Linus Torvalds [Tue, 5 Mar 2019 03:29:37 +0000 (19:29 -0800)]
Merge tag 'hwmon-for-v5.1' of git://git./linux/kernel/git/groeck/linux-staging
Pull hwmon updates from Guenter Roeck:
- Add support for LM96000, DPS-650AB to existing drivers
- Use permission specific SENSOR[_DEVICE]_ATTR variants in several
drivers
- Replace S_<PERMS> with octal values in several drivers
- Update some license headers
- Various minor fixes and improvements in several drivers
* tag 'hwmon-for-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: (89 commits)
dt-bindings: hwmon: Add missing documentation for lm75
hwmon: (ad7418) Add device tree probing
hwmon: (ad741x) Add DT bindings for Analog Devices AD741x
hwmon: (ntc_thermistor) Convert to new hwmon API
hwmon: (pwm-fan) Add optional regulator support
dt-bindings: hwmon: Add optional regulator support to pwm-fan
hwmon: (f71882fg) Mark expected switch fall-through
hwmon: (ad7418) Catch I2C errors
hwmon: (lm85) add support for LM96000 high frequencies
hwmon: (lm85) support the LM96000
dt-bindings: Add LM96000 as a trivial device
hwmon: (lm85) remove freq_map size hardcodes
hwmon: (occ) Fix license headers
hwmon: (via-cputemp) Use permission specific SENSOR[_DEVICE]_ATTR variants
hwmon: (vexpress-hwmon) Use permission specific SENSOR[_DEVICE]_ATTR variants
hwmon: (tmp421) Replace S_<PERMS> with octal values
hwmon: (tmp103) Use permission specific SENSOR[_DEVICE]_ATTR variants
hwmon: (tmp102) Replace S_<PERMS> with octal values
hwmon: (tc74) Use permission specific SENSOR[_DEVICE]_ATTR variants
hwmon: (tc654) Use permission specific SENSOR[_DEVICE]_ATTR variants
...
Linus Torvalds [Tue, 5 Mar 2019 03:23:56 +0000 (19:23 -0800)]
Merge tag 'spi-v5.1' of git://git./linux/kernel/git/broonie/spi
Pull spi updates from Mark Brown:
"A fairly quiet release for SPI, the biggest thing is the conversion to
use GPIO descriptors which is now 90% done but still needs some
stragglers converting.
Summary:
- Support for inter-word delays
- Conversion of the core and most drivers to use GPIO descriptors for
GPIO controlled chip selects
- New drivers for NXP FlexSPI and QuadSPI, SiFive and Spreadtrum"
* tag 'spi-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: (104 commits)
spi: sh-msiof: Restrict bits per word to 8/16/24/32 on R-Car Gen2/3
spi: sifive: Remove redundant dev_err call in sifive_spi_probe()
spi: sifive: Remove spi_master_put in sifive_spi_remove()
spi: spi-gpio: fix SPI_CS_HIGH capability
spi: pxa2xx: Setup maximum supported DMA transfer length
spi: sifive: Add driver for the SiFive SPI controller
spi: sifive: Add DT documentation for SiFive SPI controller
spi: sprd: Add a prefix for SPI DMA channel macros
spi: sprd: spi: sprd: Add DMA mode support
dt-bindings: spi: Add the DMA properties for the SPI dma mode
spi: sprd: Add the SPI irq function for the SPI DMA mode
dt-bindings: spi: imx: Add an entry for the i.MX8QM compatible
spi: use gpio[d]_set_value_cansleep for setting chipselect GPIO
spi: gpio: Advertise support for SPI_CS_HIGH
spi: sh-msiof: Replace spi_master by spi_controller
spi: sh-hspi: Replace spi_master by spi_controller
spi: rspi: Replace spi_master by spi_controller
spi: atmel-quadspi: add support for sam9x60 qspi controller
dt-bindings: spi: atmel-quadspi: QuadSPI driver for Microchip SAM9X60
spi: atmel-quadspi: add support for named peripheral clock
...
Linus Torvalds [Tue, 5 Mar 2019 03:20:52 +0000 (19:20 -0800)]
Merge tag 'regulator-v5.1' of git://git./linux/kernel/git/broonie/regulator
Pull regulator updates from Mark Brown:
"The bulk of the standout changes in this release are cleanups, with
the core work being a combination of factoring out common code into
helpers and the completion of the conversion of the core to use GPIO
descriptors.
Summary:
- Addition of helper functions for current limits and conversion of
drivers to use them by Axel Lin.
- Lots and lots of cleanups from Axel Lin.
- Conversion of the core to use GPIO descriptors rather than numbers
by Linus Walleij.
- New drivers for Maxim MAX77650 and ROHM BD70528"
* tag 'regulator-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: (131 commits)
regulator: mc13xxx: Constify regulator_ops variables
regulator: palmas: Constify palmas_smps_ramp_delay array
regulator: wm831x-dcdc: Convert to use regulator_set/get_current_limit_regmap
regulator: pv88090: Convert to use regulator_set/get_current_limit_regmap
regulator: pv88080: Convert to use regulator_set/get_current_limit_regmap
regulator: pv88060: Convert to use regulator_set/get_current_limit_regmap
regulator: max77650: Convert to use regulator_set/get_current_limit_regmap
regulator: lp873x: Convert to use regulator_set/get_current_limit_regmap
regulator: lp872x: Convert to use regulator_set/get_current_limit_regmap
regulator: da9210: Convert to use regulator_set/get_current_limit_regmap
regulator: da9055: Convert to use regulator_set/get_current_limit_regmap
regulator: core: Add set/get_current_limit helpers for regmap users
regulator: Fix comment for csel_reg and csel_mask
regulator: stm32-vrefbuf: add power management support
regulator: 88pm8607: Remove unused fields from struct pm8607_regulator_info
regulator: 88pm8607: Simplify pm8607_list_voltage implementation
regulator: cpcap: Constify omap4_regulators and xoom_regulators
regulator: cpcap: Remove unused vsel_shift from struct cpcap_regulator
dt-bindings: regulator: tps65218: rectify units of LS3
dt-bindings: regulator: add LS2 load switch documentation
...
Linus Torvalds [Tue, 5 Mar 2019 03:16:09 +0000 (19:16 -0800)]
Merge tag 'regmap-v5.1' of git://git./linux/kernel/git/broonie/regmap
Pull regmap updates from Mark Brown:
"There are only two changes here:
- fix for conflicting attributes on the rbtree node structure
- implementation of main status register support in the interrupt
code which supports chips that have a register to cut down on the
number of per-interrupt status registers that need to be checked
when handling interrupts"
* tag 'regmap-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap:
regmap: Remove attribute packed from struct 'regcache_rbtree_node'
regmap: regmap-irq: Add main status register support
Linus Torvalds [Tue, 5 Mar 2019 03:07:02 +0000 (19:07 -0800)]
Merge tag 'mmc-v5.1' of git://git./linux/kernel/git/ulfh/mmc
Pull MMC updates from Ulf Hansson:
"MMC core:
- Fixup max_discard/trim calculations
- Announce SD specs greater than 4.0
- Add discard support for SD cards
- Don't do retries for CMD6 (SWITCH command)
- Various cleanups and re-structuring
MMC host:
- cqhci:
* Add maintainers for eMMC CQHCI driver
- sdhci:
* Consolidate WP GPIO code
* Add ADMA3 DMA support for V4 enabled host
* Fixup card detect support in pci-o2micro driver
* Add support for CMDQ and SDMMC pads auto-calibration in tegra
driver
* Add DCMD support and CMDQ support, support for i.MX6ULL variant,
fixup HS400 timing issue and add HS400_ES support for i.MX8QXP
to esdhc-imx driver
* Avoid CRC errors by adjusting settings to speed mode and fixup
card initialization for high speed mode in renesas_sdhi
* Fixup timeout settings for omap
* Enable 8 bits bus-width support in atmel-mci
* Convert some legacy code in jz4740 driver to use modern APIs
* Send a CMD12 to clear DPSM at errors for STM32 sdmmc mmci
driver"
* tag 'mmc-v5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: (69 commits)
mmc:fix a bug when max_discard is 0
mmc: core: Add a debug print when the card may have been replaced
mmc: core: Add sd discard timeout
mmc: core: Add discard support to sd
mmc: sdhci-esdhc-imx: clear the HALT bit when enable CQE
mmc: core: do not retry CMD6 in __mmc_switch()
mmc: core: Convert mmc_align_data_size() into an SDIO specific function
mmc: core: Move mmc_of_parse_voltage() to host.c
mmc: core: Convert mmc_regulator_get_ocrmask() to static
mmc: core: Move regulator helpers to separate file
mmc: of_mmc_spi: Convert to mmc_of_parse_voltage()
mmc: core: Drop retries as in-parameter to mmc_wait_for_app_cmd()
mmc: core: Convert mmc_wait_for_app_cmd() to static
mmc: renesas_sdhi: Change HW adjustment register according to speed mode
mmc: mmci: Send a CMD12 to clear the DPSM at errors
mmc: sdhci-xenon: Fixup already marked switch fall-through
mmc: sdhci-tegra: drop ->get_ro() implementation
mmc: sdhci-omap: drop ->get_ro() implementation
mmc: sdhci: use WP GPIO in sdhci_check_ro()
mmc: wmt-sdmmc: Drop unused include
...
Linus Torvalds [Tue, 5 Mar 2019 03:05:02 +0000 (19:05 -0800)]
Merge tag 'i3c/for-5.1' of git://git./linux/kernel/git/i3c/linux
Pull i3c updates from Boris Brezillon:
- Add a /* fall-through */ comment in the dw-i3c-master driver
- Update the I3C entries in MAINTAINERS to add an IRC chan
* tag 'i3c/for-5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/i3c/linux:
i3c: master: dw-i3c-master: mark expected switch fall-through
MAINTAINERS: Add an IRC channel for the I3C subsystem
Linus Torvalds [Tue, 5 Mar 2019 02:59:37 +0000 (18:59 -0800)]
Merge tag 'mtd/for-5.1' of git://git.infradead.org/linux-mtd
Pull MTD updates from Boris Brezillon:
"Core MTD changes:
- Use struct_size() where appropriate
- mtd_{read,write}() as wrappers around mtd_{read,write}_oob()
- Fix misuse of PTR_ERR() in docg3
- Coding style improvements in mtdcore.c
SPI NOR changes:
Core changes:
- Add support of octal mode I/O transfer
- Add a bunch of SPI NOR entries to the flash_info table
SPI NOR controller driver changes:
- cadence-quadspi:
* Add support for Octal SPI controller
* write upto 8-bytes data in STIG mode
- mtk-quadspi:
* rename config to a common one
* add SNOR_HWCAPS_READ to spi_nor_hwcaps mask
- Add Tudor as SPI-NOR co-maintainer
NAND changes:
NAND core changes:
- Fourth batch of fixes/cleanup to the raw NAND core impacting
various controller drivers (Sunxi, Marvell, MTK, TMIO, OMAP2).
- Check the return code of nand_reset() and nand_readid_op().
- Remove ->legacy.erase and single_erase().
- Simplify the locking.
- Several implicit fall through annotations.
Raw NAND controllers drivers changes:
- Fix various possible object reference leaks (MTK, JZ4780, Atmel)
- ST:
* Add support for STM32 FMC2 NAND flash controller
- Meson:
* Add support for Amlogic NAND flash controller
- Denali:
* Several cleanup patches
- Sunxi:
* Several cleanup patches
- FSMC:
* Disable NAND on remove()
* Reset NAND timings on resume()
SPI-NAND drivers changes:
- Toshiba:
* Add support for all Toshiba products.
- Macronix:
* Fix ECC status read.
- Gigadevice:
* Add support for GD5F1GQ4UExxG"
* tag 'mtd/for-5.1' of git://git.infradead.org/linux-mtd: (64 commits)
mtd: spi-nor: Fix wrong abbreviation HWCPAS
mtd: spi-nor: cadence-quadspi: fix spelling mistake: "Couldnt't" -> "Couldn't"
mtd: spi-nor: Add support for en25qh64
mtd: spi-nor: Add support for MX25V8035F
mtd: spi-nor: Add support for EN25Q80A
mtd: spi-nor: cadence-quadspi: Add support for Octal SPI controller
dt-bindings: cadence-quadspi: Add new compatible for AM654 SoC
mtd: spi-nor: split s25fl128s into s25fl128s0 and s25fl128s1
mtd: spi-nor: cadence-quadspi: write upto 8-bytes data in STIG mode
mtd: spi-nor: Add support for mx25u3235f
mtd: rawnand: denali_dt: remove single anonymous clock support
mtd: rawnand: mtk: fix possible object reference leak
mtd: rawnand: jz4780: fix possible object reference leak
mtd: rawnand: atmel: fix possible object reference leak
mtd: rawnand: fsmc: Disable NAND on remove()
mtd: rawnand: fsmc: Reset NAND timings on resume()
mtd: spinand: Add support for GigaDevice GD5F1GQ4UExxG
mtd: rawnand: denali: remove unused dma_addr field from denali_nand_info
mtd: rawnand: denali: remove unused function argument 'raw'
mtd: rawnand: denali: remove unneeded denali_reset_irq() call
...
Linus Torvalds [Tue, 5 Mar 2019 02:56:36 +0000 (18:56 -0800)]
Merge tag 'vfio-v5.1-rc1' of git://github.com/awilliam/linux-vfio
Pull VFIO updates from Alex Williamson:
- Switch mdev to generic UUID API (Andy Shevchenko)
- Fixup platform reset include paths (Masahiro Yamada)
- Fix usage of MINORMASK (Chengguang Xu)
- Remove noise from duplicate spapr table unsets (Alexey Kardashevskiy)
- Restore device state after PM reset (Alex Williamson)
- Ensure memory translation enabled for PCI ROM access (Eric Auger)
* tag 'vfio-v5.1-rc1' of git://github.com/awilliam/linux-vfio:
vfio_pci: Enable memory accesses before calling pci_map_rom
vfio/pci: Restore device state on PM transition
vfio/spapr_tce: Skip unsetting already unset table
samples/vfio-mdev/mtty: expand minor range when registering chrdev region
samples/vfio-mdev/mdpy: expand minor range when registering chrdev region
samples/vfio-mdev/mbochs: expand minor range when registering chrdev region
vfio: expand minor range when registering chrdev region
vfio: platform: reset: fix up include directives to remove ccflags-y
vfio-mdev: Switch to use new generic UUID API
Slavomir Kaslev [Thu, 7 Feb 2019 15:45:19 +0000 (17:45 +0200)]
fs: Make splice() and tee() take into account O_NONBLOCK flag on pipes
The current implementation of splice() and tee() ignores O_NONBLOCK set
on pipe file descriptors and checks only the SPLICE_F_NONBLOCK flag for
blocking on pipe arguments. This is inconsistent since splice()-ing
from/to non-pipe file descriptors does take O_NONBLOCK into
consideration.
Fix this by promoting O_NONBLOCK, when set on a pipe, to
SPLICE_F_NONBLOCK.
Some context for how the current implementation of splice() leads to
inconsistent behavior. In the ongoing work[1] to add VM tracing
capability to trace-cmd we stream tracing data over named FIFOs or
vsockets from guests back to the host.
When we receive SIGINT from user to stop tracing, we set O_NONBLOCK on
the input file descriptor and set SPLICE_F_NONBLOCK for the next call to
splice(). If splice() was blocked waiting on data from the input FIFO,
after SIGINT splice() restarts with the same arguments (no
SPLICE_F_NONBLOCK) and blocks again instead of returning -EAGAIN when no
data is available.
This differs from the splice() behavior when reading from a vsocket or
when we're doing a traditional read()/write() loop (trace-cmd's
--nosplice argument).
With this patch applied we get the same behavior in all situations after
setting O_NONBLOCK which also matches the behavior of doing a
read()/write() loop instead of splice().
This change does have potential of breaking users who don't expect
EAGAIN from splice() when SPLICE_F_NONBLOCK is not set. OTOH programs
that set O_NONBLOCK and don't anticipate EAGAIN are arguably buggy[2].
[1] https://github.com/skaslev/trace-cmd/tree/vsock
[2] https://github.com/torvalds/linux/blob/
d47e3da1759230e394096fd742aad423c291ba48/fs/read_write.c#L1425
Signed-off-by: Slavomir Kaslev <kaslevs@vmware.com>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Mon, 4 Mar 2019 21:24:27 +0000 (13:24 -0800)]
Merge branch 'fixes' of git://git./linux/kernel/git/viro/vfs
Pull vfs fixes from Al Viro:
"Assorted fixes that sat in -next for a while, all over the place"
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
aio: Fix locking in aio_poll()
exec: Fix mem leak in kernel_read_file
copy_mount_string: Limit string length to PATH_MAX
cgroup: saner refcounting for cgroup_root
fix cgroup_do_mount() handling of failure exits
Linus Torvalds [Mon, 4 Mar 2019 18:39:05 +0000 (10:39 -0800)]
get rid of legacy 'get_ds()' function
Every in-kernel use of this function defined it to KERNEL_DS (either as
an actual define, or as an inline function). It's an entirely
historical artifact, and long long long ago used to actually read the
segment selector valueof '%ds' on x86.
Which in the kernel is always KERNEL_DS.
Inspired by a patch from Jann Horn that just did this for a very small
subset of users (the ones in fs/), along with Al who suggested a script.
I then just took it to the logical extreme and removed all the remaining
gunk.
Roughly scripted with
git grep -l '(get_ds())' -- :^tools/ | xargs sed -i 's/(get_ds())/(KERNEL_DS)/'
git grep -lw 'get_ds' -- :^tools/ | xargs sed -i '/^#define get_ds()/d'
plus manual fixups to remove a few unusual usage patterns, the couple of
inline function cases and to fix up a comment that had become stale.
The 'get_ds()' function remains in an x86 kvm selftest, since in user
space it actually does something relevant.
Inspired-by: Jann Horn <jannh@google.com>
Inspired-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Sun, 3 Mar 2019 22:23:33 +0000 (14:23 -0800)]
aio: simplify - and fix - fget/fput for io_submit()
Al Viro root-caused a race where the IOCB_CMD_POLL handling of
fget/fput() could cause us to access the file pointer after it had
already been freed:
"In more details - normally IOCB_CMD_POLL handling looks so:
1) io_submit(2) allocates aio_kiocb instance and passes it to
aio_poll()
2) aio_poll() resolves the descriptor to struct file by req->file =
fget(iocb->aio_fildes)
3) aio_poll() sets ->woken to false and raises ->ki_refcnt of that
aio_kiocb to 2 (bumps by 1, that is).
4) aio_poll() calls vfs_poll(). After sanity checks (basically,
"poll_wait() had been called and only once") it locks the queue.
That's what the extra reference to iocb had been for - we know we
can safely access it.
5) With queue locked, we check if ->woken has already been set to
true (by aio_poll_wake()) and, if it had been, we unlock the
queue, drop a reference to aio_kiocb and bugger off - at that
point it's a responsibility to aio_poll_wake() and the stuff
called/scheduled by it. That code will drop the reference to file
in req->file, along with the other reference to our aio_kiocb.
6) otherwise, we see whether we need to wait. If we do, we unlock the
queue, drop one reference to aio_kiocb and go away - eventual
wakeup (or cancel) will deal with the reference to file and with
the other reference to aio_kiocb
7) otherwise we remove ourselves from waitqueue (still under the
queue lock), so that wakeup won't get us. No async activity will
be happening, so we can safely drop req->file and iocb ourselves.
If wakeup happens while we are in vfs_poll(), we are fine - aio_kiocb
won't get freed under us, so we can do all the checks and locking
safely. And we don't touch ->file if we detect that case.
However, vfs_poll() most certainly *does* touch the file it had been
given. So wakeup coming while we are still in ->poll() might end up
doing fput() on that file. That case is not too rare, and usually we
are saved by the still present reference from descriptor table - that
fput() is not the final one.
But if another thread closes that descriptor right after our fget()
and wakeup does happen before ->poll() returns, we are in trouble -
final fput() done while we are in the middle of a method:
Al also wrote a patch to take an extra reference to the file descriptor
to fix this, but I instead suggested we just streamline the whole file
pointer handling by submit_io() so that the generic aio submission code
simply keeps the file pointer around until the aio has completed.
Fixes:
bfe4037e722e ("aio: implement IOCB_CMD_POLL")
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-by: syzbot+503d4cc169fcec1cb18c@syzkaller.appspotmail.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Tue, 26 Feb 2019 17:16:04 +0000 (09:16 -0800)]
x86-64: add warning for non-canonical user access address dereferences
This adds a warning (once) for any kernel dereference that has a user
exception handler, but accesses a non-canonical address. It basically
is a simpler - and more limited - version of commit
9da3f2b74054
("x86/fault: BUG() when uaccess helpers fault on kernel addresses") that
got reverted.
Note that unlike that original commit, this only causes a warning,
because there are real situations where we currently can do this
(notably speculative argument fetching for uprobes etc). Also, unlike
that original commit, this _only_ triggers for #GP accesses, so the
cases of valid kernel pointers that cross into a non-mapped page aren't
affected.
The intent of this is two-fold:
- the uprobe/tracing accesses really do need to be more careful. In
particular, from a portability standpoint it's just wrong to think
that "a pointer is a pointer", and use the same logic for any random
pointer value you find on the stack. It may _work_ on x86-64, but it
doesn't necessarily work on other architectures (where the same
pointer value can be either a kernel pointer _or_ a user pointer, and
you really need to be much more careful in how you try to access it)
The warning can hopefully end up being a reminder that just any
random pointer access won't do.
- Kees in particular wanted a way to actually report invalid uses of
wild pointers to user space accessors, instead of just silently
failing them. Automated fuzzers want a way to get reports if the
kernel ever uses invalid values that the fuzzer fed it.
The non-canonical address range is a fair chunk of the address space,
and with this you can teach syzkaller to feed in invalid pointer
values and find cases where we do not properly validate user
addresses (possibly due to bad uses of "set_fs()").
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Jann Horn <jannh@google.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Mark Brown [Mon, 4 Mar 2019 15:32:51 +0000 (15:32 +0000)]
Merge branch 'spi-5.1' into spi-next
Mark Brown [Mon, 4 Mar 2019 15:32:49 +0000 (15:32 +0000)]
Merge branch 'spi-5.0' into spi-linus
Mark Brown [Mon, 4 Mar 2019 15:32:43 +0000 (15:32 +0000)]
Merge branch 'regulator-5.1' into regulator-next
Mark Brown [Mon, 4 Mar 2019 15:32:41 +0000 (15:32 +0000)]
Merge branch 'regulator-5.0' into regulator-linus
Geert Uytterhoeven [Thu, 28 Feb 2019 11:05:13 +0000 (12:05 +0100)]
spi: sh-msiof: Restrict bits per word to 8/16/24/32 on R-Car Gen2/3
While the MSIOF variants in older SuperH and SH/R-Mobile SoCs support
bits-per-word values in the full range 8..32, the variants present in
R-Car Gen2 and Gen3 SoCs are restricted to 8, 16, 24, or 32.
Obtain the value from family-specific sh_msiof_chipdata to fix this.
Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms+renesas@verge.net.au>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Fri, 1 Mar 2019 14:20:53 +0000 (22:20 +0800)]
regulator: mc13xxx: Constify regulator_ops variables
These regulator_ops variables should never change, make them const.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Fri, 1 Mar 2019 14:20:16 +0000 (22:20 +0800)]
regulator: palmas: Constify palmas_smps_ramp_delay array
The palmas_smps_ramp_delay array should never modify, make it const.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:22 +0000 (21:40 +0800)]
regulator: wm831x-dcdc: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:21 +0000 (21:40 +0800)]
regulator: pv88090: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>;
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:20 +0000 (21:40 +0800)]
regulator: pv88080: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:19 +0000 (21:40 +0800)]
regulator: pv88060: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Mark Brown [Sun, 3 Mar 2019 23:49:46 +0000 (23:49 +0000)]
Merge branch 'for-5.0' of https://git./linux/kernel/git/broonie/regulator into regulator-5.1
Axel Lin [Thu, 28 Feb 2019 13:40:18 +0000 (21:40 +0800)]
regulator: max77650: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:17 +0000 (21:40 +0800)]
regulator: lp873x: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:16 +0000 (21:40 +0800)]
regulator: lp872x: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:15 +0000 (21:40 +0800)]
regulator: da9210: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:14 +0000 (21:40 +0800)]
regulator: da9055: Convert to use regulator_set/get_current_limit_regmap
Use regulator_set/get_current_limit_regmap helpers to save some code.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Acked-by: Steve Twiss <stwiss.opensource@diasemi.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:13 +0000 (21:40 +0800)]
regulator: core: Add set/get_current_limit helpers for regmap users
By setting curr_table, n_current_limits, csel_reg and csel_mask, the
regmap users can use regulator_set_current_limit_regmap and
regulator_get_current_limit_regmap for set/get_current_limit callbacks.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Axel Lin [Thu, 28 Feb 2019 13:40:12 +0000 (21:40 +0800)]
regulator: Fix comment for csel_reg and csel_mask
The csel_reg and csel_mask fields in struct regulator_desc needs to
be generic for drivers. Not just for TPS65218.
Signed-off-by: Axel Lin <axel.lin@ingics.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Linus Torvalds [Sun, 3 Mar 2019 23:21:29 +0000 (15:21 -0800)]
Linux 5.0
Linus Torvalds [Sun, 3 Mar 2019 00:43:15 +0000 (16:43 -0800)]
Merge tag 'armsoc-fixes' of git://git./linux/kernel/git/soc/soc
Pull ARM SoC fixes from Arnd Bergmann:
"One more set of simple ARM platform fixes:
- A boot regression on qualcomm msm8998
- Gemini display controllers got turned off by accident
- incorrect reference counting in optee"
* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
tee: optee: add missing of_node_put after of_device_is_available
arm64: dts: qcom: msm8998: Extend TZ reserved memory area
ARM: dts: gemini: Re-enable display controller
Linus Torvalds [Sat, 2 Mar 2019 19:47:29 +0000 (11:47 -0800)]
Merge branch 'x86-urgent-for-linus' of git://git./linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
"Two last minute fixes:
- Prevent value evaluation via functions happening in the user access
enabled region of __put_user() (put another way: make sure to
evaluate the value to be stored in user space _before_ enabling
user space accesses)
- Correct the definition of a Hyper-V hypercall constant"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/hyper-v: Fix definition of HV_MAX_FLUSH_REP_COUNT
x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
Linus Torvalds [Sat, 2 Mar 2019 19:39:54 +0000 (11:39 -0800)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi
Pull SCSI fixes from James Bottomley:
"Nine small fixes.
The resume fix is a cosmetic removal of a warning with an incorrect
condition causing it to alarm people wrongly.
The other eight patches correct a thinko in Christoph Hellwig's DMA
conversion series. Without it all these drivers end up with 32 bit DMA
masks meaning they bounce any page over 4GB before sending it to the
controller.
Nowadays, even laptops mostly have memory above 4GB, so this can lead
to significant performance degradation with all the bouncing"
* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
scsi: core: Avoid that system resume triggers a kernel warning
scsi: hptiop: fix calls to dma_set_mask()
scsi: hisi_sas: fix calls to dma_set_mask_and_coherent()
scsi: csiostor: fix calls to dma_set_mask_and_coherent()
scsi: bfa: fix calls to dma_set_mask_and_coherent()
scsi: aic94xx: fix calls to dma_set_mask_and_coherent()
scsi: 3w-sas: fix calls to dma_set_mask_and_coherent()
scsi: 3w-9xxx: fix calls to dma_set_mask_and_coherent()
scsi: lpfc: fix calls to dma_set_mask_and_coherent()
Linus Torvalds [Sat, 2 Mar 2019 16:46:34 +0000 (08:46 -0800)]
Merge git://git./linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Fix refcount leak in act_ipt during replace, from Davide Caratti.
2) Set task state properly in tun during blocking reads, from Timur
Celik.
3) Leaked reference in DSA, from Wen Yang.
4) NULL deref in act_tunnel_key, from Vlad Buslov.
5) cipso_v4_erro can reference the skb IPCB in inappropriate contexts
thus referencing garbage, from Nazarov Sergey.
6) Don't accept RTA_VIA and RTA_GATEWAY in contexts where those
attributes make no sense.
7) Fix hung sendto in tipc, from Tung Nguyen.
8) Out-of-bounds access in netlabel, from Paul Moore.
9) Grant reference leak in xen-netback, from Igor Druzhinin.
10) Fix tx stalls with lan743x, from Bryan Whitehead.
11) Fix interrupt storm with mv88e6xxx, from Hein Kallweit.
12) Memory leak in sit on device registry failure, from Mao Wenan.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (44 commits)
net: sit: fix memory leak in sit_init_net()
net: dsa: mv88e6xxx: Fix statistics on mv88e6161
geneve: correctly handle ipv6.disable module parameter
net: dsa: mv88e6xxx: prevent interrupt storm caused by mv88e6390x_port_set_cmode
bpf: fix sanitation rewrite in case of non-pointers
ipv4: Add ICMPv6 support when parse route ipproto
MIPS: eBPF: Fix icache flush end address
lan743x: Fix TX Stall Issue
net: phy: phylink: fix uninitialized variable in phylink_get_mac_state
net: aquantia: regression on cpus with high cores: set mode with 8 queues
selftests: fixes for UDP GRO
bpf: drop refcount if bpf_map_new_fd() fails in map_create()
net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X
net: dsa: mv88e6xxx: Fix u64 statistics
xen-netback: don't populate the hash cache on XenBus disconnect
xen-netback: fix occasional leak of grant ref mappings under memory pressure
sctp: chunk.c: correct format string for size_t in printk
net: netem: fix skb length BUG_ON in __skb_to_sgvec
netlabel: fix out-of-bounds memory accesses
ipv4: Pass original device to ip_rcv_finish_core
...
Linus Torvalds [Sat, 2 Mar 2019 16:32:02 +0000 (08:32 -0800)]
Merge branch 'linus' of git://git./linux/kernel/git/herbert/crypto-2.6
Pull more crypto fixes from Herbert Xu:
"This fixes a couple of issues in arm64/chacha that was introduced in
5.0"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: arm64/chacha - fix hchacha_block_neon() for big endian
crypto: arm64/chacha - fix chacha_4block_xor_neon() for big endian
Mao Wenan [Fri, 1 Mar 2019 15:06:40 +0000 (23:06 +0800)]
net: sit: fix memory leak in sit_init_net()
If register_netdev() is failed to register sitn->fb_tunnel_dev,
it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev).
BUG: memory leak
unreferenced object 0xffff888378daad00 (size 512):
comm "syz-executor.1", pid 4006, jiffies
4295121142 (age 16.115s)
hex dump (first 32 bytes):
00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<
00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline]
[<
00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline]
[<
00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline]
[<
00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970
[<
00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848
[<
00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129
[<
00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314
[<
0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437
[<
0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107
[<
00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165
[<
0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919
[<
00000000fff78746>] copy_process kernel/fork.c:1713 [inline]
[<
00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224
[<
000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
[<
00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
[<
0000000039acff8a>] 0xffffffffffffffff
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Fri, 1 Mar 2019 22:43:39 +0000 (23:43 +0100)]
net: dsa: mv88e6xxx: Fix statistics on mv88e6161
Despite what the datesheet says, the silicon implements the older way
of snapshoting the statistics. Change the op.
Reported-by: Chris.Healy@zii.aero
Tested-by: Chris.Healy@zii.aero
Fixes:
0ac64c394900 ("net: dsa: mv88e6xxx: mv88e6161 uses mv88e6320 stats snapshot")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Benc [Thu, 28 Feb 2019 13:56:04 +0000 (14:56 +0100)]
geneve: correctly handle ipv6.disable module parameter
When IPv6 is compiled but disabled at runtime, geneve_sock_add returns
-EAFNOSUPPORT. For metadata based tunnels, this causes failure of the whole
operation of bringing up the tunnel.
Ignore failure of IPv6 socket creation for metadata based tunnels caused by
IPv6 not being available.
This is the same fix as what commit
d074bf960044 ("vxlan: correctly handle
ipv6.disable module parameter") is doing for vxlan.
Note there's also commit
c0a47e44c098 ("geneve: should not call rt6_lookup()
when ipv6 was disabled") which fixes a similar issue but for regular
tunnels, while this patch is needed for metadata based tunnels.
Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sat, 2 Mar 2019 05:48:08 +0000 (21:48 -0800)]
Merge git://git./pub/scm/linux/kernel/git/bpf/bpf
Alexei Starovoitov says:
====================
pull-request: bpf 2019-03-01
The following pull-request contains BPF updates for your *net* tree.
The main changes are:
1) fix sanitation rewrite, from Daniel.
2) fix error path on map_new_fd, from Peng.
3) fix icache flush address, from Paul.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Heiner Kallweit [Thu, 28 Feb 2019 06:39:15 +0000 (07:39 +0100)]
net: dsa: mv88e6xxx: prevent interrupt storm caused by mv88e6390x_port_set_cmode
When debugging another issue I faced an interrupt storm in this
driver (88E6390, port 9 in SGMII mode), consisting of alternating
link-up / link-down interrupts. Analysis showed that the driver
wanted to set a cmode that was set already. But so far
mv88e6390x_port_set_cmode() doesn't check this and powers down
SERDES, what causes the link to break, and eventually results in
the described interrupt storm.
Fix this by checking whether the cmode actually changes. We want
that the very first call to mv88e6390x_port_set_cmode() always
configures the registers, therefore initialize port.cmode with
a value that is different from any supported cmode value.
We have to take care that we only init the ports cmode once
chip->info->num_ports is set.
v2:
- add small helper and init the number of actual ports only
Fixes:
364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change")
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann [Fri, 1 Mar 2019 21:05:29 +0000 (22:05 +0100)]
bpf: fix sanitation rewrite in case of non-pointers
Marek reported that he saw an issue with the below snippet in that
timing measurements where off when loaded as unpriv while results
were reasonable when loaded as privileged:
[...]
uint64_t a = bpf_ktime_get_ns();
uint64_t b = bpf_ktime_get_ns();
uint64_t delta = b - a;
if ((int64_t)delta > 0) {
[...]
Turns out there is a bug where a corner case is missing in the fix
d3bd7413e0ca ("bpf: fix sanitation of alu op with pointer / scalar
type from different paths"), namely fixup_bpf_calls() only checks
whether aux has a non-zero alu_state, but it also needs to test for
the case of BPF_ALU_NON_POINTER since in both occasions we need to
skip the masking rewrite (as there is nothing to mask).
Fixes:
d3bd7413e0ca ("bpf: fix sanitation of alu op with pointer / scalar type from different paths")
Reported-by: Marek Majkowski <marek@cloudflare.com>
Reported-by: Arthur Fabre <afabre@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/netdev/CAJPywTJqP34cK20iLM5YmUMz9KXQOdu1-+BZrGMAGgLuBWz7fg@mail.gmail.com/T/
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Hangbin Liu [Wed, 27 Feb 2019 08:15:29 +0000 (16:15 +0800)]
ipv4: Add ICMPv6 support when parse route ipproto
For ip rules, we need to use 'ipproto ipv6-icmp' to match ICMPv6 headers.
But for ip -6 route, currently we only support tcp, udp and icmp.
Add ICMPv6 support so we can match ipv6-icmp rules for route lookup.
v2: As David Ahern and Sabrina Dubroca suggested, Add an argument to
rtm_getroute_parse_ip_proto() to handle ICMP/ICMPv6 with different family.
Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes:
eacb9384a3fe ("ipv6: support sport, dport and ip_proto in RTM_GETROUTE")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Burton [Fri, 1 Mar 2019 22:58:09 +0000 (22:58 +0000)]
MIPS: eBPF: Fix icache flush end address
The MIPS eBPF JIT calls flush_icache_range() in order to ensure the
icache observes the code that we just wrote. Unfortunately it gets the
end address calculation wrong due to some bad pointer arithmetic.
The struct jit_ctx target field is of type pointer to u32, and as such
adding one to it will increment the address being pointed to by 4 bytes.
Therefore in order to find the address of the end of the code we simply
need to add the number of 4 byte instructions emitted, but we mistakenly
add the number of instructions multiplied by 4. This results in the call
to flush_icache_range() operating on a memory region 4x larger than
intended, which is always wasteful and can cause crashes if we overrun
into an unmapped page.
Fix this by correcting the pointer arithmetic to remove the bogus
multiplication, and use braces to remove the need for a set of brackets
whilst also making it obvious that the target field is a pointer.
Signed-off-by: Paul Burton <paul.burton@mips.com>
Fixes:
b6bd53f9c4e8 ("MIPS: Add missing file for eBPF JIT.")
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: netdev@vger.kernel.org
Cc: bpf@vger.kernel.org
Cc: linux-mips@vger.kernel.org
Cc: stable@vger.kernel.org # v4.13+
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Bryan Whitehead [Tue, 26 Feb 2019 19:06:26 +0000 (14:06 -0500)]
lan743x: Fix TX Stall Issue
It has been observed that tx queue stalls while downloading
from certain web sites (example www.speedtest.net)
The cause has been tracked down to a corner case where
dma descriptors where not setup properly. And there for a tx
completion interrupt was not signaled.
This fix corrects the problem by properly marking the end of
a multi descriptor transmission.
Fixes:
23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Bryan Whitehead <Bryan.Whitehead@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Heiner Kallweit [Tue, 26 Feb 2019 18:29:22 +0000 (19:29 +0100)]
net: phy: phylink: fix uninitialized variable in phylink_get_mac_state
When debugging an issue I found implausible values in state->pause.
Reason in that state->pause isn't initialized and later only single
bits are changed. Also the struct itself isn't initialized in
phylink_resolve(). So better initialize state->pause and other
not yet initialized fields.
v2:
- use right function name in subject
v3:
- initialize additional fields
Fixes:
9525ae83959b ("phylink: add phylink infrastructure")
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Bogdanov [Tue, 26 Feb 2019 15:39:13 +0000 (15:39 +0000)]
net: aquantia: regression on cpus with high cores: set mode with 8 queues
Recently the maximum number of queues was increased up to 8, but
NIC was not fully configured for 8 queues. In setups with more than 4 CPU
cores parts of TX traffic gets lost if the kernel routes it to queues 4th-8th.
This patch sets a tx hw traffic mode with 8 queues.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=202651
Fixes:
71a963cfc50b ("net: aquantia: increase max number of hw queues")
Reported-by: Nicholas Johnson <nicholas.johnson@outlook.com.au>
Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Tue, 26 Feb 2019 14:27:43 +0000 (15:27 +0100)]
selftests: fixes for UDP GRO
The current implementation for UDP GRO tests is racy: the receiver
may flush the RX queue while the sending is still transmitting and
incorrectly report RX errors, with a wrong number of packet received.
Add explicit timeouts to the receiver for both connection activation
(first packet received for UDP) and reception completion, so that
in the above critical scenario the receiver will wait for the
transfer completion.
Fixes:
3327a9c46352 ("selftests: add functionals test for UDP GRO")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 1 Mar 2019 17:13:04 +0000 (09:13 -0800)]
Merge tag 'iommu-fix-v5.0-rc8' of git://git./linux/kernel/git/joro/iommu
Pull IOMMU fix from Joerg Roedel:
"One important fix for a memory corruption issue in the Intel VT-d
driver that triggers on hardware with deep PCI hierarchies"
* tag 'iommu-fix-v5.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
iommu/dmar: Fix buffer overflow during PCI bus notification
Linus Torvalds [Fri, 1 Mar 2019 17:04:59 +0000 (09:04 -0800)]
Merge branch 'akpm' (patches from Andrew)
Merge misc fixes from Andrew Morton:
"2 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
hugetlbfs: fix races and page leaks during migration
kasan: turn off asan-stack for clang-8 and earlier
Mike Kravetz [Fri, 1 Mar 2019 00:22:02 +0000 (16:22 -0800)]
hugetlbfs: fix races and page leaks during migration
hugetlb pages should only be migrated if they are 'active'. The
routines set/clear_page_huge_active() modify the active state of hugetlb
pages.
When a new hugetlb page is allocated at fault time, set_page_huge_active
is called before the page is locked. Therefore, another thread could
race and migrate the page while it is being added to page table by the
fault code. This race is somewhat hard to trigger, but can be seen by
strategically adding udelay to simulate worst case scheduling behavior.
Depending on 'how' the code races, various BUG()s could be triggered.
To address this issue, simply delay the set_page_huge_active call until
after the page is successfully added to the page table.
Hugetlb pages can also be leaked at migration time if the pages are
associated with a file in an explicitly mounted hugetlbfs filesystem.
For example, consider a two node system with 4GB worth of huge pages
available. A program mmaps a 2G file in a hugetlbfs filesystem. It
then migrates the pages associated with the file from one node to
another. When the program exits, huge page counts are as follows:
node0
1024 free_hugepages
1024 nr_hugepages
node1
0 free_hugepages
1024 nr_hugepages
Filesystem Size Used Avail Use% Mounted on
nodev 4.0G 2.0G 2.0G 50% /var/opt/hugepool
That is as expected. 2G of huge pages are taken from the free_hugepages
counts, and 2G is the size of the file in the explicitly mounted
filesystem. If the file is then removed, the counts become:
node0
1024 free_hugepages
1024 nr_hugepages
node1
1024 free_hugepages
1024 nr_hugepages
Filesystem Size Used Avail Use% Mounted on
nodev 4.0G 2.0G 2.0G 50% /var/opt/hugepool
Note that the filesystem still shows 2G of pages used, while there
actually are no huge pages in use. The only way to 'fix' the filesystem
accounting is to unmount the filesystem
If a hugetlb page is associated with an explicitly mounted filesystem,
this information in contained in the page_private field. At migration
time, this information is not preserved. To fix, simply transfer
page_private from old to new page at migration time if necessary.
There is a related race with removing a huge page from a file and
migration. When a huge page is removed from the pagecache, the
page_mapping() field is cleared, yet page_private remains set until the
page is actually freed by free_huge_page(). A page could be migrated
while in this state. However, since page_mapping() is not set the
hugetlbfs specific routine to transfer page_private is not called and we
leak the page count in the filesystem.
To fix that, check for this condition before migrating a huge page. If
the condition is detected, return EBUSY for the page.
Link: http://lkml.kernel.org/r/74510272-7319-7372-9ea6-ec914734c179@oracle.com
Link: http://lkml.kernel.org/r/20190212221400.3512-1-mike.kravetz@oracle.com
Fixes:
bcc54222309c ("mm: hugetlb: introduce page_huge_active")
Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Naoya Horiguchi <n-horiguchi@ah.jp.nec.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: <stable@vger.kernel.org>
[mike.kravetz@oracle.com: v2]
Link: http://lkml.kernel.org/r/7534d322-d782-8ac6-1c8d-a8dc380eb3ab@oracle.com
[mike.kravetz@oracle.com: update comment and changelog]
Link: http://lkml.kernel.org/r/420bcfd6-158b-38e4-98da-26d0cd85bd01@oracle.com
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Arnd Bergmann [Fri, 1 Mar 2019 00:21:58 +0000 (16:21 -0800)]
kasan: turn off asan-stack for clang-8 and earlier
Building an arm64 allmodconfig kernel with clang results in over 140
warnings about overly large stack frames, the worst ones being:
drivers/gpu/drm/panel/panel-sitronix-st7789v.c:196:12: error: stack frame size of 20224 bytes in function 'st7789v_prepare'
drivers/video/fbdev/omap2/omapfb/displays/panel-tpo-td028ttec1.c:196:12: error: stack frame size of 13120 bytes in function 'td028ttec1_panel_enable'
drivers/usb/host/max3421-hcd.c:1395:1: error: stack frame size of 10048 bytes in function 'max3421_spi_thread'
drivers/net/wan/slic_ds26522.c:209:12: error: stack frame size of 9664 bytes in function 'slic_ds26522_probe'
drivers/crypto/ccp/ccp-ops.c:2434:5: error: stack frame size of 8832 bytes in function 'ccp_run_cmd'
drivers/media/dvb-frontends/stv0367.c:1005:12: error: stack frame size of 7840 bytes in function 'stv0367ter_algo'
None of these happen with gcc today, and almost all of these are the
result of a single known issue in llvm. Hopefully it will eventually
get fixed with the clang-9 release.
In the meantime, the best idea I have is to turn off asan-stack for
clang-8 and earlier, so we can produce a kernel that is safe to run.
I have posted three patches that address the frame overflow warnings
that are not addressed by turning off asan-stack, so in combination with
this change, we get much closer to a clean allmodconfig build, which in
turn is necessary to do meaningful build regression testing.
It is still possible to turn on the CONFIG_ASAN_STACK option on all
versions of clang, and it's always enabled for gcc, but when
CONFIG_COMPILE_TEST is set, the option remains invisible, so
allmodconfig and randconfig builds (which are normally done with a
forced CONFIG_COMPILE_TEST) will still result in a mostly clean build.
Link: http://lkml.kernel.org/r/20190222222950.3997333-1-arnd@arndb.de
Link: https://bugs.llvm.org/show_bug.cgi?id=38809
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Qian Cai <cai@lca.pw>
Reviewed-by: Mark Brown <broonie@kernel.org>
Acked-by: Andrey Ryabinin <aryabinin@virtuozzo.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Kostya Serebryany <kcc@google.com>
Cc: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 1 Mar 2019 16:44:11 +0000 (08:44 -0800)]
Merge tag 'drm-fixes-2019-03-01' of git://anongit.freedesktop.org/drm/drm
Pull drm fixes from Dave Airlie:
"Three final fixes, one for a feature that is new in this kernel, one
bochs fix for qemu riscv and one atomic modesetting fix.
I've left a few of the other late fixes until next as I didn't want to
throw in anything that wasn't really necessary"
* tag 'drm-fixes-2019-03-01' of git://anongit.freedesktop.org/drm/drm:
drm/bochs: Fix the ID mismatch error
drm: Block fb changes for async plane updates
drm/amd/display: Use vrr friendly pageflip throttling in DC.
Peng Sun [Wed, 27 Feb 2019 14:36:25 +0000 (22:36 +0800)]
bpf: drop refcount if bpf_map_new_fd() fails in map_create()
In bpf/syscall.c, map_create() first set map->usercnt to 1, a file
descriptor is supposed to return to userspace. When bpf_map_new_fd()
fails, drop the refcount.
Fixes:
bd5f5f4ecb78 ("bpf: Add BPF_MAP_GET_FD_BY_ID")
Signed-off-by: Peng Sun <sironhide0null@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Arnd Bergmann [Fri, 1 Mar 2019 14:08:16 +0000 (15:08 +0100)]
Merge tag 'qcom-fixes-for-5.0-rc8' of git://git./linux/kernel/git/agross/linux into arm/fixes
Qualcomm ARM64 Fixes for 5.0-rc8
* Fix TZ memory area size to avoid crashes during boot
* tag 'qcom-fixes-for-5.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/agross/linux:
arm64: dts: qcom: msm8998: Extend TZ reserved memory area
Arnd Bergmann [Fri, 1 Mar 2019 13:59:40 +0000 (14:59 +0100)]
Merge tag 'tee-fix-for-v5.0' of https://git.linaro.org/people/jens.wiklander/linux-tee into arm/fixes
OP-TEE driver
- add missing of_node_put after of_device_is_available
* tag 'tee-fix-for-v5.0' of https://git.linaro.org/people/jens.wiklander/linux-tee:
tee: optee: add missing of_node_put after of_device_is_available
Jiong Wu [Thu, 28 Feb 2019 16:18:33 +0000 (00:18 +0800)]
mmc:fix a bug when max_discard is 0
The original purpose of the code I fix is to replace max_discard with
max_trim if max_trim is less than max_discard. When max_discard is 0
we should replace max_discard with max_trim as well, because
max_discard equals 0 happens only when the max_do_calc_max_discard
process is overflowed, so if mmc_can_trim(card) is true, max_discard
should be replaced by an available max_trim.
However, in the original code, there are two lines of code interfere
the right process.
1) if (max_discard && mmc_can_trim(card))
when max_discard is 0, it skips the process checking if max_discard
needs to be replaced with max_trim.
2) if (max_trim < max_discard)
the condition is false when max_discard is 0. it also skips the process
that replaces max_discard with max_trim, in fact, we should replace the
0-valued max_discard with max_trim.
Signed-off-by: Jiong Wu <Lohengrin1024@gmail.com>
Fixes:
b305882fbc87 (mmc: core: optimize mmc_calc_max_discard)
Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Linus Torvalds [Thu, 28 Feb 2019 23:33:10 +0000 (15:33 -0800)]
Merge tag 'mips_fixes_5.0_4' of git://git./linux/kernel/git/mips/linux
Pull MIPS fixes from Paul Burton:
"A few more MIPS fixes:
- Fix 16b cmpxchg() operations which could erroneously fail if bits
15:8 of the old value are non-zero. In practice I'm not aware of
any actual users of 16b cmpxchg() on MIPS, but this fixes the
support for it was was introduced in v4.13.
- Provide a struct device to dma_alloc_coherent for Lantiq XWAY
systems with a "Voice MIPS Macro Core" (VMMC) device.
- Provide DMA masks for BCM63xx ethernet devices, fixing a regression
introduced in v4.19.
- Fix memblock reservation for the kernel when the system has a
non-zero PHYS_OFFSET, correcting the memblock conversion performed
in v4.20"
* tag 'mips_fixes_5.0_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
MIPS: fix memory setup for platforms with PHYS_OFFSET != 0
MIPS: BCM63XX: provide DMA masks for ethernet devices
MIPS: lantiq: pass struct device to DMA API functions
MIPS: fix truncation in __cmpxchg_small for short values
Linus Torvalds [Thu, 28 Feb 2019 23:22:59 +0000 (15:22 -0800)]
Merge tag 'for-linus-5.0-ofs1' of git://git./linux/kernel/git/hubcap/linux
Pull orangefs fixlet from Mike Marshall:
"Remove two un-needed BUG_ONs"
* tag 'for-linus-5.0-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
orangefs: remove two un-needed BUG_ONs...
Maxime Chevallier [Thu, 28 Feb 2019 21:14:33 +0000 (22:14 +0100)]
net: dsa: mv88e6xxx: power serdes on/off for 10G interfaces on 6390X
Upon setting the cmode on 6390 and 6390X, the associated serdes
interfaces must be powered off/on.
Both 6390X and 6390 share code to do so, but it currently uses the 6390
specific helper mv88e6390_serdes_power() to disable and enable the
serdes interface.
This call will fail silently on 6390X when trying so set a 10G interface
such as XAUI or RXAUI, since mv88e6390_serdes_power() internally grabs
the lane number based on modes supported by the 6390, and returns 0 when
getting -ENODEV as a lane number.
Using mv88e6390x_serdes_power() should be safe here, since we explicitly
rule-out all ports but the 9 and 10, and because modes supported by 6390
ports 9 and 10 are a subset of those supported on 6390X.
This was tested on 6390X using RXAUI mode.
Fixes:
364e9d7776a3 ("net: dsa: mv88e6xxx: Power on/off SERDES on cmode change")
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Lunn [Thu, 28 Feb 2019 17:14:03 +0000 (18:14 +0100)]
net: dsa: mv88e6xxx: Fix u64 statistics
The switch maintains u64 counters for the number of octets sent and
received. These are kept as two u32's which need to be combined. Fix
the combing, which wrongly worked on u16's.
Fixes:
80c4627b2719 ("dsa: mv88x6xxx: Refactor getting a single statistic")
Reported-by: Chris Healy <Chris.Healy@zii.aero>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Igor Druzhinin [Thu, 28 Feb 2019 14:11:26 +0000 (14:11 +0000)]
xen-netback: don't populate the hash cache on XenBus disconnect
Occasionally, during the disconnection procedure on XenBus which
includes hash cache deinitialization there might be some packets
still in-flight on other processors. Handling of these packets includes
hashing and hash cache population that finally results in hash cache
data structure corruption.
In order to avoid this we prevent hashing of those packets if there
are no queues initialized. In that case RCU protection of queues guards
the hash cache as well.
Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
Reviewed-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Igor Druzhinin [Thu, 28 Feb 2019 12:48:03 +0000 (12:48 +0000)]
xen-netback: fix occasional leak of grant ref mappings under memory pressure
Zero-copy callback flag is not yet set on frag list skb at the moment
xenvif_handle_frag_list() returns -ENOMEM. This eventually results in
leaking grant ref mappings since xenvif_zerocopy_callback() is never
called for these fragments. Those eventually build up and cause Xen
to kill Dom0 as the slots get reused for new mappings:
"d0v0 Attempt to implicitly unmap a granted PTE
c010000329fce005"
That behavior is observed under certain workloads where sudden spikes
of page cache writes coexist with active atomic skb allocations from
network traffic. Additionally, rework the logic to deal with frag_list
deallocation in a single place.
Signed-off-by: Paul Durrant <paul.durrant@citrix.com>
Signed-off-by: Igor Druzhinin <igor.druzhinin@citrix.com>
Acked-by: Wei Liu <wei.liu2@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matthias Maennich [Thu, 28 Feb 2019 11:36:52 +0000 (11:36 +0000)]
sctp: chunk.c: correct format string for size_t in printk
According to Documentation/core-api/printk-formats.rst, size_t should be
printed with %zu, rather than %Zu.
In addition, using %Zu triggers a warning on clang (-Wformat-extra-args):
net/sctp/chunk.c:196:25: warning: data argument not used by format string [-Wformat-extra-args]
__func__, asoc, max_data);
~~~~~~~~~~~~~~~~^~~~~~~~~
./include/linux/printk.h:440:49: note: expanded from macro 'pr_warn_ratelimited'
printk_ratelimited(KERN_WARNING pr_fmt(fmt), ##__VA_ARGS__)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~
./include/linux/printk.h:424:17: note: expanded from macro 'printk_ratelimited'
printk(fmt, ##__VA_ARGS__); \
~~~ ^
Fixes:
5b5e0928f742 ("lib/vsprintf.c: remove %Z support")
Link: https://github.com/ClangBuiltLinux/linux/issues/378
Signed-off-by: Matthias Maennich <maennich@google.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sheng Lan [Thu, 28 Feb 2019 10:47:58 +0000 (18:47 +0800)]
net: netem: fix skb length BUG_ON in __skb_to_sgvec
It can be reproduced by following steps:
1. virtio_net NIC is configured with gso/tso on
2. configure nginx as http server with an index file bigger than 1M bytes
3. use tc netem to produce duplicate packets and delay:
tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
4. continually curl the nginx http server to get index file on client
5. BUG_ON is seen quickly
[
10258690.371129] kernel BUG at net/core/skbuff.c:4028!
[
10258690.371748] invalid opcode: 0000 [#1] SMP PTI
[
10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G W 5.0.0-rc6 #2
[
10258690.372094] RSP: 0018:
ffffa05797b43da0 EFLAGS:
00010202
[
10258690.372094] RBP:
00000000000005ea R08:
0000000000000000 R09:
00000000000005ea
[
10258690.372094] R10:
ffffa0579334d800 R11:
00000000000002c0 R12:
0000000000000002
[
10258690.372094] R13:
0000000000000000 R14:
ffffa05793122900 R15:
ffffa0578f7cb028
[
10258690.372094] FS:
0000000000000000(0000) GS:
ffffa05797b40000(0000) knlGS:
0000000000000000
[
10258690.372094] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[
10258690.372094] CR2:
00007f1a6dc00868 CR3:
000000001000e000 CR4:
00000000000006e0
[
10258690.372094] Call Trace:
[
10258690.372094] <IRQ>
[
10258690.372094] skb_to_sgvec+0x11/0x40
[
10258690.372094] start_xmit+0x38c/0x520 [virtio_net]
[
10258690.372094] dev_hard_start_xmit+0x9b/0x200
[
10258690.372094] sch_direct_xmit+0xff/0x260
[
10258690.372094] __qdisc_run+0x15e/0x4e0
[
10258690.372094] net_tx_action+0x137/0x210
[
10258690.372094] __do_softirq+0xd6/0x2a9
[
10258690.372094] irq_exit+0xde/0xf0
[
10258690.372094] smp_apic_timer_interrupt+0x74/0x140
[
10258690.372094] apic_timer_interrupt+0xf/0x20
[
10258690.372094] </IRQ>
In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
linear data size and nonlinear data size, thus BUG_ON triggered.
Because the skb is cloned and a part of nonlinear data is split off.
Duplicate packet is cloned in netem_enqueue() and may be delayed
some time in qdisc. When qdisc len reached the limit and returns
NET_XMIT_DROP, the skb will be retransmit later in write queue.
the skb will be fragmented by tso_fragment(), the limit size
that depends on cwnd and mss decrease, the skb's nonlinear
data will be split off. The length of the skb cloned by netem
will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
the BUG_ON trigger.
To fix it, netem returns NET_XMIT_SUCCESS to upper stack
when it clones a duplicate packet.
Fixes:
35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
Signed-off-by: Sheng Lan <lansheng@huawei.com>
Reported-by: Qin Ji <jiqin.ji@huawei.com>
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jagan Teki [Tue, 12 Feb 2019 11:38:08 +0000 (17:08 +0530)]
dt-bindings: hwmon: Add missing documentation for lm75
Add missing dt-binding documentation for lm75 hwmon sensor.
Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Linus Torvalds [Thu, 28 Feb 2019 17:18:07 +0000 (09:18 -0800)]
Merge tag 'mmc-v5.0-rc8' of git://git./linux/kernel/git/ulfh/mmc
Pull MMC fixes from Ulf Hansson:
"MMC core:
- Fix NULL ptr crash for a special test case
- Align max segment size with logical block size to prevent bugs in
v5.1-rc1.
MMC host:
- cqhci: Minor fixes
- tmio: Prevent interrupt storm
- tmio: Fixup SD/MMC card initialization
- spi: Allow card to be detected during probe
- sdhci-esdhc-imx: Fixup fix for ERR004536"
* tag 'mmc-v5.0-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
mmc: sdhci-esdhc-imx: correct the fix of ERR004536
mmc: core: align max segment size with logical block size
mmc: cqhci: Fix a tiny potential memory leak on error condition
mmc: cqhci: fix space allocated for transfer descriptor
mmc: core: Fix NULL ptr crash from mmc_should_fail_request
mmc: tmio: fix access width of Block Count Register
mmc: tmio_mmc_core: don't claim spurious interrupts
mmc: spi: Fix card detection during probe
Linus Torvalds [Thu, 28 Feb 2019 17:05:18 +0000 (09:05 -0800)]
Merge branch 'linus' of git://git./linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
"This fixes a compiler warning introduced by a previous fix, as well as
two crash bugs on ARM"
* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: sha512/arm - fix crash bug in Thumb2 build
crypto: sha256/arm - fix crash bug in Thumb2 build
crypto: ccree - add missing inline qualifier
Greg Kroah-Hartman [Thu, 28 Feb 2019 15:34:37 +0000 (16:34 +0100)]
kvm: properly check debugfs dentry before using it
debugfs can now report an error code if something went wrong instead of
just NULL. So if the return value is to be used as a "real" dentry, it
needs to be checked if it is an error before dereferencing it.
This is now happening because of
ff9fb72bc077 ("debugfs: return error
values, not NULL"). syzbot has found a way to trigger multiple debugfs
files attempting to be created, which fails, and then the error code
gets passed to dentry_path_raw() which obviously does not like it.
Reported-by: Eric Biggers <ebiggers@kernel.org>
Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
Cc: "Radim Krčmář" <rkrcmar@redhat.com>
Cc: kvm@vger.kernel.org
Acked-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Fabrice Gasnier [Thu, 28 Feb 2019 10:45:18 +0000 (11:45 +0100)]
regulator: stm32-vrefbuf: add power management support
Add support for suspend/resume and runtime PM to stm32-vrefbuf driver.
Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Ulf Hansson [Thu, 28 Feb 2019 11:19:51 +0000 (12:19 +0100)]
Merge branch 'fixes' into next
BOUGH CHEN [Thu, 28 Feb 2019 10:15:42 +0000 (10:15 +0000)]
mmc: sdhci-esdhc-imx: correct the fix of ERR004536
Commit
18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length
Mismatch errata fix") involve the fix of ERR004536, but the
fix is incorrect. Double confirm with IC, need to clear the
bit 7 of register 0x6c rather than set this bit 7.
Here is the definition of bit 7 of 0x6c:
0: enable the new IC fix for ERR004536
1: do not use the IC fix, keep the same as before
Find this issue on i.MX845s-evk board when enable CMDQ, and
let system in heavy loading.
root@imx8mmevk:~# dd if=/dev/mmcblk2 of=/dev/null bs=1M &
root@imx8mmevk:~# memtester 1000M > /dev/zero &
root@imx8mmevk:~# [ 139.897220] mmc2: cqhci: timeout for tag 16
[ 139.901417] mmc2: cqhci: ============ CQHCI REGISTER DUMP ===========
[ 139.907862] mmc2: cqhci: Caps: 0x0000310a | Version: 0x00000510
[ 139.914311] mmc2: cqhci: Config: 0x00001001 | Control: 0x00000000
[ 139.920753] mmc2: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006
[ 139.927193] mmc2: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000
[ 139.933634] mmc2: cqhci: TDL base: 0x7809c000 | TDL up32: 0x00000000
[ 139.940073] mmc2: cqhci: Doorbell: 0x00030000 | TCN: 0x00000000
[ 139.946518] mmc2: cqhci: Dev queue: 0x00010000 | Dev Pend: 0x00010000
[ 139.952967] mmc2: cqhci: Task clr: 0x00000000 | SSC1: 0x00011000
[ 139.959411] mmc2: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000000
[ 139.965857] mmc2: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000
[ 139.972308] mmc2: cqhci: Resp idx: 0x0000002e | Resp arg: 0x00000900
[ 139.978761] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
[ 139.985214] mmc2: sdhci: Sys addr: 0xb2c19000 | Version: 0x00000002
[ 139.991669] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000400
[ 139.998127] mmc2: sdhci: Argument: 0x40110400 | Trn mode: 0x00000033
[ 140.004618] mmc2: sdhci: Present: 0x01088a8f | Host ctl: 0x00000030
[ 140.011113] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
[ 140.017583] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000000f
[ 140.024039] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000
[ 140.030497] mmc2: sdhci: Int enab: 0x107f4000 | Sig enab: 0x107f4000
[ 140.036972] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502
[ 140.043426] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x8000b407
[ 140.049867] mmc2: sdhci: Cmd: 0x00002c1a | Max curr: 0x00ffffff
[ 140.056314] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0xffffffff
[ 140.062755] mmc2: sdhci: Resp[2]: 0x328f5903 | Resp[3]: 0x00d00f00
[ 140.069195] mmc2: sdhci: Host ctl2: 0x00000008
[ 140.073640] mmc2: sdhci: ADMA Err: 0x00000007 | ADMA Ptr: 0x7809c108
[ 140.080079] mmc2: sdhci: ============================================
[ 140.086662] mmc2: running CQE recovery
Fixes:
18094430d6b5 ("mmc: sdhci-esdhc-imx: add ADMA Length Mismatch errata fix")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Cc: stable@vger.kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Lan Tianyu [Mon, 25 Feb 2019 14:31:14 +0000 (22:31 +0800)]
x86/hyper-v: Fix definition of HV_MAX_FLUSH_REP_COUNT
The max flush rep count of HvFlushGuestPhysicalAddressList hypercall is
equal with how many entries of union hv_gpa_page_range can be populated
into the input parameter page.
The code lacks parenthesis around PAGE_SIZE - 2 * sizeof(u64) which results
in bogus computations. Add them.
Fixes:
cc4edae4b924 ("x86/hyper-v: Add HvFlushGuestAddressList hypercall support")
Signed-off-by: Lan Tianyu <Tianyu.Lan@microsoft.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: kys@microsoft.com
Cc: haiyangz@microsoft.com
Cc: sthemmin@microsoft.com
Cc: sashal@kernel.org
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: gregkh@linuxfoundation.org
Cc: devel@linuxdriverproject.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20190225143114.5149-1-Tianyu.Lan@microsoft.com
Julia Lawall [Sat, 23 Feb 2019 13:20:36 +0000 (14:20 +0100)]
tee: optee: add missing of_node_put after of_device_is_available
Add an of_node_put when a tested device node is not available.
The semantic patch that fixes this problem is as follows
(http://coccinelle.lip6.fr):
// <smpl>
@@
identifier f;
local idexpression e;
expression x;
@@
e = f(...);
... when != of_node_put(e)
when != x = e
when != e = x
when any
if (<+...of_device_is_available(e)...+>) {
... when != of_node_put(e)
(
return e;
|
+ of_node_put(e);
return ...;
)
}
// </smpl>
Fixes:
db878f76b9ff ("tee: optee: take DT status property into account")
Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Gustavo A. R. Silva [Mon, 11 Feb 2019 22:14:13 +0000 (16:14 -0600)]
i3c: master: dw-i3c-master: mark expected switch fall-through
In preparation to enabling -Wimplicit-fallthrough, mark switch
cases where we are expecting to fall through.
This patch fixes the following warning:
drivers/i3c/master/dw-i3c-master.c: In function ‘dw_i3c_master_bus_init’:
drivers/i3c/master/dw-i3c-master.c:603:6: warning: this statement may fall through [-Wimplicit-fallthrough=]
if (ret)
^
drivers/i3c/master/dw-i3c-master.c:605:2: note: here
case I3C_BUS_MODE_PURE:
^~~~
Warning level 3 was used: -Wimplicit-fallthrough=3
This patch is part of the ongoing efforts to enable
-Wimplicit-fallthrough.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Vitor Soares <vitor.soares@synopsys.com>
Signed-off-by: Boris Brezillon <boris.brezillon@collabora.com>
Boris Brezillon [Wed, 30 Jan 2019 08:21:22 +0000 (09:21 +0100)]
MAINTAINERS: Add an IRC channel for the I3C subsystem
The #linux-i3c chan has been created on freenode to discuss I3C related
topics.
Signed-off-by: Boris Brezillon <bbrezillon@kernel.org>
hongjiefang [Thu, 28 Feb 2019 06:08:28 +0000 (14:08 +0800)]
mmc: core: Add a debug print when the card may have been replaced
If the card was removed in suspended state and a new one was inserted,
print a debug log when the check detects that it's not the old card.
Signed-off-by: hongjiefang <hongjiefang@asrmicro.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Ulf Hansson [Thu, 28 Feb 2019 08:16:18 +0000 (09:16 +0100)]
Merge branch 'fixes' into next
Avri Altman [Tue, 26 Feb 2019 15:10:25 +0000 (17:10 +0200)]
mmc: core: Add sd discard timeout
The busy timeout is 250msec per discard command.
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Avri Altman [Tue, 26 Feb 2019 15:10:24 +0000 (17:10 +0200)]
mmc: core: Add discard support to sd
SD spec v5.1 adds discard support. The flows and commands are similar to
mmc, so just set the discard arg in CMD38.
A host which supports DISCARD shall check if the DISCARD_SUPPORT (b313)
is set in the SD_STATUS register. If the card does not support discard,
the host shall not issue DISCARD command, but ERASE command instead.
Post the DISCARD operation, the card may de-allocate the discarded
blocks partially or completely. So the host mustn't make any assumptions
concerning the content of the discarded region. This is unlike ERASE
command, in which the region is guaranteed to contain either '0's or
'1's, depends on the content of DATA_STAT_AFTER_ERASE (b55) in the scr
register.
One more important difference compared to ERASE is the busy timeout
which we will address on the next patch.
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
BOUGH CHEN [Wed, 27 Feb 2019 08:24:48 +0000 (08:24 +0000)]
mmc: sdhci-esdhc-imx: clear the HALT bit when enable CQE
After system suspend, CQE is in cqhci_off state, which set the HALT bit, make
CQE in HALT state. If the SoC do not power down the USDHC module, then when
system resume back, this bit keep the same, still set. Though there is a
sdhci reset during sdhci_resume_host(), but this reset do not impact the
CQE part, so need to clear this bit when enable CQE, otherwise CQE will
stuck in the first CMDQ request after system resume back.
Find this issue on NXP i.MX845s-mek board
[ 105.919862] mmc2: cqhci: timeout for tag 6
[ 105.923965] mmc2: cqhci: ============ CQHCI REGISTER DUMP ===========
[ 105.930407] mmc2: cqhci: Caps: 0x0000310a | Version: 0x00000510
[ 105.936847] mmc2: cqhci: Config: 0x00001001 | Control: 0x00000001
[ 105.943286] mmc2: cqhci: Int stat: 0x00000000 | Int enab: 0x00000006
[ 105.949725] mmc2: cqhci: Int sig: 0x00000006 | Int Coal: 0x00000000
[ 105.956164] mmc2: cqhci: TDL base: 0x7809b000 | TDL up32: 0x00000000
[ 105.962604] mmc2: cqhci: Doorbell: 0x00000040 | TCN: 0x00000000
[ 105.969043] mmc2: cqhci: Dev queue: 0x00000000 | Dev Pend: 0x00000000
[ 105.975483] mmc2: cqhci: Task clr: 0x00000000 | SSC1: 0x00011000
[ 105.981922] mmc2: cqhci: SSC2: 0x00000001 | DCMD rsp: 0x00000000
[ 105.988362] mmc2: cqhci: RED mask: 0xfdf9a080 | TERRI: 0x00000000
[ 105.994801] mmc2: cqhci: Resp idx: 0x00000000 | Resp arg: 0x00000000
[ 106.001240] mmc2: sdhci: ============ SDHCI REGISTER DUMP ===========
[ 106.007680] mmc2: sdhci: Sys addr: 0xb2b37800 | Version: 0x00000002
[ 106.014120] mmc2: sdhci: Blk size: 0x00000200 | Blk cnt: 0x00000001
[ 106.020560] mmc2: sdhci: Argument: 0x00010000 | Trn mode: 0x00000013
[ 106.026999] mmc2: sdhci: Present: 0x01f88008 | Host ctl: 0x00000030
[ 106.033439] mmc2: sdhci: Power: 0x00000002 | Blk gap: 0x00000080
[ 106.039878] mmc2: sdhci: Wake-up: 0x00000008 | Clock: 0x0000000f
[ 106.046318] mmc2: sdhci: Timeout: 0x0000008f | Int stat: 0x00000000
[ 106.052757] mmc2: sdhci: Int enab: 0x107f4000 | Sig enab: 0x107f4000
[ 106.059196] mmc2: sdhci: AC12 err: 0x00000000 | Slot int: 0x00000502
[ 106.065635] mmc2: sdhci: Caps: 0x07eb0000 | Caps_1: 0x8000b407
[ 106.072075] mmc2: sdhci: Cmd: 0x00000d1a | Max curr: 0x00ffffff
[ 106.078514] mmc2: sdhci: Resp[0]: 0x00000900 | Resp[1]: 0x31360181
[ 106.084954] mmc2: sdhci: Resp[2]: 0x44473430 | Resp[3]: 0x00450100
[ 106.091392] mmc2: sdhci: Host ctl2: 0x00000008
[ 106.095836] mmc2: sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7804b208
[ 106.102274] mmc2: sdhci: ============================================
[ 106.108785] mmc2: running CQE recovery
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Chaotian Jing [Fri, 15 Feb 2019 05:59:34 +0000 (13:59 +0800)]
mmc: core: do not retry CMD6 in __mmc_switch()
the response type of CMD6 is R1B, when the first CMD6 gets response
CRC error, do retry may get timeout error due to card may still in
busy state, which cause this retry make no sense.
Signed-off-by: Chaotian Jing <chaotian.jing@mediatek.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Eric Biggers [Sat, 23 Feb 2019 06:54:08 +0000 (22:54 -0800)]
crypto: arm64/chacha - fix hchacha_block_neon() for big endian
On big endian arm64 kernels, the xchacha20-neon and xchacha12-neon
self-tests fail because hchacha_block_neon() outputs little endian words
but the C code expects native endianness. Fix it to output the words in
native endianness (which also makes it match the arm32 version).
Fixes:
cc7cf991e9eb ("crypto: arm64/chacha20 - add XChaCha20 support")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Eric Biggers [Sat, 23 Feb 2019 06:54:07 +0000 (22:54 -0800)]
crypto: arm64/chacha - fix chacha_4block_xor_neon() for big endian
The change to encrypt a fifth ChaCha block using scalar instructions
caused the chacha20-neon, xchacha20-neon, and xchacha12-neon self-tests
to start failing on big endian arm64 kernels. The bug is that the
keystream block produced in 32-bit scalar registers is directly XOR'd
with the data words, which are loaded and stored in native endianness.
Thus in big endian mode the data bytes end up XOR'd with the wrong
bytes. Fix it by byte-swapping the keystream words in big endian mode.
Fixes:
2fe55987b262 ("crypto: arm64/chacha - use combined SIMD/ALU routine for more speed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Paul Moore [Tue, 26 Feb 2019 00:06:06 +0000 (19:06 -0500)]
netlabel: fix out-of-bounds memory accesses
There are two array out-of-bounds memory accesses, one in
cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk(). Both
errors are embarassingly simple, and the fixes are straightforward.
As a FYI for anyone backporting this patch to kernels prior to v4.8,
you'll want to apply the netlbl_bitmap_walk() patch to
cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
Linux v4.8.
Reported-by: Jann Horn <jannh@google.com>
Fixes:
446fda4f2682 ("[NetLabel]: CIPSOv4 engine")
Fixes:
3faa8f982f95 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Ahern [Mon, 25 Feb 2019 21:55:48 +0000 (13:55 -0800)]
ipv4: Pass original device to ip_rcv_finish_core
ip_route_input_rcu expects the original ingress device (e.g., for
proper multicast handling). The skb->dev can be changed by l3mdev_ip_rcv,
so dev needs to be saved prior to calling it. This was the behavior prior
to the listify changes.
Fixes:
5fa12739a53d0 ("net: ipv4: listify ip_rcv_finish")
Cc: Edward Cree <ecree@solarflare.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 28 Feb 2019 05:28:59 +0000 (21:28 -0800)]
Merge branch 'pmtu-selftest-fixes'
Paolo Abeni says:
====================
selftests: pmtu: fix and increase coverage
This series includes a fixup for the pmtu.sh test script, related to IPv6
address management, and adds coverage for the recently reported and fixed
PMTU exception issue
v2 -> v3:
- more cleanups
v1 -> v2:
- several script cleanups
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Mon, 25 Feb 2019 15:08:37 +0000 (16:08 +0100)]
selftests: pmtu: add explicit tests for PMTU exceptions cleanup
Add a couple of new tests, explicitly checking that the kernel
timely releases PMTU exceptions on related device removal.
This is mostly a regression test vs the issue fixed by
commit
f5b51fe804ec ("ipv6: route: purge exception on removal")
Only 2 new test cases have been added, instead of extending all
the existing ones, because the reproducer requires executing
several commands and would slow down too much the tests otherwise.
v2 -> v3:
- more cleanup, still from Stefano
v1 -> v2:
- several script cleanups, as suggested by Stefano
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paolo Abeni [Mon, 25 Feb 2019 15:08:36 +0000 (16:08 +0100)]
selftests: pmtu: disable DAD in all namespaces
Otherwise, the configured IPv6 address could be still "tentative"
at test time, possibly causing tests failures.
We can also drop some sleep along the code and decrease the
timeout for most commands so that the test runtime decreases.
v1 -> v2:
- fix comment (Stefano)
Fixes:
d1f1b9cbf34c ("selftests: net: Introduce first PMTU test")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Max Uvarov [Mon, 25 Feb 2019 09:15:10 +0000 (12:15 +0300)]
net: phy: dp83867: add soft reset delay
Similar to dp83640 delay after soft reset
is needed to set up registers correctly.
Signed-off-by: Max Uvarov <muvarov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alistair Francis [Thu, 21 Feb 2019 00:33:03 +0000 (00:33 +0000)]
drm/bochs: Fix the ID mismatch error
When running RISC-V QEMU with the Bochs device attached via PCIe the
probe of the Bochs device fails with:
[drm:bochs_hw_init] *ERROR* ID mismatch
This was introduced by this commit:
7780eb9ce8 bochs: convert to drm_dev_register
To fix the error we ensure that pci_enable_device() is called before
bochs_load().
Fixes:
7780eb9ce80f ("bochs: convert to drm_dev_register")
Signed-off-by: Alistair Francis <alistair.francis@wdc.com>
Reported-by: David Abdurachmanov <david.abdurachmanov@gmail.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20190221003231.31625-1-alistair.francis@wdc.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Nicholas Kazlauskas [Mon, 7 Jan 2019 17:41:46 +0000 (12:41 -0500)]
drm: Block fb changes for async plane updates
The prepare_fb call always happens on new_plane_state.
The drm_atomic_helper_cleanup_planes checks to see if
plane state pointer has changed when deciding to call cleanup_fb on
either the new_plane_state or the old_plane_state.
For a non-async atomic commit the state pointer is swapped, so this
helper calls prepare_fb on the new_plane_state and cleanup_fb on the
old_plane_state. This makes sense, since we want to prepare the
framebuffer we are going to use and cleanup the the framebuffer we are
no longer using.
For the async atomic update helpers this differs. The async atomic
update helpers perform in-place updates on the existing state. They call
drm_atomic_helper_cleanup_planes but the state pointer is not swapped.
This means that prepare_fb is called on the new_plane_state and
cleanup_fb is called on the new_plane_state (not the old).
In the case where old_plane_state->fb == new_plane_state->fb then
there should be no behavioral difference between an async update
and a non-async commit. But there are issues that arise when
old_plane_state->fb != new_plane_state->fb.
The first is that the new_plane_state->fb is immediately cleaned up
after it has been prepared, so we're using a fb that we shouldn't
be.
The second occurs during a sequence of async atomic updates and
non-async regular atomic commits. Suppose there are two framebuffers
being interleaved in a double-buffering scenario, fb1 and fb2:
- Async update, oldfb = NULL, newfb = fb1, prepare fb1, cleanup fb1
- Async update, oldfb = fb1, newfb = fb2, prepare fb2, cleanup fb2
- Non-async commit, oldfb = fb2, newfb = fb1, prepare fb1, cleanup fb2
We call cleanup_fb on fb2 twice in this example scenario, and any
further use will result in use-after-free.
The simple fix to this problem is to block framebuffer changes
in the drm_atomic_helper_async_check function for now.
v2: Move check by itself, add a FIXME (Daniel)
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
Cc: <stable@vger.kernel.org> # v4.14+
Fixes:
fef9df8b5945 ("drm/atomic: initial support for asynchronous plane update")
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Acked-by: Andrey Grodzovsky <andrey.grodzovsky@amd.com>
Acked-by: Harry Wentland <harry.wentland@amd.com>
Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Harry Wentland <harry.wentland@amd.com>
Link: https://patchwork.freedesktop.org/patch/275364/
Signed-off-by: Dave Airlie <airlied@redhat.com>
Thomas Bogendoerfer [Wed, 27 Feb 2019 09:42:56 +0000 (10:42 +0100)]
MIPS: fix memory setup for platforms with PHYS_OFFSET != 0
For platforms, which use a PHYS_OFFSET != 0, symbol _end also
contains that offset. So when calling memblock_reserve() for
reserving kernel the size argument needs to be adjusted.
Fixes:
bcec54bf3118 ("mips: switch to NO_BOOTMEM")
Acked-by: Mike Rapoport <rppt@linux.ibm.com>
Signed-off-by: Thomas Bogendoerfer <tbogendoerfer@suse.de>
Signed-off-by: Paul Burton <paul.burton@mips.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Cc: James Hogan <jhogan@kernel.org>
Cc: linux-mips@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: Mike Rapoport <rppt@linux.vnet.ibm.com>
Cc: stable@vger.kernel.org # v4.20+
Dave Airlie [Thu, 28 Feb 2019 02:39:59 +0000 (12:39 +1000)]
Merge branch 'drm-fixes-5.0' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Fix for variable refresh rate stuttering
Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20190227192115.14597-1-alexander.deucher@amd.com
Jann Horn [Wed, 27 Feb 2019 20:29:52 +0000 (21:29 +0100)]
mm: enforce min addr even if capable() in expand_downwards()
security_mmap_addr() does a capability check with current_cred(), but
we can reach this code from contexts like a VFS write handler where
current_cred() must not be used.
This can be abused on systems without SMAP to make NULL pointer
dereferences exploitable again.
Fixes:
8869477a49c3 ("security: protect from stack expansion into low vm addresses")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
YueHaibing [Fri, 22 Feb 2019 07:37:58 +0000 (15:37 +0800)]
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
KASAN report this:
BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
Read of size 3 at addr
0000000000000000 by task syz-executor.0/5401
CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xfa/0x1ce lib/dump_stack.c:113
kasan_report+0x171/0x18d mm/kasan/report.c:321
memcpy+0x1f/0x50 mm/kasan/common.c:130
nfc_llcp_build_gb+0x37f/0x540 [nfc]
nfc_llcp_register_device+0x6eb/0xb50 [nfc]
nfc_register_device+0x50/0x1d0 [nfc]
nfcsim_device_new+0x394/0x67d [nfcsim]
? 0xffffffffc1080000
nfcsim_init+0x6b/0x1000 [nfcsim]
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:
00007f9cb79dcc58 EFLAGS:
00000246 ORIG_RAX:
0000000000000139
RAX:
ffffffffffffffda RBX:
000000000073bf00 RCX:
0000000000462e99
RDX:
0000000000000000 RSI:
0000000020000280 RDI:
0000000000000003
RBP:
00007f9cb79dcc70 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000000 R11:
0000000000000246 R12:
00007f9cb79dd6bc
R13:
00000000004bcefb R14:
00000000006f7030 R15:
0000000000000004
nfc_llcp_build_tlv will return NULL on fails, caller should check it,
otherwise will trigger a NULL dereference.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes:
eda21f16a5ed ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
Fixes:
d646960f7986 ("NFC: Initial LLCP support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mario Kleiner [Wed, 30 Jan 2019 05:04:46 +0000 (06:04 +0100)]
drm/amd/display: Use vrr friendly pageflip throttling in DC.
In VRR mode, keep track of the vblank count of the last
completed pageflip in amdgpu_crtc->last_flip_vblank, as
recorded in the pageflip completion handler after each
completed flip.
Use that count to prevent mmio programming a new pageflip
within the same vblank in which the last pageflip completed,
iow. to throttle pageflips to at most one flip per video
frame, while at the same time allowing to request a flip
not only before start of vblank, but also anywhere within
vblank.
The old logic did the same, and made sense for regular fixed
refresh rate flipping, but in vrr mode it prevents requesting
a flip anywhere inside the possibly huge vblank, thereby
reducing framerate in vrr mode instead of improving it, by
delaying a slightly delayed flip requests up to a maximum
vblank duration + 1 scanout duration. This would limit VRR
usefulness to only help applications with a very high GPU
demand, which can submit the flip request before start of
vblank, but then have to wait long for fences to complete.
With this method a flip can be both requested and - after
fences have completed - executed, ie. it doesn't matter if
the request (amdgpu_dm_do_flip()) gets delayed until deep
into the extended vblank due to cpu execution delays. This
also allows clients which want to regulate framerate within
the vrr range a much more fine-grained control of flip timing,
a feature that might be useful for video playback, and is
very useful for neuroscience/vision research applications.
In regular non-VRR mode, retain the old flip submission
behavior. This to keep flip scheduling for fullscreen X11/GLX
OpenGL clients intact, if they use the GLX_OML_sync_control
extensions glXSwapBufferMscOML(, ..., target_msc,...) function
with a specific target_msc target vblank count.
glXSwapBuffersMscOML() or DRI3/Present PresentPixmap() will
not flip at the proper target_msc for a non-zero target_msc
if VRR mode is active with this patch. They'd often flip one
frame too early. However, this limitation should not matter
much in VRR mode, as scheduling based on vblank counts is
pretty futile/unusable under variable refresh duration
anyway, so no real extra harm is done.
Signed-off-by: Mario Kleiner <mario.kleiner.de@gmail.com>
Cc: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Michel Dänzer <michel@daenzer.net>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Rajasingh Thavamani [Wed, 27 Feb 2019 12:13:19 +0000 (17:43 +0530)]
net: phy: Micrel KSZ8061: link failure after cable connect
With Micrel KSZ8061 PHY, the link may occasionally not come up after
Ethernet cable connect. The vendor's (Microchip, former Micrel) errata
sheet
80000688A.pdf descripes the problem and possible workarounds in
detail, see below.
The batch implements workaround 1, which permanently fixes the issue.
DESCRIPTION
Link-up may not occur properly when the Ethernet cable is initially
connected. This issue occurs more commonly when the cable is connected
slowly, but it may occur any time a cable is connected. This issue occurs
in the auto-negotiation circuit, and will not occur if auto-negotiation
is disabled (which requires that the two link partners be set to the
same speed and duplex).
END USER IMPLICATIONS
When this issue occurs, link is not established. Subsequent cable
plug/unplaug cycle will not correct the issue.
WORk AROUND
There are four approaches to work around this issue:
1. This issue can be prevented by setting bit 15 in MMD device address 1,
register 2, prior to connecting the cable or prior to setting the
Restart Auto-negotiation bit in register 0h. The MMD registers are
accessed via the indirect access registers Dh and Eh, or via the Micrel
EthUtil utility as shown here:
. if using the EthUtil utility (usually with a Micrel KSZ8061
Evaluation Board), type the following commands:
> address 1
> mmd 1
> iw 2 b61a
. Alternatively, write the following registers to write to the
indirect MMD register:
Write register Dh, data 0001h
Write register Eh, data 0002h
Write register Dh, data 4001h
Write register Eh, data B61Ah
2. The issue can be avoided by disabling auto-negotiation in the KSZ8061,
either by the strapping option, or by clearing bit 12 in register 0h.
Care must be taken to ensure that the KSZ8061 and the link partner
will link with the same speed and duplex. Note that the KSZ8061
defaults to full-duplex when auto-negotiation is off, but other
devices may default to half-duplex in the event of failed
auto-negotiation.
3. The issue can be avoided by connecting the cable prior to powering-up
or resetting the KSZ8061, and leaving it plugged in thereafter.
4. If the above measures are not taken and the problem occurs, link can
be recovered by setting the Restart Auto-Negotiation bit in
register 0h, or by resetting or power cycling the device. Reset may
be either hardware reset or software reset (register 0h, bit 15).
PLAN
This errata will not be corrected in the future revision.
Fixes:
7ab59dc15e2f ("drivers/net/phy/micrel_phy: Add support for new PHYs")
Signed-off-by: Alexander Onnasch <alexander.onnasch@landisgyr.com>
Signed-off-by: Rajasingh Thavamani <T.Rajasingh@landisgyr.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>