS_RESTRICT that
makes this value the default.
This is based on a similar feature in grsecurity
(CONFIG_GRKERNSEC_PERF_HARDEN). This version doesn't include making
the variable read-only. It also allows enabling further restriction
at run-time regardless of whether the default is changed.
https://lkml.org/lkml/2016/1/11/587
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Bug:
29054680
Change-Id: Iff5bff4fc1042e85866df9faa01bce8d04335ab8
Ben Hutchings [Tue, 19 Jan 2016 21:35:15 +0000 (21:35 +0000)]
BACKPORT: perf tools: Document the perf sysctls
perf_event_paranoid was only documented in source code and a perf error
message. Copy the documentation from the error message to
Documentation/sysctl/kernel.txt.
perf_cpu_time_max_percent was already documented but missing from the
list at the top, so add it there.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: linux-doc@vger.kernel.org
Link: http://lkml.kernel.org/r/20160119213515.GG2637@decadent.org.uk
[ Remove reference to external Documentation file, provide info inline, as before ]
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Bug:
29054680
Change-Id: I13e73cfb2ad761c94762d0c8196df7725abdf5c5
Amit Pundir [Thu, 26 May 2016 07:28:21 +0000 (12:58 +0530)]
Revert "armv6 dcc tty driver"
This reverts commit
97312429c2bef1bf8055d01b35cf12028f60ef62.
Drop AOSP's "armv6 dcc tty driver" in favor of upstream DCC driver for
ARMv6/v7
16c63f8ea49c (drivers: char: hvc: add arm JTAG DCC console
support) and for ARMv8
4cad4c57e0b3 (ARM64: TTY: hvc_dcc: Add support
for ARM64 dcc).
Change-Id: I0ca651ef2d854fff03cee070524fe1e3971b6d8f
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Amit Pundir [Thu, 26 May 2016 07:27:56 +0000 (12:57 +0530)]
Revert "arm: dcc_tty: fix armv6 dcc tty build failure"
This reverts commit
dfc1d4be88597141f5ad9d39908c13944d209009.
Drop AOSP's "armv6 dcc tty driver" in favor of upstream DCC driver for
ARMv6/v7
16c63f8ea49c (drivers: char: hvc: add arm JTAG DCC console
support) and for ARMv8
4cad4c57e0b3 (ARM64: TTY: hvc_dcc: Add support
for ARM64 dcc).
Change-Id: I8110a4fd649b8ac1ec9bfac00255c1214135e4b2
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Dmitry Shmidt [Tue, 24 May 2016 21:41:57 +0000 (14:41 -0700)]
ARM64: Ignore Image-dtb from git point of view
Change-Id: I5bbf1db90f28ea956383b4a5d91ad508eea656dc
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Haojian Zhuang [Fri, 22 Apr 2016 09:23:29 +0000 (17:23 +0800)]
arm64: add option to build Image-dtb
Some bootloaders couldn't decompress Image.gz-dtb.
Change-Id: I698cd0c4ee6894e8d0655d88f3ecf4826c28a645
Signed-off-by: Haojian Zhuang <haojian.zhuang@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
Winter Wang [Fri, 20 May 2016 03:05:00 +0000 (11:05 +0800)]
ANDROID: usb: gadget: f_midi: set fi->f to NULL when free f_midi function
fi->f is set in f_midi's alloc_func, need to clean this to
NULL in free_func, otherwise on ConfigFS's function switch,
midi->usb_function it self is freed, fi->f will be a wild
pointer and run into below kernel panic:
---------------
[ 58.950628] Unable to handle kernel paging request at virtual address
63697664
[ 58.957869] pgd =
c0004000
[ 58.960583] [
63697664] *pgd=
00000000
[ 58.964185] Internal error: Oops:
80000005 [#1] PREEMPT SMP ARM
[ 58.970111] Modules linked in:
[ 58.973191] CPU: 0 PID: 0 Comm: swapper/0 Not tainted
4.1.15-03504-g34c857c-dirty #89
[ 58.981024] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[ 58.987557] task:
c110bd70 ti:
c1100000 task.ti:
c1100000
[ 58.992962] PC is at 0x63697664
[ 58.996120] LR is at android_setup+0x78/0x138
<..snip..>
[ 60.044980] 1fc0:
ffffffff ffffffff c1000684 00000000 00000000 c108ecd0 c11f7294 c11039c0
[ 60.053181] 1fe0:
c108eccc c110d148 1000406a 412fc09a 00000000 1000807c 00000000 00000000
[ 60.061420] [<
c073b1fc>] (android_setup) from [<
c0730490>] (udc_irq+0x758/0x1034)
[ 60.068951] [<
c0730490>] (udc_irq) from [<
c017c650>] (handle_irq_event_percpu+0x50/0x254)
[ 60.077165] [<
c017c650>] (handle_irq_event_percpu) from [<
c017c890>] (handle_irq_event+0x3c/0x5c)
[ 60.086072] [<
c017c890>] (handle_irq_event) from [<
c017f3ec>] (handle_fasteoi_irq+0xe0/0x198)
[ 60.094630] [<
c017f3ec>] (handle_fasteoi_irq) from [<
c017bcfc>] (generic_handle_irq+0x2c/0x3c)
[ 60.103271] [<
c017bcfc>] (generic_handle_irq) from [<
c017bfb8>] (__handle_domain_irq+0x7c/0xec)
[ 60.112000] [<
c017bfb8>] (__handle_domain_irq) from [<
c0101450>] (gic_handle_irq+0x24/0x5c)
--------------
Signed-off-by: Winter Wang <wente.wang@nxp.com>
Alex Shi [Tue, 14 Jun 2016 09:08:03 +0000 (17:08 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Tue, 14 Jun 2016 09:07:59 +0000 (17:07 +0800)]
Merge tag 'v4.4.13' into linux-linaro-lsk-v4.4
This is the 4.4.13 stable release
Greg Kroah-Hartman [Wed, 8 Jun 2016 01:14:51 +0000 (18:14 -0700)]
Linux 4.4.13
Dave Chinner [Mon, 11 Jan 2016 20:04:01 +0000 (07:04 +1100)]
xfs: handle dquot buffer readahead in log recovery correctly
commit
7d6a13f023567d573ac362502bb702eda716e654 upstream.
When we do dquot readahead in log recovery, we do not use a verifier
as the underlying buffer may not have dquots in it. e.g. the
allocation operation hasn't yet been replayed. Hence we do not want
to fail recovery because we detect an operation to be replayed has
not been run yet. This problem was addressed for inodes in commit
d891400 ("xfs: inode buffers may not be valid during recovery
readahead") but the problem was not recognised to exist for dquots
and their buffers as the dquot readahead did not have a verifier.
The result of not using a verifier is that when the buffer is then
next read to replay a dquot modification, the dquot buffer verifier
will only be attached to the buffer if *readahead is not complete*.
Hence we can read the buffer, replay the dquot changes and then add
it to the delwri submission list without it having a verifier
attached to it. This then generates warnings in xfs_buf_ioapply(),
which catches and warns about this case.
Fix this and make it handle the same readahead verifier error cases
as for inode buffers by adding a new readahead verifier that has a
write operation as well as a read operation that marks the buffer as
not done if any corruption is detected. Also make sure we don't run
readahead if the dquot buffer has been marked as cancelled by
recovery.
This will result in readahead either succeeding and the buffer
having a valid write verifier, or readahead failing and the buffer
state requiring the subsequent read to resubmit the IO with the new
verifier. In either case, this will result in the buffer always
ending up with a valid write verifier on it.
Note: we also need to fix the inode buffer readahead error handling
to mark the buffer with EIO. Brian noticed the code I copied from
there wrong during review, so fix it at the same time. Add comments
linking the two functions that handle readahead verifier errors
together so we don't forget this behavioural link in future.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Sandeen [Mon, 4 Jan 2016 05:10:19 +0000 (16:10 +1100)]
xfs: print name of verifier if it fails
commit
233135b763db7c64d07b728a9c66745fb0376275 upstream.
This adds a name to each buf_ops structure, so that if
a verifier fails we can print the type of verifier that
failed it. Should be a slight debugging aid, I hope.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Cc: Holger Hoffstätte <holger@applied-asynchrony.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Chinner [Wed, 18 May 2016 03:54:23 +0000 (13:54 +1000)]
xfs: skip stale inodes in xfs_iflush_cluster
commit
7d3aa7fe970791f1a674b14572a411accf2f4d4e upstream.
We don't write back stale inodes so we should skip them in
xfs_iflush_cluster, too.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Chinner [Wed, 18 May 2016 03:54:22 +0000 (13:54 +1000)]
xfs: fix inode validity check in xfs_iflush_cluster
commit
51b07f30a71c27405259a0248206ed4e22adbee2 upstream.
Some careless idiot(*) wrote crap code in commit
1a3e8f3 ("xfs:
convert inode cache lookups to use RCU locking") back in late 2010,
and so xfs_iflush_cluster checks the wrong inode for whether it is
still valid under RCU protection. Fix it to lock and check the
correct inode.
(*) Careless-idiot: Dave Chinner <dchinner@redhat.com>
Discovered-by: Brain Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Chinner [Wed, 18 May 2016 03:53:42 +0000 (13:53 +1000)]
xfs: xfs_iflush_cluster fails to abort on error
commit
b1438f477934f5a4d5a44df26f3079a7575d5946 upstream.
When a failure due to an inode buffer occurs, the error handling
fails to abort the inode writeback correctly. This can result in the
inode being reclaimed whilst still in the AIL, leading to
use-after-free situations as well as filesystems that cannot be
unmounted as the inode log items left in the AIL never get removed.
Fix this by ensuring fatal errors from xfs_imap_to_bp() result in
the inode flush being aborted correctly.
Reported-by: Shyam Kaushik <shyam@zadarastorage.com>
Diagnosed-by: Shyam Kaushik <shyam@zadarastorage.com>
Tested-by: Shyam Kaushik <shyam@zadarastorage.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Chinner [Tue, 5 Apr 2016 21:06:20 +0000 (07:06 +1000)]
xfs: Don't wrap growfs AGFL indexes
commit
ad747e3b299671e1a53db74963cc6c5f6cdb9f6d upstream.
Commit
96f859d ("libxfs: pack the agfl header structure so
XFS_AGFL_SIZE is correct") allowed the freelist to use the empty
slot at the end of the freelist on 64 bit systems that was not
being used due to sizeof() rounding up the structure size.
This has caused versions of xfs_repair prior to 4.5.0 (which also
has the fix) to report this as a corruption once the filesystem has
been grown. Older kernels can also have problems (seen from a whacky
container/vm management environment) mounting filesystems grown on a
system with a newer kernel than the vm/container it is deployed on.
To avoid this problem, change the initial free list indexes not to
wrap across the end of the AGFL, hence avoiding the initialisation
of agf_fllast to the last index in the AGFL.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Sandeen [Tue, 5 Apr 2016 21:05:41 +0000 (07:05 +1000)]
xfs: disallow rw remount on fs with unknown ro-compat features
commit
d0a58e833931234c44e515b5b8bede32bd4e6eed upstream.
Today, a kernel which refuses to mount a filesystem read-write
due to unknown ro-compat features can still transition to read-write
via the remount path. The old kernel is most likely none the wiser,
because it's unaware of the new feature, and isn't using it. However,
writing to the filesystem may well corrupt metadata related to that
new feature, and moving to a newer kernel which understand the feature
will have problems.
Right now the only ro-compat feature we have is the free inode btree,
which showed up in v3.16. It would be good to push this back to
all the active stable kernels, I think, so that if anyone is using
newer mkfs (which enables the finobt feature) with older kernel
releases, they'll be protected.
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Bill O'Donnell <billodo@redhat.com>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Arnd Bergmann [Mon, 25 Apr 2016 15:35:30 +0000 (17:35 +0200)]
gcov: disable tree-loop-im to reduce stack usage
commit
c87bf431448b404a6ef5fbabd74c0e3e42157a7f upstream.
Enabling CONFIG_GCOV_PROFILE_ALL produces us a lot of warnings like
lib/lz4/lz4hc_compress.c: In function 'lz4_compresshcctx':
lib/lz4/lz4hc_compress.c:514:1: warning: the frame size of 1504 bytes is larger than 1024 bytes [-Wframe-larger-than=]
After some investigation, I found that this behavior started with gcc-4.9,
and opened https://gcc.gnu.org/bugzilla/show_bug.cgi?id=69702.
A suggested workaround for it is to use the -fno-tree-loop-im
flag that turns off one of the optimization stages in gcc, so the
code runs a little slower but does not use excessive amounts
of stack.
We could make this conditional on the gcc version, but I could not
find an easy way to do this in Kbuild and the benefit would be
fairly small, given that most of the gcc version in production are
affected now.
I'm marking this for 'stable' backports because it addresses a bug
with code generation in gcc that exists in all kernel versions
with the affected gcc releases.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Peter Oberparleiter <oberpar@linux.vnet.ibm.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Srinivas Pandruvada [Sun, 15 May 2016 03:09:52 +0000 (20:09 -0700)]
scripts/package/Makefile: rpmbuild add support of RPMOPTS
commit
65a9f31c5042e5bb50d30ed8ae374044be561054 upstream.
After commit
21a59991ce0c ("scripts/package/Makefile: rpmbuild is needed
for rpm targets"), it is no longer possible to specify RPMOPTS.
For example, we can no longer able to control _topdir using the following
make command.
make RPMOPTS="--define '_topdir /home/xyz/workspace/'" binrpm-pkg
Fixes: 21a59991ce0c ("scripts/package/Makefile: rpmbuild is needed for rpm targets")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Michal Marek <mmarek@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ville Syrjälä [Thu, 26 May 2016 22:16:25 +0000 (15:16 -0700)]
dma-debug: avoid spinlock recursion when disabling dma-debug
commit
3017cd63f26fc655d56875aaf497153ba60e9edf upstream.
With netconsole (at least) the pr_err("... disablingn") call can
recurse back into the dma-debug code, where it'll try to grab
free_entries_lock again. Avoid the problem by doing the printk after
dropping the lock.
Link: http://lkml.kernel.org/r/1463678421-18683-1-git-send-email-ville.syrjala@linux.intel.com
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rafael J. Wysocki [Fri, 20 May 2016 21:09:49 +0000 (23:09 +0200)]
PM / sleep: Handle failures in device_suspend_late() consistently
commit
3a17fb329da68cb00558721aff876a80bba2fdb9 upstream.
Grygorii Strashko reports:
The PM runtime will be left disabled for the device if its
.suspend_late() callback fails and async suspend is not allowed
for this device. In this case device will not be added in
dpm_late_early_list and dpm_resume_early() will ignore this
device, as result PM runtime will be disabled for it forever
(side effect: after 8 subsequent failures for the same device
the PM runtime will be reenabled due to disable_depth overflow).
To fix this problem, add devices to dpm_late_early_list regardless
of whether or not device_suspend_late() returns errors for them.
That will ensure failures in there to be handled consistently for
all devices regardless of their async suspend/resume status.
Reported-by: Grygorii Strashko <grygorii.strashko@ti.com>
Tested-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicolai Stange [Thu, 5 May 2016 23:46:19 +0000 (19:46 -0400)]
ext4: silence UBSAN in ext4_mb_init()
commit
935244cd54b86ca46e69bc6604d2adfb1aec2d42 upstream.
Currently, in ext4_mb_init(), there's a loop like the following:
do {
...
offset += 1 << (sb->s_blocksize_bits - i);
i++;
} while (i <= sb->s_blocksize_bits + 1);
Note that the updated offset is used in the loop's next iteration only.
However, at the last iteration, that is at i == sb->s_blocksize_bits + 1,
the shift count becomes equal to (unsigned)-1 > 31 (c.f. C99 6.5.7(3))
and UBSAN reports
UBSAN: Undefined behaviour in fs/ext4/mballoc.c:2621:15
shift exponent
4294967295 is too large for 32-bit type 'int'
[...]
Call Trace:
[<
ffffffff818c4d25>] dump_stack+0xbc/0x117
[<
ffffffff818c4c69>] ? _atomic_dec_and_lock+0x169/0x169
[<
ffffffff819411ab>] ubsan_epilogue+0xd/0x4e
[<
ffffffff81941cac>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
[<
ffffffff81941ab1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
[<
ffffffff814b6dc1>] ? kmem_cache_alloc+0x101/0x390
[<
ffffffff816fc13b>] ? ext4_mb_init+0x13b/0xfd0
[<
ffffffff814293c7>] ? create_cache+0x57/0x1f0
[<
ffffffff8142948a>] ? create_cache+0x11a/0x1f0
[<
ffffffff821c2168>] ? mutex_lock+0x38/0x60
[<
ffffffff821c23ab>] ? mutex_unlock+0x1b/0x50
[<
ffffffff814c26ab>] ? put_online_mems+0x5b/0xc0
[<
ffffffff81429677>] ? kmem_cache_create+0x117/0x2c0
[<
ffffffff816fcc49>] ext4_mb_init+0xc49/0xfd0
[...]
Observe that the mentioned shift exponent,
4294967295, equals (unsigned)-1.
Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of offset is never used again.
Silence UBSAN by introducing another variable, offset_incr, holding the
next increment to apply to offset and adjust that one by right shifting it
by one position per loop iteration.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nicolai Stange [Thu, 5 May 2016 21:38:03 +0000 (17:38 -0400)]
ext4: address UBSAN warning in mb_find_order_for_block()
commit
b5cb316cdf3a3f5f6125412b0f6065185240cfdc upstream.
Currently, in mb_find_order_for_block(), there's a loop like the following:
while (order <= e4b->bd_blkbits + 1) {
...
bb += 1 << (e4b->bd_blkbits - order);
}
Note that the updated bb is used in the loop's next iteration only.
However, at the last iteration, that is at order == e4b->bd_blkbits + 1,
the shift count becomes negative (c.f. C99 6.5.7(3)) and UBSAN reports
UBSAN: Undefined behaviour in fs/ext4/mballoc.c:1281:11
shift exponent -1 is negative
[...]
Call Trace:
[<
ffffffff818c4d35>] dump_stack+0xbc/0x117
[<
ffffffff818c4c79>] ? _atomic_dec_and_lock+0x169/0x169
[<
ffffffff819411bb>] ubsan_epilogue+0xd/0x4e
[<
ffffffff81941cbc>] __ubsan_handle_shift_out_of_bounds+0x1fb/0x254
[<
ffffffff81941ac1>] ? __ubsan_handle_load_invalid_value+0x158/0x158
[<
ffffffff816e93a0>] ? ext4_mb_generate_from_pa+0x590/0x590
[<
ffffffff816502c8>] ? ext4_read_block_bitmap_nowait+0x598/0xe80
[<
ffffffff816e7b7e>] mb_find_order_for_block+0x1ce/0x240
[...]
Unless compilers start to do some fancy transformations (which at least
GCC 6.0.0 doesn't currently do), the issue is of cosmetic nature only: the
such calculated value of bb is never used again.
Silence UBSAN by introducing another variable, bb_incr, holding the next
increment to apply to bb and adjust that one by right shifting it by one
position per loop iteration.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=114701
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112161
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Kara [Thu, 5 May 2016 15:10:15 +0000 (11:10 -0400)]
ext4: fix oops on corrupted filesystem
commit
74177f55b70e2f2be770dd28684dd6d17106a4ba upstream.
When filesystem is corrupted in the right way, it can happen
ext4_mark_iloc_dirty() in ext4_orphan_add() returns error and we
subsequently remove inode from the in-memory orphan list. However this
deletion is done with list_del(&EXT4_I(inode)->i_orphan) and thus we
leave i_orphan list_head with a stale content. Later we can look at this
content causing list corruption, oops, or other issues. The reported
trace looked like:
WARNING: CPU: 0 PID: 46 at lib/list_debug.c:53 __list_del_entry+0x6b/0x100()
list_del corruption,
0000000061c1d6e0->next is LIST_POISON1
0000000000100100)
CPU: 0 PID: 46 Comm: ext4.exe Not tainted 4.1.0-rc4+ #250
Stack:
60462947 62219960 602ede24 62219960
602ede24 603ca293 622198f0 602f02eb
62219950 6002c12c 62219900 601b4d6b
Call Trace:
[<
6005769c>] ? vprintk_emit+0x2dc/0x5c0
[<
602ede24>] ? printk+0x0/0x94
[<
600190bc>] show_stack+0xdc/0x1a0
[<
602ede24>] ? printk+0x0/0x94
[<
602ede24>] ? printk+0x0/0x94
[<
602f02eb>] dump_stack+0x2a/0x2c
[<
6002c12c>] warn_slowpath_common+0x9c/0xf0
[<
601b4d6b>] ? __list_del_entry+0x6b/0x100
[<
6002c254>] warn_slowpath_fmt+0x94/0xa0
[<
602f4d09>] ? __mutex_lock_slowpath+0x239/0x3a0
[<
6002c1c0>] ? warn_slowpath_fmt+0x0/0xa0
[<
60023ebf>] ? set_signals+0x3f/0x50
[<
600a205a>] ? kmem_cache_free+0x10a/0x180
[<
602f4e88>] ? mutex_lock+0x18/0x30
[<
601b4d6b>] __list_del_entry+0x6b/0x100
[<
601177ec>] ext4_orphan_del+0x22c/0x2f0
[<
6012f27c>] ? __ext4_journal_start_sb+0x2c/0xa0
[<
6010b973>] ? ext4_truncate+0x383/0x390
[<
6010bc8b>] ext4_write_begin+0x30b/0x4b0
[<
6001bb50>] ? copy_from_user+0x0/0xb0
[<
601aa840>] ? iov_iter_fault_in_readable+0xa0/0xc0
[<
60072c4f>] generic_perform_write+0xaf/0x1e0
[<
600c4166>] ? file_update_time+0x46/0x110
[<
60072f0f>] __generic_file_write_iter+0x18f/0x1b0
[<
6010030f>] ext4_file_write_iter+0x15f/0x470
[<
60094e10>] ? unlink_file_vma+0x0/0x70
[<
6009b180>] ? unlink_anon_vmas+0x0/0x260
[<
6008f169>] ? free_pgtables+0xb9/0x100
[<
600a6030>] __vfs_write+0xb0/0x130
[<
600a61d5>] vfs_write+0xa5/0x170
[<
600a63d6>] SyS_write+0x56/0xe0
[<
6029fcb0>] ? __libc_waitpid+0x0/0xa0
[<
6001b698>] handle_syscall+0x68/0x90
[<
6002633d>] userspace+0x4fd/0x600
[<
6002274f>] ? save_registers+0x1f/0x40
[<
60028bd7>] ? arch_prctl+0x177/0x1b0
[<
60017bd5>] fork_handler+0x85/0x90
Fix the problem by using list_del_init() as we always should with
i_orphan list.
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Theodore Ts'o [Sat, 30 Apr 2016 04:49:54 +0000 (00:49 -0400)]
ext4: clean up error handling when orphan list is corrupted
commit
7827a7f6ebfcb7f388dc47fddd48567a314701ba upstream.
Instead of just printing warning messages, if the orphan list is
corrupted, declare the file system is corrupted. If there are any
reserved inodes in the orphaned inode list, declare the file system
corrupted and stop right away to avoid doing more potential damage to
the file system.
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Theodore Ts'o [Sat, 30 Apr 2016 04:48:54 +0000 (00:48 -0400)]
ext4: fix hang when processing corrupted orphaned inode list
commit
c9eb13a9105e2e418f72e46a2b6da3f49e696902 upstream.
If the orphaned inode list contains inode #5, ext4_iget() returns a
bad inode (since the bootloader inode should never be referenced
directly). Because of the bad inode, we end up processing the inode
repeatedly and this hangs the machine.
This can be reproduced via:
mke2fs -t ext4 /tmp/foo.img 100
debugfs -w -R "ssv last_orphan 5" /tmp/foo.img
mount -o loop /tmp/foo.img /mnt
(But don't do this if you are using an unpatched kernel if you care
about the system staying functional. :-)
This bug was found by the port of American Fuzzy Lop into the kernel
to find file system problems[1]. (Since it *only* happens if inode #5
shows up on the orphan list --- 3, 7, 8, etc. won't do it, it's not
surprising that AFL needed two hours before it found it.)
[1] http://events.linuxfoundation.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf
Reported by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Philipp Zabel [Thu, 12 May 2016 13:00:44 +0000 (15:00 +0200)]
drm/imx: Match imx-ipuv3-crtc components using device node in platform data
commit
310944d148e3600dcff8b346bee7fa01d34903b1 upstream.
The component master driver imx-drm-core matches component devices using
their of_node. Since commit
950b410dd1ab ("gpu: ipu-v3: Fix imx-ipuv3-crtc
module autoloading"), the imx-ipuv3-crtc dev->of_node is not set during
probing. Before that, of_node was set and caused an of: modalias to be
used instead of the platform: modalias, which broke module autoloading.
On the other hand, if dev->of_node is not set yet when the imx-ipuv3-crtc
probe function calls component_add, component matching in imx-drm-core
fails. While dev->of_node will be set once the next component tries to
bring up the component master, imx-drm-core component binding will never
succeed if one of the crtc devices is probed last.
Add of_node to the component platform data and match against the
pdata->of_node instead of dev->of_node in imx-drm-core to work around
this problem.
Fixes: 950b410dd1ab ("gpu: ipu-v3: Fix imx-ipuv3-crtc module autoloading")
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Tested-by: Fabio Estevam <fabio.estevam@nxp.com>
Tested-by: Lothar Waßmann <LW@KARO-electronics.de>
Tested-by: Heiko Schocher <hs@denx.de>
Tested-by: Chris Ruehl <chris.ruehl@gtsys.com.hk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ville Syrjälä [Fri, 13 May 2016 14:55:17 +0000 (17:55 +0300)]
drm/i915: Don't leave old junk in ilk active watermarks on readout
commit
7045c3689f148a0c95f42bae8ef3eb2829ac7de9 upstream.
When we read out the watermark state from the hardware we're supposed to
transfer that into the active watermarks, but currently we fail to any
part of the active watermarks that isn't explicitly written. Let's clear
it all upfront.
Looks like this has been like this since the beginning, when I added the
readout. No idea why I didn't clear it up.
Cc: Matt Roper <matthew.d.roper@intel.com>
Fixes: 243e6a44b9ca ("drm/i915: Init HSW watermark tracking in intel_modeset_setup_hw_state()")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Reviewed-by: Matt Roper <matthew.d.roper@intel.com>
Signed-off-by: Matt Roper <matthew.d.roper@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1463151318-14719-2-git-send-email-ville.syrjala@linux.intel.com
(cherry picked from commit
15606534bf0a65d8a74a90fd57b8712d147dbca6)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lyude [Tue, 31 May 2016 16:49:07 +0000 (12:49 -0400)]
drm/atomic: Verify connector->funcs != NULL when clearing states
Unfortunately since we don't have Dave's connector refcounting patch
here yet, it's very possible that drm_atomic_state_default_clear() could
get called by intel_display_resume() when
intel_dp_mst_destroy_connector() isn't completely finished destroying an
mst connector, but has already finished setting connector->funcs to
NULL. As such, we need to treat the connector like it's already been
destroyed and just skip it, otherwise we'll end up dereferencing a NULL
pointer.
This fix is only required for 4.6 and below. David Airlie's patchseries
for 4.7 to add connector reference counting provides a more proper fix
for this.
Changes since v1:
- Fix leftover whitespace
Upstream fix:
0552f7651bc2 ("drm/i915/mst: use reference counted
connectors. (v3)")
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Lyude <cpaul@redhat.com>
Lyude [Thu, 12 May 2016 14:56:59 +0000 (10:56 -0400)]
drm/fb_helper: Fix references to dev->mode_config.num_connector
commit
255f0e7c418ad95a4baeda017ae6182ba9b3c423 upstream.
During boot, MST hotplugs are generally expected (even if no physical
hotplugging occurs) and result in DRM's connector topology changing.
This means that using num_connector from the current mode configuration
can lead to the number of connectors changing under us. This can lead to
some nasty scenarios in fbcon:
- We allocate an array to the size of dev->mode_config.num_connectors.
- MST hotplug occurs, dev->mode_config.num_connectors gets incremented.
- We try to loop through each element in the array using the new value
of dev->mode_config.num_connectors, and end up going out of bounds
since dev->mode_config.num_connectors is now larger then the array we
allocated.
fb_helper->connector_count however, will always remain consistent while
we do a modeset in fb_helper.
Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.
Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this. Also remove the now unused "dev"
local variable to appease gcc.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-3-git-send-email-cpaul@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lyude [Thu, 12 May 2016 14:56:58 +0000 (10:56 -0400)]
drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
commit
14a3842a1d5945067d1dd0788f314e14d5b18e5b upstream.
During boot time, MST devices usually send a ton of hotplug events
irregardless of whether or not any physical hotplugs actually occurred.
Hotplugs mean connectors being created/destroyed, and the number of DRM
connectors changing under us. This isn't a problem if we use
fb_helper->connector_count since we only set it once in the code,
however if we use num_connector from struct drm_mode_config we risk it's
value changing under us. On top of that, there's even a chance that
dev->mode_config.num_connector != fb_helper->connector_count. If the
number of connectors happens to increase under us, we'll end up using
the wrong array size for memcpy and start writing beyond the actual
length of the array, occasionally resulting in kernel panics.
Note: This is just polish for 4.7, Dave Airlie's drm_connector
refcounting fixed these bugs for real. But it's good enough duct-tape
for stable kernel backporting, since backporting the refcounting
changes is way too invasive.
Signed-off-by: Lyude <cpaul@redhat.com>
[danvet: Clarify why we need this.]
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/1463065021-18280-2-git-send-email-cpaul@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mario Kleiner [Tue, 24 May 2016 16:12:43 +0000 (18:12 +0200)]
drm/amdgpu: Fix hdmi deep color support.
commit
9d746ab68163d642dae13756b2b3145b2e38cb65 upstream.
When porting the hdmi deep color detection code from
radeon-kms to amdgpu-kms apparently some kind of
copy and paste error happened, attaching an else
branch to the wrong if statement.
The result is that hdmi deep color mode is always
disabled, regardless of gpu and display capabilities and
user wishes, as the code mistakenly thinks that the display
doesn't provide the required max_tmds_clock limit and falls
back to 8 bpc.
This patch fixes deep color support, as tested on a
R9 380 Tonga Pro + suitable display, and should be
backported to all kernels with amdgpu-kms support.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Alex Deucher [Mon, 2 May 2016 14:24:41 +0000 (10:24 -0400)]
drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh
commit
6b8812eb004ee2b24aac8b1a711a0e8e797df3ce upstream.
This is a port of radeon commit:
3d2d98ee1af0cf6eebfbd6bff4c17d3601ac1284
drm/radeon: use drm_mode_vrefresh() rather than mode->vrefresh
to amdgpu.
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sinclair Yeh [Thu, 21 Apr 2016 18:29:31 +0000 (11:29 -0700)]
drm/vmwgfx: Fix order of operation
commit
7851496a32319237456919575e5f4ba62f74cc7d upstream.
mode->hdisplay * (var->bits_per_pixel + 7) gets evaluated before
the division, potentially making the pitch larger than it should
be.
Since the original intention is to do a div-round-up, just use
the macro instead.
Signed-off-by: Sinclair Yeh <syeh@vmware.com>
Reviewed-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Charmaine Lee [Tue, 12 Apr 2016 15:19:08 +0000 (08:19 -0700)]
drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
commit
e02e58843153ce80a9fe7588def89b2638d40e64 upstream.
Instead of calling vmw_cmd_ok, call vmw_cmd_dx_cid_check to
validate the context id for query commands.
Signed-off-by: Charmaine Lee <charmainel@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Charmaine Lee [Tue, 12 Apr 2016 15:14:23 +0000 (08:14 -0700)]
drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
commit
1883598d4201361a6d2ce785095695f58071ee11 upstream.
Fixes piglit tests nv_conditional_render-* crashes.
Signed-off-by: Charmaine Lee <charmainel@vmware.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Reviewed-by: Sinclair Yeh <syeh@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Itai Handler [Mon, 2 Nov 2015 22:20:56 +0000 (00:20 +0200)]
drm/gma500: Fix possible out of bounds read
commit
7ccca1d5bf69fdd1d3c5fcf84faf1659a6e0ad11 upstream.
Fix possible out of bounds read, by adding missing comma.
The code may read pass the end of the dsi_errors array
when the most significant bit (bit #31) in the intr_stat register
is set.
This bug has been detected using CppCheck (static analysis tool).
Signed-off-by: Itai Handler <itai_handler@hotmail.com>
Signed-off-by: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tomáš Trnka [Fri, 20 May 2016 14:41:10 +0000 (16:41 +0200)]
sunrpc: fix stripping of padded MIC tokens
commit
c0cb8bf3a8e4bd82e640862cdd8891400405cb89 upstream.
The length of the GSS MIC token need not be a multiple of four bytes.
It is then padded by XDR to a multiple of 4 B, but unwrap_integ_data()
would previously only trim mic.len + 4 B. The remaining up to three
bytes would then trigger a check in nfs4svc_decode_compoundargs(),
leading to a "garbage args" error and mount failure:
nfs4svc_decode_compoundargs: compound not properly padded!
nfsd: failed to decode arguments!
This would prevent older clients using the pre-RFC 4121 MIC format
(37-byte MIC including a 9-byte OID) from mounting exports from v3.9+
servers using krb5i.
The trimming was introduced by commit
4c190e2f913f ("sunrpc: trim off
trailing checksum before returning decrypted or integrity authenticated
buffer").
Fixes: 4c190e2f913f "unrpc: trim off trailing checksum..."
Signed-off-by: Tomáš Trnka <ttrnka@mail.muni.cz>
Acked-by: Jeff Layton <jlayton@poochiereds.net>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Juergen Gross [Wed, 18 May 2016 14:44:54 +0000 (16:44 +0200)]
xen: use same main loop for counting and remapping pages
commit
dd14be92fbf5bc1ef7343f34968440e44e21b46a upstream.
Instead of having two functions for cycling through the E820 map in
order to count to be remapped pages and remap them later, just use one
function with a caller supplied sub-function called for each region to
be processed. This eliminates the possibility of a mismatch between
both loops which showed up in certain configurations.
Suggested-by: Ed Swierk <eswierk@skyportsystems.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ross Lagerwall [Tue, 10 May 2016 15:11:00 +0000 (16:11 +0100)]
xen/events: Don't move disabled irqs
commit
f0f393877c71ad227d36705d61d1e4062bc29cf5 upstream.
Commit
ff1e22e7a638 ("xen/events: Mask a moving irq") open-coded
irq_move_irq() but left out checking if the IRQ is disabled. This broke
resuming from suspend since it tries to move a (disabled) irq without
holding the IRQ's desc->lock. Fix it by adding in a check for disabled
IRQs.
The resulting stacktrace was:
kernel BUG at /build/linux-UbQGH5/linux-4.4.0/kernel/irq/migration.c:31!
invalid opcode: 0000 [#1] SMP
Modules linked in: xenfs xen_privcmd ...
CPU: 0 PID: 9 Comm: migration/0 Not tainted 4.4.0-22-generic #39-Ubuntu
Hardware name: Xen HVM domU, BIOS 4.6.1-xs125180 05/04/2016
task:
ffff88003d75ee00 ti:
ffff88003d7bc000 task.ti:
ffff88003d7bc000
RIP: 0010:[<
ffffffff810e26e2>] [<
ffffffff810e26e2>] irq_move_masked_irq+0xd2/0xe0
RSP: 0018:
ffff88003d7bfc50 EFLAGS:
00010046
RAX:
0000000000000000 RBX:
ffff88003d40ba00 RCX:
0000000000000001
RDX:
0000000000000001 RSI:
0000000000000100 RDI:
ffff88003d40bad8
RBP:
ffff88003d7bfc68 R08:
0000000000000000 R09:
ffff88003d000000
R10:
0000000000000000 R11:
000000000000023c R12:
ffff88003d40bad0
R13:
ffffffff81f3a4a0 R14:
0000000000000010 R15:
00000000ffffffff
FS:
0000000000000000(0000) GS:
ffff88003da00000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00007fd4264de624 CR3:
0000000037922000 CR4:
00000000003406f0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Stack:
ffff88003d40ba38 0000000000000024 0000000000000000 ffff88003d7bfca0
ffffffff814c8d92 00000010813ef89d 00000000805ea732 0000000000000009
0000000000000024 ffff88003cc39b80 ffff88003d7bfce0 ffffffff814c8f66
Call Trace:
[<
ffffffff814c8d92>] eoi_pirq+0xb2/0xf0
[<
ffffffff814c8f66>] __startup_pirq+0xe6/0x150
[<
ffffffff814ca659>] xen_irq_resume+0x319/0x360
[<
ffffffff814c7e75>] xen_suspend+0xb5/0x180
[<
ffffffff81120155>] multi_cpu_stop+0xb5/0xe0
[<
ffffffff811200a0>] ? cpu_stop_queue_work+0x80/0x80
[<
ffffffff811203d0>] cpu_stopper_thread+0xb0/0x140
[<
ffffffff810a94e6>] ? finish_task_switch+0x76/0x220
[<
ffffffff810ca731>] ? __raw_callee_save___pv_queued_spin_unlock+0x11/0x20
[<
ffffffff810a3935>] smpboot_thread_fn+0x105/0x160
[<
ffffffff810a3830>] ? sort_range+0x30/0x30
[<
ffffffff810a0588>] kthread+0xd8/0xf0
[<
ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
[<
ffffffff8182568f>] ret_from_fork+0x3f/0x70
[<
ffffffff810a04b0>] ? kthread_create_on_node+0x1e0/0x1e0
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: David Vrabel <david.vrabel@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gavin Shan [Wed, 27 Apr 2016 01:14:51 +0000 (11:14 +1000)]
powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()
commit
5a0cdbfd17b90a89c64a71d8aec9773ecdb20d0d upstream.
The function eeh_pe_reset_and_recover() is used to recover EEH
error when the passthrou device are transferred to guest and
backwards. The content in the device's config space will be lost
on PE reset issued in the middle of the recovery. The function
saves/restores it before/after the reset. However, config access
to some adapters like Broadcom BCM5719 at this point will causes
fenced PHB. The config space is always blocked and we save 0xFF's
that are restored at late point. The memory BARs are totally
corrupted, causing another EEH error upon access to one of the
memory BARs.
This restores the config space on those adapters like BCM5719
from the content saved to the EEH device when it's populated,
to resolve above issue.
Fixes: 5cfb20b9 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Guilherme G. Piccoli [Mon, 11 Apr 2016 19:17:22 +0000 (16:17 -0300)]
Revert "powerpc/eeh: Fix crash in eeh_add_device_early() on Cell"
commit
c2078d9ef600bdbe568c89e5ddc2c6f15b7982c8 upstream.
This reverts commit
89a51df5ab1d38b257300b8ac940bbac3bb0eb9b.
The function eeh_add_device_early() is used to perform EEH
initialization in devices added later on the system, like in
hotplug/DLPAR scenarios. Since the commit
89a51df5ab1d ("powerpc/eeh:
Fix crash in eeh_add_device_early() on Cell") a new check was introduced
in this function - Cell has no EEH capabilities which led to kernel oops
if hotplug was performed, so checking for eeh_enabled() was introduced
to avoid the issue.
However, in architectures that EEH is present like pSeries or PowerNV,
we might reach a case in which no PCI devices are present on boot time
and so EEH is not initialized. Then, if a device is added via DLPAR for
example, eeh_add_device_early() fails because eeh_enabled() is false,
and EEH end up not being enabled at all.
This reverts the aforementioned patch since a new verification was
introduced by the commit
d91dafc02f42 ("powerpc/eeh: Delay probing EEH
device during hotplug") and so the original Cell issue does not happen
anymore.
Reviewed-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gavin Shan [Wed, 27 Apr 2016 01:14:50 +0000 (11:14 +1000)]
powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
commit
affeb0f2d3a9af419ad7ef4ac782e1540b2f7b28 upstream.
The function eeh_pe_reset_and_recover() is used to recover EEH
error when the passthrough device are transferred to guest and
backwards, meaning the device's driver is vfio-pci or none.
When the driver is vfio-pci that provides error_detected() error
handler only, the handler simply stops the guest and it's not
expected behaviour. On the other hand, no error handlers will
be called if we don't have a bound driver.
This ignores the error handler in eeh_pe_reset_and_recover()
that reports the error to device driver to avoid the exceptional
behaviour.
Fixes: 5cfb20b9 ("powerpc/eeh: Emulate EEH recovery for VFIO devices")
Signed-off-by: Gavin Shan <gwshan@linux.vnet.ibm.com>
Reviewed-by: Russell Currey <ruscur@russell.cc>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hari Bathini [Fri, 15 Apr 2016 12:48:02 +0000 (22:48 +1000)]
powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
commit
8ed8ab40047a570fdd8043a40c104a57248dd3fd upstream.
Some of the interrupt vectors on 64-bit POWER server processors are only
32 bytes long (8 instructions), which is not enough for the full
first-level interrupt handler. For these we need to branch to an
out-of-line (OOL) handler. But when we are running a relocatable kernel,
interrupt vectors till __end_interrupts marker are copied down to real
address 0x100. So, branching to labels (ie. OOL handlers) outside this
section must be handled differently (see LOAD_HANDLER()), considering
relocatable kernel, which would need at least 4 instructions.
However, branching from interrupt vector means that we corrupt the
CFAR (come-from address register) on POWER7 and later processors as
mentioned in commit
1707dd16. So, EXCEPTION_PROLOG_0 (6 instructions)
that contains the part up to the point where the CFAR is saved in the
PACA should be part of the short interrupt vectors before we branch out
to OOL handlers.
But as mentioned already, there are interrupt vectors on 64-bit POWER
server processors that are only 32 bytes long (like vectors 0x4f00,
0x4f20, etc.), which cannot accomodate the above two cases at the same
time owing to space constraint. Currently, in these interrupt vectors,
we simply branch out to OOL handlers, without using LOAD_HANDLER(),
which leaves us vulnerable when running a relocatable kernel (eg. kdump
case). While this has been the case for sometime now and kdump is used
widely, we were fortunate not to see any problems so far, for three
reasons:
1. In almost all cases, production kernel (relocatable) is used for
kdump as well, which would mean that crashed kernel's OOL handler
would be at the same place where we end up branching to, from short
interrupt vector of kdump kernel.
2. Also, OOL handler was unlikely the reason for crash in almost all
the kdump scenarios, which meant we had a sane OOL handler from
crashed kernel that we branched to.
3. On most 64-bit POWER server processors, page size is large enough
that marking interrupt vector code as executable (see commit
429d2e83) leads to marking OOL handler code from crashed kernel,
that sits right below interrupt vector code from kdump kernel, as
executable as well.
Let us fix this by moving the __end_interrupts marker down past OOL
handlers to make sure that we also copy OOL handlers to real address
0x100 when running a relocatable kernel.
This fix has been tested successfully in kdump scenario, on an LPAR with
4K page size by using different default/production kernel and kdump
kernel.
Also tested by manually corrupting the OOL handlers in the first kernel
and then kdump'ing, and then causing the OOL handlers to fire - mpe.
Fixes: c1fb6816fb1b ("powerpc: Add relocation on exception vector handlers")
Signed-off-by: Hari Bathini <hbathini@linux.vnet.ibm.com>
Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Willy Tarreau [Mon, 18 Jan 2016 15:36:09 +0000 (16:36 +0100)]
pipe: limit the per-user amount of pages allocated in pipes
commit
759c01142a5d0f364a462346168a56de28a80f52 upstream.
On no-so-small systems, it is possible for a single process to cause an
OOM condition by filling large pipes with data that are never read. A
typical process filling 4000 pipes with 1 MB of data will use 4 GB of
memory. On small systems it may be tricky to set the pipe max size to
prevent this from happening.
This patch makes it possible to enforce a per-user soft limit above
which new pipes will be limited to a single page, effectively limiting
them to 4 kB each, as well as a hard limit above which no new pipes may
be created for this user. This has the effect of protecting the system
against memory abuse without hurting other users, and still allowing
pipes to work correctly though with less data at once.
The limit are controlled by two new sysctls : pipe-user-pages-soft, and
pipe-user-pages-hard. Both may be disabled by setting them to zero. The
default soft limit allows the default number of FDs per process (1024)
to create pipes of the default size (64kB), thus reaching a limit of 64MB
before starting to create only smaller pipes. With 256 processes limited
to 1024 FDs each, this results in 1024*64kB + (256*1024 - 1024) * 4kB =
1084 MB of memory allocated for a user. The hard limit is disabled by
default to avoid breaking existing applications that make intensive use
of pipes (eg: for splicing).
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Moritz Muehlenhoff <moritz@wikimedia.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Zhao Qiang [Wed, 9 Mar 2016 01:48:11 +0000 (09:48 +0800)]
QE-UART: add "fsl,t1040-ucc-uart" to of_device_id
commit
11ca2b7ab432eb90906168c327733575e68d388f upstream.
New bindings use "fsl,t1040-ucc-uart" as the compatible for qe-uart.
So add it.
Signed-off-by: Zhao Qiang <qiang.zhao@nxp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Oleg Nesterov [Mon, 23 May 2016 23:23:50 +0000 (16:23 -0700)]
wait/ptrace: assume __WALL if the child is traced
commit
bf959931ddb88c4e4366e96dd22e68fa0db9527c upstream.
The following program (simplified version of generated by syzkaller)
#include <pthread.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <stdio.h>
#include <signal.h>
void *thread_func(void *arg)
{
ptrace(PTRACE_TRACEME, 0,0,0);
return 0;
}
int main(void)
{
pthread_t thread;
if (fork())
return 0;
while (getppid() != 1)
;
pthread_create(&thread, NULL, thread_func, NULL);
pthread_join(thread, NULL);
return 0;
}
creates an unreapable zombie if /sbin/init doesn't use __WALL.
This is not a kernel bug, at least in a sense that everything works as
expected: debugger should reap a traced sub-thread before it can reap the
leader, but without __WALL/__WCLONE do_wait() ignores sub-threads.
Unfortunately, it seems that /sbin/init in most (all?) distributions
doesn't use it and we have to change the kernel to avoid the problem.
Note also that most init's use sys_waitid() which doesn't allow __WALL, so
the necessary user-space fix is not that trivial.
This patch just adds the "ptrace" check into eligible_child(). To some
degree this matches the "tsk->ptrace" in exit_notify(), ->exit_signal is
mostly ignored when the tracee reports to debugger. Or WSTOPPED, the
tracer doesn't need to set this flag to wait for the stopped tracee.
This obviously means the user-visible change: __WCLONE and __WALL no
longer have any meaning for debugger. And I can only hope that this won't
break something, but at least strace/gdb won't suffer.
We could make a more conservative change. Say, we can take __WCLONE into
account, or !thread_group_leader(). But it would be nice to not
complicate these historical/confusing checks.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: "Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
Cc: Pedro Alves <palves@redhat.com>
Cc: Roland McGrath <roland@hack.frob.com>
Cc: <syzkaller@googlegroups.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stefan Bader [Fri, 20 May 2016 23:58:38 +0000 (16:58 -0700)]
mm: use phys_addr_t for reserve_bootmem_region() arguments
commit
4b50bcc7eda4d3cc9e3f2a0aa60e590fedf728c5 upstream.
Since commit
92923ca3aace ("mm: meminit: only set page reserved in the
memblock region") the reserved bit is set on reserved memblock regions.
However start and end address are passed as unsigned long. This is only
32bit on i386, so it can end up marking the wrong pages reserved for
ranges at 4GB and above.
This was observed on a 32bit Xen dom0 which was booted with initial
memory set to a value below 4G but allowing to balloon in memory
(dom0_mem=1024M for example). This would define a reserved bootmem
region for the additional memory (for example on a 8GB system there was
a reverved region covering the 4GB-8GB range). But since the addresses
were passed on as unsigned long, this was actually marking all pages
from 0 to 4GB as reserved.
Fixes: 92923ca3aacef63 ("mm: meminit: only set page reserved in the memblock region")
Link: http://lkml.kernel.org/r/1463491221-10573-1-git-send-email-stefan.bader@canonical.com
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tiffany Lin [Mon, 14 Mar 2016 11:16:14 +0000 (08:16 -0300)]
media: v4l2-compat-ioctl32: fix missing reserved field copy in put_v4l2_create32
commit
baf43c6eace43868e490f18560287fa3481b2159 upstream.
In v4l2-compliance utility, test VIDIOC_CREATE_BUFS will check whether reserved
filed of v4l2_create_buffers filled with zero
Reserved field is filled with zero in v4l_create_bufs.
This patch copy reserved field of v4l2_create_buffer from kernel space to user
space
Signed-off-by: Tiffany Lin <tiffany.lin@mediatek.com>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Prarit Bhargava [Wed, 11 May 2016 16:27:16 +0000 (12:27 -0400)]
PCI: Disable all BAR sizing for devices with non-compliant BARs
commit
ad67b437f187ea818b2860524d10f878fadfdd99 upstream.
b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant
BARs") disabled BAR sizing for BARs 0-5 of devices that don't comply with
the PCI spec. But it didn't do anything for expansion ROM BARs, so we
still try to size them, resulting in warnings like this on Broadwell-EP:
pci 0000:ff:12.0: BAR 6: failed to assign [mem size 0x00000001 pref]
Move the non-compliant BAR check from __pci_read_base() up to
pci_read_bases() so it applies to the expansion ROM BAR as well as
to BARs 0-5.
Note that direct callers of __pci_read_base(), like sriov_init(), will now
bypass this check. We haven't had reports of devices with broken SR-IOV
BARs yet.
[bhelgaas: changelog]
Fixes: b84106b4e229 ("PCI: Disable IO/MEM decoding for devices with non-compliant BARs")
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
CC: Thomas Gleixner <tglx@linutronix.de>
CC: Ingo Molnar <mingo@redhat.com>
CC: "H. Peter Anvin" <hpa@zytor.com>
CC: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Andrew Jeffery [Wed, 20 Apr 2016 01:54:17 +0000 (11:24 +0930)]
pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
commit
71324fdc72ef0163e57631aa814a9a81e9e4770b upstream.
The range is registered into a linked list which can be referenced
throughout the lifetime of the driver. Ensure the range's memory is useful
for the same lifetime by adding it to the driver's private data structure.
The bug was introduced in the driver's initial commit, which was present in
v3.10.
Fixes: f0b9a7e521fa ("pinctrl: exynos5440: add pinctrl driver for Samsung EXYNOS5440 SoC")
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>
Acked-by: Tomasz Figa <tomasz.figa@gmail.com>
Reviewed-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Martin Sperl [Mon, 29 Feb 2016 11:39:20 +0000 (11:39 +0000)]
clk: bcm2835: divider value has to be 1 or more
commit
997f16bd5d2e9b3456027f96fcadfe1e2bf12f4e upstream.
Current clamping of a normal divider allows a value < 1 to be valid.
A divider of < 1 would actually only be possible if we had a PLL...
So this patch clamps the divider to 1.
Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the
audio domain clocks")
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Martin Sperl [Mon, 29 Feb 2016 11:39:17 +0000 (11:39 +0000)]
clk: bcm2835: pll_off should only update CM_PLL_ANARST
commit
6727f086cfe4ddcc651eb2bf4301abfcf619be06 upstream.
bcm2835_pll_off is currently assigning CM_PLL_ANARST to the control
register, which may lose the other bits that are currently set by the
clock dividers.
It also now locks during the read/modify/write cycle of both
registers.
Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the
audio domain clocks")
Signed-off-by: Martin Sperl <kernel@martin.sperl.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Vladimir Zapolskiy [Mon, 7 Mar 2016 23:41:29 +0000 (01:41 +0200)]
clk: at91: fix check of clk_register() returned value
commit
cb0ceaf77d93964a0d00477c79f4499123f6159c upstream.
The clk_register() function returns a valid pointer to struct clk or
ERR_PTR() error code, this makes a check for returned NULL value
useless and may lead to oops on error path.
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
Acked-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Fixes: bcc5fd49a0fd ("clk: at91: add a driver for the h32mx clock")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Anholt [Wed, 13 Apr 2016 20:05:03 +0000 (13:05 -0700)]
clk: bcm2835: Fix PLL poweron
commit
e708b383f4b94feca2e0d5d06e1cfc13cdfea100 upstream.
In poweroff, we set the reset bit and the power down bit, but only
managed to unset the reset bit for poweron. This meant that if HDMI
did -EPROBE_DEFER after it had grabbed its clocks, we'd power down the
PLLH (that had been on at boot time) and never recover.
Signed-off-by: Eric Anholt <eric@anholt.net>
Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel Lezcano [Tue, 17 May 2016 14:54:00 +0000 (16:54 +0200)]
cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
commit
e7387da52028b072489c45efeb7a916c0205ebd2 upstream.
Commit
0b89e9aa2856 (cpuidle: delay enabling interrupts until all
coupled CPUs leave idle) rightfully fixed a regression by letting
the coupled idle state framework to handle local interrupt enabling
when the CPU is exiting an idle state.
The current code checks if the idle state is coupled and, if so, it
will let the coupled code to enable interrupts. This way, it can
decrement the ready-count before handling the interrupt. This
mechanism prevents the other CPUs from waiting for a CPU which is
handling interrupts.
But the check is done against the state index returned by the back
end driver's ->enter functions which could be different from the
initial index passed as parameter to the cpuidle_enter_state()
function.
entered_state = target_state->enter(dev, drv, index);
[ ... ]
if (!cpuidle_state_is_coupled(drv, entered_state))
local_irq_enable();
[ ... ]
If the 'index' is referring to a coupled idle state but the
'entered_state' is *not* coupled, then the interrupts are enabled
again. All CPUs blocked on the sync barrier may busy loop longer
if the CPU has interrupts to handle before decrementing the
ready-count. That's consuming more energy than saving.
Fixes: 0b89e9aa2856 (cpuidle: delay enabling interrupts until all coupled CPUs leave idle)
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
[ rjw: Subject & changelog ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Dave Gerlach [Tue, 5 Apr 2016 19:05:38 +0000 (14:05 -0500)]
cpuidle: Indicate when a device has been unregistered
commit
c998c07836f985b24361629dc98506ec7893e7a0 upstream.
Currently the 'registered' member of the cpuidle_device struct is set
to 1 during cpuidle_register_device. In this same function there are
checks to see if the device is already registered to prevent duplicate
calls to register the device, but this value is never set to 0 even on
unregister of the device. Because of this, any attempt to call
cpuidle_register_device after a call to cpuidle_unregister_device will
fail which shouldn't be the case.
To prevent this, set registered to 0 when the device is unregistered.
Fixes: c878a52d3c7c (cpuidle: Check if device is already registered)
Signed-off-by: Dave Gerlach <d-gerlach@ti.com>
Acked-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ulf Hansson [Fri, 8 Apr 2016 11:10:23 +0000 (13:10 +0200)]
PM / Runtime: Fix error path in pm_runtime_force_resume()
commit
0ae3aeefabbeef26294e7a349b51f1c761d46c9f upstream.
As pm_runtime_set_active() may fail because the device's parent isn't
active, we can end up executing the ->runtime_resume() callback for the
device when it isn't allowed.
Fix this by invoking pm_runtime_set_active() before running the callback
and let's also deal with the error code.
Fixes: 37f204164dfb (PM: Add pm_runtime_suspend|resume_force functions)
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Ville Syrjälä [Fri, 22 Apr 2016 19:38:55 +0000 (22:38 +0300)]
mfd: intel_soc_pmic_core: Terminate panel control GPIO lookup table correctly
commit
36e6d081cfb2cb64e6d8e5121cffb1e62f894d36 upstream.
GPIO lookup tables are supposed to be zero terminated. Let's do that
and avoid accidentally walking off the end.
Fixes: 61dd2ca2d44e ("mfd: intel_soc_pmic_core: Add lookup table for Panel Control as GPIO signal")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Heikki Krogerus [Mon, 18 Apr 2016 12:14:56 +0000 (15:14 +0300)]
mfd: intel-lpss: Save register context on suspend
commit
41a3da2b8e1639d983192e3650670df4ecc94cf7 upstream.
All configurations are lost and the registers will have
default values when the hardware is suspended and resumed,
so saving the private register space context on suspend, and
restoring it on resume.
Fixes: 4b45efe85263 (mfd: Add support for Intel Sunrisepoint LPSS devices)
Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Akshay Bhat [Mon, 18 Apr 2016 19:47:53 +0000 (15:47 -0400)]
hwmon: (ads7828) Enable internal reference
commit
7a18afe8097731b8ffb6cb5b2b3b418ded77c105 upstream.
On ads7828 the internal reference defaults to off upon power up. When
using internal reference, it needs to be turned on and the voltage needs
to settle before normal conversion cycle can be started. Hence perform a
dummy read in the probe to enable the internal reference allowing the
voltage to settle before performing a normal read.
Without this fix, the first read from the ADC when using internal
reference always returns incorrect data.
Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Raghava Aditya Renukunta [Tue, 26 Apr 2016 06:32:37 +0000 (23:32 -0700)]
aacraid: Fix for KDUMP driver hang
commit
78cbccd3bd683c295a44af8050797dc4a41376ff upstream.
When KDUMP is triggered the driver first talks to the firmware in INTX
mode, but the adapter firmware is still in MSIX mode. Therefore the first
driver command hangs since the driver is waiting for an INTX response and
firmware gives a MSIX response. If when the OS is installed on a RAID
drive created by the adapter KDUMP will hang since the driver does not
receive a response in sync mode.
Fixed by: Change the firmware to INTX mode if it is in MSIX mode before
sending the first sync command.
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Raghava Aditya Renukunta [Tue, 26 Apr 2016 06:31:57 +0000 (23:31 -0700)]
aacraid: Fix for aac_command_thread hang
commit
fc4bf75ea300a5e62a2419f89dd0e22189dd7ab7 upstream.
Typically under error conditions, it is possible for aac_command_thread()
to miss the wakeup from kthread_stop() and go back to sleep, causing it
to hang aac_shutdown.
In the observed scenario, the adapter is not functioning correctly and so
aac_fib_send() never completes (or time-outs depending on how it was
called). Shortly after aac_command_thread() starts it performs
aac_fib_send(SendHostTime) which hangs. When aac_probe_one
/aac_get_adapter_info send time outs, kthread_stop is called which breaks
the command thread out of it's hang.
The code will still go back to sleep in schedule_timeout() without
checking kthread_should_stop() so it causes aac_probe_one to hang until
the schedule_timeout() which is 30 minutes.
Fixed by: Adding another kthread_should_stop() before schedule_timeout()
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Raghava Aditya Renukunta [Tue, 26 Apr 2016 06:31:26 +0000 (23:31 -0700)]
aacraid: Relinquish CPU during timeout wait
commit
07beca2be24cc710461c0b131832524c9ee08910 upstream.
aac_fib_send has a special function case for initial commands during
driver initialization using wait < 0(pseudo sync mode). In this case,
the command does not sleep but rather spins checking for timeout.This
loop is calls cpu_relax() in an attempt to allow other processes/threads
to use the CPU, but this function does not relinquish the CPU and so the
command will hog the processor. This was observed in a KDUMP
"crashkernel" and that prevented the "command thread" (which is
responsible for completing the command from being timed out) from
starting because it could not get the CPU.
Fixed by replacing "cpu_relax()" call with "schedule()"
Signed-off-by: Raghava Aditya Renukunta <RaghavaAditya.Renukunta@microsemi.com>
Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wang yanqing [Fri, 6 May 2016 16:33:53 +0000 (00:33 +0800)]
rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in rtl_pci_reset_trx_ring
commit
cf968937d27751296920e6b82ffa89735e3a0023 upstream.
We can't use kfree_skb in irq disable context, because spin_lock_irqsave
make sure we are always in irq disable context, use dev_kfree_skb_irq
instead of kfree_skb is better than dev_kfree_skb_any.
This patch fix below kernel warning:
[ 7612.095528] ------------[ cut here ]------------
[ 7612.095546] WARNING: CPU: 3 PID: 4460 at kernel/softirq.c:150 __local_bh_enable_ip+0x58/0x80()
[ 7612.095550] Modules linked in: rtl8723be x86_pkg_temp_thermal btcoexist rtl_pci rtlwifi rtl8723_common
[ 7612.095567] CPU: 3 PID: 4460 Comm: ifconfig Tainted: G W 4.4.0+ #4
[ 7612.095570] Hardware name: LENOVO
20DFA04FCD/
20DFA04FCD, BIOS J5ET48WW (1.19 ) 08/27/2015
[ 7612.095574]
00000000 00000000 da37fc70 c12ce7c5 00000000 da37fca0 c104cc59 c19d4454
[ 7612.095584]
00000003 0000116c c19d4784 00000096 c10508a8 c10508a8 00000200 c1b42400
[ 7612.095594]
f29be780 da37fcb0 c104ccad 00000009 00000000 da37fcbc c10508a8 f21f08b8
[ 7612.095604] Call Trace:
[ 7612.095614] [<
c12ce7c5>] dump_stack+0x41/0x5c
[ 7612.095620] [<
c104cc59>] warn_slowpath_common+0x89/0xc0
[ 7612.095628] [<
c10508a8>] ? __local_bh_enable_ip+0x58/0x80
[ 7612.095634] [<
c10508a8>] ? __local_bh_enable_ip+0x58/0x80
[ 7612.095640] [<
c104ccad>] warn_slowpath_null+0x1d/0x20
[ 7612.095646] [<
c10508a8>] __local_bh_enable_ip+0x58/0x80
[ 7612.095653] [<
c16b7d34>] destroy_conntrack+0x64/0xa0
[ 7612.095660] [<
c16b300f>] nf_conntrack_destroy+0xf/0x20
[ 7612.095665] [<
c1677565>] skb_release_head_state+0x55/0xa0
[ 7612.095670] [<
c16775bb>] skb_release_all+0xb/0x20
[ 7612.095674] [<
c167760b>] __kfree_skb+0xb/0x60
[ 7612.095679] [<
c16776f0>] kfree_skb+0x30/0x70
[ 7612.095686] [<
f81b869d>] ? rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]
[ 7612.095692] [<
f81b869d>] rtl_pci_reset_trx_ring+0x22d/0x370 [rtl_pci]
[ 7612.095698] [<
f81b87f9>] rtl_pci_start+0x19/0x190 [rtl_pci]
[ 7612.095705] [<
f81970e6>] rtl_op_start+0x56/0x90 [rtlwifi]
[ 7612.095712] [<
c17e3f16>] drv_start+0x36/0xc0
[ 7612.095717] [<
c17f5ab3>] ieee80211_do_open+0x2d3/0x890
[ 7612.095725] [<
c16820fe>] ? call_netdevice_notifiers_info+0x2e/0x60
[ 7612.095730] [<
c17f60bd>] ieee80211_open+0x4d/0x50
[ 7612.095736] [<
c16891b3>] __dev_open+0xa3/0x130
[ 7612.095742] [<
c183fa53>] ? _raw_spin_unlock_bh+0x13/0x20
[ 7612.095748] [<
c1689499>] __dev_change_flags+0x89/0x140
[ 7612.095753] [<
c127c70d>] ? selinux_capable+0xd/0x10
[ 7612.095759] [<
c1689589>] dev_change_flags+0x29/0x60
[ 7612.095765] [<
c1700b93>] devinet_ioctl+0x553/0x670
[ 7612.095772] [<
c12db758>] ? _copy_to_user+0x28/0x40
[ 7612.095777] [<
c17018b5>] inet_ioctl+0x85/0xb0
[ 7612.095783] [<
c166e647>] sock_ioctl+0x67/0x260
[ 7612.095788] [<
c166e5e0>] ? sock_fasync+0x80/0x80
[ 7612.095795] [<
c115c99b>] do_vfs_ioctl+0x6b/0x550
[ 7612.095800] [<
c127c812>] ? selinux_file_ioctl+0x102/0x1e0
[ 7612.095807] [<
c10a8914>] ? timekeeping_suspend+0x294/0x320
[ 7612.095813] [<
c10a256a>] ? __hrtimer_run_queues+0x14a/0x210
[ 7612.095820] [<
c1276e24>] ? security_file_ioctl+0x34/0x50
[ 7612.095827] [<
c115cef0>] SyS_ioctl+0x70/0x80
[ 7612.095832] [<
c1001804>] do_fast_syscall_32+0x84/0x120
[ 7612.095839] [<
c183ff91>] sysenter_past_esp+0x36/0x55
[ 7612.095844] ---[ end trace
97e9c637a20e8348 ]---
Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
wang yanqing [Mon, 2 May 2016 16:38:36 +0000 (00:38 +0800)]
rtlwifi: Fix logic error in enter/exit power-save mode
commit
873ffe154ae074c46ed2d72dbd9a2a99f06f55b4 upstream.
In commit
a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and
rtl_lps_enter() to use work queue"), the tests for enter/exit
power-save mode were inverted. With this change applied, the
wifi connection becomes much more stable.
Fixes: a269913c52ad ("rtlwifi: Rework rtl_lps_leave() and rtl_lps_enter() to use work queue")
Signed-off-by: Wang YanQing <udknight@gmail.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Wed, 16 Mar 2016 18:33:35 +0000 (13:33 -0500)]
rtlwifi: btcoexist: Implement antenna selection
commit
baa1702290953295e421f0f433e2b1ff4815827c upstream.
The previous patch added an option to rtl8723be to manually select the
antenna for those cases when only a single antenna is present, and the
on-board EEPROM is incorrectly programmed. This patch implements the
necessary changes in the Bluetooth coexistence driver.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Larry Finger [Wed, 16 Mar 2016 18:33:34 +0000 (13:33 -0500)]
rtlwifi: rtl8723be: Add antenna select module parameter
commit
c18d8f5095715c56bb3cd9cba64242542632054b upstream.
A number of new laptops have been delivered with only a single antenna.
In principle, this is OK; however, a problem arises when the on-board
EEPROM is programmed to use the other antenna connection. The option
of opening the computer and moving the connector is not always possible
as it will void the warranty in some cases. In addition, this solution
breaks the Windows driver when the box dual boots Linux and Windows.
A fix involving a new module parameter has been developed. This commit
adds the new parameter and implements the changes needed for the driver.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Krzysztof Kozlowski [Mon, 14 Mar 2016 00:07:13 +0000 (09:07 +0900)]
hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
commit
f1925d78d7b710a1179828d53e918295f5f5d222 upstream.
In case of timeout during read operation, the exit path lacked PM
runtime put. This could lead to unbalanced runtime PM usage counter thus
leaving the device in an active state.
Fixes: d7fd6075a205 ("hwrng: exynos - Add timeout for waiting on init done")
Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Joseph Salisbury [Mon, 14 Mar 2016 18:51:48 +0000 (14:51 -0400)]
ath5k: Change led pin configuration for compaq c700 laptop
commit
7b9bc799a445aea95f64f15e0083cb19b5789abe upstream.
BugLink: http://bugs.launchpad.net/bugs/972604
Commit
09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin
configuration for compaq c700 laptop") added a pin configuration for the Compaq
c700 laptop. However, the polarity of the led pin is reversed. It should be
red for wifi off and blue for wifi on, but it is the opposite. This bug was
reported in the following bug report:
http://pad.lv/972604
Fixes: 09c9bae26b0d3c9472cb6ae45010460a2cee8b8d ("ath5k: add led pin configuration for compaq c700 laptop")
Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Anilkumar Kolli [Tue, 26 Apr 2016 16:05:48 +0000 (21:35 +0530)]
ath10k: fix kernel panic, move arvifs list head init before htt init
commit
4ad24a9d83bd4bf0a85e95bf144e18d3fda4fbf1 upstream.
It is observed that while loading and unloading ath10k modules
in an infinite loop, before ath10k_core_start() completion HTT
rx frames are received, while processing these frames,
dereferencing the arvifs list code is getting hit before
initilizing the arvifs list, causing a kernel panic.
This patch initilizes the arvifs list before initilizing htt.
Fixes the below issue:
[<
bf88b058>] (ath10k_htt_rx_pktlog_completion_handler+0x278/0xd08 [ath10k_core])
[<
bf88b058>] (ath10k_htt_rx_pktlog_completion_handler [ath10k_core])
[<
bf88c0dc>] (ath10k_htt_txrx_compl_task+0x5f4/0xeb0 [ath10k_core])
[<
bf88c0dc>] (ath10k_htt_txrx_compl_task [ath10k_core])
[<
c0234100>] (tasklet_action+0x8c/0xec)
[<
c0234100>] (tasklet_action)
[<
c02337c0>] (__do_softirq+0xf8/0x228)
[<
c02337c0>] (__do_softirq) [<
c0233920>] (run_ksoftirqd+0x30/0x90)
Code:
e5954ad8 e2899008 e1540009 0a00000d (
e5943008)
---[ end trace
71de5c2e011dbf56 ]---
Kernel panic - not syncing: Fatal exception in interrupt
Fixes: 500ff9f9389d ("ath10k: implement chanctx API")
Signed-off-by: Anilkumar Kolli <akolli@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rajkumar Manoharan [Thu, 7 Apr 2016 06:41:54 +0000 (12:11 +0530)]
ath10k: fix rx_channel during hw reconfigure
commit
1ce8c1484e80010a6e4b9611c65668ff77556f45 upstream.
Upon firmware assert, restart work will be triggered so that mac80211
will reconfigure the driver. An issue is reported that after restart
work, survey dump data do not contain in-use (SURVEY_INFO_IN_USE) info
for operating channel. During reconfigure, since mac80211 already has
valid channel context for given radio, channel context iteration return
num_chanctx > 0. Hence rx_channel is always NULL. Fix this by assigning
channel context to rx_channel when driver restart is in progress.
Signed-off-by: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
projects / firefly-linux-kernel-4.4.55.git / log