firefly-linux-kernel-4.4.55.git
7 years agonet: stmmac: The netif_device_attach() should be called after napi_enable()
David Wu [Fri, 28 Apr 2017 09:41:43 +0000 (17:41 +0800)]
net: stmmac: The netif_device_attach() should be called after napi_enable()

If the netif_device_attach() is called earlier, the state of dev_queue is
waked, txtimer might be modified, and the txtimer is added at same time.
It might make run_timer_softirq crashed, because the timer is be detached
twice together.

Change-Id: I31dde4e940bddcc36372ca1f4a8313c0389d4e6b
Signed-off-by: David Wu <david.wu@rock-chips.com>
7 years agoarm: dts: simplified rk3229 board configs.
Frank Wang [Tue, 2 May 2017 08:42:38 +0000 (16:42 +0800)]
arm: dts: simplified rk3229 board configs.

Move EMMC and UART configs from every board DTS to a DTSI file.

Change-Id: If2fd49b9243b879ae89e172f55903eedfd4f3981
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: add watchdog and uart2 related for rk322x SoC
Frank Wang [Mon, 8 May 2017 07:23:40 +0000 (15:23 +0800)]
arm: dts: add watchdog and uart2 related for rk322x SoC

Add another GPIO sets for UART2 since the old ones are conflict
with SDMMC, also add watchdog support.

Change-Id: Ib0f1472b9a7760e15e1b83e103f65f43e3642643
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoARM: dts: rockchip: remove dev_mode from rk3288
Randy Li [Tue, 25 Apr 2017 03:08:03 +0000 (11:08 +0800)]
ARM: dts: rockchip: remove dev_mode from rk3288

Since there is no combo device at RK3288, no need to
use this property anymore.

Change-Id: I56434161c4167fc048e4956e97b29617367e28f6
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agoclk: rockchip: rk3288: always enable gpll_ddr for ddrc.
Tang Yun ping [Mon, 8 May 2017 01:36:10 +0000 (09:36 +0800)]
clk: rockchip: rk3288: always enable gpll_ddr for ddrc.

When ddr frequency scanning, need to switch to gpll for saving
times.

Change-Id: Ibb7e4ed1fa4babaf65e1d98c8a0891766cea63de
Signed-off-by: Tang Yun ping <typ@rock-chips.com>
7 years agosip: rockchip: add SHARE_PAGE_TYPE_DDR for ddr frequency scanning.
Tang Yun ping [Thu, 4 May 2017 12:38:28 +0000 (20:38 +0800)]
sip: rockchip: add SHARE_PAGE_TYPE_DDR for ddr frequency scanning.

Change-Id: I7b9c81912e15bf2cea6739a051e5f466ba759d77
Signed-off-by: Tang Yun ping <typ@rock-chips.com>
7 years agophy: rockchip-inno-usb2: increase otg sm work first schedule time
William Wu [Fri, 5 May 2017 10:16:32 +0000 (18:16 +0800)]
phy: rockchip-inno-usb2: increase otg sm work first schedule time

In rockchip inno usb2 phy driver, we use otg_sm_work to
dynamically manage power consumption for phy otg-port.
If the otg-port works as peripheral mode and doesn't
communicate with usb host, we will suspend phy.

But once suspend phy, the phy no longer has any internal
clock running, include the utmi_clk which supplied for
usb controller. So if we suspend phy before usb controller
init, it will cause usb controller fail to initialize.

Specifically, without this pathch, the observed order is:
 1. unplug usb cable
 2. start system, do dwc2 controller probe
 3. dwc2_lowlevel_hw_enable()
    - phy_init()
     - rockchip_usb2phy_init()
      - schedule otg_sm_work after 2s
        put phy in suspend, and close utmi_clk
 4. dwc2_hsotg_udc_start() - fail to initialize the usb core

Generally, dwc2_hsotg_udc_start() can be called within 5s
after start system on rockchip platform, so we increase the
the first schedule delay time to 6s for otg_sm_work afer usb
controller calls phy_init(), this can make sure that the usb
controller completes initialization before phy enter suspend.

Change-Id: I40a7f6b24620e49a1273cb9c5051d62efb62810d
Signed-off-by: William Wu <william.wu@rock-chips.com>
7 years agomailbox: rk3368: fix error setting if mbox_msg is null
Xu Jianqun [Thu, 4 May 2017 03:16:52 +0000 (11:16 +0800)]
mailbox: rk3368: fix error setting if mbox_msg is null

Fix the error dump:

[19252.682822] Unable to handle kernel NULL pointer dereference at
virtual address 00000020
[19252.682834] pgd = ffffff800935d000
[19252.682844] [00000020] *pgd=0000000077ffe003, *pud=0000000077ffe003,
*pmd=0000000000000000
[19252.682852] Internal error: Oops: 96000005 [#1] PREEMPT SMP
[19252.682863] Modules linked in: pvrsrvkm(O)
[19252.682872] CPU: 1 PID: 59 Comm: irq/32-ff6b0000 Tainted: G        W
O    4.4.55 #34
[19252.682875] Hardware name: Rockchip rk3368 p9 board (DT)
[19252.682880] task: ffffffc074cf8c40 ti: ffffffc074d04000 task.ti:
ffffffc074d04000
[19252.682894] PC is at mbox_chan_received_data+0xc/0x20
[19252.682901] LR is at rk3368_mbox_isr+0xb0/0xd0

Change-Id: I1873d6a7e7d1390d2c2c44a77c120d1a02614fdc
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agophy: rockchip-inno-usb2: add a delay after phy resume
William Wu [Fri, 5 May 2017 09:51:41 +0000 (17:51 +0800)]
phy: rockchip-inno-usb2: add a delay after phy resume

When resume phy, it need about 1.5 ~ 2ms to wait for
utmi_clk which used for USB controller to become stable.

Change-Id: I319a28069b4b3381f22cc34567226f341e948bd4
Signed-off-by: William Wu <william.wu@rock-chips.com>
7 years agoARM64: dts: rk3368-android: enable fiq mode
Huibin Hong [Thu, 4 May 2017 13:36:27 +0000 (21:36 +0800)]
ARM64: dts: rk3368-android: enable fiq mode

If this patch is used, dedicated trust firmwart is necessary.

Change-Id: I72ca3b1b722c4076f589341e40efcbeeb5a07a58
Signed-off-by: Huibin Hong <huibin.hong@rock-chips.com>
7 years agork_fiq_debugger: remove "read signal irq from dts directly"
Huibin Hong [Thu, 4 May 2017 13:33:37 +0000 (21:33 +0800)]
rk_fiq_debugger: remove "read signal irq from dts directly"

Change-Id: I1f531ce2f58b33d5501f8446ad393e7ac4f27ef0
Signed-off-by: Huibin Hong <huibin.hong@rock-chips.com>
7 years agoarm: dts: rk322x-android: enable usb otg controller and its phy
William Wu [Fri, 5 May 2017 09:41:00 +0000 (17:41 +0800)]
arm: dts: rk322x-android: enable usb otg controller and its phy

Change-Id: Ie03c7fe388360b0285d2a6eb0a455f5ed28e74c4
Signed-off-by: William Wu <william.wu@rock-chips.com>
7 years agophy: rockchip-inno-usb2: add otg-port support for rk322x SoC
William Wu [Fri, 5 May 2017 09:36:35 +0000 (17:36 +0800)]
phy: rockchip-inno-usb2: add otg-port support for rk322x SoC

This patch adds USB 2.0 PHY otg-port configuration for rk322x
SoC, this otg-port can be used for USB 2.0 OTG interface.

Change-Id: I7f2e362292edb45078a16d1a9665e3bdccc54814
Signed-off-by: William Wu <william.wu@rock-chips.com>
7 years agoarm: dts: rockchip: add u2phy otg-port and dwc2 ctrl nodes for rk322x SoC
William Wu [Fri, 5 May 2017 09:29:56 +0000 (17:29 +0800)]
arm: dts: rockchip: add u2phy otg-port and dwc2 ctrl nodes for rk322x SoC

This patch adds dwc2 controller and its phy nodes for rk322x SoC.

Change-Id: I29779baf92c28154ad342e234e8a5582984b8a12
Signed-off-by: William Wu <william.wu@rock-chips.com>
7 years agoARM: dts: rk322x: add vop display node
Mark Yao [Wed, 3 May 2017 08:25:50 +0000 (16:25 +0800)]
ARM: dts: rk322x: add vop display node

Change-Id: Ic26431540260c758b6872020c36a41efdb2d82f2
Signed-off-by: Mark Yao <mark.yao@rock-chips.com>
7 years agoOP-TEE: use sema_init instead of __SEMAPHORE_INITIALIZER
Huang, Tao [Sat, 6 May 2017 05:45:41 +0000 (13:45 +0800)]
OP-TEE: use sema_init instead of __SEMAPHORE_INITIALIZER

Fix lockdep warning:
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
CPU:rk3288:/ $  0 PID: 234 Comm: tee-supplicant Not tainted 4.4.64 #51
Hardware name: Rockchip (Device Tree)
[<c0110018>] (unwind_backtrace) from [<c010c048>] (show_stack+0x10/0x14)
[<c010c048>] (show_stack) from [<c04194a8>] (dump_stack+0x9c/0xd4)
[<c04194a8>] (dump_stack) from [<c018321c>] (__lock_acquire+0x638/0x1c10)
[<c018321c>] (__lock_acquire) from [<c01850ec>] (lock_acquire+0x1d0/0x29c)
[<c01850ec>] (lock_acquire) from [<c0bc0f3c>] (_raw_spin_lock_irqsave+0x50/0x64)
[<c0bc0f3c>] (_raw_spin_lock_irqsave) from [<c017e148>] (down_interruptible+0xc/0x48)
[<c017e148>] (down_interruptible) from [<c03cd72c>] (tee_supp_read+0x74/0x154)
[<c03cd72c>] (tee_supp_read) from [<c025d638>] (__vfs_read+0x2c/0xf0)
[<c025d638>] (__vfs_read) from [<c025de30>] (vfs_read+0x84/0x134)
[<c025de30>] (vfs_read) from [<c025e720>] (SyS_read+0x4c/0xa4)
[<c025e720>] (SyS_read) from [<c01072c0>] (ret_fast_syscall+0x0/0x1c)

Change-Id: I09335112bed6efb30e60a22b471d4467eecaf520
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: enable MODVERSIONS
Huang, Tao [Sat, 6 May 2017 09:52:33 +0000 (17:52 +0800)]
arm64: rockchip_defconfig: enable MODVERSIONS

353a964727cf ("ANDROID: android-base.cfg: add CONFIG_MODULES option")

Change-Id: I8e85dfd6c7fedf797066e5e707eba7595dc2c123
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: enable CONFIG_IKCONFIG
Huang, Tao [Sat, 6 May 2017 09:52:00 +0000 (17:52 +0800)]
arm64: rockchip_defconfig: enable CONFIG_IKCONFIG

6286b142aeb2 ("ANDROID: android-base.cfg: add CONFIG_IKCONFIG option")

Change-Id: I68b0dc00a68a3eb885eb32d8c82b326067a438dc
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: disable CONFIG_USELIB
Huang, Tao [Sat, 6 May 2017 09:51:02 +0000 (17:51 +0800)]
arm64: rockchip_defconfig: disable CONFIG_USELIB

1c634ee26be1 ("config: disable CONFIG_USELIB and CONFIG_FHANDLE")

Change-Id: I1518e974427572d941b982db3896eb72822872f8
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS
Huang, Tao [Sat, 6 May 2017 09:50:17 +0000 (17:50 +0800)]
arm64: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS

2ea16502ca00 ("ANDROID: uid_sys_stats: rename uid_cputime.c to uid_sys_stats.c")

Change-Id: I11ad23129722f87111a5c6f3881b4bdcc5626f66
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: enable ARM64_SW_TTBR0_PAN
Huang, Tao [Sat, 6 May 2017 09:56:21 +0000 (17:56 +0800)]
arm64: rockchip_defconfig: enable ARM64_SW_TTBR0_PAN

536bf705c5fd ("ANDROID: configs: CONFIG_ARM64_SW_TTBR0_PAN=y")

Change-Id: I49f562d81d8f354dfbeb545618bc6c907256d60b
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: enable MODVERSIONS
Huang, Tao [Sat, 6 May 2017 09:29:27 +0000 (17:29 +0800)]
ARM: rockchip_defconfig: enable MODVERSIONS

353a964727cf ("ANDROID: android-base.cfg: add CONFIG_MODULES option")

Change-Id: Ia85709d1dc711f1ed8632e6299f121b4e6fbedc2
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: enable CONFIG_IKCONFIG
Huang, Tao [Sat, 6 May 2017 09:28:01 +0000 (17:28 +0800)]
ARM: rockchip_defconfig: enable CONFIG_IKCONFIG

6286b142aeb2 ("ANDROID: android-base.cfg: add CONFIG_IKCONFIG option")

Change-Id: I4d0369b990f9f9d707b672c6959e668307be700b
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: disable CONFIG_USELIB
Huang, Tao [Sat, 6 May 2017 09:26:09 +0000 (17:26 +0800)]
ARM: rockchip_defconfig: disable CONFIG_USELIB

1c634ee26be1 ("config: disable CONFIG_USELIB and CONFIG_FHANDLE")

Change-Id: I617db2524c604e732d9d3f4eae0b8566efd82e98
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoARM: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS
Huang, Tao [Sat, 6 May 2017 09:23:51 +0000 (17:23 +0800)]
ARM: rockchip_defconfig: rename UID_CPUTIME to UID_SYS_STATS

2ea16502ca00 ("ANDROID: uid_sys_stats: rename uid_cputime.c to uid_sys_stats.c")

Change-Id: I345f44e510cb0168e9816f7d9adecf5772cdb092
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoMerge branch 'linux-linaro-lsk-v4.4-android' of git://git.linaro.org/kernel/linux...
Huang, Tao [Sat, 6 May 2017 06:23:00 +0000 (14:23 +0800)]
Merge branch 'linux-linaro-lsk-v4.4-android' of git://git.linaro.org/kernel/linux-linaro-stable.git

* linux-linaro-lsk-v4.4-android: (521 commits)
  Linux 4.4.66
  ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
  ARCv2: save r30 on kernel entry as gcc uses it for code-gen
  nfsd: check for oversized NFSv2/v3 arguments
  Input: i8042 - add Clevo P650RS to the i8042 reset list
  p9_client_readdir() fix
  MIPS: Avoid BUG warning in arch_check_elf
  MIPS: KGDB: Use kernel context for sleeping threads
  ALSA: seq: Don't break snd_use_lock_sync() loop by timeout
  ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
  ipv6: check raw payload size correctly in ioctl
  ipv6: check skb->protocol before lookup for nexthop
  macvlan: Fix device ref leak when purging bc_queue
  ip6mr: fix notification device destruction
  netpoll: Check for skb->queue_mapping
  net: ipv6: RTF_PCPU should not be settable from userspace
  dp83640: don't recieve time stamps twice
  tcp: clear saved_syn in tcp_disconnect()
  sctp: listen on the sock only when it's state is listening or closed
  net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
  ...

Conflicts:
drivers/usb/dwc3/gadget.c
include/linux/usb/quirks.h

Change-Id: I490f766b9a530b10da3107e20709538e4536a99d

7 years agoARM: rockchip_defconfig: update by savedefconfig
Huang, Tao [Sat, 6 May 2017 06:20:20 +0000 (14:20 +0800)]
ARM: rockchip_defconfig: update by savedefconfig

Change-Id: I96ee84cfa4b40b10f5fb273044a81b22f20f4efb
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agoarm64: rockchip_defconfig: update by savedefconfig
Huang, Tao [Sat, 6 May 2017 06:17:39 +0000 (14:17 +0800)]
arm64: rockchip_defconfig: update by savedefconfig

Change-Id: I4aa6538762060d62da3da56065abee4d42134da2
Signed-off-by: Huang, Tao <huangtao@rock-chips.com>
7 years agocamera: rockchip: camsys driver disable debug
Xu Jianqun [Thu, 4 May 2017 07:09:06 +0000 (15:09 +0800)]
camera: rockchip: camsys driver disable debug

Change-Id: I1a4b3d1ab0e96bbc4ff482b8f3a3f8aa98b4529d
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoarm64: dts: rk3368: add rockchip-suspend node
XiaoDong Huang [Fri, 5 May 2017 01:14:58 +0000 (09:14 +0800)]
arm64: dts: rk3368: add rockchip-suspend node

Change-Id: I68f8068c795e87ffa3cbea4b23ba5df56a70218d
Signed-off-by: XiaoDong Huang <derrick.huang@rock-chips.com>
7 years agosoc: rockchip: support rk3368 pm config
XiaoDong Huang [Wed, 26 Apr 2017 11:06:08 +0000 (19:06 +0800)]
soc: rockchip: support rk3368 pm config

Change-Id: I69e823d397a411c1b1395563870fca6485dfb936
Signed-off-by: XiaoDong Huang <derrick.huang@rock-chips.com>
7 years agoarm: dts: assigned host vbus regulator for rk3229-evb board
Frank Wang [Thu, 4 May 2017 07:20:14 +0000 (15:20 +0800)]
arm: dts: assigned host vbus regulator for rk3229-evb board

Change-Id: I86608300c600db0ece0120ce3fba0f541953910e
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: assigned host vbus regulator for rk3229-echo-v10 board
Frank Wang [Thu, 4 May 2017 07:16:32 +0000 (15:16 +0800)]
arm: dts: assigned host vbus regulator for rk3229-echo-v10 board

Change-Id: Ia4cd6a915750d933886b217d2c4818d4f66d31c9
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: enable all usb phy and usb host for rk322x SoC
Frank Wang [Thu, 4 May 2017 10:58:16 +0000 (18:58 +0800)]
arm: dts: enable all usb phy and usb host for rk322x SoC

Change-Id: Ia69914348eee190aea0cd0f1a380a4ce569f1cdf
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: add usb-phy and usb2.0 host nodes for rk322x SoC
Frank Wang [Thu, 4 May 2017 06:35:36 +0000 (14:35 +0800)]
arm: dts: add usb-phy and usb2.0 host nodes for rk322x SoC

This patch adds usb2.0 host and usb-phy related nodes for rk322x SoC.

Change-Id: Ib1c5375f81c8d7b55608b1b1793c27be012a8c6e
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agophy: rockchip-inno-usb2: add host-port support for rk322x SoC
Frank Wang [Thu, 4 May 2017 06:11:34 +0000 (14:11 +0800)]
phy: rockchip-inno-usb2: add host-port support for rk322x SoC

This adds support host-port on rk322x SoC and amend phy Documentation.

Change-Id: I440adc10e25c98cbe220275fecd12774c08d24d1
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agovideo: rockchip: vpu: support VDPU at RK3328
Randy Li [Wed, 12 Apr 2017 05:41:41 +0000 (13:41 +0800)]
video: rockchip: vpu: support VDPU at RK3328

The VDPU at RK3328 is a standalone decoder IP without
encoder. Also there is the other AVS+ decoder IP,
working as the combo IP.

I introduce the following commit from develop-3.10,
commit ee2f9f6912fb ("rk322xh/vcodec: bugfix, avoid combo device overwrite irq status")
commit 568dabeb12ef ("rockchip/vcodec: bugfix, inconsistence power on/off operation")

The following patches have not been introduced,
it would effect RKV device:
commit b8a2ce7e5b60 ("rockchip/vcodec: disable power-save optimization for hw defeat")
commit 046faf9ba20a ("rk322xh/vcodec: bugfix, probe failed when ion cma heap undefined")
commit beaeb230cbf2 ("rk322xh/vcodec: revise for rk322xh feature")

Change-Id: Ifc14daa84b692f8fcfbd4f6690ed66dd56bbbe29
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agovideo: rockchip: vpu: add avs decoder table
Randy Li [Mon, 17 Apr 2017 02:22:13 +0000 (10:22 +0800)]
video: rockchip: vpu: add avs decoder table

This table would be used for both AVS and AVS+ decoder.

Change-Id: I9557a3d170943a3b544d97b6c63f02679bd7b532
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agovideo: rockchip: vpu: only use the dev_mode for combo
Randy Li [Tue, 25 Apr 2017 03:06:06 +0000 (11:06 +0800)]
video: rockchip: vpu: only use the dev_mode for combo

The most of device can get this its running type from the
compatible. This property becomes unnecessary.

Change-Id: I40ec41b130fac2cadd47d92332d27c58a8c2c9f7
Signed-off-by: Randy Li <randy.li@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: add mutex lock for pmu register
Finley Xiao [Tue, 2 May 2017 12:30:13 +0000 (20:30 +0800)]
PM / devfreq: rockchip_dmc: add mutex lock for pmu register

As dmc may also assess register PMU_BUS_IDLE_REQ, we should prevent
pd driver and dmc driver assessing this register at the same time.

Change-Id: I546033536c87dcf497774cbc6c8f36a3e651ff07
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agosoc: rockchip: power-domain: export rockchip_pm_register_notify_to_dmc
Finley Xiao [Tue, 2 May 2017 07:15:26 +0000 (15:15 +0800)]
soc: rockchip: power-domain: export rockchip_pm_register_notify_to_dmc

This function registers a notifier to dmc devfreq, it will lock the mutex
of pmu when scaling frequency, so that pd driver and dmc driver will not
assess register PMU_BUS_IDLE_REQ at the same time.

Change-Id: I0ba96599d9050d11924d032146e6b4d415629614
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agodmaengine: pl330: fix error message to dev_err_ratelimited
Xu Jianqun [Thu, 4 May 2017 03:57:33 +0000 (11:57 +0800)]
dmaengine: pl330: fix error message to dev_err_ratelimited

Change-Id: I4d1191f5b7d330c2786eaac42213b4d255b05db8
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoARM64: dts: rk3368-p9: enable route mipi
Zorro Liu [Thu, 4 May 2017 03:10:45 +0000 (11:10 +0800)]
ARM64: dts: rk3368-p9: enable route mipi

Change-Id: Ib93918524c173bce1283b0001e0f8ca91594dc6f
Signed-off-by: Zorro Liu <lyx@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: set polling_ms to 50
Finley Xiao [Tue, 2 May 2017 12:13:18 +0000 (20:13 +0800)]
PM / devfreq: rockchip_dmc: set polling_ms to 50

In order to scaling frequency more timely, reduce the polling_ms.

Change-Id: Icbee5552396fa0552fb514d92ea77687228c3e28
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoPM / devfreq: rockchip_dmc: add support for rk3368
Finley Xiao [Tue, 2 May 2017 11:56:03 +0000 (19:56 +0800)]
PM / devfreq: rockchip_dmc: add support for rk3368

This adds the necessary data for handling dmcfreq on the rk3368.

Change-Id: Ie202cbaa3b27e52b22a5efc57c6e108fbd03a20a
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoMerge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android
Alex Shi [Thu, 4 May 2017 04:01:39 +0000 (12:01 +0800)]
Merge branch 'linux-linaro-lsk-v4.4' into linux-linaro-lsk-v4.4-android

7 years ago Merge tag 'v4.4.66' into linux-linaro-lsk-v4.4
Alex Shi [Thu, 4 May 2017 04:01:37 +0000 (12:01 +0800)]
 Merge tag 'v4.4.66' into linux-linaro-lsk-v4.4

 This is the 4.4.66 stable release

7 years agoPM / devfreq: rockchip_dmc: separate the initialized code of dram
Finley Xiao [Tue, 2 May 2017 09:31:30 +0000 (17:31 +0800)]
PM / devfreq: rockchip_dmc: separate the initialized code of dram

It will be easy to compatible with more rockchip platforms,
if move the initialized code of dram into a separated function.

Change-Id: Iad8738b2c0995712723a8e3e84f12ae6b9b2aa91
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agocamera: rockchip: camsys_drv: 0.0x21.0xe
dalong.zhang [Tue, 2 May 2017 13:58:55 +0000 (21:58 +0800)]
camera: rockchip: camsys_drv: 0.0x21.0xe

1) correct mipiphy_hsfreqrange of 3368.
2) add csi-phy timing setting for 3368.

Change-Id: Ia5203dcd8f01bc8989d5bb41a1b2af71bb91f607
Signed-off-by: dalong.zhang <dalon.zhang@rock-chips.com>
7 years agoarm64: dts: rockchip: fix uart3 pinctrl error of rk3368
Zorro Liu [Thu, 4 May 2017 01:25:09 +0000 (09:25 +0800)]
arm64: dts: rockchip: fix uart3 pinctrl error of rk3368

Change-Id: Ie62fd4c6cf1a9c38a1793c9ccd0085c91f38f438
Signed-off-by: Zorro Liu <lyx@rock-chips.com>
7 years agodrm/rockchip: rga: use DMA_BIDIRECTIONAL
Jacob Chen [Tue, 2 May 2017 03:25:31 +0000 (11:25 +0800)]
drm/rockchip: rga: use DMA_BIDIRECTIONAL

In some cases, we need to read data from RGA
and DMA_TO_DEVICE are not a proper flag
So change to DMA_BIDIRECTIONAL

Change-Id: I9d421e8a15f948fcb6643addab558803247ea161
Signed-off-by: Jacob Chen <jacob2.chen@rock-chips.com>
7 years agoarm: dts: rk3288: remove assinged parent for NPLL/GPLL
Xu Jianqun [Thu, 4 May 2017 01:08:30 +0000 (09:08 +0800)]
arm: dts: rk3288: remove assinged parent for NPLL/GPLL

Change-Id: I6ab7dff4d886a776677331f370d9632363abaa87
Signed-off-by: Xu Jianqun <jay.xu@rock-chips.com>
7 years agoarm: dts: add the basic dt file for rk3229-echo-v10
Frank Wang [Tue, 25 Apr 2017 09:19:11 +0000 (17:19 +0800)]
arm: dts: add the basic dt file for rk3229-echo-v10

Initial support for rk3229-echo board.

Change-Id: I7587d333f296f66727bf1c686911cfca2f3c5619
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoarm: dts: add android dtsi for rk322x SoC
Frank Wang [Tue, 2 May 2017 09:28:35 +0000 (17:28 +0800)]
arm: dts: add android dtsi for rk322x SoC

Change-Id: I400ab97db9d333d53474978bb339ce2ed8a99ed4
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
7 years agoclk: rockchip: rk3228: fix up the clk cpu setting
Elaine Zhang [Thu, 27 Apr 2017 07:24:46 +0000 (15:24 +0800)]
clk: rockchip: rk3228: fix up the clk cpu setting

support more cpu freq
add armcore div setting

Change-Id: I46ab974da763bab2e887377848be1d9049a1568f
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoarm: dts: rk3228: add some assigned-clocks
Elaine Zhang [Thu, 27 Apr 2017 06:40:57 +0000 (14:40 +0800)]
arm: dts: rk3228: add some assigned-clocks

Change-Id: I257bbfe5ccea74245a6fe3269a896ab968a34c4f
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoclk: rockchip: rk3228: Perfect clock description
Elaine Zhang [Thu, 27 Apr 2017 06:37:34 +0000 (14:37 +0800)]
clk: rockchip: rk3228: Perfect clock description

1 Add some necessary clk ID.
2 some clks add CLK_IGNORE_UNUSED flag
3 add some critical clk

Change-Id: If52699b4d5f430413b06084b7d21fb1afd4539dd
Signed-off-by: Elaine Zhang <zhangqing@rock-chips.com>
7 years agoclk: rockchip: rk3288: add ddrc clock support
Finley Xiao [Thu, 6 Apr 2017 03:40:01 +0000 (11:40 +0800)]
clk: rockchip: rk3288: add ddrc clock support

Add a ddrc clock into clk branches, so we can do ddr frequency
scaling on rk3288 platform in future.

Change-Id: Ia6c93e5ce82fa30475eddf051bc9ea2512b0cc07
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoclk: rockchip: add SCLK_DDRCLK id for rk3288 ddrc
Finley Xiao [Thu, 6 Apr 2017 03:33:40 +0000 (11:33 +0800)]
clk: rockchip: add SCLK_DDRCLK id for rk3288 ddrc

Add the needed id for the ddr clock.

Change-Id: I9578decd2348a35a6e9c4cc3527375d4d02a2af6
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoarm64: dts: rockchip: Rename OPP nodes as opp-<opp-hz>
Finley Xiao [Wed, 3 May 2017 03:35:50 +0000 (11:35 +0800)]
arm64: dts: rockchip: Rename OPP nodes as opp-<opp-hz>

Compiling the DT file with W=1, DTC warns like follows:

Warning (unit_address_vs_reg): Node /opp_table0/opp@1000000000 has a
unit name, but no reg property

Fix this by replacing '@' with '-' as the OPP nodes will never have a
"reg" property.

Change-Id: I5748be7888db149633c3980c3f5e9715cd256a52
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoARM: dts: rk3288: Rename OPP nodes as opp-<opp-hz>
Finley Xiao [Wed, 3 May 2017 03:34:18 +0000 (11:34 +0800)]
ARM: dts: rk3288: Rename OPP nodes as opp-<opp-hz>

Compiling the DT file with W=1, DTC warns like follows:

Warning (unit_address_vs_reg): Node /opp_table0/opp@1000000000 has a
unit name, but no reg property

Fix this by replacing '@' with '-' as the OPP nodes will never have a
"reg" property.

Change-Id: Id239f49618a818ad87bb77e99f52b52a5ee2dbc6
Signed-off-by: Finley Xiao <finley.xiao@rock-chips.com>
7 years agoLinux 4.4.66
Greg Kroah-Hartman [Wed, 3 May 2017 04:20:09 +0000 (21:20 -0700)]
Linux 4.4.66

7 years agoftrace/x86: Fix triple fault with graph tracing and suspend-to-ram
Josh Poimboeuf [Thu, 13 Apr 2017 22:53:55 +0000 (17:53 -0500)]
ftrace/x86: Fix triple fault with graph tracing and suspend-to-ram

commit 34a477e5297cbaa6ecc6e17c042a866e1cbe80d6 upstream.

On x86-32, with CONFIG_FIRMWARE and multiple CPUs, if you enable function
graph tracing and then suspend to RAM, it will triple fault and reboot when
it resumes.

The first fault happens when booting a secondary CPU:

startup_32_smp()
  load_ucode_ap()
    prepare_ftrace_return()
      ftrace_graph_is_dead()
        (accesses 'kill_ftrace_graph')

The early head_32.S code calls into load_ucode_ap(), which has an an
ftrace hook, so it calls prepare_ftrace_return(), which calls
ftrace_graph_is_dead(), which tries to access the global
'kill_ftrace_graph' variable with a virtual address, causing a fault
because the CPU is still in real mode.

The fix is to add a check in prepare_ftrace_return() to make sure it's
running in protected mode before continuing.  The check makes sure the
stack pointer is a virtual kernel address.  It's a bit of a hack, but
it's not very intrusive and it works well enough.

For reference, here are a few other (more difficult) ways this could
have potentially been fixed:

- Move startup_32_smp()'s call to load_ucode_ap() down to *after* paging
  is enabled.  (No idea what that would break.)

- Track down load_ucode_ap()'s entire callee tree and mark all the
  functions 'notrace'.  (Probably not realistic.)

- Pause graph tracing in ftrace_suspend_notifier_call() or bringup_cpu()
  or __cpu_up(), and ensure that the pause facility can be queried from
  real mode.

Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Tested-by: Paul Menzel <pmenzel@molgen.mpg.de>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: "Rafael J . Wysocki" <rjw@rjwysocki.net>
Cc: linux-acpi@vger.kernel.org
Cc: Borislav Petkov <bp@alien8.de>
Cc: Len Brown <lenb@kernel.org>
Link: http://lkml.kernel.org/r/5c1272269a580660703ed2eccf44308e790c7a98.1492123841.git.jpoimboe@redhat.com
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoARCv2: save r30 on kernel entry as gcc uses it for code-gen
Vineet Gupta [Mon, 9 Jan 2017 03:45:48 +0000 (19:45 -0800)]
ARCv2: save r30 on kernel entry as gcc uses it for code-gen

commit ecd43afdbe72017aefe48080631eb625e177ef4d upstream.

This is not exposed to userspace debugers yet, which can be done
independently as a seperate patch !

Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonfsd: check for oversized NFSv2/v3 arguments
J. Bruce Fields [Fri, 21 Apr 2017 20:10:18 +0000 (16:10 -0400)]
nfsd: check for oversized NFSv2/v3 arguments

commit e6838a29ecb484c97e4efef9429643b9851fba6e upstream.

A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoInput: i8042 - add Clevo P650RS to the i8042 reset list
Dmitry Torokhov [Thu, 13 Apr 2017 22:36:31 +0000 (15:36 -0700)]
Input: i8042 - add Clevo P650RS to the i8042 reset list

commit 7c5bb4ac2b76d2a09256aec8a7d584bf3e2b0466 upstream.

Clevo P650RS and other similar devices require i8042 to be reset in order
to detect Synaptics touchpad.

Reported-by: Paweł Bylica <chfast@gmail.com>
Tested-by: Ed Bordin <edbordin@gmail.com>
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agop9_client_readdir() fix
Al Viro [Fri, 14 Apr 2017 21:22:18 +0000 (17:22 -0400)]
p9_client_readdir() fix

commit 71d6ad08379304128e4bdfaf0b4185d54375423e upstream.

Don't assume that server is sane and won't return more data than
asked for.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: Avoid BUG warning in arch_check_elf
James Cowgill [Tue, 11 Apr 2017 12:51:07 +0000 (13:51 +0100)]
MIPS: Avoid BUG warning in arch_check_elf

commit c46f59e90226fa5bfcc83650edebe84ae47d454b upstream.

arch_check_elf contains a usage of current_cpu_data that will call
smp_processor_id() with preemption enabled and therefore triggers a
"BUG: using smp_processor_id() in preemptible" warning when an fpxx
executable is loaded.

As a follow-up to commit b244614a60ab ("MIPS: Avoid a BUG warning during
prctl(PR_SET_FP_MODE, ...)"), apply the same fix to arch_check_elf by
using raw_current_cpu_data instead. The rationale quoted from the previous
commit:

"It is assumed throughout the kernel that if any CPU has an FPU, then
all CPUs would have an FPU as well, so it is safe to perform the check
with preemption enabled - change the code to use raw_ variant of the
check to avoid the warning."

Fixes: 46490b572544 ("MIPS: kernel: elf: Improve the overall ABI and FPU mode checks")
Signed-off-by: James Cowgill <James.Cowgill@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15951/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: KGDB: Use kernel context for sleeping threads
James Hogan [Thu, 30 Mar 2017 15:06:02 +0000 (16:06 +0100)]
MIPS: KGDB: Use kernel context for sleeping threads

commit 162b270c664dca2e0944308e92f9fcc887151a72 upstream.

KGDB is a kernel debug stub and it can't be used to debug userland as it
can only safely access kernel memory.

On MIPS however KGDB has always got the register state of sleeping
processes from the userland register context at the beginning of the
kernel stack. This is meaningless for kernel threads (which never enter
userland), and for user threads it prevents the user seeing what it is
doing while in the kernel:

(gdb) info threads
  Id   Target Id         Frame
  ...
  3    Thread 2 (kthreadd) 0x0000000000000000 in ?? ()
  2    Thread 1 (init)   0x000000007705c4b4 in ?? ()
  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201

Get the register state instead from the (partial) kernel register
context stored in the task's thread_struct for resume() to restore. All
threads now correctly appear to be in context_switch():

(gdb) info threads
  Id   Target Id         Frame
  ...
  3    Thread 2 (kthreadd) context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
  2    Thread 1 (init)   context_switch (rq=<optimized out>, cookie=..., next=<optimized out>, prev=0x0) at kernel/sched/core.c:2903
  1    Thread -2 (shadowCPU0) 0xffffffff8012524c in arch_kgdb_breakpoint () at arch/mips/kernel/kgdb.c:201

Call clobbered registers which aren't saved and exception registers
(BadVAddr & Cause) which can't be easily determined without stack
unwinding are reported as 0. The PC is taken from the return address,
such that the state presented matches that found immediately after
returning from resume().

Fixes: 8854700115ec ("[MIPS] kgdb: add arch support for the kernel's kgdb core")
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/15829/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoALSA: seq: Don't break snd_use_lock_sync() loop by timeout
Takashi Iwai [Sun, 9 Apr 2017 08:41:27 +0000 (10:41 +0200)]
ALSA: seq: Don't break snd_use_lock_sync() loop by timeout

commit 4e7655fd4f47c23e5249ea260dc802f909a64611 upstream.

The snd_use_lock_sync() (thus its implementation
snd_use_lock_sync_helper()) has the 5 seconds timeout to break out of
the sync loop.  It was introduced from the beginning, just to be
"safer", in terms of avoiding the stupid bugs.

However, as Ben Hutchings suggested, this timeout rather introduces a
potential leak or use-after-free that was apparently fixed by the
commit 2d7d54002e39 ("ALSA: seq: Fix race during FIFO resize"):
for example, snd_seq_fifo_event_in() -> snd_seq_event_dup() ->
copy_from_user() could block for a long time, and snd_use_lock_sync()
goes timeout and still leaves the cell at releasing the pool.

For fixing such a problem, we remove the break by the timeout while
still keeping the warning.

Suggested-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type
Takashi Sakamoto [Fri, 14 Apr 2017 03:43:01 +0000 (12:43 +0900)]
ALSA: firewire-lib: fix inappropriate assignment between signed/unsigned type

commit dfb00a56935186171abb5280b3407c3f910011f1 upstream.

An abstraction of asynchronous transaction for transmission of MIDI
messages was introduced in Linux v4.4. Each driver can utilize this
abstraction to transfer MIDI messages via fixed-length payload of
transaction to a certain unit address. Filling payload of the transaction
is done by callback. In this callback, each driver can return negative
error code, however current implementation assigns the return value to
unsigned variable.

This commit changes type of the variable to fix the bug.

Reported-by: Julia Lawall <Julia.Lawall@lip6.fr>
Fixes: 585d7cba5e1f ("ALSA: firewire-lib: add helper functions for asynchronous transactions to transfer MIDI messages")
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoipv6: check raw payload size correctly in ioctl
Jamie Bainbridge [Wed, 26 Apr 2017 00:43:27 +0000 (10:43 +1000)]
ipv6: check raw payload size correctly in ioctl

[ Upstream commit 105f5528b9bbaa08b526d3405a5bcd2ff0c953c8 ]

In situations where an skb is paged, the transport header pointer and
tail pointer can be the same because the skb contents are in frags.

This results in ioctl(SIOCINQ/FIONREAD) incorrectly returning a
length of 0 when the length to receive is actually greater than zero.

skb->len is already correctly set in ip6_input_finish() with
pskb_pull(), so use skb->len as it always returns the correct result
for both linear and paged data.

Signed-off-by: Jamie Bainbridge <jbainbri@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoipv6: check skb->protocol before lookup for nexthop
WANG Cong [Tue, 25 Apr 2017 21:37:15 +0000 (14:37 -0700)]
ipv6: check skb->protocol before lookup for nexthop

[ Upstream commit 199ab00f3cdb6f154ea93fa76fd80192861a821d ]

Andrey reported a out-of-bound access in ip6_tnl_xmit(), this
is because we use an ipv4 dst in ip6_tnl_xmit() and cast an IPv4
neigh key as an IPv6 address:

        neigh = dst_neigh_lookup(skb_dst(skb),
                                 &ipv6_hdr(skb)->daddr);
        if (!neigh)
                goto tx_err_link_failure;

        addr6 = (struct in6_addr *)&neigh->primary_key; // <=== HERE
        addr_type = ipv6_addr_type(addr6);

        if (addr_type == IPV6_ADDR_ANY)
                addr6 = &ipv6_hdr(skb)->daddr;

        memcpy(&fl6->daddr, addr6, sizeof(fl6->daddr));

Also the network header of the skb at this point should be still IPv4
for 4in6 tunnels, we shold not just use it as IPv6 header.

This patch fixes it by checking if skb->protocol is ETH_P_IPV6: if it
is, we are safe to do the nexthop lookup using skb_dst() and
ipv6_hdr(skb)->daddr; if not (aka IPv4), we have no clue about which
dest address we can pick here, we have to rely on callers to fill it
from tunnel config, so just fall to ip6_route_output() to make the
decision.

Fixes: ea3dc9601bda ("ip6_tunnel: Add support for wildcard tunnel endpoints.")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomacvlan: Fix device ref leak when purging bc_queue
Herbert Xu [Thu, 20 Apr 2017 12:55:12 +0000 (20:55 +0800)]
macvlan: Fix device ref leak when purging bc_queue

[ Upstream commit f6478218e6edc2a587b8f132f66373baa7b2497c ]

When a parent macvlan device is destroyed we end up purging its
broadcast queue without dropping the device reference count on
the packet source device.  This causes the source device to linger.

This patch drops that reference count.

Fixes: 260916dfb48c ("macvlan: Fix potential use-after free for...")
Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoip6mr: fix notification device destruction
Nikolay Aleksandrov [Fri, 21 Apr 2017 17:42:16 +0000 (20:42 +0300)]
ip6mr: fix notification device destruction

[ Upstream commit 723b929ca0f79c0796f160c2eeda4597ee98d2b8 ]

Andrey Konovalov reported a BUG caused by the ip6mr code which is caused
because we call unregister_netdevice_many for a device that is already
being destroyed. In IPv4's ipmr that has been resolved by two commits
long time ago by introducing the "notify" parameter to the delete
function and avoiding the unregister when called from a notifier, so
let's do the same for ip6mr.

The trace from Andrey:
------------[ cut here ]------------
kernel BUG at net/core/dev.c:6813!
invalid opcode: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 1165 Comm: kworker/u4:3 Not tainted 4.11.0-rc7+ #251
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs
01/01/2011
Workqueue: netns cleanup_net
task: ffff880069208000 task.stack: ffff8800692d8000
RIP: 0010:rollback_registered_many+0x348/0xeb0 net/core/dev.c:6813
RSP: 0018:ffff8800692de7f0 EFLAGS: 00010297
RAX: ffff880069208000 RBX: 0000000000000002 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88006af90569
RBP: ffff8800692de9f0 R08: ffff8800692dec60 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: ffff88006af90070
R13: ffff8800692debf0 R14: dffffc0000000000 R15: ffff88006af90000
FS:  0000000000000000(0000) GS:ffff88006cb00000(0000)
knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe7e897d870 CR3: 00000000657e7000 CR4: 00000000000006e0
Call Trace:
 unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
 unregister_netdevice_many+0xc8/0x120 net/core/dev.c:7880
 ip6mr_device_event+0x362/0x3f0 net/ipv6/ip6mr.c:1346
 notifier_call_chain+0x145/0x2f0 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394
 raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x51/0x90 net/core/dev.c:1647
 call_netdevice_notifiers net/core/dev.c:1663
 rollback_registered_many+0x919/0xeb0 net/core/dev.c:6841
 unregister_netdevice_many.part.105+0x87/0x440 net/core/dev.c:7881
 unregister_netdevice_many net/core/dev.c:7880
 default_device_exit_batch+0x4fa/0x640 net/core/dev.c:8333
 ops_exit_list.isra.4+0x100/0x150 net/core/net_namespace.c:144
 cleanup_net+0x5a8/0xb40 net/core/net_namespace.c:463
 process_one_work+0xc04/0x1c10 kernel/workqueue.c:2097
 worker_thread+0x223/0x19c0 kernel/workqueue.c:2231
 kthread+0x35e/0x430 kernel/kthread.c:231
 ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430
Code: 3c 32 00 0f 85 70 0b 00 00 48 b8 00 02 00 00 00 00 ad de 49 89
47 78 e9 93 fe ff ff 49 8d 57 70 49 8d 5f 78 eb 9e e8 88 7a 14 fe <0f>
0b 48 8b 9d 28 fe ff ff e8 7a 7a 14 fe 48 b8 00 00 00 00 00
RIP: rollback_registered_many+0x348/0xeb0 RSP: ffff8800692de7f0
---[ end trace e0b29c57e9b3292c ]---

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonetpoll: Check for skb->queue_mapping
Tushar Dave [Thu, 20 Apr 2017 22:57:31 +0000 (15:57 -0700)]
netpoll: Check for skb->queue_mapping

[ Upstream commit c70b17b775edb21280e9de7531acf6db3b365274 ]

Reducing real_num_tx_queues needs to be in sync with skb queue_mapping
otherwise skbs with queue_mapping greater than real_num_tx_queues
can be sent to the underlying driver and can result in kernel panic.

One such event is running netconsole and enabling VF on the same
device. Or running netconsole and changing number of tx queues via
ethtool on same device.

e.g.
Unable to handle kernel NULL pointer dereference
tsk->{mm,active_mm}->context = 0000000000001525
tsk->{mm,active_mm}->pgd = fff800130ff9a000
              \|/ ____ \|/
              "@'/ .. \`@"
              /_| \__/ |_\
                 \__U_/
kworker/48:1(475): Oops [#1]
CPU: 48 PID: 475 Comm: kworker/48:1 Tainted: G           OE
4.11.0-rc3-davem-net+ #7
Workqueue: events queue_process
task: fff80013113299c0 task.stack: fff800131132c000
TSTATE: 0000004480e01600 TPC: 00000000103f9e3c TNPC: 00000000103f9e40 Y:
00000000    Tainted: G           OE
TPC: <ixgbe_xmit_frame_ring+0x7c/0x6c0 [ixgbe]>
g0: 0000000000000000 g1: 0000000000003fff g2: 0000000000000000 g3:
0000000000000001
g4: fff80013113299c0 g5: fff8001fa6808000 g6: fff800131132c000 g7:
00000000000000c0
o0: fff8001fa760c460 o1: fff8001311329a50 o2: fff8001fa7607504 o3:
0000000000000003
o4: fff8001f96e63a40 o5: fff8001311d77ec0 sp: fff800131132f0e1 ret_pc:
000000000049ed94
RPC: <set_next_entity+0x34/0xb80>
l0: 0000000000000000 l1: 0000000000000800 l2: 0000000000000000 l3:
0000000000000000
l4: 000b2aa30e34b10d l5: 0000000000000000 l6: 0000000000000000 l7:
fff8001fa7605028
i0: fff80013111a8a00 i1: fff80013155a0780 i2: 0000000000000000 i3:
0000000000000000
i4: 0000000000000000 i5: 0000000000100000 i6: fff800131132f1a1 i7:
00000000103fa4b0
I7: <ixgbe_xmit_frame+0x30/0xa0 [ixgbe]>
Call Trace:
 [00000000103fa4b0] ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
 [0000000000998c74] netpoll_start_xmit+0xf4/0x200
 [0000000000998e10] queue_process+0x90/0x160
 [0000000000485fa8] process_one_work+0x188/0x480
 [0000000000486410] worker_thread+0x170/0x4c0
 [000000000048c6b8] kthread+0xd8/0x120
 [0000000000406064] ret_from_fork+0x1c/0x2c
 [0000000000000000]           (null)
Disabling lock debugging due to kernel taint
Caller[00000000103fa4b0]: ixgbe_xmit_frame+0x30/0xa0 [ixgbe]
Caller[0000000000998c74]: netpoll_start_xmit+0xf4/0x200
Caller[0000000000998e10]: queue_process+0x90/0x160
Caller[0000000000485fa8]: process_one_work+0x188/0x480
Caller[0000000000486410]: worker_thread+0x170/0x4c0
Caller[000000000048c6b8]: kthread+0xd8/0x120
Caller[0000000000406064]: ret_from_fork+0x1c/0x2c
Caller[0000000000000000]:           (null)

Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: ipv6: RTF_PCPU should not be settable from userspace
David Ahern [Wed, 19 Apr 2017 21:19:43 +0000 (14:19 -0700)]
net: ipv6: RTF_PCPU should not be settable from userspace

[ Upstream commit 557c44be917c322860665be3d28376afa84aa936 ]

Andrey reported a fault in the IPv6 route code:

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 4035 Comm: a.out Not tainted 4.11.0-rc7+ #250
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff880069809600 task.stack: ffff880062dc8000
RIP: 0010:ip6_rt_cache_alloc+0xa6/0x560 net/ipv6/route.c:975
RSP: 0018:ffff880062dced30 EFLAGS: 00010206
RAX: dffffc0000000000 RBX: ffff8800670561c0 RCX: 0000000000000006
RDX: 0000000000000003 RSI: ffff880062dcfb28 RDI: 0000000000000018
RBP: ffff880062dced68 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff880062dcfb28 R14: dffffc0000000000 R15: 0000000000000000
FS:  00007feebe37e7c0(0000) GS:ffff88006cb00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000205a0fe4 CR3: 000000006b5c9000 CR4: 00000000000006e0
Call Trace:
 ip6_pol_route+0x1512/0x1f20 net/ipv6/route.c:1128
 ip6_pol_route_output+0x4c/0x60 net/ipv6/route.c:1212
...

Andrey's syzkaller program passes rtmsg.rtmsg_flags with the RTF_PCPU bit
set. Flags passed to the kernel are blindly copied to the allocated
rt6_info by ip6_route_info_create making a newly inserted route appear
as though it is a per-cpu route. ip6_rt_cache_alloc sees the flag set
and expects rt->dst.from to be set - which it is not since it is not
really a per-cpu copy. The subsequent call to __ip6_dst_alloc then
generates the fault.

Fix by checking for the flag and failing with EINVAL.

Fixes: d52d3997f843f ("ipv6: Create percpu rt6_info")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodp83640: don't recieve time stamps twice
Dan Carpenter [Tue, 18 Apr 2017 19:14:26 +0000 (22:14 +0300)]
dp83640: don't recieve time stamps twice

[ Upstream commit 9d386cd9a755c8293e8916264d4d053878a7c9c7 ]

This patch is prompted by a static checker warning about a potential
use after free.  The concern is that netif_rx_ni() can free "skb" and we
call it twice.

When I look at the commit that added this, it looks like some stray
lines were added accidentally.  It doesn't make sense to me that we
would recieve the same data two times.  I asked the author but never
recieved a response.

I can't test this code, but I'm pretty sure my patch is correct.

Fixes: 4b063258ab93 ("dp83640: Delay scheduled work.")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agotcp: clear saved_syn in tcp_disconnect()
Eric Dumazet [Sat, 8 Apr 2017 15:07:33 +0000 (08:07 -0700)]
tcp: clear saved_syn in tcp_disconnect()

[ Upstream commit 17c3060b1701fc69daedb4c90be6325d3d9fca8e ]

In the (very unlikely) case a passive socket becomes a listener,
we do not want to duplicate its saved SYN headers.

This would lead to double frees, use after free, and please hackers and
various fuzzers

Tested:
    0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
   +0 setsockopt(3, IPPROTO_TCP, TCP_SAVE_SYN, [1], 4) = 0
   +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0

   +0 bind(3, ..., ...) = 0
   +0 listen(3, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257
   +0 accept(3, ..., ...) = 4

   +0 connect(4, AF_UNSPEC, ...) = 0
   +0 close(3) = 0
   +0 bind(4, ..., ...) = 0
   +0 listen(4, 5) = 0

   +0 < S 0:0(0) win 32972 <mss 1460,nop,wscale 7>
   +0 > S. 0:0(0) ack 1 <...>
  +.1 < . 1:1(0) ack 1 win 257

Fixes: cd8ae85299d5 ("tcp: provide SYN headers for passive connections")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosctp: listen on the sock only when it's state is listening or closed
Xin Long [Thu, 6 Apr 2017 05:10:52 +0000 (13:10 +0800)]
sctp: listen on the sock only when it's state is listening or closed

[ Upstream commit 34b2789f1d9bf8dcca9b5cb553d076ca2cd898ee ]

Now sctp doesn't check sock's state before listening on it. It could
even cause changing a sock with any state to become a listening sock
when doing sctp_listen.

This patch is to fix it by checking sock's state in sctp_listen, so
that it will listen on the sock with right state.

Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: ipv4: fix multipath RTM_GETROUTE behavior when iif is given
Florian Larysch [Mon, 3 Apr 2017 14:46:09 +0000 (16:46 +0200)]
net: ipv4: fix multipath RTM_GETROUTE behavior when iif is given

[ Upstream commit a8801799c6975601fd58ae62f48964caec2eb83f ]

inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
ip_route_input when iif is given. If a multipath route is present for
the designated destination, ip_multipath_icmp_hash ends up being called,
which uses the source/destination addresses within the skb to calculate
a hash. However, those are not set in the synthetic skb, causing it to
return an arbitrary and incorrect result.

Instead, use UDP, which gets no such special treatment.

Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: fix PPP pseudo-wire auto-loading
Guillaume Nault [Mon, 3 Apr 2017 11:23:15 +0000 (13:23 +0200)]
l2tp: fix PPP pseudo-wire auto-loading

[ Upstream commit 249ee819e24c180909f43c1173c8ef6724d21faf ]

PPP pseudo-wire type is 7 (11 is L2TP_PWTYPE_IP).

Fixes: f1f39f911027 ("l2tp: auto load type modules")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: take reference on sessions being dumped
Guillaume Nault [Mon, 3 Apr 2017 10:03:13 +0000 (12:03 +0200)]
l2tp: take reference on sessions being dumped

[ Upstream commit e08293a4ccbcc993ded0fdc46f1e57926b833d63 ]

Take a reference on the sessions returned by l2tp_session_find_nth()
(and rename it l2tp_session_get_nth() to reflect this change), so that
caller is assured that the session isn't going to disappear while
processing it.

For procfs and debugfs handlers, the session is held in the .start()
callback and dropped in .show(). Given that pppol2tp_seq_session_show()
dereferences the associated PPPoL2TP socket and that
l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
call the session's .ref() callback to prevent the socket from going
away from under us.

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Fixes: 0ad6614048cf ("l2tp: Add debugfs files for dumping l2tp debug info")
Fixes: 309795f4bec2 ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet/packet: fix overflow in check for tp_reserve
Andrey Konovalov [Wed, 29 Mar 2017 14:11:22 +0000 (16:11 +0200)]
net/packet: fix overflow in check for tp_reserve

[ Upstream commit bcc5364bdcfe131e6379363f089e7b4108d35b70 ]

When calculating po->tp_hdrlen + po->tp_reserve the result can overflow.

Fix by checking that tp_reserve <= INT_MAX on assign.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet/packet: fix overflow in check for tp_frame_nr
Andrey Konovalov [Wed, 29 Mar 2017 14:11:21 +0000 (16:11 +0200)]
net/packet: fix overflow in check for tp_frame_nr

[ Upstream commit 8f8d28e4d6d815a391285e121c3a53a0b6cb9e7b ]

When calculating rb->frames_per_block * req->tp_block_nr the result
can overflow.

Add a check that tp_block_size * tp_block_nr <= UINT_MAX.

Since frames_per_block <= tp_block_size, the expression would
never overflow.

Signed-off-by: Andrey Konovalov <andreyknvl@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agol2tp: purge socket queues in the .destruct() callback
Guillaume Nault [Wed, 29 Mar 2017 06:45:29 +0000 (08:45 +0200)]
l2tp: purge socket queues in the .destruct() callback

[ Upstream commit e91793bb615cf6cdd59c0b6749fe173687bb0947 ]

The Rx path may grab the socket right before pppol2tp_release(), but
nothing guarantees that it will enqueue packets before
skb_queue_purge(). Therefore, the socket can be destroyed without its
queues fully purged.

Fix this by purging queues in pppol2tp_session_destruct() where we're
guaranteed nothing is still referencing the socket.

Fixes: 9e9cb6221aa7 ("l2tp: fix userspace reception on plain L2TP sockets")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: phy: handle state correctly in phy_stop_machine
Nathan Sullivan [Wed, 22 Mar 2017 20:27:01 +0000 (15:27 -0500)]
net: phy: handle state correctly in phy_stop_machine

[ Upstream commit 49d52e8108a21749dc2114b924c907db43358984 ]

If the PHY is halted on stop, then do not set the state to PHY_UP.  This
ensures the phy will be restarted later in phy_start when the machine is
started again.

Fixes: 00db8189d984 ("This patch adds a PHY Abstraction Layer to the Linux Kernel, enabling ethernet drivers to remain as ignorant as is reasonable of the connected PHY's design and operation details.")
Signed-off-by: Nathan Sullivan <nathan.sullivan@ni.com>
Signed-off-by: Brad Mouring <brad.mouring@ni.com>
Acked-by: Xander Huff <xander.huff@ni.com>
Acked-by: Kyle Roeschley <kyle.roeschley@ni.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: neigh: guard against NULL solicit() method
Eric Dumazet [Thu, 23 Mar 2017 19:39:21 +0000 (12:39 -0700)]
net: neigh: guard against NULL solicit() method

[ Upstream commit 48481c8fa16410ffa45939b13b6c53c2ca609e5f ]

Dmitry posted a nice reproducer of a bug triggering in neigh_probe()
when dereferencing a NULL neigh->ops->solicit method.

This can happen for arp_direct_ops/ndisc_direct_ops and similar,
which can be used for NUD_NOARP neighbours (created when dev->header_ops
is NULL). Admin can then force changing nud_state to some other state
that would fire neigh timer.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()
Tom Hromatka [Fri, 31 Mar 2017 22:31:42 +0000 (16:31 -0600)]
sparc64: Fix kernel panic due to erroneous #ifdef surrounding pmd_write()

[ Upstream commit 9ae34dbd8afd790cb5f52467e4f816434379eafa ]

This commit moves sparc64's prototype of pmd_write() outside
of the CONFIG_TRANSPARENT_HUGEPAGE ifdef.

In 2013, commit a7b9403f0e6d ("sparc64: Encode huge PMDs using PTE
encoding.") exposed a path where pmd_write() could be called without
CONFIG_TRANSPARENT_HUGEPAGE defined.  This can result in the panic below.

The diff is awkward to read, but the changes are straightforward.
pmd_write() was moved outside of #ifdef CONFIG_TRANSPARENT_HUGEPAGE.
Also, __HAVE_ARCH_PMD_WRITE was defined.

kernel BUG at include/asm-generic/pgtable.h:576!
              \|/ ____ \|/
              "@'/ .. \`@"
              /_| \__/ |_\
                 \__U_/
oracle_8114_cdb(8114): Kernel bad sw trap 5 [#1]
CPU: 120 PID: 8114 Comm: oracle_8114_cdb Not tainted
4.1.12-61.7.1.el6uek.rc1.sparc64 #1
task: fff8400700a24d60 ti: fff8400700bc4000 task.ti: fff8400700bc4000
TSTATE: 0000004411e01607 TPC: 00000000004609f8 TNPC: 00000000004609fc Y:
00000005    Not tainted
TPC: <gup_huge_pmd+0x198/0x1e0>
g0: 000000000001c000 g1: 0000000000ef3954 g2: 0000000000000000 g3: 0000000000000001
g4: fff8400700a24d60 g5: fff8001fa5c10000 g6: fff8400700bc4000 g7: 0000000000000720
o0: 0000000000bc5058 o1: 0000000000000240 o2: 0000000000006000 o3: 0000000000001c00
o4: 0000000000000000 o5: 0000048000080000 sp: fff8400700bc6ab1 ret_pc: 00000000004609f0
RPC: <gup_huge_pmd+0x190/0x1e0>
l0: fff8400700bc74fc l1: 0000000000020000 l2: 0000000000002000 l3: 0000000000000000
l4: fff8001f93250950 l5: 000000000113f800 l6: 0000000000000004 l7: 0000000000000000
i0: fff8400700ca46a0 i1: bd0000085e800453 i2: 000000026a0c4000 i3: 000000026a0c6000
i4: 0000000000000001 i5: fff800070c958de8 i6: fff8400700bc6b61 i7: 0000000000460dd0
I7: <gup_pud_range+0x170/0x1a0>
Call Trace:
 [0000000000460dd0] gup_pud_range+0x170/0x1a0
 [0000000000460e84] get_user_pages_fast+0x84/0x120
 [00000000006f5a18] iov_iter_get_pages+0x98/0x240
 [00000000005fa744] do_direct_IO+0xf64/0x1e00
 [00000000005fbbc0] __blockdev_direct_IO+0x360/0x15a0
 [00000000101f74fc] ext4_ind_direct_IO+0xdc/0x400 [ext4]
 [00000000101af690] ext4_ext_direct_IO+0x1d0/0x2c0 [ext4]
 [00000000101af86c] ext4_direct_IO+0xec/0x220 [ext4]
 [0000000000553bd4] generic_file_read_iter+0x114/0x140
 [00000000005bdc2c] __vfs_read+0xac/0x100
 [00000000005bf254] vfs_read+0x54/0x100
 [00000000005bf368] SyS_pread64+0x68/0x80

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agosparc64: kern_addr_valid regression
bob picco [Fri, 10 Mar 2017 19:31:19 +0000 (14:31 -0500)]
sparc64: kern_addr_valid regression

[ Upstream commit adfae8a5d833fa2b46577a8081f350e408851f5b ]

I encountered this bug when using /proc/kcore to examine the kernel. Plus a
coworker inquired about debugging tools. We computed pa but did
not use it during the maximum physical address bits test. Instead we used
the identity mapped virtual address which will always fail this test.

I believe the defect came in here:
[bpicco@zareason linus.git]$ git describe --contains bb4e6e85daa52
v3.18-rc1~87^2~4
.

Signed-off-by: Bob Picco <bob.picco@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoxen/x86: don't lose event interrupts
Stefano Stabellini [Sat, 16 Apr 2016 01:23:00 +0000 (18:23 -0700)]
xen/x86: don't lose event interrupts

commit c06b6d70feb32d28f04ba37aa3df17973fd37b6b upstream.

On slow platforms with unreliable TSC, such as QEMU emulated machines,
it is possible for the kernel to request the next event in the past. In
that case, in the current implementation of xen_vcpuop_clockevent, we
simply return -ETIME. To be precise the Xen returns -ETIME and we pass
it on. However the result of this is a missed event, which simply causes
the kernel to hang.

Instead it is better to always ask the hypervisor for a timer event,
even if the timeout is in the past. That way there are no lost
interrupts and the kernel survives. To do that, remove the
VCPU_SSHOTTMR_future flag.

Signed-off-by: Stefano Stabellini <sstabellini@kernel.org>
Acked-by: Juergen Gross <jgross@suse.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agousb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize
Felipe F. Tonello [Wed, 9 Mar 2016 19:39:30 +0000 (19:39 +0000)]
usb: gadget: f_midi: Fixed a bug when buflen was smaller than wMaxPacketSize

commit 03d27ade4941076b34c823d63d91dc895731a595 upstream.

buflen by default (256) is smaller than wMaxPacketSize (512) in high-speed
devices.

That caused the OUT endpoint to freeze if the host send any data packet of
length greater than 256 bytes.

This is an example dump of what happended on that enpoint:
HOST:   [DATA][Length=260][...]
DEVICE: [NAK]
HOST:   [PING]
DEVICE: [NAK]
HOST:   [PING]
DEVICE: [NAK]
...
HOST:   [PING]
DEVICE: [NAK]

This patch fixes this problem by setting the minimum usb_request's buffer size
for the OUT endpoint as its wMaxPacketSize.

Acked-by: Michal Nazarewicz <mina86@mina86.com>
Signed-off-by: Felipe F. Tonello <eu@felipetonello.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoregulator: core: Clear the supply pointer if enabling fails
Jon Hunter [Thu, 21 Apr 2016 16:11:58 +0000 (17:11 +0100)]
regulator: core: Clear the supply pointer if enabling fails

commit 8e5356a73604f53da6a1e0756727cb8f9f7bba17 upstream.

During the resolution of a regulator's supply, we may attempt to enable
the supply if the regulator itself is already enabled. If enabling the
supply fails, then we will call _regulator_put() for the supply.
However, the pointer to the supply has not been cleared for the
regulator and this will cause a crash if we then unregister the
regulator and attempt to call regulator_put() a second time for the
supply. Fix this by clearing the supply pointer if enabling the supply
after fails when resolving the supply for a regulator.

Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoRDS: Fix the atomicity for congestion map update
santosh.shilimkar@oracle.com [Thu, 14 Apr 2016 17:43:27 +0000 (10:43 -0700)]
RDS: Fix the atomicity for congestion map update

commit e47db94e10447fc467777a40302f2b393e9af2fa upstream.

Two different threads with different rds sockets may be in
rds_recv_rcvbuf_delta() via receive path. If their ports
both map to the same word in the congestion map, then
using non-atomic ops to update it could cause the map to
be incorrect. Lets use atomics to avoid such an issue.

Full credit to Wengang <wen.gang.wang@oracle.com> for
finding the issue, analysing it and also pointing out
to offending code with spin lock based fix.

Reviewed-by: Leon Romanovsky <leon@leon.nu>
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet_sched: close another race condition in tcf_mirred_release()
WANG Cong [Mon, 16 May 2016 22:11:18 +0000 (15:11 -0700)]
net_sched: close another race condition in tcf_mirred_release()

commit dc327f8931cb9d66191f489eb9a852fc04530546 upstream.

We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agonet: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata
Florian Fainelli [Fri, 15 Jul 2016 23:42:16 +0000 (16:42 -0700)]
net: cavium: liquidio: Avoid dma_unmap_single on uninitialized ndata

commit 8e6ce7ebeb34f0992f56de078c3744fb383657fa upstream.

The label lio_xmit_failed is used 3 times through liquidio_xmit() but it
always makes a call to dma_unmap_single() using potentially
uninitialized variables from "ndata" variable. Out of the 3 gotos, 2 run
after ndata has been initialized, and had a prior dma_map_single() call.

Fix this by adding a new error label: lio_xmit_dma_failed which does
this dma_unmap_single() and then processed with the lio_xmit_failed
fallthrough.

Fixes: f21fb3ed364bb ("Add support of Cavium Liquidio ethernet adapters")
Reported-by: coverity (CID 1309740)
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoMIPS: Fix crash registers on non-crashing CPUs
Corey Minyard [Mon, 11 Apr 2016 14:10:19 +0000 (09:10 -0500)]
MIPS: Fix crash registers on non-crashing CPUs

commit c80e1b62ffca52e2d1d865ee58bc79c4c0c55005 upstream.

As part of handling a crash on an SMP system, an IPI is send to
all other CPUs to save their current registers and stop.  It was
using task_pt_regs(current) to get the registers, but that will
only be accurate if the CPU was interrupted running in userland.
Instead allow the architecture to pass in the registers (all
pass NULL now, but allow for the future) and then use get_irq_regs()
which should be accurate as we are in an interrupt.  Fall back to
task_pt_regs(current) if nothing else is available.

Signed-off-by: Corey Minyard <cminyard@mvista.com>
Cc: David Daney <ddaney@caviumnetworks.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/13050/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agomd:raid1: fix a dead loop when read from a WriteMostly disk
Wei Fang [Mon, 21 Mar 2016 11:18:32 +0000 (19:18 +0800)]
md:raid1: fix a dead loop when read from a WriteMostly disk

commit 816b0acf3deb6d6be5d0519b286fdd4bafade905 upstream.

If first_bad == this_sector when we get the WriteMostly disk
in read_balance(), valid disk will be returned with zero
max_sectors. It'll lead to a dead loop in make_request(), and
OOM will happen because of endless allocation of struct bio.

Since we can't get data from this disk in this case, so
continue for another disk.

Signed-off-by: Wei Fang <fangwei1@huawei.com>
Signed-off-by: Shaohua Li <shli@fb.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agoext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()
Theodore Ts'o [Tue, 22 Mar 2016 20:13:15 +0000 (16:13 -0400)]
ext4: check if in-inode xattr is corrupted in ext4_expand_extra_isize_ea()

commit 9e92f48c34eb2b9af9d12f892e2fe1fce5e8ce35 upstream.

We aren't checking to see if the in-inode extended attribute is
corrupted before we try to expand the inode's extra isize fields.

This can lead to potential crashes caused by the BUG_ON() check in
ext4_xattr_shift_entries().

Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
7 years agodrm/amdgpu: fix array out of bounds
tom will [Mon, 16 May 2016 14:31:07 +0000 (10:31 -0400)]
drm/amdgpu: fix array out of bounds

commit 484f689fc9d4eb91c68f53e97dc355b1b06c3edb upstream.

When the initial value of i is greater than zero,
it may cause endless loop, resulting in array out
of bounds, fix it.

This is a port of the radeon fix to amdgpu.

Signed-off-by: tom will <os@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>