platform/kernel/linux-rpi3.git
7 years agodrm/nouveau/disp: add missing newline in ior debug messages
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/disp: add missing newline in ior debug messages

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/secboot: add missing newline in debug message
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/secboot: add missing newline in debug message

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/device: remove object include to prevent unnecessary rebuilds
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/device: remove object include to prevent unnecessary rebuilds

nvkm_device hasn't subclassed nvkm_object in a long time.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/subdev: compile out messages for unwanted debug levels
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/subdev: compile out messages for unwanted debug levels

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/gpuobj: remove embedded struct nvkm_object
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/gpuobj: remove embedded struct nvkm_object

nvkm_gpuobj hasn't subclassed nvkm_object in a long time.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/object: plumb the unmap ioctl through
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/object: plumb the unmap ioctl through

MMU will be using this for BAR mappings.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/object: allow arguments to be passed to map function
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/object: allow arguments to be passed to map function

MMU will be needing this to specify kind info on BAR mappings.

We have no userspace currently using these interfaces, so break the ABI
instead of supporting both.  NVIF version bump so any future use can be
guarded.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/core/object: separate oclass data out into its own header
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/core/object: separate oclass data out into its own header

Want to be able to include this from core/device.h without pulling in
core/object.h.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau: fix handling of GART OOM on pre-NV50 chipsets
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau: fix handling of GART OOM on pre-NV50 chipsets

The correct thing to do on OOM is to return 0 and set mm_node to NULL,
otherwise TTM will assume some other kind of error, and not attempt to
evict other buffers to make space.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/kms/nv50: prevent oops in failure paths
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/kms/nv50: prevent oops in failure paths

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/kms: add 8.1Gbps DP link rate
Ilia Mirkin [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/kms: add 8.1Gbps DP link rate

This was already done in dcb.c inside nvkm, but the other parser did not
get the update.

Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/bios/init: use ARRAY_SIZE
Jérémy Lefaure [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/bios/init: use ARRAY_SIZE

Using the ARRAY_SIZE macro improves the readability of the code. Also,
it is useless to re-invent it.

Found with Coccinelle with the following semantic patch:
@r depends on (org || report)@
type T;
T[] E;
position p;
@@
(
 (sizeof(E)@p /sizeof(*E))
|
 (sizeof(E)@p /sizeof(E[...]))
|
 (sizeof(E)@p /sizeof(T))
)

Reviewed-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Jérémy Lefaure <jeremy.lefaure@lse.epita.fr>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agoremove some useless semicolons
Ben Skeggs [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
remove some useless semicolons

Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau: Document nouveau support for Tegra in DRIVER_DESC
Rhys Kidd [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau: Document nouveau support for Tegra in DRIVER_DESC

nouveau supports the Tegra K1 and higher after the SoC-based GPUs converged
with the main GeForce GPU families.

v2:
- Qualify that support is Tegra K1+ (Martin Peres)

Signed-off-by: Rhys Kidd <rhyskidd@gmail.com>
Reviewed-by: Martin Peres <martin.peres@free.fr>
Acked-by: Pierre Moreau <pierre.morrow@free.fr>
Acked-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agodrm/nouveau/therm/gp100: initial implementation of new gp1xx temperature sensor
Rhys Kidd [Tue, 31 Oct 2017 17:56:19 +0000 (03:56 +1000)]
drm/nouveau/therm/gp100: initial implementation of new gp1xx temperature sensor

v2:
 - add nv138 and drop nv13b chipsets (Ilia Mirkin)
 - refactor out status variable and instead mask tsensor (Ilia Mirkin)
 - switch SHADOWed state message away from nvkm_error() (Ilia Mirkin)
 - rename internal temperature variable (Karol Herbst)

v3:
 - use nvkm_trace() for SHADOWed state message (Ben Skeggs)

Signed-off-by: Rhys Kidd <rhyskidd@gmail.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
7 years agoBackmerge tag 'v4.14-rc7' into drm-next
Dave Airlie [Thu, 2 Nov 2017 02:40:41 +0000 (12:40 +1000)]
Backmerge tag 'v4.14-rc7' into drm-next

Linux 4.14-rc7

Requested by Ben Skeggs for nouveau to avoid major conflicts,
and things were getting a bit conflicty already, esp around amdgpu
reverts.

7 years agoMerge tag 'drm-hisilicon-next-2017-11-01' of github.com:xin3liang/linux into drm...
Dave Airlie [Thu, 2 Nov 2017 01:36:55 +0000 (11:36 +1000)]
Merge tag 'drm-hisilicon-next-2017-11-01' of github.com:xin3liang/linux into drm-next

For 4.15

* tag 'drm-hisilicon-next-2017-11-01' of github.com:xin3liang/linux:
  drm/hisilicon: Ensure LDI regs are properly configured.

7 years agoMerge tag 'drm-msm-next-2017-11-01' of git://people.freedesktop.org/~robclark/linux...
Dave Airlie [Thu, 2 Nov 2017 01:29:28 +0000 (11:29 +1000)]
Merge tag 'drm-msm-next-2017-11-01' of git://people.freedesktop.org/~robclark/linux into drm-next

 + preemption support for a5xx[1][2]

 + display fixes for 8x96 (snapdragon 820) including fixes for 4k scanout
   (hwpipe assignment re-work to handle multiple hwpipe assigned to plane
   for wide scanout)

 + async cursor plane updates and fixes

 + refactor adreno_bind/hwinit.. still defer fw loading until device open,
   but move clk/irq/etc to probe/bind time to fix issues when fw isn't
   present in filesys

 + clk/dt bindings cleanups w/ backward compat via msm_clk_get() (dt docs
   part ack'ed by Rob Herring)

 + fw loading re-work with helper to handle either /lib/firmware/qcom/$fw
   or /lib/firmware/$fw.. background, we've started landing fw for some of
   generations in linux-firmware, but there is a preference to put fw files
   under 'qcom' subdirectory, which is not what was done on android or for
   people who copied fw from android.  So now we first look in qcom subdir
   and then fallback to the original location.

 + bunch of GPU debugging enhancements, to dump full cmdline of processes
   that trigger faults, and to add a new debugfs to capture cmdstream of
   just submits that triggered faults.. both quite useful for piglit ;-)

* tag 'drm-msm-next-2017-11-01' of git://people.freedesktop.org/~robclark/linux: (38 commits)
  drm/msm: use %z format modifier for printing size_t
  drm/msm/mdp5: Don't use async plane update path if plane visibility changes
  drm/msm/mdp5: mdp5_crtc: Restore cursor state only if LM cursors are enabled
  drm/msm/mdp5: Update mdp5_pipe_assign to spit out both planes
  drm/msm/mdp5: Prepare mdp5_pipe_assign for some rework
  drm/msm: remove mdp5_cursor_plane_funcs
  drm/msm: update cursors asynchronously through atomic
  drm/msm/atomic: switch to drm_atomic_helper_check
  drm/msm/mdp5: restore cursor state when enabling crtc
  drm/msm/mdp5: don't use autosuspend
  drm/msm/mdp5: ignore planes that are not visible
  drm/msm: dump submits which triggered gpu hang
  drm/msm: preserve IOVAs in submit's bo table
  drm/msm/rd: allow adding addition msg to top of dump
  drm/msm: split rd debugfs file
  drm/msm: add special _get_vaddr_active() for cmdstream dumps
  drm/msm: show task cmdline in gpu recovery messages
  drm/msm: dump a rd GPUADDR header for all buffers in the command
  drm/msm: Removed unused struct_mutex_task
  drm/msm: Implement preemption for A5XX targets
  ...

7 years agodrm/msm: use %z format modifier for printing size_t
Arnd Bergmann [Thu, 3 Aug 2017 11:50:48 +0000 (13:50 +0200)]
drm/msm: use %z format modifier for printing size_t

The return type of ARRAY_SIZE() is size_t, so we have to use
%zu instead of %lu to avoid this warning:

drivers/gpu/drm/msm/msm_gpu.c: In function 'msm_gpu_init':
drivers/gpu/drm/msm/msm_gpu.c:742:31: error: format '%lu' expects argument of type 'long unsigned int', but argument 7 has type 'unsigned int' [-Werror=format=]

The warning it otherwise harmless as size_t is always the
same size as unsigned long in all supported architectures,
but gcc doesn't know that.

Fixes: c2fceabca6d5 ("drm/msm: Support multiple ringbuffers")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/hisilicon: Ensure LDI regs are properly configured.
Peter Griffin [Tue, 15 Aug 2017 14:14:25 +0000 (15:14 +0100)]
drm/hisilicon: Ensure LDI regs are properly configured.

This patch fixes the following soft lockup:
  BUG: soft lockup - CPU#0 stuck for 23s! [weston:307]

On weston idle-timeout the IP is powered down and reset
asserted. On weston resume we get a massive vblank
IRQ storm due to the LDI registers having lost some state.

This state loss is caused by ade_crtc_atomic_begin() not
calling ade_ldi_set_mode(). With this patch applied
resuming from Weston idle-timeout works well.

Signed-off-by: Peter Griffin <peter.griffin@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>
Cc: stable@vger.kernel.org
Reviewed-by: Xinliang Liu <xinliang.liu@linaro.org>
Signed-off-by: Xinliang Liu <xinliang.liu@linaro.org>
7 years agoLinux 4.14-rc7 v4.14-rc7
Linus Torvalds [Sun, 29 Oct 2017 20:58:38 +0000 (13:58 -0700)]
Linux 4.14-rc7

7 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Sun, 29 Oct 2017 15:11:49 +0000 (08:11 -0700)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix route leak in xfrm_bundle_create().

 2) In mac80211, validate user rate mask before configuring it. From
    Johannes Berg.

 3) Properly enforce memory limits in fair queueing code, from Toke
    Hoiland-Jorgensen.

 4) Fix lockdep splat in inet_csk_route_req(), from Eric Dumazet.

 5) Fix TSO header allocation and management in mvpp2 driver, from Yan
    Markman.

 6) Don't take socket lock in BH handler in strparser code, from Tom
    Herbert.

 7) Don't show sockets from other namespaces in AF_UNIX code, from
    Andrei Vagin.

 8) Fix double free in error path of tap_open(), from Girish Moodalbail.

 9) Fix TX map failure path in igb and ixgbe, from Jean-Philippe Brucker
    and Alexander Duyck.

10) Fix DCB mode programming in stmmac driver, from Jose Abreu.

11) Fix err_count handling in various tunnels (ipip, ip6_gre). From Xin
    Long.

12) Properly align SKB head before building SKB in tuntap, from Jason
    Wang.

13) Avoid matching qdiscs with a zero handle during lookups, from Cong
    Wang.

14) Fix various endianness bugs in sctp, from Xin Long.

15) Fix tc filter callback races and add selftests which trigger the
    problem, from Cong Wang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (73 commits)
  selftests: Introduce a new test case to tc testsuite
  selftests: Introduce a new script to generate tc batch file
  net_sched: fix call_rcu() race on act_sample module removal
  net_sched: add rtnl assertion to tcf_exts_destroy()
  net_sched: use tcf_queue_work() in tcindex filter
  net_sched: use tcf_queue_work() in rsvp filter
  net_sched: use tcf_queue_work() in route filter
  net_sched: use tcf_queue_work() in u32 filter
  net_sched: use tcf_queue_work() in matchall filter
  net_sched: use tcf_queue_work() in fw filter
  net_sched: use tcf_queue_work() in flower filter
  net_sched: use tcf_queue_work() in flow filter
  net_sched: use tcf_queue_work() in cgroup filter
  net_sched: use tcf_queue_work() in bpf filter
  net_sched: use tcf_queue_work() in basic filter
  net_sched: introduce a workqueue for RCU callbacks of tc filter
  sctp: fix some type cast warnings introduced since very beginning
  sctp: fix a type cast warnings that causes a_rwnd gets the wrong value
  sctp: fix some type cast warnings introduced by transport rhashtable
  sctp: fix some type cast warnings introduced by stream reconf
  ...

7 years agoMerge branch 'net_sched-fix-races-with-RCU-callbacks'
David S. Miller [Sun, 29 Oct 2017 13:49:32 +0000 (22:49 +0900)]
Merge branch 'net_sched-fix-races-with-RCU-callbacks'

Cong Wang says:

====================
net_sched: fix races with RCU callbacks

Recently, the RCU callbacks used in TC filters and TC actions keep
drawing my attention, they introduce at least 4 race condition bugs:

1. A simple one fixed by Daniel:

commit c78e1746d3ad7d548bdf3fe491898cc453911a49
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Wed May 20 17:13:33 2015 +0200

    net: sched: fix call_rcu() race on classifier module unloads

2. A very nasty one fixed by me:

commit 1697c4bb5245649a23f06a144cc38c06715e1b65
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date:   Mon Sep 11 16:33:32 2017 -0700

    net_sched: carefully handle tcf_block_put()

3. Two more bugs found by Chris:
https://patchwork.ozlabs.org/patch/826696/
https://patchwork.ozlabs.org/patch/826695/

Usually RCU callbacks are simple, however for TC filters and actions,
they are complex because at least TC actions could be destroyed
together with the TC filter in one callback. And RCU callbacks are
invoked in BH context, without locking they are parallel too. All of
these contribute to the cause of these nasty bugs.

Alternatively, we could also:

a) Introduce a spinlock to serialize these RCU callbacks. But as I
said in commit 1697c4bb5245 ("net_sched: carefully handle
tcf_block_put()"), it is very hard to do because of tcf_chain_dump().
Potentially we need to do a lot of work to make it possible (if not
impossible).

b) Just get rid of these RCU callbacks, because they are not
necessary at all, callers of these call_rcu() are all on slow paths
and holding RTNL lock, so blocking is allowed in their contexts.
However, David and Eric dislike adding synchronize_rcu() here.

As suggested by Paul, we could defer the work to a workqueue and
gain the permission of holding RTNL again without any performance
impact, however, in tcf_block_put() we could have a deadlock when
flushing workqueue while hodling RTNL lock, the trick here is to
defer the work itself in workqueue and make it queued after all
other works so that we keep the same ordering to avoid any
use-after-free. Please see the first patch for details.

Patch 1 introduces the infrastructure, patch 2~12 move each
tc filter to the new tc filter workqueue, patch 13 adds
an assertion to catch potential bugs like this, patch 14
closes another rcu callback race, patch 15 and patch 16 add
new test cases.
====================

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoselftests: Introduce a new test case to tc testsuite
Chris Mi [Fri, 27 Oct 2017 01:24:43 +0000 (18:24 -0700)]
selftests: Introduce a new test case to tc testsuite

In this patchset, we fixed a tc bug. This patch adds the test case
that reproduces the bug. To run this test case, user should specify
an existing NIC device:
  # sudo ./tdc.py -d enp4s0f0

This test case belongs to category "flower". If user doesn't specify
a NIC device, the test cases belong to "flower" will not be run.

In this test case, we create 1M filters and all filters share the same
action. When destroying all filters, kernel should not panic. It takes
about 18s to run it.

Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Lucas Bates <lucasb@mojatatu.com>
Signed-off-by: Chris Mi <chrism@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoselftests: Introduce a new script to generate tc batch file
Chris Mi [Fri, 27 Oct 2017 01:24:42 +0000 (18:24 -0700)]
selftests: Introduce a new script to generate tc batch file

  # ./tdc_batch.py -h
  usage: tdc_batch.py [-h] [-n NUMBER] [-o] [-s] [-p] device file

  TC batch file generator

  positional arguments:
    device                device name
    file                  batch file name

  optional arguments:
    -h, --help            show this help message and exit
    -n NUMBER, --number NUMBER
                          how many lines in batch file
    -o, --skip_sw         skip_sw (offload), by default skip_hw
    -s, --share_action    all filters share the same action
    -p, --prio            all filters have different prio

Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Lucas Bates <lucasb@mojatatu.com>
Signed-off-by: Chris Mi <chrism@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: fix call_rcu() race on act_sample module removal
Cong Wang [Fri, 27 Oct 2017 01:24:41 +0000 (18:24 -0700)]
net_sched: fix call_rcu() race on act_sample module removal

Similar to commit c78e1746d3ad
("net: sched: fix call_rcu() race on classifier module unloads"),
we need to wait for flying RCU callback tcf_sample_cleanup_rcu().

Cc: Yotam Gigi <yotamg@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: add rtnl assertion to tcf_exts_destroy()
Cong Wang [Fri, 27 Oct 2017 01:24:40 +0000 (18:24 -0700)]
net_sched: add rtnl assertion to tcf_exts_destroy()

After previous patches, it is now safe to claim that
tcf_exts_destroy() is always called with RTNL lock.

Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in tcindex filter
Cong Wang [Fri, 27 Oct 2017 01:24:39 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in tcindex filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in rsvp filter
Cong Wang [Fri, 27 Oct 2017 01:24:38 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in rsvp filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in route filter
Cong Wang [Fri, 27 Oct 2017 01:24:37 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in route filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in u32 filter
Cong Wang [Fri, 27 Oct 2017 01:24:36 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in u32 filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in matchall filter
Cong Wang [Fri, 27 Oct 2017 01:24:35 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in matchall filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in fw filter
Cong Wang [Fri, 27 Oct 2017 01:24:34 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in fw filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in flower filter
Cong Wang [Fri, 27 Oct 2017 01:24:33 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in flower filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in flow filter
Cong Wang [Fri, 27 Oct 2017 01:24:32 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in flow filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in cgroup filter
Cong Wang [Fri, 27 Oct 2017 01:24:31 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in cgroup filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in bpf filter
Cong Wang [Fri, 27 Oct 2017 01:24:30 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in bpf filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: use tcf_queue_work() in basic filter
Cong Wang [Fri, 27 Oct 2017 01:24:29 +0000 (18:24 -0700)]
net_sched: use tcf_queue_work() in basic filter

Defer the tcf_exts_destroy() in RCU callback to
tc filter workqueue and get RTNL lock.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: introduce a workqueue for RCU callbacks of tc filter
Cong Wang [Fri, 27 Oct 2017 01:24:28 +0000 (18:24 -0700)]
net_sched: introduce a workqueue for RCU callbacks of tc filter

This patch introduces a dedicated workqueue for tc filters
so that each tc filter's RCU callback could defer their
action destroy work to this workqueue. The helper
tcf_queue_work() is introduced for them to use.

Because we hold RTNL lock when calling tcf_block_put(), we
can not simply flush works inside it, therefore we have to
defer it again to this workqueue and make sure all flying RCU
callbacks have already queued their work before this one, in
other words, to ensure this is the last one to execute to
prevent any use-after-free.

On the other hand, this makes tcf_block_put() ugly and
harder to understand. Since David and Eric strongly dislike
adding synchronize_rcu(), this is probably the only
solution that could make everyone happy.

Please also see the code comments below.

Reported-by: Chris Mi <chrism@mellanox.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Pirko <jiri@resnulli.us>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'sctp-endianness-fixes'
David S. Miller [Sun, 29 Oct 2017 09:03:25 +0000 (18:03 +0900)]
Merge branch 'sctp-endianness-fixes'

Xin Long says:

====================
sctp: a bunch of fixes for some sparse warnings

As Eric noticed, when running 'make C=2 M=net/sctp/', a plenty of
warnings or errors checked by sparse appear. They are all problems
about Endian and type cast.

Most of them are just warnings by which no issues could be caused
while some might be bugs.

This patchset fixes them with four patches basically according to
how they are introduced.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosctp: fix some type cast warnings introduced since very beginning
Xin Long [Sat, 28 Oct 2017 11:43:57 +0000 (19:43 +0800)]
sctp: fix some type cast warnings introduced since very beginning

These warnings were found by running 'make C=2 M=net/sctp/'.
They are there since very beginning.

Note after this patch, there still one warning left in
sctp_outq_flush():
  sctp_chunk_fail(chunk, SCTP_ERROR_INV_STRM)

Since it has been moved to sctp_stream_outq_migrate on net-next,
to avoid the extra job when merging net-next to net, I will post
the fix for it after the merging is done.

Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosctp: fix a type cast warnings that causes a_rwnd gets the wrong value
Xin Long [Sat, 28 Oct 2017 11:43:56 +0000 (19:43 +0800)]
sctp: fix a type cast warnings that causes a_rwnd gets the wrong value

These warnings were found by running 'make C=2 M=net/sctp/'.

Commit d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a
SACK from SHUTDOWN.") expected to use the peers old rwnd and add
our flight size to the a_rwnd. But with the wrong Endian, it may
not work as well as expected.

So fix it by converting to the right value.

Fixes: d4d6fb5787a6 ("sctp: Try not to change a_rwnd when faking a SACK from SHUTDOWN.")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosctp: fix some type cast warnings introduced by transport rhashtable
Xin Long [Sat, 28 Oct 2017 11:43:55 +0000 (19:43 +0800)]
sctp: fix some type cast warnings introduced by transport rhashtable

These warnings were found by running 'make C=2 M=net/sctp/'.

They are introduced by not aware of Endian for the port when
coding transport rhashtable patches.

Fixes: 7fda702f9315 ("sctp: use new rhlist interface on sctp transport rhashtable")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosctp: fix some type cast warnings introduced by stream reconf
Xin Long [Sat, 28 Oct 2017 11:43:54 +0000 (19:43 +0800)]
sctp: fix some type cast warnings introduced by stream reconf

These warnings were found by running 'make C=2 M=net/sctp/'.

They are introduced by not aware of Endian when coding stream
reconf patches.

Since commit c0d8bab6ae51 ("sctp: add get and set sockopt for
reconf_enable") enabled stream reconf feature for users, the
Fixes tag below would use it.

Fixes: c0d8bab6ae51 ("sctp: add get and set sockopt for reconf_enable")
Reported-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: avoid matching qdisc with zero handle
Cong Wang [Sat, 28 Oct 2017 05:08:56 +0000 (22:08 -0700)]
net_sched: avoid matching qdisc with zero handle

Davide found the following script triggers a NULL pointer
dereference:

ip l a name eth0 type dummy
tc q a dev eth0 parent :1 handle 1: htb

This is because for a freshly created netdevice noop_qdisc
is attached and when passing 'parent :1', kernel actually
tries to match the major handle which is 0 and noop_qdisc
has handle 0 so is matched by mistake. Commit 69012ae425d7
tries to fix a similar bug but still misses this case.

Handle 0 is not a valid one, should be just skipped. In
fact, kernel uses it as TC_H_UNSPEC.

Fixes: 69012ae425d7 ("net: sched: fix handling of singleton qdiscs with qdisc_hash")
Fixes: 59cc1f61f09c ("net: sched:convert qdisc linked list to hashtable")
Reported-by: Davide Caratti <dcaratti@redhat.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosctp: reset owner sk for data chunks on out queues when migrating a sock
Xin Long [Fri, 27 Oct 2017 18:13:29 +0000 (02:13 +0800)]
sctp: reset owner sk for data chunks on out queues when migrating a sock

Now when migrating sock to another one in sctp_sock_migrate(), it only
resets owner sk for the data in receive queues, not the chunks on out
queues.

It would cause that data chunks length on the sock is not consistent
with sk sk_wmem_alloc. When closing the sock or freeing these chunks,
the old sk would never be freed, and the new sock may crash due to
the overflow sk_wmem_alloc.

syzbot found this issue with this series:

  r0 = socket$inet_sctp()
  sendto$inet(r0)
  listen(r0)
  accept4(r0)
  close(r0)

Although listen() should have returned error when one TCP-style socket
is in connecting (I may fix this one in another patch), it could also
be reproduced by peeling off an assoc.

This issue is there since very beginning.

This patch is to reset owner sk for the chunks on out queues so that
sk sk_wmem_alloc has correct value after accept one sock or peeloff
an assoc to one sock.

Note that when resetting owner sk for chunks on outqueue, it has to
sctp_clear_owner_w/skb_orphan chunks before changing assoc->base.sk
first and then sctp_set_owner_w them after changing assoc->base.sk,
due to that sctp_wfree and it's callees are using assoc->base.sk.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'sockmap-fixes'
David S. Miller [Sun, 29 Oct 2017 02:18:49 +0000 (11:18 +0900)]
Merge branch 'sockmap-fixes'

John Fastabend says:

====================
net: sockmap fixes

Last two fixes (as far as I know) for sockmap code this round.

First, we are using the qdisc cb structure when making the data end
calculation. This is really just wrong so, store it with the other
metadata in the correct tcp_skb_cb sturct to avoid breaking things.

Next, with recent work to attach multiple programs to a cgroup a
specific enumeration of return codes was agreed upon. However,
I wrote the sk_skb program types before seeing this work and used
a different convention. Patch 2 in the series aligns the return
codes to avoid breaking with this infrastructure and also aligns
with other programming conventions to avoid being the odd duck out
forcing programs to remember SK_SKB programs are different. Pusing
to net because its a user visible change. With this SK_SKB program
return codes are the same as other cgroup program types.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: rename sk_actions to align with bpf infrastructure
John Fastabend [Fri, 27 Oct 2017 16:45:53 +0000 (09:45 -0700)]
bpf: rename sk_actions to align with bpf infrastructure

Recent additions to support multiple programs in cgroups impose
a strict requirement, "all yes is yes, any no is no". To enforce
this the infrastructure requires the 'no' return code, SK_DROP in
this case, to be 0.

To apply these rules to SK_SKB program types the sk_actions return
codes need to be adjusted.

This fix adds SK_PASS and makes 'SK_DROP = 0'. Finally, remove
SK_ABORTED to remove any chance that the API may allow aborted
program flows to be passed up the stack. This would be incorrect
behavior and allow programs to break existing policies.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: bpf_compute_data uses incorrect cb structure
John Fastabend [Fri, 27 Oct 2017 16:45:34 +0000 (09:45 -0700)]
bpf: bpf_compute_data uses incorrect cb structure

SK_SKB program types use bpf_compute_data to store the end of the
packet data. However, bpf_compute_data assumes the cb is stored in the
qdisc layer format. But, for SK_SKB this is the wrong layer of the
stack for this type.

It happens to work (sort of!) because in most cases nothing happens
to be overwritten today. This is very fragile and error prone.
Fortunately, we have another hole in tcp_skb_cb we can use so lets
put the data_end value there.

Note, SK_SKB program types do not use data_meta, they are failed by
sk_skb_is_valid_access().

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agodrm/msm/mdp5: Don't use async plane update path if plane visibility changes
Archit Taneja [Fri, 27 Oct 2017 10:57:32 +0000 (16:27 +0530)]
drm/msm/mdp5: Don't use async plane update path if plane visibility changes

When a plane moves out of bounds (i.e, outside the crtc clip region), the
plane state's "visible" parameter changes to false. When this happens, we
(a) release the hwpipe resources away from it, and
(b) unstage the corresponding hwpipe(s) from the Layer Mixers in the CRTC.

(a) requires use to acquire the global atomic state and assign a new
hwpipe. (b) requires us to re-configure the Layer Mixer, which is done in
the CRTC. We don't want to do these things in the async plane update path,
so return an error if the new state's "visible" isn't the same as the
current state's "visible".

Cc: Gustavo Padovan <gustavo.padovan@collabora.com>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp5: mdp5_crtc: Restore cursor state only if LM cursors are enabled
Archit Taneja [Fri, 27 Oct 2017 10:57:31 +0000 (16:27 +0530)]
drm/msm/mdp5: mdp5_crtc: Restore cursor state only if LM cursors are enabled

MDP5 on newer SoCs support cursor planes (i.e, cursor SSPPs). They are a
separate entity unlike the cursors within LM.

Do not try to restore the MDP5 LM cursor registers, or the corresponding
CTL bits if we are not using LM cursors.

Also, since we've introduced a new variable 'lm_cursor_enabled', we can
now use it to avoid creating a different sets of crtc_funcs for CRTCs
with LM cursors and CRTCs with cursor planes.

Fixes: "drm/msm/mdp5: restore cursor state when enabling crtc"
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp5: Update mdp5_pipe_assign to spit out both planes
Archit Taneja [Fri, 27 Oct 2017 10:57:30 +0000 (16:27 +0530)]
drm/msm/mdp5: Update mdp5_pipe_assign to spit out both planes

We currently call mdp5_pipe_assign() twice to assign the left and right
hwpipes for our drm_plane. When merging 2 hwpipes, there are a few
constraints that we need to keep in mind:

- Only the same types of SSPPs are preferred. I.e, a RGB pipe should
  be paired with another RGB pipe, VIG with VIG etc.
- The hwpipe staged on the left should have a higher priority than
  the hwpipe staged on the right. The priorities are as follows:
  VIG0 > VIG1 > VIG2 > VIG3
  RGB0 > RGB1 > RGB2 > RGB3
  DMA0 > DMA1

We can't apply these constraints easily if mdp5_pipe_assign() is
called twice. Update mdp5_pipe_assign() to find both hwpipes in
one go, and add the extra constraints needed.

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp5: Prepare mdp5_pipe_assign for some rework
Archit Taneja [Fri, 27 Oct 2017 10:57:29 +0000 (16:27 +0530)]
drm/msm/mdp5: Prepare mdp5_pipe_assign for some rework

mdp5_pipe_assign currently returns the hwpipe pointer for the drm_plane.
Return it indirectly by setting a pointer passed as an argument. This
is needed because we want the func to find out the right hwpipe too.

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: remove mdp5_cursor_plane_funcs
Gustavo Padovan [Fri, 30 Jun 2017 18:03:21 +0000 (15:03 -0300)]
drm/msm: remove mdp5_cursor_plane_funcs

After converting legacy cursor updates to atomic async commits
mdp5_cursor_plane_funcs just duplicates mdp5_plane_funcs now.

Cc: Rob Clark <robdclark@gmail.com>
Cc: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Tested-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: update cursors asynchronously through atomic
Gustavo Padovan [Fri, 30 Jun 2017 18:03:20 +0000 (15:03 -0300)]
drm/msm: update cursors asynchronously through atomic

Add support to async updates of cursors by using the new atomic
interface for that. Basically what this commit does is do what
mdp5_update_cursor_plane_legacy() did but through atomic.

v5: call drm_atomic_helper_async_check() from the check hook

v4: add missing atomic async commit call to msm_atomic_commit(Archit Taneja)

v3: move size checks back to drivers (Ville Syrjälä)

v2: move fb setting to core and use new state (Eric Anholt)

Cc: Rob Clark <robdclark@gmail.com>
Cc: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.com>
Tested-by: Archit Taneja <architt@codeaurora.org> (v4)
[added comment about not hitting async update path if hwpipes are
 re-assigned or global state is touched]
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/atomic: switch to drm_atomic_helper_check
Rob Clark [Wed, 25 Oct 2017 16:30:51 +0000 (12:30 -0400)]
drm/msm/atomic: switch to drm_atomic_helper_check

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp5: restore cursor state when enabling crtc
Rob Clark [Thu, 19 Oct 2017 20:00:31 +0000 (16:00 -0400)]
drm/msm/mdp5: restore cursor state when enabling crtc

Since we enabled runtime PM, we cannot count on cursor registers to
retain their values.  This can result in situations where we think the
cursor is enabled when we enable the CRTC but it is trying to scan out
null (and the rest of cursor position/size is lost), resulting in faults
and generally angering the hw when coming out of DPMS with a cursor
enabled.

stable backport note: reverting 774e39ee3572 is also a suitable fix

Fixes: 774e39ee3572 drm/msm/mdp5: Set up runtime PM for MDSS
Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Archit Taneja <architt@codeaurora.org>
7 years agodrm/msm/mdp5: don't use autosuspend
Rob Clark [Fri, 20 Oct 2017 12:17:43 +0000 (08:17 -0400)]
drm/msm/mdp5: don't use autosuspend

It's only likely to paper over bugs.  Unlike the gpu, where we want to
keep things alive a bit longer in expectation of the next frame's
submit, when the display is shut down we can power off immediately.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Acked-by: Archit Taneja <architt@codeaurora.org>
7 years agodrm/msm/mdp5: ignore planes that are not visible
Rob Clark [Tue, 24 Oct 2017 14:19:42 +0000 (10:19 -0400)]
drm/msm/mdp5: ignore planes that are not visible

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: dump submits which triggered gpu hang
Rob Clark [Fri, 15 Sep 2017 15:04:44 +0000 (11:04 -0400)]
drm/msm: dump submits which triggered gpu hang

Note we need to move update_fences() to after msm_rd_dump_submit(),
otherwise the bo's referenced by the submit may no longer be valid.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agoMerge tag 'kbuild-fixes-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sat, 28 Oct 2017 18:01:57 +0000 (11:01 -0700)]
Merge tag 'kbuild-fixes-v4.14-2' of git://git./linux/kernel/git/masahiroy/linux-kbuild

Pull Kbuild fixes from Masahiro Yamada:

 - fix O= building on dash

 - remove unused dependency in Makefile

 - fix default of a choice in Kconfig

 - fix typos and documentation style

 - fix command options unrecognized by sparse

* tag 'kbuild-fixes-v4.14-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
  kbuild: clang: fix build failures with sparse check
  kbuild doc: a bundle of fixes on makefiles.txt
  Makefile: kselftest: fix grammar typo
  kbuild: Fix optimization level choice default
  kbuild: drop unused symverfile in Makefile.modpost
  kbuild: revert $(realpath ...) to $(shell cd ... && /bin/pwd)

7 years agodrm/msm: preserve IOVAs in submit's bo table
Rob Clark [Fri, 15 Sep 2017 14:58:13 +0000 (10:58 -0400)]
drm/msm: preserve IOVAs in submit's bo table

We need this if we want to dump the submit after cleanup (ie. from hang
or fault).  But in the backoff/unpin case we want to clear them.  So add
a flag so we can skip clearing the IOVAs in at cleanup.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/rd: allow adding addition msg to top of dump
Rob Clark [Fri, 15 Sep 2017 14:46:45 +0000 (10:46 -0400)]
drm/msm/rd: allow adding addition msg to top of dump

For faults or hangs, it is nice to be able to include a bit more
information.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: split rd debugfs file
Rob Clark [Fri, 15 Sep 2017 13:04:52 +0000 (09:04 -0400)]
drm/msm: split rd debugfs file

Split into two instances, the existing $debugfs/rd which continues to
dump all submits, and $debugfs/hangrd which will be used to dump just
submits that cause gpu hangs (and eventually faults, but that will
require some iommu framework enhancements).

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: add special _get_vaddr_active() for cmdstream dumps
Rob Clark [Fri, 15 Sep 2017 12:38:20 +0000 (08:38 -0400)]
drm/msm: add special _get_vaddr_active() for cmdstream dumps

Prep work for adding a debugfs file that dumps just submits which
trigger hangs/faults.  In this case the bo may already be in the
MADV_DONTNEED state, but will be still on the active list (since
the submit hasn't completed yet).  So the normal check that the
bo is in the WILLNEED state does not apply.  (But of course the bo
should definitely not be in the PURGED state!)

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: show task cmdline in gpu recovery messages
Rob Clark [Wed, 13 Sep 2017 14:17:18 +0000 (10:17 -0400)]
drm/msm: show task cmdline in gpu recovery messages

Now that freedreno gallium driver defaults to using submit_queue task
(render reordering), just showing task->comm is not so useful (ie. it is
always "flush_queue:0"), so also dump the cmdline.  This should also be
more useful for piglit/shader_runner.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds [Sat, 28 Oct 2017 17:56:13 +0000 (10:56 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

Pull input fixes from Dmitry Torokhov:

 - fix gtco tablet driver, tightening parsing of HID descriptors

 - add ACPI ID added to Elan driver to be able to handle touchpads found
   in Lenovo Ideapad 320/520

 - fix the Symaptics RMI4 driver to adjust handling of buttons

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: synaptics-rmi4 - limit the range of what GPIOs are buttons
  Input: gtco - fix potential out-of-bound access
  Input: elan_i2c - add ELAN0611 to the ACPI table

7 years agoMerge tag 'pci-v4.14-fixes-6' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaa...
Linus Torvalds [Sat, 28 Oct 2017 17:53:24 +0000 (10:53 -0700)]
Merge tag 'pci-v4.14-fixes-6' of git://git./linux/kernel/git/helgaas/pci

Pull PCI fix from Bjorn Helgaas:
 "Move alpha PCI IRQ map/swizzle functions out of initdata to fix
  regression from PCI core IRQ mapping changes (Lorenzo Pieralisi)"

* tag 'pci-v4.14-fixes-6' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  alpha/PCI: Move pci_map_irq()/pci_swizzle() out of initdata

7 years agoMerge tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux
Linus Torvalds [Sat, 28 Oct 2017 17:50:38 +0000 (10:50 -0700)]
Merge tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "Two amd fixes, one i915 core and a few i915 GVT fixes, things seem
  fairly quiet"

* tag 'drm-fixes-for-v4.14-rc7' of git://people.freedesktop.org/~airlied/linux:
  drm/i915/gvt: Adding ACTHD mmio read handler
  drm/i915/gvt: Extract mmio_read_from_hw() common function
  drm/i915/gvt: Refine MMIO_RING_F()
  drm/i915/gvt: properly check per_ctx bb valid state
  drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
  drm/amd/amdgpu: Remove workaround check for UVD6 on APUs
  drm/amd/powerplay: fix uninitialized variable

7 years agoMerge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Linus Torvalds [Sat, 28 Oct 2017 17:46:20 +0000 (10:46 -0700)]
Merge tag 'scsi-fixes' of git://git./linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Six fixes for mostly minor issues, most of which have small race
  windows for occurring"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: Suppress a kernel warning in case the prep function returns BLKPREP_DEFER
  scsi: sg: Re-fix off by one in sg_fill_request_table()
  scsi: aacraid: Fix controller initialization failure
  scsi: hpsa: Fix configured_logical_drive_count·check
  scsi: qla2xxx: Initialize Work element before requesting IRQs
  scsi: zfcp: fix erp_action use-before-initialize in REC action trace

7 years agoassoc_array: Fix a buggy node-splitting case
David Howells [Wed, 11 Oct 2017 22:32:27 +0000 (23:32 +0100)]
assoc_array: Fix a buggy node-splitting case

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is
added that needs to go into a node that happens to be full, where the
existing leaves in that node cluster together at that level to the
exclusion of new leaf.

What needs to happen is that the existing leaves get moved out to a new
node, N1, at level + 1 and the existing node needs replacing with one,
N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point
     recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is
     either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead,
which achieves the same end, but in a more general way (thanks to Eric
Biggers for spotting the redundancy).

The problem manifests itself as:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <u3536072@connect.hku.hk>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: stable@vger.kernel.org [v3.13-rc1+]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7 years agoMerge tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6
Linus Torvalds [Sat, 28 Oct 2017 15:39:35 +0000 (08:39 -0700)]
Merge tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fixes from Steve French:
 "Various SMB3 fixes for 4.14 and stable"

* tag '4.14-smb3-fixes-for-stable' of git://git.samba.org/sfrench/cifs-2.6:
  SMB3: Validate negotiate request must always be signed
  SMB: fix validate negotiate info uninitialised memory use
  SMB: fix leak of validate negotiate info response buffer
  CIFS: Fix NULL pointer deref on SMB2_tcon() failure
  CIFS: do not send invalid input buffer on QUERY_INFO requests
  cifs: Select all required crypto modules
  CIFS: SMBD: Fix the definition for SMB2_CHANNEL_RDMA_V1_INVALIDATE
  cifs: handle large EA requests more gracefully in smb2+
  Fix encryption labels and lengths for SMB3.1.1

7 years agoMerge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszer...
Linus Torvalds [Sat, 28 Oct 2017 15:29:29 +0000 (08:29 -0700)]
Merge branch 'overlayfs-linus' of git://git./linux/kernel/git/mszeredi/vfs

Pull overlayfs fixes from Miklos Szeredi:
 "Fix several issues, most of them introduced in the last release"

* 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs:
  ovl: do not cleanup unsupported index entries
  ovl: handle ENOENT on index lookup
  ovl: fix EIO from lookup of non-indexed upper
  ovl: Return -ENOMEM if an allocation fails ovl_lookup()
  ovl: add NULL check in ovl_alloc_inode

7 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi...
Linus Torvalds [Sat, 28 Oct 2017 15:27:46 +0000 (08:27 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/mszeredi/fuse

Pull fuse fix from Miklos Szeredi:
 "This fixes a longstanding bug, which can be triggered by interrupting
  a directory reading syscall"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse:
  fuse: fix READDIRPLUS skipping an entry

7 years agodrm/msm: dump a rd GPUADDR header for all buffers in the command
Jordan Crouse [Fri, 20 Oct 2017 17:07:03 +0000 (11:07 -0600)]
drm/msm: dump a rd GPUADDR header for all buffers in the command

Currently the rd dump avoids any buffers marked as WRITE under
the assumption that the contents are not interesting.  While it
is true that the contents are uninteresting we should still print
the iova and size for all buffers so that any listening replay
tools can correctly construct the submission.

Print the header for all buffers but only dump the contents for
buffers marked as READ.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Removed unused struct_mutex_task
Jordan Crouse [Fri, 20 Oct 2017 17:07:02 +0000 (11:07 -0600)]
drm/msm: Removed unused struct_mutex_task

Recent changes to locking have rendered struct_mutex_task
unused.

Unused since 0e08270a1f01.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Implement preemption for A5XX targets
Jordan Crouse [Fri, 20 Oct 2017 17:07:01 +0000 (11:07 -0600)]
drm/msm: Implement preemption for A5XX targets

Implement preemption for A5XX targets - this allows multiple
ringbuffers for different priorities with automatic preemption
of a lower priority ringbuffer if a higher one is ready.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Make the value of RB_CNTL (almost) generic
Jordan Crouse [Fri, 20 Oct 2017 17:07:00 +0000 (11:07 -0600)]
drm/msm: Make the value of RB_CNTL (almost) generic

We use a global ringbuffer size and block size for all targets and
at least for 5XX preemption we need to know the value the RB_CNTL
in several locations so it makes sense to calculate it once and use
it everywhere.

The only monkey wrench is that we need to disable the RPTR shadow
for A430 targets but that only needs to be done once and doesn't
affect A5XX so we can or in the value at init time.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Shadow current pointer in the ring until command is complete
Jordan Crouse [Fri, 20 Oct 2017 17:06:59 +0000 (11:06 -0600)]
drm/msm: Shadow current pointer in the ring until command is complete

Add a shadow pointer to track the current command being written into
the ring. Don't commit it as 'cur' until the command is submitted.
Because 'cur' is used to construct the software copy of the wptr this
ensures that somebody peeking in on the ring doesn't assume that a
command is inflight while it is being written. This isn't a huge deal
with a single ring (though technically the hangcheck could assume
the system is prematurely busy when it isn't) but it will be rather
important for preemption where the decision to preempt is based
on a non-empty ringbuffer. Without a shadow an aggressive preemption
scheme could assume that the ringbuffer is non empty and switch to it
before the CPU is done writing the command and boom.

Even though preemption won't be supported for all targets because of
the way the code is organized it is simpler to make this generic for
all targets. The extra load for non-preemption targets should be
minimal.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Add a parameter query for the number of ringbuffers
Jordan Crouse [Fri, 20 Oct 2017 17:06:58 +0000 (11:06 -0600)]
drm/msm: Add a parameter query for the number of ringbuffers

In order to manage ringbuffer priority to its fullest userspace
should know how many ringbuffers it has to work with. Add a
parameter to return the number of active rings.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Support multiple ringbuffers
Jordan Crouse [Fri, 20 Oct 2017 17:06:57 +0000 (11:06 -0600)]
drm/msm: Support multiple ringbuffers

Add the infrastructure to support the idea of multiple ringbuffers.
Assign each ringbuffer an id and use that as an index for the various
ring specific operations.

The biggest delta is to support legacy fences. Each fence gets its own
sequence number but the legacy functions expect to use a unique integer.
To handle this we return a unique identifier for each submission but
map it to a specific ring/sequence under the covers. Newer users use
a dma_fence pointer anyway so they don't care about the actual sequence
ID or ring.

The actual mechanics for multiple ringbuffers are very target specific
so this code just allows for the possibility but still only defines
one ringbuffer for each target family.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Move memptrs to msm_gpu
Jordan Crouse [Fri, 20 Oct 2017 17:06:56 +0000 (11:06 -0600)]
drm/msm: Move memptrs to msm_gpu

When we move to multiple ringbuffers we're going to store the data
in the memptrs on a per-ring basis. In order to prepare for that
move the current memptrs from the adreno namespace into msm_gpu.
This is way cleaner and immediately lets us kill off some sub
functions so there is much less cost later when we do move to
per-ring structs.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: Add per-instance submit queues
Jordan Crouse [Fri, 20 Oct 2017 17:06:55 +0000 (11:06 -0600)]
drm/msm: Add per-instance submit queues

Currently the behavior of a command stream is provided by the user
application during submission and the application is expected to internally
maintain the settings for each 'context' or 'rendering queue' and specify
the correct ones.

This works okay for simple cases but as applications become more
complex we will want to set context specific flags and do various
permission checks to allow certain contexts to enable additional
privileges.

Add kernel-side submit queues to be analogous to 'contexts' or
'rendering queues' on the application side. Each file descriptor
instance will maintain its own list of queues. Queues cannot be
shared between file descriptors.

For backwards compatibility context id '0' is defined as a default
context specifying no priority and no special flags. This is
intended to be the usual configuration for 99% of applications so
that a garden variety application can function correctly without
creating a queue. Only those applications requiring the specific
benefit of different queues need create one.

Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp5: disable vblanks when crtc is off
Rob Clark [Tue, 17 Oct 2017 13:39:53 +0000 (09:39 -0400)]
drm/msm/mdp5: disable vblanks when crtc is off

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/mdp4: disable vblanks when crtc is off
Rob Clark [Tue, 17 Oct 2017 13:39:39 +0000 (09:39 -0400)]
drm/msm/mdp4: disable vblanks when crtc is off

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodt-bindings: display: msm: update clk names
Rob Clark [Mon, 16 Oct 2017 21:04:16 +0000 (17:04 -0400)]
dt-bindings: display: msm: update clk names

Now that drm/msm is converted over to use msm_get_clk() everywhere (that
matters), which handles falling back to looking for a clock with the
"_clk" suffix, we can remove "_clk" from the documentation so that new
dts files added do not include "_clk" in the name.

Previously we were doing this for the more recently upstreamed bindings
but not for (nearly) all.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Acked-by: Rob Herring <robh@kernel.org>
7 years agodrm/msm/hdmi: convert to msm_clk_get()
Rob Clark [Mon, 16 Oct 2017 20:56:28 +0000 (16:56 -0400)]
drm/msm/hdmi: convert to msm_clk_get()

We already have, as a result of upstreaming the gpu bindings,
msm_clk_get() which will try to get the clock both without and with a
"_clk" suffix.  Use this in HDMI code so we can drop the "_clk" suffix
in bindings while maintaing backwards compatibility.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
7 years agodrm/msm/edp: convert to msm_clk_get()
Rob Clark [Mon, 16 Oct 2017 20:39:59 +0000 (16:39 -0400)]
drm/msm/edp: convert to msm_clk_get()

We already have, as a result of upstreaming the gpu bindings,
msm_clk_get() which will try to get the clock both without and with a
"_clk" suffix.  Use this in eDP code so we can drop the "_clk" suffix
in bindings while maintaing backwards compatibility.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
7 years agodrm/msm/dsi: convert to msm_clk_get()
Rob Clark [Mon, 16 Oct 2017 17:35:57 +0000 (13:35 -0400)]
drm/msm/dsi: convert to msm_clk_get()

We already have, as a result of upstreaming the gpu bindings,
msm_clk_get() which will try to get the clock both without and with a
"_clk" suffix.  Use this in DSI code so we can drop the "_clk" suffix
in bindings while maintaing backwards compatibility.

Signed-off-by: Rob Clark <robdclark@gmail.com>
Reviewed-by: Sean Paul <seanpaul@chromium.org>
7 years agodrm/msm/mdp5: always print mdp5 version
Rob Clark [Mon, 16 Oct 2017 16:52:48 +0000 (12:52 -0400)]
drm/msm/mdp5: always print mdp5 version

This is useful to see in the log, without requiring drm.debug.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/adreno: deal with linux-firmware fw paths
Rob Clark [Mon, 16 Oct 2017 14:46:23 +0000 (10:46 -0400)]
drm/msm/adreno: deal with linux-firmware fw paths

When firmware was added to linux-firmware, it was put in a qcom sub-
directory, unlike what we'd been using before.  For a300_pfp.fw and
a300_pm4.fw symlinks were created, but we'd prefer not to have to do
this in the future.  So add support to look in both places when
loading firmware.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/adreno: split out helper to load fw
Rob Clark [Mon, 16 Oct 2017 14:13:15 +0000 (10:13 -0400)]
drm/msm/adreno: split out helper to load fw

Prep work for the next patch.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/adreno: load gpu at probe/bind time
Rob Clark [Mon, 16 Oct 2017 13:22:38 +0000 (09:22 -0400)]
drm/msm/adreno: load gpu at probe/bind time

Previously, in an effort to defer initializing the gpu until firmware
was available (ie. rootfs mounted), the gpu was not loaded at when the
subdevice was bound.  Which resulted that clks/etc were requested in a
place that devm couldn't really help unwind if something failed.

Instead move request_firmware() to gpu->hw_init() and construct the gpu
earlier in adreno_bind().  To avoid the rest of the driver needing to
be aware of a gpu that hasn't managed to load firmware and hw_init()
yet, stash the gpu ptr in the adreno device's drvdata, and don't set
priv->gpu() until hw_init() succeeds.

Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm/hdmi: Remove mmagic_iface_clk from the 8x96 PHY clocks
Archit Taneja [Wed, 14 Jun 2017 08:06:10 +0000 (13:36 +0530)]
drm/msm/hdmi: Remove mmagic_iface_clk from the 8x96 PHY clocks

This was used as a placeholder. It was never really input to the MDSS/HDMI
clocks.

Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agodrm/msm: fix _NO_IMPLICIT fencing case
Rob Clark [Tue, 12 Sep 2017 18:23:05 +0000 (14:23 -0400)]
drm/msm: fix _NO_IMPLICIT fencing case

We need to call reservation_object_reserve_shared() in both cases, but
this wasn't happening in the _NO_IMPLICIT submit case.

Fixes: f0a42bb ("drm/msm: submit support for in-fences")
Reported-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
7 years agotap: reference to KVA of an unloaded module causes kernel panic
Girish Moodalbail [Fri, 27 Oct 2017 07:00:16 +0000 (00:00 -0700)]
tap: reference to KVA of an unloaded module causes kernel panic

The commit 9a393b5d5988 ("tap: tap as an independent module") created a
separate tap module that implements tap functionality and exports
interfaces that will be used by macvtap and ipvtap modules to create
create respective tap devices.

However, that patch introduced a regression wherein the modules macvtap
and ipvtap can be removed (through modprobe -r) while there are
applications using the respective /dev/tapX devices. These applications
cause kernel to hold reference to /dev/tapX through 'struct cdev
macvtap_cdev' and 'struct cdev ipvtap_dev' defined in macvtap and ipvtap
modules respectively. So,  when the application is later closed the
kernel panics because we are referencing KVA that is present in the
unloaded modules.

----------8<------- Example ----------8<----------
$ sudo ip li add name mv0 link enp7s0 type macvtap
$ sudo ip li show mv0 |grep mv0| awk -e '{print $1 $2}'
  14:mv0@enp7s0:
$ cat /dev/tap14 &
$ lsmod |egrep -i 'tap|vlan'
macvtap                16384  0
macvlan                24576  1 macvtap
tap                    24576  3 macvtap
$ sudo modprobe -r macvtap
$ fg
cat /dev/tap14
^C

<...system panics...>
BUG: unable to handle kernel paging request at ffffffffa038c500
IP: cdev_put+0xf/0x30
----------8<-----------------8<----------

The fix is to set cdev.owner to the module that creates the tap device
(either macvtap or ipvtap). With this set, the operations (in
fs/char_dev.c) on char device holds and releases the module through
cdev_get() and cdev_put() and will not allow the module to unload
prematurely.

Fixes: 9a393b5d5988ea4e (tap: tap as an independent module)
Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotcp: refresh tp timestamp before tcp_mtu_probe()
Eric Dumazet [Fri, 27 Oct 2017 04:21:40 +0000 (21:21 -0700)]
tcp: refresh tp timestamp before tcp_mtu_probe()

In the unlikely event tcp_mtu_probe() is sending a packet, we
want tp->tcp_mstamp being as accurate as possible.

This means we need to call tcp_mstamp_refresh() a bit earlier in
tcp_write_xmit().

Fixes: 385e20706fac ("tcp: use tp->tcp_mstamp in output path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotuntap: properly align skb->head before building skb
Jason Wang [Fri, 27 Oct 2017 03:05:44 +0000 (11:05 +0800)]
tuntap: properly align skb->head before building skb

An unaligned alloc_frag->offset caused by previous allocation will
result an unaligned skb->head. This will lead unaligned
skb_shared_info and then unaligned dataref which requires to be
aligned for accessing on some architecture. Fix this by aligning
alloc_frag->offset before the frag refilling.

Fixes: 0bbd7dad34f8 ("tun: make tun_build_skb() thread safe")
Cc: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Cc: Wei Wei <dotweiba@gmail.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Mark Rutland <mark.rutland@arm.com>
Reported-by: Wei Wei <dotweiba@gmail.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge tag 'for-linus-4.14c-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sat, 28 Oct 2017 03:41:05 +0000 (20:41 -0700)]
Merge tag 'for-linus-4.14c-rc7-tag' of git://git./linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:

 - a fix for the Xen gntdev device repairing an issue in case of partial
   failure of mapping multiple pages of another domain

 - a fix of a regression in the Xen balloon driver introduced in 4.13

 - a build fix for Xen on ARM which will trigger e.g. for Linux RT

 - a maintainers update for pvops (not really Xen, but carrying through
   this tree just for convenience)

* tag 'for-linus-4.14c-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  maintainers: drop Chris Wright from pvops
  arm/xen: don't inclide rwlock.h directly.
  xen: fix booting ballooned down hvm guest
  xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap()

7 years agoMerge tag 'arc-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc
Linus Torvalds [Sat, 28 Oct 2017 03:38:47 +0000 (20:38 -0700)]
Merge tag 'arc-4.14-rc7' of git://git./linux/kernel/git/vgupta/arc

Pull ARC fixes from Vineet Gupta:

 - Fixes for HSDK platform

 - module build error for !LLSC config

* tag 'arc-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARC: unbork module link errors with !CONFIG_ARC_HAS_LLSC
  ARC: [plat-hsdk] Increase SDIO CIU frequency to 50000000Hz
  ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig