Dave Hansen [Fri, 14 Nov 2014 15:18:31 +0000 (07:18 -0800)]
x86, mpx: Cleanup unused bound tables
The previous patch allocates bounds tables on-demand. As noted in
an earlier description, these can add up to *HUGE* amounts of
memory. This has caused OOMs in practice when running tests.
This patch adds support for freeing bounds tables when they are no
longer in use.
There are two types of mappings in play when unmapping tables:
1. The mapping with the actual data, which userspace is
munmap()ing or brk()ing away, etc...
2. The mapping for the bounds table *backing* the data
(is tagged with VM_MPX, see the patch "add MPX specific
mmap interface").
If userspace use the prctl() indroduced earlier in this patchset
to enable the management of bounds tables in kernel, when it
unmaps the first type of mapping with the actual data, the kernel
needs to free the mapping for the bounds table backing the data.
This patch hooks in at the very end of do_unmap() to do so.
We look at the addresses being unmapped and find the bounds
directory entries and tables which cover those addresses. If
an entire table is unused, we clear associated directory entry
and free the table.
Once we unmap the bounds table, we would have a bounds directory
entry pointing at empty address space. That address space might
now be allocated for some other (random) use, and the MPX
hardware might now try to walk it as if it were a bounds table.
That would be bad. So any unmapping of an enture bounds table
has to be accompanied by a corresponding write to the bounds
directory entry to invalidate it. That write to the bounds
directory can fault, which causes the following problem:
Since we are doing the freeing from munmap() (and other paths
like it), we hold mmap_sem for write. If we fault, the page
fault handler will attempt to acquire mmap_sem for read and
we will deadlock. To avoid the deadlock, we pagefault_disable()
when touching the bounds directory entry and use a
get_user_pages() to resolve the fault.
The unmapping of bounds tables happends under vm_munmap(). We
also (indirectly) call vm_munmap() to _do_ the unmapping of the
bounds tables. We avoid unbounded recursion by disallowing
freeing of bounds tables *for* bounds tables. This would not
occur normally, so should not have any practical impact. Being
strict about it here helps ensure that we do not have an
exploitable stack overflow.
Based-on-patch-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151831.E4531C4A@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Dave Hansen [Fri, 14 Nov 2014 15:18:29 +0000 (07:18 -0800)]
x86, mpx: On-demand kernel allocation of bounds tables
This is really the meat of the MPX patch set. If there is one patch to
review in the entire series, this is the one. There is a new ABI here
and this kernel code also interacts with userspace memory in a
relatively unusual manner. (small FAQ below).
Long Description:
This patch adds two prctl() commands to provide enable or disable the
management of bounds tables in kernel, including on-demand kernel
allocation (See the patch "on-demand kernel allocation of bounds tables")
and cleanup (See the patch "cleanup unused bound tables"). Applications
do not strictly need the kernel to manage bounds tables and we expect
some applications to use MPX without taking advantage of this kernel
support. This means the kernel can not simply infer whether an application
needs bounds table management from the MPX registers. The prctl() is an
explicit signal from userspace.
PR_MPX_ENABLE_MANAGEMENT is meant to be a signal from userspace to
require kernel's help in managing bounds tables.
PR_MPX_DISABLE_MANAGEMENT is the opposite, meaning that userspace don't
want kernel's help any more. With PR_MPX_DISABLE_MANAGEMENT, the kernel
won't allocate and free bounds tables even if the CPU supports MPX.
PR_MPX_ENABLE_MANAGEMENT will fetch the base address of the bounds
directory out of a userspace register (bndcfgu) and then cache it into
a new field (->bd_addr) in the 'mm_struct'. PR_MPX_DISABLE_MANAGEMENT
will set "bd_addr" to an invalid address. Using this scheme, we can
use "bd_addr" to determine whether the management of bounds tables in
kernel is enabled.
Also, the only way to access that bndcfgu register is via an xsaves,
which can be expensive. Caching "bd_addr" like this also helps reduce
the cost of those xsaves when doing table cleanup at munmap() time.
Unfortunately, we can not apply this optimization to #BR fault time
because we need an xsave to get the value of BNDSTATUS.
==== Why does the hardware even have these Bounds Tables? ====
MPX only has 4 hardware registers for storing bounds information.
If MPX-enabled code needs more than these 4 registers, it needs to
spill them somewhere. It has two special instructions for this
which allow the bounds to be moved between the bounds registers
and some new "bounds tables".
They are similar conceptually to a page fault and will be raised by
the MPX hardware during both bounds violations or when the tables
are not present. This patch handles those #BR exceptions for
not-present tables by carving the space out of the normal processes
address space (essentially calling the new mmap() interface indroduced
earlier in this patch set.) and then pointing the bounds-directory
over to it.
The tables *need* to be accessed and controlled by userspace because
the instructions for moving bounds in and out of them are extremely
frequent. They potentially happen every time a register pointing to
memory is dereferenced. Any direct kernel involvement (like a syscall)
to access the tables would obviously destroy performance.
==== Why not do this in userspace? ====
This patch is obviously doing this allocation in the kernel.
However, MPX does not strictly *require* anything in the kernel.
It can theoretically be done completely from userspace. Here are
a few ways this *could* be done. I don't think any of them are
practical in the real-world, but here they are.
Q: Can virtual space simply be reserved for the bounds tables so
that we never have to allocate them?
A: As noted earlier, these tables are *HUGE*. An X-GB virtual
area needs 4*X GB of virtual space, plus 2GB for the bounds
directory. If we were to preallocate them for the 128TB of
user virtual address space, we would need to reserve 512TB+2GB,
which is larger than the entire virtual address space today.
This means they can not be reserved ahead of time. Also, a
single process's pre-popualated bounds directory consumes 2GB
of virtual *AND* physical memory. IOW, it's completely
infeasible to prepopulate bounds directories.
Q: Can we preallocate bounds table space at the same time memory
is allocated which might contain pointers that might eventually
need bounds tables?
A: This would work if we could hook the site of each and every
memory allocation syscall. This can be done for small,
constrained applications. But, it isn't practical at a larger
scale since a given app has no way of controlling how all the
parts of the app might allocate memory (think libraries). The
kernel is really the only place to intercept these calls.
Q: Could a bounds fault be handed to userspace and the tables
allocated there in a signal handler instead of in the kernel?
A: (thanks to tglx) mmap() is not on the list of safe async
handler functions and even if mmap() would work it still
requires locking or nasty tricks to keep track of the
allocation state there.
Having ruled out all of the userspace-only approaches for managing
bounds tables that we could think of, we create them on demand in
the kernel.
Based-on-patch-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151829.AD4310DE@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Dave Hansen [Fri, 14 Nov 2014 15:18:28 +0000 (07:18 -0800)]
x86, mpx: Decode MPX instruction to get bound violation information
This patch sets bound violation fields of siginfo struct in #BR
exception handler by decoding the user instruction and constructing
the faulting pointer.
We have to be very careful when decoding these instructions. They
are completely controlled by userspace and may be changed at any
time up to and including the point where we try to copy them in to
the kernel. They may or may not be MPX instructions and could be
completely invalid for all we know.
Note: This code is based on Qiaowei Ren's specialized MPX
decoder, but uses the generic decoder whenever possible. It was
tested for robustness by generating a completely random data
stream and trying to decode that stream. I also unmapped random
pages inside the stream to test the "partial instruction" short
read code.
We kzalloc() the siginfo instead of stack allocating it because
we need to memset() it anyway, and doing this makes it much more
clear when it got initialized by the MPX instruction decoder.
Changes from the old decoder:
* Use the generic decoder instead of custom functions. Saved
~70 lines of code overall.
* Remove insn->addr_bytes code (never used??)
* Make sure never to possibly overflow the regoff[] array, plus
check the register range correctly in 32 and 64-bit modes.
* Allow get_reg() to return an error and have mpx_get_addr_ref()
handle when it sees errors.
* Only call insn_get_*() near where we actually use the values
instead if trying to call them all at once.
* Handle short reads from copy_from_user() and check the actual
number of read bytes against what we expect from
insn_get_length(). If a read stops in the middle of an
instruction, we error out.
* Actually check the opcodes intead of ignoring them.
* Dynamically kzalloc() siginfo_t so we don't leak any stack
data.
* Detect and handle decoder failures instead of ignoring them.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Based-on-patch-by: Qiaowei Ren <qiaowei.ren@intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151828.5BDD0915@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Qiaowei Ren [Fri, 14 Nov 2014 15:18:27 +0000 (07:18 -0800)]
x86, mpx: Add MPX-specific mmap interface
We have chosen to perform the allocation of bounds tables in
kernel (See the patch "on-demand kernel allocation of bounds
tables") and to mark these VMAs with VM_MPX.
However, there is currently no suitable interface to actually do
this. Existing interfaces, like do_mmap_pgoff(), have no way to
set a modified ->vm_ops or ->vm_flags and don't hold mmap_sem
long enough to let a caller do it.
This patch wraps mmap_region() and hold mmap_sem long enough to
make the modifications to the VMA which we need.
Also note the 32/64-bit #ifdef in the header. We actually need
to do this at runtime eventually. But, for now, we don't support
running 32-bit binaries on 64-bit kernels. Support for this will
come in later patches.
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151827.CE440F67@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Qiaowei Ren [Fri, 14 Nov 2014 15:18:25 +0000 (07:18 -0800)]
x86, mpx: Introduce VM_MPX to indicate that a VMA is MPX specific
MPX-enabled applications using large swaths of memory can
potentially have large numbers of bounds tables in process
address space to save bounds information. These tables can take
up huge swaths of memory (as much as 80% of the memory on the
system) even if we clean them up aggressively. In the worst-case
scenario, the tables can be 4x the size of the data structure
being tracked. IOW, a 1-page structure can require 4 bounds-table
pages.
Being this huge, our expectation is that folks using MPX are
going to be keen on figuring out how much memory is being
dedicated to it. So we need a way to track memory use for MPX.
If we want to specifically track MPX VMAs we need to be able to
distinguish them from normal VMAs, and keep them from getting
merged with normal VMAs. A new VM_ flag set only on MPX VMAs does
both of those things. With this flag, MPX bounds-table VMAs can
be distinguished from other VMAs, and userspace can also walk
/proc/$pid/smaps to get memory usage for MPX.
In addition to this flag, we also introduce a special ->vm_ops
specific to MPX VMAs (see the patch "add MPX specific mmap
interface"), but currently different ->vm_ops do not by
themselves prevent VMA merging, so we still need this flag.
We understand that VM_ flags are scarce and are open to other
options.
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151825.565625B3@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Dave Hansen [Fri, 14 Nov 2014 15:18:23 +0000 (07:18 -0800)]
x86, mpx: Add MPX to disabled features
This allows us to use cpu_feature_enabled(X86_FEATURE_MPX) as
both a runtime and compile-time check.
When CONFIG_X86_INTEL_MPX is disabled,
cpu_feature_enabled(X86_FEATURE_MPX) will evaluate at
compile-time to 0. If CONFIG_X86_INTEL_MPX=y, then the cpuid
flag will be checked at runtime.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: Qiaowei Ren <qiaowei.ren@intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151823.B358EAD2@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Qiaowei Ren [Fri, 14 Nov 2014 15:18:22 +0000 (07:18 -0800)]
ia64: Sync struct siginfo with general version
New fields about bound violation are added into general struct
siginfo. This will impact MIPS and IA64, which extend general
struct siginfo. This patch syncs this struct for IA64 with
general version.
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151822.82B3B486@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Qiaowei Ren [Fri, 14 Nov 2014 15:18:20 +0000 (07:18 -0800)]
mips: Sync struct siginfo with general version
New fields about bound violation are added into general struct
siginfo. This will impact MIPS and IA64, which extend general
struct siginfo. This patch syncs this struct for MIPS with
general version.
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151820.F7EDC3CC@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Qiaowei Ren [Fri, 14 Nov 2014 15:18:19 +0000 (07:18 -0800)]
mpx: Extend siginfo structure to include bound violation information
This patch adds new fields about bound violation into siginfo
structure. si_lower and si_upper are respectively lower bound
and upper bound when bound violation is caused.
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com> Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141114151819.1908C900@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Dave Hansen [Fri, 14 Nov 2014 15:18:17 +0000 (07:18 -0800)]
x86, mpx: Rename cfg_reg_u and status_reg
According to Intel SDM extension, MPX configuration and status registers
should be BNDCFGU and BNDSTATUS. This patch renames cfg_reg_u and
status_reg to bndcfgu and bndstatus.
[ tglx: Renamed 'struct bndscr_struct' to 'struct bndscr' ]
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: linux-mm@kvack.org Cc: linux-mips@linux-mips.org Cc: Dave Hansen <dave@sr71.net> Cc: Qiaowei Ren <qiaowei.ren@intel.com> Link: http://lkml.kernel.org/r/20141114151817.031762AC@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
That kinda sucks. Every time you access it, you need to know:
1. Each bndX register is two entries wide in "bndregs"
2. The lower comes first followed by upper. We do the +1 to get
upper vs. lower.
This replaces the old definition. You can now access them
indexed by the register number directly, and with a meaningful
name for the lower and upper bound:
It's now *VERY* clear that there are 4 registers. The programmer
now doesn't have to care what order the lower and upper bounds
are in, and it's harder to get it wrong.
[ tglx: Changed ub/lb to upper_bound/lower_bound and renamed struct
bndreg_struct to struct bndreg ]
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Cc: x86@kernel.org Cc: "H. Peter Anvin" <hpa@linux.intel.com> Cc: Qiaowei Ren <qiaowei.ren@intel.com> Cc: "Yu, Fenghua" <fenghua.yu@intel.com> Cc: Dave Hansen <dave@sr71.net> Link: http://lkml.kernel.org/r/20141031215820.5EA5E0EC@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Dave Hansen [Fri, 14 Nov 2014 15:39:57 +0000 (07:39 -0800)]
x86: Remove arbitrary instruction size limit in instruction decoder
The current x86 instruction decoder steps along through the
instruction stream but always ensures that it never steps farther
than the largest possible instruction size (MAX_INSN_SIZE).
The MPX code is now going to be doing some decoding of userspace
instructions. We copy those from userspace in to the kernel and
they're obviously completely untrusted coming from userspace. In
addition to the constraint that instructions can only be so long,
we also have to be aware of how long the buffer is that came in
from userspace. This _looks_ to be similar to what the perf and
kprobes is doing, but it's unclear to me whether they are
affected.
The whole reason we need this is that it is perfectly valid to be
executing an instruction within MAX_INSN_SIZE bytes of an
unreadable page. We should be able to gracefully handle short
reads in those cases.
This adds support to the decoder to record how long the buffer
being decoded is and to refuse to "validate" the instruction if
we would have gone over the end of the buffer to decode it.
The kprobes code probably needs to be looked at here a bit more
carefully. This patch still respects the MAX_INSN_SIZE limit
there but the kprobes code does look like it might be able to
be a bit more strict than it currently is.
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com> Acked-by: Jim Keniston <jkenisto@us.ibm.com> Acked-by: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> Cc: x86@kernel.org Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> Cc: Paul Mackerras <paulus@samba.org> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Srikar Dronamraju <srikar@linux.vnet.ibm.com> Cc: Ananth N Mavinakayanahalli <ananth@in.ibm.com> Cc: Anil S Keshavamurthy <anil.s.keshavamurthy@intel.com> Cc: "David S. Miller" <davem@davemloft.net> Link: http://lkml.kernel.org/r/20141114153957.E6B01535@viggo.jf.intel.com Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Linus Torvalds [Sun, 9 Nov 2014 22:49:56 +0000 (14:49 -0800)]
Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux
Pull arm64 fixes from Catalin Marinas:
- enable bpf syscall for compat
- cpu_suspend fix when checking the idle state type
- defconfig update
* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
arm64: defconfig: update defconfig for 3.18
arm64: compat: Enable bpf syscall
arm64: psci: fix cpu_suspend to check idle state type for index
Linus Torvalds [Sun, 9 Nov 2014 22:46:36 +0000 (14:46 -0800)]
Merge tag 'armsoc-for-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Olof Johansson:
"Another quiet week:
- a fix to silence edma probe error on non-supported platforms from
Arnd
- a fix to enable the PL clock for Parallella, to make mainline
usable with the SDK.
- a somewhat verbose fix for the PLL clock tree on VF610
- enabling of SD/MMC on one of the VF610-based boards (for testing)
- a fix for i.MX where CONFIG_SPI used to be implicitly enabled and
now needs to be added to the defconfig instead
- another maintainer added for bcm2835: Lee Jones"
* tag 'armsoc-for-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
ARM: dts: zynq: Enable PL clocks for Parallella
dma: edma: move device registration to platform code
ARM: dts: vf610: add SD node to cosmic dts
MAINTAINERS: update bcm2835 entry
ARM: imx: Fix the removal of CONFIG_SPI option
ARM: imx: clk-vf610: define PLL's clock tree
Linus Torvalds [Sun, 9 Nov 2014 22:30:24 +0000 (14:30 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
Pull btrfs fix from Chris Mason:
"It's a one liner for an error cleanup path that leads to crashes"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
Btrfs: fix kfree on list_head in btrfs_lookup_csums_range error cleanup
Linus Torvalds [Sun, 9 Nov 2014 22:11:58 +0000 (14:11 -0800)]
Merge tag 'driver-core-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Pull driver core fixes from Greg KH:
"Here are 3 tiny fixes for 3.18-rc4.
One fixes up a long-stading race condition in the driver core for
removing directories in /sys/devices/virtual/ and the other 2 fix up
the wording of a new Kconfig option that was added in 3.18-rc1"
* tag 'driver-core-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
tiny: rename ENABLE_DEV_COREDUMP to ALLOW_DEV_COREDUMP
tiny: reverse logic for DISABLE_DEV_COREDUMP
sysfs: driver core: Fix glue dir race condition by gdp_mutex
Linus Torvalds [Sun, 9 Nov 2014 22:11:07 +0000 (14:11 -0800)]
Merge tag 'staging-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging
Pull staging driver fixes from Greg KH:
"Here are some staging/iio fixes for 3.18-rc4.
Nothing major, just a few bugfixes of things that have been reported"
* tag 'staging-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging:iio:ade7758: Remove "raw" from channel name
staging:iio:ade7758: Fix check if channels are enabled in prenable
staging:iio:ade7758: Fix NULL pointer deref when enabling buffer
iio: as3935: allocate correct iio_device size
io: accel: kxcjk-1013: Fix iio_event_spec direction
iio: tsl4531: Fix compiler error when CONFIG_PM_OPS is not defined
iio: adc: mxs-lradc: Disable the clock on probe failure
iio: st_sensors: Fix buffer copy
staging:iio:ad5933: Drop "raw" from channel names
staging:iio:ad5933: Fix NULL pointer deref when enabling buffer
Linus Torvalds [Sun, 9 Nov 2014 22:07:30 +0000 (14:07 -0800)]
Merge tag 'tty-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty
Pull tty/serial fixes from Greg KH:
"Here are some tiny serial/tty fixes for 3.18-rc4 that resolve some
reported issues"
* tag 'tty-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
tty: Fix pty master poll() after slave closes v2
serial: of-serial: fix uninitialized kmalloc variable
tty/vt: don't set font mappings on vc not supporting this
tty: serial: 8250_mtk: Fix quot calculation
tty: Prevent "read/write wait queue active!" log flooding
tty: Fix high cpu load if tty is unreleaseable
serial: Fix divide-by-zero fault in uart_get_divisor()
Linus Torvalds [Sun, 9 Nov 2014 22:05:53 +0000 (14:05 -0800)]
Merge tag 'usb-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb
Pull USB fixes from Greg KH:
"Here are some USB fixes for 3.18-rc4.
Just a bunch of little fixes resolving reported issues and new device
ids for existing drivers. Full details are in the shortlog"
* tag 'usb-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits)
USB: Update default usb-storage delay_use value in kernel-parameters.txt
USB: cdc-acm: add quirk for control-line state requests
phy: omap-usb2: Enable runtime PM of omap-usb2 phy properly
USB: storage: Fix timeout in usb_stor_euscsi_init() and usb_stor_huawei_e220_init()
USB: cdc-acm: only raise DTR on transitions from B0
Revert "storage: Replace magic number with define in usb_stor_euscsi_init()"
usb: core: notify disconnection when core detects disconnect
usb: core: need to call usb_phy_notify_connect after device setup
uas: Add US_FL_NO_ATA_1X quirk for 2 more Seagate models
xhci: no switching back on non-ULT Haswell
USB: quirks: enable device-qualifier quirk for yet another Elan touchscreen
USB: quirks: enable device-qualifier quirk for another Elan touchscreen
MAINTAINERS: Remove duplicate entry for usbip driver
usb: storage: fix build warnings !CONFIG_PM
usb: Remove references to non-existent PLAT_S5P symbol
uas: Add NO_ATA_1X for VIA VL711 devices
xhci: Disable streams on Asmedia 1042 xhci controllers
USB: HWA: fix a warning message
uas: Add US_FL_NO_ATA_1X quirk for 1 more Seagate model
usb-storage: handle a skipped data phase
...
Andreas Färber [Thu, 6 Nov 2014 17:22:10 +0000 (18:22 +0100)]
ARM: dts: zynq: Enable PL clocks for Parallella
The Parallella board comes with a U-Boot bootloader that loads one of
two predefined FPGA bitstreams before booting the kernel. Both define an
AXI interface to the on-board Epiphany processor.
Enable clocks FCLK0..FCLK3 for the Programmable Logic by default.
Otherwise accessing, e.g., the ESYSRESET register freezes the board,
as seen with the Epiphany SDK tools e-reset and e-hw-rev, using /dev/mem.
Cc: <stable@vger.kernel.org> # 3.17.x Signed-off-by: Andreas Färber <afaerber@suse.de> Acked-by: Michal Simek <michal.simek@xilinx.com> Signed-off-by: Olof Johansson <olof@lixom.net>
Linus Torvalds [Sat, 8 Nov 2014 17:32:29 +0000 (09:32 -0800)]
Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c bugfixes from Wolfram Sang:
"One bigger cleanup (FSF address removal) and two bugfixes for I2C"
* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: core: Dispose OF IRQ mapping at client removal time
i2c: at91: don't account as iowait
i2c: remove FSF address
Pull media fixes from Mauro Carvalho Chehab:
"For:
- some regression fixes at the Remote Controller core and imon driver
- a build fix for certain randconfigs with ir-hix5hd2
- don't feed power to satellite system at ds3000 driver init
It also contains some fixes for drivers added for Kernel 3.18:
- some fixes at the new ISDB-S driver, and the corresponding bits to
fix some descriptors for this Japanese TV standard at the DVB core
- two warning cleanups for sp2 driver if PM is disabled
- change the default mode for the new vivid driver"
* git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
[media] sp2: sp2_init() can be static
[media] dvb:tc90522: fix always-false expression
[media] dvb-core: set default properties of ISDB-S
[media] dvb:tc90522: fix stats report
[media] vivid: default to single planar device instances
[media] imon: fix other RC type protocol support
[media] ir-hix5hd2 fix build warning
[media] ds3000: fix LNB supply voltage on Tevii S480 on initialization
[media] rc5-decoder: BZ#85721: Fix RC5-SZ decoding
[media] rc-core: fix protocol_change regression in ir_raw_event_register
Linus Torvalds [Sat, 8 Nov 2014 02:08:02 +0000 (18:08 -0800)]
Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS updates from Ralf Baechle:
"This weeks' round of MIPS bug fixes for 3.18:
- wire up the bpf syscall
- fix TLB dump output for R3000 class TLBs
- fix strnlen_user return value if no NUL character was found.
- fix build with binutils 2.24.51+. While there is no binutils 2.25
release yet, toolchains derived from binutils 2.24.51+ are already
in common use.
- the Octeon GPIO code forgot to offline GPIO IRQs.
- fix build error for XLP.
- fix possible BUG assertion with EVA for CMA"
* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
MIPS: Fix build with binutils 2.24.51+
MIPS: R3000: Fix debug output for Virtual page number
MIPS: Fix strnlen_user() return value in case of overlong strings.
MIPS: CMA: Do not reserve memory if not required
MIPS: Wire up bpf syscall.
MIPS/Xlp: Remove the dead function destroy_irq() to fix build error
MIPS: Octeon: Make Octeon GPIO IRQ chip CPU hotplug-aware
Linus Torvalds [Fri, 7 Nov 2014 22:08:13 +0000 (14:08 -0800)]
Merge tag 'xfs-for-linus-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs
Pull xfs fixes from Dave Chinner:
"This update fixes a warning in the new pagecache_isize_extended() and
updates some related comments, another fix for zero-range
misbehaviour, and an unforntuately large set of fixes for regressions
in the bulkstat code.
The bulkstat fixes are large but necessary. I wouldn't normally push
such a rework for a -rcX update, but right now xfsdump can silently
create incomplete dumps on 3.17 and it's possible that even xfsrestore
won't notice that the dumps were incomplete. Hence we need to get
this update into 3.17-stable kernels ASAP.
In more detail, the refactoring work I committed in 3.17 has exposed a
major hole in our QA coverage. With both xfsdump (the major user of
bulkstat) and xfsrestore silently ignoring missing files in the
dump/restore process, incomplete dumps were going unnoticed if they
were being triggered. Many of the dump/restore filesets were so small
that they didn't evenhave a chance of triggering the loop iteration
bugs we introduced in 3.17, so we didn't exercise the code
sufficiently, either.
We have already taken steps to improve QA coverage in xfstests to
avoid this happening again, and I've done a lot of manual verification
of dump/restore on very large data sets (tens of millions of inodes)
of the past week to verify this patch set results in bulkstat behaving
the same way as it does on 3.16.
Unfortunately, the fixes are not exactly simple - in tracking down the
problem historic API warts were discovered (e.g xfsdump has been
working around a 20 year old bug in the bulkstat API for the past 10
years) and so that complicated the process of diagnosing and fixing
the problems. i.e. we had to fix bugs in the code as well as
discover and re-introduce the userspace visible API bugs that we
unwittingly "fixed" in 3.17 that xfsdump relied on to work correctly.
Summary:
- incorrect warnings about i_mutex locking in pagecache_isize_extended()
and updates comments to match expected locking
- another zero-range bug fix for stray file size updates
- a bunch of fixes for regression in the bulkstat code introduced in
3.17"
* tag 'xfs-for-linus-3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/dgc/linux-xfs:
xfs: track bulkstat progress by agino
xfs: bulkstat error handling is broken
xfs: bulkstat main loop logic is a mess
xfs: bulkstat chunk-formatter has issues
xfs: bulkstat chunk formatting cursor is broken
xfs: bulkstat btree walk doesn't terminate
mm: Fix comment before truncate_setsize()
xfs: rework zero range to prevent invalid i_size updates
mm: Remove false WARN_ON from pagecache_isize_extended()
xfs: Check error during inode btree iteration in xfs_bulkstat()
xfs: bulkstat doesn't release AGI buffer on error
Linus Torvalds [Fri, 7 Nov 2014 19:55:47 +0000 (11:55 -0800)]
Merge tag 'regulator-v3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator
Pull regulator fixes from Mark Brown:
"More changes than I'd like here, most of them for a single bug
repeated in a bunch of drivers with data not being initialized
correctly, plus a fix to lower the severity of a warning introduced in
the last merge window which can legitimately go off so we don't want
to alarm users excessively"
* tag 'regulator-v3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
regulator: s2mpa01: zero-initialize regulator match table array
regulator: max8660: zero-initialize regulator match table array
regulator: max77802: zero-initialize regulator match table
regulator: max77686: zero-initialize regulator match table
regulator: max1586: zero-initialize regulator match table array
regulator: max77693: Fix use of uninitialized regulator config
regulator: of: Lower the severity of the error with no container
Linus Torvalds [Fri, 7 Nov 2014 19:54:44 +0000 (11:54 -0800)]
Merge tag 'spi-v3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi
Pull spi bugfixes from Mark Brown:
"A couple of small driver fixes for v3.18, both quite problematic if
you hit a use case that's affected"
* tag 'spi-v3.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
spi: pxa2xx: toggle clocks on suspend if not disabled by runtime PM
spi: fsl-dspi: Fix CTAR selection
Johannes Berg [Thu, 30 Oct 2014 09:00:35 +0000 (10:00 +0100)]
tiny: rename ENABLE_DEV_COREDUMP to ALLOW_DEV_COREDUMP
The ENABLE_DEV_COREDUMP option is misleading as it implies that
it gets the framework enabled, this isn't true it just allows it
to get enabled if a driver needs it.
Rename it to ALLOW_DEV_COREDUMP to better capture its semantics.
Aristeu Rozanski [Thu, 16 Oct 2014 15:49:49 +0000 (11:49 -0400)]
tiny: reverse logic for DISABLE_DEV_COREDUMP
It's desirable for allnconfig and tinyconfig targets to result in the
least amount of code possible. DISABLE_DEV_COREDUMP exists as a way to
switch off DEV_COREDUMP regardless if any drivers select
WANT_DEV_COREDUMP.
This patch renames the option to ENABLE_DEV_COREDUMP and setting it to
'n' (as in allnconfig or tinyconfig) will effectively disable device
coredump.
Mark Knibbs [Tue, 4 Nov 2014 13:00:15 +0000 (13:00 +0000)]
USB: Update default usb-storage delay_use value in kernel-parameters.txt
Back in 2010 the default usb-storage delay_use time was reduced from 5 to 1
second (commit a4a47bc03fe520e95e0c4212bf97c86545fb14f9), but
kernel-parameters.txt wasn't updated to reflect that.
Signed-off-by: Mark Knibbs <markk@clara.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yijing Wang [Fri, 7 Nov 2014 04:05:49 +0000 (12:05 +0800)]
sysfs: driver core: Fix glue dir race condition by gdp_mutex
There is a race condition when removing glue directory.
It can be reproduced in following test:
path 1: Add first child device
device_add()
get_device_parent()
/*find parent from glue_dirs.list*/
list_for_each_entry(k, &dev->class->p->glue_dirs.list, entry)
if (k->parent == parent_kobj) {
kobj = kobject_get(k);
break;
}
....
class_dir_create_and_add()
path2: Remove last child device under glue dir
device_del()
cleanup_device_parent()
cleanup_glue_dir()
kobject_put(glue_dir);
If path2 has been called cleanup_glue_dir(), but not
call kobject_put(glue_dir), the glue dir is still
in parent's kset list. Meanwhile, path1 find the glue
dir from the glue_dirs.list. Path2 may release glue dir
before path1 call kobject_get(). So kernel will report
the warning and bug_on.
This is a "classic" problem we have of a kref in a list
that can be found while the last instance could be removed
at the same time.
This patch reuse gdp_mutex to fix this race condition.
The following calltrace is captured in kernel 3.4, but
the latest kernel still has this bug.
Manuel Lauss [Fri, 7 Nov 2014 13:13:54 +0000 (14:13 +0100)]
MIPS: Fix build with binutils 2.24.51+
Starting with version 2.24.51.20140728 MIPS binutils complain loudly
about mixing soft-float and hard-float object files, leading to this
build failure since GCC is invoked with "-msoft-float" on MIPS:
To fix this, we detect if GAS is new enough to support "-msoft-float" command
option, and if it does, we can let GCC pass it to GAS; but then we also need
to sprinkle the files which make use of floating point registers with the
necessary ".set hardfloat" directives.
Signed-off-by: Manuel Lauss <manuel.lauss@gmail.com> Cc: Linux-MIPS <linux-mips@linux-mips.org> Cc: Matthew Fortune <Matthew.Fortune@imgtec.com> Cc: Markos Chandras <Markos.Chandras@imgtec.com> Cc: Maciej W. Rozycki <macro@linux-mips.org>
Patchwork: https://patchwork.linux-mips.org/patch/8355/ Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Dave Chinner [Thu, 6 Nov 2014 21:33:52 +0000 (08:33 +1100)]
xfs: track bulkstat progress by agino
The bulkstat main loop progress is tracked by the "lastino"
variable, which is a full 64 bit inode. However, the loop actually
works on agno/agino pairs, and so there's a significant disconnect
between the rest of the loop and the main cursor. Convert this to
use the agino, and pass the agino into the chunk formatting function
and convert it too.
This gets rid of the inconsistency in the loop processing, and
finally makes it simple for us to skip inodes at any point in the
loop simply by incrementing the agino cursor.
cc: <stable@vger.kernel.org> # 3.17 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com>
Dave Chinner [Thu, 6 Nov 2014 21:31:15 +0000 (08:31 +1100)]
xfs: bulkstat error handling is broken
The error propagation is a horror - xfs_bulkstat() returns
a rval variable which is only set if there are formatter errors. Any
sort of btree walk error or corruption will cause the bulkstat walk
to terminate but will not pass an error back to userspace. Worse
is the fact that formatter errors will also be ignored if any inodes
were correctly formatted into the user buffer.
Hence bulkstat can fail badly yet still report success to userspace.
This causes significant issues with xfsdump not dumping everything
in the filesystem yet reporting success. It's not until a restore
fails that there is any indication that the dump was bad and tha
bulkstat failed. This patch now triggers xfsdump to fail with
bulkstat errors rather than silently missing files in the dump.
This now causes bulkstat to fail when the lastino cookie does not
fall inside an existing inode chunk. The pre-3.17 code tolerated
that error by allowing the code to move to the next inode chunk
as the agino target is guaranteed to fall into the next btree
record.
With the fixes up to this point in the series, xfsdump now passes on
the troublesome filesystem image that exposes all these bugs.
cc: <stable@vger.kernel.org> Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com>
Dave Chinner [Thu, 6 Nov 2014 21:31:13 +0000 (08:31 +1100)]
xfs: bulkstat main loop logic is a mess
There are a bunch of variables tha tare more wildy scoped than they
need to be, obfuscated user buffer checks and tortured "next inode"
tracking. This all needs cleaning up to expose the real issues that
need fixing.
cc: <stable@vger.kernel.org> # 3.17 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com>
Dave Chinner [Thu, 6 Nov 2014 21:30:58 +0000 (08:30 +1100)]
xfs: bulkstat chunk-formatter has issues
The loop construct has issues:
- clustidx is completely unused, so remove it.
- the loop tries to be smart by terminating when the
"freecount" tells it that all inodes are free. Just drop
it as in most cases we have to scan all inodes in the
chunk anyway.
- move the "user buffer left" condition check to the only
point where we consume space int eh user buffer.
- move the initialisation of agino out of the loop, leaving
just a simple loop control logic using the clusteridx.
Also, double handling of the user buffer variables leads to problems
tracking the current state - use the cursor variables directly
rather than keeping local copies and then having to update the
cursor before returning.
cc: <stable@vger.kernel.org> # 3.17 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com>
Dave Chinner [Thu, 6 Nov 2014 21:30:30 +0000 (08:30 +1100)]
xfs: bulkstat chunk formatting cursor is broken
The xfs_bulkstat_agichunk formatting cursor takes buffer values from
the main loop and passes them via the structure to the chunk
formatter, and the writes the changed values back into the main loop
local variables. Unfortunately, this complex dance is full of corner
cases that aren't handled correctly.
The biggest problem is that it is double handling the information in
both the main loop and the chunk formatting function, leading to
inconsistent updates and endless loops where progress is not made.
To fix this, push the struct xfs_bulkstat_agichunk outwards to be
the primary holder of user buffer information. this removes the
double handling in the main loop.
Also, pass the last inode processed by the chunk formatter as a
separate parameter as it purely an output variable and is not
related to the user buffer consumption cursor.
Finally, the chunk formatting code is not shared by anyone, so make
it local to xfs_itable.c.
cc: <stable@vger.kernel.org> # 3.17 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com>
Dave Chinner [Thu, 6 Nov 2014 21:29:57 +0000 (08:29 +1100)]
xfs: bulkstat btree walk doesn't terminate
The bulkstat code has several different ways of detecting the end of
an AG when doing a walk. They are not consistently detected, and the
code that checks for the end of AG conditions is not consistently
coded. Hence the are conditions where the walk code can get stuck in
an endless loop making no progress and not triggering any
termination conditions.
Convert all the "tmp/i" status return codes from btree operations
to a common name (stat) and apply end-of-ag detection to these
operations consistently.
cc: <stable@vger.kernel.org> # 3.17 Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com>
Jan Kara [Thu, 6 Nov 2014 21:29:25 +0000 (08:29 +1100)]
mm: Fix comment before truncate_setsize()
XFS doesn't always hold i_mutex when calling truncate_setsize() and it
uses a different lock to serialize truncates and writes. So fix the
comment before truncate_setsize().
Reported-by: Jan Beulich <JBeulich@suse.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Dave Chinner <david@fromorbit.com>
Johan Hovold [Thu, 6 Nov 2014 17:08:33 +0000 (18:08 +0100)]
USB: cdc-acm: add quirk for control-line state requests
Add new quirk for devices that cannot handle control-line state
requests.
Note that we currently send these requests to all devices, regardless of
whether they claim to support it, but that errors are only logged if
support is claimed.
Since commit 0943d8ead30e ("USB: cdc-acm: use tty-port dtr_rts"), which
only changed the timings for these requests slightly, this has been
reported to cause occasional firmware crashes on Simtec Electronics
Entropy Key devices after re-enumeration. Enable the quirk for this
device.
Merge tag 'fixes-for-v3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus
Felipe writes:
usb: fixes for v3.18-rc4
A single fix this for dwc2 this time. Because of
excessive debugging messages, dwc2 would sometimes
fail enumeration. The fix is simple, just converting
a dev_info() into dev_dbg().
Commit f95499c3030f ("n_tty: Don't wait for buffer work in read() loop")
introduces a race window where a pty master can be signalled that the pty
slave was closed before all the data that the slave wrote is delivered.
Commit f8747d4a466a ("tty: Fix pty master read() after slave closes") fixed the
problem in case of n_tty_read, but the problem still exists for n_tty_poll.
This can be seen by running 'for ((i=0; i<100;i++));do ./test.py ;done'
where test.py is:
import os, select, pty
(pid, pty_fd) = pty.fork()
if pid == 0:
os.write(1, 'This string should be received by parent')
else:
poller = select.epoll()
poller.register( pty_fd, select.EPOLLIN )
ready = poller.poll( 1 * 1000 )
for fd, events in ready:
if not events & select.EPOLLIN:
print 'missed POLLIN event'
else:
print os.read(fd, 100)
poller.close()
The string from the slave is missed several times.
This patch takes the same approach as the fix for read and special cases
this condition for poll.
Tested on 3.16.
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linus Torvalds [Thu, 6 Nov 2014 19:33:06 +0000 (11:33 -0800)]
Merge tag 'pci-v3.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci
Pull PCI fix from Bjorn Helgaas:
"This fixes an oops when enabling SR-IOV VF devices. The oops is a
regression I added by configuring all devices during enumeration.
- Don't oops on virtual buses in acpi_pci_get_bridge_handle() (Yinghai Lu)"
* tag 'pci-v3.18-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
PCI: Don't oops on virtual buses in acpi_pci_get_bridge_handle()
Linus Torvalds [Thu, 6 Nov 2014 19:31:32 +0000 (11:31 -0800)]
Merge tag 'sound-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound
Pull sound fixes from Takashi Iwai:
"This update contains mostly only fixes for Realtek HD-audio codec
driver in addition to a long-standing sysfs warning bug fix for
USB-audio.
One significant fix for Realtek codecs is the update of EAPD init
codes. This avoids invalid COEF setups for some codec models and may
fix "lost sound" in some cases.
The rest are a bit high volume but only new quirks and ALC668-specific
COEF tables"
* tag 'sound-3.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
ALSA: hda/realtek - Restore default value for ALC668
ALSA: usb-audio: Fix device_del() sysfs warnings at disconnect
ALSA: hda - fix mute led problem for three HP laptops
ALSA: hda/realtek - Update Initial AMP for EAPD control
ALSA: hda - change three SSID quirks to one pin quirk
ALSA: hda - Set GPIO 4 low for a few HP machines
ALSA: hda - Add ultra dock support for Thinkpad X240.
Isamu Mogi [Thu, 30 Oct 2014 13:07:36 +0000 (22:07 +0900)]
MIPS: R3000: Fix debug output for Virtual page number
Virtual page number of R3000 in entryhi is 20 bit from MSB. But in
dump_tlb(), the bit mask to read it from entryhi is 19 bit (0xffffe000).
The patch fixes that to 0xfffff000.
spi: pxa2xx: toggle clocks on suspend if not disabled by runtime PM
If PM_RUNTIME is enabled, it is easy to trigger the following backtrace
on pxa2xx hosts:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1 at /home/lumag/linux/arch/arm/mach-pxa/clock.c:35 clk_disable+0xa0/0xa8()
Modules linked in:
CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00007-g1b3d2ee-dirty #104
[<c000de68>] (unwind_backtrace) from [<c000c078>] (show_stack+0x10/0x14)
[<c000c078>] (show_stack) from [<c001d75c>] (warn_slowpath_common+0x6c/0x8c)
[<c001d75c>] (warn_slowpath_common) from [<c001d818>] (warn_slowpath_null+0x1c/0x24)
[<c001d818>] (warn_slowpath_null) from [<c0015e80>] (clk_disable+0xa0/0xa8)
[<c0015e80>] (clk_disable) from [<c02507f8>] (pxa2xx_spi_suspend+0x2c/0x34)
[<c02507f8>] (pxa2xx_spi_suspend) from [<c0200360>] (platform_pm_suspend+0x2c/0x54)
[<c0200360>] (platform_pm_suspend) from [<c0207fec>] (dpm_run_callback.isra.14+0x2c/0x74)
[<c0207fec>] (dpm_run_callback.isra.14) from [<c0209254>] (__device_suspend+0x120/0x2f8)
[<c0209254>] (__device_suspend) from [<c0209a94>] (dpm_suspend+0x50/0x208)
[<c0209a94>] (dpm_suspend) from [<c00455ac>] (suspend_devices_and_enter+0x8c/0x3a0)
[<c00455ac>] (suspend_devices_and_enter) from [<c0045ad4>] (pm_suspend+0x214/0x2a8)
[<c0045ad4>] (pm_suspend) from [<c04b5c34>] (test_suspend+0x14c/0x1dc)
[<c04b5c34>] (test_suspend) from [<c000880c>] (do_one_initcall+0x8c/0x1fc)
[<c000880c>] (do_one_initcall) from [<c04aecfc>] (kernel_init_freeable+0xf4/0x1b4)
[<c04aecfc>] (kernel_init_freeable) from [<c0378078>] (kernel_init+0x8/0xec)
[<c0378078>] (kernel_init) from [<c0009590>] (ret_from_fork+0x14/0x24)
---[ end trace 46524156d8faa4f6 ]---
This happens because suspend function tries to disable a clock that is
already disabled by runtime_suspend callback. Add if
(!pm_runtime_suspended()) checks to suspend/resume path.
Fixes: 7d94a505858 (spi/pxa2xx: add support for runtime PM) Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> Reported-by: Andrea Adami <andrea.adami@gmail.com> Signed-off-by: Mark Brown <broonie@kernel.org> Cc: stable@vger.kernel.org
The info pointer points to an uninitialized kmalloced space.
If a device doesn't have clk property, then info->clk may
have unpredicated value and cause call trace. So use kzalloc
to make sure it is NULL initialized.
Imre Deak [Thu, 2 Oct 2014 13:34:31 +0000 (16:34 +0300)]
tty/vt: don't set font mappings on vc not supporting this
We can call this function for a dummy console that doesn't support
setting the font mapping, which will result in a null ptr BUG. So check
for this case and return error for consoles w/o font mapping support.
The calculation of value quot for highspeed register set to three
was wrong. This patch fixes the calculation so that the serial port
for baudrates bigger then 576000 baud is working correctly.
Arnd Bergmann [Fri, 24 Oct 2014 16:14:01 +0000 (18:14 +0200)]
dma: edma: move device registration to platform code
The horrible split between the low-level part of the edma support
and the dmaengine front-end driver causes problems on multiplatform
kernels. This is an attempt to improve the situation slightly
by only registering the dmaengine devices that are actually
present.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
[olof: add missing include of linux/dma-mapping.h] Signed-off-by: Olof Johansson <olof@lixom.net> Signed-off-by: Olof Johansson <olof@lixom.net>
Peter Hurley [Thu, 16 Oct 2014 17:51:30 +0000 (13:51 -0400)]
tty: Fix high cpu load if tty is unreleaseable
Kernel oops can cause the tty to be unreleaseable (for example, if
n_tty_read() crashes while on the read_wait queue). This will cause
tty_release() to endlessly loop without sleeping.
Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
[0, 120 secs.) and then jumps to forever (but still killable).
NB: killable just allows for the task to be rewoken manually, not
to be terminated.
Cc: <stable@vger.kernel.org> # since before 2.6.32 Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Hurley [Thu, 16 Oct 2014 17:46:38 +0000 (13:46 -0400)]
serial: Fix divide-by-zero fault in uart_get_divisor()
uart_get_baud_rate() will return baud == 0 if the max rate is set
to the "magic" 38400 rate and the SPD_* flags are also specified.
On the first iteration, if the current baud rate is higher than the
max, the baud rate is clamped at the max (which in the degenerate
case is 38400). On the second iteration, the now-"magic" 38400 baud
rate selects the possibly higher alternate baud rate indicated by
the SPD_* flag. Since only two loop iterations are performed, the
loop is exited, a kernel WARNING is generated and a baud rate of
0 is returned.
Only perform the "magic" 38400 -> SPD_* baud transform on the first
loop iteration, which prevents the degenerate case from recognizing
the clamped baud rate as the "magic" 38400 value.
Reported-by: Robert Święcki <robert@swiecki.net> Cc: <stable@vger.kernel.org> # all Signed-off-by: Peter Hurley <peter@hurleysoftware.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kailang Yang [Fri, 24 Oct 2014 07:43:46 +0000 (15:43 +0800)]
ALSA: hda/realtek - Restore default value for ALC668
Restore the registers to prevent the abnormal digital power supply
rising ratio/sequence to the codec and causing the incorrect default
codec register restoration during initialization.
Signed-off-by: Kailang Yang <kailang@realtek.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Oussama Ghorbel [Tue, 4 Nov 2014 06:17:06 +0000 (11:47 +0530)]
phy: omap-usb2: Enable runtime PM of omap-usb2 phy properly
The USB OTG port does not work since v3.16 on omap platform.
This is a regression introduced by the commit eb82a3d846fa (phy: omap-usb2: Balance pm_runtime_enable() on probe failure
and remove).
This because the call to pm_runtime_enable() function is moved after the
call to devm_phy_create() function, which has side effect since later in
the subsequent calls of devm_phy_create() there is a check with
pm_runtime_enabled() to configure few things.
Fixes: eb82a3d846fa Signed-off-by: Oussama Ghorbel <ghorbel@pivasoftware.com> Tested-by: Rabin Vincent <rabin@rab.in> Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linus Torvalds [Wed, 5 Nov 2014 20:13:52 +0000 (12:13 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 update from Martin Schwidefsky:
"One small improvement for the cputime accounting, two bug fixes and an
update for the default configuration files"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/ftrace: add ftrace_graph_is_dead() check
s390: update default configuration
s390/vdso: fix stack corruption
s390/time: use stck clock fast for do_account_vtime
Yinghai Lu [Thu, 30 Oct 2014 16:17:25 +0000 (10:17 -0600)]
PCI: Don't oops on virtual buses in acpi_pci_get_bridge_handle()
acpi_pci_get_bridge_handle() returns the ACPI handle for the bridge device
(either a host bridge or a PCI-to-PCI bridge) leading to a PCI bus. But
SR-IOV virtual functions can be on a virtual bus with no bridge leading to
it. Return a NULL acpi_handle in this case instead of trying to
dereference the NULL pointer to the bridge.
This fixes a NULL pointer dereference oops in pci_get_hp_params() when
adding SR-IOV VF devices on virtual buses.
Merge tag 'iio-fixes-for-3.18b' of git://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus
Jonathan writes:
Second round of IIO fixes for the 3.18 cycle.
* tsl4531 - fix a compile error when CONFIG_PM_OPS not set.
* kxcjk-1013 - event spec direction was invalid - leading to 'interesting'
attrribute names.
* as3935 - sizeof(st) used instead of sizeof(*st) leading to allocation of
space for a pointer rather than the structure desired.
* ade7758 - Another null pointer deref fix due to different channels
being provided to the the buffer register than used for the sysfs
side of things.
* ade7758 - Check there is a channel enabled in preenable for the buffer
before doing anything.
* ade7758 - Drop a stray raw from the channel name that leads to _raw_raw
postfix.
staging:iio:ade7758: Fix NULL pointer deref when enabling buffer
In older versions of the IIO framework it was possible to pass a completely
different set of channels to iio_buffer_register() as the one that is
assigned to the IIO device. Commit 959d2952d124 ("staging:iio: make
iio_sw_buffer_preenable much more general.") introduced a restriction that
requires that the set of channels that is passed to iio_buffer_register() is
a subset of the channels assigned to the IIO device as the IIO core will use
the list of channels that is assigned to the device to lookup a channel by
scan index in iio_compute_scan_bytes(). If it can not find the channel the
function will crash. This patch fixes the issue by making sure that the same
set of channels is assigned to the IIO device and passed to
iio_buffer_register().
Note that we need to remove the IIO_CHAN_INFO_RAW and IIO_CHAN_INFO_SCALE
info attributes from the channels since we don't actually want those to be
registered.
Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Cc: <stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Daniel Baluta [Fri, 10 Oct 2014 14:53:00 +0000 (15:53 +0100)]
io: accel: kxcjk-1013: Fix iio_event_spec direction
Because IIO_EV_DIR_* are not bitmasks but enums,
IIO_EV_DIR_RISING | IIO_EV_DIR_FALLING is not equal
with IIO_EV_DIR_EITHER.
This could lead to potential misformatted sysfs attributes
like:
* in_accel_x_thresh_(null)_en
* in_accel_x_thresh_(null)_period
* in_accel_x_thresh_(null)_value
or even memory corruption.
Fixes: b4b491c083 (iio: accel: kxcjk-1013: Support threshold) Signed-off-by: Daniel Baluta <daniel.baluta@intel.com> Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Dan Murphy [Mon, 20 Oct 2014 19:52:02 +0000 (14:52 -0500)]
iio: tsl4531: Fix compiler error when CONFIG_PM_OPS is not defined
Fix the compiler error when the CONFIG_PM_OPS flag is not set.
drivers/iio/light/tsl4531.c:235:8: error: ‘tsl4531_suspend’ undeclared here (not in a function)
drivers/iio/light/tsl4531.c:235:8: error: ‘tsl4531_resume’ undeclared here (not in a function)
Signed-off-by: Dan Murphy <dmurphy@ti.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Use byte_for_channel as iterator to properly initialize the buffer.
Signed-off-by: Robin van der Gracht <robin@protonic.nl> Acked-by: Denis Ciocca <denis.ciocca@st.com> Signed-off-by: Jonathan Cameron <jic23@kernel.org> Cc: <Stable@vger.kernel.org>
staging:iio:ad5933: Fix NULL pointer deref when enabling buffer
In older versions of the IIO framework it was possible to pass a
completely different set of channels to iio_buffer_register() as the one
that is assigned to the IIO device. Commit 959d2952d124 ("staging:iio: make
iio_sw_buffer_preenable much more general.") introduced a restriction that
requires that the set of channels that is passed to iio_buffer_register() is
a subset of the channels assigned to the IIO device as the IIO core will use
the list of channels that is assigned to the device to lookup a channel by
scan index in iio_compute_scan_bytes(). If it can not find the channel the
function will crash. This patch fixes the issue by making sure that the same
set of channels is assigned to the IIO device and passed to
iio_buffer_register().
Fixes: 959d2952d124 ("staging:iio: make iio_sw_buffer_preenable much more general.") Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Cc: Stable@vger.kernel.org Signed-off-by: Jonathan Cameron <jic23@kernel.org>
This comes from the fact that usb-audio driver may receive the
disconnect callback multiple times, per each usb interface. When a
device has both audio and midi interfaces, it gets called twice, and
currently the driver tries to release resources at the last call.
At this point, the first parent interface has been already deleted,
thus deleting a child of the first parent hits such a warning.
For fixing this problem, we need to call snd_card_disconnect() and
cancel pending operations at the very first disconnect while the
release of the whole objects waits until the last disconnect call.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=80931 Reported-and-tested-by: Tomas Gayoso <tgayoso@gmail.com> Reported-and-tested-by: Chris J Arges <chris.j.arges@canonical.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Miklos Szeredi [Tue, 4 Nov 2014 15:11:03 +0000 (16:11 +0100)]
ovl: don't poison cursor
ovl_cache_put() can be called from ovl_dir_reset() if the cache needs to be
rebuilt. We did list_del() on the cursor, which results in an Oops on the
poisoned pointer in ovl_seek_cursor().
Since commit 89168b489915 ("mmc: core: restore detect line inversion
semantics"), the SD card on i.MX28 (and possibly other) devices isn't
detected and booting stops at:
[ 4.120617] Waiting for root device /dev/mmcblk0p3...
This is caused by the MMC_CAP2_CD_ACTIVE_HIGH flag being set incorrectly
when the host controller doesn't use a GPIO for card detection (but
instead uses a dedicated pin). In this case mmc_gpiod_request_cd() will
return before assigning to the gpio_invert variable, leaving the
variable uninitialized. The variable then gets used to set the flag.
This patch fixes the issue by making sure gpio_invert is set to false
when a GPIO isn't used. After this patch, i.MX28 boots fine.
The MMC_CAP2_RO_ACTIVE_HIGH (write protect) flag is also set incorrectly
for the exact same reason (it uses the same uninitialized variable), so
this patch fixes that too.
Hui Wang [Wed, 5 Nov 2014 04:17:58 +0000 (12:17 +0800)]
ALSA: hda - fix mute led problem for three HP laptops
Without the fix, the mute led can't work on these three machines.
After apply this fix, these three machines will fall back on the led
control quirk as below, and through testing, the mute led works very
well.
PIN_QUIRK(0x10ec0282, 0x103c, "HP", ALC269_FIXUP_HP_LINE1_MIC1_LED,
ALC282_STANDARD_PINS,
{0x12, 0x90a60140},
...
BugLink: https://bugs.launchpad.net/bugs/1389497 Tested-by: TieFu Chen <tienfu.chen@canonical.com> Cc: Kailang Yang <kailang@realtek.com> Cc: stable@vger.kernel.org Signed-off-by: Hui Wang <hui.wang@canonical.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
Olof Johansson [Wed, 5 Nov 2014 04:37:25 +0000 (20:37 -0800)]
Merge tag 'imx-fixes-3.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into fixes
Merge "ARM: imx: fixes for 3.18, 2nd round" from Shawn Guo:
"This is the second round of i.MX fixes for 3.18. The clk-vf610 fix is
relatively big, because it needs some adaption to the change made by
offending commit dc4805c2e78b (ARM: imx: remove ENABLE and BYPASS bits
from clk-pllv3 driver). And it should have been sent to you for earlier
-rc inclusion, but unfortunately it got delayed for some time because
Stefan wasn't aware of my email address change."
The i.MX fixes for 3.18, 2nd round:
- Fix a regression on Vybrid platform which is caused by commit dc4805c2e78b (ARM: imx: remove ENABLE and BYPASS bits from clk-pllv3
driver), and results in a missing configuration on PLL clocks.
- Fix a regression with i.MX defconfig files where CONFIG_SPI option
gets lost accidentally.
* tag 'imx-fixes-3.18-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: (460 commits)
ARM: imx: Fix the removal of CONFIG_SPI option
ARM: imx: clk-vf610: define PLL's clock tree
+ Linux 3.18-rc3
Linus Torvalds [Tue, 4 Nov 2014 19:57:27 +0000 (11:57 -0800)]
Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal
Pull thermal fixes from Eduardo Valentin:
"Specifics:
- a few code fixes improving the Exynos code base. They remove dead
and unreachable code. No functional changes here
- in Exynos code base, fixes regarding the right usage of features
(TRIMINFO and TRIMRELOAD)
- documentation of RCAR thermal
- fix in the of-thermal, regarding the proper usage of of-APIs
- fixes on thermal-core, removal of unreachable code"
[ Eduardo is sending the thermal fixes on behalf of Rui Zhang this time.
Rui is currently unable to send pull requests due to troubles with his
machine and he's currently in a business trip ]
* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/evalenti/linux-soc-thermal:
Thermal:Remove usless if(!result) before return tz
thermal: exynos: fix IRQ clearing on TMU initialization
thermal: fix multiple disbalanced device node counters
thermal: rcar: Add binding docs for new R-Car Gen2 SoCs
thermal: exynos: Add support for TRIM_RELOAD feature at Exynos3250
thermal: exynos: Add support for many TRIMINFO_CTRL registers
thermal: samsung: Exynos5260 and Exynos5420 should not use TRIM_RELOAD flag
thermal: exynos: remove identical values from exynos*_tmu_registers structures
thermal: exynos: remove redundant pdata checks from exynos_tmu_control()
thermal: exynos: cache non_hw_trigger_levels in pdata
thermal: exynos: simplify temp_to_code() and code_to_temp()
thermal: exynos: remove redundant threshold_code checks from exynos_tmu_initialize()
thermal: exynos: remove redundant pdata checks from exynos_tmu_initialize()
thermal: exynos: remove dead code for HW_MODE calibration
thermal: exynos: remove unused struct exynos_tmu_registers entries
Linus Torvalds [Tue, 4 Nov 2014 19:52:45 +0000 (11:52 -0800)]
Merge tag 'platform-drivers-x86-v3.18-2' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86
Pull x86 platform drievr updates from Darren Hart:
"A short list of patches applying quirks and new DMI matches. These
pass my basic build tests and have spent 4 days in linux-next"
* tag 'platform-drivers-x86-v3.18-2' of git://git.infradead.org/users/dvhart/linux-platform-drivers-x86:
quirk for Lenovo Yoga 3: no rfkill switch
acer-wmi: Add acpi_backlight=video quirk for the Acer KAV80
samsung-laptop: Add broken-acpi-video quirk for NC210/NC110
asus-nb-wmi: Add wapf4 quirk for the X550VB
toshiba_acpi: Add Toshiba TECRA A50-A to the alt keymap dmi list
Linus Torvalds [Tue, 4 Nov 2014 19:18:29 +0000 (11:18 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux
Pull powerpc fixes from Michael Ellerman:
"Some more powerpc fixes if you please"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
powerpc: use device_online/offline() instead of cpu_up/down()
powerpc/powernv: Properly fix LPC debugfs endianness
powerpc: do_notify_resume can be called with bad thread_info flags argument
powerpc/fadump: Fix endianess issues in firmware assisted dump handling
powerpc: Fix section mismatch warning
Linus Torvalds [Tue, 4 Nov 2014 19:12:25 +0000 (11:12 -0800)]
Merge tag 'ftracetest-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace
Pull ftracetest fix from Steven Rostedt:
"Running the ftracetests on a machine that had the debugfs file system
mounted in two locations caused the ftracetests to fail. This is
because the ftracetests script does a grep of the /proc/mounts file to
find where the debugfs file system is mounted. If it is mounted
twice, then the grep returns two lines instead of just one. This
causes the ftracetests to get confused and fail.
Use "head -1" to only return the first mount point for debugfs"
* tag 'ftracetest-3.18-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
ftracetest: Take the first debugfs mount found
Chris Mason [Tue, 4 Nov 2014 14:59:04 +0000 (06:59 -0800)]
Btrfs: fix kfree on list_head in btrfs_lookup_csums_range error cleanup
If we hit any errors in btrfs_lookup_csums_range, we'll loop through all
the csums we allocate and free them. But the code was using list_entry
incorrectly, and ended up trying to free the on-stack list_head instead.
Ralf Baechle [Tue, 4 Nov 2014 10:54:29 +0000 (11:54 +0100)]
MIPS: Fix strnlen_user() return value in case of overlong strings.
We were returning maxlen like the userland strnlen if no '\0' character
was encountered while the kernel version is expected to return a value
larger than maxlen. Fixed to return maxlen + 1.
projects / karo-tx-linux.git / log