hjc [Mon, 25 Feb 2013 07:53:25 +0000 (15:53 +0800)]
rk3168_86v: add rk3168_86v_old,the arm is connected to the DCDC
yxj [Mon, 25 Feb 2013 06:46:43 +0000 (14:46 +0800)]
rk3188 lcdc:support color key config for win1
黄涛 [Mon, 25 Feb 2013 06:44:51 +0000 (14:44 +0800)]
rk: disable disable_nonboot_cpus when kernel restart
work around rk3188 cpu down bug temporarily.
Cody Xie [Mon, 25 Feb 2013 05:59:52 +0000 (13:59 +0800)]
rk3188 ds1006h: do not use logo from customer, the sdk uses default
please config logo on your project by yourself
Revert "rk3188 ds1006h: sync logo"
This reverts commit
e591148c1cc1e074d0e112e632adfd016322c61a.
hjc [Mon, 25 Feb 2013 04:44:33 +0000 (12:44 +0800)]
rk3168_86v: deconfig set ddr 324M,support charge display
hjc [Mon, 25 Feb 2013 04:43:46 +0000 (12:43 +0800)]
rk3168_86v: update dvfs_gpu_table
hjc [Mon, 25 Feb 2013 04:24:52 +0000 (12:24 +0800)]
rk3168m: use a useless gpio to instead of PMU_EN; set 4in1 voltage 2800->1800
hjc [Mon, 25 Feb 2013 01:49:19 +0000 (09:49 +0800)]
rk3168m: To backup defconfig
hjc [Mon, 25 Feb 2013 01:27:30 +0000 (09:27 +0800)]
rk3168m: add board-rk3168m-tb.c
hjc [Mon, 25 Feb 2013 01:11:24 +0000 (09:11 +0800)]
rk3168_86v: add maxbrightness restriction
yxj [Sat, 23 Feb 2013 09:00:05 +0000 (17:00 +0800)]
rk3188 lcdc:move RK_FBIOSET_CONFIG_DONE to rk fb
yxj [Sat, 23 Feb 2013 08:59:41 +0000 (16:59 +0800)]
rk fb: move ioctl RK_FBIOSET_CONFIG_DONE to rk fb
yxj [Sat, 23 Feb 2013 06:18:49 +0000 (14:18 +0800)]
rk3188 lcdc:update lcdc register in config done
yxj [Sat, 23 Feb 2013 06:17:42 +0000 (14:17 +0800)]
rk fb: add some key parameter for layer_par,wirite config done when show logo
yxj [Fri, 22 Feb 2013 07:15:06 +0000 (15:15 +0800)]
rk fb:add config done in rk_fb_switch_screen
黄涛 [Sat, 23 Feb 2013 08:41:10 +0000 (16:41 +0800)]
Merge remote-tracking branch 'stable/linux-3.0.y' into develop-3.0
Merge v3.0.66
Conflicts:
Makefile
yzq [Sat, 23 Feb 2013 08:04:02 +0000 (16:04 +0800)]
rk610 hdmi: fix compile err
yzq [Sat, 23 Feb 2013 06:21:53 +0000 (14:21 +0800)]
rk610 hdmi: set hdmi probe later than codec,
fix codec not close when system start with hdmi plug
黄涛 [Sat, 23 Feb 2013 05:28:40 +0000 (13:28 +0800)]
rk3066b: use rk3188 cpufreq driver
黄涛 [Sat, 23 Feb 2013 05:23:22 +0000 (13:23 +0800)]
rk3188: cpufreq: version 2.0
thermal throttle by load
support sys_state
throttle cpu frequency when boot with low battery
xxx [Sat, 23 Feb 2013 03:11:42 +0000 (11:11 +0800)]
dvfs gets volt chngeing time for regulator
黄涛 [Fri, 22 Feb 2013 10:03:43 +0000 (18:03 +0800)]
rk: enable synchronization framework, for support android 4.2 with mali gpu
Jamie Gennis [Wed, 20 Feb 2013 02:49:20 +0000 (18:49 -0800)]
sync: fix timeout = 0 wait behavior
Change-Id: I8b9254e92c26d9f44abbc0c77fb44624de947013
Signed-off-by: Jamie Gennis <jgennis@google.com>
Jonathan Hamilton [Fri, 8 Feb 2013 21:05:38 +0000 (13:05 -0800)]
base: sync: Include seq_file.h in sync.h
sync.h uses struct seq_file in some function table prototypes. This
causes compile failures when including the header in files that do not
otherwise include seq_file.h
Signed-off-by: Jonathan Hamilton <jonathan.hamilton@imgtec.com>
Erik Gilling [Mon, 4 Feb 2013 20:37:16 +0000 (12:37 -0800)]
sync: don't log wait timeouts when timeout = 0
Signed-off-by: Erik Gilling <konkers@android.com>
Ørjan Eide [Wed, 5 Dec 2012 15:38:08 +0000 (16:38 +0100)]
sync: Fix race condition between merge and signal
The copied sync_pt was activated immediately. If the sync_pt was
signaled before the entire merge was completed, the new fence's pt_list
could be iterated over while it is still in the process of being
created.
Moving the the sync_pt_activate call for all new sync_pts to after both
the sync_fence_copy_pts and the sync_fence_merge_pts calls ensure that
the pt_list is complete and immutable before it can be reached from the
timeline's active list.
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 16 Oct 2012 23:14:48 +0000 (16:14 -0700)]
sync: add tracepoint support
Change-Id: I181326db4247009161557e45444c9b3548b83d25
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 16 Oct 2012 22:16:55 +0000 (15:16 -0700)]
sync: refactor sync debug printing
Move driver callbacks to fill strings instead of using seq_files. This
will allow those values to be used in a future tracepoint patch.
Change-Id: I9b706343e35b11124141fe520e520514a32003d2
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 16 Oct 2012 00:58:46 +0000 (17:58 -0700)]
sync: use proper barriers when waiting indefinitely
The previous fix only addressed waiting with a timeout.
Change-Id: I8ad735d2d0dfdd53592904e8a54f5689cb5eaa5e
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 16 Oct 2012 00:51:01 +0000 (17:51 -0700)]
sync: update new fence status with sync_fence_signal_pt
If a fence's pt is signaled before sync_fence_create is called, the fence
will never transition into the signaled state. This also address a tiny
race if a merged fence's pt after sync_fence_get_status checks it's status
and before fence->status is updated.
Change-Id: Ic8e292a323db26c6f04cb4757d920278b3125ff6
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Thu, 11 Oct 2012 19:35:22 +0000 (12:35 -0700)]
sync: protect unlocked access to fence status
Fence status is checked outside of locks in both sync_fence_wait and
sync_fence_poll. This patch adds propper barrier protection in these
cases to avoid seeing stale status.
Change-Id: I9d8b6ce6accb415e797df58068a1ccd54e6be445
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Thu, 11 Oct 2012 01:08:11 +0000 (18:08 -0700)]
sync: dump sync state of fence errors
Change-Id: I297a43aadf83504993040ea875c7f22d988628f1
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 4 Sep 2012 22:29:09 +0000 (15:29 -0700)]
sync: improve timeout dumps
Change-Id: I3b378d63c324c7b5862dd214f380b5e91131cc2a
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 4 Sep 2012 22:28:52 +0000 (15:28 -0700)]
sync: use correct signed type when handling SYNC_IOC_WAIT
Change-Id: Ic7d5adf9b145765e52b23186b8c3c793ccf29be7
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Fri, 24 Aug 2012 20:48:57 +0000 (13:48 -0700)]
sync: dump sync state to console on timeout
Change-Id: I74bca6b4a2afa7ed5b1f5233c5165d2edddf269a
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Fri, 24 Aug 2012 20:48:34 +0000 (13:48 -0700)]
sync: clean up compiler warnings
Change-Id: I8a2ec5db652c61fd04571402067b37273b91e78f
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Wed, 22 Aug 2012 01:43:21 +0000 (18:43 -0700)]
sync: fix erase-o in sync_fence_wait
Change-Id: I189707cf658a9f1f2943515c891b43961994e774
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Wed, 22 Aug 2012 00:57:19 +0000 (17:57 -0700)]
sync: change wait timeout to mirror poll semantics
Change-Id: Ib38e6d339d41885a33027752690d65a52b6897f6
Signed-off-by: Erik Gilling <konkers@android.com>
Rebecca Schultz Zavin [Wed, 8 Aug 2012 20:46:22 +0000 (13:46 -0700)]
sync: Fix error paths
Check the return value of get_unused_fd to make sure a valid
file descriptor is returned.
Make sure to call put_unused_fd even if an error occurs before
the fd can be used.
Change-Id: I0fe8f78d9e30ecfc4d271c5d875424543dae2d0f
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
Erik Gilling [Fri, 3 Aug 2012 00:26:45 +0000 (17:26 -0700)]
sync: add reference counting to timelines
If a timeline is destroyed while fences still hold pts on it, the reworked
fence release handler can cause the timeline to be freed before all it's points
are freed.
Change-Id: I1cd8ddb638eded7db9db446ff6b37f3dd165d6c4
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Mon, 23 Jul 2012 23:43:05 +0000 (16:43 -0700)]
sync: add internal refcounting to fences
If a fence is released while a timeline that one of it's pts is on is being
signaled, it is possible for that fence to be deleted before it is signaled.
This patch adds a refcount for internal references such as signaled pt
processing.
Change-Id: Ie8605e6fd2ac026c207220a03d84e1c1078ec719
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Thu, 12 Jul 2012 00:13:50 +0000 (17:13 -0700)]
sync: optimize fence merges
If the two fences being merged contain sync_pts from the same timeline,
those two pts will be collapsed into a single pt representing the latter
of the two.
Change-Id: Iced7ebb7e5a17a0c8b1a2969ba3388a4edb9ecaf
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Thu, 12 Jul 2012 00:07:39 +0000 (17:07 -0700)]
sync: reorder sync_fence_release
Previously fence's pts were freed before the were the fence was removed from the
global fence list. This led to a race with the debugfs support where it would
iterate over sync_pts that had been freed.
Change-Id: Ia3ddbf77de42ca593fc2dc353b5d04e42ddf3946
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Wed, 16 May 2012 20:09:22 +0000 (13:09 -0700)]
sync: export sync API symbols
This is needed to allow modules to link against the sync subsystem
Change-Id: I15c1818de329f24e4113ef1d0923413b22fd0eff
Signed-off-by: Erik Gilling <konkers@android.com>
Erik Gilling [Tue, 15 May 2012 23:23:26 +0000 (16:23 -0700)]
sync: allow async waits to be canceled
In order to allow drivers to cleanly handled teardown we need to allow them
to cancel pending async waits. To do this cleanly, we move allocation of
sync_fence_waiter to the driver calling sync_async_wait().
Change-Id: Ifcd95648be6ec07026d67f810070a4310f099989
Signed-off-by: Erik Gilling <konkers@android.com>
Paul Gortmaker [Mon, 23 May 2011 18:11:39 +0000 (14:11 -0400)]
module.h: split out the EXPORT_SYMBOL into export.h
A lot of files pull in module.h when all they are really
looking for is the basic EXPORT_SYMBOL functionality. The
recent data from Ingo[1] shows that this is one of several
instances that has a significant impact on compile times,
and it should be targeted for factoring out (as done here).
Note that several commonly used header files in include/*
directly include <linux/module.h> themselves (some 34 of them!)
The most commonly used ones of these will have to be made
independent of module.h before the full benefit of this change
can be realized.
We also transition THIS_MODULE from module.h to export.h,
since there are lots of files with subsystem structs that
in turn will have a struct module *owner and only be doing:
.owner = THIS_MODULE;
and absolutely nothing else modular. So, we also want to have
the THIS_MODULE definition present in the lightweight header.
[1] https://lkml.org/lkml/2011/5/23/76
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
hjc [Fri, 22 Feb 2013 08:19:32 +0000 (16:19 +0800)]
rk3168_86v: xbw:delete SDCARD_DET_FROM_GPIO
hjc [Fri, 22 Feb 2013 08:11:06 +0000 (16:11 +0800)]
rk3168_86v: xbw SDMMC IO voltage
wuhao [Fri, 22 Feb 2013 08:04:56 +0000 (16:04 +0800)]
rk3188 ds1006h: sync logo
黄涛 [Fri, 22 Feb 2013 07:49:03 +0000 (15:49 +0800)]
rk: Kconfig add RK3168M support, add SOC_RK3168M config, add RK3168M TB config
黄涛 [Fri, 22 Feb 2013 07:10:24 +0000 (15:10 +0800)]
rk: power_supply: add rk_get_system_battery_capacity and rk_get_system_battery_status api
hjc [Fri, 22 Feb 2013 06:27:21 +0000 (14:27 +0800)]
rk3168_86v: increase the arm and logic voltage
chenxing [Fri, 22 Feb 2013 03:46:58 +0000 (11:46 +0800)]
rk3168: dvfs support voltage diff = 0
wuhao [Fri, 22 Feb 2013 02:58:08 +0000 (10:58 +0800)]
rk3188 ds1006h : sync board-rk3188-ds1006h-sdmmc-config.c
xbw [Fri, 22 Feb 2013 01:26:15 +0000 (09:26 +0800)]
MT6620 wifi: add the support for MT6620 wifi in RK31XX porject.
xbw [Fri, 22 Feb 2013 01:20:58 +0000 (09:20 +0800)]
MT6620 wifi: mt6620 use 2.8v power.
xbw [Fri, 22 Feb 2013 01:11:07 +0000 (09:11 +0800)]
SDMMC IO voltage:
Modify a numerical definition of small flaws.Not suitable for the use of the original property is double.
Please modify your own board-xxx-sdmmc-config.c youself, Reference to this example.
Greg Kroah-Hartman [Thu, 21 Feb 2013 18:03:01 +0000 (10:03 -0800)]
3.0.66
Alexandre SIMON [Fri, 1 Feb 2013 14:31:54 +0000 (15:31 +0100)]
printk: fix buffer overflow when calling log_prefix function from call_console_drivers
This patch corrects a buffer overflow in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().
This bug existed in previous releases but has been revealed with commit
162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0) that made changes
about how to allocate memory for early printk buffer (use of memblock_alloc).
It disappears with commit
7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5)
that does a refactoring of printk buffer management.
In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing "&LOG_BUF(cur_index)"
where the index must be masked to do not exceed the buffer's boundary.
The trick is to prepare in call_console_drivers() a buffer with the necessary
data (PRI field of syslog message) to be safely evaluated in log_prefix().
This patch can be applied to stable kernel branches 3.0.y, 3.2.y and 3.4.y.
Without this patch, one can freeze a server running this loop from shell :
$ export DUMMY=`cat /dev/urandom | tr -dc '12345AZERTYUIOPQSDFGHJKLMWXCVBNazertyuiopqsdfghjklmwxcvbn' | head -c255`
$ while true do ; echo $DUMMY > /dev/kmsg ; done
The "server freeze" depends on where memblock_alloc does allocate printk buffer :
if the buffer overflow is inside another kernel allocation the problem may not
be revealed, else the server may hangs up.
Signed-off-by: Alexandre SIMON <Alexandre.Simon@univ-lorraine.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
xbw [Thu, 21 Feb 2013 11:09:29 +0000 (19:09 +0800)]
SDMMC-RK31XX:
Eliminate the problem of card as unidentified during the open-device or insert-removal in suspend-resume.
xbw [Thu, 21 Feb 2013 11:01:55 +0000 (19:01 +0800)]
SDMMC:
For example, how to modify the voltage of sdmmc0-gpio group in RK CPU.
Please modify your board-xxx-sdmmc-config.c youself , if you want to use 1.8V for SDMMC0-PIN.
xbw [Thu, 21 Feb 2013 10:58:19 +0000 (18:58 +0800)]
SDMMC:
add the control for the voltage of sdmmc0-pin in RK-host gpio group.
黄涛 [Thu, 21 Feb 2013 10:30:03 +0000 (18:30 +0800)]
rk: rm video_state.c which replace by ddr_freq.c
yzq [Thu, 21 Feb 2013 09:27:06 +0000 (17:27 +0800)]
hdmi: set hdmi probe later than codec,
fix codec not close when system start with hdmi plug
xxx [Thu, 21 Feb 2013 09:25:46 +0000 (17:25 +0800)]
remove printk in last updateing
xxx [Thu, 21 Feb 2013 09:17:49 +0000 (17:17 +0800)]
dvfs support list regulator volt
hjc [Thu, 21 Feb 2013 09:00:55 +0000 (17:00 +0800)]
rk3168_86v: deconfig add SDCARD_DET_FROM_GPIO and watchdog
hhb [Thu, 21 Feb 2013 07:45:14 +0000 (15:45 +0800)]
add rgb2mipi display drivers for tc358768 and ssd2828
yangkai [Thu, 21 Feb 2013 07:01:21 +0000 (15:01 +0800)]
EHCI&HSIC support
yxj [Thu, 21 Feb 2013 06:46:04 +0000 (14:46 +0800)]
rk3066b lcdc:support 1.8V io
yxj [Thu, 21 Feb 2013 06:08:29 +0000 (14:08 +0800)]
rk3066b lcdc:enable color key for win1,this will be used in pcba for camera test
yxj [Wed, 20 Feb 2013 12:45:44 +0000 (20:45 +0800)]
rk fb:fix bug for one lcdc dual display
yxj [Tue, 19 Feb 2013 08:34:21 +0000 (16:34 +0800)]
rk3188 lcdc:modify DBG
kfx [Thu, 21 Feb 2013 01:12:01 +0000 (09:12 +0800)]
iomux: default mode: uart2&uart3: add ctsn&rtsn
hhb [Wed, 20 Feb 2013 07:13:14 +0000 (15:13 +0800)]
rk_gps: fix bug when disable gps aclk
yzq [Wed, 20 Feb 2013 01:16:09 +0000 (09:16 +0800)]
it66121 hdmi: remove debug message
yxj [Tue, 19 Feb 2013 06:34:47 +0000 (14:34 +0800)]
LR097 defconfig:add camera GC2035 SP2518 support
yxj [Tue, 19 Feb 2013 06:31:26 +0000 (14:31 +0800)]
board LR097:update camera,charger,ddr freq
yxj [Tue, 19 Feb 2013 02:29:42 +0000 (10:29 +0800)]
board LR097:ddr 533MHZ
yxj [Tue, 19 Feb 2013 02:29:08 +0000 (10:29 +0800)]
rk3188 lcdc:add alpah config
yxj [Tue, 19 Feb 2013 02:18:21 +0000 (10:18 +0800)]
rk3188 lcdc:support set fps by sys
hjc [Tue, 19 Feb 2013 02:06:13 +0000 (10:06 +0800)]
rk3168_86v: front camera gc0308 turn upside down
hjc [Tue, 19 Feb 2013 01:56:51 +0000 (09:56 +0800)]
rk3168_86v: deconfig delete HDMI
邱建斌 [Mon, 18 Feb 2013 12:00:54 +0000 (20:00 +0800)]
rk610 codec : The headphone playback the probability of loss of a channel
邱建斌 [Mon, 18 Feb 2013 11:45:18 +0000 (19:45 +0800)]
rt5631 : fix RT5631 high frequency indicators
luowei [Mon, 18 Feb 2013 08:23:38 +0000 (16:23 +0800)]
add light sensor cm3232 support
hwg [Mon, 18 Feb 2013 06:28:34 +0000 (14:28 +0800)]
wifi: update mt5931 driver to 2.09
黄涛 [Mon, 18 Feb 2013 04:31:44 +0000 (12:31 +0800)]
Merge remote-tracking branch 'stable/linux-3.0.y' into develop-3.0
Merge v3.0.65
Conflicts:
Makefile
drivers/net/wireless/ath/ath9k/beacon.c
drivers/net/wireless/ath/ath9k/htc_hst.c
luowei [Mon, 18 Feb 2013 03:52:49 +0000 (11:52 +0800)]
add sensor version info
黄涛 [Mon, 18 Feb 2013 03:08:41 +0000 (11:08 +0800)]
Merge remote-tracking branch 'aosp/android-3.0' into develop-3.0
Conflicts:
drivers/net/wireless/bcmdhd/Makefile
drivers/net/wireless/bcmdhd/dhd.h
drivers/net/wireless/bcmdhd/dhd_common.c
drivers/net/wireless/bcmdhd/dhd_linux.c
drivers/net/wireless/bcmdhd/include/epivers.h
drivers/net/wireless/bcmdhd/wl_cfg80211.c
drivers/net/wireless/bcmdhd/wl_cfgp2p.c
黄涛 [Mon, 18 Feb 2013 02:46:05 +0000 (10:46 +0800)]
rk3188: Kconfig: enable RK_SRAM_DMA
黄涛 [Mon, 18 Feb 2013 02:32:41 +0000 (10:32 +0800)]
rk3188: Kconfig: depends on ARCH_RK3188
Greg Kroah-Hartman [Sun, 17 Feb 2013 18:46:34 +0000 (10:46 -0800)]
Linux 3.0.65
Alexander Duyck [Wed, 8 Aug 2012 05:23:22 +0000 (05:23 +0000)]
igb: Remove artificial restriction on RQDPC stat reading
commit
ae1c07a6b7ced6c0c94c99e3b53f4e7856fa8bff upstream.
For some reason the reading of the RQDPC register was being artificially
limited to 4K. Instead of limiting the value we should read the value and
add the full amount. Otherwise this can lead to a misleading number of
dropped packets when the actual value is in fact much higher.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Cc: Vinson Lee <vlee@twitter.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Rafael J. Wysocki [Mon, 11 Feb 2013 19:49:49 +0000 (20:49 +0100)]
PCI/PM: Clean up PME state when removing a device
commit
249bfb83cf8ba658955f0245ac3981d941f746ee upstream.
Devices are added to pci_pme_list when drivers use pci_enable_wake()
or pci_wake_from_d3(), but they aren't removed from the list unless
the driver explicitly disables wakeup. Many drivers never disable
wakeup, so their devices remain on the list even after they are
removed, e.g., via hotplug. A subsequent PME poll will oops when
it tries to touch the device.
This patch disables PME# on a device before removing it, which removes
the device from pci_pme_list. This is safe even if the device never
had PME# enabled.
This oops can be triggered by unplugging a Thunderbolt ethernet adapter
on a Macbook Pro, as reported by Daniel below.
[bhelgaas: changelog]
Reference: http://lkml.kernel.org/r/CAMVG2svG21yiM1wkH4_2pen2n+cr2-Zv7TbH3Gj+8MwevZjDbw@mail.gmail.com
Reported-and-tested-by: Daniel J Blueman <daniel@quora.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jan Beulich [Thu, 24 Jan 2013 13:11:10 +0000 (13:11 +0000)]
x86/xen: don't assume %ds is usable in xen_iret for 32-bit PVOPS.
commit
13d2b4d11d69a92574a55bfd985cfb0ca77aebdc upstream.
This fixes CVE-2013-0228 / XSA-42
Drew Jones while working on CVE-2013-0190 found that that unprivileged guest user
in 32bit PV guest can use to crash the > guest with the panic like this:
-------------
general protection fault: 0000 [#1] SMP
last sysfs file: /sys/devices/vbd-51712/block/xvda/dev
Modules linked in: sunrpc ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4
iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6
xt_state nf_conntrack ip6table_filter ip6_tables ipv6 xen_netfront ext4
mbcache jbd2 xen_blkfront dm_mirror dm_region_hash dm_log dm_mod [last
unloaded: scsi_wait_scan]
Pid: 1250, comm: r Not tainted 2.6.32-356.el6.i686 #1
EIP: 0061:[<
c0407462>] EFLAGS:
00010086 CPU: 0
EIP is at xen_iret+0x12/0x2b
EAX:
eb8d0000 EBX:
00000001 ECX:
08049860 EDX:
00000010
ESI:
00000000 EDI:
003d0f00 EBP:
b77f8388 ESP:
eb8d1fe0
DS: 0000 ES: 007b FS: 0000 GS: 00e0 SS: 0069
Process r (pid: 1250, ti=
eb8d0000 task=
c2953550 task.ti=
eb8d0000)
Stack:
00000000 0027f416 00000073 00000206 b77f8364 0000007b 00000000 00000000
Call Trace:
Code: c3 8b 44 24 18 81 4c 24 38 00 02 00 00 8d 64 24 30 e9 03 00 00 00
8d 76 00 f7 44 24 08 00 00 02 80 75 33 50 b8 00 e0 ff ff 21 e0 <8b> 40
10 8b 04 85 a0 f6 ab c0 8b 80 0c b0 b3 c0 f6 44 24 0d 02
EIP: [<
c0407462>] xen_iret+0x12/0x2b SS:ESP 0069:
eb8d1fe0
general protection fault: 0000 [#2]
---[ end trace
ab0d29a492dcd330 ]---
Kernel panic - not syncing: Fatal exception
Pid: 1250, comm: r Tainted: G D ---------------
2.6.32-356.el6.i686 #1
Call Trace:
[<
c08476df>] ? panic+0x6e/0x122
[<
c084b63c>] ? oops_end+0xbc/0xd0
[<
c084b260>] ? do_general_protection+0x0/0x210
[<
c084a9b7>] ? error_code+0x73/
-------------
Petr says: "
I've analysed the bug and I think that xen_iret() cannot cope with
mangled DS, in this case zeroed out (null selector/descriptor) by either
xen_failsafe_callback() or RESTORE_REGS because the corresponding LDT
entry was invalidated by the reproducer. "
Jan took a look at the preliminary patch and came up a fix that solves
this problem:
"This code gets called after all registers other than those handled by
IRET got already restored, hence a null selector in %ds or a non-null
one that got loaded from a code or read-only data descriptor would
cause a kernel mode fault (with the potential of crashing the kernel
as a whole, if panic_on_oops is set)."
The way to fix this is to realize that the we can only relay on the
registers that IRET restores. The two that are guaranteed are the
%cs and %ss as they are always fixed GDT selectors. Also they are
inaccessible from user mode - so they cannot be altered. This is
the approach taken in this patch.
Another alternative option suggested by Jan would be to relay on
the subtle realization that using the %ebp or %esp relative references uses
the %ss segment. In which case we could switch from using %eax to %ebp and
would not need the %ss over-rides. That would also require one extra
instruction to compensate for the one place where the register is used
as scaled index. However Andrew pointed out that is too subtle and if
further work was to be done in this code-path it could escape folks attention
and lead to accidents.
Reviewed-by: Petr Matousek <pmatouse@redhat.com>
Reported-by: Petr Matousek <pmatouse@redhat.com>
Reviewed-by: Andrew Cooper <andrew.cooper3@citrix.com>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mel Gorman [Mon, 11 Feb 2013 14:52:36 +0000 (14:52 +0000)]
x86/mm: Check if PUD is large when validating a kernel address
commit
0ee364eb316348ddf3e0dfcd986f5f13f528f821 upstream.
A user reported the following oops when a backup process reads
/proc/kcore:
BUG: unable to handle kernel paging request at
ffffbb00ff33b000
IP: [<
ffffffff8103157e>] kern_addr_valid+0xbe/0x110
[...]
Call Trace:
[<
ffffffff811b8aaa>] read_kcore+0x17a/0x370
[<
ffffffff811ad847>] proc_reg_read+0x77/0xc0
[<
ffffffff81151687>] vfs_read+0xc7/0x130
[<
ffffffff811517f3>] sys_read+0x53/0xa0
[<
ffffffff81449692>] system_call_fastpath+0x16/0x1b
Investigation determined that the bug triggered when reading
system RAM at the 4G mark. On this system, that was the first
address using 1G pages for the virt->phys direct mapping so the
PUD is pointing to a physical address, not a PMD page.
The problem is that the page table walker in kern_addr_valid() is
not checking pud_large() and treats the physical address as if
it was a PMD. If it happens to look like pmd_none then it'll
silently fail, probably returning zeros instead of real data. If
the data happens to look like a present PMD though, it will be
walked resulting in the oops above.
This patch adds the necessary pud_large() check.
Unfortunately the problem was not readily reproducible and now
they are running the backup program without accessing
/proc/kcore so the patch has not been validated but I think it
makes sense.
Signed-off-by: Mel Gorman <mgorman@suse.de>
Reviewed-by: Rik van Riel <riel@redhat.coM>
Reviewed-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: linux-mm@kvack.org
Link: http://lkml.kernel.org/r/20130211145236.GX21389@suse.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cody Xie [Sat, 16 Feb 2013 03:28:07 +0000 (11:28 +0800)]
rk3188 ds1006h : boot logo use linux default
Cody Xie [Fri, 15 Feb 2013 08:31:33 +0000 (16:31 +0800)]
rk3188 lr097: defconfig add support charger display
Cody Xie [Fri, 15 Feb 2013 08:22:36 +0000 (16:22 +0800)]
rk3188 ds1006h : do no invoke act8846_device_shutdown when shutdown without charger pluged in.
this would cause tablet cannot boot while plug in charger
and it can boot normally by press power button