Nick Xie [Fri, 15 Nov 2019 14:16:43 +0000 (22:16 +0800)]
Merge tag 'v4.9.201' into khadas-vims-4.9.y
This is the 4.9.201 stable release
Conflicts:
drivers/usb/gadget/configfs.c
Nick Xie [Fri, 15 Nov 2019 13:27:40 +0000 (21:27 +0800)]
Merge tag 'v4.9.200' into khadas-vims-4.9.y
This is the 4.9.200 stable release
Nick Xie [Fri, 15 Nov 2019 13:27:33 +0000 (21:27 +0800)]
Merge tag 'v4.9.199' into khadas-vims-4.9.y
This is the 4.9.199 stable release
Nick Xie [Fri, 15 Nov 2019 13:27:29 +0000 (21:27 +0800)]
Merge tag 'v4.9.198' into khadas-vims-4.9.y
This is the 4.9.198 stable release
Nick Xie [Fri, 15 Nov 2019 13:27:20 +0000 (21:27 +0800)]
Merge tag 'v4.9.197' into khadas-vims-4.9.y
This is the 4.9.197 stable release
Nick Xie [Fri, 15 Nov 2019 13:26:44 +0000 (21:26 +0800)]
Merge tag 'v4.9.196' into khadas-vims-4.9.y
This is the 4.9.196 stable release
Conflicts:
drivers/android/binder.c
Nick Xie [Fri, 15 Nov 2019 13:25:52 +0000 (21:25 +0800)]
Merge tag 'v4.9.195' into khadas-vims-4.9.y
This is the 4.9.195 stable release
Nick Xie [Fri, 15 Nov 2019 13:25:47 +0000 (21:25 +0800)]
Merge tag 'v4.9.194' into khadas-vims-4.9.y
This is the 4.9.194 stable release
Nick Xie [Fri, 15 Nov 2019 13:25:41 +0000 (21:25 +0800)]
Merge tag 'v4.9.193' into khadas-vims-4.9.y
This is the 4.9.193 stable release
Nick Xie [Fri, 15 Nov 2019 13:25:37 +0000 (21:25 +0800)]
Merge tag 'v4.9.192' into khadas-vims-4.9.y
This is the 4.9.192 stable release
Nick Xie [Fri, 15 Nov 2019 13:25:23 +0000 (21:25 +0800)]
Merge tag 'v4.9.191' into khadas-vims-4.9.y
This is the 4.9.191 stable release
Conflicts:
fs/userfaultfd.c
Nick Xie [Fri, 15 Nov 2019 13:11:17 +0000 (21:11 +0800)]
bcmdhd: disable the following message
wl_run_escan: LEGACY_SCAN sync ID: xxx, bssidx: 0
Signed-off-by: Nick Xie <nick@khadas.com>
renjiang.han [Thu, 4 Jul 2019 07:34:36 +0000 (15:34 +0800)]
ppmgr: Unbound kstrdup and Potential Null Dereference. [1/1]
PD#OTT-4872
Problem:
Unbound kstrdup and Potential Null Dereference.
Solution:
Add a judgment on the return value and the null pointer.
Verify:
on u212
Change-Id: I1e493c8125e08d4a6fb9fb46f28309eba6f0e47b
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Sat, 15 Jun 2019 15:16:39 +0000 (23:16 +0800)]
ppmgr: modify first frame garbage. [1/1]
PD#SWPL-9350
Problem:
ppmgr first frame garbage for afbc.
Solution:
alloc canvas.
Verify:
on u212
Change-Id: Ifd8d865240fee07f37d8ed47b224a39f24eac3d4
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
Nick Xie [Thu, 14 Nov 2019 04:02:39 +0000 (12:02 +0800)]
Revert "video_sink: add amvideocap module This will add the amvideocap module to kernel 4.9 If the frame rate is higher than 30 fps each second frame get captured. stretchblt: fix missing block assignment in _stretchblt_noalpha"
This reverts commit
65b754c27c64451d563858a976b32914543018a5.
Nick Xie [Thu, 14 Nov 2019 04:01:07 +0000 (12:01 +0800)]
Revert "media: fixup build error"
This reverts commit
14329d392764e0113ddb9f9b8c411eff40ad3436.
renjiang.han [Wed, 12 Jun 2019 09:06:39 +0000 (17:06 +0800)]
ppmgr: add compatibility with doublewrite. [1/1]
PD#SWPL-9350
Problem:
For output with compressed and uncompressed formats,
ppmgr recognizes the compressed format and returns directly.
Solution:
add compatibility with doublewrite.
Verify:
on u212
Change-Id: I9fffa720deee80b5db4ef21086c4638a630f9a80
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 11 Jun 2019 13:40:03 +0000 (21:40 +0800)]
ppmgr: Interlaced video only shows half. [1/1]
PD#SWPL-9350
Problem:
Interlaced video only shows half.
Solution:
Interlaced video height is divided by 2.
Verify:
on U212
Change-Id: I983e3369687eeb55f03d3e7f8474b9e37549440f
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Wed, 5 Jun 2019 12:55:47 +0000 (20:55 +0800)]
ppmgr: add phy_addr add support. [6/6]
PD#SWPL-9350
Problem:
ppmgr not support vf with phy_addr.
Solution:
config canvas
Verify:
on U212
Change-Id: I96629ed6287edaf4e7d7a2673ff604e99e3b12df
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 4 Jun 2019 11:13:04 +0000 (19:13 +0800)]
ppmgr: add keep last frame in ppmgr. [5/6]
PD#SWPL-9350
Problem:
freeze frame fail among two vertical videos switching.
Solution:
add keep last frame in ppmgr
Verify:
on U212
Change-Id: I7192c69725ce08a546af3f2252e743224ad19ec3
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 4 Jun 2019 08:55:00 +0000 (16:55 +0800)]
ppmgr: Add the value of stats_get to protect tb_task. [4/6]
PD#SWPL-9350
Problem:
Low probability of system crash when play live channel
Solution:
Increase the value of stats_get to protect tb_task.
Verify:
on U212
Change-Id: I4a13a3f7f2a4259fc8d4dd6630dd28d82a8c2541
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 4 Jun 2019 07:37:44 +0000 (15:37 +0800)]
ppmgr: Rotate the screen after rotation. [3/6]
PD#SWPL-9350
Problem:
After the HDR video is played, play normal video,
and the display is abnormal.
Solution:
Signal_type and bitdepth need to be reassigned.
Verify:
on U212
Change-Id: Ie2acddff3be34e01062a69d48bf4e82619559fb9
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 4 Jun 2019 07:28:39 +0000 (15:28 +0800)]
ppmgr: Detection of top and bottom for interlace sources. [2/6]
PD#SWPL-9350
Problem:
HDMI connection vertical screen, 1080i signal picture jitter.
Solution:
The interlace source is extracted based on the top and bottom values.
Verify:
on U212
Change-Id: I38f91fda32d1275dcc286fbb33034b4fd099e18f
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Tue, 4 Jun 2019 07:15:04 +0000 (15:15 +0800)]
ppmgr: add vdin support 10bit. [1/6]
PD#SWPL-9350
Problem:
ppmgr does not support 10bit to cause a rotating screen.
Solution:
add vdin support 10bit.
Verify:
on U212
Change-Id: Idbe90f7e351edbc12e0e2d905f06e0cdd18da148
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Thu, 16 May 2019 08:34:31 +0000 (16:34 +0800)]
ppmgr: Add IS_ERR_OR_NULL to determine if the thread exists [1/1]
PD#SWPL-8658
Problem:
handle is NULL cause kernel panic.
Solution:
Add IS_ERR_OR_NULL to prevent hanle from being NULL
to cause kernel panic.
Verify:
on T962X2
Change-Id: I3086a497d99646e6475a93b5a53b3c9aca2d2ada
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
renjiang.han [Mon, 1 Apr 2019 09:09:58 +0000 (17:09 +0800)]
ppmgr: The cut table caused a crash. [1/1]
PD#SWPL-6557
Problem:
The cut table caused a crash.
Solution:
modify dma flag
Verify:
on X301
Change-Id: Ic0ced1f4934d1125c56a79d1e102de9d2e02a528
Signed-off-by: renjiang.han <renjiang.han@amlogic.com>
Gongwei Chen [Mon, 28 Oct 2019 03:17:40 +0000 (11:17 +0800)]
dts: sync w400_a form W400 [1/1]
PD#SWPL-15005
Problem:
sync w400_a form W400
Solution:
sync w400_a form W400
Verify:
Verify by Android P w400_a
Change-Id: I0ace7496f26bacac6343fd772ec2ab8c87721e76
Signed-off-by: GongWei Chen <gongwei.chen@amlogic.com>
Luan Yuan [Sat, 26 Oct 2019 09:13:31 +0000 (17:13 +0800)]
galilei: update g12b_w200 config for compile error.[1/1]
PD#SWPL-15005
Problem:
update g12b_w200 dts config for compile error
Solution:
update g12b_w200 dts config for compile error.
Verify:
verify by galilei.
Change-Id: Id0cffc41a9bf633dba3d1d052d28bb7a0a2e9d69
Signed-off-by: Luan Yuan <luan.yuan@amlogic.com>
Cheng Wang [Tue, 15 Oct 2019 07:53:46 +0000 (15:53 +0800)]
amvecm: control cm_en status [1/1]
PD#SWPL-14964
Problem:
the screen color will abnormal after open cm_en
Solution:
adjust am_en status according to chip ID
Verify:
on newton
Change-Id: I8619dc4119c4d6c7e5a2d8f2985bbd508c7f94d7
Signed-off-by: Cheng Wang <cheng.wang@amlogic.com>
Shuai Li [Fri, 30 Aug 2019 10:38:21 +0000 (18:38 +0800)]
audio: make loopback compitable with chips [1/1]
PD#TV-8363
Problem:
Loopback doesn't work on TM2.
TL1 doesn't support loopback in OE pins.
Solution:
Make it compitable with chips.
Add tdm_lb format and chmasks.
Verify:
TM2 AB311 and TL1 X301.
Change-Id: If878fe75fc87857eae7a44439a451c5b2f494c67
Signed-off-by: Shuai Li <shuai.li@amlogic.com>
Gongwei Chen [Mon, 21 Oct 2019 08:43:48 +0000 (16:43 +0800)]
audio: no_mclk for amp [1/1]
PD#SWPL-15422
Problem:
Play video without HDMI connection, no sound output
Solution:
no_mclk for amp
Verify:
Verify by Android P w400
Change-Id: Ic95a1e28f8ccbf6e3ba4a21f7d7b329f5854ea49
Signed-off-by: GongWei Chen <gongwei.chen@amlogic.com>
Gongwei Chen [Mon, 21 Oct 2019 08:43:48 +0000 (16:43 +0800)]
audio: no_mclk for amp [1/1]
PD#SWPL-15422
Problem:
Play video without HDMI connection, no sound output
Solution:
no_mclk for amp
Verify:
Verify by Android P w400
Change-Id: Ic95a1e28f8ccbf6e3ba4a21f7d7b329f5854ea49
Signed-off-by: GongWei Chen <gongwei.chen@amlogic.com>
Pengcheng Chen [Wed, 4 Sep 2019 03:15:32 +0000 (11:15 +0800)]
vpp: sr software flow improvement [1/1]
PD#SWPL-13633
Problem:
sr input size need improvement
Solution:
improvement sr software flow
Verify:
verified by sm1
Change-Id: I10b9dd6d057fc8906ce312576623480aa14ae8a3
Signed-off-by: Pengcheng Chen <pengcheng.chen@amlogic.com>
Zongdong Jiao [Mon, 21 Oct 2019 13:44:56 +0000 (21:44 +0800)]
hdmitx: add missing 'product_desc' in SPD infoframe [1/1]
PD#SWPL-14801
Problem:
Sharp/LCD-42GX50A TV will be black when it receives vendor_name
but without product_desc in SPD infoframe
Solution:
Add missing 'product_desc' in SPD infoframe
Verify:
G12A/U212
Change-Id: I630fa416580855883a80be2747d39887ef67ef5c
Signed-off-by: Zongdong Jiao <zongdong.jiao@amlogic.com>
Signed-off-by: Luan Yuan <luan.yuan@amlogic.com>
Bencheng Jing [Wed, 16 Oct 2019 11:06:03 +0000 (19:06 +0800)]
vpp: dynamic adjust scaler path according to supsc0 h&v ratio [2/2]
PD#SWPL-12202
Problem:
scaler path need adjust according to supsc0 h&v ratio
Solution:
add dynamic adjust scaler path
Verify:
g12a&sm1
Change-Id: If00b4c321e24910ff7abd166d9a828dc424ab0d0
Signed-off-by: Bencheng Jing <bencheng.jing@amlogic.com>
Brian Zhu [Wed, 9 Oct 2019 17:24:07 +0000 (01:24 +0800)]
vpp: set the sr position reg correctly [1/1]
PD#SWPL-14963
Problem:
The position bits of super scaler is incorrect.
Solution:
Set the position bits correctly
Verify:
Verified on U212
Change-Id: I133662859456f65e130b8795f574da845039c717
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
Brian Zhu [Fri, 2 Aug 2019 17:58:29 +0000 (01:58 +0800)]
vpp: sr: disable more latch ctrl for SR0 [1/1]
PD#TV-7673
Problem:
SR0 register enabled the latch function, it will cause
frame size setting out of sync when bypass sr0.
Solution:
Disable the latch option.
Verify:
Verified with X301
Change-Id: Ibfc4c5f8f695757ddd7d7d9e50e4b5be23268388
Signed-off-by: Brian Zhu <brian.zhu@amlogic.com>
baocheng sun [Thu, 26 Sep 2019 07:41:42 +0000 (03:41 -0400)]
ion: ion_sync_for_device use swiotlb_dma_ops not dummy_dma_ops [1/1]
PD#OTT-5276
Problem:
CTS EncodeDecodeTest failed. Ion sync ioctrl was
forwarded to a dummy implementation. So cached dma buffer
syncing between device and driver was inconsistent occasionally.
Solution:
Changed the dummy_dma_ops to swiotbl_dma_ops when ion_sync_for_device
Verify:
franklin, hertz
Change-Id: I16863bba6c3fe16b9c3b2b410ade6e45c9e74826
Signed-off-by: baocheng sun <baocheng.sun@amlogic.com>
Greg Kroah-Hartman [Tue, 12 Nov 2019 18:16:25 +0000 (19:16 +0100)]
Linux 4.9.201
Ben Hutchings [Mon, 11 Nov 2019 16:13:24 +0000 (08:13 -0800)]
drm/i915/cmdparser: Fix jump whitelist clearing
commit
ea0b163b13ffc52818c079adb00d55e227a6da6f upstream.
When a jump_whitelist bitmap is reused, it needs to be cleared.
Currently this is done with memset() and the size calculation assumes
bitmaps are made of 32-bit words, not longs. So on 64-bit
architectures, only the first half of the bitmap is cleared.
If some whitelist bits are carried over between successive batches
submitted on the same context, this will presumably allow embedding
the rogue instructions that we're trying to reject.
Use bitmap_zero() instead, which gets the calculation right.
Fixes:
f8c08d8faee5 ("drm/i915/cmdparser: Add support for backward jumps")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Imre Deak [Mon, 9 Jul 2018 15:24:27 +0000 (18:24 +0300)]
drm/i915/gen8+: Add RC6 CTX corruption WA
commit
7e34f4e4aad3fd34c02b294a3cf2321adf5b4438 upstream.
In some circumstances the RC6 context can get corrupted. We can detect
this and take the required action, that is disable RC6 and runtime PM.
The HW recovers from the corrupted state after a system suspend/resume
cycle, so detect the recovery and re-enable RC6 and runtime PM.
v2: rebase (Mika)
v3:
- Move intel_suspend_gt_powersave() to the end of the GEM suspend
sequence.
- Add commit message.
v4:
- Rebased on intel_uncore_forcewake_put(i915->uncore, ...) API
change.
v5:
- Rebased on latest upstream gt_pm refactoring.
Signed-off-by: Imre Deak <imre.deak@intel.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Uma Shankar [Tue, 7 Aug 2018 15:45:35 +0000 (21:15 +0530)]
drm/i915: Lower RM timeout to avoid DSI hard hangs
commit
1d85a299c4db57c55e0229615132c964d17aa765 upstream.
In BXT/APL, device 2 MMIO reads from MIPI controller requires its PLL
to be turned ON. When MIPI PLL is turned off (MIPI Display is not
active or connected), and someone (host or GT engine) tries to read
MIPI registers, it causes hard hang. This is a hardware restriction
or limitation.
Driver by itself doesn't read MIPI registers when MIPI display is off.
But any userspace application can submit unprivileged batch buffer for
execution. In that batch buffer there can be mmio reads. And these
reads are allowed even for unprivileged applications. If these
register reads are for MIPI DSI controller and MIPI display is not
active during that time, then the MMIO read operation causes system
hard hang and only way to recover is hard reboot. A genuine
process/application won't submit batch buffer like this and doesn't
cause any issue. But on a compromised system, a malign userspace
process/app can generate such batch buffer and can trigger system
hard hang (denial of service attack).
The fix is to lower the internal MMIO timeout value to an optimum
value of 950us as recommended by hardware team. If the timeout is
beyond 1ms (which will hit for any value we choose if MMIO READ on a
DSI specific register is performed without PLL ON), it causes the
system hang. But if the timeout value is lower than it will be below
the threshold (even if timeout happens) and system will not get into
a hung state. This will avoid a system hang without losing any
programming or GT interrupts, taking the worst case of lowest CDCLK
frequency and early DC5 abort into account.
Signed-off-by: Uma Shankar <uma.shankar@intel.com>
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Thu, 20 Sep 2018 16:45:10 +0000 (09:45 -0700)]
drm/i915/cmdparser: Ignore Length operands during command matching
commit
926abff21a8f29ef159a3ac893b05c6e50e043c3 upstream.
Some of the gen instruction macros (e.g. MI_DISPLAY_FLIP) have the
length directly encoded in them. Since these are used directly in
the tables, the Length becomes part of the comparison used for
matching during parsing. Thus, if the cmd being parsed has a
different length to that in the table, it is not matched and the
cmd is accepted via the default variable length path.
Fix by masking out everything except the Opcode in the cmd tables
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Thu, 20 Sep 2018 16:58:36 +0000 (09:58 -0700)]
drm/i915/cmdparser: Add support for backward jumps
commit
f8c08d8faee5567803c8c533865296ca30286bbf upstream.
To keep things manageable, the pre-gen9 cmdparser does not
attempt to track any form of nested BB_START's. This did not
prevent usermode from using nested starts, or even chained
batches because the cmdparser is not strictly enforced pre gen9.
Instead, the existence of a nested BB_START would cause the batch
to be emitted in insecure mode, and any privileged capabilities
would not be available.
For Gen9, the cmdparser becomes mandatory (for BCS at least), and
so not providing any form of nested BB_START support becomes
overly restrictive. Any such batch will simply not run.
We make heavy use of backward jumps in igt, and it is much easier
to add support for this restricted subset of nested jumps, than to
rewrite the whole of our test suite to avoid them.
Add the required logic to support limited backward jumps, to
instructions that have already been validated by the parser.
Note that it's not sufficient to simply approve any BB_START
that jumps backwards in the buffer because this would allow an
attacker to embed a rogue instruction sequence within the
operand words of a harmless instruction (say LRI) and jump to
that.
We introduce a bit array to track every instr offset successfully
validated, and test the target of BB_START against this. If the
target offset hits, it is re-written to the same offset in the
shadow buffer and the BB_START cmd is allowed.
Note: This patch deliberately ignores checkpatch issues in the
cmdtables, in order to match the style of the surrounding code.
We'll correct the entire file in one go in a later patch.
v2: set dispatch secure late (Mika)
v3: rebase (Mika)
v4: Clear whitelist on each parse
Minor review updates (Chris)
v5: Correct backward jump batching
v6: fix compilation error due to struct eb shuffle (Mika)
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Thu, 27 Sep 2018 17:23:17 +0000 (10:23 -0700)]
drm/i915/cmdparser: Use explicit goto for error paths
commit
0546a29cd884fb8184731c79ab008927ca8859d0 upstream.
In the next patch we will be adding a second valid
termination condition which will require a small
amount of refactoring to share logic with the BB_END
case.
Refactor all error conditions to jump to a dedicated
exit path, with 'break' reserved only for a successful
parse.
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Mon, 23 Apr 2018 18:12:15 +0000 (11:12 -0700)]
drm/i915: Add gen9 BCS cmdparsing
commit
0f2f39758341df70202ae1c42d5a1e4ee392b6d3 upstream.
For gen9 we enable cmdparsing on the BCS ring, specifically
to catch inadvertent accesses to sensitive registers
Unlike gen7/hsw, we use the parser only to block certain
registers. We can rely on h/w to block restricted commands,
so the command tables only provide enough info to allow the
parser to delineate each command, and identify commands that
access registers.
Note: This patch deliberately ignores checkpatch issues in
favour of matching the style of the surrounding code. We'll
correct the entire file in one go in a later patch.
v3: rebase (Mika)
v4: Add RING_TIMESTAMP registers to whitelist (Jon)
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Wed, 1 Aug 2018 16:45:50 +0000 (09:45 -0700)]
drm/i915: Allow parsing of unsized batches
commit
435e8fc059dbe0eec823a75c22da2972390ba9e0 upstream.
In "drm/i915: Add support for mandatory cmdparsing" we introduced the
concept of mandatory parsing. This allows the cmdparser to be invoked
even when user passes batch_len=0 to the execbuf ioctl's.
However, the cmdparser needs to know the extents of the buffer being
scanned. Refactor the code to ensure the cmdparser uses the actual
object size, instead of the incoming length, if user passes 0.
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Tue, 22 May 2018 20:59:06 +0000 (13:59 -0700)]
drm/i915: Support ro ppgtt mapped cmdparser shadow buffers
commit
4f7af1948abcb18b4772fe1bcd84d7d27d96258c upstream.
For Gen7, the original cmdparser motive was to permit limited
use of register read/write instructions in unprivileged BB's.
This worked by copying the user supplied bb to a kmd owned
bb, and running it in secure mode, from the ggtt, only if
the scanner finds no unsafe commands or registers.
For Gen8+ we can't use this same technique because running bb's
from the ggtt also disables access to ppgtt space. But we also
do not actually require 'secure' execution since we are only
trying to reduce the available command/register set. Instead we
will copy the user buffer to a kmd owned read-only bb in ppgtt,
and run in the usual non-secure mode.
Note that ro pages are only supported by ppgtt (not ggtt), but
luckily that's exactly what we need.
Add the required paths to map the shadow buffer to ppgtt ro for Gen8+
v2: IS_GEN7/IS_GEN (Mika)
v3: rebase
v4: rebase
v5: rebase
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Wed, 1 Aug 2018 16:33:59 +0000 (09:33 -0700)]
drm/i915: Add support for mandatory cmdparsing
commit
311a50e76a33d1e029563c24b2ff6db0c02b5afe upstream.
The existing cmdparser for gen7 can be bypassed by specifying
batch_len=0 in the execbuf call. This is safe because bypassing
simply reduces the cmd-set available.
In a later patch we will introduce cmdparsing for gen9, as a
security measure, which must be strictly enforced since without
it we are vulnerable to DoS attacks.
Introduce the concept of 'required' cmd parsing that cannot be
bypassed by submitting zero-length bb's.
v2: rebase (Mika)
v2: rebase (Mika)
v3: fix conflict on engine flags (Mika)
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Fri, 8 Jun 2018 17:05:26 +0000 (10:05 -0700)]
drm/i915: Remove Master tables from cmdparser
commit
66d8aba1cd6db34af10de465c0d52af679288cb6 upstream.
The previous patch has killed support for secure batches
on gen6+, and hence the cmdparsers master tables are
now dead code. Remove them.
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Fri, 8 Jun 2018 15:53:46 +0000 (08:53 -0700)]
drm/i915: Disable Secure Batches for gen6+
commit
44157641d448cbc0c4b73c5231d2b911f0cb0427 upstream.
Retroactively stop reporting support for secure batches
through the api for gen6+ so that older binaries trigger
the fallback path instead.
Older binaries use secure batches pre gen6 to access resources
that are not available to normal usermode processes. However,
all known userspace explicitly checks for HAS_SECURE_BATCHES
before relying on the secure batch feature.
Since there are no known binaries relying on this for newer gens
we can kill secure batches from gen6, via I915_PARAM_HAS_SECURE_BATCHES.
v2: rebase (Mika)
v3: rebase (Mika)
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Fri, 20 Apr 2018 21:26:01 +0000 (14:26 -0700)]
drm/i915: Rename gen7 cmdparser tables
commit
0a2f661b6c21815a7fa60e30babe975fee8e73c6 upstream.
We're about to introduce some new tables for later gens, and the
current naming for the gen7 tables will no longer make sense.
v2: rebase
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Tony Luck <tony.luck@intel.com>
Cc: Dave Airlie <airlied@redhat.com>
Cc: Takashi Iwai <tiwai@suse.de>
Cc: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Reviewed-by: Chris Wilson <chris.p.wilson@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tvrtko Ursulin [Wed, 29 Nov 2017 08:24:09 +0000 (08:24 +0000)]
drm/i915: Move engine->needs_cmd_parser to engine->flags
commit
439e2ee4ca520e72870e4fa44aa0076060ad6857 upstream.
Will be adding a new per-engine flags shortly so it makes sense
to consolidate.
v2: Keep the original code flow in intel_engine_cleanup_cmd_parser.
(Joonas Lahtinen)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@intel.com>
Suggested-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Sagar Arun Kamble <sagar.a.kamble@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171129082409.18189-1-tvrtko.ursulin@linux.intel.com
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Wilson [Tue, 7 Nov 2017 15:40:55 +0000 (15:40 +0000)]
drm/i915: Silence smatch for cmdparser
commit
0ffba1fc98e8ec35caae8d50b657296ebb9a9a51 upstream.
drivers/gpu/drm/i915/i915_cmd_parser.c:808:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:811:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:814:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:808:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:811:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:814:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:808:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:811:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:814:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:808:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:811:23: error: not an lvalue
drivers/gpu/drm/i915/i915_cmd_parser.c:814:23: error: not an lvalue
If we move the shift into each case not only do we kill the warning from
smatch, but we shrink the code slightly:
text data bss dec hex filename
1267906 20587 3168 1291661 13b58d before
1267890 20587 3168 1291645 13b57d after
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20171107154055.19460-1-chris@chris-wilson.co.uk
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
Reviewed-by: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michal Srb [Mon, 5 Feb 2018 16:04:38 +0000 (16:04 +0000)]
drm/i915/cmdparser: Do not check past the cmd length.
commit
b3ad99ed45917f42884fee731fa3cf9b8229a26c upstream.
The command MEDIA_VFE_STATE checks bits at offset +2 dwords. However, it is
possible to have MEDIA_VFE_STATE command with length = 0 + LENGTH_BIAS = 2.
In that case check_cmd will read bits from the following command, or even past
the end of the buffer.
If the offset ends up outside of the command length, reject the command.
Fixes:
351e3db2b363 ("drm/i915: Implement command buffer parsing logic")
Signed-off-by: Michal Srb <msrb@suse.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180205151745.29292-1-msrb@suse.com
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-2-chris@chris-wilson.co.uk
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Michal Srb [Mon, 5 Feb 2018 16:04:37 +0000 (16:04 +0000)]
drm/i915/cmdparser: Check reg_table_count before derefencing.
commit
2f265fad9756a40c09e3f4dcc62d5d7fa73a9fb2 upstream.
The find_reg function was assuming that there is always at least one table in
reg_tables. It is not always true.
In case of VCS or VECS, the reg_tables is NULL and reg_table_count is 0,
implying that no register-accessing commands are allowed. However, the command
tables include commands such as MI_STORE_REGISTER_MEM. When trying to check
such command, the find_reg would dereference NULL pointer.
Now it will just return NULL meaning that the register was not found and the
command will be rejected.
Fixes:
76ff480ec963 ("drm/i915/cmdparser: Use binary search for faster register lookup")
Signed-off-by: Michal Srb <msrb@suse.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180205142916.27092-2-msrb@suse.com
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Link: https://patchwork.freedesktop.org/patch/msgid/20180205160438.3267-1-chris@chris-wilson.co.uk
register lookup")
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Wilson [Thu, 12 Jul 2018 18:53:13 +0000 (19:53 +0100)]
drm/i915: Prevent writing into a read-only object via a GGTT mmap
commit
3e977ac6179b39faa3c0eda5fce4f00663ae298d upstream.
If the user has created a read-only object, they should not be allowed
to circumvent the write protection by using a GGTT mmapping. Deny it.
Also most machines do not support read-only GGTT PTEs, so again we have
to reject attempted writes. Fortunately, this is known a priori, so we
can at least reject in the call to create the mmap (with a sanity check
in the fault handler).
v2: Check the vma->vm_flags during mmap() to allow readonly access.
v3: Remove VM_MAYWRITE to curtail mprotect()
Testcase: igt/gem_userptr_blits/readonly_mmap*
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com> #v1
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180712185315.3288-4-chris@chris-wilson.co.uk
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Wilson [Thu, 12 Jul 2018 18:53:12 +0000 (19:53 +0100)]
drm/i915/gtt: Disable read-only support under GVT
commit
c9e666880de5a1fed04dc412b046916d542b72dd upstream.
GVT is not propagating the PTE bits, and is always setting the
read-write bit, thus breaking read-only support.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Zhenyu Wang <zhenyuw@linux.intel.com>
Cc: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180712185315.3288-3-chris@chris-wilson.co.uk
Signed-off--by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Mon, 6 Aug 2018 21:10:48 +0000 (14:10 -0700)]
drm/i915/gtt: Read-only pages for insert_entries on bdw+
commit
250f8c8140ac0a5e5acb91891d6813f12778b224 upstream.
Hook up the flags to allow read-only ppGTT mappings for gen8+
v2: Include a selftest to check that writes to a readonly PTE are
dropped
v3: Don't duplicate cpu_check() as we can just reuse it, and even worse
don't wholesale copy the theory-of-operation comment from igt_ctx_exec
without changing it to explain the intention behind the new test!
v4: Joonas really likes magic mystery values
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180712185315.3288-2-chris@chris-wilson.co.uk
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jon Bloomfield [Thu, 12 Jul 2018 18:53:10 +0000 (19:53 +0100)]
drm/i915/gtt: Add read only pages to gen8_pte_encode
commit
25dda4dabeeb12af5209b0183c788ef2a88dabbe upstream.
We can set a bit inside the ppGTT PTE to indicate a page is read-only;
writes from the GPU will be discarded. We can use this to protect pages
and in particular support read-only userptr mappings (necessary for
importing PROT_READ vma).
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Cc: Matthew Auld <matthew.william.auld@gmail.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Reviewed-by: Matthew Auld <matthew.william.auld@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180712185315.3288-1-chris@chris-wilson.co.uk
Reviewed-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Wilson [Fri, 10 Mar 2017 11:55:18 +0000 (11:55 +0000)]
drm/i915/cmdparser: Limit clflush to active cachelines
commit
504ae4024131c5a01c3ce8382d49b801375e039c upstream.
We only need to clflush those cachelines that we have validated to be
read by the GPU. Userspace typically fills the batch length in
correctly, the exceptions tend to be explicit tests within igt.
v2: Use ptr_mask_bits() to make Mika happy
v3: cmd is not advanced on MI_BBE, so make sure to include an extra
dword in the clflush.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Mika Kuoppala <mika.kuoppala@linux.intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20170310115518.13832-1-chris@chris-wilson.co.uk
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Chris Wilson [Thu, 24 Nov 2016 12:58:51 +0000 (12:58 +0000)]
drm/i915: Use the precomputed value for whether to enable command parsing
commit
41736a8e3331a67445b271e73be39536c498659e upstream.
As i915.enable_cmd_parser is an unsafe option, make it read-only at
runtime. Now that it is constant, we can use the value determined during
initialisation as to whether we need the cmdparser at execbuffer time.
v2: Remove the inline for its single user, it is clear enough (and
shorter) without!
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161124125851.6615-1-chris@chris-wilson.co.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Robert Bragg [Tue, 8 Nov 2016 12:51:48 +0000 (12:51 +0000)]
drm/i915: don't whitelist oacontrol in cmd parser
commit
10ff401df041e57afc2b1619cd252b86d0ae5f30 upstream.
Being able to program OACONTROL from a non-privileged batch buffer is
not sufficient to be able to configure the OA unit. This was originally
allowed to help enable Mesa to expose OA counters via the
INTEL_performance_query extension, but the current implementation based
on programming OACONTROL via a batch buffer isn't able to report useable
data without a more complete OA unit configuration. Mesa handles the
possibility that writes to OACONTROL may not be allowed and so only
advertises the extension after explicitly testing that a write to
OACONTROL succeeds. Based on this; removing OACONTROL from the whitelist
should be ok for userspace.
Removing this simplifies adding a new kernel api for configuring the OA
unit without needing to consider the possibility that userspace might
trample on OACONTROL state which we'd like to start managing within
the kernel instead. In particular running any Mesa based GL application
currently results in clearing OACONTROL when initializing which would
disable the capturing of metrics.
v2:
This bumps the command parser version from 8 to 9, as the change is
visible to userspace.
Signed-off-by: Robert Bragg <robert@sixbynine.org>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Sourab Gupta <sourab.gupta@intel.com>Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161108125148.25007-1-robert@sixbynine.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Robert Bragg [Mon, 7 Nov 2016 19:49:49 +0000 (19:49 +0000)]
drm/i915: return EACCES for check_cmd() failures
commit
9bbeaedb664a6d3e1cfbe6b0c2f07bf667512456 upstream.
check_cmd() is checking whether a command adheres to certain
restrictions that ensure it's safe to execute within a privileged batch
buffer. Returning false implies a privilege problem, not that the
command is invalid.
The distinction makes the difference between allowing the buffer to be
executed as an unprivileged batch buffer or returning an EINVAL error to
userspace without executing anything.
In a case where userspace may want to test whether it can successfully
write to a register that needs privileges the distinction may be
important and an EINVAL error may be considered fatal.
In particular this is currently true for Mesa, which includes a test for
whether OACONTROL can be written too, but Mesa treats any error when
flushing a batch buffer as fatal, calling exit(1).
As it is currently Mesa can gracefully handle a failure to write to
OACONTROL if the command parser is disabled, but if we were to remove
OACONTROL from the parser's whitelist then the returned EINVAL would
break Mesa applications as they attempt an OACONTROL write.
This bumps the command parser version from 7 to 8, as the change is
visible to userspace.
Signed-off-by: Robert Bragg <robert@sixbynine.org>
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Sourab Gupta <sourab.gupta@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161107194957.3385-4-robert@sixbynine.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matthew Auld [Mon, 14 Nov 2016 22:39:34 +0000 (22:39 +0000)]
drm/i915: cleanup use of INSTR_CLIENT_MASK
commit
e3f51ece02f877d2ce9619aa8d5919db56f39582 upstream.
Doing cmd_header >> 29 to extract our 3-bit client value where we know
cmd_header is a u32 shouldn't then also require the use of a mask. So
remove the redundant operation and get rid of INSTR_CLIENT_MASK now that
there are no longer any users.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1479163174-29686-1-git-send-email-matthew.auld@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matthew Auld [Wed, 23 Nov 2016 23:02:27 +0000 (23:02 +0000)]
drm/i915: kick out cmd_parser specific structs from i915_drv.h
commit
007873b30b9001348c0dfc96deb9db220a3be116 upstream.
No sense in keeping the cmd_descriptor and cmd_table structs in
i915_drv.h, now that they are no longer referenced externally.
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Jon Bloomfield <jon.bloomfield@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/1479942147-9837-1-git-send-email-matthew.auld@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Tue, 5 Nov 2019 05:38:43 +0000 (21:38 -0800)]
net: prevent load/store tearing on sk->sk_stamp
[ Upstream commit
f75359f3ac855940c5718af10ba089b8977bf339 ]
Add a couple of READ_ONCE() and WRITE_ONCE() to prevent
load-tearing and store-tearing in sock_read_timestamp()
and sock_write_timestamp()
This might prevent another KCSAN report.
Fixes:
3a0ed3e96197 ("sock: Make sock->sk_stamp thread-safe")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Deepa Dinamani <deepa.kernel@gmail.com>
Acked-by: Deepa Dinamani <deepa.kernel@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Tejun Heo [Fri, 8 Nov 2019 20:18:29 +0000 (12:18 -0800)]
cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead
commit
65de03e251382306a4575b1779c57c87889eee49 upstream.
cgroup writeback tries to refresh the associated wb immediately if the
current wb is dead. This is to avoid keeping issuing IOs on the stale
wb after memcg - blkcg association has changed (ie. when blkcg got
disabled / enabled higher up in the hierarchy).
Unfortunately, the logic gets triggered spuriously on inodes which are
associated with dead cgroups. When the logic is triggered on dead
cgroups, the attempt fails only after doing quite a bit of work
allocating and initializing a new wb.
While
c3aab9a0bd91 ("mm/filemap.c: don't initiate writeback if mapping
has no dirty pages") alleviated the issue significantly as it now only
triggers when the inode has dirty pages. However, the condition can
still be triggered before the inode is switched to a different cgroup
and the logic simply doesn't make sense.
Skip the immediate switching if the associated memcg is dying.
This is a simplified version of the following two patches:
* https://lore.kernel.org/linux-mm/
20190513183053.GA73423@dennisz-mbp/
* http://lkml.kernel.org/r/
156355839560.2063.
5265687291430814589.stgit@buzz
Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Fixes:
e8a7abf5a5bd ("writeback: disassociate inodes from dying bdi_writebacks")
Acked-by: Dennis Zhou <dennis@kernel.org>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Konstantin Khlebnikov [Mon, 23 Sep 2019 22:34:45 +0000 (15:34 -0700)]
mm/filemap.c: don't initiate writeback if mapping has no dirty pages
commit
c3aab9a0bd91b696a852169479b7db1ece6cbf8c upstream.
Functions like filemap_write_and_wait_range() should do nothing if inode
has no dirty pages or pages currently under writeback. But they anyway
construct struct writeback_control and this does some atomic operations if
CONFIG_CGROUP_WRITEBACK=y - on fast path it locks inode->i_lock and
updates state of writeback ownership, on slow path might be more work.
Current this path is safely avoided only when inode mapping has no pages.
For example generic_file_read_iter() calls filemap_write_and_wait_range()
at each O_DIRECT read - pretty hot path.
This patch skips starting new writeback if mapping has no dirty tags set.
If writeback is already in progress filemap_write_and_wait_range() will
wait for it.
Link: http://lkml.kernel.org/r/156378816804.1087.8607636317907921438.stgit@buzz
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Joakim Zhang [Thu, 15 Aug 2019 08:00:26 +0000 (08:00 +0000)]
can: flexcan: disable completely the ECC mechanism
[ Upstream commit
5e269324db5adb2f5f6ec9a93a9c7b0672932b47 ]
The ECC (memory error detection and correction) mechanism can be
activated or not, controlled by the ECCDIS bit in CAN_MECR. When
disabled, updates on indications and reporting registers are stopped.
So if want to disable ECC completely, had better assert ECCDIS bit, not
just mask the related interrupts.
Fixes:
cdce844865be ("can: flexcan: add vf610 support for FlexCAN")
Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jan Beulich [Tue, 29 Oct 2019 09:34:19 +0000 (10:34 +0100)]
x86/apic/32: Avoid bogus LDR warnings
[ Upstream commit
fe6f85ca121e9c74e7490fe66b0c5aae38e332c3 ]
The removal of the LDR initialization in the bigsmp_32 APIC code unearthed
a problem in setup_local_APIC().
The code checks unconditionally for a mismatch of the logical APIC id by
comparing the early APIC id which was initialized in get_smp_config() with
the actual LDR value in the APIC.
Due to the removal of the bogus LDR initialization the check now can
trigger on bigsmp_32 APIC systems emitting a warning for every booting
CPU. This is of course a false positive because the APIC is not using
logical destination mode.
Restrict the check and the possibly resulting fixup to systems which are
actually using the APIC in logical destination mode.
[ tglx: Massaged changelog and added Cc stable ]
Fixes:
bae3a8d3308 ("x86/apic: Do not initialize LDR and DFR for bigsmp")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/666d8f91-b5a8-1afd-7add-821e72a35f03@suse.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dou Liyang [Thu, 1 Mar 2018 05:59:30 +0000 (13:59 +0800)]
x86/apic: Drop logical_smp_processor_id() inline
[ Upstream commit
8f1561680f42a5491b371b513f1ab8197f31fd62 ]
The logical_smp_processor_id() inline which is only called in
setup_local_APIC() on x86_32 systems has no real value.
Drop it and directly use GET_APIC_LOGICAL_ID() at the call site and use a
more suitable variable name for readability
Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: andy.shevchenko@gmail.com
Cc: bhe@redhat.com
Cc: ebiederm@xmission.com
Link: https://lkml.kernel.org/r/20180301055930.2396-4-douly.fnst@cn.fujitsu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dou Liyang [Thu, 1 Mar 2018 05:59:28 +0000 (13:59 +0800)]
x86/apic: Move pending interrupt check code into it's own function
[ Upstream commit
9b217f33017715903d0956dfc58f82d2a2d00e63 ]
The pending interrupt check code is mixed with the local APIC setup code,
that looks messy.
Extract the related code, move it into a new function named
apic_pending_intr_clear().
Signed-off-by: Dou Liyang <douly.fnst@cn.fujitsu.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: bhe@redhat.com
Cc: ebiederm@xmission.com
Link: https://lkml.kernel.org/r/20180301055930.2396-2-douly.fnst@cn.fujitsu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Wenwen Wang [Mon, 12 Aug 2019 05:59:21 +0000 (00:59 -0500)]
e1000: fix memory leaks
[ Upstream commit
8472ba62154058b64ebb83d5f57259a352d28697 ]
In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if
e1000_up() fails, leading to memory leaks. Refactor the code to fix this
issue.
Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Manfred Rudigier [Thu, 15 Aug 2019 20:55:20 +0000 (13:55 -0700)]
igb: Fix constant media auto sense switching when no cable is connected
[ Upstream commit
8d5cfd7f76a2414e23c74bb8858af7540365d985 ]
At least on the i350 there is an annoying behavior that is maybe also
present on 82580 devices, but was probably not noticed yet as MAS is not
widely used.
If no cable is connected on both fiber/copper ports the media auto sense
code will constantly swap between them as part of the watchdog task and
produce many unnecessary kernel log messages.
The swap code responsible for this behavior (switching to fiber) should
not be executed if the current media type is copper and there is no signal
detected on the fiber port. In this case we can safely wait until the
AUTOSENSE_EN bit is cleared.
Signed-off-by: Manfred Rudigier <manfred.rudigier@omicronenergy.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chuhong Yuan [Fri, 1 Nov 2019 12:17:25 +0000 (20:17 +0800)]
net: ethernet: arc: add the missed clk_disable_unprepare
[ Upstream commit
4202e219edd6cc164c042e16fa327525410705ae ]
The remove misses to disable and unprepare priv->macclk like what is done
when probe fails.
Add the missed call in remove.
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trond Myklebust [Thu, 31 Oct 2019 22:40:32 +0000 (18:40 -0400)]
NFSv4: Don't allow a cached open with a revoked delegation
[ Upstream commit
be3df3dd4c70ee020587a943a31b98a0fb4b6424 ]
If the delegation is marked as being revoked, we must not use it
for cached opens.
Fixes:
869f9dfa4d6d ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jiangfeng Xiao [Fri, 25 Oct 2019 13:48:22 +0000 (21:48 +0800)]
net: hisilicon: Fix "Trying to free already-free IRQ"
[ Upstream commit
63a41746827cb16dc6ad0d4d761ab4e7dda7a0c3 ]
When rmmod hip04_eth.ko, we can get the following warning:
Task track: rmmod(1623)>bash(1591)>login(1581)>init(1)
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac()
Trying to free already-free IRQ 200
Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv
CPU: 0 PID: 1623 Comm: rmmod Tainted: G O 4.4.193 #1
Hardware name: Hisilicon A15
[<
c020b408>] (rtos_unwind_backtrace) from [<
c0206624>] (show_stack+0x10/0x14)
[<
c0206624>] (show_stack) from [<
c03f2be4>] (dump_stack+0xa0/0xd8)
[<
c03f2be4>] (dump_stack) from [<
c021a780>] (warn_slowpath_common+0x84/0xb0)
[<
c021a780>] (warn_slowpath_common) from [<
c021a7e8>] (warn_slowpath_fmt+0x3c/0x68)
[<
c021a7e8>] (warn_slowpath_fmt) from [<
c026876c>] (__free_irq+0xa4/0x2ac)
[<
c026876c>] (__free_irq) from [<
c0268a14>] (free_irq+0x60/0x7c)
[<
c0268a14>] (free_irq) from [<
c0469e80>] (release_nodes+0x1c4/0x1ec)
[<
c0469e80>] (release_nodes) from [<
c0466924>] (__device_release_driver+0xa8/0x104)
[<
c0466924>] (__device_release_driver) from [<
c0466a80>] (driver_detach+0xd0/0xf8)
[<
c0466a80>] (driver_detach) from [<
c0465e18>] (bus_remove_driver+0x64/0x8c)
[<
c0465e18>] (bus_remove_driver) from [<
c02935b0>] (SyS_delete_module+0x198/0x1e0)
[<
c02935b0>] (SyS_delete_module) from [<
c0202ed0>] (__sys_trace_return+0x0/0x10)
---[ end trace
bb25d6123d849b44 ]---
Currently "rmmod hip04_eth.ko" call free_irq more than once
as devres_release_all and hip04_remove both call free_irq.
This results in a 'Trying to free already-free IRQ' warning.
To solve the problem free_irq has been moved out of hip04_remove.
Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Will Deacon [Fri, 25 Oct 2019 11:06:02 +0000 (12:06 +0100)]
fjes: Handle workqueue allocation failure
[ Upstream commit
85ac30fa2e24f628e9f4f9344460f4015d33fd7d ]
In the highly unlikely event that we fail to allocate either of the
"/txrx" or "/control" workqueues, we should bail cleanly rather than
blindly march on with NULL queue pointer(s) installed in the
'fjes_adapter' instance.
Cc: "David S. Miller" <davem@davemloft.net>
Reported-by: Nicolas Waisman <nico@semmle.com>
Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nicholas Piggin [Thu, 24 Oct 2019 06:38:04 +0000 (16:38 +1000)]
scsi: qla2xxx: stop timer in shutdown path
[ Upstream commit
d3566abb1a1e7772116e4d50fb6a58d19c9802e5 ]
In shutdown/reboot paths, the timer is not stopped:
qla2x00_shutdown
pci_device_shutdown
device_shutdown
kernel_restart_prepare
kernel_restart
sys_reboot
This causes lockups (on powerpc) when firmware config space access calls
are interrupted by smp_send_stop later in reboot.
Fixes:
e30d1756480dc ("[SCSI] qla2xxx: Addition of shutdown callback handler.")
Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.com
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Potnuri Bharat Teja [Fri, 25 Oct 2019 12:34:40 +0000 (18:04 +0530)]
RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case
[ Upstream commit
d4934f45693651ea15357dd6c7c36be28b6da884 ]
_put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by
process_work(). fix double free by freeing the skb only in process_work().
Fixes:
1dad0ebeea1c ("iw_cxgb4: Avoid touch after free error in ARP failure handlers")
Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.com
Signed-off-by: Dakshaja Uppalapati <dakshaja@chelsio.com>
Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Alan Stern [Mon, 28 Oct 2019 14:52:35 +0000 (10:52 -0400)]
USB: Skip endpoints with 0 maxpacket length
[ Upstream commit
d482c7bb0541d19dea8bff437a9f3c5563b5b2d2 ]
Endpoints with a maxpacket length of 0 are probably useless. They
can't transfer any data, and it's not at all unlikely that an HCD will
crash or hang when trying to handle an URB for such an endpoint.
Currently the USB core does not check for endpoints having a maxpacket
value of 0. This patch adds a check, printing a warning and skipping
over any endpoints it catches.
Now, the USB spec does not rule out endpoints having maxpacket = 0.
But since they wouldn't have any practical use, there doesn't seem to
be any good reason for us to accept them.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kim Phillips [Wed, 23 Oct 2019 15:09:55 +0000 (10:09 -0500)]
perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h)
[ Upstream commit
e431e79b60603079d269e0c2a5177943b95fa4b6 ]
This saves us writing the IBS control MSR twice when disabling the
event.
I searched revision guides for all families since 10h, and did not
find occurrence of erratum #420, nor anything remotely similar:
so we isolate the secondary MSR write to family 10h only.
Also unconditionally update the count mask for IBS Op implementations
that have read & writeable current count (CurCnt) fields in addition
to the MaxCnt field. These bits were reserved on prior
implementations, and therefore shouldn't have negative impact.
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes:
c9574fe0bdb9 ("perf/x86-ibs: Implement workaround for IBS erratum #420")
Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kim Phillips [Wed, 23 Oct 2019 15:09:54 +0000 (10:09 -0500)]
perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity
[ Upstream commit
317b96bb14303c7998dbcd5bc606bd8038fdd4b4 ]
The loop that reads all the IBS MSRs into *buf stopped one MSR short of
reading the IbsOpData register, which contains the RipInvalid status bit.
Fix the offset_max assignment so the MSR gets read, so the RIP invalid
evaluation is based on what the IBS h/w output, instead of what was
left in memory.
Signed-off-by: Kim Phillips <kim.phillips@amd.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes:
d47e8238cd76 ("perf/x86-ibs: Take instruction pointer from ibs sample")
Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yinbo Zhu [Mon, 29 Jul 2019 06:46:07 +0000 (14:46 +0800)]
usb: dwc3: remove the call trace of USBx_GFLADJ
[ Upstream commit
a7d9874c6f3fbc8d25cd9ceba35b6822612c4ebf ]
layerscape board sometimes reported some usb call trace, that is due to
kernel sent LPM tokerns automatically when it has no pending transfers
and think that the link is idle enough to enter L1, which procedure will
ask usb register has a recovery,then kernel will compare USBx_GFLADJ and
set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if
the conditions were met then issue occur, but whatever the conditions
whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20
(xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source
that generates the clock that drives the SOF counter, 0x20 is default
value of it)That is normal logic, so need remove the call trace.
Signed-off-by: Yinbo Zhu <yinbo.zhu@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Peter Chen [Mon, 26 Aug 2019 19:10:55 +0000 (15:10 -0400)]
usb: gadget: configfs: fix concurrent issue between composite APIs
[ Upstream commit
1a1c851bbd706ea9f3a9756c2d3db28523506d3b ]
We meet several NULL pointer issues if configfs_composite_unbind
and composite_setup (or composite_disconnect) are running together.
These issues occur when do the function switch stress test, the
configfs_compsoite_unbind is called from user mode by
echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
or disconnect interrupt occurs by hardware. The composite_setup
will get the cdev from get_gadget_data, but configfs_composite_unbind
will set gadget data as NULL, so the NULL pointer issue occurs.
This concurrent is hard to reproduce by native kernel, but can be
reproduced by android kernel.
In this commit, we introduce one spinlock belongs to structure
gadget_info since we can't use the same spinlock in usb_composite_dev
due to exclusive running together between composite_setup and
configfs_composite_unbind. And one bit flag 'unbind' to indicate the
code is at unbind routine, this bit is needed due to we release the
lock at during configfs_composite_unbind sometimes, and composite_setup
may be run at that time.
Several oops:
oops 1:
android_work: sent uevent USB_STATE=CONNECTED
configfs-gadget gadget: super-speed config #1: b
android_work: sent uevent USB_STATE=CONFIGURED
init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
Unable to handle kernel NULL pointer dereference at virtual address
0000002a
init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
Mem abort info:
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgd =
ffff8008f1b7f000
[
000000000000002a] *pgd=
0000000000000000
Internal error: Oops:
96000004 [#1] PREEMPT SMP
Modules linked in:
CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
Hardware name: Freescale i.MX8QM MEK (DT)
task:
ffff8008f2a98000 task.stack:
ffff00000b7b8000
PC is at composite_setup+0x44/0x1508
LR is at android_setup+0xb8/0x13c
pc : [<
ffff0000089ffb3c>] lr : [<
ffff000008a032fc>] pstate:
800001c5
sp :
ffff00000b7bbb80
x29:
ffff00000b7bbb80 x28:
ffff8008f2a3c010
x27:
0000000000000001 x26:
0000000000000000 [1232/1897]
audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
x25:
00000000ffffffa1 x24:
ffff8008f2a3c010
audit: rate limit exceeded
x23:
0000000000000409 x22:
ffff000009c8e000
x21:
ffff8008f7a8b428 x20:
ffff00000afae000
x19:
ffff0000089ff000 x18:
0000000000000000
x17:
0000000000000000 x16:
ffff0000082b7c9c
x15:
0000000000000000 x14:
f1866f5b952aca46
x13:
e35502e30d44349c x12:
0000000000000008
x11:
0000000000000008 x10:
0000000000000a30
x9 :
ffff00000b7bbd00 x8 :
ffff8008f2a98a90
x7 :
ffff8008f27a9c90 x6 :
0000000000000001
x5 :
0000000000000000 x4 :
0000000000000001
x3 :
0000000000000000 x2 :
0000000000000006
x1 :
ffff0000089ff8d0 x0 :
732a010310b9ed00
X7: 0xffff8008f27a9c10:
9c10
00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
9c30
00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
9c50
00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
9c70
00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
9c90
00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
9cb0
f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
9cd0
870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
using random self ethernet address
9cf0
019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
using random host ethernet address
00000000
X8: 0xffff8008f2a98a10:
8a10
00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
8a30
eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
8a50
f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
8a70
fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
8a90
080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
8ab0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
8ad0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
8af0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
X21: 0xffff8008f7a8b3a8:
b3a8
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
b3c8
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
b3e8
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
b408
00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
b428
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
b448
0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
b468
e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
b488
f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
X24: 0xffff8008f2a3bf90:
bf90
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfb0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfd0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bff0
00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
c010
00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
c030
f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
c050
f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
c070
f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
X28: 0xffff8008f2a3bf90:
bf90
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfb0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bfd0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
bff0
00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
c010
00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
c030
f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
c050
f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
c070
f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
Call trace:
Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
ba40:
732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
ba60:
0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
ba80:
ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
baa0:
0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
bac0:
ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
bae0:
ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
bb00:
ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
bb20:
ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
bb40:
ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
bb60:
ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
[<
ffff0000089ffb3c>] composite_setup+0x44/0x1508
[<
ffff000008a032fc>] android_setup+0xb8/0x13c
[<
ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
[<
ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
[<
ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
[<
ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
[<
ffff000008145bf0>] irq_thread_fn+0x28/0x88
[<
ffff000008145e38>] irq_thread+0x13c/0x228
[<
ffff0000080fed70>] kthread+0x104/0x130
[<
ffff000008085064>] ret_from_fork+0x10/0x18
oops2:
composite_disconnect: Calling disconnect on a Gadget that is not connected
android_work: did not send uevent (0 0 (null))
init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
init: Sending signal 9 to service 'adbd' (pid 22343) process group...
------------[ cut here ]------------
audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
audit: rate limit exceeded
WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
Modules linked in:
CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
Hardware name: Freescale i.MX8QM MEK (DT)
task:
ffff8008f2349c00 task.stack:
ffff00000b0a8000
PC is at composite_disconnect+0x80/0x88
LR is at composite_disconnect+0x80/0x88
pc : [<
ffff0000089ff9b0>] lr : [<
ffff0000089ff9b0>] pstate:
600001c5
sp :
ffff000008003dd0
x29:
ffff000008003dd0 x28:
ffff8008f2349c00
x27:
ffff000009885018 x26:
ffff000008004000
Timeout for IPC response!
x25:
ffff000009885018 x24:
ffff000009c8e280
x23:
ffff8008f2d98010 x22:
00000000000001c0
x21:
ffff8008f2d98394 x20:
ffff8008f2d98010
x19:
0000000000000000 x18:
0000e3956f4f075a
fxos8700 4-001e: i2c block read acc failed
x17:
0000e395735727e8 x16:
ffff00000829f4d4
x15:
ffffffffffffffff x14:
7463656e6e6f6320
x13:
746f6e2009090920 x12:
7369207461687420
x11:
7465676461472061 x10:
206e6f207463656e
x9 :
6e6f637369642067 x8 :
ffff000009c8e280
x7 :
ffff0000086ca6cc x6 :
ffff000009f15e78
x5 :
0000000000000000 x4 :
0000000000000000
x3 :
ffffffffffffffff x2 :
c3f28b86000c3900
x1 :
c3f28b86000c3900 x0 :
000000000000004e
X20: 0xffff8008f2d97f90:
7f90
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7fb0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
7fd0
Timeout for IPC response!
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
using random self ethernet address
7ff0
00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
8010
00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
using random host ethernet address
ffff0000
8030
f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
8050
f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
8070
f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
X21: 0xffff8008f2d98314:
8314
ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
8334
00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
8354
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
8374
00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
8394
e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
Timeout for IPC response!
83b4
ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
83d4
ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
83f4
ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
X23: 0xffff8008f2d97f90:
7f90
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7fb0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7fd0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
7ff0
00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
8010
00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
8030
f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
8050
f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
8070
f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
X28: 0xffff8008f2349b80:
9b80
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ba0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9bc0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9be0
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9c00
00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
9c20
0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
9c40
00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
9c60
00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
Call trace:
Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
3c80:
000000000000004e c3f28b86000c3900
3ca0:
c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
3cc0:
ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
3ce0:
206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
3d00:
7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
3d20:
0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
3d40:
00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
3d60:
ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
3d80:
ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
3da0:
ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
3dc0:
ffff000008003dd0 ffff0000089ff9b0
[<
ffff0000089ff9b0>] composite_disconnect+0x80/0x88
[<
ffff000008a044d4>] android_disconnect+0x3c/0x68
[<
ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
[<
ffff0000089b84c0>] cdns3_irq+0x44/0x94
[<
ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
[<
ffff000008144c0c>] handle_irq_event+0x58/0xc0
[<
ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
[<
ffff000008143a10>] generic_handle_irq+0x24/0x38
[<
ffff000008144170>] __handle_domain_irq+0x60/0xac
[<
ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
Signed-off-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chandana Kishori Chiluveru [Tue, 1 Oct 2019 07:46:48 +0000 (13:16 +0530)]
usb: gadget: composite: Fix possible double free memory bug
[ Upstream commit
1c20c89b0421b52b2417bb0f62a611bc669eda1d ]
composite_dev_cleanup call from the failure of configfs_composite_bind
frees up the cdev->os_desc_req and cdev->req. If the previous calls of
bind and unbind is successful these will carry stale values.
Consider the below sequence of function calls:
configfs_composite_bind()
composite_dev_prepare()
- Allocate cdev->req, cdev->req->buf
composite_os_desc_req_prepare()
- Allocate cdev->os_desc_req, cdev->os_desc_req->buf
configfs_composite_unbind()
composite_dev_cleanup()
- free the cdev->os_desc_req->buf and cdev->req->buf
Next composition switch
configfs_composite_bind()
- If it fails goto err_comp_cleanup will call the
composite_dev_cleanup() function
composite_dev_cleanup()
- calls kfree up with the stale values of cdev->req->buf and
cdev->os_desc_req from the previous configfs_composite_bind
call. The free call on these stale values leads to double free.
Hence, Fix this issue by setting request and buffer pointer to NULL after
kfree.
Signed-off-by: Chandana Kishori Chiluveru <cchiluve@codeaurora.org>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Cristian Birsan [Fri, 4 Oct 2019 17:10:54 +0000 (20:10 +0300)]
usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode.
[ Upstream commit
ba3a1a915c49cc3023e4ddfc88f21e7514e82aa4 ]
Fix interrupt storm generated by endpoints when working in FIFO mode.
The TX_COMPLETE interrupt is used only by control endpoints processing.
Do not enable it for other types of endpoints.
Fixes:
914a3f3b3754 ("USB: add atmel_usba_udc driver")
Signed-off-by: Cristian Birsan <cristian.birsan@microchip.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nikhil Badola [Mon, 21 Oct 2019 10:21:51 +0000 (18:21 +0800)]
usb: fsl: Check memory resource before releasing it
[ Upstream commit
bc1e3a2dd0c9954fd956ac43ca2876bbea018c01 ]
Check memory resource existence before releasing it to avoid NULL
pointer dereference
Signed-off-by: Nikhil Badola <nikhil.badola@freescale.com>
Reviewed-by: Ran Wang <ran.wang_1@nxp.com>
Reviewed-by: Peter Chen <peter.chen@nxp.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Taehee Yoo [Mon, 21 Oct 2019 18:47:52 +0000 (18:47 +0000)]
bonding: fix unexpected IFF_BONDING bit unset
[ Upstream commit
65de65d9033750d2cf1b336c9d6e9da3a8b5cc6e ]
The IFF_BONDING means bonding master or bonding slave device.
->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets
IFF_BONDING flag.
bond0<--bond1
Both bond0 and bond1 are bonding device and these should keep having
IFF_BONDING flag until they are removed.
But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine
do not check whether the slave device is the bonding type or not.
This patch adds the interface type check routine before removing
IFF_BONDING flag.
Test commands:
ip link add bond0 type bond
ip link add bond1 type bond
ip link set bond1 master bond0
ip link set bond1 nomaster
ip link del bond1 type bond
ip link add bond1 type bond
Splat looks like:
[ 226.665555] proc_dir_entry 'bonding/bond1' already registered
[ 226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0
[ 226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix
[ 226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96
[ 226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 226.670652] RIP: 0010:proc_register+0x2a9/0x3e0
[ 226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e
0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00
[ 226.675007] RSP: 0018:
ffff888050e17078 EFLAGS:
00010282
[ 226.675761] RAX:
dffffc0000000008 RBX:
ffff88805fdd0f10 RCX:
ffffffff9dd344e2
[ 226.676757] RDX:
0000000000000001 RSI:
0000000000000008 RDI:
ffff88806c9f6b8c
[ 226.677751] RBP:
ffff8880507160f3 R08:
ffffed100d940019 R09:
ffffed100d940019
[ 226.678761] R10:
0000000000000001 R11:
ffffed100d940018 R12:
ffff888050716008
[ 226.679757] R13:
ffff8880507160f2 R14:
dffffc0000000000 R15:
ffffed100a0e2c1e
[ 226.680758] FS:
00007fdc217cc0c0(0000) GS:
ffff88806c800000(0000) knlGS:
0000000000000000
[ 226.681886] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 226.682719] CR2:
00007f49313424d0 CR3:
0000000050e46001 CR4:
00000000000606f0
[ 226.683727] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 226.684725] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 226.685681] Call Trace:
[ 226.687089] proc_create_seq_private+0xb3/0xf0
[ 226.687778] bond_create_proc_entry+0x1b3/0x3f0 [bonding]
[ 226.691458] bond_netdev_event+0x433/0x970 [bonding]
[ 226.692139] ? __module_text_address+0x13/0x140
[ 226.692779] notifier_call_chain+0x90/0x160
[ 226.693401] register_netdevice+0x9b3/0xd80
[ 226.694010] ? alloc_netdev_mqs+0x854/0xc10
[ 226.694629] ? netdev_change_features+0xa0/0xa0
[ 226.695278] ? rtnl_create_link+0x2ed/0xad0
[ 226.695849] bond_newlink+0x2a/0x60 [bonding]
[ 226.696422] __rtnl_newlink+0xb9f/0x11b0
[ 226.696968] ? rtnl_link_unregister+0x220/0x220
[ ... ]
Fixes:
0b680e753724 ("[PATCH] bonding: Add priv_flag to avoid event mishandling")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Eric Dumazet [Wed, 23 Oct 2019 16:53:03 +0000 (09:53 -0700)]
ipvs: move old_secure_tcp into struct netns_ipvs
[ Upstream commit
c24b75e0f9239e78105f81c5f03a751641eb07ef ]
syzbot reported the following issue :
BUG: KCSAN: data-race in update_defense_level / update_defense_level
read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1:
update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177
defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
worker_thread+0xa0/0x800 kernel/workqueue.c:2415
kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0:
update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205
defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
worker_thread+0xa0/0x800 kernel/workqueue.c:2415
kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events defense_work_handler
Indeed, old_secure_tcp is currently a static variable, while it
needs to be a per netns variable.
Fixes:
a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Daniel Wagner [Tue, 22 Oct 2019 07:21:12 +0000 (09:21 +0200)]
scsi: lpfc: Honor module parameter lpfc_use_adisc
[ Upstream commit
0fd103ccfe6a06e40e2d9d8c91d96332cc9e1239 ]
The initial lpfc_desc_set_adisc implementation in commit
dea3101e0a5c ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if
cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE
In commit
92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of
SLI-3") this changed to
(cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE
and later in commit
ffc954936b13 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes
and enhancements.") to
(cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET)
A customer reports that after a devloss, an ADISC failure is logged. It
turns out the ADISC flag is set even the user explicitly set lpfc_use_adisc
= 0.
[Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa
[Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000
[mkp: fixed Hannes' email]
Fixes:
92d7f7b0cde3 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3")
Cc: Dick Kennedy <dick.kennedy@broadcom.com>
Cc: James Smart <james.smart@broadcom.com>
Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Daniel Wagner <dwagner@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hannes Reinecke [Fri, 18 Oct 2019 14:04:58 +0000 (16:04 +0200)]
scsi: qla2xxx: fixup incorrect usage of host_byte
[ Upstream commit
66cf50e65b183c863825f5c28a818e3f47a72e40 ]
DRIVER_ERROR is a a driver byte setting, not a host byte. The qla2xxx
driver should rather return DID_ERROR here to be in line with the other
drivers.
Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de
Signed-off-by: Hannes Reinecke <hare@suse.com>
Acked-by: Himanshu Madhani <hmadhani@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zhang Lixu [Wed, 16 Oct 2019 00:15:59 +0000 (08:15 +0800)]
HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring()
[ Upstream commit
16ff7bf6dbcc6f77d2eec1ac9120edf44213c2f1 ]
When allocating tx ring buffers failed, should free tx buffers, not rx buffers.
Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Radhey Shyam Pandey [Thu, 26 Sep 2019 10:50:58 +0000 (16:20 +0530)]
dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config
[ Upstream commit
6c6de1ddb1be3840f2ed5cc9d009a622720940c9 ]
In vdma_channel_set_config clear the delay, frame count and master mask
before updating their new values. It avoids programming incorrect state
when input parameters are different from default.
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
Acked-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Vidya Sagar [Thu, 4 Jul 2019 15:04:28 +0000 (20:34 +0530)]
PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30
commit
7be142caabc4780b13a522c485abc806de5c4114 upstream.
The PCI Tegra controller conversion to a device tree configurable
driver in commit
d1523b52bff3 ("PCI: tegra: Move PCIe driver
to drivers/pci/host") implied that code for the driver can be
compiled in for a kernel supporting multiple platforms.
Unfortunately, a blind move of the code did not check that some of the
quirks that were applied in arch/arm (eg enabling Relaxed Ordering on
all PCI devices - since the quirk hook erroneously matches PCI_ANY_ID
for both Vendor-ID and Device-ID) are now applied in all kernels that
compile the PCI Tegra controlled driver, DT and ACPI alike.
This is completely wrong, in that enablement of Relaxed Ordering is only
required by default in Tegra20 platforms as described in the Tegra20
Technical Reference Manual (available at
https://developer.nvidia.com/embedded/downloads#?search=tegra%202 in
Section 34.1, where it is mentioned that Relaxed Ordering bit needs to
be enabled in its root ports to avoid deadlock in hardware) and in the
Tegra30 platforms for the same reasons (unfortunately not documented
in the TRM).
There is no other strict requirement on PCI devices Relaxed Ordering
enablement on any other Tegra platforms or PCI host bridge driver.
Fix this quite upsetting situation by limiting the vendor and device IDs
to which the Relaxed Ordering quirk applies to the root ports in
question, reported above.
Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
[lorenzo.pieralisi@arm.com: completely rewrote the commit log/fixes tag]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gustavo A. R. Silva [Thu, 9 Feb 2017 07:49:56 +0000 (01:49 -0600)]
drivers: usb: usbip: Add missing break statement to switch
commit
7c92e5fbf4dac0dd4dd41a0383adc54f16f403e2 upstream.
Add missing break statement to prevent the code for case
USB_PORT_FEAT_C_RESET falling through to the default case.
Addresses-Coverity-ID: 143155
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nobuo Iwata [Thu, 13 Oct 2016 03:49:02 +0000 (12:49 +0900)]
usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c
commit
d79cda045e3bacb7e754a5324cd3d4ce80708eb1 upstream.
This patch fixes possibility of dereference by NULLL pointer in "[PATCH
v5 1/3] usbip: vhci extension: modifications to vhci driver" which has
been merged to 4.9-rc1. It occurs when a URB with pointer to invalid
USB/IP device is enqueued in race condition against detach operation.
A pointer was passed to vdev_to_vhci() before NULL check.
In vdev_to_vhci(), there's a dereference by the pointer.
This patch moves vdev_to_vhci() after NULL check of the pointer.
Signed-off-by: Nobuo Iwata <nobuo.iwata@fujixerox.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Shuah Khan [Thu, 24 Jan 2019 21:46:42 +0000 (14:46 -0700)]
usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path
commit
2c904963b1dd2acd4bc785b6c72e10a6283c2081 upstream.
Fix vhci_urb_enqueue() to print debug msg and return error instead of
failing with BUG_ON.
Signed-off-by: Shuah Khan <shuah@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Shuah Khan [Fri, 15 Dec 2017 17:05:15 +0000 (10:05 -0700)]
usbip: stub_rx: fix static checker warning on unnecessary checks
commit
10c90120930628e8b959bf58d4a0aaef3ae5d945 upstream.
Fix the following static checker warnings:
The patch
c6688ef9f297: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:
drivers/usb/usbip/stub_rx.c:346 get_pipe()
warn: impossible condition
'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
(s32min-s32max > s32max)'
drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
warn: always true condition
'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
(s32min-s32max <= s32max)'
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>