platform/kernel/linux-exynos.git
5 years agoextcon: max14577: Delete an unnecessary variable initialisation in max14577_muic_set_...
Markus Elfring [Sun, 22 Oct 2017 17:39:12 +0000 (19:39 +0200)]
extcon: max14577: Delete an unnecessary variable initialisation in max14577_muic_set_path()

The variable "ret" is immediately reassigned by a following statement.
Thus omit the explicit initialisation at the beginning.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
5 years agoextcon: make extcon_info static const, fixes warning
Colin Ian King [Sat, 9 Sep 2017 16:51:00 +0000 (17:51 +0100)]
extcon: make extcon_info static const, fixes warning

The array extcon_info is read only, local to the source and does not
need to be in global scope, so make it static const.

Cleans up sparse warning:
symbol 'extcon_info' was not declared. Should it be static?

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
5 years agoextcon: Split out extcon header file for consumer and provider device
Chanwoo Choi [Thu, 21 Sep 2017 03:11:24 +0000 (12:11 +0900)]
extcon: Split out extcon header file for consumer and provider device

The extcon has two type of extcon devices as following.
- 'extcon provider deivce' adds new extcon device and detect the
   state/properties of external connector. Also, it notifies the
   state/properties to the extcon consumer device.
- 'extcon consumer device' gets the change state/properties
   from extcon provider device.
Prior to that, include/linux/extcon.h contains all exported API for
both provider and consumer device driver. To clarify the meaning of
header file and to remove the wrong use-case on consumer device,
this patch separates into extcon.h and extcon-provider.h.

[Description for include/linux/{extcon.h|extcon-provider.h}]
- extcon.h includes the extcon API and data structure for extcon consumer
  device driver. This header file contains the following APIs:
  : Register/unregister the notifier to catch the change of extcon device
  : Get the extcon device instance
  : Get the extcon device name
  : Get the state of each external connector
  : Get the property value of each external connector
  : Get the property capability of each external connector

- extcon-provider.h includes the extcon API and data structure for extcon
  provider device driver. This header file contains the following APIs:
  : Include 'include/linux/extcon.h'
  : Allocate the memory for extcon device instance
  : Register/unregister extcon device
  : Set the state of each external connector
  : Set the property value of each external connector
  : Set the property capability of each external connector

Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Acked-by: Sebastian Reichel <sebastian.reichel@collabora.co.uk>
Acked-by: Chen-Yu Tsai <wens@csie.org>
Acked-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Acked-by: Lee Jones <lee.jones@linaro.org>
Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Acked-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
5 years agoiommu/exynos: Rework runtime PM links management
Marek Szyprowski [Fri, 15 Sep 2017 11:05:08 +0000 (13:05 +0200)]
iommu/exynos: Rework runtime PM links management

add_device is a bit more suitable for establishing runtime PM links than
the xlate callback. This change also makes it possible to implement proper
cleanup - in remove_device callback.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
5 years agoASoC: samsung: i2s: disable secondary DAI until it gets fixed
Marek Szyprowski [Wed, 18 Oct 2017 07:25:34 +0000 (09:25 +0200)]
ASoC: samsung: i2s: disable secondary DAI until it gets fixed

Secondary DAI in Exynos I2S driver is not used by any of the currently
supported boards and it causes problems due to some limitations in the
ASoC code. Disable it until it gets proper support both by board-specific
and ASoC core code. Also disable IDMA support, which relies on secondary
DAI presence.

This patch fixes following kernel warning:
samsung-i2s 3830000.i2s: ASoC: Failed to create component debugfs directory
samsung-i2s 3830000.i2s: ASoC: Failed to create component debugfs directory
------------[ cut here ]------------
WARNING: CPU: 3 PID: 82 at fs/proc/generic.c:330 proc_register+0xec/0x10c
proc_dir_entry 'sub0/prealloc' already registered
Modules linked in:
CPU: 3 PID: 82 Comm: kworker/3:1 Not tainted 4.14.0-rc5-next-20171017 #3089
Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
Workqueue: events deferred_probe_work_func
[<c0110114>] (unwind_backtrace) from [<c010c900>] (show_stack+0x10/0x14)
[<c010c900>] (show_stack) from [<c083e664>] (dump_stack+0x90/0xc8)
[<c083e664>] (dump_stack) from [<c011d2b8>] (__warn+0xd4/0x100)
[<c011d2b8>] (__warn) from [<c011d384>] (warn_slowpath_fmt+0x38/0x48)
[<c011d384>] (warn_slowpath_fmt) from [<c0271268>] (proc_register+0xec/0x10c)
[<c0271268>] (proc_register) from [<c027130c>] (proc_create_data+0x84/0xc8)
[<c027130c>] (proc_create_data) from [<c061afbc>] (snd_info_register+0x64/0xcc)
[<c061afbc>] (snd_info_register) from [<c062a6e0>] (snd_pcm_lib_preallocate_pages1+0x78/0x1a0)
[<c062a6e0>] (snd_pcm_lib_preallocate_pages1) from [<c063eef4>] (dmaengine_pcm_new+0xa0/0x1ec)
[<c063eef4>] (dmaengine_pcm_new) from [<c062b9f8>] (snd_soc_platform_drv_pcm_new+0x1c/0x28)
[<c062b9f8>] (snd_soc_platform_drv_pcm_new) from [<c063d54c>] (soc_new_pcm+0x2f4/0x4f4)
[<c063d54c>] (soc_new_pcm) from [<c063107c>] (snd_soc_register_card+0xc4c/0xdc4)
[<c063107c>] (snd_soc_register_card) from [<c063db30>] (devm_snd_soc_register_card+0x34/0x70)
[<c063db30>] (devm_snd_soc_register_card) from [<c064af60>] (asoc_simple_card_probe+0x230/0x47c)
[<c064af60>] (asoc_simple_card_probe) from [<c047f8fc>] (platform_drv_probe+0x50/0xb0)
[<c047f8fc>] (platform_drv_probe) from [<c047dee0>] (driver_probe_device+0x2a0/0x46c)
[<c047dee0>] (driver_probe_device) from [<c047c0bc>] (bus_for_each_drv+0x44/0x8c)
[<c047c0bc>] (bus_for_each_drv) from [<c047db50>] (__device_attach+0xa0/0x134)
[<c047db50>] (__device_attach) from [<c047cf7c>] (bus_probe_device+0x88/0x90)
[<c047cf7c>] (bus_probe_device) from [<c047d484>] (deferred_probe_work_func+0x3c/0x168)
[<c047d484>] (deferred_probe_work_func) from [<c01371f8>] (process_one_work+0x188/0x41c)
[<c01371f8>] (process_one_work) from [<c01374b4>] (process_scheduled_works+0x28/0x38)
[<c01374b4>] (process_scheduled_works) from [<c01376d4>] (worker_thread+0x210/0x4dc)
[<c01376d4>] (worker_thread) from [<c013d9cc>] (kthread+0x128/0x164)
[<c013d9cc>] (kthread) from [<c0108848>] (ret_from_fork+0x14/0x2c)
---[ end trace bad8db6ee771d094 ]--

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
5 years agommc: sdhci-s3c: Fix driver data for Exynos4 SoCs
Marek Szyprowski [Wed, 4 Oct 2017 06:38:24 +0000 (08:38 +0200)]
mmc: sdhci-s3c: Fix driver data for Exynos4 SoCs

Support for non-dt based initialization for Exynos SoCs has been removed,
so there is no need to keep driver IDs for this case. While touching this,
replace odd conditional code for instantiating driver data for Exynos4
SoCs with a simple reference and move that driver data under CONFIG_OF.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
5 years agomedia: s5p-mfc: fix lockdep warning
Shuah Khan [Mon, 30 Oct 2017 21:04:57 +0000 (17:04 -0400)]
media: s5p-mfc: fix lockdep warning

The driver mmap functions shouldn't take lock when calling vb2_mmap().
Fix it to not take the lock. The following lockdep warning is fixed
with this change.

[ 2106.181412] ======================================================
[ 2106.187563] WARNING: possible circular locking dependency detected
[ 2106.193718] 4.14.0-rc2-00002-gfab205f-dirty #4 Not tainted
[ 2106.199175] ------------------------------------------------------
[ 2106.205328] qtdemux0:sink/2614 is trying to acquire lock:
[ 2106.210701]  (&dev->mfc_mutex){+.+.}, at: [<bf175544>] s5p_mfc_mmap+0x28/0xd4 [s5p_mfc]
[ 2106.218672]
[ 2106.218672] but task is already holding lock:
[ 2106.224477]  (&mm->mmap_sem){++++}, at: [<c01df2e4>] vm_mmap_pgoff+0x44/0xb8
[ 2106.231497]
[ 2106.231497] which lock already depends on the new lock.
[ 2106.231497]
[ 2106.239642]
[ 2106.239642] the existing dependency chain (in reverse order) is:
[ 2106.247095]
[ 2106.247095] -> #1 (&mm->mmap_sem){++++}:
[ 2106.252473]        __might_fault+0x80/0xb0
[ 2106.256567]        video_usercopy+0x1cc/0x510 [videodev]
[ 2106.261845]        v4l2_ioctl+0xa4/0xdc [videodev]
[ 2106.266596]        do_vfs_ioctl+0xa0/0xa18
[ 2106.270667]        SyS_ioctl+0x34/0x5c
[ 2106.274395]        ret_fast_syscall+0x0/0x28
[ 2106.278637]
[ 2106.278637] -> #0 (&dev->mfc_mutex){+.+.}:
[ 2106.284186]        lock_acquire+0x6c/0x88
[ 2106.288173]        __mutex_lock+0x68/0xa34
[ 2106.292244]        mutex_lock_interruptible_nested+0x1c/0x24
[ 2106.297893]        s5p_mfc_mmap+0x28/0xd4 [s5p_mfc]
[ 2106.302747]        v4l2_mmap+0x54/0x88 [videodev]
[ 2106.307409]        mmap_region+0x3a8/0x638
[ 2106.311480]        do_mmap+0x330/0x3a4
[ 2106.315207]        vm_mmap_pgoff+0x90/0xb8
[ 2106.319279]        SyS_mmap_pgoff+0x90/0xc0
[ 2106.323439]        ret_fast_syscall+0x0/0x28
[ 2106.327683]
[ 2106.327683] other info that might help us debug this:
[ 2106.327683]
[ 2106.335656]  Possible unsafe locking scenario:
[ 2106.335656]
[ 2106.341548]        CPU0                    CPU1
[ 2106.346053]        ----                    ----
[ 2106.350559]   lock(&mm->mmap_sem);
[ 2106.353939]                                lock(&dev->mfc_mutex);
[ 2106.353939]                                lock(&dev->mfc_mutex);
[ 2106.365897]   lock(&dev->mfc_mutex);
[ 2106.369450]
[ 2106.369450]  *** DEADLOCK ***
[ 2106.369450]
[ 2106.375344] 1 lock held by qtdemux0:sink/2614:
[ 2106.379762]  #0:  (&mm->mmap_sem){++++}, at: [<c01df2e4>] vm_mmap_pgoff+0x44/0xb8
[ 2106.387214]
[ 2106.387214] stack backtrace:
[ 2106.391550] CPU: 7 PID: 2614 Comm: qtdemux0:sink Not tainted 4.14.0-rc2-00002-gfab205f-dirty #4
[ 2106.400213] Hardware name: SAMSUNG EXYNOS (Flattened Device Tree)
[ 2106.406285] [<c01102c8>] (unwind_backtrace) from [<c010cabc>] (show_stack+0x10/0x14)
[ 2106.413995] [<c010cabc>] (show_stack) from [<c08543a4>] (dump_stack+0x98/0xc4)
[ 2106.421187] [<c08543a4>] (dump_stack) from [<c016b2fc>] (print_circular_bug+0x254/0x410)
[ 2106.429245] [<c016b2fc>] (print_circular_bug) from [<c016c580>] (check_prev_add+0x468/0x938)
[ 2106.437651] [<c016c580>] (check_prev_add) from [<c016f4dc>] (__lock_acquire+0x1314/0x14fc)
[ 2106.445883] [<c016f4dc>] (__lock_acquire) from [<c016fefc>] (lock_acquire+0x6c/0x88)
[ 2106.453596] [<c016fefc>] (lock_acquire) from [<c0869fb4>] (__mutex_lock+0x68/0xa34)
[ 2106.461221] [<c0869fb4>] (__mutex_lock) from [<c086aa08>] (mutex_lock_interruptible_nested+0x1c/0x24)
[ 2106.470425] [<c086aa08>] (mutex_lock_interruptible_nested) from [<bf175544>] (s5p_mfc_mmap+0x28/0xd4 [s5p_mfc])
[ 2106.480494] [<bf175544>] (s5p_mfc_mmap [s5p_mfc]) from [<bf037120>] (v4l2_mmap+0x54/0x88 [videodev])
[ 2106.489575] [<bf037120>] (v4l2_mmap [videodev]) from [<c01f4798>] (mmap_region+0x3a8/0x638)
[ 2106.497875] [<c01f4798>] (mmap_region) from [<c01f4d58>] (do_mmap+0x330/0x3a4)
[ 2106.505068] [<c01f4d58>] (do_mmap) from [<c01df330>] (vm_mmap_pgoff+0x90/0xb8)
[ 2106.512260] [<c01df330>] (vm_mmap_pgoff) from [<c01f28cc>] (SyS_mmap_pgoff+0x90/0xc0)
[ 2106.520059] [<c01f28cc>] (SyS_mmap_pgoff) from [<c0108820>] (ret_fast_syscall+0x0/0x28)

Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Suggested-by: Hans Verkuil <hansverk@cisco.com>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Hans Verkuil <hansverk@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
5 years agos5p-mfc: Adjust a null pointer check in four functions
Markus Elfring [Fri, 8 Sep 2017 20:37:00 +0000 (22:37 +0200)]
s5p-mfc: Adjust a null pointer check in four functions

The script “checkpatch.pl” pointed information out like the following.

Comparison to NULL could be written...

Thus fix the affected source code places.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agos5p-mfc: Improve a size determination in s5p_mfc_alloc_memdev()
Markus Elfring [Fri, 8 Sep 2017 20:30:09 +0000 (22:30 +0200)]
s5p-mfc: Improve a size determination in s5p_mfc_alloc_memdev()

Replace the specification of a data structure by a pointer dereference
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer according to the Linux coding style convention.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agos5p-mfc: Delete an error message for a failed memory allocation
Markus Elfring [Fri, 8 Sep 2017 20:25:17 +0000 (22:25 +0200)]
s5p-mfc: Delete an error message for a failed memory allocation

Omit an extra message for a memory allocation failure in s5p_mfc_probe()
function.  This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoexynos-gsc: Add hardware rotation limits
Hoegeun Kwon [Wed, 13 Sep 2017 11:41:55 +0000 (20:41 +0900)]
exynos-gsc: Add hardware rotation limits

The hardware rotation limits of gsc depends on SOC (Exynos
5250/5420/5433). Distinguish them and add them to the driver data.

[s.nawrocki@samsung.com: corrected num_entities in 5420 variant data]
Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoexynos-gsc: Add compatible for Exynos 5250 and 5420 SoC version
Hoegeun Kwon [Wed, 13 Sep 2017 11:41:52 +0000 (20:41 +0900)]
exynos-gsc: Add compatible for Exynos 5250 and 5420 SoC version

Exynos 5250 and 5420 have different hardware rotation limits.
Since we have to distinguish between these two, we add different
compatible: samsung,exynos5250-gsc and samsung,exynos5420-gsc.

Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: exynos5433: Extend list of available AUD_PLL output frequencies
Sylwester Nawrocki [Mon, 12 Feb 2018 15:52:27 +0000 (16:52 +0100)]
clk: exynos5433: Extend list of available AUD_PLL output frequencies

Add one more entry to the exynos5433_aud_pll_rates table, this allows
to support audio sample rates: 48000, 96000, 192000 Hz with minimum
error. The M, P, S, K values re confirmed by the HW team.

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
5 years agoclk: exynos5433: Add CLK_IGNORE_UNUSED flag to sclk_ioclk_i2s1_bclk
Sylwester Nawrocki [Mon, 5 Feb 2018 14:22:30 +0000 (15:22 +0100)]
clk: exynos5433: Add CLK_IGNORE_UNUSED flag to sclk_ioclk_i2s1_bclk

The sclk_ioclk_i2s1_bclk clock is not currently handled by any driver
and disabling this clock by the clk core prevents proper operation
of the I2S1 block. CLK_IGNORE_UNUSED flag is added as a temporary fix.

Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
5 years agoclk: samsung: Remove redundant dev_err call in exynos5433_cmu_probe()
Wei Yongjun [Wed, 17 Jan 2018 11:26:27 +0000 (11:26 +0000)]
clk: samsung: Remove redundant dev_err call in exynos5433_cmu_probe()

There is a error message within devm_ioremap_resource already,
so remove the dev_err call to avoid redundant error message.

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove obsolete clkdev alias support
Marek Szyprowski [Tue, 3 Oct 2017 10:00:16 +0000 (12:00 +0200)]
clk: samsung: Remove obsolete clkdev alias support

Remove support for obsolete clkdev alias definition in generic helper
macros for MUX, DIV, GATE and PLL clocks. clkdev aliases can be still
created using samsung_clk_register_alias() function if given platform
still needs them. All current drivers have been converted not to use
*_A-style macros and checked if there are any clients for the PLL
clocks, which had aliases created unconditionally.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Add explicit MPLL, EPLL clkdev aliases in S3C2443 driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:15 +0000 (12:00 +0200)]
clk: samsung: Add explicit MPLL, EPLL clkdev aliases in S3C2443 driver

S3C2443 platform still use non-dt based lookup in some of its drivers
to get MPLL and EPLL clocks. Till now it worked only because PLL()
macro implicitly created aliases for all instantiated clocks. This
feature will be removed, so explicitly create aliases for MPLL and
EPLL clocks.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Rework clkdev alias handling in S3C2443 driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:14 +0000 (12:00 +0200)]
clk: samsung: Rework clkdev alias handling in S3C2443 driver

S3C2443 SoC still uses old, non-dt CPUfreq driver, which requires clkdev
aliases to get access to proper clocks. Create those aliases using
samsung_clk_register_alias() function instead of using *_A clock macros,
which will be removed soon.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Rework clkdev alias handling in Exynos5440 driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:13 +0000 (12:00 +0200)]
clk: samsung: Rework clkdev alias handling in Exynos5440 driver

Exynos5440 still uses old, non-dt CPUfreq driver, which requires clkdev
aliases to get access to proper clocks. Create those aliases using
samsung_clk_register_alias() function instead of using *_A clock macros,
which will be removed soon.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Drop useless alias in Exynos5420 clk driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:12 +0000 (12:00 +0200)]
clk: samsung: Drop useless alias in Exynos5420 clk driver

Drop clkdev alias for "mout_aclk400_mscl" clock. It was not used at all
and it was probably committed by accident.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove clkdev alias support in Exynos5250 clk driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:11 +0000 (12:00 +0200)]
clk: samsung: Remove clkdev alias support in Exynos5250 clk driver

All Exynos5250 boards have been fully converted to device-tree and use
generic dt-based CPUfreq driver, so there is no need to create any clkdev
aliases for the clocks. Drop all the code related to aliases handling.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove double assignment of CLK_ARM_CLK in Exynos4 driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:10 +0000 (12:00 +0200)]
clk: samsung: Remove double assignment of CLK_ARM_CLK in Exynos4 driver

CLK_ARM_CLK ("armclk") clock is provided by cpu-clk subdriver, which is
instantiated after creating all divider clocks from exynos4_div_clks
array. There is no point assigning this id to "div_core2" clock and later
overwrite with proper "armcpu" clock by cpu-clk subdriver.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove clkdev alias support in Exynos4 clk driver
Marek Szyprowski [Tue, 3 Oct 2017 10:00:09 +0000 (12:00 +0200)]
clk: samsung: Remove clkdev alias support in Exynos4 clk driver

All Exynos4 boards have been fully converted to device-tree and use generic
dt-based CPUfreq driver, so there is no need to create any clkdev aliases
for the clocks. Drop all the code related to aliases handling.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove support for obsolete Exynos4212 CPU clock
Marek Szyprowski [Tue, 3 Oct 2017 10:00:08 +0000 (12:00 +0200)]
clk: samsung: Remove support for obsolete Exynos4212 CPU clock

Support for Exynos 4212 SoC has been removed by commit bca9085e0ae9 ("ARM:
dts: exynos: remove Exynos4212 support (dead code)"), so there is no need
to keep dead code.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Remove support for Exynos4212 SoCs in Exynos CLKOUT driver
Marek Szyprowski [Wed, 4 Oct 2017 06:38:26 +0000 (08:38 +0200)]
clk: samsung: Remove support for Exynos4212 SoCs in Exynos CLKOUT driver

Support for Exynos4212 SoCs has been removed by commit bca9085e0ae9 ("ARM:
dts: exynos: remove Exynos4212 support (dead code)"), so there is no need
to keep remaining dead code related to this SoC version.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Properly propagate flags in __PLL macro
Marek Szyprowski [Thu, 14 Sep 2017 14:38:17 +0000 (16:38 +0200)]
clk: samsung: Properly propagate flags in __PLL macro

All users of __PLL macro already provide flags parameter, so don't
overwrite it unconditionally with CLK_GET_RATE_NOCACHE.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Fix m2m scaler clock on Exynos542x
Andrzej Pietrasiewicz [Fri, 29 Sep 2017 07:32:53 +0000 (09:32 +0200)]
clk: samsung: Fix m2m scaler clock on Exynos542x

The TOP "aclk400_mscl" clock should be kept enabled all the time
to allow proper access to power management control for MSC power
domain and devices that are a part of it. This change is required
for the scaler to work properly after domain power on/off sequence.

Fixes: 318fa46cc60d ("clk/samsung: exynos542x: mark some clocks as critical")
Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Delete a memory allocation error message in clk-cpu.c
Markus Elfring [Wed, 27 Sep 2017 13:46:53 +0000 (15:46 +0200)]
clk: samsung: Delete a memory allocation error message in clk-cpu.c

Omit an extra message for a memory allocation failure
in exynos_register_cpu_clock() function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: use atomic runtime pm api in clk_core_is_enabled
Dong Aisheng [Fri, 22 Dec 2017 09:46:04 +0000 (17:46 +0800)]
clk: use atomic runtime pm api in clk_core_is_enabled

Current clk_pm_runtime_put is using pm_runtime_put_sync which
is not safe to be called in clk_core_is_enabled as it should
be able to run in atomic context.

Thus use pm_runtime_put instead which is atomic safe.

Cc: Stephen Boyd <sboyd@codeaurora.org>
Cc: Michael Turquette <mturquette@baylibre.com>
Cc: Ulf Hansson <ulf.hansson@linaro.org>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Fixes: 9a34b45397e5 ("clk: Add support for runtime PM")
Signed-off-by: Dong Aisheng <aisheng.dong@nxp.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
5 years agoclk: Manage proper runtime PM state in clk_change_rate()
Marek Szyprowski [Thu, 30 Nov 2017 12:14:51 +0000 (13:14 +0100)]
clk: Manage proper runtime PM state in clk_change_rate()

clk_change_rate() propagates rate change down to all its children. Such
operation requires managing proper runtime PM state of each child, what
was missing. Add needed calls to clk_pm_runtime*() to ensure that
set_rate() clock callback is called on runtime active clock.

This fixes following issue found on Exynos5433 TM2 board with devfreq
enabled:

Synchronous External Abort: synchronous external abort (0x96000210) at 0xffffff80093f5600
Internal error: : 96000210 [#1] PREEMPT SMP
Modules linked in:
CPU: 0 PID: 5 Comm: kworker/u16:0 Not tainted 4.15.0-rc1-next-20171129+ #4
Hardware name: Samsung TM2 board (DT)
Workqueue: devfreq_wq devfreq_monitor
task: ffffffc0ca96b600 task.stack: ffffff80093a8000
pstate: a0000085 (NzCv daIf -PAN -UAO)
pc : clk_divider_set_rate+0x54/0x118
lr : clk_divider_set_rate+0x44/0x118
...
Process kworker/u16:0 (pid: 5, stack limit = 0xffffff80093a8000)
Call trace:
 clk_divider_set_rate+0x54/0x118
 clk_change_rate+0xfc/0x4e0
 clk_change_rate+0x1f0/0x4e0
 clk_change_rate+0x1f0/0x4e0
 clk_change_rate+0x1f0/0x4e0
 clk_core_set_rate_nolock+0x138/0x148
 clk_set_rate+0x28/0x50
 exynos_bus_passive_target+0x6c/0x11c
 update_devfreq_passive+0x58/0xb4
 devfreq_passive_notifier_call+0x50/0x5c
 notifier_call_chain+0x4c/0x88
 __srcu_notifier_call_chain+0x54/0x80
 srcu_notifier_call_chain+0x14/0x1c
 update_devfreq+0x100/0x1b4
 devfreq_monitor+0x2c/0x88
 process_one_work+0x148/0x3d8
 worker_thread+0x13c/0x3f8
 kthread+0x100/0x12c
 ret_from_fork+0x10/0x18

Reported-by: Chanwoo Choi <cw00.choi@samsung.com>
Fixes: 9a34b45397e5 ("clk: Add support for runtime PM")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Tested-by: Chanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Stephen Boyd <sboyd@codeaurora.org>
5 years agoclk: samsung: Add a separate driver for Exynos4412 ISP clocks
Marek Szyprowski [Wed, 11 Oct 2017 09:25:13 +0000 (11:25 +0200)]
clk: samsung: Add a separate driver for Exynos4412 ISP clocks

Some registers for the Exynos 4412 ISP (Camera subsystem) clocks are
located in the ISP power domain. Because those registers are also
located in a different memory region than the main clock controller,
support for them can be provided by a separate clock controller.
This in turn allows to almost seamlessly make it aware of the power
domain using recently introduced runtime PM support for clocks.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Add dt bindings for Exynos4412 ISP clock controller
Marek Szyprowski [Wed, 11 Oct 2017 09:25:12 +0000 (11:25 +0200)]
clk: samsung: Add dt bindings for Exynos4412 ISP clock controller

Some registers for the Exynos 4412 ISP (Camera subsystem) clocks are
located in the ISP power domain. Because those registers are also
located in a different memory region than the main clock controller,
support for them can be provided by a separate clock controller.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: Instantiate Exynos4412 ISP clocks only when available
Marek Szyprowski [Wed, 11 Oct 2017 09:25:11 +0000 (11:25 +0200)]
clk: samsung: Instantiate Exynos4412 ISP clocks only when available

Some registers for the Exynos 4412 ISP (Camera subsystem) clocks are
located in the ISP power domain. Instantiate those clocks only when
provided clock registers resource covers those registers. This is
a preparation for adding a separate clock driver for ISP clocks,
which will be integrated with power domain using runtime PM feature.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: exynos5433: mark PM functions as __maybe_unused
Arnd Bergmann [Tue, 10 Oct 2017 09:15:12 +0000 (11:15 +0200)]
clk: samsung: exynos5433: mark PM functions as __maybe_unused

The suspend/resume functions are referenced conditionally, causing
a harmless warning when CONFIG_PM is disabled:

drivers/clk/samsung/clk-exynos5433.c:5476:12: error: 'exynos5433_cmu_resume' defined but not used [-Werror=unused-function]
drivers/clk/samsung/clk-exynos5433.c:5453:12: error: 'exynos5433_cmu_suspend' defined but not used [-Werror=unused-function]

This marks both as __maybe_unused to shut up the warning.

Fixes: 523d3de41f02 ("clk: samsung: exynos5433: Add support for runtime PM")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
Acked-by: Chanwoo Choi <cw00.choi@samsung.com>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
5 years agoclk: samsung: exynos-audss: Add support for runtime PM
Marek Szyprowski [Mon, 21 Aug 2017 08:05:03 +0000 (10:05 +0200)]
clk: samsung: exynos-audss: Add support for runtime PM

This patch adds support for runtime PM to Exynos Audio SubSystem driver to
enable full support for audio power domain on Exynos5 SoCs. The main change
is moving register saving and restoring code from system sleep PM ops to
runtime PM ops and implementing system sleep PM ops with generic
pm_runtime_force_suspend/resume helpers. Runtime PM of the Exynos AudSS
device is managed from clock core depending on the preparation status
of the provided clocks.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Link: lkml.kernel.org/r/1503302703-13801-6-git-send-email-m.szyprowski@samsung.com

5 years agoclk: samsung: exynos-audss: Use local variable for controller's device
Marek Szyprowski [Mon, 21 Aug 2017 08:05:02 +0000 (10:05 +0200)]
clk: samsung: exynos-audss: Use local variable for controller's device

Store pointer to the controller's device in local variable to avoid
extracting it from platform device in each call. This will also simplify
code in the future, when runtime PM support is added.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Link: lkml.kernel.org/r/1503302703-13801-5-git-send-email-m.szyprowski@samsung.com

5 years agoclk: samsung: exynos5433: Add support for runtime PM
Marek Szyprowski [Mon, 21 Aug 2017 08:05:01 +0000 (10:05 +0200)]
clk: samsung: exynos5433: Add support for runtime PM

Add runtime pm support for all clock controller units (CMU), which belong
to power domains and require special handling during on/off operations.
Typically special values has to be written to MUX registers to change
internal clocks parents to OSC clock before turning power off. During such
operation all clocks, which enter CMU has to be enabled to let MUX to
stabilize. Also for each CMU there is one special parent clock, which has
to be enabled all the time when any access to CMU registers is being done.

This patch solves most of the mysterious external abort and freeze issues
caused by a lack of proper parent CMU clock enabled or incorrect turn off
procedure.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Tested-by: Chanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Link: lkml.kernel.org/r/1503302703-13801-4-git-send-email-m.szyprowski@samsung.com

5 years agoclk: samsung: Add support for runtime PM
Marek Szyprowski [Mon, 21 Aug 2017 08:05:00 +0000 (10:05 +0200)]
clk: samsung: Add support for runtime PM

This patch adds struct device pointer to samsung_clk_provider and forwarding it
to clk_register_* functions, so drivers can register clocks, which use runtime
pm feature.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Reviewed-by: Chanwoo Choi <cw00.choi@samsung.com>
Tested-by: Chanwoo Choi <cw00.choi@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Link: lkml.kernel.org/r/1503302703-13801-3-git-send-email-m.szyprowski@samsung.com

5 years agoclk: Add support for runtime PM
Marek Szyprowski [Mon, 21 Aug 2017 08:04:59 +0000 (10:04 +0200)]
clk: Add support for runtime PM

Registers for some clocks might be located in the SOC area, which are under the
power domain. To enable access to those registers respective domain has to be
turned on. Additionally, registers for such clocks will usually loose its
contents when power domain is turned off, so additional saving and restoring of
them might be needed in the clock controller driver.

This patch adds basic infrastructure in the clocks core to allow implementing
driver for such clocks under power domains. Clock provider can supply a
struct device pointer, which is the used by clock core for tracking and managing
clock's controller runtime pm state. Each clk_prepare() operation
will first call pm_runtime_get_sync() on the supplied device, while
clk_unprepare() will do pm_runtime_put_sync() at the end.

Additional calls to pm_runtime_get/put functions are required to ensure that any
register access (like calculating/changing clock rates and unpreparing/disabling
unused clocks on boot) will be done with clock controller in runtime resumend
state.

When one wants to register clock controller, which make use of this feature, he
has to:
1. Provide a struct device to the core when registering the provider.
2. Ensure to enable runtime PM for that device before registering clocks.
3. Make sure that the runtime PM status of the controller device reflects
   the HW state.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Michael Turquette <mturquette@baylibre.com>
Link: lkml.kernel.org/r/1503302703-13801-2-git-send-email-m.szyprowski@samsung.com

5 years agodt-bindings: samsung: Document binding for new Odroid HC1 board
Krzysztof Kozlowski [Sun, 8 Oct 2017 12:26:28 +0000 (14:26 +0200)]
dt-bindings: samsung: Document binding for new Odroid HC1 board

Document the binding for new Hardkernel Odroid HC1 board.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add HDMI and Sil9234 to Trats2 board
Maciej Purski [Mon, 9 Oct 2017 07:39:38 +0000 (09:39 +0200)]
ARM: dts: exynos: Add HDMI and Sil9234 to Trats2 board

Add HDMI and Sil9234 MHL converter to Trats2 board.
Following in SoC devices have been enabled:
- HDMI (HDMI signal encoder),
- Mixer (video buffer scanout device),
- I2C_5 bus (used for HDMI DDC)
- I2C_8 bus (used for HDMI_PHY control).

Based on previous work by:
Tomasz Stanislawski <t.stanislaws@samsung.com>

Signed-off-by: Maciej Purski <m.purski@samsung.com>
Reviewed-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agosoc: samsung: Remove Exynos4212 related dead code
Marek Szyprowski [Wed, 4 Oct 2017 06:38:23 +0000 (08:38 +0200)]
soc: samsung: Remove Exynos4212 related dead code

Support for Exynos4212 SoCs has been removed by commit bca9085e0ae9 ("ARM:
dts: exynos: remove Exynos4212 support (dead code)"), so there is no need
to keep remaining dead code related to this SoC version.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: EXYNOS: Remove Exynos4212 related dead code
Marek Szyprowski [Wed, 4 Oct 2017 06:38:22 +0000 (08:38 +0200)]
ARM: EXYNOS: Remove Exynos4212 related dead code

Support for Exynos4212 SoCs has been removed by commit bca9085e0ae9 ("ARM:
dts: exynos: remove Exynos4212 support (dead code)"), so there is no need
to keep remaining dead code related to this SoC version.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: SAMSUNG: Simplify size used for kzalloc
Markus Elfring [Wed, 4 Oct 2017 07:52:33 +0000 (09:52 +0200)]
ARM: SAMSUNG: Simplify size used for kzalloc

Simplify the size argument of kzalloc() memory allocation by using
sizeof(*ptr) syntax in adc.c and devs.c.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
[krzk: Rewrite commit message]
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: SAMSUNG: Remove printk for failed memory allocation
Markus Elfring [Wed, 4 Oct 2017 07:33:52 +0000 (09:33 +0200)]
ARM: SAMSUNG: Remove printk for failed memory allocation

Omit an extra message for a memory allocation failure in adc.c and
platformdata.c.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: multi_v7_defconfig: Enable UAS support for Odroid HC1 board
Marek Szyprowski [Tue, 3 Oct 2017 10:13:32 +0000 (12:13 +0200)]
ARM: multi_v7_defconfig: Enable UAS support for Odroid HC1 board

Odroid HC1 board has built-in JMicron USB to SATA bridge, which supports
UAS protocol. Enable support for it to make sure that all built-in storage
devices are available. Enable it as module to keep in line with multi_v7
policy to enable drivers as build-in only if they are critical for boot
process. On Odroid HC1 the kernel itself has to be still read from the
SD-card, so assume that modules/initrd is also accessible there.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board
Marek Szyprowski [Mon, 2 Oct 2017 06:39:34 +0000 (08:39 +0200)]
ARM: dts: exynos: Add support for Hardkernel's Odroid HC1 board

Odroid HC1 board is based on Odroid XU4 board, but it has no HDMI,
no eMMC, no built-in USB3.0 hub, no extension port pins, and no GPIO
button. USB3.0 ports are used for built-in JMicron USB to SATA bridge
and Gigabit R8152 ethernet chips. HC1 uses only passive cooling.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: multi_v7_defconfig: Enable USB3503 driver
Linus Lüssing [Thu, 28 Sep 2017 20:27:03 +0000 (22:27 +0200)]
ARM: multi_v7_defconfig: Enable USB3503 driver

The Odroid U3 (Exynos 4412 based) for instance needs this driver,
otherwise its USB hub will not come up.

Also selecting it as built-in to allow booting from USB without
an initrd/initramfs.

Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Move audio clocks configuration to odroidxu3-audio.dtsi
Marek Szyprowski [Fri, 29 Sep 2017 12:33:25 +0000 (14:33 +0200)]
ARM: dts: exynos: Move audio clocks configuration to odroidxu3-audio.dtsi

Audio subsystem clocks configuration is a part of audio block,
so there it should be moved to exynos5422-odroidxu3-audio.dtsi
to avoid it on Odroid XU4, which has no audio codec.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add dwc3 SUSPHY quirk
Andrzej Pietrasiewicz [Mon, 18 Sep 2017 10:02:13 +0000 (12:02 +0200)]
ARM: dts: exynos: Add dwc3 SUSPHY quirk

Odroid XU4 board does not enumerate SuperSpeed devices.
This patch makes exynos5 series chips use USB SUSPHY quirk,
which solves the problem.

Signed-off-by: Andrzej Pietrasiewicz <andrzej.p@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add status property to Exynos 542x Mixer nodes
Marek Szyprowski [Fri, 15 Sep 2017 09:11:23 +0000 (11:11 +0200)]
ARM: dts: exynos: Add status property to Exynos 542x Mixer nodes

HDMI support requires some additional off-SoC logic, so Mixer device (part
of HDMI display path) should be disabled by default in SoC dtsi and enabled
then in each board dts. This patch unifies Mixer handling with other
Exynos SoCs.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add status property to Exynos 5250 HDMI and Mixer nodes
Marek Szyprowski [Fri, 15 Sep 2017 09:11:22 +0000 (11:11 +0200)]
ARM: dts: exynos: Add status property to Exynos 5250 HDMI and Mixer nodes

HDMI support requires some additional off-SoC logic, so HDMI and Mixer
devices should be disabled by default in SoC dtsi and enabled then
in each board dts. This patch unifies HDMI and Mixer handling with other
Exynos SoCs.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Cleanup HDMI DCC definitions on Exynos5250 and Exynos542x boards
Marek Szyprowski [Fri, 15 Sep 2017 09:11:21 +0000 (11:11 +0200)]
ARM: dts: exynos: Cleanup HDMI DCC definitions on Exynos5250 and Exynos542x boards

Commit 2b7681326dc2 ("drm/exynos: hdmi: remove the i2c drivers and use")
merged to v3.15 kernel added a required 'ddc' property to Exynos HDMI
device tree bindings, which should point to i2c bus used for handling DDC
(mainly reading display's EDID information). It has been enough time to
convert all boards to use new bindings, but sadly due to copy/paste design
the old approach using separate node with 'samsung,exynos4210-hdmiddc'
compatible was used also for many new boards. This patch finally converts
all boards to the new approach and unifies HDMI DDC definition across all
Exynos boards.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Move HDMI PHY node from boards to exynos5250.dtsi
Marek Szyprowski [Fri, 15 Sep 2017 09:11:20 +0000 (11:11 +0200)]
ARM: dts: exynos: Move HDMI PHY node from boards to exynos5250.dtsi

All Exynos 5250 SoCs have HDMI PHY connected via dedicated I2C bus (bus
number 8), so HDMI PHY should be defined in exynos5250.dtsi instead of
duplicating it in every board, which enables HDMI support.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Use specific compatibles for proper Gscaler limits on Exynos5250...
Hoegeun Kwon [Wed, 13 Sep 2017 11:41:53 +0000 (20:41 +0900)]
ARM: dts: exynos: Use specific compatibles for proper Gscaler limits on Exynos5250 and Exynos5420

Exynos 5250 and 5420 have different hardware rotation limits. However,
currently it uses only one compatible - "exynos5-gsc". Since we have
to distinguish between these two, we add different compatible.

Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Remove redundant interrupt properties in gpio-keys on Odroid boards
Marek Szyprowski [Fri, 15 Sep 2017 06:42:47 +0000 (08:42 +0200)]
ARM: dts: exynos: Remove redundant interrupt properties in gpio-keys on Odroid boards

GPIO keys don't need interrupt property. Interrupt number can be derived
directly from the GPIO pin definition, so remove redundant 'interrupts'
and 'interrupt-parent' properties from gpio-keys nodes on
Exynos4412-based Odroid boards.

Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Add power button for Odroid XU3/4
Brian Kim [Tue, 12 Sep 2017 11:57:54 +0000 (13:57 +0200)]
ARM: dts: exynos: Add power button for Odroid XU3/4

The power button (SW2) on Odroid XU3/4 is connected to the PWRON pin
of the S2MPS11 PMIC.

The S2MPS11 datasheet says that ONOB pin operates as 'PWRON key active
low signal'. In fact, S2MPS11 PMIC acts as a 16ms debouce filter and
signal inverter, thus effectively repeating PWRON (active high) to ONOB
pin (active low).

ONOB PMIC pin is then connected to XEINT3 SoC pin, so we get the state
of the power button on the gpx0-3 GPIO.

This patch adds device-tree bindings for the power button of Odroid
XU3/4 boards.

Signed-off-by: Brian Kim <brian.kim@hardkernel.com>
[mszyprow: extended commit message, added comments and fixed minor
 issues in the dts]
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Reviewed-by: Anand Moon <linux.amoon@gmail.com>
Tested-by: Anand Moon <linux.amoon@gmail.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: Remove the display-timing and delay from Rinato
Hoegeun Kwon [Mon, 18 Sep 2017 02:54:24 +0000 (11:54 +0900)]
ARM: dts: exynos: Remove the display-timing and delay from Rinato

The display-timing and delay are included in the panel driver so they
should be removed from dts.

Signed-off-by: Hoegeun Kwon <hoegeun.kwon@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: add exynos5422 cpu capacity-dmips-mhz information
Dietmar Eggemann [Wed, 30 Aug 2017 14:41:19 +0000 (15:41 +0100)]
ARM: dts: exynos: add exynos5422 cpu capacity-dmips-mhz information

The following 'capacity-dmips-mhz' dt property values are used:

Cortex-A15: 1024, Cortex-A7: 539

They have been derived form the cpu_efficiency values:

Cortex-A15: 3891, Cortex-A7: 2048

by scaling them so that the Cortex-A15s (big cores) use 1024.

The cpu_efficiency values were originally derived from the "Big.LITTLE
Processing with ARM Cortex™-A15 & Cortex-A7" white paper
(http://www.cl.cam.ac.uk/~rdm34/big.LITTLE.pdf). Table 1 lists 1.9x
(3891/2048) as the Cortex-A15 vs Cortex-A7 performance ratio for the
Dhrystone benchmark.

The following platforms are affected once cpu-invariant accounting
support is re-connected to the task scheduler:

odroidxu3, odroidxu3-lite, odroidxu4

Cc: Rob Herring <robh+dt@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: add exynos5420 cpu capacity-dmips-mhz information
Dietmar Eggemann [Wed, 30 Aug 2017 14:41:18 +0000 (15:41 +0100)]
ARM: dts: exynos: add exynos5420 cpu capacity-dmips-mhz information

The following 'capacity-dmips-mhz' dt property values are used:

Cortex-A15: 1024, Cortex-A7: 539

They have been derived from the cpu_efficiency values:

Cortex-A15: 3891, Cortex-A7: 2048

by scaling them so that the Cortex-A15s (big cores) use 1024.

The cpu_efficiency values were originally derived from the "Big.LITTLE
Processing with ARM Cortex™-A15 & Cortex-A7" white paper
(http://www.cl.cam.ac.uk/~rdm34/big.LITTLE.pdf). Table 1 lists 1.9x
(3891/2048) as the Cortex-A15 vs Cortex-A7 performance ratio for the
Dhrystone benchmark.

The following platforms are affected once cpu-invariant accounting
support is re-connected to the task scheduler:

arndale-octa, peach-pi, peach-pit, smdk5420

The patch has been tested on Samsung Chromebook 2 13" (peach-pi, Exynos
5800).

$ cat /sys/devices/system/cpu/cpu*/cpu_capacity
1024
1024
1024
1024
389
389
389
389

The Cortex-A15 vs Cortex-A7 performance ratio is 1024/389 = 2.63.

The values derived with the 'cpu_efficiency/clock-frequency dt property'
solution are:

$ cat /sys/devices/system/cpu/cpu*/cpu_capacity
1535
1535
1535
1535
448
448
448
448

The Cortex-A15 vs Cortex-A7 performance ratio is 1535/448 = 3.43.

The discrepancy between 2.63 and 3.43 is due to the false assumption
when using the 'cpu_efficiency/clock-frequency dt property' solution
that the max cpu frequency of the little cpus is 1 GHZ and not 1.3 GHz.
The Cortex-A7 cluster runs with a max cpu frequency of 1.3 GHZ whereas
the 'clock-frequency' property value is set to 1 GHz.

3.43/1.3 = 2.64

$ cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_max_freq
1800000
1800000
1800000
1800000
1300000 <-- max cpu frequency of the Cortex-A7s (little cores)
1300000
1300000
1300000

Running another benchmark (single-threaded sysbench affine to the
individual cpus) with performance cpufreq governor on the Samsung
Chromebook 2 13" showed the following numbers:

$ for i in `seq 0 7`; do taskset -c $i sysbench --test=cpu
  --num-threads=1 --max-time=10 run | grep "total number of events:";
  done

total number of events: 1083
total number of events: 1085
total number of events: 1085
total number of events: 1085
total number of events: 454
total number of events: 454
total number of events: 454
total number of events: 454

The Cortex-A15 vs Cortex-A7 performance ratio is 2.39, i.e. very close
to the one derived from the Dhrystone based one of the "Big.LITTLE
Processing with ARM Cortex™-A15 & Cortex-A7" white paper (2.63).

We don't aim for exact values for the cpu capacity values. Besides the
CPI (Cycles Per Instruction), the instruction mix and whether the system
runs cpu-bound or memory-bound has an impact on the cpu capacity values
derived from these benchmark results.

Cc: Rob Herring <robh+dt@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoARM: dts: exynos: fix incomplete Odroid-XU3/4 thermal-zones definition
Willy Wolff [Thu, 7 Sep 2017 16:10:00 +0000 (18:10 +0200)]
ARM: dts: exynos: fix incomplete Odroid-XU3/4 thermal-zones definition

Odroid XU3/4 boards have thermal sensors per 4 pairs of A7+A15
cores but currently there is only one thermal-zone (including
cooling maps) defined (for the first pair of cores - the first
core of the A7 cluster and the first core of A15 cluster) so
i.e. if the task is running on any of A15 cores but the first
one, such core can reach high temperature without any proper
cooling action.

Fix it by adding missing thermal-zones definitions.

Also while at it fix the number of steps in cpufreq cooling for
cpu4 (11 steps for A15 corresponds to 700MHz, for 600MHz 12 steps
should be used).

Signed-off-by: Willy Wolff <willy.mh.wolff@gmail.com>
[b.zolnierkie: rewrote patch subject & description + minor fixups]
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
5 years agoLinux 4.14.99 v4.14.99
Greg Kroah-Hartman [Tue, 12 Feb 2019 18:46:14 +0000 (19:46 +0100)]
Linux 4.14.99

5 years agoath9k: dynack: check da->enabled first in sampling routines
Lorenzo Bianconi [Fri, 2 Nov 2018 20:49:57 +0000 (21:49 +0100)]
ath9k: dynack: check da->enabled first in sampling routines

commit 9d3d65a91f027b8a9af5e63752d9b78cb10eb92d upstream.

Check da->enabled flag first in ath_dynack_sample_tx_ts and
ath_dynack_sample_ack_ts routines in order to avoid useless
processing

Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoath9k: dynack: make ewma estimation faster
Lorenzo Bianconi [Fri, 2 Nov 2018 20:49:58 +0000 (21:49 +0100)]
ath9k: dynack: make ewma estimation faster

commit 0c60c490830a1a756c80f8de8d33d9c6359d4a36 upstream.

In order to make propagation time estimation faster,
use current sample as ewma output value during 'late ack'
tracking

Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoperf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()
Peter Zijlstra [Wed, 19 Dec 2018 16:53:50 +0000 (17:53 +0100)]
perf/x86/intel: Delay memory deallocation until x86_pmu_dead_cpu()

commit 602cae04c4864bb3487dfe4c2126c8d9e7e1614a upstream.

intel_pmu_cpu_prepare() allocated memory for ->shared_regs among other
members of struct cpu_hw_events. This memory is released in
intel_pmu_cpu_dying() which is wrong. The counterpart of the
intel_pmu_cpu_prepare() callback is x86_pmu_dead_cpu().

Otherwise if the CPU fails on the UP path between CPUHP_PERF_X86_PREPARE
and CPUHP_AP_PERF_X86_STARTING then it won't release the memory but
allocate new memory on the next attempt to online the CPU (leaking the
old memory).
Also, if the CPU down path fails between CPUHP_AP_PERF_X86_STARTING and
CPUHP_PERF_X86_PREPARE then the CPU will go back online but never
allocate the memory that was released in x86_pmu_dying_cpu().

Make the memory allocation/free symmetrical in regard to the CPU hotplug
notifier by moving the deallocation to intel_pmu_cpu_dead().

This started in commit:

   a7e3ed1e47011 ("perf: Add support for supplementary event registers").

In principle the bug was introduced in v2.6.39 (!), but it will almost
certainly not backport cleanly across the big CPU hotplug rewrite between v4.7-v4.15...

[ bigeasy: Added patch description. ]
[ mingo: Added backporting guidance. ]

Reported-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> # With developer hat on
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> # With maintainer hat on
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: acme@kernel.org
Cc: bp@alien8.de
Cc: hpa@zytor.com
Cc: jolsa@kernel.org
Cc: kan.liang@linux.intel.com
Cc: namhyung@kernel.org
Cc: <stable@vger.kernel.org>
Fixes: a7e3ed1e47011 ("perf: Add support for supplementary event registers").
Link: https://lkml.kernel.org/r/20181219165350.6s3jvyxbibpvlhtq@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ He Zhe: Fixes conflict caused by missing disable_counter_freeze which is
 introduced since v4.20 af3bdb991a5cb. ]
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoIB/hfi1: Add limit test for RC/UC send via loopback
Mike Marciniszyn [Thu, 17 Jan 2019 20:42:16 +0000 (12:42 -0800)]
IB/hfi1: Add limit test for RC/UC send via loopback

commit 09ce351dff8e7636af0beb72cd4a86c3904a0500 upstream.

Fix potential memory corruption and panic in loopback for IB_WR_SEND
variants.

The code blindly assumes the posted length will fit in the fetched rwqe,
which is not a valid assumption.

Fix by adding a limit test, and triggering the appropriate send completion
and putting the QP in an error state.  This mimics the handling for
non-loopback QPs.

Fixes: 15703461533a ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt")
Cc: <stable@vger.kernel.org> #v4.20+
Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
5 years agonfsd4: catch some false session retries
J. Bruce Fields [Wed, 18 Oct 2017 00:38:49 +0000 (20:38 -0400)]
nfsd4: catch some false session retries

commit 53da6a53e1d414e05759fa59b7032ee08f4e22d7 upstream.

The spec allows us to return NFS4ERR_SEQ_FALSE_RETRY if we notice that
the client is making a call that matches a previous (slot, seqid) pair
but that *isn't* actually a replay, because some detail of the call
doesn't actually match the previous one.

Catching every such case is difficult, but we may as well catch a few
easy ones.  This also handles the case described in the previous patch,
in a different way.

The spec does however require us to catch the case where the difference
is in the rpc credentials.  This prevents somebody from snooping another
user's replies by fabricating retries.

(But the practical value of the attack is limited by the fact that the
replies with the most sensitive data are READ replies, which are not
normally cached.)

Tested-by: Olga Kornievskaia <aglo@umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Donald Buczek <buczek@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agonfsd4: fix cached replies to solo SEQUENCE compounds
J. Bruce Fields [Wed, 18 Oct 2017 20:17:18 +0000 (16:17 -0400)]
nfsd4: fix cached replies to solo SEQUENCE compounds

commit 085def3ade52f2ffe3e31f42e98c27dcc222dd37 upstream.

Currently our handling of 4.1+ requests without "cachethis" set is
confusing and not quite correct.

Suppose a client sends a compound consisting of only a single SEQUENCE
op, and it matches the seqid in a session slot (so it's a retry), but
the previous request with that seqid did not have "cachethis" set.

The obvious thing to do might be to return NFS4ERR_RETRY_UNCACHED_REP,
but the protocol only allows that to be returned on the op following the
SEQUENCE, and there is no such op in this case.

The protocol permits us to cache replies even if the client didn't ask
us to.  And it's easy to do so in the case of solo SEQUENCE compounds.

So, when we get a solo SEQUENCE, we can either return the previously
cached reply or NFSERR_SEQ_FALSE_RETRY if we notice it differs in some
way from the original call.

Currently, we're returning a corrupt reply in the case a solo SEQUENCE
matches a previous compound with more ops.  This actually matters
because the Linux client recently started doing this as a way to recover
from lost replies to idempotent operations in the case the process doing
the original reply was killed: in that case it's difficult to keep the
original arguments around to do a real retry, and the client no longer
cares what the result is anyway, but it would like to make sure that the
slot's sequence id has been incremented, and the solo SEQUENCE assures
that: if the server never got the original reply, it will increment the
sequence id.  If it did get the original reply, it won't increment, and
nothing else that about the reply really matters much.  But we can at
least attempt to return valid xdr!

Tested-by: Olga Kornievskaia <aglo@umich.edu>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Donald Buczek <buczek@molgen.mpg.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoserial: 8250_pci: Make PCI class test non fatal
Andy Shevchenko [Thu, 24 Jan 2019 21:51:21 +0000 (23:51 +0200)]
serial: 8250_pci: Make PCI class test non fatal

commit 824d17c57b0abbcb9128fb3f7327fae14761914b upstream.

As has been reported the National Instruments serial cards have broken
PCI class.

The commit 7d8905d06405

  ("serial: 8250_pci: Enable device after we check black list")

made the PCI class check mandatory for the case when device is listed in
a quirk list.

Make PCI class test non fatal to allow broken card be enumerated.

Fixes: 7d8905d06405 ("serial: 8250_pci: Enable device after we check black list")
Cc: stable <stable@vger.kernel.org>
Reported-by: Guan Yung Tseng <guan.yung.tseng@ni.com>
Tested-by: Guan Yung Tseng <guan.yung.tseng@ni.com>
Tested-by: KHUENY.Gerhard <Gerhard.KHUENY@bachmann.info>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoserial: fix race between flush_to_ldisc and tty_open
Greg Kroah-Hartman [Thu, 31 Jan 2019 09:43:16 +0000 (17:43 +0800)]
serial: fix race between flush_to_ldisc and tty_open

commit fedb5760648a291e949f2380d383b5b2d2749b5e upstream.

There still is a race window after the commit b027e2298bd588
("tty: fix data race between tty_init_dev and flush of buf"),
and we encountered this crash issue if receive_buf call comes
before tty initialization completes in tty_open and
tty->driver_data may be NULL.

CPU0                                    CPU1
----                                    ----
                                  tty_open
                                   tty_init_dev
                                     tty_ldisc_unlock
                                       schedule
flush_to_ldisc
 receive_buf
  tty_port_default_receive_buf
   tty_ldisc_receive_buf
    n_tty_receive_buf_common
      __receive_buf
       uart_flush_chars
        uart_start
        /*tty->driver_data is NULL*/
                                   tty->ops->open
                                   /*init tty->driver_data*/

it can be fixed by extending ldisc semaphore lock in tty_init_dev
to driver_data initialized completely after tty->ops->open(), but
this will lead to get lock on one function and unlock in some other
function, and hard to maintain, so fix this race only by checking
tty->driver_data when receiving, and return if tty->driver_data
is NULL, and n_tty_receive_buf_common maybe calls uart_unthrottle,
so add the same check.

Because the tty layer knows nothing about the driver associated with the
device, the tty layer can not do anything here, it is up to the tty
driver itself to check for this type of race.  Fix up the serial driver
to correctly check to see if it is finished binding with the device when
being called, and if not, abort the tty calls.

[Description and problem report and testing from Li RongQing, I rewrote
the patch to be in the serial layer, not in the tty core - gregkh]

Reported-by: Li RongQing <lirongqing@baidu.com>
Tested-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Wang Li <wangli39@baidu.com>
Signed-off-by: Zhang Yu <zhangyu31@baidu.com>
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoperf tests evsel-tp-sched: Fix bitwise operator
Gustavo A. R. Silva [Tue, 22 Jan 2019 23:34:39 +0000 (17:34 -0600)]
perf tests evsel-tp-sched: Fix bitwise operator

commit 489338a717a0dfbbd5a3fabccf172b78f0ac9015 upstream.

Notice that the use of the bitwise OR operator '|' always leads to true
in this particular case, which seems a bit suspicious due to the context
in which this expression is being used.

Fix this by using bitwise AND operator '&' instead.

This bug was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Acked-by: Jiri Olsa <jolsa@kernel.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Fixes: 6a6cd11d4e57 ("perf test: Add test for the sched tracepoint format fields")
Link: http://lkml.kernel.org/r/20190122233439.GA5868@embeddedor
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoperf/core: Don't WARN() for impossible ring-buffer sizes
Mark Rutland [Thu, 10 Jan 2019 14:27:45 +0000 (14:27 +0000)]
perf/core: Don't WARN() for impossible ring-buffer sizes

commit 9dff0aa95a324e262ffb03f425d00e4751f3294e upstream.

The perf tool uses /proc/sys/kernel/perf_event_mlock_kb to determine how
large its ringbuffer mmap should be. This can be configured to arbitrary
values, which can be larger than the maximum possible allocation from
kmalloc.

When this is configured to a suitably large value (e.g. thanks to the
perf fuzzer), attempting to use perf record triggers a WARN_ON_ONCE() in
__alloc_pages_nodemask():

   WARNING: CPU: 2 PID: 5666 at mm/page_alloc.c:4511 __alloc_pages_nodemask+0x3f8/0xbc8

Let's avoid this by checking that the requested allocation is possible
before calling kzalloc.

Reported-by: Julien Thierry <julien.thierry@arm.com>
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Julien Thierry <julien.thierry@arm.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org>
Link: https://lkml.kernel.org/r/20190110142745.25495-1-mark.rutland@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agox86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()
Tony Luck [Fri, 1 Feb 2019 00:33:41 +0000 (16:33 -0800)]
x86/MCE: Initialize mce.bank in the case of a fatal error in mce_no_way_out()

commit d28af26faa0b1daf3c692603d46bc4687c16f19e upstream.

Internal injection testing crashed with a console log that said:

  mce: [Hardware Error]: CPU 7: Machine Check Exception: f Bank 0: bd80000000100134

This caused a lot of head scratching because the MCACOD (bits 15:0) of
that status is a signature from an L1 data cache error. But Linux says
that it found it in "Bank 0", which on this model CPU only reports L1
instruction cache errors.

The answer was that Linux doesn't initialize "m->bank" in the case that
it finds a fatal error in the mce_no_way_out() pre-scan of banks. If
this was a local machine check, then this partially initialized struct
mce is being passed to mce_panic().

Fix is simple: just initialize m->bank in the case of a fatal error.

Fixes: 40c36e2741d7 ("x86/mce: Fix incorrect "Machine check from unknown source" message")
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: x86-ml <x86@kernel.org>
Cc: stable@vger.kernel.org # v4.18 Note pre-v5.0 arch/x86/kernel/cpu/mce/core.c was called arch/x86/kernel/cpu/mcheck/mce.c
Link: https://lkml.kernel.org/r/20190201003341.10638-1-tony.luck@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoperf/x86/intel/uncore: Add Node ID mask
Kan Liang [Sun, 27 Jan 2019 14:53:14 +0000 (06:53 -0800)]
perf/x86/intel/uncore: Add Node ID mask

commit 9e63a7894fd302082cf3627fe90844421a6cbe7f upstream.

Some PCI uncore PMUs cannot be registered on an 8-socket system (HPE
Superdome Flex).

To understand which Socket the PCI uncore PMUs belongs to, perf retrieves
the local Node ID of the uncore device from CPUNODEID(0xC0) of the PCI
configuration space, and the mapping between Socket ID and Node ID from
GIDNIDMAP(0xD4). The Socket ID can be calculated accordingly.

The local Node ID is only available at bit 2:0, but current code doesn't
mask it. If a BIOS doesn't clear the rest of the bits, an incorrect Node ID
will be fetched.

Filter the Node ID by adding a mask.

Reported-by: Song Liu <songliubraving@fb.com>
Tested-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: <stable@vger.kernel.org> # v3.7+
Fixes: 7c94ee2e0917 ("perf/x86: Add Intel Nehalem and Sandy Bridge-EP uncore support")
Link: https://lkml.kernel.org/r/1548600794-33162-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agocpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM
Josh Poimboeuf [Wed, 30 Jan 2019 13:13:58 +0000 (07:13 -0600)]
cpu/hotplug: Fix "SMT disabled by BIOS" detection for KVM

commit b284909abad48b07d3071a9fc9b5692b3e64914b upstream.

With the following commit:

  73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")

... the hotplug code attempted to detect when SMT was disabled by BIOS,
in which case it reported SMT as permanently disabled.  However, that
code broke a virt hotplug scenario, where the guest is booted with only
primary CPU threads, and a sibling is brought online later.

The problem is that there doesn't seem to be a way to reliably
distinguish between the HW "SMT disabled by BIOS" case and the virt
"sibling not yet brought online" case.  So the above-mentioned commit
was a bit misguided, as it permanently disabled SMT for both cases,
preventing future virt sibling hotplugs.

Going back and reviewing the original problems which were attempted to
be solved by that commit, when SMT was disabled in BIOS:

  1) /sys/devices/system/cpu/smt/control showed "on" instead of
     "notsupported"; and

  2) vmx_vm_init() was incorrectly showing the L1TF_MSG_SMT warning.

I'd propose that we instead consider #1 above to not actually be a
problem.  Because, at least in the virt case, it's possible that SMT
wasn't disabled by BIOS and a sibling thread could be brought online
later.  So it makes sense to just always default the smt control to "on"
to allow for that possibility (assuming cpuid indicates that the CPU
supports SMT).

The real problem is #2, which has a simple fix: change vmx_vm_init() to
query the actual current SMT state -- i.e., whether any siblings are
currently online -- instead of looking at the SMT "control" sysfs value.

So fix it by:

  a) reverting the original "fix" and its followup fix:

     73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")
     bc2d8d262cba ("cpu/hotplug: Fix SMT supported evaluation")

     and

  b) changing vmx_vm_init() to query the actual current SMT state --
     instead of the sysfs control value -- to determine whether the L1TF
     warning is needed.  This also requires the 'sched_smt_present'
     variable to exported, instead of 'cpu_smt_control'.

Fixes: 73d5e2b47264 ("cpu/hotplug: detect SMT disabled by BIOS")
Reported-by: Igor Mammedov <imammedo@redhat.com>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Joe Mario <jmario@redhat.com>
Cc: Jiri Kosina <jikos@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: kvm@vger.kernel.org
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/e3a85d585da28cc333ecbc1e78ee9216e6da9396.1548794349.git.jpoimboe@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoKVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)
Peter Shier [Thu, 11 Oct 2018 18:46:46 +0000 (11:46 -0700)]
KVM: nVMX: unconditionally cancel preemption timer in free_nested (CVE-2019-7221)

commit ecec76885bcfe3294685dc363fd1273df0d5d65f upstream.

Bugzilla: 1671904

There are multiple code paths where an hrtimer may have been started to
emulate an L1 VMX preemption timer that can result in a call to free_nested
without an intervening L2 exit where the hrtimer is normally
cancelled. Unconditionally cancel in free_nested to cover all cases.

Embargoed until Feb 7th 2019.

Signed-off-by: Peter Shier <pshier@google.com>
Reported-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Message-Id: <20181011184646.154065-1-pshier@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agokvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)
Jann Horn [Sat, 26 Jan 2019 00:54:33 +0000 (01:54 +0100)]
kvm: fix kvm_ioctl_create_device() reference counting (CVE-2019-6974)

commit cfa39381173d5f969daf43582c95ad679189cbc9 upstream.

kvm_ioctl_create_device() does the following:

1. creates a device that holds a reference to the VM object (with a borrowed
   reference, the VM's refcount has not been bumped yet)
2. initializes the device
3. transfers the reference to the device to the caller's file descriptor table
4. calls kvm_get_kvm() to turn the borrowed reference to the VM into a real
   reference

The ownership transfer in step 3 must not happen before the reference to the VM
becomes a proper, non-borrowed reference, which only happens in step 4.
After step 3, an attacker can close the file descriptor and drop the borrowed
reference, which can cause the refcount of the kvm object to drop to zero.

This means that we need to grab a reference for the device before
anon_inode_getfd(), otherwise the VM can disappear from under us.

Fixes: 852b6d57dc7f ("kvm: add device control API")
Cc: stable@kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoKVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)
Paolo Bonzini [Tue, 29 Jan 2019 17:41:16 +0000 (18:41 +0100)]
KVM: x86: work around leak of uninitialized stack contents (CVE-2019-7222)

commit 353c0956a618a07ba4bbe7ad00ff29fe70e8412a upstream.

Bugzilla: 1671930

Emulation of certain instructions (VMXON, VMCLEAR, VMPTRLD, VMWRITE with
memory operand, INVEPT, INVVPID) can incorrectly inject a page fault
when passed an operand that points to an MMIO address.  The page fault
will use uninitialized kernel stack memory as the CR2 and error code.

The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
exit to userspace; however, it is not an easy fix, so for now just
ensure that the error code and CR2 are zero.

Embargoed until Feb 7th 2019.

Reported-by: Felix Wilhelm <fwilhelm@google.com>
Cc: stable@kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoscsi: aic94xx: fix module loading
James Bottomley [Thu, 31 Jan 2019 00:42:12 +0000 (16:42 -0800)]
scsi: aic94xx: fix module loading

commit 42caa0edabd6a0a392ec36a5f0943924e4954311 upstream.

The aic94xx driver is currently failing to load with errors like

sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:03.0/0000:02:00.3/0000:07:02.0/revision'

Because the PCI code had recently added a file named 'revision' to every
PCI device.  Fix this by renaming the aic94xx revision file to
aic_revision.  This is safe to do for us because as far as I can tell,
there's nothing in userspace relying on the current aic94xx revision file
so it can be renamed without breaking anything.

Fixes: 702ed3be1b1b (PCI: Create revision file in sysfs)
Cc: stable@vger.kernel.org
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoscsi: cxlflash: Prevent deadlock when adapter probe fails
Vaibhav Jain [Wed, 30 Jan 2019 12:26:51 +0000 (17:56 +0530)]
scsi: cxlflash: Prevent deadlock when adapter probe fails

commit bb61b843ffd46978d7ca5095453e572714934eeb upstream.

Presently when an error is encountered during probe of the cxlflash
adapter, a deadlock is seen with cpu thread stuck inside
cxlflash_remove(). Below is the trace of the deadlock as logged by
khungtaskd:

cxlflash 0006:00:00.0: cxlflash_probe: init_afu failed rc=-16
INFO: task kworker/80:1:890 blocked for more than 120 seconds.
       Not tainted 5.0.0-rc4-capi2-kexec+ #2
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
kworker/80:1    D    0   890      2 0x00000808
Workqueue: events work_for_cpu_fn

Call Trace:
 0x4d72136320 (unreliable)
 __switch_to+0x2cc/0x460
 __schedule+0x2bc/0xac0
 schedule+0x40/0xb0
 cxlflash_remove+0xec/0x640 [cxlflash]
 cxlflash_probe+0x370/0x8f0 [cxlflash]
 local_pci_probe+0x6c/0x140
 work_for_cpu_fn+0x38/0x60
 process_one_work+0x260/0x530
 worker_thread+0x280/0x5d0
 kthread+0x1a8/0x1b0
 ret_from_kernel_thread+0x5c/0x80
INFO: task systemd-udevd:5160 blocked for more than 120 seconds.

The deadlock occurs as cxlflash_remove() is called from cxlflash_probe()
without setting 'cxlflash_cfg->state' to STATE_PROBED and the probe thread
starts to wait on 'cxlflash_cfg->reset_waitq'. Since the device was never
successfully probed the 'cxlflash_cfg->state' never changes from
STATE_PROBING hence the deadlock occurs.

We fix this deadlock by setting the variable 'cxlflash_cfg->state' to
STATE_PROBED in case an error occurs during cxlflash_probe() and just
before calling cxlflash_remove().

Cc: stable@vger.kernel.org
Fixes: c21e0bbfc485("cxlflash: Base support for IBM CXL Flash Adapter")
Signed-off-by: Vaibhav Jain <vaibhav@linux.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agostaging: speakup: fix tty-operation NULL derefs
Johan Hovold [Wed, 30 Jan 2019 09:49:34 +0000 (10:49 +0100)]
staging: speakup: fix tty-operation NULL derefs

commit a1960e0f1639cb1f7a3d94521760fc73091f6640 upstream.

The send_xchar() and tiocmset() tty operations are optional. Add the
missing sanity checks to prevent user-space triggerable NULL-pointer
dereferences.

Fixes: 6b9ad1c742bf ("staging: speakup: add send_xchar, tiocmset and input functionality for tty")
Cc: stable <stable@vger.kernel.org> # 4.13
Cc: Okash Khawaja <okash.khawaja@gmail.com>
Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agousb: gadget: musb: fix short isoc packets with inventra dma
Paul Elder [Wed, 30 Jan 2019 14:13:21 +0000 (08:13 -0600)]
usb: gadget: musb: fix short isoc packets with inventra dma

commit c418fd6c01fbc5516a2cd1eaf1df1ec86869028a upstream.

Handling short packets (length < max packet size) in the Inventra DMA
engine in the MUSB driver causes the MUSB DMA controller to hang. An
example of a problem that is caused by this problem is when streaming
video out of a UVC gadget, only the first video frame is transferred.

For short packets (mode-0 or mode-1 DMA), MUSB_TXCSR_TXPKTRDY must be
set manually by the driver. This was previously done in musb_g_tx
(musb_gadget.c), but incorrectly (all csr flags were cleared, and only
MUSB_TXCSR_MODE and MUSB_TXCSR_TXPKTRDY were set). Fixing that problem
allows some requests to be transferred correctly, but multiple requests
were often put together in one USB packet, and caused problems if the
packet size was not a multiple of 4. Instead, set MUSB_TXCSR_TXPKTRDY
in dma_controller_irq (musbhsdma.c), just like host mode transfers.

This topic was originally tackled by Nicolas Boichat [0] [1] and is
discussed further at [2] as part of his GSoC project [3].

[0] https://groups.google.com/forum/?hl=en#!topic/beagleboard-gsoc/k8Azwfp75CU
[1] https://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commit/b0be3b6cc195ba732189b04f1d43ec843c3e54c9?p=beagleboard-usbsniffer:beagleboard-usbsniffer-kernel.git;a=patch;h=b0be3b6cc195ba732189b04f1d43ec843c3e54c9
[2] http://beagleboard-usbsniffer.blogspot.com/2010/07/musb-isochronous-transfers-fixed.html
[3] http://elinux.org/BeagleBoard/GSoC/USBSniffer

Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
Signed-off-by: Paul Elder <paul.elder@ideasonboard.com>
Signed-off-by: Bin Liu <b-liu@ti.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agousb: gadget: udc: net2272: Fix bitwise and boolean operations
Gustavo A. R. Silva [Tue, 22 Jan 2019 21:28:08 +0000 (15:28 -0600)]
usb: gadget: udc: net2272: Fix bitwise and boolean operations

commit 07c69f1148da7de3978686d3af9263325d9d60bd upstream.

(!x & y) strikes again.

Fix bitwise and boolean operations by enclosing the expression:

intcsr & (1 << NET2272_PCI_IRQ)

in parentheses, before applying the boolean operator '!'.

Notice that this code has been there since 2011. So, it would
be helpful if someone can double-check this.

This issue was detected with the help of Coccinelle.

Fixes: ceb80363b2ec ("USB: net2272: driver for PLX NET2272 USB device controller")
Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agousb: dwc3: gadget: Handle 0 xfer length for OUT EP
Tejas Joglekar [Tue, 22 Jan 2019 07:56:51 +0000 (13:26 +0530)]
usb: dwc3: gadget: Handle 0 xfer length for OUT EP

commit 1e19cdc8060227b0802bda6bc0bd22b23679ba32 upstream.

For OUT endpoints, zero-length transfers require MaxPacketSize buffer as
per the DWC_usb3 programming guide 3.30a section 4.2.3.3.

This patch fixes this by explicitly checking zero length
transfer to correctly pad up to MaxPacketSize.

Fixes: c6267a51639b ("usb: dwc3: gadget: align transfers to wMaxPacketSize")
Cc: stable@vger.kernel.org
Signed-off-by: Tejas Joglekar <joglekar@synopsys.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agousb: phy: am335x: fix race condition in _probe
Bin Liu [Wed, 16 Jan 2019 17:54:07 +0000 (11:54 -0600)]
usb: phy: am335x: fix race condition in _probe

commit a53469a68eb886e84dd8b69a1458a623d3591793 upstream.

power off the phy should be done before populate the phy. Otherwise,
am335x_init() could be called by the phy owner to power on the phy first,
then am335x_phy_probe() turns off the phy again without the caller knowing
it.

Fixes: 2fc711d76352 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup")
Cc: stable@vger.kernel.org # v3.18+
Signed-off-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoirqchip/gic-v3-its: Plug allocation race for devices sharing a DevID
Marc Zyngier [Tue, 29 Jan 2019 10:02:33 +0000 (10:02 +0000)]
irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID

commit 9791ec7df0e7b4d80706ccea8f24b6542f6059e9 upstream.

On systems or VMs where multiple devices share a single DevID
(because they sit behind a PCI bridge, or because the HW is
broken in funky ways), we reuse the save its_device structure
in order to reflect this.

It turns out that there is a distinct lack of locking when looking
up the its_device, and two device being probed concurrently can result
in double allocations. That's obviously not nice.

A solution for this is to have a per-ITS mutex that serializes device
allocation.

A similar issue exists on the freeing side, which can run concurrently
with the allocation. On top of now taking the appropriate lock, we
also make sure that a shared device is never freed, as we have no way
to currently track the life cycle of such object.

Reported-by: Zheng Xiang <zhengxiang9@huawei.com>
Tested-by: Zheng Xiang <zhengxiang9@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agofutex: Handle early deadlock return correctly
Thomas Gleixner [Tue, 29 Jan 2019 22:15:12 +0000 (23:15 +0100)]
futex: Handle early deadlock return correctly

commit 1a1fb985f2e2b85ec0d3dc2e519ee48389ec2434 upstream.

commit 56222b212e8e ("futex: Drop hb->lock before enqueueing on the
rtmutex") changed the locking rules in the futex code so that the hash
bucket lock is not longer held while the waiter is enqueued into the
rtmutex wait list. This made the lock and the unlock path symmetric, but
unfortunately the possible early exit from __rt_mutex_proxy_start() due to
a detected deadlock was not updated accordingly. That allows a concurrent
unlocker to observe inconsitent state which triggers the warning in the
unlock path.

futex_lock_pi()                         futex_unlock_pi()
  lock(hb->lock)
  queue(hb_waiter) lock(hb->lock)
  lock(rtmutex->wait_lock)
  unlock(hb->lock)
                                        // acquired hb->lock
                                        hb_waiter = futex_top_waiter()
                                        lock(rtmutex->wait_lock)
  __rt_mutex_proxy_start()
     ---> fail
          remove(rtmutex_waiter);
     ---> returns -EDEADLOCK
  unlock(rtmutex->wait_lock)
                                        // acquired wait_lock
                                        wake_futex_pi()
                                        rt_mutex_next_owner()
  --> returns NULL
                                          --> WARN

  lock(hb->lock)
  unqueue(hb_waiter)

The problem is caused by the remove(rtmutex_waiter) in the failure case of
__rt_mutex_proxy_start() as this lets the unlocker observe a waiter in the
hash bucket but no waiter on the rtmutex, i.e. inconsistent state.

The original commit handles this correctly for the other early return cases
(timeout, signal) by delaying the removal of the rtmutex waiter until the
returning task reacquired the hash bucket lock.

Treat the failure case of __rt_mutex_proxy_start() in the same way and let
the existing cleanup code handle the eventual handover of the rtmutex
gracefully. The regular rt_mutex_proxy_start() gains the rtmutex waiter
removal for the failure case, so that the other callsites are still
operating correctly.

Add proper comments to the code so all these details are fully documented.

Thanks to Peter for helping with the analysis and writing the really
valuable code comments.

Fixes: 56222b212e8e ("futex: Drop hb->lock before enqueueing on the rtmutex")
Reported-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Co-developed-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Cc: Stefan Liebler <stli@linux.ibm.com>
Cc: Sebastian Sewior <bigeasy@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1901292311410.1950@nanos.tec.linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agodmaengine: imx-dma: fix wrong callback invoke
Leonid Iziumtsev [Tue, 15 Jan 2019 17:15:23 +0000 (17:15 +0000)]
dmaengine: imx-dma: fix wrong callback invoke

commit 341198eda723c8c1cddbb006a89ad9e362502ea2 upstream.

Once the "ld_queue" list is not empty, next descriptor will migrate
into "ld_active" list. The "desc" variable will be overwritten
during that transition. And later the dmaengine_desc_get_callback_invoke()
will use it as an argument. As result we invoke wrong callback.

That behaviour was in place since:
commit fcaaba6c7136 ("dmaengine: imx-dma: fix callback path in tasklet").
But after commit 4cd13c21b207 ("softirq: Let ksoftirqd do its job")
things got worse, since possible delay between tasklet_schedule()
from DMA irq handler and actual tasklet function execution got bigger.
And that gave more time for new DMA request to be submitted and
to be put into "ld_queue" list.

It has been noticed that DMA issue is causing problems for "mxc-mmc"
driver. While stressing the system with heavy network traffic and
writing/reading to/from sd card simultaneously the timeout may happen:

10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900)

That often lead to file system corruption.

Signed-off-by: Leonid Iziumtsev <leonid.iziumtsev@gmail.com>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agodmaengine: bcm2835: Fix abort of transactions
Lukas Wunner [Wed, 23 Jan 2019 08:26:00 +0000 (09:26 +0100)]
dmaengine: bcm2835: Fix abort of transactions

commit 9e528c799d17a4ac37d788c81440b50377dd592d upstream.

There are multiple issues with bcm2835_dma_abort() (which is called on
termination of a transaction):

* The algorithm to abort the transaction first pauses the channel by
  clearing the ACTIVE flag in the CS register, then waits for the PAUSED
  flag to clear.  Page 49 of the spec documents the latter as follows:

  "Indicates if the DMA is currently paused and not transferring data.
   This will occur if the active bit has been cleared [...]"
   https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf

  So the function is entering an infinite loop because it is waiting for
  PAUSED to clear which is always set due to the function having cleared
  the ACTIVE flag.  The only thing that's saving it from itself is the
  upper bound of 10000 loop iterations.

  The code comment says that the intention is to "wait for any current
  AXI transfer to complete", so the author probably wanted to check the
  WAITING_FOR_OUTSTANDING_WRITES flag instead.  Amend the function
  accordingly.

* The CS register is only read at the beginning of the function.  It
  needs to be read again after pausing the channel and before checking
  for outstanding writes, otherwise writes which were issued between
  the register read at the beginning of the function and pausing the
  channel may not be waited for.

* The function seeks to abort the transfer by writing 0 to the NEXTCONBK
  register and setting the ABORT and ACTIVE flags.  Thereby, the 0 in
  NEXTCONBK is sought to be loaded into the CONBLK_AD register.  However
  experimentation has shown this approach to not work:  The CONBLK_AD
  register remains the same as before and the CS register contains
  0x00000030 (PAUSED | DREQ_STOPS_DMA).  In other words, the control
  block is not aborted but merely paused and it will be resumed once the
  next DMA transaction is started.  That is absolutely not the desired
  behavior.

  A simpler approach is to set the channel's RESET flag instead.  This
  reliably zeroes the NEXTCONBK as well as the CS register.  It requires
  less code and only a single MMIO write.  This is also what popular
  user space DMA drivers do, e.g.:
  https://github.com/metachris/RPIO/blob/master/source/c_pwm/pwm.c

  Note that the spec is contradictory whether the NEXTCONBK register
  is writeable at all.  On the one hand, page 41 claims:

  "The value loaded into the NEXTCONBK register can be overwritten so
  that the linked list of Control Block data structures can be
  dynamically altered. However it is only safe to do this when the DMA
  is paused."

  On the other hand, page 40 specifies:

  "Only three registers in each channel's register set are directly
  writeable (CS, CONBLK_AD and DEBUG). The other registers (TI,
  SOURCE_AD, DEST_AD, TXFR_LEN, STRIDE & NEXTCONBK), are automatically
  loaded from a Control Block data structure held in external memory."

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.14+
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agodmaengine: bcm2835: Fix interrupt race on RT
Lukas Wunner [Wed, 23 Jan 2019 08:26:00 +0000 (09:26 +0100)]
dmaengine: bcm2835: Fix interrupt race on RT

commit f7da7782aba92593f7b82f03d2409a1c5f4db91b upstream.

If IRQ handlers are threaded (either because CONFIG_PREEMPT_RT_BASE is
enabled or "threadirqs" was passed on the command line) and if system
load is sufficiently high that wakeup latency of IRQ threads degrades,
SPI DMA transactions on the BCM2835 occasionally break like this:

ks8851 spi0.0: SPI transfer timed out
bcm2835-dma 3f007000.dma: DMA transfer could not be terminated
ks8851 spi0.0 eth2: ks8851_rdfifo: spi_sync() failed

The root cause is an assumption made by the DMA driver which is
documented in a code comment in bcm2835_dma_terminate_all():

/*
 * Stop DMA activity: we assume the callback will not be called
 * after bcm_dma_abort() returns (even if it does, it will see
 * c->desc is NULL and exit.)
 */

That assumption falls apart if the IRQ handler bcm2835_dma_callback() is
threaded: A client may terminate a descriptor and issue a new one
before the IRQ handler had a chance to run. In fact the IRQ handler may
miss an *arbitrary* number of descriptors. The result is the following
race condition:

1. A descriptor finishes, its interrupt is deferred to the IRQ thread.
2. A client calls dma_terminate_async() which sets channel->desc = NULL.
3. The client issues a new descriptor. Because channel->desc is NULL,
   bcm2835_dma_issue_pending() immediately starts the descriptor.
4. Finally the IRQ thread runs and writes BCM2835_DMA_INT to the CS
   register to acknowledge the interrupt. This clears the ACTIVE flag,
   so the newly issued descriptor is paused in the middle of the
   transaction. Because channel->desc is not NULL, the IRQ thread
   finalizes the descriptor and tries to start the next one.

I see two possible solutions: The first is to call synchronize_irq()
in bcm2835_dma_issue_pending() to wait until the IRQ thread has
finished before issuing a new descriptor. The downside of this approach
is unnecessary latency if clients desire rapidly terminating and
re-issuing descriptors and don't have any use for an IRQ callback.
(The SPI TX DMA channel is a case in point.)

A better alternative is to make the IRQ thread recognize that it has
missed descriptors and avoid finalizing the newly issued descriptor.
So first of all, set the ACTIVE flag when acknowledging the interrupt.
This keeps a newly issued descriptor running.

If the descriptor was finished, the channel remains idle despite the
ACTIVE flag being set. However the ACTIVE flag can then no longer be
used to check whether the channel is idle, so instead check whether
the register containing the current control block address is zero
and finalize the current descriptor only if so.

That way, there is no impact on latency and throughput if the client
doesn't care for the interrupt: Only minimal additional overhead is
introduced for non-cyclic descriptors as one further MMIO read is
necessary per interrupt to check for idleness of the channel. Cyclic
descriptors are sped up slightly by removing one MMIO write per
interrupt.

Fixes: 96286b576690 ("dmaengine: Add support for BCM2835")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: stable@vger.kernel.org # v3.14+
Cc: Frank Pavlic <f.pavlic@kunbus.de>
Cc: Martin Sperl <kernel@martin.sperl.org>
Cc: Florian Meier <florian.meier@koalo.de>
Cc: Clive Messer <clive.m.messer@gmail.com>
Cc: Matthias Reichl <hias@horus.com>
Tested-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Kauer <florian.kauer@koalo.de>
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agofuse: handle zero sized retrieve correctly
Miklos Szeredi [Wed, 16 Jan 2019 09:27:59 +0000 (10:27 +0100)]
fuse: handle zero sized retrieve correctly

commit 97e1532ef81acb31c30f9e75bf00306c33a77812 upstream.

Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.

Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
Fixes: b2430d7567a3 ("fuse: add per-page descriptor <offset, length> to fuse_req")
Cc: <stable@vger.kernel.org> # v3.9
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agofuse: decrement NR_WRITEBACK_TEMP on the right page
Miklos Szeredi [Wed, 16 Jan 2019 09:27:59 +0000 (10:27 +0100)]
fuse: decrement NR_WRITEBACK_TEMP on the right page

commit a2ebba824106dabe79937a9f29a875f837e1b6d4 upstream.

NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
the page cache page.

Fixes: 8b284dc47291 ("fuse: writepages: handle same page rewrites")
Cc: <stable@vger.kernel.org> # v3.13
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agofuse: call pipe_buf_release() under pipe lock
Jann Horn [Sat, 12 Jan 2019 01:39:05 +0000 (02:39 +0100)]
fuse: call pipe_buf_release() under pipe lock

commit 9509941e9c534920ccc4771ae70bd6cbbe79df1c upstream.

Some of the pipe_buf_release() handlers seem to assume that the pipe is
locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
without taking any extra locks. From a glance through the callers of
pipe_buf_release(), it looks like FUSE is the only one that calls
pipe_buf_release() without having the pipe locked.

This bug should only lead to a memory leak, nothing terrible.

Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoALSA: hda - Serialize codec registrations
Takashi Iwai [Wed, 30 Jan 2019 16:46:03 +0000 (17:46 +0100)]
ALSA: hda - Serialize codec registrations

commit 305a0ade180981686eec1f92aa6252a7c6ebb1cf upstream.

In the current code, the codec registration may happen both at the
codec bind time and the end of the controller probe time.  In a rare
occasion, they race with each other, leading to Oops due to the still
uninitialized card device.

This patch introduces a simple flag to prevent the codec registration
at the codec bind time as long as the controller probe is going on.
The controller probe invokes snd_card_register() that does the whole
registration task, and we don't need to register each piece
beforehand.

Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoALSA: compress: Fix stop handling on compressed capture streams
Charles Keepax [Tue, 5 Feb 2019 16:29:40 +0000 (16:29 +0000)]
ALSA: compress: Fix stop handling on compressed capture streams

commit 4f2ab5e1d13d6aa77c55f4914659784efd776eb4 upstream.

It is normal user behaviour to start, stop, then start a stream
again without closing it. Currently this works for compressed
playback streams but not capture ones.

The states on a compressed capture stream go directly from OPEN to
PREPARED, unlike a playback stream which moves to SETUP and waits
for a write of data before moving to PREPARED. Currently however,
when a stop is sent the state is set to SETUP for both types of
streams. This leaves a capture stream in the situation where a new
start can't be sent as that requires the state to be PREPARED and
a new set_params can't be sent as that requires the state to be
OPEN. The only option being to close the stream, and then reopen.

Correct this issues by allowing snd_compr_drain_notify to set the
state depending on the stream direction, as we already do in
set_params.

Fixes: 49bb6402f1aa ("ALSA: compress_core: Add support for capture streams")
Signed-off-by: Charles Keepax <ckeepax@opensource.cirrus.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agonet: dsa: slave: Don't propagate flag changes on down slave interfaces
Rundong Ge [Sat, 2 Feb 2019 14:29:35 +0000 (14:29 +0000)]
net: dsa: slave: Don't propagate flag changes on down slave interfaces

[ Upstream commit 17ab4f61b8cd6f9c38e9d0b935d86d73b5d0d2b5 ]

The unbalance of master's promiscuity or allmulti will happen after ifdown
and ifup a slave interface which is in a bridge.

When we ifdown a slave interface , both the 'dsa_slave_close' and
'dsa_slave_change_rx_flags' will clear the master's flags. The flags
of master will be decrease twice.
In the other hand, if we ifup the slave interface again, since the
slave's flags were cleared the 'dsa_slave_open' won't set the master's
flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
will set the master's flags. The flags of master is increase once.

Only propagating flag changes when a slave interface is up makes
sure this does not happen. The 'vlan_dev_change_rx_flags' had the
same problem and was fixed, and changes here follows that fix.

Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support")
Signed-off-by: Rundong Ge <rdong.ge@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agonet/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
Cong Wang [Tue, 4 Dec 2018 06:14:04 +0000 (22:14 -0800)]
net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames

[ Upstream commit e8c8b53ccaff568fef4c13a6ccaf08bf241aa01a ]

When an ethernet frame is padded to meet the minimum ethernet frame
size, the padding octets are not covered by the hardware checksum.
Fortunately the padding octets are usually zero's, which don't affect
checksum. However, we have a switch which pads non-zero octets, this
causes kernel hardware checksum fault repeatedly.

Prior to:
commit '88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE ...")'
skb checksum was forced to be CHECKSUM_NONE when padding is detected.
After it, we need to keep skb->csum updated, like what we do for RXFCS.
However, fixing up CHECKSUM_COMPLETE requires to verify and parse IP
headers, it is not worthy the effort as the packets are so small that
CHECKSUM_COMPLETE can't save anything.

Fixes: 88078d98d1bb ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
Cc: Eric Dumazet <edumazet@google.com>
Cc: Tariq Toukan <tariqt@mellanox.com>
Cc: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agonet: systemport: Fix WoL with password after deep sleep
Florian Fainelli [Fri, 1 Feb 2019 21:23:38 +0000 (13:23 -0800)]
net: systemport: Fix WoL with password after deep sleep

[ Upstream commit 8dfb8d2cceb76b74ad5b58cc65c75994329b4d5e ]

Broadcom STB chips support a deep sleep mode where all register
contents are lost. Because we were stashing the MagicPacket password
into some of these registers a suspend into that deep sleep then a
resumption would not lead to being able to wake-up from MagicPacket with
password again.

Fix this by keeping a software copy of the password and program it
during suspend.

Fixes: 83e82f4c706b ("net: systemport: add Wake-on-LAN support")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agords: fix refcount bug in rds_sock_addref
Eric Dumazet [Thu, 31 Jan 2019 16:47:10 +0000 (08:47 -0800)]
rds: fix refcount bug in rds_sock_addref

[ Upstream commit 6fa19f5637a6c22bc0999596bcc83bdcac8a4fa6 ]

syzbot was able to catch a bug in rds [1]

The issue here is that the socket might be found in a hash table
but that its refcount has already be set to 0 by another cpu.

We need to use refcount_inc_not_zero() to be safe here.

[1]

refcount_t: increment on 0; use-after-free.
WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 panic+0x2cb/0x65c kernel/panic.c:214
 __warn.cold+0x20/0x48 kernel/panic.c:571
 report_bug+0x263/0x2b0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 fixup_bug arch/x86/kernel/traps.c:173 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000
RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005
RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: ffffed1015ce5021
R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0
R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64
 sock_hold include/net/sock.h:647 [inline]
 rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675
 rds_find_bound+0x97c/0x1080 net/rds/bind.c:82
 rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362
 rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
 rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355
 rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 __sys_sendto+0x387/0x5f0 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x458089
Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089
RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005
RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4
R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff

Fixes: cc4dfb7f70a3 ("rds: fix two RCU related problems")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Cc: rds-devel@oss.oracle.com
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
5 years agoskge: potential memory corruption in skge_get_regs()
Dan Carpenter [Fri, 1 Feb 2019 08:28:16 +0000 (11:28 +0300)]
skge: potential memory corruption in skge_get_regs()

[ Upstream commit 294c149a209c6196c2de85f512b52ef50f519949 ]

The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
of "regs->len" is in the 1-0x4000 range.  The bug here is that
"regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
memory corruption and an abrupt crash.

Fixes: c3f8be961808 ("[PATCH] skge: expand ethtool debug register dump")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>