Andy Lutomirski [Wed, 15 Jul 2015 17:29:38 +0000 (10:29 -0700)]
x86/nmi/64: Use DF to avoid userspace RSP confusing nested NMI detection
We have a tricky bug in the nested NMI code: if we see RSP
pointing to the NMI stack on NMI entry from kernel mode, we
assume that we are executing a nested NMI.
This isn't quite true. A malicious userspace program can point
RSP at the NMI stack, issue SYSCALL, and arrange for an NMI to
happen while RSP is still pointing at the NMI stack.
Fix it with a sneaky trick. Set DF in the region of code that
the RSP check is intended to detect. IRET will clear DF
atomically.
( Note: other than paravirt, there's little need for all this
complexity. We could check RIP instead of RSP. )
Andy Lutomirski [Wed, 15 Jul 2015 17:29:37 +0000 (10:29 -0700)]
x86/nmi/64: Reorder nested NMI checks
Check the repeat_nmi .. end_repeat_nmi special case first. The
next patch will rework the RSP check and, as a side effect, the
RSP check will no longer detect repeat_nmi .. end_repeat_nmi, so
we'll need this ordering of the checks.
Note: this is more subtle than it appears. The check for
repeat_nmi .. end_repeat_nmi jumps straight out of the NMI code
instead of adjusting the "iret" frame to force a repeat. This
is necessary, because the code between repeat_nmi and
end_repeat_nmi sets "NMI executing" and then writes to the
"iret" frame itself. If a nested NMI comes in and modifies the
"iret" frame while repeat_nmi is also modifying it, we'll end up
with garbage. The old code got this right, as does the new
code, but the new code is a bit more explicit.
If we were to move the check right after the "NMI executing"
check, then we'd get it wrong and have random crashes.
( Because the "NMI executing" check would jump to the code that would
modify the "iret" frame without checking if the interrupted NMI was
currently modifying it. )
Andy Lutomirski [Wed, 15 Jul 2015 17:29:35 +0000 (10:29 -0700)]
x86/nmi/64: Switch stacks on userspace NMI entry
Returning to userspace is tricky: IRET can fail, and ESPFIX can
rearrange the stack prior to IRET.
The NMI nesting fixup relies on a precise stack layout and
atomic IRET. Rather than trying to teach the NMI nesting fixup
to handle ESPFIX and failed IRET, punt: run NMIs that came from
user mode on the normal kernel stack.
This will make some nested NMIs visible to C code, but the C
code is okay with that.
As a side effect, this should speed up perf: it eliminates an
RDMSR when NMIs come from user mode.
Andy Lutomirski [Wed, 15 Jul 2015 17:29:33 +0000 (10:29 -0700)]
x86/nmi: Enable nested do_nmi() handling for 64-bit kernels
32-bit kernels handle nested NMIs in C. Enable the exact same
handling on 64-bit kernels as well. This isn't currently
necessary, but it will become necessary once the asm code starts
allowing limited nesting.
Marc Zyngier [Fri, 17 Jul 2015 09:46:42 +0000 (10:46 +0100)]
irqchip/gicv3-its: Fix mapping of LPIs to collections
The GICv3 ITS architecture allows a given [DevID, EventID] pair to be
translated to a [LPI, Collection] pair, where DevID is the device writing
the MSI, EventID is the payload being written, LPI is the actual
interrupt number, and Collection is roughly equivalent to a target CPU.
Each LPI can be mapped to a separate collection, but the ITS driver
insists on maintaining the collection on a device basis, instead of doing
it on a per interrupt basis.
This is obviously flawed, and this patch fixes it by adding a per interrupt
index that indicates which collection number is in use.
Thomas Gleixner [Thu, 16 Jul 2015 12:10:17 +0000 (14:10 +0200)]
genirq: Prevent resend to interrupts marked IRQ_NESTED_THREAD
The resend mechanism happily calls the interrupt handler of interrupts
which are marked IRQ_NESTED_THREAD from softirq context. This can
result in crashes because the interrupt handler is not the proper way
to invoke the device handlers. They must be invoked via
handle_nested_irq.
Prevent the resend even if the interrupt has no valid parent irq
set. Its better to have a lost interrupt than a crashing machine.
Johannes Berg [Wed, 8 Jul 2015 12:41:50 +0000 (15:41 +0300)]
mac80211: shut down interfaces before destroying interface list
If the hardware is unregistered while interfaces are up, mac80211 will
unregister all interfaces, which in turns causes mac80211 to be called
again to remove them all from the driver and eventually shut down the
hardware.
During this shutdown, however, it's currently already unsafe to iterate
the list of interfaces atomically, as the list is manipulated in an
unsafe manner. This puts an undue burden on the driver - it must stop
all its activities before calling ieee80211_unregister_hw(), while in
the normal stop path it can do all cleanup in the stop method. If, for
example, it's using the iteration during RX for some reason, it would
have to stop RX before unregistering to avoid crashes.
Fix this problem by closing all interfaces before unregistering them.
This will cause the driver stop to have completed before we manipulate
the interface list, and after the driver is stopped *and* has called
ieee80211_unregister_hw() it really musn't be iterating any more as
the memory will be freed as well.
Chaitanya T K [Wed, 10 Jun 2015 13:42:31 +0000 (19:12 +0530)]
mac80211: wowlan: enable powersave if suspend while ps-polling
If for any reason we're in the middle of PS-polling or awake after
TX due to dynamic powersave while going to suspend, go back to save
power. This might cause a response frame to get lost, but since we
can't really wait for it while going to suspend that's still better
than not enabling powersave which would cause higher power usage
during (and possibly even after) suspend.
Note that this really only affects the very few drivers that use
the powersave implementation in mac80211.
Michal Kazior [Thu, 2 Jul 2015 07:59:56 +0000 (09:59 +0200)]
mac80211: don't clear all tx flags when requeing
When acting as AP and a PS-Poll frame is received
associated station is marked as one in a Service
Period. This state is kept until Tx status for
released frame is reported. While a station is in
Service Period PS-Poll frames are ignored.
However if PS-Poll was received during A-MPDU
teardown it was possible to have the to-be
released frame re-queued back to pending queue.
In such case the frame was stripped of 2 important
flags:
Stripping of (a) led to the frame that was to be
released to be queued back to ps_tx_buf queue. If
station remained to use only PS-Poll frames the
re-queued frame (and new ones) was never actually
transmitted because mac80211 would ignore
subsequent PS-Poll frames due to station being in
Service Period. There was nothing left to clear
the Service Period bit (no xmit -> no tx status ->
no SP end), i.e. the AP would have the station
stuck in Service Period. Beacon TIM would
repeatedly prompt station to poll for frames but
it would get none.
Once (a) is not stripped (b) becomes important
because it's the main condition to clear the
Service Period bit of the station when Tx status
for the released frame is reported back.
This problem was observed with ath9k acting as P2P
GO in some testing scenarios but isn't limited to
it. AP operation with mac80211 based Tx A-MPDU
control combined with clients using PS-Poll frames
is subject to this race.
Tom Hughes [Mon, 29 Jun 2015 18:41:49 +0000 (19:41 +0100)]
mac80211: clear subdir_stations when removing debugfs
If we don't do this, and we then fail to recreate the debugfs
directory during a mode change, then we will fail later trying
to add stations to this now bogus directory:
Kalle Valo [Fri, 17 Jul 2015 08:19:08 +0000 (11:19 +0300)]
Merge tag 'iwlwifi-for-kalle-2015-06-12' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes
* bug fixes specific for 8000 series
* fix a crash in time events
* fix a crash in PCIe transport
* fix BT Coex code that prevented association on certain
devices (3160).
* revert the new RBD allocation model because it introduced
a bug when running on weak VM setups.
* a new device IDs
drm/ttm: fix uncached page deallocation to properly fill page pool v3.
Current code never allowed the page pool to actualy fill in anyway.
This fix it, so that we only start freeing page from the pool when
we go over the pool size.
Changed since v1:
- Move the page batching optimization to its separate patch.
Changed since v2:
- Do not remove code part of the batching optimization with
this patch.
- Better commit message.
Since 9a2c1c3b91aa ("pinctrl: samsung: Allow grouping multiple
pinmux/pinconf nodes") the defines for GPIO group and function names are
not used anywhere in the driver.
Sergei Shtylyov [Tue, 14 Jul 2015 21:56:52 +0000 (00:56 +0300)]
ravb: do not invalidate cache for RX buffer twice
First, dma_sync_single_for_cpu() shouldn't have been called in the first place
(it's a streaming DMA API), dma_unmap_single() should have been called instead.
Second, dma_unmap_single() call after handing the buffer to napi_gro_receive()
makes little sense. Moreover desc->dptr might not be valid at this point.
Merge tag 'pm+acpi-4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management and ACPI fixes from Rafael Wysocki:
"These fix two bugs in the cpufreq core (including one recent
regression), fix a 4.0 PCI regression related to the ACPI resources
management and quieten an RCU-related lockdep complaint about a
tracepoint in the suspend-to-idle code.
Specifics:
- Fix a recently introduced issue in the cpufreq policy object
reinitialization that leads to CPU offline/online breakage (Viresh
Kumar)
- Make it possible to access frequency tables of offline CPUs which
is needed by thermal management code among other things (Viresh
Kumar)
- Fix an ACPI resource management regression introduced during the
4.0 cycle that may cause incorrect resource validation results to
appear in 32-bit x86 kernels due to silent truncation of 64-bit
values to 32-bit (Jiang Liu)
- Fix up an RCU-related lockdep complaint about suspicious RCU usage
in idle caused by using a suspend tracepoint in the core suspend-
to-idle code (Rafael J Wysocki)"
* tag 'pm+acpi-4.2-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
ACPI / PCI: Fix regressions caused by resource_size_t overflow with 32-bit kernel
cpufreq: Allow freq_table to be obtained for offline CPUs
cpufreq: Initialize the governor again while restoring policy
suspend-to-idle: Prevent RCU from complaining about tick_freeze()
Merge tag 'platform-drivers-x86-v4.2-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
Pull x86 platform driver fixes from Darren Hart:
"Fix SMBIOS call handling and hwswitch state coherency in the
dell-laptop driver. Cleanups for intel_*_ipc drivers. Details:
dell-laptop:
- Do not cache hwswitch state
- Check return value of each SMBIOS call
- Clear buffer before each SMBIOS call
intel_scu_ipc:
- Move local memory initialization out of a mutex
* tag 'platform-drivers-x86-v4.2-3' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
intel_scu_ipc: move local memory initialization out of a mutex
intel_pmc_ipc: Update kerneldoc formatting
dell-laptop: Do not cache hwswitch state
dell-laptop: Check return value of each SMBIOS call
dell-laptop: Clear buffer before each SMBIOS call
intel_pmc_ipc: Fix compiler casting warnings
Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu
Pull m68knommu/coldfire fixes from Greg Ungerer:
"Contains build fixes and updates for the ColdFire defconfigs.
Specifically there is a couple of fixes that address problems building
allnoconfig. Also fix for enabling PCI bus on the M54xx family of
ColdFire"
* 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
m68k: enable PCI support for m5475evb defconfig
m68k: fix io functions for ColdFire/MMU/PCI case
m68knommu: update defconfig for ColdFire m5475evb
m68knommu: update defconfig for ColdFire m5407c3
m68knommu: update defconfig for ColdFire m5307c3
m68knommu: update defconfig for ColdFire m5275evb
m68knommu: update defconfig for ColdFire m5272c3
m68knommu: update defconfig for ColdFire m5249evb
m68knommu: update defconfig for m5208evb
m68knommu: make ColdFire SoC selection a choice
m68knommu: improve the clock configuration defaults
m68knommu: force setting of CONFIG_CLOCK_FREQ for ColdFire
Mike Snitzer [Fri, 17 Jul 2015 01:16:31 +0000 (21:16 -0400)]
dm cache: do not wake_worker() in free_migration()
All methods that queue work call wake_worker() as you'd expect.
E.g. cell_defer, defer_bio, quiesce_migration (which is called by
writeback, promote, demote_then_promote, invalidate, discard, etc).
Dave Airlie [Fri, 17 Jul 2015 00:24:34 +0000 (10:24 +1000)]
Merge tag 'imx-drm-fixes-2015-07-14' of git://git.pengutronix.de/git/pza/linux into drm-fixes
imx-drm: fixes for parallel-display, imx-tve, and ipu-common
These patches fix the parallel-display driver to use the standard OF
graph bindings for connecting a drm_panel via device tree instead of
an undocumented, driver specific device tree property, take care to
disable all IPU interrupts before setting up the irq chip to fix a
kexec lockup, and fix VGA output on i.MX53-QSB boards by correcting
the media bus format set by the imx-tve driver.
* tag 'imx-drm-fixes-2015-07-14' of git://git.pengutronix.de/git/pza/linux:
drm/imx: tve: fix media bus format for VGA output
GPU: ipu: fix lockup caused by pending chained interrupts
drm/imx: parallel-display: fix drm_panel support
Dave Airlie [Fri, 17 Jul 2015 00:06:04 +0000 (10:06 +1000)]
Merge branch 'drm-armada-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm into drm-fixes
A range of fixes for the Armada DRM driver:
- A missing wakeup could result in overlay frames being delayed, causing
video playback to hiccup.
- Avoid unmapping a dma-buf attachment which was never mapped
- Fix the overlay when partially off the screen by switching to the
drm_plane_helper_check_update() helper and using the calculated
coordinates to set the start address.
- Remove an incorrect assignment to crtc->mode - which should be the
unadjusted mode.
- Fix a missing call to drm_plane_cleanup() in the overlay code.
* 'drm-armada-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
drm/armada: avoid saving the adjusted mode to crtc->mode
drm/armada: fix overlay when partially off-screen
drm/armada: convert overlay to use drm_plane_helper_check_update()
drm/armada: fix gem object free after failed prime import
drm/armada: fix incorrect overlay plane cleanup
drm/armada: fix missing overlay wake-up
Dave Airlie [Thu, 16 Jul 2015 23:57:16 +0000 (09:57 +1000)]
Merge tag 'drm-intel-fixes-2015-07-15' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Next batch of i915 fixes. Note that the compat32 patch here needs the drm
core one to be actually useful, I'll send you that one with a separate
drm-fixes pull request. One revert because a fix in -rc2 did break
existing userspace.
* tag 'drm-intel-fixes-2015-07-15' of git://anongit.freedesktop.org/drm-intel:
drm/i915: Do not call intel_crtc_disable if the crtc is already disabled.
Revert "drm/i915: Declare the swizzling unknown for L-shaped configurations"
drm/i915: Forward all core DRM ioctls to core compat handling
drm/i915: fix oops in primary_check_plane
drm/i915: remove unused has_dma_mapping flag
drm/i915: Fix missing return warning for !CONFIG_DEBUGFS
drm/i915: avoid leaking DMA mappings
drm/i915: Snapshot seqno of most recently submitted request.
drm/i915: Store device pointer in contexts for late tracepoint usafe
Dave Airlie [Thu, 16 Jul 2015 23:56:00 +0000 (09:56 +1000)]
Merge tag 'topic/drm-fixes-2015-07-16' of git://anongit.freedesktop.org/drm-intel into drm-fixes
Ok next attempt at drm-fixes pull. Big thing really is just the compat32
one for addfb2.1.
* tag 'topic/drm-fixes-2015-07-16' of git://anongit.freedesktop.org/drm-intel:
drm: Provide compat ioctl for addfb2.1
Documentation: drm: Fix tablulation in KMS properties table
drm: add a check for x/y in drm_mode_setcrtc
drm/rockchip: use drm_gem_mmap helpers
Dave Airlie [Thu, 16 Jul 2015 23:39:23 +0000 (09:39 +1000)]
Merge branch 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
More radeon and amdgpu fixes for 4.2. Mostly amdgpu bug fixes.
* 'drm-fixes-4.2' of git://people.freedesktop.org/~agd5f/linux:
drm/amdgpu/dce8: Re-set VBLANK interrupt state when enabling a CRTC
drm/radeon/ci: silence a harmless PCC warning
drm/amdgpu/cz: silence some dpm debug output
drm/amdgpu/cz: store the forced dpm level
drm/amdgpu/cz: unforce dpm levels before forcing to low/high
drm/amdgpu: remove bogus check in gfx8 rb setup
drm/amdgpu: set proper index/data pair for smc regs on CZ (v2)
drm/amdgpu: disable the IP module if early_init returns -ENOENT (v2)
drm/amdgpu: stop context leak in the error path
drm/amdgpu: validate the context id in the dependencies
drm/radeon: fix user ptr race condition
drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5
Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
"A collection of fixes from the last few weeks that should go into the
current series. This contains:
- Various fixes for the per-blkcg policy data, fixing regressions
since 4.1. From Arianna and Tejun
- Code cleanup for bcache closure macros from me. Really just
flushing this out, it's been sitting in another branch for months
- FIELD_SIZEOF cleanup from Maninder Singh
- bio integrity oops fix from Mike
- Timeout regression fix for blk-mq from Ming Lei"
* 'for-linus' of git://git.kernel.dk/linux-block:
blk-mq: set default timeout as 30 seconds
NVMe: Reread partitions on metadata formats
bcache: don't embed 'return' statements in closure macros
blkcg: fix blkcg_policy_data allocation bug
blkcg: implement all_blkcgs list
blkcg: blkcg_css_alloc() should grab blkcg_pol_mutex while iterating blkcg_policy[]
blkcg: allow blkcg_pol_mutex to be grabbed from cgroup [file] methods
block/blk-cgroup.c: free per-blkcg data when freeing the blkcg
block: use FIELD_SIZEOF to calculate size of a field
bio integrity: do not assume bio_integrity_pool exists if bioset exists
Merge tag 'jfs-4.2' of git://github.com/kleikamp/linux-shaggy
Pull jfs fixes from David Kleikamp:
"A couple trivial fixes and an error path fix"
* tag 'jfs-4.2' of git://github.com/kleikamp/linux-shaggy:
jfs: clean up jfs_rename and fix out of order unlock
jfs: fix indentation on if statement
jfs: removed a prohibited space after opening parenthesis
Currently PCIe DT bindings are broken. PCIe driver can't function
without having a SerDes driver that provide the phy configuration.
On K2E EVM, this causes problem since the EVM has Marvell SATA
controller present and with default values in the SerDes register,
it seems to pass the PCIe link check, but causes issues since
the configuration is not correct. The manifestation is that when
EVM is booted with NFS rootfs, the boot hangs. We shouldn't enable
PCIe on this EVM since to work, SerDes driver has to be present as
well. So by default, the PCIe DT binding should be disabled in SoC
specific DTS. It can be enabled in the board specific DTS when the
SerDes device driver is also present.
So fix the status of PCIe DT bindings in the SoC specific DTS to
"disabled". To enable PCIe, the status should be set to "ok" in
the EVM DTS file when SerDes driver support becomes available in
the upstream tree.
Robert Jarzmik [Sat, 11 Jul 2015 19:33:06 +0000 (21:33 +0200)]
ARM: pxa: fix dm9000 platform data regression
Since dm9000 driver added support for a vcc regulator, platform data
based platforms have their ethernet broken, as the regulator claiming
returns -EPROBE_DEFER and prevents dm9000 loading.
This patch fixes this for all pxa boards using dm9000, by using the
specific regulator_has_full_constraints() function.
This was discovered and tested on the cm-x300 board.
Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000") Signed-off-by: Robert Jarzmik <[email protected]> Acked-by: Igor Grinberg <[email protected]>
regulator: core: Increase refcount for regulator supply's module
When a regulator is unregistered with regulator_unregister(), a call to
regulator_put() is made for its input supply if there is one. This does
a module_put() to decrement the refcount of the module that owns the
supply but there isn't a corresponding try_module_get() in set_supply()
to make the calls balanced.
Peter Hutterer [Thu, 16 Jul 2015 17:38:15 +0000 (10:38 -0700)]
Input: elantech - force resolution of 31 u/mm
All Elantech touchpads pre-v4 with dynamic resolution queries have a fixed
resolution of 800dpi -> 31.49 units/mm. Set this statically, so userspace
does not have to guess.
Michel Dänzer [Thu, 9 Jul 2015 09:24:24 +0000 (18:24 +0900)]
drm/amdgpu/dce8: Re-set VBLANK interrupt state when enabling a CRTC
Something (ATOM BIOS?) seems to be clobbering the LB_INTERRUPT_MASK
register while the CRTC is off, which caused e.g. glxgears or
gnome-shell to hang after a modeset.
Alex Deucher [Tue, 14 Jul 2015 16:26:41 +0000 (12:26 -0400)]
drm/amdgpu/cz: unforce dpm levels before forcing to low/high
This is necessary to properly reset the min/max limits before
clamping them otherwise we may get improper clamping depending
on what what was the last forced level.
Michel Dänzer [Fri, 3 Jul 2015 01:02:27 +0000 (10:02 +0900)]
drm/radeon: Don't flush the GART TLB if rdev->gart.ptr == NULL
This can be the case when the GPU is powered off, e.g. via vgaswitcheroo
or runpm. When the GPU is powered up again, radeon_gart_table_vram_pin
flushes the TLB after setting rdev->gart.ptr to non-NULL.
A new Micron drive was just announced, once again recycling the first
part of the model string. Add an underscore to the M510/M550 pattern to
avoid picking up the new DC drive.
Ming Lei [Thu, 16 Jul 2015 11:53:22 +0000 (19:53 +0800)]
blk-mq: set default timeout as 30 seconds
It is reasonable to set default timeout of request as 30 seconds instead of
30000 ticks, which may be 300 seconds if HZ is 100, for example, some arm64
based systems may choose 100 HZ.
Signed-off-by: Ming Lei <[email protected]> Fixes: c76cbbcf4044 ("blk-mq: put blk_queue_rq_timeout together in blk_mq_init_queue()" Signed-off-by: Jens Axboe <[email protected]>
Mike Snitzer [Wed, 15 Jul 2015 15:42:59 +0000 (11:42 -0400)]
dm cache: display 'needs_check' in status if it is set
There is currently no way to see that the needs_check flag has been set
in the metadata. Display 'needs_check' in the cache status if it is set
in the cache metadata.
Mike Snitzer [Wed, 15 Jul 2015 15:40:24 +0000 (11:40 -0400)]
dm thin: display 'needs_check' in status if it is set
There is currently no way to see that the needs_check flag has been set
in the metadata. Display 'needs_check' in the thin-pool status if it is
set in the thinp metadata.
Mike Snitzer [Wed, 15 Jul 2015 20:52:04 +0000 (16:52 -0400)]
dm thin: stay in out-of-data-space mode once no_space_timeout expires
This fixes an issue where running out of data space would cause the
thin-pool's metadata to become read-only. There was no reason to make
metadata read-only -- calling set_pool_mode() with PM_READ_ONLY was a
misguided way to error all queued and future write IOs. We can
accomplish the same by degrading from PM_OUT_OF_DATA_SPACE to
PM_OUT_OF_DATA_SPACE with error_if_no_space enabled.
Otherwise, the use of PM_READ_ONLY could cause a race where commit() was
started before the PM_READ_ONLY transition but dm_pool_commit_metadata()
would go on to fail because the block manager had transitioned to
read-only. The return of -EPERM from dm_pool_commit_metadata(), due to
attempting to commit while in read-only mode, caused the thin-pool to
set 'needs_check' because a metadata_operation_failed(). This needless
cascade of failures makes life for users more difficult than needed.
scsi: fix host max depth checking for the 'queue_depth' sysfs interface
Commit 1e6f2416044c0 changed the scsi sysfs 'queue_depth' code to
rejects depths higher than the scsi host template setting. But lots
of hosts set this to 1, and update the settings in the scsi host
when the controller/devices probing happens.
This breaks (at least) mpt2sas and mpt3sas runtime setting of queue
depth, returning EINVAL for all settings but '1'. And once it's set to
1, there's no way to go back up.
pca953x interrupt controller functionality is implemented using
nested threaded IRQs which require parent_irq to be configured
properly otherwise below warning can be seen if IRQ core
will try re-schedule nested IRQ:
------------[ cut here ]------------
WARNING: CPU: 1 PID: 12 at kernel/irq/manage.c:696 irq_nested_primary_handler+0x30/0x38()
Primary handler called for nested irq 301
Modules linked in: uinput ipv6 smsc95xx usbnet mii imx2_wdt etnaviv(C) matrix_keypad matrix_keymap ar1021_i2c
CPU: 1 PID: 12 Comm: ksoftirqd/1 Tainted: G WC 4.1.1 #9
Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
Backtrace:
[<c0013298>] (dump_backtrace) from [<c0013488>] (show_stack+0x20/0x24)
[<c0013468>] (show_stack) from [<c05743c4>] (dump_stack+0x70/0xc0)
[<c0574354>] (dump_stack) from [<c002b7b8>] (warn_slowpath_common+0x88/0xc0)
[<c002b730>] (warn_slowpath_common) from [<c002b8ac>] (warn_slowpath_fmt+0x40/0x48)
[<c002b870>] (warn_slowpath_fmt) from [<c0075798>] (irq_nested_primary_handler+0x30/0x38)
[<c0075768>] (irq_nested_primary_handler) from [<c0075200>] (handle_irq_event_percpu+0x70/0x2d0)
[<c0075190>] (handle_irq_event_percpu) from [<c00754ac>] (handle_irq_event+0x4c/0x6c)
[<c0075460>] (handle_irq_event) from [<c0078204>] (handle_simple_irq+0xa4/0xc8)
[<c0078160>] (handle_simple_irq) from [<c0077cd4>] (resend_irqs+0x50/0x7c)
[<c0077c84>] (resend_irqs) from [<c002f99c>] (tasklet_action+0x94/0x140)
[<c002f908>] (tasklet_action) from [<c002eea8>] (__do_softirq+0xa0/0x3c8)
[<c002ee08>] (__do_softirq) from [<c002f208>] (run_ksoftirqd+0x38/0x54)
[<c002f1d0>] (run_ksoftirqd) from [<c004b1e4>] (smpboot_thread_fn+0x1f8/0x2f0)
[<c004afec>] (smpboot_thread_fn) from [<c0047744>] (kthread+0xe8/0x104)
[<c004765c>] (kthread) from [<c000fac8>] (ret_from_fork+0x14/0x2c)
---[ end trace 96052cda48865769 ]---
The issue was reported and described in details by Lothar Waßmann and
Christian Gmeiner in https://lkml.org/lkml/2014/9/9/123.
Fix it by adding missed call of gpiochip_set_chained_irqchip()
so GPIO IRQ chip helpers will set parent_irq for nested IRQs
properly.
Analysis reveals the cause of the crash to be due to STp->device
being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
calls scsi_tape_release(). In st_open() we jump to err_out after
scsi_block_when_processing_errors() completes and returns the
device as offline (sdev_state was SDEV_DEL):
1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
1181 module count. */
1182 static int st_open(struct inode *inode, struct file *filp)
1183 {
1184 int i, retval = (-EIO);
1185 int resumed = 0;
1186 struct scsi_tape *STp;
1187 struct st_partstat *STps;
1188 int dev = TAPE_NR(inode);
1189 char *name;
...
1217 if (scsi_autopm_get_device(STp->device) < 0) {
1218 retval = -EIO;
1219 goto err_out;
1220 }
1221 resumed = 1;
1222 if (!scsi_block_when_processing_errors(STp->device)) {
1223 retval = (-ENXIO);
1224 goto err_out;
1225 }
...
1264 err_out:
1265 normalize_buffer(STp->buffer);
1266 spin_lock(&st_use_lock);
1267 STp->in_use = 0;
1268 spin_unlock(&st_use_lock);
1269 scsi_tape_put(STp); <-- STp->device = 0 after this
1270 if (resumed)
1271 scsi_autopm_put_device(STp->device);
1272 return retval;
The ref count for the struct scsi_tape had already been reduced
to 1 when the .remove method of the st module had been called.
The kref_put() in scsi_tape_put() caused scsi_tape_release()
to be called:
gpio: omap: prevent module from being unloaded while in use
OMAP GPIO driver allowed to be built as loadable module, but it
doesn't set owner field in GPIO chip structure. As result,
module_get/put() API is not working and it's possible to unload
OMAP driver while in use:
omap_gpio 48051000.gpio: REMOVING GPIOCHIP WITH GPIOS STILL REQUESTED
Marek Vasut [Tue, 30 Jun 2015 18:04:18 +0000 (20:04 +0200)]
gpio: max732x: Add missing dev reference to gpiochip
In case the gpiochip doesn't have the .dev field set, as is the case
in here, it is not possible to reference this device in DT as a GPIO
controller. A good example of this problem is that gpio-leds can not
be used when connected to this chip, the gpio-leds driver bails out
with -EPROBE_DEFER.
Fix this problem by setting the .dev field of the gpio_chip to the
parent i2c device.
gpio/xilinx: Use correct address when setting initial values.
xgpio_save_regs() is used in this driver to setup the initial
values of the registers in the hardware.
The relevant registers at that time are:
0x0 -> channel 0 data (32 bits, one for each GPIO on this channel).
0x4 -> channel 0 tri, controls in/out status for each GPIO of this channel.
0x8 -> channel 1 data
0xC -> channel 1 tri
Before this patch, the "data" register value of channel 1 was written
at 0x4 intead of 0x8 (overwriting the channel 0 "tri" register),
and the "tri" register value for channel 1 was written at 0x8 instead of 0xC.
Keith Packard [Wed, 15 Jul 2015 19:14:39 +0000 (12:14 -0700)]
ALSA: hda/realtek: Enable HP amp and mute LED on HP Folio 9480m [v3]
This laptop needs GPIO4 pulled high to enable the headphone amplifier,
and has a mute LED on GPIO3. I modelled the patch on the existing
GPIO4 code which pulls the line low for the same purpose; this time,
the HP amp line is pulled high.
v2: Disable the headphone amplifier when no headphone is connected.
Don't disable power savings to preserve the LED state.
v3: Remove headset-specific hooks and code; this is just a headphone.
Stefan Agner [Mon, 18 May 2015 16:33:28 +0000 (18:33 +0200)]
can: mcp251x: get regulators optionally
The regulators power and transceiver are optional. If those are not
present, the pointer (or error pointer) is correctly handled by the
driver, hence we can use devm_regulator_get_optional safely, which
avoids regulators getting created.
Stefan Agner [Mon, 18 May 2015 16:33:27 +0000 (18:33 +0200)]
can: mcp251x: fix resume when device is down
If a valid power regulator or a dummy regulator is used (which
happens to be the case when no regulator is specified), restart_work
is queued no matter whether the device was running or not at suspend
time. Since work queues get initialized in the ndo_open callback,
resuming leads to a NULL pointer exception.
Reverse exactly the steps executed at suspend time:
- Enable the power regulator in any case
- Enable the transceiver regulator if the device was running, even in
case we have a power regulator
- Queue restart_work only in case the device was running
Fixes: bf66f3736a94 ("can: mcp251x: Move to threaded interrupts instead of workqueues.") Signed-off-by: Stefan Agner <[email protected]> Cc: linux-stable <[email protected]> Signed-off-by: Marc Kleine-Budde <[email protected]>
David S. Miller [Thu, 16 Jul 2015 04:59:23 +0000 (21:59 -0700)]
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says:
====================
pull request: bluetooth 2015-07-15
Here's a regression fix for Broadcom Bluetooth adapters found at least
in certain Apple laptops. The issue was introduced in 4.1 so there's the
appropriate "Cc: stable" entry for it.
====================
prog->bpf_ops is populated when act_bpf is used with classic BPF and
prog->bpf_name is optionally used with extended BPF.
Fix memory leak when act_bpf is released.
Fixes: d23b8ad8ab23 ("tc: add BPF based action") Fixes: a8cb5f556b56 ("act_bpf: add initial eBPF support for actions") Acked-by: Daniel Borkmann <[email protected]> Signed-off-by: Alexei Starovoitov <[email protected]> Signed-off-by: David S. Miller <[email protected]>
v3 has reduced set of patches from "ipvlan: fix ipv6 autoconfiguration".
Here just cleanups and patch which ignores ipv6 notifications from RA.
====================
ipvlan: ignore addresses from ipv6 autoconfiguration
Inet6addr notifier is atomic and runs in bh context without RTNL when
ipv6 receives router advertisement packet and performs autoconfiguration.
Proper fix still in discussion. Let's at least plug the bug.
v1: http://lkml.kernel.org/r/20150514135618.14062.1969.stgit@buzz
v2: http://lkml.kernel.org/r/20150703125840.24121.91556.stgit@buzz
All structures used in traffic forwarding are rcu-protected:
ipvl_addr, ipvl_dev and ipvl_port. Thus we can unhash addresses
without synchronization. We'll anyway hash it back into the same
bucket: in worst case lockless lookup will scan hash once again.
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull TPM bugfixes from James Morris.
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
tpm, tpm_crb: fail when TPM2 ACPI table contents look corrupted
tpm: Fix initialization of the cdev
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
Commit 79901317ce80 ("n_tty: Don't flush buffer when closing ldisc"),
first merged in kernel release 3.10, caused the following regression
in the Gigaset M101 driver:
Before that commit, when closing the N_TTY line discipline in
preparation to switching to N_GIGASET_M101, receive_room would be
reset to a non-zero value by the call to n_tty_flush_buffer() in
n_tty's close method. With the removal of that call, receive_room
might be left at zero, blocking data reception on the serial line.
The present patch fixes that regression by setting receive_room
to an appropriate value in the ldisc open method.
Fixes: 79901317ce80 ("n_tty: Don't flush buffer when closing ldisc") Signed-off-by: Tilman Schmidt <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Currently F-RTO may repeatedly send new data packets on non-recurring
timeouts in CA_Loss mode. This is a bug because F-RTO (RFC5682)
should only be used on either new recovery or recurring timeouts.
This exacerbates the recovery progress during frequent timeout &
repair, because we prioritize sending new data packets instead of
repairing the holes when the bandwidth is already scarce.
Fix it by correcting the test of a new recovery episode.
Since the mdb add/del code was introduced there have been 2 br_mdb_notify
calls when doing br_mdb_add() resulting in 2 notifications on each add.
Example:
Command: bridge mdb add dev br0 port eth1 grp 239.0.0.1 permanent
Before patch:
root@debian:~# bridge monitor all
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent
After patch:
root@debian:~# bridge monitor all
[MDB]dev br0 port eth1 grp 239.0.0.1 permanent
Signed-off-by: Nikolay Aleksandrov <[email protected]> Fixes: cfd567543590 ("bridge: add support of adding and deleting mdb entries") Signed-off-by: David S. Miller <[email protected]>
bridge: multicast: treat igmpv3 report with INCLUDE and no sources as a leave
A report with INCLUDE/Change_to_include and empty source list should be
treated as a leave, specified by RFC 3376, section 3.1:
"If the requested filter mode is INCLUDE *and* the requested source
list is empty, then the entry corresponding to the requested
interface and multicast address is deleted if present. If no such
entry is present, the request is ignored."
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma
Pull rdma fixes from Doug Ledford:
"Mainly fix-ups for the various 4.2 items"
* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma: (24 commits)
IB/core: Destroy ocrdma_dev_id IDR on module exit
IB/core: Destroy multcast_idr on module exit
IB/mlx4: Optimize do_slave_init
IB/mlx4: Fix memory leak in do_slave_init
IB/mlx4: Optimize freeing of items on error unwind
IB/mlx4: Fix use of flow-counters for process_mad
IB/ipath: Convert use of __constant_<foo> to <foo>
IB/ipoib: Set MTU to max allowed by mode when mode changes
IB/ipoib: Scatter-Gather support in connected mode
IB/ucm: Fix bitmap wrap when devnum > IB_UCM_MAX_DEVICES
IB/ipoib: Prevent lockdep warning in __ipoib_ib_dev_flush
IB/ucma: Fix lockdep warning in ucma_lock_files
rds: rds_ib_device.refcount overflow
RDMA/nes: Fix for incorrect recording of the MAC address
RDMA/nes: Fix for resolving the neigh
RDMA/core: Fixes for port mapper client registration
IB/IPoIB: Fix bad error flow in ipoib_add_port()
IB/mlx4: Do not attemp to report HCA clock offset on VFs
IB/cm: Do not queue work to a device that's going away
IB/srp: Avoid using uninitialized variable
...
Herbert Xu [Mon, 13 Jul 2015 12:01:42 +0000 (20:01 +0800)]
net: Fix skb csum races when peeking
When we calculate the checksum on the recv path, we store the
result in the skb as an optimisation in case we need the checksum
again down the line.
This is in fact bogus for the MSG_PEEK case as this is done without
any locking. So multiple threads can peek and then store the result
to the same skb, potentially resulting in bogus skb states.
This patch fixes this by only storing the result if the skb is not
shared. This preserves the optimisations for the few cases where
it can be done safely due to locking or other reasons, e.g., SIOCINQ.
Herbert Xu [Mon, 13 Jul 2015 08:04:13 +0000 (16:04 +0800)]
net: Clone skb before setting peeked flag
Shared skbs must not be modified and this is crucial for broadcast
and/or multicast paths where we use it as an optimisation to avoid
unnecessary cloning.
The function skb_recv_datagram breaks this rule by setting peeked
without cloning the skb first. This causes funky races which leads
to double-free.
This patch fixes this by cloning the skb and replacing the skb
in the list when setting skb->peeked.
Fixes: a59322be07c9 ("[UDP]: Only increment counter on first peek/recv") Reported-by: Konstantin Khlebnikov <[email protected]> Signed-off-by: Herbert Xu <[email protected]> Signed-off-by: David S. Miller <[email protected]>
Similarly as in commit 4f7d2cdfdde7 ("rtnetlink: verify IFLA_VF_INFO
attributes before passing them to driver"), we have a double nesting
of netlink attributes, i.e. IFLA_VF_PORTS only contains IFLA_VF_PORT
that is nested itself. While IFLA_VF_PORTS is a verified attribute
from ifla_policy[], we only check if the IFLA_VF_PORTS container has
IFLA_VF_PORT attributes and then pass the attribute's content itself
via nla_parse_nested(). It would be more correct to reject inner types
other than IFLA_VF_PORT instead of continuing parsing and also similarly
as in commit 4f7d2cdfdde7, to check for a minimum of NLA_HDRLEN.
Gregory Fong [Thu, 18 Jun 2015 01:00:40 +0000 (18:00 -0700)]
gpio: brcmstb: fix null ptr dereference in driver remove
If a failure occurs during probe, brcmstb_gpio_remove() is called. In
remove, we call platform_get_drvdata(), but at the time of failure in
the probe the driver data hadn't yet been set which leads to a NULL
ptr dereference in the remove's list_for_each. Call
platform_set_drvdata() and set up list head right after allocating the
priv struct to both avoid the null pointer dereference that could
occur today. To guard against potential future changes, check for
null pointer in remove.
Keith Busch [Tue, 14 Jul 2015 17:57:48 +0000 (11:57 -0600)]
NVMe: Reread partitions on metadata formats
This patch has the driver automatically reread partitions if a namespace
has a separate metadata format. Previously revalidating a disk was
sufficient to get the correct capacity set on such formatted drives,
but partitions that may exist would not have been surfaced.
Merge tag 'locks-v4.2-1' of git://git.samba.org/jlayton/linux
Pull file locking updates from Jeff Layton:
"I had thought that I was going to get away without a pull request this
cycle. There was a NFSv4 file locking problem that cropped up that I
tried to fix in the NFSv4 code alone, but that fix has turned out to
be problematic. These patches fix this in the correct way.
Note that this touches some NFSv4 code as well. Ordinarily I'd wait
for Trond to ACK this, but he's on holiday right now and the bug is
rather nasty. So I suggest we merge this and if he raises issues with
it we can sort it out when he gets back"
Acked-by: Bruce Fields <[email protected]> Acked-by: Dan Williams <[email protected]>
[ +1 to this series fixing a 100% reproducible slab corruption +
general protection fault in my nfs-root test environment. - Dan ] Acked-by: Anna Schumaker <[email protected]>
* tag 'locks-v4.2-1' of git://git.samba.org/jlayton/linux:
locks: inline posix_lock_file_wait and flock_lock_file_wait
nfs4: have do_vfs_lock take an inode pointer
locks: new helpers - flock_lock_inode_wait and posix_lock_inode_wait
locks: have flock_lock_file take an inode pointer instead of a filp
Revert "nfs: take extra reference to fl->fl_file when running a LOCKU operation"
projects / linux.git / log