Peter Chen [Wed, 24 Feb 2016 03:05:25 +0000 (11:05 +0800)]
usb: chipidea: otg: change workqueue ci_otg as freezable
If we use USB ID pin as wakeup source, and there is a USB block
device on this USB OTG (ID) cable, the system will be deadlock
after system resume.
The root cause for this problem is: the workqueue ci_otg may try
to remove hcd before the driver resume has finished, and hcd will
disconnect the device on it, then, it will call device_release_driver,
and holds the device lock "dev->mutex", but it is never unlocked since
it waits workqueue writeback to run to flush the block information, but
the workqueue writeback is freezable, it is not thawed before driver
resume has finished.
When the driver (device: sd 0:0:0:0:) resume goes to dpm_complete, it
tries to get its device lock "dev->mutex", but it can't get it forever,
then the deadlock occurs. Below call stacks show the situation.
So, in order to fix this problem, we need to change workqueue ci_otg
as freezable, then the work item in this workqueue will be run after
driver's resume, this workqueue will not be blocked forever like above
case since the workqueue writeback has been thawed too.
Tested at: i.mx6qdl-sabresd and i.mx6sx-sdb.
[ 555.178869] kworker/u2:13 D
c07de74c 0 826 2 0x00000000
[ 555.185310] Workqueue: ci_otg ci_otg_work
[ 555.189353] Backtrace:
[ 555.191849] [<
c07de4fc>] (__schedule) from [<
c07dec6c>] (schedule+0x48/0xa0)
[ 555.198912] r10:
ee471ba0 r9:
00000000 r8:
00000000 r7:
00000002 r6:
ee470000 r5:
ee471ba4
[ 555.206867] r4:
ee470000
[ 555.209453] [<
c07dec24>] (schedule) from [<
c07e2fc4>] (schedule_timeout+0x15c/0x1e0)
[ 555.217212] r4:
7fffffff r3:
edc2b000
[ 555.220862] [<
c07e2e68>] (schedule_timeout) from [<
c07df6c8>] (wait_for_common+0x94/0x144)
[ 555.229140] r8:
00000000 r7:
00000002 r6:
ee470000 r5:
ee471ba4 r4:
7fffffff
[ 555.235980] [<
c07df634>] (wait_for_common) from [<
c07df790>] (wait_for_completion+0x18/0x1c)
[ 555.244430] r10:
00000001 r9:
c0b5563c r8:
c0042e48 r7:
ef086000 r6:
eea4372c r5:
ef131b00
[ 555.252383] r4:
00000000
[ 555.254970] [<
c07df778>] (wait_for_completion) from [<
c0043cb8>] (flush_work+0x19c/0x234)
[ 555.263177] [<
c0043b1c>] (flush_work) from [<
c0043fac>] (flush_delayed_work+0x48/0x4c)
[ 555.271106] r8:
ed5b5000 r7:
c0b38a3c r6:
eea439cc r5:
eea4372c r4:
eea4372c
[ 555.277958] [<
c0043f64>] (flush_delayed_work) from [<
c00eae18>] (bdi_unregister+0x84/0xec)
[ 555.286236] r4:
eea43520 r3:
20000153
[ 555.289885] [<
c00ead94>] (bdi_unregister) from [<
c02c2154>] (blk_cleanup_queue+0x180/0x29c)
[ 555.298250] r5:
eea43808 r4:
eea43400
[ 555.301909] [<
c02c1fd4>] (blk_cleanup_queue) from [<
c0417914>] (__scsi_remove_device+0x48/0xb8)
[ 555.310623] r7:
00000000 r6:
20000153 r5:
ededa950 r4:
ededa800
[ 555.316403] [<
c04178cc>] (__scsi_remove_device) from [<
c0415e90>] (scsi_forget_host+0x64/0x68)
[ 555.325028] r5:
ededa800 r4:
ed5b5000
[ 555.328689] [<
c0415e2c>] (scsi_forget_host) from [<
c0409828>] (scsi_remove_host+0x78/0x104)
[ 555.337054] r5:
ed5b5068 r4:
ed5b5000
[ 555.340709] [<
c04097b0>] (scsi_remove_host) from [<
c04cdfcc>] (usb_stor_disconnect+0x50/0xb4)
[ 555.349247] r6:
ed5b56e4 r5:
ed5b5818 r4:
ed5b5690 r3:
00000008
[ 555.355025] [<
c04cdf7c>] (usb_stor_disconnect) from [<
c04b3bc8>] (usb_unbind_interface+0x78/0x25c)
[ 555.363997] r8:
c13919b4 r7:
edd3c000 r6:
edd3c020 r5:
ee551c68 r4:
ee551c00 r3:
c04cdf7c
[ 555.371892] [<
c04b3b50>] (usb_unbind_interface) from [<
c03dc248>] (__device_release_driver+0x8c/0x118)
[ 555.381213] r10:
00000001 r9:
edd90c00 r8:
c13919b4 r7:
ee551c68 r6:
c0b546e0 r5:
c0b5563c
[ 555.389167] r4:
edd3c020
[ 555.391752] [<
c03dc1bc>] (__device_release_driver) from [<
c03dc2fc>] (device_release_driver+0x28/0x34)
[ 555.401071] r5:
edd3c020 r4:
edd3c054
[ 555.404721] [<
c03dc2d4>] (device_release_driver) from [<
c03db304>] (bus_remove_device+0xe0/0x110)
[ 555.413607] r5:
edd3c020 r4:
ef17f04c
[ 555.417253] [<
c03db224>] (bus_remove_device) from [<
c03d8128>] (device_del+0x114/0x21c)
[ 555.425270] r6:
edd3c028 r5:
edd3c020 r4:
ee551c00 r3:
00000000
[ 555.431045] [<
c03d8014>] (device_del) from [<
c04b1560>] (usb_disable_device+0xa4/0x1e8)
[ 555.439061] r8:
edd3c000 r7:
eded8000 r6:
00000000 r5:
00000001 r4:
ee551c00
[ 555.445906] [<
c04b14bc>] (usb_disable_device) from [<
c04a8e54>] (usb_disconnect+0x74/0x224)
[ 555.454271] r9:
edd90c00 r8:
ee551000 r7:
ee551c68 r6:
ee551c9c r5:
ee551c00 r4:
00000001
[ 555.462156] [<
c04a8de0>] (usb_disconnect) from [<
c04a8fb8>] (usb_disconnect+0x1d8/0x224)
[ 555.470259] r10:
00000001 r9:
edd90000 r8:
ee471e2c r7:
ee551468 r6:
ee55149c r5:
ee551400
[ 555.478213] r4:
00000001
[ 555.480797] [<
c04a8de0>] (usb_disconnect) from [<
c04ae5ec>] (usb_remove_hcd+0xa0/0x1ac)
[ 555.488813] r10:
00000001 r9:
ee471eb0 r8:
00000000 r7:
ef3d9500 r6:
eded810c r5:
eded80b0
[ 555.496765] r4:
eded8000
[ 555.499351] [<
c04ae54c>] (usb_remove_hcd) from [<
c04d4158>] (host_stop+0x28/0x64)
[ 555.506847] r6:
eeb50010 r5:
eded8000 r4:
eeb51010
[ 555.511563] [<
c04d4130>] (host_stop) from [<
c04d09b8>] (ci_otg_work+0xc4/0x124)
[ 555.518885] r6:
00000001 r5:
eeb50010 r4:
eeb502a0 r3:
c04d4130
[ 555.524665] [<
c04d08f4>] (ci_otg_work) from [<
c00454f0>] (process_one_work+0x194/0x420)
[ 555.532682] r6:
ef086000 r5:
eeb502a0 r4:
edc44480
[ 555.537393] [<
c004535c>] (process_one_work) from [<
c00457b0>] (worker_thread+0x34/0x514)
[ 555.545496] r10:
edc44480 r9:
ef086000 r8:
c0b1a100 r7:
ef086034 r6:
00000088 r5:
edc44498
[ 555.553450] r4:
ef086000
[ 555.556032] [<
c004577c>] (worker_thread) from [<
c004bab4>] (kthread+0xdc/0xf8)
[ 555.563268] r10:
00000000 r9:
00000000 r8:
00000000 r7:
c004577c r6:
edc44480 r5:
eddc15c0
[ 555.571221] r4:
00000000
[ 555.573804] [<
c004b9d8>] (kthread) from [<
c000fef0>] (ret_from_fork+0x14/0x24)
[ 555.581040] r7:
00000000 r6:
00000000 r5:
c004b9d8 r4:
eddc15c0
[ 553.429383] sh D
c07de74c 0 694 691 0x00000000
[ 553.435801] Backtrace:
[ 553.438295] [<
c07de4fc>] (__schedule) from [<
c07dec6c>] (schedule+0x48/0xa0)
[ 553.445358] r10:
edd3c054 r9:
edd3c078 r8:
edddbd50 r7:
edcbbc00 r6:
c1377c34 r5:
60000153
[ 553.453313] r4:
eddda000
[ 553.455896] [<
c07dec24>] (schedule) from [<
c07deff8>] (schedule_preempt_disabled+0x10/0x14)
[ 553.464261] r4:
edd3c058 r3:
0000000a
[ 553.467910] [<
c07defe8>] (schedule_preempt_disabled) from [<
c07e0bbc>] (mutex_lock_nested+0x1a0/0x3e8)
[ 553.477254] [<
c07e0a1c>] (mutex_lock_nested) from [<
c03e927c>] (dpm_complete+0xc0/0x1b0)
[ 553.485358] r10:
00561408 r9:
edd3c054 r8:
c0b4863c r7:
edddbd90 r6:
c0b485d8 r5:
edd3c020
[ 553.493313] r4:
edd3c0d0
[ 553.495896] [<
c03e91bc>] (dpm_complete) from [<
c03e9388>] (dpm_resume_end+0x1c/0x20)
[ 553.503652] r9:
00000000 r8:
c0b1a9d0 r7:
c1334ec0 r6:
c1334edc r5:
00000003 r4:
00000010
[ 553.511544] [<
c03e936c>] (dpm_resume_end) from [<
c0079894>] (suspend_devices_and_enter+0x158/0x504)
[ 553.520604] r4:
00000000 r3:
c1334efc
[ 553.524250] [<
c007973c>] (suspend_devices_and_enter) from [<
c0079e74>] (pm_suspend+0x234/0x2cc)
[ 553.532961] r10:
00561408 r9:
ed6b7300 r8:
00000004 r7:
c1334eec r6:
00000000 r5:
c1334ee8
[ 553.540914] r4:
00000003
[ 553.543493] [<
c0079c40>] (pm_suspend) from [<
c0078a6c>] (state_store+0x6c/0xc0)
[ 555.703684] 7 locks held by kworker/u2:13/826:
[ 555.708140] #0: ("%s""ci_otg"){++++.+}, at: [<
c0045484>] process_one_work+0x128/0x420
[ 555.716277] #1: ((&ci->work)){+.+.+.}, at: [<
c0045484>] process_one_work+0x128/0x420
[ 555.724317] #2: (usb_bus_list_lock){+.+.+.}, at: [<
c04ae5e4>] usb_remove_hcd+0x98/0x1ac
[ 555.732626] #3: (&dev->mutex){......}, at: [<
c04a8e28>] usb_disconnect+0x48/0x224
[ 555.740403] #4: (&dev->mutex){......}, at: [<
c04a8e28>] usb_disconnect+0x48/0x224
[ 555.748179] #5: (&dev->mutex){......}, at: [<
c03dc2f4>] device_release_driver+0x20/0x34
[ 555.756487] #6: (&shost->scan_mutex){+.+.+.}, at: [<
c04097d0>] scsi_remove_host+0x20/0x104
Cc: <stable@vger.kernel.org> #v3.14+
Cc: Jun Li <jun.li@nxp.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Greg Kroah-Hartman [Wed, 24 Feb 2016 17:04:21 +0000 (09:04 -0800)]
Merge tag 'fixes-for-v4.5-rc6' of git./linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for v4.5-rc6
The most important fixes here are:
a) yet another fix to dwc3's EP transfer resource
assignment logic. This time around we will be
pre-allocating transfer resources to avoid any
future issues;
b) two DMA fixes for the old MUSB driver.
c) dwc2's data toggle fix for FS
Other than these, we have a few other minor fixes
elsewhere.
Felipe Balbi [Fri, 19 Feb 2016 09:04:55 +0000 (11:04 +0200)]
MAINTAINERS: drop OMAP USB and MUSB maintainership
Now that I have switched to another company, I won't
be able to help by maintaining OMAP USB Support and/or
the MUSB driver.
OMAP USB Support is left Orphaned. MUSB's new
maintainer will be Bin Liu from Texas Instruments
who has accepted to take over starting with v4.6.
Cc: Bin Liu <b-liu@ti.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Cristian Birsan [Fri, 19 Feb 2016 08:11:56 +0000 (10:11 +0200)]
usb: musb: fix DMA for host mode
Commit
ac33cdb16681 ("usb: musb: Remove ifdefs for musb_host_rx in
musb_host.c part5") introduces a problem setting DMA host mode.
The musb_advance_schedule() is called immediately after receiving an
endpoint RX interrupt without waiting for the DMA transfer to complete.
As a consequence when the dma complete interrupt arrives the in_qh
member of hw_ep is already null an the musb_host_rx() exits on !urb
error case. Fix the done condition that advances the musb schedule.
Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
Tested-by: Ladislav Michl <ladis@linux-mips.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Ivan T. Ivanov [Fri, 5 Feb 2016 19:17:09 +0000 (19:17 +0000)]
usb: phy: msm: Trigger USB state detection work in DRD mode
When working in Dual Role Device mode, USB state machine is not kicked,
when host or gadget drivers are loaded. Fix this be explicitly triggering
state detection on client driver load.
Issue is that if the board is booted without micro usb cable and usb
device attached, kernel fails to populate the usb host and device.
The reason for this is that the state machine worker logic only checks
for USB_DR_MODE_PERIPHERAL and USB_DR_MODE_HOST modes to run worker
thread. However if the phy is configured in OTG mode it would fail
to run the state machine, resulting in failure to detect for very
first time.
This patch fixes the issue by removing the explicit checks.
Issue is noticed on Qualcomm Dragon board DB410C.
[srinivas.kandagatla@linaro.org: Added more details to log]
Signed-off-by: Ivan T. Ivanov <ivan.ivanov@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Simon Appleby [Tue, 9 Feb 2016 09:19:46 +0000 (09:19 +0000)]
usb: gadget: net2280: fix endpoint max packet for super speed connections
This patch fixes the register offset used for super-speed connection's
max packet size. Without it using the 338x series of devices in enhanced
mode will only allow full or high speed operation to function correctly.
Signed-off-by: Simon Appleby <simon.appleby@pickeringtest.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Marek Szyprowski [Thu, 18 Feb 2016 07:59:26 +0000 (08:59 +0100)]
usb: gadget: gadgetfs: unregister gadget only if it got successfully registered
Gadgetfs driver called usb_gadget_unregister_driver unconditionally, even
if it didn't register it earlier due to other failures. This patch fixes
this.
Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Marek Szyprowski [Mon, 8 Feb 2016 12:42:14 +0000 (13:42 +0100)]
usb: gadget: remove driver from pending list on probe error
Retry gadget probe only if the probe result is -EPROBE_DEFER, not on
every probe error.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Greg Kroah-Hartman [Sat, 20 Feb 2016 22:19:34 +0000 (14:19 -0800)]
Revert "usb: hub: do not clear BOS field during reset device"
This reverts commit
d8f00cd685f5c8e0def8593e520a7fef12c22407.
Tony writes:
This upstream commit is causing an oops:
d8f00cd685f5 ("usb: hub: do not clear BOS field during reset device")
This patch has already been included in several -stable kernels. Here
are the affected kernels:
4.5.0-rc4 (current git)
4.4.2
4.3.6 (currently in review)
4.1.18
3.18.27
3.14.61
How to reproduce the problem:
Boot kernel with slub debugging enabled (otherwise memory corruption
will cause random oopses later instead of immediately)
Plug in USB 3.0 disk to xhci USB 3.0 port
dd if=/dev/sdc of=/dev/null bs=65536
(where /dev/sdc is the USB 3.0 disk)
Unplug USB cable while dd is still going
Oops is immediate:
Reported-by: Tony Battersby <tonyb@cybernetics.com>
Cc: Du, Changbin <changbin.du@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Sat, 20 Feb 2016 22:18:34 +0000 (14:18 -0800)]
Merge tag 'usb-serial-4.5-rc5' of git://git./linux/kernel/git/johan/usb-serial into usb-linus
Johan writes:
USB-serial fixes for v4.5-rc5
Here are some new device ids.
Signed-off-by: Johan Hovold <johan@kernel.org>
Greg Kroah-Hartman [Sat, 20 Feb 2016 22:13:55 +0000 (14:13 -0800)]
Merge tag 'usb-ci-v4.5-rc5' of git://git./linux/kernel/git/peter.chen/usb into usb-linus
Peter writes:
Some tiny bug fixes for chipidea driver
Wei Yongjun [Sat, 6 Feb 2016 14:57:06 +0000 (22:57 +0800)]
usb: chipidea: fix return value check in ci_hdrc_pci_probe()
In case of error, the function usb_phy_generic_register()
returns ERR_PTR() and never returns NULL. The NULL test in
the return value check should be replaced with IS_ERR().
Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Alan [Mon, 15 Feb 2016 19:09:46 +0000 (19:09 +0000)]
usb: chipidea: error on overflow for port_test_write
The write value is 8bit, but currently writing a larger number
(eg a doubled digit) is not errored but instead gets cast and
sets off an action probably undesired.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Peter Chen <peter.chen@nxp.com>
(Change the style of commit log to fix checkpatch.pl warning)
Bjørn Mork [Fri, 12 Feb 2016 15:40:00 +0000 (16:40 +0100)]
USB: option: add "4G LTE usb-modem U901"
Thomas reports:
T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
P: Vendor=05c6 ProdID=6001 Rev=00.00
S: Manufacturer=USB Modem
S: Product=USB Modem
S: SerialNumber=
1234567890ABCDEF
C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I: If#= 4 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
Cc: <stable@vger.kernel.org>
Reported-by: Thomas Schäfer <tschaefer@t-online.de>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Johan Hovold <johan@kernel.org>
Ken Lin [Mon, 1 Feb 2016 19:57:25 +0000 (14:57 -0500)]
USB: cp210x: add IDs for GE B650V3 and B850V3 boards
Add USB ID for cp2104/5 devices on GE B650v3 and B850v3 boards.
Signed-off-by: Ken Lin <ken.lin@advantech.com.tw>
Signed-off-by: Akshay Bhat <akshay.bhat@timesys.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Andrey Skvortsov [Thu, 28 Jan 2016 21:07:30 +0000 (00:07 +0300)]
USB: option: add support for SIM7100E
$ lsusb:
Bus 001 Device 101: ID 1e0e:9001 Qualcomm / Option
$ usb-devices:
T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=101 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 2
P: Vendor=1e0e ProdID=9001 Rev= 2.32
S: Manufacturer=SimTech, Incorporated
S: Product=SimTech, Incorporated
S: SerialNumber=
0123456789ABCDEF
C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
The last interface (6) is used for Android Composite ADB interface.
Serial port layout:
0: QCDM/DIAG
1: NMEA
2: AT
3: AT/PPP
4: audio
Signed-off-by: Andrey Skvortsov <andrej.skvortzov@gmail.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Cristian Birsan [Thu, 11 Feb 2016 15:58:17 +0000 (08:58 -0700)]
usb: musb: Fix DMA desired mode for Mentor DMA engine
Commit
754fe4a92c07 ("usb: musb: Remove ifdefs for TX DMA for musb_host.c")
introduces a problem setting the desired channel mode for the Mentor DMA
engine.
There is a case where an address is incorrectly assigned to the DMA
channel desired mode when it should instead be assigned the actual mode
value. This results in the value of channel->desired_mode not being
correct.
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
Signed-off-by: Joshua Henderson <joshua.henderson@microchip.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Andrzej Hajda [Mon, 15 Feb 2016 14:35:25 +0000 (15:35 +0100)]
usb: gadget: fsl_qe_udc: fix IS_ERR_VALUE usage
IS_ERR_VALUE macro should be used only with unsigned long type.
Otherwise it can work incorrectly.
The patch follows conclusion from discussion on LKML [1][2].
[1]: http://permalink.gmane.org/gmane.linux.kernel/
2120927
[2]: http://permalink.gmane.org/gmane.linux.kernel/
2150581
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Geert Uytterhoeven [Tue, 16 Feb 2016 15:10:59 +0000 (16:10 +0100)]
usb: dwc2: USB_DWC2 should depend on HAS_DMA
If NO_DMA=y:
ERROR: "usb_gadget_map_request" [drivers/usb/dwc2/dwc2.ko] undefined!
ERROR: "usb_gadget_unmap_request" [drivers/usb/dwc2/dwc2.ko] undefined!
ERROR: "bad_dma_ops" [drivers/usb/dwc2/dwc2.ko] undefined!
Add a dependency on HAS_DMA to fix this.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Tang, Jianqiang [Tue, 16 Feb 2016 23:02:07 +0000 (15:02 -0800)]
usb: dwc2: host: fix the data toggle error in full speed descriptor dma
There will be data toggle error happen for full speed buld-out transfer.
The data toggle bit is saved in qh for non-control transfers, it is wrong
to check the qtd for that case.
Also fix one static analysis tool issue after fix the data toggle error.
John Youn:
* Added WARN() to warn on improper usage of the
dwc2_hcd_save_data_toggle() function.
Signed-off-by: Dyson Lee <dyson.lee@intel.com>
Signed-off-by: Tang, Jianqiang <jianqiang.tang@intel.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Vardan Mikayelyan [Tue, 16 Feb 2016 23:01:53 +0000 (15:01 -0800)]
usb: dwc2: host: fix logical omissions in dwc2_process_non_isoc_desc
Fixes memory manipulation issues and makes Host DDMA bulk transfers
work.
dwc2_process_non_isoc_desc() must return non zero value ONLY when
failure happens in one of the queued descriptors. After receiving
non zero value the caller must stop processing of remaining
QTDs and their descriptors from chain.
Commit
26a19ea699060fde ("usb: dwc2: host: fix use of qtd after
free in desc dma mode") breaks non_isoc transaction completion logic
in Host DDMA mode. There were bugs before that, but after this patch
dwc2_process_non_isoc_desc() returns fail status even if descriptor
was processed normally. This causes break from loop which is processing
remaining descriptors assigned to QTD, which is not correct for QTDs
containing more than one descriptor.
Current dwc2 driver gathers queued BULK URBs until receiving URB
without URB_NO_INTERRUPT flag. Once getting it, SW creates
descriptor chain, stores it in qh structure and passes start
address to HW. Multiple URB data is contained in that chain.
Hence on getting error on descriptor after its processing by HW,
SW should go out of both loops(qh->qtd, qtd->descs) and report
the failure.
Fixes:
26a19ea699060fde ("usb: dwc2: host: fix use of qtd after free in desc dma mode")
Cc: Gregory Herrero <gregory.herrero@intel.com>
Signed-off-by: Vardan Mikayelyan <mvardan@synopsys.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
John Youn [Wed, 17 Feb 2016 04:10:53 +0000 (20:10 -0800)]
usb: dwc3: Fix assignment of EP transfer resources
The assignement of EP transfer resources was not handled properly in the
dwc3 driver. Commit
aebda6187181 ("usb: dwc3: Reset the transfer
resource index on SET_INTERFACE") previously fixed one aspect of this
where resources may be exhausted with multiple calls to SET_INTERFACE.
However, it introduced an issue where composite devices with multiple
interfaces can be assigned the same transfer resources for different
endpoints. This patch solves both issues.
The assignment of transfer resources cannot perfectly follow the data
book due to the fact that the controller driver does not have all
knowledge of the configuration in advance. It is given this information
piecemeal by the composite gadget framework after every
SET_CONFIGURATION and SET_INTERFACE. Trying to follow the databook
programming model in this scenario can cause errors. For two reasons:
1) The databook says to do DEPSTARTCFG for every SET_CONFIGURATION and
SET_INTERFACE (8.1.5). This is incorrect in the scenario of multiple
interfaces.
2) The databook does not mention doing more DEPXFERCFG for new endpoint
on alt setting (8.1.6).
The following simplified method is used instead:
All hardware endpoints can be assigned a transfer resource and this
setting will stay persistent until either a core reset or hibernation.
So whenever we do a DEPSTARTCFG(0) we can go ahead and do DEPXFERCFG for
every hardware endpoint as well. We are guaranteed that there are as
many transfer resources as endpoints.
This patch triggers off of the calling dwc3_gadget_start_config() for
EP0-out, which always happens first, and which should only happen in one
of the above conditions.
Fixes:
aebda6187181 ("usb: dwc3: Reset the transfer resource index on SET_INTERFACE")
Cc: <stable@vger.kernel.org> # v3.2+
Reported-by: Ravi Babu <ravibabu@ti.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
John Youn [Mon, 15 Feb 2016 23:30:20 +0000 (15:30 -0800)]
usb: dwc2: Add extra delay when forcing dr_mode
Fixes an issue found on rockchip rk3036 and rk3188 SOC platforms. For
some reason, the existing msleep(25) is not enough after the force mode.
The following patch was reported to fix the issue.
This does increase the probe delay again slightly, but not up to the
level it was before the original series of patches that this fixes. It
does not cause any other issues when tested on Synopsys HAPS and Altera
socfpga platforms.
Need to revisit this series next release to see if we can address these
issues without having an unconditional delay.
Fixes:
09c96980dc72 ("usb: dwc2: Add functions to set and clear force mode")
Reported-by: Caesar Wang <caesar.upstream@gmail.com>
Reported-by: Michael Niewoehner <linux@mniewoehner.de>
Tested-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Caesar Wang <caesar.upstream@gmail.com>
Signed-off-by: John Youn <johnyoun@synopsys.com>
Signed-off-by: Felipe Balbi <balbi@kernel.org>
Linus Torvalds [Sun, 14 Feb 2016 21:05:20 +0000 (13:05 -0800)]
Linux 4.5-rc4
Linus Torvalds [Sun, 14 Feb 2016 20:47:45 +0000 (12:47 -0800)]
Merge tag 'char-misc-4.5-rc4' of git://git./linux/kernel/git/gregkh/char-misc
Pull char/misc driver fixes from Greg KH:
"Here are 3 fixes for some reported issues. Two nvmem driver fixes,
and one mei fix. All have been in linux-next just fine"
* tag 'char-misc-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
nvmem: qfprom: Specify LE device endianness
nvmem: core: return error for non word aligned access
mei: validate request value in client notify request ioctl
Linus Torvalds [Sun, 14 Feb 2016 20:34:53 +0000 (12:34 -0800)]
Merge tag 'driver-core-4.5-rc4' of git://git./linux/kernel/git/gregkh/driver-core
Pull driver core fix from Greg KH:
"Here is one driver core, well klist, fix for 4.5-rc4.
It fixes a problem found in the scsi device list traversal that
probably also could be triggered by other subsystems.
The fix has been in linux-next for a while with no reported problems"
* tag 'driver-core-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
klist: fix starting point removed bug in klist iterators
Linus Torvalds [Sun, 14 Feb 2016 20:29:59 +0000 (12:29 -0800)]
Merge tag 'tty-4.5-rc4' of git://git./linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are a number of small tty and serial driver fixes for 4.5-rc4
that resolve some reported issues.
One of them got reverted as it wasn't correct based on testing, and
all have been in linux-next for a while"
* tag 'tty-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
Revert "8250: uniphier: allow modular build with 8250 console"
pty: make sure super_block is still valid in final /dev/tty close
pty: fix possible use after free of tty->driver_data
tty: Add support for PCIe WCH382 2S multi-IO card
serial/omap: mark wait_for_xmitr as __maybe_unused
serial: omap: Prevent DoS using unprivileged ioctl(TIOCSRS485)
8250: uniphier: allow modular build with 8250 console
tty: Drop krefs for interrupted tty lock
Linus Torvalds [Sun, 14 Feb 2016 20:24:28 +0000 (12:24 -0800)]
Merge tag 'usb-4.5-rc4' of git://git./linux/kernel/git/gregkh/usb
Pull PHY fixes from Greg KH:
"Here are a couple of PHY driver fixes for 4.5-rc4.
A few small phy issues. All have been in linux-next with no reported
issues"
* tag 'usb-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
phy: twl4030-usb: Fix unbalanced pm_runtime_enable on module reload
phy: twl4030-usb: Relase usb phy on unload
phy: core: fix wrong err handle for phy_power_on
phy: Restrict phy-hi6220-usb to HiSilicon arm64
Linus Torvalds [Sun, 14 Feb 2016 20:07:55 +0000 (12:07 -0800)]
Merge branch 'perf-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull perf tooling fixes from Thomas Gleixner:
"Another round of fixes for the perf tooling side:
- Prevent a NULL pointer dereference in tracepoint error handling
- Fix a thread handling bug in the intel_pt error handling code
- Search both .eh_frame and .debug_frame sections as toolchains seem
to have random choices of storing the CFI information
- Fix the perf state interval output values, which got broken when
fixing the overall output"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
perf stat: Fix interval output values
perf probe: Search both .eh_frame and .debug_frame sections for probe location
perf tools: Fix thread lifetime related segfaut in intel_pt
perf tools: tracepoint_error() can receive e=NULL, robustify it
Linus Torvalds [Sun, 14 Feb 2016 20:02:05 +0000 (12:02 -0800)]
Merge branch 'locking-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull lockdep fix from Thomas Gleixner:
"A single fix for the stack trace caching logic in lockdep, where the
duplicate avoidance managed to store no back trace at all"
* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
locking/lockdep: Fix stack trace caching logic
Linus Torvalds [Sun, 14 Feb 2016 19:57:24 +0000 (11:57 -0800)]
Merge branch 'timers-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull timer fix from Thomas Gleixner:
"A single fix preventing a 32bit overflow in timespec/val to cputime
conversions on 32bit machines"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
cputime: Prevent 32bit overflow in time[val|spec]_to_cputime()
Linus Torvalds [Sun, 14 Feb 2016 19:49:30 +0000 (11:49 -0800)]
Merge branch 'irq-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull irqchip fixes from Thomas Gleixner:
"Another set of ARM SoC related irqchip fixes:
- Plug a memory leak in gicv3-its
- Limit features to the root gic interrupt controller
- Add a missing barrier in the gic-v3 IAR access
- Another compile test fix for sun4i"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/gic-v3: Make sure read from ICC_IAR1_EL1 is visible on redestributor
irqchip/gic: Only set the EOImodeNS bit for the root controller
irqchip/gic: Only populate set_affinity for the root controller
irqchip/gicv3-its: Fix memory leak in its_free_tables()
irqchip/sun4i: Fix compilation outside of arch/arm
Linus Torvalds [Sun, 14 Feb 2016 18:50:26 +0000 (10:50 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
"Two small fixlets for x86:
- Prevent a KASAN false positive in thread_saved_pc()
- Fix a 32-bit truncation problem in the x86 numa code"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mm/numa: Fix 32-bit memblock range truncation bug on 32-bit NUMA kernels
x86: Fix KASAN false positives in thread_saved_pc()
Linus Torvalds [Sun, 14 Feb 2016 18:49:01 +0000 (10:49 -0800)]
Merge branch 'upstream' of git://git.linux-mips.org/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
"Here's the first round of MIPS fixes after the merge window:
- Detect Octeon III's PCI correctly.
- Fix return value of the MT7620 probing function.
- Wire up the copy_file_range syscall.
- Fix 64k page support on 32 bit kernels.
- Fix the early Coherency Manager probe.
- Allow only hardware-supported page sizes to be selected for R6000.
- Fix corner cases for the RDHWR nstruction emulation on old hardware.
- Fix FPU handling corner cases.
- Remove stale entry for BCM33xx from the MAINTAINERS file.
- 32 and 64 bit ELF headers are different, handle them correctly"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
mips: Differentiate between 32 and 64 bit ELF header
MIPS: Octeon: Update OCTEON_FEATURE_PCIE for Octeon III
MIPS: pci-mt7620: Fix return value check in mt7620_pci_probe()
MIPS: Fix early CM probing
MIPS: Wire up copy_file_range syscall.
MIPS: Fix 64k page support for 32 bit kernels.
MIPS: R6000: Don't allow 64k pages for R6000.
MIPS: traps.c: Correct microMIPS RDHWR emulation
MIPS: traps.c: Don't emulate RDHWR in the CpU #0 exception handler
MAINTAINERS: Remove stale entry for BCM33xx chips
MIPS: Fix FPU disable with preemption
MIPS: Properly disable FPU in start_thread()
MIPS: Fix buffer overflow in syscall_get_arguments()
Linus Torvalds [Sun, 14 Feb 2016 18:46:47 +0000 (10:46 -0800)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull ARM fixes from Russell King:
"A couple of ARM fixes from Linus for the ICST clock generator code"
[ "Linus" here is Linus Walleij. Name-stealer.
Linus "there can be only one" Torvalds ]
* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
ARM: 8519/1: ICST: try other dividends than 1
ARM: 8517/1: ICST: avoid arithmetic overflow in icst_hz()
Linus Torvalds [Sun, 14 Feb 2016 18:40:21 +0000 (10:40 -0800)]
Merge branch 'component' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Pull component helper fixes from Russell King:
"A few fixes for problems people have encountered with the recent
update to the component helpers"
* 'component' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
component: remove device from master match list on failed add
component: Detach components when deleting master struct
component: fix crash on x86_64 with hda audio drivers
Linus Torvalds [Sun, 14 Feb 2016 01:35:23 +0000 (17:35 -0800)]
Merge tag 'for-linus' of git://git./linux/kernel/git/dledford/rdma
Pull more rdma fixes from Doug Ledford:
"I think we are getting pretty close to done now. There are four
one-off fixes in this update:
- fix ipoib multicast joins
- fix mlx4 error handling
- fix mlx5 size computation
- fix a thinko in core code"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
IB/mlx5: Fix RC transport send queue overhead computation
IB/ipoib: fix for rare multicast join race condition
IB/core: Fix reading capability mask of the port info class
net/mlx4: fix some error handling in mlx4_multi_func_init()
Linus Torvalds [Sun, 14 Feb 2016 00:39:27 +0000 (16:39 -0800)]
Merge git://git./linux/kernel/git/nab/target-pending
Pull SCSI target fixes from Nicholas Bellinger:
"This includes the long awaited series to address a set of bugs around
active I/O remote-port LUN_RESET, as well as properly handling this
same case with concurrent fabric driver session disconnect ->
reconnect.
Note this set of LUN_RESET bug-fixes has been surviving extended
testing on both v4.5-rc1 and v3.14.y code over the last weeks, and is
CC'ed for stable as it's something folks using multiple ESX connected
hosts with slow backends can certainly trigger.
The highlights also include:
- Fix WRITE_SAME/DISCARD emulation 4k sector conversion in
target/iblock (Mike Christie)
- Fix TMR abort interaction and AIO type TMR response in qla2xxx
target (Quinn Tran + Swapnil Nagle)
- Fix >= v3.17 stale descriptor pointer regression in qla2xxx target
(Quinn Tran)
- Fix >= v4.5-rc1 return regression with unmap_zeros_data_store new
configfs store handler (nab)
- Add CPU affinity flag + convert qla2xxx to use bit (Quinn + HCH +
Bart)"
* git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
qla2xxx: use TARGET_SCF_USE_CPUID flag to indiate CPU Affinity
target/transport: add flag to indicate CPU Affinity is observed
target: Fix incorrect unmap_zeroes_data_store return
qla2xxx: Use ATIO type to send correct tmr response
qla2xxx: Fix stale pointer access.
target/user: Fix cast from pointer to phys_addr_t
target: Drop legacy se_cmd->task_stop_comp + REQUEST_STOP usage
target: Fix race with SCF_SEND_DELAYED_TAS handling
target: Fix remote-port TMR ABORT + se_cmd fabric stop
target: Fix TAS handling for multi-session se_node_acls
target: Fix LUN_RESET active TMR descriptor handling
target: Fix LUN_RESET active I/O handling for ACK_KREF
qla2xxx: Fix TMR ABORT interaction issue between qla2xxx and TCM
qla2xxx: Fix warning reported by static checker
target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
Linus Torvalds [Sat, 13 Feb 2016 21:05:56 +0000 (13:05 -0800)]
Merge branch 'fixes' of git://git./linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal management fixes from Eduardo Valentin:
"Specifics in this pull request:
- Compilation fixes on SPEAR, and U8500 thermal drivers.
- RCAR thermal driver now recognizes OF-thermal based thermal zones.
- Small code rework on OF-thermal.
- These change have been CI tested using KernelCI bot [1,2]. \o/
I am taking over on Rui's behalf while he is out. Happy New Chinese
Year!
[1] - https://kernelci.org/build/evalenti/kernel/
v4.5-rc3-16-ga53b8394ec3c/
[2] - https://kernelci.org/boot/all/job/evalenti/kernel/
v4.5-rc3-16-ga53b8394ec3c/"
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
thermal: cpu_cooling: fix out of bounds access in time_in_idle
thermal: allow u8500-thermal driver to be a module
thermal: allow spear-thermal driver to be a module
thermal: spear: use __maybe_unused for PM functions
thermal: rcar: enable to use thermal-zone on DT
thermal: of: use for_each_available_child_of_node for child iterator
Linus Torvalds [Sat, 13 Feb 2016 21:04:47 +0000 (13:04 -0800)]
Merge tag 'sound-fix-4.5-rc4' of git://git./linux/kernel/git/tiwai/sound
Pull another sound fix from Takashi Iwai:
"This contains a fix for the double-free of usb-audio MIDI device at
probe failure"
* tag 'sound-fix-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: usb-audio: avoid freeing umidi object twice
Linus Torvalds [Sat, 13 Feb 2016 16:18:21 +0000 (08:18 -0800)]
Merge tag 'arc-4.5-fixes' of git://git./linux/kernel/git/vgupta/arc
Pull ARC fixes from Vineet Gupta:
"I've been sitting on some of these fixes for a while.
- Corner case of returning to delay slot from interrupt
- Changing default interrupt prioiry level
- Kconfig'ize support for super pages
- Other minor fixes"
* tag 'arc-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
ARC: mm: Introduce explicit super page size support
ARCv2: intc: Allow interruption by lowest priority interrupt
ARCv2: Check for LL-SC livelock only if LLSC is enabled
ARC: shrink cpuinfo by not saving full timer BCR
ARCv2: clocksource: Rename GRTC -> GFRC ...
ARCv2: STAR
9000950267: Handle return from intr to Delay Slot #2
Andrey Konovalov [Sat, 13 Feb 2016 08:08:06 +0000 (11:08 +0300)]
ALSA: usb-audio: avoid freeing umidi object twice
The 'umidi' object will be free'd on the error path by snd_usbmidi_free()
when tearing down the rawmidi interface. So we shouldn't try to free it
in snd_usbmidi_create() after having registered the rawmidi interface.
Found by KASAN.
Signed-off-by: Andrey Konovalov <andreyknvl@gmail.com>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Linus Torvalds [Fri, 12 Feb 2016 23:31:22 +0000 (15:31 -0800)]
Merge tag 'pci-v4.5-fixes-1' of git://git./linux/kernel/git/helgaas/pci
Pull PCI fixes from Bjorn Helgaas:
"These are some Renesas binding updates for PCI host controllers, a
Broadcom fix for a regression we added in v4.5-rc1, and a fix for an
AER use-after-free problem that can cause memory corruption.
Summary:
AER:
Flush workqueue on device remove to avoid use-after-free (Sebastian Andrzej Siewior)
Broadcom iProc host bridge driver:
Allow multiple devices except on PAXC (Ray Jui)
Renesas R-Car host bridge driver:
Add gen2 device tree support for r8a7793 (Simon Horman)
Add device tree support for r8a7793 (Simon Horman)"
* tag 'pci-v4.5-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: rcar: Add device tree support for r8a7793
PCI: rcar: Add gen2 device tree support for r8a7793
PCI: iproc: Allow multiple devices except on PAXC
PCI/AER: Flush workqueue on device remove to avoid use-after-free
Linus Torvalds [Fri, 12 Feb 2016 21:12:27 +0000 (13:12 -0800)]
Merge branch 'akpm'(patches from Andrew)
Merge fixes from Andrew Morton:
"10 fixes"
The lockdep hlist conversion is in the locking tree too, waiting for the
next merge window. Andrew thought it should go in now. I'll take it,
since it fixes a real problem and looks trivially correct (famous last
words).
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
arch/x86/Kconfig: CONFIG_X86_UV should depend on CONFIG_EFI
mm: fix pfn_t vs highmem
kernel/locking/lockdep.c: convert hash tables to hlists
mm,thp: fix spellos in describing __HAVE_ARCH_FLUSH_PMD_TLB_RANGE
mm,thp: khugepaged: call pte flush at the time of collapse
mm/backing-dev.c: fix error path in wb_init()
mm, dax: check for pmd_none() after split_huge_pmd()
vsprintf: kptr_restrict is okay in IRQ when 2
mm: fix filemap.c kernel doc warning
ubsan: cosmetic fix to Kconfig text
Leon Romanovsky [Thu, 11 Feb 2016 19:09:57 +0000 (21:09 +0200)]
IB/mlx5: Fix RC transport send queue overhead computation
Fix the RC QPs send queue overhead computation to take into account
two additional segments in the WQE which are needed for registration
operations.
The ATOMIC and UMR segments can't coexist together, so chose maximum out
of them.
The commit
9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead
computation") was intended to update RC transport as commit messages
states, but added the code to UC transport.
Fixes:
9e65dc371b5c ("IB/mlx5: Fix RC transport send queue overhead computation")
Signed-off-by: Kamal Heib <kamalh@mellanox.com>
Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
Reviewed-by: Sagi Grimberg <sagig@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Alex Estrin [Thu, 11 Feb 2016 21:30:51 +0000 (16:30 -0500)]
IB/ipoib: fix for rare multicast join race condition
A narrow window for race condition still exist between
multicast join thread and *dev_flush workers.
A kernel crash caused by prolong erratic link state changes
was observed (most likely a faulty cabling):
[167275.656270] BUG: unable to handle kernel NULL pointer dereference at
0000000000000020
[167275.665973] IP: [<
ffffffffa05f8f2e>] ipoib_mcast_join+0xae/0x1d0 [ib_ipoib]
[167275.674443] PGD 0
[167275.677373] Oops: 0000 [#1] SMP
...
[167275.977530] Call Trace:
[167275.982225] [<
ffffffffa05f92f0>] ? ipoib_mcast_free+0x200/0x200 [ib_ipoib]
[167275.992024] [<
ffffffffa05fa1b7>] ipoib_mcast_join_task+0x2a7/0x490
[ib_ipoib]
[167276.002149] [<
ffffffff8109d5fb>] process_one_work+0x17b/0x470
[167276.010754] [<
ffffffff8109e3cb>] worker_thread+0x11b/0x400
[167276.019088] [<
ffffffff8109e2b0>] ? rescuer_thread+0x400/0x400
[167276.027737] [<
ffffffff810a5aef>] kthread+0xcf/0xe0
Here was a hit spot:
ipoib_mcast_join() {
..............
rec.qkey = priv->broadcast->mcmember.qkey;
^^^^^^^
.....
}
Proposed patch should prevent multicast join task to continue
if link state change is detected.
Signed-off-by: Alex Estrin <alex.estrin@intel.com>
Changes from v4:
- as suggested by Doug Ledford, optimized spinlock usage,
i.e. ipoib_mcast_join() is called with lock held.
Changes from v3:
- sync with priv->lock before flag check.
Chages from v2:
- Move check for OPER_UP flag state to mcast_join() to
ensure no event worker is in progress.
- minor style fixes.
Changes from v1:
- No need to lock again if error detected.
Signed-off-by: Doug Ledford <dledford@redhat.com>
Linus Torvalds [Fri, 12 Feb 2016 17:48:55 +0000 (09:48 -0800)]
Merge tag 'mmc-v4.5-rc2' of git://git.linaro.org/people/ulf.hansson/mmc
Pull MMC fixes from Ulf Hansson:
"Here are some mmc fixes intended for v4.5 rc4.
MMC core:
- Fix an sysfs ABI regression
- Return an error in a specific error path dealing with mmc ioctls
MMC host:
- sdhci-pci|acpi: Fix card detect race for Intel BXT/APL
- sh_mmcif: Correct TX DMA channel allocation
- mmc_spi: Fix error handling for dma mapping errors
- sdhci-of-at91: Fix an unbalance issue for the runtime PM usage count
- pxamci: Fix the device-tree probe deferral path
- pxamci: Fix read-only GPIO polarity"
* tag 'mmc-v4.5-rc2' of git://git.linaro.org/people/ulf.hansson/mmc:
Revert "mmc: block: don't use parameter prefix if built as module"
mmc: sdhci-acpi: Fix card detect race for Intel BXT/APL
mmc: sdhci-pci: Fix card detect race for Intel BXT/APL
mmc: sdhci: Allow override of get_cd() called from sdhci_request()
mmc: sdhci: Allow override of mmc host operations
mmc: sh_mmcif: Correct TX DMA channel allocation
mmc: block: return error on failed mmc_blk_get()
mmc: pxamci: fix the device-tree probe deferral path
mmc: mmc_spi: add checks for dma mapping error
mmc: sdhci-of-at91: fix pm runtime unbalanced issue in error path
mmc: pxamci: fix again read-only gpio detection polarity
Linus Torvalds [Fri, 12 Feb 2016 17:42:05 +0000 (09:42 -0800)]
Merge tag 'sound-4.5-rc4' of git://git./linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"In this rc, we've got more volume than previous rc, unsurprisingly;
the majority of updates in ASoC are about Intel drivers, and another
major changes are the continued plumbing of ALSA timer bugs revealed
by syzkaller fuzzer. Hopefully both settle down now.
Other than that, HD-audio received a couple of code fixes as well as
the usual quirks, and various small fixes are found for FireWire
devices, ASoC codecs and drivers"
* tag 'sound-4.5-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (50 commits)
ASoC: arizona: fref must be limited in pseudo-fractional mode
ASoC: sigmadsp: Fix missleading return value
ALSA: timer: Fix race at concurrent reads
ALSA: firewire-digi00x: Drop bogus const type qualifier on dot_scrt()
ALSA: hda - Fix bad dereference of jack object
ALSA: timer: Fix race between stop and interrupt
ALSA: timer: Fix wrong instance passed to slave callbacks
ASoC: Intel: Add module tags for common match module
ASoC: Intel: Load the atom DPCM driver only
ASoC: Intel: Create independent acpi match module
ASoC: Intel: Revert "ASoC: Intel: fix ACPI probe regression with Atom DPCM driver"
ALSA: dummy: Implement timer backend switching more safely
ALSA: hda - Fix speaker output from VAIO AiO machines
Revert "ALSA: hda - Fix noise on Gigabyte Z170X mobo"
ALSA: firewire-tascam: remove needless member for control and status message
ALSA: firewire-tascam: remove a flag for controller
ALSA: firewire-tascam: add support for FW-1804
ALSA: firewire-tascam: fix NULL pointer dereference when model identification fails
ALSA: hda - Fix static checker warning in patch_hdmi.c
ASoC: Intel: Skylake: Remove autosuspend delay
...
Linus Torvalds [Fri, 12 Feb 2016 17:39:34 +0000 (09:39 -0800)]
Merge tag 'fbdev-fixes-4.5' of git://git./linux/kernel/git/tomba/linux
Pull fbdev fixes from Tomi Valkeinen:
- fix omap2plus_defconfig to enable omapfb as it was in v4.4
- ocfb: fix timings for margins
- s6e8ax0, da8xx-fb: fix compile warnings
- mmp: fix build failure caused by bad printk parameters
- imxfb: fix clock issue which kept the display off
* tag 'fbdev-fixes-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/tomba/linux:
video: fbdev: imxfb: Provide a reset mechanism
fbdev: mmp: print IRQ resource using %pR format string
fbdev: da8xx-fb: remove incorrect type cast
fbdev: s6e8ax0: avoid unused function warnings
ocfb: fix tgdel and tvdel timing parameters
ARM: omap2plus_defconfig: update display configs
Linus Torvalds [Fri, 12 Feb 2016 17:32:37 +0000 (09:32 -0800)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"A set of seven fixes:
Two regressions in the new hisi_sas arm driver, a blacklist entry for
the marvell console which was causing a reset cascade without it, a
race fix in the WRITE_SAME/DISCARD routines, a retry fix for the rdac
driver, without which, it would prematurely return EIO and a couple of
fixes for the hyper-v storvsc driver"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
block/sd: Return -EREMOTEIO when WRITE SAME and DISCARD are disabled
SCSI: Add Marvell Console to VPD blacklist
scsi_dh_rdac: always retry MODE SELECT on command lock violation
storvsc: Use the specified target ID in device lookup
storvsc: Install the storvsc specific timeout handler for FC devices
hisi_sas: fix v1 hw check for slot error
hisi_sas: add dependency for HAS_IOMEM
Linus Torvalds [Fri, 12 Feb 2016 17:27:31 +0000 (09:27 -0800)]
Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux
Pull drm amd fixes from Dave Airlie:
"Been pretty quiet.
This is an amdgpu fixes pull from AMD, a bunch of powerplay stability
fixes, race fix, hibernate fix, and a possible circular locking fix"
* 'drm-fixes' of git://people.freedesktop.org/~airlied/linux: (21 commits)
drm/amdgpu: fix issue with overlapping userptrs
drm/radeon: hold reference to fences in radeon_sa_bo_new
drm/amdgpu: remove unnecessary forward declaration
drm/amdgpu: hold reference to fences in amdgpu_sa_bo_new (v2)
drm/amdgpu: fix s4 resume
drm/amdgpu/cz: plumb pg flags through to powerplay
drm/amdgpu/tonga: plumb pg flags through to powerplay
drma/dmgpu: move cg and pg flags into shared headers
drm/amdgpu: remove unused cg defines
drm/amdgpu: add a cgs interface to fetch cg and pg flags
drm/amd/powerplay/tonga: disable vce pg
drm/amd/powerplay/tonga: disable uvd pg
drm/amd/powerplay/cz: disable vce pg
drm/amd/powerplay/cz: disable uvd pg
drm/amdgpu: be consistent with uvd cg flags
drm/amdgpu: clean up vce pg flags for cz/st
drm/amdgpu: handle vce pg flags properly
drm/amdgpu: handle uvd pg flags properly
drm/amdgpu/dpm/ci: switch over to the common pcie caps interface
drm/amdgpu/cik: don't mess with aspm if gpu is root bus
...
Linus Torvalds [Fri, 12 Feb 2016 17:24:48 +0000 (09:24 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/linux-security
Pull crypto fix from James Morris.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
EVM: Use crypto_memneq() for digest comparisons
Linus Torvalds [Fri, 12 Feb 2016 17:21:28 +0000 (09:21 -0800)]
Merge branch 'for-linus-4.5' of git://git./linux/kernel/git/mason/linux-btrfs
Pull btrfs fixes from Chris Mason:
"This has a few fixes from Filipe, along with a readdir fix from Dave
that we've been testing for some time"
* 'for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
btrfs: properly set the termination value of ctx->pos in readdir
Btrfs: fix hang on extent buffer lock caused by the inode_paths ioctl
Btrfs: remove no longer used function extent_read_full_page_nolock()
Btrfs: fix page reading in extent_same ioctl leading to csum errors
Btrfs: fix invalid page accesses in extent_same (dedup) ioctl
Linus Torvalds [Fri, 12 Feb 2016 17:17:03 +0000 (09:17 -0800)]
Merge tag 'xfs-fixes-for-linus-4.5' of git://git./linux/kernel/git/dgc/linux-xfs
Pull xfs fix from Dve Chinner:
"This contains a fix for an endian conversion issue in new CRC
validation in log recovery that was discovered on a ppc64 platform"
* tag 'xfs-fixes-for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs:
xfs: fix endianness error when checking log block crc on big endian platforms
Takashi Iwai [Fri, 12 Feb 2016 08:48:51 +0000 (09:48 +0100)]
Merge tag 'asoc-fix-v4.5-rc4' of git://git./linux/kernel/git/broonie/sound into for-linus
ASoC: Fixes for v4.5
A rather large batch of fixes here, almost all in the Intel driver.
The changes that got merged in this merge window for Skylake were rather
large and as well as issues that you'd expect in a large block of new
code there were some problems created for older processors which needed
fixing up. Things are largely settling down now hopefully.
Ryan Ware [Thu, 11 Feb 2016 23:58:44 +0000 (15:58 -0800)]
EVM: Use crypto_memneq() for digest comparisons
This patch fixes vulnerability CVE-2016-2085. The problem exists
because the vm_verify_hmac() function includes a use of memcmp().
Unfortunately, this allows timing side channel attacks; specifically
a MAC forgery complexity drop from 2^128 to 2^12. This patch changes
the memcmp() to the cryptographically safe crypto_memneq().
Reported-by: Xiaofei Rex Guo <xiaofei.rex.guo@intel.com>
Signed-off-by: Ryan Ware <ware@linux.intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Vineet Gupta [Wed, 10 Feb 2016 01:22:07 +0000 (06:52 +0530)]
ARC: mm: Introduce explicit super page size support
MMUv4 supports 2 concurrent page sizes: Normal and Super [4K to 16M]
So far Linux supported a single super page size for a given Normal page,
depending on the software page walking address split.
e.g. we had 11:8:13 address split for 8K page, which meant super page
was 2 ^(8+13) = 2M (given that THP size has to be PMD_SHIFT)
Now we turn this around, by allowing multiple Super Pages in Kconfig
(currently 2M and 16M only) and forcing page walker address split to
PGDIR_SHIFT and PAGE_SHIFT
For configs without Super page, things are same as before and
PGDIR_SHIFT can be hacked to get non default address split
The motivation for this change is a customer who needs 16M super page
and a 8K Normal page combo.
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Greg Kroah-Hartman [Fri, 12 Feb 2016 04:10:58 +0000 (20:10 -0800)]
Merge tag 'phy-for-4.5-rc' of git://git./linux/kernel/git/kishon/linux-phy into usb-linus
Kishon writes:
phy: for 4.5-rc
*) Fix error handling code in phy core [phy_power_on()]
*) phy-twl4030-usb fixes for unloading the module
*) Restrict phy-hi6220-usb to HiSilicon arm64
Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
Andrew Morton [Fri, 12 Feb 2016 00:13:20 +0000 (16:13 -0800)]
arch/x86/Kconfig: CONFIG_X86_UV should depend on CONFIG_EFI
arch/x86/built-in.o: In function `uv_bios_call':
(.text+0xeba00): undefined reference to `efi_call'
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Suggested-by: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Matt Fleming <matt@codeblueprint.co.uk>
Acked-by: Alex Thorlton <athorlton@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Dan Williams [Fri, 12 Feb 2016 00:13:17 +0000 (16:13 -0800)]
mm: fix pfn_t vs highmem
The pfn_t type uses an unsigned long to store a pfn + flags value. On a
64-bit platform the upper 12 bits of an unsigned long are never used for
storing the value of a pfn. However, this is not true on highmem
platforms, all 32-bits of a pfn value are used to address a 44-bit
physical address space. A pfn_t needs to store a 64-bit value.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=112211
Fixes:
01c8f1c44b83 ("mm, dax, gpu: convert vm_insert_mixed to pfn_t")
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Reported-by: Stuart Foster <smf.linux@ntlworld.com>
Reported-by: Julian Margetson <runaway@candw.ms>
Tested-by: Julian Margetson <runaway@candw.ms>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Andrew Morton [Fri, 12 Feb 2016 00:13:14 +0000 (16:13 -0800)]
kernel/locking/lockdep.c: convert hash tables to hlists
Mike said:
: CONFIG_UBSAN_ALIGNMENT breaks x86-64 kernel with lockdep enabled, i. e
: kernel with CONFIG_UBSAN_ALIGNMENT fails to load without even any error
: message.
:
: The problem is that ubsan callbacks use spinlocks and might be called
: before lockdep is initialized. Particularly this line in the
: reserve_ebda_region function causes problem:
:
: lowmem = *(unsigned short *)__va(BIOS_LOWMEM_KILOBYTES);
:
: If i put lockdep_init() before reserve_ebda_region call in
: x86_64_start_reservations kernel loads well.
Fix this ordering issue permanently: change lockdep so that it uses
hlists for the hash tables. Unlike a list_head, an hlist_head is in its
initialized state when it is all-zeroes, so lockdep is ready for
operation immediately upon boot - lockdep_init() need not have run.
The patch will also save some memory.
lockdep_init() and lockdep_initialized can be done away with now - a 4.6
patch has been prepared to do this.
Reported-by: Mike Krinkin <krinkin.m.u@gmail.com>
Suggested-by: Mike Krinkin <krinkin.m.u@gmail.com>
Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vineet Gupta [Fri, 12 Feb 2016 00:13:11 +0000 (16:13 -0800)]
mm,thp: fix spellos in describing __HAVE_ARCH_FLUSH_PMD_TLB_RANGE
[akpm@linux-foundation.org: s/threshhold/threshold/]
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Vineet Gupta [Fri, 12 Feb 2016 00:13:09 +0000 (16:13 -0800)]
mm,thp: khugepaged: call pte flush at the time of collapse
This showed up on ARC when running LMBench bw_mem tests as Overlapping
TLB Machine Check Exception triggered due to STLB entry (2M pages)
overlapping some NTLB entry (regular 8K page).
bw_mem 2m touches a large chunk of vaddr creating NTLB entries. In the
interim khugepaged kicks in, collapsing the contiguous ptes into a
single pmd. pmdp_collapse_flush()->flush_pmd_tlb_range() is called to
flush out NTLB entries for the ptes. This for ARC (by design) can only
shootdown STLB entries (for pmd). The stray NTLB entries cause the
overlap with the subsequent STLB entry for collapsed page. So make
pmdp_collapse_flush() call pte flush interface not pmd flush.
Note that originally all thp flush call sites in generic code called
flush_tlb_range() leaving it to architecture to implement the flush for
pte and/or pmd. Commit
12ebc1581ad11454 changed this by calling a new
opt-in API flush_pmd_tlb_range() which made the semantics more explicit
but failed to distinguish the pte vs pmd flush in generic code, which is
what this patch fixes.
Note that ARC can fixed w/o touching the generic pmdp_collapse_flush()
by defining a ARC version, but that defeats the purpose of generic
version, plus sementically this is the right thing to do.
Fixes STAR
9000961194: LMBench on AXS103 triggering duplicate TLB
exceptions with super pages
Fixes:
12ebc1581ad11454 ("mm,thp: introduce flush_pmd_tlb_range")
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: <stable@vger.kernel.org> [4.4]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Rasmus Villemoes [Fri, 12 Feb 2016 00:13:06 +0000 (16:13 -0800)]
mm/backing-dev.c: fix error path in wb_init()
We need to use post-decrement to get percpu_counter_destroy() called on
&wb->stat[0]. Moreover, the pre-decremebt would cause infinite
out-of-bounds accesses if the setup code failed at i==0.
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Vladimir Davydov <vdavydov@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Kirill A. Shutemov [Fri, 12 Feb 2016 00:13:03 +0000 (16:13 -0800)]
mm, dax: check for pmd_none() after split_huge_pmd()
DAX implements split_huge_pmd() by clearing pmd. This simple approach
reduces memory overhead, as we don't need to deposit page table on huge
page mapping to make split_huge_pmd() never-fail. PTE table can be
allocated and populated later on page fault from backing store.
But one side effect is that have to check if pmd is pmd_none() after
split_huge_pmd(). In most places we do this already to deal with
parallel MADV_DONTNEED.
But I found two call sites which is not affected by MADV_DONTNEED (due
down_write(mmap_sem)), but need to have the check to work with DAX
properly.
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: Matthew Wilcox <willy@linux.intel.com>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Ross Zwisler <ross.zwisler@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Jason A. Donenfeld [Fri, 12 Feb 2016 00:13:00 +0000 (16:13 -0800)]
vsprintf: kptr_restrict is okay in IRQ when 2
The kptr_restrict flag, when set to 1, only prints the kernel address
when the user has CAP_SYSLOG. When it is set to 2, the kernel address
is always printed as zero. When set to 1, this needs to check whether
or not we're in IRQ.
However, when set to 2, this check is unneccessary, and produces
confusing results in dmesg. Thus, only make sure we're not in IRQ when
mode 1 is used, but not mode 2.
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Randy Dunlap [Fri, 12 Feb 2016 00:12:58 +0000 (16:12 -0800)]
mm: fix filemap.c kernel doc warning
Add missing kernel-doc notation for function parameter 'gfp_mask' to fix
kernel-doc warning.
mm/filemap.c:1898: warning: No description found for parameter 'gfp_mask'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Yang Shi [Fri, 12 Feb 2016 00:12:55 +0000 (16:12 -0800)]
ubsan: cosmetic fix to Kconfig text
When enabling UBSAN_SANITIZE_ALL, the kernel image size gets increased
significantly (~3x). So, it sounds better to have some note in Kconfig.
And, fixed a typo.
Signed-off-by: Yang Shi <yang.shi@linaro.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Thu, 11 Feb 2016 19:25:55 +0000 (11:25 -0800)]
Merge tag 'gpio-v4.5-2' of git://git./linux/kernel/git/linusw/linux-gpio
Pull GPIO fixes from Linus Walleij:
- Probe errorpath fix for the Altera
- irqchip ofnode pointer added to the DaVinci driver
- controller instance number correction for DaVinci
* tag 'gpio-v4.5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
gpio: davinci: Fix the number of controllers allocated
gpio: davinci: Add the missing of-node pointer
gpio: gpio-altera: Remove gpiochip on probe failure.
Linus Torvalds [Thu, 11 Feb 2016 19:17:19 +0000 (11:17 -0800)]
Merge tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
Pull x86 platform driver fixes from Darren Hart:
"Just two small fixes for the 4.5-rc cycle:
intel_scu_ipcutil:
- underflow in scu_reg_access()
intel-hid:
- fix incorrect entries in intel_hid_keymap"
* tag 'platform-drivers-x86-v4.5-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
intel_scu_ipcutil: underflow in scu_reg_access()
intel-hid: fix incorrect entries in intel_hid_keymap
Linus Torvalds [Thu, 11 Feb 2016 19:00:34 +0000 (11:00 -0800)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix BPF handling of branch offset adjustmnets on backjumps, from
Daniel Borkmann.
2) Make sure selinux knows about SOCK_DESTROY netlink messages, from
Lorenzo Colitti.
3) Fix openvswitch tunnel mtu regression, from David Wragg.
4) Fix ICMP handling of TCP sockets in syn_recv state, from Eric
Dumazet.
5) Fix SCTP user hmacid byte ordering bug, from Xin Long.
6) Fix recursive locking in ipv6 addrconf, from Subash Abhinov
Kasiviswanathan.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
bpf: fix branch offset adjustment on backjumps after patching ctx expansion
vxlan, gre, geneve: Set a large MTU on ovs-created tunnel devices
geneve: Relax MTU constraints
vxlan: Relax MTU constraints
flow_dissector: Fix unaligned access in __skb_flow_dissector when used by eth_get_headlen
of: of_mdio: Add marvell,
88e1145 to whitelist of PHY compatibilities.
selinux: nlmsgtab: add SOCK_DESTROY to the netlink mapping tables
sctp: translate network order to host order when users get a hmacid
enic: increment devcmd2 result ring in case of timeout
tg3: Fix for tg3 transmit queue 0 timed out when too many gso_segs
net:Add sysctl_max_skb_frags
tcp: do not drop syn_recv on all icmp reports
ipv6: fix a lockdep splat
unix: correctly track in-flight fds in sending process user_struct
update be2net maintainers' email addresses
dwc_eth_qos: Reset hardware before PHY start
ipv6: addrconf: Fix recursive spin lock call
Eran Ben Elisha [Thu, 11 Feb 2016 08:24:42 +0000 (10:24 +0200)]
IB/core: Fix reading capability mask of the port info class
When checking specific attribute from a bit mask, need to use bitwise
AND and not logical AND, fixed that.
Fixes:
145d9c541032 ('IB/core: Display extended counter set if
available')
Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
Signed-off-by: Matan Barak <matanb@mellanox.com>
Reviewed-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Christoph Lameter <cl@linux.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Rasmus Villemoes [Tue, 9 Feb 2016 20:11:14 +0000 (21:11 +0100)]
net/mlx4: fix some error handling in mlx4_multi_func_init()
The while loop after err_slaves should use post-decrement; otherwise
we'll fail to do the kfrees for i==0, and will run into out-of-bounds
accesses if the setup above failed already at i==0.
[I'm not sure why one even bothers populating the ->vlan_filter array:
mlx4.h isn't #included by anything outside
drivers/net/ethernet/mellanox/mlx4/, and "git grep -C2 -w vlan_filter
drivers/net/ethernet/mellanox/mlx4/" seems to suggest that the
vlan_filter elements aren't used at all.]
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Ulf Hansson [Thu, 11 Feb 2016 15:42:58 +0000 (16:42 +0100)]
Revert "mmc: block: don't use parameter prefix if built as module"
This reverts commit
829b6962f7e3cfc06f7c5c26269fd47ad48cf503.
Revert this change as it causes a sysfs path to change and therefore
introduces and ABI regression. More precisely Android's vold is not being
able to access /sys/module/mmcblk/parameters/perdev_minors any more, since
the path becomes changed to: "/sys/module/mmc_block/..."
Fixes:
829b6962f7e3 ("mmc: block: don't use parameter prefix if built as
module")
Reported-by: John Stultz <john.stultz@linaro.org>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Javi Merino [Thu, 11 Feb 2016 12:00:51 +0000 (12:00 +0000)]
thermal: cpu_cooling: fix out of bounds access in time_in_idle
In __cpufreq_cooling_register() we allocate the arrays for time_in_idle
and time_in_idle_timestamp to be as big as the number of cpus in this
cpufreq device. However, in get_load() we access this array using the
cpu number as index, which can result in an out of bound access.
Index time_in_idle{,_timestamp} using the index in the cpufreq_device's
allowed_cpus mask, as we do for the load_cpu array in
cpufreq_get_requested_power()
Reported-by: Nicolas Boichat <drinkcat@chromium.org>
Cc: Amit Daniel Kachhap <amit.kachhap@gmail.com>
Cc: Zhang Rui <rui.zhang@intel.com>
Cc: Eduardo Valentin <edubezval@gmail.com>
Tested-by: Nicolas Boichat <drinkcat@chromium.org>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Javi Merino <javi.merino@arm.com>
Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
David Sterba [Fri, 13 Nov 2015 12:44:28 +0000 (13:44 +0100)]
btrfs: properly set the termination value of ctx->pos in readdir
The value of ctx->pos in the last readdir call is supposed to be set to
INT_MAX due to 32bit compatibility, unless 'pos' is intentially set to a
larger value, then it's LLONG_MAX.
There's a report from PaX SIZE_OVERFLOW plugin that "ctx->pos++"
overflows (https://forums.grsecurity.net/viewtopic.php?f=1&t=4284), on a
64bit arch, where the value is 0x7fffffffffffffff ie. LLONG_MAX before
the increment.
We can get to that situation like that:
* emit all regular readdir entries
* still in the same call to readdir, bump the last pos to INT_MAX
* next call to readdir will not emit any entries, but will reach the
bump code again, finds pos to be INT_MAX and sets it to LLONG_MAX
Normally this is not a problem, but if we call readdir again, we'll find
'pos' set to LLONG_MAX and the unconditional increment will overflow.
The report from Victor at
(http://thread.gmane.org/gmane.comp.file-systems.btrfs/49500) with debugging
print shows that pattern:
Overflow: e
Overflow:
7fffffff
Overflow:
7fffffffffffffff
PAX: size overflow detected in function btrfs_real_readdir
fs/btrfs/inode.c:5760 cicus.935_282 max, count: 9, decl: pos; num: 0;
context: dir_context;
CPU: 0 PID: 2630 Comm: polkitd Not tainted 4.2.3-grsec #1
Hardware name: Gigabyte Technology Co., Ltd. H81ND2H/H81ND2H, BIOS F3 08/11/2015
ffffffff81901608 0000000000000000 ffffffff819015e6 ffffc90004973d48
ffffffff81742f0f 0000000000000007 ffffffff81901608 ffffc90004973d78
ffffffff811cb706 0000000000000000 ffff8800d47359e0 ffffc90004973ed8
Call Trace:
[<
ffffffff81742f0f>] dump_stack+0x4c/0x7f
[<
ffffffff811cb706>] report_size_overflow+0x36/0x40
[<
ffffffff812ef0bc>] btrfs_real_readdir+0x69c/0x6d0
[<
ffffffff811dafc8>] iterate_dir+0xa8/0x150
[<
ffffffff811e6d8d>] ? __fget_light+0x2d/0x70
[<
ffffffff811dba3a>] SyS_getdents+0xba/0x1c0
Overflow: 1a
[<
ffffffff811db070>] ? iterate_dir+0x150/0x150
[<
ffffffff81749b69>] entry_SYSCALL_64_fastpath+0x12/0x83
The jump from
7fffffff to
7fffffffffffffff happens when new dir entries
are not yet synced and are processed from the delayed list. Then the code
could go to the bump section again even though it might not emit any new
dir entries from the delayed list.
The fix avoids entering the "bump" section again once we've finished
emitting the entries, both for synced and delayed entries.
References: https://forums.grsecurity.net/viewtopic.php?f=1&t=4284
Reported-by: Victor <services@swwu.com>
CC: stable@vger.kernel.org
Signed-off-by: David Sterba <dsterba@suse.com>
Tested-by: Holger Hoffstätte <holger.hoffstaette@googlemail.com>
Signed-off-by: Chris Mason <clm@fb.com>
Linus Walleij [Wed, 10 Feb 2016 08:25:17 +0000 (09:25 +0100)]
ARM: 8519/1: ICST: try other dividends than 1
Since the dawn of time the ICST code has only supported divide
by one or hang in an eternal loop. Luckily we were always dividing
by one because the reference frequency for the systems using
the ICSTs is 24MHz and the [min,max] values for the PLL input
if [10,320] MHz for ICST307 and [6,200] for ICST525, so the loop
will always terminate immediately without assigning any divisor
for the reference frequency.
But for the code to make sense, let's insert the missing i++
Reported-by: David Binderman <dcb314@hotmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Thomas Gleixner [Thu, 11 Feb 2016 10:47:55 +0000 (11:47 +0100)]
Merge tag 'gic-fixes-4.5-rc4' of git://git./linux/kernel/git/maz/arm-platforms into irq/urgent
Pull GIC fixes from Marc for 4.5-rc4:
- Two fixes addressing cascaded GICv1/GICv2 (affinity setting, EOImode)
- One fix addressing possible missed interrupts on GICv3
Adrian Hunter [Tue, 9 Feb 2016 14:12:38 +0000 (16:12 +0200)]
mmc: sdhci-acpi: Fix card detect race for Intel BXT/APL
Intel BXT/APL use a card detect GPIO however the host controller
will not enable bus power unless it's card detect also reflects
the presence of a card. Unfortunately those 2 things race which
can result in commands not starting, after which the controller
does nothing and there is a 10 second wait for the driver's
10-second timer to timeout.
That is fixed by having the driver look also at the present state
register to determine if the card is present. Consequently, provide
a 'get_cd' mmc host operation for BXT/APL that does that.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Adrian Hunter [Tue, 9 Feb 2016 14:12:37 +0000 (16:12 +0200)]
mmc: sdhci-pci: Fix card detect race for Intel BXT/APL
Intel BXT/APL use a card detect GPIO however the host controller
will not enable bus power unless it's card detect also reflects
the presence of a card. Unfortunately those 2 things race which
can result in commands not starting, after which the controller
does nothing and there is a 10 second wait for the driver's
10-second timer to timeout.
That is fixed by having the driver look also at the present state
register to determine if the card is present. Consequently, provide
a 'get_cd' mmc host operation for BXT/APL that does that.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Adrian Hunter [Tue, 9 Feb 2016 14:12:36 +0000 (16:12 +0200)]
mmc: sdhci: Allow override of get_cd() called from sdhci_request()
Drivers may need to provide their own get_cd() mmc host op, but
currently the internals of the current op (sdhci_get_cd()) are
provided by sdhci_do_get_cd() which is also called from
sdhci_request().
To allow override of the get_cd functionality, change sdhci_request()
to call ->get_cd() instead of sdhci_do_get_cd().
Note, in the future the call to ->get_cd() will likely be removed
from sdhci_request() since most drivers don't need actually it.
However this change is being done now to facilitate a subsequent
bug fix.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Adrian Hunter [Tue, 9 Feb 2016 14:12:35 +0000 (16:12 +0200)]
mmc: sdhci: Allow override of mmc host operations
In the past, fixes for specific hardware devices were implemented
in sdhci using quirks. That approach is no longer accepted because
the growing number of quirks was starting to make the code difficult
to understand and maintain.
One alternative to quirks, is to allow drivers to override the default
mmc host operations. This patch makes it easy to do that, and it is
needed for a subsequent bug fix, for which separate patches are
provided.
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org # v4.4+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Daniel Wagner [Wed, 10 Feb 2016 09:21:21 +0000 (10:21 +0100)]
mips: Differentiate between 32 and 64 bit ELF header
Depending on the configuration either the 32 or 64 bit version of
elf_check_arch() is defined. parse_crash_elf{32|64}_headers() does
some basic verification of the ELF header via
vmcore_elf{32|64}_check_arch() which happen to map to elf_check_arch().
Since the implementation 32 and 64 bit version of elf_check_arch()
differ, we use the wrong type:
In file included from include/linux/elf.h:4:0,
from fs/proc/vmcore.c:13:
fs/proc/vmcore.c: In function 'parse_crash_elf64_headers':
>> arch/mips/include/asm/elf.h:228:23: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]
struct elfhdr *__h = (hdr); \
^
include/linux/crash_dump.h:41:37: note: in expansion of macro 'elf_check_arch'
#define vmcore_elf64_check_arch(x) (elf_check_arch(x) || vmcore_elf_check_arch_cross(x))
^
fs/proc/vmcore.c:1015:4: note: in expansion of macro 'vmcore_elf64_check_arch'
!vmcore_elf64_check_arch(&ehdr) ||
^
Therefore, we rather define vmcore_elf{32|64}_check_arch() as a
basic machine check and use it also in binfm_elf?32.c as well.
Signed-off-by: Daniel Wagner <daniel.wagner@bmw-carit.de>
Suggested-by: Maciej W. Rozycki <macro@imgtec.com>
Reviewed-by: Maciej W. Rozycki <macro@imgtec.com>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Cc: linux-kernel@vger.kernel.org
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12529/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Tirumalesh Chalamarla [Thu, 4 Feb 2016 18:45:25 +0000 (10:45 -0800)]
irqchip/gic-v3: Make sure read from ICC_IAR1_EL1 is visible on redestributor
The ARM GICv3 specification mentions the need for dsb after a read
from the ICC_IAR1_EL1 register:
4.1.1 Physical CPU Interface:
The effects of reading ICC_IAR0_EL1 and ICC_IAR1_EL1
on the state of a returned INTID are not guaranteed
to be visible until after the execution of a DSB.
Not having this could result in missed interrupts, so let's add the
required barrier.
[Marc: fixed commit message]
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Tirumalesh Chalamarla <tchalamarla@caviumnetworks.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Jon Hunter [Tue, 9 Feb 2016 15:24:57 +0000 (15:24 +0000)]
irqchip/gic: Only set the EOImodeNS bit for the root controller
EOImode1 is only used for the root controller and hence only the root
controller uses the eoimode1 functions for handling interrupts. However,
if the root controller supports EOImode1, then the EOImodeNS bit will be
set for all GICs, enabling EOImode1. This is not what we want and this
causes interrupts on non-root GICs to only be dropped in priority but
never deactivated. Therefore, only set the EOImodeNS bit for the root
controller.
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Jon Hunter [Tue, 9 Feb 2016 15:24:56 +0000 (15:24 +0000)]
irqchip/gic: Only populate set_affinity for the root controller
Setting the affinity of an IRQ, it only applicable for the root
interrupt controller and so only populate this operator for the root
controller.
Acked-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Daniel Stone [Mon, 8 Feb 2016 21:12:58 +0000 (21:12 +0000)]
component: remove device from master match list on failed add
Calling component_add() may result in the completion of a set of
devices, which will try to bring up a master. In bringing the master
up, we populate its match array with the current set of children.
If binding any of the devices fails, component_add() itself will fail,
free the struct component entry, and return to the caller. The
now-freed entry is never removed from the master's match array, and
will later be used in a futile attempt to bind to freed memory.
Bring component_add's behaviour on failure to bring up a master into
line with component_del by removing the (to-be-freed) component from
the master's match array.
The specific case which broke was:
- rockchip_drm_drv adds a component master
- dwhdmi_rockchip adds a child component in probe (master incomplete)
- rockchip_drm_vop adds two children in probe, which completes the
set
- inside component_add, we try to bring up the master, having
populated the master's match array, and fail with EPROBE_DEFER from
dwhdmi_rockchip; we delete the putative component
- rockchip_drm_vop's probe fails and returns EPROBE_DEFER
- we later re-probe rockchip_drm_vop and add the component; the
master is complete, so we attempt to bring it up again
- walking the match array, we find the previous child, whose master
pointer doesn't match (as it has been freed in the meantime)
- rockchip_drm_vop probe fails, and will never be attempted again
Fixes:
ffc30b74fd6d01588bd3fdebc3b1acc0857e6fc8
Signed-off-by: Daniel Stone <daniels@collabora.com>
Cc: Russell King <rmk+kernel@arm.linux.org.uk>
Cc: Thierry Reding <treding@nvidia.com>
Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Quinn Tran [Wed, 10 Feb 2016 23:59:14 +0000 (18:59 -0500)]
qla2xxx: use TARGET_SCF_USE_CPUID flag to indiate CPU Affinity
Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Fixes:
fb3269b ("qla2xxx: Add selective command queuing")
Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Quinn Tran [Wed, 10 Feb 2016 23:59:13 +0000 (18:59 -0500)]
target/transport: add flag to indicate CPU Affinity is observed
Signed-off-by: Quinn Tran <quinn.tran@qlogic.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bart.vanassche@sandisk.com>
Fixes:
fb3269b ("qla2xxx: Add selective command queuing")
Signed-off-by: Himanshu Madhani <himanshu.madhani@qlogic.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Nicholas Bellinger [Thu, 11 Feb 2016 04:34:56 +0000 (20:34 -0800)]
target: Fix incorrect unmap_zeroes_data_store return
This patch fixes an incorrect return of zero from the new
unmap_zeroes_data_store() configfs store attribute handler
introduced in v4.5-rc1, to use the correct 'count' bytes
return value.
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Chris Mason [Thu, 11 Feb 2016 00:51:38 +0000 (16:51 -0800)]
Merge branch 'integration-4.5' of git://git./linux/kernel/git/fdmanana/linux into for-linus-4.5
Linus Torvalds [Wed, 10 Feb 2016 23:11:08 +0000 (15:11 -0800)]
Merge tag 'for-linus' of git://git./linux/kernel/git/dledford/rdma
Pull rdma fixes from Doug Ledford:
"A few more minor fixes for rc3:
- One fix to ipoib
- One fix to core sysfs code
- Four patches that resolve an oops found in testing of ocrdma and a
couple other ocrdma issues"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
RDMA/ocrdma: Fixing ocrdma debugfs directory remove
RDMA/ocrdma: Fix pkey_index returned by driver in rq work completion
RDMA/ocrdma: populate max_sge_rd in device attributes
RDMA/ocrdma: Initialize stats resources in the driver before ib device registration.
IB/sysfs: remove unused va_list args
IB/IPoIB: Do not set skb truesize since using one linearskb
Dave Airlie [Wed, 10 Feb 2016 22:39:07 +0000 (08:39 +1000)]
Merge branch 'drm-fixes-4.5' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
radeon and amdgpu fixes for 4.5. Highlights:
- powerplay fixes for amdgpu
- race fixes in the sub-allocator in radeon and amdgpu
- hibernate fix for amdgpu
- fix a possible circular locking in userptr handling in amdgpu
* 'drm-fixes-4.5' of git://people.freedesktop.org/~agd5f/linux: (21 commits)
drm/amdgpu: fix issue with overlapping userptrs
drm/radeon: hold reference to fences in radeon_sa_bo_new
drm/amdgpu: remove unnecessary forward declaration
drm/amdgpu: hold reference to fences in amdgpu_sa_bo_new (v2)
drm/amdgpu: fix s4 resume
drm/amdgpu/cz: plumb pg flags through to powerplay
drm/amdgpu/tonga: plumb pg flags through to powerplay
drma/dmgpu: move cg and pg flags into shared headers
drm/amdgpu: remove unused cg defines
drm/amdgpu: add a cgs interface to fetch cg and pg flags
drm/amd/powerplay/tonga: disable vce pg
drm/amd/powerplay/tonga: disable uvd pg
drm/amd/powerplay/cz: disable vce pg
drm/amd/powerplay/cz: disable uvd pg
drm/amdgpu: be consistent with uvd cg flags
drm/amdgpu: clean up vce pg flags for cz/st
drm/amdgpu: handle vce pg flags properly
drm/amdgpu: handle uvd pg flags properly
drm/amdgpu/dpm/ci: switch over to the common pcie caps interface
drm/amdgpu/cik: don't mess with aspm if gpu is root bus
...
Daniel Borkmann [Wed, 10 Feb 2016 15:47:11 +0000 (16:47 +0100)]
bpf: fix branch offset adjustment on backjumps after patching ctx expansion
When ctx access is used, the kernel often needs to expand/rewrite
instructions, so after that patching, branch offsets have to be
adjusted for both forward and backward jumps in the new eBPF program,
but for backward jumps it fails to account the delta. Meaning, for
example, if the expansion happens exactly on the insn that sits at
the jump target, it doesn't fix up the back jump offset.
Analysis on what the check in adjust_branches() is currently doing:
/* adjust offset of jmps if necessary */
if (i < pos && i + insn->off + 1 > pos)
insn->off += delta;
else if (i > pos && i + insn->off + 1 < pos)
insn->off -= delta;
First condition (forward jumps):
Before: After:
insns[0] insns[0]
insns[1] <--- i/insn insns[1] <--- i/insn
insns[2] <--- pos insns[P] <--- pos
insns[3] insns[P] `------| delta
insns[4] <--- target_X insns[P] `-----|
insns[5] insns[3]
insns[4] <--- target_X
insns[5]
First case is if we cross pos-boundary and the jump instruction was
before pos. This is handeled correctly. I.e. if i == pos, then this
would mean our jump that we currently check was the patchlet itself
that we just injected. Since such patchlets are self-contained and
have no awareness of any insns before or after the patched one, the
delta is correctly not adjusted. Also, for the second condition in
case of i + insn->off + 1 == pos, means we jump to that newly patched
instruction, so no offset adjustment are needed. That part is correct.
Second condition (backward jumps):
Before: After:
insns[0] insns[0]
insns[1] <--- target_X insns[1] <--- target_X
insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
insns[3] insns[P] `------| delta
insns[4] <--- i/insn insns[P] `-----|
insns[5] insns[3]
insns[4] <--- i/insn
insns[5]
Second interesting case is where we cross pos-boundary and the jump
instruction was after pos. Backward jump with i == pos would be
impossible and pose a bug somewhere in the patchlet, so the first
condition checking i > pos is okay only by itself. However, i +
insn->off + 1 < pos does not always work as intended to trigger the
adjustment. It works when jump targets would be far off where the
delta wouldn't matter. But, for example, where the fixed insn->off
before pointed to pos (target_Y), it now points to pos + delta, so
that additional room needs to be taken into account for the check.
This means that i) both tests here need to be adjusted into pos + delta,
and ii) for the second condition, the test needs to be <= as pos
itself can be a target in the backjump, too.
Fixes:
9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Wed, 10 Feb 2016 20:21:57 +0000 (12:21 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input
Pull input updates from Dmitry Torokhov:
"Just small driver fixups"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: colibri-vf50-ts - add missing #include <linux/of.h>
Input: adp5589 - fix row 5 handling for adp5589
Input: edt-ft5x06 - fix setting gain, offset, and threshold via device tree
Input: vmmouse - fix absolute device registration
Input: serio - drop warnings in case of EPROBE_DEFER from serio_find_driver()
Input: cap11xx - add missing of_node_put
Input: sirfsoc-onkey - allow modular build
Input: xpad - remove unused function
Linus Torvalds [Wed, 10 Feb 2016 20:04:59 +0000 (12:04 -0800)]
Merge branch 'for-4.5-fixes' of git://git./linux/kernel/git/tj/libata
Pull libata fixes from Tejun Heo:
- PORTS_IMPL workaround for very early ahci controllers is misbehaving
on new systems. Disabled on recent ahci versions.
- Old-style PIO state machine had a horrible locking problem. Don't
know how we've been getting away this far. Fixed.
- Other device specific updates.
* 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/libata:
ahci: Intel DNV device IDs SATA
libata: fix sff host state machine locking while polling
libata-sff: use WARN instead of BUG on illegal host state machine state
libata: disable forced PORTS_IMPL for >= AHCI 1.3
libata: blacklist a Viking flash model for MWDMA corruption
drivers: ata: wake port before DMA stop for ALPM
Linus Torvalds [Wed, 10 Feb 2016 19:36:19 +0000 (11:36 -0800)]
Merge branch 'for-4.5-fixes' of git://git./linux/kernel/git/tj/cgroup
Pull cgroup fixes from Tejun Heo:
- The destruction path of cgroup objects are asynchronous and
multi-staged and some of them ended up destroying parents before
children leading to failures in cpu and memory controllers. Ensure
that parents are always destroyed after children.
- cpuset mm node migration was performed synchronously while holding
threadgroup and cgroup mutexes and the recent threadgroup locking
update resulted in a possible deadlock. The migration is best effort
and shouldn't have been performed under those locks to begin with.
Made asynchronous.
- Minor documentation fix.
* 'for-4.5-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
Documentation: cgroup: Fix 'cgroup-legacy' -> 'cgroup-v1'
cgroup: make sure a parent css isn't freed before its children
cgroup: make sure a parent css isn't offlined before its children
cpuset: make mm migration asynchronous
Mark Brown [Wed, 10 Feb 2016 19:23:09 +0000 (19:23 +0000)]
Merge remote-tracking branches 'asoc/fix/rt5659', 'asoc/fix/sigmadsp', 'asoc/fix/simple', 'asoc/fix/wm5110' and 'asoc/fix/wm8960' into asoc-linus
Mark Brown [Wed, 10 Feb 2016 19:23:07 +0000 (19:23 +0000)]
Merge remote-tracking branches 'asoc/fix/imx-spdif', 'asoc/fix/mtk', 'asoc/fix/mxs-saif', 'asoc/fix/qcom' and 'asoc/fix/rt286' into asoc-linus
Mark Brown [Wed, 10 Feb 2016 19:23:04 +0000 (19:23 +0000)]
Merge remote-tracking branches 'asoc/fix/amd', 'asoc/fix/arizona', 'asoc/fix/dpcm', 'asoc/fix/dwc', 'asoc/fix/fsl' and 'asoc/fix/fsl-ssi' into asoc-linus